
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(3)E (Catalyst 3560-CX and 2960-CX Switches)
First Published: 2015-03-11
Last Modified: 2015-07-10

Americas Headquarters
Cisco Systems, Inc.
170 West Tasman Drive
San Jose, CA 95134-1706
USA
http://www.cisco.com
Tel: 408 526-4000
800 553-NETS (6387)
Fax: 408 527-0883
THE SPECIFICATIONS AND INFORMATION REGARDING THE PRODUCTS IN THIS MANUAL ARE SUBJECT TO CHANGE WITHOUT NOTICE. ALL STATEMENTS,
INFORMATION, AND RECOMMENDATIONS IN THIS MANUAL ARE BELIEVED TO BE ACCURATE BUT ARE PRESENTED WITHOUT WARRANTY OF ANY KIND,
EXPRESS OR IMPLIED. USERS MUST TAKE FULL RESPONSIBILITY FOR THEIR APPLICATION OF ANY PRODUCTS.

THE SOFTWARE LICENSE AND LIMITED WARRANTY FOR THE ACCOMPANYING PRODUCT ARE SET FORTH IN THE INFORMATION PACKET THAT SHIPPED WITH
THE PRODUCT AND ARE INCORPORATED HEREIN BY THIS REFERENCE. IF YOU ARE UNABLE TO LOCATE THE SOFTWARE LICENSE OR LIMITED WARRANTY,
CONTACT YOUR CISCO REPRESENTATIVE FOR A COPY.

The Cisco implementation of TCP header compression is an adaptation of a program developed by the University of California, Berkeley (UCB) as part of UCB's public domain version of
the UNIX operating system. All rights reserved. Copyright © 1981, Regents of the University of California.

NOTWITHSTANDING ANY OTHER WARRANTY HEREIN, ALL DOCUMENT FILES AND SOFTWARE OF THESE SUPPLIERS ARE PROVIDED "AS IS" WITH ALL FAULTS.
CISCO AND THE ABOVE-NAMED SUPPLIERS DISCLAIM ALL WARRANTIES, EXPRESSED OR IMPLIED, INCLUDING, WITHOUT LIMITATION, THOSE OF
MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT OR ARISING FROM A COURSE OF DEALING, USAGE, OR TRADE PRACTICE.

IN NO EVENT SHALL CISCO OR ITS SUPPLIERS BE LIABLE FOR ANY INDIRECT, SPECIAL, CONSEQUENTIAL, OR INCIDENTAL DAMAGES, INCLUDING, WITHOUT
LIMITATION, LOST PROFITS OR LOSS OR DAMAGE TO DATA ARISING OUT OF THE USE OR INABILITY TO USE THIS MANUAL, EVEN IF CISCO OR ITS SUPPLIERS
HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.

Any Internet Protocol (IP) addresses and phone numbers used in this document are not intended to be actual addresses and phone numbers. Any examples, command display output, network
topology diagrams, and other figures included in the document are shown for illustrative purposes only. Any use of actual IP addresses or phone numbers in illustrative content is unintentional
and coincidental.

Cisco and the Cisco logo are trademarks or registered trademarks of Cisco and/or its affiliates in the U.S. and other countries. To view a list of Cisco trademarks, go to this URL:
http://www.cisco.com/go/trademarks. Third-party trademarks mentioned are the property of their respective owners. The use of the word partner does not imply a partnership relationship
between Cisco and any other company. (1110R)
© 2015 Cisco Systems, Inc. All rights reserved.
CONTENTS

PREFACE Preface lxxiii


Document Conventions lxxiii
Related Documentation lxxv
Obtaining Documentation and Submitting a Service Request lxxv

CHAPTER 1 Using the Command-Line Interface 1


Information About Using the Command-Line Interface 1
Command Modes 1
Understanding Abbreviated Commands 3
No and Default Forms of Commands 3
CLI Error Messages 3
Configuration Logging 4
Using the Help System 4
How to Use the CLI to Configure Features 5
Configuring the Command History 5
Changing the Command History Buffer Size 5
Recalling Commands 6
Disabling the Command History Feature 6
Enabling and Disabling Editing Features 7
Editing Commands Through Keystrokes 7
Editing Command Lines That Wrap 8
Searching and Filtering Output of show and more Commands 9
Accessing the CLI Through a Console Connection or Through Telnet 10

PART I Interface and Hardware 11

Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(3)E (Catalyst 3560-CX and 2960-CX Switches)
iii
Contents

CHAPTER 2 Configuring Interface Characteristics 13


Finding Feature Information 13
Information About Configuring Interface Characteristics 13
Interface Types 13
Port-Based VLANs 13
Switch Ports 14
Switch Virtual Interfaces 15
EtherChannel Port Groups 16
Power over Ethernet Ports 16
Using the Switch USB Ports 16
USB Mini-Type B Console Port 17
USB Type A Ports 17
Interface Connections 17
Interface Configuration Mode 18
Default Ethernet Interface Configuration 19
Interface Speed and Duplex Mode 20
Speed and Duplex Configuration Guidelines 20
IEEE 802.3x Flow Control 21
How to Configure Interface Characteristics 21
Configuring Interfaces 21
Adding a Description for an Interface 22
Configuring a Range of Interfaces 23
Configuring and Using Interface Range Macros 25
Configuring Ethernet Interfaces 26
Setting the Interface Speed and Duplex Parameters 26
Configuring IEEE 802.3x Flow Control 28
Configuring SVI Autostate Exclude 29
Shutting Down and Restarting the Interface 30
Configuring the Console Media Type 32
Configuring the USB Inactivity Timeout 33
Monitoring Interface Characteristics 34
Monitoring Interface Status 34
Clearing and Resetting Interfaces and Counters 35

Configuration Examples for Interface Characteristics 35
Adding a Description to an Interface: Example 35
Configuring a Range of Interfaces: Examples 36
Configuring and Using Interface Range Macros: Examples 36
Setting Interface Speed and Duplex Mode: Example 37
Configuring the Console Media Type: Example 37
Configuring the USB Inactivity Timeout: Example 37

CHAPTER 3 Configuring Auto-MDIX 39


Prerequisites for Auto-MDIX 39
Restrictions for Auto-MDIX 39
Information about Configuring Auto-MDIX 39
Auto-MDIX on an Interface 39
How to Configure Auto-MDIX 40
Configuring Auto-MDIX on an Interface 40
Example for Configuring Auto-MDIX 41

CHAPTER 4 Configuring LLDP, LLDP-MED, and Wired Location Service 43


Finding Feature Information 43
LLDP, LLDP-MED, and Wired Location Service Overview 43
LLDP 43
LLDP Supported TLVs 44
LLDP and Cisco Medianet 44
LLDP-MED 44
LLDP-MED Supported TLVs 44
Wired Location Service 45
Default LLDP Configuration 46
Restrictions for LLDP 47
How to Configure LLDP, LLDP-MED, and Wired Location Service 47
Enabling LLDP 47
Configuring LLDP Characteristics 49
Configuring LLDP-MED TLVs 51
Configuring Network-Policy TLV 52
Configuring Location TLV and Wired Location Service 55

Enabling Wired Location Service on the Switch 57
Configuration Examples for LLDP, LLDP-MED, and Wired Location Service 59
Configuring Network-Policy TLV: Examples 59
Monitoring and Maintaining LLDP, LLDP-MED, and Wired Location Service 59

CHAPTER 5 Configuring MultiGigabit Ports on WS-C3560CX-8PD-S 61


Finding Feature Information 61
Overview of MultiGigabit Ports 61
Restrictions for MultiGigabit Ports 61
Supported Cable Types and Maximum Length 62
Setting the Interface Speed 62
Examples: Setting the Interface Speed 63

CHAPTER 6 Configuring System MTU 65


Finding Feature Information 65
Information about the MTU 65
System MTU Guidelines 65
How to Configure MTU 66
Configuring the System MTU 66
Configuration Examples for System MTU 67

CHAPTER 7 Configuring Boot Fast 69


Finding Feature Information 69
Configuring Boot Fast on the switch 69
Enabling Boot Fast 69
Disabling Boot Fast 70

CHAPTER 8 Configuring PoE 73


Finding Feature Information 73
Information about PoE 73
Power over Ethernet Ports 73
PoE and PoE Pass-Through Ports on Catalyst WS-C3560CX-8PT-S 73
Example: Configuring PoE and PoE Pass-Through Ports on WS-C3560CX-8PT-S 74
Supported Protocols and Standards 75

Powered-Device Detection and Initial Power Allocation 75
Power Management Modes 76
How to Configure PoE 79
Configuring a Power Management Mode on a PoE Port 79
Fast PoE 81
Configuring Persistent and Fast PoE 81
Configuring PoE and PoE Pass-Through Ports on Catalyst WS-C3560CX-8PT-S 82
Persistent PoE 83
Fast PoE 83
Configuring Persistent and Fast PoE 83
Budgeting Power for Devices Connected to a PoE Port 84
Budgeting Power to All PoE ports 85
Budgeting Power to a Specific PoE Port 86
Configuring Power Policing 87
Monitoring Power Status 89
Configuration Examples for Configuring PoE 90
Budgeting Power: Example 90

CHAPTER 9 Configuring EEE 91


Finding Feature Information 91
Information About EEE 91
EEE Overview 91
Default EEE Configuration 91
Restrictions for EEE 92
How to Configure EEE 92
Enabling or Disabling EEE 92
Monitoring EEE 93
Configuration Examples for Configuring EEE 93

PART II IPv6 95

CHAPTER 10 Configuring MLD Snooping 97


Finding Feature Information 97
Information About Configuring IPv6 MLD Snooping 97

Understanding MLD Snooping 97
MLD Messages 98
MLD Queries 98
Multicast Client Aging Robustness 99
Multicast Router Discovery 99
MLD Reports 100
MLD Done Messages and Immediate-Leave 100
Topology Change Notification Processing 100
How to Configure IPv6 MLD Snooping 101
Default MLD Snooping Configuration 101
MLD Snooping Configuration Guidelines 101
Enabling or Disabling MLD Snooping on the Switch (CLI) 102
Enabling or Disabling MLD Snooping on a VLAN (CLI) 103
Configuring a Static Multicast Group (CLI) 103
Configuring a Multicast Router Port (CLI) 104
Enabling MLD Immediate Leave (CLI) 105
Configuring MLD Snooping Queries (CLI) 106
Disabling MLD Listener Message Suppression (CLI) 107
Displaying MLD Snooping Information 108
Configuration Examples for Configuring MLD Snooping 109
Configuring a Static Multicast Group: Example 109
Configuring a Multicast Router Port: Example 109
Enabling MLD Immediate Leave: Example 109
Configuring MLD Snooping Queries: Example 110

CHAPTER 11 Configuring IPv6 Unicast Routing 111


Finding Feature Information 111
Information About Configuring IPv6 Unicast Routing 111
Understanding IPv6 111
IPv6 Addresses 112
Supported IPv6 Unicast Routing Features 112
Unsupported IPv6 Unicast Routing Features 117
IPv6 Feature Limitations 117
Configuring IPv6 117

Default IPv6 Configuration 117
Configuring IPv6 Addressing and Enabling IPv6 Routing (CLI) 118
Configuring First Hop Security in IPv6 120
Configuring Default Router Preference (CLI) 131
Configuring IPv6 ICMP Rate Limiting (CLI) 132
Configuring CEF and dCEF for IPv6 133
Configuring Static Routing for IPv6 (CLI) 133
Configuring RIP for IPv6 (CLI) 135
Configuring OSPF for IPv6 (CLI) 137
Tuning LSA and SPF Timers for OSPFv3 Fast Convergence 139
Configuring LSA and SPF Throttling for OSPFv3 Fast Convergence 140
Configuring EIGRP for IPv6 141
Configuring HSRP for IPv6 142
Enabling HSRP Version 2 142
Enabling an HSRP Group for IPv6 143
Configuring Multi-VRF CE 145
Default Multi-VRF CE Configuration 145
Configuring VRFs 145
Configuring VRF-Aware Services 147
Configuring VRF-Aware Services for Neighbor Discovery 147
Configuring VRF-Aware Services for PING 147
Configuring VRF-Aware Services for HSRP 148
Configuring VRF-Aware Services for Traceroute 149
Configuring VRF-Aware Services for FTP and TFTP 149
Configuring a VPN Routing Session 150
Configuring BGP PE to CE Routing Sessions 151
Multi-VRF CE Configuration Example 153
Displaying Multi-VRF CE Status 156
Displaying IPv6 156
Configuring DHCP for IPv6 Address Assignment 157
Default DHCPv6 Address Assignment Configuration 157
DHCPv6 Address Assignment Configuration Guidelines 157
Enabling DHCPv6 Server Function (CLI) 158
Enabling DHCPv6 Client Function (CLI) 160

Configuration Examples for IPv6 Unicast Routing 161
Configuring IPv6 Addressing and Enabling IPv6 Routing: Example 161
Configuring Default Router Preference: Example 162
Enabling an HSRP Group for IPv6: Example 162
Enabling DHCPv6 Server Function: Example 162
Enabling DHCPv6 Client Function: Example 163
Configuring IPv6 ICMP Rate Limiting: Example 163
Configuring Static Routing for IPv6: Example 163
Configuring RIP for IPv6: Example 164
Displaying IPv6: Example 164

CHAPTER 12 Implementing IPv6 Multicast 165


Finding Feature Information 165
Information About Implementing IPv6 Multicast Routing 165
IPv6 Multicast Overview 165
IPv6 Multicast Routing Implementation 166
MLD Access Group 166
Explicit Tracking of Receivers 166
IPv6 Multicast User Authentication and Profile Support 166
IPv6 MLD Proxy 167
Protocol Independent Multicast 167
PIM-Sparse Mode 167
IPv6 BSR: Configure RP Mapping 170
PIM-Source Specific Multicast 170
Routable Address Hello Option 172
Bidirectional PIM 172
Static Mroutes 173
MRIB 173
MFIB 173
IPv6 Multicast VRF Lite 173
IPv6 Multicast Process Switching and Fast Switching 174
Multiprotocol BGP for the IPv6 Multicast Address Family 174
NSF and SSO Support In IPv6 Multicast 175
Bandwidth-Based CAC for IPv6 Multicast 175

Implementing IPv6 Multicast 175
Enabling IPv6 Multicast Routing 175
Customizing and Verifying the MLD Protocol 175
Customizing and Verifying MLD on an Interface 175
Implementing MLD Group Limits 177
Configuring Explicit Tracking of Receivers to Track Host Behavior 179
Configuring Multicast User Authentication and Profile Support 179
Enabling MLD Proxy in IPv6 181
Resetting the MLD Traffic Counters 182
Clearing the MLD Interface Counters 183
Configuring PIM 183
Configuring PIM-SM and Displaying PIM-SM Information for a Group Range 183
Configuring PIM Options 184
Configuring Bidirectional PIM and Displaying Bidirectional PIM Information 185
Resetting the PIM Traffic Counters 186
Clearing the PIM Topology Table to Reset the MRIB Connection 187
Configuring a BSR 188
Configuring a BSR and Verifying BSR Information 188
Sending PIM RP Advertisements to the BSR 189
Configuring BSR for Use Within Scoped Zones 189
Configuring BSR Switches to Announce Scope-to-RP Mappings 190
Configuring SSM Mapping 191
Configuring Static Mroutes 192
Using MFIB in IPv6 Multicast 193
Verifying MFIB Operation in IPv6 Multicast 193
Resetting MFIB Traffic Counters 194

PART III Layer 2 195

CHAPTER 13 Configuring IEEE 802.1Q and Layer 2 Protocol Tunneling 197


Finding Feature Information 197
Prerequisites for Configuring Tunneling 197
IEEE 802.1Q Tunneling 197
Layer 2 Protocol Tunneling 198

Layer 2 Tunneling for EtherChannels 199
Information about Tunneling 200
IEEE 802.1Q and Layer 2 Protocol Overview 200
IEEE 802.1Q Tunneling 200
IEEE 802.1Q Tunneling Configuration Guidelines 202
Native VLANs 202
System MTU 203
Default IEEE 802.1Q Tunneling Configuration 204
Layer 2 Protocol Tunneling Overview 204
Layer 2 Protocol Tunneling on Ports 206
Default Layer 2 Protocol Tunneling Configuration 207
How to Configure Tunneling 207
Configuring an IEEE 802.1Q Tunneling Port 207
Configuring Layer 2 Protocol Tunneling 210
Configuring the SP Edge Switch 213
Configuring the Customer Switch 216
Configuration Examples for IEEE 802.1Q and Layer 2 Protocol Tunneling 218
Example: Configuring an IEEE 802.1Q Tunneling Port 218
Example: Configuring Layer 2 Protocol Tunneling 219
Examples: Configuring the SP Edge and Customer Switches 219
Monitoring Tunneling Status 221
Where to Go Next 221

CHAPTER 14 Configuring Spanning Tree Protocol 223


Finding Feature Information 223
Restrictions for STP 223
Information About Spanning Tree Protocol 224
Spanning Tree Protocol 224
Spanning-Tree Topology and BPDUs 224
Bridge ID, Device Priority, and Extended System ID 226
Port Priority Versus Path Cost 226
Spanning-Tree Interface States 227
How a Switch or Port Becomes the Root Switch or Root Port 230
Spanning Tree and Redundant Connectivity 230

Spanning-Tree Address Management 231
Accelerated Aging to Retain Connectivity 231
Spanning-Tree Modes and Protocols 231
Supported Spanning-Tree Instances 232
Spanning-Tree Interoperability and Backward Compatibility 232
STP and IEEE 802.1Q Trunks 233
VLAN-Bridge Spanning Tree 233
Default Spanning-Tree Configuration 234
How to Configure Spanning-Tree Features 234
Changing the Spanning-Tree Mode 234
Disabling Spanning Tree 236
Configuring the Root Switch 237
Configuring a Secondary Root Device 238
Configuring Port Priority 239
Configuring Path Cost 241
Configuring the Device Priority of a VLAN 242
Configuring the Hello Time 243
Configuring the Forwarding-Delay Time for a VLAN 244
Configuring the Maximum-Aging Time for a VLAN 245
Configuring the Transmit Hold-Count 246
Monitoring Spanning-Tree Status 247

CHAPTER 15 Configuring Multiple Spanning-Tree Protocol 249


Finding Feature Information 249
Prerequisites for MSTP 249
Restrictions for MSTP 250
Information About MSTP 251
MSTP Configuration 251
MSTP Configuration Guidelines 251
Root Switch 252
Multiple Spanning-Tree Regions 253
IST, CIST, and CST 253
Operations Within an MST Region 254
Operations Between MST Regions 254

IEEE 802.1s Terminology 255
Illustration of MST Regions 255
Hop Count 256
Boundary Ports 257
IEEE 802.1s Implementation 257
Port Role Naming Change 257
Interoperation Between Legacy and Standard Switches 258
Detecting Unidirectional Link Failure 258
Interoperability with IEEE 802.1D STP 259
RSTP Overview 259
Port Roles and the Active Topology 259
Rapid Convergence 260
Synchronization of Port Roles 261
Bridge Protocol Data Unit Format and Processing 262
Topology Changes 263
Protocol Migration Process 264
Default MSTP Configuration 265
About MST-to-PVST+ Interoperability (PVST+ Simulation) 265
About Detecting Unidirectional Link Failure 265
How to Configure MSTP Features 266
Specifying the MST Region Configuration and Enabling MSTP 266
Configuring the Root Switch 269
Configuring a Secondary Root Switch 270
Configuring Port Priority 271
Configuring Path Cost 273
Configuring the Switch Priority 274
Configuring the Hello Time 276
Configuring the Forwarding-Delay Time 277
Configuring the Maximum-Aging Time 278
Configuring the Maximum-Hop Count 278
Specifying the Link Type to Ensure Rapid Transitions 279
Designating the Neighbor Type 281
Restarting the Protocol Migration Process 282
Configuring PVST+ Simulation 283

Examples 284
Examples: PVST+ Simulation 284
Monitoring MST Configuration and Status 287
Feature Information for MSTP 288

CHAPTER 16 Configuring Optional Spanning-Tree Features 289


Finding Feature Information 289
Restriction for Optional Spanning-Tree Features 289
Information About Optional Spanning-Tree Features 290
PortFast 290
BPDU Guard 290
BPDU Filtering 291
UplinkFast 291
BackboneFast 293
EtherChannel Guard 296
Root Guard 296
Loop Guard 297
STP PortFast Port Types 297
Bridge Assurance 298
How to Configure Optional Spanning-Tree Features 299
Enabling PortFast 299
Enabling BPDU Guard 301
Enabling BPDU Filtering 302
Enabling UplinkFast for Use with Redundant Links 304
Disabling UplinkFast 305
Enabling BackboneFast 306
Enabling EtherChannel Guard 307
Enabling Root Guard 308
Enabling Loop Guard 310
Enabling PortFast Port Types 311
Configuring the Default Port State Globally 311
Configuring PortFast Edge on a Specified Interface 312
Configuring a PortFast Network Port on a Specified Interface 313
Enabling Bridge Assurance 315

Examples 316
Examples: Configuring PortFast Edge on a Specified Interface 316
Examples: Configuring a PortFast Network Port on a Specified Interface 316
Example: Configuring Bridge Assurance 317
Monitoring the Spanning-Tree Status 318

CHAPTER 17 Configuring Bidirectional Forwarding Detection 321


Finding Feature Information 321
Prerequisites for Bidirectional Forwarding Detection 321
Restrictions for Bidirectional Forwarding Detection 322
Information About Bidirectional Forwarding Detection 322
BFD Operation 322
Neighbor Relationships 322
BFD Detection of Failures 323
BFD Version Interoperability 324
BFD Session Limits 324
BFD Support for Nonbroadcast Media Interfaces 324
BFD Support for Nonstop Forwarding with Stateful Switchover 324
BFD Support for Stateful Switchover 324
BFD Support for Static Routing 325
Benefits of Using BFD for Failure Detection 326
How to Configure Bidirectional Forwarding Detection 326
Configuring BFD Session Parameters on the Interface 326
Configuring BFD Support for Dynamic Routing Protocols 327
Configuring BFD Support for BGP 327
Configuring BFD Support for EIGRP 329
Configuring BFD Support for OSPF 331
Configuring BFD Support for Static Routing 334
Configuring BFD Echo Mode 336
Monitoring and Troubleshooting BFD 338
Configuration Examples for Bidirectional Forwarding Detection 339
Example: Configuring BFD in an EIGRP Network with Echo Mode Enabled by Default 339
Example: Configuring BFD in an OSPF Network 345
Example: Configuring BFD Support for Static Routing 348

CHAPTER 18 Configuring EtherChannels 351


Finding Feature Information 351
Restrictions for EtherChannels 351
Information About EtherChannels 352
EtherChannel Overview 352
EtherChannel Modes 352
EtherChannel on Switches 353
EtherChannel Link Failover 353
Channel Groups and Port-Channel Interfaces 354
Port Aggregation Protocol 354
PAgP Modes 355
PAgP Learn Method and Priority 355
PAgP Interaction with Virtual Switches and Dual-Active Detection 356
PAgP Interaction with Other Features 356
Link Aggregation Control Protocol 357
LACP Modes 357
LACP Interaction with Other Features 357
EtherChannel On Mode 358
Load-Balancing and Forwarding Methods 358
MAC Address Forwarding 358
IP Address Forwarding 358
Load-Balancing Advantages 359
EtherChannel Load Deferral Overview 360
Default EtherChannel Configuration 360
EtherChannel Configuration Guidelines 361
Layer 2 EtherChannel Configuration Guidelines 362
Auto-LAG 362
Auto-LAG Configuration Guidelines 363
How to Configure EtherChannels 363
Configuring Layer 2 EtherChannels 363
Configuring EtherChannel Load-Balancing 365
Configuring Port Channel Load Deferral 366
Configuring the PAgP Learn Method and Priority 368

Configuring LACP Hot-Standby Ports 369
Configuring the LACP System Priority 370
Configuring the LACP Port Priority 371
Configuring the LACP Port Channel Min-Links Feature 372
Configuring LACP Fast Rate Timer 373
Configuring Auto-LAG Globally 374
Configuring Auto-LAG on a Port Interface 375
Configuring Persistence with Auto-LAG 376
Monitoring EtherChannel, PAgP, and LACP Status 377
Configuration Examples for Configuring EtherChannels 378
Configuring Layer 2 EtherChannels: Examples 378
Example: Configuring Port Channel Load Deferral 379
Configuring Auto LAG: Examples 379
Configuring LACP Port Channel Min-Links: Examples 380
Example: Configuring LACP Fast Rate Timer 380

CHAPTER 19 Configuring Link-State Tracking 383


Finding Feature Information 383
Restrictions for Configuring Link-State Tracking 383
Understanding Link-State Tracking 384
How to Configure Link-State Tracking 386
Monitoring Link-State Tracking 387
Configuring Link-State Tracking: Example 387

CHAPTER 20 Configuring Resilient Ethernet Protocol 389


Finding Feature Information 389
REP Overview 389
Link Integrity 391
Fast Convergence 392
VLAN Load Balancing 392
Spanning Tree Interaction 394
REP Ports 394
How to Configure REP 394
Default REP Configuration 394

REP Configuration Guidelines 395


Configuring the REP Administrative VLAN 396
Configuring REP Interfaces 397
Setting Manual Preemption for VLAN Load Balancing 401
Configuring SNMP Traps for REP 401
Monitoring REP 402
Configuration Examples for Configuring REP 403
Configuring the REP Administrative VLAN: Examples 403
Configuring REP Interfaces: Examples 403

CHAPTER 21 Configuring Flex Links and the MAC Address-Table Move Update Feature 405
Finding Feature Information 405
Restrictions for Configuring Flex Links and MAC Address-Table Move Update 405
Information About Flex Links and MAC Address-Table Move Update 406
Flex Links 406
Flex Links Configuration 406
VLAN Flex Links Load Balancing and Support 407
Multicast Fast Convergence with Flex Links Failover 407
Learning the Other Flex Links Port as the mrouter Port 407
Generating IGMP Reports 408
Leaking IGMP Reports 408
MAC Address-Table Move Update 408
Flex Links VLAN Load Balancing Configuration Guidelines 410
MAC Address-Table Move Update Configuration Guidelines 410
Default Flex Links and MAC Address-Table Move Update Configuration 410
How to Configure Flex Links and the MAC Address-Table Move Update Feature 410
Configuring Flex Links 410
Configuring a Preemption Scheme for a Pair of Flex Links 411
Configuring VLAN Load Balancing on Flex Links 413
Configuring MAC Address-Table Move Update 413
Configuring a Switch to Obtain and Process MAC Address-Table Move Update Messages 415
Monitoring Flex Links, Multicast Fast Convergence, and MAC Address-Table Move Update 415
Configuration Examples for Flex Links 416
Configuring Flex Links: Examples 416

Configuring VLAN Load Balancing on Flex Links: Examples 416
Configuring the MAC Address-Table Move Update: Examples 417
Configuring Multicast Fast Convergence with Flex Links Failover: Examples 418

CHAPTER 22 Configuring UniDirectional Link Detection 421


Finding Feature Information 421
Restrictions for Configuring UDLD 421
Information About UDLD 422
Modes of Operation 422
Normal Mode 422
Aggressive Mode 422
Methods to Detect Unidirectional Links 423
Neighbor Database Maintenance 423
Event-Driven Detection and Echoing 423
UDLD Reset Options 424
Default UDLD Configuration 424
How to Configure UDLD 424
Enabling UDLD Globally 424
Enabling UDLD on an Interface 426
Monitoring and Maintaining UDLD 427

PART IV High Availability 429

CHAPTER 23 Configuring HSRP and VRRP 431


Configuring HSRP 431
Finding Feature Information 431
Information About Configuring HSRP 431
HSRP Overview 431
HSRP Versions 433
Multiple HSRP 434
SSO HSRP 434
How to Configure HSRP 435
Default HSRP Configuration 435
HSRP Configuration Guidelines 435

Enabling HSRP 436
Configuring HSRP Priority 437
Configuring MHSRP 440
Configuring HSRP Authentication and Timers 446
Enabling HSRP Support for ICMP Redirect Messages 447
Configuring HSRP Groups and Clustering 448
Troubleshooting HSRP 448
Verifying HSRP 448
Verifying HSRP Configurations 448
Configuration Examples for Configuring HSRP 449
Enabling HSRP: Example 449
Configuring HSRP Priority: Example 449
Configuring MHSRP: Example 449
Configuring HSRP Authentication and Timer: Example 450
Configuring HSRP Groups and Clustering: Example 451
Information About VRRP 451
Configuring VRRP 451

CHAPTER 24 Configuring Service Level Agreements 453


Finding Feature Information 453
Restrictions on SLAs 453
Information About SLAs 454
Cisco IOS IP Service Level Agreements (SLAs) 454
Network Performance Measurement with Cisco IOS IP SLAs 455
IP SLA Responder and IP SLA Control Protocol 455
Response Time Computation for IP SLAs 456
IP SLAs Operation Scheduling 457
IP SLA Operation Threshold Monitoring 457
UDP Jitter 458
How to Configure IP SLAs Operations 459
Default Configuration 459
Configuration Guidelines 459
Configuring the IP SLA Responder 460
Implementing IP SLA Network Performance Measurement 461

Analyzing IP Service Levels by Using the UDP Jitter Operation 465
Analyzing IP Service Levels by Using the ICMP Echo Operation 469
Monitoring IP SLA Operations 472
Monitoring IP SLA Operation Examples 473

CHAPTER 25 Configuring Enhanced Object Tracking 475


Finding Feature Information 475
Information About Enhanced Object Tracking 475
Enhanced Object Tracking Overview 475
Tracking Interface Line-Protocol or IP Routing State 476
Tracked Lists 476
Tracking Other Characteristics 477
IP SLAs Object Tracking 477
Static Route Object Tracking 477
How to Configure Enhanced Object Tracking 478
Configuring Tracking for Line State Protocol or IP Routing State on an Interface 478
Configuring Tracked Lists 479
Configuring a Tracked List with a Weight Threshold 479
Configuring a Tracked List with a Percentage Threshold 481
Configuring HSRP Object Tracking 482
Configuring IP SLAs Object Tracking 485
Configuring Static Route Object Tracking 486
Configuring a Primary Interface for Static Routing 486
Configuring a Primary Interface for DHCP 487
Configuring IP SLAs Monitoring Agent 488
Configuring a Routing Policy and a Default Route 489
Monitoring Enhanced Object Tracking 491

PART V Network Management 493

CHAPTER 26 Configuring Cisco IOS Configuration Engine 495


Finding Feature Information 495
Prerequisites for Configuring the Configuration Engine 495
Restrictions for Configuring the Configuration Engine 496

Information About Configuring the Configuration Engine 496
Cisco Configuration Engine Software 496
Configuration Service 497
Event Service 497
NameSpace Mapper 498
Cisco Networking Services IDs and Device Hostnames 498
ConfigID 498
DeviceID 498
Hostname and DeviceID 499
Hostname, DeviceID, and ConfigID 499
Cisco IOS CNS Agents 499
Initial Configuration 499
Incremental (Partial) Configuration 500
Synchronized Configuration 501
Automated CNS Configuration 501
How to Configure the Configuration Engine 502
Enabling the CNS Event Agent 502
Enabling the Cisco IOS CNS Agent 503
Enabling an Initial Configuration for Cisco IOS CNS Agent 505
Refreshing DeviceIDs 510
Enabling a Partial Configuration for Cisco IOS CNS Agent 512
Monitoring CNS Configurations 514

CHAPTER 27 Configuring the Cisco Discovery Protocol 515


Finding Feature Information 515
Information About CDP 515
CDP Overview 515
Default CDP Configuration 516
How to Configure CDP 516
Configuring CDP Characteristics 516
Disabling CDP 518
Enabling CDP 519
Disabling CDP on an Interface 521
Enabling CDP on an Interface 522
Monitoring and Maintaining CDP 524

CHAPTER 28 Configuring Simple Network Management Protocol 525

Finding Feature Information 525
Prerequisites for SNMP 525
Restrictions for SNMP 527
Information About SNMP 528
SNMP Overview 528
SNMP Manager Functions 528
SNMP Agent Functions 528
SNMP Community Strings 529
SNMP MIB Variables Access 529
SNMP Notifications 530
SNMP ifIndex MIB Object Values 530
Default SNMP Configuration 531
SNMP Configuration Guidelines 531
How to Configure SNMP 532
Disabling the SNMP Agent 532
Configuring Community Strings 533
Configuring SNMP Groups and Users 536
Configuring SNMP Notifications 539
Setting the Agent Contact and Location Information 544
Limiting TFTP Servers Used Through SNMP 545
Monitoring SNMP Status 546
SNMP Examples 547

CHAPTER 29 Configuring SPAN and RSPAN 549

Finding Feature Information 549
Prerequisites for SPAN and RSPAN 549
Restrictions for SPAN and RSPAN 550
Information About SPAN and RSPAN 551
SPAN and RSPAN 551
Local SPAN 552
Remote SPAN 553
SPAN and RSPAN Concepts and Terminology 554
SPAN and RSPAN Interaction with Other Features 560
Flow-Based SPAN 561
Default SPAN and RSPAN Configuration 562
Configuration Guidelines 562
SPAN Configuration Guidelines 562
RSPAN Configuration Guidelines 562
FSPAN and FRSPAN Configuration Guidelines 563
How to Configure SPAN and RSPAN 563
Creating a Local SPAN Session 563
Creating a Local SPAN Session and Configuring Incoming Traffic 566
Specifying VLANs to Filter 568
Configuring a VLAN as an RSPAN VLAN 570
Creating an RSPAN Source Session 572
Specifying VLANs to Filter 574
Creating an RSPAN Destination Session 576
Creating an RSPAN Destination Session and Configuring Incoming Traffic 578
Configuring an FSPAN Session 580
Configuring an FRSPAN Session 583
Monitoring SPAN and RSPAN Operations 586
SPAN and RSPAN Configuration Examples 586
Example: Configuring Local SPAN 586
Examples: Creating an RSPAN VLAN 588

CHAPTER 30 Configuring RMON 591

Finding Feature Information 591
Information About RMON 591
Understanding RMON 591
How to Configure RMON 593
Default RMON Configuration 593
Configuring RMON Alarms and Events 593
Collecting Group History Statistics on an Interface 595
Collecting Group Ethernet Statistics on an Interface 597
Monitoring RMON Status 598

CHAPTER 31 Configuring Embedded Event Manager 599

Information about Embedded Event Manager 599
Understanding Embedded Event Manager 599
Embedded Event Manager Actions 600
Embedded Event Manager Policies 600
Embedded Event Manager Environment Variables 601
Embedded Event Manager 3.2 601
How to Configure Embedded Event Manager 602
Registering and Defining an Embedded Event Manager Applet 602
Registering and Defining an Embedded Event Manager TCL Script 603
Monitoring Embedded Event Manager 605
Displaying Embedded Event Manager Information 605
Configuration Examples for Embedded Event Manager 605
Example: Generating SNMP Notifications 605
Example: Responding to EEM Events 605
Example: Displaying EEM Environment Variables 605

CHAPTER 32 Configuring NetFlow Lite 607

Finding Feature Information 607
Prerequisites for NetFlow Lite 607
Restrictions for NetFlow Lite 607
Information About NetFlow Lite 609
NetFlow Lite Overview 609
Flexible NetFlow Components 609
Flow Records 609
Flow Exporters 613
Flow Monitors 614
Flow Samplers 616
Default Settings 616
How to Configure NetFlow Lite 616
Creating a Flow Record 617
Creating a Flow Exporter 619
Creating a Flow Monitor 621
Creating a Sampler 623
Applying a Flow to an Interface 625
Configuring a Bridged NetFlow on a VLAN 626
Configuring Layer 2 NetFlow 627
Monitoring Flexible NetFlow 629
Configuration Examples for NetFlow Lite 629
Example: Configuring a Flow 629

CHAPTER 33 Configuring Cache Services Using the Web Cache Communication Protocol 631

Finding Feature Information 631
Prerequisites for WCCP 631
Restrictions for WCCP 632
Information About WCCP 633
WCCP Overview 633
WCCP Message Exchange 633
WCCP Negotiation 634
MD5 Security 634
Packet Redirection and Service Groups 634
How to Configure WCCP 636
Default WCCP Configuration 636
Enabling the Cache Service 636

PART VI QoS 643

CHAPTER 34 Configuring QoS 645

Finding Feature Information 645
Prerequisites for QoS 645
QoS ACL Guidelines 645
Policing Guidelines 646
General QoS Guidelines 646
Restrictions for QoS 647
Information About QoS 648
QoS Implementation 648
Layer 2 Frame Prioritization Bits 649
Layer 3 Packet Prioritization Bits 649
End-to-End QoS Solution Using Classification 650
QoS Basic Model 650
Actions at Ingress Port 650
Actions at Egress Port 651
Classification Overview 651
Policing and Marking Overview 656
Mapping Tables Overview 658
Queueing and Scheduling Overview 659
Queueing and Scheduling on Ingress Queues 661
Queueing and Scheduling on Egress Queues 664
Packet Modification 668
Standard QoS Default Configuration 668
Default Ingress Queue Configuration 669
Default Egress Queue Configuration 670
Default Mapping Table Configuration 673
DSCP Maps 673
Default CoS-to-DSCP Map 673
Default IP-Precedence-to-DSCP Map 674
Default DSCP-to-CoS Map 674
How to Configure QoS 675
Enabling QoS Globally 675
Configuring Classification Using Port Trust States 676
Configuring the Trust State on Ports Within the QoS Domain 676
Configuring the CoS Value for an Interface 679
Configuring a Trusted Boundary to Ensure Port Security 680
Enabling DSCP Transparency Mode 682
Configuring the DSCP Trust State on a Port Bordering Another QoS Domain 684
Configuring a QoS Policy 686
Classifying Traffic by Using ACLs 687
Classifying Traffic by Using Class Maps 694
Classifying Traffic by Using Class Maps and Filtering IPv6 Traffic 697
Classifying, Policing, and Marking Traffic on Physical Ports by Using Policy Maps 699
Classifying, Policing, and Marking Traffic by Using Aggregate Policers 704
Configuring DSCP Maps 706
Configuring the CoS-to-DSCP Map 706
Configuring the IP-Precedence-to-DSCP Map 707
Configuring the Policed-DSCP Map 709
Configuring the DSCP-to-CoS Map 710
Configuring the DSCP-to-DSCP-Mutation Map 711
Configuring Ingress Queue Characteristics 713
Mapping DSCP or CoS Values to an Ingress Queue and Setting WTD Thresholds 713
Allocating Buffer Space Between the Ingress Queues 715
Allocating Bandwidth Between the Ingress Queues 717
Configuring the Ingress Priority Queue 718
Configuring Egress Queue Characteristics 720
Configuration Guidelines 720
Allocating Buffer Space to and Setting WTD Thresholds for an Egress Queue-Set 720
Mapping DSCP or CoS Values to an Egress Queue and to a Threshold ID 724
Configuring SRR Shaped Weights on Egress Queues 726
Configuring SRR Shared Weights on Egress Queues 727
Configuring the Egress Expedite Queue 729
Limiting the Bandwidth on an Egress Interface 731
Monitoring Standard QoS 732
Configuration Examples for QoS 733
Example: Configuring Port to the DSCP-Trusted State and Modifying the DSCP-to-DSCP-Mutation Map 733
Examples: Classifying Traffic by Using ACLs 733
Examples: Classifying Traffic by Using Class Maps 735
Examples: Classifying, Policing, and Marking Traffic on Physical Ports Using Policy Maps 736
Examples: Classifying, Policing, and Marking Traffic on SVIs by Using Hierarchical Policy Maps 737
Examples: Classifying, Policing, and Marking Traffic by Using Aggregate Policers 739
Examples: Configuring DSCP Maps 740
Examples: Configuring Ingress Queue Characteristics 742
Examples: Configuring Egress Queue Characteristics 743
Where to Go Next 744

CHAPTER 35 Configuring Auto-QoS 745

Finding Feature Information 745
Prerequisites for Auto-QoS 745
Information about Configuring Auto-QoS 746
Auto-QoS Overview 746
Generated Auto-QoS Configuration 746
VoIP Device Specifics 747
Enhanced Auto-QoS for Video, Trust, and Classification 748
Auto-QoS Configuration Migration 748
Auto-QoS Configuration Guidelines 749
Auto-QoS VoIP Considerations 749
Auto-QoS Enhanced Considerations 749
Effects of Auto-QoS on Running Configuration 750
How to Configure Auto-QoS 750
Configuring Auto-QoS 750
Enabling Auto-QoS 750
Troubleshooting Auto-QoS 752
Monitoring Auto-QoS 752
Configuration Examples for Auto-QoS 753
Examples: Global Auto-QoS Configuration 753
Examples: Auto-QoS Generated Configuration for VoIP Devices 757
Examples: Auto-QoS Generated Configuration for VoIP Devices 759
Examples: Auto-QoS Generated Configuration For Enhanced Video, Trust, and Classify Devices 760
Where to Go Next for Auto-QoS 763

PART VII Routing 765

CHAPTER 36 Configuring IP Unicast Routing 767

Finding Feature Information 767
Information About Configuring IP Unicast Routing 768
Information About IP Routing 768
Types of Routing 768
How to Configure IP Routing 769
How to Configure IP Addressing 770
Default IP Addressing Configuration 770
Assigning IP Addresses to Network Interfaces 771
Using Subnet Zero 773
Classless Routing 774
Disabling Classless Routing 775
Configuring Address Resolution Methods 776
Address Resolution 776
Defining a Static ARP Cache 777
Setting ARP Encapsulation 778
Enabling Proxy ARP 779
Routing Assistance When IP Routing is Disabled 780
Proxy ARP 781
Proxy ARP 781
Default Gateway 781
ICMP Router Discovery Protocol 782
ICMP Router Discovery Protocol (IRDP) 782
Configuring Broadcast Packet Handling 784
Broadcast Packet Handling 784
Enabling Directed Broadcast-to-Physical Broadcast Translation 785
UDP Broadcast Packets and Protocols 786
Forwarding UDP Broadcast Packets and Protocols 787
Establishing an IP Broadcast Address 788
IP Broadcast Flooding 789
Flooding IP Broadcasts 790
Monitoring and Maintaining IP Addressing 791
How to Configure IP Unicast Routing 792
Enabling IP Unicast Routing 792
Example of Enabling IP Unicast Routing 793
Information About RIP 793
How to Configure RIP 794
Default RIP Configuration 794
Configuring Basic RIP Parameters 795
Configuring RIP Authentication 797
Summary Addresses and Split Horizon 798
Configuring Summary Addresses and Split Horizon 798
Configuring Split Horizon 800
Configuration Example for Summary Addresses and Split Horizon 801
Information About OSPF 802
How to Configure OSPF 802
Default OSPF Configuration 802
Configuring Basic OSPF Parameters 805
Example: Configuring Basic OSPF Parameters 806
Configuring OSPF Interfaces 806
OSPF Area Parameters 809
Configuring OSPF Area Parameters 809
Other OSPF Parameters 811
Configuring Other OSPF Parameters 812
LSA Group Pacing 814
Changing LSA Group Pacing 814
Loopback Interfaces 815
Configuring a Loopback Interface 815
Monitoring OSPF 816
Information About EIGRP 817
EIGRP Features 817
EIGRP Components 817
How to Configure EIGRP 818
Default EIGRP Configuration 818
EIGRP Nonstop Forwarding 820
Configuring Basic EIGRP Parameters 821
Configuring EIGRP Interfaces 822
Configuring EIGRP Route Authentication 824
EIGRP Stub Routing 826
Monitoring and Maintaining EIGRP 827
Information About BGP 827
BGP Network Topology 827
How to Configure BGP 829
Default BGP Configuration 829
Nonstop Forwarding Awareness 832
Information About BGP Routing 832
Enabling BGP Routing 833
Example: Configuring BGP on Routers 834
Routing Policy Changes 836
Managing Routing Policy Changes 836
BGP Decision Attributes 837
Configuring BGP Decision Attributes 839
Route Maps 841
Configuring BGP Filtering with Route Maps 841
BGP Filtering 842
Configuring BGP Filtering by Neighbor 842
Configuring BGP Filtering by Access Lists and Neighbors 843
Prefix List for BGP Filtering 844
Configuring Prefix Lists for BGP Filtering 845
BGP Community Filtering 846
Configuring BGP Community Filtering 846
BGP Neighbors and Peer Groups 848
Configuring BGP Neighbors and Peer Groups 848
Aggregate Routes 851
Configuring Aggregate Addresses in a Routing Table 851
Routing Domain Confederations 852
Configuring Routing Domain Confederations 852
BGP Route Reflectors 854
Configuring BGP Route Reflectors 854
Route Dampening 855
Configuring Route Dampening 856
More BGP Information 857
Monitoring and Maintaining BGP 857
Information About ISO CLNS Routing 858
Connectionless Routing 858
How to Configure ISO CLNS Routing 859
IS-IS Dynamic Routing 859
Default IS-IS Configuration 860
Nonstop Forwarding Awareness 861
Enabling IS-IS Routing 861
Example: Configuring IS-IS Routing 863
IS-IS Global Parameters 864
Configuring IS-IS Global Parameters 865
IS-IS Interface Parameters 868
Configuring IS-IS Interface Parameters 869
Monitoring and Maintaining ISO IGRP and IS-IS 871
Information About Multi-VRF CE 872
Understanding Multi-VRF CE 873
Network Topology 873
Packet-Forwarding Process 874
Network Components 874
VRF-Aware Services 875
How to Configure Multi-VRF CE 875
Default Multi-VRF CE Configuration 875
Multi-VRF CE Configuration Guidelines 876
Configuring VRFs 876
Configuring VRF-Aware Services 878
Configuring VRF-Aware Services for ARP 878
Configuring VRF-Aware Services for Ping 879
Configuring VRF-Aware Services for SNMP 879
Configuring VRF-Aware Services for HSRP 880
Configuring VRF-Aware Services for uRPF 881
Configuring VRF-Aware RADIUS 882
Configuring VRF-Aware Services for Syslog 882
Configuring VRF-Aware Services for Traceroute 883
Configuring VRF-Aware Services for FTP and TFTP 883
Configuring Multicast VRFs 885
Configuring a VPN Routing Session 886
Configuring BGP PE to CE Routing Sessions 888
Multi-VRF CE Configuration Example 889
Monitoring Multi-VRF CE 893
Configuring Unicast Reverse Path Forwarding 893
Protocol-Independent Features 894
Distributed Cisco Express Forwarding 894
Information About Cisco Express Forwarding 894
How to Configure Cisco Express Forwarding 894
Number of Equal-Cost Routing Paths 897
Information About Equal-Cost Routing Paths 897
How to Configure Equal-Cost Routing Paths 897
Static Unicast Routes 898
Information About Static Unicast Routes 898
Configuring Static Unicast Routes 898
Default Routes and Networks 900
Information About Default Routes and Networks 900
How to Configure Default Routes and Networks 900
Route Maps to Redistribute Routing Information 901
Information About Route Maps 901
How to Configure a Route Map 901
How to Control Route Distribution 905
Policy-Based Routing 907
Information About Policy-Based Routing 907
How to Configure PBR 908
Filtering Routing Information 911
Setting Passive Interfaces 911
Controlling Advertising and Processing in Routing Updates 912
Filtering Sources of Routing Information 913
Managing Authentication Keys 914
Prerequisites 914
How to Configure Authentication Keys 914
Monitoring and Maintaining the IP Network 916

CHAPTER 37 Configuring Fallback Bridging 917

Finding Feature Information 917
Restrictions for Fallback Bridging 917
Information about Fallback Bridging 918
Fallback Bridging Overview 918
Example: Fallback Bridging Network 919
How to Configure Fallback Bridging 919
Creating a Bridge Group 919
Adjusting Spanning Tree Parameters 921
Adjusting BPDU Intervals 925
Adjusting the Intervals Between Hello BPDUs 925
Changing the Forward-Delay Interval 926
Changing the Maximum-Idle Interval 927
Disabling the Spanning Tree on an Interface 929
Monitoring and Maintaining Fallback Bridging 930
Default Fallback Bridging Configuration 930

PART VIII Multicast Routing 933

CHAPTER 38 IP Multicast Routing Technology Overview 935

Finding Feature Information 935
Information About IP Multicast Technology 935
Role of IP Multicast in Information Delivery 935
IP Multicast Routing Protocols 935
Multicast Group Transmission Scheme 936
IP Multicast Boundary 938
IP Multicast Group Addressing 939
IP Class D Addresses 939
IP Multicast Address Scoping 939
Layer 2 Multicast Addresses 941
IP Multicast Delivery Modes 941
Source Specific Multicast 941

CHAPTER 39 Configuring IGMP 943

Finding Feature Information 943
Prerequisites for IGMP 943
Restrictions for Configuring IGMP 944
Information About IGMP 944
Role of the Internet Group Management Protocol 944
IGMP Multicast Addresses 944
IGMP Versions 945
IGMP Version 1 945
IGMP Version 2 945
IGMP Version 3 945
IGMPv3 Host Signalling 946
IGMP Versions Differences 946
IGMP Join and Leave Process 948
IGMP Join Process 948
IGMP Leave Process 948
Default IGMP Configuration 949
How to Configure IGMP 950
Configuring the Switch as a Member of a Group 950
Controlling Access to IP Multicast Group 951
Changing the IGMP Version 953
Modifying the IGMP Host-Query Message Interval 955
Changing the IGMP Query Timeout for IGMPv2 956
Changing the Maximum Query Response Time for IGMPv2 958
Configuring the Switch as a Statically Connected Member 959
Monitoring IGMP 960
Configuration Examples for IGMP 961
Example: Configuring the Switch as a Member of a Multicast Group 961
Example: Controlling Access to IP Multicast Groups 962

CHAPTER 40 Configuring CGMP 963

Finding Feature Information 963
Prerequisites for Configuring CGMP 963
Restrictions for CGMP 963
Information About CGMP 964
Enabling CGMP Server Support 964
Monitoring CGMP 966

CHAPTER 41 Configuring PIM 969

Prerequisites for PIM 969
Restrictions for PIM 970
PIMv1 and PIMv2 Interoperability 970
Restrictions for Configuring PIM Stub Routing 970
Restrictions for Configuring Auto-RP and BSR 971
Information About PIM 972
Protocol Independent Multicast 972
PIM Dense Mode 972
PIM Sparse Mode 973
Sparse-Dense Mode 973
PIM Versions 974
PIM Stub Routing 974
IGMP Helper 975
Rendezvous Points 976
Auto-RP 976
Sparse-Dense Mode for Auto-RP 977
Bootstrap Router 977
PIM Domain Border 977
Multicast Forwarding 978
Multicast Distribution Source Tree 978
Multicast Distribution Shared Tree 979
Source Tree Advantage 979
Shared Tree Advantage 980
PIM Shared Tree and Source Tree 980
Reverse Path Forwarding 982
RPF Check 982
Default PIM Routing Configuration 983
How to Configure PIM 984
Enabling PIM Stub Routing 984
Configuring a Rendezvous Point 985
Manually Assigning an RP to Multicast Groups 986
Setting Up Auto-RP in a New Internetwork 988
Adding Auto-RP to an Existing Sparse-Mode Cloud 991
Configuring Sparse Mode with a Single Static RP 994
Preventing Join Messages to False RPs 996
Filtering Incoming RP Announcement Messages 996
Configuring PIMv2 BSR 998
Defining the PIM Domain Border 998
Defining the IP Multicast Boundary 1000
Configuring Candidate BSRs 1001
Configuring the Candidate RPs 1003
Delaying the Use of PIM Shortest-Path Tree 1005
Modifying the PIM Router-Query Message Interval 1007
Verifying PIM Operations 1008
Verifying IP Multicast Operation in a PIM-SM or a PIM-SSM Network 1008
Using PIM-Enabled Routers to Test IP Multicast Reachability 1014
Monitoring and Troubleshooting PIM 1016
Monitoring PIM Information 1016
Monitoring the RP Mapping and BSR Information 1016
Troubleshooting PIMv1 and PIMv2 Interoperability Problems 1017
Configuration Examples for PIM 1017
Example: Enabling PIM Stub Routing 1017
Example: Verifying PIM Stub Routing 1018
Example: Manually Assigning an RP to Multicast Groups 1018
Example: Configuring Auto-RP 1018
Example: Defining the IP Multicast Boundary to Deny Auto-RP Information 1018
Example: Filtering Incoming RP Announcement Messages 1018
Example: Preventing Join Messages to False RPs 1019
Example: Configuring Candidate BSRs 1019
Example: Configuring Candidate RPs 1019

CHAPTER 42 Configuring HSRP Aware PIM 1021

HSRP Aware PIM 1021
Finding Feature Information 1021
Restrictions for HSRP Aware PIM 1021
Information About HSRP Aware PIM 1022
HSRP 1022
HSRP Aware PIM 1022
How to Configure HSRP Aware PIM 1023
Configuring an HSRP Group on an Interface 1023
Configuring PIM Redundancy 1025
Configuration Examples for HSRP Aware PIM 1026
Example: Configuring an HSRP Group on an Interface 1026
Example: Configuring PIM Redundancy 1026

CHAPTER 43 Configuring VRRP Aware PIM 1027

VRRP Aware PIM 1027
Finding Feature Information 1027
Restrictions for VRRP Aware PIM 1027
Information About VRRP Aware PIM 1028
Overview of VRRP Aware PIM 1028
How to Configure VRRP Aware PIM 1028
Configuring VRRP Aware PIM 1028
Configuration Examples for VRRP Aware PIM 1030
Example: VRRP Aware PIM 1030

CHAPTER 44 Configuring Basic IP Multicast Routing 1031

Finding Feature Information 1031
Prerequisites for Basic IP Multicast Routing 1031
Restrictions for Basic IP Multicast Routing 1032
Information About Basic IP Multicast Routing 1032
Default IP Multicast Routing Configuration 1032
sdr Listener Support 1033
How to Configure Basic IP Multicast Routing 1033
Configuring Basic IP Multicast Routing 1033
Configuring Optional IP Multicast Routing Features 1035
Defining the IP Multicast Boundary 1035
Configuring Multicast VRFs 1037
Advertising Multicast Multimedia Sessions Using SAP Listener 1039
Monitoring and Maintaining Basic IP Multicast Routing 1040
Clearing Caches, Tables, and Databases 1040
Displaying System and Network Statistics 1041

CHAPTER 45 Configuring SSM 1043

Finding Feature Information 1043
Prerequisites for Configuring SSM 1043
Restrictions for Configuring SSM 1044
Information About SSM and SSM Mapping 1045
SSM Components 1045
How SSM Differs from Internet Standard Multicast 1045
SSM Operations 1046
IGMPv3 Host Signaling 1046
Benefits of SSM 1047
SSM Mapping Overview 1048
Static SSM Mapping 1048
DNS-Based SSM Mapping 1048
SSM Mapping Benefits 1050
How to Configure SSM and SSM Mapping 1050
Configuring SSM 1050
Configuring SSM Mapping 1052
Configuring Static SSM Mapping 1052
Configuring DNS-Based SSM Mapping 1054
Configuring Static Traffic Forwarding with SSM Mapping 1056
Verifying SSM Mapping Configuration and Operation 1057
Monitoring SSM and SSM Mapping 1059
Monitoring SSM 1059
Monitoring SSM Mapping 1059
Configuration Examples for SSM and SSM Mapping 1060
SSM with IGMPv3 Example 1060
SSM Filtering Example 1060
SSM Mapping Example 1061
DNS Server Configuration Example 1063

CHAPTER 46 Configuring IGMP Snooping and Multicast VLAN Registration 1065

Finding Feature Information 1065
Prerequisites for Configuring IGMP Snooping and MVR 1065
Prerequisites for IGMP Snooping 1065
Prerequisites for MVR 1066
Restrictions for Configuring IGMP Snooping and MVR 1066
Restrictions for IGMP Snooping 1066
Restrictions for MVR 1067
Information About IGMP Snooping and MVR 1068
IGMP Snooping 1068
IGMP Versions 1069
Joining a Multicast Group 1069
Leaving a Multicast Group 1070
Immediate Leave 1071
IGMP Configurable-Leave Timer 1071
IGMP Report Suppression 1071
Default IGMP Snooping Configuration 1072
Multicast VLAN Registration 1072
MVR and IGMP 1072
Modes of Operation 1073
MVR in a Multicast Television Application 1073
Default MVR Configuration 1075
IGMP Filtering and Throttling 1075
Default IGMP Filtering and Throttling Configuration 1076
How to Configure IGMP Snooping and MVR 1076
Enabling or Disabling IGMP Snooping on a Switch 1076
Enabling or Disabling IGMP Snooping on a VLAN Interface 1078
Setting the Snooping Method 1079
Configuring a Multicast Router Port 1080
Configuring a Host Statically to Join a Group 1082
Enabling IGMP Immediate Leave 1083
Configuring the IGMP Leave Timer 1084
Configuring TCN-Related Commands 1086
Controlling the Multicast Flooding Time After a TCN Event 1086
Recovering from Flood Mode 1087
Disabling Multicast Flooding During a TCN Event 1088
Configuring the IGMP Snooping Querier 1090
Disabling IGMP Report Suppression 1092
Configuring MVR Global Parameters 1093
Configuring MVR Interfaces 1096
Configuring IGMP Profiles 1098
Applying IGMP Profiles 1100
Setting the Maximum Number of IGMP Groups 1101
Configuring the IGMP Throttling Action 1103
Monitoring IGMP Snooping and MVR 1105
Monitoring IGMP Snooping Information 1105
Monitoring MVR 1106
Monitoring IGMP Filtering and Throttling Configuration 1107
Configuration Examples for IGMP Snooping and MVR 1108
Example: Configuring IGMP Snooping Using CGMP Packets 1108
Example: Enabling a Static Connection to a Multicast Router 1108
Example: Configuring a Host Statically to Join a Group 1108
Example: Enabling IGMP Immediate Leave 1108
Example: Setting the IGMP Snooping Querier Source Address 1108
Example: Setting the IGMP Snooping Querier Maximum Response Time 1109
Example: Setting the IGMP Snooping Querier Timeout 1109
Example: Setting the IGMP Snooping Querier Feature 1109
Example: Configuring IGMP Profiles 1109
Example: Applying IGMP Profile 1110
Example: Setting the Maximum Number of IGMP Groups 1110
Example: Configuring MVR Global Parameters 1110
Example: Configuring MVR Interfaces 1110

CHAPTER 47 Configuring MSDP 1111

Finding Feature Information 1111
Prerequisites for MSDP 1111
Information About Multicast Source Discovery Protocol 1111
1111
MSDP Benefits 1113
Default MSDP Peers 1114
MSDP Mesh Groups 1115
Benefits of MSDP Mesh Groups 1115
SA Origination Filters 1115
Use of Outgoing Filter Lists in MSDP 1116
Use of Incoming Filter Lists in MSDP 1116
TTL Thresholds in MSDP 1117
MSDP Message Types 1118
SA Messages 1118
SA Request Messages 1118
SA Response Messages 1118
Keepalive Messages 1118
Default MSDP Configuration 1118
How to Configure MSDP 1118
Configuring a Default MSDP Peer 1118
Caching Source-Active State 1120
Requesting Source Information from an MSDP Peer 1122
Controlling Source Information that Your Switch Originates 1123
Redistributing Sources 1123
Filtering Source-Active Request Messages 1125
Controlling Source Information that Your Switch Forwards 1127
Using a Filter 1127
Using TTL to Limit the Multicast Data Sent in SA Messages 1129
Controlling Source Information that Your Switch Receives 1130
Configuring an MSDP Mesh Group 1132
Shutting Down an MSDP Peer 1133
Including a Bordering PIM Dense-Mode Region in MSDP 1134
Configuring an Originating Address other than the RP Address 1136
Monitoring and Maintaining MSDP 1137
Monitoring MSDP 1137
Clearing MSDP Connections Statistics and SA Cache Entries 1140
Configuration Examples for Configuring MSDP 1141
Configuring a Default MSDP Peer: Example 1141
Caching Source-Active State: Example 1141
Requesting Source Information from an MSDP Peer: Example 1141
Controlling Source Information that Your Switch Originates: Example 1142
Controlling Source Information that Your Switch Forwards: Example 1142
Controlling Source Information that Your Switch Receives: Example 1142
Example: Configuring MSDP Mesh Groups 1142
Requesting Source Information from an MSDP Peer: Example 1143

PART IX Security 1145

CHAPTER 48 Security Features Overview 1147

Security Features Overview 1147

CHAPTER 49 Preventing Unauthorized Access 1151

Finding Feature Information 1151
Preventing Unauthorized Access 1151

CHAPTER 50 Controlling Switch Access with Passwords and Privilege Levels 1153

Finding Feature Information 1153
Restrictions for Controlling Switch Access with Passwords and Privileges 1153
Information About Passwords and Privilege Levels 1154
Default Password and Privilege Level Configuration 1154
Additional Password Security 1154
Password Recovery 1154
Terminal Line Telnet Configuration 1155
Username and Password Pairs 1155
Privilege Levels 1155
How to Control Switch Access with Passwords and Privilege Levels 1156
Setting or Changing a Static Enable Password 1156
Protecting Enable and Enable Secret Passwords with Encryption 1158
Disabling Password Recovery 1159
Setting a Telnet Password for a Terminal Line 1161
Configuring Username and Password Pairs 1162
Setting the Privilege Level for a Command 1164
Changing the Default Privilege Level for Lines 1166
Logging into and Exiting a Privilege Level 1167
Monitoring Switch Access 1168
Configuration Examples for Setting Passwords and Privilege Levels 1168
Example: Setting or Changing a Static Enable Password 1168
Example: Protecting Enable and Enable Secret Passwords with Encryption 1168
Example: Setting a Telnet Password for a Terminal Line 1168
Example: Setting the Privilege Level for a Command 1169

CHAPTER 51 Configuring TACACS+ 1171

Finding Feature Information 1171
Prerequisites for TACACS+ 1171
Information About TACACS+ 1173
TACACS+ and Switch Access 1173
TACACS+ Overview 1173
TACACS+ Operation 1174
Method List 1175
TACACS+ Configuration Options 1175
TACACS+ Login Authentication 1175
TACACS+ Authorization for Privileged EXEC Access and Network Services 1176
TACACS+ Accounting 1176
Default TACACS+ Configuration 1176
How to Configure TACACS+ 1176
Identifying the TACACS+ Server Host and Setting the Authentication Key 1177
Configuring TACACS+ Login Authentication 1178
Configuring TACACS+ Authorization for Privileged EXEC Access and Network Services 1181
Starting TACACS+ Accounting 1182
Establishing a Session with a Router if the AAA Server is Unreachable 1184
Monitoring TACACS+ 1184

CHAPTER 52 Configuring RADIUS 1185

Finding Feature Information 1185
Prerequisites for Configuring RADIUS 1185
Restrictions for Configuring RADIUS 1186
Information about RADIUS 1187
RADIUS and Switch Access 1187
RADIUS Overview 1187
RADIUS Operation 1188
RADIUS Change of Authorization 1189
Change-of-Authorization Requests 1190
CoA Request Response Code 1192
CoA Request Commands 1193
Default RADIUS Configuration 1195
RADIUS Server Host 1195
RADIUS Login Authentication 1196
AAA Server Groups 1196
AAA Authorization 1197
RADIUS Accounting 1197
Vendor-Specific RADIUS Attributes 1197
Vendor-Proprietary RADIUS Server Communication 1209
How to Configure RADIUS 1209
Identifying the RADIUS Server Host 1209
Configuring RADIUS Login Authentication 1212
Defining AAA Server Groups 1214
Configuring RADIUS Authorization for User Privileged Access and Network Services 1217
Starting RADIUS Accounting 1218
Configuring Settings for All RADIUS Servers 1220
Configuring the Switch to Use Vendor-Specific RADIUS Attributes 1222
Configuring the Switch for Vendor-Proprietary RADIUS Server Communication 1223
Configuring CoA on the Switch 1225
Monitoring CoA Functionality 1227
Configuration Examples for Controlling Switch Access with RADIUS 1228
Examples: Identifying the RADIUS Server Host 1228
Example: Using Two Different RADIUS Group Servers 1228
Examples: Configuring the Switch to Use Vendor-Specific RADIUS Attributes 1228
Example: Configuring the Switch for Vendor-Proprietary RADIUS Server Communication 1229

CHAPTER 53 Configuring Kerberos 1231

Finding Feature Information 1231


Prerequisites for Controlling Switch Access with Kerberos 1231
Information about Kerberos 1232

Kerberos and Switch Access 1232
Kerberos Overview 1232
Kerberos Operation 1234
Authenticating to a Boundary Switch 1234
Obtaining a TGT from a KDC 1235
Authenticating to Network Services 1235
How to Configure Kerberos 1235
Monitoring the Kerberos Configuration 1235

CHAPTER 54 Configuring Local Authentication and Authorization 1237

Finding Feature Information 1237


How to Configure Local Authentication and Authorization 1237
Configuring the Switch for Local Authentication and Authorization 1237
Monitoring Local Authentication and Authorization 1240

CHAPTER 55 Configuring Secure Shell (SSH) 1241

Finding Feature Information 1241


Prerequisites for Configuring Secure Shell 1241
Restrictions for Configuring Secure Shell 1242
Information about SSH 1242
SSH and Switch Access 1242
SSH Servers, Integrated Clients, and Supported Versions 1243
SSH Configuration Guidelines 1243
Secure Copy Protocol Overview 1244
Secure Copy Protocol 1244
How to Configure SSH 1245
Setting Up the Switch to Run SSH 1245
Configuring the SSH Server 1246
Monitoring the SSH Configuration and Status 1249

CHAPTER 56 Configuring Secure Socket Layer HTTP 1251

Finding Feature Information 1251


Information about Secure Sockets Layer (SSL) HTTP 1251
Secure HTTP Servers and Clients Overview 1251

Certificate Authority Trustpoints 1252
CipherSuites 1253
Default SSL Configuration 1254
SSL Configuration Guidelines 1254
How to Configure Secure HTTP Servers and Clients 1254
Configuring a CA Trustpoint 1254
Configuring the Secure HTTP Server 1257
Configuring the Secure HTTP Client 1259
Monitoring Secure HTTP Server and Client Status 1260

CHAPTER 57 Configuring IPv4 ACLs 1263

Finding Feature Information 1263


Prerequisites for Configuring IPv4 Access Control Lists 1263
Restrictions for Configuring IPv4 Access Control Lists 1263
Information about Network Security with ACLs 1265
ACL Overview 1265
Access Control Entries 1265
ACL Supported Types 1265
Supported ACLs 1265
ACL Precedence 1266
Port ACLs 1266
Router ACLs 1267
VLAN Maps 1268
ACEs and Fragmented and Unfragmented Traffic 1268
ACEs and Fragmented and Unfragmented Traffic Examples 1268
Standard and Extended IPv4 ACLs 1269
IPv4 ACL Switch Unsupported Features 1270
Access List Numbers 1270
Numbered Standard IPv4 ACLs 1271
Numbered Extended IPv4 ACLs 1271
Named IPv4 ACLs 1272
ACL Logging 1272
Hardware and Software Treatment of IP ACLs 1273
VLAN Map Configuration Guidelines 1273

VLAN Maps with Router ACLs 1274
VLAN Maps and Router ACL Configuration Guidelines 1274
VACL Logging 1275
Time Ranges for ACLs 1275
IPv4 ACL Interface Considerations 1276
How to Configure ACLs 1276
Configuring IPv4 ACLs 1276
Creating a Numbered Standard ACL 1277
Creating a Numbered Extended ACL 1278
Creating Named Standard ACLs 1282
Creating Extended Named ACLs 1283
Configuring Time Ranges for ACLs 1285
Applying an IPv4 ACL to a Terminal Line 1287
Applying an IPv4 ACL to an Interface 1288
Creating Named MAC Extended ACLs 1290
Applying a MAC ACL to a Layer 2 Interface 1291
Configuring VLAN Maps 1293
Creating a VLAN Map 1295
Applying a VLAN Map to a VLAN 1296
Monitoring IPv4 ACLs 1297
Configuration Examples for ACLs 1298
Examples: Using Time Ranges with ACLs 1298
Examples: Including Comments in ACLs 1299
IPv4 ACL Configuration Examples 1300
ACLs in a Small Networked Office 1300
Examples: ACLs in a Small Networked Office 1300
Example: Numbered ACLs 1301
Examples: Extended ACLs 1301
Examples: Named ACLs 1302
Examples: Time Range Applied to an IP ACL 1303
Examples: Configuring Commented IP ACL Entries 1303
Examples: ACL Logging 1304
Configuration Examples for ACLs and VLAN Maps 1305
Example: Creating an ACL and a VLAN Map to Deny a Packet 1305

Example: Creating an ACL and a VLAN Map to Permit a Packet 1305
Example: Default Action of Dropping IP Packets and Forwarding MAC Packets 1305
Example: Default Action of Dropping MAC Packets and Forwarding IP Packets 1306
Example: Default Action of Dropping All Packets 1307
Configuration Examples for Using VLAN Maps in Your Network 1307
Example: Wiring Closet Configuration 1307
Example: Restricting Access to a Server on Another VLAN 1308
Example: Denying Access to a Server on Another VLAN 1309
Configuration Examples of Router ACLs and VLAN Maps Applied to VLANs 1309
Example: ACLs and Switched Packets 1309
Example: ACLs and Bridged Packets 1310
Example: ACLs and Routed Packets 1310
Example: ACLs and Multicast Packets 1311

CHAPTER 58 Configuring IPv6 ACLs 1313


Finding Feature Information 1313
IPv6 ACLs Overview 1313
Interactions with Other Features and Switches 1314
Restrictions for IPv6 ACLs 1314
Default Configuration for IPv6 ACLs 1315
Configuring IPv6 ACLs 1315
Attaching an IPv6 ACL to an Interface 1319
Monitoring IPv6 ACLs 1320

CHAPTER 59 Configuring DHCP 1323

Finding Feature Information 1323


Information About DHCP 1323
DHCP Server 1323
DHCP Relay Agent 1323
DHCP Snooping 1324
Option-82 Data Insertion 1325
Cisco IOS DHCP Server Database 1328
DHCP Snooping Binding Database 1328
How to Configure DHCP Features 1330

Default DHCP Snooping Configuration 1330
DHCP Snooping Configuration Guidelines 1331
Configuring the DHCP Server 1331
Configuring the DHCP Relay Agent 1331
Specifying the Packet Forwarding Address 1332
Prerequisites for Configuring DHCP Snooping and Option 82 1334
Enabling DHCP Snooping and Option 82 1335
Enabling the Cisco IOS DHCP Server Database 1339
Monitoring DHCP Snooping Information 1339
Configuring DHCP Server Port-Based Address Allocation 1339
Information About Configuring DHCP Server Port-Based Address Allocation 1339
Default Port-Based Address Allocation Configuration 1340
Port-Based Address Allocation Configuration Guidelines 1340
Enabling the DHCP Snooping Binding Database Agent 1340
Enabling DHCP Server Port-Based Address Allocation 1342
Monitoring DHCP Server Port-Based Address Allocation 1344

CHAPTER 60 Configuring IP Source Guard 1345

Finding Feature Information 1345


Information About IP Source Guard 1345
IP Source Guard 1345
IP Source Guard for Static Hosts 1346
IP Source Guard Configuration Guidelines 1347
How to Configure IP Source Guard 1347
Enabling IP Source Guard 1347
Configuring IP Source Guard for Static Hosts on a Layer 2 Access Port 1349
Monitoring IP Source Guard 1351

CHAPTER 61 Configuring Dynamic ARP Inspection 1353


Finding Feature Information 1353
Restrictions for Dynamic ARP Inspection 1353
Understanding Dynamic ARP Inspection 1355
Interface Trust States and Network Security 1356
Rate Limiting of ARP Packets 1357

Relative Priority of ARP ACLs and DHCP Snooping Entries 1358
Logging of Dropped Packets 1358
Default Dynamic ARP Inspection Configuration 1358
Relative Priority of ARP ACLs and DHCP Snooping Entries 1359
Configuring ARP ACLs for Non-DHCP Environments 1359
Configuring Dynamic ARP Inspection in DHCP Environments 1362
Limiting the Rate of Incoming ARP Packets 1364
Performing Dynamic ARP Inspection Validation Checks 1366
Monitoring DAI 1368
Verifying the DAI Configuration 1368

CHAPTER 62 Configuring IEEE 802.1x Port-Based Authentication 1371


Finding Feature Information 1371
Information About 802.1x Port-Based Authentication 1371
Port-Based Authentication Process 1372
Port-Based Authentication Initiation and Message Exchange 1374
Authentication Manager for Port-Based Authentication 1375
Port-Based Authentication Methods 1375
Per-User ACLs and Filter-Ids 1376
Port-Based Authentication Manager CLI Commands 1377
Ports in Authorized and Unauthorized States 1378
802.1x Host Mode 1379
802.1x Multiple Authentication Mode 1380
Multi-auth Per User VLAN Assignment 1380
MAC Move 1382
MAC Replace 1382
802.1x Accounting 1383
802.1x Accounting Attribute-Value Pairs 1383
802.1x Readiness Check 1384
Switch-to-RADIUS-Server Communication 1385
802.1x Authentication with VLAN Assignment 1385
802.1x Authentication with Per-User ACLs 1387
802.1x Authentication with Downloadable ACLs and Redirect URLs 1387
Cisco Secure ACS and Attribute-Value Pairs for the Redirect URL 1389

Cisco Secure ACS and Attribute-Value Pairs for Downloadable ACLs 1390
VLAN ID-based MAC Authentication 1390
802.1x Authentication with Guest VLAN 1390
802.1x Authentication with Restricted VLAN 1391
802.1x Authentication with Inaccessible Authentication Bypass 1392
Inaccessible Authentication Bypass Support on Multiple-Authentication Ports 1392
Inaccessible Authentication Bypass Authentication Results 1393
Inaccessible Authentication Bypass Feature Interactions 1393
802.1x Critical Voice VLAN 1394
802.1x User Distribution 1394
802.1x User Distribution Configuration Guidelines 1395
IEEE 802.1x Authentication with Voice VLAN Ports 1395
IEEE 802.1x Authentication with Port Security 1396
IEEE 802.1x Authentication with Wake-on-LAN 1396
IEEE 802.1x Authentication with MAC Authentication Bypass 1396
Network Admission Control Layer 2 IEEE 802.1x Validation 1398
Flexible Authentication Ordering 1398
Open1x Authentication 1399
Multidomain Authentication 1399
802.1x Supplicant and Authenticator Switches with Network Edge Access Topology (NEAT) 1401
Voice Aware 802.1x Security 1402
Common Session ID 1403
How to Configure 802.1x Port-Based Authentication 1403
Default 802.1x Authentication Configuration 1403
802.1x Authentication Configuration Guidelines 1405
802.1x Authentication 1405
VLAN Assignment, Guest VLAN, Restricted VLAN, and Inaccessible Authentication Bypass 1406
MAC Authentication Bypass 1406
Maximum Number of Allowed Devices Per Port 1407
Configuring 802.1x Readiness Check 1407
Configuring Voice Aware 802.1x Security 1409
Configuring 802.1x Violation Modes 1411
Configuring 802.1x Authentication 1412

Configuring 802.1x Port-Based Authentication 1413
Configuring the Switch-to-RADIUS-Server Communication 1415
Configuring the Host Mode 1417
Configuring Periodic Re-Authentication 1418
Changing the Quiet Period 1419
Changing the Switch-to-Client Retransmission Time 1421
Setting the Switch-to-Client Frame-Retransmission Number 1422
Setting the Re-Authentication Number 1423
Enabling MAC Move 1424
Enabling MAC Replace 1425
Configuring 802.1x Accounting 1427
Configuring a Guest VLAN 1428
Configuring a Restricted VLAN 1430
Configuring Number of Authentication Attempts on a Restricted VLAN 1431
Configuring 802.1x Inaccessible Authentication Bypass with Critical Voice VLAN 1433
Example of Configuring Inaccessible Authentication Bypass 1436
Configuring 802.1x Authentication with WoL 1436
Configuring MAC Authentication Bypass 1438
Formatting a MAC Authentication Bypass Username and Password 1439
Configuring 802.1x User Distribution 1440
Example of Configuring VLAN Groups 1441
Configuring NAC Layer 2 802.1x Validation 1442
Configuring an Authenticator Switch with NEAT 1443
Configuring a Supplicant Switch with NEAT 1445
Configuring 802.1x Authentication with Downloadable ACLs and Redirect URLs 1448
Configuring Downloadable ACLs 1448
Configuring a Downloadable Policy 1450
Configuring VLAN ID-based MAC Authentication 1452
Configuring Flexible Authentication Ordering 1453
Configuring Open1x 1454
Disabling 802.1x Authentication on the Port 1456
Resetting the 802.1x Authentication Configuration to the Default Values 1457
Monitoring 802.1x Statistics and Status 1458

CHAPTER 63 Configuring Web-Based Authentication 1461

Finding Feature Information 1461


Web-Based Authentication Overview 1461
Device Roles 1462
Host Detection 1462
Session Creation 1463
Authentication Process 1463
Local Web Authentication Banner 1464
Web Authentication Customizable Web Pages 1466
Guidelines 1466
Authentication Proxy Web Page Guidelines 1468
Redirection URL for Successful Login Guidelines 1468
Web-based Authentication Interactions with Other Features 1469
Port Security 1469
LAN Port IP 1469
Gateway IP 1469
ACLs 1469
Context-Based Access Control 1469
EtherChannel 1469
How to Configure Web-Based Authentication 1470
Default Web-Based Authentication Configuration 1470
Web-Based Authentication Configuration Guidelines and Restrictions 1470
Configuring the Authentication Rule and Interfaces 1471
Configuring AAA Authentication 1473
Configuring Switch-to-RADIUS-Server Communication 1475
Configuring the HTTP Server 1476
Customizing the Authentication Proxy Web Pages 1478
Specifying a Redirection URL for Successful Login 1479
Configuring the Web-Based Authentication Parameters 1480
Configuring a Web-Based Authentication Local Banner 1481
Configuring Web-Based Authentication without SVI 1482
Configuring Web-Based Authentication with VRF Aware 1484
Removing Web-Based Authentication Cache Entries 1485

Monitoring Web-Based Authentication Status 1486

CHAPTER 64 Configuring Port-Based Traffic Control 1487


Overview of Port-Based Traffic Control 1487
Finding Feature Information 1488
Information About Storm Control 1488
Storm Control 1488
How Traffic Activity is Measured 1488
Traffic Patterns 1489
How to Configure Storm Control 1490
Configuring Storm Control and Threshold Levels 1490
Configuring Storm Control and Threshold Levels 1492
Configuring Small-Frame Arrival Rate 1495
Information About Protected Ports 1497
Protected Ports 1497
Default Protected Port Configuration 1498
Protected Ports Guidelines 1498
How to Configure Protected Ports 1498
Configuring a Protected Port 1498
Monitoring Protected Ports 1499
Where to Go Next 1500
Information About Port Blocking 1500
Port Blocking 1500
How to Configure Port Blocking 1500
Blocking Flooded Traffic on an Interface 1500
Monitoring Port Blocking 1502
Prerequisites for Port Security 1502
Restrictions for Port Security 1502
Information About Port Security 1502
Port Security 1502
Types of Secure MAC Addresses 1503
Sticky Secure MAC Addresses 1503
Security Violations 1503
Port Security Aging 1505

Default Port Security Configuration 1505
Port Security Configuration Guidelines 1505
Overview of Port-Based Traffic Control 1507
How to Configure Port Security 1507
Enabling and Configuring Port Security 1507
Enabling and Configuring Port Security Aging 1512
Finding Feature Information 1514
Information About Storm Control 1514
Storm Control 1514
How Traffic Activity is Measured 1514
Traffic Patterns 1515
How to Configure Storm Control 1516
Configuring Storm Control and Threshold Levels 1516
Configuring Storm Control and Threshold Levels 1518
Configuring Small-Frame Arrival Rate 1521
Information About Protected Ports 1523
Protected Ports 1523
Default Protected Port Configuration 1523
Protected Ports Guidelines 1523
How to Configure Protected Ports 1524
Configuring a Protected Port 1524
Monitoring Protected Ports 1525
Where to Go Next 1525
Information About Port Blocking 1525
Port Blocking 1525
How to Configure Port Blocking 1526
Blocking Flooded Traffic on an Interface 1526
Monitoring Port Blocking 1528
Configuration Examples for Port Security 1528
Information About Protocol Storm Protection 1529
Protocol Storm Protection 1529
Default Protocol Storm Protection Configuration 1529
How to Configure Protocol Storm Protection 1529
Enabling Protocol Storm Protection 1529

Monitoring Protocol Storm Protection 1531

CHAPTER 65 Configuring IPv6 First Hop Security 1533


Finding Feature Information 1533
Prerequisites for First Hop Security in IPv6 1533
Restrictions for First Hop Security in IPv6 1534
Information about First Hop Security in IPv6 1534
How to Configure an IPv6 Snooping Policy 1536
How to Attach an IPv6 Snooping Policy to an Interface 1538
How to Attach an IPv6 Snooping Policy to a Layer 2 EtherChannel Interface 1539
How to Configure the IPv6 Binding Table Content 1540

How to Configure an IPv6 Neighbor Discovery Inspection Policy 1542
How to Attach an IPv6 Neighbor Discovery Inspection Policy to an Interface 1544
How to Attach an IPv6 Neighbor Discovery Inspection Policy to a Layer 2 EtherChannel Interface 1545
How to Configure an IPv6 Router Advertisement Guard Policy 1546
How to Attach an IPv6 Router Advertisement Guard Policy to an Interface 1548
How to Attach an IPv6 Router Advertisement Guard Policy to a Layer 2 EtherChannel Interface 1549
How to Configure an IPv6 DHCP Guard Policy 1550
How to Attach an IPv6 DHCP Guard Policy to an Interface or a VLAN on an Interface 1553
How to Attach an IPv6 DHCP Guard Policy to a Layer 2 EtherChannel Interface 1554
How to Configure IPv6 Source Guard 1555
How to Attach an IPv6 Source Guard Policy to an Interface 1556
How to Configure IPv6 Source Guard 1557
How to Attach an IPv6 Source Guard Policy to an Interface 1558
How to Attach an IPv6 Source Guard Policy to a Layer 2 EtherChannel Interface 1559
How to Configure IPv6 Prefix Guard 1560
How to Attach an IPv6 Prefix Guard Policy to an Interface 1561
How to Attach an IPv6 Prefix Guard Policy to a Layer 2 EtherChannel Interface 1562

CHAPTER 66 Configuring FIPS 1565


Information About FIPS and Common Criteria 1565

PART X System Management 1567

CHAPTER 67 Administering the System 1569


Information About Administering the Switch 1569
System Time and Date Management 1569
System Clock 1569
Real Time Clock 1570
Network Time Protocol 1570
NTP Stratum 1571
NTP Associations 1572
NTP Security 1572
NTP Implementation 1572
NTP Version 4 1573
System Name and Prompt 1573
Default System Name and Prompt Configuration 1573
DNS 1573
Default DNS Settings 1574
Login Banners 1574
Default Banner Configuration 1574
MAC Address Table 1574
MAC Address Table Creation 1575
MAC Addresses and VLANs 1575
Default MAC Address Table Settings 1575
ARP Table Management 1575
How to Administer the Switch 1576
Configuring the Time and Date Manually 1576
Setting the System Clock 1576
Configuring the Time Zone 1577
Configuring Summer Time (Daylight Saving Time) 1578
Configuring a System Name 1581
Setting Up DNS 1582
Configuring a Message-of-the-Day Login Banner 1584
Configuring a Login Banner 1585

Managing the MAC Address Table 1587
Changing the Address Aging Time 1587
Configuring MAC Address Change Notification Traps 1588
Configuring MAC Address Move Notification Traps 1590
Configuring MAC Threshold Notification Traps 1592
Adding and Removing Static Address Entries 1594
Configuring Unicast MAC Address Filtering 1595
Monitoring and Maintaining Administration of the Switch 1597
Configuration Examples for Switch Administration 1598
Example: Setting the System Clock 1598
Examples: Configuring Summer Time 1598
Example: Configuring a MOTD Banner 1598
Example: Configuring a Login Banner 1599
Example: Configuring MAC Address Change Notification Traps 1599
Example: Configuring MAC Threshold Notification Traps 1599
Example: Adding the Static Address to the MAC Address Table 1599
Example: Configuring Unicast MAC Address Filtering 1600

CHAPTER 68 Performing Switch Setup Configuration 1601


Information About Performing Switch Setup Configuration 1601
Boot Process 1601
Switch Information Assignment 1602
Default Switch Information 1602
DHCP-Based Autoconfiguration Overview 1603
DHCP Client Request Process 1603
DHCP-based Autoconfiguration and Image Update 1604
Restrictions for DHCP-based Autoconfiguration 1604
DHCP Autoconfiguration 1605
DHCP Auto-Image Update 1605
DHCP Server Configuration Guidelines 1605
Purpose of the DNS Server 1606
How to Obtain Configuration Files 1606
How to Control Environment Variables 1607
Common Environment Variables 1608

Environment Variables for TFTP 1609
Scheduled Reload of the Software Image 1610
How to Perform Switch Setup Configuration 1610
Configuring DHCP Autoconfiguration (Only Configuration File) 1610
Configuring DHCP Auto-Image Update (Configuration File and Image) 1613
Configuring the Client to Download Files from DHCP Server 1616
Manually Assigning IP Information to Multiple SVIs 1617
Configuring the NVRAM Buffer Size 1619
Modifying the Switch Startup Configuration 1620
Specifying the Filename to Read and Write the System Configuration 1620
Manually Booting the Switch 1621
Configuring a Scheduled Software Image Reload 1622
Monitoring Switch Setup Configuration 1623
Example: Verifying the Switch Running Configuration 1623
Examples: Displaying Software Install 1624
Configuration Examples for Performing Switch Setup 1624
Example: Configuring a Switch as a DHCP Server 1624
Example: Configuring DHCP Auto-Image Update 1625
Example: Configuring a Switch to Download Configurations from a DHCP Server 1625
Example: Configuring NVRAM Buffer Size 1626

CHAPTER 69 Configuring Right-To-Use Licenses 1627


Finding Feature Information 1627
Restrictions for Configuring RTU Licenses 1627
Information About Configuring RTU Licenses 1628
Right-To-Use Licensing 1628
Right-To-Use Image-Based Licenses 1628
Right-To-Use License States 1629
Mobility Controller Mode 1629
Right-To-Use Adder AP-Count Rehosting Licenses 1629
How to Configure RTU Licenses 1630
Activating an Image-Based License 1630
Activating an AP-Count License 1631
Obtaining an Upgrade or Capacity Adder License 1632

Rehosting a License 1632
Monitoring and Maintaining RTU Licenses 1633
Configuration Examples for RTU Licensing 1633
Examples: Activating RTU Image Based Licenses 1633
Examples: Displaying RTU Licensing Information 1634
Example: Displaying RTU License Details 1634
Example: Displaying RTU License Mismatch 1634
Example: Displaying RTU Licensing Usage 1635

CHAPTER 70 Clustering Switches 1637


Understanding Switch Clusters 1637
Cluster Command Switch Characteristics 1638
Standby Cluster Command Switch Characteristics 1639
Candidate Switch and Cluster Member Switch Characteristics 1639
Planning a Switch Cluster 1640
Automatic Discovery of Cluster Candidates and Members 1640
Discovery Through CDP Hops 1640
Discovery Through Non-CDP-Capable and Noncluster-Capable Devices 1641
Discovery Through Different VLANs 1641
Discovery Through Different Management VLANs 1642
Discovery Through Routed Ports 1643
Discovery of Newly Installed Switches 1643
HSRP and Standby Cluster Command Switches 1644
Virtual IP Addresses 1645
Other Considerations for Cluster Standby Groups 1645
Automatic Recovery of Cluster Configuration 1646
IP Addresses 1647
Hostnames 1647
Passwords 1647
SNMP Community Strings 1648
TACACS+ and RADIUS 1648
LRE Profiles 1648
Using the CLI to Manage Switch Clusters 1648
Catalyst 1900 and Catalyst 2820 CLI Considerations 1649

Using SNMP to Manage Switch Clusters 1649

CHAPTER 71 Configuring SDM Templates 1651


Finding Feature Information 1651
Information About Configuring SDM Templates 1651
Restrictions for SDM Templates 1651
SDM Templates 1651
Default Templates for Catalyst 2960-CX 1652
Default Templates for Catalyst 3560-CX 1652
How to Configure SDM Templates 1653
Setting the SDM Template 1653
Configuration Examples for SDM Templates 1654
Examples: Displaying SDM Templates 1654
Examples: Configuring SDM Templates 1655

CHAPTER 72 Configuring System Message Logs 1657


Information About Configuring System Message Logs 1657
System Message Logging 1657
System Log Message Format 1658
Default System Message Logging Settings 1659
Syslog Message Limits 1659
How to Configure System Message Logs 1660
Setting the Message Display Destination Device 1660
Synchronizing Log Messages 1661
Disabling Message Logging 1663
Enabling and Disabling Time Stamps on Log Messages 1664
Enabling and Disabling Sequence Numbers in Log Messages 1664
Defining the Message Severity Level 1665
Limiting Syslog Messages Sent to the History Table and to SNMP 1666
Logging Messages to a UNIX Syslog Daemon 1667
Monitoring and Maintaining System Message Logs 1668
Monitoring Configuration Archive Logs 1668
Configuration Examples for System Message Logs 1668
Example: Switch System Message 1668

Examples: Displaying Service Timestamps Log 1669

CHAPTER 73 Configuring Online Diagnostics 1671


Information About Configuring Online Diagnostics 1671
Online Diagnostics 1671
How to Configure Online Diagnostics 1672
Starting Online Diagnostic Tests 1672
Configuring Online Diagnostics 1672
Scheduling Online Diagnostics 1672
Configuring Health-Monitoring Diagnostics 1673
Monitoring and Maintaining Online Diagnostics 1676
Displaying Online Diagnostic Tests and Test Results 1676
Configuration Examples for Online Diagnostic Tests 1677
Starting Online Diagnostic Tests 1677
Example: Configure a Health Monitoring Test 1678
Examples: Schedule Diagnostic Test 1678
Displaying Online Diagnostics: Examples 1678

CHAPTER 74 Troubleshooting the Software Configuration 1681


Information About Troubleshooting the Software Configuration 1681
Software Failure on a Switch 1681
Lost or Forgotten Password on a Switch 1681
Power over Ethernet Ports 1682
Disabled Port Caused by Power Loss 1682
Disabled Port Caused by False Link-Up 1683
Ping 1683
Layer 2 Traceroute 1683
Layer 2 Traceroute Guidelines 1683
IP Traceroute 1684
Time Domain Reflector Guidelines 1685
Debug Commands 1686
Onboard Failure Logging on the Switch 1686
Possible Symptoms of High CPU Utilization 1687
How to Troubleshoot the Software Configuration 1687

Recovering from a Software Failure 1687
Recovering from a Lost or Forgotten Password 1689
Procedure with Password Recovery Enabled 1690
Procedure with Password Recovery Disabled 1692
Recovering from a Command Switch Failure 1694
Replacing a Failed Command Switch with a Cluster Member 1694
Replacing a Failed Command Switch with Another Switch 1696
Preventing Autonegotiation Mismatches 1697
Troubleshooting SFP Module Security and Identification 1697
Monitoring SFP Module Status 1698
Executing Ping 1698
Monitoring Temperature 1699
Monitoring the Physical Path 1699
Executing IP Traceroute 1699
Running TDR and Displaying the Results 1699
Redirecting Debug and Error Message Output 1700
Using the show platform forward Command 1700
Configuring OBFL 1700
Verifying Troubleshooting of the Software Configuration 1701
Displaying OBFL Information 1701
Example: Verifying the Problem and Cause for High CPU Utilization 1702
Scenarios for Troubleshooting the Software Configuration 1704
Scenarios to Troubleshoot Power over Ethernet (PoE) 1704
Configuration Examples for Troubleshooting Software 1706
Example: Pinging an IP Host 1706
Example: Performing a Traceroute to an IP Host 1707
Example: Enabling All System Diagnostics 1708

PART XI VLAN 1709

CHAPTER 75 Configuring VTP 1711


Finding Feature Information 1711
Prerequisites for VTP 1711
Restrictions for VTP 1712

Information About VTP 1712
VTP 1712
VTP Domain 1712
VTP Modes 1713
VTP Advertisements 1715
VTP Version 2 1715
VTP Version 3 1716
VTP Pruning 1716
VTP Configuration Guidelines 1717
VTP Configuration Requirements 1717
VTP Settings 1717
Domain Names for Configuring VTP 1718
Passwords for the VTP Domain 1718
VTP Version 1718
Default VTP Configuration 1719
How to Configure VTP 1720
Configuring VTP Mode 1720
Configuring a VTP Version 3 Password 1722
Configuring a VTP Version 3 Primary Server 1723
Enabling the VTP Version 1724
Enabling VTP Pruning 1726
Configuring VTP on a Per-Port Basis 1727
Adding a VTP Client Switch to a VTP Domain 1728
Monitoring VTP 1730
Configuration Examples for VTP 1731
Example: Configuring a Switch as the Primary Server 1731
Example: Configuring Switch as VTP Server 1732
Example: Enabling VTP on the Interface 1732
Example: Creating the VTP Password 1732
Where to Go Next 1732

CHAPTER 76 Configuring VLANs 1733


Finding Feature Information 1733
Prerequisites for VLANs 1733

Restrictions for VLANs 1734
Information About VLANs 1734
Logical Networks 1734
Supported VLANs 1734
VLAN Port Membership Modes 1735
VLAN Configuration Files 1736
Normal-Range VLAN Configuration Guidelines 1736
Extended-Range VLAN Configuration Guidelines 1737
Default VLAN Configurations 1738
Default Ethernet VLAN Configuration 1738
How to Configure VLANs 1739
How to Configure Normal-Range VLANs 1739
Creating or Modifying an Ethernet VLAN 1740
Deleting a VLAN 1741
Assigning Static-Access Ports to a VLAN 1743
How to Configure Extended-Range VLANs 1744
Creating an Extended-Range VLAN 1744
Monitoring VLANs 1746
Configuration Examples 1748
Example: Creating a VLAN Name 1748
Example: Configuring a Port as Access Port 1748
Example: Creating an Extended-Range VLAN 1749
Where to Go Next 1749

CHAPTER 77 Configuring VLAN Trunks 1751
Finding Feature Information 1751
Prerequisites for VLAN Trunks 1751
Information About VLAN Trunks 1752
Trunking Overview 1752
Trunking Modes 1752
Layer 2 Interface Modes 1752
Allowed VLANs on a Trunk 1753
Load Sharing on Trunk Ports 1754
Network Load Sharing Using STP Priorities 1754
Network Load Sharing Using STP Path Cost 1754
Feature Interactions 1754
Default Layer 2 Ethernet Interface VLAN Configuration 1755
How to Configure VLAN Trunks 1755
Configuring an Ethernet Interface as a Trunk Port 1755
Configuring a Trunk Port 1755
Defining the Allowed VLANs on a Trunk 1757
Changing the Pruning-Eligible List 1759
Configuring the Native VLAN for Untagged Traffic 1761
Configuring Trunk Ports for Load Sharing 1762
Configuring Load Sharing Using STP Port Priorities 1762
Configuring Load Sharing Using STP Path Cost 1766
Configuration Examples for VLAN Trunking 1769
Example: Configuring a Trunk Port 1769
Example: Removing a VLAN from a Port 1769
Where to Go Next 1769

CHAPTER 78 Configuring VMPS 1771
Finding Feature Information 1771
Prerequisites for VMPS 1771
Restrictions for VMPS 1771
Information About VMPS 1772
Dynamic VLAN Assignments 1772
Dynamic-Access Port VLAN Membership 1773
Default VMPS Client Configuration 1773
How to Configure VMPS 1774
Entering the IP Address of the VMPS 1774
Configuring Dynamic-Access Ports on VMPS Clients 1775
Reconfirming VLAN Memberships 1777
Changing the Reconfirmation Interval 1778
Changing the Retry Count 1779
Troubleshooting Dynamic-Access Port VLAN Membership 1780
Monitoring the VMPS 1780
Configuration Example for VMPS 1781
Example: VMPS Configuration 1781
Where to Go Next 1782

CHAPTER 79 Configuring Voice VLANs 1785
Finding Feature Information 1785
Prerequisites for Voice VLANs 1785
Restrictions for Voice VLANs 1786
Information About Voice VLAN 1786
Voice VLANs 1786
Cisco IP Phone Voice Traffic 1786
Cisco IP Phone Data Traffic 1787
Voice VLAN Configuration Guidelines 1787
Default Voice VLAN Configuration 1788
How to Configure Voice VLAN 1788
Configuring Cisco IP Phone Voice Traffic 1788
Configuring the Priority of Incoming Data Frames 1790
Monitoring Voice VLAN 1792
Configuration Examples 1792
Example: Configuring Cisco IP Phone Voice Traffic 1792
Example: Configuring the Priority of Incoming Data Frames 1793
Where to Go Next 1793

CHAPTER 80 Configuring Private VLANs 1795
Finding Feature Information 1795
Prerequisites for Private VLANs 1795
Restrictions for Private VLANs 1795
Information About Private VLANs 1797
Private VLAN Domains 1797
Secondary VLANs 1797
Private VLANs Ports 1798
Private VLANs in Networks 1799
IP Addressing Scheme with Private VLANs 1799
Private VLANs Across Multiple Switches 1799
Private-VLAN Interaction with Other Features 1800
Private VLANs and Unicast, Broadcast, and Multicast Traffic 1800
Private VLANs and SVIs 1801
Private-VLAN Configuration Guidelines 1801
Secondary and Primary VLAN Configuration 1801
Private VLAN Port Configuration 1803
Private VLAN Configuration Tasks 1803
How to Configure Private VLANs 1804
Configuring and Associating VLANs in a Private VLAN 1804
Configuring a Layer 2 Interface as a Private VLAN Host Port 1807
Configuring a Layer 2 Interface as a Private VLAN Promiscuous Port 1809
Mapping Secondary VLANs to a Primary VLAN Layer 3 VLAN Interface 1811
Monitoring Private VLANs 1813
Configuration Examples for Private VLANs 1813
Example: Configuring an Interface as a Host Port 1813
Example: Configuring an Interface as a Private VLAN Promiscuous Port 1814
Example: Mapping Secondary VLANs to a Primary VLAN Interface 1814
Example: Monitoring Private VLANs 1815
Where to Go Next 1815
Additional References 1815

APPENDIX A Important Notice 1819
Disclaimer 1819
Statement 361—VoIP and Emergency Calling Services do not Function if Power Fails 1819
Statement 1071—Warning Definition 1821

Preface
This book describes configuration information and examples for NetFlow Lite on the switch.
• Document Conventions, on page lxxiii
• Related Documentation, on page lxxv
• Obtaining Documentation and Submitting a Service Request, on page lxxv

Document Conventions
This document uses the following conventions:

Convention / Description

^ or Ctrl
    Both the ^ symbol and Ctrl represent the Control (Ctrl) key on a keyboard. For example, the key
    combination ^D or Ctrl-D means that you hold down the Control key while you press the D key. (Keys
    are indicated in capital letters but are not case sensitive.)

bold font
    Commands and keywords and user-entered text appear in bold font.

Italic font
    Document titles, new or emphasized terms, and arguments for which you supply values are in italic font.

Courier font
    Terminal sessions and information the system displays appear in courier font.

Bold Courier font
    Bold Courier font indicates text that the user must enter.

[x]
    Elements in square brackets are optional.

...
    An ellipsis (three consecutive nonbolded periods without spaces) after a syntax element indicates that
    the element can be repeated.

|
    A vertical line, called a pipe, indicates a choice within a set of keywords or arguments.

[x | y]
    Optional alternative keywords are grouped in brackets and separated by vertical bars.

{x | y}
    Required alternative keywords are grouped in braces and separated by vertical bars.

[x {y | z}]
    Nested set of square brackets or braces indicate optional or required choices within optional or
    required elements. Braces and a vertical bar within square brackets indicate a required choice within
    an optional element.

string
    A nonquoted set of characters. Do not use quotation marks around the string or the string will include
    the quotation marks.

<>
    Nonprinting characters such as passwords are in angle brackets.

[]
    Default responses to system prompts are in square brackets.

!, #
    An exclamation point (!) or a pound sign (#) at the beginning of a line of code indicates a comment line.

Reader Alert Conventions

This document may use the following conventions for reader alerts:

Note Means reader take note. Notes contain helpful suggestions or references to material not covered in the manual.

Tip Means the following information will help you solve a problem.

Caution Means reader be careful. In this situation, you might do something that could result in equipment damage or
loss of data.

Timesaver Means the described action saves time. You can save time by performing the action described in the paragraph.

Warning IMPORTANT SAFETY INSTRUCTIONS
This warning symbol means danger. You are in a situation that could cause bodily injury. Before you work
on any equipment, be aware of the hazards involved with electrical circuitry and be familiar with standard
practices for preventing accidents. Use the statement number provided at the end of each warning to locate
its translation in the translated safety warnings that accompanied this device. Statement 1071
SAVE THESE INSTRUCTIONS


Related Documentation

Note Before installing or upgrading the switch, refer to the switch release notes.

• Cisco Catalyst 3560-CX and 2960-CX switches documentation location at
http://www.cisco.com/c/en/us/support/switches/catalyst-3560-cx-series-switches/tsd-products-support-series-home.html and
http://www.cisco.com/c/en/us/support/switches/catalyst-2960-cx-series-switches/tsd-products-support-series-home.html
• Cisco Validated Designs documents, located at:
http://www.cisco.com/go/designzone

Obtaining Documentation and Submitting a Service Request


For information on obtaining documentation, submitting a service request, and gathering additional information,
see the monthly What's New in Cisco Product Documentation, which also lists all new and revised Cisco
technical documentation, at:
http://www.cisco.com/c/en/us/td/docs/general/whatsnew/whatsnew.html
Subscribe to the What's New in Cisco Product Documentation as a Really Simple Syndication (RSS) feed
and set content to be delivered directly to your desktop using a reader application. The RSS feeds are a free
service and Cisco currently supports RSS version 2.0.

CHAPTER 1
Using the Command-Line Interface
• Information About Using the Command-Line Interface, on page 1
• How to Use the CLI to Configure Features, on page 5

Information About Using the Command-Line Interface


Command Modes
The Cisco IOS user interface is divided into many different modes. The commands available to you depend
on which mode you are currently in. Enter a question mark (?) at the system prompt to obtain a list of commands
available for each command mode.
You can start a CLI session through a console connection, through Telnet, through SSH, or by using the browser.
When you start a session, you begin in user mode, often called user EXEC mode. Only a limited subset of
the commands are available in user EXEC mode. For example, most of the user EXEC commands are one-time
commands, such as show commands, which show the current configuration status, and clear commands,
which clear counters or interfaces. The user EXEC commands are not saved when the switch reboots.
To have access to all commands, you must enter privileged EXEC mode. Normally, you must enter a password
to enter privileged EXEC mode. From this mode, you can enter any privileged EXEC command or enter
global configuration mode.
Using the configuration modes (global, interface, and line), you can make changes to the running configuration.
If you save the configuration, these commands are stored and used when the switch reboots. To access the
various configuration modes, you must start at global configuration mode. From global configuration mode,
you can enter interface configuration mode and line configuration mode.
This table describes the main command modes, how to access each one, the prompt you see in that mode, and
how to exit the mode.


Table 1: Command Mode Summary

Mode: User EXEC
Access Method: Begin a session using Telnet, SSH, or console.
Prompt: SwitchDevice>
Exit Method: Enter logout or quit.
About This Mode: Use this mode to
• Change terminal settings.
• Perform basic tests.
• Display system information.

Mode: Privileged EXEC
Access Method: While in user EXEC mode, enter the enable command.
Prompt: SwitchDevice#
Exit Method: Enter disable to exit.
About This Mode: Use this mode to verify commands that you have entered. Use a password to protect
access to this mode.

Mode: Global configuration
Access Method: While in privileged EXEC mode, enter the configure command.
Prompt: SwitchDevice(config)#
Exit Method: To exit to privileged EXEC mode, enter exit or end, or press Ctrl-Z.
About This Mode: Use this mode to configure parameters that apply to the entire switch.

Mode: VLAN configuration
Access Method: While in global configuration mode, enter the vlan vlan-id command.
Prompt: SwitchDevice(config-vlan)#
Exit Method: To exit to global configuration mode, enter the exit command. To return to privileged
EXEC mode, press Ctrl-Z or enter end.
About This Mode: Use this mode to configure VLAN parameters. When VTP mode is transparent, you can
create extended-range VLANs (VLAN IDs greater than 1005) and save configurations in the switch startup
configuration file.

Mode: Interface configuration
Access Method: While in global configuration mode, enter the interface command (with a specific interface).
Prompt: SwitchDevice(config-if)#
Exit Method: To exit to global configuration mode, enter exit. To return to privileged EXEC mode, press
Ctrl-Z or enter end.
About This Mode: Use this mode to configure parameters for the Ethernet ports.

Mode: Line configuration
Access Method: While in global configuration mode, specify a line with the line vty or line console command.
Prompt: SwitchDevice(config-line)#
Exit Method: To exit to global configuration mode, enter exit. To return to privileged EXEC mode, press
Ctrl-Z or enter end.
About This Mode: Use this mode to configure parameters for the terminal line.

Understanding Abbreviated Commands


You need to enter only enough characters for the switch to recognize the command as unique.
This example shows how to enter the show configuration privileged EXEC command in an abbreviated form:

SwitchDevice# show conf

No and Default Forms of Commands


Almost every configuration command also has a no form. In general, use the no form to disable a feature or
function or reverse the action of a command. For example, the no shutdown interface configuration command
reverses the shutdown of an interface. Use the command without the keyword no to reenable a disabled feature
or to enable a feature that is disabled by default.
Configuration commands can also have a default form. The default form of a command returns the command
setting to its default. Most commands are disabled by default, so the default form is the same as the no form.
However, some commands are enabled by default and have variables set to certain default values. In these
cases, the default command enables the command and sets variables to their default values.

CLI Error Messages


This table lists some error messages that you might encounter while using the CLI to configure your switch.


Table 2: Common CLI Error Messages

Error Message: % Ambiguous command: "show con"
Meaning: You did not enter enough characters for your switch to recognize the command.
How to Get Help: Reenter the command followed by a question mark (?) without any space between the
command and the question mark. The possible keywords that you can enter with the command appear.

Error Message: % Incomplete command.
Meaning: You did not enter all of the keywords or values required by this command.
How to Get Help: Reenter the command followed by a question mark (?) with a space between the command
and the question mark. The possible keywords that you can enter with the command appear.

Error Message: % Invalid input detected at '^' marker.
Meaning: You entered the command incorrectly. The caret (^) marks the point of the error.
How to Get Help: Enter a question mark (?) to display all of the commands that are available in this
command mode. The possible keywords that you can enter with the command appear.
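The parser behaviour behind the abbreviated-command rule and the three error messages above (a unique prefix expands, a shared prefix is ambiguous, a missing keyword is incomplete, unrecognised input is invalid with a caret under the offending position) is simple enough to model in a few lines. The following Python is an added example, not code from the Cisco guide; its COMMAND_TREE is a constructed, hypothetical subset of privileged EXEC commands, not the real IOS command tree. The practical use is validating automation-generated command lines before they are pushed, so that an ambiguous abbreviation never reaches a production switch.

```python
"""Resolve abbreviated Cisco IOS-style command lines against a command tree.

Added example, not from the Cisco guide. COMMAND_TREE is a constructed,
hypothetical subset of privileged EXEC commands; the real parser has far more.
"""
from typing import Dict, List, Optional, Tuple

# Constructed subset of a privileged EXEC command tree. A value of None means the
# keyword completes a command; a dict means further keywords are still required.
COMMAND_TREE: Dict[str, Optional[dict]] = {
    "show": {
        "configuration": None,
        "controllers": {"ethernet-controller": None},
        "history": None,
        "interfaces": None,
        "running-config": None,
    },
    "configure": {"terminal": None},
    "clear": {"counters": None, "line": None},
    "disable": None,
    "dir": None,
    "disconnect": None,
    "logout": None,
}


def expand_token(token: str, candidates: dict) -> Tuple[str, List[str]]:
    """Expand one abbreviated keyword.

    Returns ("ok", [keyword]) for an exact keyword or a unique prefix,
    ("ambiguous", matches) when several keywords share the prefix, and
    ("invalid", []) when no keyword starts with it.
    """
    matches = sorted(k for k in candidates if k.startswith(token))
    if token in matches:          # an exact keyword wins even if it prefixes others
        return "ok", [token]
    if len(matches) == 1:
        return "ok", matches
    if not matches:
        return "invalid", []
    return "ambiguous", matches


def _invalid(line: str, column: int) -> Tuple[str, str]:
    """Format the message as the switch does: the caret sits under the first
    character the parser could not accept."""
    return "invalid", f"% Invalid input detected at '^' marker.\n{line}\n{' ' * column}^"


def resolve(line: str, tree: dict = COMMAND_TREE) -> Tuple[str, str]:
    """Expand every abbreviated keyword in `line` and classify the result.

    Returns (status, detail): status is "ok" (detail is the fully expanded
    line), "ambiguous", "incomplete" or "invalid" (detail is the CLI message).
    """
    tokens = line.split()
    if not tokens:
        return "ok", ""
    node: Optional[dict] = tree
    expanded: List[str] = []
    offset = 0  # where the current token starts in `line`, for the caret
    for tok in tokens:
        column = line.index(tok, offset)
        offset = column + len(tok)
        if node is None:  # the command was already complete; extra input is an error
            return _invalid(line, column)
        status, matches = expand_token(tok, node)
        if status == "invalid":
            return _invalid(line, column)
        if status == "ambiguous":
            return "ambiguous", f'% Ambiguous command: "{line}"'
        expanded.append(matches[0])
        node = node[matches[0]]
    if node is not None:
        return "incomplete", "% Incomplete command."
    return "ok", " ".join(expanded)


def check_script(lines: List[str], tree: dict = COMMAND_TREE) -> List[Tuple[int, str, str]]:
    """Validate a whole script; return (line number, status, message) for every
    line the parser would reject, so nothing ambiguous reaches the switch."""
    problems = []
    for number, line in enumerate(lines, start=1):
        status, detail = resolve(line, tree)
        if status != "ok":
            problems.append((number, status, detail))
    return problems


if __name__ == "__main__":
    for candidate in ("sh conf", "show con", "show controllers", "shwo ver"):
        print(candidate, "->", resolve(candidate))
```

Against the constructed tree, `show con` is ambiguous because both `configuration` and `controllers` start with it, while `sh conf` expands cleanly; `show controllers` is incomplete because the tree still expects a keyword after it. The same tree-walk is what a change-control pipeline can run over a generated script before opening a session to the device.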

Configuration Logging
You can log and view changes to the switch configuration. You can use the Configuration Change Logging
and Notification feature to track changes on a per-session and per-user basis. The logger tracks each
configuration command that is applied, the user who entered the command, the time that the command was
entered, and the parser return code for the command. This feature includes a mechanism for asynchronous
notification to registered applications whenever the configuration changes. You can choose to have the
notifications sent to the syslog.

Note Only CLI or HTTP changes are logged.
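Once configuration-change notifications are sent to syslog, the per-user, per-command record described above becomes detection input: a collector can parse each logged command and alert when someone removes logging, AAA, or archiving. The following Python is an added example, not code from the Cisco guide. It assumes the notifications arrive as %PARSER-5-CFGLOG_LOGGEDCMD syslog messages (that message format is an assumption here; the guide shows no sample lines), and the host name, user names, IP address and log lines are constructed for the example.

```python
"""Parse Cisco IOS configuration-change notifications from syslog and flag
commands that weaken switch security controls.

Added example, not from the Cisco guide. Assumes the switch forwards
Configuration Change Logging notifications as %PARSER-5-CFGLOG_LOGGEDCMD
messages (format assumed); all sample lines below are constructed.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

LOGGED_CMD = re.compile(
    r"%PARSER-5-CFGLOG_LOGGEDCMD:\s+User:(?P<user>\S+)\s+logged command:(?P<cmd>.*)$"
)

# Constructed sample of what a syslog collector might store, one event per line.
SAMPLE_LOG = """\
Mar 11 2015 10:22:01: switch01: %PARSER-5-CFGLOG_LOGGEDCMD: User:admin  logged command:interface GigabitEthernet0/1
Mar 11 2015 10:22:05: switch01: %PARSER-5-CFGLOG_LOGGEDCMD: User:admin  logged command:description uplink-to-core
Mar 11 2015 10:30:44: switch01: %PARSER-5-CFGLOG_LOGGEDCMD: User:svc-backup  logged command:no logging host 10.0.0.5
Mar 11 2015 10:30:50: switch01: %PARSER-5-CFGLOG_LOGGEDCMD: User:svc-backup  logged command:no aaa new-model
Mar 11 2015 10:31:02: switch01: %SYS-5-CONFIG_I: Configured from console by svc-backup on vty0 (10.0.0.77)
"""

# Command prefixes a defender normally wants alerted on: each one removes
# telemetry, authentication or accountability, or changes credentials.
# Constructed list; tune it to the local configuration standard.
HIGH_RISK_PREFIXES = (
    "no logging",
    "no aaa",
    "no archive",
    "no login",
    "no service password-encryption",
    "username",
    "enable secret",
    "enable password",
    "no ip access-list",
    "no snmp-server",
)


@dataclass
class ConfigChange:
    timestamp: str
    host: str
    user: str
    command: str


def parse_line(line: str) -> Optional[ConfigChange]:
    """Return a ConfigChange for a CFGLOG_LOGGEDCMD line, None for any other message."""
    m = LOGGED_CMD.search(line)
    if not m:
        return None
    head = line[: m.start()].rstrip(": ")
    # head looks like "Mar 11 2015 10:22:01: switch01"; split the host off the end.
    timestamp, _, host = head.rpartition(": ")
    return ConfigChange(timestamp, host, m.group("user"), m.group("cmd").strip())


def parse_log(text: str) -> List[ConfigChange]:
    """Parse every line of collector output, skipping non-config-change messages."""
    return [c for c in (parse_line(l) for l in text.splitlines()) if c]


def is_high_risk(command: str) -> bool:
    return command.lower().startswith(HIGH_RISK_PREFIXES)


def high_risk_changes(text: str) -> List[ConfigChange]:
    """The subset of logged changes worth an alert, with who made them and when."""
    return [c for c in parse_log(text) if is_high_risk(c.command)]


if __name__ == "__main__":
    for change in high_risk_changes(SAMPLE_LOG):
        print(f"{change.timestamp} {change.host} user={change.user}: {change.command}")
```

In the constructed sample, the two commands that disable the syslog destination and AAA were entered by a service account rather than the administrator who made the interface change minutes earlier, which is exactly the pairing of user and command the feature is meant to expose. Because only CLI and HTTP changes are logged, changes applied by other paths still need their own telemetry.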

Using the Help System


You can enter a question mark (?) at the system prompt to display a list of commands available for each
command mode. You can also obtain a list of associated keywords and arguments for any command.

SUMMARY STEPS
1. help
2. abbreviated-command-entry ?
3. abbreviated-command-entry <Tab>
4. ?
5. command ?
6. command keyword ?


DETAILED STEPS

Step 1: help
Purpose: Obtains a brief description of the help system in any command mode.
Example:
SwitchDevice# help

Step 2: abbreviated-command-entry ?
Purpose: Obtains a list of commands that begin with a particular character string.
Example:
SwitchDevice# di?
dir disable disconnect

Step 3: abbreviated-command-entry <Tab>
Purpose: Completes a partial command name.
Example:
SwitchDevice# sh conf<tab>
SwitchDevice# show configuration

Step 4: ?
Purpose: Lists all commands available for a particular command mode.
Example:
SwitchDevice> ?

Step 5: command ?
Purpose: Lists the associated keywords for a command.
Example:
SwitchDevice> show ?

Step 6: command keyword ?
Purpose: Lists the associated arguments for a keyword.
Example:
SwitchDevice(config)# cdp holdtime ?
  <10-255> Length of time (in sec) that receiver must keep this packet

How to Use the CLI to Configure Features


Configuring the Command History
The software provides a history or record of commands that you have entered. The command history feature
is particularly useful for recalling long or complex commands or entries, including access lists. You can
customize this feature to suit your needs.

Changing the Command History Buffer Size


By default, the switch records ten command lines in its history buffer. You can alter this number for a current
terminal session or for all sessions on a particular line. This procedure is optional.


SUMMARY STEPS
1. terminal history [size number-of-lines]

DETAILED STEPS

Step 1: terminal history [size number-of-lines]
Purpose: Changes the number of command lines that the switch records during the current terminal session
in privileged EXEC mode. You can configure the size from 0 to 256.
Example:
SwitchDevice# terminal history size 200

Recalling Commands
To recall commands from the history buffer, perform one of the actions listed in this table. These actions are
optional.

Note The arrow keys function only on ANSI-compatible terminals such as VT100s.

SUMMARY STEPS
1. Ctrl-P or use the up arrow key
2. Ctrl-N or use the down arrow key
3. show history

DETAILED STEPS

Step 1: Ctrl-P or use the up arrow key
Purpose: Recalls commands in the history buffer, beginning with the most recent command. Repeat the key
sequence to recall successively older commands.

Step 2: Ctrl-N or use the down arrow key
Purpose: Returns to more recent commands in the history buffer after recalling commands with Ctrl-P or
the up arrow key. Repeat the key sequence to recall successively more recent commands.

Step 3: show history
Purpose: Lists the last several commands that you just entered in privileged EXEC mode. The number of
commands that appear is controlled by the setting of the terminal history global configuration command
and the history line configuration command.
Example:
SwitchDevice# show history

Disabling the Command History Feature


The command history feature is automatically enabled. You can disable it for the current terminal session or
for the command line. This procedure is optional.


SUMMARY STEPS
1. terminal no history

DETAILED STEPS

Step 1: terminal no history
Purpose: Disables the feature during the current terminal session in privileged EXEC mode.
Example:
SwitchDevice# terminal no history

Enabling and Disabling Editing Features


Although enhanced editing mode is automatically enabled, you can disable it and reenable it.

SUMMARY STEPS
1. terminal editing
2. terminal no editing

DETAILED STEPS

Step 1: terminal editing
Purpose: Reenables the enhanced editing mode for the current terminal session in privileged EXEC mode.
Example:
SwitchDevice# terminal editing

Step 2: terminal no editing
Purpose: Disables the enhanced editing mode for the current terminal session in privileged EXEC mode.
Example:
SwitchDevice# terminal no editing

Editing Commands Through Keystrokes


The keystrokes help you to edit the command lines. These keystrokes are optional.

Note The arrow keys function only on ANSI-compatible terminals such as VT100s.

Table 3: Editing Commands

Editing Commands Description

Ctrl-B or use the left arrow key Moves the cursor back one character.

Ctrl-F or use the right arrow key Moves the cursor forward one character.


Ctrl-A Moves the cursor to the beginning of the command line.

Ctrl-E Moves the cursor to the end of the command line.

Esc B Moves the cursor back one word.

Esc F Moves the cursor forward one word.

Ctrl-T Transposes the character to the left of the cursor with the character located
at the cursor.

Delete or Backspace key Erases the character to the left of the cursor.

Ctrl-D Deletes the character at the cursor.

Ctrl-K Deletes all characters from the cursor to the end of the command line.

Ctrl-U or Ctrl-X Deletes all characters from the cursor to the beginning of the command
line.

Ctrl-W Deletes the word to the left of the cursor.

Esc D Deletes from the cursor to the end of the word.

Esc C Capitalizes at the cursor.

Esc L Changes the word at the cursor to lowercase.

Esc U Capitalizes letters from the cursor to the end of the word.

Ctrl-V or Esc Q Designates a particular keystroke as an executable command, perhaps as a shortcut.

Return key Scrolls down a line or screen on displays that are longer than the terminal
screen can display.
Note The More prompt is used for any output that has more lines
than can be displayed on the terminal screen, including show
command output. You can use the Return and Space bar
keystrokes whenever you see the More prompt.

Space bar Scrolls down one screen.

Ctrl-L or Ctrl-R Redisplays the current command line if the switch suddenly sends a
message to your screen.

Editing Command Lines That Wrap


You can use a wraparound feature for commands that extend beyond a single line on the screen. When the
cursor reaches the right margin, the command line shifts ten spaces to the left. You cannot see the first ten
characters of the line, but you can scroll back and check the syntax at the beginning of the command. The
keystroke actions are optional.
To scroll back to the beginning of the command entry, press Ctrl-B or the left arrow key repeatedly. You can
also press Ctrl-A to immediately move to the beginning of the line.


Note The arrow keys function only on ANSI-compatible terminals such as VT100s.

The following example shows how to wrap a command line that extends beyond a single line on the screen.

SUMMARY STEPS
1. access-list
2. Ctrl-A
3. Return key

DETAILED STEPS

Step 1: access-list
Purpose: Displays the global configuration command entry that extends beyond one line. When the cursor
first reaches the end of the line, the line is shifted ten spaces to the left and redisplayed. The dollar
sign ($) shows that the line has been scrolled to the left. Each time the cursor reaches the end of the
line, the line is again shifted ten spaces to the left.
Example:
SwitchDevice(config)# access-list 101 permit tcp 10.15.22.25 255.255.255.0 10.15.22.35
SwitchDevice(config)# $ 101 permit tcp 10.15.22.25 255.255.255.0 10.15.22.35 255.25
SwitchDevice(config)# $t tcp 10.15.22.25 255.255.255.0 131.108.1.20 255.255.255.0 eq
SwitchDevice(config)# $15.22.25 255.255.255.0 10.15.22.35 255.255.255.0 eq 45

Step 2: Ctrl-A
Purpose: Checks the complete syntax. The dollar sign ($) appears at the end of the line to show that the
line has been scrolled to the right.
Example:
SwitchDevice(config)# access-list 101 permit tcp 10.15.22.25 255.255.255.0 10.15.2$

Step 3: Return key
Purpose: Executes the commands.
The software assumes that you have a terminal screen that is 80 columns wide. If you have a different
width, use the terminal width privileged EXEC command to set the width of your terminal.
Use line wrapping with the command history feature to recall and modify previous complex command entries.

Searching and Filtering Output of show and more Commands


You can search and filter the output for show and more commands. This is useful when you need to sort
through large amounts of output or if you want to exclude output that you do not need to see. Using these
commands is optional.


SUMMARY STEPS
1. {show | more} command | {begin | include | exclude} regular-expression

DETAILED STEPS

Step 1: {show | more} command | {begin | include | exclude} regular-expression
Purpose: Searches and filters the output. Expressions are case sensitive. For example, if you enter
| exclude output, the lines that contain output are not displayed, but the lines that contain Output appear.
Example:
SwitchDevice# show interfaces | include protocol
Vlan1 is up, line protocol is up
Vlan10 is up, line protocol is down
GigabitEthernet1/0/1 is up, line protocol is down
GigabitEthernet1/0/2 is up, line protocol is up
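The three filter modes have slightly different semantics: include and exclude keep or drop individual matching lines, while begin keeps everything from the first match onward, and all three match case-sensitively. The following Python reproduces that behaviour over captured show output so the same filtering can be applied off-box in automation. It is an added example, not code from the Cisco guide; the show interfaces lines are constructed sample output shaped like the guide's example (the Hardware lines and MAC addresses are invented).

```python
"""Re-implement the IOS output-filter semantics (| begin, | include, | exclude)
over captured show output.

Added example, not from the Cisco guide. SAMPLE_SHOW_INTERFACES is constructed
sample output; the hardware lines and addresses are invented.
"""
import re
from typing import List

SAMPLE_SHOW_INTERFACES = """\
Vlan1 is up, line protocol is up
  Hardware is EtherSVI, address is 0011.2233.4455 (bia 0011.2233.4455)
Vlan10 is up, line protocol is down
  Hardware is EtherSVI, address is 0011.2233.4456 (bia 0011.2233.4456)
GigabitEthernet1/0/1 is up, line protocol is down
  Hardware is Gigabit Ethernet, address is 0011.2233.4457 (bia 0011.2233.4457)
GigabitEthernet1/0/2 is up, line protocol is up
  Hardware is Gigabit Ethernet, address is 0011.2233.4458 (bia 0011.2233.4458)
"""


def filter_output(text: str, mode: str, expression: str) -> List[str]:
    """Apply one IOS-style output filter.

    Expressions are case sensitive, as on the switch. "include" keeps the
    matching lines, "exclude" drops them, and "begin" keeps every line from
    the first match to the end of the output.
    """
    pattern = re.compile(expression)  # re is case sensitive unless told otherwise
    lines = text.splitlines()
    if mode == "include":
        return [line for line in lines if pattern.search(line)]
    if mode == "exclude":
        return [line for line in lines if not pattern.search(line)]
    if mode == "begin":
        for index, line in enumerate(lines):
            if pattern.search(line):
                return lines[index:]
        return []
    raise ValueError(f"unknown filter mode: {mode}")


def interfaces_with_protocol_down(text: str) -> List[str]:
    """Chain the filters the way an operator pipes them on the CLI:
    first `| include protocol`, then keep only interfaces whose line protocol is down."""
    status_lines = filter_output(text, "include", "protocol")
    return [line.split()[0] for line in status_lines if "line protocol is down" in line]


if __name__ == "__main__":
    for line in filter_output(SAMPLE_SHOW_INTERFACES, "include", "protocol"):
        print(line)
    print("protocol down:", interfaces_with_protocol_down(SAMPLE_SHOW_INTERFACES))
```

Filtering for `Protocol` with a capital P returns nothing from the sample, which is the case-sensitivity trap the step describes; a monitoring script that builds its expression from a variable should normalise case deliberately rather than rely on the filter.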

Accessing the CLI Through a Console Connection or Through Telnet


Before you can access the CLI, you must connect a terminal or a PC to the switch console and then power on
the switch, as described in the hardware installation guide that shipped with your switch.
If your switch is already configured, you can access the CLI through a local console connection or through a
remote Telnet session, but your switch must first be configured for this type of access.
You can use one of these methods to establish a connection with the switch:

Procedure
• Connect the switch console port to a management station or dial-up modem. For information about
connecting to the console, see the switch hardware installation guide.
• Use any Telnet TCP/IP or encrypted Secure Shell (SSH) package from a remote management station.
The switch must have network connectivity with the Telnet or SSH client, and the switch must have an
enable secret password configured.
• The switch supports up to 16 simultaneous Telnet sessions. Changes made by one Telnet user are
reflected in all other Telnet sessions.
• The switch supports up to five simultaneous secure SSH sessions.

After you connect through the console port, through a Telnet session or through an SSH session, the
user EXEC prompt appears on the management station.

PART I
Interface and Hardware
• Configuring Interface Characteristics, on page 13
• Configuring Auto-MDIX, on page 39
• Configuring LLDP, LLDP-MED, and Wired Location Service, on page 43
• Configuring MultiGigabit Ports on WS-C3560CX-8PD-S, on page 61
• Configuring System MTU, on page 65
• Configuring Boot Fast, on page 69
• Configuring PoE, on page 73
• Configuring EEE, on page 91
CHAPTER 2
Configuring Interface Characteristics
• Finding Feature Information, on page 13
• Information About Configuring Interface Characteristics, on page 13
• How to Configure Interface Characteristics, on page 21
• Monitoring Interface Characteristics, on page 34
• Configuration Examples for Interface Characteristics, on page 35

Finding Feature Information


Your software release may not support all the features documented in this module. For the latest caveats and
feature information, see Bug Search Tool and the release notes for your platform and software release. To
find information about the features documented in this module, and to see a list of the releases in which each
feature is supported, see the feature information table at the end of this module.
Use Cisco Feature Navigator to find information about platform support and Cisco software image support.
To access Cisco Feature Navigator, go to http://www.cisco.com/go/cfn. An account on Cisco.com is not
required.

Information About Configuring Interface Characteristics


Interface Types
This section describes the different types of interfaces supported by the switch. The rest of the chapter describes
configuration procedures for physical interface characteristics.

Port-Based VLANs
A VLAN is a switched network that is logically segmented by function, team, or application, without regard
to the physical location of the users. Packets received on a port are forwarded only to ports that belong to the
same VLAN as the receiving port. Network devices in different VLANs cannot communicate with one another
without a Layer 3 device to route traffic between the VLANs.
VLAN partitions provide hard firewalls for traffic in the VLAN, and each VLAN has its own MAC address
table. A VLAN comes into existence when a local port is configured to be associated with the VLAN, when


the VLAN Trunking Protocol (VTP) learns of its existence from a neighbor on a trunk, or when a user creates
a VLAN. VLANs can be formed with ports across the stack.
To configure VLANs, use the vlan vlan-id global configuration command to enter VLAN configuration mode.
The VLAN configurations for normal-range VLANs (VLAN IDs 1 to 1005) are saved in the VLAN database.
If VTP is version 1 or 2, to configure extended-range VLANs (VLAN IDs 1006 to 4094), you must first set
VTP mode to transparent. Extended-range VLANs created in transparent mode are not added to the VLAN
database but are saved in the switch running configuration. With VTP version 3, you can create extended-range
VLANs in client or server mode. These VLANs are saved in the VLAN database.
In a switch stack, the VLAN database is downloaded to all switches in a stack, and all switches in the stack
build the same VLAN database. The running configuration and the saved configuration are the same for all
switches in a stack.
Add ports to a VLAN by using the switchport interface configuration commands:
• Identify the interface.
• For a trunk port, set trunk characteristics, and, if desired, define the VLANs to which it can belong.
• For an access port, set and define the VLAN to which it belongs.

Switch Ports
Switch ports are Layer 2-only interfaces associated with a physical port. Switch ports belong to one or more
VLANs. A switch port can be an access port or a trunk port. You can configure a port as an access port or
trunk port or let the Dynamic Trunking Protocol (DTP) operate on a per-port basis to set the switchport mode
by negotiating with the port on the other end of the link. Switch ports are used for managing the physical
interface and associated Layer 2 protocols and do not handle routing or bridging.
Configure switch ports by using the switchport interface configuration commands.

Access Ports
An access port belongs to and carries the traffic of only one VLAN (unless it is configured as a voice VLAN
port). Traffic is received and sent in native formats with no VLAN tagging. Traffic arriving on an access port
is assumed to belong to the VLAN assigned to the port. If an access port receives a tagged packet (Inter-Switch
Link [ISL] or IEEE 802.1Q tagged), the packet is dropped, and the source address is not learned.
The types of access ports supported are:
• Static access ports are manually assigned to a VLAN (or through a RADIUS server for use with IEEE
802.1x).
• VLAN membership of dynamic access ports is learned through incoming packets. By default, a dynamic
access port is not a member of any VLAN, and forwarding to and from the port is enabled only when
the VLAN membership of the port is discovered. Dynamic access ports on the switch are assigned to a
VLAN by a VLAN Membership Policy Server (VMPS). The VMPS can be a Catalyst 6500 series switch;
the switch cannot be a VMPS server.

You can also configure an access port with an attached Cisco IP Phone to use one VLAN for voice traffic and
another VLAN for data traffic from a device attached to the phone.

Trunk Ports
A trunk port carries the traffic of multiple VLANs and by default is a member of all VLANs in the VLAN
database.

The switch supports only IEEE 802.1Q trunk ports. An IEEE 802.1Q trunk port supports simultaneous tagged
and untagged traffic. An IEEE 802.1Q trunk port is assigned a default port VLAN ID (PVID), and all untagged
traffic travels on the port default PVID. All untagged traffic and tagged traffic with a NULL VLAN ID are
assumed to belong to the port default PVID. A packet with a VLAN ID equal to the outgoing port default
PVID is sent untagged. All other traffic is sent with a VLAN tag.
Although by default, a trunk port is a member of every VLAN known to the VTP, you can limit VLAN
membership by configuring an allowed list of VLANs for each trunk port. The list of allowed VLANs does
not affect any other port but the associated trunk port. By default, all possible VLANs (VLAN ID 1 to 4094)
are in the allowed list. A trunk port can become a member of a VLAN only if VTP knows of the VLAN and
if the VLAN is in the enabled state. If VTP learns of a new, enabled VLAN and the VLAN is in the allowed
list for a trunk port, the trunk port automatically becomes a member of that VLAN and traffic is forwarded
to and from the trunk port for that VLAN. If VTP learns of a new, enabled VLAN that is not in the allowed
list for a trunk port, the port does not become a member of the VLAN, and no traffic for the VLAN is forwarded
to or from the port.

Switch Virtual Interfaces


A switch virtual interface (SVI) represents a VLAN of switch ports as one interface to the routing or bridging
function in the system. You can associate only one SVI with a VLAN. You configure an SVI for a VLAN
only to route between VLANs or to provide IP host connectivity to the switch. By default, an SVI is created
for the default VLAN (VLAN 1) to permit remote switch administration. Additional SVIs must be explicitly
configured.

Note You cannot delete interface VLAN 1.

SVIs provide IP host connectivity only to the system. SVIs are created the first time that you enter the vlan
interface configuration command for a VLAN interface. The VLAN corresponds to the VLAN tag associated
with data frames on an ISL or IEEE 802.1Q encapsulated trunk or the VLAN ID configured for an access
port. Configure a VLAN interface for each VLAN for which you want to route traffic, and assign it an IP
address.
Although the switch stack or switch supports a total of 1005 VLANs and SVIs, the interrelationship between
the number of SVIs and routed ports and the number of other features being configured might impact CPU
performance because of hardware limitations.
When you create an SVI, it does not become active until it is associated with a physical port.

SVI Autostate Exclude


The line state of an SVI with multiple ports on a VLAN is in the up state when it meets these conditions:
• The VLAN exists and is active in the VLAN database on the switch
• The VLAN interface exists and is not administratively down.
• At least one Layer 2 (access or trunk) port exists, has a link in the up state on this VLAN, and is in the
spanning-tree forwarding state on the VLAN.

Note The protocol link state for a VLAN interface comes up when the first switchport belonging to the corresponding
VLAN comes up and is in the STP forwarding state.

The default action, when a VLAN has multiple ports, is that the SVI goes down when all ports in the VLAN
go down. You can use the SVI autostate exclude feature to configure a port so that it is not included in the
SVI line-state up-or-down calculation. For example, if the only active port on the VLAN is a monitoring port,
you might configure autostate exclude on that port so that the VLAN goes down when all other ports go down.
When enabled on a port, autostate exclude applies to all VLANs that are enabled on that port.
The VLAN interface is brought up when one Layer 2 port in the VLAN has had time to converge (transition
from STP listening-learning state to forwarding state). This prevents features such as routing protocols from
using the VLAN interface as if it were fully operational and minimizes other problems, such as routing black
holes.
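The up-or-down rule above, with autostate exclude applied, is small enough to model directly. The following Python is an added example and not Cisco code: it evaluates the three conditions the guide lists (VLAN active, SVI not administratively down, at least one Layer 2 port in the VLAN that is link-up and STP-forwarding) while ignoring ports marked autostate exclude, and runs them over a constructed topology in which VLAN 20's only other member is a monitoring port. The port, VLAN and function names are this example's own.

```python
"""Model of the SVI line-state calculation described in the guide.

Added example, not Cisco's implementation. An SVI is reported up when the
VLAN is active in the VLAN database, the SVI is not administratively down,
and at least one Layer 2 port carrying the VLAN is link-up and in the STP
forwarding state. Ports configured with 'switchport autostate exclude' are
left out of that count for every VLAN they carry.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class L2Port:
    name: str
    vlans: frozenset            # VLANs the port carries (access VLAN or trunk allowed list)
    link_up: bool
    stp_forwarding: bool        # False while still in listening/learning
    autostate_exclude: bool = False   # applies to all VLANs enabled on the port


@dataclass
class Vlan:
    vlan_id: int
    active: bool = True         # exists and is active in the VLAN database


def svi_is_up(vlan: Vlan, svi_admin_down: bool, ports) -> bool:
    """Apply the guide's three conditions for one SVI."""
    if not vlan.active or svi_admin_down:
        return False
    return any(
        vlan.vlan_id in p.vlans
        and p.link_up
        and p.stp_forwarding
        and not p.autostate_exclude     # excluded ports never hold the SVI up
        for p in ports
    )


def svi_states(vlans, admin_down: set, ports) -> dict:
    """Map VLAN ID -> True (SVI up) / False (SVI down)."""
    return {v.vlan_id: svi_is_up(v, v.vlan_id in admin_down, ports) for v in vlans}


# Constructed topology (not from a real switch). Gi1/0/3 is a monitoring port
# that carries several VLANs but is excluded from the autostate calculation.
PORTS = [
    L2Port("Gi1/0/1", frozenset({20}), link_up=True, stp_forwarding=True),
    L2Port("Gi1/0/2", frozenset({20, 30}), link_up=True, stp_forwarding=False),
    L2Port("Gi1/0/3", frozenset({20, 30, 40}), link_up=True, stp_forwarding=True,
           autostate_exclude=True),
]
VLANS = [Vlan(20), Vlan(30), Vlan(40), Vlan(50, active=False)]

if __name__ == "__main__":
    for vid, up in svi_states(VLANS, set(), PORTS).items():
        print(f"interface Vlan{vid}: {'up' if up else 'down'}")
```

VLAN 30 stays down even though Gi1/0/2 is link-up, because that port has not yet converged to forwarding; VLAN 40 stays down because its only member is the excluded monitoring port, which is exactly the behaviour the exclude feature is meant to produce.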

EtherChannel Port Groups


EtherChannel port groups treat multiple switch ports as one switch port. These port groups act as a single
logical port for high-bandwidth connections between switches or between switches and servers. An
EtherChannel balances the traffic load across the links in the channel. If a link within the EtherChannel fails,
traffic previously carried over the failed link changes to the remaining links. You can group multiple trunk
ports into one logical trunk port or multiple access ports into one logical access port. Most protocols operate
over either single ports or aggregated switch ports and do not recognize the physical ports within the port
group. Exceptions are the DTP, the Cisco Discovery Protocol (CDP), and the Port Aggregation Protocol
(PAgP), which operate only on physical ports.
When you configure an EtherChannel, you create a port-channel logical interface and assign an interface to
the EtherChannel. For Layer 2 interfaces, use the channel-group interface configuration command to
dynamically create the port-channel logical interface. This command binds the physical and logical ports
together.

Note Cisco Catalyst 2960-CX and 3560-CX support a maximum of six EtherChannel port groups.

Power over Ethernet Ports


A PoE-capable switch port automatically supplies power to one of these connected devices if the switch senses
that there is no power on the circuit:
• a Cisco pre-standard powered device (such as a Cisco IP Phone or a Cisco Aironet Access Point)
• an IEEE 802.3af-compliant powered device

A powered device can receive redundant power when it is connected to a PoE switch port and to an AC power
source. The device does not receive redundant power when it is only connected to the PoE port.

Using the Switch USB Ports


The switch has three USB ports on the front panel — a USB mini-Type B console port and two USB Type A
ports.

USB Mini-Type B Console Port


The switch has the following console ports:
• USB mini-Type B console connection
• RJ-45 console port

Console output appears on devices connected to both ports, but console input is active on only one port at a
time. By default, the USB connector takes precedence over the RJ-45 connector.

Note Windows PCs require a driver for the USB port. See the hardware installation guide for driver installation
instructions.

Use the supplied USB Type A-to-USB mini-Type B cable to connect a PC or other device to the switch. The
connected device must include a terminal emulation application. When the switch detects a valid USB
connection to a powered-on device that supports host functionality (such as a PC), input from the RJ-45
console is immediately disabled, and input from the USB console is enabled. Removing the USB connection
immediately reenables input from the RJ-45 console connection. An LED on the switch shows which console
connection is in use.

Console Port Change Logs


At software startup, a log shows whether the USB or the RJ-45 console is active. Every switch always first
displays the RJ-45 media type.
When the USB cable is removed or the PC de-activates the USB connection, the hardware automatically
changes to the RJ-45 console interface.
You can configure the console type to always be RJ-45, and you can configure an inactivity timeout for the
USB connector.

USB Type A Ports


The USB Type A ports provide access to external USB flash devices, also known as thumb drives or USB
keys. The switch supports Cisco 64 MB, 256 MB, 512 MB, 1 GB, 4 GB, and 8 GB flash drives. You can use
standard Cisco IOS command-line interface (CLI) commands to read, write, erase, and copy to or from the
flash device. You can also configure the switch to boot from the USB flash drive.

Interface Connections
Devices within a single VLAN can communicate directly through any switch. Ports in different VLANs cannot
exchange data without going through a routing device.
In the following configuration example, when Host A in VLAN 20 sends data to Host B in VLAN 30, the
data must go from Host A to the switch, to the router, back to the switch, and then to Host B.

Figure 1: Connecting VLANs with the Switch

With a standard Layer 2 switch, ports in different VLANs have to exchange information through a router.

Note The Catalyst 3560-CX and 2960-CX switches do not support stacking. Ignore all references to stacking
throughout this book.

Interface Configuration Mode


The switch supports these interface types:
• Physical ports—switch ports and routed ports
• VLANs—switch virtual interfaces
• Port channels—EtherChannel interfaces

You can also configure a range of interfaces.


To configure a physical interface (port), specify the interface type, module number, and switch port number,
and enter interface configuration mode.
• Type—Gigabit Ethernet (gigabitethernet or gi) for 10/100/1000 Mb/s Ethernet ports, or small form-factor
pluggable (SFP) module Gigabit Ethernet interfaces (gigabitethernet or gi).
• Module number—The module or slot number on the switch (always 0).
• Port number—The interface number on the switch. The 10/100/1000 port numbers always begin at 1,
starting with the far left port when facing the front of the switch, for example, gigabitethernet1/0/1 or
gigabitethernet1/0/8. For a switch with 10/100/1000 ports and SFP module ports, SFP module ports are
numbered consecutively following the 10/100/1000 ports.

You can identify physical interfaces by physically checking the interface location on the switch. You can also
use the show privileged EXEC commands to display information about a specific interface or all the interfaces
on the switch. The remainder of this chapter primarily provides physical interface configuration procedures.

Default Ethernet Interface Configuration


This table shows the Ethernet interface default configuration, including some features that apply only to Layer
2 interfaces.

Table 4: Default Layer 2 Ethernet Interface Configuration

Feature Default Setting

Operating mode Layer 2 or switching mode (switchport command).

Allowed VLAN range VLANs 1 to 4094.

Default VLAN (for access ports) VLAN 1.

Native VLAN (for IEEE 802.1Q trunks) VLAN 1.

802.1p priority-tagged traffic Drop all packets tagged with VLAN 0.

VLAN trunking Switchport mode dynamic auto (supports DTP).

Port enable state All ports are enabled.

Port description None defined.

Speed Autonegotiate. (Not supported on the 10-Gigabit interfaces.)

Duplex mode Autonegotiate. (Not supported on the 10-Gigabit interfaces.)

Flow control Flow control is set to receive: off. It is always off for sent packets.

EtherChannel (PAgP) Disabled on all Ethernet ports.

Port blocking (unknown multicast and unknown unicast traffic) Disabled (not blocked).

Broadcast, multicast, and unicast storm control Disabled.

Protected port Disabled.

Port security Disabled.

Port Fast Disabled.

Auto-MDIX Enabled.
Note The switch might not support a pre-standard powered device—such as Cisco IP phones and
access points that do not fully support IEEE 802.3af—if that powered device is connected to the
switch through a crossover cable. This is regardless of whether auto-MDIX is enabled on the switch
port.

Power over Ethernet (PoE) Enabled (auto).

Keepalive messages Disabled on SFP module ports; enabled on all other ports.
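Several of these defaults are the first things a reviewer checks on a Layer 2 port: a port left at dynamic auto will form a trunk with any neighbour that negotiates one over DTP, and a trunk left at its defaults carries VLANs 1 to 4094 with VLAN 1 as its native VLAN. The following Python script is an added example and not part of the Cisco guide: it audits a constructed running-config excerpt for those defaults and prints the interface commands that change them. The configuration text, interface names and function names are this example's own; the suggestion to add switchport nonegotiate to access ports is the example's recommendation, not a statement taken from this page.

```python
"""Audit a Catalyst running-config excerpt for Layer 2 defaults worth changing.

Added example, not Cisco code. It checks the defaults the guide's table gives
for a Layer 2 port: no 'switchport mode' means dynamic auto (DTP negotiation
accepted), a trunk with no allowed list carries VLANs 1-4094, and a trunk
with no native VLAN set uses VLAN 1.
"""
import re
from dataclasses import dataclass, field

# Constructed running-config excerpt; not captured from a real switch.
SAMPLE_CONFIG = """\
interface GigabitEthernet1/0/1
 description Connects to Marketing
 switchport access vlan 20
!
interface GigabitEthernet1/0/2
 description Uplink to core
 switchport mode trunk
!
interface GigabitEthernet1/0/3
 switchport mode access
 switchport access vlan 30
 switchport nonegotiate
!
interface GigabitEthernet1/0/4
 switchport mode trunk
 switchport trunk native vlan 999
 switchport trunk allowed vlan 20,30
!
"""


@dataclass
class Interface:
    name: str
    lines: list = field(default_factory=list)


def parse_interfaces(config: str) -> list:
    """Split a running-config into per-interface stanzas (lines between 'interface' and '!')."""
    interfaces, current = [], None
    for raw in config.splitlines():
        if raw.startswith("interface "):
            current = Interface(raw.split(None, 1)[1].strip())
            interfaces.append(current)
        elif raw.startswith("!"):
            current = None
        elif current is not None and raw.startswith(" "):
            current.lines.append(raw.strip())
    return interfaces


def audit_interface(intf: Interface) -> list:
    """Return (finding, remediation command) tuples for one interface."""
    findings, cfg, mode = [], intf.lines, None
    for line in cfg:
        m = re.match(r"switchport mode (\S+)", line)
        if m:
            mode = m.group(1)          # 'access', 'trunk' or 'dynamic'
    if mode is None:
        findings.append(("no switchport mode set; the default dynamic auto accepts DTP trunk negotiation",
                         "switchport mode access + switchport nonegotiate"))
    elif mode == "dynamic":
        findings.append(("switchport mode dynamic accepts DTP trunk negotiation",
                         "switchport mode access + switchport nonegotiate"))
    elif mode == "access" and "switchport nonegotiate" not in cfg:
        # Example's own hardening recommendation: stop DTP on access ports.
        findings.append(("access port without nonegotiate", "switchport nonegotiate"))
    elif mode == "trunk":
        if not any(l.startswith("switchport trunk allowed vlan") for l in cfg):
            findings.append(("trunk allows all VLANs 1-4094 (default)",
                             "switchport trunk allowed vlan <list>"))
        if not any(l.startswith("switchport trunk native vlan") for l in cfg):
            findings.append(("native VLAN is the default VLAN 1",
                             "switchport trunk native vlan <unused-vlan>"))
    return findings


def audit_config(config: str) -> dict:
    """Map interface name -> findings, omitting interfaces with none."""
    report = {}
    for intf in parse_interfaces(config):
        findings = audit_interface(intf)
        if findings:
            report[intf.name] = findings
    return report


if __name__ == "__main__":
    for name, findings in audit_config(SAMPLE_CONFIG).items():
        for finding, fix in findings:
            print(f"{name}: {finding} -> {fix}")
```

Run against the sample, the script flags Gi1/0/1 (no mode set, so DTP is in play) and Gi1/0/2 (trunk at its default allowed list and native VLAN), and reports nothing for the two interfaces that already pin their mode, allowed list and native VLAN.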

Interface Speed and Duplex Mode


Ethernet interfaces on the switch operate at 10, 100, or 1000 Mb/s and in either full- or half-duplex mode. In
full-duplex mode, two stations can send and receive traffic at the same time. Normally, 10-Mb/s ports operate
in half-duplex mode, which means that stations can either receive or send traffic.
Switch models include Gigabit Ethernet (10/100/1000-Mb/s) ports and small form-factor pluggable (SFP)
module slots supporting SFP modules.

Speed and Duplex Configuration Guidelines


When configuring an interface speed and duplex mode, note these guidelines:
• Do not disable Auto-Negotiation on PoE switches.
• Gigabit Ethernet (10/100/1000-Mb/s) ports support all speed options and all duplex options (auto, half,
and full). However, Gigabit Ethernet ports operating at 1000 Mb/s do not support half-duplex mode.
• For SFP module ports, the speed and duplex CLI options change depending on the SFP module type:
• The 1000BASE-x (where -x is -BX, -CWDM, -LX, -SX, and -ZX) SFP module ports support the
nonegotiate keyword in the speed interface configuration command. Duplex options are not
supported.
• The 1000BASE-T SFP module ports support the same speed and duplex options as the
10/100/1000-Mb/s ports.

• If both ends of the line support autonegotiation, we highly recommend the default setting of
autonegotiation.
• If one interface supports autonegotiation and the other end does not, configure duplex and speed on both
interfaces; do not use the auto setting on the supported side.
• When STP is enabled and a port is reconfigured, the switch can take up to 30 seconds to check for loops.
The port LED is amber while STP reconfigures.
• As best practice, we suggest configuring the speed and duplex options on a link to auto or to fixed on
both the ends. If one side of the link is configured to auto and the other side is configured to fixed, the
link will not be up and this is expected.

Caution Changing the interface speed and duplex mode configuration might shut down and re-enable the interface
during the reconfiguration.

IEEE 802.3x Flow Control


Flow control enables connected Ethernet ports to control traffic rates during congestion by allowing congested
nodes to pause link operation at the other end. If one port experiences congestion and cannot receive any more
traffic, it notifies the other port by sending a pause frame to stop sending until the condition clears. Upon
receipt of a pause frame, the sending device stops sending any data packets, which prevents any loss of data
packets during the congestion period.

Note The switch ports can receive, but not send, pause frames.

You use the flowcontrol interface configuration command to set the interface’s ability to receive pause frames
to on, off, or desired. The default state is off.
When set to desired, an interface can operate with an attached device that is required to send flow-control
packets or with an attached device that is not required to but can send flow-control packets.
These rules apply to flow control settings on the device:
• receive on (or desired): The port cannot send pause frames but can operate with an attached device that
is required to or can send pause frames; the port can receive pause frames.
• receive off: Flow control does not operate in either direction. In case of congestion, no indication is given
to the link partner, and no pause frames are sent or received by either device.

Note For details on the command settings and the resulting flow control resolution on local and remote ports, see
the flowcontrol interface configuration command in the command reference for this release.

How to Configure Interface Characteristics


Configuring Interfaces
These general instructions apply to all interface configuration processes.

Procedure

Command or Action Purpose


Step 1 enable Enables privileged EXEC mode. Enter your password if
prompted.
Example:

SwitchDevice> enable

Step 2 configure terminal Enters the global configuration mode.


Example:

SwitchDevice# configure terminal

Step 3 interface Identifies the interface type, and the number of the connector.
Example:

SwitchDevice(config)# interface gigabitethernet1/0/1
SwitchDevice(config-if)#

Note You do not need to add a space between the interface type and the interface number. For example, in the
preceding line, you can specify either gigabitethernet 1/0/1, gigabitethernet1/0/1, gi 1/0/1, or gi1/0/1.

Step 4 Follow each interface command with the interface configuration commands that the interface requires. Defines
the protocols and applications that will run on the interface. The commands are collected and applied to the
interface when you enter another interface command or enter end to return to privileged EXEC mode.

Step 5 interface range or interface range macro (Optional) Configures a range of interfaces.
Note Interfaces configured in a range must be the same
type and must be configured with the same
feature options.

Step 6 show interfaces Displays a list of all interfaces on or configured for the
switch. A report is provided for each interface that the
device supports or for the specified interface.

Adding a Description for an Interface


SUMMARY STEPS
1. enable
2. configure terminal
3. interface interface-id
4. description string
5. end
6. show interfaces interface-id description
7. copy running-config startup-config

DETAILED STEPS

Command or Action Purpose


Step 1 enable Enables privileged EXEC mode. Enter your password if
prompted.
Example:

SwitchDevice> enable


Step 2 configure terminal Enters global configuration mode.
Example:

SwitchDevice# configure terminal

Step 3 interface interface-id Specifies the interface for which you are adding a
description, and enter interface configuration mode.
Example:

SwitchDevice(config)# interface
gigabitethernet1/0/2

Step 4 description string Adds a description (up to 240 characters) for an interface.
Example:

SwitchDevice(config-if)# description Connects to Marketing

Step 5 end Returns to privileged EXEC mode.


Example:

SwitchDevice(config-if)# end

Step 6 show interfaces interface-id description Verifies your entry.

Step 7 copy running-config startup-config (Optional) Saves your entries in the configuration file.
Example:

SwitchDevice# copy running-config startup-config

Configuring a Range of Interfaces


To configure multiple interfaces with the same configuration parameters, use the interface range global
configuration command. When you enter the interface-range configuration mode, all command parameters
that you enter are attributed to all interfaces within that range until you exit this mode.

SUMMARY STEPS
1. enable
2. configure terminal
3. interface range {port-range | macro macro_name}
4. end
5. show interfaces [interface-id]
6. copy running-config startup-config

DETAILED STEPS

Command or Action Purpose


Step 1 enable Enables privileged EXEC mode. Enter your password if
prompted.
Example:

SwitchDevice> enable

Step 2 configure terminal Enters global configuration mode.


Example:

SwitchDevice# configure terminal

Step 3 interface range {port-range | macro macro_name} Specifies the range of interfaces (VLANs or physical ports)
to be configured, and enter interface-range configuration mode.
Example:

SwitchDevice(config)# interface range macro

• You can use the interface range command to configure up to five port ranges or a previously defined
macro.
• The macro variable is explained in the Configuring and Using Interface Range Macros, on page 25.
• In a comma-separated port-range, you must enter the interface type for each entry and enter spaces before
and after the comma.
• In a hyphen-separated port-range, you do not need to re-enter the interface type, but you must enter a space
before the hyphen.

Note Use the normal configuration commands to apply the configuration parameters to all interfaces in
the range. Each command is executed as it is entered.

Step 4 end Returns to privileged EXEC mode.


Example:

SwitchDevice(config)# end

Step 5 show interfaces [interface-id] Verifies the configuration of the interfaces in the range.
Example:

SwitchDevice# show interfaces


Step 6 copy running-config startup-config (Optional) Saves your entries in the configuration file.
Example:

SwitchDevice# copy running-config startup-config

Configuring and Using Interface Range Macros


You can create an interface range macro to automatically select a range of interfaces for configuration. Before
you can use the macro keyword in the interface range macro global configuration command string, you
must use the define interface-range global configuration command to define the macro.

SUMMARY STEPS
1. enable
2. configure terminal
3. define interface-range macro_name interface-range
4. interface range macro macro_name
5. end
6. show running-config | include define
7. copy running-config startup-config

DETAILED STEPS

Command or Action Purpose


Step 1 enable Enables privileged EXEC mode. Enter your password if
prompted.
Example:

SwitchDevice> enable

Step 2 configure terminal Enters global configuration mode.


Example:

SwitchDevice# configure terminal

Step 3 define interface-range macro_name interface-range Defines the interface-range macro, and save it in NVRAM.
Example:

SwitchDevice(config)# define interface-range enet_list gigabitethernet1/0/1 - 2

• The macro_name is a 32-character maximum character string.
• A macro can contain up to five comma-separated interface ranges.
• Each interface-range must consist of the same port type.


Note Before you can use the macro keyword in the
interface range macro global configuration
command string, you must use the define
interface-range global configuration command
to define the macro.

Step 4 interface range macro macro_name Selects the interface range to be configured using the values
saved in the interface-range macro called macro_name.
Example:

SwitchDevice(config)# interface range macro enet_list

You can now use the normal configuration commands to apply the configuration to all interfaces in the defined
macro.

Step 5 end Returns to privileged EXEC mode.


Example:

SwitchDevice(config)# end

Step 6 show running-config | include define Shows the defined interface range macro configuration.
Example:

SwitchDevice# show running-config | include define

Step 7 copy running-config startup-config (Optional) Saves your entries in the configuration file.
Example:

SwitchDevice# copy running-config startup-config
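The syntax rules for a port range (Step 3 of Configuring a Range of Interfaces: interface type repeated in every comma-separated entry, spaces on both sides of a comma, a space before a hyphen, at most five ranges, one port type per range) and for a macro (32-character name, at most five ranges, defined before it is used) are precise enough to check mechanically, which is useful when interface-range commands are generated by a script rather than typed. The following Python is an added example, not Cisco's parser: it expands a range expression into individual interface IDs, enforces those rules, and keeps a small macro registry in the spirit of define interface-range. The interface naming pattern it accepts (type, then slot/module/port) and the gi to gigabitethernet alias are this example's own assumptions; the function names are not IOS commands.

```python
"""Expand and validate 'interface range' expressions and interface-range macros.

Added example, not Cisco's implementation. It enforces the syntax rules the
guide states for these commands and assumes interface IDs look like
gigabitethernet1/0/1 (type followed by slot/module/port).
"""
import re

MAX_RANGES = 5           # up to five port ranges per command or macro
MAX_MACRO_NAME = 32      # macro_name is a 32-character maximum string
_ALIASES = {"gi": "gigabitethernet"}          # assumed short form, as used in the guide
# type, then slot/module/, then first port, optionally ' - last' (space before the hyphen).
_ENTRY = re.compile(r"^(?P<type>[A-Za-z]+)\s*(?P<prefix>\d+/\d+/)(?P<first>\d+)"
                    r"(?:\s+-\s*(?P<last>\d+))?$")
MACROS = {}              # name -> expanded interface list (stands in for NVRAM)


class RangeSyntaxError(ValueError):
    pass


def _parse_entry(entry: str):
    """Parse one comma-separated entry into (port type, [interface IDs])."""
    entry = entry.strip()
    if "-" in entry and not re.search(r"\s-", entry):
        raise RangeSyntaxError(f"{entry!r}: a space is required before the hyphen")
    m = _ENTRY.match(entry)
    if not m:
        raise RangeSyntaxError(f"{entry!r}: each entry needs an interface type and slot/module/port")
    itype = _ALIASES.get(m["type"].lower(), m["type"].lower())
    first = int(m["first"])
    last = int(m["last"]) if m["last"] else first
    if last < first:
        raise RangeSyntaxError(f"{entry!r}: range end precedes range start")
    return itype, [f"{itype}{m['prefix']}{n}" for n in range(first, last + 1)]


def expand_range(expr: str) -> list:
    """Return the interface IDs an 'interface range' argument selects."""
    for i, ch in enumerate(expr):
        before = i > 0 and expr[i - 1] == " "
        after = i + 1 < len(expr) and expr[i + 1] == " "
        if ch == "," and not (before and after):
            raise RangeSyntaxError("a space is required before and after each comma")
    entries = expr.split(",")
    if len(entries) > MAX_RANGES:
        raise RangeSyntaxError(f"at most {MAX_RANGES} port ranges are allowed, got {len(entries)}")
    types, ids = set(), []
    for entry in entries:
        itype, members = _parse_entry(entry)
        types.add(itype)
        ids.extend(members)
    if len(types) > 1:
        raise RangeSyntaxError("interfaces in a range must be the same type")
    return ids


def define_interface_range(name: str, expr: str, macros: dict = MACROS) -> list:
    """Model 'define interface-range macro_name interface-range'."""
    if len(name) > MAX_MACRO_NAME:
        raise RangeSyntaxError(f"macro name exceeds {MAX_MACRO_NAME} characters")
    macros[name] = expand_range(expr)     # same five-range / one-type rules apply
    return macros[name]


def interface_range_macro(name: str, macros: dict = MACROS) -> list:
    """Model 'interface range macro macro_name'; the macro must already be defined."""
    if name not in macros:
        raise RangeSyntaxError(f"macro {name!r} is not defined; use define interface-range first")
    return macros[name]


def error_of(func, *args):
    """Return the syntax error message a call produces, or None if it succeeds."""
    try:
        func(*args)
        return None
    except RangeSyntaxError as exc:
        return str(exc)


if __name__ == "__main__":
    print(expand_range("gigabitethernet1/0/1 - 2 , gigabitethernet1/0/5"))
    print(define_interface_range("enet_list", "gigabitethernet1/0/1 - 2"))
    print(error_of(expand_range, "gigabitethernet1/0/1-2"))
```

The guide's own example, define interface-range enet_list gigabitethernet1/0/1 - 2, expands to gigabitethernet1/0/1 and gigabitethernet1/0/2; an expression that drops the space before the hyphen or the space around a comma is rejected with the rule it broke.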

Configuring Ethernet Interfaces


Setting the Interface Speed and Duplex Parameters

SUMMARY STEPS
1. enable
2. configure terminal
3. interface interface-id
4. speed {10 | 100 | 1000 | 2500 | 5000 | 10000 | auto [10 | 100 | 1000 | 2500 | 5000 | 10000] | nonegotiate}
5. duplex {auto | full | half}
6. end
7. show interfaces interface-id
8. copy running-config startup-config

9. copy running-config startup-config

DETAILED STEPS

Command or Action Purpose


Step 1 enable Enables privileged EXEC mode. Enter your password if
prompted.
Example:

SwitchDevice> enable

Step 2 configure terminal Enters global configuration mode.


Example:

SwitchDevice# configure terminal

Step 3 interface interface-id Specifies the physical interface to be configured, and enter
interface configuration mode.
Example:

SwitchDevice(config)# interface
gigabitethernet1/0/3

Step 4 speed {10 | 100 | 1000 | 2500 | 5000 | 10000 | auto [10 | 100 | 1000 | 2500 | 5000 | 10000] | nonegotiate}
Enter the appropriate speed parameter for the interface:
Example:

SwitchDevice(config-if)# speed 10

• Enter 10, 100, 1000, 2500, 5000, or 10000 to set a specific speed for the interface.
• Enter auto to enable the interface to autonegotiate speed with the connected device. If you specify a speed
and also set the auto keyword, the port autonegotiates only at the specified speeds.
• The nonegotiate keyword is available only for SFP module ports. SFP module ports operate only at 1000
Mb/s but can be configured to not negotiate if connected to a device that does not support autonegotiation.

Step 5 duplex {auto | full | half} This command is not available on a 10-Gigabit Ethernet interface.
Example:

SwitchDevice(config-if)# duplex half

Enter the duplex parameter for the interface.
Enable half-duplex mode (for interfaces operating only at 10 or 100 Mb/s). You cannot configure half-duplex mode
for interfaces operating at 1000 Mb/s.
You can configure the duplex setting when the speed is set to auto.


Step 6 end Returns to privileged EXEC mode.
Example:

SwitchDevice(config-if)# end

Step 7 show interfaces interface-id Displays the interface speed and duplex mode configuration.
Example:

SwitchDevice# show interfaces gigabitethernet1/0/3

Step 8 copy running-config startup-config (Optional) Saves your entries in the configuration file.
Example:

SwitchDevice# copy running-config startup-config

Step 9 copy running-config startup-config (Optional) Saves your entries in the configuration file.
Example:

SwitchDevice# copy running-config startup-config

Configuring IEEE 802.3x Flow Control


SUMMARY STEPS
1. configure terminal
2. interface interface-id
3. flowcontrol {receive} {on | off | desired}
4. end
5. show interfaces interface-id
6. copy running-config startup-config

DETAILED STEPS

Command or Action Purpose


Step 1 configure terminal Enters global configuration mode
Example:

SwitchDevice# configure terminal


Step 2 interface interface-id Specifies the physical interface to be configured, and enter
interface configuration mode.
Example:

SwitchDevice(config)# interface
gigabitethernet1/0/1

Step 3 flowcontrol {receive} {on | off | desired} Configures the flow control mode for the port.
Example:

SwitchDevice(config-if)# flowcontrol receive on

Step 4 end Returns to privileged EXEC mode.


Example:

SwitchDevice(config-if)# end

Step 5 show interfaces interface-id Verifies the interface flow control settings.
Example:

SwitchDevice# show interfaces gigabitethernet1/0/1

Step 6 copy running-config startup-config (Optional) Saves your entries in the configuration file.
Example:

SwitchDevice# copy running-config startup-config

Configuring SVI Autostate Exclude


SUMMARY STEPS
1. enable
2. configure terminal
3. interface interface-id
4. switchport autostate exclude
5. end
6. show running-config interface interface-id
7. copy running-config startup-config

DETAILED STEPS

Command or Action Purpose


Step 1 enable Enables privileged EXEC mode. Enter your password if
prompted.
Example:

SwitchDevice> enable

Step 2 configure terminal Enters global configuration mode.


Example:

SwitchDevice# configure terminal

Step 3 interface interface-id Specifies a Layer 2 interface (physical port or port channel),
and enter interface configuration mode.
Example:

SwitchDevice(config)# interface
gigabitethernet1/0/2

Step 4 switchport autostate exclude Excludes the access or trunk port when defining the status of an SVI line
state (up or down).
Example:

SwitchDevice(config-if)# switchport autostate exclude

Step 5 end Returns to privileged EXEC mode.


Example:

SwitchDevice(config-if)# end

Step 6 show running-config interface interface-id (Optional) Shows the running configuration.
Verifies the configuration.

Step 7 copy running-config startup-config (Optional) Saves your entries in the configuration file.
Example:

SwitchDevice# copy running-config startup-config

Shutting Down and Restarting the Interface


Shutting down an interface disables all functions on the specified interface and marks the interface as unavailable
on all monitoring command displays. This information is communicated to other network servers through all
dynamic routing protocols. The interface is not mentioned in any routing updates.

SUMMARY STEPS
1. enable
2. configure terminal
3. interface {vlan vlan-id} | {gigabitethernet interface-id} | {port-channel port-channel-number}
4. shutdown
5. no shutdown
6. end
7. show running-config

DETAILED STEPS

Step 1: enable
Purpose: Enables privileged EXEC mode. Enter your password if prompted.
Example:
SwitchDevice> enable

Step 2: configure terminal
Purpose: Enters global configuration mode.
Example:
SwitchDevice# configure terminal

Step 3: interface {vlan vlan-id} | {gigabitethernet interface-id} | {port-channel port-channel-number}
Purpose: Selects the interface to be configured.
Example:
SwitchDevice(config)# interface gigabitethernet1/0/2

Step 4: shutdown
Purpose: Shuts down an interface.
Example:
SwitchDevice(config-if)# shutdown

Step 5: no shutdown
Purpose: Restarts an interface.
Example:
SwitchDevice(config-if)# no shutdown

Step 6: end
Purpose: Returns to privileged EXEC mode.
Example:
SwitchDevice(config-if)# end



Step 7: show running-config
Purpose: Verifies your entries.
Example:
SwitchDevice# show running-config

Configuring the Console Media Type


Follow these steps to set the console media type to RJ-45. If you configure the console as RJ-45, USB console
operation is disabled, and input comes only through the RJ-45 connector.

SUMMARY STEPS
1. enable
2. configure terminal
3. line console 0
4. media-type rj45
5. end
6. copy running-config startup-config

DETAILED STEPS

Step 1: enable
Purpose: Enables privileged EXEC mode. Enter your password if prompted.
Example:
SwitchDevice> enable

Step 2: configure terminal
Purpose: Enters global configuration mode.
Example:
SwitchDevice# configure terminal

Step 3: line console 0
Purpose: Configures the console and enters line configuration mode.
Example:
SwitchDevice(config)# line console 0

Step 4: media-type rj45
Purpose: Configures the console media type to be only the RJ-45 port. If you do not enter this command and both types are connected, the USB port is used by default.
Example:
SwitchDevice(config-line)# media-type rj45



Step 5: end
Purpose: Returns to privileged EXEC mode.
Example:
SwitchDevice(config-line)# end

Step 6: copy running-config startup-config
Purpose: (Optional) Saves your entries in the configuration file.
Example:
SwitchDevice# copy running-config startup-config

Configuring the USB Inactivity Timeout


The configurable inactivity timeout reactivates the RJ-45 console port if the USB console port is activated
but no input activity occurs on it for a specified time period. When the USB console port is deactivated due
to a timeout, you can restore its operation by disconnecting and reconnecting the USB cable.

SUMMARY STEPS
1. enable
2. configure terminal
3. line console 0
4. usb-inactivity-timeout timeout-minutes
5. copy running-config startup-config

DETAILED STEPS

Step 1: enable
Purpose: Enables privileged EXEC mode. Enter your password if prompted.
Example:
SwitchDevice> enable

Step 2: configure terminal
Purpose: Enters global configuration mode.
Example:
SwitchDevice# configure terminal

Step 3: line console 0
Purpose: Configures the console and enters line configuration mode.
Example:
SwitchDevice(config)# line console 0



Step 4: usb-inactivity-timeout timeout-minutes
Purpose: Specifies an inactivity timeout for the console port. The range is 1 to 240 minutes. The default is to have no timeout configured.
Example:
SwitchDevice(config-line)# usb-inactivity-timeout 30

Step 5: copy running-config startup-config
Purpose: (Optional) Saves your entries in the configuration file.
Example:
SwitchDevice# copy running-config startup-config

Monitoring Interface Characteristics


Monitoring Interface Status
Commands entered at the privileged EXEC prompt display information about the interface, including the
versions of the software and the hardware, the configuration, and statistics about the interfaces.

Table 5: Show Commands for Interfaces

show interfaces interface-id status [err-disabled]
    Displays interface status or a list of interfaces in the error-disabled state.

show interfaces [interface-id] switchport
    Displays administrative and operational status of switching (nonrouting) ports. You can use this
    command to find out if a port is in routing or in switching mode.

show interfaces [interface-id] description
    Displays the description configured on an interface or all interfaces and the interface status.

show ip interface [interface-id]
    Displays the usability status of all interfaces configured for IP routing or the specified interface.

show interface [interface-id] stats
    Displays the input and output packets by the switching path for the interface.

show interfaces interface-id
    (Optional) Displays speed and duplex on the interface.

show interfaces transceiver dom-supported-list
    (Optional) Displays Digital Optical Monitoring (DOM) status on the connected SFP modules.

show interfaces transceiver properties
    (Optional) Displays temperature, voltage, or amount of current on the interface.


show interfaces [interface-id] [{transceiver properties | detail}] [module number]
    Displays physical and operational status about an SFP module.

show running-config interface [interface-id]
    Displays the running configuration in RAM for the interface.

show version
    Displays the hardware configuration, software version, the names and sources of configuration files,
    and the boot images.

show controllers ethernet-controller interface-id phy
    Displays the operational state of the auto-MDIX feature on the interface.

Clearing and Resetting Interfaces and Counters


Table 6: Clear Commands for Interfaces

clear counters [interface-id]
    Clears interface counters.

clear interface interface-id
    Resets the hardware logic on an interface.

clear line [number | console 0 | vty number]
    Resets the hardware logic on an asynchronous serial line.

Note: The clear counters privileged EXEC command does not clear counters retrieved by using Simple Network
Management Protocol (SNMP), but only those seen with the show interface privileged EXEC command.

Configuration Examples for Interface Characteristics


Adding a Description to an Interface: Example
SwitchDevice# configure terminal
Enter configuration commands, one per line. End with CNTRL/Z.
SwitchDevice(config)# interface gigabitethernet1/0/2
SwitchDevice(config-if)# description Connects to Marketing
SwitchDevice(config-if)# end
SwitchDevice# show interfaces gigabitethernet1/0/2 description
Interface Status Protocol Description
Gi1/0/2 admin down down Connects to Marketing


Configuring a Range of Interfaces: Examples


This example shows how to use the interface range global configuration command to set the speed to 100
Mb/s on ports 1 to 4 on switch 1:

SwitchDevice# configure terminal
SwitchDevice(config)# interface range gigabitethernet1/0/1 - 4
SwitchDevice(config-if-range)# speed 100

This example shows how to use a comma to add different interface type strings to the range to enable Gigabit
Ethernet ports 1 to 3 and 10-Gigabit Ethernet ports 1 and 2 to receive flow-control pause frames:

SwitchDevice# configure terminal
SwitchDevice(config)# interface range gigabitethernet1/0/1 - 3 , tengigabitethernet1/0/1 - 2
SwitchDevice(config-if-range)# flowcontrol receive on

If you enter multiple configuration commands while you are in interface-range mode, each command is
executed as it is entered. The commands are not batched and executed after you exit interface-range mode. If
you exit interface-range configuration mode while the commands are being executed, some commands might
not be executed on all interfaces in the range. Wait until the command prompt reappears before exiting
interface-range configuration mode.

Configuring and Using Interface Range Macros: Examples


This example shows how to define an interface-range named enet_list to include ports 1 and 2 on switch 1
and to verify the macro configuration:

SwitchDevice# configure terminal
SwitchDevice(config)# define interface-range enet_list gigabitethernet1/0/1 - 2
SwitchDevice(config)# end
SwitchDevice# show running-config | include define
define interface-range enet_list GigabitEthernet1/0/1 - 2

This example shows how to create a multiple-interface macro named macro1:

SwitchDevice# configure terminal
SwitchDevice(config)# define interface-range macro1 gigabitethernet1/0/1 - 2,
gigabitethernet1/0/5 - 7, tengigabitethernet1/0/1 -2
SwitchDevice(config)# end

This example shows how to enter interface-range configuration mode for the interface-range macro enet_list:

SwitchDevice# configure terminal
SwitchDevice(config)# interface range macro enet_list
SwitchDevice(config-if-range)#

This example shows how to delete the interface-range macro enet_list and to verify that it was deleted.

SwitchDevice# configure terminal
SwitchDevice(config)# no define interface-range enet_list
SwitchDevice(config)# end


SwitchDevice# show run | include define
SwitchDevice#
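The range expressions used with interface range and define interface-range in the two sections above share one element syntax (type, slot/subslot/, first port, optional "- last"). As an added example, not code from this guide or from Cisco, here is a small Python expander that turns such an expression, or a define interface-range line from a running-config, into the individual ports it covers, so a reviewer can see exactly which physical ports a bulk change through a macro would touch. The running-config excerpt and the watched-port list are constructed.

```python
import re
from typing import Dict, Iterable, List

# One element of an 'interface range' argument, e.g. 'gigabitethernet1/0/1 - 4',
# 'tengigabitethernet1/0/1 -2' (no space after the dash) or a single port 'gigabitethernet1/0/5'.
_ELEMENT = re.compile(
    r"^\s*(?P<kind>[A-Za-z]+)\s*(?P<prefix>\d+/\d+/)(?P<first>\d+)\s*(?:-\s*(?P<last>\d+))?\s*$"
)
# A 'define interface-range NAME SPEC' line as it appears in show running-config output.
_DEFINE = re.compile(r"^\s*define\s+interface-range\s+(?P<name>\S+)\s+(?P<spec>.+?)\s*$")


def expand_interface_range(spec: str) -> List[str]:
    """Expand a comma-separated range expression into individual interface names."""
    ports: List[str] = []
    for element in spec.split(","):
        m = _ELEMENT.match(element)
        if not m:
            raise ValueError(f"unrecognised range element: {element.strip()!r}")
        first = int(m["first"])
        last = int(m["last"]) if m["last"] is not None else first
        if last < first:
            raise ValueError(f"descending range not allowed: {element.strip()!r}")
        ports.extend(f"{m['kind']}{m['prefix']}{n}" for n in range(first, last + 1))
    return ports


def parse_range_macros(running_config: str) -> Dict[str, List[str]]:
    """Collect every 'define interface-range' macro in a running-config and expand it."""
    macros: Dict[str, List[str]] = {}
    for line in running_config.splitlines():
        m = _DEFINE.match(line)
        if m:
            macros[m["name"]] = expand_interface_range(m["spec"])
    return macros


def macro_overlaps(macros: Dict[str, List[str]], watched_ports: Iterable[str]) -> Dict[str, List[str]]:
    """Report which macros include any watched port (for example an uplink), so a reviewer
    can see that 'interface range macro NAME' would apply a bulk change to it as well."""
    watched = {p.lower() for p in watched_ports}
    hits = {name: [p for p in ports if p.lower() in watched] for name, ports in macros.items()}
    return {name: ports for name, ports in hits.items() if ports}


# Constructed running-config excerpt built from the macro definitions shown in this guide.
SAMPLE_CONFIG = """\
!
define interface-range enet_list GigabitEthernet1/0/1 - 2
define interface-range macro1 gigabitethernet1/0/1 - 2, gigabitethernet1/0/5 - 7, tengigabitethernet1/0/1 -2
!
"""

if __name__ == "__main__":
    found = parse_range_macros(SAMPLE_CONFIG)
    for name, ports in found.items():
        print(name, ports)
    # Hypothetical uplink to watch; report any macro that would touch it.
    print(macro_overlaps(found, ["TenGigabitEthernet1/0/1"]))
```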

Setting Interface Speed and Duplex Mode: Example


This example shows how to set the interface speed to 100 Mb/s and the duplex mode to half on a 10/100/1000
Mb/s port:

SwitchDevice# configure terminal
SwitchDevice(config)# interface gigabitethernet1/0/3
SwitchDevice(config-if)# speed 10
SwitchDevice(config-if)# duplex half

This example shows how to set the interface speed to 100 Mb/s on a 10/100/1000 Mb/s port:

SwitchDevice# configure terminal
SwitchDevice(config)# interface gigabitethernet1/0/2
SwitchDevice(config-if)# speed 100

Configuring the Console Media Type: Example


This example disables the USB console media type and enables the RJ-45 console media type.

SwitchDevice# configure terminal
SwitchDevice(config)# line console 0
SwitchDevice(config-line)# media-type rj45

This example reverses the previous configuration and immediately activates any USB console that is connected.

SwitchDevice# configure terminal
SwitchDevice(config)# line console 0
SwitchDevice(config-line)# no media-type rj45

Configuring the USB Inactivity Timeout: Example


This example configures the inactivity timeout to 30 minutes:

SwitchDevice# configure terminal
SwitchDevice(config)# line console 0
SwitchDevice(config-line)# usb-inactivity-timeout 30

To disable the configuration, use these commands:

SwitchDevice# configure terminal
SwitchDevice(config)# line console 0
SwitchDevice(config-line)# no usb-inactivity-timeout

If there is no (input) activity on a USB console port for the configured number of minutes, the inactivity
timeout setting applies to the RJ-45 port, and a log shows this occurrence:


*Mar 1 00:47:25.625: %USB_CONSOLE-6-INACTIVITY_DISABLE: Console media-type USB disabled due to inactivity, media-type reverted to RJ45.

At this point, the only way to reactivate the USB console port is to disconnect and reconnect the cable.
When the USB cable on the switch has been disconnected and reconnected, a log similar to this appears:

*Mar 1 00:48:28.640: %USB_CONSOLE-6-MEDIA_USB: Console media-type is USB.

CHAPTER 3
Configuring Auto-MDIX
• Prerequisites for Auto-MDIX, on page 39
• Restrictions for Auto-MDIX, on page 39
• Information about Configuring Auto-MDIX, on page 39
• How to Configure Auto-MDIX, on page 40
• Example for Configuring Auto-MDIX, on page 41

Prerequisites for Auto-MDIX


Automatic medium-dependent interface crossover (auto-MDIX) is enabled by default.
Auto-MDIX is supported on all 10/100/1000-Mb/s and on 10/100/1000BASE-TX small form-factor pluggable
(SFP)-module interfaces. It is not supported on 1000BASE-SX or -LX SFP module interfaces.

Restrictions for Auto-MDIX


The switch might not support a pre-standard powered device, such as Cisco IP phones and access points that
do not fully support IEEE 802.3af, if that powered device is connected to the switch through a crossover
cable. This is regardless of whether auto-MDIX is enabled on the switch port.

Information about Configuring Auto-MDIX


Auto-MDIX on an Interface
When automatic medium-dependent interface crossover (auto-MDIX) is enabled on an interface, the interface
automatically detects the required cable connection type (straight through or crossover) and configures the
connection appropriately. When connecting switches without the auto-MDIX feature, you must use
straight-through cables to connect to devices such as servers, workstations, or routers and crossover cables
to connect to other switches or repeaters. With auto-MDIX enabled, you can use either type of cable to connect
to other devices, and the interface automatically corrects for any incorrect cabling. For more information about
cabling requirements, see the hardware installation guide.


This table shows the link states that result from auto-MDIX settings and correct and incorrect cabling.

Table 7: Link Conditions and Auto-MDIX Settings

Local Side Auto-MDIX | Remote Side Auto-MDIX | With Correct Cabling | With Incorrect Cabling
On                   | On                    | Link up              | Link up
On                   | Off                   | Link up              | Link up
Off                  | On                    | Link up              | Link up
Off                  | Off                   | Link up              | Link down

How to Configure Auto-MDIX


Configuring Auto-MDIX on an Interface
SUMMARY STEPS
1. enable
2. configure terminal
3. interface interface-id
4. speed auto
5. duplex auto
6. end
7. copy running-config startup-config

DETAILED STEPS

Step 1: enable
Purpose: Enables privileged EXEC mode. Enter your password if prompted.
Example:
SwitchDevice> enable

Step 2: configure terminal
Purpose: Enters global configuration mode.
Example:
SwitchDevice# configure terminal

Step 3: interface interface-id
Purpose: Specifies the physical interface to be configured and enters interface configuration mode.
Example:
SwitchDevice(config)# interface gigabitethernet1/0/1

Step 4: speed auto
Purpose: Configures the interface to autonegotiate speed with the connected device.
Example:
SwitchDevice(config-if)# speed auto

Step 5: duplex auto
Purpose: Configures the interface to autonegotiate duplex mode with the connected device.
Example:
SwitchDevice(config-if)# duplex auto

Step 6: end
Purpose: Returns to privileged EXEC mode.
Example:
SwitchDevice(config-if)# end

Step 7: copy running-config startup-config
Purpose: (Optional) Saves your entries in the configuration file.
Example:
SwitchDevice# copy running-config startup-config

Example for Configuring Auto-MDIX


This example shows how to enable auto-MDIX on a port:

SwitchDevice# configure terminal
SwitchDevice(config)# interface gigabitethernet1/0/1
SwitchDevice(config-if)# speed auto
SwitchDevice(config-if)# duplex auto
SwitchDevice(config-if)# mdix auto
SwitchDevice(config-if)# end

CHAPTER 4
Configuring LLDP, LLDP-MED, and Wired
Location Service
• Finding Feature Information, on page 43
• LLDP, LLDP-MED, and Wired Location Service Overview, on page 43
• How to Configure LLDP, LLDP-MED, and Wired Location Service, on page 47
• Configuration Examples for LLDP, LLDP-MED, and Wired Location Service, on page 59
• Monitoring and Maintaining LLDP, LLDP-MED, and Wired Location Service, on page 59

Finding Feature Information


Your software release may not support all the features documented in this module. For the latest caveats and
feature information, see Bug Search Tool and the release notes for your platform and software release. To
find information about the features documented in this module, and to see a list of the releases in which each
feature is supported, see the feature information table at the end of this module.
Use Cisco Feature Navigator to find information about platform support and Cisco software image support.
To access Cisco Feature Navigator, go to http://www.cisco.com/go/cfn. An account on Cisco.com is not
required.

LLDP, LLDP-MED, and Wired Location Service Overview


LLDP
The Cisco Discovery Protocol (CDP) is a device discovery protocol that runs over Layer 2 (the data link layer)
on all Cisco-manufactured devices (routers, bridges, access servers, switches, and controllers). CDP allows
network management applications to automatically discover and learn about other Cisco devices connected
to the network.
To support non-Cisco devices and to allow for interoperability between other devices, the switch supports the
IEEE 802.1AB Link Layer Discovery Protocol (LLDP). LLDP is a neighbor discovery protocol that is used
for network devices to advertise information about themselves to other devices on the network. This protocol
runs over the data-link layer, which allows two systems running different network layer protocols to learn
about each other.


LLDP Supported TLVs


LLDP supports a set of attributes that it uses to discover neighbor devices. These attributes contain type,
length, and value descriptions and are referred to as TLVs. LLDP-supported devices can use TLVs to receive
and send information to their neighbors. This protocol can advertise details such as configuration information,
device capabilities, and device identity.
The switch supports these basic management TLVs. These are mandatory LLDP TLVs.
• Port description TLV
• System name TLV
• System description TLV
• System capabilities TLV
• Management address TLV

These organizationally specific LLDP TLVs are also advertised to support LLDP-MED.
• Port VLAN ID TLV (IEEE 802.1 organizationally specific TLVs)
• MAC/PHY configuration/status TLV (IEEE 802.3 organizationally specific TLVs)
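As an added example, not code from this guide or from Cisco, the following Python encodes and parses the TLV format described above: each TLV carries a 16-bit header with a 7-bit type and a 9-bit length, the mandatory Chassis ID, Port ID and TTL TLVs come first, and the IEEE 802.1 port VLAN ID TLV travels as an organizationally specific TLV (type 127). The LLDPDU, switch name, MAC address and VLAN number are constructed; the TTL of 120 seconds mirrors the default LLDP holdtime given later in this chapter. A defender can use the same walk to inventory what neighbours advertise or to reject malformed frames.

```python
import struct
from dataclasses import dataclass
from typing import Dict, List

# TLV type codes from IEEE 802.1AB. Types 4 to 8 are the basic management TLVs this guide
# lists; type 127 carries organizationally specific TLVs (port VLAN ID, MAC/PHY status).
TLV_NAMES = {
    0: "End of LLDPDU", 1: "Chassis ID", 2: "Port ID", 3: "Time To Live",
    4: "Port description", 5: "System name", 6: "System description",
    7: "System capabilities", 8: "Management address", 127: "Organizationally specific",
}
OUI_IEEE_8021 = b"\x00\x80\xc2"          # IEEE 802.1 OUI; subtype 1 = port VLAN ID
OUI_IEEE_8023 = b"\x00\x12\x0f"          # IEEE 802.3 OUI; subtype 1 = MAC/PHY config/status
CAP_BRIDGE, CAP_ROUTER = 0x0004, 0x0010  # system capabilities bit masks


@dataclass
class TLV:
    tlv_type: int
    value: bytes


def encode_tlv(tlv_type: int, value: bytes) -> bytes:
    """Encode one TLV: 16-bit header holding a 7-bit type and 9-bit length, then the value."""
    if not 0 <= tlv_type < 128 or len(value) > 511:
        raise ValueError("TLV type or length out of range")
    return struct.pack("!H", (tlv_type << 9) | len(value)) + value


def build_sample_lldpdu(ttl: int = 120) -> bytes:
    """Constructed LLDPDU from a hypothetical switch; every value is illustrative."""
    return b"".join([
        encode_tlv(1, b"\x04" + bytes.fromhex("0011223344aa")),  # chassis ID, subtype 4 = MAC
        encode_tlv(2, b"\x05" + b"Gi1/0/1"),                     # port ID, subtype 5 = ifname
        encode_tlv(3, struct.pack("!H", ttl)),                   # TTL in seconds
        encode_tlv(4, b"Connects to Marketing"),                 # port description
        encode_tlv(5, b"SwitchDevice"),                          # system name
        encode_tlv(7, struct.pack("!HH", CAP_BRIDGE | CAP_ROUTER, CAP_BRIDGE)),  # capable / enabled
        encode_tlv(127, OUI_IEEE_8021 + b"\x01" + struct.pack("!H", 10)),      # port VLAN ID 10
        encode_tlv(0, b""),                                      # End of LLDPDU
    ])


def parse_lldpdu(data: bytes) -> List[TLV]:
    """Walk the TLV chain; a length that runs past the frame marks a malformed or truncated PDU."""
    tlvs, offset = [], 0
    while offset + 2 <= len(data):
        (header,) = struct.unpack_from("!H", data, offset)
        tlv_type, length = header >> 9, header & 0x1FF
        offset += 2
        if offset + length > len(data):
            raise ValueError(f"TLV type {tlv_type} claims {length} bytes past end of LLDPDU")
        tlvs.append(TLV(tlv_type, data[offset:offset + length]))
        offset += length
        if tlv_type == 0:
            break
    return tlvs


def has_mandatory_layout(tlvs: List[TLV]) -> bool:
    """802.1AB requires Chassis ID, Port ID and TTL first, in that order, and End last."""
    types = [t.tlv_type for t in tlvs]
    return len(types) >= 4 and types[:3] == [1, 2, 3] and types[-1] == 0


def summarize(tlvs: List[TLV]) -> Dict[str, object]:
    """Pull out the fields a neighbour inventory or audit tool would record."""
    out: Dict[str, object] = {}
    for t in tlvs:
        v = t.value
        if t.tlv_type == 1 and v and v[0] == 4:
            out["chassis_mac"] = ":".join(f"{b:02x}" for b in v[1:])
        elif t.tlv_type == 2 and v and v[0] == 5:
            out["port_id"] = v[1:].decode("ascii", "replace")
        elif t.tlv_type == 3 and len(v) == 2:
            out["ttl"] = struct.unpack("!H", v)[0]
        elif t.tlv_type == 4:
            out["port_description"] = v.decode("utf-8", "replace")
        elif t.tlv_type == 5:
            out["system_name"] = v.decode("utf-8", "replace")
        elif t.tlv_type == 7 and len(v) == 4:
            capable, enabled = struct.unpack("!HH", v)
            out["bridge_enabled"] = bool(enabled & CAP_BRIDGE)
            out["router_enabled"] = bool(enabled & CAP_ROUTER)
        elif t.tlv_type == 127 and v[:4] == OUI_IEEE_8021 + b"\x01" and len(v) == 6:
            out["port_vlan_id"] = struct.unpack("!H", v[4:6])[0]
    # A TTL of 0 is how a neighbour announces that it is going away (shutdown LLDPDU).
    out["shutdown"] = out.get("ttl") == 0
    return out


if __name__ == "__main__":
    parsed = parse_lldpdu(build_sample_lldpdu())
    print(has_mandatory_layout(parsed), summarize(parsed))
```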

LLDP and Cisco Medianet


When you configure LLDP or CDP location information on a per-port basis, remote devices can send Cisco
Medianet location information to the switch. For information, go to
http://www.cisco.com/en/US/docs/ios/netmgmt/configuration/guide/nm_cdp_discover.html.

LLDP-MED
LLDP for Media Endpoint Devices (LLDP-MED) is an extension to LLDP that operates between endpoint
devices such as IP phones and network devices such as switches. It specifically provides support for voice
over IP (VoIP) applications and provides additional TLVs for capabilities discovery, network policy, Power
over Ethernet, inventory management and location information. By default, all LLDP-MED TLVs are enabled.

LLDP-MED Supported TLVs


LLDP-MED supports these TLVs:
• LLDP-MED capabilities TLV
Allows LLDP-MED endpoints to determine the capabilities that the connected device supports and has
enabled.
• Network policy TLV
Allows both network connectivity devices and endpoints to advertise VLAN configurations and associated
Layer 2 and Layer 3 attributes for the specific application on that port. For example, the switch can notify
a phone of the VLAN number that it should use. The phone can connect to any switch, obtain its VLAN
number, and then start communicating with the call control.
By defining a network-policy profile TLV, you can create a profile for voice and voice-signaling by
specifying the values for VLAN, class of service (CoS), differentiated services code point (DSCP), and
tagging mode. These profile attributes are then maintained centrally on the switch and propagated to the
phone.
• Power management TLV
Enables advanced power management between LLDP-MED endpoint and network connectivity devices.
Allows switches and phones to convey power information, such as how the device is powered, power
priority, and how much power the device needs.
LLDP-MED also supports an extended power TLV to advertise fine-grained power requirements, end-point
power priority, and end-point and network connectivity-device power status. When LLDP is enabled and
power is applied to a port, the power TLV determines the actual power requirement of the endpoint device so
that the system power budget can be adjusted accordingly. The switch processes the requests and either
grants or denies power based on the current power budget. If the request is granted, the switch updates
the power budget. If the request is denied, the switch turns off power to the port, generates a syslog
message, and updates the power budget. If LLDP-MED is disabled or if the endpoint does not support
the LLDP-MED power TLV, the initial allocation value is used throughout the duration of the connection.
You can change power settings by entering the power inline {auto [max max-wattage] | never | static
[max max-wattage]} interface configuration command. By default, the PoE interface is in auto mode; if
no value is specified, the maximum is allowed (30 W).
• Inventory management TLV
Allows an endpoint to send detailed inventory information about itself to the switch, including hardware
revision, firmware version, software version, serial number, manufacturer name, model name, and asset
ID TLV.
• Location TLV
Provides location information from the switch to the endpoint device. The location TLV can send this
information:
• Civic location information
Provides the civic address information and postal information. Examples of civic location information
are street address, road name, and postal community name information.
• ELIN location information
Provides the location information of a caller. The location is determined by the Emergency location
identifier number (ELIN), which is a phone number that routes an emergency call to the local public
safety answering point (PSAP) and which the PSAP can use to call back the emergency caller.

Wired Location Service


The switch uses the location service feature to send location and attachment tracking information for its
connected devices to a Cisco Mobility Services Engine (MSE). The tracked device can be a wireless endpoint,
a wired endpoint, or a wired switch or controller. The switch notifies the MSE of device link up and link down
events through the Network Mobility Services Protocol (NMSP) location and attachment notifications.
The MSE starts the NMSP connection to the switch, which opens a server port. When the MSE connects to
the switch there are a set of message exchanges to establish version compatibility and service exchange
information followed by location information synchronization. After connection, the switch periodically sends
location and attachment notifications to the MSE. Any link up or link down events detected during an interval
are aggregated and sent at the end of the interval.


When the switch determines the presence or absence of a device on a link-up or link-down event, it obtains
the client-specific information such as the MAC address, IP address, and username. If the client is LLDP-MED-
or CDP-capable, the switch obtains the serial number and UDI through the LLDP-MED location TLV or
CDP.
Depending on the device capabilities, the switch obtains this client information at link up:
• Slot and port specified in port connection
• MAC address specified in the client MAC address
• IP address specified in port connection
• 802.1X username if applicable
• Device category is specified as a wired station
• State is specified as new
• Serial number, UDI
• Model number
• Time in seconds since the switch detected the association

Depending on the device capabilities, the switch obtains this client information at link down:
• Slot and port that was disconnected
• MAC address
• IP address
• 802.1X username if applicable
• Device category is specified as a wired station
• State is specified as delete
• Serial number, UDI
• Time in seconds since the switch detected the disassociation

When the switch shuts down, it sends an attachment notification with the state delete and the IP address before
closing the NMSP connection to the MSE. The MSE interprets this notification as disassociation for all the
wired clients associated with the switch.
If you change a location address on the switch, the switch sends an NMSP location notification message that
identifies the affected ports and the changed address information.

Default LLDP Configuration


Table 8: Default LLDP Configuration

Feature                               | Default Setting
LLDP global state                     | Disabled
LLDP holdtime (before discarding)     | 120 seconds
LLDP timer (packet update frequency)  | 30 seconds
LLDP reinitialization delay           | 2 seconds
LLDP tlv-select                       | Disabled to send and receive all TLVs
LLDP interface state                  | Disabled
LLDP receive                          | Disabled
LLDP transmit                         | Disabled
LLDP med-tlv-select                   | Disabled to send all LLDP-MED TLVs. When LLDP is globally enabled, LLDP-MED-TLV is also enabled.

Restrictions for LLDP


• If the interface is configured as a tunnel port, LLDP is automatically disabled.
• If you first configure a network-policy profile on an interface, you cannot apply the switchport voice
vlan command on the interface. If the switchport voice vlan vlan-id is already configured on an interface,
you can apply a network-policy profile on the interface. This way the interface has the voice or
voice-signaling VLAN network-policy profile applied on the interface.
• You cannot configure static secure MAC addresses on an interface that has a network-policy profile.

How to Configure LLDP, LLDP-MED, and Wired Location Service


Enabling LLDP
SUMMARY STEPS
1. enable
2. configure terminal
3. lldp run
4. interface interface-id
5. lldp transmit
6. lldp receive
7. end
8. show lldp
9. copy running-config startup-config


DETAILED STEPS

Step 1: enable
Purpose: Enables privileged EXEC mode. Enter your password if prompted.
Example:
SwitchDevice> enable

Step 2: configure terminal
Purpose: Enters global configuration mode.
Example:
SwitchDevice# configure terminal

Step 3: lldp run
Purpose: Enables LLDP globally on the switch.
Example:
SwitchDevice(config)# lldp run

Step 4: interface interface-id
Purpose: Specifies the interface on which you are enabling LLDP and enters interface configuration mode.
Example:
SwitchDevice(config)# interface gigabitethernet2/0/1

Step 5: lldp transmit
Purpose: Enables the interface to send LLDP packets.
Example:
SwitchDevice(config-if)# lldp transmit

Step 6: lldp receive
Purpose: Enables the interface to receive LLDP packets.
Example:
SwitchDevice(config-if)# lldp receive

Step 7: end
Purpose: Returns to privileged EXEC mode.
Example:
SwitchDevice(config-if)# end

Step 8: show lldp
Purpose: Verifies the configuration.
Example:
SwitchDevice# show lldp

Step 9: copy running-config startup-config
Purpose: (Optional) Saves your entries in the configuration file.
Example:
SwitchDevice# copy running-config startup-config

Configuring LLDP Characteristics


You can configure the frequency of LLDP updates, the amount of time to hold the information before discarding
it, and the initialization delay time. You can also select the LLDP and LLDP-MED TLVs to send and receive.

Note Steps 2 through 5 are optional and can be performed in any order.

SUMMARY STEPS
1. enable
2. configure terminal
3. lldp holdtime seconds
4. lldp reinit delay
5. lldp timer rate
6. lldp tlv-select
7. interface interface-id
8. lldp med-tlv-select
9. end
10. show lldp
11. copy running-config startup-config

DETAILED STEPS

Step 1: enable
Purpose: Enables privileged EXEC mode. Enter your password if prompted.
Example:
SwitchDevice> enable

Step 2: configure terminal
Purpose: Enters global configuration mode.
Example:
SwitchDevice# configure terminal

Step 3: lldp holdtime seconds
Purpose: (Optional) Specifies the amount of time a receiving device should hold the information from your
device before discarding it. The range is 0 to 65535 seconds; the default is 120 seconds.
Example:
SwitchDevice(config)# lldp holdtime 120

Step 4: lldp reinit delay
Purpose: (Optional) Specifies the delay time in seconds for LLDP to initialize on an interface. The range
is 2 to 5 seconds; the default is 2 seconds.
Example:
SwitchDevice(config)# lldp reinit 2

Step 5: lldp timer rate
Purpose: (Optional) Sets the sending frequency of LLDP updates in seconds. The range is 5 to 65534
seconds; the default is 30 seconds.
Example:
SwitchDevice(config)# lldp timer 30

Step 6: lldp tlv-select
Purpose: (Optional) Specifies the LLDP TLVs to send or receive.
Example:
SwitchDevice(config)# lldp tlv-select

Step 7: interface interface-id
Purpose: Specifies the interface on which you are enabling LLDP and enters interface configuration mode.
Example:
SwitchDevice(config)# interface gigabitethernet2/0/1

Step 8: lldp med-tlv-select
Purpose: (Optional) Specifies the LLDP-MED TLVs to send or receive.
Example:
SwitchDevice(config-if)# lldp med-tlv-select inventory-management

Step 9: end
Purpose: Returns to privileged EXEC mode.
Example:
SwitchDevice(config-if)# end

Step 10: show lldp
Purpose: Verifies the configuration.
Example:
SwitchDevice# show lldp

Step 11: copy running-config startup-config
Purpose: (Optional) Saves your entries in the configuration file.
Example:
SwitchDevice# copy running-config startup-config

Configuring LLDP-MED TLVs


By default, the switch only sends LLDP packets until it receives LLDP-MED packets from the end device.
It then sends LLDP packets with MED TLVs, as well. When the LLDP-MED entry has been aged out, it again
only sends LLDP packets.
By using the lldp interface configuration command, you can configure the interface not to send the TLVs
listed in the following table.

Table 9: LLDP-MED TLVs

LLDP-MED TLV Description

inventory-management LLDP-MED inventory management TLV

location LLDP-MED location TLV

network-policy LLDP-MED network policy TLV

power-management LLDP-MED power management TLV

Follow these steps to enable a TLV on an interface:

SUMMARY STEPS
1. enable
2. configure terminal
3. interface interface-id
4. lldp med-tlv-select
5. end
6. copy running-config startup-config

DETAILED STEPS

Command or Action Purpose


Step 1 enable Enables privileged EXEC mode. Enter your password if prompted.
Example:
SwitchDevice> enable

Step 2 configure terminal Enters global configuration mode.


Example:

SwitchDevice# configure terminal

Step 3 interface interface-id Specifies the interface on which you are enabling LLDP, and enters interface
configuration mode.
Example:
SwitchDevice(config)# interface gigabitethernet 2/0/1

Step 4 lldp med-tlv-select Specifies the TLV to enable.
Example:
SwitchDevice(config-if)# lldp med-tlv-select inventory-management

Step 5 end Returns to privileged EXEC mode.


Example:

SwitchDevice(config-if)# end

Step 6 copy running-config startup-config (Optional) Saves your entries in the configuration file.
Example:

SwitchDevice# copy running-config startup-config

Configuring Network-Policy TLV


SUMMARY STEPS
1. enable
2. configure terminal
3. network-policy profile profile number
4. {voice | voice-signaling} vlan [vlan-id {cos cvalue | dscp dvalue}] | [[dot1p {cos cvalue | dscp dvalue}]
| none | untagged]
5. exit
6. interface interface-id
7. network-policy profile number
8. lldp med-tlv-select network-policy
9. end
10. show network-policy profile
11. copy running-config startup-config

DETAILED STEPS

Command or Action Purpose


Step 1 enable Enables privileged EXEC mode. Enter your password if
prompted.
Example:

SwitchDevice> enable

Step 2 configure terminal Enters global configuration mode.


Example:

SwitchDevice# configure terminal

Step 3 network-policy profile profile number Specifies the network-policy profile number, and enters
network-policy configuration mode. The range is 1 to 4294967295.
Example:
SwitchDevice(config)# network-policy profile 1

Step 4 {voice | voice-signaling} vlan [vlan-id {cos cvalue | dscp dvalue}] | [[dot1p {cos cvalue | dscp dvalue}] | none | untagged]
Configures the policy attributes:
• voice—Specifies the voice application type.
• voice-signaling—Specifies the voice-signaling application type.
• vlan—Specifies the native VLAN for voice traffic.
• vlan-id—(Optional) Specifies the VLAN for voice traffic. The range is 1 to 4094.
• cos cvalue—(Optional) Specifies the Layer 2 priority class of service (CoS) for the configured VLAN. The
range is 0 to 7; the default is 5.
• dscp dvalue—(Optional) Specifies the differentiated services code point (DSCP) value for the configured
VLAN. The range is 0 to 63; the default is 46.
• dot1p—(Optional) Configures the telephone to use IEEE 802.1p priority tagging and use VLAN 0 (the
native VLAN).
• none—(Optional) Do not instruct the IP telephone about the voice VLAN. The telephone uses the
configuration from the telephone key pad.
• untagged—(Optional) Configures the telephone to send untagged voice traffic. This is the default for the
telephone.
Example:
SwitchDevice(config-network-policy)# voice vlan 100 cos 4

Step 5 exit Returns to global configuration mode.
Example:
SwitchDevice(config-network-policy)# exit

Step 6 interface interface-id Specifies the interface on which you are configuring a network-policy profile,
and enters interface configuration mode.
Example:
SwitchDevice(config)# interface gigabitethernet2/0/1

Step 7 network-policy profile number Specifies the network-policy profile number.


Example:

SwitchDevice(config-if)# network-policy 1

Step 8 lldp med-tlv-select network-policy Specifies the network-policy TLV.
Example:
SwitchDevice(config-if)# lldp med-tlv-select network-policy

Step 9 end Returns to privileged EXEC mode.
Example:
SwitchDevice(config-if)# end

Step 10 show network-policy profile Verifies the configuration.


Example:

SwitchDevice# show network-policy profile

Step 11 copy running-config startup-config (Optional) Saves your entries in the configuration file.
Example:
SwitchDevice# copy running-config startup-config

Configuring Location TLV and Wired Location Service


Beginning in privileged EXEC mode, follow these steps to configure location information for an endpoint
and to apply it to an interface.

SUMMARY STEPS
1. configure terminal
2. location {admin-tag string | civic-location identifier {id | host} | elin-location string identifier id |
custom-location identifier {id | host} | geo-location identifier {id | host}}
3. exit
4. interface interface-id
5. location {additional-location-information word | civic-location-id {id | host} | elin-location-id id |
custom-location-id {id | host} | geo-location-id {id | host} }
6. end
7. Use one of the following:
• show location admin-tag string
• show location civic-location identifier id
• show location elin-location identifier id
8. copy running-config startup-config

DETAILED STEPS

Command or Action Purpose


Step 1 configure terminal Enters global configuration mode.
Example:

SwitchDevice# configure terminal

Step 2 location {admin-tag string | civic-location identifier {id | host} | elin-location string identifier id |
custom-location identifier {id | host} | geo-location identifier {id | host}}
Specifies the location information for an endpoint.
• admin-tag—Specifies an administrative tag or site information.
• civic-location—Specifies civic location information.
• elin-location—Specifies emergency location information (ELIN).
• custom-location—Specifies custom location information.
• geo-location—Specifies geo-spatial location information.
• identifier id—Specifies the ID for the civic, ELIN, custom, or geo location.
• host—Specifies the host civic, custom, or geo location.
• string—Specifies the site or location information in alphanumeric format.
Example:
SwitchDevice(config)# location civic-location identifier 1
SwitchDevice(config-civic)# number 3550
SwitchDevice(config-civic)# primary-road-name "Cisco Way"
SwitchDevice(config-civic)# city "San Jose"
SwitchDevice(config-civic)# state CA
SwitchDevice(config-civic)# building 19
SwitchDevice(config-civic)# room C6
SwitchDevice(config-civic)# county "Santa Clara"
SwitchDevice(config-civic)# country US

Step 3 exit Returns to global configuration mode.


Example:

SwitchDevice(config-civic)# exit

Step 4 interface interface-id Specifies the interface on which you are configuring the location information,
and enters interface configuration mode.
Example:
SwitchDevice(config)# interface gigabitethernet2/0/1

Step 5 location {additional-location-information word | civic-location-id {id | host} | elin-location-id id |
custom-location-id {id | host} | geo-location-id {id | host}}
Enters location information for an interface:
• additional-location-information—Specifies additional information for a location or place.
• civic-location-id—Specifies global civic location information for an interface.
• elin-location-id—Specifies emergency location information for an interface.
• custom-location-id—Specifies custom location information for an interface.
• geo-location-id—Specifies geo-spatial location information for an interface.
• host—Specifies the host location identifier.
• word—Specifies a word or phrase with additional location information.
• id—Specifies the ID for the civic, ELIN, custom, or geo location. The ID range is 1 to 4095.
Example:
SwitchDevice(config-if)# location elin-location-id 1

Step 6 end Returns to privileged EXEC mode.
Example:
SwitchDevice(config-if)# end

Step 7 Use one of the following: Verifies the configuration.
• show location admin-tag string
• show location civic-location identifier id
• show location elin-location identifier id
Example:
SwitchDevice# show location admin-tag
or
SwitchDevice# show location civic-location identifier
or
SwitchDevice# show location elin-location identifier

Step 8 copy running-config startup-config (Optional) Saves your entries in the configuration file.
Example:
SwitchDevice# copy running-config startup-config

Enabling Wired Location Service on the Switch

Before you begin


For wired location to function, you must first enter the ip device tracking global configuration command.

SUMMARY STEPS
1. enable
2. configure terminal
3. nmsp notification interval {attachment | location} interval-seconds
4. end
5. show network-policy profile
6. copy running-config startup-config


DETAILED STEPS

Command or Action Purpose


Step 1 enable Enables privileged EXEC mode. Enter your password if
prompted.
Example:

SwitchDevice> enable

Step 2 configure terminal Enters global configuration mode.


Example:

SwitchDevice# configure terminal

Step 3 nmsp notification interval {attachment | location} interval-seconds Specifies the NMSP notification interval.
attachment—Specifies the attachment notification interval.
location—Specifies the location notification interval.
interval-seconds—Duration in seconds before the switch sends the MSE the location or attachment updates. The
range is 1 to 30; the default is 30.
Example:
SwitchDevice(config)# nmsp notification interval location 10

Step 4 end Returns to privileged EXEC mode.


Example:

SwitchDevice(config)# end

Step 5 show network-policy profile Verifies the configuration.


Example:

SwitchDevice# show network-policy profile

Step 6 copy running-config startup-config (Optional) Saves your entries in the configuration file.
Example:

SwitchDevice# copy running-config startup-config

Configuration Examples for LLDP, LLDP-MED, and Wired Location Service
Configuring Network-Policy TLV: Examples
This example shows how to configure VLAN 100 for voice application with CoS and to enable the
network-policy profile and network-policy TLV on an interface:

Switch# configure terminal
Switch(config)# network-policy profile 1
Switch(config-network-policy)# voice vlan 100 cos 4
Switch(config-network-policy)# exit
Switch(config)# interface gigabitethernet1/0/1
Switch(config-if)# network-policy 1
Switch(config-if)# lldp med-tlv-select network-policy

This example shows how to configure the voice application type for the native VLAN with priority tagging:

Switch(config-network-policy)# voice vlan dot1p cos 4
Switch(config-network-policy)# voice vlan dot1p dscp 34
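As an added example (not part of the Cisco guide), the following Python script audits a constructed running-config excerpt against the LLDP and LLDP-MED procedures above: it checks lldp holdtime, timer and reinit against the ranges the guide gives, flags a holdtime shorter than the transmit interval, verifies that each interface-level network-policy refers to a defined network-policy profile, and reports which interfaces still advertise the inventory-management TLV. The config text, the function names, and the assumption that an interface advertises all four Table 9 TLVs unless a no lldp med-tlv-select line removes one are mine.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set

# (min, max, default) for the global LLDP timers, as stated in Steps 3 to 5 of the guide.
LLDP_GLOBAL_RANGES = {"holdtime": (0, 65535, 120), "timer": (5, 65534, 30), "reinit": (2, 5, 2)}
# The four LLDP-MED TLVs of Table 9. Assumption: an interface advertises all of them
# unless a "no lldp med-tlv-select <tlv>" line appears under it in the running-config.
MED_TLVS = ("inventory-management", "location", "network-policy", "power-management")

@dataclass
class Iface:
    name: str
    med_tlvs: Set[str] = field(default_factory=lambda: set(MED_TLVS))
    network_policy: Optional[int] = None
    location_ids: Dict[str, str] = field(default_factory=dict)

@dataclass
class LldpAudit:
    lldp_run: bool = False
    timers: Dict[str, int] = field(default_factory=dict)
    profiles: Set[int] = field(default_factory=set)
    interfaces: Dict[str, Iface] = field(default_factory=dict)

def parse_running_config(text: str) -> LldpAudit:
    """Collect the LLDP, LLDP-MED, network-policy and location lines of a running-config."""
    audit = LldpAudit()
    cur: Optional[Iface] = None
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line or line.startswith("!"):
            continue
        if not line.startswith(" "):  # unindented: a global-level command
            cur = None
            if line == "lldp run":
                audit.lldp_run = True
            elif (m := re.fullmatch(r"lldp (holdtime|timer|reinit) (\d+)", line)):
                audit.timers[m.group(1)] = int(m.group(2))
            elif (m := re.fullmatch(r"network-policy profile (\d+)", line)):
                audit.profiles.add(int(m.group(1)))
            elif (m := re.fullmatch(r"interface (\S+)", line)):
                cur = Iface(m.group(1))
                audit.interfaces[cur.name] = cur
            continue
        if cur is None:  # indented line of a mode we do not track (e.g. a profile body)
            continue
        sub = line.strip()
        if (m := re.fullmatch(r"(no )?lldp med-tlv-select (\S+)", sub)) and m.group(2) in MED_TLVS:
            if m.group(1):
                cur.med_tlvs.discard(m.group(2))
            else:
                cur.med_tlvs.add(m.group(2))
        elif (m := re.fullmatch(r"network-policy (\d+)", sub)):
            cur.network_policy = int(m.group(1))
        elif (m := re.fullmatch(r"location (civic|elin|custom|geo)-location-id (\S+)", sub)):
            cur.location_ids[m.group(1)] = m.group(2)
    return audit

def audit_config(text: str) -> List[str]:
    """Return human-readable findings for the LLDP/LLDP-MED configuration in text."""
    a = parse_running_config(text)
    findings: List[str] = []
    if not a.lldp_run:
        findings.append("global: LLDP is not enabled ('lldp run' missing)")
    for key, (lo, hi, default) in LLDP_GLOBAL_RANGES.items():
        val = a.timers.get(key, default)
        if not lo <= val <= hi:
            findings.append(f"global: lldp {key} {val} is outside the {lo}-{hi} range")
    hold = a.timers.get("holdtime", 120)
    tx = a.timers.get("timer", 30)
    if hold < tx:  # a neighbor discards our entry after holdtime seconds
        findings.append(f"global: holdtime {hold}s is shorter than timer {tx}s; "
                        "neighbors will age out this switch between updates")
    for name, it in a.interfaces.items():
        if it.network_policy is not None and it.network_policy not in a.profiles:
            findings.append(f"{name}: network-policy {it.network_policy} is applied "
                            "but no matching 'network-policy profile' exists")
        if "inventory-management" in it.med_tlvs:  # TLV carries hardware/firmware/software details
            findings.append(f"{name}: advertises the LLDP-MED inventory-management TLV")
    return findings

# Constructed running-config excerpt (not captured from a real switch).
SAMPLE_CONFIG = """\
lldp run
lldp holdtime 20
lldp timer 30
!
network-policy profile 1
 voice vlan 100 cos 4
!
interface GigabitEthernet1/0/1
 network-policy 1
 lldp med-tlv-select network-policy
 no lldp med-tlv-select inventory-management
 location elin-location-id 1
!
interface GigabitEthernet1/0/2
 network-policy 2
"""
```

Running audit_config(SAMPLE_CONFIG) reports the holdtime/timer mismatch, the undefined profile 2 on GigabitEthernet1/0/2, and the inventory TLV still advertised on that port.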

Monitoring and Maintaining LLDP, LLDP-MED, and Wired Location Service
Commands for monitoring and maintaining LLDP, LLDP-MED, and wired location service.

Command Description

clear lldp counters Resets the traffic counters to zero.

clear lldp table Deletes the LLDP neighbor information table.

clear nmsp statistics Clears the NMSP statistic counters.

show lldp Displays global information, such as frequency of transmissions, the holdtime for packets being
sent, and the delay time before LLDP initializes on an interface.

show lldp entry entry-name Displays information about a specific neighbor. You can enter an asterisk (*) to
display all neighbors, or you can enter the neighbor name.

show lldp interface [interface-id] Displays information about interfaces with LLDP
enabled.
You can limit the display to a specific interface.

show lldp neighbors [interface-id] [detail] Displays information about neighbors, including
device type, interface type and number, holdtime
settings, capabilities, and port ID.
You can limit the display to neighbors of a specific
interface or expand the display for more detailed
information.

show lldp traffic Displays LLDP counters, including the number of packets sent and received, number of
packets discarded, and number of unrecognized TLVs.

show location admin-tag string Displays the location information for the specified administrative tag or site.

show location civic-location identifier id Displays the location information for a specific global civic location.

show location elin-location identifier id Displays the location information for an emergency location.

show network-policy profile Displays the configured network-policy profiles.

show nmsp Displays the NMSP information.

CHAPTER 5
Configuring MultiGigabit Ports on WS-C3560CX-8PD-S
• Finding Feature Information, on page 61
• Overview of MultiGigabit Ports, on page 61
• Restrictions for MultiGigabit Ports, on page 61
• Supported Cable Types and Maximum Length, on page 62
• Setting the Interface Speed, on page 62
• Examples: Setting the Interface Speed, on page 63

Finding Feature Information


Your software release may not support all the features documented in this module. For the latest caveats and
feature information, see Bug Search Tool and the release notes for your platform and software release. To
find information about the features documented in this module, and to see a list of the releases in which each
feature is supported, see the feature information table at the end of this module.
Use Cisco Feature Navigator to find information about platform support and Cisco software image support.
To access Cisco Feature Navigator, go to http://www.cisco.com/go/cfn. An account on Cisco.com is not
required.

Overview of MultiGigabit Ports


Cisco’s Multigigabit Ethernet technology allows you to leverage 802.11ac Wave 2 speeds on your device.
Beginning with Cisco IOS XE 3.7.E1 and IOS 15.2(3)E1, you can configure the WS-C3560CX-8XPD-S
module to auto-negotiate multiple speeds on switch ports, supporting 100 Mbps, 1 Gbps, 2.5 Gbps, and 5
Gbps on Category 5e cables, and up to 10 Gbps over Category 6 and Category 6A cables.
The WS-C3560CX-8XPD-S module has 8 ports, of which 6 are 1-Gigabit Ethernet ports and 2 are
Multigigabit ports. The module also has 2 SFP+ ports.

Restrictions for MultiGigabit Ports


The following restrictions apply:
• MultiGigabit ports do not support 10 Mbps speed.
• MultiGigabit ports do not support half-duplex mode.
• MultiGigabit ports do not support EEE.

Supported Cable Types and Maximum Length


The following table lists the types of cables and the maximum length of cables supported on the Multigigabit
ports.

Cable Type 100M 1G 2.5G 5G 10G

Category5E Yes Yes Yes Yes Not Available

Category6 Yes Yes Yes Yes Yes (55 meters)

Category6A Yes Yes Yes Yes Yes

Setting the Interface Speed


To set port speed to 100Mbps/1000Mbps/2500Mbps/5000Mbps/10000Mbps on a Multigigabit Ethernet
interface (on a 1000Base-T port), perform this task:

Note Only 2 ports on the WS-C3560CX-8XPD-S module support Multigigabit Ethernet.

SUMMARY STEPS
1. enable
2. configure terminal
3. interface tengigabitethernetslot/interface
4. speed [100 | 1000 | 2500 | 5000 | 10000 | auto [100 | 1000 | 2500 | 5000 | 10000]]
5. end

DETAILED STEPS

Command or Action Purpose


Step 1 enable Enables privileged EXEC mode. Enter your password if
prompted.
Example:

SwitchDevice> enable

Step 2 configure terminal Enters global configuration mode.
Example:
SwitchDevice# configure terminal

Step 3 interface tengigabitethernetslot/interface Specifies the interface to be configured.
Example:
SwitchDevice(config)# interface tengigabitethernet 1/0/2

Step 4 speed [100 | 1000 | 2500 | 5000 | 10000 | auto [100 | 1000 | 2500 | 5000 | 10000]] Sets the interface speed.
Note 10G speed is supported only on Category6 and Category6A cables.
Example:
SwitchDevice(config-if)# speed 5000

Step 5 end Returns to privileged EXEC mode.
Example:
SwitchDevice(config-if)# end

What to do next
To restore autonegotiation (default setting), enter the no speed command in the interface configuration mode.
Related Topics
Examples: Setting the Interface Speed, on page 63

Examples: Setting the Interface Speed


This example shows how to set the interface speed to 5G on the Multigigabit Ethernet interface 1/0/2:
SwitchDevice(config)# interface tengigabitethernet 1/0/2
SwitchDevice(config-if)# speed 5000

This example shows how to allow the Multigigabit Ethernet interface 1/0/2 to autonegotiate the speed and
duplex mode:
SwitchDevice(config)# interface tengigabitethernet 1/0/2
SwitchDevice(config-if)# speed auto

This example shows how to limit speed negotiation to 2.5G on the Multigigabit Ethernet interface 1/0/1:
SwitchDevice(config)# interface tengigabitethernet 1/0/1
SwitchDevice(config-if)# speed auto 2500

Related Topics
Setting the Interface Speed, on page 62

CHAPTER 6
Configuring System MTU
• Finding Feature Information, on page 65
• Information about the MTU, on page 65
• How to Configure MTU , on page 66
• Configuration Examples for System MTU, on page 67

Finding Feature Information


Your software release may not support all the features documented in this module. For the latest caveats and
feature information, see Bug Search Tool and the release notes for your platform and software release. To
find information about the features documented in this module, and to see a list of the releases in which each
feature is supported, see the feature information table at the end of this module.
Use Cisco Feature Navigator to find information about platform support and Cisco software image support.
To access Cisco Feature Navigator, go to http://www.cisco.com/go/cfn. An account on Cisco.com is not
required.

Information about the MTU


The default maximum transmission unit (MTU) size for frames received and transmitted on all interfaces is
1500 bytes. You can increase the MTU size for all interfaces operating at 10 or 100 Mb/s by using the system
mtu global configuration command. You can increase the MTU size to support jumbo frames on all Gigabit
Ethernet interfaces by using the system mtu jumbo global configuration command.

Note The switch supports jumbo frames at CPU.

System MTU Guidelines


When configuring the system MTU values, follow these guidelines:
• The default maximum transmission unit (MTU) size for frames received and transmitted on all interfaces
is 1500 bytes. You can increase the MTU size for all interfaces operating at 10 or 100 Mb/s by using the
system mtu global configuration command. You can increase the MTU size to support jumbo frames
on all Gigabit Ethernet interfaces by using the system mtu jumbo global configuration command.
• Gigabit Ethernet ports are not affected by the system mtu command; 10/100 ports are not affected by
the system mtu jumbo command. If you do not configure the system mtu jumbo command, the setting
of the system mtu command applies to all Gigabit Ethernet interfaces.

How to Configure MTU


Configuring the System MTU
Beginning in privileged EXEC mode, follow these steps to change the MTU size for all 10/100 or Gigabit
Ethernet interfaces:

SUMMARY STEPS
1. configure terminal
2. system mtu bytes
3. system mtu jumbo bytes
4. end
5. copy running-config startup-config
6. reload
7. show system mtu

DETAILED STEPS

Command or Action Purpose


Step 1 configure terminal Enters global configuration mode.
Example:
SwitchDevice# configure terminal

Step 2 system mtu bytes The range is 1500 to 1998 bytes; the default is 1500 bytes.
Example:
SwitchDevice(config)# system mtu 1900

Step 3 system mtu jumbo bytes The range is 1500 to 9198 bytes; the default is 1500 bytes.
Example:
SwitchDevice(config)# system mtu jumbo 7500

Step 4 end Returns to privileged EXEC mode.


Example:
SwitchDevice(config)# end

Step 5 copy running-config startup-config Saves your entries in the configuration file.
Example:
SwitchDevice# copy running-config startup-config

Step 6 reload Reloads the operating system.


Example:
SwitchDevice# reload

Step 7 show system mtu Verifies your settings.


Example:
SwitchDevice# show system mtu

Configuration Examples for System MTU


This example shows how to set the maximum packet size for a Gigabit Ethernet port to 7500 bytes:

SwitchDevice(config)# system mtu 1900


SwitchDevice(config)# system mtu jumbo 7500
SwitchDevice(config)# exit

If you enter a value that is outside the allowed range for the specific type of interface, the value is not accepted.
This example shows the response when you try to set Gigabit Ethernet interfaces to an out-of-range number:

SwitchDevice(config)# system mtu jumbo 25000
                                       ^
% Invalid input detected at '^' marker.

This is an example of output from the show system mtu command:

SwitchDevice# show system mtu


Global Ethernet MTU is 1500 bytes.

CHAPTER 7
Configuring Boot Fast
• Finding Feature Information, on page 69
• Configuring Boot Fast on the switch, on page 69

Finding Feature Information


Your software release may not support all the features documented in this module. For the latest caveats and
feature information, see Bug Search Tool and the release notes for your platform and software release. To
find information about the features documented in this module, and to see a list of the releases in which each
feature is supported, see the feature information table at the end of this module.
Use Cisco Feature Navigator to find information about platform support and Cisco software image support.
To access Cisco Feature Navigator, go to http://www.cisco.com/go/cfn. An account on Cisco.com is not
required.

Configuring Boot Fast on the switch


This feature, when enabled, helps the switch boot up faster. The memory test is performed for a limited
range, and the switch skips the file system check (FSCK) and the POST test.

Note When fast boot is enabled, you can still run the POST tests manually from the command-line interface,
once the switch has booted up, using the diagnostic start command.

Enabling Boot Fast


To enable the boot fast feature, perform the following steps:

SUMMARY STEPS
1. enable
2. configure terminal
3. boot fast
4. end


DETAILED STEPS

Command or Action Purpose


Step 1 enable Enables privileged EXEC mode. Enter your password if
prompted.
Example:

SwitchDevice> enable

Step 2 configure terminal Enters global configuration mode.


Example:

SwitchDevice# configure terminal

Step 3 boot fast Enables the fast boot feature: performs the memory test for a limited range, skips the file
system check (FSCK), and skips the POST test.
Example:
SwitchDevice(config)# boot fast

Step 4 end Returns to privileged EXEC mode.


Example:

SwitchDevice(config)# end

Disabling Boot Fast


To disable the boot fast feature, perform the following steps:

SUMMARY STEPS
1. enable
2. configure terminal
3. no boot fast
4. end

DETAILED STEPS

Command or Action Purpose


Step 1 enable Enables privileged EXEC mode. Enter your password if
prompted.
Example:

SwitchDevice> enable

Step 2 configure terminal Enters global configuration mode.
Example:

SwitchDevice# configure terminal

Step 3 no boot fast Disables the boot fast feature.


Example:

SwitchDevice(config)# no boot fast

Step 4 end Returns to privileged EXEC mode.


Example:

SwitchDevice(config)# end

CHAPTER 8
Configuring PoE
• Finding Feature Information, on page 73
• Information about PoE, on page 73
• How to Configure PoE, on page 79
• Monitoring Power Status, on page 89
• Configuration Examples for Configuring PoE, on page 90

Finding Feature Information


Your software release may not support all the features documented in this module. For the latest caveats and
feature information, see Bug Search Tool and the release notes for your platform and software release. To
find information about the features documented in this module, and to see a list of the releases in which each
feature is supported, see the feature information table at the end of this module.
Use Cisco Feature Navigator to find information about platform support and Cisco software image support.
To access Cisco Feature Navigator, go to http://www.cisco.com/go/cfn. An account on Cisco.com is not
required.

Information about PoE


Power over Ethernet Ports
A PoE-capable switch port automatically supplies power to one of these connected devices if the switch senses
that there is no power on the circuit:
• a Cisco pre-standard powered device (such as a Cisco IP Phone or a Cisco Aironet Access Point)
• an IEEE 802.3af-compliant powered device

A powered device can receive redundant power when it is connected to a PoE switch port and to an AC power
source. The device does not receive redundant power when it is only connected to the PoE port.

PoE and PoE Pass-Through Ports on Catalyst WS-C3560CX-8PT-S


The Catalyst WS-C3560CX-8PT-S is a PD/PSE product, which means that the switch can behave like both
a Powered Device (PD) and Power Sourcing Equipment (PSE). This switch is powered by the PoE voltage
derived from its uplink ports (PD1 or PD2) or by the voltage supplied by an external auxiliary power supply
(AUX). The switch supports powering over PoE, PoE+ and UPOE, as well as AC and DC input.
The power available from the uplinks and from one of the power adapters is added together for increased
input power, which translates to a higher PoE budget. Some of this power is used for system power, and the
rest is provided to the downlink PoE+ ports as pass-through power for other PoE peripheral devices such as
IP phones, IP cameras, and so on.
• The Catalyst WS-C3560CX-8PT-S supports powering from 2xUPOE uplinks.
• It supports a DC power adaptor, which enables the switch to be powered by 24V DC input.
• AUX contributes 78W to the system.
• The power sources (AC or DC) and PoE are additive. The table below lists different power values
for the PoE budget.

Table 10: PoE Budget

PoE Budget (Watts)   Uplink 1   Uplink 2   Comment
0                    PoE        PoE        Normal operation, no PoE budget
0                    0          PoE+       Normal operation, no PoE budget
20                   PoE+       PoE+       PoE budget available
22                   0          UPoE       PoE budget available
33                   UPoE       PoE        PoE budget available
44                   PoE+       UPoE       PoE budget available
68                   UPoE       UPoE       PoE budget available

The switch is expected to boot with T1 power and negotiate to T2 power, which is known as Low Power
Bootup. Low Power Bootup occurs in the following case:
• One of the uplink ports is connected to the PSE.
• No auxiliary power adapter is connected.

In this case, the switch powers up in low power mode with the ASIC powered down and negotiates power
using CDP/LLDP. The system powers up and initializes the ASIC once power is negotiated, and continues
to boot without a software reload.

Example: Configuring PoE and PoE Pass-Through Ports on WS-C3560CX-8PT-S


The show env power privileged EXEC command provides information about powering options on your
switch:
SwitchDevice# show env power

Power Source   Type           Power(w)  Mode
-------------- -------------- --------- ---------
A.C. Input     Auxilliary     80(w)     Available
Gi0/9          Type2          30(w)     Available
Gi0/10         Type2          30(w)     Available

Available : The PoE received on this link is used for powering this switch and
providing PoE pass-through if applicable.

Note All these power sources add up to the PoE budget. The system consumption is approximately 24W.

Supported Protocols and Standards


The switch uses these protocols and standards to support PoE:
• CDP with power consumption—The powered device notifies the switch of the amount of power it is
consuming. The switch does not reply to the power-consumption messages. The switch can only supply
power to or remove power from the PoE port.
• Cisco intelligent power management—The powered device and the switch negotiate through
power-negotiation CDP messages for an agreed-upon power-consumption level. The negotiation allows
a high-power Cisco powered device, which consumes more than 7 W, to operate at its highest power
mode. The powered device first boots up in low-power mode, consumes less than 7 W, and negotiates
to obtain enough power to operate in high-power mode. The device changes to high-power mode only
when it receives confirmation from the switch.
High-power devices can operate in low-power mode on switches that do not support power-negotiation
CDP.
Cisco intelligent power management is backward-compatible with CDP with power consumption; the
switch responds according to the CDP message that it receives. CDP is not supported on third-party
powered devices; therefore, the switch uses the IEEE classification to determine the power usage of the
device.
• IEEE 802.3af—The major features of this standard are powered-device discovery, power administration,
disconnect detection, and optional powered-device power classification. For more information, see the
standard.

Powered-Device Detection and Initial Power Allocation


The switch detects a Cisco pre-standard or an IEEE-compliant powered device when the PoE-capable port is
in the no-shutdown state, PoE is enabled (the default), and the connected device is not being powered by an
AC adaptor.
After device detection, the switch determines the device power requirements based on its type:
• The initial power allocation is the maximum amount of power that a powered device requires. The switch
initially allocates this amount of power when it detects and powers the powered device. As the switch
receives CDP messages from the powered device and as the powered device negotiates power levels
with the switch through CDP power-negotiation messages, the initial power allocation might be adjusted.
• The switch classifies the detected IEEE device within a power consumption class. Based on the available
power in the power budget, the switch determines if a port can be powered. Table 11: IEEE Power
Classifications, on page 76 lists these levels.


Table 11: IEEE Power Classifications

Class                      Maximum Power Level Required from the Switch
-------------------------  --------------------------------------------
0 (class status unknown)   15.4 W
1                          4 W
2                          7 W
3                          15.4 W
4                          30 W (for IEEE 802.3at Type 2 powered devices)

The switch monitors and tracks requests for power and grants power only when it is available. The switch
tracks its power budget (the amount of power available on the switch for PoE). The switch performs
power-accounting calculations when a port is granted or denied power to keep the power budget up to date.
After power is applied to the port, the switch uses CDP to determine the CDP-specific power consumption
requirement of the connected Cisco powered devices, which is the amount of power to allocate based on the
CDP messages. The switch adjusts the power budget accordingly. This does not apply to third-party PoE
devices. The switch processes a request and either grants or denies power. If the request is granted, the switch
updates the power budget. If the request is denied, the switch ensures that power to the port is turned off,
generates a syslog message, and updates the LEDs. Powered devices can also negotiate with the switch for
more power.
With PoE+, powered devices use IEEE 802.3at and the LLDP Power-via-MDI (media dependent interface)
type, length, value (TLV) descriptions to negotiate power up to 30 W. Cisco pre-standard devices and Cisco
IEEE powered devices can use CDP or the IEEE 802.3at Power-via-MDI power negotiation mechanism to
request power levels up to 30 W.

Note The initial allocation for Class 0, Class 3, and Class 4 powered devices is 15.4 W. When a device starts up
and uses CDP or LLDP to send a request for more than 15.4 W, it can be allocated up to the maximum of 30
W.

Note The CDP-specific power consumption requirement is referred to as the actual power consumption requirement
in the software configuration guides and command references.

If the switch detects a fault caused by an undervoltage, overvoltage, overtemperature, oscillator-fault, or
short-circuit condition, it turns off power to the port, generates a syslog message, and updates the power
budget and LEDs.

Power Management Modes


The switch supports these PoE modes:
• auto—The switch automatically detects if the connected device requires power. If the switch discovers
a powered device connected to the port and if the switch has enough power, it grants power, updates the
power budget, turns on power to the port on a first-come, first-served basis, and updates the LEDs. For
LED information, see the hardware installation guide.


If enough power is available for all the powered devices connected to the switch, power is turned on to
all of them. If there is not enough available PoE, or if a device is disconnected and reconnected while
other devices are waiting for power, it cannot be determined which devices are granted or denied power.
If granting power would exceed the system power budget, the switch denies power, ensures that power
to the port is turned off, generates a syslog message, and updates the LEDs. After power has been denied,
the switch periodically rechecks the power budget and continues to attempt to grant the request for power.
If a device being powered by the switch is then connected to wall power, the switch might continue to
power the device. The switch might continue to report that it is still powering the device whether the
device is being powered by the switch or receiving power from an AC power source.
If a powered device is removed, the switch automatically detects the disconnect and removes power from
the port. You can connect a nonpowered device without damaging it.
You can specify the maximum wattage that is allowed on the port. If the IEEE class maximum wattage
of the powered device is greater than the configured maximum value, the switch does not provide power
to the port. If the switch powers a powered device, but the powered device later requests through CDP
messages more than the configured maximum value, the switch removes power to the port. The power
that was allocated to the powered device is reclaimed into the global power budget. If you do not specify
a wattage, the switch delivers the maximum value. Use the auto setting on any PoE port. The auto mode
is the default setting.
• static—The switch pre-allocates power to the port (even when no powered device is connected) and
guarantees that power will be available for the port. The switch allocates the port configured maximum
wattage, and the amount is never adjusted through the IEEE class or by CDP messages from the powered
device. Because power is pre-allocated, any powered device that uses less than or equal to the maximum
wattage is guaranteed to be powered when it is connected to the static port. The port no longer participates
in the first-come, first-served model.
However, if the powered-device IEEE class is greater than the maximum wattage, the switch does not
supply power to it. If the switch learns through CDP messages that the powered device is consuming
more than the maximum wattage, the switch shuts down the powered device.
If you do not specify a wattage, the switch pre-allocates the maximum value. The switch powers the port
only if it discovers a powered device. Use the static setting on a high-priority interface.
• never—The switch disables powered-device detection and never powers the PoE port even if an unpowered
device is connected. Use this mode only when you want to make sure that power is never applied to a
PoE-capable port, making the port a data-only port.

For most situations, the default configuration (auto mode) works well, providing plug-and-play operation. No
further configuration is required. However, perform this task to configure a PoE port for a higher priority, to
make it data only, or to specify a maximum wattage to disallow high-power powered devices on a port.
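The allocation rules above (Table 11, the 15.4 W initial allocation for class 0, 3 and 4 devices, auto versus static versus never, the per-port maximum, and the power inline consumption override that the Budgeting Power section later in this chapter describes) are easy to get wrong when sizing a budget. The following Python model is an added example written for this page; it is not code from the configuration guide or from Cisco, and it is not the output of any IOS command. It replays a constructed sequence of device detections and CDP/LLDP requests against an assumed 60 W budget and records, per port, what the text says the switch does. The budget figure, the port names, and the choice to deny an upward negotiation that does not fit the remaining budget (keeping the current allocation) are assumptions.

```python
"""PoE allocation model for this chapter (added example, not Cisco code).

Models Table 11 class allocations, the 15.4 W initial allocation for class
0/3/4 with CDP/LLDP negotiation up to 30 W, auto/static/never ports, the
per-port max, and the power inline consumption override. Assumed: the budget
figure, and that an upward request that does not fit is denied, not shut off.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

IEEE_CLASS_MW = {0: 15400, 1: 4000, 2: 7000, 3: 15400, 4: 30000}  # Table 11
INITIAL_CAP_MW = 15400        # class 0/3/4 start here and negotiate upward
POEPLUS_MAX_MW = 30000        # ceiling reachable through CDP/LLDP
MIN_MW, MAX_MW = 4000, 30000  # range of "max" and "consumption" values


@dataclass
class Port:
    name: str
    mode: str = "auto"                    # auto (default) | static | never
    max_mw: int = MAX_MW                  # power inline {auto|static} max <mW>
    consumption_mw: Optional[int] = None  # power inline consumption <mW>
    pd_class: Optional[int] = None
    allocated_mw: int = 0
    powered: bool = False
    events: List[str] = field(default_factory=list)  # stands in for syslog


class PoeSwitch:
    def __init__(self, budget_mw: int) -> None:
        self.budget_mw = budget_mw
        self.ports: Dict[str, Port] = {}

    @property
    def remaining_mw(self) -> int:
        return self.budget_mw - sum(p.allocated_mw for p in self.ports.values())

    def configure(self, port: Port) -> None:
        """A static port reserves its max at configuration time, with no device
        attached, so it never competes in the first-come, first-served model."""
        if not MIN_MW <= port.max_mw <= MAX_MW:
            raise ValueError(f"{port.name}: max must be {MIN_MW}..{MAX_MW} mW")
        if port.mode == "static":
            if port.max_mw > self.remaining_mw:
                raise ValueError(f"{port.name}: cannot reserve {port.max_mw} mW")
            port.allocated_mw = port.max_mw
        self.ports[port.name] = port

    def connect(self, name: str, pd_class: int) -> bool:
        """Device detection on a port; True when power is granted."""
        port = self.ports[name]
        port.pd_class = pd_class
        if port.mode == "never":
            port.events.append("detection disabled (data-only port)")
            return False
        if IEEE_CLASS_MW[pd_class] > port.max_mw:
            port.events.append(f"class {pd_class} exceeds max {port.max_mw} mW: denied")
            return False
        if port.mode == "static":
            port.powered = True           # reservation already made; class ignored
            return True
        # auto: consumption override if set, else class value capped at 15.4 W
        need = port.consumption_mw or min(IEEE_CLASS_MW[pd_class], INITIAL_CAP_MW)
        if need > self.remaining_mw:
            port.events.append(f"only {self.remaining_mw} mW left: denied, retry later")
            return False
        port.allocated_mw, port.powered = need, True
        return True

    def negotiate(self, name: str, requested_mw: int) -> bool:
        """CDP/LLDP power request from a powered device after power-up."""
        port = self.ports[name]
        if not port.powered:
            return False
        if requested_mw > port.max_mw:
            port.events.append(f"request {requested_mw} mW > max {port.max_mw} mW: power removed")
            self.disconnect(name)         # allocation returns to the global budget
            return False
        if port.mode == "static" or port.consumption_mw is not None:
            return True                   # allocation is fixed; nothing to adjust
        requested_mw = min(requested_mw, POEPLUS_MAX_MW)
        if requested_mw - port.allocated_mw > self.remaining_mw:
            port.events.append("increase denied: budget short (assumed behaviour)")
            return False
        port.allocated_mw = requested_mw
        return True

    def disconnect(self, name: str) -> None:
        port = self.ports[name]
        port.powered = False
        if port.mode != "static":
            port.allocated_mw = 0         # static ports keep their reservation


def demo() -> Tuple[PoeSwitch, Dict[str, bool]]:
    """Constructed sequence against an assumed 60 W budget."""
    sw = PoeSwitch(60000)
    for p in (Port("Gi0/1", mode="static"), Port("Gi0/2"), Port("Gi0/3", max_mw=10000),
              Port("Gi0/4"), Port("Gi0/5", mode="never")):
        sw.configure(p)                   # Gi0/1 reserves 30000 mW immediately
    r: Dict[str, bool] = {}
    r["Gi0/1 class4"] = sw.connect("Gi0/1", 4)           # granted, stays 30000 mW
    r["Gi0/2 class3"] = sw.connect("Gi0/2", 3)           # 15400 mW, 14600 mW left
    r["Gi0/3 class3"] = sw.connect("Gi0/3", 3)           # 15400 > max 10000: denied
    r["Gi0/3 class2"] = sw.connect("Gi0/3", 2)           # 7000 mW, 7600 mW left
    r["Gi0/4 class0"] = sw.connect("Gi0/4", 0)           # 15400 > 7600 left: denied
    r["Gi0/2 ask 25000"] = sw.negotiate("Gi0/2", 25000)  # +9600 > 7600 left: denied
    r["Gi0/3 ask 9000"] = sw.negotiate("Gi0/3", 9000)    # +2000 fits, 5600 left
    r["Gi0/3 ask 12000"] = sw.negotiate("Gi0/3", 12000)  # > max 10000: power removed
    r["Gi0/5 class1"] = sw.connect("Gi0/5", 1)           # never: no detection
    return sw, r


if __name__ == "__main__":
    switch, results = demo()
    print(results, "remaining mW:", switch.remaining_mw)
```

The point to notice is the order dependence of auto ports: Gi0/4 is refused only because Gi0/2 and Gi0/3 were detected first, which is exactly why the guide recommends static mode for high-priority ports and warns that you cannot predict which auto ports lose out when the budget is short.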

Power Monitoring and Power Policing


When policing of the real-time power consumption is enabled, the switch takes action when a powered device
consumes more power than the maximum amount allocated, also referred to as the cutoff-power value.
When PoE is enabled, the switch senses the real-time power consumption of the powered device. The switch
monitors the real-time power consumption of the connected powered device; this is called power monitoring
or power sensing. The switch also polices the power usage with the power policing feature.
Power monitoring is backward-compatible with Cisco intelligent power management and CDP-based power
consumption. It works with these features to ensure that the PoE port can supply power to the powered device.


The switch senses the real-time power consumption of the connected device as follows:
1. The switch monitors the real-time power consumption on individual ports.
2. The switch records the power consumption, including peak power usage. The switch reports the information
through the CISCO-POWER-ETHERNET-EXT-MIB.
3. If power policing is enabled, the switch polices power usage by comparing the real-time power consumption
to the maximum power allocated to the device. The maximum power consumption is also referred to as
the cutoff power on a PoE port.
If the device uses more than the maximum power allocation on the port, the switch can either turn off
power to the port, or the switch can generate a syslog message and update the LEDs (the port LED is now
blinking amber) while still providing power to the device based on the switch configuration. By default,
power-usage policing is disabled on all PoE ports.
If error recovery from the PoE error-disabled state is enabled, the switch automatically takes the PoE port
out of the error-disabled state after the specified amount of time.
If error recovery is disabled, you can manually re-enable the PoE port by using the shutdown and no
shutdown interface configuration commands.
4. If policing is disabled, no action occurs when the powered device consumes more than the maximum
power allocation on the PoE port, which could adversely affect the switch.

Maximum Power Allocation (Cutoff Power) on a PoE Port


When power policing is enabled, the switch determines one of these values as the cutoff power on the
PoE port, in this order:
1. Manually when you set the user-defined power level that the switch budgets for the port by using the
power inline consumption default wattage global or interface configuration command
2. Manually when you set the user-defined power level that limits the power allowed on the port by using
the power inline auto max max-wattage or the power inline static max max-wattage interface
configuration command
3. Automatically when the switch sets the power usage of the device by using CDP power negotiation or by
the IEEE classification and LLDP power negotiation.

Use the first or second method in the previous list to manually configure the cutoff-power value by entering
the power inline consumption default wattage or the power inline [auto | static max] max-wattage command.
If you do not manually configure the cutoff-power value, the switch automatically determines it by using CDP
power negotiation or the device IEEE classification and LLDP power negotiation. If neither CDP nor LLDP is
enabled, the default value of 30 W is applied. However, without CDP or LLDP, the switch does not allow
devices to consume more than 15.4 W of power because values from 15400 to 30000 mW are only allocated
based on CDP or LLDP requests. If a powered device consumes more than 15.4 W without CDP or LLDP
negotiation, the device might be in violation of the maximum current (Imax) limitation and might experience
an Icut fault for drawing more current than the maximum. The port remains in the fault state for a time before
attempting to power on again. If the port continuously draws more than 15.4 W, the cycle repeats.


Note When a powered device connected to a PoE+ port restarts and sends a CDP or LLDP packet with a power
TLV, the switch locks to the power-negotiation protocol of that first packet and does not respond to power
requests from the other protocol. For example, if the switch is locked to CDP, it does not provide power to
devices that send LLDP requests. If CDP is disabled after the switch has locked on it, the switch does not
respond to LLDP power requests and can no longer power on any accessories. In this case, you should restart
the powered device.

Power Consumption Values


You can configure the initial power allocation and the maximum power allocation on a port. However, these
values are only the configured values that determine when the switch should turn on or turn off power on the
PoE port. The maximum power allocation is not the same as the actual power consumption of the powered
device. The actual cutoff power value that the switch uses for power policing is not equal to the configured
power value.
When power policing is enabled, the switch polices the power usage at the switch port, which is greater than
the power consumption of the device. When you manually set the maximum power allocation, you must
consider the power loss over the cable from the switch port to the powered device. The cutoff power is the
sum of the rated power consumption of the powered device and the worst-case power loss over the cable.
We recommend that you enable power policing when PoE is enabled on your switch. For example, if policing
is disabled and you set the cutoff-power value by using the power inline auto max 6300 interface configuration
command, the configured maximum power allocation on the PoE port is 6.3 W (6300 mW). The switch
provides power to the connected devices on the port if the device needs up to 6.3 W. If the CDP-power
negotiated value or the IEEE classification value exceeds the configured cutoff value, the switch does not
provide power to the connected device. After the switch turns on power on the PoE port, the switch does not
police the real-time power consumption of the device, and the device can consume more power than the
maximum allocated amount, which could adversely affect the switch and the devices connected to the other
PoE ports.
Because the switch supports internal power supplies and the Cisco Redundant Power System 2300 (also
referred to as the RPS 2300), the total amount of power available for the powered devices varies depending
on the power supply configuration.
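To make the cutoff-power precedence and the policing actions concrete (this also covers the log and errdisable actions and the errdisable recovery timer that the Configuring Power Policing procedure later in this chapter sets up), here is an added Python model written for this page. It is not Cisco code and is not output from any IOS command. It picks the cutoff in the order the guide lists, applies the 15.4 W ceiling for a device that does not negotiate over CDP or LLDP, adds a cable-loss margin when sizing a manual consumption value, and runs constructed real-time power samples through the log and errdisable actions. The cable-loss margins are the IEEE 802.3af/at PSE-to-PD figures (15.4 W delivered as 12.95 W, 30 W delivered as 25.5 W); the guide does not state them, so they are an assumption here. Port names, sample readings and timestamps are constructed.

```python
"""Cutoff power and power policing per this chapter (added example, not Cisco code).

Follows the text for: cutoff precedence (consumption override, then the
configured max, then CDP/LLDP or IEEE class, 30 W without CDP/LLDP), the
15.4 W ceiling for devices that cannot negotiate, the log/errdisable actions
and the errdisable recovery timer (default 300 s, range 30..86400 s).
Assumption: cable-loss margins are the IEEE 802.3af/at PSE-to-PD figures.
"""
from dataclasses import dataclass, field
from typing import List, Optional

IEEE_CLASS_MW = {0: 15400, 1: 4000, 2: 7000, 3: 15400, 4: 30000}
DEFAULT_CUTOFF_MW = 30000          # applied when CDP and LLDP are both off
NO_NEGOTIATION_CEILING_MW = 15400  # 15.4..30 W is only granted via CDP/LLDP
MIN_MW, MAX_MW = 4000, 30000       # command range for max/consumption values
RECOVERY_DEFAULT_S, RECOVERY_MIN_S, RECOVERY_MAX_S = 300, 30, 86400


@dataclass
class PolicedPort:
    name: str
    consumption_mw: Optional[int] = None  # power inline consumption [default]
    max_mw: Optional[int] = None          # power inline {auto|static} max
    negotiated_mw: Optional[int] = None   # learned via CDP or LLDP power TLV
    pd_class: Optional[int] = None        # IEEE classification of the PD
    police: Optional[str] = None          # None (off) | "errdisable" | "log"
    powered: bool = True
    errdisabled_at: Optional[float] = None
    syslog: List[str] = field(default_factory=list)


def cutoff_power_mw(port: PolicedPort, negotiation_enabled: bool = True) -> int:
    """Cutoff power chosen in the order the guide lists."""
    if port.consumption_mw is not None:
        return port.consumption_mw
    if port.max_mw is not None:
        return port.max_mw
    if not negotiation_enabled:
        return DEFAULT_CUTOFF_MW
    if port.negotiated_mw is not None:
        return port.negotiated_mw
    if port.pd_class is not None:
        return IEEE_CLASS_MW[port.pd_class]
    return DEFAULT_CUTOFF_MW


def consumption_for_pd(rated_mw: int) -> int:
    """Manual consumption value = PD rated draw + worst-case cable loss,
    clamped to the 4000..30000 mW command range (margins are an assumption)."""
    loss = 2450 if rated_mw <= 12950 else 4500   # 802.3af / 802.3at margins
    return max(MIN_MW, min(MAX_MW, rated_mw + loss))


class Policer:
    def __init__(self, recovery_enabled: bool = False,
                 recovery_s: int = RECOVERY_DEFAULT_S) -> None:
        if not RECOVERY_MIN_S <= recovery_s <= RECOVERY_MAX_S:
            raise ValueError("errdisable recovery interval must be 30..86400 s")
        self.recovery_enabled = recovery_enabled
        self.recovery_s = recovery_s

    def sample(self, port: PolicedPort, measured_mw: int, now: float,
               negotiation_enabled: bool = True) -> str:
        """One real-time power reading at the switch port; returns the action."""
        if port.errdisabled_at is not None:
            if self.recovery_enabled and now - port.errdisabled_at >= self.recovery_s:
                port.errdisabled_at, port.powered = None, True
                port.syslog.append(f"{port.name}: recovered from inline-power errdisable")
                return "recovered"
            return "errdisabled"        # needs shut/no shut if recovery is off
        if not negotiation_enabled and measured_mw > NO_NEGOTIATION_CEILING_MW:
            port.powered = False        # Imax exceeded without CDP/LLDP: Icut fault
            port.syslog.append(f"{port.name}: Icut fault at {measured_mw} mW")
            return "icut-fault"
        cutoff = cutoff_power_mw(port, negotiation_enabled)
        if measured_mw <= cutoff:
            return "ok"
        if port.police is None:
            return "unpoliced"          # power stays on; may affect the switch
        if port.police == "log":
            port.syslog.append(f"{port.name}: {measured_mw} mW exceeds cutoff {cutoff} mW")
            return "log"
        port.powered, port.errdisabled_at = False, now   # default action
        port.syslog.append(f"{port.name}: errdisabled, {measured_mw} mW > cutoff {cutoff} mW")
        return "errdisable"


def demo() -> dict:
    """Constructed readings and timestamps (seconds)."""
    pol = Policer(recovery_enabled=True, recovery_s=100)
    gi1 = PolicedPort("Gi0/1", max_mw=6300, police="errdisable")
    gi2 = PolicedPort("Gi0/2", pd_class=3, police="log")
    gi3 = PolicedPort("Gi0/3", negotiated_mw=25000)       # policing disabled
    gi4 = PolicedPort("Gi0/4")                            # no CDP/LLDP on link
    return {
        "gi1": [pol.sample(gi1, 5000, 0), pol.sample(gi1, 7000, 1),
                pol.sample(gi1, 5000, 50), pol.sample(gi1, 5000, 101)],
        "gi2": [pol.sample(gi2, 16000, 0), gi2.powered],
        "gi3": [pol.sample(gi3, 27000, 0), gi3.powered],
        "gi4": [pol.sample(gi4, 16000, 0, negotiation_enabled=False), gi4.powered],
    }


if __name__ == "__main__":
    for port, outcome in demo().items():
        print(port, outcome)
```

Gi0/3 is the case the guide warns about: with policing disabled, a device that negotiated 25 W and then draws 27 W keeps its power, and only the global budget of the other ports suffers. Gi0/1 shows why the errdisable recovery timer matters; without it, the port stays down until someone issues shutdown and no shutdown.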

How to Configure PoE


Configuring a Power Management Mode on a PoE Port

Note When you make PoE configuration changes, the port being configured drops power. Depending on the new
configuration, the state of the other PoE ports, and the state of the power budget, the port might not be powered
up again. For example, port 1 is in the auto and on state, and you configure it for static mode. The switch
removes power from port 1, detects the powered device, and repowers the port. If port 1 is in the auto and on
state and you configure it with a maximum wattage of 10 W, the switch removes power from the port and
then redetects the powered device. The switch repowers the port only if the powered device is a class 1, class
2, or a Cisco-only powered device.


SUMMARY STEPS
1. enable
2. configure terminal
3. interface interface-id
4. power inline {auto [max max-wattage] | never | static [max max-wattage]}
5. end
6. show power inline [interface-id | module switch-number]
7. copy running-config startup-config

DETAILED STEPS

Command or Action Purpose


Step 1 enable Enables privileged EXEC mode. Enter your password if
prompted.
Example:

SwitchDevice> enable

Step 2 configure terminal Enters global configuration mode.


Example:
SwitchDevice# configure terminal

Step 3 interface interface-id Specifies the physical port to be configured, and enters
interface configuration mode.
Example:
SwitchDevice(config)# interface
gigabitethernet2/0/1

Step 4 power inline {auto [max max-wattage] | never | static [max max-wattage]}
Example:
SwitchDevice(config-if)# power inline auto

Configures the PoE mode on the port. The keywords have these meanings:
• auto—Enables powered-device detection. If enough power is available, automatically allocates power to
the PoE port after device detection. This is the default setting.
• max max-wattage—Limits the power allowed on the port. The range is 4000 to 30000 mW. If no value is
specified, the maximum is allowed.
• never—Disables device detection, and disables power to the port.

Note If a port has a Cisco powered device connected to it, do not use the power inline never command
to configure the port. A false link-up can occur, placing the port into the error-disabled state.

• static—Enables powered-device detection. Pre-allocates (reserves) power for a port before the switch
discovers the powered device. The switch reserves power for this port even when no device is connected
and guarantees that power will be provided upon device detection.

The switch allocates power to a port configured in static mode before it allocates power to a port configured
in auto mode.

Step 5 end Returns to privileged EXEC mode.


Example:
SwitchDevice(config-if)# end

Step 6 show power inline [interface-id | module switch-number] Displays PoE status for a switch, for the specified interface.
Example:
SwitchDevice# show power inline

Step 7 copy running-config startup-config (Optional) Saves your entries in the configuration file.
Example:

SwitchDevice# copy running-config startup-config

Configuring PoE and PoE Pass-Through Ports on Catalyst WS-C3560CX-8PT-S


You can configure the power management, budgeting, and policing on the Catalyst WS-C3560CX-8PT-S
compact switch PoE ports the same as with any other PoE switch.
The show env power privileged EXEC command provides information about powering options on your
switch.


Persistent POE
Persistent PoE provides uninterrupted power to the connected powered device (PD) even while the PSE
switch is booting.

Note Power to the ports is interrupted during an MCU firmware upgrade; the ports come back up immediately
after the upgrade.

Note This feature is available only on the following models of Catalyst 3560-CX and Catalyst 2960-CX switches:
• WS-C3560CX-8PC-S
• WS-C3560CX-12PC-S
• WS-C3560CX-8XPD-S
• WS-C2960CX-8PC-L

Fast POE
Fast PoE remembers the last power drawn on each PSE port and switches power on as soon as AC power is
applied (within 15 to 20 seconds), without waiting for IOS to boot. When poe-ha is enabled on a port, the
switch restores power to the connected endpoint shortly after recovering from a power failure, before IOS
forwarding starts. The feature is configured with the same command as poe-ha. If the powered device on a
port is replaced while the switch is powered off, the new device receives the power that the previous device
was drawing.

Configuring Persistent and Fast POE


To configure persistent POE and Fast POE, perform the following steps:

Note You will need to configure the poe-ha command before connecting the PD, or you will need to manually
shut/unshut the port after configuring poe-ha.

SUMMARY STEPS
1. enable
2. configure terminal
3. interface interface-id
4. power inline port poe-ha
5. end


DETAILED STEPS

Command or Action Purpose


Step 1 enable Enables privileged EXEC mode. Enter your password if
prompted.
Example:

SwitchDevice> enable

Step 2 configure terminal Enters global configuration mode.


Example:

SwitchDevice# configure terminal

Step 3 interface interface-id Specifies the physical port to be configured, and enters
interface configuration mode.
Example:
SwitchDevice(config)# interface
gigabitethernet2/0/1

Step 4 power inline port poe-ha Configures POE High Availability.


Example:

SwitchDevice(config-if)# power inline port poe-ha

Step 5 end Returns to privileged EXEC mode.


Example:

SwitchDevice(config-if)# end

Budgeting Power for Devices Connected to a PoE Port


When Cisco powered devices are connected to PoE ports, the switch uses Cisco Discovery Protocol (CDP)
to determine the CDP-specific power consumption of the devices, and the switch adjusts the power budget
accordingly. This does not apply to IEEE third-party powered devices. For these devices, when the switch
grants a power request, the switch adjusts the power budget according to the powered-device IEEE classification.
If the powered device is a class 0 (class status unknown) or a class 3, the switch budgets 15,400 mW for the
device, regardless of the CDP-specific amount of power needed. If the powered device reports a higher class
than its CDP-specific consumption or does not support power classification (defaults to class 0), the switch
can power fewer devices because it uses the IEEE class information to track the global power budget.
By using the power inline consumption wattage interface configuration command or the power inline
consumption default wattage global configuration command, you can override the default power requirement
specified by the IEEE classification. The difference between what is mandated by the IEEE classification and
what is actually needed by the device is reclaimed into the global power budget for use by additional devices.
You can then extend the switch power budget and use it more effectively.


Caution You should carefully plan your switch power budget, enable the power monitoring feature, and make certain
not to oversubscribe the power supply.

Note When you manually configure the power budget, you must also consider the power loss over the cable between
the switch and the powered device.

Budgeting Power to All PoE ports

SUMMARY STEPS
1. enable
2. configure terminal
3. no cdp run
4. power inline consumption default wattage
5. end
6. show power inline consumption default
7. copy running-config startup-config

DETAILED STEPS

Command or Action Purpose


Step 1 enable Enables privileged EXEC mode. Enter your password if
prompted.
Example:

SwitchDevice> enable

Step 2 configure terminal Enters global configuration mode.


Example:
SwitchDevice# configure terminal

Step 3 no cdp run (Optional) Disables CDP.


Example:
SwitchDevice(config)# no cdp run

Step 4 power inline consumption default wattage
Example:
SwitchDevice(config)# power inline consumption default 5000

Configures the power consumption of powered devices connected to each PoE port. The range for each
device is 4000 to 30000 mW (PoE+). The default is 30000 mW.

Step 5 end Returns to privileged EXEC mode.


Example:
SwitchDevice(config)# end


Command or Action Purpose


Step 6 show power inline consumption default Displays the power consumption status.
Example:
SwitchDevice# show power inline consumption default

Step 7 copy running-config startup-config (Optional) Saves your entries in the configuration file.
Example:

SwitchDevice# copy running-config startup-config

Budgeting Power to a Specific PoE Port

SUMMARY STEPS
1. enable
2. configure terminal
3. no cdp run
4. interface interface-id
5. power inline consumption wattage
6. end
7. show power inline consumption
8. copy running-config startup-config

DETAILED STEPS

Command or Action Purpose


Step 1 enable Enables privileged EXEC mode. Enter your password if
prompted.
Example:

SwitchDevice> enable

Step 2 configure terminal Enters global configuration mode.


Example:
SwitchDevice# configure terminal

Step 3 no cdp run (Optional) Disables CDP.


Example:
SwitchDevice(config)# no cdp run

Step 4 interface interface-id Specifies the physical port to be configured, and enters
interface configuration mode.
Example:


Command or Action Purpose


SwitchDevice(config)# interface
gigabitethernet2/0/1

Step 5 power inline consumption wattage
Example:
SwitchDevice(config-if)# power inline consumption 5000

Configures the power consumption of a powered device connected to a PoE port on the switch. The range
for each device is 4000 to 30000 mW (PoE+). The default is 30000 mW (PoE+).

Step 6 end Returns to privileged EXEC mode.


Example:
SwitchDevice(config-if)# end

Step 7 show power inline consumption Displays the power consumption data.
Example:
SwitchDevice# show power inline consumption

Step 8 copy running-config startup-config (Optional) Saves your entries in the configuration file.
Example:

SwitchDevice# copy running-config startup-config

Configuring Power Policing


By default, the switch monitors the real-time power consumption of connected powered devices. You can
configure the switch to police the power usage. By default, policing is disabled.

SUMMARY STEPS
1. enable
2. configure terminal
3. interface interface-id
4. power inline police [action{log | errdisable}]
5. exit
6. Use one of the following:
• errdisable detect cause inline-power
• errdisable recovery cause inline-power
• errdisable recovery interval interval
7. exit
8. Use one of the following:
• show power inline police
• show errdisable recovery
9. copy running-config startup-config


DETAILED STEPS

Command or Action Purpose


Step 1 enable Enables privileged EXEC mode. Enter your password if
prompted.
Example:

SwitchDevice> enable

Step 2 configure terminal Enters global configuration mode.


Example:
SwitchDevice# configure terminal

Step 3 interface interface-id Specifies the physical port to be configured, and enters
interface configuration mode.
Example:
SwitchDevice(config)# interface
gigabitethernet2/0/1

Step 4 power inline police [action {log | errdisable}]
Example:
SwitchDevice(config-if)# power inline police

If the real-time power consumption exceeds the maximum power allocation on the port, configures the
switch to take one of these actions:
• power inline police—Shuts down the PoE port, turns off power to it, and puts it in the error-disabled state.

Note You can enable error detection for the PoE error-disabled cause by using the errdisable detect cause
inline-power global configuration command. You can also enable the timer to recover from the PoE
error-disabled state by using the errdisable recovery cause inline-power and errdisable recovery interval
interval global configuration commands.

• power inline police action errdisable—Turns off power to the port if the real-time power consumption
exceeds the maximum power allocation on the port.
• power inline police action log—Generates a syslog message while still providing power to the port.

If you do not enter the action log keywords, the default action shuts down the port and puts the port in the
error-disabled state.

Step 5 exit Returns to global configuration mode.


Example:
SwitchDevice(config-if)# exit


Command or Action Purpose


Step 6 Use one of the following:
• errdisable detect cause inline-power
• errdisable recovery cause inline-power
• errdisable recovery interval interval
Example:
SwitchDevice(config)# errdisable detect cause inline-power
SwitchDevice(config)# errdisable recovery cause inline-power
SwitchDevice(config)# errdisable recovery interval 100

(Optional) Enables error recovery from the PoE error-disabled state, and configures the PoE recovery
mechanism variables. By default, the recovery interval is 300 seconds. For interval interval, specifies the
time in seconds to recover from the error-disabled state. The range is 30 to 86400.

Step 7 exit Returns to privileged EXEC mode.


Example:
SwitchDevice(config)# exit

Step 8 Use one of the following: Displays the power monitoring status, and verifies the error
recovery settings.
• show power inline police
• show errdisable recovery
Example:
SwitchDevice# show power inline police

SwitchDevice# show errdisable recovery

Step 9 copy running-config startup-config (Optional) Saves your entries in the configuration file.
Example:

SwitchDevice# copy running-config startup-config

Monitoring Power Status


Table 12: Show Commands for Power Status

Command Purpose

show env power switch (Optional) Displays the status of the internal power supplies for the specified switch.

show power inline [interface-id] Displays PoE status for the switch or for an interface.


show power inline police Displays the power policing data.

show env power Displays the status of the power supplies for the specified switch.

Configuration Examples for Configuring PoE


Budgeting Power: Example
When you enter one of the following commands,
• [no] power inline consumption default wattage global configuration command
• [no] power inline consumption wattage interface configuration command
this caution message appears:

%CAUTION: Interface Gi1/0/1: Misconfiguring the 'power inline consumption/allocation' command may cause damage to the
switch and void your warranty. Take precaution not to oversubscribe the power supply. It is recommended to enable power
policing if the switch supports it. Refer to documentation.

CHAPTER 9
Configuring EEE
• Finding Feature Information, on page 91
• Information About EEE, on page 91
• Restrictions for EEE, on page 92
• How to Configure EEE, on page 92
• Monitoring EEE, on page 93
• Configuration Examples for Configuring EEE, on page 93

Finding Feature Information


Your software release may not support all the features documented in this module. For the latest caveats and
feature information, see Bug Search Tool and the release notes for your platform and software release. To
find information about the features documented in this module, and to see a list of the releases in which each
feature is supported, see the feature information table at the end of this module.
Use Cisco Feature Navigator to find information about platform support and Cisco software image support.
To access Cisco Feature Navigator, go to http://www.cisco.com/go/cfn. An account on Cisco.com is not
required.

Information About EEE


EEE Overview
Energy Efficient Ethernet (EEE) is an IEEE 802.3az standard that is designed to reduce power consumption
in Ethernet networks during idle periods.
EEE can be enabled on devices that support low power idle (LPI) mode. Such devices can save power by
entering LPI mode during periods of low utilization. In LPI mode, systems on both ends of the link can save
power by shutting down certain services. EEE provides the protocol needed to transition into and out of LPI
mode in a way that is transparent to upper layer protocols and applications.

Default EEE Configuration


EEE is disabled by default.


EEE is enabled by default.

Restrictions for EEE


EEE has the following restrictions:
• Changing the EEE configuration resets the interface because the device has to restart Layer 1
autonegotiation.
• You might want to enable the Link Layer Discovery Protocol (LLDP) for devices that require longer
wakeup times before they are able to accept data on their receive paths. Doing so enables the device to
negotiate for extended system wakeup times from the transmitting link partner.

How to Configure EEE


You can enable or disable EEE on an interface that is connected to an EEE-capable link partner.

Enabling or Disabling EEE


SUMMARY STEPS
1. configure terminal
2. interface interface-id
3. power efficient-ethernet auto
4. no power efficient-ethernet auto
5. end
6. copy running-config startup-config

DETAILED STEPS

Command or Action Purpose


Step 1 configure terminal Enters global configuration mode.
Example:

SwitchDevice# configure terminal

Step 2 interface interface-id Specifies the interface to be configured, and enters interface configuration mode.
Example:
SwitchDevice(config)# interface gigabitethernet1/0/1


Step 3 power efficient-ethernet auto Enables EEE on the specified interface. When EEE is enabled, the device
advertises and autonegotiates EEE to its link partner.
Example:
SwitchDevice(config-if)# power efficient-ethernet auto

Step 4 no power efficient-ethernet auto Disables EEE on the specified interface.
Example:
SwitchDevice(config-if)# no power efficient-ethernet auto

Step 5 end Returns to privileged EXEC mode.


Example:

SwitchDevice(config-if)# end

Step 6 copy running-config startup-config (Optional) Saves your entries in the configuration file.
Example:

SwitchDevice# copy running-config startup-config

Monitoring EEE
Table 13: Commands for Displaying EEE Settings

Command Purpose

show eee capabilities interface interface-id Displays EEE capabilities for the specified interface.

show eee status interface interface-id Displays EEE status information for the specified
interface.

Configuration Examples for Configuring EEE


This example shows how to enable EEE for an interface:

SwitchDevice# configure terminal
SwitchDevice(config)# interface gigabitethernet1/0/1
SwitchDevice(config-if)# power efficient-ethernet auto


This example shows how to disable EEE for an interface:

SwitchDevice# configure terminal
SwitchDevice(config)# interface gigabitethernet1/0/1
SwitchDevice(config-if)# no power efficient-ethernet auto

PART II
IPv6
• Configuring MLD Snooping, on page 97
• Configuring IPv6 Unicast Routing, on page 111
• Implementing IPv6 Multicast, on page 165
CHAPTER 10
Configuring MLD Snooping
This module contains details of configuring MLD snooping.
• Finding Feature Information, on page 97
• Information About Configuring IPv6 MLD Snooping, on page 97
• How to Configure IPv6 MLD Snooping, on page 101
• Displaying MLD Snooping Information, on page 108
• Configuration Examples for Configuring MLD Snooping, on page 109

Finding Feature Information


Your software release may not support all the features documented in this module. For the latest caveats and
feature information, see Bug Search Tool and the release notes for your platform and software release. To
find information about the features documented in this module, and to see a list of the releases in which each
feature is supported, see the feature information table at the end of this module.
Use Cisco Feature Navigator to find information about platform support and Cisco software image support.
To access Cisco Feature Navigator, go to http://www.cisco.com/go/cfn. An account on Cisco.com is not
required.

Information About Configuring IPv6 MLD Snooping


You can use Multicast Listener Discovery (MLD) snooping to enable efficient distribution of IP Version 6
(IPv6) multicast data to clients and routers in a switched network on the switch. Unless otherwise noted, the
term switch refers to a standalone switch.

Note For complete syntax and usage information for the commands used in this chapter, see the command reference
for this release or the Cisco IOS documentation referenced in the procedures.

Understanding MLD Snooping


In IP Version 4 (IPv4), Layer 2 switches can use Internet Group Management Protocol (IGMP) snooping to
limit the flooding of multicast traffic by dynamically configuring Layer 2 interfaces so that multicast traffic
is forwarded to only those interfaces associated with IP multicast devices. In IPv6, MLD snooping performs
a similar function. With MLD snooping, IPv6 multicast data is selectively forwarded to a list of ports that
want to receive the data, instead of being flooded to all ports in a VLAN. This list is constructed by snooping
IPv6 multicast control packets.
MLD is a protocol used by IPv6 multicast routers to discover the presence of multicast listeners (nodes wishing
to receive IPv6 multicast packets) on the links that are directly attached to the routers and to discover which
multicast packets are of interest to neighboring nodes. MLD is derived from IGMP; MLD Version 1 (MLDv1)
is equivalent to IGMPv2, and MLD Version 2 (MLDv2) is equivalent to IGMPv3. MLD is a subprotocol of
Internet Control Message Protocol Version 6 (ICMPv6), and MLD messages are a subset of ICMPv6 messages,
identified in IPv6 packets by a preceding Next Header value of 58.
The switch supports two versions of MLD snooping:
• MLDv1 snooping detects MLDv1 control packets and sets up traffic bridging based on IPv6 destination
multicast addresses.
• MLDv2 basic snooping (MBSS) uses MLDv2 control packets to set up traffic forwarding based on IPv6
destination multicast addresses.

The switch can snoop on both MLDv1 and MLDv2 protocol packets and bridge IPv6 multicast data based on
destination IPv6 multicast addresses.

Note The switch does not support MLDv2 enhanced snooping, which sets up IPv6 source and destination multicast
address-based forwarding.

MLD snooping can be enabled or disabled globally or per VLAN. When MLD snooping is enabled, a per-VLAN
IPv6 multicast address table is constructed in software and hardware. The switch then performs IPv6
multicast-address based bridging in hardware.

MLD Messages
MLDv1 supports three types of messages:
• Listener Queries are the equivalent of IGMPv2 queries and are either General Queries or
Multicast-Address-Specific Queries (MASQs).
• Multicast Listener Reports are the equivalent of IGMPv2 reports
• Multicast Listener Done messages are the equivalent of IGMPv2 leave messages.

MLDv2 supports MLDv2 queries and reports, as well as MLDv1 Report and Done messages.
Message timers and state transitions resulting from messages being sent or received are the same as those of
IGMPv2 messages. MLD messages that do not have valid link-local IPv6 source addresses are ignored by
MLD routers and switches.
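The classification rules just described (Next Header 58, the MLDv1 and MLDv2 message types, General Query versus MASQ, and the link-local source requirement) applied to constructed packets, as an added Python example that is not part of this guide or of Cisco IOS; the packet builder, the checksum routine and the sample addresses are assumptions made for the demonstration:

```python
"""Classify an IPv6 packet as an MLD message the way a snooping switch does.

Added example for this chapter, not Cisco code. It applies the rules stated
above: the header preceding the MLD message must carry Next Header 58
(ICMPv6), the ICMPv6 type selects MLDv1 Query/Report/Done or an MLDv2
Report, a query whose group address is :: is a General Query and otherwise
a Multicast-Address-Specific Query (MASQ), and a message whose source is
not a link-local address is ignored. The ICMPv6 checksum is verified too.
"""
import ipaddress
import struct

HOP_BY_HOP = 0
ICMPV6 = 58
MLD_TYPES = {130: "MLDv1 Query", 131: "MLDv1 Report",
             132: "MLDv1 Done", 143: "MLDv2 Report"}


def icmpv6_checksum(src, dst, payload):
    """Upper-layer checksum over the IPv6 pseudo-header plus the ICMPv6 payload."""
    pseudo = (src + dst + struct.pack("!I", len(payload))
              + b"\x00\x00\x00" + bytes([ICMPV6]))
    data = pseudo + payload
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_mldv1(src, dst, mld_type, group, max_resp_ms=0):
    """Constructed IPv6 packet: base header, a Hop-by-Hop header carrying the
    Router Alert option (so the base header says Next Header 0 and the
    Hop-by-Hop header says 58), then a 24-byte MLDv1 message."""
    src_b = ipaddress.IPv6Address(src).packed
    dst_b = ipaddress.IPv6Address(dst).packed
    body = struct.pack("!BBHHH", mld_type, 0, 0, max_resp_ms, 0)
    body += ipaddress.IPv6Address(group).packed
    csum = icmpv6_checksum(src_b, dst_b, body)
    body = body[:2] + struct.pack("!H", csum) + body[4:]
    hbh = bytes([ICMPV6, 0, 5, 2, 0, 0, 1, 0])  # next hdr, len, Router Alert (MLD), PadN
    hdr = struct.pack("!IHBB", 0x60000000, len(hbh) + len(body), HOP_BY_HOP, 1)
    return hdr + src_b + dst_b + hbh + body


def classify(packet):
    """Return the parsed MLD message, or {"ignored": reason} when a snooping
    switch would not act on the packet."""
    if len(packet) < 40:
        return {"ignored": "truncated IPv6 header"}
    ver_tc_fl, plen, nxt, _hlim = struct.unpack("!IHBB", packet[:8])
    if ver_tc_fl >> 28 != 6:
        return {"ignored": "not IPv6"}
    src = ipaddress.IPv6Address(packet[8:24])
    dst = ipaddress.IPv6Address(packet[24:40])
    end = 40 + plen
    off = 40
    # Skip Hop-by-Hop headers; the header preceding the MLD message must say 58.
    while nxt == HOP_BY_HOP and off + 2 <= len(packet):
        nxt, off = packet[off], off + (packet[off + 1] + 1) * 8
    if nxt != ICMPV6:
        return {"ignored": "next header %d is not ICMPv6 (58)" % nxt}
    body = packet[off:end]
    if len(body) < 24:
        return {"ignored": "truncated ICMPv6 payload"}
    mtype = body[0]
    if mtype not in MLD_TYPES:
        return {"ignored": "ICMPv6 type %d is not MLD" % mtype}
    if not src.is_link_local:  # MLD without a link-local source is ignored
        return {"ignored": "source %s is not link-local" % src}
    if icmpv6_checksum(src.packed, dst.packed, body) != 0:
        return {"ignored": "bad ICMPv6 checksum"}
    result = {"type": MLD_TYPES[mtype], "src": str(src), "dst": str(dst)}
    if mtype in (130, 131, 132):
        result["max_resp_ms"] = struct.unpack("!H", body[4:6])[0]
        result["group"] = str(ipaddress.IPv6Address(body[8:24]))
        if mtype == 130:
            result["query"] = ("General" if result["group"] == "::"
                               else "Multicast-Address-Specific (MASQ)")
    return result


if __name__ == "__main__":
    # Constructed sample traffic: a host report, a router MASQ, and a report
    # from a global address that the switch must ignore.
    for pkt in (build_mldv1("fe80::1", "ff12::3", 131, "ff12::3"),
                build_mldv1("fe80::a", "ff12::3", 130, "ff12::3", 1000),
                build_mldv1("2001:db8::1", "ff12::3", 131, "ff12::3")):
        print(classify(pkt))
```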

MLD Queries
The switch sends out MLD queries, constructs an IPv6 multicast address database, and generates MLD
group-specific and MLD group-and-source-specific queries in response to MLD Done messages. The switch
also supports report suppression, report proxying, Immediate-Leave functionality, and static IPv6 multicast
group address configuration.


When MLD snooping is disabled, all MLD queries are flooded in the ingress VLAN.
When MLD snooping is enabled, received MLD queries are flooded in the ingress VLAN, and a copy of the
query is sent to the CPU for processing. From the received query, MLD snooping builds the IPv6 multicast
address database. It detects multicast router ports, maintains timers, sets report response time, learns the querier
IP source address for the VLAN, learns the querier port in the VLAN, and maintains multicast-address aging.

Note When the IPv6 multicast router is a Catalyst 6500 switch and you are using extended VLANs (in the range
1006 to 4094), IPv6 MLD snooping must be enabled on the extended VLAN on the Catalyst 6500 switch in
order for the Catalyst 2960, 2960-S, 2960-C, 2960-X or 2960-CX switch to receive queries on the VLAN.
For normal-range VLANs (1 to 1005), it is not necessary to enable IPv6 MLD snooping on the VLAN on the
Catalyst 6500 switch.

When a group exists in the MLD snooping database, the switch responds to a group-specific query by sending
an MLDv1 report. When the group is unknown, the group-specific query is flooded to the ingress VLAN.
When a host wants to leave a multicast group, it can send out an MLD Done message (equivalent to an IGMP
Leave message). When the switch receives an MLDv1 Done message, if Immediate-Leave is not enabled,
the switch sends an MASQ to the port from which the message was received to determine if other devices
connected to the port should remain in the multicast group.

Multicast Client Aging Robustness


You can configure port membership removal from addresses based on the number of queries. A port is removed
from membership to an address only when there are no reports to the address on the port for the configured
number of queries. The default number is 2.

Multicast Router Discovery


Like IGMP snooping, MLD snooping performs multicast router discovery, with these characteristics:
• Ports configured by a user never age out.
• Dynamic port learning results from MLDv1 snooping queries and IPv6 PIMv2 packets.
• If there are multiple routers on the same Layer 2 interface, MLD snooping tracks a single multicast router
on the port (the router that most recently sent a router control packet).
• Dynamic multicast router port aging is based on a default timer of 5 minutes; the multicast router is
deleted from the router port list if no control packet is received on the port for 5 minutes.
• IPv6 multicast router discovery only takes place when MLD snooping is enabled on the switch.
• Received IPv6 multicast router control packets are always flooded to the ingress VLAN, whether or not
MLD snooping is enabled on the switch.
• After the discovery of the first IPv6 multicast router port, unknown IPv6 multicast data is forwarded
only to the discovered router ports (before that time, all IPv6 multicast data is flooded to the ingress
VLAN).


MLD Reports
The processing of MLDv1 join messages is essentially the same as with IGMPv2. When no IPv6 multicast
routers are detected in a VLAN, reports are not processed or forwarded from the switch. When IPv6 multicast
routers are detected and an MLDv1 report is received, an IPv6 multicast group address is entered in the VLAN
MLD database. Then all IPv6 multicast traffic to the group within the VLAN is forwarded using this address.
When MLD snooping is disabled, reports are flooded in the ingress VLAN.
When MLD snooping is enabled, MLD report suppression, called listener message suppression, is automatically
enabled. With report suppression, the switch forwards the first MLDv1 report received by a group to IPv6
multicast routers; subsequent reports for the group are not sent to the routers. When MLD snooping is disabled,
report suppression is disabled, and all MLDv1 reports are flooded to the ingress VLAN.
The switch also supports MLDv1 proxy reporting. When an MLDv1 MASQ is received, the switch responds
with MLDv1 reports for the address on which the query arrived if the group exists in the switch on another
port and if the port on which the query arrived is not the last member port for the address.

MLD Done Messages and Immediate-Leave


When the Immediate-Leave feature is enabled and a host sends an MLDv1 Done message (equivalent to an
IGMP leave message), the port on which the Done message was received is immediately deleted from the
group. You enable Immediate-Leave on VLANs and (as with IGMP snooping), you should only use the feature
on VLANs where a single host is connected to the port. If the port was the last member of a group, the group
is also deleted, and the leave information is forwarded to the detected IPv6 multicast routers.
When Immediate Leave is not enabled in a VLAN (which would be the case when there are multiple clients
for a group on the same port) and a Done message is received on a port, an MASQ is generated on that port.
The user can control when a port membership is removed for an existing address in terms of the number of
MASQs. A port is removed from membership to an address when there are no MLDv1 reports to the address
on the port for the configured number of queries.
The number of MASQs generated is configured by using the ipv6 mld snooping last-listener-query-count
global configuration command. The default number is 2.
The MASQ is sent to the IPv6 multicast address for which the Done message was sent. If there are no reports
sent to the IPv6 multicast address specified in the MASQ during the switch maximum response time, the port
on which the MASQ was sent is deleted from the IPv6 multicast address database. The maximum response
time is the time configured by using the ipv6 mld snooping last-listener-query-interval global configuration
command. If the deleted port is the last member of the multicast address, the multicast address is also deleted,
and the switch sends the address leave information to all detected multicast routers.
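The report, Done, Immediate-Leave, MASQ and proxy-reporting behaviour described in this section and the preceding MLD Reports section, modelled in an added Python example that is not part of this guide or of Cisco IOS; the class names, port names and group addresses are constructed, and the VLAN-overrides-global rule for the last-listener query count follows the chapter's default configuration table:

```python
"""Model of the per-VLAN MLD snooping membership logic described above.

Added example for this chapter, not Cisco code. Port names and group
addresses are constructed. Behaviour modelled: an MLDv1 report adds the port
to the group and only the first report for a group reaches the multicast
routers (listener message suppression); a Done with Immediate-Leave removes
the port at once; otherwise the switch sends last-listener-query-count MASQs
to that port and removes it only if no report answers any of them; the last
member port deletes the group and forwards the leave to router ports; a MASQ
from a router is answered by proxy when the group has members on another
port. The VLAN count overrides the global count unless it is 0.
"""
from dataclasses import dataclass, field


@dataclass
class SnoopingConfig:
    global_last_listener_query_count: int = 2  # ipv6 mld snooping last-listener-query-count
    vlan_last_listener_query_count: int = 0    # per-VLAN value; 0 = use the global value
    immediate_leave: bool = False              # ipv6 mld snooping vlan X immediate-leave

    def last_listener_query_count(self):
        return self.vlan_last_listener_query_count or self.global_last_listener_query_count


@dataclass
class VlanSnooper:
    cfg: SnoopingConfig
    groups: dict = field(default_factory=dict)      # group address -> set of member ports
    to_routers: list = field(default_factory=list)  # (kind, group) passed to mrouter ports
    masqs: list = field(default_factory=list)       # (port, group) MASQs the switch sent

    def report(self, port, group):
        """MLDv1 report received on a port."""
        members = self.groups.setdefault(group, set())
        if not members:
            self.to_routers.append(("report", group))  # later reports are suppressed
        members.add(port)

    def done(self, port, group, answer_on=None):
        """MLDv1 Done received on a port. answer_on simulates a remaining host
        on that port replying to the n-th MASQ (None: nobody replies)."""
        members = self.groups.get(group)
        if not members or port not in members:
            return "no membership"
        if not self.cfg.immediate_leave:
            for n in range(1, self.cfg.last_listener_query_count() + 1):
                self.masqs.append((port, group))
                if answer_on == n:
                    return "port kept"
        members.discard(port)
        if not members:
            del self.groups[group]
            self.to_routers.append(("done", group))  # leave forwarded to routers
            return "group deleted"
        return "port removed"

    def masq_received(self, port, group):
        """MASQ from a multicast router arriving on a port (proxy reporting)."""
        members = self.groups.get(group)
        if not members:
            return "flooded"          # unknown group: the query floods the VLAN
        if members - {port}:
            return "proxy report"     # group exists on another port: answer for it
        return "passed to hosts"      # this port is the last member: let hosts reply


if __name__ == "__main__":
    v = VlanSnooper(SnoopingConfig())
    v.report("Gi1/0/3", "ff12::3")
    v.report("Gi1/0/3", "ff12::3")  # second host behind the same port
    print(v.done("Gi1/0/3", "ff12::3", answer_on=1), v.masqs)
    print(v.done("Gi1/0/3", "ff12::3"), v.masqs, v.to_routers)
```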

Topology Change Notification Processing


When topology change notification (TCN) solicitation is enabled by using the ipv6 mld snooping tcn query
solicit global configuration command, MLDv1 snooping sets the VLAN to flood all IPv6 multicast traffic
with a configured number of MLDv1 queries before it begins sending multicast data only to selected ports.
You set this value by using the ipv6 mld snooping tcn flood query count global configuration command.
The default is to send two queries. The switch also generates MLDv1 global Done messages with valid
link-local IPv6 source addresses when the switch becomes the STP root in the VLAN or when it is configured
by the user. This is the same as in IGMP snooping.


How to Configure IPv6 MLD Snooping


Default MLD Snooping Configuration
Table 14: Default MLD Snooping Configuration

Feature Default Setting

MLD snooping (Global) Disabled.

MLD snooping (per VLAN) Enabled. MLD snooping must be globally enabled for VLAN
MLD snooping to take place.

IPv6 Multicast addresses None configured.

IPv6 Multicast router ports None configured.

MLD snooping Immediate Leave Disabled.

MLD snooping robustness variable Global: 2; Per VLAN: 0.
Note The VLAN value overrides the global setting. When the VLAN value is 0, the VLAN uses the global count.

Last listener query count Global: 2; Per VLAN: 0.
Note The VLAN value overrides the global setting. When the VLAN value is 0, the VLAN uses the global count.

Last listener query interval Global: 1000 (1 second); VLAN: 0.
Note The VLAN value overrides the global setting. When the VLAN value is 0, the VLAN uses the global interval.

TCN query solicit Disabled.

TCN query count 2.

MLD listener suppression Enabled.

MLD Snooping Configuration Guidelines


When configuring MLD snooping, consider these guidelines:
• You can configure MLD snooping characteristics at any time, but you must globally enable MLD snooping
by using the ipv6 mld snooping global configuration command for the configuration to take effect.
• When the IPv6 multicast router is a Catalyst 6500 switch and you are using extended VLANs (in the
range 1006 to 4094), IPv6 MLD snooping must be enabled on the extended VLAN on the Catalyst 6500
switch in order for the switch to receive queries on the VLAN. For normal-range VLANs (1 to 1005), it
is not necessary to enable IPv6 MLD snooping on the VLAN on the Catalyst 6500 switch.
• MLD snooping and IGMP snooping act independently of each other. You can enable both features at
the same time on the switch.

Enabling or Disabling MLD Snooping on the Switch (CLI)


By default, IPv6 MLD snooping is globally disabled on the switch and enabled on all VLANs. When MLD
snooping is globally disabled, it is also disabled on all VLANs. When you globally enable MLD snooping,
the VLAN configuration overrides the global configuration. That is, MLD snooping is enabled only on VLAN
interfaces in the default state (enabled).
You can enable and disable MLD snooping on a per-VLAN basis or for a range of VLANs, but if you globally
disable MLD snooping, it is disabled in all VLANs. If global snooping is enabled, you can enable or disable
VLAN snooping.
Beginning in privileged EXEC mode, follow these steps to globally enable MLD snooping on the switch:

Procedure

Command or Action Purpose


Step 1 configure terminal Enters global configuration mode.
Example:

SwitchDevice# configure terminal

Step 2 ipv6 mld snooping Enables MLD snooping on the switch.


Example:

SwitchDevice(config)# ipv6 mld snooping

Step 3 end Returns to privileged EXEC mode.


Example:

SwitchDevice(config)# end

Step 4 copy running-config startup-config (Optional) Saves your entries in the configuration file.
Example:
SwitchDevice# copy running-config startup-config

Step 5 reload Reloads the operating system.
Example:
SwitchDevice# reload

Enabling or Disabling MLD Snooping on a VLAN (CLI)


Beginning in privileged EXEC mode, follow these steps to enable MLD snooping on a VLAN.

Procedure

Command or Action Purpose


Step 1 configure terminal Enters global configuration mode.
Example:

SwitchDevice# configure terminal

Step 2 ipv6 mld snooping Enables MLD snooping on the switch.


Example:

SwitchDevice(config)# ipv6 mld snooping

Step 3 ipv6 mld snooping vlan vlan-id Enables MLD snooping on the VLAN. The VLAN ID range is 1 to 1001 and
1006 to 4094.
Note MLD snooping must be globally enabled for VLAN snooping to be enabled.
Example:
SwitchDevice(config)# ipv6 mld snooping vlan 1

Step 4 end Returns to privileged EXEC mode.
Example:
SwitchDevice(config)# end

Configuring a Static Multicast Group (CLI)


Hosts or Layer 2 ports normally join multicast groups dynamically, but you can also statically configure an
IPv6 multicast address and member ports for a VLAN.
Beginning in privileged EXEC mode, follow these steps to add a Layer 2 port as a member of a multicast
group:

Procedure

Command or Action Purpose


Step 1 configure terminal Enters global configuration mode.
Example:

SwitchDevice# configure terminal

Step 2 ipv6 mld snooping vlan vlan-id static ipv6_multicast_address interface interface-id Configures a multicast
group with a Layer 2 port as a member of a multicast group:
• vlan-id is the multicast group VLAN ID. The VLAN ID range is 1 to 1001 and 1006 to 4094.
• ipv6_multicast_address is the 128-bit group IPv6 address. The address must be in the form specified in
RFC 2373.
• interface-id is the member port. It can be a physical interface or a port channel (1 to 48).
Example:
SwitchDevice(config)# ipv6 mld snooping vlan 1 static FF12::3 interface gigabitethernet0/1

Step 3 end Returns to privileged EXEC mode.


Example:

SwitchDevice(config)# end

Step 4 Use one of the following: Verifies the static member port and the IPv6 address.
• show ipv6 mld snooping address
• show ipv6 mld snooping address vlan vlan-id
Example:
SwitchDevice# show ipv6 mld snooping address
or
SwitchDevice# show ipv6 mld snooping address vlan 1

Configuring a Multicast Router Port (CLI)

Note Static connections to multicast routers are supported only on switch ports.

Beginning in privileged EXEC mode, follow these steps to add a multicast router port to a VLAN:

Procedure

Command or Action Purpose


Step 1 configure terminal Enters global configuration mode.
Example:
SwitchDevice# configure terminal

Step 2 ipv6 mld snooping vlan vlan-id mrouter interface interface-id Specifies the multicast router VLAN ID, and
specifies the interface to the multicast router.
• The VLAN ID range is 1 to 1001 and 1006 to 4094.
• The interface can be a physical interface or a port channel. The port-channel range is 1 to 48.
Example:
SwitchDevice(config)# ipv6 mld snooping vlan 1 mrouter interface gigabitethernet0/2

Step 3 end Returns to privileged EXEC mode.


Example:
SwitchDevice(config)# end

Step 4 show ipv6 mld snooping mrouter [ vlan vlan-id ] Verifies that IPv6 MLD snooping is enabled on the VLAN
interface.
Example:
SwitchDevice# show ipv6 mld snooping mrouter vlan 1

Enabling MLD Immediate Leave (CLI)


Beginning in privileged EXEC mode, follow these steps to enable MLDv1 Immediate Leave:

Procedure

Command or Action Purpose


Step 1 configure terminal Enters global configuration mode.
Example:
SwitchDevice# configure terminal

Step 2 ipv6 mld snooping vlan vlan-id immediate-leave Enables MLD Immediate Leave on the VLAN interface.
Example:
SwitchDevice(config)# ipv6 mld snooping vlan 1
immediate-leave

Step 3 end Returns to privileged EXEC mode.
Example:
SwitchDevice(config)# end

Step 4 show ipv6 mld snooping vlan vlan-id Verifies that Immediate Leave is enabled on the VLAN
interface.
Example:
SwitchDevice# show ipv6 mld snooping vlan 1

Configuring MLD Snooping Queries (CLI)


Beginning in privileged EXEC mode, follow these steps to configure MLD snooping query characteristics
for the switch or for a VLAN:

Procedure

Command or Action Purpose


Step 1 configure terminal Enters global configuration mode.
Example:
SwitchDevice# configure terminal

Step 2 ipv6 mld snooping robustness-variable value (Optional) Sets the number of queries that are sent before the
switch deletes a listener (port) that does not respond to a general query. The range is 1 to 3; the default is 2.
Example:
SwitchDevice(config)# ipv6 mld snooping robustness-variable 3

Step 3 ipv6 mld snooping vlan vlan-id robustness-variable value (Optional) Sets the robustness variable on a VLAN
basis, which determines the number of general queries that MLD snooping sends before aging out a multicast
address when there is no MLD report response. The range is 1 to 3; the default is 0. When set to 0, the number
used is the global robustness variable value.
Example:
SwitchDevice(config)# ipv6 mld snooping vlan 1 robustness-variable 3

Step 4 ipv6 mld snooping last-listener-query-count count (Optional) Sets the number of MASQs that the switch sends
before aging out an MLD client. The range is 1 to 7; the default is 2. The queries are sent 1 second apart.
Example:
SwitchDevice(config)# ipv6 mld snooping last-listener-query-count 7

Step 5 ipv6 mld snooping vlan vlan-id last-listener-query-count count (Optional) Sets the last-listener query count
on a VLAN basis. This value overrides the value configured globally. The range is 1 to 7; the default is 0. When set
to 0, the global count value is used. Queries are sent 1 second apart.
Example:
SwitchDevice(config)# ipv6 mld snooping vlan 1 last-listener-query-count 7

Step 6 ipv6 mld snooping last-listener-query-interval interval (Optional) Sets the maximum response time that the
switch waits after sending out a MASQ before deleting a port from the multicast group. The range is 100 to 32,768
thousandths of a second. The default is 1000 (1 second).
Example:
SwitchDevice(config)# ipv6 mld snooping last-listener-query-interval 2000

Step 7 ipv6 mld snooping vlan vlan-id last-listener-query-interval interval (Optional) Sets the last-listener query
interval on a VLAN basis. This value overrides the value configured globally. The range is 0 to 32,768 thousandths
of a second. The default is 0. When set to 0, the global last-listener query interval is used.
Example:
SwitchDevice(config)# ipv6 mld snooping vlan 1 last-listener-query-interval 2000

Step 8 ipv6 mld snooping tcn query solicit (Optional) Enables topology change notification (TCN) solicitation, which
means that VLANs flood all IPv6 multicast traffic for the configured number of queries before sending multicast data
to only those ports requesting to receive it. The default is for TCN to be disabled.
Example:
SwitchDevice(config)# ipv6 mld snooping tcn query solicit

Step 9 ipv6 mld snooping tcn flood query count count (Optional) When TCN is enabled, specifies the number of TCN
queries to be sent. The range is from 1 to 10; the default is 2.
Example:
SwitchDevice(config)# ipv6 mld snooping tcn flood query count 5

Step 10 end Returns to privileged EXEC mode.

Step 11 show ipv6 mld snooping querier [ vlan vlan-id ] (Optional) Displays the MLD snooping querier information for
the switch or for the VLAN.
Example:
SwitchDevice# show ipv6 mld snooping querier vlan 1

Disabling MLD Listener Message Suppression (CLI)


MLD snooping listener message suppression is enabled by default. When it is enabled, the switch forwards
only one MLD report per multicast router query. When message suppression is disabled, multiple MLD reports
could be forwarded to the multicast routers.
Beginning in privileged EXEC mode, follow these steps to disable MLD listener message suppression:

Procedure

Command or Action Purpose


Step 1 configure terminal Enters global configuration mode.
Example:
SwitchDevice# configure terminal

Step 2 no ipv6 mld snooping listener-message-suppression Disables MLD message suppression.
Example:
SwitchDevice(config)# no ipv6 mld snooping listener-message-suppression

Step 3 end Returns to privileged EXEC mode.
Example:
SwitchDevice(config)# end

Step 4 show ipv6 mld snooping Verifies that IPv6 MLD snooping report suppression is disabled.
Example:
SwitchDevice# show ipv6 mld snooping

Displaying MLD Snooping Information


You can display MLD snooping information for dynamically learned and statically configured router ports
and VLAN interfaces. You can also display IPv6 group address multicast entries for a VLAN configured for
MLD snooping.

Table 15: Commands for Displaying MLD Snooping Information

Command Purpose

show ipv6 mld snooping [ vlan vlan-id ] Displays the MLD snooping configuration information for all VLANs on the
switch or for a specified VLAN.
(Optional) Enter vlan vlan-id to display information for a single VLAN. The VLAN ID range is 1 to 1001 and 1006
to 4094.

show ipv6 mld snooping mrouter [ vlan vlan-id ] Displays information on dynamically learned and manually configured
multicast router interfaces. When you enable MLD snooping, the switch automatically learns the interface to which
a multicast router is connected. These are dynamically learned interfaces.
(Optional) Enter vlan vlan-id to display information for a single VLAN. The VLAN ID range is 1 to 1001 and 1006
to 4094.

show ipv6 mld snooping querier [ vlan vlan-id ] Displays information about the IPv6 address and incoming port for the
most-recently received MLD query messages in the VLAN.
(Optional) Enter vlan vlan-id to display information for a single VLAN. The VLAN ID range is 1 to 1001 and 1006
to 4094.

show ipv6 mld snooping address Displays all IPv6 multicast address information or specific IPv6 multicast
[ vlan vlan-id ] [ count | address information for the switch or a VLAN.
dynamic | user ]
• Enters count to show the group count on the switch or in a VLAN.
• Enters dynamic to display MLD snooping learned group
information for the switch or for a VLAN.
• Entesr user to display MLD snooping user-configured group
information for the switch or for a VLAN.

show ipv6 mld snooping address Displays MLD snooping for the specified VLAN and IPv6 multicast
vlan vlan-id [ address.
ipv6-multicast-address ]

Configuration Examples for Configuring MLD Snooping

Configuring a Static Multicast Group: Example
This example shows how to statically configure an IPv6 multicast group:

SwitchDevice# configure terminal
SwitchDevice(config)# ipv6 mld snooping vlan 2 static FF12::3 interface gigabitethernet 1/0/1
SwitchDevice(config)# end

Configuring a Multicast Router Port: Example
This example shows how to add a multicast router port to VLAN 200:

SwitchDevice# configure terminal
SwitchDevice(config)# ipv6 mld snooping vlan 200 mrouter interface gigabitethernet 0/2
SwitchDevice(config)# exit

Enabling MLD Immediate Leave: Example
This example shows how to enable MLD Immediate Leave on VLAN 130:

SwitchDevice# configure terminal
SwitchDevice(config)# ipv6 mld snooping vlan 130 immediate-leave
SwitchDevice(config)# exit

Configuring MLD Snooping Queries: Example
This example shows how to set the MLD snooping global robustness variable to 3:

SwitchDevice# configure terminal
SwitchDevice(config)# ipv6 mld snooping robustness-variable 3
SwitchDevice(config)# exit

This example shows how to set the MLD snooping last-listener query count for a VLAN to 3:

SwitchDevice# configure terminal
SwitchDevice(config)# ipv6 mld snooping vlan 200 last-listener-query-count 3
SwitchDevice(config)# exit

This example shows how to set the MLD snooping last-listener query interval (maximum response time) to 2000 (2 seconds):

SwitchDevice# configure terminal
SwitchDevice(config)# ipv6 mld snooping last-listener-query-interval 2000
SwitchDevice(config)# exit

CHAPTER 11
Configuring IPv6 Unicast Routing
• Finding Feature Information, on page 111
• Information About Configuring IPv6 Unicast Routing, on page 111
• Configuring DHCP for IPv6 Address Assignment, on page 157
• Configuration Examples for IPv6 Unicast Routing, on page 161

Finding Feature Information


Your software release may not support all the features documented in this module. For the latest caveats and
feature information, see Bug Search Tool and the release notes for your platform and software release. To
find information about the features documented in this module, and to see a list of the releases in which each
feature is supported, see the feature information table at the end of this module.
Use Cisco Feature Navigator to find information about platform support and Cisco software image support.
To access Cisco Feature Navigator, go to http://www.cisco.com/go/cfn. An account on Cisco.com is not
required.

Information About Configuring IPv6 Unicast Routing


This chapter describes how to configure IPv6 unicast routing on the switch.

Understanding IPv6
IPv4 users can move to IPv6 and receive services such as end-to-end security, quality of service (QoS), and
globally unique addresses. The IPv6 address space reduces the need for private addresses and Network Address
Translation (NAT) processing by border routers at network edges.
For information about how Cisco Systems implements IPv6, go to:
http://www.cisco.com/en/US/products/ps6553/products_ios_technology_home.html
For information about IPv6 and other features in this chapter
• See the Cisco IOS IPv6 Configuration Library.
• Use the Search field on Cisco.com to locate the Cisco IOS software documentation. For example, if you
want information about static routes, you can enter Implementing Static Routes for IPv6 in the search
field to learn about static routes.


IPv6 Addresses
The switch supports only IPv6 unicast addresses. It does not support site-local unicast addresses, or anycast
addresses.
The IPv6 128-bit addresses are represented as a series of eight 16-bit hexadecimal fields separated by colons
in the format: n:n:n:n:n:n:n:n. This is an example of an IPv6 address:
2031:0000:130F:0000:0000:09C0:080F:130B
For easier implementation, leading zeros in each field are optional. This is the same address without leading
zeros:
2031:0:130F:0:0:9C0:80F:130B
You can also use two colons (::) to represent successive hexadecimal fields of zeros, but you can use this short
version only once in each address:
2031:0:130F::09C0:080F:130B
For more information about IPv6 address formats, address types, and the IPv6 packet header, see the
“Implementing IPv6 Addressing and Basic Connectivity” chapter of Cisco IOS IPv6 Configuration Library
on Cisco.com.
In the "Implementing Addressing and Basic Connectivity" chapter, these sections apply to the Catalyst 2960,
2960-S, 2960-C, 2960-X, 2960-CX and 3560-CX switches:
• IPv6 Address Formats
• IPv6 Address Type: Multicast
• IPv6 Address Output Display
• Simplified IPv6 Packet Header

Supported IPv6 Unicast Routing Features


These sections describe the IPv6 protocol features supported by the switch:

128-Bit Wide Unicast Addresses


The switch supports aggregatable global unicast addresses and link-local unicast addresses. It does not support
site-local unicast addresses.
• Aggregatable global unicast addresses are IPv6 addresses from the aggregatable global unicast prefix.
The address structure enables strict aggregation of routing prefixes and limits the number of routing table
entries in the global routing table. These addresses are used on links that are aggregated through
organizations and eventually to the Internet service provider.
These addresses are defined by a global routing prefix, a subnet ID, and an interface ID. Current global
unicast address allocation uses the range of addresses that start with binary value 001 (2000::/3). Addresses
with a prefix of 2000::/3(001) through E000::/3(111) must have 64-bit interface identifiers in the extended
unique identifier (EUI)-64 format.
• Link local unicast addresses can be automatically configured on any interface by using the link-local
prefix FE80::/10(1111 1110 10) and the interface identifier in the modified EUI format. Link-local
addresses are used in the neighbor discovery protocol (NDP) and the stateless autoconfiguration process.
Nodes on a local link use link-local addresses and do not require globally unique addresses to communicate.
IPv6 routers do not forward packets with link-local source or destination addresses to other links.

For more information, see the section about IPv6 unicast addresses in the “Implementing IPv6 Addressing
and Basic Connectivity” chapter in the Cisco IOS IPv6 Configuration Library on Cisco.com.

DNS for IPv6


IPv6 supports Domain Name System (DNS) record types in the DNS name-to-address and address-to-name
lookup processes. The DNS AAAA resource record types support IPv6 addresses and are equivalent to an A
address record in IPv4. The switch supports DNS resolution for IPv4 and IPv6.

Path MTU Discovery for IPv6 Unicast


The switch supports advertising the system maximum transmission unit (MTU) to IPv6 nodes and path MTU
discovery. Path MTU discovery allows a host to dynamically discover and adjust to differences in the MTU
size of every link along a given data path. In IPv6, if a link along the path is not large enough to accommodate
the packet size, the source of the packet handles the fragmentation.

ICMPv6
The Internet Control Message Protocol (ICMP) in IPv6 generates error messages, such as ICMP destination
unreachable messages, to report errors during processing and other diagnostic functions. In IPv6, ICMP
packets are also used in the neighbor discovery protocol and path MTU discovery.

Neighbor Discovery
The switch supports NDP for IPv6, a protocol running on top of ICMPv6, and static neighbor entries for IPv6
stations that do not support NDP. The IPv6 neighbor discovery process uses ICMP messages and solicited-node
multicast addresses to determine the link-layer address of a neighbor on the same network (local link), to
verify the reachability of the neighbor, and to keep track of neighboring routers.
The switch supports ICMPv6 redirect for routes with mask lengths less than 64 bits. ICMP redirect is not
supported for host routes or for summarized routes with mask lengths greater than 64 bits.
Neighbor discovery throttling ensures that the switch CPU is not unnecessarily burdened while it is in the
process of obtaining the next hop forwarding information to route an IPv6 packet. The switch drops any
additional IPv6 packets whose next hop is the same neighbor that the switch is actively trying to resolve. This
drop avoids further load on the CPU.

Default Router Preference


The switch supports IPv6 default router preference (DRP), an extension in router advertisement messages.
DRP improves the ability of a host to select an appropriate router, especially when the host is multihomed
and the routers are on different links. The switch does not support the Route Information Option in RFC 4191.
An IPv6 host maintains a default router list from which it selects a router for traffic to offlink destinations.
The selected router for a destination is then cached in the destination cache. NDP for IPv6 specifies that routers
that are reachable or probably reachable are preferred over routers whose reachability is unknown or suspect.
For reachable or probably reachable routers, NDP can either select the same router every time or cycle through
the router list. By using DRP, you can configure an IPv6 host to prefer one router over another, provided both
are reachable or probably reachable.
For more information about DRP for IPv6, see the Cisco IOS IPv6 Configuration Library on Cisco.com.


IPv6 Stateless Autoconfiguration and Duplicate Address Detection


The switch uses stateless autoconfiguration to manage link, subnet, and site addressing changes, such as
management of host and mobile IP addresses. A host autonomously configures its own link-local address,
and booting nodes send router solicitations to request router advertisements for configuring interfaces.
For more information about autoconfiguration and duplicate address detection, see the “Implementing IPv6
Addressing and Basic Connectivity” chapter of Cisco IOS IPv6 Configuration Library on Cisco.com.

IPv6 Applications
The switch has IPv6 support for these applications:
• Ping, traceroute, and Telnet
• Secure Shell (SSH) over an IPv6 transport
• HTTP server access over IPv6 transport
• DNS resolver for AAAA over IPv4 transport
• Cisco Discovery Protocol (CDP) support for IPv6 addresses

For more information about managing these applications, see the Cisco IOS IPv6 Configuration Library on
Cisco.com.

DHCP for IPv6 Address Assignment


DHCPv6 enables DHCP servers to pass configuration parameters, such as IPv6 network addresses, to IPv6
clients. The address assignment feature manages non-duplicate address assignment in the correct prefix based
on the network where the host is connected. Assigned addresses can be from one or multiple prefix pools.
Additional options, such as default domain and DNS name-server address, can be passed back to the client.
Address pools can be assigned for use on a specific interface, on multiple interfaces, or the server can
automatically find the appropriate pool.
For more information and to configure these features, see the Cisco IOS IPv6 Configuration Guide.
This document describes only the DHCPv6 address assignment. For more information about configuring the
DHCPv6 client, server, or relay agent functions, see the “Implementing DHCP for IPv6” chapter in the Cisco
IOS IPv6 Configuration Library on Cisco.com.

Static Routes for IPv6


Static routes are manually configured and define an explicit route between two networking devices. Static
routes are useful for smaller networks with only one path to an outside network or to provide security for
certain types of traffic in a larger network.
For more information about static routes, see the “Implementing Static Routes for IPv6” chapter in the Cisco
IOS IPv6 Configuration Library on Cisco.com.

RIP for IPv6


Routing Information Protocol (RIP) for IPv6 is a distance-vector protocol that uses hop count as a routing
metric. It includes support for IPv6 addresses and prefixes and the all-RIP-routers multicast group address
FF02::9 as the destination address for RIP update messages.
For more information about RIP for IPv6, see the “Implementing RIP for IPv6” chapter in the Cisco IOS IPv6
Configuration Library on Cisco.com.


OSPF for IPv6


The switch running the feature set supports Open Shortest Path First (OSPF) for IPv6, a link-state protocol
for IP. For more information, see the Cisco IOS IPv6 Configuration Library on Cisco.com.

OSPFv3 Graceful Restart


The OSPFv3 graceful restart feature allows nonstop data forwarding along known routes while the OSPFv3
routing protocol information is restored. A switch uses graceful restart either in restart mode (for a
graceful-restart-capable switch) or in helper mode (for a graceful-restart-aware switch).
To use the graceful restart function, a switch must be in high-availability stateful switchover (SSO) mode
(dual route processor). A switch capable of graceful restart uses it when these failures occur:
• A route processor failure that results in changeover to the standby route processor
• A planned route processor changeover to the standby route processor

The graceful restart feature requires that neighboring switches be graceful-restart aware.
For more information, see the Implementing OSPF for IPv6 chapter in the Cisco IOS IPv6 Configuration
Library on Cisco.com.

Fast Convergence: LSA and SPF Throttling


The OSPFv3 link-state advertisements (LSA) and shortest path first (SPF) throttling feature provides a dynamic
method to slow down link-state advertisement updates in OSPFv3 during times of network instability. This
feature also allows faster OSPFv3 convergence by providing LSA rate limiting in milliseconds.
OSPFv3 previously used static timers for rate-limiting SPF calculation and LSA generation. Although these
timers are configurable, the values are specified in seconds, which poses a limitation on OSPFv3 convergence.
LSA and SPF throttling achieves subsecond convergence by providing a more sophisticated SPF and LSA
rate-limiting method that can react quickly to changes and also provides stability and protection during
prolonged periods of instability.

Authentication Support with IPsec


To ensure that OSPF for IPv6 (OSPFv3) packets are not altered and resent to the switch, OSPFv3 packets
must be authenticated. OSPFv3 uses the IPsec secure socket API to add authentication to OSPFv3 packets.
This API has been extended to provide support for IPv6.
OSPFv3 requires the use of IPsec to enable authentication. Crypto images are required to use authentication,
because only crypto images include the IPsec API needed for use with OSPFv3.

Configuring HSRP for IPv6


HSRP provides routing redundancy for routing IPv6 traffic not dependent on the availability of any single
router. IPv6 hosts learn of available routers through IPv6 neighbor discovery router advertisement messages.
These messages are multicast periodically or are solicited by hosts.
An HSRP IPv6 group has a virtual MAC address that is derived from the HSRP group number and a virtual
IPv6 link-local address that is, by default, derived from the HSRP virtual MAC address. Periodic messages
are sent for the HSRP virtual IPv6 link-local address when the HSRP group is active. These messages stop
after a final one is sent when the group leaves the active state.


Note When configuring HSRP for IPv6, you must enable HSRP version 2 (HSRPv2) on the interface.

EIGRP IPv6
Switches running the IP services feature set support the Enhanced Interior Gateway Routing Protocol (EIGRP)
for IPv6. It is configured on the interfaces on which it runs and does not require a global IPv6 address.

Note Switches running the IP base feature set do not support any IPv6 EIGRP features, including IPv6 EIGRP stub
routing.

Before running, an instance of EIGRP IPv6 requires an implicit or explicit router ID. An implicit router ID
is derived from a local IPv4 address, so any IPv4 node always has an available router ID. However, EIGRP
IPv6 might be running in a network with only IPv6 nodes and therefore might not have an available IPv4
router ID.
For more information about EIGRP for IPv6, see the “Implementing EIGRP for IPv6” chapter in the Cisco
IOS IPv6 Configuration Library on Cisco.com.

SNMP and Syslog Over IPv6


To support both IPv4 and IPv6, IPv6 network management requires both IPv6 and IPv4 transports. Syslog
over IPv6 supports address data types for these transports.
SNMP and syslog over IPv6 provide these features:
• Support for both IPv4 and IPv6
• IPv6 transport for SNMP and to modify the SNMP agent to support traps for an IPv6 host
• SNMP- and syslog-related MIBs to support IPv6 addressing
• Configuration of IPv6 hosts as trap receivers

For support over IPv6, SNMP modifies the existing IP transport mapping to simultaneously support IPv4 and
IPv6. These SNMP actions support IPv6 transport management:
• Opens User Datagram Protocol (UDP) SNMP socket with default settings
• Provides a new transport mechanism called SR_IPV6_TRANSPORT
• Sends SNMP notifications over IPv6 transport
• Supports SNMP-named access lists for IPv6 transport
• Supports SNMP proxy forwarding using IPv6 transport
• Verifies SNMP Manager feature works with IPv6 transport

For information on SNMP over IPv6, including configuration procedures, see the “Managing Cisco IOS
Applications over IPv6” chapter in the Cisco IOS IPv6 Configuration Library on Cisco.com.
For information about syslog over IPv6, including configuration procedures, see the “Implementing IPv6
Addressing and Basic Connectivity” chapter in the Cisco IOS IPv6 Configuration Library on Cisco.com.


HTTP(S) Over IPv6


The HTTP client sends requests to both IPv4 and IPv6 HTTP servers, which respond to requests from both
IPv4 and IPv6 HTTP clients. URLs with literal IPv6 addresses must be specified in hexadecimal using 16-bit
values between colons.
The accept socket call chooses an IPv4 or IPv6 address family. The accept socket is either an IPv4 or IPv6
socket. The listening socket continues to listen for both IPv4 and IPv6 signals that indicate a connection. The
IPv6 listening socket is bound to an IPv6 wildcard address.
The underlying TCP/IP stack supports a dual-stack environment. HTTP relies on the TCP/IP stack and the
sockets for processing network-layer interactions.
Basic network connectivity (ping) must exist between the client and the server hosts before HTTP connections
can be made.
For more information, see the “Managing Cisco IOS Applications over IPv6” chapter in the Cisco IOS IPv6
Configuration Library on Cisco.com.

Unsupported IPv6 Unicast Routing Features


The switch does not support these IPv6 features:
• IPv6 policy-based routing
• IPv6 virtual private network (VPN) routing and forwarding (VRF) table support
• IPv6 packets destined to site-local addresses
• Tunneling protocols, such as IPv4-to-IPv6 or IPv6-to-IPv4
• The switch as a tunnel endpoint supporting IPv4-to-IPv6 or IPv6-to-IPv4 tunneling protocols
• IPv6 unicast reverse-path forwarding

IPv6 Feature Limitations


Because IPv6 is implemented in switch hardware, some limitations occur due to the IPv6 compressed addresses
in the hardware memory. These hardware limitations result in some loss of functionality and limit some
features.
These are the feature limitations:
• The switch cannot forward SNAP-encapsulated IPv6 packets in hardware. They are forwarded in software.
• The switch cannot apply QoS classification on source-routed IPv6 packets in hardware.

Configuring IPv6
Default IPv6 Configuration
Table 16: Default IPv6 Configuration

Feature            Default Setting
SDM template       Default
IPv6 addresses     None configured

Configuring IPv6 Addressing and Enabling IPv6 Routing (CLI)


This section describes how to assign IPv6 addresses to individual Layer 3 interfaces and to globally forward
IPv6 traffic on the switch.
Before configuring IPv6 on the switch, consider these guidelines:
• Be sure to select a dual IPv4 and IPv6 SDM template.
• In the ipv6 address interface configuration command, you must enter the ipv6-address and ipv6-prefix
variables with the address specified in hexadecimal using 16-bit values between colons. The prefix-length
variable (preceded by a slash [/]) is a decimal value that shows how many of the high-order contiguous
bits of the address comprise the prefix (the network portion of the address).

To forward IPv6 traffic on an interface, you must configure a global IPv6 address on that interface. Configuring
an IPv6 address on an interface automatically configures a link-local address and activates IPv6 for the
interface. The configured interface automatically joins these required multicast groups for that link:
• solicited-node multicast group FF02:0:0:0:0:1:ff00::/104 for each unicast address assigned to the interface
(this address is used in the neighbor discovery process.)
• all-nodes link-local multicast group FF02::1
• all-routers link-local multicast group FF02::2

For more information about configuring IPv6 routing, see the “Implementing Addressing and Basic Connectivity
for IPv6” chapter in the Cisco IOS IPv6 Configuration Library on Cisco.com.
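The addresses and groups this section describes can be derived by hand, which is useful when verifying show ipv6 interface output or writing detection rules that key on solicited-node traffic. The following Python example is added here and is not code from the guide or from Cisco: it computes the modified EUI-64 interface identifier from a MAC address (universal/local bit inverted, FF:FE inserted in the middle), the global address the eui-64 form of the ipv6 address command would produce for the guide's prefix 2001:0DB8:c18:1::/64, the automatically configured link-local address, and the set of multicast groups the interface joins, including the solicited-node group FF02:0:0:0:0:1:FF00::/104 for each unicast address. The MAC address is a constructed sample; the Catalyst switch uses its own MAC address.

```python
import ipaddress

# Solicited-node multicast prefix named in the guide: FF02:0:0:0:0:1:FF00::/104.
SOLICITED_NODE = ipaddress.IPv6Network("ff02::1:ff00:0/104")
ALL_NODES = ipaddress.IPv6Address("ff02::1")      # all-nodes link-local group
ALL_ROUTERS = ipaddress.IPv6Address("ff02::2")    # all-routers link-local group


def eui64_interface_id(mac: str) -> bytes:
    """Modified EUI-64 interface identifier from a 48-bit MAC address: invert
    the universal/local bit (0x02) of the first octet and insert FF:FE
    between the OUI and the device-specific half."""
    octets = bytes.fromhex(mac.replace(":", "").replace("-", "").replace(".", ""))
    if len(octets) != 6:
        raise ValueError("expected a 48-bit MAC address, got %r" % mac)
    return bytes([octets[0] ^ 0x02]) + octets[1:3] + b"\xff\xfe" + octets[3:]


def eui64_address(prefix: str, mac: str) -> ipaddress.IPv6Address:
    """Address formed by 'ipv6 address <prefix>/64 eui-64': the network prefix
    in the high-order 64 bits, the EUI-64 identifier in the low-order 64 bits."""
    net = ipaddress.IPv6Network(prefix, strict=False)
    if net.prefixlen != 64:
        raise ValueError("EUI-64 addressing needs a /64 prefix, got /%d" % net.prefixlen)
    return ipaddress.IPv6Address(net.network_address.packed[:8] + eui64_interface_id(mac))


def link_local_address(mac: str) -> ipaddress.IPv6Address:
    """Link-local address configured automatically when IPv6 is enabled:
    the FE80::/64 prefix plus the EUI-64 identifier."""
    return eui64_address("fe80::/64", mac)


def solicited_node_address(addr) -> ipaddress.IPv6Address:
    """Solicited-node group of a unicast address: the /104 prefix followed by
    the low-order 24 bits of the unicast address."""
    low24 = int(ipaddress.IPv6Address(str(addr))) & 0xFFFFFF
    return ipaddress.IPv6Address(int(SOLICITED_NODE.network_address) | low24)


def interface_multicast_groups(unicast_addrs, routing=True) -> set:
    """Groups an IPv6-enabled interface joins: all-nodes, all-routers (when
    the switch forwards IPv6), and one solicited-node group per unicast
    address. Addresses sharing their low 24 bits share one group."""
    groups = {ALL_NODES}
    if routing:
        groups.add(ALL_ROUTERS)
    groups.update(solicited_node_address(a) for a in unicast_addrs)
    return groups


if __name__ == "__main__":
    mac = "00:1b:53:aa:bb:cc"  # constructed sample MAC address
    global_addr = eui64_address("2001:0DB8:c18:1::/64", mac)
    ll_addr = link_local_address(mac)
    print("global    ", global_addr)
    print("link-local", ll_addr)
    for group in sorted(interface_multicast_groups([global_addr, ll_addr])):
        print("joins     ", group)
```

Because the global and link-local addresses derived from the same MAC share their low-order 24 bits, they map to a single solicited-node group; a neighbor-solicitation rule that watches that group therefore covers both addresses of the interface.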
Beginning in privileged EXEC mode, follow these steps to assign an IPv6 address to a Layer 3 interface and
enable IPv6 routing:

Procedure

Command or Action / Purpose

Step 1  configure terminal
        Enters global configuration mode after the switch reloads.
        Example:
        SwitchDevice# configure terminal

Step 2  interface interface-id
        Enters interface configuration mode, and specifies the Layer 3 interface to configure. The interface can be a
        physical interface, a switch virtual interface (SVI), or a Layer 3 EtherChannel.
        Example:
        SwitchDevice(config)# interface gigabitethernet 1/0/1

Step 3  no switchport
        Removes the interface from Layer 2 configuration mode (if it is a physical interface).
        Example:
        SwitchDevice(config-if)# no switchport

Step 4  Use one of the following:
        • ipv6 address ipv6-prefix/prefix length eui-64
        • ipv6 address ipv6-address/prefix length
        • ipv6 address ipv6-address link-local
        • ipv6 enable
        Purpose, in the same order:
        • Specifies a global IPv6 address with an extended unique identifier (EUI) in the low-order 64 bits of the
          IPv6 address. Specify only the network prefix; the last 64 bits are automatically computed from the
          switch MAC address. This enables IPv6 processing on the interface.
        • Manually configures an IPv6 address on the interface.
        • Specifies a link-local address on the interface to be used instead of the link-local address that is
          automatically configured when IPv6 is enabled on the interface. This command enables IPv6 processing
          on the interface.
        • Automatically configures an IPv6 link-local address on the interface, and enables the interface for IPv6
          processing. The link-local address can only be used to communicate with nodes on the same link.
        Example:
        SwitchDevice(config-if)# ipv6 address 2001:0DB8:c18:1::/64 eui-64
        SwitchDevice(config-if)# ipv6 address 2001:0DB8:c18:1::/64
        SwitchDevice(config-if)# ipv6 address 2001:0DB8:c18:1:: link-local
        SwitchDevice(config-if)# ipv6 enable

Step 5  exit
        Returns to global configuration mode.
        Example:
        SwitchDevice(config-if)# exit

Step 6  ip routing
        Enables IP routing on the switch.
        Example:
        SwitchDevice(config)# ip routing

Step 7  ipv6 unicast-routing
        Enables forwarding of IPv6 unicast data packets.
        Example:
        SwitchDevice(config)# ipv6 unicast-routing

Step 8  end
        Returns to privileged EXEC mode.
        Example:
        SwitchDevice(config)# end

Step 9  show ipv6 interface interface-id
        Verifies your entries.
        Example:
        SwitchDevice# show ipv6 interface gigabitethernet 1/0/1

Step 10 copy running-config startup-config
        (Optional) Saves your entries in the configuration file.
        Example:
        SwitchDevice# copy running-config startup-config

Related Topics
Configuring IPv6 Addressing and Enabling IPv6 Routing: Example, on page 161

Configuring First Hop Security in IPv6


Prerequisites for First Hop Security in IPv6
• You have configured the necessary IPv6 enabled SDM template.
• You should be familiar with the IPv6 neighbor discovery feature.

Restrictions for First Hop Security in IPv6


• The following restrictions apply when applying FHS policies to EtherChannel interfaces (Port Channels):
  • A physical port with an FHS policy attached cannot join an EtherChannel group.
  • An FHS policy cannot be attached to a physical port when it is a member of an EtherChannel group.

• By default, a snooping policy has a security-level of guard. When such a snooping policy is configured
on an access switch, external IPv6 Router Advertisement (RA) or Dynamic Host Configuration Protocol
for IPv6 (DHCPv6) server packets are blocked, even though the uplink port facing the router or DHCP
server/relay is configured as a trusted port. To allow IPv6 RA or DHCPv6 server messages, do one of the
following:
  • Apply an IPv6 RA-guard policy (for RA) or an IPv6 DHCP-guard policy (for DHCP server messages)
    on the uplink port.
  • Configure a snooping policy with a lower security-level, for example glean or inspect. However,
    configuring a lower security level is not recommended with such a snooping policy, because the
    First Hop Security features are then no longer effective.

Information about First Hop Security in IPv6


First Hop Security in IPv6 (FHS IPv6) is a set of IPv6 security features, the policies of which can be attached
to a physical interface, or a VLAN. An IPv6 software policy database service stores and accesses these policies.


When a policy is configured or modified, the attributes of the policy are stored or updated in the software
policy database, then applied as was specified. The following IPv6 policies are currently supported:
• IPv6 Snooping Policy—IPv6 Snooping Policy acts as a container policy that enables most of the features
available with FHS in IPv6.
• IPv6 FHS Binding Table Content—A database table of IPv6 neighbors connected to the switch is created
from information sources such as Neighbor Discovery (ND) protocol snooping. This database, or binding,
table is used by various IPv6 guard features (such as IPv6 ND Inspection) to validate the link-layer
address (LLA), the IPv4 or IPv6 address, and prefix binding of the neighbors to prevent spoofing and
redirect attacks.
• IPv6 Neighbor Discovery Inspection—IPv6 ND inspection learns and secures bindings for stateless
autoconfiguration addresses in Layer 2 neighbor tables. IPv6 ND inspection analyzes neighbor discovery
messages in order to build a trusted binding table database and IPv6 neighbor discovery messages that
do not conform are dropped. An ND message is considered trustworthy if its IPv6-to-Media Access
Control (MAC) mapping is verifiable.
This feature mitigates some of the inherent vulnerabilities of the ND mechanism, such as attacks on
DAD, address resolution, router discovery, and the neighbor cache.
• IPv6 Router Advertisement Guard—The IPv6 Router Advertisement (RA) guard feature enables the
network administrator to block or reject unwanted or rogue RA guard messages that arrive at the network
switch platform. RAs are used by routers to announce themselves on the link. The RA Guard feature
analyzes the RAs and filters out bogus RAs sent by unauthorized routers. In host mode, all router
advertisement and router redirect messages are disallowed on the port. The RA guard feature compares
configuration information on the Layer 2 device with the information found in the received RA frame.
Once the Layer 2 device has validated the content of the RA frame and router redirect frame against the
configuration, it forwards the RA to its unicast or multicast destination. If the RA frame content is not
validated, the RA is dropped.
• IPv6 DHCP Guard—The IPv6 DHCP Guard feature blocks reply and advertisement messages that come
from unauthorized DHCPv6 servers and relay agents. IPv6 DHCP guard can prevent forged messages
from being entered in the binding table and block DHCPv6 server messages when they are received on
ports that are not explicitly configured as facing a DHCPv6 server or DHCP relay. To use this feature,
configure a policy and attach it to an interface or a VLAN. To debug DHCP guard packets, use the debug
ipv6 snooping dhcp-guard privileged EXEC command.
• IPv6 Source Guard—Like IPv4 Source Guard, IPv6 Source Guard validates the source address or prefix
to prevent source address spoofing.
A source guard programs the hardware to allow or deny traffic based on source or destination addresses.
It deals exclusively with data packet traffic.
The IPv6 source guard feature provides the ability to use the IPv6 binding table to install PACLs to
prevent a host from sending packets with an invalid IPv6 source address.
To debug source-guard packets, use the debug ipv6 snooping source-guard privileged EXEC command.

Note The IPv6 PACL feature is supported only in the ingress direction; it is not
supported in the egress direction.

The following restrictions apply:
• An FHS policy cannot be attached to a physical port when it is a member of an EtherChannel group.
• When IPv6 source guard is enabled on a switch port, NDP or DHCP snooping must be enabled on
the interface to which the switch port belongs. Otherwise, all data traffic from this port will be
blocked.
• An IPv6 source guard policy cannot be attached to a VLAN. It is supported only at the interface
level.
• You cannot use IPv6 Source Guard and Prefix Guard together. When you attach the policy to an
interface, it should be "validate address" or "validate prefix" but not both.
• PVLAN and Source/Prefix Guard cannot be applied together.

For more information on IPv6 Source Guard, see the IPv6 Source Guard chapter of the Cisco IOS IPv6
Configuration Guide Library on Cisco.com.
• IPv6 Prefix Guard—The IPv6 prefix guard feature works within the IPv6 source guard feature, to enable
the device to deny traffic originated from non-topologically correct addresses. IPv6 prefix guard is often
used when IPv6 prefixes are delegated to devices (for example, home gateways) using DHCP prefix
delegation. The feature discovers ranges of addresses assigned to the link and blocks any traffic sourced
with an address outside this range.
For more information on IPv6 Prefix Guard, see the IPv6 Prefix Guard chapter of the Cisco IOS IPv6
Configuration Guide Library on Cisco.com.
• IPv6 Destination Guard—The IPv6 destination guard feature works with IPv6 neighbor discovery to
ensure that the device performs address resolution only for those addresses that are known to be active
on the link. It relies on the address glean functionality to populate all destinations active on the link into
the binding table and then blocks resolutions before they happen when the destination is not found in the
binding table.

Note IPv6 Destination Guard is recommended only on Layer 3. It is not recommended on Layer 2.

For more information about IPv6 Destination Guard, see the IPv6 Destination Guard chapter of the Cisco
IOS IPv6 Configuration Guide Library on Cisco.com.
• IPv6 Neighbor Discovery Multicast Suppress—The IPv6 Neighbor Discovery multicast suppress feature
is an IPv6 snooping feature that runs on a switch or a wireless controller and is used to reduce the amount
of control traffic necessary for proper link operations.
• DHCPv6 Relay—Lightweight DHCPv6 Relay Agent—The DHCPv6 Relay—Lightweight DHCPv6
Relay Agent feature allows relay agent information to be inserted by an access node that performs a
link-layer bridging (non-routing) function. Lightweight DHCPv6 Relay Agent (LDRA) functionality
can be implemented in existing access nodes, such as DSL access multiplexers (DSLAMs) and Ethernet
switches, that do not support IPv6 control or routing functions. LDRA is used to insert relay-agent options
in DHCP version 6 (DHCPv6) message exchanges primarily to identify client-facing interfaces. LDRA
functionality can be enabled on an interface and on a VLAN.
For more information about DHCPv6 Relay, see the DHCPv6 Relay—Lightweight DHCPv6 Relay
Agent section of the IP Addressing: DHCP Configuration Guide, Cisco IOS Release 15.1SG.


How to configure an IPv6 Snooping Policy

SUMMARY STEPS
1. enable
2. configure terminal
3. ipv6 snooping policy policy-name
4. [data-glean | default | device-role [node | switch] | limit {address-count value} | no | protocol
   [all | dhcp | ndp] | security-level [glean | guard | inspect] | tracking [disable | enable] |
   trusted-port]
5. exit
6. show ipv6 snooping policy policy-name

DETAILED STEPS

Step 1  enable
        Enables privileged EXEC mode. Enter your password if prompted.
        Example:
        SwitchDevice> enable

Step 2  configure terminal
        Enters the global configuration mode.

Step 3  ipv6 snooping policy policy-name
        Creates a snooping policy in global configuration mode.

Step 4  [data-glean | default | device-role [node | switch] | limit {address-count value} | no |
        protocol [all | dhcp | ndp] | security-level [glean | guard | inspect] |
        tracking [disable | enable] | trusted-port]
        Enables data address gleaning, validates messages against various criteria, and specifies
        the security level for messages.
        • (Optional) data-glean—Enables data address gleaning. This option is disabled by default.
        • (Optional) default—Sets all default options.
        • (Optional) device-role [node | switch]—Qualifies the role of the device attached to the port.
        • (Optional) limit {address-count value}—Limits the number of addresses allowed per target.
        • (Optional) no—Negates a command or sets its defaults.
        • (Optional) protocol [all | dhcp | ndp]—Specifies which protocol should be redirected to the
          snooping feature for analysis. The default is all. To change the default, use the no protocol
          command.
        • (Optional) security-level [glean | guard | inspect]—Specifies the level of security enforced
          by the feature.
          • glean—Gleans addresses from messages and populates the binding table without any
            verification.
          • guard—Gleans addresses and inspects messages. In addition, it rejects RA and DHCP server
            messages. This is the default option.
          • inspect—Gleans addresses, validates messages for consistency and conformance, and
            enforces address ownership.
        • (Optional) tracking [disable | enable]—Overrides the default tracking behavior and specifies
          a tracking option.
        • (Optional) trusted-port—Sets up a trusted port. It disables the guard on applicable targets.
          Bindings learned through a trusted port have preference over bindings learned through any
          other port. A trusted port is also given preference in case of a collision while making an
          entry in the table.

Step 5  exit
        Exits the snooping policy configuration mode.

Step 6  show ipv6 snooping policy policy-name
        Displays the snooping policy configuration.

How to Attach an IPv6 Snooping Policy to an Interface or VLAN

SUMMARY STEPS
1. enable
2. configure terminal
3. Perform one of the following tasks:
   • interface type number
   • switchport
   • ipv6 snooping [attach-policy policy-name]
   OR
   • vlan configuration vlan-list
   • ipv6 snooping attach-policy policy-name
4. show ipv6 snooping policy policy-name
5. show ipv6 neighbors binding

DETAILED STEPS

Step 1  enable
        Enables privileged EXEC mode. Enter your password if prompted.
        Example:
        SwitchDevice> enable

Step 2  configure terminal
        Enters the global configuration mode.

Step 3  Perform one of the following tasks:
        • interface type number
          Specifies an interface type and number, and enters the interface configuration mode.
          Note type can be a physical interface or an EtherChannel.
        • switchport
          Configures the interface as a Layer 2 port.
        • ipv6 snooping [attach-policy policy-name]
          Attaches the snooping policy (where data gleaning is enabled) to an interface. Specifies
          the port and the policy that is attached to the port.
        OR
        • vlan configuration vlan-list
        • ipv6 snooping attach-policy policy-name
        Note If you have enabled data-glean on a snooping policy, you must attach it to an interface
        and not a VLAN.

Step 4  show ipv6 snooping policy policy-name
        Displays the snooping policy configuration.

Step 5  show ipv6 neighbors binding
        Displays the binding table entries populated by the snooping policy.
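The two procedures above carried through end to end, as an added example that is not taken from the guide: a guard-level policy for host-facing ports attached to the access VLAN, and a trusted policy attached directly to the uplink toward the legitimate router. Policy names, VLAN 10 and the port numbers are assumptions.

```cisco
! Added example (not from the guide). Policy names, VLAN 10 and port numbers are assumed.
enable
configure terminal
!
! Policy for host-facing ports. security-level guard drops RA and DHCPv6
! server messages arriving on these ports, and limit address-count bounds
! how many addresses one host can glean into the binding table.
ipv6 snooping policy HOST-SNOOP
 device-role node
 security-level guard
 limit address-count 4
 tracking enable
 exit
!
! Policy for the uplink toward the real router and DHCPv6 server.
! trusted-port disables the guard here, and bindings learned on this port
! win over bindings learned on any other port.
ipv6 snooping policy UPLINK-SNOOP
 device-role switch
 trusted-port
 exit
!
! Attach the host policy to the access VLAN. This is allowed because the
! policy does not enable data-glean; a data-glean policy must be attached
! to an interface instead.
vlan configuration 10
 ipv6 snooping attach-policy HOST-SNOOP
 exit
!
! Attach the trusted policy directly to the Layer 2 uplink interface.
interface GigabitEthernet1/0/24
 switchport
 ipv6 snooping attach-policy UPLINK-SNOOP
 exit
end
!
! Verify the policies and the bindings they have gleaned.
show ipv6 snooping policy HOST-SNOOP
show ipv6 snooping policy UPLINK-SNOOP
show ipv6 neighbors binding
```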

How to Attach an IPv6 Neighbor Discovery Multicast Suppress Policy on a Device


To attach an IPv6 Neighbor Discovery Multicast Suppress policy on a device, complete the following steps:

SUMMARY STEPS
1. enable
2. configure terminal
3. ipv6 nd suppress policy policy-name
4. mode dad-proxy
5. mode full-proxy
6. mode mc-proxy

DETAILED STEPS

Step 1  enable
        Enables privileged EXEC mode. Enter your password if prompted.
        Example:
        SwitchDevice> enable

Step 2  configure terminal
        Enters the global configuration mode.

Step 3  ipv6 nd suppress policy policy-name
        Defines the Neighbor Discovery suppress policy name and enters Neighbor Discovery suppress
        policy configuration mode.

Step 4  mode dad-proxy
        Enables Neighbor Discovery suppress in IPv6 DAD proxy mode.

Step 5  mode full-proxy
        Enables Neighbor Discovery suppress to proxy multicast and unicast Neighbor Solicitation
        messages.

Step 6  mode mc-proxy
        Enables Neighbor Discovery suppress to proxy multicast Neighbor Solicitation messages.

How to Attach an IPv6 Neighbor Discovery Multicast Suppress Policy on an Interface


To attach an IPv6 Neighbor Discovery Multicast Suppress policy on an interface, complete the following
steps:

SUMMARY STEPS
1. enable
2. configure terminal
3. Perform one of the following tasks:
   • interface type number
   • ipv6 nd inspection [attach-policy policy-name [vlan {add | except | none | remove | all} vlan
     [vlan1, vlan2, vlan3...]]]
   OR
   • vlan configuration vlan-id
   • ipv6 nd inspection [attach-policy policy-name [vlan {add | except | none | remove | all} vlan
     [vlan1, vlan2, vlan3...]]]
4. exit

DETAILED STEPS

Step 1  enable
        Enables privileged EXEC mode. Enter your password if prompted.
        Example:
        SwitchDevice> enable

Step 2  configure terminal
        Enters the global configuration mode.

Step 3  Perform one of the following tasks:
        • interface type number
          Specifies an interface type and number, and places the device in interface configuration
          mode.
        • ipv6 nd inspection [attach-policy policy-name [vlan {add | except | none | remove | all} vlan
          [vlan1, vlan2, vlan3...]]]
          Attaches the IPv6 Neighbor Discovery Multicast Suppress policy to an interface or a VLAN.
        OR
        • vlan configuration vlan-id
        • ipv6 nd inspection [attach-policy policy-name [vlan {add | except | none | remove | all} vlan
          [vlan1, vlan2, vlan3...]]]

Step 4  exit
        Exits the interface configuration mode.

How to Attach an IPv6 Neighbor Discovery Multicast Suppress Policy to a Layer 2 EtherChannel Interface
To attach an IPv6 Neighbor Discovery Multicast Suppress policy on an EtherChannel interface, complete the
following steps:

SUMMARY STEPS
1. enable
2. configure terminal
3. Perform one of the following tasks:
   • interface port-channel port-channel-number
   • ipv6 nd inspection [attach-policy policy-name [vlan {add | except | none | remove | all} vlan
     [vlan1, vlan2, vlan3...]]]
   OR
   • vlan configuration vlan-id
   • ipv6 nd inspection [attach-policy policy-name [vlan {add | except | none | remove | all} vlan
     [vlan1, vlan2, vlan3...]]]
4. exit

DETAILED STEPS

Step 1  enable
        Enables privileged EXEC mode. Enter your password if prompted.
        Example:
        SwitchDevice> enable

Step 2  configure terminal
        Enters the global configuration mode.

Step 3  Perform one of the following tasks:
        • interface port-channel port-channel-number
          Specifies an interface type and port number and places the switch in the port channel
          configuration mode.
        • ipv6 nd inspection [attach-policy policy-name [vlan {add | except | none | remove | all} vlan
          [vlan1, vlan2, vlan3...]]]
          Attaches the IPv6 Neighbor Discovery Multicast Suppress policy to an interface or a VLAN.
        OR
        • vlan configuration vlan-id
        • ipv6 nd inspection [attach-policy policy-name [vlan {add | except | none | remove | all} vlan
          [vlan1, vlan2, vlan3...]]]

Step 4  exit
        Exits the interface configuration mode.

How to Configure an IPv6 DHCP Guard Policy

SUMMARY STEPS
1. enable
2. configure terminal
3. ipv6 dhcp guard policy policy-name
4. [default | device-role [client | server] | no | exit | trusted-port]
5. exit
6. Perform one of the following tasks:
   • interface type number
   • ipv6 dhcp guard attach-policy policy-name
   OR
   • vlan configuration vlan-id
   • ipv6 dhcp guard attach-policy policy-name
7. show ipv6 dhcp guard policy policy-name

DETAILED STEPS

Step 1  enable
        Enables privileged EXEC mode. Enter your password if prompted.
        Example:
        SwitchDevice> enable

Step 2  configure terminal
        Enters the global configuration mode.

Step 3  ipv6 dhcp guard policy policy-name
        Specifies the DHCPv6 Guard policy name and enters DHCPv6 Guard Policy configuration mode.

Step 4  [default | device-role [client | server] | no | exit | trusted-port]
        (Optional) Filters out DHCPv6 replies and DHCPv6 advertisements on the port that are not from
        a device of the specified role. Default is client.
        • client—Default value, specifies that the attached device is a client. Server messages are
          dropped on this port.
        • server—Specifies that the attached device is a DHCPv6 server. Server messages are allowed
          on this port.
        (Optional) trusted-port—Sets the port to a trusted mode. No further policing takes place on
        the port.
        Note If you configure a trusted port, then the device-role option is not available.

Step 5  exit
        Exits the DHCP guard policy global configuration mode.

Step 6  Perform one of the following tasks:
        • interface type number
          Specifies an interface type and number and enters the interface configuration mode.
        • ipv6 dhcp guard attach-policy policy-name
          Attaches the DHCP guard policy to an interface or VLAN.
        OR
        • vlan configuration vlan-id
        • ipv6 dhcp guard attach-policy policy-name

Step 7  show ipv6 dhcp guard policy policy-name
        Displays the DHCP guard policy configuration.

Example of DHCPv6 Guard Configuration

enable
configure terminal
! Only this server address is accepted as a DHCPv6 server source
ipv6 access-list acl1
 permit host FE80::A8BB:CCFF:FE01:F700 any
! Only prefixes inside 2001:0DB8::/64 may be handed out in replies
ipv6 prefix-list abc permit 2001:0DB8::/64 le 128
ipv6 dhcp guard policy pol1
 device-role server
 match server access-list acl1
 match reply prefix-list abc
 preference min 0
 preference max 255
 trusted-port
! Attach the policy to the server-facing port and to the VLAN
interface GigabitEthernet 0/2/0
 switchport
 ipv6 dhcp guard attach-policy pol1 vlan add 1
vlan configuration 1
 ipv6 dhcp guard attach-policy pol1
show ipv6 dhcp guard policy pol1

How to Configure IPv6 Source Guard

SUMMARY STEPS
1. enable
2. configure terminal
3. ipv6 source-guard policy policy-name
4. [deny global-autoconf] [permit link-local] [default {...}] [exit] [no {...}]
5. ipv6 source-guard [attach-policy policy-name]
6. exit
7. show ipv6 source-guard policy policy-name

DETAILED STEPS

Step 1  enable
        Enables privileged EXEC mode. Enter your password if prompted.
        Example:
        SwitchDevice> enable

Step 2  configure terminal
        Enters the global configuration mode.

Step 3  ipv6 source-guard policy policy-name
        Specifies the IPv6 Source Guard policy name and enters IPv6 Source Guard policy configuration
        mode.

Step 4  [deny global-autoconf] [permit link-local] [default {...}] [exit] [no {...}]
        Defines the IPv6 Source Guard policy.
        • deny global-autoconf—Denies data traffic from auto-configured global addresses. This is
          useful when all global addresses on a link are DHCP-assigned and the administrator wants to
          block hosts with self-configured addresses from sending traffic.
        • permit link-local—Allows all data traffic that is sourced by a link-local address.

Step 5  ipv6 source-guard [attach-policy policy-name]
        Specifies the policy name.
        (Optional) attach-policy policy-name—Filters based on the policy name.

Step 6  exit
        Exits the source guard policy configuration mode.

Step 7  show ipv6 source-guard policy policy-name
        Shows the policy configuration and all the interfaces where the policy is applied.
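An added example, not from the guide, that applies the source guard procedure together with the restrictions listed in the feature overview: the policy is attached at interface level only, and a snooping policy sits on the same port so the binding table has entries to validate against (without it, all data traffic from the port is blocked). Policy names and the port number are assumptions.

```cisco
! Added example (not from the guide). Policy names and the port number are assumed.
enable
configure terminal
!
! Snooping must populate the binding table on the port, otherwise source
! guard has nothing to match against and drops every data packet from it.
ipv6 snooping policy ACCESS-SNOOP
 device-role node
 security-level guard
 exit
!
! Source guard policy for a link where global addresses are DHCPv6-assigned:
! data from self-configured (autoconf) global addresses is dropped, while
! link-local sources stay permitted so neighbor discovery keeps working.
ipv6 source-guard policy SG-DHCP-ONLY
 deny global-autoconf
 permit link-local
 exit
!
! Attach both policies to the access port. Source guard is interface-only
! (not VLAN), must not be combined with a prefix guard ("validate prefix")
! policy on the same port, and cannot go on an EtherChannel member port.
interface GigabitEthernet1/0/5
 switchport
 ipv6 snooping attach-policy ACCESS-SNOOP
 ipv6 source-guard attach-policy SG-DHCP-ONLY
 exit
end
!
! Verify: the policy display lists every interface the policy is applied to,
! and the binding table shows which sources the port will now accept.
show ipv6 source-guard policy SG-DHCP-ONLY
show ipv6 neighbors binding
```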

Configuring Default Router Preference (CLI)


Router advertisement messages are sent with the default router preference (DRP) configured by the ipv6 nd
router-preference interface configuration command. If no DRP is configured, RAs are sent with a medium
preference.
A DRP is useful when two routers on a link might provide equivalent, but not equal-cost routing, and policy
might dictate that hosts should prefer one of the routers.
For more information about configuring DRP for IPv6, see the “Implementing IPv6 Addresses and Basic
Connectivity” chapter in the Cisco IOS IPv6 Configuration Library on Cisco.com.
Beginning in privileged EXEC mode, follow these steps to configure a DRP for a router on an interface.

Procedure

Step 1  configure terminal
        Enters global configuration mode.
        Example:
        SwitchDevice# configure terminal

Step 2  interface interface-id
        Enters interface configuration mode and identifies the Layer 3 interface on which you want to
        specify the DRP.
        Example:
        SwitchDevice(config)# interface gigabitethernet 1/0/1

Step 3  ipv6 nd router-preference {high | medium | low}
        Specifies a DRP for the router on the switch interface.
        Example:
        SwitchDevice(config-if)# ipv6 nd router-preference medium

Step 4  end
        Returns to privileged EXEC mode.
        Example:
        SwitchDevice(config)# end

Step 5  show ipv6 interface
        Verifies the configuration.
        Example:
        SwitchDevice# show ipv6 interface

Step 6  copy running-config startup-config
        (Optional) Saves your entries in the configuration file.
        Example:
        SwitchDevice# copy running-config startup-config

Related Topics
Configuring Default Router Preference: Example, on page 162

Configuring IPv6 ICMP Rate Limiting (CLI)


ICMP rate limiting is enabled by default with a default interval between error messages of 100 milliseconds
and a bucket size (maximum number of tokens to be stored in a bucket) of 10.
Beginning in privileged EXEC mode, follow these steps to change the ICMP rate-limiting parameters:

Procedure

Step 1  configure terminal
        Enters global configuration mode.
        Example:
        SwitchDevice# configure terminal

Step 2  ipv6 icmp error-interval interval [bucketsize]
        Configures the interval and bucket size for IPv6 ICMP error messages:
        • interval—The interval (in milliseconds) between tokens being added to the bucket. The range
          is from 0 to 2147483647 milliseconds.
        • bucketsize—(Optional) The maximum number of tokens stored in the bucket. The range is from
          1 to 200.
        Example:
        SwitchDevice(config)# ipv6 icmp error-interval 50 20

Step 3  end
        Returns to privileged EXEC mode.
        Example:
        SwitchDevice(config)# end

Step 4  show ipv6 interface [interface-id]
        Verifies your entries.
        Example:
        SwitchDevice# show ipv6 interface gigabitethernet 1/0/1

Step 5  copy running-config startup-config
        (Optional) Saves your entries in the configuration file.
        Example:
        SwitchDevice# copy running-config startup-config

Related Topics
Configuring IPv6 ICMP Rate Limiting: Example, on page 163

Configuring CEF and dCEF for IPv6


Cisco Express Forwarding (CEF) is a Layer 3 IP switching technology to improve network performance. CEF
implements an advanced IP look-up and forwarding algorithm to deliver maximum Layer 3 switching
performance. It is less CPU-intensive than fast-switching route-caching, allowing more CPU processing power
to be dedicated to packet forwarding. IPv4 CEF and dCEF are enabled by default. IPv6 CEF and dCEF are
disabled by default, but automatically enabled when you configure IPv6 routing.
IPv6 CEF and dCEF are automatically disabled when IPv6 routing is unconfigured. IPv6 CEF and dCEF
cannot be disabled through configuration. You can verify the IPv6 CEF state by entering the show ipv6 cef
privileged EXEC command.
To route IPv6 unicast packets, you must first globally configure forwarding of IPv6 unicast packets by using
the ipv6 unicast-routing global configuration command, and you must configure an IPv6 address and IPv6
processing on an interface by using the ipv6 address interface configuration command.
For more information about configuring CEF and dCEF, see Cisco IOS IPv6 Configuration Library on
Cisco.com.

Configuring Static Routing for IPv6 (CLI)


Before configuring a static IPv6 route, you must enable routing by using the ip routing global configuration
command, enable the forwarding of IPv6 packets by using the ipv6 unicast-routing global configuration
command, and enable IPv6 on at least one Layer 3 interface by configuring an IPv6 address on the interface.
For more information about configuring static IPv6 routing, see the “Implementing Static Routes for IPv6”
chapter in the Cisco IOS IPv6 Configuration Library on Cisco.com.

Procedure

Step 1  configure terminal
        Enters global configuration mode.
        Example:
        SwitchDevice# configure terminal

Step 2  ipv6 route ipv6-prefix/prefix-length {ipv6-address | interface-id [ipv6-address]}
        [administrative-distance]
        Configures a static IPv6 route.
        • ipv6-prefix—The IPv6 network that is the destination of the static route. It can also be a
          hostname when static host routes are configured.
        • /prefix-length—The length of the IPv6 prefix. A decimal value that shows how many of the
          high-order contiguous bits of the address comprise the prefix (the network portion of the
          address). A slash mark must precede the decimal value.
        • ipv6-address—The IPv6 address of the next hop that can be used to reach the specified
          network. The IPv6 address of the next hop need not be directly connected; recursion is done
          to find the IPv6 address of the directly connected next hop. The address must be in the form
          documented in RFC 2373, specified in hexadecimal using 16-bit values between colons.
        • interface-id—Specifies direct static routes from point-to-point and broadcast interfaces.
          With point-to-point interfaces, there is no need to specify the IPv6 address of the next hop.
          With broadcast interfaces, you should always specify the IPv6 address of the next hop, or
          ensure that the specified prefix is assigned to the link, specifying a link-local address as
          the next hop. You can optionally specify the IPv6 address of the next hop to which packets
          are sent.
          Note You must specify an interface-id when using a link-local address as the next hop (the
          link-local next hop must also be an adjacent router).
        • administrative-distance—(Optional) An administrative distance. The range is 1 to 254; the
          default value is 1, which gives static routes precedence over any other type of route except
          connected routes. To configure a floating static route, use an administrative distance
          greater than that of the dynamic routing protocol.
        Example:
        SwitchDevice(config)# ipv6 route 2001:0DB8::/32 gigabitethernet2/0/1 130

Step 3  end
        Returns to privileged EXEC mode.
        Example:
        SwitchDevice(config)# end

Step 4  Use one of the following:
        • show ipv6 static [ipv6-address | ipv6-prefix/prefix-length] [interface interface-id]
          [recursive] [detail]
        • show ipv6 route static [updated]
        Verifies your entries by displaying the contents of the IPv6 routing table.
        • interface interface-id—(Optional) Displays only those static routes with the specified
          interface as an egress interface.
        • recursive—(Optional) Displays only recursive static routes. The recursive keyword is
          mutually exclusive with the interface keyword, but it can be used with or without the IPv6
          prefix included in the command syntax.
        • detail—(Optional) Displays this additional information:
          • For valid recursive routes, the output path set, and maximum resolution depth.
          • For invalid routes, the reason why the route is not valid.
        Example:
        SwitchDevice# show ipv6 static 2001:0DB8::/32 interface gigabitethernet2/0/1
        or
        SwitchDevice# show ipv6 route static

Step 5  copy running-config startup-config
        (Optional) Saves your entries in the configuration file.
        Example:
        SwitchDevice# copy running-config startup-config

Related Topics
Configuring Static Routing for IPv6: Example, on page 163

Configuring RIP for IPv6 (CLI)


Before configuring the switch to run IPv6 RIP, you must enable routing by using the ip routing global
configuration command, enable the forwarding of IPv6 packets by using the ipv6 unicast-routing global
configuration command, and enable IPv6 on any Layer 3 interfaces on which IPv6 RIP is to be enabled.
For more information about configuring RIP routing for IPv6, see the “Implementing RIP for IPv6” chapter
in the Cisco IOS IPv6 Configuration Library on Cisco.com.

Procedure

Step 1  configure terminal
        Enters global configuration mode.
        Example:
        SwitchDevice# configure terminal

Step 2  ipv6 router rip name
        Configures an IPv6 RIP routing process, and enters router configuration mode for the process.
        Example:
        SwitchDevice(config)# ipv6 router rip cisco

Step 3  maximum-paths number-paths
        (Optional) Defines the maximum number of equal-cost routes that IPv6 RIP can support. The
        range is from 1 to 32, and the default is 16 routes.
        Example:
        SwitchDevice(config-router)# maximum-paths 6

Step 4  exit
        Returns to global configuration mode.
        Example:
        SwitchDevice(config-router)# exit

Step 5  interface interface-id
        Enters interface configuration mode, and specifies the Layer 3 interface to configure.
        Example:
        SwitchDevice(config)# interface gigabitethernet 1/0/1

Step 6  ipv6 rip name enable
        Enables the specified IPv6 RIP routing process on the interface.
        Example:
        SwitchDevice(config-if)# ipv6 rip cisco enable

Step 7  ipv6 rip name default-information {only | originate}
        (Optional) Originates the IPv6 default route (::/0) into the RIP routing process updates sent
        from the specified interface.
        Note To avoid routing loops after the IPv6 default route (::/0) is originated from any
        interface, the routing process ignores all default routes received on any interface.
        • only—Select to originate the default route, but suppress all other routes in the updates
          sent on this interface.
        • originate—Select to originate the default route in addition to all other routes in the
          updates sent on this interface.
        Example:
        SwitchDevice(config-if)# ipv6 rip cisco default-information only

Step 8  end
        Returns to privileged EXEC mode.
        Example:
        SwitchDevice(config)# end

Step 9  Use one of the following:
        • show ipv6 rip [name] [interface interface-id] [database] [next-hops]
          Displays information about current IPv6 RIP processes.
        • show ipv6 rip
          Displays the current contents of the IPv6 routing table.
        Example:
        SwitchDevice# show ipv6 rip cisco interface gigabitethernet2/0/1
        or
        SwitchDevice# show ipv6 rip

Step 10 copy running-config startup-config
        (Optional) Saves your entries in the configuration file.
        Example:
        SwitchDevice# copy running-config startup-config

Related Topics
Configuring RIP for IPv6: Example, on page 164
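An added example, not the guide's own, that works the static routing and RIP procedures above together: a static route with a global next hop, a link-local next hop (which therefore needs an interface-id and an adjacent router), and a floating static route whose administrative distance of 130 is higher than IPv6 RIP's default of 120 (an IOS default not stated on this page), so it is installed only if the RIP-learned route is withdrawn. Addresses, the process name and the port numbers are assumptions; no switchport is assumed to be how a port becomes a Layer 3 interface on this switch.

```cisco
! Added example (not from the guide). Addresses, names and port numbers are assumed.
enable
configure terminal
!
! Prerequisites from the guide: IPv4 routing, IPv6 unicast forwarding (this also
! turns on IPv6 CEF) and an IPv6 address on at least one Layer 3 interface.
ip routing
ipv6 unicast-routing
!
interface GigabitEthernet1/0/1
 no switchport
 ipv6 address 2001:DB8:1::1/64
 exit
interface GigabitEthernet1/0/2
 no switchport
 ipv6 address 2001:DB8:2::1/64
 exit
!
! 1. Global next hop: resolved recursively through the routing table
!    (here 2001:DB8:1::2 is directly connected on Gi1/0/1).
ipv6 route 2001:DB8:100::/48 2001:DB8:1::2
!
! 2. Link-local next hop: the interface-id is mandatory because FE80::2 is only
!    meaningful on one link, and the router at FE80::2 must be adjacent on Gi1/0/2.
ipv6 route 2001:DB8:200::/48 GigabitEthernet1/0/2 FE80::2
!
! 3. IPv6 RIP on Gi1/0/1, capped at 4 equal-cost paths, originating the default
!    route in addition to the other routes it advertises.
ipv6 router rip CORP
 maximum-paths 4
 exit
interface GigabitEthernet1/0/1
 ipv6 rip CORP enable
 ipv6 rip CORP default-information originate
 exit
!
! 4. Floating static backup: RIP (AD 120) routes to 2001:DB8:300::/48 win over this
!    AD 130 route, which enters the routing table only when the RIP route disappears.
ipv6 route 2001:DB8:300::/48 GigabitEthernet1/0/2 FE80::2 130
end
!
! Verify: detail explains why a static route is invalid (for example, a missing
! adjacency for the link-local next hop); the RIB shows which route is installed.
show ipv6 static detail
show ipv6 route static
show ipv6 rip CORP interface GigabitEthernet1/0/1
show ipv6 route
```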

Configuring OSPF for IPv6 (CLI)


You can customize OSPF for IPv6 for your network. However, the defaults for OSPF in IPv6 are set to meet
the requirements of most customers and features.
Follow these guidelines:
• Be careful when changing the defaults for IPv6 commands. Changing the defaults might adversely affect
OSPF for the IPv6 network.
• Before you enable IPv6 OSPF on an interface, you must enable routing by using the ip routing global
configuration command, enable the forwarding of IPv6 packets by using the ipv6 unicast-routing global
configuration command, and enable IPv6 on Layer 3 interfaces on which you are enabling IPv6 OSPF.

For more information about configuring OSPF routing for IPv6, see the “Implementing OSPF for IPv6”
chapter in the Cisco IOS IPv6 Configuration Library on Cisco.com.

Procedure

Command or Action Purpose


Step 1 configure terminal Enters global configuration mode.
Example:

SwitchDevice# configure terminal

Step 2 ipv6 router ospf process-id Enables OSPF router configuration mode for the process.
The process ID is the number assigned administratively
Example:

Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(3)E (Catalyst 3560-CX and 2960-CX Switches)
137
IPv6
Configuring OSPF for IPv6 (CLI)

Command or Action Purpose


when enabling the OSPF for IPv6 routing process. It is
SwitchDevice(config)# ipv6 router ospf 21
locally assigned and can be a positive integer from 1 to
65535.

Step 3 area area-id range {ipv6-prefix/prefix length} [advertise (Optional) Consolidates and summarizes routes at an area
| not-advertise] [cost cost] boundary.
Example: • area-id—Identifier of the area about which routes are
to be summarized. It can be specified as either a
SwitchDevice(config)# area .3 range 2001:0DB8::/32 decimal value or as an IPv6 prefix.
not-advertise
• ipv6-prefix/prefix length—The destination IPv6
network and a decimal value that shows how many
of the high-order contiguous bits of the address
comprise the prefix (the network portion of the
address). A slash mark (/) must precede the decimal
value.
• advertise—(Optional) Sets the address range status
to advertise and generate a Type 3 summary link-state
advertisement (LSA).
• not-advertise—(Optional) Sets the address range
status to DoNotAdvertise. The Type 3 summary LSA
is suppressed, and component networks remain hidden
from other networks.
• cost cost—(Optional) Sets the metric or cost for this
summary route, which is used during OSPF SPF
calculation to determine the shortest paths to the
destination. The value can be 0 to 16777215.

Step 4 maximum paths number-paths (Optional) Defines the maximum number of equal-cost
routes to the same destination that IPv6 OSPF should enter
Example:
in the routing table. The range is from 1 to 32, and the
default is 16 paths.
SwitchDevice(config)# maximum paths 16

Step 5 exit Returns to global configuration mode.


Example:

SwitchDevice(config-if)# exit

Step 6 interface interface-id Enters interface configuration mode, and specifies the
Layer 3 interface to configure.
Example:

SwitchDevice(config)# interface gigabitethernet


1/0/1

Step 7 ipv6 ospf process-id area area-id [instance instance-id] Enables OSPF for IPv6 on the interface.

Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(3)E (Catalyst 3560-CX and 2960-CX Switches)
138
IPv6
Tuning LSA and SPF Timers for OSPFv3 Fast Convergence

Command or Action Purpose


Example: • instance instance-id—(Optional) Instance identifier.

SwitchDevice(config-if)# ipv6 ospf 21 area .3

Step 8 end Returns to privileged EXEC mode.


Example:

SwitchDevice(config)# end

Step 9 Use one of the following:
• show ipv6 ospf [process-id] [area-id] interface [interface-id]—Displays information about OSPF interfaces.
• show ipv6 ospf [process-id] [area-id]—Displays general information about OSPF routing processes.
Example:
SwitchDevice# show ipv6 ospf 21 interface gigabitethernet2/0/1
or
SwitchDevice# show ipv6 ospf 21

Step 10 copy running-config startup-config (Optional) Saves your entries in the configuration file.
Example:

SwitchDevice# copy running-config startup-config
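Added example (not from this guide): a Python check of what an area range statement of the kind shown in Step 3 above does to the prefixes inside an area, so the effect of advertise, not-advertise and cost can be reviewed before the command is entered on a production ABR. The range list, the component prefixes and the longest-prefix-match rule for overlapping ranges are assumptions of the example, not statements of this guide.

```python
"""Added example, not from the Cisco guide: what an OSPFv3 `area <id> range`
statement does to the prefixes inside an area. Range/prefix values are
constructed; longest-prefix-match between overlapping ranges is an assumption."""
import ipaddress

COST_MAX = 16777215  # upper bound of the optional `cost` keyword per the guide


def plan_area_range(area_ranges, intra_area_prefixes):
    """Map each outgoing entry to what the ABR would do with it.

    area_ranges: list of {"prefix": str, "advertise": bool, "cost": int|None}
    intra_area_prefixes: IPv6 prefixes learned inside the area (strings).
    Returns {prefix-or-range: action} where action is one of
    "summary (advertise)", "suppressed (not-advertise)", "advertised individually".
    """
    ranges = []
    for r in area_ranges:
        net = ipaddress.IPv6Network(r["prefix"], strict=True)
        cost = r.get("cost")
        if cost is not None and not 0 <= cost <= COST_MAX:
            raise ValueError(f"cost {cost} outside 0..{COST_MAX}")
        ranges.append((net, r.get("advertise", True), cost))
    # Assumption: when ranges overlap, the most specific one governs a prefix.
    ranges.sort(key=lambda t: t[0].prefixlen, reverse=True)

    outcome = {}
    for p in intra_area_prefixes:
        net = ipaddress.IPv6Network(p, strict=True)
        for rng, advertise, cost in ranges:
            if net.subnet_of(rng):
                # All component prefixes collapse into one entry for the range.
                label = "summary (advertise)" if advertise else "suppressed (not-advertise)"
                if cost is not None and advertise:
                    label += f", cost {cost}"
                outcome[str(rng)] = label
                break
        else:
            outcome[str(net)] = "advertised individually"
    return outcome


def demo():
    # Constructed sample: a suppressed /32 with a more specific, advertised /48.
    ranges = [
        {"prefix": "2001:db8::/32", "advertise": False},
        {"prefix": "2001:db8:1::/48", "advertise": True, "cost": 10},
    ]
    prefixes = ["2001:db8:1:10::/64", "2001:db8:1:20::/64",
                "2001:db8:2:10::/64", "2001:db9::/48"]
    return plan_area_range(ranges, prefixes)


if __name__ == "__main__":
    for entry, action in demo().items():
        print(f"{entry:22s} {action}")
```

The point a reviewer wants visible is that a not-advertise range hides every component network under it from the rest of the domain, while a more specific advertised range still leaks out, so the two must be checked together rather than one statement at a time.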

Tuning LSA and SPF Timers for OSPFv3 Fast Convergence


SUMMARY STEPS
1. enable
2. configure terminal
3. ipv6 router ospf process-id
4. timers lsa arrival milliseconds
5. timers pacing flood milliseconds
6. timers pacing lsa-group seconds
7. timers pacing retransmission milliseconds
8. end


DETAILED STEPS

Command or Action Purpose


Step 1 enable Enables privileged EXEC mode. Enter your password if
prompted.
Example:

SwitchDevice> enable

Step 2 configure terminal Enters the global configuration mode.


Example:

SwitchDevice# configure terminal

Step 3 ipv6 router ospf process-id
Enables OSPFv3 router configuration mode.

Step 4 timers lsa arrival milliseconds
Sets the minimum interval at which the software accepts the same LSA from OSPFv3 neighbors.

Step 5 timers pacing flood milliseconds
Configures LSA flood packet pacing.

Step 6 timers pacing lsa-group seconds
Changes the interval at which OSPFv3 LSAs are collected into a group and refreshed, checksummed, or aged.

Step 7 timers pacing retransmission milliseconds
Configures LSA retransmission packet pacing in OSPFv3.

Step 8 end
Returns to privileged EXEC mode.
Example:
SwitchDevice(config-rtr)# end

Configuring LSA and SPF Throttling for OSPFv3 Fast Convergence


SUMMARY STEPS
1. enable
2. configure terminal
3. ipv6 router ospf process-id
4. timers throttle spf spf-start spf-hold spf-max-wait
5. timers throttle lsa start-interval hold-interval max-interval
6. timers lsa arrival milliseconds
7. timers pacing flood milliseconds
8. end


DETAILED STEPS

Command or Action Purpose


Step 1 enable Enables privileged EXEC mode. Enter your password if
prompted.
Example:

SwitchDevice> enable

Step 2 configure terminal Enters the global configuration mode.


Example:

SwitchDevice# configure terminal

Step 3 ipv6 router ospf process-id
Enables OSPFv3 router configuration mode.

Step 4 timers throttle spf spf-start spf-hold spf-max-wait
Turns on SPF throttling.

Step 5 timers throttle lsa start-interval hold-interval max-interval
Sets rate-limiting values for OSPFv3 LSA generation.

Step 6 timers lsa arrival milliseconds
Sets the minimum interval at which the software accepts the same LSA from OSPFv3 neighbors.

Step 7 timers pacing flood milliseconds
Configures LSA flood packet pacing.

Step 8 end
Returns to privileged EXEC mode.
Example:
SwitchDevice(config-rtr)# end
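Added example (not from this guide): a Python simulation of the SPF throttle timers from Step 4 of the procedure above, showing why throttling bounds the CPU cost of a flapping link without leaving convergence unbounded. It models the behaviour documented for the IOS timers throttle spf command (first SPF after spf-start, then a hold time that doubles after each run up to spf-max-wait, resetting after a quiet period of twice spf-max-wait); the exact scheduling rule used here is a simplification and an assumption of the example, as are the timer values and event times.

```python
"""Added example, not from the Cisco guide: simulate `timers throttle spf
spf-start spf-hold spf-max-wait` (all in milliseconds) against a burst of
topology-change events. The scheduling model is a simplification; the timer
values and event times are constructed."""


def simulate_spf_throttle(events_ms, spf_start, spf_hold, spf_max_wait):
    """Return the times (ms) at which SPF runs for the given change events."""
    if not (0 < spf_hold <= spf_max_wait):
        raise ValueError("require 0 < spf-hold <= spf-max-wait")
    runs = []
    hold = spf_hold      # hold window applied after the most recent run
    pending = None       # time of the SPF already queued, if any
    last_run = None
    for t in sorted(events_ms):
        if pending is not None and pending <= t:
            runs.append(pending)           # queued SPF fired before this event
            last_run, pending = pending, None
        if pending is not None:
            continue                       # change absorbed by the queued SPF
        if last_run is None or t - last_run >= 2 * spf_max_wait:
            hold = spf_hold                # fresh start, or quiet-period reset
            pending = t + spf_start
        else:
            # Back-off: never sooner than spf-start, never inside the hold window.
            pending = max(t + spf_start, last_run + hold)
            hold = min(hold * 2, spf_max_wait)
    if pending is not None:
        runs.append(pending)
    return runs


def intervals(runs):
    """Gaps between consecutive SPF runs; shows the doubling and the cap."""
    return [b - a for a, b in zip(runs, runs[1:])]


def demo():
    # Constructed: a flapping link produces a burst, then a long quiet period.
    events = [0, 100, 1200, 2500, 3100, 20000]
    return simulate_spf_throttle(events, spf_start=5, spf_hold=1000,
                                 spf_max_wait=4000)


if __name__ == "__main__":
    runs = demo()
    print("SPF runs at (ms):", runs)
    print("intervals (ms):  ", intervals(runs))
```

With the constructed timers, the six events cost five SPF runs instead of six, the gaps grow 1000, 2000, 4000 ms and then stay capped at spf-max-wait, and the event after the quiet period is served after spf-start again; a device under sustained LSA churn therefore settles into one SPF per spf-max-wait rather than one per change.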

Configuring EIGRP for IPv6


Before configuring the switch to run IPv6 EIGRP, enable routing by entering the ip routing global
configuration command, enable the forwarding of IPv6 packets by entering the ipv6 unicast-routing global
configuration command, and enable IPv6 on any Layer 3 interfaces on which you want to enable IPv6 EIGRP.
To set an explicit router ID, use the show ipv6 eigrp command to see the configured router IDs, and then use
the router-id command.
As with EIGRP IPv4, you can use EIGRPv6 to specify your EIGRP IPv6 interfaces and to select a subset of
those as passive interfaces. Use the passive-interface command to make an interface passive, and then use
the no passive-interface command on selected interfaces to make them active. EIGRP IPv6 does not need to
be configured on a passive interface.
For more configuration procedures, see the “Implementing EIGRP for IPv6” chapter in the Cisco IOS IPv6
Configuration Library on Cisco.com.


Configuring HSRP for IPv6


Hot Standby Router Protocol (HSRP) for IPv6 provides routing redundancy for IPv6 traffic that does not
depend on the availability of any single router.
When HSRP for IPv6 is enabled on a switch, IPv6 hosts learn of available IPv6 routers through IPv6 neighbor
discovery router advertisement messages. An HSRP IPv6 group has a virtual MAC address that is derived
from the HSRP group number. The group has a virtual IPv6 link-local address that is, by default, derived from
the HSRP virtual MAC address. Periodic messages are sent for the HSRP virtual IPv6 link-local address when
the HSRP group is active.
When configuring HSRP for IPv6, you must enable HSRP version 2 (HSRPv2) on the interface.

Note Before configuring an HSRP for IPv6 group, you must enable the forwarding of IPv6 packets by using the
ipv6 unicast-routing global configuration command and enable IPv6 on the interface on which you will
configure an HSRP for IPv6 group.
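Added example (not from this guide): a Python routine that derives, for an HSRP for IPv6 group number, the virtual MAC address and the default virtual link-local address described above. It assumes the HSRP for IPv6 virtual MAC block 0005.73A0.0000 through 0005.73A0.0FFF that IOS uses (not stated on this page) and the modified EUI-64 derivation; the group numbers used are constructed.

```python
"""Added example, not from the Cisco guide: HSRP for IPv6 virtual MAC and the
link-local address that `standby <group> ipv6 autoconfig` derives from it.
Assumption: IOS's HSRP-for-IPv6 virtual MAC block 0005.73A0.0000-0005.73A0.0FFF."""
import ipaddress

HSRP_IPV6_BASE_MAC = 0x000573A00000   # 0005.73A0.0000; low 12 bits = group number
GROUP_MAX = 4095                      # group-number range 0..4095 per the guide


def hsrp_ipv6_virtual_mac(group):
    """Dotted-hex virtual MAC for an HSRPv2 IPv6 group, e.g. 0005.73a0.0002."""
    if not 0 <= group <= GROUP_MAX:
        raise ValueError(f"group must be 0..{GROUP_MAX}")
    octets = (HSRP_IPV6_BASE_MAC | group).to_bytes(6, "big")
    return "%02x%02x.%02x%02x.%02x%02x" % tuple(octets)


def eui64_link_local(mac):
    """fe80::/64 address with a modified EUI-64 interface ID built from a MAC.

    Modified EUI-64: split the MAC, insert ff:fe in the middle and flip the
    universal/local bit (0x02) of the first octet. Accepts dotted or colon form.
    """
    raw = bytes.fromhex(mac.replace(".", "").replace(":", "").replace("-", ""))
    if len(raw) != 6:
        raise ValueError("MAC must be 48 bits")
    iid = bytearray(raw[:3] + b"\xff\xfe" + raw[3:])
    iid[0] ^= 0x02
    return str(ipaddress.IPv6Address(b"\xfe\x80" + bytes(6) + bytes(iid)))


def hsrp_ipv6_link_local(group):
    """Default virtual link-local address of an HSRP for IPv6 group."""
    return eui64_link_local(hsrp_ipv6_virtual_mac(group))


if __name__ == "__main__":
    for g in (0, 2, 4095):
        print(g, hsrp_ipv6_virtual_mac(g), hsrp_ipv6_link_local(g))
```

Comparing the computed address with the router advertisements and neighbor-cache entries actually seen on a segment is a quick way to confirm that the default router the hosts are using belongs to the configured HSRP group and not to some other device on the link.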

Enabling HSRP Version 2


For more information about configuring HSRP for IPv6, see the “Configuring First Hop Redundancy Protocols
in IPv6” chapter in the Cisco IOS IPv6 Configuration Library on Cisco.com.

Procedure

Command or Action Purpose


Step 1 configure terminal Enters the global configuration mode.
Example:

SwitchDevice# configure terminal

Step 2 interface interface-id Enters interface configuration mode, and enters the Layer 3
interface on which you want to specify the standby version.
Example:

SwitchDevice(config)# interface gigabitethernet


1/0/1

Step 3 standby version {1 | 2} Sets the HSRP version. Enter 2 to change the HSRP version.
The default is 1.
Example:

SwitchDevice(config-if)# standby version 2

Step 4 end
Returns to privileged EXEC mode.
Example:
SwitchDevice(config-if)# end

Step 5 show standby Verifies the configuration.


Example:

SwitchDevice# show standby

Step 6 copy running-config startup-config (Optional) Saves your entries in the configuration file.
Example:

SwitchDevice# copy running-config startup-config

Enabling an HSRP Group for IPv6


This task explains how to create or enable HSRP for IPv6 on a Layer 3 interface.

Procedure

Command or Action Purpose


Step 1 configure terminal Enters the global configuration mode.
Example:

SwitchDevice# configure terminal

Step 2 interface interface-id Enters interface configuration mode, and enters the Layer 3
interface on which you want to enable HSRP for IPv6.
Example:

SwitchDevice(config)# interface gigabitethernet


1/0/1

Step 3 standby [group-number] ipv6 {link-local-address | autoconfig}
Creates (or enables) the HSRP for IPv6 group.
• (Optional) group-number—The group number on the interface for which HSRP is being enabled. The range is 0 to 4095. The default is 0. If there is only one HSRP group, you do not need to enter a group number.
• Enter the link-local address of the Hot Standby router interface, or enable the link-local address to be generated automatically from the link-local prefix and a modified EUI-64 format interface identifier, where the EUI-64 interface identifier is created from the relevant HSRP virtual MAC address.
Example:
SwitchDevice(config-if)# standby 2 ipv6 autoconfig


Step 4 standby [group-number] preempt [delay {minimum seconds | reload seconds | sync seconds}]
Configures the router to preempt, which means that when the local router has a higher priority than the active router, it assumes control as the active router.
• (Optional) group-number—The group number to which the command applies.
• (Optional) delay—Causes the local router to postpone taking over the active role for the specified number of seconds. The range is 0 to 3600 (1 hour). The default is 0 (no delay before taking over).
• (Optional) reload—Sets the preemption delay, in seconds, after a reload. The delay period applies only to the first interface-up event after the router reloads.
• (Optional) sync—Sets the maximum synchronization period, in seconds, for IP redundancy clients.
Use the no form of the command to restore the default values.
Example:
SwitchDevice(config-if)# standby 2 preempt delay reload 0

Step 5 standby [group-number] priority priority
Sets a priority value used in choosing the active router. The range is 1 to 255; the default priority is 100. The highest number represents the highest priority.
Use the no form of the command to restore the default values.
Example:
SwitchDevice(config-if)# standby 2 priority 200

Step 6 end Returns to privileged EXEC mode.


Example:

SwitchDevice(config)# end

Step 7 show standby [interface-id [group-number]]
Verifies the configuration.
Example:
SwitchDevice# show standby gigabitethernet 1/0/1 2

Step 8 copy running-config startup-config (Optional) Saves your entries in the configuration file.
Example:

SwitchDevice# copy running-config startup-config

Related Topics
Enabling an HSRP Group for IPv6: Example, on page 162


Configuring Multi-VRF CE
The switch supports multiple VPN routing/forwarding (multi-VRF) instances in customer edge (CE) devices
(multi-VRF CE) when it is running the IP services or advanced IP services feature set. Multi-VRF CE
allows a service provider to support two or more VPNs with overlapping IP addresses.

Note The switch does not use Multiprotocol Label Switching (MPLS) to support VPNs.

IPv6 multicast routing is not supported on a VRF associated interface.

Default Multi-VRF CE Configuration


Table 17: Default VRF Configuration

Feature Default Setting

VRF Disabled. No VRFs are defined.

Maps No import maps, export maps, or route maps are defined.

Forwarding table The default for an interface is the global routing table.

Configuring VRFs
For complete syntax and usage information for the commands, see the switch command reference for this
release and the Cisco IOS Switching Services Command Reference.

Procedure

Command or Action Purpose


Step 1 configure terminal Enters the global configuration mode.
Example:

SwitchDevice# configure terminal

Step 2 ipv6 unicast-routing
Enables IPv6 unicast routing.
Example:
SwitchDevice(config)# ipv6 unicast-routing

Step 3 vrf definition vrf-name
Names the VRF, and enters VRF configuration mode.
Example:
SwitchDevice(config)# vrf definition vpn1


Step 4 address-family ipv6
Specifies the IPv6 address family and enters address family configuration mode.
Example:
SwitchDevice(config-vrf)# address-family ipv6

Step 5 rd route-distinguisher
Creates a VRF table by specifying a route distinguisher. Enter either an AS number and an arbitrary number (xxx:y) or an IP address and an arbitrary number (A.B.C.D:y).
Example:
SwitchDevice(config-vrf)# rd 100:2

Step 6 route-target {export | import | both} route-target-ext-community
Creates a list of import, export, or import and export route target communities for the specified VRF. Enter either an AS number and an arbitrary number (xxx:y) or an IP address and an arbitrary number (A.B.C.D:y). The route-target-ext-community should be the same as the route-distinguisher entered in Step 5.
Example:
SwitchDevice(config-vrf)# route-target both 100:2

Step 7 import map route-map (Optional) Associates a route map with the VRF.
Example:

SwitchDevice(config-vrf)# import map importmap1

Step 8 interface interface-id
Specifies the Layer 3 interface to be associated with the VRF, and enters interface configuration mode. The interface can be a routed port or SVI.
Example:
SwitchDevice(config-vrf)# interface gigabitethernet 1/0/1

Step 9 vrf forwarding vrf-name Associates the VRF with the Layer 3 interface.
Example:

SwitchDevice(config-if)# vrf forwarding vpn1

Step 10 end Returns to privileged EXEC mode.


Example:

SwitchDevice(config)# end

Step 11 show vrf [brief | detail | interfaces] [vrf-name] Verifies the configuration. Displays information about the
configured VRFs.
Example:

SwitchDevice# show vrf interfaces vpn1

Step 12 copy running-config startup-config (Optional) Saves your entries in the configuration file.
Example:

SwitchDevice# copy running-config startup-config

Configuring VRF-Aware Services


These services are VRF-Aware:
• ARP
• Ping
• Simple Network Management Protocol (SNMP)
• Hot Standby Router Protocol (HSRP)
• Unicast Reverse Path Forwarding (uRPF)
• Syslog
• Traceroute
• FTP and TFTP

Note The switch does not support VRF-aware services for Unicast Reverse Path
Forwarding (uRPF) or Network Time Protocol (NTP).

Configuring VRF-Aware Services for Neighbor Discovery


For complete syntax and usage information for the commands, see the switch command reference for this
release and the Cisco IOS Switching Services Command Reference, Release 12.4.

Procedure

Command or Action Purpose


Step 1 show ipv6 neighbors vrf vrf-name Displays the IPv6 neighbor cache (the IPv6 counterpart of the ARP table) in the specified VRF.
Example:

SwitchDevice# show ipv6 neighbors vrf vpn1

Configuring VRF-Aware Services for PING


For complete syntax and usage information for the commands, see the switch command reference for this
release and the Cisco IOS Switching Services Command Reference, Release .

Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(3)E (Catalyst 3560-CX and 2960-CX Switches)
147
IPv6
Configuring VRF-Aware Services for HSRP

Procedure

Command or Action Purpose


Step 1 ping vrf vrf-name ipv6 ipv6-address Sends ICMPv6 echo requests to the address within the specified VRF.
Example:

SwitchDevice# ping vrf vpn1 ipv6

Configuring VRF-Aware Services for HSRP


For complete syntax and usage information for the commands, see the switch command reference for this
release and the Cisco IOS Switching Services Command Reference, Release 12.4.

Procedure

Command or Action Purpose


Step 1 configure terminal Enters the global configuration mode.
Example:

SwitchDevice# configure terminal

Step 2 interface interface-id
Enters interface configuration mode, and enters the Layer 3 interface on which you want to enable HSRP.
Example:
SwitchDevice(config)# interface gigabitethernet1/0/1

Step 3 no switchport
Removes the interface from Layer 2 configuration mode if it is a physical interface.
Example:
SwitchDevice(config-if)# no switchport

Step 4 vrf forwarding vrf-name
Configures VRF on the interface.
Example:
SwitchDevice(config-if)# vrf forwarding vpn1

Step 5 ipv6 address ipv6-address
Enters the IPv6 address for the interface.
Example:
SwitchDevice(config-if)# ipv6 address 2001::DB8:1/64

Step 6 standby 1 ipv6 ipv6-address
Enables HSRP and configures the virtual IP address.
Example:
SwitchDevice(config-if)# standby 1 ipv6 2001::DB8:1/64

Step 7 end
Returns to privileged EXEC mode.
Example:
SwitchDevice(config-if)# end

Configuring VRF-Aware Services for Traceroute


For complete syntax and usage information for the commands, see the switch command reference for this
release and the Cisco IOS Switching Services Command Reference, Release .

Procedure

Command or Action Purpose


Step 1 traceroute vrf vrf-name ipv6-address
Specifies the name of a VPN VRF in which to find the destination address.
Example:
SwitchDevice# traceroute vrf vpn1 2001::DB8:1/64

Configuring VRF-Aware Services for FTP and TFTP

Procedure

Command or Action Purpose


Step 1 configure terminal Enters the global configuration mode.
Example:

SwitchDevice# configure terminal

Step 2 ip ftp source-interface interface-type interface-number
Specifies the source IP address for FTP connections.
Example:
SwitchDevice(config)# ip ftp source-interface gigabitethernet 1/0/2

Step 3 end
Returns to privileged EXEC mode.
Example:
SwitchDevice(config)# end

Step 4 configure terminal Enters global configuration mode.


Example:

SwitchDevice# configure terminal

Step 5 ip tftp source-interface interface-type interface-number
Specifies the source IP address for TFTP connections.
Example:
SwitchDevice(config)# ip tftp source-interface gigabitethernet 1/0/2

Step 6 end
Returns to privileged EXEC mode.
Example:
SwitchDevice(config)# end

Configuring a VPN Routing Session


Routing within the VPN can be configured with any supported routing protocol (OSPF, EIGRP, or BGP) or
with static routing. The configuration shown here is for OSPF, but the process is the same for other protocols.

Note To configure an EIGRP routing process to run within a VRF instance, you must configure an
autonomous-system number by entering the autonomous-system autonomous-system-number address-family
configuration mode command.

Procedure

Command or Action Purpose


Step 1 configure terminal Enters global configuration mode.
Example:

SwitchDevice# configure terminal

Step 2 router ospfv3 process-id Enables OSPF routing, specifies a VPN forwarding table,
and enter router configuration mode.
Example:

SwitchDevice(config)# router ospfv3 1

Step 3 router-id router-id
Specifies the OSPF router ID in IP address format for this OSPFv3 process.
Example:
SwitchDevice(config-router)# router-id router-id

Step 4 log-adjacency-changes
(Optional) Logs changes in the adjacency state. This is the default state.
Example:
SwitchDevice(config-router)# log-adjacency-changes

Step 5 address-family ipv6 unicast vrf vrf-name
Enters address family command mode for the VRF.
Example:
SwitchDevice(config-router)# address-family ipv6 unicast vrf vpn1

Step 6 area area-id normal Specifies OSPFv3 area parameters and type.
Example:

SwitchDevice(config-router)# area 2

Step 7 redistribute bgp autonomous-system-number Redistributes routes from BGP routing process to OSPF
routing process.
Example:

SwitchDevice(config-router)# redistribute bgp 10

Step 8 end Returns to privileged EXEC mode.


Example:

SwitchDevice(config-router)# end

Step 9 show ospfv3 vrf vrf-name Verifies the configuration of the OSPFv3 network.
Example:

SwitchDevice# show ospfv3 vrf vpn1

Step 10 copy running-config startup-config (Optional) Saves your entries in the configuration file.
Example:

SwitchDevice# copy running-config startup-config

Configuring BGP PE to CE Routing Sessions


Procedure

Command or Action Purpose


Step 1 configure terminal Enters global configuration mode.
Example:

SwitchDevice# configure terminal


Step 2 router bgp autonomous-system-number
Configures the BGP routing process with the AS number passed to other BGP routers, and enters router configuration mode.
Example:
SwitchDevice(config)# router bgp 2

Step 3 bgp router-id router-id
Configures a fixed 32-bit router ID as the identifier of the local router running BGP.
Example:
SwitchDevice(config-router)# bgp router-id

Step 4 redistribute ospf process-id Sets the switch to redistribute OSPF internal routes.
Example:

SwitchDevice(config-router)# redistribute ospf 1

Step 5 address-family ipv6 vrf vrf-name
Defines BGP parameters for PE to CE routing sessions, and enters VRF address-family mode.
Example:
SwitchDevice(config-router)# address-family ipv6 vrf vpn1

Step 6 network ipv6-prefix/prefix-length
Specifies an IPv6 network prefix to announce via BGP.
Example:
SwitchDevice(config-router-af)# network 3000::/64

Step 7 neighbor ipv6-address remote-as as-number
Defines a BGP session between PE and CE routers.
Example:
SwitchDevice(config-router-af)# neighbor 10.1.1.2 remote-as 2

Step 8 neighbor ipv6-address activate
Activates the advertisement of the IPv6 address family for the neighbor.
Example:
SwitchDevice(config-router-af)# neighbor 10.2.1.1 activate

Step 9 end Returns to privileged EXEC mode.


Example:

SwitchDevice(config-router)# end

Step 10 show bgp vrf vrf-name
Verifies BGP configuration on the VRF.
Example:
SwitchDevice# show ip bgp ipv4 neighbors

Step 11 copy running-config startup-config (Optional) Saves your entries in the configuration file.
Example:

SwitchDevice# copy running-config startup-config

Multi-VRF CE Configuration Example


OSPF is the protocol used in VPN1, VPN2, and the global network. BGP is used in the CE to PE connections.
The examples following the illustration show how to configure a switch as CE Switch A, and the VRF
configuration for customer switches D and E. Commands for configuring CE Switch C and the other customer
switches are not included but would be similar.
Figure 2: Multi-VRF CE Configuration Example

On Switch A, enable routing and configure VRF.

SwitchDevice# configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
SwitchDevice(config)# ipv6 unicast-routing
SwitchDevice(config)# vrf definition v11
SwitchDevice(config-vrf)# rd 11:1
SwitchDevice(config-vrf)# address-family ipv6
SwitchDevice(config-vrf-af)# exit
SwitchDevice(config-vrf)# vrf definition v12
SwitchDevice(config-vrf)# rd 12:1
SwitchDevice(config-vrf)# address-family ipv6
SwitchDevice(config-vrf-af)# end


Configure the physical interfaces on Switch A. Gigabit Ethernet interface 1/0/24 is a trunk connection to the
PE. Gigabit Ethernet ports 1/0/1 and 1/0/2 connect to VPNs.

SwitchDevice# configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
SwitchDevice(config)# interface GigabitEthernet 1/0/1
SwitchDevice(config-if)# switchport access vlan 208
SwitchDevice(config-if)# no ip address
SwitchDevice(config-if)# exit
SwitchDevice(config)# interface gigabitEthernet 1/0/2
SwitchDevice(config-if)# switchport access vlan 118
SwitchDevice(config-if)# no ip address
SwitchDevice(config-if)# exit
SwitchDevice(config)# interface GigabitEthernet 1/0/24
SwitchDevice(config-if)# switchport trunk encapsulation dot1q
SwitchDevice(config-if)# switchport mode trunk
SwitchDevice(config-if)# exit

Configure the VLANs used on Switch A. VLAN 10 is used by VRF 11 between the CE and the PE. VLAN
20 is used by VRF 12 between the CE and the PE. VLANs 118 and 208 are used for the VPNs that include
Switch E and Switch D, respectively:

SwitchDevice(config)# interface vlan10
SwitchDevice(config-if)# vrf forwarding v11
SwitchDevice(config-if)# ipv6 address 1000::1/64
SwitchDevice(config-if)# exit
SwitchDevice(config)# interface vlan20
SwitchDevice(config-if)# vrf forwarding v12
SwitchDevice(config-if)# ipv6 address 2000::1/64
SwitchDevice(config-if)# exit
SwitchDevice(config)# interface vlan208
SwitchDevice(config-if)# vrf forwarding v11
SwitchDevice(config-if)# ipv6 address 3000::1/64
SwitchDevice(config-if)# exit
SwitchDevice(config)# interface vlan118
SwitchDevice(config-if)# vrf forwarding v12
SwitchDevice(config-if)# ipv6 address 4000::1/64
SwitchDevice(config-if)# exit

Configure OSPFv3 routing on VPN1 and VPN2.

SwitchDevice(config)# router ospfv3 1
SwitchDevice(config-router)# router-id 1.1.1.1
SwitchDevice(config-router)# address-family ipv6 unicast vrf v11
SwitchDevice(config-router-af)# area 0 normal
SwitchDevice(config-router-af)# redistribute bgp 800
SwitchDevice(config-router-af)# exit
SwitchDevice(config-router)# exit
SwitchDevice(config)# router ospfv3 2
SwitchDevice(config-router)# router-id 2.2.2.2
SwitchDevice(config-router)# address-family ipv6 unicast vrf v12
SwitchDevice(config-router-af)# area 0 normal
SwitchDevice(config-router-af)# redistribute bgp 800
SwitchDevice(config-router-af)# exit
SwitchDevice(config-router)# exit
SwitchDevice(config)# exit

Configure BGP for CE to PE routing.


SwitchDevice(config)# router bgp 800
SwitchDevice(config-router)# bgp router-id 8.8.8.8
SwitchDevice(config-router)# address-family ipv6 vrf v11
SwitchDevice(config-router-af)# redistribute ospf 1
SwitchDevice(config-router-af)# neighbor 1000::2 remote-as 100
SwitchDevice(config-router-af)# neighbor 1000::2 activate
SwitchDevice(config-router-af)# network 3000::/64
SwitchDevice(config-router-af)# exit
SwitchDevice(config-router)# address-family ipv6 vrf v12
SwitchDevice(config-router-af)# redistribute ospf 2
SwitchDevice(config-router-af)# neighbor 2000::2 remote-as 100
SwitchDevice(config-router-af)# neighbor 2000::2 activate
SwitchDevice(config-router-af)# network 4000::/64

Switch D belongs to VPN 1. Configure the connection to Switch A by using these commands.

SwitchDevice# configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
SwitchDevice(config)# ipv6 unicast-routing
SwitchDevice(config)# interface GigabitEthernet 5/0/16
SwitchDevice(config-if)# no switchport
SwitchDevice(config-if)# ipv6 address 3000::2/64
SwitchDevice(config-if)# exit
SwitchDevice(config)# router ospfv3 101
SwitchDevice(config-router)# address-family ipv6
SwitchDevice(config-router-af)# area 0 normal
SwitchDevice(config-router-af)# redistribute connected
SwitchDevice(config-router-af)# exit
SwitchDevice(config-router)# exit

Switch E belongs to VPN 2. Configure the connection to Switch A by using these commands.

SwitchDevice(config)# ipv6 unicast-routing
SwitchDevice(config)# interface GigabitEthernet 3/0/13
SwitchDevice(config-if)# switchport access vlan 20
SwitchDevice(config-if)# exit
SwitchDevice(config)# interface vlan 20
SwitchDevice(config-if)# ipv6 address 4000::2/64
SwitchDevice(config-if)# exit
SwitchDevice(config)# router ospfv3 101
SwitchDevice(config-router)# address-family ipv6
SwitchDevice(config-router-af)# area 0 normal
SwitchDevice(config-router-af)# redistribute connected
SwitchDevice(config-router-af)# end

When used on switch B (the PE router), these commands configure only the connections to the CE device,
Switch A.

SwitchDevice(config)# vrf definition v1
SwitchDevice(config-vrf)# rd 1:1
SwitchDevice(config-vrf)# address-family ipv6
SwitchDevice(config-vrf-af)# exit
SwitchDevice(config-vrf)# exit
SwitchDevice(config)# vrf definition v2
SwitchDevice(config-vrf)# rd 2:1
SwitchDevice(config-vrf)# address-family ipv6
SwitchDevice(config-vrf-af)# exit
SwitchDevice(config-vrf)# exit
SwitchDevice(config)# interface g 1/0/2
SwitchDevice(config-if)# vrf forwarding v1
SwitchDevice(config-if)# ipv6 address 1000::2/64
SwitchDevice(config-if)# exit
SwitchDevice(config)# interface g 1/0/4
SwitchDevice(config-if)# vrf forwarding v2
SwitchDevice(config-if)# ipv6 address 2000::2/64
SwitchDevice(config-if)# interface gigabitEthernet 1/0/1
SwitchDevice(config-if)# switchport trunk encapsulation dot1q
SwitchDevice(config-if)# switchport mode trunk
SwitchDevice(config-if)# exit
SwitchDevice(config)# router bgp 100
SwitchDevice(config-router)# address-family ipv6 vrf v1
SwitchDevice(config-router-af)# neighbor 1000::1 remote-as 100
SwitchDevice(config-router-af)# neighbor 1000::1 activate
SwitchDevice(config-router-af)# network 3000::/64
SwitchDevice(config-router-af)# exit
SwitchDevice(config-router)# address-family ipv6 vrf v2
SwitchDevice(config-router-af)# neighbor 2000::1 remote-as 100
SwitchDevice(config-router-af)# neighbor 2000::1 activate
SwitchDevice(config-router-af)# network 4000::/64
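Added example (not from this guide and not Cisco code): a Python consistency check over a multi-VRF CE running-config in the style of the Switch A configuration above. The interesting failure for a multi-VRF deployment is an interface that carries an IPv6 address but is not bound to the VRF its VLAN was meant for, because its traffic then lands in the global table or in the wrong customer VPN. The configuration text is constructed for the example (it reuses the v11/v12 VRF names and VLAN addresses from the example above and adds deliberate errors), and the parser assumes the usual one-space indentation of IOS subcommands.

```python
"""Added example, not from the Cisco guide: consistency check of a multi-VRF
CE running-config. The configuration below is constructed for the example
(VRF names and VLAN addresses follow the Switch A example, plus deliberate
errors); it assumes the usual one-space indentation of IOS subcommands."""

SAMPLE_CONFIG = """\
ipv6 unicast-routing
vrf definition v11
 rd 11:1
 address-family ipv6
 exit-address-family
vrf definition v12
 rd 12:1
 address-family ipv6
 exit-address-family
vrf definition v13
interface Vlan10
 vrf forwarding v11
 ipv6 address 1000::1/64
interface Vlan20
 vrf forwarding v12
 ipv6 address 2000::1/64
interface Vlan208
 vrf forwarding v11
 ipv6 address 3000::1/64
interface Vlan118
 vrf forwarding v99
 ipv6 address 4000::1/64
interface Vlan300
 ipv6 address 5000::1/64
"""


def parse_config(text):
    """Collect VRF definitions and interface VRF/IPv6 bindings."""
    vrfs, ifaces = {}, {}
    mode, name = None, None
    for line in text.splitlines():
        if not line.strip() or line.startswith("!"):
            continue
        if not line.startswith(" "):          # top-level command ends any sub-mode
            mode, name = None, None
            words = line.split()
            if words[:2] == ["vrf", "definition"] and len(words) > 2:
                mode, name = "vrf", words[2]
                vrfs[name] = {"rd": None, "afs": set()}
            elif words[0] == "interface" and len(words) > 1:
                mode, name = "if", " ".join(words[1:])
                ifaces[name] = {"vrf": None, "ipv6": []}
            continue
        words = line.split()
        if mode == "vrf":
            if words[0] == "rd" and len(words) > 1:
                vrfs[name]["rd"] = words[1]
            elif words[0] == "address-family" and len(words) > 1:
                vrfs[name]["afs"].add(words[1])
        elif mode == "if":
            if words[:2] == ["vrf", "forwarding"] and len(words) > 2:
                ifaces[name]["vrf"] = words[2]
            elif words[:2] == ["ipv6", "address"] and len(words) > 2:
                ifaces[name]["ipv6"].append(words[2])
    return vrfs, ifaces


def check_vrf_config(text):
    """Return human-readable findings; an empty list means the config is consistent."""
    vrfs, ifaces = parse_config(text)
    findings = []
    for vname, v in sorted(vrfs.items()):
        if v["rd"] is None:
            findings.append(f"vrf {vname}: no rd configured")
        if "ipv6" not in v["afs"]:
            findings.append(f"vrf {vname}: no address-family ipv6")
    for iname, i in ifaces.items():
        if i["vrf"] is None and i["ipv6"]:
            # Not bound to any VRF: its traffic lands in the global table.
            findings.append(f"interface {iname}: IPv6 address in the global table (no vrf forwarding)")
        elif i["vrf"] is not None and i["vrf"] not in vrfs:
            findings.append(f"interface {iname}: vrf forwarding {i['vrf']} references an undefined VRF")
    return findings


if __name__ == "__main__":
    for finding in check_vrf_config(SAMPLE_CONFIG):
        print(finding)
```

The check is most useful on configurations assembled offline or generated from templates, since on a live device the CLI itself rejects a vrf forwarding command that names an undefined VRF; the remaining findings (a VRF without rd or address family, an addressed interface left in the global table) are accepted by the device and only show up as unexpected reachability later.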

Displaying Multi-VRF CE Status


Table 18: Commands for Displaying Multi-VRF CE Information

Command Purpose

show ipv6 protocols vrf vrf-name Displays routing protocol information associated with a VRF.

show ipv6 route vrf vrf-name [connected] [protocol [as-number]] [list] [mobile] [odr] [profile] [static] [summary] [supernets-only] Displays IP routing table information associated with a VRF.

show ipv6 vrf [brief | detail | interfaces] [vrf-name] Displays information about the defined VRF instances.

Displaying IPv6
For complete syntax and usage information on these commands, see the Cisco IOS command reference
publications.

Table 19: Commands for Monitoring IPv6

Command Purpose

show ipv6 access-list Displays a summary of access lists.

show ipv6 cef Displays Cisco Express Forwarding for IPv6.

show ipv6 interface interface-id Displays IPv6 interface status and configuration.

show ipv6 mtu Displays IPv6 MTU per destination cache.

show ipv6 neighbors Displays IPv6 neighbor cache entries.

show ipv6 prefix-list Displays a list of IPv6 prefix lists.

show ipv6 protocols Displays a list of IPv6 routing protocols on the switch.

show ipv6 rip Displays IPv6 RIP routing protocol status.

show ipv6 route Displays IPv6 route table entries.

show ipv6 static Displays IPv6 static routes.

show ipv6 traffic Displays IPv6 traffic statistics.

Related Topics
Displaying IPv6: Example, on page 164

Configuring DHCP for IPv6 Address Assignment


This section describes only the DHCPv6 address assignment. For more information about configuring the
DHCPv6 client, server, or relay agent functions, see the “Implementing DHCP for IPv6” chapter in the Cisco
IOS IPv6 Configuration Library on Cisco.com.

Default DHCPv6 Address Assignment Configuration


By default, no DHCPv6 features are configured on the switch.

DHCPv6 Address Assignment Configuration Guidelines


When configuring DHCPv6 address assignment, consider these guidelines:
• IPv6 routing must be enabled on a Layer 3 interface before DHCPv6 is configured on it.
• In the procedures, the specified interface must be one of these Layer 3 interfaces:
  • SVI: a VLAN interface created by using the interface vlan vlan_id command.
  • EtherChannel port channel in Layer 3 mode: a port-channel logical interface created by using the interface port-channel port-channel-number command.
• The switch can act as a DHCPv6 client, server, or relay agent. The DHCPv6 client, server, and relay functions are mutually exclusive on an interface.


Enabling DHCPv6 Server Function (CLI)


Use the no form of the DHCP pool configuration mode commands to change the DHCPv6 pool characteristics.
To disable the DHCPv6 server function on an interface, use the no ipv6 dhcp server interface configuration
command.
Beginning in privileged EXEC mode, follow these steps to enable the DHCPv6 server function on an interface.

Procedure

Command or Action Purpose


Step 1 configure terminal Enters global configuration mode.
Example:

SwitchDevice# configure terminal

Step 2 ipv6 dhcp pool poolname Enters DHCP pool configuration mode, and defines the name for the IPv6
DHCP pool. The pool name can be a symbolic string (such as Engineering) or an integer (such as 0).
Example:

SwitchDevice(config)# ipv6 dhcp pool 7

Step 3 address prefix IPv6-prefix {lifetime} {t1 t1 | infinite} (Optional) Specifies an address prefix for
address assignment. This address must be in hexadecimal, using 16-bit values between colons.
lifetime t1 t1—Specifies a time interval (in seconds) that an IPv6 address prefix remains in the valid state.
The range is 5 to 4294967295 seconds. Specify infinite for no time interval.
Example:

SwitchDevice(config-dhcpv6)# address prefix 2001:1000::0/64 lifetime 3600

Step 4 link-address IPv6-prefix (Optional) Specifies a link-address IPv6 prefix. When an address on the
incoming interface or a link-address in the packet matches the specified IPv6 prefix, the server uses the
configuration information pool. This address must be in hexadecimal, using 16-bit values between colons.
Example:

SwitchDevice(config-dhcpv6)# link-address 2001:1002::0/64

Step 5 vendor-specific vendor-id (Optional) Enters vendor-specific configuration mode and specifies a
vendor-specific identification number. This number is the vendor IANA Private Enterprise Number. The range
is 1 to 4294967295.
Example:

SwitchDevice(config-dhcpv6)# vendor-specific 9

Step 6 suboption number {address IPv6-address | ascii ASCII-string | hex hex-string} (Optional) Enters a
vendor-specific suboption number. The range is 1 to 65535. Enter an IPv6 address, ASCII text, or a hex string
as defined by the suboption parameters.
Example:

SwitchDevice(config-dhcpv6-vs)# suboption 1 address 1000:235D::

Step 7 exit Returns to DHCP pool configuration mode.


Example:

SwitchDevice(config-dhcpv6-vs)# exit

Step 8 exit Returns to global configuration mode.


Example:

SwitchDevice(config-dhcpv6)# exit

Step 9 interface interface-id Enters interface configuration mode, and specifies the interface to configure.
Example:

SwitchDevice(config)# interface gigabitethernet 1/0/1

Step 10 ipv6 dhcp server [poolname | automatic] [rapid-commit] [preference value] [allow-hint] Enables the
DHCPv6 server function on an interface.
• poolname—(Optional) User-defined name for the IPv6 DHCP pool. The pool name can be a symbolic string
(such as Engineering) or an integer (such as 0).
• automatic—(Optional) Enables the system to automatically determine which pool to use when allocating
addresses for a client.
• rapid-commit—(Optional) Allows the two-message exchange method.
• preference value—(Optional) Configures the preference value carried in the preference option in the
advertise message sent by the server. The range is from 0 to 255. The preference value default is 0.
• allow-hint—(Optional) Specifies whether the server should consider client suggestions in the SOLICIT
message. By default, the server ignores client hints.
Example:

SwitchDevice(config-if)# ipv6 dhcp server automatic

Step 11 end Returns to privileged EXEC mode.


Example:

SwitchDevice(config)# end

Step 12 Do one of the following:
• show ipv6 dhcp pool: verifies the DHCPv6 pool configuration.
• show ipv6 dhcp interface: verifies that the DHCPv6 server function is enabled on an interface.
Example:

SwitchDevice# show ipv6 dhcp pool

or

SwitchDevice# show ipv6 dhcp interface

Step 13 copy running-config startup-config (Optional) Saves your entries in the configuration file.
Example:

SwitchDevice# copy running-config startup-config

Related Topics
Enabling DHCPv6 Server Function: Example, on page 162

Enabling DHCPv6 Client Function (CLI)


This task explains how to enable the DHCPv6 client on an interface.

Procedure

Command or Action Purpose


Step 1 configure terminal Enters global configuration mode.
Example:

SwitchDevice# configure terminal

Step 2 interface interface-id Enters interface configuration mode, and specifies the interface to configure.
Example:

SwitchDevice(config)# interface gigabitethernet 1/0/1

Step 3 ipv6 address dhcp [rapid-commit] Enables the interface to acquire an IPv6 address from the DHCPv6
server.
rapid-commit—(Optional) Allows the two-message exchange method for address assignment.
Example:

SwitchDevice(config-if)# ipv6 address dhcp rapid-commit

Step 4 ipv6 dhcp client request [vendor-specific] (Optional) Enables the interface to request the
vendor-specific option.
Example:

SwitchDevice(config-if)# ipv6 dhcp client request vendor-specific

Step 5 end Returns to privileged EXEC mode.


Example:

SwitchDevice(config)# end

Step 6 show ipv6 dhcp interface Verifies that the DHCPv6 client is enabled on an interface.
Example:

SwitchDevice# show ipv6 dhcp interface

Related Topics
Enabling DHCPv6 Client Function: Example, on page 163

Configuration Examples for IPv6 Unicast Routing


Configuring IPv6 Addressing and Enabling IPv6 Routing: Example
This example shows how to enable IPv6 with both a link-local address and a global address based on the IPv6
prefix 2001:0DB8:c18:1::/64. The EUI-64 interface ID is used in the low-order 64 bits of both addresses.
Output from the show ipv6 interface EXEC command is included to show how the interface ID
(20B:46FF:FE2F:D940) is appended to the link-local prefix FE80::/64 of the interface.

SwitchDevice(config)# ipv6 unicast-routing
SwitchDevice(config)# interface gigabitethernet1/0/11
SwitchDevice(config-if)# ipv6 address 2001:0DB8:c18:1::/64 eui-64
SwitchDevice(config-if)# end
SwitchDevice# show ipv6 interface gigabitethernet1/0/11
GigabitEthernet1/0/11 is up, line protocol is up
IPv6 is enabled, link-local address is FE80::20B:46FF:FE2F:D940
Global unicast address(es):
2001:0DB8:c18:1:20B:46FF:FE2F:D940, subnet is 2001:0DB8:c18:1::/64 [EUI]
Joined group address(es):
FF02::1
FF02::2
FF02::1:FF2F:D940
MTU is 1500 bytes
ICMP error messages limited to one every 100 milliseconds
ICMP redirects are enabled
ND DAD is enabled, number of DAD attempts: 1
ND reachable time is 30000 milliseconds
ND advertised reachable time is 0 milliseconds
ND advertised retransmit interval is 0 milliseconds
ND router advertisements are sent every 200 seconds
ND router advertisements live for 1800 seconds
Hosts use stateless autoconfig for addresses.
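How the EUI-64 interface ID, the two addresses and the solicited-node group in the output above are derived, as an added Python example that is not part of the Cisco guide; the MAC address 00:0B:46:2F:D9:40 is inferred from the interface ID shown and is a constructed input.

```python
"""Derive the modified EUI-64 interface ID, link-local address, global address
and solicited-node multicast group from a MAC address and an IPv6 /64 prefix,
which is what 'ipv6 address <prefix>/64 eui-64' does on the switch.

Added example, not from the Cisco guide. The MAC address used below is
inferred from the guide's output (constructed input).
"""
import ipaddress


def eui64_interface_id(mac: str) -> int:
    """Return the 64-bit modified EUI-64 interface ID for a 48-bit MAC.

    Accepts 00:0b:46:2f:d9:40, 00-0b-46-2f-d9-40 or Cisco's 000b.462f.d940.
    """
    octets = bytes.fromhex(mac.replace(":", "").replace("-", "").replace(".", ""))
    if len(octets) != 6:
        raise ValueError("MAC address must be 48 bits")
    # Insert FF:FE between the OUI and the device part and flip the
    # universal/local bit (bit 1 of the first octet): 00 -> 02.
    eui = bytes([octets[0] ^ 0x02]) + octets[1:3] + b"\xff\xfe" + octets[3:6]
    return int.from_bytes(eui, "big")


def address_from_prefix(prefix: str, mac: str) -> ipaddress.IPv6Address:
    """Place the EUI-64 interface ID in the low-order 64 bits of a /64 prefix."""
    net = ipaddress.IPv6Network(prefix, strict=False)
    if net.prefixlen != 64:
        raise ValueError("EUI-64 addressing needs a /64 prefix")
    return ipaddress.IPv6Address(int(net.network_address) | eui64_interface_id(mac))


def solicited_node_group(addr) -> ipaddress.IPv6Address:
    """FF02::1:FFXX:XXXX, built from the low-order 24 bits of the address.

    The switch joins this group for neighbor discovery and DAD; it is the
    FF02::1:FF2F:D940 entry in the guide's 'Joined group address(es)' output.
    """
    low24 = int(ipaddress.IPv6Address(addr)) & 0xFFFFFF
    base = int(ipaddress.IPv6Address("ff02::1:ff00:0"))
    return ipaddress.IPv6Address(base | low24)


def eui64_plan(prefix: str, mac: str) -> dict:
    """Everything the interface ends up with once 'eui-64' addressing is applied."""
    link_local = address_from_prefix("fe80::/64", mac)
    global_addr = address_from_prefix(prefix, mac)
    return {
        "interface_id": f"{eui64_interface_id(mac):016x}",
        "link_local": str(link_local),
        "global": str(global_addr),
        "solicited_node": str(solicited_node_group(global_addr)),
    }


if __name__ == "__main__":
    for key, value in eui64_plan("2001:0DB8:c18:1::/64", "00:0b:46:2f:d9:40").items():
        print(f"{key:15} {value}")
```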

Related Topics
Configuring IPv6 Addressing and Enabling IPv6 Routing (CLI), on page 118

Configuring Default Router Preference: Example


This example shows how to configure a DRP of high for the router on an interface.

SwitchDevice# configure terminal
SwitchDevice(config)# interface gigabitethernet1/0/1
SwitchDevice(config-if)# ipv6 nd router-preference high
SwitchDevice(config-if)# end

Related Topics
Configuring Default Router Preference (CLI), on page 131

Enabling an HSRP Group for IPv6: Example


This example shows how to activate HSRP for IPv6 for group 1 on a port. The IP address used by the hot
standby group is learned by using HSRP for IPv6.

Note This procedure is the minimum number of steps required to enable HSRP for IPv6. Other configurations are
optional.

SwitchDevice# configure terminal
SwitchDevice(config)# interface gigabitethernet1/0/1
SwitchDevice(config-if)# no switchport
SwitchDevice(config-if)# standby 1 ipv6 autoconfig
SwitchDevice(config-if)# end
SwitchDevice# show standby

Related Topics
Enabling an HSRP Group for IPv6, on page 143

Enabling DHCPv6 Server Function: Example


This example shows how to configure a pool called engineering with an IPv6 address prefix:

SwitchDevice# configure terminal
SwitchDevice(config)# ipv6 dhcp pool engineering
SwitchDevice(config-dhcpv6)# address prefix 2001:1000::0/64
SwitchDevice(config-dhcpv6)# end


This example shows how to configure a pool called testgroup with three link-addresses and an IPv6 address
prefix:

SwitchDevice# configure terminal
SwitchDevice(config)# ipv6 dhcp pool testgroup
SwitchDevice(config-dhcpv6)# link-address 2001:1001::0/64
SwitchDevice(config-dhcpv6)# link-address 2001:1002::0/64
SwitchDevice(config-dhcpv6)# link-address 2001:2000::0/48
SwitchDevice(config-dhcpv6)# address prefix 2001:1003::0/64
SwitchDevice(config-dhcpv6)# end

This example shows how to configure a pool called 350 with vendor-specific options:

SwitchDevice# configure terminal
SwitchDevice(config)# ipv6 dhcp pool 350
SwitchDevice(config-dhcpv6)# address prefix 2001:1005::0/48
SwitchDevice(config-dhcpv6)# vendor-specific 9
SwitchDevice(config-dhcpv6-vs)# suboption 1 address 1000:235D::1
SwitchDevice(config-dhcpv6-vs)# suboption 2 ascii "IP-Phone"
SwitchDevice(config-dhcpv6-vs)# end
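A configuration audit for the rules the DHCPv6 guidelines and the server procedure state (a pool named by ipv6 dhcp server must exist, the client, server and relay roles are mutually exclusive on an interface, prefixes are hexadecimal 16-bit groups between colons, and the lifetime, vendor ID, suboption and preference ranges must hold), written as an added Python example that is not part of the Cisco guide; the running-config text is constructed and deliberately breaks several of the rules.

```python
"""Audit DHCPv6 pool and interface settings in an IOS running-config against
the guide's rules. Added example, not from the Cisco guide; SAMPLE_CONFIG is
constructed text, not output from a real switch.
"""
import ipaddress
import re

SAMPLE_CONFIG = """\
ipv6 dhcp pool engineering
 address prefix 2001:1000::0/64 lifetime 3600
 link-address 2001:1002::0/64
!
ipv6 dhcp pool 350
 address prefix 2001:1005::0/48 lifetime 3
 vendor-specific 9
  suboption 1 address 1000:235D::1
  suboption 70000 ascii "IP-Phone"
!
interface GigabitEthernet1/0/1
 ipv6 dhcp server engineering rapid-commit preference 300
 ipv6 address dhcp rapid-commit
!
interface GigabitEthernet1/0/2
 ipv6 dhcp server automatic allow-hint
!
interface GigabitEthernet1/0/3
 ipv6 dhcp server testgroup
"""

# Numeric ranges as stated in the procedure table.
RANGES = {"lifetime": (5, 4294967295), "vendor ID": (1, 4294967295),
          "suboption": (1, 65535), "preference": (0, 255)}
# Keywords that may follow 'ipv6 dhcp server' when no pool name is given.
SERVER_KEYWORDS = {"automatic", "rapid-commit", "preference", "allow-hint"}


def _check_range(findings, where, what, value):
    lo, hi = RANGES[what]
    if not (value.isdigit() and lo <= int(value) <= hi):
        findings.append(f"{where}: {what} {value} outside {lo}-{hi}")


def _valid_prefix(text):
    try:
        ipaddress.IPv6Network(text, strict=False)  # hex 16-bit groups between colons
        return True
    except ValueError:
        return False


def audit_dhcpv6(config):
    """Return a list of finding strings; an empty list means the config passes."""
    findings, pools, refs, roles, context = [], set(), [], {}, None
    for raw in config.splitlines():
        line = raw.strip()
        if m := re.match(r"ipv6 dhcp pool (\S+)$", line):
            context = ("pool", m.group(1))
            pools.add(m.group(1))
        elif m := re.match(r"interface (\S+)$", line):
            context = ("interface", m.group(1))
            roles[m.group(1)] = set()
        elif context is None or line in ("", "!"):
            continue
        elif context[0] == "pool":
            where = f"pool {context[1]}"
            if m := re.match(r"(?:address prefix|link-address) (\S+)(?: lifetime (\S+))?", line):
                if not _valid_prefix(m.group(1)):
                    findings.append(f"{where}: '{m.group(1)}' is not a valid IPv6 prefix")
                if m.group(2) and m.group(2) != "infinite":
                    _check_range(findings, where, "lifetime", m.group(2))
            elif m := re.match(r"vendor-specific (\S+)", line):
                _check_range(findings, where, "vendor ID", m.group(1))
            elif m := re.match(r"suboption (\S+) ", line):
                _check_range(findings, where, "suboption", m.group(1))
        else:
            ifname, tokens = context[1], line.split()
            if tokens[:3] == ["ipv6", "dhcp", "server"]:
                roles[ifname].add("server")
                args = tokens[3:]
                if args and args[0] not in SERVER_KEYWORDS:
                    refs.append((ifname, args[0]))  # explicit pool name, checked below
                if "preference" in args:
                    idx = args.index("preference")
                    value = args[idx + 1] if idx + 1 < len(args) else ""
                    _check_range(findings, f"interface {ifname}", "preference", value)
            elif tokens[:3] == ["ipv6", "address", "dhcp"]:
                roles[ifname].add("client")
            elif tokens[:3] == ["ipv6", "dhcp", "relay"]:
                roles[ifname].add("relay")
    for ifname, pool in refs:
        if pool not in pools:
            findings.append(f"interface {ifname}: references undefined pool '{pool}'")
    for ifname, seen in roles.items():
        if len(seen) > 1:
            findings.append(f"interface {ifname}: DHCPv6 roles {sorted(seen)} are mutually exclusive")
    return findings


if __name__ == "__main__":
    for finding in audit_dhcpv6(SAMPLE_CONFIG):
        print(finding)
```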

Related Topics
Enabling DHCPv6 Server Function (CLI), on page 158

Enabling DHCPv6 Client Function: Example


This example shows how to acquire an IPv6 address and to enable the rapid-commit option:

SwitchDevice(config)# interface gigabitethernet2/0/1
SwitchDevice(config-if)# ipv6 address dhcp rapid-commit

Related Topics
Enabling DHCPv6 Client Function (CLI), on page 160

Configuring IPv6 ICMP Rate Limiting: Example


This example shows how to configure an IPv6 ICMP error message interval of 50 milliseconds and a bucket
size of 20 tokens.

SwitchDevice(config)# ipv6 icmp error-interval 50 20

Related Topics
Configuring IPv6 ICMP Rate Limiting (CLI), on page 132

Configuring Static Routing for IPv6: Example


This example shows how to configure a floating static route to an interface with an administrative distance
of 130:


SwitchDevice(config)# ipv6 route 2001:0DB8::/32 gigabitethernet2/0/1 130

Related Topics
Configuring Static Routing for IPv6 (CLI), on page 133

Configuring RIP for IPv6: Example


This example shows how to enable the RIP routing process cisco with a maximum of eight equal-cost routes
and to enable it on an interface:

SwitchDevice(config)# ipv6 router rip cisco
SwitchDevice(config-router)# maximum-paths 8
SwitchDevice(config-router)# exit
SwitchDevice(config)# interface gigabitethernet2/0/11
SwitchDevice(config-if)# ipv6 rip cisco enable

Related Topics
Configuring RIP for IPv6 (CLI), on page 135

Displaying IPv6: Example


This is an example of the output from the show ipv6 interface privileged EXEC command:

SwitchDevice# show ipv6 interface
Vlan1 is up, line protocol is up
IPv6 is enabled, link-local address is FE80::20B:46FF:FE2F:D940
Global unicast address(es):
3FFE:C000:0:1:20B:46FF:FE2F:D940, subnet is 3FFE:C000:0:1::/64 [EUI]
Joined group address(es):
FF02::1
FF02::2
FF02::1:FF2F:D940
MTU is 1500 bytes
ICMP error messages limited to one every 100 milliseconds
ICMP redirects are enabled
ND DAD is enabled, number of DAD attempts: 1
ND reachable time is 30000 milliseconds
ND advertised reachable time is 0 milliseconds
ND advertised retransmit interval is 0 milliseconds
ND router advertisements are sent every 200 seconds
ND router advertisements live for 1800 seconds
<output truncated>

Related Topics
Displaying IPv6, on page 156

CHAPTER 12
Implementing IPv6 Multicast
• Finding Feature Information, on page 165
• Information About Implementing IPv6 Multicast Routing, on page 165
• Implementing IPv6 Multicast, on page 175

Finding Feature Information


Your software release may not support all the features documented in this module. For the latest caveats and
feature information, see Bug Search Tool and the release notes for your platform and software release. To
find information about the features documented in this module, and to see a list of the releases in which each
feature is supported, see the feature information table at the end of this module.
Use Cisco Feature Navigator to find information about platform support and Cisco software image support.
To access Cisco Feature Navigator, go to http://www.cisco.com/go/cfn. An account on Cisco.com is not
required.

Information About Implementing IPv6 Multicast Routing


This chapter describes how to implement IPv6 multicast routing on the switch.
Traditional IP communication allows a host to send packets to a single host (unicast transmission) or to all
hosts (broadcast transmission). IPv6 multicast provides a third scheme, allowing a host to send a single data
stream to a subset of all hosts (group transmission) simultaneously.

Note IPv6 Multicast Routing is supported only on Cisco Catalyst 3560-CX switches.

IPv6 Multicast Overview


An IPv6 multicast group is an arbitrary group of receivers that want to receive a particular data stream. This
group has no physical or geographical boundaries; receivers can be located anywhere on the Internet or in
any private network. Receivers that are interested in receiving data flowing to a particular group must join
the group by signaling their local switch. This signaling is achieved with the MLD protocol.


Switches use the MLD protocol to learn whether members of a group are present on their directly attached
subnets. Hosts join multicast groups by sending MLD report messages. The network then delivers data to a
potentially unlimited number of receivers, using only one copy of the multicast data on each subnet. IPv6
hosts that wish to receive the traffic are known as group members.
Packets delivered to group members are identified by a single multicast group address. Multicast packets are
delivered to a group using best-effort reliability, just like IPv6 unicast packets.
The multicast environment consists of senders and receivers. Any host, regardless of whether it is a member
of a group, can send to a group. However, only members of a group can listen to and receive the message.
A multicast address is chosen for the receivers in a multicast group. Senders use that address as the destination
address of a datagram to reach all members of the group.
Membership in a multicast group is dynamic; hosts can join and leave at any time. There is no restriction on
the location or number of members in a multicast group. A host can be a member of more than one multicast
group at a time.
How active a multicast group is, its duration, and its membership can vary from group to group and from time
to time. A group that has members may have no activity.

IPv6 Multicast Routing Implementation


The Cisco IOS software supports the following protocols to implement IPv6 multicast routing:
• MLD is used by IPv6 switches to discover multicast listeners (nodes that want to receive multicast packets
destined for specific multicast addresses) on directly attached links. There are two versions of MLD:
MLD version 1 is based on version 2 of the Internet Group Management Protocol (IGMP) for IPv4, and
MLD version 2 is based on version 3 of the IGMP for IPv4. IPv6 multicast for Cisco IOS software uses
both MLD version 2 and MLD version 1. MLD version 2 is fully backward-compatible with MLD version
1 (described in RFC 2710). Hosts that support only MLD version 1 will interoperate with a switch running
MLD version 2. Mixed LANs with both MLD version 1 and MLD version 2 hosts are likewise supported.
• PIM-SM is used between switches so that they can track which multicast packets to forward to each
other and to their directly connected LANs.
• PIM in Source Specific Multicast (PIM-SSM) is similar to PIM-SM with the additional ability to report
interest in receiving packets from specific source addresses (or from all but the specific source addresses)
to an IP multicast address.

MLD Access Group


The MLD access group provides receiver access control in Cisco IOS IPv6 multicast switches. This feature
limits the list of groups a receiver can join, and it allows or denies sources used to join SSM channels.

Explicit Tracking of Receivers


The explicit tracking feature allows a switch to track the behavior of the hosts within its IPv6 network. This
feature also enables the fast leave mechanism to be used with MLD version 2 host reports.

IPv6 Multicast User Authentication and Profile Support


IPv6 multicast by design allows any host in the network to become a receiver or a source for a multicast group.
Therefore, multicast access control is needed to control multicast traffic in the network. Access control


functionality consists mainly of source access control and accounting, receiver access control and accounting,
and provisioning of this access control mechanism.
Multicast access control provides an interface between multicast and authentication, authorization, and
accounting (AAA) for provisioning, authorizing, and accounting at the last-hop switch, receiver access control
functions in multicast, and group or channel disabling capability in multicast.
When you deploy a new multicast service environment, it is necessary to add user authentication and provide
a user profile download on a per-interface basis. The use of AAA and IPv6 multicast supports user authentication
and downloading of the user profile in a multicast environment.
The event that triggers the download of a multicast access-control profile from the RADIUS server to the
access switch is arrival of an MLD join on the access switch. When this event occurs, a user can cause the
authorization cache to time out and request download periodically or use an appropriate multicast clear
command to trigger a new download in case of profile changes.
Accounting occurs via RADIUS accounting. Start and stop accounting records are sent to the RADIUS server
from the access switch. In order for you to track resource consumption on a per-stream basis, these accounting
records provide information about the multicast source and group. The start record is sent when the last-hop
switch receives a new MLD report, and the stop record is sent upon MLD leave or if the group or channel is
deleted for any reason.

IPv6 MLD Proxy


The MLD proxy feature provides a mechanism for a switch to generate MLD membership reports for all (*,
G)/(S, G) entries or a user-defined subset of these entries on the switch's upstream interface. The MLD proxy
feature enables a device to learn proxy group membership information, and forward multicast packets based
upon that information.
If a switch is acting as the RP for mroute proxy entries, MLD membership reports for these entries can be
generated on a user-specified proxy interface.

Protocol Independent Multicast


Protocol Independent Multicast (PIM) is used between switches so that they can track which multicast packets
to forward to each other and to their directly connected LANs. PIM works independently of the unicast routing
protocol and does not send or receive multicast routing updates the way other routing protocols do. Regardless of which unicast
routing protocols are being used in the LAN to populate the unicast routing table, Cisco IOS PIM uses the
existing unicast table content to perform the Reverse Path Forwarding (RPF) check instead of building and
maintaining its own separate routing table.
You can configure IPv6 multicast to use either PIM-SM or PIM-SSM operation, or you can use both PIM-SM
and PIM-SSM together in your network.

PIM-Sparse Mode
IPv6 multicast provides support for intradomain multicast routing using PIM-SM. PIM-SM uses unicast
routing to provide reverse-path information for multicast tree building, but it is not dependent on any particular
unicast routing protocol.
PIM-SM is used in a multicast network when relatively few switches are involved in each multicast and these
switches do not forward multicast packets for a group, unless there is an explicit request for the traffic. PIM-SM
distributes information about active sources by forwarding data packets on the shared tree. PIM-SM initially
uses shared trees, which requires the use of an RP.


Requests are accomplished via PIM joins, which are sent hop by hop toward the root node of the tree. The
root node of a tree in PIM-SM is the RP in the case of a shared tree or the first-hop switch that is directly
connected to the multicast source in the case of a shortest path tree (SPT). The RP keeps track of multicast
groups and the hosts that send multicast packets are registered with the RP by that host's first-hop switch.
As a PIM join travels up the tree, switches along the path set up multicast forwarding state so that the requested
multicast traffic will be forwarded back down the tree. When multicast traffic is no longer needed, a switch
sends a PIM prune up the tree toward the root node to prune (or remove) the unnecessary traffic. As this PIM
prune travels hop by hop up the tree, each switch updates its forwarding state appropriately. Ultimately, the
forwarding state associated with a multicast group or source is removed.
A multicast data sender sends data destined for a multicast group. The designated switch (DR) of the sender
takes those data packets, unicast-encapsulates them, and sends them directly to the RP. The RP receives these
encapsulated data packets, de-encapsulates them, and forwards them onto the shared tree. The packets then
follow the (*, G) multicast tree state in the switches on the RP tree, being replicated wherever the RP tree
branches, and eventually reaching all the receivers for that multicast group. The process of encapsulating data
packets to the RP is called registering, and the encapsulation packets are called PIM register packets.

Designated Switch
Cisco switches use PIM-SM to forward multicast traffic and follow an election process to select a designated
switch when there is more than one switch on a LAN segment.
The designated switch is responsible for sending PIM register and PIM join and prune messages toward the
RP to inform it about active sources and host group membership.
If there are multiple PIM-SM switches on a LAN, a designated switch must be elected to avoid duplicating
multicast traffic for connected hosts. The PIM switch with the highest IPv6 address becomes the DR for the
LAN unless you choose to force the DR election by use of the ipv6 pim dr-priority command. This command
allows you to specify the DR priority of each switch on the LAN segment (default priority = 1) so that the
switch with the highest priority will be elected as the DR. If all switches on the LAN segment have the same
priority, then the highest IPv6 address is again used as the tiebreaker.
If the DR should fail, PIM-SM provides a way to detect the failure of Switch A and elect a failover DR.
If the DR (Switch A) became inoperable, Switch B would detect this situation when its neighbor adjacency
with Switch A timed out. Because Switch B has been hearing MLD membership reports from Host A, it
already has MLD state for Group A on this interface and would immediately send a join to the RP when it
became the new DR. This step reestablishes traffic flow down a new branch of the shared tree via Switch B.
Additionally, if Host A were sourcing traffic, Switch B would initiate a new register process immediately
after receiving the next multicast packet from Host A. This action would trigger the RP to join the SPT to
Host A via a new branch through Switch B.

Note • Two PIM switches are neighbors if there is a direct connection between them. To display your PIM
neighbors, use the show ipv6 pim neighbor privileged EXEC command.
• The DR election process is required only on multiaccess LANs.

Rendezvous Point
IPv6 PIM provides embedded RP support. Embedded RP support allows the switch to learn RP information
using the multicast group destination address instead of the statically configured RP. For switches that are
the RP, the switch must be statically configured as the RP.


The switch searches for embedded RP group addresses in MLD reports or PIM messages and data packets.
On finding such an address, the switch learns the RP for the group from the address itself. It then uses this
learned RP for all protocol activity for the group. For switches that are the RP, the switch that is advertised
as an embedded RP must be configured as the RP.
To select a static RP over an embedded RP, the specific embedded RP group range or mask must be configured
in the access list of the static RP. When PIM is configured in sparse mode, you must also choose one or more
switches to operate as an RP. An RP is a single common root placed at a chosen point of a shared distribution
tree and is configured statically in each box.
PIM DRs forward data from directly connected multicast sources to the RP for distribution down the shared
tree. Data is forwarded to the RP in one of two ways:
• Data is encapsulated in register packets and unicast directly to the RP by the first-hop switch operating
as the DR.
• If the RP has itself joined the source tree, it is multicast-forwarded per the RPF forwarding algorithm
described in the PIM-Sparse Mode section.

The RP address is used by first-hop switches to send PIM register messages on behalf of a host sending a
packet to the group. The RP address is also used by last-hop switches to send PIM join and prune messages
to the RP to inform it about group membership. You must configure the RP address on all switches (including
the RP switch).
A PIM switch can be an RP for more than one group. Only one RP address can be used at a time within a
PIM domain for a certain group. The conditions specified by the access list determine for which groups the
switch is an RP.
IPv6 multicast supports the PIM accept register feature, which is the ability to perform PIM-SM register
message filtering at the RP. The user can match an access list or compare the AS path for the registered source
with the AS path specified in a route map.

PIMv6 Anycast RP Solution Overview


The anycast RP solution in IPv6 PIM allows an IPv6 network to support anycast services for the PIM-SM
RP. It allows anycast RP to be used inside a domain that runs PIM only. This feature is useful when interdomain
connection is not required. Anycast RP can be used in IPv4 as well as IPv6, but it does not depend on the
Multicast Source Discovery Protocol (MSDP), which runs only on IPv4.
Anycast RP is a mechanism that ISP-based backbones use to get fast convergence when a PIM RP device
fails. To allow receivers and sources to rendezvous to the closest RP, the packets from a source need to get
to all RPs to find joined receivers.
A unicast IP address is chosen as the RP address. This address is either statically configured or distributed
using a dynamic protocol to all PIM devices throughout the domain. A set of devices in the domain is chosen
to act as RPs for this RP address; these devices are called the anycast RP set. Each device in the anycast RP
set is configured with a loopback interface using the RP address. Each device in the anycast RP set also needs
a separate physical IP address to be used for communication between the RPs.
The RP address, or a prefix that covers the RP address, is injected into the unicast routing system inside of
the domain. Each device in the anycast RP set is configured with the addresses of all other devices in the
anycast RP set, and this configuration must be consistent in all RPs in the set.


IPv6 BSR: Configure RP Mapping


PIM switches in a domain must be able to map each multicast group to the correct RP address. The BSR
protocol for PIM-SM provides a dynamic, adaptive mechanism to distribute group-to-RP mapping information
rapidly throughout a domain. With the IPv6 BSR feature, if an RP becomes unreachable, it will be detected
and the mapping tables will be modified so that the unreachable RP is no longer used, and the new tables will
be rapidly distributed throughout the domain.
Every PIM-SM multicast group needs to be associated with the IP or IPv6 address of an RP. When a new
multicast sender starts sending, its local DR will encapsulate these data packets in a PIM register message
and send them to the RP for that multicast group. When a new multicast receiver joins, its local DR will send
a PIM join message to the RP for that multicast group. When any PIM switch sends a (*, G) join message,
the PIM switch needs to know which is the next switch toward the RP so that G (Group) can send a message
to that switch. Also, when a PIM switch is forwarding data packets using (*, G) state, the PIM switch needs
to know which is the correct incoming interface for packets destined for G, because it needs to reject any
packets that arrive on other interfaces.
A small set of switches from a domain are configured as candidate bootstrap switches (C-BSRs) and a single
BSR is selected for that domain. A set of switches within a domain are also configured as candidate RPs
(C-RPs); typically, these switches are the same switches that are configured as C-BSRs. Candidate RPs
periodically unicast candidate-RP-advertisement (C-RP-Adv) messages to the BSR of that domain, advertising
their willingness to be an RP. A C-RP-Adv message includes the address of the advertising C-RP, and an
optional list of group addresses and mask length fields, indicating the group prefixes for which the candidacy
is advertised. The BSR then includes a set of these C-RPs, along with their corresponding group prefixes, in
bootstrap messages (BSMs) it periodically originates. BSMs are distributed hop-by-hop throughout the domain.
Bidirectional BSR support allows bidirectional RPs to be advertised in C-RP messages and bidirectional
ranges in the BSM. All switches in a system must be able to use the bidirectional range in the BSM; otherwise,
the bidirectional RP feature will not function.

PIM-Source Specific Multicast


PIM-SSM is the routing protocol that supports the implementation of SSM and is derived from PIM-SM.
However, unlike PIM-SM where data from all multicast sources are sent when there is a PIM join, the SSM
feature forwards datagram traffic to receivers from only those multicast sources that the receivers have explicitly
joined, thus optimizing bandwidth utilization and denying unwanted Internet broadcast traffic. Further, instead
of the use of RP and shared trees, SSM uses information found on source addresses for a multicast group.
This information is provided by receivers through the source addresses relayed to the last-hop switches by
MLD membership reports, resulting in shortest-path trees directly to the sources.
In SSM, delivery of datagrams is based on (S, G) channels. Traffic for one (S, G) channel consists of datagrams
with an IPv6 unicast source address S and the multicast group address G as the IPv6 destination address.
Systems will receive this traffic by becoming members of the (S, G) channel. Signaling is not required, but
receivers must subscribe or unsubscribe to (S, G) channels to receive or not receive traffic from specific
sources.
MLD version 2 is required for SSM to operate. MLD allows the host to provide source information. Before
SSM can run with MLD, SSM must be supported in the Cisco IOS IPv6 switch, the host where the application
is running, and the application itself.

SSM Mapping for IPv6


SSM mapping for IPv6 supports both static and dynamic Domain Name System (DNS) mapping for MLD
version 1 receivers. This feature allows deployment of IPv6 SSM with hosts that are incapable of providing
MLD version 2 support in their TCP/IP host stack and their IP multicast receiving application.


SSM mapping allows the switch to look up the source of a multicast MLD version 1 report either in the running
configuration of the switch or from a DNS server. The switch can then initiate an (S, G) join toward the source.

PIM Shared Tree and Source Tree (Shortest-Path Tree)


By default, members of a group receive data from senders to the group across a single data distribution tree
rooted at the RP. This type of distribution tree is called shared tree or rendezvous point tree (RPT), as illustrated
in the figure below. Data from senders is delivered to the RP for distribution to group members joined to the
shared tree.
If the data threshold warrants, leaf switches on the shared tree may initiate a switch to the data distribution
tree rooted at the source. This type of distribution tree is called a shortest path tree or source tree. By default,
the Cisco IOS software switches to a source tree upon receiving the first data packet from a source.
The following process details the move from shared tree to source tree:
1. Receiver joins a group; leaf Switch C sends a join message toward the RP.
2. RP puts the link to Switch C in its outgoing interface list.
3. Source sends the data; Switch A encapsulates the data in the register and sends it to the RP.
4. RP forwards the data down the shared tree to Switch C and sends a join message toward the source. At
this point, data may arrive twice at Switch C, once encapsulated and once natively.
5. When data arrives natively (unencapsulated) at the RP, the RP sends a register-stop message to Switch A.
6. By default, receipt of the first data packet prompts Switch C to send a join message toward the source.
7. When Switch C receives data on (S, G), it sends a prune message for the source up the shared tree.
8. RP deletes the link to Switch C from the outgoing interface of (S, G).
9. RP triggers a prune message toward the source.

Join and prune messages are sent for sources and RPs. They are sent hop-by-hop and are processed by each
PIM switch along the path to the source or RP. Register and register-stop messages are not sent hop-by-hop.
They are sent by the designated switch that is directly connected to a source and are received by the RP for
the group.

Reverse Path Forwarding


Reverse-path forwarding is used for forwarding multicast datagrams. It functions as follows:
• If a switch receives a datagram on an interface it uses to send unicast packets to the source, the packet
has arrived on the RPF interface.
• If the packet arrives on the RPF interface, a switch forwards the packet out the interfaces present in the
outgoing interface list of a multicast routing table entry.
• If the packet does not arrive on the RPF interface, the packet is silently discarded to prevent loops.

PIM uses both source trees and RP-rooted shared trees to forward datagrams; the RPF check is performed
differently for each, as follows:
• If a PIM switch has source-tree state (that is, an (S, G) entry is present in the multicast routing table),
the switch performs the RPF check against the IPv6 address of the source of the multicast packet.


• If a PIM switch has shared-tree state (and no explicit source-tree state), it performs the RPF check on
the RP's address (which is known when members join the group).

Sparse-mode PIM uses the RPF lookup function to determine where it needs to send joins and prunes. (S, G)
joins (which are source-tree states) are sent toward the source. (*, G) joins (which are shared-tree states) are
sent toward the RP.

Routable Address Hello Option


When an IPv6 interior gateway protocol is used to build the unicast routing table, the procedure to detect the
upstream switch address assumes that the address of a PIM neighbor is always the same as the address of the
next-hop switch, as long as they refer to the same switch. However, this may not be the case when a switch has
multiple addresses on a link.
Two typical cases lead to this situation in IPv6. The first occurs when the unicast routing table is not built
by an IPv6 interior gateway protocol but by another protocol, such as multicast BGP. The second occurs when
the address of an RP shares a subnet prefix with downstream switches (note that the RP switch address has to
be domain-wide and therefore cannot be a link-local address).
The routable address hello option allows the PIM protocol to avoid such situations by adding a PIM hello
message option that includes all the addresses on the interface on which the PIM hello message is advertised.
When a PIM switch finds an upstream switch for some address, the result of RPF calculation is compared
with the addresses in this option, in addition to the PIM neighbor's address itself. Because this option includes
all the possible addresses of a PIM switch on that link, it always includes the RPF calculation result if it refers
to the PIM switch supporting this option.
Because of size restrictions on PIM messages and the requirement that a routable address hello option fits
within a single PIM hello message, a limit of 16 addresses can be configured on the interface.
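The RPF check described under Reverse Path Forwarding, together with the upstream-neighbor matching that the routable address hello option adds, can be written out as a small model. The following is an added example, not Cisco IOS code; the class and function names are hypothetical, and the routing table, PIM neighbors and mroute entries are constructed for the example. It shows the two RPF cases ((S, G) state checks against the source, (*, G) state against the RP), the silent discard of a packet that arrives on a non-RPF interface, and why a join toward an RP that shares the local subnet prefix can only be matched to a neighbor when that neighbor advertises its routable addresses in its hellos.

```python
"""Simplified IPv6 PIM RPF check plus upstream-neighbor resolution with the
routable address hello option.

Added example, not Cisco IOS code. The class and function names are
hypothetical; the routing table, PIM neighbors and mroute entries below are
constructed for the example.
"""
import ipaddress
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

IPv6 = ipaddress.IPv6Address
Net6 = ipaddress.IPv6Network

# Size limit stated for the routable address hello option: at most 16
# addresses fit in one PIM hello message.
MAX_HELLO_ADDRESSES = 16


@dataclass
class UnicastRoute:
    prefix: Net6
    next_hop: IPv6
    interface: str


@dataclass
class PimNeighbor:
    primary: IPv6                             # source address of the neighbor's PIM hellos
    interface: str
    hello_addresses: Tuple[IPv6, ...] = ()    # routable address hello option, if sent

    def __post_init__(self):
        if len(self.hello_addresses) > MAX_HELLO_ADDRESSES:
            raise ValueError("routable address hello option carries at most 16 addresses")


@dataclass
class Mroute:
    group: IPv6
    rp: IPv6
    source: Optional[IPv6] = None             # None means (*, G) shared-tree state
    oil: List[str] = field(default_factory=list)   # outgoing interface list


def longest_match(routes: List[UnicastRoute], address: IPv6) -> Optional[UnicastRoute]:
    """Unicast routing table lookup: the longest matching prefix wins."""
    best = None
    for route in routes:
        if address in route.prefix and (best is None or route.prefix.prefixlen > best.prefix.prefixlen):
            best = route
    return best


def rpf_route(routes: List[UnicastRoute], entry: Mroute) -> Optional[UnicastRoute]:
    """(S, G) state checks against the source; (*, G) state checks against the RP."""
    target = entry.source if entry.source is not None else entry.rp
    return longest_match(routes, target)


def forward(routes: List[UnicastRoute], entry: Mroute, arrival_interface: str) -> List[str]:
    """RPF check for a packet that arrived on arrival_interface: forward out the
    OIL if it came in on the RPF interface, otherwise drop it (empty list)."""
    route = rpf_route(routes, entry)
    if route is None or route.interface != arrival_interface:
        return []                             # silently discarded to prevent loops
    return list(entry.oil)


def upstream_neighbor(routes: List[UnicastRoute], entry: Mroute,
                      neighbors: List[PimNeighbor]) -> Optional[PimNeighbor]:
    """Find the PIM neighbor a join or prune must be sent to. The RPF next hop is
    compared with the neighbor's hello source address and, when present, with
    every address carried in its routable address hello option."""
    route = rpf_route(routes, entry)
    if route is None:
        return None
    for n in neighbors:
        if n.interface == route.interface and (
            route.next_hop == n.primary or route.next_hop in n.hello_addresses
        ):
            return n
    return None


# Constructed topology: the RP shares the 2001:db8:ff::/64 subnet with this
# switch, so the unicast next hop toward it is the RP's global address, while
# the RP's PIM hellos are sourced from its link-local address.
ROUTES = [
    UnicastRoute(Net6("2001:db8:10::/48"), IPv6("fe80::a"), "Gi1/0/1"),
    UnicastRoute(Net6("2001:db8:ff::/64"), IPv6("2001:db8:ff::1"), "Gi1/0/2"),
    UnicastRoute(Net6("::/0"), IPv6("fe80::b"), "Gi1/0/3"),
]
RP = IPv6("2001:db8:ff::1")
NEIGHBORS_WITH_OPTION = [
    PimNeighbor(IPv6("fe80::a"), "Gi1/0/1"),
    PimNeighbor(IPv6("fe80::c"), "Gi1/0/2", (IPv6("2001:db8:ff::1"),)),
]
NEIGHBORS_WITHOUT_OPTION = [
    PimNeighbor(IPv6("fe80::a"), "Gi1/0/1"),
    PimNeighbor(IPv6("fe80::c"), "Gi1/0/2"),
]
SG = Mroute(IPv6("ff3e::8000:1"), RP, IPv6("2001:db8:10::5"), ["Gi1/0/4"])
STAR_G = Mroute(IPv6("ff3e::8000:1"), RP, None, ["Gi1/0/4", "Gi1/0/5"])

if __name__ == "__main__":
    print("(S,G) via RPF interface:", forward(ROUTES, SG, "Gi1/0/1"))
    print("(S,G) via wrong interface:", forward(ROUTES, SG, "Gi1/0/2"))
    print("upstream for (*,G) with option:", upstream_neighbor(ROUTES, STAR_G, NEIGHBORS_WITH_OPTION))
    print("upstream for (*,G) without option:", upstream_neighbor(ROUTES, STAR_G, NEIGHBORS_WITHOUT_OPTION))
```

Without the hello option the (*, G) join has no neighbor to go to, because the RPF next hop (the RP's global address) never appears as a hello source; with the option, the neighbor on Gi1/0/2 is matched through its advertised address list.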

Bidirectional PIM
Bidirectional PIM allows multicast switches to keep reduced state information, as compared with unidirectional
shared trees in PIM-SM. Bidirectional shared trees convey data from sources to the rendezvous point address
(RPA) and distribute them from the RPA to the receivers. Unlike PIM-SM, bidirectional PIM does not switch
over to the source tree, and there is no register encapsulation of data from the source to the RP.
A single designated forwarder (DF) exists for each RPA on every link within a bidirectional PIM domain
(including multiaccess and point-to-point links). The only exception is the rendezvous point link (RPL), on
which no DF exists. The DF is the switch on the link with the best route to the RPA, which is determined by
comparing MRIB-provided metrics. A DF for a given RPA forwards downstream traffic onto its link and forwards
upstream traffic from its link toward the RPL. The DF performs this function for all bidirectional groups
that map to the RPA. The DF on a link is also responsible for processing Join messages from downstream
switches on the link as well as ensuring that packets are forwarded to local receivers discovered through a
local membership mechanism such as MLD.
Bidirectional PIM offers advantages when there are many moderate or low-rate sources. However, the
bidirectional shared trees may have worse delay characteristics than do the source trees built in PIM-SM
(depending on the topology).
Only static configuration of bidirectional RPs is supported in IPv6.


Static Mroutes
IPv6 static mroutes behave much in the same way as IPv4 static mroutes used to influence the RPF check.
IPv6 static mroutes share the same database as IPv6 static routes and are implemented by extending static
route support for RPF checks. Static mroutes support equal-cost multipath mroutes, and they also support
unicast-only static routes.

MRIB
The Multicast Routing Information Base (MRIB) is a protocol-independent repository of multicast routing
entries instantiated by multicast routing protocols (routing clients). Its main function is to provide independence
between routing protocols and the Multicast Forwarding Information Base (MFIB). It also acts as a coordination
and communication point among its clients.
Routing clients use the services provided by the MRIB to instantiate routing entries and retrieve changes made
to routing entries by other clients. Besides routing clients, MRIB also has forwarding clients (MFIB instances)
and special clients such as MLD. MFIB retrieves its forwarding entries from MRIB and notifies the MRIB
of any events related to packet reception. These notifications can either be explicitly requested by routing
clients or spontaneously generated by the MFIB.
Another important function of the MRIB is to allow for the coordination of multiple routing clients in
establishing multicast connectivity within the same multicast session. MRIB also allows for the coordination
between MLD and routing protocols.

MFIB
The MFIB is a platform-independent and routing-protocol-independent library for IPv6 software. Its main
purpose is to provide a Cisco IOS platform with an interface with which to read the IPv6 multicast forwarding
table and notifications when the forwarding table changes. The information provided by the MFIB has clearly
defined forwarding semantics and is designed to make it easy for the platform to translate to its specific
hardware or software forwarding mechanisms.
When routing or topology changes occur in the network, the IPv6 routing table is updated, and those changes
are reflected in the MFIB. The MFIB maintains next-hop address information based on the information in the
IPv6 routing table. Because there is a one-to-one correlation between MFIB entries and routing table entries,
the MFIB contains all known routes and eliminates the need for route cache maintenance that is associated
with switching paths such as fast switching and optimum switching.

IPv6 Multicast VRF Lite


The IPv6 Multicast VRF Lite feature provides IPv6 multicast support for multiple virtual routing/forwarding
contexts (VRFs). The scope of these VRFs is limited to the switch in which the VRFs are defined.
This feature provides separation between routing and forwarding, providing an additional level of security
because no communication between devices belonging to different VRFs is allowed unless it is explicitly
configured. The IPv6 Multicast VRF Lite feature simplifies the management and troubleshooting of traffic
belonging to a specific VRF.


IPv6 Multicast Process Switching and Fast Switching


A unified MFIB is used to provide both fast switching and process switching support for PIM-SM and
PIM-SSM in IPv6 multicast. In process switching, the switch must examine, rewrite, and forward each packet.
The packet is first received and copied into the system memory. The switch then looks up the Layer 3 network
address in the routing table. The Layer 2 frame is then rewritten with the next-hop destination address and
sent to the outgoing interface. The switch also computes the cyclic redundancy check (CRC). This switching
method is the least scalable method for switching IPv6 packets.
IPv6 multicast fast switching allows switches to provide better packet forwarding performance than process
switching. Information conventionally stored in a route cache is stored in several data structures for IPv6
multicast switching. The data structures provide optimized lookup for efficient packet forwarding.
In IPv6 multicast forwarding, the first packet is fast-switched if the PIM protocol logic allows it. In IPv6
multicast fast switching, the MAC encapsulation header is precomputed. IPv6 multicast fast switching uses
the MFIB to make IPv6 destination prefix-based switching decisions. In addition to the MFIB, IPv6 multicast
fast switching uses adjacency tables to prepend Layer 2 addressing information. The adjacency table maintains
Layer 2 next-hop addresses for all MFIB entries.
The adjacency table is populated as adjacencies are discovered. Each time an adjacency entry is created (such
as through ARP), a link-layer header for that adjacent node is precomputed and stored in the adjacency table.
Once a route is determined, it points to a next hop and corresponding adjacency entry. It is subsequently used
for encapsulation during switching of packets.
A route might have several paths to a destination prefix, such as when a switch is configured for simultaneous
load balancing and redundancy. For each resolved path, a pointer is added for the adjacency corresponding
to the next-hop interface for that path. This mechanism is used for load balancing across several paths.

Multiprotocol BGP for the IPv6 Multicast Address Family


The multiprotocol BGP for the IPv6 multicast address family feature provides multicast BGP extensions for
IPv6 and supports the same features and functionality as IPv4 BGP. IPv6 enhancements to multicast BGP
include support for an IPv6 multicast address family and network layer reachability information (NLRI) and
next hop (the next switch in the path to the destination) attributes that use IPv6 addresses.
Multicast BGP is an enhanced BGP that allows the deployment of interdomain IPv6 multicast. Multiprotocol
BGP carries routing information for multiple network layer protocol address families; for example, IPv6
address family and for IPv6 multicast routes. The IPv6 multicast address family contains routes used for RPF
lookup by the IPv6 PIM protocol, and multicast BGP IPV6 provides for interdomain transport of the same.
Users must use multiprotocol BGP for IPv6 multicast when using IPv6 multicast with BGP because the unicast
BGP learned routes will not be used for IPv6 multicast.
Multicast BGP functionality is provided through a separate address family context. A subsequent address
family identifier (SAFI) provides information about the type of the network layer reachability information
that is carried in the attribute. Multiprotocol BGP unicast uses SAFI 1 messages, and multiprotocol BGP
multicast uses SAFI 2 messages. SAFI 1 messages indicate that the routes are only usable for IP unicast, but
not IP multicast. Because of this functionality, BGP routes in the IPv6 unicast RIB must be ignored in the
IPv6 multicast RPF lookup.
A separate BGP routing table is maintained to configure incongruent policies and topologies (for example,
IPv6 unicast and multicast) by using IPv6 multicast RPF lookup. Multicast RPF lookup is very similar to the
IP unicast route lookup.
No MRIB is associated with the IPv6 multicast BGP table. However, IPv6 multicast BGP operates on the
unicast IPv6 RIB when needed. Multicast BGP does not insert or update routes into the IPv6 unicast RIB.


NSF and SSO Support In IPv6 Multicast


Support for nonstop forwarding (NSF) and stateful switchover (SSO) is provided in IPv6 Multicast.

Bandwidth-Based CAC for IPv6 Multicast


The bandwidth-based call admission control (CAC) for IPv6 multicast feature implements a way to count
per-interface mroute state limiters using cost multipliers. This feature can be used to provide bandwidth-based
CAC on a per-interface basis in network environments where the multicast flows use different amounts of
bandwidth.
This feature limits and accounts for IPv6 multicast state in detail. When this feature is configured, interfaces
can be limited to the number of times they may be used as incoming or outgoing interfaces in the IPv6 multicast
PIM topology.
With this feature, switch administrators can configure global limit cost commands for state matching access
lists and specify which cost multiplier to use when accounting such state against the interface limits. This
feature provides the required flexibility to implement bandwidth-based local CAC policy by tuning appropriate
cost multipliers for different bandwidth requirements.

Implementing IPv6 Multicast


Enabling IPv6 Multicast Routing
Beginning in privileged EXEC mode, follow these steps:

Procedure

Step 1  configure terminal
        Purpose: Enter global configuration mode.

Step 2  ipv6 multicast-routing
        Purpose: Enables multicast routing on all IPv6-enabled interfaces and enables multicast forwarding for PIM and MLD on all enabled interfaces of the switch.
        Example: SwitchDevice(config)# ipv6 multicast-routing

Step 3  copy running-config startup-config
        Purpose: (Optional) Save your entries in the configuration file.

Customizing and Verifying the MLD Protocol


Customizing and Verifying MLD on an Interface
Beginning in privileged EXEC mode, follow these steps:


Procedure

Step 1  configure terminal
        Purpose: Enters global configuration mode.

Step 2  interface type number
        Purpose: Specifies an interface type and number, and places the switch in interface configuration mode.
        Example: Switch(config)# interface GigabitEthernet 1/0/1

Step 3  ipv6 mld join-group [group-address] [include | exclude] {source-address | source-list [acl]}
        Purpose: Configures MLD reporting for a specified group and source.
        Example: Switch(config-if)# ipv6 mld join-group FF04::10

Step 4  ipv6 mld access-group access-list-name
        Purpose: Allows the user to perform IPv6 multicast receiver access control.
        Example: Switch(config-if)# ipv6 mld access-group acc-grp-1

Step 5  ipv6 mld static-group [group-address] [include | exclude] {source-address | source-list [acl]}
        Purpose: Statically forwards traffic for the multicast group onto a specified interface and causes the interface to behave as if an MLD joiner were present on the interface.
        Example: Switch(config-if)# ipv6 mld static-group ff04::10 include 100::1

Step 6  ipv6 mld query-max-response-time seconds
        Purpose: Configures the maximum response time advertised in MLD queries.
        Example: Switch(config-if)# ipv6 mld query-max-response-time 20

Step 7  ipv6 mld query-timeout seconds
        Purpose: Configures the timeout value before the switch takes over as the querier for the interface.
        Example: Switch(config-if)# ipv6 mld query-timeout 130

Step 8  exit
        Purpose: Enter this command twice to exit interface configuration mode and enter privileged EXEC mode.
        Example: Switch(config-if)# exit

Step 9  show ipv6 mld groups [link-local] [group-name | group-address] [interface-type interface-number] [detail | explicit]
        Purpose: Displays the multicast groups that are directly connected to the switch and that were learned through MLD.
        Example: Switch# show ipv6 mld groups GigabitEthernet 1/0/1

Step 10 show ipv6 mld groups summary
        Purpose: Displays the number of (*, G) and (S, G) membership reports present in the MLD cache.
        Example: Switch# show ipv6 mld groups summary

Step 11 show ipv6 mld interface [type number]
        Purpose: Displays multicast-related information about an interface.
        Example: Switch# show ipv6 mld interface GigabitEthernet 1/0/1

Step 12 debug ipv6 mld [group-name | group-address | interface-type]
        Purpose: Enables debugging on MLD protocol activity.
        Example: Switch# debug ipv6 mld

Step 13 debug ipv6 mld explicit [group-name | group-address]
        Purpose: Displays information related to the explicit tracking of hosts.
        Example: Switch# debug ipv6 mld explicit

Step 14 copy running-config startup-config
        Purpose: (Optional) Save your entries in the configuration file.

Implementing MLD Group Limits


Per-interface and global MLD limits operate independently of each other. Both per-interface and global MLD
limits can be configured on the same switch. The number of MLD limits, globally or per interface, is not
configured by default; the limits must be configured by the user. A membership report that exceeds either the
per-interface or the global state limit is ignored.

Implementing MLD Group Limits Globally

SUMMARY STEPS
1. enable
2. configure terminal
3. ipv6 mld [vrf vrf-name] state-limit number
4. copy running-config startup-config


DETAILED STEPS

Step 1  enable
        Purpose: Enters privileged EXEC mode.
        Example: SwitchDevice# enable

Step 2  configure terminal
        Purpose: Enters global configuration mode.
        Example: SwitchDevice# configure terminal

Step 3  ipv6 mld [vrf vrf-name] state-limit number
        Purpose: Limits the number of MLD states globally.
        Example: SwitchDevice(config)# ipv6 mld state-limit 300

Step 4  copy running-config startup-config
        Purpose: (Optional) Save your entries in the configuration file.

Implementing MLD Group Limits per Interface

SUMMARY STEPS
1. enable
2. configure terminal
3. interface type number
4. ipv6 mld limit number [except access-list]
5. copy running-config startup-config

DETAILED STEPS

Step 1  enable
        Purpose: Enters privileged EXEC mode.
        Example: SwitchDevice# enable

Step 2  configure terminal
        Purpose: Enters global configuration mode.
        Example: SwitchDevice# configure terminal

Step 3  interface type number
        Purpose: Specifies an interface type and number, and places the switch in interface configuration mode.
        Example: SwitchDevice(config)# interface GigabitEthernet 1/0/1

Step 4  ipv6 mld limit number [except access-list]
        Purpose: Limits the number of MLD states on a per-interface basis.
        Example: SwitchDevice(config-if)# ipv6 mld limit 100

Step 5  copy running-config startup-config
        Purpose: (Optional) Save your entries in the configuration file.
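The accounting behind the global and per-interface MLD limits above, and behind the cost multipliers of the bandwidth-based CAC feature described earlier in this chapter, can be modelled in one place. The following is an added example, not Cisco IOS code; StateLimiter and its methods are hypothetical names, and the limits, access lists and membership reports are constructed for the example. It generalizes both passages: a membership report is ignored when it would exceed either the global or the per-interface limit, groups matched by the interface's except list bypass the per-interface count, and groups matched by a cost entry consume a multiple of one unit against the interface limit. Behaviour the page does not spell out is assumed as noted in the comments.

```python
"""Multicast state accounting: a global MLD state limit, per-interface limits
with an 'except' access list, and CAC cost multipliers applied against the
per-interface limits.

Added example, not Cisco IOS code. StateLimiter and its methods are hypothetical
names; limits, access lists and membership reports below are constructed.
Assumed behaviour not stated on the page: the 'except' list exempts a group from
the per-interface count only, cost multipliers apply to the per-interface count
only, and a refresh report for state that already exists is not counted again.
"""
import ipaddress
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple

Net6 = ipaddress.IPv6Network


@dataclass
class StateLimiter:
    global_limit: Optional[int] = None                                  # ipv6 mld state-limit <number>
    interface_limits: Dict[str, int] = field(default_factory=dict)      # ipv6 mld limit <number>
    except_acls: Dict[str, List[Net6]] = field(default_factory=dict)    # per-interface except ACL
    cost_table: List[Tuple[Net6, int]] = field(default_factory=list)    # (group prefix, multiplier)
    global_used: int = 0
    interface_used: Dict[str, int] = field(default_factory=dict)
    state: Set[Tuple[str, str]] = field(default_factory=set)            # admitted (iface, group)
    ignored: List[Tuple[str, str, str]] = field(default_factory=list)   # (iface, group, reason)

    def cost_of(self, group: ipaddress.IPv6Address) -> int:
        """First matching cost entry wins; an unmatched group costs one unit."""
        for prefix, multiplier in self.cost_table:
            if group in prefix:
                return multiplier
        return 1

    def exempt(self, iface: str, group: ipaddress.IPv6Address) -> bool:
        return any(group in p for p in self.except_acls.get(iface, []))

    def report(self, iface: str, group_str: str) -> bool:
        """Process one MLD membership report; return True if state is admitted."""
        key = (iface, group_str)
        if key in self.state:
            return True                                   # refresh of existing state (assumed)
        group = ipaddress.IPv6Address(group_str)
        if self.global_limit is not None and self.global_used + 1 > self.global_limit:
            self.ignored.append((iface, group_str, "global limit"))
            return False
        cost = 0
        if not self.exempt(iface, group):
            cost = self.cost_of(group)
            limit = self.interface_limits.get(iface)
            if limit is not None and self.interface_used.get(iface, 0) + cost > limit:
                self.ignored.append((iface, group_str, "interface limit"))
                return False
        self.interface_used[iface] = self.interface_used.get(iface, 0) + cost
        self.global_used += 1
        self.state.add(key)
        return True


def build_limiter() -> StateLimiter:
    """Constructed configuration: global limit 4, Gi1/0/1 limited to 3 units with
    site-local groups exempt, and ff3e:40::/32 groups costing 2 units each."""
    return StateLimiter(
        global_limit=4,
        interface_limits={"Gi1/0/1": 3},
        except_acls={"Gi1/0/1": [Net6("ff05::/16")]},
        cost_table=[(Net6("ff3e:40::/32"), 2)],
    )


def run_scenario() -> StateLimiter:
    """Feed a constructed sequence of membership reports through the limiter."""
    lim = build_limiter()
    reports = [
        ("Gi1/0/1", "ff3e:40::1"),   # cost 2: admitted, interface 2/3, global 1/4
        ("Gi1/0/1", "ff3e:40::2"),   # cost 2 would reach 4/3: ignored
        ("Gi1/0/1", "ff3e::1"),      # cost 1: admitted, interface 3/3, global 2/4
        ("Gi1/0/1", "ff05::100"),    # exempt from interface limit: admitted, global 3/4
        ("Gi1/0/2", "ff3e::7"),      # no interface limit configured: admitted, global 4/4
        ("Gi1/0/2", "ff3e::8"),      # global limit reached: ignored
        ("Gi1/0/1", "ff3e::1"),      # refresh of existing state: no change
    ]
    for iface, group in reports:
        lim.report(iface, group)
    return lim


if __name__ == "__main__":
    result = run_scenario()
    print("global used:", result.global_used, "per interface:", result.interface_used)
    for entry in result.ignored:
        print("ignored:", entry)
```

The ignored list is the part worth exporting to monitoring: a burst of reports rejected on one interface is the signal that a limit is either too low for legitimate receivers or is doing its job against a misbehaving host.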

Configuring Explicit Tracking of Receivers to Track Host Behavior


The explicit tracking feature allows a switch to track the behavior of the hosts within its IPv6 network and
enables the fast leave mechanism to be used with MLD version 2 host reports.
Beginning in privileged EXEC mode, follow these steps:

Procedure

Step 1  configure terminal
        Purpose: Enter global configuration mode.

Step 2  interface type number
        Purpose: Specifies an interface type and number, and places the switch in interface configuration mode.
        Example: Switch(config)# interface GigabitEthernet 1/0/1

Step 3  ipv6 mld explicit-tracking access-list-name
        Purpose: Enables explicit tracking of hosts.
        Example: Switch(config-if)# ipv6 mld explicit-tracking list1

Step 4  copy running-config startup-config
        Purpose: (Optional) Save your entries in the configuration file.

Configuring Multicast User Authentication and Profile Support


Before you configure multicast user authentication and profile support, you should be aware of the following
restriction:
• The port, interface, VC, or VLAN ID is the user or subscriber identity. User identity by hostname, user
ID, or password is not supported.
This section contains the following tasks:
• Enabling AAA Access Control for IPv6 Multicast
• Specifying Method Lists and Enabling Multicast Accounting
• Disabling the Switch from Receiving Unauthenticated Multicast Traffic
• Resetting Authorization Status on an MLD Interface

Enabling AAA Access Control for IPv6 Multicast


Beginning in privileged EXEC mode, follow these steps:

Procedure

Step 1  configure terminal
        Purpose: Enter global configuration mode.

Step 2  aaa new-model
        Purpose: Enables the AAA access control system.
        Example: SwitchDevice(config)# aaa new-model

Step 3  copy running-config startup-config
        Purpose: (Optional) Save your entries in the configuration file.

Specifying Method Lists and Enabling Multicast Accounting


Perform this task to specify the method lists used for AAA authorization and accounting and how to enable
multicast accounting on specified groups or channels on an interface.
Beginning in privileged EXEC mode, follow these steps:

Procedure

Step 1  configure terminal
        Purpose: Enter global configuration mode.

Step 2  aaa authorization multicast default [method3 | method4]
        Purpose: Enables AAA authorization and sets parameters that restrict user access to an IPv6 multicast network.
        Example: Switch(config)# aaa authorization multicast default

Step 3  aaa accounting multicast default [start-stop | stop-only] [broadcast] [method1] [method2] [method3] [method4]
        Purpose: Enables AAA accounting of IPv6 multicast services for billing or security purposes when you use RADIUS.
        Example: Switch(config)# aaa accounting multicast default

Step 4  interface type number
        Purpose: Specifies an interface type and number, and places the switch in interface configuration mode.
        Example: Switch(config)# interface FastEthernet 1/0

Step 5  ipv6 multicast aaa account receive access-list-name [throttle throttle-number]
        Purpose: Enables AAA accounting on specified groups or channels.
        Example: Switch(config-if)# ipv6 multicast aaa account receive list1

Step 6  copy running-config startup-config
        Purpose: (Optional) Save your entries in the configuration file.

Disabling the Switch from Receiving Unauthenticated Multicast Traffic


In some situations, access control may be needed to prevent multicast traffic from being received unless the
subscriber is authenticated and the channels are authorized as per access control profiles. That is, there should
be no traffic at all unless specified otherwise by access control profiles.
Perform this task to prevent the switch from receiving multicast traffic from unauthenticated groups or
unauthorized channels.
Beginning in privileged EXEC mode, follow these steps:

Procedure

Step 1  configure terminal
        Purpose: Enter global configuration mode.

Step 2  ipv6 multicast [vrf vrf-name] group-range [access-list-name]
        Purpose: Disables multicast protocol actions and traffic forwarding for unauthorized groups or channels on all the interfaces in a switch.
        Example: Switch(config)# ipv6 multicast group-range

Step 3  copy running-config startup-config
        Purpose: (Optional) Save your entries in the configuration file.

Enabling MLD Proxy in IPv6


Beginning in privileged EXEC mode, follow these steps.

Procedure

Step 1  configure terminal
        Purpose: Enter global configuration mode.

Step 2  ipv6 mld host-proxy [group-acl]
        Purpose: Enables the MLD proxy feature.
        Example: Switch(config)# ipv6 mld host-proxy proxy-group

Step 3  ipv6 mld host-proxy interface [group-acl]
        Purpose: Enables the MLD proxy feature on a specified interface on an RP.
        Example: Switch(config)# ipv6 mld host-proxy interface Ethernet 0/0

Step 4  show ipv6 mld host-proxy [interface-type interface-number] [group [group-address]]
        Purpose: Displays IPv6 MLD host proxy information.
        Example: Switch(config)# show ipv6 mld host-proxy Ethernet0/0

Step 5  copy running-config startup-config
        Purpose: (Optional) Save your entries in the configuration file.

Resetting Authorization Status on an MLD Interface


If no interface is specified, authorization is reset on all MLD interfaces.
Beginning in privileged EXEC mode, follow these steps.

Procedure

Step 1  clear ipv6 multicast aaa authorization [interface-type interface-number]
        Purpose: Resets the authorization status on the specified MLD interface, or on all MLD interfaces if no interface is specified.
        Example: Switch# clear ipv6 multicast aaa authorization FastEthernet 1/0

Step 2  copy running-config startup-config
        Purpose: (Optional) Save your entries in the configuration file.

Resetting the MLD Traffic Counters


Beginning in privileged EXEC mode, follow these steps.

Procedure

Step 1  clear ipv6 mld traffic
        Purpose: Resets all MLD traffic counters.
        Example: Switch# clear ipv6 mld traffic

Step 2  show ipv6 mld traffic
        Purpose: Displays the MLD traffic counters.
        Example: Switch# show ipv6 mld traffic

Step 3  copy running-config startup-config
        Purpose: (Optional) Save your entries in the configuration file.


Clearing the MLD Interface Counters


Beginning in privileged EXEC mode, follow these steps.

Procedure

Step 1  clear ipv6 mld counters interface-type
        Purpose: Clears the MLD interface counters.
        Example: Switch# clear ipv6 mld counters Ethernet1/0

Step 2  copy running-config startup-config
        Purpose: (Optional) Save your entries in the configuration file.

Configuring PIM
This section explains how to configure PIM.

Configuring PIM-SM and Displaying PIM-SM Information for a Group Range


Beginning in privileged EXEC mode, follow these steps:

Procedure

Step 1  configure terminal
        Purpose: Enter global configuration mode.

Step 2  ipv6 pim rp-address ipv6-address [group-access-list]
        Purpose: Configures the address of a PIM RP for a particular group range.
        Example: Switch(config)# ipv6 pim rp-address 2001:DB8::01:800:200E:8C6C acc-grp-1

Step 3  exit
        Purpose: Exits global configuration mode, and returns the switch to privileged EXEC mode.
        Example: Switch(config)# exit

Step 4  show ipv6 pim interface [state-on] [state-off] [type-number]
        Purpose: Displays information about interfaces configured for PIM.
        Example: Switch# show ipv6 pim interface

Step 5  show ipv6 pim group-map [group-name | group-address] | [group-range | group-mask] [info-source {bsr | default | embedded-rp | static}]
        Purpose: Displays an IPv6 multicast group mapping table.
        Example: Switch# show ipv6 pim group-map

Step 6  show ipv6 pim neighbor [detail] [interface-type interface-number | count]
        Purpose: Displays the PIM neighbors discovered by the Cisco IOS software.
        Example: Switch# show ipv6 pim neighbor

Step 7  show ipv6 pim range-list [config] [rp-address | rp-name]
        Purpose: Displays information about IPv6 multicast range lists.
        Example: Switch# show ipv6 pim range-list

Step 8  show ipv6 pim tunnel [interface-type interface-number]
        Purpose: Displays information about the PIM register encapsulation and de-encapsulation tunnels on an interface.
        Example: Switch# show ipv6 pim tunnel

Step 9  debug ipv6 pim [group-name | group-address | interface interface-type | bsr | group | mvpn | neighbor]
        Purpose: Enables debugging on PIM protocol activity.
        Example: Switch# debug ipv6 pim

Step 10 copy running-config startup-config
        Purpose: (Optional) Save your entries in the configuration file.

Configuring PIM Options


Beginning in privileged EXEC mode, follow these steps:

Procedure

Step 1  configure terminal
Purpose: Enter global configuration mode.

Step 2  ipv6 pim spt-threshold infinity [group-list access-list-name]
Purpose: Configures when a PIM leaf switch joins the SPT for the specified groups.
Example:
Switch(config)# ipv6 pim spt-threshold infinity group-list acc-grp-1

Step 3  ipv6 pim accept-register {list access-list | route-map map-name}
Purpose: Accepts or rejects registers at the RP.
Example:
Switch(config)# ipv6 pim accept-register route-map reg-filter

Step 4  interface type number
Purpose: Specifies an interface type and number, and places the switch in interface configuration mode.
Example:
Switch(config)# interface GigabitEthernet 1/0/1

Step 5  ipv6 pim dr-priority value
Purpose: Configures the DR priority on a PIM switch.
Example:
Switch(config-if)# ipv6 pim dr-priority 3

Step 6  ipv6 pim hello-interval seconds
Purpose: Configures the frequency of PIM hello messages on an interface.
Example:
Switch(config-if)# ipv6 pim hello-interval 45

Step 7  ipv6 pim join-prune-interval seconds
Purpose: Configures periodic join and prune announcement intervals for a specified interface.
Example:
Switch(config-if)# ipv6 pim join-prune-interval 75

Step 8  exit
Purpose: Enter this command twice to exit interface configuration mode and enter privileged EXEC mode.
Example:
Switch(config-if)# exit

Step 9  show ipv6 pim join-prune statistic [interface-type]
Purpose: Displays the average join-prune aggregation for the most recently aggregated packets for each interface.
Example:
Switch# show ipv6 pim join-prune statistic

Step 10  copy running-config startup-config
Purpose: (Optional) Save your entries in the configuration file.
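The two procedures above reference an RP group-range access list (acc-grp-1) and a register-filter route map (reg-filter) but never show how they are defined, and without the filter any source on the network can register with the RP. The following consolidated configuration is an added example, not from this guide: the access-list contents, the reg-src list, the interface address, and the source and group prefixes are constructed; the RP address, names, and timer values are the ones used in the steps above.

```cisco
! Added example, not from the guide: IPv6 PIM-SM with a static RP for one
! group range and register filtering at the RP. The prefixes, the interface
! address, and the access list reg-src are constructed for illustration.
ipv6 unicast-routing
ipv6 multicast-routing
!
! Group range served by the static RP. The group is matched as the
! destination address, so the source is "any".
ipv6 access-list acc-grp-1
 permit ipv6 any FF0E:1::/32
!
! (S,G) pairs the RP accepts in PIM Register messages. Registers from any
! other source, or for any other group, are rejected at the RP.
ipv6 access-list reg-src
 permit ipv6 2001:DB8:10::/48 FF0E:1::/32
route-map reg-filter permit 10
 match ipv6 address reg-src
!
! Static RP for the group range (Step 2 of the first procedure), then the
! register filter and SPT threshold (Steps 2 and 3 of the second).
ipv6 pim rp-address 2001:DB8::01:800:200E:8C6C acc-grp-1
ipv6 pim accept-register route-map reg-filter
ipv6 pim spt-threshold infinity group-list acc-grp-1
!
! Per-interface PIM settings from Steps 5 to 7 of the second procedure.
interface GigabitEthernet1/0/1
 ipv6 address 2001:DB8:1::1/64
 ipv6 pim dr-priority 3
 ipv6 pim hello-interval 45
 ipv6 pim join-prune-interval 75
```

Verify with show ipv6 pim range-list and show ipv6 pim group-map from the first procedure, which should list this RP for FF0E:1::/32.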

Configuring Bidirectional PIM and Displaying Bidirectional PIM Information


Beginning in privileged EXEC mode, follow these steps:

Procedure

Step 1  configure terminal
Purpose: Enter global configuration mode.

Step 2  ipv6 pim [vrf vrf-name] rp-address ipv6-address [group-access-list] [bidir]
Purpose: Configures the address of a PIM RP for a particular group range. Use of the bidir keyword means that the group range will be used for bidirectional shared-tree forwarding.
Example:
Switch(config)# ipv6 pim rp-address 2001:DB8::01:800:200E:8C6C bidir

Step 3  exit
Purpose: Exits global configuration mode, and returns the switch to privileged EXEC mode.
Example:
Switch(config)# exit

Step 4  show ipv6 pim [vrf vrf-name] df [interface-type interface-number] [rp-address]
Purpose: Displays the designated forwarder (DF)-election state of each interface for RP.
Example:
Switch# show ipv6 pim df

Step 5  show ipv6 pim [vrf vrf-name] df winner [interface-type interface-number] [rp-address]
Purpose: Displays the DF-election winner on each interface for each RP.
Example:
Switch# show ipv6 pim df winner ethernet 1/0 200::1

Step 6  copy running-config startup-config
Purpose: (Optional) Save your entries in the configuration file.

Resetting the PIM Traffic Counters


If PIM malfunctions, or to verify that the expected number of PIM packets are received and sent, you can
clear the PIM traffic counters. Once the traffic counters are cleared, enter the show ipv6 pim traffic command
to verify that PIM is functioning correctly and that PIM packets are being received and sent correctly.
Beginning in privileged EXEC mode, follow these steps:

Procedure

Step 1  clear ipv6 pim traffic
Purpose: Resets the PIM traffic counters.
Example:
Switch# clear ipv6 pim traffic

Step 2  show ipv6 pim traffic
Purpose: Displays the PIM traffic counters.
Example:
Switch# show ipv6 pim traffic

Step 3  copy running-config startup-config
Purpose: (Optional) Save your entries in the configuration file.

Clearing the PIM Topology Table to Reset the MRIB Connection


No configuration is necessary to use the MRIB. However, in certain situations you may want to clear the
PIM topology table in order to reset the MRIB connection and verify MRIB information.
Beginning in privileged EXEC mode, follow these steps:

Procedure

Step 1  clear ipv6 pim topology [group-name | group-address]
Purpose: Clears the PIM topology table.
Example:
Switch# clear ipv6 pim topology FF04::10

Step 2  show ipv6 mrib client [filter] [name {client-name | client-name : client-id}]
Purpose: Displays multicast-related information about an interface.
Example:
Switch# show ipv6 mrib client

Step 3  show ipv6 mrib route {link-local | summary | [sourceaddress-or-name | *] [groupname-or-address [prefix-length]]}
Purpose: Displays the MRIB route information.
Example:
Switch# show ipv6 mrib route

Step 4  show ipv6 pim topology [groupname-or-address [sourceaddress-or-name] | link-local | route-count [detail]]
Purpose: Displays PIM topology table information for a specific group or all groups.
Example:
Switch# show ipv6 pim topology

Step 5  debug ipv6 mrib client
Purpose: Enables debugging on MRIB client management activity.
Example:
Switch# debug ipv6 mrib client

Step 6  debug ipv6 mrib io
Purpose: Enables debugging on MRIB I/O events.
Example:
Switch# debug ipv6 mrib io

Step 7  debug ipv6 mrib proxy
Purpose: Enables debugging on MRIB proxy activity between the switch processor and line cards on distributed switch platforms.
Example:
Switch# debug ipv6 mrib proxy

Step 8  debug ipv6 mrib route [group-name | group-address]
Purpose: Displays information about MRIB routing entry-related activity.
Example:
Switch# debug ipv6 mrib route

Step 9  debug ipv6 mrib table
Purpose: Enables debugging on MRIB table management activity.
Example:
Switch# debug ipv6 mrib table

Step 10  copy running-config startup-config
Purpose: (Optional) Save your entries in the configuration file.

Configuring a BSR
The tasks included here are described below.

Configuring a BSR and Verifying BSR Information


Beginning in privileged EXEC mode, follow these steps:

Procedure

Step 1  configure terminal
Purpose: Enter global configuration mode.

Step 2  ipv6 pim bsr candidate bsr ipv6-address [hash-mask-length] [priority priority-value]
Purpose: Configures a switch to be a candidate BSR.
Example:
Switch(config)# ipv6 pim bsr candidate bsr 2001:DB8:3000:3000::42 124 priority 10

Step 3  interface type number
Purpose: Specifies an interface type and number, and places the switch in interface configuration mode.
Example:
Switch(config)# interface GigabitEthernet 1/0/1

Step 4  ipv6 pim bsr border
Purpose: Configures a border for all BSMs of any scope on a specified interface.
Example:
Switch(config-if)# ipv6 pim bsr border

Step 5  exit
Purpose: Enter this command twice to exit interface configuration mode and enter privileged EXEC mode.
Example:
Switch(config-if)# exit

Step 6  show ipv6 pim bsr {election | rp-cache | candidate-rp}
Purpose: Displays information related to PIM BSR protocol processing.
Example:
Switch# show ipv6 pim bsr election

Step 7  copy running-config startup-config
Purpose: (Optional) Save your entries in the configuration file.

Sending PIM RP Advertisements to the BSR


Beginning in privileged EXEC mode, follow these steps:

Procedure

Step 1  configure terminal
Purpose: Enter global configuration mode.

Step 2  ipv6 pim bsr candidate rp ipv6-address [group-list access-list-name] [priority priority-value] [interval seconds]
Purpose: Sends PIM RP advertisements to the BSR.
Example:
Switch(config)# ipv6 pim bsr candidate rp 2001:DB8:3000:3000::42 priority 0

Step 3  interface type number
Purpose: Specifies an interface type and number, and places the switch in interface configuration mode.
Example:
Switch(config)# interface GigabitEthernet 1/0/1

Step 4  ipv6 pim bsr border
Purpose: Configures a border for all BSMs of any scope on a specified interface.
Example:
Switch(config-if)# ipv6 pim bsr border

Step 5  copy running-config startup-config
Purpose: (Optional) Save your entries in the configuration file.

Configuring BSR for Use Within Scoped Zones


Beginning in privileged EXEC mode, follow these steps:

Procedure

Step 1  configure terminal
Purpose: Enter global configuration mode.

Step 2  ipv6 pim bsr candidate bsr ipv6-address [hash-mask-length] [priority priority-value]
Purpose: Configures a switch to be a candidate BSR.
Example:
Switch(config)# ipv6 pim bsr candidate bsr 2001:DB8:1:1:4

Step 3  ipv6 pim bsr candidate rp ipv6-address [group-list access-list-name] [priority priority-value] [interval seconds]
Purpose: Configures the candidate RP to send PIM RP advertisements to the BSR.
Example:
Switch(config)# ipv6 pim bsr candidate rp 2001:DB8:1:1:1 group-list list scope 6

Step 4  interface type number
Purpose: Specifies an interface type and number, and places the switch in interface configuration mode.
Example:
Switch(config)# interface GigabitEthernet 1/0/1

Step 5  ipv6 multicast boundary scope scope-value
Purpose: Configures a multicast boundary on the interface for a specified scope.
Example:
Switch(config-if)# ipv6 multicast boundary scope 6

Step 6  copy running-config startup-config
Purpose: (Optional) Save your entries in the configuration file.

Configuring BSR Switches to Announce Scope-to-RP Mappings


IPv6 BSR switches can be statically configured to announce scope-to-RP mappings directly instead of learning
them from candidate-RP messages. A user might want to configure a BSR switch to announce scope-to-RP
mappings so that an RP that does not support BSR is imported into the BSR. Enabling this feature also allows
an RP positioned outside the enterprise's BSR domain to be learned by the known remote RP on the local
candidate BSR switch.
Beginning in privileged EXEC mode, follow these steps:

Procedure

Step 1  configure terminal
Purpose: Enter global configuration mode.

Step 2  ipv6 pim bsr announced rp ipv6-address [group-list access-list-name] [priority priority-value]
Purpose: Announces scope-to-RP mappings directly from the BSR for the specified candidate RP.
Example:
Switch(config)# ipv6 pim bsr announced rp 2001:DB8:3000:3000::42 priority 0

Step 3  copy running-config startup-config
Purpose: (Optional) Save your entries in the configuration file.

Configuring SSM Mapping


When the SSM mapping feature is enabled, DNS-based SSM mapping is automatically enabled, which means
that the switch will look up the source of a multicast MLD version 1 report from a DNS server.
You can use either DNS-based or static SSM mapping, depending on your switch configuration. If you choose
to use static SSM mapping, you can configure multiple static SSM mappings. If multiple static SSM mappings
are configured, the source addresses of all matching access lists will be used.

Note To use DNS-based SSM mapping, the switch needs to find at least one correctly configured DNS server, to
which the switch may be directly attached.

Beginning in privileged EXEC mode, follow these steps:

Procedure

Step 1  configure terminal
Purpose: Enter global configuration mode.

Step 2  ipv6 mld ssm-map enable
Purpose: Enables the SSM mapping feature for groups in the configured SSM range.
Example:
Switch(config)# ipv6 mld ssm-map enable

Step 3  no ipv6 mld ssm-map query dns
Purpose: Disables DNS-based SSM mapping.
Example:
Switch(config)# no ipv6 mld ssm-map query dns

Step 4  ipv6 mld ssm-map static access-list source-address
Purpose: Configures static SSM mappings.
Example:
Switch(config)# ipv6 mld ssm-map static SSM_MAP_ACL_2 2001:DB8:1::1

Step 5  exit
Purpose: Exits global configuration mode, and returns the switch to privileged EXEC mode.
Example:
Switch(config)# exit

Step 6  show ipv6 mld ssm-map [source-address]
Purpose: Displays SSM mapping information.
Example:
Switch# show ipv6 mld ssm-map

Step 7  copy running-config startup-config
Purpose: (Optional) Save your entries in the configuration file.

Configuring Static Mroutes


Static multicast routes (mroutes) in IPv6 can be implemented as an extension of IPv6 static routes. You can
configure your switch to use a static route for unicast routing only, to use a static multicast route for multicast
RPF selection only, or to use a static route for both unicast routing and multicast RPF selection.
Beginning in privileged EXEC mode, follow these steps:

Procedure

Step 1  configure terminal
Purpose: Enter global configuration mode.

Step 2  ipv6 route ipv6-prefix/prefix-length {ipv6-address | interface-type interface-number [ipv6-address]} [administrative-distance] [administrative-multicast-distance | unicast | multicast] [tag tag]
Purpose: Establishes static IPv6 routes. The example shows a static route used for both unicast routing and multicast RPF selection.
Example:
Switch(config)# ipv6 route 2001:DB8::/64 6::6 100

Step 3  exit
Purpose: Exits global configuration mode, and returns the switch to privileged EXEC mode.
Example:
Switch(config)# exit

Step 4  show ipv6 mroute [link-local | [group-name | group-address [source-address | source-name]]] [summary] [count]
Purpose: Displays the contents of the IPv6 multicast routing table.
Example:
Switch# show ipv6 mroute ff07::1

Step 5  show ipv6 mroute [link-local | group-name | group-address] active [kbps]
Purpose: Displays the active multicast streams on the switch.
Example:
Switch# show ipv6 mroute active

Step 6  show ipv6 rpf [ipv6-prefix]
Purpose: Checks RPF information for a given unicast host address and prefix.
Example:
Switch# show ipv6 rpf 2001::1:1:2

Step 7  copy running-config startup-config
Purpose: (Optional) Save your entries in the configuration file.

Using MFIB in IPv6 Multicast


Multicast forwarding is automatically enabled when IPv6 multicast routing is enabled.

Verifying MFIB Operation in IPv6 Multicast


Beginning in privileged EXEC mode, follow these steps:

Procedure

Step 1  show ipv6 mfib [link-local | verbose | group-address-name | ipv6-prefix/prefix-length | source-address-name | count | interface | status | summary]
Purpose: Displays the forwarding entries and interfaces in the IPv6 MFIB.
Example:
Switch# show ipv6 mfib

Step 2  show ipv6 mfib [all | linkscope | group-name | group-address [source-name | source-address]] count
Purpose: Displays the contents of the IPv6 multicast routing table.
Example:
Switch# show ipv6 mfib ff07::1

Step 3  show ipv6 mfib interface
Purpose: Displays information about IPv6 multicast-enabled interfaces and their forwarding status.
Example:
Switch# show ipv6 mfib interface

Step 4  show ipv6 mfib status
Purpose: Displays general MFIB configuration and operational status.
Example:
Switch# show ipv6 mfib status

Step 5  show ipv6 mfib summary
Purpose: Displays summary information about the number of IPv6 MFIB entries and interfaces.
Example:
Switch# show ipv6 mfib summary

Step 6  debug ipv6 mfib [group-name | group-address] [adjacency | db | fs | init | interface | mrib [detail] | nat | pak | platform | ppr | ps | signal | table]
Purpose: Enables debugging output on the IPv6 MFIB.
Example:
Switch# debug ipv6 mfib FF04::10 pak

Resetting MFIB Traffic Counters


Beginning in privileged EXEC mode, follow these steps:

Procedure

Step 1  clear ipv6 mfib counters [group-name | group-address [source-address | source-name]]
Purpose: Resets all active MFIB traffic counters.
Example:
Switch# clear ipv6 mfib counters FF04::10
PART III
Layer 2
• Configuring IEEE 802.1Q and Layer 2 Protocol Tunneling, on page 197
• Configuring Spanning Tree Protocol, on page 223
• Configuring Multiple Spanning-Tree Protocol, on page 249
• Configuring Optional Spanning-Tree Features, on page 289
• Configuring Bidirectional Forwarding Detection, on page 321
• Configuring EtherChannels, on page 351
• Configuring Link-State Tracking, on page 383
• Configuring Resilient Ethernet Protocol, on page 389
• Configuring Flex Links and the MAC Address-Table Move Update Feature, on page 405
• Configuring UniDirectional Link Detection, on page 421

CHAPTER 13
Configuring IEEE 802.1Q and Layer 2 Protocol Tunneling
• Finding Feature Information, on page 197
• Prerequisites for Configuring Tunneling, on page 197
• Information about Tunneling, on page 200
• How to Configure Tunneling, on page 207
• Configuration Examples for IEEE 802.1Q and Layer 2 Protocol Tunneling, on page 218
• Monitoring Tunneling Status, on page 221
• Where to Go Next, on page 221

Finding Feature Information


Your software release may not support all the features documented in this module. For the latest caveats and
feature information, see Bug Search Tool and the release notes for your platform and software release. To
find information about the features documented in this module, and to see a list of the releases in which each
feature is supported, see the feature information table at the end of this module.
Use Cisco Feature Navigator to find information about platform support and Cisco software image support.
To access Cisco Feature Navigator, go to http://www.cisco.com/go/cfn. An account on Cisco.com is not
required.

Prerequisites for Configuring Tunneling


The following sections list prerequisites and considerations for configuring IEEE 802.1Q and Layer 2 protocol
tunneling.

IEEE 802.1Q Tunneling


Although IEEE 802.1Q tunneling works well for Layer 2 packet switching, there are incompatibilities between
some Layer 2 features and Layer 3 switching.
• A tunnel port cannot be a routed port.
• IP routing is not supported on a VLAN that includes IEEE 802.1Q ports. Packets received from a tunnel
port are forwarded based only on Layer 2 information. If routing is enabled on a switch virtual interface
(SVI) that includes tunnel ports, untagged IP packets received from the tunnel port are recognized and
routed by the switch. Customers can access the Internet through their native VLAN. If this access is not
needed, you should not configure SVIs on VLANs that include tunnel ports.
• Fallback bridging is not supported on tunnel ports. Because all IEEE 802.1Q-tagged packets received
from a tunnel port are treated as non-IP packets, if fallback bridging is enabled on VLANs that have
tunnel ports configured, IP packets would be improperly bridged across VLANs. Therefore, you must
not enable fallback bridging on VLANs with tunnel ports.
• Tunnel ports do not support IP access control lists (ACLs).
• Layer 3 quality of service (QoS) ACLs and other QoS features related to Layer 3 information are not
supported on tunnel ports. MAC-based QoS is supported on tunnel ports.
• EtherChannel port groups are compatible with tunnel ports as long as the IEEE 802.1Q configuration is
consistent within an EtherChannel port group.
• Port Aggregation Protocol (PAgP), Link Aggregation Control Protocol (LACP), and UniDirectional Link
Detection (UDLD) are supported on IEEE 802.1Q tunnel ports.
• Dynamic Trunking Protocol (DTP) is not compatible with IEEE 802.1Q tunneling because you must
manually configure asymmetric links with tunnel ports and trunk ports.
• VLAN Trunking Protocol (VTP) does not work between devices that are connected by an asymmetrical
link or devices that communicate through a tunnel.
• Loopback detection is supported on IEEE 802.1Q tunnel ports.
• When a port is configured as an IEEE 802.1Q tunnel port, spanning-tree bridge protocol data unit (BPDU)
filtering is automatically enabled on the interface. Cisco Discovery Protocol (CDP) and the Link Layer
Discovery Protocol (LLDP) are automatically disabled on the interface.

Related Topics
Configuring an IEEE 802.1Q Tunneling Port, on page 207
Example: Configuring an IEEE 802.1Q Tunneling Port, on page 218

Layer 2 Protocol Tunneling


• The switch supports tunneling of CDP, STP, including multiple STP (MSTP), and VTP. Protocol tunneling
is disabled by default but can be enabled for the individual protocols on IEEE 802.1Q tunnel ports or
access ports.
• The switch does not support Layer 2 protocol tunneling on ports with switchport mode dynamic auto or
dynamic desirable.
• DTP is not compatible with layer 2 protocol tunneling.
• The edge switches on the outbound side of the service-provider network restore the proper Layer 2
protocol and MAC address information and forward the packets to all tunnel and access ports in the same
metro VLAN.
• For interoperability with third-party vendor switches, the switch supports a Layer 2 protocol-tunnel
bypass feature. Bypass mode transparently forwards control PDUs to vendor switches that have different
ways of controlling protocol tunneling. When Layer 2 protocol tunneling is enabled on ingress ports on
a switch, egress trunk ports forward the tunneled packets with a special encapsulation. If you also enable
Layer 2 protocol tunneling on the egress trunk port, this behavior is bypassed, and the switch forwards
control PDUs without any processing or modification.
• The switch supports PAgP, LACP, and UDLD tunneling for emulated point-to-point network topologies.
Protocol tunneling is disabled by default but can be enabled for the individual protocols on IEEE 802.1Q
tunnel ports or on access ports.
• If you enable PAgP or LACP tunneling, we recommend that you also enable UDLD on the interface for
faster link-failure detection.
• Loopback detection is not supported on Layer 2 protocol tunneling of PAgP, LACP, or UDLD packets.
• EtherChannel port groups are compatible with tunnel ports when the IEEE 802.1Q configuration is
consistent within an EtherChannel port group.
• If an encapsulated PDU (with the proprietary destination MAC address) is received from a tunnel port
or an access port with Layer 2 tunneling enabled, the tunnel port is shut down to prevent loops. The port
also shuts down when a configured shutdown threshold for the protocol is reached. You can manually
reenable the port (by entering a shutdown and a no shutdown command sequence). If errdisable recovery
is enabled, the operation is retried after a specified time interval.
• Only decapsulated PDUs are forwarded to the customer network. The spanning-tree instance running on
the service-provider network does not forward BPDUs to tunnel ports. CDP packets are not forwarded
from tunnel ports.
• When protocol tunneling is enabled on an interface, you can set a per-protocol, per-port, shutdown
threshold for the PDUs generated by the customer network. If the limit is exceeded, the port shuts down.
You can also limit BPDU rate by using QoS ACLs and policy maps on a tunnel port.
• When protocol tunneling is enabled on an interface, you can set a per-protocol, per-port, drop threshold
for the PDUs generated by the customer network. If the limit is exceeded, the port drops PDUs until the
rate at which it receives them is below the drop threshold.
• Because tunneled PDUs (especially STP BPDUs) must be delivered to all remote sites so that the customer
virtual network operates properly, you can give PDUs higher priority within the service-provider network
than data packets received from the same tunnel port. By default, the PDUs use the same CoS value as
data packets.

Related Topics
Configuring Layer 2 Protocol Tunneling, on page 210
Example: Configuring Layer 2 Protocol Tunneling, on page 219

Layer 2 Tunneling for EtherChannels


To configure Layer 2 point-to-point tunneling to facilitate the automatic creation of EtherChannels, you need
to configure both the SP (service-provider) edge switch and the customer switch.
Related Topics
Configuring Layer 2 Protocol Tunneling, on page 210
Example: Configuring Layer 2 Protocol Tunneling, on page 219


Information about Tunneling


IEEE 802.1Q and Layer 2 Protocol Overview
Virtual private networks (VPNs) provide enterprise-scale connectivity on a shared infrastructure, often
Ethernet-based, with the same security, prioritization, reliability, and manageability requirements of private
networks. Tunneling is a feature designed for service providers who carry traffic of multiple customers across
their networks and are required to maintain the VLAN and Layer 2 protocol configurations of each customer
without impacting the traffic of other customers.

Note IEEE 802.1Q and Layer 2 protocol tunneling are supported only on Cisco Catalyst 3560-CX switches.

For complete syntax and usage information for the commands used in this chapter, see the command reference
for this release.

IEEE 802.1Q Tunneling


Business customers of service providers often have specific requirements for VLAN IDs and the number of
VLANs to be supported. The VLAN ranges required by different customers in the same service-provider
network might overlap, and traffic of customers through the infrastructure might be mixed. Assigning a unique
range of VLAN IDs to each customer would restrict customer configurations and could easily exceed the
VLAN limit (4096) of the IEEE 802.1Q specification.
Using the IEEE 802.1Q tunneling feature, service providers can use a single VLAN to support customers who
have multiple VLANs. Customer VLAN IDs are preserved, and traffic from different customers is segregated
within the service-provider network, even when they appear to be in the same VLAN. Using IEEE 802.1Q
tunneling expands VLAN space by using a VLAN-in-VLAN hierarchy and retagging the tagged packets. A
port configured to support IEEE 802.1Q tunneling is called a tunnel port. When you configure tunneling, you
assign a tunnel port to a VLAN ID that is dedicated to tunneling. Each customer requires a separate
service-provider VLAN ID, but that VLAN ID supports all of the customer’s VLANs.
Customer traffic tagged in the normal way with appropriate VLAN IDs comes from an IEEE 802.1Q trunk
port on the customer device and into a tunnel port on the service-provider edge switch. The link between the
customer device and the edge switch is asymmetric because one end is configured as an IEEE 802.1Q trunk
port, and the other end is configured as a tunnel port. You assign the tunnel port interface to an access VLAN
ID that is unique to each customer.


Figure 3: IEEE 802.1Q Tunnel Ports in a Service-Provider Network

Packets coming from the customer trunk port into the tunnel port on the service-provider edge switch are
normally IEEE 802.1Q-tagged with the appropriate VLAN ID. The tagged packets remain intact inside the
switch and when they exit the trunk port into the service-provider network, they are encapsulated with another
layer of an IEEE 802.1Q tag (called the metro tag) that contains the VLAN ID that is unique to the customer.
The original customer IEEE 802.1Q tag is preserved in the encapsulated packet. Therefore, packets entering
the service-provider network are double-tagged, with the outer (metro) tag containing the customer’s access
VLAN ID, and the inner VLAN ID being that of the incoming traffic.
When the double-tagged packet enters another trunk port in a service-provider core switch, the outer tag is
stripped as the switch processes the packet. When the packet exits another trunk port on the same core switch,
the same metro tag is again added to the packet.
Figure 4: Original (Normal), IEEE 802.1Q, and Double-Tagged Ethernet Packet Formats

This figure shows the tag structures of the double-tagged packets.

When the packet enters the trunk port of the service-provider egress switch, the outer tag is again stripped as
the switch internally processes the packet. However, the metro tag is not added when the packet is sent out
the tunnel port on the edge switch into the customer network. The packet is sent as a normal IEEE
802.1Q-tagged frame to preserve the original VLAN numbers in the customer network.
In the above network figure, Customer A was assigned VLAN 30, and Customer B was assigned VLAN 40.
Packets entering the edge switch tunnel ports with IEEE 802.1Q tags are double-tagged when they enter the
service-provider network, with the outer tag containing VLAN ID 30 or 40, appropriately, and the inner tag
containing the original VLAN number, for example, VLAN 100. Even if both Customers A and B have VLAN
100 in their networks, the traffic remains segregated within the service-provider network because the outer
tag is different. Each customer controls its own VLAN numbering space, which is independent of the VLAN
numbering space used by other customers and the VLAN numbering space used by the service-provider
network.
At the outbound tunnel port, the original VLAN numbers on the customer’s network are recovered. It is
possible to have multiple levels of tunneling and tagging, but the switch supports only one level in this release.
If traffic coming from a customer network is not tagged (native VLAN frames), these packets are bridged or
routed as normal packets. All packets entering the service-provider network through a tunnel port on an edge
switch are treated as untagged packets, whether they are untagged or already tagged with IEEE 802.1Q headers.
The packets are encapsulated with the metro tag VLAN ID (set to the access VLAN of the tunnel port) when
they are sent through the service-provider network on an IEEE 802.1Q trunk port. The priority field on the
metro tag is set to the interface class of service (CoS) priority configured on the tunnel port. (The default is
zero if none is configured.)
Related Topics
Configuring an IEEE 802.1Q Tunneling Port, on page 207
Example: Configuring an IEEE 802.1Q Tunneling Port, on page 218

IEEE 802.1Q Tunneling Configuration Guidelines


When you configure IEEE 802.1Q tunneling, you should always use an asymmetrical link between the customer
device and the edge switch, with the customer device port configured as an IEEE 802.1Q trunk port and the
edge switch port configured as a tunnel port.
Assign tunnel ports only to VLANs that are used for tunneling.
Configuration requirements for native VLANs and for maximum transmission units (MTUs) are explained
in these next sections.

Native VLANs
When configuring IEEE 802.1Q tunneling on an edge switch, you must use IEEE 802.1Q trunk ports for
sending packets into the service-provider network. However, packets going through the core of the
service-provider network can be carried through IEEE 802.1Q trunks, ISL trunks, or nontrunking links. When
IEEE 802.1Q trunks are used in these core switches, the native VLANs of the IEEE 802.1Q trunks must not
match any native VLAN of the nontrunking (tunneling) port on the same switch because traffic on the native
VLAN would not be tagged on the IEEE 802.1Q sending trunk port.
In the following network figure, VLAN 40 is configured as the native VLAN of the IEEE 802.1Q trunk port on the
ingress edge switch in the service-provider network (Switch B) that carries Customer X's traffic into the core.
Switch A of Customer X sends a tagged packet on VLAN 30 to the ingress tunnel port of Switch B, which belongs
to access VLAN 40. Because the access VLAN of the tunnel port (VLAN 40) is the same as the native VLAN of the
edge switch trunk port (VLAN 40), the metro tag is not added to tagged packets received from the tunnel port.
The packet carries only the VLAN 30 tag through the service-provider network to the trunk port of the egress
edge switch (Switch C), where VLAN 30 is read as a metro VLAN, and the packet is misdirected through the egress
switch tunnel port to Customer Y.
Figure 5: Potential Problems with IEEE 802.1Q Tunneling and Native VLANs

These are some ways to solve this problem:

• Use the vlan dot1q tag native global configuration command to configure the edge switches so that all
packets going out an IEEE 802.1Q trunk, including the native VLAN, are tagged. If the switch is configured
to tag native VLAN packets on all IEEE 802.1Q trunks, the switch accepts untagged packets, but sends only
tagged packets.
• Ensure that the native VLAN ID on the edge switch trunk port is not within the customer VLAN range. For
example, if the trunk port carries traffic of VLANs 100 to 200, assign the native VLAN a number outside
that range.

System MTU
The default system MTU for traffic on the switch is 1500 bytes.
You can configure 10-Gigabit and Gigabit Ethernet ports to support frames larger than 1500 bytes by using
the system mtu jumbo global configuration command.
The system MTU and system jumbo MTU values do not include the IEEE 802.1Q header. Because the IEEE
802.1Q tunneling feature increases the frame size by 4 bytes when the metro tag is added, you must configure
all switches in the service-provider network to be able to process maximum frames by adding 4 bytes to the
system MTU and system jumbo MTU sizes.
For example, the switch supports a maximum frame size of 1496 bytes with one of these configurations:
• The switch has a system jumbo MTU value of 1500 bytes, and the switchport mode dot1q-tunnel interface
configuration command is configured on a 10-Gigabit or Gigabit Ethernet switch port.
• The switch has a system MTU value of 1500 bytes, and the switchport mode dot1q-tunnel interface
configuration command is configured on a Fast Ethernet port.
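The native VLAN leak described under Native VLANs and the 4-byte MTU rule above are easier to see with a small model of the two edge switches. The following Python is an added example written for this page; it is not code from the Cisco guide. It models a tunnel port (every frame treated as untagged and assigned to the port's access VLAN), an IEEE 802.1Q trunk that sends the native VLAN untagged unless vlan dot1q tag native is set, the egress edge switch that maps the outermost tag back to a tunnel port, and the page's rule that the system MTU excludes one 802.1Q header. The MAC addresses, the access VLAN assignment (Customer X in VLAN 40, Customer Y in VLAN 30) and the frame contents are constructed to match the scenario in Figure 5.

```python
import struct

TPID = 0x8100  # IEEE 802.1Q tag protocol identifier


def build_frame(dst, src, payload, vlan=None, pcp=0, ethertype=0x0800):
    """Constructed sample frame; the optional single tag models the customer's own 802.1Q tag."""
    hdr = dst + src
    if vlan is not None:
        hdr += struct.pack("!HH", TPID, (pcp << 13) | vlan)
    return hdr + struct.pack("!H", ethertype) + payload


def vlan_tags(frame):
    """List the 802.1Q tags on a frame as (pcp, vid), outermost first."""
    tags, off = [], 12
    while struct.unpack_from("!H", frame, off)[0] == TPID:
        tci = struct.unpack_from("!H", frame, off + 2)[0]
        tags.append((tci >> 13, tci & 0x0FFF))
        off += 4
    return tags


def push_tag(frame, vid, pcp=0):
    """Insert an 802.1Q tag directly after the source MAC (this becomes the outermost tag)."""
    return frame[:12] + struct.pack("!HH", TPID, (pcp << 13) | vid) + frame[12:]


def pop_tag(frame):
    """Remove the outermost 802.1Q tag."""
    return frame[:12] + frame[16:]


def exceeds_system_mtu(frame, system_mtu):
    """Page rule: the system MTU excludes dst, src, ethertype and one 802.1Q header (18 bytes),
    so the metro tag pushes a full-size tagged customer frame 4 bytes over a 1500-byte system MTU."""
    return len(frame) - 18 > system_mtu


class EdgeSwitch:
    """Service-provider edge switch with tunnel ports (one access VLAN per customer)
    and a single IEEE 802.1Q trunk toward the core."""

    def __init__(self, tunnel_ports, trunk_native_vlan, tag_native=False):
        self.tunnel_ports = tunnel_ports            # {access_vlan: customer name}
        self.trunk_native_vlan = trunk_native_vlan
        self.tag_native = tag_native                # vlan dot1q tag native

    def tunnel_in_trunk_out(self, frame, access_vlan, port_cos=0):
        """Ingress on a tunnel port, egress on the trunk into the core. The tunnel port treats
        every frame as untagged and assigns it to its access VLAN; the customer's tag stays inside."""
        if access_vlan == self.trunk_native_vlan and not self.tag_native:
            # Native VLAN leaves the trunk untagged: no metro tag is added, so the customer's
            # own tag is now the outermost tag the core sees.
            return frame
        return push_tag(frame, access_vlan, port_cos)

    def trunk_in_tunnel_out(self, frame):
        """Ingress on the trunk from the core, egress on the tunnel port whose access VLAN matches
        the outermost tag. Returns (customer reached, frame as delivered)."""
        tags = vlan_tags(frame)
        if tags:
            metro_vlan, frame = tags[0][1], pop_tag(frame)
        else:
            metro_vlan = self.trunk_native_vlan
        return self.tunnel_ports.get(metro_vlan), frame


def native_vlan_scenario(tag_native):
    """Figure 5: Customer X sends a VLAN 30 frame into a tunnel port in access VLAN 40 on Switch B,
    whose trunk native VLAN is also 40. Returns (customer reached at Switch C, tags on the delivered frame)."""
    ports = {40: "Customer X", 30: "Customer Y"}   # constructed assignment
    switch_b = EdgeSwitch(ports, trunk_native_vlan=40, tag_native=tag_native)
    switch_c = EdgeSwitch(ports, trunk_native_vlan=40, tag_native=tag_native)
    customer_frame = build_frame(bytes.fromhex("02000000aa02"), bytes.fromhex("02000000aa01"),
                                 b"\x00" * 46, vlan=30, pcp=3)
    in_core = switch_b.tunnel_in_trunk_out(customer_frame, access_vlan=40)
    customer, delivered = switch_c.trunk_in_tunnel_out(in_core)
    return customer, vlan_tags(delivered)


if __name__ == "__main__":
    print("native VLAN untagged:", native_vlan_scenario(tag_native=False))
    print("vlan dot1q tag native:", native_vlan_scenario(tag_native=True))
    full = push_tag(build_frame(b"\x02" * 6, b"\x04" * 6, b"\x00" * 1500, vlan=100), 40)
    print("1500-byte payload with metro tag exceeds system mtu 1500:", exceeds_system_mtu(full, 1500))
    print("fits after system mtu jumbo 1504:", not exceeds_system_mtu(full, 1504))
```

With native tagging off, the customer's VLAN 30 tag is consumed as the metro tag at Switch C and the frame is delivered, stripped of its tag, to Customer Y's tunnel port; with vlan dot1q tag native on both edge switches the outer tag 40 steers it to Customer X with the customer tag intact. The second solution on the page (a native VLAN outside the customer range) corresponds to changing trunk_native_vlan so it never equals a customer VLAN or a tunnel port's access VLAN. exceeds_system_mtu reproduces the 1496, 1500 and 1504 figures quoted above.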


Default IEEE 802.1Q Tunneling Configuration


By default, IEEE 802.1Q tunneling is disabled because the default switchport mode is dynamic auto. Tagging
of IEEE 802.1Q native VLAN packets on all IEEE 802.1Q trunk ports is also disabled.

Layer 2 Protocol Tunneling Overview


Customers at different sites connected across a service-provider network need to use various Layer 2 protocols
to scale their topologies to include all remote sites, as well as the local sites. STP must run properly, and every
VLAN should build a proper spanning tree that includes the local site and all remote sites across the
service-provider network. Cisco Discovery Protocol (CDP) must discover neighboring Cisco devices from
local and remote sites. VLAN Trunking Protocol (VTP) must provide consistent VLAN configuration
throughout all sites in the customer network.
When protocol tunneling is enabled, edge switches on the inbound side of the service-provider network
encapsulate Layer 2 protocol packets with a special MAC address and send them across the service-provider
network. Core switches in the network do not process these packets but forward them as normal packets.
Layer 2 protocol data units (PDUs) for CDP, STP, or VTP cross the service-provider network and are delivered
to customer switches on the outbound side of the service-provider network. Identical packets are received by
all customer ports on the same VLANs with these results:
• Users on each of a customer’s sites can properly run STP, and every VLAN can build a correct spanning
tree based on parameters from all sites and not just from the local site.
• CDP discovers and shows information about the other Cisco devices connected through the
service-provider network.
• VTP provides consistent VLAN configuration throughout the customer network, propagating to all
switches through the service provider.

Note To provide interoperability with third-party vendors, you can use the Layer 2 protocol-tunnel bypass feature.
Bypass mode transparently forwards control PDUs to vendor switches that have different ways of controlling
protocol tunneling. You implement bypass mode by enabling Layer 2 protocol tunneling on the egress trunk
port. When Layer 2 protocol tunneling is enabled on the trunk port, the encapsulated tunnel MAC address is
removed and the protocol packets have their normal MAC address.

Layer 2 protocol tunneling can be used independently or can enhance IEEE 802.1Q tunneling. If protocol
tunneling is not enabled on IEEE 802.1Q tunneling ports, remote switches at the receiving end of the
service-provider network do not receive the PDUs and cannot properly run STP, CDP, and VTP. When
protocol tunneling is enabled, Layer 2 protocols within each customer's network are totally separate from
those running within the service-provider network. Customer switches on different sites that send traffic
through the service-provider network with IEEE 802.1Q tunneling achieve complete knowledge of the
customer's VLAN. If IEEE 802.1Q tunneling is not used, you can still enable Layer 2 protocol tunneling by
connecting to the customer switch through access ports and by enabling tunneling on the service-provider
access port.
For example, in the following figure (Layer 2 Protocol Tunneling), Customer X has four switches in the same
VLAN that are connected through the service-provider network. If the network does not tunnel PDUs, switches
on the far ends of the network cannot properly run STP, CDP, and VTP. For example, STP for a VLAN on
a switch in Customer X, Site 1, will build a spanning tree on the switches at that site without considering
convergence parameters based on Customer X's switch in Site 2. This could result in the topology shown in
the Layer 2 Network Topology without Proper Convergence figure.
Figure 6: Layer 2 Protocol Tunneling

Figure 7: Layer 2 Network Topology Without Proper Convergence

In an SP network, you can use Layer 2 protocol tunneling to enhance the creation of EtherChannels by
emulating a point-to-point network topology. When you enable protocol tunneling (PAgP or LACP) on the
SP switch, remote customer switches receive the PDUs and can negotiate the automatic creation of
EtherChannels.
For example, in the following figure (Layer 2 Protocol Tunneling for EtherChannels), Customer A has two
switches in the same VLAN that are connected through the SP network. When the network tunnels PDUs,
switches on the far ends of the network can negotiate the automatic creation of EtherChannels without needing
dedicated lines.


Figure 8: Layer 2 Protocol Tunneling for EtherChannels

Layer 2 Protocol Tunneling on Ports


You can enable Layer 2 protocol tunneling (by protocol) on the ports that are connected to the customer in
the edge switches of the service-provider network; those edge switches perform the tunneling process. Edge
switch tunnel ports are connected to customer IEEE 802.1Q trunk ports. Edge switch access ports are
connected to customer access ports.
You can enable Layer 2 protocol tunneling on ports that are configured as access ports or tunnel ports. You
cannot enable Layer 2 protocol tunneling on ports configured in either switchport mode dynamic auto mode
(the default mode) or switchport mode dynamic desirable mode.
The switch supports Layer 2 protocol tunneling for CDP, STP, and VTP. For emulated point-to-point network
topologies, it also supports PAgP, LACP, and UDLD protocols. The switch does not support Layer 2 protocol
tunneling for LLDP.

Note PAgP, LACP, and UDLD protocol tunneling is only intended to emulate a point-to-point topology. An
erroneous configuration that sends tunneled packets to many ports could lead to a network failure.

When the Layer 2 PDUs that entered the service-provider inbound edge switch through a Layer 2
protocol-enabled port exit through the trunk port into the service-provider network, the switch overwrites the
customer PDU-destination MAC address with a well-known Cisco proprietary multicast address
(01-00-0c-cd-cd-d0). If IEEE 802.1Q tunneling is enabled, packets are also double-tagged; the outer tag is
the customer metro tag, and the inner tag is the customer’s VLAN tag. The core switches ignore the inner
tags and forward the packet to all trunk ports in the same metro VLAN. The edge switches on the outbound
side restore the proper Layer 2 protocol and MAC address information and forward the packets to all tunnel
or access ports in the same metro VLAN. Therefore, the Layer 2 PDUs remain intact and are delivered across
the service-provider infrastructure to the other side of the customer network.
See the Layer 2 Protocol Tunneling figure in Layer 2 Protocol Tunneling Overview, on page 204, with Customer
X and Customer Y in access VLANs 30 and 40, respectively. Asymmetric links connect the customers in Site
1 to edge switches in the service-provider network. The Layer 2 PDUs (for example, BPDUs) coming into
Switch B from Customer Y in Site 1 are forwarded to the infrastructure as double-tagged packets with the
well-known MAC address as the destination MAC address. These double-tagged packets have the metro
VLAN tag of 40, as well as an inner VLAN tag (for example, VLAN 100). When the double-tagged packets
enter Switch D, the outer VLAN tag 40 is removed, the well-known MAC address is replaced with the
respective Layer 2 protocol MAC address, and the packet is sent to Customer Y on Site 2 as a single-tagged
frame in VLAN 100.
You can also enable Layer 2 protocol tunneling on access ports on the edge switch connected to access or
trunk ports on the customer switch. In this case, the encapsulation and decapsulation process is the same as
described in the previous paragraph, except that the packets are not double-tagged in the service-provider
network. The single tag is the customer-specific access VLAN tag.
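The encapsulation and decapsulation just described, for the access-port case where no metro tag is involved, together with the drop and shutdown thresholds and the l2ptguard errdisable recovery used in the procedures that follow, as an added Python model that is not code from the Cisco guide. On ingress it overwrites the PDU destination MAC with 01-00-0c-cd-cd-d0, counts PDUs per protocol per second against the thresholds, and error-disables the port when the shutdown threshold is exceeded; on egress it restores the protocol's normal destination MAC. The STP and CDP/VTP destination addresses and the LLC/SNAP headers used to tell the protocols apart are well-known values the page does not list; the sample PDUs, the thresholds and the timestamps are constructed.

```python
import struct

# 01-00-0c-cd-cd-d0 is the tunnel address named on this page; the other two are the
# standard PDU destinations (IEEE bridge group address for STP, Cisco multicast for CDP/VTP).
L2PT_MAC = bytes.fromhex("01000ccdcdd0")
STP_MAC = bytes.fromhex("0180c2000000")
CISCO_MAC = bytes.fromhex("01000ccccccc")
RESTORE_MAC = {"stp": STP_MAC, "cdp": CISCO_MAC, "vtp": CISCO_MAC}
SNAP_PID = {"cdp": 0x2000, "vtp": 0x2003}   # protocol IDs under the Cisco OUI 00-00-0c


def build_pdu(proto, src=bytes.fromhex("0200000000c1"), body=b"\x00" * 20):
    """Constructed sample PDU: 802.3 length field, then LLC (STP) or LLC/SNAP (CDP, VTP)."""
    if proto == "stp":
        llc = b"\x42\x42\x03"
    else:
        llc = b"\xaa\xaa\x03\x00\x00\x0c" + struct.pack("!H", SNAP_PID[proto])
    data = llc + body
    return RESTORE_MAC[proto] + src + struct.pack("!H", len(data)) + data


def classify_pdu(frame):
    """Tell the protocols apart by their LLC/SNAP header. This is how the model decides which
    MAC to restore on egress; the page only states that the address is restored."""
    if frame[14:17] == b"\x42\x42\x03":
        return "stp"
    if frame[14:17] == b"\xaa\xaa\x03" and frame[17:20] == b"\x00\x00\x0c":
        pid = struct.unpack_from("!H", frame, 20)[0]
        return next((p for p, v in SNAP_PID.items() if v == pid), None)
    return None


class L2ptPort:
    """One edge-switch access port with l2protocol-tunnel enabled (no metro tag on this port type)."""

    def __init__(self, protocols, drop_threshold=None, shutdown_threshold=None,
                 errdisable_recovery=False, recovery_interval=300):
        if (drop_threshold is not None and shutdown_threshold is not None
                and drop_threshold > shutdown_threshold):
            raise ValueError("drop-threshold must be <= shutdown-threshold")
        self.protocols = set(protocols)
        self.drop_threshold = drop_threshold
        self.shutdown_threshold = shutdown_threshold
        self.errdisable_recovery = errdisable_recovery   # errdisable recovery cause l2ptguard
        self.recovery_interval = recovery_interval       # seconds; 300 is the page's default
        self.errdisabled_at = None
        self.counters = {p: {"encap": 0, "drop": 0} for p in self.protocols}
        self._second, self._rates = None, {}

    def _rate(self, proto, now):
        """Packets of this protocol seen so far in the current one-second window."""
        if int(now) != self._second:
            self._second, self._rates = int(now), {}
        self._rates[proto] = self._rates.get(proto, 0) + 1
        return self._rates[proto]

    def ingress(self, frame, now):
        """Inbound edge processing. Returns (action, frame); only 'encapsulated' and
        'not-tunneled' carry a frame onward."""
        if self.errdisabled_at is not None:
            if self.errdisable_recovery and now - self.errdisabled_at >= self.recovery_interval:
                self.errdisabled_at = None          # l2ptguard recovery re-enables the port
            else:
                return "errdisabled", None
        proto = classify_pdu(frame)
        if proto not in self.protocols:
            return "not-tunneled", frame            # bridged as an ordinary frame
        rate = self._rate(proto, now)
        if self.shutdown_threshold is not None and rate > self.shutdown_threshold:
            self.errdisabled_at = now
            return "errdisabled", None
        if self.drop_threshold is not None and rate > self.drop_threshold:
            self.counters[proto]["drop"] += 1
            return "dropped", None
        self.counters[proto]["encap"] += 1
        return "encapsulated", L2PT_MAC + frame[6:]  # only the destination MAC is rewritten


def egress_decapsulate(frame):
    """Outbound edge: put the protocol's normal destination MAC back before delivery to the customer port."""
    if frame[:6] != L2PT_MAC:
        return frame
    proto = classify_pdu(frame)
    return frame if proto is None else RESTORE_MAC[proto] + frame[6:]


if __name__ == "__main__":
    port = L2ptPort({"cdp", "stp", "vtp"}, drop_threshold=3, shutdown_threshold=5,
                    errdisable_recovery=True)
    bpdu = build_pdu("stp")
    action, tunneled = port.ingress(bpdu, now=0)
    print(action, tunneled[:6].hex("-"), "restored:", egress_decapsulate(tunneled) == bpdu)
    print("burst of 6 CDP PDUs in one second:", [port.ingress(build_pdu("cdp"), now=1)[0] for _ in range(6)])
    print("at t=2:", port.ingress(bpdu, now=2)[0], "at t=301:", port.ingress(bpdu, now=301)[0])
    print(port.counters)
```

The constructor enforces the relationship the procedures state (drop-threshold no greater than shutdown-threshold), and the burst shows why the two thresholds are distinct: packets above the drop threshold are discarded and counted, while the first packet above the shutdown threshold error-disables the port for everything until the recovery interval has elapsed. The counters mirror the Encapsulation Counter and Drop Counter columns of show l2protocol.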
Related Topics
Configuring Layer 2 Protocol Tunneling, on page 210
Example: Configuring Layer 2 Protocol Tunneling, on page 219

Default Layer 2 Protocol Tunneling Configuration


The following table shows the default Layer 2 protocol tunneling configuration.

Table 20: Default Layer 2 Protocol Tunneling Configuration

Feature                      Default Setting
Layer 2 protocol tunneling   Disabled.
Shutdown threshold           None set.
Drop threshold               None set.
CoS value                    If a CoS value is configured on the interface, that value is used to set the BPDU CoS value for Layer 2 protocol tunneling. If no CoS value is configured at the interface level, the default value for CoS marking of Layer 2 protocol tunneling BPDUs is 5. This does not apply to data traffic.

How to Configure Tunneling


Configuring an IEEE 802.1Q Tunneling Port
SUMMARY STEPS
1. enable
2. configure terminal
3. interface interface-id
4. switchport access vlan vlan-id
5. switchport mode dot1q-tunnel
6. exit
7. vlan dot1q tag native
8. end
9. Use one of the following:


• show dot1q-tunnel
• show running-config interface
10. show vlan dot1q tag native
11. copy running-config startup-config

DETAILED STEPS

Step 1  enable
Purpose: Enables privileged EXEC mode. Enter your password if prompted.
Example:
SwitchDevice> enable

Step 2  configure terminal
Purpose: Enters global configuration mode.
Example:
SwitchDevice# configure terminal

Step 3  interface interface-id
Purpose: Enters interface configuration mode for the interface to be configured as a tunnel port. This should be the edge port in the service-provider network that connects to the customer switch. Valid interfaces include physical interfaces and port-channel logical interfaces (port channels 1 to 48).
Example:
SwitchDevice(config)# interface gigabitethernet2/0/1

Step 4  switchport access vlan vlan-id
Purpose: Specifies the access VLAN of the tunnel port. This is the customer's metro VLAN: its ID is carried in the outer tag of every frame the tunnel port sends into the service-provider network, so use a VLAN ID that is specific to the particular customer and is used only for tunneling.
Example:
SwitchDevice(config-if)# switchport access vlan 2

Step 5  switchport mode dot1q-tunnel
Purpose: Sets the interface as an IEEE 802.1Q tunnel port.
Note: Use the no switchport mode dot1q-tunnel interface configuration command to return the port to the default switchport mode, dynamic auto.
Example:
SwitchDevice(config-if)# switchport mode dot1q-tunnel

Step 6  exit
Purpose: Returns to global configuration mode.
Example:
SwitchDevice(config-if)# exit

Step 7  vlan dot1q tag native
Purpose: (Optional) Sets the switch to enable tagging of native VLAN packets on all IEEE 802.1Q trunk ports. When not set, and the access VLAN of a tunnel port is the same as the native VLAN of the trunk, the trunk port does not apply a metro tag, and packets could be sent to the wrong destination.
Note: Use the no vlan dot1q tag native global configuration command to disable tagging of native VLAN packets.
Example:
SwitchDevice(config)# vlan dot1q tag native

Step 8  end
Purpose: Returns to privileged EXEC mode.
Example:
SwitchDevice(config)# end

Step 9  show dot1q-tunnel or show running-config interface
Purpose: Displays the ports configured for IEEE 802.1Q tunneling. show dot1q-tunnel lists the ports that are in tunnel mode.
Example:
SwitchDevice# show dot1q-tunnel
or
SwitchDevice# show running-config interface

Step 10  show vlan dot1q tag native
Purpose: Displays IEEE 802.1Q native VLAN tagging status.
Example:
SwitchDevice# show vlan dot1q tag native

Step 11  copy running-config startup-config
Purpose: (Optional) Saves your entries in the configuration file.
Example:
SwitchDevice# copy running-config startup-config

Related Topics
IEEE 802.1Q Tunneling, on page 200
IEEE 802.1Q Tunneling, on page 197
Example: Configuring an IEEE 802.1Q Tunneling Port, on page 218


Configuring Layer 2 Protocol Tunneling


SUMMARY STEPS
1. enable
2. configure terminal
3. interface interface-id
4. Use one of the following:
• switchport mode access
• switchport mode dot1q-tunnel
5. l2protocol-tunnel [cdp | lldp | point-to-point | stp | vtp]
6. l2protocol-tunnel shutdown-threshold [cdp | lldp | point-to-point | stp | vtp] value
7. l2protocol-tunnel drop-threshold [cdp | lldp | point-to-point | stp | vtp] value
8. exit
9. errdisable recovery cause l2ptguard
10. l2protocol-tunnel cos value
11. end
12. show l2protocol
13. copy running-config startup-config

DETAILED STEPS

Step 1  enable
Purpose: Enables privileged EXEC mode. Enter your password if prompted.
Example:
SwitchDevice> enable

Step 2  configure terminal
Purpose: Enters global configuration mode.
Example:
SwitchDevice# configure terminal

Step 3  interface interface-id
Purpose: Specifies the edge-switch interface connected to the customer switch, and enters interface configuration mode.
Example:
SwitchDevice(config)# interface gigabitethernet1/0/1

Step 4  switchport mode access or switchport mode dot1q-tunnel
Purpose: Configures the interface as an access port or an IEEE 802.1Q tunnel port. Layer 2 protocol tunneling cannot be enabled on a port that is in dynamic auto (the default) or dynamic desirable mode.
Example:
SwitchDevice(config-if)# switchport mode access
or
SwitchDevice(config-if)# switchport mode dot1q-tunnel

Step 5  l2protocol-tunnel [cdp | lldp | point-to-point | stp | vtp]
Purpose: Enables protocol tunneling for the desired protocol. If no keyword is entered, tunneling is enabled for CDP, STP, and VTP.
Note: Use the no l2protocol-tunnel [cdp | lldp | point-to-point | stp | vtp] interface configuration command to disable protocol tunneling for one of the Layer 2 protocols or for all of them.
Example:
SwitchDevice(config-if)# l2protocol-tunnel cdp

Step 6  l2protocol-tunnel shutdown-threshold [cdp | lldp | point-to-point | stp | vtp] value
Purpose: (Optional) Configures the threshold for packets per second accepted for encapsulation. The interface is error-disabled if the configured threshold is exceeded. If no protocol option is specified, the threshold applies to each of the tunneled Layer 2 protocol types. The range is 1 to 4096. The default is to have no threshold configured.
Note: If you also set a drop threshold on this interface, the shutdown-threshold value must be greater than or equal to the drop-threshold value.
Example:
SwitchDevice(config-if)# l2protocol-tunnel shutdown-threshold cdp 100

Step 7  l2protocol-tunnel drop-threshold [cdp | lldp | point-to-point | stp | vtp] value
Purpose: (Optional) Configures the threshold for packets per second accepted for encapsulation. The interface drops packets that arrive above the configured threshold. If no protocol option is specified, the threshold applies to each of the tunneled Layer 2 protocol types. The range is 1 to 4096. The default is to have no threshold configured.
Note: If you also set a shutdown threshold on this interface, the drop-threshold value must be less than or equal to the shutdown-threshold value.
Note: Use the no l2protocol-tunnel shutdown-threshold [cdp | lldp | point-to-point | stp | vtp] and the no l2protocol-tunnel drop-threshold [cdp | lldp | point-to-point | stp | vtp] interface configuration commands to return the shutdown and drop thresholds to the default settings.
Example:
SwitchDevice(config-if)# l2protocol-tunnel drop-threshold cdp 100

Step 8  exit
Purpose: Returns to global configuration mode.
Example:
SwitchDevice(config-if)# exit

Step 9  errdisable recovery cause l2ptguard
Purpose: (Optional) Configures the recovery mechanism from a Layer 2 maximum-rate error so that the interface is reenabled and can try again. Errdisable recovery is disabled by default; when enabled, the default time interval is 300 seconds.
Example:
SwitchDevice(config)# errdisable recovery cause l2ptguard

Step 10  l2protocol-tunnel cos value
Purpose: (Optional) Configures the CoS value for all tunneled Layer 2 PDUs. The range is 0 to 7; the default is the default CoS value for the interface. If none is configured, the default is 5.
Example:
SwitchDevice(config)# l2protocol-tunnel cos 7

Step 11  end
Purpose: Returns to privileged EXEC mode.
Example:
SwitchDevice(config)# end

Step 12  show l2protocol
Purpose: Displays the Layer 2 tunnel ports on the switch, including the protocols configured, the thresholds, and the counters.
Example:
SwitchDevice# show l2protocol

Step 13  copy running-config startup-config
Purpose: (Optional) Saves your entries in the configuration file.
Example:
SwitchDevice# copy running-config startup-config

Related Topics
Layer 2 Protocol Tunneling on Ports, on page 206
Layer 2 Protocol Tunneling , on page 198


Layer 2 Tunneling for EtherChannels, on page 199


Example: Configuring Layer 2 Protocol Tunneling, on page 219

Configuring the SP Edge Switch


Before you begin
For EtherChannels, you need to configure both the SP (service-provider) edge switches and the customer
switches for Layer 2 protocol tunneling.

SUMMARY STEPS
1. enable
2. configure terminal
3. interface interface-id
4. switchport mode dot1q-tunnel
5. l2protocol-tunnel point-to-point [pagp | lacp | udld]
6. l2protocol-tunnel shutdown-threshold [point-to-point [pagp | lacp | udld]] value
7. l2protocol-tunnel drop-threshold [point-to-point [pagp | lacp | udld]] value
8. no cdp enable
9. spanning-tree bpdufilter enable
10. exit
11. errdisable recovery cause l2ptguard
12. l2protocol-tunnel cos value
13. end
14. show l2protocol
15. copy running-config startup-config

DETAILED STEPS

Step 1  enable
Purpose: Enables privileged EXEC mode. Enter your password if prompted.
Example:
SwitchDevice> enable

Step 2  configure terminal
Purpose: Enters global configuration mode.
Example:
SwitchDevice# configure terminal

Step 3  interface interface-id
Purpose: Specifies the SP edge-switch interface connected to the customer switch, and enters interface configuration mode.
Example:
SwitchDevice(config)# interface gigabitethernet1/0/1

Step 4  switchport mode dot1q-tunnel
Purpose: Configures the interface as an IEEE 802.1Q tunnel port.
Example:
SwitchDevice(config-if)# switchport mode dot1q-tunnel

Step 5  l2protocol-tunnel point-to-point [pagp | lacp | udld]
Purpose: (Optional) Enables point-to-point protocol tunneling for the desired protocol. If no keyword is entered, tunneling is enabled for all three protocols.
Note: To avoid a network failure, make sure that the network is a point-to-point topology before you enable tunneling for PAgP, LACP, or UDLD packets.
Note: Use the no l2protocol-tunnel [point-to-point [pagp | lacp | udld]] interface configuration command to disable point-to-point protocol tunneling for one of the Layer 2 protocols or for all three.
Example:
SwitchDevice(config-if)# l2protocol-tunnel point-to-point pagp

Step 6  l2protocol-tunnel shutdown-threshold [point-to-point [pagp | lacp | udld]] value
Purpose: (Optional) Configures the threshold for packets per second accepted for encapsulation. The interface is error-disabled if the configured threshold is exceeded. If no protocol option is specified, the threshold applies to each of the tunneled Layer 2 protocol types. The range is 1 to 4096. The default is to have no threshold configured.
Note: If you also set a drop threshold on this interface, the shutdown-threshold value must be greater than or equal to the drop-threshold value.
Example:
SwitchDevice(config-if)# l2protocol-tunnel shutdown-threshold point-to-point pagp 500

Step 7  l2protocol-tunnel drop-threshold [point-to-point [pagp | lacp | udld]] value
Purpose: (Optional) Configures the threshold for packets per second accepted for encapsulation. The interface drops packets that arrive above the configured threshold. If no protocol option is specified, the threshold applies to each of the tunneled Layer 2 protocol types. The range is 1 to 4096. The default is to have no threshold configured.
Note: If you also set a shutdown threshold on this interface, the drop-threshold value must be less than or equal to the shutdown-threshold value. The example below therefore uses a drop threshold of 100 with the shutdown threshold of 500 set in Step 6.
Note: Use the no l2protocol-tunnel shutdown-threshold [point-to-point [pagp | lacp | udld]] and the no l2protocol-tunnel drop-threshold [point-to-point [pagp | lacp | udld]] commands to return the shutdown and drop thresholds to the default settings.
Example:
SwitchDevice(config-if)# l2protocol-tunnel drop-threshold point-to-point pagp 100

Step 8  no cdp enable
Purpose: Disables CDP on the interface, so that the edge switch does not originate its own CDP packets toward the customer port.
Example:
SwitchDevice(config-if)# no cdp enable

Step 9  spanning-tree bpdufilter enable
Purpose: Enables BPDU filtering on the interface, so that the edge switch neither sends its own BPDUs on the customer port nor processes the customer's BPDUs as part of its own spanning tree.
Example:
SwitchDevice(config-if)# spanning-tree bpdufilter enable

Step 10  exit
Purpose: Returns to global configuration mode.
Example:
SwitchDevice(config-if)# exit

Step 11  errdisable recovery cause l2ptguard
Purpose: (Optional) Configures the recovery mechanism from a Layer 2 maximum-rate error so that the interface is reenabled and can try again. Errdisable recovery is disabled by default; when enabled, the default time interval is 300 seconds.
Example:
SwitchDevice(config)# errdisable recovery cause l2ptguard

Step 12  l2protocol-tunnel cos value
Purpose: (Optional) Configures the CoS value for all tunneled Layer 2 PDUs. The range is 0 to 7; the default is the default CoS value for the interface. If none is configured, the default is 5.
Example:
SwitchDevice(config)# l2protocol-tunnel cos 2

Step 13  end
Purpose: Returns to privileged EXEC mode.
Example:
SwitchDevice(config)# end

Step 14  show l2protocol
Purpose: Displays the Layer 2 tunnel ports on the switch, including the protocols configured, the thresholds, and the counters.
Example:
SwitchDevice# show l2protocol

Step 15  copy running-config startup-config
Purpose: (Optional) Saves your entries in the configuration file.
Example:
SwitchDevice# copy running-config startup-config

Related Topics
Examples: Configuring the SP Edge and Customer Switches, on page 219

Configuring the Customer Switch


Before you begin
For EtherChannels, you need to configure both the SP edge switch and the customer switches for Layer 2
protocol tunneling.

SUMMARY STEPS
1. enable
2. configure terminal
3. interface interface-id
4. switchport trunk encapsulation dot1q
5. switchport mode trunk
6. udld port
7. channel-group channel-group-number mode desirable
8. exit
9. interface port-channel port-channel-number
10. shutdown
11. no shutdown
12. end
13. show l2protocol
14. copy running-config startup-config

DETAILED STEPS

Step 1  enable
Purpose: Enables privileged EXEC mode. Enter your password if prompted.
Example:
SwitchDevice> enable

Step 2  configure terminal
Purpose: Enters global configuration mode.
Example:
SwitchDevice# configure terminal

Step 3  interface interface-id
Purpose: Specifies the customer-switch interface connected to the SP edge switch, and enters interface configuration mode.
Example:
SwitchDevice(config)# interface gigabitethernet1/0/1

Step 4  switchport trunk encapsulation dot1q
Purpose: Sets the trunking encapsulation format to IEEE 802.1Q.
Example:
SwitchDevice(config-if)# switchport trunk encapsulation dot1q

Step 5  switchport mode trunk
Purpose: Enables trunking on the interface.
Example:
SwitchDevice(config-if)# switchport mode trunk

Step 6  udld port
Purpose: Enables UDLD in normal mode on the interface.
Example:
SwitchDevice(config-if)# udld port

Step 7  channel-group channel-group-number mode desirable
Purpose: Assigns the interface to a channel group, and specifies desirable for the PAgP mode.
Example:
SwitchDevice(config-if)# channel-group 25 mode desirable

Step 8  exit
Purpose: Returns to global configuration mode.
Example:
SwitchDevice(config-if)# exit

Step 9  interface port-channel port-channel-number
Purpose: Enters port-channel interface mode.
Example:
SwitchDevice(config)# interface port-channel 25

Step 10  shutdown
Purpose: Shuts down the interface.
Example:
SwitchDevice(config-if)# shutdown

Step 11  no shutdown
Purpose: Enables the interface.
Example:
SwitchDevice(config-if)# no shutdown

Step 12  end
Purpose: Returns to privileged EXEC mode.
Example:
SwitchDevice(config-if)# end

Step 13  show l2protocol
Purpose: Displays the Layer 2 tunnel ports on the switch, including the protocols configured, the thresholds, and the counters.
Example:
SwitchDevice# show l2protocol

Step 14  copy running-config startup-config
Purpose: (Optional) Saves your entries in the configuration file.
Note: Use the no switchport mode trunk, the no udld port, and the no channel-group channel-group-number interface configuration commands to return the interface to the default settings.
Example:
SwitchDevice# copy running-config startup-config

Related Topics
Examples: Configuring the SP Edge and Customer Switches, on page 219

Configuration Examples for IEEE 802.1Q and Layer 2 Protocol Tunneling
Example: Configuring an IEEE 802.1Q Tunneling Port
The following example shows how to configure an interface as a tunnel port, enable tagging of native VLAN
packets, and verify the configuration.

Switch(config)# interface gigabitethernet1/0/7
Switch(config-if)# switchport access vlan 22
% Access VLAN does not exist. Creating vlan 22
Switch(config-if)# switchport mode dot1q-tunnel
Switch(config-if)# exit
Switch(config)# vlan dot1q tag native
Switch(config)# end
Switch# show dot1q-tunnel interface gigabitethernet1/0/7
Port
-----
Gi1/0/7
Switch# show vlan dot1q tag native
dot1q native vlan tagging is enabled

Related Topics
Configuring an IEEE 802.1Q Tunneling Port, on page 207
IEEE 802.1Q Tunneling, on page 200
IEEE 802.1Q Tunneling, on page 197

Example: Configuring Layer 2 Protocol Tunneling


The following example shows how to configure Layer 2 protocol tunneling for CDP, STP, and VTP and to
verify the configuration.

Switch(config)# interface gigabitethernet1/0/11
Switch(config-if)# l2protocol-tunnel cdp
Switch(config-if)# l2protocol-tunnel stp
Switch(config-if)# l2protocol-tunnel vtp
Switch(config-if)# l2protocol-tunnel shutdown-threshold 1500
Switch(config-if)# l2protocol-tunnel drop-threshold 1000
Switch(config-if)# exit
Switch(config)# l2protocol-tunnel cos 7
Switch(config)# end
Switch# show l2protocol

COS for Encapsulated Packets: 7

Port      Protocol  Shutdown   Drop       Encapsulation  Decapsulation  Drop
                    Threshold  Threshold  Counter        Counter        Counter
--------  --------  ---------  ---------  -------------  -------------  -------
Gi1/0/11  cdp       1500       1000       2288           2282           0
          stp       1500       1000       116            13             0
          vtp       1500       1000       3              67             0
          pagp      ----       ----       0              0              0
          lacp      ----       ----       0              0              0
          udld      ----       ----       0              0              0

Related Topics
Configuring Layer 2 Protocol Tunneling, on page 210
Layer 2 Protocol Tunneling on Ports, on page 206
Layer 2 Protocol Tunneling , on page 198
Layer 2 Tunneling for EtherChannels, on page 199

Examples: Configuring the SP Edge and Customer Switches


This example shows how to configure the SP edge switch 1 and edge switch 2. VLANs 17, 18, 19, and 20
are the access VLANs, Fast Ethernet interfaces 1 and 2 are point-to-point tunnel ports with PAgP and UDLD
enabled, the drop threshold is 1000, and Fast Ethernet interface 3 is a trunk port.


SP edge switch 1 configuration:

Switch(config)# interface gigabitethernet1/0/1
Switch(config-if)# switchport access vlan 17
Switch(config-if)# switchport mode dot1q-tunnel
Switch(config-if)# l2protocol-tunnel point-to-point pagp
Switch(config-if)# l2protocol-tunnel point-to-point udld
Switch(config-if)# l2protocol-tunnel drop-threshold point-to-point pagp 1000
Switch(config-if)# exit
Switch(config)# interface gigabitethernet1/0/2
Switch(config-if)# switchport access vlan 18
Switch(config-if)# switchport mode dot1q-tunnel
Switch(config-if)# l2protocol-tunnel point-to-point pagp
Switch(config-if)# l2protocol-tunnel point-to-point udld
Switch(config-if)# l2protocol-tunnel drop-threshold point-to-point pagp 1000
Switch(config-if)# exit
Switch(config)# interface gigabitethernet1/0/3
Switch(config-if)# switchport trunk encapsulation isl
Switch(config-if)# switchport mode trunk

SP edge switch 2 configuration:

Switch(config)# interface gigabitethernet1/0/1
Switch(config-if)# switchport access vlan 19
Switch(config-if)# switchport mode dot1q-tunnel
Switch(config-if)# l2protocol-tunnel point-to-point pagp
Switch(config-if)# l2protocol-tunnel point-to-point udld
Switch(config-if)# l2protocol-tunnel drop-threshold point-to-point pagp 1000
Switch(config-if)# exit
Switch(config)# interface gigabitethernet1/0/2
Switch(config-if)# switchport access vlan 20
Switch(config-if)# switchport mode dot1q-tunnel
Switch(config-if)# l2protocol-tunnel point-to-point pagp
Switch(config-if)# l2protocol-tunnel point-to-point udld
Switch(config-if)# l2protocol-tunnel drop-threshold point-to-point pagp 1000
Switch(config-if)# exit
Switch(config)# interface gigabitethernet1/0/3
Switch(config-if)# switchport trunk encapsulation isl
Switch(config-if)# switchport mode trunk

This example shows how to configure the customer switch at Site 1. Fast Ethernet interfaces 1, 2, 3, and 4
are set for IEEE 802.1Q trunking, UDLD is enabled, EtherChannel group 1 is enabled, and the port channel
is shut down and then enabled to activate the EtherChannel configuration.

Switch(config)# interface gigabitethernet1/0/1
Switch(config-if)# switchport trunk encapsulation dot1q
Switch(config-if)# switchport mode trunk
Switch(config-if)# udld enable
Switch(config-if)# channel-group 1 mode desirable
Switch(config-if)# exit
Switch(config)# interface gigabitethernet1/0/2
Switch(config-if)# switchport trunk encapsulation dot1q
Switch(config-if)# switchport mode trunk
Switch(config-if)# udld enable
Switch(config-if)# channel-group 1 mode desirable
Switch(config-if)# exit
Switch(config)# interface gigabitethernet1/0/3
Switch(config-if)# switchport trunk encapsulation dot1q
Switch(config-if)# switchport mode trunk
Switch(config-if)# udld enable
Switch(config-if)# channel-group 1 mode desirable
Switch(config-if)# exit
Switch(config)# interface gigabitethernet1/0/4
Switch(config-if)# switchport trunk encapsulation dot1q
Switch(config-if)# switchport mode trunk
Switch(config-if)# udld enable
Switch(config-if)# channel-group 1 mode desirable
Switch(config-if)# exit
Switch(config)# interface port-channel 1
Switch(config-if)# shutdown
Switch(config-if)# no shutdown
Switch(config-if)# exit

Related Topics
Configuring the SP Edge Switch, on page 213
Configuring the Customer Switch, on page 216

Monitoring Tunneling Status


The following table describes the commands used to monitor tunneling status.

Table 21: Commands for Monitoring Tunneling

Command                                        Purpose
clear l2protocol-tunnel counters               Clears the protocol counters on Layer 2 protocol tunneling ports.
show dot1q-tunnel                              Displays IEEE 802.1Q tunnel ports on the switch.
show dot1q-tunnel interface interface-id       Verifies if a specific interface is a tunnel port.
show l2protocol-tunnel                         Displays information about Layer 2 protocol tunneling ports.
show errdisable recovery                       Verifies if the recovery timer from a Layer 2 protocol-tunnel error disable state is enabled.
show l2protocol-tunnel interface interface-id  Displays information about a specific Layer 2 protocol tunneling port.
show l2protocol-tunnel summary                 Displays only Layer 2 protocol summary information.
show vlan dot1q tag native                     Displays the status of native VLAN tagging on the switch.
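The show l2protocol output in the Layer 2 protocol tunneling example above and the monitoring commands in Table 21 are what an operator reads to confirm that tunneling is healthy. The following Python script is an added example and is not part of this guide or of Cisco IOS: it parses that output (copied from the page into a string) and a second, constructed sample, then reports protocol rows whose drop counter is non-zero or that are carrying tunneled traffic with no shutdown or drop threshold configured. The column layout is assumed from the sample on the page.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Sample output copied from the page's `show l2protocol` example.
PAGE_SAMPLE = """\
COS for Encapsulated Packets: 7

Port     Protocol  Shutdown   Drop       Encapsulation  Decapsulation  Drop
                   Threshold  Threshold  Counter        Counter        Counter
-------  --------  ---------  ---------  -------------  -------------  -------------
Gi0/11   cdp       1500       1000       2288           2282           0
         stp       1500       1000       116            13             0
         vtp       1500       1000       3              67             0
         pagp      ----       ----       0              0              0
         lacp      ----       ----       0              0              0
         udld      ----       ----       0              0              0
"""

# Constructed sample (not from the page): an STP tunnel that is dropping PDUs and a
# PAgP tunnel that carries traffic although no thresholds are set for it.
CONSTRUCTED_SAMPLE = """\
COS for Encapsulated Packets: 5

Port     Protocol  Shutdown   Drop       Encapsulation  Decapsulation  Drop
                   Threshold  Threshold  Counter        Counter        Counter
-------  --------  ---------  ---------  -------------  -------------  -------------
Gi0/12   cdp       1500       1000       10             12             0
         stp       1500       1000       900            11             42
         pagp      ----       ----       318            301            0
"""

# A data row: optional port column, lowercase protocol name, two thresholds (number or
# dashes), three counters. Header and separator lines do not match this pattern.
ROW_RE = re.compile(
    r"^(?P<port>\S+)?\s+(?P<proto>[a-z]+)\s+(?P<shut>\d+|-+)\s+(?P<drop>\d+|-+)"
    r"\s+(?P<enc>\d+)\s+(?P<dec>\d+)\s+(?P<drops>\d+)\s*$"
)
COS_RE = re.compile(r"^COS for Encapsulated Packets:\s+(\d+)")


@dataclass
class TunnelRow:
    port: str
    protocol: str
    shutdown_threshold: Optional[int]  # None when the switch prints "----" (not configured)
    drop_threshold: Optional[int]
    encap_counter: int
    decap_counter: int
    drop_counter: int


def _threshold(text: str) -> Optional[int]:
    return None if text.startswith("-") else int(text)


def parse_show_l2protocol(output: str) -> Tuple[Optional[int], List[TunnelRow]]:
    """Return (CoS value, rows). Rows printed without a port column belong to the
    port named on the preceding row."""
    cos: Optional[int] = None
    rows: List[TunnelRow] = []
    current_port: Optional[str] = None
    for line in output.splitlines():
        m = COS_RE.match(line)
        if m:
            cos = int(m.group(1))
            continue
        m = ROW_RE.match(line)
        if not m:
            continue
        if m.group("port"):
            current_port = m.group("port")
        if current_port is None:
            raise ValueError(f"protocol row before any port: {line!r}")
        rows.append(TunnelRow(
            port=current_port,
            protocol=m.group("proto"),
            shutdown_threshold=_threshold(m.group("shut")),
            drop_threshold=_threshold(m.group("drop")),
            encap_counter=int(m.group("enc")),
            decap_counter=int(m.group("dec")),
            drop_counter=int(m.group("drops")),
        ))
    return cos, rows


def findings(rows: List[TunnelRow]) -> List[str]:
    """Conditions an operator would want to review before trusting the tunnel."""
    out: List[str] = []
    for r in rows:
        if r.drop_counter > 0:
            out.append(f"{r.port} {r.protocol}: {r.drop_counter} PDUs dropped "
                       f"(drop threshold {r.drop_threshold})")
        carrying = r.encap_counter > 0 or r.decap_counter > 0
        if carrying and r.shutdown_threshold is None and r.drop_threshold is None:
            out.append(f"{r.port} {r.protocol}: tunneling traffic with no shutdown or drop threshold")
    return out


if __name__ == "__main__":
    for sample in (PAGE_SAMPLE, CONSTRUCTED_SAMPLE):
        cos, rows = parse_show_l2protocol(sample)
        print(f"CoS {cos}, {len(rows)} protocol rows")
        for line in findings(rows) or ["no findings"]:
            print("  ", line)
```

The page's own sample produces no findings: every protocol that carries traffic has both thresholds set and nothing has been dropped. The constructed sample shows the two conditions the script is looking for.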

Where to Go Next
You can configure the following:


• VTP
• VLANs
• VLAN Trunking
• Private VLANs
• VLAN Membership Policy Server (VMPS)
• Voice VLANs

CHAPTER 14
Configuring Spanning Tree Protocol
• Finding Feature Information, on page 223
• Restrictions for STP, on page 223
• Information About Spanning Tree Protocol, on page 224
• How to Configure Spanning-Tree Features, on page 234
• Monitoring Spanning-Tree Status, on page 247

Finding Feature Information


Your software release may not support all the features documented in this module. For the latest caveats and
feature information, see Bug Search Tool and the release notes for your platform and software release. To
find information about the features documented in this module, and to see a list of the releases in which each
feature is supported, see the feature information table at the end of this module.
Use Cisco Feature Navigator to find information about platform support and Cisco software image support.
To access Cisco Feature Navigator, go to http://www.cisco.com/go/cfn. An account on Cisco.com is not
required.

Restrictions for STP


• An attempt to configure a switch as the root switch fails if the value necessary to be the root switch is
less than 1.
• If your network consists of switches that support and do not support the extended system ID, it is unlikely
that the switch with the extended system ID support will become the root switch. The extended system
ID increases the switch priority value every time the VLAN number is greater than the priority of the
connected switches running older software.
• The root switch for each spanning-tree instance should be a backbone or distribution switch. Do not
configure an access switch as the spanning-tree primary root.

Related Topics
Configuring the Root Switch , on page 237
Bridge ID, Device Priority, and Extended System ID, on page 226
Spanning-Tree Topology and BPDUs, on page 224
Accelerated Aging to Retain Connectivity, on page 231


Information About Spanning Tree Protocol


Spanning Tree Protocol
Spanning Tree Protocol (STP) is a Layer 2 link management protocol that provides path redundancy while
preventing loops in the network. For a Layer 2 Ethernet network to function properly, only one active path
can exist between any two stations. Multiple active paths among end stations cause loops in the network. If
a loop exists in the network, end stations might receive duplicate messages. Switches might also learn
end-station MAC addresses on multiple Layer 2 interfaces. These conditions result in an unstable network.
Spanning-tree operation is transparent to end stations, which cannot detect whether they are connected to a
single LAN segment or a switched LAN of multiple segments.
The STP uses a spanning-tree algorithm to select one switch of a redundantly connected network as the root
of the spanning tree. The algorithm calculates the best loop-free path through a switched Layer 2 network by
assigning a role to each port based on the role of the port in the active topology:
• Root—A forwarding port elected for the spanning-tree topology
• Designated—A forwarding port elected for every switched LAN segment
• Alternate—A blocked port providing an alternate path to the root bridge in the spanning tree
• Backup—A blocked port in a loopback configuration

The switch that has all of its ports as the designated role or as the backup role is the root switch. The switch
that has at least one of its ports in the designated role is called the designated switch.
Spanning tree forces redundant data paths into a standby (blocked) state. If a network segment in the spanning
tree fails and a redundant path exists, the spanning-tree algorithm recalculates the spanning-tree topology and
activates the standby path. Switches send and receive spanning-tree frames, called bridge protocol data units
(BPDUs), at regular intervals. The switches do not forward these frames but use them to construct a loop-free
path. BPDUs contain information about the sending switch and its ports, including switch and MAC addresses,
switch priority, port priority, and path cost. Spanning tree uses this information to elect the root switch and
root port for the switched network and the root port and designated port for each switched segment.
When two ports on a switch are part of a loop, the spanning-tree and path cost settings control which port is
put in the forwarding state and which is put in the blocking state. The spanning-tree port priority value
represents the location of a port in the network topology and how well it is located to pass traffic. The path
cost value represents the media speed.

Note By default, the switch sends keepalive messages (to ensure the connection is up) only on interfaces that do
not have small form-factor pluggable (SFP) modules. You can change the default for an interface by entering
the [no] keepalive interface configuration command with no keywords.

Spanning-Tree Topology and BPDUs


The stable, active spanning-tree topology of a switched network is controlled by these elements:
• The unique bridge ID (switch priority and MAC address) associated with each VLAN on each switch.
• The spanning-tree path cost to the root switch.
• The port identifier (port priority and MAC address) associated with each Layer 2 interface.

When the switches in a network are powered up, each functions as the root switch. Each switch sends a
configuration BPDU through all of its ports. The BPDUs communicate and compute the spanning-tree topology.
Each configuration BPDU contains this information:
• The unique bridge ID of the switch that the sending switch identifies as the root switch
• The spanning-tree path cost to the root
• The bridge ID of the sending switch
• Message age
• The identifier of the sending interface
• Values for the hello, forward delay, and max-age protocol timers

When a switch receives a configuration BPDU that contains superior information (lower bridge ID, lower
path cost, and so forth), it stores the information for that port. If this BPDU is received on the root port of the
switch, the switch also forwards it with an updated message to all attached LANs for which it is the designated
switch.
If a switch receives a configuration BPDU that contains inferior information to that currently stored for that
port, it discards the BPDU. If the switch is a designated switch for the LAN from which the inferior BPDU
was received, it sends that LAN a BPDU containing the up-to-date information stored for that port. In this
way, inferior information is discarded, and superior information is propagated on the network.
A BPDU exchange results in these actions:
• One switch in the network is elected as the root switch (the logical center of the spanning-tree topology
in a switched network). See the figure following the bullets.
For each VLAN, the switch with the highest switch priority (the lowest numerical priority value) is
elected as the root switch. If all switches are configured with the default priority (32768), the switch with
the lowest MAC address in the VLAN becomes the root switch. The switch priority value occupies the
most significant bits of the bridge ID, as shown in the following figure.
• A root port is selected for each switch (except the root switch). This port provides the best path (lowest
cost) when the switch forwards packets to the root switch.
• The shortest distance to the root switch is calculated for each switch based on the path cost.
• A designated switch for each LAN segment is selected. The designated switch incurs the lowest path
cost when forwarding packets from that LAN to the root switch. The port through which the designated
switch is attached to the LAN is called the designated port.

All paths that are not needed to reach the root switch from anywhere in the switched network are placed in
the spanning-tree blocking mode.
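The BPDU exchange described above can be worked through on a small topology. The following Python simulation is an added example and is not code from the Cisco guide: it applies the superiority comparison the section describes (lower root bridge ID, then lower root path cost, then lower sender bridge ID, then lower sender port ID) to a constructed three-switch network, elects the root, picks each switch's root port, and assigns the root, designated, alternate and backup roles. The link costs are the IEEE 802.1D defaults (4 for Gigabit Ethernet, 19 for Fast Ethernet), and the bridge IDs leave the extended system ID bits at zero for brevity.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# (root bridge ID, root path cost, sender bridge ID, sender port ID) as carried in a BPDU.
# Python tuple ordering compares these fields left to right, which is exactly the
# "superior information" rule: lower root ID first, then lower cost, and so on.
Vector = Tuple[int, int, int, int]


@dataclass
class Link:
    a: str
    a_port: int
    b: str
    b_port: int
    cost: int


@dataclass
class SwitchState:
    bridge_id: int
    root: int
    root_cost: int = 0
    root_port: Optional[int] = None
    received: Dict[int, Vector] = field(default_factory=dict)  # best BPDU heard per port
    roles: Dict[int, str] = field(default_factory=dict)


def run_stp(bridge_ids: Dict[str, int], links: List[Link],
            max_rounds: int = 64) -> Dict[str, SwitchState]:
    # Every switch starts out believing it is the root.
    st = {n: SwitchState(bridge_id=b, root=b) for n, b in bridge_ids.items()}
    port_cost: Dict[Tuple[str, int], int] = {}
    for ln in links:
        port_cost[(ln.a, ln.a_port)] = ln.cost
        port_cost[(ln.b, ln.b_port)] = ln.cost

    for _ in range(max_rounds):
        # Each switch sends a configuration BPDU on every port; a port keeps the best one heard.
        for ln in links:
            for src, sport, dst, dport in ((ln.a, ln.a_port, ln.b, ln.b_port),
                                           (ln.b, ln.b_port, ln.a, ln.a_port)):
                s = st[src]
                vec: Vector = (s.root, s.root_cost, s.bridge_id, sport)
                old = st[dst].received.get(dport)
                if old is None or vec < old:
                    st[dst].received[dport] = vec

        # Re-evaluate: the best BPDU heard, with the receiving port's cost added, decides the
        # root, the root path cost and the root port. A lower own ID means "I am the root".
        changed = False
        for name, s in st.items():
            best = None
            for port, (root, cost, sender, sport) in s.received.items():
                cand = (root, cost + port_cost[(name, port)], sender, sport, port)
                if best is None or cand < best:
                    best = cand
            if best is None or s.bridge_id <= best[0]:
                new = (s.bridge_id, 0, None)
            else:
                new = (best[0], best[1], best[4])
            if new != (s.root, s.root_cost, s.root_port):
                s.root, s.root_cost, s.root_port = new
                changed = True
        if not changed:
            break

    # Port roles: the root port; designated if our own BPDU beats the best one heard on the
    # port; otherwise blocked (backup if the better BPDU came from this same switch, else alternate).
    for (name, port), _ in port_cost.items():
        s = st[name]
        if port == s.root_port:
            s.roles[port] = "root"
            continue
        heard = s.received.get(port)
        own: Vector = (s.root, s.root_cost, s.bridge_id, port)
        if heard is None or own < heard:
            s.roles[port] = "designated"
        else:
            s.roles[port] = "backup" if heard[2] == s.bridge_id else "alternate"
    return st


def demo(c_priority: int = 32768) -> Dict[str, SwitchState]:
    """Constructed topology: A-B and A-C are Gigabit links (cost 4), B-C is Fast Ethernet
    (cost 19). The MAC-derived low bits make A < B < C at equal priority; c_priority lets
    the caller make C the preferred root the way 'lowering the numerical priority' does."""
    ids = {
        "A": (32768 << 48) | 0x00000C00000A,
        "B": (32768 << 48) | 0x00000C00000B,
        "C": (c_priority << 48) | 0x00000C00000C,
    }
    links = [Link("A", 1, "B", 1, 4), Link("A", 2, "C", 1, 4), Link("B", 2, "C", 2, 19)]
    return run_stp(ids, links)


if __name__ == "__main__":
    for name, s in demo().items():
        where = "root switch" if s.root == s.bridge_id else f"root port {s.root_port}, cost {s.root_cost}"
        print(name, where, s.roles)
```

With default priorities A wins on MAC address and the B-C Fast Ethernet link is blocked on C. Giving C priority 24576 makes it the root even though its MAC-derived bits are the highest, and B then reaches the root through A over two Gigabit links (cost 8) rather than over its direct but slower link (cost 19), which is the path-cost behaviour the section describes.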
Related Topics
Configuring the Root Switch , on page 237
Restrictions for STP, on page 223


Bridge ID, Device Priority, and Extended System ID


The IEEE 802.1D standard requires that each switch has a unique bridge identifier (bridge ID), which controls
the selection of the root switch. Because each VLAN is considered as a different logical bridge with PVST+
and Rapid PVST+, the same switch must have a different bridge ID for each configured VLAN. Each VLAN
on the switch has a unique 8-byte bridge ID. The 2 most-significant bytes are used for the switch priority, and
the remaining 6 bytes are derived from the switch MAC address.
The switch supports the IEEE 802.1t spanning-tree extensions, and some of the bits previously used for the
switch priority are now used as the VLAN identifier. The result is that fewer MAC addresses are reserved for
the switch, and a larger range of VLAN IDs can be supported, all while maintaining the uniqueness of the
bridge ID.
The 2 bytes previously used for the switch priority are reallocated into a 4-bit priority value and a 12-bit
extended system ID value equal to the VLAN ID.

Table 22: Device Priority Value and Extended System ID

        Priority Value            Extended System ID (Set Equal to the VLAN ID)
Bit     16    15    14    13      12    11    10    9     8     7     6     5     4     3     2     1
Value   32768 16384 8192  4096    2048  1024  512   256   128   64    32    16    8     4     2     1

Spanning tree uses the extended system ID, the switch priority, and the allocated spanning-tree MAC address
to make the bridge ID unique for each VLAN.
Support for the extended system ID affects how you manually configure the root switch, the secondary root
switch, and the switch priority of a VLAN. For example, when you change the switch priority value, you
change the probability that the switch will be elected as the root switch. Configuring a higher value decreases
the probability; a lower value increases the probability.
If any root switch for the specified VLAN has a switch priority lower than 24576, the switch sets its own
priority for the specified VLAN to 4096 less than the lowest switch priority. 4096 is the value of the
least-significant bit of a 4-bit switch priority value as shown in the table.
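The bit layout in Table 22 and the root-election and root-primary rules above can be checked with a few lines of arithmetic. The following Python module is an added example, not code from the Cisco guide: it builds and splits the 8-byte bridge ID (4-bit priority, 12-bit extended system ID equal to the VLAN ID, 48-bit MAC address), elects the root among constructed candidates, and computes the priority the guide says a switch adopts when it is configured as primary root. The MAC addresses are constructed; the value 24576 used when the current root's priority is not below 24576 is an assumption taken from the root-switch configuration procedure elsewhere in this guide, not from this section.

```python
from typing import List, Tuple

PRIORITY_STEP = 4096                 # weight of the least-significant priority bit (bit 13 in Table 22)
MAX_PRIORITY = 15 * PRIORITY_STEP    # 61440: all four priority bits set
DEFAULT_PRIORITY = 32768
ROOT_PRIMARY_PRIORITY = 24576        # assumed value used by "root primary" when the root is not below it


def is_valid_priority(priority: int) -> bool:
    """With the extended system ID only the 4 high bits carry priority, so a configured
    value must be a multiple of 4096 between 0 and 61440."""
    return 0 <= priority <= MAX_PRIORITY and priority % PRIORITY_STEP == 0


def validate_priority(priority: int) -> int:
    if not is_valid_priority(priority):
        raise ValueError(f"priority must be a multiple of {PRIORITY_STEP} in 0..{MAX_PRIORITY}")
    return priority


def mac_to_int(mac: str) -> int:
    digits = mac.replace(":", "").replace("-", "").replace(".", "")
    if len(digits) != 12:
        raise ValueError(f"bad MAC address: {mac}")
    return int(digits, 16)


def bridge_id(priority: int, vlan: int, mac: str) -> int:
    """8-byte bridge ID: 4-bit priority | 12-bit extended system ID (= VLAN ID) | 48-bit MAC.
    Because the priority is a multiple of 4096 its low 12 bits are zero, so OR-ing in the
    VLAN ID fills exactly the extended-system-ID bits of Table 22."""
    validate_priority(priority)
    if not 1 <= vlan <= 4094:
        raise ValueError(f"VLAN ID out of range: {vlan}")
    return ((priority | vlan) << 48) | mac_to_int(mac)


def split_bridge_id(bid: int) -> Tuple[int, int, str]:
    """Inverse of bridge_id: (priority, vlan, mac)."""
    top, mac = bid >> 48, bid & ((1 << 48) - 1)
    mac_str = ":".join(f"{(mac >> (8 * i)) & 0xFF:02x}" for i in range(5, -1, -1))
    return top & 0xF000, top & 0x0FFF, mac_str


def elect_root(switches: List[Tuple[str, int, str]], vlan: int) -> str:
    """Lowest bridge ID wins. Priority occupies the most-significant bits, so any
    priority difference outweighs the MAC address; the MAC decides only on a tie."""
    return min(switches, key=lambda s: bridge_id(s[1], vlan, s[2]))[0]


def root_primary_priority(lowest_root_priority: int) -> int:
    """Priority this switch adopts to become root for a VLAN. As the guide states: when the
    current root's priority is below 24576, use 4096 less than it; the attempt fails when
    the value needed is not a representable priority."""
    validate_priority(lowest_root_priority)
    if lowest_root_priority < ROOT_PRIMARY_PRIORITY:
        needed = lowest_root_priority - PRIORITY_STEP
        if needed < 0:
            raise ValueError("cannot become root: no priority lower than the current root's is available")
        return needed
    return ROOT_PRIMARY_PRIORITY


if __name__ == "__main__":
    # Constructed candidates for VLAN 10: same priority, so the lowest MAC wins.
    candidates = [("A", DEFAULT_PRIORITY, "00:00:0c:aa:aa:aa"),
                  ("B", DEFAULT_PRIORITY, "00:00:0c:00:00:01")]
    print("root for VLAN 10:", elect_root(candidates, 10))
    print("bridge ID of A:", hex(bridge_id(DEFAULT_PRIORITY, 10, "00:00:0c:aa:aa:aa")))
    print("priority to take the root from a 32768 root:", root_primary_priority(32768))
```

The same arithmetic shows why the restriction at the top of this chapter exists: each step toward the root costs one priority increment of 4096, and once the current root sits at priority 0 there is no lower value left to claim.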
Related Topics
Configuring the Root Switch , on page 237
Restrictions for STP, on page 223
Configuring the Root Switch , on page 269
Root Switch, on page 252
Specifying the MST Region Configuration and Enabling MSTP , on page 266

Port Priority Versus Path Cost


If a loop occurs, spanning tree uses port priority when selecting an interface to put into the forwarding state.
You can assign higher priority values (lower numerical values) to interfaces that you want selected first and
lower priority values (higher numerical values) that you want selected last. If all interfaces have the same
priority value, spanning tree puts the interface with the lowest interface number in the forwarding state and
blocks the other interfaces.
The spanning-tree path cost default value is derived from the media speed of an interface. If a loop occurs,
spanning tree uses cost when selecting an interface to put in the forwarding state. You can assign lower cost
values to interfaces that you want selected first and higher cost values that you want selected last. If all
interfaces have the same cost value, spanning tree puts the interface with the lowest interface number in the
forwarding state and blocks the other interfaces.
If your switch is a member of a switch stack, you must assign lower cost values to interfaces that you want
selected first and higher cost values that you want selected last instead of adjusting its port priority. For details,
see Related Topics.
Related Topics
Configuring Port Priority , on page 239
Configuring Path Cost , on page 241

Spanning-Tree Interface States


Propagation delays can occur when protocol information passes through a switched LAN. As a result, topology
changes can take place at different times and at different places in a switched network. When an interface
transitions directly from nonparticipation in the spanning-tree topology to the forwarding state, it can create
temporary data loops. Interfaces must wait for new topology information to propagate through the switched
LAN before starting to forward frames. They must allow the frame lifetime to expire for forwarded frames
that have used the old topology.
Each Layer 2 interface on a switch using spanning tree exists in one of these states:
• Blocking—The interface does not participate in frame forwarding.
• Listening—The first transitional state after the blocking state when the spanning tree decides that the
interface should participate in frame forwarding.
• Learning—The interface prepares to participate in frame forwarding.
• Forwarding—The interface forwards frames.
• Disabled—The interface is not participating in spanning tree because of a shutdown port, no link on the
port, or no spanning-tree instance running on the port.

An interface moves through these states:


• From initialization to blocking
• From blocking to listening or to disabled
• From listening to learning or to disabled
• From learning to forwarding or to disabled
• From forwarding to disabled


Figure 9: Spanning-Tree Interface States

An interface moves through the states.


When you power up the switch, spanning tree is enabled by default, and every interface in the switch, VLAN,
or network goes through the blocking state and the transitory states of listening and learning. Spanning tree
stabilizes each interface at the forwarding or blocking state.
When the spanning-tree algorithm places a Layer 2 interface in the forwarding state, this process occurs:
1. The interface is in the listening state while spanning tree waits for protocol information to move the
interface to the blocking state.
2. While spanning tree waits for the forward-delay timer to expire, it moves the interface to the learning
state and resets the forward-delay timer.
3. In the learning state, the interface continues to block frame forwarding as the switch learns end-station
location information for the forwarding database.
4. When the forward-delay timer expires, spanning tree moves the interface to the forwarding state, where
both learning and frame forwarding are enabled.

Blocking State
A Layer 2 interface in the blocking state does not participate in frame forwarding. After initialization, a BPDU
is sent to each switch interface. A switch initially functions as the root until it exchanges BPDUs with other
switches. This exchange establishes which switch in the network is the root or root switch. If there is only
one switch in the network, no exchange occurs, the forward-delay timer expires, and the interface moves to
the listening state. An interface always enters the blocking state after switch initialization.
An interface in the blocking state performs these functions:
• Discards frames received on the interface
• Discards frames switched from another interface for forwarding
• Does not learn addresses
• Receives BPDUs


Listening State
The listening state is the first state a Layer 2 interface enters after the blocking state. The interface enters this
state when the spanning tree decides that the interface should participate in frame forwarding.
An interface in the listening state performs these functions:
• Discards frames received on the interface
• Discards frames switched from another interface for forwarding
• Does not learn addresses
• Receives BPDUs

Learning State
A Layer 2 interface in the learning state prepares to participate in frame forwarding. The interface enters the
learning state from the listening state.
An interface in the learning state performs these functions:
• Discards frames received on the interface
• Discards frames switched from another interface for forwarding
• Learns addresses
• Receives BPDUs

Forwarding State
A Layer 2 interface in the forwarding state forwards frames. The interface enters the forwarding state from
the learning state.
An interface in the forwarding state performs these functions:
• Receives and forwards frames received on the interface
• Forwards frames switched from another interface
• Learns addresses
• Receives BPDUs

Disabled State
A Layer 2 interface in the disabled state does not participate in frame forwarding or in the spanning tree. An
interface in the disabled state is nonoperational.
A disabled interface performs these functions:
• Discards frames received on the interface
• Discards frames switched from another interface for forwarding
• Does not learn addresses
• Does not receive BPDUs


How a Switch or Port Becomes the Root Switch or Root Port


If all switches in a network are enabled with default spanning-tree settings, the switch with the lowest MAC
address becomes the root switch.
Figure 10: Spanning-Tree Topology

Switch A is elected as the root switch because the switch priority of all the switches is set to the default (32768)
and Switch A has the lowest MAC address. However, because of traffic patterns, number of forwarding
interfaces, or link types, Switch A might not be the ideal root switch. By increasing the priority (lowering the
numerical value) of the ideal switch so that it becomes the root switch, you force a spanning-tree recalculation
to form a new topology with the ideal switch as the root.
When the spanning-tree topology is calculated based on default parameters, the path between source and
destination end stations in a switched network might not be ideal. For instance, connecting higher-speed links
to an interface that has a higher number than the root port can cause a root-port change. The goal is to make
the fastest link the root port.
For example, assume that one port on Switch B is a Gigabit Ethernet link and that another port on Switch B
(a 10/100 link) is the root port. Network traffic might be more efficient over the Gigabit Ethernet link. By
changing the spanning-tree port priority on the Gigabit Ethernet port to a higher priority (lower numerical
value) than the root port, the Gigabit Ethernet port becomes the new root port.
Related Topics
Configuring Port Priority , on page 239

Spanning Tree and Redundant Connectivity


Figure 11: Spanning Tree and Redundant Connectivity

You can create a redundant backbone with spanning tree by connecting two switch interfaces to another device
or to two different devices. Spanning tree automatically disables one interface but enables it if the other one
fails. If one link is high-speed and the other is low-speed, the low-speed link is always disabled. If the speeds
are the same, the port priority and port ID are added together, and spanning tree disables the link with the
highest value.
You can also create redundant links between switches by using EtherChannel groups.

Spanning-Tree Address Management


IEEE 802.1D specifies 17 multicast addresses, ranging from 0x0180C2000000 to 0x0180C2000010, to be
used by different bridge protocols. These addresses are static addresses that cannot be removed.
Regardless of the spanning-tree state, each switch in the stack receives but does not forward packets destined
for addresses between 0x0180C2000000 and 0x0180C200000F.
If spanning tree is enabled, the CPU on the switch or on each switch in the stack receives packets destined
for 0x0180C2000000 and 0x0180C2000010. If spanning tree is disabled, the switch or each switch in the
stack forwards those packets as unknown multicast addresses.

Accelerated Aging to Retain Connectivity


The default for aging dynamic addresses is 5 minutes, the default setting of the mac address-table aging-time
global configuration command. However, a spanning-tree reconfiguration can cause many station locations
to change. Because these stations could be unreachable for 5 minutes or more during a reconfiguration, the
address-aging time is accelerated so that station addresses can be dropped from the address table and then
relearned. The accelerated aging is the same as the forward-delay parameter value (spanning-tree vlan vlan-id
forward-time seconds global configuration command) when the spanning tree reconfigures.
Because each VLAN is a separate spanning-tree instance, the switch accelerates aging on a per-VLAN basis.
A spanning-tree reconfiguration on one VLAN can cause the dynamic addresses learned on that VLAN to be
subject to accelerated aging. Dynamic addresses on other VLANs can be unaffected and remain subject to
the aging interval entered for the switch.
Related Topics
Configuring the Root Switch , on page 237
Restrictions for STP, on page 223

Spanning-Tree Modes and Protocols


The switch supports these spanning-tree modes and protocols:


• PVST+—This spanning-tree mode is based on the IEEE 802.1D standard and Cisco proprietary extensions.
The PVST+ runs on each VLAN on the switch up to the maximum supported, ensuring that each has a
loop-free path through the network.
The PVST+ provides Layer 2 load-balancing for the VLAN on which it runs. You can create different
logical topologies by using the VLANs on your network to ensure that all of your links are used but that
no one link is oversubscribed. Each instance of PVST+ on a VLAN has a single root switch. This root
switch propagates the spanning-tree information associated with that VLAN to all other switches in the
network. Because each switch has the same information about the network, this process ensures that the
network topology is maintained.
• Rapid PVST+—This spanning-tree mode is the same as PVST+ except that it uses a rapid convergence
based on the IEEE 802.1w standard. Beginning from the 15.2(4)E release, the default mode of STP is
Rapid PVST+. To provide rapid convergence, the Rapid PVST+ immediately deletes dynamically learned
MAC address entries on a per-port basis upon receiving a topology change. By contrast, PVST+ uses a
short aging time for dynamically learned MAC address entries.
Rapid PVST+ uses the same configuration as PVST+ (except where noted), and the switch needs only
minimal extra configuration. The benefit of Rapid PVST+ is that you can migrate a large PVST+ install
base to Rapid PVST+ without having to learn the complexities of the Multiple Spanning Tree Protocol
(MSTP) configuration and without having to reprovision your network. In Rapid PVST+ mode, each
VLAN runs its own spanning-tree instance up to the maximum supported.
• MSTP—This spanning-tree mode is based on the IEEE 802.1s standard. You can map multiple VLANs
to the same spanning-tree instance, which reduces the number of spanning-tree instances required to
support a large number of VLANs. The MSTP runs on top of the RSTP (based on IEEE 802.1w), which
provides for rapid convergence of the spanning tree by eliminating the forward delay and by quickly
transitioning root ports and designated ports to the forwarding state. In a switch stack, the cross-stack
rapid transition (CSRT) feature performs the same function as RSTP. You cannot run MSTP without
RSTP or CSRT.

Related Topics
Changing the Spanning-Tree Mode , on page 234

Supported Spanning-Tree Instances


In PVST+ or Rapid PVST+ mode, the switch or switch stack supports up to 128 spanning-tree instances.
In MSTP mode, the switch or switch stack supports up to 65 MST instances. The number of VLANs that can
be mapped to a particular MST instance is unlimited.
Related Topics
Disabling Spanning Tree , on page 236
Default Spanning-Tree Configuration, on page 234
Default MSTP Configuration, on page 265

Spanning-Tree Interoperability and Backward Compatibility


In a mixed MSTP and PVST+ network, the common spanning-tree (CST) root must be inside the MST
backbone, and a PVST+ switch cannot connect to multiple MST regions.
When a network contains switches running Rapid PVST+ and switches running PVST+, we recommend that
the Rapid PVST+ switches and PVST+ switches be configured for different spanning-tree instances. In the
Rapid PVST+ spanning-tree instances, the root switch must be a Rapid PVST+ switch. In the PVST+ instances,
the root switch must be a PVST+ switch. The PVST+ switches should be at the edge of the network.
All stack members run the same version of spanning tree (all PVST+, all Rapid PVST+, or all MSTP).

Table 23: PVST+, MSTP, and Rapid-PVST+ Interoperability and Compatibility

              PVST+                    MSTP                     Rapid PVST+
PVST+         Yes                      Yes (with restrictions)  Yes (reverts to PVST+)
MSTP          Yes (with restrictions)  Yes                      Yes (reverts to PVST+)
Rapid PVST+   Yes (reverts to PVST+)   Yes (reverts to PVST+)   Yes

Related Topics
Specifying the MST Region Configuration and Enabling MSTP , on page 266
MSTP Configuration Guidelines, on page 251
Multiple Spanning-Tree Regions, on page 253

STP and IEEE 802.1Q Trunks


The IEEE 802.1Q standard for VLAN trunks imposes some limitations on the spanning-tree strategy for a
network. The standard requires only one spanning-tree instance for all VLANs allowed on the trunks. However,
in a network of Cisco switches connected through IEEE 802.1Q trunks, the switches maintain one spanning-tree
instance for each VLAN allowed on the trunks.
When you connect a Cisco switch to a non-Cisco device through an IEEE 802.1Q trunk, the Cisco switch
uses PVST+ to provide spanning-tree interoperability. If Rapid PVST+ is enabled, the switch uses it instead
of PVST+. The switch combines the spanning-tree instance of the IEEE 802.1Q VLAN of the trunk with the
spanning-tree instance of the non-Cisco IEEE 802.1Q switch.
However, all PVST+ or Rapid PVST+ information is maintained by Cisco switches separated by a cloud of
non-Cisco IEEE 802.1Q switches. The non-Cisco IEEE 802.1Q cloud separating the Cisco switches is treated
as a single trunk link between the switches.
Rapid PVST+ is automatically enabled on IEEE 802.1Q trunks, and no user configuration is required. The
external spanning-tree behavior on access ports and Inter-Switch Link (ISL) trunk ports is not affected by
PVST+.

VLAN-Bridge Spanning Tree


Cisco VLAN-bridge spanning tree is used with the fallback bridging feature (bridge groups), which forwards
non-IP protocols such as DECnet between two or more VLAN bridge domains or routed ports. The
VLAN-bridge spanning tree allows the bridge groups to form a spanning tree on top of the individual VLAN
spanning trees to prevent loops from forming if there are multiple connections among VLANs. It also prevents
the individual spanning trees from the VLANs being bridged from collapsing into a single spanning tree.
To support VLAN-bridge spanning tree, some of the spanning-tree timers are increased. To use the fallback
bridging feature, you must have the IP services feature set enabled on your switch.


Default Spanning-Tree Configuration


Table 24: Default Spanning-Tree Configuration

Feature                                                                Default Setting
Enable state                                                           Enabled on VLAN 1.
Spanning-tree mode                                                     Rapid PVST+ (PVST+ and MSTP are disabled.)
Switch priority                                                        32768
Spanning-tree port priority (configurable on a per-interface basis)    128
Spanning-tree port cost (configurable on a per-interface basis)        1000 Mb/s: 4
                                                                       100 Mb/s: 19
                                                                       10 Mb/s: 100
Spanning-tree VLAN port priority (configurable on a per-VLAN basis)    128
Spanning-tree VLAN port cost (configurable on a per-VLAN basis)        1000 Mb/s: 4
                                                                       100 Mb/s: 19
                                                                       10 Mb/s: 100
Spanning-tree timers                                                   Hello time: 2 seconds
                                                                       Forward-delay time: 15 seconds
                                                                       Maximum-aging time: 20 seconds
                                                                       Transmit hold count: 6 BPDUs

Note Beginning from the 15.2(4)E release, the default mode of STP is Rapid PVST+.

Related Topics
Disabling Spanning Tree, on page 236
Supported Spanning-Tree Instances, on page 232

How to Configure Spanning-Tree Features


Changing the Spanning-Tree Mode
The switch supports three spanning-tree modes: per-VLAN spanning tree plus (PVST+), Rapid PVST+, or
multiple spanning tree protocol (MSTP). By default, the switch runs the Rapid PVST+ protocol.


If you want to enable a mode that is different from the default mode, this procedure is required.

SUMMARY STEPS
1. enable
2. configure terminal
3. spanning-tree mode {pvst | mst | rapid-pvst}
4. interface interface-id
5. spanning-tree link-type point-to-point
6. end
7. clear spanning-tree detected-protocols

DETAILED STEPS

Step 1 enable
Purpose: Enables privileged EXEC mode. Enter your password if prompted.
Example:
SwitchDevice> enable

Step 2 configure terminal
Purpose: Enters the global configuration mode.
Example:
SwitchDevice# configure terminal

Step 3 spanning-tree mode {pvst | mst | rapid-pvst}
Purpose: Configures a spanning-tree mode. All stack members run the same version of spanning tree.
• Select pvst to enable PVST+.
• Select mst to enable MSTP.
• Select rapid-pvst to enable rapid PVST+.
Example:
SwitchDevice(config)# spanning-tree mode pvst

Step 4 interface interface-id
Purpose: Specifies an interface to configure, and enters interface configuration mode. Valid interfaces include
physical ports, VLANs, and port channels. The VLAN ID range is 1 to 4094. The port-channel range is 1 to 48.
Example:
SwitchDevice(config)# interface GigabitEthernet1/0/1

Step 5 spanning-tree link-type point-to-point
Purpose: Specifies that the link type for this port is point-to-point. If you connect this port (local port) to a
remote port through a point-to-point link and the local port becomes a designated port, the switch negotiates
with the remote port and rapidly changes the local port to the forwarding state.
Example:
SwitchDevice(config-if)# spanning-tree link-type point-to-point

Step 6 end
Purpose: Returns to privileged EXEC mode.
Example:
SwitchDevice(config-if)# end

Step 7 clear spanning-tree detected-protocols
Purpose: If any port on the switch is connected to a port on a legacy IEEE 802.1D switch, this command restarts
the protocol migration process on the entire switch. This step is optional if the designated switch detects
that this switch is running rapid PVST+.
Example:
SwitchDevice# clear spanning-tree detected-protocols

Related Topics
Spanning-Tree Modes and Protocols, on page 231

Disabling Spanning Tree


Spanning tree is enabled by default on VLAN 1 and on all newly created VLANs up to the spanning-tree
limit. Disable spanning tree only if you are sure there are no loops in the network topology.

Caution When spanning tree is disabled and loops are present in the topology, excessive traffic and indefinite packet
duplication can drastically reduce network performance.

This procedure is optional.

SUMMARY STEPS
1. enable
2. configure terminal
3. no spanning-tree vlan vlan-id
4. end

DETAILED STEPS

Step 1 enable
Purpose: Enables privileged EXEC mode. Enter your password if prompted.
Example:
SwitchDevice> enable

Step 2 configure terminal
Purpose: Enters the global configuration mode.
Example:
SwitchDevice# configure terminal

Step 3 no spanning-tree vlan vlan-id
Purpose: Disables spanning tree on the VLAN. For vlan-id, the range is 1 to 4094.
Example:
SwitchDevice(config)# no spanning-tree vlan 300

Step 4 end
Purpose: Returns to privileged EXEC mode.
Example:
SwitchDevice(config)# end

Related Topics
Supported Spanning-Tree Instances, on page 232
Default Spanning-Tree Configuration, on page 234

Configuring the Root Switch


To configure a switch as the root for the specified VLAN, use the spanning-tree vlan vlan-id root global
configuration command to modify the switch priority from the default value (32768) to a significantly lower
value. When you enter this command, the software checks the switch priority of the root switches for each
VLAN. Because of the extended system ID support, the switch sets its own priority for the specified VLAN
to 24576 if this value will cause this switch to become the root for the specified VLAN.
Use the diameter keyword to specify the Layer 2 network diameter (that is, the maximum number of switch
hops between any two end stations in the Layer 2 network). When you specify the network diameter, the
switch automatically sets an optimal hello time, forward-delay time, and maximum-age time for a network
of that diameter, which can significantly reduce the convergence time. You can use the hello keyword to
override the automatically calculated hello time.
This procedure is optional.

SUMMARY STEPS
1. enable
2. configure terminal
3. spanning-tree vlan vlan-id root primary [diameter net-diameter]
4. end

DETAILED STEPS

Step 1 enable
Purpose: Enables privileged EXEC mode. Enter your password if prompted.
Example:
SwitchDevice> enable

Step 2 configure terminal
Purpose: Enters the global configuration mode.
Example:
SwitchDevice# configure terminal

Step 3 spanning-tree vlan vlan-id root primary [diameter net-diameter]
Purpose: Configures a switch to become the root for the specified VLAN.
• For vlan-id, you can specify a single VLAN identified by VLAN ID number, a range of VLANs separated by a
hyphen, or a series of VLANs separated by a comma. The range is 1 to 4094.
• (Optional) For diameter net-diameter, specify the maximum number of switches between any two end
stations. The range is 2 to 7.
Example:
SwitchDevice(config)# spanning-tree vlan 20-24 root primary diameter 4

Step 4 end
Purpose: Returns to privileged EXEC mode.
Example:
SwitchDevice(config)# end

What to do next
After configuring the switch as the root switch, we recommend that you avoid manually configuring the hello
time, forward-delay time, and maximum-age time through the spanning-tree vlan vlan-id hello-time,
spanning-tree vlan vlan-id forward-time, and the spanning-tree vlan vlan-id max-age global configuration
commands.
Related Topics
Bridge ID, Device Priority, and Extended System ID, on page 226
Spanning-Tree Topology and BPDUs, on page 224
Accelerated Aging to Retain Connectivity, on page 231
Restrictions for STP, on page 223

Configuring a Secondary Root Device


When you configure a switch as the secondary root, the switch priority is modified from the default value
(32768) to 28672. With this priority, the switch is likely to become the root switch for the specified VLAN
if the primary root switch fails. This is assuming that the other network switches use the default switch priority
of 32768, and therefore, are unlikely to become the root switch.
You can execute this command on more than one switch to configure multiple backup root switches. Use the
same network diameter and hello-time values that you used when you configured the primary root switch
with the spanning-tree vlan vlan-id root primary global configuration command.
This procedure is optional.

SUMMARY STEPS
1. enable
2. configure terminal
3. spanning-tree vlan vlan-id root secondary [diameter net-diameter]
4. end

DETAILED STEPS

Step 1 enable
Purpose: Enables privileged EXEC mode. Enter your password if prompted.
Example:
SwitchDevice> enable

Step 2 configure terminal
Purpose: Enters the global configuration mode.
Example:
SwitchDevice# configure terminal

Step 3 spanning-tree vlan vlan-id root secondary [diameter net-diameter]
Purpose: Configures a switch to become the secondary root for the specified VLAN.
• For vlan-id, you can specify a single VLAN identified by VLAN ID number, a range of VLANs separated by a
hyphen, or a series of VLANs separated by a comma. The range is 1 to 4094.
• (Optional) For diameter net-diameter, specify the maximum number of switches between any two end
stations. The range is 2 to 7.
Use the same network diameter value that you used when configuring the primary root switch.
Example:
SwitchDevice(config)# spanning-tree vlan 20-24 root secondary diameter 4

Step 4 end
Purpose: Returns to privileged EXEC mode.
Example:
SwitchDevice(config)# end

Configuring Port Priority

Note If your switch is a member of a switch stack, you must use the spanning-tree [vlan vlan-id] cost cost interface
configuration command instead of the spanning-tree [vlan vlan-id] port-priority priority interface
configuration command to select an interface to put in the forwarding state. Assign lower cost values to
interfaces that you want selected first and higher cost values to interfaces that you want selected last.

This procedure is optional.


SUMMARY STEPS
1. enable
2. configure terminal
3. interface interface-id
4. spanning-tree port-priority priority
5. spanning-tree vlan vlan-id port-priority priority
6. end

DETAILED STEPS

Step 1 enable
Purpose: Enables privileged EXEC mode. Enter your password if prompted.
Example:
SwitchDevice> enable

Step 2 configure terminal
Purpose: Enters the global configuration mode.
Example:
SwitchDevice# configure terminal

Step 3 interface interface-id
Purpose: Specifies an interface to configure, and enters interface configuration mode. Valid interfaces include
physical ports and port-channel logical interfaces (port-channel port-channel-number).
Example:
SwitchDevice(config)# interface gigabitethernet1/0/2

Step 4 spanning-tree port-priority priority
Purpose: Configures the port priority for an interface. For priority, the range is 0 to 240, in increments of 16;
the default is 128. Valid values are 0, 16, 32, 48, 64, 80, 96, 112, 128, 144, 160, 176, 192, 208, 224, and 240.
All other values are rejected. The lower the number, the higher the priority.
Example:
SwitchDevice(config-if)# spanning-tree port-priority 0

Step 5 spanning-tree vlan vlan-id port-priority priority
Purpose: Configures the port priority for a VLAN.
• For vlan-id, you can specify a single VLAN identified by VLAN ID number, a range of VLANs separated by a
hyphen, or a series of VLANs separated by a comma. The range is 1 to 4094.
• For priority, the range is 0 to 240, in increments of 16; the default is 128. Valid values are 0, 16, 32, 48,
64, 80, 96, 112, 128, 144, 160, 176, 192, 208, 224, and 240. All other values are rejected. The lower the
number, the higher the priority.
Example:
SwitchDevice(config-if)# spanning-tree vlan 20-25 port-priority 0

Step 6 end
Purpose: Returns to privileged EXEC mode.
Example:
SwitchDevice(config-if)# end

Related Topics
Port Priority Versus Path Cost, on page 226
How a Switch or Port Becomes the Root Switch or Root Port, on page 230

Configuring Path Cost


This procedure is optional.

SUMMARY STEPS
1. enable
2. configure terminal
3. interface interface-id
4. spanning-tree cost cost
5. spanning-tree vlan vlan-id cost cost
6. end

DETAILED STEPS

Step 1 enable
Purpose: Enables privileged EXEC mode. Enter your password if prompted.
Example:
SwitchDevice> enable

Step 2 configure terminal
Purpose: Enters the global configuration mode.
Example:
SwitchDevice# configure terminal

Step 3 interface interface-id
Purpose: Specifies an interface to configure, and enters interface configuration mode. Valid interfaces include
physical ports and port-channel logical interfaces (port-channel port-channel-number).
Example:
SwitchDevice(config)# interface gigabitethernet1/0/1

Step 4 spanning-tree cost cost
Purpose: Configures the cost for an interface. If a loop occurs, spanning tree uses the path cost when selecting
an interface to place into the forwarding state. A lower path cost represents higher-speed transmission.
For cost, the range is 1 to 200000000; the default value is derived from the media speed of the interface.
Example:
SwitchDevice(config-if)# spanning-tree cost 250

Step 5 spanning-tree vlan vlan-id cost cost
Purpose: Configures the cost for a VLAN. If a loop occurs, spanning tree uses the path cost when selecting an
interface to place into the forwarding state. A lower path cost represents higher-speed transmission.
• For vlan-id, you can specify a single VLAN identified by VLAN ID number, a range of VLANs separated by a
hyphen, or a series of VLANs separated by a comma. The range is 1 to 4094.
• For cost, the range is 1 to 200000000; the default value is derived from the media speed of the interface.
Example:
SwitchDevice(config-if)# spanning-tree vlan 10,12-15,20 cost 300

Step 6 end
Purpose: Returns to privileged EXEC mode.
Example:
SwitchDevice(config-if)# end

The show spanning-tree interface interface-id privileged EXEC command displays information only for
ports that are in a link-up operative state. Otherwise, you can use the show running-config privileged EXEC
command to confirm the configuration.
Related Topics
Port Priority Versus Path Cost, on page 226

Configuring the Device Priority of a VLAN


You can configure the switch priority and make it more likely that a standalone switch or a switch in the stack
will be chosen as the root switch.

Note Exercise care when using this command. For most situations, we recommend that you use the spanning-tree
vlan vlan-id root primary and the spanning-tree vlan vlan-id root secondary global configuration commands
to modify the switch priority.

This procedure is optional.

SUMMARY STEPS
1. enable
2. configure terminal
3. spanning-tree vlan vlan-id priority priority
4. end

DETAILED STEPS

Step 1 enable
Purpose: Enables privileged EXEC mode. Enter your password if prompted.
Example:
SwitchDevice> enable

Step 2 configure terminal
Purpose: Enters the global configuration mode.
Example:
SwitchDevice# configure terminal

Step 3 spanning-tree vlan vlan-id priority priority
Purpose: Configures the switch priority of a VLAN.
• For vlan-id, you can specify a single VLAN identified by VLAN ID number, a range of VLANs separated by a
hyphen, or a series of VLANs separated by a comma. The range is 1 to 4094.
• For priority, the range is 0 to 61440 in increments of 4096; the default is 32768. The lower the number,
the more likely the switch will be chosen as the root switch.
Valid priority values are 4096, 8192, 12288, 16384, 20480, 24576, 28672, 32768, 36864, 40960, 45056,
49152, 53248, 57344, and 61440. All other values are rejected.
Example:
SwitchDevice(config)# spanning-tree vlan 20 priority 8192

Step 4 end
Purpose: Returns to privileged EXEC mode.
Example:
SwitchDevice(config)# end

Configuring the Hello Time


The hello time is the time interval between configuration messages generated and sent by the root switch.
This procedure is optional.

SUMMARY STEPS
1. enable
2. spanning-tree vlan vlan-id hello-time seconds
3. end

DETAILED STEPS

Step 1 enable
Purpose: Enables privileged EXEC mode. Enter your password if prompted.
Example:
SwitchDevice> enable

Step 2 spanning-tree vlan vlan-id hello-time seconds
Purpose: Configures the hello time of a VLAN. The hello time is the time interval between configuration
messages generated and sent by the root switch. These messages mean that the switch is alive.
• For vlan-id, you can specify a single VLAN identified by VLAN ID number, a range of VLANs separated by a
hyphen, or a series of VLANs separated by a comma. The range is 1 to 4094.
• For seconds, the range is 1 to 10; the default is 2.
Example:
SwitchDevice(config)# spanning-tree vlan 20-24 hello-time 3

Step 3 end
Purpose: Returns to privileged EXEC mode.
Example:
SwitchDevice(config)# end

Configuring the Forwarding-Delay Time for a VLAN


This procedure is optional.

SUMMARY STEPS
1. enable
2. configure terminal
3. spanning-tree vlan vlan-id forward-time seconds
4. end

DETAILED STEPS

Step 1 enable
Purpose: Enables privileged EXEC mode. Enter your password if prompted.
Example:
SwitchDevice> enable

Step 2 configure terminal
Purpose: Enters the global configuration mode.
Example:
SwitchDevice# configure terminal

Step 3 spanning-tree vlan vlan-id forward-time seconds
Purpose: Configures the forward time of a VLAN. The forwarding delay is the number of seconds an interface
waits before changing from its spanning-tree learning and listening states to the forwarding state.
• For vlan-id, you can specify a single VLAN identified by VLAN ID number, a range of VLANs separated by a
hyphen, or a series of VLANs separated by a comma. The range is 1 to 4094.
• For seconds, the range is 4 to 30; the default is 15.
Example:
SwitchDevice(config)# spanning-tree vlan 20,25 forward-time 18

Step 4 end
Purpose: Returns to privileged EXEC mode.
Example:
SwitchDevice(config)# end

Configuring the Maximum-Aging Time for a VLAN


This procedure is optional.

SUMMARY STEPS
1. enable
2. configure terminal
3. spanning-tree vlan vlan-id max-age seconds
4. end

DETAILED STEPS

Step 1 enable
Purpose: Enables privileged EXEC mode. Enter your password if prompted.
Example:
SwitchDevice> enable

Step 2 configure terminal
Purpose: Enters the global configuration mode.
Example:
SwitchDevice# configure terminal

Step 3 spanning-tree vlan vlan-id max-age seconds
Purpose: Configures the maximum-aging time of a VLAN. The maximum-aging time is the number of seconds a
switch waits without receiving spanning-tree configuration messages before attempting a reconfiguration.
• For vlan-id, you can specify a single VLAN identified by VLAN ID number, a range of VLANs separated by a
hyphen, or a series of VLANs separated by a comma. The range is 1 to 4094.
• For seconds, the range is 6 to 40; the default is 20.
Example:
SwitchDevice(config)# spanning-tree vlan 20 max-age 30

Step 4 end
Purpose: Returns to privileged EXEC mode.
Example:
SwitchDevice(config)# end

Configuring the Transmit Hold-Count


You can configure the BPDU burst size by changing the transmit hold count value.

Note Changing this parameter to a higher value can have a significant impact on CPU utilization, especially in
Rapid PVST+ mode. Lowering this value can slow down convergence in certain scenarios. We recommend
that you maintain the default setting.

This procedure is optional.

SUMMARY STEPS
1. enable
2. configure terminal
3. spanning-tree transmit hold-count value
4. end

DETAILED STEPS

Step 1 enable
Purpose: Enables privileged EXEC mode. Enter your password if prompted.
Example:
SwitchDevice> enable

Step 2 configure terminal
Purpose: Enters the global configuration mode.
Example:
SwitchDevice# configure terminal

Step 3 spanning-tree transmit hold-count value
Purpose: Configures the number of BPDUs that can be sent before pausing for 1 second. For value, the range
is 1 to 20; the default is 6.
Example:
SwitchDevice(config)# spanning-tree transmit hold-count 6

Step 4 end
Purpose: Returns to privileged EXEC mode.
Example:
SwitchDevice(config)# end
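The procedures above each state the values a command accepts (port priority 0 to 240 in steps of 16, path cost 1 to 200000000, VLAN priority 0 to 61440 in steps of 4096, hello time 1 to 10, forward-delay 4 to 30, max-age 6 to 40, transmit hold-count 1 to 20, and VLAN lists written as 10,12-15,20 within 1 to 4094). As an added example, not code from this guide or from Cisco, the following Python audits spanning-tree lines from a saved running-config against those ranges so that out-of-range or off-increment values are caught before a change window; the sample configuration fragment is constructed.

```python
import re


def _in_range(lo, hi, step=1):
    """Validator for 'lo to hi in increments of step', as the step tables phrase it."""
    return lambda v: lo <= v <= hi and (v - lo) % step == 0


# One entry per command documented in the procedures above: pattern, name, accepted values.
RULES = [
    (re.compile(r"^spanning-tree(?: vlan (?P<vlan>\S+))? port-priority (?P<value>\d+)$"),
     "port-priority", _in_range(0, 240, 16)),
    (re.compile(r"^spanning-tree(?: vlan (?P<vlan>\S+))? cost (?P<value>\d+)$"),
     "cost", _in_range(1, 200000000)),
    (re.compile(r"^spanning-tree vlan (?P<vlan>\S+) priority (?P<value>\d+)$"),
     "priority", _in_range(0, 61440, 4096)),
    (re.compile(r"^spanning-tree vlan (?P<vlan>\S+) hello-time (?P<value>\d+)$"),
     "hello-time", _in_range(1, 10)),
    (re.compile(r"^spanning-tree vlan (?P<vlan>\S+) forward-time (?P<value>\d+)$"),
     "forward-time", _in_range(4, 30)),
    (re.compile(r"^spanning-tree vlan (?P<vlan>\S+) max-age (?P<value>\d+)$"),
     "max-age", _in_range(6, 40)),
    (re.compile(r"^spanning-tree transmit hold-count (?P<value>\d+)$"),
     "transmit hold-count", _in_range(1, 20)),
]
DEFAULT_HOLD_COUNT = 6   # the guide recommends keeping this default


def parse_vlan_list(spec):
    """Expand the vlan-id syntax used above ('10,12-15,20') into a list of VLAN IDs,
    rejecting anything outside 1 to 4094."""
    vlans = []
    for part in spec.split(","):
        lo, _, hi = part.partition("-")
        first, last = int(lo), int(hi or lo)
        if not 1 <= first <= last <= 4094:
            raise ValueError(f"VLAN {part!r} outside the 1 to 4094 range")
        vlans.extend(range(first, last + 1))
    return vlans


def audit_config(config_text):
    """Return (line, problem) pairs for spanning-tree lines the switch would reject,
    plus a warning when the transmit hold-count deviates from the recommended default."""
    findings = []
    for raw in config_text.splitlines():
        line = raw.strip()
        for pattern, name, accepted in RULES:
            match = pattern.match(line)
            if not match:
                continue
            value = int(match.group("value"))
            if not accepted(value):
                findings.append((line, f"{name} {value} is outside the accepted range or increment"))
            elif name == "transmit hold-count" and value != DEFAULT_HOLD_COUNT:
                findings.append((line, "transmit hold-count differs from the recommended default of 6"))
            vlan_spec = match.groupdict().get("vlan")   # absent for commands without a vlan keyword
            if vlan_spec:
                try:
                    parse_vlan_list(vlan_spec)
                except ValueError as exc:
                    findings.append((line, str(exc)))
            break
    return findings


# Constructed sample running-config fragment (not taken from a real device).
SAMPLE_CONFIG = """\
spanning-tree mode rapid-pvst
spanning-tree vlan 20 priority 8192
spanning-tree vlan 20-24 hello-time 3
spanning-tree vlan 20,25 forward-time 18
spanning-tree vlan 20 max-age 30
spanning-tree transmit hold-count 6
interface GigabitEthernet1/0/1
 spanning-tree cost 250
 spanning-tree vlan 10,12-15,20 cost 300
interface GigabitEthernet1/0/2
 spanning-tree port-priority 100
 spanning-tree vlan 5000 cost 10
"""

if __name__ == "__main__":
    for line, problem in audit_config(SAMPLE_CONFIG):
        print(f"{line!r}: {problem}")
```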

Monitoring Spanning-Tree Status


Table 25: Commands for Displaying Spanning-Tree Status

show spanning-tree active                            Displays spanning-tree information on active interfaces only.
show spanning-tree detail                            Displays a detailed summary of interface information.
show spanning-tree vlan vlan-id                      Displays spanning-tree information for the specified VLAN.
show spanning-tree interface interface-id            Displays spanning-tree information for the specified interface.
show spanning-tree interface interface-id portfast   Displays spanning-tree portfast information for the specified interface.
show spanning-tree summary [totals]                  Displays a summary of interface states or displays the total lines
                                                     of the STP state section.

To clear spanning-tree counters, use the clear spanning-tree [interface interface-id] privileged EXEC
command.

CHAPTER 15
Configuring Multiple Spanning-Tree Protocol
• Finding Feature Information, on page 249
• Prerequisites for MSTP, on page 249
• Restrictions for MSTP, on page 250
• Information About MSTP, on page 251
• How to Configure MSTP Features, on page 266
• Examples, on page 284
• Monitoring MST Configuration and Status, on page 287
• Feature Information for MSTP, on page 288

Finding Feature Information


Your software release may not support all the features documented in this module. For the latest caveats and
feature information, see Bug Search Tool and the release notes for your platform and software release. To
find information about the features documented in this module, and to see a list of the releases in which each
feature is supported, see the feature information table at the end of this module.
Use Cisco Feature Navigator to find information about platform support and Cisco software image support.
To access Cisco Feature Navigator, go to http://www.cisco.com/go/cfn. An account on Cisco.com is not
required.

Prerequisites for MSTP


• For two or more switches to be in the same multiple spanning tree (MST) region, they must have the
same VLAN-to-instance map, the same configuration revision number, and the same name.
• For two or more stacked switches to be in the same MST region, they must have the same
VLAN-to-instance map, the same configuration revision number, and the same name.
• For load-balancing across redundant paths in the network to work, all VLAN-to-instance mapping
assignments must match; otherwise, all traffic flows on a single link. You can achieve load-balancing
across a switch stack by manually configuring the path cost.
• For load-balancing between a per-VLAN spanning tree plus (PVST+) and an MST cloud or between a
rapid-PVST+ and an MST cloud to work, all MST boundary ports must be forwarding. MST boundary
ports are forwarding when the internal spanning tree (IST) master of the MST cloud is the root of the
common spanning tree (CST). If the MST cloud consists of multiple MST regions, one of the MST
regions must contain the CST root, and all of the other MST regions must have a better path to the root
contained within the MST cloud than a path through the PVST+ or rapid-PVST+ cloud. You might have
to manually configure the switches in the clouds.

Related Topics
Specifying the MST Region Configuration and Enabling MSTP, on page 266
MSTP Configuration Guidelines, on page 251
Multiple Spanning-Tree Regions, on page 253

Restrictions for MSTP


• The switch stack supports up to 65 MST instances. The number of VLANs that can be mapped to a
particular MST instance is unlimited.
• PVST+, Rapid PVST+, and MSTP are supported, but only one version can be active at any time. (For
example, all VLANs run PVST+, all VLANs run Rapid PVST+, or all VLANs run MSTP.)
• All stack members must run the same version of spanning tree (all PVST+, Rapid PVST+, or MSTP).
• VLAN Trunking Protocol (VTP) propagation of the MST configuration is not supported. However, you
can manually configure the MST configuration (region name, revision number, and VLAN-to-instance
mapping) on each switch within the MST region by using the command-line interface (CLI) or through
the Simple Network Management Protocol (SNMP) support.
• Partitioning the network into a large number of regions is not recommended. However, if this situation
is unavoidable, we recommend that you partition the switched LAN into smaller LANs interconnected
by routers or non-Layer 2 devices.
• A region can have one member or multiple members with the same MST configuration; each member
must be capable of processing rapid spanning tree protocol (RSTP) Bridge Protocol Data Units (BPDUs).
There is no limit to the number of MST regions in a network, but each region can only support up to 65
spanning-tree instances. You can assign a VLAN to only one spanning-tree instance at a time.
• After configuring a switch as the root switch, we recommend that you avoid manually configuring the
hello time, forward-delay time, and maximum-age time through the spanning-tree mst hello-time,
spanning-tree mst forward-time, and the spanning-tree mst max-age global configuration commands.

Table 26: PVST+, MSTP, and Rapid PVST+ Interoperability and Compatibility

PVST+ MSTP Rapid PVST+

PVST+ Yes Yes (with restrictions) Yes (reverts to PVST+)

MSTP Yes (with restrictions) Yes Yes (reverts to PVST+)

Rapid PVST+ Yes (reverts to PVST+) Yes (reverts to PVST+) Yes

Related Topics
Specifying the MST Region Configuration and Enabling MSTP, on page 266
MSTP Configuration Guidelines, on page 251
Multiple Spanning-Tree Regions, on page 253
Configuring the Root Switch, on page 269
Root Switch, on page 252

Information About MSTP


MSTP Configuration
MSTP, which uses RSTP for rapid convergence, enables multiple VLANs to be grouped into and mapped to
the same spanning-tree instance, reducing the number of spanning-tree instances needed to support a large
number of VLANs. The MSTP provides for multiple forwarding paths for data traffic, enables load balancing,
and reduces the number of spanning-tree instances required to support a large number of VLANs. It improves
the fault tolerance of the network because a failure in one instance (forwarding path) does not affect other
instances (forwarding paths).

Note The multiple spanning-tree (MST) implementation is based on the IEEE 802.1s standard.

The most common initial deployment of MSTP is in the backbone and distribution layers of a Layer 2 switched
network. This deployment provides the highly available network required in a service-provider environment.
When the switch is in the MST mode, the RSTP, which is based on IEEE 802.1w, is automatically enabled.
The RSTP provides rapid convergence of the spanning tree through explicit handshaking that eliminates the
IEEE 802.1D forwarding delay and quickly transitions root ports and designated ports to the forwarding state.
Both MSTP and RSTP improve the spanning-tree operation and maintain backward compatibility with
equipment that is based on the (original) IEEE 802.1D spanning tree, with existing Cisco-proprietary Multiple
Instance STP (MISTP), and with existing Cisco PVST+ and rapid per-VLAN spanning-tree plus (Rapid
PVST+).
A switch stack appears as a single spanning-tree node to the rest of the network, and all stack members use
the same switch ID.

MSTP Configuration Guidelines


• When you enable MST by using the spanning-tree mode mst global configuration command, RSTP is
automatically enabled.
• For configuration guidelines about UplinkFast, BackboneFast, and cross-stack UplinkFast, see the relevant
sections in the Related Topics section.
• When the switch is in MST mode, it uses the long path-cost calculation method (32 bits) to compute the
path cost values. With the long path-cost calculation method, the following path cost values are supported:

Speed       Path Cost Value
10 Mb/s     2,000,000
100 Mb/s    200,000
1 Gb/s      20,000
10 Gb/s     2,000
100 Gb/s    200

Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(3)E (Catalyst 3560-CX and 2960-CX Switches)
251
Layer 2
Root Switch

Related Topics
Specifying the MST Region Configuration and Enabling MSTP , on page 266
Prerequisites for MSTP, on page 249
Restrictions for MSTP, on page 250
Spanning-Tree Interoperability and Backward Compatibility, on page 232
Optional Spanning-Tree Configuration Guidelines
BackboneFast, on page 293
UplinkFast, on page 291

Root Switch
The switch maintains a spanning-tree instance for the group of VLANs mapped to it. A switch ID, consisting
of the switch priority and the switch MAC address, is associated with each instance. For a group of VLANs,
the switch with the lowest switch ID becomes the root switch.
When you configure a switch as the root, you modify the switch priority from the default value (32768) to a
significantly lower value so that the switch becomes the root switch for the specified spanning-tree instance.
When you enter this command, the switch checks the switch priorities of the root switches. Because of the
extended system ID support, the switch sets its own priority for the specified instance to 24576 if this value
will cause this switch to become the root for the specified spanning-tree instance.
If any root switch for the specified instance has a switch priority lower than 24576, the switch sets its own
priority to 4096 less than the lowest switch priority. (4096 is the value of the least-significant bit of a 4-bit
switch priority value. For more information, select the "Bridge ID, Switch Priority, and Extended System ID"
link in Related Topics.)
If your network consists of switches that support and do not support the extended system ID, it is unlikely
that the switch with the extended system ID support will become the root switch. The extended system ID
increases the switch priority value by the VLAN number, so that value is greater than the priority of the
connected switches running older software.
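The root election and the root-primary priority selection described above, as an added Python example (not code from this guide or from Cisco IOS). Switch names and MAC addresses are constructed, and the error raised when no lower priority is available is an assumption of the example, not behaviour the guide describes:

```python
from dataclasses import dataclass, replace
from typing import Iterable, Tuple

PRIORITY_STEP = 4096            # weight of the least-significant bit of the 4-bit priority
DEFAULT_PRIORITY = 32768
ROOT_PRIMARY_PRIORITY = 24576   # first value tried when a switch is configured as root


@dataclass(frozen=True)
class Switch:
    name: str
    mac: str                          # constructed, e.g. "00:00:00:00:00:10"
    priority: int = DEFAULT_PRIORITY  # multiple of 4096, 0..61440
    extended_system_id: bool = True   # False models a switch running older software

    def switch_id(self, instance: int) -> Tuple[int, int]:
        """Comparable switch ID for one spanning-tree instance: (16-bit priority
        field, MAC as an integer). With extended system ID support the instance
        number occupies the low 12 bits of the field; older software carries the
        bare priority, so its field is never raised by the instance number."""
        if self.priority % PRIORITY_STEP or not 0 <= self.priority <= 61440:
            raise ValueError("priority must be a multiple of 4096 from 0 to 61440")
        if not 0 <= instance <= 4095:
            raise ValueError("instance must be in the range 0..4095")
        field = self.priority + instance if self.extended_system_id else self.priority
        return field, int(self.mac.replace(":", ""), 16)


def elect_root(switches: Iterable[Switch], instance: int) -> Switch:
    """The switch with the lowest switch ID becomes the root for the instance."""
    return min(switches, key=lambda s: s.switch_id(instance))


def root_primary_priority(me: Switch, current_roots: Iterable[Switch], instance: int) -> int:
    """Priority chosen when 'me' is configured as the root for 'instance':
    24576 if that already makes it the root, otherwise 4096 less than the lowest
    priority among the current roots. Refusing to go below 0 is an assumption
    of this example."""
    current_roots = list(current_roots)
    candidate = replace(me, priority=ROOT_PRIMARY_PRIORITY)
    if all(candidate.switch_id(instance) < r.switch_id(instance) for r in current_roots):
        return ROOT_PRIMARY_PRIORITY
    lowest = min(r.priority for r in current_roots)
    if lowest < PRIORITY_STEP:
        raise ValueError("no priority lower than %d is available" % lowest)
    return lowest - PRIORITY_STEP


if __name__ == "__main__":
    a = Switch("A", "00:00:00:00:00:10")
    b = Switch("B", "00:00:00:00:00:02", priority=24576)
    old = Switch("Legacy", "00:00:00:00:00:ff", extended_system_id=False)
    print(elect_root([a, b, old], 1).name)      # B: lowest priority field wins
    print(root_primary_priority(a, [b], 1))     # 20480: 24576 alone would lose on MAC
    print(elect_root([a, old], 100).name)       # Legacy: 32768 beats 32768 + 100
```

The last call shows the point made above: the older switch keeps a bare priority of 32768 while the extended-system-ID switch presents 32768 plus the VLAN number, so the older switch wins even with a higher MAC address.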
The root switch for each spanning-tree instance should be a backbone or distribution switch. Do not configure
an access switch as the spanning-tree primary root.
Use the diameter keyword, which is available only for MST instance 0, to specify the Layer 2 network
diameter (that is, the maximum number of switch hops between any two end stations in the Layer 2 network).
When you specify the network diameter, the switch automatically sets an optimal hello time, forward-delay
time, and maximum-age time for a network of that diameter, which can significantly reduce the convergence
time. You can use the hello keyword to override the automatically calculated hello time.
Related Topics
Configuring the Root Switch , on page 269
Restrictions for MSTP, on page 250
Bridge ID, Device Priority, and Extended System ID, on page 226


Multiple Spanning-Tree Regions


For switches to participate in multiple spanning-tree (MST) instances, you must consistently configure the
switches with the same MST configuration information. A collection of interconnected switches that have the
same MST configuration comprises an MST region.
The MST configuration controls to which MST region each switch belongs. The configuration includes the
name of the region, the revision number, and the MST VLAN-to-instance assignment map. You configure
the switch for a region by specifying the MST region configuration on it. You can map VLANs to an MST
instance, specify the region name, and set the revision number. For instructions and an example, select the
"Specifying the MST Region Configuration and Enabling MSTP" link in Related Topics.
A region can have one or multiple members with the same MST configuration. Each member must be capable
of processing RSTP bridge protocol data units (BPDUs). There is no limit to the number of MST regions in
a network, but each region can support up to 65 spanning-tree instances. Instances can be identified by any
number in the range from 0 to 4094. You can assign a VLAN to only one spanning-tree instance at a time.
Related Topics
Illustration of MST Regions, on page 255
Specifying the MST Region Configuration and Enabling MSTP , on page 266
Prerequisites for MSTP, on page 249
Restrictions for MSTP, on page 250
Spanning-Tree Interoperability and Backward Compatibility, on page 232
Optional Spanning-Tree Configuration Guidelines
BackboneFast, on page 293
UplinkFast, on page 291

IST, CIST, and CST


Unlike PVST+ and Rapid PVST+ in which all the spanning-tree instances are independent, the MSTP establishes
and maintains two types of spanning trees:
• An internal spanning tree (IST), which is the spanning tree that runs in an MST region.
Within each MST region, the MSTP maintains multiple spanning-tree instances. Instance 0 is a special
instance for a region, known as the internal spanning tree (IST). All other MST instances are numbered
from 1 to 4094.
The IST is the only spanning-tree instance that sends and receives BPDUs. All of the other spanning-tree
instance information is contained in M-records, which are encapsulated within MSTP BPDUs. Because
the MSTP BPDU carries information for all instances, the number of BPDUs that need to be processed
to support multiple spanning-tree instances is significantly reduced.
All MST instances within the same region share the same protocol timers, but each MST instance has
its own topology parameters, such as root switch ID, root path cost, and so forth. By default, all VLANs
are assigned to the IST.
An MST instance is local to the region; for example, MST instance 1 in region A is independent of MST
instance 1 in region B, even if regions A and B are interconnected.
• A common and internal spanning tree (CIST), which is a collection of the ISTs in each MST region, and
the common spanning tree (CST) that interconnects the MST regions and single spanning trees.


The spanning tree computed in a region appears as a subtree in the CST that encompasses the entire
switched domain. The CIST is formed by the spanning-tree algorithm running among switches that
support the IEEE 802.1w, IEEE 802.1s, and IEEE 802.1D standards. The CIST inside an MST region
is the same as the CST outside a region.

Operations Within an MST Region


The IST connects all the MSTP switches in a region. When the IST converges, the root of the IST becomes
the CIST regional root (called the IST master before the implementation of the IEEE 802.1s standard). It is
the switch within the region with the lowest switch ID and path cost to the CIST root. The CIST regional root
is also the CIST root if there is only one region in the network. If the CIST root is outside the region, one of
the MSTP switches at the boundary of the region is selected as the CIST regional root.
When an MSTP switch initializes, it sends BPDUs claiming itself as the root of the CIST and the CIST regional
root, with both of the path costs to the CIST root and to the CIST regional root set to zero. The switch also
initializes all of its MST instances and claims to be the root for all of them. If the switch receives superior
MST root information (lower switch ID, lower path cost, and so forth) than currently stored for the port, it
relinquishes its claim as the CIST regional root.
During initialization, a region might have many subregions, each with its own CIST regional root. As switches
receive superior IST information, they leave their old subregions and join the new subregion that contains the
true CIST regional root. All subregions shrink except for the one that contains the true CIST regional root.
For correct operation, all switches in the MST region must agree on the same CIST regional root. Therefore,
any two switches in the region only synchronize their port roles for an MST instance if they converge to a
common CIST regional root.
Related Topics
Illustration of MST Regions, on page 255

Operations Between MST Regions


If there are multiple regions or legacy IEEE 802.1D switches within the network, MSTP establishes and
maintains the CST, which includes all MST regions and all legacy STP switches in the network. The MST
instances combine with the IST at the boundary of the region to become the CST.
The IST connects all the MSTP switches in the region and appears as a subtree in the CIST that encompasses
the entire switched domain. The root of the subtree is the CIST regional root. The MST region appears as a
virtual switch to adjacent STP switches and MST regions.
Only the CST instance sends and receives BPDUs, and MST instances add their spanning-tree information
into the BPDUs to interact with neighboring switches and compute the final spanning-tree topology. Because
of this, the spanning-tree parameters related to BPDU transmission (for example, hello time, forward time,
max-age, and max-hops) are configured only on the CST instance but affect all MST instances. Parameters
related to the spanning-tree topology (for example, switch priority, port VLAN cost, and port VLAN priority)
can be configured on both the CST instance and the MST instance.
MSTP switches use Version 3 RSTP BPDUs or IEEE 802.1D STP BPDUs to communicate with legacy IEEE
802.1D switches. MSTP switches use MSTP BPDUs to communicate with MSTP switches.
Related Topics
Illustration of MST Regions, on page 255


IEEE 802.1s Terminology


Some MST naming conventions used in Cisco’s prestandard implementation have been changed to identify
some internal or regional parameters. These parameters are significant only within an MST region, as opposed
to external parameters that are relevant to the whole network. Because the CIST is the only spanning-tree
instance that spans the whole network, only the CIST parameters require the external rather than the internal
or regional qualifiers.
• The CIST root is the root switch for the unique instance that spans the whole network, the CIST.
• The CIST external root path cost is the cost to the CIST root. This cost is left unchanged within an MST
region. Remember that an MST region looks like a single switch for the CIST. The CIST external root
path cost is the root path cost calculated between these virtual switches and switches that do not belong
to any region.
• The CIST regional root was called the IST master in the prestandard implementation. If the CIST root
is in the region, the CIST regional root is the CIST root. Otherwise, the CIST regional root is the closest
switch to the CIST root in the region. The CIST regional root acts as a root switch for the IST.
• The CIST internal root path cost is the cost to the CIST regional root in a region. This cost is only relevant
to the IST, instance 0.

Table 27: Prestandard and Standard Terminology

IEEE Standard                  Cisco Prestandard       Cisco Standard
CIST regional root             IST master              CIST regional root
CIST internal root path cost   IST master path cost    CIST internal path cost
CIST external root path cost   Root path cost          Root path cost
MSTI regional root             Instance root           Instance root
MSTI internal root path cost   Root path cost          Root path cost

Illustration of MST Regions


This figure displays three MST regions and a legacy IEEE 802.1D switch (D). The CIST regional root for
region 1 (A) is also the CIST root. The CIST regional root for region 2 (B) and the CIST regional root for
region 3 (C) are the roots for their respective subtrees within the CIST. The RSTP runs in all regions.


Figure 12: MST Regions, CIST Masters, and CST Root

Related Topics
Multiple Spanning-Tree Regions, on page 253
Operations Within an MST Region, on page 254
Operations Between MST Regions, on page 254

Hop Count
The IST and MST instances do not use the message-age and maximum-age information in the configuration
BPDU to compute the spanning-tree topology. Instead, they use the path cost to the root and a hop-count
mechanism similar to the IP time-to-live (TTL) mechanism.
By using the spanning-tree mst max-hops global configuration command, you can configure the maximum
hops inside the region and apply it to the IST and all MST instances in that region. The hop count achieves
the same result as the message-age information (triggers a reconfiguration). The root switch of the instance
always sends a BPDU (or M-record) with a cost of 0 and the hop count set to the maximum value. When a
switch receives this BPDU, it decrements the received remaining hop count by one and propagates this value
as the remaining hop count in the BPDUs it generates. When the count reaches zero, the switch discards the
BPDU and ages the information held for the port.
The message-age and maximum-age information in the RSTP portion of the BPDU remain the same throughout
the region, and the same values are propagated by the region designated ports at the boundary.


Boundary Ports
In the Cisco prestandard implementation, a boundary port connects an MST region to a single spanning-tree
region running RSTP, to a single spanning-tree region running PVST+ or rapid PVST+, or to another MST
region with a different MST configuration. A boundary port also connects to a LAN, the designated switch
of which is either a single spanning-tree switch or a switch with a different MST configuration.
There is no definition of a boundary port in the IEEE 802.1s standard. The IEEE 802.1Q-2002 standard
identifies two kinds of messages that a port can receive:
• internal (coming from the same region)
• external (coming from another region)

When a message is internal, the CIST part is received by the CIST, and each MST instance receives its
respective M-record.
When a message is external, it is received only by the CIST. If the CIST role is root or alternate, or if the
external BPDU is a topology change, it could have an impact on the MST instances.
An MST region includes both switches and LANs. A segment belongs to the region of its designated port.
Therefore, a port in a different region than the designated port for a segment is a boundary port. This definition
allows two ports internal to a region to share a segment with a port belonging to a different region, creating
the possibility of a port receiving both internal and external messages.
The primary change from the Cisco prestandard implementation is that a designated port is not defined as
boundary, unless it is running in an STP-compatible mode.

Note If there is a legacy STP switch on the segment, messages are always considered external.

The other change from the Cisco prestandard implementation is that the CIST regional root switch ID field
is now inserted where an RSTP or legacy IEEE 802.1Q switch has the sender switch ID. The whole region
performs like a single virtual switch by sending a consistent sender switch ID to neighboring switches. In this
example, switch C would receive a BPDU with the same consistent sender switch ID of root, whether or not
A or B is designated for the segment.

IEEE 802.1s Implementation


The Cisco implementation of the IEEE MST standard includes features required to meet the standard, as well
as some of the desirable prestandard functionality that is not yet incorporated into the published standard.

Port Role Naming Change


The boundary role is no longer in the final MST standard, but this boundary concept is maintained in Cisco’s
implementation. However, an MST instance port at a boundary of the region might not follow the state of the
corresponding CIST port. Two boundary roles currently exist:
• The boundary port is the root port of the CIST regional root—When the CIST instance port is proposed
and is in sync, it can send back an agreement and move to the forwarding state only after all the
corresponding MSTI ports are in sync (and thus forwarding). The MSTI ports now have a special master
role.


• The boundary port is not the root port of the CIST regional root—The MSTI ports follow the state and
role of the CIST port. The standard provides less information, and it might be difficult to understand
why an MSTI port can be alternately blocking when it receives no BPDUs (MRecords). In this case,
although the boundary role no longer exists, the show commands identify a port as boundary in the type
column of the output.

Interoperation Between Legacy and Standard Switches


Because automatic detection of prestandard switches can fail, you can use an interface configuration command
to identify prestandard ports. A region cannot be formed between a standard and a prestandard switch, but
they can interoperate by using the CIST. Only the capability of load-balancing over different instances is lost
in that particular case. The CLI displays different flags depending on the port configuration when a port
receives prestandard BPDUs. A syslog message also appears the first time a switch receives a prestandard
BPDU on a port that has not been configured for prestandard BPDU transmission.
Figure 13: Standard and Prestandard Switch Interoperation

Assume that A is a standard switch and B a prestandard switch, both configured to be in the same region. A
is the root switch for the CIST, and B has a root port (BX) on segment X and an alternate port (BY) on segment
Y. If segment Y flaps, and the port on BY becomes the alternate before sending out a single prestandard
BPDU, AY cannot detect that a prestandard switch is connected to Y and continues to send standard BPDUs.
The port BY is fixed in a boundary, and no load balancing is possible between A and B. The same problem
exists on segment X, but B might transmit topology changes.

Note We recommend that you minimize the interaction between standard and prestandard MST implementations.

Detecting Unidirectional Link Failure


This feature is not yet present in the IEEE MST standard, but it is included in this Cisco IOS release. The
software checks the consistency of the port role and state in the received BPDUs to detect unidirectional link
failures that could cause bridging loops.
When a designated port detects a conflict, it keeps its role, but reverts to the discarding state because disrupting
connectivity in case of inconsistency is preferable to opening a bridging loop.


Figure 14: Detecting Unidirectional Link Failure

This figure illustrates a unidirectional link failure that typically creates a bridging loop. Switch A is the root
switch, and its BPDUs are lost on the link leading to switch B. RSTP and MST BPDUs include the role and
state of the sending port. With this information, switch A can detect that switch B does not react to the superior
BPDUs it sends and that switch B is the designated, not root switch. As a result, switch A blocks (or keeps
blocking) its port, which prevents the bridging loop.

Interoperability with IEEE 802.1D STP


A switch running MSTP supports a built-in protocol migration mechanism that enables it to interoperate with
legacy IEEE 802.1D switches. If this switch receives a legacy IEEE 802.1D configuration BPDU (a BPDU
with the protocol version set to 0), it sends only IEEE 802.1D BPDUs on that port. An MSTP switch also can
detect that a port is at the boundary of a region when it receives a legacy BPDU, an MSTP BPDU (Version
3) associated with a different region, or an RSTP BPDU (Version 2).
However, the switch does not automatically revert to the MSTP mode if it no longer receives IEEE 802.1D
BPDUs because it cannot detect whether the legacy switch has been removed from the link unless the legacy
switch is the designated switch. A switch might also continue to assign a boundary role to a port when the
switch to which this switch is connected has joined the region. To restart the protocol migration process (force
the renegotiation with neighboring switches), use the clear spanning-tree detected-protocols privileged
EXEC command.
If all the legacy switches on the link are RSTP switches, they can process MSTP BPDUs as if they are RSTP
BPDUs. Therefore, MSTP switches send either a Version 0 configuration and TCN BPDUs or Version 3
MSTP BPDUs on a boundary port. A boundary port connects to a LAN, the designated switch of which is
either a single spanning-tree switch or a switch with a different MST configuration.

RSTP Overview
The RSTP takes advantage of point-to-point wiring and provides rapid convergence of the spanning tree.
Reconfiguration of the spanning tree can occur in less than 1 second (in contrast to 50 seconds with the default
settings in the IEEE 802.1D spanning tree).

Port Roles and the Active Topology


The RSTP provides rapid convergence of the spanning tree by assigning port roles and by learning the active
topology. The RSTP builds upon the IEEE 802.1D STP to select the switch with the highest switch priority
(lowest numerical priority value) as the root switch. The RSTP then assigns one of these port roles to individual
ports:
• Root port—Provides the best path (lowest cost) when the switch forwards packets to the root switch.
• Designated port—Connects to the designated switch, which incurs the lowest path cost when forwarding
packets from that LAN to the root switch. The port through which the designated switch is attached to
the LAN is called the designated port.


• Alternate port—Offers an alternate path toward the root switch to that provided by the current root port.
• Backup port—Acts as a backup for the path provided by a designated port toward the leaves of the
spanning tree. A backup port can exist only when two ports are connected in a loopback by a point-to-point
link or when a switch has two or more connections to a shared LAN segment.
• Disabled port—Has no role within the operation of the spanning tree.

A port with the root or a designated port role is included in the active topology. A port with the alternate or
backup port role is excluded from the active topology.
In a stable topology with consistent port roles throughout the network, the RSTP ensures that every root port
and designated port immediately transition to the forwarding state while all alternate and backup ports are
always in the discarding state (equivalent to blocking in IEEE 802.1D). The port state controls the operation
of the forwarding and learning processes.

Table 28: Port State Comparison

Operational Status   STP Port State (IEEE 802.1D)   RSTP Port State   Is Port Included in the Active Topology?
Enabled              Blocking                       Discarding        No
Enabled              Listening                      Discarding        No
Enabled              Learning                       Learning          Yes
Enabled              Forwarding                     Forwarding        Yes
Disabled             Disabled                       Discarding        No

To be consistent with Cisco STP implementations, this guide defines the port state as blocking instead of
discarding. Designated ports start in the listening state.

Rapid Convergence
The RSTP provides for rapid recovery of connectivity following the failure of a switch, a switch port, or a
LAN. It provides rapid convergence for edge ports, new root ports, and ports connected through point-to-point
links as follows:
• Edge ports—If you configure a port as an edge port on an RSTP switch by using the spanning-tree
portfast interface configuration command, the edge port immediately transitions to the forwarding state.
An edge port is the same as a Port Fast-enabled port, and you should enable it only on ports that connect
to a single end station.
• Root ports—If the RSTP selects a new root port, it blocks the old root port and immediately transitions
the new root port to the forwarding state.
• Point-to-point links—If you connect a port to another port through a point-to-point link and the local
port becomes a designated port, it negotiates a rapid transition with the other port by using the
proposal-agreement handshake to ensure a loop-free topology.
Figure 15: Proposal and Agreement Handshaking for Rapid Convergence

Switch A is connected to Switch B through a point-to-point link, and all of the ports are in the blocking
state. Assume that the priority of Switch A is a smaller numerical value than the priority of Switch B.


Switch A sends a proposal message (a configuration BPDU with the proposal flag set) to Switch B,
proposing itself as the designated switch.
After receiving the proposal message, Switch B selects as its new root port the port from which the
proposal message was received, forces all nonedge ports to the blocking state, and sends an agreement
message (a BPDU with the agreement flag set) through its new root port.
After receiving Switch B’s agreement message, Switch A also immediately transitions its designated
port to the forwarding state. No loops in the network are formed because Switch B blocked all of its
nonedge ports and because there is a point-to-point link between Switches A and B.
When Switch C is connected to Switch B, a similar set of handshaking messages is exchanged. Switch
C selects the port connected to Switch B as its root port, and both ends immediately transition to the
forwarding state. With each iteration of this handshaking process, one more switch joins the active
topology. As the network converges, this proposal-agreement handshaking progresses from the root
toward the leaves of the spanning tree.
In a switch stack, the cross-stack rapid transition (CSRT) feature ensures that a stack member receives
acknowledgments from all stack members during the proposal-agreement handshaking before moving
the port to the forwarding state. CSRT is automatically enabled when the switch is in MST mode.
The switch learns the link type from the port duplex mode: a full-duplex port is considered to have a
point-to-point connection; a half-duplex port is considered to have a shared connection. You can override
the default setting that is controlled by the duplex setting by using the spanning-tree link-type interface
configuration command.

Synchronization of Port Roles


When the switch receives a proposal message on one of its ports and that port is selected as the new root port,
the RSTP forces all other ports to synchronize with the new root information.
The switch is synchronized with superior root information received on the root port if all other ports are
synchronized. An individual port on the switch is synchronized if
• That port is in the blocking state.
• It is an edge port (a port configured to be at the edge of the network).

If a designated port is in the forwarding state and is not configured as an edge port, it transitions to the blocking
state when the RSTP forces it to synchronize with new root information. In general, when the RSTP forces a
port to synchronize with root information and the port does not satisfy any of the above conditions, its port
state is set to blocking.
Figure 16: Sequence of Events During Rapid Convergence

After ensuring that all of the ports are synchronized, the switch sends an agreement message to the designated
switch corresponding to its root port. When the switches connected by a point-to-point link are in agreement
about their port roles, the RSTP immediately transitions the port states to forwarding.

Bridge Protocol Data Unit Format and Processing

The RSTP BPDU format is the same as the IEEE 802.1D BPDU format except that the protocol version is
set to 2. A new 1-byte Version 1 Length field is set to zero, which means that no version 1 protocol information
is present.

Table 29: RSTP BPDU Flags

Bit    Function
0      Topology change (TC)
1      Proposal
2–3    Port role:
         00 Unknown
         01 Alternate port
         10 Root port
         11 Designated port
4      Learning
5      Forwarding
6      Agreement
7      Topology change acknowledgement (TCA)

The sending switch sets the proposal flag in the RSTP BPDU to propose itself as the designated switch on
that LAN. The port role in the proposal message is always set to the designated port.
The sending switch sets the agreement flag in the RSTP BPDU to accept the previous proposal. The port role
in the agreement message is always set to the root port.
The RSTP does not have a separate topology change notification (TCN) BPDU. It uses the topology change
(TC) flag to show the topology changes. However, for interoperability with IEEE 802.1D switches, the RSTP
switch processes and generates TCN BPDUs.
The learning and forwarding flags are set according to the state of the sending port.
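The BPDU format and flag rules described in this section, together with the version-based distinction the "Interoperability with IEEE 802.1D STP" section draws (version 0 legacy, version 2 RSTP, version 3 MSTP), as an added Python example that is not code from this guide or from Cisco. It parses a constructed BPDU, decodes the Table 29 flag bits, and applies the consistency rules stated above (proposal role is always designated, agreement role is always root, RSTP BPDUs never set TCA) as findings a port monitor could log. The 35-byte IEEE 802.1D field layout, the 1/256-second timer units, and the sample builder are assumptions taken from the standard rather than from this page:

```python
import struct
from dataclasses import dataclass
from typing import List, Optional

# Added example, not Cisco code. Field order assumed from the IEEE 802.1D
# configuration BPDU: Protocol ID, Version, Type, Flags, Root ID, Root Path
# Cost, Bridge ID, Port ID, Message Age, Max Age, Hello Time, Forward Delay
# (timers in 1/256 s). RSTP and MSTP append a 1-byte Version 1 Length (= 0).
_LAYOUT = ">HBBBQLQHHHHH"          # 35 bytes, big-endian, no padding
BPDU_TYPE_CONFIG, BPDU_TYPE_TCN, BPDU_TYPE_RST = 0x00, 0x80, 0x02
PROTOCOL_BY_VERSION = {0: "IEEE 802.1D STP", 2: "RSTP", 3: "MSTP"}
ROLE_BY_BITS = {0: "unknown", 1: "alternate", 2: "root", 3: "designated"}

# Flag bit assignments from Table 29 (bit 0 is the least-significant bit).
FLAG_TC, FLAG_PROPOSAL = 0x01, 0x02
FLAG_LEARNING, FLAG_FORWARDING, FLAG_AGREEMENT, FLAG_TCA = 0x10, 0x20, 0x40, 0x80


@dataclass
class Bpdu:
    version: int
    bpdu_type: int
    flags: int
    root_id: int
    root_path_cost: int
    bridge_id: int
    port_id: int
    max_age: float
    hello_time: float
    forward_delay: float
    version1_length: Optional[int]   # None for a legacy (version 0) BPDU

    @property
    def protocol(self) -> str:
        return PROTOCOL_BY_VERSION.get(self.version, "unknown")

    @property
    def port_role(self) -> str:
        return ROLE_BY_BITS[(self.flags >> 2) & 0x3]   # Table 29 bits 2-3


def make_bridge_id(priority: int, ext_sys_id: int, mac: str) -> int:
    """Priority (multiple of 4096) + extended system ID in the top 16 bits, MAC below."""
    return ((priority | ext_sys_id) << 48) | int(mac.replace(":", ""), 16)


def build_bpdu(version: int, flags: int, root_id: int, root_path_cost: int,
               bridge_id: int, port_id: int = 0x8001) -> bytes:
    """Constructed sample BPDU with the default 802.1D timers (20/2/15 s)."""
    btype = BPDU_TYPE_RST if version >= 2 else BPDU_TYPE_CONFIG
    frame = struct.pack(_LAYOUT, 0, version, btype, flags, root_id, root_path_cost,
                        bridge_id, port_id, 0, 20 * 256, 2 * 256, 15 * 256)
    return (frame + b"\x00") if version >= 2 else frame   # Version 1 Length = 0


def parse_bpdu(frame: bytes) -> Bpdu:
    if len(frame) >= 4 and frame[3] == BPDU_TYPE_TCN:
        raise ValueError("TCN BPDU carries no configuration fields")
    if len(frame) < struct.calcsize(_LAYOUT):
        raise ValueError("frame too short for a configuration BPDU")
    (proto, version, btype, flags, root_id, rpc, bridge_id, port_id,
     _msg_age, max_age, hello, fwd) = struct.unpack_from(_LAYOUT, frame)
    if proto != 0:
        raise ValueError("protocol identifier is not 0 (not a spanning-tree BPDU)")
    v1len = frame[35] if version >= 2 and len(frame) > 35 else None
    return Bpdu(version, btype, flags, root_id, rpc, bridge_id, port_id,
                max_age / 256, hello / 256, fwd / 256, v1len)


def check_bpdu(b: Bpdu) -> List[str]:
    """Consistency rules stated in the text, as findings a port monitor could log."""
    findings = []
    if b.version >= 2 and b.version1_length != 0:
        findings.append("Version 1 Length is not zero")
    if b.version >= 2 and b.flags & FLAG_PROPOSAL and b.port_role != "designated":
        findings.append("proposal sent with port role %s, expected designated" % b.port_role)
    if b.version >= 2 and b.flags & FLAG_AGREEMENT and b.port_role != "root":
        findings.append("agreement sent with port role %s, expected root" % b.port_role)
    if b.version >= 2 and b.flags & FLAG_TCA:
        findings.append("TCA set in an RSTP/MSTP BPDU; only IEEE 802.1D BPDUs carry TCA")
    if b.version == 0 and b.flags & ~(FLAG_TC | FLAG_TCA) & 0xFF:
        findings.append("IEEE 802.1D BPDU uses flag bits other than TC and TCA")
    return findings


if __name__ == "__main__":
    root = make_bridge_id(24576, 0, "00:11:22:33:44:55")      # constructed IDs
    me = make_bridge_id(32768, 0, "00:aa:bb:cc:dd:ee")
    proposal = build_bpdu(2, FLAG_PROPOSAL | (3 << 2) | FLAG_FORWARDING, root, 20000, me)
    b = parse_bpdu(proposal)
    print(b.protocol, b.port_role, check_bpdu(b))   # RSTP designated []
```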

Processing Superior BPDU Information


If a port receives superior root information (lower switch ID, lower path cost, and so forth) than currently
stored for the port, the RSTP triggers a reconfiguration. If the port is proposed and is selected as the new root
port, RSTP forces all the other ports to synchronize.
If the BPDU received is an RSTP BPDU with the proposal flag set, the switch sends an agreement message
after all of the other ports are synchronized. If the BPDU is an IEEE 802.1D BPDU, the switch does not set
the proposal flag and starts the forward-delay timer for the port. The new root port requires twice the
forward-delay time to transition to the forwarding state.
If the superior information received on the port causes the port to become a backup or alternate port, RSTP
sets the port to the blocking state but does not send the agreement message. The designated port continues
sending BPDUs with the proposal flag set until the forward-delay timer expires, at which time the port
transitions to the forwarding state.

Processing Inferior BPDU Information


If a designated port receives an inferior BPDU (such as a higher switch ID or a higher path cost than currently
stored for the port) with a designated port role, it immediately replies with its own information.

Topology Changes
This section describes the differences between the RSTP and the IEEE 802.1D in handling spanning-tree
topology changes.


• Detection—Unlike IEEE 802.1D in which any transition between the blocking and the forwarding state
causes a topology change, only transitions from the blocking to the forwarding state cause a topology
change with RSTP (only an increase in connectivity is considered a topology change). State changes on
an edge port do not cause a topology change. When an RSTP switch detects a topology change, it deletes
the learned information on all of its nonedge ports except on those from which it received the TC
notification.
• Notification—Unlike IEEE 802.1D, the RSTP does not use TCN BPDUs. However, for IEEE 802.1D
interoperability, an RSTP switch processes and generates TCN BPDUs.
• Acknowledgement—When an RSTP switch receives a TCN message on a designated port from an IEEE
802.1D switch, it replies with an IEEE 802.1D configuration BPDU with the TCA bit set. However, if
the TC-while timer (the same as the topology-change timer in IEEE 802.1D) is active on a root port
connected to an IEEE 802.1D switch and a configuration BPDU with the TCA bit set is received, the
TC-while timer is reset.
This behavior is only required to support IEEE 802.1D switches. The RSTP BPDUs never have the TCA
bit set.
• Propagation—When an RSTP switch receives a TC message from another switch through a designated
or root port, it propagates the change to all of its nonedge, designated ports and to the root port (excluding
the port on which it is received). The switch starts the TC-while timer for all such ports and flushes the
information learned on them.
• Protocol migration—For backward compatibility with IEEE 802.1D switches, RSTP selectively sends
IEEE 802.1D configuration BPDUs and TCN BPDUs on a per-port basis.
When a port is initialized, the migrate-delay timer is started (specifies the minimum time during which
RSTP BPDUs are sent), and RSTP BPDUs are sent. While this timer is active, the switch processes all
BPDUs received on that port and ignores the protocol type.
If the switch receives an IEEE 802.1D BPDU after the port migration-delay timer has expired, it assumes
that it is connected to an IEEE 802.1D switch and starts using only IEEE 802.1D BPDUs. However, if
the RSTP switch is using IEEE 802.1D BPDUs on a port and receives an RSTP BPDU after the timer
has expired, it restarts the timer and starts using RSTP BPDUs on that port.
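To make the detection and propagation rules above concrete, the following Python is an added simulation (not code from this guide and not the switch's implementation). The port names, roles and learned MAC addresses are constructed, and the model is deliberately simplified: a state change does not recompute port roles, and a received TC is applied exactly as the Propagation bullet describes.

```python
"""Simulation of RSTP topology-change (TC) detection and propagation.

Added example, not part of the Cisco guide. Port names and the switch
model are constructed for illustration.
"""
from dataclasses import dataclass, field

BLOCKING, LEARNING, FORWARDING = "blocking", "learning", "forwarding"
ROOT, DESIGNATED, ALTERNATE, BACKUP = "root", "designated", "alternate", "backup"


@dataclass
class Port:
    name: str
    role: str
    state: str
    edge: bool = False               # edge ports never generate or flush on TC
    tc_while_active: bool = False    # TC-while timer running on this port
    learned_macs: set = field(default_factory=set)


@dataclass
class RstpSwitch:
    ports: dict  # port name -> Port

    def is_topology_change(self, port: Port, new_state: str) -> bool:
        """Detection rule: only a nonedge port moving from blocking to
        forwarding (an increase in connectivity) is a topology change."""
        if port.edge:
            return False
        return port.state == BLOCKING and new_state == FORWARDING

    def set_state(self, name: str, new_state: str) -> list:
        """Apply a local state change; if it is a TC, flush and start TC-while
        on the ports the propagation rule selects (no receiving port here)."""
        port = self.ports[name]
        is_tc = self.is_topology_change(port, new_state)
        port.state = new_state
        return self.propagate_tc(received_on=None) if is_tc else []

    def propagate_tc(self, received_on) -> list:
        """Propagation rule: start the TC-while timer and flush learned MACs
        on all nonedge designated ports and the root port, excluding the port
        the TC arrived on. Returns the names of the affected ports."""
        affected = []
        for p in self.ports.values():
            if p.edge or p.name == received_on:
                continue
            if p.role not in (DESIGNATED, ROOT):
                continue
            p.tc_while_active = True
            p.learned_macs.clear()
            affected.append(p.name)
        return sorted(affected)

    def receive_tc(self, on_port: str) -> list:
        """A TC received on a designated or root port is propagated; one that
        arrives on an alternate or backup port is ignored."""
        port = self.ports[on_port]
        if port.role not in (DESIGNATED, ROOT):
            return []
        return self.propagate_tc(received_on=on_port)


def build_sample_switch() -> RstpSwitch:
    # Constructed sample: a root port, two designated uplinks, an edge port
    # and an alternate port, each with a learned MAC address.
    ports = {
        "Gi1/0/1": Port("Gi1/0/1", ROOT, FORWARDING, learned_macs={"aa:01"}),
        "Gi1/0/2": Port("Gi1/0/2", DESIGNATED, FORWARDING, learned_macs={"aa:02"}),
        "Gi1/0/3": Port("Gi1/0/3", DESIGNATED, FORWARDING, learned_macs={"aa:03"}),
        "Gi1/0/4": Port("Gi1/0/4", DESIGNATED, FORWARDING, edge=True, learned_macs={"aa:04"}),
        "Gi1/0/5": Port("Gi1/0/5", ALTERNATE, BLOCKING),
    }
    return RstpSwitch(ports)


if __name__ == "__main__":
    sw = build_sample_switch()
    print("TC received on Gi1/0/2 flushes:", sw.receive_tc("Gi1/0/2"))
```

Running the sample shows the two asymmetries the bullets describe: a TC received on Gi1/0/2 flushes Gi1/0/1 and Gi1/0/3 but leaves the receiving port and the edge port untouched, and toggling the edge port never produces a TC at all.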

Protocol Migration Process


A switch running MSTP supports a built-in protocol migration mechanism that enables it to interoperate with
legacy IEEE 802.1D switches. If this switch receives a legacy IEEE 802.1D configuration BPDU (a BPDU
with the protocol version set to 0), it sends only IEEE 802.1D BPDUs on that port. An MSTP switch also can
detect that a port is at the boundary of a region when it receives a legacy BPDU, an MST BPDU (Version 3)
associated with a different region, or an RST BPDU (Version 2).
However, the switch does not automatically revert to the MSTP mode if it no longer receives IEEE 802.1D
BPDUs because it cannot detect whether the legacy switch has been removed from the link unless the legacy
switch is the designated switch. A switch also might continue to assign a boundary role to a port when the
switch to which it is connected has joined the region.
Related Topics
Restarting the Protocol Migration Process , on page 282


Default MSTP Configuration


Table 30: Default MSTP Configuration

Feature                                                              Default Setting
Spanning-tree mode                                                   MSTP
Switch priority (configurable on a per-CIST port basis)              32768
Spanning-tree port priority (configurable on a per-CIST port basis)  128
Spanning-tree port cost (configurable on a per-CIST port basis)      1000 Mb/s: 20000
                                                                     100 Mb/s: 20000
                                                                     10 Mb/s: 20000
Hello time                                                           3 seconds
Forward-delay time                                                   20 seconds
Maximum-aging time                                                   20 seconds
Maximum hop count                                                    20 hops

Related Topics
Supported Spanning-Tree Instances, on page 232
Specifying the MST Region Configuration and Enabling MSTP , on page 266

About MST-to-PVST+ Interoperability (PVST+ Simulation)


About Detecting Unidirectional Link Failure


The dispute mechanism that detects unidirectional link failures is included in the IEEE 802.1D-2004 RSTP
and IEEE 802.1Q-2005 MSTP standard, and requires no user configuration.
The switch checks the consistency of the port role and state in the BPDUs it receives, to detect unidirectional
link failures that could cause bridging loops. When a designated port detects a conflict, it keeps its role, but
reverts to a discarding (blocking) state because disrupting connectivity in case of inconsistency is preferable
to opening a bridging loop.
For example, in the figure below, Switch A is the root bridge and Switch B is the designated port. BPDUs
from Switch A are lost on the link leading to switch B.


Figure 17: Detecting Unidirectional Link Failure

Since Rapid PVST+ (802.1w) and MST BPDUs include the role and state of the sending port, Switch A detects
(from the inferior BPDU) that Switch B does not react to the superior BPDUs it sends, because Switch B has
the role of a designated port and not the root bridge. As a result, Switch A blocks (or keeps blocking) its port,
thus preventing the bridging loop.
Note these guidelines and limitations relating to the dispute mechanism:
• It works only on switches running RSTP or MST (the dispute mechanism requires reading the role and
state of the port initiating BPDUs).
• It may result in loss of connectivity. For example, in the figure below, Bridge A cannot transmit on the
port it elected as a root port. As a result of this situation, there is loss of connectivity (r1 and r2 are
designated, a1 is root and a2 is alternate; there is only one-way connectivity between A and R).
Figure 18: Loss of Connectivity

• It may cause permanent bridging loops on shared segments. For example, in the figure below, suppose
that bridge R has the best priority, and that port b1 cannot receive any traffic from the shared segment 1
and sends inferior designated information on segment 1. Both r1 and a1 can detect this inconsistency.
However, with the current dispute mechanism, only r1 will revert to discarding while the root port a1
opens a permanent loop. However, this problem does not occur in Layer 2 switched networks that are
connected by point-to-point links.
Figure 19: Bridging Loops on Shared Segments

How to Configure MSTP Features


Specifying the MST Region Configuration and Enabling MSTP
For two or more switches to be in the same MST region, they must have the same VLAN-to-instance mapping,
the same configuration revision number, and the same name.
A region can have one member or multiple members with the same MST configuration; each member must
be capable of processing RSTP BPDUs. There is no limit to the number of MST regions in a network, but
each region can only support up to 65 spanning-tree instances. You can assign a VLAN to only one
spanning-tree instance at a time.

SUMMARY STEPS
1. enable
2. configure terminal


3. spanning-tree mst configuration


4. instance instance-id vlan vlan-range
5. name name
6. revision version
7. show pending
8. exit
9. spanning-tree mode mst
10. end

DETAILED STEPS

Step 1  enable
  Enables privileged EXEC mode. Enter your password if prompted.
  Example:
  SwitchDevice> enable

Step 2  configure terminal
  Enters the global configuration mode.
  Example:
  SwitchDevice# configure terminal

Step 3  spanning-tree mst configuration
  Enters MST configuration mode.
  Example:
  SwitchDevice(config)# spanning-tree mst configuration

Step 4  instance instance-id vlan vlan-range
  Maps VLANs to an MST instance.
  • For instance-id, the range is 0 to 4094.
  • For vlan vlan-range, the range is 1 to 4094.
  When you map VLANs to an MST instance, the mapping is incremental, and the VLANs specified in the command
  are added to or removed from the VLANs that were previously mapped.
  To specify a VLAN range, use a hyphen; for example, instance 1 vlan 1-63 maps VLANs 1 through 63 to MST
  instance 1.
  To specify a VLAN series, use a comma; for example, instance 1 vlan 10, 20, 30 maps VLANs 10, 20, and 30
  to MST instance 1.
  Example:
  SwitchDevice(config-mst)# instance 1 vlan 10-20

Step 5  name name
  Specifies the configuration name. The name string has a maximum length of 32 characters and is case sensitive.
  Example:
  SwitchDevice(config-mst)# name region1

Step 6  revision version
  Specifies the configuration revision number. The range is 0 to 65535.
  Example:
  SwitchDevice(config-mst)# revision 1

Step 7  show pending
  Verifies your configuration by displaying the pending configuration.
  Example:
  SwitchDevice(config-mst)# show pending

Step 8  exit
  Applies all changes, and returns to global configuration mode.
  Example:
  SwitchDevice(config-mst)# exit

Step 9  spanning-tree mode mst
  Enables MSTP. RSTP is also enabled.
  Changing spanning-tree modes can disrupt traffic because all spanning-tree instances are stopped for the
  previous mode and restarted in the new mode.
  You cannot run both MSTP and PVST+ or both MSTP and Rapid PVST+ at the same time.
  Example:
  SwitchDevice(config)# spanning-tree mode mst

Step 10  end
  Returns to privileged EXEC mode.
  Example:
  SwitchDevice(config)# end
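The steps above build the region configuration on one switch; the requirement stated at the start of this procedure is that every switch in the region ends up with the same name, revision number and VLAN-to-instance mapping, and that no VLAN is in more than one instance. The following Python is an added example (not part of this guide and not Cisco IOS code) that parses the spanning-tree mst configuration block out of running-config text collected from several switches and groups the switches by the region they would actually form. The switch names and configuration text are constructed; the example also assumes that a VLAN not mapped to any instance belongs to instance 0, which the guide does not state here.

```python
"""Added example (not from the Cisco guide): check that several switches'
MST configuration blocks describe the same region.

Switch names and running-config text are constructed. Assumption beyond
the guide: VLANs not listed under any instance belong to instance 0.
"""
import re
from collections import defaultdict

MAX_INSTANCES = 65   # the guide: a region supports up to 65 instances (0 to 64)
MAX_NAME_LEN = 32    # name string limit from Step 5


def parse_vlan_list(spec: str) -> set:
    """Expand a vlan-range argument such as '10-20, 30,40' into a set."""
    vlans = set()
    for part in spec.replace(" ", "").split(","):
        if not part:
            continue
        if "-" in part:
            lo, hi = (int(x) for x in part.split("-", 1))
            vlans.update(range(lo, hi + 1))
        else:
            vlans.add(int(part))
    bad = [v for v in vlans if not 1 <= v <= 4094]
    if bad:
        raise ValueError(f"VLAN(s) {sorted(bad)} outside the range 1 to 4094")
    return vlans


def parse_mst_config(running_config: str) -> dict:
    """Return {'name', 'revision', 'mapping'} for the MST configuration block.

    Mapping is applied incrementally, as Step 4 describes: each 'instance'
    line adds VLANs to (or, with 'no', removes them from) that instance, and
    because a VLAN can be in only one instance, mapping it to a new instance
    removes it from its previous one."""
    name, revision = "", 0
    mapping = defaultdict(set)
    in_block = False
    for line in running_config.splitlines():
        stripped = line.strip()
        if stripped == "spanning-tree mst configuration":
            in_block = True
            continue
        if in_block and (not line.startswith(" ") or stripped == "!"):
            in_block = False
        if not in_block:
            continue
        m = re.match(r"^(no )?instance (\d+) vlan (.+)$", stripped)
        if m:
            negate, inst = m.group(1), int(m.group(2))
            vlans = parse_vlan_list(m.group(3))
            if not 0 <= inst <= 4094:
                raise ValueError(f"instance {inst} outside the range 0 to 4094")
            for members in mapping.values():
                members.difference_update(vlans)   # one instance per VLAN
            if not negate:
                mapping[inst] |= vlans
            continue
        m = re.match(r"^name (.+)$", stripped)
        if m:
            name = m.group(1)
            if len(name) > MAX_NAME_LEN:
                raise ValueError("region name exceeds 32 characters")
            continue
        m = re.match(r"^revision (\d+)$", stripped)
        if m:
            revision = int(m.group(1))
            if not 0 <= revision <= 65535:
                raise ValueError("revision outside the range 0 to 65535")
    mapping = {inst: vl for inst, vl in mapping.items() if vl}
    if len(set(mapping) | {0}) > MAX_INSTANCES:
        raise ValueError("more than 65 instances in the region")
    return {"name": name, "revision": revision, "mapping": mapping}


def region_key(cfg: dict) -> tuple:
    """The tuple that must be identical on every switch of one region."""
    mapping = tuple(sorted((i, tuple(sorted(v))) for i, v in cfg["mapping"].items()))
    return (cfg["name"], cfg["revision"], mapping)


def group_by_region(configs: dict) -> dict:
    """Group switch names by the region their configuration describes."""
    groups = defaultdict(list)
    for switch, text in configs.items():
        groups[region_key(parse_mst_config(text))].append(switch)
    return {k: sorted(v) for k, v in groups.items()}


# Constructed sample: sw3 has a different revision and so forms its own region.
SAMPLE_CONFIGS = {
    "sw1": "spanning-tree mode mst\nspanning-tree mst configuration\n name region1\n"
           " revision 1\n instance 1 vlan 10-20\n instance 2 vlan 30, 40\n!\n",
    "sw2": "spanning-tree mode mst\nspanning-tree mst configuration\n name region1\n"
           " revision 1\n instance 1 vlan 10-20\n instance 2 vlan 30,40\n!\n",
    "sw3": "spanning-tree mode mst\nspanning-tree mst configuration\n name region1\n"
           " revision 2\n instance 1 vlan 10-20\n instance 2 vlan 30,40\n!\n",
}

if __name__ == "__main__":
    for key, members in group_by_region(SAMPLE_CONFIGS).items():
        print(key[:2], "->", members)
```

Feeding the sample in splits sw3 off from sw1 and sw2 on the revision number alone, which is exactly the silent failure mode to check for before and after a change: a switch whose block differs in any of the three components becomes a separate region with boundary ports toward the others.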

Related Topics
MSTP Configuration Guidelines, on page 251
Multiple Spanning-Tree Regions, on page 253
Prerequisites for MSTP, on page 249
Restrictions for MSTP, on page 250
Spanning-Tree Interoperability and Backward Compatibility, on page 232
Optional Spanning-Tree Configuration Guidelines
BackboneFast, on page 293
UplinkFast, on page 291
Default MSTP Configuration, on page 265
Configuring the Root Switch , on page 269
Bridge ID, Device Priority, and Extended System ID, on page 226
Configuring a Secondary Root Switch , on page 270
Configuring Port Priority , on page 271
Configuring Path Cost , on page 273


Configuring the Switch Priority , on page 274


Configuring the Hello Time , on page 276
Configuring the Forwarding-Delay Time , on page 277
Configuring the Maximum-Aging Time , on page 278
Configuring the Maximum-Hop Count , on page 278
Specifying the Link Type to Ensure Rapid Transitions , on page 279
Designating the Neighbor Type , on page 281
Restarting the Protocol Migration Process , on page 282

Configuring the Root Switch


This procedure is optional.

Before you begin


A multiple spanning tree (MST) must be specified and enabled on the switch. For instructions, see Related
Topics.
You must also know the specified MST instance ID. Step 2 in the example uses 0 as the instance ID because
that was the instance ID set up by the instructions listed under Related Topics.

SUMMARY STEPS
1. enable
2. configure terminal
3. spanning-tree mst instance-id root primary
4. end

DETAILED STEPS

Step 1  enable
  Enables privileged EXEC mode. Enter your password if prompted.
  Example:
  SwitchDevice> enable

Step 2  configure terminal
  Enters the global configuration mode.
  Example:
  SwitchDevice# configure terminal

Step 3  spanning-tree mst instance-id root primary
  Configures a switch as the root switch.
  • For instance-id, you can specify a single instance, a range of instances separated by a hyphen, or a series
  of instances separated by a comma. The range is 0 to 4094.
  Example:
  SwitchDevice(config)# spanning-tree mst 0 root primary

Step 4  end
  Returns to privileged EXEC mode.
  Example:
  SwitchDevice(config)# end

Related Topics
Root Switch, on page 252
Specifying the MST Region Configuration and Enabling MSTP , on page 266
Restrictions for MSTP, on page 250
Bridge ID, Device Priority, and Extended System ID, on page 226
Configuring a Secondary Root Switch , on page 270

Configuring a Secondary Root Switch


When you configure a switch with the extended system ID support as the secondary root, the switch priority
is modified from the default value (32768) to 28672. The switch is then likely to become the root switch for
the specified instance if the primary root switch fails. This is assuming that the other network switches use
the default switch priority of 32768 and therefore are unlikely to become the root switch.
You can execute this command on more than one switch to configure multiple backup root switches. Use the
same network diameter and hello-time values that you used when you configured the primary root switch
with the spanning-tree mst instance-id root primary global configuration command.
This procedure is optional.

Before you begin


A multiple spanning tree (MST) must be specified and enabled on the switch. For instructions, see Related
Topics.
You must also know the specified MST instance ID. This example uses 0 as the instance ID because that was
the instance ID set up by the instructions listed under Related Topics.

SUMMARY STEPS
1. enable
2. configure terminal
3. spanning-tree mst instance-id root secondary
4. end

DETAILED STEPS

Step 1  enable
  Enables privileged EXEC mode. Enter your password if prompted.
  Example:
  SwitchDevice> enable

Step 2  configure terminal
  Enters the global configuration mode.
  Example:
  SwitchDevice# configure terminal

Step 3  spanning-tree mst instance-id root secondary
  Configures a switch as the secondary root switch.
  • For instance-id, you can specify a single instance, a range of instances separated by a hyphen, or a series
  of instances separated by a comma. The range is 0 to 4094.
  Example:
  SwitchDevice(config)# spanning-tree mst 0 root secondary

Step 4  end
  Returns to privileged EXEC mode.
  Example:
  SwitchDevice(config)# end

Related Topics
Specifying the MST Region Configuration and Enabling MSTP , on page 266
Configuring the Root Switch , on page 269

Configuring Port Priority


If a loop occurs, the MSTP uses the port priority when selecting an interface to put into the forwarding state.
You can assign higher priority values (lower numerical values) to interfaces that you want selected first and
lower priority values (higher numerical values) that you want selected last. If all interfaces have the same
priority value, the MSTP puts the interface with the lowest interface number in the forwarding state and blocks
the other interfaces.

Note If the switch is a member of a switch stack, you must use the spanning-tree mst [instance-id] cost cost
interface configuration command instead of the spanning-tree mst [instance-id] port-priority priority
interface configuration command to select a port to put in the forwarding state. Assign lower cost values to
ports that you want selected first and higher cost values to ports that you want selected last. For more
information, see the path costs topic listed under Related Topics.

This procedure is optional.

Before you begin


A multiple spanning tree (MST) must be specified and enabled on the switch. For instructions, see Related
Topics.


You must also know the specified MST instance ID and the interface used. This example uses 0 as the instance
ID and GigabitEthernet1/0/1 as the interface because that was the instance ID and interface set up by the
instructions listed under Related Topics.

SUMMARY STEPS
1. enable
2. configure terminal
3. interface interface-id
4. spanning-tree mst instance-id port-priority priority
5. end

DETAILED STEPS

Step 1  enable
  Enables privileged EXEC mode. Enter your password if prompted.
  Example:
  SwitchDevice> enable

Step 2  configure terminal
  Enters the global configuration mode.
  Example:
  SwitchDevice# configure terminal

Step 3  interface interface-id
  Specifies an interface to configure, and enters interface configuration mode.
  Example:
  SwitchDevice(config)# interface GigabitEthernet1/0/1

Step 4  spanning-tree mst instance-id port-priority priority
  Configures port priority.
  • For instance-id, you can specify a single instance, a range of instances separated by a hyphen, or a series
  of instances separated by a comma. The range is 0 to 4094.
  • For priority, the range is 0 to 240 in increments of 16. The default is 128. The lower the number, the higher
  the priority.
  The priority values are 0, 16, 32, 48, 64, 80, 96, 112, 128, 144, 160, 176, 192, 208, 224, and 240. All other
  values are rejected.
  Example:
  SwitchDevice(config-if)# spanning-tree mst 0 port-priority 64

Step 5  end
  Returns to privileged EXEC mode.
  Example:
  SwitchDevice(config-if)# end

The show spanning-tree mst interface interface-id privileged EXEC command displays information only
if the port is in a link-up operative state. Otherwise, you can use the show running-config interface privileged
EXEC command to confirm the configuration.
Related Topics
Specifying the MST Region Configuration and Enabling MSTP , on page 266
Configuring Path Cost , on page 273

Configuring Path Cost


The MSTP path cost default value is derived from the media speed of an interface. If a loop occurs, the MSTP
uses cost when selecting an interface to put in the forwarding state. You can assign lower cost values to
interfaces that you want selected first and higher cost values that you want selected last. If all interfaces have
the same cost value, the MSTP puts the interface with the lowest interface number in the forwarding state and
blocks the other interfaces.
This procedure is optional.

Before you begin


A multiple spanning tree (MST) must be specified and enabled on the switch. For instructions, see Related
Topics.
You must also know the specified MST instance ID and the interface used. This example uses 0 as the instance
ID and GigabitEthernet1/0/1 as the interface because that was the instance ID and interface set up by the
instructions listed under Related Topics.

SUMMARY STEPS
1. enable
2. configure terminal
3. interface interface-id
4. spanning-tree mst instance-id cost cost
5. end

DETAILED STEPS

Step 1  enable
  Enables privileged EXEC mode. Enter your password if prompted.
  Example:
  SwitchDevice> enable

Step 2  configure terminal
  Enters the global configuration mode.
  Example:
  SwitchDevice# configure terminal

Step 3  interface interface-id
  Specifies an interface to configure, and enters interface configuration mode. Valid interfaces include physical
  ports and port-channel logical interfaces. The port-channel range is 1 to 48.
  Example:
  SwitchDevice(config)# interface gigabitethernet1/0/1

Step 4  spanning-tree mst instance-id cost cost
  Configures the cost.
  If a loop occurs, the MSTP uses the path cost when selecting an interface to place into the forwarding state.
  A lower path cost represents higher-speed transmission.
  • For instance-id, you can specify a single instance, a range of instances separated by a hyphen, or a series
  of instances separated by a comma. The range is 0 to 4094.
  • For cost, the range is 1 to 200000000; the default value is derived from the media speed of the interface.
  Example:
  SwitchDevice(config-if)# spanning-tree mst 0 cost 17031970

Step 5  end
  Returns to privileged EXEC mode.
  Example:
  SwitchDevice(config-if)# end

The show spanning-tree mst interface interface-id privileged EXEC command displays information only
for ports that are in a link-up operative state. Otherwise, you can use the show running-config privileged
EXEC command to confirm the configuration.
Related Topics
Configuring Port Priority , on page 271
Specifying the MST Region Configuration and Enabling MSTP , on page 266

Configuring the Switch Priority


Lowering the priority value of a switch makes it more likely to be chosen as the root switch, whether it is a
standalone switch or a switch in the stack.

Note Exercise care when using this command. For normal network configurations, we recommend that you use the
spanning-tree mst instance-id root primary and the spanning-tree mst instance-id root secondary global
configuration commands to specify a switch as the root or secondary root switch. You should modify the
switch priority only in circumstances where these commands do not work.

This procedure is optional.


Before you begin


A multiple spanning tree (MST) must be specified and enabled on the switch. For instructions, see Related
Topics.
You must also know the specified MST instance ID used. This example uses 0 as the instance ID because
that was the instance ID set up by the instructions listed under Related Topics.

SUMMARY STEPS
1. enable
2. configure terminal
3. spanning-tree mst instance-id priority priority
4. end

DETAILED STEPS

Step 1  enable
  Enables privileged EXEC mode. Enter your password if prompted.
  Example:
  SwitchDevice> enable

Step 2  configure terminal
  Enters the global configuration mode.
  Example:
  SwitchDevice# configure terminal

Step 3  spanning-tree mst instance-id priority priority
  Configures the switch priority.
  • For instance-id, you can specify a single instance, a range of instances separated by a hyphen, or a series
  of instances separated by a comma. The range is 0 to 4094.
  • For priority, the range is 0 to 61440 in increments of 4096; the default is 32768. The lower the number, the
  more likely the switch will be chosen as the root switch.
  Priority values are 0, 4096, 8192, 12288, 16384, 20480, 24576, 28672, 32768, 36864, 40960, 45056, 49152,
  53248, 57344, and 61440. These are the only acceptable values.
  Example:
  SwitchDevice(config)# spanning-tree mst 0 priority 40960

Step 4  end
  Returns to privileged EXEC mode.
  Example:
  SwitchDevice(config)# end
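The following Python is an added example serving both this procedure and the secondary root procedure above (it is not code from this guide or from Cisco IOS). It validates the priority and cost values the steps accept and simulates which switch wins the root election for an instance when the primary root fails, which is the scenario the secondary root description relies on (28672 beating the default 32768). Switch names and MAC addresses are constructed, the primary root's priority of 24576 is a constructed sample value, and the bridge ID model (configured priority plus the instance number as the extended system ID, MAC address as the tie-breaker, lowest wins) is an assumption of the example that this section does not spell out.

```python
"""Added example (not from the Cisco guide): MST priority validation and a
root election simulation. Switch names, MACs and the 24576 primary value are
constructed; the bridge ID ordering is an assumption of this example.
"""

VALID_SWITCH_PRIORITIES = set(range(0, 61441, 4096))  # 0, 4096, ..., 61440
VALID_PORT_PRIORITIES = set(range(0, 241, 16))        # 0, 16, ..., 240
DEFAULT_PRIORITY = 32768          # table of defaults above
SECONDARY_ROOT_PRIORITY = 28672   # what 'root secondary' sets, per the guide


def check_switch_priority(priority: int) -> bool:
    """spanning-tree mst instance-id priority: multiples of 4096 in 0 to 61440."""
    return priority in VALID_SWITCH_PRIORITIES


def check_port_priority(priority: int) -> bool:
    """spanning-tree mst instance-id port-priority: multiples of 16 in 0 to 240."""
    return priority in VALID_PORT_PRIORITIES


def check_cost(cost: int) -> bool:
    """spanning-tree mst instance-id cost: 1 to 200000000."""
    return 1 <= cost <= 200000000


def bridge_id(priority: int, instance: int, mac: str) -> tuple:
    """Ordering key for root election (assumption, see lead-in): the
    priority field is the configured priority plus the instance number,
    and the MAC address breaks ties. The lowest key wins."""
    return (priority + instance, mac.lower())


def elect_root(switches: dict, instance: int, failed=()) -> str:
    """switches: name -> (priority, mac). Returns the root switch for the
    given instance, ignoring any switch listed in 'failed'."""
    candidates = {n: v for n, v in switches.items() if n not in failed}
    for name, (prio, _) in candidates.items():
        if not check_switch_priority(prio):
            raise ValueError(f"{name}: priority {prio} is not a multiple of 4096 in 0 to 61440")
    return min(candidates, key=lambda n: bridge_id(*candidates[n][:1], instance, candidates[n][1]))


# Constructed sample: a primary root, a secondary root, and two switches at the default.
SAMPLE_SWITCHES = {
    "core1": (24576, "00:11:22:33:44:01"),               # constructed primary root value
    "core2": (SECONDARY_ROOT_PRIORITY, "00:11:22:33:44:02"),
    "access1": (DEFAULT_PRIORITY, "00:11:22:33:44:03"),
    "access2": (DEFAULT_PRIORITY, "00:11:22:33:44:00"),  # lowest MAC of the defaults
}

if __name__ == "__main__":
    print("root:", elect_root(SAMPLE_SWITCHES, 0))
    print("root after core1 fails:", elect_root(SAMPLE_SWITCHES, 0, failed=("core1",)))
    print("root after both cores fail:", elect_root(SAMPLE_SWITCHES, 0, failed=("core1", "core2")))
```

The third call shows why the secondary root only works "assuming that the other network switches use the default switch priority": once both configured roots are gone, the election falls through to the lowest MAC address among the default-priority switches, which is rarely the device you would choose.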


Related Topics
Specifying the MST Region Configuration and Enabling MSTP , on page 266

Configuring the Hello Time


The hello time is the time interval between configuration messages generated and sent by the root switch.
This procedure is optional.

Before you begin


A multiple spanning tree (MST) must be specified and enabled on the switch. For instructions, see Related
Topics.

SUMMARY STEPS
1. enable
2. configure terminal
3. spanning-tree mst hello-time seconds
4. end

DETAILED STEPS

Step 1  enable
  Enables privileged EXEC mode. Enter your password if prompted.
  Example:
  SwitchDevice> enable

Step 2  configure terminal
  Enters the global configuration mode.
  Example:
  SwitchDevice# configure terminal

Step 3  spanning-tree mst hello-time seconds
  Configures the hello time for all MST instances. The hello time is the time interval between configuration
  messages generated and sent by the root switch. These messages indicate that the switch is alive.
  For seconds, the range is 1 to 10; the default is 3.
  Example:
  SwitchDevice(config)# spanning-tree mst hello-time 4

Step 4  end
  Returns to privileged EXEC mode.
  Example:
  SwitchDevice(config)# end


Related Topics
Specifying the MST Region Configuration and Enabling MSTP , on page 266

Configuring the Forwarding-Delay Time


Before you begin
A multiple spanning tree (MST) must be specified and enabled on the switch. For instructions, see Related
Topics.

SUMMARY STEPS
1. enable
2. configure terminal
3. spanning-tree mst forward-time seconds
4. end

DETAILED STEPS

Step 1  enable
  Enables privileged EXEC mode. Enter your password if prompted.
  Example:
  SwitchDevice> enable

Step 2  configure terminal
  Enters the global configuration mode.
  Example:
  SwitchDevice# configure terminal

Step 3  spanning-tree mst forward-time seconds
  Configures the forward time for all MST instances. The forwarding delay is the number of seconds a port waits
  before changing from its spanning-tree learning and listening states to the forwarding state.
  For seconds, the range is 4 to 30; the default is 20.
  Example:
  SwitchDevice(config)# spanning-tree mst forward-time 25

Step 4  end
  Returns to privileged EXEC mode.
  Example:
  SwitchDevice(config)# end

Related Topics
Specifying the MST Region Configuration and Enabling MSTP , on page 266


Configuring the Maximum-Aging Time


Before you begin
A multiple spanning tree (MST) must be specified and enabled on the switch. For instructions, see Related
Topics.

SUMMARY STEPS
1. enable
2. configure terminal
3. spanning-tree mst max-age seconds
4. end

DETAILED STEPS

Step 1  enable
  Enables privileged EXEC mode. Enter your password if prompted.
  Example:
  SwitchDevice> enable

Step 2  configure terminal
  Enters the global configuration mode.
  Example:
  SwitchDevice# configure terminal

Step 3  spanning-tree mst max-age seconds
  Configures the maximum-aging time for all MST instances. The maximum-aging time is the number of seconds a
  switch waits without receiving spanning-tree configuration messages before attempting a reconfiguration.
  For seconds, the range is 6 to 40; the default is 20.
  Example:
  SwitchDevice(config)# spanning-tree mst max-age 40

Step 4  end
  Returns to privileged EXEC mode.
  Example:
  SwitchDevice(config)# end

Related Topics
Specifying the MST Region Configuration and Enabling MSTP , on page 266

Configuring the Maximum-Hop Count


This procedure is optional.


Before you begin


A multiple spanning tree (MST) must be specified and enabled on the switch. For instructions, see Related
Topics.

SUMMARY STEPS
1. enable
2. configure terminal
3. spanning-tree mst max-hops hop-count
4. end

DETAILED STEPS

Step 1  enable
  Enables privileged EXEC mode. Enter your password if prompted.
  Example:
  SwitchDevice> enable

Step 2  configure terminal
  Enters the global configuration mode.
  Example:
  SwitchDevice# configure terminal

Step 3  spanning-tree mst max-hops hop-count
  Specifies the number of hops in a region before the BPDU is discarded, and the information held for a port
  is aged.
  For hop-count, the range is 1 to 255; the default is 20.
  Example:
  SwitchDevice(config)# spanning-tree mst max-hops 25

Step 4  end
  Returns to privileged EXEC mode.
  Example:
  SwitchDevice(config)# end

Related Topics
Specifying the MST Region Configuration and Enabling MSTP , on page 266

Specifying the Link Type to Ensure Rapid Transitions


If you connect a port to another port through a point-to-point link and the local port becomes a designated
port, the RSTP negotiates a rapid transition with the other port by using the proposal-agreement handshake
to ensure a loop-free topology.
By default, the link type is controlled from the duplex mode of the interface: a full-duplex port is considered
to have a point-to-point connection; a half-duplex port is considered to have a shared connection. If you have
a half-duplex link physically connected point-to-point to a single port on a remote switch running MSTP, you
can override the default setting of the link type and enable rapid transitions to the forwarding state.
This procedure is optional.

Before you begin


A multiple spanning tree (MST) must be specified and enabled on the switch. For instructions, see Related
Topics.
You must also know the specified MST instance ID and the interface used. This example uses 0 as the instance
ID and GigabitEthernet1/0/1 as the interface because that was the instance ID and interface set up by the
instructions listed under Related Topics.

SUMMARY STEPS
1. enable
2. configure terminal
3. interface interface-id
4. spanning-tree link-type point-to-point
5. end

DETAILED STEPS

Step 1  enable
  Enables privileged EXEC mode. Enter your password if prompted.
  Example:
  SwitchDevice> enable

Step 2  configure terminal
  Enters the global configuration mode.
  Example:
  SwitchDevice# configure terminal

Step 3  interface interface-id
  Specifies an interface to configure, and enters interface configuration mode. Valid interfaces include physical
  ports, VLANs, and port-channel logical interfaces. The VLAN ID range is 1 to 4094. The port-channel range is
  1 to 48.
  Example:
  SwitchDevice(config)# interface GigabitEthernet1/0/1

Step 4  spanning-tree link-type point-to-point
  Specifies that the link type of a port is point-to-point.
  Example:
  SwitchDevice(config-if)# spanning-tree link-type point-to-point

Step 5  end
  Returns to privileged EXEC mode.
  Example:
  SwitchDevice(config-if)# end

Related Topics
Specifying the MST Region Configuration and Enabling MSTP , on page 266

Designating the Neighbor Type


A topology could contain both prestandard and IEEE 802.1s standard compliant devices. By default, ports
can automatically detect prestandard devices, but they can still receive both standard and prestandard BPDUs.
When there is a mismatch between a device and its neighbor, only the CIST runs on the interface.
You can choose to set a port to send only prestandard BPDUs. The prestandard flag appears in all the show
commands, even if the port is in STP compatibility mode.
This procedure is optional.

Before you begin


A multiple spanning tree (MST) must be specified and enabled on the switch. For instructions, see Related
Topics.

SUMMARY STEPS
1. enable
2. configure terminal
3. interface interface-id
4. spanning-tree mst pre-standard
5. end

DETAILED STEPS

Step 1  enable
  Enables privileged EXEC mode. Enter your password if prompted.
  Example:
  SwitchDevice> enable

Step 2  configure terminal
  Enters the global configuration mode.
  Example:
  SwitchDevice# configure terminal

Step 3  interface interface-id
  Specifies an interface to configure, and enters interface configuration mode. Valid interfaces include physical
  ports.
  Example:
  SwitchDevice(config)# interface GigabitEthernet1/0/1

Step 4  spanning-tree mst pre-standard
  Specifies that the port can send only prestandard BPDUs.
  Example:
  SwitchDevice(config-if)# spanning-tree mst pre-standard

Step 5  end
  Returns to privileged EXEC mode.
  Example:
  SwitchDevice(config-if)# end

Related Topics
Specifying the MST Region Configuration and Enabling MSTP , on page 266

Restarting the Protocol Migration Process


This procedure restarts the protocol migration process and forces renegotiation with neighboring switches. It
reverts the switch to MST mode. It is needed when the switch no longer receives IEEE 802.1D BPDUs after
it has been receiving them.
Follow these steps to restart the protocol migration process (force the renegotiation with neighboring switches)
on the switch.

Before you begin


A multiple spanning tree (MST) must be specified and enabled on the switch. For instructions, see Related
Topics.
If you want to use the interface version of the command, you must also know the MST interface used. This
example uses GigabitEthernet1/0/1 as the interface because that was the interface set up by the instructions
listed under Related Topics.

SUMMARY STEPS
1. enable
2. Enter one of the following commands:
• clear spanning-tree detected-protocols
• clear spanning-tree detected-protocols interface interface-id

DETAILED STEPS

Command or Action / Purpose

Step 1  enable
        Purpose: Enables privileged EXEC mode. Enter your password if prompted.
        Example:
        SwitchDevice> enable

Step 2  Enter one of the following commands:
        • clear spanning-tree detected-protocols
        • clear spanning-tree detected-protocols interface interface-id
        Purpose: The switch reverts to the MSTP mode, and the protocol migration process restarts.
        Example:
        SwitchDevice# clear spanning-tree detected-protocols

        or

        SwitchDevice# clear spanning-tree detected-protocols interface GigabitEthernet1/0/1

What to do next
This procedure may need to be repeated if the switch receives more legacy IEEE 802.1D configuration BPDUs
(BPDUs with the protocol version set to 0).
Related Topics
Specifying the MST Region Configuration and Enabling MSTP , on page 266
Protocol Migration Process, on page 264

Configuring PVST+ Simulation



Examples
Examples: PVST+ Simulation
This example shows how to prevent the switch from automatically interoperating with a connecting switch
that is running Rapid PVST+:

Switch# configure terminal
Switch(config)# no spanning-tree mst simulate pvst global

This example shows how to prevent a port from automatically interoperating with a connecting device that
is running Rapid PVST+:

Switch(config)# interface gi3/13
Switch(config-if)# spanning-tree mst simulate pvst disable

The following sample output shows the system message you receive when an SSTP BPDU is received on a
port and PVST+ simulation is disabled:

Message
SPANTREE_PVST_PEER_BLOCK: PVST BPDU detected on port %s [port number].

Severity
Critical

Explanation
A PVST+ peer was detected on the specified interface on the switch. The PVST+ simulation feature is
disabled; as a result, the interface was moved to the spanning tree blocking state.

Action
Identify the PVST+ switch from the network which might be configured
incorrectly.
The following sample output shows the system message you receive when peer inconsistency on the interface
is cleared:

Message
SPANTREE_PVST_PEER_UNBLOCK: Unblocking port %s [port number].

Severity
Critical

Explanation
The interface specified in the error message has been restored to normal
spanning tree state.

Action
None.

This example shows the spanning tree status when port Gi3/14 has been configured to disable PVST+ simulation
and is currently in the peer type inconsistent state:

Switch# show spanning-tree

VLAN0010
  Spanning tree enabled protocol mstp
  Root ID    Priority    32778
             Address     0002.172c.f400
             This bridge is the root
             Hello Time   2 sec  Max Age 20 sec  Forward Delay 15 sec

  Bridge ID  Priority    32778  (priority 32768 sys-id-ext 10)
             Address     0002.172c.f400
             Hello Time   2 sec  Max Age 20 sec  Forward Delay 15 sec
             Aging Time 300

Interface        Role Sts Cost      Prio.Nbr Type
---------------- ---- --- --------- -------- -------------------------
Gi3/14           Desg BKN*4         128.270  P2p *PVST_Peer_Inc

This example shows the spanning tree summary when PVST+ simulation is enabled in the MSTP mode:

Switch# show spanning-tree summary

Switch is in mst mode (IEEE Standard)
Root bridge for: MST0
EtherChannel misconfig guard is enabled
Extended system ID is enabled
Portfast Default is disabled
PortFast BPDU Guard Default is disabled
Portfast BPDU Filter Default is disabled
Loopguard Default is disabled
UplinkFast is disabled
BackboneFast is disabled
Pathcost method used is long
PVST Simulation Default is enabled
Name                   Blocking Listening Learning Forwarding STP Active
---------------------- -------- --------- -------- ---------- ----------
MST0                          2         0        0          0          2
---------------------- -------- --------- -------- ---------- ----------
1 mst                         2         0        0          0          2

This example shows the spanning tree summary when PVST+ simulation is disabled in any STP mode:

Switch# show spanning-tree summary

Switch is in mst mode (IEEE Standard)
Root bridge for: MST0
EtherChannel misconfig guard is enabled
Extended system ID is enabled
Portfast Default is disabled
PortFast BPDU Guard Default is disabled
Portfast BPDU Filter Default is disabled
Loopguard Default is disabled
UplinkFast is disabled
BackboneFast is disabled
Pathcost method used is long
PVST Simulation Default is disabled
Name                   Blocking Listening Learning Forwarding STP Active
---------------------- -------- --------- -------- ---------- ----------
MST0                          2         0        0          0          2
---------------------- -------- --------- -------- ---------- ----------
1 mst                         2         0        0          0          2

This example shows the spanning tree summary when the switch is not in MSTP mode, that is, the switch is
in PVST or Rapid-PVST mode. The output string displays the current STP mode:

Switch# show spanning-tree summary

Switch is in rapid-pvst mode
Root bridge for: VLAN0001, VLAN2001-VLAN2002
EtherChannel misconfig guard is enabled
Extended system ID is enabled
Portfast Default is disabled
PortFast BPDU Guard Default is disabled
Portfast BPDU Filter Default is disabled
Loopguard Default is disabled
UplinkFast is disabled
BackboneFast is disabled
Pathcost method used is short
PVST Simulation Default is enabled but inactive in rapid-pvst mode
Name                   Blocking Listening Learning Forwarding STP Active
---------------------- -------- --------- -------- ---------- ----------
VLAN0001                      2         0        0          0          2
VLAN2001                      2         0        0          0          2
VLAN2002                      2         0        0          0          2
---------------------- -------- --------- -------- ---------- ----------
3 vlans                       6         0        0          0          6

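
As an added check, not part of this guide and not a Cisco tool: the following parser reads show spanning-tree summary output in the format shown above (the embedded sample is a constructed copy of the MST example with PVST+ simulation disabled) and flags the global defaults this chapter warns about, such as BPDU guard and loop guard left disabled.

```python
import re

# Constructed copy of one "show spanning-tree summary" output from this guide (MST mode,
# PVST+ simulation disabled); the counts are the guide's sample values.
SAMPLE_MST = """\
Switch is in mst mode (IEEE Standard)
Root bridge for: MST0
EtherChannel misconfig guard is enabled
Extended system ID is enabled
Portfast Default is disabled
PortFast BPDU Guard Default is disabled
Portfast BPDU Filter Default is disabled
Loopguard Default is disabled
UplinkFast is disabled
BackboneFast is disabled
Pathcost method used is long
PVST Simulation Default is disabled
Name                   Blocking Listening Learning Forwarding STP Active
---------------------- -------- --------- -------- ---------- ----------
MST0                          2         0        0          0          2
---------------------- -------- --------- -------- ---------- ----------
1 mst                         2         0        0          0          2
"""

MODE_RE = re.compile(r"^Switch is in (?P<mode>[\w-]+) mode")
FLAG_RE = re.compile(r"^(?P<key>.+?) is (?P<val>enabled|disabled)\b(?P<note>.*)$")
ROW_RE = re.compile(r"^(?P<name>\S+)\s+(?P<blk>\d+)\s+(?P<lis>\d+)\s+(?P<lrn>\d+)\s+(?P<fwd>\d+)\s+(?P<act>\d+)$")

# What each finding means, in the terms this guide uses.
FINDING_TEXT = {
    "BPDU_GUARD_DEFAULT_OFF": "BPDU guard is not enabled globally: a BPDU from an unauthorized device on a PortFast port will not error-disable it",
    "LOOP_GUARD_DEFAULT_OFF": "loop guard is not the default: a unidirectional-link failure can turn an alternate or root port into a designated port",
    "PVST_SIMULATION_OFF": "PVST+ simulation is disabled in MST mode: a port that receives PVST+ BPDUs goes PVST peer inconsistent (blocking)",
    "BRIDGE_ASSURANCE_UNSUPPORTED": "switch runs PVST+, which does not support Bridge Assurance",
}


def parse_summary(text):
    """Pull the mode, the enabled/disabled defaults and the per-instance port counts out of the output."""
    info = {"mode": None, "flags": {}, "notes": {}, "instances": {}}
    for raw in text.splitlines():
        line = raw.strip()
        m = MODE_RE.match(line)
        if m:
            info["mode"] = m.group("mode")
            continue
        m = FLAG_RE.match(line)
        if m:
            info["flags"][m.group("key")] = m.group("val") == "enabled"
            if m.group("note").strip():   # e.g. "but inactive in rapid-pvst mode"
                info["notes"][m.group("key")] = m.group("note").strip()
            continue
        m = ROW_RE.match(line)
        if m:   # the totals row ("1 mst ...") has a word where a count is expected and is skipped
            info["instances"][m.group("name")] = {
                "blocking": int(m.group("blk")), "listening": int(m.group("lis")),
                "learning": int(m.group("lrn")), "forwarding": int(m.group("fwd")),
                "active": int(m.group("act")),
            }
    return info


def audit_summary(text):
    """Return sorted finding codes for the global defaults this guide warns about."""
    info = parse_summary(text)
    flags = info["flags"]
    findings = []
    if not flags.get("PortFast BPDU Guard Default", False):
        findings.append("BPDU_GUARD_DEFAULT_OFF")
    if not flags.get("Loopguard Default", False):
        findings.append("LOOP_GUARD_DEFAULT_OFF")
    if info["mode"] == "mst" and not flags.get("PVST Simulation Default", True):
        findings.append("PVST_SIMULATION_OFF")
    if info["mode"] == "pvst":
        findings.append("BRIDGE_ASSURANCE_UNSUPPORTED")
    return sorted(findings)


if __name__ == "__main__":
    for code in audit_summary(SAMPLE_MST):
        print(f"{code}: {FINDING_TEXT[code]}")
```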
This example shows the interface details when PVST+ simulation is globally enabled, or the default
configuration:

Switch# show spanning-tree interface gi3/13 detail

 Port 269 (GigabitEthernet3/13) of VLAN0002 is forwarding
   Port path cost 4, Port priority 128, Port Identifier 128.297.
   Designated root has priority 32769, address 0013.5f20.01c0
   Designated bridge has priority 32769, address 0013.5f20.01c0
   Designated port id is 128.297, designated path cost 0
   Timers: message age 0, forward delay 0, hold 0
   Number of transitions to forwarding state: 1
   Link type is point-to-point by default
   PVST Simulation is enabled by default
   BPDU: sent 132, received 1

This example shows the interface details when PVST+ simulation is globally disabled:

Switch# show spanning-tree interface gi3/13 detail

 Port 269 (GigabitEthernet3/13) of VLAN0002 is forwarding
   Port path cost 4, Port priority 128, Port Identifier 128.297.
   Designated root has priority 32769, address 0013.5f20.01c0
   Designated bridge has priority 32769, address 0013.5f20.01c0
   Designated port id is 128.297, designated path cost 0
   Timers: message age 0, forward delay 0, hold 0
   Number of transitions to forwarding state: 1
   Link type is point-to-point by default
   PVST Simulation is disabled by default
   BPDU: sent 132, received 1

This example shows the interface details when PVST+ simulation is explicitly enabled on the port:
Switch# show spanning-tree interface gi3/13 detail
Port 269 (GigabitEthernet3/13) of VLAN0002 is forwarding
Port path cost 4, Port priority 128, Port Identifier 128.297.
Designated root has priority 32769, address 0013.5f20.01c0
Designated bridge has priority 32769, address 0013.5f20.01c0
Designated port id is 128.297, designated path cost 0
Timers: message age 0, forward delay 0, hold 0
Number of transitions to forwarding state: 1
Link type is point-to-point by default
PVST Simulation is enabled
BPDU: sent 132, received 1
This example shows the interface details when the PVST+ simulation feature is disabled and a PVST Peer
inconsistency has been detected on the port:

Switch# show spanning-tree interface gi3/13 detail

 Port 269 (GigabitEthernet3/13) of VLAN0002 is broken (PVST Peer Inconsistent)
   Port path cost 4, Port priority 128, Port Identifier 128.297.
   Designated root has priority 32769, address 0013.5f20.01c0
   Designated bridge has priority 32769, address 0013.5f20.01c0
   Designated port id is 128.297, designated path cost 0
   Timers: message age 0, forward delay 0, hold 0
   Number of transitions to forwarding state: 1
   Link type is point-to-point by default
   PVST Simulation is disabled
   BPDU: sent 132, received 1

Monitoring MST Configuration and Status


Table 31: Commands for Displaying MST Status

show spanning-tree mst configuration            Displays the MST region configuration.

show spanning-tree mst configuration digest     Displays the MD5 digest included in the current MSTCI.

show spanning-tree mst                          Displays MST information for all instances.
                                                Note: This command displays information for ports in a
                                                link-up operative state.

show spanning-tree mst instance-id              Displays MST information for the specified instance.
                                                Note: This command displays information only if the port
                                                is in a link-up operative state.

show spanning-tree mst interface interface-id   Displays MST information for the specified interface.

Feature Information for MSTP


Release                 Modification

Cisco IOS 15.0(2)EX     This feature was introduced.

CHAPTER 16
Configuring Optional Spanning-Tree Features
• Finding Feature Information, on page 289
• Restriction for Optional Spanning-Tree Features, on page 289
• Information About Optional Spanning-Tree Features, on page 290
• How to Configure Optional Spanning-Tree Features, on page 299
• Examples, on page 316
• Monitoring the Spanning-Tree Status, on page 318

Finding Feature Information


Your software release may not support all the features documented in this module. For the latest caveats and
feature information, see Bug Search Tool and the release notes for your platform and software release. To
find information about the features documented in this module, and to see a list of the releases in which each
feature is supported, see the feature information table at the end of this module.
Use Cisco Feature Navigator to find information about platform support and Cisco software image support.
To access Cisco Feature Navigator, go to http://www.cisco.com/go/cfn. An account on Cisco.com is not
required.

Restriction for Optional Spanning-Tree Features


• PortFast minimizes the time that interfaces must wait for spanning tree to converge, so it is effective
only when used on interfaces connected to end stations. If you enable PortFast on an interface connecting
to another switch, you risk creating a spanning-tree loop.

Related Topics
Enabling PortFast , on page 299
PortFast, on page 290

Information About Optional Spanning-Tree Features


PortFast
PortFast immediately brings an interface configured as an access or trunk port to the forwarding state from a
blocking state, bypassing the listening and learning states.
Figure 20: PortFast-Enabled Interfaces

You can use PortFast on interfaces connected to a single workstation or server to allow those devices to
immediately connect to the network, rather than waiting for the spanning tree to converge.
Interfaces connected to a single workstation or server should not receive bridge protocol data units (BPDUs).
An interface with PortFast enabled goes through the normal cycle of spanning-tree status changes when the
switch is restarted.
You can enable this feature by enabling it on either the interface or on all nontrunking ports.
Related Topics
Enabling PortFast , on page 299
Restriction for Optional Spanning-Tree Features, on page 289

BPDU Guard
The Bridge Protocol Data Unit (BPDU) guard feature can be globally enabled on the switch or can be enabled
per port, but the feature operates with some differences.
When you enable BPDU guard at the global level on PortFast-enabled ports, spanning tree shuts down ports
that are in a PortFast-operational state if any BPDU is received on them. In a valid configuration,
PortFast-enabled ports do not receive BPDUs. Receiving a BPDU on a PortFast-enabled port means an invalid
configuration, such as the connection of an unauthorized device, and the BPDU guard feature puts the port
in the error-disabled state. When this happens, the switch shuts down the entire port on which the violation
occurred.
When you enable BPDU guard at the interface level on any port without also enabling the PortFast feature,
and the port receives a BPDU, it is put in the error-disabled state.

The BPDU guard feature provides a secure response to invalid configurations because you must manually
put the interface back in service. Use the BPDU guard feature in a service-provider network to prevent an
access port from participating in the spanning tree.
Related Topics
Enabling BPDU Guard , on page 301

BPDU Filtering
The BPDU filtering feature can be globally enabled on the switch or can be enabled per interface, but the
feature operates with some differences.
Enabling BPDU filtering on PortFast-enabled interfaces at the global level keeps those interfaces that are in
a PortFast-operational state from sending or receiving BPDUs. The interfaces still send a few BPDUs at
link-up before the switch begins to filter outbound BPDUs. You should globally enable BPDU filtering on a
switch so that hosts connected to these interfaces do not receive BPDUs. If a BPDU is received on a
PortFast-enabled interface, the interface loses its PortFast-operational status, and BPDU filtering is disabled.
Enabling BPDU filtering on an interface without also enabling the PortFast feature keeps the interface from
sending or receiving BPDUs.

Caution Enabling BPDU filtering on an interface is the same as disabling spanning tree on it and can result in
spanning-tree loops.

You can enable the BPDU filtering feature for the entire switch or for an interface.
Related Topics
Enabling BPDU Filtering , on page 302

UplinkFast
Figure 21: Switches in a Hierarchical Network

Switches in hierarchical networks can be grouped into backbone switches, distribution switches, and access
switches. This complex network has distribution switches and access switches that each have at least one
redundant link that spanning tree blocks to prevent loops.
If a switch loses connectivity, it begins using the alternate paths as soon as the spanning tree selects a new
root port. You can accelerate the choice of a new root port when a link or switch fails or when the spanning
tree reconfigures itself by enabling UplinkFast. The root port transitions to the forwarding state immediately
without going through the listening and learning states, as it would with the normal spanning-tree procedures.
When the spanning tree reconfigures the new root port, other interfaces flood the network with multicast
packets, one for each address that was learned on the interface. You can limit these bursts of multicast traffic
by reducing the max-update-rate parameter (the default for this parameter is 150 packets per second). However,
if you enter zero, station-learning frames are not generated, so the spanning-tree topology converges more
slowly after a loss of connectivity.

Note UplinkFast is most useful in wiring-closet switches at the access or edge of the network. It is not appropriate
for backbone devices. This feature might not be useful for other types of applications.

UplinkFast provides fast convergence after a direct link failure and achieves load-balancing between redundant
Layer 2 links using uplink groups. An uplink group is a set of Layer 2 interfaces (per VLAN), only one of
which is forwarding at any given time. Specifically, an uplink group consists of the root port (which is
forwarding) and a set of blocked ports, except for self-looping ports. The uplink group provides an alternate
path in case the currently forwarding link fails.

Figure 22: UplinkFast Example Before Direct Link Failure

This topology has no link failures. Switch A, the root switch, is connected directly to Switch B over link L1
and to Switch C over link L2. The Layer 2 interface on Switch C that is connected directly to Switch B is in
a blocking state.

Figure 23: UplinkFast Example After Direct Link Failure

If Switch C detects a link failure on the currently active link L2 on the root port (a direct link failure), UplinkFast
unblocks the blocked interface on Switch C and transitions it to the forwarding state without going through
the listening and learning states. This change takes approximately 1 to 5 seconds.
Related Topics
Specifying the MST Region Configuration and Enabling MSTP , on page 266
MSTP Configuration Guidelines, on page 251
Multiple Spanning-Tree Regions, on page 253
Enabling UplinkFast for Use with Redundant Links , on page 304
Events That Cause Fast Convergence

BackboneFast
BackboneFast detects indirect failures in the core of the backbone. BackboneFast is a complementary technology
to the UplinkFast feature, which responds to failures on links directly connected to access switches.
BackboneFast optimizes the maximum-age timer, which controls the amount of time the switch stores protocol
information received on an interface. When a switch receives an inferior BPDU from the designated port of
another switch, the BPDU is a signal that the other switch might have lost its path to the root, and BackboneFast
tries to find an alternate path to the root.
BackboneFast starts when a root port or blocked interface on a switch receives inferior BPDUs from its
designated switch. An inferior BPDU identifies a switch that declares itself as both the root bridge and the
designated switch. When a switch receives an inferior BPDU, it means that a link to which the switch is not
directly connected (an indirect link) has failed (that is, the designated switch has lost its connection to the root
switch). Under spanning-tree rules, the switch ignores inferior BPDUs for the maximum aging time (default
is 20 seconds).
The switch tries to find if it has an alternate path to the root switch. If the inferior BPDU arrives on a blocked
interface, the root port and other blocked interfaces on the switch become alternate paths to the root switch.
(Self-looped ports are not considered alternate paths to the root switch.) If the inferior BPDU arrives on the
root port, all blocked interfaces become alternate paths to the root switch. If the inferior BPDU arrives on the
root port and there are no blocked interfaces, the switch assumes that it has lost connectivity to the root switch,
causes the maximum aging time on the root port to expire, and becomes the root switch according to normal
spanning-tree rules.
If the switch has alternate paths to the root switch, it uses these alternate paths to send a root link query (RLQ)
request. The switch sends the RLQ request on all alternate paths to learn whether any stack member has an
alternate path to the root switch, and waits for an RLQ reply from the other switches in the network and in
the stack.
When a stack member receives an RLQ reply from a nonstack member on a blocked interface and the reply
is destined for another nonstacked switch, it forwards the reply packet, regardless of the spanning-tree interface
state.
When a stack member receives an RLQ reply from a nonstack member and the response is destined for the
stack, the stack member forwards the reply so that all the other stack members receive it.
If the switch discovers that it still has an alternate path to the root, it expires the maximum aging time on the
interface that received the inferior BPDU. If all the alternate paths to the root switch indicate that the switch
has lost connectivity to the root switch, the switch expires the maximum aging time on the interface that
received the RLQ reply. If one or more alternate paths can still connect to the root switch, the switch makes
all interfaces on which it received an inferior BPDU its designated ports and moves them from the blocking
state (if they were in the blocking state), through the listening and learning states, and into the forwarding
state.
Figure 24: BackboneFast Example Before Indirect Link Failure

This is an example topology with no link failures. Switch A, the root switch, connects directly to Switch B
over link L1 and to Switch C over link L2. The Layer 2 interface on Switch C that connects directly to Switch
B is in the blocking state.

Figure 25: BackboneFast Example After Indirect Link Failure

If link L1 fails, Switch C cannot detect this failure because it is not connected directly to link L1. However,
because Switch B is directly connected to the root switch over L1, it detects the failure, elects itself the root,
and begins sending BPDUs to Switch C, identifying itself as the root. When Switch C receives the inferior
BPDUs from Switch B, Switch C assumes that an indirect failure has occurred. At that point, BackboneFast
allows the blocked interface on Switch C to move immediately to the listening state without waiting for the
maximum aging time for the interface to expire. BackboneFast then transitions the Layer 2 interface on
Switch C to the forwarding state, providing a path from Switch B to Switch A. The root-switch election takes
approximately 30 seconds, twice the Forward Delay time if the default Forward Delay time of 15 seconds is
set. BackboneFast reconfigures the topology to account for the failure of link L1.
Figure 26: Adding a Switch in a Shared-Medium Topology

If a new switch is introduced into a shared-medium topology, BackboneFast is not activated because the
inferior BPDUs did not come from the recognized designated switch (Switch B). The new switch begins
sending inferior BPDUs that indicate it is the root switch. However, the other switches ignore these inferior
BPDUs, and the new switch learns that Switch B is the designated switch to Switch A, the root switch.
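
The BPDU comparison and the alternate-path rules described above, as an added example that is not Cisco code: it ranks a received BPDU against the one stored on a port using the 802.1D ordering (root ID, root path cost, sender ID, port ID), decides whether BackboneFast should start, and lists the ports on which the RLQ request goes out. The bridge identifiers, costs and port names are constructed to follow the Switch A/B/C topology of the figures; the Switch D newcomer models the shared-medium case.

```python
from typing import List, NamedTuple


class BridgeId(NamedTuple):
    """Spanning-tree bridge identifier: 16-bit priority field plus MAC; lower compares as better."""
    priority: int
    mac: str

    def key(self):
        return (self.priority, int(self.mac.replace(".", ""), 16))


class Bpdu(NamedTuple):
    root: BridgeId        # bridge the sender believes is the root
    root_path_cost: int   # sender's cost to that root
    sender: BridgeId      # designated bridge that transmitted the BPDU
    port_id: int          # sender's port identifier


def priority_vector(b: Bpdu):
    """802.1D ordering: root ID, then root path cost, then sender ID, then port ID; lower wins."""
    return b.root.key() + (b.root_path_cost,) + b.sender.key() + (b.port_id,)


def classify(received: Bpdu, stored: Bpdu) -> str:
    """Rank a received BPDU against the one currently held on the port."""
    r, s = priority_vector(received), priority_vector(stored)
    return "superior" if r < s else "inferior" if r > s else "same"


def backbonefast_action(received: Bpdu, stored: Bpdu, port_role: str) -> str:
    """Decide how a root, blocked or designated port reacts to `received`.

    Normal 802.1D rules ignore an inferior BPDU until max age expires. BackboneFast, as this
    guide describes it, starts instead when a root or blocked port receives an inferior BPDU
    from its recognised designated switch and that switch now claims to be both root and
    designated bridge, i.e. it has lost its own path to the root.
    """
    verdict = classify(received, stored)
    if verdict != "inferior":
        return "accept" if verdict == "superior" else "refresh"
    if port_role not in ("root", "blocked"):
        return "ignore_until_max_age"
    if received.sender != stored.sender:
        return "ignore_until_max_age"   # unrecognised sender, e.g. a new switch on a shared medium
    if received.root != received.sender:
        return "ignore_until_max_age"   # sender still relays some root; no indirect failure signalled
    return "backbonefast_rlq"


def rlq_paths(arrival_port: str, root_port: str, blocked_ports: List[str]) -> List[str]:
    """Ports on which the root link query is sent, per the rules in this guide.

    Inferior BPDU on a blocked port: the root port and the other blocked ports are the
    alternates. On the root port: all blocked ports. An empty list means the switch must
    assume it lost the root, expire max age on the root port and become root itself.
    """
    blocked = set(blocked_ports)
    if arrival_port == root_port:
        return sorted(blocked)
    return sorted({root_port} | (blocked - {arrival_port}))


# Constructed scenario following Figures 24-26: A is root, B and C hang off it, and C's port
# towards B is blocked while L1 is up. Priorities and MACs are made up for the example.
SWITCH_A = BridgeId(32768, "0000.0000.000a")
SWITCH_B = BridgeId(32768, "0000.0000.000b")
SWITCH_C = BridgeId(32768, "0000.0000.000c")
SWITCH_D = BridgeId(32768, "0000.0000.000d")   # newcomer on the shared medium

STORED_ON_C = Bpdu(root=SWITCH_A, root_path_cost=4, sender=SWITCH_B, port_id=0x8001)
B_CLAIMS_ROOT = Bpdu(root=SWITCH_B, root_path_cost=0, sender=SWITCH_B, port_id=0x8001)
D_CLAIMS_ROOT = Bpdu(root=SWITCH_D, root_path_cost=0, sender=SWITCH_D, port_id=0x8001)

if __name__ == "__main__":
    print(backbonefast_action(B_CLAIMS_ROOT, STORED_ON_C, "blocked"))   # backbonefast_rlq
    print(backbonefast_action(D_CLAIMS_ROOT, STORED_ON_C, "blocked"))   # ignore_until_max_age
    print(rlq_paths("Gi1/0/2", "Gi1/0/1", ["Gi1/0/2", "Gi1/0/3"]))      # ['Gi1/0/1', 'Gi1/0/3']
```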
Related Topics
Specifying the MST Region Configuration and Enabling MSTP , on page 266
MSTP Configuration Guidelines, on page 251
Multiple Spanning-Tree Regions, on page 253
Enabling BackboneFast , on page 306

EtherChannel Guard
You can use EtherChannel guard to detect an EtherChannel misconfiguration between the switch and a
connected device. A misconfiguration can occur if the switch interfaces are configured in an EtherChannel,
but the interfaces on the other device are not. A misconfiguration can also occur if the channel parameters are
not the same at both ends of the EtherChannel.
If the switch detects a misconfiguration on the other device, EtherChannel guard places the switch interfaces
in the error-disabled state, and displays an error message.
Related Topics
Enabling EtherChannel Guard , on page 307

Root Guard
Figure 27: Root Guard in a Service-Provider Network

The Layer 2 network of a service provider (SP) can include many connections to switches that are not owned
by the SP. In such a topology, the spanning tree can reconfigure itself and select a customer switch as the root
switch. You can avoid this situation by enabling root guard on SP switch interfaces that connect to switches
in your customer’s network. If spanning-tree calculations cause an interface in the customer network to be
selected as the root port, root guard then places the interface in the root-inconsistent (blocked) state to prevent
the customer’s switch from becoming the root switch or being in the path to the root.

If a switch outside the SP network becomes the root switch, the interface is blocked (root-inconsistent state),
and spanning tree selects a new root switch. The customer’s switch does not become the root switch and is
not in the path to the root.
If the switch is operating in multiple spanning-tree (MST) mode, root guard forces the interface to be a
designated port. If a boundary port is blocked in an internal spanning-tree (IST) instance because of root
guard, the interface also is blocked in all MST instances. A boundary port is an interface that connects to a
LAN, the designated switch of which is either an IEEE 802.1D switch or a switch with a different MST region
configuration.

Root guard enabled on an interface applies to all the VLANs to which the interface belongs. VLANs can be
grouped and mapped to an MST instance.

Caution Misuse of the root guard feature can cause a loss of connectivity.

Related Topics
Enabling Root Guard , on page 308

Loop Guard
You can use loop guard to prevent alternate or root ports from becoming designated ports because of a failure
that leads to a unidirectional link. This feature is most effective when it is enabled on the entire switched
network.
When the switch is operating in PVST+ or rapid-PVST+ mode, loop guard prevents alternate and root ports
from becoming designated ports, and spanning tree does not send BPDUs on root or alternate ports.
When the switch is operating in MST mode, BPDUs are not sent on nonboundary ports only if the interface
is blocked by loop guard in all MST instances. On a boundary port, loop guard blocks the interface in all MST
instances.
Related Topics
Enabling Loop Guard , on page 310

STP PortFast Port Types


You can configure a spanning tree port as an edge port, a network port, or a normal port. A port can be in
only one of these states at a given time. The default spanning tree port type is normal. You can configure the
port type either globally or per interface.
Depending on the type of device to which the interface is connected, you can configure a spanning tree port
as one of these port types:
• A PortFast edge port—is connected to a Layer 2 host. This can be either an access port or an edge trunk
port (portfast edge trunk). This type of port interface immediately transitions to the forwarding state,
bypassing the listening and learning states. Use PortFast edge on Layer 2 access ports connected to a
single workstation or server to allow those devices to connect to the network immediately, rather than
waiting for spanning tree to converge.
Even if the interface receives a bridge protocol data unit (BPDU), spanning tree does not place the port
into the blocking state. Spanning tree sets the port’s operating state to non-port fast even if the configured
state remains port fast edge and starts participating in the topology change.

Note If you configure a port connected to a Layer 2 switch or bridge as an edge port,
you might create a bridging loop.

• A PortFast network port—is connected only to a Layer 2 switch or bridge. Bridge Assurance is enabled
only on PortFast network ports. For more information, refer to Bridge Assurance.

Note If you configure a port that is connected to a Layer 2 host as a spanning tree
network port, the port will automatically move into the blocking state.

• A PortFast normal port—is the default type of spanning tree port.

Note Beginning with Cisco IOS Release 15.2(4)E, or IOS XE 3.8.0E, if you enter the
spanning-tree portfast [trunk] command in the global or interface configuration
mode, the system automatically saves it as spanning-tree portfast edge [trunk].

Related Topics
Enabling PortFast Port Types, on page 311

Bridge Assurance
You can use Bridge Assurance to help prevent looping conditions that are caused by unidirectional links
(one-way traffic on a link or port), or a malfunction in a neighboring switch. Here a malfunction refers to a
switch that is not able to run STP any more, while still forwarding traffic (a brain dead switch).
BPDUs are sent out on all operational network ports, including alternate and backup ports, for each hello time
period. Bridge Assurance monitors the receipt of BPDUs on point-to-point links on all network ports. When
a port does not receive BPDUs within the allotted hello time period, the port is put into a blocked state (the
same as a port inconsistent state, which stops forwarding of frames). When the port resumes receipt of BPDUs,
the port resumes normal spanning tree operations.

Note Only Rapid PVST+ and MST spanning tree protocols support Bridge Assurance. PVST+ does not support
Bridge Assurance.

The following example shows how Bridge Assurance protects your network from bridging loops.
The following figure shows a network with normal STP topology.
Figure 28: Network with Normal STP Topology

The following figure demonstrates a potential network problem when the device fails (brain dead) and Bridge
Assurance is not enabled on the network.
Figure 29: Network Loop Due to a Malfunctioning Switch

The following figure shows the network with Bridge Assurance enabled, and the STP topology progressing
normally with bidirectional BPDUs issuing from every STP network port.
Figure 30: Network with STP Topology Running Bridge Assurance

The following figure shows how the potential network problem shown in figure Network Loop Due to a
Malfunctioning Switch does not occur when you have Bridge Assurance enabled on your network.

Figure 31: Network Problem Averted with Bridge Assurance Enabled

The system generates syslog messages when a port is blocked and unblocked. The following sample output
shows the log that is generated for each of these states:

BRIDGE_ASSURANCE_BLOCK

Sep 17 09:48:15.962 PDT: %SPANTREE-2-BRIDGE_ASSURANCE_BLOCK: Bridge Assurance blocking port Port-channel4 on VLAN0001.
Sep 17 09:48:16.249 PDT: %SPANTREE-2-BRIDGE_ASSURANCE_BLOCK: Bridge Assurance blocking port GigabitEthernet4/0/47 on VLAN0001.

BRIDGE_ASSURANCE_UNBLOCK

Sep 17 09:48:58.101 PDT: %SPANTREE-2-BRIDGE_ASSURANCE_UNBLOCK: Bridge Assurance unblocking port Port-channel4 on VLAN0001.
Sep 17 09:48:58.426 PDT: %SPANTREE-2-BRIDGE_ASSURANCE_UNBLOCK: Bridge Assurance unblocking port GigabitEthernet4/0/47 on VLAN0001.

Follow these guidelines when enabling Bridge Assurance:


• It can only be enabled or disabled globally.
• It applies to all operational network ports, including alternate and backup ports.
• Only Rapid PVST+ and MST spanning tree protocols support Bridge Assurance. PVST+ does not support
Bridge Assurance.
• For Bridge Assurance to work properly, it must be supported and configured on both ends of a
point-to-point link. If the device on one side of the link has Bridge Assurance enabled and the device on
the other side does not, the connecting port is blocked and in a Bridge Assurance inconsistent state. We
recommend that you enable Bridge Assurance throughout your network.
• To enable Bridge Assurance on a port, BPDU filtering and BPDU Guard must be disabled.
• You can enable Bridge Assurance in conjunction with Loop Guard.
• You can enable Bridge Assurance in conjunction with Root Guard. The latter is designed to provide a
way to enforce the root bridge placement in the network.
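The block and unblock messages above are the signal an operations or security team should watch, because a port that blocks and never unblocks points at a unidirectional link or a neighbor that has stopped running STP while still forwarding traffic, and a port that blocks repeatedly points at a flapping neighbor. The following Python script is an added example and is not part of the Cisco guide: it parses the %SPANTREE-2-BRIDGE_ASSURANCE_BLOCK and %SPANTREE-2-BRIDGE_ASSURANCE_UNBLOCK messages in the format shown above, replays them in order, and reports which ports are still blocked and how many times each port was blocked. The sample log lines are constructed for the example and are not a capture from a switch; the message format is the one the guide prints.

```python
import re
from collections import Counter

# Matches the two Bridge Assurance syslog mnemonics shown in the guide. Timestamps and
# sequence numbers ahead of the mnemonic vary with the logging configuration, so the
# expression anchors on the mnemonic rather than on the start of the line.
BA_EVENT_RE = re.compile(
    r"%SPANTREE-2-BRIDGE_ASSURANCE_(?P<action>BLOCK|UNBLOCK): "
    r"Bridge Assurance (?:blocking|unblocking) port (?P<port>\S+) on (?P<vlan>VLAN\d+)\."
)

# Constructed sample log in the guide's message format (not a real capture).
# GigabitEthernet4/0/47 never recovers; Port-channel4 blocks twice, which is what a
# flapping or half-dead neighbor looks like. The CONFIG_I line is noise to be ignored.
SAMPLE_LOG = [
    "Sep 17 09:48:15.962 PDT: %SPANTREE-2-BRIDGE_ASSURANCE_BLOCK: Bridge Assurance blocking port Port-channel4 on VLAN0001.",
    "Sep 17 09:48:16.249 PDT: %SPANTREE-2-BRIDGE_ASSURANCE_BLOCK: Bridge Assurance blocking port GigabitEthernet4/0/47 on VLAN0001.",
    "Sep 17 09:48:20.000 PDT: %SYS-5-CONFIG_I: Configured from console by console",
    "Sep 17 09:48:58.101 PDT: %SPANTREE-2-BRIDGE_ASSURANCE_UNBLOCK: Bridge Assurance unblocking port Port-channel4 on VLAN0001.",
    "Sep 17 09:49:30.500 PDT: %SPANTREE-2-BRIDGE_ASSURANCE_BLOCK: Bridge Assurance blocking port Port-channel4 on VLAN0001.",
    "Sep 17 09:50:01.020 PDT: %SPANTREE-2-BRIDGE_ASSURANCE_UNBLOCK: Bridge Assurance unblocking port Port-channel4 on VLAN0001.",
]


def parse_ba_events(lines):
    """Yield (action, port, vlan) for every Bridge Assurance event, in log order."""
    for line in lines:
        m = BA_EVENT_RE.search(line)
        if m:
            yield m.group("action"), m.group("port"), m.group("vlan")


def blocked_ports(lines):
    """Replay the log and return the (port, vlan) pairs still blocked at the end.

    A port that stays in this set is a link to check for a unidirectional fault or for a
    neighbor that has stopped running STP while still forwarding frames.
    """
    state = set()
    for action, port, vlan in parse_ba_events(lines):
        if action == "BLOCK":
            state.add((port, vlan))
        else:
            state.discard((port, vlan))
    return state


def block_counts(lines):
    """Count BLOCK events per (port, vlan); repeated blocks indicate a flapping neighbor."""
    return Counter(
        (port, vlan) for action, port, vlan in parse_ba_events(lines) if action == "BLOCK"
    )


if __name__ == "__main__":
    for port, vlan in sorted(blocked_ports(SAMPLE_LOG)):
        print(f"still blocked: {port} on {vlan}")
    for (port, vlan), n in block_counts(SAMPLE_LOG).most_common():
        print(f"{port} on {vlan}: blocked {n} time(s)")
```

Feed the script the switch's syslog stream (or a file exported from the collector) in place of SAMPLE_LOG; replaying in order is what matters, since the UNBLOCK message is the only thing that clears a port from the blocked set.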

Related Topics
Enabling Bridge Assurance, on page 315

How to Configure Optional Spanning-Tree Features


Enabling PortFast
An interface with the PortFast feature enabled is moved directly to the spanning-tree forwarding state without
waiting for the standard forward-time delay.
If you enable the voice VLAN feature, the PortFast feature is automatically enabled. When you disable voice
VLAN, the PortFast feature is not automatically disabled.
You can enable this feature if your switch is running PVST+, Rapid PVST+, or MSTP.


Caution Use PortFast only when connecting a single end station to an access or trunk port. Enabling this feature on
an interface connected to a switch or hub could prevent spanning tree from detecting and disabling loops in
your network, which could cause broadcast storms and address-learning problems.

This procedure is optional.

SUMMARY STEPS
1. enable
2. configure terminal
3. interface interface-id
4. spanning-tree portfast [trunk]
5. end

DETAILED STEPS

Command or Action Purpose


Step 1 enable Enables privileged EXEC mode. Enter your password if
prompted.
Example:

SwitchDevice> enable

Step 2 configure terminal Enters the global configuration mode.


Example:

SwitchDevice# configure terminal

Step 3 interface interface-id Specifies an interface to configure, and enters interface


configuration mode.
Example:

SwitchDevice(config)# interface
gigabitethernet1/0/2

Step 4 spanning-tree portfast [trunk] Enables PortFast on an access port connected to a single
workstation or server. By specifying the trunk keyword, you can enable PortFast on a trunk port.
By default, PortFast is disabled on all interfaces.
Example:

SwitchDevice(config-if)# spanning-tree portfast trunk

Note To enable PortFast on trunk ports, you must use the spanning-tree portfast trunk interface
configuration command. The spanning-tree portfast command will not work on trunk ports.
Make sure that there are no loops in the network between the trunk port and the workstation or
server before you enable PortFast on a trunk port.

Step 5 end Returns to privileged EXEC mode.


Example:

SwitchDevice(config-if)# end

What to do next
You can use the spanning-tree portfast default global configuration command to globally enable the PortFast
feature on all nontrunking ports.
Related Topics
PortFast, on page 290
Restriction for Optional Spanning-Tree Features, on page 289

Enabling BPDU Guard


You can enable the BPDU guard feature if your switch is running PVST+, Rapid PVST+, or MSTP.

Caution Configure PortFast only on ports that connect to end stations; otherwise, an accidental topology loop could
cause a data packet loop and disrupt switch and network operation.

This procedure is optional.

SUMMARY STEPS
1. enable
2. configure terminal
3. spanning-tree portfast bpduguard default
4. interface interface-id
5. spanning-tree portfast
6. end

DETAILED STEPS

Command or Action Purpose


Step 1 enable Enables privileged EXEC mode. Enter your password if
prompted.
Example:

SwitchDevice> enable

Step 2 configure terminal Enters the global configuration mode.
Example:

SwitchDevice# configure terminal

Step 3 spanning-tree portfast bpduguard default Globally enables BPDU guard.
By default, BPDU guard is disabled.
Example:

SwitchDevice(config)# spanning-tree portfast bpduguard default

Step 4 interface interface-id Specifies the interface connected to an end station, and
enters interface configuration mode.
Example:

SwitchDevice(config)# interface
gigabitethernet1/0/2

Step 5 spanning-tree portfast Enables the PortFast feature.


Example:

SwitchDevice(config-if)# spanning-tree portfast

Step 6 end Returns to privileged EXEC mode.


Example:

SwitchDevice(config-if)# end

What to do next
To prevent the port from shutting down, you can use the errdisable detect cause bpduguard shutdown vlan
global configuration command to shut down just the offending VLAN on the port where the violation occurred.
You can also use the spanning-tree bpduguard enable interface configuration command to enable BPDU
guard on any port without also enabling the PortFast feature. When the port receives a BPDU, it is put in
the error-disabled state.
Related Topics
BPDU Guard, on page 290

Enabling BPDU Filtering


You can use the spanning-tree bpdufilter enable interface configuration command to enable BPDU
filtering on any interface without also enabling the PortFast feature. This command prevents the interface
from sending or receiving BPDUs.

Caution Enabling BPDU filtering on an interface is the same as disabling spanning tree on it and can result in
spanning-tree loops.

You can enable the BPDU filtering feature if your switch is running PVST+, Rapid PVST+, or MSTP.


Caution Configure PortFast only on interfaces that connect to end stations; otherwise, an accidental topology loop
could cause a data packet loop and disrupt switch and network operation.

This procedure is optional.

SUMMARY STEPS
1. enable
2. configure terminal
3. spanning-tree portfast bpdufilter default
4. interface interface-id
5. spanning-tree portfast
6. end

DETAILED STEPS

Command or Action Purpose


Step 1 enable Enables privileged EXEC mode. Enter your password if
prompted.
Example:

SwitchDevice> enable

Step 2 configure terminal Enters the global configuration mode.


Example:

SwitchDevice# configure terminal

Step 3 spanning-tree portfast bpdufilter default Globally enables BPDU filtering.
By default, BPDU filtering is disabled.
Example:

SwitchDevice(config)# spanning-tree portfast bpdufilter default

Step 4 interface interface-id Specifies the interface connected to an end station, and
enters interface configuration mode.
Example:

SwitchDevice(config)# interface
gigabitethernet1/0/2

Step 5 spanning-tree portfast Enables the PortFast feature on the specified interface.
Example:

SwitchDevice(config-if)# spanning-tree portfast

Step 6 end Returns to privileged EXEC mode.
Example:

SwitchDevice(config-if)# end

Related Topics
BPDU Filtering, on page 291
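The three procedures above (PortFast, BPDU guard, BPDU filtering) interact in ways that are easy to get wrong in a large configuration: a PortFast edge port without BPDU guard lets whatever is plugged in take part in the topology, spanning-tree portfast is silently ineffective on a trunk port unless the trunk keyword is given, and bpdufilter enable removes the only signal spanning tree has for detecting a loop through that port. The following Python script is an added example and is not part of the Cisco guide: it splits a running-config into interface blocks and flags those three conditions, honouring the global spanning-tree portfast bpduguard default command. The sample configuration is constructed for the example; the command strings are the ones this chapter documents, and the severity labels are the example's own.

```python
import re

# Interface-level forms that configure a PortFast *edge* port. The "network" and
# "disable" keywords deliberately do not match.
EDGE_RE = re.compile(r"spanning-tree portfast( edge)?( trunk)?")
EDGE_TRUNK_RE = re.compile(r"spanning-tree portfast( edge)? trunk")

# Global commands that already supply BPDU guard on every PortFast edge port.
GLOBAL_BPDUGUARD = {
    "spanning-tree portfast bpduguard default",
    "spanning-tree portfast edge bpduguard default",
}

# Constructed sample running-config (not from a real switch). Gi1/0/1 is hardened,
# Gi1/0/2 lacks BPDU guard, Gi1/0/3 has an ineffective PortFast on a trunk,
# Gi1/0/4 filters BPDUs, Gi1/0/47 is a correctly typed network port.
SAMPLE_CONFIG = """\
!
spanning-tree mode rapid-pvst
spanning-tree extend system-id
!
interface GigabitEthernet1/0/1
 switchport access vlan 200
 switchport mode access
 spanning-tree portfast edge
 spanning-tree bpduguard enable
!
interface GigabitEthernet1/0/2
 switchport access vlan 200
 switchport mode access
 spanning-tree portfast edge
!
interface GigabitEthernet1/0/3
 switchport mode trunk
 spanning-tree portfast
!
interface GigabitEthernet1/0/4
 switchport mode access
 spanning-tree bpdufilter enable
!
interface GigabitEthernet1/0/47
 switchport mode trunk
 spanning-tree portfast network
!
"""


def parse_running_config(text):
    """Split an IOS running-config into (global_lines, {interface: [sub-commands]}).

    Sub-commands are the one-space-indented lines under an "interface" line; a "!"
    or any non-indented line ends the block.
    """
    global_lines, interfaces, current = [], {}, None
    for raw in text.splitlines():
        if raw.startswith("interface "):
            current = raw.split(None, 1)[1].strip()
            interfaces[current] = []
        elif raw.startswith(" ") and current is not None:
            interfaces[current].append(raw.strip())
        else:
            current = None
            if raw.strip() and not raw.startswith("!"):
                global_lines.append(raw.strip())
    return global_lines, interfaces


def audit_stp(text):
    """Return [(interface, severity, message)] for settings that weaken loop or
    rogue-switch protection on edge ports."""
    global_lines, interfaces = parse_running_config(text)
    guard_by_default = any(cmd in GLOBAL_BPDUGUARD for cmd in global_lines)
    findings = []
    for name, cmds in interfaces.items():
        is_trunk = "switchport mode trunk" in cmds
        edge = any(EDGE_RE.fullmatch(cmd) for cmd in cmds)
        edge_trunk = any(EDGE_TRUNK_RE.fullmatch(cmd) for cmd in cmds)
        bpduguard = "spanning-tree bpduguard enable" in cmds
        if "spanning-tree bpdufilter enable" in cmds:
            findings.append((name, "HIGH",
                "bpdufilter enable stops sending and receiving BPDUs; STP cannot detect a loop through this port"))
        if edge and is_trunk and not edge_trunk:
            findings.append((name, "MEDIUM",
                "spanning-tree portfast has no effect on a trunk port; PortFast is not active here"))
            continue  # PortFast is inactive, so the BPDU guard check does not apply
        if edge and not (bpduguard or guard_by_default):
            findings.append((name, "HIGH",
                "PortFast edge port without BPDU guard; a switch plugged in here joins the topology unchallenged"))
    return findings


if __name__ == "__main__":
    for intf, severity, msg in audit_stp(SAMPLE_CONFIG):
        print(f"{severity:6} {intf}: {msg}")
```

Run it over the output of show running-config; adding spanning-tree portfast bpduguard default globally clears the edge-port findings, while the bpdufilter and trunk findings need per-interface changes.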

Enabling UplinkFast for Use with Redundant Links

Note When you enable UplinkFast, it affects all VLANs on the switch or switch stack. You cannot configure
UplinkFast on an individual VLAN.

You can configure the UplinkFast or the Cross-Stack UplinkFast (CSUF) feature for Rapid PVST+ or for the
MSTP, but the feature remains disabled (inactive) until you change the spanning-tree mode to PVST+.
This procedure is optional. Follow these steps to enable UplinkFast and CSUF.

Before you begin


UplinkFast cannot be enabled on VLANs that have been configured with a switch priority. To enable UplinkFast
on a VLAN with switch priority configured, first restore the switch priority on the VLAN to the default value
using the no spanning-tree vlan vlan-id priority global configuration command.

SUMMARY STEPS
1. enable
2. configure terminal
3. spanning-tree uplinkfast [max-update-rate pkts-per-second]
4. end

DETAILED STEPS

Command or Action Purpose


Step 1 enable Enables privileged EXEC mode. Enter your password if
prompted.
Example:

SwitchDevice> enable

Step 2 configure terminal Enters the global configuration mode.


Example:

SwitchDevice# configure terminal

Step 3 spanning-tree uplinkfast [max-update-rate pkts-per-second] Enables UplinkFast.
(Optional) For pkts-per-second, the range is 0 to 32000 packets per second; the default is 150.
If you set the rate to 0, station-learning frames are not generated, and the spanning-tree topology
converges more slowly after a loss of connectivity.
When you enter this command, CSUF also is enabled on all nonstack port interfaces.
Example:

SwitchDevice(config)# spanning-tree uplinkfast max-update-rate 200

Step 4 end Returns to privileged EXEC mode.


Example:

SwitchDevice(config)# end

When UplinkFast is enabled, the switch priority of all VLANs is set to 49152. If you change the path cost to
a value less than 3000 and you enable UplinkFast or UplinkFast is already enabled, the path cost of all interfaces
and VLAN trunks is increased by 3000 (if you change the path cost to 3000 or above, the path cost is not
altered). The changes to the switch priority and the path cost reduce the chance that a switch will become the
root switch.
When UplinkFast is disabled, the switch priorities of all VLANs and path costs of all interfaces are set to
default values if you did not modify them from their defaults.
When you enable the UplinkFast feature using these instructions, CSUF is automatically globally enabled on
nonstack port interfaces.
Related Topics
UplinkFast, on page 291
How Cross-Stack UplinkFast Works
Events That Cause Fast Convergence

Disabling UplinkFast
This procedure is optional.
Follow these steps to disable UplinkFast and Cross-Stack UplinkFast (CSUF).

Before you begin


UplinkFast must be enabled.

SUMMARY STEPS
1. enable
2. configure terminal
3. no spanning-tree uplinkfast
4. end

DETAILED STEPS

Command or Action Purpose


Step 1 enable Enables privileged EXEC mode. Enter your password if
prompted.
Example:

SwitchDevice> enable

Step 2 configure terminal Enters the global configuration mode.


Example:

SwitchDevice# configure terminal

Step 3 no spanning-tree uplinkfast Disables UplinkFast and CSUF on the switch and all of its
VLANs.
Example:
SwitchDevice(config)# no spanning-tree uplinkfast

Step 4 end Returns to privileged EXEC mode.


Example:

SwitchDevice(config)# end

When UplinkFast is disabled, the switch priorities of all VLANs and path costs of all interfaces are set to
default values if you did not modify them from their defaults.
When you disable the UplinkFast feature using these instructions, CSUF is automatically globally disabled
on nonstack port interfaces.

Enabling BackboneFast
You can enable BackboneFast to detect indirect link failures and to start the spanning-tree reconfiguration
sooner.
You can configure the BackboneFast feature for Rapid PVST+ or for the MSTP, but the feature remains
disabled (inactive) until you change the spanning-tree mode to PVST+.
This procedure is optional. Follow these steps to enable BackboneFast on the switch.

Before you begin


If you use BackboneFast, you must enable it on all switches in the network. BackboneFast is not supported
on Token Ring VLANs. This feature is supported for use with third-party switches.

SUMMARY STEPS
1. enable
2. configure terminal
3. spanning-tree backbonefast

4. end

DETAILED STEPS

Command or Action Purpose


Step 1 enable Enables privileged EXEC mode. Enter your password if
prompted.
Example:

SwitchDevice> enable

Step 2 configure terminal Enters the global configuration mode.


Example:

SwitchDevice# configure terminal

Step 3 spanning-tree backbonefast Enables BackboneFast.


Example:

SwitchDevice(config)# spanning-tree backbonefast

Step 4 end Returns to privileged EXEC mode.


Example:

SwitchDevice(config)# end

Related Topics
BackboneFast, on page 293

Enabling EtherChannel Guard


You can enable EtherChannel guard to detect an EtherChannel misconfiguration if your switch is running
PVST+, Rapid PVST+, or MSTP.
This procedure is optional.
Follow these steps to enable EtherChannel Guard on the switch.

SUMMARY STEPS
1. enable
2. configure terminal
3. spanning-tree etherchannel guard misconfig
4. end

DETAILED STEPS

Command or Action Purpose


Step 1 enable Enables privileged EXEC mode. Enter your password if
prompted.
Example:

SwitchDevice> enable

Step 2 configure terminal Enters the global configuration mode.


Example:

SwitchDevice# configure terminal

Step 3 spanning-tree etherchannel guard misconfig Enables EtherChannel guard.
Example:

SwitchDevice(config)# spanning-tree etherchannel guard misconfig

Step 4 end Returns to privileged EXEC mode.


Example:

SwitchDevice(config)# end

What to do next
You can use the show interfaces status err-disabled privileged EXEC command to show which switch ports
are disabled because of an EtherChannel misconfiguration. On the remote device, you can enter the show
etherchannel summary privileged EXEC command to verify the EtherChannel configuration.
After the configuration is corrected, enter the shutdown and no shutdown interface configuration commands
on the port-channel interfaces that were misconfigured.
Related Topics
EtherChannel Guard, on page 296

Enabling Root Guard


Root guard enabled on an interface applies to all the VLANs to which the interface belongs. Do not enable
the root guard on interfaces to be used by the UplinkFast feature. With UplinkFast, the backup interfaces (in
the blocked state) replace the root port in the case of a failure. However, if root guard is also enabled, all the
backup interfaces used by the UplinkFast feature are placed in the root-inconsistent state (blocked) and are
prevented from reaching the forwarding state.

Note You cannot enable both root guard and loop guard at the same time.

You can enable this feature if your switch is running PVST+, Rapid PVST+, or MSTP.
This procedure is optional.
Follow these steps to enable root guard on the switch.

SUMMARY STEPS
1. enable
2. configure terminal
3. interface interface-id
4. spanning-tree guard root
5. end

DETAILED STEPS

Command or Action Purpose


Step 1 enable Enables privileged EXEC mode. Enter your password if
prompted.
Example:

SwitchDevice> enable

Step 2 configure terminal Enters the global configuration mode.


Example:

SwitchDevice# configure terminal

Step 3 interface interface-id Specifies an interface to configure, and enters interface


configuration mode.
Example:

SwitchDevice(config)# interface
gigabitethernet1/0/2

Step 4 spanning-tree guard root Enables root guard on the interface.


Example: By default, root guard is disabled on all interfaces.

SwitchDevice(config-if)# spanning-tree guard root

Step 5 end Returns to privileged EXEC mode.


Example:

SwitchDevice(config-if)# end

Related Topics
Root Guard, on page 296

Enabling Loop Guard


You can use loop guard to prevent alternate or root ports from becoming designated ports because of a failure
that leads to a unidirectional link. This feature is most effective when it is configured on the entire switched
network. Loop guard operates only on interfaces that are considered point-to-point by the spanning tree.

Note You cannot enable both loop guard and root guard at the same time.

You can enable this feature if your switch is running PVST+, Rapid PVST+, or MSTP.
This procedure is optional. Follow these steps to enable loop guard on the switch.

SUMMARY STEPS
1. Enter one of the following commands:
• show spanning-tree active
• show spanning-tree mst
2. configure terminal
3. spanning-tree loopguard default
4. end

DETAILED STEPS

Command or Action Purpose


Step 1 Enter one of the following commands: Verifies which interfaces are alternate or root ports.
• show spanning-tree active
• show spanning-tree mst
Example:

SwitchDevice# show spanning-tree active

or

SwitchDevice# show spanning-tree mst

Step 2 configure terminal Enters global configuration mode.


Example:

SwitchDevice# configure terminal

Step 3 spanning-tree loopguard default Enables loop guard.
By default, loop guard is disabled.
Example:

SwitchDevice(config)# spanning-tree loopguard default

Step 4 end Returns to privileged EXEC mode.
Example:

SwitchDevice(config)# end

Related Topics
Loop Guard, on page 297

Enabling PortFast Port Types


This section describes the steps to enable the different PortFast port types.
Related Topics
STP PortFast Port Types, on page 297

Configuring the Default Port State Globally


To configure the default PortFast state, perform this task:

SUMMARY STEPS
1. enable
2. configure terminal
3. spanning-tree portfast [edge | network | normal] default
4. end

DETAILED STEPS

Command or Action Purpose


Step 1 enable Enables privileged EXEC mode. Enter your password if
prompted.
Example:

SwitchDevice> enable

Step 2 configure terminal Enters the global configuration mode.


Example:

SwitchDevice# configure terminal

Step 3 spanning-tree portfast [edge | network | normal] default Configures the default state for all interfaces on the switch.
You have these options:
• (Optional) edge—Configures all interfaces as edge ports. This assumes all ports are connected to
hosts/servers.
• (Optional) network—Configures all interfaces as spanning tree network ports. This assumes all ports
are connected to switches and bridges. Bridge Assurance is enabled on all network ports by default.
• (Optional) normal—Configures all interfaces as normal spanning tree ports. These ports can be connected to
any type of device.
• default—The default port type is normal.
Example:

SwitchDevice(config)# spanning-tree portfast default

Step 4 end Returns to privileged EXEC mode.


Example:

SwitchDevice(config)# end

Configuring PortFast Edge on a Specified Interface


Interfaces configured as edge ports immediately transition to the forwarding state, without passing through
the blocking or learning states, on linkup.

Note Because the purpose of this type of port is to minimize the time that access ports must wait for spanning tree
to converge, it is most effective when used on access ports. If you enable PortFast edge on a port connecting
to another switch, you risk creating a spanning tree loop.

To configure an edge port on a specified interface, perform this task:

SUMMARY STEPS
1. enable
2. configure terminal
3. interface interface-id | port-channel port_channel_number
4. spanning-tree portfast edge [trunk]
5. end
6. show running interface interface-id | port-channel port_channel_number

DETAILED STEPS

Command or Action Purpose


Step 1 enable Enables privileged EXEC mode. Enter your password if
prompted.
Example:

SwitchDevice> enable

Step 2 configure terminal Enters the global configuration mode.
Example:

SwitchDevice# configure terminal

Step 3 interface interface-id | port-channel port_channel_number Specifies an interface to configure.
Example:

SwitchDevice(config)# interface gigabitethernet 5/8

Step 4 spanning-tree portfast edge [trunk] Enables edge behavior on a Layer 2 access port connected
to an end workstation or server.
• (Optional) trunk—Enables edge behavior on a trunk port. Use this keyword if the link is a trunk. Use this
command only on ports that are connected to end host devices that terminate VLANs and from which the
port should never receive STP BPDUs. Such end host devices include workstations, servers, and ports on
routers that are not configured to support bridging.
• Use the no version of the command to disable PortFast edge.
Example:

SwitchDevice(config-if)# spanning-tree portfast edge trunk

Step 5 end Exits configuration mode.


Example:

SwitchDevice(config-if)# end

Step 6 show running interface interface-id | port-channel port_channel_number Verifies the configuration.
Example:

SwitchDevice# show running interface gigabitethernet 5/8

Configuring a PortFast Network Port on a Specified Interface


Ports that are connected to Layer 2 switches and bridges can be configured as network ports.

Note Bridge Assurance is enabled only on PortFast network ports. For more information, refer to Bridge Assurance.

To configure a port as a network port, perform this task.

SUMMARY STEPS
1. enable
2. configure terminal
3. interface interface-id | port-channel port_channel_number
4. spanning-tree portfast network
5. end
6. show running interface interface-id | port-channel port_channel_number

DETAILED STEPS

Command or Action Purpose


Step 1 enable Enables privileged EXEC mode. Enter your password if
prompted.
Example:

SwitchDevice> enable

Step 2 configure terminal Enters the global configuration mode.


Example:

SwitchDevice# configure terminal

Step 3 interface interface-id | port-channel port_channel_number Specifies an interface to configure.
Example:

SwitchDevice(config)# interface gigabitethernet 5/8

Step 4 spanning-tree portfast network Configures the port as a spanning tree network port, for a Layer 2
port connected to a switch or bridge. If you have enabled Bridge Assurance globally, it automatically
runs on a spanning tree network port.
• Use the no version of the command to disable PortFast.
Example:

SwitchDevice(config-if)# spanning-tree portfast network

Step 5 end Exits configuration mode.


Example:

SwitchDevice(config-if)# end

Step 6 show running interface interface-id | port-channel port_channel_number Verifies the configuration.
Example:

SwitchDevice# show running interface gigabitethernet 5/8

Enabling Bridge Assurance


To configure Bridge Assurance, perform the steps given below:

SUMMARY STEPS
1. enable
2. configure terminal
3. spanning-tree bridge assurance
4. end
5. show spanning-tree summary

DETAILED STEPS

Command or Action Purpose


Step 1 enable Enables privileged EXEC mode. Enter your password if
prompted.
Example:

SwitchDevice> enable

Step 2 configure terminal Enters the global configuration mode.


Example:

SwitchDevice# configure terminal

Step 3 spanning-tree bridge assurance Enables Bridge Assurance on all network ports on the switch.
Bridge Assurance is enabled by default.
Use the no version of the command to disable the feature. Disabling Bridge Assurance causes all configured
network ports to behave as normal spanning tree ports.
Example:

SwitchDevice(config)# spanning-tree bridge assurance

Step 4 end Returns to privileged EXEC mode.


Example:

SwitchDevice(config)# end

Step 5 show spanning-tree summary Displays spanning tree information and shows if Bridge
Assurance is enabled.
Example:

SwitchDevice# show spanning-tree summary

Related Topics
Bridge Assurance, on page 298

Examples
Examples: Configuring PortFast Edge on a Specified Interface
This example shows how to enable edge behavior on GigabitEthernet interface 5/8:
Switch# configure terminal
Switch(config)# interface gigabitethernet 5/8
Switch(config-if)# spanning-tree portfast edge
Switch(config-if)# end
Switch#

This example shows how to verify the configuration:


Switch# show running-config interface gigabitethernet 5/8
Building configuration...
Current configuration:
!
interface GigabitEthernet5/8
no ip address
switchport
switchport access vlan 200
switchport mode access
spanning-tree portfast edge
end

This example shows how you can display that port GigabitEthernet 5/8 is currently in the edge state:
Switch# show spanning-tree vlan 200
VLAN0200
Spanning tree enabled protocol rstp
Root ID Priority 2
Address 001b.2a68.5fc0
Cost 3
Port 125 (GigabitEthernet5/9)
Hello Time 2 sec Max Age 20 sec Forward Delay 15 sec
Bridge ID Priority 2 (priority 0 sys-id-ext 2)
Address 7010.5c9c.5200
Hello Time 2 sec Max Age 20 sec Forward Delay 15 sec
Aging Time 0 sec
Interface Role Sts Cost Prio.Nbr Type
------------------- ---- --- --------- -------- --------------------------------
Gi5/8 Desg FWD 4 128.1 P2p Edge

Examples: Configuring a PortFast Network Port on a Specified Interface


This example shows how to configure GigabitEthernet interface 5/8 as a network port:
Switch# configure terminal
Switch(config)# interface gigabitethernet 5/8
Switch(config-if)# spanning-tree portfast network
Switch(config-if)# end
Switch#

This example shows how to verify the configuration:


Switch# show running-config interface gigabitethernet 5/8
Building configuration...
Current configuration:
!
interface GigabitEthernet5/8
no ip address
switchport
switchport access vlan 200
switchport mode access
spanning-tree portfast network
end

This example shows the output for show spanning-tree vlan:

Switch# show spanning-tree vlan
Sep 17 09:51:36.370 PDT: %SYS-5-CONFIG_I: Configured from console by console2

VLAN0002
Spanning tree enabled protocol rstp
Root ID Priority 2
Address 7010.5c9c.5200
This bridge is the root
Hello Time 2 sec Max Age 20 sec Forward Delay 15 sec

Bridge ID Priority 2 (priority 0 sys-id-ext 2)
Address 7010.5c9c.5200
Hello Time 2 sec Max Age 20 sec Forward Delay 15 sec
Aging Time 0 sec

Interface Role Sts Cost Prio.Nbr Type
------------------- ---- --- --------- -------- --------------------------------
Gi1/0/1 Desg FWD 4 128.1 P2p Edge
Po4 Desg FWD 3 128.480 P2p Network
Gi4/0/1 Desg FWD 4 128.169 P2p Edge
Gi4/0/47 Desg FWD 4 128.215 P2p Network

Switch#

Example: Configuring Bridge Assurance


This output shows port GigabitEthernet 5/8 has been configured as a network port and it is currently in the
Bridge Assurance inconsistent state.

Note The output shows the port type as network and *BA_Inc, indicating that the port is in an inconsistent state.

Switch# show spanning-tree

VLAN0010
Spanning tree enabled protocol rstp
Root ID Priority 32778
Address 0002.172c.f400
This bridge is the root
Hello Time 2 sec Max Age 20 sec Forward Delay 15 sec

Bridge ID Priority 32778 (priority 32768 sys-id-ext 10)
Address 0002.172c.f400
Hello Time 2 sec Max Age 20 sec Forward Delay 15 sec
Aging Time 300

Interface Role Sts Cost Prio.Nbr Type
---------------- ---- --- --------- -------- --------------------------------
Gi5/8 Desg BKN*4 128.270 Network, P2p *BA_Inc
This example shows the output for show spanning-tree summary:

Switch# show spanning-tree summary
Switch is in rapid-pvst mode
Root bridge for: VLAN0001-VLAN0002, VLAN0128
EtherChannel misconfig guard is enabled
Extended system ID is enabled
Portfast Default is network
Portfast Edge BPDU Guard Default is disabled
Portfast Edge BPDU Filter Default is disabled
Loopguard Default is enabled
PVST Simulation Default is enabled but inactive in rapid-pvst mode
Bridge Assurance is enabled
UplinkFast is disabled
BackboneFast is disabled
Configured Pathcost method used is short

Name Blocking Listening Learning Forwarding STP Active
---------------------- -------- --------- -------- ---------- ----------
VLAN0001 0 0 0 5 5
VLAN0002 0 0 0 4 4
VLAN0128 0 0 0 4 4
---------------------- -------- --------- -------- ---------- ----------
3 vlans 0 0 0 13 13

Switch#
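The BKN* status and the *BA_Inc marker in the output above are what an operator sees once Bridge Assurance has blocked a port; root guard and loop guard hold ports in the same BKN* status with their own markers. The following Python script is an added example and is not part of the Cisco guide: it parses the interface table of show spanning-tree output in the layout shown above, tolerates the BKN*4 run-together of the Sts and Cost columns, and lists inconsistent ports with their reason as well as the ports currently of type Network. The sample output is constructed to match the guide's format and is not a capture; the *ROOT_Inc marker for a root-guard-blocked port is assumed from root guard's behaviour and does not appear in this chapter's output.

```python
import re

# One row of the interface table printed by "show spanning-tree". The Sts column is
# three characters wide, so an inconsistent port prints as "BKN*" with the cost running
# straight on ("BKN*4"); \s* after the status tolerates the missing space.
ROW_RE = re.compile(
    r"^(?P<intf>\S+)\s+(?P<role>Desg|Root|Altn|Back|Mstr)\s+"
    r"(?P<sts>FWD|BLK|LRN|LIS|BKN\*?)\s*(?P<cost>\d+)\s+"
    r"(?P<prio>\d+\.\d+)\s+(?P<type>.+?)\s*$"
)
# Section header that starts each spanning-tree instance (per-VLAN in Rapid PVST+, MSTn in MST).
VLAN_RE = re.compile(r"^(VLAN\d{4}|MST\d+)$")
# Inconsistency markers such as *BA_Inc (Bridge Assurance) or *ROOT_Inc (root guard, assumed).
INC_RE = re.compile(r"\*[A-Za-z]+_Inc")

# Constructed sample in the guide's output layout (not a real capture).
SAMPLE_OUTPUT = """\
VLAN0010
  Spanning tree enabled protocol rstp
  Root ID    Priority    32778
             Address     0002.172c.f400
             This bridge is the root
             Hello Time   2 sec  Max Age 20 sec  Forward Delay 15 sec

  Bridge ID  Priority    32778  (priority 32768 sys-id-ext 10)
             Address     0002.172c.f400
             Hello Time   2 sec  Max Age 20 sec  Forward Delay 15 sec
             Aging Time  300 sec

Interface           Role Sts Cost      Prio.Nbr Type
------------------- ---- --- --------- -------- --------------------------------
Gi5/8               Desg BKN*4         128.270  Network, P2p *BA_Inc
Gi5/9               Desg FWD 4         128.271  P2p Edge
Po4                 Desg FWD 3         128.480  P2p Network
Gi5/10              Desg BKN*4         128.272  P2p *ROOT_Inc

VLAN0020
  Spanning tree enabled protocol rstp

Interface           Role Sts Cost      Prio.Nbr Type
------------------- ---- --- --------- -------- --------------------------------
Gi5/9               Root FWD 4         128.271  P2p
"""


def parse_stp_ports(text):
    """Return one dict (vlan, intf, role, sts, cost, prio, type) per interface row."""
    rows, vlan = [], None
    for line in text.splitlines():
        if VLAN_RE.match(line.strip()):
            vlan = line.strip()
            continue
        m = ROW_RE.match(line)
        if m:
            rows.append({"vlan": vlan, **m.groupdict()})
    return rows


def inconsistent_ports(text):
    """(vlan, intf, reason) for every port spanning tree is holding in a BKN state."""
    out = []
    for r in parse_stp_ports(text):
        if r["sts"].startswith("BKN"):
            inc = INC_RE.search(r["type"])
            out.append((r["vlan"], r["intf"], inc.group(0) if inc else "unknown"))
    return out


def network_ports(text):
    """Interfaces typed as spanning tree network ports, i.e. where Bridge Assurance runs."""
    return [r["intf"] for r in parse_stp_ports(text) if "Network" in r["type"]]


if __name__ == "__main__":
    for vlan, intf, reason in inconsistent_ports(SAMPLE_OUTPUT):
        print(f"{vlan} {intf}: blocked, {reason}")
    print("network ports:", ", ".join(network_ports(SAMPLE_OUTPUT)))
```

Because the parser keys rows by the instance header, a port blocked in one VLAN but forwarding in another shows up once per instance, which is the granularity at which Bridge Assurance and the guards act.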

Monitoring the Spanning-Tree Status


Table 32: Commands for Monitoring the Spanning-Tree Status

Command Purpose
show spanning-tree active Displays spanning-tree information on active
interfaces only.

show spanning-tree detail Displays a detailed summary of interface information.

show spanning-tree interface interface-id Displays spanning-tree information for the specified
interface.

show spanning-tree mst interface interface-id Displays MST information for the specified interface.

show spanning-tree summary [totals] Displays a summary of interface states or displays the
total lines of the spanning-tree state section.

CHAPTER 17
Configuring Bidirectional Forwarding Detection
• Finding Feature Information, on page 321
• Prerequisites for Bidirectional Forwarding Detection, on page 321
• Restrictions for Bidirectional Forwarding Detection, on page 322
• Information About Bidirectional Forwarding Detection, on page 322
• How to Configure Bidirectional Forwarding Detection, on page 326
• Configuration Examples for Bidirectional Forwarding Detection, on page 339

Finding Feature Information


Your software release may not support all the features documented in this module. For the latest caveats and
feature information, see Bug Search Tool and the release notes for your platform and software release. To
find information about the features documented in this module, and to see a list of the releases in which each
feature is supported, see the feature information table at the end of this module.
Use Cisco Feature Navigator to find information about platform support and Cisco software image support.
To access Cisco Feature Navigator, go to http://www.cisco.com/go/cfn. An account on Cisco.com is not
required.

Prerequisites for Bidirectional Forwarding Detection


Prerequisites for BFD include:
• The switch’s feature set is IP Base or higher. The IP Base feature set supports only EIGRP stub routing,
without BFD. The IP service feature set supports EIGRP with BFD.
• IP routing must be enabled on all participating switches.
• One of the IP routing protocols supported by BFD must be configured on the switches before BFD is
deployed. You should implement fast convergence for the routing protocol that you plan to use. See the
IP routing documentation for your version of Cisco IOS software for information on configuring fast
convergence.


Restrictions for Bidirectional Forwarding Detection


Restrictions for BFD include:
• BFD works only for directly connected neighbors. BFD neighbors must be no more than one IP hop
away. Multihop configurations are not supported.
• The switch supports up to 100 BFD sessions with a minimum hello interval of 100 ms and a multiplier
of 3. The multiplier specifies the minimum number of consecutive packets that can be missed before a
session is declared down.
• To enable echo mode, the peer system must be configured with the no ip redirects command.

Information About Bidirectional Forwarding Detection


BFD Operation
BFD provides a low-overhead, short-duration method of detecting failures in the forwarding path between
two adjacent routers, including the interfaces, data links, and forwarding planes.
BFD is a detection protocol that you enable at the interface and routing protocol levels. Cisco supports the
BFD asynchronous mode, which depends on the sending of BFD control packets between two systems to
activate and maintain BFD neighbor sessions between routers. Therefore, in order for a BFD session to be
created, you must configure BFD on both systems (or BFD peers). Once BFD has been enabled on the interfaces
and at the router level for the appropriate routing protocols, a BFD session is created, BFD timers are negotiated,
and the BFD peers will begin to send BFD control packets to each other at the negotiated interval.
Cisco supports BFD echo mode. Echo packets are sent by the forwarding engine and are forwarded back along
the same path to perform detection. The BFD session at the other end does not participate in the actual
forwarding of the echo packets.
Related Topics
Configuring BFD Echo Mode, on page 336
Configuring BFD Session Parameters on the Interface, on page 326
Monitoring and Troubleshooting BFD, on page 338

Neighbor Relationships
BFD provides fast BFD peer failure detection times independently of all media types, encapsulations, topologies,
and the routing protocols BGP, EIGRP, IS-IS, and OSPF. By sending rapid failure detection notices to the routing
protocols in the local router to initiate the routing table recalculation process, BFD contributes to greatly
reduced overall network convergence time. The figure below shows a simple network with two routers running
OSPF and BFD. When OSPF discovers a neighbor (1) it sends a request to the local BFD process to initiate
a BFD neighbor session with the OSPF neighbor router (2). The BFD neighbor session with the OSPF neighbor
router is established (3).


Figure 32: Establishing a BFD Neighbor Relationship

The figure below shows what happens when a failure occurs in the network (1). The BFD neighbor session
with the OSPF neighbor router is torn down (2). BFD notifies the local OSPF process that the BFD neighbor
is no longer reachable (3). The local OSPF process tears down the OSPF neighbor relationship (4). If an
alternative path is available, the routers will immediately start converging on it.
Figure 33: Tearing Down an OSPF Neighbor Relationship

A routing protocol needs to register with BFD for every neighbor it acquires. Once a neighbor is registered,
BFD initiates a session with the neighbor if a session does not already exist.
OSPF registers with BFD when:
• A neighbor finite state machine (FSM) transitions to full state.
• Both OSPF BFD and BFD are enabled.

On broadcast interfaces, OSPF establishes a BFD session only with the designated router (DR) and backup
designated router (BDR), but not between any two routers in DROTHER state.

BFD Detection of Failures


Once a BFD session has been established and timer negotiations are complete, BFD peers send BFD control
packets that act in the same manner as an IGP hello protocol to detect liveness, except at a more accelerated
rate. The following information should be noted:
• BFD is a forwarding path failure detection protocol. BFD detects a failure, but the routing protocol must
take action to bypass a failed peer.
• Typically, BFD can be used at any protocol layer. However, the Cisco implementation of BFD
supports only Layer 3 clients, in particular the BGP, EIGRP, and OSPF routing protocols, and static
routing.

• Cisco devices will use one BFD session for multiple client protocols in the Cisco implementation of
BFD. For example, if a network is running OSPF and EIGRP across the same link to the same peer, only
one BFD session will be established, and BFD will share session information with both routing protocols.
However, IPv4 and IPv6 clients cannot share a BFD session.


BFD Version Interoperability


The switch supports BFD Version 1 as well as BFD Version 0. All BFD sessions come up as Version 1 by
default and will be interoperable with Version 0. The system automatically performs BFD version detection,
and BFD sessions between neighbors will run in the highest common BFD version between neighbors. For
example, if one BFD neighbor is running BFD Version 0 and the other BFD neighbor is running Version 1,
the session will run BFD Version 0. The output from the show bfd neighbors [details] command will verify
which BFD version a BFD neighbor is running.
See the Example Configuring BFD in an EIGRP Network with Echo Mode Enabled by Default for an example
of BFD version detection.
Related Topics
Example: Configuring BFD in an EIGRP Network with Echo Mode Enabled by Default, on page 339
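The session setup, timer negotiation and version selection described under BFD Operation, BFD Detection of Failures and BFD Version Interoperability, modelled in Python as an added example (not Cisco code): it encodes and decodes the mandatory BFD control packet header (RFC 5880 layout), derives the transmit interval and detection time from what a peer advertises, and applies the guide's rule that a session runs at the highest BFD version common to both neighbors. Peer names, discriminators and the Version 0 neighbor's timers are constructed sample values.

```python
import struct
from dataclasses import dataclass

# Mandatory BFD control packet header (RFC 5880 section 4.1), 24 bytes:
#   byte 0: Vers (3 bits) | Diag (5 bits);  byte 1: Sta (2 bits) | P F C A D M flags
#   byte 2: Detect Mult;  byte 3: Length;  then My Disc, Your Disc, Desired Min TX,
#   Required Min RX, Required Min Echo RX (32-bit each, intervals in microseconds).
_HDR = struct.Struct("!BBBBIIIII")
MANDATORY_LEN = _HDR.size  # 24 without the optional authentication section
STATE_DOWN, STATE_INIT, STATE_UP = 1, 2, 3


@dataclass(frozen=True)
class ControlPacket:
    version: int
    state: int
    detect_mult: int
    my_disc: int
    your_disc: int
    desired_min_tx_us: int
    required_min_rx_us: int
    diag: int = 0
    flags: int = 0
    required_min_echo_rx_us: int = 0

    def encode(self) -> bytes:
        return _HDR.pack(
            (self.version & 0x7) << 5 | (self.diag & 0x1F),
            (self.state & 0x3) << 6 | (self.flags & 0x3F),
            self.detect_mult, MANDATORY_LEN,
            self.my_disc, self.your_disc, self.desired_min_tx_us,
            self.required_min_rx_us, self.required_min_echo_rx_us)

    @classmethod
    def decode(cls, data: bytes) -> "ControlPacket":
        # Receive checks from RFC 5880 section 6.8.6; a failing packet is discarded.
        if len(data) < MANDATORY_LEN:
            raise ValueError("shorter than the mandatory header")
        vd, sf, mult, length, my, your, tx, rx, echo = _HDR.unpack_from(data)
        if not MANDATORY_LEN <= length <= len(data):
            raise ValueError("bad Length field")
        if mult == 0 or my == 0:
            raise ValueError("Detect Mult and My Discriminator must be non-zero")
        return cls(version=vd >> 5, diag=vd & 0x1F, state=sf >> 6, flags=sf & 0x3F,
                   detect_mult=mult, my_disc=my, your_disc=your,
                   desired_min_tx_us=tx, required_min_rx_us=rx,
                   required_min_echo_rx_us=echo)


def accepts(data: bytes) -> bool:
    """True if a receiver would accept this packet rather than discard it."""
    try:
        ControlPacket.decode(data)
        return True
    except ValueError:
        return False


@dataclass(frozen=True)
class PeerConfig:
    """Mirrors 'bfd interval <tx> min_rx <rx> multiplier <m>' (milliseconds)."""
    version: int
    interval_ms: int
    min_rx_ms: int
    multiplier: int


def first_packet(cfg: PeerConfig, my_disc: int) -> ControlPacket:
    # Until the peer is heard, a system advertises Down with Your Discriminator 0.
    return ControlPacket(version=cfg.version, state=STATE_DOWN,
                         detect_mult=cfg.multiplier, my_disc=my_disc, your_disc=0,
                         desired_min_tx_us=cfg.interval_ms * 1000,
                         required_min_rx_us=cfg.min_rx_ms * 1000)


def negotiate(local: PeerConfig, remote: ControlPacket) -> dict:
    """Asynchronous-mode timers as the local system derives them (RFC 5880 6.8.7)."""
    # We may not send faster than the peer is willing to receive.
    tx_us = max(local.interval_ms * 1000, remote.required_min_rx_us)
    # The peer sends at max(our Required Min RX, its Desired Min TX); missing
    # Detect Mult consecutive packets at that rate declares the session down.
    remote_tx_us = max(local.min_rx_ms * 1000, remote.desired_min_tx_us)
    return {
        "tx_interval_ms": tx_us // 1000,
        "detection_time_ms": remote.detect_mult * remote_tx_us // 1000,
        # Guide: neighbors run the highest common version, so v1 facing v0 runs v0.
        "version": min(local.version, remote.version),
    }


def session_setup_demo() -> dict:
    """Constructed peers: A uses the chapter's 'bfd interval 50 min_rx 50 multiplier 5',
    B is a Version 0 neighbor at the platform minimum of 100 ms with multiplier 3."""
    a = PeerConfig(version=1, interval_ms=50, min_rx_ms=50, multiplier=5)
    b = PeerConfig(version=0, interval_ms=100, min_rx_ms=100, multiplier=3)
    wire_a_to_b = first_packet(a, my_disc=0x1001).encode()
    wire_b_to_a = first_packet(b, my_disc=0x2002).encode()
    return {"A": negotiate(a, ControlPacket.decode(wire_b_to_a)),
            "B": negotiate(b, ControlPacket.decode(wire_a_to_b))}
```

A ends up sending every 100 ms (B cannot receive faster) and declares B down after 3 × 100 ms, while B declares A down after 5 × 100 ms: each side's detection time is set by the other side's multiplier.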

BFD Session Limits


The maximum number of BFD sessions that can be created varies with the “hello” interval. With “hello”
intervals of 100 ms, 100 sessions are permitted. More sessions are permitted at larger hello intervals. For a
VLAN interface, the minimum “hello” interval is 600 ms.

BFD Support for Nonbroadcast Media Interfaces


The BFD feature is supported on VLAN interfaces on the switch.
The bfd interval command must be configured on the interface to initiate BFD monitoring.

BFD Support for Nonstop Forwarding with Stateful Switchover


Typically, when a networking device restarts, all routing peers of that device detect that the device went down
and then came back up. This transition results in a routing flap, which could spread across multiple routing
domains. Routing flaps caused by routing restarts create routing instabilities, which are detrimental to the
overall network performance. Nonstop forwarding (NSF) helps to suppress routing flaps in devices that are
enabled with stateful switchover (SSO), thereby reducing network instability.
NSF allows for the forwarding of data packets to continue along known routes while the routing protocol
information is being restored after a switchover. With NSF, peer networking devices do not experience routing
flaps. Data traffic is forwarded through intelligent line cards or dual forwarding processors while the standby
RP assumes control from the failed active RP during a switchover. The ability of line cards and forwarding
processors to remain up through a switchover and to be kept current with the Forwarding Information Base
(FIB) on the active RP is key to NSF operation.
In devices that support dual RPs, SSO establishes one RP as the active processor and the other as the standby
processor, and then synchronizes information between them. A switchover from the active to the standby
processor occurs when the active RP fails, when it is removed from the networking device, or when it is
manually taken down for maintenance.

BFD Support for Stateful Switchover


The BFD protocol provides short-duration detection of failures in the path between adjacent forwarding
engines. In network deployments that use dual RP switches (to provide redundancy), the switches have a
graceful restart mechanism that protects the forwarding state during a switchover between the active RP and
the standby RP.


Stateful BFD on the Standby RP


To ensure a successful switchover to the standby RP, the BFD protocol uses checkpoint messages to send
session information from the active RP Cisco IOS instance to the standby RP Cisco IOS instance. The session
information includes local and remote discriminators, adjacent router timer information, BFD setup information,
and session-specific information such as the type of session and the session version. In addition, the BFD
protocol sends session creation and deletion checkpoint messages to create or delete a session on the standby
RP.
The BFD sessions on the standby RP do not receive or send packets and do not process expired timers. These
sessions wait for a switchover to occur and then send packets for any active sessions so that sessions do not
time out on adjacent switches.
When the BFD protocol on the standby RP is notified of a switchover it changes its state to active, registers
itself with Cisco Express Forwarding so that it can receive packets, and then sends packets for any elements
that have expired.
BFD also uses checkpoint messages to ensure that sessions created by clients on the active RP are maintained
during a switchover. When a switchover occurs, BFD starts an SSO reclaim timer. Clients must reclaim their
sessions within the duration specified by the reclaim timer or else the session is deleted.
Timer values are different based on the number of BFD sessions and the platform.

Table 33: BFD Timer Values on the switch

Maximum Number of BFD Sessions  BFD Session Type  Minimum Timer Value (ms)  Clients  Comments
100                             Async/echo        100, multiplier 3         All      A multiple of 5 is recommended for SSO switches.

BFD Support for Static Routing


Unlike dynamic routing protocols, such as OSPF and BGP, static routing has no method of peer discovery.
Therefore, when BFD is configured, the reachability of the gateway is completely dependent on the state of
the BFD session to the specified neighbor. Unless the BFD session is up, the gateway for the static route is
considered unreachable, and therefore the affected routes will not be installed in the appropriate Routing
Information Base (RIB).
For a BFD session to be successfully established, BFD must be configured on the interface on the peer and
there must be a BFD client registered on the peer for the address of the BFD neighbor. When an interface is
used by dynamic routing protocols, the latter requirement is usually met by configuring the routing protocol
instances on each neighbor for BFD. When an interface is used exclusively for static routing, this requirement
must be met by configuring static routes on the peers.
If the BFD configuration is removed from the remote peer while the BFD session is in the up state, the updated
state of the BFD session is not signaled to the static route. This causes the static route to remain in the
RIB. The only workaround is to remove the IPv4 static BFD neighbor configuration so that the static route
no longer tracks BFD session state.
Related Topics
Example: Configuring BFD Support for Static Routing, on page 348


Benefits of Using BFD for Failure Detection


When you deploy any feature, it is important to consider all the alternatives and be aware of any trade-offs
being made.
The closest alternative to BFD in conventional EIGRP, BGP, and OSPF deployments is the use of modified
failure detection mechanisms for EIGRP, BGP, and OSPF routing protocols.
If you set EIGRP hello and hold timers to their absolute minimums, the failure detection rate for EIGRP falls
to within a one- to two-second range.
If you use fast hellos for either BGP or OSPF, these Interior Gateway Protocol (IGP) protocols reduce their
failure detection mechanisms to a minimum of one second.
There are several advantages to implementing BFD over reduced timer mechanisms for routing protocols:
• Although reducing the EIGRP, BGP, and OSPF timers can result in a minimum detection time of one to
two seconds, BFD can provide failure detection in less than one second.
• Because BFD is not tied to any particular routing protocol, it can be used as a generic and consistent
failure detection mechanism for EIGRP, BGP, and OSPF.
• Because some parts of BFD can be distributed to the data plane, it can be less CPU-intensive than the
reduced EIGRP, BGP, and OSPF timers, which exist wholly at the control plane.

How to Configure Bidirectional Forwarding Detection


You start a BFD process by configuring BFD on the interface. When the BFD process is started, no entries
are created in the adjacency database; in other words, no BFD control packets are sent or received. BFD echo
mode is supported in BFD Version 1; when it is enabled, BFD echo packets are sent and received in addition
to BFD control packets. The adjacency is created once you have configured BFD support for the applicable
routing protocols.

Configuring BFD Session Parameters on the Interface


The steps in this procedure show how to configure BFD on the interface by setting the baseline BFD session
parameters on an interface. Repeat the steps in this procedure for each interface over which you want to run
BFD sessions to BFD neighbors.

SUMMARY STEPS
1. enable
2. configure terminal
3. interface type number
4. bfd interval milliseconds min_rx milliseconds multiplier interval-multiplier


DETAILED STEPS

Step 1  enable
        Enables privileged EXEC mode. Enter your password if prompted.
        Example:
        Switch> enable

Step 2  configure terminal
        Enters global configuration mode.
        Example:
        Switch# configure terminal

Step 3  interface type number
        Specifies an interface type and number, and places the device in interface configuration mode.
        Example:
        Switch(config)# interface GigabitEthernet 6/1

Step 4  bfd interval milliseconds min_rx milliseconds multiplier interval-multiplier
        Enables BFD on the interface. Disabling BFD echo mode (no bfd echo) enables hardware offload.
        Example:
        Switch(config-if)# bfd interval 50 min_rx 50 multiplier 5
        Switch(config-if)# no bfd echo

Related Topics
Configuring BFD Echo Mode, on page 336
Configuring BFD Support for EIGRP, on page 329
Configuring BFD Support for BGP, on page 327
BFD Operation, on page 322
Configuring BFD Support for OSPF, on page 331
Configuring BFD Support for OSPF for One or More Interfaces, on page 333
Monitoring and Troubleshooting BFD, on page 338
Configuring BFD Support for OSPF for All Interfaces, on page 331

Configuring BFD Support for Dynamic Routing Protocols


You can enable BFD support for dynamic routing protocols at the router level, which enables BFD globally
for all interfaces, or you can configure BFD on a per-interface basis at the interface level.

Configuring BFD Support for BGP


This section describes the procedure for configuring BFD support for BGP so that BGP is a registered protocol
with BFD and will receive forwarding path detection failure messages from BFD.


Before you begin


BGP must be running on all participating switches.
The baseline parameters for BFD sessions on the interfaces over which you want to run BFD sessions to BFD
neighbors must be configured. See the Configuring BFD Session Parameters on the Interface section for more
information.

Note Output from the show bfd neighbors details command shows the configured intervals. The output does not
show intervals that were changed because hardware-offloaded BFD sessions were configured with Tx and
Rx intervals that are not multiples of 50 ms.

SUMMARY STEPS
1. enable
2. configure terminal
3. router bgp as-tag
4. neighbor ip-address fall-over bfd
5. end
6. show bfd neighbors [details]
7. show ip bgp neighbor

DETAILED STEPS

Step 1  enable
        Enables privileged EXEC mode. Enter your password if prompted.
        Example:
        Switch> enable

Step 2  configure terminal
        Enters global configuration mode.
        Example:
        Switch# configure terminal

Step 3  router bgp as-tag
        Specifies a BGP process and enters router configuration mode.
        Example:
        Switch(config)# router bgp tag1

Step 4  neighbor ip-address fall-over bfd
        Enables BFD support for fallover.
        Example:
        Switch(config-router)# neighbor 172.16.10.2 fall-over bfd

Step 5  end
        Exits router configuration mode and returns the router to privileged EXEC mode.
        Example:
        Switch(config-router)# end

Step 6  show bfd neighbors [details]
        (Optional) Verifies that the BFD neighbor is active and displays the routing protocols that BFD has registered.
        Example:
        Switch# show bfd neighbors detail

Step 7  show ip bgp neighbor
        (Optional) Displays information about BGP and TCP connections to neighbors.
        Example:
        Switch# show ip bgp neighbor

Related Topics
Configuring BFD Session Parameters on the Interface, on page 326
Monitoring and Troubleshooting BFD, on page 338
Configuring BFD Support for OSPF for All Interfaces, on page 331

Configuring BFD Support for EIGRP


This section describes the procedure for configuring BFD support for EIGRP so that EIGRP is a registered
protocol with BFD and will receive forwarding path detection failure messages from BFD. There are two
methods for enabling BFD support for EIGRP:
• You can enable BFD for all of the interfaces for which EIGRP is routing by using the bfd all-interfaces
command in router configuration mode.
• You can enable BFD for a subset of the interfaces for which EIGRP is routing by using the bfd interface
type number command in router configuration mode.

Before you begin


EIGRP must be running on all participating switches.
The baseline parameters for BFD sessions on the interfaces over which you want to run BFD sessions to BFD
neighbors must be configured. For more information, see the “Configuring BFD Session Parameters on the
Interface” section.

SUMMARY STEPS
1. enable
2. configure terminal
3. router eigrp as-number
4. Do one of the following:
• bfd all-interfaces
• bfd interface type number


5. end
6. show bfd neighbors [details]
7. show ip eigrp interfaces [type number] [as-number] [detail]

DETAILED STEPS

Step 1  enable
        Enables privileged EXEC mode. Enter your password if prompted.
        Example:
        Switch> enable

Step 2  configure terminal
        Enters global configuration mode.
        Example:
        Switch# configure terminal

Step 3  router eigrp as-number
        Configures the EIGRP routing process and enters router configuration mode.
        Example:
        Switch(config)# router eigrp 123

Step 4  Do one of the following:
        • bfd all-interfaces
        • bfd interface type number
        Enables BFD globally on all interfaces associated with the EIGRP routing process, or enables BFD on a
        per-interface basis for one or more interfaces associated with the EIGRP routing process.
        Example:
        Switch(config-router)# bfd all-interfaces
        Example:
        Switch(config-router)# bfd interface FastEthernet 6/1

Step 5  end
        Exits router configuration mode and returns the router to privileged EXEC mode.
        Example:
        Switch(config-router)# end

Step 6  show bfd neighbors [details]
        (Optional) Verifies that the BFD neighbor is active and displays the routing protocols that BFD has registered.
        Example:
        Switch# show bfd neighbors details

Step 7  show ip eigrp interfaces [type number] [as-number] [detail]
        (Optional) Displays the interfaces for which BFD support for EIGRP has been enabled.
        Example:
        Switch# show ip eigrp interfaces detail


Related Topics
Configuring BFD Support for OSPF, on page 331
Configuring BFD Session Parameters on the Interface, on page 326
Monitoring and Troubleshooting BFD, on page 338
Configuring BFD Support for OSPF for All Interfaces, on page 331

Configuring BFD Support for OSPF


This section describes the procedures for configuring BFD support for OSPF so that OSPF is a registered
protocol with BFD and will receive forwarding path detection failure messages from BFD. You can either
configure BFD support for OSPF globally on all interfaces or configure it selectively on one or more interfaces.
There are two methods for enabling BFD support for OSPF:
• You can enable BFD for all of the interfaces for which OSPF is routing by using the bfd all-interfaces
command in router configuration mode. You can disable BFD support on individual interfaces using the
ip ospf bfd [disable] command in interface configuration mode.
• You can enable BFD for a subset of the interfaces for which OSPF is routing by using the ip ospf bfd
command in interface configuration mode.

See the following sections for tasks for configuring BFD support for OSPF:
Related Topics
Configuring BFD Support for EIGRP, on page 329
Configuring BFD Session Parameters on the Interface, on page 326
Monitoring and Troubleshooting BFD, on page 338
Configuring BFD Support for OSPF for All Interfaces, on page 331

Configuring BFD Support for OSPF for All Interfaces


To configure BFD for all OSPF interfaces, perform the steps in this section.
If you do not want to configure BFD on all OSPF interfaces and would rather configure BFD support specifically
for one or more interfaces, see the Configuring BFD Support for OSPF for One or More Interfaces section.

Before you begin


OSPF must be running on all participating switches.
The baseline parameters for BFD sessions on the interfaces over which you want to run BFD sessions to BFD
neighbors must be configured. For more information, see the “Configuring BFD Session Parameters on the
Interface” section.

SUMMARY STEPS
1. enable
2. configure terminal
3. router ospf process-id
4. bfd all-interfaces
5. end
6. show bfd neighbors [details]


7. show ip ospf

DETAILED STEPS

Step 1  enable
        Enables privileged EXEC mode. Enter your password if prompted.
        Example:
        Switch> enable

Step 2  configure terminal
        Enters global configuration mode.
        Example:
        Switch# configure terminal

Step 3  router ospf process-id
        Specifies an OSPF process and enters router configuration mode.
        Example:
        Switch(config)# router ospf 4

Step 4  bfd all-interfaces
        Enables BFD globally on all interfaces associated with the OSPF routing process.
        Example:
        Switch(config-router)# bfd all-interfaces

Step 5  end
        Exits router configuration mode and returns the device to privileged EXEC mode.
        Example:
        Switch(config-router)# end

Step 6  show bfd neighbors [details]
        (Optional) Displays information that can help verify if the BFD neighbor is active and displays the
        routing protocols that BFD has registered.
        Example:
        Switch# show bfd neighbors detail

Step 7  show ip ospf
        (Optional) Displays information that can help verify if BFD for OSPF has been enabled.
        Example:
        Switch# show ip ospf

Related Topics
Configuring BFD Support for OSPF, on page 331
Configuring BFD Session Parameters on the Interface, on page 326
Configuring BFD Support for EIGRP, on page 329
Configuring BFD Support for BGP, on page 327
Configuring BFD Support for OSPF for One or More Interfaces, on page 333


Configuring BFD Support for OSPF for One or More Interfaces


To configure BFD for one or more OSPF interfaces, perform the steps in this section.
If you want to configure BFD on all OSPF interfaces instead, see the Configuring BFD Support for OSPF for
All Interfaces section.

Before you begin


OSPF must be running on all participating switches.
The baseline parameters for BFD sessions on the interfaces over which you want to run BFD sessions to BFD
neighbors must be configured. For more information, see the “Configuring BFD Session Parameters on the
Interface” section.

SUMMARY STEPS
1. enable
2. configure terminal
3. interface type number
4. ip ospf bfd [disable]
5. end
6. show bfd neighbors [details]
7. show ip ospf

DETAILED STEPS

Step 1  enable
        Enables privileged EXEC mode. Enter your password if prompted.
        Example:
        Switch> enable

Step 2  configure terminal
        Enters global configuration mode.
        Example:
        Switch# configure terminal

Step 3  interface type number
        (Optional) Enters interface configuration mode.
        Example:
        Switch(config)# interface fastethernet 6/1

Step 4  ip ospf bfd [disable]
        (Optional) Enables or disables BFD on a per-interface basis for one or more interfaces associated with
        the OSPF routing process.
        Note: Use the disable keyword only if you enabled BFD on all of the interfaces that OSPF is associated
        with using the bfd all-interfaces command in router configuration mode.
        Example:
        Switch(config-if)# ip ospf bfd

Step 5  end
        Exits interface configuration mode and returns the device to privileged EXEC mode.
        Example:
        Switch(config-if)# end

Step 6  show bfd neighbors [details]
        (Optional) Displays information that can help verify if the BFD neighbor is active and displays the
        routing protocols that BFD has registered.
        Example:
        Switch# show bfd neighbors detail

Step 7  show ip ospf
        (Optional) Displays information that can help verify if BFD for OSPF has been enabled.
        Example:
        Switch# show ip ospf

Related Topics
Configuring BFD Session Parameters on the Interface, on page 326
Monitoring and Troubleshooting BFD, on page 338
Configuring BFD Support for OSPF for All Interfaces, on page 331

Configuring BFD Support for Static Routing


Perform this task to configure BFD support for static routing. Repeat the steps in this procedure on each BFD
neighbor. For more information, see the “Example: Configuring BFD Support for Static Routing” section.

SUMMARY STEPS
1. enable
2. configure terminal
3. interface type number
4. no switchport
5. ip address ip-address mask
6. bfd interval milliseconds min_rx milliseconds multiplier interval-multiplier
7. exit
8. ip route static bfd interface-type interface-number ip-address [group group-name [passive]]
9. ip route [vrf vrf-name] prefix mask {ip-address | interface-type interface-number [ip-address]} [dhcp]
[distance] [name next-hop-name] [permanent | track number] [tag tag]
10. exit
11. show ip static route
12. show ip static route bfd

DETAILED STEPS

Step 1  enable
        Enables privileged EXEC mode. Enter your password if prompted.
        Example:
        Switch> enable

Step 2  configure terminal
        Enters global configuration mode.
        Example:
        Switch# configure terminal

Step 3  interface type number
        Configures an interface and enters interface configuration mode.
        Example:
        Switch(config)# interface gigabitethernet 6/1

Step 4  no switchport
        Changes the interface to Layer 3.
        Example:
        Switch(config-if)# no switchport

Step 5  ip address ip-address mask
        Configures an IP address for the interface.
        Example:
        Switch(config-if)# ip address 10.201.201.1 255.255.255.0

Step 6  bfd interval milliseconds min_rx milliseconds multiplier interval-multiplier
        Enables BFD on the interface.
        Example:
        Switch(config-if)# bfd interval 500 min_rx 500 multiplier 5

Step 7  exit
        Exits interface configuration mode and returns to global configuration mode.
        Example:
        Switch(config-if)# exit

Step 8  ip route static bfd interface-type interface-number ip-address [group group-name [passive]]
        Specifies a static route BFD neighbor. The interface-type, interface-number, and ip-address arguments
        are required because BFD support exists only for directly connected neighbors.
        Example:
        Switch(config)# ip route static bfd serial 2/0 10.1.1.1 group group1 passive

Step 9  ip route [vrf vrf-name] prefix mask {ip-address | interface-type interface-number [ip-address]} [dhcp]
        [distance] [name next-hop-name] [permanent | track number] [tag tag]
        Specifies a static route.
        Example:
        Switch(config)# ip route 10.0.0.0 255.0.0.0 Gi6/1 10.201.201.2

Step 10 exit
        Exits global configuration mode and returns to privileged EXEC mode.
        Example:
        Switch(config)# exit

Step 11 show ip static route
        (Optional) Displays static route database information.
        Example:
        Switch# show ip static route

Step 12 show ip static route bfd
        (Optional) Displays information about the static BFD configuration from the configured BFD groups and
        non-group entries.
        Example:
        Switch# show ip static route bfd

Configuring BFD Echo Mode


BFD echo mode is enabled by default, but you can disable it such that it can run independently in each direction.
BFD echo mode works with asynchronous BFD. Echo packets are sent by the forwarding engine and forwarded
back along the same path in order to perform detection; the BFD session at the other end does not participate
in the actual forwarding of the echo packets. The echo function and the forwarding engine are responsible for
the detection process; therefore, the number of BFD control packets that are sent out between two BFD
neighbors is reduced. In addition, because the forwarding engine is testing the forwarding path on the remote
(neighbor) system without involving the remote system, there is an opportunity to improve the interpacket
delay variance, thereby achieving quicker failure detection times than when using BFD Version 0 with BFD
control packets for the BFD session.
Echo mode is described as without asymmetry when it is running on both sides (both BFD neighbors are
running echo mode).
Related Topics
Configuring BFD Session Parameters on the Interface, on page 326
BFD Operation, on page 322

Prerequisites
BFD must be running on all participating switches.
Before using BFD echo mode, you must disable the sending of Internet Control Message Protocol (ICMP)
redirect messages by entering the no ip redirects command, in order to avoid high CPU utilization.
The baseline parameters for BFD sessions on the interfaces over which you want to run BFD sessions to BFD
neighbors must be configured. See the Configuring BFD Session Parameters on the Interface section for more
information.

Restrictions
BFD echo mode is supported only in BFD Version 1.

Note BFD echo mode does not work in conjunction with Unicast Reverse Path Forwarding (uRPF) configuration.
If BFD echo mode and uRPF configurations are enabled, then the sessions will flap.

Configuring the BFD Slow Timer


The steps in this procedure show how to change the value of the BFD slow timer. Repeat the steps in this
procedure for each BFD switch.

SUMMARY STEPS
1. enable
2. configure terminal
3. bfd slow-timer milliseconds

DETAILED STEPS

Command or Action Purpose

Step 1 enable Enables privileged EXEC mode.
• Enter your password if prompted.
Example:
Switch> enable

Step 2 configure terminal Enters global configuration mode.
Example:
Switch# configure terminal

Step 3 bfd slow-timer milliseconds Configures the BFD slow timer.
Example:
Switch(config)# bfd slow-timer 12000

Disabling BFD Echo Mode Without Asymmetry


The steps in this procedure show how to disable BFD echo mode without asymmetry—no echo packets will
be sent by the switch, and the switch will not forward BFD echo packets that are received from any neighbor
switches.
Repeat the steps in this procedure for each BFD switch.

SUMMARY STEPS
1. enable
2. configure terminal
3. no bfd echo
4. end

DETAILED STEPS

Command or Action Purpose

Step 1 enable Enables privileged EXEC mode.
• Enter your password if prompted.
Example:
Switch> enable

Step 2 configure terminal Enters global configuration mode.
Example:
Switch# configure terminal

Step 3 no bfd echo Disables BFD echo mode.
• Use the no form to disable BFD echo mode.
Example:
Switch(config)# no bfd echo

Step 4 end Exits global configuration mode and returns to privileged EXEC mode.
Example:
Switch(config)# end

Monitoring and Troubleshooting BFD


This section describes how to retrieve BFD information for maintenance and troubleshooting. The commands
in these tasks can be entered as needed, in any order.
To monitor and troubleshoot BFD, perform the following steps:

SUMMARY STEPS
1. enable
2. show bfd neighbors [details]
3. debug bfd [packet | event]

DETAILED STEPS

Command or Action Purpose

Step 1 enable Enables privileged EXEC mode.
• Enter your password if prompted.
Example:
Switch> enable

Step 2 show bfd neighbors [details] (Optional) Displays the BFD adjacency database.
• The details keyword shows all BFD protocol parameters and timers per neighbor.
Example:
Switch# show bfd neighbors details

Step 3 debug bfd [packet | event] (Optional) Displays debugging information about BFD packets.
Example:
Switch# debug bfd packet

Related Topics
Configuring BFD Session Parameters on the Interface, on page 326
Configuring BFD Support for EIGRP, on page 329
Configuring BFD Support for BGP, on page 327
BFD Operation, on page 322
Configuring BFD Support for OSPF, on page 331
Configuring BFD Support for OSPF for One or More Interfaces, on page 333

Configuration Examples for Bidirectional Forwarding Detection


This section provides the following configuration examples:

Example: Configuring BFD in an EIGRP Network with Echo Mode Enabled by Default
In the following example, the EIGRP network contains DeviceA, DeviceB, and DeviceC. Fast Ethernet
interface 1/0 on DeviceA is connected to the same network as Fast Ethernet interface 1/0 on Device B. Fast
Ethernet interface 1/0 on DeviceB is connected to the same network as Fast Ethernet interface 1/0 on DeviceC.
DeviceA and DeviceB are running BFD Version 1, which supports echo mode, and DeviceC is running BFD
Version 0, which does not support echo mode. The BFD sessions between DeviceC and its BFD neighbors
are said to be running echo mode with asymmetry because echo mode will run on the forwarding path for
DeviceA and DeviceB, and their echo packets will return along the same path for BFD sessions and failure
detections, while their BFD neighbor DeviceC runs BFD Version 0 and uses BFD control packets for BFD
sessions and failure detections.
The figure below shows a large EIGRP network with several devices, three of which are BFD neighbors that
are running EIGRP as their routing protocol.

The example, starting in global configuration mode, shows the configuration of BFD.

Configuration for DeviceA

interface Fast Ethernet0/0
no shutdown
ip address 10.4.9.14 255.255.255.0
duplex auto
speed auto
!
interface Fast Ethernet1/0
ip address 172.16.1.1 255.255.255.0
bfd interval 50 min_rx 50 multiplier 3
no shutdown
duplex auto
speed auto
!
router eigrp 11
network 172.16.0.0
bfd all-interfaces
auto-summary
!
ip default-gateway 10.4.9.1
ip default-network 0.0.0.0
ip route 0.0.0.0 0.0.0.0 10.4.9.1
ip route 172.16.1.129 255.255.255.255 10.4.9.1
!
no ip http server
!
logging alarm informational
!
control-plane
!
line con 0
exec-timeout 30 0
stopbits 1
line aux 0
stopbits 1
line vty 0 4
login
!
!
end


Configuration for DeviceB

!
interface Fast Ethernet0/0
no shutdown
ip address 10.4.9.34 255.255.255.0
duplex auto
speed auto
!
interface Fast Ethernet1/0
ip address 172.16.1.2 255.255.255.0
bfd interval 50 min_rx 50 multiplier 3
no shutdown
duplex auto
speed auto
!
router eigrp 11
network 172.16.0.0
bfd all-interfaces
auto-summary
!
ip default-gateway 10.4.9.1
ip default-network 0.0.0.0
ip route 0.0.0.0 0.0.0.0 10.4.9.1
ip route 172.16.1.129 255.255.255.255 10.4.9.1
!
no ip http server
!
logging alarm informational
!
control-plane
!
line con 0
exec-timeout 30 0
stopbits 1
line aux 0
stopbits 1
line vty 0 4
login
!
!
end

Configuration for DeviceC

!
!
interface Fast Ethernet0/0
no shutdown
ip address 10.4.9.34 255.255.255.0
duplex auto
speed auto
!
interface Fast Ethernet1/0
ip address 172.16.1.3 255.255.255.0
bfd interval 50 min_rx 50 multiplier 3
no shutdown
duplex auto
speed auto
!
router eigrp 11
network 172.16.0.0
bfd all-interfaces
auto-summary
!
ip default-gateway 10.4.9.1
ip default-network 0.0.0.0
ip route 0.0.0.0 0.0.0.0 10.4.9.1
ip route 172.16.1.129 255.255.255.255 10.4.9.1
!
no ip http server
!
logging alarm informational
!
control-plane
!
line con 0
exec-timeout 30 0
stopbits 1
line aux 0
stopbits 1
line vty 0 4
login
!
!
end

The output from the show bfd neighbors details command from DeviceA verifies that BFD sessions are
created among all three devices and that EIGRP is registered for BFD support. The first group of output shows
that DeviceC with the IP address 172.16.1.3 runs BFD Version 0 and therefore does not use the echo mode.
The second group of output shows that DeviceB with the IP address 172.16.1.2 runs BFD Version 1, and the
50 millisecond BFD interval parameter had been adopted. The relevant command output is shown in bold in
the output.

DeviceA# show bfd neighbors details

OurAddr       NeighAddr     LD/RD RH/RS Holdown(mult) State Int
172.16.1.1    172.16.1.3    5/3   1(RH) 150 (3 )     Up    Fa1/0
Session state is UP and not using echo function.
Local Diag: 0, Demand mode: 0, Poll bit: 0
MinTxInt: 50000, MinRxInt: 50000, Multiplier: 3
Received MinRxInt: 50000, Received Multiplier: 3
Holdown (hits): 150(0), Hello (hits): 50(1364284)
Rx Count: 1351813, Rx Interval (ms) min/max/avg: 28/64/49 last: 4 ms ago
Tx Count: 1364289, Tx Interval (ms) min/max/avg: 40/68/49 last: 32 ms ago
Registered protocols: EIGRP
Uptime: 18:42:45
Last packet: Version: 0 - Diagnostic: 0
I Hear You bit: 1 - Demand bit: 0
Poll bit: 0 - Final bit: 0
Multiplier: 3 - Length: 24
My Discr.: 3 - Your Discr.: 5
Min tx interval: 50000 - Min rx interval: 50000
Min Echo interval: 0
OurAddr       NeighAddr     LD/RD RH/RS Holdown(mult) State Int
172.16.1.1    172.16.1.2    6/1   Up    0 (3 )       Up    Fa1/0
Session state is UP and using echo function with 50 ms interval.
Local Diag: 0, Demand mode: 0, Poll bit: 0
MinTxInt: 1000000, MinRxInt: 1000000, Multiplier: 3
Received MinRxInt: 1000000, Received Multiplier: 3
Holdown (hits): 3000(0), Hello (hits): 1000(317)
Rx Count: 305, Rx Interval (ms) min/max/avg: 1/1016/887 last: 448 ms ago
Tx Count: 319, Tx Interval (ms) min/max/avg: 1/1008/880 last: 532 ms ago
Registered protocols: EIGRP
Uptime: 00:04:30
Last packet: Version: 1 - Diagnostic: 0
State bit: Up - Demand bit: 0
Poll bit: 0 - Final bit: 0
Multiplier: 3 - Length: 24
My Discr.: 1 - Your Discr.: 6
Min tx interval: 1000000 - Min rx interval: 1000000
Min Echo interval: 50000

The output from the show bfd neighbors details command on Device B verifies that BFD sessions have been
created and that EIGRP is registered for BFD support. As previously noted, DeviceA runs BFD Version 1,
therefore echo mode is running, and DeviceC runs BFD Version 0, so echo mode does not run. The relevant
command output is shown in bold in the output.

DeviceB# show bfd neighbors details

OurAddr       NeighAddr     LD/RD RH/RS Holdown(mult) State Int
172.16.1.2    172.16.1.1    1/6   Up    0 (3 )       Up    Fa1/0
Session state is UP and using echo function with 50 ms interval.
Local Diag: 0, Demand mode: 0, Poll bit: 0
MinTxInt: 1000000, MinRxInt: 1000000, Multiplier: 3
Received MinRxInt: 1000000, Received Multiplier: 3
Holdown (hits): 3000(0), Hello (hits): 1000(337)
Rx Count: 341, Rx Interval (ms) min/max/avg: 1/1008/882 last: 364 ms ago
Tx Count: 339, Tx Interval (ms) min/max/avg: 1/1016/886 last: 632 ms ago
Registered protocols: EIGRP
Uptime: 00:05:00
Last packet: Version: 1 - Diagnostic: 0
State bit: Up - Demand bit: 0
Poll bit: 0 - Final bit: 0
Multiplier: 3 - Length: 24
My Discr.: 6 - Your Discr.: 1
Min tx interval: 1000000 - Min rx interval: 1000000
Min Echo interval: 50000
OurAddr       NeighAddr     LD/RD RH/RS Holdown(mult) State Int
172.16.1.2    172.16.1.3    3/6   1(RH) 118 (3 )     Up    Fa1/0
Session state is UP and not using echo function.
Local Diag: 0, Demand mode: 0, Poll bit: 0
MinTxInt: 50000, MinRxInt: 50000, Multiplier: 3
Received MinRxInt: 50000, Received Multiplier: 3
Holdown (hits): 150(0), Hello (hits): 50(5735)
Rx Count: 5731, Rx Interval (ms) min/max/avg: 32/72/49 last: 32 ms ago
Tx Count: 5740, Tx Interval (ms) min/max/avg: 40/64/50 last: 44 ms ago
Registered protocols: EIGRP
Uptime: 00:04:45
Last packet: Version: 0 - Diagnostic: 0
I Hear You bit: 1 - Demand bit: 0
Poll bit: 0 - Final bit: 0
Multiplier: 3 - Length: 24
My Discr.: 6 - Your Discr.: 3
Min tx interval: 50000 - Min rx interval: 50000
Min Echo interval: 0

The figure below shows that Fast Ethernet interface 1/0 on DeviceB has failed. When Fast Ethernet interface
1/0 on DeviceB is shut down, the BFD statistics of the corresponding BFD sessions on DeviceA and DeviceB
are reduced.

When Fast Ethernet interface 1/0 on DeviceB fails, BFD will no longer detect Device B as a BFD neighbor
for DeviceA or for DeviceC. In this example, Fast Ethernet interface 1/0 has been administratively shut down
on DeviceB.
The following output from the show bfd neighbors command on DeviceA now shows only one BFD neighbor
for DeviceA in the EIGRP network. The relevant command output is shown in bold in the output.

DeviceA# show bfd neighbors

OurAddr       NeighAddr     LD/RD RH/RS Holdown(mult) State Int
172.16.1.1    172.16.1.3    5/3   1(RH) 134 (3 )     Up    Fa1/0

The following output from the show bfd neighbors command on DeviceC also now shows only one BFD
neighbor for DeviceC in the EIGRP network. The relevant command output is shown in bold in the output.

DeviceC# show bfd neighbors

OurAddr       NeighAddr     LD/RD RH Holdown(mult) State Int
172.16.1.3    172.16.1.1    3/5   1  114 (3 )     Up    Fa1/0

Related Topics
BFD Version Interoperability, on page 324
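The Monitoring and Troubleshooting task above lists show bfd neighbors details, and the EIGRP example shows its output for a Version 0 neighbor (control packets only) and a Version 1 neighbor (echo function in use). The following script is an added example and is not part of this guide or of Cisco IOS: it parses that output and checks each session. The sample text reproduces the DeviceA output above with each session's summary row on one line, as IOS prints it. Two things are this example's assumptions rather than statements from the guide, although both agree with every value on the page: the reported Holdown is the received multiplier times the larger of the local MinRxInt and the neighbor's Min tx interval, and when the echo function is in use the failure detection time is the echo interval times the local multiplier.

```python
"""Check the sessions reported by 'show bfd neighbors details'.

Added example, not Cisco IOS code. SAMPLE_OUTPUT reproduces the DeviceA
output from the EIGRP example above, with each session's summary row on one
line as IOS prints it. Assumptions of this example (checked against the
values on the page): the reported Holdown equals
    Received Multiplier x max(local MinRxInt, neighbor's Min tx interval)
converted from microseconds to milliseconds, and when the echo function is in
use the failure detection time is the echo interval times the local multiplier.
"""
import re

SAMPLE_OUTPUT = """\
OurAddr       NeighAddr     LD/RD RH/RS Holdown(mult) State Int
172.16.1.1    172.16.1.3    5/3   1(RH) 150 (3 )     Up    Fa1/0
Session state is UP and not using echo function.
Local Diag: 0, Demand mode: 0, Poll bit: 0
MinTxInt: 50000, MinRxInt: 50000, Multiplier: 3
Received MinRxInt: 50000, Received Multiplier: 3
Holdown (hits): 150(0), Hello (hits): 50(1364284)
Registered protocols: EIGRP
Uptime: 18:42:45
Last packet: Version: 0 - Diagnostic: 0
Min tx interval: 50000 - Min rx interval: 50000
Min Echo interval: 0
OurAddr       NeighAddr     LD/RD RH/RS Holdown(mult) State Int
172.16.1.1    172.16.1.2    6/1   Up    0 (3 )       Up    Fa1/0
Session state is UP and using echo function with 50 ms interval.
Local Diag: 0, Demand mode: 0, Poll bit: 0
MinTxInt: 1000000, MinRxInt: 1000000, Multiplier: 3
Received MinRxInt: 1000000, Received Multiplier: 3
Holdown (hits): 3000(0), Hello (hits): 1000(317)
Registered protocols: EIGRP
Uptime: 00:04:30
Last packet: Version: 1 - Diagnostic: 0
Min tx interval: 1000000 - Min rx interval: 1000000
Min Echo interval: 50000
"""

# Summary row: our address, neighbor address, local/remote discriminators.
SESSION_ROW = re.compile(r"^(\d+(?:\.\d+){3})\s+(\d+(?:\.\d+){3})\s+(\d+)/(\d+)")


def _ints(line):
    """All integers on a line, in order of appearance."""
    return [int(n) for n in re.findall(r"\d+", line)]


def parse_bfd_details(text):
    """Return one dict per BFD session with the timer fields the checks need."""
    sessions, cur = [], None
    for raw in text.splitlines():
        line = raw.strip()
        m = SESSION_ROW.match(line)
        if m:
            cur = {"our": m.group(1), "neigh": m.group(2),
                   "ld": int(m.group(3)), "rd": int(m.group(4))}
            sessions.append(cur)
        elif cur is None:
            continue
        elif line.startswith("Session state is"):
            cur["echo"] = "not using echo" not in line
            em = re.search(r"with (\d+) ms interval", line)
            cur["echo_ms"] = int(em.group(1)) if em else 0
        elif line.startswith("MinTxInt:"):
            cur["min_tx"], cur["min_rx"], cur["mult"] = _ints(line)
        elif line.startswith("Received MinRxInt:"):
            cur["rcv_min_rx"], cur["rcv_mult"] = _ints(line)
        elif line.startswith("Holdown (hits):"):
            cur["holdown_ms"], cur["holdown_hits"] = _ints(line)[:2]
        elif line.startswith("Last packet: Version:"):
            cur["version"] = _ints(line)[0]
        elif line.startswith("Min tx interval:"):
            cur["rmt_min_tx"], cur["rmt_min_rx"] = _ints(line)
        elif line.startswith("Registered protocols:"):
            cur["protocols"] = line.split(":", 1)[1].split()
    return sessions


def expected_holdown_ms(s):
    """Control-packet detection time this switch should report, in ms (assumed formula)."""
    return s["rcv_mult"] * max(s["min_rx"], s["rmt_min_tx"]) // 1000


def effective_detect_ms(s):
    """Detection time that governs failover: echo timers when echo is in use (assumed)."""
    return s["echo_ms"] * s["mult"] if s["echo"] else s["holdown_ms"]


def audit(sessions):
    """Return human-readable findings; an empty list means nothing to report."""
    findings = []
    for s in sessions:
        exp = expected_holdown_ms(s)
        if exp != s["holdown_ms"]:
            findings.append(f"{s['neigh']}: holdown {s['holdown_ms']} ms != expected {exp} ms")
        if s.get("version") == 0:
            findings.append(f"{s['neigh']}: BFD Version 0 neighbor, echo function unavailable")
        if s["holdown_hits"]:
            findings.append(f"{s['neigh']}: holdown timer expired {s['holdown_hits']} time(s)")
    return findings


if __name__ == "__main__":
    parsed = parse_bfd_details(SAMPLE_OUTPUT)
    for s in parsed:
        print(f"{s['neigh']}: version {s['version']}, echo={'on' if s['echo'] else 'off'}, "
              f"detects failure within {effective_detect_ms(s)} ms")
    for finding in audit(parsed):
        print("WARNING", finding)
```

On the page's DeviceA output both sessions reach a 150 ms detection time, but by different means: the Version 0 neighbor through 50 ms control packets, the Version 1 neighbor through 50 ms echo packets while its control packets have slowed to the 1000 ms slow timer. A non-zero Holdown hit count is the sign that a session has actually expired since it was created.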

Example: Configuring BFD in an OSPF Network


The following example shows how to configure BFD in an OSPF network. In this example, a simple OSPF
network consists of Device A and Device B. Fast Ethernet interface 0/1 on Device A is connected to the same
network as Fast Ethernet interface 6/0 on Device B. The example, starting in global configuration mode,
shows the configuration of BFD. For both Devices A and B, BFD is configured globally for all interfaces
associated with the OSPF process.

Configuration for Device A

!
interface Fast Ethernet 0/1
ip address 172.16.10.1 255.255.255.0
bfd interval 50 min_rx 50 multiplier 3
!
interface Fast Ethernet 3/0.1
ip address 172.17.0.1 255.255.255.0
!
router ospf 123
log-adjacency-changes detail
network 172.16.0.0 0.0.0.255 area 0
network 172.17.0.0 0.0.0.255 area 0
bfd all-interfaces

Configuration for Device B

!
interface Fast Ethernet 6/0
ip address 172.16.10.2 255.255.255.0
bfd interval 50 min_rx 50 multiplier 3
!
interface Fast Ethernet 6/1
ip address 172.18.0.1 255.255.255.0
!
router ospf 123
log-adjacency-changes detail
network 172.16.0.0 0.0.255.255 area 0
network 172.18.0.0 0.0.255.255 area 0
bfd all-interfaces

The output from the show bfd neighbors details command verifies that a BFD session has been created and
that OSPF is registered for BFD support.

Device A

DeviceA# show bfd neighbors details

OurAddr       NeighAddr     LD/RD RH Holdown(mult) State Int
172.16.10.1   172.16.10.2   1/2   1  532 (3 )     Up    Fa0/1
Local Diag: 0, Demand mode: 0, Poll bit: 0
MinTxInt: 200000, MinRxInt: 200000, Multiplier: 5
Received MinRxInt: 1000, Received Multiplier: 3
Holdown (hits): 600(22), Hello (hits): 200(84453)
Rx Count: 49824, Rx Interval (ms) min/max/avg: 208/440/332 last: 68 ms ago
Tx Count: 84488, Tx Interval (ms) min/max/avg: 152/248/196 last: 192 ms ago
Registered protocols: OSPF
Uptime: 02:18:49
Last packet: Version: 0 - Diagnostic: 0
I Hear You bit: 1 - Demand bit: 0
Poll bit: 0 - Final bit: 0
Multiplier: 3 - Length: 24
My Discr.: 2 - Your Discr.: 1
Min tx interval: 50000 - Min rx interval: 1000
Min Echo interval: 0

The output from the show bfd neighbors details command from Device B verifies that a BFD session has
been created:

Device B

DeviceB# attach 6
Entering Console for 8 Port Fast Ethernet in Slot: 6
Type "exit" to end this session
Press RETURN to get started!

Device> show bfd neighbors details

Cleanup timer hits: 0
OurAddr NeighAddr LD/RD RH Holdown(mult) State Int
172.16.10.2 172.16.10.1 8/1 1 1000 (5 ) Up Fa6/0
Local Diag: 0, Demand mode: 0, Poll bit: 0
MinTxInt: 50000, MinRxInt: 1000, Multiplier: 3
Received MinRxInt: 200000, Received Multiplier: 5
Holdown (hits): 1000(0), Hello (hits): 200(5995)
Rx Count: 10126, Rx Interval (ms) min/max/avg: 152/248/196 last: 0 ms ago
Tx Count: 5998, Tx Interval (ms) min/max/avg: 204/440/332 last: 12 ms ago
Last packet: Version: 0 - Diagnostic: 0
I Hear You bit: 1 - Demand bit: 0
Poll bit: 0 - Final bit: 0
Multiplier: 5 - Length: 24
My Discr.: 1 - Your Discr.: 8
Min tx interval: 200000 - Min rx interval: 200000
Min Echo interval: 0
Uptime: 00:33:13
SSO Cleanup Timer called: 0
SSO Cleanup Action Taken: 0
Pseudo pre-emptive process count: 239103 min/max/avg: 8/16/8 last: 0 ms ago
IPC Tx Failure Count: 0
IPC Rx Failure Count: 0
Total Adjs Found: 1

The output from the show ip ospf command verifies that BFD has been enabled for OSPF.

Device A

DeviceA# show ip ospf

Routing Process "ospf 123" with ID 172.16.10.1
Supports only single TOS(TOS0) routes
Supports opaque LSA
Supports Link-local Signaling (LLS)
Initial SPF schedule delay 5000 msecs
Minimum hold time between two consecutive SPFs 10000 msecs
Maximum wait time between two consecutive SPFs 10000 msecs
Incremental-SPF disabled
Minimum LSA interval 5 secs
Minimum LSA arrival 1000 msecs
LSA group pacing timer 240 secs
Interface flood pacing timer 33 msecs
Retransmission pacing timer 66 msecs
Number of external LSA 0. Checksum Sum 0x000000
Number of opaque AS LSA 0. Checksum Sum 0x000000
Number of DCbitless external and opaque AS LSA 0
Number of DoNotAge external and opaque AS LSA 0
Number of areas in this router is 1. 1 normal 0 stub 0 nssa
External flood list length 0
BFD is enabled

Area BACKBONE(0)
Number of interfaces in this area is 2 (1 loopback)
Area has no authentication
SPF algorithm last executed 00:00:08.828 ago
SPF algorithm executed 9 times
Area ranges are
Number of LSA 3. Checksum Sum 0x028417
Number of opaque link LSA 0. Checksum Sum 0x000000
Number of DCbitless LSA 0
Number of indication LSA 0
Number of DoNotAge LSA 0
Flood list length 0

Device B

DeviceB# show ip ospf

Routing Process "ospf 123" with ID 172.18.0.1
Supports only single TOS(TOS0) routes
Supports opaque LSA
Supports Link-local Signaling (LLS)
Supports area transit capability
Initial SPF schedule delay 5000 msecs
Minimum hold time between two consecutive SPFs 10000 msecs
Maximum wait time between two consecutive SPFs 10000 msecs
Incremental-SPF disabled
Minimum LSA interval 5 secs
Minimum LSA arrival 1000 msecs
LSA group pacing timer 240 secs
Interface flood pacing timer 33 msecs
Retransmission pacing timer 66 msecs
Number of external LSA 0. Checksum Sum 0x0
Number of opaque AS LSA 0. Checksum Sum 0x0
Number of DCbitless external and opaque AS LSA 0
Number of DoNotAge external and opaque AS LSA 0
Number of areas in this router is 1. 1 normal 0 stub 0 nssa
Number of areas transit capable is 0
External flood list length 0
BFD is enabled

Area BACKBONE(0)
Number of interfaces in this area is 2 (1 loopback)
Area has no authentication
SPF algorithm last executed 02:07:30.932 ago
SPF algorithm executed 7 times
Area ranges are
Number of LSA 3. Checksum Sum 0x28417
Number of opaque link LSA 0. Checksum Sum 0x0
Number of DCbitless LSA 0
Number of indication LSA 0
Number of DoNotAge LSA 0
Flood list length 0

The output from the show ip ospf interface command verifies that BFD has been enabled for OSPF on the
interfaces connecting Device A and Device B.

Device A

DeviceA# show ip ospf interface Fast Ethernet 0/1

Fast Ethernet0/1 is up, line protocol is up
Internet Address 172.16.10.1/24, Area 0
Process ID 123, Router ID 172.16.10.1, Network Type BROADCAST, Cost: 1
Transmit Delay is 1 sec, State BDR, Priority 1, BFD enabled
Designated Router (ID) 172.18.0.1, Interface address 172.16.10.2
Backup Designated router (ID) 172.16.10.1, Interface address 172.16.10.1
Timer intervals configured, Hello 10, Dead 40, Wait 40, Retransmit 5
oob-resync timeout 40
Hello due in 00:00:03
Supports Link-local Signaling (LLS)
Index 1/1, flood queue length 0
Next 0x0(0)/0x0(0)
Last flood scan length is 1, maximum is 1
Last flood scan time is 0 msec, maximum is 0 msec
Neighbor Count is 1, Adjacent neighbor count is 1
Adjacent with neighbor 172.18.0.1 (Designated Router)
Suppress hello for 0 neighbor(s)

Device B

DeviceB# show ip ospf interface Fast Ethernet 6/1

Fast Ethernet6/1 is up, line protocol is up
Internet Address 172.18.0.1/24, Area 0
Process ID 123, Router ID 172.18.0.1, Network Type BROADCAST, Cost: 1
Transmit Delay is 1 sec, State DR, Priority 1, BFD enabled
Designated Router (ID) 172.18.0.1, Interface address 172.18.0.1
No backup designated router on this network
Timer intervals configured, Hello 10, Dead 40, Wait 40, Retransmit 5
oob-resync timeout 40
Hello due in 00:00:01
Supports Link-local Signaling (LLS)
Index 1/1, flood queue length 0
Next 0x0(0)/0x0(0)
Last flood scan length is 0, maximum is 0
Last flood scan time is 0 msec, maximum is 0 msec
Neighbor Count is 0, Adjacent neighbor count is 0
Suppress hello for 0 neighbor(s)

Example: Configuring BFD Support for Static Routing


In the following example, the network consists of Device A and Device B. Serial interface 2/0 on Device A
is connected to the same network as serial interface 2/0 on Device B. In order for the BFD session to come
up, Device B must be configured.

Device A

configure terminal
interface Serial 2/0
ip address 10.201.201.1 255.255.255.0
bfd interval 500 min_rx 500 multiplier 5
ip route static bfd Serial 2/0 10.201.201.2
ip route 10.0.0.0 255.0.0.0 Serial 2/0 10.201.201.2

Device B

configure terminal
interface Serial 2/0
ip address 10.201.201.2 255.255.255.0
bfd interval 500 min_rx 500 multiplier 5
ip route static bfd Serial 2/0 10.201.201.1
ip route 10.1.1.1 255.255.255.255 Serial 2/0 10.201.201.1

Note that the static route on Device B exists solely to enable the BFD session between 10.201.201.1 and
10.201.201.2. If there is no useful static route that needs to be configured, select a prefix that will not affect
packet forwarding, for example, the address of a locally configured loopback interface.
In the following example, there is an active static BFD configuration to reach 209.165.200.225 through
Ethernet interface 0/0 in the BFD group testgroup. As soon as the static route is configured that is tracked by
the configured static BFD, a single hop BFD session is initiated to 209.165.200.225 through Ethernet interface
0/0. The prefix 10.0.0.0/8 is added to the RIB if a BFD session is successfully established.

configure terminal
ip route static bfd Ethernet 0/0 209.165.200.225 group testgroup
ip route 10.0.0.0 255.255.255.224 Ethernet 0/0 209.165.200.225

In the following example, a BFD session to 209.165.200.226 through Ethernet interface 0/0.1001 is marked
to use the group testgroup. That is, this configuration is a passive static BFD. Though there are static routes
to be tracked by the second static BFD configuration, a BFD session is not triggered for 209.165.200.226
through Ethernet interface 0/0.1001. The existence of the prefixes 10.1.1.1/8 and 10.2.2.2/8 is controlled by
the active static BFD session (Ethernet interface 0/0 209.165.200.225).

configure terminal
ip route static bfd Ethernet 0/0 209.165.200.225 group testgroup
ip route 10.0.0.0 255.255.255.224 Ethernet 0/0 209.165.200.225
ip route static bfd Ethernet 0/0.1001 209.165.200.226 group testgroup passive
ip route 10.1.1.1 255.255.255.224 Ethernet 0/0.1001 209.165.200.226
ip route 10.2.2.2 255.255.255.224 Ethernet 0/0.1001 209.165.200.226

Related Topics
BFD Support for Static Routing, on page 325
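The static routing examples above cover three cases: a route tracked by its own BFD session (the Device A and Device B pair), routes tracked by the active member of a BFD group, and routes tracked by a passive member, whose installation is controlled by the active member's session. The following audit script is an added example and is not Cisco code: it reads IOS configuration text, pairs every static route that names an interface and next hop with the matching ip route static bfd entry, reports which member of a group controls each route, and flags routes with no BFD tracking at all. The sample configuration combines the examples above with two constructed lines, a route to 192.0.2.0 that has no BFD entry and a next-hop-only default route; the rule that a group must have exactly one active member is this example's assumption, not a statement from the guide.

```python
"""Audit BFD tracking of static routes in an IOS configuration.

Added example, not Cisco IOS code. It pairs each 'ip route ... <interface>
<next-hop>' with the 'ip route static bfd' entry for the same interface and
next hop, reports which group member controls the route, and flags routes
that no BFD session protects. SAMPLE_CONFIG combines the guide's examples
with two constructed lines (192.0.2.0 and the default route).
"""
import re

SAMPLE_CONFIG = """\
ip route static bfd Serial 2/0 10.201.201.2
ip route 10.0.0.0 255.0.0.0 Serial 2/0 10.201.201.2
ip route static bfd Ethernet 0/0 209.165.200.225 group testgroup
ip route 10.0.0.0 255.255.255.224 Ethernet 0/0 209.165.200.225
ip route static bfd Ethernet 0/0.1001 209.165.200.226 group testgroup passive
ip route 10.1.1.1 255.255.255.224 Ethernet 0/0.1001 209.165.200.226
ip route 10.2.2.2 255.255.255.224 Ethernet 0/0.1001 209.165.200.226
ip route 192.0.2.0 255.255.255.0 Ethernet 0/1 203.0.113.1
ip route 0.0.0.0 0.0.0.0 10.4.9.1
"""

# Interface names may be written with a space ("Ethernet 0/0") or without ("Gi6/1").
_INTF = r"[A-Za-z][A-Za-z-]*\s?\d[\d/.]*"
_IP = r"\d+\.\d+\.\d+\.\d+"
BFD_RE = re.compile(
    rf"^ip route static bfd (?P<intf>{_INTF}) (?P<nh>{_IP})"
    rf"(?: group (?P<group>\S+)(?P<passive> passive)?)?$")
ROUTE_RE = re.compile(
    rf"^ip route (?P<prefix>{_IP}) (?P<mask>{_IP}) (?:(?P<intf>{_INTF}) )?(?P<nh>{_IP})$")


def _norm(intf):
    """Canonical interface key: no spaces, lower case."""
    return intf.replace(" ", "").lower()


def parse_config(text):
    """Return (neighbors, routes): static BFD entries keyed by (intf, next hop), and static routes."""
    neighbors, routes = {}, []
    for raw in text.splitlines():
        line = raw.strip()
        m = BFD_RE.match(line)
        if m:
            neighbors[(_norm(m["intf"]), m["nh"])] = {
                "group": m["group"], "passive": m["passive"] is not None}
            continue
        m = ROUTE_RE.match(line)
        if m:
            routes.append({"prefix": m["prefix"], "mask": m["mask"],
                           "intf": _norm(m["intf"]) if m["intf"] else None, "nh": m["nh"]})
    return neighbors, routes


def active_members(neighbors):
    """Group name -> list of (intf, next hop) entries configured without 'passive'."""
    active = {}
    for key, entry in neighbors.items():
        if entry["group"] is not None and not entry["passive"]:
            active.setdefault(entry["group"], []).append(key)
    return active


def group_errors(neighbors):
    """Groups whose active-member count is not exactly one (this example's assumption)."""
    active = active_members(neighbors)
    groups = {e["group"] for e in neighbors.values() if e["group"] is not None}
    return [f"group {g}: {len(active.get(g, []))} active member(s), expected exactly 1"
            for g in sorted(groups) if len(active.get(g, [])) != 1]


def audit_static_routes(neighbors, routes):
    """Return (route text, status code, controlling neighbor or None) for each static route."""
    active = active_members(neighbors)
    result = []
    for r in routes:
        via = f"{r['intf']} " if r["intf"] else ""
        text = f"{r['prefix']} {r['mask']} via {via}{r['nh']}"
        if r["intf"] is None:
            # Static BFD needs an interface plus a directly connected address.
            result.append((text, "next-hop-only", None))
            continue
        entry = neighbors.get((r["intf"], r["nh"]))
        if entry is None:
            result.append((text, "untracked", None))
        elif entry["group"] is None:
            result.append((text, "own-session", r["nh"]))
        elif not active.get(entry["group"]):
            result.append((text, "group-no-active", None))
        else:
            code = "group-passive" if entry["passive"] else "group-active"
            result.append((text, code, active[entry["group"]][0][1]))
    return result


if __name__ == "__main__":
    nbrs, rts = parse_config(SAMPLE_CONFIG)
    for text, code, controller in audit_static_routes(nbrs, rts):
        print(f"{text:55} {code:15} {controller or '-'}")
    for err in group_errors(nbrs):
        print("ERROR", err)
```

The "untracked" and "next-hop-only" codes are the ones worth acting on: a static route in either state stays in the RIB after its next hop becomes unreachable until something else withdraws it, which is exactly the gap static BFD closes. A "group-no-active" result means the passive members' prefixes can never be installed, because no session is ever started for that group.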

CHAPTER 18
Configuring EtherChannels
• Finding Feature Information, on page 351
• Restrictions for EtherChannels, on page 351
• Information About EtherChannels, on page 352
• How to Configure EtherChannels, on page 363
• Monitoring EtherChannel, PAgP, and LACP Status, on page 377
• Configuration Examples for Configuring EtherChannels, on page 378

Finding Feature Information


Your software release may not support all the features documented in this module. For the latest caveats and
feature information, see Bug Search Tool and the release notes for your platform and software release. To
find information about the features documented in this module, and to see a list of the releases in which each
feature is supported, see the feature information table at the end of this module.
Use Cisco Feature Navigator to find information about platform support and Cisco software image support.
To access Cisco Feature Navigator, go to http://www.cisco.com/go/cfn. An account on Cisco.com is not
required.

Restrictions for EtherChannels


• All ports in an EtherChannel must be assigned to the same VLAN or they must be configured as trunk
ports.
• When the ports in an EtherChannel are configured as trunk ports, all the ports must be configured with
the same mode (either Inter-Switch Link [ISL] or IEEE 802.1Q).
• Port Aggregation Protocol (PAgP) can be enabled only in single-switch EtherChannel configurations;
PAgP cannot be enabled on cross-stack EtherChannels.

Information About EtherChannels


EtherChannel Overview
EtherChannel provides fault-tolerant high-speed links between switches, routers, and servers. You can use
the EtherChannel to increase the bandwidth between the wiring closets and the data center, and you can deploy
it anywhere in the network where bottlenecks are likely to occur. EtherChannel provides automatic recovery
for the loss of a link by redistributing the load across the remaining links. If a link fails, EtherChannel redirects
traffic from the failed link to the remaining links in the channel without intervention.
An EtherChannel consists of individual Ethernet links bundled into a single logical link.
Figure 34: Typical EtherChannel Configuration

The EtherChannel provides full-duplex bandwidth up to 8 Gb/s (Gigabit EtherChannel) or 80 Gb/s (10-Gigabit
EtherChannel) between your switch and another switch or host.
Each EtherChannel can consist of up to eight compatibly configured Ethernet ports.
The LAN Lite feature set supports up to six EtherChannels. The LAN Base feature set supports up to 24
EtherChannels.

EtherChannel Modes
You can configure an EtherChannel in one of these modes: Port Aggregation Protocol (PAgP), Link Aggregation
Control Protocol (LACP), or On. Configure both ends of the EtherChannel in the same mode:
• When you configure one end of an EtherChannel in either PAgP or LACP mode, the system negotiates
with the other end of the channel to determine which ports should become active. If the remote port
cannot negotiate an EtherChannel, the local port is put into an independent state and continues to carry
data traffic as would any other single link. The port configuration does not change, but the port does not
participate in the EtherChannel.

• When you configure an EtherChannel in the on mode, no negotiations take place. The switch forces all
compatible ports to become active in the EtherChannel. The other end of the channel (on the other switch)
must also be configured in the on mode; otherwise, packet loss can occur.

EtherChannel on Switches
You can create an EtherChannel on a switch, on a single switch in the stack, or on multiple switches in the
stack (known as cross-stack EtherChannel).
Figure 35: Single-Switch EtherChannel

Figure 36: Cross-Stack EtherChannel

EtherChannel Link Failover


If a link within an EtherChannel fails, traffic previously carried over that failed link moves to the remaining
links within the EtherChannel. If traps are enabled on the switch, a trap is sent for a failure that identifies the
switch, the EtherChannel, and the failed link. Inbound broadcast and multicast packets on one link in an
EtherChannel are blocked from returning on any other link of the EtherChannel.

Channel Groups and Port-Channel Interfaces


An EtherChannel comprises a channel group and a port-channel interface. The channel group binds physical
ports to the port-channel interface. Configuration changes applied to the port-channel interface apply to all
the physical ports bound together in the channel group.
Figure 37: Relationship of Physical Ports, Channel Group and Port-Channel Interface

The channel-group command binds the physical port and the port-channel interface together. Each
EtherChannel has a port-channel logical interface numbered from 1 to 24. This port-channel interface number
corresponds to the one specified with the channel-group interface configuration command.

• With Layer 2 ports, use the channel-group interface configuration command to dynamically create the
port-channel interface.
You also can use the interface port-channel port-channel-number global configuration command to
manually create the port-channel interface, but then you must use the channel-group
channel-group-number command to bind the logical interface to a physical port. The
channel-group-number can be the same as the port-channel-number, or you can use a new number. If
you use a new number, the channel-group command dynamically creates a new port channel.

Port Aggregation Protocol


The Port Aggregation Protocol (PAgP) is a Cisco-proprietary protocol that can be run only on Cisco switches
and on those switches licensed by vendors to support PAgP. PAgP facilitates the automatic creation of
EtherChannels by exchanging PAgP packets between Ethernet ports.
By using PAgP, the switch or switch stack learns the identity of partners capable of supporting PAgP and the
capabilities of each port. It then dynamically groups similarly configured ports (on a single switch in the stack)
into a single logical link (channel or aggregate port). Similarly configured ports are grouped based on hardware,
administrative, and port parameter constraints. For example, PAgP groups the ports with the same speed,
duplex mode, native VLAN, VLAN range, and trunking status and type. After grouping the links into an
EtherChannel, PAgP adds the group to the spanning tree as a single switch port.


PAgP Modes
PAgP modes specify whether a port can send PAgP packets, which start PAgP negotiations, or only respond
to PAgP packets received.

Table 34: EtherChannel PAgP Modes

Mode        Description

auto        Places a port into a passive negotiating state, in which the port responds to PAgP packets
            it receives but does not start PAgP packet negotiation. This setting minimizes the
            transmission of PAgP packets.
            This mode is not supported when the EtherChannel members are from different switches
            in the switch stack (cross-stack EtherChannel).

desirable   Places a port into an active negotiating state, in which the port starts negotiations with other
            ports by sending PAgP packets. This mode is not supported when the EtherChannel members
            are from different switches in the switch stack (cross-stack EtherChannel).

Switch ports exchange PAgP packets only with partner ports configured in the auto or desirable modes. Ports
configured in the on mode do not exchange PAgP packets.
Both the auto and desirable modes enable ports to negotiate with partner ports to form an EtherChannel based
on criteria such as port speed, and for Layer 2 EtherChannels, based on trunk state and VLAN numbers.
Ports can form an EtherChannel when they are in different PAgP modes as long as the modes are compatible.
For example:
• A port in the desirable mode can form an EtherChannel with another port that is in the desirable or auto
mode.
• A port in the auto mode can form an EtherChannel with another port in the desirable mode.

A port in the auto mode cannot form an EtherChannel with another port that is also in the auto mode because
neither port starts PAgP negotiation.

Silent Mode
If your switch is connected to a partner that is PAgP-capable, you can configure the switch port for nonsilent
operation by using the non-silent keyword. If you do not specify non-silent with the auto or desirable mode,
silent mode is assumed.
Use the silent mode when the switch is connected to a device that is not PAgP-capable and seldom, if ever,
sends packets. An example of a silent partner is a file server or a packet analyzer that is not generating traffic.
In this case, running PAgP on a physical port connected to a silent partner prevents that switch port from ever
becoming operational. However, the silent setting allows PAgP to operate, to attach the port to a channel
group, and to use the port for transmission.

PAgP Learn Method and Priority


Network devices are classified as PAgP physical learners or aggregate-port learners. A device is a physical
learner if it learns addresses by physical ports and directs transmissions based on that knowledge. A device
is an aggregate-port learner if it learns addresses by aggregate (logical) ports. The learn method must be
configured the same at both ends of the link.


When a device and its partner are both aggregate-port learners, they learn the address on the logical port-channel.
The device sends packets to the source by using any of the ports in the EtherChannel. With aggregate-port
learning, it is not important on which physical port the packet arrives.
PAgP cannot automatically detect when the partner device is a physical learner and when the local device is
an aggregate-port learner. Therefore, you must manually set the learning method on the local device to learn
addresses by physical ports. You also must set the load-distribution method to source-based distribution, so
that any given source MAC address is always sent on the same physical port.
You also can configure a single port within the group for all transmissions and use other ports for hot-standby.
The unused ports in the group can be swapped into operation in just a few seconds if the selected single port
loses hardware-signal detection. You can configure which port is always selected for packet transmission by
changing its priority with the pagp port-priority interface configuration command. The higher the priority,
the more likely that the port will be selected.

Note The switch supports address learning only on aggregate ports even though the physical-port keyword is
provided in the CLI. The pagp learn-method command and the pagp port-priority command have no effect
on the switch hardware, but they are required for PAgP interoperability with devices that only support address
learning by physical ports, such as the Catalyst 1900 switch.
When the link partner of the switch is a physical learner, we recommend that you configure the switch as a
physical-port learner by using the pagp learn-method physical-port interface configuration command. Set
the load-distribution method based on the source MAC address by using the port-channel load-balance
src-mac global configuration command. The switch then sends packets to the physical learner using the same
port in the EtherChannel from which it learned the source address. Only use the pagp learn-method command
in this situation.

PAgP Interaction with Virtual Switches and Dual-Active Detection


A virtual switch can be two or more core switches connected by virtual switch links (VSLs) that carry control
and data traffic between them. One of the switches is in active mode. The others are in standby mode. For
redundancy, remote switches are connected to the virtual switch by remote satellite links (RSLs).
If the VSL between two switches fails, one switch does not know the status of the other. Both switches could
change to the active mode, causing a dual-active situation in the network with duplicate configurations
(including duplicate IP addresses and bridge identifiers). The network might go down.
To prevent a dual-active situation, the core switches send PAgP protocol data units (PDUs) through the RSLs
to the remote switches. The PAgP PDUs identify the active switch, and the remote switches forward the PDUs
to core switches so that the core switches are in sync. If the active switch fails or resets, the standby switch
takes over as the active switch. If the VSL goes down, one core switch knows the status of the other and does
not change its state.

PAgP Interaction with Other Features


The Dynamic Trunking Protocol (DTP) and the Cisco Discovery Protocol (CDP) send and receive packets
over the physical ports in the EtherChannel. Trunk ports send and receive PAgP protocol data units (PDUs)
on the lowest numbered VLAN.
In Layer 2 EtherChannels, the first port in the channel that comes up provides its MAC address to the
EtherChannel. If this port is removed from the bundle, one of the remaining ports in the bundle provides its
MAC address to the EtherChannel.


PAgP sends and receives PAgP PDUs only from ports that are up and have PAgP enabled for the auto or
desirable mode.

Link Aggregation Control Protocol


The LACP is defined in IEEE 802.3ad and enables Cisco switches to manage Ethernet channels between
switches that conform to the IEEE 802.3ad protocol. LACP facilitates the automatic creation of EtherChannels
by exchanging LACP packets between Ethernet ports.
By using LACP, the switch or switch stack learns the identity of partners capable of supporting LACP and
the capabilities of each port. It then dynamically groups similarly configured ports into a single logical link
(channel or aggregate port). Similarly configured ports are grouped based on hardware, administrative, and
port parameter constraints. For example, LACP groups the ports with the same speed, duplex mode, native
VLAN, VLAN range, and trunking status and type. After grouping the links into an EtherChannel, LACP
adds the group to the spanning tree as a single switch port.

LACP Modes
LACP modes specify whether a port can send LACP packets or only receive LACP packets.

Table 35: EtherChannel LACP Modes

Mode      Description

active    Places a port into an active negotiating state in which the port starts negotiations with
          other ports by sending LACP packets.

passive   Places a port into a passive negotiating state in which the port responds to LACP packets
          that it receives, but does not start LACP packet negotiation. This setting minimizes the
          transmission of LACP packets.

Both the active and passive LACP modes enable ports to negotiate with partner ports to form an EtherChannel
based on criteria such as port speed, and for Layer 2 EtherChannels, based on trunk state and VLAN numbers.
Ports can form an EtherChannel when they are in different LACP modes as long as the modes are compatible.
For example:
• A port in the active mode can form an EtherChannel with another port that is in the active or passive
mode.
• A port in the passive mode cannot form an EtherChannel with another port that is also in the passive
mode because neither port starts LACP negotiation.

LACP Interaction with Other Features


The DTP and the CDP send and receive packets over the physical ports in the EtherChannel. Trunk ports send
and receive LACP PDUs on the lowest numbered VLAN.
In Layer 2 EtherChannels, the first port in the channel that comes up provides its MAC address to the
EtherChannel. If this port is removed from the bundle, one of the remaining ports in the bundle provides its
MAC address to the EtherChannel.
LACP sends and receives LACP PDUs only from ports that are up and have LACP enabled for the active or
passive mode.


EtherChannel On Mode
EtherChannel on mode can be used to manually configure an EtherChannel. The on mode forces a port to
join an EtherChannel without negotiations. The on mode can be useful if the remote device does not support
PAgP or LACP. In the on mode, a usable EtherChannel exists only when the switches at both ends of the link
are configured in the on mode.
Ports that are configured in the on mode in the same channel group must have compatible port characteristics,
such as speed and duplex. Ports that are not compatible are suspended, even though they are configured in
the on mode.

Caution You should use care when using the on mode. This is a manual configuration, and ports on both ends of the
EtherChannel must have the same configuration. If the group is misconfigured, packet loss or spanning-tree
loops can occur.

Load-Balancing and Forwarding Methods


EtherChannel balances the traffic load across the links in a channel by reducing part of the binary pattern
formed from the addresses in the frame to a numerical value that selects one of the links in the channel. You
can specify one of several different load-balancing modes, including load distribution based on MAC addresses,
IP addresses, source addresses, destination addresses, or both source and destination addresses. The selected
mode applies to all EtherChannels configured on the switch.
You configure the load-balancing and forwarding method by using the port-channel load-balance global
configuration command.

MAC Address Forwarding


With source-MAC address forwarding, when packets are forwarded to an EtherChannel, they are distributed
across the ports in the channel based on the source-MAC address of the incoming packet. Therefore, to provide
load-balancing, packets from different hosts use different ports in the channel, but packets from the same host
use the same port in the channel.
With destination-MAC address forwarding, when packets are forwarded to an EtherChannel, they are distributed
across the ports in the channel based on the destination host’s MAC address of the incoming packet. Therefore,
packets to the same destination are forwarded over the same port, and packets to a different destination are
sent on a different port in the channel.
With source-and-destination MAC address forwarding, when packets are forwarded to an EtherChannel, they
are distributed across the ports in the channel based on both the source and destination MAC addresses. This
forwarding method, a combination source-MAC and destination-MAC address forwarding methods of load
distribution, can be used if it is not clear whether source-MAC or destination-MAC address forwarding is
better suited on a particular switch. With source-and-destination MAC-address forwarding, packets sent from
host A to host B, host A to host C, and host C to host B could all use different ports in the channel.

IP Address Forwarding
With source-IP address-based forwarding, packets are distributed across the ports in the EtherChannel based
on the source-IP address of the incoming packet. To provide load balancing, packets from different IP addresses
use different ports in the channel, and packets from the same IP address use the same port in the channel.


With destination-IP address-based forwarding, packets are distributed across the ports in the EtherChannel
based on the destination-IP address of the incoming packet. To provide load balancing, packets from the same
IP source address sent to different IP destination addresses could be sent on different ports in the channel.
Packets sent from different source IP addresses to the same destination IP address are always sent on the same
port in the channel.
With source-and-destination IP address-based forwarding, packets are distributed across the ports in the
EtherChannel based on both the source and destination IP addresses of the incoming packet. This forwarding
method, a combination of source-IP and destination-IP address-based forwarding, can be used if it is not clear
whether source-IP or destination-IP address-based forwarding is better suited on a particular switch. In this
method, packets sent from the IP address A to IP address B, from IP address A to IP address C, and from IP
address C to IP address B could all use different ports in the channel.

Load-Balancing Advantages
Different load-balancing methods have different advantages, and the choice of a particular load-balancing
method should be based on the position of the switch in the network and the kind of traffic that needs to be
load-distributed.
Figure 38: Load Distribution and Forwarding Methods

In the following figure, an EtherChannel of four workstations communicates with a router. Because the router
is a single MAC-address device, source-based forwarding on the switch EtherChannel ensures that the switch
uses all available bandwidth to the router. The router is configured for destination-based forwarding because
the large number of workstations ensures that the traffic is evenly distributed from the router EtherChannel.

Use the option that provides the greatest variety in your configuration. For example, if the traffic on a channel
is going only to a single MAC address, using the destination-MAC address always chooses the same link in
the channel. Using source addresses or IP addresses might result in better load-balancing.
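The following Python model is added here to illustrate the load-distribution point made in the previous
sections; it is not code from this guide or from Cisco. The guide states only that part of the binary pattern
of the frame addresses is reduced to a value that selects a link, so the concrete reduction used below (XOR of
the selected address fields, taken modulo the number of member links) is an assumption for illustration, as are
the workstation and router addresses, which are constructed sample data. It reproduces the Figure 38 scenario:
with one router behind the channel, destination-based selection on the switch side always picks the same link,
while source-based selection spreads the four workstations across the links, and the reverse holds for traffic
leaving the router.

```python
from collections import Counter

# Constructed sample: four workstations on the access side all talking to one router.
# (These MAC and IP addresses are made up for the illustration.)
ROUTER_MAC, ROUTER_IP = "00:aa:bb:cc:dd:01", "10.0.0.1"
WORKSTATIONS = [("00:11:22:33:44:%02x" % i, "10.0.0.%d" % (10 + i)) for i in range(1, 5)]

# Frames from the workstations towards the router (switch side of the channel).
FRAMES = [{"src_mac": m, "src_ip": ip, "dst_mac": ROUTER_MAC, "dst_ip": ROUTER_IP}
          for m, ip in WORKSTATIONS]
# Frames from the router back to the workstations (router side of the channel).
RETURN_FRAMES = [{"src_mac": ROUTER_MAC, "src_ip": ROUTER_IP, "dst_mac": m, "dst_ip": ip}
                 for m, ip in WORKSTATIONS]


def _mac_int(mac: str) -> int:
    """Parse 'aa:bb:cc:dd:ee:ff' or 'aabb.ccdd.eeff' into an integer."""
    return int(mac.replace(":", "").replace(".", ""), 16)


def _ip_int(ip: str) -> int:
    a, b, c, d = (int(x) for x in ip.split("."))
    return (a << 24) | (b << 16) | (c << 8) | d


def select_link(frame: dict, method: str, links: int) -> int:
    """Return the index (0..links-1) of the member link the frame is sent on.

    `method` uses the keywords of the port-channel load-balance command. The hash
    itself (XOR of the chosen fields, modulo the link count) is an assumed model.
    """
    fields = {
        "src-mac": [_mac_int(frame["src_mac"])],
        "dst-mac": [_mac_int(frame["dst_mac"])],
        "src-dst-mac": [_mac_int(frame["src_mac"]), _mac_int(frame["dst_mac"])],
        "src-ip": [_ip_int(frame["src_ip"])],
        "dst-ip": [_ip_int(frame["dst_ip"])],
        "src-dst-ip": [_ip_int(frame["src_ip"]), _ip_int(frame["dst_ip"])],
    }[method]
    value = 0
    for f in fields:
        value ^= f
    return value % links


def distribution(frames: list, method: str, links: int) -> dict:
    """Count how many of `frames` land on each member link for a given method."""
    counts = Counter(select_link(f, method, links) for f in frames)
    return {i: counts.get(i, 0) for i in range(links)}


def links_used(frames: list, method: str, links: int) -> int:
    """Number of distinct member links that carry at least one frame."""
    return sum(1 for n in distribution(frames, method, links).values() if n)


if __name__ == "__main__":
    for method in ("src-mac", "dst-mac", "src-dst-mac", "src-ip", "dst-ip"):
        print("switch side", method, distribution(FRAMES, method, 4))
        print("router side", method, distribution(RETURN_FRAMES, method, 4))
```

Run it with four member links and the switch-side frames: dst-mac and dst-ip put all four flows on one link,
while src-mac, src-ip and the combined methods use every link. For the router-side frames the result is
mirrored, which is why the figure configures the switch for source-based and the router for destination-based
forwarding.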


EtherChannel Load Deferral Overview


In an Instant Access system, the EtherChannel Load Deferral feature allows ports to be bundled into port
channels, but prevents the assignment of group mask values to these ports. This prevents the traffic from being
forwarded to new Instant Access stack members and reduces data loss following a stateful switchover (SSO).
Cisco Catalyst Instant Access creates a single network touch point and a single point of configuration across
distribution and access layer switches. Instant Access enables the merging of physical distribution and access
layer switches into a single logical entity with a single point of configuration, management, and troubleshooting.
The following illustration represents a sample network where an Instant Access system interacts with a switch
(Catalyst 2960-X Series Switches) that is connected via a port channel to stacked clients (Member 1 and
Member 2).
When the EtherChannel Load Deferral feature is configured and a new Instant Access client stack member
comes up, the ports of this newly joined stack member are bundled into the port channel. In the transition period,
the data path is not fully established on the distribution switch (Catalyst 6000 Series Switches), and traffic
originating from the access layer switch (Catalyst 2960-X Series Switches) reaches the non-established ports
and the traffic gets lost.
When load share deferral is enabled on a port channel, the assignment of a member port’s load share is delayed
for a period that is configured globally by the port-channel load-defer command. During the deferral period,
the load share of a deferred member port is set to 0. In this state, the deferred port is capable of receiving data
and control traffic, and of sending control traffic, but the port is prevented from sending data traffic to the
virtual switching system (VSS). Upon expiration of the global deferral timer, the deferred member port exits
the deferral state and the port assumes its normal configured load share.
Load share deferral is applied only if at least one member port of the port channel is currently active with a
nonzero load share. If a port enabled for load share deferral is the first member bringing up the EtherChannel,
the deferral feature does not apply and the port will forward traffic immediately.
This feature is enabled on a per port-channel basis; however, the load deferral timer is configured globally
and not per port-channel. As a result, when a new port is bundled, the timer starts only if it is not already
running. If some other ports are already deferred then the new port will be deferred only for the remaining
amount of time.
The load deferral is stopped as soon as a member in one of the deferred port channels is unbundled. As a
result, all the ports that were deferred are assigned a group mask in the event of an unbundling during the
deferral period.

Note When you try to enable this feature on a stack member switch, the following message is displayed:
Load share deferral is supported only on stand-alone stack.
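The following Python model is added here to walk through the timer rules in the overview above; it is not
code from this guide or from Cisco, and the port channel and port names it uses are constructed sample values.
It covers the cases the text calls out: the first member that brings up a channel is never deferred, the global
timer starts only if it is not already running so a later port is deferred only for the remaining time, a deferred
port reports a load share of 0 until the timer expires, and unbundling a member of a deferred port channel
releases every deferred port immediately.

```python
from dataclasses import dataclass, field
from typing import Dict, Optional, Set


@dataclass
class LoadDeferral:
    """Model of EtherChannel load share deferral (illustrative, not Cisco's implementation).

    seconds           global port-channel load-defer interval (default 120 seconds)
    deferral_enabled  port channels on which port-channel load-defer is configured
    members           port channel -> {member port: currently deferred?}
    timer_expiry      the single global deferral timer; None when it is not running
    """
    seconds: int = 120
    deferral_enabled: Set[str] = field(default_factory=set)
    members: Dict[str, Dict[str, bool]] = field(default_factory=dict)
    timer_expiry: Optional[float] = None

    def bundle(self, pc: str, port: str, now: float) -> bool:
        """Add `port` to `pc` at time `now`; return True if the port enters the deferred state."""
        self._expire(now)
        group = self.members.setdefault(pc, {})
        # Deferral applies only if some member is already active with a nonzero load share;
        # a member that is itself deferred (load share 0) does not count.
        has_active_member = any(not deferred for deferred in group.values())
        deferred = pc in self.deferral_enabled and has_active_member
        group[port] = deferred
        if deferred and self.timer_expiry is None:
            # The timer is global: it starts only if it is not already running.
            self.timer_expiry = now + self.seconds
        return deferred

    def unbundle(self, pc: str, port: str, now: float) -> None:
        """Remove `port` from `pc`; unbundling from a deferred port channel stops deferral."""
        self._expire(now)
        group = self.members.get(pc, {})
        had_deferred = any(group.values())
        group.pop(port, None)
        if had_deferred:
            self._release_all()

    def load_share(self, pc: str, port: str, now: float) -> int:
        """0 while the port is deferred, otherwise 1 (its normal configured load share)."""
        self._expire(now)
        return 0 if self.members[pc][port] else 1

    def _expire(self, now: float) -> None:
        if self.timer_expiry is not None and now >= self.timer_expiry:
            self._release_all()

    def _release_all(self) -> None:
        # Every deferred port, in every port channel, assumes its normal load share.
        for group in self.members.values():
            for port in group:
                group[port] = False
        self.timer_expiry = None


if __name__ == "__main__":
    # Constructed timeline: Po10 has deferral enabled; members join at t=0, 10 and 30 seconds.
    d = LoadDeferral(seconds=60, deferral_enabled={"Po10"})
    print("first member deferred:", d.bundle("Po10", "Gi1/0/1", 0))      # False
    print("second member deferred:", d.bundle("Po10", "Gi1/0/2", 10))    # True, timer ends at 70
    print("third member deferred:", d.bundle("Po10", "Gi1/0/3", 30))     # True, same timer
    print("load share at t=69:", d.load_share("Po10", "Gi1/0/3", 69))     # 0
    print("load share at t=70:", d.load_share("Po10", "Gi1/0/3", 70))     # 1
```

The model uses a load share of 1 for "normal" because the guide describes only the 0-versus-configured
distinction; the actual configured share is whatever the platform assigns once the group mask is installed.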

Default EtherChannel Configuration


The default EtherChannel configuration is described in this table.

Table 36: Default EtherChannel Configuration

Feature                          Default Setting

Channel groups                   None assigned.
Port-channel logical interface   None defined.
PAgP mode                        No default.
PAgP learn method                Aggregate-port learning on all ports.
PAgP priority                    128 on all ports.
LACP mode                        No default.
LACP learn method                Aggregate-port learning on all ports.
LACP port priority               32768 on all ports.
LACP system priority             32768.
LACP system ID                   LACP system priority and the switch or stack MAC address.
Load-balancing                   Load distribution on the switch is based on the source-MAC address of the
                                 incoming packet.

EtherChannel Configuration Guidelines


If improperly configured, some EtherChannel ports are automatically disabled to avoid network loops and
other problems. Follow these guidelines to avoid configuration problems:
• Configure a PAgP EtherChannel with up to eight Ethernet ports of the same type.
• Configure a LACP EtherChannel with up to 16 Ethernet ports of the same type. Up to eight ports can be
active, and up to eight ports can be in standby mode.
• Configure all ports in an EtherChannel to operate at the same speeds and duplex modes.
• Enable all ports in an EtherChannel. A port in an EtherChannel that is disabled by using the shutdown
interface configuration command is treated as a link failure, and its traffic is transferred to one of the
remaining ports in the EtherChannel.
• When a group is first created, all ports follow the parameters set for the first port to be added to the group.
If you change the configuration of one of these parameters, you must also make the changes to all ports
in the group:
• Allowed-VLAN list
• Spanning-tree path cost for each VLAN
• Spanning-tree port priority for each VLAN
• Spanning-tree Port Fast setting

• Do not configure a port to be a member of more than one EtherChannel group.


• Do not configure an EtherChannel in both the PAgP and LACP modes. EtherChannel groups running
PAgP and LACP can coexist on the same switch or on different switches in the stack. Individual
EtherChannel groups can run either PAgP or LACP, but they cannot interoperate.
• Do not configure a secure port as part of an EtherChannel or the reverse.
• Do not configure a port that is an active or a not-yet-active member of an EtherChannel as an IEEE 802.1x
port. If you try to enable IEEE 802.1x on an EtherChannel port, an error message appears, and IEEE
802.1x is not enabled.
• If EtherChannels are configured on switch interfaces, remove the EtherChannel configuration from the
interfaces before globally enabling IEEE 802.1x on a switch by using the dot1x system-auth-control
global configuration command.
• For cross-stack EtherChannel configurations, ensure that all ports targeted for the EtherChannel are either
configured for LACP or are manually configured to be in the channel group using the channel-group
channel-group-number mode on interface configuration command. The PAgP protocol is not supported
on cross-stack EtherChannels.

Layer 2 EtherChannel Configuration Guidelines


When configuring Layer 2 EtherChannels, follow these guidelines:
• Assign all ports in the EtherChannel to the same VLAN, or configure them as trunks. Ports with different
native VLANs cannot form an EtherChannel.
• An EtherChannel supports the same allowed range of VLANs on all the ports in a trunking Layer 2
EtherChannel. If the allowed range of VLANs is not the same, the ports do not form an EtherChannel
even when PAgP is set to the auto or desirable mode.
• Ports with different spanning-tree path costs can form an EtherChannel if they are otherwise compatibly
configured. Setting different spanning-tree path costs does not, by itself, make ports incompatible for
the formation of an EtherChannel.
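The following Python check is added here to tie together the PAgP Modes, LACP Modes, EtherChannel On Mode
and guideline sections above; it is not code from this guide or from Cisco. `partners_form_channel` applies
the negotiation rules between the two ends of a link (auto/auto and passive/passive never start negotiation,
on requires on at both ends, PAgP and LACP groups cannot interoperate), and `check_channel_group` applies
the member guidelines on one switch (member-count limits, same speed and duplex, same VLAN or trunk with the
same allowed VLAN range, while spanning-tree path cost may differ). The `MemberPort` record and its field names
are assumptions made for the example; the port values in the usage block are constructed.

```python
from __future__ import annotations
from dataclasses import dataclass
from typing import List, Optional, Tuple

PAGP_MODES = {"auto", "desirable"}
LACP_MODES = {"active", "passive"}
INITIATING_MODES = {"desirable", "active"}   # modes that send the first negotiation packet
ALL_MODES = PAGP_MODES | LACP_MODES | {"on"}


def partners_form_channel(local_mode: str, partner_mode: str) -> Tuple[bool, str]:
    """Decide whether the ports at the two ends of a link bundle, and say why."""
    for m in (local_mode, partner_mode):
        if m not in ALL_MODES:
            raise ValueError(f"unknown channel-group mode: {m}")
    if "on" in (local_mode, partner_mode):
        if local_mode == partner_mode:
            return True, "on mode at both ends (no negotiation)"
        return False, "on mode requires on mode at both ends"
    if (local_mode in PAGP_MODES) != (partner_mode in PAGP_MODES):
        return False, "PAgP and LACP cannot interoperate"
    if local_mode in INITIATING_MODES or partner_mode in INITIATING_MODES:
        return True, "at least one end starts negotiation"
    return False, f"neither end starts negotiation ({local_mode}/{partner_mode})"


@dataclass(frozen=True)
class MemberPort:
    """Assumed record of the per-port parameters the guidelines compare."""
    name: str
    speed_mbps: int
    duplex: str                      # "full" or "half"
    trunk: bool
    vlan: int                        # access VLAN, or native VLAN when trunk is True
    allowed_vlans: frozenset = frozenset()   # trunk allowed-VLAN list
    stp_path_cost: int = 4           # may differ between members without blocking the bundle


def member_mismatch(first: MemberPort, other: MemberPort) -> Optional[str]:
    """Why `other` cannot join a group whose parameters were set by `first`, or None if it can."""
    if (first.speed_mbps, first.duplex) != (other.speed_mbps, other.duplex):
        return f"{other.name}: speed/duplex differs from {first.name}"
    if first.trunk != other.trunk:
        return f"{other.name}: access/trunk mode differs from {first.name}"
    if first.vlan != other.vlan:
        return f"{other.name}: VLAN (or native VLAN) differs from {first.name}"
    if first.trunk and first.allowed_vlans != other.allowed_vlans:
        return f"{other.name}: allowed VLAN range differs from {first.name}"
    return None


def check_channel_group(ports: List[MemberPort], protocol: str) -> List[str]:
    """Return the guideline violations for a proposed channel group (empty list means OK)."""
    if protocol not in ("pagp", "lacp"):
        raise ValueError("protocol must be 'pagp' or 'lacp'")
    limit = 8 if protocol == "pagp" else 16     # 16 for LACP: 8 active plus 8 standby
    problems = []
    if len(ports) > limit:
        problems.append(f"{len(ports)} ports exceeds the {protocol.upper()} limit of {limit}")
    # All members follow the parameters of the first port added to the group.
    for p in ports[1:]:
        why = member_mismatch(ports[0], p)
        if why:
            problems.append(why)
    return problems


if __name__ == "__main__":
    # Constructed sample ports: two matching trunks and one with a different allowed list.
    vl = frozenset({10, 20, 30})
    a = MemberPort("Gi1/0/1", 1000, "full", True, 1, vl, stp_path_cost=4)
    b = MemberPort("Gi1/0/2", 1000, "full", True, 1, vl, stp_path_cost=19)
    c = MemberPort("Gi1/0/3", 1000, "full", True, 1, frozenset({10, 20}))
    print(partners_form_channel("desirable", "auto"))
    print(check_channel_group([a, b], "lacp"))      # []  (path cost alone is fine)
    print(check_channel_group([a, b, c], "lacp"))   # allowed VLAN range differs
```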

Auto-LAG
The auto-LAG feature provides the ability to auto create EtherChannels on ports connected to a switch. By
default, auto-LAG is disabled globally and is enabled on all port interfaces. The auto-LAG applies to a switch
only when it is enabled globally.
On enabling auto-LAG globally, the following scenarios are possible:
• All port interfaces participate in creation of auto EtherChannels provided the partner port interfaces have
EtherChannel configured on them. For more information, see the "The supported auto-LAG configurations
between the actor and partner devices" table below.
• Ports that are already part of manual EtherChannels cannot participate in creation of auto EtherChannels.
• When auto-LAG is disabled on a port interface that is already a part of an auto created EtherChannel,
the port interface will unbundle from the auto EtherChannel.

The following table shows the supported auto-LAG configurations between the actor and partner devices:


Table 37: The supported auto-LAG configurations between the actor and partner devices

Actor/Partner Active Passive Auto

Active Yes Yes Yes

Passive Yes No Yes

Auto Yes Yes Yes

On disabling auto-LAG globally, all auto created EtherChannels become manual EtherChannels.
You cannot add any configurations to an existing auto created EtherChannel. To add them, first convert
it into a manual EtherChannel by executing the port-channel channel-number persistent command.

Note Auto-LAG uses the LACP protocol to create auto EtherChannel. Only one EtherChannel can be automatically
created with the unique partner devices.

Auto-LAG Configuration Guidelines


Follow these guidelines when configuring the auto-LAG feature.
• When auto-LAG is enabled globally and on the port interface, and if you do not want the port interface
to become a member of the auto EtherChannel, disable the auto-LAG on the port interface.
• A port interface will not bundle to an auto EtherChannel when it is already a member of a manual
EtherChannel. To allow it to bundle with the auto EtherChannel, first unbundle the manual EtherChannel
on the port interface.
• When auto-LAG is enabled and auto EtherChannel is created, you can create multiple EtherChannels
manually with the same partner device. But by default, the port tries to create auto EtherChannel with
the partner device.
• The auto-LAG is supported only on Layer 2 EtherChannel. It is not supported on Layer 3 interface and
Layer 3 EtherChannel.

How to Configure EtherChannels


After you configure an EtherChannel, configuration changes applied to the port-channel interface apply to all
the physical ports assigned to the port-channel interface, and configuration changes applied to the physical
port affect only the port where you apply the configuration.

Configuring Layer 2 EtherChannels


You configure Layer 2 EtherChannels by assigning ports to a channel group with the channel-group interface
configuration command. This command automatically creates the port-channel logical interface.
If you enabled PAgP on a port in the auto or desirable mode, you must reconfigure it for either the on mode
or the LACP mode before adding this port to a cross-stack EtherChannel. PAgP does not support cross-stack
EtherChannels.


SUMMARY STEPS
1. configure terminal
2. interface interface-id
3. switchport mode {access | trunk}
4. switchport access vlan vlan-id
5. channel-group channel-group-number mode {auto [non-silent] | desirable [non-silent ] | on } | { active
| passive}
6. end

DETAILED STEPS

Command or Action / Purpose

Step 1  configure terminal
        Enters global configuration mode.
        Example:
        SwitchDevice# configure terminal

Step 2  interface interface-id
        Specifies a physical port, and enters interface configuration mode. Valid interfaces are physical ports.
        For a PAgP EtherChannel, you can configure up to eight ports of the same type and speed for the same
        group.
        For a LACP EtherChannel, you can configure up to 16 Ethernet ports of the same type. Up to eight ports
        can be active, and up to eight ports can be in standby mode.
        Example:
        SwitchDevice(config)# interface gigabitethernet2/0/1

Step 3  switchport mode {access | trunk}
        Assigns all ports as static-access ports in the same VLAN, or configures them as trunks.
        If you configure the port as a static-access port, assign it to only one VLAN. The range is 1 to 4094.
        Example:
        SwitchDevice(config-if)# switchport mode access

Step 4  switchport access vlan vlan-id
        (Optional) If you configure the port as a static-access port, assign it to only one VLAN. The range is
        1 to 4094.
        Example:
        SwitchDevice(config-if)# switchport access vlan 22

Step 5  channel-group channel-group-number mode {auto [non-silent] | desirable [non-silent] | on} | {active | passive}
        Assigns the port to a channel group, and specifies the PAgP or the LACP mode.
        For channel-group-number, the range is 1 to 24.
        For mode, select one of these keywords:
        • auto—Enables PAgP only if a PAgP device is detected. It places the port into a passive negotiating
          state, in which the port responds to PAgP packets it receives but does not start PAgP packet
          negotiation. This keyword is not supported when EtherChannel members are from different switches
          in the switch stack.
        • desirable—Unconditionally enables PAgP. It places the port into an active negotiating state, in which
          the port starts negotiations with other ports by sending PAgP packets. This keyword is not supported
          when EtherChannel members are from different switches in the switch stack.
        • on—Forces the port to channel without PAgP or LACP. In the on mode, an EtherChannel exists only
          when a port group in the on mode is connected to another port group in the on mode.
        • non-silent—(Optional) If your switch is connected to a partner that is PAgP-capable, configures the
          switch port for nonsilent operation when the port is in the auto or desirable mode. If you do not
          specify non-silent, silent is assumed. The silent setting is for connections to file servers or packet
          analyzers. This setting allows PAgP to operate, to attach the port to a channel group, and to use the
          port for transmission.
        • active—Enables LACP only if a LACP device is detected. It places the port into an active negotiating
          state in which the port starts negotiations with other ports by sending LACP packets.
        • passive—Enables LACP on the port and places it into a passive negotiating state in which the port
          responds to LACP packets that it receives, but does not start LACP packet negotiation.
        Example:
        SwitchDevice(config-if)# channel-group 5 mode auto

Step 6  end
        Returns to privileged EXEC mode.
        Example:
        SwitchDevice(config-if)# end

Configuring EtherChannel Load-Balancing


You can configure EtherChannel load-balancing by using source-based or destination-based forwarding
methods.
This task is optional.

SUMMARY STEPS
1. configure terminal

2. port-channel load-balance { dst-ip | dst-mac | src-dst-ip | src-dst-mac | src-ip | src-mac }
3. end

DETAILED STEPS

Step 1 configure terminal
Enters global configuration mode.
Example:
SwitchDevice# configure terminal

Step 2 port-channel load-balance { dst-ip | dst-mac | src-dst-ip | src-dst-mac | src-ip | src-mac }
Configures an EtherChannel load-balancing method. The default is src-mac.
Select one of these load-distribution methods:
• dst-ip—Specifies the destination-host IP address.
• dst-mac—Specifies the destination-host MAC address of the incoming packet.
• src-dst-ip—Specifies the source and destination host IP address.
• src-dst-mac—Specifies the source and destination host MAC address.
• src-ip—Specifies the source host IP address.
• src-mac—Specifies the source MAC address of the incoming packet.
Example:
SwitchDevice(config)# port-channel load-balance src-mac

Step 3 end
Returns to privileged EXEC mode.
Example:
SwitchDevice(config)# end
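The effect of the load-distribution method is easiest to see with a small model. The following Python example is added here and is not code from this guide or from Cisco: the SHA-256 hash stands in for the Catalyst hardware hash, which the guide does not describe, and the sample frames (one upstream router sending to many hosts behind the channel) are constructed traffic.

```python
import hashlib

# Field(s) each port-channel load-balance method feeds into the hash, as
# listed in Step 2. A frame is a dict with src_mac/dst_mac/src_ip/dst_ip keys.
METHODS = {
    "dst-ip":      lambda f: (f["dst_ip"],),
    "dst-mac":     lambda f: (f["dst_mac"],),
    "src-dst-ip":  lambda f: (f["src_ip"], f["dst_ip"]),
    "src-dst-mac": lambda f: (f["src_mac"], f["dst_mac"]),
    "src-ip":      lambda f: (f["src_ip"],),
    "src-mac":     lambda f: (f["src_mac"],),   # the default on these switches
}


def member_link(frame, method, num_links):
    """Index of the member link a frame is forwarded on.

    SHA-256 is a stand-in for the switch hardware hash (not described in the
    guide). What the model preserves is the property that matters: the link
    depends only on the selected fields, so all frames of one flow take the
    same link and are never reordered.
    """
    key = "|".join(METHODS[method](frame)).encode()
    digest = hashlib.sha256(key).digest()
    return int.from_bytes(digest[:4], "big") % num_links


def distribution(frames, method, num_links):
    """Frames per member link under the given method."""
    counts = [0] * num_links
    for frame in frames:
        counts[member_link(frame, method, num_links)] += 1
    return counts


def constructed_router_traffic(count=200):
    """Constructed sample: a single upstream router (one source MAC and IP)
    sending to many different hosts."""
    return [
        {
            "src_mac": "0000.0c9f.f001",
            "dst_mac": f"0050.56aa.{i:04x}",
            "src_ip": "10.0.0.1",
            "dst_ip": f"10.1.{i // 256}.{i % 256}",
        }
        for i in range(count)
    ]


def compare_methods(frames, num_links=4):
    """Distribution under every method, so the effect of the choice is visible."""
    return {m: distribution(frames, m, num_links) for m in METHODS}


if __name__ == "__main__":
    for method, counts in compare_methods(constructed_router_traffic()).items():
        print(f"{method:12s} {counts}")
```

With this traffic, src-mac (the default) and src-ip put every frame on one member link because all frames share the same source, while the dst-* and src-dst-* methods spread them across the four links. That is the case to check before keeping the default on a channel whose only neighbour is a router; under every method a given flow still stays on one link.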

Configuring Port Channel Load Deferral


SUMMARY STEPS
1. enable
2. configure terminal
3. port-channel load-defer seconds
4. interface type number
5. port-channel load-defer
6. end


7. show etherchannel channel-group port-channel
8. show platform pm group-masks

DETAILED STEPS

Step 1 enable
Enables privileged EXEC mode. Enter your password if prompted.
Example:
Switch> enable

Step 2 configure terminal
Enters global configuration mode.
Example:
Switch# configure terminal

Step 3 port-channel load-defer seconds
Configures the port load share deferral interval for all port channels.
• seconds—The time interval during which load sharing is initially 0 for deferred port channels. The range is 1 to 1800 seconds; the default is 120 seconds.
Example:
Switch(config)# port-channel load-defer 60

Step 4 interface type number
Configures a port channel interface and enters interface configuration mode.
Example:
Switch(config)# interface port-channel 10

Step 5 port-channel load-defer
Enables port load share deferral on the port channel.
Example:
Switch(config-if)# port-channel load-defer

Step 6 end
Exits interface configuration mode and returns to privileged EXEC mode.
Example:
Switch(config-if)# end

Step 7 show etherchannel channel-group port-channel
Displays port channel information.
Example:
Switch# show etherchannel 1 port-channel

Step 8 show platform pm group-masks
Displays EtherChannel group mask information.
Example:
Switch# show platform pm group-masks

Example
The following is sample output from the show etherchannel channel-group port-channel command.
If the channel-group argument is not specified, the command displays information about all channel
groups.


Switch# show etherchannel 1 port-channel

Port-channels in the group:
---------------------------

Port-channel: Po1
------------

Age of the Port-channel   = 0d:00h:37m:08s
Logical slot/port   = 9/1             Number of ports = 0
GC                  = 0x00000000      HotStandBy port = null
Port state          = Port-channel Ag-Not-Inuse
Protocol            =   -
Port security       = Disabled
Load share deferral = Enabled   defer period = 120 sec   time left = 0 sec

The following is sample output from the show platform pm group-masks command. Deferred ports
have a group mask of 0xFFFF while the defer timer is running.
Switch# show platform pm group-masks

====================================================================
Etherchannel members and group masks table
Group  #ports  group  frame-dist  slot  port  mask  interface  index
--------------------------------------------------------------------
  1      0       1    src-mac
  2      0       2    src-mac
  3      0       3    src-mac
  4      0       4    src-mac
  5      0       5    src-mac
  6      0       6    src-mac
  7      0       7    src-mac
  8      0       8    src-mac
  9      0       9    src-mac
 10      3      10    src-mac
                                    1    12   0000  Gi1/0/12     3
                                    1    10   FFFF  Gi1/0/10     6
                                    1    11   FFFF  Gi1/0/11     7
 11      0      11    src-mac
 12      0      12    src-mac
 13      0      13    src-mac
 14      0      14    src-mac
 15      0      15    src-mac

Configuring the PAgP Learn Method and Priority


This task is optional.

SUMMARY STEPS
1. configure terminal
2. interface interface-id
3. pagp learn-method physical-port
4. pagp port-priority priority
5. end


DETAILED STEPS

Step 1 configure terminal
Enters global configuration mode.
Example:
SwitchDevice# configure terminal

Step 2 interface interface-id
Specifies the port for transmission, and enters interface configuration mode.
Example:
SwitchDevice(config)# interface gigabitethernet 1/0/2

Step 3 pagp learn-method physical-port
Selects the PAgP learning method.
By default, aggregation-port learning is selected, which means the switch sends packets to the source by using any of the ports in the EtherChannel. With aggregate-port learning, it is not important on which physical port the packet arrives.
Select physical-port to connect with another switch that is a physical learner. Make sure to configure the port-channel load-balance global configuration command to src-mac.
The learning method must be configured the same at both ends of the link.
Example:
SwitchDevice(config-if)# pagp learn-method physical-port

Step 4 pagp port-priority priority
Assigns a priority so that the selected port is chosen for packet transmission.
For priority, the range is 0 to 255. The default is 128. The higher the priority, the more likely that the port will be used for PAgP transmission.
Example:
SwitchDevice(config-if)# pagp port-priority 200

Step 5 end
Returns to privileged EXEC mode.
Example:
SwitchDevice(config-if)# end

Configuring LACP Hot-Standby Ports


When enabled, LACP tries to configure the maximum number of LACP-compatible ports in a channel, up to
a maximum of 16 ports. Only eight LACP links can be active at one time. The software places any additional
links in a hot-standby mode. If one of the active links becomes inactive, a link that is in the hot-standby mode
becomes active in its place.


If you configure more than eight links for an EtherChannel group, the software automatically decides which
of the hot-standby ports to make active based on the LACP priority. To every link between systems that
operate LACP, the software assigns a unique priority made up of these elements (in priority order):
• LACP system priority
• System ID (the switch MAC address)
• LACP port priority
• Port number

In priority comparisons, numerically lower values have higher priority. The priority decides which ports
should be put in standby mode when there is a hardware limitation that prevents all compatible ports from
aggregating.
Determining which ports are active and which are hot standby is a two-step procedure. First the system with
a numerically lower system priority and system ID is placed in charge of the decision. Next, that system
decides which ports are active and which are hot standby, based on its values for port priority and port number.
The port priority and port number values for the other system are not used.
You can change the default values of the LACP system priority and the LACP port priority to affect how the
software selects active and standby links.

Configuring the LACP System Priority


You can configure the system priority for all the EtherChannels that are enabled for LACP by using the lacp
system-priority global configuration command. You cannot configure a system priority for each
LACP-configured channel. By changing this value from the default, you can affect how the software selects
active and standby links.
You can use the show etherchannel summary privileged EXEC command to see which ports are in the
hot-standby mode (denoted with an H port-state flag).
Follow these steps to configure the LACP system priority. This procedure is optional.

SUMMARY STEPS
1. enable
2. configure terminal
3. lacp system-priority priority
4. end

DETAILED STEPS

Step 1 enable
Enables privileged EXEC mode. Enter your password if prompted.
Example:
SwitchDevice> enable

Step 2 configure terminal
Enters global configuration mode.
Example:
SwitchDevice# configure terminal

Step 3 lacp system-priority priority
Configures the LACP system priority.
The range is 1 to 65535. The default is 32768.
The lower the value, the higher the system priority.
Example:
SwitchDevice(config)# lacp system-priority 32000

Step 4 end
Returns to privileged EXEC mode.
Example:
SwitchDevice(config)# end

Configuring the LACP Port Priority


By default, all ports use the same port priority. If the local system has a lower value for the system priority
and the system ID than the remote system, you can affect which of the hot-standby links become active first
by changing the port priority of LACP EtherChannel ports to a lower value than the default. The hot-standby
ports that have lower port numbers become active in the channel first. You can use the show etherchannel
summary privileged EXEC command to see which ports are in the hot-standby mode (denoted with an H
port-state flag).

Note If LACP is not able to aggregate all the ports that are compatible (for example, the remote system might have
more restrictive hardware limitations), all the ports that cannot be actively included in the EtherChannel are
put in the hot-standby state and are used only if one of the channeled ports fails.
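The two-step selection described in "Configuring LACP Hot-Standby Ports" and the port-priority effect described above can be written out as a procedure. The following Python example is an added illustration, not Cisco's implementation: the system IDs, port numbers and priorities are constructed values, and the limits of 8 active and 16 total ports are the ones this section states.

```python
from dataclasses import dataclass

MAX_ACTIVE = 8    # only eight LACP links can be active at one time
MAX_PORTS = 16    # up to 16 LACP-compatible ports in a channel


@dataclass(frozen=True)
class LacpSystem:
    name: str
    system_priority: int   # lacp system-priority, 1 to 65535, default 32768
    system_id: str         # switch MAC address, dotted form (constructed values)

    def key(self):
        # Numerically lower wins; the MAC is compared as a number.
        return (self.system_priority, int(self.system_id.replace(".", ""), 16))


@dataclass(frozen=True)
class LacpPort:
    name: str
    port_number: int
    port_priority: int = 32768   # lacp port-priority, 1 to 65535, default 32768


def deciding_system(local, remote):
    """Step 1: the system with the numerically lower (priority, ID) decides."""
    return local if local.key() <= remote.key() else remote


def select_active(local, remote, links, max_active=MAX_ACTIVE):
    """Step 2: the deciding system ranks links by its own (port priority,
    port number); the first max_active are active, the rest hot-standby.
    The other system's port values are ignored.

    links is a list of (local_port, remote_port) pairs, one per physical link.
    Returns (active, hot_standby) as lists of local port names.
    """
    if len(links) > MAX_PORTS:
        raise ValueError(f"at most {MAX_PORTS} LACP ports per channel")
    side = 0 if deciding_system(local, remote) is local else 1
    ranked = sorted(links, key=lambda link: (link[side].port_priority,
                                             link[side].port_number))
    active = [link[0].name for link in ranked[:max_active]]
    standby = [link[0].name for link in ranked[max_active:]]
    return active, standby


def build_links(local_priorities=None, remote_priorities=None, count=10):
    """Constructed links Gi1/0/n <-> Gi2/0/n with optional per-port-number
    priority overrides on either side."""
    local_priorities = local_priorities or {}
    remote_priorities = remote_priorities or {}
    return [(LacpPort(f"Gi1/0/{n}", n, local_priorities.get(n, 32768)),
             LacpPort(f"Gi2/0/{n}", n, remote_priorities.get(n, 32768)))
            for n in range(1, count + 1)]


def demo():
    """Ten links, eight allowed active; Gi1/0/10 gets lacp port-priority 100."""
    # Local wins step 1 (lacp system-priority 32000 < 32768), so its port
    # priority pulls Gi1/0/10 into the active set and Gi1/0/8, Gi1/0/9 go to
    # hot-standby.
    local_decides = select_active(LacpSystem("local", 32000, "0011.2233.4455"),
                                  LacpSystem("remote", 32768, "0011.2233.4466"),
                                  build_links(local_priorities={10: 100}))
    # Swap the system priorities: the remote side decides and the same local
    # port-priority change has no effect; ports 9 and 10 are hot-standby.
    remote_decides = select_active(LacpSystem("local", 32768, "0011.2233.4455"),
                                   LacpSystem("remote", 32000, "0011.2233.4466"),
                                   build_links(local_priorities={10: 100}))
    return local_decides, remote_decides


if __name__ == "__main__":
    for label, (active, standby) in zip(("local decides", "remote decides"), demo()):
        print(f"{label}: active={active} hot-standby={standby}")
```

Swapping which side has the lower system priority shows why lowering lacp port-priority on the local switch changes nothing unless the local system also wins step 1, which is the condition the text above attaches to the port-priority command.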

Follow these steps to configure the LACP port priority. This procedure is optional.

SUMMARY STEPS
1. enable
2. configure terminal
3. interface interface-id
4. lacp port-priority priority
5. end

DETAILED STEPS

Step 1 enable
Enables privileged EXEC mode. Enter your password if prompted.
Example:
SwitchDevice> enable

Step 2 configure terminal
Enters global configuration mode.
Example:
SwitchDevice# configure terminal

Step 3 interface interface-id
Specifies the port to be configured, and enters interface configuration mode.
Example:
SwitchDevice(config)# interface gigabitethernet 1/0/2

Step 4 lacp port-priority priority
Configures the LACP port priority.
The range is 1 to 65535. The default is 32768. The lower the value, the more likely that the port will be used for LACP transmission.
Example:
SwitchDevice(config-if)# lacp port-priority 32000

Step 5 end
Returns to privileged EXEC mode.
Example:
SwitchDevice(config-if)# end

Configuring the LACP Port Channel Min-Links Feature


You can specify the minimum number of active ports that must be in the link-up state and bundled in an
EtherChannel for the port channel interface to transition to the link-up state. Using EtherChannel min-links,
you can prevent low-bandwidth LACP EtherChannels from becoming active. Port channel min-links also
cause LACP EtherChannels to become inactive if they have too few active member ports to supply the
required minimum bandwidth.
To configure the minimum number of links that are required for a port channel, perform the following task.

SUMMARY STEPS
1. enable
2. configure terminal
3. interface port-channel channel-number
4. port-channel min-links min-links-number
5. end


DETAILED STEPS

Step 1 enable
Enables privileged EXEC mode. Enter your password if prompted.
Example:
SwitchDevice> enable

Step 2 configure terminal
Enters global configuration mode.
Example:
SwitchDevice# configure terminal

Step 3 interface port-channel channel-number
Enters interface configuration mode for a port-channel. For channel-number, the range is 1 to 63.
Example:
SwitchDevice(config)# interface port-channel 2

Step 4 port-channel min-links min-links-number
Specifies the minimum number of member ports that must be in the link-up state and bundled in the EtherChannel for the port channel interface to transition to the link-up state. For min-links-number, the range is 2 to 8.
Example:
SwitchDevice(config-if)# port-channel min-links 3

Step 5 end
Returns to privileged EXEC mode.
Example:
SwitchDevice(config)# end

Configuring LACP Fast Rate Timer


You can change the LACP timer rate to modify the duration of the LACP timeout. Use the lacp rate command
to set the rate at which LACP control packets are received by an LACP-supported interface. You can change
the timeout rate from the default rate (30 seconds) to the fast rate (1 second). This command is supported only
on LACP-enabled interfaces.

SUMMARY STEPS
1. enable
2. configure terminal
3. interface {fastethernet | gigabitethernet | tengigabitethernet} slot/port
4. lacp rate {normal | fast}
5. end
6. show lacp internal


DETAILED STEPS

Step 1 enable
Enables privileged EXEC mode. Enter your password if prompted.
Example:
SwitchDevice> enable

Step 2 configure terminal
Enters global configuration mode.
Example:
SwitchDevice# configure terminal

Step 3 interface {fastethernet | gigabitethernet | tengigabitethernet} slot/port
Configures an interface and enters interface configuration mode.
Example:
SwitchDevice(config)# interface gigabitEthernet 2/1

Step 4 lacp rate {normal | fast}
Configures the rate at which LACP control packets are received by an LACP-supported interface.
• To reset the timeout rate to its default, use the no lacp rate command.
Example:
SwitchDevice(config-if)# lacp rate fast

Step 5 end
Returns to privileged EXEC mode.
Example:
SwitchDevice(config)# end

Step 6 show lacp internal
Verifies your configuration.
Example:
SwitchDevice# show lacp internal
SwitchDevice# show lacp counters

Configuring Auto-LAG Globally


SUMMARY STEPS
1. enable
2. configure terminal
3. [no] port-channel auto
4. end


5. show etherchannel auto

DETAILED STEPS

Step 1 enable
Enables privileged EXEC mode. Enter your password if prompted.
Example:
SwitchDevice> enable

Step 2 configure terminal
Enters global configuration mode.
Example:
SwitchDevice# configure terminal

Step 3 [no] port-channel auto
Enables the auto-LAG feature on the switch globally. Use the no form of this command to disable the auto-LAG feature on the switch globally.
Note By default, the auto-LAG feature is enabled on the port.
Example:
SwitchDevice(config)# port-channel auto

Step 4 end
Returns to privileged EXEC mode.
Example:
SwitchDevice(config)# end

Step 5 show etherchannel auto
Displays the EtherChannels that were created automatically.
Example:
SwitchDevice# show etherchannel auto

Configuring Auto-LAG on a Port Interface


SUMMARY STEPS
1. enable
2. configure terminal
3. interface interface-id
4. [no] channel-group auto
5. end
6. show etherchannel auto


DETAILED STEPS

Step 1 enable
Enables privileged EXEC mode. Enter your password if prompted.
Example:
SwitchDevice> enable

Step 2 configure terminal
Enters global configuration mode.
Example:
SwitchDevice# configure terminal

Step 3 interface interface-id
Specifies the port interface to be enabled for auto-LAG, and enters interface configuration mode.
Example:
SwitchDevice(config)# interface gigabitethernet 1/0/1

Step 4 [no] channel-group auto
(Optional) Enables the auto-LAG feature on an individual port interface. Use the no form of this command to disable the auto-LAG feature on an individual port interface.
Note By default, the auto-LAG feature is enabled on the port.
Example:
SwitchDevice(config-if)# channel-group auto

Step 5 end
Returns to privileged EXEC mode.
Example:
SwitchDevice(config-if)# end

Step 6 show etherchannel auto
Displays the EtherChannels that were created automatically.
Example:
SwitchDevice# show etherchannel auto


Configuring Persistence with Auto-LAG


Use the port-channel channel-number persistent command to convert an automatically created EtherChannel
into a manual one so that you can add configuration to the existing EtherChannel.

SUMMARY STEPS
1. enable
2. port-channel channel-number persistent
3. show etherchannel summary


DETAILED STEPS

Step 1 enable
Enables privileged EXEC mode. Enter your password if prompted.
Example:
SwitchDevice> enable

Step 2 port-channel channel-number persistent
Converts the automatically created EtherChannel into a manual one and allows you to add configuration on the EtherChannel.
Example:
SwitchDevice# port-channel 1 persistent

Step 3 show etherchannel summary
Displays the EtherChannel information.
Example:
SwitchDevice# show etherchannel summary

Monitoring EtherChannel, PAgP, and LACP Status


You can display EtherChannel, PAgP, and LACP status using the commands listed in this table.

Table 38: Commands for Monitoring EtherChannel, PAgP, and LACP Status

clear lacp { channel-group-number counters | counters }
    Clears LACP channel-group information and traffic counters.

clear pagp { channel-group-number counters | counters }
    Clears PAgP channel-group information and traffic counters.

show etherchannel [ channel-group-number { detail | load-balance | port | port-channel | protocol | summary }] [ detail | load-balance | port | port-channel | protocol | auto | summary ]
    Displays EtherChannel information in a brief, detailed, and one-line summary form. Also displays the load-balance or frame-distribution scheme, port, port-channel, protocol, and Auto-LAG information.

show pagp [ channel-group-number ] { counters | internal | neighbor }
    Displays PAgP information such as traffic information, the internal PAgP configuration, and neighbor information.

show pagp [ channel-group-number ] dual-active
    Displays the dual-active detection status.

show lacp [ channel-group-number ] { counters | internal | neighbor | sys-id }
    Displays LACP information such as traffic information, the internal LACP configuration, and neighbor information.

show running-config
    Verifies your configuration entries.

show etherchannel load-balance
    Displays the load balance or frame distribution scheme among ports in the port channel.

Configuration Examples for Configuring EtherChannels


Configuring Layer 2 EtherChannels: Examples
This example shows how to configure an EtherChannel on a single switch in the stack. It assigns two ports
as static-access ports in VLAN 10 to channel 5 with the PAgP mode desirable:

SwitchDevice# configure terminal
SwitchDevice(config)# interface range gigabitethernet2/0/1 -2
SwitchDevice(config-if-range)# switchport mode access
SwitchDevice(config-if-range)# switchport access vlan 10
SwitchDevice(config-if-range)# channel-group 5 mode desirable non-silent
SwitchDevice(config-if-range)# end

This example shows how to configure an EtherChannel on a single switch in the stack. It assigns two ports
as static-access ports in VLAN 10 to channel 5 with the LACP mode active:

SwitchDevice# configure terminal
SwitchDevice(config)# interface range gigabitethernet2/0/1 -2
SwitchDevice(config-if-range)# switchport mode access
SwitchDevice(config-if-range)# switchport access vlan 10
SwitchDevice(config-if-range)# channel-group 5 mode active
SwitchDevice(config-if-range)# end

This example shows how to configure a cross-stack EtherChannel. It uses LACP passive mode and assigns
two ports on stack member 1 and one port on stack member 2 as static-access ports in VLAN 10 to channel
5:

SwitchDevice# configure terminal
SwitchDevice(config)# interface range gigabitethernet2/0/4 -5
SwitchDevice(config-if-range)# switchport mode access
SwitchDevice(config-if-range)# switchport access vlan 10
SwitchDevice(config-if-range)# channel-group 5 mode passive
SwitchDevice(config-if-range)# exit
SwitchDevice(config)# interface gigabitethernet3/0/3
SwitchDevice(config-if)# switchport mode access
SwitchDevice(config-if)# switchport access vlan 10
SwitchDevice(config-if)# channel-group 5 mode passive
SwitchDevice(config-if)# exit


Example: Configuring Port Channel Load Deferral


Switch# configure terminal
Switch(config)# port-channel load-defer 60
Switch(config)# interface port-channel 10
Switch(config-if)# port-channel load-defer
Switch(config-if)# end

Configuring Auto LAG: Examples


This example shows how to configure Auto-LAG on a switch:
switch> enable
switch# configure terminal
switch (config)# port-channel auto
switch (config-if)# end
switch# show etherchannel auto

The following example shows the summary of an EtherChannel that was created automatically.
switch# show etherchannel auto
Flags:  D - down        P - bundled in port-channel
        I - stand-alone s - suspended
        H - Hot-standby (LACP only)
        R - Layer3      S - Layer2
        U - in use      f - failed to allocate aggregator
        M - not in use, minimum links not met
        u - unsuitable for bundling
        w - waiting to be aggregated
        d - default port
        A - formed by Auto LAG

Number of channel-groups in use: 1
Number of aggregators:           1

Group  Port-channel  Protocol    Ports
------+-------------+-----------+-----------------------------------------------
1      Po1(SUA)         LACP      Gi1/0/45(P)  Gi2/0/21(P)  Gi3/0/21(P)

The following example shows the summary of the auto EtherChannel after the port-channel 1 persistent
command is executed.
switch# port-channel 1 persistent
switch# show etherchannel summary
Flags:  D - down        P - bundled in port-channel
        I - stand-alone s - suspended
        H - Hot-standby (LACP only)
        R - Layer3      S - Layer2
        U - in use      f - failed to allocate aggregator
        M - not in use, minimum links not met
        u - unsuitable for bundling
        w - waiting to be aggregated
        d - default port
        A - formed by Auto LAG

Number of channel-groups in use: 1
Number of aggregators:           1

Group  Port-channel  Protocol    Ports
------+-------------+-----------+-----------------------------------------------
1      Po1(SU)          LACP      Gi1/0/45(P)  Gi2/0/21(P)  Gi3/0/21(P)

Configuring LACP Port Channel Min-Links: Examples


This example shows how to configure LACP port-channel min-links:
switch> enable
switch# configure terminal
switch(config)# interface port-channel 25
switch(config-if)# port-channel min-links 3
switch# show etherchannel 25 summary
switch# end

When the minimum links requirement is not met in standalone switches, the port-channel is flagged and
assigned SM/SN or RM/RN state.
switch# show etherchannel 25 summary

Flags:  D - down        P - bundled in port-channel
        I - stand-alone s - suspended
        H - Hot-standby (LACP only)
        R - Layer3      S - Layer2
        U - in use      N - not in use, no aggregration
        f - failed to allocate aggregator
        M - not in use, no aggregation due to minimum links not met
        m - not in use, port not aggregated due to minimum links not met
        u - unsuitable for bundling
        w - waiting to be aggregated
        d - default port
Number of channel-groups in use: 125
Number of aggregators:           125

Group  Port-channel  Protocol    Ports
------+-------------+-----------+-----------------------------------------------
25     Po25(RM)         LACP      Gi1/3/1(D)   Gi1/3/2(D)   Gi2/2/25(D)   Gi2/2/26(W)

Example: Configuring LACP Fast Rate Timer


This example shows you how to configure the LACP rate:
switch> enable
switch# configure terminal
switch(config)# interface gigabitEthernet 2/1
switch(config-if)# lacp rate fast
switch(config-if)# exit
switch(config)# end
switch# show lacp internal
switch# show lacp counters

The following is sample output from the show lacp internal command:

switch# show lacp internal
Flags:  S - Device is requesting Slow LACPDUs
        F - Device is requesting Fast LACPDUs
        A - Device is in Active mode       P - Device is in Passive mode
Channel group 25
                            LACP port     Admin     Oper    Port        Port
Port      Flags   State     Priority      Key       Key     Number      State
Te1/49    FA      bndl      32768         0x19      0x19    0x32        0x3F
Te1/50    FA      bndl      32768         0x19      0x19    0x33        0x3F
Te1/51    FA      bndl      32768         0x19      0x19    0x34        0x3F
Te1/52    FA      bndl      32768         0x19      0x19    0x35        0x3F
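Verifying the min-links, Auto-LAG persistence and LACP rate settings from this chapter usually means reading show etherchannel summary and show lacp internal rather than the running configuration. The following Python example is an added illustration, not part of the guide or of Cisco's software: it parses the two outputs into records and reports port-channels flagged M (minimum links not met), port-channels still carrying the A flag (formed by Auto-LAG and not yet made persistent), and member ports that are not requesting fast LACPDUs. The embedded sample text is constructed from the examples above, with one show lacp internal row (Te1/51) changed to SA so that the rate check has something to report.

```python
import re

# Sample outputs, constructed for this illustration from the guide's examples:
# the summary holds Po1 (formed by Auto-LAG) and Po25 (below its min-links);
# the lacp internal text has one row (Te1/51) changed to "SA" (slow LACPDUs).
ETHERCHANNEL_SUMMARY = """\
Flags:  D - down        P - bundled in port-channel
        H - Hot-standby (LACP only)
        R - Layer3      S - Layer2
        U - in use      M - not in use, minimum links not met
        A - formed by Auto LAG

Number of channel-groups in use: 2
Number of aggregators:           2

Group  Port-channel  Protocol    Ports
------+-------------+-----------+-----------------------------------------------
1      Po1(SUA)         LACP      Gi1/0/45(P)  Gi2/0/21(P)  Gi3/0/21(P)
25     Po25(RM)         LACP      Gi1/3/1(D)   Gi1/3/2(D)   Gi2/2/25(D)   Gi2/2/26(W)
"""
LACP_INTERNAL = """\
Flags:  S - Device is requesting Slow LACPDUs
        F - Device is requesting Fast LACPDUs
        A - Device is in Active mode       P - Device is in Passive mode
Channel group 25
                            LACP port     Admin     Oper    Port        Port
Port      Flags   State     Priority      Key       Key     Number      State
Te1/49    FA      bndl      32768         0x19      0x19    0x32        0x3F
Te1/50    FA      bndl      32768         0x19      0x19    0x33        0x3F
Te1/51    SA      bndl      32768         0x19      0x19    0x34        0x3F
Te1/52    FA      bndl      32768         0x19      0x19    0x35        0x3F
"""

SUMMARY_ROW = re.compile(r"^\s*(\d+)\s+(Po\d+)\(([A-Za-z]+)\)\s+(\S+)\s+(.*)$")
MEMBER = re.compile(r"(\S+?)\(([A-Za-z])\)")        # e.g. Gi1/0/45(P)
GROUP_LINE = re.compile(r"^Channel group (\d+)")
HEX = r"(0x[0-9A-Fa-f]+)"
LACP_ROW = re.compile(r"^(\S+)\s+([SF][AP])\s+(\S+)\s+(\d+)\s+"
                      + r"\s+".join([HEX] * 4) + r"\s*$")


def parse_etherchannel_summary(text):
    """Map port-channel name -> group, flag set, protocol and member states."""
    channels = {}
    for line in text.splitlines():
        m = SUMMARY_ROW.match(line)
        if not m:                      # legend, counters, header and rule lines
            continue
        group, name, flags, protocol, ports = m.groups()
        channels[name] = {"group": int(group), "flags": set(flags),
                          "protocol": protocol, "members": dict(MEMBER.findall(ports))}
    return channels


def min_links_not_met(channels):
    """Port-channels carrying the M flag (not in use, minimum links not met)."""
    return sorted(n for n, ch in channels.items() if "M" in ch["flags"])


def auto_lag_channels(channels):
    """Port-channels carrying the A flag (formed by Auto-LAG, not yet persistent)."""
    return sorted(n for n, ch in channels.items() if "A" in ch["flags"])


def parse_lacp_internal(text):
    """Map port -> channel group, requested LACPDU rate, mode and LACP fields."""
    ports, group = {}, None
    for line in text.splitlines():
        g = GROUP_LINE.match(line)
        if g:
            group = int(g.group(1))
            continue
        m = LACP_ROW.match(line)
        if not m:
            continue
        port, flags, state, prio, admin_key, oper_key, number, port_state = m.groups()
        ports[port] = {"group": group, "state": state, "priority": int(prio),
                       "requested_rate": "fast" if "F" in flags else "slow",  # F/S
                       "mode": "active" if "A" in flags else "passive",       # A/P
                       "admin_key": int(admin_key, 16), "oper_key": int(oper_key, 16),
                       "port_number": int(number, 16), "port_state": int(port_state, 16)}
    return ports


def ports_not_requesting_fast(ports):
    """Ports on which lacp rate fast is not in effect on this side."""
    return sorted(p for p, info in ports.items() if info["requested_rate"] != "fast")


if __name__ == "__main__":
    channels = parse_etherchannel_summary(ETHERCHANNEL_SUMMARY)
    print("min-links not met:", min_links_not_met(channels))
    print("auto-LAG, not persistent:", auto_lag_channels(channels))
    print("not requesting fast LACPDUs:",
          ports_not_requesting_fast(parse_lacp_internal(LACP_INTERNAL)))
```

The row regexes deliberately anchor on the shapes the guide shows (a numeric group followed by PoN(flags), and a port followed by a two-letter S/F plus A/P flag pair), so the legend, counter and header lines fall through without special cases; output from another IOS release with different columns would need the patterns adjusted.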

The following is sample output from the show lacp counters command:

switch# show lacp counters
             LACPDUs         Marker      Marker Response    LACPDUs
Port       Sent   Recv     Sent   Recv     Sent   Recv      Pkts Err
---------------------------------------------------------------------
Channel group: 24
Te1/1/27     2      2        0      0        0      0         0
Te2/1/25     2      2        0      0        0      0         0

CHAPTER 19
Configuring Link-State Tracking
• Finding Feature Information, on page 383
• Restrictions for Configuring Link-State Tracking, on page 383
• Understanding Link-State Tracking, on page 384
• How to Configure Link-State Tracking , on page 386
• Monitoring Link-State Tracking, on page 387
• Configuring Link-State Tracking: Example, on page 387

Finding Feature Information


Your software release may not support all the features documented in this module. For the latest caveats and
feature information, see Bug Search Tool and the release notes for your platform and software release. To
find information about the features documented in this module, and to see a list of the releases in which each
feature is supported, see the feature information table at the end of this module.
Use Cisco Feature Navigator to find information about platform support and Cisco software image support.
To access Cisco Feature Navigator, go to http://www.cisco.com/go/cfn. An account on Cisco.com is not
required.

Restrictions for Configuring Link-State Tracking


• You can configure only two link-state groups per switch.
• An interface cannot be a member of more than one link-state group.
• An interface that is defined as an upstream interface in a link-state group cannot also be defined as a
downstream interface in the link-state group.
• Do not enable link-state tracking on individual interfaces that will be part of a downstream EtherChannel
interface.

Related Topics
Understanding Link-State Tracking, on page 384
How to Configure Link-State Tracking , on page 386
Monitoring Link-State Tracking Status


Understanding Link-State Tracking


Link-state tracking, also known as trunk failover, binds the link state of multiple interfaces. Link-state tracking
can be used with server NIC adapter teaming to provide redundancy in the network. When the server NIC adapters
are configured in a primary or secondary relationship, and the link is lost on the primary interface, network
connectivity is transparently changed to the secondary interface.

Note An interface can be an aggregation of ports (an EtherChannel) or a single physical port in either access or
trunk mode.

The configuration in this figure ensures that the network traffic flow is balanced.
Figure 39: Typical Link-State Tracking Configuration

• For links to switches and other network devices
  • Server 1 and server 2 use switch A for primary links and switch B for secondary links.
  • Server 3 and server 4 use switch B for primary links and switch A for secondary links.

• Link-state group 1 on switch A


  • Switch A provides primary links to server 1 and server 2 through link-state group 1. Port 1 is
    connected to server 1, and port 2 is connected to server 2. Port 1 and port 2 are the downstream
    interfaces in link-state group 1.
  • Port 5 and port 6 are connected to distribution switch 1 through link-state group 1. Port 5 and port
    6 are the upstream interfaces in link-state group 1.

• Link-state group 2 on switch A
  • Switch A provides secondary links to server 3 and server 4 through link-state group 2. Port 3 is
    connected to server 3, and port 4 is connected to server 4. Port 3 and port 4 are the downstream
    interfaces in link-state group 2.
  • Port 7 and port 8 are connected to distribution switch 2 through link-state group 2. Port 7 and port
    8 are the upstream interfaces in link-state group 2.

• Link-state group 2 on switch B
  • Switch B provides primary links to server 3 and server 4 through link-state group 2. Port 3 is
    connected to server 3, and port 4 is connected to server 4. Port 3 and port 4 are the downstream
    interfaces in link-state group 2.
  • Port 5 and port 6 are connected to distribution switch 2 through link-state group 2. Port 5 and port
    6 are the upstream interfaces in link-state group 2.

• Link-state group 1 on switch B
  • Switch B provides secondary links to server 1 and server 2 through link-state group 1. Port 1 is
    connected to server 1, and port 2 is connected to server 2. Port 1 and port 2 are the downstream
    interfaces in link-state group 1.
  • Port 7 and port 8 are connected to distribution switch 1 through link-state group 1. Port 7 and port
    8 are the upstream interfaces in link-state group 1.

In a link-state group, the upstream ports can become unavailable or lose connectivity because the distribution
switch or router fails, the cables are disconnected, or the link is lost. These are the interactions between the
downstream and upstream interfaces when link-state tracking is enabled:
• If any of the upstream interfaces are in the link-up state, the downstream interfaces can change to or
remain in the link-up state.
• If all of the upstream interfaces become unavailable, link-state tracking automatically puts the downstream
interfaces in the error-disabled state. Connectivity to and from the servers is automatically changed from
the primary server interface to the secondary server interface. For example, in the previous figure, if the
upstream link for port 6 is lost, the link states of downstream ports 1 and 2 do not change. However, if
the link for upstream port 5 is also lost, the link state of the downstream ports changes to the link-down
state. Connectivity to server 1 and server 2 is then changed from link-state group1 to link-state group 2.
The downstream ports 3 and 4 do not change state because they are in link-group 2.
• If the link-state group is configured, link-state tracking is disabled, and the upstream interfaces lose
connectivity, the link states of the downstream interfaces remain unchanged. The server does not recognize
that upstream connectivity has been lost and does not failover to the secondary interface.

You can recover a downstream interface link-down condition by removing the failed downstream port from
the link-state group. To recover multiple downstream interfaces, disable the link-state group.
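The three interactions listed above, together with the recovery rule, as an added Python model of one switch's link-state groups (not Cisco code). Port names follow the figure's numbering on switch A and are constructed for the illustration; the walk-through reproduces the example in the text where port 6 and then port 5 lose their upstream link.

```python
class LinkStateGroup:
    """One link-state group on one switch, modelling the rules given above."""

    def __init__(self, number, upstream, downstream, tracking_enabled=True):
        self.number = number                  # only groups 1 and 2 exist per switch
        self.upstream = set(upstream)
        self.downstream = set(downstream)
        self.tracking_enabled = tracking_enabled
        self.link_up = {p: True for p in self.upstream | self.downstream}
        self.err_disabled = set()

    def set_link(self, port, up):
        """Record a physical link change and re-evaluate the group."""
        self.link_up[port] = up
        self.evaluate()

    def evaluate(self):
        if not self.tracking_enabled:
            return                            # tracking disabled: downstream unchanged
        if any(self.link_up[p] for p in self.upstream):
            self.err_disabled.clear()         # an upstream is up: downstream may be up
        else:
            self.err_disabled = set(self.downstream)   # all upstream lost: err-disable

    def remove_downstream(self, port):
        """Recovery described in the text: taking a failed downstream port out of
        the group clears its tracking-induced link-down condition."""
        self.downstream.discard(port)
        self.err_disabled.discard(port)

    def state(self, port):
        if port in self.err_disabled:
            return "err-disabled"
        return "up" if self.link_up[port] else "down"


def switch_a_scenario():
    """Walk through the figure's example on switch A; returns the downstream
    states observed after each event."""
    g1 = LinkStateGroup(1, upstream=["port5", "port6"], downstream=["port1", "port2"])
    g2 = LinkStateGroup(2, upstream=["port7", "port8"], downstream=["port3", "port4"])
    trace = {}
    g1.set_link("port6", False)               # one upstream lost: no change
    trace["port6 lost"] = (g1.state("port1"), g1.state("port2"))
    g1.set_link("port5", False)               # both lost: downstream err-disabled
    trace["port5 also lost"] = (g1.state("port1"), g1.state("port2"))
    trace["group 2 unaffected"] = (g2.state("port3"), g2.state("port4"))
    g1.remove_downstream("port1")             # recover a single downstream port
    trace["port1 removed from group"] = g1.state("port1")
    g1.set_link("port5", True)                # upstream back: remaining port recovers
    trace["port5 restored"] = g1.state("port2")
    return trace


if __name__ == "__main__":
    for event, states in switch_a_scenario().items():
        print(f"{event}: {states}")
```

The model keeps the two groups independent, which is the property the figure relies on: losing both upstream links of group 1 takes servers 1 and 2 over to switch B without touching the group 2 ports that carry the secondary links for servers 3 and 4.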


Related Topics
How to Configure Link-State Tracking , on page 386
Monitoring Link-State Tracking Status
Configuring Link-State Tracking: Example, on page 387
Restrictions for Configuring Link-State Tracking, on page 383

How to Configure Link-State Tracking


To enable link-state tracking, create a link-state group and specify the interfaces that are assigned to the group.
This task is optional.

SUMMARY STEPS
1. configure terminal
2. link state track number
3. interface interface-id
4. link state group [number] {upstream | downstream}
5. end

DETAILED STEPS

Step 1 configure terminal
Purpose: Enters global configuration mode.
Example:

SwitchDevice# configure terminal

Step 2 link state track number
Purpose: Creates a link-state group and enables link-state tracking. The group number can be 1 or 2; the default is 1.
Example:

SwitchDevice(config)# link state track 2

Step 3 interface interface-id
Purpose: Specifies a physical interface or range of interfaces to configure, and enters interface configuration mode. Valid interfaces include switch ports in access or trunk mode (IEEE 802.1q) or routed ports.
Note Do not enable link-state tracking on individual interfaces that will be part of an EtherChannel interface.
Example:

SwitchDevice(config)# interface gigabitethernet2/0/1

Step 4 link state group [number] {upstream | downstream}
Purpose: Specifies a link-state group and configures the interface as either an upstream or downstream interface in the group.
Example:

SwitchDevice(config-if)# link state group 2 upstream

Step 5 end
Purpose: Returns to privileged EXEC mode.
Example:

SwitchDevice(config-if)# end

Related Topics
Understanding Link-State Tracking, on page 384
Configuring Link-State Tracking: Example, on page 387
Restrictions for Configuring Link-State Tracking, on page 383

Monitoring Link-State Tracking


You can display link-state tracking status using the command in this table.

Table 39: Commands for Monitoring Link-State Tracking Status

Command Description

show link state group [number] [detail] Displays the link-state group information.

Configuring Link-State Tracking: Example


This example shows how to create the link-state group 1 and configure the interfaces in the link-state group.

SwitchDevice# configure terminal
SwitchDevice(config)# link state track 1
SwitchDevice(config)# interface range gigabitethernet1/0/21-22
SwitchDevice(config-if-range)# link state group 1 upstream
SwitchDevice(config-if-range)# interface gigabitethernet1/0/1
SwitchDevice(config-if)# link state group 1 downstream
SwitchDevice(config-if)# interface gigabitethernet1/0/3
SwitchDevice(config-if)# link state group 1 downstream
SwitchDevice(config-if)# interface gigabitethernet1/0/5
SwitchDevice(config-if)# link state group 1 downstream
SwitchDevice(config-if)# end

Related Topics
Understanding Link-State Tracking, on page 384
How to Configure Link-State Tracking , on page 386
Monitoring Link-State Tracking Status

CHAPTER 20
Configuring Resilient Ethernet Protocol
• Finding Feature Information, on page 389
• REP Overview, on page 389
• How to Configure REP, on page 394
• Monitoring REP, on page 402
• Configuring Examples for Configuring REP, on page 403

Finding Feature Information


Your software release may not support all the features documented in this module. For the latest caveats and
feature information, see Bug Search Tool and the release notes for your platform and software release. To
find information about the features documented in this module, and to see a list of the releases in which each
feature is supported, see the feature information table at the end of this module.
Use Cisco Feature Navigator to find information about platform support and Cisco software image support.
To access Cisco Feature Navigator, go to http://www.cisco.com/go/cfn. An account on Cisco.com is not
required.

REP Overview
Resilient Ethernet Protocol (REP) is a Cisco proprietary protocol that provides an alternative to Spanning
Tree Protocol (STP) to control network loops, handle link failures, and improve convergence time. REP
controls a group of ports connected in a segment, ensures that the segment does not create any bridging loops,
and responds to link failures within the segment. REP provides a basis for constructing more complex networks
and supports VLAN load balancing.

Note REP is supported on Catalyst switches running IP Base, IP Services, or IP Lite licenses. REP is not supported
on the LAN Base license.
REP is supported only on Cisco Catalyst 3560-CX switches.

A REP segment is a chain of ports connected to each other and configured with a segment ID. Each segment
consists of standard (non-edge) segment ports and two user-configured edge ports. A router can have no more
than two ports that belong to the same segment, and each segment port can have only one external neighbor.


A segment can go through a shared medium, but on any link only two ports can belong to the same segment.
REP is supported only on Trunk Ethernet Flow Point (EFP) interfaces.
The figure below shows an example of a segment consisting of six ports spread across four switches. Ports
E1 and E2 are configured as edge ports. When all ports are operational (as in the segment on the left), a single
port is blocked, shown by the diagonal line. When there is a failure in the network, the blocked port returns
to the forwarding state to minimize network disruption.
Figure 40: REP Open Segment

The segment shown in the figure above is an open segment; there is no connectivity between the two edge
ports. The REP segment cannot cause a bridging loop, and you can safely connect the segment edges to any
network. All hosts connected to routers inside the segment have two possible connections to the rest of the
network through the edge ports, but only one connection is accessible at any time. If a failure occurs on any
segment or on any port on a REP segment, REP unblocks all ports to ensure that connectivity is available
through the other gateway.
The segment shown in the figure below is a ring segment with both edge ports located on the same router.
With this configuration, you can create a redundant connection between any two routers in the segment.
Figure 41: REP Ring Segment

REP segments have the following characteristics:

• If all ports in a segment are operational, one port (referred to as the alternate port) is in the blocked state
for each VLAN. If VLAN load balancing is configured, two ports in the segment control the blocked
state of VLANs.
• If one or more ports in a segment are not operational and cause a link failure, all ports forward traffic on
all VLANs to ensure connectivity.
• In case of a link failure, alternate ports are unblocked as quickly as possible. When the failed link is up,
a logically blocked port per VLAN is selected with minimal disruption to the network.


You can construct almost any type of network based on REP segments. REP also supports VLAN load
balancing, which is controlled by the primary edge port occurring at any port in the segment.
In access ring topologies, the neighboring switch might not support REP as shown in the figure below. In this
case, you can configure the non-REP facing ports (E1 and E2) as edge no-neighbor ports. These ports inherit
all properties of edge ports, and you can configure them the same as any edge port, including configuring
them to send STP or REP topology change notices to the aggregation switch. In this case, the STP topology
change notice (TCN) that is sent is a multiple spanning-tree (MST) STP message.
Figure 42: Edge No-Neighbor Ports

REP has these limitations:


• You must configure each segment port; an incorrect configuration can cause forwarding loops in the
networks.
• REP can manage only a single failed port within the segment; multiple port failures within the REP
segment cause loss of network connectivity.
• You should configure REP only in networks with redundancy. Configuring REP in a network without
redundancy causes loss of connectivity.

Link Integrity
REP does not use an end-to-end polling function between edge ports to verify link integrity. It implements
local link failure detection. The REP Link Status Layer (LSL) detects its REP-aware neighbor and establishes
connectivity within the segment. All VLANs are blocked on an interface until it detects the neighbor. After
the neighbor is identified, REP determines which neighbor port should become the alternate port and which
ports should forward traffic.
Each port in a segment has a unique port ID. The port ID format is similar to that used by the spanning tree
algorithm: a port number (unique on the bridge), associated to a MAC address (unique in the network). When
a segment port is coming up, its LSL starts sending packets that include the segment ID and the port ID. The
port is declared as operational after it performs a three-way handshake with a neighbor in the same segment.
A segment port does not become operational if:
• No neighbor has the same segment ID.
• More than one neighbor has the same segment ID.


• The neighbor does not acknowledge the local port as a peer.

Each port creates an adjacency with its immediate neighbor. Once the neighbor adjacencies are created, the
ports negotiate to determine one blocked port for the segment, the alternate port. All other ports become
unblocked. By default, REP packets are sent to a BPDU class MAC address. The packets can also be sent to
the Cisco multicast address, which is used only to send blocked port advertisement (BPA) messages when
there is a failure in the segment. The packets are dropped by devices not running REP.

Fast Convergence
REP runs on a physical link basis and not on a per-VLAN basis. Only one hello message is required for all
VLANs, and it reduces the load on the protocol. We recommend that you create VLANs consistently on all
switches in a given segment and configure the same allowed VLANs on the REP trunk ports. To avoid the
delay introduced by relaying messages in software, REP also allows some packets to be flooded to a regular
multicast address. These messages operate at the hardware flood layer (HFL) and are flooded to the whole
network, not just the REP segment. Switches that do not belong to the segment treat them as data traffic. You
can control flooding of these messages by configuring an administrative VLAN for the whole domain or for
a particular segment.
The estimated convergence recovery time on fiber interfaces is between 50 ms and 200 ms for the local
segment with 200 VLANs configured. Convergence for VLAN load balancing is 300 ms or less.

VLAN Load Balancing

One edge port in the REP segment acts as the primary edge port; the other as the secondary edge port. It is the
primary edge port that always participates in VLAN load balancing in the segment. REP VLAN load balancing is
achieved by blocking some VLANs at a configured alternate port and all other VLANs at the primary edge
port. When you configure VLAN load balancing, you can specify the alternate port in one of three ways:
• By entering the port ID of the interface. To identify the port ID of a port in the segment, enter the show
interface rep detail interface configuration command for the port.
• By entering the neighbor offset number of a port in the segment, which identifies the downstream neighbor
port of an edge port. The neighbor offset number range is –256 to +256; a value of 0 is invalid. The
primary edge port has an offset number of 1; positive numbers above 1 identify downstream neighbors
of the primary edge port. Negative numbers indicate the secondary edge port (offset number -1) and its
downstream neighbors.

Note You configure offset numbers on the primary edge port by identifying a port’s downstream position from the
primary (or secondary) edge port. You would never enter an offset value of 1 because that is the offset number
of the primary edge port itself.

The figure below shows neighbor offset numbers for a segment where E1 is the primary edge port and E2 is
the secondary edge port. The red numbers inside the ring are numbers offset from the primary edge port; the
black numbers outside of the ring show the offset numbers from the secondary edge port. Note that you can
identify all ports (except the primary edge port) by either a positive offset number (downstream position from
the primary edge port) or a negative offset number (downstream position from the secondary edge port). If
E2 became the primary edge port, its offset number would then be 1 and E1 would be -1.


• By entering the preferred keyword to select the port that you previously configured as the preferred
alternate port with the rep segment segment-id preferred interface configuration command.

Figure 43: Neighbor Offset Numbers in a Segment

When the REP segment is complete, all VLANs are blocked. When you configure VLAN load balancing, you
must also configure triggers in one of two ways:
• Manually trigger VLAN load balancing at any time by entering the rep preempt segment segment-id
privileged EXEC command on the switch that has the primary edge port.
• Configure a preempt delay time by entering the rep preempt delay seconds interface configuration
command. After a link failure and recovery, VLAN load balancing begins after the configured preemption
time period elapses. Note that the delay timer restarts if another port fails before the time has elapsed.

Note When VLAN load balancing is configured, it does not start working until triggered by either manual intervention
or a link failure and recovery.

When VLAN load balancing is triggered, the primary edge port sends out a message to alert all interfaces in
the segment about the preemption. When the secondary port receives the message, it is reflected into the
network to notify the alternate port to block the set of VLANs specified in the message and to notify the
primary edge port to block the remaining VLANs.
You can also configure a particular port in the segment to block all VLANs. Only the primary edge port
initiates VLAN load balancing, which is not possible if the segment is not terminated by an edge port on each
end. The primary edge port determines the local VLAN load balancing configuration.
Reconfigure the primary edge port to reconfigure load balancing. When you change the load balancing
configuration, the primary edge port again waits for the rep preempt segment command or for the configured
preempt delay period after a port failure and recovery before executing the new configuration. If you change
an edge port to a regular segment port, the existing VLAN load balancing status does not change. Configuring
a new edge port might cause a new topology configuration.
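Neighbor-offset numbering and the resolution of a rep block port selector, as an added example that is not from the Cisco guide: a Python model of a constructed six-port segment (E1 through E2) that derives both offset numbers for every port, rejects the offset values the text calls invalid, and computes which VLANs each port blocks after preemption. The port IDs are constructed placeholders, not values a switch would generate.

```python
from typing import Dict, List, Optional, Set, Tuple

# Constructed six-port segment in chain order, primary edge E1 to secondary edge E2.
SEGMENT: List[str] = ["E1", "P2", "P3", "P4", "P5", "E2"]
# Constructed port IDs (a real switch derives them from a port number and the
# bridge MAC address; 'show interface ... rep detail' displays them).
PORT_IDS: Dict[str, str] = {name: f"000{i + 1}.0000.0000.00{i + 1:02d}"
                            for i, name in enumerate(SEGMENT)}


def neighbor_offsets(segment: List[str]) -> Dict[str, Tuple[int, int]]:
    """Map each port to (offset from the primary edge, offset from the secondary edge).

    The primary edge port is 1 and its downstream neighbours are 2, 3, ...;
    the secondary edge port is -1 and its downstream neighbours are -2, -3, ...
    """
    n = len(segment)
    return {port: (i + 1, -(n - i)) for i, port in enumerate(segment)}


def resolve_alternate_port(segment: List[str], selector: Tuple,
                           preferred: Optional[str] = None) -> str:
    """Resolve the alternate port named by a 'rep block port' selector entered
    on the primary edge port. selector is ("id", port_id), ("offset", n) or
    ("preferred",); preferred is the port configured with 'rep segment ... preferred'."""
    primary = segment[0]
    kind = selector[0]
    if kind == "id":
        for port, pid in PORT_IDS.items():
            if pid == selector[1] and port in segment:
                chosen = port
                break
        else:
            raise ValueError(f"port ID {selector[1]} is not in the segment")
    elif kind == "offset":
        offset = selector[1]
        if offset == 0:
            raise ValueError("offset 0 is invalid")
        if offset == 1:
            raise ValueError("offset 1 is the primary edge port itself")
        if not -256 <= offset <= 256:
            raise ValueError("offset must be in the range -256 to 256")
        matches = [p for p, offs in neighbor_offsets(segment).items() if offset in offs]
        if not matches:
            raise ValueError(f"no port at offset {offset} in a {len(segment)}-port segment")
        chosen = matches[0]
    elif kind == "preferred":
        if preferred is None:
            raise ValueError("no port is configured with 'rep segment ... preferred'")
        chosen = preferred
    else:
        raise ValueError(f"unknown selector {kind!r}")
    if chosen == primary:
        raise ValueError("the primary edge port cannot be the alternate port")
    return chosen


def blocking_plan(segment: List[str], alternate: Optional[str],
                  vlan_list: Optional[Set[int]], all_vlans: Set[int]) -> Dict[str, Set[int]]:
    """Which VLANs each port blocks once preemption is triggered.

    The listed VLANs are blocked at the alternate port and every other VLAN
    at the primary edge port; 'vlan all' (vlan_list=None) moves everything to
    the alternate port. With no load balancing configured (alternate=None),
    the default after manual preemption is to block all VLANs at the primary edge.
    """
    primary = segment[0]
    if alternate is None:
        return {primary: set(all_vlans)}
    at_alternate = set(all_vlans) if vlan_list is None else set(vlan_list) & all_vlans
    return {alternate: at_alternate, primary: all_vlans - at_alternate}


if __name__ == "__main__":
    for port, (pos, neg) in neighbor_offsets(SEGMENT).items():
        print(f"{port}: offset {pos:+d} from E1, {neg:+d} from E2")
    print(blocking_plan(SEGMENT, resolve_alternate_port(SEGMENT, ("offset", -2)),
                        {10, 20}, {10, 20, 30, 40}))
```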
Related Topics
Configuring REP Interfaces, on page 397


Spanning Tree Interaction


REP does not interact with STP or with the Flex Link feature, but can coexist with both. A port that belongs
to a segment is removed from spanning tree control and STP BPDUs are not accepted or sent from segment
ports. Therefore, STP cannot run on a segment.
To migrate from an STP ring configuration to REP segment configuration, begin by configuring a single port
in the ring as part of the segment and continue by configuring contiguous ports to minimize the number of
segments. Each segment always contains a blocked port, so multiple segments means multiple blocked ports
and a potential loss of connectivity. When the segment has been configured in both directions up to the location
of the edge ports, you then configure the edge ports.

REP Ports
REP segments consist of Failed, Open, or Alternate ports.
• A port configured as a regular segment port starts as a failed port.
• After the neighbor adjacencies are determined, the port transitions to alternate port state, blocking all
VLANs on the interface. Blocked port negotiations occur and when the segment settles, one blocked
port remains in the alternate role and all other ports become open ports.
• When a failure occurs in a link, all ports move to the failed state. When the alternate port receives the
failure notification, it changes to the open state, forwarding all VLANs.

A regular segment port converted to an edge port, or an edge port converted to a regular segment port, does
not always result in a topology change. If you convert an edge port into a regular segment port, VLAN load
balancing is not implemented unless it has been configured. For VLAN load balancing, you must configure
two edge ports in the segment.
A segment port that is reconfigured as a spanning tree port restarts according to the spanning tree configuration.
By default, this is a designated blocking port. If PortFast is configured or if STP is disabled, the port goes
into the forwarding state.

How to Configure REP


A segment is a collection of ports connected one to the other in a chain and configured with a segment ID.
To configure REP segments, you configure the REP administrative VLAN (or use the default VLAN 1) and
then add the ports to the segment using interface configuration mode. You should configure two edge ports
in the segment, with one of them the primary edge port and the other by default the secondary edge port. A
segment has only one primary edge port. If you configure two ports in a segment as the primary edge port,
for example, ports on different switches, the REP selects one of them to serve as the segment primary edge
port. You can also optionally configure where to send segment topology change notices (STCNs) and VLAN
load balancing.

Default REP Configuration


REP is disabled on all interfaces. When enabled, the interface is a regular segment port unless it is configured
as an edge port.


When REP is enabled, the sending of segment topology change notices (STCNs) is disabled, all VLANs are
blocked, and the administrative VLAN is VLAN 1.
When VLAN load balancing is enabled, the default is manual preemption with the delay timer disabled. If
VLAN load balancing is not configured, the default after manual preemption is to block all VLANs at the
primary edge port.

REP Configuration Guidelines


Follow these guidelines when configuring REP:
• We recommend that you begin by configuring one port and then configure contiguous ports to minimize
the number of segments and the number of blocked ports.
• If more than two ports in a segment fail when no external neighbors are configured, one port goes into
a forwarding state for the data path to help maintain connectivity during configuration. In the show rep
interface command output, the Port Role for this port shows as “Fail Logical Open”; the Port Role for
the other failed port shows as “Fail No Ext Neighbor”. When the external neighbors for the failed ports
are configured, the ports go through the alternate port state transitions and eventually go to an open state
or remain as the alternate port, based on the alternate port selection mechanism.
• REP ports must be Layer 2 IEEE 802.1Q or Trunk ports.
• We recommend that you configure all trunk ports in the segment with the same set of allowed VLANs.
• Be careful when configuring REP through a Telnet connection, because REP blocks all VLANs until
another REP interface sends a message to unblock it. You might lose connectivity to the router if you
enable REP in a Telnet session that accesses the router through the same interface.
• You cannot run REP and STP or REP and Flex Links on the same segment or interface.
• If you connect an STP network to a REP segment, be sure that the connection is at the segment edge.
An STP connection that is not at the edge could cause a bridging loop because STP does not run on REP
segments. All STP BPDUs are dropped at REP interfaces.
• You must configure all trunk ports in the segment with the same set of allowed VLANs, or a
misconfiguration occurs.
• If REP is enabled on two ports on a switch, both ports must be either regular segment ports or edge ports.
REP ports follow these rules:
• There is no limit to the number of REP ports on a switch; however, only two ports on a switch can
belong to the same REP segment.
• If only one port on a switch is configured in a segment, the port should be an edge port.
• If two ports on a switch belong to the same segment, they must be both edge ports, both regular
segment ports, or one regular port and one edge no-neighbor port. An edge port and regular segment
port on a switch cannot belong to the same segment.
• If two ports on a switch belong to the same segment and one is configured as an edge port and one
as a regular segment port (a misconfiguration), the edge port is treated as a regular segment port.

• REP interfaces come up in a blocked state and remain in a blocked state until they are safe to be unblocked.
You need to be aware of this status to avoid sudden connection losses.


• REP sends all LSL PDUs in untagged frames on the native VLAN. The BPA message sent to the Cisco
multicast address is sent on the administration VLAN, which is VLAN 1 by default.
• You can configure how long a REP interface remains up without receiving a hello from a neighbor. You
can use the rep lsl-age-timer value interface configuration command to set the time from 120 ms to
10000 ms. The LSL hello timer is then set to the age-timer value divided by 3. In normal operation, three
LSL hellos are sent before the age timer on the peer switch expires and checks for hello messages.
• EtherChannel port channel interfaces do not support LSL age-timer values less than 1000 ms. If
you try to configure a value less than 1000 ms on a port channel, you receive an error message and
the command is rejected.

• REP ports cannot be configured as one of the following port types:


• Switched Port Analyzer (SPAN) destination port
• Tunnel port
• Access port
• REP is supported on EtherChannels, but not on an individual port that belongs to an EtherChannel.
• There can be a maximum of 64 REP segments per switch.

Configuring the REP Administrative VLAN


To avoid the delay introduced by relaying messages in the software for link-failure or by VLAN-blocking
notifications during load balancing, the REP floods packets to a regular multicast address at the hardware
flood layer (HFL). These messages are flooded to the whole network, not just the REP segment. You can
control flooding of these messages by configuring an administrative VLAN for the whole domain or for a
particular segment.
Follow these guidelines when configuring the REP administrative VLAN:
• If you do not configure an administrative VLAN, the default is VLAN 1.
• You can configure one administrative VLAN on the switch for all segments, or you can configure administrative
VLANs per segment.
• The administrative VLAN cannot be the RSPAN VLAN.

To configure the REP administrative VLAN, follow these steps, beginning in privileged EXEC mode:

SUMMARY STEPS
1. configure terminal
2. rep admin vlan vlan-id segment segment-id
3. end
4. show interface [interface-id] rep detail
5. copy running-config startup-config


DETAILED STEPS

Step 1 configure terminal
Purpose: Enters global configuration mode.
Example:

SwitchDevice# configure terminal

Step 2 rep admin vlan vlan-id segment segment-id
Purpose: Specifies the administrative VLAN. The range is 2 to 4094. The default is VLAN 1. To specify the administrative VLAN per segment, enter the rep admin vlan vlan-id segment segment-id command in global configuration mode. To set the admin VLAN to 1, enter the no rep admin vlan global configuration command.
Example:

SwitchDevice(config)# rep admin vlan 2 segment 2

Step 3 end
Purpose: Returns to privileged EXEC mode.
Example:

SwitchDevice(config)# end

Step 4 show interface [interface-id] rep detail
Purpose: Verifies the configuration on one of the REP interfaces.
Example:

SwitchDevice# show interface gigabitethernet1/1 rep detail

Step 5 copy running-config startup-config
Purpose: (Optional) Saves your entries in the switch startup configuration file.
Example:

SwitchDevice# copy running-config startup-config

Related Topics
Configuring the REP Administrative VLAN: Examples, on page 403

Configuring REP Interfaces


For the REP operation, you must enable REP on each segment interface and identify the segment ID. This
task is required and must be done before other REP configurations. You must also configure a primary and
secondary edge port on each segment. All other steps are optional.
Follow these steps to enable and configure REP on an interface:

SUMMARY STEPS
1. enable
2. configure terminal
3. interface interface-id
4. switchport mode trunk
5. rep segment segment-id [edge [no-neighbor] [primary]] [preferred]
6. rep stcn {interface interface-id | segment id-list | stp}
7. rep block port {id port-id | neighbor-offset | preferred} vlan {vlan-list | all}
8. rep preempt delay seconds
9. rep lsl-age-timer value
10. end
11. show interface [interface-id] rep [detail]
12. copy running-config startup-config

DETAILED STEPS

Step 1 enable
Purpose: Enables privileged EXEC mode. Enter your password if prompted.
Example:

SwitchDevice> enable

Step 2 configure terminal
Purpose: Enters global configuration mode.

Step 3 interface interface-id
Purpose: Specifies the interface and enters interface configuration mode. The interface can be a physical Layer 2 interface or a port channel (logical interface). The port-channel range is 1 to 48.

Step 4 switchport mode trunk
Purpose: Configures the interface as a Layer 2 trunk port.

Step 5 rep segment segment-id [edge [no-neighbor] [primary]] [preferred]
Purpose: Enables REP on the interface and identifies a segment number. The segment ID range is from 1 to 1024. These optional keywords are available:
Note You must configure two edge ports, including one primary edge port, for each segment.
• (Optional) edge—Configures the port as an edge port. Each segment has only two edge ports. Entering edge without the primary keyword configures the port as the secondary edge port.
• (Optional) primary—Configures the port as the primary edge port, the port on which you can configure VLAN load balancing.
• (Optional) no-neighbor—Configures a port with no external REP neighbors as an edge port. The port inherits all properties of edge ports, and you can configure it the same as any edge port.
Note Although each segment can have only one primary edge port, if you configure edge ports on two different switches and enter the primary keyword on both switches, the configuration is valid. However, REP selects only one of these ports as the segment primary edge port. You can identify the primary edge port for a segment by entering the show rep topology privileged EXEC command.
• (Optional) preferred—Indicates that the port is the preferred alternate port or the preferred port for VLAN load balancing.
Note Configuring a port as preferred does not guarantee that it becomes the alternate port; it merely gives the port a slight edge over equal contenders. The alternate port is usually a previously failed port.

Step 6 rep stcn {interface interface-id | segment id-list | stp}
Purpose: (Optional) Configures the edge port to send segment topology change notices (STCNs).
• interface interface-id—Designates a physical interface or port channel to receive STCNs.
• segment id-list—Identifies one or more segments to receive STCNs. The range is from 1 to 1024.
• stp—Sends STCNs to STP networks.

Step 7 rep block port {id port-id | neighbor-offset | preferred} vlan {vlan-list | all}
Purpose: (Optional) Configures VLAN load balancing on the primary edge port, identifies the REP alternate port in one of three ways, and configures the VLANs to be blocked on the alternate port.
• id port-id—Identifies the alternate port by port ID. The port ID is automatically generated for each port in the segment. You can view interface port IDs by entering the show interface type number rep [detail] privileged EXEC command.
• neighbor-offset—Number to identify the alternate port as a downstream neighbor from an edge port. The range is from -256 to 256, with negative numbers indicating the downstream neighbor from the secondary edge port. A value of 0 is invalid. Enter -1 to identify the secondary edge port as the alternate port. See Figure 43: Neighbor Offset Numbers in a Segment, on page 393 for an example of neighbor offset numbering.
Note Because you enter this command at the primary edge port (offset number 1), you cannot enter an offset value of 1 to identify an alternate port.
• preferred—Selects the regular segment port previously identified as the preferred alternate port for VLAN load balancing.
• vlan vlan-list—Blocks one VLAN or a range of VLANs.
• vlan all—Blocks all VLANs.
Note Enter this command only on the REP primary edge port.

Step 8 rep preempt delay seconds
Purpose: (Optional) Configures a preempt time delay.
• Use this command if you want VLAN load balancing to automatically trigger after a link failure and recovery.
• The time delay range is from 15 to 300 seconds. The default is manual preemption with no time delay.
Note Enter this command only on the REP primary edge port.

Step 9 rep lsl-age-timer value
Purpose: (Optional) Configures a time (in milliseconds) for which the REP interface remains up without receiving a hello from a neighbor. The range is from 120 to 10000 ms in 40-ms increments. The default is 5000 ms (5 seconds).
Note
• EtherChannel port channel interfaces do not support LSL age-timer values less than 1000 ms.
• Both ports on the link should have the same LSL age timer configured to avoid link flaps.

Step 10 end
Purpose: Returns to privileged EXEC mode.

Step 11 show interface [interface-id] rep [detail]
Purpose: (Optional) Displays the REP interface configuration.

Step 12 copy running-config startup-config
Purpose: (Optional) Saves your entries in the router startup configuration file.
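The rules in the REP Configuration Guidelines section and the per-interface commands in this task, as an added example that is not from the Cisco guide: a Python lint over a constructed description of one switch's REP ports that flags the misconfigurations the text names (an edge port and a regular segment port sharing a segment, non-trunk ports, EtherChannel member ports, out-of-range or misplaced lsl-age-timer values, and rep block port or rep preempt delay on a port that is not the primary edge). The interface names and values are constructed.

```python
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class RepPort:
    """REP-relevant settings of one interface (constructed model, not switch output)."""
    name: str
    segment: int
    mode: str = "trunk"            # trunk | access | tunnel
    role: str = "regular"          # regular | edge | edge-primary | edge-no-neighbor
    port_channel: bool = False     # the interface is itself a port channel
    etherchannel_member: bool = False
    span_destination: bool = False
    lsl_age_timer_ms: int = 5000   # default from the rep lsl-age-timer command
    block_port: bool = False       # 'rep block port ...' configured here
    preempt_delay_s: Optional[int] = None


def lint_port(p: RepPort) -> List[str]:
    """Per-interface checks drawn from the guidelines and the command notes."""
    out: List[str] = []
    if not 1 <= p.segment <= 1024:
        out.append(f"{p.name}: segment ID {p.segment} is outside 1-1024")
    if p.mode != "trunk":
        out.append(f"{p.name}: REP needs a Layer 2 trunk port ({p.mode} mode is not allowed)")
    if p.span_destination:
        out.append(f"{p.name}: a SPAN destination port cannot be a REP port")
    if p.etherchannel_member:
        out.append(f"{p.name}: REP goes on the EtherChannel, not on a member port")
    t = p.lsl_age_timer_ms
    if not 120 <= t <= 10000 or t % 40:
        out.append(f"{p.name}: lsl-age-timer {t} ms must be 120-10000 in 40-ms steps")
    elif p.port_channel and t < 1000:
        out.append(f"{p.name}: port channels reject lsl-age-timer values below 1000 ms")
    primary = p.role == "edge-primary"
    if p.block_port and not primary:
        out.append(f"{p.name}: 'rep block port' belongs on the primary edge port only")
    if p.preempt_delay_s is not None:
        if not primary:
            out.append(f"{p.name}: 'rep preempt delay' belongs on the primary edge port only")
        elif not 15 <= p.preempt_delay_s <= 300:
            out.append(f"{p.name}: preempt delay {p.preempt_delay_s} s is outside 15-300")
    return out


def lint_switch(ports: List[RepPort]) -> List[str]:
    """Per-switch checks: ports per segment and the edge/regular pairing rules."""
    out = [finding for p in ports for finding in lint_port(p)]
    by_segment: Dict[int, List[RepPort]] = defaultdict(list)
    for p in ports:
        by_segment[p.segment].append(p)
    if len(by_segment) > 64:
        out.append(f"{len(by_segment)} segments configured; the limit is 64 per switch")
    for seg, members in sorted(by_segment.items()):
        if len(members) > 2:
            out.append(f"segment {seg}: {len(members)} ports on one switch; only two may share a segment")
        elif len(members) == 1 and members[0].role == "regular":
            out.append(f"segment {seg}: lone port {members[0].name} should be an edge port")
        elif len(members) == 2:
            kinds = {"edge" if m.role.startswith("edge") else "regular" for m in members}
            no_neighbor = any(m.role == "edge-no-neighbor" for m in members)
            # edge + regular on one switch is a misconfiguration unless the
            # edge port is an edge no-neighbor port
            if kinds == {"edge", "regular"} and not no_neighbor:
                out.append(f"segment {seg}: edge port and regular segment port on the same "
                           f"switch; the edge port will be treated as a regular segment port")
    return out


def example_configs():
    """A clean ring-segment switch and a deliberately misconfigured one (constructed)."""
    good = [RepPort("Gi1/0/1", 3, role="edge-primary", block_port=True, preempt_delay_s=60),
            RepPort("Gi1/0/2", 3, role="edge", lsl_age_timer_ms=2000)]
    bad = [RepPort("Gi1/0/3", 4, role="edge"),
           RepPort("Gi1/0/4", 4, role="regular", block_port=True),
           RepPort("Gi1/0/5", 5, mode="access", lsl_age_timer_ms=1010),
           RepPort("Po1", 6, port_channel=True, lsl_age_timer_ms=800)]
    return good, bad


if __name__ == "__main__":
    good, bad = example_configs()
    print("good:", lint_switch(good) or "no findings")
    for finding in lint_switch(bad):
        print("bad:", finding)
```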


Related Topics
VLAN Load Balancing, on page 392

Setting Manual Preemption for VLAN Load Balancing


If you do not enter the rep preempt delay seconds interface configuration command on the primary edge port to configure a preemption time delay, the default is to manually trigger VLAN load balancing on the segment. Be sure that all other segment configuration has been completed before manually preempting VLAN load balancing. When you enter the rep preempt segment segment-id command, a confirmation message appears before the command is executed because preemption can cause network disruption.

SUMMARY STEPS
1. rep preempt segment segment-id
2. show rep topology segment-id

DETAILED STEPS

Command or Action Purpose


Step 1 rep preempt segment segment-id Manually triggers VLAN load balancing on the segment.
You will need to confirm the command before it is executed.

Step 2 show rep topology segment-id Displays REP topology information.

Configuring SNMP Traps for REP


You can configure the router to send REP-specific traps to notify the Simple Network Management Protocol
(SNMP) server of link operational status changes and any port role changes.

SUMMARY STEPS
1. configure terminal
2. snmp mib rep trap-rate value
3. end
4. show running-config
5. copy running-config startup-config

DETAILED STEPS

Command or Action Purpose


Step 1 configure terminal Enters global configuration mode.
Example:
Switch# configure terminal

Step 2 snmp mib rep trap-rate value Enables the switch to send REP traps, and sets the number of traps sent per second.
• Enter the number of traps sent per second. The range is from 0 to 1000. The default is 0 (no limit imposed; a trap is sent at every occurrence).
Example:
Switch(config)# snmp mib rep trap-rate 500

Step 3 end Returns to privileged EXEC mode.


Example:

Switch(config)# end

Step 4 show running-config (Optional) Displays the running configuration, which can
be used to verify the REP trap configuration.
Example:

Switch# show running-config

Step 5 copy running-config startup-config (Optional) Saves your entries in the switch startup
configuration file.
Example:

Switch# copy running-config startup-config
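A small lint of REP settings against the ranges stated in the interface steps (rep lsl-age-timer, rep preempt delay, rep block port) and in the trap-rate step above. This is an added example, not Cisco code; the RepPort fields and the role labels "primary", "secondary" and "regular" are this example's own assumptions, and the 16-hex-digit port ID format is taken from the port IDs shown in this guide's examples.

```python
"""Lint REP settings against the ranges documented in the configuration steps above.

Added example (not Cisco code): the checks encode only the constraints the guide
states for rep lsl-age-timer, rep preempt delay, rep block port and
snmp mib rep trap-rate; the RepPort fields and role labels are assumptions.
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Union

LSL_MIN_MS, LSL_MAX_MS, LSL_STEP_MS = 120, 10000, 40
LSL_MIN_PORTCHANNEL_MS = 1000      # EtherChannel port channels reject values below this
PREEMPT_MIN_S, PREEMPT_MAX_S = 15, 300
TRAP_RATE_MIN, TRAP_RATE_MAX = 0, 1000
PORT_ID_RE = re.compile(r"[0-9A-Fa-f]{16}")  # port ID format seen in the guide's examples


@dataclass
class RepPort:
    name: str                                     # "GigabitEthernet1/1", "Port-channel1", ...
    role: str = "regular"                         # assumed labels: primary, secondary, regular
    lsl_age_ms: int = 5000                        # guide default: 5000 ms
    preempt_delay_s: Optional[int] = None         # rep preempt delay seconds
    block_port: Optional[Union[int, str]] = None  # neighbor offset, "preferred" or a port ID

    @property
    def is_port_channel(self) -> bool:
        return self.name.lower().startswith("port-channel")


def lint_port(p: RepPort) -> List[str]:
    """Return one message per violated constraint; an empty list means the port passes."""
    errs: List[str] = []
    if not LSL_MIN_MS <= p.lsl_age_ms <= LSL_MAX_MS:
        errs.append(f"{p.name}: lsl-age-timer {p.lsl_age_ms} outside {LSL_MIN_MS}-{LSL_MAX_MS} ms")
    elif p.lsl_age_ms % LSL_STEP_MS:
        errs.append(f"{p.name}: lsl-age-timer {p.lsl_age_ms} is not a {LSL_STEP_MS}-ms increment")
    if p.is_port_channel and p.lsl_age_ms < LSL_MIN_PORTCHANNEL_MS:
        errs.append(f"{p.name}: port channels do not support lsl-age-timer below {LSL_MIN_PORTCHANNEL_MS} ms")
    if p.preempt_delay_s is not None:
        if p.role != "primary":
            errs.append(f"{p.name}: rep preempt delay is accepted only on the primary edge port")
        elif not PREEMPT_MIN_S <= p.preempt_delay_s <= PREEMPT_MAX_S:
            errs.append(f"{p.name}: preempt delay {p.preempt_delay_s} outside {PREEMPT_MIN_S}-{PREEMPT_MAX_S} s")
    if p.block_port is not None:
        if p.role != "primary":
            errs.append(f"{p.name}: rep block port is accepted only on the primary edge port")
        elif isinstance(p.block_port, int):
            if p.block_port == 1:   # offset 1 is the primary edge port itself
                errs.append(f"{p.name}: offset 1 cannot identify the alternate port")
        elif p.block_port != "preferred" and not PORT_ID_RE.fullmatch(p.block_port):
            errs.append(f"{p.name}: block port {p.block_port!r} is neither an offset, 'preferred' nor a 16-hex-digit port ID")
    return errs


def lint_link(a: RepPort, b: RepPort) -> List[str]:
    """Both ends of a REP link must agree on the LSL age timer, or the link flaps."""
    if a.lsl_age_ms != b.lsl_age_ms:
        return [f"{a.name}/{b.name}: lsl-age-timer mismatch ({a.lsl_age_ms} vs {b.lsl_age_ms} ms) causes link flaps"]
    return []


def lint_trap_rate(value: int) -> List[str]:
    """snmp mib rep trap-rate: 0 (no limit) to 1000 traps per second."""
    if not TRAP_RATE_MIN <= value <= TRAP_RATE_MAX:
        return [f"trap-rate {value} outside {TRAP_RATE_MIN}-{TRAP_RATE_MAX}"]
    return []


if __name__ == "__main__":
    # The primary edge port from this guide's REP interface example: passes.
    edge = RepPort("GigabitEthernet1/1", role="primary", lsl_age_ms=6000,
                   preempt_delay_s=60, block_port="0009001818D68700")
    print(lint_port(edge) or "OK")
    # Constructed misconfiguration: primary-only commands on a secondary edge port that is
    # a port channel with a too-small, misaligned age timer; four findings.
    bad = RepPort("Port-channel1", role="secondary", lsl_age_ms=130, preempt_delay_s=60, block_port=1)
    for msg in lint_port(bad) + lint_link(edge, bad) + lint_trap_rate(1500):
        print(msg)
```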

Monitoring REP
SUMMARY STEPS
1. show interface [interface-id] rep [detail]
2. show rep topology [segment segment-id] [archive] [detail]

DETAILED STEPS

Command or Action Purpose

Step 1 show interface [interface-id] rep [detail] Displays REP configuration and status for an interface or for all interfaces.
• (Optional) detail—displays interface-specific REP information.

Step 2 show rep topology [segment segment-id] [archive] [detail] Displays REP topology information for a segment or for all segments, including the primary and secondary edge ports in the segment.
• (Optional) archive—displays the last stable topology.
Note: An archive topology is not retained when the switch reloads.
• (Optional) detail—displays detailed archived information.

Configuring Examples for Configuring REP


Configuring the REP Administrative VLAN: Examples
This example shows how to configure the administrative VLAN as VLAN 100 and verify the configuration by entering the show interface rep detail command on one of the REP interfaces:
Switch# configure terminal
Switch(config)# rep admin vlan 100
Switch(config)# end
Switch# show interface gigabitethernet1/1 rep details
GigabitEthernet1/1 REP enabled
Segment-id: 2 (Edge)
PortID: 00010019E7144680
Preferred flag: No
Operational Link Status: TWO_WAY
Current Key: 0002001121A2D5800E4D
Port Role: Open
Blocked Vlan: <empty>
Admin-vlan: 100
Preempt Delay Timer: disabled
LSL Ageout Timer: 5000 ms
Configured Load-balancing Block Port: none
Configured Load-balancing Block VLAN: none
STCN Propagate to: none
LSL PDU rx: 3322, tx: 1722
HFL PDU rx: 32, tx: 5
BPA TLV rx: 16849, tx: 508
BPA (STCN, LSL) TLV rx: 0, tx: 0
BPA (STCN, HFL) TLV rx: 0, tx: 0
EPA-ELECTION TLV rx: 118, tx: 118
EPA-COMMAND TLV rx: 0, tx: 0
EPA-INFO TLV rx: 4214, tx: 4190

The following example shows how to create an administrative VLAN per segment. Here VLAN 2 is configured
as the administrative VLAN only for REP segment 2. All remaining segments that are not configured otherwise
will, by default, have VLAN 1 as the administrative VLAN.
Switch# configure terminal
Switch(config)# rep admin vlan 2 segment 2
Switch(config)# end

Related Topics
Configuring the REP Administrative VLAN, on page 396

Configuring REP Interfaces: Examples


This example shows how to configure an interface as the primary edge port for segment 1, to send STCNs to
segments 2 through 5, and to configure the alternate port as the port with port ID 0009001818D68700 to block
all VLANs after a preemption delay of 60 seconds after a segment port failure and recovery. The interface is
configured to remain up for 6000 milliseconds without receiving a hello from a neighbor.
Switch# configure terminal
Switch (conf)# interface gigabitethernet1/1
Switch (conf-if)# rep segment 1 edge primary
Switch (conf-if)# rep stcn segment 2-5
Switch (conf-if)# rep block port 0009001818D68700 vlan all
Switch (conf-if)# rep preempt delay 60
Switch (conf-if)# rep lsl-age-timer 6000
Switch (conf-if)# end
This example shows how to configure the same configuration when the interface has no external REP neighbor:
Switch# configure terminal
Switch (conf)# interface gigabitethernet1/1
Switch (conf-if)# rep segment 1 edge no-neighbor primary
Switch (conf-if)# rep stcn segment 2-5
Switch (conf-if)# rep block port 0009001818D68700 vlan all
Switch (conf-if)# rep preempt delay 60
Switch (conf-if)# rep lsl-age-timer 6000
Switch (conf-if)# end

This example shows how to configure the VLAN blocking configuration shown in the figure below. The
alternate port is the neighbor with neighbor offset number 4. After manual preemption, VLANs 100 to 200
are blocked at this port, and all other VLANs are blocked at the primary edge port E1 (Gigabit Ethernet port
1/1).
Switch# configure terminal
Switch (conf)# interface gigabitethernet1/1
Switch (conf-if)# rep segment 1 edge primary
Switch (conf-if)# rep block port 4 vlan 100-200
Switch (conf-if)# end

Figure 44: Example of VLAN Blocking

CHAPTER 21
Configuring Flex Links and the MAC
Address-Table Move Update Feature
• Finding Feature Information, on page 405
• Restrictions for Configuring Flex Links and MAC Address-Table Move Update, on page 405
• Information About Flex Links and MAC Address-Table Move Update, on page 406
• How to Configure Flex Links and the MAC Address-Table Move Update Feature, on page 410
• Monitoring Flex Links, Multicast Fast Convergence, and MAC Address-Table Move Update, on page 415
• Configuration Examples for Flex Links, on page 416

Finding Feature Information


Your software release may not support all the features documented in this module. For the latest caveats and
feature information, see Bug Search Tool and the release notes for your platform and software release. To
find information about the features documented in this module, and to see a list of the releases in which each
feature is supported, see the feature information table at the end of this module.
Use Cisco Feature Navigator to find information about platform support and Cisco software image support.
To access Cisco Feature Navigator, go to http://www.cisco.com/go/cfn. An account on Cisco.com is not
required.

Restrictions for Configuring Flex Links and MAC Address-Table Move Update
• Flex Links are supported only on Layer 2 ports and port channels.
• You can configure up to 16 backup links.
• You can configure only one Flex Links backup link for any active link, and it must be a different interface
from the active interface.
• An interface can belong to only one Flex Links pair. An interface can be a backup link for only one active
link. An active link cannot belong to another Flex Links pair.

• Neither of the links can be a port that belongs to an EtherChannel. However, you can configure two port
channels (EtherChannel logical interfaces) as Flex Links, and you can configure a port channel and a
physical interface as Flex Links, with either the port channel or the physical interface as the active link.
• A backup link does not have to be the same type (Gigabit Ethernet or port channel) as the active link.
However, you should configure both Flex Links with similar characteristics so that there are no loops or
changes in behavior if the standby link begins to forward traffic.
• STP is disabled on Flex Links ports. A Flex Links port does not participate in STP, even if the VLANs
present on the port are configured for STP. When STP is not enabled, be sure that there are no loops in
the configured topology.

Information About Flex Links and MAC Address-Table Move Update

Flex Links
Flex Links are a pair of Layer 2 interfaces (switch ports or port channels) where one interface is configured
to act as a backup to the other. The feature provides an alternative solution to the Spanning Tree Protocol
(STP). Users can disable STP and still retain basic link redundancy. Flex Links are typically configured in
service provider or enterprise networks where customers do not want to run STP on the switch. If the switch
is running STP, Flex Links are not necessary because STP already provides link-level redundancy or backup.
You configure Flex Links on one Layer 2 interface (the active link) by assigning another Layer 2 interface as
the Flex Links or backup link. On switches, the Flex Links can be on the same switch or on another switch
in the stack. When one of the links is up and forwarding traffic, the other link is in standby mode, ready to
begin forwarding traffic if the other link shuts down. At any given time, only one of the interfaces is in the
linkup state and forwarding traffic. If the primary link shuts down, the standby link starts forwarding traffic.
When the active link comes back up, it goes into standby mode and does not forward traffic. STP is disabled
on Flex Links interfaces.

Flex Links Configuration


In the following figure, ports 1 and 2 on switch A are connected to uplink switches B and C. Because they
are configured as Flex Links, only one of the interfaces is forwarding traffic; the other is in standby mode. If
port 1 is the active link, it begins forwarding traffic between port 1 and switch B; the link between port 2 (the
backup link) and switch C is not forwarding traffic. If port 1 goes down, port 2 comes up and starts forwarding
traffic to switch C. When port 1 comes back up, it goes into standby mode and does not forward traffic; port
2 continues forwarding traffic.
You can also configure a preemption function, specifying the preferred port for forwarding traffic. For example,
you can configure the Flex Links pair with preemption mode. In the scenario shown, when port 1 comes back
up and has more bandwidth than port 2, port 1 begins forwarding traffic after 60 seconds. Port 2 becomes the
standby port. You do this by entering the switchport backup interface preemption mode bandwidth and
switchport backup interface preemption delay interface configuration commands.

Figure 45: Flex Links Configuration Example

If a primary (forwarding) link goes down, a trap notifies the network management stations. If the standby link
goes down, a trap notifies the users.
Flex Links are supported only on Layer 2 ports and port channels, not on VLANs or on Layer 3 ports.

VLAN Flex Links Load Balancing and Support


VLAN Flex Links load balancing allows users to configure a Flex Links pair so that both ports simultaneously forward the traffic for some mutually exclusive VLANs. For example, if the Flex Links ports are configured for VLANs 1 to 100, the traffic of the first 50 VLANs can be forwarded on one port and the rest on the other port. If one of the ports fails, the other active port forwards all the traffic. When the failed port comes back up, it resumes forwarding traffic in the preferred VLANs. In addition to providing redundancy, this Flex Links pair can be used for load balancing. Flex Links VLAN load balancing does not impose any restrictions on uplink switches.
The following figure displays a VLAN Flex Links load-balancing configuration.

Figure 46: VLAN Flex Links Load-Balancing Configuration Example

Multicast Fast Convergence with Flex Links Failover


Multicast fast convergence reduces the multicast traffic convergence time after a Flex Links failure. Multicast
fast convergence is implemented by a combination of learning the backup link as an mrouter port, generating
IGMP reports, and leaking IGMP reports.

Learning the Other Flex Links Port as the mrouter Port


In a typical multicast network, there is a querier for each VLAN. A switch deployed at the edge of a network has one of its Flex Links ports receiving queries. One of the Flex Links ports is always forwarding at any given time.
A port that receives queries is added as an mrouter port on the switch. An mrouter port is part of all the
multicast groups learned by the switch. After a changeover, queries are received by the other Flex Links port.

The other Flex Links port is then learned as the mrouter port. After changeover, multicast traffic then flows
through the other Flex Links port. To achieve faster convergence of traffic, both Flex Links ports are learned
as mrouter ports whenever either Flex Links port is learned as the mrouter port. Both Flex Links ports are
always part of multicast groups.
Although both Flex Links ports are part of the groups in normal operation mode, all traffic on the backup port
is blocked. The normal multicast data flow is not affected by the addition of the backup port as an mrouter
port. When the changeover happens, the backup port is unblocked, allowing the traffic to flow. In this case,
the upstream multicast data flows as soon as the backup port is unblocked.

Generating IGMP Reports


When the backup link comes up after the changeover, the new upstream distribution switch does not start forwarding multicast data, because the port on the upstream router that is connected to the blocked Flex Links port is not part of any multicast group. The reports for the multicast groups were not forwarded by the downstream switch because the backup link is blocked. The data does not flow on this port until it learns the multicast groups, which occurs only after it receives reports.
The reports are sent by hosts when a general query is received, and a general query is sent within 60 seconds
in normal scenarios. When the backup link starts forwarding, to achieve faster convergence of multicast data,
the downstream switch immediately sends proxy reports for all the learned groups on this port without waiting
for a general query.

Leaking IGMP Reports


To achieve multicast traffic convergence with minimal loss, a redundant data path must be set up before the
Flex Links active link goes down. This can be achieved by leaking only IGMP report packets on the Flex
Links backup link. These leaked IGMP report messages are processed by upstream distribution routers, so
multicast data traffic gets forwarded to the backup interface. Because all incoming traffic on the backup
interface is dropped at the ingress of the access switch, no duplicate multicast traffic is received by the host.
When the Flex Links active link fails, the access switch starts accepting traffic from the backup link
immediately. The only disadvantage of this scheme is that it consumes bandwidth on the link between the
distribution switches and on the backup link between the distribution and access switches. This feature is
disabled by default and can be configured by using the switchport backup interface interface-id multicast
fast-convergence command.
When this feature has been enabled at changeover, the switch does not generate the proxy reports on the
backup port, which became the forwarding port.

MAC Address-Table Move Update


The MAC address-table move update feature allows the switch to provide rapid bidirectional convergence
when a primary (forwarding) link goes down and the standby link begins forwarding traffic.
Figure 47: MAC Address-Table Move Update Example

In the following figure, switch A is an access switch, and ports 1 and 2 on switch A are connected to uplink
switches B and D through a Flex Links pair. Port 1 is forwarding traffic, and port 2 is in the backup state.
Traffic from the PC to the server is forwarded from port 1 to port 3. The MAC address of the PC has been learned on port 3 of switch C. Traffic from the server to the PC is forwarded from port 3 to port 1.

If the MAC address-table move update feature is not configured and port 1 goes down, port 2 starts forwarding
traffic. However, for a short time, switch C keeps forwarding traffic from the server to the PC through port
3, and the PC does not get the traffic because port 1 is down. If switch C removes the MAC address of the
PC on port 3 and relearns it on port 4, traffic can then be forwarded from the server to the PC through port 2.
If the MAC address-table move update feature is configured and enabled on the switches, and port 1 goes
down, port 2 starts forwarding traffic from the PC to the server. The switch sends a MAC address-table move
update packet from port 2. Switch C gets this packet on port 4 and immediately learns the MAC address of
the PC on port 4, which reduces the reconvergence time.
You can configure the access switch, switch A, to send MAC address-table move update messages. You can
also configure the uplink switches B, C, and D to get and process the MAC address-table move update
messages. When switch C gets a MAC address-table move update message from switch A, switch C learns
the MAC address of the PC on port 4. Switch C updates the MAC address table, including the forwarding
table entry for the PC.
Switch A does not need to wait for the MAC address-table update. The switch detects a failure on port 1 and
immediately starts forwarding server traffic from port 2, the new forwarding port. This change occurs in less
than 100 milliseconds (ms). The PC is directly connected to switch A, and the connection status does not
change. Switch A does not need to update the PC entry in the MAC address table.

Flex Links VLAN Load Balancing Configuration Guidelines


• For Flex Links VLAN load balancing, you must choose the preferred VLANs on the backup interface.
• You cannot configure a preemption mechanism and VLAN load balancing for the same Flex Links pair.

MAC Address-Table Move Update Configuration Guidelines


• You can enable and configure this feature on the access switch to send the MAC address-table move
updates.
• You can enable and configure this feature on the uplink switches to get the MAC address-table move
updates.

Default Flex Links and MAC Address-Table Move Update Configuration


• Flex Links is not configured, and there are no backup interfaces defined.
• The preemption mode is off.
• The preemption delay is 35 seconds.
• The MAC address-table move update feature is not configured on the switch.

How to Configure Flex Links and the MAC Address-Table Move Update Feature
Configuring Flex Links
SUMMARY STEPS
1. configure terminal
2. interface interface-id
3. switchport backup interface interface-id
4. end

DETAILED STEPS

Command or Action Purpose


Step 1 configure terminal Enters global configuration mode.
Example:
Switch# configure terminal

Step 2 interface interface-id Specifies the interface, and enters interface configuration mode. The interface can be a physical Layer 2 interface or a port channel (logical interface). The port-channel range is 1 to 24.
Example:
Switch(config)# interface gigabitethernet1/0/1

Step 3 switchport backup interface interface-id Configures a physical Layer 2 interface (or port channel) as part of a Flex Links pair with the interface. When one link is forwarding traffic, the other interface is in standby mode.
Example:
Switch(config-if)# switchport backup interface gigabitethernet1/0/2

Step 4 end Returns to privileged EXEC mode.
Example:
Switch(config-if)# end

Configuring a Preemption Scheme for a Pair of Flex Links

SUMMARY STEPS
1. configure terminal
2. interface interface-id
3. switchport backup interface interface-id
4. switchport backup interface interface-id preemption mode [forced | bandwidth | off]
5. switchport backup interface interface-id preemption delay delay-time
6. end
7. show interface [interface-id] switchport backup
8. copy running-config startup-config

DETAILED STEPS

Command or Action Purpose


Step 1 configure terminal Enters global configuration mode.
Example:
Switch# configure terminal

Step 2 interface interface-id Specifies the interface, and enters interface configuration mode. The interface can be a physical Layer 2 interface or a port channel (logical interface). The port-channel range is 1 to 24.
Example:
Switch(config)# interface gigabitethernet1/0/1

Step 3 switchport backup interface interface-id Configures a physical Layer 2 interface (or port channel) as part of a Flex Links pair with the interface. When one link is forwarding traffic, the other interface is in standby mode.
Example:
Switch(config-if)# switchport backup interface gigabitethernet1/0/2

Step 4 switchport backup interface interface-id preemption mode [forced | bandwidth | off] Configures a preemption mechanism and delay for a Flex Links interface pair. You can configure the preemption as:
• forced—(Optional) The active interface always preempts the backup.
• bandwidth—(Optional) The interface with the higher bandwidth always acts as the active interface.
• off—(Optional) No preemption occurs from active to backup.
Example:
Switch(config-if)# switchport backup interface gigabitethernet1/0/2 preemption mode forced

Step 5 switchport backup interface interface-id preemption delay delay-time Configures the time delay until a port preempts another port.
Note: Setting a delay time only works with forced and bandwidth modes.
Example:
Switch(config-if)# switchport backup interface gigabitethernet1/0/2 preemption delay 50

Step 6 end Returns to privileged EXEC mode.
Example:
Switch(config-if)# end

Step 7 show interface [interface-id] switchport backup Verifies the configuration.
Example:
Switch# show interface gigabitethernet1/0/2 switchport backup

Step 8 copy running-config startup-config (Optional) Saves your entries in the switch startup configuration file.
Example:
Switch# copy running-config startup-config

Configuring VLAN Load Balancing on Flex Links


SUMMARY STEPS
1. configure terminal
2. interface interface-id
3. switchport backup interface interface-id prefer vlan vlan-range
4. end

DETAILED STEPS

Command or Action Purpose


Step 1 configure terminal Enters global configuration mode.
Example:
Switch# configure terminal

Step 2 interface interface-id Specifies the interface, and enters interface configuration mode. The interface can be a physical Layer 2 interface or a port channel (logical interface). The port-channel range is 1 to 24.
Example:
Switch(config)# interface gigabitethernet2/0/6

Step 3 switchport backup interface interface-id prefer vlan vlan-range Configures a physical Layer 2 interface (or port channel) as part of a Flex Links pair with the interface and specifies the VLANs carried on the interface. The VLAN ID range is 1 to 4094.
Example:
Switch(config-if)# switchport backup interface gigabitethernet2/0/8 prefer vlan 2

Step 4 end Returns to privileged EXEC mode.
Example:
Switch(config-if)# end

Configuring MAC Address-Table Move Update


SUMMARY STEPS
1. configure terminal
2. interface interface-id
3. Use one of the following:
• switchport backup interface interface-id
• switchport backup interface interface-id mmu primary vlan vlan-id
4. end
5. mac address-table move update transmit
6. end

DETAILED STEPS

Command or Action Purpose


Step 1 configure terminal Enters global configuration mode.
Example:
Switch# configure terminal

Step 2 interface interface-id Specifies the interface, and enters interface configuration mode. The interface can be a physical Layer 2 interface or a port channel (logical interface). The port-channel range is 1 to 24.
Example:
Switch(config)# interface gigabitethernet1/0/1

Step 3 Use one of the following:
• switchport backup interface interface-id—Configures a physical Layer 2 interface (or port channel) as part of a Flex Links pair with the interface. The MAC address-table move update VLAN is the lowest VLAN ID on the interface.
• switchport backup interface interface-id mmu primary vlan vlan-id—Configures a physical Layer 2 interface (or port channel) and specifies the VLAN ID on the interface, which is used for sending the MAC address-table move update.
When one link is forwarding traffic, the other interface is in standby mode.
Example:
Switch(config-if)# switchport backup interface gigabitethernet0/2 mmu primary vlan 2

Step 4 end Returns to global configuration mode.
Example:
Switch(config-if)# end

Step 5 mac address-table move update transmit Enables the access switch to send MAC address-table move updates to other switches in the network if the primary link goes down and the switch starts forwarding traffic through the standby link.
Example:
Switch(config)# mac address-table move update transmit

Step 6 end Returns to privileged EXEC mode.
Example:
Switch(config)# end

Configuring a Switch to Obtain and Process MAC Address-Table Move Update Messages

SUMMARY STEPS
1. configure terminal
2. mac address-table move update receive
3. end

DETAILED STEPS

Command or Action Purpose


Step 1 configure terminal Enters global configuration mode.
Example:
Switch# configure terminal

Step 2 mac address-table move update receive Enables the switch to obtain and process the MAC address-table move updates.
Example:
Switch(config)# mac address-table move update receive

Step 3 end Returns to privileged EXEC mode.
Example:
Switch(config)# end

Monitoring Flex Links, Multicast Fast Convergence, and MAC


Address-Table Move Update
Command Purpose

show interface [interface-id] switchport backup Displays the Flex Links backup interface configured for an interface or all the configured Flex Links and the state of each active and backup interface (up or standby mode).

show ip igmp profile profile-id Displays the specified IGMP profile or all the IGMP profiles defined on the switch.

show mac address-table move update Displays the MAC address-table move update information on the switch.

Configuration Examples for Flex Links


Configuring Flex Links: Examples
This example shows how to verify the configuration after you configure an interface with a backup interface:

Switch# show interface switchport backup

Switch Backup Interface Pairs:

Active Interface Backup Interface State
------------------------------------------------------------------------
GigabitEthernet1/0/1 GigabitEthernet1/0/2 Active Up/Backup Standby

This example shows how to verify the configuration after you configure the preemption mode as forced for a backup interface pair:

Switch# show interface switchport backup detail

Switch Backup Interface Pairs:

Active Interface Backup Interface State
------------------------------------------------------------------------
GigabitEthernet1/0/1 GigabitEthernet1/0/2 Active Up/Backup Standby
Interface Pair : Gi1/0/1, Gi1/0/2
Preemption Mode : forced
Preemption Delay : 50 seconds
Bandwidth : 100000 Kbit (Gi1/0/1), 100000 Kbit (Gi1/0/2)
Mac Address Move Update Vlan : auto

Configuring VLAN Load Balancing on Flex Links: Examples


In the following example, VLANs 1 to 50, 60, and 100 to 120 are configured on the switch:

SwitchDevice(config)# interface gigabitethernet 2/0/6


SwitchDevice(config-if)# switchport backup interface gigabitethernet 2/0/8 prefer vlan
60,100-120

When both interfaces are up, Gi2/0/8 forwards traffic for VLANs 60 and 100 to 120 and Gi2/0/6 forwards
traffic for VLANs 1 to 50.

SwitchDevice# show interfaces switchport backup

Switch Backup Interface Pairs:

Active Interface Backup Interface State

Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(3)E (Catalyst 3560-CX and 2960-CX Switches)
416
Layer 2
Configuring the MAC Address-Table Move Update: Examples

------------------------------------------------------------------------
GigabitEthernet2/0/6 GigabitEthernet2/0/8 Active Up/Backup Standby

Vlans Preferred on Active Interface: 1-50


Vlans Preferred on Backup Interface: 60, 100-120

When a Flex Links interface goes down (LINK_DOWN), VLANs preferred on this interface are moved to
the peer interface of the Flex Links pair. In this example, if interface Gi2/0/6 goes down, Gi2/0/8 carries all
VLANs of the Flex Links pair.

SwitchDevice# show interfaces switchport backup

Switch Backup Interface Pairs:

Active Interface Backup Interface State


------------------------------------------------------------------------
GigabitEthernet2/0/6 GigabitEthernet2/0/8 Active Down/Backup Up

Vlans Preferred on Active Interface: 1-50


Vlans Preferred on Backup Interface: 60, 100-120

When a Flex Links interface comes up, VLANs preferred on this interface are blocked on the peer interface
and moved to the forwarding state on the interface that has just come up. In this example, if interface Gi2/0/6
comes up, VLANs preferred on this interface are blocked on the peer interface Gi2/0/8 and forwarded on
Gi2/0/6.

SwitchDevice# show interfaces switchport backup

Switch Backup Interface Pairs:

Active Interface        Backup Interface        State
------------------------------------------------------------------------
GigabitEthernet2/0/6    GigabitEthernet2/0/8    Active Up/Backup Standby

Vlans Preferred on Active Interface: 1-50
Vlans Preferred on Backup Interface: 60, 100-120

SwitchDevice# show interfaces switchport backup detail

Switch Backup Interface Pairs:

Active Interface        Backup Interface        State
------------------------------------------------------------------------
FastEthernet1/0/3       FastEthernet1/0/4       Active Down/Backup Up

Vlans Preferred on Active Interface: 1-2,5-4094
Vlans Preferred on Backup Interface: 3-4
Preemption Mode : off
Bandwidth : 10000 Kbit (Fa1/0/3), 100000 Kbit (Fa1/0/4)
Mac Address Move Update Vlan : auto
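The rules illustrated above (each member forwards its preferred VLANs while both links are up; when one link goes down, its peer carries every VLAN of the pair) are easy to misread from a single show snapshot on a busy switch. The following Python script is an added example and is not part of the configuration guide: it parses the show interfaces switchport backup output format shown above, expands the VLAN ranges, and computes which VLANs each member is forwarding right now. The sample output embedded in it is constructed from the Gi2/0/6 and Gi2/0/8 pair above.

```python
import re
from typing import Dict, List, Set

# Constructed sample, copied from the output shown above: the pair after the
# active link Gi2/0/6 went down.
SAMPLE_OUTPUT = """\
Switch Backup Interface Pairs:

Active Interface        Backup Interface        State
------------------------------------------------------------------------
GigabitEthernet2/0/6    GigabitEthernet2/0/8    Active Down/Backup Up

Vlans Preferred on Active Interface: 1-50
Vlans Preferred on Backup Interface: 60, 100-120
"""

PAIR_RE = re.compile(r"^(\S+)\s+(\S+)\s+(Active \S+/Backup \S+)\s*$")
PREF_RE = re.compile(r"^Vlans Preferred on (Active|Backup) Interface:\s*(.*)$")


def parse_vlan_list(text: str) -> Set[int]:
    """Expand an IOS VLAN list such as '60, 100-120' into a set of VLAN IDs."""
    vlans: Set[int] = set()
    for token in text.replace(" ", "").split(","):
        if not token:
            continue
        if "-" in token:
            low, high = (int(part) for part in token.split("-", 1))
            vlans.update(range(low, high + 1))
        else:
            vlans.add(int(token))
    return vlans


def parse_backup_pairs(output: str) -> List[Dict]:
    """Parse the pair lines and the preferred-VLAN lines that follow each pair."""
    pairs: List[Dict] = []
    for line in output.splitlines():
        pair_match = PAIR_RE.match(line)
        if pair_match:
            active_state, backup_state = pair_match.group(3).split("/")
            pairs.append({
                "active": pair_match.group(1),
                "backup": pair_match.group(2),
                "active_state": active_state.split()[1],  # Up or Down
                "backup_state": backup_state.split()[1],  # Standby, Up or Down
                "active_pref": set(),
                "backup_pref": set(),
            })
            continue
        pref_match = PREF_RE.match(line)
        if pref_match and pairs:
            key = "active_pref" if pref_match.group(1) == "Active" else "backup_pref"
            pairs[-1][key] = parse_vlan_list(pref_match.group(2))
    return pairs


def forwarding_map(pair: Dict) -> Dict[str, Set[int]]:
    """VLANs each member forwards, per the rules in the text: with both links up
    each member forwards its preferred VLANs; with one link down the peer
    carries every VLAN of the pair."""
    all_vlans = pair["active_pref"] | pair["backup_pref"]
    if pair["active_state"] == "Down":
        return {pair["active"]: set(), pair["backup"]: all_vlans}
    if pair["backup_state"] == "Down":
        return {pair["active"]: all_vlans, pair["backup"]: set()}
    return {pair["active"]: set(pair["active_pref"]),
            pair["backup"]: set(pair["backup_pref"])}


if __name__ == "__main__":
    for pair in parse_backup_pairs(SAMPLE_OUTPUT):
        for port, vlans in forwarding_map(pair).items():
            print(f"{port}: {len(vlans)} VLANs forwarding")
```

Feed it the output of the same command from a live switch to see, per member, the VLAN set that is actually being forwarded at that moment rather than the configured preference.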

Configuring the MAC Address-Table Move Update: Examples


This example shows how to verify the configuration after you configure an access switch to send MAC
address-table move updates:


SwitchDevice# show mac address-table move update

Switch-ID : 010b.4630.1780
Dst mac-address : 0180.c200.0010
Vlans/Macs supported : 1023/8320
Default/Current settings: Rcv Off/On, Xmt Off/On
Max packets per min : Rcv 40, Xmt 60
Rcv packet count : 5
Rcv conforming packet count : 5
Rcv invalid packet count : 0
Rcv packet count this min : 0
Rcv threshold exceed count : 0
Rcv last sequence# this min : 0
Rcv last interface : Po2
Rcv last src-mac-address : 000b.462d.c502
Rcv last switch-ID : 0403.fd6a.8700
Xmt packet count : 0
Xmt packet count this min : 0
Xmt threshold exceed count : 0
Xmt pak buf unavail cnt : 0
Xmt last interface : None
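An operator verifying MMU on an access switch usually wants the same few answers from this output: is transmit actually on now (the Default/Current line shows both), have invalid or non-conforming updates arrived and from which source MAC and switch-ID, and has the per-minute rate limit been hit. The Python below is an added example, not from the guide; it parses the name : value lines of the output shown above (embedded as a constructed sample) and returns a list of findings.

```python
import re
from typing import Dict, List

# Constructed sample: the 'show mac address-table move update' output shown above.
SAMPLE_MMU = """\
Switch-ID : 010b.4630.1780
Dst mac-address : 0180.c200.0010
Vlans/Macs supported : 1023/8320
Default/Current settings: Rcv Off/On, Xmt Off/On
Max packets per min : Rcv 40, Xmt 60
Rcv packet count : 5
Rcv conforming packet count : 5
Rcv invalid packet count : 0
Rcv packet count this min : 0
Rcv threshold exceed count : 0
Rcv last sequence# this min : 0
Rcv last interface : Po2
Rcv last src-mac-address : 000b.462d.c502
Rcv last switch-ID : 0403.fd6a.8700
Xmt packet count : 0
Xmt packet count this min : 0
Xmt threshold exceed count : 0
Xmt pak buf unavail cnt : 0
Xmt last interface : None
"""


def parse_mmu_status(output: str) -> Dict[str, str]:
    """Split each 'name : value' line into a dictionary entry."""
    fields: Dict[str, str] = {}
    for line in output.splitlines():
        name, sep, value = line.partition(":")
        if sep:
            fields[name.strip()] = value.strip()
    return fields


def counter(fields: Dict[str, str], name: str) -> int:
    return int(fields.get(name, "0"))


def current_settings(fields: Dict[str, str]) -> Dict[str, bool]:
    """Current receive/transmit state from the 'Rcv Off/On, Xmt Off/On' line."""
    match = re.search(r"Rcv \w+/(\w+), Xmt \w+/(\w+)",
                      fields.get("Default/Current settings", ""))
    if match is None:
        raise ValueError("Default/Current settings line not found")
    return {"rcv": match.group(1) == "On", "xmt": match.group(2) == "On"}


def mmu_findings(output: str) -> List[str]:
    """Checks worth making after enabling MMU on an access switch."""
    fields = parse_mmu_status(output)
    settings = current_settings(fields)
    findings: List[str] = []
    if not settings["xmt"]:
        findings.append("MMU transmit is currently Off: this switch will not send move updates")
    if not settings["rcv"]:
        findings.append("MMU receive is currently Off: updates from peers are ignored")
    invalid = counter(fields, "Rcv invalid packet count")
    if invalid:
        findings.append(
            f"{invalid} invalid update(s) received; last sender "
            f"{fields.get('Rcv last src-mac-address')} (switch-ID "
            f"{fields.get('Rcv last switch-ID')}) on {fields.get('Rcv last interface')}")
    received = counter(fields, "Rcv packet count")
    conforming = counter(fields, "Rcv conforming packet count")
    if received != conforming:
        findings.append(f"{received - conforming} non-conforming update(s) received")
    limits = re.search(r"Rcv (\d+), Xmt (\d+)", fields.get("Max packets per min", ""))
    for direction, key in (("Rcv", "Rcv threshold exceed count"),
                           ("Xmt", "Xmt threshold exceed count")):
        exceeded = counter(fields, key)
        if exceeded:
            limit = limits.group(1 if direction == "Rcv" else 2) if limits else "?"
            findings.append(f"{direction} rate limit of {limit} packets/min exceeded {exceeded} time(s)")
    if counter(fields, "Xmt pak buf unavail cnt"):
        findings.append("transmit packet buffers were unavailable; some updates were not sent")
    return findings


if __name__ == "__main__":
    print(mmu_findings(SAMPLE_MMU) or "no findings")
```

The sample above produces no findings; the same function run against the output of a switch that has counted invalid or rate-limited updates names the last sender so it can be checked against the expected peer.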

Configuring Multicast Fast Convergence with Flex Links Failover: Examples


These are configuration examples for learning the other Flex Links port as the mrouter port when Flex Links
is configured on GigabitEthernet1/0/11 and GigabitEthernet1/0/12, and output for the show interfaces
switchport backup command:

SwitchDevice# configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
SwitchDevice(config)# interface GigabitEthernet1/0/11
SwitchDevice(config-if)# switchport trunk encapsulation dot1q
SwitchDevice(config-if)# switchport mode trunk
SwitchDevice(config-if)# switchport backup interface GigabitEthernet1/0/12
SwitchDevice(config-if)# exit
SwitchDevice(config)# interface GigabitEthernet1/0/12
SwitchDevice(config-if)# switchport trunk encapsulation dot1q
SwitchDevice(config-if)# switchport mode trunk
SwitchDevice(config-if)# end
SwitchDevice# show interfaces switchport backup detail
Switch Backup Interface Pairs:
Active Interface Backup Interface State
GigabitEthernet1/0/11 GigabitEthernet1/0/12 Active Up/Backup Standby
Preemption Mode : off
Multicast Fast Convergence : Off
Bandwidth : 100000 Kbit (Gi1/0/11), 100000 Kbit (Gi1/0/12)
Mac Address Move Update Vlan : auto

This output shows a querier for VLANs 1 and 401, with their queries reaching the switch through
GigabitEthernet1/0/11:

SwitchDevice# show ip igmp snooping querier

Vlan      IP Address               IGMP Version   Port
-------------------------------------------------------------
1         1.1.1.1                  v2             Gi1/0/11
401       41.41.41.1               v2             Gi1/0/11

This example is output for the show ip igmp snooping mrouter command for VLANs 1 and 401:

SwitchDevice# show ip igmp snooping mrouter

Vlan ports
---- -----
1 Gi1/0/11(dynamic), Gi1/0/12(dynamic)
401 Gi1/0/11(dynamic), Gi1/0/12(dynamic)

Similarly, both Flex Links ports are part of learned groups. In this example, GigabitEthernet2/0/11 is a
receiver/host in VLAN 1, which is interested in two multicast groups:

SwitchDevice# show ip igmp snooping groups

Vlan Group Type Version Port List


-----------------------------------------------------------------------
1 228.1.5.1 igmp v2 Gi1/0/11, Gi1/0/12, Gi2/0/11
1 228.1.5.2 igmp v2 Gi1/0/11, Gi1/0/12, Gi2/0/11

When a host responds to the general query, the switch forwards this report on all the mrouter ports. In this
example, when a host sends a report for the group 228.1.5.1, it is forwarded only on GigabitEthernet1/0/11,
because the backup port GigabitEthernet1/0/12 is blocked. When the active link, GigabitEthernet1/0/11, goes
down, the backup port, GigabitEthernet1/0/12, begins forwarding.
As soon as this port starts forwarding, the switch sends proxy reports for the groups 228.1.5.1 and 228.1.5.2
on behalf of the host. The upstream router learns the groups and starts forwarding multicast data. This is the
default behavior of Flex Links. This behavior changes when the user configures fast convergence using the
switchport backup interface gigabitEthernet 1/0/12 multicast fast-convergence command. This example
shows turning on this feature:

SwitchDevice# configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
SwitchDevice(config)# interface gigabitEthernet 1/0/11
SwitchDevice(config-if)# switchport backup interface gigabitEthernet 1/0/12 multicast fast-convergence
SwitchDevice(config-if)# end
SwitchDevice# show interfaces switchport backup detail

Switch Backup Interface Pairs:


Active Interface Backup Interface State
------------------------------------------------------------------------
GigabitEthernet1/0/11 GigabitEthernet1/0/12 Active Up/Backup Standby
Preemption Mode : off
Multicast Fast Convergence : On
Bandwidth : 100000 Kbit (Gi1/0/11), 100000 Kbit (Gi1/0/12)
Mac Address Move Update Vlan : auto

This output shows a querier for VLAN 1 and 401 with their queries reaching the switch through
GigabitEthernet1/0/11:

SwitchDevice# show ip igmp snooping querier

Vlan      IP Address               IGMP Version   Port
-------------------------------------------------------------
1         1.1.1.1                  v2             Gi1/0/11
401       41.41.41.1               v2             Gi1/0/11

This is output for the show ip igmp snooping mrouter command for VLAN 1 and 401:

SwitchDevice# show ip igmp snooping mrouter

Vlan ports
---- -----
1 Gi1/0/11(dynamic), Gi1/0/12(dynamic)
401 Gi1/0/11(dynamic), Gi1/0/12(dynamic)

Similarly, both the Flex Links ports are a part of the learned groups. In this example, GigabitEthernet2/0/11
is a receiver/host in VLAN 1, which is interested in two multicast groups:

SwitchDevice# show ip igmp snooping groups

Vlan Group Type Version Port List


-----------------------------------------------------------------------
1 228.1.5.1 igmp v2 Gi1/0/11, Gi1/0/12, Gi2/0/11
1 228.1.5.2 igmp v2 Gi1/0/11, Gi1/0/12, Gi2/0/11

Whenever a host responds to the general query, the switch forwards this report on all the mrouter ports. When
you turn on this feature through the command-line interface, a report that the switch forwards on
GigabitEthernet1/0/11 is also leaked to the backup port GigabitEthernet1/0/12. The upstream router learns
the groups and starts forwarding multicast data on both links; the copy arriving on GigabitEthernet1/0/12 is
dropped at ingress because that port is blocked. When the active link, GigabitEthernet1/0/11, goes
down, the backup port, GigabitEthernet1/0/12, begins forwarding. No proxy reports need to be sent, because
the upstream router is already forwarding the multicast data. By leaking reports to the backup port, a redundant
multicast path has been set up in advance, and the time taken for multicast traffic to converge is minimal.
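To make the difference between the two behaviours concrete, the following is an added Python model, not the guide's code and a deliberate simplification of IGMP snooping: one upstream mrouter, one Flex Links pair, and one host joined to the two groups from the example. Port and group names are taken from the example above; the router and switch classes, and the idea that the router "sends" a group down a port once a report has arrived there, are assumptions of the model.

```python
from typing import Dict, List, Set


class UpstreamRouter:
    """Models the mrouter: it forwards a group down a port once a report arrives there."""

    def __init__(self) -> None:
        self.forwarding: Dict[str, Set[str]] = {}

    def receive_report(self, port: str, group: str) -> None:
        self.forwarding.setdefault(port, set()).add(group)

    def sends(self, port: str, group: str) -> bool:
        return group in self.forwarding.get(port, set())


class FlexLinksSwitch:
    def __init__(self, active: str, backup: str, router: UpstreamRouter,
                 fast_convergence: bool) -> None:
        self.active, self.backup, self.router = active, backup, router
        self.fast_convergence = fast_convergence
        self.forwarding_port = active          # the backup port starts blocked
        self.joined: Set[str] = set()          # groups learned from the host
        self.proxy_reports_sent: List[str] = []

    def host_report(self, group: str) -> None:
        """A host answers the general query; the switch relays it on the mrouter port."""
        self.joined.add(group)
        self.router.receive_report(self.forwarding_port, group)
        if self.fast_convergence and self.forwarding_port == self.active:
            # Fast convergence: the report is also leaked to the blocked backup port.
            self.router.receive_report(self.backup, group)

    def receives_data(self, group: str) -> bool:
        """Data arriving on the blocked port is dropped at ingress, so only the
        forwarding port counts."""
        return self.router.sends(self.forwarding_port, group)

    def active_link_down(self) -> None:
        self.forwarding_port = self.backup
        if not self.fast_convergence:
            # Default Flex Links behaviour: proxy reports for every joined group.
            for group in sorted(self.joined):
                self.router.receive_report(self.backup, group)
                self.proxy_reports_sent.append(group)


def failover_demo(fast_convergence: bool) -> dict:
    router = UpstreamRouter()
    sw = FlexLinksSwitch("Gi1/0/11", "Gi1/0/12", router, fast_convergence)
    for group in ("228.1.5.1", "228.1.5.2"):
        sw.host_report(group)
    before = all(sw.receives_data(g) for g in sw.joined)
    # Is the upstream router already sending on the backup port before the failure?
    backup_primed = all(router.sends("Gi1/0/12", g) for g in sw.joined)
    sw.active_link_down()
    return {
        "data_flows_before_failover": before,
        "backup_primed_before_failover": backup_primed,
        "proxy_reports_sent": sw.proxy_reports_sent,
        "data_flows_after_failover": all(sw.receives_data(g) for g in sw.joined),
    }


if __name__ == "__main__":
    print("default:         ", failover_demo(False))
    print("fast-convergence:", failover_demo(True))
```

Both runs end with data flowing after the failover; what differs is whether the switch had to send proxy reports at failover time (default) or the upstream router was already sending on the backup link before it (fast convergence).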

CHAPTER 22
Configuring UniDirectional Link Detection
• Finding Feature Information, on page 421
• Restrictions for Configuring UDLD, on page 421
• Information About UDLD, on page 422
• How to Configure UDLD, on page 424
• Monitoring and Maintaining UDLD, on page 427

Finding Feature Information


Your software release may not support all the features documented in this module. For the latest caveats and
feature information, see Bug Search Tool and the release notes for your platform and software release. To
find information about the features documented in this module, and to see a list of the releases in which each
feature is supported, see the feature information table at the end of this module.
Use Cisco Feature Navigator to find information about platform support and Cisco software image support.
To access Cisco Feature Navigator, go to http://www.cisco.com/go/cfn. An account on Cisco.com is not
required.

Restrictions for Configuring UDLD


The following are restrictions for configuring UniDirectional Link Detection (UDLD):
• A UDLD-capable port cannot detect a unidirectional link if it is connected to a UDLD-incapable port of
another switch.
• When configuring the mode (normal or aggressive), make sure that the same mode is configured on both
sides of the link.

Caution Loop guard works only on point-to-point links. We recommend that each end of the link has a directly connected
device that is running STP.


Information About UDLD


UniDirectional Link Detection (UDLD) is a Layer 2 protocol that enables devices connected through fiber-optic
or twisted-pair Ethernet cables to monitor the physical configuration of the cables and detect when a
unidirectional link exists. All connected devices must support UDLD for the protocol to successfully identify
and disable unidirectional links. When UDLD detects a unidirectional link, it disables the affected port and
alerts you. Unidirectional links can cause a variety of problems, including spanning-tree topology loops.

Modes of Operation
UDLD supports two modes of operation: normal (the default) and aggressive. In normal mode, UDLD can
detect unidirectional links due to misconnected ports on fiber-optic connections. In aggressive mode, UDLD
can also detect unidirectional links due to one-way traffic on fiber-optic and twisted-pair links and to
misconnected ports on fiber-optic links.
In normal and aggressive modes, UDLD works with the Layer 1 mechanisms to learn the physical status of
a link. At Layer 1, autonegotiation takes care of physical signaling and fault detection. UDLD performs tasks
that autonegotiation cannot perform, such as detecting the identities of neighbors and shutting down
misconnected ports. When you enable both autonegotiation and UDLD, the Layer 1 and Layer 2 detections
work together to prevent physical and logical unidirectional connections and the malfunctioning of other
protocols.
A unidirectional link occurs whenever traffic sent by a local device is received by its neighbor but traffic from
the neighbor is not received by the local device.

Normal Mode
In normal mode, UDLD detects a unidirectional link when fiber strands in a fiber-optic port are misconnected
and the Layer 1 mechanisms do not detect this misconnection. If the ports are connected correctly but the
traffic is one way, UDLD does not detect the unidirectional link because the Layer 1 mechanism, which is
supposed to detect this condition, does not do so. In this case, the logical link is considered undetermined,
and UDLD does not disable the port.
When UDLD is in normal mode, if one of the fiber strands in a pair is disconnected, as long as autonegotiation
is active, the link does not stay up because the Layer 1 mechanisms detect a physical problem with the link.
In this case, UDLD does not take any action and the logical link is considered undetermined.
Related Topics
Enabling UDLD Globally, on page 424
Enabling UDLD on an Interface, on page 426

Aggressive Mode
In aggressive mode, UDLD detects a unidirectional link by using the previous detection methods. UDLD in
aggressive mode can also detect a unidirectional link on a point-to-point link on which no failure between the
two devices is allowed. It can also detect a unidirectional link when one of these problems exists:
• On fiber-optic or twisted-pair links, one of the ports cannot send or receive traffic.
• On fiber-optic or twisted-pair links, one of the ports is down while the other is up.
• One of the fiber strands in the cable is disconnected.


In these cases, UDLD disables the affected port.


In a point-to-point link, UDLD hello packets can be considered a heartbeat whose presence guarantees the
health of the link. Conversely, the loss of the heartbeat means that the link must be shut down if it is not
possible to reestablish a bidirectional link.
If both fiber strands in a cable are working normally from a Layer 1 perspective, UDLD in aggressive mode
detects whether those fiber strands are connected correctly and whether traffic is flowing bidirectionally
between the correct neighbors. This check cannot be performed by autonegotiation because autonegotiation
operates at Layer 1.
Related Topics
Enabling UDLD Globally, on page 424
Enabling UDLD on an Interface, on page 426

Methods to Detect Unidirectional Links


UDLD operates by using two methods:
• Neighbor database maintenance
• Event-driven detection and echoing

Related Topics
Enabling UDLD Globally, on page 424
Enabling UDLD on an Interface, on page 426

Neighbor Database Maintenance


UDLD learns about other UDLD-capable neighbors by periodically sending a hello packet (also called an
advertisement or probe) on every active port to keep each device informed about its neighbors.
When the switch receives a hello message, it caches the information until the age time (hold time or time-to-live)
expires. If the switch receives a new hello message before an older cache entry ages, the switch replaces the
older entry with the new one.
Whenever a port is disabled and UDLD is running, whenever UDLD is disabled on a port, or whenever the
switch is reset, UDLD clears all existing cache entries for the ports affected by the configuration change.
UDLD sends at least one message to inform the neighbors to flush the part of their caches affected by the
status change. The message is intended to keep the caches synchronized.

Event-Driven Detection and Echoing


UDLD relies on echoing as its detection operation. Whenever a UDLD device learns about a new neighbor
or receives a resynchronization request from an out-of-sync neighbor, it restarts the detection window on its
side of the connection and sends echo messages in reply. Because this behavior is the same on all UDLD
neighbors, the sender of the echoes expects to receive an echo in reply.
If the detection window ends and no valid reply message is received, the link might shut down, depending on
the UDLD mode. When UDLD is in normal mode, the link might be considered undetermined and might not
be shut down. When UDLD is in aggressive mode, the link is considered unidirectional, and the port is disabled.
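The neighbor cache and the echo-based detection window described above can be exercised in a small discrete-time model. The Python below is an added example, not from the guide. The 15-second hello interval matches the default message timer; the 45-second hold time and detection window, the state names and the simplification that a port learns it is bidirectional when its own name comes back in the neighbor's echo are all assumptions of the model. It drives two ports over a link whose two directions can be failed independently and shows how normal and aggressive mode differ when the echo never comes back or a previously bidirectional neighbor goes quiet.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

MESSAGE_INTERVAL = 15   # default UDLD message timer (seconds)
HOLD_TIME = 45          # assumed cache time-to-live for this model
DETECTION_WINDOW = 45   # assumed detection window for this model


@dataclass
class Hello:
    sender: str
    echo: List[str]  # neighbors the sender currently has cached: the "echo"


@dataclass
class UdldPort:
    name: str
    mode: str = "normal"  # "normal" or "aggressive"
    cache: Dict[str, int] = field(default_factory=dict)  # neighbor -> expiry time
    window_end: Optional[int] = None
    state: str = "undetermined"  # undetermined | bidirectional | errdisabled

    def build_hello(self) -> Optional[Hello]:
        # An error-disabled port stops probing.
        return None if self.state == "errdisabled" else Hello(self.name, sorted(self.cache))

    def receive(self, hello: Hello, now: int) -> None:
        if self.state == "errdisabled":
            return
        is_new = hello.sender not in self.cache
        self.cache[hello.sender] = now + HOLD_TIME  # refresh the neighbor entry
        if self.name in hello.echo:
            # Our own name came back in the neighbor's echo: traffic flows both ways.
            self.state = "bidirectional"
            self.window_end = None
        elif is_new or self.state == "bidirectional":
            # New neighbor, or a known neighbor that no longer hears us
            # (resynchronization): restart the detection window on our side.
            self.state = "undetermined"
            self.window_end = now + DETECTION_WINDOW

    def tick(self, now: int) -> None:
        if self.state == "errdisabled":
            return
        for neighbor in [n for n, expiry in self.cache.items() if expiry <= now]:
            del self.cache[neighbor]
            if self.state == "bidirectional":
                # Heartbeat lost: give the neighbor one detection window to come back.
                self.state = "undetermined"
                self.window_end = now + DETECTION_WINDOW
        if self.window_end is not None and now >= self.window_end:
            self.window_end = None
            if self.state != "bidirectional" and self.mode == "aggressive":
                # Aggressive mode disables the port; normal mode leaves it undetermined.
                self.state = "errdisabled"


@dataclass
class Link:
    a_to_b: bool = True  # can port A's frames reach port B?
    b_to_a: bool = True


def simulate(a: UdldPort, b: UdldPort, link: Link, start: int, end: int) -> None:
    """Exchange hellos every MESSAGE_INTERVAL seconds for start <= t < end."""
    for now in range(start, end, MESSAGE_INTERVAL):
        hello_a, hello_b = a.build_hello(), b.build_hello()
        if hello_a is not None and link.a_to_b:
            b.receive(hello_a, now)
        if hello_b is not None and link.b_to_a:
            a.receive(hello_b, now)
        a.tick(now)
        b.tick(now)


def healthy_link(mode: str) -> Tuple[str, str]:
    a, b = UdldPort("Gi1/0/1", mode), UdldPort("Gi1/0/2", mode)
    simulate(a, b, Link(), 0, 60)
    return a.state, b.state


def one_way_from_start(mode: str) -> Tuple[str, str]:
    """The A->B strand never works: A hears B but is never echoed back."""
    a, b = UdldPort("Gi1/0/1", mode), UdldPort("Gi1/0/2", mode)
    simulate(a, b, Link(a_to_b=False), 0, 120)
    return a.state, b.state


def heartbeat_lost(mode: str) -> Tuple[str, str]:
    """Bidirectional at first; then the B->A direction fails."""
    a, b = UdldPort("Gi1/0/1", mode), UdldPort("Gi1/0/2", mode)
    link = Link()
    simulate(a, b, link, 0, 60)
    link.b_to_a = False
    simulate(a, b, link, 60, 240)
    return a.state, b.state


if __name__ == "__main__":
    for mode in ("normal", "aggressive"):
        print(mode, healthy_link(mode), one_way_from_start(mode), heartbeat_lost(mode))
```

In the one-way case only the port that hears the neighbor but is never echoed can act, and only in aggressive mode; the silent far end has nothing in its cache and stays undetermined, which is why the restriction above asks for the same mode on both sides.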
Related Topics
Enabling UDLD Globally, on page 424
Enabling UDLD on an Interface, on page 426

UDLD Reset Options


If an interface becomes disabled by UDLD, you can use one of the following options to reset UDLD:
• The udld reset interface configuration command.
• The shutdown interface configuration command followed by the no shutdown interface configuration
command restarts the disabled port.
• The no udld {aggressive | enable} global configuration command followed by the udld {aggressive |
enable} global configuration command reenables the disabled ports.
• The no udld port interface configuration command followed by the udld port [aggressive] interface
configuration command reenables the disabled fiber-optic port.
• The errdisable recovery cause udld global configuration command enables the timer to automatically
recover from the UDLD error-disabled state, and the errdisable recovery interval interval global
configuration command specifies the time to recover from the UDLD error-disabled state.

Related Topics
Enabling UDLD Globally, on page 424
Enabling UDLD on an Interface, on page 426

Default UDLD Configuration


Table 40: Default UDLD Configuration

Feature                                                      Default Setting
UDLD global enable state                                     Globally disabled
UDLD per-port enable state for fiber-optic media             Disabled on all Ethernet fiber-optic ports
UDLD per-port enable state for twisted-pair (copper) media   Disabled on all Ethernet 10/100 and 1000BASE-TX ports
UDLD aggressive mode                                         Disabled

Related Topics
Enabling UDLD Globally, on page 424
Enabling UDLD on an Interface, on page 426

How to Configure UDLD


Enabling UDLD Globally
Follow these steps to enable UDLD in the aggressive or normal mode and to set the configurable message
timer on all fiber-optic ports on the switch.


SUMMARY STEPS
1. configure terminal
2. udld {aggressive | enable | message time message-timer-interval}
3. end

DETAILED STEPS

Step 1  configure terminal
        Purpose: Enters global configuration mode.
        Example:
        SwitchDevice# configure terminal

Step 2  udld {aggressive | enable | message time message-timer-interval}
        Purpose: Specifies the UDLD mode of operation:
        • aggressive—Enables UDLD in aggressive mode on all fiber-optic ports.
        • enable—Enables UDLD in normal mode on all fiber-optic ports on the switch. UDLD is disabled by
        default. An individual interface configuration overrides the setting of the udld enable global
        configuration command.
        • message time message-timer-interval—Configures the period of time between UDLD probe messages on
        ports that are in the advertisement phase and are detected to be bidirectional. The range is from 1 to 90
        seconds; the default value is 15.
        Note: This command affects fiber-optic ports only. Use the udld interface configuration command to
        enable UDLD on other port types.
        Use the no form of this command to disable UDLD.
        Example:
        SwitchDevice(config)# udld enable
        SwitchDevice(config)# udld message time 10

Step 3  end
        Purpose: Returns to privileged EXEC mode.
        Example:
        SwitchDevice(config)# end

Related Topics
Monitoring and Maintaining UDLD, on page 427
Aggressive Mode, on page 422
Normal Mode, on page 422
Methods to Detect Unidirectional Links, on page 423
Event-Driven Detection and Echoing, on page 423
UDLD Reset Options, on page 424
Default UDLD Configuration, on page 424

Enabling UDLD on an Interface


Follow these steps either to enable UDLD in the aggressive or normal mode or to disable UDLD on a port.

SUMMARY STEPS
1. configure terminal
2. interface interface-id
3. udld port [aggressive]
4. end

DETAILED STEPS

Step 1  configure terminal
        Purpose: Enters global configuration mode.
        Example:
        SwitchDevice# configure terminal

Step 2  interface interface-id
        Purpose: Specifies the port to be enabled for UDLD, and enters interface configuration mode.
        Example:
        SwitchDevice(config)# interface gigabitethernet 1/0/1

Step 3  udld port [aggressive]
        Purpose: UDLD is disabled by default.
        • udld port—Enables UDLD in normal mode on the specified port.
        • udld port aggressive—(Optional) Enables UDLD in aggressive mode on the specified port.
        Note: Use the no udld port interface configuration command to disable UDLD on a specified
        fiber-optic port.
        Example:
        SwitchDevice(config-if)# udld port aggressive

Step 4  end
        Purpose: Returns to privileged EXEC mode.
        Example:
        SwitchDevice(config-if)# end


Related Topics
Monitoring and Maintaining UDLD, on page 427
Aggressive Mode, on page 422
Normal Mode, on page 422
Methods to Detect Unidirectional Links, on page 423
Event-Driven Detection and Echoing, on page 423
UDLD Reset Options, on page 424
Default UDLD Configuration, on page 424

Monitoring and Maintaining UDLD


Command                                   Purpose
show udld [interface-id | neighbors]      Displays the UDLD status for the specified port or for all ports.
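Two points in this chapter are easy to get wrong across a pair of switches: the interface-level udld port setting overrides the global udld command, the global command covers fiber-optic ports only, and both ends of a link must run the same mode. The Python below is an added example, not from the guide, that derives the effective mode of a port from a running-config excerpt and flags a mismatch between the two ends of a link. The switch names SW-A and SW-B and the configuration excerpts are constructed for the example.

```python
from typing import Dict, List, Optional, Tuple

# Constructed running-config excerpts for the two ends of one link
# (hypothetical switches SW-A and SW-B); not taken from the guide.
CONFIG_SW_A = """\
hostname SW-A
!
udld aggressive
!
interface GigabitEthernet1/0/1
 description fiber uplink to SW-B Gi1/0/24
 udld port aggressive
!
interface GigabitEthernet1/0/2
 description second fiber uplink, inherits the global setting
!
interface GigabitEthernet1/0/3
 description copper access port
!
"""

CONFIG_SW_B = """\
hostname SW-B
!
udld enable
!
interface GigabitEthernet1/0/24
 description fiber downlink to SW-A Gi1/0/1
 udld port
!
"""


def parse_udld_config(config: str) -> Tuple[Optional[str], Dict[str, str]]:
    """Return (global mode, {interface: per-port mode}) from a running config."""
    global_mode: Optional[str] = None
    per_port: Dict[str, str] = {}
    current: Optional[str] = None
    for raw in config.splitlines():
        line = raw.strip()
        if not raw.startswith(" "):  # top-level (global) line
            current = line.split(None, 1)[1] if line.startswith("interface ") else None
            if line == "udld aggressive":
                global_mode = "aggressive"
            elif line == "udld enable":
                global_mode = "normal"
            continue
        if current is None:
            continue
        if line == "udld port aggressive":
            per_port[current] = "aggressive"
        elif line == "udld port":
            per_port[current] = "normal"
        elif line == "no udld port":
            per_port[current] = "disabled"
    return global_mode, per_port


def effective_mode(config: str, interface: str, fiber: bool) -> str:
    """Interface configuration wins; the global command covers fiber-optic ports only."""
    global_mode, per_port = parse_udld_config(config)
    if interface in per_port:
        return per_port[interface]
    if fiber and global_mode is not None:
        return global_mode
    return "disabled"


def check_link(config_a: str, port_a: str, fiber_a: bool,
               config_b: str, port_b: str, fiber_b: bool) -> List[str]:
    """Apply the restriction from this chapter: both ends must run the same mode."""
    mode_a = effective_mode(config_a, port_a, fiber_a)
    mode_b = effective_mode(config_b, port_b, fiber_b)
    if mode_a == "disabled" or mode_b == "disabled":
        return [f"UDLD disabled on one end ({port_a}={mode_a}, {port_b}={mode_b}): "
                "a UDLD-capable port cannot detect a unidirectional link to a UDLD-incapable peer"]
    if mode_a != mode_b:
        return [f"mode mismatch: {port_a} runs {mode_a}, {port_b} runs {mode_b}"]
    return []


if __name__ == "__main__":
    print(check_link(CONFIG_SW_A, "GigabitEthernet1/0/1", True,
                     CONFIG_SW_B, "GigabitEthernet1/0/24", True))
```

Whether a port is fiber or copper has to come from the operator (or an inventory), because the running config alone does not say; that is exactly the case in which a global udld enable looks like it covers a copper uplink but does not.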

PA R T IV
High Availability
• Configuring HSRP and VRRP, on page 431
• Configuring Service Level Agreements, on page 453
• Configuring Enhanced Object Tracking, on page 475
CHAPTER 23
Configuring HSRP and VRRP
• Configuring HSRP , on page 431

Configuring HSRP
This chapter describes how to use Hot Standby Router Protocol (HSRP) to provide routing redundancy for
routing IP traffic without being dependent on the availability of any single router.
You can also use a version of HSRP in Layer 2 mode to configure a redundant command switch to take over
cluster management if the cluster command switch fails.

Note HSRP and VRRP features are supported only on Cisco Catalyst 3560-CX switches.

Finding Feature Information


Your software release may not support all the features documented in this module. For the latest caveats and
feature information, see Bug Search Tool and the release notes for your platform and software release. To
find information about the features documented in this module, and to see a list of the releases in which each
feature is supported, see the feature information table at the end of this module.
Use Cisco Feature Navigator to find information about platform support and Cisco software image support.
To access Cisco Feature Navigator, go to http://www.cisco.com/go/cfn. An account on Cisco.com is not
required.

Information About Configuring HSRP


HSRP Overview
HSRP is Cisco's standard method of providing high network availability by providing first-hop redundancy
for IP hosts on an IEEE 802 LAN configured with a default gateway IP address. HSRP routes IP traffic without
relying on the availability of any single router. It enables a set of router interfaces to work together to present
the appearance of a single virtual router or default gateway to the hosts on a LAN. When HSRP is configured
on a network or segment, it provides a virtual Media Access Control (MAC) address and an IP address that
is shared among a group of configured routers. HSRP allows two or more HSRP-configured routers to use


the MAC address and IP network address of a virtual router. The virtual router does not exist; it represents
the common target for routers that are configured to provide backup to each other. One of the routers is selected
to be the active router and another to be the standby router, which assumes control of the group MAC address
and IP address should the designated active router fail.

Note Routers in an HSRP group can be any router interface that supports HSRP, including routed ports and switch
virtual interfaces (SVIs).

HSRP provides high network availability by providing redundancy for IP traffic from hosts on networks. In
a group of router interfaces, the active router is the router of choice for routing packets; the standby router is
the router that takes over the routing duties when an active router fails or when preset conditions are met.
HSRP is useful for hosts that do not support a router discovery protocol and cannot switch to a new router
when their selected router reloads or loses power. When HSRP is configured on a network segment, it provides
a virtual MAC address and an IP address that is shared among router interfaces in a group of router interfaces
running HSRP. The router selected by the protocol to be the active router receives and routes packets destined
for the group's MAC address. For n routers running HSRP, there are n +1 IP and MAC addresses assigned.
HSRP detects when the designated active router fails, and a selected standby router assumes control of the
Hot Standby group's MAC and IP addresses. A new standby router is also selected at that time. Devices
running HSRP send and receive multicast UDP-based hello packets to detect router failure and to designate
active and standby routers. When HSRP is configured on an interface, Internet Control Message Protocol
(ICMP) redirect messages are automatically enabled for the interface.
You can configure multiple Hot Standby groups among switches and switch stacks that are operating in Layer
3 to make more use of the redundant routers. To do so, specify a group number for each Hot Standby command
group you configure for an interface. For example, you might configure an interface on switch 1 as an active
router and one on switch 2 as a standby router and also configure another interface on switch 2 as an active
router with another interface on switch 1 as its standby router.
The following figure shows a segment of a network configured for HSRP. Each router is configured with the
MAC address and IP network address of the virtual router. Instead of configuring hosts on the network with
the IP address of Router A, you configure them with the IP address of the virtual router as their default router.
When Host C sends packets to Host B, it sends them to the MAC address of the virtual router. If for any
reason, Router A stops transferring packets, Router B responds to the virtual IP address and virtual MAC
address and becomes the active router, assuming the active router duties. Host C continues to use the IP address
of the virtual router to address packets destined for Host B, which Router B now receives and sends to Host
B. Until Router A resumes operation, HSRP allows Router B to provide uninterrupted service to users on
Host C's segment that need to communicate with users on Host B's segment and also continues to perform its
normal function of handling packets between the Host A segment and Host B.


Figure 48: Typical HSRP Configuration


HSRP Versions
The switch supports these Hot Standby Router Protocol (HSRP) versions:
• HSRPv1- Version 1 of the HSRP, the default version of HSRP. It has these features:
• The HSRP group number can be from 0 to 255.
• HSRPv1 uses the multicast address 224.0.0.2 to send hello packets, which can conflict with Cisco
Group Management Protocol (CGMP) leave processing. You cannot enable HSRPv1 and CGMP
at the same time; they are mutually exclusive.
• HSRPv2- Version 2 of the HSRP has these features:
• HSRPv2 uses the multicast address 224.0.0.102 to send hello packets. HSRPv2 and CGMP leave
processing are no longer mutually exclusive, and both can be enabled at the same time.
• HSRPv2 has a different packet format than HSRPv1.

A switch running HSRPv1 cannot identify the physical router that sent a hello packet because the source MAC
address of the router is the virtual MAC address.
HSRPv2 has a different packet format than HSRPv1. An HSRPv2 packet uses the type-length-value (TLV)
format and has a 6-byte identifier field with the MAC address of the physical router that sent the packet.


If an interface running HSRPv1 gets an HSRPv2 packet, the type field is ignored.

Multiple HSRP
The switch supports Multiple HSRP (MHSRP), an extension of HSRP that allows load sharing between two
or more HSRP groups. You can configure MHSRP to achieve load-balancing and to use two or more standby
groups (and paths) from a host network to a server network.
In the figure below, half the clients are configured for Router A, and half the clients are configured for Router
B. Together, the configuration for Routers A and B establishes two HSRP groups. For group 1, Router A is
the default active router because it has the assigned highest priority, and Router B is the standby router. For
group 2, Router B is the default active router because it has the assigned highest priority, and Router A is the
standby router. During normal operation, the two routers share the IP traffic load. When either router becomes
unavailable, the other router becomes active and assumes the packet-transfer functions of the router that is
unavailable.

Note For MHSRP, you need to enter the standby preempt interface configuration command on the HSRP interfaces
so that if a router fails and then comes back up, preemption restores load sharing.

Figure 49: MHSRP Load Sharing

Related Topics
Configuring MHSRP, on page 440
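The note above about standby preempt is the part of MHSRP that bites in practice: without it, a router that fails and returns stays standby in its own group, and the surviving router keeps carrying both groups. The Python below is an added model, not from the guide, of HSRP election as this chapter describes it (highest priority becomes active, the standby takes over when the active router fails) together with the HSRPv1 virtual MAC rule from the default configuration table in this chapter. The priorities 110 and 100, the name-based tie-break and the assumption that routers start at the same time are choices of the model; the guide does not state them.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional


def hsrpv1_virtual_mac(group: int) -> str:
    """HSRPv1 virtual MAC: 0000.0c07.acXX, where XX is the group number in hex."""
    if not 0 <= group <= 255:
        raise ValueError("HSRPv1 group numbers range from 0 to 255")
    return f"0000.0c07.ac{group:02x}"


@dataclass
class HsrpGroup:
    number: int
    preempt: bool = False
    priority: Dict[str, int] = field(default_factory=dict)  # router -> priority
    up: Dict[str, bool] = field(default_factory=dict)
    active: Optional[str] = None
    standby: Optional[str] = None

    def add_router(self, name: str, priority: int = 100) -> None:
        """Default priority is 100. Routers are assumed to start together."""
        self.priority[name] = priority
        self.up[name] = True
        self.elect(startup=True)

    def _ranked(self) -> List[str]:
        # Highest priority first. The text does not state a tie-break, so the
        # model uses the router name as an assumed, deterministic one.
        return sorted((r for r in self.priority if self.up[r]),
                      key=lambda r: (-self.priority[r], r))

    def elect(self, startup: bool = False) -> None:
        ranked = self._ranked()
        if not ranked:
            self.active = self.standby = None
            return
        active_alive = self.active is not None and self.up[self.active]
        # A running active router is only displaced when preemption is on.
        if startup or not active_alive or self.preempt:
            self.active = ranked[0]
        self.standby = next((r for r in ranked if r != self.active), None)

    def fail(self, name: str) -> None:
        self.up[name] = False
        self.elect()

    def recover(self, name: str) -> None:
        self.up[name] = True
        self.elect()


def mhsrp_after_recovery(preempt: bool) -> Dict[int, Optional[str]]:
    """Two groups as in the figure: A preferred for group 1, B for group 2.
    A fails, B takes both groups, then A comes back."""
    g1, g2 = HsrpGroup(1, preempt), HsrpGroup(2, preempt)
    g1.add_router("RouterA", 110)
    g1.add_router("RouterB", 100)
    g2.add_router("RouterA", 100)
    g2.add_router("RouterB", 110)
    for group in (g1, g2):
        group.fail("RouterA")
    assert g1.active == g2.active == "RouterB"  # B carries everything while A is down
    for group in (g1, g2):
        group.recover("RouterA")
    return {g1.number: g1.active, g2.number: g2.active}


if __name__ == "__main__":
    print("without preempt:", mhsrp_after_recovery(False))
    print("with preempt:   ", mhsrp_after_recovery(True))
    print("group 1 virtual MAC:", hsrpv1_virtual_mac(1))
```

Without preemption the result after recovery is RouterB active in both groups, so the load sharing the two groups were configured for is gone until someone intervenes; with preemption RouterA takes group 1 back.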

SSO HSRP
SSO HSRP alters the behavior of HSRP when a device with redundant Route Processors (RPs) is configured
for stateful switchover (SSO) redundancy mode. When an RP is active and the other RP is standby, SSO
enables the standby RP to take over if the active RP fails.
With this functionality, HSRP SSO information is synchronized to the standby RP, allowing traffic that is
sent using the HSRP virtual IP address to be continuously forwarded during a switchover without a loss of
data or a path change. Additionally, if both RPs fail on the active HSRP device, then the standby HSRP device
takes over as the active HSRP device.


The feature is enabled by default when the redundancy mode of operation is set to SSO.

How to Configure HSRP


Default HSRP Configuration
Table 41: Default HSRP Configuration

Feature                            Default Setting
HSRP version                       Version 1
HSRP groups                        None configured
Standby group number               0
Standby MAC address                System assigned as: 0000.0c07.acXX, where XX is the HSRP group number
Standby priority                   100
Standby delay                      0 (no delay)
Standby track interface priority   10
Standby hello time                 3 seconds
Standby holdtime                   10 seconds

HSRP Configuration Guidelines


• HSRPv2 and HSRPv1 are mutually exclusive: HSRPv2 is not interoperable with HSRPv1 on an interface,
and vice versa.
• In the procedures, the specified interface must be one of these Layer 3 interfaces:
• Routed port: A physical port configured as a Layer 3 port by entering the no switchport command
in interface configuration mode.
• SVI: A VLAN interface created by using the interface vlan vlan_id in global configuration mode,
and by default a Layer 3 interface.
• Etherchannel port channel in Layer 3 mode: A port-channel logical interface created by using the
interface port-channel port-channel-number in global configuration mode, and binding the Ethernet
interface into the channel group.

• All Layer 3 interfaces must have IP addresses assigned to them.



• If you change the HSRP version on an interface, each HSRP group resets because it now has a new virtual
MAC address.


Enabling HSRP
The standby ip interface configuration command activates HSRP on the configured interface. If an IP address
is specified, that address is used as the designated address for the Hot Standby group. If no IP address is
specified, the address is learned through the standby function. You must configure at least one Layer 3 port
on the LAN with the designated address. Configuring an IP address always overrides another designated
address currently in use.
When the standby ip command is enabled on an interface and proxy ARP is enabled, if the interface's Hot
Standby state is active, proxy ARP requests are answered using the Hot Standby group MAC address. If the
interface is in a different state, proxy ARP responses are suppressed.

SUMMARY STEPS
1. configure terminal
2. interface interface-id
3. standby version { 1 | 2 }
4. standby [group-number] ip [ip-address [secondary]]
5. end
6. show standby [interface-id [group]]
7. copy running-config startup-config

DETAILED STEPS

Step 1  configure terminal
        Enters global configuration mode.
        Example:
        Switch# configure terminal

Step 2  interface interface-id
        Enters interface configuration mode, and enters the Layer 3 interface on which you want to enable HSRP.
        Example:
        Switch(config)# interface gigabitethernet1/0/1

Step 3  standby version { 1 | 2 }
        (Optional) Configures the HSRP version on the interface.
        • 1: Selects HSRPv1.
        • 2: Selects HSRPv2.
        If you do not enter this command or do not specify a keyword, the interface runs the default HSRP version, HSRPv1.
        Example:
        Switch(config-if)# standby version 1

Step 4  standby [group-number] ip [ip-address [secondary]]
        Creates (or enables) the HSRP group using its number and virtual IP address.
        • (Optional) group-number: The group number on the interface for which HSRP is being enabled. The range is 0 to 255; the default is 0. If there is only one HSRP group, you do not need to enter a group number.
        • (Optional on all but one interface) ip-address: The virtual IP address of the hot standby router interface. You must enter the virtual IP address for at least one of the interfaces; it can be learned on the other interfaces.
        • (Optional) secondary: The IP address is a secondary hot standby router interface. If neither router is designated as a secondary or standby router and no priorities are set, the primary IP addresses are compared and the higher IP address is the active router, with the next highest as the standby router.
        Example:
        Switch(config-if)# standby 1 ip

Step 5  end
        Returns to privileged EXEC mode.
        Example:
        Switch(config-if)# end

Step 6  show standby [interface-id [group]]
        Verifies the configuration of the standby groups.
        Example:
        Switch# show standby

Step 7  copy running-config startup-config
        (Optional) Saves your entries in the configuration file.
        Example:
        Switch# copy running-config startup-config

Related Topics
Enabling HSRP: Example, on page 449

Configuring HSRP Priority


The standby priority, standby preempt, and standby track interface configuration commands are all used
to set characteristics for finding active and standby routers and behavior regarding when a new active router
takes over.
When configuring HSRP priority, follow these guidelines:
• Assigning a priority allows you to select the active and standby routers. If preemption is enabled, the router with the highest priority becomes the active router. If priorities are equal, the current active router does not change.
• The highest number (1 to 255) represents the highest priority (most likely to become the active router).
• When setting the priority, preempt, or both, you must specify at least one keyword (priority, preempt, or both).
• The priority of the device can change dynamically if an interface is configured with the standby track command and another interface on the router goes down.
• The standby track interface configuration command ties the router hot standby priority to the availability of its interfaces and is useful for tracking interfaces that are not configured for HSRP. When a tracked interface fails, the hot standby priority on the device on which tracking has been configured decreases by 10. If an interface is not tracked, its state changes do not affect the hot standby priority of the configured device. For each interface configured for hot standby, you can configure a separate list of interfaces to be tracked.
• The standby track interface-priority interface configuration command specifies how much to decrement the hot standby priority when a tracked interface goes down. When the interface comes back up, the priority is incremented by the same amount.
• When multiple tracked interfaces are down and interface-priority values have been configured, the configured priority decrements are cumulative. If tracked interfaces that were not configured with priority values fail, the default decrement is 10, and it is noncumulative.
• When routing is first enabled for the interface, it does not have a complete routing table. If it is configured to preempt, it becomes the active router, even though it is unable to provide adequate routing services. To solve this problem, configure a delay time to allow the router to update its routing table.
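The tracking and preemption rules above, as an added Python model that is not Cisco code: it computes a router's effective priority from the guide's decrement rules and runs the active/standby election for group 1 of the MHSRP layout described later in this chapter. Applying an explicit decrement and the default decrement together when both kinds of tracked interface fail is an assumption of the model; the guide describes each case only on its own.

```python
"""Model of HSRP priority, interface tracking and preemption (added example, not Cisco code)."""
from dataclasses import dataclass, field
from ipaddress import ip_address
from typing import Dict, List, Optional, Set, Tuple

DEFAULT_PRIORITY = 100        # default standby priority from the guide's default table
DEFAULT_TRACK_DECREMENT = 10  # default standby track interface priority


@dataclass
class HsrpRouter:
    name: str
    ip: str                    # primary interface address, used only to break priority ties
    priority: int = DEFAULT_PRIORITY
    preempt: bool = False
    # tracked interface -> explicit interface-priority, or None for the default decrement
    tracked: Dict[str, Optional[int]] = field(default_factory=dict)
    down: Set[str] = field(default_factory=set)  # tracked interfaces that are currently down

    def effective_priority(self) -> int:
        """Configured priority minus tracking decrements.

        Explicit interface-priority values are cumulative across failed interfaces;
        interfaces tracked without a value share one non-cumulative decrement of 10.
        Applying both kinds together when both fail is an assumption of this model.
        """
        explicit = sum(dec for ifname, dec in self.tracked.items()
                       if dec is not None and ifname in self.down)
        default_hit = any(dec is None and ifname in self.down
                          for ifname, dec in self.tracked.items())
        return self.priority - explicit - (DEFAULT_TRACK_DECREMENT if default_hit else 0)


def _rank(router: HsrpRouter) -> Tuple[int, int]:
    # Higher priority wins; with equal priorities the higher IP address wins.
    return (router.effective_priority(), int(ip_address(router.ip)))


def elect(routers: List[HsrpRouter], current_active: Optional[str] = None) -> Tuple[str, str]:
    """Return (active, standby) router names for one HSRP group.

    With no incumbent the best-ranked router becomes active. With an incumbent,
    only a router that has preempt enabled and a strictly higher effective
    priority takes over; equal priorities leave the active router unchanged.
    """
    ordered = sorted(routers, key=_rank, reverse=True)
    if current_active is None:
        active = ordered[0]
    else:
        active = next(r for r in routers if r.name == current_active)
        challengers = [r for r in ordered
                       if r.preempt and r.effective_priority() > active.effective_priority()]
        if challengers:
            active = challengers[0]
    standby = next(r for r in ordered if r.name != active.name)
    return active.name, standby.name


def mhsrp_group1_failover() -> List[Tuple[str, str, int]]:
    """Walk group 1 of the guide's MHSRP layout through an uplink failure and recovery.

    Router A (10.0.0.1, priority 110) tracks one uplink with an explicit decrement of 20
    and two more with the default decrement (tracked interfaces are constructed here);
    Router B (10.0.0.2) keeps the default priority of 100. Both routers preempt.
    Returns (active, standby, A's effective priority) after each event.
    """
    a = HsrpRouter("A", "10.0.0.1", priority=110, preempt=True,
                   tracked={"Gi1/1/1": 20, "Gi1/1/2": None, "Gi1/1/3": None})
    b = HsrpRouter("B", "10.0.0.2", preempt=True)
    trace = []
    active, standby = elect([a, b])                         # initial election: A wins on priority
    trace.append((active, standby, a.effective_priority()))
    a.down.update({"Gi1/1/2", "Gi1/1/3"})                   # two default-tracked links fail: -10 once
    active, standby = elect([a, b], current_active=active)  # 100 vs 100: A keeps the active role
    trace.append((active, standby, a.effective_priority()))
    a.down.add("Gi1/1/1")                                   # explicit -20 on top: A drops to 80
    active, standby = elect([a, b], current_active=active)  # B (100, preempt) takes over
    trace.append((active, standby, a.effective_priority()))
    a.down.clear()                                          # links recover: A is back at 110
    active, standby = elect([a, b], current_active=active)  # A preempts B again
    trace.append((active, standby, a.effective_priority()))
    return trace


if __name__ == "__main__":
    for step in mhsrp_group1_failover():
        print("active=%s standby=%s A_priority=%d" % step)
```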
Beginning in privileged EXEC mode, use one or more of these steps to configure HSRP priority characteristics
on an interface:

SUMMARY STEPS
1. configure terminal
2. interface interface-id
3. standby [group-number] priority priority
4. standby [group-number] preempt [delay [minimum seconds] [reload seconds] [sync seconds]]
5. standby [group-number] track type number [interface-priority]
6. end
7. show running-config
8. copy running-config startup-config

DETAILED STEPS

Step 1  configure terminal
        Enters global configuration mode.
        Example:
        Switch# configure terminal

Step 2  interface interface-id
        Enters interface configuration mode, and enters the HSRP interface on which you want to set priority.
        Example:
        Switch(config)# interface gigabitethernet1/0/1

Step 3  standby [group-number] priority priority
        Sets a priority value used in choosing the active router. The range is 1 to 255; the default priority is 100. The highest number represents the highest priority.
        • (Optional) group-number: The group number to which the command applies.
        Use the no form of the command to restore the default values.
        Example:
        Switch(config-if)# standby 120 priority 50

Step 4  standby [group-number] preempt [delay [minimum seconds] [reload seconds] [sync seconds]]
        Configures the router to preempt, which means that when the local router has a higher priority than the active router, it becomes the active router.
        • (Optional) group-number: The group number to which the command applies.
        • (Optional) delay minimum: Set to cause the local router to postpone taking over the active role for the number of seconds shown. The range is 0 to 3600 seconds (1 hour); the default is 0 (no delay before taking over).
        • (Optional) delay reload: Set to cause the local router to postpone taking over the active role after a reload for the number of seconds shown. The range is 0 to 3600 seconds (1 hour); the default is 0 (no delay before taking over after a reload).
        • (Optional) delay sync: Set to cause the local router to postpone taking over the active role so that IP redundancy clients can reply (either with an ok or wait reply) for the number of seconds shown. The range is 0 to 3600 seconds (1 hour); the default is 0 (no delay before taking over).
        Use the no form of the command to restore the default values.
        Example:
        Switch(config-if)# standby 1 preempt delay 300

Step 5  standby [group-number] track type number [interface-priority]
        Configures an interface to track other interfaces so that if one of the other interfaces goes down, the device's Hot Standby priority is lowered.
        • (Optional) group-number: The group number to which the command applies.
        • type: Enter the interface type (combined with interface number) that is tracked.
        • number: Enter the interface number (combined with interface type) that is tracked.
        • (Optional) interface-priority: Enter the amount by which the hot standby priority for the router is decremented or incremented when the interface goes down or comes back up. The default value is 10.
        Example:
        Switch(config-if)# standby track interface gigabitethernet1/1/1

Step 6  end
        Returns to privileged EXEC mode.
        Example:
        Switch(config-if)# end

Step 7  show running-config
        Verifies the configuration of the standby groups.

Step 8  copy running-config startup-config
        (Optional) Saves your entries in the configuration file.


Related Topics
Configuring HSRP Priority: Example, on page 449

Configuring MHSRP
To enable MHSRP and load-balancing, you configure two routers as active routers for their groups, with
virtual routers as standby routers as shown in the MHSRP Load Sharing figure in the Multiple HSRP section.
You need to enter the standby preempt interface configuration command on each HSRP interface so that if
a router fails and comes back up, the preemption occurs and restores load-balancing.
Router A is configured as the active router for group 1, and Router B is configured as the active router for
group 2. The HSRP interface for Router A has an IP address of 10.0.0.1 with a group 1 standby priority of
110 (the default is 100). The HSRP interface for Router B has an IP address of 10.0.0.2 with a group 2 standby
priority of 110.
Group 1 uses a virtual IP address of 10.0.0.3 and group 2 uses a virtual IP address of 10.0.0.4.
Related Topics
Multiple HSRP, on page 434

Configuring Router A

SUMMARY STEPS
1. configure terminal
2. interface type number
3. no switchport
4. ip address ip-address mask
5. standby [group-number] ip [ip-address [secondary]]
6. standby [group-number] priority priority
7. standby [group-number] preempt [delay [minimum seconds] [reload seconds] [sync seconds]]
8. standby [group-number] ip [ip-address [secondary]]
9. standby [group-number] preempt [delay [minimum seconds] [reload seconds] [sync seconds]]
10. end
11. show running-config
12. copy running-config startup-config

DETAILED STEPS

Step 1  configure terminal
        Enters global configuration mode.
        Example:
        Switch# configure terminal

Step 2  interface type number
        Configures an interface type and enters interface configuration mode.
        Example:
        Switch(config)# interface gigabitethernet1/0/1

Step 3  no switchport
        Switches an interface that is in Layer 2 mode into Layer 3 mode for Layer 3 configuration.
        Example:
        Switch(config-if)# no switchport

Step 4  ip address ip-address mask
        Specifies an IP address for an interface.
        Example:
        Switch(config-if)# ip address 10.0.0.1 255.255.255.0

Step 5  standby [group-number] ip [ip-address [secondary]]
        Creates the HSRP group using its number and virtual IP address.
        • (Optional) group-number: The group number on the interface for which HSRP is being enabled. The range is 0 to 255; the default is 0. If there is only one HSRP group, you do not need to enter a group number.
        • (Optional on all but one interface) ip-address: The virtual IP address of the hot standby router interface. You must enter the virtual IP address for at least one of the interfaces; it can be learned on the other interfaces.
        • (Optional) secondary: The IP address is a secondary hot standby router interface. If neither router is designated as a secondary or standby router and no priorities are set, the primary IP addresses are compared and the higher IP address is the active router, with the next highest as the standby router.
        Example:
        Switch(config-if)# standby 1 ip 10.0.0.3

Step 6  standby [group-number] priority priority
        Sets a priority value used in choosing the active router. The range is 1 to 255; the default priority is 100. The highest number represents the highest priority.
        • (Optional) group-number: The group number to which the command applies.
        Use the no form of the command to restore the default values.
        Example:
        Switch(config-if)# standby 1 priority 110

Step 7  standby [group-number] preempt [delay [minimum seconds] [reload seconds] [sync seconds]]
        Configures the router to preempt, which means that when the local router has a higher priority than the active router, it becomes the active router.
        • (Optional) group-number: The group number to which the command applies.
        • (Optional) delay minimum: Set to cause the local router to postpone taking over the active role for the number of seconds shown. The range is 0 to 3600 seconds (1 hour); the default is 0 (no delay before taking over).
        • (Optional) delay reload: Set to cause the local router to postpone taking over the active role after a reload for the number of seconds shown. The range is 0 to 3600 seconds (1 hour); the default is 0 (no delay before taking over after a reload).
        • (Optional) delay sync: Set to cause the local router to postpone taking over the active role so that IP redundancy clients can reply (either with an ok or wait reply) for the number of seconds shown. The range is 0 to 3600 seconds (1 hour); the default is 0 (no delay before taking over).
        Use the no form of the command to restore the default values.
        Example:
        Switch(config-if)# standby 1 preempt delay 300

Step 8  standby [group-number] ip [ip-address [secondary]]
        Creates the second HSRP group using its number and virtual IP address. The keywords are as described in Step 5.
        Example:
        Switch(config-if)# standby 2 ip 10.0.0.4

Step 9  standby [group-number] preempt [delay [minimum seconds] [reload seconds] [sync seconds]]
        Configures the router to preempt for the second group. The keywords are as described in Step 7.
        Example:
        Switch(config-if)# standby 2 preempt delay 300

Step 10 end
        Returns to privileged EXEC mode.
        Example:
        Switch(config-if)# end

Step 11 show running-config
        Verifies the configuration of the standby groups.

Step 12 copy running-config startup-config
        (Optional) Saves your entries in the configuration file.

Related Topics
Configuring MHSRP: Example, on page 449

Configuring Router B

SUMMARY STEPS
1. configure terminal
2. interface type number
3. no switchport
4. ip address ip-address mask
5. standby [group-number] ip [ip-address [secondary]]
6. standby [group-number] priority priority
7. standby [group-number] preempt [delay [minimum seconds] [reload seconds] [sync seconds]]
8. standby [group-number] ip [ip-address [secondary]]
9. standby [group-number] preempt [delay [minimum seconds] [reload seconds] [sync seconds]]
10. end
11. show running-config
12. copy running-config startup-config

DETAILED STEPS

Step 1  configure terminal
        Enters global configuration mode.
        Example:
        Switch# configure terminal

Step 2  interface type number
        Configures an interface type and enters interface configuration mode.
        Example:
        Switch(config)# interface gigabitethernet1/0/1

Step 3  no switchport
        Switches an interface that is in Layer 2 mode into Layer 3 mode for Layer 3 configuration.
        Example:
        Switch(config-if)# no switchport

Step 4  ip address ip-address mask
        Specifies an IP address for an interface.
        Example:
        Switch(config-if)# ip address 10.0.0.2 255.255.255.0

Step 5  standby [group-number] ip [ip-address [secondary]]
        Creates the HSRP group using its number and virtual IP address.
        • (Optional) group-number: The group number on the interface for which HSRP is being enabled. The range is 0 to 255; the default is 0. If there is only one HSRP group, you do not need to enter a group number.
        • (Optional on all but one interface) ip-address: The virtual IP address of the hot standby router interface. You must enter the virtual IP address for at least one of the interfaces; it can be learned on the other interfaces.
        • (Optional) secondary: The IP address is a secondary hot standby router interface. If neither router is designated as a secondary or standby router and no priorities are set, the primary IP addresses are compared and the higher IP address is the active router, with the next highest as the standby router.
        Example:
        Switch(config-if)# standby 1 ip 10.0.0.3

Step 6  standby [group-number] priority priority
        Sets a priority value used in choosing the active router. The range is 1 to 255; the default priority is 100. The highest number represents the highest priority. Router B is the active router for group 2, so the priority is raised on group 2 and group 1 keeps the default.
        • (Optional) group-number: The group number to which the command applies.
        Use the no form of the command to restore the default values.
        Example:
        Switch(config-if)# standby 2 priority 110

Step 7  standby [group-number] preempt [delay [minimum seconds] [reload seconds] [sync seconds]]
        Configures the router to preempt, which means that when the local router has a higher priority than the active router, it becomes the active router.
        • (Optional) group-number: The group number to which the command applies.
        • (Optional) delay minimum: Set to cause the local router to postpone taking over the active role for the number of seconds shown. The range is 0 to 3600 seconds (1 hour); the default is 0 (no delay before taking over).
        • (Optional) delay reload: Set to cause the local router to postpone taking over the active role after a reload for the number of seconds shown. The range is 0 to 3600 seconds (1 hour); the default is 0 (no delay before taking over after a reload).
        • (Optional) delay sync: Set to cause the local router to postpone taking over the active role so that IP redundancy clients can reply (either with an ok or wait reply) for the number of seconds shown. The range is 0 to 3600 seconds (1 hour); the default is 0 (no delay before taking over).
        Use the no form of the command to restore the default values.
        Example:
        Switch(config-if)# standby 1 preempt delay 300

Step 8  standby [group-number] ip [ip-address [secondary]]
        Creates the second HSRP group using its number and virtual IP address. The keywords are as described in Step 5.
        Example:
        Switch(config-if)# standby 2 ip 10.0.0.4

Step 9  standby [group-number] preempt [delay [minimum seconds] [reload seconds] [sync seconds]]
        Configures the router to preempt for the second group. The keywords are as described in Step 7.
        Example:
        Switch(config-if)# standby 2 preempt delay 300

Step 10 end
        Returns to privileged EXEC mode.
        Example:
        Switch(config-if)# end

Step 11 show running-config
        Verifies the configuration of the standby groups.

Step 12 copy running-config startup-config
        (Optional) Saves your entries in the configuration file.

Related Topics
Configuring MHSRP: Example, on page 449

Configuring HSRP Authentication and Timers


You can optionally configure an HSRP authentication string or change the hello-time interval and holdtime.
When configuring these attributes, follow these guidelines:
• The authentication string is sent unencrypted in all HSRP messages. You must configure the same
authentication string on all routers and access servers on a cable to ensure interoperation. Authentication
mismatch prevents a device from learning the designated Hot Standby IP address and timer values from
other routers configured with HSRP.
• Routers or access servers on which standby timer values are not configured can learn timer values from
the active or standby router. The timers configured on an active router always override any other timer
settings.
• All routers in a Hot Standby group should use the same timer values. Normally, the holdtime is greater
than or equal to 3 times the hellotime.
Beginning in privileged EXEC mode, use one or more of these steps to configure HSRP authentication and
timers on an interface:

SUMMARY STEPS
1. configure terminal
2. interface interface-id
3. standby [group-number] authentication string
4. standby [group-number] timers hellotime holdtime
5. end
6. show running-config
7. copy running-config startup-config


DETAILED STEPS

Step 1  configure terminal
        Enters global configuration mode.
        Example:
        Switch# configure terminal

Step 2  interface interface-id
        Enters interface configuration mode, and enters the HSRP interface that you want to configure.
        Example:
        Switch(config)# interface gigabitethernet1/0/1

Step 3  standby [group-number] authentication string
        (Optional) Configures the authentication string carried in HSRP messages.
        • (Optional) group-number: The group number to which the command applies.
        • string: Enter a string to be carried in all HSRP messages. The authentication string can be up to eight characters in length; the default string is cisco.
        Example:
        Switch(config-if)# standby 1 authentication word

Step 4  standby [group-number] timers hellotime holdtime
        (Optional) Configures the time between hello packets and the time before other routers declare the active router to be down.
        • (Optional) group-number: The group number to which the command applies.
        • hellotime: The time, in seconds, between hello packets. The default is 3 seconds.
        • holdtime: The time, in seconds, before other routers declare the active router to be down. The default is 10 seconds; normally the holdtime is at least 3 times the hellotime.
        Example:
        Switch(config-if)# standby 1 timers 5 15

Step 5  end
        Returns to privileged EXEC mode.
        Example:
        Switch(config-if)# end

Step 6  show running-config
        Verifies the configuration of the standby groups.

Step 7  copy running-config startup-config
        (Optional) Saves your entries in the configuration file.

Related Topics
Configuring HSRP Authentication and Timer: Example, on page 450

Enabling HSRP Support for ICMP Redirect Messages


ICMP redirect messages are automatically enabled on interfaces configured with HSRP. ICMP is a network layer Internet protocol that provides message packets to report errors and other information relevant to IP processing. ICMP provides diagnostic functions, such as sending and directing error packets to the host. This feature filters outgoing ICMP redirect messages through HSRP, in which the next hop IP address might be changed to an HSRP virtual IP address. For more information, see the Cisco IOS IP Configuration Guide, Release 12.4.

Configuring HSRP Groups and Clustering


When a device is participating in HSRP standby routing and clustering is enabled, you can use the same standby group for command switch redundancy and HSRP redundancy. Use the cluster standby-group HSRP-group-name [routing-redundancy] global configuration command to enable the same HSRP standby group to be used for command switch and routing redundancy. If you create a cluster with the same HSRP standby group name without entering the routing-redundancy keyword, HSRP standby routing is disabled for the group.
Related Topics
Configuring HSRP Groups and Clustering: Example, on page 451

Troubleshooting HSRP
If one of the situations shown in the following table occurs, this message appears:
%FHRP group not consistent with already configured groups on the switch stack - virtual MAC reservation failed

Table 42: Troubleshooting HSRP

Situation                                         Action
You configure more than 32 HSRP group instances.  Remove HSRP groups so that up to 32 group instances are configured.

Verifying HSRP
Verifying HSRP Configurations
From privileged EXEC mode, use this command to display HSRP settings:
show standby [interface-id [group]] [brief] [detail]
You can display HSRP information for the whole switch, for a specific interface, for an HSRP group, or for
an HSRP group on an interface. You can also specify whether to display a concise overview of HSRP
information or detailed HSRP information. The default display is detail. If there are a large number of HSRP
groups, using the show standby command without qualifiers can result in an unwieldy display.

Example
Switch# show standby
VLAN1 - Group 1
Local state is Standby, priority 105, may preempt
Hellotime 3 holdtime 10
Next hello sent in 00:00:02.182
Hot standby IP address is 172.20.128.3 configured
Active router is 172.20.128.1 expires in 00:00:09
Standby router is local
Standby virtual mac address is 0000.0c07.ac01
Name is bbb

VLAN1 - Group 100
Local state is Standby, priority 105, may preempt
Hellotime 3 holdtime 10
Next hello sent in 00:00:02.262
Hot standby IP address is 172.20.138.51 configured
Active router is 172.20.128.1 expires in 00:00:09
Active router is local
Standby router is unknown expired
Standby virtual mac address is 0000.0c07.ac64
Name is test
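A parser and consistency check for show standby output, as an added Python example that is not Cisco code. It verifies each group's virtual MAC against the 0000.0c07.acXX rule from the default table (the HSRPv2 range 0000.0c9f.fXXX is a known IOS convention not stated on this page) and flags groups that have no standby peer; the sample is adapted from the output above, with a third group constructed to show a mismatch.

```python
"""Parse 'show standby' output and flag inconsistencies (added example, not Cisco code)."""
import re
from dataclasses import dataclass
from typing import List

# Adapted from the guide's sample output; VLAN2 Group 7 is constructed to show a bad virtual MAC.
SAMPLE_SHOW_STANDBY = """\
VLAN1 - Group 1
Local state is Standby, priority 105, may preempt
Hellotime 3 holdtime 10
Next hello sent in 00:00:02.182
Hot standby IP address is 172.20.128.3 configured
Active router is 172.20.128.1 expires in 00:00:09
Standby router is local
Standby virtual mac address is 0000.0c07.ac01
Name is bbb
VLAN1 - Group 100
Local state is Standby, priority 105, may preempt
Hellotime 3 holdtime 10
Next hello sent in 00:00:02.262
Hot standby IP address is 172.20.138.51 configured
Active router is 172.20.128.1 expires in 00:00:09
Standby router is unknown expired
Standby virtual mac address is 0000.0c07.ac64
Name is test
VLAN2 - Group 7
Local state is Active, priority 110, may preempt
Hellotime 3 holdtime 10
Hot standby IP address is 172.20.2.1 configured
Active router is local
Standby router is 172.20.2.3 expires in 00:00:08
Standby virtual mac address is 0000.0c07.ac05
"""

GROUP_RE = re.compile(r"^(\S+) - Group (\d+)$")
STATE_RE = re.compile(r"^Local state is (\w+), priority (\d+)")
TIMERS_RE = re.compile(r"^Hellotime (\d+) holdtime (\d+)")
STANDBY_RE = re.compile(r"^Standby router is (.+)$")
VMAC_RE = re.compile(r"^Standby virtual mac address is ([0-9a-f.]+)$")


@dataclass
class HsrpGroup:
    interface: str
    group: int
    state: str = ""
    priority: int = 0
    hellotime: int = 0
    holdtime: int = 0
    standby_router: str = ""
    virtual_mac: str = ""


def parse_show_standby(text: str) -> List[HsrpGroup]:
    """Split the output into one record per 'interface - Group N' block."""
    groups: List[HsrpGroup] = []
    for line in text.splitlines():
        line = line.strip()
        m = GROUP_RE.match(line)
        if m:
            groups.append(HsrpGroup(m.group(1), int(m.group(2))))
            continue
        if not groups:
            continue  # text before the first group header is ignored
        g = groups[-1]
        if m := STATE_RE.match(line):
            g.state, g.priority = m.group(1), int(m.group(2))
        elif m := TIMERS_RE.match(line):
            g.hellotime, g.holdtime = int(m.group(1)), int(m.group(2))
        elif m := STANDBY_RE.match(line):
            g.standby_router = m.group(1)
        elif m := VMAC_RE.match(line):
            g.virtual_mac = m.group(1)
    return groups


def expected_virtual_mac(group: int, version: int = 1) -> str:
    """HSRPv1: 0000.0c07.acXX with XX = group number, as in the guide's default table.
    HSRPv2: 0000.0c9f.fXXX with XXX = group number (known IOS convention, not on this page)."""
    if version == 1:
        return "0000.0c07.ac%02x" % group
    return "0000.0c9f.f%03x" % group


def check_groups(groups: List[HsrpGroup]) -> List[str]:
    """Return one finding per problem; an empty list means the output looks consistent."""
    findings = []
    for g in groups:
        tag = "%s group %d" % (g.interface, g.group)
        if g.virtual_mac not in (expected_virtual_mac(g.group, 1), expected_virtual_mac(g.group, 2)):
            findings.append("%s: virtual MAC %s does not match group number" % (tag, g.virtual_mac))
        if g.standby_router.startswith("unknown"):
            findings.append("%s: no standby router, the active router is a single point of failure" % tag)
    return findings


if __name__ == "__main__":
    for finding in check_groups(parse_show_standby(SAMPLE_SHOW_STANDBY)):
        print(finding)
```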

Configuration Examples for Configuring HSRP


Enabling HSRP: Example
This example shows how to activate HSRP for group 1 on an interface. The IP address used by the hot standby
group is learned by using HSRP.

Note This procedure is the minimum number of steps required to enable HSRP. Other configurations are optional.

Switch# configure terminal
Switch(config)# interface gigabitethernet1/0/1
Switch(config-if)# no switchport
Switch(config-if)# standby 1 ip
Switch(config-if)# end
Switch# show standby

Related Topics
Enabling HSRP, on page 436

Configuring HSRP Priority: Example


This example activates a port, sets an IP address and a priority of 120 (higher than the default value), and
waits for 300 seconds (5 minutes) before attempting to become the active router:

Switch# configure terminal
Switch(config)# interface gigabitethernet1/0/1
Switch(config-if)# no switchport
Switch(config-if)# standby ip 172.20.128.3
Switch(config-if)# standby priority 120 preempt delay 300
Switch(config-if)# end
Switch# show standby

Related Topics
Configuring HSRP Priority, on page 437

Configuring MHSRP: Example


This example shows how to enable the MHSRP configuration shown in the figure MHSRP Load Sharing. Router A is the active router for group 1 and Router B is the active router for group 2, so each router raises its priority on its own group and preempts on both.

Router A Configuration
Switch# configure terminal
Switch(config)# interface gigabitethernet1/0/1
Switch(config-if)# no switchport
Switch(config-if)# ip address 10.0.0.1 255.255.255.0
Switch(config-if)# standby 1 ip 10.0.0.3
Switch(config-if)# standby 1 priority 110
Switch(config-if)# standby 1 preempt
Switch(config-if)# standby 2 ip 10.0.0.4
Switch(config-if)# standby 2 preempt
Switch(config-if)# end

Router B Configuration
Switch# configure terminal
Switch(config)# interface gigabitethernet1/0/1
Switch(config-if)# no switchport
Switch(config-if)# ip address 10.0.0.2 255.255.255.0
Switch(config-if)# standby 1 ip 10.0.0.3
Switch(config-if)# standby 1 preempt
Switch(config-if)# standby 2 ip 10.0.0.4
Switch(config-if)# standby 2 priority 110
Switch(config-if)# standby 2 preempt
Switch(config-if)# end

Related Topics
Configuring Router A, on page 440
Configuring Router B, on page 443

Configuring HSRP Authentication and Timer: Example


This example shows how to configure word as the authentication string required to allow Hot Standby routers
in group 1 to interoperate:

Switch# configure terminal
Switch(config)# interface gigabitethernet1/0/1
Switch(config-if)# no switchport
Switch(config-if)# standby 1 authentication word
Switch(config-if)# end

This example shows how to set the timers on standby group 1 with the time between hello packets at 5 seconds
and the time after which a router is considered down to be 15 seconds:

Switch# configure terminal
Switch(config)# interface gigabitethernet1/0/1
Switch(config-if)# no switchport
Switch(config-if)# standby 1 ip
Switch(config-if)# standby 1 timers 5 15
Switch(config-if)# end

Related Topics
Configuring HSRP Authentication and Timers, on page 446


Configuring HSRP Groups and Clustering: Example


This example shows how to bind standby group my_hsrp to the cluster and enable the same HSRP group to
be used for command switch redundancy and router redundancy. The command can only be executed on the
cluster command switch. If the standby group name or number does not exist, or if the switch is a cluster
member switch, an error message appears.

Switch# configure terminal
Switch(config)# cluster standby-group my_hsrp routing-redundancy
Switch(config)# end

Related Topics
Configuring HSRP Groups and Clustering , on page 448

Information About VRRP


Configuring VRRP
Virtual Router Redundancy Protocol (VRRP) is an election protocol that enables a group of routers to form
a single virtual router to provide redundancy. In a VRRP configuration, one router is elected as the virtual
router master, and the other routers act as backups in case it fails. The LAN clients can then be configured
with the virtual router as their default gateway, allowing several routers on a multi-access link to use the same
virtual IP address. The virtual router, representing a group of routers, forms a VRRP group.
Both HSRP and VRRP perform the same function. You can choose to configure either IETF standard VRRP
or Cisco’s more powerful HSRP protocol on a switch or switch stack.

Restrictions for VRRP


• The VRRP implementation on the switch does not support the MIB specified in RFC 2787.
• The VRRP implementation on the switch supports only text-based authentication.

CHAPTER 24
Configuring Service Level Agreements
This chapter describes how to use Cisco IOS IP Service Level Agreements (SLAs) on the switch.
Unless otherwise noted, the term switch refers to a standalone switch or a switch stack.
• Finding Feature Information, on page 453
• Restrictions on SLAs, on page 453
• Information About SLAs, on page 454
• How to Configure IP SLAs Operations, on page 459
• Monitoring IP SLA Operations, on page 472
• Monitoring IP SLA Operation Examples, on page 473

Finding Feature Information


Your software release may not support all the features documented in this module. For the latest caveats and
feature information, see Bug Search Tool and the release notes for your platform and software release. To
find information about the features documented in this module, and to see a list of the releases in which each
feature is supported, see the feature information table at the end of this module.
Use Cisco Feature Navigator to find information about platform support and Cisco software image support.
To access Cisco Feature Navigator, go to http://www.cisco.com/go/cfn. An account on Cisco.com is not
required.

Restrictions on SLAs
This section lists the restrictions on SLAs.
The following are restrictions on IP SLAs network performance measurement:
• The switch does not support VoIP service levels using the gatekeeper registration delay operations
measurements.
• Only a Cisco IOS device can be a source for a destination IP SLAs responder.
• You cannot configure the IP SLAs responder on non-Cisco devices and Cisco IOS IP SLAs can send
operational packets only to services native to those devices.


Related Topics
Implementing IP SLA Network Performance Measurement, on page 461
Network Performance Measurement with Cisco IOS IP SLAs, on page 455
IP SLA Responder and IP SLA Control Protocol, on page 455

Information About SLAs


Cisco IOS IP Service Level Agreements (SLAs)
Cisco IOS IP SLAs send data across the network to measure performance between multiple network locations
or across multiple network paths. They simulate network data and IP services and collect network performance
information in real time. Cisco IOS IP SLAs generate and analyze traffic either between Cisco IOS devices
or from a Cisco IOS device to a remote IP device such as a network application server. Measurements provided
by the various Cisco IOS IP SLA operations can be used for troubleshooting, for problem analysis, and for
designing network topologies.
Depending on the specific Cisco IOS IP SLA operations, various network performance statistics are monitored
within the Cisco device and stored in both command-line interface (CLI) and Simple Network Management
Protocol (SNMP) MIBs. IP SLA packets have configurable IP and application layer options such as source
and destination IP address, User Datagram Protocol (UDP)/TCP port numbers, a type of service (ToS) byte
(including Differentiated Services Code Point [DSCP] and IP Prefix bits), Virtual Private Network (VPN)
routing/forwarding instance (VRF), and URL web address.
Because Cisco IP SLAs are Layer 2 transport independent, you can configure end-to-end operations over
disparate networks to best reflect the metrics that an end user is likely to experience. IP SLAs collect and
analyze the following performance metrics:
• Delay (both round-trip and one-way)
• Jitter (directional)
• Packet loss (directional)
• Packet sequencing (packet ordering)
• Path (per hop)
• Connectivity (directional)
• Server or website download time

Because Cisco IOS IP SLAs are SNMP-accessible, they can also be used by performance-monitoring applications
like Cisco Prime Internetwork Performance Monitor (IPM) and other third-party Cisco partner performance
management products.
Using IP SLAs can provide the following benefits:
• Service-level agreement monitoring, measurement, and verification.
• Network performance monitoring
• Measurement of jitter, latency, or packet loss in the network.
• Continuous, reliable, and predictable measurements.

• IP service network health assessment to verify that the existing QoS is sufficient for new IP services.
• Edge-to-edge network availability monitoring for proactive verification and connectivity testing of
network resources (for example, shows the network availability of an NFS server used to store business
critical data from a remote site).
• Network operation troubleshooting by providing consistent, reliable measurement that immediately
identifies problems and saves troubleshooting time.
• Multiprotocol Label Switching (MPLS) performance monitoring and network verification (if the switch
supports MPLS).

Network Performance Measurement with Cisco IOS IP SLAs


You can use IP SLAs to monitor the performance between any area in the network—core, distribution, and
edge—without deploying a physical probe. It uses generated traffic to measure network performance between
two networking devices.
Figure 50: Cisco IOS IP SLAs Operation

The following figure shows how IP SLAs begin when the source device sends a generated packet to the
destination device. After the destination device receives the packet, depending on the type of IP SLAs operation,
it responds with time-stamp information for the source to make the calculation on performance metrics. An
IP SLAs operation performs a network measurement from the source device to a destination in the network
using a specific protocol such as UDP.

Related Topics
Implementing IP SLA Network Performance Measurement, on page 461
Restrictions on SLAs, on page 453

IP SLA Responder and IP SLA Control Protocol


The IP SLA responder is a component embedded in the destination Cisco device that allows the system to
anticipate and respond to IP SLA request packets. The responder provides accurate measurements without
the need for dedicated probes. The responder uses the Cisco IOS IP SLA Control Protocol to provide a
mechanism through which it can be notified on which port it should listen and respond.

Note The IP SLA responder can be a Cisco IOS Layer 2, responder-configurable switch. The responder does not
need to support full IP SLA functionality.

The following figure shows where the Cisco IOS IP SLA responder fits in the IP network. The responder
listens on a specific port for control protocol messages sent by an IP SLA operation. Upon receipt of the
control message, it enables the specified UDP or TCP port for the specified duration. During this time, the
responder accepts the requests and responds to them. It disables the port after it responds to the IP SLA packet,
or when the specified time expires. MD5 authentication for control messages is available for added security.
Figure 51: Cisco IOS IP SLAs Operation

You do not need to enable the responder on the destination device for all IP SLA operations. For example, a
responder is not required for services that are already provided by the destination router (such as Telnet or
HTTP).
Related Topics
Restrictions on SLAs, on page 453

Response Time Computation for IP SLAs


Switches, controllers, and routers can take tens of milliseconds to process incoming packets due to other high
priority processes. This delay affects the response times because the test-packet reply might be in a queue
while waiting to be processed. In this situation, the response times would not accurately represent true network
delays. IP SLAs minimize these processing delays on the source device as well as on the target device (if the
responder is being used) to determine true round-trip times. IP SLA test packets use time stamping to minimize
the processing delays.
When the IP SLA responder is enabled, it allows the target device to take time stamps when the packet arrives
on the interface at interrupt level and again just as it is leaving, eliminating the processing time. This time
stamping is made with a granularity of sub-milliseconds (ms).
Figure 52: Cisco IOS IP SLA Responder Time Stamping

The following figure demonstrates how the responder works. Four time stamps are taken to make the calculation
for round-trip time. At the target router, with the responder functionality enabled, time stamp 2 (TS2) is
subtracted from time stamp 3 (TS3) to produce the time spent processing the test packet as represented by
delta. This delta value is then subtracted from the overall round-trip time. Notice that the same principle is
applied by IP SLAs on the source router where the incoming time stamp 4 (TS4) is also taken at the interrupt
level to allow for greater accuracy.
An additional benefit of the two time stamps at the target device is the ability to track one-way delay, jitter,
and directional packet loss. Because much network behavior is asynchronous, it is critical to have these
statistics. However, to capture one-way delay measurements, you must configure both the source router and
target router with Network Time Protocol (NTP) so that the source and target are synchronized to the same
clock source. One-way jitter measurements do not require clock synchronization.
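The four-time-stamp calculation above, as an added Python example (not code from the guide or from IOS). The Stamps layout, the observe() helper and the 500 ms clock offset are constructed for illustration; it shows why the responder delta cancels clock skew while one-way delay does not.

```python
"""Round-trip time from the four IP SLA responder time stamps.

Added example, not code from the Cisco guide or from IOS. It models the
calculation the guide describes: TS1 when the test packet leaves the source,
TS2 when it reaches the target interface (interrupt level), TS3 when the reply
leaves the target, TS4 when the reply reaches the source. Values are in
milliseconds; the stamps and the clock offset below are constructed.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Stamps:
    ts1: float  # source clock: test packet sent
    ts2: float  # target clock: test packet received
    ts3: float  # target clock: reply sent
    ts4: float  # source clock: reply received


def processing_delta(s: Stamps) -> float:
    """Time the target spent holding the packet (TS3 - TS2).

    Both stamps come from the target's own clock, so any offset between the
    source and target clocks cancels out of this term.
    """
    return s.ts3 - s.ts2


def round_trip_time(s: Stamps, responder_enabled: bool = True) -> float:
    """RTT as the source computes it.

    Without a responder the target's queuing/processing time stays inside the
    measurement; with one, the delta is subtracted as the guide describes.
    """
    raw = s.ts4 - s.ts1
    return raw - processing_delta(s) if responder_enabled else raw


def one_way_delays(s: Stamps, clocks_synced: bool) -> tuple:
    """(source->target, target->source) delay.

    Each value subtracts a stamp from one clock from a stamp on the other, so
    it is only meaningful when both devices are NTP-synchronized. Mirrors the
    guide: with unsynchronized clocks the operation reports 0.
    """
    if not clocks_synced:
        return (0.0, 0.0)
    return (s.ts2 - s.ts1, s.ts4 - s.ts3)


def observe(true_sd: float, true_ds: float, processing: float,
            target_offset: float = 0.0) -> Stamps:
    """Build the stamps a probe would record for constructed true delays.

    target_offset is how far ahead the target's clock runs relative to the
    source's clock (0 when NTP keeps them aligned).
    """
    ts1 = 100.0
    ts2 = ts1 + true_sd + target_offset
    ts3 = ts2 + processing
    ts4 = ts1 + true_sd + processing + true_ds
    return Stamps(ts1, ts2, ts3, ts4)


if __name__ == "__main__":
    synced = observe(true_sd=5.0, true_ds=7.0, processing=3.0)
    skewed = observe(true_sd=5.0, true_ds=7.0, processing=3.0, target_offset=500.0)
    for label, s in (("synced", synced), ("skewed", skewed)):
        print(label, "raw RTT", round_trip_time(s, responder_enabled=False),
              "RTT", round_trip_time(s),
              "one-way", one_way_delays(s, clocks_synced=(label == "synced")))
```

With the skewed stamps the RTT is still 12 ms, but reading one-way delay as if the clocks were synchronized gives 505 ms and -493 ms, which is the failure mode the NTP requirement prevents.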

IP SLAs Operation Scheduling


When you configure an IP SLAs operation, you must schedule the operation to begin capturing statistics and
collecting error information. You can schedule an operation to start immediately or to start at a certain month,
day, and hour. You can use the pending option to set the operation to start at a later time. The pending option
is an internal state of the operation that is visible through SNMP. The pending state is also used when an
operation is a reaction (threshold) operation waiting to be triggered. You can schedule a single IP SLAs
operation or a group of operations at one time.
You can schedule several IP SLAs operations by using a single command through the Cisco IOS CLI or the
CISCO-RTTMON-MIB. Scheduling the operations to run at evenly distributed times allows you to control
the amount of IP SLAs monitoring traffic. This distribution of IP SLA operations helps minimize the CPU
utilization and thus improves network scalability.
For more details about the IP SLA multi-operations scheduling functionality, see the “IP SLAs—Multiple
Operation Scheduling” chapter of the Cisco IOS IP SLAs Configuration Guide.

IP SLA Operation Threshold Monitoring


To support successful service level agreement monitoring, you must have mechanisms that notify you
immediately of any possible violation. IP SLAs can send SNMP traps that are triggered by events such as the
following:
• Connection loss
• Timeout
• Round-trip time threshold
• Average jitter threshold
• One-way packet loss
• One-way jitter
• One-way mean opinion score (MOS)
• One-way latency

An IP SLA threshold violation can also trigger another IP SLA operation for further analysis. For example,
the frequency could be increased or an Internet Control Message Protocol (ICMP) path echo or ICMP path
jitter operation could be initiated for troubleshooting.

ICMP Echo
The ICMP echo operation measures the end-to-end response time between a Cisco device and any other device
that uses IP. The response time is computed by measuring the time it takes to send an ICMP echo request
message to a destination and receive an ICMP echo reply. Many customers use IP SLA ICMP-based operations,
in-house ping testing, or ping-based dedicated probes to measure this response time. The IP SLA ICMP echo
operation conforms to the same specifications as ICMP ping testing, and both methods result in the same
response times.
Related Topics
Analyzing IP Service Levels by Using the ICMP Echo Operation, on page 469

UDP Jitter
Jitter is a simple term that describes interpacket delay variance. When multiple packets are sent consecutively
at an interval of 10 ms from source to destination, the destination should receive them 10 ms apart (if the
network is behaving correctly). However, if there are delays in the network (such as queuing, arriving through
alternate routes, and so on), the time interval between packet arrivals might be more or less than 10 ms. A
positive jitter value indicates that the packets arrived more than 10 ms apart. A negative jitter value indicates
that the packets arrived less than 10 ms apart. If the packets arrive 12 ms apart, the positive jitter is 2 ms; if
the packets arrive 8 ms apart, the negative jitter is 2 ms. For delay-sensitive networks, positive jitter values
are undesirable, and a jitter value of 0 is ideal.
In addition to monitoring jitter, the IP SLA UDP jitter operation can be used as a multipurpose data gathering
operation. The packets generated by IP SLAs carry sequence information and time stamps from the source
and operational target that include packet sending and receiving data. Based on this data, UDP jitter operations
measure the following:
• Per-direction jitter (source to destination and destination to source)
• Per-direction packet-loss
• Per-direction delay (one-way delay)
• Round-trip delay (average round-trip time)

Because the paths for the sending and receiving of data can be different (asymmetric), you can use the
per-direction data to more readily identify where congestion or other problems are occurring in the network.
The UDP jitter operation generates synthetic (simulated) UDP traffic and sends a number of UDP packets,
each of a specified size, sent a specified number of milliseconds apart, from a source router to a target router,
at a given frequency. By default, ten packet-frames, each with a payload size of 10 bytes are generated every
10 ms, and the operation is repeated every 60 seconds. You can configure each of these parameters to best
simulate the IP service you want to provide.
To provide accurate one-way delay (latency) measurements, time synchronization (as provided by NTP) is
required between the source and the target device. Time synchronization is not required for the one-way jitter
and packet loss measurements. If the time is not synchronized between the source and target devices, one-way
jitter and packet loss data is returned, but values of 0 are returned for the one-way delay measurements provided
by the UDP jitter operation.
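The jitter definition and per-direction statistics above, as an added Python example (not code from the guide or from IOS). The Probe record, the two ten-packet traces and the millisecond time stamps are constructed; the example also covers a lost packet and the zero one-way delay returned when clocks are not synchronized.

```python
"""Per-direction jitter and packet loss from a UDP jitter probe trace.

Added example, not code from the Cisco guide or from IOS. It applies the
guide's definition: jitter is the arrival spacing minus the send spacing,
positive when packets arrive further apart than they were sent, negative when
closer together. Probe records, millisecond time stamps and sequence numbers
starting at 1 are assumptions of this example; the traces are constructed.
"""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Probe:
    seq: int
    sent: int                # sender's time stamp when the packet left
    received: Optional[int]  # receiver's time stamp, None if the packet was lost


def jitter_stats(probes, num_packets: int, clocks_synced: bool = False) -> dict:
    """Statistics for one direction (source->destination or destination->source)."""
    by_seq = {p.seq: p for p in probes if p.received is not None}
    lost = [s for s in range(1, num_packets + 1) if s not in by_seq]
    arrived = [by_seq[s] for s in sorted(by_seq)]
    positive, negative = [], []
    # Compare consecutive *received* packets. Across a lost packet the send gap
    # grows by the same amount as the arrival gap, so the loss itself is not
    # counted as jitter; it is reported separately.
    for prev, cur in zip(arrived, arrived[1:]):
        j = (cur.received - prev.received) - (cur.sent - prev.sent)
        if j > 0:
            positive.append(j)
        elif j < 0:
            negative.append(-j)  # magnitude, as in "the negative jitter is 2 ms"
    # One-way delay subtracts a sender stamp from a receiver stamp, so it is
    # meaningful only with synchronized clocks; the guide says the operation
    # returns 0 for it otherwise, and so does this function.
    if clocks_synced:
        one_way = [p.received - p.sent for p in arrived]
    else:
        one_way = [0] * len(arrived)
    return {
        "lost": lost,
        "positive_jitter": positive,
        "negative_jitter": negative,
        "max_positive": max(positive, default=0),
        "max_negative": max(negative, default=0),
        "one_way_delays": one_way,
    }


# Constructed source->destination trace: ten packets sent 10 ms apart, as in
# the guide's default. Packet 5 is lost; 2 arrives late, 3 early, 6 late, 7 early.
SD_TRACE = [
    Probe(1, 0, 30), Probe(2, 10, 42), Probe(3, 20, 50), Probe(4, 30, 60),
    Probe(5, 40, None), Probe(6, 50, 81), Probe(7, 60, 90), Probe(8, 70, 100),
    Probe(9, 80, 110), Probe(10, 90, 120),
]
# Constructed destination->source trace: steady 25 ms delay except packet 4,
# which is queued 3 ms longer, so the probe sees +3 ms followed by -3 ms.
DS_TRACE = [
    Probe(s, 200 + 10 * (s - 1), 225 + 10 * (s - 1) + (3 if s == 4 else 0))
    for s in range(1, 11)
]


def per_direction_report(clocks_synced: bool = False) -> dict:
    """Both directions of one run, the way the operation reports them."""
    return {
        "sd": jitter_stats(SD_TRACE, 10, clocks_synced),
        "ds": jitter_stats(DS_TRACE, 10, clocks_synced),
    }


if __name__ == "__main__":
    for direction, stats in per_direction_report(clocks_synced=True).items():
        print(direction, stats)
```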

Related Topics
Analyzing IP Service Levels by Using the UDP Jitter Operation, on page 465

How to Configure IP SLAs Operations


This section does not include configuration information for all available operations as the configuration
information details are included in the Cisco IOS IP SLAs Configuration Guide. It does include several
operations as examples, including configuring the responder, configuring a UDP jitter operation, which requires
a responder, and configuring an ICMP echo operation, which does not require a responder. For details about
configuring other operations, see the Cisco IOS IP SLAs Configuration Guide.

Default Configuration
No IP SLAs operations are configured.

Configuration Guidelines
For information on the IP SLA commands, see the Cisco IOS IP SLAs Command Reference, Release 12.4T.
For detailed descriptions and configuration procedures, see the Cisco IOS IP SLAs Configuration Guide,
Release 12.4TL.
Not all of the IP SLA commands or operations described in the referenced guide are supported on the switch.
The switch supports IP service level analysis by using UDP jitter, UDP echo, HTTP, TCP connect, ICMP
echo, ICMP path echo, ICMP path jitter, FTP, DNS, and DHCP, as well as multiple operation scheduling and
proactive threshold monitoring. It does not support VoIP service levels using the gatekeeper registration delay
operations measurements.
Before configuring any IP SLAs application, you can use the show ip sla application privileged EXEC
command to verify that the operation type is supported on your software image. This is an example of the
output from the command:

SwitchDevice# show ip sla application
IP Service Level Agreements
Version: Round Trip Time MIB 2.2.0, Infrastructure Engine-III

Supported Operation Types:
icmpEcho, path-echo, path-jitter, udpEcho, tcpConnect, http
dns, udpJitter, dhcp, ftp, udpApp, wspApp

Supported Features:
IPSLAs Event Publisher

IP SLAs low memory water mark: 33299323
Estimated system max number of entries: 24389
Estimated number of configurable operations: 24389
Number of Entries configured : 0
Number of active Entries : 0
Number of pending Entries : 0
Number of inactive Entries : 0
Time of last change in whole IP SLAs: *13:04:37.668 UTC Wed Dec 19 2012

Configuring the IP SLA Responder


The IP SLA responder is available only on Cisco IOS software-based devices, including some Layer 2 switches
that do not support full IP SLA functionality.
Follow these steps to configure the IP SLA responder on the target device (the operational target):

SUMMARY STEPS
1. enable
2. configure terminal
3. ip sla responder {tcp-connect | udp-echo} ipaddress ip-address port port-number
4. end
5. show running-config
6. copy running-config startup-config

DETAILED STEPS

Step 1: enable
Purpose: Enables privileged EXEC mode. Enter your password if prompted.
Example:
SwitchDevice> enable

Step 2: configure terminal
Purpose: Enters the global configuration mode.
Example:
SwitchDevice# configure terminal

Step 3: ip sla responder {tcp-connect | udp-echo} ipaddress ip-address port port-number
Purpose: Configures the switch as an IP SLA responder. The keywords have these meanings:
• tcp-connect—Enables the responder for TCP connect operations.
• udp-echo—Enables the responder for User Datagram Protocol (UDP) echo or jitter operations.
• ipaddress ip-address—Enter the destination IP address.
• port port-number—Enter the destination port number.
Note The IP address and port number must match those configured on the source device for the IP SLA operation.
Example:
SwitchDevice(config)# ip sla responder udp-echo ipaddress 172.29.139.134 port 5000

Step 4: end
Purpose: Returns to privileged EXEC mode.
Example:
SwitchDevice(config)# end

Step 5: show running-config
Purpose: Verifies your entries.
Example:
SwitchDevice# show running-config

Step 6: copy running-config startup-config
Purpose: (Optional) Saves your entries in the configuration file.
Example:
SwitchDevice# copy running-config startup-config

Implementing IP SLA Network Performance Measurement


Follow these steps to implement IP SLA network performance measurement on your switch:

Before you begin


Use the show ip sla application privileged EXEC command to verify that the desired operation type is
supported on your software image.

SUMMARY STEPS
1. enable
2. configure terminal
3. ip sla operation-number
4. udp-jitter {destination-ip-address | destination-hostname} destination-port [source-ip {ip-address |
hostname}] [source-port port-number] [control {enable | disable}] [num-packets number-of-packets]
[interval interpacket-interval]
5. frequency seconds
6. threshold milliseconds
7. exit
8. ip sla schedule operation-number [life {forever | seconds}] [start-time {hh:mm [:ss] [month day | day
month] | pending | now | after hh:mm:ss] [ageout seconds] [recurring]
9. end
10. show running-config
11. copy running-config startup-config

DETAILED STEPS

Step 1: enable
Purpose: Enables privileged EXEC mode. Enter your password if prompted.
Example:
SwitchDevice> enable

Step 2: configure terminal
Purpose: Enters the global configuration mode.
Example:
SwitchDevice# configure terminal

Step 3: ip sla operation-number
Purpose: Creates an IP SLA operation, and enters IP SLA configuration mode.
Example:
SwitchDevice(config)# ip sla 10

Step 4: udp-jitter {destination-ip-address | destination-hostname} destination-port [source-ip {ip-address | hostname}] [source-port port-number] [control {enable | disable}] [num-packets number-of-packets] [interval interpacket-interval]
Purpose: Configures the IP SLA operation as the operation type of your choice (a UDP jitter operation is used in the example), and enters its configuration mode (UDP jitter configuration mode is used in the example).
• destination-ip-address | destination-hostname—Specifies the destination IP address or hostname.
• destination-port—Specifies the destination port number in the range from 1 to 65535.
• (Optional) source-ip {ip-address | hostname}—Specifies the source IP address or hostname. When a source IP address or hostname is not specified, IP SLA chooses the IP address nearest to the destination.
• (Optional) source-port port-number—Specifies the source port number in the range from 1 to 65535. When a port number is not specified, IP SLA chooses an available port.
• (Optional) control—Enables or disables sending of IP SLA control messages to the IP SLA responder. By default, IP SLA control messages are sent to the destination device to establish a connection with the IP SLA responder.
• (Optional) num-packets number-of-packets—Enters the number of packets to be generated. The range is 1 to 6000; the default is 10.
• (Optional) interval inter-packet-interval—Enters the interval between sending packets in milliseconds. The range is 1 to 6000; the default value is 20 ms.
Example:
SwitchDevice(config-ip-sla)# udp-jitter 172.29.139.134 5000

Step 5: frequency seconds
Purpose: (Optional) Configures options for the SLA operation. This example sets the rate at which a specified IP SLA operation repeats. The range is from 1 to 604800 seconds; the default is 60 seconds.
Example:
SwitchDevice(config-ip-sla-jitter)# frequency 45

Step 6: threshold milliseconds
Purpose: (Optional) Configures threshold conditions. This example sets the threshold of the specified IP SLA operation to 200. The range is from 0 to 60000 milliseconds.
Example:
SwitchDevice(config-ip-sla-jitter)# threshold 200

Step 7: exit
Purpose: Exits the SLA operation configuration mode (UDP jitter configuration mode in this example), and returns to global configuration mode.
Example:
SwitchDevice(config-ip-sla-jitter)# exit

Step 8: ip sla schedule operation-number [life {forever | seconds}] [start-time {hh:mm [:ss] [month day | day month] | pending | now | after hh:mm:ss] [ageout seconds] [recurring]
Purpose: Configures the scheduling parameters for an individual IP SLA operation.
• operation-number—Enter the RTR entry number.
• (Optional) life—Sets the operation to run indefinitely (forever) or for a specific number of seconds. The range is from 0 to 2147483647. The default is 3600 seconds (1 hour).
• (Optional) start-time—Enters the time for the operation to begin collecting information: To start at a specific time, enter the hour, minute, second (in 24-hour notation), and day of the month. If no month is entered, the default is the current month. Enter pending to select no information collection until a start time is selected. Enter now to start the operation immediately. Enter after hh:mm:ss to show that the operation should start after the entered time has elapsed.
• (Optional) ageout seconds—Enter the number of seconds to keep the operation in memory when it is not actively collecting information. The range is 0 to 2073600 seconds, the default is 0 seconds (never ages out).
• (Optional) recurring—Set the operation to automatically run every day.
Example:
SwitchDevice(config)# ip sla schedule 10 start-time now life forever

Step 9: end
Purpose: Returns to privileged EXEC mode.
Example:
SwitchDevice(config)# end

Step 10: show running-config
Purpose: Verifies your entries.
Example:
SwitchDevice# show running-config

Step 11: copy running-config startup-config
Purpose: (Optional) Saves your entries in the configuration file.
Example:
SwitchDevice# copy running-config startup-config

UDP Jitter Configuration


This example shows how to configure a UDP jitter IP SLA operation:

SwitchDevice(config)# ip sla 10
SwitchDevice(config-ip-sla)# udp-jitter 172.29.139.134 5000
SwitchDevice(config-ip-sla-jitter)# frequency 30
SwitchDevice(config-ip-sla-jitter)# exit
SwitchDevice(config)# ip sla schedule 10 start-time now life forever
SwitchDevice(config)# end
SwitchDevice# show ip sla configuration 10
IP SLAs, Infrastructure Engine-II.

Entry number: 10
Owner:
Tag:
Type of operation to perform: udp-jitter
Target address/Source address: 1.1.1.1/0.0.0.0
Target port/Source port: 2/0
Request size (ARR data portion): 32
Operation timeout (milliseconds): 5000
Packet Interval (milliseconds)/Number of packets: 20/10
Type Of Service parameters: 0x0
Verify data: No
Vrf Name:
Control Packets: enabled
Schedule:
Operation frequency (seconds): 30
Next Scheduled Start Time: Pending trigger
Group Scheduled : FALSE
Randomly Scheduled : FALSE
Life (seconds): 3600
Entry Ageout (seconds): never
Recurring (Starting Everyday): FALSE
Status of entry (SNMP RowStatus): notInService
Threshold (milliseconds): 5000
Distribution Statistics:
Number of statistic hours kept: 2
Number of statistic distribution buckets kept: 1
Statistic distribution interval (milliseconds): 20
Enhanced History:

Related Topics
Network Performance Measurement with Cisco IOS IP SLAs, on page 455
Restrictions on SLAs, on page 453

Analyzing IP Service Levels by Using the UDP Jitter Operation


Follow these steps to configure a UDP jitter operation on the source device:

Before you begin


You must enable the IP SLA responder on the target device (the operational target) to configure a UDP jitter
operation on the source device.

SUMMARY STEPS
1. enable
2. configure terminal
3. ip sla operation-number
4. udp-jitter {destination-ip-address | destination-hostname} destination-port [source-ip {ip-address |
hostname}] [source-port port-number] [control {enable | disable}] [num-packets number-of-packets]
[interval interpacket-interval]
5. frequency seconds
6. exit
7. ip sla schedule operation-number [life {forever | seconds}] [start-time {hh:mm [:ss] [month day | day
month] | pending | now | after hh:mm:ss] [ageout seconds] [recurring]
8. end
9. show running-config
10. copy running-config startup-config

DETAILED STEPS

Command or Action Purpose


Step 1 enable Enables privileged EXEC mode. Enter your password if
prompted.
Example:

Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(3)E (Catalyst 3560-CX and 2960-CX Switches)
465
High Availability
Analyzing IP Service Levels by Using the UDP Jitter Operation

Command or Action Purpose

SwitchDevice> enable

Step 2 configure terminal Enters the global configuration mode.


Example:

SwitchDevice# configure terminal

Step 3 ip sla operation-number Creates an IP SLA operation, and enters IP SLA


configuration mode.
Example:

SwitchDevice(config)# ip sla 10

Step 4 udp-jitter {destination-ip-address | destination-hostname} destination-port [source-ip {ip-address | hostname}] [source-port port-number] [control {enable | disable}] [num-packets number-of-packets] [interval interpacket-interval]

Configures the IP SLA operation as a UDP jitter operation, and enters UDP jitter configuration mode.
• destination-ip-address | destination-hostname—Specifies the destination IP address or hostname.
• destination-port—Specifies the destination port number in the range from 1 to 65535.
• (Optional) source-ip {ip-address | hostname}—Specifies the source IP address or hostname. When a source IP address or hostname is not specified, IP SLA chooses the IP address nearest to the destination.
• (Optional) source-port port-number—Specifies the source port number in the range from 1 to 65535. When a port number is not specified, IP SLA chooses an available port.
• (Optional) control—Enables or disables sending of IP SLA control messages to the IP SLA responder. By default, IP SLA control messages are sent to the destination device to establish a connection with the IP SLA responder.
• (Optional) num-packets number-of-packets—Enters the number of packets to be generated. The range is 1 to 6000; the default is 10.
• (Optional) interval interpacket-interval—Enters the interval between sending packets in milliseconds. The range is 1 to 6000; the default value is 20 ms.

Example:

SwitchDevice(config-ip-sla)# udp-jitter 172.29.139.134 5000


Step 5 frequency seconds (Optional) Sets the rate at which a specified IP SLA operation repeats. The range is from 1 to 604800 seconds; the default is 60 seconds.

Example:

SwitchDevice(config-ip-sla-jitter)# frequency 45

Step 6 exit Exits UDP jitter configuration mode, and returns to global
configuration mode.
Example:

SwitchDevice(config-ip-sla-jitter)# exit

Step 7 ip sla schedule operation-number [life {forever | seconds}] [start-time {hh:mm [:ss] [month day | day month] | pending | now | after hh:mm:ss}] [ageout seconds] [recurring]

Configures the scheduling parameters for an individual IP SLA operation.
• operation-number—Enter the number of the IP SLA operation to schedule (the RTR entry number). It must match the number given in the ip sla command; an operation that is never scheduled stays in the pending state and collects nothing.
• (Optional) life—Sets the operation to run indefinitely (forever) or for a specific number of seconds. The range is from 0 to 2147483647. The default is 3600 seconds (1 hour).
• (Optional) start-time—Enters the time for the operation to begin collecting information:
To start at a specific time, enter the hour, minute, second (in 24-hour notation), and day of the month. If no month is entered, the default is the current month.
Enter pending to select no information collection until a start time is selected.
Enter now to start the operation immediately.
Enter after hh:mm:ss to indicate that the operation should start after the entered time has elapsed.
• (Optional) ageout seconds—Enter the number of seconds to keep the operation in memory when it is not actively collecting information. The range is 0 to 2073600 seconds; the default is 0 seconds (never ages out).
• (Optional) recurring—Sets the operation to automatically run every day.

Example:

SwitchDevice(config)# ip sla schedule 10 start-time now life forever

Step 8 end Returns to privileged EXEC mode.


Example:

SwitchDevice(config)# end


Step 9 show running-config Verifies your entries.
Example:

SwitchDevice# show running-config

Step 10 copy running-config startup-config (Optional) Saves your entries in the configuration file.
Example:

SwitchDevice# copy running-config startup-config

Configuring a UDP Jitter IP SLA Operation


This example shows how to configure a UDP jitter IP SLA operation:

SwitchDevice(config)# ip sla 10
SwitchDevice(config-ip-sla)# udp-jitter 172.29.139.134 5000
SwitchDevice(config-ip-sla-jitter)# frequency 30
SwitchDevice(config-ip-sla-jitter)# exit
SwitchDevice(config)# ip sla schedule 10 start-time now life forever
SwitchDevice(config)# end
SwitchDevice# show ip sla configuration 10
IP SLAs, Infrastructure Engine-II.

Entry number: 10
Owner:
Tag:
Type of operation to perform: udp-jitter
Target address/Source address: 172.29.139.134/0.0.0.0
Target port/Source port: 5000/0
Request size (ARR data portion): 32
Operation timeout (milliseconds): 5000
Packet Interval (milliseconds)/Number of packets: 20/10
Type Of Service parameters: 0x0
Verify data: No
Vrf Name:
Control Packets: enabled
Schedule:
Operation frequency (seconds): 30
Next Scheduled Start Time: Start Time already passed
Group Scheduled : FALSE
Randomly Scheduled : FALSE
Life (seconds): Forever
Entry Ageout (seconds): never
Recurring (Starting Everyday): FALSE
Status of entry (SNMP RowStatus): Active
Threshold (milliseconds): 5000
Distribution Statistics:
Number of statistic hours kept: 2
Number of statistic distribution buckets kept: 1
Statistic distribution interval (milliseconds): 20
Enhanced History:
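The procedure above has one easy mistake: the ip sla schedule command is applied to a different entry number than the ip sla command, so the operation exists but never runs, and show ip sla configuration reports it as pending and notInService with the default 3600-second life. The following Python is an added example written for this page (it is not Cisco code) that parses captured show ip sla configuration output and flags that and the other pitfalls of the procedure: a finite life, a udp-jitter operation that still needs the responder on the target, and a timeout longer than the frequency (the overlap rule is an assumption of this example). The sample output is constructed from the field names shown on this page; entry 10 models an unscheduled udp-jitter operation and entry 12 a properly scheduled icmp-echo operation. The finding codes are this example's own.

```python
"""Sanity-check 'show ip sla configuration' output for scheduling pitfalls.

Added example for this guide page, not Cisco code.  SAMPLE_OUTPUT is
constructed from the field names the guide shows: entry 10 is a udp-jitter
operation whose 'ip sla schedule' was never applied to it, entry 12 is a
scheduled icmp-echo operation.  Finding codes are this example's own.
"""
import re
from typing import Dict

SAMPLE_OUTPUT = """\
IP SLAs, Infrastructure Engine-II.

Entry number: 10
Owner:
Tag:
Type of operation to perform: udp-jitter
Target address/Source address: 172.29.139.134/0.0.0.0
Target port/Source port: 5000/0
Operation timeout (milliseconds): 5000
Packet Interval (milliseconds)/Number of packets: 20/10
Control Packets: enabled
Schedule:
   Operation frequency (seconds): 30
   Next Scheduled Start Time: Pending trigger
   Life (seconds): 3600
   Entry Ageout (seconds): never
   Status of entry (SNMP RowStatus): notInService

Entry number: 12
Owner:
Tag:
Type of operation to perform: echo
Target address: 172.29.139.134
Source address: 0.0.0.0
Operation timeout (milliseconds): 5000
Schedule:
   Operation frequency (seconds): 30
   Next Scheduled Start Time: Start Time already passed
   Life (seconds): Forever
   Entry Ageout (seconds): never
   Status of entry (SNMP RowStatus): Active
"""


def parse_sla_config(text: str) -> Dict[int, Dict[str, str]]:
    """Return {entry_number: {field: value}} parsed from the show command output."""
    entries: Dict[int, Dict[str, str]] = {}
    current: Dict[str, str] = {}
    for line in text.splitlines():
        match = re.match(r"\s*Entry number:\s*(\d+)\s*$", line)
        if match:
            current = entries.setdefault(int(match.group(1)), {})
            continue
        if not entries or ":" not in line:
            continue  # banner lines before the first entry, blank lines
        key, _, value = line.partition(":")
        current[key.strip()] = value.strip()
    return entries


def check_operation(entry: Dict[str, str]) -> Dict[str, str]:
    """Return {finding_code: explanation} for one parsed operation."""
    findings: Dict[str, str] = {}
    if entry.get("Next Scheduled Start Time") == "Pending trigger":
        findings["NOT_SCHEDULED"] = (
            "no 'ip sla schedule' applies to this entry number; "
            "the operation collects nothing")
    if entry.get("Status of entry (SNMP RowStatus)") == "notInService":
        findings["NOT_IN_SERVICE"] = "RowStatus is notInService; the probe is not running"
    life = entry.get("Life (seconds)", "")
    if life.isdigit():
        findings["FINITE_LIFE"] = (
            f"operation stops after {life} s; use 'life forever' for a standing SLA")
    if (entry.get("Type of operation to perform") == "udp-jitter"
            and entry.get("Control Packets") == "enabled"):
        findings["RESPONDER_REQUIRED"] = (
            "udp-jitter with control packets needs 'ip sla responder' on the target")
    timeout = entry.get("Operation timeout (milliseconds)", "")
    freq = entry.get("Operation frequency (seconds)", "")
    if timeout.isdigit() and freq.isdigit() and int(timeout) > int(freq) * 1000:
        # Assumption of this example: a timeout longer than the repeat
        # interval means consecutive probes overlap.
        findings["TIMEOUT_EXCEEDS_FREQUENCY"] = (
            "operation timeout is longer than the frequency; probes overlap")
    return findings


def audit(text: str) -> Dict[int, Dict[str, str]]:
    """Parse the output and return findings for every operation that has any."""
    report: Dict[int, Dict[str, str]] = {}
    for number, entry in parse_sla_config(text).items():
        findings = check_operation(entry)
        if findings:
            report[number] = findings
    return report


if __name__ == "__main__":
    for number, findings in audit(SAMPLE_OUTPUT).items():
        for code, why in findings.items():
            print(f"entry {number}: {code}: {why}")
```

Run it against output captured from show ip sla configuration (without an entry number, so every operation is covered); an operation that reports Pending trigger after you believed it was scheduled almost always means the schedule command named the wrong entry number.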


Related Topics
UDP Jitter, on page 458

Analyzing IP Service Levels by Using the ICMP Echo Operation


Follow these steps to configure an ICMP echo operation on the source device:

Before you begin


This operation does not require the IP SLA responder to be enabled.

SUMMARY STEPS
1. enable
2. configure terminal
3. ip sla operation-number
4. icmp-echo {destination-ip-address | destination-hostname} [source-ip {ip-address | hostname} |
source-interface interface-id]
5. frequency seconds
6. exit
7. ip sla schedule operation-number [life {forever | seconds}] [start-time {hh:mm [:ss] [month day | day
month] | pending | now | after hh:mm:ss] [ageout seconds] [recurring]
8. end
9. show running-config
10. copy running-config startup-config

DETAILED STEPS

Command or Action Purpose


Step 1 enable Enables privileged EXEC mode. Enter your password if
prompted.
Example:

SwitchDevice> enable

Step 2 configure terminal Enters the global configuration mode.


Example:

SwitchDevice# configure terminal

Step 3 ip sla operation-number Creates an IP SLA operation and enters IP SLA configuration mode.
Example:

SwitchDevice(config)# ip sla 10


Step 4 icmp-echo {destination-ip-address | destination-hostname} [source-ip {ip-address | hostname} | source-interface interface-id]

Configures the IP SLA operation as an ICMP echo operation and enters ICMP echo configuration mode.
• destination-ip-address | destination-hostname—Specifies the destination IP address or hostname.
• (Optional) source-ip {ip-address | hostname}—Specifies the source IP address or hostname. When a source IP address or hostname is not specified, IP SLA chooses the IP address nearest to the destination.
• (Optional) source-interface interface-id—Specifies the source interface for the operation.

Example:

SwitchDevice(config-ip-sla)# icmp-echo 172.29.139.134

Step 5 frequency seconds (Optional) Sets the rate at which a specified IP SLA operation repeats. The range is from 1 to 604800 seconds; the default is 60 seconds.

Example:

SwitchDevice(config-ip-sla-echo)# frequency 30

Step 6 exit Exits ICMP echo configuration mode, and returns to global configuration mode.

Example:

SwitchDevice(config-ip-sla-echo)# exit

Step 7 ip sla schedule operation-number [life {forever | seconds}] [start-time {hh:mm [:ss] [month day | day month] | pending | now | after hh:mm:ss}] [ageout seconds] [recurring]

Configures the scheduling parameters for an individual IP SLA operation.
• operation-number—Enter the number of the IP SLA operation to schedule (the RTR entry number). It must match the number given in the ip sla command.
• (Optional) life—Sets the operation to run indefinitely (forever) or for a specific number of seconds. The range is from 0 to 2147483647. The default is 3600 seconds (1 hour).
• (Optional) start-time—Enter the time for the operation to begin collecting information:
To start at a specific time, enter the hour, minute, second (in 24-hour notation), and day of the month. If no month is entered, the default is the current month.
Enter pending to select no information collection until a start time is selected.
Enter now to start the operation immediately.
Enter after hh:mm:ss to indicate that the operation should start after the entered time has elapsed.

Example:

SwitchDevice(config)# ip sla schedule 10 start-time now life forever

• (Optional) ageout seconds—Enter the number of
seconds to keep the operation in memory when it is
not actively collecting information. The range is 0 to
2073600 seconds; the default is 0 seconds (never ages
out).
• (Optional) recurring—Sets the operation to
automatically run every day.

Step 8 end Returns to privileged EXEC mode.


Example:

SwitchDevice(config)# end

Step 9 show running-config Verifies your entries.


Example:

SwitchDevice# show running-config

Step 10 copy running-config startup-config (Optional) Saves your entries in the configuration file.
Example:

SwitchDevice# copy running-config startup-config

Configuring an ICMP Echo IP SLA Operation


This example shows how to configure an ICMP echo IP SLA operation:

SwitchDevice(config)# ip sla 12
SwitchDevice(config-ip-sla)# icmp-echo 172.29.139.134
SwitchDevice(config-ip-sla-echo)# frequency 30
SwitchDevice(config-ip-sla-echo)# exit
SwitchDevice(config)# ip sla schedule 12 start-time now life forever
SwitchDevice(config)# end
SwitchDevice# show ip sla configuration 12
IP SLAs, Infrastructure Engine-II.

Entry number: 12
Owner:
Tag:
Type of operation to perform: echo
Target address: 172.29.139.134
Source address: 0.0.0.0
Request size (ARR data portion): 28
Operation timeout (milliseconds): 5000
Type Of Service parameters: 0x0
Verify data: No
Vrf Name:
Schedule:
Operation frequency (seconds): 30
Next Scheduled Start Time: Start Time already passed
Group Scheduled : FALSE
Randomly Scheduled : FALSE
Life (seconds): Forever
Entry Ageout (seconds): never
Recurring (Starting Everyday): FALSE
Status of entry (SNMP RowStatus): Active
Threshold (milliseconds): 5000
Distribution Statistics:
Number of statistic hours kept: 2
Number of statistic distribution buckets kept: 1
Statistic distribution interval (milliseconds): 20
History Statistics:
Number of history Lives kept: 0
Number of history Buckets kept: 15
History Filter Type: None
Enhanced History:

Related Topics
IP SLA Operation Threshold Monitoring, on page 457

Monitoring IP SLA Operations


The following table describes the commands used to display IP SLA operation configurations and results:

Table 43: Monitoring IP SLA Operations

show ip sla application
    Displays global information about Cisco IOS IP SLAs.

show ip sla authentication
    Displays IP SLA authentication information.

show ip sla configuration [entry-number]
    Displays configuration values including all defaults for all IP SLA operations or a specific operation.

show ip sla enhanced-history {collection-statistics | distribution-statistics} [entry-number]
    Displays enhanced history statistics for collected history buckets or distribution statistics for all IP SLA operations or a specific operation.

show ip sla ethernet-monitor configuration [entry-number]
    Displays IP SLA automatic Ethernet configuration.

show ip sla group schedule [schedule-entry-number]
    Displays IP SLA group scheduling configuration and details.

show ip sla history [entry-number | full | tabular]
    Displays history collected for all IP SLA operations.

show ip sla mpls-lsp-monitor {collection-statistics | configuration | ldp operational-state | scan-queue | summary [entry-number] | neighbors}
    Displays MPLS label switched path (LSP) Health Monitor operations.


show ip sla reaction-configuration [entry-number]
    Displays the configured proactive threshold monitoring settings for all IP SLA operations or a specific operation.

show ip sla reaction-trigger [entry-number]
    Displays the reaction trigger information for all IP SLA operations or a specific operation.

show ip sla responder
    Displays information about the IP SLA responder.

show ip sla statistics [entry-number | aggregated | details]
    Displays current or aggregated operational status and statistics.

Monitoring IP SLA Operation Examples


The following example shows all IP SLAs by application:
SwitchDevice# show ip sla application

IP Service Level Agreements


Version: Round Trip Time MIB 2.2.0, Infrastructure Engine-III

Supported Operation Types:


icmpEcho, path-echo, path-jitter, udpEcho, tcpConnect, http
dns, udpJitter, dhcp, ftp, udpApp, wspApp

Supported Features:
IPSLAs Event Publisher

IP SLAs low memory water mark: 33299323


Estimated system max number of entries: 24389

Estimated number of configurable operations: 24389


Number of Entries configured : 0
Number of active Entries : 0
Number of pending Entries : 0
Number of inactive Entries : 0
Time of last change in whole IP SLAs: *13:04:37.668 UTC Wed Dec 19 2012

The following example shows all IP SLA distribution statistics:


SwitchDevice# show ip sla enhanced-history distribution-statistics

Point by point Enhanced History


Entry = Entry Number
Int = Aggregation Interval
BucI = Bucket Index
StartT = Aggregation Start Time
Pth = Path index
Hop = Hop in path index
Comps = Operations completed
OvrTh = Operations completed over thresholds
SumCmp = Sum of RTT (milliseconds)
SumCmp2L = Sum of RTT squared low 32 bits (milliseconds)
SumCmp2H = Sum of RTT squared high 32 bits (milliseconds)
TMax = RTT maximum (milliseconds)
TMin = RTT minimum (milliseconds)

Entry Int BucI StartT Pth Hop Comps OvrTh SumCmp SumCmp2L SumCmp2H TMax TMin

CHAPTER 25
Configuring Enhanced Object Tracking
• Finding Feature Information, on page 475
• Information About Enhanced Object Tracking, on page 475
• How to Configure Enhanced Object Tracking, on page 478
• Monitoring Enhanced Object Tracking, on page 491

Finding Feature Information


Your software release may not support all the features documented in this module. For the latest caveats and
feature information, see Bug Search Tool and the release notes for your platform and software release. To
find information about the features documented in this module, and to see a list of the releases in which each
feature is supported, see the feature information table at the end of this module.
Use Cisco Feature Navigator to find information about platform support and Cisco software image support.
To access Cisco Feature Navigator, go to http://www.cisco.com/go/cfn. An account on Cisco.com is not
required.

Information About Enhanced Object Tracking


Enhanced Object Tracking Overview
Before the introduction of the Enhanced Object Tracking feature, Hot Standby Router Protocol (HSRP) had
a simple tracking mechanism that allowed you to track the interface line-protocol state only. If the line-protocol
state of the interface went down, the HSRP priority of the router was reduced, allowing another HSRP router
with a higher priority to become active.
The Enhanced Object Tracking feature separates the tracking mechanism from HSRP and creates a separate
standalone tracking process that can be used by processes other than HSRP. This feature allows the tracking
of other objects in addition to the interface line-protocol state.
A client process such as HSRP, Virtual Router Redundancy Protocol (VRRP), or Gateway Load Balancing
Protocol (GLBP), can register its interest in tracking objects and then be notified when the tracked object
changes state.

Note Enhanced Object Tracking is not supported on switches running the LAN Base image.
Enhanced Object Tracking is supported only on Cisco Catalyst 3560-CX switches.

Each tracked object has a unique number that is specified in the tracking command-line interface (CLI). Client
processes use this number to track a specific object. The tracking process periodically polls the tracked object
for value changes and sends any changes (as up or down values) to interested client processes, either
immediately or after a specified delay. Several clients can track the same object, and can take different actions
when the object changes state.
You can also track a combination of objects in a list by using either a weight threshold or a percentage threshold
to measure the state of the list. You can combine objects using Boolean logic. A tracked list with a Boolean
“AND” function requires that each object in the list be in an up state for the tracked object to be up. A tracked
list with a Boolean “OR” function needs only one object in the list to be in the up state for the tracked object
to be up.

Tracking Interface Line-Protocol or IP Routing State


You can track either the interface line protocol state or the interface IP routing state. When you track the IP
routing state, these three conditions are required for the object to be up:
• IP routing must be enabled and active on the interface.
• The interface line-protocol state must be up.
• The interface IP address must be known.

If any one of these three conditions is not met, the IP routing state is down.
Related Topics
Configuring Tracking for Line State Protocol or IP Routing State on an Interface, on page 478

Tracked Lists
You can configure a tracked list of objects with a Boolean expression, a weight threshold, or a percentage
threshold. A tracked list contains one or more objects. An object must exist before it can be added to the
tracked list.
• You configure a Boolean expression to specify calculation by using either “AND” or “OR” operators.
• When you measure the tracked list state by a weight threshold, you assign a weight number to each object in the tracked list. The state of the list is determined by adding the weights of the objects that are up and comparing that total against the configured up and down threshold weights.
• When you measure the tracked list by a percentage threshold, you assign an up and a down percentage to the list as a whole. The state of the list is determined by comparing the percentage of objects in the list that are up against those thresholds.

Related Topics
Configuring a Tracked List with a Boolean Expression

Configuring a Tracked List with a Weight Threshold, on page 479
Configuring a Tracked List with a Percentage Threshold, on page 481

Tracking Other Characteristics


You can also use the enhanced object tracking for tracking other characteristics.
• You can track the reachability of an IP route by using the track ip route reachability global configuration
command.
• You can use the track ip route metric threshold global configuration command to determine if a route
is above or below threshold.
• You can use the track resolution global configuration command to change the metric resolution default
values for routing protocols.
• You can use the track timer tracking configuration command to configure the tracking process to
periodically poll tracked objects.

Use the show track privileged EXEC command to verify enhanced object tracking configuration.

IP SLAs Object Tracking


Cisco IOS IP Service Level Agreements (IP SLAs) is a network performance measurement and diagnostics
tool that uses active monitoring by generating traffic to measure network performance. Cisco IP SLAs
operations collect real-time metrics that you can use for network troubleshooting, design, and analysis.
Object tracking of IP SLAs operations allows clients to track the output from IP SLAs objects and use this
information to trigger an action. Every IP SLAs operation maintains an SNMP operation return-code value,
such as OK or OverThreshold, that can be interpreted by the tracking process. You can track two aspects of
IP SLAs operation: state and reachability. For state, if the return code is OK, the track state is up; if the return
code is not OK, the track state is down. For reachability, if the return code is OK or OverThreshold, reachability
is up; if not OK, reachability is down.
Related Topics
Configuring IP SLAs Object Tracking, on page 485
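The two passages above, Tracked Lists and IP SLAs Object Tracking, describe rules that are easier to reason about when written down as code. The following Python is an added example written for this page (it is not Cisco code and does not run on the switch): it maps an IP SLAs return code to the state and reachability track values as described, and evaluates a tracked list with a Boolean expression, a weight threshold, or a percentage threshold. Two points are assumptions of this example rather than statements from the page: a threshold list keeps its previous state while the measured value sits between the down and up thresholds (hysteresis), and a list member that is given no weight counts 10.

```python
"""Model of Enhanced Object Tracking list evaluation.

Added example for this guide page, not Cisco code.  Leaf objects are simply
'up' or 'down' (an interface line-protocol or ip routing state, or an IP SLAs
state or reachability value); lists combine them as the guide describes.
Assumptions of this example: threshold lists keep their previous state while
the measure lies between the down and up values, and the default member
weight is 10.
"""
from dataclasses import dataclass
from typing import Dict, List

UP, DOWN = "up", "down"


def sla_track_state(return_code: str) -> str:
    """IP SLAs 'state' tracking: up only when the operation return code is OK."""
    return UP if return_code == "OK" else DOWN


def sla_track_reachability(return_code: str) -> str:
    """IP SLAs 'reachability' tracking: up when the code is OK or OverThreshold."""
    return UP if return_code in ("OK", "OverThreshold") else DOWN


@dataclass
class Member:
    object_number: int
    weight: int = 10         # assumed default per-object weight
    negated: bool = False    # Boolean lists may invert a member with 'not'


@dataclass
class TrackedList:
    kind: str                # "boolean", "weight" or "percentage"
    members: List[Member]
    operator: str = "and"    # Boolean lists only: "and" or "or"
    up: int = 1              # measure at or above which the list is up
    down: int = 0            # measure at or below which the list is down
    state: str = DOWN        # last computed state, kept for hysteresis


def _member_up(member: Member, objects: Dict[int, str]) -> bool:
    # An object must exist before a list can reference it.
    if member.object_number not in objects:
        raise KeyError(f"tracked object {member.object_number} does not exist")
    is_up = objects[member.object_number] == UP
    return (not is_up) if member.negated else is_up


def evaluate(tl: TrackedList, objects: Dict[int, str]) -> str:
    """Recompute and return the list state from the current member states."""
    ups = [_member_up(m, objects) for m in tl.members]
    if tl.kind == "boolean":
        if tl.operator == "and":
            tl.state = UP if all(ups) else DOWN      # every member must be up
        elif tl.operator == "or":
            tl.state = UP if any(ups) else DOWN      # one up member suffices
        else:
            raise ValueError("Boolean operator must be 'and' or 'or'")
        return tl.state
    if tl.kind == "weight":
        # Only the weights of members that are currently up count.
        measure = sum(m.weight for m, is_up in zip(tl.members, ups) if is_up)
    elif tl.kind == "percentage":
        measure = (100 * sum(ups)) // len(ups) if ups else 0
    else:
        raise ValueError("kind must be 'boolean', 'weight' or 'percentage'")
    if measure >= tl.up:
        tl.state = UP
    elif measure <= tl.down:
        tl.state = DOWN
    # Between the two thresholds the previous state is retained (assumption).
    return tl.state


def weight_walkthrough() -> List[str]:
    """Drive a 'threshold weight up 30 down 10' list through successive failures."""
    # Constructed states: two uplinks plus one IP SLAs probe tracked by reachability.
    objects = {1: UP, 2: UP, 3: sla_track_reachability("OverThreshold")}
    tl = TrackedList("weight", [Member(1, 15), Member(2, 15), Member(3, 15)],
                     up=30, down=10)
    history = [evaluate(tl, objects)]          # weight 45: up
    objects[2] = DOWN
    history.append(evaluate(tl, objects))      # weight 30: still up
    objects[3] = sla_track_reachability("Timeout")
    history.append(evaluate(tl, objects))      # weight 15: between thresholds, stays up
    objects[1] = DOWN
    history.append(evaluate(tl, objects))      # weight 0: down
    objects[1] = UP
    history.append(evaluate(tl, objects))      # weight 15: stays down until 30 again
    return history


if __name__ == "__main__":
    print(weight_walkthrough())
```

The walkthrough is the practical point: with up 30 and down 10, a single recovered 15-weight link does not bring the list back up, so a client such as HSRP does not flap its priority while the path is only partly restored.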

Static Route Object Tracking


Static routing support using enhanced object tracking provides the ability for the switch to use ICMP pings
to identify when a pre-configured static route or a DHCP route goes down. When tracking is enabled, the
system tracks the state of the route and informs the client when that state changes. Static route object tracking
uses Cisco IP SLAs to generate ICMP pings to monitor the state of the connection to the primary gateway.
This feature is supported only on the IP Services image.
Related Topics
Configuring a Primary Interface for Static Routing , on page 486
Configuring a Primary Interface for DHCP, on page 487
Configuring IP SLAs Monitoring Agent, on page 488
Configuring a Routing Policy and a Default Route, on page 489

How to Configure Enhanced Object Tracking


Configuring Tracking for Line State Protocol or IP Routing State on an Interface
Follow these steps to track the line-protocol state or IP routing state of an interface:

SUMMARY STEPS
1. enable
2. configure terminal
3. track object-number interface interface-id line-protocol
4. delay {up seconds [down seconds] | [up seconds] down seconds}
5. exit
6. track object-number interface interface-id ip routing
7. delay {up seconds [down seconds] | [up seconds] down seconds}
8. end
9. show track object-number

DETAILED STEPS

Command or Action Purpose


Step 1 enable Enables privileged EXEC mode. Enter your password if
prompted.
Example:

SwitchDevice> enable

Step 2 configure terminal Enters the global configuration mode.


Example:

SwitchDevice# configure terminal

Step 3 track object-number interface interface-id line-protocol

(Optional) Creates a tracked object for the line-protocol state of an interface and enters tracking configuration mode.
• The object-number identifies the tracked object and can be from 1 to 500.
• The interface interface-id is the interface being tracked.

Example:
SwitchDevice(config)# track 33 interface gigabitethernet 1/0/1 line-protocol

Step 4 delay {up seconds [down seconds] | [up seconds] down seconds}

(Optional) Specifies a period of time in seconds to delay communicating state changes of a tracked object. The range is from 1 to 180 seconds.

Step 5 exit Returns to global configuration mode.


Step 6 track object-number interface interface-id ip routing

(Optional) Creates a tracked object for the IP routing state of an interface and enters tracking configuration mode. The IP routing state is up only when IP routing is enabled on the interface, the line protocol is up, and the interface IP address is known.
• The object-number identifies the tracked object and can be from 1 to 500.
• The interface interface-id is the interface being tracked.

Example:
SwitchDevice(config)# track 33 interface gigabitethernet 1/0/1 ip routing

Step 7 delay {up seconds [down seconds] | [up seconds] down seconds}

(Optional) Specifies a period of time in seconds to delay communicating state changes of a tracked object. The range is from 1 to 180 seconds.

Step 8 end Returns to privileged EXEC mode.

Step 9 show track object-number Verifies that the specified objects are being tracked.

Related Topics
Tracking Interface Line-Protocol or IP Routing State, on page 476

Configuring Tracked Lists


Configuring a Tracked List with a Weight Threshold
To track by weight threshold, configure a tracked list of objects, specify that weight is used as the threshold,
and configure a weight for each of its objects. The state of the list is determined by comparing the total
weight of the objects that are up against the configured up and down threshold weights.
You cannot use the Boolean “NOT” operator in a weight threshold list.
Follow these steps to configure a tracked list of objects by using a weight threshold and to configure a weight
for each object:

SUMMARY STEPS
1. enable
2. configure terminal
3. track track-number list threshold weight
4. object object-number [weight weight-number]
5. threshold weight {up number | [down number]}
6. delay {up seconds [down seconds] | [up seconds] down seconds}
7. end
8. show track object-number
9. copy running-config startup-config


DETAILED STEPS

Command or Action Purpose


Step 1 enable Enables privileged EXEC mode. Enter your password if
prompted.
Example:

SwitchDevice> enable

Step 2 configure terminal Enters the global configuration mode.


Example:

SwitchDevice# configure terminal

Step 3 track track-number list threshold weight

Configures a tracked list object, and enters tracking configuration mode. The track-number can be from 1 to 500.
• threshold—Specifies the state of the tracked list based on a threshold.
• weight—Specifies that the threshold is based on weight.

Example:
SwitchDevice(config)# track 4 list threshold weight

Step 4 object object-number [weight weight-number]

Specifies the object to be tracked. The range is from 1 to 500. The optional weight weight-number specifies the threshold weight for the object. The range is from 1 to 255.
Note An object must exist before you can add it to a tracked list.

Example:
SwitchDevice(config-track)# object 2 weight 15

Step 5 threshold weight {up number | [down number]}

(Optional) Specifies the threshold weight.
• up number—The range is from 1 to 255.
• (Optional) down number—The range depends on the number selected for the up number. If you configure the up number as 25, the range shown for the down number is 0 to 24.

Example:
SwitchDevice(config-track)# threshold weight up 30 down 10

Step 6 delay {up seconds [down seconds] | [up seconds] down seconds}

(Optional) Specifies a period of time in seconds to delay communicating state changes of a tracked object. The range is from 1 to 180 seconds.

Step 7 end Returns to privileged EXEC mode.

Step 8 show track object-number Verifies that the specified objects are being tracked.

Step 9 copy running-config startup-config (Optional) Saves your entries in the configuration file.
Example:


SwitchDevice# copy running-config startup-config

Related Topics
Tracked Lists, on page 476

Configuring a Tracked List with a Percentage Threshold


To track by percentage threshold, configure a tracked list of objects, specify that a percentage will be used as
the threshold, and specify the up and down percentages for the list. The state of the list is determined by
comparing the percentage of objects in the list that are up against those thresholds.
You cannot use the Boolean “NOT” operator in a percentage threshold list.
Follow these steps to configure a tracked list of objects by using a percentage threshold:

SUMMARY STEPS
1. enable
2. configure terminal
3. track track-number list threshold percentage
4. object object-number
5. threshold percentage {up number | [down number]}
6. delay {up seconds [down seconds] | [up seconds] down seconds}
7. end
8. show track object-number
9. copy running-config startup-config

DETAILED STEPS

Command or Action Purpose


Step 1 enable Enables privileged EXEC mode. Enter your password if
prompted.
Example:

SwitchDevice> enable

Step 2 configure terminal Enters the global configuration mode.


Example:

SwitchDevice# configure terminal

Step 3 track track-number list threshold percentage

Configures a tracked list object, and enters tracking configuration mode. The track-number can be from 1 to 500.
• threshold—Specifies the state of the tracked list based on a threshold.
• percentage—Specifies that the threshold is based on percentage.

Example:
SwitchDevice(config)# track 4 list threshold percentage

Step 4 object object-number

Specifies the object to be tracked. The range is from 1 to 500.
Note An object must exist before you can add it to a tracked list.

Example:
SwitchDevice(config-track)# object 1

Step 5 threshold percentage {up number | [down number]}

(Optional) Specifies the threshold percentage.
• up number—The range is from 1 to 100.
• (Optional) down number—The range depends on the number selected for the up number. If you configure the up number as 25, the range shown for the down number is 0 to 24.

Example:
SwitchDevice(config-track)# threshold percentage up 51 down 10

Step 6 delay {up seconds [down seconds] | [up seconds] down seconds}

(Optional) Specifies a period of time in seconds to delay communicating state changes of a tracked object. The range is from 1 to 180 seconds.

Step 7 end Returns to privileged EXEC mode.

Step 8 show track object-number Verifies that the specified objects are being tracked.

Step 9 copy running-config startup-config (Optional) Saves your entries in the configuration file.
Example:

SwitchDevice# copy running-config startup-config

Related Topics
Tracked Lists, on page 476

Configuring HSRP Object Tracking


Follow these steps to configure a standby HSRP group to track an object and change the HSRP priority based
on the object state:

SUMMARY STEPS
1. enable
2. configure terminal
3. track object-number {interface interface-id {line-protocol | ip routing} | ip route ip-address/prefix-length {metric threshold | reachability} | list {boolean {and | or} | threshold {weight | percentage}}}
4. exit
5. interface interface-id

6. standby [group-number] ip [ip-address [secondary]]
7. standby [group-number] track object-number [decrement priority-decrement]
8. end
9. show standby
10. copy running-config startup-config

DETAILED STEPS

Command or Action / Purpose

Step 1 enable
Enables privileged EXEC mode. Enter your password if prompted.
Example:
SwitchDevice> enable

Step 2 configure terminal
Enters the global configuration mode.
Example:
SwitchDevice# configure terminal

Step 3 track object-number {interface interface-id {line-protocol | ip routing} | ip route ip-address/prefix-length {metric threshold | reachability} | list {boolean {and | or} | threshold {weight | percentage}}}
(Optional) Creates a tracking list to track the configured state and enters tracking configuration mode.
• The object-number identifies the tracked object and can be from 1 to 500.
• Enter interface interface-id to select an interface to track.
• Enter line-protocol to track the interface line protocol state or enter ip routing to track the interface IP routing state.
• Enter ip route ip-address/prefix-length to track the state of an IP route.
• Enter metric threshold to track the threshold metric or enter reachability to track if the route is reachable. The default up threshold is 254 and the default down threshold is 255.
• Enter list to track objects grouped in a list.
Note Repeat this step for each interface to be tracked.

Step 4 exit
Returns to global configuration mode.

Step 5 interface interface-id
Enters interface configuration mode.


Step 6 standby [group-number] ip [ip-address [secondary]]
Creates (or enables) the HSRP group by using its number and virtual IP address.
• (Optional) group-number—Enters a group number on the interface for which HSRP is being enabled. The range is 0 to 255; the default is 0. If there is only one HSRP group, you do not need to enter a group number.
• (Optional on all but one interface) ip-address—Specifies the virtual IP address of the hot standby router interface. You must enter the virtual IP address for at least one of the interfaces; it can be learned on the other interfaces.
• (Optional) secondary—Specifies that the IP address is a secondary hot standby router interface. If this keyword is omitted, the configured address is the primary IP address.

Step 7 standby [group-number] track [object-number [decrement priority-decrement]]
Configures HSRP to track an object and change the hot standby priority based on the state of the object.
• (Optional) group-number—Enters the group number to which the tracking applies.
• object-number—Enters a number representing the object to be tracked. The range is from 1 to 500; the default is 1.
• (Optional) decrement priority-decrement—Specifies the amount by which the hot standby priority for the router is decremented (or incremented) when the tracked object goes down (or comes back up). The range is from 1 to 255; the default is 10.

Step 8 end
Returns to privileged EXEC mode.

Step 9 show standby
Verifies the standby router IP address and tracking states.

Step 10 copy running-config startup-config
(Optional) Saves your entries in the configuration file.
Example:
SwitchDevice# copy running-config startup-config
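An added example, not from the guide, of the HSRP procedure end to end: an interface object is tracked, and HSRP group 10 on VLAN 10 lowers its priority when the uplink loses line protocol. The addresses and interface names are constructed, and the standby priority and standby preempt commands, which the procedure above does not list, are assumptions added so that the priority change actually moves the active role.

```cisco
! Added example (constructed): HSRP group 10 on VLAN 10 drops its priority
! when the uplink's line protocol goes down. Addresses, interface names and
! the priority/preempt settings are assumptions, not values from the guide.
track 1 interface GigabitEthernet0/1 line-protocol
!
interface Vlan10
 ip address 10.10.10.2 255.255.255.0
 standby 10 ip 10.10.10.1
 ! This switch is meant to be active: 110 (default is 100). With the uplink
 ! down, 110 - 20 = 90, which is below the peer's default priority of 100.
 standby 10 priority 110
 ! Preempt (on both peers) is what lets the higher-priority router take
 ! over, and take back, the active role when priorities change.
 standby 10 preempt
 standby 10 track 1 decrement 20
!
! Verify with:  show standby   (virtual IP, priority, tracked object and its state)
```

Configure the peer switch with the same group, virtual IP and preempt but a lower priority; the decrement value must be large enough to push the active router below the standby router's priority, otherwise the tracked failure changes nothing.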


Configuring IP SLAs Object Tracking


Follow these steps to track the state of an IP SLAs operation or the reachability of an IP SLAs IP host:

SUMMARY STEPS
1. enable
2. configure terminal
3. track object-number rtr operation-number state
4. delay {up seconds [down seconds] | [up seconds] down seconds}
5. exit
6. track object-number rtr operation-number state
7. end
8. show track object-number
9. copy running-config startup-config

DETAILED STEPS

Command or Action / Purpose

Step 1 enable
Enables privileged EXEC mode. Enter your password if prompted.
Example:
SwitchDevice> enable

Step 2 configure terminal
Enters the global configuration mode.
Example:
SwitchDevice# configure terminal

Step 3 track object-number rtr operation-number state
Enters tracking configuration mode to track the state of an IP SLAs operation.
• object-number range is from 1 to 500.
• operation-number range is from 1 to 2147483647.
Example:
SwitchDevice(config)# track 2 rtr 200 state

Step 4 delay {up seconds [down seconds] | [up seconds] down seconds}
(Optional) Specifies a period of time in seconds to delay communicating state changes of a tracked object. The range is from 1 to 180 seconds.

Step 5 exit
Returns to global configuration mode.

Step 6 track object-number rtr operation-number state
Enters tracking configuration mode to track the state of an IP SLAs operation.
• object-number range is from 1 to 500.
• operation-number range is from 1 to 2147483647.


Step 7 end
Returns to privileged EXEC mode.

Step 8 show track object-number
Verifies that the specified objects are being tracked.

Step 9 copy running-config startup-config
(Optional) Saves your entries in the configuration file.
Example:
SwitchDevice# copy running-config startup-config

Related Topics
IP SLAs Object Tracking, on page 477
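Added example, not from the guide: an ICMP echo operation whose state is tracked by object 2, with delay timers so that a single missed probe does not flip the object. The target address, operation number and timers are constructed. The rtr keyword is the form this guide documents; later Cisco IOS releases also accept ip sla in its place.

```cisco
! Added example (constructed): object 2 follows the state of IP SLAs
! operation 200. Address, numbers and timers are assumptions.
ip sla 200
 icmp-echo 192.0.2.1
 ! One probe every 10 s; the reply must arrive within 1000 ms.
 frequency 10
 timeout 1000
!
! Start the operation now and keep it running indefinitely.
ip sla schedule 200 life forever start-time now
!
! Track the operation's state (OK / not OK). Report "up" only after the
! operation has been OK for 5 s, and "down" only after 15 s of failures,
! i.e. at least two consecutive missed probes at this frequency.
track 2 rtr 200 state
 delay up 5 down 15
!
! Verify with:  show track 2   (state of the object and its tracked operation)
```

The delay values are chosen against the probe frequency: a down delay shorter than the frequency would react to one lost reply, while 15 s requires the failure to persist across two probe intervals.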

Configuring Static Route Object Tracking


Configuring a Primary Interface for Static Routing
Follow these steps to configure a primary interface for static routing:

SUMMARY STEPS
1. enable
2. configure terminal
3. interface interface-id
4. description string
5. ip address ip-address mask [secondary]
6. exit

DETAILED STEPS

Command or Action / Purpose

Step 1 enable
Enables privileged EXEC mode. Enter your password if prompted.
Example:
SwitchDevice> enable

Step 2 configure terminal
Enters the global configuration mode.
Example:
SwitchDevice# configure terminal

Step 3 interface interface-id
Selects a primary or secondary interface and enters interface configuration mode.

Step 4 description string
Adds a description to the interface.


Step 5 ip address ip-address mask [secondary]
Sets the primary or secondary IP address for the interface.

Step 6 exit
Returns to global configuration mode.

Related Topics
Static Route Object Tracking, on page 477

Configuring a Primary Interface for DHCP


Follow these steps to configure a primary interface for DHCP:

SUMMARY STEPS
1. enable
2. configure terminal
3. interface interface-id
4. description string
5. ip dhcp client route track number
6. exit

DETAILED STEPS

Command or Action / Purpose

Step 1 enable
Enables privileged EXEC mode. Enter your password if prompted.
Example:
SwitchDevice> enable

Step 2 configure terminal
Enters the global configuration mode.
Example:
SwitchDevice# configure terminal

Step 3 interface interface-id
Selects a primary or secondary interface and enters interface configuration mode.

Step 4 description string
Adds a description to the interface.

Step 5 ip dhcp client route track number
Configures the DHCP client to associate any added routes with the specified track number. Valid numbers are from 1 to 500.

Step 6 exit
Returns to global configuration mode.

Related Topics
Static Route Object Tracking, on page 477


Configuring IP SLAs Monitoring Agent


You can configure an IP SLAs agent to ping an IP address using a primary interface and a track object to
monitor the state of the agent.
Follow these steps to configure network monitoring with Cisco IP SLAs:

SUMMARY STEPS
1. enable
2. configure terminal
3. ip sla operation-number
4. icmp-echo {destination-ip-address | destination-hostname} [source-ipaddr {ip-address | hostname} | source-interface interface-id]
5. timeout milliseconds
6. frequency seconds
7. threshold milliseconds
8. exit
9. ip sla schedule operation-number [life {forever | seconds}] [start-time {time | pending | now | after time}] [ageout seconds] [recurring]
10. track object-number rtr operation-number {state | reachability}
11. end
12. show track object-number
13. copy running-config startup-config

DETAILED STEPS

Command or Action / Purpose

Step 1 enable
Enables privileged EXEC mode. Enter your password if prompted.
Example:
SwitchDevice> enable

Step 2 configure terminal
Enters the global configuration mode.
Example:
SwitchDevice# configure terminal

Step 3 ip sla operation-number
Begins configuring a Cisco IP SLAs operation and enters IP SLA configuration mode.

Step 4 icmp-echo {destination-ip-address | destination-hostname} [source-ipaddr {ip-address | hostname} | source-interface interface-id]
Configures a Cisco IP SLAs end-to-end ICMP echo response time operation and enters IP SLAs ICMP echo configuration mode.

Step 5 timeout milliseconds
Sets the amount of time for which the operation waits for a response from its request packet.


Step 6 frequency seconds
Sets the rate at which the operation is sent into the network.

Step 7 threshold milliseconds
Sets the rising threshold (hysteresis) that generates a reaction event and stores history information for the operation.

Step 8 exit
Exits IP SLAs ICMP echo configuration mode.

Step 9 ip sla schedule operation-number [life {forever | seconds}] [start-time {time | pending | now | after time}] [ageout seconds] [recurring]
Configures the scheduling parameters for a single IP SLAs operation.

Step 10 track object-number rtr operation-number {state | reachability}
Tracks the state of a Cisco IOS IP SLAs operation and enters tracking configuration mode.
• object-number range is from 1 to 500.
• operation-number range is from 1 to 2147483647.
Example:
SwitchDevice(config)# track 2 rtr 200 state

Step 11 end
Returns to privileged EXEC mode.

Step 12 show track object-number
Verifies that the specified objects are being tracked.

Step 13 copy running-config startup-config
(Optional) Saves your entries in the configuration file.
Example:
SwitchDevice# copy running-config startup-config

Related Topics
Static Route Object Tracking, on page 477

Configuring a Routing Policy and a Default Route


Follow these steps to configure a routing policy for backup static routing by using object tracking.

SUMMARY STEPS
1. enable
2. configure terminal
3. access-list access-list-number
4. route-map map-tag [permit | deny] [sequence-number]
5. match ip address {access-list-number | access-list-name}
6. set ip next-hop dynamic dhcp
7. set interface interface-id
8. exit
9. ip local policy route-map map-tag
10. ip route prefix mask {ip-address | interface-id [ip-address]} [distance] [name] [permanent | track track-number] [tag tag]
11. end

12. show ip route track table
13. copy running-config startup-config

DETAILED STEPS

Command or Action / Purpose

Step 1 enable
Enables privileged EXEC mode. Enter your password if prompted.
Example:
SwitchDevice> enable

Step 2 configure terminal
Enters the global configuration mode.
Example:
SwitchDevice# configure terminal

Step 3 access-list access-list-number
Defines an extended IP access list. Configure any optional characteristics.

Step 4 route-map map-tag [permit | deny] [sequence-number]
Enters route-map configuration mode and defines conditions for redistributing routes from one routing protocol to another.

Step 5 match ip address {access-list-number | access-list-name}
Distributes any routes that have a destination network number address that is permitted by a standard or extended access list, or performs policy routing on packets. You can enter multiple numbers or names.

Step 6 set ip next-hop dynamic dhcp
For DHCP networks only. Sets the next hop to the gateway that was most recently learned by the DHCP client.

Step 7 set interface interface-id
For static routing networks only. Indicates where to send output packets that pass a match clause of a route map for policy routing.

Step 8 exit
Returns to global configuration mode.

Step 9 ip local policy route-map map-tag
Identifies a route map to use for local policy routing.

Step 10 ip route prefix mask {ip-address | interface-id [ip-address]} [distance] [name] [permanent | track track-number] [tag tag]
For static routing networks only. Establishes static routes. Entering track track-number specifies that the static route is installed only if the configured track object is up.

Step 11 end
Returns to privileged EXEC mode.

Step 12 show ip route track table
Displays information about the IP route track table.

Step 13 copy running-config startup-config
(Optional) Saves your entries in the configuration file.
Example:

SwitchDevice# copy running-config startup-config

Related Topics
Static Route Object Tracking, on page 477
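The following is an added example, not the guide's own, that ties the static-routing procedures above together (primary interface, IP SLAs monitoring agent, tracked object and routing policy) for backup static routing over a second uplink. Addresses (RFC 5737 documentation ranges), interface names, the access-list number, the route-map name and the timers are constructed assumptions. Because the uplink here is an Ethernet (multi-access) interface, the route map sets the next-hop address rather than using the procedure's set interface clause, which is meant for point-to-point interfaces.

```cisco
! Added example (constructed): backup static routing driven by object tracking.
! Addresses, interface names, ACL number, route-map name and timers are
! assumptions, not values from the guide.
interface GigabitEthernet0/1
 description Primary uplink, next hop 192.0.2.1
 ip address 192.0.2.2 255.255.255.252
!
interface GigabitEthernet0/2
 description Backup uplink, next hop 198.51.100.1
 ip address 198.51.100.2 255.255.255.252
!
! Probe an address beyond the primary next hop (a provider DNS server, say)
! from the primary interface, so that a dead next hop and a broken provider
! path both count as failure.
ip sla 200
 icmp-echo 203.0.113.10 source-interface GigabitEthernet0/1
 timeout 1000
 frequency 10
 threshold 500
!
ip sla schedule 200 life forever start-time now
!
! Object 2 is up while 203.0.113.10 answers; the delay timers keep a
! single lost probe from withdrawing the route.
track 2 rtr 200 reachability
 delay up 5 down 15
!
! Local policy: pin the switch's own probe packets to the primary link.
! Without it, once the backup default route is installed the probes would
! follow it, succeed via the backup, bring object 2 back up, reinstall the
! primary route, fail again, and the routes would flap.
access-list 101 permit icmp host 192.0.2.2 host 203.0.113.10 echo
!
route-map PROBE-VIA-PRIMARY permit 10
 match ip address 101
 set ip next-hop 192.0.2.1
!
ip local policy route-map PROBE-VIA-PRIMARY
!
! The primary default route is installed only while object 2 is up. The
! backup carries administrative distance 250, so it is used only while the
! tracked route is withdrawn.
ip route 0.0.0.0 0.0.0.0 192.0.2.1 track 2
ip route 0.0.0.0 0.0.0.0 198.51.100.1 250
!
! Verify with:  show track 2   and   show ip route track table
```

The timers respect the IP SLAs ordering rules: the timeout (1000 ms) is no longer than the frequency (10 s), and the threshold (500 ms) is no larger than the timeout. The probe target should be something the primary provider must carry traffic to; probing only the directly connected next hop would miss a failure further along that path.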

Monitoring Enhanced Object Tracking


Use the privileged EXEC or user EXEC commands in the table below to display enhanced object tracking
information.

Table 44: Commands for Displaying Tracking Information

Command / Purpose

show ip route track table
  Displays information about the IP route track table.

show track [object-number]
  Displays information about all tracking lists or the specified list.

show track brief
  Displays VTP status and configuration for all interfaces or the specified interface.

show track interface [brief]
  Displays information about tracked interface objects.

show track ip [object-number] [brief] route
  Displays information about tracked IP-route objects.

show track resolution
  Displays the resolution of tracked parameters.

show track timer
  Displays tracked polling interval timers.

PART V
Network Management
• Configuring Cisco IOS Configuration Engine, on page 495
• Configuring the Cisco Discovery Protocol, on page 515
• Configuring Simple Network Management Protocol, on page 525
• Configuring SPAN and RSPAN, on page 549
• Configuring RMON, on page 591
• Configuring Embedded Event Manager, on page 599
• Configuring NetFlow Lite, on page 607
• Configuring Cache Services Using the Web Cache Communication Protocol, on page 631
CHAPTER 26
Configuring Cisco IOS Configuration Engine
• Finding Feature Information, on page 495
• Prerequisites for Configuring the Configuration Engine, on page 495
• Restrictions for Configuring the Configuration Engine, on page 496
• Information About Configuring the Configuration Engine, on page 496
• How to Configure the Configuration Engine, on page 502
• Monitoring CNS Configurations, on page 514

Finding Feature Information


Your software release may not support all the features documented in this module. For the latest caveats and
feature information, see Bug Search Tool and the release notes for your platform and software release. To
find information about the features documented in this module, and to see a list of the releases in which each
feature is supported, see the feature information table at the end of this module.
Use Cisco Feature Navigator to find information about platform support and Cisco software image support.
To access Cisco Feature Navigator, go to http://www.cisco.com/go/cfn. An account on Cisco.com is not
required.

Prerequisites for Configuring the Configuration Engine


• Obtain the name of the configuration engine instance to which you are connecting.
• Because the CNS uses both the event bus and the configuration server to provide configurations to
devices, you must define both ConfigID and Device ID for each configured switch.
• All switches configured with the cns config partial global configuration command must access the event
bus. The DeviceID, as originated on the switch, must match the DeviceID of the corresponding switch
definition in the Cisco Configuration Engine. You must know the hostname of the event bus to which
you are connecting.

Related Topics
Cisco Networking Services IDs and Device Hostnames, on page 498
DeviceID, on page 498


Restrictions for Configuring the Configuration Engine


• Within the scope of a single instance of the configuration server, no two configured switches can share
the same value for ConfigID.
• Within the scope of a single instance of the event bus, no two configured switches can share the same
value for DeviceID.

Related Topics
Cisco Networking Services IDs and Device Hostnames, on page 498

Information About Configuring the Configuration Engine


Cisco Configuration Engine Software
The Cisco Configuration Engine is network management utility software that acts as a configuration service
for automating the deployment and management of network devices and services. Each Cisco Configuration
Engine manages a group of Cisco devices (switches and routers) and the services that they deliver, storing
their configurations and delivering them as needed. The Cisco Configuration Engine automates initial
configurations and configuration updates by generating device-specific configuration changes, sending them
to the device, executing the configuration change, and logging the results.
The Cisco Configuration Engine supports standalone and server modes and has these Cisco Networking
Services (CNS) components:
• Configuration service:
  • Web server
  • File manager
  • Namespace mapping server
• Event service (event gateway)
• Data service directory (data models and schema)

In standalone mode, the Cisco Configuration Engine supports an embedded directory service. In this mode,
no external directory or other data store is required. In server mode, the Cisco Configuration Engine supports
the use of a user-defined external directory.


Figure 53: Cisco Configuration Engine Architectural Overview

Configuration Service
The Configuration Service is the core component of the Cisco Configuration Engine. It consists of a
Configuration Server that works with Cisco IOS CNS agents on the switch. The Configuration Service delivers
device and service configurations to the switch for initial configuration and mass reconfiguration by logical
groups. Switches receive their initial configuration from the Configuration Service when they start up on the
network for the first time.
The Configuration Service uses the CNS Event Service to send and receive configuration change events and
to send success and failure notifications.
The Configuration Server is a web server that uses configuration templates and the device-specific configuration
information stored in the embedded (standalone mode) or remote (server mode) directory.
Configuration templates are text files containing static configuration information in the form of CLI commands.
In the templates, variables are specified by using Lightweight Directory Access Protocol (LDAP) URLs that
reference the device-specific configuration information stored in a directory.
The Cisco IOS agent can perform a syntax check on received configuration files and publish events to show
the success or failure of the syntax check. The configuration agent can either apply configurations immediately
or delay the application until receipt of a synchronization event from the configuration server.

Event Service
The Cisco Configuration Engine uses the Event Service for receipt and generation of configuration events.
The Event Service consists of an event agent and an event gateway. The event agent is on the switch and
facilitates the communication between the switch and the event gateway on the Cisco Configuration Engine.
The Event Service is a highly capable publish-and-subscribe communication method. The Event Service uses
subject-based addressing to send messages to their destinations. Subject-based addressing conventions define
a simple, uniform namespace for messages and their destinations.


Related Topics
Enabling the CNS Event Agent, on page 502

NameSpace Mapper
The Cisco Configuration Engine includes the NameSpace Mapper (NSM) that provides a lookup service for
managing logical groups of devices based on application, device or group ID, and event.
Cisco IOS devices recognize only event subject-names that match those configured in Cisco IOS software;
for example, cisco.cns.config.load. You can use the namespace mapping service to designate events by using
any desired naming convention. When you have populated your data store with your subject names, NSM
changes your event subject-name strings to those known by Cisco IOS.
For a subscriber, when given a unique device ID and event, the namespace mapping service returns a set of
events to which to subscribe. Similarly, for a publisher, when given a unique group ID, device ID, and event,
the mapping service returns a set of events on which to publish.

Cisco Networking Services IDs and Device Hostnames


The Cisco Configuration Engine assumes that a unique identifier is associated with each configured switch.
This unique identifier can take on multiple synonyms, where each synonym is unique within a particular
namespace. The event service uses namespace content for subject-based addressing of messages.
The Cisco Configuration Engine intersects two namespaces, one for the event bus and the other for the
configuration server. Within the scope of the configuration server namespace, the term ConfigID is the unique
identifier for a device. Within the scope of the event bus namespace, the term DeviceID is the CNS unique
identifier for a device.
Related Topics
Prerequisites for Configuring the Configuration Engine, on page 495
Restrictions for Configuring the Configuration Engine, on page 496

ConfigID
Each configured switch has a unique ConfigID, which serves as the key into the Cisco Configuration Engine
directory for the corresponding set of switch CLI attributes. The ConfigID defined on the switch must match
the ConfigID for the corresponding switch definition on the Cisco Configuration Engine.
The ConfigID is fixed at startup time and cannot be changed until the device restarts, even if the switch
hostname is reconfigured.

DeviceID
Each configured switch participating on the event bus has a unique DeviceID, which is analogous to the switch
source address so that the switch can be targeted as a specific destination on the bus.
The origin of the DeviceID is defined by the Cisco IOS hostname of the switch. However, the DeviceID
variable and its usage reside within the event gateway adjacent to the switch.
The logical Cisco IOS termination point on the event bus is embedded in the event gateway, which in turn
functions as a proxy on behalf of the switch. The event gateway represents the switch and its corresponding
DeviceID to the event bus.


The switch declares its hostname to the event gateway immediately after the successful connection to the
event gateway. The event gateway couples the DeviceID value to the Cisco IOS hostname each time this
connection is established. The event gateway retains this DeviceID value for the duration of its connection to
the switch.
Related Topics
Prerequisites for Configuring the Configuration Engine, on page 495

Hostname and DeviceID


The DeviceID is fixed at the time of the connection to the event gateway and does not change even when the
switch hostname is reconfigured.
When changing the switch hostname on the switch, the only way to refresh the DeviceID is to break the
connection between the switch and the event gateway. For instructions on refreshing DeviceIDs, see "Related
Topics."
When the connection is reestablished, the switch sends its modified hostname to the event gateway. The event
gateway redefines the DeviceID to the new value.

Caution When using the Cisco Configuration Engine user interface, you must first set the DeviceID field to the hostname
value that the switch acquires after, not before, you reinitialize the configuration for your Cisco IOS CNS agent.
Otherwise, subsequent partial configuration command operations may malfunction.

Related Topics
Refreshing DeviceIDs, on page 510

Hostname, DeviceID, and ConfigID


In standalone mode, when a hostname value is set for a switch, the configuration server uses the hostname as
the DeviceID when an event is sent on hostname. If the hostname has not been set, the event is sent on the
cn=<value> of the device.
In server mode, the hostname is not used. In this mode, the unique DeviceID attribute is always used for
sending an event on the bus. If this attribute is not set, you cannot update the switch.
These and other associated attributes (tag value pairs) are set when you run Setup on the Cisco Configuration
Engine.

Cisco IOS CNS Agents


The CNS event agent feature allows the switch to publish and subscribe to events on the event bus and works
with the Cisco IOS CNS agent. These agents, embedded in the switch Cisco IOS software, allow the switch
to be connected and automatically configured.
Related Topics
Enabling the Cisco IOS CNS Agent, on page 503

Initial Configuration
When the switch first comes up, it attempts to get an IP address by broadcasting a Dynamic Host Configuration
Protocol (DHCP) request on the network. Assuming there is no DHCP server on the subnet, the distribution
switch acts as a DHCP relay agent and forwards the request to the DHCP server. Upon receiving the request,
the DHCP server assigns an IP address to the new switch and includes the Trivial File Transfer Protocol
(TFTP) server Internet Protocol (IP) address, the path to the bootstrap configuration file, and the default
gateway IP address in a unicast reply to the DHCP relay agent. The DHCP relay agent forwards the reply to
the switch.
The switch automatically configures the assigned IP address on interface VLAN 1 (the default) and downloads
the bootstrap configuration file from the TFTP server. Upon successful download of the bootstrap configuration
file, the switch loads the file in its running configuration.
The Cisco IOS CNS agents initiate communication with the Configuration Engine by using the appropriate
ConfigID and EventID. The Configuration Engine maps the Config ID to a template and downloads the full
configuration file to the switch.
The following figure shows a sample network configuration for retrieving the initial bootstrap configuration
file by using DHCP-based autoconfiguration.
Figure 54: Initial Configuration

Related Topics
Enabling an Initial Configuration for Cisco IOS CNS Agent, on page 505
Monitoring CNS Configurations, on page 514

Incremental (Partial) Configuration


After the network is running, new services can be added by using the Cisco IOS CNS agent. Incremental
(partial) configurations can be sent to the switch. The actual configuration can be sent as an event payload by
way of the event gateway (push operation) or as a signal event that triggers the switch to initiate a pull operation.
The switch can check the syntax of the configuration before applying it. If the syntax is correct, the switch
applies the incremental configuration and publishes an event that signals success to the configuration server.
If the switch does not apply the incremental configuration, it publishes an event showing an error status. When
the switch has applied the incremental configuration, it can write it to nonvolatile random-access memory
(NVRAM) or wait until signaled to do so.
Related Topics
Enabling a Partial Configuration for Cisco IOS CNS Agent, on page 512
Monitoring CNS Configurations, on page 514


Synchronized Configuration
When the switch receives a configuration, it can defer application of the configuration upon receipt of a
write-signal event. The write-signal event tells the switch not to save the updated configuration into its
NVRAM. The switch uses the updated configuration as its running configuration. This ensures that the switch
configuration is synchronized with other network activities before saving the configuration in NVRAM for
use at the next reboot.

Automated CNS Configuration


To enable automated CNS configuration of the switch, you must first complete the prerequisites listed in this
topic. When you complete them, power on the switch. At the setup prompt, do nothing; the switch begins the
initial configuration. When the full configuration file is loaded on your switch, you do not need to do anything
else.
For more information on what happens during initial configuration, see "Related Topics."

Table 45: Prerequisites for Enabling Automatic Configuration

Device / Required Configuration

Access switch
  Factory default (no configuration file)

Distribution switch
  • IP helper address
  • Enable DHCP relay agent (1)
  • IP routing (if used as default gateway)

DHCP server
  • IP address assignment
  • TFTP server IP address
  • Path to bootstrap configuration file on the TFTP server
  • Default gateway IP address

TFTP server
  • A bootstrap configuration file that includes the CNS configuration commands that enable the switch to communicate with the Configuration Engine
  • The switch configured to use either the switch MAC address or the serial number (instead of the default hostname) to generate the ConfigID and EventID
  • The CNS event agent configured to push the configuration file to the switch

CNS Configuration Engine
  One or more templates for each type of device, with the ConfigID of the device mapped to the template.

(1) A DHCP relay is needed only when the DHCP server is on a different subnet from the client.


How to Configure the Configuration Engine


Enabling the CNS Event Agent

Note You must enable the CNS event agent on the switch before you enable the CNS configuration agent.

Follow these steps to enable the CNS event agent on the switch.

SUMMARY STEPS
1. enable
2. configure terminal
3. cns event {hostname | ip-address} [port-number] [ [keepalive seconds retry-count] [failover-time
seconds ] [reconnect-time time] | backup]
4. end
5. show running-config
6. copy running-config startup-config

DETAILED STEPS

Command or Action Purpose


Step 1 enable Enables privileged EXEC mode. Enter your password if
prompted.
Example:

SwitchDevice> enable

Step 2 configure terminal Enters the global configuration mode.


Example:

SwitchDevice# configure terminal

Step 3 cns event {hostname | ip-address} [port-number] [[keepalive seconds retry-count] [failover-time seconds] [reconnect-time time] | backup]
Enables the event agent, and enters the gateway parameters.
Example:

SwitchDevice(config)# cns event 10.180.1.27 keepalive 120 10

• For {hostname | ip-address}, enter either the hostname or the IP address of the event gateway.
• (Optional) For port-number, enter the port number for the event gateway. The default port number is 11011.
• (Optional) For keepalive seconds, enter how often the switch sends keepalive messages. For retry-count, enter the number of unanswered keepalive messages that the switch sends before the connection is terminated. The default for each is 0.
• (Optional) For failover-time seconds, enter how long the switch waits for the primary gateway route after the route to the backup gateway is established.
• (Optional) For reconnect-time time, enter the maximum time interval that the switch waits before trying to reconnect to the event gateway.
• (Optional) Enter backup to show that this is the backup gateway. (If omitted, this is the primary gateway.)

Note Though visible in the command-line help string, the encrypt and the clock-timeout time keywords are not supported.

Step 4 end Returns to privileged EXEC mode.


Example:

SwitchDevice(config)# end

Step 5 show running-config Verifies your entries.


Example:

SwitchDevice# show running-config

Step 6 copy running-config startup-config (Optional) Saves your entries in the configuration file.
Example:

SwitchDevice# copy running-config startup-config

What to do next
To verify information about the event agent, use the show cns event connections command in privileged
EXEC mode.
To disable the CNS event agent, use the no cns event { ip-address | hostname } global configuration command.
Related Topics
Event Service, on page 497

Enabling the Cisco IOS CNS Agent


Follow these steps to enable the Cisco IOS CNS agent on the switch.


Before you begin


You must enable the CNS event agent on the switch before you enable this agent.

SUMMARY STEPS
1. enable
2. configure terminal
3. cns config initial {hostname | ip-address} [port-number]
4. cns config partial {hostname | ip-address} [port-number]
5. end
6. show running-config
7. copy running-config startup-config
8. Start the Cisco IOS CNS agent on the switch.

DETAILED STEPS

Command or Action Purpose


Step 1 enable Enables privileged EXEC mode. Enter your password if
prompted.
Example:

SwitchDevice> enable

Step 2 configure terminal Enters the global configuration mode.


Example:

SwitchDevice# configure terminal

Step 3 cns config initial {hostname | ip-address} [port-number]
Enables the Cisco IOS CNS agent, and enters the configuration server parameters.
Example:

SwitchDevice(config)# cns config initial 10.180.1.27 10

• For {hostname | ip-address}, enter either the hostname or the IP address of the configuration server.
• (Optional) For port-number, enter the port number for the configuration server.
This command enables the Cisco IOS CNS agent and initiates an initial configuration on the switch.

Step 4 cns config partial {hostname | ip-address} [port-number]
Enables the Cisco IOS CNS agent, and enters the configuration server parameters.
Example:

SwitchDevice(config)# cns config partial 10.180.1.27 10

• For {hostname | ip-address}, enter either the hostname or the IP address of the configuration server.
• (Optional) For port-number, enter the port number for the configuration server.
This command enables the Cisco IOS CNS agent and initiates a partial configuration on the switch.

Step 5 end Returns to privileged EXEC mode.


Example:

SwitchDevice(config)# end

Step 6 show running-config Verifies your entries.


Example:

SwitchDevice# show running-config

Step 7 copy running-config startup-config (Optional) Saves your entries in the configuration file.
Example:

SwitchDevice# copy running-config startup-config

Step 8 Start the Cisco IOS CNS agent on the switch.

What to do next
You can now use the Cisco Configuration Engine to remotely send incremental configurations to the switch.
Related Topics
Cisco IOS CNS Agents, on page 499

Enabling an Initial Configuration for Cisco IOS CNS Agent


Follow these steps to enable the CNS configuration agent and initiate an initial configuration on the switch.

SUMMARY STEPS
1. enable
2. configure terminal
3. cns template connect name
4. cli config-text
5. Repeat Steps 3 to 4 to configure another CNS connect template.
6. exit
7. cns connect name [retries number] [retry-interval seconds] [sleep seconds] [timeout seconds]
8. discover {controller controller-type | dlci [subinterface subinterface-number] | interface [interface-type]
| line line-type}
9. template name [... name]
10. Repeat Steps 8 to 9 to specify more interface parameters and CNS connect templates in the CNS connect
profile.


11. exit
12. hostname name
13. ip route network-number
14. cns id interface num {dns-reverse | ipaddress | mac-address} [event] [image]
15. cns id {hardware-serial | hostname | string string | udi} [event] [image]
16. cns config initial {hostname | ip-address} [port-number] [event] [no-persist] [page page] [source
ip-address] [syntax-check]
17. end
18. show running-config
19. copy running-config startup-config

DETAILED STEPS

Command or Action Purpose


Step 1 enable Enables privileged EXEC mode. Enter your password if
prompted.
Example:

SwitchDevice> enable

Step 2 configure terminal Enters the global configuration mode.


Example:

SwitchDevice# configure terminal

Step 3 cns template connect name
Enters CNS template connect configuration mode, and specifies the name of the CNS connect template.
Example:

SwitchDevice(config)# cns template connect template-dhcp

Step 4 cli config-text
Enters a command line for the CNS connect template. Repeat this step for each command line in the template.
Example:

SwitchDevice(config-tmpl-conn)# cli ip address dhcp

Step 5 Repeat Steps 3 to 4 to configure another CNS connect template.

Step 6 exit
Returns to global configuration mode.
Example:

SwitchDevice(config)# exit

Step 7 cns connect name [retries number] [retry-interval seconds] [sleep seconds] [timeout seconds]
Enters CNS connect configuration mode, specifies the name of the CNS connect profile, and defines the profile parameters. The switch uses the CNS connect profile to connect to the Configuration Engine.
Example:

SwitchDevice(config)# cns connect dhcp

• Enter the name of the CNS connect profile.
• (Optional) For retries number, enter the number of connection retries. The range is 1 to 30. The default is 3.
• (Optional) For retry-interval seconds, enter the interval between successive connection attempts to the Configuration Engine. The range is 1 to 40 seconds. The default is 10 seconds.
• (Optional) For sleep seconds, enter the amount of time before which the first connection attempt occurs. The range is 0 to 250 seconds. The default is 0.
• (Optional) For timeout seconds, enter the amount of time after which the connection attempts end. The range is 10 to 2000 seconds. The default is 120.

Step 8 discover {controller controller-type | dlci [subinterface subinterface-number] | interface [interface-type] | line line-type}
Specifies the interface parameters in the CNS connect profile.
Example:

SwitchDevice(config-cns-conn)# discover interface gigabitethernet

• For controller controller-type, enter the controller type.
• For dlci, enter the active data-link connection identifiers (DLCIs). (Optional) For subinterface subinterface-number, specify the point-to-point subinterface number that is used to search for active DLCIs.
• For interface [interface-type], enter the type of interface.
• For line line-type, enter the line type.

Step 9 template name [... name]
Specifies the list of CNS connect templates in the CNS connect profile to be applied to the switch configuration. You can specify more than one template.
Example:

SwitchDevice(config-cns-conn)# template template-dhcp

Step 10 Repeat Steps 8 to 9 to specify more interface parameters and CNS connect templates in the CNS connect profile.

Step 11 exit
Returns to global configuration mode.
Example:

SwitchDevice(config-cns-conn)# exit



Step 12 hostname name
Enters the hostname for the switch.
Example:

SwitchDevice(config)# hostname device1

Step 13 ip route network-number
(Optional) Establishes a static route to the Configuration Engine whose IP address is network-number.
Example:

RemoteSwitchDevice(config)# ip route 172.28.129.22 255.255.255.255 11.11.11.1

Step 14 cns id interface num {dns-reverse | ipaddress | mac-address} [event] [image]
(Optional) Sets the unique EventID or ConfigID used by the Configuration Engine. If you enter this command, do not enter the cns id {hardware-serial | hostname | string string | udi} [event] [image] command.
Example:

RemoteSwitchDevice(config)# cns id GigabitEthernet1/0/1 ipaddress

• For interface num, enter the type of interface. For example, ethernet, group-async, loopback, or virtual-template. This setting specifies from which interface the IP or MAC address should be retrieved to define the unique ID.
• For {dns-reverse | ipaddress | mac-address}, enter dns-reverse to retrieve the hostname and assign it as the unique ID, enter ipaddress to use the IP address, or enter mac-address to use the MAC address as the unique ID.
• (Optional) Enter event to set the ID to be the event-id value used to identify the switch.
• (Optional) Enter image to set the ID to be the image-id value used to identify the switch.

Note If both the event and image keywords are omitted, the image-id value is used to identify the switch.

Step 15 cns id {hardware-serial | hostname | string string | udi} [event] [image]
(Optional) Sets the unique EventID or ConfigID used by the Configuration Engine. If you enter this command, do not enter the cns id interface num {dns-reverse | ipaddress | mac-address} [event] [image] command.
Example:

RemoteSwitchDevice(config)# cns id hostname

• For {hardware-serial | hostname | string string | udi}, enter hardware-serial to set the switch serial number as the unique ID, enter hostname (the default) to select the switch hostname as the unique ID, enter an arbitrary text string for string string as the unique ID, or enter udi to set the unique device identifier (UDI) as the unique ID.



Step 16 cns config initial {hostname | ip-address} [port-number] [event] [no-persist] [page page] [source ip-address] [syntax-check]
Enables the Cisco IOS agent, and initiates an initial configuration.
Example:

RemoteSwitchDevice(config)# cns config initial 10.1.1.1 no-persist

• For {hostname | ip-address}, enter the hostname or the IP address of the configuration server.
• (Optional) For port-number, enter the port number of the configuration server. The default port number is 80.
• (Optional) Enable event for configuration success, failure, or warning messages when the configuration is finished.
• (Optional) Enable no-persist to suppress the automatic writing to NVRAM of the configuration pulled as a result of entering the cns config initial global configuration command. If the no-persist keyword is not entered, using the cns config initial command causes the resultant configuration to be automatically written to NVRAM.
• (Optional) For page page, enter the web page of the initial configuration. The default is /Config/config/asp.
• (Optional) Enter source ip-address to use for the source IP address.
• (Optional) Enable syntax-check to check the syntax when this parameter is entered.

Note Though visible in the command-line help string, the encrypt, status url, and inventory keywords are not supported.

Step 17 end Returns to privileged EXEC mode.


Example:

SwitchDevice(config)# end

Step 18 show running-config Verifies your entries.


Example:

SwitchDevice# show running-config

Step 19 copy running-config startup-config (Optional) Saves your entries in the configuration file.
Example:


SwitchDevice# copy running-config startup-config

What to do next
To verify information about the configuration agent, use the show cns config connections command in
privileged EXEC mode.
To disable the CNS Cisco IOS agent, use the no cns config initial { ip-address | hostname } global configuration
command.
Related Topics
Initial Configuration, on page 499
Monitoring CNS Configurations, on page 514

Refreshing DeviceIDs
Follow these steps to refresh a DeviceID when changing the hostname on the switch.

SUMMARY STEPS
1. enable
2. show cns config connections
3. Make sure that the CNS event agent is properly connected to the event gateway.
4. show cns event connections
5. Record from the output of Step 4 the information for the currently connected connection listed below.
You will be using the IP address and port number in subsequent steps of these instructions.
6. configure terminal
7. no cns event ip-address port-number
8. cns event ip-address port-number
9. end
10. Make sure that you have reestablished the connection between the switch and the event connection by
examining the output from show cns event connections.
11. show running-config
12. copy running-config startup-config

DETAILED STEPS

Command or Action Purpose


Step 1 enable Enables privileged EXEC mode. Enter your password if
prompted.
Example:

SwitchDevice> enable



Step 2 show cns config connections
Displays whether the CNS event agent is connecting to the gateway, connected, or active, and the gateway used by the event agent, its IP address and port number.
Example:

SwitchDevice# show cns config connections

Step 3 Make sure that the CNS event agent is properly connected to the event gateway.
Examine the output of show cns config connections for the following:
• Connection is active.
• Connection is using the currently configured switch hostname. The DeviceID will be refreshed to correspond to the new hostname configuration using these instructions.

Step 4 show cns event connections
Displays the event connection information for your switch.
Example:

SwitchDevice# show cns event connections

Step 5 Record from the output of Step 4 the information for the currently connected connection listed below. You will be using the IP address and port number in subsequent steps of these instructions.

Step 6 configure terminal
Enters global configuration mode.
Example:

SwitchDevice# configure terminal

Step 7 no cns event ip-address port-number
Specifies the IP address and port number that you recorded in Step 5 in this command. This command breaks the connection between the switch and the event gateway. It is necessary to first break, then reestablish, this connection to refresh the DeviceID.
Example:

SwitchDevice(config)# no cns event 172.28.129.22 2012

Step 8 cns event ip-address port-number
Specifies the IP address and port number that you recorded in Step 5 in this command. This command reestablishes the connection between the switch and the event gateway.
Example:

SwitchDevice(config)# cns event 172.28.129.22 2012

Step 9 end Returns to privileged EXEC mode.


Example:

SwitchDevice(config)# end



Step 10 Make sure that you have reestablished the connection
between the switch and the event connection by examining
the output from show cns event connections.
Step 11 show running-config Verifies your entries.
Example:

SwitchDevice# show running-config

Step 12 copy running-config startup-config (Optional) Saves your entries in the configuration file.
Example:

SwitchDevice# copy running-config startup-config

Related Topics
Hostname and DeviceID, on page 499
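The following Python script is an added example; it is not part of this guide and not Cisco code. It renders the CLI text for the event-agent step (cns event), for the initial-configuration procedure (cns template connect, cns connect, cns id, cns config initial) and for the DeviceID refresh sequence (no cns event followed by cns event), and it rejects values outside the ranges the guide documents before they reach a switch. The class, function and parameter names (EventGateway, ConnectProfile, render_initial_config, and so on), the TCP port range check and the choice of hardware-serial as the default cns id are this example's own assumptions; the sample addresses are the ones used in the procedures above.

```python
"""Render the CNS bootstrap configuration that the procedures above walk through.

Added example; not code from the Cisco guide. It emits IOS CLI text for
'Enabling the CNS Event Agent', 'Enabling an Initial Configuration for Cisco IOS
CNS Agent' and 'Refreshing DeviceIDs', and refuses values outside the ranges the
guide documents. All class, function and parameter names are this example's own.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional


def _check_range(name: str, value: int, low: int, high: int) -> None:
    # Refuse out-of-range values here rather than letting the switch CLI reject them later.
    if not low <= value <= high:
        raise ValueError(f"{name} must be in {low}..{high}, got {value}")


@dataclass
class EventGateway:
    host: str                          # hostname or IP address of the event gateway
    port: Optional[int] = None         # guide: default port is 11011 when omitted
    keepalive: Optional[int] = None    # seconds between keepalive messages
    retry_count: Optional[int] = None  # unanswered keepalives before the connection is dropped
    backup: bool = False               # 'backup' marks a secondary gateway


def render_cns_event(gw: EventGateway) -> str:
    """cns event <host> [port] [keepalive <seconds> <retry-count>] [backup]."""
    parts = ["cns event", gw.host]
    if gw.port is not None:
        _check_range("port", gw.port, 1, 65535)  # assumption: ordinary TCP port range
        parts.append(str(gw.port))
    if (gw.keepalive is None) != (gw.retry_count is None):
        raise ValueError("keepalive seconds and retry-count must be given together")
    if gw.keepalive is not None:
        parts += ["keepalive", str(gw.keepalive), str(gw.retry_count)]
    if gw.backup:
        parts.append("backup")
    return " ".join(parts)


def render_deviceid_refresh(ip_address: str, port: int) -> List[str]:
    """Steps 7 and 8 of 'Refreshing DeviceIDs': break, then re-create, the gateway connection."""
    return [f"no cns event {ip_address} {port}", f"cns event {ip_address} {port}"]


@dataclass
class ConnectProfile:
    name: str
    templates: List[str]               # names created with 'cns template connect'
    interface_type: str = "gigabitethernet"
    retries: int = 3                   # guide: range 1..30, default 3
    retry_interval: int = 10           # guide: range 1..40 seconds, default 10
    sleep: int = 0                     # guide: range 0..250 seconds, default 0
    timeout: int = 120                 # guide: range 10..2000 seconds, default 120


def render_connect_profile(p: ConnectProfile) -> List[str]:
    """cns connect / discover interface / template lines (Steps 7 to 11)."""
    _check_range("retries", p.retries, 1, 30)
    _check_range("retry-interval", p.retry_interval, 1, 40)
    _check_range("sleep", p.sleep, 0, 250)
    _check_range("timeout", p.timeout, 10, 2000)
    lines = [f"cns connect {p.name} retries {p.retries} retry-interval {p.retry_interval} "
             f"sleep {p.sleep} timeout {p.timeout}",
             f" discover interface {p.interface_type}"]
    lines += [f" template {t}" for t in p.templates]
    lines.append(" exit")
    return lines


def profile_is_valid(p: ConnectProfile) -> bool:
    try:
        render_connect_profile(p)
        return True
    except ValueError:
        return False


def render_initial_config(hostname: str, gateway: EventGateway, profile: ConnectProfile,
                          config_server: str, template_cli: Dict[str, List[str]],
                          device_id: str = "hardware-serial", persist: bool = True) -> List[str]:
    """Whole bootstrap block; the event agent line comes before 'cns config initial'
    because the guide requires the event agent to be enabled first."""
    if device_id not in ("hardware-serial", "hostname", "udi"):
        raise ValueError("device_id must be hardware-serial, hostname or udi")
    missing = [t for t in profile.templates if t not in template_cli]
    if missing:
        raise ValueError(f"connect profile references undefined templates: {missing}")
    lines: List[str] = []
    for name, cli in template_cli.items():
        lines.append(f"cns template connect {name}")
        lines += [f" cli {c}" for c in cli]
        lines.append(" exit")
    lines += render_connect_profile(profile)
    lines.append(f"hostname {hostname}")
    lines.append(render_cns_event(gateway))
    # Table 45 prefers the serial number or MAC address over the default hostname,
    # so the ConfigID does not change when the hostname does.
    lines.append(f"cns id {device_id}")
    lines.append(f"cns config initial {config_server}" + ("" if persist else " no-persist"))
    return lines
```

Rendering the block offline lets the ranges and the template references be checked in a review step before the text is placed on the TFTP server listed in Table 45, so a typo in a timeout does not surface only as a rejected command on a switch that is still at factory default.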

Enabling a Partial Configuration for Cisco IOS CNS Agent


Follow these steps to enable the Cisco IOS CNS agent and to initiate a partial configuration on the switch.

SUMMARY STEPS
1. enable
2. configure terminal
3. cns config partial {ip-address | hostname} [port-number] [source ip-address]
4. end
5. show running-config
6. copy running-config startup-config

DETAILED STEPS

Command or Action Purpose


Step 1 enable Enables privileged EXEC mode. Enter your password if
prompted.
Example:

SwitchDevice> enable

Step 2 configure terminal Enters the global configuration mode.


Example:

SwitchDevice# configure terminal



Step 3 cns config partial {ip-address | hostname} [port-number] [source ip-address]
Enables the configuration agent, and initiates a partial configuration.
Example:

SwitchDevice(config)# cns config partial 172.28.129.22 2013

• For {ip-address | hostname}, enter the IP address or the hostname of the configuration server.
• (Optional) For port-number, enter the port number of the configuration server. The default port number is 80.
• (Optional) Enter source ip-address to use for the source IP address.

Note Though visible in the command-line help string, the encrypt keyword is not supported.

Step 4 end Returns to privileged EXEC mode.


Example:

SwitchDevice(config)# end

Step 5 show running-config Verifies your entries.


Example:

SwitchDevice# show running-config

Step 6 copy running-config startup-config (Optional) Saves your entries in the configuration file.
Example:

SwitchDevice# copy running-config startup-config

What to do next
To verify information about the configuration agent, use either the show cns config stats or the show cns
config outstanding command in privileged EXEC mode.
To disable the Cisco IOS agent, use the no cns config partial { ip-address | hostname } global configuration
command. To cancel a partial configuration, use the cns config cancel global configuration command.
Related Topics
Incremental (Partial) Configuration, on page 500
Monitoring CNS Configurations, on page 514


Monitoring CNS Configurations


Table 46: CNS show Commands

Command Purpose

show cns config connections Displays the status of the CNS Cisco IOS CNS agent
connections.
SwitchDevice# show cns config connections

show cns config outstanding Displays information about incremental (partial) CNS
configurations that have started but are not yet completed.
SwitchDevice# show cns config outstanding

show cns config stats Displays statistics about the Cisco IOS CNS agent.

SwitchDevice# show cns config stats

show cns event connections Displays the status of the CNS event agent connections.

SwitchDevice# show cns event connections

show cns event gateway Displays the event gateway information for your switch.

SwitchDevice# show cns event gateway

show cns event stats Displays statistics about the CNS event agent.

SwitchDevice# show cns event stats

show cns event subject Displays a list of event agent subjects that are subscribed
to by applications.
SwitchDevice# show cns event subject

Related Topics
Enabling a Partial Configuration for Cisco IOS CNS Agent, on page 512
Incremental (Partial) Configuration, on page 500
Enabling an Initial Configuration for Cisco IOS CNS Agent, on page 505
Initial Configuration, on page 499

CHAPTER 27
Configuring the Cisco Discovery Protocol
• Finding Feature Information, on page 515
• Information About CDP, on page 515
• How to Configure CDP, on page 516
• Monitoring and Maintaining CDP, on page 524

Finding Feature Information


Your software release may not support all the features documented in this module. For the latest caveats and
feature information, see Bug Search Tool and the release notes for your platform and software release. To
find information about the features documented in this module, and to see a list of the releases in which each
feature is supported, see the feature information table at the end of this module.
Use Cisco Feature Navigator to find information about platform support and Cisco software image support.
To access Cisco Feature Navigator, go to http://www.cisco.com/go/cfn. An account on Cisco.com is not
required.

Information About CDP


CDP Overview
CDP is a device discovery protocol that runs over Layer 2 (the data-link layer) on all Cisco-manufactured
devices (routers, bridges, access servers, controllers, and switches) and allows network management applications
to discover Cisco devices that are neighbors of already known devices. With CDP, network management
applications can learn the device type and the Simple Network Management Protocol (SNMP) agent address
of neighboring devices running lower-layer, transparent protocols. This feature enables applications to send
SNMP queries to neighboring devices.
CDP runs on all media that support Subnetwork Access Protocol (SNAP). Because CDP runs over the data-link
layer only, two systems that support different network-layer protocols can learn about each other.
Each CDP-configured device sends periodic messages to a multicast address, advertising at least one address
at which it can receive SNMP messages. The advertisements also contain time-to-live, or holdtime information,
which is the length of time a receiving device holds CDP information before discarding it. Each device also
listens to the messages sent by other devices to learn about neighboring devices.


On the switch, CDP enables Network Assistant to display a graphical view of the network. The switch uses
CDP to find cluster candidates and maintain information about cluster members and other devices up to three
cluster-enabled devices away from the command switch by default.
Related Topics
Configuring CDP Characteristics, on page 516
Monitoring and Maintaining CDP, on page 524

Default CDP Configuration


This table shows the default CDP configuration.

Feature Default Setting


CDP global state Enabled
CDP interface state Enabled
CDP timer (packet update frequency) 60 seconds
CDP holdtime (before discarding) 180 seconds
CDP Version-2 advertisements Enabled

Related Topics
Enabling CDP, on page 519
Disabling CDP, on page 518
Enabling CDP on an Interface, on page 522
Disabling CDP on an Interface, on page 521

How to Configure CDP


Configuring CDP Characteristics
You can configure these CDP characteristics:
• Frequency of CDP updates
• Amount of time to hold the information before discarding it
• Whether or not to send Version-2 advertisements

Note Steps 3 through 5 are all optional and can be performed in any order.

Follow these steps to configure the CDP characteristics.

SUMMARY STEPS
1. enable


2. configure terminal
3. cdp timer seconds
4. cdp holdtime seconds
5. cdp advertise-v2
6. end
7. show running-config
8. copy running-config startup-config

DETAILED STEPS

Command or Action Purpose


Step 1 enable Enables privileged EXEC mode. Enter your password if
prompted.
Example:

SwitchDevice> enable

Step 2 configure terminal Enters the global configuration mode.


Example:

SwitchDevice# configure terminal

Step 3 cdp timer seconds
(Optional) Sets the transmission frequency of CDP updates in seconds. The range is 5 to 254; the default is 60 seconds.
Example:

SwitchDevice(config)# cdp timer 20

Step 4 cdp holdtime seconds
(Optional) Specifies the amount of time a receiving device should hold the information sent by your device before discarding it. The range is 10 to 255 seconds; the default is 180 seconds.
Example:

SwitchDevice(config)# cdp holdtime 60

Step 5 cdp advertise-v2
(Optional) Configures CDP to send Version-2 advertisements. This is the default state.
Example:

SwitchDevice(config)# cdp advertise-v2

Step 6 end Returns to privileged EXEC mode.


Example:

SwitchDevice(config)# end

Step 7 show running-config Verifies your entries.


Example:

SwitchDevice# show running-config



Step 8 copy running-config startup-config (Optional) Saves your entries in the configuration file.
Example:

SwitchDevice# copy running-config startup-config

What to do next
Use the no form of the CDP commands to return to the default settings.
Related Topics
CDP Overview, on page 515
Monitoring and Maintaining CDP, on page 524

Disabling CDP
CDP is enabled by default.

Note Switch clusters and other Cisco devices (such as Cisco IP Phones) regularly exchange CDP messages. Disabling
CDP can interrupt cluster discovery and device connectivity.

Follow these steps to disable the CDP device discovery capability.

SUMMARY STEPS
1. enable
2. configure terminal
3. no cdp run
4. end
5. show running-config
6. copy running-config startup-config

DETAILED STEPS

Command or Action Purpose


Step 1 enable Enables privileged EXEC mode. Enter your password if
prompted.
Example:

SwitchDevice> enable

Step 2 configure terminal Enters the global configuration mode.


Example:


SwitchDevice# configure terminal

Step 3 no cdp run Disables CDP.


Example:
SwitchDevice(config)# no cdp run

Step 4 end Returns to privileged EXEC mode.


Example:

SwitchDevice(config)# end

Step 5 show running-config Verifies your entries.


Example:

SwitchDevice# show running-config

Step 6 copy running-config startup-config (Optional) Saves your entries in the configuration file.
Example:

SwitchDevice# copy running-config startup-config

What to do next
You must reenable CDP to use it.
Related Topics
Enabling CDP, on page 519
Default CDP Configuration, on page 516

Enabling CDP
CDP is enabled by default.

Note Switch clusters and other Cisco devices (such as Cisco IP Phones) regularly exchange CDP messages. Disabling
CDP can interrupt cluster discovery and device connectivity.

Follow these steps to enable CDP when it has been disabled.

Before you begin


CDP must be disabled, or it cannot be enabled.


SUMMARY STEPS
1. enable
2. configure terminal
3. cdp run
4. end
5. show running-config
6. copy running-config startup-config

DETAILED STEPS

Command or Action Purpose


Step 1 enable Enables privileged EXEC mode. Enter your password if
prompted.
Example:

SwitchDevice> enable

Step 2 configure terminal Enters the global configuration mode.


Example:

SwitchDevice# configure terminal

Step 3 cdp run Enables CDP if it has been disabled.


Example:
SwitchDevice(config)# cdp run

Step 4 end Returns to privileged EXEC mode.


Example:

SwitchDevice(config)# end

Step 5 show running-config Verifies your entries.


Example:

SwitchDevice# show running-config

Step 6 copy running-config startup-config (Optional) Saves your entries in the configuration file.
Example:

SwitchDevice# copy running-config startup-config


What to do next
Use the show run all command to show that CDP has been enabled. If you enter only show run, the enabling
of CDP may not be displayed.
Related Topics
Default CDP Configuration, on page 516
Disabling CDP, on page 518

Disabling CDP on an Interface


CDP is enabled by default on all supported interfaces to send and to receive CDP information.

Note Switch clusters and other Cisco devices (such as Cisco IP Phones) regularly exchange CDP messages. Disabling
CDP can interrupt cluster discovery and device connectivity.

Follow these steps to disable CDP on a port.

SUMMARY STEPS
1. enable
2. configure terminal
3. interface interface-id
4. no cdp enable
5. end
6. show running-config
7. copy running-config startup-config

DETAILED STEPS

Command or Action Purpose


Step 1 enable Enables privileged EXEC mode. Enter your password if
prompted.
Example:

SwitchDevice> enable

Step 2 configure terminal Enters the global configuration mode.


Example:

SwitchDevice# configure terminal

Step 3 interface interface-id Specifies the interface on which you are disabling CDP,
and enters interface configuration mode.
Example:
SwitchDevice(config)# interface
gigabitethernet1/0/1



Step 4 no cdp enable Disables CDP on the interface specified in Step 3.
Example:
SwitchDevice(config-if)# no cdp enable

Step 5 end Returns to privileged EXEC mode.


Example:

SwitchDevice(config)# end

Step 6 show running-config Verifies your entries.


Example:

SwitchDevice# show running-config

Step 7 copy running-config startup-config (Optional) Saves your entries in the configuration file.
Example:

SwitchDevice# copy running-config startup-config

Related Topics
Enabling CDP on an Interface, on page 522
Default CDP Configuration, on page 516
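The following Python script is an added example, not part of this guide and not Cisco code. It covers the two CDP procedures above: it renders the global settings from "Configuring CDP Characteristics" (cdp timer, cdp holdtime, cdp advertise-v2) and the per-port lines from "Disabling CDP on an Interface" (no cdp enable), checking each value against the ranges the guide states. The function names, the rule that holdtime should exceed the timer, and the idea of passing an explicit list of ports to disable are this example's own assumptions; the guide itself only gives the ranges and defaults.

```python
"""Render and sanity-check CDP settings for a Catalyst switch.

Added example; not code from the Cisco guide. Ranges and defaults come from the
'Configuring CDP Characteristics' steps; the timer-versus-holdtime check and the
port-list handling are assumptions made for this example.
"""
from typing import Iterable, List

# Defaults from the 'Default CDP Configuration' table.
CDP_DEFAULTS = {"timer": 60, "holdtime": 180, "advertise_v2": True}


def validate_cdp(timer: int, holdtime: int) -> List[str]:
    """Return a list of problems; an empty list means the pair is acceptable."""
    problems = []
    if not 5 <= timer <= 254:
        problems.append(f"cdp timer {timer} outside 5..254")
    if not 10 <= holdtime <= 255:
        problems.append(f"cdp holdtime {holdtime} outside 10..255")
    # Assumption (not stated by the guide): a holdtime no longer than the update
    # interval lets a neighbour entry expire before the next advertisement
    # arrives, so the neighbour flaps in and out of the CDP table.
    if holdtime <= timer:
        problems.append(f"holdtime {holdtime} should exceed timer {timer}")
    return problems


def render_cdp_global(timer: int = 60, holdtime: int = 180, advertise_v2: bool = True) -> List[str]:
    """Global CDP lines; values equal to the default are left out so the change set stays small."""
    problems = validate_cdp(timer, holdtime)
    if problems:
        raise ValueError("; ".join(problems))
    lines = []
    if timer != CDP_DEFAULTS["timer"]:
        lines.append(f"cdp timer {timer}")
    if holdtime != CDP_DEFAULTS["holdtime"]:
        lines.append(f"cdp holdtime {holdtime}")
    lines.append("cdp advertise-v2" if advertise_v2 else "no cdp advertise-v2")
    return lines


def render_cdp_interfaces(interfaces: Iterable[str], disable_on: Iterable[str]) -> List[str]:
    """Per-port 'no cdp enable' for the ports in disable_on.

    Ports that still carry Cisco IP Phones or cluster members need CDP (see the
    Note in the guide), so the caller chooses which ports go in disable_on; a
    port name that is not in the interface list is rejected as a likely typo."""
    known = set(interfaces)
    disable = list(disable_on)
    unknown = sorted(set(disable) - known)
    if unknown:
        raise ValueError(f"not in interface list: {unknown}")
    lines = []
    for ifname in disable:
        lines += [f"interface {ifname}", " no cdp enable", " exit"]
    return lines


def seconds_until_neighbor_expires(holdtime: int, seconds_since_last_update: int) -> int:
    """From the CDP overview: a receiver keeps an entry for holdtime seconds after the last advertisement."""
    return max(0, holdtime - seconds_since_last_update)
```

The timer and holdtime in the guide's own example (20 and 60 seconds) pass the check; a pair such as 60 and 60 is flagged, which is the kind of setting that is easy to type in by hand and hard to spot afterwards in a long running-config.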

Enabling CDP on an Interface


CDP is enabled by default on all supported interfaces to send and to receive CDP information.

Note Switch clusters and other Cisco devices (such as Cisco IP Phones) regularly exchange CDP messages. Disabling
CDP can interrupt cluster discovery and device connectivity.

Follow these steps to enable CDP on a port on which it has been disabled.

Before you begin


This procedure applies to a port on which CDP has been disabled with the no cdp enable command. On a port where CDP is already enabled (the default), the cdp enable command has no effect.

SUMMARY STEPS
1. enable
2. configure terminal
3. interface interface-id
4. cdp enable


5. end
6. show running-config
7. copy running-config startup-config

DETAILED STEPS

Command or Action Purpose


Step 1 enable Enables privileged EXEC mode. Enter your password if
prompted.
Example:

SwitchDevice> enable

Step 2 configure terminal Enters the global configuration mode.


Example:

SwitchDevice# configure terminal

Step 3 interface interface-id Specifies the interface on which you are enabling CDP, and
enters interface configuration mode.
Example:
SwitchDevice(config)# interface
gigabitethernet1/0/1

Step 4 cdp enable Enables CDP on a disabled interface.


Example:
SwitchDevice(config-if)# cdp enable

Step 5 end Returns to privileged EXEC mode.


Example:

SwitchDevice(config-if)# end

Step 6 show running-config Verifies your entries.


Example:

SwitchDevice# show running-config

Step 7 copy running-config startup-config (Optional) Saves your entries in the configuration file.
Example:

SwitchDevice# copy running-config startup-config

Related Topics
Default CDP Configuration, on page 516


Disabling CDP on an Interface, on page 521

Monitoring and Maintaining CDP


Table 47: Commands for Displaying CDP Information

Command                                          Description

clear cdp counters                               Resets the traffic counters to zero.

clear cdp table                                  Deletes the CDP table of information about neighbors.

show cdp                                         Displays global information, such as frequency of transmissions
                                                 and the holdtime for packets being sent.

show cdp entry entry-name [version] [protocol]   Displays information about a specific neighbor. You can enter an
                                                 asterisk (*) to display all CDP neighbors, or you can enter the
                                                 name of the neighbor about which you want information. You can
                                                 also limit the display to information about the protocols enabled
                                                 on the specified neighbor or information about the version of
                                                 software running on the device.

show cdp interface [interface-id]                Displays information about interfaces where CDP is enabled. You
                                                 can limit the display to the interface about which you want
                                                 information.

show cdp neighbors [interface-id] [detail]       Displays information about neighbors, including device type,
                                                 interface type and number, holdtime settings, capabilities,
                                                 platform, and port ID. You can limit the display to neighbors of
                                                 a specific interface or expand the display to provide more
                                                 detailed information.

show cdp traffic                                 Displays CDP counters, including the number of packets sent and
                                                 received and checksum errors.
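The two CDP procedures above and the verification commands in Table 47, applied together across a set of ports, as an added example that is not part of the original guide. It assumes a 12-port switch with PCs on ports 1 to 8, Cisco IP phones on ports 9 and 10, and uplinks on ports 11 and 12; those port roles and numbers are assumptions, not a layout the guide describes.

```cisco
! Added example (not from the original guide). Port roles are assumed:
! Gi1/0/1-8 = user PCs, Gi1/0/9-10 = Cisco IP phones, Gi1/0/11-12 = uplinks.
SwitchDevice> enable
SwitchDevice# configure terminal
!
! User-facing ports: CDP is not needed there, and every CDP advertisement
! hands the connected host the switch model, IOS version and management
! address. interface range lets one command cover all eight ports.
SwitchDevice(config)# interface range gigabitethernet1/0/1 - 8
SwitchDevice(config-if-range)# no cdp enable
SwitchDevice(config-if-range)# exit
!
! Phone ports: voice-VLAN assignment and power negotiation for Cisco IP
! phones rely on CDP (see the Note at the top of the procedure), so CDP
! is explicitly re-enabled here in case it was turned off earlier.
SwitchDevice(config)# interface range gigabitethernet1/0/9 - 10
SwitchDevice(config-if-range)# cdp enable
SwitchDevice(config-if-range)# exit
!
! Uplinks keep the default (CDP enabled); nothing to configure.
SwitchDevice(config)# end
!
! Verify before saving: show cdp interface lists only ports with CDP still
! enabled, so Gi1/0/1-8 must be absent; the neighbor table should then
! contain only the phones and the upstream switch.
SwitchDevice# show cdp interface
SwitchDevice# show cdp neighbors detail
SwitchDevice# copy running-config startup-config
```

If show cdp neighbors still lists a device on one of the user ports after this change, the port was not in the range that was disabled; check show cdp interface for that port rather than assuming the neighbor entry is stale, because clear cdp table removes entries only until the next advertisement arrives.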

Related Topics
Configuring CDP Characteristics, on page 516
CDP Overview, on page 515

CHAPTER 28
Configuring Simple Network Management
Protocol
• Finding Feature Information, on page 525
• Prerequisites for SNMP, on page 525
• Restrictions for SNMP, on page 527
• Information About SNMP, on page 528
• How to Configure SNMP, on page 532
• Monitoring SNMP Status, on page 546
• SNMP Examples, on page 547

Finding Feature Information


Your software release may not support all the features documented in this module. For the latest caveats and
feature information, see Bug Search Tool and the release notes for your platform and software release. To
find information about the features documented in this module, and to see a list of the releases in which each
feature is supported, see the feature information table at the end of this module.
Use Cisco Feature Navigator to find information about platform support and Cisco software image support.
To access Cisco Feature Navigator, go to http://www.cisco.com/go/cfn. An account on Cisco.com is not
required.

Prerequisites for SNMP


Supported SNMP Versions
This software release supports the following SNMP versions:
• SNMPv1—The Simple Network Management Protocol, a Full Internet Standard, defined in RFC 1157.
• SNMPv2C—Replaces the party-based administrative and security framework of SNMPv2Classic with the
community-string-based administrative framework of SNMPv2C while retaining the bulk retrieval and
improved error handling of SNMPv2Classic. It combines:
  • SNMPv2—Version 2 of the Simple Network Management Protocol, a Draft Internet Standard, defined
  in RFCs 1902 through 1907.
  • SNMPv2C—The community-string-based Administrative Framework for SNMPv2, an Experimental
  Internet Protocol defined in RFC 1901.
• SNMPv3—Version 3 of the SNMP is an interoperable standards-based protocol defined in RFCs 2273
to 2275. SNMPv3 provides secure access to devices by authenticating and encrypting packets over the
network and includes these security features:
  • Message integrity—Ensures that a packet was not tampered with in transit.
  • Authentication—Determines that the message is from a valid source.
  • Encryption—Scrambles the contents of a packet to prevent it from being read by an unauthorized
  source.

Note To select encryption, enter the priv keyword.

Both SNMPv1 and SNMPv2C use a community-based form of security. The community of managers able to
access the agent’s MIB is defined by an IP address access control list and password.
SNMPv2C includes a bulk retrieval function and more detailed error message reporting to management
stations. The bulk retrieval function retrieves tables and large quantities of information, minimizing the number
of round-trips required. The SNMPv2C improved error-handling includes expanded error codes that distinguish
different kinds of error conditions; these conditions are reported through a single error code in SNMPv1. Error
return codes in SNMPv2C report the error type.
SNMPv3 provides for both security models and security levels. A security model is an authentication strategy
set up for a user and the group within which the user resides. A security level is the permitted level of security
within a security model. A combination of the security level and the security model determine which security
method is used when handling an SNMP packet. Available security models are SNMPv1, SNMPv2C, and
SNMPv3.
The following table identifies characteristics and compares different combinations of security models and
levels:

Table 48: SNMP Security Models and Levels

Model / Level / Authentication / Encryption / Result

SNMPv1, noAuthNoPriv
    Authentication: community string. Encryption: no.
    Uses a community string match for authentication.

SNMPv2C, noAuthNoPriv
    Authentication: community string. Encryption: no.
    Uses a community string match for authentication.

SNMPv3, noAuthNoPriv
    Authentication: username. Encryption: no.
    Uses a username match for authentication.

SNMPv3, authNoPriv
    Authentication: Message Digest 5 (MD5) or Secure Hash Algorithm (SHA). Encryption: no.
    Provides authentication based on the HMAC-MD5 or HMAC-SHA algorithms.

SNMPv3, authPriv
    Authentication: MD5 or SHA. Encryption: Data Encryption Standard (DES) or Advanced Encryption
    Standard (AES).
    Provides authentication based on the HMAC-MD5 or HMAC-SHA algorithms, and allows specifying the
    User-based Security Model (USM) with one of these encryption algorithms:
    • DES 56-bit encryption, in addition to authentication, based on the CBC-DES (DES-56) standard
    • 3DES 168-bit encryption
    • AES 128-bit, 192-bit, or 256-bit encryption

You must configure the SNMP agent to use the SNMP version supported by the management station. Because
an agent can communicate with multiple managers, you can configure the software to support communications
using SNMPv1, SNMPv2C, or SNMPv3.

Restrictions for SNMP


Version Restrictions
• SNMPv1 does not support informs.


Information About SNMP


SNMP Overview
SNMP is an application-layer protocol that provides a message format for communication between managers
and agents. The SNMP system consists of an SNMP manager, an SNMP agent, and a management information
base (MIB). The SNMP manager can be part of a network management system (NMS) such as Cisco Prime
Infrastructure. The agent and MIB reside on the switch. To configure SNMP on the switch, you define the
relationship between the manager and the agent.
The SNMP agent contains MIB variables whose values the SNMP manager can request or change. A manager
can get a value from an agent or store a value into the agent. The agent gathers data from the MIB, the repository
for information about device parameters and network data. The agent can also respond to a manager's requests
to get or set data.
An agent can send unsolicited traps to the manager. Traps are messages alerting the SNMP manager to a
condition on the network. Traps can mean improper user authentication, restarts, link status (up or down),
MAC address tracking, closing of a TCP connection, loss of connection to a neighbor, or other significant
events.

SNMP Manager Functions


The SNMP manager uses information in the MIB to perform the operations described in the following table:

Table 49: SNMP Operations

Operation             Description
get-request           Retrieves a value from a specific variable.
get-next-request      Retrieves a value from a variable within a table. (2)
get-bulk-request (3)  Retrieves large blocks of data, such as multiple rows in a table, that would otherwise
                      require the transmission of many small blocks of data.
get-response          Replies to a get-request, get-next-request, or set-request sent by an NMS.
set-request           Stores a value in a specific variable.
trap                  An unsolicited message sent by an SNMP agent to an SNMP manager when some event has
                      occurred.

(2) With this operation, an SNMP manager does not need to know the exact variable name. A sequential
search is performed to find the needed variable from within a table.
(3) The get-bulk operation works only with SNMPv2 or later.

SNMP Agent Functions


The SNMP agent responds to SNMP manager requests as follows:
• Get a MIB variable—The SNMP agent begins this function in response to a request from the NMS. The
agent retrieves the value of the requested MIB variable and responds to the NMS with that value.


• Set a MIB variable—The SNMP agent begins this function in response to a message from the NMS. The
SNMP agent changes the value of the MIB variable to the value requested by the NMS.

The SNMP agent also sends unsolicited trap messages to notify an NMS that a significant event has occurred
on the agent. Examples of trap conditions include, but are not limited to, when a port or module goes up or
down, when spanning-tree topology changes occur, and when authentication failures occur.
Related Topics
Disabling the SNMP Agent, on page 532
Monitoring SNMP Status, on page 546
Setting the Agent Contact and Location Information, on page 544

SNMP Community Strings


SNMP community strings authenticate access to MIB objects and function as embedded passwords. In order
for the NMS to access the switch, the community string definitions on the NMS must match at least one of
the three community string definitions on the switch.
A community string can have one of the following attributes:
• Read-only (RO)—Gives authorized management stations read access to all objects in the MIB except the
community strings, but does not allow write access.
• Read-write (RW)—Gives authorized management stations read and write access to all objects in the MIB,
but does not allow access to the community strings.
When a cluster is created, the command switch manages the exchange of messages among member switches
and the SNMP application. The Network Assistant software appends the member switch number (@esN, where
N is the switch number) to the first configured RW and RO community strings on the command switch and
propagates them to the member switches.

Related Topics
Configuring Community Strings, on page 533

SNMP MIB Variables Access


An example of an NMS is the Cisco Prime Infrastructure network management software. Cisco Prime
Infrastructure 2.0 software uses the switch MIB variables to set device variables and to poll devices on the
network for specific information. The results of a poll can be displayed as a graph and analyzed to troubleshoot
internetworking problems, increase network performance, verify the configuration of devices, monitor traffic
loads, and more.
As shown in Figure 55, the SNMP agent gathers data from the MIB. The agent can send traps, or notification
of certain events, to the SNMP manager, which receives and processes the traps. Traps alert the SNMP manager
to a condition on the network such as improper user authentication, restarts, link status (up or down), MAC
address tracking, and so forth. The SNMP agent also responds to MIB-related queries sent by the SNMP
manager in get-request, get-next-request, and set-request format.


Figure 55: SNMP Network

SNMP Notifications
SNMP allows the switch to send notifications to SNMP managers when particular events occur. SNMP
notifications can be sent as traps or inform requests. In command syntax, unless there is an option in the
command to select either traps or informs, the keyword traps refers to either traps or informs, or both. Use
the snmp-server host command to specify whether to send SNMP notifications as traps or informs.

Note SNMPv1 does not support informs.

Traps are unreliable because the receiver does not send an acknowledgment when it receives a trap, and the
sender cannot determine if the trap was received. When an SNMP manager receives an inform request, it
acknowledges the message with an SNMP response protocol data unit (PDU). If the sender does not receive
a response, the inform request can be sent again. Because they can be resent, informs are more likely than
traps to reach their intended destination.
The characteristics that make informs more reliable than traps also consume more resources in the switch and
in the network. Unlike a trap, which is discarded as soon as it is sent, an inform request is held in memory
until a response is received or the request times out. Traps are sent only once, but an inform might be resent
or retried several times. The retries increase traffic and contribute to a higher overhead on the network.
Therefore, traps and informs require a trade-off between reliability and resources. If it is important that the
SNMP manager receive every notification, use inform requests. If traffic on the network or memory in the
switch is a concern and notification is not required, use traps.
Related Topics
Configuring SNMP Notifications, on page 539
Monitoring SNMP Status, on page 546

SNMP ifIndex MIB Object Values


The IF-MIB on the switch generates and assigns an interface index (ifIndex) object value, a unique number
greater than zero, to identify each physical or logical interface; the NMS refers to the interface by this value.
When the switch reboots or the switch software is upgraded, the switch uses this same value for the interface.
For example, if the switch assigns port 2 an ifIndex value of 10003, this value is the same after the switch reboots.
The switch uses one of the values in the following table to assign an ifIndex value to an interface:

Table 50: ifIndex Values

Interface Type                                                        ifIndex Range
SVI (switch virtual interface)                                        1–4999
EtherChannel                                                          5001–5048
Tunnel                                                                5078–5142
Physical (such as Gigabit Ethernet or SFP-module interfaces),         10000–14500
based on type and port numbers
Null                                                                  14501
Loopback and Tunnel                                                   24567+

(SFP = small form-factor pluggable)

Default SNMP Configuration


Feature                   Default Setting
SNMP agent                Disabled. (6)
SNMP trap receiver        None configured.
SNMP traps                None enabled except the trap for TCP connections (tty).
SNMP version              If no version keyword is present, the default is Version 1.
SNMPv3 authentication     If no keyword is entered, the default is the noauth (noAuthNoPriv) security level.
SNMP notification type    If no type is specified, all notifications are sent.

(6) This is the default when the switch starts and the startup configuration does not have any snmp-server
global configuration commands.

SNMP Configuration Guidelines


If the switch starts and the switch startup configuration has at least one snmp-server global configuration
command, the SNMP agent is enabled.
An SNMP group is a table that maps SNMP users to SNMP views. An SNMP user is a member of an SNMP
group. An SNMP host is the recipient of an SNMP trap operation. An SNMP engine ID is a name for the local
or remote SNMP engine.
When configuring SNMP, follow these guidelines:
• When configuring an SNMP group, do not specify a notify view. The snmp-server host global
configuration command auto-generates a notify view for the user and then adds it to the group associated
with that user. Modifying the group's notify view affects all users associated with that group.
• To configure a remote user, specify the IP address and, optionally, the UDP port number of the remote
SNMP agent on the device where the user resides.
• Before you configure remote users for a particular agent, configure the SNMP engine ID, using the
snmp-server engineID global configuration command with the remote option. The remote agent's
SNMP engine ID and user password are used to compute the authentication and privacy digests. If you
do not configure the remote engine ID first, the configuration command fails.


• When configuring SNMP informs, you need to configure the SNMP engine ID for the remote agent in
the SNMP database before you can send proxy requests or informs to it.
• If a local user is not associated with a remote host, the switch does not send informs for the auth
(authNoPriv) and the priv (authPriv) authentication levels.
• Changing the value of the SNMP engine ID has significant results. A user's password (entered on the
command line) is converted to an MD5 or SHA security digest based on the password and the local
engine ID. The command-line password is then destroyed, as required by RFC 2274. Because of this
deletion, if the value of the engine ID changes, the security digests of SNMPv3 users become invalid,
and you need to reconfigure SNMP users by using the snmp-server user username global configuration
command. Similar restrictions require the reconfiguration of community strings when the engine ID
changes.

Related Topics
Configuring SNMP Groups and Users, on page 536
Monitoring SNMP Status, on page 546

How to Configure SNMP


Disabling the SNMP Agent
The no snmp-server global configuration command disables all running versions (Version 1, Version 2C,
and Version 3) of the SNMP agent on the device. You reenable all versions of the SNMP agent by the first
snmp-server global configuration command that you enter. There is no Cisco IOS command specifically
designated for enabling SNMP.
Follow these steps to disable the SNMP agent.

Before you begin


The SNMP Agent must be enabled before it can be disabled. The SNMP agent is enabled by the first
snmp-server global configuration command entered on the device.

SUMMARY STEPS
1. enable
2. configure terminal
3. no snmp-server
4. end
5. show running-config
6. copy running-config startup-config

DETAILED STEPS

Command or Action Purpose


Step 1 enable Enables privileged EXEC mode. Enter your password if
prompted.
Example:

SwitchDevice> enable

Step 2 configure terminal Enters the global configuration mode.


Example:

SwitchDevice# configure terminal

Step 3 no snmp-server Disables the SNMP agent operation.


Example:

SwitchDevice(config)# no snmp-server

Step 4 end Returns to privileged EXEC mode.


Example:

SwitchDevice(config)# end

Step 5 show running-config Verifies your entries.


Example:

SwitchDevice# show running-config

Step 6 copy running-config startup-config (Optional) Saves your entries in the configuration file.
Example:

SwitchDevice# copy running-config startup-config

Related Topics
SNMP Agent Functions, on page 528
Monitoring SNMP Status, on page 546

Configuring Community Strings


You use the SNMP community string to define the relationship between the SNMP manager and the agent.
The community string acts like a password to permit access to the agent on the switch. Optionally, you can
specify one or more of these characteristics associated with the string:
• An access list of IP addresses of the SNMP managers that are permitted to use the community string to
gain access to the agent
• A MIB view, which defines the subset of all MIB objects accessible to the given community
• Read and write or read-only permission for the MIB objects accessible to the community


Follow these steps to configure a community string on the switch.

SUMMARY STEPS
1. enable
2. configure terminal
3. snmp-server community string [view view-name] [ro | rw] [access-list-number]
4. access-list access-list-number {deny | permit} source [source-wildcard]
5. end
6. show running-config
7. copy running-config startup-config

DETAILED STEPS

Command or Action Purpose


Step 1 enable Enables privileged EXEC mode. Enter your password if
prompted.
Example:

SwitchDevice> enable

Step 2 configure terminal Enters the global configuration mode.


Example:

SwitchDevice# configure terminal

Step 3 snmp-server community string [view view-name] [ro | rw] [access-list-number]
Configures the community string.
Example:

SwitchDevice(config)# snmp-server community comaccess ro 4

Note The @ symbol is used for delimiting the context information. Avoid using the @ symbol as part of the
SNMP community string when configuring this command.

• For string, specify a string that acts like a password and permits access to the SNMP protocol. You can
configure one or more community strings of any length.
• (Optional) For view, specify the view record accessible to the community.
• (Optional) Specify either read-only (ro) if you want authorized management stations to retrieve MIB
objects, or specify read-write (rw) if you want authorized management stations to retrieve and modify MIB
objects. By default, the community string permits read-only access to all objects.
• (Optional) For access-list-number, enter an IP standard access list numbered from 1 to 99 and 1300 to 1999.


Command or Action Purpose


Step 4 access-list access-list-number {deny | permit} source [source-wildcard]
(Optional) If you specified an IP standard access list number in Step 3, then create the list, repeating the
command as many times as necessary.
Example:

SwitchDevice(config)# access-list 4 deny any

• For access-list-number, enter the access list number specified in Step 3.
• The deny keyword denies access if the conditions are matched. The permit keyword permits access if the
conditions are matched.
• For source, enter the IP address of the SNMP managers that are permitted to use the community string to
gain access to the agent.
• (Optional) For source-wildcard, enter the wildcard bits in dotted decimal notation to be applied to the
source. Place ones in the bit positions that you want to ignore.

Recall that the access list is always terminated by an implicit deny statement for everything.

Step 5 end Returns to privileged EXEC mode.


Example:

SwitchDevice(config)# end

Step 6 show running-config Verifies your entries.


Example:

SwitchDevice# show running-config

Step 7 copy running-config startup-config (Optional) Saves your entries in the configuration file.
Example:

SwitchDevice# copy running-config startup-config

What to do next
To disable access for an SNMP community, set the community string for that community to the null string
(do not enter a value for the community string).
To remove a specific community string, use the no snmp-server community string global configuration
command.
You can specify an identification name (engine ID) for the local or remote SNMP server engine on the switch.
You can configure an SNMP server group that maps SNMP users to SNMP views, and you can add new users
to the SNMP group.


Related Topics
SNMP Community Strings, on page 529

Configuring SNMP Groups and Users


You can specify an identification name (engine ID) for the local or remote SNMP server engine on the switch.
You can configure an SNMP server group that maps SNMP users to SNMP views, and you can add new users
to the SNMP group.
Follow these steps to configure SNMP groups and users on the switch.

SUMMARY STEPS
1. enable
2. configure terminal
3. snmp-server engineID {local engineid-string | remote ip-address [udp-port port-number]
engineid-string}
4. snmp-server group group-name {v1 | v2c | v3 {auth | noauth | priv}} [read readview] [write
writeview] [notify notifyview] [access access-list]
5. snmp-server user username group-name [remote host [udp-port port]] {v1 [access access-list] |
v2c [access access-list] | v3 [encrypted] [access access-list] [auth {md5 | sha} auth-password]
} [priv {des | 3des | aes {128 | 192 | 256}} priv-password]
6. end
7. show running-config
8. copy running-config startup-config

DETAILED STEPS

Command or Action Purpose


Step 1 enable Enables privileged EXEC mode. Enter your password if
prompted.
Example:

SwitchDevice> enable

Step 2 configure terminal Enters the global configuration mode.


Example:

SwitchDevice# configure terminal

Step 3 snmp-server engineID {local engineid-string | remote ip-address [udp-port port-number] engineid-string}
Configures a name for either the local or remote copy of SNMP.
Example:

SwitchDevice(config)# snmp-server engineID local 1234

• The engineid-string is a 24-character hexadecimal ID string with the name of the copy of SNMP. You need
not specify the entire 24-character engine ID if it has trailing zeros. Specify only the portion of the engine
ID up to the point where only zeros remain in the value. The Step Example configures an engine ID of
123400000000000000000000.
• If you select remote, specify the ip-address of the device that contains the remote copy of SNMP and the
optional User Datagram Protocol (UDP) port on the remote device. The default is 162.

Step 4 snmp-server group group-name {v1 | v2c | v3 {auth | noauth | priv}} [read readview] [write writeview]
[notify notifyview] [access access-list]
Configures a new SNMP group on the switch.
Example:

SwitchDevice(config)# snmp-server group public v2c access lmnop

For group-name, specify the name of the group.
Specify one of the following security models:
• v1 is the least secure of the possible security models.
• v2c is the second least secure model. It allows transmission of informs and of 64-bit counters (twice the
width of the SNMPv1 counters).
• v3, the most secure, requires you to select one of the following security levels:
  auth—Enables packet authentication with the Message Digest 5 (MD5) or the Secure Hash Algorithm (SHA)
  without encryption (authNoPriv).
  noauth—Enables the noAuthNoPriv security level. This is the default if no keyword is specified.
  priv—Enables packet encryption (also called privacy) in addition to authentication (authPriv). The cipher
  (DES, 3DES, or AES) is selected for each user in Step 5.

(Optional) Enter read readview with a string (not to exceed 64 characters) that is the name of the view in
which you can only view the contents of the agent.
(Optional) Enter write writeview with a string (not to exceed 64 characters) that is the name of the view in
which you enter data and configure the contents of the agent.
(Optional) Enter notify notifyview with a string (not to exceed 64 characters) that is the name of the view in
which you specify a notify, inform, or trap.
(Optional) Enter access access-list with a string (not to exceed 64 characters) that is the name of the access list.

Step 5 snmp-server user username group-name [remote host [udp-port port]] {v1 [access access-list] | v2c
[access access-list] | v3 [encrypted] [access access-list] [auth {md5 | sha} auth-password]} [priv {des | 3des |
aes {128 | 192 | 256}} priv-password]
Adds a new user for an SNMP group.
Example:

SwitchDevice(config)# snmp-server user Pat public v2c

The username is the name of the user on the host that connects to the agent.
The group-name is the name of the group to which the user is associated.
(Optional) Enter remote to specify a remote SNMP entity to which the user belongs and the hostname or IP
address of that entity with the optional UDP port number. The default is 162.
Enter the SNMP version number (v1, v2c, or v3). If you enter v3, you have these additional options:
• encrypted specifies that the password appears in encrypted format. This keyword is available only when
the v3 keyword is specified.
• auth selects the authentication algorithm, either HMAC-MD5-96 (md5) or HMAC-SHA-96 (sha), and
requires a password string auth-password (not to exceed 64 characters).

If you enter v3, you can also configure a privacy (priv) encryption algorithm and password string
priv-password (not to exceed 64 characters) using the following keywords:
• priv specifies the User-based Security Model (USM).
• des specifies the use of the 56-bit DES algorithm.
• 3des specifies the use of the 168-bit Triple DES algorithm.
• aes specifies the use of the AES algorithm. You must select either 128-bit, 192-bit, or 256-bit encryption.

(Optional) Enter access access-list with a string (not to exceed 64 characters) that is the name of the access list.

Step 6 end Returns to privileged EXEC mode.


Example:

SwitchDevice(config)# end

Step 7 show running-config Verifies your entries.


Example:

SwitchDevice# show running-config

Step 8 copy running-config startup-config (Optional) Saves your entries in the configuration file.
Example:

SwitchDevice# copy running-config startup-config
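The community-string procedure and the group-and-user procedure above, combined into one configuration as an added example that is not part of the original guide. It shows the weak setting that is commonly found (a read-write community reachable from any address) beside a hardened replacement: an ACL-bound, read-only, view-restricted v2c community for a legacy poller, and SNMPv3 authPriv for everything else, with informs to the NMS. The address 192.0.2.10, the names NMS-RO, MONITOR-ONLY, nmspoller and c0mm-legacy, both engine IDs and both password strings are assumptions. The snmp-server view, snmp-server enable traps and snmp-server host commands are Cisco IOS commands that this section of the guide does not itself walk through.

```cisco
! Added example (not from the original guide). 192.0.2.10 stands for the
! NMS; all names, engine IDs and password strings here are hypothetical.
!
! --- Weak setting (shown commented out, do not configure) ---
! snmp-server community private rw
! A read-write community with no access list: anyone who guesses or
! sniffs "private" from any address can read and rewrite the configuration.
!
! --- Hardened replacement ---
SwitchDevice> enable
SwitchDevice# configure terminal
SwitchDevice(config)# no snmp-server community private
!
! 1. Only the NMS may talk to the agent. The implicit deny would drop
!    everything else anyway; the explicit entry with log records attempts.
SwitchDevice(config)# access-list 10 permit 192.0.2.10
SwitchDevice(config)# access-list 10 deny any log
!
! 2. Legacy v2c poller: read-only, bound to the ACL, and limited by a view
!    to the system and interfaces subtrees instead of the whole MIB.
SwitchDevice(config)# snmp-server view MONITOR-ONLY system included
SwitchDevice(config)# snmp-server view MONITOR-ONLY interfaces included
SwitchDevice(config)# snmp-server community c0mm-legacy view MONITOR-ONLY ro 10
!
! 3. SNMPv3 authPriv. Set the local engine ID before creating users: the
!    stored keys are derived from it, and changing it later silently
!    invalidates every v3 user (see SNMP Configuration Guidelines).
SwitchDevice(config)# snmp-server engineID local 800000090300001122334455
SwitchDevice(config)# snmp-server group NMS-RO v3 priv read MONITOR-ONLY access 10
SwitchDevice(config)# snmp-server user nmspoller NMS-RO v3 auth sha Auth-Passw0rd-Example priv aes 128 Priv-Passw0rd-Example
!
! 4. Acknowledged notifications (informs) at the priv level. The remote
!    engine ID must exist before the remote user can be defined.
SwitchDevice(config)# snmp-server engineID remote 192.0.2.10 800000090300AABBCCDDEEFF
SwitchDevice(config)# snmp-server user nmspoller NMS-RO remote 192.0.2.10 v3 auth sha Auth-Passw0rd-Example priv aes 128 Priv-Passw0rd-Example
SwitchDevice(config)# snmp-server enable traps snmp authentication linkdown linkup coldstart
SwitchDevice(config)# snmp-server host 192.0.2.10 informs version 3 priv nmspoller
SwitchDevice(config)# end
!
! Verify: the user must show auth SHA and priv AES-128, the group must show
! the read view and the ACL, and no read-write community may remain.
SwitchDevice# show snmp user
SwitchDevice# show snmp group
SwitchDevice# show running-config | include snmp-server
SwitchDevice# copy running-config startup-config
```

Two checks are worth doing after applying this. First, show snmp user is the only place the v3 user is visible; the snmp-server user lines and their passwords are not written to the running configuration, because the switch keeps only the localized keys, which is exactly why the engine ID must be fixed before the user is created. Second, from a host that is not 192.0.2.10, a v2c query with c0mm-legacy should get no response at all, and the deny entry in access list 10 should count a match; if it answers, the community was created without the access-list number.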

Related Topics
SNMP Configuration Guidelines, on page 531


Monitoring SNMP Status, on page 546

Configuring SNMP Notifications


A trap manager is a management station that receives and processes traps. Traps are system alerts that the
switch generates when certain events occur. By default, no trap manager is defined, and no traps are sent.
Switches running this Cisco IOS release can have an unlimited number of trap managers.

Note Many commands use the word traps in the command syntax. Unless there is an option in the command to
select either traps or informs, the keyword traps refers to traps, informs, or both. Use the snmp-server host
global configuration command to specify whether to send SNMP notifications as traps or informs.

You can use the snmp-server host global configuration command for a specific host to receive the notification
types listed in the following table. You can enable any or all of these traps and configure a trap manager to
receive them.

Table 51: Device Notification Types

Notification Type Keyword: Description

bridge: Generates STP bridge MIB traps.
cluster: Generates a trap when the cluster configuration changes.
config: Generates a trap for SNMP configuration changes.
copy-config: Generates a trap for SNMP copy configuration changes.
cpu threshold: Allows CPU-related traps.
entity: Generates a trap for SNMP entity changes.
envmon: Generates environmental monitor traps. You can enable any or all of these environmental traps: fan, shutdown, status, supply, temperature.
errdisable: Generates a trap for a port or VLAN that is error-disabled. You can also set a maximum trap rate per minute. The range is from 0 to 10000; the default is 0, which means there is no rate limit.
flash: Generates SNMP FLASH notifications. In a switch stack, you can optionally enable notification for flash insertion or removal, which would cause a trap to be issued whenever a switch in the stack is removed or inserted (physical removal, power cycle, or reload).
fru-ctrl: Generates entity field-replaceable unit (FRU) control traps. In the switch stack, this trap refers to the insertion or removal of a switch in the stack.
hsrp: Generates a trap for Hot Standby Router Protocol (HSRP) changes.
ipmulticast: Generates a trap for IP multicast routing changes.
mac-notification: Generates a trap for MAC address notifications.
msdp: Generates a trap for Multicast Source Discovery Protocol (MSDP) changes.
ospf: Generates a trap for Open Shortest Path First (OSPF) changes. You can enable any or all of these traps: Cisco specific, errors, link-state advertisement, rate limit, retransmit, and state changes.
pim: Generates a trap for Protocol-Independent Multicast (PIM) changes. You can enable any or all of these traps: invalid PIM messages, neighbor changes, and rendezvous point (RP)-mapping changes.
port-security: Generates SNMP port security traps. You can also set a maximum trap rate per second. The range is from 0 to 1000; the default is 0, which means that there is no rate limit.
    Note When you configure a trap by using the notification type port-security, configure the port security trap first, and then configure the port security trap rate:
    1. snmp-server enable traps port-security
    2. snmp-server enable traps port-security trap-rate rate
ipsla: Generates a trap for the SNMP IP Service Level Agreements (SLAs).
snmp: Generates a trap for SNMP-type notifications for authentication, cold start, warm start, link up or link down.
storm-control: Generates a trap for SNMP storm-control. You can also set a maximum trap rate per minute. The range is from 0 to 1000; the default is 0 (no limit is imposed; a trap is sent at every occurrence).
stpx: Generates SNMP STP Extended MIB traps.
syslog: Generates SNMP syslog traps.
tty: Generates a trap for TCP connections. This trap is enabled by default.
vlan-membership: Generates a trap for SNMP VLAN membership changes.
vlancreate: Generates SNMP VLAN created traps.
vlandelete: Generates SNMP VLAN deleted traps.
vtp: Generates a trap for VLAN Trunking Protocol (VTP) changes.

Follow these steps to configure the switch to send traps or informs to a host.

SUMMARY STEPS
1. enable
2. configure terminal
3. snmp-server engineID remote ip-address engineid-string
4. snmp-server user username group-name {remote host [ udp-port port]} {v1 [access access-list]
| v2c [access access-list] | v3 [encrypted] [access access-list] [auth {md5 | sha} auth-password]
}

5. snmp-server group group-name {v1 | v2c | v3 {auth | noauth | priv}} [read readview] [write
writeview] [notify notifyview] [access access-list]
6. snmp-server host host-addr [informs | traps] [version {1 | 2c | 3 {auth | noauth | priv}}]
community-string [notification-type]
7. snmp-server enable traps notification-types
8. snmp-server trap-source interface-id
9. snmp-server queue-length length
10. snmp-server trap-timeout seconds
11. end
12. show running-config
13. copy running-config startup-config

DETAILED STEPS

Command or Action Purpose


Step 1 enable Enables privileged EXEC mode. Enter your password if
prompted.
Example:

SwitchDevice> enable

Step 2 configure terminal Enters the global configuration mode.


Example:

SwitchDevice# configure terminal

Step 3 snmp-server engineID remote ip-address engineid-string Specifies the engine ID for the remote host.
Example:
SwitchDevice(config)# snmp-server engineID remote
192.180.1.27 00000063000100a1c0b4011b

Step 4 snmp-server user username group-name {remote host [udp-port port]} {v1 [access access-list] | v2c [access access-list] | v3 [encrypted] [access access-list] [auth {md5 | sha} auth-password]}
Configures an SNMP user to be associated with the remote host created in Step 3.
Note You cannot configure a remote user for an address without first configuring the engine ID for the remote host. Otherwise, you receive an error message, and the command is not executed.
Example:
SwitchDevice(config)# snmp-server user Pat public v2c

Step 5 snmp-server group group-name {v1 | v2c | v3 {auth | noauth | priv}} [read readview] [write writeview] [notify notifyview] [access access-list]
Configures an SNMP group.
Example:
SwitchDevice(config)# snmp-server group public v2c access lmnop



Step 6 snmp-server host host-addr [informs | traps] [version {1 | 2c | 3 {auth | noauth | priv}}] community-string [notification-type]
Specifies the recipient of an SNMP trap operation.
For host-addr, specify the name or Internet address of the host (the targeted recipient).
(Optional) Specify traps (the default) to send SNMP traps to the host.
(Optional) Specify informs to send SNMP informs to the host.
(Optional) Specify the SNMP version (1, 2c, or 3). SNMPv1 does not support informs.
(Optional) For Version 3, select authentication level auth, noauth, or priv.
Note The priv keyword is available only when the cryptographic software image is installed.
For community-string, when version 1 or version 2c is specified, enter the password-like community string sent with the notification operation. When version 3 is specified, enter the SNMPv3 username.
The @ symbol is used for delimiting the context information. Avoid using the @ symbol as part of the SNMP community string when configuring this command.
(Optional) For notification-type, use the keywords listed in the table above. If no type is specified, all notifications are sent.
Example:
SwitchDevice(config)# snmp-server host 203.0.113.1 comaccess snmp

Step 7 snmp-server enable traps notification-types
Enables the switch to send traps or informs and specifies the type of notifications to be sent. For a list of notification types, see the table above, or enter snmp-server enable traps ?
To enable multiple types of traps, you must enter a separate snmp-server enable traps command for each trap type.
Note When you configure a trap by using the notification type port-security, configure the port security trap first, and then configure the port security trap rate:
1. snmp-server enable traps port-security
2. snmp-server enable traps port-security trap-rate rate
Example:
SwitchDevice(config)# snmp-server enable traps snmp



Step 8 snmp-server trap-source interface-id
(Optional) Specifies the source interface, which provides the IP address for the trap message. This command also sets the source IP address for informs.
Example:
SwitchDevice(config)# snmp-server trap-source gigabitethernet 1/0/1

Step 9 snmp-server queue-length length (Optional) Establishes the message queue length for each
trap host. The range is 1 to 5000; the default is 10.
Example:
SwitchDevice(config)# snmp-server queue-length 20

Step 10 snmp-server trap-timeout seconds (Optional) Defines how often to resend trap messages. The
range is 1 to 1000; the default is 30 seconds.
Example:
SwitchDevice(config)# snmp-server trap-timeout 60

Step 11 end Returns to privileged EXEC mode.


Example:

SwitchDevice(config)# end

Step 12 show running-config Verifies your entries.


Example:

SwitchDevice# show running-config

Step 13 copy running-config startup-config (Optional) Saves your entries in the configuration file.
Example:

SwitchDevice# copy running-config startup-config

What to do next
The snmp-server host command specifies which hosts receive the notifications. The snmp-server enable
traps command globally enables the method for the specified notification (for traps and informs). To enable
a host to receive an inform, you must configure an snmp-server host informs command for the host and
globally enable informs by using the snmp-server enable traps command.
To remove the specified host from receiving traps, use the no snmp-server host host global configuration
command. The no snmp-server host command with no keywords disables traps, but not informs, to the host.
To disable informs, use the no snmp-server host informs global configuration command. To disable a specific
trap type, use the no snmp-server enable traps notification-types global configuration command.
Related Topics
SNMP Notifications, on page 530
Monitoring SNMP Status, on page 546


Setting the Agent Contact and Location Information


Follow these steps to set the system contact and location of the SNMP agent so that these descriptions can be
accessed through the configuration file.

SUMMARY STEPS
1. enable
2. configure terminal
3. snmp-server contact text
4. snmp-server location text
5. end
6. show running-config
7. copy running-config startup-config

DETAILED STEPS

Command or Action Purpose


Step 1 enable Enables privileged EXEC mode. Enter your password if
prompted.
Example:

SwitchDevice> enable

Step 2 configure terminal Enters the global configuration mode.


Example:

SwitchDevice# configure terminal

Step 3 snmp-server contact text Sets the system contact string.


Example:
SwitchDevice(config)# snmp-server contact Dial System Operator at beeper 21555

Step 4 snmp-server location text Sets the system location string.


Example:
SwitchDevice(config)# snmp-server location Building 3/Room 222

Step 5 end Returns to privileged EXEC mode.


Example:

SwitchDevice(config)# end

Step 6 show running-config Verifies your entries.


Example:


SwitchDevice# show running-config

Step 7 copy running-config startup-config (Optional) Saves your entries in the configuration file.
Example:

SwitchDevice# copy running-config startup-config

Related Topics
SNMP Agent Functions, on page 528

Limiting TFTP Servers Used Through SNMP


Follow these steps to limit the TFTP servers used for saving and loading configuration files through SNMP
to the servers specified in an access list.

SUMMARY STEPS
1. enable
2. configure terminal
3. snmp-server tftp-server-list access-list-number
4. access-list access-list-number {deny | permit} source [source-wildcard]
5. end
6. show running-config
7. copy running-config startup-config

DETAILED STEPS

Command or Action Purpose


Step 1 enable Enables privileged EXEC mode. Enter your password if
prompted.
Example:

SwitchDevice> enable

Step 2 configure terminal Enters the global configuration mode.


Example:

SwitchDevice# configure terminal

Step 3 snmp-server tftp-server-list access-list-number
Limits the TFTP servers used for configuration file copies through SNMP to the servers in the access list.
For access-list-number, enter an IP standard access list numbered from 1 to 99 and 1300 to 1999.
Example:
SwitchDevice(config)# snmp-server tftp-server-list 44



Step 4 access-list access-list-number {deny | permit} source [source-wildcard]
Creates a standard access list, repeating the command as many times as necessary.
For access-list-number, enter the access list number specified in Step 3.
The deny keyword denies access if the conditions are matched. The permit keyword permits access if the conditions are matched.
For source, enter the IP address of the TFTP servers that can access the switch.
(Optional) For source-wildcard, enter the wildcard bits, in dotted decimal notation, to be applied to the source. Place ones in the bit positions that you want to ignore.
The access list is always terminated by an implicit deny statement for everything.
Example:
SwitchDevice(config)# access-list 44 permit 10.1.1.2

Step 5 end Returns to privileged EXEC mode.


Example:

SwitchDevice(config)# end

Step 6 show running-config Verifies your entries.


Example:

SwitchDevice# show running-config

Step 7 copy running-config startup-config (Optional) Saves your entries in the configuration file.
Example:

SwitchDevice# copy running-config startup-config

Monitoring SNMP Status


To display SNMP input and output statistics, including the number of illegal community string entries, errors,
and requested variables, use the show snmp privileged EXEC command. You also can use the other privileged
EXEC commands listed in the table to display SNMP information.

Table 52: Commands for Displaying SNMP Information

Command: Purpose

show snmp: Displays SNMP statistics.
show snmp engineID: Displays information on the local SNMP engine and all remote engines that have been configured on the device.
show snmp group: Displays information on each SNMP group on the network.
show snmp pending: Displays information on pending SNMP requests.
show snmp sessions: Displays information on the current SNMP sessions.
show snmp user: Displays information on each SNMP user name in the SNMP users table.
    Note You must use this command to display SNMPv3 configuration information for auth | noauth | priv mode. This information is not displayed in the show running-config output.

Related Topics
Disabling the SNMP Agent, on page 532
SNMP Agent Functions, on page 528
Configuring SNMP Groups and Users, on page 536
SNMP Configuration Guidelines, on page 531
Configuring SNMP Notifications, on page 539
SNMP Notifications, on page 530

SNMP Examples
This example shows how to enable all versions of SNMP. The configuration permits any SNMP manager to
access all objects with read-only permissions using the community string public. This configuration does not
cause the switch to send any traps.
SwitchDevice(config)# snmp-server community public

This example shows how to permit any SNMP manager to access all objects with read-only permission using
the community string public. The switch also sends VTP traps to the hosts 192.180.1.111 and 192.180.1.33
using SNMPv1 and to the host 192.180.1.27 using SNMPv2C. The community string public is sent with the
traps.
SwitchDevice(config)# snmp-server community public
SwitchDevice(config)# snmp-server enable traps vtp
SwitchDevice(config)# snmp-server host 192.180.1.27 version 2c public
SwitchDevice(config)# snmp-server host 192.180.1.111 version 1 public
SwitchDevice(config)# snmp-server host 192.180.1.33 public

This example shows how to allow read-only access for all objects to members of access list 4 that use the
comaccess community string. No other SNMP managers have access to any objects. SNMP Authentication
Failure traps are sent by SNMPv2C to the host cisco.com using the community string public.

SwitchDevice(config)# snmp-server community comaccess ro 4
SwitchDevice(config)# snmp-server enable traps snmp authentication
SwitchDevice(config)# snmp-server host cisco.com version 2c public

This example shows how to send Entity MIB traps to the host cisco.com. The community string is restricted.
The first line enables the switch to send Entity MIB traps in addition to any traps previously enabled. The
second line specifies the destination of these traps and overwrites any previous snmp-server host commands
for the host cisco.com.
SwitchDevice(config)# snmp-server enable traps entity
SwitchDevice(config)# snmp-server host cisco.com restricted entity

This example shows how to enable the switch to send all traps to the host myhost.cisco.com using the community
string public:
SwitchDevice(config)# snmp-server enable traps
SwitchDevice(config)# snmp-server host myhost.cisco.com public

This example shows how to associate a user with a remote host and to send auth (authNoPriv)
authentication-level informs when the user enters global configuration mode:
SwitchDevice(config)# snmp-server engineID remote 192.180.1.27 00000063000100a1c0b4011b
SwitchDevice(config)# snmp-server group authgroup v3 auth
SwitchDevice(config)# snmp-server user authuser authgroup remote 192.180.1.27 v3 auth md5 mypassword
SwitchDevice(config)# snmp-server user authuser authgroup v3 auth md5 mypassword
SwitchDevice(config)# snmp-server host 192.180.1.27 informs version 3 auth authuser config
SwitchDevice(config)# snmp-server enable traps
SwitchDevice(config)# snmp-server inform retries 0
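As an added example (not Cisco's code), the following Python audits a constructed running-config excerpt built from the SNMP user, notification and TFTP-server-list procedures and the examples above: it parses snmp-server and access-list lines, evaluates the TFTP server access list with the wildcard-mask and implicit-deny semantics described in the access-list step, and flags communities without an access list, SNMPv3 users below authPriv, v1/v2c notification hosts, and missing authentication traps. The sample config, finding texts and function names are the example's own assumptions.

```python
"""Offline audit of snmp-server and access-list lines from a Cisco IOS running-config.
Added example for this chapter's SNMP user, notification and TFTP-server-list
procedures and its SNMP Examples; it is not Cisco code. The checks are the author's
hardening points; the sample config is constructed from the guide's own example
lines plus a v3 user and a TFTP server list."""
import ipaddress

# Constructed sample input: what a technician might see in show running-config.
SAMPLE_CONFIG = """\
snmp-server community public
snmp-server community comaccess ro 4
snmp-server user authuser authgroup v3 auth md5 mypassword
snmp-server user Pat public v2c
snmp-server enable traps vtp
snmp-server host 192.180.1.27 informs version 3 auth authuser config
snmp-server host 192.180.1.111 version 1 public
snmp-server host 192.180.1.33 public
snmp-server tftp-server-list 44
access-list 44 permit 10.1.1.2
"""


def parse_config(text):
    """Collect the SNMP-relevant lines, keyed by feature, as token lists."""
    cfg = {"community": [], "user": [], "host": [], "traps": [],
           "tftp_acl": None, "acl": {}}
    for line in text.splitlines():
        words = line.split()
        if words[:2] == ["snmp-server", "community"]:
            cfg["community"].append(words[2:])
        elif words[:2] == ["snmp-server", "user"]:
            cfg["user"].append(words[2:])
        elif words[:2] == ["snmp-server", "host"]:
            cfg["host"].append(words[2:])
        elif words[:3] == ["snmp-server", "enable", "traps"]:
            cfg["traps"].append(words[3:])
        elif words[:2] == ["snmp-server", "tftp-server-list"]:
            cfg["tftp_acl"] = words[2]
        elif words[:1] == ["access-list"]:
            # access-list <number> {deny | permit} <source> [source-wildcard]
            wildcard = words[4] if len(words) > 4 else "0.0.0.0"
            cfg["acl"].setdefault(words[1], []).append((words[2], words[3], wildcard))
    return cfg


def acl_permits(entries, address):
    """Evaluate a standard ACL the way the switch does: the first matching entry
    wins and the list ends with an implicit deny. A wildcard bit of 1 means "ignore
    this bit", so an entry matches when (address XOR source) has no 1 bits outside it."""
    ip = int(ipaddress.IPv4Address(address))
    for action, source, wildcard in entries:
        src = int(ipaddress.IPv4Address(source))
        ignore = int(ipaddress.IPv4Address(wildcard))
        if (ip ^ src) & ~ignore & 0xFFFFFFFF == 0:
            return action == "permit"
    return False


def auth_traps_enabled(traps):
    """True if authentication-failure traps are on: all traps, all snmp traps,
    or snmp authentication traps have been enabled."""
    return any(t == [] or (t[0] == "snmp" and (len(t) == 1 or "authentication" in t))
               for t in traps)


def audit(cfg, tftp_servers=()):
    """Return the findings a reviewer would raise against this configuration."""
    findings = []
    for words in cfg["community"]:
        name, opts = words[0], [w for w in words[1:] if w not in ("ro", "rw")]
        if "rw" in words:
            findings.append(f"community {name!r} grants read-write access")
        if not opts:  # nothing after ro/rw, so no access list (view keyword not handled)
            findings.append(f"community {name!r} is not restricted by an access list")
    for words in cfg["user"]:
        name = words[0]
        if "v3" not in words:
            findings.append(f"user {name!r} is not SNMPv3: no per-user authentication")
        elif "auth" not in words:
            findings.append(f"v3 user {name!r} is noAuthNoPriv: requests are unauthenticated")
        elif "priv" not in words:
            findings.append(f"v3 user {name!r} is authNoPriv: payloads are sent in clear text")
    for words in cfg["host"]:
        if "version" not in words or words[words.index("version") + 1] != "3":
            findings.append(f"notifications to {words[0]} carry a clear-text community string")
    if not auth_traps_enabled(cfg["traps"]):
        findings.append("snmp authentication traps are off: bad community strings go unreported")
    if cfg["tftp_acl"] is None:
        findings.append("no snmp-server tftp-server-list: any TFTP server may be used via SNMP")
    else:
        entries = cfg["acl"].get(cfg["tftp_acl"], [])  # missing list: implicit deny only
        for server in tftp_servers:
            if not acl_permits(entries, server):
                findings.append(f"TFTP server {server} is denied by access list {cfg['tftp_acl']}")
    return findings
```

Calling audit(parse_config(SAMPLE_CONFIG), tftp_servers=("10.1.1.2", "10.1.1.3")) yields seven findings for the sample, including that 10.1.1.3 is denied by access list 44 because the list permits only 10.1.1.2 and then falls through to the implicit deny.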

CHAPTER 29
Configuring SPAN and RSPAN
• Finding Feature Information, on page 549
• Prerequisites for SPAN and RSPAN, on page 549
• Restrictions for SPAN and RSPAN, on page 550
• Information About SPAN and RSPAN, on page 551
• How to Configure SPAN and RSPAN, on page 563
• Monitoring SPAN and RSPAN Operations, on page 586
• SPAN and RSPAN Configuration Examples, on page 586

Finding Feature Information


Your software release may not support all the features documented in this module. For the latest caveats and
feature information, see Bug Search Tool and the release notes for your platform and software release. To
find information about the features documented in this module, and to see a list of the releases in which each
feature is supported, see the feature information table at the end of this module.
Use Cisco Feature Navigator to find information about platform support and Cisco software image support.
To access Cisco Feature Navigator, go to http://www.cisco.com/go/cfn. An account on Cisco.com is not
required.

Prerequisites for SPAN and RSPAN


SPAN
• You can limit SPAN traffic to specific VLANs by using the filter vlan keyword. If a trunk port is being
monitored, only traffic on the VLANs specified with this keyword is monitored. By default, all VLANs
are monitored on a trunk port.

RSPAN
• We recommend that you configure an RSPAN VLAN before you configure an RSPAN source or a
destination session.


Restrictions for SPAN and RSPAN


SPAN
The restrictions for SPAN are as follows:
• On each switch, you can configure 66 sessions. A maximum of source sessions can be configured and
the remaining sessions can be configured as RSPAN destinations sessions. A source session is either a
local SPAN session or an RSPAN source session.
• For SPAN sources, you can monitor traffic for a single port or VLAN or a series or range of ports or
VLANs for each session. You cannot mix source ports and source VLANs within a single SPAN session.
• The destination port cannot be a source port; a source port cannot be a destination port.
• You cannot have two SPAN sessions using the same destination port.
• When you configure a switch port as a SPAN destination port, it is no longer a normal switch port; only
monitored traffic passes through the SPAN destination port.
• Entering SPAN configuration commands does not remove previously configured SPAN parameters. You
must enter the no monitor session {session_number | all | local | remote} global configuration command
to delete configured SPAN parameters.
• For local SPAN, outgoing packets through the SPAN destination port carry the original encapsulation
headers—untagged, ISL, or IEEE 802.1Q—if the encapsulation replicate keywords are specified. If
the keywords are not specified, the packets are sent in native form.
• You can configure a disabled port to be a source or destination port, but the SPAN function does not
start until the destination port and at least one source port or source VLAN are enabled.
• You cannot mix source VLANs and filter VLANs within a single SPAN session.

Traffic monitoring in a SPAN session has the following restrictions:


• Sources can be ports or VLANs, but you cannot mix source ports and source VLANs in the same session.
• Wireshark does not capture egress packets when egress span is active.
• The switch supports up to four local SPAN or RSPAN source sessions. However, if this switch is stacked
with Catalyst 2960-S switches, you are limited to 2 local SPAN or RSPAN source sessions.
• You can run both a local SPAN and an RSPAN source session in the same switch or switch stack. The
switch or switch stack supports a total of 66 source and RSPAN destination sessions.
• You can configure two separate SPAN or RSPAN source sessions with separate or overlapping sets of
SPAN source ports and VLANs. Both switched and routed ports can be configured as SPAN sources
and destinations.
• You can have multiple destination ports in a SPAN session, but no more than 64 destination ports per
switch stack.
• SPAN sessions do not interfere with the normal operation of the switch. However, an oversubscribed
SPAN destination, for example, a 10-Mb/s port monitoring a 100-Mb/s port, can result in dropped or
lost packets.


• When SPAN or RSPAN is enabled, each packet being monitored is sent twice, once as normal traffic
and once as a monitored packet. Monitoring a large number of ports or VLANs could potentially generate
large amounts of network traffic.
• You can configure SPAN sessions on disabled ports; however, a SPAN session does not become active
unless you enable the destination port and at least one source port or VLAN for that session.
• The switch does not support a combination of local SPAN and RSPAN in a single session.
• An RSPAN source session cannot have a local destination port.
• An RSPAN destination session cannot have a local source port.
• An RSPAN destination session and an RSPAN source session that are using the same RSPAN
VLAN cannot run on the same switch or switch stack.

RSPAN
The restrictions for RSPAN are as follows:
• RSPAN does not support BPDU packet monitoring or other Layer 2 switch protocols.
• The RSPAN VLAN is configured only on trunk ports and not on access ports. To avoid unwanted traffic
in RSPAN VLANs, make sure that the VLAN remote-span feature is supported in all the participating
switches.
• RSPAN VLANs are included as sources for port-based RSPAN sessions when source trunk ports have
active RSPAN VLANs. RSPAN VLANs can also be sources in SPAN sessions. However, since the
switch does not monitor spanned traffic, it does not support egress spanning of packets on any RSPAN
VLAN identified as the destination of an RSPAN source session on the switch.
• CDP packets are not forwarded in an RSPAN-configured VLAN because of a hardware limitation. The
workaround is to disable CDP on all the interfaces carrying the RSPAN VLAN on the devices connected to
the switch.
• If you enable VTP and VTP pruning, RSPAN traffic is pruned in the trunks to prevent the unwanted
flooding of RSPAN traffic across the network for VLAN IDs that are lower than 1005.
• To use RSPAN, the switch must be running the LAN Base image.

Information About SPAN and RSPAN


SPAN and RSPAN
You can analyze network traffic passing through ports or VLANs by using SPAN or RSPAN to send a copy
of the traffic to another port on the switch or on another switch that has been connected to a network analyzer
or other monitoring or security device. SPAN copies (or mirrors) traffic received or sent (or both) on source
ports or source VLANs to a destination port for analysis. SPAN does not affect the switching of network
traffic on the source ports or VLANs. You must dedicate the destination port for SPAN use. Except for traffic
that is required for the SPAN or RSPAN session, destination ports do not receive or forward traffic.


Only traffic that enters or leaves source ports or traffic that enters or leaves source VLANs can be monitored
by using SPAN; traffic routed to a source VLAN cannot be monitored. For example, if incoming traffic is
being monitored, traffic that gets routed from another VLAN to the source VLAN cannot be monitored;
however, traffic that is received on the source VLAN and routed to another VLAN can be monitored.
You can use the SPAN or RSPAN destination port to inject traffic from a network security device. For example,
if you connect a Cisco Intrusion Detection System (IDS) sensor appliance to a destination port, the IDS device
can send TCP reset packets to close down the TCP session of a suspected attacker.

Local SPAN
Local SPAN supports a SPAN session entirely within one switch; all source ports or source VLANs and
destination ports are in the same switch or switch stack. Local SPAN copies traffic from one or more source
ports in any VLAN or from one or more VLANs to a destination port for analysis.
Figure 56: Example of Local SPAN Configuration on a Single Device

All traffic on port 5 (the source port) is mirrored to port 10 (the destination port). A network analyzer on port
10 receives all network traffic from port 5 without being physically attached to port 5.
Figure 57: Example of Local SPAN Configuration on a Device Stack

This is an example of a local SPAN in a switch stack, where the source and destination ports reside on different
stack members.


Related Topics
Creating a Local SPAN Session, on page 563
Creating a Local SPAN Session and Configuring Incoming Traffic, on page 566
Example: Configuring Local SPAN, on page 586

Remote SPAN
RSPAN supports source ports, source VLANs, and destination ports on different switches (or different switch
stacks), enabling remote monitoring of multiple switches across your network.
Figure 58: Example of RSPAN Configuration

The figure below shows source ports on Switch A and Switch B. The traffic for each RSPAN session is carried
over a user-specified RSPAN VLAN that is dedicated for that RSPAN session in all participating switches.
The RSPAN traffic from the source ports or VLANs is copied into the RSPAN VLAN and forwarded over
trunk ports carrying the RSPAN VLAN to a destination session monitoring the RSPAN VLAN. Each RSPAN
source switch must have either ports or VLANs as RSPAN sources. The destination is always a physical port,
as shown on Switch C in the figure.


Related Topics
Creating an RSPAN Source Session, on page 572
Creating an RSPAN Destination Session, on page 576
Creating an RSPAN Destination Session and Configuring Incoming Traffic, on page 578
Examples: Creating an RSPAN VLAN, on page 588

SPAN and RSPAN Concepts and Terminology


• SPAN Sessions
• Monitored Traffic
• Source Ports
• Source VLANs
• VLAN Filtering
• Destination Port
• RSPAN VLAN


SPAN Sessions
SPAN sessions (local or remote) allow you to monitor traffic on one or more ports, or one or more VLANs,
and send the monitored traffic to one or more destination ports.
A local SPAN session is an association of a destination port with source ports or source VLANs, all on a
single network device. Local SPAN does not have separate source and destination sessions. Local SPAN
sessions gather a set of ingress and egress packets specified by the user and form them into a stream of SPAN
data, which is directed to the destination port.
RSPAN consists of at least one RSPAN source session, an RSPAN VLAN, and at least one RSPAN destination
session. You separately configure RSPAN source sessions and RSPAN destination sessions on different
network devices. To configure an RSPAN source session on a device, you associate a set of source ports or
source VLANs with an RSPAN VLAN. The output of this session is the stream of SPAN packets that are
sent to the RSPAN VLAN. To configure an RSPAN destination session on another device, you associate the
destination port with the RSPAN VLAN. The destination session collects all RSPAN VLAN traffic and sends
it out the RSPAN destination port.
An RSPAN source session is very similar to a local SPAN session, except for where the packet stream is
directed. In an RSPAN source session, SPAN packets are relabeled with the RSPAN VLAN ID and directed
over normal trunk ports to the destination switch.
An RSPAN destination session takes all packets received on the RSPAN VLAN, strips off the VLAN tagging,
and presents them on the destination port. The session presents a copy of all RSPAN VLAN packets (except
Layer 2 control packets) to the user for analysis.
More than one source session and more than one destination session can be active in the same RSPAN VLAN.
Intermediate switches also can separate the RSPAN source and destination sessions. These switches are unable
to run RSPAN, but they must respond to the requirements of the RSPAN VLAN.
Traffic monitoring in a SPAN session has these restrictions:
• Sources can be ports or VLANs, but you cannot mix source ports and source VLANs in the same session.
• You can run both a local SPAN and an RSPAN source session in the same switch or switch stack. The
switch or switch stack supports a total of 64 source and RSPAN destination sessions.
• You can configure two separate SPAN or RSPAN source sessions with separate or overlapping sets of
SPAN source ports and VLANs. Both switched and routed ports can be configured as SPAN sources
and destinations.
• You can have multiple destination ports in a SPAN session, but no more than 64 destination ports per
switch stack.
• SPAN sessions do not interfere with the normal operation of the switch. However, an oversubscribed
SPAN destination, for example, a 10-Mb/s port monitoring a 100-Mb/s port, can result in dropped or
lost packets.
• When SPAN or RSPAN is enabled, each packet being monitored is sent twice, once as normal traffic
and once as a monitored packet. Therefore monitoring a large number of ports or VLANs could potentially
generate large amounts of network traffic.
• You can configure SPAN sessions on disabled ports; however, a SPAN session does not become active
unless you enable the destination port and at least one source port or VLAN for that session.
• The switch does not support a combination of local SPAN and RSPAN in a single session.
• An RSPAN source session cannot have a local destination port.
• An RSPAN destination session cannot have a local source port.
• An RSPAN destination session and an RSPAN source session that are using the same RSPAN
VLAN cannot run on the same switch or switch stack.

Related Topics
Creating a Local SPAN Session, on page 563
Creating a Local SPAN Session and Configuring Incoming Traffic, on page 566
Example: Configuring Local SPAN, on page 586

Monitored Traffic
SPAN sessions can monitor these traffic types:
• Receive (Rx) SPAN—Receive (or ingress) SPAN monitors as much as possible all of the packets received
by the source interface or VLAN before any modification or processing is performed by the switch. A
copy of each packet received by the source is sent to the destination port for that SPAN session.
Packets that are modified because of routing or Quality of Service (QoS)—for example, modified
Differentiated Services Code Point (DSCP)—are copied before modification.
Features that can cause a packet to be dropped during receive processing have no effect on ingress SPAN;
the destination port receives a copy of the packet even if the actual incoming packet is dropped. These
features include IP standard and extended input Access Control Lists (ACLs), ingress QoS policing,
VLAN ACLs, and egress QoS policing.
• Transmit (Tx) SPAN—Transmit (or egress) SPAN monitors as much as possible all of the packets sent
by the source interface after all modification and processing is performed by the switch. A copy of each
packet sent by the source is sent to the destination port for that SPAN session. The copy is provided after
the packet is modified.
Packets that are modified because of routing (for example, with modified time-to-live (TTL), MAC
address, or QoS values) are duplicated (with the modifications) at the destination port.
Features that can cause a packet to be dropped during transmit processing also affect the duplicated copy
for SPAN. These features include IP standard and extended output ACLs and egress QoS policing.
• Both—In a SPAN session, you can also monitor a port or VLAN for both received and sent packets.
This is the default.

The default configuration for local SPAN session ports is to send all packets untagged. SPAN also does not
normally monitor bridge protocol data unit (BPDU) packets and Layer 2 protocols, such as Cisco Discovery
Protocol (CDP), VLAN Trunk Protocol (VTP), Dynamic Trunking Protocol (DTP), Spanning Tree Protocol
(STP), and Port Aggregation Protocol (PAgP). However, when you enter the encapsulation replicate keywords
when configuring a destination port, these changes occur:
• Packets are sent on the destination port with the same encapsulation (untagged or IEEE 802.1Q) that
they had on the source port.
• Packets of all types, including BPDU and Layer 2 protocol packets, are monitored.

Therefore, a local SPAN session with encapsulation replicate enabled can have a mixture of untagged and
IEEE 802.1Q tagged packets appear on the destination port.
Switch congestion can cause packets to be dropped at ingress source ports, egress source ports, or SPAN
destination ports. In general, these characteristics are independent of one another. For example:
• A packet might be forwarded normally but dropped from monitoring due to an oversubscribed SPAN
destination port.
• An ingress packet might be dropped from normal forwarding, but still appear on the SPAN destination
port.
• An egress packet dropped because of switch congestion is also dropped from egress SPAN.

In some SPAN configurations, multiple copies of the same source packet are sent to the SPAN destination
port. For example, a bidirectional (both Rx and Tx) SPAN session is configured for the Rx monitor on port
A and Tx monitor on port B. If a packet enters the switch through port A and is switched to port B, both
incoming and outgoing packets are sent to the destination port. Both packets are the same unless a Layer 3
rewrite occurs, in which case the packets are different because of the packet modification.

Source Ports
A source port (also called a monitored port) is a switched or routed port that you monitor for network traffic
analysis. In a local SPAN session or RSPAN source session, you can monitor source ports or VLANs for
traffic in one or both directions. The switch supports any number of source ports (up to the maximum number
of available ports on the switch) and any number of source VLANs (up to the maximum number of VLANs
supported). However, the switch supports a maximum of four sessions (local or RSPAN) with source ports or
VLANs (two sessions if the switch is in a stack with Catalyst 2960-S switches). You cannot mix ports and
VLANs in a single session.
A source port has these characteristics:
• It can be monitored in multiple SPAN sessions.
• Each source port can be configured with a direction (ingress, egress, or both) to monitor.
• It can be any port type (for example, EtherChannel, Gigabit Ethernet, and so forth).
• For EtherChannel sources, you can monitor traffic for the entire EtherChannel or individually on a
physical port as it participates in the port channel.
• It can be an access port, trunk port, routed port, or voice VLAN port.
• It cannot be a destination port.
• Source ports can be in the same or different VLANs.
• You can monitor multiple source ports in a single session.

Source VLANs
VLAN-based SPAN (VSPAN) is the monitoring of the network traffic in one or more VLANs. The SPAN
or RSPAN source interface in VSPAN is a VLAN ID, and traffic is monitored on all the ports for that VLAN.
VSPAN has these characteristics:
• All active ports in the source VLAN are included as source ports and can be monitored in either or both
directions.
• On a given port, only traffic on the monitored VLAN is sent to the destination port.
• If a destination port belongs to a source VLAN, it is excluded from the source list and is not monitored.
• If ports are added to or removed from the source VLANs, the traffic on the source VLAN received by
those ports is added to or removed from the sources being monitored.
• You cannot use filter VLANs in the same session with VLAN sources.
• You can monitor only Ethernet VLANs.

VLAN Filtering
When you monitor a trunk port as a source port, by default, all VLANs active on the trunk are monitored.
You can limit SPAN traffic monitoring on trunk source ports to specific VLANs by using VLAN filtering.
• VLAN filtering applies only to trunk ports or to voice VLAN ports.
• VLAN filtering applies only to port-based sessions and is not allowed in sessions with VLAN sources.
• When a VLAN filter list is specified, only those VLANs in the list are monitored on trunk ports or on
voice VLAN access ports.
• SPAN traffic coming from other port types is not affected by VLAN filtering; that is, all VLANs are
allowed on other ports.
• VLAN filtering affects only traffic forwarded to the destination SPAN port and does not affect the
switching of normal traffic.

Destination Port
Each local SPAN session or RSPAN destination session must have a destination port (also called a monitoring
port) that receives a copy of traffic from the source ports or VLANs and sends the SPAN packets to the user,
usually a network analyzer.
A destination port has these characteristics:
• For a local SPAN session, the destination port must reside on the same switch or switch stack as the
source port. For an RSPAN session, it is located on the switch containing the RSPAN destination session.
There is no destination port on a switch or switch stack running only an RSPAN source session.
• When a port is configured as a SPAN destination port, the configuration overwrites the original port
configuration. When the SPAN destination configuration is removed, the port reverts to its previous
configuration. If a configuration change is made to the port while it is acting as a SPAN destination port,
the change does not take effect until the SPAN destination configuration has been removed.

Note When QoS is configured on the SPAN destination port, QoS takes effect
immediately.

• If the port was in an EtherChannel group, it is removed from the group while it is a destination port. If
it was a routed port, it is no longer a routed port.
• It can be any Ethernet physical port.
• It cannot be a secure port.
• It cannot be a source port.
• It can participate in only one SPAN session at a time (a destination port in one SPAN session cannot be
a destination port for a second SPAN session).
• When it is active, incoming traffic is disabled. The port does not transmit any traffic except that required
for the SPAN session. Incoming traffic is never learned or forwarded on a destination port.
• If ingress traffic forwarding is enabled for a network security device, the destination port forwards traffic
at Layer 2.
• It does not participate in any of the Layer 2 protocols (STP, VTP, CDP, DTP, PAgP).
• A destination port that belongs to a source VLAN of any SPAN session is excluded from the source list
and is not monitored.
• The maximum number of destination ports in a switch or switch stack is 64.

Local SPAN and RSPAN destination ports function differently with VLAN tagging and encapsulation:
• For local SPAN, if the encapsulation replicate keywords are specified for the destination port, these
packets appear with the original encapsulation (untagged, ISL, or IEEE 802.1Q). If these keywords are
not specified, packets appear in the untagged format. Therefore, the output of a local SPAN session with
encapsulation replicate enabled can contain a mixture of untagged, ISL, or IEEE 802.1Q-tagged packets.
• For RSPAN, the original VLAN ID is lost because it is overwritten by the RSPAN VLAN identification.
Therefore, all packets appear on the destination port as untagged.

RSPAN VLAN
The RSPAN VLAN carries SPAN traffic between RSPAN source and destination sessions. RSPAN VLAN
has these special characteristics:
• All traffic in the RSPAN VLAN is always flooded.
• No MAC address learning occurs on the RSPAN VLAN.
• RSPAN VLAN traffic only flows on trunk ports.
• RSPAN VLANs must be configured in VLAN configuration mode by using the remote-span VLAN
configuration mode command.
• STP can run on RSPAN VLAN trunks but not on SPAN destination ports.
• An RSPAN VLAN cannot be a private-VLAN primary or secondary VLAN.

For VLANs 1 to 1005 that are visible to VLAN Trunking Protocol (VTP), the VLAN ID and its associated
RSPAN characteristic are propagated by VTP. If you assign an RSPAN VLAN ID in the extended VLAN
range (1006 to 4094), you must manually configure all intermediate switches.
It is normal to have multiple RSPAN VLANs in a network at the same time with each RSPAN VLAN defining
a network-wide RSPAN session. That is, multiple RSPAN source sessions anywhere in the network can
contribute packets to the RSPAN session. It is also possible to have multiple RSPAN destination sessions
throughout the network, monitoring the same RSPAN VLAN and presenting traffic to the user. The RSPAN
VLAN ID separates the sessions.
Related Topics
Creating an RSPAN Source Session, on page 572
Creating an RSPAN Destination Session, on page 576
Creating an RSPAN Destination Session and Configuring Incoming Traffic, on page 578
Examples: Creating an RSPAN VLAN, on page 588

SPAN and RSPAN Interaction with Other Features
SPAN interacts with these features:
• Routing—SPAN does not monitor routed traffic. VSPAN only monitors traffic that enters or exits the
switch, not traffic that is routed between VLANs. For example, if a VLAN is being Rx-monitored and
the switch routes traffic from another VLAN to the monitored VLAN, that traffic is not monitored and
not received on the SPAN destination port.
• STP—A destination port does not participate in STP while its SPAN or RSPAN session is active. The
destination port can participate in STP after the SPAN or RSPAN session is disabled. On a source port,
SPAN does not affect the STP status. STP can be active on trunk ports carrying an RSPAN VLAN.
• CDP—A SPAN destination port does not participate in CDP while the SPAN session is active. After the
SPAN session is disabled, the port again participates in CDP.
Because of a limitation in the ASIC, CDP packets are not dropped in an RSPAN-configured VLAN.
• VTP—You can use VTP to prune an RSPAN VLAN between switches.
• VLAN and trunking—You can modify VLAN membership or trunk settings for source or destination
ports at any time. However, changes in VLAN membership or trunk settings for a destination port do
not take effect until you remove the SPAN destination configuration. Changes in VLAN membership or
trunk settings for a source port immediately take effect, and the respective SPAN sessions automatically
adjust accordingly.
• EtherChannel—You can configure an EtherChannel group as a SPAN source port but not as a SPAN destination
port. When a group is configured as a SPAN source, the entire group is monitored.
If a physical port is added to a monitored EtherChannel group, the new port is added to the SPAN source
port list. If a port is removed from a monitored EtherChannel group, it is automatically removed from
the source port list.
A physical port that belongs to an EtherChannel group can be configured as a SPAN source port and still
be a part of the EtherChannel. In this case, data from the physical port is monitored as it participates in
the EtherChannel. However, if a physical port that belongs to an EtherChannel group is configured as a
SPAN destination, it is removed from the group. After the port is removed from the SPAN session, it
rejoins the EtherChannel group. Ports removed from an EtherChannel group remain members of the
group, but they are in the inactive or suspended state.
If a physical port that belongs to an EtherChannel group is a destination port and the EtherChannel group
is a source, the port is removed from the EtherChannel group and from the list of monitored ports.
• Multicast traffic can be monitored. For egress and ingress port monitoring, only a single unedited packet
is sent to the SPAN destination port. It does not reflect the number of times the multicast packet is sent.
• A private-VLAN port cannot be a SPAN destination port.
• A secure port cannot be a SPAN destination port.
For SPAN sessions, do not enable port security on ports with monitored egress when ingress forwarding
is enabled on the destination port. For RSPAN source sessions, do not enable port security on any ports
with monitored egress.
• An IEEE 802.1x port can be a SPAN source port. You can enable IEEE 802.1x on a port that is a SPAN
destination port; however, IEEE 802.1x is disabled until the port is removed as a SPAN destination.
For SPAN sessions, do not enable IEEE 802.1x on ports with monitored egress when ingress forwarding
is enabled on the destination port. For RSPAN source sessions, do not enable IEEE 802.1x on any ports
that are egress monitored.

Flow-Based SPAN
You can control the type of network traffic to be monitored in SPAN or RSPAN sessions by using flow-based
SPAN (FSPAN) or flow-based RSPAN (FRSPAN), which apply access control lists (ACLs) to the monitored
traffic on the source ports. The FSPAN ACLs can be configured to filter IPv4, IPv6, and non-IP monitored
traffic.
You apply an ACL to a SPAN session through the interface. It is applied to all the traffic that is monitored
on all interfaces in the SPAN session. The packets that are permitted by this ACL are copied to the SPAN
destination port. No other packets are copied to the SPAN destination port.
The original traffic continues to be forwarded, and any port, VLAN, and router ACLs attached are applied.
The FSPAN ACL does not have any effect on the forwarding decisions. Similarly, the port, VLAN, and router
ACLs do not have any effect on the traffic monitoring. If a security input ACL denies a packet and it is not
forwarded, the packet is still copied to the SPAN destination ports if the FSPAN ACL permits it. But if the
security output ACL denies a packet and it is not sent, it is not copied to the SPAN destination ports. However,
if the security output ACL permits the packet to go out, it is only copied to the SPAN destination ports if the
FSPAN ACL permits it. This is also true for an RSPAN session.
You can attach three types of FSPAN ACLs to the SPAN session:
• IPv4 FSPAN ACL—Filters only IPv4 packets.
• IPv6 FSPAN ACL—Filters only IPv6 packets.
• MAC FSPAN ACL—Filters only non-IP packets.

The security ACLs have higher priority than the FSPAN ACLs on a switch. If FSPAN ACLs are applied, and
you later add more security ACLs that cannot fit in the hardware memory, the FSPAN ACLs that you applied
are removed from memory to allow space for the security ACLs. A system message notifies you of this action,
which is called unloading. When there is again space for the FSPAN ACLs to reside in memory, they are
added to the hardware memory on the switch. A system message notifies you of this action, which is called
reloading. The IPv4, IPv6 and MAC FSPAN ACLs can be unloaded or reloaded independently.
If a VLAN-based FSPAN session configured on a stack cannot fit in the hardware memory on one or more
switches, it is treated as unloaded on those switches, and traffic meant for the FSPAN ACL and sourcing on
that switch is not copied to the SPAN destination ports. The FSPAN ACL continues to be correctly applied,
and traffic is copied to the SPAN destination ports on the switches where the FSPAN ACL fits in the hardware
memory.
When an empty FSPAN ACL is attached, some hardware functions copy all traffic to the SPAN destination
ports for that ACL. If sufficient hardware resources are not available, even an empty FSPAN ACL can be
unloaded.
IPv4 and MAC FSPAN ACLs are supported on all feature sets. IPv6 FSPAN ACLs are supported only in the
advanced IP Services feature set.

Related Topics
Configuring an FSPAN Session, on page 580
Configuring an FRSPAN Session, on page 583

Default SPAN and RSPAN Configuration

Table 53: Default SPAN and RSPAN Configuration

Feature                                Default Setting
SPAN state (SPAN and RSPAN)            Disabled.
Source port traffic to monitor         Both received and sent traffic (both).
Encapsulation type (destination port)  Native form (untagged packets).
Ingress forwarding (destination port)  Disabled.
VLAN filtering                         On a trunk interface used as a source port, all VLANs are monitored.
RSPAN VLANs                            None configured.

Configuration Guidelines
SPAN Configuration Guidelines
• To remove a source or destination port or VLAN from the SPAN session, use the no monitor session
session_number source {interface interface-id | vlan vlan-id} global configuration command or the no
monitor session session_number destination interface interface-id global configuration command. For
destination interfaces, the encapsulation options are ignored with the no form of the command.
• To monitor all VLANs on the trunk port, use the no monitor session session_number filter global
configuration command.

Related Topics
Creating a Local SPAN Session, on page 563
Creating a Local SPAN Session and Configuring Incoming Traffic, on page 566
Example: Configuring Local SPAN, on page 586

RSPAN Configuration Guidelines
• All the SPAN configuration guidelines apply to RSPAN.
• As RSPAN VLANs have special properties, you should reserve a few VLANs across your network for
use as RSPAN VLANs; do not assign access ports to these VLANs.
• You can apply an output ACL to RSPAN traffic to selectively filter or monitor specific packets. Specify
these ACLs on the RSPAN VLAN in the RSPAN source switches.
• For RSPAN configuration, you can distribute the source ports and the destination ports across multiple
switches in your network.
• Access ports (including voice VLAN ports) on the RSPAN VLAN are put in the inactive state.
• You can configure any VLAN as an RSPAN VLAN as long as these conditions are met:
• The same RSPAN VLAN is used for an RSPAN session in all the switches.
• All participating switches support RSPAN.

Related Topics
Creating an RSPAN Source Session, on page 572
Creating an RSPAN Destination Session, on page 576
Creating an RSPAN Destination Session and Configuring Incoming Traffic, on page 578
Examples: Creating an RSPAN VLAN, on page 588

FSPAN and FRSPAN Configuration Guidelines
• When at least one FSPAN ACL is attached, FSPAN is enabled.
• When you attach at least one FSPAN ACL that is not empty to a SPAN session, and you have not attached
one or more of the other FSPAN ACLs (for instance, you have attached an IPv4 ACL that is not empty,
and have not attached IPv6 and MAC ACLs), FSPAN blocks the traffic that would have been filtered
by the unattached ACLs. Therefore, this traffic is not monitored.

Related Topics
Configuring an FSPAN Session, on page 580
Configuring an FRSPAN Session, on page 583

How to Configure SPAN and RSPAN
Creating a Local SPAN Session
Follow these steps to create a SPAN session and specify the source (monitored) ports or VLANs and the
destination (monitoring) ports.

SUMMARY STEPS
1. enable
2. configure terminal
3. no monitor session {session_number | all | local | remote}
4. monitor session session_number source {interface interface-id | vlan vlan-id} [, | -] [both | rx | tx]
5. monitor session session_number destination {interface interface-id [, | -] [encapsulation replicate]}
6. end
7. show running-config
8. copy running-config startup-config

DETAILED STEPS

Step 1  enable
        Example:
        SwitchDevice> enable
        Enables privileged EXEC mode. Enter your password if prompted.

Step 2  configure terminal
        Example:
        SwitchDevice# configure terminal
        Enters the global configuration mode.

Step 3  no monitor session {session_number | all | local | remote}
        Example:
        SwitchDevice(config)# no monitor session all
        Removes any existing SPAN configuration for the session.
        • For session_number, the range is 1 to 66.
        • all—Removes all SPAN sessions.
        • local—Removes all local sessions.
        • remote—Removes all remote SPAN sessions.

Step 4  monitor session session_number source {interface interface-id | vlan vlan-id} [, | -] [both | rx | tx]
        Example:
        SwitchDevice(config)# monitor session 1 source interface gigabitethernet1/0/1
        Specifies the SPAN session and the source port (monitored port).
        • For session_number, the range is 1 to 66.
        • For interface-id, specify the source port to monitor. Valid interfaces include physical interfaces and
          port-channel logical interfaces (port-channel port-channel-number). Valid port-channel numbers are 1 to 48.
        • For vlan-id, specify the source VLAN to monitor. The range is 1 to 4094 (excluding the RSPAN VLAN).
          Note A single session can include multiple sources (ports or VLANs) defined in a series of commands,
          but you cannot combine source ports and source VLANs in one session.
        • (Optional) [, | -]—Specifies a series or range of interfaces. Enter a space before and after the comma;
          enter a space before and after the hyphen.
        • (Optional) both | rx | tx—Specifies the direction of traffic to monitor. If you do not specify a traffic
          direction, the source interface sends both sent and received traffic.
          • both—Monitors both received and sent traffic.
          • rx—Monitors received traffic.
          • tx—Monitors sent traffic.
        Note You can use the monitor session session_number source command multiple times to configure
        multiple source ports.

Step 5  monitor session session_number destination {interface interface-id [, | -] [encapsulation replicate]}
        Example:
        SwitchDevice(config)# monitor session 1 destination interface gigabitethernet1/0/2 encapsulation replicate
        Specifies the SPAN session and the destination port (monitoring port).
        Note For local SPAN, you must use the same session number for the source and destination interfaces.
        • For session_number, specify the session number entered in Step 4.
        • For interface-id, specify the destination port. The destination interface must be a physical port; it
          cannot be an EtherChannel, and it cannot be a VLAN.
        • (Optional) [, | -]—Specifies a series or range of interfaces. Enter a space before and after the comma;
          enter a space before and after the hyphen.
        • (Optional) encapsulation replicate—Specifies that the destination interface replicates the source
          interface encapsulation method. If not selected, the default is to send packets in native form (untagged).
        Note You can use the monitor session session_number destination command multiple times to configure
        multiple destination ports.

Step 6  end
        Example:
        SwitchDevice(config)# end
        Returns to privileged EXEC mode.

Step 7  show running-config
        Example:
        SwitchDevice# show running-config
        Verifies your entries.

Step 8  copy running-config startup-config
        Example:
        SwitchDevice# copy running-config startup-config
        (Optional) Saves your entries in the configuration file.

Related Topics
Local SPAN, on page 552
SPAN Sessions, on page 555
SPAN Configuration Guidelines, on page 562

Creating a Local SPAN Session and Configuring Incoming Traffic
Follow these steps to create a SPAN session, to specify the source ports or VLANs and the destination ports,
and to enable incoming traffic on the destination port for a network security device (such as a Cisco IDS
Sensor Appliance).

SUMMARY STEPS
1. enable
2. configure terminal
3. no monitor session {session_number | all | local | remote}
4. monitor session session_number source {interface interface-id | vlan vlan-id} [, | -] [both | rx | tx]
5. monitor session session_number destination {interface interface-id [, | -] [encapsulation replicate]
[ingress {dot1q vlan vlan-id | untagged vlan vlan-id | vlan vlan-id}]}
6. end
7. show running-config
8. copy running-config startup-config

DETAILED STEPS

Step 1  enable
        Example:
        SwitchDevice> enable
        Enables privileged EXEC mode. Enter your password if prompted.

Step 2  configure terminal
        Example:
        SwitchDevice# configure terminal
        Enters the global configuration mode.

Step 3  no monitor session {session_number | all | local | remote}
        Example:
        SwitchDevice(config)# no monitor session all
        Removes any existing SPAN configuration for the session.
        • For session_number, the range is 1 to 66.
        • all—Removes all SPAN sessions.
        • local—Removes all local sessions.
        • remote—Removes all remote SPAN sessions.

Step 4  monitor session session_number source {interface interface-id | vlan vlan-id} [, | -] [both | rx | tx]
        Example:
        SwitchDevice(config)# monitor session 2 source interface gigabitethernet1/0/1 rx
        Specifies the SPAN session and the source port (monitored port).

Step 5  monitor session session_number destination {interface interface-id [, | -] [encapsulation replicate]
        [ingress {dot1q vlan vlan-id | untagged vlan vlan-id | vlan vlan-id}]}
        Example:
        SwitchDevice(config)# monitor session 2 destination interface gigabitethernet1/0/2 encapsulation
        replicate ingress dot1q vlan 6
        Specifies the SPAN session, the destination port, the packet encapsulation, and the ingress VLAN and
        encapsulation.
        • For session_number, specify the session number entered in Step 4.
        • For interface-id, specify the destination port. The destination interface must be a physical port; it
          cannot be an EtherChannel, and it cannot be a VLAN.
        • (Optional) [, | -]—Specifies a series or range of interfaces. Enter a space before and after the comma
          or hyphen.
        • (Optional) encapsulation replicate—Specifies that the destination interface replicates the source
          interface encapsulation method. If not selected, the default is to send packets in native form (untagged).
        • ingress—Enables forwarding of incoming traffic on the destination port and specifies the encapsulation
          type:
          • dot1q vlan vlan-id—Accepts incoming packets with IEEE 802.1Q encapsulation with the specified
            VLAN as the default VLAN.
          • untagged vlan vlan-id or vlan vlan-id—Accepts incoming packets with untagged encapsulation type
            with the specified VLAN as the default VLAN.

Step 6  end
        Example:
        SwitchDevice(config)# end
        Returns to privileged EXEC mode.

Step 7  show running-config
        Example:
        SwitchDevice# show running-config
        Verifies your entries.

Step 8  copy running-config startup-config
        Example:
        SwitchDevice# copy running-config startup-config
        (Optional) Saves your entries in the configuration file.

Related Topics
Local SPAN, on page 552
SPAN Sessions, on page 555
SPAN Configuration Guidelines, on page 562
Example: Configuring Local SPAN, on page 586
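Because a SPAN destination receives a copy of every monitored frame, a session that nobody remembers creating is worth finding, and the restrictions listed under SPAN Sessions (no mixing of source ports and source VLANs, a destination cannot also be a source, one session per destination port, no VLAN filter with VLAN sources, session numbers 1 to 66, at most 64 destination ports) are easy to check mechanically once the monitor session lines are parsed. The following Python script is an added example and not part of this guide or of Cisco IOS: it parses the monitor session source, destination (including encapsulation replicate and ingress, as configured in the two procedures above) and filter vlan lines exactly as the CLI spells them, with a space before and after each comma and hyphen, and audits the result. The configuration excerpt it runs on is constructed for the example; interface names are normalized to lower case, and the assumption that a range counts up the trailing number of the first item is noted in the code.

```python
"""Parse Cisco IOS 'monitor session' lines and audit them against the SPAN restrictions
stated in this chapter. Added example; SAMPLE_CONFIG is constructed, not from a real device."""
import re
from dataclasses import dataclass, field
from typing import Optional

SESSION_RANGE = range(1, 67)    # session_number: "the range is 1 to 66"
VLAN_RANGE = range(1, 4095)     # vlan-id: "the range is 1 to 4094"
MAX_DESTINATION_PORTS = 64      # "no more than 64 destination ports per switch stack"
DIRECTIONS = {"both", "rx", "tx"}

# Constructed sample of what 'show running-config | include monitor session' might return.
SAMPLE_CONFIG = """\
monitor session 1 source interface Gi1/0/1 - 3 rx
monitor session 1 source interface Gi1/0/5 tx
monitor session 1 destination interface Gi1/0/2 encapsulation replicate ingress dot1q vlan 6
monitor session 2 source vlan 10 , 20
monitor session 2 filter vlan 1 - 5 , 9
monitor session 2 destination interface Gi1/0/2
monitor session 3 source interface Gi1/0/7
monitor session 70 source interface Gi1/0/9
"""

@dataclass
class SpanSession:
    number: int
    source_ports: dict = field(default_factory=dict)  # port -> rx / tx / both
    source_vlans: dict = field(default_factory=dict)  # vlan -> rx / tx / both
    filter_vlans: set = field(default_factory=set)
    dest_ports: set = field(default_factory=set)
    replicate: bool = False
    ingress: Optional[str] = None                     # e.g. "dot1q vlan 6"

def expand_list(tokens):
    """Expand a CLI list such as 'Gi1/0/1 - 3 , Gi1/0/5' into single items.
    Assumption: a range counts up the trailing number of the first item."""
    items, i = [], 0
    while i < len(tokens):
        if tokens[i] == ",":
            i += 1
            continue
        m = re.match(r"(.*?)(\d+)$", tokens[i])
        if i + 2 < len(tokens) and tokens[i + 1] == "-" and m:
            prefix, lo = m.groups()
            hi = re.search(r"(\d+)$", tokens[i + 2]).group(1)
            items += [f"{prefix}{n}" for n in range(int(lo), int(hi) + 1)]
            i += 3
        else:
            items.append(tokens[i])
            i += 1
    return items

def parse_monitor_sessions(config_text):
    """Return {session_number: SpanSession} built from every 'monitor session' line."""
    sessions = {}
    for line in config_text.splitlines():
        toks = line.split()
        if toks[:2] != ["monitor", "session"] or len(toks) < 6 or not toks[2].isdigit():
            continue
        s = sessions.setdefault(int(toks[2]), SpanSession(int(toks[2])))
        kind, target, body = toks[3], toks[4], toks[5:]
        if kind == "source":
            direction = body[-1] if body[-1] in DIRECTIONS else "both"  # both is the default
            if body[-1] in DIRECTIONS:
                body = body[:-1]
            if target == "interface":
                s.source_ports.update({p.lower(): direction for p in expand_list(body)})
            else:
                s.source_vlans.update({int(v): direction for v in expand_list(body)})
        elif kind == "destination":
            # interface list ends where the encapsulation / ingress options begin
            cut = next((k for k, t in enumerate(body) if t in ("encapsulation", "ingress")), len(body))
            s.dest_ports.update(p.lower() for p in expand_list(body[:cut]))
            opts = body[cut:]
            s.replicate = "replicate" in opts
            if "ingress" in opts:
                s.ingress = " ".join(opts[opts.index("ingress") + 1:])
        elif kind == "filter" and target == "vlan":
            s.filter_vlans.update(int(v) for v in expand_list(body))
    return sessions

def audit_sessions(sessions):
    """Apply the chapter's restrictions; return a list of human-readable findings."""
    findings = []
    all_source_ports = {p for s in sessions.values() for p in s.source_ports}
    dest_owner = {}  # destination port -> first session that claimed it
    for s in sessions.values():
        tag = f"session {s.number}"
        if s.number not in SESSION_RANGE:
            findings.append(f"{tag}: session number outside 1-66")
        if s.source_ports and s.source_vlans:
            findings.append(f"{tag}: mixes source ports and source VLANs")
        if s.filter_vlans and s.source_vlans:
            findings.append(f"{tag}: VLAN filter not allowed with VLAN sources")
        for v in sorted(set(s.source_vlans) | s.filter_vlans):
            if v not in VLAN_RANGE:
                findings.append(f"{tag}: VLAN {v} outside 1-4094")
        if not s.dest_ports or not (s.source_ports or s.source_vlans):
            findings.append(f"{tag}: inactive (needs a destination and at least one source)")
        for p in sorted(s.dest_ports):
            if p in all_source_ports:
                findings.append(f"{tag}: destination {p} is also a source port")
            if dest_owner.setdefault(p, s.number) != s.number:
                findings.append(f"{tag}: destination {p} already used by session {dest_owner[p]}")
    if len(dest_owner) > MAX_DESTINATION_PORTS:
        findings.append(f"{len(dest_owner)} destination ports exceed the limit of {MAX_DESTINATION_PORTS}")
    return findings

if __name__ == "__main__":
    for finding in audit_sessions(parse_monitor_sessions(SAMPLE_CONFIG)):
        print(finding)
```

On the constructed excerpt the range in session 1 expands to gigabit ports 1 through 3, so the audit reports that the destination gigabitethernet1/0/2 is also a source, that session 2 reuses that destination and combines a VLAN filter with VLAN sources, and that sessions 3 and 70 are incomplete (70 also being out of range). Feeding the script the output of show running-config from a switch is the intended use; sessions it reports as inactive are still configuration state worth reviewing, since enabling the missing port is all it takes to activate them.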

Specifying VLANs to Filter
Follow these steps to limit SPAN source traffic to specific VLANs.

SUMMARY STEPS
1. enable
2. configure terminal
3. no monitor session {session_number | all | local | remote}
4. monitor session session_number source interface interface-id
5. monitor session session_number filter vlan vlan-id [, | -]
6. monitor session session_number destination {interface interface-id [, | -] [encapsulation replicate]}
7. end
8. show running-config
9. copy running-config startup-config

DETAILED STEPS

Step 1  enable
Enables privileged EXEC mode. Enter your password if prompted.
Example:
SwitchDevice> enable

Step 2  configure terminal
Enters the global configuration mode.
Example:
SwitchDevice# configure terminal

Step 3  no monitor session {session_number | all | local | remote}
Removes any existing SPAN configuration for the session.
• For session_number, the range is 1 to 66.
• all—Removes all SPAN sessions.
• local—Removes all local sessions.
• remote—Removes all remote SPAN sessions.
Example:
SwitchDevice(config)# no monitor session all

Step 4  monitor session session_number source interface interface-id
Specifies the characteristics of the source port (monitored port) and SPAN session.
• For session_number, the range is 1 to 66.
• For interface-id, specify the source port to monitor. The interface specified must already be configured as a trunk port.
Example:
SwitchDevice(config)# monitor session 2 source interface gigabitethernet1/0/2 rx

Step 5  monitor session session_number filter vlan vlan-id [, | -]
Limits the SPAN source traffic to specific VLANs.
• For session_number, enter the session number specified in Step 4.
• For vlan-id, the range is 1 to 4094.
• (Optional) Use a comma (,) to specify a series of VLANs, or use a hyphen (-) to specify a range of VLANs. Enter a space before and after the comma; enter a space before and after the hyphen.
Example:
SwitchDevice(config)# monitor session 2 filter vlan 1 - 5 , 9

Step 6  monitor session session_number destination {interface interface-id [, | -] [encapsulation replicate]}
Specifies the SPAN session and the destination port (monitoring port).
• For session_number, specify the session number entered in Step 4.
• For interface-id, specify the destination port. The destination interface must be a physical port; it cannot be an EtherChannel, and it cannot be a VLAN.
• (Optional) [, | -] Specifies a series or range of interfaces. Enter a space before and after the comma; enter a space before and after the hyphen.
• (Optional) encapsulation replicate specifies that the destination interface replicates the source interface encapsulation method. If not selected, the default is to send packets in native form (untagged).
Example:
SwitchDevice(config)# monitor session 2 destination interface gigabitethernet1/0/1

Step 7  end
Returns to privileged EXEC mode.
Example:
SwitchDevice(config)# end

Step 8  show running-config
Verifies your entries.
Example:
SwitchDevice# show running-config

Step 9  copy running-config startup-config
(Optional) Saves your entries in the configuration file.
Example:
SwitchDevice# copy running-config startup-config

Configuring a VLAN as an RSPAN VLAN


Follow these steps to create a new VLAN, then configure it to be the RSPAN VLAN for the RSPAN session.

SUMMARY STEPS
1. enable
2. configure terminal
3. vlan vlan-id
4. remote-span
5. end
6. show running-config
7. copy running-config startup-config

DETAILED STEPS

Step 1  enable
Enables privileged EXEC mode. Enter your password if prompted.
Example:
SwitchDevice> enable

Step 2  configure terminal
Enters the global configuration mode.
Example:
SwitchDevice# configure terminal

Step 3  vlan vlan-id
Enters a VLAN ID to create a VLAN, or enters the VLAN ID of an existing VLAN, and enters VLAN configuration mode. The range is 2 to 1001 and 1006 to 4094.
The RSPAN VLAN cannot be VLAN 1 (the default VLAN) or VLAN IDs 1002 through 1005 (reserved for Token Ring and FDDI VLANs).
Example:
SwitchDevice(config)# vlan 100

Step 4  remote-span
Configures the VLAN as an RSPAN VLAN.
Example:
SwitchDevice(config-vlan)# remote-span

Step 5  end
Returns to privileged EXEC mode.
Example:
SwitchDevice(config-vlan)# end

Step 6  show running-config
Verifies your entries.
Example:
SwitchDevice# show running-config

Step 7  copy running-config startup-config
(Optional) Saves your entries in the configuration file.
Example:
SwitchDevice# copy running-config startup-config

What to do next
You must create the RSPAN VLAN in all switches that will participate in RSPAN. If the RSPAN VLAN ID
is in the normal range (lower than 1005) and VTP is enabled in the network, you can create the RSPAN VLAN
in one switch, and VTP propagates it to the other switches in the VTP domain. For extended-range VLANs
(greater than 1005), you must configure the RSPAN VLAN on the source and destination switches and on any
intermediate switches.
Use VTP pruning to get an efficient flow of RSPAN traffic, or manually delete the RSPAN VLAN from all
trunks that do not need to carry the RSPAN traffic. The RSPAN VLAN carries copies of the monitored traffic,
so every trunk that carries it exposes that traffic; confine it to the path between the source and destination switches.
To remove the remote SPAN characteristic from a VLAN and convert it back to a normal VLAN, use the no
remote-span VLAN configuration command.
To remove a source port or VLAN from the SPAN session, use the no monitor session session_number
source {interface interface-id | vlan vlan-id} global configuration command. To remove the RSPAN VLAN
from the session, use the no monitor session session_number destination remote vlan vlan-id global
configuration command.

Creating an RSPAN Source Session


Follow these steps to create and start an RSPAN source session and to specify the monitored source and the
destination RSPAN VLAN.

SUMMARY STEPS
1. enable
2. configure terminal
3. no monitor session {session_number | all | local | remote}
4. monitor session session_number source {interface interface-id | vlan vlan-id} [, | -] [both | rx | tx]
5. monitor session session_number destination remote vlan vlan-id
6. end
7. show running-config
8. copy running-config startup-config

DETAILED STEPS

Step 1  enable
Enables privileged EXEC mode. Enter your password if prompted.
Example:
SwitchDevice> enable

Step 2  configure terminal
Enters the global configuration mode.
Example:
SwitchDevice# configure terminal

Step 3  no monitor session {session_number | all | local | remote}
Removes any existing SPAN configuration for the session.
• For session_number, the range is 1 to 66.
• all—Removes all SPAN sessions.
• local—Removes all local sessions.
• remote—Removes all remote SPAN sessions.
Example:
SwitchDevice(config)# no monitor session 1

Step 4  monitor session session_number source {interface interface-id | vlan vlan-id} [, | -] [both | rx | tx]
Specifies the RSPAN session and the source port (monitored port).
• For session_number, the range is 1 to 66.
• Enter a source port or source VLAN for the RSPAN session:
  • For interface-id, specifies the source port to monitor. Valid interfaces include physical interfaces and port-channel logical interfaces (port-channel port-channel-number). Valid port-channel numbers are 1 to 48.
  • For vlan-id, specifies the source VLAN to monitor. The range is 1 to 4094 (excluding the RSPAN VLAN).
  A single session can include multiple sources (ports or VLANs), defined in a series of commands, but you cannot combine source ports and source VLANs in one session.
• (Optional) [, | -]—Specifies a series or range of interfaces. Enter a space before and after the comma; enter a space before and after the hyphen.
• (Optional) both | rx | tx—Specifies the direction of traffic to monitor. If you do not specify a traffic direction, the source interface sends both sent and received traffic.
  • both—Monitors both received and sent traffic.
  • rx—Monitors received traffic.
  • tx—Monitors sent traffic.
Example:
SwitchDevice(config)# monitor session 1 source interface gigabitethernet1/0/1 tx

Step 5  monitor session session_number destination remote vlan vlan-id
Specifies the RSPAN session and the destination RSPAN VLAN.
• For session_number, enter the number defined in Step 4.
• For vlan-id, specify the RSPAN VLAN that carries the monitored traffic to the destination switch.
Example:
SwitchDevice(config)# monitor session 1 destination remote vlan 100

Step 6  end
Returns to privileged EXEC mode.
Example:
SwitchDevice(config)# end

Step 7  show running-config
Verifies your entries.
Example:
SwitchDevice# show running-config

Step 8  copy running-config startup-config
(Optional) Saves your entries in the configuration file.
Example:
SwitchDevice# copy running-config startup-config

Related Topics
Remote SPAN, on page 553
RSPAN VLAN, on page 559
RSPAN Configuration Guidelines, on page 562

Specifying VLANs to Filter


Follow these steps to configure the RSPAN source session to limit RSPAN source traffic to specific VLANs.

SUMMARY STEPS
1. enable
2. configure terminal
3. no monitor session {session_number | all | local | remote}
4. monitor session session_number source interface interface-id
5. monitor session session_number filter vlan vlan-id [, | -]
6. monitor session session_number destination remote vlan vlan-id
7. end
8. show running-config
9. copy running-config startup-config

DETAILED STEPS

Step 1  enable
Enables privileged EXEC mode. Enter your password if prompted.
Example:
SwitchDevice> enable

Step 2  configure terminal
Enters the global configuration mode.
Example:
SwitchDevice# configure terminal

Step 3  no monitor session {session_number | all | local | remote}
Removes any existing SPAN configuration for the session.
• For session_number, the range is 1 to 66.
• all—Removes all SPAN sessions.
• local—Removes all local sessions.
• remote—Removes all remote SPAN sessions.
Example:
SwitchDevice(config)# no monitor session 2

Step 4  monitor session session_number source interface interface-id
Specifies the characteristics of the source port (monitored port) and SPAN session.
• For session_number, the range is 1 to 66.
• For interface-id, specify the source port to monitor. The interface specified must already be configured as a trunk port.
Example:
SwitchDevice(config)# monitor session 2 source interface gigabitethernet1/0/2 rx

Step 5  monitor session session_number filter vlan vlan-id [, | -]
Limits the SPAN source traffic to specific VLANs.
• For session_number, enter the session number specified in Step 4.
• For vlan-id, the range is 1 to 4094.
• (Optional) , | - Use a comma (,) to specify a series of VLANs or use a hyphen (-) to specify a range of VLANs. Enter a space before and after the comma; enter a space before and after the hyphen.
Example:
SwitchDevice(config)# monitor session 2 filter vlan 1 - 5 , 9

Step 6  monitor session session_number destination remote vlan vlan-id
Specifies the RSPAN session and the destination remote VLAN (RSPAN VLAN).
• For session_number, enter the session number specified in Step 4.
• For vlan-id, specify the RSPAN VLAN to carry the monitored traffic to the destination port.
Example:
SwitchDevice(config)# monitor session 2 destination remote vlan 902

Step 7  end
Returns to privileged EXEC mode.
Example:
SwitchDevice(config)# end

Step 8  show running-config
Verifies your entries.
Example:
SwitchDevice# show running-config

Step 9  copy running-config startup-config
(Optional) Saves your entries in the configuration file.
Example:
SwitchDevice# copy running-config startup-config

Creating an RSPAN Destination Session


You configure an RSPAN destination session on a different switch or switch stack; that is, not the switch or
switch stack on which the source session was configured.
Follow these steps to define the RSPAN VLAN on that switch, to create an RSPAN destination session, and
to specify the source RSPAN VLAN and the destination port.

SUMMARY STEPS
1. enable
2. configure terminal
3. vlan vlan-id
4. remote-span
5. exit
6. no monitor session {session_number | all | local | remote}
7. monitor session session_number source remote vlan vlan-id
8. monitor session session_number destination interface interface-id
9. end
10. show running-config
11. copy running-config startup-config

DETAILED STEPS

Step 1  enable
Enables privileged EXEC mode. Enter your password if prompted.
Example:
SwitchDevice> enable

Step 2  configure terminal
Enters the global configuration mode.
Example:
SwitchDevice# configure terminal

Step 3  vlan vlan-id
Specifies the VLAN ID of the RSPAN VLAN created on the source switch, and enters VLAN configuration mode.
If both switches are participating in VTP and the RSPAN VLAN ID is in the normal range (2 to 1001), Steps 3 through 5 are not required because the RSPAN VLAN ID is propagated through the VTP network.
Example:
SwitchDevice(config)# vlan 901

Step 4  remote-span
Identifies the VLAN as the RSPAN VLAN.
Example:
SwitchDevice(config-vlan)# remote-span

Step 5  exit
Returns to global configuration mode.
Example:
SwitchDevice(config-vlan)# exit

Step 6  no monitor session {session_number | all | local | remote}
Removes any existing SPAN configuration for the session.
• For session_number, the range is 1 to 66.
• all—Removes all SPAN sessions.
• local—Removes all local sessions.
• remote—Removes all remote SPAN sessions.
Example:
SwitchDevice(config)# no monitor session 1

Step 7  monitor session session_number source remote vlan vlan-id
Specifies the RSPAN session and the source RSPAN VLAN.
• For session_number, the range is 1 to 66.
• For vlan-id, specify the source RSPAN VLAN to monitor.
Example:
SwitchDevice(config)# monitor session 1 source remote vlan 901

Step 8  monitor session session_number destination interface interface-id
Specifies the RSPAN session and the destination interface.
• For session_number, enter the number defined in Step 7. In an RSPAN destination session, you must use the same session number for the source RSPAN VLAN and the destination port.
• For interface-id, specify the destination interface. The destination interface must be a physical interface.
• Though visible in the command-line help string, encapsulation replicate is not supported for RSPAN. The original VLAN ID is overwritten by the RSPAN VLAN ID, and all packets appear on the destination port as untagged.
Example:
SwitchDevice(config)# monitor session 1 destination interface gigabitethernet2/0/1

Step 9  end
Returns to privileged EXEC mode.
Example:
SwitchDevice(config)# end

Step 10  show running-config
Verifies your entries.
Example:
SwitchDevice# show running-config

Step 11  copy running-config startup-config
(Optional) Saves your entries in the configuration file.
Example:
SwitchDevice# copy running-config startup-config

Related Topics
Remote SPAN, on page 553
RSPAN VLAN, on page 559
RSPAN Configuration Guidelines, on page 562

Creating an RSPAN Destination Session and Configuring Incoming Traffic


Follow these steps to create an RSPAN destination session, to specify the source RSPAN VLAN and the
destination port, and to enable incoming traffic on the destination port for a network security device (such as
a Cisco IDS Sensor Appliance).

SUMMARY STEPS
1. enable
2. configure terminal
3. no monitor session {session_number | all | local | remote}
4. monitor session session_number source remote vlan vlan-id
5. monitor session session_number destination {interface interface-id [, | -] [ingress {dot1q vlan vlan-id
| untagged vlan vlan-id | vlan vlan-id}]}
6. end
7. show running-config
8. copy running-config startup-config

DETAILED STEPS

Step 1  enable
Enables privileged EXEC mode. Enter your password if prompted.
Example:
SwitchDevice> enable

Step 2  configure terminal
Enters the global configuration mode.
Example:
SwitchDevice# configure terminal

Step 3  no monitor session {session_number | all | local | remote}
Removes any existing SPAN configuration for the session.
• For session_number, the range is 1 to 66.
• all—Removes all SPAN sessions.
• local—Removes all local sessions.
• remote—Removes all remote SPAN sessions.
Example:
SwitchDevice(config)# no monitor session 2

Step 4  monitor session session_number source remote vlan vlan-id
Specifies the RSPAN session and the source RSPAN VLAN.
• For session_number, the range is 1 to 66.
• For vlan-id, specify the source RSPAN VLAN to monitor.
Example:
SwitchDevice(config)# monitor session 2 source remote vlan 901

Step 5  monitor session session_number destination {interface interface-id [, | -] [ingress {dot1q vlan vlan-id | untagged vlan vlan-id | vlan vlan-id}]}
Specifies the SPAN session, the destination port, the packet encapsulation, and the incoming VLAN and encapsulation.
• For session_number, enter the number defined in Step 4. In an RSPAN destination session, you must use the same session number for the source RSPAN VLAN and the destination port.
• For interface-id, specify the destination interface. The destination interface must be a physical interface.
• Though visible in the command-line help string, encapsulation replicate is not supported for RSPAN. The original VLAN ID is overwritten by the RSPAN VLAN ID, and all packets appear on the destination port as untagged.
• (Optional) [, | -] Specifies a series or range of interfaces. Enter a space before and after the comma; enter a space before and after the hyphen.
• Enter ingress with additional keywords to enable forwarding of incoming traffic on the destination port and to specify the encapsulation type. Without ingress the destination port only receives mirrored traffic; with ingress, frames sent by the attached security device enter the network in the specified VLAN, so enable it only when that device must transmit.
  • dot1q vlan vlan-id—Forwards incoming packets with IEEE 802.1Q encapsulation with the specified VLAN as the default VLAN.
  • untagged vlan vlan-id or vlan vlan-id—Forwards incoming packets with untagged encapsulation type with the specified VLAN as the default VLAN.
Example:
SwitchDevice(config)# monitor session 2 destination interface gigabitethernet1/0/2 ingress vlan 6

Step 6  end
Returns to privileged EXEC mode.
Example:
SwitchDevice(config)# end

Step 7  show running-config
Verifies your entries.
Example:
SwitchDevice# show running-config

Step 8  copy running-config startup-config
(Optional) Saves your entries in the configuration file.
Example:
SwitchDevice# copy running-config startup-config

Related Topics
Remote SPAN, on page 553
RSPAN VLAN, on page 559
RSPAN Configuration Guidelines, on page 562
Examples: Creating an RSPAN VLAN, on page 588

Configuring an FSPAN Session


Follow these steps to create a SPAN session, specify the source (monitored) ports or VLANs and the destination
(monitoring) ports, and configure FSPAN for the session.

SUMMARY STEPS
1. enable
2. configure terminal
3. no monitor session {session_number | all | local | remote}
4. monitor session session_number source {interface interface-id | vlan vlan-id} [, | -] [both | rx | tx]
5. monitor session session_number destination {interface interface-id [, | -] [encapsulation replicate]}
6. monitor session session_number filter {ip | ipv6 | mac} access-group {access-list-number | name}
7. end
8. show running-config
9. copy running-config startup-config

DETAILED STEPS

Step 1  enable
Enables privileged EXEC mode. Enter your password if prompted.
Example:
SwitchDevice> enable

Step 2  configure terminal
Enters global configuration mode.
Example:
SwitchDevice# configure terminal

Step 3  no monitor session {session_number | all | local | remote}
Removes any existing SPAN configuration for the session.
• For session_number, the range is 1 to 66.
• all—Removes all SPAN sessions.
• local—Removes all local sessions.
• remote—Removes all remote SPAN sessions.
Example:
SwitchDevice(config)# no monitor session 2

Step 4  monitor session session_number source {interface interface-id | vlan vlan-id} [, | -] [both | rx | tx]
Specifies the SPAN session and the source port (monitored port).
• For session_number, the range is 1 to 66.
• For interface-id, specifies the source port to monitor. Valid interfaces include physical interfaces and port-channel logical interfaces (port-channel port-channel-number). Valid port-channel numbers are 1 to 48.
• For vlan-id, specify the source VLAN to monitor. The range is 1 to 4094 (excluding the RSPAN VLAN).
  Note: A single session can include multiple sources (ports or VLANs) defined in a series of commands, but you cannot combine source ports and source VLANs in one session.
• (Optional) [, | -]—Specifies a series or range of interfaces. Enter a space before and after the comma; enter a space before and after the hyphen.
• (Optional) [both | rx | tx]—Specifies the direction of traffic to monitor. If you do not specify a traffic direction, the SPAN monitors both sent and received traffic.
  • both—Monitors both sent and received traffic. This is the default.
  • rx—Monitors received traffic.
  • tx—Monitors sent traffic.
  Note: You can use the monitor session session_number source command multiple times to configure multiple source ports.
Example:
SwitchDevice(config)# monitor session 2 source interface gigabitethernet1/0/1

Step 5  monitor session session_number destination {interface interface-id [, | -] [encapsulation replicate]}
Specifies the SPAN session and the destination port (monitoring port).
• For session_number, specify the session number entered in Step 4.
• For destination, specify the following parameters:
  • For interface-id, specify the destination port. The destination interface must be a physical port; it cannot be an EtherChannel, and it cannot be a VLAN.
  • (Optional) [, | -] Specifies a series or range of interfaces. Enter a space before and after the comma; enter a space before and after the hyphen.
  • (Optional) encapsulation replicate specifies that the destination interface replicates the source interface encapsulation method. If not selected, the default is to send packets in native form (untagged).
Note: For local SPAN, you must use the same session number for the source and destination interfaces. You can use the monitor session session_number destination command multiple times to configure multiple destination ports.
Example:
SwitchDevice(config)# monitor session 2 destination interface gigabitethernet1/0/2 encapsulation replicate

Step 6  monitor session session_number filter {ip | ipv6 | mac} access-group {access-list-number | name}
Specifies the SPAN session, the types of packets to filter, and the ACLs to use in an FSPAN session.
• For session_number, specify the session number entered in Step 4.
• For access-list-number, specify the ACL number that you want to use to filter traffic.
• For name, specify the ACL name that you want to use to filter traffic.
The ACL selects which packets are copied to the destination port; it does not block or alter the traffic forwarded on the source port.
Example:
SwitchDevice(config)# monitor session 2 filter ipv6 access-group 4

Step 7  end
Returns to privileged EXEC mode.
Example:
SwitchDevice(config)# end

Step 8  show running-config
Verifies your entries.
Example:
SwitchDevice# show running-config

Step 9  copy running-config startup-config
(Optional) Saves your entries in the configuration file.
Example:
SwitchDevice# copy running-config startup-config

Related Topics
Flow-Based SPAN, on page 561
FSPAN and FRSPAN Configuration Guidelines, on page 563

Configuring an FRSPAN Session


Follow these steps to start an RSPAN source session, specify the monitored source and the destination RSPAN
VLAN, and configure FRSPAN for the session.

SUMMARY STEPS
1. enable
2. configure terminal
3. no monitor session {session_number | all | local | remote}
4. monitor session session_number source {interface interface-id | vlan vlan-id} [, | -] [both | rx | tx]
5. monitor session session_number destination remote vlan vlan-id
6. vlan vlan-id
7. remote-span
8. exit
9. monitor session session_number filter {ip | ipv6 | mac} access-group {access-list-number | name}
10. end
11. show running-config
12. copy running-config startup-config

DETAILED STEPS

Step 1  enable
Enables privileged EXEC mode. Enter your password if prompted.
Example:
SwitchDevice> enable

Step 2  configure terminal
Enters global configuration mode.
Example:
SwitchDevice# configure terminal

Step 3  no monitor session {session_number | all | local | remote}
Removes any existing SPAN configuration for the session.
• For session_number, the range is 1 to 66.
• all—Removes all SPAN sessions.
• local—Removes all local sessions.
• remote—Removes all remote SPAN sessions.
Example:
SwitchDevice(config)# no monitor session 2

Step 4  monitor session session_number source {interface interface-id | vlan vlan-id} [, | -] [both | rx | tx]
Specifies the SPAN session and the source port (monitored port).
• For session_number, the range is 1 to 66.
• For interface-id, specifies the source port to monitor. Valid interfaces include physical interfaces and port-channel logical interfaces (port-channel port-channel-number). Valid port-channel numbers are 1 to 48.
• For vlan-id, specify the source VLAN to monitor. The range is 1 to 4094 (excluding the RSPAN VLAN).
  Note: A single session can include multiple sources (ports or VLANs) defined in a series of commands, but you cannot combine source ports and source VLANs in one session.
• (Optional) [, | -]—Specifies a series or range of interfaces. Enter a space before and after the comma; enter a space before and after the hyphen.
• (Optional) [both | rx | tx]—Specifies the direction of traffic to monitor. If you do not specify a traffic direction, the SPAN monitors both sent and received traffic.
  • both—Monitors both sent and received traffic. This is the default.
  • rx—Monitors received traffic.
  • tx—Monitors sent traffic.
  Note: You can use the monitor session session_number source command multiple times to configure multiple source ports.
Example:
SwitchDevice(config)# monitor session 2 source interface gigabitethernet1/0/1

Step 5  monitor session session_number destination remote vlan vlan-id
Specifies the RSPAN session and the destination RSPAN VLAN.
• For session_number, enter the number defined in Step 4.
• For vlan-id, specify the destination RSPAN VLAN.
Example:
SwitchDevice(config)# monitor session 2 destination remote vlan 5

Step 6  vlan vlan-id
Enters VLAN configuration mode. For vlan-id, enter the RSPAN VLAN that you specified as the destination in Step 5.
Example:
SwitchDevice(config)# vlan 5

Step 7  remote-span
Configures the VLAN entered in Step 6 as an RSPAN VLAN.
Example:
SwitchDevice(config-vlan)# remote-span

Step 8  exit
Returns to global configuration mode.
Example:
SwitchDevice(config-vlan)# exit

Step 9  monitor session session_number filter {ip | ipv6 | mac} access-group {access-list-number | name}
Specifies the RSPAN session, the types of packets to filter, and the ACLs to use in an FRSPAN session.
• For session_number, specify the session number entered in Step 4.
• For access-list-number, specify the ACL number that you want to use to filter traffic.
• For name, specify the ACL name that you want to use to filter traffic.
Example:
SwitchDevice(config)# monitor session 2 filter ip access-group 7

Step 10  end
Returns to privileged EXEC mode.
Example:
SwitchDevice(config)# end

Step 11  show running-config
Verifies your entries.
Example:
SwitchDevice# show running-config

Step 12  copy running-config startup-config
(Optional) Saves your entries in the configuration file.
Example:
SwitchDevice# copy running-config startup-config

Related Topics
Flow-Based SPAN, on page 561
FSPAN and FRSPAN Configuration Guidelines, on page 563

Monitoring SPAN and RSPAN Operations


The following table describes the command used to display the SPAN and RSPAN configuration and to
monitor their operation:

Table 54: Monitoring SPAN and RSPAN Operations

Command Purpose
show monitor Displays the current SPAN, RSPAN, FSPAN, or
FRSPAN configuration.
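
Beyond show monitor, the rules stated in the procedures above can be checked mechanically against a copy of the running configuration. The following Python script is an added example, not Cisco code and not part of this guide: it parses the monitor session, vlan/remote-span and access-list lines of a running-config excerpt and reports sessions that mix source ports with source VLANs, RSPAN VLANs outside 2-1001/1006-4094 or not declared remote-span on the switch, destination ports with ingress enabled (a port that can transmit into the network rather than only receive mirrored traffic), and FSPAN filters that name an ACL the configuration does not define. The sample configuration is constructed for the example; its interface names, session numbers and the ACL name IDS-FILTER are assumptions.

```python
import re
from dataclasses import dataclass, field

# Per the guide, an RSPAN VLAN must be 2-1001 or 1006-4094 (never VLAN 1 or 1002-1005).
RSPAN_VLAN_RANGE = set(range(2, 1002)) | set(range(1006, 4095))
MONITOR = re.compile(r"^monitor session (\d+) (source|destination|filter) (.+)$")
# ACL definitions: 'access-list 7 ...', 'ip access-list extended X', 'ipv6 access-list X', 'mac access-list extended X'
ACL_DEF = re.compile(r"^(?:ip |ipv6 |mac )?access-list (?:standard |extended )?(\S+)")

def expand_ids(spec):
    """Expand the guide's series/range syntax: '1 - 3 , 9' -> [1, 2, 3, 9]."""
    ids = []
    for part in spec.split(","):
        bounds = [int(x) for x in part.split("-")]
        ids.extend(range(bounds[0], bounds[-1] + 1))
    return ids

@dataclass
class Session:
    src_ifaces: list = field(default_factory=list)
    src_vlans: list = field(default_factory=list)
    dst_ifaces: list = field(default_factory=list)
    remote_vlans: list = field(default_factory=list)  # from 'source remote vlan' / 'destination remote vlan'
    ingress: dict = field(default_factory=dict)       # destination interface -> ingress VLAN
    acls: list = field(default_factory=list)          # ACLs named in 'filter ... access-group'

def parse_config(text):
    """Return ({session_number: Session}, {remote-span VLAN IDs}, {defined ACL names or numbers})."""
    sessions, rspan_vlans, acls, vlan_ctx = {}, set(), set(), None
    for line in text.splitlines():
        if line.startswith(" "):  # sub-mode line: only 'remote-span' under 'vlan N' matters here
            if line.strip() == "remote-span" and vlan_ctx is not None:
                rspan_vlans.add(vlan_ctx)
            continue
        vlan_ctx = None
        if m := re.match(r"^vlan (\d+)$", line):
            vlan_ctx = int(m.group(1))
        elif m := ACL_DEF.match(line):
            acls.add(m.group(1))
        elif m := MONITOR.match(line):
            s = sessions.setdefault(int(m.group(1)), Session())
            kind, rest, words = m.group(2), m.group(3), m.group(3).split()
            if rest.startswith("remote vlan "):
                s.remote_vlans.append(int(words[2]))
            elif kind == "source" and rest.startswith("interface "):
                s.src_ifaces.append(words[1])
            elif kind == "source" and rest.startswith("vlan "):
                s.src_vlans.extend(expand_ids(re.sub(r"\s*(both|rx|tx)$", "", rest[5:])))
            elif kind == "destination":
                s.dst_ifaces.append(words[1])
                if ing := re.search(r"ingress (?:dot1q vlan |untagged vlan |vlan )(\d+)", rest):
                    s.ingress[words[1]] = int(ing.group(1))
            elif kind == "filter" and (ag := re.search(r"access-group (\S+)", rest)):
                s.acls.append(ag.group(1))
    return sessions, rspan_vlans, acls

def audit(sessions, rspan_vlans, acls):
    """Return (session_number, message) findings for the rules the guide states, in session order."""
    findings = []
    for num, s in sorted(sessions.items()):
        if s.src_ifaces and s.src_vlans:
            findings.append((num, "mixes source ports and source VLANs in one session"))
        for vid in s.remote_vlans:
            if vid not in RSPAN_VLAN_RANGE:
                findings.append((num, f"RSPAN VLAN {vid} is outside 2-1001 / 1006-4094"))
            elif vid not in rspan_vlans:
                findings.append((num, f"VLAN {vid} is not declared remote-span on this switch"))
        for iface, vid in s.ingress.items():
            findings.append((num, f"destination {iface} forwards ingress traffic into VLAN {vid}; "
                                  "confirm the attached monitoring device is meant to transmit"))
        for acl in s.acls:
            if acl not in acls:
                findings.append((num, f"filter references ACL {acl}, which is not defined"))
    return findings

# Constructed sample (not captured from a switch): sessions from the procedures above,
# plus deliberate mistakes in sessions 3 and 4.
SAMPLE_CONFIG = """\
vlan 901
 remote-span
ip access-list extended IDS-FILTER
 permit tcp any any eq 443
monitor session 1 source interface Gi1/0/1 tx
monitor session 1 destination remote vlan 901
monitor session 2 source remote vlan 901
monitor session 2 destination interface Gi1/0/2 ingress vlan 6
monitor session 3 source interface Gi1/0/3 rx
monitor session 3 source vlan 1 - 3 , 9
monitor session 3 destination interface Gi1/0/4 encapsulation replicate
monitor session 3 filter ip access-group IDS-FILTER
monitor session 4 source interface Gi1/0/5
monitor session 4 destination remote vlan 1002
monitor session 4 filter ipv6 access-group 4
"""
```

Feed it the output of show running-config from each switch in the RSPAN path; running audit(*parse_config(SAMPLE_CONFIG)) on the sample reports four findings: the ingress port in session 2, the mixed sources in session 3, and the reserved RSPAN VLAN and undefined ACL in session 4. Session 1 is clean because VLAN 901 is both in range and declared remote-span. The ingress finding is informational by design: the page enables ingress deliberately for a security device, and the check exists so that every transmit-capable destination port is a known one.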

SPAN and RSPAN Configuration Examples


Example: Configuring Local SPAN
This example shows how to set up SPAN session 1 for monitoring source port traffic to a destination port.
First, any existing SPAN configuration for session 1 is deleted, and then bidirectional traffic is mirrored from
source Gigabit Ethernet port 1 to destination Gigabit Ethernet port 2, retaining the encapsulation method.

SwitchDevice> enable
SwitchDevice# configure terminal
SwitchDevice(config)# no monitor session 1
SwitchDevice(config)# monitor session 1 source interface gigabitethernet1/0/1
SwitchDevice(config)# monitor session 1 destination interface gigabitethernet1/0/2 encapsulation replicate
SwitchDevice(config)# end


This example shows how to remove port 1 as a SPAN source for SPAN session 1:

SwitchDevice> enable
SwitchDevice# configure terminal
SwitchDevice(config)# no monitor session 1 source interface gigabitethernet1/0/1
SwitchDevice(config)# end

This example shows how to disable received traffic monitoring on port 1, which was configured for bidirectional
monitoring:

SwitchDevice> enable
SwitchDevice# configure terminal
SwitchDevice(config)# no monitor session 1 source interface gigabitethernet1/0/1 rx

The monitoring of traffic received on port 1 is disabled, but traffic sent from this port continues to be monitored.
This example shows how to remove any existing configuration on SPAN session 2, configure SPAN session
2 to monitor received traffic on all ports belonging to VLANs 1 through 3, and send it to destination Gigabit
Ethernet port 2. The configuration is then modified to also monitor all traffic on all ports belonging to VLAN
10.

SwitchDevice> enable
SwitchDevice# configure terminal
SwitchDevice(config)# no monitor session 2
SwitchDevice(config)# monitor session 2 source vlan 1 - 3 rx
SwitchDevice(config)# monitor session 2 destination interface gigabitethernet1/0/2
SwitchDevice(config)# monitor session 2 source vlan 10
SwitchDevice(config)# end

This example shows how to remove any existing configuration on SPAN session 2, configure SPAN session
2 to monitor received traffic on Gigabit Ethernet source port 1, and send it to destination Gigabit Ethernet
port 2 with the same egress encapsulation type as the source port, and to enable ingress forwarding with IEEE
802.1Q encapsulation and VLAN 6 as the default ingress VLAN:

SwitchDevice> enable
SwitchDevice# configure terminal
SwitchDevice(config)# no monitor session 2
SwitchDevice(config)# monitor session 2 source gigabitethernet1/0/1 rx
SwitchDevice(config)# monitor session 2 destination interface gigabitethernet1/0/2
encapsulation replicate ingress dot1q vlan 6
SwitchDevice(config)# end

This example shows how to remove any existing configuration on SPAN session 2, configure SPAN session
2 to monitor traffic received on Gigabit Ethernet trunk port 2, and send traffic for only VLANs 1 through 5
and VLAN 9 to destination Gigabit Ethernet port 1:

SwitchDevice> enable
SwitchDevice# configure terminal
SwitchDevice(config)# no monitor session 2
SwitchDevice(config)# monitor session 2 source interface gigabitethernet1/0/2 rx
SwitchDevice(config)# monitor session 2 filter vlan 1 - 5 , 9
SwitchDevice(config)# monitor session 2 destination interface gigabitethernet1/0/1
SwitchDevice(config)# end

Related Topics
Creating a Local SPAN Session and Configuring Incoming Traffic, on page 566
Local SPAN, on page 552

SPAN Sessions, on page 555
SPAN Configuration Guidelines, on page 562

Examples: Creating an RSPAN VLAN


This example shows how to create the RSPAN VLAN 901:

SwitchDevice> enable
SwitchDevice# configure terminal
SwitchDevice(config)# vlan 901
SwitchDevice(config-vlan)# remote span
SwitchDevice(config-vlan)# end

This example shows how to remove any existing RSPAN configuration for session 1, configure RSPAN
session 1 to monitor multiple source interfaces, and configure the destination as RSPAN VLAN 901:

SwitchDevice> enable
SwitchDevice# configure terminal
SwitchDevice(config)# no monitor session 1
SwitchDevice(config)# monitor session 1 source interface gigabitethernet1/0/1 tx
SwitchDevice(config)# monitor session 1 source interface gigabitethernet1/0/2 rx
SwitchDevice(config)# monitor session 1 source interface port-channel 2
SwitchDevice(config)# monitor session 1 destination remote vlan 901
SwitchDevice(config)# end

This example shows how to remove any existing configuration on RSPAN session 2, configure RSPAN
session 2 to monitor traffic received on trunk port 2, and send traffic for only VLANs 1 through 5 and 9 to
destination RSPAN VLAN 902:

SwitchDevice> enable
SwitchDevice# configure terminal
SwitchDevice(config)# no monitor session 2
SwitchDevice(config)# monitor session 2 source interface gigabitethernet1/0/2 rx
SwitchDevice(config)# monitor session 2 filter vlan 1 - 5 , 9
SwitchDevice(config)# monitor session 2 destination remote vlan 902
SwitchDevice(config)# end

This example shows how to configure VLAN 901 as the source remote VLAN and port 1 as the destination
interface:

SwitchDevice> enable
SwitchDevice# configure terminal
SwitchDevice(config)# monitor session 1 source remote vlan 901
SwitchDevice(config)# monitor session 1 destination interface gigabitethernet2/0/1
SwitchDevice(config)# end

This example shows how to configure VLAN 901 as the source remote VLAN in RSPAN session 2, to
configure Gigabit Ethernet source port 2 as the destination interface, and to enable forwarding of incoming
traffic on the interface with VLAN 6 as the default receiving VLAN:

SwitchDevice> enable
SwitchDevice# configure terminal
SwitchDevice(config)# monitor session 2 source remote vlan 901
SwitchDevice(config)# monitor session 2 destination interface gigabitethernet1/0/2 ingress
vlan 6
SwitchDevice(config)# end
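As an added example (not from the Cisco guide and not Cisco code), the following Python script parses the monitor session lines that the local SPAN and RSPAN examples above produce and reports, for each session, what is mirrored and where the copy goes. A SPAN session hands a full copy of traffic to whatever sits on the destination port or RSPAN VLAN, so a defender reviewing a switch configuration wants three things surfaced: sessions that are not on an approved list, destination ports that also forward ingress traffic, and copies that leave the switch on an RSPAN VLAN. The running-config excerpt and the approved-session list are constructed for this example.

```python
"""Audit SPAN/RSPAN 'monitor session' lines from a running-config text.

Added example; not part of the Cisco guide. The config excerpt below is
constructed from the commands shown in the local SPAN and RSPAN examples.
"""
import re
from collections import defaultdict

# Constructed sample running-config excerpt (not captured from a real switch).
SAMPLE_CONFIG = """\
monitor session 1 source interface gigabitethernet1/0/1
monitor session 1 destination interface gigabitethernet1/0/2 encapsulation replicate
monitor session 2 source vlan 1 - 3 rx
monitor session 2 source vlan 10
monitor session 2 filter vlan 1 - 5 , 9
monitor session 2 destination interface gigabitethernet1/0/2 encapsulation replicate ingress dot1q vlan 6
monitor session 3 source interface gigabitethernet1/0/2 rx
monitor session 3 destination remote vlan 902
"""

SESSION_RE = re.compile(r"^monitor session (\d+) (source|destination|filter) (.+)$")
DIRECTIONS = ("rx", "tx", "both")
DEST_KEYWORDS = ("encapsulation", "ingress")


def expand_vlan_list(text):
    """Expand a VLAN list such as '1 - 5 , 9' (the guide's spacing) or '1-5,9'."""
    vlans = set()
    for part in text.replace(" ", "").split(","):
        if not part:
            continue
        if "-" in part:
            lo, hi = part.split("-", 1)
            vlans.update(range(int(lo), int(hi) + 1))
        else:
            vlans.add(int(part))
    return sorted(vlans)


def _parse_source(rest):
    tokens = rest.split()
    direction = tokens.pop() if tokens[-1] in DIRECTIONS else "both"
    if tokens[0] == "remote":                 # 'remote vlan 901' on an RSPAN destination switch
        return {"type": "remote-vlan", "vlan": int(tokens[2]), "direction": direction}
    if tokens[0] == "vlan":
        return {"type": "vlan", "vlans": expand_vlan_list(" ".join(tokens[1:])), "direction": direction}
    if tokens[0] == "interface":
        tokens = tokens[1:]
    return {"type": "interface", "name": " ".join(tokens), "direction": direction}


def _parse_destination(rest):
    tokens = rest.split()
    if tokens[0] == "remote":                 # 'remote vlan 902': the copy leaves on the RSPAN VLAN
        return {"type": "remote-vlan", "vlan": int(tokens[2])}
    name = []
    i = 1                                     # tokens[0] is 'interface'
    while i < len(tokens) and tokens[i] not in DEST_KEYWORDS:
        name.append(tokens[i])
        i += 1
    dest = {"type": "interface", "name": " ".join(name),
            "encapsulation_replicate": "replicate" in tokens, "ingress": None}
    if "ingress" in tokens:                   # destination port also accepts and forwards traffic
        dest["ingress"] = " ".join(tokens[tokens.index("ingress") + 1:])
    return dest


def parse_monitor_sessions(config_text):
    """Return {session_number: {'sources': [...], 'filter_vlans': [...], 'destination': {...}}}."""
    sessions = defaultdict(lambda: {"sources": [], "filter_vlans": [], "destination": None})
    for line in config_text.splitlines():
        m = SESSION_RE.match(line.strip())
        if not m:
            continue
        number, kind, rest = int(m.group(1)), m.group(2), m.group(3).strip()
        if kind == "source":
            sessions[number]["sources"].append(_parse_source(rest))
        elif kind == "filter":                # 'filter vlan 1 - 5 , 9'
            sessions[number]["filter_vlans"] = expand_vlan_list(rest.split(None, 1)[1])
        else:
            sessions[number]["destination"] = _parse_destination(rest)
    return dict(sessions)


def audit_sessions(sessions, approved):
    """Return (session, finding) pairs a reviewer should look at."""
    findings = []
    for number, s in sorted(sessions.items()):
        if number not in approved:
            findings.append((number, "session is not on the approved list"))
        dest = s["destination"]
        if dest is None:
            findings.append((number, "no destination configured"))
        elif dest["type"] == "remote-vlan":
            findings.append((number, "mirrored traffic leaves the switch on RSPAN VLAN %d" % dest["vlan"]))
        elif dest["ingress"]:
            findings.append((number, "destination port also forwards ingress traffic (%s)" % dest["ingress"]))
    return findings


if __name__ == "__main__":
    for number, text in audit_sessions(parse_monitor_sessions(SAMPLE_CONFIG), approved={1}):
        print("session %d: %s" % (number, text))
```

Feed it the text of show running-config (or the output of show monitor reformatted into the same command lines) and an approved set maintained in change control; anything it prints is a session whose purpose should be confirmed with whoever owns the destination port or RSPAN VLAN.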


Related Topics
Creating an RSPAN Destination Session and Configuring Incoming Traffic, on page 578
Remote SPAN, on page 553
RSPAN VLAN, on page 559
RSPAN Configuration Guidelines, on page 562

CHAPTER 30
Configuring RMON
• Finding Feature Information, on page 591
• Information About RMON, on page 591
• How to Configure RMON, on page 593
• Monitoring RMON Status, on page 598

Finding Feature Information


Your software release may not support all the features documented in this module. For the latest caveats and
feature information, see Bug Search Tool and the release notes for your platform and software release. To
find information about the features documented in this module, and to see a list of the releases in which each
feature is supported, see the feature information table at the end of this module.
Use Cisco Feature Navigator to find information about platform support and Cisco software image support.
To access Cisco Feature Navigator, go to http://www.cisco.com/go/cfn. An account on Cisco.com is not
required.

Information About RMON


Understanding RMON
RMON is an Internet Engineering Task Force (IETF) standard monitoring specification that defines a set of
statistics and functions that can be exchanged between RMON-compliant console systems and network probes.
RMON provides comprehensive network-fault diagnosis, planning, and performance-tuning information.
The following figure shows a sample configuration of the RMON feature with the Simple Network Management
Protocol (SNMP) agent in the switch. This monitors all the traffic flowing among all the switches on all
connected LAN segments.


Figure 59: Remote Monitoring Sample

The switch supports these RMON groups (defined in RFC 1757):


• Statistics (RMON group 1)—Collects Ethernet statistics (including Fast Ethernet and Gigabit Ethernet
statistics, depending on the switch type and supported interfaces) on an interface.
• History (RMON group 2)—Collects a history group of statistics on Ethernet ports (including Fast Ethernet
and Gigabit Ethernet statistics, depending on the switch type and supported interfaces) for a specified
polling interval.
• Alarm (RMON group 3)—Monitors a specific management information base (MIB) object for a specified
interval, triggers an alarm at a specified value (rising threshold), and resets the alarm at another value
(falling threshold). Alarms can be used with events; the alarm triggers an event, which can generate a
log entry or an SNMP trap.
• Event (RMON group 9)—Specifies the action to take when an event is triggered by an alarm. The action
can be to generate a log entry or an SNMP trap.
Because switches supported by this software release use hardware counters for RMON data processing, the
monitoring is more efficient, and little processing power is required.

Note 64-bit counters are not supported for RMON alarms.

Related Topics
Configuring RMON Alarms and Events, on page 593
Monitoring RMON Status, on page 598


How to Configure RMON


Default RMON Configuration
RMON is disabled by default. No alarms or events are configured.
Related Topics
Configuring RMON Alarms and Events, on page 593
Monitoring RMON Status, on page 598

Configuring RMON Alarms and Events


Before you begin
You can configure your switch for RMON by using the command-line interface (CLI) or an SNMP-compatible
network management station.

Note 64-bit counters are not supported for RMON alarms.

Follow these steps to enable RMON alarms and events.


• It is recommended to use a generic RMON console application on the network management station
(NMS) to take advantage of the RMON network management capabilities.
• You must also configure SNMP on the switch to access RMON MIB objects.

SUMMARY STEPS
1. enable
2. configure terminal
3. rmon alarm {number variable interval absolute | delta} rising-threshold value [event-number]
falling-threshold value [event-number] [owner string]
4. rmon event number [description string] [log] [owner string] [trap community]
5. end
6. show running-config
7. copy running-config startup-config

DETAILED STEPS

Command or Action Purpose


Step 1 enable Enables privileged EXEC mode. Enter your password if
prompted.
Example:

SwitchDevice> enable


Step 2 configure terminal Enters global configuration mode.
Example:
SwitchDevice# configure terminal

Step 3 rmon alarm {number variable interval absolute | delta} rising-threshold value [event-number] falling-threshold value [event-number] [owner string] Sets an alarm on a MIB object.
Example:
SwitchDevice(config)# rmon alarm 10 ifEntry.20.1 20 delta rising-threshold 15 1 falling-threshold 0 owner jjohnson
For number, specify the alarm number. The range is 1 to 65535.
For variable, specify the MIB object to monitor.
For interval, specify the time in seconds the alarm monitors the MIB variable. The range is 1 to 4294967295 seconds.
Specify the absolute keyword to test each MIB variable directly. Specify the delta keyword to test the change between samples of a MIB variable.
For value, specify a number at which the alarm is triggered and one for when the alarm is reset. The range for the rising threshold and falling threshold values is -2147483648 to 2147483647.
(Optional) For event-number, specify the event number to trigger when the rising or falling threshold exceeds its limit.
(Optional) For owner string, specify the owner of the alarm.

Step 4 rmon event number [description string] [log] [owner string] [trap community] Adds an event in the RMON event table that is associated with an RMON event number.
Example:
SwitchDevice(config)# rmon event 1 log trap eventtrap description "High ifOutErrors" owner jjones
For number, assign an event number. The range is 1 to 65535.
(Optional) For description string, specify a description of the event.
(Optional) Use the log keyword to generate an RMON log entry when the event is triggered.
(Optional) For owner string, specify the owner of this event.
(Optional) For trap community, enter the SNMP community string used for this trap.

Step 5 end Returns to privileged EXEC mode.


Example:

SwitchDevice(config)# end

Step 6 show running-config Verifies your entries.


Example:

SwitchDevice# show running-config

Step 7 copy running-config startup-config (Optional) Saves your entries in the configuration file.
Example:

SwitchDevice# copy running-config startup-config

What to do next
To disable an alarm, use the no rmon alarm number global configuration command on each alarm you
configured. You cannot disable at once all the alarms that you configured. To disable an event, use the no
rmon event number global configuration command.
Related Topics
Understanding RMON, on page 591
Default RMON Configuration, on page 593
Monitoring RMON Status, on page 598
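To make the rising and falling thresholds of Step 3 concrete, here is an added example (not from the Cisco guide and not Cisco code) that emulates the alarm and event rows configured above: rmon alarm 10 samples ifEntry.20.1 (ifOutErrors on ifIndex 1) every 20 seconds in delta mode and fires event 1, which writes a log entry and sends a trap to community eventtrap. The point it shows is the hysteresis RFC 1757 requires: once a rising event has fired, no second rising event is generated until the value has come back down to the falling threshold, so a counter hovering around the threshold does not flood the NMS. The counter readings are constructed.

```python
"""Emulate the rising/falling-threshold behaviour of an RMON alarm and event.

Added example; not from the Cisco guide or Cisco code. It models the pair
configured in Steps 3 and 4 above:
  rmon alarm 10 ifEntry.20.1 20 delta rising-threshold 15 1 falling-threshold 0 owner jjohnson
  rmon event 1 log trap eventtrap description "High ifOutErrors" owner jjones
The counter samples at the bottom are constructed.
"""


class RmonEvent:
    """One row of the RMON event table: what happens when an alarm fires."""

    def __init__(self, number, description, log=False, trap_community=None):
        self.number = number
        self.description = description
        self.log = log
        self.trap_community = trap_community

    def trigger(self, alarm_number, value):
        """Return the actions the event produces, as tuples starting with the kind."""
        actions = []
        if self.log:
            actions.append(("log", "alarm %d: %s (value %d)" % (alarm_number, self.description, value)))
        if self.trap_community:
            actions.append(("trap", self.trap_community, self.description))
        return actions


class RmonAlarm:
    """One row of the RMON alarm table with RFC 1757 hysteresis.

    After a rising event fires, no further rising event is generated until the
    sampled value has reached the falling threshold (and vice versa).
    """

    def __init__(self, sample_type, rising, falling, rising_event=None, falling_event=None):
        if sample_type not in ("absolute", "delta"):
            raise ValueError("sample_type must be 'absolute' or 'delta'")
        if falling > rising:
            raise ValueError("falling threshold must not exceed rising threshold")
        self.sample_type = sample_type
        self.rising, self.falling = rising, falling
        self.rising_event, self.falling_event = rising_event, falling_event
        self.prev_raw = None        # last raw counter value, used for delta sampling
        self.last_fired = None      # 'rising' or 'falling'; None until the first crossing

    def sample(self, raw_value):
        """Feed one poll of the MIB variable. Returns the event number fired, or None."""
        if self.sample_type == "delta":
            if self.prev_raw is None:          # first sample: nothing to diff against yet
                self.prev_raw = raw_value
                return None
            value, self.prev_raw = raw_value - self.prev_raw, raw_value
        else:
            value = raw_value
        # Modelled as alarmStartupAlarm=risingOrFalling: the first crossing in either
        # direction fires. Afterwards only the opposite direction is armed.
        if value >= self.rising and self.last_fired != "rising":
            self.last_fired = "rising"
            return self.rising_event
        if value <= self.falling and self.last_fired != "falling":
            self.last_fired = "falling"
            return self.falling_event
        return None


def run_alarm(alarm, samples):
    """Return the event number fired (or None) for each sample, in order."""
    return [alarm.sample(v) for v in samples]


# Constructed ifOutErrors counter readings, one per 20-second poll.
SAMPLES = [100, 105, 125, 140, 160, 160, 160, 180]

if __name__ == "__main__":
    event1 = RmonEvent(1, "High ifOutErrors", log=True, trap_community="eventtrap")
    alarm10 = RmonAlarm("delta", rising=15, falling=0, rising_event=1)
    for i, fired in enumerate(run_alarm(alarm10, SAMPLES)):
        if fired == event1.number:
            print("poll %d:" % i, event1.trigger(10, SAMPLES[i] - SAMPLES[i - 1]))
```

With these readings the deltas are 5, 20, 15, 20, 0, 0, 20: event 1 fires on the delta of 20, stays silent for the following 15 and 20 because the alarm is still in its rising state, re-arms when a delta of 0 reaches the falling threshold, and fires again on the last 20. A falling threshold of 0 with no falling event, as in the guide's example, therefore still matters: it is what re-arms the alarm.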

Collecting Group History Statistics on an Interface


Follow these steps to collect group history statistics on an interface. This procedure is optional.

Before you begin


You must first configure RMON alarms and events to display collection information.

SUMMARY STEPS
1. enable
2. configure terminal
3. interface interface-id
4. rmon collection history index [buckets bucket-number] [interval seconds] [owner ownername]
5. end
6. show running-config
7. copy running-config startup-config

DETAILED STEPS

Command or Action Purpose


Step 1 enable Enables privileged EXEC mode. Enter your password if
prompted.
Example:

SwitchDevice> enable


Step 2 configure terminal Enters the global configuration mode.
Example:
SwitchDevice# configure terminal

Step 3 interface interface-id Specifies the interface on which to collect history, and enters
interface configuration mode.
Example:
SwitchDevice(config)# interface gigabitethernet2/0/1

Step 4 rmon collection history index [buckets bucket-number] [interval seconds] [owner ownername] Enables history collection for the specified number of buckets and time period.
For index, identify the RMON group of statistics. The range is 1 to 65535.
(Optional) For buckets bucket-number, specify the maximum number of buckets desired for the RMON collection history group of statistics. The range is 1 to 65535. The default is 50 buckets.
(Optional) For interval seconds, specify the number of seconds in each polling cycle. The range is 1 to 3600. The default is 1800 seconds.
(Optional) For owner ownername, enter the name of the owner of the RMON group of statistics.

Step 5 end Returns to privileged EXEC mode.


Example:

SwitchDevice(config)# end

Step 6 show running-config Verifies your entries.


Example:

SwitchDevice# show running-config

Step 7 copy running-config startup-config (Optional) Saves your entries in the configuration file.
Example:

SwitchDevice# copy running-config startup-config

What to do next
To disable history collection, use the no rmon collection history index interface configuration command.


Collecting Group Ethernet Statistics on an Interface


Follow these steps to collect group Ethernet statistics on an interface. This procedure is optional.

SUMMARY STEPS
1. enable
2. configure terminal
3. interface interface-id
4. rmon collection stats index [owner ownername]
5. end
6. show running-config
7. copy running-config startup-config

DETAILED STEPS

Command or Action Purpose


Step 1 enable Enables privileged EXEC mode. Enter your password if
prompted.
Example:

SwitchDevice> enable

Step 2 configure terminal Enters the global configuration mode.


Example:
SwitchDevice# configure terminal

Step 3 interface interface-id Specifies the interface on which to collect statistics, and enters
interface configuration mode.
Example:
SwitchDevice(config)# interface gigabitethernet2/0/1

Step 4 rmon collection stats index [owner ownername] Enables RMON statistic collection on the interface.
Example:
SwitchDevice(config-if)# rmon collection stats 2 owner root
For index, specify the RMON group of statistics. The range is from 1 to 65535.
(Optional) For owner ownername, enter the name of the owner of the RMON group of statistics.

Step 5 end Returns to privileged EXEC mode.


Example:

SwitchDevice(config)# end

Step 6 show running-config Verifies your entries.


Example:

SwitchDevice# show running-config

Step 7 copy running-config startup-config (Optional) Saves your entries in the configuration file.
Example:

SwitchDevice# copy running-config startup-config

What to do next
To disable the collection of group Ethernet statistics, use the no rmon collection stats index interface
configuration command.

Monitoring RMON Status


Table 55: Commands for Displaying RMON Status

Command Purpose
show rmon Displays general RMON statistics.
show rmon alarms Displays the RMON alarm table.
show rmon events Displays the RMON event table.
show rmon history Displays the RMON history table.
show rmon statistics Displays the RMON statistics table.

Related Topics
Configuring RMON Alarms and Events, on page 593
Understanding RMON, on page 591
Default RMON Configuration, on page 593

CHAPTER 31
Configuring Embedded Event Manager
• Information about Embedded Event Manager, on page 599
• How to Configure Embedded Event Manager, on page 602
• Monitoring Embedded Event Manager, on page 605
• Configuration Examples for Embedded Event Manager, on page 605

Information about Embedded Event Manager


Understanding Embedded Event Manager
Embedded Event Manager (EEM) is a distributed and customized approach to event detection and recovery
within a Cisco IOS device. EEM offers the ability to monitor events and take informational, corrective, or
any other EEM action when the monitored events occur or when a threshold is reached. An EEM policy
defines an event and the actions to be taken when that event occurs.
EEM monitors key system events and then acts on them through a set policy. The policy is a programmed
script that invokes an action when a given set of events occurs. The script generates actions such as custom
syslog messages or Simple Network Management Protocol (SNMP) traps, invoking CLI commands, forcing a
failover, and so forth. The event management capabilities of EEM are useful because not all event management
can be managed from the switch and because some problems compromise communication between the switch
and the external network management device. Network availability is improved if automatic recovery actions
are performed without rebooting the switch.
The following figure shows the relationship between the EEM server, the core event publishers (event detectors),
and the event subscribers (policies). The event publishers screen events and, when an event matches a
specification provided by an event subscriber, notify the EEM server. The EEM policies then implement
recovery based on the current state of the system and the actions specified in the policy for the given event.


Figure 60: Embedded Event Manager Core Event Detectors

Note EEM is supported only on Cisco Catalyst 3560-CX switches.
EEM is supported only on Catalyst switches running IP Base and IP Services licenses.

Embedded Event Manager Actions


These actions occur in response to an event:
• Modifying a named counter.
• Publishing an application-specific event.
• Generating an SNMP trap.
• Generating prioritized syslog messages.
• Reloading the Cisco IOS software.
• Reloading the switch stack.
• Reloading the master switch in the event of a master switchover. If this occurs, a new master switch is
elected.

Embedded Event Manager Policies


EEM can monitor events and provide information, or take corrective action when the monitored events occur
or a threshold is reached. An EEM policy is an entity that defines an event and the actions to be taken when
that event occurs.
There are two types of EEM policies: an applet or a script. An applet is a simple policy that is defined within
the CLI configuration. It is a concise method for defining event screening criteria and the actions to be taken
when that event occurs. Scripts are defined on the networking device by using an ASCII editor. The script,
which can be a bytecode (.tbc) and text (.tcl) script, is then copied to the networking device and registered
with EEM. You can also register multiple events in a .tcl file.
You use EEM to write and implement your own policies using the EEM policy tool command language (TCL)
script. When you configure a TCL script on the master switch, the file is automatically sent to the member
switches. The user-defined TCL scripts must be available on the member switches so that if the master switch
changes, the TCL script policies continue to work.
Cisco enhancements to TCL in the form of keyword extensions facilitate the development of EEM policies.
These keywords identify the detected event, the subsequent action, utility information, counter values, and
system information.
Related Topics
Registering and Defining an Embedded Event Manager Applet, on page 602
Example: Generating SNMP Notifications, on page 605
Example: Responding to EEM Events, on page 605

Embedded Event Manager Environment Variables


EEM uses environment variables in EEM policies. These variables are defined in an EEM policy tool command
language (TCL) script by running a CLI command and the event manager environment command.
• User-defined variables —Defined by the user for a user-defined policy.
• Cisco-defined variables —Defined by Cisco for a specific sample policy.
• Cisco built-in variables (available in EEM applets) —Defined by Cisco and can be read-only or read-write.
The read-only variables are set by the system before an applet starts to execute. The single read-write
variable, _exit_status, allows you to set the exit status for policies triggered from synchronous events.
Cisco-defined environment variables and Cisco system-defined environment variables might apply to one
specific event detector or to all event detectors. Environment variables that are user-defined or defined by
Cisco in a sample policy are set by using the event manager environment global configuration command. You
must define the variables in the EEM policy before you register the policy.

Embedded Event Manager 3.2


Embedded Event Manager 3.2 provides support for the following event detectors:
• Neighbor Discovery—Neighbor Discovery event detector provides the ability to publish a policy to
respond to automatic neighbor detection when:
• a Cisco Discovery Protocol (CDP) cache entry is added, deleted, or updated.
• a Link Layer Discovery Protocol (LLDP) cache entry is added, deleted or updated.
• an interface link status changes.
• an interface line status changes.
• Identity—Identity event detector generates an event when AAA authorization and authentication is
successful, when failure occurs, or after normal user traffic on the port is allowed to flow.
• Mac-Address-Table—Mac-Address-Table event detector generates an event when a MAC address is
learned in the MAC address table.


Note The Mac-Address-Table event detector is supported only on switch platforms and can be used only on Layer
2 interfaces where MAC addresses are learned. Layer 3 interfaces do not learn addresses, and routers do not
usually support the MAC address-table infrastructure needed to notify EEM of a learned MAC address.

EEM 3.2 also introduces CLI commands to support the applets to work with the new event detectors.

How to Configure Embedded Event Manager


Registering and Defining an Embedded Event Manager Applet
Beginning in privileged EXEC mode, perform this task to register an applet with EEM and to define the EEM
applet using the event applet and action applet configuration commands.

Note Only one event applet command is allowed in an EEM applet. Multiple action applet commands are permitted.
If you do not specify the no event and no action commands, the applet is removed when you exit configuration
mode.

SUMMARY STEPS
1. configure terminal
2. event manager applet applet-name
3. event snmp oid oid-value get-type {exact | next} entry-op {eq | ge | gt | le | lt | ne} entry-val entry-val
[exit-comb {or | and}] [exit-op {eq | ge | gt | le | lt | ne}] [exit-val exit-val] [exit-time exit-time-val] poll-interval
poll-int-val
4. action label syslog [priority priority-level] msg msg-text
5. end

DETAILED STEPS

Command or Action Purpose


Step 1 configure terminal Enters the global configuration mode.
Example:
SwitchDevice# configure terminal

Step 2 event manager applet applet-name Registers the applet with EEM and enters applet configuration
mode.

Step 3 event snmp oid oid-value get-type {exact | next} entry-op {eq | ge | gt | le | lt | ne} entry-val entry-val [exit-comb {or | and}] [exit-op {eq | ge | gt | le | lt | ne}] [exit-val exit-val] [exit-time exit-time-val] poll-interval poll-int-val Specifies the event criteria that cause the EEM applet to run.
(Optional) Exit criteria. If exit criteria are not specified, event monitoring is re-enabled immediately.


Step 4 action label syslog [priority priority-level] msg msg-text Specifies the action to take when the EEM applet is triggered. Repeat
this step to add other action commands to the applet.
• (Optional) The priority keyword specifies the priority level of the syslog messages. If selected, you need to
define the priority-level argument.
• For msg-text, the argument can be character text, an environment variable, or a combination of the two.

Step 5 end Exits applet configuration mode and returns to privileged EXEC mode.

Example
This example shows the output for EEM when one of the fields specified by an SNMP object ID
crosses a defined threshold:
SwitchDevice(config-applet)# event snmp oid 1.3.6.1.4.1.9.9.48.1.1.1.6.1 get-type exact
entry-op lt entry-val 5120000 poll-interval 10

These examples show actions that are taken in response to an EEM event:
SwitchDevice(config-applet)# action 1.0 syslog priority critical msg "Memory exhausted;
current available memory is $_snmp_oid_val bytes"
SwitchDevice(config-applet)# action 2.0 force-switchover

Related Topics
Embedded Event Manager Policies, on page 600
Example: Generating SNMP Notifications, on page 605
Example: Responding to EEM Events, on page 605

Registering and Defining an Embedded Event Manager TCL Script


Beginning in privileged EXEC mode, perform this task to register a TCL script with EEM and to define the
TCL script and policy commands.

SUMMARY STEPS
1. configure terminal
2. show event manager environment [all | variable-name]
3. configure terminal
4. event manager environment variable-name string
5. event manager policy policy-file-name [type system] [trap]
6. exit

DETAILED STEPS

Command or Action Purpose


Step 1 configure terminal Enters the global configuration mode.


Step 2 show event manager environment [all | variable-name] (Optional) The show event manager environment
command displays the name and value of the EEM
environment variables.
(Optional) The all keyword displays the EEM environment
variables.
(Optional) The variable-name argument displays
information about the specified environment variable.

Step 3 configure terminal Enters the global configuration mode.

Step 4 event manager environment variable-name string Configures the value of the specified EEM environment
variable. Repeat this step for all the required environment
variables.
Step 5 event manager policy policy-file-name [type system] [trap] Registers the EEM policy to be run when the specified event
defined within the policy occurs.
Step 6 exit Exits global configuration mode and returns to privileged EXEC mode.

Example
This example shows the sample output for the show event manager environment command:
SwitchDevice# show event manager environment all
No. Name Value
1 _cron_entry 0-59/2 0-23/1 * * 0-6
2 _show_cmd show ver
3 _syslog_pattern .*UPDOWN.*Ethernet1/0.*

This example shows a CRON timer environment variable, which is assigned by the software, to be
set to every second minute, every hour of every day:
SwitchDevice(config)# event manager environment _cron_entry 0-59/2 0-23/1 * * 0-6

This example shows the sample EEM policy named tm_cli_cmd.tcl registered as a system policy.
The system policies are part of the Cisco IOS image. User-defined TCL scripts must first be copied
to flash memory.
SwitchDevice(config)# event manager policy tm_cli_cmd.tcl type system

Related Topics
Example: Displaying EEM Environment Variables, on page 605


Monitoring Embedded Event Manager


Displaying Embedded Event Manager Information
Table 56: Commands for displaying EEM information

Command Purpose
show event manager environment [all | variable-name]   Displays the name and value of the EEM environment variables.

To display information about EEM, including EEM registered policies and EEM history data, see the Cisco
IOS Network Management Command Reference.

Configuration Examples for Embedded Event Manager


Example: Generating SNMP Notifications
This example shows the output for EEM when one of the fields specified by an SNMP object ID crosses a
defined threshold.

SwitchDevice(config-applet)# event snmp oid 1.3.6.1.4.1.9.9.48.1.1.1.6.1 get-type exact
entry-op lt entry-val 5120000 poll-interval 10

Related Topics
Embedded Event Manager Policies, on page 600
Registering and Defining an Embedded Event Manager Applet, on page 602

Example: Responding to EEM Events


These examples show actions that are taken in response to an EEM event:
SwitchDevice(config-applet)# action 1.0 syslog priority critical msg "Memory exhausted;
current available memory is $_snmp_oid_val bytes"
SwitchDevice(config-applet)# action 2.0 force-switchover
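The applet defined in "Registering and Defining an Embedded Event Manager Applet" and repeated in the two examples above has three parts that interact: the entry test (entry-op lt entry-val 5120000, polled every 10 seconds), the optional exit criteria (without which, as the procedure notes, monitoring is re-enabled immediately), and the message text in which the built-in variable $_snmp_oid_val is expanded. The following Python emulation is an added example, not from the Cisco guide and not Cisco code; it shows why an applet without exit criteria fires on every poll while memory stays low, and how exit-op and exit-val quieten it until the condition clears. The polled memory values are constructed, and the timing of the re-arm (on the poll that satisfies the exit test, with the entry test evaluated again on the next poll) is this example's simplification.

```python
"""Emulate how an EEM applet's 'event snmp' criteria and actions behave.

Added example; not from the Cisco guide or Cisco code. It models the applet
shown above: poll an OID every poll-interval, run the actions when the
entry-op test (here 'lt 5120000') holds, and expand $_snmp_oid_val in the
syslog message. The polled memory values are constructed.
"""
import operator
import re

# The entry-op / exit-op keywords the guide lists, mapped to comparisons.
OPS = {"eq": operator.eq, "ge": operator.ge, "gt": operator.gt,
       "le": operator.le, "lt": operator.lt, "ne": operator.ne}

# Actions from the guide's example, in the order they were entered.
ACTIONS = [
    ("1.0", "syslog priority critical msg "
            "\"Memory exhausted; current available memory is $_snmp_oid_val bytes\""),
    ("2.0", "force-switchover"),
]


def expand_variables(text, env):
    """Replace $name references with their values. An undefined variable is an
    error, mirroring the rule that variables must be defined before the policy
    is registered."""
    def repl(match):
        name = match.group(1)
        if name not in env:
            raise KeyError("EEM environment variable %s is not defined" % name)
        return str(env[name])
    return re.sub(r"\$(\w+)", repl, text)


class SnmpApplet:
    def __init__(self, entry_op, entry_val, exit_op=None, exit_val=None, actions=ACTIONS):
        self.entry = (OPS[entry_op], entry_val)
        self.exit = (OPS[exit_op], exit_val) if exit_op is not None else None
        self.actions = list(actions)
        self.armed = True              # False while waiting for the exit criteria

    def poll(self, oid_val):
        """One poll-interval tick. Returns the expanded action strings, or [] if nothing fired."""
        if not self.armed:
            op, val = self.exit
            if op(oid_val, val):       # exit criteria met: re-enable event monitoring
                self.armed = True
            return []
        op, val = self.entry
        if not op(oid_val, val):
            return []
        if self.exit is not None:      # with exit criteria, stay quiet until they hold
            self.armed = False
        env = {"_snmp_oid_val": oid_val}   # built-in read-only variable set by the system
        return [expand_variables(text, env) for _label, text in self.actions]


def run_applet(applet, samples):
    """Return the list of action outputs for each polled value, in order."""
    return [applet.poll(v) for v in samples]


# Constructed free-memory readings (bytes) at successive 10-second polls.
SAMPLES = [9_000_000, 4_000_000, 4_500_000, 6_000_000, 4_000_000]

if __name__ == "__main__":
    for i, out in enumerate(run_applet(SnmpApplet("lt", 5_120_000), SAMPLES)):
        for line in out:
            print("poll %d: %s" % (i, line))
```

With the readings above the applet as written fires on three of the five polls, each time repeating the critical syslog message and the force-switchover action; adding exit-op ge exit-val 6000000 reduces that to two firings, one when memory first drops and one after it has recovered and dropped again. For an action as heavy as a switchover, exit criteria are the difference between one recovery action and a recovery action every ten seconds.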

Related Topics
Embedded Event Manager Policies, on page 600
Registering and Defining an Embedded Event Manager Applet, on page 602

Example: Displaying EEM Environment Variables


This example shows the sample output for the show event manager environment command:

SwitchDevice# show event manager environment all

No.  Name             Value
1    _cron_entry      0-59/2 0-23/1 * * 0-6
2    _show_cmd        show ver
3    _syslog_pattern  .*UPDOWN.*Ethernet1/0.*
4    _config_cmd1     interface Ethernet1/0
5    _config_cmd2     no shut

This example shows a CRON timer environment variable, which is assigned by the software, to be set to every
second minute, every hour of every day:
SwitchDevice(config)# event manager environment _cron_entry 0-59/2 0-23/1 * * 0-6

This example shows the sample EEM policy named tm_cli_cmd.tcl registered as a system policy. The system
policies are part of the Cisco IOS image. User-defined TCL scripts must first be copied to flash memory.
SwitchDevice(config)# event manager policy tm_cli_cmd.tcl type system

Related Topics
Registering and Defining an Embedded Event Manager TCL Script, on page 603

CHAPTER 32
Configuring NetFlow Lite
• Finding Feature Information, on page 607
• Prerequisites for NetFlow Lite, on page 607
• Restrictions for NetFlow Lite, on page 607
• Information About NetFlow Lite, on page 609
• How to Configure NetFlow Lite, on page 616
• Monitoring Flexible NetFlow, on page 629
• Configuration Examples for NetFlow Lite, on page 629

Finding Feature Information


Your software release may not support all the features documented in this module. For the latest caveats and
feature information, see Bug Search Tool and the release notes for your platform and software release. To
find information about the features documented in this module, and to see a list of the releases in which each
feature is supported, see the feature information table.
Use Cisco Feature Navigator to find information about platform support and Cisco software image support.
To access Cisco Feature Navigator, go to www.cisco.com/go/cfn. An account on Cisco.com is not required.

Prerequisites for NetFlow Lite


The following two targets for attaching a NetFlow Lite monitor are supported:
• Port—Monitor attachment is only supported on physical interfaces and not on logical interfaces, such
as EtherChannels. The physical interface could be a routed port or a switched port.
• VLAN—Monitor attachment is supported on VLAN interfaces only (SVI) and not on a Layer 2 VLAN.

Restrictions for NetFlow Lite


The following are restrictions for NetFlow Lite:
• Monitor restrictions:
  • Monitor attachment is only supported in the ingress direction.
  • One monitor per interface is supported, although multiple exporters per interface are supported.
  • Only permanent and normal cache is supported for the monitor; immediate cache is not supported.
  • Changing any monitor parameter is not supported while the monitor is applied on any interface or VLAN.
  • When both the port and the VLAN have monitors attached, the VLAN monitor overwrites the port monitor for traffic arriving on the port.
  • Flow monitor type and traffic type (type means IPv4, IPv6, and data link) should be the same for the flows to be created.
  • You cannot attach an IP and port-based monitor to an interface at the same time on the switch. A 48-port switch supports a maximum of 48 monitors (IP or port-based) and for 256 SVIs, you can configure up to 256 monitors (IP or port-based).
  • When running the show flow monitor flow_name cache command, the switch displays cache information from an earlier switch software version (Catalyst 2960-S) with all fields entered as zero. Ignore these fields, as they are inapplicable to the switch.
• Sampler restrictions:
  • Only sampled NetFlow is supported.
  • For both ports and VLANs, a total of only 4 samplers (random or deterministic) are supported on the switch.
  • The sampling minimum rate for both modes is 1 out of 32 flows, and the sampling maximum rate for both modes is 1 out of 1022 flows.
  • You must associate a sampler with a monitor while attaching it to an interface. Otherwise, the command will be rejected. Use the ip flow monitor monitor_name sampler sampler_name input interface configuration command to perform this task.
  • When you attach a monitor using a deterministic sampler, every attachment with the same sampler uses one new free sampler from the switch (hardware) out of 4 available samplers. Beyond 4 attachments, you are not allowed to attach a monitor with any sampler.
    When you attach a monitor using a random sampler, only the first attachment uses a new sampler from the switch (hardware). All remaining attachments using the same sampler share that one sampler.
    Because of this behavior, when using a deterministic sampler, you can always make sure that the correct number of flows are sampled by comparing the sampling rate and what the switch sends. If the same random sampler is used with multiple interfaces, flows from one interface can always be sampled, and flows from other interfaces can always be skipped.
• Network flows and statistics are collected at the line rate.
• ACL-based NetFlow is not supported.
• Only NetFlow Version 9 is supported for the Flexible NetFlow exporter using the export-protocol command option. If you configure NetFlow Version 5, this version will be accepted, but NetFlow Version 5 export functionality is neither currently available nor supported.
• The switch supports homogeneous stacking, but does not support mixed stacking.
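The hardware-sampler rules above (restated in the note under Step 4 of Creating a Sampler) are easy to get wrong when many ports are planned at once. The following Python model is an added example, not Cisco code: it encodes the limits stated on this page (4 hardware samplers, a 32 to 1022 packet window, one monitor per interface, a sampler required on attachment) and the difference between deterministic and random sampler allocation, so a planned set of ip flow monitor ... sampler ... input attachments can be checked offline. The interface, monitor and sampler names are constructed.

```python
from dataclasses import dataclass

HW_SAMPLERS = 4                     # samplers available in the switch hardware ("out of 4 available samplers")
MIN_WINDOW, MAX_WINDOW = 32, 1022   # allowed n in "mode {random | deterministic} m out-of n"


@dataclass(frozen=True)
class Sampler:
    """A sampler as created with `sampler NAME` and `mode {random | deterministic} m out-of n`."""
    name: str
    mode: str    # "random" or "deterministic"
    m: int       # packets selected ...
    n: int       # ... out of each n-packet window

    def validate(self):
        if self.mode not in ("random", "deterministic"):
            raise ValueError(f"{self.name}: mode must be random or deterministic")
        if not MIN_WINDOW <= self.n <= MAX_WINDOW:
            raise ValueError(f"{self.name}: window {self.n} is outside {MIN_WINDOW}-{MAX_WINDOW}")
        if not 1 <= self.m <= self.n:
            raise ValueError(f"{self.name}: must select between 1 and {self.n} packets per window")


class AttachmentPlanner:
    """Checks planned `ip flow monitor MONITOR sampler SAMPLER input` attachments against
    the NetFlow Lite restrictions before they are typed into the switch."""

    def __init__(self):
        self.attachments = {}   # interface -> (monitor, sampler name)
        self.hw_in_use = 0      # hardware samplers consumed so far
        self.shared = set()     # random samplers that already hold a hardware sampler

    def attach(self, interface, monitor, sampler):
        if sampler is None:
            raise ValueError(f"{interface}: a sampler is required; the switch rejects the command")
        sampler.validate()
        if interface in self.attachments:
            raise ValueError(f"{interface}: only one monitor per interface is supported")
        # Deterministic: every attachment consumes a new hardware sampler.
        # Random: only the first attachment of a given sampler does; later ones share it.
        if sampler.mode == "deterministic" or sampler.name not in self.shared:
            if self.hw_in_use >= HW_SAMPLERS:
                raise ValueError(f"{interface}: all {HW_SAMPLERS} hardware samplers are in use")
            self.hw_in_use += 1
            if sampler.mode == "random":
                self.shared.add(sampler.name)
        self.attachments[interface] = (monitor, sampler.name)
        return self.hw_in_use

    def free_hw_samplers(self):
        return HW_SAMPLERS - self.hw_in_use


if __name__ == "__main__":
    planner = AttachmentPlanner()
    rnd = Sampler("SampleTest", "random", 1, 1022)          # constructed names
    det = Sampler("DetTest", "deterministic", 1, 64)
    for port in range(1, 6):                                # five ports share one random sampler
        planner.attach(f"GigabitEthernet1/0/{port}", "MonitorTest", rnd)
    print("hardware samplers used after 5 random attachments:", planner.hw_in_use)
    for port in range(6, 9):                                # each deterministic attachment costs one
        planner.attach(f"GigabitEthernet1/0/{port}", "MonitorTest", det)
    print("free hardware samplers:", planner.free_hw_samplers())
    try:
        planner.attach("GigabitEthernet1/0/9", "MonitorTest", det)
    except ValueError as err:
        print("rejected:", err)
```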


Information About NetFlow Lite


NetFlow Lite Overview
NetFlow Lite uses flows to provide statistics for accounting, network monitoring, and network planning.
A flow is a unidirectional stream of packets that arrives on a source interface and has the same values for the
keys. A key is an identified value for a field within the packet. You create a flow using a flow record to define
the unique keys for your flow.
The switch supports the NetFlow Lite feature, which enables enhanced network anomaly and security detection.
NetFlow Lite allows you to define an optimal flow record for a particular application by selecting the keys
from a large collection of predefined fields.
All key values must match for the packet to count in a given flow. A flow might gather other fields of interest,
depending on the export record version that you configure. Flows are stored in the NetFlow Lite cache.
You can export the data that NetFlow Lite gathers for your flow by using an exporter and export this data to
a remote system such as a NetFlow Lite collector. The NetFlow Lite collector can use an IPv4 address.
You define the size of the data that you want to collect for a flow using a monitor. The monitor combines the
flow record and exporter with the NetFlow Lite cache information.

Flexible NetFlow Components


Flexible NetFlow consists of components that can be used together in several variations to perform traffic
analysis and data export. The user-defined flow records and the component structure of Flexible NetFlow
facilitate the creation of various configurations for traffic analysis and data export on a networking device
with a minimum number of configuration commands. Each flow monitor can have a unique combination of
flow record, flow exporter, and cache type. If you change a parameter such as the destination IP address for
a flow exporter, it is automatically changed for all the flow monitors that use the flow exporter. The same
flow monitor can be used in conjunction with different flow samplers to sample the same type of network
traffic at different rates on different interfaces. The following sections provide more information on Flexible
NetFlow components:

Flow Records
In Flexible NetFlow a combination of key and nonkey fields is called a record. Flexible NetFlow records are
assigned to Flexible NetFlow flow monitors to define the cache that is used for storing flow data.
A flow record defines the keys that Flexible NetFlow uses to identify packets in the flow, as well as other
fields of interest that Flexible NetFlow gathers for the flow. You can define a flow record with any combination
of keys and fields of interest. The switch supports a rich set of keys. A flow record also defines the types of
counters gathered per flow. You can configure 64-bit packet or byte counters. The switch enables the following
match fields as the defaults when you create a flow record:
• match datalink—Layer 2 attributes
• match ipv4—IPv4 attributes
• match ipv6—IPv6 attributes
• match transport—Transport layer fields
• match wireless—Wireless fields

Related Topics
Creating a Flow Record, on page 617
Example: Configuring a Flow, on page 629

NetFlow Predefined Records


Flexible NetFlow includes several predefined records that you can use to start monitoring traffic in your
network. The predefined records are available to help you quickly deploy Flexible NetFlow and are easier to
use than user-defined flow records. You can choose from a list of already defined records that may meet the
needs for network monitoring. As Flexible NetFlow evolves, popular user-defined flow records will be made
available as predefined records to make them easier to implement.
The predefined records ensure backward compatibility with your existing NetFlow collector configurations
for the data that is exported. Each of the predefined records has a unique combination of key and nonkey
fields that offer you the built-in ability to monitor various types of traffic in your network without customizing
Flexible NetFlow on your router.
Two of the predefined records (NetFlow original and NetFlow IPv4/IPv6 original output), which are functionally
equivalent, emulate original (ingress) NetFlow and the Egress NetFlow Accounting feature in original NetFlow,
respectively. Some of the other Flexible NetFlow predefined records are based on the aggregation cache
schemes available in original NetFlow. The Flexible NetFlow predefined records that are based on the
aggregation cache schemes available in original NetFlow do not perform aggregation. Instead each flow is
tracked separately by the predefined records.

User-Defined Records
Flexible NetFlow enables you to define your own records for a Flexible NetFlow flow monitor cache by
specifying the key and nonkey fields to customize the data collection to your specific requirements. When
you define your own records for a Flexible NetFlow flow monitor cache, they are referred to as user-defined
records. The values in nonkey fields are added to flows to provide additional information about the traffic in
the flows. A change in the value of a nonkey field does not create a new flow. In most cases the values for
nonkey fields are taken from only the first packet in the flow. Flexible NetFlow enables you to capture counter
values such as the number of bytes and packets in a flow as nonkey fields.
Flexible NetFlow adds a new Version 9 export format field type for the header and packet section types.
Flexible NetFlow will communicate to the NetFlow collector the configured section sizes in the corresponding
Version 9 export template fields. The payload sections will have a corresponding length field that can be used
to collect the actual size of the collected section.

NetFlow Lite Match Parameters


You can match these key fields for the flow record:
• IPv4 or IPv6 destination address
• Datalink fields (source and destination MAC address, and MAC ethertype (type of networking protocol)).
• Transport field source and destination ports to identify the type of application: ICMP, IGMP, or TCP
traffic.

The following table describes NetFlow Lite match parameters. You must configure at least one of the following
match parameters for the flow records.


Table 57: Match Parameters

match datalink {ethertype | mac {destination address input | source address input}}
  Specifies a match to datalink or Layer 2 fields. The following command options are available:
  • ethertype—Matches to the ethertype of the packet.
  • mac—Matches the source or destination MAC address from packets at input.
  Note: When a datalink flow monitor is assigned to an interface or VLAN, it only creates flows for non-IPv6 or non-IPv4 traffic.

match ipv4 {destination {address} | protocol | source {address} | tos}
  Specifies a match to the IPv4 fields. The following command options are available:
  • destination—Matches to the IPv4 destination address-based fields.
  • protocol—Matches to the IPv4 protocols.
  • source—Matches to the IPv4 source address-based fields.
  • tos—Matches to the IPv4 Type of Service fields.

match ipv6 {destination {address} | flow-label | protocol | source {address} | traffic-class}
  Specifies a match to the IPv6 fields. The following command options are available:
  • destination—Matches to the IPv6 destination address-based fields.
  • flow-label—Matches to the IPv6 flow-label fields.
  • protocol—Matches to the IPv6 payload protocol fields.
  • source—Matches to the IPv6 source address-based fields.
  • traffic-class—Matches to the IPv6 traffic class.

match transport {destination-port | source-port}
  Specifies a match to the Transport Layer fields. The following command options are available:
  • destination-port—Matches to the transport destination port.
  • source-port—Matches to the transport source port.

match wireless
  Specifies the use of the SSID of the wireless network as a key field for a flow record.

NetFlow Lite Collect Parameters


You can collect these key fields in the flow record:
• The total number of bytes, flows or packets sent by the exporter (exporter) or the number of bytes or packets in a 64-bit counter (long).
• The timestamp based on system uptime from the time the first packet was sent or from the time the most recent (last) packet was seen.
• The SNMP index of the input interface. The interface for traffic entering the service module is based on the switch forwarding cache. This field is typically used in conjunction with datalink, IPv4, and IPv6 addresses, and provides the actual first-hop interface for directly connected hosts.
  • A value of 0 means that interface information is not available in the cache.
  • Some NetFlow collectors require this information in the flow record.

The following table describes NetFlow Lite collect parameters.

Table 58: Collect Parameters

collect counter {bytes {long | permanent} | packets {long | permanent}}
  Collects the counter fields total bytes and total packets.

collect flow {sampler}
  Collects the flow sampler identifier (ID).

collect interface {input}
  Collects the fields from the input interface.

collect timestamp sys-uptime {first | last}
  Collects the fields for the time the first packet was seen or the time the most recent packet was last seen (in milliseconds).

collect transport tcp flags
  Collects the following transport TCP flags:
  • ack—TCP acknowledgement flag
  • cwr—TCP congestion window reduced flag
  • ece—TCP ECN echo flag
  • fin—TCP finish flag
  • psh—TCP push flag
  • rst—TCP reset flag
  • syn—TCP synchronize flag
  • urg—TCP urgent flag

Collects the MAC addresses of the access points that the wireless client is associated with.

Flow Exporters
Flow exporters export the data in the flow monitor cache to a remote system, such as a server running NetFlow
collector, for analysis and storage. Flow exporters are created as separate entities in the configuration. Flow
exporters are assigned to flow monitors to provide data export capability for the flow monitors. You can create
several flow exporters and assign them to one or more flow monitors to provide several export destinations.
You can create one flow exporter and apply it to several flow monitors.

NetFlow Data Export Format Version 9


The basic output of NetFlow is a flow record. Several different formats for flow records have evolved as
NetFlow has matured. The most recent evolution of the NetFlow export format is known as Version 9. The
distinguishing feature of the NetFlow Version 9 export format is that it is template-based. Templates provide
an extensible design to the record format, a feature that should allow future enhancements to NetFlow services
without requiring concurrent changes to the basic flow-record format. Using templates provides several key
benefits:
• Third-party business partners who produce applications that provide collector or display services for
NetFlow do not have to recompile their applications each time a new NetFlow feature is added. Instead,
they should be able to use an external data file that documents the known template formats.
• New features can be added to NetFlow quickly without breaking current implementations.
• NetFlow is “future-proofed” against new or developing protocols because the Version 9 format can be
adapted to provide support for them.

The Version 9 export format consists of a packet header followed by one or more template flow or data flow
sets. A template flow set provides a description of the fields that will be present in future data flow sets. These
data flow sets may occur later within the same export packet or in subsequent export packets. Template flow
and data flow sets can be intermingled within a single export packet, as illustrated in the figure below.
Figure 61: Version 9 Export Packet

NetFlow Version 9 will periodically export the template data so the NetFlow collector will understand what
data is to be sent and also export the data flow set for the template. The key advantage to Flexible NetFlow
is that the user configures a flow record, which is effectively converted to a Version 9 template and then
forwarded to the collector. The figure below is a detailed example of the NetFlow Version 9 export format,
including the header, template flow, and data flow sets.


Figure 62: Detailed Example of the NetFlow Version 9 Export Format

For more information on the Version 9 export format, refer to the white paper titled Cisco IOS NetFlow Version 9 Flow-Record Format, available at this URL:
http://www.cisco.com/en/US/tech/tk648/tk362/technologies_white_paper09186a00800a3db9.shtml.
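To make the template mechanism concrete from the collector's side, the following Python parser is an added example, not Cisco code, and no exporter output was captured for it: it decodes the v9 header, a template flowset and a data flowset (built inline from two constructed flows using field type IDs from RFC 3954), keeps templates between packets as a real collector must, and rejects malformed flowset lengths rather than trusting the exporter.

```python
import struct
from ipaddress import IPv4Address

# Field type IDs from RFC 3954 (the NetFlow v9 specification); only the subset decoded here.
FIELD_TYPES = {1: "IN_BYTES", 2: "IN_PKTS", 4: "PROTOCOL", 6: "TCP_FLAGS", 7: "L4_SRC_PORT",
               8: "IPV4_SRC_ADDR", 10: "INPUT_SNMP", 11: "L4_DST_PORT", 12: "IPV4_DST_ADDR"}
IPV4_FIELDS = {8, 12}
HEADER_FMT = "!HHIIII"                     # version, count, sysUptime, unixSecs, seqNo, sourceId
HEADER_LEN = struct.calcsize(HEADER_FMT)   # 20 bytes


def parse_v9_packet(data, templates=None):
    """Parse one NetFlow v9 export packet and return (header, records, templates).

    `templates` maps template ID -> [(field_type, field_len), ...] and is returned updated
    so the caller can keep it between packets: a data flowset may use a template exported
    in an earlier packet, so a collector must remember templates (per exporter source ID
    in practice). Data flowsets with no known template are counted in header["unresolved"].
    """
    templates = {} if templates is None else templates
    if len(data) < HEADER_LEN:
        raise ValueError("packet shorter than the v9 header")
    version, count, uptime, secs, seq, source_id = struct.unpack(HEADER_FMT, data[:HEADER_LEN])
    if version != 9:
        raise ValueError(f"not a NetFlow v9 packet (version {version})")
    header = {"count": count, "sys_uptime_ms": uptime, "unix_secs": secs,
              "sequence": seq, "source_id": source_id, "unresolved": 0}
    records, offset = [], HEADER_LEN
    while offset + 4 <= len(data):
        flowset_id, length = struct.unpack("!HH", data[offset:offset + 4])
        # A length that cannot advance the cursor, or that runs past the datagram, is
        # malformed; rejecting it stops an untrusted exporter from spinning the loop or
        # steering the parser out of bounds.
        if length < 4 or offset + length > len(data):
            raise ValueError(f"malformed flowset length {length} at offset {offset}")
        body = data[offset + 4:offset + length]
        if flowset_id == 0:                  # template flowset
            _parse_template_flowset(body, templates)
        elif flowset_id >= 256:              # data flowset; its ID names the template
            tmpl = templates.get(flowset_id)
            if tmpl is None:
                header["unresolved"] += 1
            else:
                records.extend(_parse_data_flowset(body, tmpl))
        # Flowset IDs 1..255 (options templates and reserved values) are ignored here.
        offset += length
    return header, records, templates


def _parse_template_flowset(body, templates):
    pos = 0
    while pos + 4 <= len(body):
        template_id, field_count = struct.unpack("!HH", body[pos:pos + 4])
        if template_id == 0:                 # zero bytes at the end are padding
            break
        pos += 4
        if template_id < 256 or field_count == 0 or pos + 4 * field_count > len(body):
            raise ValueError(f"malformed template record {template_id}")
        templates[template_id] = [struct.unpack("!HH", body[pos + 4 * i:pos + 4 * i + 4])
                                  for i in range(field_count)]
        pos += 4 * field_count


def _parse_data_flowset(body, tmpl):
    record_len = sum(flen for _, flen in tmpl)
    records, pos = [], 0
    while pos + record_len <= len(body):     # trailing bytes shorter than a record are padding
        raw, pos = body[pos:pos + record_len], pos + record_len
        rec, fpos = {}, 0
        for ftype, flen in tmpl:
            chunk, fpos = raw[fpos:fpos + flen], fpos + flen
            name = FIELD_TYPES.get(ftype, f"type_{ftype}")
            rec[name] = (str(IPv4Address(chunk)) if ftype in IPV4_FIELDS and flen == 4
                         else int.from_bytes(chunk, "big"))
        records.append(rec)
    return records


# Constructed sample: a template carrying the kind of keys and counters a NetFlow Lite flow
# record matches and collects, and two made-up flows that use it.
SAMPLE_TEMPLATE_ID = 256
SAMPLE_FIELDS = [(8, 4), (12, 4), (7, 2), (11, 2), (4, 1), (6, 1), (2, 4), (1, 4)]
SAMPLE_FLOWS = [  # src, dst, sport, dport, proto, tcp flags, packets, bytes
    ("192.0.2.10", "198.51.100.5", 51514, 443, 6, 0x18, 12, 3400),
    ("192.0.2.11", "198.51.100.9", 41000, 22, 6, 0x02, 1, 60),
]


def build_sample_packet(include_template=True, seq=1):
    """Build a v9 packet: an optional template flowset followed by a data flowset using it."""
    tmpl_body = struct.pack("!HH", SAMPLE_TEMPLATE_ID, len(SAMPLE_FIELDS))
    tmpl_body += b"".join(struct.pack("!HH", ftype, flen) for ftype, flen in SAMPLE_FIELDS)
    template_fs = struct.pack("!HH", 0, 4 + len(tmpl_body)) + tmpl_body
    recs = b"".join(IPv4Address(s).packed + IPv4Address(d).packed
                    + struct.pack("!HHBBII", sp, dp, proto, flags, pkts, nbytes)
                    for s, d, sp, dp, proto, flags, pkts, nbytes in SAMPLE_FLOWS)
    recs += b"\x00" * (-len(recs) % 4)       # flowsets are padded to a 4-byte boundary
    data_fs = struct.pack("!HH", SAMPLE_TEMPLATE_ID, 4 + len(recs)) + recs
    count = (1 if include_template else 0) + len(SAMPLE_FLOWS)   # template + data records
    header = struct.pack(HEADER_FMT, 9, count, 123456, 1436000000, seq, 0)
    return header + (template_fs if include_template else b"") + data_fs
```

Parsing `build_sample_packet()` yields both flows; parsing a second, data-only packet yields them only when the `templates` dict from the first call is passed back in.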

Flow Monitors
Flow monitors are the Flexible NetFlow component that is applied to interfaces to perform network traffic
monitoring.
Flow data is collected from the network traffic and added to the flow monitor cache during the monitoring
process based on the key and nonkey fields in the flow record.
Flexible NetFlow can be used to perform different types of analysis on the same traffic. In the figure below,
packet 1 is analyzed using a record designed for standard traffic analysis on the input interface and a record
designed for security analysis on the output interface.


Figure 63: Example of Using Two Flow Monitors to Analyze the Same Traffic

The figure below shows a more complex example of how you can apply different types of flow monitors with
custom records.
Figure 64: Complex Example of Using Multiple Types of Flow Monitors with Custom Records

Normal
The default cache type is “normal”. In this mode, the entries in the cache are aged out according to the timeout
active and timeout inactive settings. When a cache entry is aged out, it is removed from the cache and exported
via any exporters configured.


Flow Samplers
Flow samplers are created as separate components in a router’s configuration. Flow samplers are used to
reduce the load on the device that is running NetFlow Lite by limiting the number of packets that are selected
for analysis.
Samplers use random sampling techniques (modes); that is, a randomly selected sampling position is used
each time a sample is taken.
Flow sampling exchanges monitoring accuracy for router performance. When you apply a sampler to a flow
monitor, the overhead load on the router of running the flow monitor is reduced because the number of packets
that the flow monitor must analyze is reduced. The reduction in the number of packets that are analyzed by
the flow monitor causes a corresponding reduction in the accuracy of the information stored in the flow
monitor’s cache.
Samplers are combined with flow monitors when they are applied to an interface with the ip flow monitor
command.

Default Settings
The following table lists the NetFlow Lite default settings for the switch.

Table 59: Default NetFlow Lite Settings

Setting                Default
Flow active timeout    1800 seconds
                       Note: The default value for this setting may be too high for your specific NetFlow Lite configuration. You may want to consider changing it to a lower value of 180 or 300 seconds.
Flow timeout inactive  Enabled, 30 seconds
Flow update timeout    1800 seconds
Default cache size     16640 bits

How to Configure NetFlow Lite


To configure NetFlow Lite, follow these general steps:
1. Create a flow record by specifying keys and non-key fields to the flow.
2. Create an optional flow exporter by specifying the protocol and transport destination port, destination, and other parameters.
3. Create a flow monitor based on the flow record and flow exporter.
4. Create an optional sampler.
5. Apply the flow monitor to a Layer 2 port, Layer 3 port, or VLAN.

Creating a Flow Record


You can create a flow record and add keys to match on and fields to collect in the flow.

SUMMARY STEPS
1. configure terminal
2. flow record name
3. description string
4. match type
5. collect type
6. end
7. show flow record [name record-name]
8. copy running-config startup-config

DETAILED STEPS

Step 1  configure terminal
        Enters the global configuration mode.
        Example:
        SwitchDevice# configure terminal

Step 2  flow record name
        Creates a flow record and enters flow record configuration mode.
        Example:
        SwitchDevice(config)# flow record test
        SwitchDevice(config-flow-record)#

Step 3  description string
        (Optional) Describes this flow record as a maximum 63-character string.
        Example:
        SwitchDevice(config-flow-record)# description Ipv4Flow

Step 4  match type
        Specifies a match key.
        Example:
        SwitchDevice(config-flow-record)# match ipv4 source address
        SwitchDevice(config-flow-record)# match ipv4 destination address
        SwitchDevice(config-flow-record)# match flow direction

Step 5  collect type
        Specifies the collection field.
        Note: When a flow monitor has collect interface output as a collect field in the flow record, the output interface is detected based on the destination address in the switch. Hence, for the different flow monitors, the following are required to be configured:
        • For an ipv4 flow monitor, configure "match ip destination address"
        • For an ipv6 flow monitor, configure "match ipv6 destination address"
        • For a datalink flow monitor, configure "match datalink mac output"
        The collect interface output field will return a value of NULL when a flow gets created for any of the following addresses:
        • L3 broadcast
        • L2 broadcast
        • L3 multicast
        • L2 multicast
        • L2 unknown destination
        Example:
        SwitchDevice(config-flow-record)# collect counter bytes layer2 long
        SwitchDevice(config-flow-record)# collect counter bytes long
        SwitchDevice(config-flow-record)# collect timestamp absolute first
        SwitchDevice(config-flow-record)# collect transport tcp flags
        SwitchDevice(config-flow-record)# collect interface output

Step 6  end
        Returns to privileged EXEC mode.
        Example:
        SwitchDevice(config-flow-record)# end

Step 7  show flow record [name record-name]
        (Optional) Displays information about NetFlow flow records.
        Example:
        SwitchDevice# show flow record test

Step 8  copy running-config startup-config
        (Optional) Saves your entries in the configuration file.
        Example:
        SwitchDevice# copy running-config startup-config


What to do next
Define an optional flow exporter by specifying the export format, protocol, destination, and other parameters.
Related Topics
Flow Records, on page 609
Example: Configuring a Flow, on page 629

Creating a Flow Exporter


You can create a flow exporter to define the export parameters for a flow.

Note: Each flow exporter supports only one destination. If you want to export the data to multiple destinations, you must configure multiple flow exporters and assign them to the flow monitor.
You can export to a destination using an IPv4 address.

SUMMARY STEPS
1. configure terminal
2. flow exporter name
3. description string
4. destination {ipv4-address} [ vrf vrf-name]
5. dscp value
6. source { source type }
7. transport udp number
8. ttl seconds
9. export-protocol {netflow-v9}
10. end
11. show flow exporter [name record-name]
12. copy running-config startup-config

DETAILED STEPS

Step 1  configure terminal
        Enters the global configuration mode.
        Example:
        SwitchDevice# configure terminal

Step 2  flow exporter name
        Creates a flow exporter and enters flow exporter configuration mode.
        Example:
        SwitchDevice(config)# flow exporter ExportTest

Step 3  description string
        (Optional) Describes this flow exporter as a maximum 63-character string.
        Example:
        SwitchDevice(config-flow-exporter)# description ExportV9

Step 4  destination {ipv4-address} [vrf vrf-name]
        Sets the IPv4 destination address or hostname for this exporter.
        Example:
        SwitchDevice(config-flow-exporter)# destination 192.0.2.1 (IPv4 destination)

Step 5  dscp value
        (Optional) Specifies the differentiated services codepoint value. The range is from 0 to 63. The default is 0.
        Example:
        SwitchDevice(config-flow-exporter)# dscp 0

Step 6  source {source type}
        (Optional) Specifies the interface to use to reach the NetFlow collector at the configured destination. The following interfaces can be configured as source:
        Example:
        SwitchDevice(config-flow-exporter)# source gigabitEthernet1/0/1

Step 7  transport udp number
        (Optional) Specifies the UDP port to use to reach the NetFlow collector. The range is from 1 to 65536.
        Example:
        SwitchDevice(config-flow-exporter)# transport udp 200

Step 8  ttl seconds
        (Optional) Configures the time-to-live (TTL) value for datagrams sent by the exporter. The range is from 1 to 255 seconds. The default is 255.
        Example:
        SwitchDevice(config-flow-exporter)# ttl 210

Step 9  export-protocol {netflow-v9}
        Specifies the version of the NetFlow export protocol used by the exporter.
        Example:
        SwitchDevice(config-flow-exporter)# export-protocol netflow-v9

Step 10 end
        Returns to privileged EXEC mode.
        Example:
        SwitchDevice(config-flow-exporter)# end

Step 11 show flow exporter [name record-name]
        (Optional) Displays information about NetFlow flow exporters.
        Example:
        SwitchDevice# show flow exporter ExportTest

Step 12 copy running-config startup-config
        (Optional) Saves your entries in the configuration file.
        Example:
        SwitchDevice# copy running-config startup-config

What to do next
Define a flow monitor based on the flow record and flow exporter.
Related Topics
Exporters
Example: Configuring a Flow, on page 629

Creating a Flow Monitor


You can create a flow monitor and associate it with a flow record and a flow exporter.

SUMMARY STEPS
1. configure terminal
2. flow monitor name
3. description string
4. exporter name
5. record name
6. cache { timeout {active | inactive} seconds | type normal }
7. end
8. show flow monitor [name record-name]
9. copy running-config startup-config

DETAILED STEPS

Step 1  configure terminal
        Enters the global configuration mode.
        Example:
        SwitchDevice# configure terminal

Step 2  flow monitor name
        Creates a flow monitor and enters flow monitor configuration mode.
        Example:
        SwitchDevice(config)# flow monitor MonitorTest
        SwitchDevice(config-flow-monitor)#

Step 3  description string
        (Optional) Describes this flow monitor as a maximum 63-character string.
        Example:
        SwitchDevice(config-flow-monitor)# description Ipv4Monitor

Step 4  exporter name
        Associates a flow exporter with this flow monitor.
        Example:
        SwitchDevice(config-flow-monitor)# exporter ExportTest

Step 5  record name
        Associates a flow record with the specified flow monitor.
        Example:
        SwitchDevice(config-flow-monitor)# record test

Step 6  cache {timeout {active | inactive} seconds | type normal}
        Associates a flow cache with the specified flow monitor.
        Example:
        SwitchDevice(config-flow-monitor)# cache timeout active 15000

Step 7  end
        Returns to privileged EXEC mode.
        Example:
        SwitchDevice(config-flow-monitor)# end

Step 8  show flow monitor [name record-name]
        (Optional) Displays information about NetFlow flow monitors.
        Example:
        SwitchDevice# show flow monitor name MonitorTest

Step 9  copy running-config startup-config
        (Optional) Saves your entries in the configuration file.
        Example:
        SwitchDevice# copy running-config startup-config

What to do next
Apply the flow monitor to a Layer 2 interface, Layer 3 interface, or VLAN.
Related Topics
Monitors
Example: Configuring a Flow, on page 629

Creating a Sampler
You can create a sampler to define the NetFlow sampling rate for a flow.

SUMMARY STEPS
1. configure terminal
2. sampler name
3. description string
4. mode { deterministic { m - n } | random { m - n }}
5. end
6. show sampler [name]
7. copy running-config startup-config

DETAILED STEPS

Step 1 configure terminal
Purpose: Enters the global configuration mode.
Example:
SwitchDevice# configure terminal

Step 2 sampler name
Purpose: Creates a sampler and enters flow sampler configuration mode.
Example:
SwitchDevice(config)# sampler SampleTest
SwitchDevice(config-flow-sampler)#

Step 3 description string
Purpose: (Optional) Describes this sampler as a maximum 63-character string.
Example:
SwitchDevice(config-flow-sampler)# description samples

Step 4 mode {deterministic | random} m out-of n
Purpose: Defines the sampling mode and rate. You can configure either a random or a deterministic sampler on an interface. The sampler selects m packets out of each window of n packets; the window size n ranges from 32 to 1022.
Example:
SwitchDevice(config-flow-sampler)# mode random 1 out-of 1022

Note the following when attaching a sampler to an interface:
• When you attach a monitor using a deterministic sampler (for example, s1), every attachment that uses the same sampler s1 consumes one new free sampler from the switch hardware, out of 4 available samplers. Beyond 4 such attachments, you cannot attach a monitor with any sampler.
• In contrast, when you attach a monitor using a random sampler (again, s1), only the first attachment consumes a new hardware sampler. All further attachments that use the same sampler s1 share that hardware sampler.

Because of this behavior, with a deterministic sampler you can always verify that the correct number of flows is sampled by comparing the configured sampling rate with what the switch exports. If the same random sampler is shared by multiple interfaces, flows from one interface can be sampled every time while flows from the other interfaces are always skipped.

Step 5 end
Purpose: Returns to privileged EXEC mode.
Example:
SwitchDevice(config-flow-sampler)# end

Step 6 show sampler [name]
Purpose: (Optional) Displays information about NetFlow samplers.
Example:
SwitchDevice# show sampler SampleTest

Step 7 copy running-config startup-config
Purpose: (Optional) Saves your entries in the configuration file.
Example:
SwitchDevice# copy running-config startup-config

What to do next
Apply the flow monitor to a source interface or a VLAN.
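The window semantics of Step 4 and the hardware-sampler budget it describes, modelled in Python as an added example (this is not Cisco code and nothing in it talks to a switch). The guide does not say which positions in a window a deterministic sampler picks, so fixed positions at the start of each window are an assumption; the sampler names, interface names and packet counts are constructed for illustration.

```python
"""Model of NetFlow Lite sampler behaviour: m of every n packets (n in 32..1022),
four hardware samplers, deterministic attachments each consume one hardware
sampler, attachments sharing a random sampler consume one in total.
Added example, not Cisco code."""
import random

HW_SAMPLERS = 4  # hardware samplers available on the switch, per the guide


class Sampler:
    """Select m packets out of every window of n packets."""

    def __init__(self, name, mode, m, n, seed=None):
        if mode not in ("deterministic", "random"):
            raise ValueError("mode must be 'deterministic' or 'random'")
        if not 1 <= m <= n or not 32 <= n <= 1022:
            raise ValueError("need 1 <= m <= n and 32 <= n <= 1022")
        self.name, self.mode, self.m, self.n = name, mode, m, n
        self._rng = random.Random(seed)
        self._chosen = None  # positions selected in the current random window

    def select(self, packet_index):
        """True if the packet with this 0-based index on the interface is sampled."""
        pos = packet_index % self.n
        if self.mode == "deterministic":
            # Assumption: fixed positions at the start of each window. Predictable,
            # so a sender that knows the window can keep its packets off the sampled positions.
            return pos < self.m
        if pos == 0 or self._chosen is None:
            # New window: draw m distinct positions, so placement cannot be predicted.
            self._chosen = set(self._rng.sample(range(self.n), self.m))
        return pos in self._chosen


def sampled_count(sampler, packets):
    """Number of packets selected out of `packets` consecutive packets."""
    return sum(1 for i in range(packets) if sampler.select(i))


def scale_up(sampled_bytes, sampler):
    """Estimate the unsampled byte count from exported (sampled) bytes: multiply by n/m."""
    return sampled_bytes * sampler.n // sampler.m


class SamplerBudget:
    """Tracks hardware sampler consumption as monitors are attached to interfaces."""

    def __init__(self):
        self.in_use = 0
        self.attachments = []       # (sampler name, interface) accepted so far
        self._random_in_hw = set()  # names of random samplers already programmed

    def attach(self, sampler, interface):
        """Return True if the attachment fits; False when no hardware sampler is free."""
        if sampler.mode == "random" and sampler.name in self._random_in_hw:
            self.attachments.append((sampler.name, interface))
            return True  # shares the hardware sampler of the first attachment
        if self.in_use >= HW_SAMPLERS:
            return False  # the switch rejects the attachment
        self.in_use += 1
        if sampler.mode == "random":
            self._random_in_hw.add(sampler.name)
        self.attachments.append((sampler.name, interface))
        return True
```

Both modes export exactly m records per complete window, so a collector can scale sampled counters by n/m in either case; the difference is that the deterministic positions are predictable, and that each deterministic attachment costs one of the four hardware samplers.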

Applying a Flow to an Interface


You can apply a flow monitor and an optional sampler to an interface.

SUMMARY STEPS
1. configure terminal
2. interface type
3. {ip | ipv6} flow monitor name [sampler name] {input | output}
4. end
5. show flow interface [interface-type number]
6. copy running-config startup-config

DETAILED STEPS

Step 1 configure terminal
Purpose: Enters the global configuration mode.
Example:
SwitchDevice# configure terminal


Step 2 interface type
Purpose: Enters interface configuration mode and configures an interface. The command parameters are the interface type and number.
Example:
SwitchDevice(config)# interface GigabitEthernet1/0/1

You cannot attach a NetFlow monitor to a port channel interface. If both service module interfaces are part of an EtherChannel, attach the monitor to both physical interfaces.


Step 3 {ip | ipv6} flow monitor name [sampler name] {input | output}
Purpose: Associates an IPv4 or an IPv6 flow monitor, and an optional sampler, with the interface for input or output packets.
Example:
SwitchDevice(config-if)# ip flow monitor MonitorTest input

To monitor datalink (Layer 2) traffic flows, use the datalink flow monitor name sampler sampler-name input interface command instead. That command associates a datalink Layer 2 flow monitor and its required sampler with the interface for input packets. When a datalink flow monitor is assigned to an interface or VLAN, it only creates flows for traffic that is neither IPv4 nor IPv6.

Note Whenever you assign a flow monitor to an interface, you must configure a sampler. If the sampler is missing, you will receive an error message.


Step 4 end
Purpose: Returns to privileged EXEC mode.
Example:
SwitchDevice(config-if)# end

Step 5 show flow interface [interface-type number]
Purpose: (Optional) Displays information about NetFlow on an interface.
Example:
SwitchDevice# show flow interface

Step 6 copy running-config startup-config
Purpose: (Optional) Saves your entries in the configuration file.
Example:
SwitchDevice# copy running-config startup-config


Configuring a Bridged NetFlow on a VLAN


You can apply a flow monitor and an optional sampler to a VLAN.

SUMMARY STEPS
1. configure terminal
2. vlan [configuration] vlan-id
3. interface {vlan} vlan-id
4. ip flow monitor monitor-name [sampler sampler-name] {input | output}
5. copy running-config startup-config

DETAILED STEPS

Step 1 configure terminal
Purpose: Enters the global configuration mode.
Example:
SwitchDevice# configure terminal

Step 2 vlan [configuration] vlan-id
Purpose: Enters VLAN or VLAN configuration mode.
Example:
SwitchDevice(config)# vlan configuration 30
SwitchDevice(config-vlan-config)#

Step 3 interface vlan vlan-id
Purpose: Specifies the SVI for the configuration.
Example:
SwitchDevice(config)# interface vlan 30

Step 4 ip flow monitor monitor-name [sampler sampler-name] {input | output}
Purpose: Associates a flow monitor and an optional sampler with the VLAN for input or output packets.
Example:
SwitchDevice(config-vlan-config)# ip flow monitor MonitorTest input

Step 5 copy running-config startup-config
Purpose: (Optional) Saves your entries in the configuration file.
Example:
SwitchDevice# copy running-config startup-config


Configuring Layer 2 NetFlow


You can define Layer 2 keys in NetFlow Lite records that you can use to capture flows in Layer 2 interfaces.

SUMMARY STEPS
1. configure terminal
2. flow record name
3. match datalink {ethertype | mac {destination {address input} | source {address input}}}
4. match {ipv4 {destination | protocol | source | tos} | ipv6 {destination | flow-label | protocol | source | traffic-class} | transport {destination-port | source-port}}
5. end
6. show flow record [name ]
7. copy running-config startup-config

DETAILED STEPS

Step 1 configure terminal
Purpose: Enters the global configuration mode.
Example:
SwitchDevice# configure terminal

Step 2 flow record name
Purpose: Enters flow record configuration mode.
Example:
SwitchDevice(config)# flow record L2_record
SwitchDevice(config-flow-record)#


Step 3 match datalink {ethertype | mac {destination {address input} | source {address input}}}
Purpose: Specifies a Layer 2 attribute as a key. In this example, the keys are the source and destination MAC addresses from the packet at input.
Example:
SwitchDevice(config-flow-record)# match datalink mac source address input
SwitchDevice(config-flow-record)# match datalink mac destination address input

Note When a datalink flow monitor is assigned to an interface or VLAN, it only creates flows for traffic that is neither IPv4 nor IPv6.


Step 4 match {ipv4 {destination | protocol | source | tos} | ipv6 {destination | flow-label | protocol | source | traffic-class} | transport {destination-port | source-port}}
Purpose: Specifies additional Layer 3 or Layer 4 attributes as keys. In this example, the keys are the IPv4 protocol and ToS.
Example:
SwitchDevice(config-flow-record)# match ipv4 protocol
SwitchDevice(config-flow-record)# match ipv4 tos


Step 5 end
Purpose: Returns to privileged EXEC mode.
Example:
SwitchDevice(config-flow-record)# end


Step 6 show flow record [name]
Purpose: (Optional) Displays information about the configured flow records.
Example:
SwitchDevice# show flow record


Step 7 copy running-config startup-config
Purpose: (Optional) Saves your entries in the configuration file.
Example:
SwitchDevice# copy running-config startup-config

Monitoring Flexible NetFlow


The commands in the following table can be used to monitor Flexible NetFlow.

Table 60: Flexible NetFlow Monitoring Commands

show flow exporter [broker | export-ids | name exporter-name | statistics | templates]
Purpose: Displays information about NetFlow flow exporters and statistics.

show flow exporter [name exporter-name]
Purpose: Displays information about NetFlow flow exporters and statistics.

show flow interface
Purpose: Displays information about NetFlow interfaces.

show flow monitor [name monitor-name]
Purpose: Displays information about NetFlow flow monitors and statistics.

show flow monitor statistics
Purpose: Displays the statistics for the flow monitor.

show flow monitor cache format {table | record | csv}
Purpose: Displays the contents of the cache for the flow monitor, in the format specified.

show flow record [name record-name]
Purpose: Displays information about NetFlow flow records.

show flow ssid
Purpose: Displays NetFlow monitor installation status for a WLAN.

show sampler [broker | name sampler-name]
Purpose: Displays information about NetFlow samplers.

show wlan wlan-name
Purpose: Displays the WLAN configured on the device.


Configuration Examples for NetFlow Lite


Example: Configuring a Flow

Note When configuring a flow, you need to have the protocol, source port, destination port, first and last timestamps,
and packet and bytes counters defined in the flow record. Otherwise, you will get the following error message:
"Warning: Cannot set protocol distribution with this Flow Record. Require protocol, source and destination
ports, first and last timestamps and packet and bytes counters."

This example shows how to create a flow and apply it to an interface:

SwitchDevice# configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
SwitchDevice(config)# flow exporter export1
SwitchDevice(config-flow-exporter)# destination 10.0.101.254
SwitchDevice(config-flow-exporter)# transport udp 2055
SwitchDevice(config-flow-exporter)# template data timeout 60
SwitchDevice(config-flow-exporter)# exit
SwitchDevice(config)# flow record record1
SwitchDevice(config-flow-record)# match ipv4 source address
SwitchDevice(config-flow-record)# match ipv4 destination address
SwitchDevice(config-flow-record)# match ipv4 protocol
SwitchDevice(config-flow-record)# match transport source-port
SwitchDevice(config-flow-record)# match transport destination-port
SwitchDevice(config-flow-record)# collect counter bytes long
SwitchDevice(config-flow-record)# collect counter packets long
SwitchDevice(config-flow-record)# collect timestamp sys-uptime first
SwitchDevice(config-flow-record)# collect timestamp sys-uptime last
SwitchDevice(config-flow-record)# exit
SwitchDevice(config)# sampler SampleTest
SwitchDevice(config-sampler)# mode random 1 out-of 100
SwitchDevice(config-sampler)# exit
SwitchDevice(config)# flow monitor monitor1
SwitchDevice(config-flow-monitor)# cache timeout active 300
SwitchDevice(config-flow-monitor)# cache timeout inactive 120
SwitchDevice(config-flow-monitor)# record record1
SwitchDevice(config-flow-monitor)# exporter export1
SwitchDevice(config-flow-monitor)# exit
SwitchDevice(config)# interface GigabitEthernet1/0/1
SwitchDevice(config-if)# ip flow monitor monitor1 sampler SampleTest input
SwitchDevice(config-if)# end
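The exporter configured above sends NetFlow v9 datagrams to 10.0.101.254 on UDP 2055, resending the template every 60 seconds. What a collector has to do with those datagrams, as an added example in Python (not code from the guide or from Cisco): parse the v9 header, learn the template flowset, decode data flowsets against it, and drop data that arrives before its template. The packet is constructed inline to carry exactly the fields record1 matches and collects; the template ID 256, source ID 0 and the flow values are assumptions.

```python
"""Collector-side parser for the NetFlow v9 export that monitor1/export1 above
would produce. Added example, not code from the guide. The sample packet is
constructed here to carry exactly the record1 fields; template ID 256, source
ID 0 and the flow values are assumptions."""
import ipaddress
import struct

# NetFlow v9 field type IDs (RFC 3954) for the fields record1 matches and collects
FIELD_NAMES = {
    1: "IN_BYTES", 2: "IN_PKTS", 4: "PROTOCOL", 7: "L4_SRC_PORT",
    8: "IPV4_SRC_ADDR", 11: "L4_DST_PORT", 12: "IPV4_DST_ADDR",
    21: "LAST_SWITCHED", 22: "FIRST_SWITCHED",
}
HEADER = struct.Struct("!HHIIII")  # version, count, sysUptime, unixSecs, sequence, sourceId


def _decode(field_type, raw):
    if field_type in (8, 12):
        return str(ipaddress.IPv4Address(raw))
    return int.from_bytes(raw, "big")


def parse_v9(packet, templates=None):
    """Parse one export packet.

    templates maps (source_id, template_id) -> [(field_type, length), ...] and is
    updated in place, so a collector keeps one dict across packets. Returns
    (header, records, skipped); skipped counts data flowsets that arrived before
    their template and had to be dropped until the exporter resends it.
    """
    if templates is None:
        templates = {}
    version, count, uptime, unix_secs, seq, source_id = HEADER.unpack_from(packet)
    if version != 9:
        raise ValueError(f"not NetFlow v9 (version {version})")
    header = {"count": count, "sys_uptime_ms": uptime, "unix_secs": unix_secs,
              "sequence": seq, "source_id": source_id}
    records, skipped, offset = [], 0, HEADER.size
    while offset + 4 <= len(packet):
        flowset_id, length = struct.unpack_from("!HH", packet, offset)
        if length < 4 or offset + length > len(packet):
            raise ValueError("malformed flowset length")
        body = packet[offset + 4:offset + length]
        if flowset_id == 0:  # template flowset: (template id, field count, type/length pairs)
            pos = 0
            while pos + 4 <= len(body):
                template_id, nfields = struct.unpack_from("!HH", body, pos)
                pos += 4
                fields = [struct.unpack_from("!HH", body, pos + 4 * i) for i in range(nfields)]
                pos += 4 * nfields
                templates[(source_id, template_id)] = fields
        elif flowset_id >= 256:  # data flowset, decoded with its template
            fields = templates.get((source_id, flowset_id))
            if fields is None:
                skipped += 1
            else:
                rec_len = sum(flen for _, flen in fields)
                pos = 0
                while pos + rec_len <= len(body):  # trailing bytes are padding
                    rec = {}
                    for ftype, flen in fields:
                        rec[FIELD_NAMES.get(ftype, f"field_{ftype}")] = _decode(ftype, body[pos:pos + flen])
                        pos += flen
                    records.append(rec)
        offset += length
    return header, records, skipped


def build_sample_packet(include_template=True):
    """Constructed packet in the layout the exporter above would send for record1."""
    fields = [(8, 4), (12, 4), (4, 1), (7, 2), (11, 2), (1, 8), (2, 8), (22, 4), (21, 4)]
    # one flow: 10.1.1.5:51234 -> 10.0.101.7:443 TCP, 42000 bytes, 30 packets, first 1000 ms, last 65000 ms
    record = (ipaddress.IPv4Address("10.1.1.5").packed + ipaddress.IPv4Address("10.0.101.7").packed
              + struct.pack("!BHHQQII", 6, 51234, 443, 42000, 30, 1000, 65000))
    flowsets = b""
    if include_template:
        tmpl = struct.pack("!HH", 256, len(fields)) + b"".join(struct.pack("!HH", t, l) for t, l in fields)
        flowsets += struct.pack("!HH", 0, 4 + len(tmpl)) + tmpl
    pad = (-len(record)) % 4  # data flowsets are padded to a 32-bit boundary
    flowsets += struct.pack("!HH", 256, 4 + len(record) + pad) + record + b"\x00" * pad
    header = HEADER.pack(9, 2 if include_template else 1, 70000, 1700000000, 1, 0)
    return header + flowsets
```

Because the sampler above is 1 out-of 100, the byte and packet counters in each decoded record are sampled values; a collector that reports volumes multiplies them by 100. The skipped counter is the practical reason for the template data timeout: until the template has been seen, every data flowset from that exporter is undecodable.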

Related Topics
Creating a Flow Record, on page 617
Flow Records, on page 609
Creating a Flow Exporter, on page 619
Exporters
Creating a Flow Monitor, on page 621
Monitors
Creating a Sampler
Samplers

CHAPTER 33
Configuring Cache Services Using the Web
Cache Communication Protocol
• Finding Feature Information, on page 631
• Prerequisites for WCCP, on page 631
• Restrictions for WCCP, on page 632
• Information About WCCP, on page 633
• How to Configure WCCP, on page 636

Finding Feature Information


Your software release may not support all the features documented in this module. For the latest caveats and
feature information, see Bug Search Tool and the release notes for your platform and software release. To
find information about the features documented in this module, and to see a list of the releases in which each
feature is supported, see the feature information table at the end of this module.
Use Cisco Feature Navigator to find information about platform support and Cisco software image support.
To access Cisco Feature Navigator, go to http://www.cisco.com/go/cfn. An account on Cisco.com is not
required.

Prerequisites for WCCP


Before configuring WCCP on your switch, make sure you adhere to the following configuration prerequisites:
• The application engines and switches in the same service group must be in the same subnetwork directly
connected to the switch that has WCCP enabled.
• Configure the switch interfaces that are connected to the clients, the application engines, and the server
as Layer 3 interfaces (routed ports and switch virtual interfaces [SVIs]). For WCCP packet redirection
to work, the servers, application engines, and clients must be on different subnets.
• Use only nonreserved multicast addresses when configuring a single multicast address for each application
engine.
• WCCP entries and PBR entries use the same TCAM region. WCCP is supported only on the templates
that support PBR: access, routing, and dual IPv4/v6 routing.

• When TCAM entries are not available to add WCCP entries, packets are not redirected and are forwarded
by using the standard routing tables.
• The number of available policy-based routing (PBR) labels is reduced as more interfaces are enabled
for WCCP ingress redirection. For every interface that supports service groups, one label is consumed.
The WCCP labels are taken from the PBR labels, so you need to monitor and manage the labels that are
available between PBR and WCCP. When labels are not available, the switch cannot add service groups.
However, if another interface has the same sequence of service groups, a new label is not needed, and
the group can be added to the interface.
• The routing maximum transmission unit (MTU) size configured on the stack member switches should
be larger than the client MTU size. The MAC-layer MTU size configured on ports connected to application
engines should consider the GRE tunnel header bytes.

Restrictions for WCCP


Unsupported WCCP Features
The following WCCP features are not supported in this software release:
• Packet redirection on an outbound interface that is configured by using the ip wccp redirect out interface
configuration command.
• The GRE forwarding method for packet redirection.
• GRE redirect and return.
• On the Cisco Catalyst 3560-CX switches, to avoid packet loss you must use the flow control interface
configuration command on the 1-Gigabit port connected to the Customer Edge (CE).
• WCCP over GRE
• The hash assignment method for load balancing.
• SNMP support for WCCP.
• Hash assignments in hardware. You can load balance using mask assignments only.
• Redirection for fragmented packets. This is a security feature.

General Restrictions
• Maximum number of service groups: eight ingress and eight egress.
• You cannot configure WCCP and VPN routing/forwarding (VRF) on the same switch interface.
• You cannot configure WCCP and PBR on the same switch interface.
• You cannot configure WCCP and a private VLAN (PVLAN) on the same switch interface.
• The ip wccp redirect exclude in command allows you to exclude ingress packets from egress WCCP
methods. It is not needed on the interface to CE.
• When no cache engine is available, matching packets are dropped. This is closed group support. There
is no VRF-aware WCCP support and no IPv6 WCCP.

• When the device is configured with the ip wccp check services all command, if the redirect ACL of a
service group does not match a packet, the packet is checked against the next-priority service group.

Information About WCCP


WCCP Overview

Note To use this feature, the device must be running the IP Services feature set.
WCCP is supported only on Cisco Catalyst 3560-CX switches.

WCCP is a Cisco-developed content-routing technology that you can use to integrate wide-area application
engines (referred to as application engines) into your network infrastructure. The application engines
transparently store frequently accessed content and then fulfill successive requests for the same content,
eliminating repetitive transmissions of identical content from servers. Application engines accelerate content
delivery and ensure maximum scalability and availability of content. In a service-provider network, you can
deploy the WCCP and application engine solution at the points of presence (POPs). In an enterprise network,
you can deploy the WCCP and application engine solution at a regional site or small branch office.
The WCCP and Cisco cache engines (or other application engines running WCCP) localize traffic patterns
in the network, enabling content requests to be fulfilled locally.
WCCP enables supported Cisco routers and switches to transparently redirect content requests. With transparent
redirection, users do not have to configure their browsers to use a web proxy. Instead, they can use the target
URL to request content, and their requests are automatically redirected to an application engine. The word
transparent means that the end user does not know that a requested file (such as a web page) came from the
application engine instead of from the originally specified server.
When an application engine receives a request, it attempts to service it from its own local cache. If the requested
information is not present, the application engine sends a separate request to the end server to retrieve the
requested information. After receiving the requested information, the application engine forwards it to the
requesting client and also caches it to fulfill future requests.
With WCCP, the application-engine cluster (a series of application engines) can service multiple routers or
switches.

WCCP Message Exchange


The following sequence of events describes the WCCP message exchange:
1. The application engines send their IP addresses to the WCCP-enabled switch by using WCCP, signaling
their presence through a Here I am message. The switch and application engines communicate to each
other through a control channel based on UDP port 2048.
2. The WCCP-enabled switch uses the application engine IP information to create a cluster view (a list of
application engines in the cluster). This view is sent through an I see you message to each application
engine in the cluster, essentially making all the application engines aware of each other. A stable view is
established after the membership of the cluster remains the same for a certain amount of time.

3. When a stable view is established, the application engine in the cluster with the lowest IP address is elected
as the designated application engine.

WCCP Negotiation
In the exchange of WCCP protocol messages, the designated application engine and the WCCP-enabled switch
negotiate these items:
• Forwarding method (the method by which the switch forwards packets to the application engine). The
switch rewrites the Layer 2 header by replacing the packet destination MAC address with the target
application engine MAC address. It then forwards the packet to the application engine. This forwarding
method requires the target application engine to be directly connected to the switch at Layer 2.
• Assignment method (the method by which packets are distributed among the application engines in the
cluster). The switch uses some bits of the destination IP address, the source IP address, the destination
Layer 4 port, and the source Layer 4 port to determine which application engine receives the redirected
packets.
• Packet-return method (the method by which packets are returned from the application engine to the
switch for normal forwarding). These are the typical reasons why an application engine rejects packets
and starts the packet-return feature:
• The application engine is overloaded and has no room to service the packets.
• The application engine receives an error message (such as a protocol or authentication error) from
the server and uses the dynamic client bypass feature. The bypass enables clients to bypass the
application engines and to connect directly to the server.

The application engine returns a packet to the WCCP-enabled switch to forward to the server as if the application
engine is not present. The application engine does not intercept the reconnection attempt. In this way, the
application engine effectively cancels the redirection of a packet to the application engine and creates a bypass
flow. If the return method is Layer 2 rewrite, the packets are forwarded in hardware to the target server. When
the server responds with the information, the switch uses normal Layer 3 forwarding to return the information
to the requesting client.

MD5 Security
WCCP provides an optional security component in each protocol message so that the switch can use MD5
authentication on messages between the switch and the application engine. When authentication is enabled
on the switch, messages that do not carry a valid MD5 authenticator are discarded. The shared password
string is folded into the MD5 computation, so only a peer that knows the password can produce an
authenticator the switch accepts. You must configure the same password on each application engine. This
authenticates the WCCP control messages only; it does not encrypt them or the redirected traffic.

Packet Redirection and Service Groups


You can configure WCCP to classify traffic for redirection, such as FTP, proxy-web-cache handling, and
audio and video applications. This classification, known as a service group, is based on the protocol type
(TCP or UDP) and the Layer 4 source or destination port numbers. The service groups are identified either by
well-known names such as web-cache, which means TCP port 80, or by a service number, 0 to 99. Service groups
are configured to map to a protocol and Layer 4 port numbers and are established and maintained independently.

WCCP allows dynamic service groups, where the classification criteria are provided dynamically by a
participating application engine.
You can configure up to 8 service groups on a switch or switch stack and up to 32 cache engines per service
group. WCCP maintains the priority of the service group in the group definition. WCCP uses the priority to
configure the service groups in the switch hardware. For example, if service group 1 has a priority of 100 and
looks for destination port 80, and service group 2 has a priority of 50 and looks for source port 80, the incoming
packet with source and destination port 80 is forwarded by using service group 1 because it has the higher
priority.
WCCP supports a cluster of application engines for every service group. Redirected traffic can be sent to any
one of the application engines. The switch supports the mask assignment method of load balancing the traffic
among the application engines in the cluster for a service group.
After WCCP is configured on the switch, the switch forwards all service group packets received from clients
to the application engines. However, the following packets are not redirected:
• Packets originating from the application engine and targeted to the server.
• Packets originating from the application engine and targeted to the client.
• Packets returned or rejected by the application engine. These packets are sent to the server.

You can configure a single multicast address per service group for sending and receiving protocol messages.
When there is a single multicast address, the application engine sends a notification to one address, which
provides coverage for all routers in the service group, for example, 225.0.0.0. If you add and remove routers
dynamically, using a single multicast address provides easier configuration because you do not need to
specifically enter the addresses of all devices in the WCCP network.
You can use a router group list to validate the protocol packets received from the application engine. Packets
whose address matches the group list are processed; packets that do not match the group list are dropped.
To disable caching for specific clients, servers, or client/server pairs, you can use a WCCP redirect access
control list (ACL). Packets that do not match the redirect ACL bypass the cache and are forwarded normally.
Before WCCP packets are redirected, the switch examines ACLs associated with all inbound features configured
on the interface and permits or denies packet forwarding based on how the packet matches the entries in the
ACL.

Note Both permit and deny ACL entries are supported in WCCP redirect lists.

When packets are redirected, the output ACLs associated with the redirected interface are applied to the
packets. Any ACLs associated with the original port are not applied unless you specifically configure the
required output ACLs on the redirected interfaces.
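The redirection rules of this section, modelled in Python as an added example (not Cisco code and not the WCCP wire protocol): service groups are tried in priority order, the redirect ACL decides whether a matching packet is redirected or bypasses the cache, packets sourced by an application engine are never redirected, a group with no engine drops the packet (closed group), ip wccp check services all falls through to the next group on an ACL miss, and a simplified mask assignment picks the engine. The groups, engine addresses, masks and packets are constructed; the 175.20.0.0/16 client and 172.20.10.0/24 engine addressing follows the guide's own configuration example, and the real protocol negotiates the masks and value table with the designated engine rather than using the fixed ones here.

```python
"""Model of the WCCP redirection decision: priority-ordered service groups,
redirect ACL, never-redirected engine traffic, closed-group drops,
`ip wccp check services all`, and a simplified mask assignment.
Added example, not Cisco code; all data below is constructed."""
import ipaddress
from dataclasses import dataclass


@dataclass
class ServiceGroup:
    name: str
    priority: int          # higher value wins, as in the guide's example (100 beats 50)
    protocol: str          # "tcp" or "udp"
    dst_ports: tuple = ()
    src_ports: tuple = ()
    engines: tuple = ()    # application-engine IPs; empty means no engine is available
    redirect_list: tuple = ()  # ((action, source_network), ...); empty = redirect all

    def classifies(self, pkt):
        return pkt["proto"] == self.protocol and (
            pkt["dport"] in self.dst_ports or pkt["sport"] in self.src_ports)

    def acl_permits(self, pkt):
        """Redirect ACL: first matching entry decides; no match is an implicit deny."""
        if not self.redirect_list:
            return True
        src = ipaddress.ip_address(pkt["src"])
        for action, net in self.redirect_list:
            if src in ipaddress.ip_network(net):
                return action == "permit"
        return False


def mask_assign(pkt, engines, masks=(0x0, 0x1F, 0x0, 0x0)):
    """Simplified mask assignment (assumption, not the negotiated protocol tables).
    masks select bits of (src addr, dst addr, src port, dst port); the selected
    bits are packed into an index and the value table maps indexes to engines
    round-robin."""
    values = (int(ipaddress.ip_address(pkt["src"])), int(ipaddress.ip_address(pkt["dst"])),
              pkt["sport"], pkt["dport"])
    index = width = 0
    for value, mask in zip(values, masks):
        bit = 0
        while mask:
            if mask & 1:
                index |= ((value >> bit) & 1) << width
                width += 1
            mask >>= 1
            bit += 1
    return engines[index % len(engines)]


def redirect_decision(pkt, groups, check_services_all=False):
    """Return ("forward", None), ("drop", group_name) or ("redirect", engine_ip)."""
    all_engines = {e for g in groups for e in g.engines}
    if pkt["src"] in all_engines:
        return ("forward", None)  # engine-to-server and engine-to-client packets are not redirected
    for group in sorted(groups, key=lambda g: g.priority, reverse=True):
        if not group.classifies(pkt):
            continue
        if not group.acl_permits(pkt):
            if check_services_all:
                continue  # ip wccp check services all: try the next-priority group
            return ("forward", None)  # bypasses the cache, forwarded normally
        if not group.engines:
            return ("drop", group.name)  # closed group: no cache engine available
        return ("redirect", mask_assign(pkt, group.engines))
    return ("forward", None)


# Constructed topology: clients in 175.20.0.0/16, engines on 172.20.10.0/24,
# one client subnet excluded from caching by the redirect ACL.
GROUPS = (
    ServiceGroup("web-cache", 100, "tcp", dst_ports=(80,), engines=("172.20.10.5", "172.20.10.6"),
                 redirect_list=(("deny", "175.20.60.0/24"), ("permit", "175.20.0.0/16"))),
    ServiceGroup("90", 50, "tcp", src_ports=(80,), engines=("172.20.10.5",)),
    ServiceGroup("91", 40, "tcp", dst_ports=(21,), engines=()),
)


def packet(src, dst, sport, dport, proto="tcp"):
    return {"src": src, "dst": dst, "sport": sport, "dport": dport, "proto": proto}
```

The group-91 case is the one to notice when rolling out a service group: with no engine registered, matching traffic is dropped rather than forwarded, so a redirect ACL that scopes the group to the intended clients limits the blast radius of an engine outage.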

How to Configure WCCP


Default WCCP Configuration
Feature: WCCP enable state. Default setting: WCCP services are disabled.
Feature: Protocol version. Default setting: WCCPv2.
Feature: Redirecting traffic received on an interface. Default setting: Disabled.

Related Topics
Enabling the Cache Service, on page 636

Enabling the Cache Service


For WCCP packet redirection to operate, you must configure the switch interface connected to the client to
redirect inbound packets.
This procedure shows how to configure these features on routed ports. To configure these features on SVIs,
see the configuration examples that follow the procedure.
Follow these steps to enable the cache service, to set a multicast group address or group list, to configure
routed interfaces, to redirect inbound packets received from a client to the application engine, enable an
interface to listen for a multicast address, and to set a password. This procedure is required.

Before you begin


Configure the SDM template, and reboot the device.

SUMMARY STEPS
1. enable
2. configure terminal
3. ip wccp {web-cache | service-number} [group-address groupaddress] [group-list
access-list] [redirect-list access-list] [password encryption-number password]
4. interface interface-id
5. no switchport
6. ip address ip-address subnet-mask
7. no shutdown
8. exit
9. interface interface-id
10. no switchport
11. ip address ip-address subnet-mask
12. no shutdown
13. ip wccp {web-cache | service-number} redirect in
14. ip wccp {web-cache | service-number} group-listen

15. exit
16. end
17. show running-config
18. copy running-config startup-config

DETAILED STEPS

Step 1 enable
Purpose: Enables privileged EXEC mode. Enter your password if prompted.
Example:
SwitchDevice> enable

Step 2 configure terminal
Purpose: Enters the global configuration mode.
Example:
SwitchDevice# configure terminal

Step 3 ip wccp {web-cache | service-number} [group-address groupaddress] [group-list access-list] [redirect-list access-list] [password encryption-number password]
Purpose: Enables the cache service, and specifies the service number that corresponds to a dynamic service that is defined by the application engine. By default, this feature is disabled.
(Optional) For group-address groupaddress, specifies the multicast group address used by the switches and the application engines to participate in the service group.
(Optional) For group-list access-list, if a multicast group address is not used, specify a list of valid IP addresses that correspond to the application engines that are participating in the service group.
(Optional) For redirect-list access-list, specify the redirect service for specific hosts or specific packets from hosts.
(Optional) For password encryption-number password, specify an encryption number. The range is 0 to 7. Use 0 for not encrypted, and use 7 for proprietary. Specify a password up to seven characters in length. The switch combines the password with the MD5 authentication value to secure the connection between the switch and the application engine. By default, no password is configured, and no authentication is performed. You must configure the same password on each application engine. When authentication is enabled, the switch discards messages that are not authenticated. Encryption number 7 is reversible obfuscation of the stored password, not encryption, so protect copies of the configuration accordingly.
Example:
SwitchDevice(config)# ip wccp web-cache

Step 4 interface interface-id
Purpose: Specifies the interface connected to the application engine or the server, and enters interface configuration mode.
Example:
SwitchDevice(config)# interface gigabitethernet1/0/1

Step 5 no switchport
Purpose: Enters Layer 3 mode.
Example:
SwitchDevice(config-if)# no switchport

Step 6 ip address ip-address subnet-mask
Purpose: Configures the IP address and subnet mask.
Example:
SwitchDevice(config-if)# ip address 172.20.10.30 255.255.255.0

Step 7 no shutdown
Purpose: Enables the interface.
Example:
SwitchDevice(config-if)# no shutdown

Step 8 exit
Purpose: Returns to global configuration mode. Repeat Steps 4 through 8 for each application engine and server.
Example:
SwitchDevice(config-if)# exit

Step 9 interface interface-id
Purpose: Specifies the interface connected to the client, and enters interface configuration mode.
Example:
SwitchDevice(config)# interface gigabitethernet1/0/2

Step 10 no switchport
Purpose: Enters Layer 3 mode.
Example:
SwitchDevice(config-if)# no switchport

Step 11 ip address ip-address subnet-mask
Purpose: Configures the IP address and subnet mask.
Example:
SwitchDevice(config-if)# ip address 175.20.20.10 255.255.255.0

Step 12 no shutdown
Purpose: Enables the interface.
Example:
SwitchDevice(config-if)# no shutdown

Step 13 ip wccp {web-cache | service-number} redirect in
Purpose: Redirects packets received from the client to the application engine. Enable this on the interface connected to the client.
Example:
SwitchDevice(config-if)# ip wccp web-cache redirect in

Step 14 ip wccp {web-cache | service-number} group-listen
Purpose: (Optional) When using a multicast group address, the group-listen keyword enables the interface to listen for the multicast address. Enable this on the interface connected to the application engine.
Example:
SwitchDevice(config-if)# ip wccp web-cache group-listen

Step 15 exit
Purpose: Returns to global configuration mode. Repeat Steps 9 through 15 for each client.
Example:
SwitchDevice(config-if)# exit

Step 16 end
Purpose: Returns to privileged EXEC mode.
Example:
SwitchDevice(config)# end

Step 17 show running-config
Purpose: Verifies your entries.
Example:
SwitchDevice# show running-config

Step 18 copy running-config startup-config
Purpose: (Optional) Saves your entries in the configuration file.
Example:
SwitchDevice# copy running-config startup-config

Configuration Examples
This example shows how to configure routed interfaces and to enable the cache service with a
multicast group address and a redirect access list. Gigabit Ethernet port 1 is connected to the
application engine, is configured as a routed port with an IP address of 172.20.10.30, and is reenabled.
Gigabit Ethernet port 2 is connected through the Internet to the server, is configured as a routed port
with an IP address of 175.20.20.10, and is reenabled. Gigabit Ethernet ports 3 to 6 are connected to
the clients and are configured as routed ports with IP addresses 175.20.30.20, 175.20.40.30,
175.20.50.40, and 175.20.60.50. The switch listens for multicast traffic and redirects packets received
from the client interfaces to the application engine.

SwitchDevice# configure terminal
SwitchDevice(config)# ip wccp web-cache group-address 224.1.1.100 redirect list 12
SwitchDevice(config)# access-list 12 permit host 10.1.1.1
SwitchDevice(config)# interface gigabitethernet1/0/1
SwitchDevice(config-if)# no switchport
SwitchDevice(config-if)# ip address 172.20.10.30 255.255.255.0
SwitchDevice(config-if)# no shutdown
SwitchDevice(config-if)# ip wccp web-cache group-listen
SwitchDevice(config-if)# exit
SwitchDevice(config)# interface gigabitethernet1/0/2
SwitchDevice(config-if)# no switchport
SwitchDevice(config-if)# ip address 175.20.20.10 255.255.255.0
SwitchDevice(config-if)# no shutdown
SwitchDevice(config-if)# exit
SwitchDevice(config)# interface gigabitethernet1/0/3
SwitchDevice(config-if)# no switchport
SwitchDevice(config-if)# ip address 175.20.30.20 255.255.255.0
SwitchDevice(config-if)# no shutdown
SwitchDevice(config-if)# ip wccp web-cache redirect in
SwitchDevice(config-if)# exit
SwitchDevice(config)# interface gigabitethernet1/0/4
SwitchDevice(config-if)# no switchport
SwitchDevice(config-if)# ip address 175.20.40.30 255.255.255.0
SwitchDevice(config-if)# no shutdown
SwitchDevice(config-if)# ip wccp web-cache redirect in
SwitchDevice(config-if)# exit
SwitchDevice(config)# interface gigabitethernet1/0/5
SwitchDevice(config-if)# no switchport
SwitchDevice(config-if)# ip address 175.20.50.40 255.255.255.0
SwitchDevice(config-if)# no shutdown
SwitchDevice(config-if)# ip wccp web-cache redirect in
SwitchDevice(config-if)# exit
SwitchDevice(config)# interface gigabitethernet1/0/6
SwitchDevice(config-if)# no switchport
SwitchDevice(config-if)# ip address 175.20.60.50 255.255.255.0
SwitchDevice(config-if)# no shutdown
SwitchDevice(config-if)# ip wccp web-cache redirect in
SwitchDevice(config-if)# exit

This example shows how to configure SVIs and how to enable the cache service with a multicast
group list. VLAN 299 is created and configured with an IP address of 175.20.20.10. Gigabit Ethernet
port 1 is connected through the Internet to the server and is configured as an access port in VLAN
299. VLAN 300 is created and configured with an IP address of 172.20.10.30. Gigabit Ethernet port
2 is connected to the application engine and is configured as an access port in VLAN 300. VLAN
301 is created and configured with an IP address of 175.20.30.50. Fast Ethernet ports 3 to 6, which
are connected to the clients, are configured as access ports in VLAN 301. The switch redirects packets
received from the client interfaces to the application engine.

Note Both permit and deny ACL entries are supported in WCCP redirect lists.

SwitchDevice# configure terminal
SwitchDevice(config)# ip wccp web-cache group-list 15
SwitchDevice(config)# access-list 15 permit host 171.69.198.102
SwitchDevice(config)# access-list 15 permit host 171.69.198.104
SwitchDevice(config)# access-list 15 permit host 171.69.198.106
SwitchDevice(config)# vlan 299
SwitchDevice(config-vlan)# exit
SwitchDevice(config)# interface vlan 299
SwitchDevice(config-if)# ip address 175.20.20.10 255.255.255.0
SwitchDevice(config-if)# exit
SwitchDevice(config)# interface gigabitethernet1/0/1
SwitchDevice(config-if)# switchport mode access
SwitchDevice(config-if)# switchport access vlan 299
SwitchDevice(config)# vlan 300
SwitchDevice(config-vlan)# exit
SwitchDevice(config)# interface vlan 300
SwitchDevice(config-if)# ip address 171.69.198.100 255.255.255.0
SwitchDevice(config-if)# exit
SwitchDevice(config)# interface gigabitethernet1/0/2
SwitchDevice(config-if)# switchport mode access
SwitchDevice(config-if)# switchport access vlan 300
SwitchDevice(config-if)# exit
SwitchDevice(config)# vlan 301
SwitchDevice(config-vlan)# exit
SwitchDevice(config)# interface vlan 301
SwitchDevice(config-if)# ip address 175.20.30.20 255.255.255.0
SwitchDevice(config-if)# ip wccp web-cache redirect in
SwitchDevice(config-if)# exit
SwitchDevice(config)# interface range gigabitethernet1/0/3 - 6
SwitchDevice(config-if-range)# switchport mode access
SwitchDevice(config-if-range)# switchport access vlan 301
SwitchDevice(config-if-range)# exit

What to do next
To disable the cache service, use the no ip wccp web-cache global configuration command. To disable
inbound packet redirection, use the no ip wccp web-cache redirect in interface configuration command.
After completing this procedure, configure the application engines in the network.
Related Topics
Default WCCP Configuration, on page 636

PART VI
QoS
• Configuring QoS, on page 645
• Configuring Auto-QoS, on page 745
CHAPTER 34
Configuring QoS
• Finding Feature Information, on page 645
• Prerequisites for QoS, on page 645
• Restrictions for QoS, on page 647
• Information About QoS, on page 648
• How to Configure QoS, on page 675
• Monitoring Standard QoS, on page 732
• Configuration Examples for QoS, on page 733
• Where to Go Next, on page 744

Finding Feature Information


Your software release may not support all the features documented in this module. For the latest feature
information and caveats, see the release notes for your platform and software release.
Use Cisco Feature Navigator to find information about platform support and Cisco software image support.
To access Cisco Feature Navigator, go to http://www.cisco.com/go/cfn. An account on Cisco.com is not
required.

Prerequisites for QoS


Before configuring standard QoS, you must have a thorough understanding of these items:
• The types of applications used and the traffic patterns on your network.
• Traffic characteristics and needs of your network. For example, is the traffic on your network bursty?
Do you need to reserve bandwidth for voice and video streams?
• Bandwidth requirements and speed of the network.
• Location of congestion points in the network.

QoS ACL Guidelines


Follow these guidelines when configuring QoS with access control lists (ACLs):


• It is not possible to match IP fragments against configured IP extended ACLs to enforce QoS. IP fragments
are sent as best-effort. IP fragments are denoted by fields in the IP header.
• Only one ACL per class map and only one match class-map configuration command per class map are
supported. The ACL can have multiple ACEs, which match fields against the contents of the packet.
• A trust statement in a policy map requires multiple hardware entries per ACL line. If an input service
policy map contains a trust statement in an ACL, the access list might be too large to fit into the available
QoS hardware memory, and an error can occur when you apply the policy map to a port. Whenever
possible, you should minimize the number of lines in a QoS ACL.

Related Topics
Creating an IP Standard ACL for IPv4 Traffic, on page 687
Creating an IP Extended ACL for IPv4 Traffic, on page 688
Creating an IPv6 ACL for IPv6 Traffic, on page 690
Creating a Layer 2 MAC ACL for Non-IP Traffic, on page 692

Policing Guidelines
• The port ASIC device, which controls more than one physical port, supports 256 policers (255
user-configurable policers plus 1 policer reserved for system internal use). The maximum number of
user-configurable policers supported per port is 63. Policers are allocated on demand by the software
and are constrained by the hardware and ASIC boundaries.
You cannot reserve policers per port; there is no guarantee that a port will be assigned to any policer.
• Only one policer is applied to a packet on an ingress port. Only the average rate and committed burst
parameters are configurable.
• On a port configured for QoS, all traffic received through the port is classified, policed, and marked
according to the policy map attached to the port. On a trunk port configured for QoS, traffic in all VLANs
received through the port is classified, policed, and marked according to the policy map attached to the
port.
• If you have EtherChannel ports configured on your switch, you must configure QoS classification,
policing, mapping, and queueing on the individual physical ports that comprise the EtherChannel. You
must decide whether the QoS configuration should match on all ports in the EtherChannel.
• If you need to modify a policy map of an existing QoS policy, first remove the policy map from all
interfaces, and then modify or copy the policy map. After you finish the modification, apply the modified
policy map to the interfaces. If you do not first remove the policy map from all interfaces, high CPU
usage can occur, which, in turn, can cause the console to pause for a very long time.

General QoS Guidelines


These are the general QoS guidelines:
• You configure QoS only on physical ports; there is no support for it at the VLAN level.
• Control traffic (such as spanning-tree bridge protocol data units [BPDUs] and routing update packets)
received by the switch is subject to all ingress QoS processing.


• You are likely to lose data when you change queue settings; therefore, try to make changes when traffic
is at a minimum.
• The switch supports homogeneous stacking and mixed stacking. Mixed stacking is supported only with
the Catalyst 2960-S switches. A homogeneous stack can have up to eight stack members, while a mixed
stack can have up to four stack members. All switches in a switch stack must be running the LAN Base
image.

Restrictions for QoS


The following are the restrictions for QoS:
• To use these features, the switch must be running the LAN Base image: stacking, DSCP, auto-QoS,
trusted boundary, policing, marking, mapping tables, and weighted tail drop.
• Ingress queueing is not supported.
• The switch supports 4 default egress queues, with the option to enable an additional 4 egress queues for
a total of 8. This option is only available on a standalone switch running the LAN Base image.
• We recommend that you do not enable 8 egress queues by using the mls qos srr-queue output queues
8 command, when running the following features in your configuration:
• Auto-QoS
• Auto SmartPort
• EnergyWise

Running these features with 8 egress queues enabled in a single configuration is not supported on the
switch.
• You can configure QoS only on physical ports. VLAN-based QoS is not supported. You configure the
QoS settings, such as classification, queueing, and scheduling, and apply the policy map to a port. When
configuring QoS on a physical port, you apply a nonhierarchical policy map to a port.
• If the switch is running the LAN Lite image you can:
• Configure ACLs, but you cannot attach them to physical interfaces. You can attach them to VLAN
interfaces to filter traffic to the CPU.
• Enable only cos trust at interface level.
• Enable SRR shaping and sharing at interface level.
• Enable Priority queueing at interface level.
• Enable or disable mls qos rewrite ip dscp.

• The switch must be running the LAN Base image to use the following QoS features:
• Policy maps
• Policing and marking
• Mapping tables


• WTD

Information About QoS


QoS Implementation
Typically, networks operate on a best-effort delivery basis, which means that all traffic has equal priority and
an equal chance of being delivered in a timely manner. When congestion occurs, all traffic has an equal chance
of being dropped.
When you configure the QoS feature, you can select specific network traffic, prioritize it according to its
relative importance, and use congestion-management and congestion-avoidance techniques to provide
preferential treatment. Implementing QoS in your network makes network performance more predictable and
bandwidth utilization more effective.
The QoS implementation is based on the Differentiated Services (Diff-Serv) architecture, a standard from the
Internet Engineering Task Force (IETF). This architecture specifies that each packet is classified upon entry
into the network.
The classification is carried in the IP packet header, using 6 bits from the deprecated IP type of service (ToS)
field to carry the classification (class) information. Classification can also be carried in the Layer 2 frame.


The special bits in the Layer 2 frame or a Layer 3 packet are shown in the following figure:

Figure 65: QoS Classification Layers in Frames and Packets

Layer 2 Frame Prioritization Bits


Layer 2 Inter-Switch Link (ISL) frame headers have a 1-byte User field that carries an IEEE 802.1p class of
service (CoS) value in the three least-significant bits. On ports configured as Layer 2 ISL trunks, all traffic is
in ISL frames.
Layer 2 802.1Q frame headers have a 2-byte Tag Control Information field that carries the CoS value in the
three most-significant bits, which are called the User Priority bits. On ports configured as Layer 2 802.1Q
trunks, all traffic is in 802.1Q frames except for traffic in the native VLAN.
Other frame types cannot carry Layer 2 CoS values.
Layer 2 CoS values range from 0 for low priority to 7 for high priority.

Layer 3 Packet Prioritization Bits


Layer 3 IP packets can carry either an IP precedence value or a Differentiated Services Code Point (DSCP)
value. QoS supports the use of either value because DSCP values are backward-compatible with IP precedence
values.
IP precedence values range from 0 to 7. DSCP values range from 0 to 63.


End-to-End QoS Solution Using Classification


All switches and routers that access the Internet rely on the class information to provide the same forwarding
treatment to packets with the same class information and different treatment to packets with different class
information. The class information in the packet can be assigned by end hosts or by switches or routers along
the way, based on a configured policy, detailed examination of the packet, or both. Detailed examination of
the packet is expected to occur closer to the edge of the network, so that the core switches and routers are not
overloaded with this task.
Switches and routers along the path can use the class information to limit the amount of resources allocated
per traffic class. The behavior of an individual device when handling traffic in the Diff-Serv architecture is
called per-hop behavior. If all devices along a path provide a consistent per-hop behavior, you can construct
an end-to-end QoS solution.
Implementing QoS in your network can be a simple or a complex task, depending on the QoS features
offered by your internetworking devices, the traffic types and patterns in your network, and the granularity
of control that you need over incoming and outgoing traffic.

QoS Basic Model


To implement QoS, the switch must distinguish packets or flows from one another (classify), assign a label
to indicate the given quality of service as the packets move through the switch, make the packets comply with
the configured resource usage limits (police and mark), and provide different treatment (queue and schedule)
in all situations where resource contention exists. The switch also needs to ensure that traffic sent from it
meets a specific traffic profile (shape).
Figure 66: QoS Basic Wired Model

Actions at Ingress Port


Actions at the ingress port include classifying traffic, policing, marking, and scheduling:
• Classification selects a distinct path for a packet by associating it with a QoS label. The switch maps the
CoS or DSCP in the packet to a QoS label to distinguish one kind of traffic from another. The QoS label
that is generated identifies all future QoS actions to be performed on this packet.
• Policing determines whether a packet is in or out of profile by comparing the rate of the incoming traffic
to the configured policer. The policer limits the bandwidth consumed by a flow of traffic. The result is
passed to the marker.


• Marking evaluates the policer and configuration information for the action to be taken when a packet is
out of profile and determines what to do with the packet (pass through a packet without modification,
marking down the QoS label in the packet, or dropping the packet).

Note Queueing and scheduling are only supported at egress and not at ingress on the switch.

Actions at Egress Port


Actions at the egress port include queueing and scheduling:
• Queueing evaluates the QoS packet label and the corresponding DSCP or CoS value before selecting
which of the four egress queues to use. Because congestion can occur when multiple ingress ports
simultaneously send data to an egress port, WTD differentiates traffic classes and subjects the packets
to different thresholds based on the QoS label. If the threshold is exceeded, the packet is dropped.
• Scheduling services the four egress queues based on their configured SRR shared or shaped weights.
One of the queues (queue 1) can be the expedited queue, which is serviced until empty before the other
queues are serviced.

Classification Overview
Classification is the process of distinguishing one kind of traffic from another by examining the fields in the
packet. Classification is enabled only if QoS is globally enabled on the switch. By default, QoS is globally
disabled, so no classification occurs.
During classification, the switch performs a lookup and assigns a QoS label to the packet. The QoS label
identifies all QoS actions to be performed on the packet and from which queue the packet is sent.
The QoS label is based on the DSCP or the CoS value in the packet and decides the queueing and scheduling
actions to perform on the packet. The label is mapped according to the trust setting and the packet type as
shown in Classification Flowchart, on page 654.
You specify which fields in the frame or packet that you want to use to classify incoming traffic.
Related Topics
Ingress Port Activity
Egress Port Activity
Configuring a QoS Policy, on page 686


Non-IP Traffic Classification


The following table describes the non-IP traffic classification options for your QoS configuration.

Table 61: Non-IP Traffic Classifications

Trust the CoS value
    Trust the CoS value in the incoming frame (configure the port to trust CoS), and then use the
    configurable CoS-to-DSCP map to generate a DSCP value for the packet. Layer 2 ISL frame headers
    carry the CoS value in the 3 least-significant bits of the 1-byte User field. Layer 2 802.1Q frame
    headers carry the CoS value in the 3 most-significant bits of the Tag Control Information field. CoS
    values range from 0 for low priority to 7 for high priority.

Trust the DSCP or trust IP precedence value
    Trust the DSCP or trust IP precedence value in the incoming frame. These configurations are
    meaningless for non-IP traffic. If you configure a port with either of these options and non-IP traffic
    is received, the switch assigns a CoS value and generates an internal DSCP value from the
    CoS-to-DSCP map. The switch uses the internal DSCP value to generate a CoS value representing the
    priority of the traffic.

Perform classification based on configured Layer 2 MAC ACL
    Perform the classification based on a configured Layer 2 MAC access control list (ACL), which can
    examine the MAC source address, the MAC destination address, and other fields. If no ACL is
    configured, the packet is assigned 0 as the DSCP and CoS values, which means best-effort traffic.
    Otherwise, the policy-map action specifies a DSCP or CoS value to assign to the incoming frame.

After classification, the packet is sent to the policing and marking stages.

IP Traffic Classification
The following table describes the IP traffic classification options for your QoS configuration.

Table 62: IP Traffic Classifications

Trust the DSCP value
    Trust the DSCP value in the incoming packet (configure the port to trust DSCP), and assign the same
    DSCP value to the packet. The IETF defines the 6 most-significant bits of the 1-byte ToS field as the
    DSCP. The priority represented by a particular DSCP value is configurable. DSCP values range from
    0 to 63. You can also classify IP traffic based on IPv6 DSCP. For ports that are on the boundary
    between two QoS administrative domains, you can modify the DSCP to another value by using the
    configurable DSCP-to-DSCP-mutation map.

Trust the IP precedence value
    Trust the IP precedence value in the incoming packet (configure the port to trust IP precedence), and
    generate a DSCP value for the packet by using the configurable IP-precedence-to-DSCP map. The IP
    Version 4 specification defines the 3 most-significant bits of the 1-byte ToS field as the IP precedence.
    IP precedence values range from 0 for low priority to 7 for high priority. You can also classify IP
    traffic based on IPv6 precedence.

Trust the CoS value
    Trust the CoS value (if present) in the incoming packet, and generate a DSCP value for the packet by
    using the CoS-to-DSCP map. If the CoS value is not present, use the default port CoS value.

IP standard or an extended ACL
    Perform the classification based on a configured IP standard or an extended ACL, which examines
    various fields in the IP header. If no ACL is configured, the packet is assigned 0 as the DSCP and CoS
    values, which means best-effort traffic. Otherwise, the policy-map action specifies a DSCP or CoS
    value to assign to the incoming frame.

Override configured CoS
    Override the configured CoS of incoming packets, and apply the default port CoS value to them. For
    IPv6 packets, the DSCP value is rewritten by using the CoS-to-DSCP map and by using the default CoS
    of the port. You can do this for both IPv4 and IPv6 traffic.

After classification, the packet is sent to the policing and marking stages.
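The following added example (not Cisco code) ties the Layer 2 and Layer 3 prioritization bits described earlier to the trust options in Tables 61 and 62: it builds a constructed 802.1Q/IPv4 frame, extracts CoS from the TCI, DSCP and IP precedence from the ToS byte, and derives the internal DSCP for a port trusting CoS, DSCP, or IP precedence, including the non-IP case where trust dscp falls back to the CoS-to-DSCP map. The CoS-to-DSCP and IP-precedence-to-DSCP maps used are the switch defaults (value times 8); the frame addresses and VLAN ID are constructed sample values.

```python
import struct
from typing import Dict, Optional

ETHERTYPE_8021Q = 0x8100
ETHERTYPE_IPV4 = 0x0800

# Default CoS-to-DSCP and IP-precedence-to-DSCP maps: each 3-bit value maps to value * 8.
COS_TO_DSCP = {c: c * 8 for c in range(8)}
PREC_TO_DSCP = {p: p * 8 for p in range(8)}


def build_frame(cos: int, dscp: int, tagged: bool = True) -> bytes:
    """Constructed sample input: a minimal Ethernet (optionally 802.1Q) IPv4 frame."""
    dst = bytes.fromhex("001122334455")   # constructed MAC addresses
    src = bytes.fromhex("66778899aabb")
    frame = dst + src
    if tagged:
        # TCI: the 3 most-significant bits are the User Priority (CoS),
        # then DEI, then the 12-bit VLAN ID (10 here, constructed).
        tci = (cos << 13) | 10
        frame += struct.pack("!HH", ETHERTYPE_8021Q, tci)
    frame += struct.pack("!H", ETHERTYPE_IPV4)
    tos = dscp << 2                        # DSCP is the 6 most-significant ToS bits
    frame += struct.pack("!BBHHHBBH4s4s", 0x45, tos, 20, 0, 0, 64, 17, 0,
                         bytes([10, 1, 1, 7]), bytes([10, 1, 1, 9]))
    return frame


def classify(frame: bytes) -> Dict[str, Optional[int]]:
    """Extract the Layer 2 CoS (802.1Q frames only) and the Layer 3 DSCP and
    IP precedence (IPv4 packets only). Missing fields are reported as None."""
    (ethertype,) = struct.unpack_from("!H", frame, 12)
    payload_off = 14
    cos = None
    if ethertype == ETHERTYPE_8021Q:
        tci, ethertype = struct.unpack_from("!HH", frame, 14)
        cos = tci >> 13                    # User Priority bits
        payload_off = 18
    dscp = prec = None
    if ethertype == ETHERTYPE_IPV4:
        tos = frame[payload_off + 1]
        dscp = tos >> 2
        prec = tos >> 5                    # 3 most-significant ToS bits == dscp >> 3
    return {"cos": cos, "dscp": dscp, "ip_precedence": prec}


def internal_dscp(fields: Dict[str, Optional[int]], trust: str,
                  port_default_cos: int = 0) -> int:
    """Derive the internal DSCP (the QoS label) from the port trust state."""
    if trust == "dscp" and fields["dscp"] is not None:
        return fields["dscp"]
    if trust == "ip-precedence" and fields["ip_precedence"] is not None:
        return PREC_TO_DSCP[fields["ip_precedence"]]
    if trust not in ("cos", "dscp", "ip-precedence"):
        return 0                           # untrusted port: best-effort
    # trust cos, or trust dscp / ip-precedence applied to non-IP traffic:
    # use the frame CoS, or the port default CoS when the frame is untagged.
    cos = fields["cos"] if fields["cos"] is not None else port_default_cos
    return COS_TO_DSCP[cos]


if __name__ == "__main__":
    sample = classify(build_frame(cos=5, dscp=46))
    for trust in ("cos", "dscp", "ip-precedence"):
        print(trust, sample, "->", internal_dscp(sample, trust))
```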


Classification Flowchart
Figure 67: Classification Flowchart

Access Control Lists


You can use IP standard, IP extended, or Layer 2 MAC ACLs to define a group of packets with the same
characteristics (class). You can also classify IP traffic based on IPv6 ACLs.
In the QoS context, the permit and deny actions in the access control entries (ACEs) have different meanings
from security ACLs:


• If a match with a permit action is encountered (first-match principle), the specified QoS-related action
is taken.
• If a match with a deny action is encountered, the ACL being processed is skipped, and the next ACL is
processed.
• If no match with a permit action is encountered and all the ACEs have been examined, no QoS processing
occurs on the packet, and the switch offers best-effort service to the packet.
• If multiple ACLs are configured on a port, the lookup stops after the packet matches the first ACL with
a permit action, and QoS processing begins.

Note When creating an access list, note that by default the end of the access list contains
an implicit deny statement for everything if it did not find a match before reaching
the end.
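The QoS lookup rules above, as an added example that is not Cisco code: the same ACL is evaluated once with QoS semantics (first permit match selects the action, a deny or the implicit deny only skips to the next ACL, and no permit anywhere means best-effort) and once with security semantics (deny drops). The ACLs, hosts, and action strings are constructed sample values.

```python
import ipaddress
from dataclasses import dataclass
from typing import Callable, List


@dataclass(frozen=True)
class Packet:
    src: str       # source IPv4 address
    proto: str     # "udp" or "tcp"


@dataclass(frozen=True)
class ACE:
    action: str                          # "permit" or "deny"
    match: Callable[[Packet], bool]


@dataclass
class QoSACL:
    name: str
    aces: List[ACE]
    qos_action: str                      # policy-map action taken on a permit match


def qos_lookup(acls: List[QoSACL], pkt: Packet) -> str:
    """QoS semantics: return the action of the first ACL whose first matching ACE
    is a permit; a deny match (explicit or the implicit deny at the end) only
    skips that ACL; with no permit anywhere the packet gets best-effort service."""
    for acl in acls:
        for ace in acl.aces:
            if ace.match(pkt):
                if ace.action == "permit":
                    return f"{acl.name}: {acl.qos_action}"   # lookup stops here
                break                    # explicit deny: skip the rest of this ACL
        # no ACE matched: implicit deny, which likewise skips this ACL
    return "best-effort"


def security_lookup(acl: QoSACL, pkt: Packet) -> str:
    """The same ACL read as a security ACL: any deny, explicit or implicit, drops."""
    for ace in acl.aces:
        if ace.match(pkt):
            return "forward" if ace.action == "permit" else "drop"
    return "drop"


def in_net(cidr: str) -> Callable[[Packet], bool]:
    net = ipaddress.ip_network(cidr)
    return lambda p: ipaddress.ip_address(p.src) in net


def is_proto(name: str) -> Callable[[Packet], bool]:
    return lambda p: p.proto == name


# Constructed sample policy: two ACLs, as two class maps of one policy map might use.
# Hosts in 10.1.1.0/24 are marked DSCP 46, except host 10.1.1.5; TCP traffic is policed.
VOICE_ACL = QoSACL("voice", [ACE("deny", in_net("10.1.1.5/32")),
                             ACE("permit", in_net("10.1.1.0/24"))],
                   "set dscp 46")
BULK_ACL = QoSACL("bulk", [ACE("permit", is_proto("tcp"))],
                  "police (rate 1000000 bps, burst 8000 bytes, exceed drop)")
POLICY = [VOICE_ACL, BULK_ACL]

if __name__ == "__main__":
    for pkt in (Packet("10.1.1.7", "udp"), Packet("10.1.1.5", "udp"),
                Packet("10.1.1.5", "tcp"), Packet("192.0.2.9", "udp")):
        print(pkt, "QoS:", qos_lookup(POLICY, pkt),
              "| security:", security_lookup(VOICE_ACL, pkt))
```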

After a traffic class has been defined with the ACL, you can attach a policy to it. A policy might contain
multiple classes with actions specified for each one of them. A policy might include commands to classify
the class as a particular aggregate (for example, assign a DSCP) or rate-limit the class. This policy is then
attached to a particular port on which it becomes effective.
You implement IP ACLs to classify IP traffic by using the access-list global configuration command; you
implement Layer 2 MAC ACLs to classify non-IP traffic by using the mac access-list extended global
configuration command.
Related Topics
Creating an IP Standard ACL for IPv4 Traffic, on page 687
Creating an IP Extended ACL for IPv4 Traffic, on page 688
Creating an IPv6 ACL for IPv6 Traffic, on page 690
Creating a Layer 2 MAC ACL for Non-IP Traffic, on page 692

Classification Based on Class Maps and Policy Maps


To use policy maps, the switch must be running the LAN Base image.
A class map is a mechanism that you use to name a specific traffic flow (or class) and to isolate it from all
other traffic. The class map defines the criteria used to match against a specific traffic flow to further classify
it. The criteria can include matching the access group defined by the ACL or matching a specific list of DSCP
or IP precedence values. If you have more than one type of traffic that you want to classify, you can create
another class map and use a different name. After a packet is matched against the class-map criteria, you
further classify it through the use of a policy map.
A policy map specifies which traffic class to act on. Actions can include trusting the CoS, DSCP, or IP
precedence values in the traffic class; setting a specific DSCP or IP precedence value in the traffic class; or
specifying the traffic bandwidth limitations and the action to take when the traffic is out of profile. Before a
policy map can be effective, you must attach it to a port.
You create a class map by using the class-map global configuration command or the class policy-map
configuration command. You should use the class-map command when the map is shared among many ports.
When you enter the class-map command, the switch enters the class-map configuration mode. In this mode,
you define the match criterion for the traffic by using the match class-map configuration command.


You can configure a default class by using the class class-default policy-map configuration command.
Unclassified traffic (traffic that does not match the criteria specified in the other traffic classes configured
on the policy map) is treated as default traffic.
You create and name a policy map by using the policy-map global configuration command. When you enter
this command, the switch enters the policy-map configuration mode. In this mode, you specify the actions to
take on a specific traffic class by using the class, trust, or set policy-map configuration and policy-map class
configuration commands.
The policy map can contain the police and police aggregate policy-map class configuration commands, which
define the policer, the bandwidth limitations of the traffic, and the action to take if the limits are exceeded.
To enable the policy map, you attach it to a port by using the service-policy interface configuration command.

Policing and Marking Overview


After a packet is classified and has a DSCP-based or CoS-based QoS label assigned to it, the policing and
marking process can begin.
Policing involves creating a policer that specifies the bandwidth limits for the traffic. Packets that exceed the
limits are out of profile or nonconforming. Each policer decides on a packet-by-packet basis whether the
packet is in or out of profile and specifies the actions on the packet. These actions, carried out by the marker,
include passing through the packet without modification, dropping the packet, or modifying (marking down)
the assigned DSCP of the packet and allowing the packet to pass through. The configurable policed-DSCP
map provides the packet with a new DSCP-based QoS label. Marked-down packets use the same queues as
the original QoS label to prevent packets in a flow from getting out of order.

Note All traffic, regardless of whether it is bridged or routed, is subjected to a policer, if one is configured. As a
result, bridged packets might be dropped or might have their DSCP or CoS fields modified when they are
policed and marked.

You can configure policing on a physical port. After you configure the policy map and policing actions, attach
the policy to a port by using the service-policy interface configuration command.
Related Topics
Ingress Port Activity
Class Maps
Policy Maps
Configuring a QoS Policy, on page 686
Classifying, Policing, and Marking Traffic on Physical Ports by Using Policy Maps, on page 699
Classifying, Policing, and Marking Traffic on SVIs by Using Hierarchical Policy Maps
Classifying, Policing, and Marking Traffic by Using Aggregate Policers, on page 704

Physical Port Policing


In policy maps on physical ports, you can create the following types of policers:
• Individual—QoS applies the bandwidth limits specified in the policer separately to each matched traffic
class. You configure this type of policer within a policy map by using the police policy-map class
configuration command.


• Aggregate—QoS applies the bandwidth limits specified in an aggregate policer cumulatively to all
matched traffic flows. You configure this type of policer by specifying the aggregate policer name within
a policy map by using the police aggregate policy-map class configuration command. You specify the
bandwidth limits of the policer by using the mls qos aggregate-policer global configuration command.
In this way, the aggregate policer is shared by multiple classes of traffic within a policy map.

Policing uses a token-bucket algorithm. As each frame is received by the switch, a token is added to the bucket.
The bucket has a hole in it and leaks at a rate that you specify as the average traffic rate in bits per second.
Each time a token is added to the bucket, the switch verifies that there is enough room in the bucket. If there
is not enough room, the packet is marked as nonconforming, and the specified policer action is taken (dropped
or marked down).
How quickly the bucket fills is a function of the bucket depth (burst-byte), the rate at which the tokens are
removed (rate-bps), and the duration of the burst above the average rate. The size of the bucket imposes an
upper limit on the burst length and limits the number of frames that can be transmitted back-to-back. If the
burst is short, the bucket does not overflow, and no action is taken against the traffic flow. However, if a burst
is long and at a higher rate, the bucket overflows, and the policing actions are taken against the frames in that
burst.
You configure the bucket depth (the maximum burst that is tolerated before the bucket overflows) by using
the burst-byte option of the police policy-map class configuration command or the mls qos aggregate-policer
global configuration command. You configure how fast (the average rate) that the tokens are removed from
the bucket by using the rate-bps option of the police policy-map class configuration command or the mls qos
aggregate-policer global configuration command.
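The following Python simulation is an added illustration of the token-bucket model just described; it is not code from the Cisco guide and does not run on the switch. It follows the description literally: each arriving frame adds its bytes to a bucket of depth burst-byte, the bucket leaks at rate-bps, and a frame that would overflow the bucket is nonconforming and is either dropped or marked down through a policed-DSCP map. The class and function names, the 1 Mb/s rate, the 8000-byte bucket and the DSCP 46 to 0 markdown are constructed values for the example.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

# Constructed model of the physical-port policer described above. Policer,
# police() and simulate_burst() are names invented for this example, not IOS commands.


@dataclass
class Policer:
    rate_bps: int                  # rate-bps: average rate at which the bucket leaks
    burst_bytes: int               # burst-byte: bucket depth, the largest burst tolerated
    exceed_action: str = "drop"    # "drop" or "policed-dscp-transmit"
    # Policed-DSCP map (mls qos map policed-dscp); the default null map leaves DSCP unchanged
    policed_dscp_map: Dict[int, int] = field(default_factory=dict)
    fill_bytes: float = 0.0        # current bucket occupancy in bytes
    last_time: float = 0.0         # arrival time of the previous frame, in seconds

    def _leak(self, now: float) -> None:
        """Drain the bucket at rate-bps for the time elapsed since the last frame."""
        elapsed = max(0.0, now - self.last_time)
        self.fill_bytes = max(0.0, self.fill_bytes - elapsed * self.rate_bps / 8)
        self.last_time = now

    def police(self, now: float, size_bytes: int, dscp: int) -> Tuple[str, int]:
        """Return (action, dscp) for one frame.

        A frame that fits in the bucket conforms and is transmitted unchanged.
        A frame that would overflow the bucket is nonconforming: it is dropped,
        or transmitted with the marked-down DSCP taken from the policed-DSCP map.
        """
        self._leak(now)
        if self.fill_bytes + size_bytes <= self.burst_bytes:
            self.fill_bytes += size_bytes
            return ("transmit", dscp)
        if self.exceed_action == "drop":
            return ("drop", dscp)
        return ("markdown", self.policed_dscp_map.get(dscp, dscp))


def simulate_burst(policer: Policer, frames: List[Tuple[float, int, int]]) -> Dict[str, int]:
    """Police a list of (arrival_time_s, size_bytes, dscp) frames and tally the outcomes."""
    tally = {"transmit": 0, "drop": 0, "markdown": 0}
    for now, size, dscp in frames:
        action, _ = policer.police(now, size, dscp)
        tally[action] += 1
    return tally


if __name__ == "__main__":
    # Constructed input: ten back-to-back 1500-byte EF (DSCP 46) frames at t = 0,
    # then one more 100 ms later, against a 1 Mb/s policer with an 8000-byte bucket.
    burst = [(0.0, 1500, 46)] * 10 + [(0.1, 1500, 46)]
    dropper = Policer(rate_bps=1_000_000, burst_bytes=8000, exceed_action="drop")
    print("drop action:    ", simulate_burst(dropper, burst))
    marker = Policer(rate_bps=1_000_000, burst_bytes=8000,
                     exceed_action="policed-dscp-transmit", policed_dscp_map={46: 0})
    print("markdown action:", simulate_burst(marker, burst))
```

With the constructed burst, the first five 1500-byte frames fit in the 8000-byte bucket and the next five overflow it; after 100 ms the bucket has leaked 12,500 bytes at 1 Mb/s, so the eleventh frame conforms again. The same model applies to an aggregate policer, the only difference being that several classes share one Policer instance.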


Figure 68: Policing and Marking Flowchart on Physical Ports

Related Topics
Classifying, Policing, and Marking Traffic on Physical Ports by Using Policy Maps, on page 699

Mapping Tables Overview


During QoS processing, the switch represents the priority of all traffic (including non-IP traffic) with a QoS
label based on the DSCP or CoS value from the classification stage.


The following table describes QoS processing and mapping tables.

Table 63: QoS Processing and Mapping Tables

QoS Processing Stage   Mapping Table Usage

Classification         During the classification stage, QoS uses configurable mapping tables to derive a
                       corresponding DSCP or CoS value from a received CoS, DSCP, or IP precedence value.
                       These maps include the CoS-to-DSCP map and the IP-precedence-to-DSCP map.
                       You configure these maps by using the mls qos map cos-dscp and the mls qos map
                       ip-prec-dscp global configuration commands.
                       On an ingress port configured in the DSCP-trusted state, if the DSCP values are
                       different between the QoS domains, you can apply the configurable
                       DSCP-to-DSCP-mutation map to the port that is on the boundary between the two
                       QoS domains.
                       You configure this map by using the mls qos map dscp-mutation global configuration
                       command.

Policing               During the policing stage, QoS can assign another DSCP value to an IP or a non-IP
                       packet (if the packet is out of profile and the policer specifies a marked-down
                       value). This configurable map is called the policed-DSCP map.
                       You configure this map by using the mls qos map policed-dscp global configuration
                       command.

Pre-scheduling         Before the traffic reaches the scheduling stage, QoS stores the packet in an egress
                       queue according to the QoS label. The QoS label is based on the DSCP or the CoS
                       value in the packet and selects the queue through the DSCP output queue threshold
                       maps or through the CoS output queue threshold maps. In addition to an egress
                       queue, the QoS label also identifies the WTD threshold value.
                       You configure these maps by using the mls qos srr-queue output dscp-map and the
                       mls qos srr-queue output cos-map global configuration commands.

The CoS-to-DSCP, DSCP-to-CoS, and the IP-precedence-to-DSCP maps have default values that might or
might not be appropriate for your network.
The default DSCP-to-DSCP-mutation map and the default policed-DSCP map are null maps; they map an
incoming DSCP value to the same DSCP value. The DSCP-to-DSCP-mutation map is the only map you apply
to a specific port. All other maps apply to the entire switch.
Related Topics
Configuring DSCP Maps, on page 706
Queueing and Scheduling on Ingress Queues
Queueing and Scheduling on Egress Queues

Queueing and Scheduling Overview


The switch has queues at specific points to help prevent congestion.


Figure 69: Egress Queue Location on Switch

Note The switch supports 4 egress queues by default and there is an option to enable a total of 8 egress queues. The
8 egress queue configuration is only supported on a standalone switch.

Weighted Tail Drop


Egress queues use an enhanced version of the tail-drop congestion-avoidance mechanism called weighted tail
drop (WTD). WTD is implemented on queues to manage the queue lengths and to provide drop precedences
for different traffic classifications.
As a frame is enqueued to a particular queue, WTD uses the frame’s assigned QoS label to subject it to different
thresholds. If the threshold is exceeded for that QoS label (the space available in the destination queue is less
than the size of the frame), the switch drops the frame.
Each queue has three threshold values. The QoS label determines which of the three threshold values is
subjected to the frame. Of the three thresholds, two are configurable (explicit) and one is not (implicit).
Figure 70: WTD and Queue Operation

The following figure shows an example of WTD operating on a queue whose size is 1000 frames. Three drop
percentages are configured: 40 percent (400 frames), 60 percent (600 frames), and 100 percent (1000 frames).
These percentages indicate that up to 400 frames can be queued at the 40-percent threshold, up to 600 frames
at the 60-percent threshold, and up to 1000 frames at the 100-percent threshold.
In the example, CoS values 6 and 7 have a greater importance than the other CoS values, and they are assigned
to the 100-percent drop threshold (queue-full state). CoS values 4 and 5 are assigned to the 60-percent threshold,
and CoS values 0 to 3 are assigned to the 40-percent threshold.


Suppose the queue is already filled with 600 frames, and a new frame arrives. It carries CoS value 4 or 5
and is therefore subjected to the 60-percent threshold. If this frame were added to the queue, the threshold
would be exceeded, so the switch drops it.
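To make the threshold arithmetic of the example concrete, here is an added Python model of one queue with three WTD thresholds; it is not code from the Cisco guide, and WtdQueue, enqueue and figure70_scenario are names chosen for this example. It replays the scenario above (a 1000-frame queue, thresholds at 40, 60 and 100 percent, CoS 0 to 3 on threshold 1, CoS 4 and 5 on threshold 2, CoS 6 and 7 on the implicit queue-full threshold 3) and also counts drops per threshold ID, which is what an operator would compare against queue drop counters when checking whether lower-priority classes are being shed first.

```python
from collections import deque
from typing import Deque, Dict


class WtdQueue:
    """Constructed model of one queue with three WTD thresholds (IDs 1 to 3).

    Thresholds 1 and 2 are the explicit, configurable percentages; threshold 3
    is the implicit queue-full threshold and is always 100 percent of the queue.
    """

    def __init__(self, size_frames: int, threshold1_pct: int, threshold2_pct: int,
                 cos_to_threshold: Dict[int, int]) -> None:
        self.size = size_frames
        self.limits = {
            1: size_frames * threshold1_pct // 100,
            2: size_frames * threshold2_pct // 100,
            3: size_frames,                       # implicit queue-full threshold
        }
        self.cos_to_threshold = cos_to_threshold  # QoS label (CoS) -> threshold ID
        self.frames: Deque[int] = deque()
        self.drops: Dict[int, int] = {1: 0, 2: 0, 3: 0}

    def enqueue(self, cos: int) -> bool:
        """Admit the frame unless adding it would exceed the threshold its CoS selects."""
        tid = self.cos_to_threshold[cos]
        if len(self.frames) + 1 > self.limits[tid]:
            self.drops[tid] += 1
            return False
        self.frames.append(cos)
        return True

    def dequeue(self) -> int:
        return self.frames.popleft()

    def depth(self) -> int:
        return len(self.frames)


def figure70_scenario() -> Dict[str, object]:
    """Replay the worked example: 1000-frame queue, thresholds 40/60/100 percent,
    CoS 0-3 -> threshold 1, CoS 4-5 -> threshold 2, CoS 6-7 -> threshold 3."""
    cos_map = {**{c: 1 for c in range(0, 4)}, **{c: 2 for c in (4, 5)}, **{c: 3 for c in (6, 7)}}
    q = WtdQueue(1000, 40, 60, cos_map)
    for _ in range(600):
        q.enqueue(7)  # fill to 600 with frames that only the queue-full limit would stop
    return {
        "depth_before": q.depth(),
        "cos4_accepted": q.enqueue(4),   # 601 frames would exceed the 60-percent threshold
        "cos0_accepted": q.enqueue(0),   # the 40-percent threshold was passed long ago
        "cos6_accepted": q.enqueue(6),   # still below queue-full, so it is admitted
        "depth_after": q.depth(),
        "drops": dict(q.drops),
    }


if __name__ == "__main__":
    print(figure70_scenario())
```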
Related Topics
Mapping DSCP or CoS Values to an Ingress Queue and Setting WTD Thresholds, on page 713
Allocating Buffer Space to and Setting WTD Thresholds for an Egress Queue-Set, on page 720
Mapping DSCP or CoS Values to an Egress Queue and to a Threshold ID, on page 724
WTD Thresholds, on page 663
Queues and WTD Thresholds, on page 667

SRR Shaping and Sharing


Egress queues are serviced by shaped round robin (SRR), which controls the rate at which packets are sent.
On the egress queues, SRR sends packets to the egress port.
You can configure SRR on egress queues for sharing or for shaping.
In shaped mode, the egress queues are guaranteed a percentage of the bandwidth, and they are rate-limited to
that amount. Shaped traffic does not use more than the allocated bandwidth even if the link is idle. Shaping
provides a more even flow of traffic over time and reduces the peaks and valleys of bursty traffic. With shaping,
the absolute value of each weight is used to compute the bandwidth available for the queues.
In shared mode, the queues share the bandwidth among them according to the configured weights. The
bandwidth is guaranteed at this level but not limited to it. For example, if a queue is empty and no longer
requires a share of the link, the remaining queues can expand into the unused bandwidth and share it among
them. With sharing, the ratio of the weights controls the frequency of dequeuing; the absolute values are
meaningless. Shaping and sharing is configured per interface. Each interface can be uniquely configured.
Related Topics
Ingress Port Activity
Allocating Bandwidth Between the Ingress Queues, on page 717
Configuring SRR Shaped Weights on Egress Queues, on page 726
Configuring SRR Shared Weights on Egress Queues, on page 727
Shaped or Shared Mode, on page 667

Queueing and Scheduling on Ingress Queues


The following figure shows queueing and scheduling flowcharts for ingress ports on the switch.


Figure 71: Queueing and Scheduling Flowchart for Ingress Ports on the Switch

Note SRR services the priority queue for its configured share before servicing the other queue.

Configurable Ingress Queue Types


The switch supports two configurable ingress queue types, which are serviced by SRR in shared mode only.

Note The switch also uses two nonconfigurable queues for traffic that is essential for proper network and stack
operation.


The following table describes the two configurable ingress queues.

Table 64: Configurable Ingress Queue Types

Queue Type   Function

Normal       User traffic that is considered to be normal priority. You can configure three
             different thresholds to differentiate among the flows.
             Use the following global configuration commands:
             • mls qos srr-queue input threshold
             • mls qos srr-queue input dscp-map
             • mls qos srr-queue input cos-map

Expedite     High-priority user traffic such as differentiated services (DF) expedited forwarding
             or voice traffic. You can configure the bandwidth required for this traffic as a
             percentage of the total traffic or total stack traffic on the switches by using the
             mls qos srr-queue input priority-queue global configuration command. The expedite
             queue has guaranteed bandwidth.

You assign each packet that flows through the switch to a queue and to a threshold. Specifically, you map
DSCP or CoS values to an ingress queue and map DSCP or CoS values to a threshold ID. You use the mls
qos srr-queue input dscp-map queue queue-id {dscp1...dscp8 | threshold threshold-id dscp1...dscp8} or
the mls qos srr-queue input cos-map queue queue-id {cos1...cos8 | threshold threshold-id cos1...cos8}
global configuration command. You can display the DSCP input queue threshold map and the CoS input
queue threshold map by using the show mls qos maps privileged EXEC command.

WTD Thresholds
The queues use WTD to support distinct drop percentages for different traffic classes. Each queue has three
drop thresholds: two configurable (explicit) WTD thresholds and one nonconfigurable (implicit) threshold
preset to the queue-full state.
You assign the two explicit WTD threshold percentages for threshold ID 1 and ID 2 to the ingress queues by
using the mls qos srr-queue input threshold queue-id threshold-percentage1 threshold-percentage2 global
configuration command. Each threshold value is a percentage of the total number of allocated buffers for the
queue. The drop threshold for threshold ID 3 is preset to the queue-full state, and you cannot modify it.
Related Topics
Weighted Tail Drop, on page 660

Buffer and Bandwidth Allocation


You define the ratio (allocate the amount of space) with which to divide the ingress buffers between the two
queues (normal and expedite) by using the mls qos srr-queue input buffers percentage1 percentage2 global
configuration command. The buffer allocation together with the bandwidth allocation control how much data
can be buffered and sent before packets are dropped. You allocate bandwidth as a percentage by using the
mls qos srr-queue input bandwidth weight1 weight2 global configuration command. The ratio of the weights
is the ratio of the frequency in which the SRR scheduler sends packets from each queue.

Priority Queueing
You can configure one ingress queue as the priority queue by using the mls qos srr-queue input priority-queue
queue-id bandwidth weight global configuration command. The priority queue should be used for traffic
(such as voice) that requires guaranteed delivery because this queue is guaranteed part of the bandwidth
regardless of the load on the stack or internal ring.
SRR services the priority queue for its configured weight as specified by the bandwidth keyword in the mls
qos srr-queue input priority-queue queue-id bandwidth weight global configuration command. Then, SRR
shares the remaining bandwidth with both ingress queues and services them as specified by the weights
configured with the mls qos srr-queue input bandwidth weight1 weight2 global configuration command.
You can combine the above commands to prioritize traffic by placing packets with particular DSCPs or CoSs
into certain queues, by allocating a large queue size or by servicing the queue more frequently, and by adjusting
queue thresholds so that packets with lower priorities are dropped.
Related Topics
Configuring Ingress Queue Characteristics, on page 713

Queueing and Scheduling on Egress Queues


The following figure shows queueing and scheduling flowcharts for egress ports on the switch.


Figure 72: Queueing and Scheduling Flowchart for Egress Ports on the Switch

Note If the expedite queue is enabled, SRR services it until it is empty before servicing the other three queues.

Egress Expedite Queue


Each port supports four egress queues, one of which (queue 1) can be the egress expedite queue. These queues
are assigned to a queue-set. All traffic exiting the switch flows through one of these four queues and is subjected
to a threshold based on the QoS label assigned to the packet.


Note If the expedite queue is enabled, SRR services it until it is empty before servicing the other three queues.

Egress Queue Buffer Allocation


The following figure shows the egress queue buffer.
Figure 73: Egress Queue Buffer Allocation

The buffer space is divided between the common pool and the reserved pool. The switch uses a buffer allocation
scheme to reserve a minimum amount of buffers for each egress queue, to prevent any queue or port from
consuming all the buffers and depriving other queues, and to control whether to grant buffer space to a
requesting queue. The switch detects whether the target queue has not consumed more buffers than its reserved
amount (under-limit), whether it has consumed all of its maximum buffers (over limit), and whether the
common pool is empty (no free buffers) or not empty (free buffers). If the queue is not over-limit, the switch
can allocate buffer space from the reserved pool or from the common pool (if it is not empty). If there are no
free buffers in the common pool or if the queue is over-limit, the switch drops the frame.

Buffer and Memory Allocation


You guarantee the availability of buffers, set drop thresholds, and configure the maximum memory allocation
for a queue-set by using the mls qos queue-set output qset-id threshold queue-id drop-threshold1
drop-threshold2 reserved-threshold maximum-threshold global configuration command. Each threshold value
is a percentage of the queue’s allocated memory, which you specify by using the mls qos queue-set output
qset-id buffers allocation1 ... allocation4 global configuration command. The sum of all the allocated buffers
represents the reserved pool, and the remaining buffers are part of the common pool.
Through buffer allocation, you can ensure that high-priority traffic is buffered. For example, if the buffer
space is 400, you can allocate 70 percent of it to queue 1 and 10 percent to queues 2 through 4. Queue 1 then
has 280 buffers allocated to it, and queues 2 through 4 each have 40 buffers allocated to them.
You can guarantee that the allocated buffers are reserved for a specific queue in a queue-set. For example, if
there are 100 buffers for a queue, you can reserve 50 percent (50 buffers). The switch returns the remaining
50 buffers to the common pool. You also can enable a queue in the full condition to obtain more buffers than
are reserved for it by setting a maximum threshold. The switch can allocate the needed buffers from the
common pool if the common pool is not empty.
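The following Python model is an added worked example of the queue-set buffer scheme described in this section and the one before it; it is not code from the Cisco guide, and EgressQueueSet, request and release are names chosen for the example. It takes the numbers from the text (400 buffers, 70 percent to queue 1 and 10 percent to queues 2 through 4, a 50-percent reserved threshold and a 400-percent maximum threshold) and applies the under-limit / over-limit / common-pool decision described above to each buffer request, so you can see when a queue draws on its reservation, when it borrows from the common pool, and which of the two drop conditions ends a burst.

```python
from dataclasses import dataclass
from typing import List


@dataclass
class EgressQueueSet:
    """Constructed model of egress buffer allocation for one queue-set.

    Percentages mirror the mls qos queue-set output ... buffers and
    ... threshold commands: allocation per queue, and the reserved and
    maximum thresholds expressed as a percentage of that allocation.
    """
    total_buffers: int
    allocation_pct: List[int]     # buffers allocation1 ... allocation4
    reserved_pct: List[int]       # reserved-threshold, per queue
    maximum_pct: List[int]        # maximum-threshold, per queue

    def __post_init__(self) -> None:
        self.allocated = [self.total_buffers * p // 100 for p in self.allocation_pct]
        self.reserved = [a * r // 100 for a, r in zip(self.allocated, self.reserved_pct)]
        self.maximum = [a * m // 100 for a, m in zip(self.allocated, self.maximum_pct)]
        # Buffers that no queue reserves make up the common pool.
        self.common_free = self.total_buffers - sum(self.reserved)
        self.in_use = [0] * len(self.allocated)

    def request(self, queue_id: int) -> str:
        """Decide one buffer request for a 1-based queue ID; returns where the buffer came from."""
        i = queue_id - 1
        if self.in_use[i] >= self.maximum[i]:
            return "drop-over-limit"          # queue has consumed all of its maximum buffers
        if self.in_use[i] < self.reserved[i]:
            self.in_use[i] += 1
            return "reserved"                 # under-limit: served from the reserved pool
        if self.common_free > 0:
            self.common_free -= 1
            self.in_use[i] += 1
            return "common"                   # borrowed from the common pool
        return "drop-common-empty"            # no free buffers anywhere

    def release(self, queue_id: int) -> None:
        """Return one buffer; buffers held beyond the reservation go back to the common pool."""
        i = queue_id - 1
        if self.in_use[i] == 0:
            return
        self.in_use[i] -= 1
        if self.in_use[i] >= self.reserved[i]:
            self.common_free += 1


if __name__ == "__main__":
    # Constructed values taken from the text: 400 buffers, 70/10/10/10 allocation,
    # 50 percent reserved and a 400 percent maximum for every queue.
    qs = EgressQueueSet(400, [70, 10, 10, 10], [50] * 4, [400] * 4)
    print("allocated", qs.allocated, "reserved", qs.reserved, "common", qs.common_free)
    outcomes = [qs.request(2) for _ in range(161)]
    print("queue 2:", {o: outcomes.count(o) for o in set(outcomes)})
```

Note that a maximum threshold of 400 percent lets a queue grow to four times its allocation, which for queue 1 here (1120 buffers) is more than the whole pool; in practice the common pool empties first, which is the second drop condition the text describes.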


Note The switch supports 4 egress queues by default, although there is an option to enable a total of 8 egress queues.
Use the mls qos srr-queue output queues 8 global configuration command to enable all 8 egress queues.
Once 8 egress queues are enabled, you are able to configure thresholds and buffers for all 8 queues. The 8
egress queue configuration is only supported on a standalone switch.

Queues and WTD Thresholds


You can assign each packet that flows through the switch to a queue and to a threshold.
Specifically, you map DSCP or CoS values to an egress queue and map DSCP or CoS values to a threshold
ID. You use the mls qos srr-queue output dscp-map queue queue-id {dscp1...dscp8 | threshold threshold-id
dscp1...dscp8} or the mls qos srr-queue output cos-map queue queue-id {cos1...cos8 | threshold threshold-id
cos1...cos8} global configuration command. You can display the DSCP output queue threshold map and the
CoS output queue threshold map by using the show mls qos maps privileged EXEC command.
The queues use WTD to support distinct drop percentages for different traffic classes. Each queue has three
drop thresholds: two configurable (explicit) WTD thresholds and one nonconfigurable (implicit) threshold
preset to the queue-full state. You assign the two WTD threshold percentages for threshold ID 1 and ID 2.
The drop threshold for threshold ID 3 is preset to the queue-full state, and you cannot modify it. You map a
port to queue-set by using the queue-set qset-id interface configuration command. Modify the queue-set
configuration to change the WTD threshold percentages.

Note The switch supports 4 egress queues by default, although there is an option to enable a total of 8 egress queues.
Use the mls qos srr-queue output queues 8 global configuration command to enable all 8 egress queues.
Once 8 egress queues are enabled, you are able to configure thresholds and buffers for all 8 queues. The 8
egress queue configuration is only supported on a standalone switch.

Related Topics
Weighted Tail Drop, on page 660

Shaped or Shared Mode


SRR services each queue-set in shared or shaped mode. You map a port to a queue-set by using the queue-set
qset-id interface configuration command. You assign shared or shaped weights to the port by using the
srr-queue bandwidth share weight1 weight2 weight3 weight4 or the srr-queue bandwidth shape weight1
weight2 weight3 weight4 interface configuration command.
The buffer allocation together with the SRR weight ratios control how much data can be buffered and sent
before packets are dropped. The weight ratio is the ratio of the frequency in which the SRR scheduler sends
packets from each queue.
All four queues participate in the SRR unless the expedite queue is enabled, in which case the first bandwidth
weight is ignored and is not used in the ratio calculation. The expedite queue is a priority queue, and it is
serviced until empty before the other queues are serviced. You enable the expedite queue by using the
priority-queue out interface configuration command.
You can combine the commands described in this section to prioritize traffic by placing packets with particular
DSCPs or CoSs into certain queues, by allocating a large queue size or by servicing the queue more frequently,
and by adjusting queue thresholds so that packets with lower priorities are dropped.
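As an added example of the shared-mode behaviour described in SRR Shaping and Sharing and in this section (not code from the Cisco guide; SrrSharedScheduler, run and share_pct are names chosen for the example), the following Python model schedules four queues by weight. It shows the two properties the text states: only the ratio of the shared weights matters, and an idle queue's share is taken up by the queues that have traffic. It also models the expedite queue, which is drained before the other queues are served and whose weight is left out of the ratio. Frame sizes and backlogs are constructed.

```python
from collections import deque
from typing import Deque, List


class SrrSharedScheduler:
    """Constructed model of SRR in shared mode with an optional expedite queue.

    Each service round gives queue i `weights[i]` dequeue opportunities, so only
    the ratio of the weights matters; an empty queue forfeits its opportunities
    and the backlogged queues take the unused link time. When the expedite queue
    (queue 1) is enabled it is drained before the other queues are served and
    its weight is left out of the ratio, as described for priority-queue out.
    """

    def __init__(self, weights: List[int], expedite: bool = False) -> None:
        self.weights = list(weights)
        self.expedite = expedite
        self.queues: List[Deque[int]] = [deque() for _ in weights]
        self.sent_bytes = [0] * len(weights)

    def enqueue(self, queue_id: int, size_bytes: int) -> None:
        """Queue IDs are 1-based, as on the switch."""
        self.queues[queue_id - 1].append(size_bytes)

    def _shared_weights(self) -> List[int]:
        # With the expedite queue enabled, the first bandwidth weight is ignored.
        return ([0] + self.weights[1:]) if self.expedite else list(self.weights)

    def run(self, rounds: int) -> List[int]:
        """Run the scheduler for `rounds` service rounds; return bytes sent per queue."""
        for _ in range(rounds):
            if self.expedite:
                while self.queues[0]:
                    self.sent_bytes[0] += self.queues[0].popleft()
            for i, weight in enumerate(self._shared_weights()):
                for _ in range(weight):
                    if self.queues[i]:
                        self.sent_bytes[i] += self.queues[i].popleft()
        return list(self.sent_bytes)


def share_pct(sent_bytes: List[int]) -> List[float]:
    """Percentage of the transmitted bytes each queue obtained (all 0.0 if nothing was sent)."""
    total = sum(sent_bytes)
    return [round(100.0 * b / total, 1) if total else 0.0 for b in sent_bytes]


if __name__ == "__main__":
    # Constructed backlog: 100 frames of 100 bytes in queues 1, 2 and 4; queue 3 idle.
    # With equal weights the three busy queues each obtain a third of the link, not a quarter.
    s = SrrSharedScheduler([25, 25, 25, 25])
    for q in (1, 2, 4):
        for _ in range(100):
            s.enqueue(q, 100)
    print("shared, queue 3 idle:", share_pct(s.run(1)))

    # Expedite queue enabled: queue 1 is emptied first, then the others share by weight.
    e = SrrSharedScheduler([25, 25, 25, 25], expedite=True)
    for _ in range(10):
        e.enqueue(1, 100)
    for _ in range(100):
        e.enqueue(2, 100)
    print("expedite:", e.run(1))
```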


Note The egress queue default settings are suitable for most situations. You should change them only when you
have a thorough understanding of the egress queues and if these settings do not meet your QoS solution.

Note The switch supports 4 egress queues by default, although there is an option to enable a total of 8 egress queues.
Use the mls qos srr-queue output queues 8 global configuration command to enable all 8 egress queues.
Once 8 egress queues are enabled, you are able to configure thresholds, buffers, bandwidth share weights,
and bandwidth shape weights for all 8 queues. The 8 egress queue configuration is only supported on a
standalone switch.

Related Topics
Configuring Egress Queue Characteristics, on page 720
SRR Shaping and Sharing, on page 661

Packet Modification
A packet is classified, policed, and queued to provide QoS. The following packet modifications can occur
during the process to provide QoS:
• For IP and non-IP packets, classification involves assigning a QoS label to a packet based on the DSCP
or CoS of the received packet. However, the packet is not modified at this stage; only an indication of
the assigned DSCP or CoS value is carried along.
• During policing, IP and non-IP packets can have another DSCP assigned to them (if they are out of profile
and the policer specifies a markdown DSCP). Once again, the DSCP in the packet is not modified, but
an indication of the marked-down value is carried along. For IP packets, the packet modification occurs
at a later stage; for non-IP packets the DSCP is converted to CoS and used for queueing and scheduling
decisions.
• Depending on the QoS label assigned to a frame and the mutation chosen, the DSCP and CoS values of
the frame are rewritten. If you do not configure a table map and if you configure the port to trust the
DSCP of the incoming frame, the DSCP value in the frame is not changed, but the CoS is rewritten
according to the DSCP-to-CoS map. If you configure the port to trust the CoS of the incoming frame
and it is an IP packet, the CoS value in the frame is not changed, but the DSCP might be changed according
to the CoS-to-DSCP map.
The input mutation causes the DSCP to be rewritten depending on the new value of DSCP chosen. The
set action in a policy map also causes the DSCP to be rewritten.

Standard QoS Default Configuration


Standard QoS is disabled by default.
When QoS is disabled, there is no concept of trusted or untrusted ports because the packets are not modified.
The CoS, DSCP, and IP precedence values in the packet are not changed.
Traffic is switched in pass-through mode. The packets are switched without any rewrites and classified as
best effort without any policing.


When QoS is enabled using the mls qos global configuration command and all other QoS settings are at their
defaults, traffic is classified as best effort (the DSCP and CoS value is set to 0) without any policing. No
policy maps are configured. The default port trust state on all ports is untrusted.

Note Starting Cisco IOS Release 15.2(1)E, IPv6 QoS is supported on switches running the LAN base license with
lanbase-routing template.

Related Topics
Enabling QoS Globally, on page 675
Default Egress Queue Configuration, on page 670
Default Ingress Queue Configuration, on page 669

Default Ingress Queue Configuration


The following tables describe the default ingress queue configurations.
The following table shows the default ingress queue configuration when QoS is enabled. For the bandwidth
allocation feature, bandwidth is equally shared between the queues. SRR sends packets in shared mode only.
Queue 2 is the priority queue. SRR services the priority queue for its configured share before servicing the
other queue.

Table 65: Default Ingress Queue Configuration

Feature Queue 1 Queue 2

Buffer allocation 90 percent 10 percent

Bandwidth allocation 4 4

Priority queue bandwidth 0 10

WTD drop threshold 1 100 percent 100 percent

WTD drop threshold 2 100 percent 100 percent

The following table shows the default CoS input queue threshold map when QoS is enabled.

Table 66: Default CoS Input Queue Threshold Map

CoS Value Queue ID–Threshold ID

0–4 1–1

5 2–1

6, 7 1–1


The following table shows the default DSCP input queue threshold map when QoS is enabled.

Table 67: Default DSCP Input Queue Threshold Map

DSCP Value Queue ID–Threshold ID

0–39 1–1

40–47 2–1

48–63 1–1

Related Topics
Enabling QoS Globally, on page 675
Standard QoS Default Configuration, on page 668

Default Egress Queue Configuration


The following tables describe the default egress queue configurations.

Note The switch supports 4 egress queues by default, although there is an option to enable a total of 8 egress queues.
Use the mls qos srr-queue output queues 8 global configuration command to enable all 8 egress queues.
Once 8 egress queues are enabled, you are able to configure thresholds and buffers for all 8 queues. The 8
egress queue configuration is only supported on a standalone switch.

The following table shows the default egress queue configuration for each queue-set when QoS is enabled.
All ports are mapped to queue-set 1. The port bandwidth limit is set to 100 percent and rate unlimited. Note
that for the SRR shaped weights (absolute) feature, a shaped weight of zero indicates that the queue is operating
in shared mode. Note that for the SRR shared weights feature, one quarter of the bandwidth is allocated to
each queue.

Table 68: Default Egress Queue Configuration

Feature                         Queue 1       Queue 2       Queue 3       Queue 4

Buffer allocation               25 percent    25 percent    25 percent    25 percent
WTD drop threshold 1            100 percent   200 percent   100 percent   100 percent
WTD drop threshold 2            100 percent   200 percent   100 percent   100 percent
Reserved threshold              50 percent    50 percent    50 percent    50 percent
Maximum threshold               400 percent   400 percent   400 percent   400 percent
SRR shaped weights (absolute)   25            0             0             0
SRR shared weights              25            25            25            25


The following table shows the default CoS output queue threshold map when QoS is enabled.

Table 69: Default CoS Output Queue Threshold Map

CoS Value Queue ID–Threshold ID

0, 1 2–1

2, 3 3–1

4 4–1

5 1–1

6, 7 4–1

The following table shows the default DSCP output queue threshold map when QoS is enabled.

Table 70: Default DSCP Output Queue Threshold Map

DSCP Value Queue ID–Threshold ID

0–15 2–1

16–31 3–1

32–39 4–1

40–47 1–1

48–63 4–1

The following table displays the default egress queue configuration when the 8 egress queue configuration is
enabled using the mls qos srr-queue output queues 8 command.

Table 71: Default 8 Egress Queue Configuration

Feature                Queue 1   Queue 2   Queue 3   Queue 4   Queue 5   Queue 6   Queue 7   Queue 8

Buffer allocation      10        30        10        10        10        10        10        10
WTD drop threshold 1   100       1600      100       100       100       100       100       100
WTD drop threshold 2   100       2000      100       100       100       100       100       100
Reserved threshold     100       100       100       100       100       100       100       100
Maximum threshold      400       2400      400       400       400       400       400       400
SRR shaped weights     25        0         0         0         0         0         0         0
SRR shared weights     25        25        25        25        25        25        25        25

The following table displays the default CoS output queue threshold map when QoS is enabled and the 8
egress queue configuration is enabled using the mls qos srr-queue output queues 8 command.

Table 72: Default CoS Output 8 Queue Threshold Map

CoS   Egress Queue   Threshold ID   4 Egress Queue Mapping

0     2              1              2
1     3              1              2
2     4              1              3
3     5              1              3
4     6              1              4
5     1              1              1
6     7              1              4
7     8              1              4

The following table displays the default DSCP output queue threshold map when QoS is enabled and the 8
egress queue configuration is enabled using the mls qos srr-queue output queues 8 command.

Table 73: Default DSCP Output 8 Queue Threshold Map

DSCP    Egress Queue   Threshold ID   4 Egress Queue Mapping

0-7     2              1              2
8-15    3              1              2
16-23   4              1              3
24-31   5              1              3
32-39   6              1              4
40-47   1              1              1
48-55   7              1              4
56-63   8              1              4

Related Topics
Enabling QoS Globally, on page 675
Standard QoS Default Configuration, on page 668

Default Mapping Table Configuration


The default DSCP-to-DSCP-mutation map is a null map, which maps an incoming DSCP value to the same
DSCP value.
The default policed-DSCP map is a null map, which maps an incoming DSCP value to the same DSCP value
(no markdown).
Related Topics
Default CoS-to-DSCP Map, on page 673
Default IP-Precedence-to-DSCP Map, on page 674
Default DSCP-to-CoS Map, on page 674

DSCP Maps
Default CoS-to-DSCP Map
You use the CoS-to-DSCP map to map CoS values in incoming packets to a DSCP value that QoS uses
internally to represent the priority of the traffic. The following table shows the default CoS-to-DSCP map. If
these values are not appropriate for your network, you need to modify them.

Table 74: Default CoS-to-DSCP Map

CoS Value DSCP Value

0 0

1 8

2 16

3 24

4 32

5 40

6 48

7 56

Related Topics
Default Mapping Table Configuration, on page 673

Configuring the CoS-to-DSCP Map, on page 706
Configuring the Policed-DSCP Map, on page 709

Default IP-Precedence-to-DSCP Map


You use the IP-precedence-to-DSCP map to map IP precedence values in incoming packets to a DSCP value
that QoS uses internally to represent the priority of the traffic. The following table shows the default
IP-precedence-to-DSCP map. If these values are not appropriate for your network, you need to modify them.

Table 75: Default IP-Precedence-to-DSCP Map

IP Precedence Value DSCP Value

0 0

1 8

2 16

3 24

4 32

5 40

6 48

7 56

Related Topics
Default Mapping Table Configuration, on page 673
Configuring the IP-Precedence-to-DSCP Map, on page 707
Configuring the Policed-DSCP Map, on page 709

Default DSCP-to-CoS Map


You use the DSCP-to-CoS map to generate a CoS value, which is used to select one of the four egress queues.
The following table shows the default DSCP-to-CoS map. If these values are not appropriate for your network,
you need to modify them.

Table 76: Default DSCP-to-CoS Map

DSCP Value CoS Value

0–7 0

8–15 1

16–23 2

24–31 3

32–39 4

40–47 5

48–55 6

56–63 7

Related Topics
Default Mapping Table Configuration, on page 673
Configuring the DSCP-to-CoS Map, on page 710
Configuring the Policed-DSCP Map, on page 709

How to Configure QoS


Enabling QoS Globally
By default, QoS is disabled on the switch. The following procedure, which enables QoS globally, is required before any of the other QoS tasks in this module take effect.

SUMMARY STEPS
1. configure terminal
2. mls qos
3. end
4. show mls qos
5. copy running-config startup-config

DETAILED STEPS

Step 1: configure terminal
Enters global configuration mode.
Example:
SwitchDevice# configure terminal

Step 2: mls qos
Enables QoS globally. QoS operates with the default settings described in the related topic sections below.
Note: To disable QoS, use the no mls qos global configuration command.
Example:
SwitchDevice(config)# mls qos

Step 3: end
Returns to privileged EXEC mode.
Example:
SwitchDevice(config)# end

Step 4: show mls qos
Verifies the QoS configuration.
Example:
SwitchDevice# show mls qos

Step 5: copy running-config startup-config
(Optional) Saves your entries in the configuration file.
Example:
SwitchDevice# copy running-config startup-config

Related Topics
Standard QoS Default Configuration, on page 668
Default Egress Queue Configuration, on page 670
Default Ingress Queue Configuration, on page 669

Configuring Classification Using Port Trust States


These sections describe how to classify incoming traffic by using port trust states.

Note: Depending on your network configuration, you must perform one or more of these tasks in this module or one or more of the tasks in Configuring a QoS Policy.

Configuring the Trust State on Ports Within the QoS Domain

Packets entering a QoS domain are classified at the edge of the QoS domain. Because the packets are already classified at the edge, there is no need to classify them again at every switch within the QoS domain; the switch ports within the domain can instead be configured to one of the trusted states.

Figure 74: Port Trusted States on Ports Within the QoS Domain

SUMMARY STEPS
1. configure terminal
2. interface interface-id
3. mls qos trust [cos | dscp | ip-precedence]
4. end
5. show mls qos interface
6. copy running-config startup-config

DETAILED STEPS

Step 1: configure terminal
Enters global configuration mode.
Example:
SwitchDevice# configure terminal

Step 2: interface interface-id
Specifies the port to be trusted, and enters interface configuration mode. Valid interfaces are physical ports.
Example:
SwitchDevice(config)# interface gigabitethernet 1/0/2

Step 3: mls qos trust [cos | dscp | ip-precedence]
Configures the port trust state. By default, the port is not trusted. If no keyword is specified, the default is dscp.
The keywords have these meanings:
• cos—Classifies an ingress packet by using the packet CoS value. For an untagged packet, the port default CoS value is used. The default port CoS value is 0.
• dscp—Classifies an ingress packet by using the packet DSCP value. For a non-IP packet, the packet CoS value is used if the packet is tagged; for an untagged packet, the default port CoS is used. Internally, the switch maps the CoS value to a DSCP value by using the CoS-to-DSCP map.
• ip-precedence—Classifies an ingress packet by using the packet IP-precedence value. For a non-IP packet, the packet CoS value is used if the packet is tagged; for an untagged packet, the default port CoS is used. Internally, the switch maps the CoS value to a DSCP value by using the CoS-to-DSCP map.
To return a port to its untrusted state, use the no mls qos trust interface configuration command.
Example:
SwitchDevice(config-if)# mls qos trust cos

Step 4: end
Returns to privileged EXEC mode.
Example:
SwitchDevice(config-if)# end

Step 5: show mls qos interface
Verifies your entries.
Example:
SwitchDevice# show mls qos interface

Step 6: copy running-config startup-config
(Optional) Saves your entries in the configuration file.
Example:
SwitchDevice# copy running-config startup-config

Related Topics
Configuring the CoS Value for an Interface, on page 679
Configuring the CoS-to-DSCP Map, on page 706

Configuring the CoS Value for an Interface


QoS assigns the CoS value specified with the mls qos cos interface configuration command to untagged frames received on trusted and untrusted ports.
Beginning in privileged EXEC mode, follow these steps to define the default CoS value of a port or to assign the default CoS to all incoming packets on the port.

SUMMARY STEPS
1. configure terminal
2. interface interface-id
3. mls qos cos {default-cos | override}
4. end
5. show mls qos interface
6. copy running-config startup-config

DETAILED STEPS

Step 1: configure terminal
Enters global configuration mode.
Example:
SwitchDevice# configure terminal

Step 2: interface interface-id
Specifies the port to be configured, and enters interface configuration mode. Valid interfaces include physical ports.
Example:
SwitchDevice(config)# interface gigabitethernet 1/1/1

Step 3: mls qos cos {default-cos | override}
Configures the default CoS value for the port.
• For default-cos, specify a default CoS value to be assigned to a port. If the packet is untagged, the default CoS value becomes the packet CoS value. The CoS range is 0 to 7. The default is 0.
• Use the override keyword to override the previously configured trust state of the incoming packet and to apply the default port CoS value to all incoming packets on the port. By default, CoS override is disabled. Use the override keyword when all incoming packets on specified ports deserve higher or lower priority than packets entering from other ports. Even if a port was previously set to trust DSCP, CoS, or IP precedence, this command overrides the previously configured trust state, and all the incoming CoS values are assigned the default CoS value configured with this command. If an incoming packet is tagged, the CoS value of the packet is replaced with the default CoS of the port at the ingress port.
Note: To return to the default setting, use the no mls qos cos {default-cos | override} interface configuration command.
Example:
SwitchDevice(config-if)# mls qos cos override

Step 4: end
Returns to privileged EXEC mode.
Example:
SwitchDevice(config-if)# end

Step 5: show mls qos interface
Verifies your entries.
Example:
SwitchDevice# show mls qos interface

Step 6: copy running-config startup-config
(Optional) Saves your entries in the configuration file.
Example:
SwitchDevice# copy running-config startup-config

Related Topics
Configuring the Trust State on Ports Within the QoS Domain, on page 676

Configuring a Trusted Boundary to Ensure Port Security


In a typical network, you connect a Cisco IP Phone to a switch port and cascade devices that generate data packets from the back of the telephone. The Cisco IP Phone guarantees the voice quality through a shared data link by marking the CoS level of the voice packets as high priority (CoS = 5) and by marking the data packets as low priority (CoS = 0). Traffic sent from the telephone to the switch is typically marked with a tag that uses the 802.1Q header. The header contains the VLAN information and the 3-bit class of service (CoS) field, which is the priority of the packet.
For most Cisco IP Phone configurations, the traffic sent from the telephone to the switch should be trusted to ensure that voice traffic is properly prioritized over other types of traffic in the network. By using the mls qos trust cos interface configuration command, you configure the switch port to which the telephone is connected to trust the CoS labels of all traffic received on that port. Use the mls qos trust dscp interface configuration command to configure a routed port to which the telephone is connected to trust the DSCP labels of all traffic received on that port.

With the trusted setting, you also can use the trusted boundary feature to prevent misuse of a high-priority queue if a user bypasses the telephone and connects the PC directly to the switch. Without trusted boundary, the CoS labels generated by the PC are trusted by the switch (because of the trusted CoS setting). By contrast, trusted boundary uses CDP to detect the presence of a Cisco IP Phone (such as the Cisco IP Phone 7910, 7935, 7940, and 7960) on a switch port. If the telephone is not detected, the trusted boundary feature disables the trusted setting on the switch port and prevents misuse of a high-priority queue. Note that the trusted boundary feature is not effective if the PC and Cisco IP Phone are connected to a hub that is connected to the switch, because CDP still sees the phone while the PC's frames reach the switch unchanged.
In some situations, you can also prevent a PC connected to the Cisco IP Phone from taking advantage of a high-priority data queue. You can use the switchport priority extend cos interface configuration command to configure the telephone through the switch CLI to override the priority of the traffic received from the PC.

SUMMARY STEPS
1. configure terminal
2. cdp run
3. interface interface-id
4. cdp enable
5. Use one of the following:
• mls qos trust cos
• mls qos trust dscp
6. mls qos trust device cisco-phone
7. end
8. show mls qos interface
9. copy running-config startup-config

DETAILED STEPS

Step 1: configure terminal
Enters global configuration mode.
Example:
SwitchDevice# configure terminal

Step 2: cdp run
Enables CDP globally. By default, CDP is enabled.
Example:
SwitchDevice(config)# cdp run

Step 3: interface interface-id
Specifies the port connected to the Cisco IP Phone, and enters interface configuration mode. Valid interfaces include physical ports.
Example:
SwitchDevice(config)# interface gigabitethernet 2/1/1

Step 4: cdp enable
Enables CDP on the port. By default, CDP is enabled.
Example:
SwitchDevice(config-if)# cdp enable

Step 5: Use one of the following:
• mls qos trust cos
• mls qos trust dscp
Configures the switch port to trust the CoS value in traffic received from the Cisco IP Phone, or configures the routed port to trust the DSCP value in traffic received from the Cisco IP Phone. By default, the port is not trusted.
Example:
SwitchDevice(config-if)# mls qos trust cos

Step 6: mls qos trust device cisco-phone
Specifies that the Cisco IP Phone is a trusted device. You cannot enable both trusted boundary and auto-QoS (auto qos voip interface configuration command) at the same time; they are mutually exclusive.
Note: To disable the trusted boundary feature, use the no mls qos trust device interface configuration command.
Example:
SwitchDevice(config-if)# mls qos trust device cisco-phone

Step 7: end
Returns to privileged EXEC mode.
Example:
SwitchDevice(config-if)# end

Step 8: show mls qos interface
Verifies your entries.
Example:
SwitchDevice# show mls qos interface

Step 9: copy running-config startup-config
(Optional) Saves your entries in the configuration file.
Example:
SwitchDevice# copy running-config startup-config
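
The security point of this procedure is that a trust setting is only as good as the guard in front of it. The following Python script is an added example for this page, not Cisco code: it parses a running-config excerpt (constructed here, in the standard IOS layout of one-space-indented interface sub-commands separated by "!") and flags ports whose trust setting can be abused because the trusted boundary is missing, because CDP cannot detect the phone, or because auto-QoS conflicts with it. The check for switchport priority extend trust assumes the trust form of that IOS command, which this page does not show; the cos form is the one the page recommends.

```python
"""Audit a Catalyst running-config for trust settings that defeat the trusted
boundary described above. Added example, not Cisco code."""
import re
from typing import Dict, List, Tuple

# Constructed running-config excerpt: one correct phone port and several misconfigured ones.
SAMPLE_CONFIG = """\
mls qos
!
interface GigabitEthernet1/0/1
 description phone + PC, trusted boundary
 switchport voice vlan 100
 mls qos trust cos
 mls qos trust device cisco-phone
!
interface GigabitEthernet1/0/2
 description PC port that trusts CoS from anything
 mls qos trust cos
!
interface GigabitEthernet1/0/3
 description boundary configured but CDP turned off on the port
 no cdp enable
 mls qos trust dscp
 mls qos trust device cisco-phone
!
interface GigabitEthernet1/0/4
 description phone port where the phone is told to trust the PC's markings
 switchport voice vlan 100
 switchport priority extend trust
 mls qos trust cos
 mls qos trust device cisco-phone
!
interface GigabitEthernet1/0/5
 description untrusted access port
!
"""

Finding = Tuple[str, str]   # (scope, message); scope is "global" or an interface name


def parse_interfaces(config: str) -> Tuple[List[str], Dict[str, List[str]]]:
    """Split a running-config into global lines and per-interface sub-command lists."""
    global_lines: List[str] = []
    interfaces: Dict[str, List[str]] = {}
    current = None
    for raw in config.splitlines():
        if raw.startswith("interface "):
            current = raw.split(None, 1)[1]
            interfaces[current] = []
        elif raw.startswith(" ") and current is not None:
            interfaces[current].append(raw.strip())
        else:
            current = None                      # "!" or any top-level line ends the block
            if raw.strip() and raw.strip() != "!":
                global_lines.append(raw.strip())
    return global_lines, interfaces


def audit(config: str) -> List[Finding]:
    global_lines, interfaces = parse_interfaces(config)
    findings: List[Finding] = []
    if "mls qos" not in global_lines:
        findings.append(("global", "QoS is disabled (no 'mls qos'); trust settings have no effect"))
    cdp_global = "no cdp run" not in global_lines   # CDP is on by default
    for name, lines in interfaces.items():
        trusts = [l for l in lines if re.fullmatch(r"mls qos trust (cos|dscp|ip-precedence)", l)]
        boundary = "mls qos trust device cisco-phone" in lines
        if trusts and not boundary:
            findings.append((name, f"'{trusts[0]}' without 'mls qos trust device cisco-phone': "
                                   "any device on the port can set its own priority"))
        if boundary and ("no cdp enable" in lines or not cdp_global):
            findings.append((name, "trusted boundary needs CDP to detect the phone, but CDP is off"))
        if boundary and any(l.startswith("auto qos voip") for l in lines):
            findings.append((name, "trusted boundary and auto-QoS are mutually exclusive"))
        if "switchport priority extend trust" in lines:
            findings.append((name, "phone is told to trust the PC's CoS; prefer "
                                   "'switchport priority extend cos 0'"))
    return findings


def findings_for(findings: List[Finding], scope: str) -> List[str]:
    return [msg for s, msg in findings if s == scope]


if __name__ == "__main__":
    for scope, msg in audit(SAMPLE_CONFIG):
        print(f"{scope}: {msg}")
```

Run it against show running-config output saved to a file; only GigabitEthernet1/0/1 and the untrusted port come back clean, which is the state the procedure above is meant to produce.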

Enabling DSCP Transparency Mode


The switch supports the DSCP transparency feature. It affects only the DSCP field of a packet at egress. By default, DSCP transparency is disabled: the switch modifies the DSCP field in an incoming packet, and the DSCP field in the outgoing packet is based on the quality of service (QoS) configuration, including the port trust setting, policing and marking, and the DSCP-to-DSCP mutation map.

If DSCP transparency is enabled by using the no mls qos rewrite ip dscp command, the switch does not modify the DSCP field in the incoming packet, and the DSCP field in the outgoing packet is the same as that in the incoming packet.
Regardless of the DSCP transparency configuration, the switch still modifies the internal DSCP value of the packet, which the switch uses to generate a class of service (CoS) value that represents the priority of the traffic. The switch also uses the internal DSCP value to select an egress queue and threshold.

SUMMARY STEPS
1. configure terminal
2. mls qos
3. no mls qos rewrite ip dscp
4. end
5. show mls qos interface [interface-id]
6. copy running-config startup-config

DETAILED STEPS

Step 1: configure terminal
Enters global configuration mode.
Example:
SwitchDevice# configure terminal

Step 2: mls qos
Enables QoS globally.
Example:
SwitchDevice(config)# mls qos

Step 3: no mls qos rewrite ip dscp
Enables DSCP transparency. The switch is configured to not modify the DSCP field of the IP packet.
Example:
SwitchDevice(config)# no mls qos rewrite ip dscp

Step 4: end
Returns to privileged EXEC mode.
Example:
SwitchDevice(config)# end

Step 5: show mls qos interface [interface-id]
Verifies your entries.
Example:
SwitchDevice# show mls qos interface gigabitethernet 2/1/1

Step 6: copy running-config startup-config
(Optional) Saves your entries in the configuration file.
Example:
SwitchDevice# copy running-config startup-config

DSCP Transparency Mode

To configure the switch to modify the DSCP value based on the trust setting or on an ACL by disabling DSCP transparency, use the mls qos rewrite ip dscp global configuration command.
If you disable QoS by using the no mls qos global configuration command, the CoS and DSCP values are not changed (the default QoS setting).
If you enter the no mls qos rewrite ip dscp global configuration command to enable DSCP transparency and then enter the mls qos trust [cos | dscp] interface configuration command, DSCP transparency is still enabled.
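
The trust keywords, the mls qos cos override behaviour, the trusted-boundary fallback and the transparency rule above interact in ways that are easy to misread, so here is a small Python model of the ingress-to-egress decision. It is an added example written for this page, not Cisco code: the Packet and PortQoS types, the phone_detected flag, and the assumption that an untrusted port with QoS enabled marks a packet down to internal DSCP 0 are this example's own. Confirm the switch's real behaviour with show mls qos interface.

```python
"""Model of the ingress trust/classification logic and of DSCP transparency as
described on this page. Added example, not Cisco code."""
from dataclasses import dataclass
from typing import Optional

# Default maps from Tables 74 and 76: DSCP = CoS * 8, CoS = DSCP // 8.
COS_TO_DSCP = {cos: cos * 8 for cos in range(8)}
IPPREC_TO_DSCP = {prec: prec * 8 for prec in range(8)}


def dscp_to_cos(dscp: int) -> int:
    """Default DSCP-to-CoS map (Table 76)."""
    return dscp // 8


@dataclass
class Packet:
    is_ip: bool
    cos: Optional[int] = None    # 802.1p CoS; None means the frame is untagged
    dscp: Optional[int] = None   # IP DSCP; None for non-IP packets

    @property
    def ip_precedence(self) -> Optional[int]:
        return None if self.dscp is None else self.dscp >> 3


@dataclass
class PortQoS:
    trust: Optional[str] = None             # None (untrusted) | "cos" | "dscp" | "ip-precedence"
    default_cos: int = 0                    # mls qos cos <default-cos>
    cos_override: bool = False              # mls qos cos override
    trust_device_cisco_phone: bool = False  # mls qos trust device cisco-phone
    phone_detected: bool = False            # what CDP actually found on the link (assumed input)
    dscp_transparency: bool = False         # global 'no mls qos rewrite ip dscp'


def effective_trust(port: PortQoS) -> Optional[str]:
    """Trusted boundary: the trust setting is disabled unless CDP sees a phone."""
    if port.trust_device_cisco_phone and not port.phone_detected:
        return None
    return port.trust


def internal_dscp(pkt: Packet, port: PortQoS) -> int:
    """Internal DSCP assigned at ingress, before any policy-map marking."""
    cos = pkt.cos if pkt.cos is not None else port.default_cos
    if port.cos_override:
        # override replaces the packet CoS with the port default regardless of trust state
        return COS_TO_DSCP[port.default_cos]
    trust = effective_trust(port)
    if trust is None:
        # assumption: an untrusted port with QoS enabled marks the packet down to 0
        return 0
    if trust == "cos" or not pkt.is_ip:
        # 'trust dscp' / 'trust ip-precedence' on a non-IP packet fall back to the CoS value
        return COS_TO_DSCP[cos]
    if trust == "dscp":
        return pkt.dscp
    return IPPREC_TO_DSCP[pkt.ip_precedence]


def egress_marking(pkt: Packet, port: PortQoS):
    """Return (internal DSCP, egress CoS, egress DSCP field).

    Transparency only leaves the DSCP *field* untouched; the egress CoS and
    therefore the egress queue still follow the internal DSCP."""
    idscp = internal_dscp(pkt, port)
    out_cos = dscp_to_cos(idscp)
    if not pkt.is_ip:
        out_dscp = None
    elif port.dscp_transparency:
        out_dscp = pkt.dscp
    else:
        out_dscp = idscp
    return idscp, out_cos, out_dscp


if __name__ == "__main__":
    # A PC spoofing CoS 5 behind a 'mls qos trust cos' port lands in the voice class...
    spoof = Packet(is_ip=True, cos=5, dscp=0)
    print(egress_marking(spoof, PortQoS(trust="cos")))                         # (40, 5, 40)
    # ...but not when the trusted boundary finds no phone on the port.
    print(egress_marking(spoof, PortQoS(trust="cos", trust_device_cisco_phone=True)))  # (0, 0, 0)
```

The last case in the model is the one to remember when enabling transparency: an untrusted port with no mls qos rewrite ip dscp forwards a packet with its DSCP 46 intact, but the packet is still queued as CoS 0, because queue selection never looks at the preserved field.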

Configuring the DSCP Trust State on a Port Bordering Another QoS Domain
If you are administering two separate QoS domains between which you want to implement QoS features for IP traffic, you can configure the switch ports bordering the domains to a DSCP-trusted state. The receiving port accepts the DSCP-trusted value and skips the classification stage of QoS. If the two domains use different DSCP values, you can configure the DSCP-to-DSCP-mutation map to translate a set of DSCP values to match the definition in the other domain.
Figure 75: DSCP-Trusted State on a Port Bordering Another QoS Domain

Beginning in privileged EXEC mode, follow these steps to configure the DSCP-trusted state on a port and modify the DSCP-to-DSCP-mutation map. To ensure a consistent mapping strategy across both QoS domains, you must perform this procedure on the ports in both domains.

SUMMARY STEPS
1. configure terminal
2. mls qos map dscp-mutation dscp-mutation-name in-dscp to out-dscp
3. interface interface-id
4. mls qos trust dscp
5. mls qos dscp-mutation dscp-mutation-name
6. end
7. show mls qos maps dscp-mutation
8. copy running-config startup-config

DETAILED STEPS

Step 1: configure terminal
Enters global configuration mode.
Example:
SwitchDevice# configure terminal

Step 2: mls qos map dscp-mutation dscp-mutation-name in-dscp to out-dscp
Modifies the DSCP-to-DSCP-mutation map. The default DSCP-to-DSCP-mutation map is a null map, which maps an incoming DSCP value to the same DSCP value.
• For dscp-mutation-name, enter the mutation map name. You can create more than one map by specifying a new name.
• For in-dscp, enter up to eight DSCP values separated by spaces. Then enter the to keyword.
• For out-dscp, enter a single DSCP value.
The DSCP range is 0 to 63.
Example:
SwitchDevice(config)# mls qos map dscp-mutation gigabitethernet1/0/2-mutation 10 11 12 13 to 30

Step 3: interface interface-id
Specifies the port to be trusted, and enters interface configuration mode. Valid interfaces include physical ports.
Example:
SwitchDevice(config)# interface gigabitethernet1/0/2

Step 4: mls qos trust dscp
Configures the ingress port as a DSCP-trusted port. By default, the port is not trusted.
Note: To return a port to its non-trusted state, use the no mls qos trust interface configuration command.
Example:
SwitchDevice(config-if)# mls qos trust dscp

Step 5: mls qos dscp-mutation dscp-mutation-name
Applies the map to the specified ingress DSCP-trusted port. For dscp-mutation-name, specify the mutation map name created in Step 2. You can configure multiple DSCP-to-DSCP-mutation maps on an ingress port.
Note: To return to the default DSCP-to-DSCP-mutation map values, use the no mls qos map dscp-mutation dscp-mutation-name global configuration command.
Example:
SwitchDevice(config-if)# mls qos dscp-mutation gigabitethernet1/0/2-mutation

Step 6: end
Returns to privileged EXEC mode.
Example:
SwitchDevice(config-if)# end

Step 7: show mls qos maps dscp-mutation
Verifies your entries.
Example:
SwitchDevice# show mls qos maps dscp-mutation

Step 8: copy running-config startup-config
(Optional) Saves your entries in the configuration file.
Example:
SwitchDevice# copy running-config startup-config

Related Topics
Example: Configuring Port to the DSCP-Trusted State and Modifying the DSCP-to-DSCP-Mutation Map, on page 733
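
A border port that trusts DSCP takes the neighbouring domain's word for how important each packet is, so the mutation map is effectively the policy that decides what the other side may put into your queues. The following Python parser is an added example for this page, not Cisco code: it builds the 64-entry table from mls qos map dscp-mutation lines exactly as Step 2 describes them (null map by default, up to eight in-dscp values per line, one out-dscp, values 0 to 63, several lines for one name accumulating), and then runs a policy check that is this example's own idea: it lists any entry that lets a non-privileged incoming value land on EF (46) or CS6/CS7 (48, 56), which is what you would want to see before trusting the peer.

```python
"""Parser and policy check for 'mls qos map dscp-mutation' lines as described in
the procedure above. Added example, not Cisco code."""
from typing import Dict, List, Tuple

MAX_IN_VALUES = 8   # the command accepts up to eight in-dscp values per line


def null_map() -> List[int]:
    """Default DSCP-to-DSCP-mutation map: every value maps to itself."""
    return list(range(64))


def parse_mutation_maps(lines) -> Dict[str, List[int]]:
    """Build {map-name: 64-entry table}; several lines for one name accumulate."""
    maps: Dict[str, List[int]] = {}
    for line in lines:
        toks = line.split()
        if toks[:4] != ["mls", "qos", "map", "dscp-mutation"]:
            continue                                    # not a mutation-map line
        if len(toks) < 7 or "to" not in toks[5:]:
            raise ValueError(f"malformed: {line}")
        name = toks[4]
        to_idx = toks.index("to", 5)
        in_vals = [int(t) for t in toks[5:to_idx]]
        out_vals = [int(t) for t in toks[to_idx + 1:]]
        if not 1 <= len(in_vals) <= MAX_IN_VALUES:
            raise ValueError(f"{name}: 1 to {MAX_IN_VALUES} in-dscp values, got {len(in_vals)}")
        if len(out_vals) != 1:
            raise ValueError(f"{name}: exactly one out-dscp value expected")
        out = out_vals[0]
        for v in in_vals + [out]:
            if not 0 <= v <= 63:
                raise ValueError(f"{name}: DSCP {v} outside 0-63")
        table = maps.setdefault(name, null_map())
        for v in in_vals:
            table[v] = out
    return maps


def is_valid(line: str) -> bool:
    """True when the line is accepted by the parser's syntax and range checks."""
    try:
        parse_mutation_maps([line])
        return True
    except ValueError:
        return False


def mutate(table: List[int], dscp: int) -> int:
    """Apply the map to one incoming DSCP value."""
    return table[dscp]


# DSCP values this example treats as privileged (EF voice, CS6/CS7 network control).
PRIVILEGED = {46, 48, 56}


def promotions(table: List[int]) -> List[Tuple[int, int]]:
    """(in, out) pairs where a non-privileged incoming DSCP is mapped onto a
    privileged one, i.e. the neighbouring domain reaches our voice/control queues."""
    return [(i, o) for i, o in enumerate(table) if o in PRIVILEGED and i not in PRIVILEGED]


# The map from Step 2 of the procedure above.
PAGE_EXAMPLE = ["mls qos map dscp-mutation gigabitethernet1/0/2-mutation 10 11 12 13 to 30"]

if __name__ == "__main__":
    table = parse_mutation_maps(PAGE_EXAMPLE)["gigabitethernet1/0/2-mutation"]
    changed = [(i, o) for i, o in enumerate(table) if i != o]
    print("changed entries:", changed)          # [(10, 30), (11, 30), (12, 30), (13, 30)]
    print("promotions:", promotions(table))    # []
```

Feed it the mls qos map dscp-mutation lines from show running-config; an empty promotions list for every map applied to a border port is the result you want.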

Configuring a QoS Policy


Configuring a QoS policy typically requires the following tasks:
• Classifying traffic into classes
• Configuring policies applied to those traffic classes
• Attaching policies to ports

These sections describe how to classify, police, and mark traffic. Depending on your network configuration,
you must perform one or more of the modules in this section.
Related Topics
Policing and Marking Overview, on page 656
Classification Overview, on page 651

Classifying Traffic by Using ACLs


You can classify IP traffic by using IPv4 standard ACLs, IPv4 extended ACLs, or IPv6 ACLs.
You can classify non-IP traffic by using Layer 2 MAC ACLs.

Creating an IP Standard ACL for IPv4 Traffic

Before you begin
Before you perform this task, determine which access lists you will be using for your QoS configuration.

SUMMARY STEPS
1. configure terminal
2. access-list access-list-number {deny | permit} source [source-wildcard]
3. end
4. show access-lists
5. copy running-config startup-config

DETAILED STEPS

Step 1: configure terminal
Enters global configuration mode.
Example:
SwitchDevice# configure terminal

Step 2: access-list access-list-number {deny | permit} source [source-wildcard]
Creates an IP standard ACL, repeating the command as many times as necessary.
• For access-list-number, enter the access list number. The range is 1 to 99 and 1300 to 1999.
• Use the permit keyword to permit a certain type of traffic if the conditions are matched. Use the deny keyword to deny a certain type of traffic if the conditions are matched.
• For source, enter the network or host from which the packet is being sent. You can use the any keyword as an abbreviation for 0.0.0.0 255.255.255.255.
• (Optional) For source-wildcard, enter the wildcard bits in dotted decimal notation to be applied to the source. Place ones in the bit positions that you want to ignore.
When you create an access list, remember that by default the end of the access list contains an implicit deny statement for everything if it did not find a match before reaching the end.
Note: To delete an access list, use the no access-list access-list-number global configuration command.
Example:
SwitchDevice(config)# access-list 1 permit 192.2.255.0 1.1.1.255

Step 3: end
Returns to privileged EXEC mode.
Example:
SwitchDevice(config)# end

Step 4: show access-lists
Verifies your entries.
Example:
SwitchDevice# show access-lists

Step 5: copy running-config startup-config
(Optional) Saves your entries in the configuration file.
Example:
SwitchDevice# copy running-config startup-config

Related Topics
Access Control Lists, on page 654
QoS ACL Guidelines, on page 645
Examples: Classifying Traffic by Using ACLs, on page 733

Creating an IP Extended ACL for IPv4 Traffic

Before you begin


Before you perform this task, determine which access lists you will be using for your QoS configuration.

SUMMARY STEPS
1. configure terminal
2. access-list access-list-number {deny | permit} protocol source source-wildcard destination destination-wildcard
3. end
4. show access-lists
5. copy running-config startup-config

DETAILED STEPS

Step 1: configure terminal
Enters global configuration mode.
Example:
SwitchDevice# configure terminal

Step 2: access-list access-list-number {deny | permit} protocol source source-wildcard destination destination-wildcard
Creates an IP extended ACL, repeating the command as many times as necessary.
• For access-list-number, enter the access list number. The range is 100 to 199 and 2000 to 2699.
• Use the permit keyword to permit a certain type of traffic if the conditions are matched. Use the deny keyword to deny a certain type of traffic if the conditions are matched.
• For protocol, enter the name or number of an IP protocol. Use the question mark (?) to see a list of available protocol keywords.
• For source, enter the network or host from which the packet is being sent. You specify this by using dotted decimal notation, by using the any keyword as an abbreviation for source 0.0.0.0 source-wildcard 255.255.255.255, or by using the host keyword followed by the address, which is equivalent to a source-wildcard of 0.0.0.0.
• For source-wildcard, enter the wildcard bits in dotted decimal notation by placing ones in the bit positions that you want to ignore. No wildcard is entered when you use the any or host keyword.
• For destination, enter the network or host to which the packet is being sent. You have the same options for specifying the destination and destination-wildcard as those described for source and source-wildcard.
When creating an access list, remember that, by default, the end of the access list contains an implicit deny statement for everything if it did not find a match before reaching the end.
Note: To delete an access list, use the no access-list access-list-number global configuration command.
Example:
SwitchDevice(config)# access-list 100 permit ip any any dscp 32

Step 3: end
Returns to privileged EXEC mode.
Example:
SwitchDevice(config)# end

Step 4: show access-lists
Verifies your entries.
Example:
SwitchDevice# show access-lists

Step 5: copy running-config startup-config
(Optional) Saves your entries in the configuration file.
Example:
SwitchDevice# copy running-config startup-config

Related Topics
Access Control Lists, on page 654
QoS ACL Guidelines, on page 645
Examples: Classifying Traffic by Using ACLs, on page 733
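
Wildcard masks are the part of both the standard and the extended ACL procedures above that people most often get wrong, especially when the wildcard is not contiguous, as in the page's own access-list 1 example. The following Python evaluator is an added example for this page, not Cisco code: it parses the numbered standard and extended forms shown in the two procedures (the any, host and wildcard address forms and a numeric dscp keyword only), evaluates a list first-match, and applies the implicit deny the page describes. The sample entries are constructed; two of them are the examples from the procedures.

```python
"""First-match evaluator for numbered IPv4 standard and extended ACL entries,
with wildcard-mask semantics and the implicit deny. Added example, not Cisco code."""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

Addr = Tuple[int, int]            # (network, wildcard) as 32-bit ints
ANY: Addr = (0, 0xFFFFFFFF)
STANDARD = ((1, 99), (1300, 1999))
EXTENDED = ((100, 199), (2000, 2699))


@dataclass
class Ace:
    action: str                   # "permit" | "deny"
    proto: str                    # "ip" matches every IP protocol
    src: Addr
    dst: Addr
    dscp: Optional[int] = None    # numeric dscp keyword, if present


def _ip(tok: str) -> int:
    return int(ipaddress.IPv4Address(tok))


def _is_ip(tok: str) -> bool:
    try:
        ipaddress.IPv4Address(tok)
        return True
    except ValueError:
        return False


def _parse_addr(toks: List[str], i: int) -> Tuple[Addr, int]:
    """Parse 'any' | 'host A' | 'A [wildcard]' starting at toks[i]; return (spec, next index)."""
    if toks[i] == "any":
        return ANY, i + 1
    if toks[i] == "host":
        return (_ip(toks[i + 1]), 0), i + 2
    net = _ip(toks[i])
    if i + 1 < len(toks) and _is_ip(toks[i + 1]):
        return (net, _ip(toks[i + 1])), i + 2
    return (net, 0), i + 1        # standard ACL: an omitted wildcard means a single host


def _in(num: int, ranges) -> bool:
    return any(lo <= num <= hi for lo, hi in ranges)


def parse_acls(text: str) -> Dict[int, List[Ace]]:
    """Group 'access-list N ...' lines into {N: [Ace, ...]} in configuration order."""
    acls: Dict[int, List[Ace]] = {}
    for line in text.splitlines():
        toks = line.split()
        if len(toks) < 4 or toks[0] != "access-list":
            continue
        num, action = int(toks[1]), toks[2]
        if action not in ("permit", "deny"):
            raise ValueError(line)
        if _in(num, STANDARD):
            src, _ = _parse_addr(toks, 3)
            ace = Ace(action, "ip", src, ANY)
        elif _in(num, EXTENDED):
            src, i = _parse_addr(toks, 4)
            dst, i = _parse_addr(toks, i)
            dscp = int(toks[i + 1]) if i < len(toks) and toks[i] == "dscp" else None
            ace = Ace(action, toks[3], src, dst, dscp)
        else:
            raise ValueError(f"access-list number {num} is not a standard or extended range")
        acls.setdefault(num, []).append(ace)
    return acls


def _match(spec: Addr, addr: int) -> bool:
    net, wc = spec
    keep = ~wc & 0xFFFFFFFF       # a one in the wildcard is a 'don't care' bit
    return (addr & keep) == (net & keep)


def evaluate(acl: List[Ace], src: str, dst: str, proto: str = "ip", dscp: int = 0) -> str:
    """Return 'permit' or 'deny' for the first matching entry; implicit deny otherwise."""
    s, d = _ip(src), _ip(dst)
    for ace in acl:
        if ace.proto not in ("ip", proto):
            continue
        if not (_match(ace.src, s) and _match(ace.dst, d)):
            continue
        if ace.dscp is not None and ace.dscp != dscp:
            continue
        return ace.action
    return "deny"                 # implicit deny at the end of every access list


# Constructed entries: the two examples from the procedures above plus a two-line list.
SAMPLE_ACLS = """\
access-list 1 permit 192.2.255.0 1.1.1.255
access-list 100 permit ip any any dscp 32
access-list 101 permit tcp host 10.1.1.5 10.2.0.0 0.0.255.255
access-list 101 deny ip any any
"""

if __name__ == "__main__":
    acls = parse_acls(SAMPLE_ACLS)
    # The wildcard 1.1.1.255 ignores the low bit of the first three octets, so 193.3.254.7 matches too.
    for host in ("192.2.255.7", "193.3.254.7", "194.2.255.7"):
        print(host, evaluate(acls[1], host, "0.0.0.0"))   # permit, permit, deny
```

The middle host in the demonstration is the point: a wildcard of 1.1.1.255 does not mean "the 192.2.255.0/24 network", it also admits 193.3.254.x and five other prefixes, which is why an ACL used for classification deserves the same review as one used for filtering.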

Creating an IPv6 ACL for IPv6 Traffic

Before you begin


Before you perform this task, determine which access lists you will be using for your QoS configuration.

SUMMARY STEPS
1. configure terminal
2. ipv6 access-list access-list-name
3. {deny | permit} protocol {source-ipv6-prefix/prefix-length | any | host source-ipv6-address} [operator [port-number]] {destination-ipv6-prefix/prefix-length | any | host destination-ipv6-address} [operator [port-number]] [dscp value] [fragments] [log] [log-input] [routing] [sequence value] [time-range name]
4. end
5. show ipv6 access-list
6. copy running-config startup-config

DETAILED STEPS

Step 1: configure terminal
Enters global configuration mode.
Example:
SwitchDevice# configure terminal

Step 2: ipv6 access-list access-list-name
Creates an IPv6 ACL and enters IPv6 access-list configuration mode. Access list names cannot contain a space or quotation mark or begin with a numeral.
Note: To delete an access list, use the no ipv6 access-list access-list-name global configuration command.
Example:
SwitchDevice(config)# ipv6 access-list ipv6_Name_ACL

Step 3: {deny | permit} protocol {source-ipv6-prefix/prefix-length | any | host source-ipv6-address} [operator [port-number]] {destination-ipv6-prefix/prefix-length | any | host destination-ipv6-address} [operator [port-number]] [dscp value] [fragments] [log] [log-input] [routing] [sequence value] [time-range name]
Enters deny or permit to specify whether to deny or permit the packet if the conditions are matched. These are the conditions:
• For protocol, enter the name or number of an Internet protocol: ahp, esp, icmp, ipv6, pcp, sctp, tcp, or udp, or an integer in the range 0 to 255 representing an IPv6 protocol number.
• The source-ipv6-prefix/prefix-length or destination-ipv6-prefix/prefix-length is the source or destination IPv6 network or class of networks for which to set deny or permit conditions, specified in hexadecimal and using 16-bit values between colons (see RFC 2373).
• Enter any as an abbreviation for the IPv6 prefix ::/0.
• For host source-ipv6-address or destination-ipv6-address, enter the source or destination IPv6 host address for which to set deny or permit conditions, specified in hexadecimal using 16-bit values between colons.
• (Optional) For operator, specify an operand that compares the source or destination ports of the specified protocol. Operands are lt (less than), gt (greater than), eq (equal), neq (not equal), and range. If the operator follows the source-ipv6-prefix/prefix-length argument, it must match the source port. If the operator follows the destination-ipv6-prefix/prefix-length argument, it must match the destination port.
• (Optional) The port-number is a decimal number from 0 to 65535 or the name of a TCP or UDP port. You can use TCP port names only when filtering TCP. You can use UDP port names only when filtering UDP.
• (Optional) Enter dscp value to match a differentiated services code point value against the traffic class value in the Traffic Class field of each IPv6 packet header. The acceptable range is from 0 to 63.
• (Optional) Enter fragments to check noninitial fragments. This keyword is visible only if the protocol is ipv6.
• (Optional) Enter log to cause a logging message to be sent to the console about the packet that matches the entry. Enter log-input to include the input interface in the log entry. Logging is supported only for router ACLs.
• (Optional) Enter routing to specify that IPv6 packets be routed.
• (Optional) Enter sequence value to specify the sequence number for the access list statement. The acceptable range is from 1 to 4294967295.
• (Optional) Enter time-range name to specify the time range that applies to the deny or permit statement.
Example:
SwitchDevice(config-ipv6-acl)# permit ipv6 host 10::1 host 11::2

Step 4: end
Returns to privileged EXEC mode.
Example:
SwitchDevice(config-ipv6-acl)# end

Step 5: show ipv6 access-list
Verifies the access list configuration.
Example:
SwitchDevice# show ipv6 access-list

Step 6: copy running-config startup-config
(Optional) Saves your entries in the configuration file.
Example:
SwitchDevice# copy running-config startup-config

Related Topics
Access Control Lists, on page 654
QoS ACL Guidelines, on page 645
Examples: Classifying Traffic by Using ACLs, on page 733
QoS ACL IPv6 Guidelines

Creating a Layer 2 MAC ACL for Non-IP Traffic

Before you begin


Before you perform this task, determine that Layer 2 MAC access lists are required for your QoS configuration.

Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(3)E (Catalyst 3560-CX and 2960-CX Switches)
692
QoS
Creating a Layer 2 MAC ACL for Non-IP Traffic

SUMMARY STEPS
1. configure terminal
2. mac access-list extended name
3. {permit | deny} {any | host src-MAC-addr | src-MAC-addr mask} {any | host dst-MAC-addr | dst-MAC-addr mask} [type mask]
4. end
5. show access-lists [access-list-number | access-list-name]
6. copy running-config startup-config

DETAILED STEPS

Step 1 configure terminal
Enters global configuration mode.
Example:
SwitchDevice# configure terminal

Step 2 mac access-list extended name
Creates a Layer 2 MAC ACL by specifying the name of the list. After entering this command, the mode changes to extended MAC ACL configuration.
Note To delete an access list, use the no mac access-list extended access-list-name global configuration command.
Example:
SwitchDevice(config)# mac access-list extended maclist1

Step 3 {permit | deny} {any | host src-MAC-addr | src-MAC-addr mask} {any | host dst-MAC-addr | dst-MAC-addr mask} [type mask]
Specifies the type of traffic to permit or deny if the conditions are matched. Enter the command as many times as necessary; entries are evaluated in the order entered, and the first matching entry decides.
• For src-MAC-addr, enter the MAC address of the host from which the packet is being sent, in hexadecimal format (H.H.H). The any keyword is an abbreviation for source 0.0.0 with source-wildcard ffff.ffff.ffff (every source matches). The host keyword sets the wildcard to 0.0.0 (only that exact address matches).
• For mask, enter the wildcard bits by placing ones in the bit positions that you want to ignore.
• For dst-MAC-addr, enter the MAC address of the host to which the packet is being sent, in hexadecimal format (H.H.H). The any keyword is an abbreviation for destination 0.0.0 with destination-wildcard ffff.ffff.ffff; the host keyword sets the wildcard to 0.0.0.
• (Optional) For type mask, specify the Ethertype number of a packet with Ethernet II or SNAP encapsulation to identify the protocol of the packet. For type, the range is from 0 to 65535, typically specified in hexadecimal; well-known Ethertypes can also be entered by keyword (xns-idp in the example). For mask, enter the don't-care bits applied to the Ethertype before testing for a match.
When creating an access list, remember that, by default, the end of the access list contains an implicit deny statement for everything if it did not find a match before reaching the end. When the ACL is referenced from a QoS class map, a deny (explicit or implicit) only means that the packet is not classified by that class and goes on to the next class; it does not drop the packet. Use a port or VLAN ACL if you need to filter the traffic.
Example:
SwitchDevice(config-ext-macl)# permit 0001.0000.0001 0.0.0 0002.0000.0001 0.0.0
SwitchDevice(config-ext-macl)# permit 0001.0000.0002 0.0.0 0002.0000.0002 0.0.0 xns-idp

Step 4 end
Returns to privileged EXEC mode.
Example:
SwitchDevice(config-ext-macl)# end

Step 5 show access-lists [access-list-number | access-list-name]
Verifies your entries.
Example:
SwitchDevice# show access-lists

Step 6 copy running-config startup-config
(Optional) Saves your entries in the configuration file.
Example:
SwitchDevice# copy running-config startup-config

Related Topics
Access Control Lists, on page 654
QoS ACL Guidelines, on page 645
Examples: Classifying Traffic by Using ACLs, on page 733
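
The procedure above carried through as an added worked example. It is not taken from this guide: the ACL name, the MAC addresses and the protocol choices are assumptions chosen for illustration. The list classifies non-IP traffic three ways: an exact source and destination pair, every source that belongs to one vendor OUI (which is where the wildcard mask does the work), and one Ethertype from any station.

```cisco
! Added example: Layer 2 MAC ACL for non-IP traffic (name and addresses are illustrative)
configure terminal
mac access-list extended NONIP-CLASS
 ! Exact source and destination: host sets the wildcard to 0.0.0, every bit must match
 permit host 0001.0000.0001 host 0002.0000.0001
 ! Any source whose first 24 bits (the OUI 00-01-00) match: ones in the wildcard
 ! are the bits to ignore, so the low 24 bits of the address are don't-care
 permit 0001.0000.0000 0000.00ff.ffff any
 ! Any station sending XNS IDP frames; a keyword stands in for the Ethertype number
 permit any any xns-idp
 ! Everything else falls to the implicit deny at the end of the list. When this
 ! ACL is used for QoS classification that means "not in this class", not "dropped".
 end
! Verify the entries before referencing the list from a class map
show access-lists NONIP-CLASS
copy running-config startup-config
```

The OUI entry is the one worth checking in show access-lists before you go further: the second field is a wildcard, not a subnet-style mask, so writing ffff.ff00.0000 there would ignore the OUI and match on the low bits instead.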

Classifying Traffic by Using Class Maps


You use the class-map global configuration command to name and to isolate a specific traffic flow (or class)
from all other traffic. The class map defines the criteria to use to match against a specific traffic flow to further
classify it. Match statements can include criteria such as an ACL, IP precedence values, or DSCP values. The
match criterion is defined with one match statement entered within the class-map configuration mode.

Note You can also create class maps during policy map creation by using the class policy-map configuration
command.

SUMMARY STEPS
1. configure terminal
2. Use one of the following:
• access-list access-list-number {deny | permit} source [source-wildcard]
• access-list access-list-number {deny | permit} protocol source [source-wildcard] destination [destination-wildcard]
• ipv6 access-list access-list-name {deny | permit} protocol {source-ipv6-prefix/prefix-length | any | host source-ipv6-address} [operator [port-number]] {destination-ipv6-prefix/prefix-length | any | host destination-ipv6-address} [operator [port-number]] [dscp value] [fragments] [log] [log-input] [routing] [sequence value] [time-range name]
• mac access-list extended name {permit | deny} {any | host src-MAC-addr | src-MAC-addr mask} {any | host dst-MAC-addr | dst-MAC-addr mask} [type mask]
3. class-map [match-all | match-any] class-map-name
4. match {access-group acl-index-or-name | ip dscp dscp-list | ip precedence ip-precedence-list}
5. end
6. show class-map
7. copy running-config startup-config

DETAILED STEPS

Step 1 configure terminal
Enters global configuration mode.
Example:
SwitchDevice# configure terminal

Step 2 Use one of the following:
• access-list access-list-number {deny | permit} source [source-wildcard]
• access-list access-list-number {deny | permit} protocol source [source-wildcard] destination [destination-wildcard]
• ipv6 access-list access-list-name {deny | permit} protocol {source-ipv6-prefix/prefix-length | any | host source-ipv6-address} [operator [port-number]] {destination-ipv6-prefix/prefix-length | any | host destination-ipv6-address} [operator [port-number]] [dscp value] [fragments] [log] [log-input] [routing] [sequence value] [time-range name]
• mac access-list extended name {permit | deny} {any | host src-MAC-addr | src-MAC-addr mask} {any | host dst-MAC-addr | dst-MAC-addr mask} [type mask]
Creates an IP standard or extended ACL, an IPv6 ACL for IP traffic, or a Layer 2 MAC ACL for non-IP traffic, repeating the command as many times as necessary.
When creating an access list, remember that, by default, the end of the access list contains an implicit deny statement for everything if it did not find a match before reaching the end. For QoS classification, a deny (explicit or implicit) means that the packet is not classified by this class and is evaluated against the next class; it does not drop the packet.
Example:
SwitchDevice(config)# access-list 103 permit ip any any dscp 10

Step 3 class-map [match-all | match-any] class-map-name
Creates a class map, and enters class-map configuration mode. By default, no class maps are defined.
• (Optional) Use the match-all keyword to perform a logical-AND of all matching statements under this class map. All match criteria in the class map must be matched.
• (Optional) Use the match-any keyword to perform a logical-OR of all matching statements under this class map. One or more match criteria must be matched.
• For class-map-name, specify the name of the class map.
If neither the match-all nor the match-any keyword is specified, the default is match-all.
Note To delete an existing class map, use the no class-map [match-all | match-any] class-map-name global configuration command.
Example:
SwitchDevice(config)# class-map class1

Step 4 match {access-group acl-index-or-name | ip dscp dscp-list | ip precedence ip-precedence-list}
Defines the match criterion to classify traffic. By default, no match criterion is defined. Only one match criterion per class map is supported, and only one ACL per class map is supported.
• For access-group acl-index-or-name, specify the number or name of the ACL created in Step 2.
• To filter IPv6 traffic with the match access-group command, create an IPv6 ACL, as described in Step 2.
• For ip dscp dscp-list, enter a list of up to eight IP DSCP values to match against incoming packets. Separate each value with a space. The range is 0 to 63.
• For ip precedence ip-precedence-list, enter a list of up to eight IP-precedence values to match against incoming packets. Separate each value with a space. The range is 0 to 7.
Note To remove a match criterion, use the no match {access-group acl-index-or-name | ip dscp | ip precedence} class-map configuration command.
Example:
SwitchDevice(config-cmap)# match ip dscp 10 11 12

Step 5 end
Returns to privileged EXEC mode.
Example:
SwitchDevice(config-cmap)# end

Step 6 show class-map
Verifies your entries.
Example:
SwitchDevice# show class-map

Step 7 copy running-config startup-config
(Optional) Saves your entries in the configuration file.
Example:
SwitchDevice# copy running-config startup-config

Related Topics
Classifying, Policing, and Marking Traffic on Physical Ports by Using Policy Maps, on page 699
Classifying, Policing, and Marking Traffic on SVIs by Using Hierarchical Policy Maps
Examples: Classifying Traffic by Using Class Maps, on page 735

Classifying Traffic by Using Class Maps and Filtering IPv6 Traffic


To apply the primary match criteria to only IPv4 traffic, use the match protocol command with the ip keyword.
To apply the primary match criteria to only IPv6 traffic, use the match protocol command with the ipv6
keyword.

SUMMARY STEPS
1. configure terminal
2. class-map {match-all} class-map-name
3. match protocol [ip | ipv6]
4. match {ip dscp dscp-list | ip precedence ip-precedence-list}
5. end
6. show class-map
7. copy running-config startup-config

DETAILED STEPS

Step 1 configure terminal
Enters global configuration mode.
Example:
SwitchDevice# configure terminal

Step 2 class-map {match-all} class-map-name
Creates a class map, and enters class-map configuration mode. By default, no class maps are defined.
When you use the match protocol command, only the match-all keyword is supported.
• For class-map-name, specify the name of the class map.
If neither the match-all nor the match-any keyword is specified, the default is match-all.
Note To delete an existing class map, use the no class-map [match-all | match-any] class-map-name global configuration command.
Example:
SwitchDevice(config)# class-map cm-1

Step 3 match protocol [ip | ipv6]
(Optional) Specifies the IP protocol to which the class map applies:
• Use the ip argument to specify IPv4 traffic and ipv6 to specify IPv6 traffic.
• When you use the match protocol command, only the match-all keyword is supported for the class-map command.
Example:
SwitchDevice(config-cmap)# match protocol ip

Step 4 match {ip dscp dscp-list | ip precedence ip-precedence-list}
Defines the match criterion to classify traffic. By default, no match criterion is defined.
• For ip dscp dscp-list, enter a list of up to eight IP DSCP values to match against incoming packets. Separate each value with a space. The range is 0 to 63.
• For ip precedence ip-precedence-list, enter a list of up to eight IP-precedence values to match against incoming packets. Separate each value with a space. The range is 0 to 7.
Note To remove a match criterion, use the no match {access-group acl-index-or-name | ip dscp | ip precedence} class-map configuration command.
Example:
SwitchDevice(config-cmap)# match ip dscp 10

Step 5 end
Returns to privileged EXEC mode.
Example:
SwitchDevice(config-cmap)# end

Step 6 show class-map
Verifies your entries.
Example:
SwitchDevice# show class-map

Step 7 copy running-config startup-config
(Optional) Saves your entries in the configuration file.
Example:
SwitchDevice# copy running-config startup-config

Related Topics
Examples: Classifying Traffic by Using Class Maps, on page 735
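
Both class-map procedures above (ACL-based classification, and the IPv4/IPv6 split with match protocol) in one added example. It is not from this guide; the ACL numbers and names, the class names and the DSCP values are assumptions. A named ACL is referenced with the name keyword after access-group, a numbered one by its number.

```cisco
! Added example: three class maps (names, ACLs and values are illustrative)
configure terminal
! IPv4 classification ACL; a deny entry here would only keep traffic out of the class
access-list 103 permit ip any any dscp 10
! IPv6 classification ACL
ipv6 access-list V6-VOICE
 permit udp any any dscp 46
!
! Class 1: IPv4 traffic matched by ACL 103 (one ACL per class map)
class-map match-all CM-V4-ACL
 match access-group 103
!
! Class 2: IPv6 traffic matched by the named IPv6 ACL
class-map match-all CM-V6-ACL
 match access-group name V6-VOICE
!
! Class 3: DSCP 10, 11 or 12, but only in IPv6 packets. match protocol requires
! match-all, so the two lines are ANDed; IPv4 packets with DSCP 10 do not match here.
class-map match-all CM-V6-DSCP
 match protocol ipv6
 match ip dscp 10 11 12
 end
show class-map
```

None of these ACLs is attached to a port, so they filter nothing: a packet that misses every permit entry simply fails to enter that class and is tested against the next class in the policy map (or lands in class-default).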

Classifying, Policing, and Marking Traffic on Physical Ports by Using Policy Maps
You can configure a policy map on a physical port that specifies which traffic class to act on. Actions can
include trusting the CoS, DSCP, or IP precedence values in the traffic class; setting a specific DSCP or IP
precedence value in the traffic class; and specifying the traffic bandwidth limitations for each matched traffic
class (policer) and the action to take when the traffic is out of profile (marking).
A policy map also has these characteristics:
• A policy map can contain multiple class statements, each with different match criteria and policers.
• A policy map can contain a predefined default traffic class explicitly placed at the end of the map.
• A separate policy-map class can exist for each type of traffic received through a port.

Follow these guidelines when configuring policy maps on physical ports:


• You can attach only one policy map per ingress port.
• If you configure the IP-precedence-to-DSCP map by using the mls qos map ip-prec-dscp dscp1...dscp8
global configuration command, the settings only affect packets on ingress interfaces that are configured
to trust the IP precedence value. In a policy map, if you set the packet IP precedence value to a new value
by using the set ip precedence new-precedence policy-map class configuration command, the egress
DSCP value is not affected by the IP-precedence-to-DSCP map. If you want the egress DSCP value to
be different than the ingress value, use the set dscp new-dscp policy-map class configuration command.
• If you enter or have used the set ip dscp command, the switch changes this command to set dscp in its
configuration.
• You can use the set ip precedence or the set precedence policy-map class configuration command to
change the packet IP precedence value. This setting appears as set ip precedence in the switch
configuration.
• A policy-map and a port trust state can both run on a physical interface. The policy-map is applied before
the port trust state.
• When you configure a default traffic class by using the class class-default policy-map configuration
command, unclassified traffic (traffic that does not meet the match criteria specified in the traffic classes)
is treated as the default traffic class (class-default).


SUMMARY STEPS
1. configure terminal
2. class-map [match-all | match-any] class-map-name
3. policy-map policy-map-name
4. class [class-map-name | class-default]
5. trust [cos | dscp | ip-precedence]
6. set {dscp new-dscp | ip precedence new-precedence}
7. police rate-bps burst-byte [exceed-action {drop | policed-dscp-transmit}]
8. exit
9. exit
10. interface interface-id
11. service-policy input policy-map-name
12. end
13. show policy-map [policy-map-name [class class-map-name]]
14. copy running-config startup-config

DETAILED STEPS

Step 1 configure terminal
Enters global configuration mode.
Example:
SwitchDevice# configure terminal

Step 2 class-map [match-all | match-any] class-map-name
Creates a class map, and enters class-map configuration mode. By default, no class maps are defined.
• (Optional) Use the match-all keyword to perform a logical-AND of all matching statements under this class map. All match criteria in the class map must be matched.
• (Optional) Use the match-any keyword to perform a logical-OR of all matching statements under this class map. One or more match criteria must be matched.
• For class-map-name, specify the name of the class map.
If neither the match-all nor the match-any keyword is specified, the default is match-all.
Example:
SwitchDevice(config)# class-map ipclass1

Step 3 policy-map policy-map-name
Creates a policy map by entering the policy map name, and enters policy-map configuration mode. By default, no policy maps are defined.
The default behavior of a policy map is to set the DSCP to 0 if the packet is an IP packet and to set the CoS to 0 if the packet is tagged. No policing is performed.
Note To delete an existing policy map, use the no policy-map policy-map-name global configuration command.
Example:
SwitchDevice(config-cmap)# policy-map flowit

Step 4 class [class-map-name | class-default]
Defines a traffic classification, and enters policy-map class configuration mode. By default, no policy map class-maps are defined.
If a traffic class has already been defined by using the class-map global configuration command, specify its name for class-map-name in this command.
A class-default traffic class is predefined and can be added to any policy. It is always placed at the end of a policy map. With an implied match any included in the class-default class, all packets that have not already matched the other traffic classes will match class-default.
Note To delete an existing class map, use the no class class-map-name policy-map configuration command.
Example:
SwitchDevice(config-pmap)# class ipclass1

Step 5 trust [cos | dscp | ip-precedence]
Configures the trust state, which QoS uses to generate a CoS-based or DSCP-based QoS label.
This command is mutually exclusive with the set command within the same policy-map class. If you enter the trust command, skip Step 6 and go to Step 7.
By default, the port is not trusted. If no keyword is specified when the command is entered, the default is dscp. The keywords have these meanings:
• cos—QoS derives the DSCP value by using the received or default port CoS value and the CoS-to-DSCP map.
• dscp—QoS derives the DSCP value by using the DSCP value from the ingress packet. For non-IP packets that are tagged, QoS derives the DSCP value by using the received CoS value; for non-IP packets that are untagged, QoS derives the DSCP value by using the default port CoS value. In either case, the DSCP value is derived from the CoS-to-DSCP map.
• ip-precedence—QoS derives the DSCP value by using the IP precedence value from the ingress packet and the IP-precedence-to-DSCP map. For non-IP packets that are tagged, QoS derives the DSCP value by using the received CoS value; for non-IP packets that are untagged, QoS derives the DSCP value by using the default port CoS value. In either case, the DSCP value is derived from the CoS-to-DSCP map.
Trusting means that the switch honors whatever marking the sender put in the packet. Trust only ports that face devices you control (IP phones, other switches in the same QoS domain). On ports that face end hosts, leave the class untrusted and mark with set (Step 6), so that a host cannot place its own traffic into a higher-priority queue by sending pre-marked packets.
Note To return to the untrusted state, use the no trust policy-map configuration command.
Example:
SwitchDevice(config-pmap-c)# trust dscp

Step 6 set {dscp new-dscp | ip precedence new-precedence}
Classifies IP traffic by setting a new value in the packet.
• For dscp new-dscp, enter a new DSCP value to be assigned to the classified traffic. The range is 0 to 63.
• For ip precedence new-precedence, enter a new IP-precedence value to be assigned to the classified traffic. The range is 0 to 7.
Note To remove an assigned DSCP or IP precedence value, use the no set {dscp new-dscp | ip precedence new-precedence} policy-map configuration command.
Example:
SwitchDevice(config-pmap-c)# set dscp 45

Step 7 police rate-bps burst-byte [exceed-action {drop | policed-dscp-transmit}]
Defines a policer for the classified traffic. By default, no policer is defined.
• For rate-bps, specify the average traffic rate in bits per second (b/s). The range is 8000 to 10000000000.
• For burst-byte, specify the normal burst size in bytes. The range is 8000 to 1000000.
• (Optional) Specifies the action to take when the rate is exceeded. Use the exceed-action drop keywords to drop the packet. Use the exceed-action policed-dscp-transmit keywords to mark down the DSCP value (by using the policed-DSCP map) and to send the packet.
Note To remove an existing policer, use the no police rate-bps burst-byte [exceed-action {drop | policed-dscp-transmit}] policy-map configuration command.
Example:
SwitchDevice(config-pmap-c)# police 100000 80000 exceed-action drop

Step 8 exit
Returns to policy-map configuration mode.
Example:
SwitchDevice(config-pmap-c)# exit

Step 9 exit
Returns to global configuration mode.
Example:
SwitchDevice(config-pmap)# exit

Step 10 interface interface-id
Specifies the port to attach to the policy map, and enters interface configuration mode. Valid interfaces include physical ports.
Example:
SwitchDevice(config)# interface gigabitethernet 2/0/1

Step 11 service-policy input policy-map-name
Specifies the policy-map name, and applies it to an ingress port. Only one policy map per ingress port is supported.
Note To remove the policy map and port association, use the no service-policy input policy-map-name interface configuration command.
Example:
SwitchDevice(config-if)# service-policy input flowit

Step 12 end
Returns to privileged EXEC mode.
Example:
SwitchDevice(config-if)# end

Step 13 show policy-map [policy-map-name [class class-map-name]]
Verifies your entries.
Example:
SwitchDevice# show policy-map

Step 14 copy running-config startup-config
(Optional) Saves your entries in the configuration file.
Example:
SwitchDevice# copy running-config startup-config

Related Topics
Policing and Marking Overview, on page 656
Physical Port Policing, on page 656
Classifying Traffic by Using Class Maps, on page 694
Policy Map on Physical Port Guidelines
Examples: Classifying, Policing, and Marking Traffic on Physical Ports Using Policy Maps, on page 736
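
The whole procedure above as one added example that is not part of this guide; the subnet, port range, names, rates and the interface are assumptions. The port faces end hosts, so the policy never uses trust: voice traffic identified by an ACL is re-marked to DSCP 46 and policed, with excess marked down through the policed-DSCP map and forwarded, while everything else is forced to DSCP 0 and capped. A host on this port gains nothing by sending packets that are already marked DSCP 46.

```cisco
! Added example: ingress policy map on an untrusted access port (values are illustrative)
configure terminal
! QoS is disabled by default on these switches; nothing below takes effect without this
mls qos
! Classification ACL: phones live in 10.10.20.0/24 and use RTP ports 16384-32767
access-list 110 permit udp 10.10.20.0 0.0.0.255 any range 16384 32767
!
class-map match-all CM-VOICE
 match access-group 110
!
policy-map PM-ACCESS-IN
 class CM-VOICE
  ! Re-mark rather than trust: the sender's own DSCP is ignored
  set dscp 46
  ! 1 Mb/s average with a 16000-byte burst; out-of-profile voice is marked down
  ! via the policed-DSCP map and still forwarded
  police 1000000 16000 exceed-action policed-dscp-transmit
 class class-default
  ! Everything else: best effort, and a hard cap so a flood from this port is dropped here
  set dscp 0
  police 10000000 100000 exceed-action drop
!
interface gigabitethernet 1/0/1
 ! Only one ingress policy map per physical port
 service-policy input PM-ACCESS-IN
 end
show policy-map PM-ACCESS-IN
show mls qos interface gigabitethernet 1/0/1 policers
```

The policed-dscp-transmit action is only as good as the policed-DSCP map: the default map is a null map, so until you add an entry for DSCP 46 (see Configuring the Policed-DSCP Map) excess voice keeps DSCP 46 and the policer changes nothing about it.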


Classifying, Policing, and Marking Traffic by Using Aggregate Policers


By using an aggregate policer, you can create a policer that is shared by multiple traffic classes within the
same policy map. However, you cannot use the aggregate policer across different policy maps or ports.
You can configure aggregate policers only in nonhierarchical policy maps on physical ports.

SUMMARY STEPS
1. configure terminal
2. mls qos aggregate-policer aggregate-policer-name rate-bps burst-byte exceed-action {drop | policed-dscp-transmit}
3. class-map [match-all | match-any] class-map-name
4. policy-map policy-map-name
5. class [class-map-name | class-default]
6. police aggregate aggregate-policer-name
7. exit
8. interface interface-id
9. service-policy input policy-map-name
10. end
11. show mls qos aggregate-policer [aggregate-policer-name]
12. copy running-config startup-config

DETAILED STEPS

Step 1 configure terminal
Enters global configuration mode.
Example:
SwitchDevice# configure terminal

Step 2 mls qos aggregate-policer aggregate-policer-name rate-bps burst-byte exceed-action {drop | policed-dscp-transmit}
Defines the policer parameters that can be applied to multiple traffic classes within the same policy map. By default, no aggregate policer is defined.
• For aggregate-policer-name, specify the name of the aggregate policer.
• For rate-bps, specify the average traffic rate in bits per second (b/s). The range is 8000 to 10000000000.
• For burst-byte, specify the normal burst size in bytes. The range is 8000 to 1000000.
• Specifies the action to take when the rate is exceeded. Use the exceed-action drop keywords to drop the packet. Use the exceed-action policed-dscp-transmit keywords to mark down the DSCP value (by using the policed-DSCP map) and to send the packet.
Example:
SwitchDevice(config)# mls qos aggregate-policer transmit1 48000 8000 exceed-action policed-dscp-transmit

Step 3 class-map [match-all | match-any] class-map-name
Creates a class map to classify traffic as necessary.
Example:
SwitchDevice(config)# class-map ipclass1

Step 4 policy-map policy-map-name
Creates a policy map by entering the policy map name, and enters policy-map configuration mode.
Example:
SwitchDevice(config-cmap)# policy-map aggflow1

Step 5 class [class-map-name | class-default]
Defines a traffic classification, and enters policy-map class configuration mode.
Example:
SwitchDevice(config-pmap)# class ipclass1

Step 6 police aggregate aggregate-policer-name
Applies an aggregate policer to multiple classes in the same policy map. For aggregate-policer-name, enter the name specified in Step 2. Repeat Steps 5 and 6 for each class that is to share the policer.
To remove the specified aggregate policer from a policy map, use the no police aggregate aggregate-policer-name policy-map class configuration command. To delete an aggregate policer and its parameters, use the no mls qos aggregate-policer aggregate-policer-name global configuration command.
Example:
SwitchDevice(config-pmap-c)# police aggregate transmit1

Step 7 exit
Returns to policy-map configuration mode; enter exit again to return to global configuration mode.
Example:
SwitchDevice(config-pmap-c)# exit

Step 8 interface interface-id
Specifies the port to attach to the policy map, and enters interface configuration mode. Valid interfaces include physical ports.
Example:
SwitchDevice(config)# interface gigabitethernet 2/0/1

Step 9 service-policy input policy-map-name
Specifies the policy-map name, and applies it to an ingress port. Only one policy map per ingress port is supported.
Example:
SwitchDevice(config-if)# service-policy input aggflow1

Step 10 end
Returns to privileged EXEC mode.
Example:
SwitchDevice(config-if)# end

Step 11 show mls qos aggregate-policer [aggregate-policer-name]
Verifies your entries.
Example:
SwitchDevice# show mls qos aggregate-policer transmit1

Step 12 copy running-config startup-config
(Optional) Saves your entries in the configuration file.
Example:
SwitchDevice# copy running-config startup-config

Related Topics
Policing and Marking Overview, on page 656
Examples: Classifying, Policing, and Marking Traffic by Using Aggregate Policers, on page 739
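
The aggregate-policer procedure above as an added example (not from this guide; the ACLs, names, rate and interface are assumptions). Two management protocols are classified separately but share one policer, so it is their combined rate that is held to 48 kb/s; with two ordinary police statements each class would get 48 kb/s of its own. The same aggregate policer cannot be referenced from a second policy map or port.

```cisco
! Added example: one token bucket shared by two classes of one policy map (values are illustrative)
configure terminal
mls qos
! Shared policer: 48 kb/s average, 8000-byte burst, excess dropped
mls qos aggregate-policer AGG-MGMT 48000 8000 exceed-action drop
!
access-list 120 permit udp any any eq snmp
access-list 121 permit tcp any any eq 22
class-map match-all CM-SNMP
 match access-group 120
class-map match-all CM-SSH
 match access-group 121
!
policy-map PM-MGMT-IN
 class CM-SNMP
  police aggregate AGG-MGMT
 class CM-SSH
  ! Same name: SNMP and SSH draw from the same bucket
  police aggregate AGG-MGMT
!
interface gigabitethernet 1/0/2
 service-policy input PM-MGMT-IN
 end
! Shows the policer's parameters and the policy map that uses it
show mls qos aggregate-policer AGG-MGMT
```

Use no police aggregate AGG-MGMT under a class to take that class out of the shared bucket; no mls qos aggregate-policer AGG-MGMT removes the policer itself.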

Configuring DSCP Maps


Related Topics
Mapping Tables Overview, on page 658

Configuring the CoS-to-DSCP Map


You use the CoS-to-DSCP map to map CoS values in incoming packets to a DSCP value that QoS uses
internally to represent the priority of the traffic.
Beginning in privileged EXEC mode, follow these steps to modify the CoS-to-DSCP map. This procedure is
optional.

SUMMARY STEPS
1. configure terminal
2. mls qos map cos-dscp dscp1...dscp8
3. end
4. show mls qos maps cos-dscp
5. copy running-config startup-config

DETAILED STEPS

Step 1 configure terminal
Enters global configuration mode.
Example:
SwitchDevice# configure terminal

Step 2 mls qos map cos-dscp dscp1...dscp8
Modifies the CoS-to-DSCP map. For dscp1...dscp8, enter eight DSCP values that correspond to CoS values 0 to 7. Separate each DSCP value with a space. The DSCP range is 0 to 63.
Note To return to the default map, use the no mls qos map cos-dscp global configuration command.
Example:
SwitchDevice(config)# mls qos map cos-dscp 10 15 20 25 30 35 40 45

Step 3 end
Returns to privileged EXEC mode.
Example:
SwitchDevice(config)# end

Step 4 show mls qos maps cos-dscp
Verifies your entries.
Example:
SwitchDevice# show mls qos maps cos-dscp

Step 5 copy running-config startup-config
(Optional) Saves your entries in the configuration file.
Example:
SwitchDevice# copy running-config startup-config

Related Topics
Default CoS-to-DSCP Map, on page 673
Configuring the Trust State on Ports Within the QoS Domain, on page 676
Examples: Configuring DSCP Maps, on page 740

Configuring the IP-Precedence-to-DSCP Map


You use the IP-precedence-to-DSCP map to map IP precedence values in incoming packets to a DSCP value
that QoS uses internally to represent the priority of the traffic.
Beginning in privileged EXEC mode, follow these steps to modify the IP-precedence-to-DSCP map. This
procedure is optional.


SUMMARY STEPS
1. configure terminal
2. mls qos map ip-prec-dscp dscp1...dscp8
3. end
4. show mls qos maps ip-prec-dscp
5. copy running-config startup-config

DETAILED STEPS

Step 1 configure terminal
Enters global configuration mode.
Example:
SwitchDevice# configure terminal

Step 2 mls qos map ip-prec-dscp dscp1...dscp8
Modifies the IP-precedence-to-DSCP map. For dscp1...dscp8, enter eight DSCP values that correspond to the IP precedence values 0 to 7. Separate each DSCP value with a space. The DSCP range is 0 to 63.
Note To return to the default map, use the no mls qos map ip-prec-dscp global configuration command.
Example:
SwitchDevice(config)# mls qos map ip-prec-dscp 10 15 20 25 30 35 40 45

Step 3 end
Returns to privileged EXEC mode.
Example:
SwitchDevice(config)# end

Step 4 show mls qos maps ip-prec-dscp
Verifies your entries.
Example:
SwitchDevice# show mls qos maps ip-prec-dscp

Step 5 copy running-config startup-config
(Optional) Saves your entries in the configuration file.
Example:
SwitchDevice# copy running-config startup-config

Related Topics
Default IP-Precedence-to-DSCP Map, on page 674
Examples: Configuring DSCP Maps, on page 740


Configuring the Policed-DSCP Map


You use the policed-DSCP map to mark down a DSCP value to a new value as the result of a policing and
marking action.
The default policed-DSCP map is a null map, which maps an incoming DSCP value to the same DSCP value.
Beginning in privileged EXEC mode, follow these steps to modify the policed-DSCP map. This procedure
is optional.

SUMMARY STEPS
1. configure terminal
2. mls qos map policed-dscp dscp-list to mark-down-dscp
3. end
4. show mls qos maps policed-dscp
5. copy running-config startup-config

DETAILED STEPS

Step 1 configure terminal
Enters global configuration mode.
Example:
SwitchDevice# configure terminal

Step 2 mls qos map policed-dscp dscp-list to mark-down-dscp
Modifies the policed-DSCP map.
• For dscp-list, enter up to eight DSCP values separated by spaces. Then enter the to keyword.
• For mark-down-dscp, enter the corresponding policed (marked-down) DSCP value.
Note To return to the default map, use the no mls qos map policed-dscp global configuration command.
Example:
SwitchDevice(config)# mls qos map policed-dscp 50 51 52 53 54 55 56 57 to 0

Step 3 end
Returns to privileged EXEC mode.
Example:
SwitchDevice(config)# end

Step 4 show mls qos maps policed-dscp
Verifies your entries.
Example:
SwitchDevice# show mls qos maps policed-dscp

Step 5 copy running-config startup-config
(Optional) Saves your entries in the configuration file.
Example:
SwitchDevice# copy running-config startup-config

Related Topics
Default CoS-to-DSCP Map, on page 673
Default IP-Precedence-to-DSCP Map, on page 674
Default DSCP-to-CoS Map, on page 674
Examples: Configuring DSCP Maps, on page 740

Configuring the DSCP-to-CoS Map


You use the DSCP-to-CoS map to generate a CoS value, which is used to select one of the four egress queues.
Beginning in privileged EXEC mode, follow these steps to modify the DSCP-to-CoS map. This procedure is
optional.

SUMMARY STEPS
1. configure terminal
2. mls qos map dscp-cos dscp-list to cos
3. end
4. show mls qos maps dscp-cos
5. copy running-config startup-config

DETAILED STEPS

Step 1 configure terminal
Enters global configuration mode.
Example:
SwitchDevice# configure terminal

Step 2 mls qos map dscp-cos dscp-list to cos
Modifies the DSCP-to-CoS map.
• For dscp-list, enter up to eight DSCP values separated by spaces. Then enter the to keyword.
• For cos, enter the CoS value to which the DSCP values correspond.
The DSCP range is 0 to 63; the CoS range is 0 to 7.
Note To return to the default map, use the no mls qos map dscp-cos global configuration command.
Example:
SwitchDevice(config)# mls qos map dscp-cos 0 8 16 24 32 40 48 50 to 0

Step 3 end
Returns to privileged EXEC mode.
Example:
SwitchDevice(config)# end

Step 4 show mls qos maps dscp-cos
Verifies your entries.
Example:
SwitchDevice# show mls qos maps dscp-cos

Step 5 copy running-config startup-config
(Optional) Saves your entries in the configuration file.
Example:
SwitchDevice# copy running-config startup-config

Related Topics
Default DSCP-to-CoS Map, on page 674
Examples: Configuring DSCP Maps, on page 740

Configuring the DSCP-to-DSCP-Mutation Map


If two QoS domains have different DSCP definitions, use the DSCP-to-DSCP-mutation map to translate one
set of DSCP values to match the definition of another domain. You apply the DSCP-to-DSCP-mutation map
to the receiving port (ingress mutation) at the boundary of a QoS administrative domain.
With ingress mutation, the new DSCP value overwrites the one in the packet, and QoS applies the new value
to the packet. The switch sends the packet out the port with the new DSCP value.
You can configure multiple DSCP-to-DSCP-mutation maps on an ingress port. The default
DSCP-to-DSCP-mutation map is a null map, which maps an incoming DSCP value to the same DSCP value.
Beginning in privileged EXEC mode, follow these steps to modify the DSCP-to-DSCP-mutation map. This
procedure is optional.

SUMMARY STEPS
1. configure terminal
2. mls qos map dscp-mutation dscp-mutation-name in-dscp to out-dscp
3. interface interface-id
4. mls qos trust dscp
5. mls qos dscp-mutation dscp-mutation-name
6. end
7. show mls qos maps dscp-mutation
8. copy running-config startup-config

DETAILED STEPS

Step 1 configure terminal
Purpose: Enters the global configuration mode.
Example:
SwitchDevice# configure terminal

Step 2 mls qos map dscp-mutation dscp-mutation-name in-dscp to out-dscp
Purpose: Modifies the DSCP-to-DSCP-mutation map.
• For dscp-mutation-name, enter the mutation map name. You can create more than one map by specifying a new name.
• For in-dscp, enter up to eight DSCP values separated by spaces. Then enter the to keyword.
• For out-dscp, enter a single DSCP value.
The DSCP range is 0 to 63.
Note To return to the default map, use the no mls qos map dscp-mutation dscp-mutation-name global configuration command.
Example:
SwitchDevice(config)# mls qos map dscp-mutation mutation1 1 2 3 4 5 6 7 to 0

Step 3 interface interface-id
Purpose: Specifies the port to which to attach the map, and enters interface configuration mode. Valid interfaces include physical ports.
Example:
SwitchDevice(config)# interface gigabitethernet1/0/1

Step 4 mls qos trust dscp
Purpose: Configures the ingress port as a DSCP-trusted port. By default, the port is not trusted.
Example:
SwitchDevice(config-if)# mls qos trust dscp

Step 5 mls qos dscp-mutation dscp-mutation-name
Purpose: Applies the map to the specified ingress DSCP-trusted port. For dscp-mutation-name, enter the mutation map name specified in Step 2.
Example:
SwitchDevice(config-if)# mls qos dscp-mutation mutation1

Step 6 end
Purpose: Returns to privileged EXEC mode.
Example:
SwitchDevice(config-if)# end

Step 7 show mls qos maps dscp-mutation
Purpose: Verifies your entries.
Example:
SwitchDevice# show mls qos maps dscp-mutation

Step 8 copy running-config startup-config
Purpose: (Optional) Saves your entries in the configuration file.
Example:
SwitchDevice# copy running-config startup-config

Related Topics
Examples: Configuring DSCP Maps, on page 740
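The ingress handling from the two procedures above (DSCP-to-CoS map, and DSCP-to-DSCP mutation on a DSCP-trusted port at a QoS domain boundary), modelled in Python as an added example that is not code from the guide: it parses the two map commands with their eight-value limit and ranges, then shows a port with mutation1 attached rewriting the incoming DSCP before the CoS lookup. The function names and the port-field names (trust_dscp, dscp_mutation) are my own.

```python
"""Model of the ingress DSCP handling described above: an optional
DSCP-to-DSCP-mutation map on a DSCP-trusted port at the boundary of a QoS
domain, followed by the DSCP-to-CoS lookup that yields the CoS used for
egress queue selection. Added example, not Cisco code; the map defaults
follow the guide, the function and port-field names are my own."""

DSCP_MAX, COS_MAX, MAX_VALUES_PER_COMMAND = 63, 7, 8


def _parse_values(tokens, upper, what):
    """Validate a value list: 1 to 8 integers, each in 0..upper."""
    if not 1 <= len(tokens) <= MAX_VALUES_PER_COMMAND:
        raise ValueError(f"{what}: enter 1 to {MAX_VALUES_PER_COMMAND} values, got {len(tokens)}")
    values = [int(t) for t in tokens]
    bad = [v for v in values if not 0 <= v <= upper]
    if bad:
        raise ValueError(f"{what}: values outside 0..{upper}: {bad}")
    return values


def default_dscp_to_cos():
    """Default DSCP-to-CoS map: DSCP 0-7 -> CoS 0, 8-15 -> CoS 1, ..., 56-63 -> CoS 7."""
    return {dscp: dscp // 8 for dscp in range(DSCP_MAX + 1)}


def null_mutation_map():
    """Default (null) mutation map: every incoming DSCP maps to itself."""
    return {dscp: dscp for dscp in range(DSCP_MAX + 1)}


def apply_map_command(dscp_to_cos, mutation_maps, line):
    """Apply one 'mls qos map ...' global configuration command, for example
    'mls qos map dscp-cos 0 8 16 24 32 40 48 50 to 0' or
    'mls qos map dscp-mutation mutation1 1 2 3 4 5 6 7 to 0'."""
    tokens = line.split()
    if tokens[:3] != ["mls", "qos", "map"] or "to" not in tokens:
        raise ValueError(f"unsupported command: {line}")
    to = tokens.index("to")
    if tokens[3] == "dscp-cos":
        dscps = _parse_values(tokens[4:to], DSCP_MAX, "dscp-list")
        cos = _parse_values(tokens[to + 1:], COS_MAX, "cos")
        if len(cos) != 1:
            raise ValueError("cos: enter a single CoS value")
        for dscp in dscps:
            dscp_to_cos[dscp] = cos[0]
    elif tokens[3] == "dscp-mutation":
        name = tokens[4]
        in_dscps = _parse_values(tokens[5:to], DSCP_MAX, "in-dscp")
        out = _parse_values(tokens[to + 1:], DSCP_MAX, "out-dscp")
        if len(out) != 1:
            raise ValueError("out-dscp: enter a single DSCP value")
        # A new name creates a new map, which starts out as the null map.
        mutation = mutation_maps.setdefault(name, null_mutation_map())
        for dscp in in_dscps:
            mutation[dscp] = out[0]
    else:
        raise ValueError(f"unsupported map type: {tokens[3]}")


def ingress_dscp_to_cos(dscp_in, port, dscp_to_cos, mutation_maps):
    """Return (DSCP after ingress mutation, CoS selected from it) for one packet.
    port is a dict with 'trust_dscp' (bool) and 'dscp_mutation' (map name or
    None), mirroring 'mls qos trust dscp' and 'mls qos dscp-mutation <name>'.
    Mutation applies only on a DSCP-trusted port that has a map attached; what
    an untrusted port does to the marking is outside this model."""
    if not 0 <= dscp_in <= DSCP_MAX:
        raise ValueError(f"DSCP {dscp_in} outside 0..{DSCP_MAX}")
    dscp = dscp_in
    if port.get("trust_dscp") and port.get("dscp_mutation"):
        dscp = mutation_maps[port["dscp_mutation"]][dscp]  # overwrites the packet's DSCP
    return dscp, dscp_to_cos[dscp]
```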

Configuring Ingress Queue Characteristics


Depending on the complexity of your network and your QoS solution, you might need to perform all of the
tasks in the next modules. You need to make decisions about these characteristics:
• Which packets are assigned (by DSCP or CoS value) to each queue?
• What drop percentage thresholds apply to each queue, and which CoS or DSCP values map to each
threshold?
• How much of the available buffer space is allocated between the queues?
• How much of the available bandwidth is allocated between the queues?
• Is there traffic (such as voice) that should be given high priority?

Related Topics
Priority Queueing, on page 664
Ingress Port Activity

Mapping DSCP or CoS Values to an Ingress Queue and Setting WTD Thresholds
You can prioritize traffic by placing packets with particular DSCPs or CoSs into certain queues and adjusting
the queue thresholds so that packets with lower priorities are dropped.
Beginning in privileged EXEC mode, follow these steps to map DSCP or CoS values to an ingress queue and
to set WTD thresholds. This procedure is optional.

SUMMARY STEPS
1. configure terminal
2. Use one of the following:
• mls qos srr-queue input dscp-map queue queue-id threshold threshold-id dscp1...dscp8
• mls qos srr-queue input cos-map queue queue-id threshold threshold-id cos1...cos8

3. mls qos srr-queue input threshold queue-id threshold-percentage1 threshold-percentage2


4. end
5. show mls qos maps
6. copy running-config startup-config

DETAILED STEPS

Step 1 configure terminal
Purpose: Enters global configuration mode.
Example:
SwitchDevice# configure terminal

Step 2 Use one of the following:
• mls qos srr-queue input dscp-map queue queue-id threshold threshold-id dscp1...dscp8
• mls qos srr-queue input cos-map queue queue-id threshold threshold-id cos1...cos8
Purpose: Maps DSCP or CoS values to an ingress queue and to a threshold ID.
By default, DSCP values 0–39 and 48–63 are mapped to queue 1 and threshold 1. DSCP values 40–47 are mapped to queue 2 and threshold 1.
By default, CoS values 0–4, 6, and 7 are mapped to queue 1 and threshold 1. CoS value 5 is mapped to queue 2 and threshold 1.
• For queue-id, the range is 1 to 2.
• For threshold-id, the range is 1 to 3. The drop-threshold percentage for threshold 3 is predefined. It is set to the queue-full state.
• For dscp1...dscp8, enter up to eight values, and separate each value with a space. The range is 0 to 63.
• For cos1...cos8, enter up to eight values, and separate each value with a space. The range is 0 to 7.
Example:
SwitchDevice(config)# mls qos srr-queue input dscp-map queue 1 threshold 2 20 21 22 23 24 25 26

Step 3 mls qos srr-queue input threshold queue-id threshold-percentage1 threshold-percentage2
Purpose: Assigns the two WTD threshold percentages (for thresholds 1 and 2) to an ingress queue. By default, both thresholds are set to 100 percent.
• For queue-id, the range is 1 to 2.
• For threshold-percentage1 threshold-percentage2, the range is 1 to 100. Separate each value with a space.
Each threshold value is a percentage of the total number of queue descriptors allocated for the queue.
Example:
SwitchDevice(config)# mls qos srr-queue input threshold 1 50 70

Step 4 end
Purpose: Returns to privileged EXEC mode.
Example:
SwitchDevice(config)# end

Step 5 show mls qos maps
Purpose: Verifies your entries.
The DSCP input queue threshold map appears as a matrix. The d1 column specifies the most-significant digit of the DSCP number; the d2 row specifies the least-significant digit in the DSCP number. The intersection of the d1 and the d2 values provides the queue ID and threshold ID; for example, queue 2 and threshold 1 (02-01).
The CoS input queue threshold map shows the CoS value in the top row and the corresponding queue ID and threshold ID in the second row; for example, queue 2 and threshold 2 (2-2).
Example:
SwitchDevice# show mls qos maps

Step 6 copy running-config startup-config
Purpose: (Optional) Saves your entries in the configuration file.
To return to the default CoS input queue threshold map or the default DSCP input queue threshold map, use the no mls qos srr-queue input cos-map or the no mls qos srr-queue input dscp-map global configuration command.
To return to the default WTD threshold percentages, use the no mls qos srr-queue input threshold queue-id global configuration command.
Example:
SwitchDevice# copy running-config startup-config

Related Topics
Queueing and Scheduling on Ingress Queues
Weighted Tail Drop, on page 660

Allocating Buffer Space Between the Ingress Queues


You define the ratio (allocate the amount of space) with which to divide the ingress buffers between the two
queues. The buffer and the bandwidth allocation control how much data can be buffered before packets are
dropped.
Beginning in privileged EXEC mode, follow these steps to allocate the buffers between the ingress queues.
This procedure is optional.

SUMMARY STEPS
1. configure terminal
2. mls qos srr-queue input buffers percentage1 percentage2
3. end
4. Use one of the following:
• show mls qos interface buffer
• show mls qos input-queue
5. copy running-config startup-config

DETAILED STEPS

Step 1 configure terminal
Purpose: Enters the global configuration mode.
Example:
SwitchDevice# configure terminal

Step 2 mls qos srr-queue input buffers percentage1 percentage2
Purpose: Allocates the buffers between the ingress queues.
By default, 90 percent of the buffers are allocated to queue 1, and 10 percent of the buffers are allocated to queue 2.
For percentage1 percentage2, the range is 0 to 100. Separate each value with a space.
You should allocate the buffers so that the queues can handle any incoming bursty traffic.
Example:
SwitchDevice(config)# mls qos srr-queue input buffers 60 40

Step 3 end
Purpose: Returns to privileged EXEC mode.
Example:
SwitchDevice(config)# end

Step 4 Use one of the following:
• show mls qos interface buffer
• show mls qos input-queue
Purpose: Verifies your entries.
Example:
SwitchDevice# show mls qos interface buffer
or
SwitchDevice# show mls qos input-queue

Step 5 copy running-config startup-config
Purpose: (Optional) Saves your entries in the configuration file.
To return to the default setting, use the no mls qos srr-queue input buffers global configuration command.
Example:
SwitchDevice# copy running-config startup-config

Related Topics
Queueing and Scheduling on Ingress Queues
Examples: Configuring Ingress Queue Characteristics, on page 742

Allocating Bandwidth Between the Ingress Queues


You need to specify how much of the available bandwidth is allocated between the ingress queues. The ratio
of the weights is the ratio of the frequency in which the SRR scheduler sends packets from each queue. The
bandwidth and the buffer allocation control how much data can be buffered before packets are dropped. On
ingress queues, SRR operates only in shared mode.
Beginning in privileged EXEC mode, follow these steps to allocate bandwidth between the ingress queues.
This procedure is optional.

SUMMARY STEPS
1. configure terminal
2. mls qos srr-queue input bandwidth weight1 weight2
3. end
4. Use one of the following:
• show mls qos interface queueing
• show mls qos input-queue
5. copy running-config startup-config

DETAILED STEPS

Step 1 configure terminal
Purpose: Enters the global configuration mode.
Example:
SwitchDevice# configure terminal

Step 2 mls qos srr-queue input bandwidth weight1 weight2
Purpose: Assigns shared round robin weights to the ingress queues.
The default setting for weight1 and weight2 is 4 (1/2 of the bandwidth is equally shared between the two queues).
For weight1 and weight2, the range is 1 to 100. Separate each value with a space.
SRR services the priority queue for its configured weight as specified by the bandwidth keyword in the mls qos srr-queue input priority-queue queue-id bandwidth weight global configuration command. Then, SRR shares the remaining bandwidth with both ingress queues and services them as specified by the weights configured with the mls qos srr-queue input bandwidth weight1 weight2 global configuration command.
Example:
SwitchDevice(config)# mls qos srr-queue input bandwidth 25 75

Step 3 end
Purpose: Returns to privileged EXEC mode.
Example:
SwitchDevice(config)# end

Step 4 Use one of the following:
• show mls qos interface queueing
• show mls qos input-queue
Purpose: Verifies your entries.
Example:
SwitchDevice# show mls qos interface queueing
or
SwitchDevice# show mls qos input-queue

Step 5 copy running-config startup-config
Purpose: (Optional) Saves your entries in the configuration file.
To return to the default setting, use the no mls qos srr-queue input bandwidth global configuration command.
Example:
SwitchDevice# copy running-config startup-config

Related Topics
Queueing and Scheduling on Ingress Queues
Examples: Configuring Ingress Queue Characteristics, on page 742
SRR Shaping and Sharing, on page 661

Configuring the Ingress Priority Queue


You should use the priority queue only for traffic that needs to be expedited (for example, voice traffic, which
needs minimum delay and jitter).
The priority queue is guaranteed part of the bandwidth to reduce the delay and jitter under heavy network
traffic on an oversubscribed ring (when there is more traffic than the backplane can carry, and the queues are
full and dropping frames).
SRR services the priority queue for its configured weight as specified by the bandwidth keyword in the mls
qos srr-queue input priority-queue queue-id bandwidth weight global configuration command. Then, SRR
shares the remaining bandwidth with both ingress queues and services them as specified by the weights
configured with the mls qos srr-queue input bandwidth weight1 weight2 global configuration command.
Beginning in privileged EXEC mode, follow these steps to configure the priority queue. This procedure is
optional.

SUMMARY STEPS
1. configure terminal
2. mls qos srr-queue input priority-queue queue-id bandwidth weight
3. end
4. Use one of the following:
• show mls qos interface queueing
• show mls qos input-queue

5. copy running-config startup-config

DETAILED STEPS

Step 1 configure terminal
Purpose: Enters global configuration mode.
Example:
SwitchDevice# configure terminal

Step 2 mls qos srr-queue input priority-queue queue-id bandwidth weight
Purpose: Assigns a queue as the priority queue and guarantees bandwidth on the stack or internal ring if the ring is congested.
By default, the priority queue is queue 2, and 10 percent of the bandwidth is allocated to it.
• For queue-id, the range is 1 to 2.
• For bandwidth weight, assign the bandwidth percentage of the stack or internal ring. The range is 0 to 40. The amount of bandwidth that can be guaranteed is restricted because a large value affects the entire ring and can degrade the switch or stack performance.
Example:
SwitchDevice(config)# mls qos srr-queue input priority-queue 1 bandwidth 10

Step 3 end
Purpose: Returns to privileged EXEC mode.
Example:
SwitchDevice(config)# end

Step 4 Use one of the following:
• show mls qos interface queueing
• show mls qos input-queue
Purpose: Verifies your entries.
Example:
SwitchDevice# show mls qos input-queue

Step 5 copy running-config startup-config
Purpose: (Optional) Saves your entries in the configuration file.
To return to the default setting, use the no mls qos srr-queue input priority-queue queue-id global configuration command. To disable priority queueing, set the bandwidth weight to 0, for example, mls qos srr-queue input priority-queue queue-id bandwidth 0.
Example:
SwitchDevice# copy running-config startup-config

Related Topics
Queueing and Scheduling on Ingress Queues
Examples: Configuring Ingress Queue Characteristics, on page 742

Configuring Egress Queue Characteristics


Depending on the complexity of your network and your QoS solution, you might need to perform all of the
tasks in the following modules. You need to make decisions about these characteristics:
• Which packets are mapped by DSCP or CoS value to each queue and threshold ID?
• What drop percentage thresholds apply to the queue-set (four egress queues per port), and how much
reserved and maximum memory is needed for the traffic type?
• How much of the fixed buffer space is allocated to the queue-set?
• Does the bandwidth of the port need to be rate limited?
• How often should the egress queues be serviced and which technique (shaped, shared, or both) should
be used?

Related Topics
Shaped or Shared Mode, on page 667

Configuration Guidelines
Follow these guidelines when the expedite queue is enabled or the egress queues are serviced based on their
SRR weights:
• If the egress expedite queue is enabled, it overrides the SRR shaped and shared weights for queue 1.
• If the egress expedite queue is disabled and the SRR shaped and shared weights are configured, the
shaped mode overrides the shared mode for queue 1, and SRR services this queue in shaped mode.
• If the egress expedite queue is disabled and the SRR shaped weights are not configured, SRR services
this queue in shared mode.

Allocating Buffer Space to and Setting WTD Thresholds for an Egress Queue-Set
You can guarantee the availability of buffers, set WTD thresholds, and configure the maximum allocation for
a queue-set by using the mls qos queue-set output qset-id threshold queue-id drop-threshold1 drop-threshold2
reserved-threshold maximum-threshold global configuration command.
Each threshold value is a percentage of the queue’s allocated buffers, which you specify by using the mls qos
queue-set output qset-id buffers allocation1 ... allocation4 global configuration command. The queues use
WTD to support distinct drop percentages for different traffic classes.

Note The switch supports 4 egress queues by default, although there is an option to enable a total of 8 egress queues.
Use the mls qos srr-queue output queues 8 global configuration command to enable all 8 egress queues.
Once 8 egress queues are enabled, you are able to configure thresholds, buffers, bandwidth share weights,
and bandwidth shape weights for all 8 queues. The 8 egress queue configuration is only supported on a
standalone switch.

Note The egress queue default settings are suitable for most situations. You should change them only when you
have a thorough understanding of the egress queues and if these settings do not meet your QoS solution.

Beginning in privileged EXEC mode, follow these steps to configure the memory allocation and to drop
thresholds for a queue-set. This procedure is optional.

SUMMARY STEPS
1. configure terminal
2. mls qos srr-queue output queues 8
3. mls qos queue-set output qset-id buffers allocation1 ... allocation8
4. mls qos queue-set output qset-id threshold queue-id drop-threshold1 drop-threshold2 reserved-threshold
maximum-threshold
5. interface interface-id
6. queue-set qset-id
7. end
8. show mls qos interface [interface-id] buffers
9. copy running-config startup-config

DETAILED STEPS

Step 1 configure terminal
Purpose: Enters the global configuration mode.
Example:
SwitchDevice# configure terminal

Step 2 mls qos srr-queue output queues 8
Purpose: (Optional) The switch supports 4 egress queues by default, although you can enable a total of 8 egress queues. Use the optional mls qos srr-queue output queues 8 command to enable the additional 4 egress queues.
Once 8 queue support is enabled, you can then proceed to configure the additional 4 queues. Any existing egress queue configuration commands are then modified to support the additional queue parameters.
Note The option to enable 8 queues is only available on a standalone switch.
Example:
SwitchDevice(config)# mls qos srr-queue output queues 8

Step 3 mls qos queue-set output qset-id buffers allocation1 ... allocation8
Purpose: Allocates buffers to a queue set.
By default, all allocation values are equally mapped among the four queues (25, 25, 25, 25). Each queue has 1/4 of the buffer space. When eight egress queues are configured, then by default 30 percent of the total buffer space is allocated to queue 2 and 10 percent (each) to queues 1, 3, 4, 5, 6, 7, and 8.
If you enabled 8 egress queues as described in Step 2 above, then the following applies:
• For qset-id, enter the ID of the queue set. The range is 1 to 2. Each port belongs to a queue set, which defines all the characteristics of the four egress queues per port.
• For allocation1 ... allocation8, specify eight percentages, one for each queue in the queue set. For allocation1, allocation3, and allocation4 to allocation8, the range is 0 to 99. For allocation2, the range is 1 to 100 (including the CPU buffer).
Allocate buffers according to the importance of the traffic; for example, give a large percentage of the buffer to the queue with the highest-priority traffic.
Note To return to the default setting, use the no mls qos queue-set output qset-id buffers global configuration command.
Example:
SwitchDevice(config)# mls qos queue-set output 2 buffers 40 20 20 20 10 10 10 10

Step 4 mls qos queue-set output qset-id threshold queue-id drop-threshold1 drop-threshold2 reserved-threshold maximum-threshold
Purpose: Configures the WTD thresholds, guarantees the availability of buffers, and configures the maximum memory allocation for the queue-set (four egress queues per port).
By default, the WTD thresholds for queues 1, 3, and 4 are set to 100 percent. The thresholds for queue 2 are set to 200 percent. The reserved thresholds for queues 1, 2, 3, and 4 are set to 50 percent. The maximum thresholds for all queues are set to 400 percent by default.
If you enabled 8 egress queues as described in Step 2 above, then the following applies:
• For qset-id, enter the ID of the queue-set specified in Step 3. The range is 1 to 2.
• For queue-id, enter the specific queue in the queue set on which the command is performed. The queue-id range is 1-4 by default and 1-8 when 8 queues are enabled.
• For drop-threshold1 drop-threshold2, specify the two WTD thresholds expressed as a percentage of the queue’s allocated memory. The range is 1 to 3200 percent.
• For reserved-threshold, enter the amount of memory to be guaranteed (reserved) for the queue expressed as a percentage of the allocated memory. The range is 1 to 100 percent.
• For maximum-threshold, enable a queue in the full condition to obtain more buffers than are reserved for it. This is the maximum memory the queue can have before the packets are dropped if the common pool is not empty. The range is 1 to 3200 percent.
Note To return to the default WTD threshold percentages, use the no mls qos queue-set output qset-id threshold [queue-id] global configuration command.
Example:
SwitchDevice(config)# mls qos queue-set output 2 threshold 2 40 60 100 200

Step 5 interface interface-id
Purpose: Specifies the port of the outbound traffic, and enters interface configuration mode.
Example:
SwitchDevice(config)# interface gigabitethernet1/0/1

Step 6 queue-set qset-id
Purpose: Maps the port to a queue-set. For qset-id, enter the ID of the queue-set specified in Step 3. The range is 1 to 2. The default is 1.
Example:
SwitchDevice(config-if)# queue-set 2

Step 7 end
Purpose: Returns to privileged EXEC mode.
Example:
SwitchDevice(config-if)# end

Step 8 show mls qos interface [interface-id] buffers
Purpose: Verifies your entries.
Example:
SwitchDevice# show mls qos interface buffers

Step 9 copy running-config startup-config
Purpose: (Optional) Saves your entries in the configuration file.
To return to the default setting, use the no mls qos queue-set output qset-id buffers global configuration command. To return to the default WTD threshold percentages, use the no mls qos queue-set output qset-id threshold [queue-id] global configuration command.
Example:
SwitchDevice# copy running-config startup-config

Related Topics
Queueing and Scheduling on Egress Queues
Examples: Configuring Egress Queue Characteristics, on page 743
Weighted Tail Drop, on page 660

Mapping DSCP or CoS Values to an Egress Queue and to a Threshold ID


You can prioritize traffic by placing packets with particular DSCPs or classes of service (CoS) into certain queues and
adjusting the queue thresholds so that packets with lower priorities are dropped.

Note The egress queue default settings are suitable for most situations. You should change them only when you
have a thorough understanding of egress queues and if these settings do not meet your QoS solution.

Beginning in privileged EXEC mode, follow these steps to map DSCP or CoS values to an egress queue and
to a threshold ID. This procedure is optional.

SUMMARY STEPS
1. configure terminal
2. Use one of the following:
• mls qos srr-queue output dscp-map queue queue-id threshold threshold-id dscp1...dscp8
• mls qos srr-queue output cos-map queue queue-id threshold threshold-id cos1...cos8
3. end
4. show mls qos maps
5. copy running-config startup-config

DETAILED STEPS

Step 1 configure terminal
Purpose: Enters global configuration mode.
Example:
SwitchDevice# configure terminal

Step 2 Use one of the following:
• mls qos srr-queue output dscp-map queue queue-id threshold threshold-id dscp1...dscp8
• mls qos srr-queue output cos-map queue queue-id threshold threshold-id cos1...cos8
Purpose: Maps DSCP or CoS values to an egress queue and to a threshold ID.
By default, DSCP values 0–15 are mapped to queue 2 and threshold 1. DSCP values 16–31 are mapped to queue 3 and threshold 1. DSCP values 32–39 and 48–63 are mapped to queue 4 and threshold 1. DSCP values 40–47 are mapped to queue 1 and threshold 1.
By default, CoS values 0 and 1 are mapped to queue 2 and threshold 1. CoS values 2 and 3 are mapped to queue 3 and threshold 1. CoS values 4, 6, and 7 are mapped to queue 4 and threshold 1. CoS value 5 is mapped to queue 1 and threshold 1.
• For queue-id, the range is 1 to 4.
Note If you enabled 8 egress queues using the mls qos srr-queue output queues 8 global configuration command, then the queue-id range would be from 1 to 8.
• For threshold-id, the range is 1 to 3. The drop-threshold percentage for threshold 3 is predefined. It is set to the queue-full state.
• For dscp1...dscp8, enter up to eight values, and separate each value with a space. The range is 0 to 63.
• For cos1...cos8, enter up to eight values, and separate each value with a space. The range is 0 to 7.
Note To return to the default DSCP output queue threshold map or the default CoS output queue threshold map, use the no mls qos srr-queue output dscp-map or the no mls qos srr-queue output cos-map global configuration command.
Example:
SwitchDevice(config)# mls qos srr-queue output dscp-map queue 1 threshold 2 10 11

Step 3 end
Purpose: Returns to privileged EXEC mode.
Example:
SwitchDevice(config)# end

Step 4 show mls qos maps
Purpose: Verifies your entries.
The DSCP output queue threshold map appears as a matrix. The d1 column specifies the most-significant digit of the DSCP number; the d2 row specifies the least-significant digit in the DSCP number. The intersection of the d1 and the d2 values provides the queue ID and threshold ID; for example, queue 2 and threshold 1 (02-01).
The CoS output queue threshold map shows the CoS value in the top row and the corresponding queue ID and threshold ID in the second row; for example, queue 2 and threshold 2 (2-2).
Example:
SwitchDevice# show mls qos maps

Step 5 copy running-config startup-config
Purpose: (Optional) Saves your entries in the configuration file.
To return to the default DSCP output queue threshold map or the default CoS output queue threshold map, use the no mls qos srr-queue output dscp-map or the no mls qos srr-queue output cos-map global configuration command.
Example:
SwitchDevice# copy running-config startup-config

Related Topics
Queueing and Scheduling on Egress Queues
Examples: Configuring Egress Queue Characteristics, on page 743
Weighted Tail Drop, on page 660
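The queue and threshold maps from the ingress procedure (Mapping DSCP or CoS Values to an Ingress Queue and Setting WTD Thresholds) and the egress procedure just above, as one added Python example that is not code from the guide: it builds the default maps the guide states for both directions, applies the dscp-map and cos-map commands with their range checks, and lays the DSCP map out as the d1/d2 matrix that show mls qos maps prints (queue 2, threshold 1 as 02-01). The function names and the exact text layout of the rendering are my own approximation.

```python
"""The DSCP-to-queue/threshold and CoS-to-queue/threshold maps used by the
ingress and egress mapping procedures, and the d1/d2 matrix layout in which
'show mls qos maps' presents the DSCP maps. Added example, not Cisco code: the
defaults and ranges are the guide's, the function names and the exact text
layout are my own approximation of the command output."""

DSCP_MAX, COS_MAX, MAX_VALUES_PER_COMMAND = 63, 7, 8


def default_maps(direction):
    """Default (queue, threshold) maps for 'input' (two ingress queues) or
    'output' (four egress queues), as the guide states them."""
    if direction == "input":
        dscp = {d: ((2, 1) if 40 <= d <= 47 else (1, 1)) for d in range(DSCP_MAX + 1)}
        cos = {c: ((2, 1) if c == 5 else (1, 1)) for c in range(COS_MAX + 1)}
    elif direction == "output":
        dscp = {d: ((2, 1) if d <= 15 else (3, 1) if d <= 31 else (1, 1) if 40 <= d <= 47 else (4, 1))
                for d in range(DSCP_MAX + 1)}
        cos = {c: ((2, 1) if c <= 1 else (3, 1) if c <= 3 else (1, 1) if c == 5 else (4, 1))
               for c in range(COS_MAX + 1)}
    else:
        raise ValueError(f"direction must be 'input' or 'output', not {direction!r}")
    return {"dscp": dscp, "cos": cos}


def apply_srr_map_command(maps, line, queues):
    """Apply one 'mls qos srr-queue {input|output} {dscp-map|cos-map} queue
    <queue-id> threshold <threshold-id> v1...v8' command. queues is the number
    of queues in that direction: 2 on ingress, 4 on egress (8 once
    'mls qos srr-queue output queues 8' is configured)."""
    t = line.split()
    if (len(t) < 10 or t[:3] != ["mls", "qos", "srr-queue"] or t[3] not in ("input", "output")
            or t[4] not in ("dscp-map", "cos-map") or t[5] != "queue" or t[7] != "threshold"):
        raise ValueError(f"unsupported command: {line}")
    kind = t[4][:-4]                                   # 'dscp' or 'cos'
    upper = DSCP_MAX if kind == "dscp" else COS_MAX
    queue_id, threshold_id = int(t[6]), int(t[8])
    values = [int(v) for v in t[9:]]
    if not 1 <= queue_id <= queues:
        raise ValueError(f"queue-id {queue_id} outside 1..{queues}")
    if not 1 <= threshold_id <= 3:                     # threshold 3 is the predefined queue-full state
        raise ValueError("threshold-id range is 1 to 3")
    if len(values) > MAX_VALUES_PER_COMMAND or any(not 0 <= v <= upper for v in values):
        raise ValueError(f"enter up to eight values in 0..{upper}")
    for v in values:
        maps[kind][v] = (queue_id, threshold_id)
    return maps


def dscp_matrix_cells(dscp_map):
    """Lay a DSCP map out as 'show mls qos maps' does: one row per d1 (the
    most-significant decimal digit, 0-6) and one column per d2 (the
    least-significant digit, 0-9); each cell is 'qq-tt' for queue ID and
    threshold ID, so queue 2 threshold 1 shows as '02-01'."""
    rows = []
    for d1 in range(7):
        row = []
        for d2 in range(10):
            dscp = d1 * 10 + d2
            if dscp > DSCP_MAX:
                break                                  # the d1 = 6 row stops at DSCP 63
            queue, threshold = dscp_map[dscp]
            row.append(f"{queue:02d}-{threshold:02d}")
        rows.append(row)
    return rows


def render_dscp_matrix(dscp_map):
    """Text rendering of the matrix, in the style of the command output."""
    lines = ["     d1 :d2 " + " ".join(f"{d2:5d}" for d2 in range(10))]
    for d1, row in enumerate(dscp_matrix_cells(dscp_map)):
        lines.append(f"      {d1} :    " + " ".join(row))
    return "\n".join(lines)


def cos_row(cos_map):
    """The CoS map as the second row of the two-row table the guide describes,
    one 'q-t' entry per CoS value 0-7, so queue 2 threshold 2 shows as '2-2'."""
    return [f"{queue}-{threshold}" for _, (queue, threshold) in sorted(cos_map.items())]
```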

Configuring SRR Shaped Weights on Egress Queues


You can specify how much of the available bandwidth is allocated to each queue. The ratio of the weights is
the ratio of frequency in which the SRR scheduler sends packets from each queue.
You can configure the egress queues for shaped or shared weights, or both. Use shaping to smooth bursty
traffic or to provide a smoother output over time.
Beginning in privileged EXEC mode, follow these steps to assign the shaped weights and to enable bandwidth
shaping on the four egress queues mapped to a port. This procedure is optional.

SUMMARY STEPS
1. configure terminal
2. interface interface-id
3. srr-queue bandwidth shape weight1 weight2 weight3 weight4
4. end
5. show mls qos interface interface-id queueing
6. copy running-config startup-config

DETAILED STEPS

Step 1 configure terminal
Purpose: Enters the global configuration mode.
Example:
SwitchDevice# configure terminal

Step 2 interface interface-id
Purpose: Specifies the port of the outbound traffic, and enters interface configuration mode.
Example:
SwitchDevice(config)# interface gigabitethernet2/0/1

Step 3 srr-queue bandwidth shape weight1 weight2 weight3 weight4
Purpose: Assigns SRR weights to the egress queues. By default, weight1 is set to 25; weight2, weight3, and weight4 are set to 0, and these queues are in shared mode.
For weight1 weight2 weight3 weight4, enter the weights to control the percentage of the port that is shaped. The inverse ratio (1/weight) controls the shaping bandwidth for this queue. Separate each value with a space. The range is 0 to 65535.
If you configure a weight of 0, the corresponding queue operates in shared mode. The weight specified with the srr-queue bandwidth shape command is ignored, and the weights specified with the srr-queue bandwidth share interface configuration command for a queue come into effect. When configuring queues in the same queue-set for both shaping and sharing, make sure that you configure the lowest number queue for shaping.
The shaped mode overrides the shared mode.
To return to the default setting, use the no srr-queue bandwidth shape interface configuration command.
Note If you enabled 8 egress queues using the mls qos srr-queue output queues 8 global configuration command, then you would be able to assign SRR weights to a total of 8 queues.
Example:
SwitchDevice(config-if)# srr-queue bandwidth shape 8 0 0 0

Step 4 end
Purpose: Returns to privileged EXEC mode.
Example:
SwitchDevice(config-if)# end

Step 5 show mls qos interface interface-id queueing
Purpose: Verifies your entries.
Example:
SwitchDevice# show mls qos interface interface-id queueing

Step 6 copy running-config startup-config
Purpose: (Optional) Saves your entries in the configuration file.
To return to the default setting, use the no srr-queue bandwidth shape interface configuration command.
Example:
SwitchDevice# copy running-config startup-config

Related Topics
Queueing and Scheduling on Egress Queues
Examples: Configuring Egress Queue Characteristics, on page 743
SRR Shaping and Sharing, on page 661

Configuring SRR Shared Weights on Egress Queues


In shared mode, the queues share the bandwidth among them according to the configured weights. The
bandwidth is guaranteed at this level but not limited to it. For example, if a queue empties and does not require
a share of the link, the remaining queues can expand into the unused bandwidth and share it among them.
With sharing, the ratio of the weights controls the frequency of dequeuing; the absolute values are meaningless.


Note The egress queue default settings are suitable for most situations. You should change them only when you
have a thorough understanding of the egress queues and if these settings do not meet your QoS solution.

Beginning in privileged EXEC mode, follow these steps to assign the shared weights and to enable bandwidth
sharing on the four egress queues mapped to a port. This procedure is optional.

SUMMARY STEPS
1. configure terminal
2. interface interface-id
3. srr-queue bandwidth share weight1 weight2 weight3 weight4
4. end
5. show mls qos interface interface-id queueing
6. copy running-config startup-config

DETAILED STEPS

Step 1  configure terminal
        Enters global configuration mode.
        Example:
        SwitchDevice# configure terminal

Step 2  interface interface-id
        Specifies the port of the outbound traffic, and enters interface configuration mode.
        Example:
        SwitchDevice(config)# interface gigabitethernet2/0/1

Step 3  srr-queue bandwidth share weight1 weight2 weight3 weight4
        Assigns SRR shared weights to the egress queues. By default, all four weights are 25 (1/4 of the bandwidth is allocated to each queue).
        For weight1 weight2 weight3 weight4, enter the weights that control the ratio of the frequency in which the SRR scheduler sends packets. Only the ratio matters; in the example, queue 4 is dequeued four times as often as queue 1. Separate each value with a space. The range is 1 to 255.
        To return to the default setting, use the no srr-queue bandwidth share interface configuration command.
        Note: If you enabled 8 egress queues using the mls qos srr-queue output queues 8 global configuration command, you can assign SRR weights to a total of 8 queues.
        Example:
        SwitchDevice(config-if)# srr-queue bandwidth share 1 2 3 4

Step 4  end
        Returns to privileged EXEC mode.
        Example:
        SwitchDevice(config-if)# end

Step 5  show mls qos interface interface-id queueing
        Verifies your entries.
        Example:
        SwitchDevice# show mls qos interface interface-id queueing

Step 6  copy running-config startup-config
        (Optional) Saves your entries in the configuration file.
        Example:
        SwitchDevice# copy running-config startup-config

Related Topics
Queueing and Scheduling on Egress Queues
Examples: Configuring Egress Queue Characteristics, on page 743
SRR Shaping and Sharing, on page 661

Configuring the Egress Expedite Queue


You can ensure that certain packets have priority over all others by queuing them in the egress expedite queue. SRR services this queue until it is empty before servicing the other queues. Because the expedite queue is strict priority, any traffic that can be classified into it can starve the other queues for as long as it keeps arriving; map only traffic you already trust or police at ingress (for example, marked voice traffic from trusted ports) to this queue.
Beginning in privileged EXEC mode, follow these steps to enable the egress expedite queue. This procedure is optional.

SUMMARY STEPS
1. configure terminal
2. mls qos
3. interface interface-id
4. priority-queue out
5. end
6. show running-config
7. copy running-config startup-config


DETAILED STEPS

Step 1  configure terminal
        Enters global configuration mode.
        Example:
        SwitchDevice# configure terminal

Step 2  mls qos
        Enables QoS on the switch.
        Example:
        SwitchDevice(config)# mls qos

Step 3  interface interface-id
        Specifies the egress port, and enters interface configuration mode.
        Example:
        SwitchDevice(config)# interface gigabitethernet1/0/1

Step 4  priority-queue out
        Enables the egress expedite queue, which is disabled by default.
        When you configure this command, the SRR weight and queue size ratios are affected because there is one fewer queue participating in SRR. This means that weight1 in the srr-queue bandwidth shape or the srr-queue bandwidth share command is ignored (not used in the ratio calculation).
        Note: To disable the egress expedite queue, use the no priority-queue out interface configuration command.
        Example:
        SwitchDevice(config-if)# priority-queue out

Step 5  end
        Returns to privileged EXEC mode.
        Example:
        SwitchDevice(config-if)# end

Step 6  show running-config
        Verifies your entries.
        Example:
        SwitchDevice# show running-config

Step 7  copy running-config startup-config
        (Optional) Saves your entries in the configuration file.
        Example:
        SwitchDevice# copy running-config startup-config

Related Topics
Queueing and Scheduling on Egress Queues
Examples: Configuring Egress Queue Characteristics, on page 743

Limiting the Bandwidth on an Egress Interface


You can limit the bandwidth on an egress port. For example, if a customer pays only for a small percentage
of a high-speed link, you can limit the bandwidth to that amount.

Note The egress queue default settings are suitable for most situations. You should change them only when you
have a thorough understanding of the egress queues and if these settings do not meet your QoS solution.

Beginning in privileged EXEC mode, follow these steps to limit the bandwidth on an egress port. This procedure
is optional.

SUMMARY STEPS
1. configure terminal
2. interface interface-id
3. srr-queue bandwidth limit weight1
4. end
5. show mls qos interface [interface-id] queueing
6. copy running-config startup-config

DETAILED STEPS

Step 1  configure terminal
        Enters global configuration mode.
        Example:
        SwitchDevice# configure terminal

Step 2  interface interface-id
        Specifies the port to be rate-limited, and enters interface configuration mode.
        Example:
        SwitchDevice(config)# interface gigabitethernet2/0/1

Step 3  srr-queue bandwidth limit weight1
        Specifies the percentage of the port speed to which the port should be limited. The range is 10 to 90.
        By default, the port is not rate-limited and is set to 100 percent.
        Note: To return to the default setting, use the no srr-queue bandwidth limit interface configuration command.
        Example:
        SwitchDevice(config-if)# srr-queue bandwidth limit 80

Step 4  end
        Returns to privileged EXEC mode.
        Example:
        SwitchDevice(config-if)# end

Step 5  show mls qos interface [interface-id] queueing
        Verifies your entries.
        Example:
        SwitchDevice# show mls qos interface interface-id queueing

Step 6  copy running-config startup-config
        (Optional) Saves your entries in the configuration file.
        Example:
        SwitchDevice# copy running-config startup-config

Related Topics
Queueing and Scheduling on Egress Queues
Examples: Configuring Egress Queue Characteristics, on page 743
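The four procedures above (shaped weights, shared weights, the expedite queue, and the port bandwidth limit) act on the same four queues, but the guide states their rules one command at a time. The following Python model is a worked example added here; it is not code from the guide or from Cisco. It combines the rules exactly as stated above (1/weight shaping, a weight of 0 meaning shared mode, the share weights taken as a ratio, weight1 dropped from both ratios once priority-queue out is set, and the limit applied to the whole port) and reports what each queue is guaranteed and the most it can use, then renders the interface commands that produce that allocation. The queue numbering, the ranges checked in validate(), and all helper names are this example's own assumptions.

```python
"""How srr-queue bandwidth shape / share / limit and priority-queue out combine
on one four-queue egress port.

Added worked example; not code from the configuration guide or from Cisco. It
applies the rules the procedures state (1/weight shaping, weight 0 = shared,
share weights as a ratio, weight1 left out once the expedite queue is enabled,
the port capped by the limit percentage). Packet-level timing is not modelled.
"""
from dataclasses import dataclass
from typing import Dict, List, Sequence

DEFAULT_SHAPE = (25, 0, 0, 0)        # defaults stated in the procedures
DEFAULT_SHARE = (25, 25, 25, 25)


@dataclass
class QueueAlloc:
    mode: str              # "priority", "shaped" or "shared"
    guaranteed_pct: float  # share of line rate the queue gets when all queues are busy
    ceiling_pct: float     # most of line rate the queue can ever use


def validate(shape: Sequence[int], share: Sequence[int], limit_pct: int) -> None:
    """Reject what the commands reject (ranges as given in the procedures)."""
    if len(shape) != len(share):
        raise ValueError("shape and share must list the same number of queues")
    if any(not 0 <= w <= 65535 for w in shape):
        raise ValueError("shape weights must be 0..65535")
    if any(not 1 <= w <= 255 for w in share):
        raise ValueError("share weights must be 1..255")
    if limit_pct != 100 and not 10 <= limit_pct <= 90:
        raise ValueError("srr-queue bandwidth limit accepts 10..90 (100 = not limited)")


def egress_allocation(shape=DEFAULT_SHAPE, share=DEFAULT_SHARE,
                      priority_queue=False, limit_pct=100) -> Dict[int, QueueAlloc]:
    """Per-queue allocation as percentages of line rate; queue numbers are 1-based.

    A shaped queue (shape weight w > 0) is capped at limit/w and guaranteed the
    same. Queues with shape weight 0 are shared: they divide what the shaped
    queues leave, in the ratio of their share weights, and may borrow what
    other shared queues leave idle. With priority-queue out, queue 1 is served
    until empty before any other queue, so its weights drop out of both ratios
    and the other guarantees hold only while it is idle.
    """
    validate(shape, share, limit_pct)
    alloc: Dict[int, QueueAlloc] = {}
    port = float(limit_pct)
    remaining = port
    shared: List[int] = []
    for q, w_shape in enumerate(shape, start=1):
        if q == 1 and priority_queue:
            alloc[q] = QueueAlloc("priority", port, port)
        elif w_shape > 0:
            pct = port / w_shape
            alloc[q] = QueueAlloc("shaped", pct, pct)
            remaining -= pct
        else:
            shared.append(q)
    remaining = max(remaining, 0.0)          # over-subscribed shaping leaves nothing to share
    total = sum(share[q - 1] for q in shared)
    for q in shared:
        alloc[q] = QueueAlloc("shared", remaining * share[q - 1] / total, remaining)
    return alloc


def ios_commands(shape=DEFAULT_SHAPE, share=DEFAULT_SHARE,
                 priority_queue=False, limit_pct=100) -> List[str]:
    """Interface-configuration lines that produce the allocation."""
    validate(shape, share, limit_pct)
    lines = ["srr-queue bandwidth shape " + " ".join(map(str, shape)),
             "srr-queue bandwidth share " + " ".join(map(str, share))]
    if priority_queue:
        lines.append("priority-queue out")
    if limit_pct != 100:
        lines.append(f"srr-queue bandwidth limit {limit_pct}")
    return lines


if __name__ == "__main__":
    for q, a in egress_allocation((8, 0, 0, 0), (1, 2, 3, 4), True, 80).items():
        print(f"queue {q}: {a.mode:8} guaranteed {a.guaranteed_pct:5.1f}%  ceiling {a.ceiling_pct:5.1f}%")
```

Running the model on the defaults shows what the procedures imply but do not spell out: shape 25 0 0 0 with share 25 25 25 25 leaves queue 1 shaped to 4 percent and gives queues 2 to 4 a guaranteed 32 percent each, and enabling the expedite queue removes every guarantee for the other queues for as long as it has traffic, which is why only trusted or ingress-policed traffic should be mapped to it.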

Monitoring Standard QoS


Table 77: Commands for Monitoring Standard QoS on the Switch

Command: show class-map [class-map-name]
Description: Displays QoS class maps, which define the match criteria to classify traffic.

Command: show mls qos
Description: Displays global QoS configuration information.

Command: show mls qos aggregate-policer [aggregate-policer-name]
Description: Displays the aggregate policer configuration.

Command: show mls qos interface [interface-id] [buffers | policers | queueing | statistics]
Description: Displays QoS information at the port level, including the buffer allocation, which ports have configured policers, the queueing strategy, and the ingress and egress statistics.

Command: show mls qos maps [cos-dscp | cos-output-q | dscp-cos | dscp-mutation dscp-mutation-name | dscp-output-q | ip-prec-dscp | policed-dscp]
Description: Displays QoS mapping information.

Command: show mls qos queue-set [qset-id]
Description: Displays QoS settings for the egress queues.

Command: show policy-map [policy-map-name [class class-map-name]]
Description: Displays QoS policy maps, which define classification criteria for incoming traffic.
Do not use the show policy-map interface privileged EXEC command to display classification information for incoming traffic. The control-plane and interface keywords are not supported, and the statistics shown in the display should be ignored.

Command: show running-config | include rewrite
Description: Displays the DSCP transparency setting.

Configuration Examples for QoS


Example: Configuring Port to the DSCP-Trusted State and Modifying the
DSCP-to-DSCP-Mutation Map
This example shows how to configure a port to the DSCP-trusted state and to modify the DSCP-to-DSCP-mutation map (named gigabitethernet1/0/2-mutation) so that incoming DSCP values 10 to 13 are mapped to DSCP 30:

SwitchDevice(config)# mls qos map dscp-mutation gigabitethernet1/0/2-mutation 10 11 12 13 to 30
SwitchDevice(config)# interface gigabitethernet1/0/2
SwitchDevice(config-if)# mls qos trust dscp
SwitchDevice(config-if)# mls qos dscp-mutation gigabitethernet1/0/2-mutation
SwitchDevice(config-if)# end

Related Topics
Configuring the DSCP Trust State on a Port Bordering Another QoS Domain, on page 684

Examples: Classifying Traffic by Using ACLs


This example shows how to allow access for only those hosts on the three specified networks. The wildcard
bits apply to the host portions of the network addresses. Any host with a source address that does not match
the access list statements is rejected.


SwitchDevice(config)# access-list 1 permit 192.5.255.0 0.0.0.255
SwitchDevice(config)# access-list 1 permit 128.88.0.0 0.0.255.255
SwitchDevice(config)# access-list 1 permit 36.0.0.0 0.0.0.255
! (Note: all other access implicitly denied)

This example shows how to create an ACL that permits IP traffic from any source to any destination that has the DSCP value set to 32:

SwitchDevice(config)# access-list 100 permit ip any any dscp 32

This example shows how to create an ACL that permits IP traffic from a source host at 10.1.1.1 to a destination host at 10.1.1.2 with a precedence value of 5:

SwitchDevice(config)# access-list 100 permit ip host 10.1.1.1 host 10.1.1.2 precedence 5

This example shows how to create an ACL that permits PIM traffic from any source to a destination group address of 224.0.0.2 with a DSCP set to 32:

SwitchDevice(config)# access-list 102 permit pim any 224.0.0.2 dscp 32

This example shows how to create an IPv6 ACL that permits IPv6 traffic from any source to any destination that has the DSCP value set to 32. IPv6 ACLs are named, and their entries are entered in IPv6 access-list configuration mode with the ipv6 protocol keyword:

SwitchDevice(config)# ipv6 access-list ipv6-dscp32
SwitchDevice(config-ipv6-acl)# permit ipv6 any any dscp 32

This example shows how to create an IPv6 ACL that permits IPv6 traffic from a source host at 10::1 to a destination host at 10::2 with DSCP 40. IPv6 ACL entries have no precedence keyword; DSCP 40 (CS5) is the value whose top three bits equal IP precedence 5:

SwitchDevice(config)# ipv6 access-list ipv6_Name_ACL
SwitchDevice(config-ipv6-acl)# permit ipv6 host 10::1 host 10::2 dscp 40

This example shows how to create a Layer 2 MAC ACL with two permit statements. The first statement
allows traffic from the host with MAC address 0001.0000.0001 to the host with MAC address 0002.0000.0001.
The second statement allows only Ethertype XNS-IDP traffic from the host with MAC address 0001.0000.0002
to the host with MAC address 0002.0000.0002.

SwitchDevice(config)# mac access-list extended maclist1
SwitchDevice(config-ext-macl)# permit 0001.0000.0001 0.0.0 0002.0000.0001 0.0.0
SwitchDevice(config-ext-macl)# permit 0001.0000.0002 0.0.0 0002.0000.0002 0.0.0 xns-idp
! (Note: all other access implicitly denied)

Related Topics
Creating an IP Standard ACL for IPv4 Traffic, on page 687
Creating an IP Extended ACL for IPv4 Traffic, on page 688
Creating an IPv6 ACL for IPv6 Traffic, on page 690
Creating a Layer 2 MAC ACL for Non-IP Traffic, on page 692
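Because the ACLs above drive classification, and therefore marking and policing, it is worth checking by hand which addresses a list actually covers and that everything else falls to the implicit deny. The following Python ACL evaluator is a worked example added here, not code from the guide. It parses only the numbered IPv4 forms the examples use (standard lists, and extended lists with a protocol, any / host / address-wildcard endpoints, and numeric dscp or precedence qualifiers), ignores prompt text, and applies first-match evaluation with implicit deny. The Packet and Ace types, the sample packets in the checks, and SAMPLE_CONFIG (a constructed copy of the lists above, with both access-list 100 lines in one list as the switch would store them) are this example's own.

```python
"""ACL evaluator for the numbered IPv4 lists used in the classification examples.

Added worked example, not code from the configuration guide. Rules implemented:
wildcard bits (1 = don't care), first match wins, implicit deny at the end.
Named precedence values and port operators are not handled.
"""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

STANDARD_RANGES = ((1, 99), (1300, 1999))   # numbered standard IP ACLs: source only


@dataclass
class Packet:
    src: str
    dst: str
    proto: str = "udp"   # IP protocol name as an ACE would spell it, e.g. "tcp", "udp", "pim"
    dscp: int = 0        # IP precedence is the top three bits of this field


@dataclass
class Ace:
    action: str
    proto: Optional[str]             # None in a standard list
    src: Tuple[int, int]             # (address, wildcard) as 32-bit integers
    dst: Optional[Tuple[int, int]]   # None in a standard list
    dscp: Optional[int] = None
    precedence: Optional[int] = None


def _ip(text: str) -> int:
    return int(ipaddress.IPv4Address(text))


def _endpoint(tokens: List[str], i: int) -> Tuple[Tuple[int, int], int]:
    """Consume one endpoint spec at tokens[i]; return ((address, wildcard), next index)."""
    if tokens[i] == "any":
        return (0, 0xFFFFFFFF), i + 1
    if tokens[i] == "host":
        return (_ip(tokens[i + 1]), 0), i + 2
    try:                                   # address followed by a wildcard mask
        return (_ip(tokens[i]), _ip(tokens[i + 1])), i + 2
    except (IndexError, ValueError):       # bare address: the switch treats it as a host
        return (_ip(tokens[i]), 0), i + 1


def parse_acls(config: str) -> Dict[int, List[Ace]]:
    """Collect access-list lines into per-number entry lists, in configured order."""
    acls: Dict[int, List[Ace]] = {}
    for raw in config.splitlines():
        tokens = raw.split("# ", 1)[-1].split()      # drop a leading CLI prompt, if any
        if not tokens or tokens[0] != "access-list":
            continue                                 # blank lines, comments, other commands
        number, action, i = int(tokens[1]), tokens[2], 3
        if any(lo <= number <= hi for lo, hi in STANDARD_RANGES):
            src, i = _endpoint(tokens, i)
            ace = Ace(action, None, src, None)
        else:
            proto, i = tokens[i], i + 1
            src, i = _endpoint(tokens, i)
            dst, i = _endpoint(tokens, i)
            ace = Ace(action, proto, src, dst)
            while i < len(tokens):
                key, value = tokens[i], int(tokens[i + 1])
                if key == "dscp":
                    ace.dscp = value
                elif key == "precedence":
                    ace.precedence = value
                else:
                    raise ValueError(f"unsupported qualifier {key!r} in {raw!r}")
                i += 2
        acls.setdefault(number, []).append(ace)
    return acls


def _endpoint_matches(spec: Tuple[int, int], value: int) -> bool:
    addr, wildcard = spec
    care = ~wildcard & 0xFFFFFFFF        # bits that must match exactly
    return (value & care) == (addr & care)


def ace_matches(ace: Ace, pkt: Packet) -> bool:
    return (_endpoint_matches(ace.src, _ip(pkt.src))
            and (ace.dst is None or _endpoint_matches(ace.dst, _ip(pkt.dst)))
            and (ace.proto in (None, "ip") or ace.proto == pkt.proto)   # "ip" covers every IP protocol
            and (ace.dscp is None or pkt.dscp == ace.dscp)
            and (ace.precedence is None or (pkt.dscp >> 3) == ace.precedence))


def evaluate(aces: List[Ace], pkt: Packet) -> str:
    """First matching entry decides; a packet that matches no entry is denied."""
    for ace in aces:
        if ace_matches(ace, pkt):
            return ace.action
    return "deny"


# Constructed sample: the numbered lists from the examples above, pasted with their prompts.
SAMPLE_CONFIG = """
SwitchDevice(config)# access-list 1 permit 192.5.255.0 0.0.0.255
SwitchDevice(config)# access-list 1 permit 128.88.0.0 0.0.255.255
SwitchDevice(config)# access-list 1 permit 36.0.0.0 0.0.0.255
SwitchDevice(config)# access-list 100 permit ip any any dscp 32
SwitchDevice(config)# access-list 100 permit ip host 10.1.1.1 host 10.1.1.2 precedence 5
SwitchDevice(config)# access-list 102 permit pim any 224.0.0.2 dscp 32
"""
ACLS = parse_acls(SAMPLE_CONFIG)
```

The evaluator makes the two points the prose above relies on concrete: the wildcard 0.0.0.255 on 36.0.0.0 admits 36.0.0.200 but not 36.0.1.1, and a PIM entry with a destination of 224.0.0.2 does nothing for UDP to that group or for PIM to 224.0.0.3, both of which hit the implicit deny.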


Examples: Classifying Traffic by Using Class Maps


This example shows how to configure the class map called class1. The class1 has one match criterion, which
is access list 103. It permits traffic from any host to any destination that matches a DSCP value of 10.

SwitchDevice(config)# access-list 103 permit ip any any dscp 10
SwitchDevice(config)# class-map class1
SwitchDevice(config-cmap)# match access-group 103
SwitchDevice(config-cmap)# end
SwitchDevice#

This example shows how to create a class map called class2, which matches incoming traffic with DSCP
values of 10, 11, and 12.

SwitchDevice(config)# class-map class2
SwitchDevice(config-cmap)# match ip dscp 10 11 12
SwitchDevice(config-cmap)# end
SwitchDevice#

This example shows how to create a class map called class3, which matches incoming traffic with IP-precedence
values of 5, 6, and 7:

SwitchDevice(config)# class-map class3
SwitchDevice(config-cmap)# match ip precedence 5 6 7
SwitchDevice(config-cmap)# end
SwitchDevice#

This example shows how to configure a class map to match IP DSCP and IPv6:

SwitchDevice(config)# class-map cm-1
SwitchDevice(config-cmap)# match ip dscp 10
SwitchDevice(config-cmap)# match protocol ipv6
SwitchDevice(config-cmap)# exit
SwitchDevice(config)# class-map cm-2
SwitchDevice(config-cmap)# match ip dscp 20
SwitchDevice(config-cmap)# match protocol ip
SwitchDevice(config-cmap)# exit
SwitchDevice(config)# policy-map pm1
SwitchDevice(config-pmap)# class cm-1
SwitchDevice(config-pmap-c)# set dscp 4
SwitchDevice(config-pmap-c)# exit
SwitchDevice(config-pmap)# class cm-2
SwitchDevice(config-pmap-c)# set dscp 6
SwitchDevice(config-pmap-c)# exit
SwitchDevice(config-pmap)# exit
SwitchDevice(config)# interface G1/0/1
SwitchDevice(config-if)# service-policy input pm1

This example shows how to configure a class map that applies to both IPv4 and IPv6 traffic:

SwitchDevice(config)# ip access-list 101 permit ip any any


SwitchDevice(config)# ipv6 access-list ipv6-any permit ip any any
SwitchDevice(config)# Class-map cm-1
SwitchDevice(config-cmap)# match access-group 101
SwitchDevice(config-cmap)# exit

Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(3)E (Catalyst 3560-CX and 2960-CX Switches)
735
QoS
Examples: Classifying, Policing, and Marking Traffic on Physical Ports Using Policy Maps

SwitchDevice(config)# class-map cm-2


SwitchDevice(config-cmap)# match access-group name ipv6-any
SwitchDevice(config-cmap)# exit
SwitchDevice(config)# Policy-map pm1
SwitchDevice(config-pmap)# class cm-1
SwitchDevice(config-pmap-c)# set dscp 4
SwitchDevice(config-pmap-c)# exit
SwitchDevice(config-pmap)# class cm-2
SwitchDevice(config-pmap-c)# set dscp 6
SwitchDevice(config-pmap-c)# exit
SwitchDevice(config-pmap)# exit
SwitchDevice(config)# interface G0/1
SwitchDevice(config-if)# switch mode access
SwitchDevice(config-if)# service-policy input pm1

Related Topics
Classifying Traffic by Using Class Maps, on page 694
Classifying Traffic by Using Class Maps and Filtering IPv6 Traffic, on page 697

Examples: Classifying, Policing, and Marking Traffic on Physical Ports Using Policy Maps

This example shows how to create a policy map and attach it to an ingress port. In the configuration, the IP standard ACL permits traffic from network 10.1.0.0. For traffic matching this classification, the DSCP value in the incoming packet is trusted. If the matched traffic exceeds an average rate of 1,000,000 b/s (1 Mb/s) and a normal burst size of 8000 bytes, its DSCP is marked down (based on the policed-DSCP map) and sent:

SwitchDevice(config)# access-list 1 permit 10.1.0.0 0.0.255.255
SwitchDevice(config)# class-map ipclass1
SwitchDevice(config-cmap)# match access-group 1
SwitchDevice(config-cmap)# exit
SwitchDevice(config)# policy-map flow1t
SwitchDevice(config-pmap)# class ipclass1
SwitchDevice(config-pmap-c)# trust dscp
SwitchDevice(config-pmap-c)# police 1000000 8000 exceed-action policed-dscp-transmit
SwitchDevice(config-pmap-c)# exit
SwitchDevice(config-pmap)# exit
SwitchDevice(config)# interface gigabitethernet2/0/1
SwitchDevice(config-if)# service-policy input flow1t

This example shows how to create two Layer 2 MAC ACLs, classify on them with one class map each, and attach the resulting policy map to an ingress port. The first permit statement in maclist1 allows traffic from the host with MAC address 0001.0000.0001 destined for the host with MAC address 0002.0000.0001. The second permit statement allows only Ethertype XNS-IDP traffic from the host with MAC address 0001.0000.0002 destined for the host with MAC address 0002.0000.0002. A policy-map class can only reference a class map, so maclist2 is wrapped in macclass2 before the policy map uses it.

SwitchDevice(config)# mac access-list extended maclist1
SwitchDevice(config-ext-macl)# permit 0001.0000.0001 0.0.0 0002.0000.0001 0.0.0
SwitchDevice(config-ext-macl)# permit 0001.0000.0002 0.0.0 0002.0000.0002 0.0.0 xns-idp
SwitchDevice(config-ext-macl)# exit
SwitchDevice(config)# mac access-list extended maclist2
SwitchDevice(config-ext-macl)# permit 0001.0000.0003 0.0.0 0002.0000.0003 0.0.0
SwitchDevice(config-ext-macl)# permit 0001.0000.0004 0.0.0 0002.0000.0004 0.0.0 aarp
SwitchDevice(config-ext-macl)# exit
SwitchDevice(config)# class-map macclass1
SwitchDevice(config-cmap)# match access-group maclist1
SwitchDevice(config-cmap)# exit
SwitchDevice(config)# class-map macclass2
SwitchDevice(config-cmap)# match access-group maclist2
SwitchDevice(config-cmap)# exit
SwitchDevice(config)# policy-map macpolicy1
SwitchDevice(config-pmap)# class macclass1
SwitchDevice(config-pmap-c)# set dscp 63
SwitchDevice(config-pmap-c)# exit
SwitchDevice(config-pmap)# class macclass2
SwitchDevice(config-pmap-c)# set dscp 45
SwitchDevice(config-pmap-c)# exit
SwitchDevice(config-pmap)# exit
SwitchDevice(config)# interface gigabitethernet1/0/1
SwitchDevice(config-if)# mls qos trust cos
SwitchDevice(config-if)# service-policy input macpolicy1

This example shows how to create a policy map that applies to both IPv4 and IPv6 traffic, with the default class applied to unclassified traffic:

SwitchDevice(config)# access-list 101 permit ip any any
SwitchDevice(config)# ipv6 access-list ipv6-any
SwitchDevice(config-ipv6-acl)# permit ipv6 any any
SwitchDevice(config-ipv6-acl)# exit
SwitchDevice(config)# class-map cm-1
SwitchDevice(config-cmap)# match access-group 101
SwitchDevice(config-cmap)# exit
SwitchDevice(config)# class-map cm-2
SwitchDevice(config-cmap)# match access-group name ipv6-any
SwitchDevice(config-cmap)# exit
SwitchDevice(config)# policy-map pm1
SwitchDevice(config-pmap)# class cm-1
SwitchDevice(config-pmap-c)# set dscp 4
SwitchDevice(config-pmap-c)# exit
SwitchDevice(config-pmap)# class cm-2
SwitchDevice(config-pmap-c)# set dscp 6
SwitchDevice(config-pmap-c)# exit
SwitchDevice(config-pmap)# class class-default
SwitchDevice(config-pmap-c)# set dscp 10
SwitchDevice(config-pmap-c)# exit
SwitchDevice(config-pmap)# exit
SwitchDevice(config)# interface G0/1
SwitchDevice(config-if)# switchport mode access
SwitchDevice(config-if)# service-policy input pm1

Related Topics
Classifying, Policing, and Marking Traffic on Physical Ports by Using Policy Maps, on page 699
Policy Map on Physical Port

Examples: Classifying, Policing, and Marking Traffic on SVIs by Using Hierarchical Policy Maps

This example shows how to create a hierarchical policy map. The first part defines the VLAN-level class map cm-1 that the VLAN-level policy map uses:

SwitchDevice> enable
SwitchDevice# configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
SwitchDevice(config)# access-list 101 permit ip any any
SwitchDevice(config)# class-map cm-1
SwitchDevice(config-cmap)# match access-group 101
SwitchDevice(config-cmap)# exit
SwitchDevice(config)# exit
SwitchDevice#

This example shows how to attach the new map to an SVI. The port-level policy map port-plcmap-1 polices traffic that enters on two physical ports; the VLAN-level policy map vlan-plcmap marks each class and applies a port-level policy map beneath it. Class maps cm-2, cm-3, and cm-4 and the port-level policy map port-plcmap-2 are assumed to have been defined in the same way as cm-1 and port-plcmap-1:

SwitchDevice# configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
SwitchDevice(config)# class-map cm-interface-1
SwitchDevice(config-cmap)# match input-interface gigabitethernet3/0/1 - gigabitethernet3/0/2
SwitchDevice(config-cmap)# exit
SwitchDevice(config)# policy-map port-plcmap-1
SwitchDevice(config-pmap)# class cm-interface-1
SwitchDevice(config-pmap-c)# police 900000 9000 exceed-action policed-dscp-transmit
SwitchDevice(config-pmap-c)# exit
SwitchDevice(config-pmap)# exit
SwitchDevice(config)# policy-map vlan-plcmap
SwitchDevice(config-pmap)# class cm-1
SwitchDevice(config-pmap-c)# set dscp 7
SwitchDevice(config-pmap-c)# service-policy port-plcmap-1
SwitchDevice(config-pmap-c)# exit
SwitchDevice(config-pmap)# class cm-2
SwitchDevice(config-pmap-c)# service-policy port-plcmap-1
SwitchDevice(config-pmap-c)# set dscp 10
SwitchDevice(config-pmap-c)# exit
SwitchDevice(config-pmap)# class cm-3
SwitchDevice(config-pmap-c)# service-policy port-plcmap-2
SwitchDevice(config-pmap-c)# set dscp 20
SwitchDevice(config-pmap-c)# exit
SwitchDevice(config-pmap)# class cm-4
SwitchDevice(config-pmap-c)# trust dscp
SwitchDevice(config-pmap-c)# exit
SwitchDevice(config-pmap)# exit
SwitchDevice(config)# interface vlan 10
SwitchDevice(config-if)# service-policy input vlan-plcmap
SwitchDevice(config-if)# exit
SwitchDevice(config)# exit
SwitchDevice#

This example shows that when a child-level policy map is attached below a class, an action must be specified
for the class:

SwitchDevice(config)# policy-map vlan-plcmap
SwitchDevice(config-pmap)# class cm-5
SwitchDevice(config-pmap-c)# set dscp 7
SwitchDevice(config-pmap-c)# service-policy port-plcmap-1

This example shows how to configure a class map to match IP DSCP and IPv6:

SwitchDevice(config)# class-map cm-1
SwitchDevice(config-cmap)# match ip dscp 10
SwitchDevice(config-cmap)# match protocol ipv6
SwitchDevice(config-cmap)# exit
SwitchDevice(config)# class-map cm-2
SwitchDevice(config-cmap)# match ip dscp 20
SwitchDevice(config-cmap)# match protocol ip
SwitchDevice(config-cmap)# exit
SwitchDevice(config)# policy-map pm1
SwitchDevice(config-pmap)# class cm-1
SwitchDevice(config-pmap-c)# set dscp 4
SwitchDevice(config-pmap-c)# exit
SwitchDevice(config-pmap)# class cm-2
SwitchDevice(config-pmap-c)# set dscp 6
SwitchDevice(config-pmap-c)# exit
SwitchDevice(config-pmap)# exit
SwitchDevice(config)# interface G1/0/1
SwitchDevice(config-if)# service-policy input pm1

This example shows how to configure the default traffic class in a policy map:

SwitchDevice# configure terminal
SwitchDevice(config)# class-map cm-3
SwitchDevice(config-cmap)# match ip dscp 30
SwitchDevice(config-cmap)# match protocol ipv6
SwitchDevice(config-cmap)# exit
SwitchDevice(config)# class-map cm-4
SwitchDevice(config-cmap)# match ip dscp 40
SwitchDevice(config-cmap)# match protocol ip
SwitchDevice(config-cmap)# exit
SwitchDevice(config)# policy-map pm3
SwitchDevice(config-pmap)# class class-default
SwitchDevice(config-pmap-c)# set dscp 10
SwitchDevice(config-pmap-c)# exit
SwitchDevice(config-pmap)# class cm-3
SwitchDevice(config-pmap-c)# set dscp 4
SwitchDevice(config-pmap-c)# exit
SwitchDevice(config-pmap)# class cm-4
SwitchDevice(config-pmap-c)# trust cos
SwitchDevice(config-pmap-c)# exit
SwitchDevice(config-pmap)# exit

This example shows how the default traffic class is automatically placed at the end of policy-map pm3 even though class-default was configured first:

SwitchDevice# show policy-map pm3
  Policy Map pm3
    Class cm-3
      set dscp 4
    Class cm-4
      trust cos
    Class class-default
      set dscp 10
SwitchDevice#

Related Topics
Classifying, Policing, and Marking Traffic on SVIs by Using Hierarchical Policy Maps
Hierarchical Policy Maps on SVI Guidelines

Examples: Classifying, Policing, and Marking Traffic by Using Aggregate Policers

This example shows how to create an aggregate policer and attach it to multiple classes within a policy map. In the configuration, the IP ACLs permit traffic from network 10.1.0.0 and from host 11.3.1.1. For traffic coming from network 10.1.0.0, the DSCP in the incoming packets is trusted. For traffic coming from host 11.3.1.1, the DSCP in the packet is changed to 56. The combined traffic rate from the 10.1.0.0 network and from host 11.3.1.1 is policed by one shared policer. If the traffic exceeds an average rate of 48000 b/s and a normal burst size of 8000 bytes, its DSCP is marked down (based on the policed-DSCP map) and sent. The policy map is attached to an ingress port.

SwitchDevice(config)# access-list 1 permit 10.1.0.0 0.0.255.255
SwitchDevice(config)# access-list 2 permit 11.3.1.1
SwitchDevice(config)# mls qos aggregate-policer transmit1 48000 8000 exceed-action policed-dscp-transmit
SwitchDevice(config)# class-map ipclass1
SwitchDevice(config-cmap)# match access-group 1
SwitchDevice(config-cmap)# exit
SwitchDevice(config)# class-map ipclass2
SwitchDevice(config-cmap)# match access-group 2
SwitchDevice(config-cmap)# exit
SwitchDevice(config)# policy-map aggflow1
SwitchDevice(config-pmap)# class ipclass1
SwitchDevice(config-pmap-c)# trust dscp
SwitchDevice(config-pmap-c)# police aggregate transmit1
SwitchDevice(config-pmap-c)# exit
SwitchDevice(config-pmap)# class ipclass2
SwitchDevice(config-pmap-c)# set dscp 56
SwitchDevice(config-pmap-c)# police aggregate transmit1
SwitchDevice(config-pmap-c)# exit
SwitchDevice(config-pmap)# class class-default
SwitchDevice(config-pmap-c)# set dscp 10
SwitchDevice(config-pmap-c)# exit
SwitchDevice(config-pmap)# exit
SwitchDevice(config)# interface gigabitethernet2/0/1
SwitchDevice(config-if)# service-policy input aggflow1
SwitchDevice(config-if)# exit

Related Topics
Classifying, Policing, and Marking Traffic by Using Aggregate Policers, on page 704
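The difference between the per-class police command in the physical-port examples and police aggregate is whether the classes share one token bucket. The following Python model is a worked example added here, not code from the guide or from Cisco. It feeds the same three constructed packets through both arrangements with the 48000 b/s and 8000-byte parameters above: with individual policers every packet conforms, whereas with the aggregate the second packet, which arrives while the shared bucket is still half empty, exceeds and is marked down through the policed-DSCP map. The Policer and Packet classes, POLICED_DSCP (a constructed policed-DSCP map that marks DSCP 50 to 57 down to 0, the same mapping as the policed-DSCP map example later on this page), and the assumption of a single bucket refilled continuously at rate/8 bytes per second are this example's own; hardware policers quantise rate and burst, which this model does not reproduce.

```python
"""Single-rate policer model for the police and police aggregate examples.

Added worked example, not code from the configuration guide or from Cisco. The
average rate (bits per second) and normal burst (bytes) are modelled as one
token bucket, with the exceed actions drop and policed-dscp-transmit.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Constructed policed-DSCP map: 50..57 marked down to 0, everything else unchanged.
POLICED_DSCP = {d: (0 if 50 <= d <= 57 else d) for d in range(64)}


@dataclass
class Policer:
    """police rate-bps burst-bytes exceed-action {drop | policed-dscp-transmit}"""
    rate_bps: int
    burst_bytes: int
    exceed_action: str
    tokens: float = field(init=False)
    last_t: float = field(init=False, default=0.0)

    def __post_init__(self) -> None:
        if self.rate_bps <= 0 or self.burst_bytes <= 0:
            raise ValueError("rate and burst must be positive")
        if self.exceed_action not in ("drop", "policed-dscp-transmit"):
            raise ValueError(f"unknown exceed action {self.exceed_action!r}")
        self.tokens = float(self.burst_bytes)      # the bucket starts full

    def police(self, t: float, size_bytes: int, dscp: int) -> Tuple[str, Optional[int]]:
        """Return (verdict, outgoing DSCP); the DSCP is None for a dropped packet."""
        if t < self.last_t:
            raise ValueError("packets must be offered in time order")
        # Refill at rate_bps/8 bytes per second, never beyond the normal burst.
        self.tokens = min(float(self.burst_bytes),
                          self.tokens + (t - self.last_t) * self.rate_bps / 8)
        self.last_t = t
        if size_bytes <= self.tokens:
            self.tokens -= size_bytes
            return "conform", dscp
        if self.exceed_action == "drop":
            return "exceed-dropped", None
        return "exceed-marked", POLICED_DSCP[dscp]


@dataclass
class Packet:
    t: float      # arrival time in seconds
    size: int     # bytes
    cls: str      # class map the packet was classified into
    dscp: int     # DSCP after any set dscp action in that class


def run_policy(policy: Dict[str, Policer], packets: List[Packet]) -> List[Tuple[str, Optional[int]]]:
    """Apply a class -> policer binding to a packet sequence.

    Two classes bound to the same Policer object share one bucket, which is what
    police aggregate does; classes bound to separate objects are policed
    independently; classes with no policer pass through unchanged.
    """
    out = []
    for p in packets:
        policer = policy.get(p.cls)
        out.append(policer.police(p.t, p.size, p.dscp) if policer else ("conform", p.dscp))
    return out


# Constructed sample: 6000 bytes from each class at t=0, then 6000 more from ipclass1 a second later.
SAMPLE = [Packet(0.0, 6000, "ipclass1", 46),
          Packet(0.0, 6000, "ipclass2", 56),
          Packet(1.0, 6000, "ipclass1", 46)]


def individual_vs_aggregate():
    """Same 48000 b/s, 8000-byte parameters; only the sharing of the bucket differs."""
    individual = {"ipclass1": Policer(48000, 8000, "policed-dscp-transmit"),
                  "ipclass2": Policer(48000, 8000, "policed-dscp-transmit")}
    shared = Policer(48000, 8000, "policed-dscp-transmit")   # one object for both classes
    aggregate = {"ipclass1": shared, "ipclass2": shared}
    return run_policy(individual, SAMPLE), run_policy(aggregate, SAMPLE)
```

The aggregate result also shows why the mark-down action matters for the 10.1.0.0 class: its packets carry a trusted DSCP of 46, which the policed-DSCP map leaves untouched, so an exceeding packet from that class is transmitted unchanged, while the DSCP 56 set on the 11.3.1.1 class is marked down to 0.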

Examples: Configuring DSCP Maps


This example shows how to modify and display the CoS-to-DSCP map:

SwitchDevice(config)# mls qos map cos-dscp 10 15 20 25 30 35 40 45
SwitchDevice(config)# end
SwitchDevice# show mls qos maps cos-dscp

   Cos-dscp map:
        cos:   0  1  2  3  4  5  6  7
     --------------------------------
       dscp:  10 15 20 25 30 35 40 45

This example shows how to modify and display the IP-precedence-to-DSCP map:

SwitchDevice(config)# mls qos map ip-prec-dscp 10 15 20 25 30 35 40 45
SwitchDevice(config)# end
SwitchDevice# show mls qos maps ip-prec-dscp

   IpPrecedence-dscp map:
     ipprec:   0  1  2  3  4  5  6  7
     --------------------------------
       dscp:  10 15 20 25 30 35 40 45

This example shows how to map DSCP 50 to 57 to a marked-down DSCP value of 0:

SwitchDevice(config)# mls qos map policed-dscp 50 51 52 53 54 55 56 57 to 0
SwitchDevice(config)# end
SwitchDevice# show mls qos maps policed-dscp
   Policed-dscp map:
     d1 :  d2 0  1  2  3  4  5  6  7  8  9
     ---------------------------------------
      0 :    00 01 02 03 04 05 06 07 08 09
      1 :    10 11 12 13 14 15 16 17 18 19
      2 :    20 21 22 23 24 25 26 27 28 29
      3 :    30 31 32 33 34 35 36 37 38 39
      4 :    40 41 42 43 44 45 46 47 48 49
      5 :    00 00 00 00 00 00 00 00 58 59
      6 :    60 61 62 63

Note In this policed-DSCP map, the marked-down DSCP values are shown in the body of the matrix. The d1 column
specifies the most-significant digit of the original DSCP; the d2 row specifies the least-significant digit of the
original DSCP. The intersection of the d1 and d2 values provides the marked-down value. For example, an
original DSCP value of 53 corresponds to a marked-down DSCP value of 0.

This example shows how to map DSCP values 0, 8, 16, 24, 32, 40, 48, and 50 to CoS value 0 and to display the map:

SwitchDevice(config)# mls qos map dscp-cos 0 8 16 24 32 40 48 50 to 0
SwitchDevice(config)# end
SwitchDevice# show mls qos maps dscp-cos
   Dscp-cos map:
     d1 :  d2 0  1  2  3  4  5  6  7  8  9
     ---------------------------------------
      0 :    00 00 00 00 00 00 00 00 00 01
      1 :    01 01 01 01 01 01 00 02 02 02
      2 :    02 02 02 02 00 03 03 03 03 03
      3 :    03 03 00 04 04 04 04 04 04 04
      4 :    00 05 05 05 05 05 05 05 00 06
      5 :    00 06 06 06 06 06 07 07 07 07
      6 :    07 07 07 07

Note In the above DSCP-to-CoS map, the CoS values are shown in the body of the matrix. The d1 column specifies
the most-significant digit of the DSCP; the d2 row specifies the least-significant digit of the DSCP. The
intersection of the d1 and d2 values provides the CoS value. For example, in the DSCP-to-CoS map, a DSCP
value of 08 corresponds to a CoS value of 0.

This example shows how to define the DSCP-to-DSCP-mutation map. All the entries that are not explicitly configured are not modified (they remain as specified in the null map):

SwitchDevice(config)# mls qos map dscp-mutation mutation1 1 2 3 4 5 6 7 to 0
SwitchDevice(config)# mls qos map dscp-mutation mutation1 8 9 10 11 12 13 to 10
SwitchDevice(config)# mls qos map dscp-mutation mutation1 20 21 22 to 20
SwitchDevice(config)# mls qos map dscp-mutation mutation1 30 31 32 33 34 to 30
SwitchDevice(config)# interface gigabitethernet1/0/1
SwitchDevice(config-if)# mls qos trust dscp
SwitchDevice(config-if)# mls qos dscp-mutation mutation1
SwitchDevice(config-if)# end
SwitchDevice# show mls qos maps dscp-mutation mutation1
   Dscp-dscp mutation map:
   mutation1:
     d1 :  d2 0  1  2  3  4  5  6  7  8  9
     ---------------------------------------
      0 :    00 00 00 00 00 00 00 00 10 10
      1 :    10 10 10 10 14 15 16 17 18 19
      2 :    20 20 20 23 24 25 26 27 28 29
      3 :    30 30 30 30 30 35 36 37 38 39
      4 :    40 41 42 43 44 45 46 47 48 49
      5 :    50 51 52 53 54 55 56 57 58 59
      6 :    60 61 62 63

Note In the above DSCP-to-DSCP-mutation map, the mutated values are shown in the body of the matrix. The d1
column specifies the most-significant digit of the original DSCP; the d2 row specifies the least-significant
digit of the original DSCP. The intersection of the d1 and d2 values provides the mutated value. For example,
a DSCP value of 12 corresponds to a mutated value of 10.
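To make the d1/d2 lookup in the note concrete, the following Python is an added example and not code from the configuration guide: it parses the four mls qos map dscp-mutation lines from the example above, leaves every unconfigured entry at its null-map (identity) value, and prints the matrix in the layout of show mls qos maps dscp-mutation. The function names and the parsing regex are this example's own way of modelling the command; IOS exposes no such API.

```python
"""Build and render a DSCP-to-DSCP mutation map from IOS `mls qos map dscp-mutation` lines.

Added example, not from the configuration guide. The map name `mutation1` and the four
command lines below are the guide's; the parsing and rendering code is this example's
own model of the command, not IOS source.
"""
import re

# Constructed input: the four commands from the guide's DSCP-to-DSCP-mutation example.
MUTATION1_CONFIG = """
mls qos map dscp-mutation mutation1 1 2 3 4 5 6 7 to 0
mls qos map dscp-mutation mutation1 8 9 10 11 12 13 to 10
mls qos map dscp-mutation mutation1 20 21 22 to 20
mls qos map dscp-mutation mutation1 30 31 32 33 34 to 30
"""

_CMD = re.compile(r"^mls qos map dscp-mutation (\S+) ((?:\d+\s+)+)to (\d+)$")


def null_map():
    """The null mutation map: every DSCP value maps to itself."""
    return {d: d for d in range(64)}


def build_mutation_maps(config_text):
    """Parse dscp-mutation commands into {map_name: {original_dscp: mutated_dscp}}.

    Entries that no command names keep their null-map value, as the guide describes.
    A DSCP outside 0..63 is rejected rather than silently wrapped.
    """
    maps = {}
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = _CMD.match(line)
        if not m:
            raise ValueError(f"not a dscp-mutation command: {line!r}")
        name, originals, mutated = m.group(1), m.group(2).split(), int(m.group(3))
        table = maps.setdefault(name, null_map())
        for val in map(int, originals):
            if not (0 <= val <= 63 and 0 <= mutated <= 63):
                raise ValueError(f"DSCP out of range in: {line!r}")
            table[val] = mutated
    return maps


def mutate(table, dscp):
    """Look up one DSCP: row d1 = dscp // 10, column d2 = dscp % 10 in the printed matrix."""
    return table[dscp]


def render_matrix(table):
    """Render the map in the layout of `show mls qos maps dscp-mutation` (rows d1, columns d2)."""
    lines = ["d1 : d2 0 1 2 3 4 5 6 7 8 9", "-" * 39]
    for d1 in range(7):
        cells = [f"{table[d1 * 10 + d2]:02d}" for d2 in range(10) if d1 * 10 + d2 <= 63]
        lines.append(f"{d1} : " + " ".join(cells))
    return "\n".join(lines)


if __name__ == "__main__":
    maps = build_mutation_maps(MUTATION1_CONFIG)
    print("Dscp-dscp mutation map:\nmutation1:")
    print(render_matrix(maps["mutation1"]))
```

Running it reproduces the matrix shown above: DSCP 12 comes out as 10, DSCP 8 and 9 (named in the second command) also as 10, while DSCP 23, which no command names, stays 23.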

Related Topics
Configuring the CoS-to-DSCP Map, on page 706
Configuring the IP-Precedence-to-DSCP Map, on page 707
Configuring the Policed-DSCP Map, on page 709
Configuring the DSCP-to-CoS Map, on page 710
Configuring the DSCP-to-DSCP-Mutation Map, on page 711

Examples: Configuring Ingress Queue Characteristics


This example shows how to map DSCP values 0 to 6 to ingress queue 1 and to threshold 1 with a drop threshold
of 50 percent. It maps DSCP values 20 to 26 to ingress queue 1 and to threshold 2 with a drop threshold of
70 percent:

SwitchDevice(config)# mls qos srr-queue input dscp-map queue 1 threshold 1 0 1 2 3 4 5 6
SwitchDevice(config)# mls qos srr-queue input dscp-map queue 1 threshold 2 20 21 22 23 24 25 26
SwitchDevice(config)# mls qos srr-queue input threshold 1 50 70

In this example, the DSCP values (0 to 6) are assigned the WTD threshold of 50 percent and will be dropped
sooner than the DSCP values (20 to 26) assigned to the WTD threshold of 70 percent.
This example shows how to allocate 60 percent of the buffer space to ingress queue 1 and 40 percent of the
buffer space to ingress queue 2:

SwitchDevice(config)# mls qos srr-queue input buffers 60 40


This example shows how to assign the ingress bandwidth to the queues. Priority queueing is disabled, and
the shared bandwidth ratio allocated to queue 1 is 25/(25+75) and to queue 2 is 75/(25+75):

SwitchDevice(config)# mls qos srr-queue input priority-queue 2 bandwidth 0
SwitchDevice(config)# mls qos srr-queue input bandwidth 25 75

This example shows how to assign the ingress bandwidths to the queues. Queue 1 is the priority queue with
10 percent of the bandwidth allocated to it. The shared bandwidth ratio allocated to each of queues 1 and 2 is
4/(4+4). SRR services queue 1 (the priority queue) first for its configured 10 percent bandwidth. Then SRR
equally shares the remaining 90 percent of the bandwidth between queues 1 and 2 by allocating 45 percent to
each queue:

SwitchDevice(config)# mls qos srr-queue input priority-queue 1 bandwidth 10
SwitchDevice(config)# mls qos srr-queue input bandwidth 4 4

Related Topics
Allocating Buffer Space Between the Ingress Queues, on page 715
Queueing and Scheduling on Ingress Queues
Allocating Bandwidth Between the Ingress Queues, on page 717
Configuring the Ingress Priority Queue, on page 718

Examples: Configuring Egress Queue Characteristics


This example shows how to map a port to queue-set 2. It allocates 40 percent of the buffer space to egress
queue 1 and 20 percent to egress queues 2, 3, and 4. It configures the drop thresholds for queue 2 to 40 and
60 percent of the allocated memory, guarantees (reserves) 100 percent of the allocated memory, and configures
200 percent as the maximum memory that this queue can have before packets are dropped:

SwitchDevice(config)# mls qos queue-set output 2 buffers 40 20 20 20
SwitchDevice(config)# mls qos queue-set output 2 threshold 2 40 60 100 200
SwitchDevice(config)# interface gigabitethernet1/0/1
SwitchDevice(config-if)# queue-set 2

This example shows how to map DSCP values 10 and 11 to egress queue 1 and to threshold 2:

SwitchDevice(config)# mls qos srr-queue output dscp-map queue 1 threshold 2 10 11

This example shows how to configure bandwidth shaping on queue 1. Because the weight ratios for queues
2, 3, and 4 are set to 0, these queues operate in shared mode. The bandwidth weight for queue 1 is 1/8, which
is 12.5 percent:

SwitchDevice(config)# interface gigabitethernet2/0/1
SwitchDevice(config-if)# srr-queue bandwidth shape 8 0 0 0

This example shows how to configure the weight ratio of the SRR scheduler running on an egress port. Four
queues are used, and the bandwidth ratio allocated for each queue in shared mode is 1/(1+2+3+4), 2/(1+2+3+4),
3/(1+2+3+4), and 4/(1+2+3+4), which is 10 percent, 20 percent, 30 percent, and 40 percent for queues 1, 2,
3, and 4. This means that queue 4 has four times the bandwidth of queue 1, twice the bandwidth of queue 2,
and one-and-a-third times the bandwidth of queue 3.


SwitchDevice(config)# interface gigabitethernet2/0/1
SwitchDevice(config-if)# srr-queue bandwidth share 1 2 3 4

This example shows how to enable the egress expedite queue when the SRR weights are configured. The
egress expedite queue overrides the configured SRR weights.

SwitchDevice(config)# interface gigabitethernet1/0/1
SwitchDevice(config-if)# srr-queue bandwidth shape 25 0 0 0
SwitchDevice(config-if)# srr-queue bandwidth share 30 20 25 25
SwitchDevice(config-if)# priority-queue out
SwitchDevice(config-if)# end

This example shows how to limit the bandwidth on a port to 80 percent:

SwitchDevice(config)# interface gigabitethernet2/0/1
SwitchDevice(config-if)# srr-queue bandwidth limit 80

When you configure this command to 80 percent, the port is idle 20 percent of the time. The line rate drops
to 80 percent of the connected speed, which is 800 Mb/s. These values are not exact because the hardware
adjusts the line rate in increments of six.
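The percentages quoted in the ingress and egress examples above all follow rules the guide states in prose: the ingress priority queue (or the egress expedite queue) is served first, a shaped egress queue receives a fixed 1/weight of the port, and shared queues divide whatever remains in proportion to their weights. The Python below is an added example, not code from the configuration guide, that computes those shares for any weight set and reproduces the guide's figures (25/75, 10 percent plus 45/45, 12.5 percent, 10/20/30/40, and the 80 percent limit). The function names are this example's own; they are not IOS commands.

```python
"""Bandwidth each queue receives under the SRR settings used in the examples above.

Added example, not part of the configuration guide. It applies the arithmetic the guide
describes in prose; the function names are this example's own. Ranges IOS enforces on
the CLI (weight limits, percentage limits) are not checked here.
"""


def ingress_shares(weights, priority_queue=None, priority_pct=0):
    """Ingress SRR for the two ingress queues.

    weights       -> `mls qos srr-queue input bandwidth W1 W2`
    priority_*    -> `mls qos srr-queue input priority-queue Q bandwidth P`
                     (P = 0 disables the priority queue)
    Returns {queue: percent of port bandwidth}. The priority queue is served first
    for P percent; both queues then share the remaining 100 - P in the ratio W1:W2.
    """
    if len(weights) != 2:
        raise ValueError("the switch has two ingress queues")
    if priority_pct and priority_queue not in (1, 2):
        raise ValueError("priority queue must be 1 or 2 when a percentage is given")
    total = sum(weights)
    if total <= 0:
        raise ValueError("shared weights must sum to more than zero")
    remaining = 100 - priority_pct
    shares = {q: remaining * w / total for q, w in zip((1, 2), weights)}
    if priority_pct:
        shares[priority_queue] += priority_pct
    return shares


def egress_shares(shape, share, expedite=False, limit_pct=100):
    """Egress SRR for the four queues of one port.

    shape      -> `srr-queue bandwidth shape S1 S2 S3 S4` (S = 0 puts the queue in shared mode)
    share      -> `srr-queue bandwidth share W1 W2 W3 W4`
    expedite   -> `priority-queue out` (queue 1 becomes the expedite queue)
    limit_pct  -> `srr-queue bandwidth limit L`
    Returns {queue: percent of the connected line rate}. None marks the expedite
    queue, which is served until empty and whose weights are therefore ignored.
    """
    if len(shape) != 4 or len(share) != 4:
        raise ValueError("a port has four egress queues")
    if not 0 < limit_pct <= 100:
        raise ValueError("limit must be a percentage of the connected speed")
    result = {}
    remaining = 100.0
    shared_queues = []
    for q, s in zip((1, 2, 3, 4), shape):
        if expedite and q == 1:
            result[q] = None
        elif s > 0:
            result[q] = 100.0 / s          # shaped: fixed 1/S of the port, share weight ignored
            remaining -= result[q]
        else:
            shared_queues.append(q)
    weight_total = sum(share[q - 1] for q in shared_queues)
    for q in shared_queues:
        result[q] = remaining * share[q - 1] / weight_total if weight_total else 0.0
    scale = limit_pct / 100.0              # `bandwidth limit` scales everything the port sends
    return {q: (None if v is None else round(v * scale, 2)) for q, v in result.items()}


if __name__ == "__main__":
    print(ingress_shares([25, 75], priority_queue=2, priority_pct=0))   # 25 / 75
    print(ingress_shares([4, 4], priority_queue=1, priority_pct=10))    # 55 (10 + 45) / 45
    print(egress_shares([8, 0, 0, 0], [25, 25, 25, 25]))                # queue 1 shaped to 12.5
    print(egress_shares([0, 0, 0, 0], [1, 2, 3, 4]))                    # 10 / 20 / 30 / 40
    print(egress_shares([25, 0, 0, 0], [30, 20, 25, 25], expedite=True))
    print(egress_shares([0, 0, 0, 0], [1, 2, 3, 4], limit_pct=80))      # sums to 80
```

The last two calls show the two cases the examples only describe: with priority-queue out, queue 1's shape and share weights drop out and queues 2 to 4 divide the port 20:25:25, and with a limit of 80 percent the same 1:2:3:4 weights yield 8/16/24/32 percent of the connected speed rather than 10/20/30/40.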
Related Topics
Allocating Buffer Space to and Setting WTD Thresholds for an Egress Queue-Set, on page 720
Queueing and Scheduling on Egress Queues
Mapping DSCP or CoS Values to an Egress Queue and to a Threshold ID, on page 724
Configuring SRR Shaped Weights on Egress Queues, on page 726
Configuring SRR Shared Weights on Egress Queues, on page 727
Configuring the Egress Expedite Queue, on page 729
Limiting the Bandwidth on an Egress Interface, on page 731

Where to Go Next
Review the auto-QoS documentation to see if you can use these automated capabilities for your QoS
configuration.

CHAPTER 35
Configuring Auto-QoS
• Finding Feature Information, on page 745
• Prerequisites for Auto-QoS, on page 745
• Information about Configuring Auto-QoS, on page 746
• How to Configure Auto-QoS, on page 750
• Monitoring Auto-QoS, on page 752
• Configuration Examples for Auto-QoS, on page 753
• Where to Go Next for Auto-QoS, on page 763

Finding Feature Information


Your software release may not support all the features documented in this module. For the latest caveats and
feature information, see Bug Search Tool and the release notes for your platform and software release. To
find information about the features documented in this module, and to see a list of the releases in which each
feature is supported, see the feature information table at the end of this module.
Use Cisco Feature Navigator to find information about platform support and Cisco software image support.
To access Cisco Feature Navigator, go to http://www.cisco.com/go/cfn. An account on Cisco.com is not
required.

Prerequisites for Auto-QoS


Before configuring standard QoS or auto-QoS, you must have a thorough understanding of these items:
• The types of applications used and the traffic patterns on your network.
• Traffic characteristics and needs of your network. Is the traffic bursty? Do you need to reserve bandwidth
for voice and video streams?
• Bandwidth requirements and speed of the network.
• Location of congestion points in the network.


Information about Configuring Auto-QoS


Auto-QoS Overview
You can use the auto-QoS feature to simplify the deployment of QoS features. Auto-QoS determines the
network design and enables QoS configurations so that the switch can prioritize different traffic flows. It uses
the egress queues instead of the default (disabled) QoS behavior, in which the switch offers best-effort service
to each packet, regardless of the packet contents or size, and sends it from a single queue.
When you enable auto-QoS, it automatically classifies traffic based on the traffic type and ingress packet
label. The switch uses the classification results to choose the appropriate egress queue.
You can use auto-QoS commands to identify ports connected to the following Cisco devices:
• Cisco IP Phones
• Devices running the Cisco SoftPhone application
• Cisco TelePresence
• Cisco IP Camera
• Cisco digital media player

You also use the auto-QoS commands to identify ports that receive trusted traffic through an uplink. Auto-QoS
then performs these functions:
• Detects the presence or absence of auto-QoS devices through conditional trusted interfaces.
• Configures QoS classification
• Configures egress queues

Related Topics
QoS Overview

Generated Auto-QoS Configuration


By default, auto-QoS is disabled on all ports. Packets are not modified: the CoS, DSCP, and IP precedence
values in the packet are not changed.
When you enable the auto-QoS feature on the first port:
• The ingress packet label is used to categorize traffic, to assign packet labels, and to configure the ingress and
egress queues.
• QoS is globally enabled (mls qos global configuration command), and other global configuration
commands are automatically generated. (See Examples: Global Auto-QoS Configuration, on page 753).
• The switch enables the trusted boundary feature and uses the Cisco Discovery Protocol (CDP) to detect the
presence of a supported device.
• Policing is used to determine whether a packet is in or out of profile and specifies the action on the packet.


VoIP Device Specifics


The following activities occur when you issue these auto-QoS commands on a port:
• When you enter the auto qos voip cisco-phone command on a port at the network edge connected to a
Cisco IP Phone, the switch enables the trusted boundary feature. If the packet does not have a DSCP
value of 24, 26, or 46 or is out of profile, the switch changes the DSCP value to 0. When there is no
Cisco IP Phone, the ingress classification is set to not trust the QoS label in the packet. The policing is
applied to the traffic matching the policy-map classification before the switch enables the trust boundary
feature.
• When you enter the auto qos voip cisco-softphone interface configuration command on a port at the
network edge that is connected to a device running the Cisco SoftPhone, the switch uses policing to
determine whether a packet is in or out of profile and to specify the action on the packet. If the packet
does not have a DSCP value of 24, 26, or 46 or is out of profile, the switch changes the DSCP value to
0.
• When you enter the auto qos voip trust interface configuration command on a port connected to the
network interior, the switch trusts the CoS value for nonrouted ports or the DSCP value for routed ports
in ingress packets (the assumption is that traffic has already been classified by other edge devices).

Table 78: Traffic Types, Packet Labels, and Queues

Traffic type: VoIP Data Traffic | VoIP Control Traffic | Routing Protocol Traffic | STP BPDU Traffic | Real-Time Video Traffic | All Other Traffic
DSCP value: 46 | 24, 26 | 48 | 56 | 34 | –
CoS value: 5 | 3 | 6 | 7 | 3 | –
CoS-to-ingress queue map: 4, 5 (queue 2) | 0, 1, 2, 3, 6, 7 (queue 1)
CoS-to-egress queue map: 4, 5 (queue 1) | 2, 3, 6, 7 (queue 2) | 0 (queue 3) | 2 (queue 3) | 0, 1 (queue 4)

The switch configures ingress queues on the port according to the settings in the following table. This table
shows the generated auto-QoS configuration for the ingress queues.

Table 79: Auto-QoS Configuration for the Ingress Queues

Ingress Queue | Queue Number | CoS-to-Queue Map | Queue Weight (Bandwidth) | Queue (Buffer) Size
SRR shared | 1 | 0, 1, 2, 3, 6, 7 | 70 percent | 90 percent
Priority | 2 | 4, 5 | 30 percent | 10 percent


The switch configures egress queues on the port according to the settings in the following table. This table
shows the generated auto-QoS configuration for the egress queues.

Table 80: Auto-QoS Configuration for the Egress Queues

Egress Queue | Queue Number | CoS-to-Queue Map | Queue Weight (Bandwidth) | Queue (Buffer) Size for Gigabit-Capable Ports | Queue (Buffer) Size for 10/100 Ethernet Ports
Priority | 1 | 4, 5 | up to 100 percent | 25 percent | 15 percent
SRR shared | 2 | 2, 3, 6, 7 | 10 percent | 25 percent | 25 percent
SRR shared | 3 | 0 | 60 percent | 25 percent | 40 percent
SRR shared | 4 | 1 | 20 percent | 25 percent | 20 percent

• When you enable auto-QoS by using the auto qos voip cisco-phone, the auto qos voip cisco-softphone,
or the auto qos voip trust interface configuration command, the switch automatically generates a QoS
configuration based on the traffic type and ingress packet label and applies the commands listed in
Examples: Global Auto-QoS Configuration, on page 753 to the port.

Enhanced Auto-QoS for Video, Trust, and Classification


Auto-QoS is enhanced to support video. Automatic configurations are generated that classify and trust traffic
from Cisco TelePresence systems and Cisco IP cameras.

Auto-QoS Configuration Migration


Auto-QoS configuration migration from legacy auto-QoS to enhanced auto-QoS occurs when:
• A switch is booted with a 12.2(55)SE image and QoS is not enabled. Any video or voice trust configuration
on the interface automatically generates enhanced auto-QoS commands.
• QoS is already enabled on the switch. These guidelines then take effect:
• If you configure the interface for conditional trust on a voice device, only the legacy auto-QoS VoIP
configuration is generated.
• If you configure the interface for conditional trust on a video device, the enhanced auto-QoS
configuration is generated.
• If you configure the interface with classification or conditional trust based on the new interface
auto-QoS commands, the enhanced auto-QoS configuration is generated.

• Auto-QoS migration happens after a new device is connected when the auto qos srnd4 global
configuration command is enabled.


Note If an interface previously configured with legacy auto-QoS migrates to enhanced auto-QoS, voice commands
and configuration are updated to match the new global QoS commands.

Auto-QoS configuration migration from enhanced auto-QoS to legacy auto-QoS can occur only when you
disable all existing auto-QoS configurations from the interface.

Auto-QoS Configuration Guidelines


Before configuring auto-QoS, you should be aware of this information:
• After auto-QoS is enabled, do not modify a policy map that includes AutoQoS in its name. If you need
to modify the policy map, make a copy of it, and change the copied policy map. To use this new policy
map instead of the generated one, remove the generated policy map from the interface, and apply the
new policy map to the interface.
• To take advantage of the auto-QoS defaults, you should enable auto-QoS before you configure other
QoS commands. If necessary, you can fine-tune the QoS configuration, but we recommend that you do
so only after the auto-QoS configuration is completed.
• You can enable auto-QoS on static, dynamic-access, voice VLAN access, and trunk ports.
• By default, the CDP is enabled on all ports. For auto-QoS to function properly, do not disable CDP.

Auto-QoS VoIP Considerations


Before configuring auto-QoS for VoIP, you should be aware of this information:
• Auto-QoS configures the switch for VoIP with Cisco IP Phones on nonrouted and routed ports. Auto-QoS
also configures the switch for VoIP with devices running the Cisco SoftPhone application.

Note When a device running Cisco SoftPhone is connected to a nonrouted or routed port, the switch supports
only one Cisco SoftPhone application per port.

• When enabling auto-QoS with a Cisco IP Phone on a routed port, you must assign a static IP address to
the IP phone.
• This release supports only Cisco IP SoftPhone Version 1.3(3) or later.
• Connected devices must use Cisco Call Manager Version 4 or later.

Auto-QoS Enhanced Considerations


Auto-QoS is enhanced to support video. Automatic configurations are generated that classify and trust traffic
from Cisco TelePresence systems and Cisco IP cameras.
Before configuring auto-QoS enhanced, you should be aware of this information:
• The auto qos srnd4 global configuration command is generated as a result of enhanced auto-QoS
configuration.


Effects of Auto-QoS on Running Configuration


When auto-QoS is enabled, the auto qos interface configuration commands and the generated global
configuration are added to the running configuration.
The switch applies the auto-QoS-generated commands as if the commands were entered from the CLI. An
existing user configuration can cause the application of the generated commands to fail or to be overridden
by the generated commands. These actions may occur without warning. If all the generated commands are
successfully applied, any user-entered configuration that was not overridden remains in the running
configuration. Any user-entered configuration that was overridden can be retrieved by reloading the switch
without saving the current configuration to memory. If the generated commands are not applied, the previous
running configuration is restored.

How to Configure Auto-QoS


Configuring Auto-QoS
Enabling Auto-QoS
For optimum QoS performance, enable auto-QoS on all the devices in your network.

SUMMARY STEPS
1. configure terminal
2. interface interface-id
3. Use one of the following:
• auto qos voip {cisco-phone | cisco-softphone | trust}
• auto qos video {cts | ip-camera | media-player}
• auto qos classify [police]
• auto qos trust {cos | dscp}
4. exit
5. interface interface-id
6. auto qos trust
7. end
8. show auto qos interface interface-id

DETAILED STEPS

Step 1  configure terminal
Purpose: Enters global configuration mode.
Example:
SwitchDevice# configure terminal

Step 2  interface interface-id
Purpose: Specifies the port that is connected to a video device or the uplink port that is connected to another
trusted switch or router in the network interior, and enters interface configuration mode.
Example:
SwitchDevice(config)# interface gigabitethernet 3/0/1

Step 3  Use one of the following:
• auto qos voip {cisco-phone | cisco-softphone | trust}
• auto qos video {cts | ip-camera | media-player}
• auto qos classify [police]
• auto qos trust {cos | dscp}
Purpose:
auto qos voip enables auto-QoS for VoIP.
• cisco-phone—If the port is connected to a Cisco IP Phone, the QoS labels of incoming packets are trusted
only when the telephone is detected.
• cisco-softphone—The port is connected to a device running the Cisco SoftPhone feature.
• trust—The uplink port is connected to a trusted switch or router, and the VoIP traffic classification in the
ingress packet is trusted.
auto qos video enables auto-QoS for a video device. QoS labels of incoming packets are trusted only when
the system is detected.
• cts—A port connected to a Cisco TelePresence system.
• ip-camera—A port connected to a Cisco video surveillance camera.
• media-player—A port connected to a CDP-capable Cisco digital media player.
auto qos classify enables auto-QoS for classification.
• police—Policing is set up by defining the QoS policy maps and applying them to ports (port-based QoS).
auto qos trust enables auto-QoS for trusted interfaces.
• cos—Class of service.
• dscp—Differentiated Services Code Point.
• <cr>—Trust interface.
Example:
SwitchDevice(config-if)# auto qos trust dscp

Step 4  exit
Purpose: Returns to global configuration mode.
Example:
SwitchDevice(config-if)# exit

Step 5  interface interface-id
Purpose: Specifies the switch port identified as connected to a trusted switch or router, and enters interface
configuration mode.
Example:
SwitchDevice(config)# interface gigabitethernet 2/0/1

Step 6  auto qos trust
Purpose: Enables auto-QoS on the port, and specifies that the port is connected to a trusted router or switch.
Example:
SwitchDevice(config-if)# auto qos trust

Step 7  end
Purpose: Returns to privileged EXEC mode.
Example:
SwitchDevice(config-if)# end

Step 8  show auto qos interface interface-id
Purpose: Verifies your entries. This command displays the auto-QoS command on the interface on which
auto-QoS was enabled. You can use the show running-config privileged EXEC command to display the
auto-QoS configuration and the user modifications.
Example:
SwitchDevice# show auto qos interface gigabitethernet 2/0/1

Troubleshooting Auto-QoS
To troubleshoot auto-QoS, use the debug auto qos privileged EXEC command. For more information, see
the debug auto qos command in the command reference for this release.
To disable auto-QoS on a port, use the no form of the auto qos interface configuration command, such as
no auto qos voip. Only the auto-QoS-generated interface configuration commands for this port are removed.
If this is the last port on which auto-QoS is enabled and you enter the no auto qos voip command, auto-QoS
is considered disabled even though the auto-QoS-generated global configuration commands remain (to avoid
disrupting traffic on other ports affected by the global configuration).

Monitoring Auto-QoS
Table 81: Commands for Monitoring Auto-QoS

show auto qos [interface [interface-type]]
    Displays the initial auto-QoS configuration. You can compare the show auto qos and the show
    running-config command output to identify the user-defined QoS settings.

show mls qos [aggregate policer | interface | maps | queue-set | stack-port | stack-qset]
    Displays information about the QoS configuration that might be affected by auto-QoS.

show mls qos aggregate policer policer_name
    Displays information about the QoS aggregate policer configuration that might be affected by auto-QoS.

show mls qos interface [interface-type | buffers | policers | queueing | statistics]
    Displays information about the QoS interface configuration that might be affected by auto-QoS.

show mls qos maps [cos-dscp | cos-output-q | dscp-cos | dscp-mutation | dscp-output-q | ip-prec-dscp | policed-dscp]
    Displays information about the QoS maps configuration that might be affected by auto-QoS.

show mls qos queue-set queue-set-ID
    Displays information about the QoS queue-set configuration that might be affected by auto-QoS.

show mls qos stack-port buffers
    Displays information about the QoS stack port buffer configuration that might be affected by auto-QoS.

show mls qos stack-qset
    Displays information about the QoS stack queue set configuration that might be affected by auto-QoS.

show running-config
    Displays information about the QoS configuration that might be affected by auto-QoS. You can compare
    the show auto qos and the show running-config command output to identify the user-defined QoS settings.

Configuration Examples for Auto-QoS


Examples: Global Auto-QoS Configuration
The following table describes the automatically generated commands for auto-QoS and enhanced auto-QoS
by the switch.

Table 82: Generated Auto-QoS Configuration

Description: The switch automatically enables standard QoS and configures the CoS-to-DSCP map (maps CoS
values in incoming packets to a DSCP value).

Automatically generated commands (voip):
SwitchDevice(config)# mls qos
SwitchDevice(config)# mls qos map cos-dscp 0 8 16 26 32 46 48 56

Enhanced automatically generated commands (video, trust, classify):
SwitchDevice(config)# mls qos
SwitchDevice(config)# mls qos map cos-dscp 0 8 16 24 32 46 48 56

Description: The switch automatically maps CoS values to an egress queue and to a threshold ID.

Automatically generated commands (voip):
SwitchDevice(config)# no mls qos srr-queue output cos-map
SwitchDevice(config)# mls qos srr-queue output cos-map queue 1 threshold 3 5
SwitchDevice(config)# mls qos srr-queue output cos-map queue 2 threshold 3 3 6 7
SwitchDevice(config)# mls qos srr-queue output cos-map queue 3 threshold 3 2 4
SwitchDevice(config)# mls qos srr-queue output cos-map queue 4 threshold 2 1
SwitchDevice(config)# mls qos srr-queue output cos-map queue 4 threshold 3 0

Enhanced automatically generated commands (video, trust, classify):
SwitchDevice(config)# no mls qos srr-queue output cos-map
SwitchDevice(config)# mls qos srr-queue output cos-map queue 1 threshold 3 4 5
SwitchDevice(config)# mls qos srr-queue output cos-map queue 2 threshold 3 6 7
SwitchDevice(config)# mls qos srr-queue output cos-map queue 2 threshold 1 2
SwitchDevice(config)# mls qos srr-queue output cos-map queue 2 threshold 2 3
SwitchDevice(config)# mls qos srr-queue output cos-map queue 3 threshold 3 0
SwitchDevice(config)# mls qos srr-queue output cos-map queue 4 threshold 3 1

Description: The switch automatically maps DSCP values to an egress queue and to a threshold ID.

Automatically generated commands (voip):
SwitchDevice(config)# no mls qos srr-queue output dscp-map
SwitchDevice(config)# mls qos srr-queue output dscp-map queue 1 threshold 3 40 41 42 43 44 45 46 47
SwitchDevice(config)# mls qos srr-queue output dscp-map queue 2 threshold 3 24 25 26 27 28 29 30 31
SwitchDevice(config)# mls qos srr-queue output dscp-map queue 2 threshold 3 48 49 50 51 52 53 54 55
SwitchDevice(config)# mls qos srr-queue output dscp-map queue 2 threshold 3 56 57 58 59 60 61 62 63
SwitchDevice(config)# mls qos srr-queue output dscp-map queue 3 threshold 3 16 17 18 19 20 21 22 23
SwitchDevice(config)# mls qos srr-queue output dscp-map queue 3 threshold 3 32 33 34 35 36 37 38 39
SwitchDevice(config)# mls qos srr-queue output dscp-map queue 4 threshold 1 8
SwitchDevice(config)# mls qos srr-queue output dscp-map queue 4 threshold 2 9 10 11 12 13 14 15
SwitchDevice(config)# mls qos srr-queue output dscp-map queue 4 threshold 3 0 1 2 3 4 5 6 7

Enhanced automatically generated commands (video, trust, classify):
SwitchDevice(config)# no mls qos srr-queue output dscp-map
SwitchDevice(config)# mls qos srr-queue output dscp-map queue 1 threshold 3 32 33 40 41 42 43 44 45 46 47
SwitchDevice(config)# mls qos srr-queue output dscp-map queue 2 threshold 1 16 17 18 19 20 21 22 23
SwitchDevice(config)# mls qos srr-queue output dscp-map queue 2 threshold 1 26 27 28 29 30 31 34 35 36 37 38 39
SwitchDevice(config)# mls qos srr-queue output dscp-map queue 2 threshold 2 24
SwitchDevice(config)# mls qos srr-queue output dscp-map queue 2 threshold 3 48 49 50 51 52 53 54 55 56
SwitchDevice(config)# mls qos srr-queue output dscp-map queue 2 threshold 3 57 58 59 60 61 62 63
SwitchDevice(config)# mls qos srr-queue output dscp-map queue 3 threshold 3 0 1 2 3 4 5 6 7
SwitchDevice(config)# mls qos srr-queue output dscp-map queue 4 threshold 1 8 9 11 13 15
SwitchDevice(config)# mls qos srr-queue output dscp-map queue 4 threshold 2 10 12 14

Description: The switch automatically configures the egress queue buffer sizes. It configures the bandwidth
and the SRR mode (shaped or shared) on the egress queues mapped to the port.

Automatically generated commands (voip):
SwitchDevice(config)# mls qos queue-set output 1 threshold 1 138 138 92 138
SwitchDevice(config)# mls qos queue-set output 1 threshold 2 138 138 92 400
SwitchDevice(config)# mls qos queue-set output 1 threshold 3 36 77 100 318
SwitchDevice(config)# mls qos queue-set output 1 threshold 4 20 50 67 400
SwitchDevice(config)# mls qos queue-set output 2 threshold 1 149 149 100 149
SwitchDevice(config)# mls qos queue-set output 2 threshold 2 118 118 100 235
SwitchDevice(config)# mls qos queue-set output 2 threshold 3 41 68 100 272
SwitchDevice(config)# mls qos queue-set output 2 threshold 4 42 72 100 242
SwitchDevice(config)# mls qos queue-set output 1 buffers 10 10 26 54
SwitchDevice(config)# mls qos queue-set output 2 buffers 16 6 17 61
SwitchDevice(config-if)# priority-queue out
SwitchDevice(config-if)# srr-queue bandwidth share 10 10 60 20

Enhanced automatically generated commands (video, trust, classify):
SwitchDevice(config)# mls qos queue-set output 1 threshold 1 100 100 50 200
SwitchDevice(config)# mls qos queue-set output 1 threshold 2 125 125 100 400
SwitchDevice(config)# mls qos queue-set output 1 threshold 3 100 100 100 400
SwitchDevice(config)# mls qos queue-set output 1 threshold 4 60 150 50 200
SwitchDevice(config)# mls qos queue-set output 1 buffers 15 25 40 20


Examples: Auto-QoS Generated Configuration for VoIP Devices


The following table describes the automatically generated commands for auto-QoS for VoIP devices by the
switch.

Table 83: Generated Auto-QoS Configuration for VoIP Devices

Description Automatically Generated Command (VoIP)

The switch automatically


SwitchDevice(config)# mls qos
enables standard QoS and
SwitchDevice(config)# mls qos map cos-dscp 0 8 16 26 32
configures the CoS-to-DSCP 46 48 56
map (maps CoS values in
incoming packets to a DSCP
value).

The switch automatically maps


SwitchDevice(config)# no mls qos srr-queue output cos-map
CoS values to an egress queue
SwitchDevice(config)# mls qos srr-queue output cos-map queue 1
and to a threshold ID. threshold 3 5
SwitchDevice(config)# mls qos srr-queue output cos-map queue 2
threshold 3 3 6 7
SwitchDevice(config)# mls qos srr-queue output cos-map queue 3
threshold 3 2 4
SwitchDevice(config)# mls qos srr-queue output cos-map queue 4
threshold 2 1
SwitchDevice(config)# mls qos srr-queue output cos-map queue 4
threshold 3 0

The switch automatically maps


SwitchDevice(config)# no mls qos srr-queue output dscp-map
DSCP values to an egress
SwitchDevice(config)# mls qos srr-queue output dscp-map queue 1
queue and to a threshold ID. threshold 3 40 41 42 43 44 45 46 47
SwitchDevice(config)# mls qos srr-queue output dscp-map queue 2
threshold 3 24 25 26 27 28 29 30 31
SwitchDevice(config)# mls qos srr-queue output dscp-map queue 2
threshold 3 48 49 50 51 52 53 54 55
SwitchDevice(config)# mls qos srr-queue output dscp-map queue 2
threshold 3 56 57 58 59 60 61 62 63
SwitchDevice(config)# mls qos srr-queue output dscp-map queue 3
threshold 3 16 17 18 19 20 21 22 23
SwitchDevice(config)# mls qos srr-queue output dscp-map queue 3
threshold 3 32 33 34 35 36 37 38 39
SwitchDevice(config)# mls qos srr-queue output dscp-map queue 4
threshold 1 8
SwitchDevice(config)# mls qos srr-queue output dscp-map queue 4
threshold 2 9 10 11 12 13 14 15
SwitchDevice(config)# mls qos srr-queue output dscp-map queue 4
threshold 3 0 1 2 3 4 5 6 7

Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(3)E (Catalyst 3560-CX and 2960-CX Switches)
757
QoS
Examples: Auto-QoS Generated Configuration for VoIP Devices

Description: The switch automatically configures the egress queue buffer sizes. It configures the bandwidth and the SRR mode (shaped or shared) on the egress queues mapped to the port.
Automatically Generated Command (VoIP):

SwitchDevice(config)# mls qos queue-set output 1 threshold 1 138 138 92 138
SwitchDevice(config)# mls qos queue-set output 1 threshold 2 138 138 92 400
SwitchDevice(config)# mls qos queue-set output 1 threshold 3 36 77 100 318
SwitchDevice(config)# mls qos queue-set output 1 threshold 4 20 50 67 400
SwitchDevice(config)# mls qos queue-set output 2 threshold 1 149 149 100 149
SwitchDevice(config)# mls qos queue-set output 2 threshold 2 118 118 100 235
SwitchDevice(config)# mls qos queue-set output 2 threshold 3 41 68 100 272
SwitchDevice(config)# mls qos queue-set output 2 threshold 4 42 72 100 242
SwitchDevice(config)# mls qos queue-set output 1 buffers 10 10 26 54
SwitchDevice(config)# mls qos queue-set output 2 buffers 16 6 17 61
SwitchDevice(config-if)# priority-queue out
SwitchDevice(config-if)# srr-queue bandwidth share 10 10 60 20

If you entered the auto qos voip cisco-phone command, the switch automatically enables the trusted boundary
feature, which uses the CDP to detect the presence or absence of a Cisco IP Phone (as shown below).

SwitchDevice(config-if)# mls qos trust device cisco-phone

If you entered the auto qos voip cisco-softphone command, the switch automatically creates class maps and
policy maps (as shown below).

SwitchDevice(config)# mls qos map policed-dscp 24 26 46 to 0


SwitchDevice(config)# class-map match-all AutoQoS-VoIP-RTP-Trust
SwitchDevice(config-cmap)# match ip dscp ef
SwitchDevice(config)# class-map match-all AutoQoS-VoIP-Control-Trust
SwitchDevice(config-cmap)# match ip dscp cs3 af31
SwitchDevice(config)# policy-map AutoQoS-Police-SoftPhone
SwitchDevice(config-pmap)# class AutoQoS-VoIP-RTP-Trust
SwitchDevice(config-pmap-c)# set dscp ef
SwitchDevice(config-pmap-c)# police 320000 8000 exceed-action policed-dscp-transmit
SwitchDevice(config-pmap)# class AutoQoS-VoIP-Control-Trust
SwitchDevice(config-pmap-c)# set dscp cs3
SwitchDevice(config-pmap-c)# police 32000 8000 exceed-action policed-dscp-transmit

After creating the class maps and policy maps, the switch automatically applies the policy map called
AutoQoS-Police-SoftPhone to an ingress interface on which auto-QoS with the Cisco SoftPhone feature is
enabled (as shown below).

SwitchDevice(config-if)# service-policy input AutoQoS-Police-SoftPhone
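The policers in the SoftPhone policy above (320000 bps for RTP, 32000 bps for signaling) and the larger ones in the enhanced policies later in this section all behave the same way: a packet that fits the token bucket keeps its DSCP, and a packet that exceeds it is remarked through the policed-DSCP map (here CS3, AF31 and EF to DSCP 0) and still forwarded. That is what stops an untrusted softphone from filling the priority queue beyond its allowed rate. The Python model below is an added example, not code from the Cisco guide; the packet stream it processes is constructed, and it assumes the 8000-byte burst argument is the bucket depth in bytes with the bucket starting full.

```python
"""Token-bucket model of an auto-QoS policer with exceed-action
policed-dscp-transmit. Added example, not code from the Cisco guide."""

# Policed-DSCP map generated by auto qos voip cisco-softphone:
# mls qos map policed-dscp 24 26 46 to 0
POLICED_DSCP_MAP = {24: 0, 26: 0, 46: 0}


class Policer:
    """Single-rate policer: `police <rate-bps> <burst-bytes>`.

    Assumption: the burst argument is the token bucket depth in bytes and
    the bucket starts full; that is how this model interprets it.
    """

    def __init__(self, rate_bps, burst_bytes):
        self.rate_bps = rate_bps
        self.burst_bytes = burst_bytes
        self.tokens = float(burst_bytes)
        self.last_t = 0.0

    def offer(self, now, size):
        """Refill tokens for the elapsed time, then decide conform/exceed."""
        elapsed = max(0.0, now - self.last_t)
        self.last_t = now
        self.tokens = min(self.burst_bytes,
                          self.tokens + elapsed * self.rate_bps / 8)
        if size <= self.tokens:
            self.tokens -= size
            return True
        return False


def police_packets(packets, rate_bps=320000, burst_bytes=8000,
                   dscp_map=POLICED_DSCP_MAP):
    """Apply exceed-action policed-dscp-transmit to (time_s, size_bytes, dscp).

    Returns (size, out_dscp, conformed) per packet in arrival order. Nothing
    is dropped: exceeding packets are transmitted with the remarked DSCP.
    """
    policer = Policer(rate_bps, burst_bytes)
    results = []
    for t, size, dscp in packets:
        conformed = policer.offer(t, size)
        out_dscp = dscp if conformed else dscp_map.get(dscp, dscp)
        results.append((size, out_dscp, conformed))
    return results


def summarize(results):
    """Count conforming and exceeding packets."""
    conform = sum(1 for _, _, ok in results if ok)
    return {"conform": conform, "exceed": len(results) - conform}


def sample_stream():
    """Constructed sample: 50 RTP-sized packets (200 bytes every 20 ms, i.e.
    80 kb/s, marked EF) followed by a burst of 20 x 1000-byte EF packets at
    t=1.0 s, as a misbehaving softphone might send."""
    stream = [(i * 0.02, 200, 46) for i in range(50)]
    stream += [(1.0, 1000, 46) for _ in range(20)]
    return stream


if __name__ == "__main__":
    res = police_packets(sample_stream())
    print(summarize(res))  # {'conform': 58, 'exceed': 12}
```

The steady 80 kb/s RTP stream never touches the limit, while only the first 8000 bytes of the burst keep EF; the rest leaves the port with DSCP 0 and competes as best-effort traffic.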

If you entered the auto qos voip cisco-phone command, the switch automatically creates class maps and
policy maps.

SwitchDevice(config-if)# mls qos trust device cisco-phone

If you entered the auto qos voip cisco-softphone command, the switch automatically creates class maps and
policy maps.

SwitchDevice(config)# mls qos map policed-dscp 24 26 46 to 0


SwitchDevice(config)# class-map match-all AutoQoS-VoIP-RTP-Trust
SwitchDevice(config-cmap)# match ip dscp ef
SwitchDevice(config)# class-map match-all AutoQoS-VoIP-Control-Trust
SwitchDevice(config-cmap)# match ip dscp cs3 af31
SwitchDevice(config)# policy-map AutoQoS-Police-CiscoPhone
SwitchDevice(config-pmap)# class AutoQoS-VoIP-RTP-Trust
SwitchDevice(config-pmap-c)# set dscp ef
SwitchDevice(config-pmap-c)# police 320000 8000 exceed-action policed-dscp-transmit
SwitchDevice(config-pmap)# class AutoQoS-VoIP-Control-Trust
SwitchDevice(config-pmap-c)# set dscp cs3
SwitchDevice(config-pmap-c)# police 32000 8000 exceed-action policed-dscp-transmit

After creating the class maps and policy maps, the switch automatically applies the policy map called
AutoQoS-Police-SoftPhone to an ingress interface on which auto-QoS with the Cisco SoftPhone feature is
enabled.

SwitchDevice(config-if)# service-policy input AutoQoS-Police-SoftPhone

Examples: Auto-QoS Generated Configuration For Enhanced Video, Trust, and Classify Devices

If you entered the following enhanced auto-QoS commands, the switch configures a CoS-to-DSCP map (maps
CoS values in incoming packets to a DSCP value):
• auto qos video cts
• auto qos video ip-camera
• auto qos video media-player
• auto qos trust
• auto qos trust cos
• auto qos trust dscp
The following command is initiated after entering one of the above auto-QoS commands:

SwitchDevice(config)# mls qos map cos-dscp 0 8 16 24 32 46 48 56

Note No class maps and policy maps are configured.

If you entered the auto qos classify command, the switch automatically creates class maps and policy maps
(as shown below).

SwitchDevice(config)# mls qos map policed-dscp 0 10 18 24 26 46 to 8


SwitchDevice(config)# mls qos map cos-dscp 0 8 16 24 32 46 48 56
SwitchDevice(config)# class-map match-all AUTOQOS_MULTIENHANCED_CONF_CLASS
SwitchDevice(config-cmap)# match access-group name AUTOQOS-ACL-MULTIENHANCED-CONF
SwitchDevice(config)# class-map match-all AUTOQOS_DEFAULT_CLASS
SwitchDevice(config-cmap)# match access-group name AUTOQOS-ACL-DEFAULT
SwitchDevice(config)# class-map match-all AUTOQOS_TRANSACTION_CLASS
SwitchDevice(config-cmap)# match access-group name AUTOQOS-ACL-TRANSACTIONAL-DATA
SwitchDevice(config)# class-map match-all AUTOQOS_SIGNALING_CLASS
SwitchDevice(config-cmap)# match access-group name AUTOQOS-ACL-SIGNALING
SwitchDevice(config)# class-map match-all AUTOQOS_BULK_DATA_CLASS
SwitchDevice(config-cmap)# match access-group name AUTOQOS-ACL-BULK-DATA
SwitchDevice(config)# class-map match-all AUTOQOS_SCAVANGER_CLASS
SwitchDevice(config-cmap)# match access-group name AUTOQOS-ACL-SCAVANGER
SwitchDevice(config)# policy-map AUTOQOS-SRND4-CLASSIFY-POLICY
SwitchDevice(config-pmap)# class AUTOQOS_MULTIENHANCED_CONF_CLASS
SwitchDevice(config-pmap-c)# set dscp af41
SwitchDevice(config-pmap)# class AUTOQOS_BULK_DATA_CLASS
SwitchDevice(config-pmap-c)# set dscp af11
SwitchDevice(config-pmap)# class AUTOQOS_TRANSACTION_CLASS
SwitchDevice(config-pmap-c)# set dscp af21
SwitchDevice(config-pmap)# class AUTOQOS_SCAVANGER_CLASS
SwitchDevice(config-pmap-c)# set dscp cs1
SwitchDevice(config-pmap)# class AUTOQOS_SIGNALING_CLASS
SwitchDevice(config-pmap-c)# set dscp cs3
SwitchDevice(config-pmap)# class AUTOQOS_DEFAULT_CLASS
SwitchDevice(config-pmap-c)# set dscp default
SwitchDevice(config-if)# service-policy input AUTOQOS-SRND4-CLASSIFY-POLICY

If you entered the auto qos classify police command, the switch automatically creates class maps and policy
maps (as shown below).

SwitchDevice(config)# mls qos map policed-dscp 0 10 18 24 26 46 to 8


SwitchDevice(config)# mls qos map cos-dscp 0 8 16 24 32 46 48 56
SwitchDevice(config)# class-map match-all AUTOQOS_MULTIENHANCED_CONF_CLASS
SwitchDevice(config-cmap)# match access-group name AUTOQOS-ACL-MULTIENHANCED-CONF
SwitchDevice(config)# class-map match-all AUTOQOS_DEFAULT_CLASS
SwitchDevice(config-cmap)# match access-group name AUTOQOS-ACL-DEFAULT
SwitchDevice(config)# class-map match-all AUTOQOS_TRANSACTION_CLASS
SwitchDevice(config-cmap)# match access-group name AUTOQOS-ACL-TRANSACTIONAL-DATA
SwitchDevice(config)# class-map match-all AUTOQOS_SIGNALING_CLASS
SwitchDevice(config-cmap)# match access-group name AUTOQOS-ACL-SIGNALING
SwitchDevice(config)# class-map match-all AUTOQOS_BULK_DATA_CLASS
SwitchDevice(config-cmap)# match access-group name AUTOQOS-ACL-BULK-DATA
SwitchDevice(config)# class-map match-all AUTOQOS_SCAVANGER_CLASS
SwitchDevice(config-cmap)# match access-group name AUTOQOS-ACL-SCAVANGER
SwitchDevice(config)# policy-map AUTOQOS-SRND4-CLASSIFY-POLICE-POLICY
SwitchDevice(config-pmap)# class AUTOQOS_MULTIENHANCED_CONF_CLASS
SwitchDevice(config-pmap-c)# set dscp af41
SwitchDevice(config-pmap-c)# police 5000000 8000 exceed-action drop
SwitchDevice(config-pmap)# class AUTOQOS_BULK_DATA_CLASS
SwitchDevice(config-pmap-c)# set dscp af11
SwitchDevice(config-pmap-c)# police 10000000 8000 exceed-action policed-dscp-transmit
SwitchDevice(config-pmap)# class AUTOQOS_TRANSACTION_CLASS
SwitchDevice(config-pmap-c)# set dscp af21
SwitchDevice(config-pmap-c)# police 10000000 8000 exceed-action policed-dscp-transmit
SwitchDevice(config-pmap)# class AUTOQOS_SCAVANGER_CLASS
SwitchDevice(config-pmap-c)# set dscp cs1
SwitchDevice(config-pmap-c)# police 10000000 8000 exceed-action drop
SwitchDevice(config-pmap)# class AUTOQOS_SIGNALING_CLASS
SwitchDevice(config-pmap-c)# set dscp cs3
SwitchDevice(config-pmap-c)# police 32000 8000 exceed-action drop
SwitchDevice(config-pmap)# class AUTOQOS_DEFAULT_CLASS
SwitchDevice(config-pmap-c)# set dscp default
SwitchDevice(config-pmap-c)# police 10000000 8000 exceed-action policed-dscp-transmit
SwitchDevice(config-if)# service-policy input AUTOQOS-SRND4-CLASSIFY-POLICE-POLICY

This is the enhanced configuration for the auto qos voip cisco-phone command:

SwitchDevice(config)# mls qos map policed-dscp 0 10 18 24 26 46 to 8
SwitchDevice(config)# mls qos map cos-dscp 0 8 16 24 32 46 48 56
SwitchDevice(config)# class-map match-all AUTOQOS_VOIP_DATA_CLASS
SwitchDevice(config-cmap)# match ip dscp ef
SwitchDevice(config)# class-map match-all AUTOQOS_DEFAULT_CLASS
SwitchDevice(config-cmap)# match access-group name AUTOQOS-ACL-DEFAULT
SwitchDevice(config)# class-map match-all AUTOQOS_VOIP_SIGNAL_CLASS
SwitchDevice(config-cmap)# match ip dscp cs3
SwitchDevice(config)# policy-map AUTOQOS-SRND4-CISCOPHONE-POLICY
SwitchDevice(config-pmap)# class AUTOQOS_VOIP_DATA_CLASS
SwitchDevice(config-pmap-c)# set dscp ef
SwitchDevice(config-pmap-c)# police 128000 8000 exceed-action policed-dscp-transmit
SwitchDevice(config-pmap)# class AUTOQOS_VOIP_SIGNAL_CLASS
SwitchDevice(config-pmap-c)# set dscp cs3
SwitchDevice(config-pmap-c)# police 32000 8000 exceed-action policed-dscp-transmit
SwitchDevice(config-pmap)# class AUTOQOS_DEFAULT_CLASS
SwitchDevice(config-pmap-c)# set dscp default
SwitchDevice(config-pmap-c)# police 10000000 8000 exceed-action policed-dscp-transmit
SwitchDevice(config-if)# service-policy input AUTOQOS-SRND4-CISCOPHONE-POLICY

This is the enhanced configuration for the auto qos voip cisco-softphone command:

SwitchDevice(config)# mls qos map policed-dscp 0 10 18 24 26 46 to 8


SwitchDevice(config)# mls qos map cos-dscp 0 8 16 24 32 46 48 56
SwitchDevice(config)# class-map match-all AUTOQOS_MULTIENHANCED_CONF_CLASS
SwitchDevice(config-cmap)# match access-group name AUTOQOS-ACL-MULTIENHANCED-CONF
SwitchDevice(config)# class-map match-all AUTOQOS_VOIP_DATA_CLASS
SwitchDevice(config-cmap)# match ip dscp ef
SwitchDevice(config)# class-map match-all AUTOQOS_DEFAULT_CLASS
SwitchDevice(config-cmap)# match access-group name AUTOQOS-ACL-DEFAULT
SwitchDevice(config)# class-map match-all AUTOQOS_TRANSACTION_CLASS
SwitchDevice(config-cmap)# match access-group name AUTOQOS-ACL-TRANSACTIONAL-DATA
SwitchDevice(config)# class-map match-all AUTOQOS_VOIP_SIGNAL_CLASS
SwitchDevice(config-cmap)# match ip dscp cs3
SwitchDevice(config)# class-map match-all AUTOQOS_SIGNALING_CLASS
SwitchDevice(config-cmap)# match access-group name AUTOQOS-ACL-SIGNALING
SwitchDevice(config)# class-map match-all AUTOQOS_BULK_DATA_CLASS
SwitchDevice(config-cmap)# match access-group name AUTOQOS-ACL-BULK-DATA
SwitchDevice(config)# class-map match-all AUTOQOS_SCAVANGER_CLASS
SwitchDevice(config-cmap)# match access-group name AUTOQOS-ACL-SCAVANGER

SwitchDevice(config)# policy-map AUTOQOS-SRND4-SOFTPHONE-POLICY


SwitchDevice(config-pmap)# class AUTOQOS_VOIP_DATA_CLASS
SwitchDevice(config-pmap-c)# set dscp ef
SwitchDevice(config-pmap-c)# police 128000 8000 exceed-action policed-dscp-transmit
SwitchDevice(config-pmap)# class AUTOQOS_VOIP_SIGNAL_CLASS
SwitchDevice(config-pmap-c)# set dscp cs3
SwitchDevice(config-pmap-c)# police 32000 8000 exceed-action policed-dscp-transmit
SwitchDevice(config-pmap)# class AUTOQOS_MULTIENHANCED_CONF_CLASS
SwitchDevice(config-pmap-c)# set dscp af41
SwitchDevice(config-pmap-c)# police 5000000 8000 exceed-action drop
SwitchDevice(config-pmap)# class AUTOQOS_BULK_DATA_CLASS
SwitchDevice(config-pmap-c)# set dscp af11
SwitchDevice(config-pmap-c)# police 10000000 8000 exceed-action policed-dscp-transmit
SwitchDevice(config-pmap)# class AUTOQOS_TRANSACTION_CLASS
SwitchDevice(config-pmap-c)# set dscp af21
SwitchDevice(config-pmap-c)# police 10000000 8000 exceed-action policed-dscp-transmit
SwitchDevice(config-pmap)# class AUTOQOS_SCAVANGER_CLASS
SwitchDevice(config-pmap-c)# set dscp cs1
SwitchDevice(config-pmap-c)# police 10000000 8000 exceed-action drop
SwitchDevice(config-pmap)# class AUTOQOS_SIGNALING_CLASS
SwitchDevice(config-pmap-c)# set dscp cs3
SwitchDevice(config-pmap-c)# police 32000 8000 exceed-action drop
SwitchDevice(config-pmap)# class AUTOQOS_DEFAULT_CLASS
SwitchDevice(config-pmap-c)# set dscp default
SwitchDevice(config-if)# service-policy input AUTOQOS-SRND4-SOFTPHONE-POLICY

Where to Go Next for Auto-QoS


Review the QoS documentation if you require any specific QoS changes to your auto-QoS configuration.

PART VII
Routing
• Configuring IP Unicast Routing, on page 767
• Configuring Fallback Bridging, on page 917
CHAPTER 36
Configuring IP Unicast Routing
• Finding Feature Information, on page 767
• Information About Configuring IP Unicast Routing, on page 768
• Information About IP Routing, on page 768
• How to Configure IP Routing, on page 769
• How to Configure IP Addressing, on page 770
• Monitoring and Maintaining IP Addressing, on page 791
• How to Configure IP Unicast Routing, on page 792
• Information About RIP, on page 793
• How to Configure RIP, on page 794
• Information About OSPF, on page 802
• Monitoring OSPF, on page 816
• Information About EIGRP, on page 817
• How to Configure EIGRP, on page 818
• Monitoring and Maintaining EIGRP, on page 827
• Information About BGP, on page 827
• How to Configure BGP, on page 829
• Monitoring and Maintaining BGP, on page 857
• Information About ISO CLNS Routing, on page 858
• How to Configure ISO CLNS Routing, on page 859
• Monitoring and Maintaining ISO IGRP and IS-IS, on page 871
• Information About Multi-VRF CE, on page 872
• How to Configure Multi-VRF CE, on page 875
• Configuring Unicast Reverse Path Forwarding, on page 893
• Protocol-Independent Features, on page 894
• Monitoring and Maintaining the IP Network, on page 916

Finding Feature Information


Your software release may not support all the features documented in this module. For the latest caveats and
feature information, see Bug Search Tool and the release notes for your platform and software release. To
find information about the features documented in this module, and to see a list of the releases in which each
feature is supported, see the feature information table at the end of this module.

Use Cisco Feature Navigator to find information about platform support and Cisco software image support.
To access Cisco Feature Navigator, go to http://www.cisco.com/go/cfn. An account on Cisco.com is not
required.

Information About Configuring IP Unicast Routing


This module describes how to configure IP Version 4 (IPv4) unicast routing on the switch.
Basic routing functions like static routing are available with the IP Base feature set and the IP Services
feature set on Catalyst 3560-CX switches. Catalyst 2960-CX switches support only static routing.

Note In addition to IPv4 traffic, you can also enable IP Version 6 (IPv6) unicast routing and configure interfaces
to forward IPv6 traffic.

Information About IP Routing


In some network environments, VLANs are associated with individual networks or subnetworks. In an IP
network, each subnetwork is mapped to an individual VLAN. Configuring VLANs helps control the size of
the broadcast domain and keeps local traffic local. However, network devices in different VLANs cannot
communicate with one another without a Layer 3 device (router) to route traffic between the VLANs, which is
referred to as inter-VLAN routing. You configure one or more routers to route traffic to the appropriate
destination VLAN.
Figure 76: Routing Topology Example

This figure shows a basic routing topology. Switch A is in VLAN 10, and Switch B is in VLAN 20. The router
has an interface in each VLAN.


When Host A in VLAN 10 needs to communicate with Host B in VLAN 10, it sends a packet addressed to
that host. Switch A forwards the packet directly to Host B, without sending it to the router.
When Host A sends a packet to Host C in VLAN 20, Switch A forwards the packet to the router, which
receives the traffic on the VLAN 10 interface. The router checks the routing table, finds the correct outgoing
interface, and forwards the packet on the VLAN 20 interface to Switch B. Switch B receives the packet and
forwards it to Host C.

Types of Routing
Routers and Layer 3 switches can route packets in these ways:
• By using default routing
• By using preprogrammed static routes for the traffic

• By dynamically calculating routes by using a routing protocol

The switch supports static routes and default routes. It does not support routing protocols.

How to Configure IP Routing


By default, IP routing is disabled on the Switch, and you must enable it before routing can take place. For
detailed IP routing configuration information, see the Cisco IOS IP Configuration Guide.
In the following procedures, the specified interface must be one of these Layer 3 interfaces:
• A routed port: a physical port configured as a Layer 3 port by using the no switchport interface
configuration command.
• A switch virtual interface (SVI): a VLAN interface created by using the interface vlan vlan_id global
configuration command and by default a Layer 3 interface.
• An EtherChannel port channel in Layer 3 mode: a port-channel logical interface created by using the
interface port-channel port-channel-number global configuration command and binding the Ethernet
interface into the channel group. For more information, see the “Configuring Layer 3 EtherChannels”
chapter in the Layer 2 Configuration Guide.

Note The switch does not support tunnel interfaces for unicast routed traffic.

All Layer 3 interfaces on which routing will occur must have IP addresses assigned to them.

Note A Layer 3 switch can have an IP address assigned to each routed port and SVI.

Configuring routing consists of several main procedures:


• To support VLAN interfaces, create and configure VLANs on the Switch or switch stack, and assign
VLAN membership to Layer 2 interfaces. For more information, see the "Configuring VLANs” chapter
in the VLAN Configuration Guide.
• Configure Layer 3 interfaces.
• Enable IP routing on the switch.
• Assign IP addresses to the Layer 3 interfaces.
• Enable selected routing protocols on the switch.
• Configure routing protocol parameters (optional).

Related Topics
Assigning IP Addresses to Network Interfaces, on page 771

How to Configure IP Addressing


A required task for configuring IP routing is to assign IP addresses to Layer 3 network interfaces to enable
the interfaces and allow communication with the hosts on those interfaces that use IP. The following sections
describe how to configure various IP addressing features. Assigning IP addresses to the interface is required;
the other procedures are optional.
• Default Addressing Configuration
• Assigning IP Addresses to Network Interfaces
• Configuring Address Resolution Methods
• Routing Assistance When IP Routing is Disabled
• Configuring Broadcast Packet Handling
• Monitoring and Maintaining IP Addressing

Default IP Addressing Configuration


Table 84: Default Addressing Configuration

Feature                 Default Setting
IP address              None defined.
ARP                     No permanent entries in the Address Resolution Protocol (ARP) cache.
                        Encapsulation: Standard Ethernet-style ARP.
                        Timeout: 14400 seconds (4 hours).
IP broadcast address    255.255.255.255 (all ones).
IP classless routing    Enabled.
IP default gateway      Disabled.
IP directed broadcast   Disabled (all IP directed broadcasts are dropped).
IP domain               Domain list: No domain names defined.
                        Domain lookup: Enabled.
                        Domain name: Enabled.
IP forward-protocol     If a helper address is defined or User Datagram Protocol (UDP) flooding is
                        configured, UDP forwarding is enabled on default ports.
                        Any-local-broadcast: Disabled.
                        Spanning Tree Protocol (STP): Disabled.
                        Turbo-flood: Disabled.
IP helper address       Disabled.
IP host                 Disabled.
IRDP                    Disabled.
                        Defaults when enabled:
                        • Broadcast IRDP advertisements.
                        • Maximum interval between advertisements: 600 seconds.
                        • Minimum interval between advertisements: 0.75 times max interval.
                        • Preference: 0.
IP proxy ARP            Enabled.
IP routing              Disabled.
IP subnet-zero          Disabled.

Assigning IP Addresses to Network Interfaces


An IP address identifies a location to which IP packets can be sent. Some IP addresses are reserved for special
uses and cannot be used for host, subnet, or network addresses. RFC 1166, “Internet Numbers,” contains the
official description of IP addresses.
An interface can have one primary IP address. A mask identifies the bits that denote the network number in
an IP address. When you use the mask to subnet a network, the mask is referred to as a subnet mask. To
receive an assigned network number, contact your Internet service provider.

Procedure

Step 1  enable
        Enables privileged EXEC mode. Enter your password if prompted.
        Example:
        SwitchDevice> enable

Step 2  configure terminal
        Enters the global configuration mode.
        Example:
        SwitchDevice# configure terminal

Step 3  interface interface-id
        Enters interface configuration mode, and specifies the Layer 3 interface to configure.
        Example:
        SwitchDevice(config)# interface gigabitethernet 1/0/1

Step 4  no switchport
        Removes the interface from Layer 2 configuration mode (if it is a physical interface).
        Example:
        SwitchDevice(config-if)# no switchport

Step 5  ip address ip-address subnet-mask
        Configures the IP address and IP subnet mask.
        Example:
        SwitchDevice(config-if)# ip address 10.1.5.1 255.255.255.0

Step 6  no shutdown
        Enables the physical interface.
        Example:
        SwitchDevice(config-if)# no shutdown

Step 7  end
        Returns to privileged EXEC mode.
        Example:
        SwitchDevice(config)# end

Step 8  show ip route
        Verifies your entries.
        Example:
        SwitchDevice# show ip route

Step 9  show ip interface [interface-id]
        Verifies your entries.
        Example:
        SwitchDevice# show ip interface gigabitethernet 1/0/1

Step 10 show running-config
        Verifies your entries.
        Example:
        SwitchDevice# show running-config

Step 11 copy running-config startup-config
        (Optional) Saves your entries in the configuration file.
        Example:
        SwitchDevice# copy running-config startup-config

Related Topics
How to Configure IP Routing, on page 769

Using Subnet Zero


Subnetting with a subnet address of zero is strongly discouraged because of the problems that can arise if a
network and a subnet have the same addresses. For example, if network 131.108.0.0 is subnetted as
255.255.255.0, subnet zero would be written as 131.108.0.0, which is the same as the network address.
You can use the all ones subnet (131.108.255.0) and even though it is discouraged, you can enable the use of
subnet zero if you need the entire subnet space for your IP address.
Use the no ip subnet-zero global configuration command to restore the default and disable the use of subnet
zero.

Procedure

Step 1  enable
        Enables privileged EXEC mode. Enter your password if prompted.
        Example:
        SwitchDevice> enable

Step 2  configure terminal
        Enters the global configuration mode.
        Example:
        SwitchDevice# configure terminal

Step 3  ip subnet-zero
        Enables the use of subnet zero for interface addresses and routing updates.
        Example:
        SwitchDevice(config)# ip subnet-zero

Step 4  end
        Returns to privileged EXEC mode.
        Example:
        SwitchDevice(config)# end

Step 5  show running-config
        Verifies your entries.
        Example:
        SwitchDevice# show running-config

Step 6  copy running-config startup-config
        (Optional) Saves your entries in the configuration file.
        Example:
        SwitchDevice# copy running-config startup-config

Classless Routing
By default, classless routing behavior is enabled on the Switch when it is configured to route. With classless
routing, if a router receives packets for a subnet of a network with no default route, the router forwards the
packet to the best supernet route. A supernet consists of contiguous blocks of Class C address spaces used to
simulate a single, larger address space and is designed to relieve the pressure on the rapidly depleting Class
B address space.
In the figure, classless routing is enabled. When the host sends a packet to 120.20.4.1, instead of discarding
the packet, the router forwards it to the best supernet route. If you disable classless routing and a router receives
packets destined for a subnet of a network with no network default route, the router discards the packet.
Figure 77: IP Classless Routing

In the figure , the router in network 128.20.0.0 is connected to subnets 128.20.1.0, 128.20.2.0, and 128.20.3.0.
If the host sends a packet to 120.20.4.1, because there is no network default route, the router discards the
packet.

Figure 78: No IP Classless Routing

To prevent the Switch from forwarding packets destined for unrecognized subnets to the best supernet route
possible, you can disable classless routing behavior.
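The difference between the two figures comes down to one rule in the lookup: with classless routing, a destination that matches no specific subnet falls through to the best supernet or default route; without it, a destination inside a major network the router already has subnets for is discarded when no subnet matches, even if a default route exists. The following Python function is an added example that models this behaviour as the text describes it; it is not Cisco code, and its routing table and destination addresses are constructed to mirror the 128.20.0.0 scenario above.

```python
"""Route lookup with and without `ip classless`. Added example, not code
from the Cisco guide; the table and destinations below are constructed to
match the scenario in the text."""
import ipaddress


def classful_network(addr):
    """Return the classful major network of an IPv4 address, or None for
    class D/E addresses, which have no classful network."""
    first_octet = int(addr) >> 24
    if first_octet < 128:
        prefix = 8      # class A
    elif first_octet < 192:
        prefix = 16     # class B
    elif first_octet < 224:
        prefix = 24     # class C
    else:
        return None
    return ipaddress.ip_network(f"{addr}/{prefix}", strict=False)


def lookup(dest, routes, ip_classless=True):
    """Longest-prefix match, then the classful rule when ip_classless is False.

    routes: list of (network, next_hop) strings; "0.0.0.0/0" is the default
    route. Returns the next hop, or None when the packet is discarded.
    """
    dest = ipaddress.ip_address(dest)
    table = [(ipaddress.ip_network(net), hop) for net, hop in routes]
    matches = [(net, hop) for net, hop in table if dest in net]
    if not matches:
        return None
    best_net, best_hop = max(matches, key=lambda m: m[0].prefixlen)
    if ip_classless:
        return best_hop        # a supernet or default route is acceptable
    major = classful_network(dest)
    if major is not None and best_net.prefixlen < major.prefixlen:
        # The best match is a supernet or the default route. Classful rule:
        # if the router already knows subnets of the destination's major
        # network, an unknown subnet of that network is discarded instead.
        knows_major = any(net.subnet_of(major) and net.prefixlen > major.prefixlen
                          for net, _ in table)
        if knows_major:
            return None
    return best_hop


# Constructed table: three connected subnets of the class B network
# 128.20.0.0 and a default route toward an upstream router.
SAMPLE_ROUTES = [
    ("128.20.1.0/24", "connected"),
    ("128.20.2.0/24", "connected"),
    ("128.20.3.0/24", "connected"),
    ("0.0.0.0/0", "10.0.0.254"),
]

if __name__ == "__main__":
    for flag in (True, False):
        print("ip classless" if flag else "no ip classless",
              "-> 128.20.4.1 via", lookup("128.20.4.1", SAMPLE_ROUTES, flag))
```

With the default route present, 128.20.4.1 is forwarded upstream under `ip classless` and discarded under `no ip classless`, while a destination in an entirely unknown major network (say 192.0.2.10) takes the default route either way.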

Disabling Classless Routing


To prevent the Switch from forwarding packets destined for unrecognized subnets to the best supernet route
possible, you can disable classless routing behavior.

Procedure

Step 1  enable
        Enables privileged EXEC mode. Enter your password if prompted.
        Example:
        SwitchDevice> enable

Step 2  configure terminal
        Enters the global configuration mode.
        Example:
        SwitchDevice# configure terminal

Step 3  no ip classless
        Disables classless routing behavior.
        Example:
        SwitchDevice(config)# no ip classless

Step 4  end
        Returns to privileged EXEC mode.
        Example:
        SwitchDevice(config)# end

Step 5  show running-config
        Verifies your entries.
        Example:
        SwitchDevice# show running-config

Step 6  copy running-config startup-config
        (Optional) Saves your entries in the configuration file.
        Example:
        SwitchDevice# copy running-config startup-config

Configuring Address Resolution Methods


You can perform the following tasks to configure address resolution.

Address Resolution
You can control interface-specific handling of IP by using address resolution. A device using IP can have
both a local address or MAC address, which uniquely defines the device on its local segment or LAN, and a
network address, which identifies the network to which the device belongs.

Note In a switch stack, network communication uses a single MAC address and the IP address of the stack.

The local address or MAC address is known as a data link address because it is contained in the data link
layer (Layer 2) section of the packet header and is read by data link (Layer 2) devices. To communicate with
a device on Ethernet, the software must learn the MAC address of the device. The process of learning the
MAC address from an IP address is called address resolution. The process of learning the IP address from
the MAC address is called reverse address resolution.
The Switch can use these forms of address resolution:
• Address Resolution Protocol (ARP) is used to associate IP address with MAC addresses. Taking an IP
address as input, ARP learns the associated MAC address and then stores the IP address/MAC address
association in an ARP cache for rapid retrieval. Then the IP datagram is encapsulated in a link-layer
frame and sent over the network. Encapsulation of IP datagrams and ARP requests or replies on IEEE
802 networks other than Ethernet is specified by the Subnetwork Access Protocol (SNAP).
• Proxy ARP helps hosts with no routing tables learn the MAC addresses of hosts on other networks or
subnets. If the Switch (router) receives an ARP request for a host that is not on the same interface as the
ARP request sender, and if the router has all of its routes to the host through other interfaces, it generates
a proxy ARP packet giving its own local data link address. The host that sent the ARP request then sends
its packets to the router, which forwards them to the intended host.

The Switch also uses the Reverse Address Resolution Protocol (RARP), which functions the same as ARP
does, except that the RARP packets request an IP address instead of a local MAC address. Using RARP
requires a RARP server on the same network segment as the router interface. Use the ip rarp-server address
interface configuration command to identify the server.

For more information on RARP, see the Cisco IOS Configuration Fundamentals Configuration Guide.

Defining a Static ARP Cache


ARP and other address resolution protocols provide dynamic mapping between IP addresses and MAC
addresses. Because most hosts support dynamic address resolution, you usually do not need to specify static
ARP cache entries. If you must define a static ARP cache entry, you can do so globally, which installs a
permanent entry in the ARP cache that the Switch uses to translate IP addresses into MAC addresses. Optionally,
you can also specify that the Switch respond to ARP requests as if it were the owner of the specified IP address.
If you do not want the ARP entry to be permanent, you can specify a timeout period for the ARP entry.

Procedure

Command or Action Purpose


Step 1 enable Enables privileged EXEC mode. Enter your password if
prompted.
Example:

SwitchDevice> enable

Step 2 configure terminal Enters the global configuration mode.


Example:

SwitchDevice# configure terminal

Step 3 arp ip-address hardware-address type Associates an IP address with a MAC (hardware) address
in the ARP cache, and specifies the encapsulation type as one of these:
• arpa—ARP encapsulation for Ethernet interfaces
• snap—Subnetwork Address Protocol encapsulation for Token Ring and FDDI interfaces
• sap—HP’s ARP type
Example:

SwitchDevice(config)# arp 10.1.5.1 c2f3.220a.12f4 arpa

Step 4 arp ip-address hardware-address type [alias] (Optional) Specifies that the switch respond to ARP
requests as if it were the owner of the specified IP address.
Example:

SwitchDevice(config)# arp 10.1.5.3 d7f3.220d.12f5 arpa alias

Step 5 interface interface-id Enters interface configuration mode, and specifies the
interface to configure.
Example:

SwitchDevice(config)# interface gigabitethernet 1/0/1


Step 6 arp timeout seconds (Optional) Sets the length of time an ARP cache entry stays in the cache. The
default is 14400 seconds (4 hours). The range is 0 to 2147483 seconds.
Example:

SwitchDevice(config-if)# arp timeout 20000

Step 7 end Returns to privileged EXEC mode.


Example:

SwitchDevice(config-if)# end

Step 8 show interfaces [interface-id] Verifies the type of ARP and the timeout value used on
all interfaces or a specific interface.
Example:

SwitchDevice# show interfaces gigabitethernet 1/0/1

Step 9 show arp Views the contents of the ARP cache.


Example:

SwitchDevice# show arp

Step 10 show ip arp Views the contents of the ARP cache.


Example:

SwitchDevice# show ip arp

Step 11 copy running-config startup-config (Optional) Saves your entries in the configuration file.
Example:

SwitchDevice# copy running-config startup-config
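The static entries from Step 3 and Step 4 appear in show ip arp with no age, and a defender reviewing the cache mostly wants two things: that each static mapping still holds, and which MAC addresses answer for more than one IP. The following Python is an added example, not code from the guide or from Cisco; it assumes the show ip arp column layout in the constructed sample below (Age shown as "-" for static entries) and builds its own sample output.

```python
import re
from collections import defaultdict

# Constructed sample in the layout of the IOS "show ip arp" command (assumed layout;
# static entries show "-" in the Age column). Not taken from the guide.
SAMPLE_SHOW_IP_ARP = """\
Protocol  Address          Age (min)  Hardware Addr   Type   Interface
Internet  10.1.5.1                -   c2f3.220a.12f4  ARPA   GigabitEthernet1/0/1
Internet  10.1.5.3                -   d7f3.220d.12f5  ARPA   GigabitEthernet1/0/1
Internet  10.1.5.20               5   0011.2233.4455  ARPA   GigabitEthernet1/0/1
Internet  10.1.5.21              12   0011.2233.4455  ARPA   GigabitEthernet1/0/1
Internet  10.1.5.254              0   d7f3.220d.12f5  ARPA   GigabitEthernet1/0/1
"""

ARP_LINE = re.compile(
    r"^Internet\s+(?P<ip>\d+\.\d+\.\d+\.\d+)\s+(?P<age>-|\d+)\s+"
    r"(?P<mac>[0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4})\s+(?P<type>\S+)\s+(?P<intf>\S+)\s*$"
)


def parse_show_ip_arp(text):
    """Return one dict per ARP entry; 'static' is True when the Age column is '-'."""
    entries = []
    for line in text.splitlines():
        m = ARP_LINE.match(line.strip())
        if not m:
            continue  # header line or something we do not recognise
        entries.append({
            "ip": m["ip"],
            "mac": m["mac"],
            "age_min": None if m["age"] == "-" else int(m["age"]),
            "static": m["age"] == "-",
            "type": m["type"],
            "interface": m["intf"],
        })
    return entries


def audit_arp_table(entries, expected_static):
    """Compare the cache against the static mappings an operator configured with
    'arp ip-address hardware-address type'.  Reports, in this order:
      - static IPs whose cached MAC differs from the expected one (alert-worthy),
      - MACs that answer for more than one IP (normal for a router interface or a
        proxy-ARP host, so this is a review item, not a verdict)."""
    findings = []
    by_mac = defaultdict(list)
    for e in entries:
        by_mac[e["mac"]].append(e["ip"])
        want = expected_static.get(e["ip"])
        if want is not None and want != e["mac"]:
            findings.append(
                f"static mismatch: {e['ip']} cached as {e['mac']}, expected {want}")
    for mac, ips in sorted(by_mac.items()):
        if len(ips) > 1:
            findings.append(f"shared MAC {mac} answers for {', '.join(sorted(ips))}")
    return findings


if __name__ == "__main__":
    table = parse_show_ip_arp(SAMPLE_SHOW_IP_ARP)
    for f in audit_arp_table(table, {"10.1.5.1": "c2f3.220a.12f4",
                                     "10.1.5.3": "d7f3.220d.12f5"}):
        print(f)
```

On the constructed sample the two static entries match, and the script reports the two MACs that answer for more than one address; the shared-MAC line for the d7f3.220d.12f5 entry is the one a reviewer would follow up, since that MAC is a static alias entry and also appears against a dynamic entry.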

Setting ARP Encapsulation


By default, Ethernet ARP encapsulation (represented by the arpa keyword) is enabled on an IP interface.
You can change the encapsulation methods to SNAP if required by your network.
To disable an encapsulation type, use the no arp arpa or no arp snap interface configuration command.

Procedure

Command or Action Purpose


Step 1 enable Enables privileged EXEC mode. Enter your password if
prompted.
Example:

SwitchDevice> enable

Step 2 configure terminal Enters the global configuration mode.


Example:

SwitchDevice# configure terminal

Step 3 interface interface-id Enters interface configuration mode, and specifies the Layer
3 interface to configure.
Example:

SwitchDevice(config)# interface gigabitethernet 1/0/2

Step 4 arp {arpa | snap} Specifies the ARP encapsulation method:
• arpa—Address Resolution Protocol
• snap—Subnetwork Address Protocol
Example:

SwitchDevice(config-if)# arp arpa

Step 5 end Returns to privileged EXEC mode.


Example:

SwitchDevice(config-if)# end

Step 6 show interfaces [interface-id] Verifies ARP encapsulation configuration on all interfaces
or the specified interface.
Example:

SwitchDevice# show interfaces

Step 7 copy running-config startup-config (Optional) Saves your entries in the configuration file.
Example:

SwitchDevice# copy running-config startup-config

Enabling Proxy ARP


By default, the Switch uses proxy ARP to help hosts learn MAC addresses of hosts on other networks or
subnets.

Procedure

Command or Action Purpose


Step 1 enable Enables privileged EXEC mode. Enter your password if
prompted.
Example:

SwitchDevice> enable

Step 2 configure terminal Enters the global configuration mode.


Example:

SwitchDevice# configure terminal

Step 3 interface interface-id Enters interface configuration mode, and specifies the Layer
3 interface to configure.
Example:

SwitchDevice(config)# interface gigabitethernet 1/0/2

Step 4 ip proxy-arp Enables proxy ARP on the interface.


Example:

SwitchDevice(config-if)# ip proxy-arp

Step 5 end Returns to privileged EXEC mode.


Example:

SwitchDevice(config-if)# end

Step 6 show ip interface [interface-id] Verifies the configuration on the interface or all interfaces.
Example:

SwitchDevice# show ip interface gigabitethernet 1/0/2

Step 7 copy running-config startup-config (Optional) Saves your entries in the configuration file.
Example:

SwitchDevice# copy running-config startup-config

Routing Assistance When IP Routing is Disabled


These mechanisms allow the Switch to learn about routes to other networks when it does not have IP routing
enabled:
• Proxy ARP
• Default Gateway
• ICMP Router Discovery Protocol (IRDP)

Proxy ARP
Proxy ARP, the most common method for learning about other routes, enables an Ethernet host with no routing
information to communicate with hosts on other networks or subnets. The host assumes that all hosts are on
the same local Ethernet and that they can use ARP to learn their MAC addresses. If a Switch receives an ARP
request for a host that is not on the same network as the sender, the Switch evaluates whether it has the best
route to that host. If it does, it sends an ARP reply packet with its own Ethernet MAC address, and the host
that sent the request sends the packet to the Switch, which forwards it to the intended host. Proxy ARP treats
all networks as if they are local and performs ARP requests for every IP address.

Proxy ARP
Proxy ARP is enabled by default. To enable it after it has been disabled, see the “Enabling Proxy ARP” section.
Proxy ARP works as long as other routers support it.

Default Gateway
Another method for locating routes is to define a default router or default gateway. All non-local packets are
sent to this router, which either routes them appropriately or sends an Internet Control Message Protocol (ICMP)
redirect message back, defining which local router the host should use. The Switch caches the redirect messages
and forwards each packet as efficiently as possible. A limitation of this method is that there is no means of
detecting when the default router has gone down or is unavailable.

Procedure

Command or Action Purpose


Step 1 enable Enables privileged EXEC mode. Enter your password if
prompted.
Example:

SwitchDevice> enable

Step 2 configure terminal Enters the global configuration mode.


Example:

SwitchDevice# configure terminal

Step 3 ip default-gateway ip-address Sets up a default gateway (router).


Example:

SwitchDevice(config)# ip default-gateway 10.1.5.1

Step 4 end Returns to privileged EXEC mode.


Example:

SwitchDevice(config)# end

Step 5 show ip redirects Displays the address of the default gateway router to verify
the setting.
Example:

SwitchDevice# show ip redirects

Step 6 copy running-config startup-config (Optional) Saves your entries in the configuration file.
Example:

SwitchDevice# copy running-config startup-config

ICMP Router Discovery Protocol


Router discovery allows the Switch to dynamically learn about routes to other networks using ICMP router
discovery protocol (IRDP). IRDP allows hosts to locate routers. When operating as a client, the Switch
generates router discovery packets. When operating as a host, the Switch receives router discovery packets.
The Switch can also listen to Routing Information Protocol (RIP) routing updates and use this information to
infer locations of routers. The Switch does not actually store the routing tables sent by routing devices; it
merely keeps track of which systems are sending the data. The advantage of using IRDP is that it allows each
router to specify both a priority and the time after which a device is assumed to be down if no further packets
are received.
Each device discovered becomes a candidate for the default router, and a new highest-priority router is selected
when a higher priority router is discovered, when the current default router is declared down, or when a TCP
connection is about to time out because of excessive retransmissions.

ICMP Router Discovery Protocol (IRDP)


The only required task for IRDP routing on an interface is to enable IRDP processing on that interface. When
enabled, the default parameters apply.
You can optionally change any of these parameters. If you change the maxadvertinterval value, the holdtime
and minadvertinterval values also change, so it is important to first change the maxadvertinterval value,
before manually changing either the holdtime or minadvertinterval values.

Procedure

Command or Action Purpose


Step 1 enable Enables privileged EXEC mode. Enter your password if
prompted.
Example:

SwitchDevice> enable

Step 2 configure terminal Enters the global configuration mode.


Example:

SwitchDevice# configure terminal

Step 3 interface interface-id Enters interface configuration mode, and specifies the
Layer 3 interface to configure.
Example:

SwitchDevice(config)# interface gigabitethernet 1/0/1

Step 4 ip irdp Enables IRDP processing on the interface.


Example:

SwitchDevice(config-if)# ip irdp

Step 5 ip irdp multicast (Optional) Sends IRDP advertisements to the multicast address (224.0.0.1) instead
of IP broadcasts.
Note This command allows for compatibility with Sun Microsystems Solaris, which requires IRDP packets
to be sent out as multicasts. Many implementations cannot receive these multicasts; ensure end-host ability
before using this command.
Example:

SwitchDevice(config-if)# ip irdp multicast

Step 6 ip irdp holdtime seconds (Optional) Sets the IRDP period for which advertisements are valid. The
default is three times the maxadvertinterval value. It must be greater than maxadvertinterval and cannot be
greater than 9000 seconds. If you change the maxadvertinterval value, this value also changes.
Example:

SwitchDevice(config-if)# ip irdp holdtime 1000

Step 7 ip irdp maxadvertinterval seconds (Optional) Sets the IRDP maximum interval between
advertisements. The default is 600 seconds.
Example:

SwitchDevice(config-if)# ip irdp maxadvertinterval 650

Step 8 ip irdp minadvertinterval seconds (Optional) Sets the IRDP minimum interval between
advertisements. The default is 0.75 times the maxadvertinterval. If you change the maxadvertinterval, this
value changes to the new default (0.75 of maxadvertinterval).
Example:

SwitchDevice(config-if)# ip irdp minadvertinterval 500

Step 9 ip irdp preference number (Optional) Sets a device IRDP preference level. The allowed range is
-2^31 to 2^31. The default is 0. A higher value increases the router preference level.
Example:

SwitchDevice(config-if)# ip irdp preference 2

Step 10 ip irdp address address [number] (Optional) Specifies an IRDP address and preference to
proxy-advertise.
Example:

SwitchDevice(config-if)# ip irdp address 10.1.10.10

Step 11 end Returns to privileged EXEC mode.
Example:

SwitchDevice(config-if)# end

Step 12 show ip irdp Verifies settings by displaying IRDP values.


Example:

SwitchDevice# show ip irdp

Step 13 copy running-config startup-config (Optional) Saves your entries in the configuration file.
Example:

SwitchDevice# copy running-config startup-config
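The ordering rule in this procedure (set maxadvertinterval first, because setting it rewrites holdtime and minadvertinterval) is easy to get wrong at the CLI. The following Python model, an added example rather than IOS code, replays the timer keywords in the order typed and applies the relationships the procedure states: defaults of 600 seconds, 3 x maxadvertinterval and 0.75 x maxadvertinterval, holdtime greater than maxadvertinterval and at most 9000 seconds. Integer truncation of 0.75 x maxadvertinterval and the positivity checks are my assumptions, not behaviour the guide documents.

```python
IRDP_HOLDTIME_MAX = 9000          # upper bound stated for ip irdp holdtime
DEFAULT_MAXADVERTINTERVAL = 600   # default stated for ip irdp maxadvertinterval


class IrdpInterface:
    """Model of the IRDP timer keywords on one interface (added illustration, not
    IOS code).  holdtime defaults to 3 x maxadvertinterval, minadvertinterval to
    0.75 x maxadvertinterval, and both are recomputed whenever maxadvertinterval
    is set, discarding any value entered by hand before it."""

    def __init__(self):
        self.maxadvertinterval = DEFAULT_MAXADVERTINTERVAL
        self._reset_derived()

    def _reset_derived(self):
        self.holdtime = 3 * self.maxadvertinterval
        # Assumption: fractional seconds are truncated.
        self.minadvertinterval = int(0.75 * self.maxadvertinterval)

    def set_maxadvertinterval(self, seconds):
        if seconds <= 0:                      # assumed sanity check
            raise ValueError("maxadvertinterval must be positive")
        self.maxadvertinterval = seconds
        self._reset_derived()                 # this is what the procedure warns about

    def set_holdtime(self, seconds):
        if seconds <= self.maxadvertinterval:
            raise ValueError("holdtime must be greater than maxadvertinterval")
        if seconds > IRDP_HOLDTIME_MAX:
            raise ValueError(f"holdtime cannot exceed {IRDP_HOLDTIME_MAX} seconds")
        self.holdtime = seconds

    def set_minadvertinterval(self, seconds):
        if seconds <= 0:                      # assumed sanity check
            raise ValueError("minadvertinterval must be positive")
        self.minadvertinterval = seconds

    def settings(self):
        return (self.maxadvertinterval, self.minadvertinterval, self.holdtime)


def apply_in_order(commands):
    """Apply (keyword, seconds) pairs as if typed on the interface and return the
    resulting (maxadvertinterval, minadvertinterval, holdtime) triple."""
    intf = IrdpInterface()
    setters = {
        "maxadvertinterval": intf.set_maxadvertinterval,
        "holdtime": intf.set_holdtime,
        "minadvertinterval": intf.set_minadvertinterval,
    }
    for keyword, seconds in commands:
        setters[keyword](seconds)
    return intf.settings()


if __name__ == "__main__":
    right = [("maxadvertinterval", 650), ("holdtime", 1000), ("minadvertinterval", 500)]
    wrong = [("holdtime", 1000), ("minadvertinterval", 500), ("maxadvertinterval", 650)]
    print("maxadvertinterval first:", apply_in_order(right))
    print("maxadvertinterval last: ", apply_in_order(wrong))
```

With the values from the procedure's examples, entering maxadvertinterval first yields (650, 500, 1000); entering it last silently replaces the operator's holdtime and minadvertinterval with 1950 and 487, which is the outcome the text tells you to avoid.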

Configuring Broadcast Packet Handling


Perform the tasks in these sections to enable these schemes:
• Enabling Directed Broadcast-to-Physical Broadcast Translation
• Forwarding UDP Broadcast Packets and Protocols
• Establishing an IP Broadcast Address
• Flooding IP Broadcasts

Broadcast Packet Handling


After configuring an IP interface address, you can enable routing and configure one or more routing protocols,
or you can configure the way the Switch responds to network broadcasts. A broadcast is a data packet destined
for all hosts on a physical network. The Switch supports two kinds of broadcasting:
• A directed broadcast packet is sent to a specific network or series of networks. A directed broadcast
address includes the network or subnet fields.
• A flooded broadcast packet is sent to every network.

Note You can also limit broadcast, unicast, and multicast traffic on Layer 2 interfaces
by using the storm-control interface configuration command to set traffic
suppression levels.

Routers provide some protection from broadcast storms by limiting their extent to the local cable. Bridges
(including intelligent bridges), because they are Layer 2 devices, forward broadcasts to all network segments,
thus propagating broadcast storms. The best solution to the broadcast storm problem is to use a single broadcast
address scheme on a network. In most modern IP implementations, you can set the address to be used as the
broadcast address. Many implementations, including the one in the Switch, support several addressing schemes
for forwarding broadcast messages.

Enabling Directed Broadcast-to-Physical Broadcast Translation


By default, IP directed broadcasts are dropped; they are not forwarded. Dropping IP-directed broadcasts makes
routers less susceptible to denial-of-service attacks.
You can enable forwarding of IP-directed broadcasts on an interface where the broadcast becomes a physical
(MAC-layer) broadcast. Only those protocols configured by using the ip forward-protocol global configuration
command are forwarded.
You can specify an access list to control which broadcasts are forwarded. When an access list is specified,
only those IP packets permitted by the access list are eligible to be translated from directed broadcasts to
physical broadcasts. For more information on access lists, see the “Information about Network Security with
ACLs" section in the Security Configuration Guide.

Procedure

Command or Action Purpose


Step 1 enable Enables privileged EXEC mode. Enter your password if
prompted.
Example:

SwitchDevice> enable

Step 2 configure terminal Enters the global configuration mode.


Example:

SwitchDevice# configure terminal

Step 3 interface interface-id Enters interface configuration mode, and specifies the
interface to configure.
Example:

SwitchDevice(config)# interface gigabitethernet 1/0/2

Step 4 ip directed-broadcast [access-list-number] Enables directed broadcast-to-physical broadcast
translation on the interface. You can include an access list to control which broadcasts are forwarded. When
an access list is specified, only IP packets permitted by the access list can be translated.
Example:

SwitchDevice(config-if)# ip directed-broadcast 103

Step 5 exit Returns to global configuration mode.


Example:

SwitchDevice(config-if)# exit

Step 6 ip forward-protocol {udp [port] | nd | sdns} Specifies which protocols and ports the router forwards
when forwarding broadcast packets.
• udp—Forward UDP datagrams.
port: (Optional) Destination port that controls which UDP services are forwarded.
• nd—Forward ND datagrams.
• sdns—Forward SDNS datagrams.
Example:

SwitchDevice(config)# ip forward-protocol nd

Step 7 end Returns to privileged EXEC mode.


Example:

SwitchDevice(config)# end

Step 8 show ip interface [interface-id] Verifies the configuration on the interface or all interfaces
Example:

SwitchDevice# show ip interface

Step 9 show running-config Verifies your entries.


Example:

SwitchDevice# show running-config

Step 10 copy running-config startup-config (Optional) Saves your entries in the configuration file.
Example:

SwitchDevice# copy running-config startup-config
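Because directed-broadcast forwarding is off by default for denial-of-service reasons, the interfaces that turn it on are worth enumerating from the running configuration, together with whether an access list restricts them, which helper addresses they forward to, and whether proxy ARP was explicitly disabled. The following Python audit is an added example, not part of the guide; it runs over a constructed configuration excerpt in the indented stanza layout of show running-config, and the interface names, addresses and ACL number in it are made up for the illustration.

```python
import re

# Constructed running-config excerpt (not from the guide).  One interface forwards
# directed broadcasts unfiltered, one filters them with ACL 103, one keeps the default.
SAMPLE_CONFIG = """\
ip forward-protocol nd
!
interface GigabitEthernet1/0/1
 ip address 10.1.10.254 255.255.255.0
 ip directed-broadcast
 ip helper-address 10.1.10.1
!
interface GigabitEthernet1/0/2
 ip address 10.1.5.254 255.255.255.0
 ip directed-broadcast 103
 no ip proxy-arp
!
interface GigabitEthernet1/0/3
 ip address 10.1.6.254 255.255.255.0
!
"""


def parse_interfaces(config_text):
    """Split an IOS-style config into {interface name: [subcommands]}.
    A stanza is the 'interface' line plus the indented lines that follow it."""
    interfaces = {}
    current = None
    for raw in config_text.splitlines():
        if raw.startswith("interface "):
            current = raw.split(None, 1)[1].strip()
            interfaces[current] = []
        elif raw.startswith(" ") and current is not None:
            interfaces[current].append(raw.strip())
        else:
            current = None  # '!' or a global command ends the stanza
    return interfaces


def audit_broadcast_handling(config_text):
    """Return (interface, setting, detail) for every interface that departs from
    the default broadcast or proxy-ARP behaviour described in this section."""
    findings = []
    for name, lines in parse_interfaces(config_text).items():
        for line in lines:
            m = re.match(r"ip directed-broadcast(?:\s+(\S+))?$", line)
            if m:
                if m.group(1):
                    detail = f"filtered by ACL {m.group(1)}"
                else:
                    detail = "unfiltered: every permitted protocol is translated"
                findings.append((name, "directed-broadcast", detail))
            elif line.startswith("ip helper-address "):
                findings.append((name, "helper-address", line.split()[-1]))
            elif line == "no ip proxy-arp":
                findings.append((name, "proxy-arp", "disabled"))
    return findings


def unfiltered_directed_broadcast(config_text):
    """Interfaces that translate directed broadcasts with no access list: the
    setting the text above says makes a router more exposed to denial of service."""
    return sorted(name for name, kind, detail in audit_broadcast_handling(config_text)
                  if kind == "directed-broadcast" and detail.startswith("unfiltered"))


if __name__ == "__main__":
    for finding in audit_broadcast_handling(SAMPLE_CONFIG):
        print(finding)
    print("needs an access list:", unfiltered_directed_broadcast(SAMPLE_CONFIG))
```

Proxy ARP is enabled by default and therefore leaves no line in the configuration; only its explicit removal shows up, which is why the audit reports "no ip proxy-arp" rather than trying to infer the enabled state.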

UDP Broadcast Packets and Protocols


User Datagram Protocol (UDP) is an IP host-to-host layer protocol, as is TCP. UDP provides a low-overhead,
connectionless session between two end systems and does not provide for acknowledgment of received
datagrams. Network hosts occasionally use UDP broadcasts to find address, configuration, and name
information. If such a host is on a network segment that does not include a server, UDP broadcasts are normally
not forwarded. You can remedy this situation by configuring an interface on a router to forward certain classes
of broadcasts to a helper address. You can use more than one helper address per interface.
You can specify a UDP destination port to control which UDP services are forwarded. You can specify multiple
UDP protocols. You can also specify the Network Disk (ND) protocol, which is used by older diskless Sun
workstations and the network security protocol SDNS.
By default, both UDP and ND forwarding are enabled if a helper address has been defined for an interface.
The description for the ip forward-protocol global configuration command in the Cisco IOS IP Command
Reference, Volume 1 of 3: Addressing and Services lists the ports that are forwarded by default if you do not
specify any UDP ports.

Forwarding UDP Broadcast Packets and Protocols


If you do not specify any UDP ports when you configure the forwarding of UDP broadcasts, you are configuring
the router to act as a BOOTP forwarding agent. BOOTP packets carry DHCP information.

Procedure

Command or Action Purpose


Step 1 enable Enables privileged EXEC mode. Enter your password if
prompted.
Example:

SwitchDevice> enable

Step 2 configure terminal Enters the global configuration mode.


Example:

SwitchDevice# configure terminal

Step 3 interface interface-id Enters interface configuration mode, and specifies the
Layer 3 interface to configure.
Example:

SwitchDevice(config)# interface gigabitethernet 1/0/1

Step 4 ip helper-address address Enables forwarding and specifies the destination address
for forwarding UDP broadcast packets, including BOOTP.
Example:

SwitchDevice(config-if)# ip helper-address 10.1.10.1

Step 5 exit Returns to global configuration mode.


Example:

SwitchDevice(config-if)# exit

Step 6 ip forward-protocol {udp [port] | nd | sdns} Specifies which protocols the router forwards when
forwarding broadcast packets.
Example:

SwitchDevice(config)# ip forward-protocol sdns

Step 7 end Returns to privileged EXEC mode.


Example:

SwitchDevice(config)# end

Step 8 show ip interface [interface-id] Verifies the configuration on the interface or all interfaces.
Example:

SwitchDevice# show ip interface gigabitethernet 1/0/1

Step 9 show running-config Verifies your entries.


Example:

SwitchDevice# show running-config

Step 10 copy running-config startup-config (Optional) Saves your entries in the configuration file.
Example:

SwitchDevice# copy running-config startup-config

Establishing an IP Broadcast Address


The most popular IP broadcast address (and the default) is an address consisting of all ones (255.255.255.255).
However, the Switch can be configured to generate any form of IP broadcast address.

Procedure

Command or Action Purpose


Step 1 enable Enables privileged EXEC mode. Enter your password if
prompted.
Example:

SwitchDevice> enable

Step 2 configure terminal Enters the global configuration mode.


Example:

SwitchDevice# configure terminal

Step 3 interface interface-id Enters interface configuration mode, and specifies the
interface to configure.
Example:

SwitchDevice(config)# interface gigabitethernet 1/0/1

Step 4 ip broadcast-address ip-address Enters a broadcast address different from the default, for
example 128.1.255.255.
Example:

SwitchDevice(config-if)# ip broadcast-address 128.1.255.255

Step 5 end Returns to privileged EXEC mode.


Example:

SwitchDevice(config-if)# end

Step 6 show ip interface [interface-id] Verifies the broadcast address on the interface or all
interfaces.
Example:

SwitchDevice# show ip interface

Step 7 copy running-config startup-config (Optional) Saves your entries in the configuration file.
Example:

SwitchDevice# copy running-config startup-config

IP Broadcast Flooding
You can allow IP broadcasts to be flooded throughout your internetwork in a controlled fashion by using the
database created by the bridging STP. Using this feature also prevents loops. To support this capability,
bridging must be configured on each interface that is to participate in the flooding. If bridging is not configured
on an interface, it still can receive broadcasts. However, the interface never forwards broadcasts it receives,
and the router never uses that interface to send broadcasts received on a different interface.
Packets that are forwarded to a single network address using the IP helper-address mechanism can be flooded.
Only one copy of the packet is sent on each network segment.
To be considered for flooding, packets must meet these criteria. (Note that these are the same conditions used
to consider packet forwarding using IP helper addresses.)
• The packet must be a MAC-level broadcast.
• The packet must be an IP-level broadcast.
• The packet must be a TFTP, DNS, Time, NetBIOS, ND, or BOOTP packet, or a UDP specified by the
ip forward-protocol udp global configuration command.
• The time-to-live (TTL) value of the packet must be at least two.

A flooded UDP datagram is given the destination address specified with the ip broadcast-address interface
configuration command on the output interface. The destination address can be set to any address. Thus, the
destination address might change as the datagram propagates through the network. The source address is never
changed. The TTL value is decremented.
When a flooded UDP datagram is sent out an interface (and the destination address possibly changed), the
datagram is handed to the normal IP output routines and is, therefore, subject to access lists, if they are present
on the output interface.

In the Switch, the majority of packets are forwarded in hardware; most packets do not go through the Switch
CPU. For those packets that do go to the CPU, you can speed up spanning tree-based UDP flooding by a
factor of about four to five times by using turbo-flooding. This feature is supported over Ethernet interfaces
configured for ARP encapsulation.
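The four flooding criteria and the rewrite rules in this section (destination replaced with the output interface's broadcast address, TTL decremented, source untouched, one copy per segment) amount to a small decision procedure. The following Python is an added example, not Cisco code, that applies those rules to constructed datagrams; the well-known port numbers used for the default-flooded services are my assumption, as is treating "IP-level broadcast" as either all-ones or the ingress interface's configured broadcast address.

```python
from dataclasses import dataclass

BROADCAST_MAC = "ffff.ffff.ffff"

# UDP ports for the services the text lists as flooded by default (Time, DNS, BOOTP
# server/client, TFTP, NetBIOS name and datagram).  The numbers are the well-known
# assignments and are my assumption; ND is not a UDP service and has its own keyword.
DEFAULT_FLOOD_PORTS = {37, 53, 67, 68, 69, 137, 138}


@dataclass
class Datagram:
    """Just the fields the flooding decision looks at (constructed model)."""
    dst_mac: str
    src_ip: str
    dst_ip: str
    ttl: int
    udp_dst_port: int


def is_ip_broadcast(addr, local_broadcast="255.255.255.255"):
    """All-ones or the ingress interface's broadcast address (ip broadcast-address)."""
    return addr in ("255.255.255.255", local_broadcast)


def flood_eligible(pkt, ingress_broadcast, extra_ports=frozenset()):
    """The four criteria from the text: MAC-level broadcast, IP-level broadcast, a
    default-flooded UDP service or one added with 'ip forward-protocol udp',
    and a TTL of at least two."""
    if pkt.dst_mac.lower() != BROADCAST_MAC:
        return False
    if not is_ip_broadcast(pkt.dst_ip, ingress_broadcast):
        return False
    if pkt.udp_dst_port not in DEFAULT_FLOOD_PORTS | set(extra_ports):
        return False
    return pkt.ttl >= 2


def flood_copy(pkt, egress_broadcast):
    """The copy sent on one output interface: destination rewritten to that
    interface's broadcast address, TTL decremented, source address unchanged."""
    return Datagram(pkt.dst_mac, pkt.src_ip, egress_broadcast, pkt.ttl - 1, pkt.udp_dst_port)


def flood(pkt, ingress_broadcast, egress_broadcasts, extra_ports=frozenset()):
    """Return one copy per output segment, or an empty list when not eligible."""
    if not flood_eligible(pkt, ingress_broadcast, extra_ports):
        return []
    return [flood_copy(pkt, b) for b in egress_broadcasts]


if __name__ == "__main__":
    tftp = Datagram("ffff.ffff.ffff", "10.1.5.7", "255.255.255.255", 64, 69)
    for copy in flood(tftp, "10.1.5.255", ["10.1.10.255", "128.1.255.255"]):
        print(copy)
```

The TTL check is the loop guard the text relies on: a datagram that arrives with TTL 1 is never flooded, and each copy that is flooded leaves with one less, so a datagram cannot circulate indefinitely even where the spanning-tree database is stale.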

Flooding IP Broadcasts

Procedure

Command or Action Purpose


Step 1 enable Enables privileged EXEC mode. Enter your password if
prompted.
Example:

SwitchDevice> enable

Step 2 configure terminal Enters the global configuration mode.


Example:

SwitchDevice# configure terminal

Step 3 ip forward-protocol spanning-tree Uses the bridging spanning-tree database to flood UDP
datagrams.
Example:

SwitchDevice(config)# ip forward-protocol spanning-tree

Step 4 end Returns to privileged EXEC mode.


Example:

SwitchDevice(config)# end

Step 5 show running-config Verifies your entries.


Example:

SwitchDevice# show running-config

Step 6 copy running-config startup-config (Optional) Saves your entries in the configuration file.
Example:

SwitchDevice# copy running-config startup-config

Step 7 configure terminal Enters the global configuration mode.


Example:

SwitchDevice# configure terminal

Step 8 ip forward-protocol turbo-flood Uses the spanning-tree database to speed up flooding of UDP
datagrams.
Example:

SwitchDevice(config)# ip forward-protocol turbo-flood

Step 9 end Returns to privileged EXEC mode.


Example:

SwitchDevice(config)# end

Step 10 show running-config Verifies your entries.


Example:

SwitchDevice# show running-config

Step 11 copy running-config startup-config (Optional) Saves your entries in the configuration file.
Example:

SwitchDevice# copy running-config startup-config

Monitoring and Maintaining IP Addressing


When the contents of a particular cache, table, or database have become or are suspected to be invalid, you
can remove all its contents by using the clear privileged EXEC commands. The following table lists the
commands for clearing contents.

Table 85: Commands to Clear Caches, Tables, and Databases

clear arp-cache Clears the IP ARP cache and the fast-switching cache.

clear host {name | *} Removes one or all entries from the hostname and the
address cache.

clear ip route {network [mask] | *} Removes one or more routes from the IP routing table.

You can display specific statistics, such as the contents of IP routing tables, caches, and databases; the
reachability of nodes; and the routing path that packets are taking through the network. The following table
lists the privileged EXEC commands for displaying IP statistics.

Table 86: Commands to Display Caches, Tables, and Databases

show arp Displays the entries in the ARP table.

show hosts Displays the default domain name, style of lookup service, name server hosts, and the cached
list of hostnames and addresses.

show ip aliases Displays IP addresses mapped to TCP ports (aliases).

show ip arp Displays the IP ARP cache.

show ip interface [interface-id] Displays the IP status of interfaces.

show ip irdp Displays IRDP values.

show ip masks address Displays the masks used for network addresses and
the number of subnets using each mask.

show ip redirects Displays the address of a default gateway.

show ip route [address [mask]] | [protocol] Displays the current state of the routing table.

show ip route summary Displays the current state of the routing table in
summary form.

How to Configure IP Unicast Routing


Enabling IP Unicast Routing
By default, the Switch is in Layer 2 switching mode and IP routing is disabled. To use the Layer 3 capabilities
of the Switch, you must enable IP routing.

Procedure

Command or Action Purpose


Step 1 enable Enables privileged EXEC mode. Enter your password if
prompted.
Example:

SwitchDevice> enable

Step 2 configure terminal Enters the global configuration mode.


Example:

SwitchDevice# configure terminal

Step 3 ip routing Enables IP routing.
Example:

SwitchDevice(config)# ip routing

Step 4 end Returns to privileged EXEC mode.


Example:

SwitchDevice(config)# end

Step 5 show running-config Verifies your entries.


Example:

SwitchDevice# show running-config

Step 6 copy running-config startup-config (Optional) Saves your entries in the configuration file.
Example:

SwitchDevice# copy running-config startup-config

Example of Enabling IP Unicast Routing


This example shows how to enable IP routing on a SwitchDevice:

SwitchDevice# configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
SwitchDevice(config)# ip routing
SwitchDevice(config)# end

Information About RIP


The Routing Information Protocol (RIP) is an interior gateway protocol (IGP) created for use in small,
homogeneous networks. It is a distance-vector routing protocol that uses broadcast User Datagram Protocol
(UDP) data packets to exchange routing information. The protocol is documented in RFC 1058. You can find
detailed information about RIP in IP Routing Fundamentals, published by Cisco Press.

Note RIP is supported in the .

Using RIP, the Switch sends routing information updates (advertisements) every 30 seconds. If a router does
not receive an update from another router for 180 seconds or more, it marks the routes served by that router
as unusable. If there is still no update after 240 seconds, the router removes all routing table entries for the
non-updating router.
RIP uses hop counts to rate the value of different routes. The hop count is the number of routers that can be
traversed in a route. A directly connected network has a hop count of zero; a network with a hop count of 16
is unreachable. This small range (0 to 15) makes RIP unsuitable for large networks.
If the router has a default network path, RIP advertises a route that links the router to the pseudonetwork
0.0.0.0. The 0.0.0.0 network does not exist; it is treated by RIP as a network to implement the default routing
feature. The Switch advertises the default network if a default was learned by RIP or if the router has a gateway
of last resort and RIP is configured with a default metric. RIP sends updates to the interfaces in specified
networks. If an interface’s network is not specified, it is not advertised in any RIP update.

How to Configure RIP


Default RIP Configuration
Table 87: Default RIP Configuration

Feature: Default Setting
Auto summary: Enabled.
Default-information originate: Disabled.
Default metric: Built-in; automatic metric translations.
IP RIP authentication key-chain: No authentication. Authentication mode: clear text.
IP RIP triggered: Disabled.
IP split horizon: Varies with media.
Neighbor: None defined.
Network: None specified.
Offset list: Disabled.
Output delay: 0 milliseconds.
Timers basic: Update 30 seconds; invalid 180 seconds; hold-down 180 seconds; flush 240 seconds.
Validate-update-source: Enabled.
Version: Receives RIP Version 1 and 2 packets; sends Version 1 packets.

Configuring Basic RIP Parameters


To configure RIP, you enable RIP routing for a network and optionally configure other parameters. On the
Switch, RIP configuration commands are ignored until you configure the network number.

Procedure

Step 1 enable
Enables privileged EXEC mode. Enter your password if prompted.
Example:
SwitchDevice> enable

Step 2 configure terminal
Enters the global configuration mode.
Example:
SwitchDevice# configure terminal

Step 3 ip routing
Enables IP routing. (Required only if IP routing is disabled.)
Example:
SwitchDevice(config)# ip routing

Step 4 router rip
Enables a RIP routing process, and enters router configuration mode.
Example:
SwitchDevice(config)# router rip

Step 5 network network-number
Associates a network with a RIP routing process. You can specify multiple network commands. RIP routing
updates are sent and received through interfaces only on these networks.
Note: You must configure a network number for the RIP commands to take effect.
Example:
SwitchDevice(config-router)# network 12

Step 6 neighbor ip-address
(Optional) Defines a neighboring router with which to exchange routing information. This step allows routing
updates from RIP (normally a broadcast protocol) to reach nonbroadcast networks.
Example:
SwitchDevice(config-router)# neighbor 10.2.5.1

Step 7 offset-list [access-list-number | name] {in | out} offset [type number]
(Optional) Applies an offset list to routing metrics to increase incoming and outgoing metrics to routes learned
through RIP. You can limit the offset list with an access list or an interface.
Example:
SwitchDevice(config-router)# offset-list 103 in 10

Step 8 timers basic update invalid holddown flush
(Optional) Adjusts routing protocol timers. Valid ranges for all timers are 0 to 4294967295 seconds.
• update: The time between sending routing updates. The default is 30 seconds.
• invalid: The time after which a route that has not been refreshed by an update is declared invalid. The
route is marked inaccessible and advertised as unreachable, but is still used for forwarding. The default
is 180 seconds.
• holddown: The time during which updates about a route that has been declared unreachable are
suppressed. The default is 180 seconds.
• flush: The time that must pass before a route that has not been refreshed is removed from the routing
table. The default is 240 seconds.
Example:
SwitchDevice(config-router)# timers basic 45 360 400 300

Step 9 version {1 | 2}
(Optional) Configures the switch to receive and send only RIP Version 1 or RIP Version 2 packets. By default,
the switch receives Version 1 and 2 but sends only Version 1. You can also use the interface commands
ip rip {send | receive} version {1 | 2 | 1 2} to control what versions are used for sending and receiving on
interfaces.
Example:
SwitchDevice(config-router)# version 2

Step 10 no auto-summary
(Optional) Disables automatic summarization. By default, the switch summarizes subprefixes when crossing
classful network boundaries. Disable summarization (RIP Version 2 only) to advertise subnet and host routing
information across classful network boundaries.
Example:
SwitchDevice(config-router)# no auto-summary

Step 11 no validate-update-source
(Optional) Disables validation of the source IP address of incoming RIP routing updates. By default, the switch
validates the source IP address of incoming RIP routing updates and discards the update if the source address
is not on the same subnet as the receiving interface. Under normal circumstances, disabling this feature is not
recommended, because it widens the set of hosts whose updates the switch accepts. However, if you have a
router that is off-network and you want to receive its updates, you can use this command, preferably together
with RIP authentication.
Example:
SwitchDevice(config-router)# no validate-update-source

Step 12 output-delay delay
(Optional) Adds interpacket delay for RIP updates sent. By default, packets in a multiple-packet RIP update
have no delay added between packets. If you are sending packets to a lower-speed device, you can add an
interpacket delay in the range of 8 to 50 milliseconds.
Example:
SwitchDevice(config-router)# output-delay 8

Step 13 end
Returns to privileged EXEC mode.
Example:
SwitchDevice(config-router)# end

Step 14 show ip protocols
Verifies your entries.
Example:
SwitchDevice# show ip protocols

Step 15 copy running-config startup-config
(Optional) Saves your entries in the configuration file.
Example:
SwitchDevice# copy running-config startup-config

Configuring RIP Authentication


RIP Version 1 does not support authentication. If you are sending and receiving RIP Version 2 packets, you
can enable RIP authentication on an interface. The key chain specifies the set of keys that can be used on the
interface. If a key chain is not configured, no authentication is performed, not even the default.
The Switch supports two modes of authentication on interfaces for which RIP authentication is enabled: plain
text and MD5. The default is plain text. In plain text mode the key is carried unencrypted in every update, so
anyone who can capture traffic on the link can read it; it protects only against accidental peering. Use MD5
mode, which carries a keyed digest instead of the key itself, on any link that untrusted hosts can reach.

Procedure

Step 1 enable
Enables privileged EXEC mode. Enter your password if prompted.
Example:
SwitchDevice> enable

Step 2 configure terminal
Enters the global configuration mode.
Example:
SwitchDevice# configure terminal

Step 3 interface interface-id
Enters interface configuration mode, and specifies the interface to configure.
Example:
SwitchDevice(config)# interface gigabitethernet 1/0/1

Step 4 ip rip authentication key-chain name-of-chain
Enables RIP authentication on the interface, using the keys defined in the named key chain.
Example:
SwitchDevice(config-if)# ip rip authentication key-chain trees

Step 5 ip rip authentication mode {text | md5}
Configures the interface to use plain text authentication (the default) or MD5 digest authentication.
Example:
SwitchDevice(config-if)# ip rip authentication mode md5

Step 6 end
Returns to privileged EXEC mode.
Example:
SwitchDevice(config-if)# end

Step 7 show running-config
Verifies your entries.
Example:
SwitchDevice# show running-config

Step 8 copy running-config startup-config
(Optional) Saves your entries in the configuration file.
Example:
SwitchDevice# copy running-config startup-config
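The two authentication modes differ in what goes on the wire, and the key chain, the validate-update-source check and the sequence number are what a receiving switch applies to each update. The following Python script is an added illustration written for this page, not Cisco code: it builds a RIPv2 response with plain text authentication and with keyed MD5 authentication per RFC 2082, shows that the plain text password can be read straight out of the packet, verifies the MD5 digest, and applies the receive-side policy described above (source address on the receiving interface's subnet, valid digest, sequence number that advances). The routes, key, addresses and sequence numbers are constructed sample data; the replay check is stricter than RFC 2082, which accepts a repeated (non-decreasing) sequence number, and the authentication data length uses the RFC value of 16.

```python
"""RIPv2 update authentication: plain text (type 2) versus keyed MD5 (type 3,
RFC 2082), plus the receive-side checks described on this page.

Added illustration written for this page, not Cisco code. Packet layout per
RFC 1723 and RFC 2082; routes, key, addresses and sequence numbers are
constructed sample data.
"""
import hashlib
import hmac
import ipaddress
import struct

RIP_RESPONSE, RIP_V2 = 2, 2
AF_INET, AF_AUTH = 2, 0xFFFF
AUTH_TEXT, AUTH_MD5 = 2, 3
TRAILER_HDR = struct.pack("!HH", AF_AUTH, 1)   # marks the MD5 digest trailer


def _route_entries(routes):
    """Encode (prefix, metric) pairs as 20-byte RIPv2 entries, next hop 0.0.0.0."""
    out = b""
    for prefix, metric in routes:
        net = ipaddress.ip_network(prefix)
        out += struct.pack("!HH4s4s4sI", AF_INET, 0, net.network_address.packed,
                           net.netmask.packed, b"\0" * 4, metric)
    return out


def build_text_update(routes, password):
    """Plain text mode: the password itself rides in the first entry, unencrypted."""
    header = struct.pack("!BBH", RIP_RESPONSE, RIP_V2, 0)
    auth = struct.pack("!HH16s", AF_AUTH, AUTH_TEXT, password.encode().ljust(16, b"\0"))
    return header + auth + _route_entries(routes)


def build_md5_update(routes, key, key_id, seq):
    """Keyed MD5 (RFC 2082): hash the packet with the zero-padded key in the
    trailer slot, then write the digest over the key. Auth data length is the
    RFC value 16 (assumption: some implementations send 20 here)."""
    header = struct.pack("!BBH", RIP_RESPONSE, RIP_V2, 0)
    body = _route_entries(routes)
    pkt_len = len(header) + 20 + len(body)          # offset of the trailer
    auth = struct.pack("!HHHBBI8s", AF_AUTH, AUTH_MD5, pkt_len, key_id, 16, seq, b"\0" * 8)
    padded_key = key.encode().ljust(16, b"\0")
    digest = hashlib.md5(header + auth + body + TRAILER_HDR + padded_key).digest()
    return header + auth + body + TRAILER_HDR + digest


def text_password_from_wire(pkt):
    """What a sniffer on the link sees in plain text mode: the password."""
    af, atype = struct.unpack("!HH", pkt[4:8])
    if af == AF_AUTH and atype == AUTH_TEXT:
        return pkt[8:24].rstrip(b"\0").decode()
    return None


def verify_md5_update(pkt, key):
    """Recompute the RFC 2082 digest. Returns (ok, sequence_number)."""
    if len(pkt) < 4 + 20 + 4 + 16:
        return False, None
    af, atype, pkt_len, _key_id, _alen, seq = struct.unpack("!HHHBBI", pkt[4:16])
    if af != AF_AUTH or atype != AUTH_MD5 or pkt_len + 4 + 16 != len(pkt):
        return False, None
    if pkt[pkt_len:pkt_len + 4] != TRAILER_HDR:
        return False, None
    expected = hashlib.md5(pkt[:pkt_len + 4] + key.encode().ljust(16, b"\0")).digest()
    return hmac.compare_digest(expected, pkt[pkt_len + 4:]), seq


def accept_update(pkt, src_ip, iface_prefix, key, last_seq, validate_source=True):
    """Receive-side policy: source on the receiving interface's subnet
    (validate-update-source), digest valid, sequence number advanced.
    RFC 2082 only requires non-decreasing sequence numbers; requiring strictly
    greater also rejects a replay of the most recent update (stricter than the RFC)."""
    if validate_source and ipaddress.ip_address(src_ip) not in ipaddress.ip_network(iface_prefix):
        return "dropped: source not on interface subnet"
    ok, seq = verify_md5_update(pkt, key)
    if not ok:
        return "dropped: bad digest or wrong key"
    if seq <= last_seq:
        return "dropped: replayed sequence number"
    return "accepted"


if __name__ == "__main__":
    routes = [("10.2.0.0/16", 1), ("10.3.0.0/16", 2)]   # constructed sample routes
    print("plain text key on the wire:", text_password_from_wire(build_text_update(routes, "trees-key")))
    pkt = build_md5_update(routes, "trees-key", key_id=1, seq=100)
    print("md5 key on the wire:", text_password_from_wire(pkt))
    print(accept_update(pkt, "10.1.1.2", "10.1.1.0/24", "trees-key", last_seq=99))
    print(accept_update(pkt, "10.1.1.2", "10.1.1.0/24", "trees-key", last_seq=100))
```

Note that even MD5 mode is a keyed digest, not encryption: the routes themselves remain readable on the wire, and the sequence number is the only replay protection, which is why disabling validate-update-source without authentication leaves the switch accepting updates from any host that can reach it.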

Summary Addresses and Split Horizon


Routers connected to broadcast-type IP networks and using distance-vector routing protocols normally use
the split-horizon mechanism to reduce the possibility of routing loops. Split horizon blocks information about
routes from being advertised by a router on any interface from which that information originated. This feature
usually optimizes communication among multiple routers, especially when links are broken.

Configuring Summary Addresses and Split Horizon

Note In general, disabling split horizon is not recommended unless you are certain that your application requires
it to properly advertise routes.

If you want to configure an interface running RIP to advertise a summarized local IP address pool on a network
access server for dial-up clients, use the ip summary-address rip interface configuration command.

Note If split horizon is enabled, neither autosummary nor interface IP summary addresses are advertised.


Procedure

Step 1 enable
Enables privileged EXEC mode. Enter your password if prompted.
Example:
SwitchDevice> enable

Step 2 configure terminal
Enters the global configuration mode.
Example:
SwitchDevice# configure terminal

Step 3 interface interface-id
Enters interface configuration mode, and specifies the Layer 3 interface to configure.
Example:
SwitchDevice(config)# interface gigabitethernet 1/0/1

Step 4 ip address ip-address subnet-mask
Configures the IP address and IP subnet.
Example:
SwitchDevice(config-if)# ip address 10.1.1.10 255.255.255.0

Step 5 ip summary-address rip ip-address network-mask
Configures the IP address to be summarized and the IP network mask.
Example:
SwitchDevice(config-if)# ip summary-address rip 10.1.1.30 255.255.255.0

Step 6 no ip split-horizon
Disables split horizon on the interface.
Example:
SwitchDevice(config-if)# no ip split-horizon

Step 7 end
Returns to privileged EXEC mode.
Example:
SwitchDevice(config-if)# end

Step 8 show ip interface interface-id
Verifies your entries.
Example:
SwitchDevice# show ip interface gigabitethernet 1/0/1

Step 9 copy running-config startup-config
(Optional) Saves your entries in the configuration file.
Example:
SwitchDevice# copy running-config startup-config

Configuring Split Horizon


Routers connected to broadcast-type IP networks and using distance-vector routing protocols normally use
the split-horizon mechanism to reduce the possibility of routing loops. Split horizon blocks information about
routes from being advertised by a router on any interface from which that information originated. This feature
can optimize communication among multiple routers, especially when links are broken.

Note In general, we do not recommend disabling split horizon unless you are certain that your application requires
it to properly advertise routes.

Procedure

Step 1 enable
Enables privileged EXEC mode. Enter your password if prompted.
Example:
SwitchDevice> enable

Step 2 configure terminal
Enters the global configuration mode.
Example:
SwitchDevice# configure terminal

Step 3 interface interface-id
Enters interface configuration mode, and specifies the interface to configure.
Example:
SwitchDevice(config)# interface gigabitethernet 1/0/1

Step 4 ip address ip-address subnet-mask
Configures the IP address and IP subnet.
Example:
SwitchDevice(config-if)# ip address 10.1.1.10 255.255.255.0

Step 5 no ip split-horizon
Disables split horizon on the interface.
Example:
SwitchDevice(config-if)# no ip split-horizon

Step 6 end
Returns to privileged EXEC mode.
Example:
SwitchDevice(config-if)# end

Step 7 show ip interface interface-id
Verifies your entries.
Example:
SwitchDevice# show ip interface gigabitethernet 1/0/1

Step 8 copy running-config startup-config
(Optional) Saves your entries in the configuration file.
Example:
SwitchDevice# copy running-config startup-config
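Why the sections above warn against disabling split horizon is easiest to see by simulating the count-to-infinity loop it prevents. The script below is an added illustration for this page, not Cisco code: three routers A, B and C in a line, with network N attached to C. N goes down, and in each synchronous round every router sends its table to its neighbors (metric plus one, with 16 meaning unreachable, as on this page) and expires any route its next hop stopped advertising. The topology, the invalid timer compressed to one round, and the absence of hold-down, poison reverse and triggered updates are simplifying assumptions made for the example.

```python
"""Count to infinity with and without split horizon.

Added illustration for this page, not Cisco code. Topology A - B - C with
network N directly connected to C (hop count 0, as on this page), synchronous
update rounds, and an invalid timer compressed to one round are constructed
simplifications; real RIP also has hold-down and triggered updates.
"""
INFINITY = 16                                   # hop count 16 = unreachable
LINKS = {"A": ["B"], "B": ["A", "C"], "C": ["B"]}


def initial_tables():
    """dest -> (metric, next_hop) per router, just after N has gone down on C."""
    return {"A": {"N": (2, "B")}, "B": {"N": (1, "C")}, "C": {}}


def advertisement(table, to_neighbor, split_horizon):
    """Routes announced to one neighbor; with split horizon a route is never
    sent back toward the neighbor it was learned from."""
    adv = {}
    for dest, (metric, next_hop) in table.items():
        if split_horizon and next_hop == to_neighbor:
            continue
        adv[dest] = min(metric + 1, INFINITY)
    return adv


def run_round(tables, split_horizon):
    """One update round. A route whose next hop stopped advertising it expires
    (goes to 16); an update from the current next hop is always taken, one
    from any other neighbor only if it is strictly better."""
    adverts = {(src, dst): advertisement(tables[src], dst, split_horizon)
               for src in LINKS for dst in LINKS[src]}
    new_tables = {}
    for router, table in tables.items():
        new = dict(table)
        for dest, (metric, next_hop) in table.items():
            if next_hop is not None and dest not in adverts[(next_hop, router)]:
                new[dest] = (INFINITY, next_hop)
        for neighbor in LINKS[router]:
            for dest, metric in adverts[(neighbor, router)].items():
                cur_metric, cur_next_hop = new.get(dest, (INFINITY, None))
                if neighbor == cur_next_hop or metric < cur_metric:
                    new[dest] = (metric, neighbor)
        new_tables[router] = new
    return new_tables


def simulate(split_horizon):
    """Run until no table changes. Returns (rounds, per-router metric history for N)."""
    tables = initial_tables()
    history = {router: [] for router in LINKS}
    rounds = 0
    while True:
        new_tables = run_round(tables, split_horizon)
        rounds += 1
        for router in LINKS:
            history[router].append(new_tables[router].get("N", (None,))[0])
        if new_tables == tables:
            return rounds, history
        tables = new_tables


if __name__ == "__main__":
    for sh in (False, True):
        rounds, hist = simulate(split_horizon=sh)
        state = "on " if sh else "off"
        print(f"split horizon {state}: converged after {rounds} rounds; B's metric for N: {hist['B']}")
```

Without split horizon A keeps handing N back to B with a metric one higher than B gave it, so B's metric climbs 3, 5, 7 ... until every router reaches 16 after sixteen rounds; with split horizon A never re-advertises N toward B, B's route simply expires, and the three routers agree that N is unreachable after three rounds.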

Configuration Example for Summary Addresses and Split Horizon


In this example, the major net is 10.0.0.0. The summary address 10.2.0.0 overrides the autosummary address
of 10.0.0.0 so that 10.2.0.0 is advertised out interface Gigabit Ethernet port 2, and 10.0.0.0 is not advertised.
In the example, if the interface is still in Layer 2 mode (the default), you must enter a no switchport interface
configuration command before entering the ip address interface configuration command.

Note If split horizon is enabled, neither autosummary nor interface summary addresses (those configured with the
ip summary-address rip interface configuration command) are advertised.

SwitchDevice(config)# interface gigabitethernet1/0/2
SwitchDevice(config-if)# ip address 10.1.5.1 255.255.255.0
SwitchDevice(config-if)# ip summary-address rip 10.2.0.0 255.255.0.0
SwitchDevice(config-if)# no ip split-horizon
SwitchDevice(config-if)# exit
SwitchDevice(config)# router rip
SwitchDevice(config-router)# network 10.0.0.0
SwitchDevice(config-router)# neighbor 2.2.2.2
SwitchDevice(config-router)# end


Information About OSPF


OSPF is an Interior Gateway Protocol (IGP) designed expressly for IP networks, supporting IP subnetting
and tagging of externally derived routing information. OSPF also allows packet authentication and uses IP
multicast when sending and receiving packets. The Cisco implementation supports RFC 1253, OSPF
management information base (MIB).
The Cisco implementation conforms to the OSPF Version 2 specifications with these key features:
• Definition of stub areas is supported.
• Routes learned through any IP routing protocol can be redistributed into another IP routing protocol. At
the intradomain level, this means that OSPF can import routes learned through EIGRP and RIP. OSPF
routes can also be exported into RIP.
• Plain text and MD5 authentication among neighboring routers within an area is supported.
• Configurable routing interface parameters include interface output cost, retransmission interval, interface
transmit delay, router priority, router dead and hello intervals, and authentication key.
• Virtual links are supported.
• Not-so-stubby-areas (NSSAs) per RFC 1587 are supported.

OSPF typically requires coordination among many internal routers, area border routers (ABRs) connected to
multiple areas, and autonomous system boundary routers (ASBRs). The minimum configuration would use
all default parameter values, no authentication, and interfaces assigned to areas. If you customize your
environment, you must ensure coordinated configuration of all routers.

How to Configure OSPF


Default OSPF Configuration
Table 88: Default OSPF Configuration

Feature: Default Setting
Interface parameters:
• Cost: no default cost predefined.
• Retransmit interval: 5 seconds.
• Transmit delay: 1 second.
• Priority: 1.
• Hello interval: 10 seconds.
• Dead interval: 4 times the hello interval.
• No authentication. No password specified. MD5 authentication disabled.
Area:
• Authentication type: 0 (no authentication).
• Default cost: 1.
• Range: disabled.
• Stub: no stub area defined.
• NSSA: no NSSA area defined.
Auto cost: 100 Mb/s.
Default-information originate: Disabled. When enabled, the default metric setting is 10, and the external
route type default is Type 2.
Default metric: Built-in, automatic metric translation, as appropriate for each routing protocol.
Distance OSPF:
• dist1 (all routes within an area): 110.
• dist2 (all routes from one area to another): 110.
• dist3 (routes from other routing domains): 110.
OSPF database filter: Disabled. All outgoing link-state advertisements (LSAs) are flooded to the interface.
IP OSPF name lookup: Disabled.
Log adjacency changes: Enabled.
Neighbor: None specified.
Neighbor database filter: Disabled. All outgoing LSAs are flooded to the neighbor.
Network area: Disabled.
Nonstop Forwarding (NSF) awareness: Enabled. Allows a Layer 3 Switch to continue forwarding packets from
a neighboring NSF-capable router during hardware or software changes.
NSF capability: Disabled.
Note: The Switch stack supports OSPF NSF-capable routing for IPv4.
Router ID: No OSPF routing process defined.
Summary address: Disabled.
Timers LSA group pacing: 240 seconds.
Timers shortest path first (spf): spf delay: 5 seconds; spf-holdtime: 10 seconds.
Virtual link:
• No area ID or router ID defined.
• Hello interval: 10 seconds.
• Retransmit interval: 5 seconds.
• Transmit delay: 1 second.
• Dead interval: 40 seconds.
• Authentication key: no key predefined.
• Message-digest key (MD5): no key predefined.

OSPF for Routed Access


With Cisco IOS Release 12.2(55)SE, the IP Base image supports OSPF for routed access. The IP services
image is required if you need multiple OSPFv2 and OSPFv3 instances without route restrictions. Additionally,
the IP services image is required to enable the multi-VRF-CE feature.
OSPF for Routed Access is specifically designed so that you can extend Layer 3 routing capabilities to the
wiring closet.

Note OSPF for Routed Access supports only one OSPFv2 and one OSPFv3 instance with a combined total of 200
dynamically learned routes. The IP Base image provides OSPF for routed access.
However, these restrictions are not enforced in this release.

With the typical topology (hub and spoke) in a campus environment, where the wiring closets (spokes) are
connected to the distribution switch (hub) that forwards all nonlocal traffic to the distribution layer, the wiring
closet Switch need not hold a complete routing table. A best practice design, where the distribution Switch
sends a default route to the wiring closet Switch to reach interarea and external routes (OSPF stub or totally
stub area configuration) should be used when OSPF for Routed Access is used in the wiring closet.
For more details, see the “High Availability Campus Network Design—Routed Access Layer using EIGRP
or OSPF” document.

OSPF Nonstop Forwarding


The Switch or switch stack supports two levels of nonstop forwarding (NSF):
• OSPF NSF Awareness, on page 804
• OSPF NSF Capability, on page 805

OSPF NSF Awareness


The IP services feature set supports OSPF NSF awareness for IPv4. When the neighboring router
is NSF-capable, the Layer 3 Switch continues to forward packets from the neighboring router during the
interval between the primary Route Processor (RP) in a router crashing and the backup RP taking over, or
while the primary RP is manually reloaded for a non-disruptive software upgrade.
This feature cannot be disabled.


OSPF NSF Capability


The IP services feature set supports the OSPFv2 NSF IETF format in addition to the OSPFv2 NSF Cisco
format that is supported in earlier releases. For information about this feature, see NSF—OSPF (RFC 3623
OSPF Graceful Restart).
The IP services feature set also supports OSPF NSF-capable routing for IPv4 for better convergence and
lower traffic loss following a stack master change. When a stack master change occurs in an OSPF NSF-capable
stack, the new stack master must do two things to resynchronize its link-state database with its OSPF neighbors:
• Relearn the available OSPF neighbors on the network without resetting the neighbor relationship.
• Reacquire the contents of the link-state database for the network.

After a stack master change, the new master sends an OSPF NSF signal to neighboring NSF-aware devices.
A device recognizes this signal to mean that it should not reset the neighbor relationship with the stack. As
the NSF-capable stack master receives signals from other routers on the network, it begins to rebuild its neighbor
list.
When the neighbor relationships are reestablished, the NSF-capable stack master resynchronizes its database
with its NSF-aware neighbors, and routing information is exchanged between the OSPF neighbors. The new
stack master uses this routing information to remove stale routes, to update the routing information base
(RIB), and to update the forwarding information base (FIB) with the new information. The OSPF protocols
then fully converge.

Note OSPF NSF requires that all neighbor networking devices be NSF-aware. If an NSF-capable router discovers
non-NSF aware neighbors on a network segment, it disables NSF capabilities for that segment. Other network
segments where all devices are NSF-aware or NSF-capable continue to provide NSF capabilities.

Use the nsf OSPF routing configuration command to enable OSPF NSF routing. Use the show ip ospf
privileged EXEC command to verify that it is enabled.
For more information, see Cisco Nonstop Forwarding:
http://www.cisco.com/en/US/docs/ios/ha/configuration/guide/ha-nonstp_fwdg.html

Configuring Basic OSPF Parameters


To enable OSPF, create an OSPF routing process, specify the range of IP addresses to associate with the
routing process, and assign area IDs to be associated with that range.

Procedure

Step 1 configure terminal
Enters the global configuration mode.
Example:
SwitchDevice# configure terminal

Step 2 router ospf process-id
Enables OSPF routing, and enters router configuration mode. The process ID is an internally used
identification parameter that is locally assigned and can be any positive integer. Each OSPF routing process
has a unique value.
Note: OSPF for Routed Access supports only one OSPFv2 and one OSPFv3 instance with a maximum number
of 200 dynamically learned routes.
Example:
SwitchDevice(config)# router ospf 15

Step 3 network address wildcard-mask area area-id
Defines an interface on which OSPF runs and the area ID for that interface. You can use the wildcard mask to
associate one or more interfaces with a specific OSPF area in a single command. The area ID can be a decimal
value or an IP address.
Example:
SwitchDevice(config-router)# network 10.1.1.1 255.240.0.0 area 20

Step 4 end
Returns to privileged EXEC mode.
Example:
SwitchDevice(config-router)# end

Step 5 show ip protocols
Verifies your entries.
Example:
SwitchDevice# show ip protocols

Step 6 copy running-config startup-config
(Optional) Saves your entries in the configuration file.
Example:
SwitchDevice# copy running-config startup-config

Example: Configuring Basic OSPF Parameters


This example shows how to configure an OSPF routing process and assign it a process number of 109:

SwitchDevice(config)# router ospf 109
SwitchDevice(config-router)# network 131.108.0.0 255.255.255.0 area 24

Configuring OSPF Interfaces


You can use the ip ospf interface configuration commands to modify interface-specific OSPF parameters.
You are not required to modify any of these parameters, but some interface parameters (hello interval, dead
interval, and authentication key) must be consistent across all routers in an attached network. If you modify
these parameters, be sure all routers in the network have compatible values.

Note The ip ospf interface configuration commands are all optional.


Procedure

Step 1 configure terminal
Enters the global configuration mode.
Example:
SwitchDevice# configure terminal

Step 2 interface interface-id
Enters interface configuration mode, and specifies the Layer 3 interface to configure.
Example:
SwitchDevice(config)# interface gigabitethernet 1/0/1

Step 3 ip ospf cost cost
(Optional) Explicitly specifies the cost of sending a packet on the interface.
Example:
SwitchDevice(config-if)# ip ospf cost 8

Step 4 ip ospf retransmit-interval seconds
(Optional) Specifies the number of seconds between link state advertisement retransmissions. The range is
1 to 65535 seconds. The default is 5 seconds.
Example:
SwitchDevice(config-if)# ip ospf retransmit-interval 10

Step 5 ip ospf transmit-delay seconds
(Optional) Sets the estimated number of seconds to wait before sending a link state update packet. The range
is 1 to 65535 seconds. The default is 1 second.
Example:
SwitchDevice(config-if)# ip ospf transmit-delay 2

Step 6 ip ospf priority number
(Optional) Sets the priority used to elect the OSPF designated router for a network. The range is from 0 to
255; a priority of 0 makes the interface ineligible to become designated router. The default is 1.
Example:
SwitchDevice(config-if)# ip ospf priority 5

Step 7 ip ospf hello-interval seconds
(Optional) Sets the number of seconds between hello packets sent on an OSPF interface. The value must be
the same for all nodes on a network. The range is 1 to 65535 seconds. The default is 10 seconds.
Example:
SwitchDevice(config-if)# ip ospf hello-interval 12

Step 8 ip ospf dead-interval seconds
(Optional) Sets the number of seconds after the last device hello packet was seen before its neighbors declare
the OSPF router to be down. The value must be the same for all nodes on a network. The range is 1 to 65535
seconds. The default is 4 times the hello interval.
Example:
SwitchDevice(config-if)# ip ospf dead-interval 8

Step 9 ip ospf authentication-key key
(Optional) Assigns a password to be used by neighboring OSPF routers for simple password authentication.
The password can be any string of keyboard-entered characters up to 8 bytes in length. All neighboring
routers on the same network must have the same password to exchange OSPF information. The password is
carried unencrypted in every OSPF packet, so prefer the MD5 key of Step 10 on any link an untrusted host
can reach.
Example:
SwitchDevice(config-if)# ip ospf authentication-key password

Step 10 ip ospf message-digest-key key-id md5 key
(Optional) Enables MD5 authentication. The key is used when the area is configured with area area-id
authentication message-digest.
• key-id: An identifier from 1 to 255.
• key: An alphanumeric password of up to 16 bytes.
Example:
SwitchDevice(config-if)# ip ospf message-digest-key 16 md5 your1pass

Step 11 ip ospf database-filter all out
(Optional) Blocks flooding of OSPF LSA packets to the interface. By default, OSPF floods new LSAs over
all interfaces in the same area, except the interface on which the LSA arrives.
Example:
SwitchDevice(config-if)# ip ospf database-filter all out

Step 12 end
Returns to privileged EXEC mode.
Example:
SwitchDevice(config-if)# end

Step 13 show ip ospf interface [interface-name]
Displays OSPF-related interface information.
Example:
SwitchDevice# show ip ospf interface

Step 14 show ip ospf neighbor detail
Displays the NSF awareness status of the neighbor switch. The output matches one of these examples:
• Options is 0x52 together with LLS Options is 0x1 (LR): when both of these lines appear, the neighbor
switch is NSF aware.
• Options is 0x42: the neighbor switch is not NSF aware.
Example:
SwitchDevice# show ip ospf neighbor detail

Step 15 copy running-config startup-config
(Optional) Saves your entries in the configuration file.
Example:
SwitchDevice# copy running-config startup-config
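Step 14 asks you to read the Options and LLS Options lines by eye. The following Python script is an added illustration, not Cisco code, that decodes those fields from show ip ospf neighbor detail output: bit 0x10 of Options is the L bit (an LLS data block follows, RFC 5613) and bit 0x1 of LLS Options is LR (link-state database resynchronization, RFC 4811), so a neighbor is NSF aware when both are set, which is the 0x52 plus LLS 0x1 case above, while 0x42 lacks the L bit. The sample output is constructed in the format this page shows; the neighbor addresses and interface names are assumptions, and the parser only relies on the Neighbor, via interface, Options and LLS Options lines.

```python
"""Decode Options / LLS Options from `show ip ospf neighbor detail` to automate
the NSF-awareness check. Added illustration, not Cisco code; SAMPLE is
constructed in the format this page shows, with assumed addresses and names.
"""
import re

# OSPF Options byte: E (RFC 2328), MC (RFC 1584), N/P (RFC 3101), L (RFC 5613),
# DC (RFC 1793), O (RFC 5250).
OPTION_BITS = {0x02: "E", 0x04: "MC", 0x08: "N/P", 0x10: "L", 0x20: "DC", 0x40: "O"}
L_BIT = 0x10
# LLS Extended Options: LR = LSDB resynchronization (RFC 4811), RS = restart signaling (RFC 4812).
LLS_BITS = {0x1: "LR", 0x2: "RS"}
LR_BIT = 0x1

SAMPLE = """\
 Neighbor 10.1.1.2, interface address 10.1.1.2
    In the area 0 via interface GigabitEthernet1/0/1
    Neighbor priority is 1, State is FULL, 6 state changes
    DR is 10.1.1.2 BDR is 10.1.1.1
    Options is 0x52
    LLS Options is 0x1 (LR)
    Dead timer due in 00:00:33
 Neighbor 10.1.2.2, interface address 10.1.2.2
    In the area 0 via interface GigabitEthernet1/0/2
    Neighbor priority is 1, State is FULL, 6 state changes
    DR is 10.1.2.2 BDR is 10.1.2.1
    Options is 0x42
    Dead timer due in 00:00:38
"""


def decode_bits(value, names):
    """Names of the set bits, lowest bit first."""
    return [name for bit, name in sorted(names.items()) if value & bit]


def parse_neighbors(text):
    """One dict per neighbor block: id, interface, options, lls, nsf_aware."""
    neighbors = []
    for block in re.split(r"(?m)^\s*Neighbor (?=\d)", text):
        if not block.strip():
            continue
        neighbor_id = block.split(",", 1)[0].strip()
        iface = re.search(r"via interface (\S+)", block)
        # Anchor at line start so "LLS Options is" is not mistaken for "Options is".
        opt = re.search(r"(?m)^\s*Options is 0x([0-9A-Fa-f]+)", block)
        lls = re.search(r"LLS Options is 0x([0-9A-Fa-f]+)", block)
        options = int(opt.group(1), 16) if opt else 0
        lls_value = int(lls.group(1), 16) if lls else None
        neighbors.append({
            "id": neighbor_id,
            "interface": iface.group(1) if iface else None,
            "options": decode_bits(options, OPTION_BITS),
            "lls": decode_bits(lls_value, LLS_BITS) if lls_value is not None else None,
            # The page's rule: L bit in Options plus LR in LLS Options means NSF aware.
            "nsf_aware": bool(options & L_BIT) and lls_value is not None and bool(lls_value & LR_BIT),
        })
    return neighbors


def not_nsf_aware(text):
    """(neighbor, interface) pairs where NSF will be disabled for that segment."""
    return [(n["id"], n["interface"]) for n in parse_neighbors(text) if not n["nsf_aware"]]


if __name__ == "__main__":
    for n in parse_neighbors(SAMPLE):
        print(n)
    print("NSF lost on:", not_nsf_aware(SAMPLE))
```

Run against real output pasted into SAMPLE, the not_nsf_aware list tells you which segments lose NSF, which matters because (as the NSF Capability section notes) one non-NSF-aware neighbor disables NSF for the whole segment.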


Related Topics
Configuring Other OSPF Parameters, on page 812

OSPF Area Parameters


You can optionally configure several OSPF area parameters. These parameters include authentication for
password-based protection against unauthorized access to an area, stub areas, and not-so-stubby-areas (NSSAs).
Stub areas are areas into which information on external routes is not sent. Instead, the area border router (ABR)
generates a default external route into the stub area for destinations outside the autonomous system (AS). An
NSSA does not flood all LSAs from the core into the area, but can import AS external routes within the area
by redistribution.
Route summarization is the consolidation of advertised addresses into a single summary route that is advertised
into other areas. If network numbers are contiguous, you can use the area range router configuration command
to configure the ABR to advertise a summary route that covers all networks in the range.

Configuring OSPF Area Parameters

Before you begin

Note The OSPF area router configuration commands are all optional.

Procedure

Step 1 configure terminal
Enters the global configuration mode.
Example:
SwitchDevice# configure terminal

Step 2 router ospf process-id
Enables OSPF routing, and enters router configuration mode.
Example:
SwitchDevice(config)# router ospf 109

Step 3 area area-id authentication
(Optional) Allows password-based protection against unauthorized access to the identified area. The identifier
can be either a decimal value or an IP address.
Example:
SwitchDevice(config-router)# area 1 authentication

Step 4 area area-id authentication message-digest
(Optional) Enables MD5 authentication on the area.
Example:
SwitchDevice(config-router)# area 1 authentication message-digest

Step 5 area area-id stub [no-summary]
(Optional) Defines an area as a stub area. The no-summary keyword prevents an ABR from sending summary
link advertisements into the stub area.
Example:
SwitchDevice(config-router)# area 1 stub

Step 6 area area-id nssa [no-redistribution] [default-information-originate] [no-summary]
(Optional) Defines an area as a not-so-stubby-area. Every router within the same area must agree that the
area is NSSA. Select one of these keywords:
• no-redistribution: Select when the router is an NSSA ABR and you want the redistribute command to
import routes into normal areas, but not into the NSSA.
• default-information-originate: Select on an ABR to allow importing type 7 LSAs into the NSSA.
• no-summary: Select to not send summary LSAs into the NSSA.
Example:
SwitchDevice(config-router)# area 1 nssa default-information-originate

Step 7 area area-id range address mask
(Optional) Specifies an address range for which a single route is advertised. Use this command only with
area border routers.
Example:
SwitchDevice(config-router)# area 1 range 255.240.0.0

Step 8 end
Returns to privileged EXEC mode.
Example:
SwitchDevice(config-router)# end

Step 9 show ip ospf [process-id]
Displays information about the OSPF routing process in general or for a specific process ID to verify
configuration.
Example:
SwitchDevice# show ip ospf

Step 10 show ip ospf [process-id [area-id]] database
Displays lists of information related to the OSPF database for a specific router.
Example:
SwitchDevice# show ip ospf database

Step 11 copy running-config startup-config
(Optional) Saves your entries in the configuration file.
Example:
SwitchDevice# copy running-config startup-config


Other OSPF Parameters


You can optionally configure other OSPF parameters in router configuration mode.
• Route summarization: When redistributing routes from other protocols, each route is advertised
individually in an external LSA. To help decrease the size of the OSPF link state database, you can use
the summary-address router configuration command to advertise a single route for all the redistributed
routes included in a specified network address and mask.
• Virtual links: In OSPF, all areas must be connected to a backbone area. You can establish a virtual link
in case of a backbone-continuity break by configuring two Area Border Routers as endpoints of a virtual
link. Configuration information includes the identity of the other virtual endpoint (the other ABR) and
the nonbackbone area that the two routers have in common (the transit area). Virtual links cannot be
configured through a stub area.
• Default route: When you specifically configure redistribution of routes into an OSPF routing domain,
the router automatically becomes an autonomous system boundary router (ASBR). You can force the
ASBR to generate a default route into the OSPF routing domain.
• Domain Name Server (DNS) names for use in all OSPF show privileged EXEC command displays make
it easier to identify a router than displaying it by router ID or neighbor ID.
• Default metrics: OSPF calculates the OSPF metric for an interface according to the bandwidth of the
interface. The metric is calculated as ref-bw divided by bandwidth, where ref-bw is 100 Mb/s by default
(changed with the auto-cost reference-bandwidth router configuration command) and bandwidth (bw)
is specified by the bandwidth interface configuration command. For multiple links with high bandwidth,
you can specify a larger reference bandwidth to differentiate the cost on those links.
• Administrative distance is a rating of the trustworthiness of a routing information source, an integer
between 0 and 255, with a higher value meaning a lower trust rating. An administrative distance of 255
means the routing information source cannot be trusted at all and should be ignored. OSPF uses three
different administrative distances: routes within an area (intra-area), routes to another area (interarea),
and routes from another routing domain learned through redistribution (external). You can change any
of the distance values.
• Passive interfaces: Because interfaces between two devices on an Ethernet represent only one network
segment, to prevent OSPF from sending hello packets for the sending interface, you must configure the
sending device to be a passive interface. Both devices can identify each other through the hello packet
for the receiving interface.
• Route calculation timers: You can configure the delay time between when OSPF receives a topology
change and when it starts the shortest path first (SPF) calculation and the hold time between two SPF
calculations.
• Log neighbor changes: You can configure the router to send a syslog message when an OSPF neighbor
state changes, providing a high-level view of changes in the router.
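The default-metrics item above states only that the cost is ref-bw divided by bandwidth. The following Python is an added example, not code from the Cisco guide or from IOS: it works the arithmetic through for a few constructed interface speeds, so you can see why every link of 100 Mbps and above collapses to cost 1 under the default reference bandwidth and how a larger value set with ip auto-cost reference-bandwidth restores the distinction. The integer truncation, the floor of 1 and the 16-bit ceiling of 65535 are IOS behaviour as I know it rather than statements on this page, and the link list is constructed.

```python
"""OSPF interface cost from the reference bandwidth.

Added example, not code from the Cisco guide. IOS derives the cost as
reference bandwidth / interface bandwidth, truncated to an integer, with a
floor of 1 and a ceiling of 65535 (the cost is a 16-bit field in the LSA).
ip auto-cost reference-bandwidth takes Mbps, the bandwidth interface command
takes kb/s, so the two are brought to the same unit before dividing.
"""

DEFAULT_REF_BW_MBPS = 100      # IOS default: 10^8 bps
MAX_COST = 65535


def ospf_cost(bandwidth_kbps, ref_bw_mbps=DEFAULT_REF_BW_MBPS):
    """Cost OSPF assigns to an interface of the given bandwidth."""
    cost = (ref_bw_mbps * 1000) // bandwidth_kbps
    return max(1, min(MAX_COST, cost))


# Constructed sample: nominal interface bandwidths in kb/s, as the bandwidth
# command would report them.
LINKS = {
    "Serial (T1)": 1_544,
    "FastEthernet": 100_000,
    "GigabitEthernet": 1_000_000,
    "TenGigabitEthernet": 10_000_000,
}


def cost_table(ref_bw_mbps=DEFAULT_REF_BW_MBPS, links=LINKS):
    """Cost of every sample link under one reference bandwidth."""
    return {name: ospf_cost(bw, ref_bw_mbps) for name, bw in links.items()}


def links_that_collapse(ref_bw_mbps=DEFAULT_REF_BW_MBPS, links=LINKS):
    """Links whose cost hits the floor of 1; SPF can no longer tell them apart."""
    return sorted(n for n, c in cost_table(ref_bw_mbps, links).items() if c == 1)


if __name__ == "__main__":
    for ref in (DEFAULT_REF_BW_MBPS, 10_000):
        print(f"ip auto-cost reference-bandwidth {ref}")
        for name, cost in cost_table(ref).items():
            print(f"  {name:20s} cost {cost:5d}")
        print("  indistinguishable:", ", ".join(links_that_collapse(ref)) or "none")
```

With the default reference bandwidth the script shows FastEthernet, GigabitEthernet and TenGigabitEthernet all at cost 1; at 10000 Mbps they come out at 100, 10 and 1. Whatever value you choose, set it identically on every router in the OSPF domain: if two routers divide by different reference bandwidths, the same link gets different costs in each direction and path selection becomes asymmetric.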

Related Topics
Information About Route Maps, on page 901
How to Configure a Route Map
How to Control Route Distribution, on page 905


Configuring Other OSPF Parameters

Procedure

Step 1: configure terminal
Purpose: Enters global configuration mode.
Example:
SwitchDevice# configure terminal

Step 2: router ospf process-id
Purpose: Enables OSPF routing and enters router configuration mode.
Example:
SwitchDevice(config)# router ospf 10

Step 3: summary-address address mask
Purpose: (Optional) Specifies an address and IP subnet mask for redistributed routes so that only one summary route is advertised.
Example:
SwitchDevice(config-router)# summary-address 10.1.1.1 255.255.255.0

Step 4: area area-id virtual-link router-id [hello-interval seconds] [retransmit-interval seconds] [trans] [[authentication-key key] | message-digest-key keyid md5 key]]
Purpose: (Optional) Establishes a virtual link and sets its parameters.
Example:
SwitchDevice(config-router)# area 2 virtual-link 192.168.255.1 hello-interval 5

Step 5: default-information originate [always] [metric metric-value] [metric-type type-value] [route-map map-name]
Purpose: (Optional) Forces the ASBR to generate a default route into the OSPF routing domain. All parameters are optional.
Example:
SwitchDevice(config-router)# default-information originate metric 100 metric-type 1

Step 6: ip ospf name-lookup
Purpose: (Optional) Configures DNS name lookup. The default is disabled.
Example:
SwitchDevice(config)# ip ospf name-lookup

Step 7: ip auto-cost reference-bandwidth ref-bw
Purpose: (Optional) Specifies the reference bandwidth that OSPF divides by the interface bandwidth to calculate the interface cost. Specify a larger value to differentiate the cost of multiple high-bandwidth links.
Example:
SwitchDevice(config-router)# ip auto-cost reference-bandwidth 5

Step 8: distance ospf {[intra-area dist1] [inter-area dist2] [external dist3]}
Purpose: (Optional) Changes the OSPF distance values. The default distance for each type of route is 110. The range is 1 to 255.
Example:
SwitchDevice(config-router)# distance ospf inter-area 150

Step 9: passive-interface type number
Purpose: (Optional) Suppresses the sending of hello packets through the specified interface.
Example:
SwitchDevice(config-router)# passive-interface gigabitethernet 1/0/6

Step 10: timers throttle spf spf-delay spf-holdtime spf-wait
Purpose: (Optional) Configures route calculation timers.
• spf-delay—Delay between receiving a change and starting the SPF calculation. The range is from 1 to 600000 milliseconds.
• spf-holdtime—Delay between the first and second SPF calculation. The range is from 1 to 600000 milliseconds.
• spf-wait—Maximum wait time between SPF calculations. The range is from 1 to 600000 milliseconds.
Example:
SwitchDevice(config-router)# timers throttle spf 200 100 100

Step 11: ospf log-adj-changes
Purpose: (Optional) Sends a syslog message when a neighbor state changes.
Example:
SwitchDevice(config-router)# ospf log-adj-changes

Step 12: end
Purpose: Returns to privileged EXEC mode.
Example:
SwitchDevice(config)# end

Step 13: show ip ospf [process-id [area-id]] database
Purpose: Displays lists of information related to the OSPF database for a specific router.
Example:
SwitchDevice# show ip ospf database

Step 14: copy running-config startup-config
Purpose: (Optional) Saves your entries in the configuration file.
Example:
SwitchDevice# copy running-config startup-config


Related Topics
Configuring OSPF Interfaces, on page 806
Monitoring OSPF, on page 816

LSA Group Pacing


The OSPF LSA group pacing feature allows the router to group OSPF LSAs and pace the refreshing,
check-summing, and aging functions for more efficient router use. This feature is enabled by default with a
4-minute default pacing interval, and you will not usually need to modify this parameter. The optimum group
pacing interval is inversely proportional to the number of LSAs the router is refreshing, check-summing, and
aging. For example, if you have approximately 10,000 LSAs in the database, decreasing the pacing interval
would benefit you. If you have a very small database (40 to 100 LSAs), increasing the pacing interval to 10
to 20 minutes might benefit you slightly.

Changing LSA Group Pacing

Procedure

Step 1: configure terminal
Purpose: Enters global configuration mode.
Example:
SwitchDevice# configure terminal

Step 2: router ospf process-id
Purpose: Enables OSPF routing and enters router configuration mode.
Example:
SwitchDevice(config)# router ospf 25

Step 3: timers lsa-group-pacing seconds
Purpose: Changes the group pacing of LSAs.
Example:
SwitchDevice(config-router)# timers lsa-group-pacing 15

Step 4: end
Purpose: Returns to privileged EXEC mode.
Example:
SwitchDevice(config)# end

Step 5: show running-config
Purpose: Verifies your entries.
Example:
SwitchDevice# show running-config

Step 6: copy running-config startup-config
Purpose: (Optional) Saves your entries in the configuration file.
Example:
SwitchDevice# copy running-config startup-config

Loopback Interfaces
OSPF uses the highest IP address configured on the interfaces as its router ID. If this interface is down or
removed, the OSPF process must recalculate a new router ID and resend all its routing information out its
interfaces. If a loopback interface is configured with an IP address, OSPF uses this IP address as its router
ID, even if other interfaces have higher IP addresses. Because loopback interfaces never fail, this provides
greater stability. OSPF automatically prefers a loopback interface over other interfaces, and it chooses the
highest IP address among all loopback interfaces.

Configuring a Loopback Interface

Procedure

Step 1: configure terminal
Purpose: Enters global configuration mode.
Example:
SwitchDevice# configure terminal

Step 2: interface loopback 0
Purpose: Creates a loopback interface and enters interface configuration mode.
Example:
SwitchDevice(config)# interface loopback 0

Step 3: ip address address mask
Purpose: Assigns an IP address to this interface.
Example:
SwitchDevice(config-if)# ip address 10.1.1.5 255.255.240.0

Step 4: end
Purpose: Returns to privileged EXEC mode.
Example:
SwitchDevice(config)# end

Step 5: show ip interface
Purpose: Verifies your entries.
Example:
SwitchDevice# show ip interface

Step 6: copy running-config startup-config
Purpose: (Optional) Saves your entries in the configuration file.
Example:
SwitchDevice# copy running-config startup-config

Monitoring OSPF
You can display specific statistics such as the contents of IP routing tables, caches, and databases.

Table 89: Show IP OSPF Statistics Commands

show ip ospf [process-id]
    Displays general information about OSPF routing processes.

show ip ospf [process-id] database [router] [link-state-id]
show ip ospf [process-id] database [router] [self-originate]
show ip ospf [process-id] database [router] [adv-router [ip-address]]
show ip ospf [process-id] database [network] [link-state-id]
show ip ospf [process-id] database [summary] [link-state-id]
show ip ospf [process-id] database [asbr-summary] [link-state-id]
show ip ospf [process-id] database [external] [link-state-id]
show ip ospf [process-id area-id] database [database-summary]
    Displays lists of information related to the OSPF database.

show ip ospf border-routes
    Displays the internal OSPF routing ABR and ASBR table entries.

show ip ospf interface [interface-name]
    Displays OSPF-related interface information.

show ip ospf neighbor [interface-name] [neighbor-id] detail
    Displays OSPF interface neighbor information.

show ip ospf virtual-links
    Displays OSPF-related virtual links information.

Related Topics
Configuring Other OSPF Parameters, on page 812


Information About EIGRP


Enhanced IGRP (EIGRP) is a Cisco proprietary enhanced version of the IGRP. EIGRP uses the same distance
vector algorithm and distance information as IGRP; however, the convergence properties and the operating
efficiency of EIGRP are significantly improved.
The convergence technology employs an algorithm referred to as the Diffusing Update Algorithm (DUAL),
which guarantees loop-free operation at every instant throughout a route computation and allows all devices
involved in a topology change to synchronize at the same time. Routers that are not affected by topology
changes are not involved in recomputations.
IP EIGRP provides increased network width. With RIP, the largest possible width of your network is 15 hops.
Because the EIGRP metric is large enough to support thousands of hops, the only barrier to expanding the
network is the transport-layer hop counter. EIGRP increments the transport control field only when an IP
packet has traversed 15 routers and the next hop to the destination was learned through EIGRP. When a RIP
route is used as the next hop to the destination, the transport control field is incremented as usual.

EIGRP Features
EIGRP offers these features:
• Fast convergence.
• Incremental updates when the state of a destination changes, instead of sending the entire contents of the
routing table, minimizing the bandwidth required for EIGRP packets.
• Less CPU usage because full update packets need not be processed each time they are received.
• Protocol-independent neighbor discovery mechanism to learn about neighboring routers.
• Variable-length subnet masks (VLSMs).
• Arbitrary route summarization.
• EIGRP scales to large networks.

EIGRP Components
EIGRP has these four basic components:
• Neighbor discovery and recovery is the process that routers use to dynamically learn of other routers on
their directly attached networks. Routers must also discover when their neighbors become unreachable
or inoperative. Neighbor discovery and recovery is achieved with low overhead by periodically sending
small hello packets. As long as hello packets are received, the Cisco IOS software can learn that a neighbor
is alive and functioning. When this status is determined, the neighboring routers can exchange routing
information.
• The reliable transport protocol is responsible for guaranteed, ordered delivery of EIGRP packets to all
neighbors. It supports intermixed transmission of multicast and unicast packets. Some EIGRP packets
must be sent reliably, and others need not be. For efficiency, reliability is provided only when necessary.
For example, on a multiaccess network that has multicast capabilities (such as Ethernet), it is not necessary
to send hellos reliably to all neighbors individually. Therefore, EIGRP sends a single multicast hello
with an indication in the packet informing the receivers that the packet need not be acknowledged. Other
types of packets (such as updates) require acknowledgment, which is shown in the packet. The reliable
transport has a provision to send multicast packets quickly when there are unacknowledged packets
pending. Doing so helps ensure that convergence time remains low in the presence of varying speed
links.
• The DUAL finite state machine embodies the decision process for all route computations. It tracks all
routes advertised by all neighbors. DUAL uses the distance information (known as a metric) to select
efficient, loop-free paths. DUAL selects routes to be inserted into a routing table based on feasible
successors. A successor is a neighboring router used for packet forwarding that has a least-cost path to
a destination that is guaranteed not to be part of a routing loop. When there are no feasible successors,
but there are neighbors advertising the destination, a recomputation must occur. This is the process
whereby a new successor is determined. The amount of time it takes to recompute the route affects the
convergence time. Recomputation is processor-intensive; it is advantageous to avoid recomputation if it
is not necessary. When a topology change occurs, DUAL tests for feasible successors. If there are feasible
successors, it uses any it finds to avoid unnecessary recomputation.
• The protocol-dependent modules are responsible for network layer protocol-specific tasks. An example
is the IP EIGRP module, which is responsible for sending and receiving EIGRP packets that are
encapsulated in IP. It is also responsible for parsing EIGRP packets and informing DUAL of the new
information received. EIGRP asks DUAL to make routing decisions, but the results are stored in the IP
routing table. EIGRP is also responsible for redistributing routes learned by other IP routing protocols.

Note To enable EIGRP, the Switch or stack master must be running the IP services
feature set.

How to Configure EIGRP


To create an EIGRP routing process, you must enable EIGRP and associate networks. EIGRP sends updates
to the interfaces in the specified networks. If you do not specify an interface network, it is not advertised in
any EIGRP update.

Note If you have routers on your network that are configured for IGRP, and you want to change to EIGRP, you
must designate transition routers that have both IGRP and EIGRP configured. In these cases, perform Steps
1 through 3 in the next section and also see the “Configuring Split Horizon” section. You must use the same
AS number for routes to be automatically redistributed.

Default EIGRP Configuration


Table 90: Default EIGRP Configuration

Feature: Default Setting

Auto summary: Disabled.

Default-information: Exterior routes are accepted and default information is passed between EIGRP processes when doing redistribution.

Default metric: Only connected routes and interface static routes can be redistributed without a default metric. The metric includes:
• Bandwidth: 0 or greater kb/s.
• Delay (tens of microseconds): 0 or any positive number that is a multiple of 39.1 nanoseconds.
• Reliability: any number between 0 and 255 (255 means 100 percent reliability).
• Loading: effective bandwidth as a number between 0 and 255 (255 is 100 percent loading).
• MTU: maximum transmission unit size of the route in bytes. 0 or any positive integer.

Distance: Internal distance: 90. External distance: 170.

EIGRP log-neighbor changes: Disabled. No adjacency changes logged.

IP authentication key-chain: No authentication provided.

IP authentication mode: No authentication provided.

IP bandwidth-percent: 50 percent.

IP hello interval: For low-speed nonbroadcast multiaccess (NBMA) networks: 60 seconds; all other networks: 5 seconds.

IP hold-time: For low-speed NBMA networks: 180 seconds; all other networks: 15 seconds.

IP split-horizon: Enabled.

IP summary address: No summary aggregate addresses are predefined.

Metric weights: tos: 0; k1 and k3: 1; k2, k4, and k5: 0.

Network: None specified.

Nonstop Forwarding (NSF) Awareness: Enabled for IPv4 on switches running the IP services feature set. Allows Layer 3 switches to continue forwarding packets from a neighboring NSF-capable router during hardware or software changes.

NSF capability: Disabled.
Note The Switch supports EIGRP NSF-capable routing for IPv4.

Offset-list: Disabled.

Router EIGRP: Disabled.

Set metric: No metric set in the route map.

Traffic-share: Distributed proportionately to the ratios of the metrics.

Variance: 1 (equal-cost load-balancing).
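The DUAL description under EIGRP Components and the metric weights and variance defaults in Table 90 are easier to follow with numbers. The following Python is an added example, not code from the Cisco guide or from IOS: it computes the classic EIGRP composite metric from the K values that metric weights sets, then applies DUAL's feasibility condition and the variance multiplier to a constructed topology table for a hypothetical destination. The neighbor names R1 to R3 and their link bandwidths and delays are made up; the metric formula is the standard one as I know it, and the block generalizes the page's defaults to arbitrary K values.

```python
"""EIGRP composite metric and DUAL path selection.

Added example, not code from the Cisco guide. The composite metric is the
classic EIGRP formula driven by the K values set with "metric weights":

  bw    = (10^7 // min_bandwidth_kbps) * 256
  delay = (sum_delay_us // 10) * 256          # delay is carried in tens of us
  m     = K1*bw + (K2*bw) // (256 - load) + K3*delay
  m     = m * K5 // (reliability + K4)         # only when K5 != 0

With the defaults from Table 90 (K1 = K3 = 1, K2 = K4 = K5 = 0) only bandwidth
and delay count, so FastEthernet (100000 kb/s, 100 us) comes out at 28160.
"""

DEFAULT_K = (1, 0, 1, 0, 0)   # (k1, k2, k3, k4, k5); tos is always 0 and ignored


def composite_metric(min_bw_kbps, total_delay_us, reliability=255, load=1, k=DEFAULT_K):
    """Composite metric for a path described by its vector metrics."""
    k1, k2, k3, k4, k5 = k
    bw = (10_000_000 // min_bw_kbps) * 256
    delay = (total_delay_us // 10) * 256
    metric = k1 * bw + (k2 * bw) // (256 - load) + k3 * delay
    if k5:
        metric = metric * k5 // (reliability + k4)
    return metric


# Constructed topology table for one hypothetical destination:
# neighbor -> ((advertised min bandwidth kb/s, advertised delay us),
#              (bandwidth kb/s, delay us) of our own link to that neighbor)
NEIGHBORS = {
    "R1": ((100_000, 100), (1_000_000, 10)),    # FastEthernet beyond R1, GigE to R1
    "R2": ((100_000, 200), (1_000_000, 10)),    # slower path beyond R2, GigE to R2
    "R3": ((1_000_000, 100), (100_000, 100)),   # GigE beyond R3, FastEthernet to R3
}


def path_metrics(neighbors, k=DEFAULT_K):
    """Reported distance (what the neighbor advertises) and our total metric."""
    out = {}
    for name, ((adv_bw, adv_delay), (link_bw, link_delay)) in neighbors.items():
        rd = composite_metric(adv_bw, adv_delay, k=k)
        # EIGRP composes vector metrics: minimum bandwidth, cumulative delay.
        total = composite_metric(min(adv_bw, link_bw), adv_delay + link_delay, k=k)
        out[name] = (rd, total)
    return out


def dual_select(neighbors, variance=1, k=DEFAULT_K):
    """Apply DUAL's feasibility condition and the variance multiplier.

    Returns (feasible distance, successors, feasible successors, neighbors
    eligible for load sharing). A neighbor is a feasible successor only when
    its reported distance is strictly below the feasible distance: that is the
    guarantee that the path cannot loop back through this router. Variance
    never admits a path that fails that condition, however small its metric.
    """
    metrics = path_metrics(neighbors, k)
    fd = min(total for _, total in metrics.values())
    successors = sorted(n for n, (_, t) in metrics.items() if t == fd)
    feasible = sorted(n for n, (rd, t) in metrics.items() if rd < fd and t != fd)
    sharing = sorted(n for n in successors + feasible if metrics[n][1] <= variance * fd)
    return fd, successors, feasible, sharing


if __name__ == "__main__":
    for name, (rd, total) in path_metrics(NEIGHBORS).items():
        print(f"{name}: reported {rd:6d}  total {total:6d}")
    print("variance 1:", dual_select(NEIGHBORS))
    print("variance 2:", dual_select(NEIGHBORS, variance=2))
```

In the sample, R1 is the successor (total 28416), R3 is a feasible successor because its reported distance 5120 is below that, and R2 is not, even though its total metric is only 30976: R2's reported distance 30720 exceeds the feasible distance, so DUAL cannot prove the path is loop-free and variance 2 still leaves R2 out. The page's own metric weights 0 2 0 2 0 0 example simply doubles the default metric, which is why the caution about changing K values is justified: every router in the AS must use the same values or neighbors refuse to form adjacencies.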

EIGRP Nonstop Forwarding


The Switch stack supports two levels of EIGRP nonstop forwarding:
• EIGRP NSF Awareness
• EIGRP NSF Capability

EIGRP NSF Awareness


The IP-services feature set supports EIGRP NSF Awareness for IPv4. When the neighboring router is
NSF-capable, the Layer 3 Switch continues to forward packets from the neighboring router during the interval
between the primary Route Processor (RP) in a router failing and the backup RP taking over, or while the
primary RP is manually reloaded for a nondisruptive software upgrade.
This feature cannot be disabled. For more information on this feature, see the “EIGRP Nonstop Forwarding
(NSF) Awareness” section of the Cisco IOS IP Routing Protocols Configuration Guide, Release 12.4.

EIGRP NSF Capability


The IP services feature set supports EIGRP Cisco NSF routing to speed up convergence and to eliminate
traffic loss after a stack master change. For details about this NSF capability, see the “Configuring Nonstop
Forwarding” chapter in the High Availability Configuration Guide, Cisco IOS XE Release 3S.
The IP-services feature set also supports EIGRP NSF-capable routing for IPv4 for better convergence and
lower traffic loss following a stack master change. When an EIGRP NSF-capable stack master restarts or a
new stack master starts up and NSF restarts, the Switch has no neighbors, and the topology table is empty.
The Switch must bring up the interfaces, reacquire neighbors, and rebuild the topology and routing tables
without interrupting the traffic directed toward the Switch stack. EIGRP peer routers maintain the routes
learned from the new stack master and continue forwarding traffic through the NSF restart process.
To prevent an adjacency reset by the neighbors, the new stack master uses a new Restart (RS) bit in the EIGRP
packet header to show the restart. When the neighbor receives this, it synchronizes the stack in its peer list
and maintains the adjacency with the stack. The neighbor then sends its topology table to the stack master
with the RS bit set to show that it is NSF-aware and is aiding the new stack master.
If at least one of the stack peer neighbors is NSF-aware, the stack master receives updates and rebuilds its
database. Each NSF-aware neighbor sends an end of table (EOT) marker in the last update packet to mark the
end of the table content. The stack master recognizes the convergence when it receives the EOT marker, and
it then begins sending updates. When the stack master has received all EOT markers from its neighbors or
when the NSF converge timer expires, EIGRP notifies the routing information database (RIB) of convergence
and floods its topology table to all NSF-aware peers.

Configuring Basic EIGRP Parameters


Procedure

Step 1: configure terminal
Purpose: Enters global configuration mode.
Example:
SwitchDevice# configure terminal

Step 2: router eigrp autonomous-system
Purpose: Enables an EIGRP routing process and enters router configuration mode. The AS number identifies the routes to other EIGRP routers and is used to tag routing information.
Example:
SwitchDevice(config)# router eigrp 10

Step 3: nsf
Purpose: (Optional) Enables EIGRP NSF. Enter this command on the stack master and on all of its peers.
Example:
SwitchDevice(config-router)# nsf

Step 4: network network-number
Purpose: Associates networks with an EIGRP routing process. EIGRP sends updates to the interfaces in the specified networks.
Example:
SwitchDevice(config-router)# network 192.168.0.0

Step 5: eigrp log-neighbor-changes
Purpose: (Optional) Enables logging of EIGRP neighbor changes to monitor routing system stability.
Example:
SwitchDevice(config-router)# eigrp log-neighbor-changes

Step 6: metric weights tos k1 k2 k3 k4 k5
Purpose: (Optional) Adjusts the EIGRP metric. Although the defaults have been carefully set to provide excellent operation in most networks, you can adjust them.
Caution Setting metrics is complex and is not recommended without guidance from an experienced network designer.
Example:
SwitchDevice(config-router)# metric weights 0 2 0 2 0 0

Step 7: offset-list [access-list number | name] {in | out} offset [type number]
Purpose: (Optional) Applies an offset list to routing metrics to increase incoming and outgoing metrics to routes learned through EIGRP. You can limit the offset list with an access list or an interface.
Example:
SwitchDevice(config-router)# offset-list 21 out 10

Step 8: auto-summary
Purpose: (Optional) Enables automatic summarization of subnet routes into network-level routes.
Example:
SwitchDevice(config-router)# auto-summary

Step 9: ip summary-address eigrp autonomous-system-number address mask
Purpose: (Optional) Configures a summary aggregate.
Example:
SwitchDevice(config)# ip summary-address eigrp 1 192.168.0.0 255.255.0.0

Step 10: end
Purpose: Returns to privileged EXEC mode.
Example:
SwitchDevice(config)# end

Step 11: show ip protocols
Purpose: Verifies your entries. For NSF awareness, the output shows:
*** IP Routing is NSF aware ***
EIGRP NSF enabled
Example:
SwitchDevice# show ip protocols

Step 12: copy running-config startup-config
Purpose: (Optional) Saves your entries in the configuration file.
Example:
SwitchDevice# copy running-config startup-config

Configuring EIGRP Interfaces


Other optional EIGRP parameters can be configured on an interface basis.

Procedure

Step 1: configure terminal
Purpose: Enters global configuration mode.
Example:
SwitchDevice# configure terminal

Step 2: interface interface-id
Purpose: Enters interface configuration mode, and specifies the Layer 3 interface to configure.
Example:
SwitchDevice(config)# interface gigabitethernet 1/0/1

Step 3: ip bandwidth-percent eigrp percent
Purpose: (Optional) Configures the percentage of bandwidth that can be used by EIGRP on an interface. The default is 50 percent.
Example:
SwitchDevice(config-if)# ip bandwidth-percent eigrp 60

Step 4: ip summary-address eigrp autonomous-system-number address mask
Purpose: (Optional) Configures a summary aggregate address for a specified interface (not usually necessary if auto-summary is enabled).
Example:
SwitchDevice(config-if)# ip summary-address eigrp 109 192.161.0.0 255.255.0.0

Step 5: ip hello-interval eigrp autonomous-system-number seconds
Purpose: (Optional) Changes the hello time interval for an EIGRP routing process. The range is 1 to 65535 seconds. The default is 60 seconds for low-speed NBMA networks and 5 seconds for all other networks.
Example:
SwitchDevice(config-if)# ip hello-interval eigrp 109 10

Step 6: ip hold-time eigrp autonomous-system-number seconds
Purpose: (Optional) Changes the hold time interval for an EIGRP routing process. The range is 1 to 65535 seconds. The default is 180 seconds for low-speed NBMA networks and 15 seconds for all other networks.
Caution Do not adjust the hold time without consulting Cisco technical support.
Example:
SwitchDevice(config-if)# ip hold-time eigrp 109 40

Step 7: no ip split-horizon eigrp autonomous-system-number
Purpose: (Optional) Disables split horizon to allow route information to be advertised by a router out any interface from which that information originated.
Example:
SwitchDevice(config-if)# no ip split-horizon eigrp 109

Step 8: end
Purpose: Returns to privileged EXEC mode.
Example:
SwitchDevice(config)# end

Step 9: show ip eigrp interface
Purpose: Displays which interfaces EIGRP is active on and information about EIGRP relating to those interfaces.
Example:
SwitchDevice# show ip eigrp interface

Step 10: copy running-config startup-config
Purpose: (Optional) Saves your entries in the configuration file.
Example:
SwitchDevice# copy running-config startup-config

Configuring EIGRP Route Authentication


EIGRP route authentication provides MD5 authentication of routing updates from the EIGRP routing protocol
to prevent the introduction of unauthorized or false routing messages from unapproved sources.

Procedure

Step 1: configure terminal
Purpose: Enters global configuration mode.
Example:
SwitchDevice# configure terminal

Step 2: interface interface-id
Purpose: Enters interface configuration mode, and specifies the Layer 3 interface to configure.
Example:
SwitchDevice(config)# interface gigabitethernet 1/0/1

Step 3: ip authentication mode eigrp autonomous-system md5
Purpose: Enables MD5 authentication in IP EIGRP packets.
Example:
SwitchDevice(config-if)# ip authentication mode eigrp 104 md5

Step 4: ip authentication key-chain eigrp autonomous-system key-chain
Purpose: Enables authentication of IP EIGRP packets.
Example:
SwitchDevice(config-if)# ip authentication key-chain eigrp 105 chain1

Step 5: exit
Purpose: Returns to global configuration mode.
Example:
SwitchDevice(config-if)# exit

Step 6: key chain name-of-chain
Purpose: Identifies a key chain and enters key-chain configuration mode. Match the name configured in Step 4.
Example:
SwitchDevice(config)# key chain chain1

Step 7: key number
Purpose: In key-chain configuration mode, identifies the key number.
Example:
SwitchDevice(config-keychain)# key 1

Step 8: key-string text
Purpose: In key-chain key configuration mode, identifies the key string.
Example:
SwitchDevice(config-keychain-key)# key-string key1

Step 9: accept-lifetime start-time {infinite | end-time | duration seconds}
Purpose: (Optional) Specifies the time period during which the key can be received. The start-time and end-time syntax can be either hh:mm:ss Month date year or hh:mm:ss date Month year. The default is forever, with the default start-time and the earliest acceptable date as January 1, 1993. The default end-time and duration is infinite.
Example:
SwitchDevice(config-keychain-key)# accept-lifetime 13:30:00 Jan 25 2011 duration 7200

Step 10: send-lifetime start-time {infinite | end-time | duration seconds}
Purpose: (Optional) Specifies the time period during which the key can be sent. The start-time and end-time syntax can be either hh:mm:ss Month date year or hh:mm:ss date Month year. The default is forever, with the default start-time and the earliest acceptable date as January 1, 1993. The default end-time and duration is infinite.
Example:
SwitchDevice(config-keychain-key)# send-lifetime 14:00:00 Jan 25 2011 duration 3600

Step 11: end
Purpose: Returns to privileged EXEC mode.
Example:
SwitchDevice(config)# end

Step 12: show key chain
Purpose: Displays authentication key information.
Example:
SwitchDevice# show key chain

Step 13: copy running-config startup-config
Purpose: (Optional) Saves your entries in the configuration file.
Example:
SwitchDevice# copy running-config startup-config
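The procedure above leaves three things that are easy to get wrong and that show up later as unauthenticated updates or a failed key rollover: an interface with the MD5 mode but no key chain (or the reverse), a key chain whose key has no key-string, and a send-lifetime that falls outside the matching accept-lifetime. The following Python is an added example, not code from the Cisco guide or from IOS: it parses a constructed running-config fragment (the interface names, AS number and key chains are hypothetical; key 1 of chain1 reuses the lifetimes from Steps 9 and 10) and reports each of those conditions. It handles both time formats the page lists and all three lifetime forms (infinite, end-time, duration).

```python
"""Audit EIGRP MD5 authentication and key-chain lifetimes in an IOS-style config.

Added example, not code from the Cisco guide. The configuration below is
constructed. The audit reports where routing updates would be left
unauthenticated or where a key rollover would fail:
  1. an interface sets the MD5 mode but binds no key chain, or the reverse;
  2. a bound key chain does not exist or one of its keys has no key-string;
  3. a key's send-lifetime is not inside its accept-lifetime, so a peer that
     shares the chain would drop the packets we sign with that key.
"""
from datetime import datetime, timedelta

INFINITE = datetime.max            # stands in for the "infinite" keyword

SAMPLE_CONFIG = """\
key chain chain1
 key 1
  key-string key1
  accept-lifetime 13:30:00 Jan 25 2011 duration 7200
  send-lifetime 14:00:00 Jan 25 2011 duration 3600
 key 2
  key-string key2
  accept-lifetime 15:00:00 Jan 25 2011 infinite
  send-lifetime 16:00:00 Jan 25 2011 infinite
key chain broken
 key 1
  accept-lifetime 00:00:00 Jan 1 2011 infinite
  send-lifetime 00:00:00 Jan 1 2010 infinite
interface GigabitEthernet1/0/1
 ip authentication mode eigrp 104 md5
 ip authentication key-chain eigrp 104 chain1
interface GigabitEthernet1/0/2
 ip authentication mode eigrp 104 md5
interface GigabitEthernet1/0/3
 ip authentication key-chain eigrp 104 broken
"""


def parse_time(tokens):
    """hh:mm:ss Month date year or hh:mm:ss date Month year (both IOS forms)."""
    text = " ".join(tokens[:4])
    for fmt in ("%H:%M:%S %b %d %Y", "%H:%M:%S %d %b %Y"):
        try:
            return datetime.strptime(text, fmt)
        except ValueError:
            pass
    raise ValueError(f"unrecognised time: {text}")


def parse_lifetime(args):
    """Arguments of accept-lifetime or send-lifetime -> (start, end)."""
    tokens = args.split()
    start, rest = parse_time(tokens), tokens[4:]
    if rest[0] == "infinite":
        return start, INFINITE
    if rest[0] == "duration":
        return start, start + timedelta(seconds=int(rest[1]))
    return start, parse_time(rest)


def parse_config(text):
    """Minimal reader for the key-chain and interface submodes we care about."""
    chains, interfaces = {}, {}
    chain = key = iface = None
    for raw in text.splitlines():
        if not raw.strip():
            continue
        if not raw.startswith(" "):          # a top-level command leaves any submode
            chain = key = iface = None
        line, words = raw.strip(), raw.split()
        if line.startswith("key chain "):
            chain = chains.setdefault(words[2], {})
        elif line.startswith("interface "):
            iface = interfaces.setdefault(words[1], {})
        elif chain is not None and words[0] == "key" and words[1].isdigit():
            key = chain.setdefault(int(words[1]), {})
        elif key is not None and words[0] == "key-string":
            key["key_string"] = line.split(None, 1)[1]
        elif key is not None and words[0] in ("accept-lifetime", "send-lifetime"):
            key[words[0]] = parse_lifetime(line.split(None, 1)[1])
        elif iface is not None and line.startswith("ip authentication mode eigrp "):
            iface["mode"] = words[-1]
        elif iface is not None and line.startswith("ip authentication key-chain eigrp "):
            iface["key_chain"] = words[-1]
    return chains, interfaces


def audit(text):
    """Sorted list of findings; an empty list means nothing to fix."""
    chains, interfaces = parse_config(text)
    findings = []
    for name, iface in interfaces.items():
        if "mode" not in iface:
            findings.append(f"{name}: no 'ip authentication mode eigrp ... md5'")
        if "key_chain" not in iface:
            findings.append(f"{name}: no key chain bound, updates are unauthenticated")
            continue
        chain = chains.get(iface["key_chain"])
        if chain is None:
            findings.append(f"{name}: key chain {iface['key_chain']} does not exist")
            continue
        for number, key in sorted(chain.items()):
            where = f"{name}: key chain {iface['key_chain']} key {number}"
            if "key_string" not in key:
                findings.append(f"{where} has no key-string")
            acc = key.get("accept-lifetime", (datetime.min, INFINITE))
            snd = key.get("send-lifetime", (datetime.min, INFINITE))
            if snd[0] < acc[0] or snd[1] > acc[1]:
                findings.append(f"{where}: send-lifetime is not inside accept-lifetime")
    return sorted(findings)


if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG):
        print(finding)
```

On the sample, chain1 passes: key 1 is sent from 14:00 to 15:00 and accepted from 13:30 to 15:30, so peers sharing the chain still accept it during clock drift at either edge, which is the usual reason for making the accept window wider than the send window. The findings point at GigabitEthernet1/0/2 (mode set, no chain bound) and GigabitEthernet1/0/3 (no mode, a key without a key-string, and a key that is sent a year before it is accepted).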


EIGRP Stub Routing


The EIGRP stub routing feature reduces resource utilization by moving routed traffic closer to the end user.

Note The feature set contains EIGRP stub routing capability, which only advertises connected or summary routes
from the routing tables to other Switches in the network. The Switch uses EIGRP stub routing at the access
layer to eliminate the need for other types of routing advertisements.

In a network using EIGRP stub routing, the only allowable route for IP traffic to the user is through a Switch
that is configured with EIGRP stub routing. The Switch sends the routed traffic to interfaces that are configured
as user interfaces or are connected to other devices.
When using EIGRP stub routing, you need to configure the distribution and remote routers to use EIGRP and
to configure only the Switch as a stub. Only specified routes are propagated from the Switch. The Switch
responds to all queries for summaries, connected routes, and routing updates.
Any neighbor that receives a packet informing it of the stub status does not query the stub router for any
routes, and a router that has a stub peer does not query that peer. The stub router depends on the distribution
router to send the proper updates to all peers.
In the figure given below, Switch B is configured as an EIGRP stub router. Switches A and C are connected
to the rest of the WAN. Switch B advertises connected, static, redistribution, and summary routes to Switch
A and C. Switch B does not advertise any routes learned from Switch A (and the reverse).
Figure 79: EIGRP Stub Router Configuration

For more information about EIGRP stub routing, see the “Configuring EIGRP Stub Routing” section of the Cisco
IOS IP Configuration Guide, Volume 2 of 3: Routing Protocols.


Monitoring and Maintaining EIGRP


You can delete neighbors from the neighbor table. You can also display various EIGRP routing statistics. The
table given below lists the privileged EXEC commands for deleting neighbors and displaying statistics. For
explanations of fields in the resulting display, see the Cisco IOS IP Command Reference, Volume 2 of 3:
Routing Protocols, Release 12.4.

Table 91: IP EIGRP Clear and Show Commands

clear ip eigrp neighbors [if-address | interface]
    Deletes neighbors from the neighbor table.

show ip eigrp interface [interface] [as number]
    Displays information about interfaces configured for EIGRP.

show ip eigrp neighbors [type-number]
    Displays EIGRP discovered neighbors.

show ip eigrp topology [autonomous-system-number | [[ip-address] mask]]
    Displays the EIGRP topology table for a given process.

show ip eigrp traffic [autonomous-system-number]
    Displays the number of packets sent and received for all or a specified EIGRP process.

Information About BGP


The Border Gateway Protocol (BGP) is an exterior gateway protocol used to set up an interdomain routing
system that guarantees the loop-free exchange of routing information between autonomous systems.
Autonomous systems are made up of routers that operate under the same administration and that run Interior
Gateway Protocols (IGPs), such as RIP or OSPF, within their boundaries and that interconnect by using an
Exterior Gateway Protocol (EGP). BGP Version 4 is the standard EGP for interdomain routing in the Internet.
The protocol is defined in RFCs 1163, 1267, and 1771. You can find detailed information about BGP in
Internet Routing Architectures, published by Cisco Press, and in the “Configuring BGP” chapter in the Cisco
IP and IP Routing Configuration Guide.
For details about BGP commands and keywords, see the “IP Routing Protocols” part of the Cisco IOS IP
Command Reference, Volume 2 of 3: Routing Protocols .

BGP Network Topology


Routers that belong to the same autonomous system (AS) and that exchange BGP updates run internal BGP
(IBGP), and routers that belong to different autonomous systems and that exchange BGP updates run external
BGP (EBGP). Most configuration commands are the same for configuring EBGP and IBGP. The difference
is that the routing updates are exchanged either between autonomous systems (EBGP) or within an AS (IBGP).
The figure given below shows a network that is running both EBGP and IBGP.


Figure 80: EBGP, IBGP, and Multiple Autonomous Systems

Before exchanging information with an external AS, BGP ensures that networks within the AS can be reached
by defining internal BGP peering among routers within the AS and by redistributing BGP routing information
to IGPs that run within the AS, such as IGRP and OSPF.
Routers that run a BGP routing process are often referred to as BGP speakers. BGP uses the Transmission
Control Protocol (TCP) as its transport protocol (specifically port 179). Two BGP speakers that have a TCP
connection to each other for exchanging routing information are known as peers or neighbors. In the above
figure, Routers A and B are BGP peers, as are Routers B and C and Routers C and D. The routing information
is a series of AS numbers that describe the full path to the destination network. BGP uses this information to
construct a loop-free map of autonomous systems.
The network has these characteristics:
• Routers A and B are running EBGP, and Routers B and C are running IBGP. Note that the EBGP peers
are directly connected and that the IBGP peers are not. As long as there is an IGP running that allows
the two neighbors to reach one another, IBGP peers do not have to be directly connected.
• All BGP speakers within an AS must establish a peer relationship with each other. That is, the BGP
speakers within an AS must be fully meshed logically. BGP4 provides two techniques that reduce the
requirement for a logical full mesh: confederations and route reflectors.
• AS 200 is a transit AS for AS 100 and AS 300—that is, AS 200 is used to transfer packets between AS
100 and AS 300.

BGP peers initially exchange their full BGP routing tables and then send only incremental updates. BGP peers
also exchange keepalive messages (to ensure that the connection is up) and notification messages (in response
to errors or special conditions).
In BGP, each route consists of a network number, a list of autonomous systems that information has passed
through (the autonomous system path), and a list of other path attributes. The primary function of a BGP
system is to exchange network reachability information, including information about the list of AS paths,
with other BGP systems. This information can be used to determine AS connectivity, to prune routing loops,
and to enforce AS-level policy decisions.
A router or Switch running Cisco IOS does not select or use an IBGP route unless it has a route available to
the next-hop router and it has received synchronization from an IGP (unless IGP synchronization is disabled).
When multiple routes are available, BGP bases its path selection on attribute values. See the “Configuring
BGP Decision Attributes” section for information about BGP attributes.


BGP Version 4 supports classless interdomain routing (CIDR) so you can reduce the size of your routing
tables by creating aggregate routes, resulting in supernets. CIDR eliminates the concept of network classes
within BGP and supports the advertising of IP prefixes.

How to Configure BGP


Default BGP Configuration
The table given below shows the basic default BGP configuration. For the defaults for all characteristics, see
the specific commands in the Cisco IOS IP Command Reference, Volume 2 of 3: Routing Protocols,
Release 12.4.

Table 92: Default BGP Configuration

Feature: Default Setting

Aggregate address: Disabled; none defined.

AS path access list: None defined.

Auto summary: Disabled.

Best path:
• The router considers as-path in choosing a route and does not compare similar routes from external BGP peers.
• Compare router ID: Disabled.

BGP community list:
• Number: None defined. When you permit a value for the community number, the list defaults to an implicit deny for everything else that has not been permitted.
• Format: Cisco default format (32-bit number).

BGP confederation identifier/peers:
• Identifier: None configured.
• Peers: None identified.

BGP fast external fallover: Enabled.

BGP local preference: 100. The range is 0 to 4294967295, with the higher value preferred.

BGP network: None specified; no backdoor route advertised.


BGP route dampening: Disabled by default. When enabled:
• Half-life is 15 minutes.
• Re-use is 750 (10-second increments).
• Suppress is 2000 (10-second increments).
• Max-suppress-time is 4 times half-life; 60 minutes.

BGP router ID: The IP address of a loopback interface if one is configured, or the highest IP address configured for a physical interface on the router.

Default information originate (protocol or network redistribution): Disabled.

Default metric: Built-in, automatic metric translations.

Distance:
• External route administrative distance: 20 (acceptable values are from 1 to 255).
• Internal route administrative distance: 200 (acceptable values are from 1 to 255).
• Local route administrative distance: 200 (acceptable values are from 1 to 255).

Distribute list:
• In (filter networks received in updates): Disabled.
• Out (suppress networks from being advertised in updates): Disabled.

Internal route redistribution: Disabled.

IP prefix list: None defined.

Multi exit discriminator (MED):
• Always compare: Disabled. Does not compare MEDs for paths from neighbors in different autonomous systems.
• Best path compare: Disabled.
• MED missing as worst path: Disabled.
• Deterministic MED comparison is disabled.

Neighbor:
• Advertisement interval: 30 seconds for external peers; 5 seconds for internal peers.
• Change logging: Enabled.
• Conditional advertisement: Disabled.
• Default originate: No default route is sent to the neighbor.
• Description: None.
• Distribute list: None defined.
• External BGP multihop: Only directly connected neighbors are allowed.
• Filter list: None used.
• Maximum number of prefixes received: No limit.
• Next hop (router as next hop for BGP neighbor): Disabled.
• Password: Disabled.
• Peer group: None defined; no members assigned.
• Prefix list: None specified.
• Remote AS (add entry to neighbor BGP table): No peers defined.
• Private AS number removal: Disabled.
• Route maps: None applied to a peer.
• Send community attributes: None sent to neighbors.
• Shutdown or soft reconfiguration: Not enabled.
• Timers: keepalive: 60 seconds; holdtime: 180 seconds.
• Update source: Best local address.
• Version: BGP Version 4.
• Weight: Routes learned through BGP peer: 0; routes sourced by the local router: 32768.

NSF (7) Awareness: Disabled (8). If enabled, allows Layer 3 switches to continue forwarding packets from a neighboring NSF-capable router during hardware or software changes.

Route reflector: None configured.

Synchronization (BGP and IGP): Disabled.

Table map update: Disabled.

Timers: Keepalive: 60 seconds; holdtime: 180 seconds.

(7) Nonstop Forwarding.
(8) NSF Awareness can be enabled for IPv4 on switches with the IP services feature set by enabling Graceful Restart.

Nonstop Forwarding Awareness


The BGP NSF Awareness feature is supported for IPv4 in the IP services feature set. To enable this feature
with BGP routing, you need to enable Graceful Restart. When the neighboring router is NSF-capable, and
this feature is enabled, the Layer 3 Switch continues to forward packets from the neighboring router during
the interval between the primary Route Processor (RP) in a router failing and the backup RP taking over, or
while the primary RP is manually reloaded for a nondisruptive software upgrade.
For more information, see the “BGP Nonstop Forwarding (NSF) Awareness” section of the Cisco IOS IP
Routing Protocols Configuration Guide, Release 12.4.

Information About BGP Routing


To enable BGP routing, you establish a BGP routing process and define the local network. Because BGP must
completely recognize the relationships with its neighbors, you must also specify a BGP neighbor.
BGP supports two kinds of neighbors: internal and external. Internal neighbors are in the same AS; external
neighbors are in different autonomous systems. External neighbors are usually adjacent to each other and
share a subnet, but internal neighbors can be anywhere in the same AS.
The switch supports the use of private AS numbers, usually assigned by service providers and given to systems
whose routes are not advertised to external neighbors. The private AS numbers are from 64512 to 65535. You
can configure external neighbors to remove private AS numbers from the AS path by using the neighbor
remove-private-as router configuration command. Then when an update is passed to an external neighbor,
if the AS path includes private AS numbers, these numbers are dropped.
If your AS will be passing traffic through it from another AS to a third AS, it is important to be consistent
about the routes it advertises. If BGP advertised a route before all routers in the network had learned about
the route through the IGP, the AS might receive traffic that some routers could not yet route. To prevent this
from happening, BGP must wait until the IGP has propagated information across the AS so that BGP is
synchronized with the IGP. Synchronization is enabled by default. If your AS does not pass traffic from one
AS to another AS, or if all routers in your autonomous systems are running BGP, you can disable
synchronization, which allows your network to carry fewer routes in the IGP and allows BGP to converge
more quickly.


Enabling BGP Routing


Before you begin

Note To enable BGP, the switch or stack master must be running the IP services feature set.

Procedure

Step 1: configure terminal
Purpose: Enters global configuration mode.
Example:
SwitchDevice# configure terminal

Step 2: ip routing
Purpose: Enables IP routing.
Example:
SwitchDevice(config)# ip routing

Step 3: router bgp autonomous-system
Purpose: Enables a BGP routing process, assigns it an AS number, and enters router configuration mode. The AS number can be from 1 to 65535, with 64512 to 65535 designated as private autonomous system numbers.
Example:
SwitchDevice(config)# router bgp 45000

Step 4: network network-number [mask network-mask] [route-map route-map-name]
Purpose: Configures a network as local to this AS and enters it in the BGP table.
Example:
SwitchDevice(config-router)# network 10.108.0.0

Step 5: neighbor {ip-address | peer-group-name} remote-as number
Purpose: Adds an entry to the BGP neighbor table specifying that the neighbor identified by the IP address belongs to the specified AS. For EBGP, neighbors are usually directly connected, and the IP address is the address of the interface at the other end of the connection. For IBGP, the IP address can be the address of any of the router interfaces.
Example:
SwitchDevice(config-router)# neighbor 10.108.1.2 remote-as 65200

Step 6: neighbor {ip-address | peer-group-name} remove-private-as
Purpose: (Optional) Removes private AS numbers from the AS path in outbound routing updates.
Example:
SwitchDevice(config-router)# neighbor 172.16.2.33 remove-private-as

Step 7: synchronization
Purpose: (Optional) Enables synchronization between BGP and an IGP.
Example:
SwitchDevice(config-router)# synchronization

Step 8: auto-summary
Purpose: (Optional) Enables automatic network summarization. When a subnet is redistributed from an IGP into BGP, only the network route is inserted into the BGP table.
Example:
SwitchDevice(config-router)# auto-summary

Step 9: bgp graceful-restart
Purpose: (Optional) Enables NSF awareness on the switch. By default, NSF awareness is disabled.
Example:
SwitchDevice(config-router)# bgp graceful-restart

Step 10: end
Purpose: Returns to privileged EXEC mode.
Example:
SwitchDevice(config-router)# end

Step 11: show ip bgp network network-number
Purpose: Verifies the configuration.
Example:
SwitchDevice# show ip bgp network 10.108.0.0

Step 12: show ip bgp neighbor
Purpose: Verifies that NSF awareness (Graceful Restart) is enabled on the neighbor. If NSF awareness is enabled on the switch and the neighbor, this message appears:
Graceful Restart Capability: advertised and received
If NSF awareness is enabled on the switch but not on the neighbor, this message appears:
Graceful Restart Capability: advertised
Example:
SwitchDevice# show ip bgp neighbor

Step 13: copy running-config startup-config
Purpose: (Optional) Saves your entries in the configuration file.
Example:
SwitchDevice# copy running-config startup-config

Example: Configuring BGP on Routers


These examples show how to configure BGP on the routers in the figure below.


Figure 81: EBGP, IBGP, and Multiple Autonomous Systems

Router A:

SwitchDevice(config)# router bgp 100
SwitchDevice(config-router)# neighbor 129.213.1.1 remote-as 200

Router B:

SwitchDevice(config)# router bgp 200
SwitchDevice(config-router)# neighbor 129.213.1.2 remote-as 100
SwitchDevice(config-router)# neighbor 175.220.1.2 remote-as 200

Router C:

SwitchDevice(config)# router bgp 200
SwitchDevice(config-router)# neighbor 175.220.212.1 remote-as 200
SwitchDevice(config-router)# neighbor 192.208.10.1 remote-as 300

Router D:

SwitchDevice(config)# router bgp 300
SwitchDevice(config-router)# neighbor 192.208.10.2 remote-as 200

To verify that BGP peers are running, use the show ip bgp neighbors privileged EXEC command. This is the
output of this command on Router A:

SwitchDevice# show ip bgp neighbors
BGP neighbor is 129.213.1.1, remote AS 200, external link
  BGP version 4, remote router ID 175.220.212.1
  BGP state = established, table version = 3, up for 0:10:59
  Last read 0:00:29, hold time is 180, keepalive interval is 60 seconds
  Minimum time between advertisement runs is 30 seconds
  Received 2828 messages, 0 notifications, 0 in queue
  Sent 2826 messages, 0 notifications, 0 in queue
  Connections established 11; dropped 10

Anything other than state = established means that the peers are not running. The remote router ID is the
highest IP address on that router (or the highest loopback interface). Each time the table is updated with new
information, the table version number increments. A table version number that continually increments means
that a route is flapping, causing continual routing updates.


For exterior protocols, a reference to an IP network from the network router configuration command controls
only which networks are advertised. This is in contrast to Interior Gateway Protocols (IGPs), such as EIGRP,
which also use the network command to specify where to send updates.
For detailed descriptions of BGP configuration, see the “IP Routing Protocols” part of the Cisco IOS IP
Configuration Guide, Release 12.4. For details about specific commands, see the Cisco IOS IP Command
Reference, Volume 2 of 3: Routing Protocols, Release 12.4.

Routing Policy Changes


Routing policies for a peer include all the configurations that might affect inbound or outbound routing table
updates. When you have defined two routers as BGP neighbors, they form a BGP connection and exchange
routing information. If you later change a BGP filter, weight, distance, version, or timer, or make a similar
configuration change, you must reset the BGP sessions so that the configuration changes take effect.
There are two types of reset, hard reset and soft reset. Cisco IOS Releases 12.1 and later support a soft reset
without any prior configuration. To use a soft reset without preconfiguration, both BGP peers must support
the soft route refresh capability, which is advertised in the OPEN message sent when the peers establish a
TCP session. A soft reset allows the dynamic exchange of route refresh requests and routing information
between BGP routers and the subsequent re-advertisement of the respective outbound routing table.
• When soft reset generates inbound updates from a neighbor, it is called dynamic inbound soft reset.
• When soft reset sends a set of updates to a neighbor, it is called outbound soft reset.

A soft inbound reset causes the new inbound policy to take effect. A soft outbound reset causes the new local
outbound policy to take effect without resetting the BGP session. As a new set of updates is sent during
outbound policy reset, a new inbound policy can also take effect.
The table given below lists the advantages and disadvantages of hard reset and soft reset.

Table 93: Advantages and Disadvantages of Hard and Soft Resets

Hard reset
  Advantages: No memory overhead.
  Disadvantages: The prefixes in the BGP, IP, and FIB tables provided by the neighbor are lost. Not recommended.

Outbound soft reset
  Advantages: No configuration, no storing of routing table updates.
  Disadvantages: Does not reset inbound routing table updates.

Dynamic inbound soft reset
  Advantages: Does not clear the BGP session and cache. Does not require storing of routing table updates and has no memory overhead.
  Disadvantages: Both BGP routers must support the route refresh capability (in Cisco IOS Release 12.1 and later).

Managing Routing Policy Changes


To learn if a BGP peer supports the route refresh capability and to reset the BGP session:


Procedure

Step 1: show ip bgp neighbors
Purpose: Displays whether a neighbor supports the route refresh capability. When supported, this message appears for the router:
Received route refresh capability from peer.
Example:
SwitchDevice# show ip bgp neighbors

Step 2: clear ip bgp {* | address | peer-group-name}
Purpose: Resets the routing table on the specified connection.
• Enter an asterisk (*) to specify that all connections be reset.
• Enter an IP address to specify the connection to be reset.
• Enter a peer group name to reset the peer group.
Example:
SwitchDevice# clear ip bgp *

Step 3: clear ip bgp {* | address | peer-group-name} soft out
Purpose: (Optional) Performs an outbound soft reset to reset the inbound routing table on the specified connection. Use this command if route refresh is supported.
• Enter an asterisk (*) to specify that all connections be reset.
• Enter an IP address to specify the connection to be reset.
• Enter a peer group name to reset the peer group.
Example:
SwitchDevice# clear ip bgp * soft out

Step 4: show ip bgp
Purpose: Verifies the reset by checking information about the routing table and about BGP neighbors.
Example:
SwitchDevice# show ip bgp

Step 5: show ip bgp neighbors
Purpose: Verifies the reset by checking information about the routing table and about BGP neighbors.
Example:
SwitchDevice# show ip bgp neighbors

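Step 12 of the Enabling BGP procedure, the Router A output in the configuration example, and Step 1 of the procedure above all have you read state and capability lines out of show ip bgp neighbors by eye. The Python below is an added example, not code from this guide or from Cisco: it parses that output and applies the same checks (state is established, the peer sent the route refresh capability, Graceful Restart was received as well as advertised, and the table version is not climbing between two readings). SAMPLE_OUTPUT is constructed from the guide's Router A output with the capability lines added, plus a second constructed neighbor that is not established; the Neighbor record and its field names are assumptions.

```python
"""Health checks over the output of show ip bgp neighbors.
Added example, not Cisco code: a small parser for the neighbor block
quoted in the guide plus the checks the guide tells you to make by eye.
SAMPLE_OUTPUT is constructed for this example."""
import re
from dataclasses import dataclass
from typing import List, Optional

SAMPLE_OUTPUT = """\
BGP neighbor is 129.213.1.1, remote AS 200, external link
  BGP version 4, remote router ID 175.220.212.1
  BGP state = established, table version = 3, up for 0:10:59
  Last read 0:00:29, hold time is 180, keepalive interval is 60 seconds
  Minimum time between advertisement runs is 30 seconds
  Received route refresh capability from peer.
  Graceful Restart Capability: advertised and received
  Received 2828 messages, 0 notifications, 0 in queue
  Sent 2826 messages, 0 notifications, 0 in queue
  Connections established 11; dropped 10
BGP neighbor is 175.220.1.2, remote AS 200, internal link
  BGP version 4, remote router ID 0.0.0.0
  BGP state = Active
  Graceful Restart Capability: advertised
  Connections established 0; dropped 0
"""


@dataclass
class Neighbor:
    address: str
    remote_as: int
    link: str                    # "external" or "internal"
    state: str = ""
    table_version: int = 0
    route_refresh: bool = False  # "Received route refresh capability from peer."
    gr_advertised: bool = False  # "Graceful Restart Capability: advertised ..."
    gr_received: bool = False    # "... and received"
    established: int = 0
    dropped: int = 0


def parse_neighbors(text: str) -> List[Neighbor]:
    """One Neighbor per 'BGP neighbor is ...' block."""
    neighbors: List[Neighbor] = []
    cur: Optional[Neighbor] = None
    for raw in text.splitlines():
        line = raw.strip()
        m = re.match(r"BGP neighbor is (\S+), remote AS (\d+), (external|internal) link", line)
        if m:
            cur = Neighbor(m.group(1), int(m.group(2)), m.group(3))
            neighbors.append(cur)
            continue
        if cur is None:
            continue
        m = re.match(r"BGP state = (\w+)(?:, table version = (\d+))?", line)
        if m:
            cur.state = m.group(1).lower()
            cur.table_version = int(m.group(2)) if m.group(2) else 0
        elif line.startswith("Received route refresh capability"):
            cur.route_refresh = True
        elif line.startswith("Graceful Restart Capability:"):
            caps = line.split(":", 1)[1]
            cur.gr_advertised = "advertised" in caps
            cur.gr_received = "received" in caps
        else:
            m = re.match(r"Connections established (\d+); dropped (\d+)", line)
            if m:
                cur.established, cur.dropped = int(m.group(1)), int(m.group(2))
    return neighbors


def check_neighbor(nbr: Neighbor, previous_table_version: Optional[int] = None) -> List[str]:
    """Findings for one neighbor; an empty list means nothing to report.
    previous_table_version is the value seen on an earlier reading, if any."""
    findings = []
    if nbr.state != "established":
        findings.append(f"{nbr.address}: state is '{nbr.state}', peer is not running")
    if not nbr.route_refresh:
        findings.append(f"{nbr.address}: no route refresh capability from peer, "
                        "dynamic inbound soft reset is not available")
    if nbr.gr_advertised and not nbr.gr_received:
        findings.append(f"{nbr.address}: Graceful Restart advertised only, neighbor is not NSF-capable")
    if previous_table_version is not None and nbr.table_version > previous_table_version:
        findings.append(f"{nbr.address}: table version rose from {previous_table_version} "
                        f"to {nbr.table_version}; if it keeps rising a route is flapping")
    return findings


if __name__ == "__main__":
    for n in parse_neighbors(SAMPLE_OUTPUT):
        print(n.address, n.state, check_neighbor(n) or "ok")
```

Run it twice a few minutes apart and pass the first reading's table_version as previous_table_version to the second: a version that only rises between readings is normal after a change, one that rises on every reading is the flapping the guide warns about.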
BGP Decision Attributes


When a BGP speaker receives updates from multiple autonomous systems that describe different paths to the
same destination, it must choose the single best path for reaching that destination. When chosen, the selected
path is entered into the BGP routing table and propagated to its neighbors. The decision is based on the value
of attributes that the update contains and other BGP-configurable factors.
When a BGP peer learns two EBGP paths for a prefix from a neighboring AS, it chooses the best path and
inserts that path in the IP routing table. If BGP multipath support is enabled and the EBGP paths are learned
from the same neighboring autonomous systems, instead of a single best path, multiple paths are installed in
the IP routing table. Then, during packet switching, per-packet or per-destination load-balancing is performed
among the multiple paths. The maximum-paths router configuration command controls the number of paths
allowed.
These factors summarize the order in which BGP evaluates the attributes for choosing the best path:
1. If the path specifies a next hop that is inaccessible, drop the update. The BGP next-hop attribute, automatically determined by the software, is the IP address of the next hop that is going to be used to reach a destination. For EBGP, this is usually the IP address of the neighbor specified by the neighbor remote-as router configuration command. You can disable next-hop processing by using route maps or the neighbor next-hop-self router configuration command.
2. Prefer the path with the largest weight (a Cisco proprietary parameter). The weight attribute is local to the router and not propagated in routing updates. By default, the weight attribute is 32768 for paths that the router originates and zero for other paths. Routes with the largest weight are preferred. You can use access lists, route maps, or the neighbor weight router configuration command to set weights.
3. Prefer the route with the highest local preference. Local preference is part of the routing update and exchanged among routers in the same AS. The default value of the local preference attribute is 100. You can set local preference by using the bgp default local-preference router configuration command or by using a route map.
4. Prefer the route that was originated by BGP running on the local router.
5. Prefer the route with the shortest AS path.
6. Prefer the route with the lowest origin type. An interior route or IGP is lower than a route learned by EGP, and an EGP-learned route is lower than one of unknown origin or learned in another way.
7. Prefer the route with the lowest multi-exit discriminator (MED) metric attribute if the neighboring AS is the same for all routes considered. You can configure the MED by using route maps or by using the default-metric router configuration command. When an update is sent to an IBGP peer, the MED is included.
8. Prefer the external (EBGP) path over the internal (IBGP) path.
9. Prefer the route that can be reached through the closest IGP neighbor (the lowest IGP metric). This means that the router will prefer the shortest internal path within the AS to reach the destination (the shortest path to the BGP next hop).
10. If the following conditions are all true, insert the route for this path into the IP routing table:
• Both the best route and this route are external.
• Both the best route and this route are from the same neighboring autonomous system.
• Maximum-paths is enabled.
11. If multipath is not enabled, prefer the route with the lowest IP address value for the BGP router ID. The router ID is usually the highest IP address on the router or the loopback (virtual) address, but might be implementation-specific.


Configuring BGP Decision Attributes


Procedure

Step 1: configure terminal
Purpose: Enters global configuration mode.
Example:
SwitchDevice# configure terminal

Step 2: router bgp autonomous-system
Purpose: Enables a BGP routing process, assigns it an AS number, and enters router configuration mode.
Example:
SwitchDevice(config)# router bgp 4500

Step 3: bgp bestpath as-path ignore
Purpose: (Optional) Configures the router to ignore AS path length in selecting a route.
Example:
SwitchDevice(config-router)# bgp bestpath as-path ignore

Step 4: neighbor {ip-address | peer-group-name} next-hop-self
Purpose: (Optional) Disables next-hop processing on BGP updates to a neighbor by entering a specific IP address to be used instead of the next-hop address.
Example:
SwitchDevice(config-router)# neighbor 10.108.1.1 next-hop-self

Step 5: neighbor {ip-address | peer-group-name} weight weight
Purpose: (Optional) Assigns a weight to a neighbor connection. Acceptable values are from 0 to 65535; the largest weight is the preferred route. Routes learned through another BGP peer have a default weight of 0; routes sourced by the local router have a default weight of 32768.
Example:
SwitchDevice(config-router)# neighbor 172.16.12.1 weight 50

Step 6: default-metric number
Purpose: (Optional) Sets a MED metric to set preferred paths to external neighbors. All routes without a MED will also be set to this value. The range is 1 to 4294967295. The lowest value is the most desirable.
Example:
SwitchDevice(config-router)# default-metric 300

Step 7: bgp bestpath med missing-as-worst
Purpose: (Optional) Configures the switch to consider a missing MED as having a value of infinity, making the path without a MED value the least desirable path.
Example:
SwitchDevice(config-router)# bgp bestpath med missing-as-worst

Step 8: bgp always-compare-med
Purpose: (Optional) Configures the switch to compare MEDs for paths from neighbors in different autonomous systems. By default, MED comparison is only done among paths in the same AS.
Example:

SwitchDevice(config-router)# bgp always-compare-med

Step 9: bgp bestpath med confed
Purpose: (Optional) Configures the switch to consider the MED in choosing a path from among those advertised by different subautonomous systems within a confederation.
Example:
SwitchDevice(config-router)# bgp bestpath med confed

Step 10: bgp deterministic-med
Purpose: (Optional) Configures the switch to consider the MED variable when choosing among routes advertised by different peers in the same AS.
Example:
SwitchDevice(config-router)# bgp deterministic-med

Step 11: bgp default local-preference value
Purpose: (Optional) Changes the default local preference value. The range is 0 to 4294967295; the default value is 100. The highest local preference value is preferred.
Example:
SwitchDevice(config-router)# bgp default local-preference 200

Step 12: maximum-paths number
Purpose: (Optional) Configures the number of paths to be added to the IP routing table. The default is to only enter the best path in the routing table. The range is from 1 to 16. Having multiple paths allows load-balancing among the paths. (Although the switch software allows a maximum of 32 equal-cost routes, the switch hardware will never use more than 16 paths per route.)
Example:
SwitchDevice(config-router)# maximum-paths 8

Step 13: end
Purpose: Returns to privileged EXEC mode.
Example:
SwitchDevice(config-router)# end

Step 14: show ip bgp
Purpose: Verifies the reset by checking information about the routing table and about BGP neighbors.
Example:
SwitchDevice# show ip bgp

Step 15: show ip bgp neighbors
Purpose: Verifies the reset by checking information about the routing table and about BGP neighbors.
Example:
SwitchDevice# show ip bgp neighbors

Step 16: copy running-config startup-config
Purpose: (Optional) Saves your entries in the configuration file.
Example:
SwitchDevice# copy running-config startup-config

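The evaluation order listed under BGP Decision Attributes and the knobs set in the procedure above (bgp bestpath as-path ignore, bgp always-compare-med, bgp bestpath med missing-as-worst, neighbor weight, bgp default local-preference, maximum-paths) can be exercised together on a set of candidate paths. The Python below is an added example, not Cisco code and not part of this guide: the Path and BestPathConfig records and their field names are assumptions, and the paths used in the tests are constructed. It follows the guide's steps in order, dropping paths whose next hop is unreachable first and falling through to the lowest router ID last.

```python
"""Model of the BGP best-path decision as the guide lists it (steps 1 to 11),
with the tunables from the "Configuring BGP Decision Attributes" procedure.
Added example, not Cisco code; record layout and field names are assumptions."""
from dataclasses import dataclass
from typing import List, Optional

ORIGIN_RANK = {"igp": 0, "egp": 1, "incomplete": 2}   # step 6: lower is better
MED_INFINITY = 2**32 - 1                               # bgp bestpath med missing-as-worst


@dataclass
class Path:
    prefix: str
    next_hop: str
    neighbor_as: int            # AS of the neighbor the path was learned from
    as_path: List[int]
    router_id: str              # BGP router ID of the advertising peer
    weight: int = 0             # 32768 for locally sourced routes, 0 otherwise
    local_pref: int = 100
    origin: str = "igp"
    med: Optional[int] = None   # None means the MED attribute is missing
    local_origin: bool = False  # originated by BGP on this router
    ebgp: bool = True
    igp_metric: int = 0         # IGP cost to reach next_hop


@dataclass
class BestPathConfig:
    as_path_ignore: bool = False        # bgp bestpath as-path ignore
    always_compare_med: bool = False    # bgp always-compare-med
    med_missing_as_worst: bool = False  # bgp bestpath med missing-as-worst
    maximum_paths: int = 1              # maximum-paths number


def _ip_key(addr: str):
    return tuple(int(o) for o in addr.split("."))


def effective_med(p: Path, cfg: BestPathConfig) -> int:
    if p.med is not None:
        return p.med
    return MED_INFINITY if cfg.med_missing_as_worst else 0


def compare(a: Path, b: Path, cfg: BestPathConfig) -> int:
    """+1 if a beats b, -1 if b beats a, 0 if steps 2 to 9 all tie."""
    if a.weight != b.weight:                                            # step 2
        return 1 if a.weight > b.weight else -1
    if a.local_pref != b.local_pref:                                    # step 3
        return 1 if a.local_pref > b.local_pref else -1
    if a.local_origin != b.local_origin:                                # step 4
        return 1 if a.local_origin else -1
    if not cfg.as_path_ignore and len(a.as_path) != len(b.as_path):    # step 5
        return 1 if len(a.as_path) < len(b.as_path) else -1
    if ORIGIN_RANK[a.origin] != ORIGIN_RANK[b.origin]:                  # step 6
        return 1 if ORIGIN_RANK[a.origin] < ORIGIN_RANK[b.origin] else -1
    if cfg.always_compare_med or a.neighbor_as == b.neighbor_as:        # step 7
        ma, mb = effective_med(a, cfg), effective_med(b, cfg)
        if ma != mb:
            return 1 if ma < mb else -1
    if a.ebgp != b.ebgp:                                                # step 8
        return 1 if a.ebgp else -1
    if a.igp_metric != b.igp_metric:                                    # step 9
        return 1 if a.igp_metric < b.igp_metric else -1
    return 0


def better(a: Path, b: Path, cfg: BestPathConfig) -> bool:
    c = compare(a, b, cfg)
    if c != 0:
        return c > 0
    return _ip_key(a.router_id) < _ip_key(b.router_id)                 # step 11: lowest router ID


def select(paths: List[Path], reachable: set, cfg: BestPathConfig) -> List[Path]:
    """Paths installed in the IP routing table, best path first."""
    usable = [p for p in paths if p.next_hop in reachable]             # step 1: unreachable next hop
    if not usable:
        return []
    best = usable[0]
    for p in usable[1:]:
        if better(p, best, cfg):
            best = p
    installed = [best]
    if cfg.maximum_paths > 1:                                           # step 10: multipath
        for p in usable:
            if len(installed) >= cfg.maximum_paths:
                break
            if (p is not best and p.ebgp and best.ebgp
                    and p.neighbor_as == best.neighbor_as
                    and compare(p, best, cfg) == 0):
                installed.append(p)
    return installed
```

With maximum-paths greater than 1, a second EBGP path from the same neighboring AS is installed only when steps 2 to 9 tie; the guide's step 10 states only the external and same-AS conditions, and the tie requirement is an assumption added here so that the model does not load-balance across paths the earlier steps already ranked.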
Route Maps
Within BGP, route maps can be used to control and to modify routing information and to define the conditions
by which routes are redistributed between routing domains. See the “Using Route Maps to Redistribute Routing
Information” section for more information about route maps. Each route map has a name that identifies the
route map (map tag) and an optional sequence number.

Configuring BGP Filtering with Route Maps


Procedure

Step 1: configure terminal
Purpose: Enters global configuration mode.
Example:
SwitchDevice# configure terminal

Step 2: route-map map-tag [permit | deny] [sequence-number]
Purpose: Creates a route map and enters route-map configuration mode.
Example:
SwitchDevice(config)# route-map set-peer-address permit 10

Step 3: set ip next-hop ip-address [...ip-address] [peer-address]
Purpose: (Optional) Sets a route map to disable next-hop processing.
• In an inbound route map, set the next hop of matching routes to be the neighbor peering address, overriding third-party next hops.
• In an outbound route map of a BGP peer, set the next hop to the peering address of the local router, disabling the next-hop calculation.
Example:
SwitchDevice(config-route-map)# set ip next-hop 10.1.1.3

Step 4: end
Purpose: Returns to privileged EXEC mode.
Example:
SwitchDevice(config-route-map)# end

Step 5: show route-map [map-name]
Purpose: Displays all route maps configured, or only the one specified, to verify the configuration.
Example:
SwitchDevice# show route-map


Step 6 copy running-config startup-config (Optional) Saves your entries in the configuration file.
Example:

SwitchDevice# copy running-config startup-config

BGP Filtering
You can filter BGP advertisements by using AS-path filters, such as the as-path access-list global configuration
command and the neighbor filter-list router configuration command. You can also use access lists with the
neighbor distribute-list router configuration command. Distribute-list filters are applied to network numbers.
See the “Controlling Advertising and Processing in Routing Updates” section for information about the
distribute-list command.
You can use route maps on a per-neighbor basis to filter updates and to modify various attributes. A route
map can be applied to either inbound or outbound updates. Only the routes that pass the route map are sent
or accepted in updates. On both inbound and outbound updates, matching is supported based on AS path,
community, and network numbers. Autonomous system path matching requires the match as-path access-list
route-map command, community based matching requires the match community-list route-map command,
and network-based matching requires the ip access-list global configuration command.

Configuring BGP Filtering by Neighbor


Procedure

Command or Action Purpose


Step 1 configure terminal Enters the global configuration mode.
Example:

SwitchDevice# configure terminal

Step 2 router bgp autonomous-system Enables a BGP routing process, assigns it an AS number,
and enters router configuration mode.
Example:

SwitchDevice(config)# router bgp 109

Step 3 neighbor {ip-address | peer-group name} distribute-list {access-list-number | name} {in | out} (Optional) Filters BGP routing updates to or from neighbors
as specified in an access list.
Note You can also use the neighbor prefix-list router configuration command to filter updates, but you
cannot use both commands to configure the same BGP peer.
Example:

SwitchDevice(config-router)# neighbor 172.16.4.1 distribute-list 39 in

Step 4 neighbor {ip-address | peer-group name} route-map map-tag {in | out} (Optional) Applies a route map to filter an incoming or
outgoing route.
Example:

SwitchDevice(config-router)# neighbor 172.16.70.24 route-map internal-map in

Step 5 end Returns to privileged EXEC mode.
Example:

SwitchDevice(config-router)# end

Step 6 show ip bgp neighbors Verifies the configuration.


Example:

SwitchDevice# show ip bgp neighbors

Step 7 copy running-config startup-config (Optional) Saves your entries in the configuration file.
Example:

SwitchDevice# copy running-config startup-config

Configuring BGP Filtering by Access Lists and Neighbors


Another method of filtering is to specify an access list filter on both incoming and outgoing updates, based
on the BGP autonomous system paths. Each filter is an access list based on regular expressions. (See the
“Regular Expressions” appendix in the Cisco IOS Dial Technologies Command Reference, Release 12.4 for
more information on forming regular expressions.) To use this method, define an autonomous system path
access list, and apply it to updates to and from particular neighbors.

Procedure

Command or Action Purpose


Step 1 configure terminal Enters the global configuration mode.
Example:

SwitchDevice# configure terminal

Step 2 ip as-path access-list access-list-number {permit | deny} as-regular-expression Defines a BGP-related access list.
Example:

SwitchDevice(config)# ip as-path access-list 1 deny _65535_

Step 3 router bgp autonomous-system Enters BGP router configuration mode.
Example:

SwitchDevice(config)# router bgp 110

Step 4 neighbor {ip-address | peer-group name} filter-list {access-list-number | name} {in | out | weight weight} Establishes a BGP filter based on an access list.
Example:

SwitchDevice(config-router)# neighbor 172.16.1.1 filter-list 1 out

Step 5 end Returns to privileged EXEC mode.
Example:

SwitchDevice(config-router)# end

Step 6 show ip bgp neighbors [paths regular-expression] Verifies the configuration.


Example:

SwitchDevice# show ip bgp neighbors

Step 7 copy running-config startup-config (Optional) Saves your entries in the configuration file.
Example:

SwitchDevice# copy running-config startup-config
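The regular-expression dialect used by ip as-path access-list differs from ordinary regex in one important way: the underscore matches a token boundary (start or end of the path, a space, a comma, or the braces and parentheses that delimit AS_SET and confederation segments), so _65535_ matches AS 65535 as a whole token and not AS 655350. The page's own list also contains only a deny entry, which, because of the implicit deny at the end of every access list, blocks every path until a permit entry is added. The following Python model is an added example, not code from the guide or from Cisco; the trailing "permit .*" entry and the sample AS paths are assumptions constructed for the demonstration.

```python
import re
from typing import List, Tuple

# In the IOS AS-path regular expression dialect, "_" stands for a token
# boundary: the beginning or end of the path, a space, a comma, or one of
# the brace/parenthesis characters that delimit AS_SET and confederation
# segments. Python's re has no such atom, so it is expanded here.
_IOS_UNDERSCORE = r"(?:^|$|[ ,{}()])"


def ios_regex_to_python(pattern: str) -> str:
    """Translate an IOS AS-path regular expression into Python re syntax."""
    return pattern.replace("_", _IOS_UNDERSCORE)


def as_path_matches(pattern: str, as_path: str) -> bool:
    """True if the IOS pattern matches anywhere in the AS path string.

    as_path is the path as printed by `show ip bgp`, e.g. "100 65535 200";
    an empty string is a locally originated (or IBGP-learned) route.
    """
    return re.search(ios_regex_to_python(pattern), as_path) is not None


class AsPathAccessList:
    """Model of `ip as-path access-list N {permit|deny} regex`.

    Entries are evaluated in configuration order; the first entry whose
    regex matches decides, and a path that matches no entry is denied.
    """

    def __init__(self, entries: List[Tuple[str, str]]) -> None:
        self.entries = [(action, re.compile(ios_regex_to_python(rx)))
                        for action, rx in entries]

    def permits(self, as_path: str) -> bool:
        for action, compiled in self.entries:
            if compiled.search(as_path):
                return action == "permit"
        return False  # implicit deny at the end of every access list


def apply_filter_list(acl: AsPathAccessList, paths: List[str]) -> List[str]:
    """Return the paths that survive `neighbor ... filter-list N {in|out}`."""
    return [p for p in paths if acl.permits(p)]


# Constructed sample AS paths; not taken from a real routing table.
SAMPLE_PATHS = ["100 200", "100 65535", "65535", "100 655350", "", "1 65535 2"]

# The page's single entry, exactly as typed: "ip as-path access-list 1 deny _65535_".
# On its own it denies every path because of the implicit deny.
DENY_ONLY = AsPathAccessList([("deny", "_65535_")])

# The usable form of the same list adds a trailing "permit .*" (assumed here;
# the page does not show it).
DENY_65535_PERMIT_REST = AsPathAccessList([("deny", "_65535_"), ("permit", ".*")])

if __name__ == "__main__":
    print("deny-only list passes:", apply_filter_list(DENY_ONLY, SAMPLE_PATHS))
    print("deny + permit .* passes:", apply_filter_list(DENY_65535_PERMIT_REST, SAMPLE_PATHS))
```

The same translation shows why anchoring matters: `_65535$` matches only routes originated by AS 65535 (it is the last AS in the path), while `^65535_` matches everything learned directly from a peer in AS 65535, and `^$` matches the empty path of locally originated routes.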

Prefix List for BGP Filtering


You can use prefix lists as an alternative to access lists in many BGP route filtering commands, including the
neighbor distribute-list router configuration command. The advantages of using prefix lists include
performance improvements in loading and lookup of large lists, incremental update support, easier CLI
configuration, and greater flexibility.
Filtering by a prefix list involves matching the prefixes of routes with those listed in the prefix list, as when
matching access lists. When there is a match, the route is used. Whether a prefix is permitted or denied is
based upon these rules:
• An empty prefix list permits all prefixes.
• An implicit deny is assumed if a given prefix does not match any entries in a prefix list.
• When multiple entries of a prefix list match a given prefix, the sequence number of a prefix list entry
identifies the entry with the lowest sequence number.

By default, sequence numbers are generated automatically and incremented in units of five. If you disable the
automatic generation of sequence numbers, you must specify the sequence number for each entry. You can
specify sequence values in any increment. If you specify increments of one, you cannot insert additional
entries into the list; if you choose very large increments, you might run out of values.

Configuring Prefix Lists for BGP Filtering


You do not need to specify a sequence number when removing a configuration entry. Show commands include
the sequence numbers in their output.
Before using a prefix list in a command, you must set up the prefix list.

Procedure

Command or Action Purpose


Step 1 configure terminal Enters the global configuration mode.
Example:

SwitchDevice# configure terminal

Step 2 ip prefix-list list-name [seq seq-value] {deny | permit} network/len [ge ge-value] [le le-value] Creates a prefix list with an optional sequence number to
deny or permit access for matching conditions. You must enter at least one permit or deny clause.
• network/len is the network number and length (in bits) of the network mask.
• (Optional) ge and le values specify the range of the prefix length to be matched. The specified ge-value
and le-value must satisfy this condition: len < ge-value <= le-value <= 32.
Example:

SwitchDevice(config)# ip prefix-list BLUE permit 172.16.1.0/24

Step 3 ip prefix-list list-name seq seq-value {deny | permit} network/len [ge ge-value] [le le-value] (Optional) Adds an entry to a prefix list, and assigns a
sequence number to the entry.
Example:

SwitchDevice(config)# ip prefix-list BLUE seq 10 permit 172.24.1.0/24

Step 4 end Returns to privileged EXEC mode.


Example:

SwitchDevice(config)# end

Step 5 show ip prefix-list [detail | summary] name [network/len] [seq seq-num] [longer] [first-match] Verifies the configuration by displaying information about
a prefix list or prefix list entries.
Example:

SwitchDevice# show ip prefix-list summary test

Step 6 copy running-config startup-config (Optional) Saves your entries in the configuration file.
Example:

SwitchDevice# copy running-config startup-config
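The matching rules above (exact length unless ge/le is given, lowest sequence number wins, empty list permits all, implicit deny otherwise) and the len < ge <= le <= 32 constraint are easy to get wrong when writing an inbound filter, and a wrong prefix list either leaks more-specifics or silently drops the routes you wanted. The following Python model is an added example, not code from the guide or from Cisco; it rebuilds the page's BLUE list and adds a constructed INBOUND-GUARD list (an assumption, not from the page) that rejects the default route and anything longer than a /24, which is a common ingress policy toward an EBGP peer.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class PrefixListEntry:
    seq: int
    action: str                           # "permit" or "deny"
    network: ipaddress.IPv4Network        # the network/len part of the entry
    ge: Optional[int] = None
    le: Optional[int] = None

    def matches(self, prefix: ipaddress.IPv4Network) -> bool:
        """The route must lie inside network/len and its own length must
        fall in the range ge/le define; with neither keyword only an
        exact-length match counts."""
        if not prefix.subnet_of(self.network):
            return False
        plen = self.network.prefixlen
        low = self.ge if self.ge is not None else plen
        if self.le is not None:
            high = self.le
        else:
            high = 32 if self.ge is not None else plen
        return low <= prefix.prefixlen <= high


class PrefixList:
    """Model of `ip prefix-list NAME [seq N] {permit|deny} net/len [ge G] [le L]`."""

    def __init__(self, name: str) -> None:
        self.name = name
        self.entries: List[PrefixListEntry] = []   # kept sorted by seq

    def _next_seq(self) -> int:
        # Automatic numbering in units of five: the next multiple of five
        # above the highest existing sequence number (5 for an empty list).
        highest = max((e.seq for e in self.entries), default=0)
        return (highest // 5) * 5 + 5

    def add(self, action: str, network: str, ge: Optional[int] = None,
            le: Optional[int] = None, seq: Optional[int] = None) -> int:
        if action not in ("permit", "deny"):
            raise ValueError("action must be permit or deny")
        net = ipaddress.ip_network(network, strict=True)
        plen = net.prefixlen
        # The constraint the page states: len < ge-value <= le-value <= 32.
        if ge is not None and not (plen < ge <= 32):
            raise ValueError(f"ge {ge} must satisfy {plen} < ge <= 32")
        if le is not None and not (plen < le <= 32):
            raise ValueError(f"le {le} must satisfy {plen} < le <= 32")
        if ge is not None and le is not None and ge > le:
            raise ValueError("ge-value must not exceed le-value")
        if seq is None:
            seq = self._next_seq()
        # Re-using a sequence number replaces that entry.
        self.entries = [e for e in self.entries if e.seq != seq]
        self.entries.append(PrefixListEntry(seq, action, net, ge, le))
        self.entries.sort(key=lambda e: e.seq)
        return seq

    def remove(self, seq: int) -> None:
        self.entries = [e for e in self.entries if e.seq != seq]

    def evaluate(self, prefix: str) -> Tuple[str, Optional[int]]:
        """Return (decision, matching seq). Empty list permits everything;
        the matching entry with the lowest sequence number wins; a prefix
        that matches no entry is implicitly denied."""
        if not self.entries:
            return ("permit", None)
        target = ipaddress.ip_network(prefix, strict=True)
        for entry in self.entries:
            if entry.matches(target):
                return (entry.action, entry.seq)
        return ("deny", None)


def build_blue() -> PrefixList:
    """The page's BLUE list: permit 172.16.1.0/24, then seq 10 permit 172.24.1.0/24."""
    blue = PrefixList("BLUE")
    blue.add("permit", "172.16.1.0/24")         # receives seq 5 automatically
    blue.add("permit", "172.24.1.0/24", seq=10)
    return blue


def build_inbound_guard() -> PrefixList:
    """Constructed inbound policy (not from the page): reject the default
    route and anything more specific than a /24, accept everything else."""
    guard = PrefixList("INBOUND-GUARD")
    guard.add("deny", "0.0.0.0/0")               # exact match: the default route only
    guard.add("deny", "0.0.0.0/0", ge=25)        # any prefix of length 25..32
    guard.add("permit", "0.0.0.0/0", le=24)      # lengths 0..24 (default already denied above)
    return guard
```

Note that `permit 0.0.0.0/0` alone matches only the default route, `permit 0.0.0.0/0 le 32` matches every IPv4 prefix, and `permit 10.0.0.0/8 ge 8` is rejected by the length check because ge must be strictly greater than len.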

BGP Community Filtering


One way that BGP controls the distribution of routing information is based on the value of the COMMUNITIES
attribute. The attribute is a way to group destinations into communities and to apply routing decisions based
on the communities. This method simplifies configuration of a BGP speaker to control distribution of routing
information.
A community is a group of destinations that share some common attribute. Each destination can belong to
multiple communities. AS administrators can define to which communities a destination belongs. By default,
all destinations belong to the general Internet community. The community is identified by the COMMUNITIES
attribute, an optional, transitive, global attribute in the numerical range from 1 to 4294967200. These are some
predefined, well-known communities:
• internet—Advertise this route to the Internet community. All routers belong to it.
• no-export—Do not advertise this route to EBGP peers.
• no-advertise—Do not advertise this route to any peer (internal or external).
• local-as—Do not advertise this route to peers outside the local autonomous system.

Based on the community, you can control which routing information to accept, prefer, or distribute to other
neighbors. A BGP speaker can set, append, or modify the community of a route when learning, advertising,
or redistributing routes. When routes are aggregated, the resulting aggregate has a COMMUNITIES attribute
that contains all communities from all the initial routes.
You can use community lists to create groups of communities to use in a match clause of a route map. As
with an access list, a series of community lists can be created. Statements are checked until a match is found.
As soon as one statement is satisfied, the test is concluded.
To set the COMMUNITIES attribute and match clauses based on communities, see the match community-list
and set community route-map configuration commands in the “Using Route Maps to Redistribute Routing
Information” section.

Configuring BGP Community Filtering


By default, no COMMUNITIES attribute is sent to a neighbor. You can specify that the COMMUNITIES
attribute be sent to the neighbor at an IP address by using the neighbor send-community router configuration
command.

SUMMARY STEPS
1. configure terminal
2. ip community-list community-list-number {permit | deny} community-number

3. router bgp autonomous-system


4. neighbor {ip-address | peer-group name} send-community
5. set comm-list list-num delete
6. exit
7. ip bgp-community new-format
8. end
9. show ip bgp community
10. copy running-config startup-config

DETAILED STEPS

Command or Action Purpose


Step 1 configure terminal Enters the global configuration mode.
Example:

SwitchDevice# configure terminal

Step 2 ip community-list community-list-number {permit | deny} community-number Creates a community list, and assigns it a number.
• The community-list-number is an integer from 1 to 99 that identifies one or more permit or deny groups
of communities.
• The community-number is the number configured by a set community route-map configuration command.
Example:

SwitchDevice(config)# ip community-list 1 permit 50000:10

Step 3 router bgp autonomous-system Enters BGP router configuration mode.


Example:

SwitchDevice(config)# router bgp 108

Step 4 neighbor {ip-address | peer-group name} send-community Specifies that the COMMUNITIES attribute be sent to the
neighbor at this IP address.
Example:

SwitchDevice(config-router)# neighbor 172.16.70.23 send-community

Step 5 set comm-list list-num delete (Optional) Removes communities from the community attribute of an inbound or outbound
update that match a standard or extended community list. This is a route-map configuration command; enter it in the
route map that is applied to the neighbor.
Example:

SwitchDevice(config-route-map)# set comm-list 500 delete

Step 6 exit Returns to global configuration mode.
Example:

SwitchDevice(config-route-map)# exit

Step 7 ip bgp-community new-format (Optional) Displays and parses BGP communities in the format AA:NN.
A BGP community is a 4-byte value displayed as two 2-byte parts. The Cisco default community format is
NNAA (a single decimal number). In the most recent RFC for BGP, a community takes the form AA:NN, where the
first part is the AS number and the second part is a 2-byte number.
Example:

SwitchDevice(config)# ip bgp-community new-format

Step 8 end Returns to privileged EXEC mode.


Example:

SwitchDevice(config)# end

Step 9 show ip bgp community Verifies the configuration.


Example:

SwitchDevice# show ip bgp community

Step 10 copy running-config startup-config (Optional) Saves your entries in the configuration file.
Example:

SwitchDevice# copy running-config startup-config
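The two display formats are the same 32-bit value: AA:NN is AA * 65536 + NN, so the page's 50000:10 is 3276800010 in the default NNAA form, and a community list written one way does not match a route whose communities were typed the other way. The following Python model is an added example, not code from the guide or from Cisco; it encodes and decodes communities, evaluates a standard community list with first-match and implicit-deny semantics, models what set comm-list delete removes, and applies the well-known communities to an outbound update. The sample community sets are constructed for the demonstration.

```python
from typing import List, Set, Tuple

# RFC 1997 well-known community values, with the IOS keywords for them.
WELL_KNOWN = {
    "internet": 0x00000000,      # IOS keyword "internet": advertise everywhere
    "no-export": 0xFFFFFF01,     # NO_EXPORT: do not send to EBGP peers
    "no-advertise": 0xFFFFFF02,  # NO_ADVERTISE: do not send to any peer
    "local-as": 0xFFFFFF03,      # NO_EXPORT_SUBCONFED: keep inside the local (sub-)AS
}
# Values IOS prints by name; 0 is shown numerically (assumption for this model).
_NAME_BY_VALUE = {v: k for k, v in WELL_KNOWN.items() if v != 0}


def parse_community(text: str) -> int:
    """Accept AA:NN (new-format), a well-known keyword, or the legacy NNAA
    decimal form, and return the 32-bit attribute value."""
    if text in WELL_KNOWN:
        return WELL_KNOWN[text]
    if ":" in text:
        aa, nn = (int(part) for part in text.split(":", 1))
        if not (0 <= aa <= 0xFFFF and 0 <= nn <= 0xFFFF):
            raise ValueError("AA and NN must each fit in 16 bits")
        return (aa << 16) | nn
    value = int(text)
    if not (0 <= value <= 0xFFFFFFFF):
        raise ValueError("community must fit in 32 bits")
    return value


def format_community(value: int, new_format: bool = True) -> str:
    """Render as IOS does with or without `ip bgp-community new-format`."""
    if value in _NAME_BY_VALUE:
        return _NAME_BY_VALUE[value]
    if new_format:
        return f"{value >> 16}:{value & 0xFFFF}"
    return str(value)


class CommunityList:
    """Standard community list: an entry lists one or more communities and
    matches a route only when the route carries all of them. Entries are
    checked in order, the first match decides, and there is an implicit deny."""

    def __init__(self, entries: List[Tuple[str, str]]) -> None:
        # entries look like [("permit", "50000:10"), ("deny", "50000:20 no-export")]
        self.entries = [(action, {parse_community(t) for t in spec.split()})
                        for action, spec in entries]

    def permits(self, communities: Set[int]) -> bool:
        for action, needed in self.entries:
            if needed <= communities:
                return action == "permit"
        return False


def comm_list_delete(communities: Set[int], clist: CommunityList) -> Set[int]:
    """`set comm-list N delete`: drop every community that the list, evaluated
    against that single community, permits."""
    return {c for c in communities if not clist.permits({c})}


def should_advertise(communities: Set[int], peer_kind: str) -> bool:
    """Effect of the well-known communities on an outbound update.

    peer_kind is "ibgp", "confed-ebgp" (another sub-AS of the same
    confederation) or "ebgp" (outside the AS or confederation).
    """
    if WELL_KNOWN["no-advertise"] in communities:
        return False
    if WELL_KNOWN["local-as"] in communities and peer_kind != "ibgp":
        return False
    if WELL_KNOWN["no-export"] in communities and peer_kind == "ebgp":
        return False
    return True


# The page's list: "ip community-list 1 permit 50000:10".
LIST_1 = CommunityList([("permit", "50000:10")])

if __name__ == "__main__":
    route = {parse_community("50000:10"), parse_community("50000:20")}   # constructed
    print(sorted(format_community(c) for c in route))
    print("list 1 permits route:", LIST_1.permits(route))
    print("after set comm-list 1 delete:",
          sorted(format_community(c) for c in comm_list_delete(route, LIST_1)))
```

Because the attribute is not sent at all until neighbor send-community is configured, a downstream filter that relies on it fails open rather than closed; check show ip bgp neighbors for "Community attribute sent to this neighbor" when a community-based policy does not take effect.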

BGP Neighbors and Peer Groups


Often many BGP neighbors are configured with the same update policies (that is, the same outbound route
maps, distribute lists, filter lists, update source, and so on). Neighbors with the same update policies can be
grouped into peer groups to simplify configuration and to make updating more efficient. When you have
configured many peers, we recommend this approach.
To configure a BGP peer group, you create the peer group, assign options to the peer group, and add neighbors
as peer group members. You configure the peer group by using the neighbor router configuration commands.
By default, peer group members inherit all the configuration options of the peer group, including the remote-as
(if configured), version, update-source, out-route-map, out-filter-list, out-dist-list,
minimum-advertisement-interval, and next-hop-self. All peer group members also inherit changes made to
the peer group. Members can also be configured to override the options that do not affect outbound updates.

Configuring BGP Neighbors and Peer Groups


To assign configuration options to an individual neighbor, specify any of these router configuration commands
by using the neighbor IP address. To assign the options to a peer group, specify any of the commands by using
the peer group name. You can disable a BGP peer or peer group without removing all the configuration
information by using the neighbor shutdown router configuration command.

Procedure

Command or Action Purpose


Step 1 configure terminal Enters the global configuration mode.
Example:

SwitchDevice# configure terminal

Step 2 router bgp autonomous-system Enters BGP router configuration mode.

Step 3 neighbor peer-group-name peer-group Creates a BGP peer group.

Step 4 neighbor ip-address peer-group peer-group-name Makes a BGP neighbor a member of the peer group.

Step 5 neighbor {ip-address | peer-group-name} remote-as Specifies a BGP neighbor. If a peer group is not configured
number with a remote-as number, use this command to create peer
groups containing EBGP neighbors. The range is 1 to
65535.

Step 6 neighbor {ip-address | peer-group-name} description (Optional) Associates a description with a neighbor.
text
Step 7 neighbor {ip-address | peer-group-name} (Optional) Allows a BGP speaker (the local router) to send
default-originate [route-map map-name] the default route 0.0.0.0 to a neighbor for use as a default
route.

Step 8 neighbor {ip-address | peer-group-name} (Optional) Specifies that the COMMUNITIES attribute
send-community be sent to the neighbor at this IP address.

Step 9 neighbor {ip-address | peer-group-name} update-source (Optional) Allows internal BGP sessions to use any
interface operational interface for TCP connections.

Step 10 neighbor {ip-address | peer-group-name} ebgp-multihop (Optional) Allows BGP sessions, even when the neighbor
is not on a directly connected segment. The multihop
session is not established if the only route to the multihop
peer’s address is the default route (0.0.0.0).

Step 11 neighbor {ip-address | peer-group-name} local-as number (Optional) Specifies an AS number to use as the local AS.
The range is 1 to 65535.

Step 12 neighbor {ip-address | peer-group-name} (Optional) Sets the minimum interval between sending
advertisement-interval seconds BGP routing updates.

Step 13 neighbor {ip-address | peer-group-name} (Optional) Controls how many prefixes can be received
maximum-prefix maximum [threshold] from a neighbor. The range is 1 to 4294967295. The
threshold (optional) is the percentage of maximum at which
a warning message is generated. The default is 75 percent.

Step 14 neighbor {ip-address | peer-group-name} next-hop-self (Optional) Disables next-hop processing on the BGP
updates to a neighbor.

Step 15 neighbor {ip-address | peer-group-name} password string (Optional) Sets MD5 authentication on a TCP connection
to a BGP peer. The same password must be configured on both BGP peers, or the connection between them is not
made.

Step 16 neighbor {ip-address | peer-group-name} route-map (Optional) Applies a route map to incoming or outgoing
map-name {in | out} routes.

Step 17 neighbor {ip-address | peer-group-name} (Optional) Specifies that the COMMUNITIES attribute
send-community be sent to the neighbor at this IP address.

Step 18 neighbor {ip-address | peer-group-name} timers keepalive (Optional) Sets timers for the neighbor or peer group.
holdtime
• The keepalive interval is the time within which
keepalive messages are sent to peers. The range is 1
to 4294967295 seconds; the default is 60.
• The holdtime is the interval after which a peer is
declared inactive after not receiving a keepalive
message from it. The range is 1 to 4294967295
seconds; the default is 180.

Step 19 neighbor {ip-address | peer-group-name} weight weight (Optional) Specifies a weight for all routes from a
neighbor.

Step 20 neighbor {ip-address | peer-group-name} distribute-list (Optional) Filter BGP routing updates to or from neighbors,
{access-list-number | name} {in | out} as specified in an access list.

Step 21 neighbor {ip-address | peer-group-name} filter-list access-list-number {in | out | weight weight} (Optional) Establishes a BGP filter.
Step 22 neighbor {ip-address | peer-group-name} version value (Optional) Specifies the BGP version to use when
communicating with a neighbor.

Step 23 neighbor {ip-address | peer-group-name} (Optional) Configures the software to start storing received
soft-reconfiguration inbound updates.

Step 24 end Returns to privileged EXEC mode.


Example:

SwitchDevice(config)# end

Step 25 show ip bgp neighbors Verifies the configuration.

Step 26 copy running-config startup-config (Optional) Saves your entries in the configuration file.
Example:

SwitchDevice# copy running-config startup-config

Aggregate Routes
Classless interdomain routing (CIDR) enables you to create aggregate routes (or supernets) to minimize the
size of routing tables. You can configure aggregate routes in BGP either by redistributing an aggregate route
into BGP or by creating an aggregate entry in the BGP routing table. An aggregate address is added to the
BGP table when there is at least one more specific entry in the BGP table.

Configuring Aggregate Addresses in a Routing Table


Procedure

Command or Action Purpose


Step 1 configure terminal Enters the global configuration mode.
Example:

SwitchDevice# configure terminal

Step 2 router bgp autonomous-system Enters BGP router configuration mode.


Example:

SwitchDevice(config)# router bgp 106

Step 3 aggregate-address address mask Creates an aggregate entry in the BGP routing table. The aggregate route is advertised
as coming from the AS, and the atomic aggregate attribute is set to indicate that information might be missing.
Example:

SwitchDevice(config-router)# aggregate-address 10.0.0.0 255.0.0.0

Step 4 aggregate-address address mask as-set (Optional) Generates AS set path information. This command creates an aggregate
entry following the same rules as the previous command, but the advertised path will be an AS_SET consisting of all
elements contained in all paths. Do not use this keyword when aggregating many paths because this route must be
continually withdrawn and updated.
Example:

SwitchDevice(config-router)# aggregate-address 10.0.0.0 255.0.0.0 as-set

Step 5 aggregate-address address mask summary-only (Optional) Advertises summary addresses only.
Example:

SwitchDevice(config-router)# aggregate-address 10.0.0.0 255.0.0.0 summary-only

Step 6 aggregate-address address mask suppress-map (Optional) Suppresses selected, more specific routes.
map-name
Example:

SwitchDevice(config-router)# aggregate-address
10.0.0.0 255.0.0.0 suppress-map map1

Step 7 aggregate-address address mask advertise-map (Optional) Generates an aggregate based on conditions
map-name specified by the route map.
Example:

SwitchDevice(config-router)# aggregate-address
10.0.0.0 255.0.0.0 advertise-map map2

Step 8 aggregate-address address mask attribute-map (Optional) Generates an aggregate with attributes specified
map-name in the route map.
Example:

SwitchDevice(config-router)# aggregate-address
10.0.0.0 255.0.0.0 attribute-map map3

Step 9 end Returns to privileged EXEC mode.


Example:

SwitchDevice(config)# end

Step 10 show ip bgp neighbors [advertised-routes] Verifies the configuration.


Example:

SwitchDevice# show ip bgp neighbors

Step 11 copy running-config startup-config (Optional) Saves your entries in the configuration file.
Example:

SwitchDevice# copy running-config startup-config

Routing Domain Confederations


One way to reduce the IBGP mesh is to divide an autonomous system into multiple subautonomous systems
and to group them into a single confederation that appears as a single autonomous system. Each autonomous
system is fully meshed within itself and has a few connections to other autonomous systems in the same
confederation. Even though the peers in different autonomous systems have EBGP sessions, they exchange
routing information as if they were IBGP peers. Specifically, the next hop, MED, and local preference
information is preserved. You can then use a single IGP for all of the autonomous systems.

Configuring Routing Domain Confederations


You must specify a confederation identifier that acts as the autonomous system number for the group of
autonomous systems.

Step 1 configure terminal Enters the global configuration mode.
Example:

SwitchDevice# configure terminal

Step 2 router bgp autonomous-system Enters BGP router configuration mode.


Example:

SwitchDevice(config)# router bgp 100

Step 3 bgp confederation identifier autonomous-system Configures a BGP confederation identifier.
Example:

SwitchDevice(config-router)# bgp confederation identifier 50007

Step 4 bgp confederation peers autonomous-system [autonomous-system ...] Specifies the autonomous systems that belong to the
confederation and that will be treated as special EBGP peers.
Example:

SwitchDevice(config-router)# bgp confederation peers 51000 51001 51002

Step 5 end Returns to privileged EXEC mode.


Example:

SwitchDevice(config)# end

Step 6 show ip bgp neighbor Verifies the configuration.


Example:

SwitchDevice# show ip bgp neighbor

Step 7 show ip bgp network Verifies the configuration.


Example:

SwitchDevice# show ip bgp network

Step 8 copy running-config startup-config (Optional) Saves your entries in the configuration file.
Example:

SwitchDevice# copy running-config startup-config

BGP Route Reflectors


BGP requires that all of the IBGP speakers be fully meshed. When a router receives a route from an external
neighbor, it must advertise it to all internal neighbors. To prevent a routing information loop, all IBGP speakers
must be connected. The internal neighbors do not send routes learned from internal neighbors to other internal
neighbors.
With route reflectors, all IBGP speakers need not be fully meshed because another method is used to pass
learned routes to neighbors. When you configure an internal BGP peer to be a route reflector, it is responsible
for passing IBGP learned routes to a set of IBGP neighbors. The internal peers of the route reflector are divided
into two groups: client peers and nonclient peers (all the other routers in the autonomous system). A route
reflector reflects routes between these two groups. The route reflector and its client peers form a cluster. The
nonclient peers must be fully meshed with each other, but the client peers need not be fully meshed. The
clients in the cluster do not communicate with IBGP speakers outside their cluster.
When the route reflector receives an advertised route, it takes one of these actions, depending on the neighbor:
• A route from an external BGP speaker is advertised to all clients and nonclient peers.
• A route from a nonclient peer is advertised to all clients.
• A route from a client is advertised to all clients and nonclient peers. Hence, the clients need not be fully
meshed.

Usually a cluster of clients have a single route reflector, and the cluster is identified by the route reflector
router ID. To increase redundancy and to avoid a single point of failure, a cluster might have more than one
route reflector. In this case, all route reflectors in the cluster must be configured with the same 4-byte cluster
ID so that a route reflector can recognize updates from route reflectors in the same cluster. All the route
reflectors serving a cluster should be fully meshed and should have identical sets of client and nonclient peers.

Configuring BGP Route Reflectors


Procedure

Command or Action Purpose


Step 1 configure terminal Enters the global configuration mode.
Example:

SwitchDevice# configure terminal

Step 2 router bgp autonomous-system Enters BGP router configuration mode.


Example:

SwitchDevice(config)# router bgp 101

Step 3 neighbor {ip-address | peer-group-name} route-reflector-client Configures the local router as a BGP route reflector and the
specified neighbor as a client.
Example:

SwitchDevice(config-router)# neighbor 172.16.70.24 route-reflector-client

Step 4 bgp cluster-id cluster-id (Optional) Configures the cluster ID if the cluster has more than one route reflector.
Example:

SwitchDevice(config-router)# bgp cluster-id 10.0.1.2

Step 5 no bgp client-to-client reflection (Optional) Disables client-to-client route reflection. By default, the routes from a
route reflector client are reflected to other clients. However, if the clients are fully meshed, the route reflector does
not need to reflect routes to clients.
Example:

SwitchDevice(config-router)# no bgp client-to-client reflection

Step 6 end Returns to privileged EXEC mode.


Example:

SwitchDevice(config)# end

Step 7 show ip bgp Verifies the configuration. Displays the originator ID and
the cluster-list attributes.
Example:

SwitchDevice# show ip bgp

Step 8 copy running-config startup-config (Optional) Saves your entries in the configuration file.
Example:

SwitchDevice# copy running-config startup-config
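The three reflection rules above, the client-to-client option, and the cluster ID are easier to reason about as a decision function, and the cluster ID is not just a label: a reflector uses the CLUSTER_LIST and ORIGINATOR_ID attributes it stamps on reflected routes to detect and drop its own updates coming back, which is why every reflector in one cluster must carry the same ID. The following Python model is an added example, not code from the guide or from Cisco; the peer names, router IDs and the constructed routes are assumptions made for the demonstration. The loop checks follow RFC 4456.

```python
from dataclasses import dataclass, field, replace
from typing import List, Optional, Set


@dataclass
class IbgpRoute:
    prefix: str
    originator_id: str                       # ORIGINATOR_ID: router ID of the IBGP speaker that injected the route
    cluster_list: List[str] = field(default_factory=list)   # CLUSTER_LIST, most recent cluster first


class RouteReflector:
    def __init__(self, router_id: str, cluster_id: Optional[str] = None,
                 client_to_client: bool = True) -> None:
        self.router_id = router_id
        # Without `bgp cluster-id` the cluster is identified by the reflector's router ID.
        self.cluster_id = cluster_id if cluster_id is not None else router_id
        # `no bgp client-to-client reflection` clears this flag.
        self.client_to_client = client_to_client
        self.clients: Set[str] = set()       # peers configured with route-reflector-client
        self.nonclients: Set[str] = set()    # all other IBGP peers (must be fully meshed)

    def accepts(self, route: IbgpRoute) -> bool:
        """Loop prevention for a route received from an IBGP peer: reject it if
        this router originated it or if it already passed through this cluster."""
        if route.originator_id == self.router_id:
            return False
        if self.cluster_id in route.cluster_list:
            return False
        return True

    def targets(self, from_peer: str, source: str) -> Set[str]:
        """Peers that receive an update learned from `from_peer`.
        source is "ebgp", "client" or "nonclient" (the page's three rules)."""
        if source == "ebgp":
            out = self.clients | self.nonclients
        elif source == "nonclient":
            out = set(self.clients)
        elif source == "client":
            out = set(self.nonclients)
            if self.client_to_client:
                out |= self.clients
        else:
            raise ValueError(f"unknown source {source!r}")
        out.discard(from_peer)               # never echo a route back to its sender
        return out

    def reflect(self, route: IbgpRoute, from_peer_router_id: str) -> IbgpRoute:
        """Attributes of an IBGP-learned route as it is reflected onward: the
        originator is recorded once, and this cluster's ID is prepended."""
        originator = route.originator_id or from_peer_router_id
        return replace(route, originator_id=originator,
                       cluster_list=[self.cluster_id] + route.cluster_list)


def build_cluster() -> RouteReflector:
    """Constructed cluster: reflector 10.0.1.1 with the page's cluster ID 10.0.1.2,
    two clients and two nonclient peers (names are placeholders)."""
    rr = RouteReflector("10.0.1.1", cluster_id="10.0.1.2")
    rr.clients = {"client-a", "client-b"}
    rr.nonclients = {"core-1", "core-2"}
    return rr


if __name__ == "__main__":
    rr = build_cluster()
    print("from client-a ->", sorted(rr.targets("client-a", "client")))
    print("from core-1   ->", sorted(rr.targets("core-1", "nonclient")))
    looped = IbgpRoute("10.0.0.0/8", "10.0.9.9", ["10.0.1.2"])
    print("accept route already carrying our cluster ID:", rr.accepts(looped))
```

If two reflectors of one cluster are given different cluster IDs, neither recognises the other's reflected copies and both keep accepting them, so the loop check degrades to the ORIGINATOR_ID test alone.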

Route Dampening
Route flap dampening is a BGP feature designed to minimize the propagation of flapping routes across an
internetwork. A route is considered to be flapping when it is repeatedly available, then unavailable, then
available, then unavailable, and so on. When route dampening is enabled, a numeric penalty value is added
to a route each time it flaps, and the accumulated penalty decays over time. When a route's accumulated penalty
reaches a configurable limit (the suppress limit), BGP suppresses advertisements of the route, even if the route
is up. The reuse limit is a configurable value that is compared with the penalty. When the penalty decays below
the reuse limit, a suppressed route that is up is advertised again.
Dampening is not applied to routes that are learned by IBGP. This policy prevents the IBGP peers from having
a higher penalty for routes external to the AS.

Configuring Route Dampening


Procedure

Command or Action Purpose


Step 1 configure terminal Enters the global configuration mode.
Example:

SwitchDevice# configure terminal

Step 2 router bgp autonomous-system Enters BGP router configuration mode.


Example:

SwitchDevice(config)# router bgp 100

Step 3 bgp dampening Enables BGP route dampening.


Example:

SwitchDevice(config-router)# bgp dampening

Step 4 bgp dampening half-life reuse suppress max-suppress [route-map map] (Optional) Changes the default values of route dampening
factors.
Example:

SwitchDevice(config-router)# bgp dampening 30 1500 10000 120

Step 5 end Returns to privileged EXEC mode.


Example:

SwitchDevice(config)# end

Step 6 show ip bgp flap-statistics [{regexp regexp} | {filter-list list} | {address mask [longer-prefix]}] (Optional) Monitors the flaps of all paths that are flapping.
The statistics are deleted when the route is not suppressed and is stable.
Example:

SwitchDevice# show ip bgp flap-statistics

Step 7 show ip bgp dampened-paths (Optional) Displays the dampened routes, including the time remaining before they are
unsuppressed (reused).
Example:

SwitchDevice# show ip bgp dampened-paths

Step 8 clear ip bgp flap-statistics [{regexp regexp} | {filter-list list} | {address mask [longer-prefix]}] (Optional) Clears BGP flap statistics to make it less likely
that a route will be dampened.
Example:

SwitchDevice# clear ip bgp flap-statistics

Step 9 clear ip bgp dampening (Optional) Clears route dampening information, and
unsuppress the suppressed routes.
Example:

SwitchDevice# clear ip bgp dampening

Step 10 copy running-config startup-config (Optional) Saves your entries in the configuration file.
Example:

SwitchDevice# copy running-config startup-config
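The four arguments of bgp dampening interact through one formula: the penalty halves every half-life, and because a route may be held down for at most max-suppress minutes, the penalty is capped at reuse * 2^(max-suppress / half-life). If that ceiling is below the suppress limit, no route can ever be suppressed and the command is ineffective; conversely, with the IOS defaults three withdrawals inside two minutes are enough to suppress a path for roughly half an hour. The following Python model is an added example, not code from the guide or from Cisco; it treats each withdrawal as a 1000-point penalty (an assumption; penalties for attribute changes are ignored) and uses a constructed flap sequence.

```python
import math
from dataclasses import dataclass
from typing import List, Tuple


@dataclass
class DampeningParams:
    """Arguments of `bgp dampening half-life reuse suppress max-suppress`.
    Defaults are the IOS defaults; half_life and max_suppress are minutes."""
    half_life: float = 15.0
    reuse: int = 750
    suppress: int = 2000
    max_suppress: float = 60.0
    flap_penalty: int = 1000      # assumption: one withdrawal = 1000 points

    def max_penalty(self) -> float:
        """Ceiling implied by the other values: a route sitting at it decays
        to the reuse limit in exactly max_suppress minutes."""
        return self.reuse * 2 ** (self.max_suppress / self.half_life)

    def suppress_is_reachable(self) -> bool:
        """False means the configured values can never suppress anything."""
        return self.max_penalty() > self.suppress

    def decay(self, penalty: float, minutes: float) -> float:
        return penalty * 2 ** (-minutes / self.half_life)

    def minutes_until_reuse(self, penalty: float) -> float:
        if penalty < self.reuse:
            return 0.0
        return self.half_life * math.log2(penalty / self.reuse)


class DampenedRoute:
    """Penalty bookkeeping for one EBGP-learned path (IBGP paths are never dampened)."""

    def __init__(self, params: DampeningParams) -> None:
        self.p = params
        self.penalty = 0.0
        self.last_update = 0.0        # minutes
        self.suppressed = False

    def _age(self, now: float) -> None:
        self.penalty = self.p.decay(self.penalty, now - self.last_update)
        self.last_update = now
        if self.suppressed and self.penalty < self.p.reuse:
            self.suppressed = False   # below the reuse limit: advertised again

    def flap(self, now: float) -> bool:
        """Record a withdrawal at `now` (minutes); return whether the route is now suppressed."""
        self._age(now)
        self.penalty = min(self.penalty + self.p.flap_penalty, self.p.max_penalty())
        if self.penalty > self.p.suppress:
            self.suppressed = True
        return self.suppressed

    def is_suppressed(self, now: float) -> bool:
        self._age(now)
        return self.suppressed


def simulate(params: DampeningParams, flap_times: List[float]) -> List[Tuple[float, float, bool]]:
    """Run a constructed flap sequence; returns (time, penalty, suppressed) after each flap."""
    route = DampenedRoute(params)
    history = []
    for t in flap_times:
        suppressed = route.flap(t)
        history.append((t, round(route.penalty, 1), suppressed))
    return history


if __name__ == "__main__":
    defaults = DampeningParams()
    page_values = DampeningParams(half_life=30.0, reuse=1500, suppress=10000, max_suppress=120.0)
    print("default max penalty:", defaults.max_penalty())
    print("page example max penalty:", page_values.max_penalty())
    for t, penalty, suppressed in simulate(defaults, [0.0, 1.0, 2.0]):
        print(f"t={t:4.1f} min  penalty={penalty:7.1f}  suppressed={suppressed}")
```

Before committing non-default values, compute the ceiling: the page's bgp dampening 30 1500 10000 120 gives 1500 * 2^4 = 24000, comfortably above the suppress limit of 10000, whereas something like half-life 30, reuse 750, suppress 20000, max-suppress 60 caps the penalty at 3000 and never suppresses a route.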

More BGP Information


For detailed descriptions of BGP configuration, see the “Configuring BGP” chapter in the “IP Routing
Protocols” part of the Cisco IOS IP Configuration Guide, Release 12.4. For details about specific commands,
see the Cisco IOS IP Command Reference, Volume 2 of 3: Routing Protocols, Release 12.4.

Monitoring and Maintaining BGP


You can remove all contents of a particular cache, table, or database. This might be necessary when the
contents of the particular structure have become or are suspected to be invalid.
You can display specific statistics, such as the contents of BGP routing tables, caches, and databases. You
can use the information to get resource utilization and solve network problems. You can also display information
about node reachability and discover the routing path your device’s packets are taking through the network.
The table given below lists the privileged EXEC commands for clearing and displaying BGP. For explanations
of the display fields, see the Cisco IOS IP Command Reference, Volume 2 of 3: Routing Protocols, Release 12.4.

Table 94: IP BGP Clear and Show Commands

clear ip bgp address
    Resets a particular BGP connection.

clear ip bgp *
    Resets all BGP connections.

clear ip bgp peer-group tag
    Removes all members of a BGP peer group.

show ip bgp prefix
    Displays peer groups and peers not in peer groups to which the prefix has been advertised. Also displays prefix attributes such as the next hop and the local prefix.

show ip bgp cidr-only
    Displays all BGP routes that contain subnet and supernet network masks.

show ip bgp community [community-number] [exact]
    Displays routes that belong to the specified communities.

show ip bgp community-list community-list-number [exact-match]
    Displays routes that are permitted by the community list.

show ip bgp filter-list access-list-number
    Displays routes that are matched by the specified AS path access list.

show ip bgp inconsistent-as
    Displays the routes with inconsistent originating autonomous systems.

show ip bgp regexp regular-expression
    Displays the routes that have an AS path that matches the specified regular expression entered on the command line.

show ip bgp
    Displays the contents of the BGP routing table.

show ip bgp neighbors [address]
    Displays detailed information on the BGP and TCP connections to individual neighbors.

show ip bgp neighbors [address] [advertised-routes | dampened-routes | flap-statistics | paths regular-expression | received-routes | routes]
    Displays routes learned from a particular BGP neighbor.

show ip bgp paths
    Displays all BGP paths in the database.

show ip bgp peer-group [tag] [summary]
    Displays information about BGP peer groups.

show ip bgp summary
    Displays the status of all BGP connections.

The bgp log-neighbor-changes command is enabled by default. It logs the messages that are generated when a BGP
neighbor resets, comes up, or goes down.

Information About ISO CLNS Routing


Connectionless Routing
The International Organization for Standardization (ISO) Connectionless Network Service (CLNS) protocol
is a standard for the network layer of the Open System Interconnection (OSI) model. Addresses in the ISO
network architecture are referred to as network service access point (NSAP) addresses and network entity
titles (NETs). Each node in an OSI network has one or more NETs. In addition, each node has many NSAP
addresses.
When you enable connectionless routing on the Switch by using the clns routing global configuration command,
the Switch makes only forwarding decisions, with no routing-related functionality. For dynamic routing, you
must also enable a routing protocol. The Switch supports the Intermediate System-to-Intermediate System
(IS-IS) dynamic routing protocol that is based on the OSI routing protocol for ISO CLNS networks.


When dynamically routing, you use IS-IS. This routing protocol supports the concept of areas. Within an area,
all routers know how to reach all the system IDs. Between areas, routers know how to reach the proper area.
IS-IS supports two levels of routing: station routing (within an area) and area routing (between areas).
The key difference between the ISO IGRP and IS-IS NSAP addressing schemes is in the definition of area
addresses. Both use the system ID for Level 1 routing (routing within an area). However, they differ in the
way addresses are specified for area routing. An ISO IGRP NSAP address includes three separate fields for
routing: the domain, area, and system ID. An IS-IS address includes two fields: a single continuous area field
(comprising the domain and area fields) and the system ID.

Note For more detailed information about ISO CLNS, see the Cisco IOS Apollo Domain, Banyan VINES, DECnet,
ISO CLNS and XNS Configuration Guide, Release 12.4. For complete syntax and usage information for the
commands used in this chapter, see the Cisco IOS Apollo Domain, Banyan VINES, DECnet, ISO CLNS and
XNS Command Reference, Release 12.4, use the IOS command reference master index, or search online.

How to Configure ISO CLNS Routing


IS-IS Dynamic Routing
IS-IS is an ISO dynamic routing protocol (described in ISO 10589). Unlike other routing protocols, enabling
IS-IS requires that you create an IS-IS routing process and assign it to a specific interface, rather than to a
network. You can specify more than one IS-IS routing process per Layer 3 Switch or router by using the
multiarea IS-IS configuration syntax. You then configure the parameters for each instance of the IS-IS routing
process.
Small IS-IS networks are built as a single area that includes all the routers in the network. As the network
grows larger, it is usually reorganized into a backbone area made up of the connected set of all Level 2 routers
from all areas, which is in turn connected to local areas. Within a local area, routers know how to reach all
system IDs. Between areas, routers know how to reach the backbone, and the backbone routers know how to
reach other areas.
Routers establish Level 1 adjacencies to perform routing within a local area (station routing). Routers establish
Level 2 adjacencies to perform routing between Level 1 areas (area routing).
A single Cisco router can participate in routing in up to 29 areas and can perform Level 2 routing in the
backbone. In general, each routing process corresponds to an area. By default, the first instance of the routing
process configured performs both Level 1 and Level 2 routing. You can configure additional router instances,
which are automatically treated as Level 1 areas. You must configure the parameters for each instance of the
IS-IS routing process individually.
For IS-IS multiarea routing, you can configure only one process to perform Level 2 routing, although you can
define up to 29 Level 1 areas for each Cisco unit. If Level 2 routing is configured on any process, all additional
processes are automatically configured as Level 1. You can configure this process to perform Level 1 routing
at the same time. If Level 2 routing is not desired for a router instance, remove the Level 2 capability using
the is-type global configuration command. Use the is-type command also to configure a different router
instance as a Level 2 router.


Note For more detailed information about IS-IS, see the “IP Routing Protocols” chapter of the Cisco IOS IP
Configuration Guide, Release 12.4. For complete syntax and usage information for the commands used in
this section, see the Cisco IOS IP Command Reference, Release 12.4.

Default IS-IS Configuration


Table 95: Default IS-IS Configuration

Feature Default Setting

Ignore link-state PDU (LSP) errors
    Enabled.

IS-IS type
    Conventional IS-IS: the router acts as both a Level 1 (station) and a Level 2 (area) router.
    Multiarea IS-IS: the first instance of the IS-IS routing process is a Level 1-2 router. Remaining instances are Level 1 routers.

Default-information originate
    Disabled.

Log IS-IS adjacency state changes
    Disabled.

LSP generation throttling timers
    Maximum interval between two consecutive occurrences: 5 seconds.
    Initial LSP generation delay: 50 ms.
    Hold time between the first and second LSP generation: 5000 ms.

LSP maximum lifetime (without a refresh)
    1200 seconds (20 minutes) before the LSP packet is deleted.

LSP refresh interval
    Send LSP refreshes every 900 seconds (15 minutes).

Maximum LSP packet size
    1497 bytes.

NSF Awareness
    Enabled. Allows Layer 3 Switches to continue forwarding packets from a neighboring NSF-capable router during hardware or software changes.

Partial route computation (PRC) throttling timers
    Maximum PRC wait interval: 5 seconds.
    Initial PRC calculation delay after a topology change: 2000 ms.
    Hold time between the first and second PRC calculation: 5000 ms.

Partition avoidance
    Disabled.

Password
    No area or domain password is defined, and authentication is disabled.

Set-overload-bit
    Disabled. When enabled, if no arguments are entered, the overload bit is set immediately and remains set until you enter the no set-overload-bit command.

Shortest path first (SPF) throttling timers
    Maximum interval between consecutive SPF calculations: 10 seconds.
    Initial SPF calculation after a topology change: 5500 ms.
    Hold time between the first and second SPF calculation: 5500 ms.

Summary-address
    Disabled.

Nonstop Forwarding Awareness


The integrated IS-IS NSF Awareness feature is supported for IPv4. The feature allows customer premises
equipment (CPE) routers that are NSF-aware to help NSF-capable routers perform nonstop forwarding of
packets. The local router is not necessarily performing NSF, but its awareness of NSF allows the integrity
and accuracy of the routing database and link-state database on the neighboring NSF-capable router to be
maintained during the switchover process.
This feature is automatically enabled and requires no configuration. For more information on this feature, see
the Integrated IS-IS Nonstop Forwarding (NSF) Awareness Feature Guide.

Enabling IS-IS Routing


To enable IS-IS, you specify a name and NET for each routing process. You then enable IS-IS routing on the
interface and specify the area for each instance of the routing process.

Procedure

Command or Action Purpose


Step 1 configure terminal Enters the global configuration mode.
Example:

SwitchDevice# configure terminal

Step 2 clns routing Enables ISO connectionless routing on the switch.
Example:

SwitchDevice(config)# clns routing

Step 3 router isis [area tag] Enables the IS-IS routing for the specified routing process and enters IS-IS routing configuration mode.
(Optional) Use the area tag argument to identify the area to which the IS-IS router is assigned. You must enter a value if you are configuring multiple IS-IS areas.
The first IS-IS instance configured is Level 1-2 by default. Later instances are automatically Level 1. You can change the level of routing by using the is-type global configuration command.
Example:

SwitchDevice(config)# router isis tag1

Step 4 net network-entity-title Configures the NETs for the routing process. If you are configuring multiarea IS-IS, specify a NET for each routing process. You can specify a name for a NET and for an address.
Example:

SwitchDevice(config-router)# net 47.0004.004d.0001.0001.0c11.1111.00

Step 5 is-type {level-1 | level-1-2 | level-2-only} (Optional) Configures the router to act as a Level 1 (station) router, a Level 2 (area) router for multi-area routing, or both (the default):
• level-1—act as a station router only
• level-1-2—act as both a station router and an area router
• level-2-only—act as an area router only
Example:

SwitchDevice(config-router)# is-type level-2-only

Step 6 exit Returns to global configuration mode.
Example:

SwitchDevice(config-router)# exit

Step 7 interface interface-id Specifies an interface to route IS-IS, and enters interface configuration mode. If the interface is not already configured as a Layer 3 interface, enter the no switchport command to put it into Layer 3 mode.
Example:

SwitchDevice(config)# interface gigabitethernet 1/0/1

Step 8 ip router isis [area tag] Configures an IS-IS routing process for ISO CLNS on the interface and attaches an area designator to the routing process.
Example:

SwitchDevice(config-if)# ip router isis tag1

Step 9 clns router isis [area tag] Enables ISO CLNS on the interface.
Example:

SwitchDevice(config-if)# clns router isis tag1

Step 10 ip address ip-address-mask Defines the IP address for the interface. An IP address is required on all interfaces in an area enabled for IS-IS if any one interface is configured for IS-IS routing.
Example:

SwitchDevice(config-if)# ip address 10.0.0.5 255.255.255.0

Step 11 end Returns to privileged EXEC mode.
Example:

SwitchDevice(config-if)# end

Step 12 show isis [area tag] database detail Verifies your entries.
Example:

SwitchDevice# show isis database detail

Step 13 copy running-config startup-config (Optional) Saves your entries in the configuration file.
Example:

SwitchDevice# copy running-config startup-config

Example: Configuring IS-IS Routing


This example shows how to configure three routers to run conventional IS-IS as an IP routing protocol. In
conventional IS-IS, all routers act as Level 1 and Level 2 routers (by default).
Router A:

SwitchDevice(config)# clns routing
SwitchDevice(config)# router isis
SwitchDevice(config-router)# net 49.0001.0000.0000.000a.00
SwitchDevice(config-router)# exit
SwitchDevice(config)# interface gigabitethernet1/0/1
SwitchDevice(config-if)# ip router isis
SwitchDevice(config-if)# clns router isis
SwitchDevice(config-if)# interface gigabitethernet1/0/2
SwitchDevice(config-if)# ip router isis
SwitchDevice(config-if)# clns router isis
SwitchDevice(config-if)# exit

Router B:

SwitchDevice(config)# clns routing
SwitchDevice(config)# router isis
SwitchDevice(config-router)# net 49.0001.0000.0000.000b.00
SwitchDevice(config-router)# exit
SwitchDevice(config)# interface gigabitethernet1/0/1
SwitchDevice(config-if)# ip router isis
SwitchDevice(config-if)# clns router isis
SwitchDevice(config-if)# interface gigabitethernet1/0/2
SwitchDevice(config-if)# ip router isis
SwitchDevice(config-if)# clns router isis
SwitchDevice(config-if)# exit

Router C:

SwitchDevice(config)# clns routing
SwitchDevice(config)# router isis
SwitchDevice(config-router)# net 49.0001.0000.0000.000c.00
SwitchDevice(config-router)# exit
SwitchDevice(config)# interface gigabitethernet1/0/1
SwitchDevice(config-if)# ip router isis
SwitchDevice(config-if)# clns router isis
SwitchDevice(config-if)# interface gigabitethernet1/0/2
SwitchDevice(config-if)# ip router isis
SwitchDevice(config-if)# clns router isis
SwitchDevice(config-if)# exit
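As an added example that is not part of this guide, the Python below parses the NETs of Router A, B and C, splits each into area address, system ID and NSEL, and applies the adjacency rule from this chapter (Level 1 adjacencies within a common area, Level 2 between areas). The NET field layout and the range checks are the example's own assumptions.

```python
"""Parse IS-IS NETs and check the three-router example for area consistency.

Added example, not from the Cisco guide. A NET is read as
<area address>.<6-octet system ID>.<1-octet NSEL>, with the NSEL
required to be 00, as every NET in this chapter shows.
"""
from __future__ import annotations
from dataclasses import dataclass
import re

_HEX = re.compile(r"^[0-9a-f]+$")


@dataclass(frozen=True)
class Net:
    area: str       # dotted hex, e.g. "49.0001"
    system_id: str  # dotted hex, e.g. "0000.0000.000a"
    nsel: str       # "00"


def _dotted(hexstr: str, first: int) -> str:
    """Re-insert dots: `first` digits in the first group, then groups of four."""
    groups = [hexstr[:first]] if first else []
    rest = hexstr[first:]
    groups += [rest[i:i + 4] for i in range(0, len(rest), 4)]
    return ".".join(g for g in groups if g)


def parse_net(text: str) -> Net:
    raw = text.replace(".", "").lower()
    if not _HEX.match(raw) or len(raw) % 2:
        raise ValueError(f"NET is not a whole number of hex octets: {text}")
    octets = len(raw) // 2
    if not 8 <= octets <= 20:  # assumption: 1-octet AFI up to a 13-octet area, plus 6 + 1
        raise ValueError(f"NET must be 8 to 20 octets, got {octets}: {text}")
    nsel = raw[-2:]
    if nsel != "00":
        raise ValueError(f"NET selector must be 00, got {nsel}: {text}")
    # The AFI is the first octet; the area is printed as AFI.xxxx.xxxx...
    return Net(_dotted(raw[:-14], 2), _dotted(raw[-14:-2], 0), nsel)


def adjacency_levels(a: Net, b: Net) -> set[int]:
    """Levels two default (Level 1-2) routers can form: Level 1 needs a common
    area address, Level 2 forms even across areas. A duplicate system ID is a
    misconfiguration and is reported as no usable adjacency."""
    if a.system_id == b.system_id:
        return set()
    return {1, 2} if a.area == b.area else {2}


def check_area(nets: dict[str, str]) -> list[str]:
    """Report what would stop these routers forming Level 1 adjacencies."""
    parsed = {name: parse_net(net) for name, net in nets.items()}
    problems: list[str] = []
    by_sysid: dict[str, str] = {}
    for name, n in parsed.items():
        if n.system_id in by_sysid:
            problems.append(f"{name} and {by_sysid[n.system_id]} share system ID {n.system_id}")
        by_sysid.setdefault(n.system_id, name)
    areas = sorted({n.area for n in parsed.values()})
    if len(areas) > 1:
        problems.append("routers are not all in one area: " + ", ".join(areas))
    return problems


# Constructed input: the NETs from Router A, B and C above.
EXAMPLE_NETS = {
    "Router A": "49.0001.0000.0000.000a.00",
    "Router B": "49.0001.0000.0000.000b.00",
    "Router C": "49.0001.0000.0000.000c.00",
}

if __name__ == "__main__":
    for name, net in EXAMPLE_NETS.items():
        print(name, parse_net(net))
    print(check_area(EXAMPLE_NETS) or "all three routers share one area and have unique system IDs")
```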

IS-IS Global Parameters


These are some optional IS-IS global parameters that you can configure:
• You can force a default route into an IS-IS routing domain by configuring a default route controlled by
a route map. You can also specify other filtering options configurable under a route map.
• You can configure the router to ignore IS-IS LSPs that are received with internal checksum errors or to
purge corrupted LSPs, which causes the initiator of the LSP to regenerate it.
• You can assign passwords to areas and domains.
• You can create aggregate addresses that are represented in the routing table by a summary address
(route-summarization). Routes learned from other routing protocols can also be summarized. The metric
used to advertise the summary is the smallest metric of all the specific routes.
• You can set an overload bit.
• You can configure the LSP refresh interval and the maximum time that an LSP can remain in the router
database without a refresh.
• You can set the throttling timers for LSP generation, shortest path first computation, and partial route
computation.
• You can configure the Switch to generate a log message when an IS-IS adjacency changes state (up or
down).
• If a link in the network has a maximum transmission unit (MTU) size of less than 1500 bytes, you can
lower the LSP MTU so that routing will still occur.
• The partition avoidance router configuration command prevents an area from becoming partitioned when
full connectivity is lost among a Level 1-2 border router, adjacent Level 1 routers, and end hosts.


Configuring IS-IS Global Parameters


Procedure

Command or Action Purpose


Step 1 configure terminal Enters the global configuration mode.
Example:

SwitchDevice# configure terminal

Step 2 clns routing Enables ISO connectionless routing on the switch.
Example:

SwitchDevice(config)# clns routing

Step 3 router isis Specifies the IS-IS routing protocol and enters router configuration mode.
Example:

SwitchDevice(config)# router isis

Step 4 default-information originate [route-map map-name] (Optional) Forces a default route into the IS-IS routing domain. If you enter route-map map-name, the routing process generates the default route if the route map is satisfied.
Example:

SwitchDevice(config-router)# default-information originate route-map map1

Step 5 ignore-lsp-errors (Optional) Configures the router to ignore LSPs with internal checksum errors, instead of purging the LSPs. This command is enabled by default (corrupted LSPs are dropped). To purge the corrupted LSPs, enter the no ignore-lsp-errors router configuration command.
Example:

SwitchDevice(config-router)# ignore-lsp-errors

Step 6 area-password password (Optional) Configures the area authentication password, which is inserted in Level 1 (station router level) LSPs.
Example:

SwitchDevice(config-router)# area-password 1password

Step 7 domain-password password (Optional) Configures the routing domain authentication password, which is inserted in Level 2 (area router level) LSPs.
Example:

SwitchDevice(config-router)# domain-password 2password

Step 8 summary-address address mask [level-1 | level-1-2 | level-2] (Optional) Creates a summary of addresses for a given level.
Example:

SwitchDevice(config-router)# summary-address 10.1.0.0 255.255.0.0 level-2

Step 9 set-overload-bit [on-startup {seconds | wait-for-bgp}] (Optional) Sets an overload bit (a hippity bit) to allow other routers to ignore the router in their shortest path first (SPF) calculations if the router is having problems.
• (Optional) on-startup—sets the overload bit only on startup. If on-startup is not specified, the overload bit is set immediately and remains set until you enter the no set-overload-bit command. If on-startup is specified, you must enter a number of seconds or wait-for-bgp.
• seconds—When the on-startup keyword is configured, causes the overload bit to be set upon system startup and remain set for this number of seconds. The range is from 5 to 86400 seconds.
• wait-for-bgp—When the on-startup keyword is configured, causes the overload bit to be set upon system startup and remain set until BGP has converged. If BGP does not signal IS-IS that it is converged, IS-IS will turn off the overload bit after 10 minutes.
Example:

SwitchDevice(config-router)# set-overload-bit on-startup wait-for-bgp

Step 10 lsp-refresh-interval seconds (Optional) Sets an LSP refresh interval in seconds. The range is from 1 to 65535 seconds. The default is to send LSP refreshes every 900 seconds (15 minutes).
Example:

SwitchDevice(config-router)# lsp-refresh-interval 1080

Step 11 max-lsp-lifetime seconds (Optional) Sets the maximum time that LSP packets remain in the router database without being refreshed. The range is from 1 to 65535 seconds. The default is 1200 seconds (20 minutes). After the specified time interval, the LSP packet is deleted.
Example:

SwitchDevice(config-router)# max-lsp-lifetime 1000

Step 12 lsp-gen-interval [level-1 | level-2] lsp-max-wait [lsp-initial-wait lsp-second-wait] (Optional) Sets the IS-IS LSP generation throttling timers:
• lsp-max-wait—the maximum interval (in seconds) between two consecutive occurrences of an LSP being generated. The range is 1 to 120; the default is 5.
• lsp-initial-wait—the initial LSP generation delay (in milliseconds). The range is 1 to 10000; the default is 50.
• lsp-second-wait—the hold time between the first and second LSP generation (in milliseconds). The range is 1 to 10000; the default is 5000.
Example:

SwitchDevice(config-router)# lsp-gen-interval level-2 2 50 100

Step 13 spf-interval [level-1 | level-2] spf-max-wait [spf-initial-wait spf-second-wait] (Optional) Sets IS-IS shortest path first (SPF) throttling timers.
• spf-max-wait—the maximum interval between consecutive SPF calculations (in seconds). The range is 1 to 120; the default is 10.
• spf-initial-wait—the initial SPF calculation after a topology change (in milliseconds). The range is 1 to 10000; the default is 5500.
• spf-second-wait—the hold time between the first and second SPF calculation (in milliseconds). The range is 1 to 10000; the default is 5500.
Example:

SwitchDevice(config-router)# spf-interval level-2 5 10 20

Step 14 prc-interval prc-max-wait [prc-initial-wait prc-second-wait] (Optional) Sets IS-IS partial route computation (PRC) throttling timers.
• prc-max-wait—the maximum interval (in seconds) between two consecutive PRC calculations. The range is 1 to 120; the default is 5.
• prc-initial-wait—the initial PRC calculation delay (in milliseconds) after a topology change. The range is 1 to 10,000; the default is 2000.
• prc-second-wait—the hold time between the first and second PRC calculation (in milliseconds). The range is 1 to 10,000; the default is 5000.
Example:

SwitchDevice(config-router)# prc-interval 5 10 20

Step 15 log-adjacency-changes [all] (Optional) Sets the router to log IS-IS adjacency state changes. Enter all to include all changes generated by events that are not related to the Intermediate System-to-Intermediate System Hellos, including End System-to-Intermediate System PDUs and link state packets (LSPs).
Example:

SwitchDevice(config-router)# log-adjacency-changes all

Step 16 lsp-mtu size (Optional) Specifies the maximum LSP packet size in bytes. The range is 128 to 4352; the default is 1497 bytes.
Note If any link in the network has a reduced MTU size, you must change the LSP MTU size on all routers in the network.
Example:

SwitchDevice(config-router)# lsp-mtu 1560

Step 17 partition avoidance (Optional) Causes an IS-IS Level 1-2 border router to stop advertising the Level 1 area prefix into the Level 2 backbone when full connectivity is lost among the border router, all adjacent Level 1 routers, and end hosts.
Example:

SwitchDevice(config-router)# partition avoidance

Step 18 end Returns to privileged EXEC mode.
Example:

SwitchDevice(config-router)# end

Step 19 show clns Verifies your entries.
Example:

SwitchDevice# show clns

Step 20 copy running-config startup-config (Optional) Saves your entries in the configuration file.
Example:

SwitchDevice# copy running-config startup-config
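An added example, not the guide's own code: a Python audit of the router isis section in several devices' running configurations (constructed here, not captured from real switches). It checks that lsp-mtu matches on every router, as the Note in Step 16 requires, that area-password and domain-password are set consistently across the routers, and, as an added assumption of this example, that lsp-refresh-interval is shorter than max-lsp-lifetime so that an LSP is refreshed before it is deleted.

```python
"""Audit IS-IS global parameters across several devices' running-configs.

Added example, not from the Cisco guide. It reads the `router isis` section
of each constructed config and fills in the defaults the guide lists
(lsp-mtu 1497, lsp-refresh-interval 900, max-lsp-lifetime 1200).
"""
from __future__ import annotations
import re

DEFAULTS = {"lsp-mtu": 1497, "lsp-refresh-interval": 900, "max-lsp-lifetime": 1200}


def router_isis_section(config: str) -> list[str]:
    """Return the indented commands under `router isis`, up to the next top-level command."""
    out, inside = [], False
    for line in config.splitlines():
        if re.match(r"^router isis\b", line):
            inside = True
            continue
        if inside:
            if line.startswith(" "):
                out.append(line.strip())
            elif line.strip() and line.strip() != "!":
                break
    return out


def isis_globals(config: str) -> dict:
    """Extract the parameters this audit cares about, defaults applied."""
    g: dict = dict(DEFAULTS)
    g["area-password"] = None
    g["domain-password"] = None
    for cmd in router_isis_section(config):
        parts = cmd.split()
        if parts[0] in DEFAULTS and len(parts) >= 2 and parts[1].isdigit():
            g[parts[0]] = int(parts[1])
        elif parts[0] in ("area-password", "domain-password") and len(parts) >= 2:
            g[parts[0]] = parts[1]
    return g


def audit(configs: dict[str, str]) -> list[str]:
    findings: list[str] = []
    parsed = {name: isis_globals(cfg) for name, cfg in configs.items()}
    # 1. lsp-mtu must be the same on all routers (Step 16 Note).
    mtus = {name: g["lsp-mtu"] for name, g in parsed.items()}
    if len(set(mtus.values())) > 1:
        findings.append("lsp-mtu differs across routers: "
                        + ", ".join(f"{n}={v}" for n, v in sorted(mtus.items())))
    # 2. Area (Level 1) and domain (Level 2) passwords: every router should agree.
    for key, level in (("area-password", "Level 1"), ("domain-password", "Level 2")):
        values = {name: g[key] for name, g in parsed.items()}
        if len(set(values.values())) > 1:
            missing = sorted(n for n, v in values.items() if v is None)
            if missing:
                findings.append(f"{key} ({level} LSPs) not set on: " + ", ".join(missing))
            else:
                findings.append(f"{key} ({level} LSPs) differs across routers")
    # 3. Assumption (see lead-in): the refresh must come before the lifetime expires.
    for name, g in sorted(parsed.items()):
        if g["lsp-refresh-interval"] >= g["max-lsp-lifetime"]:
            findings.append(f"{name}: lsp-refresh-interval {g['lsp-refresh-interval']} "
                            f"is not shorter than max-lsp-lifetime {g['max-lsp-lifetime']}")
    return findings


# Constructed running-config excerpts, built for this example.
CONFIGS = {
    "RouterA": """\
router isis
 net 49.0001.0000.0000.000a.00
 area-password 1password
 domain-password 2password
 lsp-mtu 1560
!
interface GigabitEthernet1/0/1
 ip router isis
""",
    "RouterB": """\
router isis
 net 49.0001.0000.0000.000b.00
 area-password 1password
 domain-password 2password
 lsp-refresh-interval 1080
 max-lsp-lifetime 1000
!
""",
    "RouterC": """\
router isis
 net 49.0001.0000.0000.000c.00
 domain-password 2password
!
""",
}

if __name__ == "__main__":
    for finding in audit(CONFIGS) or ["no findings"]:
        print(finding)
```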

IS-IS Interface Parameters


You can optionally configure certain interface-specific IS-IS parameters, independently from other attached
routers. However, if you change some values from the defaults, such as multipliers and time intervals, it makes
sense to also change them on multiple routers and interfaces. Most of the interface parameters can be configured
for level 1, level 2, or both.
These are some interface level parameters you can configure:
• The default metric on the interface, which is used as a value for the IS-IS metric and assigned when there
is no quality of service (QoS) routing performed.
• The hello interval (length of time between hello packets sent on the interface) or the default hello packet
multiplier used on the interface to determine the hold time sent in IS-IS hello packets. The hold time
determines how long a neighbor waits for another hello packet before declaring the neighbor down. This
determines how quickly a failed link or neighbor is detected so that routes can be recalculated. Change
the hello-multiplier in circumstances where hello packets are lost frequently and IS-IS adjacencies are
failing unnecessarily. You can raise the hello multiplier and lower the hello interval correspondingly to
make the hello protocol more reliable without increasing the time required to detect a link failure.
• Other time intervals:
• Complete sequence number PDU (CSNP) interval. CSNPs are sent by the designated router to
maintain database synchronization
• Retransmission interval. This is the time between retransmission of IS-IS LSPs for point-to-point
links.
• IS-IS LSP retransmission throttle interval. This is the maximum rate (number of milliseconds
between packets) at which IS-IS LSPs are re-sent on point-to-point links This interval is different
from the retransmission interval, which is the time between successive retransmissions of the same
LSP

• Designated router election priority, which allows you to reduce the number of adjacencies required on
a multiaccess network, which in turn reduces the amount of routing protocol traffic and the size of the
topology database.

• The interface circuit type, which is the type of adjacency desired for neighbors on the specified interface
• Password authentication for the interface

Configuring IS-IS Interface Parameters


Procedure

Command or Action Purpose


Step 1 configure terminal Enters the global configuration mode.
Example:

SwitchDevice# configure terminal

Step 2 interface interface-id Specifies the interface to be configured and enters interface configuration mode. If the interface is not already configured as a Layer 3 interface, enter the no switchport command to put it into Layer 3 mode.
Example:

SwitchDevice(config)# interface gigabitethernet 1/0/1

Step 3 isis metric default-metric [level-1 | level-2] (Optional) Configures the metric (or cost) for the specified interface. The range is from 0 to 63. The default is 10. If no level is entered, the default is to apply to both Level 1 and Level 2 routers.
Example:

SwitchDevice(config-if)# isis metric 15

Step 4 isis hello-interval {seconds | minimal} [level-1 | level-2] (Optional) Specifies the length of time between hello packets sent by the switch. By default, a value three times the hello interval seconds is advertised as the holdtime in the hello packets sent. With smaller hello intervals, topological changes are detected faster, but there is more routing traffic.
• minimal—causes the system to compute the hello interval based on the hello multiplier so that the resulting hold time is 1 second.
• seconds—the range is from 1 to 65535. The default is 10 seconds.
Example:

SwitchDevice(config-if)# isis hello-interval minimal

Step 5 isis hello-multiplier multiplier [level-1 | level-2] (Optional) Specifies the number of IS-IS hello packets a neighbor must miss before the router should declare the adjacency as down. The range is from 3 to 1000. The default is 3. Using a smaller hello-multiplier causes fast convergence, but can result in more routing instability.
Example:

SwitchDevice(config-if)# isis hello-multiplier 5

Step 6 isis csnp-interval seconds [level-1 | level-2] (Optional) Configures the IS-IS complete sequence number PDU (CSNP) interval for the interface. The range is from 0 to 65535. The default is 10 seconds.
Example:

SwitchDevice(config-if)# isis csnp-interval 15

Step 7 isis retransmit-interval seconds (Optional) Configures the number of seconds between retransmission of IS-IS LSPs for point-to-point links. The value you specify should be an integer greater than the expected round-trip delay between any two routers on the network. The range is from 0 to 65535. The default is 5 seconds.
Example:

SwitchDevice(config-if)# isis retransmit-interval 7

Step 8 isis retransmit-throttle-interval milliseconds (Optional) Configures the IS-IS LSP retransmission throttle interval, which is the maximum rate (number of milliseconds between packets) at which IS-IS LSPs will be re-sent on point-to-point links. The range is from 0 to 65535. The default is determined by the isis lsp-interval command.
Example:

SwitchDevice(config-if)# isis retransmit-throttle-interval 4000

Step 9 isis priority value [level-1 | level-2] (Optional) Configures the priority to use for designated router election. The range is from 0 to 127. The default is 64.
Example:

SwitchDevice(config-if)# isis priority 50

Step 10 isis circuit-type {level-1 | level-1-2 | level-2-only} (Optional) Configures the type of adjacency desired for neighbors on the specified interface (specify the interface circuit type).
• level-1—a Level 1 adjacency is established if there is at least one area address common to both this node and its neighbors.
• level-1-2—a Level 1 and 2 adjacency is established if the neighbor is also configured as both Level 1 and Level 2 and there is at least one area in common. If there is no area in common, a Level 2 adjacency is established. This is the default.
• level-2-only—a Level 2 adjacency is established. If the neighbor router is a Level 1 router, no adjacency is established.
Example:

SwitchDevice(config-if)# isis circuit-type level-1-2

Step 11 isis password password [level-1 | level-2] (Optional) Configures the authentication password for an interface. By default, authentication is disabled. Specifying Level 1 or Level 2 enables the password only for Level 1 or Level 2 routing, respectively. If you do not specify a level, the default is Level 1 and Level 2.
Example:

SwitchDevice(config-if)# isis password secret

Step 12 end Returns to privileged EXEC mode.
Example:

SwitchDevice(config-if)# end

Step 13 show clns interface interface-id Verifies your entries.
Example:

SwitchDevice# show clns interface gigabitethernet 1/0/1

Step 14 copy running-config startup-config (Optional) Saves your entries in the configuration file.
Example:

SwitchDevice# copy running-config startup-config
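As an added example (not code from the guide), the Python below applies the hello rule from Steps 4 and 5 (hold time = hello interval x hello multiplier, with minimal deriving an interval that yields a 1-second hold time), shows how to raise the multiplier without lengthening failure detection, and renders the interface commands of this procedure only after checking each value against the ranges the steps list. The function names and the RANGES table are the example's own.

```python
"""Hello timers and range checks for the IS-IS interface parameters above.

Added example, not from the Cisco guide. Ranges and defaults are the ones the
procedure lists; the hold-time arithmetic follows the Step 4 description.
"""
from __future__ import annotations

# isis <parameter>: (minimum, maximum, default) as listed in the steps
RANGES = {
    "metric": (0, 63, 10),
    "hello-interval": (1, 65535, 10),
    "hello-multiplier": (3, 1000, 3),
    "csnp-interval": (0, 65535, 10),
    "retransmit-interval": (0, 65535, 5),
    "retransmit-throttle-interval": (0, 65535, None),  # default comes from isis lsp-interval
    "priority": (0, 127, 64),
}
# Parameters whose step shows a trailing level-1 / level-2 keyword.
LEVEL_AWARE = {"metric", "hello-interval", "hello-multiplier", "csnp-interval", "priority"}


def check_range(name: str, value: int) -> int:
    lo, hi, _ = RANGES[name]
    if not isinstance(value, int) or not lo <= value <= hi:
        raise ValueError(f"isis {name} {value}: valid range is {lo} to {hi}")
    return value


def hold_time_seconds(hello_interval: int | str, multiplier: int = 3) -> float:
    """Hold time advertised in hellos: the time a neighbor waits before declaring us down."""
    check_range("hello-multiplier", multiplier)
    if hello_interval == "minimal":
        return 1.0
    return float(check_range("hello-interval", hello_interval) * multiplier)


def minimal_hello_interval_ms(multiplier: int = 3) -> float:
    """Interval the switch derives for `minimal`: multiplier x interval = 1 s."""
    check_range("hello-multiplier", multiplier)
    return 1000.0 / multiplier


def interval_for_same_hold_time(hello_interval: int, multiplier: int, new_multiplier: int) -> int:
    """Raise the multiplier without slowing failure detection: the largest
    whole-second interval whose hold time does not exceed the current one."""
    hold = hold_time_seconds(hello_interval, multiplier)
    check_range("hello-multiplier", new_multiplier)
    return max(1, int(hold // new_multiplier))


def render_interface_config(interface: str, params: dict[str, int | str],
                            level: str | None = None) -> str:
    """Emit the interface commands from the procedure, validating every value first."""
    if level not in (None, "level-1", "level-2"):
        raise ValueError(f"level must be level-1 or level-2, got {level}")
    lines = [f"interface {interface}", " no switchport", " ip router isis", " clns router isis"]
    for name, value in params.items():
        suffix = f" {level}" if level and name in LEVEL_AWARE else ""
        if name == "hello-interval" and value == "minimal":
            lines.append(f" isis hello-interval minimal{suffix}")
            continue
        check_range(name, value)
        lines.append(f" isis {name} {value}{suffix}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(render_interface_config("gigabitethernet1/0/1",
                                  {"metric": 15, "hello-interval": "minimal", "hello-multiplier": 5,
                                   "csnp-interval": 15, "priority": 50}))
    print("hold time with defaults:", hold_time_seconds(10), "s")
    print("interval keeping a 30 s hold time at multiplier 5:", interval_for_same_hold_time(10, 3, 5), "s")
```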

Monitoring and Maintaining ISO IGRP and IS-IS


You can remove all contents of a CLNS cache or remove information for a particular neighbor or route. You
can display specific CLNS or IS-IS statistics, such as the contents of routing tables, caches, and databases.
You can also display information about specific interfaces, filters, or neighbors.
The following table lists the privileged EXEC commands for clearing and displaying ISO CLNS and IS-IS
routing. For explanations of the display fields, see the Cisco IOS Apollo Domain, Banyan VINES, DECnet,
ISO CLNS and XNS Command Reference, use the Cisco IOS command reference master index, or search
online.

Table 96: ISO CLNS and IS-IS Clear and Show Commands

Command
    Purpose
clear clns cache
    Clears and reinitializes the CLNS routing cache.
clear clns es-neighbors
    Removes end system (ES) neighbor information from the adjacency database.
clear clns is-neighbors
    Removes intermediate system (IS) neighbor information from the adjacency database.
clear clns neighbors
    Removes CLNS neighbor information from the adjacency database.
clear clns route
    Removes dynamically derived CLNS routing information.
show clns
    Displays information about the CLNS network.
show clns cache
    Displays the entries in the CLNS routing cache.
show clns es-neighbors
    Displays ES neighbor entries, including the associated areas.
show clns filter-expr
    Displays filter expressions.
show clns filter-set
    Displays filter sets.
show clns interface [interface-id]
    Displays the CLNS-specific or ES-IS information about each interface.
show clns neighbor
    Displays information about IS-IS neighbors.
show clns protocol
    Lists the protocol-specific information for each IS-IS or ISO IGRP routing process in this router.
show clns route
    Displays all the destinations to which this router knows how to route CLNS packets.
show clns traffic
    Displays information about the CLNS packets this router has seen.
show ip route isis
    Displays the current state of the IS-IS IP routing table.
show isis database
    Displays the IS-IS link-state database.
show isis routes
    Displays the IS-IS Level 1 routing table.
show isis spf-log
    Displays a history of the shortest path first (SPF) calculations for IS-IS.
show isis topology
    Displays a list of all connected routers in all areas.
show route-map
    Displays all route maps configured or only the one specified.
trace clns destination
    Discovers the paths taken to a specified destination by packets in the network.
which-route {nsap-address | clns-name}
    Displays the routing table in which the specified CLNS destination is found.

Information About Multi-VRF CE


Virtual Private Networks (VPNs) provide a secure way for customers to share bandwidth over an ISP backbone
network. A VPN is a collection of sites sharing a common routing table. A customer site is connected to the
service-provider network by one or more interfaces, and the service provider associates each interface with
a VPN routing table, called a VPN routing/forwarding (VRF) table.
The switch supports multiple VPN routing/forwarding (multi-VRF) instances in customer edge (CE) devices
(multi-VRF CE) when it is running the IP services or advanced IP services feature set. Multi-VRF CE
allows a service provider to support two or more VPNs with overlapping IP addresses.


Note The switch does not use Multiprotocol Label Switching (MPLS) to support VPNs.

Understanding Multi-VRF CE
Multi-VRF CE is a feature that allows a service provider to support two or more VPNs, where IP addresses
can be overlapped among the VPNs. Multi-VRF CE uses input interfaces to distinguish routes for different
VPNs and forms virtual packet-forwarding tables by associating one or more Layer 3 interfaces with each
VRF. Interfaces in a VRF can be either physical, such as Ethernet ports, or logical, such as VLAN SVIs, but
an interface cannot belong to more than one VRF at any time.

Note Multi-VRF CE interfaces must be Layer 3 interfaces.

Multi-VRF CE includes these devices:


• Customer edge (CE) devices provide customers access to the service-provider network over a data link
to one or more provider edge routers. The CE device advertises the site’s local routes to the router and
learns the remote VPN routes from it. A switch can be a CE.
• Provider edge (PE) routers exchange routing information with CE devices by using static routing or a
routing protocol such as BGP, RIPv2, OSPF, or EIGRP. The PE is only required to maintain VPN routes
for those VPNs to which it is directly attached, eliminating the need for the PE to maintain all of the
service-provider VPN routes. Each PE router maintains a VRF for each of its directly connected sites.
Multiple interfaces on a PE router can be associated with a single VRF if all of these sites participate in
the same VPN. Each VPN is mapped to a specified VRF. After learning local VPN routes from CEs, a
PE router exchanges VPN routing information with other PE routers by using internal BGP (iBGP).
• Provider routers or core routers are any routers in the service provider network that do not attach to CE
devices.

With multi-VRF CE, multiple customers can share one CE, and only one physical link is used between the
CE and the PE. The shared CE maintains separate VRF tables for each customer and switches or routes packets
for each customer based on its own routing table. Multi-VRF CE extends limited PE functionality to a CE
device, giving it the ability to maintain separate VRF tables to extend the privacy and security of a VPN to
the branch office.

Network Topology
The figure shows a configuration using switches as multiple virtual CEs. This scenario is suited for customers
who have low bandwidth requirements for their VPN service, for example, small companies. In this case,
multi-VRF CE support is required in the switches. Because multi-VRF CE is a Layer 3 feature, each interface
in a VRF must be a Layer 3 interface.


Figure 82: Switches Acting as Multiple Virtual CEs

When the CE switch receives a command to add a Layer 3 interface to a VRF, it sets up the appropriate
mapping between the VLAN ID and the policy label (PL) in multi-VRF-CE-related data structures and adds
the VLAN ID and PL to the VLAN database.
When multi-VRF CE is configured, the Layer 3 forwarding table is conceptually partitioned into two sections:
• The multi-VRF CE routing section contains the routes from different VPNs.
• The global routing section contains routes to non-VPN networks, such as the Internet.

VLAN IDs from different VRFs are mapped into different policy labels, which are used to distinguish the
VRFs during processing. For each new VPN route learned, the Layer 3 setup function retrieves the policy
label by using the VLAN ID of the ingress port and inserts the policy label and new route to the multi-VRF
CE routing section. If the packet is received from a routed port, the port internal VLAN ID number is used;
if the packet is received from an SVI, the VLAN number is used.

Packet-Forwarding Process
This is the packet-forwarding process in a multi-VRF-CE-enabled network:
• When the switch receives a packet from a VPN, the switch looks up the routing table based on the input
policy label number. When a route is found, the switch forwards the packet to the PE.
• When the ingress PE receives a packet from the CE, it performs a VRF lookup. When a route is found,
the router adds a corresponding MPLS label to the packet and sends it to the MPLS network.
• When an egress PE receives a packet from the network, it strips the label and uses the label to identify
the correct VPN routing table. Then it performs the normal route lookup. When a route is found, it
forwards the packet to the correct adjacency.
• When a CE receives a packet from an egress PE, it uses the input policy label to look up the correct VPN
routing table. If a route is found, it forwards the packet within the VPN.
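As an added illustration of the forwarding process above (example code, not part of this guide and not Cisco IOS code), the following Python model partitions the Layer 3 table by policy label and confines each lookup to the section selected by the ingress interface, so two customers can reuse the same prefix. The policy label values, interface names, prefixes and next hops are constructed for the example.

```python
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network
from typing import Dict, List, Optional

GLOBAL_LABEL = 0  # assumed label value for the global routing section


@dataclass(frozen=True)
class Route:
    prefix: IPv4Network
    next_hop: str
    out_iface: str


class MultiVrfCe:
    """Forwarding state of one CE switch: VRF name -> policy label,
    ingress interface -> policy label, and one route list per label."""

    def __init__(self) -> None:
        self._next_label = 1
        self.vrf_label: Dict[str, int] = {}
        self.iface_label: Dict[str, int] = {}
        self.tables: Dict[int, List[Route]] = {GLOBAL_LABEL: []}

    def define_vrf(self, name: str) -> int:
        """'ip vrf <name>': allocate a policy label and an empty section."""
        if name not in self.vrf_label:
            self.vrf_label[name] = self._next_label
            self.tables[self._next_label] = []
            self._next_label += 1
        return self.vrf_label[name]

    def attach_interface(self, iface: str, vrf: Optional[str] = None) -> None:
        """'ip vrf forwarding <vrf>' (or none for the global table). The guide
        says an interface cannot belong to more than one VRF, so a second
        mapping is rejected instead of silently overwriting the first."""
        if iface in self.iface_label:
            raise ValueError(f"{iface} is already mapped to a policy label")
        self.iface_label[iface] = GLOBAL_LABEL if vrf is None else self.vrf_label[vrf]

    def add_route(self, prefix: str, next_hop: str, out_iface: str,
                  vrf: Optional[str] = None) -> None:
        """Insert a learned route into the VRF's section (or the global one)."""
        label = GLOBAL_LABEL if vrf is None else self.vrf_label[vrf]
        self.tables[label].append(Route(IPv4Network(prefix), next_hop, out_iface))

    def forward(self, in_iface: str, dst: str) -> Optional[Route]:
        """Longest-prefix match confined to the section chosen by the ingress
        label. None means no route: the packet is dropped rather than looked
        up in another VRF or in the global section (modelling assumption)."""
        table = self.tables[self.iface_label[in_iface]]
        addr = IPv4Address(dst)
        matches = [r for r in table if addr in r.prefix]
        if not matches:
            return None
        return max(matches, key=lambda r: r.prefix.prefixlen)


def build_demo_ce() -> MultiVrfCe:
    """Constructed topology: two customers both use 10.1.5.0/24 (overlapping
    addresses are allowed in different VPNs) and the global section carries
    a default route toward the Internet."""
    ce = MultiVrfCe()
    ce.define_vrf("vpn1")
    ce.define_vrf("vpn2")
    ce.attach_interface("Gi1/0/8", "vpn1")
    ce.attach_interface("Gi1/0/11", "vpn2")
    ce.attach_interface("Gi1/0/1")  # global (non-VPN) interface
    ce.add_route("10.1.5.0/24", "192.0.2.1", "Vlan118", vrf="vpn1")
    ce.add_route("10.1.5.0/24", "192.0.2.5", "Vlan218", vrf="vpn2")
    ce.add_route("10.1.5.0/26", "192.0.2.9", "Vlan219", vrf="vpn2")  # more specific
    ce.add_route("0.0.0.0/0", "198.51.100.1", "Gi1/0/1")             # global only
    return ce


def demo() -> Dict[str, Optional[Route]]:
    """Lookups that show the per-VRF partitioning."""
    ce = build_demo_ce()
    return {
        "vpn1": ce.forward("Gi1/0/8", "10.1.5.200"),          # vpn1's copy of the prefix
        "vpn2": ce.forward("Gi1/0/11", "10.1.5.200"),         # vpn2's copy, other next hop
        "vpn2_specific": ce.forward("Gi1/0/11", "10.1.5.2"),  # the /26 wins inside vpn2
        "vpn1_to_internet": ce.forward("Gi1/0/8", "203.0.113.7"),  # no route in vpn1
        "global": ce.forward("Gi1/0/1", "203.0.113.7"),       # default route, global only
    }


if __name__ == "__main__":
    for name, route in demo().items():
        print(f"{name:17} -> {route.next_hop if route else 'no route (dropped)'}")
```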

Network Components
To configure VRF, you create a VRF table and specify the Layer 3 interface associated with the VRF. Then
configure the routing protocols in the VPN and between the CE and the PE. BGP is the preferred routing
protocol used to distribute VPN routing information across the provider’s backbone. The multi-VRF CE
network has three major components:


• VPN route target communities—lists of all other members of a VPN community. You need to configure
VPN route targets for each VPN community member.
• Multiprotocol BGP peering of VPN community PE routers—propagates VRF reachability information
to all members of a VPN community. You need to configure BGP peering in all PE routers within a VPN
community.
• VPN forwarding—transports all traffic between all VPN community members across a VPN
service-provider network.

VRF-Aware Services
IP services can be configured on global interfaces, and these services run within the global routing instance.
IP services are enhanced to run on multiple routing instances; they are VRF-aware. Any configured VRF in
the system can be specified for a VRF-aware service.
VRF-Aware services are implemented in platform-independent modules. VRF means multiple routing instances
in Cisco IOS. Each platform has its own limit on the number of VRFs it supports.
VRF-aware services have the following characteristics:
• The user can ping a host in a user-specified VRF.
• ARP entries are learned in separate VRFs. The user can display Address Resolution Protocol (ARP)
entries for specific VRFs.

How to Configure Multi-VRF CE


Default Multi-VRF CE Configuration
Table 97: Default VRF Configuration

Feature
    Default Setting
VRF
    Disabled. No VRFs are defined.
Maps
    No import maps, export maps, or route maps are defined.
VRF maximum routes
    Fast Ethernet switches: 8000. Gigabit Ethernet switches: 12000.
Forwarding table
    The default for an interface is the global routing table.


Multi-VRF CE Configuration Guidelines

Note To use multi-VRF CE, you must have the IP services or advanced IP services feature set enabled on your
switch.
• A switch with multi-VRF CE is shared by multiple customers, and each customer has its own routing
table.
• Because customers use different VRF tables, the same IP addresses can be reused. Overlapped IP addresses
are allowed in different VPNs.
• Multi-VRF CE lets multiple customers share the same physical link between the PE and the CE. Trunk
ports with multiple VLANs separate packets among customers. Each customer has its own VLAN.
• Multi-VRF CE does not support all MPLS-VRF functionality. It does not support label exchange, LDP
adjacency, or labeled packets.
• For the PE router, there is no difference between using multi-VRF CE or using multiple CEs. In
Figure 41-6, multiple virtual Layer 3 interfaces are connected to the multi-VRF CE device.
• The switch supports configuring VRF by using physical ports, VLAN SVIs, or a combination of both.
The SVIs can be connected through an access port or a trunk port.
• A customer can use multiple VLANs as long as they do not overlap with those of other customers. A
customer’s VLANs are mapped to a specific routing table ID that is used to identify the appropriate
routing tables stored on the switch.
• The switch supports one global network and up to 26 VRFs.
• Most routing protocols (BGP, OSPF, RIP, and static routing) can be used between the CE and the PE.
However, we recommend using external BGP (EBGP) for these reasons:
• BGP does not require multiple algorithms to communicate with multiple CEs.
• BGP is designed for passing routing information between systems run by different administrations.
• BGP makes it easy to pass attributes of the routes to the CE.

• Multi-VRF CE does not affect the packet switching rate.
• VPN multicast is not supported.
• You can enable VRF on a private VLAN, and the reverse.
• You cannot enable VRF when policy-based routing (PBR) is enabled on an interface, and the reverse.
• You cannot enable VRF when Web Cache Communication Protocol (WCCP) is enabled on an interface,
and the reverse.

Configuring VRFs
For complete syntax and usage information for the commands, see the switch command reference for this
release and the Cisco IOS Switching Services Command Reference.


Procedure

Step 1: configure terminal
Purpose: Enters global configuration mode.
Example: SwitchDevice# configure terminal

Step 2: ip routing
Purpose: Enables IP routing.
Example: SwitchDevice(config)# ip routing

Step 3: ip vrf vrf-name
Purpose: Names the VRF, and enters VRF configuration mode.
Example: SwitchDevice(config)# ip vrf vpn1

Step 4: rd route-distinguisher
Purpose: Creates a VRF table by specifying a route distinguisher. Enter either an AS number and an arbitrary number (xxx:y) or an IP address and an arbitrary number (A.B.C.D:y).
Example: SwitchDevice(config-vrf)# rd 100:2

Step 5: route-target {export | import | both} route-target-ext-community
Purpose: Creates a list of import, export, or import and export route target communities for the specified VRF. Enter either an AS number and an arbitrary number (xxx:y) or an IP address and an arbitrary number (A.B.C.D:y). The route-target-ext-community should be the same as the route-distinguisher entered in Step 4.
Example: SwitchDevice(config-vrf)# route-target both 100:2

Step 6: import map route-map
Purpose: (Optional) Associates a route map with the VRF.
Example: SwitchDevice(config-vrf)# import map importmap1

Step 7: interface interface-id
Purpose: Specifies the Layer 3 interface to be associated with the VRF, and enters interface configuration mode. The interface can be a routed port or an SVI.
Example: SwitchDevice(config-vrf)# interface gigabitethernet 1/0/1

Step 8: ip vrf forwarding vrf-name
Purpose: Associates the VRF with the Layer 3 interface.
Example: SwitchDevice(config-if)# ip vrf forwarding vpn1

Step 9: end
Purpose: Returns to privileged EXEC mode.
Example: SwitchDevice(config-if)# end

Step 10: show ip vrf [brief | detail | interfaces] [vrf-name]
Purpose: Verifies the configuration. Displays information about the configured VRFs.
Example: SwitchDevice# show ip vrf interfaces vpn1

Step 11: copy running-config startup-config
Purpose: (Optional) Saves your entries in the configuration file.
Example: SwitchDevice# copy running-config startup-config
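The following Python lint is an added example, not Cisco code: it reads a running-config text and checks the constraints stated in the configuration guidelines and in the procedure above (IP routing enabled, an rd for every VRF, route-targets equal to the rd from Step 4, a defined VRF behind every ip vrf forwarding, physical ports made Layer 3 with no switchport, no PBR on a VRF interface, and at most 26 VRFs). The sample configuration and the stanza parser are constructed for the example; the PBR check keys on the ip policy route-map interface command.

```python
import re
from typing import Dict, List, Tuple

MAX_VRFS = 26  # guideline: one global network and up to 26 VRFs

# Constructed sample: v11 is correct; v12 has a route-target that differs
# from its rd; v13 has no rd; Gi1/0/8 mixes VRF with PBR; Gi1/0/11 is still
# a Layer 2 port and points at an undefined VRF.
SAMPLE_CONFIG = """\
ip routing
ip vrf v11
 rd 800:1
 route-target export 800:1
 route-target import 800:1
ip vrf v12
 rd 800:2
 route-target export 800:2
 route-target import 800:3
ip vrf v13
interface Loopback1
 ip vrf forwarding v11
 ip address 8.8.1.8 255.255.255.0
interface GigabitEthernet1/0/8
 no switchport
 ip vrf forwarding v12
 ip address 10.1.5.1 255.255.255.0
 ip policy route-map PBR1
interface GigabitEthernet1/0/11
 ip vrf forwarding v99
 ip address 10.1.5.1 255.255.255.0
interface Vlan118
 ip vrf forwarding v11
 ip address 10.1.5.1 255.255.255.0
"""


def parse_stanzas(text: str) -> List[Tuple[str, List[str]]]:
    """Group config lines into (header, indented sub-lines) stanzas, the way
    IOS indents 'interface' and 'ip vrf' sections. '!' comment lines are skipped."""
    stanzas: List[Tuple[str, List[str]]] = []
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("!"):
            continue
        if raw.startswith(" ") and stanzas:
            stanzas[-1][1].append(raw.strip())
        else:
            stanzas.append((raw.strip(), []))
    return stanzas


def lint_multi_vrf(text: str) -> List[str]:
    """Return one finding per violated constraint; an empty list means clean."""
    stanzas = parse_stanzas(text)
    findings: List[str] = []
    if "ip routing" not in [h for h, _ in stanzas]:
        findings.append("ip routing is not enabled (Configuring VRFs, Step 2)")

    vrfs: Dict[str, str] = {}  # vrf name -> route distinguisher
    for header, body in stanzas:
        if not header.startswith("ip vrf "):
            continue
        name = header.split()[2]
        rds = [line.split()[1] for line in body if line.startswith("rd ")]
        vrfs[name] = rds[0] if rds else ""
        if not rds:
            findings.append(f"vrf {name}: no route distinguisher (rd) configured")
            continue
        for line in body:  # Step 5: route-target should equal the rd from Step 4
            if line.startswith("route-target ") and line.split()[-1] != rds[0]:
                findings.append(f"vrf {name}: {line} does not match rd {rds[0]}")
    if len(vrfs) > MAX_VRFS:
        findings.append(f"{len(vrfs)} VRFs defined, limit is {MAX_VRFS}")

    for header, body in stanzas:
        if not header.startswith("interface "):
            continue
        iface = header.split()[1]
        bound = [line.split()[3] for line in body if line.startswith("ip vrf forwarding ")]
        if not bound:
            continue
        if bound[0] not in vrfs:
            findings.append(f"{iface}: ip vrf forwarding {bound[0]} references an undefined VRF")
        # SVIs and loopbacks are logical Layer 3 interfaces; a physical port
        # must be a routed port ('no switchport') before it can join a VRF.
        logical = re.match(r"(vlan|loopback)", iface, re.IGNORECASE) is not None
        if not logical and "no switchport" not in body:
            findings.append(f"{iface}: VRF on a physical port requires 'no switchport'")
        if any(line.startswith("ip policy route-map") for line in body):
            findings.append(f"{iface}: VRF and PBR (ip policy route-map) cannot both be enabled")
    return findings


if __name__ == "__main__":
    for finding in lint_multi_vrf(SAMPLE_CONFIG):
        print(finding)
```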

Configuring VRF-Aware Services


These services are VRF-Aware:
• ARP
• Ping
• Simple Network Management Protocol (SNMP)
• Unicast Reverse Path Forwarding (uRPF)
• Syslog
• Traceroute
• FTP and TFTP

Note The switch does not support VRF-aware services for Unicast Reverse Path
Forwarding (uRPF) or Network Time Protocol (NTP).

Configuring VRF-Aware Services for ARP


For complete syntax and usage information for the commands, see the switch command reference for this
release and the Cisco IOS Switching Services Command Reference, Release 12.4.

Procedure

Step 1: show ip arp vrf vrf-name
Purpose: Displays the ARP table in the specified VRF.
Example: SwitchDevice# show ip arp vrf vpn1

Configuring VRF-Aware Services for Ping


For complete syntax and usage information for the commands, see the switch command reference for this
release and the Cisco IOS Switching Services Command Reference, Release 12.4.

Procedure

Step 1: ping vrf vrf-name ip-host
Purpose: Pings the specified host in the specified VRF.
Example: SwitchDevice# ping vrf vpn1 ip-host

Configuring VRF-Aware Services for SNMP


For complete syntax and usage information for the commands, refer to the switch command reference for this
release and the Cisco IOS Switching Services Command Reference, Release 12.4.

Procedure

Step 1: configure terminal
Purpose: Enters global configuration mode.
Example: SwitchDevice# configure terminal

Step 2: snmp-server trap authentication vrf
Purpose: Enables SNMP traps for packets on a VRF.
Example: SwitchDevice(config)# snmp-server trap authentication vrf

Step 3: snmp-server engineID remote host vrf vpn-instance engine-id string
Purpose: Configures a name for the remote SNMP engine on a switch.
Example: SwitchDevice(config)# snmp-server engineID remote 172.16.20.3 vrf vpn1 80000009030000B064EFE100

Step 4: snmp-server host host vrf vpn-instance traps community
Purpose: Specifies the recipient of an SNMP trap operation and specifies the VRF table to be used for sending SNMP traps.
Example: SwitchDevice(config)# snmp-server host 172.16.20.3 vrf vpn1 traps comaccess

Step 5: snmp-server host host vrf vpn-instance informs community
Purpose: Specifies the recipient of an SNMP inform operation and specifies the VRF table to be used for sending SNMP informs.
Example: SwitchDevice(config)# snmp-server host 172.16.20.3 vrf vpn1 informs comaccess

Step 6: snmp-server user user group remote host vrf vpn-instance security model
Purpose: Adds a user to an SNMP group for a remote host on a VRF for SNMP access.
Example: SwitchDevice(config)# snmp-server user abcd remote 172.16.20.3 vrf vpn1 priv v2c 3des secure3des

Step 7: end
Purpose: Returns to privileged EXEC mode.
Example: SwitchDevice(config)# end

Configuring VRF-Aware Services for HSRP

HSRP support for VRFs ensures that HSRP virtual IP addresses are added to the correct IP routing table.
For complete syntax and usage information for the commands, refer to the switch command reference for this
release and the Cisco IOS Switching Services Command Reference, Release 12.4.

Procedure

Step 1: configure terminal
Purpose: Enters global configuration mode.
Example: SwitchDevice# configure terminal

Step 2: interface interface-id
Purpose: Enters interface configuration mode, and specifies the Layer 3 interface to configure.
Example: SwitchDevice(config)# interface gigabitethernet 1/0/1

Step 3: no switchport
Purpose: Removes the interface from Layer 2 configuration mode if it is a physical interface.
Example: SwitchDevice(config-if)# no switchport

Step 4: ip vrf forwarding vrf-name
Purpose: Configures VRF on the interface.
Example: SwitchDevice(config-if)# ip vrf forwarding vpn1

Step 5: ip address ip-address
Purpose: Enters the IP address for the interface.
Example: SwitchDevice(config-if)# ip address 10.1.5.1

Step 6: standby 1 ip ip-address
Purpose: Enables HSRP and configures the virtual IP address.
Example: SwitchDevice(config-if)# standby 1 ip 10.1.1.254

Step 7: end
Purpose: Returns to privileged EXEC mode.
Example: SwitchDevice(config-if)# end

Configuring VRF-Aware Services for uRPF

uRPF can be configured on an interface assigned to a VRF, and source lookup is done in the VRF table.
For complete syntax and usage information for the commands, refer to the switch command reference for this
release and the Cisco IOS Switching Services Command Reference, Release 12.4.

Procedure

Step 1: configure terminal
Purpose: Enters global configuration mode.
Example: SwitchDevice# configure terminal

Step 2: interface interface-id
Purpose: Enters interface configuration mode, and specifies the Layer 3 interface to configure.
Example: SwitchDevice(config)# interface gigabitethernet 1/0/1

Step 3: no switchport
Purpose: Removes the interface from Layer 2 configuration mode if it is a physical interface.
Example: SwitchDevice(config-if)# no switchport

Step 4: ip vrf forwarding vrf-name
Purpose: Configures VRF on the interface.
Example: SwitchDevice(config-if)# ip vrf forwarding vpn2

Step 5: ip address ip-address
Purpose: Enters the IP address for the interface.
Example: SwitchDevice(config-if)# ip address 10.1.5.1

Step 6: ip verify unicast reverse-path
Purpose: Enables uRPF on the interface.
Example: SwitchDevice(config-if)# ip verify unicast reverse-path

Step 7: end
Purpose: Returns to privileged EXEC mode.
Example: SwitchDevice(config-if)# end

Configuring VRF-Aware RADIUS


To configure VRF-Aware RADIUS, you must first enable AAA on a RADIUS server. The switch supports
the ip vrf forwarding vrf-name server-group configuration and the ip radius source-interface global
configuration commands, as described in the Per VRF AAA Feature Guide.

Configuring VRF-Aware Services for Syslog


For complete syntax and usage information for the commands, refer to the switch command reference for this
release and the Cisco IOS Switching Services Command Reference, Release 12.4.

Procedure

Step 1: configure terminal
Purpose: Enters global configuration mode.
Example: SwitchDevice# configure terminal

Step 2: logging on
Purpose: Enables or temporarily disables logging of storage router event messages.
Example: SwitchDevice(config)# logging on

Step 3: logging host ip-address vrf vrf-name
Purpose: Specifies the host address of the syslog server where logging messages are to be sent.
Example: SwitchDevice(config)# logging host 10.10.1.0 vrf vpn1

Step 4: logging buffered size debugging
Purpose: Logs messages to an internal buffer.
Example: SwitchDevice(config)# logging buffered critical 6000 debugging

Step 5: logging trap debugging
Purpose: Limits the logging messages sent to the syslog server.
Example: SwitchDevice(config)# logging trap debugging

Step 6: logging facility facility
Purpose: Sends system logging messages to a logging facility.
Example: SwitchDevice(config)# logging facility user

Step 7: end
Purpose: Returns to privileged EXEC mode.
Example: SwitchDevice(config)# end

Configuring VRF-Aware Services for Traceroute


For complete syntax and usage information for the commands, refer to the switch command reference for this
release and the Cisco IOS Switching Services Command Reference, Release 12.4.

Procedure

Step 1: traceroute vrf vrf-name ipaddress
Purpose: Specifies the name of a VPN VRF in which to find the destination address.
Example: SwitchDevice# traceroute vrf vpn2 10.10.1.1

Configuring VRF-Aware Services for FTP and TFTP


So that FTP and TFTP are VRF-aware, you must configure some FTP/TFTP CLIs. For example, if you want
to use a VRF table that is attached to an interface, say E1/0, you need to configure the ip tftp source-interface
E1/0 or the ip ftp source-interface E1/0 command to inform the TFTP or FTP server to use a specific routing
table. In this example, the VRF table is used to look up the destination IP address. These changes are
backward-compatible and do not affect existing behavior. That is, you can use the source-interface CLI to
send packets out a particular interface even if no VRF is configured on that interface.

Procedure

Step 1: configure terminal
Purpose: Enters global configuration mode.
Example: SwitchDevice# configure terminal

Step 2: ip ftp source-interface interface-type interface-number
Purpose: Specifies the source IP address for FTP connections.
Example: SwitchDevice(config)# ip ftp source-interface gigabitethernet 1/0/2

Step 3: end
Purpose: Returns to privileged EXEC mode.
Example: SwitchDevice(config)# end

Step 4: configure terminal
Purpose: Enters global configuration mode.
Example: SwitchDevice# configure terminal

Step 5: ip tftp source-interface interface-type interface-number
Purpose: Specifies the source IP address for TFTP connections.
Example: SwitchDevice(config)# ip tftp source-interface gigabitethernet 1/0/2

Step 6: end
Purpose: Returns to privileged EXEC mode.
Example: SwitchDevice(config)# end

Step 7: end
Purpose: Returns to privileged EXEC mode.
Example: SwitchDevice(config)# end


Configuring Multicast VRFs


For complete syntax and usage information for the commands, see the switch command reference for this
release and the Cisco IOS IP Multicast Command Reference.
For more information about configuring a multicast within a Multi-VRF CE, see the IP Routing:
Protocol-Independent Configuration Guide, Cisco IOS Release 15S.

Procedure

Step 1: configure terminal
Purpose: Enters global configuration mode.
Example: SwitchDevice# configure terminal

Step 2: ip routing
Purpose: Enables IP routing mode.
Example: SwitchDevice(config)# ip routing

Step 3: ip vrf vrf-name
Purpose: Names the VRF, and enters VRF configuration mode.
Example: SwitchDevice(config)# ip vrf vpn1

Step 4: rd route-distinguisher
Purpose: Creates a VRF table by specifying a route distinguisher. Enter either an AS number and an arbitrary number (xxx:y) or an IP address and an arbitrary number (A.B.C.D:y).
Example: SwitchDevice(config-vrf)# rd 100:2

Step 5: route-target {export | import | both} route-target-ext-community
Purpose: Creates a list of import, export, or import and export route target communities for the specified VRF. Enter either an AS number and an arbitrary number (xxx:y) or an IP address and an arbitrary number (A.B.C.D:y). The route-target-ext-community should be the same as the route-distinguisher entered in Step 4.
Example: SwitchDevice(config-vrf)# route-target import 100:2

Step 6: import map route-map
Purpose: (Optional) Associates a route map with the VRF.
Example: SwitchDevice(config-vrf)# import map importmap1

Step 7: ip multicast-routing vrf vrf-name distributed
Purpose: (Optional) Enables global multicast routing for the VRF table.
Example: SwitchDevice(config-vrf)# ip multicast-routing vrf vpn1 distributed

Step 8: interface interface-id
Purpose: Specifies the Layer 3 interface to be associated with the VRF, and enters interface configuration mode. The interface can be a routed port or an SVI.
Example: SwitchDevice(config-vrf)# interface gigabitethernet 1/0/2

Step 9: ip vrf forwarding vrf-name
Purpose: Associates the VRF with the Layer 3 interface.
Example: SwitchDevice(config-if)# ip vrf forwarding vpn1

Step 10: ip address ip-address mask
Purpose: Configures the IP address for the Layer 3 interface.
Example: SwitchDevice(config-if)# ip address 10.1.5.1 255.255.255.0

Step 11: ip pim sparse-dense-mode
Purpose: Enables PIM on the VRF-associated Layer 3 interface.
Example: SwitchDevice(config-if)# ip pim sparse-dense-mode

Step 12: end
Purpose: Returns to privileged EXEC mode.
Example: SwitchDevice(config-if)# end

Step 13: show ip vrf [brief | detail | interfaces] [vrf-name]
Purpose: Verifies the configuration. Displays information about the configured VRFs.
Example: SwitchDevice# show ip vrf detail vpn1

Step 14: copy running-config startup-config
Purpose: (Optional) Saves your entries in the configuration file.
Example: SwitchDevice# copy running-config startup-config

Configuring a VPN Routing Session


Routing within the VPN can be configured with any supported routing protocol (RIP, OSPF, EIGRP, or BGP)
or with static routing. The configuration shown here is for OSPF, but the process is the same for other protocols.

Note To configure an EIGRP routing process to run within a VRF instance, you must configure an
autonomous-system number by entering the autonomous-system autonomous-system-number address-family
configuration mode command.

Procedure

Step 1: configure terminal
Purpose: Enters global configuration mode.
Example: SwitchDevice# configure terminal

Step 2: router ospf process-id vrf vrf-name
Purpose: Enables OSPF routing, specifies a VPN forwarding table, and enters router configuration mode.
Example: SwitchDevice(config)# router ospf 1 vrf vpn1

Step 3: log-adjacency-changes
Purpose: (Optional) Logs changes in the adjacency state. This is the default state.
Example: SwitchDevice(config-router)# log-adjacency-changes

Step 4: redistribute bgp autonomous-system-number subnets
Purpose: Sets the switch to redistribute information from the BGP network to the OSPF network.
Example: SwitchDevice(config-router)# redistribute bgp 10 subnets

Step 5: network network-number area area-id
Purpose: Defines a network address and mask on which OSPF runs and the area ID for that network address.
Example: SwitchDevice(config-router)# network 1 area 2

Step 6: end
Purpose: Returns to privileged EXEC mode.
Example: SwitchDevice(config-router)# end

Step 7: show ip ospf process-id
Purpose: Verifies the configuration of the OSPF network.
Example: SwitchDevice# show ip ospf 1

Step 8: copy running-config startup-config
Purpose: (Optional) Saves your entries in the configuration file.
Example: SwitchDevice# copy running-config startup-config

Configuring BGP PE to CE Routing Sessions


Procedure

Step 1: configure terminal
Purpose: Enters global configuration mode.
Example: SwitchDevice# configure terminal

Step 2: router bgp autonomous-system-number
Purpose: Configures the BGP routing process with the AS number passed to other BGP routers, and enters router configuration mode.
Example: SwitchDevice(config)# router bgp 2

Step 3: network network-number mask network-mask
Purpose: Specifies a network and mask to announce using BGP.
Example: SwitchDevice(config-router)# network 5 mask 255.255.255.0

Step 4: redistribute ospf process-id match internal
Purpose: Sets the switch to redistribute OSPF internal routes.
Example: SwitchDevice(config-router)# redistribute ospf 1 match internal

Step 5: network network-number area area-id
Purpose: Defines a network address and mask on which OSPF runs and the area ID for that network address.
Example: SwitchDevice(config-router)# network 5 area 2

Step 6: address-family ipv4 vrf vrf-name
Purpose: Defines BGP parameters for PE to CE routing sessions, and enters VRF address-family mode.
Example: SwitchDevice(config-router)# address-family ipv4 vrf vpn1

Step 7: neighbor address remote-as as-number
Purpose: Defines a BGP session between PE and CE routers.
Example: SwitchDevice(config-router)# neighbor 10.1.1.2 remote-as 2

Step 8: neighbor address activate
Purpose: Activates the advertisement of the IPv4 address family.
Example: SwitchDevice(config-router)# neighbor 10.2.1.1 activate

Step 9: end
Purpose: Returns to privileged EXEC mode.
Example: SwitchDevice(config-router)# end

Step 10: show ip bgp [ipv4] [neighbors]
Purpose: Verifies BGP configuration.
Example: SwitchDevice# show ip bgp ipv4 neighbors

Step 11: copy running-config startup-config
Purpose: (Optional) Saves your entries in the configuration file.
Example: SwitchDevice# copy running-config startup-config

Multi-VRF CE Configuration Example


OSPF is the protocol used in VPN1, VPN2, and the global network. BGP is used in the CE to PE connections.
The examples following the illustration show how to configure a switch as CE Switch A, and the VRF
configuration for customer switches D and F. Commands for configuring CE Switch C and the other customer
switches are not included but would be similar. The example also includes commands for configuring traffic
to Switch A for a Catalyst 6000 or Catalyst 6500 switch acting as a PE router.

Figure 83: Multi-VRF CE Configuration Example

On Switch A, enable routing and configure VRF.

SwitchDevice# configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
SwitchDevice(config)# ip routing
SwitchDevice(config)# ip vrf v11
SwitchDevice(config-vrf)# rd 800:1
SwitchDevice(config-vrf)# route-target export 800:1
SwitchDevice(config-vrf)# route-target import 800:1
SwitchDevice(config-vrf)# exit
SwitchDevice(config)# ip vrf v12
SwitchDevice(config-vrf)# rd 800:2
SwitchDevice(config-vrf)# route-target export 800:2
SwitchDevice(config-vrf)# route-target import 800:2
SwitchDevice(config-vrf)# exit

Configure the loopback and physical interfaces on Switch A. Gigabit Ethernet port 1 is a trunk connection to
the PE. Gigabit Ethernet ports 8 and 11 connect to VPNs:

SwitchDevice(config)# interface loopback1
SwitchDevice(config-if)# ip vrf forwarding v11
SwitchDevice(config-if)# ip address 8.8.1.8 255.255.255.0
SwitchDevice(config-if)# exit

SwitchDevice(config)# interface loopback2
SwitchDevice(config-if)# ip vrf forwarding v12
SwitchDevice(config-if)# ip address 8.8.2.8 255.255.255.0
SwitchDevice(config-if)# exit

SwitchDevice(config)# interface gigabitethernet1/0/5
SwitchDevice(config-if)# switchport trunk encapsulation dot1q

SwitchDevice(config-if)# switchport mode trunk
SwitchDevice(config-if)# no ip address
SwitchDevice(config-if)# exit
SwitchDevice(config)# interface gigabitethernet1/0/8
SwitchDevice(config-if)# switchport access vlan 208
SwitchDevice(config-if)# no ip address
SwitchDevice(config-if)# exit
SwitchDevice(config)# interface gigabitethernet1/0/11
SwitchDevice(config-if)# switchport trunk encapsulation dot1q
SwitchDevice(config-if)# switchport mode trunk
SwitchDevice(config-if)# no ip address
SwitchDevice(config-if)# exit

Configure the VLANs used on Switch A. VLAN 10 is used by VRF 11 between the CE and the PE. VLAN
20 is used by VRF 12 between the CE and the PE. VLANs 118 and 208 are used for the VPNs that include
Switch F and Switch D, respectively:

SwitchDevice(config)# interface vlan10
SwitchDevice(config-if)# ip vrf forwarding v11
SwitchDevice(config-if)# ip address 38.0.0.8 255.255.255.0
SwitchDevice(config-if)# exit
SwitchDevice(config)# interface vlan20
SwitchDevice(config-if)# ip vrf forwarding v12
SwitchDevice(config-if)# ip address 83.0.0.8 255.255.255.0
SwitchDevice(config-if)# exit
SwitchDevice(config)# interface vlan118
SwitchDevice(config-if)# ip vrf forwarding v12
SwitchDevice(config-if)# ip address 118.0.0.8 255.255.255.0
SwitchDevice(config-if)# exit
SwitchDevice(config)# interface vlan208
SwitchDevice(config-if)# ip vrf forwarding v11
SwitchDevice(config-if)# ip address 208.0.0.8 255.255.255.0
SwitchDevice(config-if)# exit

Configure OSPF routing in VPN1 and VPN2.

SwitchDevice(config)# router ospf 1 vrf v11
SwitchDevice(config-router)# redistribute bgp 800 subnets
SwitchDevice(config-router)# network 208.0.0.0 0.0.0.255 area 0
SwitchDevice(config-router)# exit
SwitchDevice(config)# router ospf 2 vrf v12
SwitchDevice(config-router)# redistribute bgp 800 subnets
SwitchDevice(config-router)# network 118.0.0.0 0.0.0.255 area 0
SwitchDevice(config-router)# exit

Configure BGP for CE to PE routing.

SwitchDevice(config)# router bgp 800
SwitchDevice(config-router)# address-family ipv4 vrf v12
SwitchDevice(config-router-af)# redistribute ospf 2 match internal
SwitchDevice(config-router-af)# neighbor 83.0.0.3 remote-as 100
SwitchDevice(config-router-af)# neighbor 83.0.0.3 activate
SwitchDevice(config-router-af)# network 8.8.2.0 mask 255.255.255.0
SwitchDevice(config-router-af)# exit
SwitchDevice(config-router)# address-family ipv4 vrf v11
SwitchDevice(config-router-af)# redistribute ospf 1 match internal
SwitchDevice(config-router-af)# neighbor 38.0.0.3 remote-as 100
SwitchDevice(config-router-af)# neighbor 38.0.0.3 activate
SwitchDevice(config-router-af)# network 8.8.1.0 mask 255.255.255.0
SwitchDevice(config-router-af)# end

Switch D belongs to VPN 1. Configure the connection to Switch A by using these commands.

SwitchDevice# configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
SwitchDevice(config)# ip routing
SwitchDevice(config)# interface gigabitethernet1/0/2
SwitchDevice(config-if)# no switchport
SwitchDevice(config-if)# ip address 208.0.0.20 255.255.255.0
SwitchDevice(config-if)# exit

SwitchDevice(config)# router ospf 101
SwitchDevice(config-router)# network 208.0.0.0 0.0.0.255 area 0
SwitchDevice(config-router)# end

Switch F belongs to VPN 2. Configure the connection to Switch A by using these commands.

SwitchDevice# configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
SwitchDevice(config)# ip routing
SwitchDevice(config)# interface gigabitethernet1/0/1
SwitchDevice(config-if)# switchport trunk encapsulation dot1q
SwitchDevice(config-if)# switchport mode trunk
SwitchDevice(config-if)# no ip address
SwitchDevice(config-if)# exit

SwitchDevice(config)# interface vlan118
SwitchDevice(config-if)# ip address 118.0.0.11 255.255.255.0
SwitchDevice(config-if)# exit

SwitchDevice(config)# router ospf 101
SwitchDevice(config-router)# network 118.0.0.0 0.0.0.255 area 0
SwitchDevice(config-router)# end

When used on switch B (the PE router), these commands configure only the connections to the CE device,
Switch A.

Router# configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Router(config)# ip vrf v1
Router(config-vrf)# rd 100:1
Router(config-vrf)# route-target export 100:1
Router(config-vrf)# route-target import 100:1
Router(config-vrf)# exit

Router(config)# ip vrf v2
Router(config-vrf)# rd 100:2
Router(config-vrf)# route-target export 100:2
Router(config-vrf)# route-target import 100:2
Router(config-vrf)# exit
Router(config)# ip cef
Router(config)# interface Loopback1
Router(config-if)# ip vrf forwarding v1
Router(config-if)# ip address 3.3.1.3 255.255.255.0
Router(config-if)# exit

Router(config)# interface Loopback2
Router(config-if)# ip vrf forwarding v2
Router(config-if)# ip address 3.3.2.3 255.255.255.0
Router(config-if)# exit

Router(config)# interface gigabitethernet1/1/0.10
Router(config-if)# encapsulation dot1q 10
Router(config-if)# ip vrf forwarding v1
Router(config-if)# ip address 38.0.0.3 255.255.255.0

Router(config-if)# exit

Router(config)# interface gigabitethernet1/1/0.20
Router(config-if)# encapsulation dot1q 20
Router(config-if)# ip vrf forwarding v2
Router(config-if)# ip address 83.0.0.3 255.255.255.0
Router(config-if)# exit

Router(config)# router bgp 100
Router(config-router)# address-family ipv4 vrf v2
Router(config-router-af)# neighbor 83.0.0.8 remote-as 800
Router(config-router-af)# neighbor 83.0.0.8 activate
Router(config-router-af)# network 3.3.2.0 mask 255.255.255.0
Router(config-router-af)# exit
Router(config-router)# address-family ipv4 vrf v1
Router(config-router-af)# neighbor 38.0.0.8 remote-as 800
Router(config-router-af)# neighbor 38.0.0.8 activate
Router(config-router-af)# network 3.3.1.0 mask 255.255.255.0
Router(config-router-af)# end
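A configuration of this size is easy to break with a single mistyped VRF name: an OSPF process or BGP address family that names a VRF never created with ip vrf silently ends up outside the VRF it was meant to serve, and a reused route distinguisher merges two customers' routes at the PE. The following script is an added example, not part of the Cisco guide or the IOS software: it parses an IOS-style configuration (a constructed sample modelled on Switch A above, with one deliberate typo) and reports undefined VRF references and missing or duplicate RDs.

```python
"""Audit a Multi-VRF CE configuration for VRF naming consistency.

Added example, not from the Cisco guide: parses an IOS-style configuration
and reports VRF references ('ip vrf forwarding', 'router ospf ... vrf',
'address-family ipv4 vrf') that name a VRF never defined with 'ip vrf',
plus missing or duplicate route distinguishers. The sample configuration
is constructed after the guide's Switch A example.
"""
import re
from typing import Dict, List

# Constructed sample modelled on Switch A, with one deliberate typo
# ('vl1' for 'v11'): a letter-for-digit slip that detaches the OSPF
# process from the VRF it was meant to serve.
SAMPLE_CONFIG = """\
ip routing
ip vrf v11
 rd 800:1
 route-target export 800:1
 route-target import 800:1
ip vrf v12
 rd 800:2
 route-target export 800:2
 route-target import 800:2
interface Loopback1
 ip vrf forwarding v11
 ip address 8.8.1.8 255.255.255.0
interface Vlan118
 ip vrf forwarding v12
 ip address 118.0.0.8 255.255.255.0
router ospf 1 vrf vl1
 redistribute bgp 800 subnets
 network 208.0.0.0 0.0.0.255 area 0
router bgp 800
 address-family ipv4 vrf v12
  redistribute ospf 2 match internal
  neighbor 83.0.0.3 remote-as 100
"""

VRF_DEF = re.compile(r"^ip vrf (\S+)\s*$")
RD_LINE = re.compile(r"^\s+rd (\S+)\s*$")
VRF_REF = re.compile(
    r"^\s*(?:ip vrf forwarding|router ospf \d+ vrf|address-family ipv4 vrf) (\S+)\s*$"
)


def parse_vrfs(config: str) -> Dict[str, str]:
    """Return {vrf_name: rd} for each 'ip vrf' block ('' when no rd is set)."""
    vrfs: Dict[str, str] = {}
    current = None
    for line in config.splitlines():
        m = VRF_DEF.match(line)
        if m:
            current = m.group(1)
            vrfs[current] = ""
        elif current is not None and not line.startswith(" "):
            current = None                      # left the 'ip vrf' block
        elif current is not None:
            m = RD_LINE.match(line)
            if m:
                vrfs[current] = m.group(1)
    return vrfs


def audit_vrf_config(config: str) -> List[str]:
    """Return findings as strings; an empty list means the config is consistent."""
    vrfs = parse_vrfs(config)
    findings: List[str] = []
    # 1. Every VRF reference must name a VRF that was actually defined.
    for lineno, line in enumerate(config.splitlines(), 1):
        m = VRF_REF.match(line)
        if m and m.group(1) not in vrfs:
            findings.append(
                f"line {lineno}: reference to undefined VRF '{m.group(1)}' "
                f"(defined: {', '.join(sorted(vrfs)) or 'none'})"
            )
    # 2. Route distinguishers must be present and unique per VRF.
    rd_owner: Dict[str, str] = {}
    for name, rd in vrfs.items():
        if not rd:
            findings.append(f"VRF '{name}' has no route distinguisher")
        elif rd in rd_owner:
            findings.append(f"VRF '{name}' reuses rd {rd} already used by '{rd_owner[rd]}'")
        else:
            rd_owner[rd] = name
    return findings


if __name__ == "__main__":
    for finding in audit_vrf_config(SAMPLE_CONFIG) or ["no findings"]:
        print(finding)
```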

Monitoring Multi-VRF CE
Table 98: Commands for Displaying Multi-VRF CE Information

show ip protocols vrf vrf-name: Displays routing protocol information associated with a VRF.

show ip route vrf vrf-name [connected] [protocol [as-number]] [list] [mobile] [odr] [profile] [static] [summary] [supernets-only]: Displays IP routing table information associated with a VRF.

show ip vrf [brief | detail | interfaces] [vrf-name]: Displays information about the defined VRF instances.

For more information about the information in the displays, see the Cisco IOS Switching Services Command
Reference, Release 12.4.

Configuring Unicast Reverse Path Forwarding


The unicast reverse path forwarding (unicast RPF) feature helps to mitigate problems that are caused by the
introduction of malformed or forged (spoofed) IP source addresses into a network by discarding IP packets
that lack a verifiable IP source address. For example, a number of common types of denial-of-service (DoS)
attacks, including Smurf and Tribal Flood Network (TFN), can take advantage of forged or rapidly changing
source IP addresses to allow attackers to thwart efforts to locate or filter the attacks. For Internet service
providers (ISPs) that provide public access, Unicast RPF deflects such attacks by forwarding only packets
that have source addresses that are valid and consistent with the IP routing table. This action protects the
network of the ISP, its customer, and the rest of the Internet.

Note • Unicast RPF is supported in .

For detailed IP unicast RPF configuration information, see the Other Security Features chapter in the Cisco
IOS Security Configuration Guide.

Protocol-Independent Features
This section describes IP routing protocol-independent features that are available on switches running the
feature set . For a complete description of the IP routing protocol-independent commands in this chapter, see
the “IP Routing Protocol-Independent Commands” chapter of the Cisco IOS IP Command Reference, Volume
2 of 3: Routing Protocols.

Distributed Cisco Express Forwarding


Information About Cisco Express Forwarding
Cisco Express Forwarding (CEF) is a Layer 3 IP switching technology used to optimize network performance.
CEF implements an advanced IP look-up and forwarding algorithm to deliver maximum Layer 3 switching
performance. CEF is less CPU-intensive than fast switching route caching, allowing more CPU processing
power to be dedicated to packet forwarding. In a switch stack, the hardware uses distributed CEF (dCEF) in
the stack. In dynamic networks, fast switching cache entries are frequently invalidated because of routing
changes, which can cause traffic to be process switched using the routing table, instead of fast switched using
the route cache. CEF and dCEF use the Forwarding Information Base (FIB) lookup table to perform
destination-based switching of IP packets.
The two main components in CEF and dCEF are the distributed FIB and the distributed adjacency tables.
• The FIB is similar to a routing table or information base and maintains a mirror image of the forwarding
information in the IP routing table. When routing or topology changes occur in the network, the IP routing
table is updated, and those changes are reflected in the FIB. The FIB maintains next-hop address
information based on the information in the IP routing table. Because the FIB contains all known routes
that exist in the routing table, CEF eliminates route cache maintenance, is more efficient for switching
traffic, and is not affected by traffic patterns.
• Nodes in the network are said to be adjacent if they can reach each other with a single hop across a link
layer. CEF uses adjacency tables to prepend Layer 2 addressing information. The adjacency table maintains
Layer 2 next-hop addresses for all FIB entries.

Because the switch or switch stack uses Application Specific Integrated Circuits (ASICs) to achieve
Gigabit-speed line rate IP traffic, CEF or dCEF forwarding applies only to the software-forwarding path, that
is, traffic that is forwarded by the CPU.
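The two structures described above, the FIB and the adjacency table, are also what a unicast RPF check (see Configuring Unicast Reverse Path Forwarding above) consults: the source address is looked up in the same FIB, and the packet is dropped when the best route back to the source does not match the interface it arrived on. The following model is an added example, not code from the Cisco guide or from IOS; the prefixes, next hops, MAC addresses and interface names are constructed, and the strict/loose distinction goes one step beyond the guide's text.

```python
"""FIB lookup, adjacency resolution and a unicast RPF source check.

Added example, not from the Cisco guide: a small model of the two CEF
structures the guide describes (a FIB that mirrors the routing table's
next-hop information, and an adjacency table holding the Layer 2 next-hop
address for each FIB entry), with the unicast RPF source-address test
built on the same FIB lookup. Prefixes, MAC addresses and interface
names below are constructed sample data.
"""
import ipaddress
from typing import Dict, List, NamedTuple, Optional

IPv4Net = ipaddress.IPv4Network


class FibEntry(NamedTuple):
    prefix: ipaddress.IPv4Network
    next_hop: Optional[str]   # None marks a directly connected prefix
    interface: str            # egress interface taken from the routing table


class Adjacency(NamedTuple):
    interface: str
    dst_mac: str              # Layer 2 address prepended when forwarding


class Cef:
    """Destination-based switching with longest-prefix match, as in CEF."""

    def __init__(self, fib: List[FibEntry], adjacencies: Dict[str, Adjacency]):
        # Longest prefix first so the first hit in lookup() is the best route.
        self.fib = sorted(fib, key=lambda e: e.prefix.prefixlen, reverse=True)
        self.adjacencies = adjacencies     # keyed by next-hop (or host) address

    def lookup(self, address: str) -> Optional[FibEntry]:
        addr = ipaddress.IPv4Address(address)
        for entry in self.fib:
            if addr in entry.prefix:
                return entry
        return None

    def forward(self, dst: str) -> Optional[Adjacency]:
        """Resolve a destination to its egress interface plus L2 rewrite."""
        entry = self.lookup(dst)
        if entry is None:
            return None
        # Connected prefix: the adjacency is the destination host itself.
        key = entry.next_hop if entry.next_hop is not None else dst
        return self.adjacencies.get(key)

    def _reverse_path(self, src: str) -> Optional[FibEntry]:
        """Best route back to the source, ignoring the default route (which
        would vouch for any address; IOS also ignores it by default)."""
        entry = self.lookup(src)
        if entry is None or entry.prefix.prefixlen == 0:
            return None
        return entry

    def urpf_strict_accepts(self, src: str, ingress: str) -> bool:
        """Strict unicast RPF: the route back to the source must point out
        the interface the packet arrived on."""
        entry = self._reverse_path(src)
        return entry is not None and entry.interface == ingress

    def urpf_loose_accepts(self, src: str) -> bool:
        """Loose unicast RPF: any non-default route to the source suffices
        (for asymmetric paths; an extension beyond the guide's text)."""
        return self._reverse_path(src) is not None


def build_sample_cef() -> Cef:
    """Constructed sample: one uplink with a default route, one customer VLAN."""
    fib = [
        FibEntry(IPv4Net("0.0.0.0/0"), "203.0.113.1", "Gi1/0/1"),
        FibEntry(IPv4Net("192.0.2.0/24"), None, "Vlan10"),
        FibEntry(IPv4Net("198.51.100.0/24"), "192.0.2.2", "Vlan10"),
    ]
    adjacencies = {
        "203.0.113.1": Adjacency("Gi1/0/1", "00:00:5e:00:53:01"),
        "192.0.2.2": Adjacency("Vlan10", "00:00:5e:00:53:02"),
        "192.0.2.9": Adjacency("Vlan10", "00:00:5e:00:53:09"),
    }
    return Cef(fib, adjacencies)


if __name__ == "__main__":
    cef = build_sample_cef()
    print(cef.forward("198.51.100.7"))                         # via 192.0.2.2 on Vlan10
    print(cef.urpf_strict_accepts("198.51.100.7", "Vlan10"))   # True: expected ingress
    print(cef.urpf_strict_accepts("198.51.100.7", "Gi1/0/1"))  # False: source not behind uplink
```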

How to Configure Cisco Express Forwarding


CEF or distributed CEF is enabled globally by default. If for some reason it is disabled, you can re-enable it
by using the ip cef or ip cef distributed global configuration command.
The default configuration is CEF or dCEF enabled on all Layer 3 interfaces. Entering the no ip route-cache
cef interface configuration command disables CEF for traffic that is being forwarded by software. This
command does not affect the hardware forwarding path. Disabling CEF and using the debug ip packet detail
privileged EXEC command can be useful to debug software-forwarded traffic. To enable CEF on an interface
for the software-forwarding path, use the ip route-cache cef interface configuration command.

Caution Although the no ip route-cache cef interface configuration command to disable CEF on an interface is visible
in the CLI, we strongly recommend that you do not disable CEF or dCEF on interfaces except for debugging
purposes.

To enable CEF or dCEF globally and on an interface for software-forwarded traffic if it has been disabled:

SUMMARY STEPS
1. configure terminal
2. ip cef
3. ip cef distributed
4. interface interface-id
5. ip route-cache cef
6. end
7. show ip cef
8. show cef linecard [detail]
9. show cef linecard [slot-number] [detail]
10. show cef interface [interface-id]
11. show adjacency
12. copy running-config startup-config

DETAILED STEPS

Command or Action Purpose


Step 1 configure terminal
Enters the global configuration mode.
Example:
SwitchDevice# configure terminal

Step 2 ip cef
Enables CEF operation on a non-stacking switch. Go to Step 4.
Example:
SwitchDevice(config)# ip cef

Step 3 ip cef distributed
Enables CEF operation on an active switch.
Example:
SwitchDevice(config)# ip cef distributed

Step 4 interface interface-id
Enters interface configuration mode, and specifies the Layer 3 interface to configure.
Example:
SwitchDevice(config)# interface gigabitethernet 1/0/1

Step 5 ip route-cache cef
Enables CEF on the interface for software-forwarded traffic.
Example:
SwitchDevice(config-if)# ip route-cache cef

Step 6 end
Returns to privileged EXEC mode.
Example:
SwitchDevice(config-if)# end

Step 7 show ip cef
Displays the CEF status on all interfaces.
Example:
SwitchDevice# show ip cef

Step 8 show cef linecard [detail]
(Optional) Displays CEF-related interface information on a non-stacking switch.
Example:
SwitchDevice# show cef linecard detail

Step 9 show cef linecard [slot-number] [detail]
(Optional) Displays CEF-related interface information on a switch by stack member for all switches in the stack or for the specified switch. For slot-number, enter the stack member switch number.
Example:
SwitchDevice# show cef linecard 5 detail

Step 10 show cef interface [interface-id]
Displays detailed CEF information for all interfaces or the specified interface.
Example:
SwitchDevice# show cef interface gigabitethernet 1/0/1

Step 11 show adjacency
Displays CEF adjacency table information.
Example:
SwitchDevice# show adjacency

Step 12 copy running-config startup-config
(Optional) Saves your entries in the configuration file.
Example:
SwitchDevice# copy running-config startup-config

Number of Equal-Cost Routing Paths


Information About Equal-Cost Routing Paths
When a router has two or more routes to the same network with the same metrics, these routes can be thought
of as having an equal cost. The term parallel path is another way to see occurrences of equal-cost routes in a
routing table. If a router has two or more equal-cost paths to a network, it can use them concurrently. Parallel
paths provide redundancy in case of a circuit failure and also enable a router to load balance packets over the
available paths for more efficient use of available bandwidth. Equal-cost routes are supported across switches
in a stack.
Even though the router automatically learns about and configures equal-cost routes, you can control the
maximum number of parallel paths supported by an IP routing protocol in its routing table. Although the
switch software allows a maximum of 32 equal-cost routes, the switch hardware will never use more than 16
paths per route.

How to Configure Equal-Cost Routing Paths

Procedure

Command or Action Purpose


Step 1 configure terminal
Enters global configuration mode.
Example:
SwitchDevice# configure terminal

Step 2 router {rip | ospf | eigrp}
Enters router configuration mode.
Example:
SwitchDevice(config)# router eigrp

Step 3 maximum-paths maximum
Sets the maximum number of parallel paths for the protocol routing table. The range is from 1 to 16; the default is 4 for most IP routing protocols, but only 1 for BGP.
Example:
SwitchDevice(config-router)# maximum-paths 2

Step 4 end
Returns to privileged EXEC mode.
Example:
SwitchDevice(config-router)# end

Step 5 show ip protocols
Verifies the setting in the Maximum path field.
Example:
SwitchDevice# show ip protocols

Step 6 copy running-config startup-config
(Optional) Saves your entries in the configuration file.
Example:

SwitchDevice# copy running-config startup-config

Static Unicast Routes


Information About Static Unicast Routes
Static unicast routes are user-defined routes that cause packets moving between a source and a destination to
take a specified path. Static routes can be important if the router cannot build a route to a particular destination
and are useful for specifying a gateway of last resort to which all unroutable packets are sent.
The switch retains static routes until you remove them. However, you can override static routes with dynamic
routing information by assigning administrative distance values. Each dynamic routing protocol has a default
administrative distance, as listed in Table 41-16. If you want a static route to be overridden by information
from a dynamic routing protocol, set the administrative distance of the static route higher than that of the
dynamic protocol.

Table 99: Dynamic Routing Protocol Default Administrative Distances

Route Source: Default Distance
Connected interface: 0
Static route: 1
Enhanced IGRP summary route: 5
Internal Enhanced IGRP: 90
IGRP: 100
OSPF: 110
Unknown: 225

Static routes that point to an interface are advertised through RIP, IGRP, and other dynamic routing protocols,
whether or not static redistribute router configuration commands were specified for those routing protocols.
These static routes are advertised because static routes that point to an interface are considered in the routing
table to be connected and hence lose their static nature. However, if you define a static route to an interface
that is not one of the networks defined in a network command, no dynamic routing protocols advertise the
route unless a redistribute static command is specified for these protocols.
When an interface goes down, all static routes through that interface are removed from the IP routing table.
When the software can no longer find a valid next hop for the address specified as the forwarding router's
address in a static route, the static route is also removed from the IP routing table.

Configuring Static Unicast Routes


Static unicast routes are user-defined routes that cause packets moving between a source and a destination to
take a specified path. Static routes can be important if the router cannot build a route to a particular destination
and are useful for specifying a gateway of last resort to which all unroutable packets are sent.

Follow these steps to configure a static route:

Procedure

Command or Action Purpose


Step 1 enable
Enables privileged EXEC mode. Enter your password if prompted.
Example:
SwitchDevice> enable

Step 2 configure terminal
Enters the global configuration mode.
Example:
SwitchDevice# configure terminal

Step 3 ip route prefix mask {address | interface} [distance]
Establishes a static route.
Example:
SwitchDevice(config)# ip route prefix mask gigabitethernet 1/0/4

Step 4 end
Returns to privileged EXEC mode.
Example:
SwitchDevice(config)# end

Step 5 show ip route
Displays the current state of the routing table to verify the configuration.
Example:
SwitchDevice# show ip route

Step 6 copy running-config startup-config
(Optional) Saves your entries in the configuration file.
Example:
SwitchDevice# copy running-config startup-config

What to do next
Use the no ip route prefix mask {address | interface} global configuration command to remove a static route.
The switch retains static routes until you remove them.

Default Routes and Networks


Information About Default Routes and Networks
A router might not be able to learn the routes to all other networks. To provide complete routing capability,
you can use some routers as smart routers and give the remaining routers default routes to the smart router.
(Smart routers have routing table information for the entire internetwork.) These default routes can be
dynamically learned or can be configured in the individual routers. Most dynamic interior routing protocols
include a mechanism for causing a smart router to generate dynamic default information that is then forwarded
to other routers.
If a router has a directly connected interface to the specified default network, the dynamic routing protocols
running on that device generate a default route. In RIP, it advertises the pseudonetwork 0.0.0.0.
A router that is generating the default for a network also might need a default of its own. One way a router
can generate its own default is to specify a static route to the network 0.0.0.0 through the appropriate device.
When default information is passed through a dynamic routing protocol, no further configuration is required.
The system periodically scans its routing table to choose the optimal default network as its default route. In
IGRP networks, there might be several candidate networks for the system default. Cisco routers use
administrative distance and metric information to set the default route or the gateway of last resort.
If dynamic default information is not being passed to the system, candidates for the default route are specified
with the ip default-network global configuration command. If this network appears in the routing table from
any source, it is flagged as a possible choice for the default route. If the router has no interface on the default
network, but does have a path to it, the network is considered as a possible candidate, and the gateway to the
best default path becomes the gateway of last resort.

How to Configure Default Routes and Networks

Procedure

Command or Action Purpose


Step 1 configure terminal
Enters global configuration mode.
Example:
SwitchDevice# configure terminal

Step 2 ip default-network network-number
Specifies a default network.
Example:
SwitchDevice(config)# ip default-network 1

Step 3 end
Returns to privileged EXEC mode.
Example:
SwitchDevice(config)# end

Step 4 show ip route
Displays the selected default route in the gateway of last resort display.
Example:

SwitchDevice# show ip route

Step 5 copy running-config startup-config
(Optional) Saves your entries in the configuration file.
Example:
SwitchDevice# copy running-config startup-config

Route Maps to Redistribute Routing Information


Information About Route Maps
The switch can run multiple routing protocols simultaneously, and it can redistribute information from one
routing protocol to another. Redistributing information from one routing protocol to another applies to all
supported IP-based routing protocols.
You can also conditionally control the redistribution of routes between routing domains by defining enhanced
packet filters or route maps between the two domains. The match and set route-map configuration commands
define the condition portion of a route map. The match command specifies that a criterion must be matched.
The set command specifies an action to be taken if the routing update meets the conditions defined by the
match command. Although redistribution is a protocol-independent feature, some of the match and set
route-map configuration commands are specific to a particular protocol.
One or more match commands and one or more set commands follow a route-map command. If there are
no match commands, everything matches. If there are no set commands, nothing is done, other than the match.
Therefore, you need at least one match or set command.

Note A route map with no set route-map configuration commands is sent to the CPU, which causes high CPU
utilization.

You can also identify route-map statements as permit or deny. If the statement is marked as a deny, the
packets meeting the match criteria are sent back through the normal forwarding channels (destination-based
routing). If the statement is marked as permit, set clauses are applied to packets meeting the match criteria.
Packets that do not meet the match criteria are forwarded through the normal routing channel.
Related Topics
Information About Policy-Based Routing, on page 907
Other OSPF Parameters, on page 811

How to Configure a Route Map


Although each of Steps 3 through 14 in the following section is optional, you must enter at least one match
route-map configuration command and one set route-map configuration command.

Note The keywords are the same as defined in the procedure to control the route distribution.

Procedure

Command or Action Purpose


Step 1 configure terminal
Enters global configuration mode.
Example:
SwitchDevice# configure terminal

Step 2 route-map map-tag [permit | deny] [sequence number]
Defines any route maps used to control redistribution and enters route-map configuration mode.
map-tag—A meaningful name for the route map. The redistribute router configuration command uses this name to reference this route map. Multiple route maps might share the same map tag name.
(Optional) If permit is specified and the match criteria are met for this route map, the route is redistributed as controlled by the set actions. If deny is specified, the route is not redistributed.
sequence number (Optional)—Number that indicates the position a new route map is to have in the list of route maps already configured with the same name.
Example:
SwitchDevice(config)# route-map rip-to-ospf permit 4

Step 3 match as-path path-list-number
Matches a BGP AS path access list.
Example:
SwitchDevice(config-route-map)# match as-path 10

Step 4 match community-list community-list-number [exact]
Matches a BGP community list.
Example:
SwitchDevice(config-route-map)# match community-list 150

Step 5 match ip address {access-list-number | access-list-name} [...access-list-number | ...access-list-name]
Matches a standard access list by specifying the name or number. It can be an integer from 1 to 199.
Example:
SwitchDevice(config-route-map)# match ip address 5 80

Step 6 match metric metric-value
Matches the specified route metric. The metric-value can be an EIGRP metric with a specified value from 0 to 4294967295.
Example:
SwitchDevice(config-route-map)# match metric 2000

Step 7 match ip next-hop {access-list-number | access-list-name} [...access-list-number | ...access-list-name]
Matches a next-hop router address passed by one of the access lists specified (numbered from 1 to 199).
Example:

SwitchDevice(config-route-map)# match ip next-hop 8 45

Step 8 match tag tag-value [...tag-value]
Matches the specified tag value in a list of one or more route tag values. Each can be an integer from 0 to 4294967295.
Example:
SwitchDevice(config-route-map)# match tag 3500

Step 9 match interface type number [...type number]
Matches the specified next hop route out one of the specified interfaces.
Example:
SwitchDevice(config-route-map)# match interface gigabitethernet 1/0/1

Step 10 match ip route-source {access-list-number | access-list-name} [...access-list-number | ...access-list-name]
Matches the address specified by the specified advertised access lists.
Example:
SwitchDevice(config-route-map)# match ip route-source 10 30

Step 11 match route-type {local | internal | external [type-1 | type-2]}
Matches the specified route-type:
• local—Locally generated BGP routes.
• internal—OSPF intra-area and interarea routes or EIGRP internal routes.
• external—OSPF external routes (Type 1 or Type 2) or EIGRP external routes.
Example:
SwitchDevice(config-route-map)# match route-type local

Step 12 set dampening halflife reuse suppress max-suppress-time
Sets BGP route dampening factors.
Example:
SwitchDevice(config-route-map)# set dampening 30 1500 10000 120

Step 13 set local-preference value
Assigns a value to a local BGP path.
Example:
SwitchDevice(config-route-map)# set local-preference 100

Step 14 set origin {igp | egp as | incomplete}
Sets the BGP origin code.
Example:
SwitchDevice(config-route-map)# set origin igp

Step 15 set as-path {tag | prepend as-path-string}
Modifies the BGP autonomous system path.
Example:
SwitchDevice(config-route-map)# set as-path tag

Step 16 set level {level-1 | level-2 | level-1-2 | stub-area | backbone}
Sets the level for routes that are advertised into the specified area of the routing domain. The stub-area and backbone are OSPF NSSA and backbone areas.
Example:
SwitchDevice(config-route-map)# set level level-1-2

Step 17 set metric metric-value
Sets the metric value to give the redistributed routes (for EIGRP only). The metric value is an integer from -294967295 to 294967295.
Example:
SwitchDevice(config-route-map)# set metric 100

Step 18 set metric bandwidth delay reliability loading mtu
Sets the metric value to give the redistributed routes (for EIGRP only):
• bandwidth—Metric value or IGRP bandwidth of the route in kilobits per second in the range 0 to 4294967295.
• delay—Route delay in tens of microseconds in the range 0 to 4294967295.
• reliability—Likelihood of successful packet transmission expressed as a number between 0 and 255, where 255 means 100 percent reliability and 0 means no reliability.
• loading—Effective bandwidth of the route expressed as a number from 0 to 255 (255 is 100 percent loading).
• mtu—Minimum maximum transmission unit (MTU) size of the route in bytes in the range 0 to 4294967295.
Example:
SwitchDevice(config-route-map)# set metric 10000 10 255 1 1500

Step 19 set metric-type {type-1 | type-2}
Sets the OSPF external metric type for redistributed routes.
Example:
SwitchDevice(config-route-map)# set metric-type type-2

Step 20 set metric-type internal
Sets the multi-exit discriminator (MED) value on prefixes advertised to an external BGP neighbor to match the IGP metric of the next hop.
Example:
SwitchDevice(config-route-map)# set metric-type internal

Step 21 set weight number
Sets the BGP weight for the routing table. The value can be from 1 to 65535.
Example:
SwitchDevice(config-route-map)# set weight 100

Step 22 end
Returns to privileged EXEC mode.
Example:
SwitchDevice(config-route-map)# end

Step 23 show route-map
Displays all route maps configured or only the one specified to verify configuration.
Example:
SwitchDevice# show route-map

Step 24 copy running-config startup-config
(Optional) Saves your entries in the configuration file.
Example:
SwitchDevice# copy running-config startup-config

How to Control Route Distribution


Although each of Steps 3 through 14 in the following section is optional, you must enter at least one match
route-map configuration command and one set route-map configuration command.

Note The keywords are the same as defined in the procedure to configure the route map for redistribution.

The metrics of one routing protocol do not necessarily translate into the metrics of another. For example, the
RIP metric is a hop count, and the IGRP metric is a combination of five qualities. In these situations, an
artificial metric is assigned to the redistributed route. Uncontrolled exchanging of routing information between
different routing protocols can create routing loops and seriously degrade network operation.
If you have not defined a default redistribution metric that replaces metric conversion, some automatic metric
translations occur between routing protocols:
• RIP can automatically redistribute static routes. It assigns static routes a metric of 1 (directly connected).
• Any protocol can redistribute other routing protocols if a default mode is in effect.

Procedure

Step 1 configure terminal
Enters global configuration mode.
Example:
SwitchDevice# configure terminal

Step 2 router {rip | ospf | eigrp}
Enters router configuration mode.
Example:
SwitchDevice(config)# router eigrp 10

Step 3 redistribute protocol [process-id] {level-1 | level-1-2 | level-2} [metric metric-value] [metric-type type-value] [match internal | external type-value] [tag tag-value] [route-map map-tag] [weight weight] [subnets]
Redistributes routes from one routing protocol to another routing protocol. If no route maps are specified, all routes are redistributed. If the keyword route-map is specified with no map-tag, no routes are distributed.
Example:
SwitchDevice(config-router)# redistribute eigrp 1

Step 4 default-metric number
Causes the current routing protocol to use the same metric value for all redistributed routes (RIP and OSPF).
Example:
SwitchDevice(config-router)# default-metric 1024

Step 5 default-metric bandwidth delay reliability loading mtu
Causes the EIGRP routing protocol to use the same metric value for all non-EIGRP redistributed routes.
Example:
SwitchDevice(config-router)# default-metric 1000 100 250 100 1500

Step 6 end
Returns to privileged EXEC mode.
Example:
SwitchDevice(config-router)# end

Step 7 show route-map
Displays all route maps configured or only the one specified to verify configuration.
Example:
SwitchDevice# show route-map

Step 8 copy running-config startup-config
(Optional) Saves your entries in the configuration file.
Example:
SwitchDevice# copy running-config startup-config
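As an added example that is not part of this guide, the following running-config fragment combines Steps 3 through 5 with route-map commands from the previous procedure for mutual EIGRP/OSPF redistribution, showing one way to avoid the routing loops the text above warns about. The process numbers, ACL number, tag value, route-map names and prefixes are assumptions, and match tag is a standard IOS route-map command that this procedure does not list.

```ios
! Added example (not from this guide): mutual EIGRP/OSPF redistribution on a
! Layer 3 switch. Routes entering OSPF from EIGRP are tagged, and the tag is
! used to keep them from being redistributed back into EIGRP. In the other
! direction only EIGRP-internal routes are accepted, which excludes routes
! that EIGRP itself learned from OSPF. Process numbers, ACL number, tag,
! map names and prefixes are made up.
!
! Only the 10.10.0.0/16 range is allowed from EIGRP into OSPF.
access-list 10 permit 10.10.0.0 0.0.255.255
!
route-map EIGRP-TO-OSPF permit 10
 match ip address 10
 match route-type internal
 set metric-type type-1
!
! Anything carrying tag 100 originated in EIGRP; do not send it back.
route-map OSPF-TO-EIGRP deny 10
 match tag 100
route-map OSPF-TO-EIGRP permit 20
!
router ospf 1
 redistribute eigrp 10 subnets route-map EIGRP-TO-OSPF tag 100
 default-metric 20
!
router eigrp 10
 redistribute ospf 1 route-map OSPF-TO-EIGRP
 default-metric 10000 100 255 1 1500
```

Verify the result with show route-map (Step 7) and show ip route on both switches before saving.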


Related Topics
Information About Policy-Based Routing, on page 907
Other OSPF Parameters, on page 811

Policy-Based Routing
Information About Policy-Based Routing
You can use policy-based routing (PBR) to configure a defined policy for traffic flows. By using PBR, you
can have more control over routing by reducing the reliance on routes derived from routing protocols. PBR
can specify and implement routing policies that allow or deny paths based on:
• Identity of a particular end system
• Application
• Protocol

You can use PBR to provide equal-access and source-sensitive routing, routing based on interactive versus
batch traffic, or routing based on dedicated links. For example, you could transfer stock records to a corporate
office on a high-bandwidth, high-cost link for a short time while transmitting routine application data such
as e-mail over a low-bandwidth, low-cost link.
With PBR, you classify traffic using access control lists (ACLs) and then make traffic go through a different
path. PBR is applied to incoming packets. All packets received on an interface with PBR enabled are passed
through route maps. Based on the criteria defined in the route maps, packets are forwarded (routed) to the
appropriate next hop.
• Route-map statements marked as permit are processed as follows:
  • A match command can match on length or on multiple ACLs. A route-map statement can contain multiple match commands. A logical OR is performed across all the match commands to reach a permit or deny decision.
    For example:
    match length A B
    match ip address acl1 acl2
    match ip address acl3
    A packet is permitted if it is permitted by match length A B or by acl1, acl2, or acl3.
  • If the decision reached is permit, then the action specified by the set command is applied to the packet.
  • If the decision reached is deny, then the PBR action (specified in the set command) is not applied. Instead, the processing logic moves forward to the next route-map statement in the sequence (the statement with the next higher sequence number). If no next statement exists, PBR processing terminates, and the packet is routed using the default IP routing table.
• For PBR, route-map statements marked as deny are not supported.
You can use standard IP ACLs to specify match criteria for a source address or extended IP ACLs to specify
match criteria based on an application, a protocol type, or an end station. The process proceeds through the

route map until a match is found. If no match is found, normal destination-based routing occurs. There is an
implicit deny at the end of the list of match statements.
If match clauses are satisfied, you can use a set clause to specify the IP addresses identifying the next hop
router in the path.
For details about PBR commands and keywords, see Cisco IOS IP Command Reference, Volume 2 of 3:
Routing Protocols.
Related Topics
Information About Route Maps, on page 901
How to Configure a Route Map
How to Control Route Distribution, on page 905

How to Configure PBR


• To use PBR, you must have the feature set enabled on the switch or stack master.
• Multicast traffic is not policy-routed. PBR applies only to unicast traffic.
• You can enable PBR on a routed port or an SVI.
• The switch supports PBR based on match length.
• You can apply a policy route map to an EtherChannel port channel in Layer 3 mode, but you cannot apply a policy route map to a physical interface that is a member of the EtherChannel. If you try to do so, the command is rejected. When a policy route map is applied to a physical interface, that interface cannot become a member of an EtherChannel.
• You can define a maximum of 128 IP policy route maps on the switch or switch stack.
• You can define a maximum of 512 access control entries (ACEs) for PBR on the switch or switch stack.
• When configuring match criteria in a route map, follow these guidelines:
  • Do not match ACLs that permit packets destined for a local address. PBR would forward these packets, which could cause ping or Telnet failure or routing protocol flapping.
• VRF and PBR are mutually exclusive on a switch interface. You cannot enable VRF when PBR is enabled on an interface. The reverse is also true: you cannot enable PBR when VRF is enabled on an interface.
• The number of hardware entries used by PBR depends on the route map itself, the ACLs used, and the order of the ACLs and route-map entries.
• PBR based on TOS, DSCP, and IP Precedence is not supported.
• Set interface, set default next-hop, and set default interface are not supported.
• Policy maps with no set actions are supported. Matching packets are routed normally.
• Policy maps with no match clauses are supported. Set actions are applied to all packets.

By default, PBR is disabled on the switch. To enable PBR, you must create a route map that specifies the
match criteria and the resulting action. Then, you must enable PBR for that route map on an interface. All
packets arriving on the specified interface matching the match clauses are subject to PBR.

Packets that are generated by the switch, or local packets, are not normally policy-routed. When you globally
enable local PBR on the switch, all packets that originate on the switch are subject to local PBR. Local PBR
is disabled by default.

Procedure

Step 1 configure terminal
Enters global configuration mode.
Example:
SwitchDevice# configure terminal

Step 2 route-map map-tag [permit] [sequence number]
Defines route maps that are used to control where packets are output, and enters route-map configuration mode.
• map-tag—A meaningful name for the route map. The ip policy route-map interface configuration command uses this name to reference the route map. Multiple route-map statements with the same map tag define a single route map.
• (Optional) permit—If permit is specified and the match criteria are met for this route map, the route is policy routed as defined by the set actions.
• (Optional) sequence number—The sequence number shows the position of the route-map statement in the given route map.
Example:
SwitchDevice(config)# route-map pbr-map permit

Step 3 match ip address {access-list-number | access-list-name} [access-list-number |...access-list-name]
Matches the source and destination IP addresses that are permitted by one or more standard or extended access lists. ACLs can match on more than one source and destination IP address.
If you do not specify a match command, the route map is applicable to all packets.
Example:
SwitchDevice(config-route-map)# match ip address 110 140

Step 4 match length min max
Matches the length of the packet.
Example:
SwitchDevice(config-route-map)# match length 64 1500

Step 5 set ip next-hop ip-address [...ip-address]
Specifies the action to be taken on the packets that match the criteria. Sets the next hop to which to route the packet (the next hop must be adjacent).
Example:
SwitchDevice(config-route-map)# set ip next-hop 10.1.6.2

Step 6 set ip next-hop verify-availability [next-hop-address sequence track object]
Configures the route map to verify the reachability of the tracked object. See Configuring IP SLAs Object Tracking for configuring a track object.
Example:
SwitchDevice(config-route-map)# set ip next-hop verify-availability 95.1.1.2 1 track 100

Note This command is not supported on IPv6 and VRF.

Step 7 exit
Returns to global configuration mode.
Example:
SwitchDevice(config-route-map)# exit

Step 8 interface interface-id
Enters interface configuration mode, and specifies the interface to be configured.
Example:
SwitchDevice(config)# interface gigabitethernet 1/0/1

Step 9 ip policy route-map map-tag
Enables PBR on a Layer 3 interface, and identifies the route map to use. You can configure only one route map on an interface. However, you can have multiple route-map entries with different sequence numbers. These entries are evaluated in the order of sequence number until the first match. If there is no match, packets are routed as usual.
Example:
SwitchDevice(config-if)# ip policy route-map pbr-map

Step 10 ip route-cache policy
(Optional) Enables fast-switching PBR. You must enable PBR before enabling fast-switching PBR.
Example:
SwitchDevice(config-if)# ip route-cache policy

Step 11 exit
Returns to global configuration mode.
Example:
SwitchDevice(config-if)# exit

Step 12 ip local policy route-map map-tag
(Optional) Enables local PBR to perform policy-based routing on packets originating at the switch. This applies to packets generated by the switch, and not to incoming packets.
Example:
SwitchDevice(config)# ip local policy route-map local-pbr

Step 13 end
Returns to privileged EXEC mode.
Example:
SwitchDevice(config)# end

Step 14 show route-map [map-name]
(Optional) Displays all the route maps configured or only the one specified to verify configuration.
Example:
SwitchDevice# show route-map

Step 15 show ip policy
(Optional) Displays policy route maps attached to the interface.
Example:
SwitchDevice# show ip policy

Step 16 show ip local policy
(Optional) Displays whether or not local policy routing is enabled and, if so, the route map being used.
Example:

SwitchDevice# show ip local policy
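As an added example that is not part of this guide, this fragment puts Steps 2 through 9 together: an SVI policy-routes one client subnet toward a secondary next hop only while a tracked IP SLA probe shows it reachable, and keeps traffic addressed to the switch itself out of the policy, as the guidelines above require. Addresses, the ACL name, the track object number and the map name are assumptions; the ip sla and track commands are standard IOS commands from the IP SLAs Object Tracking configuration the procedure refers to.

```ios
! Added example (not from this guide): policy-route traffic from the client
! subnet on VLAN 10 toward a secondary next hop while that next hop is
! reachable, and fall back to normal routing when it is not. Addresses, the
! ACL name, the track object and the map name are made up.
!
! Deny traffic to the switch's own SVI address before the broad permit: the
! guide warns that PBR would otherwise forward packets destined for a local
! address and break ping, Telnet and routing-protocol traffic to the switch.
! Add a deny line for every other local address the switch owns.
ip access-list extended CLIENTS-VIA-BACKUP
 deny   ip any host 10.1.1.1
 permit ip 10.1.1.0 0.0.0.255 any
!
! Track reachability of the secondary next hop with an ICMP echo probe.
ip sla 1
 icmp-echo 10.1.6.2
ip sla schedule 1 life forever start-time now
track 100 ip sla 1 reachability
!
! A single permit statement: the set action is applied only while track 100
! is up; otherwise the packet is routed by the normal routing table. No deny
! statements and none of the unsupported set default/interface variants.
route-map PBR-MAP permit 10
 match ip address CLIENTS-VIA-BACKUP
 set ip next-hop verify-availability 10.1.6.2 1 track 100
!
interface Vlan10
 ip address 10.1.1.1 255.255.255.0
 ip policy route-map PBR-MAP
```

Confirm the attachment with show ip policy (Step 15) and the match and set clauses with show route-map (Step 14).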

Filtering Routing Information


You can filter routing protocol information by performing the tasks described in this section.

Note When routes are redistributed between OSPF processes, no OSPF metrics are preserved.

Setting Passive Interfaces


To prevent other routers on a local network from dynamically learning about routes, you can use the
passive-interface router configuration command to keep routing update messages from being sent through
a router interface. When you use this command in the OSPF protocol, the interface address you specify as
passive appears as a stub network in the OSPF domain. OSPF routing information is neither sent nor received
through the specified router interface.
In networks with many interfaces, to avoid having to manually set them as passive, you can set all interfaces
to be passive by default by using the passive-interface default router configuration command and manually
setting interfaces where adjacencies are desired.
Use a network monitoring privileged EXEC command such as show ip ospf interface to verify the interfaces
that you enabled as passive, or use the show ip interface privileged EXEC command to verify the interfaces
that you enabled as active.

Procedure

Step 1 configure terminal
Enters global configuration mode.
Example:
SwitchDevice# configure terminal

Step 2 router {rip | ospf | eigrp}
Enters router configuration mode.
Example:
SwitchDevice(config)# router ospf

Step 3 passive-interface interface-id
Suppresses sending routing updates through the specified Layer 3 interface.
Example:
SwitchDevice(config-router)# passive-interface gigabitethernet 1/0/1

Step 4 passive-interface default
(Optional) Sets all interfaces as passive by default.
Example:

SwitchDevice(config-router)# passive-interface default

Step 5 no passive-interface interface type
(Optional) Activates only those interfaces that need to have adjacencies sent.
Example:
SwitchDevice(config-router)# no passive-interface gigabitethernet1/0/3 gigabitethernet 1/0/5

Step 6 network network-address
(Optional) Specifies the list of networks for the routing process. The network-address is an IP address.
Example:
SwitchDevice(config-router)# network 10.1.1.1

Step 7 end
Returns to privileged EXEC mode.
Example:
SwitchDevice(config-router)# end

Step 8 copy running-config startup-config
(Optional) Saves your entries in the configuration file.
Example:
SwitchDevice# copy running-config startup-config

Controlling Advertising and Processing in Routing Updates


You can use the distribute-list router configuration command with access control lists to suppress routes
from being advertised in routing updates and to prevent other routers from learning one or more routes. When
used in OSPF, this feature applies to only external routes, and you cannot specify an interface name.
You can also use a distribute-list router configuration command to avoid processing certain routes listed in
incoming updates. (This feature does not apply to OSPF.)

Procedure

Step 1 configure terminal
Enters global configuration mode.
Example:
SwitchDevice# configure terminal

Step 2 router {rip | eigrp}
Enters router configuration mode.
Example:
SwitchDevice(config)# router eigrp 10

Step 3 distribute-list {access-list-number | access-list-name} out [interface-name | routing process | autonomous-system-number]
Permits or denies routes from being advertised in routing updates, depending upon the action listed in the access list.
Example:
SwitchDevice(config-router)# distribute-list 120 out gigabitethernet 1/0/7

Step 4 distribute-list {access-list-number | access-list-name} in [type-number]
Suppresses processing of routes listed in incoming updates.
Example:
SwitchDevice(config-router)# distribute-list 125 in

Step 5 end
Returns to privileged EXEC mode.
Example:
SwitchDevice(config-router)# end

Step 6 copy running-config startup-config
(Optional) Saves your entries in the configuration file.
Example:
SwitchDevice# copy running-config startup-config

Filtering Sources of Routing Information


Because some routing information might be more accurate than others, you can use filtering to prioritize
information coming from different sources. An administrative distance is a rating of the trustworthiness of a
routing information source, such as a router or group of routers. In a large network, some routing protocols
can be more reliable than others. By specifying administrative distance values, you enable the router to
intelligently discriminate between sources of routing information. The router always picks the route whose
routing protocol has the lowest administrative distance.
Because each network has its own requirements, there are no general guidelines for assigning administrative
distances.

Procedure

Step 1 configure terminal
Enters global configuration mode.
Example:
SwitchDevice# configure terminal

Step 2 router {rip | ospf | eigrp}
Enters router configuration mode.
Example:

SwitchDevice(config)# router eigrp 10

Step 3 distance weight {ip-address {ip-address mask}} [ip access list]
Defines an administrative distance.
weight—The administrative distance as an integer from 10 to 255. Used alone, weight specifies a default administrative distance that is used when no other specification exists for a routing information source. Routes with a distance of 255 are not installed in the routing table.
(Optional) ip access list—An IP standard or extended access list to be applied to incoming routing updates.
Example:
SwitchDevice(config-router)# distance 50 10.1.5.1

Step 4 end
Returns to privileged EXEC mode.
Example:
SwitchDevice(config-router)# end

Step 5 show ip protocols
Displays the default administrative distance for a specified routing process.
Example:
SwitchDevice# show ip protocols

Step 6 copy running-config startup-config
(Optional) Saves your entries in the configuration file.
Example:
SwitchDevice# copy running-config startup-config

Managing Authentication Keys


Key management is a method of controlling authentication keys used by routing protocols. Not all protocols
can use key management. Authentication keys are available for EIGRP and RIP Version 2.

Prerequisites
Before you manage authentication keys, you must enable authentication. See the appropriate protocol section
to see how to enable authentication for that protocol. To manage authentication keys, define a key chain,
identify the keys that belong to the key chain, and specify how long each key is valid. Each key has its own
key identifier (specified with the key number key chain configuration command), which is stored locally. The
combination of the key identifier and the interface associated with the message uniquely identifies the
authentication algorithm and Message Digest 5 (MD5) authentication key in use.

How to Configure Authentication Keys


You can configure multiple keys with life times. Only one authentication packet is sent, regardless of how
many valid keys exist. The software examines the key numbers in order from lowest to highest, and uses the
first valid key it encounters. The lifetimes allow for overlap during key changes. Note that the router must
know these lifetimes.

Procedure

Step 1 configure terminal
Enters global configuration mode.
Example:
SwitchDevice# configure terminal

Step 2 key chain name-of-chain
Identifies a key chain, and enters key chain configuration mode.
Example:
SwitchDevice(config)# key chain key10

Step 3 key number
Identifies the key number. The range is 0 to 2147483647.
Example:
SwitchDevice(config-keychain)# key 2000

Step 4 key-string text
Identifies the key string. The string can contain from 1 to 80 uppercase and lowercase alphanumeric characters, but the first character cannot be a number.
Example:
SwitchDevice(config-keychain)# key-string Room 20, 10th floor

Step 5 accept-lifetime start-time {infinite | end-time | duration seconds}
(Optional) Specifies the time period during which the key can be received.
The start-time and end-time syntax can be either hh:mm:ss Month date year or hh:mm:ss date Month year. The default is forever with the default start-time and the earliest acceptable date as January 1, 1993. The default end-time and duration is infinite.
Example:
SwitchDevice(config-keychain)# accept-lifetime 12:30:00 Jan 25 2009 infinite

Step 6 send-lifetime start-time {infinite | end-time | duration seconds}
(Optional) Specifies the time period during which the key can be sent.
The start-time and end-time syntax can be either hh:mm:ss Month date year or hh:mm:ss date Month year. The default is forever with the default start-time and the earliest acceptable date as January 1, 1993. The default end-time and duration is infinite.
Example:
SwitchDevice(config-keychain)# send-lifetime 23:30:00 Jan 25 2019 infinite

Step 7 end
Returns to privileged EXEC mode.
Example:
SwitchDevice(config-keychain)# end

Step 8 show key chain
Displays authentication key information.
Example:
SwitchDevice# show key chain

Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(3)E (Catalyst 3560-CX and 2960-CX Switches)
915
Routing
Monitoring and Maintaining the IP Network

Command or Action Purpose


Step 9 copy running-config startup-config
(Optional) Saves your entries in the configuration file.
Example:
SwitchDevice# copy running-config startup-config
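As an added example that is not part of this guide, this fragment applies Steps 2 through 6 to a key rotation: two keys with overlapping accept lifetimes and back-to-back send lifetimes, so that neighbors keep authenticating while the key changes. The chain name, key strings, dates and addresses are assumptions, and the ip authentication interface commands that enable EIGRP MD5 authentication belong to the EIGRP section of the guide, not to this procedure.

```ios
! Added example (not from this guide): an EIGRP key chain with two keys whose
! lifetimes overlap, so the key can be rotated without a gap in neighbor
! authentication. Chain name, key strings, dates and addresses are made up.
! Lifetimes are evaluated against the switch clock, so a correct clock (for
! example from NTP) is assumed.
key chain EIGRP-KEYS
 key 1
  key-string OldKeyQ1
  ! Stop sending key 1 on 1 July but keep accepting it for one more day, so
  ! a neighbor that rotates a little later still authenticates.
  accept-lifetime 00:00:00 Jan 1 2015 00:00:00 Jul 2 2015
  send-lifetime 00:00:00 Jan 1 2015 00:00:00 Jul 1 2015
 key 2
  key-string NewKeyQ3
  ! Accept key 2 a day before it is sent, for the same reason. Keys are
  ! tried from the lowest number up, so key 2 is only sent once key 1's
  ! send-lifetime has ended.
  accept-lifetime 00:00:00 Jun 30 2015 infinite
  send-lifetime 00:00:00 Jul 1 2015 infinite
!
router eigrp 10
 network 10.0.12.0 0.0.0.255
!
! Interface commands from the EIGRP section: enable MD5 authentication and
! bind the key chain to this EIGRP process on a routed port.
interface GigabitEthernet1/0/1
 no switchport
 ip address 10.0.12.1 255.255.255.0
 ip authentication mode eigrp 10 md5
 ip authentication key-chain eigrp 10 EIGRP-KEYS
```

Run show key chain (Step 8) on both neighbors around the rotation date to confirm each switch sees the same accept and send windows.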

Monitoring and Maintaining the IP Network


You can remove all contents of a particular cache, table, or database. You can also display specific statistics.

Table 100: Commands to Clear IP Routes or Display Route Status

show ip route [address [mask] [longer-prefixes]]
    Displays the current state of the routing table.
show ip route summary
    Displays the current state of the routing table in summary form.
show platform ip unicast
    Displays platform-dependent IP unicast information.

CHAPTER 37
Configuring Fallback Bridging
• Finding Feature Information, on page 917
• Restrictions for Fallback Bridging, on page 917
• Information about Fallback Bridging, on page 918
• How to Configure Fallback Bridging, on page 919
• Default Fallback Bridging Configuration, on page 930

Finding Feature Information


Your software release may not support all the features documented in this module. For the latest caveats and
feature information, see Bug Search Tool and the release notes for your platform and software release. To
find information about the features documented in this module, and to see a list of the releases in which each
feature is supported, see the feature information table at the end of this module.
Use Cisco Feature Navigator to find information about platform support and Cisco software image support.
To access Cisco Feature Navigator, go to http://www.cisco.com/go/cfn. An account on Cisco.com is not
required.

Restrictions for Fallback Bridging


• Up to 32 bridge groups can be configured on the switch.
• An interface (an SVI or routed port) can be a member of only one bridge group.
• Use a bridge group for each separately bridged (topologically distinct) network connected to the switch.
• Do not configure fallback bridging on a switch configured with private VLANs.
• All protocols except IP (Version 4 and Version 6), Address Resolution Protocol (ARP), reverse ARP (RARP),
LOOPBACK, Frame Relay ARP, and shared STP packets are fallback bridged.

Note Fallback Bridging is supported only on Cisco Catalyst 3560-CX switches.


Fallback Bridging CCP is supported only on Catalyst switches running IP Services licenses.

Related Topics
Changing the VLAN Bridge Spanning Tree Priority, on page 921
Changing the Interface Priority, on page 922

Assigning Path Cost, on page 924


Adjusting the Intervals Between Hello BPDUs, on page 925
Changing the Forward-Delay Interval, on page 926
Changing the Maximum-Idle Interval, on page 927

Information about Fallback Bridging


Fallback Bridging Overview
With fallback bridging, the switch bridges together two or more VLANs or routed ports, essentially connecting
multiple VLANs within one bridge domain. Fallback bridging forwards traffic that the switch does not route
and forwards traffic belonging to a nonroutable protocol such as DECnet. A VLAN bridge domain is represented
with switch virtual interfaces (SVIs). A set of SVIs and routed ports (which do not have any VLANs associated
with them) can be configured (grouped together) to form a bridge group. Recall that an SVI represents a VLAN
of switch ports as one interface to the routing or bridging function in the system. You associate only one SVI
with a VLAN, and you configure an SVI for a VLAN only when you want to route between VLANs, to
fallback-bridge nonroutable protocols between VLANs, or to provide IP host connectivity to the switch. A
routed port is a physical port that acts like a port on a router, but it is not connected to a router. A routed port
is not associated with a particular VLAN, does not support VLAN subinterfaces, but behaves like a normal
routed port.
A bridge group is an internal organization of network interfaces on a switch. You cannot use bridge groups
to identify traffic switched within the bridge group outside the switch on which they are defined. Bridge
groups on the switch function as distinct bridges; that is, bridged traffic and bridge protocol data units (BPDUs)
are not exchanged between different bridge groups on a switch.
Fallback bridging does not allow the spanning trees from the VLANs being bridged to collapse. Each VLAN
has its own spanning-tree instance and a separate spanning tree, called the VLAN-bridge spanning tree, which
runs on top of the bridge group to prevent loops.
The switch creates a VLAN-bridge spanning-tree instance when a bridge group is created. The switch runs
the bridge group and treats the SVIs and routed ports in the bridge group as its spanning-tree ports.
These are the reasons for placing network interfaces into a bridge group:
• To bridge all non-routed traffic among the network interfaces making up the bridge group. If the packet
destination address is in the bridge table, the packet is forwarded on a single interface in the bridge group.
If the packet destination address is not in the bridge table, the packet is flooded on all forwarding interfaces
in the bridge group. A source MAC address is learned on a bridge group only when the address is learned
on a VLAN (the reverse is not true). Any address that is learned on a stack member is learned by all
switches in the stack.
• To participate in the spanning-tree algorithm by receiving, and in some cases sending, BPDUs on the
LANs to which they are attached. A separate spanning-tree process runs for each configured bridge
group. Each bridge group participates in a separate spanning-tree instance. A bridge group establishes a
spanning-tree instance based on the BPDUs it receives on only its member interfaces. If the bridge STP
BPDU is received on a port whose VLAN does not belong to a bridge group, the BPDU is flooded on
all the forwarding ports of the VLAN.

Example: Fallback Bridging Network


The following figure shows a fallback bridging network example. The switch has two ports configured as
SVIs with different assigned IP addresses and attached to two different VLANs. Another port is configured
as a routed port with its own IP address. If all three of these ports are assigned to the same bridge group,
non-IP protocol frames can be forwarded among the end stations connected to the switch even though they
are on different networks and in different VLANs. IP addresses do not need to be assigned to routed ports or
SVIs for fallback bridging to work.
Figure 84: Fallback Bridging Network Example

How to Configure Fallback Bridging


Creating a Bridge Group
To configure fallback bridging for a set of SVIs or routed ports, these interfaces must be assigned to bridge
groups. All interfaces in the same group belong to the same bridge domain. Each SVI or routed port can be
assigned to only one bridge group.

Note The protected port feature is not compatible with fallback bridging. When fallback bridging is enabled, it is
possible for packets to be forwarded from one protected port on to another protected port on the same switch
if the ports are in different VLANs.

SUMMARY STEPS
1. enable
2. configure terminal
3. bridge bridge-group protocol vlan-bridge
4. interface interface-id
5. bridge-group bridge-group
6. show running-config
7. copy running-config startup-config
8. end

DETAILED STEPS

Step 1  enable
        Purpose: Enables privileged EXEC mode. Enter your password if prompted.
        Example:
        Switch> enable

Step 2  configure terminal
        Purpose: Enters global configuration mode.
        Example:
        Switch# configure terminal

Step 3  bridge bridge-group protocol vlan-bridge
        Purpose: Assigns a bridge group number and specifies the VLAN-bridge spanning-tree protocol to run
        in the bridge group. The ibm and dec keywords are not supported.
        For bridge-group, specify the bridge group number. The range is 1 to 255. You can create up to 32
        bridge groups. Frames are bridged only among interfaces in the same group.
        Example:
        Switch(config)# bridge 10 protocol vlan-bridge

Step 4  interface interface-id
        Purpose: Specifies the interface on which you want to assign the bridge group, and enters interface
        configuration mode. The specified interface must be one of these:
        • A routed port: a physical port that you have configured as a Layer 3 port by entering the
          no switchport interface configuration command.
        • An SVI: a VLAN interface that you created by using the interface vlan vlan-id global
          configuration command.
        Note: You can assign an IP address to the routed port or to the SVI, but it is not required.
        Example:
        Switch(config)# interface gigabitethernet3/0/1

Step 5  bridge-group bridge-group
        Purpose: Assigns the interface to the bridge group. For bridge-group, specify the bridge group
        number; the range is 1 to 255. Each SVI or routed port can belong to only one bridge group, and
        frames are bridged only among interfaces in the same group.
        Example:
        Switch(config-if)# bridge-group 10

Step 6  show running-config
        Purpose: Verifies your entries.
        Example:
        Switch# show running-config

Step 7  copy running-config startup-config
        Purpose: (Optional) Saves your entries in the configuration file.
        Example:
        Switch# copy running-config startup-config

Step 8  end
        Purpose: Returns to privileged EXEC mode.
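The procedure above, carried through end to end, as an added example that is not part of the original guide: one bridge group that carries non-IP traffic between two SVIs and one routed port, matching the topology of the figure in the previous section. The VLAN IDs, interface numbers and IP addresses are assumed for illustration; the only thing the IP addresses do is keep the interfaces usable for routed IP traffic, since fallback bridging itself does not need them.

```ios
! Added example (not from the original guide). VLAN IDs, interface numbers
! and IP addresses below are assumed for illustration.
configure terminal
!
! The VLANs behind the two SVIs must exist in the VLAN database.
vlan 20
 exit
vlan 30
 exit
!
! Create bridge group 10 and run the VLAN-bridge spanning-tree protocol in it.
! (The ibm and dec keywords are not supported on these switches.)
bridge 10 protocol vlan-bridge
!
! First SVI: member of bridge group 10. The IP address is optional for bridging
! and is only here so that IP traffic on VLAN 20 is still routed as usual.
interface vlan 20
 ip address 192.168.20.1 255.255.255.0
 bridge-group 10
!
! Second SVI: a different VLAN and a different IP subnet, same bridge group.
interface vlan 30
 ip address 192.168.30.1 255.255.255.0
 bridge-group 10
!
! Routed port: a physical port made Layer 3 with "no switchport", then added
! to the same bridge group. Non-IP frames now pass between all three interfaces.
interface gigabitethernet1/0/1
 no switchport
 ip address 192.168.40.1 255.255.255.0
 bridge-group 10
!
end
!
! Verification: the bridge group should list all three member interfaces, and
! non-IP stations that have sent frames should appear in the forwarding database.
show bridge 10 group
show bridge 10
!
copy running-config startup-config
```

Because every interface in the group is now one Layer 2 domain for non-IP protocols, check that none of the member VLANs contains protected ports: the note above explains that fallback bridging forwards between protected ports in different VLANs, so the isolation those ports were configured for no longer holds.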

Adjusting Spanning Tree Parameters


You might need to adjust certain spanning-tree parameters if the default values are not suitable. You configure
parameters affecting the entire spanning tree by using variations of the bridge global configuration command.
You configure interface-specific parameters by using variations of the bridge-group interface configuration
command.

Note Only network administrators with a good understanding of how switches and STP function should make
adjustments to spanning-tree parameters. Poorly planned adjustments can have a negative impact on
performance. A good source on switching is the IEEE 802.1D specification.

Changing the VLAN Bridge Spanning Tree Priority


The VLAN-bridge spanning-tree priority of a switch determines how likely it is to be elected the root switch
of the bridge group: the switch with the lowest priority value wins, and equal priorities are resolved in favor
of the lowest bridge MAC address. Follow these steps to change the switch priority. This procedure is optional.

SUMMARY STEPS
1. enable
2. configure terminal
3. bridge bridge-group priority number
4. end
5. show running-config
6. copy running-config startup-config

DETAILED STEPS

Step 1  enable
        Purpose: Enables privileged EXEC mode. Enter your password if prompted.
        Example:
        Switch> enable

Step 2  configure terminal
        Purpose: Enters global configuration mode.
        Example:
        Switch# configure terminal

Step 3  bridge bridge-group priority number
        Purpose: Changes the VLAN-bridge spanning-tree priority of the switch.
        • For bridge-group, specify the bridge group number. The range is 1 to 255.
        • For number, enter a number from 0 to 65535. The default is 32768. The lower the number, the
          more likely the switch will be chosen as the root.
        Example:
        Switch(config)# bridge 10 priority 100

Step 4  end
        Purpose: Returns to privileged EXEC mode.

Step 5  show running-config
        Purpose: Verifies your entries.
        Example:
        Switch# show running-config

Step 6  copy running-config startup-config
        Purpose: (Optional) Saves your entries in the configuration file.
        Example:
        Switch# copy running-config startup-config

Related Topics
Restrictions for Fallback Bridging, on page 917
Default Fallback Bridging Configuration, on page 930

Changing the Interface Priority


You can change the priority for a port. Port priority is a tie-breaker: when two or more ports of a switch
offer the same path cost to the root switch, the port with the lowest priority value is selected. Follow these
steps to change the interface priority. This procedure is optional.

SUMMARY STEPS
1. enable
2. configure terminal
3. interface interface-id
4. bridge-group bridge-group priority number
5. end
6. show running-config
7. copy running-config startup-config

DETAILED STEPS

Step 1  enable
        Purpose: Enables privileged EXEC mode. Enter your password if prompted.
        Example:
        Switch> enable

Step 2  configure terminal
        Purpose: Enters global configuration mode.
        Example:
        Switch# configure terminal

Step 3  interface interface-id
        Purpose: Specifies the interface whose port priority you want to change, and enters interface
        configuration mode.
        Example:
        Switch(config)# interface gigabitethernet2/0/1

Step 4  bridge-group bridge-group priority number
        Purpose: Changes the VLAN-bridge spanning-tree priority of the port.
        • For bridge-group, specify the bridge group number. The range is 1 to 255.
        • For number, enter a number from 0 to 255 in increments of 4. The default is 128. The lower the
          number, the more likely the port will be selected when path costs tie.
        Example:
        Switch(config-if)# bridge-group 10 priority 20

Step 5  end
        Purpose: Returns to privileged EXEC mode.

Step 6  show running-config
        Purpose: Verifies your entries.
        Example:
        Switch# show running-config

Step 7  copy running-config startup-config
        Purpose: (Optional) Saves your entries in the configuration file.
        Example:
        Switch# copy running-config startup-config

Related Topics
Restrictions for Fallback Bridging, on page 917
Default Fallback Bridging Configuration, on page 930


Assigning Path Cost


Each port has a path cost associated with it. The original 802.1D convention was 1000 divided by the data rate
of the attached LAN in Mb/s; the defaults listed below are the IEEE 802.1D-1998 recommended values, which
is why 100 Mb/s defaults to 19 rather than 10. Follow these steps to assign a path cost. This procedure is optional.

SUMMARY STEPS
1. enable
2. configure terminal
3. interface interface-id
4. bridge-group bridge-group path-cost cost
5. end
6. show running-config
7. copy running-config startup-config

DETAILED STEPS

Step 1  enable
        Purpose: Enables privileged EXEC mode. Enter your password if prompted.
        Example:
        Switch> enable

Step 2  configure terminal
        Purpose: Enters global configuration mode.
        Example:
        Switch# configure terminal

Step 3  interface interface-id
        Purpose: Specifies the interface whose path cost you want to change, and enters interface
        configuration mode.
        Example:
        Switch(config)# interface gigabitethernet2/0/1

Step 4  bridge-group bridge-group path-cost cost
        Purpose: Assigns the path cost of a port.
        • For bridge-group, specify the bridge group number. The range is 1 to 255.
        • For cost, enter a number from 0 to 65535. The higher the value, the higher the cost.
          • For 10 Mb/s, the default path cost is 100.
          • For 100 Mb/s, the default path cost is 19.
          • For 1000 Mb/s, the default path cost is 4.
        Example:
        Switch(config-if)# bridge-group 10 path-cost 20

Step 5  end
        Purpose: Returns to privileged EXEC mode.

Step 6  show running-config
        Purpose: Verifies your entries.
        Example:
        Switch# show running-config

Step 7  copy running-config startup-config
        Purpose: (Optional) Saves your entries in the configuration file.
        Example:
        Switch# copy running-config startup-config

Related Topics
Restrictions for Fallback Bridging, on page 917
Default Fallback Bridging Configuration, on page 930

Adjusting BPDU Intervals


Adjusting the Intervals Between Hello BPDUs
Each switch in a spanning tree adopts the interval between hello BPDUs, the forward delay interval, and the
maximum idle interval parameters of the root switch, regardless of what its individual configuration might
be.
Follow these steps to adjust the interval between hello BPDUs. This procedure is optional.

SUMMARY STEPS
1. enable
2. configure terminal
3. bridge bridge-group hello-time seconds
4. end
5. show running-config
6. copy running-config startup-config

DETAILED STEPS

Step 1  enable
        Purpose: Enables privileged EXEC mode. Enter your password if prompted.
        Example:
        Switch> enable

Step 2  configure terminal
        Purpose: Enters global configuration mode.
        Example:
        Switch# configure terminal

Step 3  bridge bridge-group hello-time seconds
        Purpose: Specifies the interval between hello BPDUs.
        • For bridge-group, specify the bridge group number. The range is 1 to 255.
        • For seconds, enter a number from 1 to 10. The default is 2.
        Example:
        Switch(config)# bridge 10 hello-time 5

Step 4  end
        Purpose: Returns to privileged EXEC mode.

Step 5  show running-config
        Purpose: Verifies your entries.
        Example:
        Switch# show running-config

Step 6  copy running-config startup-config
        Purpose: (Optional) Saves your entries in the configuration file.
        Example:
        Switch# copy running-config startup-config

Related Topics
Restrictions for Fallback Bridging, on page 917
Default Fallback Bridging Configuration, on page 930

Changing the Forward-Delay Interval


The forward-delay interval is the amount of time spent listening for topology change information after a port
has been activated for switching and before forwarding actually begins.
Follow these steps to change the forward-delay interval. This procedure is optional.

SUMMARY STEPS
1. enable
2. configure terminal
3. bridge bridge-group forward-time seconds
4. end
5. show running-config
6. copy running-config startup-config

DETAILED STEPS

Step 1  enable
        Purpose: Enables privileged EXEC mode. Enter your password if prompted.
        Example:
        Switch> enable

Step 2  configure terminal
        Purpose: Enters global configuration mode.
        Example:
        Switch# configure terminal

Step 3  bridge bridge-group forward-time seconds
        Purpose: Specifies the forward-delay interval.
        • For bridge-group, specify the bridge group number. The range is 1 to 255.
        • For seconds, enter a number from 4 to 200. The default is 20.
        Example:
        Switch(config)# bridge 10 forward-time 10

Step 4  end
        Purpose: Returns to privileged EXEC mode.

Step 5  show running-config
        Purpose: Verifies your entries.
        Example:
        Switch# show running-config

Step 6  copy running-config startup-config
        Purpose: (Optional) Saves your entries in the configuration file.
        Example:
        Switch# copy running-config startup-config

Related Topics
Restrictions for Fallback Bridging, on page 917
Default Fallback Bridging Configuration, on page 930

Changing the Maximum-Idle Interval


If a switch does not receive BPDUs from the root switch within a specified interval, it re-computes the
spanning-tree topology.
Follow these steps to change the maximum-idle interval (maximum aging time). This procedure is optional.

SUMMARY STEPS
1. enable
2. configure terminal
3. bridge bridge-group max-age seconds
4. end
5. show running-config
6. copy running-config startup-config

DETAILED STEPS

Step 1  enable
        Purpose: Enables privileged EXEC mode. Enter your password if prompted.
        Example:
        Switch> enable

Step 2  configure terminal
        Purpose: Enters global configuration mode.
        Example:
        Switch# configure terminal

Step 3  bridge bridge-group max-age seconds
        Purpose: Specifies the interval that the switch waits to hear BPDUs from the root switch.
        • For bridge-group, specify the bridge group number. The range is 1 to 255.
        • For seconds, enter a number from 6 to 200. The default is 30.
        Example:
        Switch(config)# bridge 10 max-age 30

Step 4  end
        Purpose: Returns to privileged EXEC mode.

Step 5  show running-config
        Purpose: Verifies your entries.
        Example:
        Switch# show running-config

Step 6  copy running-config startup-config
        Purpose: (Optional) Saves your entries in the configuration file.
        Example:
        Switch# copy running-config startup-config

Related Topics
Restrictions for Fallback Bridging, on page 917
Default Fallback Bridging Configuration, on page 930


Disabling the Spanning Tree on an Interface


When a loop-free path exists between any two switched subnetworks, you can prevent BPDUs generated in
one switching subnetwork from impacting devices in the other switching subnetwork, yet still permit switching
throughout the network as a whole. For example, when switched LAN subnetworks are separated by a WAN,
BPDUs can be prevented from traveling across the WAN link. Disable spanning tree on a port only when you
are certain that no redundant Layer 2 path exists through it: with spanning tree disabled, a loop introduced
through that port is not detected.
Follow these steps to disable spanning tree on a port. This procedure is optional.

SUMMARY STEPS
1. enable
2. configure terminal
3. interface interface-id
4. bridge-group bridge-group spanning-disabled
5. show running-config
6. copy running-config startup-config
7. end

DETAILED STEPS

Step 1  enable
        Purpose: Enables privileged EXEC mode. Enter your password if prompted.
        Example:
        Switch> enable

Step 2  configure terminal
        Purpose: Enters global configuration mode.
        Example:
        Switch# configure terminal

Step 3  interface interface-id
        Purpose: Specifies the interface on which you want to disable spanning tree, and enters interface
        configuration mode.
        Example:
        Switch(config)# interface gigabitethernet2/0/1

Step 4  bridge-group bridge-group spanning-disabled
        Purpose: Disables spanning tree on the port. For bridge-group, specify the bridge group number.
        The range is 1 to 255.
        Example:
        Switch(config-if)# bridge-group 10 spanning-disabled

Step 5  show running-config
        Purpose: Verifies your entries.
        Example:
        Switch# show running-config

Step 6  copy running-config startup-config
        Purpose: (Optional) Saves your entries in the configuration file.
        Example:
        Switch# copy running-config startup-config

Step 7  end
        Purpose: Returns to privileged EXEC mode.
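The spanning-tree adjustments described in the preceding procedures (switch priority, port priority, path cost, the three BPDU timers, and disabling spanning tree on a port), combined into one configuration as an added example that is not part of the original guide. Bridge group 10 is assumed to exist already; the timer values, priorities and interface numbers are assumed for illustration.

```ios
! Added example (not from the original guide). Assumes bridge group 10 was
! created with "bridge 10 protocol vlan-bridge"; values and interface
! numbers are illustrative.
configure terminal
!
! Make this switch the preferred root of the bridge group. Lower wins;
! the default is 32768.
bridge 10 priority 4096
!
! Timers. Every switch in the bridge group adopts the timers of the root
! switch, so set them on the switch you expect to be root. These values keep
! the classic 802.1D relationship 2*(forward-delay - 1) >= max-age >= 2*(hello + 1):
! 28 >= 20 >= 6.
bridge 10 hello-time 2
bridge 10 forward-time 15
bridge 10 max-age 20
!
! Per-port tuning. A port priority of 64 (multiple of 4, default 128) makes
! this port win a tie against another port with the same path cost; 19 is the
! 100 Mb/s default cost, written out here so the preference is explicit.
interface gigabitethernet1/0/2
 bridge-group 10 priority 64
 bridge-group 10 path-cost 19
!
! Port toward a remote site that is known to be loop-free: keep BPDUs from
! crossing the link. The switch can no longer detect a loop through this
! port, so only do this when the topology really is loop-free.
interface gigabitethernet1/0/3
 bridge-group 10 spanning-disabled
!
end
!
! Verification: all bridge and bridge-group lines of the running configuration.
show running-config | include bridge
show bridge 10 group
```

Set the timers on the intended root switch only; values configured elsewhere are ignored as long as that switch remains root, and become active (possibly with a different forward-delay and max-age) only if the root changes.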

Monitoring and Maintaining Fallback Bridging


Table 101: Commands for Monitoring and Maintaining Fallback Bridging

clear bridge bridge-group
    Removes any learned entries from the forwarding database.

show bridge [bridge-group] group
    Displays details about the bridge group.

show bridge [bridge-group] {interface-id | mac-address | verbose}
    Displays MAC addresses learned in the bridge group.

Default Fallback Bridging Configuration


Table 102: Default Fallback Bridging Configuration

Bridge groups
    None are defined or assigned to a port. No VLAN-bridge STP is defined.

Switch forwards frames for stations that it has dynamically learned
    Enabled

Switch priority
    32768

Port priority
    128

Port path cost
    10 Mb/s: 100
    100 Mb/s: 19
    1000 Mb/s: 4

Hello BPDU interval
    2 seconds

Forward-delay interval
    20 seconds

Maximum-idle interval
    30 seconds


Related Topics
Changing the VLAN Bridge Spanning Tree Priority, on page 921
Changing the Interface Priority, on page 922
Assigning Path Cost, on page 924
Adjusting the Intervals Between Hello BPDUs, on page 925
Changing the Forward-Delay Interval, on page 926
Changing the Maximum-Idle Interval, on page 927

PART VIII
Multicast Routing
• IP Multicast Routing Technology Overview, on page 935
• Configuring IGMP, on page 943
• Configuring CGMP, on page 963
• Configuring PIM, on page 969
• Configuring HSRP Aware PIM, on page 1021
• Configuring VRRP Aware PIM, on page 1027
• Configuring Basic IP Multicast Routing, on page 1031
• Configuring SSM, on page 1043
• Configuring IGMP Snooping and Multicast VLAN Registration, on page 1065
• Configuring MSDP, on page 1111
CHAPTER 38
IP Multicast Routing Technology Overview
• Finding Feature Information, on page 935
• Information About IP Multicast Technology, on page 935

Finding Feature Information


Your software release may not support all the features documented in this module. For the latest caveats and
feature information, see Bug Search Tool and the release notes for your platform and software release. To
find information about the features documented in this module, and to see a list of the releases in which each
feature is supported, see the feature information table.
Use Cisco Feature Navigator to find information about platform support and Cisco software image support.
To access Cisco Feature Navigator, go to www.cisco.com/go/cfn. An account on Cisco.com is not required.

Information About IP Multicast Technology


Role of IP Multicast in Information Delivery
IP multicast is a bandwidth-conserving technology that reduces traffic by delivering a single stream of
information simultaneously to potentially thousands of businesses and homes. Applications that take advantage
of multicast include video conferencing, corporate communications, distance learning, and distribution of
software, stock quotes, and news.
IP multicast routing enables a host (source) to send packets to a group of hosts (receivers) anywhere within
the IP network by using a special form of IP address called the IP multicast group address. The sending host
inserts the multicast group address into the IP destination address field of the packet and IP multicast routers
and multilayer switches forward incoming IP multicast packets out all interfaces that lead to the members of
the multicast group. Any host, regardless of whether it is a member of a group, can send to a group. However,
only the members of a group receive the message.

IP Multicast Routing Protocols


The software supports the following protocols to implement IP multicast routing:


• IGMP is used between hosts on a LAN and the routers on that LAN to track the multicast groups of
which hosts are members.
• Protocol Independent Multicast (PIM) is used between routers so that they can track which multicast
packets to forward to each other and to their directly connected LANs.

This figure shows where these protocols operate within the IP multicast environment.

Multicast Group Transmission Scheme


IP communication consists of hosts that act as senders and receivers of traffic as shown in the first figure.
Senders are called sources. Traditional IP communication is accomplished by a single host source sending
packets to another single host (unicast transmission) or to all hosts (broadcast transmission). IP multicast
provides a third scheme, allowing a host to send packets to a subset of all hosts (multicast transmission). This
subset of receiving hosts is called a multicast group. The hosts that belong to a multicast group are called
group members.
Multicast is based on this group concept. A multicast group is an arbitrary number of receivers that join a
group in order to receive a particular data stream. This multicast group has no physical or geographical
boundaries--the hosts can be located anywhere on the Internet or on any private internetwork. Hosts that are
interested in receiving data from a source to a particular group must join that group. Joining a group is
accomplished by a host receiver by way of the Internet Group Management Protocol (IGMP).
In a multicast environment, any host, regardless of whether it is a member of a group, can send to a group.
However, only the members of a group can receive packets sent to that group. Multicast packets are delivered
to a group using best-effort reliability, just like IP unicast packets.


In the next figure, the receivers (the designated multicast group) are interested in receiving the video data
stream from the source. The receivers indicate their interest by sending an IGMP host report to the routers in
the network. The routers are then responsible for delivering the data from the source to the receivers. The
routers use Protocol Independent Multicast (PIM) to dynamically create a multicast distribution tree. The
video data stream will then be delivered only to the network segments that are in the path between the source
and the receivers.


IP Multicast Boundary
As shown in the figure, address scoping defines domain boundaries so that domains with RPs that have the
same IP address do not leak into each other. Scoping is performed on the subnet boundaries within large
domains and on the boundaries between the domain and the Internet.
Figure 85: Address Scoping at Boundaries

You can set up an administratively scoped boundary on an interface for multicast group addresses using the
ip multicast boundary command with the access-list argument. A standard access list defines the range of
addresses affected. When a boundary is set up, no multicast data packets are allowed to flow across the
boundary from either direction. The boundary allows the same multicast group address to be reused in different
administrative domains.
The Internet Assigned Numbers Authority (IANA) has designated the multicast address range 239.0.0.0 to
239.255.255.255 as the administratively scoped addresses. This range of addresses can be reused in domains
administered by different organizations. They would be considered local, not globally unique.
You can configure the filter-autorp keyword to examine and filter Auto-RP discovery and announcement
messages at the administratively scoped boundary. Any Auto-RP group range announcements from the
Auto-RP packets that are denied by the boundary access control list (ACL) are removed. An Auto-RP group
range announcement is permitted and passed by the boundary only if all addresses in the Auto-RP group range
are permitted by the boundary ACL. If any address is not permitted, the entire group range is filtered and
removed from the Auto-RP message before the Auto-RP message is forwarded. To block all multicast
traffic coming in on an interface but allow multicast traffic going out of the interface, use the { ip | ipv6 }
multicast boundary block sources command.
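The boundary described above as configuration, an added example that is not part of the original guide: a standard ACL that denies the administratively scoped 239.0.0.0/8 range and permits the rest of the Class D space, applied with filter-autorp on the interface that faces another administrative domain. The ACL number, interface, description and the verification command are assumed.

```ios
! Added example (not from the original guide). ACL number, interface and
! description are assumed for illustration.
configure terminal
!
! Standard ACL for the boundary: groups DENIED here cannot cross the boundary
! in either direction; every other Class D group (224.0.0.0-239.255.255.255,
! wildcard 15.255.255.255) is permitted.
access-list 1 deny   239.0.0.0 0.255.255.255
access-list 1 permit 224.0.0.0 15.255.255.255
!
interface gigabitethernet1/0/24
 description Link to partner network (different administrative domain)
 ip pim sparse-mode
 ! Apply the boundary. filter-autorp additionally strips any Auto-RP group
 ! range that is not entirely permitted by ACL 1 from Auto-RP discovery and
 ! announcement messages, so the other domain's RP mappings for 239/8 do not
 ! leak in, and ours do not leak out.
 ip multicast boundary 1 filter-autorp
!
end
!
! Verification (assumed command): the interface listing should show ACL 1 as
! its multicast boundary.
show ip multicast interface gigabitethernet1/0/24
```

Because the same 239/8 addresses are reused in every organization, a boundary without this ACL is the point where one site's private video or telemetry stream quietly becomes another site's inbound traffic; deny the whole range at the edge and carve out exceptions only for groups that are meant to be shared.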

IP Multicast Group Addressing


A multicast group is identified by its multicast group address. Multicast packets are delivered to that multicast
group address. Unlike unicast addresses that uniquely identify a single host, multicast IP addresses do not
identify a particular host. To receive the data sent to a multicast address, a host must join the group that address
identifies. The data is sent to the multicast address and received by all the hosts that have joined the group
indicating that they wish to receive traffic sent to that group. The multicast group address is assigned to a
group at the source. Network administrators who assign multicast group addresses must make sure the addresses
conform to the multicast address range assignments reserved by the Internet Assigned Numbers Authority
(IANA).

IP Class D Addresses
IP multicast addresses have been assigned to the IPv4 Class D address space by IANA. The high-order four
bits of a Class D address are 1110. Therefore, host group addresses can be in the range 224.0.0.0 to
239.255.255.255. A multicast address is chosen at the source (sender) for the receivers in a multicast group.

Note The Class D address range is used only for the group address or destination address of IP multicast traffic.
The source address for multicast datagrams is always the unicast source address.

IP Multicast Address Scoping


The multicast address range is subdivided to provide predictable behavior for various address ranges and for
address reuse within smaller domains. The table provides a summary of the multicast address ranges. A brief
summary description of each range follows.

Table 103: Multicast Address Range Assignments

Reserved Link-Local Addresses (224.0.0.0 to 224.0.0.255)
    Reserved for use by network protocols on a local network segment.

Globally Scoped Addresses (224.0.1.0 to 238.255.255.255)
    Reserved to send multicast data between organizations and across the Internet.

Source Specific Multicast (232.0.0.0 to 232.255.255.255)
    Reserved for use with the SSM datagram delivery model, where data is forwarded only to receivers
    that have explicitly joined the group.

GLOP Addresses (233.0.0.0 to 233.255.255.255)
    Reserved for statically defined addresses by organizations that already have an assigned autonomous
    system (AS) number.

Limited Scope Addresses (239.0.0.0 to 239.255.255.255)
    Reserved as administratively or limited scope addresses for use in private multicast domains.

Reserved Link-Local Addresses


The IANA has reserved the range 224.0.0.0 to 224.0.0.255 for use by network protocols on a local network
segment. Packets with an address in this range are local in scope and are not forwarded by IP routers. Packets
with link local destination addresses are typically sent with a time-to-live (TTL) value of 1 and are not
forwarded by a router.
Within this range, reserved link-local addresses provide network protocol functions for which they are reserved.
Network protocols use these addresses for automatic router discovery and to communicate important routing
information. For example, Open Shortest Path First (OSPF) uses the IP addresses 224.0.0.5 and 224.0.0.6 to
exchange link-state information.
IANA assigns single multicast address requests for network protocols or network applications out of the
224.0.1.xxx address range. Multicast routers forward these multicast addresses.

Globally Scoped Addresses


Addresses in the range 224.0.1.0 to 238.255.255.255 are called globally scoped addresses. These addresses
are used to send multicast data between organizations across the Internet. Some of these addresses have been
reserved by IANA for use by multicast applications. For example, the IP address 224.0.1.1 is reserved for
Network Time Protocol (NTP).

Source Specific Multicast Addresses


Addresses in the range 232.0.0.0/8 are reserved for Source Specific Multicast (SSM) by IANA. In Cisco IOS
software, you can use the ip pim ssm command to configure SSM for arbitrary IP multicast addresses also.
SSM is an extension of Protocol Independent Multicast (PIM) that allows for an efficient data delivery
mechanism in one-to-many communications. SSM is described in the IP Multicast Delivery Modes, on page
941 section.

GLOP Addresses
GLOP addressing (as proposed by RFC 2770, GLOP Addressing in 233/8) proposes that the 233.0.0.0/8 range
be reserved for statically defined addresses by organizations that already have an AS number reserved. This
practice is called GLOP addressing. The AS number of the domain is embedded into the second and third
octets of the 233.0.0.0/8 address range. For example, AS 62010 is written in hexadecimal format as F23A.
Separating the two octets F2 and 3A results in 242 and 58 in decimal format. These values result in a subnet
of 233.242.58.0/24 that would be globally reserved for AS 62010 to use.

Limited Scope Addresses


The range 239.0.0.0 to 239.255.255.255 is reserved as administratively or limited scoped addresses for use
in private multicast domains. These addresses are constrained to a local group or organization. Companies,
universities, and other organizations can use limited scope addresses to have local multicast applications that
will not be forwarded outside their domain. Routers typically are configured with filters to prevent multicast
traffic in this address range from flowing outside an autonomous system (AS) or any user-defined domain.


Within an AS or domain, the limited scope address range can be further subdivided so that local multicast
boundaries can be defined.

Note Network administrators may use multicast addresses in this range, inside a domain, without conflicting with
others elsewhere in the Internet.

Layer 2 Multicast Addresses


Historically, network interface cards (NICs) on a LAN segment could receive only packets destined for their
burned-in MAC address or the broadcast MAC address. In IP multicast, several hosts need to be able to receive
a single data stream with a common destination MAC address. Some means had to be devised so that multiple
hosts could receive the same packet and still be able to differentiate between several multicast groups. One
method to accomplish this is to map IP multicast Class D addresses directly to a MAC address. Using this
method, NICs can receive packets destined to many different MAC addresses.
Cisco Group Management Protocol (CGMP) is used on routers connected to Catalyst switches to perform
tasks similar to those performed by IGMP. CGMP is necessary for those Catalyst switches that cannot
distinguish between IP multicast data packets and IGMP report messages, both of which are addressed to the
same group address at the MAC level.

IP Multicast Delivery Modes


IP multicast delivery modes differ only for the receiver hosts, not for the source hosts. A source host sends
IP multicast packets with its own IP address as the IP source address of the packet and a group address as the
IP destination address of the packet.

Source Specific Multicast


Source Specific Multicast (SSM) is a datagram delivery model that best supports one-to-many applications,
also known as broadcast applications. SSM is a core network technology for the Cisco implementation of IP
multicast targeted for audio and video broadcast application environments.
For the SSM delivery mode, an IP multicast receiver host must use IGMP Version 3 (IGMPv3) to subscribe
to channel (S,G). By subscribing to this channel, the receiver host is indicating that it wants to receive IP
multicast traffic sent by source host S to group G. The network will deliver IP multicast packets from source
host S to group G to all hosts in the network that have subscribed to the channel (S, G).
SSM does not require group address allocation within the network, only within each source host. Different
applications running on the same source host must use different SSM groups. Different applications running
on different source hosts can arbitrarily reuse SSM group addresses without causing any excess traffic on the
network.


CHAPTER 39
Configuring IGMP
• Finding Feature Information, on page 943
• Prerequisites for IGMP, on page 943
• Restrictions for Configuring IGMP, on page 944
• Information About IGMP, on page 944
• How to Configure IGMP, on page 950
• Monitoring IGMP, on page 960
• Configuration Examples for IGMP, on page 961

Finding Feature Information


Your software release may not support all the features documented in this module. For the latest caveats and
feature information, see Bug Search Tool and the release notes for your platform and software release. To
find information about the features documented in this module, and to see a list of the releases in which each
feature is supported, see the feature information table.
Use Cisco Feature Navigator to find information about platform support and Cisco software image support.
To access Cisco Feature Navigator, go to www.cisco.com/go/cfn. An account on Cisco.com is not required.

Prerequisites for IGMP


• Before performing the tasks in this module, you should be familiar with the concepts explained in the
"IP Multicast Routing Technology Overview" module.
• The tasks in this module assume that IP multicast has been enabled and that the Protocol Independent
Multicast (PIM) interfaces have been configured using the tasks described in the "Configuring IP Multicast
Routing" module.

Related Topics
Configuring the Switch as a Member of a Group, on page 950
IGMP Join Process, on page 948
IGMP Leave Process, on page 948


Restrictions for Configuring IGMP


The following are the restrictions for configuring IGMP:
• The switch supports IGMP Versions 1, 2, and 3.

Note For IGMP Version 3, only IGMP Version 3 BISS (Basic IGMPv3 Snooping
Support) is supported.

• IGMP Version 3 uses new membership report messages that might not be correctly recognized by older
IGMP snooping switches.
• IGMPv3 can operate with both ISM and SSM. In ISM, both exclude and include mode reports are
applicable. In SSM, only include mode reports are accepted by the last-hop router. Exclude mode reports
are ignored.

Related Topics
IGMP Version 3, on page 945

Information About IGMP


Role of the Internet Group Management Protocol
IGMP is used to dynamically register individual hosts in a multicast group on a particular LAN. Enabling
PIM on an interface also enables IGMP. IGMP provides a means to automatically control and limit the flow
of multicast traffic throughout your network with the use of special multicast queriers and hosts.
• A querier is a network device, such as a router, that sends query messages to discover which network
devices are members of a given multicast group.
• A host is a receiver, including routers, that sends report messages (in response to query messages) to
inform the querier of a host membership. Hosts use IGMP messages to join and leave multicast groups.

Hosts identify group memberships by sending IGMP messages to their local multicast device. Under IGMP,
devices listen to IGMP messages and periodically send out queries to discover which groups are active or
inactive on a particular subnet.

IGMP Multicast Addresses


IP multicast traffic uses group addresses, which are Class D IP addresses. The high-order four bits of a Class
D address are 1110. Therefore, host group addresses can be in the range 224.0.0.0 to 239.255.255.255.
Multicast addresses in the range 224.0.0.0 to 224.0.0.255 are reserved for use by routing protocols and other
network control traffic. The address 224.0.0.0 is guaranteed not to be assigned to any group.
IGMP packets are transmitted using IP multicast group addresses as follows:
• IGMP general queries are destined to the address 224.0.0.1 (all systems on a subnet).


• IGMP group-specific queries are destined to the group IP address for which the device is querying.
• IGMP group membership reports are destined to the group IP address for which the device is reporting.
• IGMPv2 leave-group messages are destined to the address 224.0.0.2 (all devices on a subnet).
• IGMPv3 membership reports are destined to the address 224.0.0.22; all IGMPv3-capable multicast
devices must listen to this address.
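The destination rules listed above, turned into a check that can be run over captured IGMP messages; this is an added example, not code from this guide or from Cisco IOS. It assumes the standard IGMP type codes (0x11 query, 0x12/0x16 v1/v2 report, 0x17 v2 leave, 0x22 v3 report) and the RFC ones-complement checksum, and it builds its own constructed sample messages.

```python
import ipaddress
import struct

# Added example, not from the Cisco guide: decode the fixed 8-byte IGMP header
# and check that the message was sent to the destination the rules above
# require.  A general query is a type 0x11 message whose group field is
# 0.0.0.0; a group-specific query carries the group.  IGMPv3 reports (0x22)
# have a different body, so only their header and destination are checked.
# Messages that break these rules deserve a look, because snooping decisions
# are made from exactly these fields.

IGMP_QUERY = 0x11
IGMP_V1_REPORT = 0x12
IGMP_V2_REPORT = 0x16
IGMP_V2_LEAVE = 0x17
IGMP_V3_REPORT = 0x22

ALL_SYSTEMS = "224.0.0.1"
ALL_ROUTERS = "224.0.0.2"
IGMPV3_REPORT_ADDRESS = "224.0.0.22"


def igmp_checksum(data: bytes) -> int:
    """Ones-complement sum over the whole message (zero-padded to 16-bit words)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_igmp(msg_type: int, group: str = "0.0.0.0", max_resp: int = 0) -> bytes:
    """Build a constructed 8-byte IGMP message with a valid checksum."""
    body = struct.pack("!BBH4s", msg_type, max_resp, 0, ipaddress.IPv4Address(group).packed)
    return body[:2] + struct.pack("!H", igmp_checksum(body)) + body[4:]


def classify(dst_ip: str, payload: bytes) -> tuple:
    """Return (message kind, list of problems) for one IGMP message seen on a subnet."""
    if len(payload) < 8:
        return "truncated", ["IGMP header shorter than 8 bytes"]
    msg_type, _max_resp, _csum, group_raw = struct.unpack("!BBH4s", payload[:8])
    group = str(ipaddress.IPv4Address(group_raw))
    problems = []
    # A valid message sums to all ones, which the final complement turns into zero.
    if igmp_checksum(payload) != 0:
        problems.append("bad checksum")
    if msg_type == IGMP_QUERY:
        if group == "0.0.0.0":
            kind, expected = "general query", ALL_SYSTEMS
        else:
            kind, expected = "group-specific query", group
    elif msg_type in (IGMP_V1_REPORT, IGMP_V2_REPORT):
        kind, expected = "membership report", group
    elif msg_type == IGMP_V2_LEAVE:
        kind, expected = "leave-group", ALL_ROUTERS
    elif msg_type == IGMP_V3_REPORT:
        kind, expected = "IGMPv3 report", IGMPV3_REPORT_ADDRESS
    else:
        return "unknown", problems + [f"unknown IGMP type 0x{msg_type:02x}"]
    if dst_ip != expected:
        problems.append(f"{kind} sent to {dst_ip}, expected {expected}")
    return kind, problems


if __name__ == "__main__":
    # Constructed sample traffic: (destination IP, IGMP payload)
    samples = [
        (ALL_SYSTEMS, build_igmp(IGMP_QUERY, max_resp=100)),      # general query
        ("225.2.2.2", build_igmp(IGMP_V2_REPORT, "225.2.2.2")),   # v2 report
        (ALL_ROUTERS, build_igmp(IGMP_V2_LEAVE, "225.2.2.2")),    # v2 leave
        (ALL_SYSTEMS, build_igmp(IGMP_V3_REPORT)),                 # v3 report, wrong address
    ]
    for dst, payload in samples:
        print(dst, classify(dst, payload))
```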

IGMP Versions
The switch supports IGMP version 1, IGMP version 2, and IGMP version 3. These versions are interoperable
on the switch. For example, if IGMP snooping is enabled and the querier's version is IGMPv2, and the switch
receives an IGMPv3 report from a host, then the switch can forward the IGMPv3 report to the multicast router.
An IGMPv3 switch can receive messages from and forward messages to a device running the Source Specific
Multicast (SSM) feature.
Related Topics
Changing the IGMP Version, on page 953
Restrictions for IGMP Snooping, on page 1066

IGMP Version 1
IGMP version 1 (IGMPv1) primarily uses a query-response model that enables the multicast router and
multilayer switch to find which multicast groups are active (have one or more hosts interested in a multicast
group) on the local subnet. IGMPv1 has other processes that enable a host to join and leave a multicast group.
For more information, see RFC 1112.

IGMP Version 2
IGMPv2 extends IGMP functionality by providing such features as the IGMP leave process to reduce leave
latency, group-specific queries, and an explicit maximum query response time. IGMPv2 also adds the capability
for routers to elect the IGMP querier without depending on the multicast protocol to perform this task. For
more information, see RFC 2236.

Note IGMP version 2 is the default version for the switch.

IGMP Version 3
The switch supports IGMP version 3.
An IGMPv3 switch supports Basic IGMPv3 Snooping Support (BISS), which includes support for the snooping
features on IGMPv1 and IGMPv2 switches and for IGMPv3 membership report messages. BISS constrains
the flooding of multicast traffic when your network includes IGMPv3 hosts. It constrains traffic to approximately
the same set of ports as the IGMP snooping feature on IGMPv2 or IGMPv1 hosts.
An IGMPv3 switch can receive messages from and forward messages to a device running the Source Specific
Multicast (SSM) feature.


Related Topics
Restrictions for Configuring IGMP, on page 944

IGMPv3 Host Signalling


In IGMPv3, hosts signal membership to last hop routers of multicast groups. Hosts can signal group membership
with filtering capabilities with respect to sources. A host can either signal that it wants to receive traffic from
all sources sending to a group except for some specific sources (called exclude mode), or that it wants to
receive traffic only from some specific sources sending to the group (called include mode).
IGMPv3 can operate with both Internet Standard Multicast (ISM) and Source Specific Multicast (SSM). In
ISM, both exclude and include mode reports are applicable. In SSM, only include mode reports are accepted
by the last-hop router. Exclude mode reports are ignored.

IGMP Versions Differences


There are three versions of IGMP, as defined by Request for Comments (RFC) documents of the Internet
Engineering Task Force (IETF). IGMPv2 improves over IGMPv1 by adding the ability for a host to signal
desire to leave a multicast group and IGMPv3 improves over IGMPv2 mainly by adding the ability to listen
to multicast originating from a set of source IP addresses only.

Table 104: IGMP Versions

IGMP Version   Description
IGMPv1         Provides the basic query-response mechanism that allows the multicast
               device to determine which multicast groups are active and other
               processes that enable hosts to join and leave a multicast group. RFC
               1112 defines the IGMPv1 host extensions for IP multicasting.
IGMPv2         Extends IGMP, allowing such capabilities as the IGMP leave process,
               group-specific queries, and an explicit maximum response time field.
               IGMPv2 also adds the capability for devices to elect the IGMP querier
               without dependence on the multicast protocol to perform this task. RFC
               2236 defines IGMPv2.

Note By default, enabling PIM on an interface enables IGMPv2 on that device. IGMPv2 was designed to be as
backward compatible with IGMPv1 as possible. To accomplish this backward compatibility, RFC 2236 defined
special interoperability rules. If your network contains legacy IGMPv1 hosts, you should be familiar with
these interoperability rules. For more information about IGMPv1 and IGMPv2 interoperability, see RFC 2236,
Internet Group Management Protocol, Version 2.

Devices That Run IGMPv1


IGMPv1 devices send IGMP queries to the “all-hosts” multicast address of 224.0.0.1 to solicit multicast
groups with active multicast receivers. The multicast receivers also can send IGMP reports to the device to
notify it that they are interested in receiving a particular multicast stream. Hosts can send the report
asynchronously or in response to the IGMP queries sent by the device. If more than one multicast receiver
exists for the same multicast group, only one of these hosts sends an IGMP report message; the other hosts
suppress their report messages.
In IGMPv1, there is no election of an IGMP querier. If more than one device on the segment exists, all the
devices send periodic IGMP queries. IGMPv1 has no special mechanism by which the hosts can leave the
group. If the hosts are no longer interested in receiving multicast packets for a particular group, they simply
do not reply to the IGMP query packets sent from the device. The device continues sending query packets. If
the device does not hear a response in three IGMP queries, the group times out and the device stops sending
multicast packets on the segment for the group. If the host later wants to receive multicast packets after the
timeout period, the host simply sends a new IGMP join to the device, and the device begins to forward the
multicast packet again.
If there are multiple devices on a LAN, a designated router (DR) must be elected to avoid duplicating multicast
traffic for connected hosts. PIM devices follow an election process to select a DR. The PIM device with the
highest IP address becomes the DR.
The DR is responsible for the following tasks:
• Sending PIM register and PIM Join and Prune messages toward the rendezvous point (RP) to inform it
about host group membership.
• Sending IGMP host-query messages.
• Sending host-query messages by default every 60 seconds in order to keep the IGMP overhead on hosts
and networks very low.

Devices That Run IGMPv2


IGMPv2 improves the query messaging capabilities of IGMPv1.
The query and membership report messages in IGMPv2 are identical to the IGMPv1 messages with two
exceptions:
• IGMPv2 query messages are broken into two categories: general queries (identical to IGMPv1 queries)
and group-specific queries.
• IGMPv1 membership reports and IGMPv2 membership reports have different IGMP type codes.

IGMPv2 also enhances IGMP by providing support for the following capabilities:
• Querier election process--Provides the capability for IGMPv2 devices to elect the IGMP querier without
having to rely on the multicast routing protocol to perform the process.
• Maximum Response Time field--A new field in query messages permits the IGMP querier to specify the
maximum query-response time. This field permits the tuning of the query-response process to control
response burstiness and to fine-tune leave latencies.
• Group-Specific Query messages--Permits the IGMP querier to perform the query operation on a specific
group instead of all groups.
• Leave-Group messages--Provides hosts with a method of notifying devices on the network that they wish
to leave the group.

Unlike IGMPv1, in which the DR and the IGMP querier are typically the same device, in IGMPv2 the two
functions are decoupled. The DR and the IGMP querier are selected based on different criteria and may be
different devices on the same subnet. The DR is the device with the highest IP address on the subnet, whereas
the IGMP querier is the device with the lowest IP address.


Query messages are used to elect the IGMP querier as follows:


1. When IGMPv2 devices start, they each multicast a general query message to the all-systems group address
of 224.0.0.1 with their interface address in the source IP address field of the message.
2. When an IGMPv2 device receives a general query message, the device compares the source IP address
in the message with its own interface address. The device with the lowest IP address on the subnet is
elected the IGMP querier.
3. All devices (excluding the querier) start the query timer, which is reset whenever a general query message
is received from the IGMP querier. If the query timer expires, it is assumed that the IGMP querier has
gone down, and the election process is performed again to elect a new IGMP querier.

By default, the timer is two times the query interval.

IGMP Join and Leave Process


IGMP Join Process
When a host wants to join a multicast group, the host sends one or more unsolicited membership reports for
the multicast group it wants to join. The IGMP join process is the same for IGMPv1 and IGMPv2 hosts.
In IGMPv3, the join process for hosts proceeds as follows:
• When a host wants to join a group, it sends an IGMPv3 membership report to 224.0.0.22 with an empty
EXCLUDE list.
• When a host wants to join a specific channel, it sends an IGMPv3 membership report to 224.0.0.22 with
the address of the specific source included in the INCLUDE list.
• When a host wants to join a group excluding particular sources, it sends an IGMPv3 membership report
to 224.0.0.22 excluding those sources in the EXCLUDE list.

Note If some IGMPv3 hosts on a LAN wish to exclude a source and others wish to include the source, then the
device will send traffic for the source on the LAN (that is, inclusion trumps exclusion in this situation).
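The three IGMPv3 report shapes above and the note that inclusion trumps exclusion, modelled in code as an added example that is not from this guide. It is a simplified version of the router-side merge in RFC 3376 (no timers), and the hosts, sources and reports it uses are constructed.

```python
from dataclasses import dataclass

# Added example, not from the Cisco guide: a simplified model of how a last-hop
# device merges the IGMPv3 reports of all hosts on a LAN into one forwarding
# decision per group (after RFC 3376, without the per-source timers).  The
# three report shapes listed above are built by the helper functions, and
# merged_filter() reproduces the note that a source included by any host is
# forwarded even if another host excludes it.


@dataclass(frozen=True)
class Report:
    host: str
    mode: str          # "INCLUDE" or "EXCLUDE"
    sources: frozenset


def join_group(host: str) -> Report:
    """Join the whole group: EXCLUDE with an empty source list."""
    return Report(host, "EXCLUDE", frozenset())


def join_channel(host: str, source: str) -> Report:
    """Join channel (S,G): INCLUDE with the one source listed."""
    return Report(host, "INCLUDE", frozenset({source}))


def join_group_excluding(host: str, sources) -> Report:
    """Join the group but refuse particular sources: EXCLUDE listing them."""
    return Report(host, "EXCLUDE", frozenset(sources))


def merged_filter(reports) -> tuple:
    """Return ("INCLUDE", sources to forward) or ("EXCLUDE", sources to block)."""
    includes = [r.sources for r in reports if r.mode == "INCLUDE"]
    excludes = [r.sources for r in reports if r.mode == "EXCLUDE"]
    wanted = frozenset().union(*includes)
    if not excludes:
        # Only INCLUDE reporters: forward exactly the union of their lists.
        return "INCLUDE", wanted
    # Any EXCLUDE reporter puts the group in EXCLUDE mode.  A source is blocked
    # only if every EXCLUDE reporter excludes it and no INCLUDE reporter wants it.
    blocked = frozenset.intersection(*excludes) - wanted
    return "EXCLUDE", blocked


def should_forward(reports, source: str) -> bool:
    """Whether traffic from `source` to the group is forwarded onto the LAN."""
    mode, sources = merged_filter(reports)
    return source in sources if mode == "INCLUDE" else source not in sources


if __name__ == "__main__":
    # Constructed LAN: h1 wants only 10.0.0.5, h2 wants everything except 10.0.0.5.
    lan = [join_channel("h1", "10.0.0.5"), join_group_excluding("h2", ["10.0.0.5"])]
    print(merged_filter(lan), should_forward(lan, "10.0.0.5"))   # inclusion trumps exclusion
```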

Related Topics
Configuring the Switch as a Member of a Group, on page 950
Prerequisites for IGMP, on page 943
Example: Configuring the Switch as a Member of a Multicast Group, on page 961

IGMP Leave Process


The method that hosts use to leave a group varies depending on the version of IGMP in operation.

IGMPv1 Leave Process


There is no leave-group message in IGMPv1 to notify the devices on the subnet that a host no longer wants
to receive the multicast traffic from a specific group. The host simply stops processing traffic for the multicast
group and ceases responding to IGMP queries with IGMP membership reports for the group. As a result, the
only way IGMPv1 devices know that there are no longer any active receivers for a particular multicast group
on a subnet is when the devices stop receiving membership reports. To facilitate this process, IGMPv1 devices
associate a countdown timer with an IGMP group on a subnet. When a membership report is received for the
group on the subnet, the timer is reset. For IGMPv1 devices, this timeout interval is typically three times the
query interval (3 minutes). This timeout interval means that the device may continue to forward multicast
traffic onto the subnet for up to 3 minutes after all hosts have left the multicast group.

IGMPv2 Leave Process


IGMPv2 incorporates a leave-group message that provides the means for a host to indicate that it wishes to
stop receiving multicast traffic for a specific group. When an IGMPv2 host leaves a multicast group, if it was
the last host to respond to a query with a membership report for that group, it sends a leave-group message
to the all-devices multicast group (224.0.0.2).

IGMPv3 Leave Process


IGMPv3 enhances the leave process by introducing the capability for a host to stop receiving traffic from a
particular group, source, or channel in IGMP by including or excluding sources, groups, or channels in IGMPv3
membership reports.
Related Topics
Configuring the Switch as a Member of a Group, on page 950
Prerequisites for IGMP, on page 943
Example: Configuring the Switch as a Member of a Multicast Group, on page 961

Default IGMP Configuration


This table displays the default IGMP configuration for the switch.

Table 105: Default IGMP Configuration

Feature                                               Default Setting
Multilayer switch as a member of a multicast group    No group memberships are defined.
Access to multicast groups                            All groups are allowed on an interface.
IGMP version                                          Version 2 on all interfaces.
IGMP host-query message interval                      60 seconds on all interfaces.
IGMP query timeout                                    60 seconds on all interfaces.
IGMP maximum query response time                      10 seconds on all interfaces.
Multilayer switch as a statically connected member    Disabled.


How to Configure IGMP


Configuring the Switch as a Member of a Group
You can configure the switch as a member of a multicast group and discover multicast reachability in a
network. If all the multicast-capable routers and multilayer switches that you administer are members of a
multicast group, pinging that group causes all of these devices to respond. The devices respond to ICMP
echo-request packets addressed to a group of which they are members. Another example is the multicast
trace-route tools provided in the software.

Caution Performing this procedure might impact the CPU performance because the CPU will receive all data traffic
for the group address.

This procedure is optional.

SUMMARY STEPS
1. enable
2. configure terminal
3. interface interface-id
4. ip igmp join-group group-address
5. end
6. show ip igmp interface [interface-id]
7. copy running-config startup-config

DETAILED STEPS

Command or Action Purpose


Step 1 enable Enables privileged EXEC mode. Enter your password if
prompted.
Example:

SwitchDevice> enable

Step 2 configure terminal Enters the global configuration mode.


Example:

SwitchDevice# configure terminal

Step 3 interface interface-id Specifies the interface on which you want to enable
multicast routing, and enters interface configuration mode.
Example:

SwitchDevice(config)# interface gigabitethernet 1/0/1

Step 4 ip igmp join-group group-address Configures the switch to join a multicast group.
By default, no group memberships are defined.
For group-address, specify the multicast IP address in dotted decimal notation.
Example:

SwitchDevice(config-if)# ip igmp join-group 225.2.2.2

Step 5 end Returns to privileged EXEC mode.


Example:

SwitchDevice(config)# end

Step 6 show ip igmp interface [interface-id] Verifies your entries.


Example:

SwitchDevice# show ip igmp interface

Step 7 copy running-config startup-config (Optional) Saves your entries in the configuration file.
Example:

SwitchDevice# copy running-config startup-config

Related Topics
IGMP Join Process, on page 948
IGMP Leave Process, on page 948
Prerequisites for IGMP, on page 943
Example: Configuring the Switch as a Member of a Multicast Group, on page 961

Controlling Access to IP Multicast Group


The switch sends IGMP host-query messages to find which multicast groups have members on attached local
networks. The switch then forwards to these group members all packets addressed to the multicast group.
You can place a filter on each interface to restrict the multicast groups that hosts on the subnet serviced by
the interface can join.
This procedure is optional.

SUMMARY STEPS
1. enable
2. configure terminal
3. interface interface-id
4. ip igmp access-group access-list-number


5. exit
6. access-list access-list-number {deny | permit} source [source-wildcard]
7. end
8. show ip igmp interface [interface-id]

DETAILED STEPS

Command or Action Purpose


Step 1 enable Enables privileged EXEC mode. Enter your password if
prompted.
Example:

SwitchDevice> enable

Step 2 configure terminal Enters the global configuration mode.


Example:

SwitchDevice# configure terminal

Step 3 interface interface-id Specifies the interface to be configured, and enters interface
configuration mode.
Example:

SwitchDevice(config)# interface GigabitEthernet 1/0/12

Step 4 ip igmp access-group access-list-number Specifies the multicast groups that hosts on the subnet
serviced by an interface can join.
By default, all groups are allowed on an interface.
For access-list-number, specify an IP standard access list number. The range is 1 to 199.
Note To disable groups on an interface, use the no ip igmp access-group interface configuration command.
Example:

SwitchDevice(config-if)# ip igmp access-group 10

Step 5 exit Returns to global configuration mode.


Example:

SwitchDevice(config-if)# exit

Step 6 access-list access-list-number {deny | permit} source [source-wildcard] Creates a standard access list.
• For access-list-number, specify the access list created in Step 3.
• The deny keyword denies access if the conditions are matched. The permit keyword permits access if the
conditions are matched.
• For source, specify the multicast group that hosts on the subnet can join.
• (Optional) For source-wildcard, enter the wildcard bits in dotted decimal notation to be applied to the
source. Place ones in the bit positions that you want to ignore.

Recall that the access list is always terminated by an implicit deny statement for everything.
Example:

SwitchDevice(config)# access-list 10 permit

Step 7 end Returns to privileged EXEC mode.


Example:

SwitchDevice(config)# end

Step 8 show ip igmp interface [interface-id] Verifies your entries.


Example:

SwitchDevice# show ip igmp interface

Related Topics
Example: Controlling Access to IP Multicast Groups, on page 962
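How the standard access list applied in Steps 4 and 6 decides a join request, modelled as an added example that is not from this guide and is not the switch's own implementation. It assumes the usual standard-ACL semantics the steps describe (ordered entries, wildcard bits set to one are ignored, "any" as shorthand, implicit deny at the end); the sample configuration and group addresses are constructed.

```python
import ipaddress

# Added example, not from the Cisco guide and not the switch's own code: a
# model of how the standard access list applied with `ip igmp access-group`
# decides whether a host may join a group.  Entries are tried in order, the
# wildcard marks the bits to ignore (ones = ignore), "any" is shorthand for
# 0.0.0.0 255.255.255.255, and the implicit deny at the end rejects every
# group no entry permits.


def wildcard_match(address: str, source: str, wildcard: str) -> bool:
    """True when `address` equals `source` on every bit the wildcard does not ignore."""
    care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    return (int(ipaddress.IPv4Address(address)) & care) == (int(ipaddress.IPv4Address(source)) & care)


def parse_standard_acl(lines):
    """Parse `access-list N {deny|permit} source [source-wildcard]` lines, keeping order."""
    entries = []
    for line in lines:
        parts = line.split()
        if len(parts) < 4 or parts[0] != "access-list" or parts[2] not in ("permit", "deny"):
            raise ValueError(f"not a standard access-list entry: {line!r}")
        number, action, source = int(parts[1]), parts[2], parts[3]
        if source == "any":
            source, wildcard = "0.0.0.0", "255.255.255.255"
        else:
            wildcard = parts[4] if len(parts) > 4 else "0.0.0.0"   # no wildcard: exact match
        entries.append((number, action, source, wildcard))
    return entries


def join_allowed(entries, acl_number: int, group: str) -> bool:
    """First matching entry of the numbered list wins; no match is the implicit deny."""
    for number, action, source, wildcard in entries:
        if number == acl_number and wildcard_match(group, source, wildcard):
            return action == "permit"
    return False


def permitted_groups(entries, acl_number: int, candidates):
    """Audit helper: which of the candidate groups hosts on the interface may join."""
    return [group for group in candidates if join_allowed(entries, acl_number, group)]


# Constructed configuration, modelled on Steps 4 and 6 above (list 10 applied to the interface).
SAMPLE_CONFIG = [
    "access-list 10 permit 225.2.2.0 0.0.0.255",
    "access-list 10 deny 239.0.0.0 0.255.255.255",
    "access-list 10 permit 224.0.1.0 0.0.0.255",
]

if __name__ == "__main__":
    acl = parse_standard_acl(SAMPLE_CONFIG)
    print(permitted_groups(acl, 10, ["225.2.2.2", "239.1.1.1", "224.0.1.40", "232.1.1.1"]))
```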

Changing the IGMP Version


By default, the switch uses IGMP Version 2, which provides features such as the IGMP query timeout and
the maximum query response time.
All systems on the subnet must support the same version. The switch does not automatically detect Version
1 systems and switch to Version 1. You can mix Version 1 and Version 2 hosts on the subnet because Version
2 routers or switches always work correctly with IGMPv1 hosts.
Configure the switch for Version 1 if your hosts do not support Version 2.
This procedure is optional.

SUMMARY STEPS
1. enable
2. configure terminal
3. interface interface-id
4. ip igmp version {1 | 2 | 3 }
5. end

6. show ip igmp interface [interface-id]
7. copy running-config startup-config

DETAILED STEPS

Command or Action Purpose


Step 1 enable Enables privileged EXEC mode. Enter your password if
prompted.
Example:

SwitchDevice> enable

Step 2 configure terminal Enters the global configuration mode.


Example:

SwitchDevice# configure terminal

Step 3 interface interface-id Specifies the interface to be configured, and enters the
interface configuration mode.
Example:

SwitchDevice(config)# interface gigabitethernet 1/0/1

Step 4 ip igmp version {1 | 2 | 3 } Specifies the IGMP version that the switch uses.
Note If you change to Version 1, you cannot configure the ip igmp query-interval or the ip igmp
query-max-response-time interface configuration commands.
To return to the default setting, use the no ip igmp version interface configuration command.
Example:

SwitchDevice(config-if)# ip igmp version 2

Step 5 end Returns to privileged EXEC mode.


Example:

SwitchDevice(config)# end

Step 6 show ip igmp interface [interface-id] Verifies your entries.


Example:

SwitchDevice# show ip igmp interface

Step 7 copy running-config startup-config (Optional) Saves your entries in the configuration file.
Example:

SwitchDevice# copy running-config startup-config

Related Topics
IGMP Versions, on page 945

Modifying the IGMP Host-Query Message Interval


The switch periodically sends IGMP host-query messages to discover which multicast groups are present on
attached networks. These messages are sent to the all-hosts multicast group (224.0.0.1) with a time-to-live
(TTL) of 1. The switch sends host-query messages to refresh its knowledge of memberships present on the
network. If, after some number of queries, the software discovers that no local hosts are members of a multicast
group, the software stops forwarding multicast packets to the local network from remote origins for that group
and sends a prune message upstream toward the source.
The switch elects a PIM designated router (DR) for the LAN (subnet). The designated router is responsible
for sending IGMP host-query messages to all hosts on the LAN. In sparse mode, the designated router also
sends PIM register and PIM join messages toward the RP router. With IGMPv2, the DR is the router or
multilayer switch with the highest IP address. With IGMPv1, the DR is elected according to the multicast
routing protocol that runs on the LAN.
This procedure is optional.

SUMMARY STEPS
1. enable
2. configure terminal
3. interface interface-id
4. ip igmp query-interval seconds
5. end
6. show ip igmp interface [interface-id]
7. copy running-config startup-config

DETAILED STEPS

Command or Action Purpose


Step 1 enable Enables privileged EXEC mode. Enter your password if
prompted.
Example:

SwitchDevice> enable

Step 2 configure terminal Enters the global configuration mode.


Example:

SwitchDevice# configure terminal

Step 3 interface interface-id Specifies the interface on which you want to enable
multicast routing, and enters interface configuration mode.
Example:

SwitchDevice(config)# interface
gigabitethernet 1/0/1

Step 4 ip igmp query-interval seconds Configures the frequency at which the designated router
sends IGMP host-query messages.
By default, the designated router sends IGMP host-query messages every 60 seconds to keep the IGMP overhead
very low on hosts and networks.
Example:

SwitchDevice(config-if)# ip igmp query-interval 75

Step 5 end Returns to privileged EXEC mode.


Example:

SwitchDevice(config)# end

Step 6 show ip igmp interface [interface-id] Verifies your entries.


Example:

SwitchDevice# show ip igmp interface

Step 7 copy running-config startup-config (Optional) Saves your entries in the configuration file.
Example:

SwitchDevice# copy running-config startup-config

Changing the IGMP Query Timeout for IGMPv2


If you are using IGMPv2, you can specify the period of time before the switch takes over as the querier for
the interface. By default, the switch waits twice the query interval period controlled by the ip igmp
query-interval interface configuration command. After that time, if the switch has received no queries, it
becomes the querier.
This procedure is optional.

SUMMARY STEPS
1. enable
2. configure terminal
3. interface interface-id
4. ip igmp querier-timeout seconds
5. end

6. show ip igmp interface [interface-id]
7. copy running-config startup-config

DETAILED STEPS

Command or Action Purpose


Step 1 enable Enables privileged EXEC mode. Enter your password if
prompted.
Example:

SwitchDevice> enable

Step 2 configure terminal Enters the global configuration mode.


Example:

SwitchDevice# configure terminal

Step 3 interface interface-id Specifies the interface on which you want to enable
multicast routing, and enters interface configuration mode.
Example:

SwitchDevice(config)# interface
gigabitethernet 1/0/1

Step 4 ip igmp querier-timeout seconds Specifies the IGMP query timeout.
The default is 60 seconds (twice the query interval). The range is 60 to 300.
Example:

SwitchDevice(config-if)# ip igmp querier-timeout 120

Step 5 end Returns to privileged EXEC mode.


Example:

SwitchDevice(config)# end

Step 6 show ip igmp interface [interface-id] Verifies your entries.


Example:

SwitchDevice# show ip igmp interface

Step 7 copy running-config startup-config (Optional) Saves your entries in the configuration file.
Example:

SwitchDevice# copy running-config startup-config

Changing the Maximum Query Response Time for IGMPv2


If you are using IGMPv2, you can change the maximum query response time advertised in IGMP queries.
The maximum query response time enables the switch to quickly detect that there are no more directly
connected group members on a LAN. Decreasing the value enables the switch to prune groups faster.
This procedure is optional.

SUMMARY STEPS
1. enable
2. configure terminal
3. interface interface-id
4. ip igmp query-max-response-time seconds
5. end
6. show ip igmp interface [interface-id]
7. copy running-config startup-config

DETAILED STEPS

Command or Action Purpose


Step 1 enable Enables privileged EXEC mode. Enter your password if
prompted.
Example:

SwitchDevice> enable

Step 2 configure terminal Enters the global configuration mode.


Example:

SwitchDevice# configure terminal

Step 3 interface interface-id Specifies the interface on which you want to enable
multicast routing, and enters interface configuration mode.
Example:

SwitchDevice(config)# interface gigabitethernet 1/0/1

Step 4 ip igmp query-max-response-time seconds Changes the maximum query response time advertised in
IGMP queries. The default is 10 seconds. The range is 1 to 25.
Example:

SwitchDevice(config-if)# ip igmp query-max-response-time 15

Step 5 end Returns to privileged EXEC mode.


Example:

SwitchDevice(config-if)# end

Step 6 show ip igmp interface [interface-id] Verifies your entries.


Example:

SwitchDevice# show ip igmp interface

Step 7 copy running-config startup-config (Optional) Saves your entries in the configuration file.
Example:

SwitchDevice# copy running-config startup-config

Configuring the Switch as a Statically Connected Member


At times there is either no group member on a network segment or a host on it that cannot report its
group membership by using IGMP. However, you may still want multicast traffic to be sent to that network
segment. The following commands are used to pull multicast traffic down to a network segment:
• ip igmp join-group—The switch accepts the multicast packets in addition to forwarding them. Accepting
the multicast packets prevents the switch from fast switching.
• ip igmp static-group—The switch does not accept the packets itself, but only forwards them. This
method enables fast switching. The outgoing interface appears in the IGMP cache, but the switch itself
is not a member, as evidenced by the lack of an L (local) flag in the multicast route entry.

This procedure is optional.

SUMMARY STEPS
1. enable
2. configure terminal
3. interface interface-id
4. ip igmp static-group group-address
5. end
6. show ip igmp interface [interface-id]
7. copy running-config startup-config

DETAILED STEPS

Command or Action Purpose


Step 1 enable Enables privileged EXEC mode. Enter your password if
prompted.
Example:

SwitchDevice> enable

Step 2 configure terminal Enters the global configuration mode.


Example:

SwitchDevice# configure terminal

Step 3 interface interface-id Specifies the interface on which you want to enable
multicast routing, and enters interface configuration mode.
Example:

SwitchDevice(config)# interface gigabitethernet 1/0/1

Step 4 ip igmp static-group group-address Configures the switch as a statically connected member of
a group. By default, this feature is disabled.
Example:

SwitchDevice(config-if)# ip igmp static-group 239.100.100.101

Step 5 end Returns to privileged EXEC mode.
Example:

SwitchDevice(config-if)# end

Step 6 show ip igmp interface [interface-id] Verifies your entries.
Example:

SwitchDevice# show ip igmp interface gigabitethernet 1/0/1

Step 7 copy running-config startup-config (Optional) Saves your entries in the configuration file.
Example:

SwitchDevice# copy running-config startup-config

Monitoring IGMP
You can display specific statistics, such as the contents of IP routing tables, caches, and databases.

Note This release does not support per-route statistics.

You can display information to learn resource usage and solve network problems. You can also display
information about node reachability and discover the routing path that packets of your device are taking
through the network.
You can use any of the privileged EXEC commands in the following table to display various routing statistics.

Table 106: Commands for Displaying System and Network Statistics

Command Purpose

show ip igmp groups [type-number | detail] Displays the multicast groups that are directly
connected to the switch and that were learned through IGMP.

show ip igmp interface [type number] Displays multicast-related information about an interface.

show ip igmp profile [profile_number] Displays IGMP profile information.

show ip igmp ssm-mapping [hostname/IP address] Displays IGMP SSM mapping information.

show ip igmp static-group {class-map [interface [type]]} Displays static group information.

show ip igmp vrf Displays the selected VPN routing/forwarding instance by name.

Configuration Examples for IGMP


Example: Configuring the Switch as a Member of a Multicast Group
This example shows how to enable the switch to join multicast group 255.2.2.2:

SwitchDevice(config)# interface gigabitethernet1/0/1
SwitchDevice(config-if)# ip igmp join-group 255.2.2.2
SwitchDevice(config-if)#

Related Topics
Configuring the Switch as a Member of a Group , on page 950
IGMP Join Process, on page 948
IGMP Leave Process, on page 948

Example: Controlling Access to IP Multicast Groups


This example shows how to configure hosts attached to a port as able to join only group 255.2.2.2:

Switch(config)# access-list 1 permit 255.2.2.2 0.0.0.0
Switch(config)# interface gigabitethernet1/0/1
Switch(config-if)# ip igmp access-group 1

Related Topics
Controlling Access to IP Multicast Group, on page 951
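The access-group example above filters which groups hosts on a port may join. As an added example (not code from the configuration guide), the following Python models what ip igmp access-group does with a standard ACL: entries are evaluated first-match using IOS wildcard-mask semantics, a standard ACL ends with an implicit deny, and only membership reports for a permitted multicast group are accepted on the port. The ACL entries, host addresses and group addresses are constructed for the illustration, and the helper names are assumptions of this example.

```python
import ipaddress

# Constructed standard ACL, in the spirit of the "access-list 1" example above:
# (action, address, wildcard). In an IOS wildcard mask a 1 bit means "ignore",
# so 0.0.0.0 matches one exact group and 0.0.255.255 matches a /16.
ACL_1 = [
    ("deny", "239.10.5.0", "0.0.0.255"),      # carve one /24 out of the /16 below
    ("permit", "239.10.0.0", "0.0.255.255"),
    ("permit", "239.1.1.1", "0.0.0.0"),
]


def _ip(addr):
    """Dotted-quad string to integer."""
    return int(ipaddress.IPv4Address(addr))


def acl_match(entry, addr):
    """True if addr matches the entry's (address, wildcard) pair."""
    _, base, wildcard = entry
    care = 0xFFFFFFFF ^ _ip(wildcard)          # bits that must be equal
    return (_ip(addr) & care) == (_ip(base) & care)


def acl_action(acl, addr):
    """First-match evaluation; a standard ACL ends with an implicit deny."""
    for entry in acl:
        if acl_match(entry, addr):
            return entry[0]
    return "deny"


def filter_igmp_reports(acl, reports):
    """Model of 'ip igmp access-group <acl>' applied on a port.

    reports: constructed list of (host, group) IGMP membership reports.
    A report is accepted only if the group is a multicast address and the
    ACL permits it; everything else is dropped and the host never joins.
    Returns (accepted, rejected).
    """
    accepted, rejected = [], []
    for host, group in reports:
        if ipaddress.IPv4Address(group).is_multicast and acl_action(acl, group) == "permit":
            accepted.append((host, group))
        else:
            rejected.append((host, group))
    return accepted, rejected


# Constructed membership reports seen on the access port.
REPORTS = [
    ("10.0.0.11", "239.1.1.1"),    # exact permit
    ("10.0.0.12", "239.1.1.2"),    # no entry matches: implicit deny
    ("10.0.0.13", "239.10.5.7"),   # explicit deny wins because it comes first
    ("10.0.0.14", "239.10.6.1"),   # permitted by the /16 entry
    ("10.0.0.15", "224.0.1.40"),   # multicast, but not permitted
    ("10.0.0.16", "10.0.0.1"),     # not a multicast group at all
]

if __name__ == "__main__":
    ok, dropped = filter_igmp_reports(ACL_1, REPORTS)
    for host, group in ok:
        print("accept", host, "->", group)
    for host, group in dropped:
        print("drop  ", host, "->", group)
```

Entry order matters: the deny for 239.10.5.0/24 only takes effect because it precedes the permit for 239.10.0.0/16, and anything not listed falls through to the implicit deny, which is the property an access-group relies on to keep hosts out of groups they were never granted.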

CHAPTER 40
Configuring CGMP
• Finding Feature Information, on page 963
• Prerequisites for Configuring CGMP, on page 963
• Restrictions for CGMP, on page 963
• Information About CGMP, on page 964
• Enabling CGMP Server Support, on page 964
• Monitoring CGMP, on page 966

Finding Feature Information


Your software release may not support all the features documented in this module. For the latest caveats and
feature information, see Bug Search Tool and the release notes for your platform and software release. To
find information about the features documented in this module, and to see a list of the releases in which each
feature is supported, see the feature information table.
Use Cisco Feature Navigator to find information about platform support and Cisco software image support.
To access Cisco Feature Navigator, go to www.cisco.com/go/cfn. An account on Cisco.com is not required.

Prerequisites for Configuring CGMP


The following are the prerequisites for configuring CGMP:
• When multiple Cisco CGMP-capable devices are connected to a switched network and the ip cgmp
proxy command is needed, we recommend that all devices be configured with the same CGMP option
and have precedence for becoming the IGMP querier over non-Cisco routers.
• To use CGMP, you must have IP Services feature set enabled on the 3560-CX switch.

Restrictions for CGMP


The following are the restrictions for CGMP:
• CGMP is mutually exclusive with HSRPv1. You cannot enable CGMP leave processing and HSRPv1
at the same time. However, you can enable CGMP and HSRPv2 at the same time.

Information About CGMP


Cisco Group Management Protocol (CGMP) server support is provided on the switch; no client-side
functionality is provided. The switch serves as a CGMP server for devices that do not support IGMP snooping
but have CGMP-client functionality.
CGMP is a protocol used on Cisco routers and multilayer switches connected to Layer 2 Catalyst switches to
perform tasks similar to those performed by IGMP. CGMP permits Layer 2 group membership information
to be communicated from the CGMP server to the switch. The switch can then learn on which interfaces
multicast members reside instead of flooding multicast traffic to all switch interfaces. (IGMP snooping is
another method to constrain the flooding of multicast packets.)
CGMP is necessary because the Layer 2 switch cannot distinguish between IP multicast data packets and
IGMP report messages, which are both at the MAC level and are addressed to the same group address.

Enabling CGMP Server Support


When multiple Cisco CGMP-capable devices are connected to a switched network and you configure the ip
cgmp proxy command, we recommend that all devices be configured with the same CGMP option and have
precedence for becoming the IGMP querier over non-Cisco routers. Perform these steps to enable the CGMP
server on the switch interface:
This procedure is optional.

SUMMARY STEPS
1. enable
2. configure terminal
3. interface interface-id
4. ip cgmp [proxy | router-only]
5. end
6. show running-config
7. copy running-config startup-config

DETAILED STEPS

Command or Action Purpose


Step 1 enable Enables privileged EXEC mode. Enter your password if prompted.
Example:

SwitchDevice> enable

Step 2 configure terminal Enters global configuration mode.


Example:

SwitchDevice# configure terminal


Step 3 interface interface-id Specifies the interface that is connected to the Layer 2
Catalyst switch, and enters interface configuration mode.
Example:

SwitchDevice(config)# interface gigabitethernet 1/0/1

Step 4 ip cgmp [proxy | router-only] Enables CGMP on the interface.
By default, CGMP is disabled on all interfaces. Enabling CGMP triggers a CGMP join message. Enable
CGMP only on Layer 3 interfaces connected to Layer 2 Catalyst switches.
(Optional) When you enter the proxy keyword, the CGMP proxy function is enabled. The proxy router
advertises the existence of non-CGMP-capable routers by sending a CGMP join message with the
non-CGMP-capable router MAC address and a group address of 0000.0000.0000.

Note To perform CGMP proxy, the switch must be the IGMP querier. If you configure the ip cgmp
proxy command, you must manipulate the IP addresses so that the switch is the IGMP querier,
which might be the highest or lowest IP address, depending on which version of IGMP is running
on the network. An IGMP Version 2 querier is selected based on the lowest IP address on the
interface. An IGMP Version 1 querier is selected based on the multicast routing protocol used on
the interface.

Note To disable CGMP on the interface, use the no ip cgmp interface configuration command.

Example:

SwitchDevice(config-if)# ip cgmp proxy

Step 5 end Returns to privileged EXEC mode.


Example:

SwitchDevice(config-if)# end

Step 6 show running-config Verifies your entries.


Example:

SwitchDevice# show running-config

Step 7 copy running-config startup-config (Optional) Saves your entries in the configuration file.
Example:

SwitchDevice# copy running-config startup-config

What to do next
Verify the Layer 2 Catalyst switch CGMP-client configuration. For more information, see the documentation
that shipped with the product.
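The note on Step 4 states that the switch must be the IGMP querier for ip cgmp proxy to work and that an IGMPv2 querier is chosen by lowest IP address on the interface; the earlier ip igmp querier-timeout procedure sets how long a router waits, after the last query heard from a lower-address querier, before it takes over the querier role itself. The Python below is an added example, not Cisco code, that models both rules against a constructed list of queries heard on an interface. The function names and the 10.0.0.x addresses are assumptions made for the illustration.

```python
import ipaddress

# Values from the page: the default querier timeout is 60 seconds, and the
# earlier procedure sets it to 120 with "ip igmp querier-timeout 120".
DEFAULT_QUERIER_TIMEOUT = 60
CONFIGURED_QUERIER_TIMEOUT = 120


def _ip(addr):
    return int(ipaddress.IPv4Address(addr))


def elect_querier(router_ips):
    """IGMPv2 rule from the note: the lowest IP address on the segment wins."""
    return min(router_ips, key=_ip)


def cgmp_proxy_viable(self_ip, other_router_ips):
    """ip cgmp proxy only works if this switch will be the IGMP querier, that is,
    if no other router on the interface has a lower address."""
    return elect_querier([self_ip, *other_router_ips]) == self_ip


def is_querier(self_ip, heard_queries, now, timeout=DEFAULT_QUERIER_TIMEOUT):
    """Return True if self_ip acts as querier at time `now`.

    heard_queries: constructed list of (time, source_ip) general queries seen on
    the interface. A router defers only to queries from a lower address, and only
    while one arrived within the last `timeout` seconds (the timer that
    ip igmp querier-timeout sets). Once that window passes without a query, the
    router resumes sending queries itself.
    """
    for t, src in heard_queries:
        if _ip(src) < _ip(self_ip) and now - timeout < t <= now:
            return False
    return True


def failover_time(self_ip, heard_queries, timeout):
    """Earliest time at which self_ip takes over after the last lower-address
    query; None if it never had to defer."""
    lower = [t for t, src in heard_queries if _ip(src) < _ip(self_ip)]
    return None if not lower else max(lower) + timeout


# Constructed scenario: router 10.0.0.1 is the elected querier and sends general
# queries every 60 s, then fails after its query at t=120. This switch is 10.0.0.2.
SELF = "10.0.0.2"
HEARD = [(0, "10.0.0.1"), (60, "10.0.0.1"), (120, "10.0.0.1")]

if __name__ == "__main__":
    for timeout in (DEFAULT_QUERIER_TIMEOUT, CONFIGURED_QUERIER_TIMEOUT):
        print("timeout", timeout, "-> this switch becomes querier at t =",
              failover_time(SELF, HEARD, timeout))
    print("cgmp proxy viable with 10.0.0.1 present:",
          cgmp_proxy_viable(SELF, ["10.0.0.1"]))
```

Raising the querier timeout from 60 to 120 delays the takeover from t=180 to t=240 in this scenario, which is the trade-off the querier-timeout procedure exposes: a longer timeout tolerates a slow querier, a shorter one restores querying sooner after a querier fails. The proxy check shows why the note tells you to arrange addresses so the switch wins the election.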

Monitoring CGMP
You can display specific statistics, such as the contents of IP routing tables, caches, and databases.

Note This release does not support per-route statistics.

You can display information to learn resource usage and solve network problems. You can also display
information about node reachability and discover the routing path that packets of your device are taking
through the network.
You can use any of the privileged EXEC commands in the following table to display various routing statistics.

Table 107: Commands for Displaying System and Network Statistics

Command Purpose

ping [group-name | group-address] Sends an ICMP Echo Request to a multicast group address.

show ip igmp groups [group-name | group-address | type number] Displays the multicast groups that are
directly connected to the switch and that were learned through IGMP.

show ip igmp interface [type number] Displays multicast-related information about an interface.

show ip mcache [group [source]] Displays the contents of the IP fast-switching cache.

show ip mpacket [source-address | name] [group-address | name] [detail] Displays the contents of the
circular cache-header buffer.

show ip mroute [group-name | group-address] [source] [summary] [count] [active kbps] Displays the
contents of the IP multicast routing table.

show ip pim interface [type number] [count] [detail] Displays information about interfaces configured for
PIM. This command is available in all software images.

show ip pim neighbor [type number] Lists the PIM neighbors discovered by the switch. This command is
available in all software images.

show ip pim rp [group-name | group-address] Displays the RP routers associated with a sparse-mode
multicast group. This command is available in all software images.

show ip rpf {source-address | name} Displays how the switch is doing Reverse-Path Forwarding (that is,
from the unicast routing table, DVMRP routing table, or static mroutes).

show ip sap [group | session-name | detail] Displays the Session Announcement Protocol (SAP) Version 2
cache.

CHAPTER 41
Configuring PIM
• Prerequisites for PIM, on page 969
• Restrictions for PIM, on page 970
• Information About PIM, on page 972
• How to Configure PIM, on page 984
• Monitoring and Troubleshooting PIM, on page 1016
• Configuration Examples for PIM, on page 1017

Prerequisites for PIM


• Before you begin the PIM configuration process, decide which PIM mode to use. This is based on the
applications you intend to support on your network. Use the following guidelines:
• In general, if the application is one-to-many or many-to-many in nature, then PIM-SM can be used
successfully.
• For optimal one-to-many application performance, SSM is appropriate but requires IGMP version
3 support.

• Before you configure PIM stub routing, check that you have met these conditions:
• You must have IP multicast routing configured on both the stub router and the central router. You
must also have PIM mode (dense-mode, sparse-mode, or sparse-dense-mode) configured on the
uplink interface of the stub router.
• You must also configure Enhanced Interior Gateway Routing Protocol (EIGRP) stub routing on the
switch.
• The PIM stub router does not route the transit traffic between the distribution routers. Unicast
(EIGRP) stub routing enforces this behavior. You must configure unicast stub routing to assist the
PIM stub router behavior.

Restrictions for PIM


PIMv1 and PIMv2 Interoperability
To avoid misconfiguring multicast routing on your switch, review the information in this section.
The Cisco PIMv2 implementation provides interoperability and transition between Version 1 and Version 2,
although there might be some minor problems.
You can upgrade to PIMv2 incrementally. PIM Versions 1 and 2 can be configured on different routers and
multilayer switches within one network. Internally, all routers and multilayer switches on a shared media
network must run the same PIM version. Therefore, if a PIMv2 device detects a PIMv1 device, the Version
2 device downgrades itself to Version 1 until all Version 1 devices have been shut down or upgraded.
PIMv2 uses the BSR to discover and announce RP-set information for each group prefix to all the routers and
multilayer switches in a PIM domain. PIMv1, together with the Auto-RP feature, can perform the same tasks
as the PIMv2 BSR. However, Auto-RP is a standalone protocol, separate from PIMv1, and is a proprietary
Cisco protocol. PIMv2 is a standards track protocol in the IETF.

Note We recommend that you use PIMv2. The BSR function interoperates with Auto-RP on Cisco routers and
multilayer switches.

When PIMv2 devices interoperate with PIMv1 devices, Auto-RP should have already been deployed. A PIMv2
BSR that is also an Auto-RP mapping agent automatically advertises the RP elected by Auto-RP. That is,
Auto-RP sets its single RP on every router or multilayer switch in the group. Not all routers and switches in
the domain use the PIMv2 hash function to select multiple RPs.
Dense-mode groups in a mixed PIMv1 and PIMv2 region need no special configuration; they automatically
interoperate.
Sparse-mode groups in a mixed PIMv1 and PIMv2 region are possible because the Auto-RP feature in PIMv1
interoperates with the PIMv2 RP feature. Although all PIMv2 devices can also use PIMv1, we recommend
that the RPs be upgraded to PIMv2. To ease the transition to PIMv2, we recommend:
• Using Auto-RP throughout the region.
• Configuring sparse-dense mode throughout the region.

If Auto-RP is not already configured in the PIMv1 regions, configure Auto-RP.

Restrictions for Configuring PIM Stub Routing


• The IP services image contains complete multicast routing.
• Only directly connected multicast (IGMP) receivers and sources are allowed in the Layer 2 access
domains. The PIM protocol is not supported in access domains.
• In a network using PIM stub routing, the only allowable route for IP traffic to the user is through a switch
that is configured with PIM stub routing.

• The redundant PIM stub router topology is not supported. Only the nonredundant access router topology
is supported by the PIM stub feature.

Restrictions for Configuring Auto-RP and BSR


Take into consideration your network configuration, and the following restrictions when configuring Auto-RP
and BSR:

Restrictions for Configuring Auto-RP


The following are restrictions for configuring Auto-RP (if used in your network configuration):
• If you configure PIM in sparse mode or sparse-dense mode and do not configure Auto-RP, you must
manually configure an RP.
• If routed interfaces are configured in sparse mode, Auto-RP can still be used if all devices are configured
with a manual RP address for the Auto-RP groups.
• If routed interfaces are configured in sparse mode and you enter the ip pim autorp listener global
configuration command, Auto-RP can still be used even if all devices are not configured with a manual
RP address for the Auto-RP groups.

Restrictions for Configuring BSR


The following are the restrictions for configuring BSR (if used in your network configuration):
• Configure the candidate BSRs as the RP-mapping agents for Auto-RP.
• For group prefixes advertised through Auto-RP, the PIMv2 BSR mechanism should not advertise a
subrange of these group prefixes served by a different set of RPs. In a mixed PIMv1 and PIMv2 domain,
have backup RPs serve the same group prefixes. This prevents the PIMv2 DRs from selecting a different
RP from those PIMv1 DRs, due to the longest match lookup in the RP-mapping database.

Restrictions and Guidelines for Configuring Auto-RP and BSR


The following are restrictions for configuring Auto-RP and BSR (if used in your network configuration):
• If your network is all Cisco routers and multilayer switches, you can use either Auto-RP or BSR.
• If you have non-Cisco routers in your network, you must use BSR.
• If you have Cisco PIMv1 and PIMv2 routers and multilayer switches and non-Cisco routers, you must
use both Auto-RP and BSR. If your network includes routers from other vendors, configure the Auto-RP
mapping agent and the BSR on a Cisco PIMv2 device. Ensure that no PIMv1 device is located in the
path between the BSR and a non-Cisco PIMv2 device.

Note There are two approaches to using PIMv2. You can use Version 2 exclusively in
your network or migrate to Version 2 by employing a mixed PIM version
environment.

• Because bootstrap messages are sent hop-by-hop, a PIMv1 device prevents these messages from reaching
all routers and multilayer switches in your network. Therefore, if your network has a PIMv1 device in
it and only Cisco routers and multilayer switches, it is best to use Auto-RP.
• If you have a network that includes non-Cisco routers, configure the Auto-RP mapping agent and the
BSR on a Cisco PIMv2 router or multilayer switch. Ensure that no PIMv1 device is on the path between
the BSR and a non-Cisco PIMv2 router.
• If you have non-Cisco PIMv2 routers that need to interoperate with Cisco PIMv1 routers and multilayer
switches, both Auto-RP and a BSR are required. We recommend that a Cisco PIMv2 device be both the
Auto-RP mapping agent and the BSR.

Information About PIM


Protocol Independent Multicast
The Protocol Independent Multicast (PIM) protocol maintains the current IP multicast service mode of
receiver-initiated membership. PIM is not dependent on a specific unicast routing protocol; it is IP routing
protocol independent and can leverage whichever unicast routing protocols are used to populate the unicast
routing table, including Enhanced Interior Gateway Routing Protocol (EIGRP), Open Shortest Path First
(OSPF), Border Gateway Protocol (BGP), and static routes. PIM uses unicast routing information to perform
the multicast forwarding function.
Although PIM is called a multicast routing protocol, it actually uses the unicast routing table to perform the
reverse path forwarding (RPF) check function instead of building up a completely independent multicast
routing table. Unlike other routing protocols, PIM does not send and receive routing updates between routers.
PIM can operate in dense mode or sparse mode. The router can also handle both sparse groups and dense
groups at the same time. The mode determines how the router populates its multicast routing table and how
the router forwards multicast packets it receives from its directly connected LANs.
PIM is supported only on 3560-CX switches.
For information about PIM forwarding (interface) modes, see the following sections:

PIM Dense Mode


PIM dense mode (PIM-DM) uses a push model to flood multicast traffic to every corner of the network. This
push model is a method for delivering data to the receivers without the receivers requesting the data. This
method is efficient in certain deployments in which there are active receivers on every subnet in the network.
In dense mode, a router assumes that all other routers want to forward multicast packets for a group. If a router
receives a multicast packet and has no directly connected members or PIM neighbors present, a prune message
is sent back to the source. Subsequent multicast packets are not flooded to this router on this pruned branch.
PIM builds source-based multicast distribution trees.
PIM-DM initially floods multicast traffic throughout the network. Routers that have no downstream neighbors
prune back the unwanted traffic. This process repeats every 3 minutes.
Routers accumulate state information by receiving data streams through the flood and prune mechanism.
These data streams contain the source and group information so that downstream routers can build up their
multicast forwarding table. PIM-DM supports only source trees, that is, (S,G) entries, and cannot be used to
build a shared distribution tree.


Note Dense mode is not often used and its use is not recommended. For this reason it is not specified in the
configuration tasks in related modules.

PIM Sparse Mode


PIM sparse mode (PIM-SM) uses a pull model to deliver multicast traffic. Only network segments with active
receivers that have explicitly requested the data will receive the traffic.
Unlike dense mode interfaces, sparse mode interfaces are added to the multicast routing table only when
periodic Join messages are received from downstream routers, or when a directly connected member is on
the interface. When forwarding from a LAN, sparse mode operation occurs if an RP is known for the group.
If so, the packets are encapsulated and sent toward the RP. When no RP is known, the packet is flooded in a
dense mode fashion. If the multicast traffic from a specific source is sufficient, the first hop router of the
receiver may send Join messages toward the source to build a source-based distribution tree.
PIM-SM distributes information about active sources by forwarding data packets on the shared tree. Because
PIM-SM uses shared trees (at least, initially), it requires the use of a rendezvous point (RP). The RP must be
administratively configured in the network. See the Rendezvous Points, on page 976 section for more
information.
In sparse mode, a router assumes that other routers do not want to forward multicast packets for a group,
unless there is an explicit request for the traffic. When hosts join a multicast group, the directly connected
routers send PIM Join messages toward the RP. The RP keeps track of multicast groups. Hosts that send
multicast packets are registered with the RP by the first hop router of that host. The RP then sends Join
messages toward the source. At this point, packets are forwarded on a shared distribution tree. If the multicast
traffic from a specific source is sufficient, the first hop router of the host may send Join messages toward the
source to build a source-based distribution tree.
Sources register with the RP and then data is forwarded down the shared tree to the receivers. The edge routers
learn about a particular source when they receive data packets on the shared tree from that source through the
RP. The edge router then sends PIM (S,G) Join messages toward that source. Each router along the reverse
path compares the unicast routing metric of the RP address to the metric of the source address. If the metric
for the source address is better, it will forward a PIM (S,G) Join message toward the source. If the metric for
the RP is the same or better, then the PIM (S,G) Join message will be sent in the same direction as the RP. In
this case, the shared tree and the source tree would be considered congruent.
If the shared tree is not an optimal path between the source and the receiver, the routers dynamically create
a source tree and stop traffic from flowing down the shared tree. This behavior is the default behavior in
software. Network administrators can force traffic to stay on the shared tree by using the ip pim spt-threshold
infinity command.
PIM-SM scales well to a network of any size, including those with WAN links. The explicit join mechanism
prevents unwanted traffic from flooding the WAN links.
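Two points in this section can be made concrete: the RPF check, in which PIM accepts a multicast packet only if it arrived on the interface the unicast routing table uses to reach its source, and the (S,G) Join decision described above, in which each router compares the unicast metric toward the source with the metric toward the RP. The Python below is an added example, not Cisco code; it uses a constructed routing table with a longest-prefix lookup and assumes, as IOS does, that a lower metric is better. The interface names, prefixes, metrics and the RP address are constructed for the illustration.

```python
import ipaddress

# Constructed unicast routing table: (prefix, outgoing interface, metric).
# Interface names and metrics are illustrative; a lower metric is better.
ROUTES = [
    ("0.0.0.0/0", "GigabitEthernet1/0/24", 100),
    ("10.1.0.0/16", "GigabitEthernet1/0/1", 30),
    ("10.1.5.0/24", "GigabitEthernet1/0/2", 10),
    ("172.16.0.0/16", "GigabitEthernet1/0/4", 20),
    ("192.168.100.0/24", "GigabitEthernet1/0/3", 20),
]


def lookup(routes, addr):
    """Longest-prefix match. Returns (interface, metric), or None if no route."""
    target = ipaddress.IPv4Address(addr)
    best = None
    for prefix, iface, metric in routes:
        net = ipaddress.IPv4Network(prefix)
        if target in net and (best is None or net.prefixlen > best[0]):
            best = (net.prefixlen, iface, metric)
    return None if best is None else (best[1], best[2])


def rpf_check(routes, source, arrival_iface):
    """PIM RPF check: the packet passes only if it arrived on the interface the
    unicast table would use to reach its source. Anything else is dropped,
    which is what keeps looped or wrongly injected traffic off the tree."""
    route = lookup(routes, source)
    return route is not None and route[0] == arrival_iface


def spt_join_direction(routes, source, rp):
    """Where this router sends the PIM (S,G) Join, following the text above:
    toward the source if the unicast metric to the source is better (lower),
    otherwise in the RP's direction, in which case the shared tree and the
    source tree are congruent at this hop.
    Returns (interface, "source" or "rp")."""
    to_source = lookup(routes, source)
    to_rp = lookup(routes, rp)
    if to_source is None or to_rp is None:
        raise ValueError("no unicast route for source or RP; the RPF check would fail")
    if to_source[1] < to_rp[1]:
        return to_source[0], "source"
    return to_rp[0], "rp"


RP = "192.168.100.1"   # constructed RP address

if __name__ == "__main__":
    for src in ("10.1.5.9", "10.1.7.9", "172.16.3.3"):
        print(src,
              "RPF ok on Gi1/0/2:", rpf_check(ROUTES, src, "GigabitEthernet1/0/2"),
              "| (S,G) Join:", spt_join_direction(ROUTES, src, RP))
```

The longest-prefix lookup is what ties RPF to the unicast table: the /24 toward 10.1.5.0 wins over the /16, so a packet from 10.1.5.9 is accepted only on Gi1/0/2. In the join decision the source 172.16.3.3 has the same metric as the RP, so the Join follows the RP's direction exactly as the text describes, while the closer source 10.1.5.9 pulls the Join toward itself.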

Sparse-Dense Mode
If you configure either sparse mode or dense mode on an interface, then sparseness or denseness is applied
to the interface as a whole. However, some environments might require PIM to run in a single region in sparse
mode for some groups and in dense mode for other groups.
An alternative to enabling only dense mode or only sparse mode is to enable sparse-dense mode. In this case,
the interface is treated as dense mode if the group is in dense mode; the interface is treated in sparse mode if
the group is in sparse mode. You must have an RP if the interface is in sparse-dense mode and you want to
treat the group as a sparse group.
If you configure sparse-dense mode, the idea of sparseness or denseness is applied to the groups for which
the router is a member.
Another benefit of sparse-dense mode is that Auto-RP information can be distributed in a dense mode; yet,
multicast groups for user groups can be used in a sparse mode manner. Therefore there is no need to configure
a default RP at the leaf routers.
When an interface is treated in dense mode, it is populated in the outgoing interface list of a multicast routing
table when either of the following conditions is true:
• Members or DVMRP neighbors are on the interface.
• There are PIM neighbors and the group has not been pruned.

When an interface is treated in sparse mode, it is populated in the outgoing interface list of a multicast routing
table when either of the following conditions is true:
• Members or DVMRP neighbors are on the interface.
• An explicit Join message has been received by a PIM neighbor on the interface.

PIM Versions
PIMv2 includes these improvements over PIMv1:
• A single, active rendezvous point (RP) exists per multicast group, with multiple backup RPs. This single
RP compares to multiple active RPs for the same group in PIMv1.
• A bootstrap router (BSR) provides a fault-tolerant, automated RP discovery and distribution function
that enables routers and multilayer switches to dynamically learn the group-to-RP mappings.
• Sparse mode and dense mode are properties of a group, as opposed to an interface.

Note We strongly recommend using sparse-dense mode as opposed to either sparse mode or dense mode only.

• PIM join and prune messages have more flexible encoding for multiple address families.
• A more flexible hello packet format replaces the query packet to encode current and future capability
options.
• Register messages sent to an RP specify whether they are sent by a border router or a designated router.
• PIM packets are no longer inside IGMP packets; they are standalone packets.

PIM Stub Routing


The PIM stub routing feature, available in all of the switch software images, reduces resource usage by moving
routed traffic closer to the end user.

The PIM stub routing feature supports multicast routing between the distribution layer and the access layer.
It supports two types of PIM interfaces, uplink PIM interfaces, and PIM passive interfaces. A routed interface
configured with the PIM passive mode does not pass or forward PIM control traffic, it only passes and forwards
IGMP traffic.
In a network using PIM stub routing, the only allowable route for IP traffic to the user is through a switch
that is configured with PIM stub routing. PIM passive interfaces are connected to Layer 2 access domains,
such as VLANs, or to interfaces that are connected to other Layer 2 devices. Only directly connected multicast
(IGMP) receivers and sources are allowed in the Layer 2 access domains. The PIM passive interfaces do not
send or process any received PIM control packets.
When using PIM stub routing, you should configure the distribution and remote routers to use IP multicast
routing and configure only the switch as a PIM stub router. The switch does not route transit traffic between
distribution routers. You also need to configure a routed uplink port on the switch. The switch uplink port
cannot be used with SVIs. If you need PIM for an SVI uplink port, you should upgrade to the IP Services
feature set.

Note You must also configure EIGRP stub routing when configuring PIM stub routing on the switch.

The redundant PIM stub router topology is not supported. A redundant topology exists when more
than one PIM router forwards multicast traffic to a single access domain. PIM messages are blocked, and
the PIM assert and designated router election mechanisms are not supported on the PIM passive interfaces.
Only the nonredundant access router topology is supported by the PIM stub feature. In a nonredundant
topology, the PIM passive interface assumes that it is the only interface and designated router on that access
domain.
In the following figure, the Switch A routed uplink port 25 is connected to the router and PIM stub routing
is enabled on the VLAN 100 interfaces and on Host 3. This configuration allows the directly connected hosts
to receive traffic from multicast source 200.1.1.3.
Figure 86: PIM Stub Router Configuration

IGMP Helper
PIM stub routing moves routed traffic closer to the end user and reduces network traffic. You can also reduce
traffic by configuring a stub router (switch) with the IGMP helper feature.


You can configure a stub router (switch) with the ip igmp helper-address ip-address interface configuration
command to enable the switch to send reports to the next-hop interface. Hosts that are not directly connected
to a downstream router can then join a multicast group sourced from an upstream network. The IGMP packets
from a host wanting to join a multicast stream are forwarded upstream to the next-hop device when this feature
is configured. When the upstream central router receives the helper IGMP reports or leaves, it adds or removes
the interfaces from its outgoing interface list for that group.

Rendezvous Points
A rendezvous point (RP) is a role that a device performs when operating in Protocol Independent Multicast
(PIM) Sparse Mode (SM). An RP is required only in networks running PIM SM. In the PIM-SM model, only
network segments with active receivers that have explicitly requested multicast data will be forwarded the
traffic. This method of delivering multicast data is in contrast to PIM Dense Mode (PIM DM). In PIM DM,
multicast traffic is initially flooded to all segments of the network. Routers that have no downstream neighbors
or directly connected receivers prune back the unwanted traffic.
An RP acts as the meeting place for sources and receivers of multicast data. In a PIM-SM network, sources
must send their traffic to the RP. This traffic is then forwarded to receivers down a shared distribution tree.
By default, when the first hop device of the receiver learns about the source, it will send a Join message directly
to the source, creating a source-based distribution tree from the source to the receiver. This source tree does
not include the RP unless the RP is located within the shortest path between the source and receiver.
In most cases, the placement of the RP in the network is not a complex decision. By default, the RP is needed
only to start new sessions with sources and receivers. Consequently, the RP experiences little overhead from
traffic flow or processing. In PIM version 2, the RP performs less processing than in PIM version 1 because
sources must only periodically register with the RP to create state.

Auto-RP
In the first version of PIM-SM, all leaf routers (routers directly connected to sources or receivers) were required
to be manually configured with the IP address of the RP. This type of configuration is also known as static
RP configuration. Configuring static RPs is relatively easy in a small network, but it can be laborious in a
large, complex network.
Following the introduction of PIM-SM version 1, Cisco implemented a version of PIM-SM with the Auto-RP
feature. Auto-RP automates the distribution of group-to-RP mappings in a PIM network. Auto-RP has the
following benefits:
• Configuring the use of multiple RPs within a network to serve different groups is easy.
• Auto-RP allows load splitting among different RPs and arrangement of RPs according to the location of
group participants.
• Auto-RP avoids inconsistent, manual RP configurations that can cause connectivity problems.

Multiple RPs can be used to serve different group ranges or serve as backups to each other. For Auto-RP to
work, a router must be designated as an RP-mapping agent, which receives the RP-announcement messages
from the RPs and arbitrates conflicts. The RP-mapping agent then sends the consistent group-to-RP mappings
to all other routers. Thus, all routers automatically discover which RP to use for the groups they support.

Note If you configure PIM in sparse mode or sparse-dense mode and do not configure Auto-RP, you must statically
configure an RP.


Note If router interfaces are configured in sparse mode, Auto-RP can still be used if all routers are configured with
a static RP address for the Auto-RP groups.

To make Auto-RP work, a router must be designated as an RP mapping agent, which receives the RP
announcement messages from the RPs and arbitrates conflicts. The RP mapping agent then sends the consistent
group-to-RP mappings to all other routers by dense mode flooding. Thus, all routers automatically discover
which RP to use for the groups they support. The Internet Assigned Numbers Authority (IANA) has assigned
two group addresses, 224.0.1.39 and 224.0.1.40, for Auto-RP. One advantage of Auto-RP is that any change
to the RP designation must be configured only on the routers that are RPs and not on the leaf routers. Another
advantage of Auto-RP is that it offers the ability to scope the RP address within a domain. Scoping can be
achieved by defining the time-to-live (TTL) value allowed for the Auto-RP advertisements.
Each method for configuring an RP has its own strengths, weaknesses, and level of complexity. In conventional
IP multicast network scenarios, we recommend using Auto-RP to configure RPs because it is easy to configure,
well-tested, and stable. The alternative ways to configure an RP are static RP, Auto-RP, and bootstrap router.

Sparse-Dense Mode for Auto-RP


A prerequisite of Auto-RP is that all interfaces must be configured in sparse-dense mode using the ip pim
sparse-dense-mode interface configuration command. An interface configured in sparse-dense mode is treated
in either sparse mode or dense mode of operation, depending on which mode the multicast group operates. If
a multicast group has a known RP, the interface is treated in sparse mode. If a group has no known RP, by
default the interface is treated in dense mode and data will be flooded over this interface. (You can prevent
dense-mode fallback; see the module “Configuring Basic IP Multicast.”)
To successfully implement Auto-RP and prevent any groups other than 224.0.1.39 and 224.0.1.40 from
operating in dense mode, we recommend configuring a “sink RP” (also known as “RP of last resort”). A sink
RP is a statically configured RP that may or may not actually exist in the network. Configuring a sink RP
does not interfere with Auto-RP operation because, by default, Auto-RP messages supersede static RP
configurations. We recommend configuring a sink RP for all possible multicast groups in your network,
because it is possible for an unknown or unexpected source to become active. If no RP is configured to limit
source registration, the group may revert to dense mode operation and be flooded with data.
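The following configuration is an added example and is not the guide's own configuration. It puts the pieces described above together on one device: sparse-dense mode on every PIM interface, a sink RP that keeps unexpected groups out of dense mode, a candidate RP, a mapping agent with TTL scoping, and a filter on incoming RP announcements (the "Filtering incoming RP announcement messages" method that this chapter lists but does not show). It also previews the "Setting Up Auto-RP in a New Internetwork" procedure later in this chapter. All addresses, access list numbers, interface names and TTL values are assumptions.

```cisco
! Added example, not the guide's own configuration. Addresses, list numbers,
! interface names and TTL values are assumptions.
ip multicast-routing distributed

! 1. Every PIM interface in sparse-dense mode (Auto-RP prerequisite): the two
!    Auto-RP groups are flooded in dense mode, every group with a known RP
!    runs in sparse mode.
interface Loopback0
 ip address 10.255.0.1 255.255.255.255
 ip pim sparse-dense-mode
interface GigabitEthernet1/0/1
 no switchport
 ip address 10.1.1.1 255.255.255.0
 ip pim sparse-dense-mode

! 2. Sink RP (RP of last resort): a static RP for every group except the two
!    Auto-RP groups, so that an unknown or unexpected source cannot drive a
!    group into dense-mode flooding. No "override" keyword, so mappings
!    learned through Auto-RP still take precedence over this entry.
access-list 1 deny   224.0.1.39
access-list 1 deny   224.0.1.40
access-list 1 permit 224.0.0.0 15.255.255.255
ip pim rp-address 10.255.0.1 1
! Belt and braces: forbid dense-mode fallback altogether (the two Auto-RP
! groups themselves are still flooded). This is the command the
! "Configuring Basic IP Multicast" module refers to; assumed available here.
no ip pim dm-fallback

! 3. Candidate RP: announce Loopback0 as the RP for the locally scoped range.
!    "scope 16" is the TTL of the RP-announce messages sent to 224.0.1.39.
access-list 10 permit 239.0.0.0 0.255.255.255
ip pim send-rp-announce Loopback0 scope 16 group-list 10 interval 60

! 4. Mapping agent (place it on a well-connected device): arbitrates between
!    conflicting announcements and floods the agreed group-to-RP map on
!    224.0.1.40. The scope must reach every PIM router yet stay in the domain.
ip pim send-rp-discovery Loopback0 scope 16

! 5. On the mapping agent, accept RP announcements only from the RP addresses
!    and group ranges you expect; any other announcement is an unauthorized
!    candidate RP and is discarded instead of being propagated.
access-list 11 permit 10.255.0.1
ip pim rp-announce-filter rp-list 11 group-list 10

! Verify with "show ip pim rp mapping": mappings learned dynamically are
! marked as coming from Auto-RP; the sink RP appears as a static entry.
```

The TTL scope is the only thing keeping Auto-RP traffic inside the domain, so choose it from the real diameter of the network rather than a generous default; an oversized scope lets announcements leak to a neighboring domain's mapping agent, which is exactly what the rp-announce-filter on that agent is there to catch.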

Bootstrap Router
Another RP selection model called bootstrap router (BSR) was introduced after Auto-RP in PIM-SM version
2. BSR performs similarly to Auto-RP in that it uses candidate routers for the RP function and for relaying
the RP information for a group. RP information is distributed through BSR messages, which are carried within
PIM messages. PIM messages are link-local multicast messages that travel from PIM router to PIM router.
Because of this single hop method of disseminating RP information, TTL scoping cannot be used with BSR.
BSR performs similarly to Auto-RP, except that it does not run the risk of reverting to dense mode operation,
and it does not offer the ability to scope within a domain.

PIM Domain Border


As IP multicast becomes more widespread, the chance of one PIMv2 domain bordering another PIMv2 domain
increases. Because two domains probably do not share the same set of RPs, BSR, candidate RPs, and candidate
BSRs, you need to constrain PIMv2 BSR messages from flowing into or out of the domain. Allowing messages
to leak across the domain borders could adversely affect the normal BSR election mechanism and elect a


single BSR across all bordering domains and comingle candidate RP advertisements, resulting in the election
of RPs in the wrong domain.
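The following configuration is an added example and is not part of the guide. It shows a candidate BSR and candidate RP on a core device, and the bsr-border setting on the interface that faces a neighboring PIMv2 domain, which is the constraint the paragraph above calls for. Addresses, interface names, the hash mask length and the priorities are assumptions; 192.0.2.0/30 is a documentation prefix.

```cisco
! Added example, not from the guide. Addresses, interfaces, hash mask length
! and priorities are assumptions; 192.0.2.0/30 is a documentation prefix.
ip multicast-routing distributed

! Candidate BSR and candidate RP on a core device, both sourced from Loopback0.
! BSR messages are carried hop by hop inside PIM, so there is no TTL scope
! to configure, unlike Auto-RP.
interface Loopback0
 ip address 10.255.0.2 255.255.255.255
 ip pim sparse-mode
ip pim bsr-candidate Loopback0 30 100
access-list 20 permit 239.0.0.0 0.255.255.255
ip pim rp-candidate Loopback0 group-list 20 priority 10

! Interface facing the neighboring PIMv2 domain: block bootstrap messages in
! both directions. Without this, a candidate BSR in the other domain can win
! our BSR election, and its candidate-RP advertisements are co-mingled with
! ours, so RPs end up elected in the wrong domain.
interface GigabitEthernet1/0/24
 no switchport
 ip address 192.0.2.1 255.255.255.252
 ip pim sparse-mode
 ip pim bsr-border

! Verify: "show ip pim bsr-router" must show a BSR from this domain, and
! "show ip pim rp mapping" must list only RPs from this domain.
```

Apply ip pim bsr-border on every interface that crosses the domain boundary, not only on the one that happens to carry multicast today; a border that is left open on one link is enough for the election to be hijacked.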

Multicast Forwarding
Forwarding of multicast traffic is accomplished by multicast-capable routers. These routers create distribution
trees that control the path that IP multicast traffic takes through the network in order to deliver traffic to all
receivers.
Multicast traffic flows from the source to the multicast group over a distribution tree that connects all of the
sources to all of the receivers in the group. This tree may be shared by all sources (a shared tree) or a separate
distribution tree can be built for each source (a source tree). The shared tree may be one-way or bidirectional.
Before describing the structure of source and shared trees, it is helpful to explain the notations that are used
in multicast routing tables. These notations include the following:
• (S,G) = (unicast source for the multicast group G, multicast group G)
• (*,G) = (any source for the multicast group G, multicast group G)

The notation of (S,G), pronounced “S comma G,” enumerates a shortest path tree where S is the IP address
of the source and G is the multicast group address.
Shared trees are denoted (*,G); source trees are denoted (S,G) and are always rooted at the source.

Multicast Distribution Source Tree


The simplest form of a multicast distribution tree is a source tree. A source tree has its root at the source host
and has branches forming a spanning tree through the network to the receivers. Because this tree uses the
shortest path through the network, it is also referred to as a shortest path tree (SPT).
The figure shows an example of an SPT for group 224.1.1.1 rooted at the source, Host A, and connecting two
receivers, Hosts B and C.


Using standard notation, the SPT for the example shown in the figure would be (192.168.1.1, 224.1.1.1).
The (S,G) notation implies that a separate SPT exists for each individual source sending to each group, which
is indeed the case.

Multicast Distribution Shared Tree


Unlike source trees that have their root at the source, shared trees use a single common root placed at some
chosen point in the network. This shared root is called a rendezvous point (RP).
The following figure shows a shared tree for the group 224.2.2.2 with the root located at Router D. This shared
tree is unidirectional. Source traffic is sent towards the RP on a source tree. The traffic is then forwarded down
the shared tree from the RP to reach all of the receivers (unless the receiver is located between the source and
the RP, in which case it will be serviced directly).
Figure 87: Shared Tree

In this example, multicast traffic from the sources, Hosts A and D, travels to the root (Router D) and then
down the shared tree to the two receivers, Hosts B and C. Because all sources in the multicast group use a
common shared tree, a wildcard notation written as (*, G), pronounced “star comma G,” represents the tree.
In this case, * means all sources, and G represents the multicast group. Therefore, the shared tree shown in
the figure would be written as (*, 224.2.2.2).
Both source trees and shared trees are loop-free. Messages are replicated only where the tree branches. Members
of multicast groups can join or leave at any time; therefore the distribution trees must be dynamically updated.
When all the active receivers on a particular branch stop requesting the traffic for a particular multicast group,
the routers prune that branch from the distribution tree and stop forwarding traffic down that branch. If one
receiver on that branch becomes active and requests the multicast traffic, the router will dynamically modify
the distribution tree and start forwarding traffic again.

Source Tree Advantage


Source trees have the advantage of creating the optimal path between the source and the receivers. This
advantage guarantees the minimum amount of network latency for forwarding multicast traffic. However,


this optimization comes at a cost. The routers must maintain path information for each source. In a network
that has thousands of sources and thousands of groups, this overhead can quickly become a resource issue on
the routers. Memory consumption from the size of the multicast routing table is a factor that network designers
must take into consideration.

Shared Tree Advantage


Shared trees have the advantage of requiring the minimum amount of state in each router. This advantage
lowers the overall memory requirements for a network that only allows shared trees. The disadvantage of
shared trees is that under certain circumstances the paths between the source and receivers might not be the
optimal paths, which might introduce some latency in packet delivery. For example, in the figure above the
shortest path between Host A (source 1) and Host B (a receiver) would be Router A and Router C. Because
we are using Router D as the root for a shared tree, the traffic must traverse Routers A, B, D and then C.
Network designers must carefully consider the placement of the rendezvous point (RP) when implementing
a shared tree-only environment.
In unicast routing, traffic is routed through the network along a single path from the source to the destination
host. A unicast router does not consider the source address; it considers only the destination address and how
to forward the traffic toward that destination. The router scans through its routing table for the destination
address and then forwards a single copy of the unicast packet out the correct interface in the direction of the
destination.
In multicast forwarding, the source is sending traffic to an arbitrary group of hosts that are represented by a
multicast group address. The multicast router must determine which direction is the upstream direction (toward
the source) and which one is the downstream direction (or directions) toward the receivers. If there are multiple
downstream paths, the router replicates the packet and forwards it down the appropriate downstream paths
(best unicast route metric)--which is not necessarily all paths. Forwarding multicast traffic away from the
source, rather than to the receiver, is called Reverse Path Forwarding (RPF). RPF is described in the following
section.

PIM Shared Tree and Source Tree


By default, members of a group receive data from senders to the group across a single data-distribution tree
rooted at the RP.


The following figure shows this type of shared-distribution tree. Data from senders is delivered to the RP for
distribution to group members joined to the shared tree.
Figure 88: Shared Tree and Source Tree (Shortest-Path Tree)

If the data rate warrants, leaf routers (routers without any downstream connections) on the shared tree can
use the data distribution tree rooted at the source. This type of distribution tree is called a shortest-path tree
or source tree. By default, the software switches to a source tree upon receiving the first data packet from a
source.
This process describes the move from a shared tree to a source tree:
1. A receiver joins a group; leaf Router C sends a join message toward the RP.
2. The RP puts a link to Router C in its outgoing interface list.
3. A source sends data; Router A encapsulates the data in a register message and sends it to the RP.
4. The RP forwards the data down the shared tree to Router C and sends a join message toward the source.
At this point, data might arrive twice at Router C, once encapsulated and once natively.
5. When data arrives natively (unencapsulated) at the RP, it sends a register-stop message to Router A.
6. By default, reception of the first data packet prompts Router C to send a join message toward the source.
7. When Router C receives data on (S, G), it sends a prune message for the source up the shared tree.
8. The RP deletes the link to Router C from the outgoing interface of (S, G). The RP triggers a prune message
toward the source.

Join and prune messages are sent for sources and RPs. They are sent hop-by-hop and are processed by each
PIM device along the path to the source or RP. Register and register-stop messages are not sent hop-by-hop.
They are sent by the designated router that is directly connected to a source and are received by the RP for
the group.
Multiple sources sending to groups use the shared tree. You can configure the PIM device to stay on the shared
tree.


The change from shared to source tree happens when the first data packet arrives at the last-hop router. This
change depends upon the threshold that is configured by using the ip pim spt-threshold global configuration
command.
The shortest-path tree requires more memory than the shared tree but reduces delay. You may want to postpone
its use. Instead of allowing the leaf router to immediately move to the shortest-path tree, you can specify that
the traffic must first reach a threshold.
You can configure when a PIM leaf router should join the shortest-path tree for a specified group. If a source
sends at a rate greater than or equal to the specified kbps rate, the multilayer switch triggers a PIM join message
toward the source to construct a source tree (shortest-path tree). If the traffic rate from the source drops below
the threshold value, the leaf router switches back to the shared tree and sends a prune message toward the
source.
You can specify to which groups the shortest-path tree threshold applies by using a group list (a standard
access list). If a value of 0 is specified or if the group list is not used, the threshold applies to all groups.
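The following configuration is an added example and is not part of the guide. It shows the two uses of the threshold described above on a last-hop switch: a group list that pins selected groups to the shared tree, and a rate threshold for everything else. The group range and the rate are assumptions.

```cisco
! Added example, not from the guide. The group range and the rate are
! assumptions.

! Groups that many last-hop switches join (assumed 239.192.0.0/16) are never
! switched to the shortest-path tree: the switch is not triggered to send an
! (S,G) join toward the source for them, which keeps per-source state off
! every leaf switch.
access-list 30 permit 239.192.0.0 0.0.255.255
ip pim spt-threshold infinity group-list 30

! All other groups: switch to the shortest-path tree only once a source
! exceeds 1000 kb/s, and fall back to the shared tree when the rate drops
! below it. (The default of 0 switches on the first data packet.)
ip pim spt-threshold 1000

! Verify on the last-hop switch: "show ip mroute 239.192.1.1" should show
! traffic forwarded on the (*,G) entry only; for a group above the threshold,
! "show ip mroute" shows an (S,G) entry flagged T (SPT-bit set).
```

The threshold is evaluated per source on the last-hop device, so a single high-rate source in an otherwise pinned group does not affect the other sources of that group; if you need an exception for one group range, give it its own group list with its own rate.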

Reverse Path Forwarding


In unicast routing, traffic is routed through the network along a single path from the source to the destination
host. A unicast router does not consider the source address; it considers only the destination address and how
to forward the traffic toward that destination. The router scans through its routing table for the destination
network and then forwards a single copy of the unicast packet out the correct interface in the direction of the
destination.
In multicast forwarding, the source is sending traffic to an arbitrary group of hosts that are represented by a
multicast group address. The multicast router must determine which direction is the upstream direction (toward
the source) and which one is the downstream direction (or directions) toward the receivers. If there are multiple
downstream paths, the router replicates the packet and forwards it down the appropriate downstream paths
(best unicast route metric)--which is not necessarily all paths. Forwarding multicast traffic away from the
source, rather than to the receiver, is called Reverse Path Forwarding (RPF). RPF is an algorithm used for
forwarding multicast datagrams.
Protocol Independent Multicast (PIM) uses the unicast routing information to create a distribution tree along
the reverse path from the receivers towards the source. The multicast routers then forward packets along the
distribution tree from the source to the receivers. RPF is a key concept in multicast forwarding. It enables
routers to correctly forward multicast traffic down the distribution tree. RPF makes use of the existing unicast
routing table to determine the upstream and downstream neighbors. A router will forward a multicast packet
only if it is received on the upstream interface. This RPF check helps to guarantee that the distribution tree
will be loop-free.

RPF Check
When a multicast packet arrives at a router, the router performs an RPF check on the packet. If the RPF check
succeeds, the packet is forwarded. Otherwise, it is dropped.
For traffic flowing down a source tree, the RPF check procedure works as follows:
1. The router looks up the source address in the unicast routing table to determine if the packet has arrived
on the interface that is on the reverse path back to the source.
2. If the packet has arrived on the interface leading back to the source, the RPF check succeeds and the
packet is forwarded out the interfaces present in the outgoing interface list of a multicast routing table
entry.
3. If the RPF check in Step 2 fails, the packet is dropped.


The figure shows an example of an unsuccessful RPF check.


Figure 89: RPF Check Fails

As the figure illustrates, a multicast packet from source 151.10.3.21 is received on serial interface 0 (S0). A
check of the unicast route table shows that S1 is the interface this router would use to forward unicast data to
151.10.3.21. Because the packet has arrived on interface S0, the packet is discarded.
The figure shows an example of a successful RPF check.
Figure 90: RPF Check Succeeds

In this example, the multicast packet has arrived on interface S1. The router refers to the unicast routing table
and finds that S1 is the correct interface. The RPF check passes, and the packet is forwarded.
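The following command sequence is an added example and is not part of the guide. It shows how to check which interface the RPF check expects a given source on, and how to correct the RPF interface with a static mroute when the unicast path back to the source differs from the path multicast actually takes. The source address 151.10.3.21 is the one used in the two figures above; the interface names (standing in for S0 and S1 in the figures), the group 224.1.1.1, and the availability of the ip mroute command in this image are assumptions.

```cisco
! Added example, not from the guide. 151.10.3.21 is the source from the RPF
! figures; interface names and the group 224.1.1.1 are assumptions.

! 1. Ask the switch which interface (and upstream neighbor) it would use to
!    reach the source. A multicast packet from that source arriving on any
!    other interface fails the RPF check and is dropped; this is what stops
!    forwarding loops and injection of a source's traffic from an unexpected
!    direction.
SwitchDevice# show ip rpf 151.10.3.21

! 2. If the unicast best path back to the source is GigabitEthernet1/0/1 (S0
!    in the figure) but multicast is meant to arrive on GigabitEthernet1/0/2
!    (S1), a static mroute changes the RPF interface for that source prefix
!    only; unicast forwarding is untouched. Static mroutes are consulted
!    before the unicast table, so keep them to the exact source prefix:
!    a broad entry opens the RPF check for sources that should fail it.
SwitchDevice# configure terminal
SwitchDevice(config)# ip mroute 151.10.3.0 255.255.255.0 GigabitEthernet1/0/2
SwitchDevice(config)# end

! 3. Confirm the new RPF interface, then check that the (S,G) entry's incoming
!    interface matches it and that the RPF-failed counter stops increasing.
SwitchDevice# show ip rpf 151.10.3.21
SwitchDevice# show ip mroute 224.1.1.1 151.10.3.21
SwitchDevice# show ip mroute count
```

A rising RPF-failed counter with no static mroute configured usually means asymmetric unicast routing rather than a multicast fault; fix the unicast topology where you can and use the static mroute only where the asymmetry is intentional.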

Default PIM Routing Configuration


This table displays the default PIM routing configuration for the switch.

Table 108: Default Multicast Routing Configuration

Feature                              Default Setting
Multicast routing                    Disabled on all interfaces.
PIM version                          Version 2.
PIM mode                             No mode is defined.
PIM stub routing                     None configured.
PIM RP address                       None configured.
PIM domain border                    Disabled.
PIM multicast boundary               None.
Candidate BSRs                       Disabled.
Candidate RPs                        Disabled.
Shortest-path tree threshold rate    0 kb/s.
PIM router query message interval    30 seconds.

How to Configure PIM


Enabling PIM Stub Routing
This procedure is optional.

SUMMARY STEPS
1. enable
2. configure terminal
3. interface interface-id
4. ip pim passive
5. end
6. show ip pim interface
7. show running-config
8. copy running-config startup-config

DETAILED STEPS

Command or Action Purpose


Step 1 enable Enables privileged EXEC mode. Enter your password if
prompted.
Example:

SwitchDevice> enable

Step 2 configure terminal Enters the global configuration mode.


Example:

SwitchDevice# configure terminal

Step 3 interface interface-id Specifies the interface on which you want to enable PIM
stub routing, and enters interface configuration mode.
Example:

SwitchDevice(config)# interface gigabitethernet 1/0/1

Step 4 ip pim passive Configures the PIM stub feature on the interface.
Example:

SwitchDevice(config-if)# ip pim passive

Step 5 end Returns to privileged EXEC mode.


Example:

SwitchDevice(config-if)# end

Step 6 show ip pim interface (Optional) Displays the PIM mode of each interface, so that you can
confirm that PIM stub (passive) mode is enabled on the intended interfaces.
Example:

SwitchDevice# show ip pim interface

Step 7 show running-config Verifies your entries.


Example:

SwitchDevice# show running-config

Step 8 copy running-config startup-config (Optional) Saves your entries in the configuration file.
Example:

SwitchDevice# copy running-config startup-config
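The following configuration is an added example and is not the guide's own configuration. It combines the "Enabling PIM Stub Routing" procedure above with the two requirements stated in the PIM Stub Routing overview (a routed, non-SVI uplink and EIGRP stub routing) and with the IGMP helper described there, on one access switch. Interface numbers, addresses, the EIGRP autonomous system number and the upstream router address 10.1.25.1 are assumptions.

```cisco
! Added example, not the guide's own configuration. Interface numbers,
! addresses, the EIGRP AS number and the upstream router 10.1.25.1 are
! assumptions.

! Multicast routing on the stub switch ("distributed" is the Catalyst
! 3560/3750 form of the command; assumed to apply to the CX models).
ip multicast-routing distributed

! Required together with PIM stub routing: EIGRP stub. The switch advertises
! only its connected and summary routes and is never used as transit between
! the distribution routers.
router eigrp 100
 network 10.1.0.0 0.0.255.255
 eigrp stub connected summary

! Routed (non-SVI) uplink to the distribution router: the only interface on
! which this switch forms a PIM neighbor relationship.
interface GigabitEthernet1/0/25
 no switchport
 ip address 10.1.25.2 255.255.255.0
 ip pim sparse-dense-mode

! Host-facing SVI in PIM passive mode: no PIM hellos, joins/prunes or asserts
! are sent or accepted here, only IGMP from directly connected hosts. A host
! on VLAN 100 therefore cannot become a PIM neighbor or the DR, which is also
! why a second PIM router on this VLAN (redundant topology) is unsupported.
interface Vlan100
 ip address 10.1.100.1 255.255.255.0
 ip pim passive
 ! IGMP helper: relay the hosts' IGMP reports and leaves to the upstream
 ! router (assumed 10.1.25.1) so that it adds or removes this group on its
 ! outgoing interface list.
 ip igmp helper-address 10.1.25.1

! Verify: "show ip pim neighbor" must list only the distribution router, on
! the uplink; "show ip pim interface" must show a neighbor count of 0 on
! Vlan100.
```

If "show ip pim neighbor" ever lists a neighbor on Vlan100, passive mode is not in effect on that SVI and a host-side device is speaking PIM into the access domain; treat that as a configuration error to fix, not as a working redundant topology.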

Configuring a Rendezvous Point


You must have a rendezvous point (RP) if the interface is in sparse-dense mode and you want to handle
the group as a sparse group. You can use these methods:
• By manually assigning an RP to multicast groups.
• By using Auto-RP, a standalone Cisco-proprietary protocol separate from PIMv1, which includes:
  • Setting up Auto-RP in a new internetwork
  • Adding Auto-RP to an existing sparse-mode cloud
  • Preventing join messages to false RPs
  • Filtering incoming RP announcement messages


• By using a standards-track protocol from the Internet Engineering Task Force (IETF), which includes
configuring PIMv2 BSR.

Note You can use Auto-RP, BSR, or a combination of both, depending on the PIM version that you are running
and the types of routers in your network. For information about working with different PIM versions in your
network, see PIMv1 and PIMv2 Interoperability, on page 970.

Manually Assigning an RP to Multicast Groups


If the rendezvous point (RP) for a group is learned through a dynamic mechanism (such as Auto-RP or BSR),
you need not perform this task for that RP.
Senders of multicast traffic announce their existence through register messages, which the source's
first-hop router (designated router) sends to the RP. Receivers of multicast packets use RPs to join
a multicast group by using explicit join messages.

Note RPs are not members of the multicast group; they serve as a meeting place for multicast sources and group
members.

You can configure a single RP for multiple groups defined by an access list. If there is no RP configured for
a group, the multilayer switch responds to the group as dense and uses the dense-mode PIM techniques.
This procedure is optional.

SUMMARY STEPS
1. enable
2. configure terminal
3. ip pim rp-address ip-address [access-list-number] [override]
4. access-list access-list-number {deny | permit} source [source-wildcard]
5. end
6. show running-config
7. copy running-config startup-config

DETAILED STEPS

Command or Action Purpose


Step 1 enable Enables privileged EXEC mode. Enter your password if
prompted.
Example:

SwitchDevice> enable

Step 2 configure terminal Enters the global configuration mode.


Example:

SwitchDevice# configure terminal

Step 3 ip pim rp-address ip-address [access-list-number] [override] Configures the address of a PIM RP.
Example:

SwitchDevice(config)# ip pim rp-address 10.1.1.1 20 override

By default, no PIM RP address is configured. You must configure the IP address of the RPs on all routers
and multilayer switches (including the RP).
Note If there is no RP configured for a group, the switch treats the group as dense, using the
dense-mode PIM techniques.
A PIM device can be an RP for more than one group. Only one RP address can be used at a time for a
given group within a PIM domain. The access list conditions specify for which groups the device is an RP.
• For ip-address, enter the unicast address of the RP in dotted-decimal notation.
• (Optional) For access-list-number, enter an IP standard access list number from 1 to 99. If no access
list is configured, the RP is used for all groups.
• (Optional) The override keyword indicates that if there is a conflict between the RP configured with
this command and one learned by Auto-RP or BSR, the RP configured with this command prevails.

Step 4 access-list access-list-number {deny | permit} source [source-wildcard] Creates a standard access list,
repeating the command as many times as necessary.
Example:

SwitchDevice(config)# access-list 20 permit 10.5.0.1 255.224.0.0

• For access-list-number, enter the access list number specified in Step 3.
• The deny keyword denies access if the conditions are matched.
• The permit keyword permits access if the conditions are matched.
• For source, enter the multicast group address for which the RP should be used.
• (Optional) For source-wildcard, enter the wildcard bits in dotted decimal notation to be applied to the
source. Place ones in the bit positions that you want to ignore.

The access list is always terminated by an implicit deny statement for everything.


Step 5 end Returns to privileged EXEC mode.
Example:

SwitchDevice(config)# end

Step 6 show running-config Verifies your entries.


Example:

SwitchDevice# show running-config

Step 7 copy running-config startup-config (Optional) Saves your entries in the configuration file.
Example:

SwitchDevice# copy running-config startup-config
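The following configuration is an added example and is not part of the guide. It applies the procedure above with two static RPs serving different group ranges, as the Auto-RP overview says multiple RPs may, and adds the "Preventing join messages to false RPs" method that this chapter lists without showing it (ip pim accept-rp). The RP address 10.1.1.1 is the value used in the Step 3 example; 10.1.1.2, the group ranges and the access list numbers are assumptions.

```cisco
! Added example, not from the guide. 10.1.1.1 is the Step 3 example value;
! 10.1.1.2, the group ranges and the list numbers are assumptions.

! Two static RPs, each responsible for a different group range. Configure the
! same statements on every PIM device in the domain, including the RPs.
access-list 20 permit 239.1.0.0 0.0.255.255
access-list 21 permit 239.2.0.0 0.0.255.255
ip pim rp-address 10.1.1.1 20 override
ip pim rp-address 10.1.1.2 21 override
! "override": these mappings win over anything learned through Auto-RP or
! BSR for the same groups. Without it, a rogue candidate-RP announcement
! would replace them, because dynamic mappings supersede static ones.

! Accept (*,G) join and prune messages for these groups only when they name
! an RP you configured. A join toward any other RP address is dropped, so a
! device advertising itself as the RP cannot attract the groups' traffic.
access-list 22 permit 239.1.0.0 0.0.255.255
access-list 22 permit 239.2.0.0 0.0.255.255
ip pim accept-rp 10.1.1.1 22
ip pim accept-rp 10.1.1.2 22

! Groups not covered by any rp-address statement are treated as dense, as the
! Step 3 note warns. Either cover the whole 224.0.0.0/4 range or add a sink
! RP for the remainder.

! Verify: "show ip pim rp mapping" lists both static RPs with their group
! lists; "show ip mroute" for a 239.1.x.x group shows RP 10.1.1.1.
```

If Auto-RP is in use elsewhere in the domain, the accept-rp statements must also admit the Auto-RP learned RPs (ip pim accept-rp auto-rp), otherwise joins for those groups are silently dropped.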

Setting Up Auto-RP in a New Internetwork


If you are setting up Auto-RP in a new internetwork, you do not need a default RP because you configure all
the interfaces for sparse-dense mode.

Note Omit Step 4 in the following procedure if you want a different PIM router, rather than this switch, to be the RP for the local groups.

SUMMARY STEPS
1. enable
2. show running-config
3. configure terminal
4. ip pim send-rp-announce interface-id scope ttl group-list access-list-number interval seconds
5. access-list access-list-number {deny | permit} source [source-wildcard]
6. ip pim send-rp-discovery scope ttl
7. end
8. show running-config
9. show ip pim rp mapping
10. show ip pim rp
11. copy running-config startup-config

DETAILED STEPS

Command or Action Purpose


Step 1 enable Enables privileged EXEC mode. Enter your password if
prompted.
Example:

SwitchDevice> enable

Step 2 show running-config Verifies that a default RP is already configured on all PIM devices and the RP
in the sparse-mode network. It was previously configured with the ip pim rp-address global configuration
command.
Example:

SwitchDevice# show running-config

Note This step is not required for sparse-dense-mode environments.

The selected RP should have good connectivity and be available across the network. Use this RP for the
global groups (for example, 224.x.x.x and other global groups). Do not reconfigure the group address range
that this RP serves. RPs dynamically discovered through Auto-RP take precedence over statically configured
RPs. Assume that it is desirable to use a second RP for the local groups.

Step 3 configure terminal Enters the global configuration mode.


Example:

SwitchDevice# configure terminal

Step 4 ip pim send-rp-announce interface-id scope ttl group-list access-list-number interval seconds
Configures another PIM device to be the candidate RP for local groups.
Example:

SwitchDevice(config)# ip pim send-rp-announce gigabitethernet 1/0/5 scope 20 group-list 10 interval 120

• For interface-id, enter the interface type and number whose IP address is announced as the RP address.
Valid interfaces include physical ports, port channels, and VLANs.
• For scope ttl, specify the time-to-live value in hops. Enter a hop count that is high enough so that the
RP-announce messages reach all mapping agents in the network. There is no default setting. The range is
1 to 255.
• For group-list access-list-number, enter an IP standard access list number from 1 to 99. If no access
list is configured, the RP is used for all groups.
• For interval seconds, specify how often the announcement messages must be sent. The default is
60 seconds. The range is 1 to 16383.

Step 5 access-list access-list-number {deny | permit} source Creates a standard access list, repeating the command as
[source-wildcard] many times as necessary.
Example: • For access-list-number, enter the access list number
specified in Step 3.
SwitchDevice(config)# access-list 10 permit

Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(3)E (Catalyst 3560-CX and 2960-CX Switches)
989
Multicast Routing
Setting Up Auto-RP in a New Internetwork

Command or Action Purpose


10.10.0.0 • The deny keyword denies access if the conditions are
matched.
• The permit keyword permits access if the conditions
are matched.
• For source, enter the multicast group address range
for which the RP should be used.
• (Optional) For source-wildcard, enter the wildcard
bits in dotted decimal notation to be applied to the
source. Place ones in the bit positions that you want
to ignore.

Note Recall that the access list is always terminated


by an implicit deny statement for everything.

Step 6 ip pim send-rp-discovery scope ttl Finds a switch whose connectivity is not likely to be
interrupted, and assign it the role of RP-mapping agent.
Example:
For scope ttl, specify the time-to-live value in hops to limit
SwitchDevice(config)# ip pim send-rp-discovery the RP discovery packets. All devices within the hop count
scope 50 from the source device receive the Auto-RP discovery
messages. These messages tell other devices which
group-to-RP mapping to use to avoid conflicts (such as
overlapping group-to-RP ranges). There is no default
setting. The range is 1 to 255.

Step 7 end Returns to privileged EXEC mode.


Example:

SwitchDevice(config)# end

Step 8 show running-config Verifies your entries.


Example:

SwitchDevice# show running-config

Step 9 show ip pim rp mapping Displays active RPs that are cached with associated
multicast routing entries.
Example:
SwitchDevice# show ip pim rp mapping

Step 10 show ip pim rp Displays the information cached in the routing table.
Example:

SwitchDevice# show ip pim rp

Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(3)E (Catalyst 3560-CX and 2960-CX Switches)
990
Multicast Routing
Adding Auto-RP to an Existing Sparse-Mode Cloud

Command or Action Purpose


Step 11 copy running-config startup-config (Optional) Saves your entries in the configuration file.
Example:

SwitchDevice# copy running-config startup-config

Adding Auto-RP to an Existing Sparse-Mode Cloud


This section contains suggestions for the initial deployment of Auto-RP into an existing sparse-mode cloud
to minimize disruption of the existing multicast infrastructure.
This procedure is optional.

SUMMARY STEPS
1. enable
2. show running-config
3. configure terminal
4. ip pim send-rp-announce interface-id scope ttl group-list access-list-number interval seconds
5. access-list access-list-number {deny | permit} source [source-wildcard]
6. ip pim send-rp-discovery scope ttl
7. end
8. show running-config
9. show ip pim rp mapping
10. show ip pim rp
11. copy running-config startup-config

DETAILED STEPS

Step 1   enable
Purpose: Enables privileged EXEC mode. Enter your password if prompted.
Example:
SwitchDevice> enable

Step 2   show running-config
Purpose: Verifies that a default RP is already configured on all PIM devices and on the RP in the sparse-mode network. It was previously configured with the ip pim rp-address global configuration command.
Note This step is not required for sparse-dense-mode environments.
The selected RP should have good connectivity and be available across the network. Use this RP for the global groups (for example, 224.x.x.x and other global groups). Do not reconfigure the group address range that this RP serves. RPs dynamically discovered through Auto-RP take precedence over statically configured RPs. Assume that it is desirable to use a second RP for the local groups.
Example:
SwitchDevice# show running-config

Step 3   configure terminal
Purpose: Enters global configuration mode.
Example:
SwitchDevice# configure terminal

Step 4   ip pim send-rp-announce interface-id scope ttl group-list access-list-number interval seconds
Purpose: Configures another PIM device to be the candidate RP for local groups.
• For interface-id, enter the interface type and number that identifies the RP address. Valid interfaces include physical ports, port channels, and VLANs.
• For scope ttl, specify the time-to-live value in hops. Enter a hop count that is high enough for the RP-announce messages to reach all mapping agents in the network. There is no default setting. The range is 1 to 255.
• For group-list access-list-number, enter an IP standard access list number from 1 to 99. If no access list is configured, the RP is used for all groups.
• For interval seconds, specify how often the announcement messages must be sent. The default is 60 seconds. The range is 1 to 16383.
Example:
SwitchDevice(config)# ip pim send-rp-announce gigabitethernet 1/0/5 scope 20 group-list 10 interval 120

Step 5   access-list access-list-number {deny | permit} source [source-wildcard]
Purpose: Creates a standard access list, repeating the command as many times as necessary.
• For access-list-number, enter the access list number specified in Step 4.
• The deny keyword denies access if the conditions are matched.
• The permit keyword permits access if the conditions are matched.
• For source, enter the multicast group address range for which the RP should be used.
• (Optional) For source-wildcard, enter the wildcard bits in dotted decimal notation to be applied to the source. Place ones in the bit positions that you want to ignore.
Recall that the access list is always terminated by an implicit deny statement for everything.
Example:
SwitchDevice(config)# access-list 10 permit 224.0.0.0 15.255.255.255

Step 6   ip pim send-rp-discovery scope ttl
Purpose: Finds a switch whose connectivity is not likely to be interrupted, and assigns it the role of RP-mapping agent.
For scope ttl, specify the time-to-live value in hops to limit the RP discovery packets. All devices within the hop count from the source device receive the Auto-RP discovery messages. These messages tell other devices which group-to-RP mapping to use to avoid conflicts (such as overlapping group-to-RP ranges). There is no default setting. The range is 1 to 255.
Note To remove the switch as the RP-mapping agent, use the no ip pim send-rp-discovery global configuration command.
Example:
SwitchDevice(config)# ip pim send-rp-discovery scope 50

Step 7   end
Purpose: Returns to privileged EXEC mode.
Example:
SwitchDevice(config)# end

Step 8   show running-config
Purpose: Verifies your entries.
Example:
SwitchDevice# show running-config

Step 9   show ip pim rp mapping
Purpose: Displays active RPs that are cached with associated multicast routing entries.
Example:
SwitchDevice# show ip pim rp mapping

Step 10   show ip pim rp
Purpose: Displays the information cached in the routing table.
Example:
SwitchDevice# show ip pim rp

Step 11   copy running-config startup-config
Purpose: (Optional) Saves your entries in the configuration file.
Example:
SwitchDevice# copy running-config startup-config
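The two Auto-RP procedures above (new internetwork and existing sparse-mode cloud) put together as one deployment. This is an added example, not configuration from the original guide: the addresses, VLAN numbers and access-list numbers are assumptions, 10.1.1.1 is assumed to be the pre-existing static RP for the global groups that Step 2 checks for, and 239.0.0.0/8 is assumed to be the range the second, local RP should serve.

```cisco
! ===== Switch that becomes candidate RP for the local groups =====
! Assumed: it owns Vlan10 (10.1.10.1); Auto-RP announces that address as RP.
ip multicast-routing
!
interface Vlan10
 ip address 10.1.10.1 255.255.255.0
 ip pim sparse-dense-mode
!
! Group-list for the announcement. The implicit deny at the end means this
! switch is never announced as RP for anything outside 239.0.0.0/8.
access-list 10 permit 239.0.0.0 0.255.255.255
ip pim send-rp-announce Vlan10 scope 20 group-list 10 interval 120
!
! ===== Mapping agent (a core switch whose connectivity is stable) =====
ip multicast-routing
!
interface Vlan1
 ip address 10.1.1.2 255.255.255.0
 ip pim sparse-dense-mode
!
! scope 50 must exceed the hop count to the farthest PIM router so that
! every router receives the group-to-RP discovery messages on 224.0.1.40.
ip pim send-rp-discovery scope 50
!
! ===== Every PIM router in the cloud (unchanged from before Auto-RP) =====
! The static RP for the global groups stays exactly as it was; the guide
! relies on the Auto-RP mapping for 239.0.0.0/8 taking precedence over it.
ip pim rp-address 10.1.1.1
```

After the change, show ip pim rp mapping on any router should list 10.1.1.1 as the static RP and 10.1.10.1 as the RP for 239.0.0.0/8 learned via Auto-RP. The precedence the guide depends on cuts both ways: because a dynamically learned mapping beats a static one, any device that can get an RP announcement to the mapping agent can also displace 10.1.1.1 for the global groups. The override keyword of ip pim rp-address (described in the single static RP procedure later in this chapter) and the rp-announce-filter on the mapping agent are the two controls that close that gap.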


Configuring Sparse Mode with a Single Static RP


A rendezvous point (RP) is required in networks running Protocol Independent Multicast sparse mode
(PIM-SM). In PIM-SM, traffic will be forwarded only to network segments with active receivers that have
explicitly requested multicast data.
This section describes how to configure sparse mode with a single static RP.

Before you begin


All access lists that are needed when sparse mode is configured with a single static RP should be configured
prior to beginning the configuration task.

SUMMARY STEPS
1. enable
2. configure terminal
3. ip multicast-routing [distributed]
4. interface type number
5. ip pim sparse-mode
6. Repeat Steps 4 and 5 on every interface that uses IP multicast.
7. exit
8. ip pim rp-address rp-address [access-list] [override]
9. end
10. show ip pim rp [mapping] [rp-address]
11. show ip igmp groups [group-name | group-address| interface-type interface-number] [detail]
12. show ip mroute
13. copy running-config startup-config

DETAILED STEPS

Step 1   enable
Purpose: Enables privileged EXEC mode.
• Enter your password if prompted.
Example:
SwitchDevice> enable

Step 2   configure terminal
Purpose: Enters global configuration mode.
Example:
SwitchDevice# configure terminal

Step 3   ip multicast-routing [distributed]
Purpose: Enables IP multicast routing.
• Use the distributed keyword to enable Multicast Distributed Switching.
Example:
SwitchDevice(config)# ip multicast-routing

Step 4   interface type number
Purpose: Selects an interface that is connected to hosts on which PIM can be enabled.
Example:
SwitchDevice(config)# interface gigabitethernet 1/0/0

Step 5   ip pim sparse-mode
Purpose: Enables PIM on an interface. You must use sparse mode.
Example:
SwitchDevice(config-if)# ip pim sparse-mode

Step 6   Repeat Steps 4 and 5 on every interface that uses IP multicast.

Step 7   exit
Purpose: Returns to global configuration mode.
Example:
SwitchDevice(config-if)# exit

Step 8   ip pim rp-address rp-address [access-list] [override]
Purpose: Configures the address of a PIM RP for a particular group.
• The optional access-list argument specifies the number or name of a standard access list that defines the multicast groups to be statically mapped to the RP.
Note If no access list is defined, the RP is mapped to all multicast groups, 224/4.
• The optional override keyword specifies that if dynamic and static group-to-RP mappings are used together and there is an RP address conflict, the RP address configured for the static group-to-RP mapping takes precedence.
Note If the override keyword is not specified and there is an RP address conflict, dynamic group-to-RP mappings take precedence over static group-to-RP mappings.
Example:
SwitchDevice(config)# ip pim rp-address 192.168.0.0

Step 9   end
Purpose: Ends the current configuration session and returns to privileged EXEC mode.
Example:
SwitchDevice(config)# end

Step 10   show ip pim rp [mapping] [rp-address]
Purpose: (Optional) Displays the RPs known in the network and shows how the router learned about each RP.
Example:
SwitchDevice# show ip pim rp mapping

Step 11   show ip igmp groups [group-name | group-address | interface-type interface-number] [detail]
Purpose: (Optional) Displays the multicast groups with receivers that are directly connected to the router and that were learned through IGMP.
• A receiver must be active on the network at the time that this command is issued for receiver information to be present in the resulting display.
Example:
SwitchDevice# show ip igmp groups

Step 12   show ip mroute
Purpose: (Optional) Displays the contents of the IP mroute table.
Example:
SwitchDevice# show ip mroute

Step 13   copy running-config startup-config
Purpose: (Optional) Saves your entries in the configuration file.
Example:
SwitchDevice# copy running-config startup-config
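The single static RP procedure above as one configuration, with the weak and the hardened form of Step 8 side by side. This is an added example, not configuration from the original guide; the RP address 10.1.1.1, the VLAN interfaces, the group ranges and access list 20 are assumptions.

```cisco
! Assumed: this switch has sources and receivers on Vlan10 and Vlan20, and
! 10.1.1.1 is the address of the device chosen as the one static RP.
ip multicast-routing
!
interface Vlan10
 ip address 10.1.10.1 255.255.255.0
 ip pim sparse-mode
!
interface Vlan20
 ip address 10.1.20.1 255.255.255.0
 ip pim sparse-mode
!
! Only the group ranges this site actually uses get an RP. Because of the
! implicit deny, a (*,G) join for any other group finds no RP and fails,
! which is the least-privilege outcome rather than "RP for all of 224/4".
access-list 20 permit 239.1.0.0 0.0.255.255
access-list 20 permit 239.2.0.0 0.0.255.255
!
! Weak form (shown commented out): if any router later learns a dynamic
! mapping for the same groups, from Auto-RP or BSR, legitimate or not,
! the dynamic mapping wins and the static RP is silently bypassed.
!   ip pim rp-address 10.1.1.1 20
!
! Hardened form: on an RP address conflict the static mapping wins.
ip pim rp-address 10.1.1.1 20 override
```

To check the result from privileged EXEC, show ip pim rp mapping should list 10.1.1.1 as a static RP for the two ranges, show ip igmp groups should list the groups that currently have directly connected receivers, and the (*,G) entries in show ip mroute should carry RP 10.1.1.1. Groups outside access list 20 appear with no RP, which is the intended failure mode, not a misconfiguration.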

Preventing Join Messages to False RPs


Determine whether the ip pim accept-rp command was previously configured throughout the network by
using the show running-config privileged EXEC command. If the ip pim accept-rp command is not configured
on any device, this problem can be addressed later. In those routers or multilayer switches already configured
with the ip pim accept-rp command, you must enter the command again to accept the newly advertised RP.
To accept all RPs advertised with Auto-RP and reject all other RPs by default, use the ip pim accept-rp
auto-rp global configuration command.
This procedure is optional.

Filtering Incoming RP Announcement Messages


You can add configuration commands to the mapping agents to prevent a maliciously configured router from
masquerading as a candidate RP and causing problems.
This procedure is optional.

SUMMARY STEPS
1. enable
2. configure terminal
3. ip pim rp-announce-filter rp-list access-list-number group-list access-list-number
4. access-list access-list-number {deny | permit} source [source-wildcard]
5. end
6. show running-config
7. copy running-config startup-config


DETAILED STEPS

Step 1   enable
Purpose: Enables privileged EXEC mode. Enter your password if prompted.
Example:
SwitchDevice> enable

Step 2   configure terminal
Purpose: Enters global configuration mode.
Example:
SwitchDevice# configure terminal

Step 3   ip pim rp-announce-filter rp-list access-list-number group-list access-list-number
Purpose: Filters incoming RP announcement messages.
Enter this command on each mapping agent in the network. Without this command, all incoming RP-announce messages are accepted by default.
For rp-list access-list-number, configure an access list of candidate RP addresses that, if permitted, are accepted for the group ranges supplied in the group-list access-list-number variable. If this variable is omitted, the filter applies to all multicast groups.
If more than one mapping agent is used, the filters must be consistent across all mapping agents to ensure that no conflicts occur in the group-to-RP mapping information.
Example:
SwitchDevice(config)# ip pim rp-announce-filter rp-list 10 group-list 14

Step 4   access-list access-list-number {deny | permit} source [source-wildcard]
Purpose: Creates a standard access list, repeating the command as many times as necessary.
• For access-list-number, enter one of the access list numbers specified in Step 3.
• The deny keyword denies access if the conditions are matched.
• The permit keyword permits access if the conditions are matched.
• For the rp-list access list, enter as source the address of each router or multilayer switch from which the mapping agent accepts candidate RP announcements.
• For the group-list access list, enter as source the range of multicast groups for which those candidate RPs are accepted or denied.
• (Optional) For source-wildcard, enter the wildcard bits in dotted decimal notation to be applied to the source. Place ones in the bit positions that you want to ignore.
The access list is always terminated by an implicit deny statement for everything.
Example:
SwitchDevice(config)# access-list 10 permit 10.8.1.0 255.255.224.0

Step 5   end
Purpose: Returns to privileged EXEC mode.
Example:
SwitchDevice(config)# end

Step 6   show running-config
Purpose: Verifies your entries.
Example:
SwitchDevice# show running-config

Step 7   copy running-config startup-config
Purpose: (Optional) Saves your entries in the configuration file.
Example:
SwitchDevice# copy running-config startup-config
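The two controls from the sections "Preventing Join Messages to False RPs" and "Filtering Incoming RP Announcement Messages" applied together: the mapping agent only relays announcements from known candidate RPs for known group ranges, and every router only sends joins toward RPs that came through Auto-RP. This is an added example, not configuration from the original guide; the candidate RP addresses 10.1.10.1 and 10.1.20.1, the 239.0.0.0/8 range and the access-list numbers are assumptions.

```cisco
! ===== On each Auto-RP mapping agent =====
! rp-list: only these two addresses may be advertised as an RP.
access-list 10 permit host 10.1.10.1
access-list 10 permit host 10.1.20.1
! group-list: and only for the administratively scoped range. A candidate
! that announces itself for 224/4 or for any other range is dropped.
access-list 14 permit 239.0.0.0 0.255.255.255
!
! Weak default: without the filter every RP-announce heard on 224.0.1.39
! is accepted and re-advertised to the whole cloud on 224.0.1.40.
ip pim rp-announce-filter rp-list 10 group-list 14
ip pim send-rp-discovery scope 50
!
! ===== On every PIM router and multilayer switch =====
! Accept join/prune messages only for RPs learned through Auto-RP; a join
! naming any other RP address is rejected.
ip pim accept-rp auto-rp
!
! Alternative when the RPs are known in advance: name them explicitly and
! tie each one to the groups it is allowed to serve (access list 14 above).
!   ip pim accept-rp 10.1.10.1 14
!   ip pim accept-rp 10.1.20.1 14
```

Two caveats a practitioner should keep in mind. First, the rp-list filter matches the RP address carried inside the announcement, which a hostile sender chooses, so the filter raises the bar but is not authentication; pair it with an ip multicast boundary that drops 224.0.1.39 and 224.0.1.40 at every edge interface (see "Defining the IP Multicast Boundary" later in this chapter) so that announcements can only originate inside the domain. Second, once any ip pim accept-rp statement is configured, every RP that is meant to be usable must be covered by one, including a statically configured RP; a static RP left out of the accept-rp statements stops receiving joins.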

Configuring PIMv2 BSR


The process for configuring PIMv2 BSR may involve the following optional tasks:
• Defining the PIM domain border
• Defining the IP multicast boundary
• Configuring candidate BSRs
• Configuring candidate RPs

Defining the PIM Domain Border


Perform the following steps to configure the PIM domain border. This procedure is optional.

SUMMARY STEPS
1. enable
2. configure terminal
3. interface interface-id
4. ip pim bsr-border
5. end


6. show running-config
7. copy running-config startup-config

DETAILED STEPS

Step 1   enable
Purpose: Enables privileged EXEC mode. Enter your password if prompted.
Example:
SwitchDevice> enable

Step 2   configure terminal
Purpose: Enters global configuration mode.
Example:
SwitchDevice# configure terminal

Step 3   interface interface-id
Purpose: Specifies the interface to be configured, and enters interface configuration mode.
Example:
SwitchDevice(config)# interface gigabitethernet 1/0/1

Step 4   ip pim bsr-border
Purpose: Defines a PIM bootstrap message boundary for the PIM domain.
Enter this command on each interface that connects to other bordering PIM domains. This command instructs the switch to neither send nor receive PIMv2 BSR messages on this interface.
Note To remove the PIM border, use the no ip pim bsr-border interface configuration command.
Example:
SwitchDevice(config-if)# ip pim bsr-border

Step 5   end
Purpose: Returns to privileged EXEC mode.
Example:
SwitchDevice(config)# end

Step 6   show running-config
Purpose: Verifies your entries.
Example:
SwitchDevice# show running-config

Step 7   copy running-config startup-config
Purpose: (Optional) Saves your entries in the configuration file.
Example:
SwitchDevice# copy running-config startup-config

Defining the IP Multicast Boundary


You define a multicast boundary to prevent Auto-RP messages from entering the PIM domain. You create
an access list to deny packets destined for 224.0.1.39 and 224.0.1.40, which carry Auto-RP information.
This procedure is optional.

SUMMARY STEPS
1. enable
2. configure terminal
3. access-list access-list-number deny source [source-wildcard]
4. interface interface-id
5. ip multicast boundary access-list-number
6. end
7. show running-config
8. copy running-config startup-config

DETAILED STEPS

Step 1   enable
Purpose: Enables privileged EXEC mode. Enter your password if prompted.
Example:
SwitchDevice> enable

Step 2   configure terminal
Purpose: Enters global configuration mode.
Example:
SwitchDevice# configure terminal

Step 3   access-list access-list-number deny source [source-wildcard]
Purpose: Creates a standard access list, repeating the command as many times as necessary.
• For access-list-number, the range is 1 to 99.
• The deny keyword denies access if the conditions are matched.
• For source, enter multicast addresses 224.0.1.39 and 224.0.1.40, which carry Auto-RP information.
• (Optional) For source-wildcard, enter the wildcard bits in dotted decimal notation to be applied to the source. Place ones in the bit positions that you want to ignore.
The access list is always terminated by an implicit deny statement for everything. A multicast boundary forwards only the groups that the access list permits, so add a permit entry for the group ranges that are allowed to cross the boundary; a list that contains only the two deny entries blocks every multicast group on that interface.
Example:
SwitchDevice(config)# access-list 12 deny 224.0.1.39
SwitchDevice(config)# access-list 12 deny 224.0.1.40

Step 4   interface interface-id
Purpose: Specifies the interface to be configured, and enters interface configuration mode.
Example:
SwitchDevice(config)# interface gigabitethernet 1/0/1

Step 5   ip multicast boundary access-list-number
Purpose: Configures the boundary, specifying the access list you created in Step 3.
Example:
SwitchDevice(config-if)# ip multicast boundary 12

Step 6   end
Purpose: Returns to privileged EXEC mode.
Example:
SwitchDevice(config)# end

Step 7   show running-config
Purpose: Verifies your entries.
Example:
SwitchDevice# show running-config

Step 8   copy running-config startup-config
Purpose: (Optional) Saves your entries in the configuration file.
Example:
SwitchDevice# copy running-config startup-config

Configuring Candidate BSRs


You can configure one or more candidate BSRs. The devices serving as candidate BSRs should have good
connectivity to other devices and be in the backbone portion of the network.
This procedure is optional.

SUMMARY STEPS
1. enable
2. configure terminal
3. ip pim bsr-candidate interface-id hash-mask-length [priority]
4. end


5. show running-config
6. copy running-config startup-config

DETAILED STEPS

Step 1   enable
Purpose: Enables privileged EXEC mode. Enter your password if prompted.
Example:
SwitchDevice> enable

Step 2   configure terminal
Purpose: Enters global configuration mode.
Example:
SwitchDevice# configure terminal

Step 3   ip pim bsr-candidate interface-id hash-mask-length [priority]
Purpose: Configures your switch to be a candidate BSR.
• For interface-id, enter the interface on this switch from which the BSR address is derived to make it a candidate. This interface must be enabled with PIM. Valid interfaces include physical ports, port channels, and VLANs.
• For hash-mask-length, specify the mask length (32 bits maximum) that is to be ANDed with the group address before the hash function is called. All groups with the same seed hash correspond to the same RP. For example, if this value is 24, only the first 24 bits of the group addresses matter.
• (Optional) For priority, enter a number from 0 to 255. The BSR with the larger priority is preferred. If the priority values are the same, the device with the highest IP address is selected as the BSR. The default is 0.
Example:
SwitchDevice(config)# ip pim bsr-candidate gigabitethernet 1/0/3 28 100

Step 4   end
Purpose: Returns to privileged EXEC mode.
Example:
SwitchDevice(config)# end

Step 5   show running-config
Purpose: Verifies your entries.
Example:
SwitchDevice# show running-config

Step 6   copy running-config startup-config
Purpose: (Optional) Saves your entries in the configuration file.
Example:
SwitchDevice# copy running-config startup-config

Configuring the Candidate RPs


You can configure one or more candidate RPs. Similar to BSRs, the RPs should also have good connectivity
to other devices and be in the backbone portion of the network. An RP can serve the entire IP multicast address
space or a portion of it. Candidate RPs send candidate RP advertisements to the BSR.
This procedure is optional.

Before you begin


When deciding which devices should be RPs, consider these options:
• In a network of Cisco routers and multilayer switches where only Auto-RP is used, any device can be
configured as an RP.
• In a network of Cisco PIMv2 routers and multilayer switches together with PIMv2 routers from other
vendors, any device can be used as an RP.
• In a network of Cisco PIMv1 routers, Cisco PIMv2 routers, and routers from other vendors, configure
only Cisco PIMv2 routers and multilayer switches as RPs.

SUMMARY STEPS
1. enable
2. configure terminal
3. ip pim rp-candidate interface-id [group-list access-list-number]
4. access-list access-list-number {deny | permit} source [source-wildcard]
5. end
6. show running-config
7. copy running-config startup-config

DETAILED STEPS

Step 1   enable
Purpose: Enables privileged EXEC mode. Enter your password if prompted.
Example:
SwitchDevice> enable

Step 2   configure terminal
Purpose: Enters global configuration mode.
Example:
SwitchDevice# configure terminal

Step 3   ip pim rp-candidate interface-id [group-list access-list-number]
Purpose: Configures your switch to be a candidate RP.
• For interface-id, specify the interface whose associated IP address is advertised as a candidate RP address. Valid interfaces include physical ports, port channels, and VLANs.
• (Optional) For group-list access-list-number, enter an IP standard access list number from 1 to 99. If no group-list is specified, the switch is a candidate RP for all groups.
Example:
SwitchDevice(config)# ip pim rp-candidate gigabitethernet 1/0/5 group-list 10

Step 4   access-list access-list-number {deny | permit} source [source-wildcard]
Purpose: Creates a standard access list, repeating the command as many times as necessary.
• For access-list-number, enter the access list number specified in Step 3.
• The deny keyword denies access if the conditions are matched. The permit keyword permits access if the conditions are matched.
• For source, enter the multicast group address range for which this switch should be advertised as a candidate RP.
• (Optional) For source-wildcard, enter the wildcard bits in dotted decimal notation to be applied to the source. Place ones in the bit positions that you want to ignore.
The access list is always terminated by an implicit deny statement for everything.
Example:
SwitchDevice(config)# access-list 10 permit 239.0.0.0 0.255.255.255

Step 5   end
Purpose: Returns to privileged EXEC mode.
Example:
SwitchDevice(config)# end

Step 6   show running-config
Purpose: Verifies your entries.
Example:
SwitchDevice# show running-config

Step 7   copy running-config startup-config
Purpose: (Optional) Saves your entries in the configuration file.
Example:
SwitchDevice# copy running-config startup-config
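The four optional PIMv2 BSR tasks above (domain border, multicast boundary, candidate BSR, candidate RP) combined on one backbone switch that also has an interface toward a neighboring PIM domain. This is an added example, not configuration from the original guide; the VLAN and port numbers, addresses, group ranges, hash mask length and priority are assumptions.

```cisco
! ===== Backbone switch: candidate BSR and candidate RP =====
ip multicast-routing
!
interface Vlan100
 ip address 10.10.100.1 255.255.255.0
 ip pim sparse-mode
!
! Candidate BSR. hash-mask-length 30 means groups that share their first
! 30 bits hash to the same RP, i.e. consecutive groups are spread across
! the candidate RPs in blocks of four. Priority 100 beats the default 0.
ip pim bsr-candidate Vlan100 30 100
!
! Candidate RP for the administratively scoped range only; the implicit
! deny keeps this switch from being advertised as RP for anything else.
access-list 10 permit 239.0.0.0 0.255.255.255
ip pim rp-candidate Vlan100 group-list 10
!
! ===== Border interface toward another PIM domain =====
! Multicast boundary ACL: permitted groups may cross the interface, denied
! groups may not. The first two deny entries keep Auto-RP announcements
! and discovery messages out of (and in) the domain; the third keeps the
! administratively scoped range local. The final permit is required: with
! only deny entries the implicit deny would block every multicast group.
access-list 12 deny   224.0.1.39
access-list 12 deny   224.0.1.40
access-list 12 deny   239.0.0.0 0.255.255.255
access-list 12 permit 224.0.0.0 15.255.255.255
!
interface GigabitEthernet1/0/1
 ip pim sparse-mode
 ip pim bsr-border
 ip multicast boundary 12
```

ip pim bsr-border and ip multicast boundary cover different messages and both are needed at the edge: the border stops PIMv2 bootstrap messages from being sent or received on the interface, while the boundary ACL stops the data-plane groups that carry Auto-RP. After the change, show ip pim rp mapping on a router inside the domain should show 10.10.100.1 as the RP for 239.0.0.0/8 learned from the BSR, and a router on the far side of GigabitEthernet1/0/1 should learn nothing from this domain.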

Delaying the Use of PIM Shortest-Path Tree


Perform these steps to configure a traffic rate threshold that must be reached before multicast routing is
switched from the shared tree to the shortest-path tree (source tree).
This procedure is optional.

SUMMARY STEPS
1. enable
2. configure terminal
3. access-list access-list-number {deny | permit} source [source-wildcard]
4. ip pim spt-threshold {kbps | infinity} [group-list access-list-number]
5. end
6. show running-config
7. copy running-config startup-config

DETAILED STEPS

Step 1   enable
Purpose: Enables privileged EXEC mode. Enter your password if prompted.
Example:
SwitchDevice> enable

Step 2   configure terminal
Purpose: Enters global configuration mode.
Example:
SwitchDevice# configure terminal

Step 3   access-list access-list-number {deny | permit} source [source-wildcard]
Purpose: Creates a standard access list.
• For access-list-number, the range is 1 to 99.
• The deny keyword denies access if the conditions are matched.
• The permit keyword permits access if the conditions are matched.
• For source, specify the multicast group to which the threshold will apply.
• (Optional) For source-wildcard, enter the wildcard bits in dotted decimal notation to be applied to the source. Place ones in the bit positions that you want to ignore.
The access list is always terminated by an implicit deny statement for everything.
Example:
SwitchDevice(config)# access-list 16 permit 225.0.0.0 0.255.255.255

Step 4   ip pim spt-threshold {kbps | infinity} [group-list access-list-number]
Purpose: Specifies the threshold that must be reached before moving to the shortest-path tree (SPT).
• For kbps, specify the traffic rate in kilobits per second. The default is 0 kbps.
Note Because of switch hardware limitations, 0 kbps is the only valid entry even though the range is 0 to 4294967.
• Specify infinity if you want all sources for the specified group to use the shared tree, never switching to the source tree.
• (Optional) For group-list access-list-number, specify the access list created in Step 3. If the value is 0 or if the group list is not used, the threshold applies to all groups.
Example:
SwitchDevice(config)# ip pim spt-threshold infinity group-list 16

Step 5   end
Purpose: Returns to privileged EXEC mode.
Example:
SwitchDevice(config)# end

Step 6   show running-config
Purpose: Verifies your entries.
Example:
SwitchDevice# show running-config

Step 7   copy running-config startup-config
Purpose: (Optional) Saves your entries in the configuration file.
Example:
SwitchDevice# copy running-config startup-config


Modifying the PIM Router-Query Message Interval


PIM routers and multilayer switches send PIM router-query messages to find which device will be the
designated router (DR) for each LAN segment (subnet). The DR is responsible for sending IGMP host-query
messages to all hosts on the directly connected LAN.
With PIM DM operation, the DR has meaning only if IGMPv1 is in use. IGMPv1 does not have an IGMP
querier election process, so the elected DR functions as the IGMP querier. With PIM-SM operation, the DR
is the device that is directly connected to the multicast source. It sends PIM register messages to notify the
RP that multicast traffic from a source needs to be forwarded down the shared tree. In this case, the DR is the
device with the highest IP address.
This procedure is optional.

SUMMARY STEPS
1. enable
2. configure terminal
3. interface interface-id
4. ip pim query-interval seconds
5. end
6. show ip igmp interface [interface-id]
7. copy running-config startup-config

DETAILED STEPS

Step 1   enable
Purpose: Enables privileged EXEC mode. Enter your password if prompted.
Example:
SwitchDevice> enable

Step 2   configure terminal
Purpose: Enters global configuration mode.
Example:
SwitchDevice# configure terminal

Step 3   interface interface-id
Purpose: Specifies the interface to be configured, and enters interface configuration mode.
Example:
SwitchDevice(config)# interface gigabitethernet 1/0/1

Step 4   ip pim query-interval seconds
Purpose: Configures the frequency at which the switch sends PIM router-query messages.
The default is 30 seconds. The range is 1 to 65535.
Example:
SwitchDevice(config-if)# ip pim query-interval 45

Step 5   end
Purpose: Returns to privileged EXEC mode.
Example:
SwitchDevice(config)# end

Step 6   show ip igmp interface [interface-id]
Purpose: Verifies your entries.
Example:
SwitchDevice# show ip igmp interface

Step 7   copy running-config startup-config
Purpose: (Optional) Saves your entries in the configuration file.
Example:
SwitchDevice# copy running-config startup-config

Verifying PIM Operations


Verifying IP Multicast Operation in a PIM-SM or a PIM-SSM Network
Perform the following optional tasks to verify IP multicast operation in a PIM-SM or a PIM-SSM network.
The steps in these tasks help to locate a faulty hop when sources and receivers are not operating as expected.

Note: If packets are not reaching their expected destinations, you might want to consider disabling IP multicast fast
switching, which would place the router in process switching mode. If packets begin reaching their proper
destinations after IP multicast fast switching has been disabled, then the issue most likely was related to IP
multicast fast switching.

Verifying IP Multicast on the First Hop Router


Enter these commands on the first hop router to verify IP multicast operations on the first hop router:

SUMMARY STEPS
1. enable
2. show ip mroute [group-address]
3. show ip mroute active [kb/s]

DETAILED STEPS

Step 1 enable
Purpose: Enables privileged EXEC mode. Enter your password if prompted.
Example:
SwitchDevice> enable

Step 2 show ip mroute [group-address]
Purpose: Confirms that the F flag has been set for mroutes on the first hop router.
Example:
SwitchDevice# show ip mroute 239.1.2.3
(*, 239.1.2.3), 00:18:10/stopped, RP 172.16.0.1, flags: SPF
  Incoming interface: Serial1/0, RPF nbr 172.31.200.2
  Outgoing interface list: Null

(10.0.0.1, 239.1.2.3), 00:18:10/00:03:22, flags: FT
  Incoming interface: GigabitEthernet0/0/0, RPF nbr 0.0.0.0
  Outgoing interface list:
    Serial1/0, Forward/Sparse-Dense, 00:18:10/00:03:19

Step 3 show ip mroute active [kb/s]
Purpose: Displays information about active multicast sources sending to groups. The output of this command provides information about the multicast packet rate for active sources.
Note: By default, the output of the show ip mroute command with the active keyword displays information about active sources sending traffic to groups at a rate greater than or equal to 4 kb/s. To display information about active sources sending low-rate traffic to groups (that is, traffic less than 4 kb/s), specify a value of 1 for the kb/s argument. Specifying a value of 1 for this argument displays information about active sources sending traffic to groups at a rate equal to or greater than 1 kb/s, which effectively displays information about all possible active source traffic.
Example:
SwitchDevice# show ip mroute active
Active IP Multicast Sources - sending >= 4 kbps

Group: 239.1.2.3, (?)
  Source: 10.0.0.1 (?)
    Rate: 20 pps/4 kbps(1sec), 4 kbps(last 30 secs), 4 kbps(life avg)

Verifying IP Multicast on Routers Along the SPT


Enter these commands on routers along the SPT to verify IP multicast operations on routers along the SPT in
a PIM-SM or PIM-SSM network:

SUMMARY STEPS
1. enable
2. show ip mroute [group-address]
3. show ip mroute active

DETAILED STEPS

Step 1 enable
Purpose: Enables privileged EXEC mode. Enter your password if prompted.
Example:
SwitchDevice> enable

Step 2 show ip mroute [group-address]
Purpose: Confirms the RPF neighbor towards the source for a particular group or groups.
Example:
SwitchDevice# show ip mroute 239.1.2.3
(*, 239.1.2.3), 00:17:56/00:03:02, RP 172.16.0.1, flags: S
  Incoming interface: Null, RPF nbr 0.0.0.0
  Outgoing interface list:
    GigabitEthernet0/0/0, Forward/Sparse-Dense, 00:17:56/00:03:02

(10.0.0.1, 239.1.2.3), 00:15:34/00:03:28, flags: T
  Incoming interface: Serial1/0, RPF nbr 172.31.200.1
  Outgoing interface list:
    GigabitEthernet0/0/0, Forward/Sparse-Dense, 00:15:34/00:03:02

Step 3 show ip mroute active
Purpose: Displays information about active multicast sources sending to groups. The output of this command provides information about the multicast packet rate for active sources.
Note: By default, the output of the show ip mroute command with the active keyword displays information about active sources sending traffic to groups at a rate greater than or equal to 4 kb/s. To display information about active sources sending low-rate traffic to groups (that is, traffic less than 4 kb/s), specify a value of 1 for the kb/s argument. Specifying a value of 1 for this argument displays information about active sources sending traffic to groups at a rate equal to or greater than 1 kb/s, which effectively displays information about all possible active source traffic.
Example:
SwitchDevice# show ip mroute active
Active IP Multicast Sources - sending >= 4 kbps

Group: 239.1.2.3, (?)
  Source: 10.0.0.1 (?)
    Rate: 20 pps/4 kbps(1sec), 4 kbps(last 30 secs), 4 kbps(life avg)

Verifying IP Multicast Operation on the Last Hop Router


Enter these commands on the last hop router to verify IP multicast operations on the last hop router:

SUMMARY STEPS
1. enable
2. show ip igmp groups
3. show ip pim rp mapping
4. show ip mroute
5. show ip interface [type number]
6. show ip pim interface count
7. show ip mroute count
8. show ip mroute active [kb/s]

DETAILED STEPS

Step 1 enable
Purpose: Enables privileged EXEC mode. Enter your password if prompted.
Example:
SwitchDevice> enable

Step 2 show ip igmp groups
Purpose: Verifies IGMP memberships on the last hop router. This information will confirm the multicast groups with receivers that are directly connected to the last hop router and that are learned through IGMP.
Example:
SwitchDevice# show ip igmp groups
IGMP Connected Group Membership
Group Address    Interface              Uptime    Expires   Last Reporter
239.1.2.3        GigabitEthernet1/0/0   00:05:14  00:02:14  10.1.0.6
224.0.1.39       GigabitEthernet0/0/0   00:09:11  00:02:08  172.31.100.1

Step 3 show ip pim rp mapping
Purpose: Confirms that the group-to-RP mappings are being populated correctly on the last hop router.
Note: Ignore this step if you are verifying a last hop router in a PIM-SSM network. The show ip pim rp mapping command does not work with routers in a PIM-SSM network because PIM-SSM does not use RPs. In addition, if configured correctly, PIM-SSM groups do not appear in the output of the show ip pim rp mapping command.
Example:
SwitchDevice# show ip pim rp mapping
PIM Group-to-RP Mappings

Group(s) 224.0.0.0/4
  RP 172.16.0.1 (?), v2v1
    Info source: 172.16.0.1 (?), elected via Auto-RP
         Uptime: 00:09:11, expires: 00:02:47

Step 4 show ip mroute
Purpose: Verifies that the mroute table is being populated properly on the last hop router.
Example:
SwitchDevice# show ip mroute
(*, 239.1.2.3), 00:05:14/00:03:04, RP 172.16.0.1, flags: SJC
  Incoming interface: GigabitEthernet0/0/0, RPF nbr 172.31.100.1
  Outgoing interface list:
    GigabitEthernet1/0, Forward/Sparse-Dense, 00:05:10/00:03:04

(10.0.0.1, 239.1.2.3), 00:02:49/00:03:29, flags: T
  Incoming interface: GigabitEthernet0/0/0, RPF nbr 172.31.100.1
  Outgoing interface list:
    GigabitEthernet1/0, Forward/Sparse-Dense, 00:02:49/00:03:04

(*, 224.0.1.39), 00:10:05/stopped, RP 0.0.0.0, flags: DC
  Incoming interface: Null, RPF nbr 0.0.0.0
  Outgoing interface list:
    GigabitEthernet1/0, Forward/Sparse-Dense, 00:05:15/00:00:00
    GigabitEthernet0/0, Forward/Sparse-Dense, 00:10:05/00:00:00

(172.16.0.1, 224.0.1.39), 00:02:00/00:01:33, flags: PTX
  Incoming interface: GigabitEthernet0/0/0, RPF nbr 172.31.100.1

Step 5 show ip interface [type number]
Purpose: Verifies that multicast fast switching is enabled for optimal performance on the outgoing interface on the last hop router.
Note: Using the no ip mroute-cache interface command disables IP multicast fast-switching. When IP multicast fast switching is disabled, packets are forwarded through the process-switched path.
Example:
SwitchDevice# show ip interface GigabitEthernet 0/0/0
GigabitEthernet0/0 is up, line protocol is up
  Internet address is 172.31.100.2/24
  Broadcast address is 255.255.255.255
  Address determined by setup command
  MTU is 1500 bytes
  Helper address is not set
  Directed broadcast forwarding is disabled
  Multicast reserved groups joined: 224.0.0.1 224.0.0.22 224.0.0.13 224.0.0.5 224.0.0.6
  Outgoing access list is not set
  Inbound access list is not set
  Proxy ARP is enabled
  Local Proxy ARP is disabled
  Security level is default
  Split horizon is enabled
  ICMP redirects are always sent
  ICMP unreachables are always sent
  ICMP mask replies are never sent
  IP fast switching is enabled
  IP fast switching on the same interface is disabled
  IP Flow switching is disabled
  IP CEF switching is disabled
  IP Fast switching turbo vector
  IP multicast fast switching is enabled
  IP multicast distributed fast switching is disabled
  IP route-cache flags are Fast
  Router Discovery is disabled
  IP output packet accounting is disabled
  IP access violation accounting is disabled
  TCP/IP header compression is disabled
  RTP/IP header compression is disabled
  Policy routing is disabled
  Network address translation is disabled
  WCCP Redirect outbound is disabled
  WCCP Redirect inbound is disabled
  WCCP Redirect exclude is disabled
  BGP Policy Mapping is disabled

Step 6 show ip pim interface count
Purpose: Confirms that multicast traffic is being forwarded on the last hop router.
Example:
SwitchDevice# show ip pim interface count

State: * - Fast Switched, D - Distributed Fast Switched
       H - Hardware Switching Enabled
Address          Interface              FS  Mpackets In/Out
172.31.100.2     GigabitEthernet0/0/0   *   4122/0
10.1.0.1         GigabitEthernet1/0/0   *   0/3193

Step 7 show ip mroute count
Purpose: Confirms that multicast traffic is being forwarded on the last hop router.
Example:
SwitchDevice# show ip mroute count
IP Multicast Statistics
6 routes using 4008 bytes of memory
3 groups, 1.00 average sources per group
Forwarding Counts: Pkt Count/Pkts per second/Avg Pkt Size/Kilobits per second
Other counts: Total/RPF failed/Other drops(OIF-null, rate-limit etc)

Group: 239.1.2.3, Source count: 1, Packets forwarded: 3165, Packets received: 3165
  RP-tree: Forwarding: 0/0/0/0, Other: 0/0/0
  Source: 10.0.0.1/32, Forwarding: 3165/20/28/4, Other: 0/0/0

Group: 224.0.1.39, Source count: 1, Packets forwarded: 21, Packets received: 120
  Source: 172.16.0.1/32, Forwarding: 21/1/48/0, Other: 120/0/99

Group: 224.0.1.40, Source count: 1, Packets forwarded: 10, Packets received: 10
  Source: 172.16.0.1/32, Forwarding: 10/1/48/0, Other: 10/0/0

Step 8 show ip mroute active [kb/s]
Purpose: Displays information about active multicast sources sending traffic to groups on the last hop router. The output of this command provides information about the multicast packet rate for active sources.
Note: By default, the output of the show ip mroute command with the active keyword displays information about active sources sending traffic to groups at a rate greater than or equal to 4 kb/s. To display information about active sources sending low-rate traffic to groups (that is, traffic less than 4 kb/s), specify a value of 1 for the kb/s argument. Specifying a value of 1 for this argument displays information about active sources sending traffic to groups at a rate equal to or greater than 1 kb/s, which effectively displays information about all possible active source traffic.
Example:
SwitchDevice# show ip mroute active
Active IP Multicast Sources - sending >= 4 kbps

Group: 239.1.2.3, (?)
  Source: 10.0.0.1 (?)
    Rate: 20 pps/4 kbps(1sec), 4 kbps(last 50 secs), 4 kbps(life avg)
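The three verification tasks above each read flags and RPF information out of show ip mroute by eye. The following Python, an added example and not code from the Cisco guide, parses that output and applies the same per-hop checks (F flag on the first hop router, T flag plus a real RPF neighbor on routers along the SPT, C flag and a populated outgoing interface list on the last hop router). The sample outputs are constructed from the guide's show ip mroute 239.1.2.3 examples, and the parser and check function names are this example's own.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Entry header: "(S, G), uptime/expires, [RP x.x.x.x, ]flags: XYZ"; src "*" is the (*, G) entry.
ENTRY_RE = re.compile(
    r"^\((?P<src>\*|[\d.]+), (?P<grp>[\d.]+)\), [^/]+/[^,]+, "
    r"(?:RP (?P<rp>[\d.]+), )?flags: (?P<flags>\S+)$"
)
IIF_RE = re.compile(r"^Incoming interface: (?P<iif>\S+), RPF nbr (?P<nbr>[\d.]+)")
OIF_RE = re.compile(r"^(?P<oif>\S+), Forward/")  # one line per outgoing interface list member


@dataclass
class Mroute:
    source: str  # "*" for the shared-tree (*, G) entry
    group: str
    rp: Optional[str]
    flags: str  # IOS flag letters as printed, e.g. "SJC" or "FT"
    iif: str = ""
    rpf_nbr: str = ""
    oil: List[str] = field(default_factory=list)


def parse_mroute(text: str) -> List[Mroute]:
    """Turn 'show ip mroute' output into one Mroute per (*, G) / (S, G) block."""
    routes: List[Mroute] = []
    cur: Optional[Mroute] = None
    for raw in text.splitlines():
        line = raw.strip()
        if m := ENTRY_RE.match(line):
            cur = Mroute(m["src"], m["grp"], m["rp"], m["flags"])
            routes.append(cur)
        elif cur is not None and (m := IIF_RE.match(line)):
            cur.iif, cur.rpf_nbr = m["iif"], m["nbr"]
        elif cur is not None and (m := OIF_RE.match(line)):
            cur.oil.append(m["oif"])
    return routes


def _entries(routes, group, shared):
    return [r for r in routes if r.group == group and (r.source == "*") == shared]


def check_first_hop(routes, group):
    """First hop router: every (S, G) for the group must carry the F (register) flag."""
    sg = _entries(routes, group, shared=False)
    return bool(sg) and all("F" in r.flags for r in sg)


def check_spt_hop(routes, group):
    """Router along the SPT: (S, G) has the T flag and a real RPF neighbor towards the source."""
    sg = _entries(routes, group, shared=False)
    return bool(sg) and all("T" in r.flags and r.rpf_nbr != "0.0.0.0" for r in sg)


def check_last_hop(routes, group):
    """Last hop router: (*, G) has the C flag (directly connected member) and (S, G) has an OIL."""
    star, sg = _entries(routes, group, shared=True), _entries(routes, group, shared=False)
    return bool(star) and all("C" in r.flags for r in star) and bool(sg) and all(r.oil for r in sg)


# Constructed samples, taken from the guide's three 'show ip mroute 239.1.2.3' outputs above.
FIRST_HOP = """
(*, 239.1.2.3), 00:18:10/stopped, RP 172.16.0.1, flags: SPF
  Incoming interface: Serial1/0, RPF nbr 172.31.200.2
  Outgoing interface list: Null

(10.0.0.1, 239.1.2.3), 00:18:10/00:03:22, flags: FT
  Incoming interface: GigabitEthernet0/0/0, RPF nbr 0.0.0.0
  Outgoing interface list:
    Serial1/0, Forward/Sparse-Dense, 00:18:10/00:03:19
"""
SPT_HOP = """
(*, 239.1.2.3), 00:17:56/00:03:02, RP 172.16.0.1, flags: S
  Incoming interface: Null, RPF nbr 0.0.0.0
  Outgoing interface list:
    GigabitEthernet0/0/0, Forward/Sparse-Dense, 00:17:56/00:03:02

(10.0.0.1, 239.1.2.3), 00:15:34/00:03:28, flags: T
  Incoming interface: Serial1/0, RPF nbr 172.31.200.1
  Outgoing interface list:
    GigabitEthernet0/0/0, Forward/Sparse-Dense, 00:15:34/00:03:02
"""
LAST_HOP = """
(*, 239.1.2.3), 00:05:14/00:03:04, RP 172.16.0.1, flags: SJC
  Incoming interface: GigabitEthernet0/0/0, RPF nbr 172.31.100.1
  Outgoing interface list:
    GigabitEthernet1/0, Forward/Sparse-Dense, 00:05:10/00:03:04

(10.0.0.1, 239.1.2.3), 00:02:49/00:03:29, flags: T
  Incoming interface: GigabitEthernet0/0/0, RPF nbr 172.31.100.1
  Outgoing interface list:
    GigabitEthernet1/0, Forward/Sparse-Dense, 00:02:49/00:03:04
"""
```

Run each router's output through the check for the role it is supposed to play; a router that passes none of the three is the faulty hop the tasks are designed to locate.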

Using PIM-Enabled Routers to Test IP Multicast Reachability


If all the PIM-enabled routers and access servers that you administer are members of a multicast group, pinging
that group causes all routers to respond, which can be a useful administrative and debugging tool.
To use PIM-enabled routers to test IP multicast reachability, perform the following tasks:

Configuring Routers to Respond to Multicast Pings

SUMMARY STEPS
1. enable
2. configure terminal
3. interface type number
4. ip igmp join-group group-address
5. Repeat Step 3 and Step 4 for each interface on the router participating in the multicast network.
6. end

DETAILED STEPS

Step 1 enable
Purpose: Enables privileged EXEC mode. Enter your password if prompted.
Example:
SwitchDevice> enable

Step 2 configure terminal
Purpose: Enters global configuration mode.
Example:
SwitchDevice# configure terminal

Step 3 interface type number
Purpose: Enters interface configuration mode. For the type and number arguments, specify an interface that is directly connected to hosts or is facing hosts.
Example:
SwitchDevice(config)# interface gigabitethernet 1/0/0

Step 4 ip igmp join-group group-address
Purpose: (Optional) Configures an interface on the router to join the specified group. For the purpose of this task, configure the same group address for the group-address argument on all interfaces on the router participating in the multicast network.
Note: With this method, the router accepts the multicast packets in addition to forwarding them. Accepting the multicast packets prevents the router from fast switching.
Example:
SwitchDevice(config-if)# ip igmp join-group 225.2.2.2

Step 5 Repeat Step 3 and Step 4 for each interface on the router participating in the multicast network.

Step 6 end
Purpose: Ends the current configuration session and returns to privileged EXEC mode.
Example:
SwitchDevice(config-if)# end

Pinging Routers Configured to Respond to Multicast Pings


Perform the following task on a router to initiate a ping test to the routers configured to respond to multicast pings. This task is used to
test IP multicast reachability in a network.

SUMMARY STEPS
1. enable
2. ping group-address

DETAILED STEPS

Step 1 enable
Purpose: Enables privileged EXEC mode. Enter your password if prompted.
Example:
SwitchDevice> enable

Step 2 ping group-address
Purpose: Pings an IP multicast group address. A successful response indicates that the group address is functioning.
Example:
SwitchDevice# ping 225.2.2.2

Monitoring and Troubleshooting PIM


Monitoring PIM Information
Use the privileged EXEC commands in the following table to monitor your PIM configurations.

Table 109: PIM Monitoring Commands

Command: show ip pim interface
Purpose: Displays information about interfaces configured for Protocol Independent Multicast (PIM).

Command: show ip pim neighbor
Purpose: Displays the PIM neighbor information.

Command: show ip pim rp [group-name | group-address]
Purpose: Displays RP routers associated with a sparse-mode multicast group. This command is available in all software images.

Monitoring the RP Mapping and BSR Information


Use the privileged EXEC commands in the following table to verify the consistency of group-to-RP mappings:

Table 110: RP Mapping Monitoring Commands

Command: show ip pim rp [hostname or IP address | mapping [hostname or IP address | elected | in-use] | metric [hostname or IP address]]
Purpose: Displays all available RP mappings and metrics. This tells you how the switch learns of the RP (through the BSR or the Auto-RP mechanism).
• (Optional) For the hostname, specify the IP name of the group about which to display RPs.
• (Optional) For the IP address, specify the IP address of the group about which to display RPs.
• (Optional) Use the mapping keyword to display all group-to-RP mappings of which the Cisco device is aware (either configured or learned from Auto-RP).
• (Optional) Use the metric keyword to display the RP RPF metric.

Command: show ip pim rp-hash group
Purpose: Displays the RP that was selected for the specified group. That is, on a PIMv2 router or multilayer switch, confirms that the same RP is the one that a PIMv1 system chooses. For group, enter the group address for which to display RP information.

Use the privileged EXEC commands in the following table to monitor BSR information:

Table 111: BSR Monitoring Commands

Command: show ip pim bsr
Purpose: Displays information about the elected BSR.

Troubleshooting PIMv1 and PIMv2 Interoperability Problems


When debugging interoperability problems between PIMv1 and PIMv2, check these in the order shown:
1. Verify RP mapping with the show ip pim rp-hash privileged EXEC command, making sure that all
systems agree on the same RP for the same group.
2. Verify interoperability between different versions of DRs and RPs. Make sure that the RPs are interacting
with the DRs properly (by responding with register-stops and forwarding decapsulated data packets from
registers).

Configuration Examples for PIM


Example: Enabling PIM Stub Routing
In this example, IP multicast routing is enabled, and Switch A PIM uplink port 25 is configured as a routed uplink
port with sparse-dense-mode enabled. PIM stub routing is enabled on the VLAN 100 interfaces and on Gigabit
Ethernet port 20.

SwitchDevice(config)# ip multicast-routing distributed
SwitchDevice(config)# interface GigabitEthernet3/0/25
SwitchDevice(config-if)# no switchport
SwitchDevice(config-if)# ip address 3.1.1.2 255.255.255.0
SwitchDevice(config-if)# ip pim sparse-dense-mode
SwitchDevice(config-if)# exit
SwitchDevice(config)# interface vlan100
SwitchDevice(config-if)# ip pim passive
SwitchDevice(config-if)# exit
SwitchDevice(config)# interface GigabitEthernet3/0/20
SwitchDevice(config-if)# ip pim passive
SwitchDevice(config-if)# exit
SwitchDevice(config)# interface vlan100
SwitchDevice(config-if)# ip address 100.1.1.1 255.255.255.0
SwitchDevice(config-if)# ip pim passive
SwitchDevice(config-if)# exit
SwitchDevice(config)# interface GigabitEthernet3/0/20
SwitchDevice(config-if)# no switchport
SwitchDevice(config-if)# ip address 10.1.1.1 255.255.255.0
SwitchDevice(config-if)# ip pim passive
SwitchDevice(config-if)# end

Example: Verifying PIM Stub Routing


To verify that PIM stub is enabled for each interface, use the show ip pim interface privileged EXEC
command:

SwitchDevice# show ip pim interface

Address     Interface              Ver/   Nbr    Query  DR     DR
                                   Mode   Count  Intvl  Prior
3.1.1.2     GigabitEthernet3/0/25  v2/SD  1      30     1      3.1.1.2
100.1.1.1   Vlan100                v2/P   0      30     1      100.1.1.1
10.1.1.1    GigabitEthernet3/0/20  v2/P   0      30     1      10.1.1.1

Example: Manually Assigning an RP to Multicast Groups


This example shows how to configure the address of the RP to 147.106.6.22 for multicast group 225.2.2.2
only:

SwitchDevice(config)# access-list 1 permit 225.2.2.2 0.0.0.0
SwitchDevice(config)# ip pim rp-address 147.106.6.22 1

Example: Configuring Auto-RP


This example shows how to send RP announcements out all PIM-enabled interfaces for a maximum of 31
hops. The IP address of port 1 is the RP. Access list 5 describes the group for which this switch serves as RP:

SwitchDevice(config)# ip pim send-rp-announce gigabitethernet1/0/1 scope 31 group-list 5
SwitchDevice(config)# access-list 5 permit 224.0.0.0 15.255.255.255

Example: Defining the IP Multicast Boundary to Deny Auto-RP Information


This example shows a portion of an IP multicast boundary configuration that denies Auto-RP information:

SwitchDevice(config)# access-list 1 deny 224.0.1.39
SwitchDevice(config)# access-list 1 deny 224.0.1.40
SwitchDevice(config)# access-list 1 permit all
SwitchDevice(config)# interface gigabitethernet1/0/1
SwitchDevice(config-if)# ip multicast boundary 1

Example: Filtering Incoming RP Announcement Messages


This example shows a sample configuration on an Auto-RP mapping agent that is used to prevent candidate
RP announcements from being accepted from unauthorized candidate RPs:

SwitchDevice(config)# ip pim rp-announce-filter rp-list 10 group-list 20
SwitchDevice(config)# access-list 10 permit host 172.16.5.1
SwitchDevice(config)# access-list 10 permit host 172.16.2.1
SwitchDevice(config)# access-list 20 deny 239.0.0.0 0.0.255.255
SwitchDevice(config)# access-list 20 permit 224.0.0.0 15.255.255.255

The mapping agent accepts candidate RP announcements from only two devices, 172.16.5.1 and 172.16.2.1.
The mapping agent accepts candidate RP announcements from these two devices only for multicast groups
that fall in the group range of 224.0.0.0 to 239.255.255.255. The mapping agent does not accept candidate
RP announcements from any other devices in the network. Furthermore, the mapping agent does not accept
candidate RP announcements from 172.16.5.1 or 172.16.2.1 if the announcements are for any groups in the
239.0.0.0 through 239.255.255.255 range. This range is the administratively scoped address range.
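The ACL logic behind this filter, and behind the multicast boundary example earlier, as an added Python model that is not part of the Cisco guide: it implements IOS standard-ACL wildcard matching (first matching entry wins, implicit deny at the end) and then applies it the way the rp-announce-filter rp-list/group-list pair and ip multicast boundary do. One simplification is assumed: announcements are checked one group address at a time rather than as a group prefix; the ACL lines are the guide's own and the announcements fed to them are constructed.

```python
import ipaddress
import re
from typing import Dict, List, Tuple

Ace = Tuple[str, int, int]  # (action, base address, wildcard mask), addresses as 32-bit ints
ACL_RE = re.compile(r"^access-list (?P<num>\d+) (?P<action>permit|deny) (?P<rest>.+)$")


def _ip(s: str) -> int:
    return int(ipaddress.IPv4Address(s))


def parse_acls(config: str) -> Dict[int, List[Ace]]:
    """Collect standard 'access-list' lines into {number: [entries in configured order]}."""
    acls: Dict[int, List[Ace]] = {}
    for raw in config.splitlines():
        m = ACL_RE.match(raw.strip())
        if not m:
            continue
        fields = m["rest"].split()
        if fields[0] in ("any", "all"):  # "all" is the spelling the guide's boundary example uses
            base, wild = 0, 0xFFFFFFFF
        elif fields[0] == "host":
            base, wild = _ip(fields[1]), 0
        else:  # "addr [wildcard]"; a bare address is a host entry
            base = _ip(fields[0])
            wild = _ip(fields[1]) if len(fields) > 1 else 0
        acls.setdefault(int(m["num"]), []).append((m["action"], base, wild))
    return acls


def acl_permits(acl: List[Ace], addr: str) -> bool:
    """First matching entry decides; an address that matches no entry hits the implicit deny."""
    a = _ip(addr)
    for action, base, wild in acl:
        # Wildcard semantics: a 0 bit must match the base address, a 1 bit is ignored.
        if (a | wild) == (base | wild):
            return action == "permit"
    return False


def announcement_accepted(acls, rp_list: int, group_list: int, rp: str, group: str) -> bool:
    """Model of 'ip pim rp-announce-filter rp-list X group-list Y' on a mapping agent, checked one
    group address at a time: the candidate RP must pass the rp-list and the group the group-list."""
    return acl_permits(acls[rp_list], rp) and acl_permits(acls[group_list], group)


def boundary_drops(acls, boundary_list: int, group: str) -> bool:
    """'ip multicast boundary N' drops packets for any group the list does not permit."""
    return not acl_permits(acls[boundary_list], group)


# The guide's own ACL lines: lists 10 and 20 from the RP announcement filter example,
# list 1 from the multicast boundary example (constructed config text, not a device dump).
CONFIG = """
access-list 10 permit host 172.16.5.1
access-list 10 permit host 172.16.2.1
access-list 20 deny 239.0.0.0 0.0.255.255
access-list 20 permit 224.0.0.0 15.255.255.255
access-list 1 deny 224.0.1.39
access-list 1 deny 224.0.1.40
access-list 1 permit all
"""
ACLS = parse_acls(CONFIG)
```

Running the model against the guide's lines shows one detail worth checking on a real mapping agent: with the wildcard 0.0.255.255, the deny entry covers 239.0.0.0 to 239.0.255.255 only, so a group such as 239.5.0.1 still passes the filter. Covering the whole 239.0.0.0 to 239.255.255.255 range that the text describes takes the wildcard 0.255.255.255.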

Example: Preventing Join Messages to False RPs


If all interfaces are in sparse mode, use a default-configured RP to support the two well-known
groups 224.0.1.39 and 224.0.1.40. Auto-RP uses these two well-known groups to collect and distribute
RP-mapping information. When this is the case and the ip pim accept-rp auto-rp command is configured,
another ip pim accept-rp command accepting the RP must be configured as follows:

SwitchDevice(config)# ip pim accept-rp 172.10.20.1 1
SwitchDevice(config)# access-list 1 permit 224.0.1.39
SwitchDevice(config)# access-list 1 permit 224.0.1.40

Example: Configuring Candidate BSRs


This example shows how to configure a candidate BSR, which uses the IP address 172.21.24.18 on a port as
the advertised BSR address, uses 30 bits as the hash-mask-length, and has a priority of 10.

SwitchDevice(config)# interface gigabitethernet1/0/2
SwitchDevice(config-if)# ip address 172.21.24.18 255.255.255.0
SwitchDevice(config-if)# ip pim sparse-dense-mode
SwitchDevice(config-if)# ip pim bsr-candidate gigabitethernet1/0/2 30 10

Example: Configuring Candidate RPs


This example shows how to configure the switch to advertise itself as a candidate RP to the BSR in its PIM
domain. Standard access list number 4 specifies the group prefix associated with the RP that has the address
identified by a port. That RP is responsible for the groups with the prefix 239.

SwitchDevice(config)# ip pim rp-candidate gigabitethernet1/0/2 group-list 4
SwitchDevice(config)# access-list 4 permit 239.0.0.0 0.255.255.255

CHAPTER 42
Configuring HSRP Aware PIM
• HSRP Aware PIM, on page 1021

HSRP Aware PIM


This module describes how to configure the HSRP Aware PIM feature for enabling multicast traffic to be
forwarded through the Hot Standby Router Protocol (HSRP) active router (AR), allowing Protocol Independent
Multicast (PIM) to leverage HSRP redundancy, avoid potential duplicate traffic, and enable failover.

Finding Feature Information


Your software release may not support all the features documented in this module. For the latest caveats and
feature information, see Bug Search Tool and the release notes for your platform and software release. To
find information about the features documented in this module, and to see a list of the releases in which each
feature is supported, see the feature information table.
Use Cisco Feature Navigator to find information about platform support and Cisco software image support.
To access Cisco Feature Navigator, go to www.cisco.com/go/cfn. An account on Cisco.com is not required.

Restrictions for HSRP Aware PIM


• HSRP IPv6 is not supported.
• Stateful failover is not supported. During PIM stateless failover, the HSRP group's virtual IP address
transfers to the standby router but no mrouting state information is transferred. PIM listens and responds
to state change events and creates mroute states upon failover.
• The maximum number of HSRP groups that can be tracked by PIM on each interface is 16.
• The redundancy priority for a PIM DR must be greater than the configured or default value (1) of the
PIM DR priority on any device for which the same HSRP group is enabled or the HSRP Active will fail
to win the DR election.

Information About HSRP Aware PIM


HSRP
Hot Standby Router Protocol (HSRP) is a Cisco proprietary redundancy protocol for establishing a fault-tolerant
default gateway.
The protocol establishes a framework between network devices in order to achieve default gateway failover
if the primary gateway becomes inaccessible. By sharing an IP address and a MAC (Layer 2) address, two or
more devices can act as a single virtual router. The members of a virtual router group continually exchange
status messages and one device can assume the routing responsibility of another, should it go out of commission
for either planned or unplanned reasons. Hosts continue to forward IP packets to a consistent IP and MAC
address, and the changeover of devices doing the routing is transparent.
HSRP is useful for hosts that do not support a router discovery protocol and cannot switch to a new device
when their selected device reloads or loses power. Because existing TCP sessions can survive the failover,
this protocol also provides a more transparent recovery for hosts that dynamically choose a next hop for
routing IP traffic.
When HSRP is configured on a network segment, it provides a virtual MAC address and an IP address that
is shared among a group of devices running HSRP. The address of this HSRP group is referred to as the virtual
IP address. One of these devices is selected by the protocol to be the active router (AR). The AR receives and
routes packets destined for the MAC address of the group.
HSRP uses a priority mechanism to determine which HSRP configured device is to be the default AR. To
configure a device as the AR, you assign it a priority that is higher than the priority of all the other
HSRP-configured devices. The default priority is 100, so if you configure just one device to have a higher
priority, that device will be the default AR.
Devices that are running HSRP send and receive multicast User Datagram Protocol (UDP)-based hello
messages to detect device failure and to designate active and standby devices. When the AR fails to send a
hello message within a configurable period of time, the standby device with the highest priority becomes the
AR. The transition of packet forwarding functions between devices is completely transparent to all hosts on
the network.
You can configure multiple Hot Standby groups on an interface, thereby making fuller use of redundant
devices and load sharing.
HSRP is not a routing protocol as it does not advertise IP routes or affect the routing table in any way.
HSRP has the ability to trigger a failover if one or more interfaces on the device fail. This can be useful for
dual branch devices each with a single serial link back to the head end. If the serial link of the primary device
goes down, the backup device takes over the primary functionality and thus retains connectivity to the head
end.

HSRP Aware PIM


Protocol Independent Multicast (PIM) has no inherent redundancy capabilities and its operation is completely
independent of Hot Standby Router Protocol (HSRP) group states. As a result, IP multicast traffic is forwarded
not necessarily by the same device as is elected by HSRP. The HSRP Aware PIM feature provides consistent
IP multicast forwarding in a redundant network with virtual routing groups enabled.
HSRP Aware PIM enables multicast traffic to be forwarded through the HSRP active router (AR), allowing
PIM to leverage HSRP redundancy, avoid potential duplicate traffic, and enable failover, depending on the
HSRP states in the device. The PIM designated router (DR) runs on the same gateway as the HSRP AR and
maintains mroute states.
In a multiaccess segment (such as LAN), PIM DR election is unaware of the redundancy configuration, and
the elected DR and HSRP AR may not be the same router. In order to ensure that the PIM DR is always able
to forward PIM Join/Prune message towards RP or FHR, the HSRP AR becomes the PIM DR (if there is only
one HSRP group). PIM is responsible for adjusting DR priority based on the group state. When a failover
occurs, multicast states are created on the new AR elected by the HSRP group and the AR assumes responsibility
for the routing and forwarding of all the traffic addressed to the HSRP virtual IP address.
With HSRP Aware PIM enabled, PIM sends an additional PIM Hello message using the HSRP virtual IP
addresses as the source address for each active HSRP group when a device becomes HSRP Active. The PIM
Hello will carry a new GenID in order to trigger other routers to respond to the failover. When a downstream
device receives this PIM Hello, it will add the virtual address to its PIM neighbor list. The new GenID carried
in the PIM Hello will trigger downstream routers to resend PIM Join messages towards the virtual address.
Upstream routers will process PIM Join/Prunes (J/P) based on HSRP group state.
If the J/P destination matches the HSRP group virtual address and if the destination device is in HSRP active
state, the new AR processes the PIM Join because it is now the acting PIM DR. This allows all PIM Join/Prunes
to reach the HSRP group virtual address and minimizes changes and configurations at the downstream routers
side.
The IP routing service utilizes the existing virtual routing protocol to provide basic stateless failover services
to client applications, such as PIM. Changes in the local HSRP group state and standby router responsibility
are communicated to interested client applications. Client applications may build on top of IRS to provide
stateful or stateless failover. PIM, as an HSRP client, listens to the state change notifications from HSRP and
automatically adjusts the priority of the PIM DR based on the HSRP state. The PIM client also triggers
communication between upstream and downstream devices upon failover in order to create an mroute state
on the new AR.
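To make the DR election restriction listed earlier concrete, here is an added Python model (not part of the Cisco guide) of PIM DR election on one segment that carries an HSRP group. It assumes the election rule the text describes (highest DR priority wins, ties go to the highest IP address) and, as the restriction implies, that the HSRP AR uses its configured redundancy priority as its PIM DR priority while it is active; the router data is constructed.

```python
import ipaddress
from dataclasses import dataclass
from typing import List


@dataclass(frozen=True)
class PimRouter:
    ip: str
    dr_priority: int = 1       # PIM DR priority; 1 is the default the restriction refers to
    hsrp_active: bool = False  # True on the HSRP active router (AR) for the tracked group


def effective_dr_priority(r: PimRouter, redundancy_priority: int) -> int:
    """Assumption of this model: the HSRP AR advertises the configured redundancy priority
    as its PIM DR priority while active; every other router keeps its own PIM DR priority."""
    return redundancy_priority if r.hsrp_active else r.dr_priority


def elect_dr(routers: List[PimRouter], redundancy_priority: int) -> PimRouter:
    """PIM DR election on one segment: highest DR priority wins, ties go to the highest IP."""
    return max(routers, key=lambda r: (effective_dr_priority(r, redundancy_priority),
                                       int(ipaddress.IPv4Address(r.ip))))


def ar_wins_dr_election(routers: List[PimRouter], redundancy_priority: int) -> bool:
    """True when the HSRP AR is also the PIM DR, which is what HSRP Aware PIM relies on."""
    return elect_dr(routers, redundancy_priority).hsrp_active


# Constructed segment: the AR has the lower IP address, so IP-based tie-breaking works against it.
SEGMENT = [
    PimRouter("10.0.0.2", hsrp_active=True),
    PimRouter("10.0.0.3"),
]
```

With a redundancy priority equal to the default DR priority of 1 the tie is broken by IP address and the standby router becomes DR; raising the redundancy priority above every other router's DR priority is what lets the AR win.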

How to Configure HSRP Aware PIM


Configuring an HSRP Group on an Interface

Before you begin


• IP multicast must already be configured on the device.
• PIM must already be configured on the interface.

SUMMARY STEPS
1. enable
2. configure terminal
3. interface type number [name-tag]
4. ip address ip-address mask
5. standby [group-number] ip [ip-address [secondary]]
6. standby [group-number] timers [msec] hellotime [msec] holdtime
7. standby [group-number] priority priority
8. standby [group-number] name group-name
9. end
10. show standby [type number [group]] [all | brief]

Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(3)E (Catalyst 3560-CX and 2960-CX Switches)
1023

DETAILED STEPS

Step 1  enable
        Enables privileged EXEC mode. Enter your password if prompted.
        Example:
        Device> enable

Step 2  configure terminal
        Enters global configuration mode.
        Example:
        Device# configure terminal

Step 3  interface type number [name-tag]
        Specifies an interface to be configured and enters interface configuration mode.
        Example:
        Device(config)# interface ethernet 0/0

Step 4  ip address ip-address mask
        Sets a primary or secondary IP address for an interface.
        Example:
        Device(config-if)# ip address 10.0.0.2 255.255.255.0

Step 5  standby [group-number] ip [ip-address [secondary]]
        Activates HSRP and defines an HSRP group.
        Example:
        Device(config-if)# standby 1 ip 192.0.2.99

Step 6  standby [group-number] timers [msec] hellotime [msec] holdtime
        (Optional) Configures the time between hello packets and the time before other devices
        declare an HSRP active or standby router to be down.
        Example:
        Device(config-if)# standby 1 timers 5 15

Step 7  standby [group-number] priority priority
        (Optional) Assigns the HSRP priority used to select the HSRP active and standby routers.
        Example:
        Device(config-if)# standby 1 priority 120

Step 8  standby [group-number] name group-name
        (Optional) Defines a name for the HSRP group.
        Note: Always configure the standby name command for an HSRP group that is used for
        HSRP Aware PIM, because the ip pim redundancy command identifies the group by this name.
        Example:
        Device(config-if)# standby 1 name HSRP1

Step 9  end
        Returns to privileged EXEC mode.
        Example:
        Device(config-if)# end

Step 10 show standby [type number [group]] [all | brief]
        Displays HSRP group information for verifying the configuration.
        Example:
        Device# show standby

Configuring PIM Redundancy

Before you begin


The HSRP group must already be configured on the interface. See the “Configuring an HSRP Group on an
Interface” section.

SUMMARY STEPS
1. enable
2. configure terminal
3. interface type number [name-tag]
4. ip address ip-address mask
5. ip pim redundancy group dr-priority priority
6. end

DETAILED STEPS

Step 1  enable
        Enables privileged EXEC mode. Enter your password if prompted.
        Example:
        Device> enable

Step 2  configure terminal
        Enters global configuration mode.
        Example:
        Device# configure terminal

Step 3  interface type number [name-tag]
        Specifies an interface to be configured and enters interface configuration mode.
        Example:
        Device(config)# interface ethernet 0/0

Step 4  ip address ip-address mask
        Sets a primary or secondary IP address for an interface.
        Example:
        Device(config-if)# ip address 10.0.0.2 255.255.255.0

Step 5  ip pim redundancy group dr-priority priority
        Enables PIM redundancy and assigns a redundancy priority value to the active PIM
        designated router (DR).
        • HSRP group names are case sensitive, so the value of the group argument must match
          exactly the name configured with the standby name command.
        • The redundancy priority for a PIM DR must be greater than the configured or default
          value (1) of the PIM DR priority on every device on which the same HSRP group is
          enabled; otherwise a device that is not HSRP active can still win the DR election.
        Example:
        Device(config-if)# ip pim redundancy HSRP1 dr-priority 60

Step 6  end
        Returns to privileged EXEC mode.
        Example:
        Device(config-if)# end

Configuration Examples for HSRP Aware PIM


Example: Configuring an HSRP Group on an Interface

interface ethernet 0/0
 ip address 10.0.0.2 255.255.255.0
 standby 1 ip 192.0.2.99
 standby 1 timers 5 15
 standby 1 priority 120
 standby 1 name HSRP1
!

Example: Configuring PIM Redundancy

interface ethernet 0/0
 ip address 10.0.0.2 255.255.255.0
 ip pim redundancy HSRP1 dr-priority 60
!

CHAPTER 43
Configuring VRRP Aware PIM
• VRRP Aware PIM, on page 1027

VRRP Aware PIM


The Virtual Router Redundancy Protocol (VRRP) eliminates the single point of failure inherent in a static
default-routed environment. VRRP is an election protocol that dynamically assigns responsibility for one or
more virtual routers to the VRRP routers on a LAN, allowing several routers on a multi-access link to use
the same virtual IP address.
VRRP Aware PIM is a redundancy mechanism that lets Protocol Independent Multicast (PIM) interoperate
with VRRP. It allows PIM to track the VRRP state and to preserve multicast traffic upon failover in a redundant
network with virtual routing groups enabled.
This module explains how to configure VRRP Aware PIM in a network.

Finding Feature Information


Your software release may not support all the features documented in this module. For the latest caveats and
feature information, see Bug Search Tool and the release notes for your platform and software release. To
find information about the features documented in this module, and to see a list of the releases in which each
feature is supported, see the feature information table.
Use Cisco Feature Navigator to find information about platform support and Cisco software image support.
To access Cisco Feature Navigator, go to www.cisco.com/go/cfn. An account on Cisco.com is not required.

Restrictions for VRRP Aware PIM


• Only PIM sparse mode (SM) and source specific multicast (SSM) modes are supported. Bidirectional
(BiDir) PIM is not supported.
• PIM interoperability with Hot Standby Router Protocol (HSRP) IPv6 is not supported.
• PIM tracks only one virtual group, either Virtual Router Redundancy Protocol (VRRP) or HSRP, per
interface.
• VRRP Aware PIM is not supported on a transit network: an interface on which PIM redundancy is enabled
does not accept PIM Joins from downstream devices.


Information About VRRP Aware PIM


Overview of VRRP Aware PIM
Virtual Router Redundancy Protocol (VRRP) is a redundancy protocol for establishing a fault-tolerant default
gateway. The protocol establishes a framework between network devices in order to achieve default gateway
failover if the primary gateway becomes inaccessible.
Protocol Independent Multicast (PIM) has no inherent redundancy capabilities and its operation is completely
independent of VRRP group states. As a result, IP multicast traffic is forwarded not necessarily by the same
device as is elected by VRRP. The VRRP Aware PIM feature provides consistent IP multicast forwarding in
a redundant network with virtual routing groups enabled.
In a multi-access segment (such as a LAN), PIM designated router (DR) election is unaware of the redundancy
configuration, so the elected DR and the VRRP master router (MR) may not be the same router. To ensure
that the PIM DR is always able to forward PIM Join/Prune messages towards the RP or the first-hop router
(FHR), the VRRP MR becomes the PIM DR (if there is only one VRRP group). PIM is responsible for adjusting
the DR priority based on the group state. When a failover occurs, multicast states are created on the new MR
elected by the VRRP group, and the MR assumes responsibility for routing and forwarding all traffic addressed
to the VRRP virtual IP address. This ensures that the PIM DR runs on the same gateway as the VRRP MR and
maintains mroute states. Multicast traffic is therefore forwarded through the VRRP MR, which allows PIM to
leverage VRRP redundancy, avoid potential duplicate traffic, and fail over according to the VRRP state of
the device.
Virtual Router Redundancy Service (VRRS) provides public APIs for a client to communicate with VRRP.
VRRP Aware PIM is a feature of VRRS that supports VRRPv3 (unified VRRP) in both IPv4 and IPv6.
PIM, as a VRRS client, uses the VRRS client API to obtain generic First Hop Redundancy Protocol (FHRP)
state and configuration information in order to provide multicast redundancy functionalities.
PIM performs the following as a VRRS client:
• Listens to state change and update notifications from the VRRS server (that is, VRRP).
• Automatically adjusts the PIM DR priority based on the VRRP state.
• Upon VRRP failover, receives a state change notification from VRRS for the tracked VRRP group and
ensures that traffic is forwarded through the VRRP MR.

How to Configure VRRP Aware PIM


Configuring VRRP Aware PIM

SUMMARY STEPS
1. enable
2. configure terminal
3. fhrp version vrrp version
4. interface type number
5. ip address ip-address mask
6. vrrp group id address-family ipv4
7. vrrs leader group name
8. vrrp group id ip ip address
9. exit
10. interface type number
11. ip pim redundancy group name vrrp dr-priority priority-value
12. end

DETAILED STEPS

Step 1  enable
        Enables privileged EXEC mode. Enter your password if prompted.
        Example:
        Device> enable

Step 2  configure terminal
        Enters global configuration mode.
        Example:
        Device# configure terminal

Step 3  fhrp version vrrp version
        Enables the ability to configure VRRPv3 and VRRS.
        Example:
        Device(config)# fhrp version vrrp v3

Step 4  interface type number
        Specifies an interface to be configured and enters interface configuration mode.
        Example:
        Device(config)# interface Ethernet0/0

Step 5  ip address ip-address mask
        Sets the IP address of the interface on which the VRRP group runs. The subnet mask is
        required.
        Example:
        Device(config-if)# ip address 192.0.2.2 255.255.255.0

Step 6  vrrp group id address-family ipv4
        Creates a VRRP group and enters VRRP configuration mode.
        Example:
        Device(config-if)# vrrp 1 address-family ipv4

Step 7  vrrs leader group name
        Registers a leader name for the VRRP group with VRRS. PIM redundancy, a VRRS client,
        tracks the group by this name, so the group argument of the ip pim redundancy command
        must match it.
        Example:
        Device(config-if-vrrp)# vrrs leader VRRP1

Step 8  vrrp group id ip ip address
        Sets the virtual IP address of the VRRP group. If the parser does not accept this form
        in VRRP configuration mode, use the address ip-address [primary | secondary] command,
        which is the VRRPv3 syntax for the virtual address.
        Example:
        Device(config-if-vrrp)# vrrp 1 ip 10.1.6.1

Step 9  exit
        Exits VRRP configuration mode and returns to interface configuration mode.
        Example:
        Device(config-if-vrrp)# exit

Step 10 interface type number
        Specifies an interface to be configured and enters interface configuration mode.
        Example:
        Device(config)# interface Ethernet0/0

Step 11 ip pim redundancy group name vrrp dr-priority priority-value
        Enables PIM redundancy for the VRRP group and sets the priority with which the router is
        elected as the designated router (DR). Configure the same dr-priority value on all
        routers on which VRRP Aware PIM is enabled.
        Example:
        Device(config-if)# ip pim redundancy VRRP1 vrrp dr-priority 90

Step 12 end
        Exits interface configuration mode and returns to privileged EXEC mode.
        Example:
        Device(config-if)# end

Configuration Examples for VRRP Aware PIM


Example: VRRP Aware PIM

configure terminal
fhrp version vrrp v3
interface Ethernet0/0
 ip address 192.0.2.2 255.255.255.0
 vrrp 1 address-family ipv4
  vrrp 1 ip 10.1.6.1
  vrrs leader VRRP1
 exit
interface Ethernet0/0
 ip pim redundancy VRRP1 vrrp dr-priority 90
!
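The following Python model is an example added here to illustrate both the HSRP Aware PIM and the VRRP Aware PIM sections; it is not Cisco code and not part of this guide. It applies the election rules the guide states (the FHRP active or master router is the one with the highest priority, highest interface IP on a tie; the PIM DR is the router with the highest DR priority, highest interface IP on a tie) and checks the two configuration rules for ip pim redundancy (case-sensitive group name, redundancy dr-priority greater than every member's PIM DR priority). How the feature changes the advertised DR priority is an assumption made for the model: the router whose tracked group is active advertises its configured redundancy dr-priority, every other router advertises its ordinary ip pim dr-priority (default 1). Router names, addresses and priorities are constructed from the guide's examples.

```python
"""Model of how HSRP/VRRP Aware PIM keeps the PIM DR on the FHRP active router.

Added example, not Cisco code. See the lead-in for the election rules and the
assumption about how the redundancy dr-priority is advertised.
"""
from dataclasses import dataclass
from ipaddress import IPv4Address
from typing import List, Optional


@dataclass
class Router:
    name: str
    ip: str                                  # address on the shared LAN
    fhrp_group: Optional[str] = None         # standby / vrrs leader group name
    fhrp_priority: int = 100                 # standby / vrrp priority
    pim_dr_priority: int = 1                 # ip pim dr-priority (default 1)
    redundancy_group: Optional[str] = None   # group named in ip pim redundancy
    redundancy_dr_priority: int = 0          # dr-priority given to that command
    up: bool = True


def fhrp_active(routers: List[Router], group: str) -> Optional[Router]:
    """Router currently HSRP active / VRRP master for `group`, or None."""
    members = [r for r in routers if r.up and r.fhrp_group == group]
    if not members:
        return None
    return max(members, key=lambda r: (r.fhrp_priority, IPv4Address(r.ip)))


def advertised_dr_priority(r: Router, active: Optional[Router]) -> int:
    """DR priority the router puts in its PIM Hello (modelling assumption)."""
    if active is r and r.redundancy_group == r.fhrp_group:
        return r.redundancy_dr_priority
    return r.pim_dr_priority


def pim_dr(routers: List[Router], group: str, aware: bool = True) -> Router:
    """Elect the PIM DR on the LAN; with aware=False the FHRP state is ignored."""
    active = fhrp_active(routers, group) if aware else None
    live = [r for r in routers if r.up]
    return max(live, key=lambda r: (advertised_dr_priority(r, active),
                                    IPv4Address(r.ip)))


def check_redundancy_config(routers: List[Router], group: str) -> List[str]:
    """Apply the guide's two rules for ip pim redundancy; return the violations."""
    problems = []
    members = [r for r in routers if r.fhrp_group == group]
    highest_plain = max((m.pim_dr_priority for m in members), default=1)
    for r in members:
        if r.redundancy_group is None:
            continue
        if r.redundancy_group != group:          # group names are case sensitive
            problems.append(f"{r.name}: redundancy group {r.redundancy_group!r} "
                            f"does not match FHRP group {group!r}")
        elif r.redundancy_dr_priority <= highest_plain:
            problems.append(f"{r.name}: redundancy dr-priority "
                            f"{r.redundancy_dr_priority} must exceed the highest "
                            f"PIM DR priority in the group ({highest_plain})")
    return problems


def demo():
    """Two-router LAN built from the HSRP example: R1 (priority 120) and a peer R2."""
    lan = [
        Router("R1", "10.0.0.2", fhrp_group="HSRP1", fhrp_priority=120,
               redundancy_group="HSRP1", redundancy_dr_priority=60),
        Router("R2", "10.0.0.3", fhrp_group="HSRP1", fhrp_priority=100,
               redundancy_group="HSRP1", redundancy_dr_priority=60),
    ]
    plain = pim_dr(lan, "HSRP1", aware=False).name   # tie at priority 1: higher IP wins
    aware = pim_dr(lan, "HSRP1", aware=True).name    # DR follows the HSRP active router
    lan[0].up = False                                # R1 fails
    after = pim_dr(lan, "HSRP1", aware=True).name    # the new AR takes the DR role too
    return plain, aware, after


if __name__ == "__main__":
    print(demo())
    bad = [Router("R1", "10.0.0.2", fhrp_group="HSRP1", redundancy_group="hsrp1",
                  redundancy_dr_priority=60),
           Router("R2", "10.0.0.3", fhrp_group="HSRP1", redundancy_group="HSRP1",
                  redundancy_dr_priority=1)]
    print(check_redundancy_config(bad, "HSRP1"))
```

demo() returns ("R2", "R1", "R2"): without the feature the DR lands on R2 although R1 is HSRP active, with it the DR is R1, and after R1 fails R2 becomes both active router and DR. The second call shows the two misconfigurations the guide warns about being caught.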

CHAPTER 44
Configuring Basic IP Multicast Routing
• Finding Feature Information, on page 1031
• Prerequisites for Basic IP Multicast Routing, on page 1031
• Restrictions for Basic IP Multicast Routing, on page 1032
• Information About Basic IP Multicast Routing, on page 1032
• How to Configure Basic IP Multicast Routing, on page 1033
• Monitoring and Maintaining Basic IP Multicast Routing, on page 1040

Finding Feature Information


Your software release may not support all the features documented in this module. For the latest caveats and
feature information, see Bug Search Tool and the release notes for your platform and software release. To
find information about the features documented in this module, and to see a list of the releases in which each
feature is supported, see the feature information table.
Use Cisco Feature Navigator to find information about platform support and Cisco software image support.
To access Cisco Feature Navigator, go to www.cisco.com/go/cfn. An account on Cisco.com is not required.

Prerequisites for Basic IP Multicast Routing


The following are the prerequisites for configuring basic IP multicast routing:

• You must configure the PIM version and the PIM mode in order to perform IP multicast routing. The
switch populates its multicast routing table and forwards multicast packets it receives from its directly
connected LANs according to the mode setting. You can configure an interface to be in PIM dense
mode, sparse mode, or sparse-dense mode.
• Enabling PIM on an interface also enables IGMP operation on that interface. (To participate in IP
multicasting, the multicast hosts, routers, and multilayer device must have IGMP operating.)
If you enable PIM on multiple interfaces, most of which are not on the outgoing interface list, and IGMP
snooping is disabled, the outgoing interface might not be able to sustain line rate for multicast traffic
because of the extra replication.

Related Topics
Configuring Basic IP Multicast Routing, on page 1033
Information About Basic IP Multicast Routing, on page 1032

Restrictions for Basic IP Multicast Routing


The following are the restrictions for IP multicast routing:
• IP Multicast routing is supported only on Catalyst 3560-CX switches.

Information About Basic IP Multicast Routing


IP multicasting is an efficient way to use network resources, especially for bandwidth-intensive services such
as audio and video. IP multicast routing enables a host (source) to send packets to a group of hosts (receivers)
anywhere within the IP network by using a special form of IP address called the IP multicast group address.
The sending host inserts the multicast group address into the IP destination address field of the packet, and
IP multicast routers and multilayer switches forward incoming IP multicast packets out all interfaces that lead
to members of the multicast group. Any host, regardless of whether it is a member of a group, can send to a
group. However, only the members of a group receive the message.
Related Topics
Configuring Basic IP Multicast Routing, on page 1033
Default IP Multicast Routing Configuration, on page 1032
Prerequisites for Basic IP Multicast Routing, on page 1031

Default IP Multicast Routing Configuration


This table displays the default IP multicast routing configuration.

Table 112: Default IP Multicast Routing Configuration

Feature                              Default Setting
Multicast routing                    Disabled on all interfaces.
PIM version                          Version 2.
PIM mode                             No mode is defined.
PIM stub routing                     None configured.
PIM RP address                       None configured.
PIM domain border                    Disabled.
PIM multicast boundary               None.
Candidate BSRs                       Disabled.
Candidate RPs                        Disabled.
Shortest-path tree threshold rate    0 kb/s.
PIM router query message interval    30 seconds.

Related Topics
Configuring Basic IP Multicast Routing, on page 1033
Information About Basic IP Multicast Routing, on page 1032

sdr Listener Support


The MBONE is the small subset of Internet routers and hosts that are interconnected and capable of forwarding
IP multicast traffic. Multimedia content is often broadcast over the MBONE. Before you can join a multimedia
session, you need to know which multicast group address and port the session uses, when the session is
active, and which applications (audio, video, and so on) your workstation needs. The MBONE Session Directory
Version 2 (sdr) tool provides this information. This freeware application can be downloaded from several sites
on the World Wide Web, one of which is http://www.video.ja.net/mice/index.html.
sdr is a multicast application that listens on a well-known multicast group address and port for Session
Announcement Protocol (SAP) packets from SAP clients, which announce their conference sessions. Each SAP
packet contains a session description: the time the session is active, its IP multicast group addresses, the media
format, a contact person, and other information about the advertised multimedia session. The information in
the SAP packet is displayed in the sdr Session Announcement window. SAP announcements carry no
authentication by default, so treat their contents as untrusted input.

How to Configure Basic IP Multicast Routing


Configuring Basic IP Multicast Routing
By default, multicast routing is disabled, and there is no default mode setting.
This procedure is required.

Before you begin


You must configure the PIM version and the PIM mode. The switch populates its multicast routing table and
forwards multicast packets it receives from its directly connected LANs according to the mode setting.
In populating the multicast routing table, dense-mode interfaces are always added to the table. Sparse-mode
interfaces are added to the table only when periodic join messages are received from downstream devices or
when there is a directly connected member on the interface. When forwarding from a LAN, sparse-mode
operation occurs if there is an RP known for the group. If so, the packets are encapsulated and sent toward
the RP. When no RP is known, the packet is flooded in a dense-mode fashion. If the multicast traffic from a
specific source is sufficient, the receiver’s first-hop router might send join messages toward the source to
build a source-based distribution tree.

SUMMARY STEPS
1. enable
2. configure terminal
3. interface interface-id
4. ip pim {dense-mode | sparse-mode | sparse-dense-mode}
5. end
6. show running-config
7. copy running-config startup-config

DETAILED STEPS

Step 1  enable
        Enables privileged EXEC mode. Enter your password if prompted.
        Example:
        Device> enable

Step 2  configure terminal
        Enters global configuration mode.
        Example:
        Device# configure terminal

Step 3  interface interface-id
        Specifies the Layer 3 interface on which you want to enable multicast routing, and enters
        interface configuration mode. The interface must have an IP address assigned and must be
        one of the following:
        • A routed port: a physical port configured as a Layer 3 port with the no switchport
          interface configuration command. You also need to enable PIM sparse-dense mode on the
          interface and join the interface to an IGMP static group as a statically connected
          member.
        • An SVI: a VLAN interface created with the interface vlan vlan-id global configuration
          command. You also need to enable PIM sparse-dense mode on the VLAN, join the VLAN to
          an IGMP static group as a statically connected member, and then enable IGMP snooping
          on the VLAN, the IGMP static group, and the physical interface.
        Example:
        Device(config)# interface gigabitethernet 1/0/1

Step 4  ip pim {dense-mode | sparse-mode | sparse-dense-mode}
        Enables a PIM mode on the interface. By default, no mode is configured. The keywords
        have these meanings:
        • dense-mode: enables dense mode of operation.
        • sparse-mode: enables sparse mode of operation. If you configure sparse mode, you must
          also configure an RP.
        • sparse-dense-mode: treats the interface in the mode to which the group belongs.
          Sparse-dense mode is the recommended setting.
        Note: To disable PIM on an interface, use the no ip pim interface configuration command.
        Example:
        Device(config-if)# ip pim sparse-dense-mode

Step 5  end
        Returns to privileged EXEC mode.
        Example:
        Device(config-if)# end

Step 6  show running-config
        Verifies your entries.
        Example:
        Device# show running-config

Step 7  copy running-config startup-config
        (Optional) Saves your entries in the configuration file.
        Example:
        Device# copy running-config startup-config

Related Topics
Information About Basic IP Multicast Routing, on page 1032
Default IP Multicast Routing Configuration, on page 1032
Prerequisites for Basic IP Multicast Routing, on page 1031

Configuring Optional IP Multicast Routing Features


Defining the IP Multicast Boundary
You define a multicast boundary to prevent Auto-RP messages from entering the PIM domain. You create
an access list that denies packets destined for 224.0.1.39 and 224.0.1.40, which carry Auto-RP information.
A standard access list ends with an implicit deny for everything, and the boundary passes only the groups
that the list permits, so a list that contains only these two deny statements blocks every multicast group at
the interface. To block only Auto-RP, add a permit entry that covers the rest of the multicast range (for
example, access-list 12 permit 224.0.0.0 15.255.255.255) after the deny entries.
This procedure is optional.

SUMMARY STEPS
1. enable
2. configure terminal
3. access-list access-list-number deny source [source-wildcard]
4. interface interface-id
5. ip multicast boundary access-list-number
6. end
7. show running-config
8. copy running-config startup-config

DETAILED STEPS

Step 1  enable
        Enables privileged EXEC mode. Enter your password if prompted.
        Example:
        Device> enable

Step 2  configure terminal
        Enters global configuration mode.
        Example:
        Device# configure terminal

Step 3  access-list access-list-number deny source [source-wildcard]
        Creates a standard access list, repeating the command as many times as necessary.
        • For access-list-number, the range is 1 to 99.
        • The deny keyword denies access if the conditions are matched.
        • For source, enter the multicast addresses 224.0.1.39 and 224.0.1.40, which carry
          Auto-RP information.
        • (Optional) For source-wildcard, enter the wildcard bits in dotted decimal notation to
          be applied to the source. Place ones in the bit positions that you want to ignore.
        The access list is always terminated by an implicit deny statement for everything.
        Example:
        Device(config)# access-list 12 deny 224.0.1.39
        Device(config)# access-list 12 deny 224.0.1.40

Step 4  interface interface-id
        Specifies the interface to be configured, and enters interface configuration mode.
        Example:
        Device(config)# interface gigabitethernet 1/0/1

Step 5  ip multicast boundary access-list-number
        Configures the boundary, specifying the access list you created in Step 3.
        Example:
        Device(config-if)# ip multicast boundary 12

Step 6  end
        Returns to privileged EXEC mode.
        Example:
        Device(config-if)# end

Step 7  show running-config
        Verifies your entries.
        Example:
        Device# show running-config

Step 8  copy running-config startup-config
        (Optional) Saves your entries in the configuration file.
        Example:
        Device# copy running-config startup-config
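The following Python program is an example added here to show how the access list from this procedure is evaluated at a multicast boundary; it is not Cisco code and not part of this guide. It implements standard-ACL matching (wildcard bits set to 1 are ignored, first match wins, implicit deny at the end) and applies the boundary rule that only permitted groups cross. The list AUTORP_ONLY is the one from Step 3; AUTORP_ONLY_WITH_PERMIT adds a permit entry for the rest of 224.0.0.0/4, which is this example's addition, not part of the procedure. The probe groups are constructed.

```python
"""Evaluate an IOS standard access list the way ip multicast boundary does.

Added example, not Cisco code. A list made only of deny entries matches
nothing with "permit", so every group falls through to the implicit deny.
"""
from ipaddress import IPv4Address
from typing import Dict, List, Tuple

# (action, address, wildcard), addresses as integers for the bit arithmetic
Entry = Tuple[str, int, int]

# The list from the procedure: deny entries only.
AUTORP_ONLY = [
    "access-list 12 deny 224.0.1.39",
    "access-list 12 deny 224.0.1.40",
]
# Same list with a trailing permit for the rest of the multicast range
# (an addition made by this example; the procedure does not include it).
AUTORP_ONLY_WITH_PERMIT = AUTORP_ONLY + [
    "access-list 12 permit 224.0.0.0 15.255.255.255",
]


def parse_acl(lines: List[str]) -> List[Entry]:
    """Parse 'access-list N {permit|deny} A.B.C.D [wildcard]' lines in order."""
    entries: List[Entry] = []
    for line in lines:
        parts = line.split()
        if (len(parts) < 4 or parts[0] != "access-list"
                or parts[2] not in ("permit", "deny")):
            raise ValueError(f"not a standard access-list line: {line!r}")
        if not 1 <= int(parts[1]) <= 99:
            raise ValueError(f"standard ACL numbers are 1 to 99: {line!r}")
        address = int(IPv4Address(parts[3]))
        # no wildcard given means 0.0.0.0, that is, an exact host match
        wildcard = int(IPv4Address(parts[4])) if len(parts) > 4 else 0
        entries.append((parts[2], address, wildcard))
    return entries


def acl_permits(entries: List[Entry], group: str) -> bool:
    """First matching entry decides; no match falls through to the implicit deny."""
    g = int(IPv4Address(group))
    for action, address, wildcard in entries:
        care = 0xFFFFFFFF ^ wildcard          # bit positions that must match
        if (g & care) == (address & care):
            return action == "permit"
    return False


def boundary_drops(acl_lines: List[str], group: str) -> bool:
    """True when an interface with 'ip multicast boundary <acl>' drops `group`."""
    return not acl_permits(parse_acl(acl_lines), group)


def report(acl_lines: List[str], groups: List[str]) -> Dict[str, str]:
    """Map each probe group to 'dropped' or 'passed' for the given list."""
    return {g: ("dropped" if boundary_drops(acl_lines, g) else "passed")
            for g in groups}


if __name__ == "__main__":
    probe = ["224.0.1.39", "224.0.1.40", "239.1.1.1", "224.2.197.250"]   # constructed
    print("deny-only list:", report(AUTORP_ONLY, probe))
    print("with permit   :", report(AUTORP_ONLY_WITH_PERMIT, probe))
```

With the deny-only list every probe group is dropped, including the ordinary application groups; with the added permit entry only the two Auto-RP groups are dropped, which is the intended boundary.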

Configuring Multicast VRFs


For complete syntax and usage information for the commands, see the switch command reference for this
release and the Cisco IOS IP Multicast Command Reference.
For more information about configuring multicast within a Multi-VRF CE, see the IP Routing:
Protocol-Independent Configuration Guide, Cisco IOS Release 15S.

Procedure

Step 1  configure terminal
        Enters global configuration mode.
        Example:
        Device# configure terminal

Step 2  ip routing
        Enables IP routing.
        Example:
        Device(config)# ip routing

Step 3  ip vrf vrf-name
        Names the VRF and enters VRF configuration mode.
        Example:
        Device(config)# ip vrf vpn1

Step 4  rd route-distinguisher
        Creates a VRF table by specifying a route distinguisher. Enter either an AS number and an
        arbitrary number (xxx:y) or an IP address and an arbitrary number (A.B.C.D:y).
        Example:
        Device(config-vrf)# rd 100:2

Step 5  route-target {export | import | both} route-target-ext-community
        Creates a list of import, export, or import and export route target communities for the
        specified VRF. Enter either an AS number and an arbitrary number (xxx:y) or an IP address
        and an arbitrary number (A.B.C.D:y). The route-target-ext-community should be the same
        as the route-distinguisher entered in Step 4.
        Example:
        Device(config-vrf)# route-target import 100:2

Step 6  import map route-map
        (Optional) Associates a route map with the VRF.
        Example:
        Device(config-vrf)# import map importmap1

Step 7  ip multicast-routing vrf vrf-name distributed
        (Optional) Enables multicast routing for the VRF table. This is a global configuration
        command.
        Example:
        Device(config-vrf)# ip multicast-routing vrf vpn1 distributed

Step 8  interface interface-id
        Specifies the Layer 3 interface to be associated with the VRF, and enters interface
        configuration mode. The interface can be a routed port or an SVI.
        Example:
        Device(config-vrf)# interface gigabitethernet 1/0/2

Step 9  ip vrf forwarding vrf-name
        Associates the VRF with the Layer 3 interface.
        Example:
        Device(config-if)# ip vrf forwarding vpn1

Step 10 ip address ip-address mask
        Configures the IP address for the Layer 3 interface.
        Example:
        Device(config-if)# ip address 10.1.5.1 255.255.255.0

Step 11 ip pim sparse-dense-mode
        Enables PIM on the VRF-associated Layer 3 interface.
        Example:
        Device(config-if)# ip pim sparse-dense-mode

Step 12 end
        Returns to privileged EXEC mode.
        Example:
        Device(config-if)# end

Step 13 show ip vrf [brief | detail | interfaces] [vrf-name]
        Verifies the configuration by displaying information about the configured VRFs.
        Example:
        Device# show ip vrf detail vpn1

Step 14 copy running-config startup-config
        (Optional) Saves your entries in the configuration file.
        Example:
        Device# copy running-config startup-config

Advertising Multicast Multimedia Sessions Using SAP Listener


Enable SAP listener support when you want to use session description and announcement protocols and
applications to assist the advertisement of multicast multimedia conferences and other multicast sessions and
to communicate the relevant session setup information to prospective participants.

SUMMARY STEPS
1. enable
2. configure terminal
3. ip sap cache-timeout minutes
4. interface type number
5. ip sap listen
6. end
7. clear ip sap [group-address | “ session-name ”]
8. show ip sap [group-address | “ session-name ”| detail]

DETAILED STEPS

Step 1  enable
        Enables privileged EXEC mode. Enter your password if prompted.
        Example:
        Device> enable

Step 2  configure terminal
        Enters global configuration mode.
        Example:
        Device# configure terminal

Step 3  ip sap cache-timeout minutes
        (Optional) Limits how long a SAP cache entry stays active in the cache. By default, SAP
        cache entries are deleted 24 hours after they are received from the network.
        Example:
        Device(config)# ip sap cache-timeout 600

Step 4  interface type number
        Specifies the interface on which the device listens for SAP announcements, and enters
        interface configuration mode.
        Example:
        Device(config)# interface ethernet 1

Step 5  ip sap listen
        Enables the software to listen to session directory announcements.
        Example:
        Device(config-if)# ip sap listen

Step 6  end
        Returns to privileged EXEC mode.
        Example:
        Device(config-if)# end

Step 7  clear ip sap [group-address | "session-name"]
        Deletes a SAP cache entry or the entire SAP cache.
        Example:
        Device# clear ip sap "Sample Session"

Step 8  show ip sap [group-address | "session-name" | detail]
        (Optional) Displays the SAP cache.
        Example:
        Device# show ip sap 224.2.197.250 detail
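The following Python parser is an example added here to show what a SAP listener such as ip sap listen actually receives; it is not Cisco code and not part of this guide. It decodes the Session Announcement Protocol packet layout from RFC 2974 (version, address type, deletion, encryption and compression flags, authentication length, message ID hash, originating source, optional MIME payload type, SDP payload) and extracts the session name, multicast group and active times that the SAP cache displays. The packet built by build_sample() is constructed for this example; it announces a session on 224.2.197.250, the group used in the show ip sap example above. Because SAP announcements are unauthenticated, every length is bounds-checked and encrypted or compressed payloads are rejected instead of guessed at.

```python
"""Parse a Session Announcement Protocol (SAP, RFC 2974) packet.

Added example, not Cisco code. Header layout (first byte, MSB first):
V(3 bits)=1, A (address type), R (reserved), T (deletion), E (encrypted),
C (compressed); then auth length (32-bit words), message ID hash, originating
source, optional authentication data, optional NUL-terminated payload type,
and the payload, normally an SDP description.
"""
import struct
from dataclasses import dataclass, field
from ipaddress import IPv4Address, IPv6Address
from typing import Dict, List, Optional, Tuple

SAP_GROUP, SAP_PORT = "224.2.127.254", 9875   # well-known global-scope SAP address


@dataclass
class SapAnnouncement:
    deletion: bool                 # T bit: 0 = announcement, 1 = deletion
    origin: str                    # originating source address
    msg_id_hash: int
    payload_type: str
    sdp: Dict[str, List[str]] = field(default_factory=dict)   # SDP type -> values

    @property
    def session_name(self) -> Optional[str]:
        return self.sdp.get("s", [None])[0]

    @property
    def groups(self) -> List[str]:
        """Multicast group(s) from c= lines, without the /TTL suffix."""
        return [c.split()[2].split("/")[0] for c in self.sdp.get("c", [])]

    @property
    def times(self) -> Optional[Tuple[int, int]]:
        """(start, stop) of the first t= line, in NTP seconds."""
        t = self.sdp.get("t")
        if not t:
            return None
        start, stop = t[0].split()[:2]
        return int(start), int(stop)


def parse_sap(packet: bytes) -> SapAnnouncement:
    if len(packet) < 4:
        raise ValueError("truncated SAP header")
    flags, auth_len, msg_id_hash = struct.unpack("!BBH", packet[:4])
    if flags >> 5 != 1:
        raise ValueError(f"unsupported SAP version {flags >> 5}")
    ipv6 = bool(flags & 0x10)          # A bit
    deletion = bool(flags & 0x04)      # T bit
    if flags & 0x03:                   # E or C bit
        raise ValueError("encrypted or compressed SAP payload not handled")
    pos, addr_len = 4, (16 if ipv6 else 4)
    if len(packet) < pos + addr_len:
        raise ValueError("truncated originating source")
    origin = (IPv6Address if ipv6 else IPv4Address)(packet[pos:pos + addr_len])
    pos += addr_len + auth_len * 4     # authentication data is skipped, not verified
    if pos > len(packet):
        raise ValueError("authentication length exceeds packet")
    body = packet[pos:]
    if body.startswith(b"v="):         # payload type absent: SDP starts immediately
        payload_type, payload = "application/sdp", body
    else:
        nul = body.find(b"\x00")
        if nul < 0:
            raise ValueError("unterminated payload type")
        payload_type = body[:nul].decode("ascii", "replace")
        payload = body[nul + 1:]
    sdp: Dict[str, List[str]] = {}
    for line in payload.decode("utf-8", "replace").splitlines():
        if len(line) >= 2 and line[1] == "=":
            sdp.setdefault(line[0], []).append(line[2:])
    return SapAnnouncement(deletion, str(origin), msg_id_hash, payload_type, sdp)


def build_sample() -> bytes:
    """Constructed announcement of a session on 224.2.197.250 from 192.0.2.10."""
    sdp = ("v=0\r\n"
           "o=alice 2890844526 2890842807 IN IP4 192.0.2.10\r\n"
           "s=Sample Session\r\n"
           "c=IN IP4 224.2.197.250/127\r\n"
           "t=3724000000 3724003600\r\n"
           "m=audio 49170 RTP/AVP 0\r\n")
    header = struct.pack("!BBH", 0x20, 0, 0x1234) + IPv4Address("192.0.2.10").packed
    return header + b"application/sdp\x00" + sdp.encode()


if __name__ == "__main__":
    ann = parse_sap(build_sample())
    print(ann.session_name, ann.groups, ann.times, ann.origin, ann.deletion)
```

The fields this returns (session name, group, active window, announcing source) are the ones a SAP cache keys on, which is why clear ip sap and show ip sap accept either a group address or a quoted session name.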

Monitoring and Maintaining Basic IP Multicast Routing


Clearing Caches, Tables, and Databases
You can remove all contents of a particular cache, table, or database. Clearing a cache, table, or database
might be necessary when its contents are, or are suspected to be, invalid.
You can use any of the privileged EXEC commands in the following table to clear IP multicast caches, tables,
and databases.

Table 113: Commands for Clearing Caches, Tables, and Databases

clear ip igmp group {group [hostname | IP address] | vrf name group [hostname | IP address]}
    Deletes entries from the IGMP cache.

clear ip mroute {* | [hostname | IP address] | vrf name group [hostname | IP address]}
    Deletes entries from the IP multicast routing table.

clear ip sap [group-address | "session-name"]
    Deletes the Session Directory Protocol Version 2 cache or an sdr cache entry.

Displaying System and Network Statistics


You can display specific statistics, such as the contents of IP routing tables, caches, and databases.

Note This release does not support per-route statistics.

You can display information to learn resource usage and solve network problems. You can also display
information about node reachability and discover the routing path that packets of your device are taking
through the network.
You can use any of the privileged EXEC commands in the following table to display various routing statistics.

Table 114: Commands for Displaying System and Network Statistics

Command Purpose

ping [group-name | group-address] Sends an ICMP Echo Request to a multicast group


address.

show ip igmp groups Displays the multicast groups that are directly
[group-name|group-address|type-number] connected to the switch and that were learned through
IGMP.

show ip igmp interface [type number] Displays multicast-related information about an


interface.

show ip mroute [group-name | group-address] Displays the contents of the IP multicast routing table.
[source] [ count | interface | proxy | pruned |
summary | verbose]

show ip pim interface [type number] [count | detail Displays information about interfaces configured for
| df | stats ] PIM. This command is available in all software
images.

Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(3)E (Catalyst 3560-CX and 2960-CX Switches)
1041
Multicast Routing
Displaying System and Network Statistics

Command Purpose

show ip pim neighbor [type number]
    Lists the PIM neighbors discovered by the switch. This command is available in all software images.

show ip pim rp [group-name | group-address]
    Displays the RP routers associated with a sparse-mode multicast group. This command is available in all software images.

show ip rpf {source-address | name}
    Displays how the switch is doing Reverse-Path Forwarding (that is, from the unicast routing table, DVMRP routing table, or static mroutes).
    Command parameters include:
    • Host name or IP address: IP name or group address.
    • Select: Group-based VRF select information.
    • vrf: Selects VPN Routing/Forwarding instance.

show ip sap [group | "session-name" | detail]
    Displays the Session Announcement Protocol (SAP) Version 2 cache.
    Command parameters include:
    • A.B.C.D: IP group address.
    • WORD: Session name (in double quotes).
    • detail: Session details.

CHAPTER 45
Configuring SSM
• Finding Feature Information, on page 1043
• Prerequisites for Configuring SSM, on page 1043
• Restrictions for Configuring SSM, on page 1044
• Information About SSM and SSM Mapping, on page 1045
• How to Configure SSM and SSM Mapping, on page 1050
• Monitoring SSM and SSM Mapping, on page 1059
• Configuration Examples for SSM and SSM Mapping, on page 1060

Finding Feature Information


Your software release may not support all the features documented in this module. For the latest caveats and
feature information, see Bug Search Tool and the release notes for your platform and software release. To
find information about the features documented in this module, and to see a list of the releases in which each
feature is supported, see the feature information table.
Use Cisco Feature Navigator to find information about platform support and Cisco software image support.
To access Cisco Feature Navigator, go to www.cisco.com/go/cfn. An account on Cisco.com is not required.

Prerequisites for Configuring SSM


The following are the prerequisites for configuring source-specific multicast (SSM) and SSM mapping:
• To use SSM and SSM mapping, you must enable the IP Services feature set on 3560-CX switches.
• Before you configure SSM mapping, you must perform the following tasks:
    • Enable IP multicast routing.
    • Enable PIM sparse mode.
    • Configure SSM.
• Before you configure static SSM mapping, you must configure access control lists (ACLs) that define
the group ranges to be mapped to source addresses.
• Before you can configure and use SSM mapping with DNS lookups, you need to add records to a running
DNS server. If you do not already have a DNS server running, you need to install one.


Note You can use a product such as Cisco Network Registrar to add records to a running
DNS server.

Restrictions for Configuring SSM


The following are the restrictions for configuring SSM:
• To run SSM with IGMPv3, SSM must be supported in the Cisco IOS router, the host where the application
is running, and the application itself.
• Existing applications in a network predating SSM will not work within the SSM range unless they are
modified to support (S, G) channel subscriptions. Therefore, enabling SSM in a network may cause
problems for existing applications if they use addresses within the designated SSM range.
• IGMP Snooping—IGMPv3 uses new membership report messages that might not be correctly recognized
by older IGMP snooping switches.
• Address management is still necessary to some degree when SSM is used with Layer 2 switching
mechanisms. Cisco Group Management Protocol (CGMP), IGMP snooping, or Router-Port Group
Management Protocol (RGMP) support only group-specific filtering, not (S, G) channel-specific filtering.
If different receivers in a switched network request different (S, G) channels sharing the same group,
they do not benefit from these existing mechanisms. Instead, both receivers receive all (S, G) channel
traffic and filter out the unwanted traffic on input. Because SSM can re-use the group addresses in the
SSM range for many independent applications, this situation can lead to decreased traffic filtering in a
switched network. For this reason, it is important to use random IP addresses from the SSM range for
an application to minimize the chance for re-use of a single address within the SSM range between
different applications. For example, an application service providing a set of television channels should,
even with SSM, use a different group for each television (S, G) channel. This setup guarantees that
multiple receivers to different channels within the same application service never experience traffic
aliasing in networks that include Layer 2 devices.
• In PIM-SSM, the last hop router will continue to periodically send (S, G) join messages if appropriate
(S, G) subscriptions are on the interfaces. Therefore, as long as receivers send (S, G) subscriptions, the
shortest path tree (SPT) state from the receivers to the source will be maintained, even if the source is
not sending traffic for longer periods of time (or even never).
The opposite situation occurs with PIM-SM, where (S, G) state is maintained only if the source is sending
traffic and receivers are joining the group. If a source stops sending traffic for more than 3 minutes in
PIM-SM, the (S, G) state is deleted and only reestablished after packets from the source arrive again
through the RPT (rendezvous point tree). Because no mechanism in PIM-SSM notifies a receiver that a
source is active, the network must maintain the (S, G) state in PIM-SSM as long as receivers are requesting
receipt of that channel.

The following are the restrictions for configuring SSM mapping:


• The SSM Mapping feature does not share the benefit of full SSM. SSM mapping takes a group G join
from a host and identifies this group with an application associated with one or more sources, therefore,
it can only support one such application per group G. Nevertheless, full SSM applications may still share
the same group also used in SSM mapping.


• Enable IGMPv3 with care on the last hop router when you rely solely on SSM mapping as a transition
solution for full SSM.

Information About SSM and SSM Mapping


SSM Components
SSM is a datagram delivery model that best supports one-to-many applications, also known as broadcast
applications.
SSM is a core networking technology for Cisco's implementation of IP multicast solutions targeted for audio
and video broadcast application environments and is described in RFC 3569. The following components
together support the implementation of SSM:
• Protocol Independent Multicast source-specific mode (PIM-SSM)
• Internet Group Management Protocol Version 3 (IGMPv3)

Protocol Independent Multicast (PIM) SSM, or PIM-SSM, is the routing protocol that supports the
implementation of SSM and is derived from PIM sparse mode (PIM-SM). IGMP is the Internet Engineering
Task Force (IETF) standards track protocol used for hosts to signal multicast group membership to routers.
IGMP Version 3 supports source filtering, which is required for SSM. For SSM to run with IGMPv3, SSM
must be supported in the router, the host where the application is running, and the application itself.
Related Topics
Configuring SSM , on page 1050
SSM with IGMPv3 Example, on page 1060

How SSM Differs from Internet Standard Multicast


The standard IP multicast infrastructure in the Internet and many enterprise intranets is based on the PIM-SM
protocol and Multicast Source Discovery Protocol (MSDP). These protocols have proved to be reliable,
extensive, and efficient. However, they are bound to the complexity and functionality limitations of the Internet
Standard Multicast (ISM) service model. For example, with ISM, the network must maintain knowledge about
which hosts in the network are actively sending multicast traffic. With SSM, this information is provided by
receivers through the source addresses relayed to the last-hop devices by IGMPv3. SSM is an incremental
response to the issues associated with ISM and is intended to coexist in the network with the protocols
developed for ISM. In general, SSM provides IP multicast service for applications that utilize SSM.
ISM service is described in RFC 1112. This service consists of the delivery of IP datagrams from any source
to a group of receivers called the multicast host group. The datagram traffic for the multicast host group
consists of datagrams with an arbitrary IP unicast source address S and the multicast group address G as the
IP destination address. Systems will receive this traffic by becoming members of the host group. Membership
in a host group simply requires signaling the host group through IGMP Version 1, 2, or 3.
In SSM, delivery of datagrams is based on (S, G) channels. Traffic for one (S, G) channel consists of datagrams
with an IP unicast source address S and the multicast group address G as the IP destination address. Systems
will receive this traffic by becoming members of the (S, G) channel. In both SSM and ISM, no signaling is
required to become a source. However, in SSM, receivers must subscribe or unsubscribe to (S, G) channels
to receive or not receive traffic from specific sources. In other words, receivers can receive traffic only from
(S, G) channels to which they are subscribed, whereas in ISM, receivers need not know the IP addresses of
sources from which they receive their traffic. The proposed standard approach for channel subscription
signaling utilizes IGMP INCLUDE mode membership reports, which are supported only in IGMP Version 3.
SSM can coexist with the ISM service by applying the SSM delivery model to a configured subset of the IP
multicast group address range. The Internet Assigned Numbers Authority (IANA) has reserved the address
range from 232.0.0.0 through 232.255.255.255 for SSM applications and protocols. The software allows SSM
configuration for an arbitrary subset of the IP multicast address range from 224.0.0.0 through 239.255.255.255.
When an SSM range is defined, an existing IP multicast receiver application will not receive any traffic when
it tries to use addresses in the SSM range unless the application is modified to use explicit (S, G) channel
subscription or is SSM-enabled through a URL Rendezvous Directory (URD).

SSM Operations
An established network in which IP multicast service is based on PIM-SM can support SSM services. SSM
can also be deployed alone in a network without the full range of protocols that are required for interdomain
PIM-SM. That is, SSM does not require an RP, so there is no need for an RP mechanism such as Auto-RP,
MSDP, or bootstrap router (BSR).
If SSM is deployed in a network that is already configured for PIM-SM, then only the last-hop routers must
be upgraded to a software image that supports SSM. Routers that are not directly connected to receivers do
not have to upgrade to a software image that supports SSM. In general, these non-last-hop routers must only
run PIM-SM in the SSM range. They may need additional access control configuration to suppress MSDP
signaling, registering, or PIM-SM shared-tree operations from occurring within the SSM range.
The SSM mode of operation is enabled by configuring the SSM range using the ip pim ssm global configuration
command. This configuration has the following effects:
• For groups within the SSM range, (S, G) channel subscriptions are accepted through IGMPv3 INCLUDE
mode membership reports.
• PIM operations within the SSM range of addresses change to PIM-SSM, a mode derived from PIM-SM.
In this mode, only PIM (S, G) Join and Prune messages are generated by the router. Incoming messages
related to rendezvous point tree (RPT) operations are ignored or rejected, and incoming PIM register
messages are immediately answered with Register-Stop messages. PIM-SSM is backward-compatible
with PIM-SM unless a router is a last-hop router. Therefore, routers that are not last-hop routers can run
PIM-SM for SSM groups (for example, if they do not yet support SSM).
• For groups within the SSM range, no MSDP Source-Active (SA) messages within the SSM range will
be accepted, generated, or forwarded.

IGMPv3 Host Signaling


IGMPv3 is the third version of the IETF standards track protocol in which hosts signal membership to last-hop
routers of multicast groups. IGMPv3 introduces the ability for hosts to signal group membership that allows
filtering capabilities with respect to sources. A host can signal either that it wants to receive traffic from all
sources sending to a group except for some specific sources (a mode called EXCLUDE) or that it wants to
receive traffic only from some specific sources sending to the group (a mode called INCLUDE).
IGMPv3 can operate with both ISM and SSM. In ISM, both EXCLUDE and INCLUDE mode reports are
accepted by the last-hop router. In SSM, only INCLUDE mode reports are accepted by the last-hop router.


Benefits of SSM
IP Multicast Address Management Not Required
In the ISM service, applications must acquire a unique IP multicast group address because traffic distribution
is based only on the IP multicast group address used. If two applications with different sources and receivers
use the same IP multicast group address, then receivers of both applications will receive traffic from the
senders of both applications. Even though the receivers, if programmed appropriately, can filter out the
unwanted traffic, this situation would cause generally unacceptable levels of unwanted traffic.
Allocating a unique IP multicast group address for an application is still a problem. Most short-lived applications
use mechanisms like Session Description Protocol (SDP) and Session Announcement Protocol (SAP) to get
a random address, a solution that does not work well with a rising number of applications in the Internet. The
best current solution for long-lived applications is described in RFC 2770, but this solution suffers from the
restriction that each autonomous system is limited to only 255 usable IP multicast addresses.
In SSM, traffic from each source is forwarded between routers in the network independent of traffic from
other sources. Thus different sources can reuse multicast group addresses in the SSM range.

Denial of Service Attacks from Unwanted Sources Inhibited


In SSM, multicast traffic from each individual source will be transported across the network only if it was
requested (through IGMPv3, IGMP v3lite, or URD memberships) from a receiver. In contrast, ISM forwards
traffic from any active source sending to a multicast group to all receivers requesting that multicast group. In
Internet broadcast applications, this ISM behavior is highly undesirable because it allows unwanted sources
to easily disturb the actual Internet broadcast source by simply sending traffic to the same multicast group.
This situation depletes bandwidth at the receiver side with unwanted traffic and thus disrupts the undisturbed
reception of the Internet broadcast. In SSM, this type of denial of service (DoS) attack cannot be made by
simply sending traffic to a multicast group.

Easy to Install and Manage


SSM is easy to install and provision in a network because it does not require the network to maintain which
active sources are sending to multicast groups. This requirement exists in ISM (with IGMPv1, IGMPv2, or
IGMPv3).
The current standard solutions for ISM service are PIM-SM and MSDP. Rendezvous point (RP) management
in PIM-SM (including the necessity for Auto-RP or BSR) and MSDP is required only for the network to learn
about active sources. This management is not necessary in SSM, which makes SSM easier than ISM to install
and manage, and therefore easier than ISM to operationally scale in deployment. Another factor that contributes
to the ease of installation of SSM is the fact that it can leverage preexisting PIM-SM networks and requires
only the upgrade of last hop routers to support IGMPv3, IGMP v3lite, or URD.

Ideal for Internet Broadcast Applications


The three benefits previously described make SSM ideal for Internet broadcast-style applications for the
following reasons:
• The ability to provide Internet broadcast services through SSM without the need for unique IP multicast
addresses allows content providers to easily offer their service (IP multicast address allocation has been
a serious problem for content providers in the past).
• The prevention against DoS attacks is an important factor for Internet broadcast services because, with
their exposure to a large number of receivers, they are the most common targets for such attacks.


• The ease of installation and operation of SSM makes it ideal for network operators, especially in those
cases where content needs to be forwarded between multiple independent PIM domains (because there
is no need to manage MSDP for SSM between PIM domains).

SSM Mapping Overview


SSM mapping supports SSM transition when supporting SSM on the end system is impossible or unwanted
due to administrative or technical reasons. Using SSM to deliver live streaming video to legacy STBs that do
not support IGMPv3 is a typical application of SSM mapping.
In a typical STB deployment, each TV channel uses one separate IP multicast group and has one active server
host sending the TV channel. A single server may of course send multiple TV channels, but each to a different
group. In this network environment, if a router receives an IGMPv1 or IGMPv2 membership report for a
particular group G, the report implicitly addresses the well-known TV server for the TV channel associated
with the multicast group.
SSM mapping introduces a means for the last hop router to discover sources sending to groups. When SSM
mapping is configured, if a router receives an IGMPv1 or IGMPv2 membership report for a particular group
G, the router translates this report into one or more (S, G) channel memberships for the well-known sources
associated with this group.
When the router receives an IGMPv1 or IGMPv2 membership report for group G, the router uses SSM mapping
to determine one or more source IP addresses for group G. SSM mapping then translates the membership
report as an IGMPv3 report INCLUDE (G, [S1, G], [S2, G]...[Sn, G]) and continues as if it had received an
IGMPv3 report. The router then sends out PIM joins toward (S1, G) to (Sn, G) and continues to be joined to
these groups as long as it continues to receive the IGMPv1 or IGMPv2 membership reports and as long as
the SSM mapping for the group remains the same. SSM mapping, thus, enables you to leverage SSM for
video delivery to legacy STBs that do not support IGMPv3 or for applications that do not take advantage of
the IGMPv3 host stack.
SSM mapping enables the last hop router to determine the source addresses either by a statically configured
table on the router or by consulting a DNS server. When the statically configured table is changed, or when
the DNS mapping changes, the router will leave the current sources associated with the joined groups.

Static SSM Mapping


SSM static mapping enables you to configure the last hop router to use a static map to determine the sources
sending to groups. Static SSM mapping requires that you configure access lists (ACLs) to define group ranges.
The groups permitted by those ACLs then can be mapped to sources using the ip igmp static ssm-map global
configuration command.
You can configure static SSM mapping in smaller networks when a DNS is not needed or to locally override
DNS mappings that may be temporarily incorrect. When configured, static SSM mappings take precedence
over DNS mappings.
Related Topics
Configuring Static SSM Mapping , on page 1052
Verifying SSM Mapping Configuration and Operation, on page 1057

DNS-Based SSM Mapping


DNS-based SSM mapping enables you to configure the last hop router to perform a reverse DNS lookup to
determine sources sending to groups (see the figure below). When DNS-based SSM mapping is configured,


the router constructs a domain name that includes the group address G and performs a reverse lookup into the
DNS. The router looks up IP address resource records (IP A RRs) to be returned for this constructed domain
name and uses the returned IP addresses as the source addresses associated with this group. SSM mapping
supports up to 20 sources for each group. The router joins all sources configured for a group.
Figure 91: DNS-Based SSM-Mapping

The SSM mapping mechanism that enables the last hop router to join multiple sources for a group can be used
to provide source redundancy for a TV broadcast. In this context, the redundancy is provided by the last hop
router using SSM mapping to join two video sources simultaneously for the same TV channel. However, to
prevent the last hop router from duplicating the video traffic, it is necessary that the video sources utilize a
server-side switchover mechanism where one video source is active while the other backup video source is
passive. The passive source waits until an active source failure is detected before sending the video traffic for
the TV channel. The server-side switchover mechanism, thus, ensures that only one of the servers is actively
sending the video traffic for the TV channel.
To look up one or more source addresses for a group G that includes G1, G2, G3, and G4, the following DNS
resource records (RRs) must be configured on the DNS server:

G4.G3.G2.G1 [multicast-domain] [timeout] IN A source-address-1
                                         IN A source-address-2
                                         IN A source-address-n

The multicast-domain argument is a configurable DNS prefix. The default DNS prefix is in-addr.arpa. You
should only use the default prefix when your installation is either separate from the internet or if the group
names that you map are global scope group addresses (RFC 2770 type addresses that you configure for SSM)
that you own.
The timeout argument configures the length of time for which the router performing SSM mapping will cache
the DNS lookup. This argument is optional and defaults to the timeout of the zone in which this entry is
configured. The timeout indicates how long the router will keep the current mapping before querying the DNS
server for this group. The timeout is derived from the cache time of the DNS RR entry and can be configured
for each group/source entry on the DNS server. You can configure this time for larger values if you want to
minimize the number of DNS queries generated by the router. Configure this time for a low value if you want
to be able to quickly update all routers with new source addresses.


Note Refer to your DNS server documentation for more information about configuring DNS RRs.

To configure DNS-based SSM mapping in the software, you must configure a few global commands but no
per-channel specific configuration is needed. There is no change to the configuration for SSM mapping if
additional channels are added. When DNS-based SSM mapping is configured, the mappings are handled
entirely by one or more DNS servers. All DNS techniques for configuration and redundancy management
can be applied to the entries needed for DNS-based SSM mapping.
Related Topics
Configuring DNS-Based SSM Mapping, on page 1054
Configuring Static Traffic Forwarding with SSM Mapping , on page 1056
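The following Python model is an added illustration, not Cisco code and not part of this guide. It shows how a last-hop router, as described in the SSM Mapping Overview and the static and DNS-based mapping sections above, handles reports for groups in the SSM range: IGMPv3 INCLUDE reports become (S, G) channels, EXCLUDE reports are rejected, and group-only IGMPv1/v2 reports are resolved through static mappings first and then through a DNS name built as G4.G3.G2.G1.<multicast-domain>, capped at 20 sources and cached for the record's timeout. The ACL (modelled as a list of group prefixes), the offline resolver and all addresses are constructed stand-ins.

```python
"""Model of the SSM-range behaviour of a last-hop router as described in this chapter.

Constructed illustration, not Cisco code. It models:
  * IGMPv3 INCLUDE reports inside the SSM range create (S, G) channels, EXCLUDE is rejected;
  * IGMPv1/v2 (group-only) reports are mapped with static entries first, then DNS;
  * the DNS name is G4.G3.G2.G1.<multicast-domain>, at most 20 sources per group,
    cached for the record's timeout;
  * groups outside the SSM range keep ISM (*, G) behaviour.
"""
import ipaddress
from dataclasses import dataclass, field

MAX_SOURCES = 20                                         # "up to 20 sources for each group"
DEFAULT_SSM_RANGE = ipaddress.ip_network("232.0.0.0/8")  # IANA-reserved SSM range
DEFAULT_PREFIX = "in-addr.arpa"                          # default multicast-domain prefix


def ssm_dns_name(group: str, prefix: str = DEFAULT_PREFIX) -> str:
    """Name the router looks up for group G1.G2.G3.G4: G4.G3.G2.G1.<prefix>."""
    g1, g2, g3, g4 = group.split(".")
    return f"{g4}.{g3}.{g2}.{g1}.{prefix}"


def acl(*prefixes: str) -> list:
    """Constructed stand-in for a standard ACL: the list of permitted group prefixes."""
    return [ipaddress.ip_network(p) for p in prefixes]


@dataclass
class StaticMap:
    """One 'ip igmp ssm-map static <acl> <source>' entry."""
    groups: list   # permitted group prefixes, see acl()
    source: str


@dataclass
class LastHopRouter:
    ssm_range: ipaddress.IPv4Network = DEFAULT_SSM_RANGE
    ssm_map_enabled: bool = False        # ip igmp ssm-map enable
    query_dns: bool = True               # default; 'no ip igmp ssm-map query dns' clears it
    domain_prefix: str = DEFAULT_PREFIX  # ip domain multicast <prefix>
    static_maps: list = field(default_factory=list)
    dns: dict = field(default_factory=dict)        # constructed offline resolver: name -> (ttl, [A RRs])
    dns_cache: dict = field(default_factory=dict)  # group -> (expiry, sources)

    def in_ssm_range(self, group: str) -> bool:
        return ipaddress.ip_address(group) in self.ssm_range

    def map_sources(self, group: str, now: int = 0) -> list:
        """Sources for a group-only report: static mappings take precedence over DNS."""
        if not self.ssm_map_enabled:
            return []
        g = ipaddress.ip_address(group)
        sources = []
        for entry in self.static_maps:           # walk each configured static mapping
            if any(g in net for net in entry.groups) and entry.source not in sources:
                sources.append(entry.source)
        if sources:
            return sources[:MAX_SOURCES]
        if not self.query_dns:
            return []
        cached = self.dns_cache.get(group)
        if cached and cached[0] > now:           # keep the mapping until the RR timeout expires
            return cached[1]
        ttl, records = self.dns.get(ssm_dns_name(group, self.domain_prefix), (0, []))
        sources = list(records)[:MAX_SOURCES]
        self.dns_cache[group] = (now + ttl, sources)
        return sources

    def handle_report(self, version: int, group: str, mode=None, sources=(), now: int = 0):
        """Return the channels joined for a report, or None if it creates no state."""
        if not self.in_ssm_range(group):
            return [("*", group)]                # ISM: any-source join, both modes accepted
        if version == 3:
            if mode != "INCLUDE":                # SSM accepts only INCLUDE mode reports
                return None
            return [(s, group) for s in sources]
        mapped = self.map_sources(group, now)    # IGMPv1/v2 report translated via SSM mapping
        return [(s, group) for s in mapped] or None


if __name__ == "__main__":
    r = LastHopRouter(ssm_map_enabled=True)
    r.static_maps.append(StaticMap(acl("232.1.1.0/24"), "172.16.8.11"))
    r.dns[ssm_dns_name("232.2.1.2")] = (300, ["10.1.1.1", "10.1.1.2"])
    print(r.handle_report(2, "232.1.1.5"))                          # static mapping wins
    print(r.handle_report(2, "232.2.1.2"))                          # DNS-based mapping
    print(r.handle_report(3, "232.5.5.5", "EXCLUDE", ["10.0.0.1"]))  # rejected in SSM range
```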

SSM Mapping Benefits


• The SSM Mapping feature provides almost the same ease of network installation and management as a
pure SSM solution based on IGMPv3. Some additional configuration is necessary to enable SSM mapping.
• The SSM benefit of inhibition of DoS attacks applies when SSM mapping is configured. When SSM
mapping is configured the only segment of the network that may still be vulnerable to DoS attacks are
receivers on the LAN connected to the last hop router. Since those receivers may still be using IGMPv1
and IGMPv2, they are vulnerable to attacks from unwanted sources on the same LAN. SSM mapping,
however, does protect those receivers (and the network path leading towards them) from multicast traffic
from unwanted sources anywhere else in the network.
• Address assignment within a network using SSM mapping needs to be coordinated, but it does not need
assignment from outside authorities, even if the content from the network is to be transited into other
networks.

How to Configure SSM and SSM Mapping


Configuring SSM
Follow these steps to configure SSM:
This procedure is optional.

Before you begin


If you want to use an access list to define the Source Specific Multicast (SSM) range, configure the access
list before you reference the access list in the ip pim ssm command.

SUMMARY STEPS
1. enable
2. configure terminal
3. ip pim ssm [default | range access-list]
4. interface type number

5. ip pim {sparse-mode | sparse-dense-mode}
6. ip igmp version 3
7. end
8. show running-config
9. copy running-config startup-config

DETAILED STEPS

Command or Action Purpose

Step 1 enable
    Enables privileged EXEC mode. Enter your password if prompted.
    Example:
    SwitchDevice> enable

Step 2 configure terminal
    Enters the global configuration mode.
    Example:
    SwitchDevice# configure terminal

Step 3 ip pim ssm [default | range access-list]
    Defines the SSM range of IP multicast addresses.
    Example:
    SwitchDevice(config)# ip pim ssm range 20

Step 4 interface type number
    Selects an interface that is connected to hosts on which IGMPv3 can be enabled, and enters the interface
    configuration mode.
    Example:
    SwitchDevice(config)# interface gigabitethernet 1/0/1

Step 5 ip pim {sparse-mode | sparse-dense-mode}
    Enables PIM on an interface. You must use either sparse mode or sparse-dense mode.
    Example:
    SwitchDevice(config-if)# ip pim sparse-dense-mode

Step 6 ip igmp version 3
    Enables IGMPv3 on this interface. The default version of IGMP is set to Version 2.
    Example:
    SwitchDevice(config-if)# ip igmp version 3

Step 7 end
    Returns to privileged EXEC mode.
    Example:
    SwitchDevice(config-if)# end

Step 8 show running-config
    Verifies your entries.
    Example:
    SwitchDevice# show running-config

Step 9 copy running-config startup-config
    (Optional) Saves your entries in the configuration file.
    Example:
    SwitchDevice# copy running-config startup-config

Related Topics
SSM Components , on page 1045
SSM with IGMPv3 Example, on page 1060

Configuring SSM Mapping


Configuring Static SSM Mapping
Follow these steps to configure static SSM Mapping:

SUMMARY STEPS
1. enable
2. configure terminal
3. ip igmp ssm-map enable
4. no ip igmp ssm-map query dns
5. ip igmp ssm-map static access-list source-address
6. end
7. show running-config
8. copy running-config startup-config

DETAILED STEPS

Command or Action Purpose

Step 1 enable
    Enables privileged EXEC mode. Enter your password if prompted.
    Example:
    SwitchDevice> enable

Step 2 configure terminal
    Enters the global configuration mode.
    Example:
    SwitchDevice# configure terminal

Step 3 ip igmp ssm-map enable
    Enables SSM mapping for groups in the configured SSM range.
    Note By default, this command enables DNS-based SSM mapping.
    Example:
    SwitchDevice(config)# ip igmp ssm-map enable

Step 4 no ip igmp ssm-map query dns
    (Optional) Disables DNS-based SSM mapping.
    Note Disable DNS-based SSM mapping if you only want to rely on static SSM mapping. By default,
    the ip igmp ssm-map command enables DNS-based SSM mapping.
    Example:
    SwitchDevice(config)# no ip igmp ssm-map query dns

Step 5 ip igmp ssm-map static access-list source-address
    Configures static SSM mapping.
    • The ACL supplied for the access-list argument defines the groups to be mapped to the source IP address
    entered for the source-address argument.
    Note You can configure additional static SSM mappings. If additional SSM mappings are configured and
    the router receives an IGMPv1 or IGMPv2 membership report for a group in the SSM range, the switch
    determines the source addresses associated with the group by walking each configured ip igmp ssm-map
    static command. The switch associates up to 20 sources per group.
    Repeat this step to configure additional static SSM mappings, if required.
    Example:
    SwitchDevice(config)# ip igmp ssm-map static 11 172.16.8.11

Step 6 end
    Returns to privileged EXEC mode.
    Example:
    SwitchDevice(config)# end

Step 7 show running-config
    Verifies your entries.
    Example:
    SwitchDevice# show running-config

Step 8 copy running-config startup-config
    (Optional) Saves your entries in the configuration file.
    Example:
    SwitchDevice# copy running-config startup-config

Related Topics
Static SSM Mapping, on page 1048

Configuring DNS-Based SSM Mapping


Perform this task to configure the last hop router to perform DNS lookups to learn the IP addresses of sources
sending to a group.

Before you begin


• Enable IP multicast routing, enable PIM sparse mode, and configure SSM before performing this task.
• Before you can configure and use SSM mapping with DNS lookups, you need to be able to add records
to a running DNS server. If you do not already have a DNS server running, you need to install one.

SUMMARY STEPS
1. enable
2. configure terminal
3. ip igmp ssm-map enable
4. ip igmp ssm-map query dns
5. ip domain multicast domain-prefix
6. ip name-server server-address1 [server-address2...server-address6]
7. Repeat Step 6, on page 1055, to configure additional DNS servers for redundancy, if required.
8. end
9. show running-config
10. copy running-config startup-config

DETAILED STEPS

Command or Action Purpose


Step 1 enable Enables privileged EXEC mode.
Example: Enter your password if prompted.

SwitchDevice> enable

Step 2 configure terminal Enters global configuration mode.


Example:

SwitchDevice# configure terminal

Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(3)E (Catalyst 3560-CX and 2960-CX Switches)
1054
Multicast Routing
Configuring DNS-Based SSM Mapping

Command or Action Purpose


Step 3 ip igmp ssm-map enable Enables SSM mapping for groups in a configured SSM
range.
Example:

SwitchDevice(config)# ip igmp ssm-map enable

Step 4 ip igmp ssm-map query dns (Optional) Enables DNS-based SSM mapping.
• By default, the ip igmp ssm-map command enables DNS-based SSM mapping. Only the no form of this
command is saved to the running configuration.
Note Use this command to reenable DNS-based SSM mapping if DNS-based SSM mapping is disabled.
Example:

SwitchDevice(config)# ip igmp ssm-map query dns

Step 5 ip domain multicast domain-prefix (Optional) Changes the domain prefix used for DNS-based SSM
mapping.
• By default, the software uses the ip-addr.arpa domain prefix.
Example:

SwitchDevice(config)# ip domain multicast ssm-map.cisco.com

Step 6 ip name-server server-address1 [server-address2...server-address6] Specifies the address of one or
more name servers to use for name and address resolution.
Example:

SwitchDevice(config)# ip name-server 10.48.81.21

Step 7 Repeat Step 6, on page 1055 to configure additional DNS servers for redundancy, if required. --
Step 8 end Returns to privileged EXEC mode.
Example:

SwitchDevice(config)# end

Step 9 show running-config Verifies your entries.


Example:

SwitchDevice# show running-config

Step 10 copy running-config startup-config (Optional) Saves your entries in the configuration file.
Example:

SwitchDevice# copy running-config startup-config

Related Topics
DNS-Based SSM Mapping, on page 1048
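The lookup that Steps 4 through 6 set up, as an added Python model (not code from this guide): it builds the reversed-octet name under the configured domain prefix, answers it from a constructed record set that stands in for the DNS server, and converts a (*, G) IGMPv2 report into (S, G) channels or reports the lookup failure shown in the debug output later in this chapter. The record contents and the 232.0.0.0/8 range gate are assumptions of the example.

```python
"""Model of the DNS-based SSM mapping lookup a last hop router performs.

Added example; not code from the Cisco configuration guide.
"""
import ipaddress
from typing import Dict, List, Optional, Tuple

# The SSM range that "ip pim ssm default" installs (assumed here as the only range).
SSM_DEFAULT_RANGE = ipaddress.IPv4Network("232.0.0.0/8")

# Constructed stand-in for the DNS server: fully qualified name -> A records.
# The first entry reproduces the "show ip igmp ssm-mapping 232.1.1.4" output
# in this chapter; the second is constructed for the (*,232.1.2.3) report
# seen in the "debug ip igmp" output.
SAMPLE_DNS_RECORDS: Dict[str, List[str]] = {
    "4.1.1.232.ssm-map.cisco.com": ["172.16.8.6", "172.16.8.5"],
    "3.2.1.232.ssm-map.cisco.com": ["172.16.8.3", "172.16.8.4"],
}


def ssm_map_dns_name(group: str, domain_prefix: str) -> str:
    """Name the router queries for a group: octets reversed, then the prefix
    set with "ip domain multicast" (232.1.1.4 -> 4.1.1.232.ssm-map.cisco.com)."""
    octets = str(ipaddress.IPv4Address(group)).split(".")
    return ".".join(reversed(octets)) + "." + domain_prefix


def dns_sources_for_group(group: str, domain_prefix: str,
                          records: Dict[str, List[str]]) -> Optional[List[str]]:
    """Sorted source list for a group, or None when the lookup fails
    (group outside the SSM range, or no A record for the constructed name)."""
    if ipaddress.IPv4Address(group) not in SSM_DEFAULT_RANGE:
        return None  # SSM mapping applies only to groups in the SSM range
    answers = records.get(ssm_map_dns_name(group, domain_prefix))
    if not answers:
        return None  # the "DNS source lookup failed" case
    return sorted(answers, key=ipaddress.IPv4Address)


def convert_igmpv2_report(group: str, domain_prefix: str,
                          records: Dict[str, List[str]]) -> Tuple[str, List[Tuple[str, str]]]:
    """Turn a (*,G) IGMPv2 report into the (S,G) channels an IGMPv3 INCLUDE
    report would carry. Returns a status string modelled on the debug lines
    and the channel list (empty when the conversion fails)."""
    sources = dns_sources_for_group(group, domain_prefix, records)
    if sources is None:
        return (f"DNS source lookup failed for (*, {group}), IGMPv2 report failed", [])
    status = f"Convert IGMPv2 report (*,{group}) to IGMPv3 with {len(sources)} source(s) using DNS"
    return (status, [(source, group) for source in sources])


if __name__ == "__main__":
    for g in ("232.1.1.4", "232.1.2.3", "232.9.9.9", "224.1.2.3"):
        print(g, "->", convert_igmpv2_report(g, "ssm-map.cisco.com", SAMPLE_DNS_RECORDS)[0])
```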

Configuring Static Traffic Forwarding with SSM Mapping


Follow these steps to configure static traffic forwarding with SSM mapping on the last hop router:

SUMMARY STEPS
1. enable
2. configure terminal
3. interface interface-id
4. ip igmp static-group group-address source ssm-map
5. end
6. show running-config
7. copy running-config startup-config

DETAILED STEPS

Command or Action Purpose


Step 1 enable Enables privileged EXEC mode. Enter your password if
prompted.
Example:

SwitchDevice> enable

Step 2 configure terminal Enters the global configuration mode.


Example:

SwitchDevice# configure terminal

Step 3 interface interface-id Selects an interface on which to statically forward traffic for a multicast group
using SSM mapping, and enters interface configuration mode.
Note Static forwarding of traffic with SSM mapping works with either DNS-based SSM mapping or statically
configured SSM mapping.
Example:

SwitchDevice(config)# interface gigabitethernet 1/0/1

Step 4 ip igmp static-group group-address source ssm-map Configures SSM mapping to statically forward a
(S, G) channel from the interface.
Use this command if you want to statically forward SSM traffic for certain groups. Use DNS-based SSM
mapping to determine the source addresses of the channels.
Example:

SwitchDevice(config-if)# ip igmp static-group 239.1.2.1 source ssm-map

Step 5 end Returns to privileged EXEC mode.


Example:

SwitchDevice(config-if)# end

Step 6 show running-config Verifies your entries.


Example:

SwitchDevice# show running-config

Step 7 copy running-config startup-config (Optional) Saves your entries in the configuration file.
Example:

SwitchDevice# copy running-config startup-config

Related Topics
DNS-Based SSM Mapping, on page 1048

Verifying SSM Mapping Configuration and Operation


Follow these steps to verify SSM mapping configuration and operation:

SUMMARY STEPS
1. enable
2. show ip igmp ssm-mapping
3. show ip igmp ssm-mapping group-address
4. show ip igmp groups [group-name | group-address | interface-type interface-number] [detail]
5. show host
6. debug ip igmp group-address

DETAILED STEPS

Command or Action Purpose


Step 1 enable Enables privileged EXEC mode. Enter your password if
prompted.
Example:

SwitchDevice> enable

Step 2 show ip igmp ssm-mapping (Optional) Displays information about SSM mapping
configuration.
Example:

SwitchDevice# show ip igmp ssm-mapping


SSM Mapping : Enabled
DNS Lookup : Enabled
Mcast domain : ssm-map.cisco.com

Name servers : 10.0.0.3
10.0.0.4

Step 3 show ip igmp ssm-mapping group-address (Optional) Displays the sources that SSM mapping uses for
a particular group.
The example here shows information about the configured DNS-based SSM mapping. Here the router has used
DNS-based mapping to map group 232.1.1.4 to sources 172.16.8.5 and 172.16.8.6. The timeout for this entry is
860000 milliseconds (860 seconds).
Example:

SwitchDevice# show ip igmp ssm-mapping 232.1.1.4
Group address: 232.1.1.4
Database     : DNS
DNS name     : 4.1.1.232.ssm-map.cisco.com
Expire time  : 860000
Source list  : 172.16.8.5
             : 172.16.8.6

Step 4 show ip igmp groups [group-name | group-address | interface-type interface-number] [detail] (Optional)
Displays the multicast groups with receivers that are directly connected to the router and that were learned
through IGMP.
In the example the “M” flag indicates that SSM mapping is configured.
Example:

SwitchDevice# show ip igmp group 232.1.1.4 detail
Interface:      GigabitEthernet2/0/0
Group:          232.1.1.4 SSM
Uptime:         00:03:20
Group mode:     INCLUDE
Last reporter:  0.0.0.0
CSR Grp Exp:    00:02:59
Group source list: (C - Cisco Src Report, U - URD, R - Remote, S - Static, M - SSM Mapping)
Source Address   Uptime    v3 Exp    CSR Exp   Fwd  Flags
172.16.8.3       00:03:20  stopped   00:02:59  Yes  CM
172.16.8.4       00:03:20  stopped   00:02:59  Yes  CM
172.16.8.5       00:03:20  stopped   00:02:59  Yes  CM
172.16.8.6       00:03:20  stopped   00:02:59  Yes  CM

Step 5 show host (Optional) Displays the default domain name, the style of name lookup service, a list of name
server hosts, and the cached list of hostnames and addresses.
Example:

SwitchDevice# show host
Default domain is cisco.com
Name/address lookup uses domain service
Name servers are 10.48.81.21
Codes: UN - unknown, EX - expired, OK - OK, ?? - revalidate
       temp - temporary, perm - permanent
       NA - Not Applicable None - Not defined
Host                      Port  Flags       Age  Type  Address(es)
10.0.0.0.ssm-map.cisco.c  None  (temp, OK)  0    IP    172.16.8.5
                                                       172.16.8.6
                                                       172.16.8.3

Step 6 debug ip igmp group-address (Optional) Displays the IGMP packets received and sent and IGMP
host-related events.
In the first example, the output indicates that the router is converting an IGMPv2 join for group G into an
IGMPv3 join. In the second example, the output indicates that a DNS lookup has succeeded. In the third
example, the output indicates that DNS-based SSM mapping is enabled and a DNS lookup has failed:
Example:

SwitchDevice# debug ip igmp
IGMP(0): Convert IGMPv2 report (*,232.1.2.3) to IGMPv3 with 2 source(s) using STATIC.

SwitchDevice# debug ip igmp
IGMP(0): Convert IGMPv2 report (*,232.1.2.3) to IGMPv3 with 2 source(s) using DNS.

SwitchDevice# debug ip igmp
IGMP(0): DNS source lookup failed for (*, 232.1.2.3), IGMPv2 report failed

Related Topics
Static SSM Mapping, on page 1048

Monitoring SSM and SSM Mapping


Monitoring SSM
To monitor SSM, use the following commands in privileged EXEC mode, as needed:

Command Purpose

SwitchDevice# show ip igmp groups detail    Displays the (S, G) channel subscription through IGMPv3.

SwitchDevice# show ip mroute    Displays whether a multicast group supports SSM service or whether a
source-specific host report was received.

Monitoring SSM Mapping


Use the privileged EXEC commands in the following table to monitor SSM mapping.

Table 115: SSM Mapping Monitoring Commands

Command Purpose

SwitchDevice# show ip igmp ssm-mapping    Displays information about SSM mapping.

SwitchDevice# show ip igmp ssm-mapping group-address    Displays the sources that SSM mapping uses for a
particular group.

SwitchDevice# show ip igmp groups [group-name | group-address | interface-type interface-number] [detail]
Displays the multicast groups with receivers that are directly connected to the router and that were learned
through IGMP.

SwitchDevice# show host    Displays the default domain name, the style of name lookup service, a list of name
server hosts, and the cached list of hostnames and addresses.

SwitchDevice# debug ip igmp group-address    Displays the IGMP packets received and sent and IGMP
host-related events.

Configuration Examples for SSM and SSM Mapping


SSM with IGMPv3 Example
The following example shows how to configure a device (running IGMPv3) for SSM:

ip multicast-routing
!
interface GigabitEthernet3/1/0
ip address 172.21.200.203 255.255.255.0
description backbone interface
ip pim sparse-mode
!
interface GigabitEthernet3/2/0
ip address 131.108.1.2 255.255.255.0
ip pim sparse-mode
description ethernet connected to hosts
ip igmp version 3
!
ip pim ssm default

Related Topics
Configuring SSM , on page 1050
SSM Components , on page 1045

SSM Filtering Example


The following example shows how to configure filtering on legacy RP routers running software releases that
do not support SSM routing. This filtering will suppress all unwanted PIM-SM and MSDP traffic in the SSM
range. Without this filtering, SSM will still operate, but there may be additional RPT traffic if legacy first hop
and last hop routers exist in the network.

ip access-list extended no-ssm-range
deny ip any 232.0.0.0 0.255.255.255 ! SSM range
permit ip any any
! Deny registering in SSM range
ip pim accept-register list no-ssm-range
ip access-list extended msdp-nono-list
deny ip any 232.0.0.0 0.255.255.255 ! SSM Range
! .
! .
! .
! See ftp://ftpeng.cisco.com/ipmulticast/config-notes/msdp-sa-filter.txt for other SA
! messages that typically need to be filtered.
permit ip any any
! Filter generated SA messages in SSM range. This configuration is only needed if there
! are directly connected sources to this router. The “ip pim accept-register” command
! filters remote sources.
ip msdp redistribute list msdp-nono-list
! Filter received SA messages in SSM range. “Filtered on receipt” means messages are
! neither processed nor forwarded. Needs to be configured for each MSDP peer.
ip msdp sa-filter in msdp-peer1 list msdp-nono-list
! .
! .
! .
ip msdp sa-filter in msdp-peerN list msdp-nono-list

SSM Mapping Example


The following configuration example shows a router configuration for SSM mapping. This example also
displays a range of other IGMP and SSM configuration options to show compatibility between features. Do
not use this configuration example as a model unless you understand all of the features used in the example.

Note Address assignment in the global SSM range 232.0.0.0/8 should be random. If you copy parts or all of this
sample configuration, make sure to select a random address range but not 232.1.1.x as shown in this example.
Using a random address range minimizes the possibility of address collision and may prevent conflicts when
other SSM content is imported while SSM mapping is used.

!
no ip domain lookup
ip domain multicast ssm.map.cisco.com
ip name-server 10.48.81.21
!
!
ip multicast-routing distributed
ip igmp ssm-map enable
ip igmp ssm-map static 10 172.16.8.10
ip igmp ssm-map static 11 172.16.8.11
!
!
.
.
.
!
interface GigabitEthernet0/0/0
description Sample IGMP Interface Configuration for SSM-Mapping Example
ip address 10.20.1.2 255.0.0.0
ip pim sparse-mode
ip igmp last-member-query-interval 100
ip igmp static-group 232.1.2.1 source ssm-map
ip igmp version 3
ip igmp explicit-tracking
ip igmp limit 2
ip igmp v3lite
ip urd
!

.
.
.
!
ip pim ssm default
!
access-list 10 permit 232.1.2.10
access-list 11 permit 232.1.2.0 0.0.0.255
!

This table describes the significant commands shown in the SSM mapping configuration example.

Table 116: SSM Mapping Configuration Example Command Descriptions

Command Description

no ip domain lookup    Disables IP DNS-based hostname-to-address translation.
    Note The no ip domain-list command is shown in the configuration only to demonstrate that disabling IP
    DNS-based hostname-to-address translation does not conflict with configuring SSM mapping. If this
    command is enabled, the Cisco IOS XE software will try to resolve unknown strings as hostnames.

ip domain multicast ssm-map.cisco.com    Specifies ssm-map.cisco.com as the domain prefix for SSM mapping.

ip name-server 10.48.81.21    Specifies 10.48.81.21 as the IP address of the DNS server to be used by SSM
mapping and any other service in the software that utilizes DNS.

ip multicast-routing    Enables IP multicast routing.

ip igmp ssm-map enable    Enables SSM mapping.

ip igmp ssm-map static 10 172.16.8.10    Configures the groups permitted by ACL 10 to use source address
172.16.8.10.
    • In this example, ACL 10 permits all groups in the 232.1.2.0/25 range except 232.1.2.10.

ip igmp ssm-map static 11 172.16.8.11    Configures the groups permitted by ACL 11 to use source address
172.16.8.11.
    • In this example, ACL 11 permits group 232.1.2.10.

ip pim sparse-mode    Enables PIM sparse mode.

ip igmp last-member-query-interval 100    Reduces the leave latency for IGMPv2 hosts.
    Note This command is not required for configuring SSM mapping; however, configuring this command can
    be beneficial for IGMPv2 hosts relying on SSM mapping.

ip igmp static-group 232.1.2.1 source ssm-map    Configures SSM mapping to be used to determine the sources
associated with group 232.1.2.1. The resulting (S, G) channels are statically forwarded.

ip igmp version 3    Enables IGMPv3 on this interface.
    Note This command is shown in the configuration only to demonstrate that IGMPv3 can be configured
    simultaneously with SSM mapping; however, it is not required.

ip igmp explicit-tracking    Minimizes the leave latency for IGMPv3 hosts leaving a multicast channel.
    Note This command is not required for configuring SSM mapping.

ip igmp limit 2    Limits the number of IGMP states resulting from IGMP membership states on a per-interface
basis.
    Note This command is not required for configuring SSM mapping.

ip igmp v3lite    Enables the acceptance and processing of IGMP v3lite membership reports on this interface.
    Note This command is shown in the configuration only to demonstrate that IGMP v3lite can be configured
    simultaneously with SSM mapping; however, it is not required.

ip urd    Enables interception of TCP packets sent to the reserved URD port 465 on an interface and processing
of URD channel subscription reports.
    Note This command is shown in the configuration only to demonstrate that URD can be configured
    simultaneously with SSM mapping; however, it is not required.

ip pim ssm default    Configures SSM service.
    • The default keyword defines the SSM range access list as 232/8.

access-list 10 permit 232.1.2.10
access-list 11 permit 232.1.2.0 0.0.0.255    Configures the ACLs to be used for static SSM mapping.
    Note These are the ACLs that are referenced by the ip igmp ssm-map static commands in this configuration
    example.
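The following Python is an added example (not code from this guide or from Cisco IOS) serving both the SSM Filtering Example and this SSM Mapping Example: it evaluates the wildcard-mask access lists from those examples with IOS first-match, implicit-deny semantics and applies them the way ip pim accept-register, ip msdp sa-filter and ip igmp ssm-map static use them, taking access-list 10 and 11 as they appear in the configuration above. The (S, G) inputs are constructed, and the example assumes that every static entry whose ACL permits a group contributes its source.

```python
"""Evaluate the wildcard-mask access lists from the SSM filtering and SSM
mapping examples. Added example; not code from the configuration guide."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

ANY = ("0.0.0.0", "255.255.255.255")   # the "any" keyword: address 0.0.0.0, wildcard all ones


@dataclass(frozen=True)
class Ace:
    """One access-list entry. A standard ACL tests a single address (src);
    an extended "ip" entry tests source and destination."""
    action: str                  # "permit" or "deny"
    src: str
    src_wc: str = "0.0.0.0"      # wildcard mask: 1 bits are "don't care"
    dst: str = ANY[0]
    dst_wc: str = ANY[1]


def wildcard_match(addr: str, network: str, wildcard: str) -> bool:
    """IOS wildcard semantics: compare only the bits that are 0 in the wildcard."""
    care = 0xFFFFFFFF ^ int(ipaddress.IPv4Address(wildcard))
    return (int(ipaddress.IPv4Address(addr)) & care) == (int(ipaddress.IPv4Address(network)) & care)


def acl_permits(acl: List[Ace], src: str, dst: Optional[str] = None) -> bool:
    """First matching entry decides; every ACL ends with an implicit deny."""
    for ace in acl:
        if wildcard_match(src, ace.src, ace.src_wc) and (
                dst is None or wildcard_match(dst, ace.dst, ace.dst_wc)):
            return ace.action == "permit"
    return False


# ip access-list extended no-ssm-range (SSM Filtering Example)
NO_SSM_RANGE = [
    Ace("deny", *ANY, "232.0.0.0", "0.255.255.255"),   # deny ip any 232.0.0.0 0.255.255.255
    Ace("permit", *ANY, *ANY),                         # permit ip any any
]
MSDP_NONO_LIST = NO_SSM_RANGE   # msdp-nono-list carries the same two entries

# access-list 10 permit 232.1.2.10 / access-list 11 permit 232.1.2.0 0.0.0.255
ACL_10 = [Ace("permit", "232.1.2.10")]
ACL_11 = [Ace("permit", "232.1.2.0", "0.0.0.255")]

# ip igmp ssm-map static 10 172.16.8.10 / ip igmp ssm-map static 11 172.16.8.11
STATIC_SSM_MAP: List[Tuple[List[Ace], str]] = [(ACL_10, "172.16.8.10"), (ACL_11, "172.16.8.11")]


def accept_register(source: str, group: str) -> bool:
    """ip pim accept-register list no-ssm-range: is a PIM Register for (S, G) accepted?"""
    return acl_permits(NO_SSM_RANGE, source, group)


def filter_sa_messages(sa_messages: List[Tuple[str, str]]) -> List[Tuple[str, str]]:
    """ip msdp sa-filter in <peer> list msdp-nono-list: keep only the (S, G) SA
    messages the list permits; the rest are neither processed nor forwarded."""
    return [(s, g) for s, g in sa_messages if acl_permits(MSDP_NONO_LIST, s, g)]


def static_ssm_sources(group: str) -> List[str]:
    """Sources a group maps to under the static entries. Assumption of this
    example: every entry whose ACL permits the group contributes its source."""
    return [source for acl, source in STATIC_SSM_MAP if acl_permits(acl, group)]


if __name__ == "__main__":
    # Constructed (S, G) samples: one inside the SSM range, one outside it.
    print(filter_sa_messages([("10.1.1.1", "232.1.1.1"), ("10.2.2.2", "224.2.2.2")]))
    for grp in ("232.1.2.10", "232.1.2.5", "232.1.3.5"):
        print(grp, "->", static_ssm_sources(grp))
```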

DNS Server Configuration Example


To configure DNS-based SSM mapping, you need to create a DNS server zone or add records to an existing
zone. If the routers that are using DNS-based SSM mapping are also using DNS for other purposes besides
SSM mapping, you should use a normally-configured DNS server. If DNS-based SSM mapping is the only
DNS implementation being used on the router, you can configure a fake DNS setup with an empty root zone,
or a root zone that points back to itself.

The following example shows how to create a zone and import the zone data using Network Registrar:

Router> zone 1.1.232.ssm-map.cisco.com. create primary file=named.ssm-map
100 Ok
Router> dns reload
100 Ok

The following example shows how to import the zone files from a named.conf file for BIND 8:

Router> ::import named.conf /etc/named.conf
Router> dns reload
100 Ok:

Note Network Registrar version 8.0 and later support importing BIND 8 format definitions.

CHAPTER 46
Configuring IGMP Snooping and Multicast VLAN Registration
• Finding Feature Information, on page 1065
• Prerequisites for Configuring IGMP Snooping and MVR, on page 1065
• Restrictions for Configuring IGMP Snooping and MVR, on page 1066
• Information About IGMP Snooping and MVR, on page 1068
• How to Configure IGMP Snooping and MVR, on page 1076
• Monitoring IGMP Snooping and MVR, on page 1105
• Configuration Examples for IGMP Snooping and MVR, on page 1108

Finding Feature Information


Your software release may not support all the features documented in this module. For the latest caveats and
feature information, see Bug Search Tool and the release notes for your platform and software release. To
find information about the features documented in this module, and to see a list of the releases in which each
feature is supported, see the feature information table.
Use Cisco Feature Navigator to find information about platform support and Cisco software image support.
To access Cisco Feature Navigator, go to www.cisco.com/go/cfn. An account on Cisco.com is not required.

Prerequisites for Configuring IGMP Snooping and MVR


Prerequisites for IGMP Snooping
Observe these guidelines when configuring the IGMP snooping querier:
• Configure the VLAN in global configuration mode.
• Configure an IP address on the VLAN interface. When enabled, the IGMP snooping querier uses the IP
address as the query source address.
• If there is no IP address configured on the VLAN interface, the IGMP snooping querier tries to use the
configured global IP address for the IGMP querier. If there is no global IP address specified, the IGMP
querier tries to use the VLAN switch virtual interface (SVI) IP address (if one exists). If there is no SVI
IP address, the switch uses the first available IP address configured on the switch. The first IP address
available appears in the output of the show ip interface privileged EXEC command. The IGMP snooping
querier does not generate an IGMP general query if it cannot find an available IP address on the switch.
• The IGMP snooping querier supports IGMP Versions 1 and 2.
• When administratively enabled, the IGMP snooping querier moves to the nonquerier state if it detects
the presence of a multicast router in the network.
• When it is administratively enabled, the IGMP snooping querier moves to the operationally disabled
state under these conditions:
• IGMP snooping is disabled in the VLAN.
• PIM is enabled on the SVI of the corresponding VLAN.

Related Topics
Configuring the IGMP Snooping Querier , on page 1090
IGMP Snooping, on page 1068

Prerequisites for MVR


The following are the prerequisites for Multicast VLAN Registration (MVR):
• To use MVR, the switch must be running the LAN Base image.

Restrictions for Configuring IGMP Snooping and MVR


Restrictions for IGMP Snooping
The following are the restrictions for IGMP snooping:
• The switch supports homogeneous stacking and mixed stacking. Mixed stacking is supported only with
the Catalyst 2960-S switches. A homogenous stack can have up to eight stack members, while a mixed
stack can have up to four stack members. All switches in a switch stack must be running the LAN Base
image.
• IGMPv3 join and leave messages are not supported on switches running IGMP filtering or Multicast
VLAN registration (MVR).
• IGMP report suppression is supported only when the multicast query has IGMPv1 and IGMPv2 reports.
This feature is not supported when the query includes IGMPv3 reports.
• The IGMP configurable leave time is only supported on hosts running IGMP Version 2. IGMP version
2 is the default version for the switch.
The actual leave latency in the network is usually the configured leave time. However, the leave time
might vary around the configured time, depending on real-time CPU load conditions, network delays
and the amount of traffic sent through the interface.

• The IGMP throttling action restriction can be applied only to Layer 2 ports. You can use ip igmp
max-groups action replace interface configuration command on a logical EtherChannel interface but
cannot use it on ports that belong to an EtherChannel port group.
When the maximum group limitation is set to the default (no maximum), entering the ip igmp max-groups
action {deny | replace} command has no effect.
If you configure the throttling action and set the maximum group limitation after an interface has added
multicast entries to the forwarding table, the forwarding-table entries are either aged out or removed,
depending on the throttling action.

Related Topics
IGMP Versions, on page 945
Configuring IGMP Profiles , on page 1098
Applying IGMP Profiles , on page 1100
Setting the Maximum Number of IGMP Groups , on page 1101
Configuring the IGMP Throttling Action , on page 1103
IGMP Filtering and Throttling, on page 1075

Restrictions for MVR


The following are restrictions for MVR:
• Only Layer 2 ports participate in MVR. You must configure ports as MVR receiver ports.
• Only one MVR multicast VLAN per switch or switch stack is supported.
• Receiver ports can only be access ports; they cannot be trunk ports. Receiver ports on a switch can be
in different VLANs, but should not belong to the multicast VLAN.
• The maximum number of multicast entries (MVR group addresses) that can be configured on a switch
(that is, the maximum number of television channels that can be received) is 256.
• MVR multicast data received in the source VLAN and leaving from receiver ports has its time-to-live
(TTL) decremented by 1 in the switch.
• Because MVR on the switch uses IP multicast addresses instead of MAC multicast addresses, alias IP
multicast addresses are allowed on the switch. However, if the switch is interoperating with Catalyst
3550 or Catalyst 3500 XL switches, you should not configure IP addresses that alias between themselves
or with the reserved IP multicast addresses (in the range 224.0.0.xxx).
• Do not configure MVR on private VLAN ports.
• MVR is not supported when multicast routing is enabled on a switch. If you enable multicast routing
and a multicast routing protocol while MVR is enabled, MVR is disabled, and you receive a warning
message. If you try to enable MVR while multicast routing and a multicast routing protocol are enabled,
the operation to enable MVR is cancelled, and you receive an error message.
• MVR data received on an MVR receiver port is not forwarded to MVR source ports.
• MVR does not support IGMPv3 messages.
• The switch supports homogeneous stacking and mixed stacking. Mixed stacking is supported only with
the Catalyst 2960-S switches. A homogenous stack can have up to eight stack members, while a mixed
stack can have up to four stack members. All switches in a switch stack must be running the LAN Base
image.

Information About IGMP Snooping and MVR


IGMP Snooping
Layer 2 switches can use IGMP snooping to constrain the flooding of multicast traffic by dynamically
configuring Layer 2 interfaces so that multicast traffic is forwarded to only those interfaces associated with
IP multicast devices. As the name implies, IGMP snooping requires the LAN switch to snoop on the IGMP
transmissions between the host and the router and to keep track of multicast groups and member ports. When
the switch receives an IGMP report from a host for a particular multicast group, the switch adds the host port
number to the forwarding table entry; when it receives an IGMP Leave Group message from a host, it removes
the host port from the table entry. It also periodically deletes entries if it does not receive IGMP membership
reports from the multicast clients.

Note For more information on IP multicast and IGMP, see RFC 1112 and RFC 2236.

The multicast router sends out periodic general queries to all VLANs. All hosts interested in this multicast
traffic send join requests and are added to the forwarding table entry. The switch creates one entry per VLAN
in the IGMP snooping IP multicast forwarding table for each group from which it receives an IGMP join
request.
The switch supports IP multicast group-based bridging, instead of MAC address-based groups. With
multicast MAC address-based groups, if an IP address being configured translates (aliases) to a previously
configured MAC address or to any reserved multicast MAC addresses (in the range 224.0.0.xxx), the command
fails. Because the switch uses IP multicast groups, there are no address aliasing issues.
The IP multicast groups learned through IGMP snooping are dynamic. However, you can statically configure
multicast groups by using the ip igmp snooping vlan vlan-id static ip_address interface interface-id global
configuration command. If you specify group membership for a multicast group address statically, your setting
supersedes any automatic manipulation by IGMP snooping. Multicast group membership lists can consist of
both user-defined and IGMP snooping-learned settings.
You can configure an IGMP snooping querier to support IGMP snooping in subnets without multicast interfaces
because the multicast traffic does not need to be routed.
If a port spanning-tree, a port group, or a VLAN ID change occurs, the IGMP snooping-learned multicast
groups from this port on the VLAN are deleted.
These sections describe IGMP snooping characteristics:
Related Topics
Configuring the IGMP Snooping Querier , on page 1090
Prerequisites for IGMP Snooping, on page 1065
Example: Setting the IGMP Snooping Querier Source Address, on page 1108
Example: Setting the IGMP Snooping Querier Maximum Response Time, on page 1109
Example: Setting the IGMP Snooping Querier Timeout, on page 1109
Example: Setting the IGMP Snooping Querier Feature, on page 1109

IGMP Versions
The switch supports IGMP version 1, IGMP version 2, and IGMP version 3. These versions are interoperable
on the switch. For example, if IGMP snooping is enabled and the querier's version is IGMPv2, and the switch
receives an IGMPv3 report from a host, then the switch can forward the IGMPv3 report to the multicast router.
An IGMPv3 switch can receive messages from and forward messages to a device running the Source Specific
Multicast (SSM) feature.
Related Topics
Changing the IGMP Version, on page 953
Restrictions for IGMP Snooping, on page 1066

Joining a Multicast Group


Figure 92: Initial IGMP Join Message

When a host connected to the switch wants to join an IP multicast group and it is an IGMP version 2 client,
it sends an unsolicited IGMP join message, specifying the IP multicast group to join. Alternatively, when the
switch receives a general query from the router, it forwards the query to all ports in the VLAN. IGMP version
1 or version 2 hosts wanting to join the multicast group respond by sending a join message to the switch. The
switch CPU creates a multicast forwarding-table entry for the group if it is not already present. The CPU also
adds the interface where the join message was received to the forwarding-table entry. The host associated
with that interface receives multicast traffic for that multicast group.

Router A sends a general query to the switch, which forwards the query to ports 2 through 5, all of which are
members of the same VLAN. Host 1 wants to join multicast group 224.1.2.3 and multicasts an IGMP
membership report (IGMP join message) to the group. The switch CPU uses the information in the IGMP
report to set up a forwarding-table entry that includes the port numbers connected to Host 1 and to the router.

Table 117: IGMP Snooping Forwarding Table

Destination Address Type of Packet Ports

224.1.2.3 IGMP 1, 2

The switch hardware can distinguish IGMP information packets from other packets for the multicast group.
The information in the table tells the switching engine to send frames addressed to the 224.1.2.3 multicast IP
address that are not IGMP packets to the router and to the host that has joined the group.
Figure 93: Second Host Joining a Multicast Group

If another host (for example, Host 4) sends an unsolicited IGMP join message for the same group, the CPU
receives that message and adds the port number of Host 4 to the forwarding table. Because the forwarding
table directs IGMP messages only to the CPU, the message is not flooded to other ports on the switch. Any
known multicast traffic is forwarded to the group and not to the CPU.

Table 118: Updated IGMP Snooping Forwarding Table

Destination Address Type of Packet Ports

224.1.2.3 IGMP 1, 2, 5

Related Topics
Configuring a Host Statically to Join a Group , on page 1082
Example: Configuring a Host Statically to Join a Group, on page 1108

Leaving a Multicast Group


The router sends periodic multicast general queries, and the switch forwards these queries through all ports
in the VLAN. Interested hosts respond to the queries. If at least one host in the VLAN wants to receive
multicast traffic, the router continues forwarding the multicast traffic to the VLAN. The switch forwards
multicast group traffic only to those hosts listed in the forwarding table for that IP multicast group maintained
by IGMP snooping.
When hosts want to leave a multicast group, they can silently leave, or they can send a leave message. When
the switch receives a leave message from a host, it sends a group-specific query to learn if any other devices
connected to that interface are interested in traffic for the specific multicast group. The switch then updates
the forwarding table for that MAC group so that only those hosts interested in receiving multicast traffic for
the group are listed in the forwarding table. If the router receives no reports from a VLAN, it removes the
group for the VLAN from its IGMP cache.

Immediate Leave
The switch uses IGMP snooping Immediate Leave to remove from the forwarding table an interface that sends
a leave message without the switch sending group-specific queries to the interface. The VLAN interface is
pruned from the multicast tree for the multicast group specified in the original leave message. Immediate
Leave ensures optimal bandwidth management for all hosts on a switched network, even when multiple
multicast groups are simultaneously in use.
Immediate Leave is only supported on IGMP version 2 hosts. IGMP version 2 is the default version for the
switch.

Note You should use the Immediate Leave feature only on VLANs where a single host is connected to each port.
If Immediate Leave is enabled on VLANs where more than one host is connected to a port, some hosts may
be dropped inadvertently.

Related Topics
Enabling IGMP Immediate Leave , on page 1083
Example: Enabling IGMP Immediate Leave, on page 1108

IGMP Configurable-Leave Timer


You can configure the time that the switch waits after sending a group-specific query to determine if hosts
are still interested in a specific multicast group. The IGMP leave response time can be configured from 100
to 32767 milliseconds.
Related Topics
Configuring the IGMP Leave Timer , on page 1084

IGMP Report Suppression

Note IGMP report suppression is supported only when the multicast query has IGMPv1 and IGMPv2 reports. This
feature is not supported when the query includes IGMPv3 reports.

The switch uses IGMP report suppression to forward only one IGMP report per multicast router query to
multicast devices. When IGMP report suppression is enabled (the default), the switch sends the first IGMP
report from all hosts for a group to all the multicast routers. The switch does not send the remaining IGMP
reports for the group to the multicast routers. This feature prevents duplicate reports from being sent to the
multicast devices.
If the multicast router query includes requests only for IGMPv1 and IGMPv2 reports, the switch forwards
only the first IGMPv1 or IGMPv2 report from all hosts for a group to all the multicast routers.
If the multicast router query also includes requests for IGMPv3 reports, the switch forwards all IGMPv1,
IGMPv2, and IGMPv3 reports for a group to the multicast devices.
If you disable IGMP report suppression, all IGMP reports are forwarded to the multicast routers.
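The leave handling, Immediate Leave and report suppression behaviour described in the preceding sections, modelled as a small Python class. This is an added illustration, not Cisco code: it keeps one VLAN's snooping table as group -> port -> hosts, assumes that every host still interested answers a group-specific query before the configurable leave timer expires, and uses constructed port names and group addresses.

```python
"""IGMP snooping leave handling, Immediate Leave and report suppression (model)."""
from collections import defaultdict

# Configurable leave (last-member-query) timer bounds and default, in milliseconds.
LEAVE_TIMER_MIN_MS = 100
LEAVE_TIMER_MAX_MS = 32767
LEAVE_TIMER_DEFAULT_MS = 1000


class SnoopingVlan:
    def __init__(self, mrouter_ports, immediate_leave=False,
                 report_suppression=True, leave_timer_ms=LEAVE_TIMER_DEFAULT_MS):
        if not LEAVE_TIMER_MIN_MS <= leave_timer_ms <= LEAVE_TIMER_MAX_MS:
            raise ValueError("leave timer must be 100 to 32767 milliseconds")
        self.mrouter_ports = set(mrouter_ports)
        self.immediate_leave = immediate_leave
        self.report_suppression = report_suppression
        self.leave_timer_ms = leave_timer_ms
        # group -> {port -> set of hosts that reported membership on that port}
        self.table = defaultdict(lambda: defaultdict(set))
        # Groups for which a report has already been relayed since the last query.
        self._relayed = set()
        self._suppress = report_suppression

    def general_query(self, includes_v3=False):
        """Router general query: flooded on all VLAN ports; starts a new
        suppression cycle. Suppression applies only to IGMPv1/v2 report queries."""
        self._relayed.clear()
        self._suppress = self.report_suppression and not includes_v3

    def report(self, port, host, group):
        """IGMPv2 membership report from host on port.

        Returns True if the switch relays the report to the multicast router
        ports, False if report suppression swallows it because a report for
        this group was already relayed during the current query cycle."""
        self.table[group][port].add(host)
        if self._suppress and group in self._relayed:
            return False
        self._relayed.add(group)
        return True

    def leave(self, port, host, group):
        """IGMPv2 leave from host on port.

        Without Immediate Leave the switch sends a group-specific query on the
        port and keeps the port only if another host answers (assumed here).
        With Immediate Leave the port is pruned at once, so any other host on
        the same port is dropped inadvertently. Returns the set of hosts that
        lost the group without having left."""
        members = self.table.get(group)
        if not members or port not in members:
            return set()
        if self.immediate_leave:
            dropped = members.pop(port) - {host}
        else:
            members[port].discard(host)  # remaining hosts answered the query
            if not members[port]:
                del members[port]
            dropped = set()
        if not members:
            del self.table[group]
        return dropped

    def forwarding_ports(self, group):
        """Ports the switch forwards group traffic to: member ports plus router ports."""
        return set(self.table.get(group, {})) | self.mrouter_ports


if __name__ == "__main__":
    # Constructed scenario: two set-top boxes on one port, Immediate Leave enabled.
    vlan = SnoopingVlan(mrouter_ports={"Gi1/0/24"}, immediate_leave=True)
    vlan.general_query()
    vlan.report("Gi1/0/1", "stb-A", "224.1.2.3")
    vlan.report("Gi1/0/1", "stb-B", "224.1.2.3")
    print("dropped by Immediate Leave:", vlan.leave("Gi1/0/1", "stb-A", "224.1.2.3"))
    print("still forwarded to:", vlan.forwarding_ports("224.1.2.3"))
```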
Related Topics
Disabling IGMP Report Suppression , on page 1092

Default IGMP Snooping Configuration


This table displays the default IGMP snooping configuration for the switch.

Table 119: Default IGMP Snooping Configuration

Feature Default Setting

IGMP snooping Enabled globally and per VLAN

Multicast routers None configured

IGMP snooping Immediate Leave Disabled

Static groups None configured

TCN9 flood query count 2

TCN query solicitation Disabled

IGMP snooping querier Disabled

IGMP report suppression Enabled


9 TCN = Topology Change Notification
Related Topics
Enabling or Disabling IGMP Snooping on a Switch , on page 1076
Enabling or Disabling IGMP Snooping on a VLAN Interface, on page 1078

Multicast VLAN Registration


Multicast VLAN Registration (MVR) is designed for applications using wide-scale deployment of multicast
traffic across an Ethernet ring-based service-provider network (for example, the broadcast of multiple television
channels over a service-provider network). MVR allows a subscriber on a port to subscribe and unsubscribe
to a multicast stream on the network-wide multicast VLAN. It allows the single multicast VLAN to be shared
in the network while subscribers remain in separate VLANs. MVR provides the ability to continuously send
multicast streams in the multicast VLAN, but to isolate the streams from the subscriber VLANs for bandwidth
and security reasons.
These sections describe MVR:

MVR and IGMP

Note MVR can coexist with IGMP snooping on a switch.

MVR assumes that subscriber ports subscribe and unsubscribe (join and leave) these multicast streams by
sending out IGMP join and leave messages. These messages can originate from an IGMP version-2-compatible
host with an Ethernet connection. Although MVR operates on the underlying method of IGMP snooping, the
two features operate independently of each other. One can be enabled or disabled without affecting the behavior
of the other feature. However, if IGMP snooping and MVR are both enabled, MVR reacts only to join and
leave messages from multicast groups configured under MVR. Join and leave messages from all other multicast
groups are managed by IGMP snooping.
The switch CPU identifies the MVR IP multicast streams and their associated IP multicast group in the switch
forwarding table, intercepts the IGMP messages, and modifies the forwarding table to include or remove the
subscriber as a receiver of the multicast stream, even though the receivers might be in a different VLAN from
the source. This forwarding behavior selectively allows traffic to cross between different VLANs.

Modes of Operation
You can set the switch for compatible or dynamic mode of MVR operation:
• In compatible mode, multicast data received by MVR hosts is forwarded to all MVR data ports, regardless
of MVR host membership on those ports. The multicast data is forwarded only to those receiver ports
that MVR hosts have joined, either by IGMP reports or by MVR static configuration. IGMP reports
received from MVR hosts are never forwarded from MVR data ports that were configured in the switch.
• In dynamic mode, multicast data received by MVR hosts on the switch is forwarded from only those
MVR data and client ports that the MVR hosts have joined, either by IGMP reports or by MVR static
configuration. Any IGMP reports received from MVR hosts are also forwarded from all the MVR data
ports in the host. This eliminates using unnecessary bandwidth on MVR data port links, which occurs
when the switch runs in compatible mode.
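The two MVR modes above, modelled in Python as an added illustration (not Cisco code). Source (uplink) ports carry the multicast VLAN and receiver ports sit in subscriber VLANs; the model assumes that in dynamic mode a source port carries a group only once some receiver port has joined it, which is when the relayed IGMP report reaches the upstream router. Port names and group addresses are constructed.

```python
"""MVR data and IGMP report forwarding in compatible and dynamic mode (model)."""
from collections import defaultdict


class MvrSwitch:
    def __init__(self, mode, source_ports, receiver_ports):
        if mode not in ("compatible", "dynamic"):
            raise ValueError("mode must be 'compatible' or 'dynamic'")
        if set(source_ports) & set(receiver_ports):
            raise ValueError("a port is either a source port or a receiver port")
        self.mode = mode
        self.source_ports = set(source_ports)      # uplinks in the multicast VLAN
        self.receiver_ports = set(receiver_ports)  # subscriber ports
        self.members = defaultdict(set)            # group -> receiver ports that joined

    def igmp_report(self, port, group):
        """IGMP join from a subscriber on a receiver port.

        Returns the set of ports the report is forwarded out of: none in
        compatible mode (reports never leave through MVR data ports), every
        source port in dynamic mode."""
        if port not in self.receiver_ports:
            raise ValueError(f"{port} is not an MVR receiver port")
        self.members[group].add(port)
        return set(self.source_ports) if self.mode == "dynamic" else set()

    def igmp_leave(self, port, group):
        """IGMP leave from a receiver port; the port stops receiving the group."""
        self.members[group].discard(port)
        if not self.members[group]:
            del self.members[group]

    def data_ports(self, group):
        """Ports that receive the group's data when it arrives on the multicast VLAN."""
        receivers = set(self.members.get(group, ()))
        if self.mode == "compatible":
            # Data goes out every MVR data port whether or not anyone joined.
            return receivers | self.source_ports
        # Dynamic mode: data ports carry only groups with at least one joined
        # receiver (modelling assumption, see lead-in), saving uplink bandwidth.
        return receivers | (self.source_ports if receivers else set())


if __name__ == "__main__":
    for mode in ("compatible", "dynamic"):
        sw = MvrSwitch(mode, source_ports={"Gi1/0/1", "Gi1/0/2"},
                       receiver_ports={"Gi1/0/10", "Gi1/0/11"})
        print(mode, "before join:", sorted(sw.data_ports("239.1.1.1")))
        print(mode, "report forwarded to:", sorted(sw.igmp_report("Gi1/0/10", "239.1.1.1")))
        print(mode, "after join:", sorted(sw.data_ports("239.1.1.1")))
```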

MVR in a Multicast Television Application


In a multicast television application, a PC or a television with a set-top box can receive the multicast stream.
Multiple set-top boxes or PCs can be connected to one subscriber port, which is a switch port configured as
an MVR receiver port.

Figure 94: Multicast VLAN Registration Example

The following is an example configuration.
In this example configuration, DHCP assigns an IP address to the set-top box or the PC. When a subscriber
selects a channel, the set-top box or PC sends an IGMP report to Switch A to join the appropriate multicast.
If the IGMP report matches one of the configured IP multicast group addresses, the switch CPU modifies the
hardware address table to include this receiver port and VLAN as a forwarding destination of the specified
multicast stream when it is received from the multicast VLAN. Uplink ports that send and receive multicast
data to and from the multicast VLAN are called MVR source ports.
When a subscriber changes channels or turns off the television, the set-top box sends an IGMP leave message
for the multicast stream. The switch CPU sends a MAC-based general query through the receiver port VLAN.
If there is another set-top box in the VLAN still subscribing to this group, that set-top box must respond within
the maximum response time specified in the query. If the CPU does not receive a response, it eliminates the
receiver port as a forwarding destination for this group.
Without Immediate Leave, when the switch receives an IGMP leave message from a subscriber on a receiver
port, it sends out an IGMP query on that port and waits for IGMP group membership reports. If no reports
are received in a configured time period, the receiver port is removed from multicast group membership. With
Immediate Leave, an IGMP query is not sent from the receiver port on which the IGMP leave was received.
As soon as the leave message is received, the receiver port is removed from multicast group membership,
which speeds up leave latency. Enable the Immediate-Leave feature only on receiver ports to which a single
receiver device is connected.
MVR eliminates the need to duplicate television-channel multicast traffic for subscribers in each VLAN.
Multicast traffic for all channels is only sent around the VLAN trunk once—only on the multicast VLAN.
The IGMP leave and join messages are in the VLAN to which the subscriber port is assigned. These messages
dynamically register for streams of multicast traffic in the multicast VLAN on the Layer 3 device. The access
layer switch, Switch A, modifies the forwarding behavior to allow the traffic to be forwarded from the multicast
VLAN to the subscriber port in a different VLAN, selectively allowing traffic to cross between two VLANs.
IGMP reports are sent to the same IP multicast group address as the multicast data. The Switch A CPU must
capture all IGMP join and leave messages from receiver ports and forward them to the multicast VLAN of
the source (uplink) port, based on the MVR mode.

Default MVR Configuration


Table 120: Default MVR Configuration

Feature Default Setting

MVR Disabled globally and per interface

Multicast addresses None configured

Query response time 0.5 second

Multicast VLAN VLAN 1

Mode Compatible

Interface (per port) default Neither a receiver nor a source port

Immediate Leave Disabled on all ports

IGMP Filtering and Throttling


In some environments, for example, metropolitan or multiple-dwelling unit (MDU) installations, you might
want to control the set of multicast groups to which a user on a switch port can belong. You can control the
distribution of multicast services, such as IP/TV, based on some type of subscription or service plan. You
might also want to limit the number of multicast groups to which a user on a switch port can belong.
With the IGMP filtering feature, you can filter multicast joins on a per-port basis by configuring IP multicast
profiles and associating them with individual switch ports. An IGMP profile can contain one or more multicast
groups and specifies whether access to the group is permitted or denied. If an IGMP profile denying access
to a multicast group is applied to a switch port, the IGMP join report requesting the stream of IP multicast
traffic is dropped, and the port is not allowed to receive IP multicast traffic from that group. If the filtering
action permits access to the multicast group, the IGMP report from the port is forwarded for normal processing.
You can also set the maximum number of IGMP groups that a Layer 2 interface can join.
IGMP filtering controls only group-specific query and membership reports, including join and leave reports.
It does not control general IGMP queries. IGMP filtering has no relationship with the function that directs
the forwarding of IP multicast traffic. The filtering feature operates in the same manner whether CGMP or
MVR is used to forward the multicast traffic.
IGMP filtering applies only to the dynamic learning of IP multicast group addresses, not static configuration.
With the IGMP throttling feature, you can set the maximum number of IGMP groups that a Layer 2 interface
can join. When the maximum number of IGMP groups is set, the IGMP snooping forwarding table already holds
that many entries, and the interface receives an IGMP join report, you can configure the interface either
to drop the IGMP report or to replace a randomly selected multicast entry with the received IGMP report.

Note IGMPv3 join and leave messages are not supported on switches running IGMP filtering.
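The filtering and throttling rules above, modelled in Python as an added illustration (not Cisco code). An IgmpProfile holds inclusive group ranges and a permit or deny action (deny is the default, as in Table 121); a FilteredPort applies one profile and a maximum group count with a deny or replace throttling action (deny is the default). Only dynamic joins are modelled, since filtering does not apply to static configuration; profile numbers, port names and group addresses are constructed.

```python
"""IGMP filtering profiles and IGMP throttling on a Layer 2 port (model)."""
import ipaddress
import random


class IgmpProfile:
    def __init__(self, number, ranges, permit=False):
        self.number = number
        self.permit = permit          # default profile action: deny the range
        self.ranges = []
        for first, last in ranges:
            lo, hi = ipaddress.IPv4Address(first), ipaddress.IPv4Address(last)
            if not (lo.is_multicast and hi.is_multicast and lo <= hi):
                raise ValueError(f"bad multicast range {first}-{last}")
            self.ranges.append((int(lo), int(hi)))

    def matches(self, group):
        value = int(ipaddress.IPv4Address(group))
        return any(lo <= value <= hi for lo, hi in self.ranges)

    def allows(self, group):
        """Permit profile: only the listed ranges may be joined.
        Deny profile: everything except the listed ranges may be joined."""
        return self.matches(group) if self.permit else not self.matches(group)


class FilteredPort:
    def __init__(self, name, profile=None, max_groups=None,
                 throttle_action="deny", rng=random):
        if throttle_action not in ("deny", "replace"):
            raise ValueError("throttle action must be 'deny' or 'replace'")
        if max_groups is not None and max_groups < 1:
            raise ValueError("max_groups must be at least 1")
        self.name = name
        self.profile = profile
        self.max_groups = max_groups
        self.throttle_action = throttle_action
        self.groups = set()   # dynamically learned groups on this Layer 2 port
        self._rng = rng       # injectable so the replacement choice is controllable

    def join(self, group):
        """Apply filtering, then throttling, to an IGMP join report.

        Returns 'forwarded', 'filtered', 'throttled' or 'replaced'."""
        if not ipaddress.IPv4Address(group).is_multicast:
            raise ValueError(f"{group} is not a multicast address")
        # IGMP filtering: a denied join is dropped and the port gets no traffic.
        if self.profile is not None and not self.profile.allows(group):
            return "filtered"
        if group in self.groups:
            return "forwarded"   # refresh of an existing membership
        # IGMP throttling: the table already holds the maximum number of entries.
        if self.max_groups is not None and len(self.groups) >= self.max_groups:
            if self.throttle_action == "deny":
                return "throttled"
            evicted = self._rng.choice(sorted(self.groups))
            self.groups.remove(evicted)
            self.groups.add(group)
            return "replaced"
        self.groups.add(group)
        return "forwarded"

    def leave(self, group):
        self.groups.discard(group)


if __name__ == "__main__":
    # Constructed example: a subscription plan that permits ten IPTV channels.
    iptv = IgmpProfile(1, [("239.1.1.1", "239.1.1.10")], permit=True)
    port = FilteredPort("Gi1/0/1", profile=iptv, max_groups=2)
    for g in ("239.2.2.2", "239.1.1.1", "239.1.1.2", "239.1.1.3"):
        print(g, "->", port.join(g))
```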

Related Topics
Configuring IGMP Profiles , on page 1098
Applying IGMP Profiles , on page 1100
Setting the Maximum Number of IGMP Groups , on page 1101
Configuring the IGMP Throttling Action , on page 1103
Restrictions for IGMP Snooping, on page 1066

Default IGMP Filtering and Throttling Configuration


This table displays the default IGMP filtering and throttling configuration for the switch.

Table 121: Default IGMP Filtering Configuration

Feature Default Setting

IGMP filters None applied.

IGMP maximum number of IGMP groups No maximum set.
Note When the maximum number of groups is in the forwarding table, the default IGMP throttling action is to deny the IGMP report.

IGMP profiles None defined.

IGMP profile action Deny the range addresses.

How to Configure IGMP Snooping and MVR


Enabling or Disabling IGMP Snooping on a Switch
When IGMP snooping is globally enabled or disabled, it is also enabled or disabled in all existing VLAN
interfaces. IGMP snooping is enabled on all VLANs by default, but can be enabled and disabled on a per-VLAN
basis.
Global IGMP snooping overrides the VLAN IGMP snooping. If global snooping is disabled, you cannot
enable VLAN snooping. If global snooping is enabled, you can enable or disable VLAN snooping.
Follow these steps to globally enable IGMP snooping on the switch:

SUMMARY STEPS
1. enable
2. configure terminal
3. ip igmp snooping
4. end
5. copy running-config startup-config

DETAILED STEPS

Command or Action Purpose


Step 1 enable Enables privileged EXEC mode. Enter your password if
prompted.
Example:

SwitchDevice> enable

Step 2 configure terminal Enters the global configuration mode.


Example:

SwitchDevice# configure terminal

Step 3 ip igmp snooping Globally enables IGMP snooping in all existing VLAN interfaces.
Example:

SwitchDevice(config)# ip igmp snooping

Note To globally disable IGMP snooping on all VLAN interfaces, use the no ip igmp snooping global configuration command.

Step 4 end Returns to privileged EXEC mode.


Example:

SwitchDevice(config)# end

Step 5 copy running-config startup-config (Optional) Saves your entries in the configuration file.
Example:

SwitchDevice# copy running-config startup-config

Related Topics
Default IGMP Snooping Configuration, on page 1072

Enabling or Disabling IGMP Snooping on a VLAN Interface


Follow these steps to enable IGMP snooping on a VLAN interface:

SUMMARY STEPS
1. enable
2. configure terminal
3. ip igmp snooping vlan vlan-id
4. end
5. copy running-config startup-config

DETAILED STEPS

Command or Action Purpose


Step 1 enable Enables privileged EXEC mode. Enter your password if
prompted.
Example:

SwitchDevice> enable

Step 2 configure terminal Enters the global configuration mode.


Example:

SwitchDevice# configure terminal

Step 3 ip igmp snooping vlan vlan-id Enables IGMP snooping on the VLAN interface. The VLAN ID range is 1 to 1001 and 1006 to 4094. IGMP snooping must be globally enabled before you can enable VLAN snooping.
Example:

SwitchDevice(config)# ip igmp snooping vlan 7

Note To disable IGMP snooping on a VLAN interface, use the no ip igmp snooping vlan vlan-id global configuration command for the specified VLAN number.

Step 4 end Returns to privileged EXEC mode.


Example:

SwitchDevice(config)# end

Step 5 copy running-config startup-config (Optional) Saves your entries in the configuration file.
Example:

SwitchDevice# copy running-config startup-config

Related Topics
Default IGMP Snooping Configuration, on page 1072

Setting the Snooping Method


Multicast-capable router ports are added to the forwarding table for every Layer 2 multicast entry. The switch
learns of the ports through one of these methods:
• Snooping on IGMP queries, Protocol-Independent Multicast (PIM) packets, and Distance Vector Multicast
Routing Protocol (DVMRP) packets.
• Listening to Cisco Group Management Protocol (CGMP) packets from other routers.
• Statically connecting to a multicast router port using the ip igmp snooping mrouter global configuration
command.

You can configure the switch either to snoop on IGMP queries and PIM/DVMRP packets or to listen to CGMP
self-join or proxy-join packets. By default, the switch snoops on PIM/DVMRP packets on all VLANs. To
learn of multicast router ports through only CGMP packets, use the ip igmp snooping vlan vlan-id mrouter
learn cgmp global configuration command. When this command is entered, the router listens to only CGMP
self-join and CGMP proxy-join packets and to no other CGMP packets. To learn of multicast router ports
through only PIM-DVMRP packets, use the ip igmp snooping vlan vlan-id mrouter learn pim-dvmrp
global configuration command.
If you want to use CGMP as the learning method and no multicast routers in the VLAN are CGMP
proxy-enabled, you must enter the ip cgmp router-only command to dynamically access the router.

SUMMARY STEPS
1. enable
2. configure terminal
3. ip igmp snooping vlan vlan-id mrouter learn {cgmp | pim-dvmrp }
4. end
5. show ip igmp snooping
6. copy running-config startup-config

DETAILED STEPS

Command or Action Purpose


Step 1 enable Enables privileged EXEC mode. Enter your password if
prompted.
Example:

SwitchDevice> enable

Step 2 configure terminal Enters the global configuration mode.


Example:

SwitchDevice# configure terminal

Step 3 ip igmp snooping vlan vlan-id mrouter learn {cgmp | pim-dvmrp } Specifies the multicast router learning method:
• cgmp—Listens for CGMP packets. This method is useful for reducing control traffic.
• pim-dvmrp—Snoops on IGMP queries and PIM-DVMRP packets. This is the default.
Example:

SwitchDevice(config)# ip igmp snooping vlan 1 mrouter learn cgmp

Note To return to the default learning method, use the no ip igmp snooping vlan vlan-id mrouter learn cgmp global configuration command.

Step 4 end Returns to privileged EXEC mode.


Example:

SwitchDevice(config)# end

Step 5 show ip igmp snooping Verifies the configuration.


Example:

SwitchDevice# show ip igmp snooping

Step 6 copy running-config startup-config (Optional) Saves your entries in the configuration file.
Example:

SwitchDevice# copy running-config startup-config

Configuring a Multicast Router Port


Perform these steps to add a multicast router port (enable a static connection to a multicast router) on the
switch.

Note Static connections to multicast routers are supported only on switch ports.

SUMMARY STEPS
1. enable
2. configure terminal
3. ip igmp snooping vlan vlan-id mrouter interface interface-id
4. end
5. show ip igmp snooping mrouter [vlan vlan-id]
6. copy running-config startup-config

DETAILED STEPS

Command or Action Purpose


Step 1 enable Enables privileged EXEC mode. Enter your password if
prompted.
Example:

SwitchDevice> enable

Step 2 configure terminal Enters the global configuration mode.


Example:

SwitchDevice# configure terminal

Step 3 ip igmp snooping vlan vlan-id mrouter interface interface-id Specifies the multicast router VLAN ID and the interface to the multicast router.
• The VLAN ID range is 1 to 1001 and 1006 to 4094.
• The interface can be a physical interface or a port channel. The port-channel range is 1 to 128.
Example:

SwitchDevice(config)# ip igmp snooping vlan 5 mrouter interface gigabitethernet1/0/1

Note To remove a multicast router port from the VLAN, use the no ip igmp snooping vlan vlan-id mrouter interface interface-id global configuration command.

Step 4 end Returns to privileged EXEC mode.


Example:

SwitchDevice(config)# end

Step 5 show ip igmp snooping mrouter [vlan vlan-id] Verifies that IGMP snooping is enabled on the VLAN
interface.
Example:

SwitchDevice# show ip igmp snooping mrouter vlan 5

Step 6 copy running-config startup-config (Optional) Saves your entries in the configuration file.
Example:

SwitchDevice# copy running-config startup-config

Related Topics
Example: Enabling a Static Connection to a Multicast Router, on page 1108

Configuring a Host Statically to Join a Group


Hosts or Layer 2 ports normally join multicast groups dynamically, but you can also statically configure a
host on an interface.
Follow these steps to add a Layer 2 port as a member of a multicast group:

SUMMARY STEPS
1. enable
2. configure terminal
3. ip igmp snooping vlan vlan-id static ip_address interface interface-id
4. end
5. show ip igmp snooping groups
6. copy running-config startup-config

DETAILED STEPS

Command or Action Purpose


Step 1 enable Enables privileged EXEC mode. Enter your password if
prompted.
Example:

SwitchDevice> enable

Step 2 configure terminal Enters the global configuration mode.


Example:

SwitchDevice# configure terminal

Step 3 ip igmp snooping vlan vlan-id static ip_address interface interface-id Statically configures a Layer 2 port as a member of a multicast group:
• vlan-id is the multicast group VLAN ID. The range is 1 to 1001 and 1006 to 4094.
• ip-address is the group IP address.
• interface-id is the member port. It can be a physical interface or a port channel (1 to 128).
Example:

SwitchDevice(config)# ip igmp snooping vlan 105 static 230.0.0.1 interface gigabitethernet1/0/1

Note To remove the Layer 2 port from the multicast group, use the no ip igmp snooping vlan vlan-id static mac-address interface interface-id global configuration command.

Step 4 end Returns to privileged EXEC mode.


Example:

SwitchDevice(config)# end

Step 5 show ip igmp snooping groups Verifies the member port and the IP address.
Example:

SwitchDevice# show ip igmp snooping groups

Step 6 copy running-config startup-config (Optional) Saves your entries in the configuration file.
Example:

SwitchDevice# copy running-config startup-config

Related Topics
Joining a Multicast Group, on page 1069
Example: Configuring a Host Statically to Join a Group, on page 1108

Enabling IGMP Immediate Leave


When you enable IGMP Immediate Leave, the switch immediately removes a port when it detects an IGMP
Version 2 leave message on that port. You should use the Immediate-Leave feature only when there is a single
receiver present on every port in the VLAN.

Note Immediate Leave is supported only on IGMP Version 2 hosts. IGMP Version 2 is the default version for the
switch.

SUMMARY STEPS
1. enable
2. configure terminal
3. ip igmp snooping vlan vlan-id immediate-leave
4. end
5. show ip igmp snooping vlan vlan-id
6. end

DETAILED STEPS

Command or Action Purpose


Step 1 enable Enables privileged EXEC mode. Enter your password if
prompted.
Example:

SwitchDevice> enable

Step 2 configure terminal Enters the global configuration mode.


Example:

SwitchDevice# configure terminal

Step 3 ip igmp snooping vlan vlan-id immediate-leave Enables IGMP Immediate Leave on the VLAN interface.
Example:

SwitchDevice(config)# ip igmp snooping vlan 21 immediate-leave

Note To disable IGMP Immediate Leave on a VLAN, use the no ip igmp snooping vlan vlan-id immediate-leave global configuration command.

Step 4 end Returns to privileged EXEC mode.


Example:

SwitchDevice(config)# end

Step 5 show ip igmp snooping vlan vlan-id Verifies that Immediate Leave is enabled on the VLAN
interface.
Example:

SwitchDevice# show ip igmp snooping vlan 21

Step 6 end Returns to privileged EXEC mode.


Example:

SwitchDevice(config)# end

Related Topics
Immediate Leave , on page 1071
Example: Enabling IGMP Immediate Leave, on page 1108

Configuring the IGMP Leave Timer


You can configure the leave time globally or on a per-VLAN basis. Follow these steps to enable the IGMP
configurable-leave timer:

SUMMARY STEPS
1. enable
2. configure terminal
3. ip igmp snooping last-member-query-interval time
4. ip igmp snooping vlan vlan-id last-member-query-interval time
5. end
6. show ip igmp snooping
7. copy running-config startup-config

DETAILED STEPS

Command or Action Purpose


Step 1 enable Enables privileged EXEC mode. Enter your password if
prompted.
Example:

SwitchDevice> enable

Step 2 configure terminal Enters the global configuration mode.


Example:

SwitchDevice# configure terminal

Step 3 ip igmp snooping last-member-query-interval time Configures the IGMP leave timer globally. The range is 100 to 32767 milliseconds. The default leave time is 1000 milliseconds.
Example:

SwitchDevice(config)# ip igmp snooping last-member-query-interval 1000

Note To globally reset the IGMP leave timer to the default setting, use the no ip igmp snooping last-member-query-interval global configuration command.

Step 4 ip igmp snooping vlan vlan-id last-member-query-interval time (Optional) Configures the IGMP leave time on the VLAN interface. The range is 100 to 32767 milliseconds.
Example:

SwitchDevice(config)# ip igmp snooping vlan 210 last-member-query-interval 1000

Note Configuring the leave time on a VLAN overrides the globally configured timer.
Note To remove the configured IGMP leave-time setting from the specified VLAN, use the no ip igmp snooping vlan vlan-id last-member-query-interval global configuration command.

Step 5 end Returns to privileged EXEC mode.


Example:

SwitchDevice(config)# end

Step 6 show ip igmp snooping (Optional) Displays the configured IGMP leave time.
Example:

SwitchDevice# show ip igmp snooping

Step 7 copy running-config startup-config (Optional) Saves your entries in the configuration file.
Example:

SwitchDevice# copy running-config startup-config

Related Topics
IGMP Configurable-Leave Timer, on page 1071

Configuring TCN-Related Commands


Controlling the Multicast Flooding Time After a TCN Event
You can configure the number of general queries by which multicast data traffic is flooded after a topology
change notification (TCN) event. If you set the TCN flood query count to 1, the flooding stops after the switch
receives 1 general query. If you set the count to 7, the flooding continues until 7 general queries are received.
Groups are relearned based on the general queries received during the TCN event.
Some examples of TCN events are when the client location is changed and the receiver is on the same port that
was blocked but is now forwarding, and when a port goes down without sending a leave message.
Follow these steps to configure the TCN flood query count:

SUMMARY STEPS
1. enable
2. configure terminal
3. ip igmp snooping tcn flood query count count
4. end
5. show ip igmp snooping
6. copy running-config startup-config

DETAILED STEPS

Command or Action Purpose


Step 1 enable Enables privileged EXEC mode. Enter your password if
prompted.
Example:

SwitchDevice> enable

Step 2 configure terminal Enters the global configuration mode.


Example:

SwitchDevice# configure terminal

Step 3 ip igmp snooping tcn flood query count count Specifies the number of IGMP general queries for which the multicast traffic is flooded. The range is 1 to 10. The default flooding query count is 2.
Example:

SwitchDevice(config)# ip igmp snooping tcn flood query count 3

Note To return to the default flooding query count, use the no ip igmp snooping tcn flood query count global configuration command.

Step 4 end Returns to privileged EXEC mode.


Example:

SwitchDevice(config)# end

Step 5 show ip igmp snooping Verifies the TCN settings.


Example:

SwitchDevice# show ip igmp snooping

Step 6 copy running-config startup-config (Optional) Saves your entries in the configuration file.
Example:

SwitchDevice# copy running-config startup-config

Recovering from Flood Mode


When a topology change occurs, the spanning-tree root sends a special IGMP leave message (also known as
global leave) with the group multicast address 0.0.0.0. However, you can enable the switch to send the global
leave message whether it is the spanning-tree root or not. When the router receives this special leave, it
immediately sends general queries, which expedite the process of recovering from the flood mode during the
TCN event. Leaves are always sent if the switch is the spanning-tree root regardless of this configuration.
Follow these steps to enable sending of leave messages:

SUMMARY STEPS
1. enable
2. configure terminal
3. ip igmp snooping tcn query solicit
4. end
5. show ip igmp snooping
6. copy running-config startup-config

DETAILED STEPS

Command or Action Purpose


Step 1 enable Enables privileged EXEC mode. Enter your password if
prompted.
Example:

SwitchDevice> enable

Step 2 configure terminal Enters the global configuration mode.


Example:

SwitchDevice# configure terminal

Step 3 ip igmp snooping tcn query solicit Sends an IGMP leave message (global leave) to speed the process of recovering from the flood mode caused during a TCN event. By default, query solicitation is disabled.
Example:

SwitchDevice(config)# ip igmp snooping tcn query solicit

Note To return to the default query solicitation, use the no ip igmp snooping tcn query solicit global configuration command.

Step 4 end Returns to privileged EXEC mode.


Example:

SwitchDevice(config)# end

Step 5 show ip igmp snooping Verifies the TCN settings.


Example:

SwitchDevice# show ip igmp snooping

Step 6 copy running-config startup-config (Optional) Saves your entries in the configuration file.
Example:

SwitchDevice# copy running-config startup-config

Disabling Multicast Flooding During a TCN Event


When the switch receives a TCN, multicast traffic is flooded to all the ports until 2 general queries are received.
If the switch has many ports with attached hosts that are subscribed to different multicast groups, this flooding
might exceed the capacity of the link and cause packet loss. Follow these steps to control TCN flooding:

SUMMARY STEPS
1. enable
2. configure terminal
3. interface interface-id
4. no ip igmp snooping tcn flood
5. end
6. show ip igmp snooping
7. copy running-config startup-config

DETAILED STEPS

Step 1 enable
Purpose: Enables privileged EXEC mode. Enter your password if prompted.
Example:
SwitchDevice> enable

Step 2 configure terminal
Purpose: Enters the global configuration mode.
Example:
SwitchDevice# configure terminal

Step 3 interface interface-id
Purpose: Specifies the interface to be configured, and enters interface configuration mode.
Example:
SwitchDevice(config)# interface gigabitethernet 1/0/1

Step 4 no ip igmp snooping tcn flood
Purpose: Disables the flooding of multicast traffic during a spanning-tree TCN event. By default, multicast flooding is enabled on an interface.
Note: To re-enable multicast flooding on an interface, use the ip igmp snooping tcn flood interface configuration command.
Example:
SwitchDevice(config-if)# no ip igmp snooping tcn flood

Step 5 end
Purpose: Returns to privileged EXEC mode.
Example:
SwitchDevice(config)# end

Step 6 show ip igmp snooping
Purpose: Verifies the TCN settings.
Example:
SwitchDevice# show ip igmp snooping

Step 7 copy running-config startup-config
Purpose: (Optional) Saves your entries in the configuration file.
Example:
SwitchDevice# copy running-config startup-config

Configuring the IGMP Snooping Querier


Follow these steps to enable the IGMP snooping querier feature in a VLAN:

SUMMARY STEPS
1. enable
2. configure terminal
3. ip igmp snooping querier
4. ip igmp snooping querier address ip_address
5. ip igmp snooping querier query-interval interval-count
6. ip igmp snooping querier tcn query [count count | interval interval]
7. ip igmp snooping querier timer expiry timeout
8. ip igmp snooping querier version version
9. end
10. show ip igmp snooping vlan vlan-id
11. copy running-config startup-config

DETAILED STEPS

Step 1 enable
Purpose: Enables privileged EXEC mode. Enter your password if prompted.
Example:
SwitchDevice> enable

Step 2 configure terminal
Purpose: Enters the global configuration mode.
Example:
SwitchDevice# configure terminal

Step 3 ip igmp snooping querier
Purpose: Enables the IGMP snooping querier.
Example:
SwitchDevice(config)# ip igmp snooping querier

Step 4 ip igmp snooping querier address ip_address
Purpose: (Optional) Specifies an IP address for the IGMP snooping querier. If you do not specify an IP address, the querier tries to use the global IP address configured for the IGMP querier.
Note: The IGMP snooping querier does not generate an IGMP general query if it cannot find an IP address on the switch.
Example:
SwitchDevice(config)# ip igmp snooping querier address 172.16.24.1

Step 5 ip igmp snooping querier query-interval interval-count
Purpose: (Optional) Sets the interval between IGMP queries. The range is 1 to 18000 seconds.
Example:
SwitchDevice(config)# ip igmp snooping querier query-interval 30

Step 6 ip igmp snooping querier tcn query [count count | interval interval]
Purpose: (Optional) Sets the time between Topology Change Notification (TCN) queries. The count range is 1 to 10. The interval range is 1 to 255 seconds.
Example:
SwitchDevice(config)# ip igmp snooping querier tcn query interval 20

Step 7 ip igmp snooping querier timer expiry timeout
Purpose: (Optional) Sets the length of time until the IGMP querier expires. The range is 60 to 300 seconds.
Example:
SwitchDevice(config)# ip igmp snooping querier timer expiry 180

Step 8 ip igmp snooping querier version version
Purpose: (Optional) Selects the IGMP version number that the querier feature uses. Select 1 or 2.
Example:
SwitchDevice(config)# ip igmp snooping querier version 2

Step 9 end
Purpose: Returns to privileged EXEC mode.
Example:
SwitchDevice(config)# end

Step 10 show ip igmp snooping vlan vlan-id
Purpose: (Optional) Verifies that the IGMP snooping querier is enabled on the VLAN interface. The VLAN ID range is 1 to 1001 and 1006 to 4094.
Example:
SwitchDevice# show ip igmp snooping vlan 30

Step 11 copy running-config startup-config
Purpose: (Optional) Saves your entries in the configuration file.
Example:
SwitchDevice# copy running-config startup-config

Related Topics
IGMP Snooping, on page 1068
Prerequisites for IGMP Snooping, on page 1065
Example: Setting the IGMP Snooping Querier Source Address, on page 1108
Example: Setting the IGMP Snooping Querier Maximum Response Time, on page 1109
Example: Setting the IGMP Snooping Querier Timeout, on page 1109
Example: Setting the IGMP Snooping Querier Feature, on page 1109

Disabling IGMP Report Suppression


Follow these steps to disable IGMP report suppression:

SUMMARY STEPS
1. enable
2. configure terminal
3. no ip igmp snooping report-suppression
4. end
5. show ip igmp snooping
6. copy running-config startup-config

DETAILED STEPS

Step 1 enable
Purpose: Enables privileged EXEC mode. Enter your password if prompted.
Example:
SwitchDevice> enable

Step 2 configure terminal
Purpose: Enters the global configuration mode.
Example:
SwitchDevice# configure terminal

Step 3 no ip igmp snooping report-suppression
Purpose: Disables IGMP report suppression. When report suppression is disabled, all IGMP reports are forwarded to the multicast routers. IGMP report suppression is enabled by default. When IGMP report suppression is enabled, the switch forwards only one IGMP report per multicast router query.
Note: To re-enable IGMP report suppression, use the ip igmp snooping report-suppression global configuration command.
Example:
SwitchDevice(config)# no ip igmp snooping report-suppression

Step 4 end
Purpose: Returns to privileged EXEC mode.
Example:
SwitchDevice(config)# end

Step 5 show ip igmp snooping
Purpose: Verifies that IGMP report suppression is disabled.
Example:
SwitchDevice# show ip igmp snooping

Step 6 copy running-config startup-config
Purpose: (Optional) Saves your entries in the configuration file.
Example:
SwitchDevice# copy running-config startup-config

Related Topics
IGMP Report Suppression, on page 1071

Configuring MVR Global Parameters


You do not need to set the optional MVR parameters if you choose to use the default settings. If you want to
change the default parameters (except for the MVR VLAN), you must first enable MVR.

Note For complete syntax and usage information for the commands used in this section, see the command reference
for this release.

SUMMARY STEPS
1. enable
2. configure terminal
3. mvr
4. mvr group ip-address [count]
5. mvr querytime value
6. mvr vlan vlan-id
7. mvr mode {dynamic | compatible}
8. end
9. Use one of the following:
• show mvr
• show mvr members
10. copy running-config startup-config

DETAILED STEPS

Step 1 enable
Purpose: Enables privileged EXEC mode. Enter your password if prompted.
Example:
SwitchDevice> enable

Step 2 configure terminal
Purpose: Enters the global configuration mode.
Example:
SwitchDevice# configure terminal

Step 3 mvr
Purpose: Enables MVR on the switch.
Example:
SwitchDevice(config)# mvr

Step 4 mvr group ip-address [count]
Purpose: Configures an IP multicast address on the switch; use the count parameter to configure a contiguous series of MVR group addresses (the range for count is 1 to 256; the default is 1). Any multicast data sent to this address is sent to all source ports on the switch and all receiver ports that have elected to receive data on that multicast address. Each multicast address would correspond to one television channel.
Note: To return the switch to its default settings, use the no mvr [mode | group ip-address | querytime | vlan] global configuration commands.
Example:
SwitchDevice(config)# mvr group 228.1.23.4

Step 5 mvr querytime value
Purpose: (Optional) Defines the maximum time to wait for IGMP report memberships on a receiver port before removing the port from multicast group membership. The value is in units of tenths of a second. The range is 1 to 100, and the default is 5 tenths or one-half second.
Example:
SwitchDevice(config)# mvr querytime 10

Step 6 mvr vlan vlan-id
Purpose: (Optional) Specifies the VLAN in which multicast data is received; all source ports must belong to this VLAN. The VLAN range is 1 to 1001 and 1006 to 4094. The default is VLAN 1.
Example:
SwitchDevice(config)# mvr vlan 22

Step 7 mvr mode {dynamic | compatible}
Purpose: (Optional) Specifies the MVR mode of operation:
• dynamic—Allows dynamic MVR membership on source ports.
• compatible—Is compatible with Catalyst 3500 XL and Catalyst 2900 XL switches and does not support IGMP dynamic joins on source ports.
The default is compatible mode.
Note: To return the switch to its default settings, use the no mvr [mode | group ip-address | querytime | vlan] global configuration commands.
Example:
SwitchDevice(config)# mvr mode dynamic

Step 8 end
Purpose: Returns to privileged EXEC mode.
Example:
SwitchDevice(config)# end

Step 9 Use one of the following:
• show mvr
• show mvr members
Purpose: Verifies the configuration.
Example:
SwitchDevice# show mvr
OR
SwitchDevice# show mvr members

Step 10 copy running-config startup-config
Purpose: (Optional) Saves your entries in the configuration file.
Example:
SwitchDevice# copy running-config startup-config
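Both the "Configuring the IGMP Snooping Querier" procedure and the MVR global parameters procedure above state value ranges that the switch enforces (query-interval 1 to 18000, TCN query count 1 to 10 and interval 1 to 255, timer expiry 60 to 300, version 1 or 2, MVR group count 1 to 256, querytime 1 to 100 tenths of a second, VLAN IDs 1 to 1001 and 1006 to 4094). The following Python builder, added here as an example and not code from the Cisco guide, generates the configuration lines for both features and rejects any value outside the documented range before it reaches a switch; the function names are assumptions, the command syntax is the guide's.

```python
"""Generate IGMP snooping querier and MVR global configuration lines, checking
each value against the range the procedures on this page state before it is
emitted. Added example; not code from the Cisco guide. Function names are
assumptions for this illustration; the command syntax is the guide's."""
import ipaddress

# VLAN ID ranges the guide gives for IGMP snooping and MVR commands
VLAN_RANGES = ((1, 1001), (1006, 4094))


def check_range(name, value, low, high):
    """Reject a value outside the inclusive range the guide documents."""
    if not isinstance(value, int) or isinstance(value, bool) or not low <= value <= high:
        raise ValueError(f"{name} must be an integer from {low} to {high}, got {value!r}")
    return value


def check_vlan_id(vlan_id):
    """VLAN IDs are valid only in 1 to 1001 and 1006 to 4094."""
    if not any(low <= vlan_id <= high for low, high in VLAN_RANGES):
        raise ValueError(f"VLAN ID {vlan_id!r} is outside 1-1001 and 1006-4094")
    return vlan_id


def querier_config(address=None, query_interval=None, tcn_count=None,
                   tcn_interval=None, expiry=None, version=None):
    """Return the global configuration lines for the IGMP snooping querier.

    Every parameter is optional, as in the procedure; the querier itself is
    always enabled first. The guide notes that the querier sends no general
    query if it cannot find an IP address on the switch, so a caller that
    relies on the querier should normally pass an address explicitly.
    """
    lines = ["ip igmp snooping querier"]
    if address is not None:
        lines.append(f"ip igmp snooping querier address {ipaddress.IPv4Address(address)}")
    if query_interval is not None:
        check_range("query-interval", query_interval, 1, 18000)
        lines.append(f"ip igmp snooping querier query-interval {query_interval}")
    if tcn_count is not None:
        check_range("tcn query count", tcn_count, 1, 10)
        lines.append(f"ip igmp snooping querier tcn query count {tcn_count}")
    if tcn_interval is not None:
        check_range("tcn query interval", tcn_interval, 1, 255)
        lines.append(f"ip igmp snooping querier tcn query interval {tcn_interval}")
    if expiry is not None:
        check_range("timer expiry", expiry, 60, 300)
        lines.append(f"ip igmp snooping querier timer expiry {expiry}")
    if version is not None:
        check_range("version", version, 1, 2)
        lines.append(f"ip igmp snooping querier version {version}")
    return lines


def mvr_config(groups, querytime=None, vlan=None, mode=None):
    """Return the global configuration lines that enable MVR.

    groups is a list of (ip_address, count) pairs: each address must be an
    IPv4 multicast address and count must be 1 to 256 (1 means a single group).
    """
    lines = ["mvr"]
    for ip_address, count in groups:
        addr = ipaddress.IPv4Address(ip_address)
        if not addr.is_multicast:
            raise ValueError(f"{ip_address} is not a multicast address")
        check_range("count", count, 1, 256)
        lines.append(f"mvr group {addr}" if count == 1 else f"mvr group {addr} {count}")
    if querytime is not None:
        check_range("querytime", querytime, 1, 100)  # tenths of a second
        lines.append(f"mvr querytime {querytime}")
    if vlan is not None:
        check_vlan_id(vlan)
        lines.append(f"mvr vlan {vlan}")
    if mode is not None:
        if mode not in ("dynamic", "compatible"):
            raise ValueError(f"mode must be dynamic or compatible, got {mode!r}")
        lines.append(f"mvr mode {mode}")
    return lines


def rejects(func, *args, **kwargs):
    """True if func raises ValueError for these arguments (used to exercise the checks)."""
    try:
        func(*args, **kwargs)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    print("\n".join(querier_config(address="172.16.24.1", query_interval=30,
                                   tcn_interval=20, expiry=180, version=2)))
    print("\n".join(mvr_config([("228.1.23.4", 1)], querytime=10, vlan=22, mode="dynamic")))
```

An invalid IPv4 address raises ipaddress.AddressValueError, a ValueError subclass, so it is rejected by the same path as an out-of-range integer; VLAN 1002 through 1005 are rejected because the guide excludes them from the valid range.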

Configuring MVR Interfaces


Follow these steps to configure Layer 2 MVR interfaces:

SUMMARY STEPS
1. enable
2. configure terminal
3. mvr
4. interface interface-id
5. mvr type {source | receiver}
6. mvr vlan vlan-id group [ip-address]
7. mvr immediate
8. end
9. Use one of the following:
• show mvr
• show mvr interface
• show mvr members
10. copy running-config startup-config

DETAILED STEPS

Step 1 enable
Purpose: Enables privileged EXEC mode. Enter your password if prompted.
Example:
SwitchDevice> enable

Step 2 configure terminal
Purpose: Enters the global configuration mode.
Example:
SwitchDevice# configure terminal

Step 3 mvr
Purpose: Enables MVR on the switch.
Example:
SwitchDevice(config)# mvr

Step 4 interface interface-id
Purpose: Specifies the Layer 2 port to configure, and enters interface configuration mode.
Example:
SwitchDevice(config)# interface gigabitethernet1/0/2

Step 5 mvr type {source | receiver}
Purpose: Configures an MVR port as one of these:
• source—Configures uplink ports that receive and send multicast data as source ports. Subscribers cannot be directly connected to source ports. All source ports on a switch belong to the single multicast VLAN.
• receiver—Configures a port as a receiver port if it is a subscriber port and should only receive multicast data. It does not receive data unless it becomes a member of the multicast group, either statically or by using IGMP leave and join messages. Receiver ports cannot belong to the multicast VLAN.
The default configuration is as a non-MVR port. If you attempt to configure a non-MVR port with MVR characteristics, the operation fails.
Note: To return the interface to its default settings, use the no mvr [type | immediate | vlan vlan-id | group] interface configuration commands.
Example:
SwitchDevice(config-if)# mvr type receiver

Step 6 mvr vlan vlan-id group [ip-address]
Purpose: (Optional) Statically configures a port to receive multicast traffic sent to the multicast VLAN and the IP multicast address. A port statically configured as a member of a group remains a member of the group until statically removed.
Note: In compatible mode, this command applies to only receiver ports. In dynamic mode, it applies to receiver ports and source ports.
Receiver ports can also dynamically join multicast groups by using IGMP join and leave messages.
Example:
SwitchDevice(config-if)# mvr vlan 22 group 228.1.23.4

Step 7 mvr immediate
Purpose: (Optional) Enables the Immediate-Leave feature of MVR on the port.
Note: This command applies to only receiver ports and should only be enabled on receiver ports to which a single receiver device is connected.
Example:
SwitchDevice(config-if)# mvr immediate

Step 8 end
Purpose: Returns to privileged EXEC mode.
Example:
SwitchDevice(config)# end

Step 9 Use one of the following:
• show mvr
• show mvr interface
• show mvr members
Purpose: Verifies the configuration.
Example:
SwitchDevice# show mvr interface

Port     Type      Status        Immediate Leave
----     ----      -------       ---------------
Gi1/0/2  RECEIVER  ACTIVE/DOWN   ENABLED

Step 10 copy running-config startup-config
Purpose: (Optional) Saves your entries in the configuration file.
Example:
SwitchDevice# copy running-config startup-config

Configuring IGMP Profiles


Follow these steps to create an IGMP profile:
This task is optional.

SUMMARY STEPS
1. enable
2. configure terminal
3. ip igmp profile profile number
4. permit | deny
5. range ip multicast address
6. end
7. show ip igmp profile profile number
8. show running-config
9. copy running-config startup-config

DETAILED STEPS

Step 1 enable
Purpose: Enables privileged EXEC mode. Enter your password if prompted.
Example:
SwitchDevice> enable

Step 2 configure terminal
Purpose: Enters the global configuration mode.
Example:
SwitchDevice# configure terminal

Step 3 ip igmp profile profile number
Purpose: Assigns a number to the profile you are configuring, and enters IGMP profile configuration mode. The profile number range is 1 to 4294967295. When you are in IGMP profile configuration mode, you can create the profile by using these commands:
• deny—Specifies that matching addresses are denied; this is the default.
• exit—Exits from igmp-profile configuration mode.
• no—Negates a command or returns to its defaults.
• permit—Specifies that matching addresses are permitted.
• range—Specifies a range of IP addresses for the profile. You can enter a single IP address or a range with a start and an end address.
The default is for the switch to have no IGMP profiles configured.
Note: To delete a profile, use the no ip igmp profile profile number global configuration command.
Example:
SwitchDevice(config)# ip igmp profile 3

Step 4 permit | deny
Purpose: (Optional) Sets the action to permit or deny access to the IP multicast address. If no action is configured, the default for the profile is to deny access.
Example:
SwitchDevice(config-igmp-profile)# permit

Step 5 range ip multicast address
Purpose: Enters the IP multicast address or range of IP multicast addresses to which access is being controlled. If entering a range, enter the low IP multicast address, a space, and the high IP multicast address. You can use the range command multiple times to enter multiple addresses or ranges of addresses.
Note: To delete an IP multicast address or range of IP multicast addresses, use the no range ip multicast address IGMP profile configuration command.
Example:
SwitchDevice(config-igmp-profile)# range 229.9.9.0

Step 6 end
Purpose: Returns to privileged EXEC mode.
Example:
SwitchDevice(config)# end

Step 7 show ip igmp profile profile number
Purpose: Verifies the profile configuration.
Example:
SwitchDevice# show ip igmp profile 3

Step 8 show running-config
Purpose: Verifies your entries.
Example:
SwitchDevice# show running-config

Step 9 copy running-config startup-config
Purpose: (Optional) Saves your entries in the configuration file.
Example:
SwitchDevice# copy running-config startup-config

Related Topics
IGMP Filtering and Throttling, on page 1075
Restrictions for IGMP Snooping, on page 1066

Applying IGMP Profiles


To control access as defined in an IGMP profile, you have to apply the profile to the appropriate interfaces.
You can apply IGMP profiles only to Layer 2 access ports; you cannot apply IGMP profiles to routed ports
or SVIs. You cannot apply profiles to ports that belong to an EtherChannel port group. You can apply a profile
to multiple interfaces, but each interface can have only one profile applied to it.
Follow these steps to apply an IGMP profile to a switch port:

SUMMARY STEPS
1. enable
2. configure terminal
3. interface interface-id
4. ip igmp filter profile number
5. end
6. show running-config
7. copy running-config startup-config

DETAILED STEPS

Step 1 enable
Purpose: Enables privileged EXEC mode. Enter your password if prompted.
Example:
SwitchDevice> enable

Step 2 configure terminal
Purpose: Enters the global configuration mode.
Example:
SwitchDevice# configure terminal

Step 3 interface interface-id
Purpose: Specifies the physical interface, and enters interface configuration mode. The interface must be a Layer 2 port that does not belong to an EtherChannel port group.
Example:
SwitchDevice(config)# interface gigabitethernet1/0/1

Step 4 ip igmp filter profile number
Purpose: Applies the specified IGMP profile to the interface. The range is 1 to 4294967295.
Note: To remove a profile from an interface, use the no ip igmp filter profile number interface configuration command.
Example:
SwitchDevice(config-if)# ip igmp filter 321

Step 5 end
Purpose: Returns to privileged EXEC mode.
Example:
SwitchDevice(config-if)# end

Step 6 show running-config
Purpose: Verifies your entries.
Example:
SwitchDevice# show running-config

Step 7 copy running-config startup-config
Purpose: (Optional) Saves your entries in the configuration file.
Example:
SwitchDevice# copy running-config startup-config

Related Topics
IGMP Filtering and Throttling, on page 1075
Restrictions for IGMP Snooping, on page 1066

Setting the Maximum Number of IGMP Groups


Follow these steps to set the maximum number of IGMP groups that a Layer 2 interface can join:

Before you begin


This restriction can be applied to Layer 2 ports only; you cannot set a maximum number of IGMP groups on
routed ports or SVIs. You also can use this command on a logical EtherChannel interface but cannot use it
on ports that belong to an EtherChannel port group.

SUMMARY STEPS
1. enable
2. configure terminal
3. interface interface-id
4. ip igmp max-groups number
5. end
6. show running-config interface interface-id
7. copy running-config startup-config

DETAILED STEPS

Step 1 enable
Purpose: Enables privileged EXEC mode. Enter your password if prompted.
Example:
SwitchDevice> enable

Step 2 configure terminal
Purpose: Enters the global configuration mode.
Example:
SwitchDevice# configure terminal

Step 3 interface interface-id
Purpose: Specifies the interface to be configured, and enters interface configuration mode. The interface can be a Layer 2 port that does not belong to an EtherChannel group or an EtherChannel interface.
Example:
SwitchDevice(config)# interface gigabitethernet1/0/2

Step 4 ip igmp max-groups number
Purpose: Sets the maximum number of IGMP groups that the interface can join. The range is 0 to 4294967294. The default is to have no maximum set.
Note: To remove the maximum group limitation and return to the default of no maximum, use the no ip igmp max-groups interface configuration command.
Example:
SwitchDevice(config-if)# ip igmp max-groups 20

Step 5 end
Purpose: Returns to privileged EXEC mode.
Example:
SwitchDevice(config)# end

Step 6 show running-config interface interface-id
Purpose: Verifies your entries.
Example:
SwitchDevice# show running-config interface gigabitethernet1/0/1

Step 7 copy running-config startup-config
Purpose: (Optional) Saves your entries in the configuration file.
Example:
SwitchDevice# copy running-config startup-config

Related Topics
IGMP Filtering and Throttling, on page 1075
Restrictions for IGMP Snooping, on page 1066

Configuring the IGMP Throttling Action


After you set the maximum number of IGMP groups that a Layer 2 interface can join, you can configure an
interface to replace the existing group with the new group for which the IGMP report was received.
Follow these steps to configure the throttling action when the maximum number of entries is in the forwarding
table:

SUMMARY STEPS
1. enable
2. configure terminal
3. interface interface-id
4. ip igmp max-groups action {deny | replace}
5. end
6. show running-config interface interface-id
7. copy running-config startup-config

DETAILED STEPS

Step 1 enable
Purpose: Enables privileged EXEC mode. Enter your password if prompted.
Example:
SwitchDevice> enable

Step 2 configure terminal
Purpose: Enters the global configuration mode.
Example:
SwitchDevice# configure terminal

Step 3 interface interface-id
Purpose: Specifies the physical interface to be configured, and enters interface configuration mode. The interface can be a Layer 2 port that does not belong to an EtherChannel group or an EtherChannel interface. The interface cannot be a trunk port.
Example:
SwitchDevice(config)# interface gigabitethernet 1/0/1

Step 4 ip igmp max-groups action {deny | replace}
Purpose: When an interface receives an IGMP report and the maximum number of entries is in the forwarding table, specifies the action that the interface takes:
• deny—Drops the report. If you configure this throttling action, the entries that were previously in the forwarding table are not removed but are aged out. After these entries are aged out and the maximum number of entries is in the forwarding table, the switch drops the next IGMP report received on the interface.
• replace—Replaces the existing group with the new group for which the IGMP report was received. If you configure this throttling action, the entries that were previously in the forwarding table are removed. When the maximum number of entries is in the forwarding table, the switch replaces a randomly selected entry with the received IGMP report.
To prevent the switch from removing the forwarding-table entries, you can configure the IGMP throttling action before an interface adds entries to the forwarding table.
Note: To return to the default action of dropping the report, use the no ip igmp max-groups action interface configuration command.
Example:
SwitchDevice(config-if)# ip igmp max-groups action replace

Step 5 end
Purpose: Returns to privileged EXEC mode.
Example:
SwitchDevice(config)# end

Step 6 show running-config interface interface-id
Purpose: Verifies your entries.
Example:
SwitchDevice# show running-config interface gigabitethernet1/0/1

Step 7 copy running-config startup-config
Purpose: (Optional) Saves your entries in the configuration file.
Example:
SwitchDevice# copy running-config startup-config

Related Topics
IGMP Filtering and Throttling, on page 1075
Restrictions for IGMP Snooping, on page 1066
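The four procedures above (creating an IGMP profile, applying it with ip igmp filter, setting ip igmp max-groups, and choosing the max-groups action) together describe how a Layer 2 port decides what to do with each IGMP report it receives. The following Python model, added here as an example and not code from the Cisco guide, implements those decisions in one place so the interaction can be exercised: the profile filters first, then the group limit applies with either the deny action (report dropped, table unchanged) or the replace action (a randomly selected entry is evicted). It also parses the show ip igmp profile output format shown in this section's configuration examples. Class and function names are assumptions; the handling of addresses outside a profile's ranges (denied under a permit profile, permitted under a deny profile) is standard IOS behaviour that this page does not state explicitly.

```python
"""Model of how a Layer 2 port handles an IGMP report under an IGMP profile
and an ip igmp max-groups limit. Added example, not code from the Cisco guide;
class and function names are assumptions. A profile's action applies to the
addresses in its ranges and a profile with no action denies, as the guide
states; addresses outside the ranges get the opposite treatment, which is
standard IOS behaviour but is not stated on this page."""
import ipaddress
import random


class IgmpProfile:
    """ip igmp profile <number> with permit|deny and one or more range entries."""

    def __init__(self, number, action="deny", ranges=()):
        if action not in ("permit", "deny"):
            raise ValueError("action must be permit or deny")
        self.number = number
        self.action = action
        self.ranges = []
        for low, high in ranges:
            self.add_range(low, high)

    def add_range(self, low, high=None):
        """range low [high]: a single address or an inclusive range."""
        lo = ipaddress.IPv4Address(low)
        hi = ipaddress.IPv4Address(high if high is not None else low)
        if not (lo.is_multicast and hi.is_multicast) or hi < lo:
            raise ValueError(f"invalid multicast range {low} {high}")
        self.ranges.append((lo, hi))

    def permits(self, group):
        """True if a report for this group passes the profile."""
        addr = ipaddress.IPv4Address(group)
        matched = any(lo <= addr <= hi for lo, hi in self.ranges)
        return matched if self.action == "permit" else not matched


def parse_profile_output(text):
    """Build an IgmpProfile from 'show ip igmp profile' output in the layout
    shown in this section's examples (assumed: a header line, an optional
    action line, then 'range low high' lines)."""
    lines = [ln.split() for ln in text.strip().splitlines() if ln.strip()]
    number = int(lines[0][-1])          # "IGMP Profile 4"
    action, ranges = "deny", []         # no action line means deny (the default)
    for parts in lines[1:]:
        if parts[0] in ("permit", "deny"):
            action = parts[0]
        elif parts[0] == "range":
            ranges.append((parts[1], parts[2] if len(parts) > 2 else parts[1]))
    return IgmpProfile(number, action, ranges)


class Layer2Port:
    """A port with an optional ip igmp filter and an optional max-groups limit."""

    def __init__(self, profile=None, max_groups=None, action="deny", seed=None):
        self.profile = profile          # IgmpProfile applied with ip igmp filter
        self.max_groups = max_groups    # ip igmp max-groups number (None = no limit)
        self.action = action            # ip igmp max-groups action deny|replace
        self.groups = []                # forwarding-table entries for this port
        self.rng = random.Random(seed)  # seed only makes the replace choice repeatable

    def report(self, group):
        """Process one IGMP report and return what the switch did with it."""
        if self.profile is not None and not self.profile.permits(group):
            return "filtered"           # dropped by the IGMP profile
        if group in self.groups:
            return "refreshed"          # already a member; nothing to add
        if self.max_groups is not None and len(self.groups) >= self.max_groups:
            if self.action == "deny" or not self.groups:
                return "dropped"        # table full: report dropped, entries age out
            victim = self.rng.choice(self.groups)   # replace: evict a random entry
            self.groups.remove(victim)
            self.groups.append(group)
            return f"replaced {victim}"
        self.groups.append(group)
        return "joined"
```

With max-groups 0 (the bottom of the documented range) the table can never gain an entry, so the port returns "dropped" even under the replace action; the model guards that case rather than trying to evict from an empty table.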

Monitoring IGMP Snooping and MVR


Monitoring IGMP Snooping Information
You can display IGMP snooping information for dynamically learned and statically configured router ports
and VLAN interfaces. You can also display MAC address multicast entries for a VLAN configured for IGMP
snooping.

Table 122: Commands for Displaying IGMP Snooping Information

Command: show ip igmp snooping [vlan vlan-id [detail]]
Purpose: Displays the snooping configuration information for all VLANs on the switch or for a specified VLAN. (Optional) Enter vlan vlan-id to display information for a single VLAN. The VLAN ID range is 1 to 1001 and 1006 to 4094.

Command: show ip igmp snooping groups [count | dynamic [count] | user [count]]
Purpose: Displays multicast table information for the switch or about a specific parameter:
• count—Displays the total number of entries for the specified command options instead of the actual entries.
• dynamic—Displays entries learned through IGMP snooping.
• user—Displays only the user-configured multicast entries.

Command: show ip igmp snooping groups vlan vlan-id [ip_address | count | dynamic [count] | user [count]]
Purpose: Displays multicast table information for a multicast VLAN or about a specific parameter for the VLAN:
• vlan-id—The VLAN ID range is 1 to 1001 and 1006 to 4094.
• count—Displays the total number of entries for the specified command options instead of the actual entries.
• dynamic—Displays entries learned through IGMP snooping.
• ip_address—Displays characteristics of the multicast group with the specified group IP address.
• user—Displays only the user-configured multicast entries.

Command: show ip igmp snooping mrouter [vlan vlan-id]
Purpose: Displays information on dynamically learned and manually configured multicast router interfaces. (Optional) Enter the vlan vlan-id to display information for a particular VLAN.
Note: When you enable IGMP snooping, the switch automatically learns the interface to which a multicast router is connected. These are dynamically learned interfaces.

Command: show ip igmp snooping querier [vlan vlan-id] detail
Purpose: Displays information about the IP address and receiving port of the most-recently received IGMP query message in the VLAN and the configuration and operational state of the IGMP snooping querier in the VLAN.

Monitoring MVR
You can monitor MVR for the switch or for a specified interface by displaying the following MVR information.

Table 123: Commands for Displaying MVR Information

Command: show mvr
Purpose: Displays MVR status and values for the switch—whether MVR is enabled or disabled, the multicast VLAN, the maximum (256) and current (0 through 256) number of multicast groups, the query response time, and the MVR mode.

Command: show mvr interface [interface-id] [members [vlan vlan-id]]
Purpose: Displays all MVR interfaces and their MVR configurations. When a specific interface is entered, displays this information:
• Type—Receiver or Source
• Status—One of these:
  • Active means the port is part of a VLAN.
  • Up/Down means that the port is forwarding or nonforwarding.
  • Inactive means that the port is not part of any VLAN.
• Immediate Leave—Enabled or Disabled
If the members keyword is entered, displays all multicast group members on this port or, if a VLAN identification is entered, all multicast group members on the VLAN. The VLAN ID range is 1 to 1001 and 1006 to 4094.

Command: show mvr members [ip-address]
Purpose: Displays all receiver and source ports that are members of any IP multicast group or the specified
IP multicast group IP address.
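Table 123 gives the meaning of the Type, Status and Immediate Leave columns that show mvr interface prints (the output layout appears in Step 9 of "Configuring MVR Interfaces"). The following Python parser, added here as an example and not the guide's own code, decodes that output into structured records and flags the two settings the MVR interface procedure warns about: Immediate Leave on a source port (the command applies to receiver ports only) and Immediate Leave on a receiver port, which should only be enabled where a single receiver device is attached. The sample output is constructed in the guide's column layout, and the function names are assumptions.

```python
"""Parse 'show mvr interface' output and check the port settings it reports.
Added example, not code from the Cisco guide. SAMPLE_OUTPUT is constructed in
the Port / Type / Status / Immediate Leave layout the guide shows; function
names are assumptions for this illustration."""

SAMPLE_OUTPUT = """\
Port     Type            Status         Immediate Leave
----     ----            -------        ---------------
Gi1/0/1  SOURCE          ACTIVE/UP      DISABLED
Gi1/0/2  RECEIVER        ACTIVE/DOWN    ENABLED
Gi1/0/3  RECEIVER        INACTIVE/DOWN  DISABLED
Gi1/0/4  SOURCE          ACTIVE/UP      ENABLED
"""


def parse_mvr_interfaces(text):
    """Return one dict per MVR port, decoding Status as Table 123 describes:
    Active/Inactive = whether the port is part of a VLAN, Up/Down = whether it
    is forwarding."""
    entries = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4 or parts[0] in ("Port", "----"):
            continue                      # header, rule line, or unrelated text
        port, ptype, status, leave = parts
        vlan_state, _, link_state = status.partition("/")
        entries.append({
            "port": port,
            "type": ptype.lower(),                 # receiver or source
            "in_vlan": vlan_state == "ACTIVE",
            "forwarding": link_state == "UP",
            "immediate_leave": leave == "ENABLED",
        })
    return entries


def audit_mvr_interfaces(entries):
    """Flag settings the MVR interface procedure says to avoid or to verify."""
    findings = []
    for e in entries:
        if e["type"] == "source" and e["immediate_leave"]:
            findings.append(f"{e['port']}: Immediate Leave is for receiver ports only")
        elif e["type"] == "receiver" and e["immediate_leave"]:
            findings.append(f"{e['port']}: Immediate Leave enabled; confirm only one receiver device is attached")
        if not e["in_vlan"]:
            findings.append(f"{e['port']}: inactive, not part of any VLAN")
    return findings


if __name__ == "__main__":
    for finding in audit_mvr_interfaces(parse_mvr_interfaces(SAMPLE_OUTPUT)):
        print(finding)
```

The parser keys on the four-column layout rather than fixed offsets, so header and rule lines are skipped by their first token and any wider or narrower line (for example the members listing that show mvr interface prints with the members keyword) is ignored rather than misread.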

Monitoring IGMP Filtering and Throttling Configuration


You can display IGMP profile characteristics, and you can display the IGMP profile and maximum group
configuration for all interfaces on the switch or for a specified interface. You can also display the IGMP
throttling configuration for all interfaces on the switch or for a specified interface.

Table 124: Commands for Displaying IGMP Filtering and Throttling Configuration

Command: show ip igmp profile [profile number]
Purpose: Displays the specified IGMP profile or all the IGMP profiles defined on the switch.

Command: show running-config [interface interface-id]
Purpose: Displays the configuration of the specified interface or the configuration of all interfaces on the switch, including (if configured) the maximum number of IGMP groups to which an interface can belong and the IGMP profile applied to the interface.

Configuration Examples for IGMP Snooping and MVR


Example: Configuring IGMP Snooping Using CGMP Packets
This example shows how to configure IGMP snooping to use CGMP packets as the learning method:
SwitchDevice# configure terminal
SwitchDevice(config)# ip igmp snooping vlan 1 mrouter learn cgmp
SwitchDevice(config)# end

Example: Enabling a Static Connection to a Multicast Router


This example shows how to enable a static connection to a multicast router:
SwitchDevice# configure terminal
SwitchDevice(config)# ip igmp snooping vlan 200 mrouter interface gigabitethernet1/0/2
SwitchDevice(config)# end

Related Topics
Configuring a Multicast Router Port , on page 1080

Example: Configuring a Host Statically to Join a Group


This example shows how to statically configure a host on a port:
SwitchDevice# configure terminal
SwitchDevice(config)# ip igmp snooping vlan 105 static 224.2.4.12 interface gigabitethernet1/0/1
SwitchDevice(config)# end

Related Topics
Configuring a Host Statically to Join a Group , on page 1082
Joining a Multicast Group, on page 1069

Example: Enabling IGMP Immediate Leave


This example shows how to enable IGMP Immediate Leave on VLAN 130:
SwitchDevice# configure terminal
SwitchDevice(config)# ip igmp snooping vlan 130 immediate-leave
SwitchDevice(config)# end

Related Topics
Enabling IGMP Immediate Leave , on page 1083
Immediate Leave , on page 1071

Example: Setting the IGMP Snooping Querier Source Address


This example shows how to set the IGMP snooping querier source address to 10.0.0.64:
SwitchDevice# configure terminal
SwitchDevice(config)# ip igmp snooping querier address 10.0.0.64
SwitchDevice(config)# end

Related Topics
Configuring the IGMP Snooping Querier , on page 1090
IGMP Snooping, on page 1068

Example: Setting the IGMP Snooping Querier Maximum Response Time


This example shows how to set the IGMP snooping querier maximum response time to 25 seconds:
SwitchDevice# configure terminal
SwitchDevice(config)# ip igmp snooping querier query-interval 25
SwitchDevice(config)# end

Related Topics
Configuring the IGMP Snooping Querier , on page 1090
IGMP Snooping, on page 1068

Example: Setting the IGMP Snooping Querier Timeout


This example shows how to set the IGMP snooping querier timeout to 60 seconds:
SwitchDevice# configure terminal
SwitchDevice(config)# ip igmp snooping querier timeout expiry 60
SwitchDevice(config)# end

Related Topics
Configuring the IGMP Snooping Querier , on page 1090
IGMP Snooping, on page 1068

Example: Setting the IGMP Snooping Querier Feature


This example shows how to set the IGMP snooping querier feature to Version 2:
SwitchDevice# configure terminal
SwitchDevice(config)# ip igmp snooping querier version 2
SwitchDevice(config)# end

Related Topics
Configuring the IGMP Snooping Querier , on page 1090
IGMP Snooping, on page 1068

Example: Configuring IGMP Profiles


This example shows how to create IGMP profile 4 allowing access to the single IP multicast address and how
to verify the configuration. If the action was to deny (the default), it would not appear in the show ip igmp
profile output display.
SwitchDevice(config)# ip igmp profile 4
SwitchDevice(config-igmp-profile)# permit
SwitchDevice(config-igmp-profile)# range 229.9.9.0
SwitchDevice(config-igmp-profile)# end
SwitchDevice# show ip igmp profile 4
IGMP Profile 4
permit
range 229.9.9.0 229.9.9.0

Example: Applying IGMP Profile


This example shows how to apply IGMP profile 4 to a port:
SwitchDevice(config)# interface gigabitethernet1/0/2
SwitchDevice(config-if)# ip igmp filter 4
SwitchDevice(config-if)# end

Example: Setting the Maximum Number of IGMP Groups


This example shows how to limit to 25 the number of IGMP groups that a port can join:
SwitchDevice(config)# interface gigabitethernet1/0/2
SwitchDevice(config-if)# ip igmp max-groups 25
SwitchDevice(config-if)# end

Example: Configuring MVR Global Parameters


This example shows how to enable MVR, configure the group address, set the query time to 1 second (10
tenths), specify the MVR multicast VLAN as VLAN 22, and set the MVR mode as dynamic:
SwitchDevice(config)# mvr
SwitchDevice(config)# mvr group 228.1.23.4
SwitchDevice(config)# mvr querytime 10
SwitchDevice(config)# mvr vlan 22
SwitchDevice(config)# mvr mode dynamic
SwitchDevice(config)# end

Example: Configuring MVR Interfaces


This example shows how to configure a port as a receiver port, statically configure the port to receive multicast
traffic sent to the multicast group address, configure Immediate Leave on the port, and verify the results:
SwitchDevice(config)# mvr
SwitchDevice(config)# interface gigabitethernet1/0/2
SwitchDevice(config-if)# mvr type receiver
SwitchDevice(config-if)# mvr vlan 22 group 228.1.23.4
SwitchDevice(config-if)# mvr immediate
SwitchDevice(config-if)# end
SwitchDevice# show mvr interface

Port      Type      Status        Immediate Leave
----      ----      -------       ---------------
Gi1/0/2   RECEIVER  ACTIVE/DOWN   ENABLED

CHAPTER 47
Configuring MSDP
• Finding Feature Information, on page 1111
• Prerequisites for MSDP, on page 1111
• Information About Multicast Source Discovery Protocol, on page 1111
• How to Configure MSDP, on page 1118
• Monitoring and Maintaining MSDP, on page 1137
• Configuration Examples for Configuring MSDP, on page 1141

Finding Feature Information


Your software release may not support all the features documented in this module. For the latest caveats and
feature information, see Bug Search Tool and the release notes for your platform and software release. To
find information about the features documented in this module, and to see a list of the releases in which each
feature is supported, see the feature information table.
Use Cisco Feature Navigator to find information about platform support and Cisco software image support.
To access Cisco Feature Navigator, go to www.cisco.com/go/cfn. An account on Cisco.com is not required.

Prerequisites for MSDP


To use MSDP, you must enable the IP services feature set on Catalyst 3560-CX switches.

Information About Multicast Source Discovery Protocol


MSDP is a mechanism to connect multiple PIM-SM domains. The purpose of MSDP is to discover multicast
sources in other PIM domains. The main advantage of MSDP is that it reduces the complexity of interconnecting
multiple PIM-SM domains by allowing PIM-SM domains to use an interdomain source tree (rather than a
common shared tree). When MSDP is configured in a network, RPs exchange source information with RPs
in other domains. An RP can join the interdomain source tree for sources that are sending to groups for which
it has receivers. The RP can do that because it is the root of the shared tree within its domain, which has
branches to all points in the domain where there are active receivers. When a last-hop device learns of a new
source outside the PIM-SM domain (through the arrival of a multicast packet from the source down the shared
tree), it then can send a join toward the source and join the interdomain source tree.


Note If the RP either has no shared tree for a particular group or a shared tree whose outgoing interface list is null,
it does not send a join to the source in another domain.

When MSDP is enabled, an RP in a PIM-SM domain maintains MSDP peering relationships with
MSDP-enabled devices in other domains. This peering relationship occurs over a TCP connection, where
primarily a list of sources sending to multicast groups is exchanged. MSDP uses TCP (port 639) for its peering
connections. As with BGP, using point-to-point TCP peering means that each peer must be explicitly configured.
The TCP connections between RPs, moreover, are achieved by the underlying routing system. The receiving
RP uses the source lists to establish a source path. If the multicast sources are of interest to a domain that has
receivers, multicast data is delivered over the normal, source-tree building mechanism provided by PIM-SM.
MSDP is also used to announce sources sending to a group. These announcements must originate at the RP
of the domain.
The figure illustrates MSDP operating between two MSDP peers. PIM uses MSDP as the standard mechanism
to register a source with the RP of a domain.
Figure 95: MSDP Running Between RP Peers

When MSDP is implemented, the following sequence of events occurs:

1. When a PIM designated device (DR) registers a source with its RP as illustrated in the figure, the RP
sends a Source-Active (SA) message to all of its MSDP peers.

Note The DR sends the encapsulated data to the RP only once per source (when the source goes active). If the
source times out, this process happens again when it goes active again. This situation is different from the
periodic SA message that contains all sources that are registered to the originating RP. Those SA messages
are MSDP control packets, and, thus, do not contain encapsulated data from active sources.

2. The SA message identifies the source address, the group that the source is sending to, and the address or
the originator ID of the RP, if configured.
3. Each MSDP peer that receives the SA message floods the SA message to all of its peers downstream from
the originator. In some cases (such as the case with the RPs in PIM-SM domains B and C in the figure),
an RP may receive a copy of an SA message from more than one MSDP peer. To prevent looping, the
RP consults the BGP next-hop database to determine the next hop toward the originator of the SA message.
If both MBGP and unicast BGP are configured, MBGP is checked first, and then unicast BGP. That
next-hop neighbor is the RPF-peer for the originator. SA messages that are received from the originator
on any interface other than the interface to the RPF peer are dropped. The SA message flooding process,
therefore, is referred to as peer-RPF flooding. Because of the peer-RPF flooding mechanism, BGP or
MBGP must be running in conjunction with MSDP.
4. When an RP receives an SA message, it checks to see whether there are any members of the advertised
groups in its domain by checking to see whether there are interfaces on the group’s (*, G) outgoing
interface list. If there are no group members, the RP does nothing. If there are group members, the RP
sends an (S, G) join toward the source. As a result, a branch of the interdomain source tree is constructed
across autonomous system boundaries to the RP. As multicast packets arrive at the RP, they are then
forwarded down its own shared tree to the group members in the RP’s domain. The members’ DRs then
have the option of joining the rendezvous point tree (RPT) to the source using standard PIM-SM procedures.
5. The originating RP continues to send periodic SA messages for the (S, G) state every 60 seconds for as
long as the source is sending packets to the group. When an RP receives an SA message, it caches the SA
message. Suppose, for example, that an RP receives an SA message for (172.16.5.4, 228.1.2.3) from
originating RP 10.5.4.3. The RP consults its mroute table and finds that there are no active members for
group 228.1.2.3, so it passes the SA message to its peers downstream of 10.5.4.3. If a host in the domain
then sends a join to the RP for group 228.1.2.3, the RP adds the interface toward the host to the outgoing
interface list of its (*, 224.1.2.3) entry. Because the RP caches SA messages, the device will have an entry
for (172.16.5.4, 228.1.2.3) and can join the source tree as soon as a host requests a join.

Note In all current and supported software releases, caching of MSDP SA messages is mandatory and cannot be
manually enabled or disabled. By default, when an MSDP peer is configured, the ip multicast cache-sa-state
command will automatically be added to the running configuration.

MSDP Benefits
MSDP has these benefits:
• It breaks up the shared multicast distribution tree. You can make the shared tree local to your domain.
Your local members join the local tree, and join messages for the shared tree never need to leave your
domain.
• PIM sparse-mode domains can rely only on their own RPs, decreasing reliance on RPs in another domain.
This increases security because you can prevent your sources from being known outside your domain.
• Domains with only receivers can receive data without globally advertising group membership.
• Global source multicast routing table state is not required, saving memory.

Default MSDP Peers


A stub autonomous system also might want to have MSDP peerings with more than one RP for the sake of
redundancy. For example, SA messages cannot just be accepted from multiple default peers, because there is
no RPF check mechanism. Instead, SA messages are accepted from only one peer. If that peer fails, SA
messages are then accepted from the other peer. The underlying assumption here, of course, is that both default
peers are sending the same SA messages.
The figure illustrates a scenario where default MSDP peers might be used. In the figure, a customer that owns
Device B is connected to the Internet through two Internet service providers (ISPs), one that owns Device A
and the other that owns Device C. They are not running BGP or MBGP between them. In order for the customer
to learn about sources in the ISP domain or in other domains, Device B identifies Device A as its default
MSDP peer. Device B advertises SA messages to both Device A and Device C, but accepts SA messages
either from Device A only or Device C only. If Device A is the first default peer in the configuration, it will
be used if it is up and running. Only if Device A is not running will Device B accept SA messages from Device
C.
The ISP will also likely use a prefix list to define which prefixes it will accept from the customer device. The
customer will define multiple default peers, each having one or more prefixes associated with it.
The customer has two ISPs to use. The customer defines both ISPs as default peers. As long as the first default
peer identified in the configuration is up and running, it will be the default peer and the customer will accept
all SA messages it receives from that peer.
Figure 96: Default MSDP Peer Scenario

Device B advertises SAs to Device A and Device C, but uses only Device A or Device C to accept SA messages.
If Device A is first in the configuration, it will be used if it is up and running. Only when Device A is not
running will Device B accept SAs from Device C. This is the behavior without a prefix list.

If you specify a prefix list, the peer will be a default peer only for the prefixes in the list. You can have multiple
active default peers when you have a prefix list associated with each. When you do not have any prefix lists,
you can configure multiple default peers, but only the first one is the active default peer as long as the device
has connectivity to this peer and the peer is alive. If the first configured peer goes down or the connectivity
to this peer goes down, the second configured peer becomes the active default, and so on.

MSDP Mesh Groups


An MSDP mesh group is a group of MSDP speakers that have fully meshed MSDP connectivity between one
another. In other words, each of the MSDP peers in the group must have an MSDP peering relationship (MSDP
connection) to every other MSDP peer in the group. When an MSDP mesh group is configured between a
group of MSDP peers, SA message flooding is reduced, because when an MSDP peer in the group receives
an SA message from another MSDP peer in the group, it assumes that this SA message was sent to all the
other MSDP peers in the group. As a result, it is not necessary for the receiving MSDP peer to flood the SA
message to the other MSDP peers in the group.

Benefits of MSDP Mesh Groups


• Optimizes SA flooding--MSDP mesh groups are particularly useful for optimizing SA flooding when
two or more peers are in a group.
• Reduces the amount of SA traffic across the Internet--When MSDP mesh groups are used, SA messages
are not flooded to other mesh group peers.
• Eliminates RPF checks on arriving SA messages--When an MSDP mesh group is configured, SA messages
are always accepted from mesh group peers.
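The three acceptance rules described above (peer-RPF flooding in the sequence of events, the default-peer rules with and without a prefix list, and the RPF-check exemption for mesh-group peers) decide which Source-Active messages an MSDP speaker trusts. The following Python model is an added example, not Cisco code or IOS internals; the `Peer` and `MsdpSpeaker` classes, the `bgp_next_hop` lookup table and the peer addresses are constructed for illustration.

```python
# Added example (not Cisco code): a model of the three SA-acceptance rules this guide
# describes. Data structures and names are hypothetical, not IOS internals.
from dataclasses import dataclass, field
from ipaddress import IPv4Address, IPv4Network
from typing import Dict, List, Optional


@dataclass
class Peer:
    address: str
    up: bool = True                            # TCP session up and keepalives arriving
    is_default: bool = False                   # configured with "ip msdp default-peer"
    prefix_list: Optional[List[str]] = None    # "prefix-list" networks; None = no list
    mesh_group: Optional[str] = None           # mesh-group membership, if any


@dataclass
class MsdpSpeaker:
    peers: List[Peer]                          # kept in configuration order
    # originating-RP address -> address of the BGP/MBGP next-hop peer toward it
    bgp_next_hop: Dict[str, str] = field(default_factory=dict)

    def active_default_peers(self, originating_rp: str) -> List[str]:
        """Default peers currently allowed to supply SAs originated by this RP."""
        defaults = [p for p in self.peers if p.is_default]
        listed = [p for p in defaults if p.prefix_list is not None]
        if listed:
            # With prefix lists, every live peer whose list covers the RP is active.
            rp = IPv4Address(originating_rp)
            return [p.address for p in listed
                    if p.up and any(rp in IPv4Network(n) for n in p.prefix_list)]
        # Without prefix lists, only the first live peer in configuration order is active.
        for p in defaults:
            if p.up:
                return [p.address]
        return []

    def accept_sa(self, from_peer: str, originating_rp: str) -> bool:
        """Decide whether an SA received from `from_peer` is accepted or dropped."""
        peer = next((p for p in self.peers if p.address == from_peer), None)
        if peer is None or not peer.up:
            return False                       # not a configured, live MSDP peer
        if peer.mesh_group is not None:
            return True                        # mesh-group peers: RPF check is skipped
        if peer.is_default:
            return from_peer in self.active_default_peers(originating_rp)
        # Ordinary peer: peer-RPF flooding, accept only from the next hop toward the originator
        return self.bgp_next_hop.get(originating_rp) == from_peer


if __name__ == "__main__":
    stub = MsdpSpeaker(peers=[Peer("10.1.1.1", is_default=True),
                              Peer("10.2.2.2", is_default=True)])
    # The same SA arriving from both default peers is accepted from the first live one only.
    print(stub.accept_sa("10.1.1.1", "192.0.2.1"), stub.accept_sa("10.2.2.2", "192.0.2.1"))
```

The model makes the consequence of the stub-site configuration explicit: with no prefix list, a duplicate SA from the second default peer is dropped, so a failure of the first peer is the only event that switches the trusted source of SA messages.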

SA Origination Filters
By default, an RP that is configured to run MSDP will originate SA messages for all local sources for which
it is the RP. Local sources that register with an RP, therefore, will be advertised in SA messages, which in
some cases is not desirable. For example, if sources inside a PIM-SM domain are using private addresses (for
example, network 10.0.0.0/8), you should configure an SA origination filter to restrict those addresses from
being advertised to other MSDP peers across the Internet.
To control what sources are advertised in SA messages, you can configure SA origination filters on an RP.
By creating SA origination filters, you can control the sources advertised in SA messages as follows:
• You can configure an RP to prevent the device from advertising local sources in SA messages. The device
will still forward SA messages from other MSDP peers in the normal fashion; it will just not originate
any SA messages for local sources.
• You can configure the device to only originate SA messages for local sources sending to specific groups
that match (S, G) pairs defined in the extended access list. All other local sources will not be advertised
in SA messages.
• You can configure the device to only originate SA messages for local sources sending to specific groups
that match the AS paths defined in an AS-path access list. All other local sources will not be advertised
in SA messages.
• You can configure the device to only originate SA messages for local sources that match the criteria
defined in the route map. All other local sources will not be advertised in SA messages.
• You configure an SA origination filter that includes an extended access list, an AS-path access list, and
route map, or a combination thereof. In this case, all conditions must be true before any local sources
are advertised in SA messages.

Use of Outgoing Filter Lists in MSDP


By default, an MSDP-enabled device forwards all SA messages it receives to all of its MSDP peers. However,
you can prevent SA messages from being forwarded to MSDP peers by creating outgoing filter lists. Outgoing
filter lists apply to all SA messages, whether locally originated or received from another MSDP peer, whereas
SA origination filters apply only to locally originated SA messages. For more information about enabling a
filter for MSDP SA messages originated by the local device, see the Controlling SA Messages Originated by
an RP for Local Sources section.
By creating an outgoing filter list, you can control the SA messages that a device forwards to a peer as follows:
• You can filter all outgoing SA messages forwarded to a specified MSDP peer by configuring the device
to stop forwarding its SA messages to the MSDP peer.
• You can filter a subset of outgoing SA messages forwarded to a specified MSDP peer based on (S, G)
pairs defined in an extended access list by configuring the device to only forward SA messages to the
MSDP peer that match the (S, G) pairs permitted in an extended access list. The forwarding of all other
SA messages to the MSDP peer will be stopped.
• You can filter a subset of outgoing SA messages forwarded to a specified MSDP peer based on match
criteria defined in a route map by configuring the device to only forward SA messages that match the
criteria defined in the route map. The forwarding of all other SA messages to the MSDP peer will be
stopped.
• You can filter a subset of outgoing SA messages from a specified peer based on the announcing RP
address contained in the SA message by configuring the device to filter outgoing SA messages based on
their origin, even after an SA message has been transmitted across one or more MSDP peers. The
forwarding of all other SA messages to the MSDP peer will be stopped.
• You can configure an outgoing filter list that includes an extended access list, a route map, and either an
RP access list or an RP route map. In this case, all conditions must be true for the MSDP peer to forward
the outgoing SA message.

Caution Arbitrary filtering of SA messages can result in downstream MSDP peers being starved of SA messages for
legitimate active sources. Care, therefore, should be taken when using these sorts of filters. Normally, outgoing
filter lists are used only to reject undesirable sources, such as sources using private addresses.

Use of Incoming Filter Lists in MSDP


By default, an MSDP-enabled device receives all SA messages sent to it from its MSDP peers. However, you
can control the source information that a device receives from its MSDP peers by creating incoming filter
lists.
By creating incoming filter lists, you can control the incoming SA messages that a device receives from its
peers as follows:
• You can filter all incoming SA messages from a specified MSDP peer by configuring the device to ignore
all SA messages sent to it from the specified MSDP peer.
• You can filter a subset of incoming SA messages from a specified peer based on (S, G) pairs defined in
an extended access list by configuring the device to only receive SA messages from the MSDP peer that
match the (S, G) pairs defined in the extended access list. All other incoming SA messages from the
MSDP peer will be ignored.
• You can filter a subset of incoming SA request messages from a specified peer based on match criteria
defined in a route map by configuring the device to only receive SA messages that match the criteria
defined in the route map. All other incoming SA messages from the MSDP peer will be ignored.
• You can filter a subset of incoming SA messages from a specified peer based on both (S, G) pairs defined
in an extended access list and on match criteria defined in a route map by configuring the device to only
receive incoming SA messages that both match the (S, G) pairs defined in the extended access list and
match the criteria defined in the route map. All other incoming SA messages from the MSDP peer will
be ignored.
• You can filter a subset of incoming SA messages from a specified peer based on the announcing RP
address contained in the SA message by configuring the device to filter incoming SA messages based
on their origin, even after the SA message may have already been transmitted across one or more MSDP
peers.
• You can configure an incoming filter list that includes an extended access list, a route map, and either
an RP access list or an RP route map. In this case, all conditions must be true for the MSDP peer to
receive the incoming SA message.

Caution Arbitrary filtering of SA messages can result in downstream MSDP peers being starved of SA messages for
legitimate active sources. Care, therefore, should be taken when using these sorts of filters. Normally, incoming
filter lists are used only to reject undesirable sources, such as sources using private addresses.

TTL Thresholds in MSDP


The time-to-live (TTL) value provides a means to limit the number of hops a packet can take before being
dropped. The ip msdp ttl-threshold command is used to specify a TTL for data-encapsulated SA messages
sent to specified MSDP peers. By default, multicast data packets in SA messages are sent to an MSDP peer,
provided the TTL value of the packet is greater than 0, which is standard TTL behavior.
In general, a TTL-threshold problem can be introduced by the encapsulation of a source’s initial multicast
packet in an SA message. Because the multicast packet is encapsulated inside of the unicast SA message
(whose TTL is 255), its TTL is not decremented as the SA message travels to the MSDP peer. Furthermore,
the total number of hops that the SA message traverses can be drastically different than a normal multicast
packet because multicast and unicast traffic may follow completely different paths to the MSDP peer and
hence the remote PIM-SM domain. As a result, encapsulated packets can end up violating TTL thresholds.
The solution to this problem is to configure a TTL threshold that is associated with any multicast packet that
is encapsulated in an SA message sent to a particular MSDP peer using the ip msdp ttl-threshold command.
The ip msdp ttl-threshold command prevents any multicast packet whose TTL in the IP header is less than
the TTL value specified for the ttl-value argument from being encapsulated in SA messages sent to that peer.

MSDP Message Types


There are four basic MSDP message types, each encoded in their own Type, Length, and Value (TLV) data
format.

SA Messages
SA messages are used to advertise active sources in a domain. In addition, these SA messages may contain
the initial multicast data packet that was sent by the source.
SA messages contain the IP address of the originating RP and one or more (S, G) pairs being advertised. In
addition, the SA message may contain an encapsulated data packet.

SA Request Messages
SA request messages are used to request a list of active sources for a specific group. These messages are sent
to an MSDP SA cache that maintains a list of active (S, G) pairs in its SA cache. Join latency can be reduced
by using SA request messages to request the list of active sources for a group instead of having to wait up to
60 seconds for all active sources in the group to be readvertised by originating RPs.

SA Response Messages
SA response messages are sent by the MSDP peer in response to an SA request message. SA response messages
contain the IP address of the originating RP and one or more (S, G) pairs of the active sources in the originating
RP’s domain that are stored in the cache.

Keepalive Messages
Keepalive messages are sent every 60 seconds in order to keep the MSDP session active. If no keepalive
messages or SA messages are received for 75 seconds, the MSDP session is reset.
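The four message types above are what an MSDP peer must parse off its TCP session, and a malformed or truncated TLV is the classic place where a receiver goes wrong. The following Python encoder/decoder is an added example, not Cisco code. The type codes (1 = SA, 2 = SA Request, 3 = SA Response, 4 = Keepalive) and the field layout are taken from RFC 3618, which this guide does not reproduce; the `sa_for_peer` helper models the ip msdp ttl-threshold behaviour from the previous section by leaving the encapsulated data packet out when its IPv4 TTL is below the peer's threshold. All addresses and the sample packet are constructed.

```python
# Added example (not Cisco code): encoder/decoder for the four MSDP message types.
# Type codes and layout follow RFC 3618, not this guide:
#   Type(1) | Length(2, total incl. header) | value
#   SA / SA Response (1 / 3): EntryCount(1) RP(4), then EntryCount entries of
#       Reserved(3) SprefixLen(1) Group(4) Source(4); an SA may be followed by an
#       encapsulated IPv4 data packet
#   SA Request (2): Reserved(1) Group(4)        Keepalive (4): no value
import struct
from ipaddress import IPv4Address
from typing import List, Optional, Tuple

SA, SA_REQUEST, SA_RESPONSE, KEEPALIVE = 1, 2, 3, 4
ENTRY_LEN = 12


def _tlv(msg_type: int, value: bytes) -> bytes:
    return struct.pack("!BH", msg_type, 3 + len(value)) + value


def build_sa(rp: str, entries: List[Tuple[str, str]], data: bytes = b"", msg_type: int = SA) -> bytes:
    """entries are (source, group) pairs; data is an optional encapsulated IPv4 packet."""
    value = struct.pack("!B", len(entries)) + IPv4Address(rp).packed
    for source, group in entries:
        # Reserved (3 bytes), source prefix length (32 = host), group, source
        value += b"\x00\x00\x00" + bytes([32]) + IPv4Address(group).packed + IPv4Address(source).packed
    return _tlv(msg_type, value + data)


def build_sa_response(rp: str, entries: List[Tuple[str, str]]) -> bytes:
    return build_sa(rp, entries, b"", SA_RESPONSE)


def build_sa_request(group: str) -> bytes:
    return _tlv(SA_REQUEST, b"\x00" + IPv4Address(group).packed)


def build_keepalive() -> bytes:
    return _tlv(KEEPALIVE, b"")


def ipv4_ttl(packet: bytes) -> int:
    if len(packet) < 20:
        raise ValueError("truncated IPv4 header")
    return packet[8]                           # TTL is the ninth byte of the IPv4 header


def sa_for_peer(rp: str, entries: List[Tuple[str, str]], packet: Optional[bytes], ttl_threshold: int) -> bytes:
    """Model of ip msdp ttl-threshold: the data packet is encapsulated for this peer only
    if its TTL is not below the peer's threshold; the SA itself is still sent."""
    data = packet if packet is not None and ipv4_ttl(packet) >= ttl_threshold else b""
    return build_sa(rp, entries, data)


def parse(msg: bytes) -> dict:
    """Decode one TLV; raises ValueError on a malformed or truncated message."""
    if len(msg) < 3:
        raise ValueError("short TLV header")
    msg_type, length = struct.unpack("!BH", msg[:3])
    if length < 3 or length > len(msg):
        raise ValueError("TLV length %d inconsistent with %d bytes received" % (length, len(msg)))
    value = msg[3:length]
    if msg_type == KEEPALIVE:
        if value:
            raise ValueError("keepalive carries a value")
        return {"type": "keepalive"}
    if msg_type == SA_REQUEST:
        if len(value) != 5:
            raise ValueError("bad SA request length")
        return {"type": "sa_request", "group": str(IPv4Address(value[1:5]))}
    if msg_type in (SA, SA_RESPONSE):
        if len(value) < 5:
            raise ValueError("SA header truncated")
        count = value[0]
        need = 5 + ENTRY_LEN * count
        if len(value) < need:                  # entry count must be backed by real bytes
            raise ValueError("SA advertises %d entries but only %d bytes follow" % (count, len(value) - 5))
        entries = []
        for i in range(count):
            off = 5 + ENTRY_LEN * i
            group = str(IPv4Address(value[off + 4:off + 8]))
            source = str(IPv4Address(value[off + 8:off + 12]))
            entries.append((source, group))
        return {"type": "sa" if msg_type == SA else "sa_response",
                "rp": str(IPv4Address(value[1:5])), "entries": entries, "data": value[need:]}
    raise ValueError("unknown MSDP message type %d" % msg_type)


def is_well_formed(msg: bytes) -> bool:
    try:
        parse(msg)
        return True
    except ValueError:
        return False
```

The decoder validates the TLV length against the bytes actually received and the entry count against the remaining value length before slicing, which is the check a receiver needs so that a short or lying header cannot make it read past the message.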

Default MSDP Configuration


MSDP is not enabled, and no default MSDP peer exists.

How to Configure MSDP


Configuring a Default MSDP Peer
Before you begin
Configure an MSDP peer.

Procedure

Command or Action Purpose


Step 1 enable Enables privileged EXEC mode. Enter your password if
prompted.
Example:

SwitchDevice> enable

Step 2 configure terminal Enters the global configuration mode.


Example:

SwitchDevice# configure terminal

Step 3 ip msdp default-peer ip-address | name [prefix-list list] Defines a default peer from which to accept all MSDP SA
messages.
• For ip-address | name, enter the IP address or Domain Name System (DNS) server name of the MSDP default
peer.
• (Optional) For prefix-list list, enter the list name that specifies the peer to be the default peer only for the
listed prefixes. You can have multiple active default peers when you have a prefix list associated with each.
When you enter multiple ip msdp default-peer commands with the prefix-list keyword, you use all
the default peers at the same time for different RP prefixes. This syntax is typically used in a service
provider cloud that connects stub site clouds.
When you enter multiple ip msdp default-peer commands without the prefix-list keyword, a single
active peer accepts all SA messages. If that peer fails, the next configured default peer accepts all SA
messages. This syntax is typically used at a stub site.
Example:

Router(config)# ip msdp default-peer 10.1.1.1 prefix-list site-a

Step 4 ip prefix-list name [description string] | seq number {permit | deny} network length (Optional) Creates a prefix list using the name specified in
Step 3.
• (Optional) For description string, enter a description of up to 80 characters to describe this prefix list.
• For seq number, enter the sequence number of the entry. The range is 1 to 4294967294.
• The deny keyword denies access to matching conditions.
• The permit keyword permits access to matching conditions.
• For network length, specify the network number and length (in bits) of the network mask that is permitted
or denied.
Example:

Router(config)# ip prefix-list site-a seq 3 permit 12 network length 128

Step 5 ip msdp description {peer-name | peer-address} text (Optional) Configures a description for the specified peer
to make it easier to identify in a configuration or in show command output.
By default, no description is associated with an MSDP peer.
Example:

Router(config)# ip msdp description peer-name site-b

Step 6 end Returns to privileged EXEC mode.


Example:

SwitchDevice(config)# end

Step 7 show running-config Verifies your entries.


Example:

SwitchDevice# show running-config

Step 8 copy running-config startup-config (Optional) Saves your entries in the configuration file.
Example:

SwitchDevice# copy running-config startup-config

Caching Source-Active State


If you want to sacrifice some memory in exchange for reducing the latency of the source information, you
can configure the Switch to cache SA messages.
Follow these steps to enable the caching of source/group pairs:

Procedure

Command or Action Purpose


Step 1 enable Enables privileged EXEC mode. Enter your password if
prompted.
Example:

SwitchDevice> enable

Step 2 configure terminal Enters the global configuration mode.


Example:

SwitchDevice# configure terminal

Step 3 ip msdp cache-sa-state [list access-list-number] Enables the caching of source/group pairs (create an SA
state). Those pairs that pass the access list are cached.
For list access-list-number, the range is 100 to 199.
Note An alternative to this command is the ip msdp sa-request global configuration command, which
causes the Switch to send an SA request message to the MSDP peer when a new member for a
group becomes active.
Example:

SwitchDevice(config)# ip msdp cache-sa-state 100

Step 4 access-list access-list-number {deny | permit} protocol source source-wildcard destination destination-wildcard Creates an IP extended access list, repeating the command
as many times as necessary.
• For access-list-number, the range is 100 to 199. Enter the same number created in Step 3.
• The deny keyword denies access if the conditions are matched. The permit keyword permits access if the
conditions are matched.
• For protocol, enter ip as the protocol name.
• For source, enter the number of the network or host from which the packet is being sent.
• For source-wildcard, enter the wildcard bits in dotted decimal notation to be applied to the source. Place
ones in the bit positions that you want to ignore.
• For destination, enter the number of the network or host to which the packet is being sent.
• For destination-wildcard, enter the wildcard bits in dotted decimal notation to be applied to the destination.
Place ones in the bit positions that you want to ignore.
Recall that the access list is always terminated by an implicit deny statement for everything.
Example:

SwitchDevice(config)# access-list 100 permit ip 171.69.0.0 0.0.255.255 224.2.0.0 0.0.255.255

Step 5 end Returns to privileged EXEC mode.


Example:

SwitchDevice(config)# end

Step 6 show running-config Verifies your entries.


Example:

SwitchDevice# show running-config

Step 7 copy running-config startup-config (Optional) Saves your entries in the configuration file.
Example:

SwitchDevice# copy running-config startup-config
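The extended access list attached in Step 4 of this procedure, and the (S, G) extended-ACL matching that the SA origination filters and incoming/outgoing filter lists described earlier rely on, all evaluate the same way: wildcard bits set to 1 are ignored, the first matching entry decides, and an unmatched pair falls through to the implicit deny. The following Python evaluator is an added example, not Cisco code; the `AclEntry` type, the helper names and the sample list lines (including a deny for the 10.0.0.0/8 private range) are constructed for illustration.

```python
# Added example (not Cisco code): evaluator for numbered extended IP access lists of the
# form used with ip msdp cache-sa-state, SA origination filters and SA filter lists.
# Names are hypothetical; sample lines are constructed.
from ipaddress import IPv4Address
from typing import List, NamedTuple, Tuple


class AclEntry(NamedTuple):
    action: str            # "permit" or "deny"
    source: str
    source_wildcard: str
    dest: str
    dest_wildcard: str


def _wildcard_match(addr: str, network: str, wildcard: str) -> bool:
    """Wildcard bits set to 1 are ignored; the remaining bits must equal the network."""
    a, n, w = (int(IPv4Address(x)) for x in (addr, network, wildcard))
    care = ~w & 0xFFFFFFFF
    return a & care == n & care


def _take_address(tokens: List[str], i: int) -> Tuple[str, str, int]:
    """Accept the IOS forms 'any', 'host A.B.C.D' and 'A.B.C.D wildcard'."""
    if i >= len(tokens):
        raise ValueError("missing address")
    if tokens[i] == "any":
        return "0.0.0.0", "255.255.255.255", i + 1
    if i + 1 >= len(tokens):
        raise ValueError("missing wildcard or host address")
    if tokens[i] == "host":
        return tokens[i + 1], "0.0.0.0", i + 2
    return tokens[i], tokens[i + 1], i + 2


def parse_acl_line(line: str) -> AclEntry:
    """Parse 'access-list <100-199> {permit|deny} ip <source> <destination>'."""
    t = line.split()
    if len(t) < 6 or t[0] != "access-list" or t[2] not in ("permit", "deny") or t[3] != "ip":
        raise ValueError("unsupported access-list line: %r" % line)
    if not 100 <= int(t[1]) <= 199:
        raise ValueError("extended IP access lists are numbered 100 to 199")
    src, src_wc, i = _take_address(t, 4)
    dst, dst_wc, i = _take_address(t, i)
    if i != len(t):
        raise ValueError("trailing tokens in %r" % line)
    for addr in (src, src_wc, dst, dst_wc):
        IPv4Address(addr)                  # reject malformed addresses early
    return AclEntry(t[2], src, src_wc, dst, dst_wc)


def evaluate(acl: List[AclEntry], source: str, group: str) -> bool:
    """First matching entry decides; no match falls through to the implicit deny."""
    for e in acl:
        if _wildcard_match(source, e.source, e.source_wildcard) and \
           _wildcard_match(group, e.dest, e.dest_wildcard):
            return e.action == "permit"
    return False


def cacheable_pairs(acl: List[AclEntry], pairs: List[Tuple[str, str]]) -> List[Tuple[str, str]]:
    """(S, G) pairs from received SA messages that the list allows into the SA cache."""
    return [(s, g) for s, g in pairs if evaluate(acl, s, g)]


if __name__ == "__main__":
    acl = [parse_acl_line("access-list 100 permit ip 171.69.0.0 0.0.255.255 224.2.0.0 0.0.255.255")]
    print(cacheable_pairs(acl, [("171.69.1.1", "224.2.0.9"), ("172.16.5.4", "228.1.2.3")]))
```

Running the Step 4 list over the (172.16.5.4, 228.1.2.3) pair from the MSDP sequence of events shows why the implicit deny matters: that pair matches no entry and is silently excluded from the cache, which is the intended outcome only if the list was written to permit every legitimate source.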

Requesting Source Information from an MSDP Peer


If you want a new member of a group to learn the active multicast sources in a connected PIM sparse-mode
domain that are sending to a group, perform this task for the Switch to send SA request messages to the
specified MSDP peer when a new member joins a group. The peer replies with the information in its SA
cache. If the peer does not have a cache configured, this command has no result. Configuring this feature
reduces join latency but sacrifices memory.
Follow these steps to configure the Switch to send SA request messages to the MSDP peer when a new member
joins a group and wants to receive multicast traffic:

Procedure

Command or Action Purpose


Step 1 enable Enables privileged EXEC mode. Enter your password if
prompted.
Example:

SwitchDevice> enable

Step 2 configure terminal Enters the global configuration mode.


Example:

SwitchDevice# configure terminal

Step 3 ip msdp sa-request {ip-address | name} Configures the Switch to send SA request messages to the
specified MSDP peer. For ip-address | name, enter the IP address or name of the MSDP peer from which the
local Switch requests SA messages when a new member for a group becomes active. Repeat the command for
each MSDP peer that you want to supply with SA messages.
Example:

SwitchDevice(config)# ip msdp sa-request 171.69.1.1

Step 4 end Returns to privileged EXEC mode.


Example:

SwitchDevice(config)# end

Step 5 show running-config Verifies your entries.
Example:

SwitchDevice# show running-config

Step 6 copy running-config startup-config (Optional) Saves your entries in the configuration file.
Example:

SwitchDevice# copy running-config startup-config

Controlling Source Information that Your Switch Originates


You can control the multicast source information that originates with your Switch:
• Sources you advertise (based on your sources)
• Receivers of source information (based on knowing the requestor)

For more information, see Redistributing Sources, on page 1123, and Filtering Source-Active Request
Messages, on page 1125.

Redistributing Sources
SA messages originate on RPs to which sources have registered. By default, any source that registers with an
RP is advertised. The A flag is set in the RP when a source is registered, which means the source is advertised
in an SA unless it is filtered.
Follow these steps to further restrict which registered sources are advertised:

Procedure

Command or Action Purpose


Step 1 enable Enables privileged EXEC mode. Enter your password if
prompted.
Example:

SwitchDevice> enable

Step 2 configure terminal Enters the global configuration mode.


Example:

SwitchDevice# configure terminal

Step 3 ip msdp redistribute [list access-list-name] [asn aspath-access-list-number] [route-map map]
Configures which (S,G) entries from the multicast routing table are advertised in SA messages. By default,
only sources within the local domain are advertised.
• (Optional) list access-list-name—Enters the name or number of an IP standard or extended access list. The
range is 1 to 99 for standard access lists and 100 to 199 for extended lists. The access list controls which
local sources are advertised and to which groups they send.
• (Optional) asn aspath-access-list-number—Enters the IP standard or extended access list number in the
range 1 to 199. This access list number must also be configured in the ip as-path access-list command.
• (Optional) route-map map—Enters the IP standard or extended access list number in the range 1 to 199.
This access list number must also be configured in the ip as-path access-list command.
The Switch advertises (S,G) pairs according to the access list or autonomous system path access list.
Example:

SwitchDevice(config)# ip msdp redistribute list 21

Step 4 Use one of the following:
• access-list access-list-number {deny | permit} source [source-wildcard]: Creates an IP standard access
list, repeating the command as many times as necessary.
• access-list access-list-number {deny | permit} protocol source source-wildcard destination
destination-wildcard: Creates an IP extended access list, repeating the command as many times as necessary.
The keywords and arguments are as follows:
• access-list-number—Enters the same number created in Step 2. The range is 1 to 99 for standard access
lists and 100 to 199 for extended lists.
• deny—Denies access if the conditions are matched. The permit keyword permits access if the conditions
are matched.
• protocol—Enters ip as the protocol name.
• source—Enters the number of the network or host from which the packet is being sent.
• source-wildcard—Enters the wildcard bits in dotted decimal notation to be applied to the source. Place
ones in the bit positions that you want to ignore.
• destination—Enters the number of the network or host to which the packet is being sent.
• destination-wildcard—Enters the wildcard bits in dotted decimal notation to be applied to the destination.
Place ones in the bit positions that you want to ignore.
Recall that the access list is always terminated by an implicit deny statement for everything.
Example:

SwitchDevice(config)# access-list 21 permit 194.1.22.0

or

SwitchDevice(config)# access-list 21 permit ip 194.1.22.0 1.1.1.1 194.3.44.0 1.1.1.1

Step 5 end Returns to privileged EXEC mode.


Example:

SwitchDevice(config)# end

Step 6 show running-config Verifies your entries.


Example:

SwitchDevice# show running-config

Step 7 copy running-config startup-config (Optional) Saves your entries in the configuration file.
Example:

SwitchDevice# copy running-config startup-config

Filtering Source-Active Request Messages


By default, only Switches that are caching SA information can respond to SA requests. By default, such a
Switch honors all SA request messages from its MSDP peers and supplies the IP addresses of the active sources.
However, you can configure the Switch to ignore all SA requests from an MSDP peer. You can also honor
only those SA request messages from a peer for groups described by a standard access list. If the groups in
the access list pass, SA request messages are accepted. All other such messages from the peer for other groups
are ignored.
To return to the default setting, use the no ip msdp filter-sa-request {ip-address | name} global configuration
command.
Follow these steps to configure one of these options:

Procedure

Command or Action Purpose


Step 1 enable Enables privileged EXEC mode. Enter your password if
prompted.
Example:

SwitchDevice> enable

Step 2 configure terminal Enters the global configuration mode.


Example:

SwitchDevice# configure terminal

Step 3 Use one of the following:
• ip msdp filter-sa-request {ip-address | name}: Filters all SA request messages from the specified MSDP
peer.
• ip msdp filter-sa-request {ip-address | name} list access-list-number: Filters SA request messages from
the specified MSDP peer for groups that pass the standard access list. The access list describes a multicast
group address. The range for the access-list-number is 1 to 99.
Example:

SwitchDevice(config)# ip msdp filter-sa-request 171.69.2.2

Step 4 access-list access-list-number {deny | permit} source [source-wildcard] Creates an IP standard access
list, repeating the command as many times as necessary.
• For access-list-number, the range is 1 to 99.
• The deny keyword denies access if the conditions are matched. The permit keyword permits access if the
conditions are matched.
• For source, enter the number of the network or host from which the packet is being sent.
• (Optional) For source-wildcard, enter the wildcard bits in dotted decimal notation to be applied to the
source. Place ones in the bit positions that you want to ignore.
Recall that the access list is always terminated by an implicit deny statement for everything.
Example:

SwitchDevice(config)# access-list 1 permit 192.4.22.0 0.0.0.255

Step 5 end Returns to privileged EXEC mode.


Example:

SwitchDevice(config)# end

Step 6 show running-config Verifies your entries.


Example:

SwitchDevice# show running-config

Step 7 copy running-config startup-config (Optional) Saves your entries in the configuration file.
Example:

SwitchDevice# copy running-config startup-config

Controlling Source Information that Your Switch Forwards


By default, the Switch forwards all SA messages it receives to all its MSDP peers. However, you can prevent
outgoing messages from being forwarded to a peer by using a filter or by setting a time-to-live (TTL) value.

Using a Filter
By creating a filter, you can perform one of these actions:
• Filter all source/group pairs
• Specify an IP extended access list to pass only certain source/group pairs
• Filter based on match criteria in a route map

Follow these steps to apply a filter:

Procedure

Command or Action Purpose


Step 1 enable Enables privileged EXEC mode. Enter your password if
prompted.
Example:

SwitchDevice> enable

Step 2 configure terminal Enters the global configuration mode.


Example:

SwitchDevice# configure terminal

Step 3 Use one of the following:
• ip msdp sa-filter out {ip-address | name}: Filters all SA messages to the specified MSDP peer.
• ip msdp sa-filter out {ip-address | name} list access-list-number: Passes only those SA messages that
pass the IP extended access list to the specified peer. The range for the extended access-list-number is 100
to 199. If both the list and the route-map keywords are used, all conditions must be true to pass any (S,G)
pair in outgoing SA messages.
• ip msdp sa-filter out {ip-address | name} route-map map-tag: Passes only those SA messages that meet
the match criteria in the route map map-tag to the specified MSDP peer. If all match criteria are true, a
permit from the route map passes routes through the filter. A deny filters routes.
Example:

SwitchDevice(config)# ip msdp sa-filter out switch.cisco.com

or

SwitchDevice(config)# ip msdp sa-filter out switch.cisco.com list 100

or

SwitchDevice(config)# ip msdp sa-filter out switch.cisco.com route-map 22

Step 4 access-list access-list-number {deny | permit} protocol source source-wildcard destination
destination-wildcard (Optional) Creates an IP extended access list, repeating the command as many times
as necessary.
• For access-list-number, enter the number specified in Step 2.
• The deny keyword denies access if the conditions are matched. The permit keyword permits access if the
conditions are matched.
• For protocol, enter ip as the protocol name.
• For source, enter the number of the network or host from which the packet is being sent.
• For source-wildcard, enter the wildcard bits in dotted decimal notation to be applied to the source. Place
ones in the bit positions that you want to ignore.
• For destination, enter the number of the network or host to which the packet is being sent.
• For destination-wildcard, enter the wildcard bits in dotted decimal notation to be applied to the destination.
Place ones in the bit positions that you want to ignore.
Recall that the access list is always terminated by an implicit deny statement for everything.
Example:

SwitchDevice(config)# access-list 100 permit ip 194.1.22.0 1.1.1.1 194.3.44.0 1.1.1.1

Step 5 end Returns to privileged EXEC mode.


Example:

SwitchDevice(config)# end

Step 6 show running-config Verifies your entries.


Example:

SwitchDevice# show running-config

Step 7 copy running-config startup-config (Optional) Saves your entries in the configuration file.
Example:

SwitchDevice# copy running-config startup-config

Using TTL to Limit the Multicast Data Sent in SA Messages


You can use a TTL value to control what data is encapsulated in the first SA message for every source. Only
multicast packets with an IP-header TTL greater than or equal to the ttl argument are sent to the specified
MSDP peer. For example, you can limit internal traffic to a TTL of 8. If you want other groups to go to external
locations, you must send those packets with a TTL greater than 8.
Follow these steps to establish a TTL threshold:

Procedure

Command or Action Purpose


Step 1 enable Enables privileged EXEC mode. Enter your password if
prompted.
Example:

SwitchDevice> enable

Step 2 configure terminal Enters the global configuration mode.


Example:

SwitchDevice# configure terminal

Step 3 ip msdp ttl-threshold {ip-address | name} ttl Limits which multicast data is encapsulated in the first SA
message to the specified MSDP peer.
• For ip-address | name, enter the IP address or name of the MSDP peer to which the TTL limitation applies.
• For ttl, enter the TTL value. The default is 0, which means all multicast data packets are forwarded to the
peer until the TTL is exhausted. The range is 0 to 255.
Example:

SwitchDevice(config)# ip msdp ttl-threshold switch.cisco.com 0

Step 4 end Returns to privileged EXEC mode.


Example:

SwitchDevice(config)# end

Step 5 show running-config Verifies your entries.


Example:

SwitchDevice# show running-config

Step 6 copy running-config startup-config (Optional) Saves your entries in the configuration file.
Example:

SwitchDevice# copy running-config startup-config

Controlling Source Information that Your Switch Receives


By default, the Switch receives all SA messages that its MSDP RPF peers send to it. However, you can control
the source information that you receive from MSDP peers by filtering incoming SA messages. In other words,
you can configure the Switch to not accept them.
You can perform one of these actions:
• Filter all incoming SA messages from an MSDP peer
• Specify an IP extended access list to pass certain source/group pairs
• Filter based on match criteria in a route map

Follow these steps to apply a filter:

Procedure

Command or Action Purpose


Step 1 enable Enables privileged EXEC mode. Enter your password if
prompted.
Example:

SwitchDevice> enable

Step 2 configure terminal Enters the global configuration mode.


Example:

SwitchDevice# configure terminal

Step 3 Use one of the following:
• ip msdp sa-filter in {ip-address | name}: Filters all SA messages to the specified MSDP peer.
• ip msdp sa-filter in {ip-address | name} list access-list-number: Passes only those SA messages from the
specified peer that pass the IP extended access list. The range for the extended access-list-number is 100 to
199. If both the list and the route-map keywords are used, all conditions must be true to pass any (S,G)
pair in outgoing SA messages.
• ip msdp sa-filter in {ip-address | name} route-map map-tag: Passes only those SA messages from the
specified MSDP peer that meet the match criteria in the route map map-tag. If all match criteria are true, a
permit from the route map passes routes through the filter. A deny filters routes.
Example:

SwitchDevice(config)# ip msdp sa-filter in switch.cisco.com

or

SwitchDevice(config)# ip msdp sa-filter in switch.cisco.com list 100

or

SwitchDevice(config)# ip msdp sa-filter in switch.cisco.com route-map 22

Step 4 access-list access-list-number {deny | permit} protocol source source-wildcard destination
destination-wildcard (Optional) Creates an IP extended access list, repeating the command as many times
as necessary.
• For access-list-number, enter the number specified in Step 2.
• The deny keyword denies access if the conditions are matched. The permit keyword permits access if the
conditions are matched.
• For protocol, enter ip as the protocol name.
• For source, enter the number of the network or host from which the packet is being sent.
• For source-wildcard, enter the wildcard bits in dotted decimal notation to be applied to the source. Place
ones in the bit positions that you want to ignore.
• For destination, enter the number of the network or host to which the packet is being sent.
• For destination-wildcard, enter the wildcard bits in dotted decimal notation to be applied to the destination.
Place ones in the bit positions that you want to ignore.
Recall that the access list is always terminated by an implicit deny statement for everything.
Example:

SwitchDevice(config)# access-list 100 permit ip 194.1.22.0 1.1.1.1 194.3.44.0 1.1.1.1
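The access lists used by ip msdp filter-sa-request, ip msdp sa-filter in and ip msdp sa-filter out all share the semantics the steps above describe: a one bit in a wildcard mask marks a bit that is ignored, entries are tested in order and the first match decides, and anything not matched falls through to the implicit deny. The following Python is an added example that simulates that evaluation against (S,G) pairs; it is not code from the guide or from Cisco IOS. The parser accepts access-list lines exactly as the steps show them; the standard_field parameter and the sample (S,G) pairs are my own constructions.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple


def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """Cisco wildcard comparison: a one bit in the wildcard marks a bit to ignore."""
    care = 0xFFFFFFFF ^ int(ipaddress.IPv4Address(wildcard))
    return (int(ipaddress.IPv4Address(addr)) & care) == (int(ipaddress.IPv4Address(base)) & care)


@dataclass(frozen=True)
class AclEntry:
    action: str                          # "permit" or "deny"
    source: str
    source_wildcard: str
    destination: Optional[str] = None    # None for a standard (single-address) entry
    destination_wildcard: Optional[str] = None

    @property
    def is_extended(self) -> bool:
        return self.destination is not None


def parse_access_list(line: str) -> Tuple[int, AclEntry]:
    """Parse one access-list global configuration line as written in the steps above."""
    t = line.split()
    if len(t) < 4 or t[0] != "access-list" or t[2] not in ("permit", "deny"):
        raise ValueError(f"not an access-list statement: {line!r}")
    number = int(t[1])
    if 1 <= number <= 99:
        # Standard list: access-list N {deny | permit} source [source-wildcard]
        wildcard = t[4] if len(t) > 4 else "0.0.0.0"   # omitted wildcard means an exact host match
        return number, AclEntry(t[2], t[3], wildcard)
    if 100 <= number <= 199:
        # Extended list: access-list N {deny | permit} ip source source-wildcard destination destination-wildcard
        if len(t) != 8 or t[3] != "ip":
            raise ValueError(f"malformed extended entry: {line!r}")
        return number, AclEntry(t[2], t[4], t[5], t[6], t[7])
    raise ValueError(f"access-list number {number} is outside the 1-199 range")


def sa_filter_action(entries: List[AclEntry], source: str, group: str,
                     standard_field: str = "group") -> str:
    """Return 'permit' or 'deny' for an (S,G) pair.

    Extended entries compare the source against the source field and the group
    against the destination field. A standard entry holds one address; which half
    of the pair it is compared with depends on the command the list is attached to
    (ip msdp filter-sa-request compares the group, as the step above states), so
    the caller chooses via standard_field. This parameter is my own construction.
    """
    for entry in entries:
        if entry.is_extended:
            hit = (wildcard_match(source, entry.source, entry.source_wildcard)
                   and wildcard_match(group, entry.destination, entry.destination_wildcard))
        else:
            subject = group if standard_field == "group" else source
            hit = wildcard_match(subject, entry.source, entry.source_wildcard)
        if hit:
            return entry.action          # first matching entry decides
    return "deny"                        # implicit deny at the end of every list


def apply_sa_filter(entries: List[AclEntry], pairs: List[Tuple[str, str]]) -> List[Tuple[str, str]]:
    """Keep only the (S,G) pairs the list permits, the way sa-filter in/out would."""
    return [sg for sg in pairs if sa_filter_action(entries, *sg) == "permit"]


# Access lists taken from the configuration steps in this section.
_, EXT_100 = parse_access_list("access-list 100 permit ip 194.1.22.0 1.1.1.1 194.3.44.0 1.1.1.1")
_, STD_1 = parse_access_list("access-list 1 permit 192.4.22.0 0.0.0.255")

# Constructed (S,G) pairs for demonstration; they are not from the guide.
SAMPLE_PAIRS = [
    ("194.1.22.0", "194.3.44.0"),   # exact match of the extended entry
    ("194.1.22.1", "194.3.44.1"),   # differs only in bits the 1.1.1.1 wildcard ignores
    ("194.1.22.2", "194.3.44.0"),   # bit 1 of the last octet is compared, so no match
    ("10.44.44.5", "239.232.1.0"),  # falls through to the implicit deny
]

if __name__ == "__main__":
    for s, g in SAMPLE_PAIRS:
        print(f"({s}, {g}) -> {sa_filter_action([EXT_100], s, g)}")
```

Two points the simulation makes visible: the 1.1.1.1 wildcard in the guide's example ignores only the lowest bit of each octet, so neighbouring addresses such as 194.1.22.1 pass while 194.1.22.2 does not; and because of the implicit deny, a list made up only of deny entries (or an empty list) passes no SA state at all.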

Step 5 end Returns to privileged EXEC mode.


Example:

SwitchDevice(config)# end

Step 6 show running-config Verifies your entries.


Example:

SwitchDevice# show running-config

Step 7 copy running-config startup-config (Optional) Saves your entries in the configuration file.
Example:

SwitchDevice# copy running-config startup-config

Configuring an MSDP Mesh Group


Perform this optional task to configure an MSDP mesh group.

Note You can configure multiple mesh groups per device.

SUMMARY STEPS
1. enable
2. configure terminal
3. ip msdp mesh-group mesh-name {peer-address | peer-name}
4. Repeat Step 3 to add MSDP peers as members of the mesh group.
5. exit
6. show running-config
7. copy running-config startup-config

DETAILED STEPS

Command or Action Purpose


Step 1 enable Enables privileged EXEC mode.
Example: • Enter your password if prompted.

SwitchDevice> enable

Step 2 configure terminal Enters global configuration mode.


Example:

SwitchDevice# configure terminal

Step 3 ip msdp mesh-group mesh-name {peer-address | peer-name} Configures an MSDP mesh group and indicates
that an MSDP peer belongs to that mesh group.
Note All MSDP peers on a device that participate in a mesh group must be fully meshed with all other MSDP
peers in the group. Each MSDP peer on each device must be configured as a peer using the ip msdp peer
command and also as a member of the mesh group using the ip msdp mesh-group command.
Example:

SwitchDevice(config)# ip msdp mesh-group peermesh

Step 4 Repeat Step 3 to add MSDP peers as members of the mesh group. --

Step 5 exit Exits global configuration mode and returns to privileged
EXEC mode.
Example:

SwitchDevice(config)# exit

Step 6 show running-config Verifies your entries.


Example:

SwitchDevice# show running-config

Step 7 copy running-config startup-config (Optional) Saves your entries in the configuration file.
Example:

SwitchDevice# copy running-config startup-config

Shutting Down an MSDP Peer


Perform this optional task to shut down an MSDP peer.
If you are configuring several MSDP peers and you do not want any of the peers to go active until you have
finished configuring all of them, you can shut down each peer, configure each peer, and later bring each peer
up. You might also want to shut down an MSDP session without losing the configuration for that MSDP peer.

Note When an MSDP peer is shut down, the TCP connection is terminated and not restarted until the peer is brought
back up using the no ip msdp shutdown command (for the specified peer).

Before you begin


MSDP is running and the MSDP peers must be configured.

SUMMARY STEPS
1. enable
2. configure terminal

3. ip msdp shutdown {peer-name | peer-address}
4. Repeat Step 3 to shut down additional MSDP peers.
5. end
6. show running-config
7. copy running-config startup-config

DETAILED STEPS

Command or Action Purpose


Step 1 enable Enables privileged EXEC mode.
Example: • Enter your password if prompted.

SwitchDevice> enable

Step 2 configure terminal Enters global configuration mode.


Example:

SwitchDevice# configure terminal

Step 3 ip msdp shutdown {peer-name | peer-address} Administratively shuts down the specified MSDP peer.
Example:

SwitchDevice(config)# ip msdp shutdown 192.168.1.3

Step 4 Repeat Step 3 to shut down additional MSDP peers. --

Step 5 end Exits global configuration mode and returns to privileged EXEC mode.
Example:

SwitchDevice(config)# end

Step 6 show running-config Verifies your entries.


Example:

SwitchDevice# show running-config

Step 7 copy running-config startup-config (Optional) Saves your entries in the configuration file.
Example:

SwitchDevice# copy running-config startup-config

Including a Bordering PIM Dense-Mode Region in MSDP


You can configure MSDP on a Switch that borders a PIM sparse-mode region with a dense-mode region. By
default, active sources in the dense-mode region do not participate in MSDP.

Note We do not recommend using the ip msdp border sa-address global configuration command. It is better to
configure the border router in the sparse-mode domain to proxy-register sources in the dense-mode domain
to the RP of the sparse-mode domain and have the sparse-mode domain use standard MSDP procedures to
advertise these sources.

The ip msdp originator-id global configuration command also identifies an interface to be used as the RP
address. If both the ip msdp border sa-address and the ip msdp originator-id global configuration commands
are configured, the address derived from the ip msdp originator-id command specifies the RP address.
Follow these steps to configure the border router to send SA messages for sources active in the dense-mode
region to the MSDP peers:

Procedure

Command or Action Purpose


Step 1 enable Enables privileged EXEC mode. Enter your password if
prompted.
Example:

SwitchDevice> enable

Step 2 configure terminal Enters the global configuration mode.


Example:

SwitchDevice# configure terminal

Step 3 ip msdp border sa-address interface-id Configures the switch on the border between a dense-mode
and sparse-mode region to send SA messages about active sources in the dense-mode region.
For interface-id, specifies the interface from which the IP address is derived and used as the RP address in
SA messages. The IP address of the interface is used as the Originator-ID, which is the RP field in the SA
message.
Example:

SwitchDevice(config)# ip msdp border sa-address 0/1

Step 4 ip msdp redistribute [list access-list-name] [asn aspath-access-list-number] [route-map map]
Configures which (S,G) entries from the multicast routing table are advertised in SA messages. For more
information, see Redistributing Sources, on page 1123.
Example:

SwitchDevice(config)# ip msdp redistribute list 100

Step 5 end Returns to privileged EXEC mode.


Example:

SwitchDevice(config)# end

Step 6 show running-config Verifies your entries.


Example:

SwitchDevice# show running-config

Step 7 copy running-config startup-config (Optional) Saves your entries in the configuration file.
Example:

SwitchDevice# copy running-config startup-config

Configuring an Originating Address other than the RP Address


Perform this optional task to allow an MSDP speaker that originates an SA message to use the IP address of
its interface as the RP address in the SA message.
You can also change the originator ID for any one of the following reasons:
• If you configure multiple devices in an MSDP mesh group for Anycast RP.
• If you have a device that borders a PIM-SM domain and a PIM-DM domain. If a device borders a PIM-SM
domain and a PIM-DM domain and you want to advertise active sources within the PIM-DM domain,
configure the RP address in SA messages to be the address of the originating device’s interface.

Before you begin


MSDP is enabled and the MSDP peers are configured. For more information about configuring MSDP peers,
see the Configuring an MSDP Peer section.

SUMMARY STEPS
1. enable
2. configure terminal
3. ip msdp originator-id
4. exit
5. show running-config
6. copy running-config startup-config

DETAILED STEPS

Command or Action Purpose


Step 1 enable Enables privileged EXEC mode.
Example: • Enter your password if prompted.

SwitchDevice> enable

Step 2 configure terminal Enters global configuration mode.


Example:

SwitchDevice# configure terminal

Step 3 ip msdp originator-id Configures the RP address in SA messages to be the address of the originating
device’s interface.
Example:

SwitchDevice(config)# ip msdp originator-id ethernet 1

Step 4 exit Exits global configuration mode and returns to privileged EXEC mode.
Example:

SwitchDevice(config)# exit

Step 5 show running-config Verifies your entries.


Example:

SwitchDevice# show running-config

Step 6 copy running-config startup-config (Optional) Saves your entries in the configuration file.
Example:

SwitchDevice# copy running-config startup-config

Monitoring and Maintaining MSDP


Monitoring MSDP
Perform this optional task to monitor MSDP SA messages, peers, state, and peer status.

SUMMARY STEPS
1. enable
2. debug ip msdp [peer-address | peer-name] [detail] [routes]
3. debug ip msdp resets
4. show ip msdp count [as-number]
5. show ip msdp peer [peer-address | peer-name]
6. show ip msdp sa-cache [group-address | source-address | group-name | source-name] [as-number]
7. show ip msdp summary

DETAILED STEPS

Step 1 enable
Example:

Device# enable

Enables privileged EXEC mode.


• Enter your password if prompted.

Step 2 debug ip msdp [peer-address | peer-name] [detail] [routes]


Use this command to debug MSDP activity.
Use the optional peer-address or peer-name argument to specify for which peer debug events are logged.
The following is sample output from the debug ip msdp command:
Example:

Device# debug ip msdp


MSDP debugging is on
Device#
MSDP: 224.150.44.254: Received 1388-byte message from peer
MSDP: 224.150.44.254: SA TLV, len: 1388, ec: 115, RP: 172.31.3.92
MSDP: 224.150.44.254: Peer RPF check passed for 172.31.3.92, used EMBGP peer
MSDP: 224.150.44.250: Forward 1388-byte SA to peer
MSDP: 224.150.44.254: Received 1028-byte message from peer
MSDP: 224.150.44.254: SA TLV, len: 1028, ec: 85, RP: 172.31.3.92
MSDP: 224.150.44.254: Peer RPF check passed for 172.31.3.92, used EMBGP peer
MSDP: 224.150.44.250: Forward 1028-byte SA to peer
MSDP: 224.150.44.254: Received 1388-byte message from peer
MSDP: 224.150.44.254: SA TLV, len: 1388, ec: 115, RP: 172.31.3.111
MSDP: 224.150.44.254: Peer RPF check passed for 172.31.3.111, used EMBGP peer
MSDP: 224.150.44.250: Forward 1388-byte SA to peer
MSDP: 224.150.44.250: Received 56-byte message from peer
MSDP: 224.150.44.250: SA TLV, len: 56, ec: 4, RP: 192.168.76.241
MSDP: 224.150.44.250: Peer RPF check passed for 192.168.76.241, used EMBGP peer
MSDP: 224.150.44.254: Forward 56-byte SA to peer
MSDP: 224.150.44.254: Received 116-byte message from peer
MSDP: 224.150.44.254: SA TLV, len: 116, ec: 9, RP: 172.31.3.111
MSDP: 224.150.44.254: Peer RPF check passed for 172.31.3.111, used EMBGP peer
MSDP: 224.150.44.250: Forward 116-byte SA to peer
MSDP: 224.150.44.254: Received 32-byte message from peer
MSDP: 224.150.44.254: SA TLV, len: 32, ec: 2, RP: 172.31.3.78
MSDP: 224.150.44.254: Peer RPF check passed for 172.31.3.78, used EMBGP peer
MSDP: 224.150.44.250: Forward 32-byte SA to peer

Step 3 debug ip msdp resets


Use this command to debug MSDP peer reset reasons.
Example:

Device# debug ip msdp resets

Step 4 show ip msdp count [as-number]

Use this command to display the number of sources and groups originated in MSDP SA messages and the number of SA
messages from an MSDP peer in the SA cache. The ip msdp cache-sa-state command must be configured for this
command to produce any output.
The following is sample output from the show ip msdp count command:
Example:

Device# show ip msdp count


SA State per Peer Counters, <Peer>: <# SA learned>
192.168.4.4: 8
SA State per ASN Counters, <asn>: <# sources>/<# groups>
Total entries: 8
?: 8/8

Step 5 show ip msdp peer [peer-address | peer-name]


Use this command to display detailed information about MSDP peers.
Use the optional peer-address or peer-name argument to display information about a particular peer.
The following is sample output from the show ip msdp peer command:
Example:

Device# show ip msdp peer 192.168.4.4


MSDP Peer 192.168.4.4 (?), AS 64512 (configured AS)
Connection status:
State: Up, Resets: 0, Connection source: Loopback0 (2.2.2.2)
Uptime(Downtime): 00:07:55, Messages sent/received: 8/18
Output messages discarded: 0
Connection and counters cleared 00:08:55 ago
SA Filtering:
Input (S,G) filter: none, route-map: none
Input RP filter: none, route-map: none
Output (S,G) filter: none, route-map: none
Output RP filter: none, route-map: none
SA-Requests:
Input filter: none
Peer ttl threshold: 0
SAs learned from this peer: 8
Input queue size: 0, Output queue size: 0
MD5 signature protection on MSDP TCP connection: not enabled
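The peer output above reports, in one place, every per-peer control this chapter configures: inbound and outbound (S,G) filters, the SA-request filter, the TTL threshold, and whether MD5 signature protection is enabled on the MSDP TCP connection. The following Python is an added example, not code from the guide or from Cisco IOS, that parses that output and lists which of those controls are still at their default. The sample text is copied from the show ip msdp peer output above; the hardened variant is constructed by editing it, and the MsdpPeer field names are my own.

```python
import re
from dataclasses import dataclass
from typing import List

# Copied from the show ip msdp peer sample output in this section.
SAMPLE_PEER_OUTPUT = """\
MSDP Peer 192.168.4.4 (?), AS 64512 (configured AS)
Connection status:
State: Up, Resets: 0, Connection source: Loopback0 (2.2.2.2)
Uptime(Downtime): 00:07:55, Messages sent/received: 8/18
Output messages discarded: 0
Connection and counters cleared 00:08:55 ago
SA Filtering:
Input (S,G) filter: none, route-map: none
Input RP filter: none, route-map: none
Output (S,G) filter: none, route-map: none
Output RP filter: none, route-map: none
SA-Requests:
Input filter: none
Peer ttl threshold: 0
SAs learned from this peer: 8
Input queue size: 0, Output queue size: 0
MD5 signature protection on MSDP TCP connection: not enabled
"""

# Constructed variant (not from the guide): the same peer after filters, a TTL
# threshold and MD5 protection have been applied.
HARDENED_PEER_OUTPUT = (SAMPLE_PEER_OUTPUT
                        .replace("Input (S,G) filter: none", "Input (S,G) filter: 100")
                        .replace("Output (S,G) filter: none", "Output (S,G) filter: 100")
                        .replace("Input filter: none", "Input filter: 1")
                        .replace("Peer ttl threshold: 0", "Peer ttl threshold: 8")
                        .replace("not enabled", "enabled"))


@dataclass
class MsdpPeer:
    address: str = ""
    asn: int = 0
    state: str = ""
    resets: int = 0
    connection_source: str = ""
    sg_filter_in: str = "none"
    sg_filter_out: str = "none"
    sa_request_filter: str = "none"
    ttl_threshold: int = 0
    sas_learned: int = 0
    md5_enabled: bool = False


def _value(line: str) -> str:
    """Text after the first colon, e.g. 'Peer ttl threshold: 0' -> '0'."""
    return line.split(":", 1)[1].strip()


def parse_msdp_peer(text: str) -> MsdpPeer:
    """Parse the fields of one show ip msdp peer block that matter for an audit."""
    peer = MsdpPeer()
    section = ""
    for raw in text.splitlines():
        line = raw.strip()
        head = re.match(r"MSDP Peer (\S+) \(.*?\), AS (\d+)", line)
        if head:
            peer.address, peer.asn = head.group(1), int(head.group(2))
        elif line.endswith(":"):        # 'Connection status:', 'SA Filtering:', 'SA-Requests:'
            section = line[:-1]
        elif line.startswith("State:"):
            m = re.match(r"State: (\w+), Resets: (\d+), Connection source: (.+)", line)
            peer.state, peer.resets, peer.connection_source = m.group(1), int(m.group(2)), m.group(3)
        elif line.startswith("Input (S,G) filter:"):
            peer.sg_filter_in = _value(line).split(",")[0].strip()
        elif line.startswith("Output (S,G) filter:"):
            peer.sg_filter_out = _value(line).split(",")[0].strip()
        elif section == "SA-Requests" and line.startswith("Input filter:"):
            peer.sa_request_filter = _value(line)
        elif line.startswith("Peer ttl threshold:"):
            peer.ttl_threshold = int(_value(line))
        elif line.startswith("SAs learned from this peer:"):
            peer.sas_learned = int(_value(line))
        elif line.startswith("MD5 signature protection"):
            peer.md5_enabled = not _value(line).startswith("not")
    return peer


def audit_peer(peer: MsdpPeer) -> List[str]:
    """Report per-peer controls from this chapter that are still at their default."""
    findings = []
    if not peer.md5_enabled:
        findings.append("MD5 signature protection on the MSDP TCP connection is not enabled")
    if peer.sg_filter_in == "none":
        findings.append("no inbound (S,G) filter: every SA message from the peer is accepted (ip msdp sa-filter in)")
    if peer.sg_filter_out == "none":
        findings.append("no outbound (S,G) filter: every cached SA is forwarded to the peer (ip msdp sa-filter out)")
    if peer.sa_request_filter == "none":
        findings.append("SA requests from the peer are honored for all groups (ip msdp filter-sa-request)")
    if peer.ttl_threshold == 0:
        findings.append("TTL threshold is 0, so all multicast data is encapsulated in SA messages (ip msdp ttl-threshold)")
    return findings


if __name__ == "__main__":
    for label, text in (("sample", SAMPLE_PEER_OUTPUT), ("hardened", HARDENED_PEER_OUTPUT)):
        peer = parse_msdp_peer(text)
        print(f"{label}: peer {peer.address} AS {peer.asn} state {peer.state}")
        for finding in audit_peer(peer):
            print("  -", finding)
```

Feed it one peer block at a time (the output of show ip msdp peer with a peer-address or peer-name). Run against the sample output, it reports all five defaults; against the constructed hardened output it reports nothing, which is the state to confirm after working through the filtering and TTL procedures in this section.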

Step 6 show ip msdp sa-cache [group-address | source-address | group-name | source-name] [as-number]


Use this command to display the (S, G) state learned from MSDP peers.
The following is sample output from the show ip msdp sa-cache command:
Example:

Device# show ip msdp sa-cache


MSDP Source-Active Cache - 8 entries
(10.44.44.5, 239.232.1.0), RP 192.168.4.4, BGP/AS 64512, 00:01:20/00:05:32, Peer 192.168.4.4
(10.44.44.5, 239.232.1.1), RP 192.168.4.4, BGP/AS 64512, 00:01:20/00:05:32, Peer 192.168.4.4
(10.44.44.5, 239.232.1.2), RP 192.168.4.4, BGP/AS 64512, 00:01:19/00:05:32, Peer 192.168.4.4
(10.44.44.5, 239.232.1.3), RP 192.168.4.4, BGP/AS 64512, 00:01:19/00:05:32, Peer 192.168.4.4
(10.44.44.5, 239.232.1.4), RP 192.168.4.4, BGP/AS 64512, 00:01:19/00:05:32, Peer 192.168.4.4
(10.44.44.5, 239.232.1.5), RP 192.168.4.4, BGP/AS 64512, 00:01:19/00:05:32, Peer 192.168.4.4
(10.44.44.5, 239.232.1.6), RP 192.168.4.4, BGP/AS 64512, 00:01:19/00:05:32, Peer 192.168.4.4
(10.44.44.5, 239.232.1.7), RP 192.168.4.4, BGP/AS 64512, 00:01:19/00:05:32, Peer 192.168.4.4

Step 7 show ip msdp summary


Use this command to display MSDP peer status.
The following is sample output from the show ip msdp summary command:
Example:

Device# show ip msdp summary


MSDP Peer Status Summary
Peer Address     AS    State    Uptime/     Reset   SA      Peer Name
                                Downtime    Count   Count
192.168.4.4      4     Up       00:08:05    0       8       ?

Clearing MSDP Connections Statistics and SA Cache Entries


Perform this optional task to clear MSDP connections, statistics, and SA cache entries.

SUMMARY STEPS
1. enable
2. clear ip msdp peer [peer-address | peer-name]
3. clear ip msdp statistics [peer-address | peer-name]
4. clear ip msdp sa-cache [group-address]

DETAILED STEPS

Step 1  enable
        Purpose: Enables privileged EXEC mode. Enter your password if prompted.
        Example:
        Device> enable

Step 2  clear ip msdp peer [peer-address | peer-name]
        Purpose: Clears the TCP connection to the specified MSDP peer and resets all MSDP message counters.
        Example:
        Device# clear ip msdp peer

Step 3  clear ip msdp statistics [peer-address | peer-name]
        Purpose: Clears the statistics counters for the specified MSDP peer and resets all MSDP message counters.
        Example:
        Device# clear ip msdp statistics

Step 4  clear ip msdp sa-cache [group-address]
        Purpose: Clears SA cache entries.
        • If the clear ip msdp sa-cache is specified with the optional group-address argument or source-address
          argument, all SA cache entries are cleared.
        • Use the optional group-address argument to clear all SA cache entries associated with a specific group.
        Example:
        Device# clear ip msdp sa-cache

Configuration Examples for Configuring MSDP


Configuring a Default MSDP Peer: Example
This example shows a partial configuration of Router A and Router C in . Each of these ISPs has more than
one customer (like the customer in ) that uses default peering (no BGP or MBGP). In that case, they might
have similar configurations. That is, they accept SAs only from a default peer if the SA is permitted by the
corresponding prefix list.
Router A

Router(config)# ip msdp default-peer 10.1.1.1


Router(config)# ip msdp default-peer 10.1.1.1 prefix-list site-a
Router(config)# ip prefix-list site-b permit 10.0.0.0/1

Router C

Router(config)# ip msdp default-peer 10.1.1.1 prefix-list site-a


Router(config)# ip prefix-list site-b permit 10.0.0.0/1

Caching Source-Active State: Example


This example shows how to enable the cache state for all sources in 171.69.0.0/16 sending to
groups 224.2.0.0/16:

SwitchDevice(config)# ip msdp cache-sa-state 100


SwitchDevice(config)# access-list 100 permit ip 171.69.0.0 0.0.255.255 224.2.0.0 0.0.255.255

Requesting Source Information from an MSDP Peer: Example


This example shows how to configure the switch to send SA request messages to the MSDP peer at 171.69.1.1:

SwitchDevice(config)# ip msdp sa-request 171.69.1.1


Controlling Source Information that Your Switch Originates: Example


This example shows how to configure the switch to filter SA request messages from the MSDP peer
at 171.69.2.2. SA request messages from sources on network 192.4.22.0 pass access list 1 and are accepted;
all others are ignored.

SwitchDevice(config)# ip msdp filter sa-request 171.69.2.2 list 1


SwitchDevice(config)# access-list 1 permit 192.4.22.0 0.0.0.255

Controlling Source Information that Your Switch Forwards: Example


This example shows how to allow only (S,G) pairs that pass access list 100 to be forwarded in an SA message
to the peer named switch.cisco.com:

SwitchDevice(config)# ip msdp peer switch.cisco.com connect-source gigabitethernet1/0/1


SwitchDevice(config)# ip msdp sa-filter out switch.cisco.com list 100
SwitchDevice(config)# access-list 100 permit ip 171.69.0.0 0.0.255.255 224.2.0.0 0.0.255.255

Controlling Source Information that Your Switch Receives: Example


This example shows how to filter all SA messages from the peer named switch.cisco.com:

SwitchDevice(config)# ip msdp peer switch.cisco.com connect-source gigabitethernet1/0/1


SwitchDevice(config)# ip msdp sa-filter in switch.cisco.com
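The SA filters in the examples above (ip msdp sa-filter, ip msdp cache-sa-state) decide per (S,G) pair with an extended access list, using Cisco wildcard masks. The following Python script is an added example, not code from the guide or from Cisco: it parses lines in the format of the show ip msdp sa-cache output shown under Monitoring MSDP, parses the numeric form of extended ACL entries (the only form used on this page; the any and host keywords are not handled), and reports which cached (S,G) entries an ACL such as access-list 100 would pass or drop. The SA cache lines and the deny entry in the ACL are constructed sample data; the matching follows standard IOS ACL semantics (first matching entry wins, implicit deny at the end).

```python
import ipaddress
import re

# Constructed sample in the format printed by "show ip msdp sa-cache" (not taken from the guide).
SA_CACHE_SAMPLE = """\
MSDP Source-Active Cache - 4 entries
(10.44.44.5, 239.232.1.0), RP 192.168.4.4, BGP/AS 64512, 00:01:20/00:05:32, Peer 192.168.4.4
(171.69.10.7, 224.2.5.9), RP 192.168.4.4, BGP/AS 64512, 00:01:19/00:05:32, Peer 192.168.4.4
(171.69.99.5, 224.2.7.1), RP 192.168.4.4, BGP/AS 64512, 00:01:19/00:05:32, Peer 192.168.4.4
(171.69.3.1, 239.1.1.1), RP 192.168.4.4, BGP/AS 64512, 00:01:19/00:05:32, Peer 192.168.4.4
"""

# Constructed extended ACL: an explicit deny for one subnet, then the permit entry used in the guide's examples.
ACL_SAMPLE = [
    "access-list 100 deny ip 171.69.99.0 0.0.0.255 224.2.0.0 0.0.255.255",
    "access-list 100 permit ip 171.69.0.0 0.0.255.255 224.2.0.0 0.0.255.255",
]

SA_LINE = re.compile(
    r"^\((?P<src>[\d.]+), (?P<grp>[\d.]+)\), RP (?P<rp>[\d.]+), (?P<origin>[^,]+), "
    r"(?P<uptime>[\d:]+)/(?P<expire>[\d:]+), Peer (?P<peer>[\d.]+)$"
)
ACE = re.compile(
    r"^access-list (?P<num>\d+) (?P<action>permit|deny) ip "
    r"(?P<src>[\d.]+) (?P<swc>[\d.]+) (?P<dst>[\d.]+) (?P<dwc>[\d.]+)$"
)


def parse_sa_cache(text):
    """Turn each (S, G) line of the SA cache output into a dict of its fields."""
    entries = []
    for line in text.splitlines():
        m = SA_LINE.match(line.strip())
        if m:
            entries.append(m.groupdict())
    return entries


def wildcard_match(addr, base, wildcard):
    """Cisco wildcard-mask match: a 1 bit in the wildcard means 'do not care' for that bit."""
    a = int(ipaddress.IPv4Address(addr))
    b = int(ipaddress.IPv4Address(base))
    w = int(ipaddress.IPv4Address(wildcard))
    care = 0xFFFFFFFF ^ w
    return (a & care) == (b & care)


def parse_extended_acl(lines, number):
    """Collect the numeric source/wildcard destination/wildcard entries of one extended ACL, in order."""
    return [m.groupdict() for m in (ACE.match(l.strip()) for l in lines)
            if m and int(m.group("num")) == number]


def acl_permits(aces, src, grp):
    """The first matching entry decides; no match means the implicit deny at the end of the ACL."""
    for ace in aces:
        if wildcard_match(src, ace["src"], ace["swc"]) and wildcard_match(grp, ace["dst"], ace["dwc"]):
            return ace["action"] == "permit"
    return False


def filter_sa_entries(sa_text, acl_lines, acl_number):
    """Split SA cache entries into those the ACL would pass and those it would drop."""
    aces = parse_extended_acl(acl_lines, acl_number)
    permitted, dropped = [], []
    for e in parse_sa_cache(sa_text):
        pair = (e["src"], e["grp"])
        (permitted if acl_permits(aces, e["src"], e["grp"]) else dropped).append(pair)
    return permitted, dropped


if __name__ == "__main__":
    ok, no = filter_sa_entries(SA_CACHE_SAMPLE, ACL_SAMPLE, 100)
    print("would pass:", ok)
    print("would drop:", no)
```

Run against a saved show ip msdp sa-cache capture and the access list from the running configuration, the script shows which learned sources a filter would suppress before the filter is applied on the switch, which is the check to make when an inbound or outbound SA filter is being tightened.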

Example: Configuring MSDP Mesh Groups


The following example shows how to configure three devices to be fully meshed members of an MSDP mesh
group:

Device A Configuration

ip msdp peer 10.2.2.2


ip msdp peer 10.3.3.3
ip msdp mesh-group test-mesh-group 10.2.2.2
ip msdp mesh-group test-mesh-group 10.3.3.3

Device B Configuration

ip msdp peer 10.1.1.1


ip msdp peer 10.3.3.3
ip msdp mesh-group test-mesh-group 10.1.1.1
ip msdp mesh-group test-mesh-group 10.3.3.3

Device C Configuration

ip msdp peer 10.1.1.1


ip msdp peer 10.2.2.2


ip msdp mesh-group test-mesh-group 10.1.1.1
ip msdp mesh-group test-mesh-group 10.2.2.2

PART IX
Security
• Security Features Overview, on page 1147
• Preventing Unauthorized Access , on page 1151
• Controlling Switch Access with Passwords and Privilege Levels , on page 1153
• Configuring TACACS+ , on page 1171
• Configuring RADIUS , on page 1185
• Configuring Kerberos , on page 1231
• Configuring Local Authentication and Authorization , on page 1237
• Configuring Secure Shell (SSH) , on page 1241
• Configuring Secure Socket Layer HTTP , on page 1251
• Configuring IPv4 ACLs , on page 1263
• Configuring IPv6 ACLs, on page 1313
• Configuring DHCP , on page 1323
• Configuring IP Source Guard , on page 1345
• Configuring Dynamic ARP Inspection, on page 1353
• Configuring IEEE 802.1x Port-Based Authentication, on page 1371
• Configuring Web-Based Authentication , on page 1461
• Configuring Port-Based Traffic Control, on page 1487
• Configuring IPv6 First Hop Security, on page 1533
• Configuring FIPS, on page 1565
CHAPTER 48
Security Features Overview
• Security Features Overview, on page 1147

Security Features Overview


The security features are as follows:
• IPv6 First Hop Security—A suite of security features to be applied at the first hop switch to protect
against vulnerabilities inherent in IPv6 networks. These include, Binding Integrity Guard (Binding Table),
Router Advertisement Guard (RA Guard), DHCP Guard, IPv6 Neighbor Discovery Inspection (ND
Guard), and IPv6 Source Guard.
• Web Authentication—Allows a supplicant (client) that does not support IEEE 802.1x functionality to
be authenticated using a web browser.
• Local Web Authentication Banner—A custom banner or an image file displayed at a web authentication
login screen.
• IEEE 802.1x Authentication with ACLs and the RADIUS Filter-Id Attribute
• Password-protected access (read-only and read-write access) to management interfaces (device manager,
Network Assistant, and the CLI) for protection against unauthorized configuration changes
• Multilevel security for a choice of security level, notification, and resulting actions
• Static MAC addressing for ensuring security
• Protected port option for restricting the forwarding of traffic to designated ports on the same switch
• Port security option for limiting and identifying MAC addresses of the stations allowed to access the
port
• VLAN aware port security option to shut down the VLAN on the port when a violation occurs, instead
of shutting down the entire port.
• Port security aging to set the aging time for secure addresses on a port.
• Protocol storm protection to control the rate of incoming protocol traffic to a switch by dropping packets
that exceed a specified ingress rate.
• BPDU guard for shutting down a Port Fast-configured port when an invalid configuration occurs.


• Standard and extended IP access control lists (ACLs) for defining inbound security policies on Layer 2
interfaces (port ACLs).
• Extended MAC access control lists for defining security policies in the inbound direction on Layer 2
interfaces.
• Source and destination MAC-based ACLs for filtering non-IP traffic.
• DHCP snooping to filter untrusted DHCP messages between untrusted hosts and DHCP servers.
• IP source guard to restrict traffic on nonrouted interfaces by filtering traffic based on the DHCP snooping
database and IP source bindings
• Dynamic ARP inspection to prevent malicious attacks on the switch by not relaying invalid ARP requests
and responses to other ports in the same VLAN
• IEEE 802.1x port-based authentication to prevent unauthorized devices (clients) from gaining access to
the network. These 802.1x features are supported:
• Multidomain authentication (MDA) to allow both a data device and a voice device, such as an IP
phone (Cisco or non-Cisco), to independently authenticate on the same IEEE 802.1x-enabled switch
port.
• Dynamic voice virtual LAN (VLAN) for MDA to allow a dynamic voice VLAN on an MDA-enabled
port.
• VLAN assignment for restricting 802.1x-authenticated users to a specified VLAN.
• Support for VLAN assignment on a port configured for multi-auth mode. The RADIUS server
assigns a VLAN to the first host to authenticate on the port, and subsequent hosts use the same
VLAN. Voice VLAN assignment is supported for one IP phone.
• Port security for controlling access to 802.1x ports.
• Voice VLAN to permit a Cisco IP Phone to access the voice VLAN regardless of the authorized or
unauthorized state of the port.
• IP phone detection enhancement to detect and recognize a Cisco IP phone.
• Guest VLAN to provide limited services to non-802.1x-compliant users.
• Restricted VLAN to provide limited services to users who are 802.1x compliant, but do not have
the credentials to authenticate via the standard 802.1x processes.
• 802.1x accounting to track network usage.
• 802.1x with wake-on-LAN to allow dormant PCs to be powered on based on the receipt of a specific
Ethernet frame.
• 802.1x readiness check to determine the readiness of connected end hosts before configuring IEEE
802.1x on the switch.
• Voice aware 802.1x security to apply traffic violation actions only on the VLAN on which a security
violation occurs.
• MAC authentication bypass (MAB) to authorize clients based on the client MAC address.
• Network Admission Control (NAC) Layer 2 802.1x validation of the antivirus condition or posture
of endpoint systems or clients before granting the devices network access.


• Network Edge Access Topology (NEAT) with 802.1X switch supplicant, host authorization with
CISP, and auto enablement to authenticate a switch outside a wiring closet as a supplicant to another
switch.
• IEEE 802.1x with open access to allow a host to access the network before being authenticated.
• IEEE 802.1x authentication with downloadable ACLs and redirect URLs to allow per-user ACL
downloads from a Cisco Secure ACS server to an authenticated switch.
• Support for dynamic creation or attachment of an auth-default ACL on a port that has no configured
static ACLs.
• Flexible-authentication sequencing to configure the order of the authentication methods that a port
tries when authenticating a new host.
• Multiple-user authentication to allow more than one host to authenticate on an 802.1x-enabled port.

• TACACS+, a proprietary feature for managing network security through a TACACS server for both
IPv4 and IPv6.
• RADIUS for verifying the identity of, granting access to, and tracking the actions of remote users through
authentication, authorization, and accounting (AAA) services for both IPv4 and IPv6.
• Enhancements to RADIUS, TACACS+, and SSH to function over IPv6.
• Secure Socket Layer (SSL) Version 3.0 support for the HTTP 1.1 server authentication, encryption, and
message integrity and HTTP client authentication to allow secure HTTP communications (requires the
cryptographic version of the software).
• IEEE 802.1x Authentication with ACLs and the RADIUS Filter-Id Attribute.
• Support for IP source guard on static hosts.
• RADIUS Change of Authorization (CoA) to change the attributes of a certain session after it is
authenticated. When there is a change in policy for a user or user group in AAA, administrators can send
the RADIUS CoA packets from the AAA server, such as Cisco Identity Services Engine, or Cisco Secure
ACS to reinitialize authentication, and apply to the new policies.
• IEEE 802.1x User Distribution to allow deployments with multiple VLANs (for a group of users) to
improve scalability of the network by load balancing users across different VLANs. Authorized users
are assigned to the least populated VLAN in the group, assigned by RADIUS server.
• Support for critical VLAN with multiple-host authentication so that when a port is configured for
multi-auth, and an AAA server becomes unreachable, the port is placed in a critical VLAN in order to
still permit access to critical resources.
• Support for Network Edge Access Topology (NEAT) to change the port host mode and to apply a standard
port configuration on the authenticator switch port.
• VLAN-ID based MAC authentication to use the combined VLAN and MAC address information for
user authentication to prevent network access from unauthorized VLANs.
• MAC move to allow hosts (including the hosts connected behind an IP phone) to move across ports
within the same switch without any restrictions to enable mobility. With MAC move, the switch treats
the reappearance of the same MAC address on another port in the same way as a completely new MAC
address.


• Support for 3DES and AES with version 3 of the Simple Network Management Protocol (SNMPv3).
This release adds support for the 168-bit Triple Data Encryption Standard (3DES) and the 128-bit, 192-bit,
and 256-bit Advanced Encryption Standard (AES) encryption algorithms to SNMPv3.

CHAPTER 49
Preventing Unauthorized Access
• Finding Feature Information, on page 1151
• Preventing Unauthorized Access, on page 1151

Finding Feature Information


Your software release may not support all the features documented in this module. For the latest caveats and
feature information, see Bug Search Tool and the release notes for your platform and software release. To
find information about the features documented in this module, and to see a list of the releases in which each
feature is supported, see the feature information table at the end of this module.
Use Cisco Feature Navigator to find information about platform support and Cisco software image support.
To access Cisco Feature Navigator, go to http://www.cisco.com/go/cfn. An account on Cisco.com is not
required.

Preventing Unauthorized Access


You can prevent unauthorized users from reconfiguring your switch and viewing configuration information.
Typically, you want network administrators to have access to your switch while you restrict access to users
who dial from outside the network through an asynchronous port, connect from outside the network through
a serial port, or connect through a terminal or workstation from within the local network.
To prevent unauthorized access into your switch, you should configure one or more of these security features:
• At a minimum, you should configure passwords and privileges at each switch port. These passwords are
locally stored on the switch. When users attempt to access the switch through a port or line, they must
enter the password specified for the port or line before they can access the switch.
• For an additional layer of security, you can also configure username and password pairs, which are locally
stored on the switch. These pairs are assigned to lines or ports and authenticate each user before that user
can access the switch. If you have defined privilege levels, you can also assign a specific privilege level
(with associated rights and privileges) to each username and password pair.
• If you want to use username and password pairs, but you want to store them centrally on a server instead
of locally, you can store them in a database on a security server. Multiple networking devices can then
use the same database to obtain user authentication (and, if necessary, authorization) information.


• You can also enable the login enhancements feature, which logs both failed and unsuccessful login
attempts. Login enhancements can also be configured to block future login attempts after a set number
of unsuccessful attempts are made. For more information, see the Cisco IOS Login Enhancements
documentation.

Related Topics
Configuring Username and Password Pairs, on page 1162
TACACS+ and Switch Access, on page 1173
Setting a Telnet Password for a Terminal Line, on page 1161

CHAPTER 50
Controlling Switch Access with Passwords and
Privilege Levels
• Finding Feature Information, on page 1153
• Restrictions for Controlling Switch Access with Passwords and Privileges, on page 1153
• Information About Passwords and Privilege Levels, on page 1154
• How to Control Switch Access with Passwords and Privilege Levels, on page 1156
• Monitoring Switch Access, on page 1168
• Configuration Examples for Setting Passwords and Privilege Levels, on page 1168

Finding Feature Information


Your software release may not support all the features documented in this module. For the latest caveats and
feature information, see Bug Search Tool and the release notes for your platform and software release. To
find information about the features documented in this module, and to see a list of the releases in which each
feature is supported, see the feature information table at the end of this module.
Use Cisco Feature Navigator to find information about platform support and Cisco software image support.
To access Cisco Feature Navigator, go to http://www.cisco.com/go/cfn. An account on Cisco.com is not
required.

Restrictions for Controlling Switch Access with Passwords and Privileges

The following are the restrictions for controlling switch access with passwords and privileges:
• Disabling password recovery will not work if you have set the switch to boot up manually by using the
boot manual global configuration command. This command produces the boot loader prompt (switch:)
after the switch is power cycled.

Related Topics
Disabling Password Recovery, on page 1159
Password Recovery, on page 1154


Information About Passwords and Privilege Levels


Default Password and Privilege Level Configuration
A simple way of providing terminal access control in your network is to use passwords and assign privilege
levels. Password protection restricts access to a network or network device. Privilege levels define what
commands users can enter after they have logged into a network device.
This table shows the default password and privilege level configuration.

Table 125: Default Password and Privilege Levels

Feature                                  Default Setting
Enable password and privilege level      No password is defined. The default is level 15 (privileged EXEC level).
                                         The password is not encrypted in the configuration file.
Enable secret password and privilege     No password is defined. The default is level 15 (privileged EXEC level).
level                                    The password is encrypted before it is written to the configuration file.
Line password                            No password is defined.

Additional Password Security


To provide an additional layer of security, particularly for passwords that cross the network or that are stored
on a Trivial File Transfer Protocol (TFTP) server, you can use either the enable password or enable secret
global configuration commands. Both commands accomplish the same thing; that is, you can establish an
encrypted password that users must enter to access privileged EXEC mode (the default) or any privilege level
you specify.
We recommend that you use the enable secret command because it uses an improved encryption algorithm.
If you configure the enable secret command, it takes precedence over the enable password command; the
two commands cannot be in effect simultaneously.
If you enable password encryption, it applies to all passwords including username passwords, authentication
key passwords, the privileged command password, and console and virtual terminal line passwords.
Related Topics
Protecting Enable and Enable Secret Passwords with Encryption, on page 1158
Example: Protecting Enable and Enable Secret Passwords with Encryption, on page 1168
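The points made above (enable secret over enable password because it is stored nonreversibly, service password-encryption to keep passwords unreadable in the file, and the default of no password on lines from Table 125) can be checked mechanically against a saved running-config. The following Python script is an added example, not code from the guide or from Cisco: it walks a configuration and reports an enable password (type 0 or 7, both recoverable from the file), a username stored with password rather than secret, a line whose password is type 0 or 7, a line with neither a password nor login local, a missing enable secret, and a missing service password-encryption. The sample configurations and the type-5 hash in them are constructed; the finding codes are this script's own names, not Cisco terms.

```python
import re

# Constructed sample running-config (not from the guide) exercising the cases the guide describes.
SAMPLE_CONFIG = """\
hostname SwitchDevice
!
enable password secret321
username admin password 0 letmein
username ops secret 5 $1$abcd$constructedhashvalue
!
line con 0
 password 7 094F471A1A0A
 login
line vty 0 4
 login local
line vty 5 15
 login
!
"""

# Constructed hardened counterpart: nonreversible enable secret, encryption service on, lines use local users.
HARDENED_CONFIG = """\
enable secret 5 $1$abcd$constructedhashvalue
service password-encryption
line con 0
 login local
line vty 0 4
 login local
"""

USERNAME_PASSWORD = re.compile(r"^username \S+ (?:privilege \d+ )?password\b")
LINE_PASSWORD = re.compile(r"^password (?:(?P<type>[07]) )?\S+$")


def audit_password_storage(config_text):
    """Return a list of (code, detail) findings about how credentials are stored in the config."""
    findings = []
    has_enable_secret = False
    has_service_encryption = False
    line_blocks = {}   # "line vty 0 4" -> {"password": encryption type or None, "login_local": bool}
    current = None
    for raw in config_text.splitlines():
        text = raw.strip()
        if not text or text.startswith("!"):
            continue
        if raw.startswith(" ") and current is not None:
            # Indented lines belong to the open line block.
            m = LINE_PASSWORD.match(text)
            if m:
                line_blocks[current]["password"] = m.group("type") or "0"
            elif text == "login local":
                line_blocks[current]["login_local"] = True
            continue
        current = None
        if text.startswith("line "):
            current = text
            line_blocks[current] = {"password": None, "login_local": False}
        elif text.startswith("enable secret"):
            has_enable_secret = True
        elif text.startswith("enable password"):
            # Type 0 is clear text and type 7 is reversible; enable secret is the nonreversible form.
            findings.append(("ENABLE_PASSWORD_REVERSIBLE", text))
        elif USERNAME_PASSWORD.match(text):
            findings.append(("USERNAME_PASSWORD_REVERSIBLE", text))
        elif text == "service password-encryption":
            has_service_encryption = True
    for name, info in line_blocks.items():
        if info["password"] is None and not info["login_local"]:
            findings.append(("LINE_NO_PASSWORD", name))
        elif info["password"] is not None:
            findings.append(("LINE_PASSWORD_REVERSIBLE", f"{name} (type {info['password']})"))
    if not has_enable_secret:
        findings.append(("NO_ENABLE_SECRET", "enable secret is not configured"))
    if not has_service_encryption:
        findings.append(("NO_SERVICE_PASSWORD_ENCRYPTION", "type 0 passwords stay readable in the file"))
    return findings


if __name__ == "__main__":
    for code, detail in audit_password_storage(SAMPLE_CONFIG):
        print(f"{code:32} {detail}")
```

An enable password line is reported even when an enable secret is also present: the guide notes that the secret takes precedence, but the enable password still sits in the configuration file in a recoverable form and should be removed rather than left behind.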

Password Recovery
By default, any end user with physical access to the switch can recover from a lost password by interrupting
the boot process while the switch is powering on and then by entering a new password.
The password-recovery disable feature protects access to the switch password by disabling part of this
functionality. When this feature is enabled, the end user can interrupt the boot process only by agreeing to set
the system back to the default configuration. With password recovery disabled, you can still interrupt the boot
process and change the password, but the configuration file (config.text) and the VLAN database file (vlan.dat)
are deleted.
If you disable password recovery, we recommend that you keep a backup copy of the configuration file on a
secure server in case the end user interrupts the boot process and sets the system back to default values. Do
not keep a backup copy of the configuration file on the switch. If the switch is operating in VTP transparent
mode, we recommend that you also keep a backup copy of the VLAN database file on a secure server. When
the switch is returned to the default system configuration, you can download the saved files to the switch by
using the Xmodem protocol.
To re-enable password recovery, use the service password-recovery global configuration command.
Related Topics
Disabling Password Recovery, on page 1159
Restrictions for Controlling Switch Access with Passwords and Privileges, on page 1153

Terminal Line Telnet Configuration


When you power-up your switch for the first time, an automatic setup program runs to assign IP information
and to create a default configuration for continued use. The setup program also prompts you to configure your
switch for Telnet access through a password. If you did not configure this password during the setup program,
you can configure it when you set a Telnet password for a terminal line.
Related Topics
Setting a Telnet Password for a Terminal Line, on page 1161
Example: Setting a Telnet Password for a Terminal Line, on page 1168

Username and Password Pairs


You can configure username and password pairs, which are locally stored on the switch. These pairs are
assigned to lines or ports and authenticate each user before that user can access the switch. If you have defined
privilege levels, you can also assign a specific privilege level (with associated rights and privileges) to each
username and password pair.
Related Topics
Configuring Username and Password Pairs, on page 1162

Privilege Levels
Cisco switches (and other devices) use privilege levels to provide password security for different levels of
switch operation. By default, the Cisco IOS software operates in two modes (privilege levels) of password
security: user EXEC (Level 1) and privileged EXEC (Level 15). You can configure up to 16 hierarchical
levels of commands for each mode. By configuring multiple passwords, you can allow different sets of users
to have access to specified commands.

Privilege Levels on Lines


Users can override the privilege level you set using the privilege level line configuration command by logging
in to the line and enabling a different privilege level. They can lower the privilege level by using the disable
command. If users know the password to a higher privilege level, they can use that password to enable the
higher privilege level. You might specify a high level or privilege level for your console line to restrict line
usage.
For example, if you want many users to have access to the clear line command, you can assign it level 2 security
and distribute the level 2 password fairly widely. But if you want more restricted access to the configure
command, you can assign it level 3 security and distribute that password to a more restricted group of users.

Command Privilege Levels


When you set a command to a privilege level, all commands whose syntax is a subset of that command are
also set to that level. For example, if you set the show ip traffic command to level 15, the show commands
and show ip commands are automatically set to privilege level 15 unless you set them individually to different
levels.
Related Topics
Setting the Privilege Level for a Command, on page 1164
Example: Setting the Privilege Level for a Command, on page 1169
Changing the Default Privilege Level for Lines, on page 1166
Logging into and Exiting a Privilege Level, on page 1167
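The subset rule described under Command Privilege Levels is easy to misjudge by eye when several privilege statements are in place. The following Python script is an added example, not code from the guide or from Cisco: it reads privilege exec level statements from a configuration and computes the level each configured command and each of its prefixes ends up with under the rule stated above (a prefix inherits the level unless it was set individually). The sample statements are constructed around the guide's show ip traffic and clear line examples. One assumption the guide does not state: if two statements imply different levels for a shared prefix that was not itself configured, this script keeps the later statement, mirroring running-config order.

```python
import re

# Constructed sample (not from the guide): the guide's show ip traffic example, an explicit level for
# the bare show command, and clear line at level 2 as the guide suggests.
SAMPLE_PRIVILEGE_CONFIG = """\
privilege exec level 15 show ip traffic
privilege exec level 1 show
privilege exec level 2 clear line
"""

PRIV_RE = re.compile(r"^privilege (?P<mode>\S+) level (?P<level>\d+) (?P<cmd>.+)$")


def parse_privilege_statements(config_text):
    """Return (mode, level, command-words) for each 'privilege <mode> level <n> <command>' line."""
    statements = []
    for line in config_text.splitlines():
        m = PRIV_RE.match(line.strip())
        if m:
            statements.append((m.group("mode"), int(m.group("level")), tuple(m.group("cmd").split())))
    return statements


def effective_command_levels(statements, mode="exec"):
    """Apply the guide's rule: every prefix (syntax subset) of a configured command takes that
    command's level unless the prefix was configured on its own, in which case its own level wins.
    Assumption not stated in the guide: for an unconfigured prefix shared by two statements with
    different levels, the later statement is kept (running-config order)."""
    explicit = {cmd: level for m, level, cmd in statements if m == mode}
    levels = {}
    for m, level, cmd in statements:
        if m != mode:
            continue
        for n in range(1, len(cmd) + 1):
            prefix = cmd[:n]
            levels[prefix] = explicit.get(prefix, level)
    return {" ".join(words): level for words, level in levels.items()}


def can_run(levels, user_level, command, default_level=1):
    """True if a user at user_level may enter command. Commands the statements do not touch keep
    default_level; 1 (user EXEC) is only a placeholder, pass the command's real default if known."""
    return user_level >= levels.get(command, default_level)


if __name__ == "__main__":
    lv = effective_command_levels(parse_privilege_statements(SAMPLE_PRIVILEGE_CONFIG))
    for command, level in sorted(lv.items()):
        print(f"{level:>2}  {command}")
```

With these statements, show ip is raised to level 15 by inheritance from show ip traffic, while the bare show command stays at level 1 because it was set individually; reading the output for each statement you add is the quickest way to see which prefixes a single privilege command has moved.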

How to Control Switch Access with Passwords and Privilege Levels

Setting or Changing a Static Enable Password
The enable password controls access to the privileged EXEC mode. Follow these steps to set or change a
static enable password:

SUMMARY STEPS
1. enable
2. configure terminal
3. enable password password
4. end
5. show running-config
6. copy running-config startup-config

DETAILED STEPS

Step 1  enable
        Purpose: Enables privileged EXEC mode. Enter your password if prompted.
        Example:
        SwitchDevice> enable

Step 2  configure terminal
        Purpose: Enters the global configuration mode.
        Example:
        SwitchDevice# configure terminal

Step 3  enable password password
        Purpose: Defines a new password or changes an existing password for access to privileged EXEC mode.
        By default, no password is defined.
        For password, specify a string from 1 to 25 alphanumeric characters. The string cannot start with a number,
        is case sensitive, and allows spaces but ignores leading spaces. It can contain the question mark (?) character
        if you precede the question mark with the key combination Ctrl-v when you create the password; for example,
        to create the password abc?123, do this:
        1. Enter abc.
        2. Enter Ctrl-v.
        3. Enter ?123.
        When the system prompts you to enter the enable password, you need not precede the question mark with
        the Ctrl-v; you can simply enter abc?123 at the password prompt.
        Example:
        SwitchDevice(config)# enable password secret321

Step 4  end
        Purpose: Returns to privileged EXEC mode.
        Example:
        SwitchDevice(config)# end

Step 5  show running-config
        Purpose: Verifies your entries.
        Example:
        SwitchDevice# show running-config

Step 6  copy running-config startup-config
        Purpose: (Optional) Saves your entries in the configuration file.
        Example:
        SwitchDevice# copy running-config startup-config

Related Topics
Example: Setting or Changing a Static Enable Password, on page 1168


Protecting Enable and Enable Secret Passwords with Encryption


Follow these steps to establish an encrypted password that users must enter to access privileged EXEC mode
(the default) or any privilege level you specify:

SUMMARY STEPS
1. enable
2. configure terminal
3. Use one of the following:
• enable password [level level] {password | encryption-type encrypted-password}
• enable secret [level level] {password | encryption-type encrypted-password}
4. service password-encryption
5. end
6. show running-config
7. copy running-config startup-config

DETAILED STEPS

Step 1  enable
        Purpose: Enables privileged EXEC mode. Enter your password if prompted.
        Example:
        SwitchDevice> enable

Step 2  configure terminal
        Purpose: Enters the global configuration mode.
        Example:
        SwitchDevice# configure terminal

Step 3  Use one of the following:
        • enable password [level level] {password | encryption-type encrypted-password}
        • enable secret [level level] {password | encryption-type encrypted-password}
        Purpose:
        • Defines a new password or changes an existing password for access to privileged EXEC mode.
        • Defines a secret password, which is saved using a nonreversible encryption method.
        • (Optional) For level, the range is from 0 to 15. Level 1 is normal user EXEC mode privileges. The default
          level is 15 (privileged EXEC mode privileges).
        • For password, specify a string from 1 to 25 alphanumeric characters. The string cannot start with a number,
          is case sensitive, and allows spaces but ignores leading spaces. By default, no password is defined.
        • (Optional) For encryption-type, only type 5, a Cisco proprietary encryption algorithm, is available. If you
          specify an encryption type, you must provide an encrypted password—an encrypted password that you copy
          from another switch configuration.
        Note: If you specify an encryption type and then enter a clear text password, you cannot re-enter privileged
        EXEC mode. You cannot recover a lost encrypted password by any method.
        Example:
        SwitchDevice(config)# enable password example102
        or
        SwitchDevice(config)# enable secret level 1 password secret123sample

Step 4  service password-encryption
        Purpose: (Optional) Encrypts the password when the password is defined or when the configuration is written.
        Encryption prevents the password from being readable in the configuration file.
        Example:
        SwitchDevice(config)# service password-encryption

Step 5  end
        Purpose: Returns to privileged EXEC mode.
        Example:
        SwitchDevice(config)# end

Step 6  show running-config
        Purpose: Verifies your entries.
        Example:
        SwitchDevice# show running-config

Step 7  copy running-config startup-config
        Purpose: (Optional) Saves your entries in the configuration file.
        Example:
        SwitchDevice# copy running-config startup-config

Related Topics
Additional Password Security, on page 1154
Example: Protecting Enable and Enable Secret Passwords with Encryption, on page 1168

Disabling Password Recovery


Follow these steps to disable password recovery to protect the security of your switch:


Before you begin


If you disable password recovery, we recommend that you keep a backup copy of the configuration file on a
secure server in case the end user interrupts the boot process and sets the system back to default values. Do
not keep a backup copy of the configuration file on the switch. If the switch is operating in VTP transparent
mode, we recommend that you also keep a backup copy of the VLAN database file on a secure server. When
the switch is returned to the default system configuration, you can download the saved files to the switch by
using the Xmodem protocol.

SUMMARY STEPS
1. enable
2. configure terminal
3. no service password-recovery
4. end
5. show running-config
6. copy running-config startup-config

DETAILED STEPS

Command or Action Purpose


Step 1 enable Enables privileged EXEC mode. Enter your password if
prompted.
Example:

SwitchDevice> enable

Step 2 configure terminal Enters the global configuration mode.


Example:

SwitchDevice# configure terminal

Step 3 no service password-recovery Disables password recovery.
This setting is saved in an area of the flash memory that is accessible by the boot loader and the Cisco IOS image, but it is not part of the file system and is not accessible by any user.
Example:
SwitchDevice(config)# no service password-recovery

Step 4 end Returns to privileged EXEC mode.


Example:

SwitchDevice(config)# end

Step 5 show running-config Verifies your entries.


Example:

SwitchDevice# show running-config

Step 6 copy running-config startup-config (Optional) Saves your entries in the configuration file.
Example:

SwitchDevice# copy running-config startup-config

What to do next
To re-enable password recovery, use the service password-recovery global configuration command.
Related Topics
Password Recovery, on page 1154
Restrictions for Controlling Switch Access with Passwords and Privileges, on page 1153

Setting a Telnet Password for a Terminal Line


Beginning in user EXEC mode, follow these steps to set a Telnet password for the connected terminal line:

Before you begin


• Attach a PC or workstation with emulation software to the switch console port, or attach a PC to the
Ethernet management port.
• The default data characteristics of the console port are 9600, 8, 1, no parity. You might need to press the
Return key several times to see the command-line prompt.

SUMMARY STEPS
1. enable
2. configure terminal
3. line vty 0 15
4. password password
5. end
6. show running-config
7. copy running-config startup-config

DETAILED STEPS

Command or Action Purpose


Step 1 enable Enters privileged EXEC mode.
Note If a password is required for access to privileged EXEC mode, you will be prompted for it.
Example:
SwitchDevice> enable


Step 2 configure terminal Enters the global configuration mode.
Example:

SwitchDevice# configure terminal

Step 3 line vty 0 15 Configures the number of Telnet sessions (lines), and enters line configuration mode.
There are 16 possible sessions on a command-capable switch. The 0 and 15 mean that you are configuring all 16 possible Telnet sessions.
Example:
SwitchDevice(config)# line vty 0 15

Step 4 password password Sets a Telnet password for the line or lines.
For password, specify a string from 1 to 25 alphanumeric characters. The string cannot start with a number, is case sensitive, and allows spaces but ignores leading spaces. By default, no password is defined.
Example:
SwitchDevice(config-line)# password abcxyz543

Step 5 end Returns to privileged EXEC mode.


Example:

SwitchDevice(config-line)# end

Step 6 show running-config Verifies your entries.


Example:

SwitchDevice# show running-config

Step 7 copy running-config startup-config (Optional) Saves your entries in the configuration file.
Example:

SwitchDevice# copy running-config startup-config

Related Topics
Preventing Unauthorized Access, on page 1151
Terminal Line Telnet Configuration, on page 1155
Example: Setting a Telnet Password for a Terminal Line, on page 1168

Configuring Username and Password Pairs


Follow these steps to configure username and password pairs:


SUMMARY STEPS
1. enable
2. configure terminal
3. username name [privilege level] {password encryption-type password}
4. Use one of the following:
• line console 0
• line vty 0 15
5. login local
6. end
7. show running-config
8. copy running-config startup-config

DETAILED STEPS

Command or Action Purpose


Step 1 enable Enables privileged EXEC mode. Enter your password if
prompted.
Example:

SwitchDevice> enable

Step 2 configure terminal Enters the global configuration mode.


Example:

SwitchDevice# configure terminal

Step 3 username name [privilege level] {password encryption-type password} Sets the username, privilege level, and password for each user.
• For name, specify the user ID as one word or the MAC address. Spaces and quotation marks are not allowed.
• You can configure a maximum of 12000 clients each, for both username and MAC filter.
• (Optional) For level, specify the privilege level the user has after gaining access. The range is 0 to 15. Level 15 gives privileged EXEC mode access. Level 1 gives user EXEC mode access.
• For encryption-type, enter 0 to specify that an unencrypted password will follow. Enter 7 to specify that a hidden password will follow.
• For password, specify the password the user must enter to gain access to the switch. The password must be from 1 to 25 characters, can contain embedded spaces, and must be the last option specified in the username command.
Example:
SwitchDevice(config)# username adamsample privilege 1 password secret456
SwitchDevice(config)# username 111111111111 mac attribute


Step 4 Use one of the following: Enters line configuration mode, and configures the console port (line 0) or the VTY lines (line 0 to 15).
• line console 0
• line vty 0 15
Example:
SwitchDevice(config)# line console 0
or
SwitchDevice(config)# line vty 15

Step 5 login local Enables local password checking at login time. Authentication is based on the username specified in Step 3.
Example:
SwitchDevice(config-line)# login local

Step 6 end Returns to privileged EXEC mode.


Example:

SwitchDevice(config)# end

Step 7 show running-config Verifies your entries.


Example:

SwitchDevice# show running-config

Step 8 copy running-config startup-config (Optional) Saves your entries in the configuration file.
Example:

SwitchDevice# copy running-config startup-config

Related Topics
Preventing Unauthorized Access, on page 1151
Username and Password Pairs, on page 1155

Setting the Privilege Level for a Command


Follow these steps to set the privilege level for a command:

SUMMARY STEPS
1. enable
2. configure terminal
3. privilege mode level level command

4. enable password level level password
5. end
6. copy running-config startup-config

DETAILED STEPS

Command or Action Purpose


Step 1 enable Enables privileged EXEC mode. Enter your password if
prompted.
Example:

SwitchDevice> enable

Step 2 configure terminal Enters the global configuration mode.


Example:

SwitchDevice# configure terminal

Step 3 privilege mode level level command Sets the privilege level for a command.
• For mode, enter configure for global configuration mode, exec for EXEC mode, interface for interface configuration mode, or line for line configuration mode.
• For level, the range is from 0 to 15. Level 1 is for normal user EXEC mode privileges. Level 15 is the level of access permitted by the enable password.
• For command, specify the command to which you want to restrict access.
Example:
SwitchDevice(config)# privilege exec level 14 configure

Step 4 enable password level level password Specifies the password to enable the privilege level.
• For level, the range is from 0 to 15. Level 1 is for normal user EXEC mode privileges.
• For password, specify a string from 1 to 25 alphanumeric characters. The string cannot start with a number, is case sensitive, and allows spaces but ignores leading spaces. By default, no password is defined.
Example:
SwitchDevice(config)# enable password level 14 SecretPswd14

Step 5 end Returns to privileged EXEC mode.


Example:

SwitchDevice(config)# end


Step 6 copy running-config startup-config (Optional) Saves your entries in the configuration file.
Example:

SwitchDevice# copy running-config startup-config

Related Topics
Privilege Levels, on page 1155
Example: Setting the Privilege Level for a Command, on page 1169

Changing the Default Privilege Level for Lines


Follow these steps to change the default privilege level for the specified line:

SUMMARY STEPS
1. enable
2. configure terminal
3. line vty line
4. privilege level level
5. end
6. copy running-config startup-config

DETAILED STEPS

Command or Action Purpose


Step 1 enable Enables privileged EXEC mode. Enter your password if
prompted.
Example:

SwitchDevice> enable

Step 2 configure terminal Enters the global configuration mode.


Example:

SwitchDevice# configure terminal

Step 3 line vty line Selects the virtual terminal line on which to restrict access.
Example:

SwitchDevice(config)# line vty 10

Step 4 privilege level level Changes the default privilege level for the line.
For level, the range is from 0 to 15. Level 1 is for normal user EXEC mode privileges. Level 15 is the level of access permitted by the enable password.
Example:
SwitchDevice(config)# privilege level 15

Step 5 end Returns to privileged EXEC mode.


Example:

SwitchDevice(config)# end

Step 6 copy running-config startup-config (Optional) Saves your entries in the configuration file.
Example:

SwitchDevice# copy running-config startup-config

What to do next
Users can override the privilege level you set using the privilege level line configuration command by logging
in to the line and enabling a different privilege level. They can lower the privilege level by using the disable
command. If users know the password to a higher privilege level, they can use that password to enable the
higher privilege level. You might specify a high privilege level for your console line to restrict line usage.
Related Topics
Privilege Levels, on page 1155

Logging into and Exiting a Privilege Level


Beginning in user EXEC mode, follow these steps to log into a specified privilege level and exit a specified
privilege level.

SUMMARY STEPS
1. enable level
2. disable level

DETAILED STEPS

Command or Action Purpose


Step 1 enable level Logs in to a specified privilege level. For level, the range is 0 to 15. Following the example, Level 15 is privileged EXEC mode.
Example:
SwitchDevice> enable 15

Step 2 disable level Exits to a specified privilege level. For level, the range is 0 to 15. Following the example, Level 1 is user EXEC mode.
Example:
SwitchDevice# disable 1

Related Topics
Privilege Levels, on page 1155

Monitoring Switch Access


Table 126: Commands for Displaying DHCP Information

show privilege Displays the privilege level configuration.

Configuration Examples for Setting Passwords and Privilege Levels
Example: Setting or Changing a Static Enable Password
This example shows how to change the enable password to l1u2c3k4y5. The password is not encrypted and
provides access to level 15 (traditional privileged EXEC mode access):

SwitchDevice(config)# enable password l1u2c3k4y5

Related Topics
Setting or Changing a Static Enable Password, on page 1156

Example: Protecting Enable and Enable Secret Passwords with Encryption


This example shows how to configure the encrypted password $1$FaD0$Xyti5Rkls3LoyxzS8 for privilege
level 2:

SwitchDevice(config)# enable secret level 2 5 $1$FaD0$Xyti5Rkls3LoyxzS8

Related Topics
Protecting Enable and Enable Secret Passwords with Encryption, on page 1158
Additional Password Security, on page 1154

Example: Setting a Telnet Password for a Terminal Line


This example shows how to set the Telnet password to let45me67in89:

SwitchDevice(config)# line vty 10
SwitchDevice(config-line)# password let45me67in89

Related Topics
Setting a Telnet Password for a Terminal Line, on page 1161
Terminal Line Telnet Configuration, on page 1155

Example: Setting the Privilege Level for a Command


This example shows how to set the configure command to privilege level 14 and define SecretPswd14 as the
password users must enter to use level 14 commands:

SwitchDevice(config)# privilege exec level 14 configure
SwitchDevice(config)# enable password level 14 SecretPswd14

Related Topics
Setting the Privilege Level for a Command, on page 1164
Privilege Levels, on page 1155

CHAPTER 51
Configuring TACACS+
• Finding Feature Information, on page 1171
• Prerequisites for TACACS+, on page 1171
• Information About TACACS+, on page 1173
• How to Configure TACACS+, on page 1176
• Monitoring TACACS+, on page 1184

Finding Feature Information


Your software release may not support all the features documented in this module. For the latest caveats and
feature information, see Bug Search Tool and the release notes for your platform and software release. To
find information about the features documented in this module, and to see a list of the releases in which each
feature is supported, see the feature information table at the end of this module.
Use Cisco Feature Navigator to find information about platform support and Cisco software image support.
To access Cisco Feature Navigator, go to http://www.cisco.com/go/cfn. An account on Cisco.com is not
required.

Prerequisites for TACACS+


The following are the prerequisites for setting up and configuring switch access with TACACS+ (they must be
performed in the order presented):
1. Configure the switches with the TACACS+ server addresses.
2. Set an authentication key.
3. Configure the key from Step 2 on the TACACS+ servers.
4. Enable authentication, authorization, and accounting (AAA).
5. Create a login authentication method list.
6. Apply the list to the terminal lines.
7. Create an authorization and accounting method list.

The following are the prerequisites for controlling switch access with TACACS+:


• You must have access to a configured TACACS+ server to configure TACACS+ features on your switch.
Also, you must have access to TACACS+ services maintained in a database on a TACACS+ daemon
typically running on a LINUX or Windows workstation.
• We recommend a redundant connection between a switch stack and the TACACS+ server. This is to
help ensure that the TACACS+ server remains accessible in case one of the connected stack members
is removed from the switch stack.
• You need a system running the TACACS+ daemon software to use TACACS+ on your switch.
• To use TACACS+, it must be enabled.
• Authorization must be enabled on the switch to be used.
• Users must first successfully complete TACACS+ authentication before proceeding to TACACS+
authorization.
• To use any of the AAA commands listed in this section or elsewhere, you must first enable AAA with
the aaa new-model command.
• At a minimum, you must identify the host or hosts maintaining the TACACS+ daemon and define the
method lists for TACACS+ authentication. You can optionally define method lists for TACACS+
authorization and accounting.
• The method list defines the types of authentication to be performed and the sequence in which they are
performed; it must be applied to a specific port before any of the defined authentication methods are
performed. The only exception is the default method list (which, by coincidence, is named default). The
default method list is automatically applied to all ports except those that have a named method list
explicitly defined. A defined method list overrides the default method list.
• Use TACACS+ for privileged EXEC access authorization if authentication was performed by using
TACACS+.
• Use the local database if authentication was not performed by using TACACS+.

Related Topics
TACACS+ Overview, on page 1173
TACACS+ Operation, on page 1174
How to Configure TACACS+, on page 1176
Method List, on page 1175
Configuring TACACS+ Login Authentication, on page 1178
TACACS+ Login Authentication, on page 1175
Configuring TACACS+ Authorization for Privileged EXEC Access and Network Services, on page 1181
TACACS+ Authorization for Privileged EXEC Access and Network Services, on page 1176


Information About TACACS+


TACACS+ and Switch Access
This section describes TACACS+. TACACS+ provides detailed accounting information and flexible
administrative control over the authentication and authorization processes. It is facilitated through authentication,
authorization, and accounting (AAA) and can be enabled only through AAA commands.
Related Topics
Preventing Unauthorized Access, on page 1151
Configuring the Switch for Local Authentication and Authorization, on page 1237
SSH Servers, Integrated Clients, and Supported Versions, on page 1243

TACACS+ Overview
TACACS+ is a security application that provides centralized validation of users attempting to gain access to
your switch.
TACACS+ provides for separate and modular authentication, authorization, and accounting facilities. TACACS+
allows for a single access control server (the TACACS+ daemon) to provide each service—authentication,
authorization, and accounting—independently. Each service can be tied into its own database to take advantage
of other services available on that server or on the network, depending on the capabilities of the daemon.
The goal of TACACS+ is to provide a method for managing multiple network access points from a single
management service. Your switch can be a network access server along with other Cisco routers and access
servers.
Figure 97: Typical TACACS+ Network Configuration

TACACS+, administered through the AAA security services, can provide these services:


• Authentication—Provides complete control of authentication through login and password dialog, challenge
and response, and messaging support.
The authentication facility can conduct a dialog with the user (for example, after a username and password
are provided, to challenge a user with several questions, such as home address, mother’s maiden name,
service type, and social security number). The TACACS+ authentication service can also send messages
to user screens. For example, a message could notify users that their passwords must be changed because
of the company’s password aging policy.
• Authorization—Provides fine-grained control over user capabilities for the duration of the user’s session,
including but not limited to setting autocommands, access control, session duration, or protocol support.
You can also enforce restrictions on what commands a user can execute with the TACACS+ authorization
feature.
• Accounting—Collects and sends information used for billing, auditing, and reporting to the TACACS+
daemon. Network managers can use the accounting facility to track user activity for a security audit or
to provide information for user billing. Accounting records include user identities, start and stop times,
executed commands (such as PPP), number of packets, and number of bytes.

The TACACS+ protocol provides authentication between the switch and the TACACS+ daemon, and it
ensures confidentiality because all protocol exchanges between the switch and the TACACS+ daemon are
encrypted.
Related Topics
Prerequisites for TACACS+, on page 1171

TACACS+ Operation
When a user attempts a simple ASCII login by authenticating to a switch using TACACS+, this process occurs:
1. When the connection is established, the switch contacts the TACACS+ daemon to obtain a username
prompt to show to the user. The user enters a username, and the switch then contacts the TACACS+
daemon to obtain a password prompt. The switch displays the password prompt to the user, the user enters
a password, and the password is then sent to the TACACS+ daemon.
TACACS+ allows a dialog between the daemon and the user until the daemon receives enough information
to authenticate the user. The daemon prompts for a username and password combination, but can include
other items, such as the user’s mother’s maiden name.
2. The switch eventually receives one of these responses from the TACACS+ daemon:
• ACCEPT—The user is authenticated and service can begin. If the switch is configured to require
authorization, authorization begins at this time.
• REJECT—The user is not authenticated. The user can be denied access or is prompted to retry the
login sequence, depending on the TACACS+ daemon.
• ERROR—An error occurred at some time during authentication with the daemon or in the network
connection between the daemon and the switch. If an ERROR response is received, the switch
typically tries to use an alternative method for authenticating the user.
• CONTINUE—The user is prompted for additional authentication information.


After authentication, the user undergoes an additional authorization phase if authorization has been enabled
on the switch. Users must first successfully complete TACACS+ authentication before proceeding to
TACACS+ authorization.
3. If TACACS+ authorization is required, the TACACS+ daemon is again contacted, and it returns an
ACCEPT or REJECT authorization response. If an ACCEPT response is returned, the response contains
data in the form of attributes that direct the EXEC or NETWORK session for that user and the services
that the user can access:
• Telnet, Secure Shell (SSH), rlogin, or privileged EXEC services
• Connection parameters, including the host or client IP address, access list, and user timeouts

Related Topics
Prerequisites for TACACS+, on page 1171

Method List
A method list defines the sequence and methods to be used to authenticate, to authorize, or to keep accounts
on a user. You can use method lists to designate one or more security protocols to be used, thus ensuring a
backup system if the initial method fails. The software uses the first method listed to authenticate, to authorize,
or to keep accounts on users; if that method does not respond, the software selects the next method in the list.
This process continues until there is successful communication with a listed method or the method list is
exhausted.
Related Topics
How to Configure TACACS+, on page 1176
Prerequisites for TACACS+, on page 1171

TACACS+ Configuration Options


You can configure the switch to use a single server or AAA server groups to group existing server hosts for
authentication. You can group servers to select a subset of the configured server hosts and use them for a
particular service. The server group is used with a global server-host list and contains the list of IP addresses
of the selected server hosts.
Related Topics
Identifying the TACACS+ Server Host and Setting the Authentication Key, on page 1177

TACACS+ Login Authentication


A method list describes the sequence and authentication methods to be queried to authenticate a user. You
can designate one or more security protocols to be used for authentication, thus ensuring a backup system for
authentication in case the initial method fails. The software uses the first method listed to authenticate users;
if that method fails to respond, the software selects the next authentication method in the method list. This
process continues until there is successful communication with a listed authentication method or until all
defined methods are exhausted. If authentication fails at any point in this cycle—meaning that the security
server or local username database responds by denying the user access—the authentication process stops, and
no other authentication methods are attempted.


Related Topics
Configuring TACACS+ Login Authentication, on page 1178
Prerequisites for TACACS+, on page 1171
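The daemon replies listed under TACACS+ Operation (ACCEPT, REJECT, ERROR, CONTINUE) and the fall-through rule of the Method List and TACACS+ Login Authentication sections (the next method is consulted only after an ERROR; a REJECT ends the cycle) can be modeled directly. The following is an added example, not code from the Cisco guide; the TacacsDaemon class, the users and the passwords are constructed stand-ins, and a user who cannot answer an extra CONTINUE prompt is treated as rejected.

```python
"""Model how an IOS login method list consults its methods in order and how
the switch treats the TACACS+ daemon's ACCEPT, REJECT, ERROR and CONTINUE
replies.  Added example, not Cisco code; the daemon, users and passwords are
constructed for illustration."""
from dataclasses import dataclass, field
from enum import Enum
from typing import Callable, Dict, List, Optional, Tuple


class Reply(Enum):
    ACCEPT = "ACCEPT"      # authenticated; authorization may begin
    REJECT = "REJECT"      # denied; the cycle stops, no other method is tried
    ERROR = "ERROR"        # daemon or network failure; try the next method
    CONTINUE = "CONTINUE"  # daemon needs another answer from the user


# A method receives the username and the answers collected so far and returns
# (reply, prompt); prompt names the next item wanted when reply is CONTINUE.
Method = Callable[[str, Dict[str, str]], Tuple[Reply, Optional[str]]]


@dataclass
class TacacsDaemon:
    """Constructed stand-in for a TACACS+ daemon driving an ASCII login."""
    users: Dict[str, str]                       # username -> password
    extra_prompts: List[str] = field(default_factory=list)
    reachable: bool = True

    def ask(self, user: str, answers: Dict[str, str]):
        if not self.reachable:
            return Reply.ERROR, None
        for prompt in ["password"] + self.extra_prompts:
            if prompt not in answers:
                return Reply.CONTINUE, prompt   # dialog until it has enough
        ok = self.users.get(user) == answers["password"]
        return (Reply.ACCEPT if ok else Reply.REJECT), None


def group_tacacs(daemon: TacacsDaemon) -> Method:
    """The `group tacacs+` method: every decision comes from the daemon."""
    return daemon.ask


def local(db: Dict[str, str], case_sensitive: bool = False) -> Method:
    """`local` matches the username case-insensitively, `local-case` exactly.
    The local database never returns ERROR, only ACCEPT or REJECT."""
    def method(user: str, answers: Dict[str, str]):
        if "password" not in answers:
            return Reply.CONTINUE, "password"
        for name, pw in db.items():
            same = name == user if case_sensitive else name.lower() == user.lower()
            if same and pw == answers["password"]:
                return Reply.ACCEPT, None
        return Reply.REJECT, None
    return method


def login(method_list: List[Method], user: str, user_answers: Dict[str, str],
          trace: Optional[List[str]] = None) -> bool:
    """Walk the method list: ERROR falls through, REJECT or ACCEPT ends it."""
    for idx, method in enumerate(method_list):
        answers: Dict[str, str] = {}
        while True:
            reply, prompt = method(user, answers)
            if reply is not Reply.CONTINUE:
                break
            if prompt not in user_answers:
                reply = Reply.REJECT        # user cannot satisfy the dialog
                break
            answers[prompt] = user_answers[prompt]
        if trace is not None:
            trace.append(f"method {idx}: {reply.value}")
        if reply is Reply.ACCEPT:
            return True
        if reply is Reply.REJECT:
            return False
    return False                            # every method returned ERROR


def run_scenarios() -> Dict[str, bool]:
    """`aaa authentication login default group tacacs+ local` under several conditions."""
    local_db = {"adam": "local-pw"}
    up = TacacsDaemon({"adam": "tac-pw"})
    down = TacacsDaemon({"adam": "tac-pw"}, reachable=False)
    dialog = TacacsDaemon({"adam": "tac-pw"}, extra_prompts=["mother's maiden name"])
    return {
        # daemon answers ACCEPT; local is never consulted
        "tacacs accept": login([group_tacacs(up), local(local_db)], "adam",
                               {"password": "tac-pw"}),
        # daemon answers REJECT; local would accept, but a denial stops the cycle
        "tacacs reject": login([group_tacacs(up), local(local_db)], "adam",
                               {"password": "local-pw"}),
        # daemon unreachable: ERROR, so the switch falls back to local
        "tacacs error": login([group_tacacs(down), local(local_db)], "adam",
                              {"password": "local-pw"}),
        # CONTINUE dialog: the daemon asks one extra question before deciding
        "tacacs dialog": login([group_tacacs(dialog)], "adam",
                               {"password": "tac-pw", "mother's maiden name": "Smith"}),
        # local vs local-case for a username typed in the wrong case
        "local": login([local(local_db)], "Adam", {"password": "local-pw"}),
        "local-case": login([local(local_db, True)], "Adam", {"password": "local-pw"}),
    }
```

The "tacacs reject" scenario is the one to remember when designing method lists: a reachable server that denies the user prevents the local database from ever being tried, so local credentials are only a fallback for server outages, not a second chance at authentication.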

TACACS+ Authorization for Privileged EXEC Access and Network Services


AAA authorization limits the services available to a user. When AAA authorization is enabled, the switch
uses information retrieved from the user’s profile, which is located either in the local user database or on the
security server, to configure the user’s session. The user is granted access to a requested service only if the
information in the user profile allows it.
Related Topics
Configuring TACACS+ Authorization for Privileged EXEC Access and Network Services, on page 1181
Prerequisites for TACACS+, on page 1171

TACACS+ Accounting
The AAA accounting feature tracks the services that users are accessing and the amount of network resources
that they are consuming. When AAA accounting is enabled, the switch reports user activity to the TACACS+
security server in the form of accounting records. Each accounting record contains accounting attribute-value
(AV) pairs and is stored on the security server. This data can then be analyzed for network management, client
billing, or auditing.
Related Topics
Starting TACACS+ Accounting, on page 1182

Default TACACS+ Configuration


TACACS+ and AAA are disabled by default.
To prevent a lapse in security, you cannot configure TACACS+ through a network management application.
When enabled, TACACS+ can authenticate users accessing the switch through the CLI.

Note Although TACACS+ configuration is performed through the CLI, the TACACS+ server authenticates HTTP
connections that have been configured with a privilege level of 15.

How to Configure TACACS+


This section describes how to configure your switch to support TACACS+.
Related Topics
Method List, on page 1175
Prerequisites for TACACS+, on page 1171


Identifying the TACACS+ Server Host and Setting the Authentication Key
Follow these steps to identify the TACACS+ server host and set the authentication key:

SUMMARY STEPS
1. enable
2. configure terminal
3. tacacs-server host hostname
4. aaa new-model
5. aaa group server tacacs+ group-name
6. server ip-address
7. end
8. show running-config
9. copy running-config startup-config

DETAILED STEPS

Command or Action Purpose


Step 1 enable Enables privileged EXEC mode. Enter your password if
prompted.
Example:

SwitchDevice> enable

Step 2 configure terminal Enters the global configuration mode.


Example:

SwitchDevice# configure terminal

Step 3 tacacs-server host hostname Identifies the IP host or hosts maintaining a TACACS+ server. Enter this command multiple times to create a list of preferred hosts. The software searches for hosts in the order in which you specify them.
For hostname, specify the name or IP address of the host.
Example:
SwitchDevice(config)# tacacs-server host yourserver

Step 4 aaa new-model Enables AAA.


Example:

SwitchDevice(config)# aaa new-model

Step 5 aaa group server tacacs+ group-name (Optional) Defines the AAA server-group with a group name.
This command puts the switch in a server group subconfiguration mode.
Example:
SwitchDevice(config)# aaa group server tacacs+ your_server_group

Step 6 server ip-address (Optional) Associates a particular TACACS+ server with the defined server group. Repeat this step for each TACACS+ server in the AAA server group.
Each server in the group must be previously defined in Step 3.
Example:
SwitchDevice(config)# server 10.1.2.3

Step 7 end Returns to privileged EXEC mode.


Example:

SwitchDevice(config)# end

Step 8 show running-config Verifies your entries.


Example:

SwitchDevice# show running-config

Step 9 copy running-config startup-config (Optional) Saves your entries in the configuration file.
Example:

SwitchDevice# copy running-config startup-config

Related Topics
TACACS+ Configuration Options, on page 1175

Configuring TACACS+ Login Authentication


Follow these steps to configure TACACS+ login authentication:

Before you begin


To configure AAA authentication, you define a named list of authentication methods and then apply that list
to various ports.

Note To secure the switch for HTTP access by using AAA methods, you must configure the switch with the ip
http authentication aaa global configuration command. Configuring AAA authentication does not secure
the switch for HTTP access by using AAA methods.

For more information about the ip http authentication command, see the Cisco IOS Security Command
Reference, Release 12.4.


SUMMARY STEPS
1. enable
2. configure terminal
3. aaa new-model
4. aaa authentication login {default | list-name} method1 [method2...]
5. line [console | tty | vty] line-number [ending-line-number]
6. login authentication {default | list-name}
7. end
8. show running-config
9. copy running-config startup-config

DETAILED STEPS

Command or Action Purpose


Step 1 enable Enables privileged EXEC mode. Enter your password if
prompted.
Example:

SwitchDevice> enable

Step 2 configure terminal Enters the global configuration mode.


Example:

SwitchDevice# configure terminal

Step 3 aaa new-model Enables AAA.


Example:

SwitchDevice(config)# aaa new-model

Step 4 aaa authentication login {default | list-name} method1 [method2...] Creates a login authentication method list.
Example:

SwitchDevice(config)# aaa authentication login default tacacs+ local

• To create a default list that is used when a named list is not specified in the login authentication command, use the default keyword followed by the methods that are to be used in default situations. The default method list is automatically applied to all ports.
• For list-name, specify a character string to name the list you are creating.
• For method1..., specify the actual method the authentication algorithm tries. The additional methods of authentication are used only if the previous method returns an error, not if it fails.

Select one of these methods:

• enable—Use the enable password for authentication.
Before you can use this authentication method, you
must define an enable password by using the enable
password global configuration command.
• group tacacs+—Uses TACACS+ authentication.
Before you can use this authentication method, you
must configure the TACACS+ server. For more
information, see the Identifying the TACACS+ Server
Host and Setting the Authentication Key, on page 1177.
• line—Use the line password for authentication. Before
you can use this authentication method, you must
define a line password. Use the password password
line configuration command.
• local—Use the local username database for
authentication. You must enter username information
in the database. Use the username password global
configuration command.
• local-case—Use a case-sensitive local username
database for authentication. You must enter username
information in the database by using the username
name password global configuration command.
• none—Do not use any authentication for login.

Step 5 line [console | tty | vty] line-number [ending-line-number] Enters line configuration mode, and configures the lines to which you want to apply the authentication list.
Example:

SwitchDevice(config)# line 2 4

Step 6 login authentication {default | list-name} Applies the authentication list to a line or set of lines.
• If you specify default, use the default list created with the aaa authentication login command.
• For list-name, specify the list created with the aaa authentication login command.
Example:

SwitchDevice(config-line)# login authentication default

Step 7 end Returns to privileged EXEC mode.


Example:

SwitchDevice(config-line)# end

Step 8 show running-config Verifies your entries.


Example:

SwitchDevice# show running-config

Step 9 copy running-config startup-config (Optional) Saves your entries in the configuration file.
Example:

SwitchDevice# copy running-config startup-config
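The rule stated in Step 4 (a later method in the list is tried only when the previous one returns an error, never when it fails) as an added Python model; this is not Cisco code, and the user databases and the servers_up flag are constructed stand-ins for a TACACS+ server group and the switch's local database.

```python
from enum import Enum


class Result(Enum):
    PASS = "pass"    # the method authenticated the user
    FAIL = "fail"    # the method answered and rejected the credentials
    ERROR = "error"  # the method could not answer (no TACACS+ server reachable)


# Constructed sample databases; a real deployment keeps these on the server and switch.
TACACS_USERS = {"netops": "correct-horse", "auditor": "batt3ry"}
LOCAL_USERS = {"netops": "correct-horse"}


def method_group_tacacs(user, password, servers_up):
    """Models 'group tacacs+': ERROR when no server answers, otherwise PASS/FAIL."""
    if not servers_up:
        return Result.ERROR
    return Result.PASS if TACACS_USERS.get(user) == password else Result.FAIL


def method_local(user, password, servers_up):
    """Models 'local': the switch's own username database, always reachable."""
    return Result.PASS if LOCAL_USERS.get(user) == password else Result.FAIL


def method_none(user, password, servers_up):
    """Models 'none': no authentication at all, so it always passes."""
    return Result.PASS


METHODS = {"group tacacs+": method_group_tacacs, "local": method_local, "none": method_none}


def authenticate(method_list, user, password, servers_up=True):
    """Walk the list left to right as Step 4 describes: a FAIL ends the attempt
    (login denied) and only an ERROR falls through to the next method.
    Returns (login_granted, method_that_decided); (False, None) when every method errored."""
    for name in method_list:
        result = METHODS[name](user, password, servers_up)
        if result is Result.PASS:
            return True, name
        if result is Result.FAIL:
            return False, name
    return False, None


if __name__ == "__main__":
    # aaa authentication login default group tacacs+ local
    print(authenticate(["group tacacs+", "local"], "netops", "wrong"))                  # TACACS+ rejects: no fallthrough
    print(authenticate(["group tacacs+", "local"], "netops", "correct-horse", False))   # servers down: local decides
    # aaa authentication login default group tacacs+ none  (fail-open while the servers are down)
    print(authenticate(["group tacacs+", "none"], "anyone", "anything", False))
```

The last call shows why a trailing none is a risk rather than a convenience: while the TACACS+ group is unreachable, any username and password are accepted.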

Related Topics
TACACS+ Login Authentication, on page 1175
Prerequisites for TACACS+, on page 1171

Configuring TACACS+ Authorization for Privileged EXEC Access and Network Services

You can use the aaa authorization global configuration command with the tacacs+ keyword to set parameters
that restrict a user’s network access to privileged EXEC mode.

Note Authorization is bypassed for authenticated users who log in through the CLI even if authorization has been
configured.

Follow these steps to specify TACACS+ authorization for privileged EXEC access and network services:

SUMMARY STEPS
1. enable
2. configure terminal
3. aaa authorization network tacacs+
4. aaa authorization exec tacacs+
5. end
6. show running-config
7. copy running-config startup-config

DETAILED STEPS

Command or Action Purpose


Step 1 enable Enables privileged EXEC mode. Enter your password if
prompted.
Example:

SwitchDevice> enable


Step 2 configure terminal Enters the global configuration mode.
Example:

SwitchDevice# configure terminal

Step 3 aaa authorization network tacacs+ Configures the switch for user TACACS+ authorization for all network-related service requests.
Example:

SwitchDevice(config)# aaa authorization network tacacs+

Step 4 aaa authorization exec tacacs+ Configures the switch for user TACACS+ authorization if the user has privileged EXEC access. The exec keyword might return user profile information (such as autocommand information).
Example:

SwitchDevice(config)# aaa authorization exec tacacs+

Step 5 end Returns to privileged EXEC mode.


Example:

SwitchDevice(config)# end

Step 6 show running-config Verifies your entries.


Example:

SwitchDevice# show running-config

Step 7 copy running-config startup-config (Optional) Saves your entries in the configuration file.
Example:

SwitchDevice# copy running-config startup-config

Related Topics
TACACS+ Authorization for Privileged EXEC Access and Network Services, on page 1176
Prerequisites for TACACS+, on page 1171

Starting TACACS+ Accounting


Follow these steps to start TACACS+ Accounting:


SUMMARY STEPS
1. enable
2. configure terminal
3. aaa accounting network start-stop tacacs+
4. aaa accounting exec start-stop tacacs+
5. end
6. show running-config
7. copy running-config startup-config

DETAILED STEPS

Command or Action Purpose


Step 1 enable Enables privileged EXEC mode. Enter your password if
prompted.
Example:

SwitchDevice> enable

Step 2 configure terminal Enters the global configuration mode.


Example:

SwitchDevice# configure terminal

Step 3 aaa accounting network start-stop tacacs+ Enables TACACS+ accounting for all network-related service requests.
Example:

SwitchDevice(config)# aaa accounting network start-stop tacacs+

Step 4 aaa accounting exec start-stop tacacs+ Enables TACACS+ accounting to send a start-record accounting notice at the beginning of a privileged EXEC process and a stop-record at the end.
Example:

SwitchDevice(config)# aaa accounting exec start-stop tacacs+

Step 5 end Returns to privileged EXEC mode.


Example:

SwitchDevice(config)# end

Step 6 show running-config Verifies your entries.


Example:

SwitchDevice# show running-config


Step 7 copy running-config startup-config (Optional) Saves your entries in the configuration file.
Example:

SwitchDevice# copy running-config startup-config

Related Topics
TACACS+ Accounting, on page 1176

Establishing a Session with a Router if the AAA Server is Unreachable


To establish a session with a router if the AAA server is unreachable, use the aaa accounting system
guarantee-first command. It guarantees system accounting as the first record, which is the default condition.
In some situations, users might be prevented from starting a session on the console or terminal connection
until after the system reloads, which can take more than 3 minutes.
To establish a console or Telnet session with the router if the AAA server is unreachable when the router
reloads, use the no aaa accounting system guarantee-first command.

Monitoring TACACS+
Table 127: Commands for Displaying TACACS+ Information

Command Purpose
show tacacs Displays TACACS+ server statistics.

CHAPTER 52
Configuring RADIUS
• Finding Feature Information, on page 1185
• Prerequisites for Configuring RADIUS, on page 1185
• Restrictions for Configuring RADIUS, on page 1186
• Information about RADIUS, on page 1187
• How to Configure RADIUS, on page 1209
• Monitoring CoA Functionality, on page 1227
• Configuration Examples for Controlling Switch Access with RADIUS, on page 1228

Finding Feature Information


Your software release may not support all the features documented in this module. For the latest caveats and
feature information, see Bug Search Tool and the release notes for your platform and software release. To
find information about the features documented in this module, and to see a list of the releases in which each
feature is supported, see the feature information table at the end of this module.
Use Cisco Feature Navigator to find information about platform support and Cisco software image support.
To access Cisco Feature Navigator, go to http://www.cisco.com/go/cfn. An account on Cisco.com is not
required.

Prerequisites for Configuring RADIUS


This section lists the prerequisites for controlling SwitchDevice access with RADIUS.
General:
• RADIUS and Authentication, Authorization, and Accounting (AAA) must be enabled to use any of the
configuration commands in this chapter.
• RADIUS is facilitated through AAA and can be enabled only through AAA commands.
• Use the aaa new-model global configuration command to enable AAA.
• Use the aaa authentication global configuration command to define method lists for RADIUS
authentication.
• Use line and interface commands to enable the defined method lists to be used.


• At a minimum, you must identify the host or hosts that run the RADIUS server software and define the
method lists for RADIUS authentication. You can optionally define method lists for RADIUS authorization
and accounting.
• You should have access to and should configure a RADIUS server before configuring RADIUS features
on your SwitchDevice.
• The RADIUS host is normally a multiuser system running RADIUS server software from Cisco (Cisco
Secure Access Control Server Version 3.0), Livingston, Merit, Microsoft, or another software provider.
For more information, see the RADIUS server documentation.
• To use the Change-of-Authorization (CoA) interface, a session must already exist on the switch. CoA
can be used to identify a session and enforce a disconnect request. The update affects only the specified
session.

For RADIUS operation:


• Users must first successfully complete RADIUS authentication before proceeding to RADIUS
authorization, if it is enabled.

Related Topics
RADIUS and Switch Access, on page 1187
RADIUS Operation, on page 1188

Restrictions for Configuring RADIUS


This topic covers restrictions for controlling SwitchDevice access with RADIUS.
General:
• To prevent a lapse in security, you cannot configure RADIUS through a network management application.

RADIUS is not suitable in the following network security situations:


• Multiprotocol access environments. RADIUS does not support AppleTalk Remote Access (ARA),
NetBIOS Frame Control Protocol (NBFCP), NetWare Asynchronous Services Interface (NASI), or X.25
PAD connections.
• Switch-to-switch or router-to-router situations. RADIUS does not provide two-way authentication.
RADIUS can be used to authenticate from one device to a non-Cisco device if the non-Cisco device
requires authentication.
• Networks using a variety of services. RADIUS generally binds a user to one service model.

Related Topics
RADIUS Overview, on page 1187


Information about RADIUS


RADIUS and Switch Access
This section describes how to enable and configure RADIUS. RADIUS provides detailed accounting information
and flexible administrative control over the authentication and authorization processes.
Related Topics
Prerequisites for Configuring RADIUS, on page 1185
Configuring the Switch for Local Authentication and Authorization, on page 1237
SSH Servers, Integrated Clients, and Supported Versions, on page 1243

RADIUS Overview
RADIUS is a distributed client/server system that secures networks against unauthorized access. RADIUS
clients run on supported Cisco routers and switches. Clients send authentication requests to a central RADIUS
server, which contains all user authentication and network service access information.
Use RADIUS in these network environments that require access security:
• Networks with multiple-vendor access servers, each supporting RADIUS. For example, access servers
from several vendors use a single RADIUS server-based security database. In an IP-based network with
multiple vendors’ access servers, dial-in users are authenticated through a RADIUS server that has been
customized to work with the Kerberos security system.
• Turnkey network security environments in which applications support the RADIUS protocol, such as in
an access environment that uses a smart card access control system. In one case, RADIUS has been used
with Enigma’s security cards to validate users and to grant access to network resources.
• Networks already using RADIUS. You can add a Cisco SwitchDevice containing a RADIUS client to
the network. This might be the first step when you make a transition to a TACACS+ server. See Figure
2: Transitioning from RADIUS to TACACS+ Services below.
• Network in which the user must only access a single service. Using RADIUS, you can control user access
to a single host, to a single utility such as Telnet, or to the network through a protocol such as IEEE
802.1x. For more information about this protocol, see Chapter 11, “Configuring IEEE 802.1x Port-Based
Authentication.”
• Networks that require resource accounting. You can use RADIUS accounting independently of RADIUS
authentication or authorization. The RADIUS accounting functions allow data to be sent at the start and
end of services, showing the amount of resources (such as time, packets, bytes, and so forth) used during
the session. An Internet service provider might use a freeware-based version of RADIUS access control
and accounting software to meet special security and billing needs.


Figure 98: Transitioning from RADIUS to TACACS+ Services

Related Topics
Restrictions for Configuring RADIUS, on page 1186

RADIUS Operation
When a user attempts to log in and authenticate to a SwitchDevice that is access controlled by a RADIUS
server, these events occur:
1. The user is prompted to enter a username and password.
2. The username and encrypted password are sent over the network to the RADIUS server.
3. The user receives one of the following responses from the RADIUS server:
• ACCEPT—The user is authenticated.
• REJECT—The user is either not authenticated and is prompted to re-enter the username and password,
or access is denied.
• CHALLENGE—A challenge requires additional data from the user.
• CHALLENGE PASSWORD—A response requests the user to select a new password.

The ACCEPT or REJECT response is bundled with additional data that is used for privileged EXEC or
network authorization. The additional data included with the ACCEPT or REJECT packets includes these
items:

• Telnet, SSH, rlogin, or privileged EXEC services


• Connection parameters, including the host or client IP address, access list, and user timeouts

Related Topics
Prerequisites for Configuring RADIUS, on page 1185


RADIUS Change of Authorization


The RADIUS Change of Authorization (CoA) provides a mechanism to change the attributes of an
authentication, authorization, and accounting (AAA) session after it is authenticated. When a policy changes
for a user or user group in AAA, administrators can send RADIUS CoA packets from the AAA server such
as a Cisco Secure Access Control Server (ACS) to reinitialize authentication and apply the new policy. This
section provides an overview of the RADIUS interface including available primitives and how they are used
during a CoA.
• Change-of-Authorization Requests
• CoA Request Response Code
• CoA Request Commands
• Session Reauthentication
• Stacking Guidelines for Session Termination

A standard RADIUS interface is typically used in a pulled model, where the request originates from a network-attached
device and the response comes from the queried servers. Catalyst switches support the RADIUS CoA
extensions defined in RFC 5176, which are typically used in a pushed model and allow for the dynamic
reconfiguring of sessions from external AAA or policy servers.
The switch supports these per-session CoA requests:
• Session reauthentication
• Session termination
• Session termination with port shutdown
• Session termination with port bounce

This feature is integrated with Cisco Secure Access Control Server (ACS) 5.1.
The RADIUS interface is enabled by default on Catalyst switches. However, some basic configuration is
required for the following attributes:
• Security and Password—refer to the “Preventing Unauthorized Access to Your Switch” section in this
guide.
• Accounting—refer to the “Starting RADIUS Accounting” section in the Configuring Switch-Based
Authentication chapter in this guide.

Cisco IOS software supports the RADIUS CoA extensions defined in RFC 5176 that are typically used in a
push model to allow the dynamic reconfiguring of sessions from external AAA or policy servers. Per-session
CoA requests are supported for session identification, session termination, host reauthentication, port shutdown,
and port bounce. This model comprises one request (CoA-Request) and two possible response codes:
• CoA acknowledgement (ACK) [CoA-ACK]
• CoA nonacknowledgement (NAK) [CoA-NAK]

The request is initiated from a CoA client (typically a AAA or policy server) and directed to the device that
acts as a listener.


The table below shows the RADIUS CoA commands and vendor-specific attributes (VSAs) supported by
Identity-Based Networking Services. All CoA commands must include the session identifier between the
device and the CoA client.

Table 128: RADIUS CoA Commands Supported by Identity-Based Networking Services

CoA Command             Cisco VSA

Activate service        Cisco:Avpair="subscriber:command=activate-service"
                        Cisco:Avpair="subscriber:service-name=<service-name>"
                        Cisco:Avpair="subscriber:precedence=<precedence-number>"
                        Cisco:Avpair="subscriber:activation-mode=replace-all"

Deactivate service      Cisco:Avpair="subscriber:command=deactivate-service"
                        Cisco:Avpair="subscriber:service-name=<service-name>"

Bounce host port        Cisco:Avpair="subscriber:command=bounce-host-port"

Disable host port       Cisco:Avpair="subscriber:command=disable-host-port"

Session query           Cisco:Avpair="subscriber:command=session-query"

Session reauthenticate  Cisco:Avpair="subscriber:command=reauthenticate"
                        Cisco:Avpair="subscriber:reauthenticate-type=last" or
                        Cisco:Avpair="subscriber:reauthenticate-type=rerun"

Session terminate       This is a standard disconnect request and does not require a VSA.

Interface template      Cisco:AVpair="interface-template-name=<interfacetemplate>"

Change-of-Authorization Requests
Change of Authorization (CoA) requests, as described in RFC 5176, are used in a push model to allow for
session identification, host reauthentication, and session termination. The model is comprised of one request
(CoA-Request) and two possible response codes:
• CoA acknowledgment (ACK) [CoA-ACK]
• CoA non-acknowledgment (NAK) [CoA-NAK]

The request is initiated from a CoA client (typically a RADIUS or policy server) and directed to the switch
that acts as a listener.

RFC 5176 Compliance


The Disconnect Request message, which is also referred to as Packet of Disconnect (POD), is supported by
the switch for session termination.


This table shows the IETF attributes that are supported for this feature.

Table 129: Supported IETF Attributes

Attribute Number  Attribute Name
24                State
31                Calling-Station-ID
44                Acct-Session-ID
80                Message-Authenticator
101               Error-Cause

This table shows the possible values for the Error-Cause attribute.

Table 130: Error-Cause Values

Value Explanation

201 Residual Session Context Removed

202 Invalid EAP Packet (Ignored)

401 Unsupported Attribute

402 Missing Attribute

403 NAS Identification Mismatch

404 Invalid Request

405 Unsupported Service

406 Unsupported Extension

407 Invalid Attribute Value

501 Administratively Prohibited

502 Request Not Routable (Proxy)

503 Session Context Not Found

504 Session Context Not Removable

505 Other Proxy Processing Error

506 Resources Unavailable

507 Request Initiated

508 Multiple Session Selection Unsupported


CoA Request Response Code


The CoA Request response code can be used to convey a command to the switch.
The packet format for a CoA Request Response code as defined in RFC 5176 consists of the following fields:
Code, Identifier, Length, Authenticator, and Attributes in the Type:Length:Value (TLV) format. The Attributes
field is used to carry Cisco vendor-specific attributes (VSAs).
Related Topics
CoA Request Commands, on page 1193

Session Identification
For disconnect and CoA requests targeted at a particular session, the switch locates the session based on one
or more of the following attributes:
• Acct-Session-Id (IETF attribute #44)
• Audit-Session-Id (Cisco VSA)
• Calling-Station-Id (IETF attribute #31 which contains the host MAC address)
• IPv6 Attributes, which can be one of the following:
  • Framed-IPv6-Prefix (IETF attribute #97) and Framed-Interface-Id (IETF attribute #96), which
    together create a full IPv6 address per RFC 3162
  • Framed-IPv6-Address
• Plain IP Address (IETF attribute #8)

Unless all session identification attributes included in the CoA message match the session, the switch returns
a Disconnect-NAK or CoA-NAK with the “Invalid Attribute Value” error-code attribute.
If more than one session identification attribute is included in the message, all the attributes must match the
session or the switch returns a Disconnect-NAK (negative acknowledgment) or CoA-NAK with the error
code “Invalid Attribute Value.”
The packet format for a CoA Request code as defined in RFC 5176 consists of the fields: Code, Identifier,
Length, Authenticator, and Attributes in Type:Length:Value (TLV) format.

 0                   1                   2                   3
 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|     Code      |  Identifier   |            Length             |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|                                                               |
|                         Authenticator                         |
|                                                               |
|                                                               |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|  Attributes ...
+-+-+-+-+-+-+-+-+-+-+-+-+-

The attributes field is used to carry Cisco vendor-specific attributes (VSAs).


For CoA requests targeted at a particular enforcement policy, the device returns a CoA-NAK with the error
code “Invalid Attribute Value” if any of the above session identification attributes are included in the message.
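The packet layout, the Request Authenticator check, the session-identification matching rule and the Error-Cause values above, as an added Python model of one CoA-Request exchange (not Cisco's implementation): the shared secret, session table and MAC addresses are constructed, and Message-Authenticator (attribute 80) is left out.

```python
import hashlib
import hmac
import struct

COA_REQUEST, COA_ACK, COA_NAK = 43, 44, 45
CALLING_STATION_ID, ACCT_SESSION_ID = 31, 44       # IETF attributes from Table 129
VENDOR_SPECIFIC = 26
CISCO_VENDOR_ID, CISCO_AVPAIR = 9, 1
# Error-Cause values from Table 130 that the listener below can return.
MISSING_ATTRIBUTE, INVALID_REQUEST, INVALID_ATTRIBUTE_VALUE = 402, 404, 407
SESSION_CONTEXT_NOT_FOUND, MULTIPLE_SESSION_SELECTION = 503, 508

SECRET = b"constructed-shared-secret"  # constructed, not a real key

# Constructed session table: the identification attributes the switch holds per session.
SESSIONS = [
    {ACCT_SESSION_ID: "0000004A", CALLING_STATION_ID: "00-11-22-33-44-55"},
    {ACCT_SESSION_ID: "0000004B", CALLING_STATION_ID: "00-11-22-33-44-66"},
    {ACCT_SESSION_ID: "0000004C", CALLING_STATION_ID: "00-11-22-33-44-55"},
]


def avp(attr_type, value):
    """One attribute in Type:Length:Value form; Length counts its own 2-byte header."""
    if len(value) > 253:
        raise ValueError("attribute value too long")
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def cisco_avpair(text):
    """Vendor-Specific (26) attribute wrapping one Cisco AVPair (vendor 9, type 1)."""
    return avp(VENDOR_SPECIFIC, struct.pack("!I", CISCO_VENDOR_ID) + avp(CISCO_AVPAIR, text.encode()))


def build_request(ident, attrs, secret=SECRET):
    """Code | Identifier | Length | Authenticator | Attributes. The Request Authenticator
    is MD5(Code + Identifier + Length + 16 zero octets + Attributes + shared secret), as
    RFC 5176 specifies for CoA-Request; Message-Authenticator (80) is omitted here."""
    header = struct.pack("!BBH", COA_REQUEST, ident, 20 + len(attrs))
    authenticator = hashlib.md5(header + bytes(16) + attrs + secret).digest()
    return header + authenticator + attrs


def reauthenticate_request(ident, acct_session_id, calling_station_id, secret=SECRET):
    """The Session Reauthentication CoA-Request as the AAA server would send it."""
    attrs = (avp(ACCT_SESSION_ID, acct_session_id.encode())
             + avp(CALLING_STATION_ID, calling_station_id.encode())
             + cisco_avpair("subscriber:command=reauthenticate"))
    return build_request(ident, attrs, secret)


def parse_attributes(data):
    """Walk the TLV list; a malformed Length is rejected rather than guessed at."""
    attrs, pos = [], 0
    while pos < len(data):
        if pos + 2 > len(data) or data[pos + 1] < 2 or pos + data[pos + 1] > len(data):
            raise ValueError("malformed attribute")
        attrs.append((data[pos], data[pos + 2:pos + data[pos + 1]]))
        pos += data[pos + 1]
    return attrs


def cisco_commands(attrs):
    """Return the Cisco AVPair strings (e.g. subscriber:command=...) carried in VSAs."""
    cmds = []
    for attr_type, value in attrs:
        if attr_type == VENDOR_SPECIFIC and len(value) > 4 \
                and struct.unpack("!I", value[:4])[0] == CISCO_VENDOR_ID:
            cmds += [v.decode() for t, v in parse_attributes(value[4:]) if t == CISCO_AVPAIR]
    return cmds


def handle_coa(packet, secret=SECRET, sessions=SESSIONS):
    """Listener side. A packet whose header or Request Authenticator does not verify is
    dropped with no reply (None); otherwise returns (response code, Error-Cause or None)."""
    if len(packet) < 20:
        return None
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if code != COA_REQUEST or length < 20 or length > len(packet):
        return None
    packet = packet[:length]
    expected = hashlib.md5(packet[:4] + bytes(16) + packet[20:] + secret).digest()
    if not hmac.compare_digest(packet[4:20], expected):
        return None  # wrong secret or modified in transit: silently discarded
    try:
        attrs = parse_attributes(packet[20:])
    except ValueError:
        return COA_NAK, INVALID_REQUEST
    ids = {t: v.decode(errors="replace") for t, v in attrs
           if t in (ACCT_SESSION_ID, CALLING_STATION_ID)}
    if not ids:
        return COA_NAK, MISSING_ATTRIBUTE      # every CoA command needs a session identifier
    full = [s for s in sessions if all(s.get(t) == v for t, v in ids.items())]
    if len(full) > 1:
        return COA_NAK, MULTIPLE_SESSION_SELECTION
    if full:
        return COA_ACK, None                    # all supplied identifiers match one session
    partial = any(s.get(t) == v for s in sessions for t, v in ids.items())
    return COA_NAK, (INVALID_ATTRIBUTE_VALUE if partial else SESSION_CONTEXT_NOT_FOUND)
```

In this model a request whose identifiers partly match a session yields 407 and one that matches nothing yields 503, which is how the text above distinguishes the two NAK cases.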


Related Topics
CoA Disconnect-Request, on page 1194
CoA Request: Disable Host Port, on page 1194
CoA Request: Bounce-Port, on page 1195

CoA ACK Response Code


If the authorization state is changed successfully, a positive acknowledgment (ACK) is sent. The attributes
returned within CoA ACK will vary based on the CoA Request and are discussed in individual CoA Commands.

CoA NAK Response Code


A negative acknowledgment (NAK) indicates a failure to change the authorization state and can include
attributes that indicate the reason for the failure. Use show commands to verify a successful CoA.

CoA Request Commands


Table 131: CoA Commands Supported on the switch

Command              Cisco VSA (10)

Reauthenticate host  Cisco:Avpair="subscriber:command=reauthenticate"
Terminate session    This is a standard disconnect request that does not require a VSA.
Bounce host port     Cisco:Avpair="subscriber:command=bounce-host-port"
Disable host port    Cisco:Avpair="subscriber:command=disable-host-port"

10 All CoA commands must include the session identifier between the switch and the CoA client.
Related Topics
CoA Request Response Code, on page 1192

Session Reauthentication
The AAA server typically generates a session reauthentication request when a host with an unknown identity
or posture joins the network and is associated with a restricted access authorization profile (such as a guest
VLAN). A reauthentication request allows the host to be placed in the appropriate authorization group when
its credentials are known.
To initiate session authentication, the AAA server sends a standard CoA-Request message which contains a
Cisco VSA in this form: Cisco:Avpair=“subscriber:command=reauthenticate” and one or more session
identification attributes.
The current session state determines the switch response to the message. If the session is currently authenticated
by IEEE 802.1x, the switch responds by sending an EAPoL (Extensible Authentication Protocol over LAN)-RequestId
message to the server.
If the session is currently authenticated by MAC authentication bypass (MAB), the switch sends an
access-request to the server, passing the same identity attributes used for the initial successful authentication.
If session authentication is in progress when the switch receives the command, the switch terminates the
process, and restarts the authentication sequence, starting with the method configured to be attempted first.


If the session is not yet authorized, or is authorized via guest VLAN, or critical VLAN, or similar policies,
the reauthentication message restarts the access control methods, beginning with the method configured to
be attempted first. The current authorization of the session is maintained until the reauthentication leads to a
different authorization result.

Session Termination
There are three types of CoA requests that can trigger session termination. A CoA Disconnect-Request
terminates the session without disabling the host port. This command causes re-initialization of the authenticator
state machine for the specified host, but does not restrict that host’s access to the network.
To restrict a host’s access to the network, use a CoA Request with the
Cisco:Avpair="subscriber:command=disable-host-port" VSA. This command is useful when a host is known
to be causing problems on the network, and you need to immediately block network access for the host. When
you want to restore network access on the port, re-enable it using a non-RADIUS mechanism.
When a device with no supplicant, such as a printer, needs to acquire a new IP address (for example, after a
VLAN change), terminate the session on the host port with port-bounce (temporarily disable and then re-enable
the port).

CoA Disconnect-Request
This command is a standard Disconnect-Request. If the session cannot be located, the switch returns a
Disconnect-NAK message with the “Session Context Not Found” error-code attribute. If the session is located,
the switch terminates the session. After the session has been completely removed, the switch returns a
Disconnect-ACK.
If the switch fails-over to a standby switch before returning a Disconnect-ACK to the client, the process is
repeated on the new active switch when the request is re-sent from the client. If the session is not found
following re-sending, a Disconnect-ACK is sent with the “Session Context Not Found” error-code attribute.
Related Topics
Session Identification, on page 1192

CoA Request: Disable Host Port


The RADIUS server CoA disable port command administratively shuts down the authentication port that is
hosting a session, resulting in session termination. This command is useful when a host is known to cause
problems on the network and network access needs to be immediately blocked for the host. To restore network
access on the port, reenable it using a non-RADIUS mechanism. This command is carried in a standard
CoA-Request message that has this new vendor-specific attribute (VSA):
Cisco:Avpair="subscriber:command=disable-host-port"
Because this command is session-oriented, it must be accompanied by one or more of the session identification
attributes described in the “Session Identification” section. If the session cannot be located, the switch returns
a CoA-NAK message with the “Session Context Not Found” error-code attribute. If the session is located,
the switch disables the hosting port and returns a CoA-ACK message.
If the switch fails before returning a CoA-ACK to the client, the process is repeated on the new active switch
when the request is re-sent from the client. If the switch fails after returning a CoA-ACK message to the client
but before the operation has completed, the operation is restarted on the new active switch.


Note A Disconnect-Request failure following command re-sending could be the result of either a successful session
termination before change-over (if the Disconnect-ACK was not sent) or a session termination by other means
(for example, a link failure) that occurred after the original command was issued and before the standby switch
became active.

Related Topics
Session Identification, on page 1192

CoA Request: Bounce-Port


A RADIUS server CoA bounce port sent from a RADIUS server can cause a link flap on an authentication
port, which triggers DHCP renegotiation from one or more hosts connected to this port. This incident can
occur when there is a VLAN change and the endpoint is a device (such as a printer) that does not have a
mechanism to detect a change on this authentication port. The CoA bounce port is carried in a standard
CoA-Request message that contains the following VSA:
Cisco:Avpair="subscriber:command=bounce-host-port"
Because this command is session-oriented, it must be accompanied by one or more of the session identification
attributes. If the session cannot be located, the switch returns a CoA-NAK message with the “Session Context
Not Found” error-code attribute. If the session is located, the switch disables the hosting port for a period of
10 seconds, re-enables it (port-bounce), and returns a CoA-ACK.
If the switch fails before returning a CoA-ACK to the client, the process is repeated on the new active switch
when the request is re-sent from the client. If the switch fails after returning a CoA-ACK message to the client
but before the operation has completed, the operation is restarted on the new active switch.
Related Topics
Session Identification, on page 1192

Default RADIUS Configuration


RADIUS and AAA are disabled by default.
To prevent a lapse in security, you cannot configure RADIUS through a network management application.
When enabled, RADIUS can authenticate users accessing the switch through the CLI.

RADIUS Server Host


Switch-to-RADIUS-server communication involves several components:
• Hostname or IP address
• Authentication destination port
• Accounting destination port
• Key string
• Timeout period
• Retransmission value


You identify RADIUS security servers by their hostname or IP address, hostname and specific UDP port
numbers, or their IP address and specific UDP port numbers. The combination of the IP address and the UDP
port number creates a unique identifier, allowing different ports to be individually defined as RADIUS hosts
providing a specific AAA service. This unique identifier enables RADIUS requests to be sent to multiple
UDP ports on a server at the same IP address.
If two different host entries on the same RADIUS server are configured for the same service—for example,
accounting—the second host entry configured acts as a fail-over backup to the first one. Using this example,
if the first host entry fails to provide accounting services, the %RADIUS-4-RADIUS_DEAD message appears,
and then the switch tries the second host entry configured on the same device for accounting services. (The
RADIUS host entries are tried in the order that they are configured.)
A RADIUS server and the switch use a shared secret text string to encrypt passwords and exchange responses.
To configure RADIUS to use the AAA security commands, you must specify the host running the RADIUS
server daemon and a secret text (key) string that it shares with the switch.
The timeout, retransmission, and encryption key values can be configured globally for all RADIUS servers,
on a per-server basis, or in some combination of global and per-server settings.
Related Topics
Identifying the RADIUS Server Host, on page 1209
Defining AAA Server Groups, on page 1214
Configuring Settings for All RADIUS Servers, on page 1220
Configuring RADIUS Login Authentication, on page 1212

RADIUS Login Authentication


To configure AAA authentication, you define a named list of authentication methods and then apply that list
to various ports. The method list defines the types of authentication to be performed and the sequence in which
they are performed; it must be applied to a specific port before any of the defined authentication methods are
performed. The only exception is the default method list. The default method list is automatically applied to
all ports except those that have a named method list explicitly defined.
A method list describes the sequence and authentication methods to be queried to authenticate a user. You
can designate one or more security protocols to be used for authentication, thus ensuring a backup system for
authentication in case the initial method fails. The software uses the first method listed to authenticate users;
if that method fails to respond, the software selects the next authentication method in the method list. This
process continues until there is successful communication with a listed authentication method or until all
defined methods are exhausted. If authentication fails at any point in this cycle—meaning that the security
server or local username database responds by denying the user access—the authentication process stops, and
no other authentication methods are attempted.
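The selection rule described here (move to the next method only when a method returns an error, stop on an explicit denial) is easy to misread, so the following Python simulation is added as an example; it is not Cisco's code. The "group radius", "local" and "none" methods and the account data are hypothetical stand-ins, and the two method lists mirror "aaa authentication login default group radius local" and "... group radius none".

```python
"""Simulate AAA login method-list evaluation: an error falls through, a failure stops.

Added example, not Cisco's code. The method implementations are hypothetical
stand-ins so that the selection rule can be exercised offline.
"""
from enum import Enum
from typing import Callable, Dict, List, Tuple


class Outcome(Enum):
    PASS = "pass"    # the method authenticated the user
    FAIL = "fail"    # the method answered and denied the user
    ERROR = "error"  # the method could not answer (server dead, no database)


Method = Callable[[str, str], Outcome]
Trace = List[Tuple[str, Outcome]]


def radius_group(reachable: bool, accounts: Dict[str, str]) -> Method:
    """Stand-in for "group radius": an unreachable server group is an ERROR,
    a reachable one that rejects the credentials (Access-Reject) is a FAIL."""
    def method(user: str, password: str) -> Outcome:
        if not reachable:
            return Outcome.ERROR
        return Outcome.PASS if accounts.get(user) == password else Outcome.FAIL
    return method


def local_database(accounts: Dict[str, str]) -> Method:
    """Stand-in for "local": no username entries at all is an ERROR, a wrong
    password or unknown user against a populated database is a FAIL."""
    def method(user: str, password: str) -> Outcome:
        if not accounts:
            return Outcome.ERROR
        return Outcome.PASS if accounts.get(user) == password else Outcome.FAIL
    return method


def none_method(user: str, password: str) -> Outcome:
    """Stand-in for "none": authenticates everyone unconditionally."""
    return Outcome.PASS


def authenticate(method_list: List[Tuple[str, Method]],
                 user: str, password: str) -> Tuple[bool, Trace]:
    """Walk the method list in order; return (granted, trace of methods consulted).

    Only ERROR moves on to the next method. A FAIL is an explicit denial and ends
    the evaluation, so a later "local" or "none" entry is never reached after a
    RADIUS reject. If every method errors, nobody vouched for the user: deny.
    """
    trace: Trace = []
    for name, method in method_list:
        outcome = method(user, password)
        trace.append((name, outcome))
        if outcome is Outcome.PASS:
            return True, trace
        if outcome is Outcome.FAIL:
            return False, trace
    return False, trace


# Constructed sample data: RADIUS knows alice, the switch also has a local admin.
RADIUS_ACCOUNTS = {"alice": "correct horse"}
LOCAL_ACCOUNTS = {"admin": "battery staple"}


def radius_then_local(radius_reachable: bool) -> List[Tuple[str, Method]]:
    """Equivalent of: aaa authentication login default group radius local"""
    return [("group radius", radius_group(radius_reachable, RADIUS_ACCOUNTS)),
            ("local", local_database(LOCAL_ACCOUNTS))]


def radius_then_none(radius_reachable: bool) -> List[Tuple[str, Method]]:
    """Equivalent of: aaa authentication login default group radius none"""
    return [("group radius", radius_group(radius_reachable, RADIUS_ACCOUNTS)),
            ("none", none_method)]


if __name__ == "__main__":
    cases = (
        ("RADIUS up, alice ok", radius_then_local(True), "alice", "correct horse"),
        ("RADIUS up, local admin", radius_then_local(True), "admin", "battery staple"),
        ("RADIUS down, local admin", radius_then_local(False), "admin", "battery staple"),
        ("RADIUS down, none fallback", radius_then_none(False), "anyone", "anything"),
    )
    for label, method_list, user, password in cases:
        granted, trace = authenticate(method_list, user, password)
        steps = [(name, outcome.value) for name, outcome in trace]
        print(f"{label:28} granted={granted} via {steps}")
```

Note in the second case that the local admin cannot log in while RADIUS is reachable, because the reject is a failure, not an error; the fourth case shows why a trailing "none" method turns a dead RADIUS server into open access.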
Related Topics
Configuring RADIUS Login Authentication, on page 1212

AAA Server Groups


You can configure the switch to use AAA server groups to group existing server hosts for authentication. You
select a subset of the configured server hosts and use them for a particular service. The server group is used
with a global server-host list, which lists the IP addresses of the selected server hosts.
Server groups also can include multiple host entries for the same server if each entry has a unique identifier
(the combination of the IP address and UDP port number), allowing different ports to be individually defined
as RADIUS hosts providing a specific AAA service. This unique identifier enables RADIUS requests to be
sent to different UDP ports on a server at the same IP address. If you configure two different host entries on
the same RADIUS server for the same service (for example, accounting), the second configured host entry
acts as a fail-over backup to the first one. If the first host entry fails to provide accounting services, the network
access server tries the second host entry configured on the same device for accounting services. (The RADIUS
host entries are tried in the order in which they are configured.)
Related Topics
Defining AAA Server Groups, on page 1214

AAA Authorization
AAA authorization limits the services available to a user. When AAA authorization is enabled, the switch
uses information retrieved from the user’s profile, which is in the local user database or on the security server,
to configure the user’s session. The user is granted access to a requested service only if the information in the
user profile allows it.
Related Topics
Configuring RADIUS Authorization for User Privileged Access and Network Services, on page 1217

RADIUS Accounting
The AAA accounting feature tracks the services that users are using and the amount of network resources that
they are consuming. When you enable AAA accounting, the switch reports user activity to the RADIUS
security server in the form of accounting records. Each accounting record contains accounting attribute-value
(AV) pairs and is stored on the security server. You can then analyze the data for network management, client
billing, or auditing.
Related Topics
Starting RADIUS Accounting, on page 1218

Vendor-Specific RADIUS Attributes


The Internet Engineering Task Force (IETF) draft standard specifies a method for communicating
vendor-specific information between the switch and the RADIUS server by using the vendor-specific attribute
(attribute 26). Vendor-specific attributes (VSAs) allow vendors to support their own extended attributes not
suitable for general use. The Cisco RADIUS implementation supports one vendor-specific option by using
the format recommended in the specification. Cisco’s vendor-ID is 9, and the supported option has vendor-type
1, which is named cisco-avpair. The value is a string with this format:

protocol : attribute sep value *

Protocol is a value of the Cisco protocol attribute for a particular type of authorization. Attribute and value
are an appropriate attribute-value (AV) pair defined in the Cisco TACACS+ specification, and sep is = for
mandatory attributes and * for optional attributes. The full set of features available for TACACS+
authorization can then be used for RADIUS.
For example, the following AV pair causes Cisco’s “multiple named IP address pools” feature to be activated
during IP authorization (during PPP’s Internet Protocol Control Protocol (IPCP) address assignment):


cisco-avpair= "ip:addr-pool=first"

If you use "*" in place of "=" as the separator, the AV pair "ip:addr-pool=first" becomes optional. Note that
any AV pair can be made optional:
cisco-avpair= "ip:addr-pool*first"

The following example shows how to cause a user logging in from a network access server to have immediate
access to EXEC commands:
cisco-avpair= "shell:priv-lvl=15"

Other vendors have their own unique vendor-IDs, options, and associated VSAs. For more information about
vendor-IDs and VSAs, see RFC 2138, “Remote Authentication Dial-In User Service (RADIUS).”
Attribute 26 contains the following three elements:
• Type
• Length
• String (also known as data), which in turn carries the vendor-specific sub-attribute:
  • Vendor-Id
  • Vendor-Type
  • Vendor-Length
  • Vendor-Data

The figure below shows the packet format for a VSA encapsulated “behind” attribute 26.
Figure 99: VSA Encapsulated Behind Attribute 26

Note It is up to the vendor to specify the format of their VSA. The Attribute-Specific field (also known as
Vendor-Data) is dependent on the vendor's definition of that attribute.
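As an added example (not Cisco's code), the following Python encodes a cisco-avpair string into the attribute-26 layout listed above (Type, Length, Vendor-Id, then Vendor-Type, Vendor-Length, Vendor-Data), decodes it back while checking every length field before trusting it, and splits the "protocol:attribute sep value" string so that mandatory (=) and optional (*) pairs are told apart. It assumes one sub-attribute per VSA, which is how the cisco-avpair examples above are carried.

```python
"""Encode and decode Cisco VSAs: RADIUS attribute 26, vendor-ID 9, vendor-type 1 (cisco-avpair).

Added example, not Cisco's code. The byte layout follows RFC 2865 section 5.26 and
the cisco-avpair string format "protocol:attribute<sep>value" described in the text.
"""
import struct
from dataclasses import dataclass
from typing import Tuple

ATTR_VENDOR_SPECIFIC = 26    # IETF attribute number
VENDOR_ID_CISCO = 9          # Cisco's vendor-ID
VENDOR_TYPE_CISCO_AVPAIR = 1 # the one Cisco vendor-type, named cisco-avpair


@dataclass(frozen=True)
class AVPair:
    protocol: str    # e.g. "shell", "ip", "subscriber"
    attribute: str   # e.g. "priv-lvl"
    value: str       # e.g. "15"
    mandatory: bool  # "=" separator means mandatory, "*" means optional

    def to_string(self) -> str:
        sep = "=" if self.mandatory else "*"
        return f"{self.protocol}:{self.attribute}{sep}{self.value}"


def parse_avpair(text: str) -> AVPair:
    """Split "protocol:attribute=value" / "protocol:attribute*value" into its parts."""
    protocol, colon, rest = text.partition(":")
    if not colon or not protocol:
        raise ValueError(f"missing protocol prefix in {text!r}")
    # The first '=' or '*' after the protocol is the separator; the value itself may
    # contain either character, so only the first occurrence counts.
    for i, ch in enumerate(rest):
        if ch in "=*":
            if i == 0:
                raise ValueError(f"empty attribute name in {text!r}")
            return AVPair(protocol, rest[:i], rest[i + 1:], mandatory=(ch == "="))
    raise ValueError(f"no '=' or '*' separator in {text!r}")


def encode_cisco_avpair(pair: AVPair) -> bytes:
    """Build one attribute-26 TLV carrying a single cisco-avpair sub-attribute."""
    data = pair.to_string().encode("ascii")  # non-ASCII raises UnicodeEncodeError
    vendor_length = 2 + len(data)            # Vendor-Type + Vendor-Length + Vendor-Data
    length = 6 + vendor_length               # Type + Length + Vendor-Id + sub-attribute
    if length > 255:
        raise ValueError("cisco-avpair too long for the one-octet attribute length")
    header = struct.pack("!BBI", ATTR_VENDOR_SPECIFIC, length, VENDOR_ID_CISCO)
    sub_header = struct.pack("!BB", VENDOR_TYPE_CISCO_AVPAIR, vendor_length)
    return header + sub_header + data


def decode_vsa(buf: bytes) -> Tuple[int, int, bytes]:
    """Return (vendor_id, vendor_type, vendor_data) from one attribute-26 TLV.

    Every length field is checked against the bytes actually present, so a
    truncated or padded attribute is rejected rather than read past its end.
    """
    if len(buf) < 8:
        raise ValueError("attribute too short to hold a VSA header")
    attr_type, length, vendor_id = struct.unpack("!BBI", buf[:6])
    if attr_type != ATTR_VENDOR_SPECIFIC:
        raise ValueError(f"not a vendor-specific attribute (type {attr_type})")
    if length != len(buf):
        raise ValueError(f"length field {length} does not match {len(buf)} bytes present")
    vendor_type, vendor_length = buf[6], buf[7]
    if vendor_length < 2 or 6 + vendor_length != length:
        raise ValueError("vendor-length does not account for the rest of the attribute")
    return vendor_id, vendor_type, buf[8:]


def decode_cisco_avpair(buf: bytes) -> AVPair:
    """Decode an attribute-26 TLV that must carry a Cisco cisco-avpair."""
    vendor_id, vendor_type, vendor_data = decode_vsa(buf)
    if vendor_id != VENDOR_ID_CISCO or vendor_type != VENDOR_TYPE_CISCO_AVPAIR:
        raise ValueError(f"unexpected vendor {vendor_id} / vendor-type {vendor_type}")
    return parse_avpair(vendor_data.decode("ascii"))


if __name__ == "__main__":
    # The two AV pairs quoted in the text, shown in their on-the-wire form.
    for text in ("shell:priv-lvl=15", "ip:addr-pool*first"):
        wire = encode_cisco_avpair(parse_avpair(text))
        print(f"{text:20} -> {wire.hex()}")
        assert decode_cisco_avpair(wire).to_string() == text
```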

The table below describes significant fields listed in the Vendor-Specific RADIUS IETF Attributes table
(second table below), which lists supported vendor-specific RADIUS attributes (IETF attribute 26).

Table 132: Vendor-Specific Attributes Table Field Descriptions

Field | Description
Number | All attributes listed in the following table are extensions of IETF attribute 26.
Vendor-Specific Command Codes | A defined code used to identify a particular vendor. Code 9 defines Cisco VSAs, 311 defines Microsoft VSAs, and 529 defines Ascend VSAs.
Sub-Type Number | The attribute ID number. This number is much like the ID numbers of IETF attributes, except it is a “second layer” ID number encapsulated behind attribute 26.
Attribute | The ASCII string name of the attribute.
Description | Description of the attribute.

Table 133: Vendor-Specific RADIUS IETF Attributes

Number | Vendor-Specific Company Code | Sub-Type Number | Attribute | Description

MS-CHAP Attributes
26 | 311 | 1 | MSCHAP-Response | Contains the response value provided by a PPP MS-CHAP user in response to the challenge. It is only used in Access-Request packets. This attribute is identical to the PPP CHAP Identifier. (RFC 2548)
26 | 311 | 11 | MSCHAP-Challenge | Contains the challenge sent by a network access server to an MS-CHAP user. It can be used in both Access-Request and Access-Challenge packets. (RFC 2548)

VPDN Attributes
26 | 9 | 1 | l2tp-cm-local-window-size | Specifies the maximum receive window size for L2TP control messages. This value is advertised to the peer during tunnel establishment.
26 | 9 | 1 | l2tp-drop-out-of-order | Respects sequence numbers on data packets by dropping those that are received out of order. This does not ensure that sequence numbers will be sent on data packets, just how to handle them if they are received.
26 | 9 | 1 | l2tp-hello-interval | Specifies the number of seconds for the hello keepalive interval. Hello packets are sent when no data has been sent on a tunnel for the number of seconds configured here.
26 | 9 | 1 | l2tp-hidden-avp | When enabled, sensitive AVPs in L2TP control messages are scrambled or hidden.
26 | 9 | 1 | l2tp-nosession-timeout | Specifies the number of seconds that a tunnel will stay active with no sessions before timing out and shutting down.
26 | 9 | 1 | tunnel-tos-reflect | Copies the IP ToS field from the IP header of each payload packet to the IP header of the tunnel packet for packets entering the tunnel at the LNS.
26 | 9 | 1 | l2tp-tunnel-authen | If this attribute is set, it performs L2TP tunnel authentication.
26 | 9 | 1 | l2tp-tunnel-password | Shared secret used for L2TP tunnel authentication and AVP hiding.
26 | 9 | 1 | l2tp-udp-checksum | This is an authorization attribute and defines whether L2TP should perform UDP checksums for data packets. Valid values are “yes” and “no.” The default is no.

Store and Forward Fax Attributes
26 | 9 | 3 | Fax-Account-Id-Origin | Indicates the account ID origin as defined by the system administrator for the mmoip aaa receive-id or the mmoip aaa send-id commands.
26 | 9 | 4 | Fax-Msg-Id | Indicates a unique fax message identification number assigned by Store and Forward Fax.
26 | 9 | 5 | Fax-Pages | Indicates the number of pages transmitted or received during this fax session. This page count includes cover pages.
26 | 9 | 6 | Fax-Coverpage-Flag | Indicates whether or not a cover page was generated by the off-ramp gateway for this fax session. True indicates that a cover page was generated; false means that a cover page was not generated.
26 | 9 | 7 | Fax-Modem-Time | Indicates the amount of time in seconds the modem sent fax data (x) and the amount of time in seconds of the total fax session (y), which includes both fax-mail and PSTN time, in the form x/y. For example, 10/15 means that the transfer time took 10 seconds, and the total fax session took 15 seconds.
26 | 9 | 8 | Fax-Connect-Speed | Indicates the modem speed at which this fax-mail was initially transmitted or received. Possible values are 1200, 4800, 9600, and 14400.
26 | 9 | 9 | Fax-Recipient-Count | Indicates the number of recipients for this fax transmission. Until e-mail servers support Session mode, the number should be 1.
26 | 9 | 10 | Fax-Process-Abort-Flag | Indicates that the fax session was aborted or successful. True means that the session was aborted; false means that the session was successful.
26 | 9 | 11 | Fax-Dsn-Address | Indicates the address to which DSNs will be sent.
26 | 9 | 12 | Fax-Dsn-Flag | Indicates whether or not DSN has been enabled. True indicates that DSN has been enabled; false means that DSN has not been enabled.
26 | 9 | 13 | Fax-Mdn-Address | Indicates the address to which MDNs will be sent.
26 | 9 | 14 | Fax-Mdn-Flag | Indicates whether or not message delivery notification (MDN) has been enabled. True indicates that MDN had been enabled; false means that MDN had not been enabled.
26 | 9 | 15 | Fax-Auth-Status | Indicates whether or not authentication for this fax session was successful. Possible values for this field are success, failed, bypassed, or unknown.
26 | 9 | 16 | Email-Server-Address | Indicates the IP address of the e-mail server handling the on-ramp fax-mail message.
26 | 9 | 17 | Email-Server-Ack-Flag | Indicates that the on-ramp gateway has received a positive acknowledgment from the e-mail server accepting the fax-mail message.
26 | 9 | 18 | Gateway-Id | Indicates the name of the gateway that processed the fax session. The name appears in the following format: hostname.domain-name.
26 | 9 | 19 | Call-Type | Describes the type of fax activity: fax receive or fax send.
26 | 9 | 20 | Port-Used | Indicates the slot/port number of the Cisco AS5300 used to either transmit or receive this fax-mail.
26 | 9 | 21 | Abort-Cause | If the fax session aborts, indicates the system component that signaled the abort. Examples of system components that could trigger an abort are FAP (Fax Application Process), TIFF (the TIFF reader or the TIFF writer), fax-mail client, fax-mail server, ESMTP client, or ESMTP server.

H323 Attributes
26 | 9 | 23 | Remote-Gateway-ID (h323-remote-address) | Indicates the IP address of the remote gateway.
26 | 9 | 24 | Connection-ID (h323-conf-id) | Identifies the conference ID.
26 | 9 | 25 | Setup-Time (h323-setup-time) | Indicates the setup time for this connection in Coordinated Universal Time (UTC), formerly known as Greenwich Mean Time (GMT) and Zulu time.
26 | 9 | 26 | Call-Origin (h323-call-origin) | Indicates the origin of the call relative to the gateway. Possible values are originating and terminating (answer).
26 | 9 | 27 | Call-Type (h323-call-type) | Indicates call leg type. Possible values are telephony and VoIP.
26 | 9 | 28 | Connect-Time (h323-connect-time) | Indicates the connection time for this call leg in UTC.
26 | 9 | 29 | Disconnect-Time (h323-disconnect-time) | Indicates the time this call leg was disconnected in UTC.
26 | 9 | 30 | Disconnect-Cause (h323-disconnect-cause) | Specifies the reason a connection was taken offline per the Q.931 specification.
26 | 9 | 31 | Voice-Quality (h323-voice-quality) | Specifies the impairment factor (ICPIF) affecting voice quality for a call.
26 | 9 | 33 | Gateway-ID (h323-gw-id) | Indicates the name of the underlying gateway.

Large Scale Dialout Attributes
26 | 9 | 1 | callback-dialstring | Defines a dialing string to be used for callback.
26 | 9 | 1 | data-service | No description available.
26 | 9 | 1 | dial-number | Defines the number to dial.
26 | 9 | 1 | force-56 | Determines whether the network access server uses only the 56 K portion of a channel, even when all 64 K appear to be available.
26 | 9 | 1 | map-class | Allows the user profile to reference information configured in a map class of the same name on the network access server that dials out.
26 | 9 | 1 | send-auth | Defines the protocol to use (PAP or CHAP) for username-password authentication following CLID authentication.
26 | 9 | 1 | send-name | PPP name authentication. To apply for PAP, do not configure the ppp pap sent-name password command on the interface. For PAP, “preauth:send-name” and “preauth:send-secret” will be used as the PAP username and PAP password for outbound authentication. For CHAP, “preauth:send-name” will be used not only for outbound authentication, but also for inbound authentication. For a CHAP inbound case, the NAS will use the name defined in “preauth:send-name” in the challenge packet to the caller box. Note: The send-name attribute has changed over time. Initially, it performed the functions now provided by both the send-name and remote-name attributes. Because the remote-name attribute has been added, the send-name attribute is restricted to its current behavior.
26 | 9 | 1 | send-secret | PPP password authentication. The vendor-specific attributes (VSAs) “preauth:send-name” and “preauth:send-secret” will be used as the PAP username and PAP password for outbound authentication. For a CHAP outbound case, both “preauth:send-name” and “preauth:send-secret” will be used in the response packet.
26 | 9 | 1 | remote-name | Provides the name of the remote host for use in large-scale dial-out. Dialer checks that the large-scale dial-out remote name matches the authenticated name, to protect against accidental user RADIUS misconfiguration. (For example, dialing a valid phone number but connecting to the wrong device.)

Miscellaneous Attributes
26 | 9 | 2 | Cisco-NAS-Port | Specifies additional vendor-specific attribute (VSA) information for NAS-Port accounting. To specify additional NAS-Port information in the form of an Attribute-Value Pair (AVPair) string, use the radius-server vsa send global configuration command. Note: This VSA is typically used in Accounting, but may also be used in Authentication (Access-Request) packets.
26 | 9 | 1 | min-links | Sets the minimum number of links for MLP.
26 | 9 | 1 | proxyacl#<n> | Allows users to configure the downloadable user profiles (dynamic ACLs) by using the authentication proxy feature so that users can have the configured authorization to permit traffic going through the configured interfaces.
26 | 9 | 1 | spi | Carries the authentication information needed by the home agent to authenticate a mobile node during registration. The information is in the same syntax as the ip mobile secure host <addr> configuration command. Basically it contains the rest of the configuration command that follows that string, verbatim. It provides the Security Parameter Index (SPI), key, authentication algorithm, authentication mode, and replay protection timestamp range.

Related Topics
Configuring the Switch to Use Vendor-Specific RADIUS Attributes, on page 1222

Vendor-Proprietary RADIUS Server Communication


Although an IETF draft standard for RADIUS specifies a method for communicating vendor-proprietary
information between the switch and the RADIUS server, some vendors have extended the RADIUS attribute
set in a unique way. Cisco IOS software supports a subset of vendor-proprietary RADIUS attributes.
As mentioned earlier, to configure RADIUS (whether vendor-proprietary or IETF draft-compliant), you must
specify the host running the RADIUS server daemon and the secret text string it shares with the switch. You
specify the RADIUS host and secret text string by using the radius-server global configuration commands.
Related Topics
Configuring the Switch for Vendor-Proprietary RADIUS Server Communication, on page 1223

How to Configure RADIUS


Identifying the RADIUS Server Host
To apply these settings globally to all RADIUS servers communicating with the switch, use the three
unique global configuration commands: radius-server timeout, radius-server retransmit, and radius-server
key. To apply these values on a specific RADIUS server, use the radius-server host global configuration
command.


You can configure the switch to use AAA server groups to group existing server hosts for authentication.
For more information, see Related Topics below.
You also need to configure some settings on the RADIUS server. These settings include the IP address of the
switch and the key string to be shared by both the server and the switch. For more information,
see the RADIUS server documentation.
Follow these steps to configure per-server RADIUS server communication.

Before you begin


If you configure both global and per-server functions (timeout, retransmission, and key commands) on the
switch, the per-server timer, retransmission, and key value commands override global timer, retransmission,
and key value commands. For information on configuring these settings on all RADIUS servers, see Related
Topics below.

SUMMARY STEPS
1. enable
2. configure terminal
3. radius-server host {hostname | ip-address} [auth-port port-number] [acct-port port-number] [timeout
seconds] [retransmit retries] [key string]
4. end
5. show running-config
6. copy running-config startup-config

DETAILED STEPS

Step 1: enable
Enables privileged EXEC mode. Enter your password if prompted.
Example:
SwitchDevice> enable

Step 2: configure terminal
Enters the global configuration mode.
Example:
SwitchDevice# configure terminal

Step 3: radius-server host {hostname | ip-address} [auth-port port-number] [acct-port port-number] [timeout seconds] [retransmit retries] [key string]
Specifies the IP address or hostname of the remote RADIUS server host.
• (Optional) For auth-port port-number, specify the UDP destination port for authentication requests.
• (Optional) For acct-port port-number, specify the UDP destination port for accounting requests.
• (Optional) For timeout seconds, specify the time interval that the switch waits for the RADIUS server to reply before resending. The range is 1 to 1000. This setting overrides the radius-server timeout global configuration command setting. If no timeout is set with the radius-server host command, the setting of the radius-server timeout command is used.
• (Optional) For retransmit retries, specify the number of times a RADIUS request is resent to a server if that server is not responding or responding slowly. The range is 1 to 1000. If no retransmit value is set with the radius-server host command, the setting of the radius-server retransmit global configuration command is used.
• (Optional) For key string, specify the authentication and encryption key used between the switch and the RADIUS daemon running on the RADIUS server.
Note The key is a text string that must match the encryption key used on the RADIUS server. Always configure the key as the last item in the radius-server host command. Leading spaces are ignored, but spaces within and at the end of the key are used. If you use spaces in your key, do not enclose the key in quotation marks unless the quotation marks are part of the key.
To configure the switch to recognize more than one host entry associated with a single IP address, enter this command as many times as necessary, making sure that each UDP port number is different. The switch software searches for hosts in the order in which you specify them. Set the timeout, retransmit, and encryption key values to use with the specific RADIUS host.
Example:
SwitchDevice(config)# radius-server host 172.29.36.49 auth-port 1612 key rad1

Step 4: end
Returns to privileged EXEC mode.
Example:
SwitchDevice(config)# end

Step 5: show running-config
Verifies your entries.
Example:
SwitchDevice# show running-config

Step 6: copy running-config startup-config
(Optional) Saves your entries in the configuration file.
Example:
SwitchDevice# copy running-config startup-config

Related Topics
RADIUS Server Host, on page 1195
Defining AAA Server Groups, on page 1214
Configuring Settings for All RADIUS Servers, on page 1220

Configuring RADIUS Login Authentication


Follow these steps to configure RADIUS login authentication:

Before you begin


To secure the switch for HTTP access by using AAA methods, you must configure the switch with the ip
http authentication aaa global configuration command. Configuring AAA authentication does not secure
the switch for HTTP access by using AAA methods.

SUMMARY STEPS
1. enable
2. configure terminal
3. aaa new-model
4. aaa authentication login {default | list-name} method1 [method2...]
5. line [console | tty | vty] line-number [ending-line-number]
6. login authentication {default | list-name}
7. end
8. show running-config
9. copy running-config startup-config

DETAILED STEPS

Step 1: enable
Enables privileged EXEC mode. Enter your password if prompted.
Example:
SwitchDevice> enable

Step 2: configure terminal
Enters the global configuration mode.
Example:
SwitchDevice# configure terminal

Step 3: aaa new-model
Enables AAA.
Example:
SwitchDevice(config)# aaa new-model

Step 4: aaa authentication login {default | list-name} method1 [method2...]
Creates a login authentication method list.
• To create a default list that is used when a named list is not specified in the login authentication command, use the default keyword followed by the methods that are to be used in default situations. The default method list is automatically applied to all ports.
• For list-name, specify a character string to name the list you are creating.
• For method1..., specify the actual method the authentication algorithm tries. The additional methods of authentication are used only if the previous method returns an error, not if it fails.
Select one of these methods:
• enable—Use the enable password for authentication. Before you can use this authentication method, you must define an enable password by using the enable password global configuration command.
• group radius—Use RADIUS authentication. Before you can use this authentication method, you must configure the RADIUS server.
• line—Use the line password for authentication. Before you can use this authentication method, you must define a line password. Use the password password line configuration command.
• local—Use the local username database for authentication. You must enter username information in the database. Use the username name password global configuration command.
• local-case—Use a case-sensitive local username database for authentication. You must enter username information in the database by using the username password global configuration command.
• none—Do not use any authentication for login.
Example:
SwitchDevice(config)# aaa authentication login default local

Step 5: line [console | tty | vty] line-number [ending-line-number]
Enters line configuration mode, and configures the lines to which you want to apply the authentication list.
Example:
SwitchDevice(config)# line 1 4

Step 6: login authentication {default | list-name}
Applies the authentication list to a line or set of lines.
• If you specify default, use the default list created with the aaa authentication login command.
• For list-name, specify the list created with the aaa authentication login command.
Example:
SwitchDevice(config)# login authentication default

Step 7: end
Returns to privileged EXEC mode.
Example:
SwitchDevice(config)# end

Step 8: show running-config
Verifies your entries.
Example:
SwitchDevice# show running-config

Step 9: copy running-config startup-config
(Optional) Saves your entries in the configuration file.
Example:
SwitchDevice# copy running-config startup-config

Related Topics
RADIUS Login Authentication, on page 1196
RADIUS Server Host, on page 1195

Defining AAA Server Groups


You use the server group server configuration command to associate a particular server with a defined group
server. You can either identify the server by its IP address or identify multiple host instances or entries by
using the optional auth-port and acct-port keywords.
Follow these steps to define AAA server groups:

SUMMARY STEPS
1. enable
2. configure terminal
3. radius-server host {hostname | ip-address} [auth-port port-number] [acct-port port-number] [timeout seconds] [retransmit retries] [key string]
4. aaa new-model
5. aaa group server radius group-name
6. server ip-address
7. end
8. show running-config
9. copy running-config startup-config

DETAILED STEPS

Command or Action Purpose


Step 1 enable Enables privileged EXEC mode. Enter your password if
prompted.
Example:

SwitchDevice> enable

Step 2 configure terminal Enters the global configuration mode.


Example:

SwitchDevice# configure terminal

Step 3 radius-server host {hostname | ip-address} [auth-port port-number] [acct-port port-number] [timeout seconds] [retransmit retries] [key string] Specifies the IP address or hostname of the remote RADIUS server host.
Example:

SwitchDevice(config)# radius-server host 172.29.36.49 auth-port 1612 key rad1

• (Optional) For auth-port port-number, specify the UDP destination port for authentication requests.
• (Optional) For acct-port port-number, specify the UDP destination port for accounting requests.
• (Optional) For timeout seconds, specify the time
interval that the switch waits for the RADIUS server
to reply before resending. The range is 1 to 1000. This
setting overrides the radius-server timeout global
configuration command setting. If no timeout is set
with the radius-server host command, the setting of
the radius-server timeout command is used.
• (Optional) For retransmit retries, specify the number
of times a RADIUS request is resent to a server if that
server is not responding or responding slowly. The
range is 1 to 1000. If no retransmit value is set with
the radius-server host command, the setting of the
radius-server retransmit global configuration
command is used.
• (Optional) For key string, specify the authentication
and encryption key used between the switch and the
RADIUS daemon running on the RADIUS server.

Note The key is a text string that must match the
encryption key used on the RADIUS server.
Always configure the key as the last item in the
radius-server host command. Leading spaces
are ignored, but spaces within and at the end of
the key are used. If you use spaces in your key,
do not enclose the key in quotation marks unless
the quotation marks are part of the key.

To configure the switch to recognize more than one host entry associated with a single IP address, enter this
command as many times as necessary, making sure that each UDP port number is different. The switch software
searches for hosts in the order in which you specify them. Set the timeout, retransmit, and encryption key values
to use with the specific RADIUS host.

Step 4 aaa new-model Enables AAA.


Example:

SwitchDevice(config)# aaa new-model

Step 5 aaa group server radius group-name Defines the AAA server group with a group name. This command puts the switch in server group configuration mode.
Example:

SwitchDevice(config)# aaa group server radius group1

Step 6 server ip-address Associates a particular RADIUS server with the defined server group. Repeat this step for each RADIUS server in the AAA server group. Each server in the group must be previously defined in Step 2.
Example:

SwitchDevice(config-sg-radius)# server 172.20.0.1 auth-port 1000 acct-port 1001

Step 7 end Returns to privileged EXEC mode.


Example:

SwitchDevice(config)# end

Step 8 show running-config Verifies your entries.


Example:

SwitchDevice# show running-config

Step 9 copy running-config startup-config (Optional) Saves your entries in the configuration file.
Example:

SwitchDevice# copy running-config startup-config

Related Topics
Identifying the RADIUS Server Host, on page 1209
RADIUS Server Host, on page 1195
AAA Server Groups, on page 1196

Configuring RADIUS Authorization for User Privileged Access and Network


Services

Note Authorization is bypassed for authenticated users who log in through the CLI even if authorization has been
configured.

Follow these steps to configure RADIUS authorization for user privileged access and network services:

SUMMARY STEPS
1. enable
2. configure terminal
3. aaa authorization network radius
4. aaa authorization exec radius
5. end
6. show running-config
7. copy running-config startup-config

DETAILED STEPS

Command or Action Purpose


Step 1 enable Enables privileged EXEC mode. Enter your password if
prompted.
Example:

SwitchDevice> enable

Step 2 configure terminal Enters the global configuration mode.


Example:

SwitchDevice# configure terminal

Step 3 aaa authorization network radius Configures the switch for user RADIUS authorization for all network-related service requests.
Example:

SwitchDevice(config)# aaa authorization network radius

Step 4 aaa authorization exec radius Configures the switch for user RADIUS authorization if the user has privileged EXEC access. The exec keyword might return user profile information (such as autocommand information).
Example:

SwitchDevice(config)# aaa authorization exec radius

Step 5 end Returns to privileged EXEC mode.


Example:

SwitchDevice(config)# end

Step 6 show running-config Verifies your entries.


Example:

SwitchDevice# show running-config

Step 7 copy running-config startup-config (Optional) Saves your entries in the configuration file.
Example:

SwitchDevice# copy running-config startup-config

What to do next
You can use the aaa authorization global configuration command with the radius keyword to set parameters
that restrict a user’s network access to privileged EXEC mode.
The aaa authorization exec radius local command sets these authorization parameters:
• Use RADIUS for privileged EXEC access authorization if authentication was performed by using
RADIUS.
• Use the local database if authentication was not performed by using RADIUS.

Related Topics
AAA Authorization, on page 1197

Starting RADIUS Accounting


Follow these steps to start RADIUS accounting:

SUMMARY STEPS
1. enable
2. configure terminal
3. aaa accounting network start-stop radius
4. aaa accounting exec start-stop radius
5. end
6. show running-config
7. copy running-config startup-config

DETAILED STEPS

Command or Action Purpose


Step 1 enable Enables privileged EXEC mode. Enter your password if
prompted.
Example:

SwitchDevice> enable

Step 2 configure terminal Enters the global configuration mode.


Example:

SwitchDevice# configure terminal

Step 3 aaa accounting network start-stop radius Enables RADIUS accounting for all network-related service requests.
Example:

SwitchDevice(config)# aaa accounting network start-stop radius

Step 4 aaa accounting exec start-stop radius Enables RADIUS accounting to send a start-record accounting notice at the beginning of a privileged EXEC process and a stop-record at the end.
Example:

SwitchDevice(config)# aaa accounting exec start-stop radius

Step 5 end Returns to privileged EXEC mode.


Example:

SwitchDevice(config)# end

Step 6 show running-config Verifies your entries.


Example:

SwitchDevice# show running-config

Step 7 copy running-config startup-config (Optional) Saves your entries in the configuration file.
Example:

SwitchDevice# copy running-config startup-config

What to do next
To establish a session with a router if the AAA server is unreachable, use the aaa accounting system
guarantee-first command. This command guarantees system accounting as the first record, which is the
default condition. In some situations, users might be prevented from starting a session on the console or
terminal connection until after the system reloads, which can take more than 3 minutes.
To establish a console or Telnet session with the router if the AAA server is unreachable when the router
reloads, use the no aaa accounting system guarantee-first command.
Related Topics
RADIUS Accounting, on page 1197

Configuring Settings for All RADIUS Servers


Beginning in privileged EXEC mode, follow these steps to configure settings for all RADIUS servers:

SUMMARY STEPS
1. configure terminal
2. radius-server key string
3. radius-server retransmit retries
4. radius-server timeout seconds
5. radius-server deadtime minutes
6. end
7. show running-config
8. copy running-config startup-config

DETAILED STEPS

Command or Action Purpose


Step 1 configure terminal Enters the global configuration mode.
Example:

SwitchDevice# configure terminal

Step 2 radius-server key string Specifies the shared secret text string used between the switch and all RADIUS servers.
Example:

SwitchDevice(config)# radius-server key your_server_key

Note The key is a text string that must match the encryption key used on the RADIUS server. Leading spaces are
ignored, but spaces within and at the end of the key are used. If you use spaces in your key, do not enclose the
key in quotation marks unless the quotation marks are part of the key.

Step 3 radius-server retransmit retries Specifies the number of times the switch sends each RADIUS request to the server before giving up. The default is 3; the range is 1 to 1000.
Example:

SwitchDevice(config)# radius-server retransmit 5

Step 4 radius-server timeout seconds Specifies the number of seconds a switch waits for a reply to a RADIUS request before resending the request. The default is 5 seconds; the range is 1 to 1000.
Example:

SwitchDevice(config)# radius-server timeout 3

Step 5 radius-server deadtime minutes When a RADIUS server is not responding to authentication requests, this command specifies a time to stop the request on that server. This avoids the wait for the request to time out before trying the next configured server. The default is 0; the range is 1 to 1440 minutes.
Example:

SwitchDevice(config)# radius-server deadtime 0

Step 6 end Returns to privileged EXEC mode.


Example:

SwitchDevice(config)# end

Step 7 show running-config Verifies your entries.


Example:

SwitchDevice# show running-config

Step 8 copy running-config startup-config (Optional) Saves your entries in the configuration file.
Example:

SwitchDevice# copy running-config startup-config

Related Topics
Identifying the RADIUS Server Host, on page 1209
RADIUS Server Host, on page 1195
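The timeout, retransmit and deadtime settings interact: a server that never answers costs roughly timeout × retransmit seconds on every request unless deadtime marks it dead so that later requests skip it. The following Python model is added here as an illustration and is not Cisco's code. It replays the procedure above on a constructed two-server setup using the defaults from Steps 3 and 4 (timeout 5, retransmit 3), once with the default deadtime 0 and once with deadtime 10. The selection logic it encodes (servers tried in configured order, each unanswered send waiting one timeout, a silent server skipped for deadtime minutes) is an assumption that simplifies the real IOS behaviour.

```python
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional, Tuple


@dataclass
class RadiusServer:
    """One radius-server host entry with the per-host timeout/retransmit values."""
    host: str
    timeout: int = 5       # seconds to wait per send (radius-server timeout default)
    retransmit: int = 3    # sends per server before giving up (radius-server retransmit default)


@dataclass
class RadiusFailoverModel:
    """Simplified model of server selection; an assumption, not the IOS algorithm."""
    servers: List[RadiusServer]            # tried in configured order
    deadtime_minutes: int = 0              # radius-server deadtime; 0 disables dead marking
    dead_until: Dict[str, float] = field(default_factory=dict)

    def send(self, now: float, responds: Callable[[str], bool]) -> Tuple[Optional[str], int]:
        """Return (host that answered or None, seconds spent waiting on silent servers)."""
        waited = 0
        for srv in self.servers:
            if self.dead_until.get(srv.host, 0.0) > now:
                continue                   # marked dead: skipped without waiting
            for _attempt in range(srv.retransmit):
                if responds(srv.host):
                    return srv.host, waited
                waited += srv.timeout      # each unanswered send costs one timeout
            if self.deadtime_minutes > 0:  # deadtime 0: the server is retried every time
                self.dead_until[srv.host] = now + waited + self.deadtime_minutes * 60
        return None, waited


def demo() -> Dict[str, Tuple[Optional[str], int]]:
    """Constructed scenario: the first configured server never answers."""

    def make_servers() -> List[RadiusServer]:
        return [RadiusServer("172.20.0.1"), RadiusServer("172.10.0.1")]

    def responds(host: str) -> bool:
        return host != "172.20.0.1"        # constructed: 172.20.0.1 is down

    no_deadtime = RadiusFailoverModel(make_servers(), deadtime_minutes=0)
    with_deadtime = RadiusFailoverModel(make_servers(), deadtime_minutes=10)
    return {
        "deadtime0_first": no_deadtime.send(0, responds),
        "deadtime0_second": no_deadtime.send(60, responds),
        "deadtime10_first": with_deadtime.send(0, responds),
        "deadtime10_second": with_deadtime.send(60, responds),
        # 15 s of timeouts plus 10 minutes have passed: the dead mark has expired
        "deadtime10_expired": with_deadtime.send(15 + 10 * 60 + 1, responds),
    }


if __name__ == "__main__":
    for case, (host, waited) in demo().items():
        print(f"{case:20s} answered by {host} after waiting {waited}s")
```

With deadtime 0 every login that reaches the down server waits the full 15 seconds before the backup answers; with deadtime 10 only the first login pays that cost and the next ten minutes of logins go straight to the backup, which is the wait the procedure's Step 5 says deadtime avoids.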

Configuring the Switch to Use Vendor-Specific RADIUS Attributes


Follow these steps to configure the switch to use vendor-specific RADIUS attributes:

SUMMARY STEPS
1. enable
2. configure terminal
3. radius-server vsa send [accounting | authentication]
4. end
5. show running-config
6. copy running-config startup-config

DETAILED STEPS

Command or Action Purpose


Step 1 enable Enables privileged EXEC mode. Enter your password if
prompted.
Example:

SwitchDevice> enable

Step 2 configure terminal Enters the global configuration mode.


Example:

SwitchDevice# configure terminal

Step 3 radius-server vsa send [accounting | authentication] Enables the switch to recognize and use VSAs as defined by RADIUS IETF attribute 26.
• (Optional) Use the accounting keyword to limit the set of recognized vendor-specific attributes to only accounting attributes.
• (Optional) Use the authentication keyword to limit the set of recognized vendor-specific attributes to only authentication attributes.
If you enter this command without keywords, both accounting and authentication vendor-specific attributes are used.
Example:

SwitchDevice(config)# radius-server vsa send

Step 4 end Returns to privileged EXEC mode.


Example:

SwitchDevice(config)# end

Step 5 show running-config Verifies your entries.
Example:

SwitchDevice# show running-config

Step 6 copy running-config startup-config (Optional) Saves your entries in the configuration file.
Example:

SwitchDevice# copy running-config startup-config

Related Topics
Vendor-Specific RADIUS Attributes, on page 1197

Configuring the Switch for Vendor-Proprietary RADIUS Server Communication


Follow these steps to configure the switch to use vendor-proprietary RADIUS server communication:

SUMMARY STEPS
1. enable
2. configure terminal
3. radius-server host {hostname | ip-address} non-standard
4. radius-server key string
5. end
6. show running-config
7. copy running-config startup-config

DETAILED STEPS

Command or Action Purpose


Step 1 enable Enables privileged EXEC mode. Enter your password if
prompted.
Example:

SwitchDevice> enable

Step 2 configure terminal Enters the global configuration mode.


Example:

SwitchDevice# configure terminal

Step 3 radius-server host {hostname | ip-address} non-standard Specifies the IP address or hostname of the remote RADIUS server host and identifies that it is using a vendor-proprietary implementation of RADIUS.
Example:

SwitchDevice(config)# radius-server host 172.20.30.15 nonstandard

Step 4 radius-server key string Specifies the shared secret text string used between the switch and the vendor-proprietary RADIUS server. The switch and the RADIUS server use this text string to encrypt passwords and exchange responses.
Example:

SwitchDevice(config)# radius-server key rad124

Note The key is a text string that must match the encryption key used on the RADIUS server. Leading spaces are
ignored, but spaces within and at the end of the key are used. If you use spaces in your key, do not enclose the
key in quotation marks unless the quotation marks are part of the key.

Step 5 end Returns to privileged EXEC mode.


Example:

SwitchDevice(config)# end

Step 6 show running-config Verifies your entries.


Example:

SwitchDevice# show running-config

Step 7 copy running-config startup-config (Optional) Saves your entries in the configuration file.
Example:

SwitchDevice# copy running-config startup-config

What to do next
This feature allows access and authentication requests to be distributed evenly across all RADIUS servers in a server
group. For more information, see the “RADIUS Server Load Balancing” chapter of the Cisco IOS Security
Configuration Guide, Release 12.4.
Related Topics
Vendor-Proprietary RADIUS Server Communication, on page 1209

Configuring CoA on the Switch


Follow these steps to configure CoA on a switch. This procedure is required.

SUMMARY STEPS
1. enable
2. configure terminal
3. aaa new-model
4. aaa server radius dynamic-author
5. client {ip-address | name} [vrf vrfname] [server-key string]
6. server-key [0 | 7] string
7. port port-number
8. auth-type {any | all | session-key}
9. ignore session-key
10. ignore server-key
11. authentication command bounce-port ignore
12. authentication command disable-port ignore
13. end
14. show running-config
15. copy running-config startup-config

DETAILED STEPS

Command or Action Purpose


Step 1 enable Enables privileged EXEC mode. Enter your password if
prompted.
Example:

SwitchDevice> enable

Step 2 configure terminal Enters the global configuration mode.


Example:

SwitchDevice# configure terminal

Step 3 aaa new-model Enables AAA.


Example:

SwitchDevice(config)# aaa new-model

Step 4 aaa server radius dynamic-author Configures the switch as an authentication, authorization, and accounting (AAA) server to facilitate interaction with an external policy server.
Example:

SwitchDevice(config)# aaa server radius dynamic-author

Step 5 client {ip-address | name} [vrf vrfname] [server-key string] Enters dynamic authorization local server configuration mode and specifies a RADIUS client from which a device will accept CoA and disconnect requests.

Step 6 server-key [0 | 7] string Configures the RADIUS key to be shared between a device
and RADIUS clients.
Example:

SwitchDevice(config-sg-radius)# server-key
your_server_key

Step 7 port port-number Specifies the port on which a device listens for RADIUS
requests from configured RADIUS clients.
Example:

SwitchDevice(config-sg-radius)# port 25

Step 8 auth-type {any | all | session-key} Specifies the type of authorization the switch uses for RADIUS clients. The client must match all the configured attributes for authorization.
Example:

SwitchDevice(config-sg-radius)# auth-type any

Step 9 ignore session-key (Optional) Configures the switch to ignore the session-key.
For more information about the ignore command, see the
Cisco IOS Intelligent Services Gateway Command
Reference on Cisco.com.

Step 10 ignore server-key (Optional) Configures the switch to ignore the server-key. For more information about the ignore command, see the Cisco IOS Intelligent Services Gateway Command Reference on Cisco.com.
Example:

SwitchDevice(config-sg-radius)# ignore server-key

Step 11 authentication command bounce-port ignore (Optional) Configures the switch to ignore a CoA request to temporarily disable the port hosting a session. The purpose of temporarily disabling the port is to trigger a DHCP renegotiation from the host when a VLAN change occurs and there is no supplicant on the endpoint to detect the change.
Example:

SwitchDevice(config-sg-radius)# authentication command bounce-port ignore

Step 12 authentication command disable-port ignore (Optional) Configures the switch to ignore a nonstandard command requesting that the port hosting a session be administratively shut down. Shutting down the port results in termination of the session. Use standard CLI or SNMP commands to re-enable the port.
Example:

SwitchDevice(config-sg-radius)# authentication command disable-port ignore

Step 13 end Returns to privileged EXEC mode.


Example:

SwitchDevice(config-sg-radius)# end

Step 14 show running-config Verifies your entries.


Example:

SwitchDevice# show running-config

Step 15 copy running-config startup-config (Optional) Saves your entries in the configuration file.
Example:

SwitchDevice# copy running-config startup-config
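To make the checks behind Steps 5 and 6 concrete, here is a Python model, added as an example and not Cisco's code, of what a dynamic-authorization listener does with an incoming CoA-Request: it accepts packets only from a configured client and verifies the Request Authenticator, which RFC 5176 defines as MD5 over the packet header, 16 zero bytes, the attributes and the shared key. Because the key enters that hash byte for byte, the same example also shows why the radius-server key notes earlier in this chapter insist that spaces within or at the end of the key count: a client whose key ends in a trailing space produces a packet the listener rejects. The client table, the precedence of a per-client server-key over the global one, and the sample addresses and session id are assumptions.

```python
import hashlib
import hmac
import struct

COA_REQUEST = 43   # RADIUS packet code for CoA-Request (RFC 5176)


def encode_attr(attr_type: int, value: bytes) -> bytes:
    """Encode one RADIUS attribute as Type, Length, Value (RFC 2865)."""
    return struct.pack("!BB", attr_type, 2 + len(value)) + value


def build_coa_request(ident: int, attrs: bytes, secret: bytes) -> bytes:
    """Build a CoA-Request the way the RADIUS client (a policy server) would.

    The 16-byte Request Authenticator is MD5 over the header, 16 zero bytes
    standing in for the authenticator, the attributes, and the shared secret.
    """
    length = 20 + len(attrs)
    header = struct.pack("!BBH", COA_REQUEST, ident, length)
    authenticator = hashlib.md5(header + b"\x00" * 16 + attrs + secret).digest()
    return header + authenticator + attrs


def verify_coa_request(packet: bytes, secret: bytes) -> bool:
    """Recompute the Request Authenticator with our copy of the key and compare."""
    if len(packet) < 20:
        return False
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if code != COA_REQUEST or length != len(packet):
        return False
    expected = hashlib.md5(packet[:4] + b"\x00" * 16 + packet[20:] + secret).digest()
    return hmac.compare_digest(expected, packet[4:20])


class DynamicAuthorServer:
    """Minimal model of the aaa server radius dynamic-author listener (assumption, not IOS code).

    clients maps a client IP to its own key (client ... server-key string) or to
    None, meaning the global key from server-key string applies.
    """

    def __init__(self, clients: dict, server_key: bytes):
        self.clients = dict(clients)
        self.server_key = server_key

    def handle(self, src_ip: str, packet: bytes) -> str:
        if src_ip not in self.clients:
            return "drop: unknown client"
        key = self.clients[src_ip] or self.server_key
        if not verify_coa_request(packet, key):
            return "drop: authenticator mismatch"
        return "accept"


def demo() -> dict:
    """Constructed exchange; returns the listener's verdict for each case."""
    key = b"your_server_key"
    server = DynamicAuthorServer({"10.0.0.5": None, "10.0.0.6": b"other_key"}, key)
    # Acct-Session-Id (attribute 44) names the session the request acts on; constructed value.
    attrs = encode_attr(44, b"00000001")
    good = build_coa_request(7, attrs, key)
    # Same request, but the sender's key has a trailing space: spaces at the end of the key count.
    trailing = build_coa_request(7, attrs, b"your_server_key ")
    per_client = build_coa_request(8, attrs, b"other_key")
    return {
        "good": server.handle("10.0.0.5", good),
        "trailing_space_key": server.handle("10.0.0.5", trailing),
        "unknown_client": server.handle("192.0.2.9", good),
        "per_client_key": server.handle("10.0.0.6", per_client),
    }


if __name__ == "__main__":
    for case, outcome in demo().items():
        print(f"{case:20s} -> {outcome}")
```

A mismatched key fails silently on the wire (the request is dropped, not answered), so when CoA stops working the first things to compare are the client list and the exact key bytes on both ends, which is what debug aaa coa in the next section helps confirm.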

Monitoring CoA Functionality


Table 134: Privileged EXEC show Commands

Command Purpose

show aaa attributes protocol radius Displays AAA attributes of RADIUS commands.

Table 135: Global Troubleshooting Commands

Command Purpose

debug radius Displays information for troubleshooting RADIUS.

debug aaa coa Displays information for troubleshooting CoA processing.

debug aaa pod Displays information for troubleshooting POD packets.

debug aaa subsys Displays information for troubleshooting POD packets.

debug cmdhd [detail | error | events] Displays information for troubleshooting command headers.

For detailed information about the fields in these displays, see the command reference for this release.

Configuration Examples for Controlling Switch Access with RADIUS

Examples: Identifying the RADIUS Server Host
This example shows how to configure one RADIUS server to be used for authentication and another to be
used for accounting:

SwitchDevice(config)# radius-server host 172.29.36.49 auth-port 1612 key rad1
SwitchDevice(config)# radius-server host 172.20.36.50 acct-port 1618 key rad2

This example shows how to configure host1 as the RADIUS server and to use the default ports for both
authentication and accounting:

SwitchDevice(config)# radius-server host host1

Example: Using Two Different RADIUS Group Servers


In this example, the switch is configured to recognize two different RADIUS group servers (group1 and
group2). Group1 has two different host entries on the same RADIUS server configured for the same services.
The second host entry acts as a fail-over backup to the first entry.

SwitchDevice(config)# radius-server host 172.20.0.1 auth-port 1000 acct-port 1001
SwitchDevice(config)# radius-server host 172.10.0.1 auth-port 1645 acct-port 1646
SwitchDevice(config)# aaa new-model
SwitchDevice(config)# aaa group server radius group1
SwitchDevice(config-sg-radius)# server 172.20.0.1 auth-port 1000 acct-port 1001
SwitchDevice(config-sg-radius)# exit
SwitchDevice(config)# aaa group server radius group2
SwitchDevice(config-sg-radius)# server 172.20.0.1 auth-port 2000 acct-port 2001
SwitchDevice(config-sg-radius)# exit

Examples: Configuring the Switch to Use Vendor-Specific RADIUS Attributes


For example, this AV pair activates Cisco’s multiple named ip address pools feature during IP authorization
(during PPP IPCP address assignment):

cisco-avpair= "ip:addr-pool=first"

This example shows how to provide a user logging in from a switch with immediate access to privileged
EXEC commands:

cisco-avpair= "shell:priv-lvl=15"

This example shows how to specify an authorized VLAN in the RADIUS server database:

cisco-avpair= "tunnel-type(#64)=VLAN(13)"
cisco-avpair= "tunnel-medium-type(#65)=802 media(6)"
cisco-avpair= "tunnel-private-group-id(#81)=vlanid"

This example shows how to apply an input ACL in ASCII format to an interface for the duration of this
connection:

cisco-avpair= "ip:inacl#1=deny ip 10.10.10.10 0.0.255.255 20.20.20.20 255.255.0.0"
cisco-avpair= "ip:inacl#2=deny ip 10.10.10.10 0.0.255.255 any"
cisco-avpair= "mac:inacl#3=deny any any decnet-iv"

This example shows how to apply an output ACL in ASCII format to an interface for the duration of this
connection:

cisco-avpair= "ip:outacl#2=deny ip 10.10.10.10 0.0.255.255 any"
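Each cisco-avpair string above travels inside RADIUS attribute 26 (Vendor-Specific) with Cisco's vendor id 9 and vendor sub-type 1, laid out as RFC 2865 section 5.26 describes: Type, Length, a 4-byte Vendor-Id, then Vendor-Type, Vendor-Length and the string. The Python encoder and decoder below is added as an example (not Cisco or RFC reference code) to show that wire format and to split the protocol:name=value shape of the strings; it also skips a plain attribute and another vendor's VSA, and refuses malformed lengths instead of misparsing them. The User-Name value and the foreign VSA contents are constructed.

```python
import struct
from typing import List, Optional, Tuple

VENDOR_SPECIFIC = 26    # RADIUS attribute type for Vendor-Specific (RFC 2865 section 5.26)
CISCO_VENDOR_ID = 9     # IANA enterprise number for Cisco
CISCO_AVPAIR = 1        # Cisco vendor sub-type carrying "protocol:attr=value" strings


def encode_attr(attr_type: int, value: bytes) -> bytes:
    """Encode one plain RADIUS attribute as Type, Length, Value."""
    if len(value) > 253:
        raise ValueError("attribute value too long for one attribute")
    return struct.pack("!BB", attr_type, 2 + len(value)) + value


def encode_cisco_avpair(avpair: str) -> bytes:
    """Wrap one cisco-avpair string in a Vendor-Specific attribute."""
    value = avpair.encode("ascii")
    sub = struct.pack("!BB", CISCO_AVPAIR, 2 + len(value)) + value
    return encode_attr(VENDOR_SPECIFIC, struct.pack("!I", CISCO_VENDOR_ID) + sub)


def decode_cisco_avpairs(attrs: bytes) -> List[str]:
    """Walk a RADIUS attribute list and return every cisco-avpair string, in order.

    Other attribute types and other vendors' VSAs are skipped; inconsistent
    length fields raise rather than being silently misparsed.
    """
    found: List[str] = []
    i = 0
    while i < len(attrs):
        if i + 2 > len(attrs):
            raise ValueError("truncated attribute header")
        attr_type, attr_len = attrs[i], attrs[i + 1]
        if attr_len < 2 or i + attr_len > len(attrs):
            raise ValueError("bad attribute length")
        if attr_type == VENDOR_SPECIFIC and attr_len >= 6:
            vendor_id = struct.unpack("!I", attrs[i + 2:i + 6])[0]
            if vendor_id == CISCO_VENDOR_ID:
                j, end = i + 6, i + attr_len
                while j < end:
                    if j + 2 > end:
                        raise ValueError("truncated vendor sub-attribute")
                    sub_type, sub_len = attrs[j], attrs[j + 1]
                    if sub_len < 2 or j + sub_len > end:
                        raise ValueError("bad vendor sub-attribute length")
                    if sub_type == CISCO_AVPAIR:
                        found.append(attrs[j + 2:j + sub_len].decode("ascii"))
                    j += sub_len
        i += attr_len
    return found


def parse_avpair(avpair: str) -> Tuple[Optional[str], str, str]:
    """Split "protocol:name=value" into its parts; protocol is None when absent."""
    name, sep, value = avpair.partition("=")
    if not sep:
        raise ValueError(f"no '=' in {avpair!r}")
    protocol, psep, rest = name.partition(":")
    return (protocol, rest, value) if psep else (None, name, value)


def demo() -> List[Tuple[Optional[str], str, str]]:
    """Round-trip three of the page's AV pairs through a constructed attribute list."""
    pairs = [
        "shell:priv-lvl=15",
        "ip:inacl#1=deny ip 10.10.10.10 0.0.255.255 20.20.20.20 255.255.0.0",
        "tunnel-private-group-id(#81)=vlanid",
    ]
    attrs = encode_attr(1, b"jdoe")                       # User-Name, constructed
    # A VSA from another vendor (id 311), constructed; the decoder must skip it.
    attrs += encode_attr(VENDOR_SPECIFIC, struct.pack("!I", 311) + b"\x07\x03\x01")
    attrs += b"".join(encode_cisco_avpair(p) for p in pairs)
    decoded = decode_cisco_avpairs(attrs)
    assert decoded == pairs
    return [parse_avpair(p) for p in decoded]


if __name__ == "__main__":
    for protocol, name, value in demo():
        print(f"protocol={protocol!r} name={name!r} value={value!r}")
```

Note that the string itself is opaque to RADIUS; the switch, not the server, interprets shell:priv-lvl or ip:inacl#1, which is why the radius-server vsa send procedure has to be enabled for the attribute to have any effect.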

Example: Configuring the Switch for Vendor-Proprietary RADIUS Server Communication
This example shows how to specify a vendor-proprietary RADIUS host and to use a secret key of rad124
between the switch and the server:

SwitchDevice(config)# radius-server host 172.20.30.15 nonstandard
SwitchDevice(config)# radius-server key rad124

CHAPTER 53
Configuring Kerberos
• Finding Feature Information, on page 1231
• Prerequisites for Controlling Switch Access with Kerberos, on page 1231
• Information about Kerberos, on page 1232
• How to Configure Kerberos, on page 1235
• Monitoring the Kerberos Configuration, on page 1235

Finding Feature Information


Your software release may not support all the features documented in this module. For the latest caveats and
feature information, see Bug Search Tool and the release notes for your platform and software release. To
find information about the features documented in this module, and to see a list of the releases in which each
feature is supported, see the feature information table at the end of this module.
Use Cisco Feature Navigator to find information about platform support and Cisco software image support.
To access Cisco Feature Navigator, go to http://www.cisco.com/go/cfn. An account on Cisco.com is not
required.

Prerequisites for Controlling Switch Access with Kerberos


The following are the prerequisites for controlling switch access with Kerberos.
• So that remote users can authenticate to network services, you must configure the hosts and the KDC in
the Kerberos realm to communicate and mutually authenticate users and network services. To do this,
you must identify them to each other. You add entries for the hosts to the Kerberos database on the KDC
and add KEYTAB files generated by the KDC to all hosts in the Kerberos realm. You also create entries
for the users in the KDC database.
• A Kerberos server can be a switch that is configured as a network security server and that can authenticate
users by using the Kerberos protocol.

When you add or create entries for the hosts and users, follow these guidelines:
• The Kerberos principal name must be in all lowercase characters.
• The Kerberos instance name must be in all lowercase characters.
• The Kerberos realm name must be in all uppercase characters.
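A small Python checker, added here as an example and not part of Cisco's software, that parses the user[/instance]@REALM form used later in this chapter and reports which of the three naming guidelines an entry breaks. The principals it checks are constructed.

```python
from typing import Dict, List, NamedTuple, Optional


class Principal(NamedTuple):
    user: str
    instance: Optional[str]
    realm: str


def parse_principal(text: str) -> Principal:
    """Split user[/instance]@REALM into its parts; hypothetical helper, not IOS code."""
    name, sep, realm = text.rpartition("@")
    if not sep or not name or not realm:
        raise ValueError(f"expected user[/instance]@REALM, got {text!r}")
    user, isep, instance = name.partition("/")
    if not user or (isep and not instance):
        raise ValueError(f"empty principal or instance name in {text!r}")
    return Principal(user, instance if isep else None, realm)


def naming_problems(text: str) -> List[str]:
    """Return each guideline the entry violates; an empty list means it passes."""
    p = parse_principal(text)
    problems: List[str] = []
    if p.user != p.user.lower():
        problems.append("principal name must be all lowercase")
    if p.instance is not None and p.instance != p.instance.lower():
        problems.append("instance name must be all lowercase")
    if p.realm != p.realm.upper():
        problems.append("realm name must be all uppercase")
    return problems


def check_entries(entries: List[str]) -> Dict[str, List[str]]:
    """Check a batch of KDC entries before they are added to the database."""
    return {entry: naming_problems(entry) for entry in entries}


if __name__ == "__main__":
    # Constructed entries; EXAMPLE.COM is a placeholder realm.
    for entry, problems in check_entries(
        ["smith@EXAMPLE.COM", "smith/admin@EXAMPLE.COM", "Smith/Admin@example.com"]
    ).items():
        print(entry, "->", problems or "ok")
```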

Information about Kerberos


This section provides Kerberos information.

Kerberos and Switch Access


This section describes how to enable and configure the Kerberos security system, which authenticates requests
for network resources by using a trusted third party.

Note In the Kerberos configuration examples, the trusted third party can be any switch that supports Kerberos, that
is configured as a network security server, and that can authenticate users by using the Kerberos protocol.

Kerberos Overview
Kerberos is a secret-key network authentication protocol, which was developed at the Massachusetts Institute
of Technology (MIT). It uses the Data Encryption Standard (DES) cryptographic algorithm for encryption
and authentication and authenticates requests for network resources. Kerberos uses the concept of a trusted
third party to perform secure verification of users and services. This trusted third party is called the key
distribution center (KDC).
Kerberos verifies that users are who they claim to be and the network services that they use are what the
services claim to be. To do this, a KDC or trusted Kerberos server issues tickets to users. These tickets, which
have a limited life span, are stored in user credential caches. The Kerberos server uses the tickets instead of
user names and passwords to authenticate users and network services.

Note A Kerberos server can be any switch that is configured as a network security server and that can authenticate
users by using the Kerberos protocol.

The Kerberos credential scheme uses a process called single logon. This process authenticates a user once
and then allows secure authentication (without encrypting another password) wherever that user credential is
accepted.
This software release supports Kerberos 5, which allows organizations that are already using Kerberos 5 to
use the same Kerberos authentication database on the KDC that they are already using on their other network
hosts (such as UNIX servers and PCs).
Kerberos supports these network services:
• Telnet
• rlogin
• rsh

This table lists the common Kerberos-related terms and definitions.

Table 136: Kerberos Terms

Term Definition

Authentication A process by which a user or service identifies itself to another service. For example, a
client can authenticate to a switch or a switch can authenticate to another switch.

Authorization A means by which the switch identifies what privileges the user has in a network or on
the switch and what actions the user can perform.

Credential A general term that refers to authentication tickets, such as TGTs (ticket granting tickets) and service credentials.
Kerberos credentials verify the identity of a user or service. If a network service decides
to trust the Kerberos server that issued a ticket, it can be used in place of re-entering a
username and password. Credentials have a default life span of eight hours.

Instance An authorization level label for Kerberos principals. Most Kerberos principals are of the
form user@REALM (for example, [email protected]). A Kerberos principal with
a Kerberos instance has the form user/instance@REALM (for example,
smith/[email protected]). The Kerberos instance can be used to specify the
authorization level for the user if authentication is successful. The server of each network
service might implement and enforce the authorization mappings of Kerberos instances
but is not required to do so.
Note The Kerberos principal and instance names must be in all lowercase characters.

Note The Kerberos realm name must be in all uppercase characters.

KDC Key distribution center that consists of a Kerberos server and database program that is
running on a network host.

Kerberized A term that describes applications and services that have been modified to support the
Kerberos credential infrastructure.

Kerberos realm A domain consisting of users, hosts, and network services that are registered to a Kerberos
server. The Kerberos server is trusted to verify the identity of a user or network service
to another user or network service.
Note The Kerberos realm name must be in all uppercase characters.

Kerberos server A daemon that is running on a network host. Users and network services register their
identity with the Kerberos server. Network services query the Kerberos server to
authenticate to other network services.

KEYTAB (key table) A password that a network service shares with the KDC. In Kerberos 5 and later Kerberos
versions, the network service authenticates an encrypted service credential by using the
KEYTAB to decrypt it. In Kerberos versions earlier than Kerberos 5, KEYTAB is referred
to as SRVTAB (server table).

Principal Also known as a Kerberos identity, this is who you are or what a service is according to
the Kerberos server.
Note The Kerberos principal name must be in all lowercase characters.

Service credential A credential for a network service. When issued from the KDC, this credential is encrypted
with the password shared by the network service and the KDC. The password is also
shared with the user TGT.

SRVTAB A password that a network service shares with the KDC. In Kerberos 5 or later Kerberos
versions, SRVTAB is referred to as KEYTAB.

TGT Ticket granting ticket that is a credential that the KDC issues to authenticated users. When
users receive a TGT, they can authenticate to network services within the Kerberos realm
represented by the KDC.
11
ticket granting ticket
12
key distribution center
13
key table
14
server table

Kerberos Operation
A Kerberos server can be a switch that is configured as a network security server and that can authenticate
remote users by using the Kerberos protocol. Although you can customize Kerberos in a number of ways,
remote users attempting to access network services must pass through three layers of security before they can
access network services.
To authenticate to network services by using a switch as a Kerberos server, remote users must follow these
steps:

Authenticating to a Boundary Switch


This section describes the first layer of security through which a remote user must pass. The user must first
authenticate to the boundary switch. This process then occurs:
1. The user opens an un-Kerberized Telnet connection to the boundary switch.
2. The switch prompts the user for a username and password.
3. The switch requests a TGT from the KDC for this user.
4. The KDC sends an encrypted TGT that includes the user identity to the switch.
5. The switch attempts to decrypt the TGT by using the password that the user entered.
• If the decryption is successful, the user is authenticated to the switch.
• If the decryption is not successful, the user repeats Step 2 either by re-entering the username and
password (noting if Caps Lock or Num Lock is on or off) or by entering a different username and
password.

A remote user who initiates an un-Kerberized Telnet session and authenticates to a boundary switch is inside
the firewall, but the user must still authenticate directly to the KDC before getting access to the network
services. The user must authenticate to the KDC because the TGT that the KDC issues is stored on the switch
and cannot be used for additional authentication until the user logs on to the switch.


Obtaining a TGT from a KDC


This section describes the second layer of security through which a remote user must pass. The user must now
authenticate to a KDC and obtain a TGT from the KDC to access network services.
For instructions about how to authenticate to a KDC, see the “Obtaining a TGT from a KDC” section in the
“Security Server Protocols” chapter of the Cisco IOS Security Configuration Guide, Release 12.4.

Authenticating to Network Services


This section describes the third layer of security through which a remote user must pass. The user with a TGT
must now authenticate to the network services in a Kerberos realm.
For instructions about how to authenticate to a network service, see the “Authenticating to Network Services”
section in the “Security Server Protocols” chapter of the Cisco IOS Security Configuration Guide, Release 12.4.

How to Configure Kerberos


To set up a Kerberos-authenticated server-client system, follow these steps:
• Configure the KDC by using Kerberos commands.
• Configure the switch to use the Kerberos protocol.
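The two steps above are not expanded in this guide. The following is an added example, not taken from the guide, of a boundary switch configured for the first layer described under Kerberos Operation: Telnet logins are authenticated by requesting a TGT from the KDC with the password the user entered. The kerberos and krb5 commands come from the Cisco IOS Kerberos feature set documented in the "Security Server Protocols" chapter referenced above, not from this page; the realm EXAMPLE.COM, the addresses 192.0.2.10 and 192.0.2.20 and the srvtab filename are placeholders.

```cisco
! Added example (not from the guide): switch as a Kerberos client ("boundary switch").
! Realm, KDC/TFTP addresses and the srvtab filename are placeholders.
SwitchDevice# configure terminal
SwitchDevice(config)# aaa new-model
! Realm names are uppercase; DNS domain names and hostnames are lowercase (see the Notes above).
SwitchDevice(config)# kerberos local-realm EXAMPLE.COM
SwitchDevice(config)# kerberos realm example.com EXAMPLE.COM
SwitchDevice(config)# kerberos server EXAMPLE.COM 192.0.2.10
! Load the switch's own service key (KEYTAB/SRVTAB) from a TFTP server.
SwitchDevice(config)# kerberos srvtab remote 192.0.2.20 sw1-srvtab
! Forward the user's TGT to Kerberized services the user opens from the switch.
SwitchDevice(config)# kerberos credentials forward
! Login method krb5: the switch requests a TGT and decrypts it with the entered password (Step 3 to Step 5 above).
SwitchDevice(config)# aaa authentication login default krb5
SwitchDevice(config)# end
! After a user has logged in, the TGT held on the switch for that user is listed here.
SwitchDevice# show kerberos creds
SwitchDevice# copy running-config startup-config
```

The srvtab file is the switch's long-term key; copy it over a trusted path only, and clear cached credentials with clear kerberos creds when a session ends on a shared terminal.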

Monitoring the Kerberos Configuration


To display the Kerberos configuration, use the following commands:
• show running-config
• show kerberos creds: Lists the credentials in a current user’s credentials cache.
• clear kerberos creds: Destroys all credentials in a current user’s credentials cache, including those
forwarded.

CHAPTER 54
Configuring Local Authentication and
Authorization
• Finding Feature Information, on page 1237
• How to Configure Local Authentication and Authorization, on page 1237
• Monitoring Local Authentication and Authorization, on page 1240

Finding Feature Information


Your software release may not support all the features documented in this module. For the latest caveats and
feature information, see Bug Search Tool and the release notes for your platform and software release. To
find information about the features documented in this module, and to see a list of the releases in which each
feature is supported, see the feature information table at the end of this module.
Use Cisco Feature Navigator to find information about platform support and Cisco software image support.
To access Cisco Feature Navigator, go to http://www.cisco.com/go/cfn. An account on Cisco.com is not
required.

How to Configure Local Authentication and Authorization


Configuring the Switch for Local Authentication and Authorization
You can configure AAA to operate without a server by setting the switch to implement AAA in local mode.
The switch then handles authentication and authorization. No accounting is available in this configuration.

Note To secure the switch for HTTP access by using AAA methods, you must configure the switch with the ip
http authentication aaa global configuration command. Configuring AAA authentication does not secure
the switch for HTTP access by using AAA methods.

Follow these steps to configure AAA to operate without a server by setting the switch to implement AAA in
local mode:


SUMMARY STEPS
1. enable
2. configure terminal
3. aaa new-model
4. aaa authentication login default local
5. aaa authorization exec default local
6. aaa authorization network default local
7. username name [privilege level] {password encryption-type password}
8. end
9. show running-config
10. copy running-config startup-config

DETAILED STEPS

Step 1 enable
Enables privileged EXEC mode. Enter your password if prompted.
Example:
SwitchDevice> enable

Step 2 configure terminal
Enters the global configuration mode.
Example:
SwitchDevice# configure terminal

Step 3 aaa new-model
Enables AAA.
Example:
SwitchDevice(config)# aaa new-model

Step 4 aaa authentication login default local
Sets the login authentication to use the local username database. The default keyword applies the local user database authentication to all ports.
Example:
SwitchDevice(config)# aaa authentication login default local

Step 5 aaa authorization exec default local
Configures user AAA authorization to check the local database and allow the user to run an EXEC shell. The method list must be named; default applies it to all lines.
Example:
SwitchDevice(config)# aaa authorization exec default local

Step 6 aaa authorization network default local
Configures user AAA authorization for all network-related service requests, again checking the local database.
Example:
SwitchDevice(config)# aaa authorization network default local

Step 7 username name [privilege level] {password encryption-type password}
Enters the local database, and establishes a username-based authentication system. Repeat this command for each user.
• For name, specify the user ID as one word. Spaces and quotation marks are not allowed.
• (Optional) For level, specify the privilege level the user has after gaining access. The range is 0 to 15. Level 15 gives privileged EXEC mode access. Level 0 gives user EXEC mode access.
• For encryption-type, enter 0 to specify that an unencrypted password follows. Enter 7 to specify that a hidden password follows. Type 7 is a reversible obfuscation, not a hash: anyone who can read the configuration can recover the password, so protect configuration files and backups accordingly.
• For password, specify the password the user must enter to gain access to the switch. The password must be from 1 to 25 characters, can contain embedded spaces, and must be the last option specified in the username command.
Example:
SwitchDevice(config)# username your_user_name privilege 1 password 7 secret567

Step 8 end
Returns to privileged EXEC mode.
Example:
SwitchDevice(config)# end

Step 9 show running-config
Verifies your entries.
Example:
SwitchDevice# show running-config
Step 10 copy running-config startup-config (Optional) Saves your entries in the configuration file.
Example:

SwitchDevice# copy running-config startup-config
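The procedure above, collected into one configuration, as an added example that is not part of the guide. It goes beyond the procedure in one respect: the accounts are created with the secret keyword, which stores a one-way hash, instead of password 7, and the web interface is tied to the same AAA method as the Note at the start of this section requires. Usernames, passwords and the idle timeout are placeholders.

```cisco
! Added example (not from the guide): AAA in local mode, no external server.
! Usernames and passwords are placeholders.
SwitchDevice# configure terminal
SwitchDevice(config)# aaa new-model
! "default" is the method-list name; it applies to every login line.
SwitchDevice(config)# aaa authentication login default local
SwitchDevice(config)# aaa authorization exec default local
SwitchDevice(config)# aaa authorization network default local
! Two accounts: a level-15 administrator and a level-1 operator.
! "secret" stores a one-way hash; "password 7" (as in Step 7 above) is a
! reversible obfuscation and should not be used for new accounts.
SwitchDevice(config)# username netadmin privilege 15 secret Adm1n-Pl4ceholder
SwitchDevice(config)# username operator privilege 1 secret Oper-Pl4ceholder
! Protect the web interface with the same AAA method (see the Note above).
SwitchDevice(config)# ip http authentication aaa
! Drop idle CLI sessions after 10 minutes on all VTY lines.
SwitchDevice(config)# line vty 0 15
SwitchDevice(config-line)# exec-timeout 10 0
SwitchDevice(config-line)# end
! Verify only the relevant lines of the running configuration.
SwitchDevice# show running-config | include ^aaa |^username |^ip http
SwitchDevice# copy running-config startup-config
```

No accounting is available in this mode, so there is no record of who ran which command; if that matters, use the TACACS+ or RADIUS procedures in the chapters referenced under Related Topics.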

Related Topics
SSH Servers, Integrated Clients, and Supported Versions, on page 1243
TACACS+ and Switch Access, on page 1173
RADIUS and Switch Access, on page 1187
Setting Up the SwitchDevice to Run SSH, on page 1245
SSH Configuration Guidelines, on page 1243

Monitoring Local Authentication and Authorization


To display Local Authentication and Authorization configuration, use the show running-config privileged
EXEC command.

CHAPTER 55
Configuring Secure Shell (SSH)
• Finding Feature Information, on page 1241
• Prerequisites for Configuring Secure Shell, on page 1241
• Restrictions for Configuring Secure Shell, on page 1242
• Information about SSH, on page 1242
• How to Configure SSH, on page 1245
• Monitoring the SSH Configuration and Status, on page 1249

Finding Feature Information


Your software release may not support all the features documented in this module. For the latest caveats and
feature information, see Bug Search Tool and the release notes for your platform and software release. To
find information about the features documented in this module, and to see a list of the releases in which each
feature is supported, see the feature information table at the end of this module.
Use Cisco Feature Navigator to find information about platform support and Cisco software image support.
To access Cisco Feature Navigator, go to http://www.cisco.com/go/cfn. An account on Cisco.com is not
required.

Prerequisites for Configuring Secure Shell


The following are the prerequisites for configuring the switch for secure shell (SSH):
• For SSH to work, the switch needs a Rivest, Shamir, and Adleman (RSA) public/private key pair. The same applies to Secure Copy Protocol (SCP), which relies on SSH for its secure transport.
• Before enabling SCP, you must correctly configure SSH, authentication, and authorization on the switch.
• SCP requires that authentication, authorization, and accounting (AAA) authorization be configured so the switch can determine whether the user has the correct privilege level.
• A user who has appropriate authorization can use SCP to copy any file in the Cisco IOS File System (IFS) to and from a switch by using the copy command. An authorized administrator can also do this from a workstation.
• The Secure Shell (SSH) server requires an IPsec (Data Encryption Standard [DES] or 3DES) encryption software image; the SSH client requires an IPsec (DES or 3DES) encryption software image.
• Configure a hostname and host domain for your device by using the hostname and ip domain-name commands in global configuration mode.
Related Topics
Secure Copy Protocol, on page 1244
Related Topics
Secure Copy Protocol, on page 1244

Restrictions for Configuring Secure Shell


The following are restrictions for configuring the SwitchDevice for secure shell.
• The switch supports Rivest, Shamir, and Adleman (RSA) authentication.
• SSH supports only the execution-shell application.
• The SSH server and the SSH client are supported only on Data Encryption Standard (DES) (56-bit) and
3DES (168-bit) data encryption software. In DES software images, DES is the only encryption algorithm
available. In 3DES software images, both DES and 3DES encryption algorithms are available.
• The SwitchDevice supports the Advanced Encryption Standard (AES) encryption algorithm with a 128-bit
key, 192-bit key, or 256-bit key. However, symmetric cipher AES to encrypt the keys is not supported.
• This software release does not support IP Security (IPSec).
• When using SCP, you cannot enter the password into the copy command. You must enter the password
when prompted.
• The login banner is not supported in Secure Shell Version 1. It is supported in Secure Shell Version 2.
• The -l keyword and userid :{number} {ip-address} delimiter and arguments are mandatory when
configuring the alternative method of Reverse SSH for console access.
Related Topics
Secure Copy Protocol, on page 1244

Information about SSH


Secure Shell (SSH) is a protocol that provides a secure, remote connection to a device. SSH provides more
security for remote connections than Telnet does by providing strong encryption when a device is authenticated.
This software release supports SSH Version 1 (SSHv1) and SSH Version 2 (SSHv2). SSHv1 has known protocol
weaknesses, so run the server as SSHv2 only (ip ssh version 2) unless a legacy client leaves no alternative.

SSH and Switch Access


SSH functions the same in IPv6 as in IPv4. For IPv6, SSH supports IPv6 addresses and enables secure,
encrypted connections with remote IPv6 nodes over an IPv6 transport.

SSH Servers, Integrated Clients, and Supported Versions


The Secure Shell (SSH) Integrated Client feature is an application that runs over the SSH protocol to provide
device authentication and encryption. The SSH client enables a Cisco device to make a secure, encrypted
connection to another Cisco device or to any other device running the SSH server. This connection provides
functionality similar to that of an outbound Telnet connection except that the connection is encrypted. With
authentication and encryption, the SSH client allows for secure communication over an unsecured network.
The SSH server and SSH integrated client are applications that run on the switch. The SSH server works with
the SSH client supported in this release and with non-Cisco SSH clients. The SSH client works with publicly
and commercially available SSH servers. The SSH client supports the ciphers of Data Encryption Standard
(DES), 3DES, and password authentication.
The switch supports an SSHv1 or an SSHv2 server.
The switch supports an SSHv1 client.

Note The SSH client functionality is available only when the SSH server is enabled.

User authentication is performed like that in the Telnet session to the device. SSH also supports the following
user authentication methods:
• TACACS+
• RADIUS
• Local authentication and authorization

Related Topics
Configuring the Switch for Local Authentication and Authorization, on page 1237
TACACS+ and Switch Access, on page 1173
RADIUS and Switch Access, on page 1187

SSH Configuration Guidelines


Follow these guidelines when configuring the switch as an SSH server or SSH client:
• An RSA key pair generated by an SSHv1 server can be used by an SSHv2 server, and the reverse.
• If the SSH server is running on a stack master and the stack master fails, the new stack master uses the
RSA key pair generated by the previous stack master.
• If you get CLI error messages after entering the crypto key generate rsa global configuration command,
an RSA key pair has not been generated. Reconfigure the hostname and domain, and then enter the crypto
key generate rsa command. For more information, see Related Topics below.
• When generating the RSA key pair, the message No host name specified might appear. If it does, you
must configure a hostname by using the hostname global configuration command.

• When generating the RSA key pair, the message No domain specified might appear. If it does, you must
configure an IP domain name by using the ip domain-name global configuration command.
• When configuring the local authentication and authorization method, make sure that AAA
is disabled on the console.

Related Topics
Setting Up the SwitchDevice to Run SSH, on page 1245
Configuring the Switch for Local Authentication and Authorization, on page 1237

Secure Copy Protocol Overview


The Secure Copy Protocol (SCP) feature provides a secure and authenticated method for copying switch
configurations or switch image files. SCP relies on Secure Shell (SSH), an application and a protocol that
provides a secure replacement for the Berkeley r-tools.
For SSH to work, the switch needs an RSA public/private key pair. This is the same with SCP, which relies
on SSH for its secure transport.
Because SSH also relies on AAA authentication, and SCP relies further on AAA authorization, correct
configuration is necessary.
• Before enabling SCP, you must correctly configure SSH, authentication, and authorization on the switch.
• Because SCP relies on SSH for its secure transport, the switch must have a Rivest, Shamir, and Adleman
(RSA) key pair.

Note When using SCP, you cannot enter the password into the copy command. You must enter the password when
prompted.

Secure Copy Protocol


The Secure Copy Protocol (SCP) feature provides a secure and authenticated method for copying switch
configurations or switch image files. The behavior of SCP is similar to that of remote copy (rcp), which comes
from the Berkeley r-tools suite, except that SCP relies on SSH for security. SCP also requires that authentication,
authorization, and accounting (AAA) authorization be configured so the switch can determine whether the
user has the correct privilege level. To configure the Secure Copy feature, you should understand the SCP
concepts.
Related Topics
Prerequisites for Configuring Secure Shell, on page 1241
Restrictions for Configuring Secure Shell, on page 1242

How to Configure SSH


Setting Up the SwitchDevice to Run SSH
Follow these steps to set up your SwitchDevice to run SSH:

Before you begin


Configure user authentication for local or remote access. This step is required. For more information, see
Related Topics below.

SUMMARY STEPS
1. enable
2. configure terminal
3. hostname hostname
4. ip domain-name domain_name
5. crypto key generate rsa
6. end
7. show running-config
8. copy running-config startup-config

DETAILED STEPS

Step 1 enable
Enables privileged EXEC mode. Enter your password if prompted.
Example:
SwitchDevice> enable

Step 2 configure terminal
Enters the global configuration mode.
Example:
SwitchDevice# configure terminal

Step 3 hostname hostname
Configures a hostname for your SwitchDevice.
Note Follow this procedure only if you are configuring the SwitchDevice as an SSH server.
Example:
SwitchDevice(config)# hostname your_hostname

Step 4 ip domain-name domain_name
Configures a host domain for your SwitchDevice. The hostname and domain name together form the name under which the RSA key pair is stored.
Example:
SwitchDevice(config)# ip domain-name your_domain

Step 5 crypto key generate rsa
Enables the SSH server for local and remote authentication on the SwitchDevice and generates an RSA key pair. Generating an RSA key pair for the SwitchDevice automatically enables SSH.
When you generate RSA keys, you are prompted to enter a modulus length. We recommend a minimum modulus size of 1024 bits; 2048 bits is the usual choice today. A longer modulus is more secure, but it takes longer to generate and to use.
Note Follow this procedure only if you are configuring the SwitchDevice as an SSH server.
Example:
SwitchDevice(config)# crypto key generate rsa

Step 6 end
Returns to privileged EXEC mode.
Example:
SwitchDevice(config)# end

Step 7 show running-config
Verifies your entries.
Example:
SwitchDevice# show running-config
Step 8 copy running-config startup-config (Optional) Saves your entries in the configuration file.
Example:

SwitchDevice# copy running-config startup-config

Related Topics
SSH Configuration Guidelines, on page 1243
Configuring the Switch for Local Authentication and Authorization, on page 1237

Configuring the SSH Server


Follow these steps to configure the SSH server:

Note This procedure is only required if you are configuring the SwitchDevice as an SSH server.

SUMMARY STEPS
1. enable
2. configure terminal
3. ip ssh version [1 | 2]
4. ip ssh {time-out seconds | authentication-retries number}
5. Use one or both of the following:
• line vty line_number [ending_line_number]
• transport input ssh
6. end
7. show running-config
8. copy running-config startup-config

DETAILED STEPS

Step 1 enable
Enables privileged EXEC mode. Enter your password if prompted.
Example:
SwitchDevice> enable

Step 2 configure terminal
Enters the global configuration mode.
Example:
SwitchDevice# configure terminal

Step 3 ip ssh version [1 | 2]
(Optional) Configures the SwitchDevice to run SSH Version 1 or SSH Version 2.
• 1—Configure the SwitchDevice to run SSH Version 1.
• 2—Configure the SwitchDevice to run SSH Version 2.
If you do not enter this command or do not specify a keyword, the SSH server selects the latest SSH version supported by the SSH client. For example, if the SSH client supports SSHv1 and SSHv2, the SSH server selects SSHv2. A client that offers only SSHv1 is then served SSHv1, so configure ip ssh version 2 to reject SSHv1 clients.
Example:
SwitchDevice(config)# ip ssh version 2

Step 4 ip ssh {time-out seconds | authentication-retries number}
Configures the SSH control parameters. The two parameters are separate commands; repeat this step when configuring both.
• Specify the time-out value in seconds; the default is 120 seconds. The range is 0 to 120 seconds. This parameter applies to the SSH negotiation phase. After the connection is established, the SwitchDevice uses the default time-out values of the CLI-based sessions. By default, up to five simultaneous, encrypted SSH connections for multiple CLI-based sessions over the network are available (session 0 to session 4). After the execution shell starts, the CLI-based session time-out value returns to the default of 10 minutes.
• Specify the number of times that a client can re-authenticate to the server. The default is 3; the range is 0 to 5.
Example:
SwitchDevice(config)# ip ssh time-out 90
SwitchDevice(config)# ip ssh authentication-retries 2

Step 5 Use one or both of the following:
• line vty line_number [ending_line_number]
• transport input ssh
(Optional) Configures the virtual terminal line settings.
• line vty enters line configuration mode to configure the virtual terminal line settings. For line_number and ending_line_number, specify a pair of lines. The range is 0 to 15.
• transport input ssh specifies that the SwitchDevice prevent non-SSH Telnet connections. This limits the switch to only SSH connections on those lines.
Example:
SwitchDevice(config)# line vty 1 10
SwitchDevice(config-line)# transport input ssh

Step 6 end
Returns to privileged EXEC mode.
Example:
SwitchDevice(config-line)# end

Step 7 show running-config
Verifies your entries.
Example:
SwitchDevice# show running-config
Step 8 copy running-config startup-config (Optional) Saves your entries in the configuration file.
Example:

SwitchDevice# copy running-config startup-config
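The two procedures above (Setting Up the SwitchDevice to Run SSH and Configuring the SSH Server) combined into one hardened configuration, as an added example that is not part of the guide. It assumes that local authentication and authorization have already been configured as described in the previous chapter. The hostname access-sw1, the domain example.net, the 2048-bit modulus (entered on the command line so that the interactive prompt is skipped) and the timer values are choices made for this example, not defaults.

```cisco
! Added example (not from the guide): SSHv2-only server with every VTY line on SSH.
! Hostname, domain, modulus and timer values are placeholders/choices.
SwitchDevice# configure terminal
! Hostname and domain are required before the key pair can be generated.
SwitchDevice(config)# hostname access-sw1
access-sw1(config)# ip domain-name example.net
! Generate a 2048-bit RSA key pair; this also enables the SSH server.
access-sw1(config)# crypto key generate rsa modulus 2048
! Refuse SSHv1 clients outright instead of negotiating down to them.
access-sw1(config)# ip ssh version 2
! Abort negotiations that stall, and allow only two authentication attempts.
access-sw1(config)# ip ssh time-out 60
access-sw1(config)# ip ssh authentication-retries 2
! Cover all 16 VTY lines (0 to 15) so that no line is left accepting Telnet.
access-sw1(config)# line vty 0 15
access-sw1(config-line)# transport input ssh
access-sw1(config-line)# exec-timeout 10 0
access-sw1(config-line)# end
! Verify: "show ip ssh" should report version 2.0 and the timers just set;
! "show ssh" lists active sessions.
access-sw1# show ip ssh
access-sw1# show ssh
access-sw1# copy running-config startup-config
```

Using line vty 0 15 rather than a subset (the procedure's example covers lines 1 to 10) matters because any line left with the default transport still accepts Telnet, which sends the login credentials in the clear.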

Monitoring the SSH Configuration and Status


This table displays the SSH server configuration and status.

Table 137: Commands for Displaying the SSH Server Configuration and Status

Command Purpose

show ip Shows the version and configuration information for the SSH server.
ssh

show ssh Shows the status of the SSH server.

CHAPTER 56
Configuring Secure Socket Layer HTTP
• Finding Feature Information, on page 1251
• Information about Secure Sockets Layer (SSL) HTTP, on page 1251
• How to Configure Secure HTTP Servers and Clients, on page 1254
• Monitoring Secure HTTP Server and Client Status, on page 1260

Finding Feature Information


Your software release may not support all the features documented in this module. For the latest caveats and
feature information, see Bug Search Tool and the release notes for your platform and software release. To
find information about the features documented in this module, and to see a list of the releases in which each
feature is supported, see the feature information table at the end of this module.
Use Cisco Feature Navigator to find information about platform support and Cisco software image support.
To access Cisco Feature Navigator, go to http://www.cisco.com/go/cfn. An account on Cisco.com is not
required.

Information about Secure Sockets Layer (SSL) HTTP


Secure HTTP Servers and Clients Overview
On a secure HTTP connection, data to and from an HTTP server is encrypted before being sent over the
Internet. HTTP with SSL encryption provides a secure connection to allow such functions as configuring a
switch from a Web browser. Cisco's implementation of the secure HTTP server and secure HTTP client uses
an implementation of SSL Version 3.0 with application-layer encryption. HTTP over SSL is abbreviated as
HTTPS; the URL of a secure connection begins with https:// instead of http://.

Note SSL evolved into Transport Layer Security (TLS) in 1999, but is still used in this particular context.

The primary role of the HTTP secure server (the switch) is to listen for HTTPS requests on a designated port
(the default HTTPS port is 443) and pass the request to the HTTP 1.1 Web server. The HTTP 1.1 server
processes requests and passes responses (pages) back to the HTTP secure server, which, in turn, responds to
the original request.

The primary role of the HTTP secure client (the web browser) is to respond to Cisco IOS application requests
for HTTPS User Agent services, perform HTTPS User Agent services for the application, and pass the response
back to the application.

Certificate Authority Trustpoints


Certificate authorities (CAs) manage certificate requests and issue certificates to participating network devices.
These services provide centralized security key and certificate management for the participating devices.
Specific CA servers are referred to as trustpoints.
When a connection attempt is made, the HTTPS server provides a secure connection by issuing a certified
X.509v3 certificate, obtained from a specified CA trustpoint, to the client. The client (usually a Web browser),
in turn, has a public key that allows it to authenticate the certificate.
For secure HTTP connections, we highly recommend that you configure a CA trustpoint. If a CA trustpoint
is not configured for the device running the HTTPS server, the server certifies itself and generates the needed
RSA key pair. Because a self-certified (self-signed) certificate does not provide adequate security, the connecting
client generates a notification that the certificate is self-certified, and the user has the opportunity to accept
or reject the connection. This option is useful for internal network topologies (such as testing).
If you do not configure a CA trustpoint, when you enable a secure HTTP connection, either a temporary or
a persistent self-signed certificate for the secure HTTP server (or client) is automatically generated.
• If the switch is not configured with a hostname and a domain name, a temporary self-signed certificate
is generated. If the switch reboots, any temporary self-signed certificate is lost, and a new temporary
self-signed certificate is assigned.
• If the switch has been configured with a host and domain name, a persistent self-signed certificate is
generated. This certificate remains active if you reboot the switch or if you disable the secure HTTP
server so that it will be there the next time you re-enable a secure HTTP connection.

Note The certificate authorities and trustpoints must be configured on each device individually. Copying them from
other devices makes them invalid on the switch.

If a self-signed certificate has been generated, this information is included in the output of the show
running-config privileged EXEC command. This is a partial sample output from that command displaying
a self-signed certificate.

SwitchDevice# show running-config


Building configuration...

<output truncated>

crypto pki trustpoint TP-self-signed-3080755072


enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-3080755072
revocation-check none
rsakeypair TP-self-signed-3080755072
!
!
crypto ca certificate chain TP-self-signed-3080755072
certificate self-signed 01
3082029F 30820208 A0030201 02020101 300D0609 2A864886 F70D0101 04050030
59312F30 2D060355 04031326 494F532D 53656C66 2D536967 6E65642D 43657274
69666963 6174652D 33303830 37353530 37323126 30240609 2A864886 F70D0109
02161743 45322D33 3535302D 31332E73 756D6D30 342D3335 3530301E 170D3933
30333031 30303030 35395A17 0D323030 31303130 30303030 305A3059 312F302D

<output truncated>

You can remove this self-signed certificate by disabling the secure HTTP server and entering the no crypto
pki trustpoint TP-self-signed-3080755072 global configuration command. If you later re-enable a secure
HTTP server, a new self-signed certificate is generated.

Note The values that follow TP self-signed depend on the serial number of the device.

You can use an optional command (ip http secure-client-auth) to allow the HTTPS server to request an
X.509v3 certificate from the client. Authenticating the client provides more security than server authentication
by itself.
For additional information on Certificate Authorities, see the “Configuring Certification Authority
Interoperability” chapter in the Cisco IOS Security Configuration Guide, Release 12.4.
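The recommendation above is to use a CA trustpoint rather than the self-signed certificate. The following is an added example, not taken from the guide, of that setup: a dedicated key pair and trustpoint enrolled with a CA over SCEP, bound to the HTTPS server, with plain HTTP disabled and AAA required. The CA URL ca.example.net, the trustpoint name CORP-CA, the key label HTTPS-KEY and the hostname are placeholders; crypto pki authenticate and crypto pki enroll are interactive (fingerprint confirmation and challenge password) and their prompts are not shown. The ip http secure-ciphersuite keywords are assumed from the CipherSuites list that follows and should be checked with ? on the target release.

```cisco
! Added example (not from the guide): HTTPS with a CA-issued certificate.
! CA URL, trustpoint name, key label and hostname are placeholders.
SwitchDevice# configure terminal
SwitchDevice(config)# hostname access-sw1
access-sw1(config)# ip domain-name example.net
! Separate 2048-bit key pair for the web server, referenced by label.
access-sw1(config)# crypto key generate rsa label HTTPS-KEY modulus 2048
access-sw1(config)# crypto pki trustpoint CORP-CA
access-sw1(ca-trustpoint)# enrollment url http://ca.example.net:80
access-sw1(ca-trustpoint)# subject-name cn=access-sw1.example.net
access-sw1(ca-trustpoint)# rsakeypair HTTPS-KEY
! Revocation checking applies to peer (client) certificates; use crl here if
! ip http secure-client-auth is enabled.
access-sw1(ca-trustpoint)# revocation-check none
access-sw1(ca-trustpoint)# exit
! Fetch and verify the CA certificate, then request the switch certificate (interactive).
access-sw1(config)# crypto pki authenticate CORP-CA
access-sw1(config)# crypto pki enroll CORP-CA
! Bind the trustpoint to the HTTPS server, require AAA, and drop plain HTTP.
access-sw1(config)# ip http secure-trustpoint CORP-CA
access-sw1(config)# ip http secure-server
access-sw1(config)# ip http authentication aaa
access-sw1(config)# no ip http server
! Restrict the offered suites to AES (keywords assumed; verify with "?").
access-sw1(config)# ip http secure-ciphersuite dhe-aes-128-cbc-sha dhe-aes-256-cbc-sha aes-128-cbc-sha aes-256-cbc-sha
access-sw1(config)# end
access-sw1# show ip http server secure status
```

After enrollment, the trustpoint must be configured on each switch individually, as the Note above says; copying the trustpoint and key material between devices is not supported.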

CipherSuites
A CipherSuite specifies the key exchange, the encryption algorithm, and the digest algorithm to use on an SSL
connection. When connecting to the HTTPS server, the client Web browser offers a list of supported
CipherSuites, and the client and server negotiate the strongest CipherSuite on that list that both of them
support. For example, Netscape Communicator 4.76 supports U.S. security with RSA Public Key Cryptography,
MD2, MD5, RC2-CBC, RC4, DES-CBC, and DES-EDE3-CBC.
For the best possible encryption, you should use a client browser that supports 128-bit encryption, such as
Microsoft Internet Explorer Version 5.5 (or later) or Netscape Communicator Version 4.76 (or later). The
SSL_RSA_WITH_DES_CBC_SHA CipherSuite provides less security than the other CipherSuites, as it does
not offer 128-bit encryption.
The more secure and more complex CipherSuites require slightly more processing time. This list defines the
CipherSuites supported by the switch and ranks them from fastest to slowest in terms of switch processing
load (speed):
1. SSL_RSA_WITH_DES_CBC_SHA—RSA key exchange (RSA Public Key Cryptography) with DES-CBC for
message encryption and SHA for message digest
2. SSL_RSA_WITH_NULL_SHA—RSA key exchange with NULL (no) message encryption and SHA for message
digest (only for SSL 3.0).
3. SSL_RSA_WITH_NULL_MD5—RSA key exchange with NULL (no) message encryption and MD5 for message
digest (only for SSL 3.0).
4. SSL_RSA_WITH_RC4_128_MD5—RSA key exchange with RC4 128-bit encryption and MD5 for message
digest
5. SSL_RSA_WITH_RC4_128_SHA—RSA key exchange with RC4 128-bit encryption and SHA for message
digest
6. SSL_RSA_WITH_3DES_EDE_CBC_SHA—RSA key exchange with 3DES (DES-EDE3-CBC) for message
encryption and SHA for message digest
7. SSL_RSA_WITH_AES_128_CBC_SHA—RSA key exchange with AES 128-bit encryption and SHA for message
digest (only for SSL 3.0).
8. SSL_RSA_WITH_AES_256_CBC_SHA—RSA key exchange with AES 256-bit encryption and SHA for message
digest (only for SSL 3.0).
9. SSL_RSA_WITH_DHE_AES_128_CBC_SHA—ephemeral Diffie-Hellman (DHE) key exchange, authenticated
with RSA and providing forward secrecy, with AES 128-bit encryption and SHA for message digest (only for
SSL 3.0).
10. SSL_RSA_WITH_DHE_AES_256_CBC_SHA—ephemeral Diffie-Hellman (DHE) key exchange, authenticated
with RSA and providing forward secrecy, with AES 256-bit encryption and SHA for message digest (only for
SSL 3.0).

Note The latest versions of Chrome do not support the four original cipher suites, thus disallowing access to both
web GUI and guest portals. The NULL CipherSuites authenticate and integrity-protect the session but do not
encrypt it, and single DES (56-bit), RC4, and MD5 are deprecated and no longer offered by current browsers.
Unless a specific client forces you to, do not pin the server to any of these with the ip http secure-ciphersuite
command; the default (negotiate) lets a current browser select one of the AES suites.

RSA (in conjunction with the specified encryption and digest algorithm combinations) is used for both key
generation and authentication on SSL connections. This usage is independent of whether or not a CA trustpoint
is configured.

Default SSL Configuration

• The standard HTTP server is enabled.
• SSL is enabled.
• No CA trustpoints are configured.
• No self-signed certificates are generated.

SSL Configuration Guidelines

• When SSL is used in a switch cluster, the SSL session terminates at the cluster commander. Cluster member
switches must run standard HTTP.
• Before you configure a CA trustpoint, ensure that the system clock is set (manually or through NTP). If the
clock is not set, the certificate is rejected because the switch cannot confirm that the current time lies within
the certificate's validity period.
• In a switch stack, the SSL session terminates at the stack master.

How to Configure Secure HTTP Servers and Clients


Configuring a CA Trustpoint
For secure HTTP connections, we recommend that you configure an official CA trustpoint. A CA trustpoint
is more secure than a self-signed certificate: a browser can verify a CA-issued certificate against a trust anchor
it already holds, whereas a self-signed certificate has to be accepted unverified on each client, so a certificate
presented by a man-in-the-middle is indistinguishable from the real one.
Beginning in privileged EXEC mode, follow these steps to configure a CA Trustpoint:

SUMMARY STEPS
1. configure terminal
2. hostname hostname
3. ip domain-name domain-name
4. crypto key generate rsa
5. crypto ca trustpoint name
6. enrollment url url
7. enrollment http-proxy host-name port-number
8. crl query url
9. primary name
10. exit
11. crypto ca authenticate name
12. crypto ca enroll name
13. end

DETAILED STEPS

Step 1  configure terminal
Purpose: Enters global configuration mode.
Example:
SwitchDevice# configure terminal

Step 2  hostname hostname
Purpose: Specifies the hostname of the switch (required only if you have not previously configured a
hostname). The hostname is required for security keys and certificates.
Example:
SwitchDevice(config)# hostname your_hostname

Step 3  ip domain-name domain-name
Purpose: Specifies the IP domain name of the switch (required only if you have not previously configured
an IP domain name). The domain name is required for security keys and certificates.
Example:
SwitchDevice(config)# ip domain-name your_domain

Step 4  crypto key generate rsa
Purpose: (Optional) Generates an RSA key pair. RSA key pairs are required before you can obtain a certificate
for the switch. RSA key pairs are generated automatically. You can use this command to regenerate the keys,
if needed.
Example:
SwitchDevice(config)# crypto key generate rsa

Step 5  crypto ca trustpoint name
Purpose: Specifies a local configuration name for the CA trustpoint and enters CA trustpoint configuration
mode.
Example:
SwitchDevice(config)# crypto ca trustpoint your_trustpoint

Step 6  enrollment url url
Purpose: Specifies the URL to which the switch should send certificate requests.
Example:
SwitchDevice(ca-trustpoint)# enrollment url http://your_server:80

Step 7  enrollment http-proxy host-name port-number
Purpose: (Optional) Configures the switch to obtain certificates from the CA through an HTTP proxy server.
• For host-name, specify the proxy server used to get the CA.
• For port-number, specify the port number used to access the CA.
Example:
SwitchDevice(ca-trustpoint)# enrollment http-proxy your_host 49

Step 8  crl query url
Purpose: Configures the switch to request a certificate revocation list (CRL) to ensure that the certificate
of the peer has not been revoked.
Example:
SwitchDevice(ca-trustpoint)# crl query ldap://your_host:49

Step 9  primary name
Purpose: (Optional) Specifies that the trustpoint should be used as the primary (default) trustpoint for CA
requests. For name, specify the trustpoint that you just configured.
Example:
SwitchDevice(ca-trustpoint)# primary your_trustpoint

Step 10  exit
Purpose: Exits CA trustpoint configuration mode and returns to global configuration mode.
Example:
SwitchDevice(ca-trustpoint)# exit

Step 11  crypto ca authenticate name
Purpose: Authenticates the CA by getting the public key of the CA. Use the same name used in Step 5. The
command displays the fingerprint of the CA certificate and asks whether to accept it; compare that fingerprint
with the value the CA publishes out of band before you answer yes, because every later certificate check on
the switch relies on this trust anchor. (crypto pki authenticate is the equivalent newer form of the command.)
Example:
SwitchDevice(config)# crypto ca authenticate your_trustpoint

Step 12  crypto ca enroll name
Purpose: Obtains the certificate from the specified CA trustpoint. This command requests a signed certificate
for each RSA key pair.
Example:
SwitchDevice(config)# crypto ca enroll your_trustpoint

Step 13  end
Purpose: Returns to privileged EXEC mode.
Example:
SwitchDevice(config)# end

Configuring the Secure HTTP Server


Beginning in privileged EXEC mode, follow these steps to configure a secure HTTP server:

Before you begin

If you are using a certificate authority for certification, you should use the previous procedure to configure
the CA trustpoint on the switch before enabling the HTTP server. If you have not configured a CA trustpoint,
a self-signed certificate is generated the first time that you enable the secure HTTP server. After you have
configured the server, you can configure options (path, access list to apply, maximum number of connections,
or timeout policy) that apply to both standard and secure HTTP servers.
To verify the secure HTTP connection by using a Web browser, enter https://URL, where the URL is the IP
address or hostname of the server switch. If you configure a port other than the default port, you must also
specify the port number after the URL. For example:

https://209.165.129:1026

or

https://host.domain.com:1026

SUMMARY STEPS
1. show ip http server status
2. configure terminal
3. ip http secure-server
4. ip http secure-port port-number
5. ip http secure-ciphersuite {[3des-ede-cbc-sha] [rc4-128-md5] [rc4-128-sha] [des-cbc-sha]}
6. ip http secure-client-auth
7. ip http secure-trustpoint name
8. ip http path path-name
9. ip http access-class access-list-number
10. ip http max-connections value
11. ip http timeout-policy idle seconds life seconds requests value
12. end

DETAILED STEPS

Step 1  show ip http server status
Purpose: (Optional) Displays the status of the HTTP server to determine if the secure HTTP server feature is
supported in the software. You should see one of these lines in the output:
HTTP secure server capability: Present
or
HTTP secure server capability: Not present
Example:
SwitchDevice# show ip http server status

Step 2  configure terminal
Purpose: Enters global configuration mode.
Example:
SwitchDevice# configure terminal

Step 3  ip http secure-server
Purpose: Enables the HTTPS server if it has been disabled. The HTTPS server is enabled by default. Once you
have verified that HTTPS works, disable the cleartext server with the no ip http server global configuration
command so that management sessions cannot fall back to unencrypted HTTP.
Example:
SwitchDevice(config)# ip http secure-server

Step 4  ip http secure-port port-number
Purpose: (Optional) Specifies the port number to be used for the HTTPS server. The default port number is
443. Valid options are 443 or any number in the range 1025 to 65535.
Example:
SwitchDevice(config)# ip http secure-port 443

Step 5  ip http secure-ciphersuite {[3des-ede-cbc-sha] [rc4-128-md5] [rc4-128-sha] [des-cbc-sha]}
Purpose: (Optional) Restricts the CipherSuites (encryption algorithms) that the HTTPS server negotiates. If
you do not have a reason to specify a particular CipherSuite, you should allow the server and client to
negotiate a CipherSuite that they both support. This is the default. The four suites this command can pin all
rely on DES, 3DES, RC4, or MD5, which current browsers no longer offer, so pinning them can lock current
clients out of the web GUI (see the Note under CipherSuites).
Example:
SwitchDevice(config)# ip http secure-ciphersuite rc4-128-md5

Step 6  ip http secure-client-auth
Purpose: (Optional) Configures the HTTP server to request an X.509v3 certificate from the client for
authentication during the connection process. The default is for the client to request a certificate from the
server, but the server does not attempt to authenticate the client.
Example:
SwitchDevice(config)# ip http secure-client-auth

Step 7  ip http secure-trustpoint name
Purpose: Specifies the CA trustpoint to use to get an X.509v3 security certificate and to authenticate the
client certificate connection.
Note Use of this command assumes you have already configured a CA trustpoint according to the previous
procedure.
Example:
SwitchDevice(config)# ip http secure-trustpoint your_trustpoint

Step 8  ip http path path-name
Purpose: (Optional) Sets a base HTTP path for HTML files. The path specifies the location of the HTTP server
files on the local system (usually located in system flash memory).
Example:
SwitchDevice(config)# ip http path /your_server:80

Step 9  ip http access-class access-list-number
Purpose: (Optional) Specifies a standard access list that limits which source addresses may connect to the
HTTP server. Without it, the server answers on every IP interface of the switch, so restricting it to the
management subnet is the most effective single control in this procedure.
Example:
SwitchDevice(config)# ip http access-class 2

Step 10  ip http max-connections value
Purpose: (Optional) Sets the maximum number of concurrent connections that are allowed to the HTTP server.
We recommend that the value be at least 10 and not less. This is required for the UI to function as expected.
Example:
SwitchDevice(config)# ip http max-connections 10

Step 11  ip http timeout-policy idle seconds life seconds requests value
Purpose: (Optional) Specifies how long a connection to the HTTP server can remain open under the defined
circumstances:
• idle—the maximum time period when no data is received or response data cannot be sent. The range
is 1 to 600 seconds. The default is 180 seconds (3 minutes).
• life—the maximum time period from the time that the connection is established. The range is 1 to 86400
seconds (24 hours). The default is 180 seconds.
• requests—the maximum number of requests processed on a persistent connection. The maximum
value is 86400. The default is 1.
Example:
SwitchDevice(config)# ip http timeout-policy idle 120 life 240 requests 1

Step 12  end
Purpose: Returns to privileged EXEC mode.
Example:
SwitchDevice(config)# end
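The following is an added example, not code from the Cisco guide, that turns the guidance of the CipherSuites section and of the CA trustpoint and secure HTTP server procedures above into an offline check. Given the text of a saved show running-config, it reports the settings a reviewer would flag (cleartext server still enabled, HTTPS served from the self-signed certificate, no access-class, max-connections below 10, DES/RC4/MD5 suites pinned) together with the global configuration command that fixes each one. The two configuration excerpts inside it are constructed for the example; the trustpoint name your_trustpoint and access list 2 are the placeholders used in the procedure, and the self-signed trustpoint number is the one shown earlier on this page.

```python
"""Audit HTTP/HTTPS server settings in a saved Cisco IOS running-config.

Added example, not code from the Cisco guide. It checks a 'show running-config'
capture against the guide's own advice: bind HTTPS to a CA trustpoint rather than
the self-signed certificate, restrict the server with an access-class, keep
max-connections at 10 or more, do not pin the DES/RC4/MD5 CipherSuites, and do
not leave the cleartext server running. The sample configs are constructed.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

WEAK_SUITES = {"des-cbc-sha", "rc4-128-md5", "rc4-128-sha"}  # DES/RC4/MD5 based
MIN_CONNECTIONS = 10  # minimum the guide documents for the web UI


@dataclass
class Finding:
    check: str   # short identifier of the failed check
    detail: str  # what was found
    fix: str     # global configuration command that fixes it


def _arg(lines: List[str], cmd: str) -> Optional[str]:
    """Argument text of the first 'ip http' command equal to cmd, or None."""
    for line in lines:
        if line == cmd or line.startswith(cmd + " "):
            return line[len(cmd):].strip()
    return None


def audit_http(config: str) -> List[Finding]:
    """Return one Finding per weak or missing HTTP/HTTPS setting."""
    # Only enabling commands; 'no ip http ...' lines do not start with 'ip http'.
    lines = [" ".join(l.split()) for l in config.splitlines()
             if l.strip().startswith("ip http ")]
    out: List[Finding] = []
    if _arg(lines, "ip http server") is not None:
        out.append(Finding("plain-http", "cleartext HTTP server is enabled",
                           "no ip http server"))
    if _arg(lines, "ip http secure-server") is None:
        out.append(Finding("https-off", "HTTPS server is disabled", "ip http secure-server"))
    weak = sorted(set((_arg(lines, "ip http secure-ciphersuite") or "").split()) & WEAK_SUITES)
    if weak:  # removing the pin lets client and server negotiate the AES suites
        out.append(Finding("weak-ciphersuite",
                           "pinned CipherSuites use DES/RC4/MD5: " + ", ".join(weak),
                           "no ip http secure-ciphersuite"))
    if _arg(lines, "ip http secure-trustpoint") is None:
        detail = "HTTPS is not bound to a CA trustpoint"
        tp = re.search(r"^crypto pki trustpoint (TP-self-signed-\d+)", config, re.M)
        if tp:
            detail += "; self-signed certificate " + tp.group(1) + " is in use"
        out.append(Finding("self-signed", detail, "ip http secure-trustpoint <ca-trustpoint>"))
    if _arg(lines, "ip http access-class") is None:
        out.append(Finding("no-access-class", "HTTP server accepts connections from any source",
                           "ip http access-class <acl-number>"))
    max_conn = _arg(lines, "ip http max-connections")
    if max_conn is not None and int(max_conn) < MIN_CONNECTIONS:
        out.append(Finding("max-connections",
                           f"max-connections {max_conn} is below the documented minimum of {MIN_CONNECTIONS}",
                           f"ip http max-connections {MIN_CONNECTIONS}"))
    if _arg(lines, "ip http secure-client-auth") is None:
        out.append(Finding("no-client-auth", "server does not request a client certificate",
                           "ip http secure-client-auth"))
    return out


# Constructed running-config excerpt: HTTPS on its defaults plus a pinned
# CipherSuite list and a too-small connection limit.
WEAK_CONFIG = """\
crypto pki trustpoint TP-self-signed-3080755072
 enrollment selfsigned
 rsakeypair TP-self-signed-3080755072
!
ip http server
ip http secure-server
ip http secure-ciphersuite rc4-128-md5 des-cbc-sha
ip http max-connections 4
"""

# The same server after the fixes; trustpoint 'your_trustpoint' is assumed to
# have been enrolled as in the CA trustpoint procedure.
HARDENED_CONFIG = """\
no ip http server
ip http secure-server
ip http secure-trustpoint your_trustpoint
ip http secure-client-auth
ip http access-class 2
ip http max-connections 10
"""


def audit_weak_sample() -> List[Finding]:
    return audit_http(WEAK_CONFIG)


if __name__ == "__main__":
    for f in audit_weak_sample():
        print(f"[{f.check}] {f.detail}\n    fix: {f.fix}")
    print("hardened config findings:", len(audit_http(HARDENED_CONFIG)))
```

To run it against a real switch, pass the captured configuration text to audit_http; the function reads only the ip http global commands and the crypto pki trustpoint name, so it is safe on a full configuration. The check list is the guide's, not a complete HTTPS hardening baseline.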

Configuring the Secure HTTP Client


Beginning in privileged EXEC mode, follow these steps to configure a secure HTTP client:

Before you begin


The standard HTTP client and secure HTTP client are always enabled. A certificate authority is required for
secure HTTP client certification. This procedure assumes that you have previously configured a CA trustpoint
on the switch. If a CA trustpoint is not configured and the remote HTTPS server requires client authentication,
connections from the secure HTTP client fail.

SUMMARY STEPS
1. configure terminal
2. ip http client secure-trustpoint name
3. ip http client secure-ciphersuite {[3des-ede-cbc-sha] [rc4-128-md5] [rc4-128-sha] [des-cbc-sha]}
4. end

DETAILED STEPS

Step 1  configure terminal
Purpose: Enters global configuration mode.
Example:
SwitchDevice# configure terminal

Step 2  ip http client secure-trustpoint name
Purpose: (Optional) Specifies the CA trustpoint to be used if the remote HTTP server requests client
authentication. Using this command assumes that you have already configured a CA trustpoint by using the
previous procedure. The command is optional if client authentication is not needed or if a primary trustpoint
has been configured.
Example:
SwitchDevice(config)# ip http client secure-trustpoint your_trustpoint

Step 3  ip http client secure-ciphersuite {[3des-ede-cbc-sha] [rc4-128-md5] [rc4-128-sha] [des-cbc-sha]}
Purpose: (Optional) Specifies the CipherSuites (encryption algorithms) to be used for encryption over the
HTTPS connection. If you do not have a reason to specify a particular CipherSuite, you should allow the
server and client to negotiate a CipherSuite that they both support. This is the default.
Example:
SwitchDevice(config)# ip http client secure-ciphersuite rc4-128-md5

Step 4  end
Purpose: Returns to privileged EXEC mode.
Example:
SwitchDevice(config)# end

Monitoring Secure HTTP Server and Client Status


To monitor the SSL secure server and client status, use the privileged EXEC commands in the following table.

Table 138: Commands for Displaying the SSL Secure Server and Client Status

Command                             Purpose
show ip http client secure status   Shows the HTTP secure client configuration.
show ip http server secure status   Shows the HTTP secure server configuration.
show running-config                 Shows the generated self-signed certificate for secure HTTP connections.
CHAPTER 57
Configuring IPv4 ACLs
• Finding Feature Information, on page 1263
• Prerequisites for Configuring IPv4 Access Control Lists, on page 1263
• Restrictions for Configuring IPv4 Access Control Lists, on page 1263
• Information about Network Security with ACLs, on page 1265
• How to Configure ACLs, on page 1276
• Monitoring IPv4 ACLs, on page 1297
• Configuration Examples for ACLs, on page 1298

Finding Feature Information


Your software release may not support all the features documented in this module. For the latest caveats and
feature information, see Bug Search Tool and the release notes for your platform and software release. To
find information about the features documented in this module, and to see a list of the releases in which each
feature is supported, see the feature information table at the end of this module.
Use Cisco Feature Navigator to find information about platform support and Cisco software image support.
To access Cisco Feature Navigator, go to http://www.cisco.com/go/cfn. An account on Cisco.com is not
required.

Prerequisites for Configuring IPv4 Access Control Lists


This section lists the prerequisites for configuring network security with access control lists (ACLs).
• On switches running the LAN base feature set, VLAN maps are not supported.

Restrictions for Configuring IPv4 Access Control Lists


General Network Security
The following are restrictions for configuring network security with ACLs:
• Not all commands that accept a numbered ACL accept a named ACL. ACLs for packet filters and route
filters on interfaces can use a name. VLAN maps also accept a name.


• A standard ACL and an extended ACL cannot have the same name.
• Though visible in the command-line help strings, appletalk is not supported as a matching condition for
the deny and permit MAC access-list configuration mode commands.

IPv4 ACL Network Interfaces


The following restrictions apply to IPv4 ACLs to network interfaces:
• When controlling access to an interface, you can use a named or numbered ACL.
• If you apply an ACL to a Layer 2 interface that is a member of a VLAN, the Layer 2 (port) ACL takes
precedence over an input Layer 3 ACL applied to the VLAN interface or a VLAN map applied to the
VLAN.
• If you apply an ACL to a Layer 3 interface and routing is not enabled on the switch, the ACL only filters
packets that are intended for the CPU, such as SNMP, Telnet, or web traffic.
• You do not have to enable routing to apply ACLs to Layer 2 interfaces.

Note By default, the router sends Internet Control Message Protocol (ICMP) unreachable messages when a packet
is denied by an access group on a Layer 3 interface. These access-group denied packets are not dropped in
hardware but are bridged to the switch CPU so that it can generate the ICMP-unreachable message. Port ACLs
are the exception: packets denied by a port ACL do not generate ICMP unreachable messages. ICMP unreachable
messages can be disabled on router ACLs with the no ip unreachables interface command. Consider doing so
on any Layer 3 interface that faces untrusted traffic: with unreachables enabled, every denied packet is sent
to the CPU, so a flood of denied packets loads the CPU rather than being discarded in hardware.

MAC ACLs on a Layer 2 Interface


After you create a MAC ACL, you can apply it to a Layer 2 interface to filter non-IP traffic coming in that
interface. When you apply the MAC ACL, consider these guidelines:
• You can apply no more than one IP access list and one MAC access list to the same Layer 2 interface.
The IP access list filters only IP packets, and the MAC access list filters non-IP packets.
• A Layer 2 interface can have only one MAC access list. If you apply a MAC access list to a Layer 2
interface that has a MAC ACL configured, the new ACL replaces the previously configured one.

Note The mac access-group interface configuration command is only valid when applied to a physical Layer 2
interface. You cannot use the command on EtherChannel port channels.

IP Access List Entry Sequence Numbering


• This feature does not support dynamic, reflexive, or firewall access lists.
Related Topics
Applying an IPv4 ACL to an Interface, on page 1288
IPv4 ACL Interface Considerations, on page 1276
Creating Named MAC Extended ACLs, on page 1290
Applying a MAC ACL to a Layer 2 Interface, on page 1291


Information about Network Security with ACLs


This chapter describes how to configure network security on the switch by using access control lists (ACLs),
which in commands and tables are also referred to as access lists.

ACL Overview
Packet filtering can help limit network traffic and restrict network use by certain users or devices. ACLs filter
traffic as it passes through a router or switch and permit or deny packets crossing specified interfaces or
VLANs. An ACL is a sequential collection of permit and deny conditions that apply to packets. When a packet
is received on an interface, the switch compares the fields in the packet against any applied ACLs to verify
that the packet has the required permissions to be forwarded, based on the criteria specified in the access lists.
One by one, it tests packets against the conditions in an access list. The first match decides whether the switch
accepts or rejects the packet. Because the switch stops testing after the first match, the order of conditions
in the list is critical. Every access list ends with an implicit deny, so a packet that matches no condition is
dropped; an interface with no ACL applied forwards all packets. The switch can use ACLs on all packets it
forwards, including packets bridged within a VLAN.
You configure access lists on a router or Layer 3 switch to provide basic security for your network. If you do
not configure ACLs, all packets passing through the switch could be allowed onto all parts of the network.
You can use ACLs to control which hosts can access different parts of a network or to decide which types of
traffic are forwarded or blocked at router interfaces. For example, you can allow e-mail traffic to be forwarded
but not Telnet traffic. ACLs can be configured to block inbound traffic, outbound traffic, or both.

Access Control Entries


An ACL contains an ordered list of access control entries (ACEs). Each ACE specifies permit or deny and a
set of conditions the packet must satisfy in order to match the ACE. The meaning of permit or deny depends
on the context in which the ACL is used.

ACL Supported Types


The switch supports IP ACLs and Ethernet (MAC) ACLs:
• IP ACLs filter IPv4 traffic, including TCP, User Datagram Protocol (UDP), Internet Group Management
Protocol (IGMP), and Internet Control Message Protocol (ICMP).
• Ethernet ACLs filter non-IP traffic.

This switch also supports quality of service (QoS) classification ACLs.

Supported ACLs
The switch supports three types of ACLs to filter traffic:
• Port ACLs access-control traffic entering a Layer 2 interface. You can apply only one IP access list and
one MAC access list to a Layer 2 interface.
• Router ACLs access-control routed traffic between VLANs and are applied to Layer 3 interfaces in a
specific direction (inbound or outbound).


• VLAN ACLs or VLAN maps access-control all packets (bridged and routed). You can use VLAN maps
to filter traffic between devices in the same VLAN. VLAN maps are configured to provide access control
based on Layer 3 addresses for IPv4. Unsupported protocols are access-controlled through MAC addresses
using Ethernet ACEs. After a VLAN map is applied to a VLAN, all packets (routed or bridged) entering
the VLAN are checked against the VLAN map. Packets can either enter the VLAN through a switch port
or through a routed port after being routed.

ACL Precedence
When VLAN maps, Port ACLs, and router ACLs are configured on the same switch, the filtering precedence,
from greatest to least, is port ACL, router ACL, then VLAN map. The following examples describe simple
use cases:
• When both an input port ACL and a VLAN map are applied, incoming packets received on ports with a
port ACL applied are filtered by the port ACL. Other packets are filtered by the VLAN map
• When an input router ACL and input port ACL exist in a switch virtual interface (SVI), incoming packets
received on ports to which a port ACL is applied are filtered by the port ACL. Incoming routed IP packets
received on other ports are filtered by the router ACL. Other packets are not filtered.
• When an output router ACL and input port ACL exist in an SVI, incoming packets received on the ports
to which a port ACL is applied are filtered by the port ACL. Outgoing routed IP packets are filtered by
the router ACL. Other packets are not filtered.
• When a VLAN map, input router ACL, and input port ACL exist in an SVI, incoming packets received
on the ports to which a port ACL is applied are only filtered by the port ACL. Incoming routed IP packets
received on other ports are filtered by both the VLAN map and the router ACL. Other packets are filtered
only by the VLAN map.
• When a VLAN map, output router ACL, and input port ACL exist in an SVI, incoming packets received
on the ports to which a port ACL is applied are only filtered by the port ACL. Outgoing routed IP packets
are filtered by both the VLAN map and the router ACL. Other packets are filtered only by the VLAN
map.

Related Topics
Restrictions for Configuring IPv4 Access Control Lists, on page 1263

Port ACLs
Port ACLs are ACLs that are applied to Layer 2 interfaces on a switch. Port ACLs are supported only on
physical interfaces and not on EtherChannel interfaces. Port ACLs can be applied on outbound and inbound
interfaces. The following access lists are supported:
• Standard IP access lists using source addresses
• Extended IP access lists using source and destination addresses and optional protocol type information
• MAC extended access lists using source and destination MAC addresses and optional protocol type
information

The switch examines ACLs on an interface and permits or denies packet forwarding based on how the packet
matches the entries in the ACL. In this way, ACLs control access to a network or to part of a network.


Figure 100: Using ACLs to Control Traffic in a Network

This is an example of using port ACLs to control access to a network when all workstations are in the same
VLAN. ACLs applied at the Layer 2 input would allow Host A to access the Human Resources network, but
prevent Host B from accessing the same network. Port ACLs can only be applied to Layer 2 interfaces in the
inbound direction.
When you apply a port ACL to a trunk port, the ACL filters traffic on all VLANs present on the trunk port.
When you apply a port ACL to a port with voice VLAN, the ACL filters traffic on both data and voice VLANs.
With port ACLs, you can filter IP traffic by using IP access lists and non-IP traffic by using MAC addresses.
You can filter both IP and non-IP traffic on the same Layer 2 interface by applying both an IP access list and
a MAC access list to the interface.

Note You cannot apply more than one IP access list and one MAC access list to a Layer 2 interface. If an IP access
list or MAC access list is already configured on a Layer 2 interface and you apply a new IP access list or MAC
access list to the interface, the new ACL replaces the previously configured one.

Router ACLs
You can apply router ACLs on switch virtual interfaces (SVIs), which are Layer 3 interfaces to VLANs; on
physical Layer 3 interfaces; and on Layer 3 EtherChannel interfaces. You apply router ACLs on interfaces
for specific directions (inbound or outbound). You can apply one router ACL in each direction on an interface.
The switch supports these access lists for IPv4 traffic:
• Standard IP access lists use source addresses for matching operations.
• Extended IP access lists use source and destination addresses and optional protocol type information for
matching operations.

As with port ACLs, the switch examines ACLs associated with features configured on a given interface. As
packets enter the switch on an interface, ACLs associated with all inbound features configured on that interface
are examined. After packets are routed and before they are forwarded to the next hop, all ACLs associated
with outbound features configured on the egress interface are examined.
ACLs permit or deny packet forwarding based on how the packet matches the entries in the ACL, and can be
used to control access to a network or to part of a network.

VLAN Maps
Use VLAN ACLs or VLAN maps to access-control all traffic. You can apply VLAN maps to all packets that
are routed into or out of a VLAN or are bridged within a VLAN in the switch or switch stack.
Use VLAN maps for security packet filtering. VLAN maps are not defined by direction (input or output).
You can configure VLAN maps to match Layer 3 addresses for IPv4 traffic.
All non-IP protocols are access-controlled through MAC addresses and Ethertype using MAC VLAN maps.
(IP traffic is not access controlled by MAC VLAN maps.) You can enforce VLAN maps only on packets
going through the switch; you cannot enforce VLAN maps on traffic between hosts on a hub or on another
switch connected to this switch.
With VLAN maps, forwarding of packets is permitted or denied, based on the action specified in the map.
Figure 101: Using VLAN Maps to Control Traffic

This shows how a VLAN map is applied to prevent a specific type of traffic from Host A in VLAN 10 from
being forwarded. You can apply only one VLAN map to a VLAN.

ACEs and Fragmented and Unfragmented Traffic


IP packets can be fragmented as they cross the network. When this happens, only the fragment containing the
beginning of the packet contains the Layer 4 information, such as TCP or UDP port numbers, ICMP type and
code, and so on. All other fragments are missing this information.
Some access control entries (ACEs) do not check Layer 4 information and therefore can be applied to all
packet fragments. ACEs that do test Layer 4 information cannot be applied in the standard manner to most
of the fragments in a fragmented IP packet. When the fragment contains no Layer 4 information and the ACE
tests some Layer 4 information, the matching rules are modified:
• Permit ACEs that check the Layer 3 information in the fragment (including protocol type, such as TCP,
UDP, and so on) are considered to match the fragment regardless of what the missing Layer 4 information
might have been.
• Deny ACEs that check Layer 4 information never match a fragment unless the fragment contains Layer
4 information.

ACEs and Fragmented and Unfragmented Traffic Examples


Consider access list 102, configured with these commands, applied to three fragmented packets:

SwitchDevice(config)# access-list 102 permit tcp any host 10.1.1.1 eq smtp
SwitchDevice(config)# access-list 102 deny tcp any host 10.1.1.2 eq telnet
SwitchDevice(config)# access-list 102 permit tcp any host 10.1.1.2
SwitchDevice(config)# access-list 102 deny tcp any any

Note In the first and second ACEs in the examples, the eq keyword after the destination address means to test for
the TCP-destination-port well-known numbers equaling Simple Mail Transfer Protocol (SMTP) and Telnet,
respectively.

• Packet A is a TCP packet from host 10.2.2.2, port 65000, going to host 10.1.1.1 on the SMTP port. If
this packet is fragmented, the first fragment matches the first ACE (a permit) as if it were a complete
packet because all Layer 4 information is present. The remaining fragments also match the first ACE,
even though they do not contain the SMTP port information, because the first ACE only checks Layer
3 information when applied to fragments. The Layer 3 information in this example is that the packet is
TCP and that the destination is 10.1.1.1.
• Packet B is from host 10.2.2.2, port 65001, going to host 10.1.1.2 on the Telnet port. If this packet is
fragmented, the first fragment matches the second ACE (a deny) because all Layer 3 and Layer 4
information is present. The remaining fragments in the packet do not match the second ACE because
they are missing Layer 4 information. Instead, they match the third ACE (a permit).
Because the first fragment was denied, host 10.1.1.2 cannot reassemble a complete packet, so packet B
is effectively denied. However, the later fragments that are permitted will consume bandwidth on the
network and resources of host 10.1.1.2 as it tries to reassemble the packet.
• Packet C is from host 10.2.2.2, port 65001, going to host 10.1.1.3 on the FTP port. If this packet is
fragmented, the first fragment matches the fourth ACE (a deny). All other fragments also match the
fourth ACE because that ACE does not check any Layer 4 information and because the Layer 3 information
in all fragments shows that they are being sent to host 10.1.1.3, and the earlier permit ACEs were checking
different hosts.
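The fragment rules above are easy to misread, so here is a small Python model of them, added as an editorial example (it is not Cisco code and does not run on the switch). It encodes the three rules stated above, evaluates access list 102 against fragments of packets A, B and C, and then adds a second list that uses the fragments keyword (described with the extended ACL steps later in this chapter) to close the gap that lets the later fragments of packet B reach 10.1.1.2. The Packet and Ace types, the three-fragment split and the assumption that only the first fragment carries the Layer 4 header are the model's; the addresses, ports and ACEs are the ones in the text.

```python
from dataclasses import dataclass
from typing import List, Optional

WELL_KNOWN_TCP = {"ftp": 21, "telnet": 23, "smtp": 25}  # port names used in the text


@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    dst: str
    dport: Optional[int] = None  # None: non-initial fragment, no Layer 4 header present


@dataclass(frozen=True)
class Ace:
    action: str                  # "permit" or "deny"
    proto: str                   # "tcp", "udp", "icmp", or "ip" (any IP protocol)
    src: str                     # "any" or "host A.B.C.D"
    dst: str
    dport: Optional[int] = None  # the "eq <port>" test on the destination port
    fragments: bool = False      # the "fragments" keyword: non-initial fragments only


def _addr_ok(spec: str, addr: str) -> bool:
    return spec == "any" or spec == "host " + addr


def ace_matches(ace: Ace, pkt: Packet) -> bool:
    """Apply one ACE to one fragment using the rules stated in the guide."""
    if ace.proto != "ip" and ace.proto != pkt.proto:
        return False
    if not (_addr_ok(ace.src, pkt.src) and _addr_ok(ace.dst, pkt.dst)):
        return False
    non_initial = pkt.dport is None
    if ace.fragments:                   # "fragments" checks non-initial fragments only
        return non_initial
    if ace.dport is None:               # Layer 3 only: applies to every fragment
        return True
    if non_initial:                     # Layer 4 test, but no Layer 4 data to test
        return ace.action == "permit"   # permit matches on Layer 3; deny never matches
    return pkt.dport == ace.dport


def evaluate(acl: List[Ace], pkt: Packet) -> str:
    for ace in acl:                     # first match wins
        if ace_matches(ace, pkt):
            return ace.action
    return "deny"                       # implicit deny at the end of every ACL


def fragments(proto: str, src: str, dst: str, dport: int, count: int = 3) -> List[Packet]:
    """Model a packet split into fragments: only the first carries the L4 header."""
    return [Packet(proto, src, dst, dport)] + [Packet(proto, src, dst)] * (count - 1)


def decisions(acl: List[Ace], frags: List[Packet]) -> List[str]:
    return [evaluate(acl, f) for f in frags]


# Access list 102 exactly as configured in the text.
ACL_102 = [
    Ace("permit", "tcp", "any", "host 10.1.1.1", dport=WELL_KNOWN_TCP["smtp"]),
    Ace("deny", "tcp", "any", "host 10.1.1.2", dport=WELL_KNOWN_TCP["telnet"]),
    Ace("permit", "tcp", "any", "host 10.1.1.2"),
    Ace("deny", "tcp", "any", "any"),
]

# The same list with a "fragments" deny placed ahead of the broad permit for
# 10.1.1.2, so the non-initial fragments of packet B are dropped as well.
# The cost: non-initial fragments of legitimately permitted flows to 10.1.1.2
# are dropped too, so this is only acceptable where fragmentation is unexpected.
ACL_102_HARDENED = ACL_102[:2] + [
    Ace("deny", "ip", "any", "host 10.1.1.2", fragments=True)] + ACL_102[2:]

# The three sample packets from the text, each split into three fragments.
PACKET_A = fragments("tcp", "10.2.2.2", "10.1.1.1", WELL_KNOWN_TCP["smtp"])
PACKET_B = fragments("tcp", "10.2.2.2", "10.1.1.2", WELL_KNOWN_TCP["telnet"])
PACKET_C = fragments("tcp", "10.2.2.2", "10.1.1.3", WELL_KNOWN_TCP["ftp"])

if __name__ == "__main__":
    for name, frags in (("A", PACKET_A), ("B", PACKET_B), ("C", PACKET_C)):
        print(name, "acl 102:", decisions(ACL_102, frags),
              "hardened:", decisions(ACL_102_HARDENED, frags))
```

Under list 102 the model returns permit for every fragment of A, deny then permit for B, and deny for every fragment of C, which is the walk-through above. With the fragments deny in place the non-initial fragments of B are dropped too, at the price of also dropping non-initial fragments of permitted sessions to 10.1.1.2.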

Standard and Extended IPv4 ACLs


This section describes IP ACLs.
An ACL is a sequential collection of permit and deny conditions. One by one, the switch tests packets against
the conditions in an access list. The first match determines whether the switch accepts or rejects the packet.
Because the switch stops testing after the first match, the order of the conditions is critical. If no conditions
match, the switch denies the packet.
The software supports these types of ACLs or access lists for IPv4:
• Standard IP access lists use source addresses for matching operations.
• Extended IP access lists use source and destination addresses for matching operations and optional
protocol-type information for finer granularity of control.


IPv4 ACL Switch Unsupported Features


Configuring IPv4 ACLs on the switch is the same as configuring IPv4 ACLs on other Cisco switches and
routers.
The following ACL-related features are not supported:
• Non-IP protocol ACLs
• IP accounting
• Reflexive ACLs and dynamic ACLs
• ACL logging for port ACLs and VLAN maps

Access List Numbers


The number you use to denote your ACL shows the type of access list that you are creating.
This table lists the access-list number ranges and the corresponding access list types, and shows whether each
is supported on the switch. The switch supports IPv4 standard and extended access lists, numbers 1 to 199 and
1300 to 2699.

Table 139: Access List Numbers

Access List Number   Type                                        Supported
1–99                 IP standard access list                     Yes
100–199              IP extended access list                     Yes
200–299              Protocol type-code access list              No
300–399              DECnet access list                          No
400–499              XNS standard access list                    No
500–599              XNS extended access list                    No
600–699              AppleTalk access list                       No
700–799              48-bit MAC address access list              No
800–899              IPX standard access list                    No
900–999              IPX extended access list                    No
1000–1099            IPX SAP access list                         No
1100–1199            Extended 48-bit MAC address access list     No
1200–1299            IPX summary address access list             No
1300–1999            IP standard access list (expanded range)    Yes
2000–2699            IP extended access list (expanded range)    Yes

In addition to numbered standard and extended ACLs, you can also create standard and extended named IP
ACLs by using the supported numbers. That is, the name of a standard IP ACL can be 1 to 99; the name of
an extended IP ACL can be 100 to 199. The advantage of using named ACLs instead of numbered lists is that
you can delete individual entries from a named list.

Numbered Standard IPv4 ACLs


When creating an ACL, remember that, by default, the end of the ACL contains an implicit deny statement
for all packets that it did not find a match for before reaching the end. With standard access lists, if you omit
the mask from an associated IP host address ACL specification, 0.0.0.0 is assumed to be the mask.
The switch always rewrites the order of standard access lists so that entries with host matches and entries
with matches having a don’t care mask of 0.0.0.0 are moved to the top of the list, above any entries with
non-zero don’t care masks. Therefore, in show command output and in the configuration file, the ACEs do
not necessarily appear in the order in which they were entered.
After creating a numbered standard IPv4 ACL, you can apply it to VLANs, to terminal lines, or to interfaces.

Numbered Extended IPv4 ACLs


Although standard ACLs use only source addresses for matching, you can use extended ACL source and
destination addresses for matching operations and optional protocol type information for finer granularity of
control. When you are creating ACEs in numbered extended access lists, remember that after you create the
ACL, any additions are placed at the end of the list. You cannot reorder the list or selectively add or remove
ACEs from a numbered list.
The switch does not support dynamic or reflexive access lists. It also does not support filtering based on the
type of service (ToS) minimize-monetary-cost bit.
Some protocols also have specific parameters and keywords that apply to that protocol.
You can define an extended TCP, UDP, ICMP, IGMP, or other IP ACL. The switch supports these IP protocols:

Note ICMP echo-reply cannot be filtered. All other ICMP codes or types can be filtered.

• Authentication Header Protocol (ahp)
• Encapsulation Security Payload (esp)
• Enhanced Interior Gateway Routing Protocol (eigrp)
• generic routing encapsulation (gre)
• Internet Control Message Protocol (icmp)
• Internet Group Management Protocol (igmp)
• any Internet Protocol (ip)
• IP in IP tunneling (ipinip)
• KA9Q NOS-compatible IP over IP tunneling (nos)
• Open Shortest Path First routing (ospf)
• Payload Compression Protocol (pcp)
• Protocol-Independent Multicast (pim)
• Transmission Control Protocol (tcp)
• User Datagram Protocol (udp)

Named IPv4 ACLs


You can identify IPv4 ACLs with an alphanumeric string (a name) rather than a number. You can use named
ACLs to configure more IPv4 access lists in a router than if you were to use numbered access lists. If you
identify your access list with a name rather than a number, the mode and command syntax are slightly different.
However, not all commands that use IP access lists accept a named access list.

Note The name you give to a standard or extended ACL can also be a number in the supported range of access list
numbers. That is, the name of a standard IP ACL can be 1 to 99 and the name of an extended IP ACL can be
100 to 199. The advantage of using named ACLs instead of numbered lists is that you can delete individual
entries from a named list.

Consider these guidelines before configuring named ACLs:


• Numbered ACLs are also available.
• A standard ACL and an extended ACL cannot have the same name.
• You can use standard or extended ACLs (named or numbered) in VLAN maps.

ACL Logging
The switch software can provide logging messages about packets permitted or denied by an IP access list.
That is, any packet that matches an ACE carrying the log keyword causes an informational logging message
about the packet to be sent to the console. The level of messages logged to the console is controlled by the
logging console commands controlling the syslog messages.

Note Because routing is done in hardware and logging is done in software, if a large number of packets match a
permit or deny ACE containing a log keyword, the software might not be able to match the hardware processing
rate, and not all packets will be logged.

The first packet that triggers the ACL causes a logging message right away, and subsequent packets are
collected over 5-minute intervals before they are logged. The logging message includes the access list
number, whether the packet was permitted or denied, the source IP address of the packet, and the number of
packets from that source permitted or denied in the prior 5-minute interval.


Note The logging facility might drop some logging message packets if there are too many to be handled or if there
is more than one logging message to be handled in 1 second. This behavior prevents the router from crashing
due to too many logging packets. Therefore, the logging facility should not be used as a billing tool or an
accurate source of the number of matches to an access list.

Hardware and Software Treatment of IP ACLs


ACL processing is performed in hardware. If the hardware reaches its capacity to store ACL configurations,
all packets on that interface are dropped.

Note If an ACL configuration cannot be implemented in hardware due to an out-of-resource condition on a switch
or stack member, then only the traffic in that VLAN arriving on that switch is affected.

For router ACLs, other factors can cause packets to be sent to the CPU:
• Using the log keyword
• Generating ICMP unreachable messages

When traffic flows are both logged and forwarded, forwarding is done by hardware, but logging must be done
by software. Because of the difference in packet handling capacity between hardware and software, if the sum
of all flows being logged (both permitted flows and denied flows) is of great enough bandwidth, not all of the
packets that are forwarded can be logged.
When you enter the show ip access-lists privileged EXEC command, the match count displayed does not
account for packets that are access controlled in hardware. Use the show platform acl counters hardware
privileged EXEC command to obtain some basic hardware ACL statistics for switched and routed packets.
Router ACLs function as follows:
• The hardware controls permit and deny actions of standard and extended ACLs (input and output) for
security access control.
• If log has not been specified, the flows that match a deny statement in a security ACL are dropped by
the hardware if ip unreachables is disabled. The flows matching a permit statement are switched in
hardware.
• Adding the log keyword to an ACE in a router ACL causes a copy of the packet to be sent to the CPU
for logging only. If the ACE is a permit statement, the packet is still switched and routed in hardware.

VLAN Map Configuration Guidelines


VLAN maps are the only way to control filtering within a VLAN. VLAN maps have no direction. To filter
traffic in a specific direction by using a VLAN map, you need to include an ACL with specific source or
destination addresses. If there is a match clause for that type of packet (IP or MAC) in the VLAN map, the
default action is to drop the packet if the packet does not match any of the entries within the map. If there is
no match clause for that type of packet, the default is to forward the packet.


The following are the VLAN map configuration guidelines:


• If there is no ACL configured to deny traffic on an interface and no VLAN map is configured, all traffic
is permitted.
• Each VLAN map consists of a series of entries. The order of entries in a VLAN map is important. A
packet that comes into the switch is tested against the first entry in the VLAN map. If it matches, the
action specified for that entry of the VLAN map is taken. If there is no match, the packet is tested against
the next entry in the map.
• If the VLAN map has at least one match clause for the type of packet (IP or MAC) and the packet does
not match any of these match clauses, the default is to drop the packet. If there is no match clause for
that type of packet in the VLAN map, the default is to forward the packet.
• Logging is not supported for VLAN maps.
• When a switch has an IP access list or MAC access list applied to a Layer 2 interface, and you apply a
VLAN map to a VLAN that the port belongs to, the port ACL takes precedence over the VLAN map.
• If a VLAN map configuration cannot be applied in hardware, all packets in that VLAN are dropped.

VLAN Maps with Router ACLs


To access control both bridged and routed traffic, you can use VLAN maps only or a combination of router
ACLs and VLAN maps. You can define router ACLs on both input and output routed VLAN interfaces, and
you can define a VLAN map to access control the bridged traffic.
If a packet flow matches a VLAN-map deny clause in the ACL, regardless of the router ACL configuration,
the packet flow is denied.

Note When you use router ACLs with VLAN maps, packets that require logging on the router ACLs are not logged
if they are denied by a VLAN map.

If the VLAN map has a match clause for the type of packet (IP or MAC) and the packet does not match any
entry of that type, the default is to drop the packet. If there is no match clause in the VLAN map for that type
of packet, the packet is forwarded when it does not match any VLAN map entry.
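The VLAN map rules in the guidelines above (ordered entries, a per-packet-type default of drop once any match clause for that type exists, port ACL precedence) and the interaction with router ACLs described in this section are modelled in the following Python, added here as an illustration and not taken from Cisco software. The constructed scenario blocks one host pair inside a VLAN. The ip_acl helper stands in for an IP ACL whose single ACE permits the given source and destination, and the model assumes that a match clause matches when its ACL permits the packet; both are the model's assumptions, as are the Frame and MapEntry types.

```python
import ipaddress
from dataclasses import dataclass
from typing import Callable, Optional, Sequence, Tuple


@dataclass(frozen=True)
class Frame:
    kind: str   # "ip" for IP packets, "mac" for non-IP frames (the two VLAN map types)
    src: str
    dst: str


Acl = Callable[[Frame], bool]   # models "does the named ACL permit this frame?"


@dataclass(frozen=True)
class MapEntry:
    seq: int
    action: str                                  # "forward" or "drop"
    clauses: Tuple[Tuple[str, Acl], ...]         # (packet type, ACL) match clauses


def ip_acl(src: str, dst: str) -> Acl:
    """An ACL consisting of one 'permit ip <src> <dst>' ACE, given in CIDR form or as 'any'."""
    def inside(net: str, addr: str) -> bool:
        return net == "any" or ipaddress.ip_address(addr) in ipaddress.ip_network(net)
    return lambda f: f.kind == "ip" and inside(src, f.src) and inside(dst, f.dst)


def vlan_map_action(entries: Sequence[MapEntry], frame: Frame) -> str:
    """First matching entry wins; otherwise the per-packet-type default applies."""
    for e in sorted(entries, key=lambda e: e.seq):
        if any(kind == frame.kind and acl(frame) for kind, acl in e.clauses):
            return e.action
    has_clause_for_type = any(kind == frame.kind for e in entries for kind, _ in e.clauses)
    return "drop" if has_clause_for_type else "forward"


def l2_port_decision(entries: Sequence[MapEntry], frame: Frame,
                     port_acl: Optional[Acl] = None) -> str:
    """A port ACL on the Layer 2 interface takes precedence over the VLAN map."""
    if port_acl is not None:
        return "forward" if port_acl(frame) else "drop"
    return vlan_map_action(entries, frame)


def routed_decision(entries: Sequence[MapEntry], frame: Frame, router_acl_in: Acl) -> str:
    """A VLAN map drop wins regardless of the router ACL; otherwise the router ACL decides."""
    if vlan_map_action(entries, frame) == "drop":
        return "drop"
    return "forward" if router_acl_in(frame) else "drop"


# Constructed scenario: block one host pair inside the VLAN and forward the rest.
BLOCK_PAIR = ip_acl("10.1.1.32/32", "10.1.1.34/32")
ANY_IP = ip_acl("any", "any")
SUBNET_IN = ip_acl("10.1.1.0/24", "any")   # a plausible inbound router ACL

MAP_WITH_CATCHALL = (
    MapEntry(10, "drop", (("ip", BLOCK_PAIR),)),
    MapEntry(20, "forward", (("ip", ANY_IP),)),
)
# Same drop entry, but no forwarding entry: every other IP packet in the VLAN
# now hits the per-type default and is dropped, while non-IP frames still pass.
MAP_NO_CATCHALL = (MapEntry(10, "drop", (("ip", BLOCK_PAIR),)),)

BLOCKED = Frame("ip", "10.1.1.32", "10.1.1.34")
ALLOWED = Frame("ip", "10.1.1.33", "10.1.1.34")
REPLY = Frame("ip", "10.1.1.34", "10.1.1.32")      # maps have no direction; the ACL does
ARP_LIKE = Frame("mac", "0000.1111.2222", "ffff.ffff.ffff")

if __name__ == "__main__":
    for label, m in (("with catch-all", MAP_WITH_CATCHALL), ("no catch-all", MAP_NO_CATCHALL)):
        print(label, [vlan_map_action(m, f) for f in (BLOCKED, ALLOWED, REPLY, ARP_LIKE)])
    print("port ACL wins:", l2_port_decision(MAP_WITH_CATCHALL, BLOCKED, port_acl=ANY_IP))
    print("routed, map deny wins:", routed_decision(MAP_WITH_CATCHALL, BLOCKED, ANY_IP))
```

The second map is the case to watch for in a review: a VLAN map written only to drop something silently drops every other IP packet in the VLAN, because the map now has an IP match clause and the per-type default is drop. The REPLY frame shows why the text says to put the direction into the ACL: the same map forwards traffic from 10.1.1.34 back to 10.1.1.32 unless a second ACE covers that pair.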

VLAN Maps and Router ACL Configuration Guidelines


These guidelines are for configurations where you need to have a router ACL and a VLAN map on the same
VLAN. These guidelines do not apply to configurations where you are mapping router ACLs and VLAN
maps on different VLANs.
If you must configure a router ACL and a VLAN map on the same VLAN, use these guidelines for both router
ACL and VLAN map configuration:
• You can configure only one VLAN map and one router ACL in each direction (input/output) on a VLAN
interface.
• Whenever possible, try to write the ACL with all entries having a single action except for the final, default
action of the other type. That is, write the ACL using one of these two forms:
permit... permit... permit... deny ip any any
or
deny... deny... deny... permit ip any any
• To define multiple actions in an ACL (permit, deny), group each action type together to reduce the
number of entries.
• Avoid including Layer 4 information in an ACL; adding this information complicates the merging process.
The best merge results are obtained if the ACLs are filtered based on IP addresses (source and destination)
and not on the full flow (source IP address, destination IP address, protocol, and protocol ports). It is
also helpful to use don’t care bits in the IP address, whenever possible.
If you need to specify the full-flow mode and the ACL contains both IP ACEs and TCP/UDP/ICMP
ACEs with Layer 4 information, put the Layer 4 ACEs at the end of the list. This gives priority to the
filtering of traffic based on IP addresses.

VACL Logging
When you configure VACL logging, syslog messages are generated for denied IP packets under these
circumstances:
• When the first matching packet is received.
• For any matching packets received within the last 5 minutes.
• If the threshold is reached before the 5-minute interval.

Log messages are generated on a per-flow basis. A flow is defined as packets with the same IP addresses and
Layer 4 (UDP or TCP) port numbers. If a flow does not receive any packets in the 5-minute interval, that flow
is removed from the cache. When a syslog message is generated, the timer and packet counter are reset.
VACL logging restrictions:
• Only denied IP packets are logged.
• Packets that require logging on the outbound port ACLs are not logged if they are denied by a VACL.

Time Ranges for ACLs


You can selectively apply extended ACLs based on the time of day and the week by using the time-range
global configuration command. First, define a time-range name and set the times and the dates or the days of
the week in the time range. Then enter the time-range name when applying an ACL to set restrictions to the
access list. You can use the time range to define when the permit or deny statements in the ACL are in effect,
for example, during a specified time period or on specified days of the week. The time-range keyword and
argument are referenced in the named and numbered extended ACL task tables.
These are some benefits of using time ranges:
• You have more control over permitting or denying a user access to resources, such as an application
(identified by an IP address/mask pair and a port number).
• You can control logging messages. ACL entries can be set to log traffic only at certain times of the day.
Therefore, you can simply deny access without needing to analyze many logs generated during peak
hours.


Time-based access lists trigger CPU activity because the new configuration of the access list must be merged
with other features and the combined configuration loaded into the hardware memory. For this reason, you
should be careful not to have several access lists configured to take effect in close succession (within a small
number of minutes of each other).

Note The time range relies on the switch system clock; therefore, you need a reliable clock source. We recommend
that you use Network Time Protocol (NTP) to synchronize the switch clock.

Related Topics
Configuring Time Ranges for ACLs, on page 1285

IPv4 ACL Interface Considerations


When you apply the ip access-group interface configuration command to a Layer 3 interface (an SVI, a Layer
3 EtherChannel, or a routed port), the interface must have been configured with an IP address. Layer 3 access
groups filter packets that are routed or are received by Layer 3 processes on the CPU. They do not affect
packets bridged within a VLAN.
For inbound ACLs, after receiving a packet, the switch checks the packet against the ACL. If the ACL permits
the packet, the switch continues to process the packet. If the ACL rejects the packet, the switch discards the
packet.
For outbound ACLs, after receiving and routing a packet to a controlled interface, the switch checks the packet
against the ACL. If the ACL permits the packet, the switch sends the packet. If the ACL rejects the packet,
the switch discards the packet.
By default, the input interface sends ICMP Unreachable messages whenever a packet is discarded, regardless
of whether the packet was discarded because of an ACL on the input interface or because of an ACL on the
output interface. ICMP Unreachables are normally limited to no more than one every one-half second per
input interface, but this can be changed by using the ip icmp rate-limit unreachable global configuration
command.
When you apply an undefined ACL to an interface, the switch acts as if the ACL has not been applied to the
interface and permits all packets. Remember this behavior if you use undefined ACLs for network security.
Related Topics
Applying an IPv4 ACL to an Interface, on page 1288
Restrictions for Configuring IPv4 Access Control Lists, on page 1263

How to Configure ACLs


Configuring IPv4 ACLs
These are the steps to use IP ACLs on the switch:

SUMMARY STEPS
1. Create an ACL by specifying an access list number or name and the access conditions.


2. Apply the ACL to interfaces or terminal lines. You can also apply standard and extended IP ACLs to
VLAN maps.

DETAILED STEPS

Command or Action Purpose


Step 1 Create an ACL by specifying an access list number or name
and the access conditions.
Step 2 Apply the ACL to interfaces or terminal lines. You can also
apply standard and extended IP ACLs to VLAN maps.

Creating a Numbered Standard ACL


Follow these steps to create a numbered standard ACL:

SUMMARY STEPS
1. enable
2. configure terminal
3. access-list access-list-number {deny | permit} source source-wildcard [log]
4. end
5. show running-config
6. copy running-config startup-config

DETAILED STEPS

Command or Action Purpose


Step 1 enable Enables privileged EXEC mode. Enter your password if
prompted.
Example:

SwitchDevice> enable

Step 2 configure terminal Enters the global configuration mode.


Example:

SwitchDevice# configure terminal

Step 3 access-list access-list-number {deny | permit} source source-wildcard [log]
Example:

SwitchDevice(config)# access-list 2 deny your_host

Defines a standard IPv4 access list by using a source address and wildcard.
The access-list-number is a decimal number from 1 to 99 or 1300 to 1999.
Enter deny or permit to specify whether to deny or permit access if conditions are matched.
The source is the source address of the network or host from which the packet is being sent, specified as:
• The 32-bit quantity in dotted-decimal format.
• The keyword any as an abbreviation for source and source-wildcard of 0.0.0.0 255.255.255.255. You do
not need to enter a source-wildcard.
• The keyword host as an abbreviation for source and source-wildcard of source 0.0.0.0.

(Optional) The source-wildcard applies wildcard bits to the source.
(Optional) Enter log to cause an informational logging message about the packet that matches the entry to be
sent to the console.
Note Logging is supported only on ACLs attached to Layer 3 interfaces.

Step 4 end Returns to privileged EXEC mode.


Example:

SwitchDevice(config)# end

Step 5 show running-config Verifies your entries.


Example:

SwitchDevice# show running-config

Step 6 copy running-config startup-config (Optional) Saves your entries in the configuration file.
Example:

SwitchDevice# copy running-config startup-config

Related Topics
Configuring VLAN Maps, on page 1293

Creating a Numbered Extended ACL


Follow these steps to create a numbered extended ACL:

SUMMARY STEPS
1. configure terminal


2. access-list access-list-number {deny | permit} protocol source source-wildcard destination
destination-wildcard [precedence precedence] [tos tos] [fragments] [log [log-input]] [time-range
time-range-name] [dscp dscp]
3. access-list access-list-number {deny | permit} tcp source source-wildcard [operator port] destination
destination-wildcard [operator port] [established] [precedence precedence] [tos tos] [fragments] [log
[log-input]] [time-range time-range-name] [dscp dscp] [flag]
4. access-list access-list-number {deny | permit} udp source source-wildcard [operator port] destination
destination-wildcard [operator port] [precedence precedence] [tos tos] [fragments] [log [log-input]]
[time-range time-range-name] [dscp dscp]
5. access-list access-list-number {deny | permit} icmp source source-wildcard destination
destination-wildcard [icmp-type | [icmp-type icmp-code] | [icmp-message]] [precedence precedence]
[tos tos] [fragments] [time-range time-range-name] [dscp dscp]
6. access-list access-list-number {deny | permit} igmp source source-wildcard destination
destination-wildcard [igmp-type] [precedence precedence] [tos tos] [fragments] [log [log-input]]
[time-range time-range-name] [dscp dscp]
7. end

DETAILED STEPS

Command or Action Purpose


Step 1 configure terminal Enters the global configuration mode.
Example:

SwitchDevice# configure terminal

Step 2 access-list access-list-number {deny | permit} protocol source source-wildcard destination
destination-wildcard [precedence precedence] [tos tos] [fragments] [log [log-input]] [time-range
time-range-name] [dscp dscp]
Example:

SwitchDevice(config)# access-list 101 permit ip host 10.1.1.2 any precedence 0 tos 0 log

Defines an extended IPv4 access list and the access conditions.
The access-list-number is a decimal number from 100 to 199 or 2000 to 2699.
Enter deny or permit to specify whether to deny or permit the packet if conditions are matched.
For protocol, enter the name or number of an IP protocol: ahp, eigrp, esp, gre, icmp, igmp, igrp, ip, ipinip,
nos, ospf, pcp, pim, tcp, or udp, or an integer in the range 0 to 255 representing an IP protocol number. To
match any Internet protocol (including ICMP, TCP, and UDP), use the keyword ip.
Note This step includes options for most IP protocols. For additional specific parameters for TCP, UDP,
ICMP, and IGMP, see the following steps.
The source is the number of the network or host from which the packet is sent.
The source-wildcard applies wildcard bits to the source.
The destination is the network or host number to which the packet is sent.
The destination-wildcard applies wildcard bits to the destination.
Source, source-wildcard, destination, and destination-wildcard can be specified as:
• The 32-bit quantity in dotted-decimal format.
• The keyword any for 0.0.0.0 255.255.255.255 (any host).
• The keyword host for a single host 0.0.0.0.

The other keywords are optional and have these meanings:
• precedence—Enter to match packets with a precedence level specified as a number from 0 to 7 or by
name: routine (0), priority (1), immediate (2), flash (3), flash-override (4), critical (5), internet (6),
network (7).
• fragments—Enter to check non-initial fragments.
• tos—Enter to match by type of service level, specified by a number from 0 to 15 or a name: normal (0),
max-reliability (2), max-throughput (4), min-delay (8).
• log—Enter to create an informational logging message to be sent to the console about the packet that
matches the entry or log-input to include the input interface in the log entry.
• time-range—Specify the time-range name.
• dscp—Enter to match packets with the DSCP value specified by a number from 0 to 63, or use the question
mark (?) to see a list of available values.

Note If you enter a dscp value, you cannot enter tos or precedence. You can enter both a tos and a
precedence value with no dscp.

Step 3 access-list access-list-number {deny | permit} tcp source source-wildcard [operator port] destination
destination-wildcard [operator port] [established] [precedence precedence] [tos tos] [fragments] [log
[log-input]] [time-range time-range-name] [dscp dscp] [flag]
Example:

SwitchDevice(config)# access-list 101 permit tcp any any eq 500

Defines an extended TCP access list and the access conditions.
The parameters are the same as those described for an extended IPv4 ACL, with these exceptions:
(Optional) Enter an operator and port to compare source (if positioned after source source-wildcard) or
destination (if positioned after destination destination-wildcard) port. Possible operators include eq (equal),
gt (greater than), lt (less than), neq (not equal), and range (inclusive range). Operators require a port number
(range requires two port numbers separated by a space).
Enter the port number as a decimal number (from 0 to 65535) or the name of a TCP port. Use only TCP port
numbers or names when filtering TCP.
The other optional keywords have these meanings:
• established—Enter to match an established connection. This has the same function as matching on the
ack or rst flag.
• flag—Enter one of these flags to match by the specified TCP header bits: ack (acknowledge), fin (finish),
psh (push), rst (reset), syn (synchronize), or urg (urgent).

Step 4 access-list access-list-number {deny | permit} udp source source-wildcard [operator port] destination
destination-wildcard [operator port] [precedence precedence] [tos tos] [fragments] [log [log-input]]
[time-range time-range-name] [dscp dscp]
Example:

SwitchDevice(config)# access-list 101 permit udp any any eq 100

(Optional) Defines an extended UDP access list and the access conditions.
The UDP parameters are the same as those described for TCP except that the [operator [port]] port number
or name must be a UDP port number or name, and the flag and established keywords are not valid for UDP.

Step 5 access-list access-list-number {deny | permit} icmp source source-wildcard destination
destination-wildcard [icmp-type | [icmp-type icmp-code] | [icmp-message]] [precedence precedence] [tos tos]
[fragments] [time-range time-range-name] [dscp dscp]
Example:

SwitchDevice(config)# access-list 101 permit icmp any any 200

Defines an extended ICMP access list and the access conditions.
The ICMP parameters are the same as those described for most IP protocols in an extended IPv4 ACL, with
the addition of the ICMP message type and code parameters. These optional keywords have these meanings:
• icmp-type—Enter to filter by ICMP message type, a number from 0 to 255.
• icmp-code—Enter to filter ICMP packets that are filtered by the ICMP message code type, a number
from 0 to 255.
• icmp-message—Enter to filter ICMP packets by the ICMP message type name or the ICMP message type
and code name.

Step 6 access-list access-list-number {deny | permit} igmp source source-wildcard destination
destination-wildcard [igmp-type] [precedence precedence] [tos tos] [fragments] [log [log-input]]
[time-range time-range-name] [dscp dscp]
Example:

SwitchDevice(config)# access-list 101 permit igmp any any 14

(Optional) Defines an extended IGMP access list and the access conditions.
The IGMP parameters are the same as those described for most IP protocols in an extended IPv4 ACL, with
this optional parameter:
igmp-type—To match IGMP message type, enter a number from 0 to 15, or enter the message name: dvmrp,
host-query, host-report, pim, or trace.

Step 7 end Returns to privileged EXEC mode.


Example:

SwitchDevice(config)# end

Related Topics
Configuring VLAN Maps, on page 1293
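Because ACEs in a numbered extended list cannot be edited or reordered in place, it pays to validate them before they are pasted into the switch. The following Python linter is an added example, not Cisco code; it checks only the constraints stated in the steps above (extended list number ranges, the protocol keywords, the eq/gt/lt/neq/range operators with numeric ports, established and the TCP flags being valid only for tcp, the 0 to 255 ICMP type, and dscp being exclusive with tos and precedence). Port names, ICMP codes and IGMP types are not modelled, and IOS enforces more than this list does. The GOOD lines are the examples from the steps plus one constructed line; the BAD lines are constructed so that each breaks exactly one rule.

```python
import ipaddress
from typing import Dict, List

EXTENDED_RANGES = ((100, 199), (2000, 2699))
IP_PROTOCOLS = {"ahp", "eigrp", "esp", "gre", "icmp", "igmp", "igrp", "ip", "ipinip",
                "nos", "ospf", "pcp", "pim", "tcp", "udp"}
PORT_OPERATORS = {"eq": 1, "gt": 1, "lt": 1, "neq": 1, "range": 2}   # ports each takes
TCP_FLAGS = {"ack", "fin", "psh", "rst", "syn", "urg"}
PRECEDENCE = {"routine": 0, "priority": 1, "immediate": 2, "flash": 3,
              "flash-override": 4, "critical": 5, "internet": 6, "network": 7}
TOS = {"normal": 0, "max-reliability": 2, "max-throughput": 4, "min-delay": 8}
CODED = {"precedence": (PRECEDENCE, 7), "tos": (TOS, 15), "dscp": ({}, 63)}  # names, max
TRAILING = set(CODED) | {"fragments", "log", "log-input", "time-range", "established"} | TCP_FLAGS


def _take(t: List[str], what: str) -> str:
    if not t:
        raise ValueError(f"missing {what}")
    return t.pop(0)


def _num(tok: str, lo: int, hi: int, what: str) -> int:
    if not tok.isdigit() or not lo <= int(tok) <= hi:
        raise ValueError(f"{what} must be {lo}-{hi}, got {tok!r}")
    return int(tok)


def _address(t: List[str]):
    """any | host A.B.C.D | A.B.C.D W.W.W.W  ->  (address, wildcard)."""
    tok = _take(t, "address")
    if tok == "any":
        return ("0.0.0.0", "255.255.255.255")
    addr = str(ipaddress.IPv4Address(_take(t, "host address") if tok == "host" else tok))
    return (addr, "0.0.0.0" if tok == "host" else str(ipaddress.IPv4Address(_take(t, "wildcard"))))


def _ports(t: List[str], proto: str):
    """Optional [operator port] after a tcp/udp address; range takes two ports, low first."""
    if proto not in ("tcp", "udp") or not t or t[0] not in PORT_OPERATORS:
        return None
    op = t.pop(0)
    ports = [_num(_take(t, "port"), 0, 65535, "port") for _ in range(PORT_OPERATORS[op])]
    if op == "range" and ports[0] > ports[1]:
        raise ValueError("range: first port must not exceed the second")
    return (op, *ports)


def parse_extended_ace(line: str) -> Dict:
    """Parse one numbered extended ACE; raise ValueError on any documented constraint."""
    t = line.split()
    if _take(t, "access-list") != "access-list":
        raise ValueError("line must start with access-list")
    number = _num(_take(t, "list number"), 1, 2699, "list number")
    if not any(lo <= number <= hi for lo, hi in EXTENDED_RANGES):
        raise ValueError(f"{number} is not an extended list number (100-199 or 2000-2699)")
    action, proto = _take(t, "action"), _take(t, "protocol")
    if action not in ("permit", "deny"):
        raise ValueError(f"action must be permit or deny, got {action!r}")
    if proto not in IP_PROTOCOLS:
        _num(proto, 0, 255, "protocol")              # numeric protocol, or an error
    ace = {"number": number, "action": action, "protocol": proto}
    ace["src"], ace["sport"] = _address(t), _ports(t, proto)
    ace["dst"], ace["dport"] = _address(t), _ports(t, proto)
    if proto == "icmp" and t and t[0] not in TRAILING:
        tok = t.pop(0)                               # icmp-type | icmp-message
        ace["icmp_type" if tok.isdigit() else "icmp_message"] = (
            _num(tok, 0, 255, "icmp-type") if tok.isdigit() else tok)
    while t:
        kw = t.pop(0)
        if kw in CODED:
            names, hi = CODED[kw]
            v = _take(t, kw)
            ace[kw] = names[v] if v in names else _num(v, 0, hi, kw)
        elif kw == "time-range":
            ace["time_range"] = _take(t, "time-range name")
        elif kw in ("fragments", "log", "log-input"):
            ace[kw] = True
        elif kw == "established" or kw in TCP_FLAGS:
            if proto != "tcp":
                raise ValueError(f"{kw!r} is valid only for tcp")
            ace[kw] = True
        else:
            raise ValueError(f"unexpected token {kw!r}")
    if "dscp" in ace and ("tos" in ace or "precedence" in ace):
        raise ValueError("dscp cannot be combined with tos or precedence")
    return ace


def lint_acl(lines: List[str]) -> List[str]:
    """One message per line that breaks a documented constraint; [] means clean."""
    problems = []
    for n, line in enumerate(lines, 1):
        try:
            parse_extended_ace(line)
        except ValueError as exc:                    # our errors and ipaddress errors
            problems.append(f"line {n}: {exc}")
    return problems


GOOD = ["access-list 101 permit ip host 10.1.1.2 any precedence 0 tos 0 log",
        "access-list 101 permit tcp any any eq 500",
        "access-list 101 permit icmp any any 200",
        "access-list 2001 deny tcp 10.0.0.0 0.255.255.255 any range 1024 65535 established"]
BAD = ["access-list 50 permit tcp any any",                   # standard-range number
       "access-list 101 permit udp any any established",      # established is tcp-only
       "access-list 101 permit ip any any dscp 46 tos 0",     # dscp excludes tos
       "access-list 101 permit tcp any any range 1024 1023"]  # range out of order
```

lint_acl(GOOD) returns an empty list and lint_acl(BAD) returns one message per line naming the violated rule, so the check can sit in a pre-change review script. Keeping the port operators numeric avoids a second source of truth for well-known port names; the switch resolves those itself.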

Creating Named Standard ACLs


Follow these steps to create a standard ACL using names:

SUMMARY STEPS
1. enable
2. configure terminal
3. ip access-list standard name
4. Use one of the following:
• deny {source [source-wildcard] | host source | any} [log]
• permit {source [source-wildcard] | host source | any} [log]
5. end
6. show running-config
7. copy running-config startup-config

DETAILED STEPS

Command or Action Purpose


Step 1 enable Enables privileged EXEC mode. Enter your password if
prompted.
Example:

SwitchDevice> enable

Step 2 configure terminal Enters the global configuration mode.


Example:

SwitchDevice# configure terminal


Command or Action Purpose


Step 3 ip access-list standard name
Example:

SwitchDevice(config)# ip access-list standard 20

Defines a standard IPv4 access list using a name, and enters access-list configuration mode.
The name can be a number from 1 to 99.

Step 4 Use one of the following:
• deny {source [source-wildcard] | host source | any} [log]
• permit {source [source-wildcard] | host source | any} [log]
Example:

SwitchDevice(config-std-nacl)# deny 192.168.0.0 0.0.255.255

or

SwitchDevice(config-std-nacl)# permit 10.108.0.0 0.0.0.0

In access-list configuration mode, specify one or more conditions denied or permitted to decide if the packet
is forwarded or dropped.
• host source—A source and source wildcard of source 0.0.0.0.
• any—A source and source wildcard of 0.0.0.0 255.255.255.255.

Step 5 end Returns to privileged EXEC mode.


Example:

SwitchDevice(config-std-nacl)# end

Step 6 show running-config Verifies your entries.


Example:

SwitchDevice# show running-config

Step 7 copy running-config startup-config (Optional) Saves your entries in the configuration file.
Example:

SwitchDevice# copy running-config startup-config

Creating Extended Named ACLs


Follow these steps to create an extended ACL using names:

SUMMARY STEPS
1. enable

2. configure terminal
3. ip access-list extended name
4. {deny | permit} protocol {source [source-wildcard] | host source | any} {destination [destination-wildcard]
| host destination | any} [precedence precedence] [tos tos] [established] [log] [time-range
time-range-name]
5. end
6. show running-config
7. copy running-config startup-config

DETAILED STEPS

Command or Action Purpose


Step 1 enable Enables privileged EXEC mode. Enter your password if
prompted.
Example:

SwitchDevice> enable

Step 2 configure terminal Enters the global configuration mode.


Example:

SwitchDevice# configure terminal

Step 3 ip access-list extended name Defines an extended IPv4 access list using a name, and enters access-list configuration mode. The name can be a number from 100 to 199.
Example:

SwitchDevice(config)# ip access-list extended 150

Step 4 {deny | permit} protocol {source [source-wildcard] | host source | any} {destination [destination-wildcard] | host destination | any} [precedence precedence] [tos tos] [established] [log] [time-range time-range-name] In access-list configuration mode, specify the conditions allowed or denied. Use the log keyword to get access list logging messages, including violations.
• host source—A source and source wildcard of source 0.0.0.0.
• host destination—A destination and destination wildcard of destination 0.0.0.0.
• any—A source and source wildcard or destination and destination wildcard of 0.0.0.0 255.255.255.255.
Example:

SwitchDevice(config-ext-nacl)# permit 0 any any

Step 5 end Returns to privileged EXEC mode.


Example:

SwitchDevice(config-ext-nacl)# end


Step 6 show running-config Verifies your entries.
Example:

SwitchDevice# show running-config

Step 7 copy running-config startup-config (Optional) Saves your entries in the configuration file.
Example:

SwitchDevice# copy running-config startup-config

When you create extended ACLs, remember that the end of every ACL contains an implicit deny statement: a packet that matches no entry before reaching the end is denied. For standard ACLs, if you omit the mask from an associated IP host address access list specification, 0.0.0.0 is assumed to be the mask.
After you create an ACL, any additions are placed at the end of the list. You cannot selectively add ACL entries to a specific position in an ACL. However, you can use the no permit and no deny access-list configuration mode commands to remove entries from a named ACL.
Being able to selectively remove lines from a named ACL is one reason you might use named ACLs instead of numbered ACLs.

What to do next
After creating a named ACL, you can apply it to interfaces or to VLANs.

Configuring Time Ranges for ACLs


Follow these steps to configure a time-range parameter for an ACL:

SUMMARY STEPS
1. enable
2. configure terminal
3. time-range time-range-name
4. Use one of the following:
• absolute [start time date] [end time date]
• periodic day-of-the-week hh:mm to [day-of-the-week] hh:mm
• periodic {weekdays | weekend | daily} hh:mm to hh:mm
5. end
6. show running-config
7. copy running-config startup-config

DETAILED STEPS

Command or Action Purpose


Step 1 enable Enables privileged EXEC mode. Enter your password if prompted.
Example:

SwitchDevice> enable

Step 2 configure terminal Enters the global configuration mode.


Example:

SwitchDevice# configure terminal

Step 3 time-range time-range-name Assigns a meaningful name (for example, workhours) to the time range to be created, and enters time-range configuration mode. The name cannot contain a space or quotation mark and must begin with a letter.
Example:

SwitchDevice(config)# time-range workhours

Step 4 Use one of the following: Specifies when the function it will be applied to is operational.
• absolute [start time date] [end time date]
• periodic day-of-the-week hh:mm to [day-of-the-week] hh:mm
• periodic {weekdays | weekend | daily} hh:mm to hh:mm
• You can use only one absolute statement in the time range. If you configure more than one absolute statement, only the one configured last is executed.
• You can enter multiple periodic statements. For example, you could configure different hours for weekdays and weekends.
See the example configurations.
Example:

SwitchDevice(config-time-range)# absolute start 00:00 1 Jan 2006 end 23:59 1 Jan 2006

or

SwitchDevice(config-time-range)# periodic weekdays 8:00 to 12:00

Step 5 end Returns to privileged EXEC mode.
Example:

SwitchDevice(config-time-range)# end

Step 6 show running-config Verifies your entries.


Example:

SwitchDevice# show running-config


Step 7 copy running-config startup-config (Optional) Saves your entries in the configuration file.
Example:

SwitchDevice# copy running-config startup-config

What to do next
Repeat the steps if you have multiple items that you want in effect at different times.
Related Topics
Time Ranges for ACLs, on page 1275

Applying an IPv4 ACL to a Terminal Line


You can use numbered ACLs to control access to one or more terminal lines. You cannot apply named ACLs
to lines. You must set identical restrictions on all the virtual terminal lines because a user can attempt to
connect to any of them.
Follow these steps to restrict incoming and outgoing connections between a virtual terminal line and the
addresses in an ACL:

SUMMARY STEPS
1. enable
2. configure terminal
3. line [console | vty] line-number
4. access-class access-list-number {in | out}
5. end
6. show running-config
7. copy running-config startup-config

DETAILED STEPS

Command or Action Purpose


Step 1 enable Enables privileged EXEC mode. Enter your password if prompted.
Example:

SwitchDevice> enable

Step 2 configure terminal Enters the global configuration mode.


Example:

SwitchDevice# configure terminal


Step 3 line [console | vty] line-number Identifies a specific line to configure, and enters line configuration mode.
• console—Specifies the console terminal line. The console port is DCE.
• vty—Specifies a virtual terminal for remote console access.
The line-number is the first line number in a contiguous group that you want to configure when the line type is specified. The range is from 0 to 16.
Example:

SwitchDevice(config)# line console 0

Step 4 access-class access-list-number {in | out} Restricts incoming and outgoing connections between a particular virtual terminal line (into a device) and the addresses in an access list.
Example:

SwitchDevice(config-line)# access-class 10 in

Step 5 end Returns to privileged EXEC mode.


Example:

SwitchDevice(config-line)# end

Step 6 show running-config Verifies your entries.


Example:

SwitchDevice# show running-config

Step 7 copy running-config startup-config (Optional) Saves your entries in the configuration file.
Example:

SwitchDevice# copy running-config startup-config

Applying an IPv4 ACL to an Interface


This section describes how to apply IPv4 ACLs to network interfaces.
Beginning in privileged EXEC mode, follow these steps to control access to an interface:

SUMMARY STEPS
1. configure terminal
2. interface interface-id
3. ip access-group {access-list-number | name} {in | out}
4. end

5. show running-config
6. copy running-config startup-config

DETAILED STEPS

Command or Action Purpose


Step 1 configure terminal Enters the global configuration mode.
Example:

SwitchDevice# configure terminal

Step 2 interface interface-id Identifies a specific interface for configuration, and enters interface configuration mode. The interface can be a Layer 2 interface (port ACL), or a Layer 3 interface (router ACL).
Example:

SwitchDevice(config)# interface gigabitethernet1/0/1

Step 3 ip access-group {access-list-number | name} {in | out} Controls access to the specified interface. The out keyword is not supported for Layer 2 interfaces (port ACLs).
Example:

SwitchDevice(config-if)# ip access-group 2 in

Step 4 end Returns to privileged EXEC mode.


Example:

SwitchDevice(config-if)# end

Step 5 show running-config Displays the access list configuration.


Example:

SwitchDevice# show running-config

Step 6 copy running-config startup-config (Optional) Saves your entries in the configuration file.
Example:

SwitchDevice# copy running-config startup-config

Related Topics
IPv4 ACL Interface Considerations, on page 1276
Restrictions for Configuring IPv4 Access Control Lists, on page 1263

Creating Named MAC Extended ACLs


You can filter non-IPv4 traffic on a VLAN or on a Layer 2 interface by using MAC addresses and named
MAC extended ACLs. The procedure is similar to that of configuring other extended named ACLs.
Follow these steps to create a named MAC extended ACL:

SUMMARY STEPS
1. enable
2. configure terminal
3. mac access-list extended name
4. {deny | permit} {any | host source MAC address | source MAC address mask} {any | host destination
MAC address | destination MAC address mask} [type mask | lsap lsap mask | aarp | amber | dec-spanning
| decnet-iv | diagnostic | dsm | etype-6000 | etype-8042 | lat | lavc-sca | mop-console | mop-dump |
msdos | mumps | netbios | vines-echo | vines-ip | xns-idp | 0-65535] [cos cos]
5. end
6. show running-config
7. copy running-config startup-config

DETAILED STEPS

Command or Action Purpose


Step 1 enable Enables privileged EXEC mode. Enter your password if
prompted.
Example:

SwitchDevice> enable

Step 2 configure terminal Enters the global configuration mode.


Example:

SwitchDevice# configure terminal

Step 3 mac access-list extended name Defines an extended MAC access list using a name.
Example:

SwitchDevice(config)# mac access-list extended mac1

Step 4 {deny | permit} {any | host source MAC address | source MAC address mask} {any | host destination MAC address | destination MAC address mask} [type mask | lsap lsap mask | aarp | amber | dec-spanning | decnet-iv | diagnostic | dsm | etype-6000 | etype-8042 | lat | lavc-sca | mop-console | mop-dump | msdos | mumps | netbios | vines-echo | vines-ip | xns-idp | 0-65535] [cos cos] In extended MAC access-list configuration mode, specifies to permit or deny any source MAC address, a source MAC address with a mask, or a specific host source MAC address and any destination MAC address, destination MAC address with a mask, or a specific destination MAC address.
(Optional) You can also enter these options:
• type mask—An arbitrary EtherType number of a packet with Ethernet II or SNAP encapsulation in decimal, hexadecimal, or octal with optional mask of don’t care bits applied to the EtherType before testing for a match.
• lsap lsap mask—An LSAP number of a packet with IEEE 802.2 encapsulation in decimal, hexadecimal, or octal with optional mask of don’t care bits.
• aarp | amber | dec-spanning | decnet-iv | diagnostic | dsm | etype-6000 | etype-8042 | lat | lavc-sca | mop-console | mop-dump | msdos | mumps | netbios | vines-echo | vines-ip | xns-idp—A non-IP protocol.
• cos cos—An IEEE 802.1Q class of service number from 0 to 7 used to set priority.
Example:

SwitchDevice(config-ext-macl)# deny any any decnet-iv

or

SwitchDevice(config-ext-macl)# permit any any

Step 5 end Returns to privileged EXEC mode.


Example:

SwitchDevice(config-ext-macl)# end

Step 6 show running-config Verifies your entries.


Example:

SwitchDevice# show running-config

Step 7 copy running-config startup-config (Optional) Saves your entries in the configuration file.
Example:

SwitchDevice# copy running-config startup-config

Related Topics
Restrictions for Configuring IPv4 Access Control Lists, on page 1263
Configuring VLAN Maps, on page 1293

Applying a MAC ACL to a Layer 2 Interface


Follow these steps to apply a MAC access list to control access to a Layer 2 interface:

SUMMARY STEPS
1. enable
2. configure terminal
3. interface interface-id

4. mac access-group {name} {in | out}
5. end
6. show mac access-group [interface interface-id]
7. show running-config
8. copy running-config startup-config

DETAILED STEPS

Command or Action Purpose


Step 1 enable Enables privileged EXEC mode. Enter your password if
prompted.
Example:

SwitchDevice> enable

Step 2 configure terminal Enters the global configuration mode.


Example:

SwitchDevice# configure terminal

Step 3 interface interface-id Identifies a specific interface, and enters interface configuration mode. The interface must be a physical Layer 2 interface (port ACL).
Example:

SwitchDevice(config)# interface gigabitethernet1/0/2

Step 4 mac access-group {name} {in | out} Controls access to the specified interface by using the MAC access list. Port ACLs are supported in the outbound and inbound directions.
Example:

SwitchDevice(config-if)# mac access-group mac1 in

Step 5 end Returns to privileged EXEC mode.


Example:

SwitchDevice(config-if)# end

Step 6 show mac access-group [interface interface-id] Displays the MAC access list applied to the interface or all Layer 2 interfaces.
Example:

SwitchDevice# show mac access-group interface gigabitethernet1/0/2

Step 7 show running-config Verifies your entries.


Example:

SwitchDevice# show running-config

Step 8 copy running-config startup-config (Optional) Saves your entries in the configuration file.
Example:

SwitchDevice# copy running-config startup-config

After receiving a packet, the switch checks it against the inbound ACL. If the ACL permits it, the switch
continues to process the packet. If the ACL rejects the packet, the switch discards it. When you apply an
undefined ACL to an interface, the switch acts as if the ACL has not been applied and permits all packets.
Remember this behavior if you use undefined ACLs for network security.
Related Topics
Restrictions for Configuring IPv4 Access Control Lists, on page 1263

Configuring VLAN Maps


To create a VLAN map and apply it to one or more VLANs, perform these steps:

Before you begin


Create the standard or extended IPv4 ACLs or named MAC extended ACLs that you want to apply to the
VLAN.

SUMMARY STEPS
1. vlan access-map name [number]
2. match {ip | mac} address {name | number} [name | number]
3. Enter one of the following commands to specify an IP packet or a non-IP packet (with only a known MAC
address) and to match the packet against one or more ACLs (standard or extended):
• action { forward}

SwitchDevice(config-access-map)# action forward

• action { drop}

SwitchDevice(config-access-map)# action drop

4. vlan filter mapname vlan-list list

DETAILED STEPS

Command or Action Purpose


Step 1 vlan access-map name [number] Creates a VLAN map, and gives it a name and (optionally) a number. The number is the sequence number of the entry within the map.
When you create VLAN maps with the same name, numbers are assigned sequentially in increments of 10. When modifying or deleting maps, you can enter the number of the map entry that you want to modify or delete.
VLAN maps do not use the specific permit or deny keywords. To deny a packet by using VLAN maps, create an ACL that would match the packet, and set the action to drop. A permit in the ACL counts as a match. A deny in the ACL means no match.
Entering this command changes to access-map configuration mode.
Example:

SwitchDevice(config)# vlan access-map map_1 20

Step 2 match {ip | mac} address {name | number} [name | number] Match the packet (using either the IP or MAC address) against one or more standard or extended access lists. Note that packets are only matched against access lists of the correct protocol type. IP packets are matched against standard or extended IP access lists. Non-IP packets are only matched against named MAC extended access lists.
Note If the VLAN map is configured with a match clause for a type of packet (IP or MAC) and the map action is drop, all packets that match the type are dropped. If the VLAN map has no match clause, and the configured action is drop, all IP and Layer 2 packets are dropped.
Example:

SwitchDevice(config-access-map)# match ip address ip2

Step 3 Enter one of the following commands to specify an IP packet or a non-IP packet (with only a known MAC address) and to match the packet against one or more ACLs (standard or extended): Sets the action for the map entry.
• action {forward}

SwitchDevice(config-access-map)# action forward

• action {drop}

SwitchDevice(config-access-map)# action drop

Step 4 vlan filter mapname vlan-list list Applies the VLAN map to one or more VLAN IDs. The list can be a single VLAN ID (22), a consecutive list (10-22), or a string of VLAN IDs (12, 22, 30). Spaces around the comma and hyphen are optional.
Example:

SwitchDevice(config)# vlan filter map 1 vlan-list 20-22
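The evaluation rules stated in Steps 1 and 2, worked through in Python as an added example (not Cisco code): the ACLs, map entries and packets are constructed, and the fall-through rule for a packet that matches no entry is taken from the guide's VLAN map guidelines rather than from this procedure.

```python
"""Model of VLAN map evaluation as described in the procedure above.

Added example, not Cisco code. Entries are tried in sequence-number order (an entry
created without a number gets the next multiple of 10); an entry with a match clause
matches a packet only when an ACL of the packet's type permits it (a deny in that ACL
means "no match"); an entry with no match clause matches every packet; the action
defaults to forward. The fall-through for a packet that matches no entry follows the
guide's VLAN map guidelines, not this procedure: dropped if the map has a match clause
for that packet type, otherwise forwarded. ACLs, map and packets are constructed.
"""
from ipaddress import IPv4Address
from typing import Dict, List, Optional, Tuple

Ace = Tuple[str, ...]       # IP: (action, source, wildcard); MAC: (action, source-mac | "any")
Packet = Dict[str, str]     # {"kind": "ip" | "mac", "src": address}


def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    a, b, w = (int(IPv4Address(x)) for x in (addr, base, wildcard))
    return (a & ~w) == (b & ~w)


def acl_permits(acl: List[Ace], pkt: Packet) -> bool:
    """First matching ACE decides: permit makes the map entry match, deny means no match."""
    for action, *spec in acl:
        if pkt["kind"] == "ip":
            hit = wildcard_match(pkt["src"], spec[0], spec[1])
        else:
            hit = spec[0] in ("any", pkt["src"])
        if hit:
            return action == "permit"
    return False


class VlanMap:
    def __init__(self, name: str):
        self.name = name
        self.entries: Dict[int, dict] = {}
        self.current: Optional[int] = None

    def access_map(self, number: Optional[int] = None):
        """vlan access-map name [number]: reopens an existing entry or creates the next one."""
        if number is None:
            number = (max(self.entries, default=0) // 10 + 1) * 10
        self.entries.setdefault(number, {"match": None, "action": "forward"})
        self.current = number
        return self

    def match(self, kind: str, *acl_names: str):
        """match {ip | mac} address name [name ...]"""
        self.entries[self.current]["match"] = (kind, list(acl_names))
        return self

    def action(self, act: str):
        """action {drop | forward}"""
        self.entries[self.current]["action"] = act
        return self

    def evaluate(self, pkt: Packet, acls: Dict[str, List[Ace]]) -> str:
        saw_type = False
        for seq in sorted(self.entries):
            entry = self.entries[seq]
            if entry["match"] is None:
                return entry["action"]      # no match clause: applies to every packet
            kind, names = entry["match"]
            if kind != pkt["kind"]:
                continue                    # IP ACLs see only IP packets, MAC ACLs only non-IP
            saw_type = True
            if any(acl_permits(acls[name], pkt) for name in names):
                return entry["action"]
        return "drop" if saw_type else "forward"


# Constructed sample: drop 10.1.1.0/24 on the VLAN except one host, forward everything else.
ACLS = {"ip_block": [("deny", "10.1.1.7", "0.0.0.0"),        # exempted host: deny = no match
                     ("permit", "10.1.1.0", "0.0.0.255")]}    # subnet to drop: permit = match
MAP_1 = (VlanMap("map_1")
         .access_map(10).match("ip", "ip_block").action("drop")
         .access_map().action("forward"))                      # becomes entry 20 automatically
DROP_ALL = VlanMap("map_2").access_map(10).action("drop")      # no match clause + drop
IP_ONLY = VlanMap("map_3").access_map(10).match("ip", "ip_block").action("drop")

if __name__ == "__main__":
    for pkt in ({"kind": "ip", "src": "10.1.1.8"}, {"kind": "ip", "src": "10.1.1.7"},
                {"kind": "mac", "src": "0011.2233.4455"}):
        print(pkt, MAP_1.evaluate(pkt, ACLS), DROP_ALL.evaluate(pkt, ACLS),
              IP_ONLY.evaluate(pkt, ACLS))
```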

Related Topics
Creating a Numbered Standard ACL, on page 1277
Creating a Numbered Extended ACL, on page 1278
Creating Named MAC Extended ACLs, on page 1290
Creating a VLAN Map, on page 1295
Applying a VLAN Map to a VLAN, on page 1296

Creating a VLAN Map


Each VLAN map consists of an ordered series of entries. Beginning in privileged EXEC mode, follow these
steps to create, add to, or delete a VLAN map entry:

SUMMARY STEPS
1. configure terminal
2. vlan access-map name [number]
3. match {ip | mac} address {name | number} [name | number]
4. action {drop | forward}
5. end
6. show running-config
7. copy running-config startup-config

DETAILED STEPS

Command or Action Purpose


Step 1 configure terminal Enters global configuration mode.
Example:

SwitchDevice# configure terminal

Step 2 vlan access-map name [number] Creates a VLAN map, and gives it a name and (optionally) a number. The number is the sequence number of the entry within the map.
When you create VLAN maps with the same name, numbers are assigned sequentially in increments of 10. When modifying or deleting maps, you can enter the number of the map entry that you want to modify or delete.
VLAN maps do not use the specific permit or deny keywords. To deny a packet by using VLAN maps, create an ACL that would match the packet, and set the action to drop. A permit in the ACL counts as a match. A deny in the ACL means no match.
Entering this command changes to access-map configuration mode.
Example:

SwitchDevice(config)# vlan access-map map_1 20

Step 3 match {ip | mac} address {name | number} [name | number] Match the packet (using either the IP or MAC address) against one or more standard or extended access lists. Note that packets are only matched against access lists of the correct protocol type. IP packets are matched against standard or extended IP access lists. Non-IP packets are only matched against named MAC extended access lists.
Example:

SwitchDevice(config-access-map)# match ip address ip2

Step 4 action {drop | forward} (Optional) Sets the action for the map entry. The default is
to forward.
Example:

SwitchDevice(config-access-map)# action forward

Step 5 end Returns to privileged EXEC mode.


Example:

SwitchDevice(config-access-map)# end

Step 6 show running-config Displays the access list configuration.


Example:

SwitchDevice# show running-config

Step 7 copy running-config startup-config (Optional) Saves your entries in the configuration file.
Example:

SwitchDevice# copy running-config startup-config

Related Topics
Configuring VLAN Maps, on page 1293

Applying a VLAN Map to a VLAN


Beginning in privileged EXEC mode, follow these steps to apply a VLAN map to one or more VLANs:

SUMMARY STEPS
1. configure terminal
2. vlan filter mapname vlan-list list

3. end
4. show running-config
5. copy running-config startup-config

DETAILED STEPS

Command or Action Purpose


Step 1 configure terminal Enters the global configuration mode.
Example:

SwitchDevice# configure terminal

Step 2 vlan filter mapname vlan-list list Applies the VLAN map to one or more VLAN IDs. The list can be a single VLAN ID (22), a consecutive list (10-22), or a string of VLAN IDs (12, 22, 30). Spaces around the comma and hyphen are optional.
Example:

SwitchDevice(config)# vlan filter map 1 vlan-list 20-22

Step 3 end Returns to privileged EXEC mode.


Example:

SwitchDevice(config)# end

Step 4 show running-config Displays the access list configuration.


Example:

SwitchDevice# show running-config

Step 5 copy running-config startup-config (Optional) Saves your entries in the configuration file.
Example:

SwitchDevice# copy running-config startup-config

Related Topics
Configuring VLAN Maps, on page 1293

Monitoring IPv4 ACLs


You can monitor IPv4 ACLs by displaying the ACLs that are configured on the switch, and displaying the
ACLs that have been applied to interfaces and VLANs.

When you use the ip access-group interface configuration command to apply ACLs to a Layer 2 or 3 interface,
you can display the access groups on the interface. You can also display the MAC ACLs applied to a Layer
2 interface. You can use the privileged EXEC commands as described in this table to display this information.

Table 140: Commands for Displaying Access Lists and Access Groups

Command Purpose
show access-lists [number | name] Displays the contents of one or all current IP and MAC address access lists or a specific access list (numbered or named).

show ip access-lists [number | name] Displays the contents of all current IP access lists or a specific IP access list (numbered or named).

show ip interface interface-id Displays detailed configuration and status of an interface. If IP is enabled on the interface and ACLs have been applied by using the ip access-group interface configuration command, the access groups are included in the display.

show running-config [interface interface-id] Displays the contents of the configuration file for the switch or the specified interface, including all configured MAC and IP access lists and which access groups are applied to an interface.

show mac access-group [interface interface-id] Displays MAC access lists applied to all Layer 2 interfaces or the specified Layer 2 interface.

Configuration Examples for ACLs


Examples: Using Time Ranges with ACLs
This example shows how to verify the configuration after you configure a time range for workhours and configure January 1, 2006, as a company holiday.

SwitchDevice# show time-range
time-range entry: new_year_day_2003 (inactive)
absolute start 00:00 01 January 2006 end 23:59 01 January 2006
time-range entry: workhours (inactive)
periodic weekdays 8:00 to 12:00
periodic weekdays 13:00 to 17:00

To apply a time range, enter the time-range name in an extended ACL that can implement time ranges. This
example shows how to create and verify extended access list 188 that denies TCP traffic from any source to
any destination during the defined holiday times and permits all TCP traffic during work hours.

SwitchDevice(config)# access-list 188 deny tcp any any time-range new_year_day_2006
SwitchDevice(config)# access-list 188 permit tcp any any time-range workhours
SwitchDevice(config)# end
SwitchDevice# show access-lists
Extended IP access list 188
10 deny tcp any any time-range new_year_day_2006 (inactive)
20 permit tcp any any time-range workhours (inactive)

This example uses named ACLs to permit and deny the same traffic.

SwitchDevice(config)# ip access-list extended deny_access
SwitchDevice(config-ext-nacl)# deny tcp any any time-range new_year_day_2006
SwitchDevice(config-ext-nacl)# exit
SwitchDevice(config)# ip access-list extended may_access
SwitchDevice(config-ext-nacl)# permit tcp any any time-range workhours
SwitchDevice(config-ext-nacl)# end
SwitchDevice# show ip access-lists
Extended IP access list lpip_default
10 permit ip any any
Extended IP access list deny_access
10 deny tcp any any time-range new_year_day_2006 (inactive)
Extended IP access list may_access
10 permit tcp any any time-range workhours (inactive)
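How the switch decides these entries at a given moment, modelled in Python as an added example (not Cisco code): the new_year_day_2006 and workhours ranges and access list 188 are rebuilt from the example above, and the timestamps passed in are constructed.

```python
"""Model of ACL time ranges as the guide describes them.

Added example, not Cisco code. A time range holds at most one absolute statement
(configuring a second one replaces the first) and any number of periodic statements;
an entry carrying a time-range matches only while that range is active, is shown
as (inactive) otherwise, and a packet that matches no active entry hits the implicit deny.
"""
from datetime import datetime
from typing import List, Optional, Tuple

DAYS = ["monday", "tuesday", "wednesday", "thursday", "friday", "saturday", "sunday"]
DAY_GROUPS = {"weekdays": DAYS[:5], "weekend": DAYS[5:], "daily": DAYS}


def parse_when(text: str) -> datetime:
    """Moment to evaluate, as 'YYYY-MM-DD HH:MM'."""
    return datetime.strptime(text, "%Y-%m-%d %H:%M")


def _minutes(hhmm: str) -> int:
    hours, minutes = hhmm.split(":")
    return int(hours) * 60 + int(minutes)


class TimeRange:
    def __init__(self, name: str):
        self.name = name
        self.absolute: Optional[Tuple[Optional[datetime], Optional[datetime]]] = None
        self.periodic: List[Tuple[set, int, int]] = []

    def set_absolute(self, start: Optional[str] = None, end: Optional[str] = None):
        """absolute [start hh:mm d Mon yyyy] [end hh:mm d Mon yyyy]; only the last one counts."""
        parse = lambda s: datetime.strptime(s, "%H:%M %d %b %Y") if s else None
        self.absolute = (parse(start), parse(end))
        return self

    def add_periodic(self, days: str, start: str, end: str):
        """periodic {weekdays | weekend | daily | day-name} hh:mm to hh:mm; several may coexist."""
        self.periodic.append((set(DAY_GROUPS.get(days, [days])), _minutes(start), _minutes(end)))
        return self

    def active(self, at: datetime) -> bool:
        """The absolute statement bounds the whole range; within it, any periodic
        statement covering the moment makes the range active."""
        if self.absolute:
            start, end = self.absolute
            if (start and at < start) or (end and at > end):
                return False
        if not self.periodic:
            return True
        day, minute = DAYS[at.weekday()], at.hour * 60 + at.minute
        return any(day in days and s <= minute < e for days, s, e in self.periodic)


# One entry of the form "{permit | deny} tcp any any [time-range NAME]".
Ace = Tuple[str, Optional[TimeRange]]


def evaluate(acl: List[Ace], when: str) -> str:
    """First entry whose time range is active wins; none active means implicit deny."""
    at = parse_when(when)
    for action, tr in acl:
        if tr is None or tr.active(at):
            return action
    return "deny"


def show_access_list(acl: List[Ace], when: str) -> List[str]:
    """Render the entries the way show access-lists tags them at that moment."""
    at, lines = parse_when(when), []
    for seq, (action, tr) in enumerate(acl, start=1):
        line = "%d %s tcp any any" % (seq * 10, action)
        if tr is not None:
            line += " time-range %s%s" % (tr.name, "" if tr.active(at) else " (inactive)")
        lines.append(line)
    return lines


# Constructed sample input mirroring the example configuration above.
NEW_YEAR = TimeRange("new_year_day_2006").set_absolute("00:00 1 Jan 2006", "23:59 1 Jan 2006")
WORKHOURS = (TimeRange("workhours")
             .add_periodic("weekdays", "8:00", "12:00")
             .add_periodic("weekdays", "13:00", "17:00"))
ACL_188: List[Ace] = [("deny", NEW_YEAR), ("permit", WORKHOURS)]

if __name__ == "__main__":
    for when in ("2006-01-01 10:00", "2006-01-03 09:30", "2006-01-03 12:30"):
        print(when, evaluate(ACL_188, when), show_access_list(ACL_188, when))
```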

Examples: Including Comments in ACLs


You can use the remark keyword to include comments (remarks) about entries in any IP standard or extended
ACL. The remarks make the ACL easier for you to understand and scan. Each remark line is limited to 100
characters.
The remark can go before or after a permit or deny statement. You should be consistent about where you put
the remark so that it is clear which remark describes which permit or deny statement. For example, it would
be confusing to have some remarks before the associated permit or deny statements and some remarks after
the associated statements.
To include a comment for IP numbered standard or extended ACLs, use the access-list access-list-number remark remark global configuration command. To remove the remark, use the no form of this command.
In this example, the workstation that belongs to Jones is allowed access, and the workstation that belongs to
Smith is not allowed access:

SwitchDevice(config)# access-list 1 remark Permit only Jones workstation through
SwitchDevice(config)# access-list 1 permit 171.69.2.88
SwitchDevice(config)# access-list 1 remark Do not allow Smith through
SwitchDevice(config)# access-list 1 deny 171.69.3.13

For an entry in a named IP ACL, use the remark access-list configuration command. To remove the remark,
use the no form of this command.
In this example, the Jones subnet is not allowed to use outbound Telnet:

SwitchDevice(config)# ip access-list extended telnetting
SwitchDevice(config-ext-nacl)# remark Do not allow Jones subnet to telnet out
SwitchDevice(config-ext-nacl)# deny tcp host 171.69.2.88 any eq telnet

IPv4 ACL Configuration Examples


This section provides examples of configuring and applying IPv4 ACLs. For detailed information about compiling ACLs, see the Cisco IOS Security Configuration Guide, Release 12.4 and the “Configuring IP Services” section in the “IP Addressing and Services” chapter of the Cisco IOS IP Configuration Guide, Release 12.4.

ACLs in a Small Networked Office


Figure 102: Using Router ACLs to Control Traffic

This figure shows a small networked office environment with routed Port 2 connected to Server A, containing benefits and other information that all employees can access, and routed Port 1 connected to Server B, containing confidential payroll data. All users can access Server A, but Server B has restricted access.
Use router ACLs to do this in one of two ways:
• Create a standard ACL, and filter traffic coming to the server from Port 1.
• Create an extended ACL, and filter traffic coming from the server into Port 1.

Examples: ACLs in a Small Networked Office


This example uses a standard ACL to filter traffic coming into Server B from a port, permitting traffic only
from Accounting’s source addresses 172.20.128.64 to 172.20.128.95. The ACL is applied to traffic coming
out of routed Port 1 from the specified source address.

SwitchDevice(config)# access-list 6 permit 172.20.128.64 0.0.0.31
SwitchDevice(config)# end
SwitchDevice# show access-lists
Standard IP access list 6
10 permit 172.20.128.64, wildcard bits 0.0.0.31

SwitchDevice(config)# interface gigabitethernet1/0/1
SwitchDevice(config-if)# ip access-group 6 out

This example uses an extended ACL to filter traffic coming from Server B into a port, permitting traffic from
any source address (in this case Server B) to only the Accounting destination addresses 172.20.128.64 to
172.20.128.95. The ACL is applied to traffic going into routed Port 1, permitting it to go only to the specified
destination addresses. Note that with extended ACLs, you must enter the protocol (IP) before the source and
destination information.

SwitchDevice(config)# access-list 106 permit ip any 172.20.128.64 0.0.0.31
SwitchDevice(config)# end
SwitchDevice# show access-lists
Extended IP access list 106
10 permit ip any 172.20.128.64 0.0.0.31
SwitchDevice(config)# interface gigabitethernet1/0/1
SwitchDevice(config-if)# ip access-group 106 in

Example: Numbered ACLs


In this example, network 36.0.0.0 is a Class A network whose second octet specifies a subnet; that is, its subnet mask is 255.255.0.0. The third and fourth octets of a network 36.0.0.0 address specify a particular host. Using access list 2, the switch accepts one address on subnet 48 and rejects all others on that subnet. The last line of the list shows that the switch accepts addresses on all other network 36.0.0.0 subnets. The ACL is applied to packets entering a port.

SwitchDevice(config)# access-list 2 permit 36.48.0.3
SwitchDevice(config)# access-list 2 deny 36.48.0.0 0.0.255.255
SwitchDevice(config)# access-list 2 permit 36.0.0.0 0.255.255.255
SwitchDevice(config)# interface gigabitethernet2/0/1
SwitchDevice(config-if)# ip access-group 2 in

Examples: Extended ACLs


In this example, the first line permits any incoming TCP connections with destination ports greater than 1023.
The second line permits incoming TCP connections to the Simple Mail Transfer Protocol (SMTP) port of
host 128.88.1.2. The third line permits incoming ICMP messages for error feedback.

SwitchDevice(config)# access-list 102 permit tcp any 128.88.0.0 0.0.255.255 gt 1023
SwitchDevice(config)# access-list 102 permit tcp any host 128.88.1.2 eq 25
SwitchDevice(config)# access-list 102 permit icmp any any
SwitchDevice(config)# interface gigabitethernet2/0/1
SwitchDevice(config-if)# ip access-group 102 in

In this example, suppose that you have a network connected to the Internet, and you want any host on the
network to be able to form TCP connections to any host on the Internet. However, you do not want IP hosts
to be able to form TCP connections to hosts on your network, except to the mail (SMTP) port of a dedicated
mail host.
SMTP uses TCP port 25 on one end of the connection and a random port number on the other end. The same
port numbers are used throughout the life of the connection. Mail packets coming in from the Internet have
a destination port of 25. Outbound packets have the port numbers reversed. Because the secure system of the
network always accepts mail connections on port 25, the incoming and outgoing services are separately
controlled. The ACL must be configured as an input ACL on the outbound interface and an output ACL on
the inbound interface.

SwitchDevice(config)# access-list 102 permit tcp any 128.88.0.0 0.0.255.255 eq 23
SwitchDevice(config)# access-list 102 permit tcp any 128.88.0.0 0.0.255.255 eq 25
SwitchDevice(config)# interface gigabitethernet1/0/1
SwitchDevice(config-if)# ip access-group 102 in

In this example, the network is a Class B network with the address 128.88.0.0, and the mail host address is
128.88.1.2. The established keyword is used only for TCP, to match an established connection. A match
occurs if the TCP datagram has the ACK or RST bits set, which shows that the packet belongs to an existing
connection. Gigabit Ethernet interface 1 on stack member 1 is the interface that connects the router to the
Internet.

SwitchDevice(config)# access-list 102 permit tcp any 128.88.0.0 0.0.255.255 established
SwitchDevice(config)# access-list 102 permit tcp any host 128.88.1.2 eq 25
SwitchDevice(config)# interface gigabitethernet1/0/1
SwitchDevice(config-if)# ip access-group 102 in
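The following is an added Python model, not part of the Cisco guide, of the top-down, first-match, implicit-deny evaluation that the access-list 2 example and the established example above depend on. The Ace and Packet classes, and the sample addresses such as 203.0.113.5 and 36.48.7.9, are constructed for illustration.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

# Added model (not from the Cisco guide) of how IOS evaluates an IPv4 ACL:
# entries are tested top-down, the first match decides, and an unmatched
# packet hits the implicit "deny any" at the end of every list.

def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """IOS wildcard mask: a 1 bit means 'do not care', a 0 bit must match."""
    a = int(ipaddress.IPv4Address(addr))
    b = int(ipaddress.IPv4Address(base))
    care = 0xFFFFFFFF ^ int(ipaddress.IPv4Address(wildcard))
    return (a & care) == (b & care)

@dataclass
class Ace:
    """One access control entry. 'host x' is x with wildcard 0.0.0.0;
    'any' is 0.0.0.0 with wildcard 255.255.255.255."""
    action: str                       # "permit" or "deny"
    protocol: str = "ip"              # "ip" matches every IP protocol
    src: str = "0.0.0.0"
    src_wild: str = "255.255.255.255"
    dst: str = "0.0.0.0"
    dst_wild: str = "255.255.255.255"
    dst_op: Optional[str] = None      # "eq", "gt" or "lt" on the destination port
    dst_port: int = 0
    established: bool = False         # TCP only: ACK or RST flag present

@dataclass
class Packet:
    src: str
    dst: str
    protocol: str = "ip"
    dst_port: int = 0
    ack: bool = False
    rst: bool = False

PORT_OPS = {"eq": lambda p, n: p == n,
            "gt": lambda p, n: p > n,
            "lt": lambda p, n: p < n}

def ace_matches(ace: Ace, pkt: Packet) -> bool:
    if ace.protocol != "ip" and ace.protocol != pkt.protocol:
        return False
    if not wildcard_match(pkt.src, ace.src, ace.src_wild):
        return False
    if not wildcard_match(pkt.dst, ace.dst, ace.dst_wild):
        return False
    if ace.dst_op and not PORT_OPS[ace.dst_op](pkt.dst_port, ace.dst_port):
        return False
    # 'established' is a stateless flag check, not connection tracking:
    # the switch only inspects the ACK/RST bits of this one segment.
    if ace.established and not (pkt.ack or pkt.rst):
        return False
    return True

def evaluate(acl: List[Ace], pkt: Packet) -> str:
    """Return the action of the first matching ACE, or the implicit deny."""
    for ace in acl:
        if ace_matches(ace, pkt):
            return ace.action
    return "deny"

# access-list 2 from the guide: one host on subnet 36.48.0.0 is accepted,
# the rest of that subnet is rejected, every other 36.0.0.0 subnet is accepted.
ACL_2 = [
    Ace("permit", src="36.48.0.3", src_wild="0.0.0.0"),
    Ace("deny",   src="36.48.0.0", src_wild="0.0.255.255"),
    Ace("permit", src="36.0.0.0",  src_wild="0.255.255.255"),
]

# access-list 102 with the established keyword: replies to connections opened
# from inside 128.88.0.0/16 are allowed back in, plus new SMTP to the mail host.
ACL_102 = [
    Ace("permit", "tcp", dst="128.88.0.0", dst_wild="0.0.255.255", established=True),
    Ace("permit", "tcp", dst="128.88.1.2", dst_wild="0.0.0.0", dst_op="eq", dst_port=25),
]

def demo() -> dict:
    """Decisions for a few constructed packets (sample addresses are made up)."""
    out_of_order = ACL_2[1:] + ACL_2[:1]   # same ACEs, deny line moved first
    return {
        "host_on_48":      evaluate(ACL_2, Packet("36.48.0.3", "36.1.1.1")),
        "other_on_48":     evaluate(ACL_2, Packet("36.48.7.9", "36.1.1.1")),
        "other_subnet":    evaluate(ACL_2, Packet("36.50.1.1", "36.1.1.1")),
        "outside_36":      evaluate(ACL_2, Packet("37.1.1.1", "36.1.1.1")),
        "host_misordered": evaluate(out_of_order, Packet("36.48.0.3", "36.1.1.1")),
        "reply_ack":  evaluate(ACL_102, Packet("203.0.113.5", "128.88.4.4", "tcp", 40000, ack=True)),
        "new_syn":    evaluate(ACL_102, Packet("203.0.113.5", "128.88.4.4", "tcp", 40000)),
        "new_smtp":   evaluate(ACL_102, Packet("203.0.113.5", "128.88.1.2", "tcp", 25)),
        "new_telnet": evaluate(ACL_102, Packet("203.0.113.5", "128.88.1.2", "tcp", 23)),
    }

if __name__ == "__main__":
    for name, action in demo().items():
        print(f"{name:16} {action}")
```

The "host_misordered" case shows why ACE order matters: with the subnet deny placed first, the host permit is never reached.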

Examples: Named ACLs

Creating named standard and extended ACLs


This example creates a standard ACL named Internet_filter and an extended ACL named marketing_group.
The Internet_filter ACL allows all traffic from the source address 1.2.3.4.

SwitchDevice(config)# ip access-list standard Internet_filter
SwitchDevice(config-std-nacl)# permit 1.2.3.4
SwitchDevice(config-std-nacl)# exit

The marketing_group ACL allows any TCP Telnet traffic to the destination address and wildcard 171.69.0.0
0.0.255.255 and denies any other TCP traffic. It permits ICMP traffic, denies UDP traffic from any source to
the destination address range 171.69.0.0 through 171.69.255.255 with a destination port less than 1024, denies
any other IP traffic, and provides a log of the result.

SwitchDevice(config)# ip access-list extended marketing_group
SwitchDevice(config-ext-nacl)# permit tcp any 171.69.0.0 0.0.255.255 eq telnet
SwitchDevice(config-ext-nacl)# deny tcp any any
SwitchDevice(config-ext-nacl)# permit icmp any any
SwitchDevice(config-ext-nacl)# deny udp any 171.69.0.0 0.0.255.255 lt 1024
SwitchDevice(config-ext-nacl)# deny ip any any log
SwitchDevice(config-ext-nacl)# exit

The Internet_filter ACL is applied to outgoing traffic and the marketing_group ACL is applied to incoming
traffic on a Layer 3 port.

SwitchDevice(config)# interface gigabitethernet3/0/2
SwitchDevice(config-if)# no switchport
SwitchDevice(config-if)# ip address 2.0.5.1 255.255.255.0
SwitchDevice(config-if)# ip access-group Internet_filter out
SwitchDevice(config-if)# ip access-group marketing_group in

Deleting individual ACEs from named ACLs


This example shows how you can delete individual ACEs from the named access list border-list:

SwitchDevice(config)# ip access-list extended border-list
SwitchDevice(config-ext-nacl)# no permit ip host 10.1.1.3 any

Examples: Time Range Applied to an IP ACL


This example denies HTTP traffic on Monday through Friday between the hours of 8:00 a.m. and 6:00
p.m. (18:00). The example allows UDP traffic only on Saturday and Sunday from noon to 8:00 p.m. (20:00).

SwitchDevice(config)# time-range no-http
SwitchDevice(config-time-range)# periodic weekdays 8:00 to 18:00
SwitchDevice(config-time-range)# exit
SwitchDevice(config)# time-range udp-yes
SwitchDevice(config-time-range)# periodic weekend 12:00 to 20:00
SwitchDevice(config-time-range)# exit
SwitchDevice(config)# ip access-list extended strict
SwitchDevice(config-ext-nacl)# deny tcp any any eq www time-range no-http
SwitchDevice(config-ext-nacl)# permit udp any any time-range udp-yes
SwitchDevice(config-ext-nacl)# exit
SwitchDevice(config)# interface gigabitethernet2/0/1
SwitchDevice(config-if)# ip access-group strict in

Examples: Configuring Commented IP ACL Entries


In this example of a numbered ACL, the workstation that belongs to Jones is allowed access, and the workstation
that belongs to Smith is not allowed access:

SwitchDevice(config)# access-list 1 remark Permit only Jones workstation through
SwitchDevice(config)# access-list 1 permit 171.69.2.88
SwitchDevice(config)# access-list 1 remark Do not allow Smith workstation through
SwitchDevice(config)# access-list 1 deny 171.69.3.13

In this example of a numbered ACL, the Winter and Smith workstations are not allowed to browse the web:

SwitchDevice(config)# access-list 100 remark Do not allow Winter to browse the web
SwitchDevice(config)# access-list 100 deny tcp host 171.69.3.85 any eq www
SwitchDevice(config)# access-list 100 remark Do not allow Smith to browse the web
SwitchDevice(config)# access-list 100 deny tcp host 171.69.3.13 any eq www

In this example of a named ACL, the Jones subnet is not allowed access:

SwitchDevice(config)# ip access-list standard prevention
SwitchDevice(config-std-nacl)# remark Do not allow Jones subnet through
SwitchDevice(config-std-nacl)# deny 171.69.0.0 0.0.255.255

In this example of a named ACL, the Jones subnet is not allowed to use outbound Telnet:

SwitchDevice(config)# ip access-list extended telnetting
SwitchDevice(config-ext-nacl)# remark Do not allow Jones subnet to telnet out
SwitchDevice(config-ext-nacl)# deny tcp 171.69.0.0 0.0.255.255 any eq telnet

Examples: ACL Logging


Two variations of logging are supported on router ACLs. The log keyword sends an informational logging
message to the console about the packet that matches the entry; the log-input keyword includes the input
interface in the log entry.
In this example, standard named access list stan1 denies traffic from 10.1.1.0 0.0.0.255, allows traffic from
all other sources, and includes the log keyword.

SwitchDevice(config)# ip access-list standard stan1
SwitchDevice(config-std-nacl)# deny 10.1.1.0 0.0.0.255 log
SwitchDevice(config-std-nacl)# permit any log
SwitchDevice(config-std-nacl)# exit
SwitchDevice(config)# interface gigabitethernet1/0/1
SwitchDevice(config-if)# ip access-group stan1 in
SwitchDevice(config-if)# end
SwitchDevice# show logging
Syslog logging: enabled (0 messages dropped, 0 flushes, 0 overruns)
Console logging: level debugging, 37 messages logged
Monitor logging: level debugging, 0 messages logged
Buffer logging: level debugging, 37 messages logged
File logging: disabled
Trap logging: level debugging, 39 message lines logged

Log Buffer (4096 bytes):

00:00:48: NTP: authentication delay calculation problems

<output truncated>

00:09:34:%SEC-6-IPACCESSLOGS:list stan1 permitted 0.0.0.0 1 packet
00:09:59:%SEC-6-IPACCESSLOGS:list stan1 denied 10.1.1.15 1 packet
00:10:11:%SEC-6-IPACCESSLOGS:list stan1 permitted 0.0.0.0 1 packet

This example is a named extended access list ext1 that permits ICMP packets from any source to 10.1.1.0
0.0.0.255 and denies all UDP packets.

SwitchDevice(config)# ip access-list extended ext1
SwitchDevice(config-ext-nacl)# permit icmp any 10.1.1.0 0.0.0.255 log
SwitchDevice(config-ext-nacl)# deny udp any any log
SwitchDevice(config-ext-nacl)# exit
SwitchDevice(config)# interface gigabitethernet1/0/2
SwitchDevice(config-if)# ip access-group ext1 in

This is an example of a log for an extended ACL:

01:24:23:%SEC-6-IPACCESSLOGDP:list ext1 permitted icmp 10.1.1.15 -> 10.1.1.61 (0/0), 1 packet
01:25:14:%SEC-6-IPACCESSLOGDP:list ext1 permitted icmp 10.1.1.15 -> 10.1.1.61 (0/0), 7 packets
01:26:12:%SEC-6-IPACCESSLOGP:list ext1 denied udp 0.0.0.0(0) -> 255.255.255.255(0), 1 packet
01:31:33:%SEC-6-IPACCESSLOGP:list ext1 denied udp 0.0.0.0(0) -> 255.255.255.255(0), 8 packets

Note that all logging entries for IP ACLs start with %SEC-6-IPACCESSLOG with minor variations in format
depending on the kind of ACL and the access entry that has been matched.
This is an example of an output message when the log-input keyword is entered:

00:04:21:%SEC-6-IPACCESSLOGDP:list inputlog permitted icmp 10.1.1.10 (Vlan1 0001.42ef.a400) -> 10.1.1.61 (0/0), 1 packet

A log message for the same sort of packet using the log keyword does not include the input interface
information:

00:05:47:%SEC-6-IPACCESSLOGDP:list inputlog permitted icmp 10.1.1.10 -> 10.1.1.61 (0/0), 1 packet
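The following is an added Python parser, not part of the Cisco guide, for the %SEC-6-IPACCESSLOG messages shown above, with a per-source tally of denied packets of the kind a log collector would alert on. SAMPLE_LOG is constructed from the message formats in the guide, one message per line, and is not real device output.

```python
import re
from collections import Counter
from typing import Dict, Iterable, Optional, Tuple

# Added example, not from the Cisco guide: parse the IPACCESSLOG syslog variants
# (LOGS for standard ACLs, LOGP for TCP/UDP and LOGDP for ICMP on extended ACLs)
# and total the denied packets per ACL and source address.

# Common prefix: "hh:mm:ss:%SEC-6-IPACCESSLOG<variant>:list <acl> <action> <details>, <n> packet(s)"
HEADER_RE = re.compile(
    r"^(?P<ts>\d\d:\d\d:\d\d):%SEC-6-IPACCESSLOG(?P<variant>[A-Z]+):"
    r"list (?P<acl>\S+) (?P<action>permitted|denied) (?P<details>.*?),? "
    r"(?P<count>\d+) packets?$"
)
# Details of the extended-ACL variants:
# "<proto> <src>[(<sport>)] [(<intf> <mac>)] -> <dst>[(<dport>)] [(<type>/<code>)]"
# The "(<intf> <mac>)" part is present only when the ACE used log-input.
EXTENDED_RE = re.compile(
    r"^(?P<proto>\w+) (?P<src>[\d.]+)(?:\((?P<sport>\d+)\))?"
    r"(?: \((?P<intf>\S+) (?P<mac>[0-9a-f.]+)\))?"
    r" -> (?P<dst>[\d.]+)(?:\((?P<dport>\d+)\))?(?: \((?P<itype>\d+)/(?P<icode>\d+)\))?$"
)

def parse_line(line: str) -> Optional[Dict[str, Optional[str]]]:
    """Return the fields of one IPACCESSLOG message, or None for any other syslog line."""
    m = HEADER_RE.match(line.strip())
    if not m:
        return None
    rec: Dict[str, Optional[str]] = {
        "ts": m["ts"], "variant": m["variant"], "acl": m["acl"],
        "action": m["action"], "packets": m["count"],
        "proto": None, "src": None, "dst": None, "intf": None, "mac": None,
    }
    if m["variant"] == "S":
        rec["src"] = m["details"]          # standard ACL: only the source is logged
        return rec
    e = EXTENDED_RE.match(m["details"])
    if not e:
        return None
    rec.update({"proto": e["proto"], "src": e["src"], "dst": e["dst"],
                "intf": e["intf"], "mac": e["mac"]})
    return rec

def denied_packets_by_source(lines: Iterable[str]) -> Dict[Tuple[str, str], int]:
    """Sum the packet counts of 'denied' messages per (ACL, source).
    Later messages carry an aggregate count for the interval (the guide's own
    samples show 7 and 8 packets), so the counts are added, not replaced."""
    tally: Counter = Counter()
    for line in lines:
        rec = parse_line(line)
        if rec and rec["action"] == "denied":
            tally[(rec["acl"], rec["src"])] += int(rec["packets"])
    return dict(tally)

SAMPLE_LOG = [  # constructed from the message formats in the guide
    "00:00:48: NTP: authentication delay calculation problems",
    "00:09:34:%SEC-6-IPACCESSLOGS:list stan1 permitted 0.0.0.0 1 packet",
    "00:09:59:%SEC-6-IPACCESSLOGS:list stan1 denied 10.1.1.15 1 packet",
    "01:24:23:%SEC-6-IPACCESSLOGDP:list ext1 permitted icmp 10.1.1.15 -> 10.1.1.61 (0/0), 1 packet",
    "01:26:12:%SEC-6-IPACCESSLOGP:list ext1 denied udp 0.0.0.0(0) -> 255.255.255.255(0), 1 packet",
    "01:31:33:%SEC-6-IPACCESSLOGP:list ext1 denied udp 0.0.0.0(0) -> 255.255.255.255(0), 8 packets",
    "00:04:21:%SEC-6-IPACCESSLOGDP:list inputlog permitted icmp 10.1.1.10 (Vlan1 0001.42ef.a400) -> 10.1.1.61 (0/0), 1 packet",
]

if __name__ == "__main__":
    for rec in map(parse_line, SAMPLE_LOG):
        if rec:
            print(rec)
    print(denied_packets_by_source(SAMPLE_LOG))
```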

Configuration Examples for ACLs and VLAN Maps


Example: Creating an ACL and a VLAN Map to Deny a Packet
This example shows how to create an ACL and a VLAN map to deny a packet. In the first map, any packets
that match the ip1 ACL (TCP packets) would be dropped. You first create the ip1 ACL to permit any TCP
packet and no other packets. Because there is a match clause for IP packets in the VLAN map, the default
action is to drop any IP packet that does not match any of the match clauses.

SwitchDevice(config)# ip access-list extended ip1
SwitchDevice(config-ext-nacl)# permit tcp any any
SwitchDevice(config-ext-nacl)# exit
SwitchDevice(config)# vlan access-map map_1 10
SwitchDevice(config-access-map)# match ip address ip1
SwitchDevice(config-access-map)# action drop

Example: Creating an ACL and a VLAN Map to Permit a Packet


This example shows how to create a VLAN map to permit a packet. ACL ip2 permits UDP packets and any
packets that match the ip2 ACL are forwarded. In this map, any IP packets that did not match any of the
previous ACLs (that is, packets that are not TCP packets or UDP packets) would get dropped.

SwitchDevice(config)# ip access-list extended ip2
SwitchDevice(config-ext-nacl)# permit udp any any
SwitchDevice(config-ext-nacl)# exit
SwitchDevice(config)# vlan access-map map_1 20
SwitchDevice(config-access-map)# match ip address ip2
SwitchDevice(config-access-map)# action forward

Example: Default Action of Dropping IP Packets and Forwarding MAC Packets


In this example, the VLAN map has a default action of drop for IP packets and a default action of forward
for MAC packets. Used with extended ACL 101 and extended named access lists igmp-match and tcp-match,
the map will have the following results:
• Forward all UDP packets
• Drop all IGMP packets
• Forward all TCP packets
• Drop all other IP packets
• Forward all non-IP packets

SwitchDevice(config)# access-list 101 permit udp any any
SwitchDevice(config)# ip access-list extended igmp-match
SwitchDevice(config-ext-nacl)# permit igmp any any
SwitchDevice(config-ext-nacl)# exit
SwitchDevice(config)# ip access-list extended tcp-match
SwitchDevice(config-ext-nacl)# permit tcp any any
SwitchDevice(config-ext-nacl)# exit
SwitchDevice(config)# vlan access-map drop-ip-default 10
SwitchDevice(config-access-map)# match ip address 101
SwitchDevice(config-access-map)# action forward
SwitchDevice(config-access-map)# exit
SwitchDevice(config)# vlan access-map drop-ip-default 20
SwitchDevice(config-access-map)# match ip address igmp-match
SwitchDevice(config-access-map)# action drop
SwitchDevice(config-access-map)# exit
SwitchDevice(config)# vlan access-map drop-ip-default 30
SwitchDevice(config-access-map)# match ip address tcp-match
SwitchDevice(config-access-map)# action forward

Example: Default Action of Dropping MAC Packets and Forwarding IP Packets


In this example, the VLAN map has a default action of drop for MAC packets and a default action of forward
for IP packets. Used with MAC extended access lists good-hosts and good-protocols, the map will have the
following results:
• Forward MAC packets from hosts 0000.0c00.0111 and 0000.0c00.0211
• Forward MAC packets with decnet-iv or vines-ip protocols
• Drop all other non-IP packets
• Forward all IP packets

SwitchDevice(config)# mac access-list extended good-hosts
SwitchDevice(config-ext-macl)# permit host 0000.0c00.0111 any
SwitchDevice(config-ext-macl)# permit host 0000.0c00.0211 any
SwitchDevice(config-ext-macl)# exit
SwitchDevice(config)# mac access-list extended good-protocols
SwitchDevice(config-ext-macl)# permit any any decnet-iv
SwitchDevice(config-ext-macl)# permit any any vines-ip
SwitchDevice(config-ext-macl)# exit
SwitchDevice(config)# vlan access-map drop-mac-default 10
SwitchDevice(config-access-map)# match mac address good-hosts
SwitchDevice(config-access-map)# action forward
SwitchDevice(config-access-map)# exit
SwitchDevice(config)# vlan access-map drop-mac-default 20
SwitchDevice(config-access-map)# match mac address good-protocols
SwitchDevice(config-access-map)# action forward

Example: Default Action of Dropping All Packets


In this example, the VLAN map has a default action of drop for all packets (IP and non-IP). Used with access
lists tcp-match and good-hosts from the two preceding examples, the map will have the following results:
• Forward all TCP packets
• Forward MAC packets from hosts 0000.0c00.0111 and 0000.0c00.0211
• Drop all other IP packets
• Drop all other MAC packets

SwitchDevice(config)# vlan access-map drop-all-default 10
SwitchDevice(config-access-map)# match ip address tcp-match
SwitchDevice(config-access-map)# action forward
SwitchDevice(config-access-map)# exit
SwitchDevice(config)# vlan access-map drop-all-default 20
SwitchDevice(config-access-map)# match mac address good-hosts
SwitchDevice(config-access-map)# action forward
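The following is an added Python model, not part of the Cisco guide, of how a VLAN map decides the fate of a frame, used to reproduce the results stated for the three maps above (and a clause with no match statement, as in the SERVER1_MAP example later in this chapter). The ACLs are reduced to the single condition each one permits; the Frame and Clause classes, the test frames and the MAC address 0000.0c00.9999 are constructed.

```python
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional

# Added model (not from the Cisco guide) of VLAN map evaluation. Clauses are
# tried in sequence order and the first clause whose ACL matches the frame
# supplies the action. An unmatched frame is dropped only if the map has at
# least one match clause for its type (IP or MAC); otherwise it is forwarded.

@dataclass
class Frame:
    kind: str                 # "ip" or "mac" (non-IP)
    proto: str = ""           # ip: "tcp", "udp", "igmp", ...; mac: ethertype name
    src_mac: str = ""

# The ACLs from the examples, reduced to the predicate each one permits.
ACLS: Dict[str, Callable[[Frame], bool]] = {
    "101":            lambda f: f.proto == "udp",        # access-list 101 permit udp any any
    "igmp-match":     lambda f: f.proto == "igmp",
    "tcp-match":      lambda f: f.proto == "tcp",
    "good-hosts":     lambda f: f.src_mac in ("0000.0c00.0111", "0000.0c00.0211"),
    "good-protocols": lambda f: f.proto in ("decnet-iv", "vines-ip"),
}

@dataclass
class Clause:
    seq: int
    action: str                       # "forward" or "drop"
    match_kind: Optional[str] = None  # "ip", "mac", or None for a clause with no match
    acl: Optional[str] = None

def vlan_map_action(clauses: List[Clause], frame: Frame) -> str:
    for c in sorted(clauses, key=lambda c: c.seq):
        if c.match_kind is None:                  # no match statement: matches everything
            return c.action
        if c.match_kind == frame.kind and ACLS[c.acl](frame):
            return c.action
    # Default action depends on whether this frame type has any match clause.
    if any(c.match_kind == frame.kind for c in clauses):
        return "drop"
    return "forward"

DROP_IP_DEFAULT = [
    Clause(10, "forward", "ip", "101"),
    Clause(20, "drop",    "ip", "igmp-match"),
    Clause(30, "forward", "ip", "tcp-match"),
]
DROP_MAC_DEFAULT = [
    Clause(10, "forward", "mac", "good-hosts"),
    Clause(20, "forward", "mac", "good-protocols"),
]
DROP_ALL_DEFAULT = [
    Clause(10, "forward", "ip",  "tcp-match"),
    Clause(20, "forward", "mac", "good-hosts"),
]

def results(vmap: List[Clause]) -> Dict[str, str]:
    """Actions for a constructed set of frames covering every stated outcome."""
    frames = {
        "udp":       Frame("ip", "udp"),
        "igmp":      Frame("ip", "igmp"),
        "tcp":       Frame("ip", "tcp"),
        "icmp":      Frame("ip", "icmp"),
        "good_host": Frame("mac", "appletalk", "0000.0c00.0111"),
        "vines":     Frame("mac", "vines-ip", "0000.0c00.9999"),
        "other_mac": Frame("mac", "appletalk", "0000.0c00.9999"),
    }
    return {name: vlan_map_action(vmap, f) for name, f in frames.items()}

if __name__ == "__main__":
    for label, vmap in (("drop-ip-default", DROP_IP_DEFAULT),
                        ("drop-mac-default", DROP_MAC_DEFAULT),
                        ("drop-all-default", DROP_ALL_DEFAULT)):
        print(label, results(vmap))
```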

Configuration Examples for Using VLAN Maps in Your Network


Example: Wiring Closet Configuration
Figure 103: Wiring Closet Configuration

In a wiring closet configuration, routing might not be enabled on the switch. In this configuration, the switch
can still support a VLAN map and a QoS classification ACL. Assume that Host X and Host Y are in different
VLANs and are connected to wiring closet switches A and C. Traffic from Host X to Host Y is eventually
being routed by Switch B, a Layer 3 switch with routing enabled. Traffic from Host X to Host Y can be
access-controlled at the traffic entry point, Switch A.

If you do not want HTTP traffic switched from Host X to Host Y, you can configure a VLAN map on Switch
A to drop all HTTP traffic from Host X (IP address 10.1.1.32) to Host Y (IP address 10.1.1.34) at Switch A
and not bridge it to Switch B.
First, define the IP access list http that permits (matches) TCP traffic from Host X to Host Y on the HTTP port.

SwitchDevice(config)# ip access-list extended http
SwitchDevice(config-ext-nacl)# permit tcp host 10.1.1.32 host 10.1.1.34 eq www
SwitchDevice(config-ext-nacl)# exit

Next, create VLAN access map map2 so that traffic that matches the http access list is dropped and all other
IP traffic is forwarded.

SwitchDevice(config)# vlan access-map map2 10
SwitchDevice(config-access-map)# match ip address http
SwitchDevice(config-access-map)# action drop
SwitchDevice(config-access-map)# exit
SwitchDevice(config)# ip access-list extended match_all
SwitchDevice(config-ext-nacl)# permit ip any any
SwitchDevice(config-ext-nacl)# exit
SwitchDevice(config)# vlan access-map map2 20
SwitchDevice(config-access-map)# match ip address match_all
SwitchDevice(config-access-map)# action forward

Then, apply VLAN access map map2 to VLAN 1.

SwitchDevice(config)# vlan filter map2 vlan 1

Example: Restricting Access to a Server on Another VLAN


Figure 104: Restricting Access to a Server on Another VLAN

You can restrict access to a server on another VLAN. For example, server 10.1.1.100 in VLAN 10 needs to
have access denied to these hosts:
• Hosts in subnet 10.1.2.0/8 in VLAN 20 should not have access.
• Hosts 10.1.1.4 and 10.1.1.8 in VLAN 10 should not have access.

Example: Denying Access to a Server on Another VLAN


This example shows how to deny access to a server on another VLAN by creating the VLAN map SERVER1_MAP,
which denies access to hosts in subnet 10.1.2.0/8, host 10.1.1.4, and host 10.1.1.8 and permits other IP traffic.
The final step is to apply the map SERVER1_MAP to VLAN 10.
Define the IP ACL that will match the correct packets.

SwitchDevice(config)# ip access-list extended SERVER1_ACL
SwitchDevice(config-ext-nacl)# permit ip 10.1.2.0 0.0.0.255 host 10.1.1.100
SwitchDevice(config-ext-nacl)# permit ip host 10.1.1.4 host 10.1.1.100
SwitchDevice(config-ext-nacl)# permit ip host 10.1.1.8 host 10.1.1.100
SwitchDevice(config-ext-nacl)# exit

Define a VLAN map using this ACL that will drop IP packets that match SERVER1_ACL and forward IP
packets that do not match the ACL.

SwitchDevice(config)# vlan access-map SERVER1_MAP 10
SwitchDevice(config-access-map)# match ip address SERVER1_ACL
SwitchDevice(config-access-map)# action drop
SwitchDevice(config-access-map)# exit
SwitchDevice(config)# vlan access-map SERVER1_MAP 20
SwitchDevice(config-access-map)# action forward
SwitchDevice(config-access-map)# exit

Apply the VLAN map to VLAN 10.

SwitchDevice(config)# vlan filter SERVER1_MAP vlan-list 10

Configuration Examples of Router ACLs and VLAN Maps Applied to VLANs


This section gives examples of applying router ACLs and VLAN maps to a VLAN for switched, bridged,
routed, and multicast packets. Although the following illustrations show packets being forwarded to their
destination, each time the packet’s path crosses a line indicating a VLAN map or an ACL, it is also possible
that the packet might be dropped, rather than forwarded.

Example: ACLs and Switched Packets


Figure 105: Applying ACLs on Switched Packets

This example shows how an ACL is applied on packets that are switched within a VLAN. Packets switched
within the VLAN without being routed or forwarded by fallback bridging are only subject to the VLAN map
of the input VLAN.

Example: ACLs and Bridged Packets


Figure 106: Applying ACLs on Bridged Packets

This example shows how an ACL is applied on fallback-bridged packets. For bridged packets, only Layer 2
ACLs are applied to the input VLAN. Only non-IP, non-ARP packets can be fallback-bridged.

Example: ACLs and Routed Packets


Figure 107: Applying ACLs on Routed Packets

This example shows how ACLs are applied on routed packets. The ACLs are applied in this order:
1. VLAN map for input VLAN
2. Input router ACL
3. Output router ACL
4. VLAN map for output VLAN

Example: ACLs and Multicast Packets


Figure 108: Applying ACLs on Multicast Packets

This example shows how ACLs are applied on packets that are replicated for IP multicasting. A multicast
packet being routed has two different kinds of filters applied: one for destinations that are other ports in the
input VLAN and another for each of the destinations that are in other VLANs to which the packet has been
routed. The packet might be routed to more than one output VLAN, in which case a different router output
ACL and VLAN map would apply for each destination VLAN. The final result is that the packet might be
permitted in some of the output VLANs and not in others. A copy of the packet is forwarded to those
destinations where it is permitted. However, if the input VLAN map drops the packet, no destination receives
a copy of the packet.

CHAPTER 58
Configuring IPv6 ACLs
• Finding Feature Information, on page 1313
• IPv6 ACLs Overview, on page 1313
• Restrictions for IPv6 ACLs, on page 1314
• Default Configuration for IPv6 ACLs , on page 1315
• Configuring IPv6 ACLs, on page 1315
• Attaching an IPv6 ACL to an Interface, on page 1319
• Monitoring IPv6 ACLs, on page 1320

Finding Feature Information


Your software release may not support all the features documented in this module. For the latest caveats and
feature information, see Bug Search Tool and the release notes for your platform and software release. To
find information about the features documented in this module, and to see a list of the releases in which each
feature is supported, see the feature information table at the end of this module.
Use Cisco Feature Navigator to find information about platform support and Cisco software image support.
To access Cisco Feature Navigator, go to http://www.cisco.com/go/cfn. An account on Cisco.com is not
required.

IPv6 ACLs Overview


You can filter IP Version 6 (IPv6) traffic by creating IPv6 access control lists (ACLs) and applying them to
interfaces similarly to the way that you create and apply IP Version 4 (IPv4) named ACLs. You can also
create and apply input router ACLs to filter Layer 3 management traffic when the switch is running the IP
base and LAN base feature sets.
A switch supports two types of IPv6 ACLs:
• IPv6 router ACLs are supported on outbound or inbound traffic on Layer 3 interfaces, which can be
routed ports, switch virtual interfaces (SVIs), or Layer 3 EtherChannels. IPv6 router ACLs apply only
to IPv6 packets that are routed.
• IPv6 port ACLs are supported on inbound Layer 2 interfaces. IPv6 port ACLs are applied to all IPv6
packets entering the interface.

The switch does not support VLAN ACLs (VLAN maps) for IPv6 traffic.

You can apply both IPv4 and IPv6 ACLs to an interface. As with IPv4 ACLs, IPv6 port ACLs take precedence
over router ACLs.

Interactions with Other Features and Switches


• If an IPv6 router ACL is configured to deny a packet, the packet is not routed. A copy of the packet is
sent to the Internet Control Message Protocol (ICMP) queue to generate an ICMP unreachable message
for the frame.
• If a bridged frame is to be dropped due to a port ACL, the frame is not bridged.
• You can create both IPv4 and IPv6 ACLs on a switch or switch stack, and you can apply both IPv4 and
IPv6 ACLs to the same interface. Each ACL must have a unique name; an error message appears if you
try to use a name that is already configured.
You use different commands to create IPv4 and IPv6 ACLs and to attach IPv4 or IPv6 ACLs to the same
Layer 2 or Layer 3 interface. If you use the wrong command to attach an ACL (for example, an IPv4
command to attach an IPv6 ACL), you receive an error message.
• You cannot use MAC ACLs to filter IPv6 frames. MAC ACLs can only filter non-IP frames.
• If the hardware memory is full, packets are dropped on the interface and an unload error message is
logged.

Restrictions for IPv6 ACLs


With IPv4, you can configure standard and extended numbered IP ACLs, named IP ACLs, and MAC ACLs.
IPv6 supports only named ACLs.
The switch supports most Cisco IOS-supported IPv6 ACLs with some exceptions:
• The switch does not support matching on these keywords: flowlabel, routing header, and
undetermined-transport.
• The switch does not support reflexive ACLs (the reflect keyword).
• This release supports only port ACLs and router ACLs for IPv6; it does not support VLAN ACLs (VLAN
maps).
• Output router ACLs and input port ACLs for IPv6 are supported only on switch stacks. Switches support
only control plane (incoming) IPv6 ACLs.
• The switch does not apply MAC-based ACLs on IPv6 frames.
• You cannot apply IPv6 port ACLs to Layer 2 EtherChannels.
• When configuring an ACL, there is no restriction on keywords entered in the ACL, regardless of whether
or not they are supported on the platform. When you apply the ACL to an interface that requires hardware
forwarding (physical ports or SVIs), the switch checks to determine whether or not the ACL can be
supported on the interface. If not, attaching the ACL is rejected.
• If an ACL is applied to an interface and you attempt to add an access control entry (ACE) with an
unsupported keyword, the switch does not allow the ACE to be added to the ACL that is currently attached
to the interface.

IPv6 ACLs on the switch have these characteristics:
• Fragmented frames (the fragments keyword as in IPv4) are supported.
• The same statistics supported in IPv4 are supported for IPv6 ACLs.
• If the switch runs out of hardware space, the packets associated with the ACL are dropped on the interface.
• Routed or bridged packets with hop-by-hop options have IPv6 ACLs applied in software.
• Logging is supported for router ACLs, but not for port ACLs.
• The switch supports IPv6 address-matching for a full range of prefix-lengths.

Default Configuration for IPv6 ACLs


The default IPv6 ACL configuration is as follows:
Switch# show access-lists preauth_ipv6_acl
IPv6 access list preauth_ipv6_acl (per-user)
permit udp any any eq domain sequence 10
permit tcp any any eq domain sequence 20
permit icmp any any nd-ns sequence 30
permit icmp any any nd-na sequence 40
permit icmp any any router-solicitation sequence 50
permit icmp any any router-advertisement sequence 60
permit icmp any any redirect sequence 70
permit udp any eq 547 any eq 546 sequence 80
permit udp any eq 546 any eq 547 sequence 90
deny ipv6 any any sequence 100

Configuring IPv6 ACLs


To filter IPv6 traffic, you perform these steps:

SUMMARY STEPS
1. enable
2. configure terminal
3. ipv6 access-list list-name
4. {deny | permit} protocol {source-ipv6-prefix/prefix-length | any | host source-ipv6-address} [operator
[port-number]] {destination-ipv6-prefix/prefix-length | any | host destination-ipv6-address} [operator
[port-number]] [dscp value] [fragments] [log] [log-input] [routing] [sequence value] [time-range
name]
5. {deny | permit} tcp {source-ipv6-prefix/prefix-length | any | host source-ipv6-address} [operator
[port-number]] {destination-ipv6-prefix/prefix-length | any | host destination-ipv6-address} [operator
[port-number]] [ack] [dscp value] [established] [fin] [log] [log-input] [neq {port | protocol}] [psh]
[range {port | protocol}] [rst] [routing] [sequence value] [syn] [time-range name] [urg]
6. {deny | permit} udp {source-ipv6-prefix/prefix-length | any | host source-ipv6-address} [operator
[port-number]] {destination-ipv6-prefix/prefix-length | any | host destination-ipv6-address} [operator
[port-number]] [dscp value] [log] [log-input] [neq {port | protocol}] [range {port | protocol}] [routing]
[sequence value] [time-range name]

7. {deny | permit} icmp {source-ipv6-prefix/prefix-length | any | host source-ipv6-address} [operator
[port-number]] {destination-ipv6-prefix/prefix-length | any | host destination-ipv6-address} [operator
[port-number]] [icmp-type [icmp-code] | icmp-message] [dscp value] [log] [log-input] [routing]
[sequence value] [time-range name]
8. end
9. show ipv6 access-list
10. show running-config
11. copy running-config startup-config

DETAILED STEPS

Command or Action / Purpose

Step 1 enable
Purpose: Enables privileged EXEC mode. Enter your password if prompted.
Example:
SwitchDevice> enable

Step 2 configure terminal
Purpose: Enters the global configuration mode.
Example:
SwitchDevice# configure terminal

Step 3 ipv6 access-list list-name
Purpose: Defines an IPv6 ACL name, and enters IPv6 access list configuration mode.
Example:
SwitchDevice(config)# ipv6 access-list example_acl_list

Step 4 {deny | permit} protocol {source-ipv6-prefix/prefix-length | any | host source-ipv6-address} [operator [port-number]] {destination-ipv6-prefix/prefix-length | any | host destination-ipv6-address} [operator [port-number]] [dscp value] [fragments] [log] [log-input] [routing] [sequence value] [time-range name]
Purpose: Enter deny or permit to specify whether to deny or permit the packet if conditions are matched. These are the conditions:
• For protocol, enter the name or number of an Internet protocol: ahp, esp, icmp, ipv6, pcp, sctp, tcp, or udp, or an integer in the range 0 to 255 representing an IPv6 protocol number.
• The source-ipv6-prefix/prefix-length or destination-ipv6-prefix/prefix-length is the source or destination IPv6 network or class of networks for which to set deny or permit conditions, specified in hexadecimal and using 16-bit values between colons (see RFC 2373).
• Enter any as an abbreviation for the IPv6 prefix ::/0.
• For host source-ipv6-address or destination-ipv6-address, enter the source or destination IPv6 host address for which to set deny or permit conditions, specified in hexadecimal using 16-bit values between colons.
• (Optional) For operator, specify an operand that compares the source or destination ports of the specified protocol. Operands are lt (less than), gt (greater than), eq (equal), neq (not equal), and range. If the operator follows the source-ipv6-prefix/prefix-length argument, it must match the source port. If the operator follows the destination-ipv6-prefix/prefix-length argument, it must match the destination port.
• (Optional) The port-number is a decimal number from 0 to 65535 or the name of a TCP or UDP port. You can use TCP port names only when filtering TCP. You can use UDP port names only when filtering UDP.
• (Optional) Enter dscp value to match a differentiated services code point value against the traffic class value in the Traffic Class field of each IPv6 packet header. The acceptable range is from 0 to 63.
• (Optional) Enter fragments to check noninitial fragments. This keyword is visible only if the protocol is ipv6.
• (Optional) Enter log to cause a logging message to be sent to the console about the packet that matches the entry. Enter log-input to include the input interface in the log entry. Logging is supported only for router ACLs.
• (Optional) Enter routing to specify that IPv6 packets be routed.
• (Optional) Enter sequence value to specify the sequence number for the access list statement. The acceptable range is from 1 to 4,294,967,295.
• (Optional) Enter time-range name to specify the time range that applies to the deny or permit statement.

Step 5 {deny | permit} tcp {source-ipv6-prefix/prefix-length | any | host source-ipv6-address} [operator [port-number]] {destination-ipv6-prefix/prefix-length | any | host destination-ipv6-address} [operator [port-number]] [ack] [dscp value] [established] [fin] [log] [log-input] [neq {port | protocol}] [psh] [range {port | protocol}] [rst] [routing] [sequence value] [syn] [time-range name] [urg]
(Optional) Define a TCP access list and the access conditions.
Enter tcp for Transmission Control Protocol. The parameters are the same as those described in Step 4, with
these additional optional parameters:
• ack—Acknowledgment bit set.
• established—An established connection. A match occurs if the TCP datagram has the ACK or RST bits set.
• fin—Finished bit set; no more data from sender.
• neq {port | protocol}—Matches only packets that are not on a given port number.
• psh—Push function bit set.
• range {port | protocol}—Matches only packets in the port number range.
• rst—Reset bit set.
• syn—Synchronize bit set.
• urg—Urgent pointer bit set.

Step 6 {deny | permit} udp {source-ipv6-prefix/prefix-length | any | host source-ipv6-address} [operator [port-number]] {destination-ipv6-prefix/prefix-length | any | host destination-ipv6-address} [operator [port-number]] [dscp value] [log] [log-input] [neq {port | protocol}] [range {port | protocol}] [routing] [sequence value] [time-range name]
(Optional) Define a UDP access list and the access conditions.
Enter udp for the User Datagram Protocol. The UDP parameters are the same as those described for TCP, except
that the [operator [port]] port number or name must be a UDP port number or name, and the established parameter
is not valid for UDP.

Step 7 {deny | permit} icmp {source-ipv6-prefix/prefix-length | any | host source-ipv6-address} [operator [port-number]] {destination-ipv6-prefix/prefix-length | any | host destination-ipv6-address} [operator [port-number]] [icmp-type [icmp-code] | icmp-message] [dscp value] [log] [log-input] [routing] [sequence value] [time-range name]
(Optional) Define an ICMP access list and the access conditions.
Enter icmp for Internet Control Message Protocol. The ICMP parameters are the same as those described for most
IP protocols in Step 4, with the addition of the ICMP message type and code parameters. These optional
keywords have these meanings:
• icmp-type—Enter to filter by ICMP message type, a number from 0 to 255.
• icmp-code—Enter to filter ICMP packets that are filtered by the ICMP message code type, a number
from 0 to 255.
• icmp-message—Enter to filter ICMP packets by the ICMP message type name or the ICMP message type
and code name. To see a list of ICMP message type names and code names, use the ? key or see the command
reference for this release.

Step 8 end Return to privileged EXEC mode.

Step 9 show ipv6 access-list Verify the access list configuration.

Step 10 show running-config Verifies your entries.
Example:

SwitchDevice# show running-config

Step 11 copy running-config startup-config (Optional) Saves your entries in the configuration file.
Example:

SwitchDevice# copy running-config startup-config

What to do next
Attach the IPv6 ACL to an Interface

Attaching an IPv6 ACL to an Interface


You can apply an ACL to outbound or inbound traffic on Layer 3 interfaces, or to inbound traffic on Layer
2 interfaces. You can also apply ACLs only to inbound management traffic on Layer 3 interfaces.
Follow these steps to control access to an interface:

SUMMARY STEPS
1. enable
2. configure terminal
3. interface interface-id
4. no switchport
5. ipv6 address ipv6-address
6. ipv6 traffic-filter access-list-name {in | out}
7. end
8. show running-config
9. copy running-config startup-config

DETAILED STEPS

Command or Action Purpose


Step 1 enable Enables privileged EXEC mode. Enter your password if
prompted.
Example:

SwitchDevice> enable

Step 2 configure terminal Enters the global configuration mode.
Example:

SwitchDevice# configure terminal

Step 3 interface interface-id Identify a Layer 2 interface (for port ACLs) or Layer 3
interface (for router ACLs) on which to apply an access
list, and enter interface configuration mode.

Step 4 no switchport If applying a router ACL, this changes the interface from
Layer 2 mode (the default) to Layer 3 mode.

Step 5 ipv6 address ipv6-address Configure an IPv6 address on a Layer 3 interface (for router
ACLs).

Step 6 ipv6 traffic-filter access-list-name {in | out} Apply the access list to incoming or outgoing traffic on the
interface.
Note The out keyword is not supported for Layer 2
interfaces (port ACLs).

Step 7 end Returns to privileged EXEC mode.


Example:

SwitchDevice(config)# end

Step 8 show running-config Verifies your entries.


Example:

SwitchDevice# show running-config

Step 9 copy running-config startup-config (Optional) Saves your entries in the configuration file.
Example:

SwitchDevice# copy running-config startup-config

Monitoring IPv6 ACLs


You can display information about all configured access lists, all IPv6 access lists, or a specific access list by
using one or more of the privileged EXEC commands shown in the table below:

Command Purpose
show access-lists Displays all access lists configured on the switch.

show ipv6 access-list [access-list-name] Displays all configured IPv6 access lists or the access
list specified by name.

This is an example of the output from the show access-lists privileged EXEC command. The output
shows all access lists that are configured on the switch or switch stack.
Switch# show access-lists
Extended IP access list hello
10 permit ip any any
IPv6 access list ipv6
permit ipv6 any any sequence 10

This is an example of the output from the show ipv6 access-list privileged EXEC command. The
output shows only IPv6 access lists configured on the switch or switch stack.
Switch# show ipv6 access-list
IPv6 access list inbound
permit tcp any any eq bgp (8 matches) sequence 10
permit tcp any any eq telnet (15 matches) sequence 20
permit udp any any sequence 30

IPv6 access list outbound
deny udp any any sequence 10
deny tcp any any eq telnet sequence 20
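The ACL walk that the procedure above configures, as an added example in Python (not Cisco code, and not output from this guide): entries are checked in ascending sequence order, the first match decides, and any flow that matches nothing falls to the implicit deny. INBOUND_ACL and OUTBOUND_ACL are the two lists from the show ipv6 access-list output above; the port-name table and the sample flows are constructed assumptions.

```python
"""Model IPv6 ACL evaluation: ascending sequence order, first match wins,
implicit deny at the end. Added example, not Cisco code."""
import ipaddress
import re
from dataclasses import dataclass
from typing import Optional, Tuple

# ACL text as printed by 'show ipv6 access-list' in the guide's example.
INBOUND_ACL = """
 permit tcp any any eq bgp (8 matches) sequence 10
 permit tcp any any eq telnet (15 matches) sequence 20
 permit udp any any sequence 30
"""
OUTBOUND_ACL = """
 deny udp any any sequence 10
 deny tcp any any eq telnet sequence 20
"""
# Constructed subset of the port names the switch accepts (assumption).
PORT_NAMES = {"bgp": 179, "telnet": 23, "domain": 53, "www": 80}
OPERATORS = ("lt", "gt", "eq", "neq", "range")
PortRule = Optional[Tuple[str, int, int]]   # (operator, low, high)

@dataclass
class Entry:
    seq: int
    action: str                  # "permit" or "deny"
    proto: str                   # "ipv6", "tcp", "udp", "icmp", ...
    src: ipaddress.IPv6Network
    src_port: PortRule
    dst: ipaddress.IPv6Network
    dst_port: PortRule

def _parse_addr(tokens):
    """Consume 'any', 'host <addr>' or '<prefix>/<len>' from the token list."""
    tok = tokens.pop(0)
    if tok == "any":
        return ipaddress.IPv6Network("::/0")        # 'any' abbreviates ::/0
    if tok == "host":
        return ipaddress.IPv6Network(tokens.pop(0) + "/128")
    return ipaddress.IPv6Network(tok, strict=False)

def _port_value(tok):
    return PORT_NAMES[tok] if tok in PORT_NAMES else int(tok)

def _parse_port(tokens) -> PortRule:
    """Consume an optional operator and its port(s); 'range' takes two."""
    if not tokens or tokens[0] not in OPERATORS:
        return None
    op = tokens.pop(0)
    low = _port_value(tokens.pop(0))
    high = _port_value(tokens.pop(0)) if op == "range" else low
    return (op, low, high)

def parse_entry(line: str) -> Entry:
    """Parse one entry, e.g. 'permit tcp any any eq bgp (8 matches) sequence 10'."""
    line = re.sub(r"\(\d+ matches?\)", "", line)   # drop the hit counter
    tokens = line.split()
    action, proto = tokens.pop(0), tokens.pop(0)
    src = _parse_addr(tokens)
    src_port = _parse_port(tokens)
    dst = _parse_addr(tokens)
    dst_port = _parse_port(tokens)
    seq = int(tokens[tokens.index("sequence") + 1]) if "sequence" in tokens else 0
    return Entry(seq, action, proto, src, src_port, dst, dst_port)

def _port_matches(rule: PortRule, port: int) -> bool:
    if rule is None:
        return True                  # no operator: any port matches
    op, low, high = rule
    return {"lt": port < low, "gt": port > low, "eq": port == low,
            "neq": port != low, "range": low <= port <= high}[op]

def evaluate(acl_text: str, proto: str, src: str, sport: int, dst: str, dport: int):
    """Return (action, sequence) of the first matching entry, or ('deny', None)
    for the implicit deny that ends every IPv6 ACL."""
    entries = sorted((parse_entry(ln) for ln in acl_text.splitlines() if ln.strip()),
                     key=lambda e: e.seq)
    s, d = ipaddress.IPv6Address(src), ipaddress.IPv6Address(dst)
    for e in entries:
        if e.proto not in ("ipv6", proto):          # 'ipv6' matches every protocol
            continue
        if (s in e.src and d in e.dst and
                _port_matches(e.src_port, sport) and _port_matches(e.dst_port, dport)):
            return e.action, e.seq
    return "deny", None

if __name__ == "__main__":
    # Constructed sample flows using documentation addresses.
    for name, acl in (("inbound", INBOUND_ACL), ("outbound", OUTBOUND_ACL)):
        for proto, dport in (("tcp", 179), ("tcp", 22), ("udp", 53), ("tcp", 23)):
            verdict = evaluate(acl, proto, "2001:db8::10", 40000, "2001:db8::1", dport)
            print(f"{name:<9}{proto} dport {dport:<5} -> {verdict}")
```

Run as a script to see that the outbound list, which contains only deny entries, denies every flow, including the ones it does not name.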

CHAPTER 59
Configuring DHCP
• Finding Feature Information, on page 1323
• Information About DHCP, on page 1323
• How to Configure DHCP Features, on page 1330
• Configuring DHCP Server Port-Based Address Allocation, on page 1339

Finding Feature Information


Your software release may not support all the features documented in this module. For the latest caveats and
feature information, see Bug Search Tool and the release notes for your platform and software release. To
find information about the features documented in this module, and to see a list of the releases in which each
feature is supported, see the feature information table at the end of this module.
Use Cisco Feature Navigator to find information about platform support and Cisco software image support.
To access Cisco Feature Navigator, go to http://www.cisco.com/go/cfn. An account on Cisco.com is not
required.

Information About DHCP


DHCP Server
The DHCP server assigns IP addresses from specified address pools on a switch or router to DHCP clients
and manages them. If the DHCP server cannot give the DHCP client the requested configuration parameters
from its database, it forwards the request to one or more secondary DHCP servers defined by the network
administrator. The switch can act as a DHCP server.

DHCP Relay Agent


A DHCP relay agent is a Layer 3 device that forwards DHCP packets between clients and servers. Relay
agents forward requests and replies between clients and servers when they are not on the same physical subnet.
Relay agent forwarding is different from the normal Layer 2 forwarding, in which IP datagrams are switched
transparently between networks. Relay agents receive DHCP messages and generate new DHCP messages
to send on output interfaces.

DHCP Snooping
DHCP snooping is a DHCP security feature that provides network security by filtering untrusted DHCP
messages and by building and maintaining a DHCP snooping binding database, also referred to as a DHCP
snooping binding table.
DHCP snooping acts like a firewall between untrusted hosts and DHCP servers. You use DHCP snooping to
differentiate between untrusted interfaces connected to the end user and trusted interfaces connected to the
DHCP server or another switch.

Note For DHCP snooping to function properly, all DHCP servers must be connected to the switch through trusted
interfaces.

An untrusted DHCP message is a message that is received through an untrusted interface. By default, the
switch considers all interfaces untrusted. So, the switch must be configured to trust some interfaces to use
DHCP Snooping. When you use DHCP snooping in a service-provider environment, an untrusted message
is sent from a device that is not in the service-provider network, such as a customer’s switch. Messages from
unknown devices are untrusted because they can be sources of traffic attacks.
The DHCP snooping binding database has the MAC address, the IP address, the lease time, the binding type,
the VLAN number, and the interface information that corresponds to the local untrusted interfaces of a switch.
It does not have information regarding hosts interconnected with a trusted interface.
In a service-provider network, an example of an interface you might configure as trusted is one connected to
a port on a device in the same network. An example of an untrusted interface is one that is connected to an
untrusted interface in the network or to an interface on a device that is not in the network.
When a switch receives a packet on an untrusted interface and the interface belongs to a VLAN in which
DHCP snooping is enabled, the switch compares the source MAC address and the DHCP client hardware
address. If the addresses match (the default), the switch forwards the packet. If the addresses do not match,
the switch drops the packet.
The switch drops a DHCP packet when one of these situations occurs:
• A packet from a DHCP server, such as a DHCPOFFER, DHCPACK, DHCPNAK, or
DHCPLEASEQUERY packet, is received from outside the network or firewall.
• A packet is received on an untrusted interface, and the source MAC address and the DHCP client hardware
address do not match.
• The switch receives a DHCPRELEASE or DHCPDECLINE broadcast message that has a MAC address
in the DHCP snooping binding database, but the interface information in the binding database does not
match the interface on which the message was received.
• A DHCP relay agent forwards a DHCP packet that includes a relay-agent IP address that is not 0.0.0.0,
or the relay agent forwards a packet that includes option-82 information to an untrusted port.

If the switch is an aggregation switch supporting DHCP snooping and is connected to an edge switch that is
inserting DHCP option-82 information, the switch drops packets with option-82 information when packets
are received on an untrusted interface. If DHCP snooping is enabled and packets are received on a trusted
port, the aggregation switch does not learn the DHCP snooping bindings for connected devices and cannot
build a complete DHCP snooping binding database.

When an aggregation switch can be connected to an edge switch through an untrusted interface and you enter
the ip dhcp snooping information option allow-untrusted global configuration command, the aggregation
switch accepts packets with option-82 information from the edge switch. The aggregation switch learns the
bindings for hosts connected through an untrusted switch interface. The DHCP security features, such as
dynamic ARP inspection or IP source guard, can still be enabled on the aggregation switch while the switch
receives packets with option-82 information on untrusted input interfaces to which hosts are connected. The
port on the edge switch that connects to the aggregation switch must be configured as a trusted interface.
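The drop rules listed above, including the allow-untrusted exception just described, replayed over constructed DHCP messages as an added example in Python (not Cisco code). The Message and SnoopingConfig objects are simplified stand-ins for the real DHCP header and switch state; the interface names, MAC addresses and the pre-learned binding are constructed.

```python
"""Replay DHCP messages through the DHCP snooping drop rules listed above.
Added example, not Cisco code; the message and configuration models are
simplified stand-ins for the real DHCP header and switch state."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple

# Message types a DHCP server sends; on an untrusted port they are dropped.
SERVER_MESSAGES = {"DHCPOFFER", "DHCPACK", "DHCPNAK", "DHCPLEASEQUERY"}

@dataclass
class Message:
    kind: str                 # DHCP message type name
    in_iface: str             # interface the frame arrived on
    vlan: int
    src_mac: str              # Ethernet source address
    chaddr: str               # client hardware address in the DHCP header
    giaddr: str = "0.0.0.0"   # relay agent IP address
    option82: bool = False    # relay agent information option present

@dataclass
class SnoopingConfig:
    snooping_vlans: Set[int]
    trusted: Set[str]                     # 'ip dhcp snooping trust' interfaces
    mac_verify: bool = True               # compare source MAC with chaddr
    allow_untrusted_opt82: bool = False   # 'ip dhcp snooping information option allow-untrusted'
    bindings: Dict[str, str] = field(default_factory=dict)  # chaddr -> interface

def snooping_decision(msg: Message, cfg: SnoopingConfig) -> Optional[str]:
    """Return None when the switch forwards the message, otherwise the rule that drops it."""
    if msg.vlan not in cfg.snooping_vlans:
        return None                     # snooping not enabled on this VLAN
    if msg.in_iface not in cfg.trusted:
        if msg.kind in SERVER_MESSAGES:
            return "server message received on untrusted interface"
        if cfg.mac_verify and msg.src_mac.lower() != msg.chaddr.lower():
            return "source MAC does not match client hardware address"
        if msg.giaddr != "0.0.0.0":
            return "relay agent address set on untrusted interface"
        if msg.option82 and not cfg.allow_untrusted_opt82:
            return "option-82 received on untrusted interface"
    if msg.kind in ("DHCPRELEASE", "DHCPDECLINE"):
        bound = cfg.bindings.get(msg.chaddr.lower())
        if bound is not None and bound != msg.in_iface:
            return "release/decline from an interface other than the binding's"
    return None

def audit(messages: List[Message], cfg: SnoopingConfig) -> List[Tuple[str, str, Optional[str]]]:
    """Return (message type, interface, drop reason or None) for each message."""
    return [(m.kind, m.in_iface, snooping_decision(m, cfg)) for m in messages]

# Constructed configuration: the uplink to the DHCP server is the only trusted
# port, and one binding was learned earlier on Gi1/0/4.
CONFIG = SnoopingConfig(snooping_vlans={10}, trusted={"Gi1/0/24"},
                        bindings={"0003.47d8.c91f": "Gi1/0/4"})

# Constructed sample traffic: one message per drop rule plus the forwarded cases.
SAMPLE = [
    Message("DHCPDISCOVER", "Gi1/0/4", 10, "0003.47d8.c91f", "0003.47d8.c91f"),
    Message("DHCPOFFER", "Gi1/0/24", 10, "0011.2233.4455", "0003.47d8.c91f"),
    Message("DHCPOFFER", "Gi1/0/5", 10, "00aa.bbcc.dd01", "0003.47d8.c91f"),
    Message("DHCPREQUEST", "Gi1/0/6", 10, "00aa.bbcc.dd02", "0003.47d8.c91f"),
    Message("DHCPRELEASE", "Gi1/0/7", 10, "0003.47d8.c91f", "0003.47d8.c91f"),
    Message("DHCPDISCOVER", "Gi1/0/8", 10, "00aa.bbcc.dd03", "00aa.bbcc.dd03", giaddr="10.0.0.1"),
    Message("DHCPDISCOVER", "Gi1/0/9", 10, "00aa.bbcc.dd04", "00aa.bbcc.dd04", option82=True),
    Message("DHCPOFFER", "Gi1/0/5", 20, "00aa.bbcc.dd05", "0003.47d8.c91f"),
]

if __name__ == "__main__":
    for kind, iface, verdict in audit(SAMPLE, CONFIG):
        print(f"{kind:<14}{iface:<10}{'forward' if verdict is None else 'drop: ' + verdict}")
```

The last sample message is on VLAN 20, where snooping is not enabled, so the rogue-looking offer is forwarded unchecked; that is the case the VLAN-scoping note above is warning about.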
Normally, it is not desirable to broadcast packets to wireless clients, so DHCP snooping replaces the destination
broadcast MAC address (ffff.ffff.ffff) with a unicast MAC address for DHCP packets that are going from the server
to wireless clients. The unicast MAC address is retrieved from the CHADDR field in the DHCP payload. This
processing is applied to server-to-client packets such as DHCP OFFER, DHCP ACK, and DHCP NACK
messages. The ip dhcp snooping wireless bootp-broadcast enable command can be used to revert this behavior. When
wireless BOOTP broadcast is enabled, broadcast DHCP packets from the server are forwarded to wireless
clients without changing the destination MAC address.

Option-82 Data Insertion


In residential, metropolitan Ethernet-access environments, DHCP can centrally manage the IP address
assignments for a large number of subscribers. When the DHCP option-82 feature is enabled on the switch,
a subscriber device is identified by the switch port through which it connects to the network (in addition to
its MAC address). Multiple hosts on the subscriber LAN can be connected to the same port on the access
switch and are uniquely identified.

Note The DHCP option-82 feature is supported only when DHCP snooping is globally enabled on the VLANs to
which subscriber devices using option-82 are assigned.

The following illustration shows a metropolitan Ethernet network in which a centralized DHCP server assigns
IP addresses to subscribers connected to the switch at the access layer. Because the DHCP clients and their
associated DHCP server do not reside on the same IP network or subnet, a DHCP relay agent (the Catalyst
switch) is configured with a helper address to enable broadcast forwarding and to transfer DHCP messages
between the clients and the server.
Figure 109: DHCP Relay Agent in a Metropolitan Ethernet Network

When you enable the DHCP snooping information option 82 on the switch, the following sequence of
events occurs:
• The host (DHCP client) generates a DHCP request and broadcasts it on the network.

• When the switch receives the DHCP request, it adds the option-82 information in the packet. By default,
the remote-ID suboption is the switch MAC address, and the circuit-ID suboption is the port identifier,
vlan-mod-port, from which the packet is received. You can configure the remote ID and circuit ID.
• If the IP address of the relay agent is configured, the switch adds this IP address in the DHCP packet.
• The switch forwards the DHCP request that includes the option-82 field to the DHCP server.
• The DHCP server receives the packet. If the server is option-82-capable, it can use the remote ID, the
circuit ID, or both to assign IP addresses and implement policies, such as restricting the number of IP
addresses that can be assigned to a single remote ID or circuit ID. Then the DHCP server echoes the
option-82 field in the DHCP reply.
• The DHCP server unicasts the reply to the switch if the request was relayed to the server by the switch.
The switch verifies that it originally inserted the option-82 data by inspecting the remote ID and possibly
the circuit ID fields. The switch removes the option-82 field and forwards the packet to the switch port
that connects to the DHCP client that sent the DHCP request.

In the default suboption configuration, when the described sequence of events occurs, the values in these
fields do not change (see the illustration, Suboption Packet Formats):
• Circuit-ID suboption fields
• Suboption type
• Length of the suboption type
• Circuit-ID type
• Length of the circuit-ID type

• Remote-ID suboption fields


• Suboption type
• Length of the suboption type
• Remote-ID type
• Length of the remote-ID type

In the port field of the circuit ID suboption, the port numbers start at 3. For example, on a switch with 24
10/100/1000 ports and four small form-factor pluggable (SFP) module slots, port 3 is the Gigabit Ethernet
1/0/1 port, port 4 is the Gigabit Ethernet 1/0/2 port, and so forth. Port 27 is the SFP module slot Gigabit
Ethernet1/0/25, and so forth.
The illustration, Suboption Packet Formats, shows the packet formats for the remote-ID suboption and the
circuit-ID suboption when the default suboption configuration is used. For the circuit-ID suboption, the module
number corresponds to the switch number in the stack. The switch uses the packet formats when you globally
enable DHCP snooping and enter the ip dhcp snooping information option global configuration command.

Figure 110: Suboption Packet Formats

The illustration, User-Configured Suboption Packet Formats, shows the packet formats for user-configured
remote-ID and circuit-ID suboptions. The switch uses these packet formats when DHCP snooping is globally
enabled and when the ip dhcp snooping information option format remote-id global configuration command
and the ip dhcp snooping vlan information option format-type circuit-id string interface configuration
command are entered.
The values for these fields in the packets change from the default values when you configure the remote-ID
and circuit-ID suboptions:
• Circuit-ID suboption fields
• The circuit-ID type is 1.
• The length values are variable, depending on the length of the string that you configure.

• Remote-ID suboption fields


• The remote-ID type is 1.
• The length values are variable, depending on the length of the string that you configure.

Figure 111: User-Configured Suboption Packet Formats

Cisco IOS DHCP Server Database


During the DHCP-based autoconfiguration process, the designated DHCP server uses the Cisco IOS DHCP
server database. It has IP addresses, address bindings, and configuration parameters, such as the boot file.
An address binding is a mapping between an IP address and a MAC address of a host in the Cisco IOS DHCP
server database. You can manually assign the client IP address, or the DHCP server can allocate an IP address
from a DHCP address pool. For more information about manual and automatic address bindings, see the
“Configuring DHCP” chapter of the Cisco IOS IP Configuration Guide, Release 12.4.
For procedures to enable and configure the Cisco IOS DHCP server database, see the “DHCP Configuration
Task List” section in the “Configuring DHCP” chapter of the Cisco IOS IP Configuration Guide, Release 12.4.

DHCP Snooping Binding Database


When DHCP snooping is enabled, the switch uses the DHCP snooping binding database to store information
about untrusted interfaces. The database can have up to 64,000 bindings.
Each database entry (binding) has an IP address, an associated MAC address, the lease time (in hexadecimal
format), the interface to which the binding applies, and the VLAN to which the interface belongs. The database
agent stores the bindings in a file at a configured location. At the end of each entry is a checksum that accounts
for all the bytes from the start of the file through all the bytes associated with the entry. Each entry is 72 bytes,
followed by a space and then the checksum value.
To keep the bindings when the switch reloads, you must use the DHCP snooping database agent. If the agent
is disabled, dynamic ARP inspection or IP source guard is enabled, and the DHCP snooping binding database
has dynamic bindings, the switch loses its connectivity. If the agent is disabled and only DHCP snooping is
enabled, the switch does not lose its connectivity, but DHCP snooping might not prevent DHCP spoofing
attacks.
When reloading, the switch reads the binding file to build the DHCP snooping binding database. The switch
updates the file when the database changes.
When a switch learns of new bindings or when it loses bindings, the switch immediately updates the entries
in the database. The switch also updates the entries in the binding file. The frequency at which the file is
updated is based on a configurable delay, and the updates are batched. If the file is not updated in a specified
time (set by the write-delay and abort-timeout values), the update stops.
This is the format of the file with bindings:

<initial-checksum>
TYPE DHCP-SNOOPING
VERSION 1
BEGIN
<entry-1> <checksum-1>
<entry-2> <checksum-1-2>
...
...
<entry-n> <checksum-1-2-..-n>
END

Each entry in the file is tagged with a checksum value that the switch uses to verify the entries when it reads
the file. The initial-checksum entry on the first line distinguishes entries associated with the latest file update
from entries associated with a previous file update.
This is an example of a binding file:

2bb4c2a1
TYPE DHCP-SNOOPING
VERSION 1
BEGIN
192.1.168.1 3 0003.47d8.c91f 2BB6488E Gi1/0/4 21ae5fbb
192.1.168.3 3 0003.44d6.c52f 2BB648EB Gi1/0/4 1bdb223f
192.1.168.2 3 0003.47d9.c8f1 2BB648AB Gi1/0/4 584a38f0
END

When the switch starts and the calculated checksum value equals the stored checksum value, the switch reads
entries from the binding file and adds the bindings to its DHCP snooping binding database. The switch ignores
an entry when one of these situations occurs:
• The switch reads the entry and the calculated checksum value does not equal the stored checksum value.
The entry and the ones following it are ignored.
• An entry has an expired lease time (the switch might not remove a binding entry when the lease time
expires).
• The interface in the entry no longer exists on the system.
• The interface is a routed interface or a DHCP snooping-trusted interface.
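A parser for the binding file layout shown above that applies the reload-time ignore rules just listed, as an added example in Python (not Cisco code). The guide does not define the per-field semantics or the checksum algorithm, so the example assumes the second field of an entry is the VLAN and the hexadecimal lease field is an absolute expiry time in seconds since the Unix epoch, checks checksums for shape only, and uses a constructed file whose per-entry checksums are placeholders.

```python
"""Parse a DHCP snooping binding file and apply the reload-time ignore rules.
Added example, not Cisco code. Assumptions the guide does not state: the
second field of an entry is the VLAN, the hexadecimal lease field is an
absolute expiry time in seconds since the Unix epoch, and checksums are
checked for shape only, because the switch's checksum algorithm is not given."""
import re
from dataclasses import dataclass
from typing import List, Set, Tuple

HEX8 = re.compile(r"^[0-9a-fA-F]{8}$")

@dataclass
class Binding:
    ip: str
    vlan: int
    mac: str
    lease_expiry: int      # assumed: seconds since the epoch, parsed from hex
    interface: str
    checksum: str          # as stored; not recomputed here

def parse_binding_file(text: str) -> List[Binding]:
    """Parse the <checksum>/TYPE/VERSION/BEGIN ... END layout; ValueError if malformed."""
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    if len(lines) < 5 or not HEX8.match(lines[0]):
        raise ValueError("missing or malformed initial checksum")
    if lines[1] != "TYPE DHCP-SNOOPING" or lines[2] != "VERSION 1":
        raise ValueError("unexpected TYPE/VERSION header")
    if lines[3] != "BEGIN" or lines[-1] != "END":
        raise ValueError("BEGIN/END markers not found")
    bindings = []
    for line in lines[4:-1]:
        fields = line.split()
        if len(fields) != 6 or not HEX8.match(fields[3]) or not HEX8.match(fields[5]):
            raise ValueError(f"malformed entry: {line!r}")
        ip, vlan, mac, lease, iface, csum = fields
        bindings.append(Binding(ip, int(vlan), mac, int(lease, 16), iface, csum))
    return bindings

def load_bindings(text: str, now: int, existing: Set[str], routed: Set[str],
                  trusted: Set[str]) -> Tuple[List[Binding], List[Tuple[Binding, str]]]:
    """Split the file into bindings the switch would keep and those it would ignore,
    with the reason, following the rules listed above (checksum rule excepted)."""
    accepted, ignored = [], []
    for b in parse_binding_file(text):
        if b.lease_expiry <= now:
            ignored.append((b, "lease expired"))
        elif b.interface not in existing:
            ignored.append((b, "interface no longer exists"))
        elif b.interface in routed:
            ignored.append((b, "routed interface"))
        elif b.interface in trusted:
            ignored.append((b, "DHCP snooping-trusted interface"))
        else:
            accepted.append(b)
    return accepted, ignored

# Constructed binding file modelled on the guide's example; per-entry
# checksums are placeholders, not values any switch produced.
SAMPLE_FILE = """\
2bb4c2a1
TYPE DHCP-SNOOPING
VERSION 1
BEGIN
192.1.168.1 3 0003.47d8.c91f 2BB6488E Gi1/0/4 21ae5fbb
192.1.168.3 3 0003.44d6.c52f 2BB64700 Gi1/0/4 1bdb223f
192.1.168.2 3 0003.47d9.c8f1 2BB648AB Gi1/0/9 584a38f0
192.1.168.5 3 0003.47d9.c8f2 2BB648AB Gi1/0/1 0a0b0c0d
192.1.168.6 3 0003.47d9.c8f3 2BB648AB Gi1/0/24 0d0c0b0a
END
"""
NOW = 0x2BB64800   # constructed "current time" between the two lease values

if __name__ == "__main__":
    kept, skipped = load_bindings(SAMPLE_FILE, NOW, {"Gi1/0/1", "Gi1/0/4", "Gi1/0/24"},
                                  routed={"Gi1/0/1"}, trusted={"Gi1/0/24"})
    for b in kept:
        print("keep  ", b.ip, b.mac, b.interface)
    for b, why in skipped:
        print("ignore", b.ip, b.mac, b.interface, "-", why)
```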

How to Configure DHCP Features


Default DHCP Snooping Configuration
Table 141: Default DHCP Configuration

Feature                                                               Default Setting
DHCP server                                                           Enabled in Cisco IOS software, requires configuration [15]
DHCP relay agent                                                      Enabled [16]
DHCP packet forwarding address                                        None configured
Checking the relay agent information                                  Enabled (invalid messages are dropped)
DHCP relay agent forwarding policy                                    Replace the existing relay agent information
DHCP snooping enabled globally                                        Disabled
DHCP snooping information option                                      Enabled
DHCP snooping option to accept packets on untrusted input interfaces  Disabled [17]
DHCP snooping limit rate                                              None configured
DHCP snooping trust                                                   Untrusted
DHCP snooping VLAN                                                    Disabled
DHCP snooping MAC address verification                                Enabled
Cisco IOS DHCP server binding database                                Enabled in Cisco IOS software, requires configuration.
                                                                      Note: The switch gets network addresses and configuration
                                                                      parameters only from a device configured as a DHCP server.
DHCP snooping binding database agent                                  Enabled in Cisco IOS software, requires configuration. This
                                                                      feature is operational only when a destination is configured.

[15] The switch responds to DHCP requests only if it is configured as a DHCP server.
[16] The switch relays DHCP packets only if the IP address of the DHCP server is configured on the SVI
of the DHCP client.
[17] Use this feature when the switch is an aggregation switch that receives packets with option-82 information
from an edge switch.

DHCP Snooping Configuration Guidelines


• If a switch port is connected to a DHCP server, configure a port as trusted by entering the ip dhcp
snooping trust interface configuration command.
• If a switch port is connected to a DHCP client, configure a port as untrusted by entering the no ip dhcp
snooping trust interface configuration command.
• You can display DHCP snooping statistics by entering the show ip dhcp snooping statistics user EXEC
command, and you can clear the snooping statistics counters by entering the clear ip dhcp snooping
statistics privileged EXEC command.

Configuring the DHCP Server


The switch can act as a DHCP server.
For procedures to configure the switch as a DHCP server, see the “Configuring DHCP” section of the “IP
Addressing and Services” section of the Cisco IOS IP Configuration Guide, Release 12.4.

Configuring the DHCP Relay Agent


Follow these steps to enable the DHCP relay agent on the switch:

SUMMARY STEPS
1. enable
2. configure terminal
3. service dhcp
4. end
5. show running-config
6. copy running-config startup-config

DETAILED STEPS

Command or Action Purpose


Step 1 enable Enables privileged EXEC mode. Enter your password if
prompted.
Example:

SwitchDevice> enable

Step 2 configure terminal Enters the global configuration mode.


Example:

SwitchDevice# configure terminal

Step 3 service dhcp Enables the DHCP server and relay agent on your switch.
By default, this feature is enabled.
Example:

SwitchDevice(config)# service dhcp

Step 4 end Returns to privileged EXEC mode.


Example:

SwitchDevice(config)# end

Step 5 show running-config Verifies your entries.


Example:

SwitchDevice# show running-config

Step 6 copy running-config startup-config (Optional) Saves your entries in the configuration file.
Example:

SwitchDevice# copy running-config startup-config

What to do next
See the “Configuring DHCP” section of the “IP Addressing and Services” section of the Cisco IOS IP
Configuration Guide, Release 12.4 for these procedures:
• Checking (validating) the relay agent information
• Configuring the relay agent forwarding policy

Specifying the Packet Forwarding Address


If the DHCP server and the DHCP clients are on different networks or subnets, you must configure the switch
with the ip helper-address address interface configuration command. The general rule is to configure the
command on the Layer 3 interface closest to the client. The address used in the ip helper-address command
can be a specific DHCP server IP address, or it can be the network address if other DHCP servers are on the
destination network segment. Using the network address enables any DHCP server to respond to requests.
Beginning in privileged EXEC mode, follow these steps to specify the packet forwarding address:

SUMMARY STEPS
1. enable
2. configure terminal
3. interface vlan vlan-id
4. ip address ip-address subnet-mask
5. ip helper-address address
6. end
7. Use one of the following:
• interface range port-range
• interface interface-id
8. switchport mode access
9. switchport access vlan vlan-id
10. end
11. show running-config
12. copy running-config startup-config

DETAILED STEPS

Command or Action Purpose


Step 1 enable Enables privileged EXEC mode. Enter your password if
prompted.
Example:

SwitchDevice> enable

Step 2 configure terminal Enters the global configuration mode.


Example:

SwitchDevice# configure terminal

Step 3 interface vlan vlan-id Creates a switch virtual interface by entering a VLAN ID,
and enters interface configuration mode.
Example:

SwitchDevice(config)# interface vlan 1

Step 4 ip address ip-address subnet-mask Configures the interface with an IP address and an IP
subnet.
Example:

SwitchDevice(config-if)# ip address 192.108.1.27 255.255.255.0

Step 5 ip helper-address address Specifies the DHCP packet forwarding address.
The helper address can be a specific DHCP server address, or it can be the network address if other DHCP servers
are on the destination network segment. Using the network address enables other servers to respond to DHCP
requests. If you have multiple servers, you can configure one helper address for each server.
Example:

SwitchDevice(config-if)# ip helper-address 172.16.1.2

Step 6 end Returns to global configuration mode.


Example:

SwitchDevice(config-if)# end


Step 7 Use one of the following:
• interface range port-range
• interface interface-id
Configures multiple physical ports that are connected to the DHCP clients, and enters interface range configuration
mode, or configures a single physical port that is connected to the DHCP client, and enters interface configuration
mode.
Example:

SwitchDevice(config)# interface gigabitethernet1/0/2

Step 8 switchport mode access Defines the VLAN membership mode for the port.
Example:

SwitchDevice(config-if)# switchport mode access

Step 9 switchport access vlan vlan-id Assigns the ports to the same VLAN as configured in Step 3.
Example:

SwitchDevice(config-if)# switchport access vlan 1

Step 10 end Returns to privileged EXEC mode.


Example:

SwitchDevice(config-if)# end

Step 11 show running-config Verifies your entries.


Example:

SwitchDevice# show running-config

Step 12 copy running-config startup-config (Optional) Saves your entries in the configuration file.
Example:

SwitchDevice# copy running-config startup-config

Prerequisites for Configuring DHCP Snooping and Option 82


The prerequisites for DHCP Snooping and Option 82 are as follows:
• You must globally enable DHCP snooping on the switch.
• Before globally enabling DHCP snooping on the switch, make sure that the devices acting as the DHCP
server and the DHCP relay agent are configured and enabled.
• If you want the switch to respond to DHCP requests, it must be configured as a DHCP server.


• Before configuring the DHCP snooping information option on your switch, be sure to configure the
device that is acting as the DHCP server. You must specify the IP addresses that the DHCP server can
assign or exclude, or you must configure DHCP options for these devices.
• For DHCP snooping to function properly, all DHCP servers must be connected to the switch through
trusted interfaces. In a service-provider network, a trusted interface is connected to a port on a device in
the same network.
• You must configure the switch to use the Cisco IOS DHCP server binding database to use it for DHCP
snooping.
• To use the DHCP snooping option of accepting packets on untrusted inputs, the switch must be an
aggregation switch that receives packets with option-82 information from an edge switch.
• The following prerequisites apply to DHCP snooping binding database configuration:
  • You must configure a destination on the DHCP snooping binding database to use the switch for DHCP snooping.
  • Because both NVRAM and the flash memory have limited storage capacity, we recommend that you store the binding file on a TFTP server.
  • For network-based URLs (such as TFTP and FTP), you must create an empty file at the configured URL before the switch can write bindings to the binding file at that URL. See the documentation for your TFTP server to determine whether you must first create an empty file on the server; some TFTP servers cannot be configured this way.
  • To ensure that the lease time in the database is accurate, we recommend that you enable and configure Network Time Protocol (NTP).
  • If NTP is configured, the switch writes binding changes to the binding file only when the switch system clock is synchronized with NTP.

• Before configuring the DHCP relay agent on your switch, make sure to configure the device that is acting
as the DHCP server. You must specify the IP addresses that the DHCP server can assign or exclude,
configure DHCP options for devices, or set up the DHCP database agent.
• If you want the switch to relay DHCP packets, the IP address of the DHCP server must be configured
on the switch virtual interface (SVI) of the DHCP client.
• If a switch port is connected to a DHCP server, configure a port as trusted by entering the ip dhcp
snooping trust interface configuration command.
• If a switch port is connected to a DHCP client, configure a port as untrusted by entering the no ip dhcp
snooping trust interface configuration command.

Enabling DHCP Snooping and Option 82


Follow these steps to enable DHCP snooping on the switch:

SUMMARY STEPS
1. enable
2. configure terminal
3. ip dhcp snooping
4. ip dhcp snooping vlan vlan-range
5. ip dhcp snooping information option
6. ip dhcp snooping information option format remote-id [string ASCII-string | hostname]
7. ip dhcp snooping information option allow-untrusted
8. interface interface-id
9. ip dhcp snooping vlan vlan information option format-type circuit-id [override] string ASCII-string
10. ip dhcp snooping trust
11. ip dhcp snooping limit rate rate
12. exit
13. ip dhcp snooping verify mac-address
14. end
15. show running-config
16. copy running-config startup-config

DETAILED STEPS

Step 1 enable
Purpose: Enables privileged EXEC mode. Enter your password if prompted.
Example:
SwitchDevice> enable

Step 2 configure terminal
Purpose: Enters the global configuration mode.
Example:
SwitchDevice# configure terminal

Step 3 ip dhcp snooping
Purpose: Enables DHCP snooping globally.
Example:
SwitchDevice(config)# ip dhcp snooping

Step 4 ip dhcp snooping vlan vlan-range
Purpose: Enables DHCP snooping on a VLAN or range of VLANs. The range is 1 to 4094. You can enter a single VLAN ID identified by VLAN ID number, a series of VLAN IDs separated by commas, a range of VLAN IDs separated by hyphens, or a range of VLAN IDs separated by entering the starting and ending VLAN IDs separated by a space.
Example:
SwitchDevice(config)# ip dhcp snooping vlan 10

Step 5 ip dhcp snooping information option
Purpose: Enables the switch to insert and remove DHCP relay information (option-82 field) in forwarded DHCP request messages to the DHCP server. This is the default setting.
Example:
SwitchDevice(config)# ip dhcp snooping information option

Step 6 ip dhcp snooping information option format remote-id [string ASCII-string | hostname]
Purpose: (Optional) Configures the remote-ID suboption. You can configure the remote ID as:
• String of up to 63 ASCII characters (no spaces)
• Configured hostname for the switch
Note If the hostname is longer than 63 characters, it is truncated to 63 characters in the remote-ID configuration.
The default remote ID is the switch MAC address.
Example:
SwitchDevice(config)# ip dhcp snooping information option format remote-id string acsiistring2

Step 7 ip dhcp snooping information option allow-untrusted
Purpose: (Optional) If the switch is an aggregation switch connected to an edge switch, this command enables the switch to accept incoming DHCP snooping packets with option-82 information from the edge switch. The default setting is disabled.
Note Enter this command only on aggregation switches that are connected to trusted devices.
Example:
SwitchDevice(config)# ip dhcp snooping information option allow-untrusted

Step 8 interface interface-id
Purpose: Specifies the interface to be configured, and enters interface configuration mode.
Example:
SwitchDevice(config)# interface gigabitethernet2/0/1
Step 9 ip dhcp snooping vlan vlan information option format-type circuit-id [override] string ASCII-string
Purpose: (Optional) Configures the circuit-ID suboption for the specified interface. Specify the VLAN and port identifier, using a VLAN ID in the range of 1 to 4094. The default circuit ID is the port identifier, in the format vlan-mod-port. You can configure the circuit ID to be a string of 3 to 63 ASCII characters (no spaces).
(Optional) Use the override keyword when you do not want the circuit-ID suboption inserted in TLV format to define subscriber information.
Example:
SwitchDevice(config-if)# ip dhcp snooping vlan 1 information option format-type circuit-id override string ovrride2

Step 10 ip dhcp snooping trust
Purpose: (Optional) Configures the interface as trusted or untrusted. Use the no keyword to configure an interface to receive messages from an untrusted client. The default setting is untrusted.
Example:
SwitchDevice(config-if)# ip dhcp snooping trust

Step 11 ip dhcp snooping limit rate rate
Purpose: (Optional) Configures the number of DHCP packets per second that an interface can receive. The range is 1 to 2048. By default, no rate limit is configured.
Note We recommend an untrusted rate limit of not more than 100 packets per second. If you configure rate limiting for trusted interfaces, you might need to increase the rate limit if the port is a trunk port assigned to more than one VLAN with DHCP snooping.
Example:
SwitchDevice(config-if)# ip dhcp snooping limit rate 100

Step 12 exit
Purpose: Returns to global configuration mode.
Example:
SwitchDevice(config-if)# exit

Step 13 ip dhcp snooping verify mac-address
Purpose: (Optional) Configures the switch to verify that the source MAC address in a DHCP packet received on untrusted ports matches the client hardware address in the packet. The default is to verify that the source MAC address matches the client hardware address in the packet.
Example:
SwitchDevice(config)# ip dhcp snooping verify mac-address

Step 14 end
Purpose: Returns to privileged EXEC mode.
Example:
SwitchDevice(config)# end

Step 15 show running-config
Purpose: Verifies your entries.
Example:
SwitchDevice# show running-config

Step 16 copy running-config startup-config
Purpose: (Optional) Saves your entries in the configuration file.
Example:
SwitchDevice# copy running-config startup-config
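The following added example, which is not Cisco code and not part of this guide, audits a constructed running-config excerpt against the rules stated in this procedure and its prerequisites: snooping enabled globally and on each client access VLAN, server-facing ports trusted and client ports untrusted, verify mac-address left on, allow-untrusted only on an aggregation switch, and an untrusted rate limit of at most 100 packets per second. The interface names, VLANs and config lines in SAMPLE_CONFIG are placeholders, and the set of server-facing ports is supplied by the operator.

```python
"""Audit DHCP snooping settings in a running-config against this
procedure's rules. Added example with a constructed config, not Cisco code."""

# Constructed running-config excerpt; ports and VLANs are placeholders.
SAMPLE_CONFIG = """\
ip dhcp snooping
ip dhcp snooping vlan 10,20-21
no ip dhcp snooping verify mac-address
ip dhcp snooping information option
!
interface GigabitEthernet1/0/1
 ip dhcp snooping trust
!
interface GigabitEthernet1/0/2
 switchport access vlan 10
 ip dhcp snooping limit rate 100
!
interface GigabitEthernet1/0/3
 switchport access vlan 30
 ip dhcp snooping trust
 ip dhcp snooping limit rate 500
!
interface GigabitEthernet1/0/4
 switchport access vlan 20
!
"""

MAX_UNTRUSTED_RATE = 100  # the guide's recommended ceiling for untrusted ports


def parse_vlan_spec(spec):
    """Expand Step 4's forms: single ID, comma list, hyphen range, 'start end'."""
    parts = spec.split()
    if len(parts) == 2 and all(p.isdigit() for p in parts):
        return set(range(int(parts[0]), int(parts[1]) + 1))
    vlans = set()
    for item in spec.replace(" ", "").split(","):
        if "-" in item:
            lo, hi = item.split("-")
            vlans.update(range(int(lo), int(hi) + 1))
        elif item:
            vlans.add(int(item))
    return vlans


def parse_config(text):
    """Return (global settings, {interface: settings}); verify mac-address is on by default."""
    glob = {"snooping": False, "vlans": set(), "verify_mac": True,
            "allow_untrusted": False}
    ifaces, cur = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("interface "):
            cur = ifaces.setdefault(line.split()[1],
                                    {"trust": False, "rate": None, "vlan": None})
        elif line == "!":
            cur = None
        elif cur is None:                      # global configuration lines
            if line == "ip dhcp snooping":
                glob["snooping"] = True
            elif line.startswith("ip dhcp snooping vlan "):
                glob["vlans"] |= parse_vlan_spec(line[len("ip dhcp snooping vlan "):])
            elif line == "no ip dhcp snooping verify mac-address":
                glob["verify_mac"] = False
            elif line == "ip dhcp snooping information option allow-untrusted":
                glob["allow_untrusted"] = True
        elif line == "ip dhcp snooping trust":    # interface configuration lines
            cur["trust"] = True
        elif line.startswith("ip dhcp snooping limit rate "):
            cur["rate"] = int(line.rsplit(" ", 1)[1])
        elif line.startswith("switchport access vlan "):
            cur["vlan"] = int(line.rsplit(" ", 1)[1])
    return glob, ifaces


def audit(text, server_ports, is_aggregation=False):
    """Apply the guide's trust, VLAN and rate-limit rules; server_ports lead to DHCP servers."""
    glob, ifaces = parse_config(text)
    findings = []
    if not glob["snooping"]:
        findings.append("global: ip dhcp snooping is not enabled")
    if not glob["verify_mac"]:
        findings.append("global: verify mac-address is disabled")
    if glob["allow_untrusted"] and not is_aggregation:
        findings.append("global: allow-untrusted set on a non-aggregation switch")
    for name, cfg in sorted(ifaces.items()):
        if name in server_ports:            # server side must be trusted
            if not cfg["trust"]:
                findings.append(f"{name}: server-facing port is untrusted")
            continue
        if cfg["trust"]:                    # client side must stay untrusted
            findings.append(f"{name}: client port is trusted")
        if cfg["vlan"] is not None and cfg["vlan"] not in glob["vlans"]:
            findings.append(f"{name}: access VLAN {cfg['vlan']} has no snooping")
        if cfg["rate"] is None:
            findings.append(f"{name}: no rate limit on untrusted port")
        elif cfg["rate"] > MAX_UNTRUSTED_RATE:
            findings.append(f"{name}: rate limit {cfg['rate']} exceeds {MAX_UNTRUSTED_RATE} pps")
    return findings
```

Running audit(SAMPLE_CONFIG, {"GigabitEthernet1/0/1"}) reports the disabled MAC verification, the trusted client port on an unsnooped VLAN with an oversized limit, and the port with no limit at all.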


Enabling the Cisco IOS DHCP Server Database


For procedures to enable and configure the Cisco IOS DHCP server database, see the “DHCP Configuration Task List” section in the “Configuring DHCP” chapter of the Cisco IOS IP Configuration Guide, Release 12.4.

Monitoring DHCP Snooping Information


Table 142: Commands for Displaying DHCP Information

Command Purpose
show ip dhcp snooping Displays the DHCP snooping configuration for a switch.
show ip dhcp snooping binding Displays only the dynamically configured bindings in the DHCP snooping binding database, also referred to as a binding table.
show ip dhcp snooping database Displays the DHCP snooping binding database status and statistics.
show ip dhcp snooping statistics Displays the DHCP snooping statistics in summary or detail form.
show ip source binding Displays the dynamically and statically configured bindings.

Note If DHCP snooping is enabled and an interface changes to the down state, the switch does not delete the
statically configured bindings.

Configuring DHCP Server Port-Based Address Allocation


Information About Configuring DHCP Server Port-Based Address Allocation
DHCP server port-based address allocation is a feature that enables DHCP to maintain the same IP address
on an Ethernet switch port regardless of the attached device client identifier or client hardware address.
When Ethernet switches are deployed in the network, they offer connectivity to the directly connected devices.
In some environments, such as on a factory floor, if a device fails, the replacement device must be working
immediately in the existing network. With the current DHCP implementation, there is no guarantee that DHCP
would offer the same IP address to the replacement device. Control, monitoring, and other software expect a
stable IP address associated with each device. If a device is replaced, the address assignment should remain
stable even though the DHCP client has changed.
When configured, the DHCP server port-based address allocation feature ensures that the same IP address is
always offered to the same connected port even as the client identifier or client hardware address changes in
the DHCP messages received on that port. The DHCP protocol recognizes DHCP clients by the client identifier


option in the DHCP packet. Clients that do not include the client identifier option are identified by the client
hardware address. When you configure this feature, the port name of the interface overrides the client identifier
or hardware address and the actual point of connection, the switch port, becomes the client identifier.
In all cases, by connecting the Ethernet cable to the same port, the same IP address is allocated through DHCP
to the attached device.
The DHCP server port-based address allocation feature is only supported on a Cisco IOS DHCP server and
not a third-party server.

Default Port-Based Address Allocation Configuration


By default, DHCP server port-based address allocation is disabled.

Port-Based Address Allocation Configuration Guidelines


• By default, DHCP server port-based address allocation is disabled.
• To restrict assignments from the DHCP pool to preconfigured reservations (unreserved addresses are
not offered to the client and other clients are not served by the pool), you can enter the reserved-only
DHCP pool configuration command.

Enabling the DHCP Snooping Binding Database Agent


Beginning in privileged EXEC mode, follow these steps to enable and configure the DHCP snooping binding
database agent on the switch:

SUMMARY STEPS
1. enable
2. configure terminal
3. ip dhcp snooping database {flash[number]:/filename | ftp://user:password@host/filename | http://[[username:password]@]{hostname | host-ip}[/directory]/image-name.tar | rcp://user@host/filename | tftp://host/filename}
4. ip dhcp snooping database timeout seconds
5. ip dhcp snooping database write-delay seconds
6. end
7. ip dhcp snooping binding mac-address vlan vlan-id ip-address interface interface-id expiry seconds
8. show ip dhcp snooping database [detail]
9. show running-config
10. copy running-config startup-config

DETAILED STEPS

Step 1 enable
Purpose: Enables privileged EXEC mode. Enter your password if prompted.
Example:
SwitchDevice> enable

Step 2 configure terminal
Purpose: Enters the global configuration mode.
Example:
SwitchDevice# configure terminal

Step 3 ip dhcp snooping database {flash[number]:/filename | ftp://user:password@host/filename | http://[[username:password]@]{hostname | host-ip}[/directory]/image-name.tar | rcp://user@host/filename | tftp://host/filename}
Purpose: Specifies the URL for the database agent or the binding file by using one of these forms:
• flash[number]:/filename
  (Optional) Use the number parameter to specify the stack member number of the stack master. The range for number is 1 to 9.
• ftp://user:password@host/filename
• http://[[username:password]@]{hostname | host-ip}[/directory]/image-name.tar
• rcp://user@host/filename
• tftp://host/filename
Example:
SwitchDevice(config)# ip dhcp snooping database tftp://10.90.90.90/snooping-rp2

Step 4 ip dhcp snooping database timeout seconds
Purpose: Specifies (in seconds) how long to wait for the database transfer process to finish before stopping the process. The default is 300 seconds. The range is 0 to 86400. Use 0 to define an infinite duration, which means to continue trying the transfer indefinitely.
Example:
SwitchDevice(config)# ip dhcp snooping database timeout 300

Step 5 ip dhcp snooping database write-delay seconds
Purpose: Specifies the duration for which the transfer should be delayed after the binding database changes. The range is from 15 to 86400 seconds. The default is 300 seconds (5 minutes).
Example:
SwitchDevice(config)# ip dhcp snooping database write-delay 15

Step 6 end
Purpose: Returns to privileged EXEC mode.
Example:
SwitchDevice(config)# end

Step 7 ip dhcp snooping binding mac-address vlan vlan-id ip-address interface interface-id expiry seconds
Purpose: (Optional) Adds binding entries to the DHCP snooping binding database. The vlan-id range is from 1 to 4094. The seconds range is from 1 to 4294967295. Enter this command for each entry that you add. Use this command when you are testing or debugging the switch.
Example:
SwitchDevice# ip dhcp snooping binding 0001.1234.1234 vlan 1 172.20.50.5 interface gi1/1 expiry 1000

Step 8 show ip dhcp snooping database [detail]
Purpose: Displays the status and statistics of the DHCP snooping binding database agent.
Example:
SwitchDevice# show ip dhcp snooping database detail

Step 9 show running-config
Purpose: Verifies your entries.
Example:
SwitchDevice# show running-config

Step 10 copy running-config startup-config
Purpose: (Optional) Saves your entries in the configuration file.
Example:
SwitchDevice# copy running-config startup-config

Enabling DHCP Server Port-Based Address Allocation


Follow these steps to globally enable port-based address allocation and to automatically generate a subscriber
identifier on an interface.

SUMMARY STEPS
1. enable
2. configure terminal
3. ip dhcp use subscriber-id client-id
4. ip dhcp subscriber-id interface-name
5. interface interface-id
6. ip dhcp server use subscriber-id client-id
7. end
8. show running-config
9. copy running-config startup-config

DETAILED STEPS

Step 1 enable
Purpose: Enables privileged EXEC mode. Enter your password if prompted.
Example:
SwitchDevice> enable

Step 2 configure terminal
Purpose: Enters the global configuration mode.
Example:
SwitchDevice# configure terminal

Step 3 ip dhcp use subscriber-id client-id
Purpose: Configures the DHCP server to globally use the subscriber identifier as the client identifier on all incoming DHCP messages.
Example:
SwitchDevice(config)# ip dhcp use subscriber-id client-id

Step 4 ip dhcp subscriber-id interface-name
Purpose: Automatically generates a subscriber identifier based on the short name of the interface. A subscriber identifier configured on a specific interface takes precedence over this command.
Example:
SwitchDevice(config)# ip dhcp subscriber-id interface-name

Step 5 interface interface-id
Purpose: Specifies the interface to be configured, and enters interface configuration mode.
Example:
SwitchDevice(config)# interface gigabitethernet1/0/1

Step 6 ip dhcp server use subscriber-id client-id
Purpose: Configures the DHCP server to use the subscriber identifier as the client identifier on all incoming DHCP messages on the interface.
Example:
SwitchDevice(config-if)# ip dhcp server use subscriber-id client-id

Step 7 end
Purpose: Returns to privileged EXEC mode.
Example:
SwitchDevice(config)# end

Step 8 show running-config
Purpose: Verifies your entries.
Example:
SwitchDevice# show running-config

Step 9 copy running-config startup-config
Purpose: (Optional) Saves your entries in the configuration file.
Example:
SwitchDevice# copy running-config startup-config


What to do next
After enabling DHCP port-based address allocation on the switch, use the ip dhcp pool global configuration
command to preassign IP addresses and to associate them to clients.

Monitoring DHCP Server Port-Based Address Allocation


Table 143: Commands for Displaying DHCP Port-Based Address Allocation Information

Command Purpose
show interface interface-id Displays the status and configuration of a specific interface.
show ip dhcp pool Displays the DHCP address pools.
show ip dhcp binding Displays address bindings on the Cisco IOS DHCP server.

CHAPTER 60
Configuring IP Source Guard
IP Source Guard (IPSG) is a security feature that restricts IP traffic on nonrouted, Layer 2 interfaces by filtering
traffic based on the DHCP snooping binding database and on manually configured IP source bindings.
This chapter contains the following topics:
• Finding Feature Information, on page 1345
• Information About IP Source Guard, on page 1345
• How to Configure IP Source Guard, on page 1347
• Monitoring IP Source Guard, on page 1351

Finding Feature Information


Your software release may not support all the features documented in this module. For the latest caveats and
feature information, see Bug Search Tool and the release notes for your platform and software release. To
find information about the features documented in this module, and to see a list of the releases in which each
feature is supported, see the feature information table at the end of this module.
Use Cisco Feature Navigator to find information about platform support and Cisco software image support.
To access Cisco Feature Navigator, go to http://www.cisco.com/go/cfn. An account on Cisco.com is not
required.

Information About IP Source Guard


IP Source Guard
You can use IP source guard to prevent traffic attacks if a host tries to use the IP address of its neighbor. You can enable IP source guard when DHCP snooping is enabled on an untrusted interface.
After IPSG is enabled on an interface, the switch blocks all IP traffic received on the interface except for DHCP packets allowed by DHCP snooping.
The switch uses a source IP lookup table in hardware to bind IP addresses to ports. For IP and MAC filtering, a combination of source IP and source MAC lookups is used. IP traffic with a source IP address in the binding table is allowed; all other traffic is denied.


The IP source binding table has bindings that are learned by DHCP snooping or are manually configured
(static IP source bindings). An entry in this table has an IP address, its associated MAC address, and its
associated VLAN number. The switch uses the IP source binding table only when IP source guard is enabled.
IPSG is supported only on Layer 2 ports, including access and trunk ports. You can configure IPSG with
source IP address filtering or with source IP and MAC address filtering.

IP Source Guard for Static Hosts

Note Do not use IPSG (IP source guard) for static hosts on uplink ports or trunk ports.

IPSG for static hosts extends the IPSG capability to non-DHCP and static environments. The previous IPSG
used the entries created by DHCP snooping to validate the hosts connected to a switch. Any traffic received
from a host without a valid DHCP binding entry is dropped. This security feature restricts IP traffic on
nonrouted Layer 2 interfaces. It filters traffic based on the DHCP snooping binding database and on manually
configured IP source bindings. The previous version of IPSG required a DHCP environment for IPSG to
work.
IPSG for static hosts allows IPSG to work without DHCP. IPSG for static hosts relies on IP device tracking-table
entries to install port ACLs. The switch creates static entries based on ARP requests or other IP packets to
maintain the list of valid hosts for a given port. You can also specify the number of hosts allowed to send
traffic to a given port. This is equivalent to port security at Layer 3.
IPSG for static hosts also supports dynamic hosts. If a dynamic host receives a DHCP-assigned IP address
that is available in the IP DHCP snooping table, the same entry is learned by the IP device tracking table. In
a stacked environment, when the master failover occurs, the IP source guard entries for static hosts attached
to member ports are retained. When you enter the show ip device tracking all EXEC command, the IP device
tracking table displays the entries as ACTIVE.

Note Some IP hosts with multiple network interfaces can inject some invalid packets into a network interface. The invalid packets contain the IP or MAC address for another network interface of the host as the source address. The invalid packets can cause IPSG for static hosts to connect to the host, to learn the invalid IP or MAC address bindings, and to reject the valid bindings. Consult the vendor of the corresponding operating system and the network interface to prevent the host from injecting invalid packets.

IPSG for static hosts initially learns IP or MAC bindings dynamically through an ACL-based snooping
mechanism. IP or MAC bindings are learned from static hosts by ARP and IP packets. They are stored in the
device tracking database. When the number of IP addresses that have been dynamically learned or statically
configured on a given port reaches a maximum, the hardware drops any packet with a new IP address. To
resolve hosts that have moved or gone away for any reason, IPSG for static hosts leverages IP device tracking
to age out dynamically learned IP address bindings. This feature can be used with DHCP snooping. Multiple
bindings are established on a port that is connected to both DHCP and static hosts. For example, bindings are
stored in both the device tracking database as well as in the DHCP snooping binding database.
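As an added example, not Cisco's implementation and not part of this guide, the model below reproduces the IPSG forwarding decision described in this section: on a port where IPSG is enabled, DHCP packets pass, a non-DHCP packet passes only if its source IP (and, with mac-check, its source MAC) matches a binding for that port and VLAN, and everything else is dropped; the static-hosts path learns new bindings only up to the port's ip device tracking maximum. The binding 0100.0230.0002 / VLAN 11 / 10.0.0.4 on gigabitethernet1/0/1 is the one used in this chapter's configuration example; the other interfaces, addresses and MACs are constructed.

```python
"""Model of the IP Source Guard (IPSG) forwarding decision described above.
Added example with constructed bindings; not Cisco's implementation."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Binding:
    """One IP source binding table entry (DHCP-snooping-learned or static)."""
    ip: str
    mac: str
    vlan: int
    interface: str


@dataclass
class PortPolicy:
    """ip verify source [tracking] [mac-check] plus ip device tracking maximum."""
    mac_check: bool = False   # also compare the source MAC against the binding
    tracking: bool = False    # IPSG for static hosts (learn from ARP/IP packets)
    max_hosts: int = 10       # ip device tracking maximum, range 1 to 10


class SourceGuard:
    def __init__(self):
        self.bindings = set()   # consulted only on ports where IPSG is enabled
        self.policies = {}      # interface -> PortPolicy

    def add_binding(self, mac, vlan, ip, interface):
        """Same argument order as ip source binding mac vlan vlan-id ip interface."""
        self.bindings.add(Binding(ip, mac.lower(), vlan, interface))

    def enable(self, interface, policy):
        self.policies[interface] = policy

    def learn_static_host(self, interface, vlan, ip, mac):
        """Static-host learning: a new source IP is accepted only while the port
        is below its device-tracking maximum; beyond that it is dropped."""
        pol = self.policies.get(interface)
        if pol is None or not pol.tracking:
            return False
        if any(b.ip == ip and b.interface == interface for b in self.bindings):
            return True                             # already known on this port
        if sum(b.interface == interface for b in self.bindings) >= pol.max_hosts:
            return False
        self.add_binding(mac, vlan, ip, interface)
        return True

    def permit(self, interface, vlan, src_ip, src_mac, is_dhcp=False):
        """Forwarding decision for one frame received on a Layer 2 port."""
        pol = self.policies.get(interface)
        if pol is None:
            return True                # IPSG not enabled: binding table unused
        if is_dhcp:
            return True                # DHCP packets are left to DHCP snooping
        for b in self.bindings:
            if b.interface == interface and b.vlan == vlan and b.ip == src_ip:
                return (not pol.mac_check) or b.mac == src_mac.lower()
        return False                   # no binding for this source: denied
```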


IP Source Guard Configuration Guidelines


• You can configure static IP bindings only on nonrouted ports. If you enter the ip source binding
mac-address vlan vlan-id ip-address interface interface-id global configuration command on a routed
interface, this error message appears:

Static IP source binding can only be configured on switch port.

• When IP source guard with source IP filtering is enabled on an interface, DHCP snooping must be enabled
on the access VLAN for that interface.
• If you are enabling IP source guard on a trunk interface with multiple VLANs and DHCP snooping is
enabled on all the VLANs, the source IP address filter is applied on all the VLANs.

Note If IP source guard is enabled and you enable or disable DHCP snooping on a
VLAN on the trunk interface, the switch might not properly filter traffic.

• You can enable this feature when 802.1x port-based authentication is enabled.
• When you configure IP source guard smart logging, packets with a source address other than the specified
address or an address learned by DHCP are denied, and the packet contents are sent to a NetFlow collector.
If you configure this feature, make sure that smart logging is globally enabled.
• In a switch stack, if IP source guard is configured on a stack member interface and you remove the configuration of that switch by entering the no switch stack-member-number provision global configuration command, the interface static bindings are removed from the binding table, but they are not removed from the running configuration. If you again provision the switch by entering the switch stack-member-number provision command, the binding is restored.
To remove the binding from the running configuration, you must disable IP source guard before entering the no switch provision command. The configuration is also removed if the switch reloads while the interface is removed from the binding table.

How to Configure IP Source Guard


Enabling IP Source Guard
SUMMARY STEPS
1. enable
2. configure terminal
3. interface interface-id
4. ip verify source [mac-check]
5. exit
6. ip source binding mac-address vlan vlan-id ip-address interface interface-id
7. end
8. show running-config
9. copy running-config startup-config

DETAILED STEPS

Step 1 enable
Purpose: Enables privileged EXEC mode. Enter your password if prompted.
Example:
SwitchDevice> enable

Step 2 configure terminal
Purpose: Enters the global configuration mode.
Example:
SwitchDevice# configure terminal

Step 3 interface interface-id
Purpose: Specifies the interface to be configured, and enters interface configuration mode.
Example:
SwitchDevice(config)# interface gigabitethernet1/0/1

Step 4 ip verify source [mac-check]
Purpose: Enables IP source guard with source IP address filtering.
(Optional) mac-check: Enables IP Source Guard with source IP address and MAC address filtering.
Example:
SwitchDevice(config-if)# ip verify source

Step 5 exit
Purpose: Returns to global configuration mode.
Example:
SwitchDevice(config-if)# exit

Step 6 ip source binding mac-address vlan vlan-id ip-address interface interface-id
Purpose: Adds a static IP source binding. Enter this command for each static binding.
Example:
SwitchDevice(config)# ip source binding 0100.0230.0002 vlan 11 10.0.0.4 interface gigabitethernet1/0/1

Step 7 end
Purpose: Returns to privileged EXEC mode.
Example:
SwitchDevice(config)# end

Step 8 show running-config
Purpose: Verifies your entries.
Example:
SwitchDevice# show running-config

Step 9 copy running-config startup-config
Purpose: (Optional) Saves your entries in the configuration file.
Example:
SwitchDevice# copy running-config startup-config

Configuring IP Source Guard for Static Hosts on a Layer 2 Access Port


You must configure the ip device tracking maximum limit-number interface configuration command globally
for IPSG for static hosts to work. If you only configure this command on a port without enabling IP device
tracking globally or by setting an IP device tracking maximum on that interface, IPSG with static hosts rejects
all the IP traffic from that interface.

SUMMARY STEPS
1. enable
2. configure terminal
3. ip device tracking
4. interface interface-id
5. switchport mode access
6. switchport access vlan vlan-id
7. ip verify source [tracking] [mac-check]
8. ip device tracking maximum number
9. end

DETAILED STEPS

Step 1 enable
Purpose: Enables privileged EXEC mode. Enter your password if prompted.
Example:
SwitchDevice> enable

Step 2 configure terminal
Purpose: Enters the global configuration mode.
Example:
SwitchDevice# configure terminal

Step 3 ip device tracking
Purpose: Turns on the IP host table, and globally enables IP device tracking.
Example:
SwitchDevice(config)# ip device tracking

Step 4 interface interface-id
Purpose: Enters interface configuration mode.
Example:
SwitchDevice(config)# interface gigabitethernet1/0/1

Step 5 switchport mode access
Purpose: Configures a port as access.
Example:
SwitchDevice(config-if)# switchport mode access

Step 6 switchport access vlan vlan-id
Purpose: Configures the VLAN for this port.
Example:
SwitchDevice(config-if)# switchport access vlan 10
Step 7 ip verify source [tracking] [mac-check]
Purpose: Enables IP source guard with source IP address filtering.
(Optional) tracking: Enables IP source guard for static hosts.
(Optional) mac-check: Enables MAC address filtering.
The command ip verify source tracking mac-check enables IP source guard for static hosts with MAC address filtering.
Example:
SwitchDevice(config-if)# ip verify source tracking mac-check

Step 8 ip device tracking maximum number
Purpose: Establishes a maximum limit for the number of static IPs that the IP device tracking table allows on the port. The range is 1 to 10. The maximum number is 10.
Note You must configure the ip device tracking maximum limit-number interface configuration command.
Example:
SwitchDevice(config-if)# ip device tracking maximum 8

Step 9 end
Purpose: Returns to privileged EXEC mode.
Example:
SwitchDevice(config)# end


Monitoring IP Source Guard


Table 144: Privileged EXEC show Commands

Command Purpose
show ip verify source [interface interface-id] Displays the IP source guard configuration on the switch or on a specific interface.
show ip device tracking {all | interface interface-id | ip ip-address | mac mac-address} Displays information about the entries in the IP device tracking table.

Table 145: Interface Configuration Commands

Command Purpose
ip verify source tracking Verifies the data source.

For detailed information about the fields in these displays, see the command reference for this release.

CHAPTER 61
Configuring Dynamic ARP Inspection
• Finding Feature Information, on page 1353
• Restrictions for Dynamic ARP Inspection, on page 1353
• Understanding Dynamic ARP Inspection, on page 1355
• Default Dynamic ARP Inspection Configuration, on page 1358
• Relative Priority of ARP ACLs and DHCP Snooping Entries, on page 1359
• Configuring ARP ACLs for Non-DHCP Environments, on page 1359
• Configuring Dynamic ARP Inspection in DHCP Environments, on page 1362
• Limiting the Rate of Incoming ARP Packets, on page 1364
• Performing Dynamic ARP Inspection Validation Checks, on page 1366
• Monitoring DAI, on page 1368
• Verifying the DAI Configuration, on page 1368

Finding Feature Information


Your software release may not support all the features documented in this module. For the latest caveats and
feature information, see Bug Search Tool and the release notes for your platform and software release. To
find information about the features documented in this module, and to see a list of the releases in which each
feature is supported, see the feature information table at the end of this module.
Use Cisco Feature Navigator to find information about platform support and Cisco software image support.
To access Cisco Feature Navigator, go to http://www.cisco.com/go/cfn. An account on Cisco.com is not
required.

Restrictions for Dynamic ARP Inspection


This section lists the restrictions and guidelines for configuring Dynamic ARP Inspection on the switch.
• Dynamic ARP inspection is an ingress security feature; it does not perform any egress checking.
• Dynamic ARP inspection is not effective for hosts connected to switches that do not support dynamic
ARP inspection or that do not have this feature enabled. Because man-in-the-middle attacks are limited
to a single Layer 2 broadcast domain, separate the domain with dynamic ARP inspection checks from
the one with no checking. This action secures the ARP caches of hosts in the domain enabled for dynamic
ARP inspection.


• Dynamic ARP inspection depends on the entries in the DHCP snooping binding database to verify
IP-to-MAC address bindings in incoming ARP requests and ARP responses. Make sure to enable DHCP
snooping to permit ARP packets that have dynamically assigned IP addresses.
When DHCP snooping is disabled or in non-DHCP environments, use ARP ACLs to permit or to deny
packets.
• Dynamic ARP inspection is supported on access ports, trunk ports, and EtherChannel ports.

Note Do not enable Dynamic ARP inspection on RSPAN VLANs. If Dynamic ARP
inspection is enabled on RSPAN VLANs, Dynamic ARP inspection packets
might not reach the RSPAN destination port.

• A physical port can join an EtherChannel port channel only when the trust state of the physical port and
the channel port match. Otherwise, the physical port remains suspended in the port channel. A port
channel inherits its trust state from the first physical port that joins the channel. Consequently, the trust
state of the first physical port need not match the trust state of the channel.
Conversely, when you change the trust state on the port channel, the switch configures a new trust state
on all the physical ports that comprise the channel.
• The rate limit is calculated separately on each switch in a switch stack. For a cross-stack EtherChannel,
this means that the actual rate limit might be higher than the configured value. For example, if you set
the rate limit to 30 pps on an EtherChannel that has one port on switch 1 and one port on switch 2, each
port can receive packets at 29 pps without causing the EtherChannel to become error-disabled.
• The operating rate for the port channel is cumulative across all the physical ports within the channel. For
example, if you configure the port channel with an ARP rate-limit of 400 pps, all the interfaces combined
on the channel receive an aggregate 400 pps. The rate of incoming ARP packets on EtherChannel ports
is equal to the sum of the incoming rate of packets from all the channel members. Configure the rate
limit for EtherChannel ports only after examining the rate of incoming ARP packets on the channel-port
members.
The rate of incoming packets on a physical port is checked against the port-channel configuration rather
than the physical-ports configuration. The rate-limit configuration on a port channel is independent of
the configuration on its physical ports.
If the EtherChannel receives more ARP packets than the configured rate, the channel (including all
physical ports) is placed in the error-disabled state.
• Make sure to limit the rate of ARP packets on incoming trunk ports. Configure trunk ports with higher
rates to reflect their aggregation and to handle packets across multiple dynamic ARP inspection-enabled
VLANs. You also can use the ip arp inspection limit none interface configuration command to make
the rate unlimited. A high rate-limit on one VLAN can cause a denial-of-service attack to other VLANs
when the software places the port in the error-disabled state.
• When you enable dynamic ARP inspection on the switch, policers that were configured to police ARP
traffic are no longer effective. The result is that all ARP traffic is sent to the CPU.


Understanding Dynamic ARP Inspection


ARP provides IP communication within a Layer 2 broadcast domain by mapping an IP address to a MAC
address. For example, Host B wants to send information to Host A but does not have the MAC address of
Host A in its ARP cache. Host B generates a broadcast message for all hosts within the broadcast domain to
obtain the MAC address associated with the IP address of Host A. All hosts within the broadcast domain
receive the ARP request, and Host A responds with its MAC address. However, because ARP allows a gratuitous
reply from a host even if an ARP request was not received, an ARP spoofing attack and the poisoning of ARP
caches can occur. After the attack, all traffic from the device under attack flows through the attacker's computer
and then to the router, switch, or host.
A malicious user can attack hosts, switches, and routers connected to your Layer 2 network by poisoning the
ARP caches of systems connected to the subnet and by intercepting traffic intended for other hosts on the
subnet. Figure 112 shows an example of ARP cache poisoning.
Figure 112: ARP Cache Poisoning

Hosts A, B, and C are connected to the switch on interfaces A, B and C, all of which are on the same subnet.
Their IP and MAC addresses are shown in parentheses; for example, Host A uses IP address IA and MAC
address MA. When Host A needs to communicate to Host B at the IP layer, it broadcasts an ARP request for
the MAC address associated with IP address IB. When the switch and Host B receive the ARP request, they
populate their ARP caches with an ARP binding for a host with the IP address IA and a MAC address MA;
for example, IP address IA is bound to MAC address MA. When Host B responds, the switch and Host A
populate their ARP caches with a binding for a host with the IP address IB and the MAC address MB.
Host C can poison the ARP caches of the switch, Host A, and Host B by broadcasting forged ARP responses
with bindings for a host with an IP address of IA (or IB) and a MAC address of MC. Hosts with poisoned
ARP caches use the MAC address MC as the destination MAC address for traffic intended for IA or IB. This
means that Host C intercepts that traffic. Because Host C knows the true MAC addresses associated with IA
and IB, it can forward the intercepted traffic to those hosts by using the correct MAC address as the destination.
Host C has inserted itself into the traffic stream from Host A to Host B, the classic man-in-the-middle attack.
Dynamic ARP inspection is a security feature that validates ARP packets in a network. It intercepts, logs, and
discards ARP packets with invalid IP-to-MAC address bindings. This capability protects the network from
certain man-in-the-middle attacks.
Dynamic ARP inspection ensures that only valid ARP requests and responses are relayed. The switch performs
these activities:
• Intercepts all ARP requests and responses on untrusted ports
• Verifies that each of these intercepted packets has a valid IP-to-MAC address binding before updating
the local ARP cache or before forwarding the packet to the appropriate destination
• Drops invalid ARP packets


Dynamic ARP inspection determines the validity of an ARP packet based on valid IP-to-MAC address bindings
stored in a trusted database, the DHCP snooping binding database. This database is built by DHCP snooping
if DHCP snooping is enabled on the VLANs and on the switch. If the ARP packet is received on a trusted
interface, the switch forwards the packet without any checks. On untrusted interfaces, the switch forwards
the packet only if it is valid.
You enable dynamic ARP inspection on a per-VLAN basis by using the ip arp inspection vlan vlan-range
global configuration command.
In non-DHCP environments, dynamic ARP inspection can validate ARP packets against user-configured ARP
access control lists (ACLs) for hosts with statically configured IP addresses. You define an ARP ACL by
using the arp access-list acl-name global configuration command.
You can configure dynamic ARP inspection to drop ARP packets when the IP addresses in the packets are
invalid or when the MAC addresses in the body of the ARP packets do not match the addresses specified in
the Ethernet header. Use the ip arp inspection validate {[src-mac] [dst-mac] [ip]} global configuration
command.

Interface Trust States and Network Security


Dynamic ARP inspection associates a trust state with each interface on the switch. Packets arriving on trusted
interfaces bypass all dynamic ARP inspection validation checks, and those arriving on untrusted interfaces
undergo the dynamic ARP inspection validation process.
In a typical network configuration, you configure all switch ports connected to host ports as untrusted and
configure all switch ports connected to switches as trusted. With this configuration, all ARP packets entering
the network from a given switch bypass the security check. No other validation is needed at any other place
in the VLAN or in the network. You configure the trust setting by using the ip arp inspection trust interface
configuration command.

Caution Use the trust state configuration carefully. Configuring interfaces as untrusted when they should be trusted
can result in a loss of connectivity.

In the following figure, assume that both Switch A and Switch B are running dynamic ARP inspection on the
VLAN that includes Host 1 and Host 2. If Host 1 and Host 2 acquire their IP addresses from the DHCP server
connected to Switch A, only Switch A binds the IP-to-MAC address of Host 1. Therefore, if the interface
between Switch A and Switch B is untrusted, the ARP packets from Host 1 are dropped by Switch B.
Connectivity between Host 1 and Host 2 is lost.


Figure 113: ARP Packet Validation on a VLAN Enabled for Dynamic ARP Inspection

Configuring interfaces to be trusted when they are actually untrusted leaves a security hole in the network. If
Switch A is not running dynamic ARP inspection, Host 1 can easily poison the ARP cache of Switch B (and
Host 2, if the link between the switches is configured as trusted). This condition can occur even though Switch
B is running dynamic ARP inspection.
Dynamic ARP inspection ensures that hosts (on untrusted interfaces) connected to a switch running dynamic
ARP inspection do not poison the ARP caches of other hosts in the network. However, dynamic ARP inspection
does not prevent hosts in other portions of the network from poisoning the caches of the hosts that are connected
to a switch running dynamic ARP inspection.
In cases in which some switches in a VLAN run dynamic ARP inspection and other switches do not, configure
the interfaces connecting such switches as untrusted. However, to validate the bindings of packets from
switches that do not run dynamic ARP inspection, configure the switch running dynamic ARP inspection with
ARP ACLs. When you cannot determine such bindings, isolate the switches running dynamic ARP inspection
at Layer 3 from the switches that do not.

Note Depending on the setup of the DHCP server and the network, it might not be possible to validate a given ARP
packet on all switches in the VLAN.

Rate Limiting of ARP Packets


The switch CPU performs dynamic ARP inspection validation checks; therefore, the number of incoming
ARP packets is rate-limited to prevent a denial-of-service attack. By default, the rate for untrusted interfaces
is 15 packets per second (pps). Trusted interfaces are not rate-limited. You can change this setting by using
the ip arp inspection limit interface configuration command.
When the rate of incoming ARP packets exceeds the configured limit, the switch places the port in the
error-disabled state. The port remains in that state until you intervene. You can use the errdisable recovery
global configuration command to enable error disable recovery so that ports automatically emerge from this
state after a specified timeout period.


Note The rate limit for an EtherChannel is applied separately to each switch in a stack. For example, if a limit of
20 pps is configured on the EtherChannel, each switch with ports in the EtherChannel can carry up to 20 pps.
If any switch exceeds the limit, the entire EtherChannel is placed into the error-disabled state.

Relative Priority of ARP ACLs and DHCP Snooping Entries


Dynamic ARP inspection uses the DHCP snooping binding database for the list of valid IP-to-MAC address
bindings.
ARP ACLs take precedence over entries in the DHCP snooping binding database. The switch uses ACLs only
if you configure them by using the ip arp inspection filter vlan global configuration command. The switch
first compares ARP packets to user-configured ARP ACLs. If the ARP ACL denies the ARP packet, the
switch also denies the packet even if a valid binding exists in the database populated by DHCP snooping.
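
The order of decisions just described (a trusted port skips every check, an ARP ACL applied with ip arp inspection filter is consulted first, and the DHCP snooping binding decides only when no ACL clause matches and the static keyword, described under Configuring ARP ACLs for Non-DHCP Environments, is absent) is easy to get wrong, so the Python model below walks through it on the hosts of the ARP cache poisoning figure. This is an added illustration, not Cisco IOS code or output: the DaiSwitch class, the port names (Gi1/0/2, Gi1/0/24 and so on), VLAN numbers and every address are constructed for the example.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple

ARP_REQUEST, ARP_REPLY = 1, 2  # ARP opcodes

@dataclass(frozen=True)
class ArpPacket:
    opcode: int
    sender_ip: str
    sender_mac: str
    target_ip: str
    target_mac: str

@dataclass
class ArpAcl:
    """Clauses (action, sender_ip, sender_mac) as entered with `permit ip host <ip> mac host <mac>`."""
    name: str
    clauses: List[Tuple[str, str, str]] = field(default_factory=list)

    def match(self, pkt: ArpPacket) -> Optional[str]:
        for action, ip, mac in self.clauses:
            if ip == pkt.sender_ip and mac == pkt.sender_mac:
                return action
        return None  # no clause matched: the implicit deny at the end of the list

@dataclass
class VlanFilter:
    """State of `ip arp inspection filter <acl> vlan <id> [static]`."""
    acl: ArpAcl
    static: bool = False

class DaiSwitch:
    """Constructed per-switch DAI state (model only, not IOS code)."""

    def __init__(self) -> None:
        self.dai_vlans: Set[int] = set()                # ip arp inspection vlan
        self.trusted: Set[str] = set()                  # ip arp inspection trust
        self.filters: Dict[int, VlanFilter] = {}        # ip arp inspection filter
        self.bindings: Dict[Tuple[int, str], str] = {}  # DHCP snooping: (vlan, ip) -> mac
        self.log: List[str] = []                        # dropped-packet log buffer

    def inspect(self, iface: str, vlan: int, pkt: ArpPacket) -> Tuple[str, str]:
        """Return ("permit" | "drop", reason) for one ARP packet received on iface in vlan."""
        if vlan not in self.dai_vlans:
            return "permit", "DAI not enabled on VLAN"
        if iface in self.trusted:
            return "permit", "trusted interface, no checks"
        flt = self.filters.get(vlan)
        if flt is not None:  # the ARP ACL is consulted before the DHCP bindings
            action = flt.acl.match(pkt)
            if action == "permit":
                return "permit", f"ACL {flt.acl.name} permit"
            if action == "deny":
                return self._drop(iface, vlan, pkt, f"ACL {flt.acl.name} explicit deny")
            if flt.static:
                return self._drop(iface, vlan, pkt, "ACL implicit deny (static)")
            # no clause matched and no `static`: fall through to the DHCP bindings
        if self.bindings.get((vlan, pkt.sender_ip)) == pkt.sender_mac:
            return "permit", "valid DHCP snooping binding"
        return self._drop(iface, vlan, pkt, "invalid IP-to-MAC binding")

    def _drop(self, iface, vlan, pkt, reason) -> Tuple[str, str]:
        self.log.append(f"vlan {vlan} {iface} {pkt.sender_ip}/{pkt.sender_mac}: {reason}")
        return "drop", reason

def run_scenario() -> Tuple[Dict[str, str], List[str]]:
    """Hosts A, B and C of the cache-poisoning figure on VLAN 1 (DHCP bindings present)
    plus a non-DHCP VLAN 2 protected by an ARP ACL; returns each decision and the drop log."""
    sw = DaiSwitch()
    sw.dai_vlans.update({1, 2})
    sw.trusted.add("Gi1/0/24")  # uplink to another DAI-enabled switch
    ia, ma, ib, mb, mc = "10.1.1.10", "0000.0000.000a", "10.1.1.20", "0000.0000.000b", "0000.0000.000c"
    sw.bindings.update({(1, ia): ma, (1, ib): mb, (1, "10.1.1.30"): mc})
    sw.filters[2] = VlanFilter(ArpAcl("host2", [("permit", "10.2.2.20", "0000.0000.00b2")]))
    results: Dict[str, str] = {}
    honest = ArpPacket(ARP_REPLY, ib, mb, ia, ma)   # B answers A truthfully
    forged = ArpPacket(ARP_REPLY, ia, mc, ib, mb)   # C claims "IA is at MC"
    results["honest_reply"] = sw.inspect("Gi1/0/2", 1, honest)[0]
    results["forged_reply_untrusted"] = sw.inspect("Gi1/0/3", 1, forged)[0]
    results["forged_reply_trusted"] = sw.inspect("Gi1/0/24", 1, forged)[0]  # bypasses checks
    host2 = ArpPacket(ARP_REQUEST, "10.2.2.20", "0000.0000.00b2", "10.2.2.1", "0000.0000.0000")
    unknown = ArpPacket(ARP_REQUEST, "10.2.2.99", "0000.0000.0099", "10.2.2.1", "0000.0000.0000")
    results["acl_permit"] = sw.inspect("Gi1/0/5", 2, host2)[0]
    results["acl_nomatch_no_binding"] = sw.inspect("Gi1/0/6", 2, unknown)[0]
    sw.bindings[(2, "10.2.2.99")] = "0000.0000.0099"   # a DHCP binding appears later
    results["acl_nomatch_with_binding"] = sw.inspect("Gi1/0/6", 2, unknown)[0]
    sw.filters[2].static = True                        # with `static` the binding is ignored
    results["acl_nomatch_static"] = sw.inspect("Gi1/0/6", 2, unknown)[0]
    sw.filters[2].acl.clauses.insert(0, ("deny", "10.2.2.99", "0000.0000.0099"))
    results["acl_explicit_deny"] = sw.inspect("Gi1/0/6", 2, unknown)[0]
    return results, sw.log
```

The forged reply is dropped on the untrusted port but forwarded unchanged on the trusted uplink, which is why the trust state of inter-switch links matters as much as the checks themselves. The VLAN 2 cases show the ACL fallback: without static an unmatched packet is rescued by a DHCP binding, with static it is not, and an explicit deny wins over a valid binding in either mode.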

Logging of Dropped Packets


When the switch drops a packet, it places an entry in the log buffer and then generates system messages on a
rate-controlled basis. After the message is generated, the switch clears the entry from the log buffer. Each log
entry contains flow information, such as the receiving VLAN, the port number, the source and destination IP
addresses, and the source and destination MAC addresses.
You use the ip arp inspection log-buffer global configuration command to configure the number of entries
in the buffer and the number of entries needed in the specified interval to generate system messages. You
specify the type of packets that are logged by using the ip arp inspection vlan logging global configuration
command.

Default Dynamic ARP Inspection Configuration


Feature: Dynamic ARP inspection
  Default: Disabled on all VLANs.

Feature: Interface trust state
  Default: All interfaces are untrusted.

Feature: Rate limit of incoming ARP packets
  Default: The rate is 15 pps on untrusted interfaces, assuming that the network is a switched network
  with a host connecting to as many as 15 new hosts per second. The rate is unlimited on all trusted
  interfaces. The burst interval is 1 second.

Feature: ARP ACLs for non-DHCP environments
  Default: No ARP ACLs are defined.

Feature: Validation checks
  Default: No checks are performed.

Feature: Log buffer
  Default: When dynamic ARP inspection is enabled, all denied or dropped ARP packets are logged.
  The number of entries in the log is 32. The number of system messages is limited to 5 per second.
  The logging-rate interval is 1 second.

Feature: Per-VLAN logging
  Default: All denied or dropped ARP packets are logged.

Configuring ARP ACLs for Non-DHCP Environments


This procedure shows how to configure dynamic ARP inspection when Switch B shown in Figure 113 does not
support dynamic ARP inspection or DHCP snooping.
If you configure port 1 on Switch A as trusted, a security hole is created because both Switch A and Host 1
could be attacked by either Switch B or Host 2. To prevent this possibility, you must configure port 1 on
Switch A as untrusted. To permit ARP packets from Host 2, you must set up an ARP ACL and apply it to
VLAN 1. If the IP address of Host 2 is not static (so the ACL configuration cannot be applied on Switch A),
you must separate Switch A from Switch B at Layer 3 and use a router to route packets between them.
Follow these steps to configure an ARP ACL on Switch A. This procedure is required in non-DHCP
environments.

SUMMARY STEPS
1. enable
2. configure terminal
3. arp access-list acl-name
4. permit ip host sender-ip mac host sender-mac
5. exit
6. ip arp inspection filter arp-acl-name vlan vlan-range [static]
7. interface interface-id
8. no ip arp inspection trust
9. end
10. Use the following show commands:
    • show arp access-list acl-name
    • show ip arp inspection vlan vlan-range
    • show ip arp inspection interfaces
11. show running-config
12. copy running-config startup-config

DETAILED STEPS

Step 1: enable
  Purpose: Enables privileged EXEC mode. Enter your password if prompted.
  Example:
    SwitchDevice> enable

Step 2: configure terminal
  Purpose: Enters global configuration mode.
  Example:
    SwitchDevice# configure terminal

Step 3: arp access-list acl-name
  Purpose: Defines an ARP ACL and enters ARP access-list configuration mode. By default, no ARP access
    lists are defined.
    Note: At the end of the ARP access list, there is an implicit deny ip any mac any command.

Step 4: permit ip host sender-ip mac host sender-mac
  Purpose: Permits ARP packets from the specified host (Host 2).
    • For sender-ip, enter the IP address of Host 2.
    • For sender-mac, enter the MAC address of Host 2.

Step 5: exit
  Purpose: Returns to global configuration mode.

Step 6: ip arp inspection filter arp-acl-name vlan vlan-range [static]
  Purpose: Applies the ARP ACL to the VLAN. By default, no defined ARP ACLs are applied to any VLAN.
    • For arp-acl-name, specify the name of the ACL created in Step 3.
    • For vlan-range, specify the VLAN that the switches and hosts are in. You can specify a single
      VLAN identified by VLAN ID number, a range of VLANs separated by a hyphen, or a series of VLANs
      separated by a comma. The range is 1 to 4094.
    • (Optional) Specify static to treat implicit denies in the ARP ACL as explicit denies and to drop
      packets that do not match any previous clauses in the ACL. DHCP bindings are not used.
      If you do not specify this keyword, it means that there is no explicit deny in the ACL that denies
      the packet, and DHCP bindings determine whether a packet is permitted or denied if the packet does
      not match any clauses in the ACL.
    ARP packets containing only IP-to-MAC address bindings are compared against the ACL. Packets are
    permitted only if the access list permits them.

Step 7: interface interface-id
  Purpose: Specifies the Switch A interface that is connected to Switch B, and enters interface
    configuration mode.

Step 8: no ip arp inspection trust
  Purpose: Configures the Switch A interface that is connected to Switch B as untrusted. By default, all
    interfaces are untrusted.
    For untrusted interfaces, the switch intercepts all ARP requests and responses. It verifies that the
    intercepted packets have valid IP-to-MAC address bindings before updating the local cache and before
    forwarding the packet to the appropriate destination. The switch drops invalid packets and logs them
    in the log buffer according to the logging configuration specified with the ip arp inspection vlan
    logging global configuration command.

Step 9: end
  Purpose: Returns to privileged EXEC mode.

Step 10: Use the following show commands:
    • show arp access-list acl-name
    • show ip arp inspection vlan vlan-range
    • show ip arp inspection interfaces
  Purpose: Verifies your entries.

Step 11: show running-config
  Purpose: Verifies your entries.
  Example:
    SwitchDevice# show running-config

Step 12: copy running-config startup-config
  Purpose: (Optional) Saves your entries in the configuration file.
  Example:
    SwitchDevice# copy running-config startup-config


Configuring Dynamic ARP Inspection in DHCP Environments


Before you begin
This procedure shows how to configure dynamic ARP inspection when two switches support this feature.
Host 1 is connected to Switch A, and Host 2 is connected to Switch B. Both switches are running dynamic
ARP inspection on VLAN 1 where the hosts are located. A DHCP server is connected to Switch A. Both hosts
acquire their IP addresses from the same DHCP server. Therefore, Switch A has the bindings for Host 1 and
Host 2, and Switch B has the binding for Host 2.

Note Dynamic ARP inspection depends on the entries in the DHCP snooping binding database to verify IP-to-MAC
address bindings in incoming ARP requests and ARP responses. Make sure to enable DHCP snooping to
permit ARP packets that have dynamically assigned IP addresses.

Follow these steps to configure dynamic ARP inspection. You must perform this procedure on both switches.
This procedure is required.

SUMMARY STEPS
1. enable
2. show cdp neighbors
3. configure terminal
4. ip arp inspection vlan vlan-range
5. interface interface-id
6. ip arp inspection trust
7. end
8. show ip arp inspection interfaces
9. show ip arp inspection vlan vlan-range
10. show ip dhcp snooping binding
11. show ip arp inspection statistics vlan vlan-range
12. configure terminal
13. configure terminal

DETAILED STEPS

Step 1: enable
  Purpose: Enables privileged EXEC mode. Enter your password if prompted.
  Example:
    SwitchDevice> enable

Step 2: show cdp neighbors
  Purpose: Verifies the connection between the switches.
  Example:
    SwitchDevice# show cdp neighbors

Step 3: configure terminal
  Purpose: Enters global configuration mode.
  Example:
    SwitchDevice# configure terminal

Step 4: ip arp inspection vlan vlan-range
  Purpose: Enables dynamic ARP inspection on a per-VLAN basis. By default, dynamic ARP inspection is
    disabled on all VLANs. For vlan-range, specify a single VLAN identified by VLAN ID number, a range
    of VLANs separated by a hyphen, or a series of VLANs separated by a comma. The range is 1 to 4094.
    Specify the same VLAN ID for both switches.
  Example:
    SwitchDevice(config)# ip arp inspection vlan 1

Step 5: interface interface-id
  Purpose: Specifies the interface connected to the other switch, and enters interface configuration mode.
  Example:
    SwitchDevice(config)# interface gigabitethernet1/0/1

Step 6: ip arp inspection trust
  Purpose: Configures the connection between the switches as trusted. By default, all interfaces are
    untrusted.
    The switch does not check ARP packets that it receives from the other switch on the trusted
    interface. It simply forwards the packets.
    For untrusted interfaces, the switch intercepts all ARP requests and responses. It verifies that the
    intercepted packets have valid IP-to-MAC address bindings before updating the local cache and before
    forwarding the packet to the appropriate destination. The switch drops invalid packets and logs them
    in the log buffer according to the logging configuration specified with the ip arp inspection vlan
    logging global configuration command.
  Example:
    SwitchDevice(config-if)# ip arp inspection trust

Step 7: end
  Purpose: Returns to privileged EXEC mode.
  Example:
    SwitchDevice(config-if)# end

Step 8: show ip arp inspection interfaces
  Purpose: Verifies the dynamic ARP inspection configuration on interfaces.

Step 9: show ip arp inspection vlan vlan-range
  Purpose: Verifies the dynamic ARP inspection configuration on the VLAN.
  Example:
    SwitchDevice# show ip arp inspection vlan 1

Step 10: show ip dhcp snooping binding
  Purpose: Verifies the DHCP bindings.
  Example:
    SwitchDevice# show ip dhcp snooping binding

Step 11: show ip arp inspection statistics vlan vlan-range
  Purpose: Checks the dynamic ARP inspection statistics on the VLAN.
  Example:
    SwitchDevice# show ip arp inspection statistics vlan 1

Step 12: configure terminal
  Purpose: Enters global configuration mode.
  Example:
    SwitchDevice# configure terminal

Step 13: configure terminal
  Purpose: Enters global configuration mode.
  Example:
    SwitchDevice# configure terminal

Limiting the Rate of Incoming ARP Packets


The switch CPU performs dynamic ARP inspection validation checks; therefore, the number of incoming
ARP packets is rate-limited to prevent a denial-of-service attack.
When the rate of incoming ARP packets exceeds the configured limit, the switch places the port in the
error-disabled state. The port remains in that state until you enable error-disabled recovery so that ports
automatically emerge from this state after a specified timeout period.

Note Unless you configure a rate limit on an interface, changing the trust state of the interface also changes its rate
limit to the default value for that trust state. After you configure the rate limit, the interface retains the rate
limit even when its trust state is changed. If you enter the no ip arp inspection limit interface configuration
command, the interface reverts to its default rate limit.

Follow these steps to limit the rate of incoming ARP packets. This procedure is optional.

SUMMARY STEPS
1. enable
2. configure terminal
3. interface interface-id
4. ip arp inspection limit {rate pps [burst interval seconds] | none}
5. exit
6. Use the following commands:
    • errdisable detect cause arp-inspection
    • errdisable recovery cause arp-inspection
    • errdisable recovery interval interval
7. exit
8. Use the following show commands:
    • show ip arp inspection interfaces
    • show errdisable recovery
9. show running-config
10. copy running-config startup-config

DETAILED STEPS

Step 1: enable
  Purpose: Enables privileged EXEC mode. Enter your password if prompted.
  Example:
    SwitchDevice> enable

Step 2: configure terminal
  Purpose: Enters global configuration mode.
  Example:
    SwitchDevice# configure terminal

Step 3: interface interface-id
  Purpose: Specifies the interface to be rate-limited, and enters interface configuration mode.

Step 4: ip arp inspection limit {rate pps [burst interval seconds] | none}
  Purpose: Limits the rate of incoming ARP requests and responses on the interface. The default rate is
    15 pps on untrusted interfaces and unlimited on trusted interfaces. The burst interval is 1 second.
    The keywords have these meanings:
    • For rate pps, specify an upper limit for the number of incoming packets processed per second. The
      range is 0 to 2048 pps.
    • (Optional) For burst interval seconds, specify the consecutive interval in seconds over which the
      interface is monitored for a high rate of ARP packets. The range is 1 to 15.
    • For none, specify no upper limit for the rate of incoming ARP packets that can be processed.

Step 5: exit
  Purpose: Returns to global configuration mode.

Step 6: Use the following commands:
    • errdisable detect cause arp-inspection
    • errdisable recovery cause arp-inspection
    • errdisable recovery interval interval
  Purpose: (Optional) Enables error recovery from the dynamic ARP inspection error-disabled state, and
    configures the dynamic ARP inspection recovery mechanism variables.
    By default, recovery is disabled, and the recovery interval is 300 seconds.
    For interval interval, specify the time in seconds to recover from the error-disabled state. The
    range is 30 to 86400.

Step 7: exit
  Purpose: Returns to privileged EXEC mode.

Step 8: Use the following show commands:
    • show ip arp inspection interfaces
    • show errdisable recovery
  Purpose: Verifies your settings.

Step 9: show running-config
  Purpose: Verifies your entries.
  Example:
    SwitchDevice# show running-config

Step 10: copy running-config startup-config
  Purpose: (Optional) Saves your entries in the configuration file.
  Example:
    SwitchDevice# copy running-config startup-config
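
The behaviour that this procedure configures, and that the Rate Limiting of ARP Packets section introduced, is modelled below in Python so that the interaction of rate, burst interval and recovery interval can be seen on constructed traffic: a port tripping at the 16th packet in a second under the untrusted default, staying error-disabled until the recovery timer expires, a trusted (limit none) port never tripping, and a longer burst interval tolerating a short spike that the same rate with a 1-second interval would not. This is an added example, not IOS code or output: the ArpRateLimiter class, the caller-supplied float timestamps and the sliding-window counting over the burst interval are assumptions of the model, not a description of the switch's internal implementation.

```python
from collections import deque
from typing import Deque, Dict, List, Optional


class ArpRateLimiter:
    """Per-interface model of `ip arp inspection limit {rate pps [burst interval seconds] | none}`
    plus `errdisable recovery cause arp-inspection` and `errdisable recovery interval`."""

    def __init__(self, rate: Optional[int] = 15, burst: int = 1) -> None:
        # Chapter defaults: 15 pps on untrusted ports, burst interval 1 s.
        # rate=None models `limit none`, the default for trusted ports.
        if rate is not None and not 0 <= rate <= 2048:
            raise ValueError("rate must be 0..2048 pps")
        if not 1 <= burst <= 15:
            raise ValueError("burst interval must be 1..15 seconds")
        self.rate, self.burst = rate, burst
        self.arrivals: Deque[float] = deque()         # timestamps inside the burst window
        self.errdisabled_at: Optional[float] = None
        self.recovery_interval: Optional[int] = None  # None: recovery disabled (default)

    def enable_recovery(self, interval: int = 300) -> None:
        """`errdisable recovery cause arp-inspection` with `errdisable recovery interval <interval>`."""
        if not 30 <= interval <= 86400:
            raise ValueError("recovery interval must be 30..86400 seconds")
        self.recovery_interval = interval

    def arp_arrives(self, now: float) -> str:
        """Account for one ARP packet at time `now` (seconds). Returns "accept",
        "errdisable" (this packet pushed the port over the limit) or "errdisabled"
        (the port is already down and the packet is not processed)."""
        if self.errdisabled_at is not None:
            if self.recovery_interval is None or now - self.errdisabled_at < self.recovery_interval:
                return "errdisabled"
            self.errdisabled_at = None  # recovery timeout elapsed: port comes back
        if self.rate is None:
            return "accept"
        self.arrivals.append(now)
        while now - self.arrivals[0] >= self.burst:  # keep only the last `burst` seconds
            self.arrivals.popleft()
        if len(self.arrivals) > self.rate * self.burst:
            self.errdisabled_at = now
            self.arrivals.clear()
            return "errdisable"
        return "accept"


def run_demo() -> Dict[str, object]:
    """Constructed traffic patterns exercising the limiter; returns the outcomes by name."""
    out: Dict[str, object] = {}
    # Untrusted default (15 pps, 1 s): 15 packets in a second pass, the 16th trips the port,
    # and with recovery disabled the port stays down however long you wait.
    port = ArpRateLimiter()
    out["default_first_15"] = [port.arp_arrives(i / 20) for i in range(15)]
    out["default_16th"] = port.arp_arrives(0.75)
    out["default_much_later"] = port.arp_arrives(10_000.0)
    # Same burst, recovery enabled with the 300 s default interval.
    port = ArpRateLimiter()
    port.enable_recovery()
    trip: List[str] = [port.arp_arrives(i / 20) for i in range(16)]
    out["recovery_trip"] = trip[-1]
    out["recovery_before_timeout"] = port.arp_arrives(100.0)
    out["recovery_after_timeout"] = port.arp_arrives(0.75 + 300.0)
    # Trusted port (`limit none`): never rate-limited.
    trusted = ArpRateLimiter(rate=None)
    out["trusted_burst"] = {trusted.arp_arrives(0.0) for _ in range(5000)}
    # rate 10 with burst interval 3 allows up to 30 packets in any 3 s window, so a spike of
    # 20 packets inside one second is tolerated; rate 10 with the 1 s default trips at the 11th.
    smooth = ArpRateLimiter(rate=10, burst=3)
    strict = ArpRateLimiter(rate=10, burst=1)
    out["spike_burst3"] = {smooth.arp_arrives(i / 20) for i in range(20)}
    out["spike_burst1"] = [strict.arp_arrives(i / 20) for i in range(20)]
    return out
```

The model makes the operational trade-off in the chapter's restrictions visible: a limit that is too low for a trunk or EtherChannel turns a legitimate burst into an outage that persists until recovery runs, and a recovery interval only bounds that outage if errdisable recovery cause arp-inspection has actually been configured.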

Performing Dynamic ARP Inspection Validation Checks


Dynamic ARP inspection intercepts, logs, and discards ARP packets with invalid IP-to-MAC address bindings.
You can configure the switch to perform additional checks on the destination MAC address, the sender and
target IP addresses, and the source MAC address.
Follow these steps to perform specific checks on incoming ARP packets. This procedure is optional.

SUMMARY STEPS
1. enable
2. configure terminal
3. ip arp inspection validate {[src-mac] [dst-mac] [ip]}
4. exit
5. show ip arp inspection vlan vlan-range
6. show running-config
7. copy running-config startup-config


DETAILED STEPS

Command or Action Purpose


Step 1 enable Enables privileged EXEC mode. Enter your password if
prompted.
Example:

SwitchDevice> enable

Step 2 configure terminal Enters the global configuration mode.


Example:

SwitchDevice# configure terminal

Step 3 ip arp inspection validate {[src-mac] [dst-mac] [ip]} Performs a specific check on incoming ARP packets. By
default, no checks are performed.
The keywords have these meanings:
• For src-mac, check the source MAC address in the
Ethernet header against the sender MAC address in
the ARP body. This check is performed on both ARP
requests and responses. When enabled, packets with
different MAC addresses are classified as invalid and
are dropped.
• For dst-mac, check the destination MAC address in
the Ethernet header against the target MAC address in
ARP body. This check is performed for ARP
responses. When enabled, packets with different MAC
addresses are classified as invalid and are dropped.
• For ip, check the ARP body for invalid and unexpected
IP addresses. Addresses include 0.0.0.0,
255.255.255.255, and all IP multicast addresses.
Sender IP addresses are checked in all ARP requests
and responses, and target IP addresses are checked
only in ARP responses.

You must specify at least one of the keywords. Each command overrides the configuration of the previous command; that is, if a command enables src and dst mac validations, and a second command enables IP validation only, the src and dst mac validations are disabled as a result of the second command.

Step 4 exit Returns to privileged EXEC mode.

Step 5 show ip arp inspection vlan vlan-range Verifies your settings.

Step 6 show running-config Verifies your entries.


Example:

SwitchDevice# show running-config

Step 7 copy running-config startup-config (Optional) Saves your entries in the configuration file.
Example:

SwitchDevice# copy running-config startup-config
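The checks that Step 3 configures, as an added example that is not Cisco code: a Python model that parses an Ethernet/ARP frame and applies the src-mac, dst-mac and ip checks exactly as the table defines them, and that mirrors the rule that each ip arp inspection validate command replaces the previously configured keyword set. The function and constant names are this model's own, and the four sample frames are constructed test data. It also shows an operational caveat of the ip keyword: an address-conflict probe (sender IP 0.0.0.0) is benign but is classified invalid, because sender IP addresses are checked in every ARP request.

```python
"""Model of the dynamic ARP inspection validation checks (src-mac, dst-mac, ip)."""
import ipaddress
import struct
from dataclasses import dataclass
from typing import FrozenSet, List

ETHERTYPE_ARP = 0x0806
ARP_REQUEST, ARP_REPLY = 1, 2
ETH_HDR = struct.Struct("!6s6sH")            # dst MAC, src MAC, ethertype
ARP_BODY = struct.Struct("!HHBBH6s4s6s4s")   # htype, ptype, hlen, plen, op, sha, spa, tha, tpa
VALID_KEYWORDS = frozenset({"src-mac", "dst-mac", "ip"})


@dataclass(frozen=True)
class ArpFrame:
    eth_dst: bytes
    eth_src: bytes
    opcode: int
    sender_mac: bytes
    sender_ip: ipaddress.IPv4Address
    target_mac: bytes
    target_ip: ipaddress.IPv4Address


def mac(text: str) -> bytes:
    return bytes.fromhex(text.replace(":", ""))


def build_arp_frame(eth_dst, eth_src, opcode, sha, spa, tha, tpa) -> bytes:
    """Assemble a raw IPv4-over-Ethernet ARP frame (test helper)."""
    eth = ETH_HDR.pack(mac(eth_dst), mac(eth_src), ETHERTYPE_ARP)
    arp = ARP_BODY.pack(1, 0x0800, 6, 4, opcode, mac(sha), ipaddress.IPv4Address(spa).packed,
                        mac(tha), ipaddress.IPv4Address(tpa).packed)
    return eth + arp


def parse_arp_frame(frame: bytes) -> ArpFrame:
    if len(frame) < ETH_HDR.size + ARP_BODY.size:
        raise ValueError("frame too short for Ethernet + ARP")
    eth_dst, eth_src, ethertype = ETH_HDR.unpack_from(frame, 0)
    if ethertype != ETHERTYPE_ARP:
        raise ValueError("not an ARP frame")
    htype, ptype, hlen, plen, op, sha, spa, tha, tpa = ARP_BODY.unpack_from(frame, ETH_HDR.size)
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        raise ValueError("only IPv4 over Ethernet is modelled")
    return ArpFrame(eth_dst, eth_src, op, sha, ipaddress.IPv4Address(spa), tha, ipaddress.IPv4Address(tpa))


def configure_validate(*keywords: str) -> FrozenSet[str]:
    """Mirror 'ip arp inspection validate': at least one keyword, and the new set
    replaces (does not extend) the previously configured one."""
    chosen = frozenset(keywords)
    if not chosen or not chosen <= VALID_KEYWORDS:
        raise ValueError(f"need a non-empty subset of {sorted(VALID_KEYWORDS)}")
    return chosen


def _unexpected_ip(addr: ipaddress.IPv4Address) -> bool:
    # 0.0.0.0, 255.255.255.255 and all multicast addresses are invalid in an ARP body.
    return addr in (ipaddress.IPv4Address("0.0.0.0"), ipaddress.IPv4Address("255.255.255.255")) \
        or addr.is_multicast


def validate(frame: ArpFrame, checks: FrozenSet[str]) -> List[str]:
    """Names of the configured checks the frame fails; [] means it passes.
    DAI drops and logs any frame with a non-empty result."""
    failures = []
    # src-mac: Ethernet source vs ARP sender MAC, on requests and replies.
    if "src-mac" in checks and frame.eth_src != frame.sender_mac:
        failures.append("src-mac")
    # dst-mac: Ethernet destination vs ARP target MAC, replies only.
    if "dst-mac" in checks and frame.opcode == ARP_REPLY and frame.eth_dst != frame.target_mac:
        failures.append("dst-mac")
    # ip: sender IP in every packet; target IP only in replies.
    if "ip" in checks and (_unexpected_ip(frame.sender_ip)
                           or (frame.opcode == ARP_REPLY and _unexpected_ip(frame.target_ip))):
        failures.append("ip")
    return failures


# Constructed sample frames (all addresses are made up).
GOOD_REPLY = build_arp_frame("00:11:22:33:44:55", "aa:bb:cc:dd:ee:01", ARP_REPLY,
                             "aa:bb:cc:dd:ee:01", "10.0.0.1", "00:11:22:33:44:55", "10.0.0.2")
# Ethernet source and ARP sender MAC disagree: the typical spoofed reply.
SPOOFED_REPLY = build_arp_frame("00:11:22:33:44:55", "aa:bb:cc:dd:ee:01", ARP_REPLY,
                                "aa:bb:cc:dd:ee:99", "10.0.0.1", "00:11:22:33:44:55", "10.0.0.2")
# Address-conflict probe with sender IP 0.0.0.0: benign, but the ip check drops it.
PROBE_REQUEST = build_arp_frame("ff:ff:ff:ff:ff:ff", "aa:bb:cc:dd:ee:02", ARP_REQUEST,
                                "aa:bb:cc:dd:ee:02", "0.0.0.0", "00:00:00:00:00:00", "10.0.0.7")
# Multicast target IP in a request passes: target IP is examined in replies only.
MCAST_TARGET_REQUEST = build_arp_frame("ff:ff:ff:ff:ff:ff", "aa:bb:cc:dd:ee:03", ARP_REQUEST,
                                       "aa:bb:cc:dd:ee:03", "10.0.0.3", "00:00:00:00:00:00", "224.0.0.1")

ALL_CHECKS = configure_validate("src-mac", "dst-mac", "ip")
IP_ONLY = configure_validate("ip")   # entered afterwards, this would switch src-mac and dst-mac off

if __name__ == "__main__":
    for name, raw in [("good reply", GOOD_REPLY), ("spoofed reply", SPOOFED_REPLY),
                      ("probe request", PROBE_REQUEST), ("mcast target request", MCAST_TARGET_REQUEST)]:
        print(f"{name:21} -> {validate(parse_arp_frame(raw), ALL_CHECKS) or 'pass'}")
```

The IP_ONLY set illustrates the override rule from Step 3: the spoofed reply that the src-mac check rejects passes untouched once a later command enables only ip, so audit the running configuration for the final keyword set rather than assuming earlier commands are cumulative.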

Monitoring DAI
To monitor DAI, use the following commands:

Command Description
clear ip arp inspection statistics Clears dynamic ARP inspection statistics.
show ip arp inspection statistics [vlan vlan-range] Displays statistics for forwarded, dropped, MAC
validation failure, IP validation failure, ACL permitted
and denied, and DHCP permitted and denied packets
for the specified VLAN. If no VLANs are specified
or if a range is specified, displays information only
for VLANs with dynamic ARP inspection enabled
(active).

clear ip arp inspection log Clears the dynamic ARP inspection log buffer.
show ip arp inspection log Displays the configuration and contents of the
dynamic ARP inspection log buffer.

For the show ip arp inspection statistics command, the switch increments the number of forwarded packets
for each ARP request and response packet on a trusted dynamic ARP inspection port. For each packet that
passes the ACL or DHCP binding check but is then denied by the source MAC, destination MAC, or IP validation
checks, the switch increments both the ACL or DHCP permitted count and the appropriate validation failure count.

Verifying the DAI Configuration


To display and verify the DAI configuration, use the following commands:

Command Description
show arp access-list [acl-name] Displays detailed information about ARP ACLs.

show ip arp inspection interfaces [interface-id] Displays the trust state and the rate limit of ARP
packets for the specified interface or all interfaces.

show ip arp inspection vlan vlan-range Displays the configuration and the operating state of
dynamic ARP inspection for the specified VLAN. If
no VLANs are specified or if a range is specified,
displays information only for VLANs with dynamic
ARP inspection enabled (active).

CHAPTER 62
Configuring IEEE 802.1x Port-Based
Authentication
This chapter describes how to configure IEEE 802.1x port-based authentication. IEEE 802.1x authentication
prevents unauthorized devices (clients) from gaining access to the network. Unless otherwise noted, the term
switch refers to a standalone switch or a switch stack.
• Finding Feature Information, on page 1371
• Information About 802.1x Port-Based Authentication, on page 1371
• How to Configure 802.1x Port-Based Authentication, on page 1403
• Monitoring 802.1x Statistics and Status, on page 1458

Finding Feature Information


Your software release may not support all the features documented in this module. For the latest caveats and
feature information, see Bug Search Tool and the release notes for your platform and software release. To
find information about the features documented in this module, and to see a list of the releases in which each
feature is supported, see the feature information table at the end of this module.
Use Cisco Feature Navigator to find information about platform support and Cisco software image support.
To access Cisco Feature Navigator, go to http://www.cisco.com/go/cfn. An account on Cisco.com is not
required.

Information About 802.1x Port-Based Authentication


The 802.1x standard defines a client-server-based access control and authentication protocol that prevents
unauthorized clients from connecting to a LAN through publicly accessible ports unless they are properly
authenticated. The authentication server authenticates each client connected to a switch port before making
available any services offered by the switch or the LAN.
Until the client is authenticated, 802.1x access control allows only Extensible Authentication Protocol over
LAN (EAPOL), Cisco Discovery Protocol (CDP), and Spanning Tree Protocol (STP) traffic through the port
to which the client is connected. After authentication is successful, normal traffic can pass through the port.


Note For complete syntax and usage information for the commands used in this chapter, see the “RADIUS
Commands” section in the Cisco IOS Security Command Reference, Release 12.4 and the command reference
for this release.

Port-Based Authentication Process


To configure IEEE 802.1X port-based authentication, you must enable authentication, authorization, and
accounting (AAA) and specify the authentication method list. A method list describes the sequence and
authentication method to be queried to authenticate a user.
The AAA process begins with authentication. When 802.1x port-based authentication is enabled and the client
supports 802.1x-compliant client software, these events occur:
• If the client identity is valid and the 802.1x authentication succeeds, the switch grants the client access
to the network.
• If 802.1x authentication times out while waiting for an EAPOL message exchange and MAC authentication
bypass is enabled, the switch can use the client MAC address for authorization. If the client MAC address
is valid and the authorization succeeds, the switch grants the client access to the network. If the client
MAC address is invalid and the authorization fails, the switch assigns the client to a guest VLAN that
provides limited services if a guest VLAN is configured.
• If the switch gets an invalid identity from an 802.1x-capable client and a restricted VLAN is specified,
the switch can assign the client to a restricted VLAN that provides limited services.
• If the RADIUS authentication server is unavailable (down) and inaccessible authentication bypass is
enabled, the switch grants the client access to the network by putting the port in the critical-authentication
state in the RADIUS-configured or the user-specified access VLAN.

Note Inaccessible authentication bypass is also referred to as critical authentication or the AAA fail policy.

If Multi Domain Authentication (MDA) is enabled on a port, this flow can be used with some exceptions that
are applicable to voice authorization.


Figure 114: Authentication Flowchart

This figure shows the authentication process.

The switch re-authenticates a client when one of these situations occurs:


• Periodic re-authentication is enabled, and the re-authentication timer expires.
You can configure the re-authentication timer to use a switch-specific value or to be based on values
from the RADIUS server.
After 802.1x authentication using a RADIUS server is configured, the switch uses timers based on the
Session-Timeout RADIUS attribute (Attribute[27]) and the Termination-Action RADIUS attribute
(Attribute [29]).
The Session-Timeout RADIUS attribute (Attribute[27]) specifies the time after which re-authentication
occurs.
The Termination-Action RADIUS attribute (Attribute [29]) specifies the action to take during
re-authentication. The actions are Initialize and ReAuthenticate. When the Initialize action is set (the
attribute value is DEFAULT), the 802.1x session ends, and connectivity is lost during re-authentication.
When the ReAuthenticate action is set (the attribute value is RADIUS-Request), the session is not affected
during re-authentication.
• You manually re-authenticate the client by entering the dot1x re-authenticate interface interface-id
privileged EXEC command.
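The decision flow described above (802.1x success, MAC authentication bypass after an EAPOL timeout, guest and restricted VLANs, inaccessible authentication bypass) and the RADIUS-driven re-authentication rules, as an added example that is not Cisco code. The PortPolicy fields, the Decision reason strings and the function names are this model's own; the attribute numbers and their meanings (Session-Timeout is Attribute[27]; Termination-Action is Attribute[29], where Default selects Initialize and RADIUS-Request selects ReAuthenticate) are taken from the text. The Access-Accept attribute bytes at the bottom are constructed test data.

```python
"""Model of the 802.1x port-based authentication decision flow and of the
RADIUS Session-Timeout / Termination-Action re-authentication rules."""
import struct
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

SESSION_TIMEOUT = 27      # RADIUS Attribute[27]: seconds until re-authentication
TERMINATION_ACTION = 29   # RADIUS Attribute[29]: 0 = Default (Initialize), 1 = RADIUS-Request (ReAuthenticate)


@dataclass(frozen=True)
class PortPolicy:
    access_vlan: int                        # user-specified access VLAN
    mab_enabled: bool = False               # MAC authentication bypass configured
    guest_vlan: Optional[int] = None        # limited-service VLAN for clients that never speak EAPOL
    restricted_vlan: Optional[int] = None   # limited-service VLAN after an invalid identity
    inaccessible_bypass: bool = False       # critical authentication / AAA fail policy
    critical_vlan: Optional[int] = None     # RADIUS-configured VLAN for the critical state, if any


@dataclass(frozen=True)
class Decision:
    port_state: str        # "authorized", "unauthorized" or "critical-auth"
    vlan: Optional[int]
    reason: str


def authorize(policy: PortPolicy, dot1x_result: str, server_reachable: bool = True,
              mab_result: Optional[str] = None, radius_vlan: Optional[int] = None) -> Decision:
    """dot1x_result: 'success', 'fail' (invalid identity) or 'timeout' (no EAPOL exchange).
    mab_result: 'success' or 'fail' when MAB ran after the timeout."""
    if not server_reachable:
        # RADIUS down: no access unless inaccessible authentication bypass is enabled.
        if policy.inaccessible_bypass:
            vlan = policy.critical_vlan if policy.critical_vlan is not None else policy.access_vlan
            return Decision("critical-auth", vlan, "inaccessible-bypass")
        return Decision("unauthorized", None, "server-unreachable")
    if dot1x_result == "success":
        return Decision("authorized", radius_vlan or policy.access_vlan, "dot1x")
    if dot1x_result == "fail":
        if policy.restricted_vlan is not None:
            return Decision("authorized", policy.restricted_vlan, "restricted-vlan")
        return Decision("unauthorized", None, "auth-fail")
    if dot1x_result == "timeout":
        if policy.mab_enabled and mab_result == "success":
            return Decision("authorized", radius_vlan or policy.access_vlan, "mab")
        # No EAPOL, and MAB failed or is not configured: guest VLAN if one exists.
        if policy.guest_vlan is not None:
            return Decision("authorized", policy.guest_vlan, "guest-vlan")
        return Decision("unauthorized", None, "no-response")
    raise ValueError(f"unknown dot1x result {dot1x_result!r}")


def parse_radius_attributes(blob: bytes) -> Dict[int, bytes]:
    """Split the attribute section of a RADIUS packet into {type: value}.
    Each attribute is type(1) length(1) value; length counts the two header bytes."""
    attrs, i = {}, 0
    while i < len(blob):
        if i + 2 > len(blob):
            raise ValueError("truncated attribute header")
        attr_type, length = blob[i], blob[i + 1]
        if length < 2 or i + length > len(blob):
            raise ValueError("malformed attribute length")
        attrs[attr_type] = blob[i + 2:i + length]
        i += length
    return attrs


def reauth_plan(attrs: Dict[int, bytes]) -> Optional[Tuple[int, str]]:
    """(seconds until re-authentication, action) from Session-Timeout and Termination-Action,
    or None when the server supplied no Session-Timeout. Initialize ends the session and
    connectivity is lost during re-authentication; ReAuthenticate leaves the session up."""
    if SESSION_TIMEOUT not in attrs:
        return None
    (seconds,) = struct.unpack("!I", attrs[SESSION_TIMEOUT])
    code = struct.unpack("!I", attrs[TERMINATION_ACTION])[0] if TERMINATION_ACTION in attrs else 0
    return seconds, "ReAuthenticate" if code == 1 else "Initialize"


# Constructed Access-Accept attributes: Session-Timeout 3600 s, Termination-Action RADIUS-Request.
ACCEPT_ATTRS = (bytes([SESSION_TIMEOUT, 6]) + struct.pack("!I", 3600)
                + bytes([TERMINATION_ACTION, 6]) + struct.pack("!I", 1))

if __name__ == "__main__":
    policy = PortPolicy(access_vlan=10, mab_enabled=True, guest_vlan=99, restricted_vlan=98,
                        inaccessible_bypass=True, critical_vlan=97)
    print(authorize(policy, "timeout", mab_result="fail"))
    print(reauth_plan(parse_radius_attributes(ACCEPT_ATTRS)))
```

Two points the model makes visible: a RADIUS outage is checked before any authentication result, because without inaccessible authentication bypass the port simply stays unauthorized; and a server that returns Session-Timeout without Termination-Action gets the Default value, so every re-authentication drops the session unless the server is explicitly configured to send RADIUS-Request.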


Port-Based Authentication Initiation and Message Exchange


During 802.1x authentication, the switch or the client can initiate authentication. If you enable authentication
on a port by using the authentication port-control auto interface configuration command, the switch initiates
authentication when the link state changes from down to up or periodically as long as the port remains up and
unauthenticated. The switch sends an EAP-request/identity frame to the client to request its identity. Upon
receipt of the frame, the client responds with an EAP-response/identity frame.
However, if during bootup, the client does not receive an EAP-request/identity frame from the switch, the
client can initiate authentication by sending an EAPOL-start frame, which prompts the switch to request the
client’s identity.

Note If 802.1x authentication is not enabled or supported on the network access device, any EAPOL frames from
the client are dropped. If the client does not receive an EAP-request/identity frame after three attempts to start
authentication, the client sends frames as if the port is in the authorized state. A port in the authorized state
effectively means that the client has been successfully authenticated.

When the client supplies its identity, the switch begins its role as the intermediary, passing EAP frames between
the client and the authentication server until authentication succeeds or fails. If the authentication succeeds,
the switch port becomes authorized. If the authentication fails, authentication can be retried, the port might
be assigned to a VLAN that provides limited services, or network access is not granted.
The specific exchange of EAP frames depends on the authentication method being used.
Figure 115: Message Exchange

This figure shows a message exchange initiated by the client when the client uses the One-Time-Password
(OTP) authentication method with a RADIUS server.
If 802.1x authentication times out while waiting for an EAPOL message exchange and MAC authentication
bypass is enabled, the switch can authorize the client when the switch detects an Ethernet packet from the


client. The switch uses the MAC address of the client as its identity and includes this information in the
RADIUS-access/request frame that is sent to the RADIUS server. After the server sends the switch the
RADIUS-access/accept frame (authorization is successful), the port becomes authorized. If authorization fails
and a guest VLAN is specified, the switch assigns the port to the guest VLAN. If the switch detects an EAPOL
packet while waiting for an Ethernet packet, the switch stops the MAC authentication bypass process and
starts 802.1x authentication.
Figure 116: Message Exchange During MAC Authentication Bypass

This figure shows the message exchange during MAC authentication bypass.

Authentication Manager for Port-Based Authentication


Port-Based Authentication Methods
Table 146: 802.1x Features

Authentication method: 802.1x
  Single host: VLAN assignment, Per-user ACL, Filter-Id attribute, Downloadable ACL, Redirect URL
  Multiple host: VLAN assignment
  MDA: VLAN assignment, Per-user ACL, Filter-Id attribute, Downloadable ACL, Redirect URL
  Multiple Authentication (18): VLAN assignment, Per-user ACL, Filter-Id attribute, Downloadable ACL, Redirect URL

Authentication method: MAC authentication bypass
  Single host: VLAN assignment, Per-user ACL, Filter-Id attribute, Downloadable ACL, Redirect URL
  Multiple host: VLAN assignment
  MDA: VLAN assignment, Per-user ACL, Filter-Id attribute, Downloadable ACL, Redirect URL
  Multiple Authentication (18): VLAN assignment, Per-user ACL, Filter-Id attribute, Downloadable ACL, Redirect URL

Authentication method: Standalone web authentication
  All modes: Proxy ACL, Filter-Id attribute, Downloadable ACL

Authentication method: NAC Layer 2 IP validation
  Single host, Multiple host, MDA, Multiple Authentication (18): Filter-Id attribute, Downloadable ACL, Redirect URL

Authentication method: Web authentication as fallback method (19)
  Single host, Multiple host, MDA, Multiple Authentication (18): Proxy ACL, Filter-Id attribute, Downloadable ACL

18 Supported in Cisco IOS Release 12.2(50)SE and later.
19 For clients that do not support 802.1x authentication.

Per-User ACLs and Filter-Ids

Note You can only set any as the source in the ACL.

Note For any ACL configured for multiple-host mode, the source portion of the statement must be any. (For example,
permit icmp any host 10.10.1.1.)

You must specify any as the source in any defined ACL. Otherwise, the ACL cannot be applied and
authorization fails. Single host is the only exception, to support backward compatibility.
More than one host can be authenticated on MDA-enabled and multiauth ports. The ACL policy applied for
one host does not affect the traffic of another host. If only one host is authenticated on a multi-host port, and
the other hosts gain network access without authentication, the ACL policy for the first host can be applied
to the other connected hosts by specifying any in the source address.


Port-Based Authentication Manager CLI Commands


The authentication-manager interface-configuration commands control all the authentication methods, such
as 802.1x, MAC authentication bypass, and web authentication. The authentication manager commands
determine the priority and order of authentication methods applied to a connected host.
The authentication manager commands control generic authentication features, such as host-mode, violation
mode, and the authentication timer. Generic authentication commands include the authentication host-mode,
authentication violation, and authentication timer interface configuration commands.
802.1x-specific commands begin with the dot1x keyword. For example, the authentication port-control
auto interface configuration command enables authentication on an interface, whereas the dot1x
system-auth-control global configuration command only globally enables or disables 802.1x
authentication.

Note If 802.1x authentication is globally disabled, other authentication methods are still enabled on that port, such
as web authentication.

The authentication manager commands provide the same functionality as earlier 802.1x commands.
When filtering out verbose system messages generated by the authentication manager, the filtered content
typically relates to authentication success. You can also filter verbose messages for 802.1x authentication and
MAB authentication. There is a separate command for each authentication method:
• The no authentication logging verbose global configuration command filters verbose messages from
the authentication manager.
• The no dot1x logging verbose global configuration command filters 802.1x authentication verbose
messages.
• The no mab logging verbose global configuration command filters MAC authentication bypass (MAB)
verbose messages.

Table 147: Authentication Manager Commands and Earlier 802.1x Commands

Each entry lists the authentication manager command (Cisco IOS Release 12.2(50)SE or later), the equivalent 802.1x command (Cisco IOS Release 12.2(46)SE and earlier), and a description.

authentication control-direction {both | in}
  Earlier 802.1x command: dot1x control-direction {both | in}
  Description: Enable 802.1x authentication with the wake-on-LAN (WoL) feature, and configure the port control as unidirectional or bidirectional.

authentication event
  Earlier 802.1x commands and descriptions:
  dot1x auth-fail vlan: Enable the restricted VLAN on a port.
  dot1x critical (interface configuration): Enable the inaccessible-authentication-bypass feature.
  dot1x guest-vlan: Specify an active VLAN as an 802.1x guest VLAN.

authentication fallback fallback-profile
  Earlier 802.1x command: dot1x fallback fallback-profile
  Description: Configure a port to use web authentication as a fallback method for clients that do not support 802.1x authentication.

authentication host-mode [multi-auth | multi-domain | multi-host | single-host]
  Earlier 802.1x command: dot1x host-mode {single-host | multi-host | multi-domain}
  Description: Allow a single host (client) or multiple hosts on an 802.1x-authorized port.

authentication order
  Earlier 802.1x command: mab
  Description: Provides the flexibility to define the order of authentication methods to be used.

authentication periodic
  Earlier 802.1x command: dot1x reauthentication
  Description: Enable periodic re-authentication of the client.

authentication port-control {auto | force-authorized | force-unauthorized}
  Earlier 802.1x command: dot1x port-control {auto | force-authorized | force-unauthorized}
  Description: Enable manual control of the authorization state of the port.

authentication timer
  Earlier 802.1x command: dot1x timeout
  Description: Set the 802.1x timers.

authentication violation {protect | restrict | shutdown}
  Earlier 802.1x command: dot1x violation-mode {shutdown | restrict | protect}
  Description: Configure the violation modes that occur when a new device connects to a port or when a new device connects to a port after the maximum number of devices are connected to that port.

Ports in Authorized and Unauthorized States


During 802.1x authentication, depending on the switch port state, the switch can grant a client access to the
network. The port starts in the unauthorized state. While in this state, the port that is not configured as a voice
VLAN port disallows all ingress and egress traffic except for 802.1x authentication, CDP, and STP packets.
When a client is successfully authenticated, the port changes to the authorized state, allowing all traffic for
the client to flow normally. If the port is configured as a voice VLAN port, the port allows VoIP traffic and
802.1x protocol packets before the client is successfully authenticated.

Note CDP bypass is not supported and may cause a port to go into err-disabled state.

If a client that does not support 802.1x authentication connects to an unauthorized 802.1x port, the switch
requests the client’s identity. In this situation, the client does not respond to the request, the port remains in
the unauthorized state, and the client is not granted access to the network.
In contrast, when an 802.1x-enabled client connects to a port that is not running the 802.1x standard, the client
initiates the authentication process by sending the EAPOL-start frame. When no response is received, the


client sends the request for a fixed number of times. Because no response is received, the client begins sending
frames as if the port is in the authorized state.
You control the port authorization state by using the authentication port-control interface configuration
command and these keywords:
• force-authorized—disables 802.1x authentication and causes the port to change to the authorized state
without any authentication exchange required. The port sends and receives normal traffic without
802.1x-based authentication of the client. This is the default setting.
• force-unauthorized—causes the port to remain in the unauthorized state, ignoring all attempts by the
client to authenticate. The switch cannot provide authentication services to the client through the port.
• auto—enables 802.1x authentication and causes the port to begin in the unauthorized state, allowing
only EAPOL frames to be sent and received through the port. The authentication process begins when
the link state of the port changes from down to up or when an EAPOL-start frame is received. The switch
requests the identity of the client and begins relaying authentication messages between the client and the
authentication server. Each client attempting to access the network is uniquely identified by the switch
by using the client MAC address.

If the client is successfully authenticated (receives an Accept frame from the authentication server), the port
state changes to authorized, and all frames from the authenticated client are allowed through the port. If the
authentication fails, the port remains in the unauthorized state, but authentication can be retried. If the
authentication server cannot be reached, the switch can resend the request. If no response is received from
the server after the specified number of attempts, authentication fails, and network access is not granted.
When a client logs off, it sends an EAPOL-logoff message, causing the switch port to change to the unauthorized
state.
If the link state of a port changes from up to down, or if an EAPOL-logoff frame is received, the port returns
to the unauthorized state.

802.1x Host Mode


You can configure an 802.1x port for single-host or for multiple-hosts mode. In single-host mode, only one
client can be connected to the 802.1x-enabled switch port. The switch detects the client by sending an EAPOL
frame when the port link state changes to the up state. If a client leaves or is replaced with another client, the
switch changes the port link state to down, and the port returns to the unauthorized state.
In multiple-hosts mode, you can attach multiple hosts to a single 802.1x-enabled port. In this mode, only one
of the attached clients must be authorized for all clients to be granted network access. If the port becomes
unauthorized (re-authentication fails or an EAPOL-logoff message is received), the switch denies network
access to all of the attached clients. In this topology, the wireless access point is responsible for authenticating
the clients attached to it, and it also acts as a client to the switch.
Figure 117: Multiple Host Mode Example


Note For all host modes, the line protocol stays up before authorization when port-based authentication is configured.

The switch supports multidomain authentication (MDA), which allows both a data device and a voice device,
such as an IP Phone (Cisco or non-Cisco), to connect to the same switch port.

802.1x Multiple Authentication Mode


Multiple-authentication (multiauth) mode allows multiple authenticated clients on the data VLAN and voice
VLAN. Each host is individually authenticated. There is no limit to the number of data or voice devices that
can be authenticated on a multiauth port.
If a hub or access point is connected to an 802.1x-enabled port, each connected client must be authenticated.
For non-802.1x devices, you can use MAC authentication bypass or web authentication as the per-host
authentication fallback method to authenticate different hosts with different methods on a single port.

Note When a port is in multiple-authentication mode, the authentication-failed VLAN features do not activate.

You can assign a RADIUS-server-supplied VLAN in multi-auth mode, under the following conditions:
• The host is the first host authorized on the port, and the RADIUS server supplies VLAN information
• Subsequent hosts are authorized with a VLAN that matches the operational VLAN.
• A host is authorized on the port with no VLAN assignment, and subsequent hosts either have no VLAN
assignment, or their VLAN information matches the operational VLAN.
• The first host authorized on the port has a group VLAN assignment, and subsequent hosts either have
no VLAN assignment, or their group VLAN matches the group VLAN on the port. Subsequent hosts
must use the same VLAN from the VLAN group as the first host. If a VLAN list is used, all hosts are
subject to the conditions specified in the VLAN list.
• After a VLAN is assigned to a host on the port, subsequent hosts must have matching VLAN information
or be denied access to the port.
• You cannot configure a guest VLAN or an auth-fail VLAN in multi-auth mode.
• The behavior of the critical-auth VLAN is not changed for multi-auth mode. When a host tries to
authenticate and the server is not reachable, all authorized hosts are reinitialized in the configured VLAN.

Multi-auth Per User VLAN assignment

Note This feature is supported only on Catalyst 2960X switches running the LAN base image

The Multi-auth Per User VLAN assignment feature allows you to create multiple operational access VLANs
based on the VLANs assigned to the clients on a port that has a single configured access VLAN. The port is
configured as an access port; traffic for all the VLANs associated with the data domain is not 802.1Q tagged,
and these VLANs are treated as native VLANs.


The number of hosts per multi-auth port is 8; however, there can be more hosts.

Note The Multi-auth Per User VLAN assignment feature is not supported for Voice domain. All clients in Voice
domain on a port must use the same VLAN.

The following scenarios are associated with the multi-auth Per User VLAN assignments:
Scenario one
When a hub is connected to an access port, and the port is configured with an access VLAN (V0).
The host (H1) is assigned to VLAN (V1) through the hub. The operational VLAN of the port is changed to
V1. This behaviour is similar on a single-host or multi-domain-auth port.
When a second host (H2) is connected and gets assigned to VLAN (V2), the port will have two operational
VLANs (V1 and V2). If H1 and H2 send untagged ingress traffic, H1 traffic is mapped to VLAN (V1) and
H2 traffic to VLAN (V2); all egress traffic going out of the port on VLAN (V1) and VLAN (V2) is untagged.
If both the hosts, H1 and H2 are logged out or the sessions are removed due to some reason then VLAN (V1)
and VLAN (V2) are removed from the port, and the configured VLAN (V0) is restored on the port.
Scenario two
When a hub is connected to an access port, and the port is configured with an access VLAN (V0). The host
(H1) is assigned to VLAN (V1) through the hub. The operational VLAN of the port is changed to V1.
When a second host (H2) is connected and gets authorized without an explicit VLAN policy, H2 is expected to
use the configured VLAN (V0), which is restored on the port. All egress traffic going out of the two operational
VLANs, VLAN (V0) and VLAN (V1), is untagged.
If host (H2) is logged out or the session is removed for some reason, then the configured VLAN (V0) is
removed from the port, and VLAN (V1) becomes the only operational VLAN on the port.
Scenario three
When a hub is connected to an access port in open mode, and the port is configured with an access VLAN
(V0) .
The host (H1) is assigned to VLAN (V1) through the hub. The operational VLAN of the port is changed to
V1. When a second host (H2) is connected and remains unauthorized, it still has access to operational VLAN
(V1) due to open mode.
If host H1 is logged out or the session is removed due to some reason, VLAN (V1) is removed from the port
and host (H2) gets assigned to VLAN (V0).

Note The combination of open mode and VLAN assignment has an adverse effect on host (H2) because it has an
IP address in the subnet that corresponds to VLAN (V1).

Limitation in Multi-auth Per User VLAN assignment


In the Multi-auth Per User VLAN assignment feature, egress traffic from multiple VLANs is untagged on a
port, so hosts receive traffic that is not meant for them. This can be a problem with broadcast and
multicast traffic.


• IPv4 ARPs: Hosts receive ARP packets from other subnets. This is a problem if two subnets in different
Virtual Routing and Forwarding (VRF) tables with overlapping IP address range are active on the port.
The host ARP cache may get invalid entries.
• IPv6 control packets: In IPv6 deployments, Router Advertisements (RA) are processed by hosts that
are not supposed to receive them. When a host from one VLAN receives an RA from a different VLAN,
the host assigns an incorrect IPv6 address to itself. Such a host is unable to get access to the network.
The workaround is to enable IPv6 first hop security so that the broadcast ICMPv6 packets are converted
to unicast and sent out from multi-auth enabled ports. The packet is replicated for each client on the
multi-auth port belonging to the VLAN, and the destination MAC is set to that of the individual client.
On ports having one VLAN, ICMPv6 packets are broadcast normally.
• IP multicast: Multicast traffic destined to a multicast group gets replicated for different VLANs if the
hosts on those VLANs join the multicast group. When two hosts in different VLANs join a multicast
group (on the same multi-auth port), two copies of each multicast packet are sent out from that port.
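The three scenarios above and the limitation that follows them, as an added example that is not Cisco code: a Python model of a multi-auth access port that tracks the operational VLAN set as hosts are authorized with or without a RADIUS VLAN, restores the configured VLAN when sessions end, applies the open-mode rule from scenario three, and shows why untagged egress from several VLANs reaches every host on the port unless the frame is replicated per client, which is what the IPv6 first hop security workaround does. The class, method and host names (H1, H2, VLAN numbers) are this model's own; the one case the text does not define (an unauthorized open-mode host when more than one VLAN is operational) is marked as an assumption in the code.

```python
"""Model of a multi-auth access port under Multi-auth Per User VLAN assignment."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set


@dataclass
class MultiAuthPort:
    access_vlan: int                       # configured access VLAN (V0 in the scenarios)
    open_mode: bool = False
    # authorized host -> VLAN supplied by RADIUS, or None for "no explicit VLAN policy"
    sessions: Dict[str, Optional[int]] = field(default_factory=dict)

    def authorize(self, host: str, assigned_vlan: Optional[int] = None) -> None:
        self.sessions[host] = assigned_vlan

    def remove_session(self, host: str) -> None:
        self.sessions.pop(host, None)

    def _session_vlan(self, host: str) -> int:
        vlan = self.sessions[host]
        return self.access_vlan if vlan is None else vlan

    def operational_vlans(self) -> Set[int]:
        """VLANs active on the port: one per distinct assignment; hosts without a policy
        use the configured VLAN, which is restored once no session remains."""
        vlans = {self._session_vlan(h) for h in self.sessions}
        return vlans or {self.access_vlan}

    def vlan_for(self, host: str) -> Optional[int]:
        """VLAN that a host's untagged ingress traffic is mapped to; None means no access."""
        if host in self.sessions:
            return self._session_vlan(host)
        if not self.open_mode:
            return None
        # Open mode: an unauthorized host rides on the port's operational VLAN (scenario three).
        # With several operational VLANs the text is silent; this model falls back to the
        # configured access VLAN (assumption, not documented behaviour).
        vlans = self.operational_vlans()
        return next(iter(vlans)) if len(vlans) == 1 else self.access_vlan

    def broadcast_receivers(self, vlan: int, per_client_unicast: bool = False) -> Set[str]:
        """Hosts that see a broadcast or multicast frame belonging to `vlan`. Because egress
        is untagged, every host on the port receives it; replicating the frame as per-client
        unicast (the IPv6 first hop security workaround) limits delivery to hosts in that VLAN."""
        if vlan not in self.operational_vlans():
            return set()
        if per_client_unicast or len(self.operational_vlans()) == 1:
            return {h for h in self.sessions if self._session_vlan(h) == vlan}
        return set(self.sessions)


def scenario_one() -> List[Set[int]]:
    """Two hosts with different RADIUS VLANs, then both log out."""
    port = MultiAuthPort(access_vlan=10)
    steps = [port.operational_vlans()]
    port.authorize("H1", 11)
    steps.append(port.operational_vlans())
    port.authorize("H2", 12)
    steps.append(port.operational_vlans())
    port.remove_session("H1")
    port.remove_session("H2")
    steps.append(port.operational_vlans())
    return steps


def scenario_two() -> List[Set[int]]:
    """Second host authorized without a VLAN policy, then logged out."""
    port = MultiAuthPort(access_vlan=10)
    port.authorize("H1", 11)
    port.authorize("H2")
    steps = [port.operational_vlans()]
    port.remove_session("H2")
    steps.append(port.operational_vlans())
    return steps


def scenario_three() -> List[Optional[int]]:
    """Open mode: an unauthorized H2 follows H1's VLAN until H1 leaves."""
    port = MultiAuthPort(access_vlan=10, open_mode=True)
    port.authorize("H1", 11)
    steps = [port.vlan_for("H2")]
    port.remove_session("H1")
    steps.append(port.vlan_for("H2"))
    return steps


if __name__ == "__main__":
    print(scenario_one(), scenario_two(), scenario_three())
```

The broadcast_receivers method is the limitation in one place: with VLANs 11 and 12 both operational, a broadcast for VLAN 11 reaches H2 as well, which is exactly how H2 ends up with an ARP cache entry or an IPv6 address from a subnet it does not belong to.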

MAC Move
When a MAC address is authenticated on one switch port, that address is not allowed on another authentication
manager-enabled port of the switch. If the switch detects that same MAC address on another authentication
manager-enabled port, the address is not allowed.
There are situations where a MAC address might need to move from one port to another on the same switch.
For example, when there is another device (for example a hub or an IP phone) between an authenticated host
and a switch port, you might want to disconnect the host from the device and connect it directly to another
port on the same switch.
You can globally enable MAC move so the device is reauthenticated on the new port. When a host moves to
a second port, the session on the first port is deleted, and the host is reauthenticated on the new port. MAC
move is supported on all host modes. (The authenticated host can move to any port on the switch, no matter
which host mode is enabled on that port.) When a MAC address moves from one port to another, the
switch terminates the authenticated session on the original port and initiates a new authentication sequence
on the new port. The MAC move feature applies to both voice and data hosts.

Note In open authentication mode, a MAC address is immediately moved from the original port to the new port,
with no requirement for authorization on the new port.

MAC Replace
The MAC replace feature can be configured to address the violation that occurs when a host attempts to
connect to a port where another host was previously authenticated.

Note This feature does not apply to ports in multi-auth mode, because violations are not triggered in that mode. It
does not apply to ports in multiple host mode, because in that mode, only the first host requires authentication.

If you configure the authentication violation interface configuration command with the replace keyword,
the authentication process on a port in multi-domain mode is:


• A new MAC address is received on a port with an existing authenticated MAC address.
• The authentication manager replaces the MAC address of the current data host on the port with the new
MAC address.
• The authentication manager initiates the authentication process for the new MAC address.
• If the authentication manager determines that the new host is a voice host, the original voice host is
removed.

If a port is in open authentication mode, any new MAC address is immediately added to the MAC address
table.

802.1x Accounting
The 802.1x standard defines how users are authorized and authenticated for network access but does not keep
track of network usage. 802.1x accounting is disabled by default. You can enable 802.1x accounting to monitor
this activity on 802.1x-enabled ports:
• User successfully authenticates.
• User logs off.
• Link-down occurs.
• Re-authentication successfully occurs.
• Re-authentication fails.

The switch does not log 802.1x accounting information. Instead, it sends this information to the RADIUS
server, which must be configured to log accounting messages.

802.1x Accounting Attribute-Value Pairs


The information sent to the RADIUS server is represented in the form of Attribute-Value (AV) pairs. These
AV pairs provide data for different applications. (For example, a billing application might require information
that is in the Acct-Input-Octets or the Acct-Output-Octets attributes of a RADIUS packet.)
AV pairs are automatically sent by a switch that is configured for 802.1x accounting. Three types of RADIUS
accounting packets are sent by a switch:
• START–sent when a new user session starts
• INTERIM–sent during an existing session for updates
• STOP–sent when a session terminates

You can view the AV pairs that are being sent by the switch by entering the debug radius accounting
privileged EXEC command. For more information about this command, see the Cisco IOS Debug Command
Reference, Release 12.4.


This table lists the AV pairs and when they are sent by the switch.

Table 148: Accounting AV Pairs

Attribute Number   AV Pair Name           START    INTERIM         STOP
Attribute[1]       User-Name              Always   Always          Always
Attribute[4]       NAS-IP-Address         Always   Always          Always
Attribute[5]       NAS-Port               Always   Always          Always
Attribute[8]       Framed-IP-Address      Never    Sometimes (20)  Sometimes
Attribute[25]      Class                  Always   Always          Always
Attribute[30]      Called-Station-ID      Always   Always          Always
Attribute[31]      Calling-Station-ID     Always   Always          Always
Attribute[40]      Acct-Status-Type       Always   Always          Always
Attribute[41]      Acct-Delay-Time        Always   Always          Always
Attribute[42]      Acct-Input-Octets      Never    Always          Always
Attribute[43]      Acct-Output-Octets     Never    Always          Always
Attribute[44]      Acct-Session-ID        Always   Always          Always
Attribute[45]      Acct-Authentic         Always   Always          Always
Attribute[46]      Acct-Session-Time      Never    Always          Always
Attribute[49]      Acct-Terminate-Cause   Never    Never           Always
Attribute[61]      NAS-Port-Type          Always   Always          Always

(20) The Framed-IP-Address AV pair is sent only if a valid Dynamic Host Configuration Protocol (DHCP) binding
exists for the host in the DHCP snooping binding table.

802.1x Readiness Check


The 802.1x readiness check monitors 802.1x activity on all the switch ports and displays information about
the devices connected to the ports that support 802.1x. You can use this feature to determine if the devices
connected to the switch ports are 802.1x-capable. You can use an alternative authentication method, such as MAC
authentication bypass or web authentication, for the devices that do not support 802.1x.
This feature only works if the supplicant on the client supports a query with the NOTIFY EAP notification
packet. The client must respond within the 802.1x timeout value.
Related Topics
Configuring 802.1x Readiness Check, on page 1407


Switch-to-RADIUS-Server Communication
RADIUS security servers are identified by their hostname or IP address, hostname and specific UDP port
numbers, or IP address and specific UDP port numbers. The combination of the IP address and UDP port
number creates a unique identifier, which enables RADIUS requests to be sent to multiple UDP ports on a
server at the same IP address. If two different host entries on the same RADIUS server are configured for the
same service—for example, authentication—the second host entry configured acts as the fail-over backup to
the first one. The RADIUS host entries are tried in the order that they were configured.
Related Topics
Configuring the Switch-to-RADIUS-Server Communication, on page 1415

802.1x Authentication with VLAN Assignment


The switch supports 802.1x authentication with VLAN assignment. After successful 802.1x authentication
of a port, the RADIUS server sends the VLAN assignment to configure the switch port. The RADIUS server
database maintains the username-to-VLAN mappings, assigning the VLAN based on the username of the
client connected to the switch port. You can use this feature to limit network access for certain users.
Voice device authentication is supported with multidomain host mode in Cisco IOS Release 12.2(37)SE. In
Cisco IOS Release 12.2(40)SE and later, when a voice device is authorized and the RADIUS server returned
an authorized VLAN, the voice VLAN on the port is configured to send and receive packets on the assigned
voice VLAN. Voice VLAN assignment behaves the same as data VLAN assignment on multidomain
authentication (MDA)-enabled ports.
When configured on the switch and the RADIUS server, 802.1x authentication with VLAN assignment has
these characteristics:
• If no VLAN is supplied by the RADIUS server or if 802.1x authentication is disabled, the port is
configured in its access VLAN after successful authentication. Recall that an access VLAN is a VLAN
assigned to an access port. All packets sent from or received on this port belong to this VLAN.
• If 802.1x authentication is enabled but the VLAN information from the RADIUS server is not valid,
authorization fails and the configured VLAN remains in use. This prevents ports from appearing unexpectedly
in an inappropriate VLAN because of a configuration error.
Configuration errors could include specifying a VLAN for a routed port, a malformed VLAN ID, a
nonexistent or internal (routed port) VLAN ID, an RSPAN VLAN, a shut down or suspended VLAN.
In the case of a multidomain host port, configuration errors can also be due to an attempted assignment
of a data VLAN that matches the configured or assigned voice VLAN ID (or the reverse).
• If 802.1x authentication is enabled and all information from the RADIUS server is valid, the authorized
device is placed in the specified VLAN after authentication.
• If the multiple-hosts mode is enabled on an 802.1x port, all hosts are placed in the same VLAN (specified
by the RADIUS server) as the first authenticated host.
• Enabling port security does not impact the RADIUS server-assigned VLAN behavior.
• If 802.1x authentication is disabled on the port, it is returned to the configured access VLAN and
configured voice VLAN.
• If an 802.1x port is authenticated and put in the RADIUS server-assigned VLAN, any change to the port
access VLAN configuration does not take effect. In the case of a multidomain host, the same applies to
voice devices when the port is fully authorized with these exceptions:


• If the VLAN configuration change of one device results in matching the other device configured
or assigned VLAN, then authorization of all devices on the port is terminated and multidomain host
mode is disabled until a valid configuration is restored where data and voice device configured
VLANs no longer match.
• If a voice device is authorized and is using a downloaded voice VLAN, the removal of the voice
VLAN configuration, or modifying the configuration value to dot1p or untagged results in voice
device un-authorization and the disablement of multi-domain host mode.

When the port is in the force authorized, force unauthorized, unauthorized, or shutdown state, it is put into
the configured access VLAN.
The 802.1x authentication with VLAN assignment feature is not supported on trunk ports, dynamic ports, or
with dynamic-access port assignment through a VLAN Membership Policy Server (VMPS).
To configure VLAN assignment you need to perform these tasks:
• Enable AAA authorization by using the network keyword to allow interface configuration from the
RADIUS server.
• Enable 802.1x authentication. (The VLAN assignment feature is automatically enabled when you configure
802.1x authentication on an access port).
• Assign vendor-specific tunnel attributes in the RADIUS server. The RADIUS server must return these
attributes to the switch:
• [64] Tunnel-Type = VLAN
• [65] Tunnel-Medium-Type = 802
• [81] Tunnel-Private-Group-ID = VLAN name or VLAN ID
• [83] Tunnel-Preference

Attribute [64] must contain the value VLAN (type 13). Attribute [65] must contain the value 802 (type
6). Attribute [81] specifies the VLAN name or VLAN ID assigned to the IEEE 802.1x-authenticated user.
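As an added example (not code from the guide or from Cisco IOS), the following Python model applies the assignment rules above to a decoded Access-Accept: the three tunnel attributes, each configuration-error case the guide lists, and the fallback to the configured VLAN when authorization fails. The class names, the VLAN table and the attribute dictionary are assumptions of the example, and the RADIUS tag byte on the tunnel attributes is assumed to have been stripped already.

```python
# Added example, not Cisco's code: a model of the VLAN-assignment checks above.
# Classes, VLAN table and attribute dict are assumptions; tag bytes are assumed stripped.
from dataclasses import dataclass
from typing import Optional

TUNNEL_TYPE_VLAN = 13   # Attribute [64] Tunnel-Type must be VLAN (13)
TUNNEL_MEDIUM_802 = 6   # Attribute [65] Tunnel-Medium-Type must be 802 (6)


@dataclass
class Vlan:
    vid: int
    name: str
    state: str = "active"   # "active", "shutdown" or "suspended"
    rspan: bool = False
    internal: bool = False  # internal VLAN that backs a routed port


@dataclass
class Port:
    access_vlan: int
    routed: bool = False
    voice_vlan: Optional[int] = None  # configured or assigned voice VLAN (MDA)
    dot1x_enabled: bool = True


@dataclass
class Decision:
    authorized: bool
    vlan: int
    reason: str


def evaluate_vlan_assignment(attrs: dict, port: Port, vlans: dict,
                             voice_host: bool = False) -> Decision:
    """Decide which VLAN a port ends up in after a RADIUS Access-Accept.

    attrs maps RADIUS attribute names to decoded values; vlans maps VID -> Vlan.
    No VLAN supplied -> access VLAN. Invalid VLAN -> authorization fails and
    the configured VLAN stays in use.
    """
    configured = port.voice_vlan if voice_host and port.voice_vlan else port.access_vlan
    group_id = attrs.get("Tunnel-Private-Group-ID")
    if not port.dot1x_enabled or group_id is None:
        return Decision(True, port.access_vlan, "no VLAN supplied; access VLAN used")

    def fail(reason: str) -> Decision:
        return Decision(False, configured, f"configuration error: {reason}")

    if attrs.get("Tunnel-Type") != TUNNEL_TYPE_VLAN:
        return fail("Tunnel-Type is not VLAN (13)")
    if attrs.get("Tunnel-Medium-Type") != TUNNEL_MEDIUM_802:
        return fail("Tunnel-Medium-Type is not 802 (6)")
    if port.routed:
        return fail("VLAN assignment to a routed port")

    # Attribute [81] carries either a VLAN ID or a VLAN name.
    group_id = str(group_id).strip()
    if group_id.isdigit():
        vid = int(group_id)
        if not 1 <= vid <= 4094:
            return fail(f"malformed VLAN ID {group_id}")
        vlan = vlans.get(vid)
    else:
        vlan = next((v for v in vlans.values() if v.name == group_id), None)
    if vlan is None:
        return fail(f"nonexistent VLAN {group_id}")
    if vlan.internal:
        return fail(f"VLAN {vlan.vid} is an internal (routed port) VLAN")
    if vlan.rspan:
        return fail(f"VLAN {vlan.vid} is an RSPAN VLAN")
    if vlan.state != "active":
        return fail(f"VLAN {vlan.vid} is {vlan.state}")
    # On a multidomain port the data and voice VLANs must differ.
    if not voice_host and port.voice_vlan == vlan.vid:
        return fail(f"data VLAN {vlan.vid} matches the voice VLAN")
    if voice_host and port.access_vlan == vlan.vid:
        return fail(f"voice VLAN {vlan.vid} matches the data VLAN")
    return Decision(True, vlan.vid, "RADIUS-assigned VLAN applied")


# Constructed sample switch state for a stand-alone run.
SAMPLE_VLANS = {
    10: Vlan(10, "USERS"),
    20: Vlan(20, "VOICE"),
    30: Vlan(30, "QUARANTINE", state="shutdown"),
    900: Vlan(900, "RSPAN", rspan=True),
}
SAMPLE_PORT = Port(access_vlan=1, voice_vlan=20)


def good_accept() -> dict:
    return {"Tunnel-Type": 13, "Tunnel-Medium-Type": 6,
            "Tunnel-Private-Group-ID": "USERS"}


if __name__ == "__main__":
    print(evaluate_vlan_assignment(good_accept(), SAMPLE_PORT, SAMPLE_VLANS))
```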


802.1x Authentication with Per-User ACLs


You can enable per-user access control lists (ACLs) to provide different levels of network access and service
to an 802.1x-authenticated user. When the RADIUS server authenticates a user connected to an 802.1x port,
it retrieves the ACL attributes based on the user identity and sends them to the switch. The switch applies the
attributes to the 802.1x port for the duration of the user session. The switch removes the per-user ACL
configuration when the session is over, if authentication fails, or if a link-down condition occurs. The switch
does not save RADIUS-specified ACLs in the running configuration. When the port is unauthorized, the
switch removes the ACL from the port.
You can configure router ACLs and input port ACLs on the same switch. However, a port ACL takes precedence
over a router ACL. If you apply an input port ACL to an interface that belongs to a VLAN, the port ACL takes
precedence over an input router ACL applied to the VLAN interface. Incoming packets received on the port
to which a port ACL is applied are filtered by the port ACL. Incoming routed packets received on other ports
are filtered by the router ACL. Outgoing routed packets are filtered by the router ACL. To avoid configuration
conflicts, you should carefully plan the user profiles stored on the RADIUS server.
RADIUS supports per-user attributes, including vendor-specific attributes. These vendor-specific attributes
(VSAs) are in octet-string format and are passed to the switch during the authentication process. The VSAs
used for per-user ACLs are inacl#<n> for the ingress direction and outacl#<n> for the egress direction. MAC
ACLs are supported only in the ingress direction. The switch supports VSAs only in the ingress direction. It
does not support port ACLs in the egress direction on Layer 2 ports.
Use only the extended ACL syntax style to define the per-user configuration stored on the RADIUS server.
When the definitions are passed from the RADIUS server, they are created by using the extended naming
convention. However, if you use the Filter-Id attribute, it can point to a standard ACL.
You can use the Filter-Id attribute to specify an inbound or outbound ACL that is already configured on the
switch. The attribute contains the ACL number followed by .in for ingress filtering or .out for egress filtering.
If the RADIUS server does not allow the .in or .out syntax, the access list is applied in the outbound direction by
default. Because of limited support of Cisco IOS access lists on the switch, the Filter-Id attribute is supported
only for IP ACLs numbered 1 to 199 and 1300 to 2699 (IP standard and IP extended ACLs).
The maximum size of the per-user ACL is 4000 ASCII characters but is limited by the maximum size of
RADIUS-server per-user ACLs.
To configure per-user ACLs:
• Enable AAA authentication.
• Enable AAA authorization by using the network keyword to allow interface configuration from the
RADIUS server.
• Enable 802.1x authentication.
• Configure the user profile and VSAs on the RADIUS server.
• Configure the 802.1x port for single-host mode.
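As an added example (not the guide's or Cisco's code), this Python snippet parses the per-user ACL attributes described above the way a switch-side authorization step might: Filter-Id with the .in/.out suffix, the outbound default and the supported number ranges, and cisco-av-pair inacl#/outacl# entries checked for extended syntax, ingress-only support and the 4000-character limit. The ip:/mac: prefix on the VSA values, the protocol keyword list and all function names are assumptions of the example.

```python
# Added example, not Cisco's code: parsing Filter-Id and inacl#/outacl# VSAs.
# The "ip:"/"mac:" prefix, the protocol list and the function names are assumptions.
import re

FILTER_ID_RE = re.compile(r"^(\d+)(?:\.(in|out))?$")
ACL_VSA_RE = re.compile(r"^(ip|mac):(inacl|outacl)#(\d+)=(.+)$")
MAX_ACL_CHARS = 4000  # guide: per-user ACL limited to 4000 ASCII characters
IP_PROTOCOLS = {"ip", "tcp", "udp", "icmp", "igmp", "gre", "esp", "ahp", "eigrp", "ospf", "pim"}


def parse_filter_id(value: str):
    """Return (acl_number, direction) for a Filter-Id attribute.

    The attribute names an ACL already on the switch as <number>.in or
    <number>.out; without a suffix the ACL is applied outbound (guide default).
    Only IP ACLs 1-199 and 1300-2699 are accepted.
    """
    m = FILTER_ID_RE.match(value.strip())
    if not m:
        raise ValueError(f"Filter-Id not in <number>[.in|.out] form: {value!r}")
    number, direction = int(m.group(1)), m.group(2) or "out"
    if not (1 <= number <= 199 or 1300 <= number <= 2699):
        raise ValueError(f"ACL {number} is outside the supported Filter-Id ranges")
    return number, direction


def is_extended_ip_ace(ace: str) -> bool:
    """True for 'permit|deny <protocol> <src> ... <dst> ...' (extended syntax).

    A standard ACE ('permit 10.1.1.0 0.0.0.255') has an address where the
    protocol keyword should be, so it is rejected.
    """
    tokens = ace.split()
    return (len(tokens) >= 4 and tokens[0] in ("permit", "deny")
            and tokens[1].lower() in IP_PROTOCOLS)


def parse_per_user_acl(av_pairs, layer2_port: bool = True):
    """Collect inacl#/outacl# VSAs into ordered (family, ace) lists per direction.

    Returns {"in": [...], "out": [...], "rejected": [(pair, reason), ...]}.
    """
    result = {"in": {}, "out": {}, "rejected": []}
    total_chars = 0
    for pair in av_pairs:
        m = ACL_VSA_RE.match(pair.strip())
        if not m:
            continue  # some other cisco-av-pair; not an ACL entry
        family, kind, seq, ace = m.groups()
        direction = "in" if kind == "inacl" else "out"
        if direction == "out" and (family == "mac" or layer2_port):
            # MAC ACLs are ingress-only; egress VSAs are unsupported on Layer 2 ports.
            result["rejected"].append((pair, "egress ACL not supported here"))
            continue
        if family == "ip" and not is_extended_ip_ace(ace):
            result["rejected"].append((pair, "not extended ACL syntax"))
            continue
        total_chars += len(ace)
        if total_chars > MAX_ACL_CHARS:
            result["rejected"].append((pair, "per-user ACL exceeds 4000 characters"))
            continue
        result[direction][(family, int(seq))] = ace
    # Entries are applied in inacl#/outacl# sequence order, not arrival order.
    for d in ("in", "out"):
        result[d] = [(fam, result[d][(fam, seq)]) for fam, seq in sorted(result[d])]
    return result


# Constructed sample RADIUS reply for a stand-alone run.
SAMPLE_AV_PAIRS = [
    "ip:inacl#2=permit udp any any eq 53",
    "ip:inacl#1=permit tcp any host 10.0.0.5 eq 443",
    "ip:inacl#3=permit 10.0.0.0 0.0.0.255",          # standard syntax: rejected
    "ip:outacl#1=deny ip any any",                     # egress on L2 port: rejected
    "mac:inacl#1=permit any any",
    "url-redirect=https://portal.example.invalid/",    # unrelated VSA: ignored
]

if __name__ == "__main__":
    print(parse_filter_id("1300.in"))
    print(parse_per_user_acl(SAMPLE_AV_PAIRS))
```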

802.1x Authentication with Downloadable ACLs and Redirect URLs


You can download ACLs and redirect URLs from a RADIUS server to the switch during 802.1x authentication
or MAC authentication bypass of the host. You can also download ACLs during web authentication.


Note A downloadable ACL is also referred to as a dACL.

If more than one host is authenticated and the host is in single-host, MDA, or multiple-authentication mode,
the switch changes the source address of the ACL to the host IP address.
You can apply the ACLs and redirect URLs to all the devices connected to the 802.1x-enabled port.
If no ACLs are downloaded during 802.1x authentication, the switch applies the static default ACL on the
port to the host. On a voice VLAN port configured in multi-auth or MDA mode, the switch applies the ACL
only to the phone as part of the authorization policies.

Note The limit for dACL with stacking is 64 ACEs per dACL per port. The limit without stacking is the number
of available TCAM entries which varies based on the other ACL features that are active.

Beginning with Cisco IOS Release 12.2(55)SE, if there is no static ACL on a port, a dynamic auth-default
ACL is created, and policies are enforced before dACLs are downloaded and applied.

Note The auth-default-ACL does not appear in the running configuration.

The auth-default ACL is created when at least one host with an authorization policy is detected on the port.
The auth-default ACL is removed from the port when the last authenticated session ends. You can configure
the auth-default ACL by using the ip access-list extended auth-default-acl global configuration command.

Note The auth-default-ACL does not support Cisco Discovery Protocol (CDP) bypass in the single host mode. You
must configure a static ACL on the interface to support CDP bypass.

The 802.1x and MAB authentication methods support two authentication modes, open and closed. If there is
no static ACL on a port in closed authentication mode:
• An auth-default-ACL is created.
• The auth-default-ACL allows only DHCP traffic until policies are enforced.
• When the first host authenticates, the authorization policy is applied without IP address insertion.
• When a second host is detected, the policies for the first host are refreshed, and policies for the first and
subsequent sessions are enforced with IP address insertion.

If there is no static ACL on a port in open authentication mode:


• An auth-default-ACL-OPEN is created and allows all traffic.
• Policies are enforced with IP address insertion to prevent security breaches.
• Web authentication is subject to the auth-default-ACL-OPEN.


To control access for hosts with no authorization policy, you can configure a directive. The supported values
for the directive are open and default. When you configure the open directive, all traffic is allowed. The default
directive subjects traffic to the access provided by the port. You can configure the directive either in the user
profile on the AAA server or on the switch. To configure the directive on the AAA server, use the
authz-directive =<open/default> global command. To configure the directive on the switch, use the epm
access-control open global configuration command.

Note The default value of the directive is default.

If a host falls back to web authentication on a port without a configured ACL:


• If the port is in open authentication mode, the auth-default-ACL-OPEN is created.
• If the port is in closed authentication mode, the auth-default-ACL is created.

The access control entries (ACEs) in the fallback ACL are converted to per-user entries. If the configured
fallback profile does not include a fallback ACL, the host is subject to the auth-default-ACL associated with
the port.

Note If you use a custom logo with web authentication and it is stored on an external server, the port ACL must
allow access to the external server before authentication. You must either configure a static port ACL or
change the auth-default-ACL to provide appropriate access to the external server.

Cisco Secure ACS and Attribute-Value Pairs for the Redirect URL
The switch uses these cisco-av-pair VSAs:
• url-redirect is the HTTP or HTTPS URL.
• url-redirect-acl is the switch ACL name or number.

The switch uses the CiscoSecure-defined-ACL attribute value pair to intercept an HTTP or HTTPS request
from the end point. The switch then forwards the client web browser to the specified redirect address. The
url-redirect AV pair on the Cisco Secure ACS contains the URL to which the web browser is redirected. The
url-redirect-acl attribute value pair contains the name or number of an ACL that specifies the HTTP or HTTPS
traffic to redirect.

Note • Traffic that matches a permit ACE in the ACL is redirected.
• Define the URL redirect ACL and the default port ACL on the switch.

If a redirect URL is configured for a client on the authentication server, a default port ACL on the connected
client switch port must also be configured.
This section describes the ACS server switchover or failover behavior:
The first authorization request is sent to the primary ACS server; after the timeout period set by the tacacs-server
timeout command ends, the request is switched over to the secondary server for authorization. After the first
authorization request, all succeeding requests are sent to the secondary ACS server. After the switchover, if
the secondary server is not available, attempts are made to reach the server and, after the timeout period,
authorization requests are sent to the primary ACS server. If both servers are down, authorization requests
are sent to the next ACS server in the list; when that server's configured timeout period ends, they are sent to the
next server, and so on. If none of the servers are reachable, the user receives an authorization failed message.

Cisco Secure ACS and Attribute-Value Pairs for Downloadable ACLs


You can set the CiscoSecure-Defined-ACL Attribute-Value (AV) pair on the Cisco Secure ACS with the
RADIUS cisco-av-pair vendor-specific attributes (VSAs). This pair specifies the names of the downloadable
ACLs on the Cisco Secure ACS with the #ACL#-IP-name-number attribute.
• The name is the ACL name.
• The number is the version number (for example, 3f783768).

If a downloadable ACL is configured for a client on the authentication server, a default port ACL on the
connected client switch port must also be configured.
If the default ACL is configured on the switch and the Cisco Secure ACS sends a host-access-policy to the
switch, it applies the policy to traffic from the host connected to a switch port. If the policy does not apply,
the switch applies the default ACL. If the Cisco Secure ACS sends the switch a downloadable ACL, this ACL
takes precedence over the default ACL that is configured on the switch port. However, if the switch receives
a host-access-policy from the Cisco Secure ACS but the default ACL is not configured, an authorization
failure is declared.

VLAN ID-based MAC Authentication


You can use VLAN ID-based MAC authentication if you wish to authenticate hosts based on a static VLAN
ID instead of a downloadable VLAN. When you have a static VLAN policy configured on your switch, VLAN
information is sent to an IAS (Microsoft) RADIUS server along with the MAC address of each host for
authentication. The VLAN ID configured on the connected port is used for MAC authentication. By using
VLAN ID-based MAC authentication with an IAS server, you can have a fixed number of VLANs in the
network.
The feature also limits the number of VLANs monitored and handled by STP. The network can be managed
as a fixed VLAN.

Note This feature is not supported on Cisco ACS Server. (The ACS server ignores the sent VLAN-IDs for new
hosts and only authenticates based on the MAC address.)

802.1x Authentication with Guest VLAN


You can configure a guest VLAN for each 802.1x port on the switch to provide limited services to clients,
such as downloading the 802.1x client. These clients might be upgrading their system for 802.1x authentication,
and some hosts, such as Windows 98 systems, might not be IEEE 802.1x-capable.
When you enable a guest VLAN on an 802.1x port, the switch assigns clients to a guest VLAN when the
switch does not receive a response to its EAP request/identity frame or when EAPOL packets are not sent by
the client.


The switch maintains the EAPOL packet history. If an EAPOL packet is detected on the interface during the
lifetime of the link, the switch determines that the device connected to that interface is an IEEE 802.1x-capable
supplicant, and the interface does not change to the guest VLAN state. EAPOL history is cleared if the interface
link status goes down. If no EAPOL packet is detected on the interface, the interface changes to the guest
VLAN state.
If the switch is trying to authorize an 802.1x-capable voice device and the AAA server is unavailable, the
authorization attempt fails, but the detection of the EAPOL packet is saved in the EAPOL history. When the
AAA server becomes available, the switch authorizes the voice device. However, the switch no longer allows
other devices access to the guest VLAN. To prevent this situation, use one of these command sequences:
• Enter the authentication event no-response action authorize vlan vlan-id interface configuration
command to allow access to the guest VLAN.
• Enter the shutdown interface configuration command followed by the no shutdown interface configuration
command to restart the port.

If devices send EAPOL packets to the switch during the lifetime of the link, the switch no longer allows clients
that fail authentication access to the guest VLAN.

Note If an EAPOL packet is detected after the interface has changed to the guest VLAN, the interface reverts to an
unauthorized state, and 802.1x authentication restarts.

Any number of 802.1x-incapable clients are allowed access when the switch port is moved to the guest VLAN.
If an 802.1x-capable client joins the same port on which the guest VLAN is configured, the port is put into
the unauthorized state in the user-configured access VLAN, and authentication is restarted.
Guest VLANs are supported on 802.1x ports in single host, multiple host, multi-auth and multi-domain modes.
You can configure any active VLAN except an RSPAN VLAN, a private VLAN, or a voice VLAN as an
802.1x guest VLAN. The guest VLAN feature is not supported on internal VLANs (routed ports) or trunk
ports; it is supported only on access ports.
The switch supports MAC authentication bypass. When MAC authentication bypass is enabled on an 802.1x
port, the switch can authorize clients based on the client MAC address when IEEE 802.1x authentication times
out while waiting for an EAPOL message exchange. After detecting a client on an 802.1x port, the switch
waits for an Ethernet packet from the client. The switch sends the authentication server a
RADIUS-access/request frame with a username and password based on the MAC address. If authorization
succeeds, the switch grants the client access to the network. If authorization fails, the switch assigns the port
to the guest VLAN if one is specified.

802.1x Authentication with Restricted VLAN


You can configure a restricted VLAN (also referred to as an authentication failed VLAN) for each IEEE 802.1x
port on a switch stack or a switch to provide limited services to clients that cannot access the guest VLAN.
These clients are 802.1x-compliant and cannot access another VLAN because they fail the authentication
process. A restricted VLAN allows users without valid credentials in an authentication server (typically,
visitors to an enterprise) to access a limited set of services. The administrator can control the services available
to the restricted VLAN.


Note You can configure a VLAN to be both the guest VLAN and the restricted VLAN if you want to provide the
same services to both types of users.

Without this feature, the client attempts and fails authentication indefinitely, and the switch port remains in
the spanning-tree blocking state. With this feature, you can configure the switch port to be in the restricted
VLAN after a specified number of authentication attempts (the default value is 3 attempts).
The authenticator counts the failed authentication attempts for the client. When this count exceeds the configured
maximum number of authentication attempts, the port moves to the restricted VLAN. The failed attempt count
increments when the RADIUS server replies with either an EAP failure or an empty response without an EAP
packet. When the port moves into the restricted VLAN, the failed attempt counter resets.
Users who fail authentication remain in the restricted VLAN until the next re-authentication attempt. A port
in the restricted VLAN tries to re-authenticate at configured intervals (the default is 60 seconds). If
re-authentication fails, the port remains in the restricted VLAN. If re-authentication is successful, the port
moves either to the configured VLAN or to a VLAN sent by the RADIUS server. You can disable
re-authentication. If you do this, the only way to restart the authentication process is for the port to receive a
link down or EAP logoff event. We recommend that you keep re-authentication enabled if a client might
connect through a hub. When a client disconnects from the hub, the port might not receive the link down or
EAP logoff event.
After a port moves to the restricted VLAN, a simulated EAP success message is sent to the client. This prevents
clients from indefinitely attempting authentication. Some clients (for example, devices running Windows XP)
cannot implement DHCP without EAP success.
Restricted VLANs are supported on 802.1x ports in all host modes and on Layer 2 ports.
You can configure any active VLAN except an RSPAN VLAN, a primary private VLAN, or a voice VLAN
as an 802.1x restricted VLAN. The restricted VLAN feature is not supported on internal VLANs (routed
ports) or trunk ports; it is supported only on access ports.
Other security port features such as dynamic ARP Inspection, DHCP snooping, and IP source guard can be
configured independently on a restricted VLAN.
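As an added example (not the guide's or Cisco's code), the following Python state model traces the restricted VLAN behaviour described above on a constructed sequence of RADIUS outcomes: the failed-attempt counter, the simulated EAP success, the re-authentication timer, and the link-down or EAP-logoff restart that is the only way out when re-authentication is disabled. Class and method names, and treating the port as moving when the count reaches max_attempts, are assumptions of the example.

```python
# Added example, not Cisco's code: a state model of the restricted VLAN behaviour.
# Names and the "count reaches max_attempts" threshold are assumptions.
from dataclasses import dataclass, field
from typing import List, Optional


@dataclass
class RestrictedVlanPort:
    access_vlan: int
    restricted_vlan: int
    max_attempts: int = 3        # default number of failed attempts (guide)
    reauth_period: int = 60      # default re-authentication interval in seconds
    reauth_enabled: bool = True
    state: str = "unauthorized"  # "unauthorized", "authorized" or "restricted"
    failed: int = 0
    reauth_timer: Optional[int] = None
    vlan: int = field(init=False)
    log: List[str] = field(default_factory=list)

    def __post_init__(self):
        self.vlan = self.access_vlan   # port starts in its configured access VLAN

    def radius_reply(self, reply: str, assigned_vlan: Optional[int] = None) -> str:
        """Feed one authentication outcome and return the new port state.

        reply is "eap-success", "eap-failure" or "empty" (a RADIUS reply that
        carries no EAP packet also counts as a failed attempt).
        """
        if reply == "eap-success":
            self.state, self.failed, self.reauth_timer = "authorized", 0, None
            # Success moves the port to the configured VLAN or the RADIUS-assigned one.
            self.vlan = assigned_vlan or self.access_vlan
            self.log.append(f"authorized in VLAN {self.vlan}")
            return self.state
        if reply not in ("eap-failure", "empty"):
            raise ValueError(f"unknown reply {reply!r}")
        if self.state == "restricted":
            # Failed re-authentication: stay in the restricted VLAN and re-arm the timer.
            self._arm_reauth()
            self.log.append("re-authentication failed; remaining in restricted VLAN")
            return self.state
        self.failed += 1
        if self.failed >= self.max_attempts:
            self.state, self.vlan, self.failed = "restricted", self.restricted_vlan, 0
            # The simulated EAP success stops the client retrying indefinitely and
            # lets clients that need EAP success before DHCP obtain an address.
            self.log.append("simulated EAP success sent to client")
            self._arm_reauth()
        return self.state

    def _arm_reauth(self) -> None:
        self.reauth_timer = self.reauth_period if self.reauth_enabled else None

    def tick(self, seconds: int) -> bool:
        """Advance time; return True when a re-authentication attempt is due."""
        if self.reauth_timer is None:
            return False
        self.reauth_timer -= seconds
        if self.reauth_timer > 0:
            return False
        self.reauth_timer = None
        self.log.append("re-authentication attempt started")
        return True

    def link_event(self, event: str) -> str:
        """A link-down or EAP-logoff event restarts authentication from scratch.

        With re-authentication disabled these are the only ways out of the
        restricted VLAN, which is why the guide recommends keeping it enabled
        for clients behind a hub.
        """
        if event not in ("link-down", "eap-logoff"):
            raise ValueError(f"unknown event {event!r}")
        self.state, self.vlan, self.failed = "unauthorized", self.access_vlan, 0
        self.reauth_timer = None
        self.log.append(f"{event}: authentication restarted")
        return self.state


def run_sample() -> RestrictedVlanPort:
    """Constructed trace: three failures, a failed timed re-auth, then success."""
    port = RestrictedVlanPort(access_vlan=10, restricted_vlan=99)
    port.radius_reply("eap-failure")
    port.radius_reply("empty")
    port.radius_reply("eap-failure")       # third failure: port enters VLAN 99
    port.tick(30)                           # 30 s: re-authentication not yet due
    if port.tick(30):                       # 60 s elapsed: re-authentication due
        port.radius_reply("eap-failure")    # still bad credentials, stays in 99
    port.tick(60)                           # next interval elapses
    port.radius_reply("eap-success", assigned_vlan=20)
    return port


if __name__ == "__main__":
    print("\n".join(run_sample().log))
```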

802.1x Authentication with Inaccessible Authentication Bypass


Use the inaccessible authentication bypass feature, also referred to as critical authentication or the AAA fail
policy, when the switch cannot reach the configured RADIUS servers and new hosts cannot be authenticated.
You can configure the switch to connect those hosts to critical ports.
When a new host tries to connect to the critical port, that host is moved to a user-specified access VLAN, the
critical VLAN. The administrator gives limited authentication to the hosts.
When the switch tries to authenticate a host connected to a critical port, the switch checks the status of the
configured RADIUS server. If a server is available, the switch can authenticate the host. However, if all the
RADIUS servers are unavailable, the switch grants network access to the host and puts the port in the
critical-authentication state, which is a special case of the authentication state.

Inaccessible Authentication Bypass Support on Multiple-Authentication Ports


When a port is configured on any host mode and the AAA server is unavailable, the port is then configured
to multi-host mode and moved to the critical VLAN. To support this inaccessible bypass on
multiple-authentication (multiauth) ports, use the authentication event server dead action reinitialize vlan
vlan-id command. When a new host tries to connect to the critical port, that port is reinitialized and all the
connected hosts are moved to the user-specified access VLAN.
This command is supported on all host modes.

Inaccessible Authentication Bypass Authentication Results


The behavior of the inaccessible authentication bypass feature depends on the authorization state of the port:
• If the port is unauthorized when a host connected to a critical port tries to authenticate and all servers
are unavailable, the switch puts the port in the critical-authentication state in the RADIUS-configured
or user-specified access VLAN.
• If the port is already authorized and reauthentication occurs, the switch puts the critical port in the
critical-authentication state in the current VLAN, which might be the one previously assigned by the
RADIUS server.
• If the RADIUS server becomes unavailable during an authentication exchange, the current exchange
times out, and the switch puts the critical port in the critical-authentication state during the next
authentication attempt.

You can configure the critical port to reinitialize hosts and move them out of the critical VLAN when the
RADIUS server is again available. When this is configured, all critical ports in the critical-authentication state
are automatically re-authenticated.

Inaccessible Authentication Bypass Feature Interactions


Inaccessible authentication bypass interacts with these features:
• Guest VLAN—Inaccessible authentication bypass is compatible with guest VLAN. When a guest VLAN
is enabled on an 802.1x port, the features interact as follows:
• If at least one RADIUS server is available, the switch assigns a client to the guest VLAN when the
switch does not receive a response to its EAP request/identity frame or when the client sends no
EAPOL packets.
• If no RADIUS server is available and the client is connected to a critical port, the switch
authorizes the client and puts the critical port in the critical-authentication state in the
RADIUS-configured or user-specified access VLAN.
• If no RADIUS server is available and the client is not connected to a critical port, the
switch might not assign the client to the guest VLAN even if one is configured.
• If no RADIUS server is available, the client is connected to a critical port, and the client was
previously assigned to the guest VLAN, the switch keeps the port in the guest VLAN.

• Restricted VLAN—If the port is already authorized in a restricted VLAN and the RADIUS servers are
unavailable, the switch puts the critical port in the critical-authentication state in the restricted VLAN.
• 802.1x accounting—Accounting is not affected if the RADIUS servers are unavailable.
• Private VLAN—You can configure inaccessible authentication bypass on a private VLAN host port.
The access VLAN must be a secondary private VLAN.


• Voice VLAN—Inaccessible authentication bypass is compatible with voice VLAN, but the
RADIUS-configured or user-specified access VLAN and the voice VLAN must be different.
• Remote Switched Port Analyzer (RSPAN)—Do not configure an RSPAN VLAN as the
RADIUS-configured or user-specified access VLAN for inaccessible authentication bypass.

802.1x Critical Voice VLAN


When an IP phone connected to a port is authenticated by the access control server (ACS), the phone is put
into the voice domain. If the ACS is not reachable, the switch cannot determine if the device is a voice device.
If the server is unavailable, the phone cannot access the voice network and therefore cannot operate.
For data traffic, you can configure inaccessible authentication bypass, or critical authentication, to allow traffic
to pass through on the native VLAN when the server is not available. If the RADIUS authentication server
is unavailable (down) and inaccessible authentication bypass is enabled, the switch grants the client access
to the network and puts the port in the critical-authentication state in the RADIUS-configured or the
user-specified access VLAN. When the switch cannot reach the configured RADIUS servers and new hosts
cannot be authenticated, the switch connects those hosts to critical ports. A new host trying to connect to the
critical port is moved to a user-specified access VLAN, the critical VLAN, and granted limited authentication.
You can enter the authentication event server dead action authorize voice interface configuration command
to configure the critical voice VLAN feature. When the ACS does not respond, the port goes into critical
authentication mode. When traffic coming from the host is tagged with the voice VLAN, the connected device
(the phone) is put in the configured voice VLAN for the port. The IP phones learn the voice VLAN identification
through CDP (Cisco devices) or through LLDP or DHCP.
You can configure the voice VLAN for a port by entering the switchport voice vlan vlan-id interface
configuration command.
This feature is supported in multidomain and multi-auth host modes. Although you can enter the command
when the port is in single-host or multi-host mode, the command has no effect unless the port changes to
multidomain or multi-auth host mode.
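As an added example (not part of the guide), the following configuration combines the inaccessible authentication bypass behavior described in the preceding sections (critical VLAN, the reinitialize form for multi-auth ports, and re-authentication when a server returns) with the critical voice VLAN on one MDA port. The server address, shared secret, interface name and VLAN IDs are placeholders; VLAN 999 is assumed to be a quarantined VLAN that is neither the voice VLAN nor an RSPAN VLAN, as the feature interactions above require.

```cisco
! Added example, not from the guide. Addresses, key, VLAN IDs and
! interface names are placeholders.
!
! Make server-dead detection deterministic: a server is marked dead
! after 3 unanswered tries within 30 s and stays marked dead for 5 min,
! so every port sees the same "all servers down" condition.
radius server ISE-1
 address ipv4 10.0.0.11 auth-port 1812 acct-port 1813
 key ReplaceWithSharedSecret
radius-server dead-criteria time 30 tries 3
radius-server deadtime 5
!
! Send EAPOL-Success to the supplicant when a port enters the
! critical-authentication state, so 802.1x-capable hosts stop retrying
! and start passing traffic.
dot1x critical eapol
! Spread re-authentication over 1000 ms when the servers come back, so
! every critical port does not hit RADIUS at the same instant.
authentication critical recovery delay 1000
!
interface GigabitEthernet0/1
 switchport mode access
 switchport access vlan 10
 switchport voice vlan 100
 authentication host-mode multi-domain
 authentication port-control auto
 ! Data domain: when all RADIUS servers are dead, authorize new hosts
 ! into the critical VLAN (999). Keep that VLAN quarantined: no identity
 ! is verified there, so it must not be the voice VLAN, an RSPAN VLAN,
 ! or a production VLAN with reach into sensitive systems.
 authentication event server dead action authorize vlan 999
 ! On a multi-auth port use the reinitialize form instead, which moves
 ! every host on the port to VLAN 999 together:
 !   authentication event server dead action reinitialize vlan 999
 ! Voice domain: keep phones on the voice VLAN while the server is down
 ! (critical voice VLAN). Requires multi-domain or multi-auth host mode.
 authentication event server dead action authorize voice
 ! Once a server is reachable again, reinitialize the critical hosts so
 ! they are authenticated properly instead of staying unverified.
 authentication event server alive action reinitialize
 mab
 dot1x pae authenticator
 spanning-tree portfast
```

To exercise it, make the RADIUS server unreachable and connect a host: show aaa servers reports the server as dead, and show authentication sessions interface GigabitEthernet0/1 shows the data session placed in VLAN 999 and the phone still in VLAN 100. When the server is reachable again, the alive action re-authenticates those sessions.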

802.1x User Distribution


You can configure 802.1x user distribution to load-balance users that share a group name across multiple
VLANs.
The VLANs are either supplied by the RADIUS server or configured through the switch CLI under a VLAN
group name.
• Configure the RADIUS server to send more than one VLAN name for a user. The multiple VLAN names
can be sent as part of the response to the user. The 802.1x user distribution tracks all the users in a
particular VLAN and achieves load balancing by moving the authorized user to the least populated
VLAN.
• Configure the RADIUS server to send a VLAN group name for a user. The VLAN group name can be
sent as part of the response to the user. You can search for the selected VLAN group name among the
VLAN group names that you configured by using the switch CLI. If the VLAN group name is found,
the corresponding VLANs under this VLAN group name are searched to find the least populated VLAN.
Load balancing is achieved by moving the corresponding authorized user to that VLAN.


Note The RADIUS server can send the VLAN information in any combination of
VLAN-IDs, VLAN names, or VLAN groups.

802.1x User Distribution Configuration Guidelines


• Confirm that at least one VLAN is mapped to the VLAN group.
• You can map more than one VLAN to a VLAN group.
• You can modify the VLAN group by adding or deleting a VLAN.
• When you clear an existing VLAN from the VLAN group name, none of the authenticated ports in the
VLAN are cleared, but the mappings are removed from the existing VLAN group.
• If you clear the last VLAN from the VLAN group name, the VLAN group is cleared.
• You can clear a VLAN group even when the active VLANs are mapped to the group. When you clear a
VLAN group, none of the ports or users that are in the authenticated state in any VLAN within the group
are cleared, but the VLAN mappings to the VLAN group are cleared.
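The following is an added configuration example (not from the guide) of the VLAN group side of user distribution, following the guidelines above: three data VLANs are mapped to one group, one VLAN is later removed, and then the group is cleared. VLAN IDs, names and the group name are placeholders; the RADIUS attribute values in the comments are the standard RFC 3580 tunnel attributes.

```cisco
! Added example, not from the guide. VLAN numbers, names and the group
! name are placeholders.
!
! Create the member VLANs and map them to one VLAN group. A user whose
! RADIUS reply names this group is placed in whichever member VLAN
! currently has the fewest authenticated users.
vlan 101
 name eng-data-a
vlan 102
 name eng-data-b
vlan 103
 name eng-data-c
vlan group eng-data vlan-list 101-103
!
! On the RADIUS server, return the group name instead of a VLAN:
!   Tunnel-Type             = VLAN (13)
!   Tunnel-Medium-Type      = IEEE-802 (6)
!   Tunnel-Private-Group-ID = eng-data
! Users are only spread across member VLANs; each member VLAN still
! needs the same ACLs/segmentation, since which one a user lands in is
! decided by load, not by identity.
!
! Later: take VLAN 103 out of the group. Sessions already authorized in
! VLAN 103 are not cleared; only the mapping is removed.
no vlan group eng-data vlan-list 103
!
! Finally: remove the remaining members, which clears the group itself.
! This is allowed even while VLANs 101 and 102 are active.
no vlan group eng-data vlan-list 101-102
```

Use show vlan group after each step to confirm the current mappings.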

IEEE 802.1x Authentication with Voice VLAN Ports


A voice VLAN port is a special access port associated with two VLAN identifiers:
• VVID to carry voice traffic to and from the IP phone. The VVID is used to configure the IP phone
connected to the port.
• PVID to carry the data traffic to and from the workstation connected to the switch through the IP phone.
The PVID is the native VLAN of the port.

The IP phone uses the VVID for its voice traffic, regardless of the authorization state of the port. This allows
the phone to work independently of IEEE 802.1x authentication.
In single-host mode, only the IP phone is allowed on the voice VLAN. In multiple-hosts mode, additional
clients can send traffic on the voice VLAN after a supplicant is authenticated on the PVID. When multiple-hosts
mode is enabled, the supplicant authentication affects both the PVID and the VVID.
A voice VLAN port becomes active when there is a link, and the device MAC address appears after the first
CDP message from the IP phone. Cisco IP phones do not relay CDP messages from other devices. As a result,
if several IP phones are connected in series, the switch recognizes only the one directly connected to it. When
IEEE 802.1x authentication is enabled on a voice VLAN port, the switch drops packets from unrecognized
IP phones more than one hop away.
When IEEE 802.1x authentication is enabled on a switch port, you can configure an access port VLAN that
is also a voice VLAN.
When IP phones are connected to an 802.1x-enabled switch port that is in single host mode, the switch grants
the phones network access without authenticating them. We recommend that you use multidomain authentication
(MDA) on the port to authenticate both a data device and a voice device, such as an IP phone.


Note If you enable IEEE 802.1x authentication on an access port on which a voice VLAN is configured and to
which a Cisco IP Phone is connected, the Cisco IP phone loses connectivity to the switch for up to 30 seconds.

IEEE 802.1x Authentication with Port Security


In general, Cisco does not recommend enabling port security when IEEE 802.1x is enabled. Since IEEE 802.1x
enforces a single MAC address per port (or per VLAN when MDA is configured for IP telephony), port
security is redundant and in some cases may interfere with expected IEEE 802.1x operations.

IEEE 802.1x Authentication with Wake-on-LAN


The IEEE 802.1x authentication with wake-on-LAN (WoL) feature allows dormant PCs to be powered when
the switch receives a specific Ethernet frame, known as the magic packet. You can use this feature in
environments where administrators need to connect to systems that have been powered down.
When a host that uses WoL is attached through an IEEE 802.1x port and the host powers off, the IEEE 802.1x
port becomes unauthorized. The port can only receive and send EAPOL packets, and WoL magic packets
cannot reach the host. When the PC is powered off, it is not authorized, and the switch port is not opened.
When the switch uses IEEE 802.1x authentication with WoL, the switch forwards traffic to unauthorized
IEEE 802.1x ports, including magic packets. While the port is unauthorized, the switch continues to block
ingress traffic other than EAPOL packets. The host can receive packets but cannot send packets to other
devices in the network.

Note If PortFast is not enabled on the port, the port is forced to the bidirectional state.

When you configure a port as unidirectional by using the authentication control-direction in interface
configuration command, the port changes to the spanning-tree forwarding state. The port can send packets to
the host but cannot receive packets from the host.
When you configure a port as bidirectional by using the authentication control-direction both interface
configuration command, the port is access-controlled in both directions. The port does not receive packets
from or send packets to the host.
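An added configuration example (not from the guide) of a WoL-capable port, showing the PortFast prerequisite from the note above and both control-direction settings. The interface and VLAN are placeholders.

```cisco
! Added example, not from the guide. Interface name and VLAN are placeholders.
interface GigabitEthernet0/7
 switchport mode access
 switchport access vlan 10
 authentication port-control auto
 dot1x pae authenticator
 ! Required: without PortFast the port is forced back to bidirectional
 ! control and magic packets never reach an unauthorized host.
 spanning-tree portfast
 ! Unidirectional control: the switch may send frames (including WoL
 ! magic packets) to the host while the port is unauthorized. Ingress
 ! other than EAPOL is still dropped, so a powered-off or rogue device
 ! gains no network access; it can only be woken.
 authentication control-direction in
!
! To return to the default, access-controlled in both directions:
! interface GigabitEthernet0/7
!  authentication control-direction both
```

show dot1x interface GigabitEthernet0/7 details reports the control direction in effect, which is how to catch the PortFast fallback described in the note.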

IEEE 802.1x Authentication with MAC Authentication Bypass


You can configure the switch to authorize clients based on the client MAC address by using the MAC
authentication bypass feature. For example, you can enable this feature on IEEE 802.1x ports connected to
devices such as printers.
If IEEE 802.1x authentication times out while waiting for an EAPOL response from the client, the switch
tries to authorize the client by using MAC authentication bypass.
When the MAC authentication bypass feature is enabled on an IEEE 802.1x port, the switch uses the MAC
address as the client identity. The authentication server has a database of client MAC addresses that are allowed
network access. After detecting a client on an IEEE 802.1x port, the switch waits for an Ethernet packet from
the client. The switch sends the authentication server a RADIUS Access-Request with a username and


password based on the MAC address. If authorization succeeds, the switch grants the client access to the
network. If authorization fails, the switch assigns the port to the guest VLAN if one is configured. This process
works for most client devices; however, it does not work for clients that use an alternate MAC address format.
You can configure how MAB authentication is performed for clients with MAC addresses that deviate from
the standard format or where the RADIUS configuration requires the user name and password to differ.
If an EAPOL packet is detected on the interface during the lifetime of the link, the switch determines that the
device connected to that interface is an 802.1x-capable supplicant and uses 802.1x authentication (not MAC
authentication bypass) to authorize the interface. EAPOL history is cleared if the interface link status goes
down.
If the switch already authorized a port by using MAC authentication bypass and detects an IEEE 802.1x
supplicant, the switch does not unauthorize the client connected to the port. When re-authentication occurs,
the switch uses the authentication or re-authentication methods configured on the port, if the previous session
ended because the Termination-Action RADIUS attribute value is DEFAULT.
Clients that were authorized with MAC authentication bypass can be re-authenticated. The re-authentication
process is the same as that for clients that were authenticated with IEEE 802.1x. During re-authentication, the
port remains in the previously assigned VLAN. If re-authentication is successful, the switch keeps the port
in the same VLAN. If re-authentication fails, the switch assigns the port to the guest VLAN, if one is configured.
If re-authentication is driven by the Session-Timeout RADIUS attribute (Attribute[27]) and the
Termination-Action RADIUS attribute (Attribute[29]) is set to Initialize (the attribute value is DEFAULT),
the MAC authentication bypass session
ends, and connectivity is lost during re-authentication. If MAC authentication bypass is enabled and the IEEE
802.1x authentication times out, the switch uses the MAC authentication bypass feature to initiate
re-authorization. For more information about these AV pairs, see RFC 3580, “IEEE 802.1X Remote
Authentication Dial In User Service (RADIUS) Usage Guidelines.”
MAC authentication bypass interacts with these features:
• IEEE 802.1x authentication—You can enable MAC authentication bypass only if 802.1x authentication
is enabled on the port.
• Guest VLAN—If a client has an invalid MAC address identity, the switch assigns the client to a guest
VLAN if one is configured.
• Restricted VLAN—This feature is not supported when the client connected to an IEEE 802.1x port is
authenticated with MAC authentication bypass.
• Port security
• Voice VLAN
• VLAN Membership Policy Server (VMPS)—IEEE802.1x and VMPS are mutually exclusive.
• Private VLAN—You can assign a client to a private VLAN.
• Network Edge Access Topology (NEAT)—MAB and NEAT are mutually exclusive. You cannot enable
MAB when NEAT is enabled on an interface, and you cannot enable NEAT when MAB is enabled on
an interface.

Cisco IOS Release 12.2(55)SE and later supports filtering of verbose MAB system messages.


Network Admission Control Layer 2 IEEE 802.1x Validation


The switch supports the Network Admission Control (NAC) Layer 2 IEEE 802.1x validation, which checks
the antivirus condition or posture of endpoint systems or clients before granting the devices network access.
With NAC Layer 2 IEEE 802.1x validation, you can do these tasks:
• Download the Session-Timeout RADIUS attribute (Attribute[27]) and the Termination-Action RADIUS
attribute (Attribute[29]) from the authentication server.
• Set the number of seconds between re-authentication attempts as the value of the Session-Timeout
RADIUS attribute (Attribute[27]) and get an access policy against the client from the RADIUS server.
• Set the action to be taken when the switch tries to re-authenticate the client by using the
Termination-Action RADIUS attribute (Attribute[29]). If the value is the DEFAULT or is not set, the
session ends. If the value is RADIUS-Request, the re-authentication process starts.
• Set a list of VLAN numbers, VLAN names, or VLAN group names as the value of the Tunnel-Private-Group-ID
attribute (Attribute[81]) and the preference among them as the value of the Tunnel-Preference attribute
(Attribute[83]). If you do not configure Tunnel-Preference, the first Tunnel-Private-Group-ID
(Attribute[81]) value in the list is used.
• View the NAC posture token, which shows the posture of the client, by using the show authentication
privileged EXEC command.
• Configure secondary private VLANs as guest VLANs.

Configuring NAC Layer 2 IEEE 802.1x validation is similar to configuring IEEE 802.1x port-based
authentication except that you must configure a posture token on the RADIUS server.

Flexible Authentication Ordering


You can use flexible authentication ordering to configure the order of methods that a port uses to authenticate
a new host. The IEEE 802.1X Flexible Authentication feature supports three authentication methods:
• dot1X—IEEE 802.1X authentication is a Layer 2 authentication method.
• mab—MAC-Authentication Bypass is a Layer 2 authentication method.
• webauth—Web authentication is a Layer 3 authentication method.

Using this feature, you can control which ports use which authentication methods, and you can control the
failover sequencing of methods on those ports. For example, MAC authentication bypass and 802.1x can be
the primary or secondary authentication methods, and web authentication can be the fallback method if either
or both of those authentication attempts fail.
The IEEE 802.1X Flexible Authentication feature supports the following host modes:
• multi-auth—Multiauthentication allows one authentication on a voice VLAN and multiple authentications
on the data VLAN.
• multi-domain—Multidomain authentication allows two authentications: one on the voice VLAN and
one on the data VLAN.
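An added configuration example (not from the guide) covering both the MAC authentication bypass section and the flexible authentication ordering section: a multi-auth port facing a mix of printers and managed PCs, with MAB tried first but 802.1x given priority. Interface, VLAN and timer values are placeholders; the webauth method is left out because it additionally needs an IP admission fallback profile that this example does not configure.

```cisco
! Added example, not from the guide. Interface, VLAN and timers are placeholders.
interface GigabitEthernet0/2
 switchport mode access
 switchport access vlan 10
 authentication host-mode multi-auth
 authentication port-control auto
 ! Order = sequence. MAB runs first, so a printer is authorized after a
 ! single MAC lookup instead of waiting out an 802.1x timeout.
 authentication order mab dot1x
 ! Priority = rank. If the device sends EAPOL at any time, 802.1x takes
 ! over the session even though MAB already ran. Without this line a
 ! MAB-authorized host would never be upgraded to a real credential.
 authentication priority dot1x mab
 mab
 dot1x pae authenticator
 ! Bound the 802.1x phase for a device that fails MAB and stays silent:
 ! the switch gives up after (max-reauth-req + 1) * tx-period
 ! = (2 + 1) * 10 = 30 s instead of the default (2 + 1) * 30 = 90 s.
 dot1x timeout tx-period 10
 dot1x max-reauth-req 2
 spanning-tree portfast
!
! RADIUS side: the MAB Access-Request carries the MAC address as both
! User-Name and User-Password. MAB only proves the MAC, which any host
! can clone, so authorize MAB identities into a restricted VLAN or dACL,
! not into the same policy as an 802.1x-authenticated user.
```

show authentication sessions interface GigabitEthernet0/2 lists the method that authorized each MAC (mab or dot1x), which confirms the takeover when a supplicant later starts on a MAB-authorized port.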

Related Topics
Configuring Flexible Authentication Ordering, on page 1453


Open1x Authentication
Open1x authentication allows a device access to a port before that device is authenticated. When open
authentication is configured, a new host can pass traffic according to the access control list (ACL) defined on
the port. After the host is authenticated, the policies configured on the RADIUS server are applied to that
host.
You can configure open authentication with these scenarios:
• Single-host mode with open authentication–Only one user is allowed network access before and after
authentication.
• MDA mode with open authentication–Only one user in the voice domain and one user in the data domain
are allowed.
• Multiple-hosts mode with open authentication–Any host can access the network.
• Multiple-authentication mode with open authentication–Similar to MDA, except multiple hosts can be
authenticated.

Note If open authentication is configured, it takes precedence over other authentication controls. This means
that if you use the authentication open interface configuration command, the port grants access to the host
irrespective of the authentication port-control interface configuration command.
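An added configuration example (not from the guide) of open authentication in multi-auth mode. Because open authentication grants access regardless of port-control, the pre-authentication ACL is the only thing that limits an unauthenticated host; the ACL contents, server address, interface and VLAN are placeholders.

```cisco
! Added example, not from the guide. ACL, addresses, VLAN and interface
! are placeholders.
!
! Needed so that a per-host downloadable ACL returned by RADIUS can be
! applied to the authenticated host's IP address.
ip device tracking
!
! Open authentication without an ingress ACL is equivalent to no
! enforcement at all. This ACL is what an unauthenticated host gets:
! DHCP, DNS and the PXE/TFTP server only.
ip access-list extended PREAUTH
 permit udp any eq bootpc any eq bootps
 permit udp any any eq domain
 permit udp any host 10.0.0.20 eq tftp
 deny ip any any
!
interface GigabitEthernet0/3
 switchport mode access
 switchport access vlan 10
 ip access-group PREAUTH in
 ! Pass traffic per PREAUTH before authentication; after the host
 ! authenticates, the policy (dACL or VLAN) returned by RADIUS applies.
 authentication open
 authentication host-mode multi-auth
 authentication port-control auto
 mab
 dot1x pae authenticator
 spanning-tree portfast
```

A host that never authenticates stays bound by PREAUTH; to go back to closed mode, remove authentication open from the interface, and the port behaves according to authentication port-control again.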

Related Topics
Configuring Open1x, on page 1454

Multidomain Authentication
The switch supports multidomain authentication (MDA), which allows both a data device and voice device,
such as an IP phone (Cisco or non-Cisco), to authenticate on the same switch port. The port is divided into a
data domain and a voice domain.

Note For all host modes, the line protocol stays up before authorization when port-based authentication is configured.

MDA does not enforce the order of device authentication. However, for best results, we recommend that a
voice device is authenticated before a data device on an MDA-enabled port.
Follow these guidelines for configuring MDA:
• You must configure a switch port for MDA.
• You must configure the voice VLAN for the IP phone when the host mode is set to multidomain.
• Voice VLAN assignment on an MDA-enabled port is supported in Cisco IOS Release 12.2(40)SE and later.


Note You can assign a dynamic VLAN to a voice device on an MDA-enabled switch
port, but the voice device fails authorization if a static voice VLAN configured
on the switchport is the same as the dynamic VLAN assigned for the voice device
in the RADIUS server.

• To authorize a voice device, the AAA server must be configured to send a Cisco Attribute-Value (AV)
pair attribute with a value of device-traffic-class=voice. Without this value, the switch treats the voice
device as a data device.
• The guest VLAN and restricted VLAN features only apply to the data devices on an MDA-enabled port.
The switch treats a voice device that fails authorization as a data device.
• If more than one device attempts authorization on either the voice or the data domain of a port, the port
is error-disabled.
• Until a device is authorized, the port drops its traffic. Non-Cisco IP phones or voice devices are allowed
into both the data and voice VLANs. The data VLAN allows the voice device to contact a DHCP server
to obtain an IP address and acquire the voice VLAN information. After the voice device starts sending
on the voice VLAN, its access to the data VLAN is blocked.
• A voice device MAC address that is binding on the data VLAN is not counted towards the port security
MAC address limit.
• You can use dynamic VLAN assignment from a RADIUS server only for data devices.
• MDA can use MAC authentication bypass as a fallback mechanism to allow the switch port to connect
to devices that do not support IEEE 802.1x authentication.
• When a data or a voice device is detected on a port, its MAC address is blocked until authorization
succeeds. If the authorization fails, the MAC address remains blocked for 5 minutes.
• If more than five devices are detected on the data VLAN or more than one voice device is detected on
the voice VLAN while a port is unauthorized, the port is error disabled.
• When a port host mode is changed from single- or multihost to multidomain mode, an authorized data
device remains authorized on the port. However, a Cisco IP phone that has been allowed on the port
voice VLAN is automatically removed and must be reauthenticated on that port.
• Active fallback mechanisms such as guest VLAN and restricted VLAN remain configured after a port
changes from single- or multihost mode to multidomain mode.
• Switching a port host mode from multidomain to single- or multihost mode removes all authorized devices
from the port.
• If a data domain is authorized first and placed in the guest VLAN, non-IEEE 802.1x-capable voice
devices need to tag their packets on the voice VLAN to trigger authentication.
• We do not recommend per-user ACLs with an MDA-enabled port. An authorized device with a per-user
ACL policy might impact traffic on both the voice and data VLANs of the port. If used, only one device
on the port should enforce per-user ACLs.
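An added configuration example (not from the guide) of an MDA port that follows the guidelines above: a static voice VLAN, MAB as the fallback for a phone without a supplicant, periodic re-authentication driven by the server, and automatic recovery from the error-disable caused by a domain violation. VLANs, interface and timers are placeholders; the RADIUS attribute in the comments is the one named in the guidelines.

```cisco
! Added example, not from the guide. VLANs, interface and timers are placeholders.
!
! A second voice device, or a sixth data device while the port is
! unauthorized, error-disables the port. Let it recover after 5 minutes
! rather than requiring a manual shut/no shut.
errdisable recovery cause security-violation
errdisable recovery interval 300
!
interface GigabitEthernet0/4
 switchport mode access
 switchport access vlan 10
 ! A static voice VLAN is required in multidomain mode. Do not also
 ! return VLAN 100 as the phone's dynamic VLAN from RADIUS: the phone
 ! fails authorization if the two are the same.
 switchport voice vlan 100
 authentication host-mode multi-domain
 authentication port-control auto
 ! Re-authenticate on the interval the server returns (Session-Timeout),
 ! so a phone that was swapped for a PC is re-checked.
 authentication periodic
 authentication timer reauthenticate server
 ! MAB fallback for phones that do not run an 802.1x supplicant.
 mab
 dot1x pae authenticator
 spanning-tree portfast
!
! RADIUS side: the phone's authorization profile must return
!   cisco-av-pair = "device-traffic-class=voice"
! Without it the switch treats the phone as a data device, and a failed
! voice authorization lands in the data domain's guest/restricted VLAN.
```

show authentication sessions interface GigabitEthernet0/4 should show one session with Domain VOICE and one with Domain DATA once both devices are authorized.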


802.1x Supplicant and Authenticator Switches with Network Edge Access Topology (NEAT)


The Network Edge Access Topology (NEAT) feature extends identity to areas outside the wiring closet (such
as conference rooms). This allows any type of device to authenticate on the port.
• 802.1x switch supplicant: You can configure a switch to act as a supplicant to another switch by using
the 802.1x supplicant feature. This configuration is helpful in a scenario, where, for example, a switch
is outside a wiring closet and is connected to an upstream switch through a trunk port. A switch configured
with the 802.1x switch supplicant feature authenticates with the upstream switch for secure connectivity.
Once the supplicant switch authenticates successfully, the port mode changes from access to trunk.
• If the access VLAN is configured on the authenticator switch, it becomes the native VLAN for the trunk
port after successful authentication.

In the default state, when you connect a supplicant switch to an authenticator switch that has BPDU guard
enabled, the authenticator port could be error-disabled if it receives a Spanning Tree Protocol (STP) bridge
protocol data unit (BPDU) packet before the supplicant switch has authenticated. Beginning with Cisco IOS
Release 15.0(1)SE, you can control traffic exiting the supplicant port during the authentication period. Entering
the dot1x supplicant controlled transient global configuration command temporarily blocks the supplicant
port during authentication to ensure that the authenticator port does not shut down before authentication
completes. If authentication fails, the supplicant port opens. Entering the no dot1x supplicant controlled
transient global configuration command opens the supplicant port during the authentication period. This is
the default behavior.
We strongly recommend using the dot1x supplicant controlled transient command on a supplicant switch
when BPDU guard is enabled on the authenticator switch port with the spanning-tree bpduguard enable
interface configuration command.

Note If you globally enable BPDU guard on the authenticator switch by using the spanning-tree portfast bpduguard
default global configuration command, entering the dot1x supplicant controlled transient command does
not prevent the BPDU violation.

You can enable MDA or multiauth mode on the authenticator switch interface that connects to one or more
supplicant switches. Multihost mode is not supported on the authenticator switch interface.
Use the dot1x supplicant force-multicast global configuration command on the supplicant switch for Network
Edge Access Topology (NEAT) to work in all host modes.
• Host Authorization: Ensures that only traffic from authorized hosts (connecting to the switch with
supplicant) is allowed on the network. The switches use Client Information Signalling Protocol (CISP)
to send the MAC addresses connecting to the supplicant switch to the authenticator switch.
• Auto enablement: Automatically enables trunk configuration on the authenticator switch, allowing user
traffic from multiple VLANs coming from supplicant switches. Configure the cisco-av-pair as
device-traffic-class=switch at the ACS. (You can configure this under the group or the user settings.)
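An added configuration example (not from the guide) of both sides of a NEAT deployment as described above: CISP on both switches, controlled transient and force-multicast on the supplicant, and the RADIUS attribute that lets the authenticator port switch to trunk. Switch names, credentials, VLANs and interface names are placeholders.

```cisco
! Added example, not from the guide. Names, credentials, VLANs and
! interfaces are placeholders.
!
! ---- Authenticator switch (in the wiring closet) ----
cisp enable
interface GigabitEthernet0/5
 switchport mode access
 ! Becomes the native VLAN of the trunk after the supplicant authenticates.
 switchport access vlan 20
 ! MDA or multi-auth only; multi-host is not supported here.
 authentication host-mode multi-domain
 authentication port-control auto
 dot1x pae authenticator
 ! The port changes to trunk on success, so use the trunk form of PortFast.
 spanning-tree portfast trunk
 ! Optional per-interface BPDU guard. If you enable it, the supplicant
 ! side must run "dot1x supplicant controlled transient" (below), and
 ! note that the global "spanning-tree portfast bpduguard default" is
 ! not protected by that command.
 ! spanning-tree bpduguard enable
!
! RADIUS side: the supplicant switch's credentials must return
!   cisco-av-pair = "device-traffic-class=switch"
! which triggers the trunk auto-enablement. Hosts behind the supplicant
! are reported to this switch over CISP and authorized individually.
!
! ---- Supplicant switch (conference room) ----
cisp enable
dot1x credentials NEAT-UPLINK
 username sw-confroom-01
 password ReplaceWithStrongPassword
! Block the uplink until authentication completes, so the authenticator
! never sees a BPDU from an unauthenticated port. Fails open on failure.
dot1x supplicant controlled transient
! Required for NEAT to work with every authenticator host mode.
dot1x supplicant force-multicast
interface GigabitEthernet0/24
 ! On a 3560-CX add "switchport trunk encapsulation dot1q" first.
 switchport mode trunk
 dot1x pae supplicant
 dot1x credentials NEAT-UPLINK
```

On the authenticator, show cisp summary and show cisp clients confirm the CISP peering and the client MAC addresses learned from the supplicant; show authentication sessions interface GigabitEthernet0/5 shows the supplicant switch's own session. Do not configure switchport nonegotiate on either end (see the note below the figure).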


Figure 118: Authenticator and Supplicant Switch using CISP

1 Workstations (clients)
2 Supplicant switch (outside wiring closet)
3 Authenticator switch
4 Access control server (ACS)
5 Trunk port

Note The switchport nonegotiate command is not supported on supplicant and authenticator switches with NEAT.
This command should not be configured at the supplicant side of the topology. If configured on the authenticator
side, the internal macros will automatically remove this command from the port.

Voice Aware 802.1x Security

Note To use voice aware IEEE 802.1x authentication, the switch must be running the LAN base image.

You use the voice aware 802.1x security feature to configure the switch to disable only the VLAN on which
a security violation occurs, whether it is a data or voice VLAN. In previous releases, when an attempt to
authenticate the data client caused a security violation, the entire port shut down, resulting in a complete loss
of connectivity.
You can use this feature in IP phone deployments where a PC is connected to the IP phone. A security violation
found on the data VLAN results in the shutdown of only the data VLAN. The traffic on the voice VLAN
flows through the switch without interruption.
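An added configuration example (not from the guide) of voice aware 802.1x security on an MDA port, together with the error-disable recovery settings a practitioner would pair with it. Interface and VLANs are placeholders; it requires the LAN Base image, per the note above.

```cisco
! Added example, not from the guide. Interface and VLANs are placeholders.
!
! On an 802.1x security violation, shut down only the offending VLAN on
! the port (data VLAN 10 or voice VLAN 100), not the whole port, so the
! phone keeps working when a PC behind it violates.
errdisable detect cause security-violation shutdown vlan
! Restore the VLAN automatically after 5 minutes, so a transient
! violation does not leave the data VLAN down until someone notices.
errdisable recovery cause security-violation
errdisable recovery interval 300
!
interface GigabitEthernet0/6
 switchport mode access
 switchport access vlan 10
 switchport voice vlan 100
 authentication host-mode multi-domain
 authentication port-control auto
 ! Default violation action; shown explicitly because the global
 ! "shutdown vlan" setting above changes what "shutdown" means here.
 authentication violation shutdown
 mab
 dot1x pae authenticator
 spanning-tree portfast
```

show errdisable detect confirms that security-violation is set to shut down per VLAN. To re-enable a VLAN on a port before the recovery timer fires, use clear errdisable interface GigabitEthernet0/6 vlan 10.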
Related Topics
Configuring Voice Aware 802.1x Security, on page 1409


Common Session ID
The authentication manager uses a single session ID (referred to as a common session ID) for a client no matter
which authentication method is used. This ID is used for all reporting purposes, such as the show commands
and MIBs. The session ID appears in all per-session syslog messages.
The session ID includes:
• The IP address of the Network Access Device (NAD)
• A monotonically increasing unique 32 bit integer
• The session start time stamp (a 32 bit integer)

This example shows how the session ID appears in the output of the show authentication sessions command.
The session ID in this example is 160000050000000B288508E5:

SwitchDevice# show authentication sessions
Interface  MAC Address     Method  Domain  Status         Session ID
Fa4/0/4    0000.0000.0203  mab     DATA    Authz Success  160000050000000B288508E5

This is an example of how the session ID appears in the syslog output. The session ID in this example is
also 160000050000000B288508E5:

1w0d: %AUTHMGR-5-START: Starting 'mab' for client (0000.0000.0203) on Interface Fa4/0/4 AuditSessionID 160000050000000B288508E5
1w0d: %MAB-5-SUCCESS: Authentication successful for client (0000.0000.0203) on Interface Fa4/0/4 AuditSessionID 160000050000000B288508E5
1w0d: %AUTHMGR-7-RESULT: Authentication result 'success' from 'mab' for client (0000.0000.0203) on Interface Fa4/0/4 AuditSessionID 160000050000000B288508E5

The session ID is used by the NAD, the AAA server, and other report-analyzing applications to identify the
client. The ID appears automatically. No configuration is required.

How to Configure 802.1x Port-Based Authentication


Default 802.1x Authentication Configuration
Table 149: Default 802.1x Authentication Configuration

Feature: Default Setting

Switch 802.1x enable state: Disabled.

Per-port 802.1x enable state: Disabled (force-authorized). The port sends and receives normal traffic without
802.1x-based authentication of the client.

AAA: Disabled.


RADIUS server:
• IP address: None specified.
• UDP authentication port: 1812.
• Key: None specified.

Host mode: Single-host mode.

Control direction: Bidirectional control.

Periodic re-authentication: Disabled.

Number of seconds between re-authentication attempts: 3600 seconds.

Re-authentication number: 2 times (number of times that the switch restarts the authentication process
before the port changes to the unauthorized state).

Quiet period: 60 seconds (number of seconds that the switch remains in the quiet state following a failed
authentication exchange with the client).

Retransmission time: 30 seconds (number of seconds that the switch waits for a response to an EAP
request/identity frame from the client before resending the request).

Maximum retransmission number: 2 times (number of times that the switch sends an EAP-request/identity
frame before restarting the authentication process).

Client timeout period: 30 seconds (when relaying a request from the authentication server to the client, the
amount of time the switch waits for a response before resending the request to the client).

Authentication server timeout period: 30 seconds (when relaying a response from the client to the
authentication server, the amount of time the switch waits for a reply before resending the response to the
server). You can change this timeout period by using the dot1x timeout server-timeout interface
configuration command.

Inactivity timeout: Disabled.

Guest VLAN: None specified.

Inaccessible authentication bypass: Disabled.

Restricted VLAN: None specified.

Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(3)E (Catalyst 3560-CX and 2960-CX Switches)
1404
Security
802.1x Authentication Configuration Guidelines

Feature Default Setting

Authenticator (switch) mode None specified.

MAC authentication bypass Disabled.

Voice-aware security Disabled.

802.1x Authentication Configuration Guidelines


802.1x Authentication
These are the 802.1x authentication configuration guidelines:
• When 802.1x authentication is enabled, ports are authenticated before any other Layer 2 or Layer 3
features are enabled.
• If the VLAN to which an 802.1x-enabled port is assigned changes, this change is transparent and does
not affect the switch. For example, this change occurs if a port is assigned to a RADIUS server-assigned
VLAN and is then assigned to a different VLAN after re-authentication.
If the VLAN to which an 802.1x port is assigned is shut down, disabled, or removed, the port becomes
unauthorized. For example, the port is unauthorized after the access VLAN to which a port is assigned
shuts down or is removed.
• The 802.1x protocol is supported on Layer 2 static-access ports, voice VLAN ports, and Layer 3 routed
ports, but it is not supported on these port types:
• Dynamic ports—A port in dynamic mode can negotiate with its neighbor to become a trunk port.
If you try to enable 802.1x authentication on a dynamic port, an error message appears, and 802.1x
authentication is not enabled. If you try to change the mode of an 802.1x-enabled port to dynamic,
an error message appears, and the port mode is not changed.
• Dynamic-access ports—If you try to enable 802.1x authentication on a dynamic-access (VLAN
Query Protocol [VQP]) port, an error message appears, and 802.1x authentication is not enabled.
If you try to change an 802.1x-enabled port to dynamic VLAN assignment, an error message appears,
and the VLAN configuration is not changed.
• EtherChannel port—Do not configure a port that is an active or a not-yet-active member of an
EtherChannel as an 802.1x port. If you try to enable 802.1x authentication on an EtherChannel port,
an error message appears, and 802.1x authentication is not enabled.
• Switched Port Analyzer (SPAN) and Remote SPAN (RSPAN) destination ports—You can enable
802.1x authentication on a port that is a SPAN or RSPAN destination port. However, 802.1x
authentication is disabled until the port is removed as a SPAN or RSPAN destination port. You can
enable 802.1x authentication on a SPAN or RSPAN source port.

• Before globally enabling 802.1x authentication on a switch by entering the dot1x system-auth-control
global configuration command, remove the EtherChannel configuration from the interfaces on which
802.1x authentication and EtherChannel are configured.
• Cisco IOS Release 12.2(55)SE and later supports filtering of system messages related to 802.1x
authentication.


VLAN Assignment, Guest VLAN, Restricted VLAN, and Inaccessible Authentication Bypass
These are the configuration guidelines for VLAN assignment, guest VLAN, restricted VLAN, and inaccessible
authentication bypass:
• When 802.1x authentication is enabled on a port, you cannot configure a port VLAN that is equal to a
voice VLAN.
• The 802.1x authentication with VLAN assignment feature is not supported on trunk ports, dynamic ports,
or with dynamic-access port assignment through a VMPS.
• You can configure any VLAN except an RSPAN VLAN or a voice VLAN as an 802.1x guest VLAN.
The guest VLAN feature is not supported on internal VLANs (routed ports) or trunk ports; it is supported
only on access ports.
• After you configure a guest VLAN for an 802.1x port to which a DHCP client is connected, you might
need to get a host IP address from a DHCP server. You can change the settings for restarting the 802.1x
authentication process on the switch before the DHCP process on the client times out and tries to get a
host IP address from the DHCP server. Decrease the settings for the 802.1x authentication process
(authentication timer inactivity and authentication timer reauthentication interface configuration
commands). The amount to decrease the settings depends on the connected 802.1x client type.
• When configuring the inaccessible authentication bypass feature, follow these guidelines:
• The feature is supported on an 802.1x port in single-host mode and multihost mode.
• If the client is running Windows XP and the port to which the client is connected is in the
critical-authentication state, Windows XP might report that the interface is not authenticated.
• If the Windows XP client is configured for DHCP and has an IP address from the DHCP server,
receiving an EAP-Success message on a critical port might not re-initiate the DHCP configuration
process.
• You can configure the inaccessible authentication bypass feature and the restricted VLAN on an
802.1x port. If the switch tries to re-authenticate a critical port in a restricted VLAN and all the
RADIUS servers are unavailable, the switch changes the port state to the critical authentication state
and the port remains in the restricted VLAN.

• You can configure any VLAN except an RSPAN VLAN or a voice VLAN as an 802.1x restricted VLAN.
The restricted VLAN feature is not supported on internal VLANs (routed ports) or trunk ports; it is
supported only on access ports.

MAC Authentication Bypass


These are the MAC authentication bypass configuration guidelines:
• Unless otherwise stated, the MAC authentication bypass guidelines are the same as the 802.1x
authentication guidelines.
• If you disable MAC authentication bypass from a port after the port has been authorized with its MAC
address, the port state is not affected.
• If the port is in the unauthorized state and the client MAC address is not in the authentication-server database,
the port remains in the unauthorized state. However, if the client MAC address is added to the database,
the switch can use MAC authentication bypass to re-authorize the port.


• If the port is in the authorized state, the port remains in this state until re-authorization occurs.
• You can configure a timeout period for hosts that are connected by MAC authentication bypass but are
inactive. The range is 1 to 65535 seconds.

Maximum Number of Allowed Devices Per Port


This is the maximum number of devices allowed on an 802.1x-enabled port:
• In single-host mode, only one device is allowed on the access VLAN. If the port is also configured with
a voice VLAN, an unlimited number of Cisco IP phones can send and receive traffic through the voice
VLAN.
• In multidomain authentication (MDA) mode, one device is allowed for the access VLAN, and one IP
phone is allowed for the voice VLAN.
• In multihost mode, only one 802.1x supplicant is allowed on the port, but an unlimited number of
non-802.1x hosts are allowed on the access VLAN. An unlimited number of devices are allowed on the
voice VLAN.

Configuring 802.1x Readiness Check


The 802.1x readiness check monitors 802.1x activity on all the switch ports and displays information about
the devices connected to the ports that support 802.1x. You can use this feature to determine if the devices
connected to the switch ports are 802.1x-capable.
The 802.1x readiness check is allowed on all ports that can be configured for 802.1x. The readiness check is
not available on a port that is configured as dot1x force-unauthorized.
Follow these steps to enable the 802.1x readiness check on the switch:

Before you begin


Follow these guidelines to enable the readiness check on the switch:
• The readiness check is typically used before 802.1x is enabled on the switch.
• If you use the dot1x test eapol-capable privileged EXEC command without specifying an interface, all
the ports on the switch stack are tested.
• When you configure the dot1x test eapol-capable command on an 802.1x-enabled port, and the link
comes up, the port queries the connected client about its 802.1x capability. When the client responds
with a notification packet, it is 802.1x-capable. A syslog message is generated if the client responds
within the timeout period. If the client does not respond to the query, the client is not 802.1x-capable.
No syslog message is generated.
• The readiness check can be sent on a port that handles multiple hosts (for example, a PC that is connected
to an IP phone). A syslog message is generated for each of the clients that respond to the readiness check
within the timer period.


SUMMARY STEPS
1. enable
2. configure terminal
3. dot1x test eapol-capable [interface interface-id]
4. dot1x test timeout timeout
5. end
6. show running-config
7. copy running-config startup-config

DETAILED STEPS

Step 1 enable
Purpose: Enables privileged EXEC mode. Enter your password if prompted.
Example:
SwitchDevice> enable

Step 2 configure terminal
Purpose: Enters the global configuration mode.
Example:
SwitchDevice# configure terminal

Step 3 dot1x test eapol-capable [interface interface-id]
Purpose: Enables the 802.1x readiness check on the switch.
(Optional) For interface-id, specify the port on which to check for IEEE 802.1x readiness.
Note: If you omit the optional interface keyword, all interfaces on the switch are tested.
Example:
SwitchDevice# dot1x test eapol-capable interface gigabitethernet1/0/13
DOT1X_PORT_EAPOL_CAPABLE:DOT1X: MAC 00-01-02-4b-f1-a3 on gigabitethernet1/0/13 is EAPOL capable

Step 4 dot1x test timeout timeout
Purpose: (Optional) Configures the timeout used to wait for EAPOL response. The range is from 1 to 65535 seconds. The default is 10 seconds.

Step 5 end
Purpose: Returns to privileged EXEC mode.
Example:
SwitchDevice(config)# end

Step 6 show running-config
Purpose: Verifies your entries.
Example:
SwitchDevice# show running-config

Step 7 copy running-config startup-config
Purpose: (Optional) Saves your entries in the configuration file.
Example:
SwitchDevice# copy running-config startup-config

Related Topics
802.1x Readiness Check, on page 1384

Configuring Voice Aware 802.1x Security

Note To use voice aware IEEE 802.1x authentication, the switch must be running the LAN base image.

You use the voice aware 802.1x security feature on the switch to disable only the VLAN on which a security
violation occurs, whether it is a data or voice VLAN. You can use this feature in IP phone deployments where
a PC is connected to the IP phone. A security violation found on the data VLAN results in the shutdown of
only the data VLAN. The traffic on the voice VLAN flows through the switch without interruption.
Follow these guidelines to configure voice aware 802.1x security on the switch:
• You enable voice aware 802.1x security by entering the errdisable detect cause security-violation
shutdown vlan global configuration command. You disable voice aware 802.1x security by entering the
no version of this command. This command applies to all 802.1x-configured ports in the switch.

Note If you do not include the shutdown vlan keywords, the entire port is shut down
when it enters the error-disabled state.

• If you use the errdisable recovery cause security-violation global configuration command to configure
error-disabled recovery, the port is automatically re-enabled. If error-disabled recovery is not configured
for the port, you re-enable it by using the shutdown and no shutdown interface configuration commands.
• You can re-enable individual VLANs by using the clear errdisable interface interface-id vlan [vlan-list]
privileged EXEC command. If you do not specify a range, all VLANs on the port are enabled.

Beginning in privileged EXEC mode, follow these steps to enable voice aware 802.1x security:

SUMMARY STEPS
1. configure terminal
2. errdisable detect cause security-violation shutdown vlan
3. errdisable recovery cause security-violation
4. clear errdisable interface interface-id vlan [vlan-list]
5. Enter the following:
• shutdown
• no shutdown
6. end
7. show errdisable detect

DETAILED STEPS

Step 1 configure terminal
Purpose: Enter global configuration mode.

Step 2 errdisable detect cause security-violation shutdown vlan
Purpose: Shut down any VLAN on which a security violation error occurs.
Note: If the shutdown vlan keywords are not included, the entire port enters the error-disabled state and shuts down.

Step 3 errdisable recovery cause security-violation
Purpose: Enable error-disabled recovery for security violations, so that an error-disabled port is automatically re-enabled.

Step 4 clear errdisable interface interface-id vlan [vlan-list]
Purpose: (Optional) Reenable individual VLANs that have been error disabled.
• For interface-id, specify the port on which to reenable individual VLANs.
• (Optional) For vlan-list, specify a list of VLANs to be re-enabled. If vlan-list is not specified, all VLANs are re-enabled.

Step 5 Enter the following:
• shutdown
• no shutdown
Purpose: (Optional) Re-enable an error-disabled VLAN, and clear all error-disable indications.

Step 6 end
Purpose: Return to privileged EXEC mode.

Step 7 show errdisable detect
Purpose: Verify your entries.

Example
This example shows how to configure the switch to shut down any VLAN on which a security
violation error occurs:
Switch(config)# errdisable detect cause security-violation shutdown vlan
This example shows how to re-enable all VLANs that were error disabled on port Gigabit Ethernet
4/0/2:
Switch# clear errdisable interface gigabitethernet4/0/2 vlan
You can verify your settings by entering the show errdisable detect privileged EXEC command.

Related Topics
Voice Aware 802.1x Security, on page 1402


Configuring 802.1x Violation Modes


You can configure an 802.1x port so that it shuts down, generates a syslog error, or discards packets from a
new device when:
• a device connects to an 802.1x-enabled port
• the maximum number of allowed devices has already been authenticated on the port

Beginning in privileged EXEC mode, follow these steps to configure the security violation actions on the
switch:

SUMMARY STEPS
1. configure terminal
2. aaa new-model
3. aaa authentication dot1x {default} method1
4. interface interface-id
5. switchport mode access
6. authentication violation {shutdown | restrict | protect | replace}
7. end

DETAILED STEPS

Step 1 configure terminal
Purpose: Enters the global configuration mode.
Example:
SwitchDevice# configure terminal

Step 2 aaa new-model
Purpose: Enables AAA.
Example:
SwitchDevice(config)# aaa new-model

Step 3 aaa authentication dot1x {default} method1
Purpose: Creates an 802.1x authentication method list.
To create a default list that is used when a named list is not specified in the authentication command, use the default
keyword followed by the method that is to be used in default situations. The default method list is automatically applied
to all ports.
For method1, enter the group radius keywords to use the list of all RADIUS servers for authentication.
Note: Though other keywords are visible in the command-line help string, only the group radius keywords are supported.
Example:
SwitchDevice(config)# aaa authentication dot1x default group radius

Step 4 interface interface-id
Purpose: Specifies the port connected to the client that is to be enabled for IEEE 802.1x authentication, and enters interface
configuration mode.
Example:
SwitchDevice(config)# interface gigabitethernet1/0/4

Step 5 switchport mode access
Purpose: Sets the port to access mode.
Example:
SwitchDevice(config-if)# switchport mode access

Step 6 authentication violation {shutdown | restrict | protect | replace}
Purpose: Configures the violation mode. The keywords have these meanings:
• shutdown–Error disable the port.
• restrict–Generate a syslog error.
• protect–Drop packets from any new device that sends traffic to the port.
• replace–Removes the current session and authenticates with the new host.
Example:
SwitchDevice(config-if)# authentication violation restrict

Step 7 end
Purpose: Returns to privileged EXEC mode.
Example:
SwitchDevice(config-if)# end

Configuring 802.1x Authentication


To allow per-user ACLs or VLAN assignment, you must enable AAA authorization to configure the switch
for all network-related service requests.
This is the 802.1x AAA process:

Before you begin


To configure 802.1x port-based authentication, you must enable authentication, authorization, and accounting
(AAA) and specify the authentication method list. A method list describes the sequence and authentication
method to be queried to authenticate a user.

SUMMARY STEPS
1. A user connects to a port on the switch.
2. Authentication is performed.
3. VLAN assignment is enabled, as appropriate, based on the RADIUS server configuration.
4. The switch sends a start message to an accounting server.
5. Re-authentication is performed, as necessary.
6. The switch sends an interim accounting update to the accounting server that is based on the result of
re-authentication.
7. The user disconnects from the port.
8. The switch sends a stop message to the accounting server.
DETAILED STEPS

Command or Action Purpose


Step 1 A user connects to a port on the switch.
Step 2 Authentication is performed.
Step 3 VLAN assignment is enabled, as appropriate, based on the
RADIUS server configuration.
Step 4 The switch sends a start message to an accounting server.
Step 5 Re-authentication is performed, as necessary.
Step 6 The switch sends an interim accounting update to the
accounting server that is based on the result of
re-authentication.
Step 7 The user disconnects from the port.
Step 8 The switch sends a stop message to the accounting server.

Configuring 802.1x Port-Based Authentication


Beginning in privileged EXEC mode, follow these steps to configure 802.1x port-based authentication:

SUMMARY STEPS
1. configure terminal
2. aaa new-model
3. aaa authentication dot1x {default} method1
4. dot1x system-auth-control
5. aaa authorization network {default} group radius
6. radius-server host ip-address
7. radius-server key string
8. interface interface-id
9. switchport mode access
10. authentication port-control auto
11. dot1x pae authenticator
12. end


DETAILED STEPS

Step 1 configure terminal
Purpose: Enters the global configuration mode.
Example:
SwitchDevice# configure terminal

Step 2 aaa new-model
Purpose: Enables AAA.
Example:
SwitchDevice(config)# aaa new-model

Step 3 aaa authentication dot1x {default} method1
Purpose: Creates an 802.1x authentication method list.
To create a default list that is used when a named list is not specified in the authentication command, use the
default keyword followed by the method that is to be used in default situations. The default method list is
automatically applied to all ports.
For method1, enter the group radius keywords to use the list of all RADIUS servers for authentication.
Note: Though other keywords are visible in the command-line help string, only the group radius keywords are supported.
Example:
SwitchDevice(config)# aaa authentication dot1x default group radius

Step 4 dot1x system-auth-control
Purpose: Enables 802.1x authentication globally on the switch.
Example:
SwitchDevice(config)# dot1x system-auth-control

Step 5 aaa authorization network {default} group radius
Purpose: (Optional) Configures the switch to use user-RADIUS authorization for all network-related service requests, such
as per-user ACLs or VLAN assignment.
Note: For per-user ACLs, single-host mode must be configured. This setting is the default.
Example:
SwitchDevice(config)# aaa authorization network default group radius

Step 6 radius-server host ip-address
Purpose: (Optional) Specifies the IP address of the RADIUS server.
Example:
SwitchDevice(config)# radius-server host 124.2.2.12

Step 7 radius-server key string
Purpose: (Optional) Specifies the authentication and encryption key used between the switch and the RADIUS daemon running
on the RADIUS server.
Example:
SwitchDevice(config)# radius-server key abc1234

Step 8 interface interface-id
Purpose: Specifies the port connected to the client that is to be enabled for IEEE 802.1x authentication, and enters interface
configuration mode.
Example:
SwitchDevice(config)# interface gigabitethernet1/0/2

Step 9 switchport mode access
Purpose: (Optional) Sets the port to access mode only if you configured the RADIUS server in Step 6 and Step 7.
Example:
SwitchDevice(config-if)# switchport mode access

Step 10 authentication port-control auto
Purpose: Enables 802.1x authentication on the port.
Example:
SwitchDevice(config-if)# authentication port-control auto

Step 11 dot1x pae authenticator
Purpose: Sets the interface Port Access Entity to act only as an authenticator and ignore messages meant for a supplicant.
Example:
SwitchDevice(config-if)# dot1x pae authenticator

Step 12 end
Purpose: Returns to privileged EXEC mode.
Example:
SwitchDevice(config-if)# end
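The violation-mode procedure and the port-based authentication procedure above are sequences of CLI commands that are easy to leave half-applied. As an added example (not code from the Cisco guide), this Python script audits a running-config text for exactly those settings: the global prerequisites (aaa new-model, the dot1x default method list, dot1x system-auth-control and a radius-server host) and, for every access port, authentication port-control auto, dot1x pae authenticator and an explicit, valid authentication violation mode. A port missing port-control auto is flagged because, per the default table above, it stays force-authorized and forwards traffic without 802.1x. The configuration excerpt is constructed, the RADIUS key is a placeholder, and all function names are this example's own.

```python
# Constructed running-config excerpt (not from a real device). Interfaces
# 1/0/3 and 1/0/4 are deliberately incomplete; 1/0/24 is a trunk and is skipped.
SAMPLE_CONFIG = """\
hostname SwitchDevice
aaa new-model
aaa authentication dot1x default group radius
aaa authorization network default group radius
dot1x system-auth-control
radius-server host 192.0.2.10 auth-port 1812 key EXAMPLE-KEY-PLACEHOLDER
!
interface GigabitEthernet1/0/2
 switchport mode access
 authentication port-control auto
 authentication violation restrict
 dot1x pae authenticator
!
interface GigabitEthernet1/0/3
 switchport mode access
 authentication port-control auto
!
interface GigabitEthernet1/0/4
 switchport mode access
!
interface GigabitEthernet1/0/24
 switchport mode trunk
!
"""

# Global commands the port-based authentication procedure requires verbatim.
GLOBAL_REQUIRED = [
    "aaa new-model",
    "aaa authentication dot1x default group radius",
    "dot1x system-auth-control",
]
# Keywords accepted by 'authentication violation' in this guide.
VIOLATION_MODES = {"shutdown", "restrict", "protect", "replace"}


def split_config(text):
    """Split IOS-style config into (global_lines, {interface_name: [sub-commands]})."""
    global_lines, interfaces, current = [], {}, None
    for raw in text.splitlines():
        if raw.startswith("interface "):
            current = raw.split(None, 1)[1]
            interfaces[current] = []
        elif raw.startswith(" ") and current is not None:
            interfaces[current].append(raw.strip())   # indented = interface sub-command
        else:
            current = None                            # '!' or a global command ends the block
            if raw and raw != "!":
                global_lines.append(raw.strip())
    return global_lines, interfaces


def audit_global(global_lines):
    """Return the list of missing global prerequisites (empty list = all present)."""
    missing = [cmd for cmd in GLOBAL_REQUIRED if cmd not in global_lines]
    if not any(line.startswith("radius-server host ") for line in global_lines):
        missing.append("radius-server host ...")
    return missing


def audit_interfaces(interfaces):
    """Return {interface: [issues]} for access ports that lack the per-port settings."""
    findings = {}
    for name, lines in interfaces.items():
        if "switchport mode access" not in lines:
            continue   # the procedure configures 802.1x on access ports only
        issues = []
        if "authentication port-control auto" not in lines:
            issues.append("no 'authentication port-control auto': port stays force-authorized "
                          "and forwards traffic without 802.1x authentication")
        if "dot1x pae authenticator" not in lines:
            issues.append("no 'dot1x pae authenticator'")
        modes = [line.split()[2] for line in lines
                 if line.startswith("authentication violation ") and len(line.split()) >= 3]
        if not modes:
            issues.append("no explicit 'authentication violation' mode")
        elif modes[-1] not in VIOLATION_MODES:
            issues.append(f"unknown violation mode '{modes[-1]}'")
        if issues:
            findings[name] = issues
    return findings


if __name__ == "__main__":
    global_lines, interfaces = split_config(SAMPLE_CONFIG)
    print("missing global settings:", audit_global(global_lines) or "none")
    for intf, issues in audit_interfaces(interfaces).items():
        print(intf)
        for issue in issues:
            print("  -", issue)
```

Run against a saved `show running-config` export before and after applying the procedure; the interface check only looks at access ports, so trunks and routed ports are not reported even though the guidelines above allow 802.1x on Layer 3 routed ports.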

Configuring the Switch-to-RADIUS-Server Communication


You can globally configure the timeout, retransmission, and encryption key values for all RADIUS servers
by using the radius-server host global configuration command. If you want to configure these options on a
per-server basis, use the radius-server timeout, the radius-server retransmit, and the radius-server key
global configuration commands.
You also need to configure some settings on the RADIUS server. These settings include the IP address of the
switch and the key string to be shared by both the server and the switch. For more information, see the RADIUS
server documentation.


Follow these steps to configure the RADIUS server parameters on the switch. This procedure is required.

Before you begin


You must enable authentication, authorization, and accounting (AAA) and specify the authentication method
list. A method list describes the sequence and authentication method to be queried to authenticate a user.

SUMMARY STEPS
1. enable
2. configure terminal
3. radius-server host {hostname | ip-address} auth-port port-number key string
4. end

DETAILED STEPS

Step 1 enable
Purpose: Enables privileged EXEC mode. Enter your password if prompted.
Example:
SwitchDevice> enable

Step 2 configure terminal
Purpose: Enters the global configuration mode.
Example:
SwitchDevice# configure terminal

Step 3 radius-server host {hostname | ip-address} auth-port port-number key string
Purpose: Configures the RADIUS server parameters.
For hostname | ip-address, specify the hostname or IP address of the remote RADIUS server.
For auth-port port-number, specify the UDP destination port for authentication requests. The default is 1812. The
range is 0 to 65536.
For key string, specify the authentication and encryption key used between the switch and the RADIUS daemon
running on the RADIUS server. The key is a text string that must match the encryption key used on the RADIUS server.
Note: Always configure the key as the last item in the radius-server host command syntax because leading spaces
are ignored, but spaces within and at the end of the key are used. If you use spaces in the key, do not enclose the
key in quotation marks unless the quotation marks are part of the key. This key must match the encryption used on
the RADIUS daemon.
If you want to use multiple RADIUS servers, re-enter this command.
Example:
SwitchDevice(config)# radius-server host 125.5.5.43 auth-port 1812 key string

Step 4 end
Purpose: Returns to privileged EXEC mode.
Example:
SwitchDevice(config)# end

Related Topics
Switch-to-RADIUS-Server Communication, on page 1385

Configuring the Host Mode


Beginning in privileged EXEC mode, follow these steps to allow multiple hosts (clients) on an
IEEE 802.1x-authorized port that has the authentication port-control interface configuration command set
to auto. Use the multi-domain keyword to configure and enable multidomain authentication (MDA), which
allows both a host and a voice device, such as an IP phone (Cisco or non-Cisco), on the same switch port.
This procedure is optional.

SUMMARY STEPS
1. configure terminal
2. interface interface-id
3. authentication host-mode [multi-auth | multi-domain | multi-host | single-host]
4. end

DETAILED STEPS

Step 1 configure terminal
Purpose: Enters the global configuration mode.
Example:
SwitchDevice# configure terminal

Step 2 interface interface-id
Purpose: Specifies the port to which multiple hosts are indirectly attached, and enters interface configuration mode.
Example:
SwitchDevice(config)# interface gigabitethernet2/0/1

Step 3 authentication host-mode [multi-auth | multi-domain | multi-host | single-host]
Purpose: Allows multiple hosts (clients) on an 802.1x-authorized port. The keywords have these meanings:
• multi-auth–Allow one client on the voice VLAN and multiple authenticated clients on the data VLAN.
Note: The multi-auth keyword is only available with the authentication host-mode command.
• multi-host–Allow multiple hosts on an 802.1x-authorized port after a single host has been authenticated.
• multi-domain–Allow both a host and a voice device, such as an IP phone (Cisco or non-Cisco), to be
authenticated on an IEEE 802.1x-authorized port.
Note: You must configure the voice VLAN for the IP phone when the host mode is set to multi-domain.
Make sure that the authentication port-control interface configuration command is set to auto for the specified
interface.
Example:
SwitchDevice(config-if)# authentication host-mode multi-host

Step 4 end
Purpose: Returns to privileged EXEC mode.
Example:
SwitchDevice(config-if)# end

Configuring Periodic Re-Authentication


You can enable periodic 802.1x client re-authentication and specify how often it occurs. If you do not specify
a time period before enabling re-authentication, the number of seconds between attempts is 3600.
Beginning in privileged EXEC mode, follow these steps to enable periodic re-authentication of the client and
to configure the number of seconds between re-authentication attempts. This procedure is optional.

SUMMARY STEPS
1. configure terminal
2. interface interface-id
3. authentication periodic
4. authentication timer {{[inactivity | reauthenticate | restart]} {value}}
5. end


DETAILED STEPS

Step 1 configure terminal
Purpose: Enters the global configuration mode.
Example:
SwitchDevice# configure terminal

Step 2 interface interface-id
Purpose: Specifies the port to be configured, and enters interface configuration mode.
Example:
SwitchDevice(config)# interface gigabitethernet2/0/1

Step 3 authentication periodic
Purpose: Enables periodic re-authentication of the client, which is disabled by default.
Note: The default value is 3600 seconds. To change the value of the reauthentication timer or to have the switch
use a RADIUS-provided session timeout, enter the authentication timer reauthenticate command.
Example:
SwitchDevice(config-if)# authentication periodic

Step 4 authentication timer {{[inactivity | reauthenticate | restart]} {value}}
Purpose: Sets the number of seconds between re-authentication attempts.
The authentication timer keywords have these meanings:
• inactivity–Interval in seconds after which, if there is no activity from the client, it is unauthorized
• reauthenticate–Time in seconds after which an automatic re-authentication attempt is initiated
• restart value–Interval in seconds after which an attempt is made to authenticate an unauthorized port
This command affects the behavior of the switch only if periodic re-authentication is enabled.
Example:
SwitchDevice(config-if)# authentication timer reauthenticate 180

Step 5 end
Purpose: Returns to privileged EXEC mode.
Example:
SwitchDevice(config-if)# end

Changing the Quiet Period


When the switch cannot authenticate the client, the switch remains idle for a set period of time and then tries
again. The authentication timer restart interface configuration command controls the idle period. A failed
authentication of the client might occur because the client provided an invalid password. You can provide a
faster response time to the user by entering a number smaller than the default.
Beginning in privileged EXEC mode, follow these steps to change the quiet period. This procedure is optional.

SUMMARY STEPS
1. configure terminal
2. interface interface-id
3. authentication timer restart seconds
4. end
5. show authentication sessions interface interface-id
6. copy running-config startup-config

DETAILED STEPS

Step 1 configure terminal
Enters global configuration mode.
Example:
SwitchDevice# configure terminal

Step 2 interface interface-id
Specifies the port to be configured, and enters interface configuration mode.
Example:
SwitchDevice(config)# interface gigabitethernet2/0/1

Step 3 authentication timer restart seconds
Sets the number of seconds that the switch remains in the quiet state following a failed authentication exchange with the client.
The range is 1 to 65535 seconds; the default is 60.
Example:
SwitchDevice(config-if)# authentication timer restart 30

Step 4 end
Returns to privileged EXEC mode.
Example:
SwitchDevice(config-if)# end

Step 5 show authentication sessions interface interface-id
Verifies your entries.
Example:
SwitchDevice# show authentication sessions interface gigabitethernet2/0/1

Step 6 copy running-config startup-config
(Optional) Saves your entries in the configuration file.
Example:
SwitchDevice# copy running-config startup-config

Changing the Switch-to-Client Retransmission Time


The client responds to the EAP-request/identity frame from the switch with an EAP-response/identity frame.
If the switch does not receive this response, it waits a set period of time (known as the retransmission time)
and then resends the frame.

Note You should change the default value of this command only to adjust for unusual circumstances such as
unreliable links or specific behavioral problems with certain clients and authentication servers.

Beginning in privileged EXEC mode, follow these steps to change the amount of time that the switch waits
for client notification. This procedure is optional.

SUMMARY STEPS
1. configure terminal
2. interface interface-id
3. authentication timer reauthenticate seconds
4. end
5. show authentication sessions interface interface-id
6. copy running-config startup-config

DETAILED STEPS

Step 1 configure terminal
Enters global configuration mode.
Example:
SwitchDevice# configure terminal

Step 2 interface interface-id
Specifies the port to be configured, and enters interface configuration mode.
Example:
SwitchDevice(config)# interface gigabitethernet2/0/1

Step 3 authentication timer reauthenticate seconds
Sets the number of seconds that the switch waits for a response to an EAP-request/identity frame from the client before resending the request.
The range is 1 to 65535 seconds; the default is 5.
Example:
SwitchDevice(config-if)# authentication timer reauthenticate 60

Step 4 end
Returns to privileged EXEC mode.
Example:
SwitchDevice(config-if)# end

Step 5 show authentication sessions interface interface-id
Verifies your entries.
Example:
SwitchDevice# show authentication sessions interface gigabitethernet2/0/1

Step 6 copy running-config startup-config
(Optional) Saves your entries in the configuration file.
Example:
SwitchDevice# copy running-config startup-config

Setting the Switch-to-Client Frame-Retransmission Number


In addition to changing the switch-to-client retransmission time, you can change the number of times that the
switch sends an EAP-request/identity frame (assuming no response is received) to the client before restarting
the authentication process.

Note You should change the default value of this command only to adjust for unusual circumstances such as
unreliable links or specific behavioral problems with certain clients and authentication servers.

Beginning in privileged EXEC mode, follow these steps to set the switch-to-client frame-retransmission
number. This procedure is optional.

SUMMARY STEPS
1. configure terminal
2. interface interface-id
3. dot1x max-reauth-req count
4. end


DETAILED STEPS

Step 1 configure terminal
Enters global configuration mode.
Example:
SwitchDevice# configure terminal

Step 2 interface interface-id
Specifies the port to be configured, and enters interface configuration mode.
Example:
SwitchDevice(config)# interface gigabitethernet2/0/1

Step 3 dot1x max-reauth-req count
Sets the number of times that the switch sends an EAP-request/identity frame to the client before restarting the authentication process. The range is 1 to 10; the default is 2.
Example:
SwitchDevice(config-if)# dot1x max-reauth-req 5

Step 4 end
Returns to privileged EXEC mode.
Example:
SwitchDevice(config-if)# end

Setting the Re-Authentication Number


You can also change the number of times that the switch restarts the authentication process before the port
changes to the unauthorized state.

Note You should change the default value of this command only to adjust for unusual circumstances such as
unreliable links or specific behavioral problems with certain clients and authentication servers.

Beginning in privileged EXEC mode, follow these steps to set the re-authentication number. This procedure
is optional.

SUMMARY STEPS
1. configure terminal
2. interface interface-id
3. switchport mode access
4. dot1x max-req count
5. end


DETAILED STEPS

Step 1 configure terminal
Enters global configuration mode.
Example:
SwitchDevice# configure terminal

Step 2 interface interface-id
Specifies the port to be configured, and enters interface configuration mode.
Example:
SwitchDevice(config)# interface gigabitethernet2/0/1

Step 3 switchport mode access
Sets the port to access mode only if you previously configured the RADIUS server.
Example:
SwitchDevice(config-if)# switchport mode access

Step 4 dot1x max-req count
Sets the number of times that the switch restarts the authentication process before the port changes to the unauthorized state. The range is 0 to 10; the default is 2.
Example:
SwitchDevice(config-if)# dot1x max-req 4

Step 5 end
Returns to privileged EXEC mode.
Example:
SwitchDevice(config-if)# end
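The four procedures above tune per-port timers and counters whose effect is easy to misjudge across a large running-config: a re-authentication interval that never fires because authentication periodic was never entered, or a quiet period outside the documented range. The Python audit below is an added example written for this material; it is not Cisco code and is not part of the guide. It assumes only the standard indented running-config layout and the ranges and defaults stated in the steps above (3600 seconds for periodic re-authentication, restart 1 to 65535 with default 60, max-reauth-req 1 to 10 with default 2, max-req 0 to 10 with default 2). The sample running-config is constructed.

```python
import re
from typing import Dict, List, Optional, Tuple

# Per-port 802.1x timers and counters with the ranges and defaults this guide states:
# (minimum, maximum, default).
TIMER_SPEC: Dict[str, Tuple[int, int, int]] = {
    "authentication timer reauthenticate": (1, 65535, 3600),
    "authentication timer restart": (1, 65535, 60),
    "dot1x max-reauth-req": (1, 10, 2),
    "dot1x max-req": (0, 10, 2),
}

# Constructed sample running-config (not taken from a real switch). Port 2/0/1 follows the
# procedures above; port 2/0/2 has an out-of-range quiet period and never enables periodic
# re-authentication, so its reauthenticate timer is inert.
SAMPLE_RUNNING_CONFIG = """\
interface GigabitEthernet2/0/1
 switchport mode access
 authentication port-control auto
 authentication periodic
 authentication timer reauthenticate 180
 authentication timer restart 30
 dot1x max-reauth-req 5
 dot1x max-req 4
!
interface GigabitEthernet2/0/2
 switchport mode access
 authentication port-control auto
 authentication timer reauthenticate 180
 authentication timer restart 70000
 dot1x max-req 4
!
"""

INTERFACE_RE = re.compile(r"^interface (\S+)\s*$")


def parse_interface_blocks(running_config: str) -> Dict[str, List[str]]:
    """Split IOS running-config text into {interface name: [its indented config lines]}."""
    blocks: Dict[str, List[str]] = {}
    current: Optional[str] = None
    for raw in running_config.splitlines():
        match = INTERFACE_RE.match(raw)
        if match:
            current = match.group(1)
            blocks[current] = []
        elif current is not None and raw.startswith(" "):
            blocks[current].append(raw.strip())
        else:
            current = None  # "!" or any other unindented line ends the interface block
    return blocks


def audit_dot1x_timers(lines: List[str]) -> Dict[str, object]:
    """Return the effective value of each timer/counter on one port plus audit findings.

    An unconfigured value falls back to the default the guide gives. A configured value
    outside the documented range is reported, as is a reauthenticate timer that can never
    fire because `authentication periodic` is absent.
    """
    effective = {cmd: default for cmd, (_, _, default) in TIMER_SPEC.items()}
    findings: List[str] = []
    periodic = "authentication periodic" in lines
    for line in lines:
        for cmd, (low, high, _) in TIMER_SPEC.items():
            match = re.fullmatch(re.escape(cmd) + r" (\d+)", line)
            if match:
                value = int(match.group(1))
                effective[cmd] = value
                if not low <= value <= high:
                    findings.append(f"{cmd} {value}: outside documented range {low}-{high}")
    if not periodic:
        findings.append(
            "authentication periodic is not enabled: the reauthenticate timer has no effect"
        )
    return {"periodic": periodic, "effective": effective, "findings": findings}


def audit_running_config(running_config: str) -> Dict[str, Dict[str, object]]:
    """Audit every interface that has 802.1x enabled with authentication port-control auto."""
    return {
        name: audit_dot1x_timers(lines)
        for name, lines in parse_interface_blocks(running_config).items()
        if "authentication port-control auto" in lines
    }


if __name__ == "__main__":
    for name, result in audit_running_config(SAMPLE_RUNNING_CONFIG).items():
        print(name, result["effective"])
        for finding in result["findings"]:
            print("  finding:", finding)
```

Run it against the output of show running-config saved to a file; a port whose findings list is empty matches the documented ranges, and the effective dictionary shows the values the switch will actually use, including the defaults for anything not configured.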

Enabling MAC Move


MAC move allows an authenticated host to move from one port on the switch to another.
Beginning in privileged EXEC mode, follow these steps to globally enable MAC move on the switch. This
procedure is optional.

SUMMARY STEPS
1. configure terminal
2. authentication mac-move permit
3. end
4. show running-config
5. copy running-config startup-config


DETAILED STEPS

Step 1 configure terminal
Enters global configuration mode.
Example:
SwitchDevice# configure terminal

Step 2 authentication mac-move permit
Enables MAC move on the switch. The default is deny.
In Session Aware Networking mode, the default CLI is access-session mac-move deny. To enable MAC move in Session Aware Networking, use the no access-session mac-move global configuration command.
Example:
SwitchDevice(config)# authentication mac-move permit

Step 3 end
Returns to privileged EXEC mode.
Example:
SwitchDevice(config)# end

Step 4 show running-config
Verifies your entries.
Example:
SwitchDevice# show running-config

Step 5 copy running-config startup-config
(Optional) Saves your entries in the configuration file.
Example:
SwitchDevice# copy running-config startup-config

Enabling MAC Replace


MAC replace allows a host to replace an authenticated host on a port.
Beginning in privileged EXEC mode, follow these steps to enable MAC replace on an interface. This procedure
is optional.

SUMMARY STEPS
1. configure terminal
2. interface interface-id
3. authentication violation {protect | replace | restrict | shutdown}
4. end
5. show running-config
6. copy running-config startup-config


DETAILED STEPS

Step 1 configure terminal
Enters global configuration mode.
Example:
SwitchDevice# configure terminal

Step 2 interface interface-id
Specifies the port to be configured, and enters interface configuration mode.
Example:
SwitchDevice(config)# interface gigabitethernet2/0/2

Step 3 authentication violation {protect | replace | restrict | shutdown}
Use the replace keyword to enable MAC replace on the interface. The port removes the current session and initiates authentication with the new host.
The other keywords have these effects:
• protect: the port drops packets with unexpected MAC addresses without generating a system message.
• restrict: violating packets are dropped by the CPU and a system message is generated.
• shutdown: the port is error disabled when it receives an unexpected MAC address.
Example:
SwitchDevice(config-if)# authentication violation replace

Step 4 end
Returns to privileged EXEC mode.
Example:
SwitchDevice(config-if)# end

Step 5 show running-config
Verifies your entries.
Example:
SwitchDevice# show running-config

Step 6 copy running-config startup-config
(Optional) Saves your entries in the configuration file.
Example:
SwitchDevice# copy running-config startup-config
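The difference between the four authentication violation keywords is clearest when the same sequence of frames is replayed against each mode. The simulation below is an added example, not Cisco code and not the switch's actual implementation: it models a single-host port with the per-mode behaviour the Step 3 text describes (silent drop, drop plus system message, error-disable, or session replacement) and reports what happens to each frame. Host ownership of the session is simplified to "first frame starts authentication and owns the session"; the MAC addresses and the trace are constructed.

```python
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

VIOLATION_MODES = ("protect", "restrict", "replace", "shutdown")


@dataclass
class Port:
    """Minimal model of a single-host 802.1x port (constructed for illustration)."""
    violation_mode: str
    session_mac: Optional[str] = None   # MAC of the host that currently holds the session
    err_disabled: bool = False
    dropped: int = 0
    syslog: List[str] = field(default_factory=list)
    auth_starts: List[str] = field(default_factory=list)  # MACs for which authentication began


def handle_frame(port: Port, src_mac: str) -> str:
    """Apply the violation-mode behaviour described above to one frame; return the action taken."""
    if port.err_disabled:
        port.dropped += 1
        return "dropped: port err-disabled"
    if port.session_mac is None:
        # First host on the port: it starts authentication and, in this simplified model,
        # immediately owns the session.
        port.session_mac = src_mac
        port.auth_starts.append(src_mac)
        return "authentication started"
    if src_mac == port.session_mac:
        return "forwarded"

    # A frame from an unexpected MAC while another host holds the session.
    mode = port.violation_mode
    if mode == "protect":
        port.dropped += 1
        return "dropped silently"
    if mode == "restrict":
        port.dropped += 1
        port.syslog.append(f"security violation: unexpected source {src_mac}")
        return "dropped and logged"
    if mode == "shutdown":
        port.dropped += 1
        port.err_disabled = True
        return "port err-disabled"
    if mode == "replace":
        port.session_mac = src_mac
        port.auth_starts.append(src_mac)
        return "session replaced: authentication started for new host"
    raise ValueError(f"unknown violation mode {mode!r}")


def run_trace(violation_mode: str, frames: List[str]) -> Tuple[List[str], Port]:
    """Feed a sequence of source MACs to a fresh port; return the actions and the final state."""
    if violation_mode not in VIOLATION_MODES:
        raise ValueError(f"violation mode must be one of {VIOLATION_MODES}")
    port = Port(violation_mode=violation_mode)
    return [handle_frame(port, mac) for mac in frames], port


# Constructed trace: host A authenticates, host B appears on the same port, then A sends again.
SAMPLE_FRAMES = ["0011.2233.4455", "0011.2233.4455", "66aa.bbcc.ddee", "0011.2233.4455"]

if __name__ == "__main__":
    for mode in VIOLATION_MODES:
        actions, port = run_trace(mode, SAMPLE_FRAMES)
        print(f"{mode:9s}", actions, "syslog:", port.syslog)
```

The replace trace is the one to study: every new MAC tears down the session of the host that was authorized a moment earlier, so the first host loses connectivity until it re-authenticates. restrict is the mode that gives you a system message to alert on without taking the port down; shutdown stops all traffic on the port until it is recovered from the error-disabled state.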


Configuring 802.1x Accounting


Enabling AAA system accounting with 802.1x accounting allows system reload events to be sent to the
accounting RADIUS server for logging. The server can then infer that all active 802.1x sessions are closed.
Because RADIUS uses the unreliable UDP transport protocol, accounting messages might be lost due to poor
network conditions. If the switch does not receive the accounting response message from the RADIUS server
after a configurable number of retransmissions of an accounting request, this system message appears:

Accounting message %s for session %s failed to receive Accounting Response.

When the stop message is not sent successfully, this message appears:

00:09:55: %RADIUS-4-RADIUS_DEAD: RADIUS server 172.20.246.201:1645,1646 is not responding.

Note You must configure the RADIUS server to perform accounting tasks, such as logging start, stop, and
interim-update messages and time stamps. To turn on these functions, enable logging of “Update/Watchdog
packets from this AAA client” in your RADIUS server Network Configuration tab. Next, enable “CVS
RADIUS Accounting” in your RADIUS server System Configuration tab.

Beginning in privileged EXEC mode, follow these steps to configure 802.1x accounting after AAA is enabled
on your switch. This procedure is optional.

SUMMARY STEPS
1. configure terminal
2. interface interface-id
3. aaa accounting dot1x default start-stop group radius
4. aaa accounting system default start-stop group radius
5. end
6. show running-config
7. copy running-config startup-config

DETAILED STEPS

Step 1 configure terminal
Enters global configuration mode.
Example:
SwitchDevice# configure terminal

Step 2 interface interface-id
Specifies the port to be configured, and enters interface configuration mode.
Example:
SwitchDevice(config)# interface gigabitethernet1/0/3

Step 3 aaa accounting dot1x default start-stop group radius
Enables 802.1x accounting using the list of all RADIUS servers.
Example:
SwitchDevice(config-if)# aaa accounting dot1x default start-stop group radius

Step 4 aaa accounting system default start-stop group radius
(Optional) Enables system accounting (using the list of all RADIUS servers) and generates system accounting reload event messages when the switch reloads.
Example:
SwitchDevice(config-if)# aaa accounting system default start-stop group radius

Step 5 end
Returns to privileged EXEC mode.
Example:
SwitchDevice(config-if)# end

Step 6 show running-config
Verifies your entries.
Example:
SwitchDevice# show running-config

Step 7 copy running-config startup-config
(Optional) Saves your entries in the configuration file.
Example:
SwitchDevice# copy running-config startup-config
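Because RADIUS accounting rides on UDP, the two system messages quoted at the start of this section are the only signal the switch gives that accounting records were lost, and a lost Stop record leaves the accounting server believing the session is still open. The detection logic below is an added example, not Cisco code: it parses those two message formats from syslog text, attributes each accounting failure to the server most recently marked dead (a 60-second correlation window is an assumption of the example), and lists the sessions whose Stop record never got an Accounting Response. The log lines, server address, session identifiers and the Stop/Interim-Update record names are constructed.

```python
import re
from datetime import datetime, timedelta
from typing import Dict, List, Optional, Tuple

# Constructed sample log lines modelled on the two messages quoted above. The timestamps,
# server address, session IDs and the "Stop"/"Interim-Update" record types are made up.
SAMPLE_LOG = """\
Mar 11 00:09:55.120: %RADIUS-4-RADIUS_DEAD: RADIUS server 172.20.246.201:1645,1646 is not responding.
Mar 11 00:09:55.130: Accounting message Stop for session 0A0A0A0100000012002A4F0A failed to receive Accounting Response.
Mar 11 00:09:58.004: Accounting message Interim-Update for session 0A0A0A0100000015002B1C3E failed to receive Accounting Response.
Mar 11 00:15:02.500: Accounting message Stop for session 0A0A0A0100000018002C9911 failed to receive Accounting Response.
"""

TS_RE = re.compile(r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d)(?:\.\d+)?:")
DEAD_RE = re.compile(
    r"%RADIUS-4-RADIUS_DEAD: RADIUS server (?P<server>\d+\.\d+\.\d+\.\d+):(?P<auth>\d+),(?P<acct>\d+) is not responding"
)
ACCT_FAIL_RE = re.compile(
    r"Accounting message (?P<kind>\S+) for session (?P<session>\S+) failed to receive Accounting Response"
)

# Assumption of this example: an accounting failure within 60 s after a RADIUS_DEAD message
# is attributed to that server.
CORRELATION_WINDOW = timedelta(seconds=60)


def parse_timestamp(line: str) -> Optional[datetime]:
    """Parse the IOS-style 'Mon DD HH:MM:SS' prefix; the year is absent from the log, so 1900 is used."""
    match = TS_RE.match(line)
    return datetime.strptime(match.group("ts"), "%b %d %H:%M:%S") if match else None


def analyze_radius_log(log_text: str) -> Dict[str, object]:
    """Correlate RADIUS_DEAD events with accounting failures.

    Returns the servers that were marked dead, every accounting failure with the server it
    is attributed to, and the sessions whose Stop record was lost (the accounting server
    still considers them open).
    """
    dead_events: List[Tuple[datetime, str]] = []
    failures: List[Dict[str, object]] = []
    for line in log_text.splitlines():
        ts = parse_timestamp(line)
        if ts is None:
            continue
        dead = DEAD_RE.search(line)
        if dead:
            dead_events.append((ts, f"{dead['server']}:{dead['auth']},{dead['acct']}"))
            continue
        fail = ACCT_FAIL_RE.search(line)
        if fail:
            recent = [srv for t, srv in dead_events if timedelta(0) <= ts - t <= CORRELATION_WINDOW]
            failures.append({
                "time": ts,
                "kind": fail["kind"],
                "session": fail["session"],
                "suspect_server": recent[-1] if recent else None,
            })
    unclosed = sorted(f["session"] for f in failures if str(f["kind"]).lower() == "stop")
    return {
        "dead_servers": sorted({srv for _, srv in dead_events}),
        "failures": failures,
        "unclosed_sessions": unclosed,
    }


if __name__ == "__main__":
    report = analyze_radius_log(SAMPLE_LOG)
    print("servers marked dead:", report["dead_servers"])
    for failure in report["failures"]:
        print(f"  {failure['time'].time()} {failure['kind']:14s} session {failure['session']} "
              f"server={failure['suspect_server']}")
    print("sessions with a lost Stop record:", report["unclosed_sessions"])
```

The third failure in the sample falls outside the window and is reported with no suspect server, which is the case worth a closer look: accounting loss with no dead-server event points at a path or rate problem rather than a server outage. The unclosed_sessions list is what to reconcile against the accounting server's open sessions.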

Configuring a Guest VLAN


When you configure a guest VLAN, clients that are not 802.1x-capable are put into the guest VLAN when
the server does not receive a response to its EAP request/identity frame. Clients that are 802.1x-capable but
that fail authentication are not granted network access. The switch supports guest VLANs in single-host or
multiple-hosts mode.
Beginning in privileged EXEC mode, follow these steps to configure a guest VLAN. This procedure is optional.

SUMMARY STEPS
1. configure terminal
2. interface interface-id
3. Use one of the following:
• switchport mode access
• switchport mode private-vlan host
4. authentication event no-response action authorize vlan vlan-id
5. end

DETAILED STEPS

Step 1 configure terminal
Enters global configuration mode.
Example:
SwitchDevice# configure terminal

Step 2 interface interface-id
Specifies the port to be configured, and enters interface configuration mode.
Example:
SwitchDevice(config)# interface gigabitethernet2/0/2

Step 3 Use one of the following:
• switchport mode access—Sets the port to access mode.
• switchport mode private-vlan host—Configures the Layer 2 port as a private-VLAN host port.
Example:
SwitchDevice(config-if)# switchport mode private-vlan host

Step 4 authentication event no-response action authorize vlan vlan-id
Specifies an active VLAN as an 802.1x guest VLAN. The range is 1 to 4094.
You can configure any active VLAN except an internal VLAN (routed port), an RSPAN VLAN or a voice VLAN as an 802.1x guest VLAN.
Example:
SwitchDevice(config-if)# authentication event no-response action authorize vlan 2

Step 5 end
Returns to privileged EXEC mode.
Example:
SwitchDevice(config-if)# end


Configuring a Restricted VLAN


When you configure a restricted VLAN on a switch stack or a switch, clients that are IEEE 802.1x-compliant
are moved into the restricted VLAN when the authentication server does not receive a valid username and
password. The switch supports restricted VLANs only in single-host mode.
Beginning in privileged EXEC mode, follow these steps to configure a restricted VLAN. This procedure is
optional.

SUMMARY STEPS
1. configure terminal
2. interface interface-id
3. Use one of the following:
• switchport mode access
• switchport mode private-vlan host
4. authentication port-control auto
5. authentication event fail action authorize vlan vlan-id
6. end

DETAILED STEPS

Step 1 configure terminal
Enters global configuration mode.
Example:
SwitchDevice# configure terminal

Step 2 interface interface-id
Specifies the port to be configured, and enters interface configuration mode.
Example:
SwitchDevice(config)# interface gigabitethernet2/0/2

Step 3 Use one of the following:
• switchport mode access—Sets the port to access mode.
• switchport mode private-vlan host—Configures the Layer 2 port as a private-VLAN host port.
Example:
SwitchDevice(config-if)# switchport mode access

Step 4 authentication port-control auto
Enables 802.1x authentication on the port.
Example:
SwitchDevice(config-if)# authentication port-control auto

Step 5 authentication event fail action authorize vlan vlan-id
Specifies an active VLAN as an 802.1x restricted VLAN. The range is 1 to 4094.
You can configure any active VLAN except an internal VLAN (routed port), an RSPAN VLAN or a voice VLAN as an 802.1x restricted VLAN.
Example:
SwitchDevice(config-if)# authentication event fail action authorize vlan 2

Step 6 end
Returns to privileged EXEC mode.
Example:
SwitchDevice(config-if)# end

Configuring Number of Authentication Attempts on a Restricted VLAN


You can configure the maximum number of authentication attempts allowed before a user is assigned to the
restricted VLAN by using the authentication event retry retry count interface configuration command. The
range of allowable authentication attempts is 1 to 3. The default is 3 attempts.
Beginning in privileged EXEC mode, follow these steps to configure the maximum number of allowed
authentication attempts. This procedure is optional.

SUMMARY STEPS
1. configure terminal
2. interface interface-id
3. Use one of the following:
• switchport mode access
• switchport mode private-vlan host
4. authentication port-control auto
5. authentication event fail action authorize vlan vlan-id
6. authentication event retry retry count
7. end

DETAILED STEPS

Step 1 configure terminal
Enters global configuration mode.
Example:
SwitchDevice# configure terminal

Step 2 interface interface-id
Specifies the port to be configured, and enters interface configuration mode.
Example:
SwitchDevice(config)# interface gigabitethernet2/0/3

Step 3 Use one of the following:
• switchport mode access—Sets the port to access mode.
• switchport mode private-vlan host—Configures the Layer 2 port as a private-VLAN host port.
Example:
SwitchDevice(config-if)# switchport mode access

Step 4 authentication port-control auto
Enables 802.1x authentication on the port.
Example:
SwitchDevice(config-if)# authentication port-control auto

Step 5 authentication event fail action authorize vlan vlan-id
Specifies an active VLAN as an 802.1x restricted VLAN. The range is 1 to 4094.
You can configure any active VLAN except an internal VLAN (routed port), an RSPAN VLAN or a voice VLAN as an 802.1x restricted VLAN.
Example:
SwitchDevice(config-if)# authentication event fail action authorize vlan 8

Step 6 authentication event retry retry count
Specifies a number of authentication attempts to allow before a port moves to the restricted VLAN. The range is 1 to 3, and the default is 3.
Example:
SwitchDevice(config-if)# authentication event retry 2

Step 7 end
Returns to privileged EXEC mode.
Example:
SwitchDevice(config-if)# end
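The guest VLAN, restricted VLAN and retry-count procedures above share a set of constraints that the CLI does not always enforce for you at configuration time: the fallback VLAN must be active, must not be the port's voice VLAN, an RSPAN VLAN or an internal VLAN, the restricted VLAN is supported only in single-host mode, and the retry count must be 1 to 3. The Python check below is an added example that audits an interface's configuration lines against exactly those rules; it is not Cisco code. It assumes the interface lines are already isolated (the indented lines under an interface entry), that the host mode is expressed with the authentication host-mode command and defaults to single-host when absent (an IOS default not stated on this page), and that the sets of active, RSPAN and internal VLANs are supplied by the caller. The two sample interfaces are constructed.

```python
import re
from typing import Iterable, List, Optional

# Constructed interface blocks (the lines found under `interface ...` in a running-config).
GOOD_PORT = [
    "switchport mode access",
    "switchport voice vlan 20",
    "authentication port-control auto",
    "authentication event no-response action authorize vlan 2",
    "authentication event fail action authorize vlan 8",
    "authentication event retry 2",
]
BAD_PORT = [
    "switchport mode access",
    "switchport voice vlan 8",
    "authentication host-mode multi-auth",
    "authentication event no-response action authorize vlan 2",
    "authentication event fail action authorize vlan 8",
    "authentication event retry 5",
]
ACTIVE_VLANS = {1, 2, 8, 20}   # constructed: what `show vlan` would list as active


def number_after(lines: List[str], prefix: str) -> Optional[int]:
    """Return the integer that follows `prefix` on an interface config line, if present."""
    pattern = re.compile(re.escape(prefix) + r" (\d+)$")
    for line in lines:
        match = pattern.match(line.strip())
        if match:
            return int(match.group(1))
    return None


def host_mode_of(lines: List[str]) -> str:
    """Host mode from `authentication host-mode`; single-host when absent (assumed IOS default)."""
    for line in lines:
        match = re.fullmatch(r"authentication host-mode (\S+)", line.strip())
        if match:
            return match.group(1)
    return "single-host"


def audit_fallback_vlans(lines: List[str], active_vlans: Iterable[int],
                         rspan_vlans: Iterable[int] = (), internal_vlans: Iterable[int] = ()) -> List[str]:
    """Check the guest and restricted VLAN settings of one port against the guide's rules."""
    active, rspan, internal = set(active_vlans), set(rspan_vlans), set(internal_vlans)
    findings: List[str] = []
    voice_vlan = number_after(lines, "switchport voice vlan")
    host_mode = host_mode_of(lines)
    roles = {
        "guest": number_after(lines, "authentication event no-response action authorize vlan"),
        "restricted": number_after(lines, "authentication event fail action authorize vlan"),
    }
    for role, vid in roles.items():
        if vid is None:
            continue
        if not 1 <= vid <= 4094:
            findings.append(f"{role} VLAN {vid}: outside the 1-4094 range")
        elif vid not in active:
            findings.append(f"{role} VLAN {vid}: not an active VLAN")
        if vid == voice_vlan:
            findings.append(f"{role} VLAN {vid}: is the port's voice VLAN")
        if vid in rspan:
            findings.append(f"{role} VLAN {vid}: is an RSPAN VLAN")
        if vid in internal:
            findings.append(f"{role} VLAN {vid}: is an internal VLAN (routed port)")
    if roles["restricted"] is not None and host_mode != "single-host":
        findings.append(f"restricted VLAN with host-mode {host_mode}: supported only in single-host mode")
    if roles["guest"] is not None and host_mode not in ("single-host", "multi-host"):
        findings.append(f"guest VLAN with host-mode {host_mode}: supported only in single-host or multi-host mode")
    if roles["restricted"] is not None and "authentication port-control auto" not in lines:
        findings.append("restricted VLAN configured but authentication port-control auto is missing")
    retry = number_after(lines, "authentication event retry")
    if retry is not None and not 1 <= retry <= 3:
        findings.append(f"authentication event retry {retry}: outside the 1-3 range")
    return findings


if __name__ == "__main__":
    for label, port in (("good", GOOD_PORT), ("bad", BAD_PORT)):
        print(label, audit_fallback_vlans(port, ACTIVE_VLANS) or ["no findings"])
```

A restricted VLAN that coincides with the voice VLAN, as on the second sample port, would put failed-authentication data hosts on the voice segment, which is why the guide excludes it; the audit surfaces that before the change is committed.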


Configuring 802.1x Inaccessible Authentication Bypass with Critical Voice VLAN

Beginning in privileged EXEC mode, follow these steps to configure critical voice VLAN on a port and enable
the inaccessible authentication bypass feature.

SUMMARY STEPS
1. configure terminal
2. aaa new-model
3. radius-server dead-criteria {time seconds} [tries number]
4. radius-server deadtime minutes
5. radius-server host ip-address address [acct-port udp-port] [auth-port udp-port] [test username name [idle-time time] [ignore-acct-port] [ignore-auth-port]] [key string]
6. dot1x critical {eapol | recovery delay milliseconds}
7. interface interface-id
8. authentication event server dead action {authorize | reinitialize} [vlan vlan-id]
9. switchport voice vlan vlan-id
10. authentication event server dead action authorize voice
11. show authentication interface interface-id
12. copy running-config startup-config

DETAILED STEPS

Step 1 configure terminal
Enters global configuration mode.
Example:
SwitchDevice# configure terminal

Step 2 aaa new-model
Enables AAA.
Example:
SwitchDevice(config)# aaa new-model

Step 3 radius-server dead-criteria {time seconds} [tries number]
Sets the conditions that determine when a RADIUS server is considered unavailable or down (dead).
• time—1 to 120 seconds. The switch dynamically determines a default seconds value between 10 and 60.
• number—1 to 100 tries. The switch dynamically determines a default tries number between 10 and 100.
Example:
SwitchDevice(config)# radius-server dead-criteria time 20 tries 10

Step 4 radius-server deadtime minutes
(Optional) Sets the number of minutes during which a RADIUS server is not sent requests. The range is from 0 to 1440 minutes (24 hours). The default is 0 minutes.
Example:
SwitchDevice(config)# radius-server deadtime 60

Step 5 radius-server host ip-address address [acct-port udp-port] [auth-port udp-port] [test username name [idle-time time] [ignore-acct-port] [ignore-auth-port]] [key string]
(Optional) Configures the RADIUS server parameters by using these keywords:
• acct-port udp-port—Specify the UDP port for the RADIUS accounting server. The range for the UDP port number is from 0 to 65536. The default is 1646.
• auth-port udp-port—Specify the UDP port for the RADIUS authentication server. The range for the UDP port number is from 0 to 65536. The default is 1645.
Note You should configure the UDP port for the RADIUS accounting server and the UDP port for the RADIUS authentication server to nondefault values.
• test username name—Enable automated testing of the RADIUS server status, and specify the username to be used.
• idle-time time—Set the interval of time in minutes after which the switch sends test packets to the server. The range is from 1 to 35791 minutes. The default is 60 minutes (1 hour).
• ignore-acct-port—Disable testing on the RADIUS-server accounting port.
• ignore-auth-port—Disable testing on the RADIUS-server authentication port.
• key string—Specify the authentication and encryption key used between the switch and the RADIUS daemon running on the RADIUS server. The key is a text string that must match the encryption key used on the RADIUS server.
Note Always configure the key as the last item in the radius-server host command syntax because leading spaces are ignored, but spaces within and at the end of the key are used. If you use spaces in the key, do not enclose the key in quotation marks unless the quotation marks are part of the key. This key must match the encryption used on the RADIUS daemon.
You can also configure the authentication and encryption key by using the radius-server key {0 string | 7 string | string} global configuration command.
Example:
SwitchDevice(config)# radius-server host 1.1.1.2 acct-port 1550 auth-port 1560 test username user1 idle-time 30 key abc1234

Step 6 dot1x critical {eapol | recovery delay milliseconds}
(Optional) Configures the parameters for inaccessible authentication bypass:
• eapol—Specify that the switch sends an EAPOL-Success message when the switch successfully authenticates the critical port.
• recovery delay milliseconds—Set the recovery delay period during which the switch waits to re-initialize a critical port when a RADIUS server that was unavailable becomes available. The range is from 1 to 10000 milliseconds. The default is 1000 milliseconds (a port can be re-initialized every second).
Example:
SwitchDevice(config)# dot1x critical eapol
SwitchDevice(config)# dot1x critical recovery delay 2000

Step 7 interface interface-id
Specifies the port to be configured, and enters interface configuration mode.
Example:
SwitchDevice(config)# interface gigabitethernet 1/0/1

Step 8 authentication event server dead action {authorize | reinitialize} [vlan vlan-id]
Use these keywords to move hosts on the port if the RADIUS server is unreachable:
• authorize—Move any new hosts trying to authenticate to the user-specified critical VLAN.
• reinitialize—Move all authorized hosts on the port to the user-specified critical VLAN.
Example:
SwitchDevice(config-if)# authentication event server dead action reinitialize vlan 20

Step 9 switchport voice vlan vlan-id
Specifies the voice VLAN for the port. The voice VLAN cannot be the same as the critical data VLAN configured in Step 6.
Example:
SwitchDevice(config-if)# switchport voice vlan

Step 10 authentication event server dead action authorize voice
Configures critical voice VLAN to move data traffic on the port to the voice VLAN if the RADIUS server is unreachable.
Example:
SwitchDevice(config-if)# authentication event server dead action authorize voice

Step 11 show authentication interface interface-id
(Optional) Verifies your entries.
Example:
SwitchDevice(config-if)# do show authentication interface gigabit 1/0/1

Step 12 copy running-config startup-config
(Optional) Saves your entries in the configuration file.
Example:
SwitchDevice(config-if)# do copy running-config startup-config

Example
To return to the RADIUS server default settings, use the no radius-server dead-criteria, the no
radius-server deadtime, and the no radius-server host global configuration commands. To disable
inaccessible authentication bypass, use the no authentication event server dead action interface
configuration command. To disable critical voice VLAN, use the no authentication event server
dead action authorize voice interface configuration command.

Example of Configuring Inaccessible Authentication Bypass


This example shows how to configure the inaccessible authentication bypass feature:

SwitchDevice(config)# radius-server dead-criteria time 30 tries 20
SwitchDevice(config)# radius-server deadtime 60
SwitchDevice(config)# radius-server host 1.1.1.2 acct-port 1550 auth-port 1560 test username user1 idle-time 30 key abc1234
SwitchDevice(config)# dot1x critical eapol
SwitchDevice(config)# dot1x critical recovery delay 2000
SwitchDevice(config)# interface gigabitethernet 1/0/1
SwitchDevice(config-if)# dot1x critical
SwitchDevice(config-if)# dot1x critical recovery action reinitialize
SwitchDevice(config-if)# dot1x critical vlan 20
SwitchDevice(config-if)# end
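What the dead-criteria, deadtime and server-dead action settings above do together is easier to see on a timeline than in the individual command descriptions. The simulation below is an added example, not Cisco code and not the switch's implementation: it models a RADIUS server as dead once both dead-criteria conditions hold (at least time seconds since the first unanswered request of the current run, and at least tries consecutive unanswered requests), keeps it dead for deadtime minutes, and applies the authorize action of Step 8 to new hosts arriving while the server is dead. The recovery delay of Step 6 is not modelled. The timeline is constructed, and tries is set to 3 rather than the 10 or 20 of the examples above only to keep the trace short.

```python
from dataclasses import dataclass, field
from typing import List, Optional, Tuple


@dataclass
class RadiusServerMonitor:
    """Model of the dead-server logic configured above (constructed simplification).

    The server is marked dead when both dead-criteria conditions hold: at least
    `dead_time_s` seconds have passed since the first unanswered request of the current
    failure run and at least `dead_tries` consecutive requests went unanswered. While dead,
    the switch sends it nothing for `deadtime_min` minutes.
    """
    dead_time_s: int      # radius-server dead-criteria time
    dead_tries: int       # radius-server dead-criteria tries
    deadtime_min: int     # radius-server deadtime
    consecutive_timeouts: int = 0
    first_timeout_at: Optional[float] = None
    dead_until: Optional[float] = None
    transitions: List[Tuple[float, str]] = field(default_factory=list)

    def is_dead(self, now: float) -> bool:
        return self.dead_until is not None and now < self.dead_until

    def on_timeout(self, now: float) -> None:
        """A request to the server timed out at time `now` (seconds)."""
        if self.first_timeout_at is None:
            self.first_timeout_at = now
        self.consecutive_timeouts += 1
        met_tries = self.consecutive_timeouts >= self.dead_tries
        met_time = now - self.first_timeout_at >= self.dead_time_s
        if met_tries and met_time and not self.is_dead(now):
            self.dead_until = now + self.deadtime_min * 60
            self.transitions.append((now, "dead"))

    def on_response(self, now: float) -> None:
        """The server answered: clear the failure run and mark it alive if it was dead."""
        self.consecutive_timeouts = 0
        self.first_timeout_at = None
        if self.dead_until is not None:
            self.dead_until = None
            self.transitions.append((now, "alive"))


def simulate(monitor: RadiusServerMonitor, critical_vlan: int,
             events: List[Tuple[float, str]]) -> List[Tuple[float, str]]:
    """Replay (time, kind) events; kind is 'timeout', 'response' or 'new_host'.

    A new host arriving while the server is dead is authorized into the critical VLAN
    (the `authorize` action of Step 8); otherwise it is sent to RADIUS authentication.
    """
    decisions: List[Tuple[float, str]] = []
    for t, kind in events:
        if kind == "new_host":
            if monitor.is_dead(t):
                decisions.append((t, f"authorized into critical VLAN {critical_vlan}"))
            else:
                decisions.append((t, "sent to RADIUS authentication"))
        elif kind == "timeout":
            monitor.on_timeout(t)
        elif kind == "response":
            monitor.on_response(t)
        else:
            raise ValueError(f"unknown event kind {kind!r}")
    return decisions


# Constructed timeline for dead-criteria time 20 tries 3, deadtime 1 minute, critical VLAN 20.
SAMPLE_EVENTS: List[Tuple[float, str]] = [
    (0, "new_host"), (0, "timeout"), (5, "timeout"), (10, "timeout"),
    (25, "timeout"), (30, "new_host"), (90, "new_host"), (95, "response"),
]


def run_sample() -> Tuple[List[Tuple[float, str]], List[Tuple[float, str]]]:
    """Run the constructed timeline; return the per-host decisions and the server transitions."""
    monitor = RadiusServerMonitor(dead_time_s=20, dead_tries=3, deadtime_min=1)
    decisions = simulate(monitor, 20, SAMPLE_EVENTS)
    return decisions, monitor.transitions


if __name__ == "__main__":
    decisions, transitions = run_sample()
    print("server transitions:", transitions)
    for t, decision in decisions:
        print(f"t={t:>3}s host {decision}")
```

Note that at t=10 three requests have already failed but only 10 seconds have elapsed, so the server is not yet dead and the port keeps trying RADIUS; with the guide's default deadtime of 0 the dead state would also expire immediately, which is why the sample sets one minute. The host arriving at t=90, after deadtime has run out, is sent back to RADIUS even though no response has been seen yet.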

Configuring 802.1x Authentication with WoL


Beginning in privileged EXEC mode, follow these steps to enable 802.1x authentication with WoL. This
procedure is optional.

SUMMARY STEPS
1. configure terminal
2. interface interface-id
3. authentication control-direction {both | in}
4. end
5. show authentication sessions interface interface-id
6. copy running-config startup-config


DETAILED STEPS

Step 1 configure terminal
Enters global configuration mode.
Example:
SwitchDevice# configure terminal

Step 2 interface interface-id
Specifies the port to be configured, and enters interface configuration mode.
Example:
SwitchDevice(config)# interface gigabitethernet2/0/3

Step 3 authentication control-direction {both | in}
Enables 802.1x authentication with WoL on the port, and use these keywords to configure the port as bidirectional or unidirectional.
• both—Sets the port as bidirectional. The port cannot receive packets from or send packets to the host. By default, the port is bidirectional.
• in—Sets the port as unidirectional. The port can send packets to the host but cannot receive packets from the host.
Example:
SwitchDevice(config-if)# authentication control-direction both

Step 4 end
Returns to privileged EXEC mode.
Example:
SwitchDevice(config-if)# end

Step 5 show authentication sessions interface interface-id
Verifies your entries.
Example:
SwitchDevice# show authentication sessions interface gigabitethernet2/0/3

Step 6 copy running-config startup-config
(Optional) Saves your entries in the configuration file.
Example:
SwitchDevice# copy running-config startup-config


Configuring MAC Authentication Bypass


Beginning in privileged EXEC mode, follow these steps to enable MAC authentication bypass. This procedure
is optional.

SUMMARY STEPS
1. configure terminal
2. interface interface-id
3. authentication port-control auto
4. mab [eap]
5. end

DETAILED STEPS

Step 1 configure terminal
Enters global configuration mode.
Example:
SwitchDevice# configure terminal

Step 2 interface interface-id
Specifies the port to be configured, and enters interface configuration mode.
Example:
SwitchDevice(config)# interface gigabitethernet2/0/1

Step 3 authentication port-control auto
Enables 802.1x authentication on the port.
Example:
SwitchDevice(config-if)# authentication port-control auto

Step 4 mab [eap]
Enables MAC authentication bypass.
(Optional) Use the eap keyword to configure the switch to use EAP for authorization.
Example:
SwitchDevice(config-if)# mab

Step 5 end
Returns to privileged EXEC mode.
Example:
SwitchDevice(config-if)# end


Formatting a MAC Authentication Bypass Username and Password


Use the optional mab request format command to format the MAB username and password in a style accepted
by the authentication server. The username and password are usually the MAC address of the client. Some
authentication server configurations require the password to be different from the username.
Beginning in privileged EXEC mode, follow these steps to format MAC authentication bypass username and
passwords.

SUMMARY STEPS
1. configure terminal
2. mab request format attribute 1 groupsize {1 | 2 | 4 |12} [separator {- | : | .} {lowercase | uppercase}]
3. mab request format attribute2 {0 | 7} text
4. end

DETAILED STEPS

Command or Action Purpose


Step 1 configure terminal Enters the global configuration mode.
Example:

SwitchDevice# configure terminal

Step 2 mab request format attribute 1 groupsize {1 | 2 | 4 | 12} [separator {- | : | .} {lowercase | uppercase}]
Specifies the format of the MAC address in the User-Name attribute of MAB-generated Access-Request packets.
• 1—Sets the username format of the 12 hex digits of the MAC address.
• groupsize—The number of hex nibbles to concatenate before insertion of a separator. A valid groupsize must be
either 1, 2, 4, or 12.
• separator—The character that separates the hex nibbles according to group size. A valid separator must be either a
hyphen, colon, or period. No separator is used for a group size of 12.
• {lowercase | uppercase}—Specifies if nonnumeric hex nibbles should be in lowercase or uppercase.

Example:

SwitchDevice(config)# mab request format attribute 1 groupsize 12

Step 3 mab request format attribute 2 {0 | 7} text
• 2—Specifies a custom (nondefault) value for the User-Password attribute in MAB-generated Access-Request
packets.
• 0—Specifies a cleartext password to follow.
• 7—Specifies an encrypted password to follow.
• text—Specifies the password to be used in the User-Password attribute.

Example:

SwitchDevice(config)# mab request format attribute 2 7 A02f44E18B12

Note When you send configuration information in e-mail, remove type 7 password information. The show
tech-support command removes this information from its output by default.

Step 4 end Returns to privileged EXEC mode.


Example:

SwitchDevice(config)# end
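To make the attribute 1 and attribute 2 rules above concrete, the following is an added Python example (not Cisco code and not part of this guide): it builds the User-Name a MAB Access-Request would carry for each groupsize, separator and case combination, applies an attribute 2 value to the User-Password only, and redacts type 7 strings from a configuration excerpt as the Note advises. The fallback to hyphen and lowercase when the separator clause is omitted, the username/password and radius-server key patterns in the redactor, and the sample configuration are assumptions.

```python
"""Added example (not part of the Cisco guide): model the MAB request-format
rules for attribute 1 (User-Name) and attribute 2 (User-Password), and redact
type 7 password material from a configuration excerpt before it is shared."""
import re
from typing import Dict, Optional, Tuple

VALID_GROUPSIZES = (1, 2, 4, 12)
VALID_SEPARATORS = ("-", ":", ".")
VALID_CASES = ("lowercase", "uppercase")


def normalize_mac(mac: str) -> str:
    """Return the 12 raw hex nibbles of a MAC address in lowercase, accepting
    hyphen, colon or period separators in the input."""
    nibbles = re.sub(r"[-:.]", "", mac)
    if not re.fullmatch(r"[0-9A-Fa-f]{12}", nibbles):
        raise ValueError(f"not a 48-bit MAC address: {mac!r}")
    return nibbles.lower()


def format_mab_username(mac: str, groupsize: int = 12, separator: str = "-",
                        case: str = "lowercase") -> str:
    """Build the User-Name the switch sends for a MAB client.

    groupsize nibbles are concatenated before each separator; groupsize 12 yields
    the bare 12-digit string with no separator, and the case option only affects
    the non-numeric nibbles (a-f)."""
    if groupsize not in VALID_GROUPSIZES:
        raise ValueError(f"groupsize must be one of {VALID_GROUPSIZES}")
    if separator not in VALID_SEPARATORS:
        raise ValueError(f"separator must be one of {VALID_SEPARATORS}")
    if case not in VALID_CASES:
        raise ValueError(f"case must be one of {VALID_CASES}")
    nibbles = normalize_mac(mac)
    if case == "uppercase":
        nibbles = nibbles.upper()
    if groupsize == 12:
        return nibbles
    groups = [nibbles[i:i + groupsize] for i in range(0, 12, groupsize)]
    return separator.join(groups)


def mab_request_attributes(mac: str, groupsize: int = 12, separator: str = "-",
                           case: str = "lowercase",
                           password: Optional[str] = None) -> Dict[str, str]:
    """Return the User-Name and User-Password of a MAB-generated Access-Request.

    Both default to the formatted MAC address; an attribute 2 value replaces only
    the User-Password, for servers that reject username == password."""
    username = format_mab_username(mac, groupsize, separator, case)
    return {"User-Name": username,
            "User-Password": username if password is None else password}


# Parses the "mab request format attribute 1 ..." line of a running config.
ATTR1_RE = re.compile(r"mab request format attribute 1 groupsize (\d+)"
                      r"(?: separator (\S) (lowercase|uppercase))?")


def parse_attribute1(config_line: str) -> Tuple[int, str, str]:
    """Extract (groupsize, separator, case) from an attribute 1 config line.
    Assumption (not stated in the guide): without the optional separator clause
    the formatter falls back to hyphen and lowercase; for groupsize 12 the
    separator is irrelevant because none is emitted."""
    m = ATTR1_RE.search(config_line)
    if not m:
        raise ValueError(f"not an attribute 1 format line: {config_line!r}")
    return int(m.group(1)), m.group(2) or "-", m.group(3) or "lowercase"


# Type 7 strings follow the literal keyword 7 in these commands. The attribute 2
# form comes from this guide; the username/password and radius-server key forms
# are assumed here as other common carriers of type 7 material.
TYPE7_RE = re.compile(r"^(\s*(?:mab request format attribute 2|"
                      r"username \S+ password|radius-server key) 7 )\S+")


def redact_type7(config_text: str) -> str:
    """Replace type 7 password material with a marker, line by line, so a config
    excerpt can be mailed as the Note above recommends."""
    return "\n".join(TYPE7_RE.sub(r"\1<type7-removed>", line)
                     for line in config_text.splitlines())


# Constructed sample running-config excerpt (not captured from a real device).
SAMPLE_CONFIG = """\
mab request format attribute 1 groupsize 2 separator : uppercase
mab request format attribute 2 7 A02f44E18B12
radius-server key 7 0822455D0A16
"""

if __name__ == "__main__":
    gs, sep, case = parse_attribute1(SAMPLE_CONFIG.splitlines()[0])
    print(mab_request_attributes("00:1a.2b-3c4d5e", gs, sep, case, "custom-pw"))
    print(redact_type7(SAMPLE_CONFIG))
```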

Configuring 802.1x User Distribution


Beginning in privileged EXEC mode, follow these steps to configure a VLAN group and to map a VLAN to
it:

SUMMARY STEPS
1. configure terminal
2. vlan group vlan-group-name vlan-list vlan-list
3. end
4. no vlan group vlan-group-name vlan-list vlan-list

DETAILED STEPS

Command or Action Purpose


Step 1 configure terminal Enters the global configuration mode.
Example:

SwitchDevice# configure terminal

Step 2 vlan group vlan-group-name vlan-list vlan-list Configures a VLAN group, and maps a single VLAN or a
range of VLANs to it.
Example:

SwitchDevice(config)# vlan group eng-dept vlan-list 10

Step 3 end Returns to privileged EXEC mode.


Example:

SwitchDevice(config)# end

Step 4 no vlan group vlan-group-name vlan-list vlan-list Clears the VLAN group configuration or elements of the
VLAN group configuration.
Example:

SwitchDevice(config)# no vlan group eng-dept vlan-list 10

Example of Configuring VLAN Groups


This example shows how to configure the VLAN groups, to map the VLANs to the groups, and to verify the
VLAN group configurations and mapping to the specified VLANs:

SwitchDevice(config)# vlan group eng-dept vlan-list 10

SwitchDevice(config)# show vlan group group-name eng-dept


Group Name Vlans Mapped
------------- --------------
eng-dept 10

SwitchDevice(config)# show dot1x vlan-group all


Group Name Vlans Mapped
------------- --------------
eng-dept 10
hr-dept 20

This example shows how to add a VLAN to an existing VLAN group and to verify that the VLAN was added:

SwitchDevice(config)# vlan group eng-dept vlan-list 30


SwitchDevice(config)# show vlan group eng-dept
Group Name Vlans Mapped
------------- --------------
eng-dept 10,30

This example shows how to remove a VLAN from a VLAN group:

SwitchDevice(config)# no vlan group eng-dept vlan-list 10

This example shows that when all the VLANs are cleared from a VLAN group, the VLAN group is cleared:

SwitchDevice(config)# no vlan group eng-dept vlan-list 30


Vlan 30 is successfully cleared from vlan group eng-dept.

SwitchDevice(config)# show vlan group group-name eng-dept

This example shows how to clear all the VLAN groups:

SwitchDevice(config)# no vlan group eng-dept vlan-list all

SwitchDevice(config)# show vlan-group all

For more information about these commands, see the Cisco IOS Security Command Reference.

Configuring NAC Layer 2 802.1x Validation


You can configure NAC Layer 2 802.1x validation, which is also referred to as 802.1x authentication with a
RADIUS server.
Beginning in privileged EXEC mode, follow these steps to configure NAC Layer 2 802.1x validation. The
procedure is optional.

SUMMARY STEPS
1. configure terminal
2. interface interface-id
3. switchport mode access
4. authentication event no-response action authorize vlan vlan-id
5. authentication periodic
6. authentication timer reauthenticate
7. end
8. show authentication sessions interface interface-id
9. copy running-config startup-config

DETAILED STEPS

Command or Action Purpose


Step 1 configure terminal Enters global configuration mode.
Example:

SwitchDevice# configure terminal

Step 2 interface interface-id Specifies the port to be configured, and enters interface
configuration mode.
Example:

SwitchDevice(config)# interface
gigabitethernet2/0/3

Step 3 switchport mode access Sets the port to access mode only if you configured the
RADIUS server.
Example:

SwitchDevice(config-if)# switchport mode access

Step 4 authentication event no-response action authorize vlan vlan-id Specifies an active VLAN as an 802.1x guest
VLAN. The range is 1 to 4094.
You can configure any active VLAN except an internal VLAN (routed port), an RSPAN VLAN, or a voice VLAN as
an 802.1x guest VLAN.
Example:

SwitchDevice(config-if)# authentication event no-response action authorize vlan 8


Step 5 authentication periodic Enables periodic re-authentication of the client, which is
disabled by default.
Example:

SwitchDevice(config-if)# authentication periodic

Step 6 authentication timer reauthenticate Sets re-authentication attempt for the client (set to one hour).
This command affects the behavior of the switch only if periodic re-authentication is enabled.
Example:

SwitchDevice(config-if)# authentication timer reauthenticate

Step 7 end Returns to privileged EXEC mode.


Example:

SwitchDevice(config-if)# end

Step 8 show authentication sessions interface interface-id Verifies your entries.


Example:

SwitchDevice# show authentication sessions interface gigabitethernet2/0/3

Step 9 copy running-config startup-config (Optional) Saves your entries in the configuration file.
Example:

SwitchDevice# copy running-config startup-config

Configuring an Authenticator Switch with NEAT


Configuring this feature requires that one switch outside a wiring closet is configured as a supplicant and is
connected to an authenticator switch.

Note • The switch must be restarted and the authenticator switch interface configuration must be restored to
access mode explicitly if a line card is removed and inserted in the chassis while a CISP or NEAT session
is active.
• The cisco-av-pair device-traffic-class=switch must be configured on the ISE; it sets the interface as a trunk
after the supplicant is successfully authenticated.

Beginning in privileged EXEC mode, follow these steps to configure a switch as an authenticator:

SUMMARY STEPS
1. configure terminal
2. cisp enable
3. interface interface-id
4. switchport mode access
5. authentication port-control auto
6. dot1x pae authenticator
7. spanning-tree portfast
8. end
9. show running-config interface interface-id
10. copy running-config startup-config

DETAILED STEPS

Command or Action Purpose


Step 1 configure terminal Enters global configuration mode.
Example:

SwitchDevice# configure terminal

Step 2 cisp enable Enables CISP.


Example:

SwitchDevice(config)# cisp enable

Step 3 interface interface-id Specifies the port to be configured, and enters interface
configuration mode.
Example:

SwitchDevice(config)# interface gigabitethernet 2/0/1

Step 4 switchport mode access Sets the port mode to access.


Example:

SwitchDevice(config-if)# switchport mode access

Step 5 authentication port-control auto Sets the port-authentication mode to auto.


Example:

SwitchDevice(config-if)# authentication
port-control auto


Step 6 dot1x pae authenticator Configures the interface as a port access entity (PAE)
authenticator.
Example:

SwitchDevice(config-if)# dot1x pae authenticator

Step 7 spanning-tree portfast Enables Port Fast on an access port connected to a single
workstation or server.
Example:

SwitchDevice(config-if)# spanning-tree portfast trunk

Step 8 end Returns to privileged EXEC mode.


Example:

SwitchDevice(config-if)# end

Step 9 show running-config interface interface-id Verifies your configuration.


Example:

SwitchDevice# show running-config interface gigabitethernet 2/0/1

Step 10 copy running-config startup-config (Optional) Saves your entries in the configuration file.
Note Saving changes to the configuration file will mean that the authenticator interface will continue to be in
trunk mode after reload. If you want the authenticator interface to remain as an access port, do not save your
changes to the configuration file.
Example:

SwitchDevice# copy running-config startup-config

Configuring a Supplicant Switch with NEAT


Beginning in privileged EXEC mode, follow these steps to configure a switch as a supplicant:

SUMMARY STEPS
1. configure terminal
2. cisp enable
3. dot1x credentials profile
4. username suppswitch
5. password password
6. dot1x supplicant force-multicast
7. interface interface-id
8. switchport trunk encapsulation dot1q
9. switchport mode trunk
10. dot1x pae supplicant
11. dot1x credentials profile-name
12. end
13. show running-config interface interface-id
14. copy running-config startup-config
15. Configuring NEAT with Auto Smartports Macros

DETAILED STEPS

Command or Action Purpose


Step 1 configure terminal Enters global configuration mode.
Example:

SwitchDevice# configure terminal

Step 2 cisp enable Enables CISP.


Example:

SwitchDevice(config)# cisp enable

Step 3 dot1x credentials profile Creates 802.1x credentials profile. This must be attached
to the port that is configured as supplicant.
Example:

SwitchDevice(config)# dot1x credentials test

Step 4 username suppswitch Creates a username.


Example:

SwitchDevice(config)# username suppswitch

Step 5 password password Creates a password for the new username.


Example:

SwitchDevice(config)# password myswitch

Step 6 dot1x supplicant force-multicast Forces the switch to send only multicast EAPOL packets
when it receives either unicast or multicast packets.
This also allows NEAT to work on the supplicant switch in all host modes.
Example:

SwitchDevice(config)# dot1x supplicant force-multicast


Step 7 interface interface-id Specifies the port to be configured, and enters interface
configuration mode.
Example:

SwitchDevice(config)# interface gigabitethernet1/0/1

Step 8 switchport trunk encapsulation dot1q Sets the port to trunk mode.
Example:

SwitchDevice(config-if)# switchport trunk encapsulation dot1q

Step 9 switchport mode trunk Configures the interface as a VLAN trunk port.
Example:

SwitchDevice(config-if)# switchport mode trunk

Step 10 dot1x pae supplicant Configures the interface as a port access entity (PAE)
supplicant.
Example:

SwitchDevice(config-if)# dot1x pae supplicant

Step 11 dot1x credentials profile-name Attaches the 802.1x credentials profile to the interface.
Example:

SwitchDevice(config-if)# dot1x credentials test

Step 12 end Returns to privileged EXEC mode.


Example:

SwitchDevice(config-if)# end

Step 13 show running-config interface interface-id Verifies your configuration.


Example:

SwitchDevice# show running-config interface gigabitethernet1/0/1

Step 14 copy running-config startup-config (Optional) Saves your entries in the configuration file.
Example:

SwitchDevice# copy running-config startup-config

Step 15 Configuring NEAT with Auto Smartports Macros You can also use an Auto Smartports user-defined macro
instead of the switch VSA to configure the authenticator
switch. For more information, see the Auto Smartports
Configuration Guide for this release.

Configuring 802.1x Authentication with Downloadable ACLs and Redirect URLs


In addition to configuring 802.1x authentication on the switch, you need to configure the ACS. For more
information, see the Configuration Guide for Cisco Secure ACS 4.2:
http://www.cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_server_for_windows/4.2/configuration/guide/acs_config.pdf

Note You must configure a downloadable ACL on the ACS before downloading it to the switch.

After authentication on the port, you can use the show ip access-list privileged EXEC command to display
the downloaded ACLs on the port.

Configuring Downloadable ACLs


The policies take effect after client authentication and the client IP address addition to the IP device tracking
table. The switch then applies the downloadable ACL to the port.
Beginning in privileged EXEC mode:

SUMMARY STEPS
1. configure terminal
2. ip device tracking
3. aaa new-model
4. aaa authorization network default local group radius
5. radius-server vsa send authentication
6. interface interface-id
7. ip access-group acl-id in
8. show running-config interface interface-id
9. copy running-config startup-config

DETAILED STEPS

Command or Action Purpose


Step 1 configure terminal Enters global configuration mode.
Example:

SwitchDevice# configure terminal

Step 2 ip device tracking Enables the IP device tracking table.


Example:

SwitchDevice(config)# ip device tracking

Step 3 aaa new-model Enables AAA.


Example:

SwitchDevice(config)# aaa new-model

Step 4 aaa authorization network default local group radius Sets the authorization method to local. To remove the
authorization method, use the no aaa authorization network default local group radius command.
Example:

SwitchDevice(config)# aaa authorization network default local group radius

Step 5 radius-server vsa send authentication Configures the network access server to recognize and use
vendor-specific attributes in authentication.
Example:

SwitchDevice(config)# radius-server vsa send authentication

Step 6 interface interface-id Specifies the port to be configured, and enters interface
configuration mode.
Example:

SwitchDevice(config)# interface
gigabitethernet2/0/4

Step 7 ip access-group acl-id in Configures the default ACL on the port in the input
direction.
Note The acl-id is an access list name or number.
Example:

SwitchDevice(config-if)# ip access-group default_acl in

Step 8 show running-config interface interface-id Verifies your configuration.


Example:

SwitchDevice(config-if)# show running-config interface gigabitethernet2/0/4


Step 9 copy running-config startup-config (Optional) Saves your entries in the configuration file.
Example:

SwitchDevice# copy running-config startup-config

Configuring a Downloadable Policy


Beginning in privileged EXEC mode:

SUMMARY STEPS
1. configure terminal
2. access-list access-list-number {deny | permit} {hostname | any | host} log
3. interface interface-id
4. ip access-group acl-id in
5. exit
6. aaa new-model
7. aaa authorization network default group radius
8. ip device tracking
9. ip device tracking probe [count | interval | use-svi]
10. radius-server vsa send authentication
11. end

DETAILED STEPS

Command or Action Purpose


Step 1 configure terminal Enters the global configuration mode.
Example:

SwitchDevice# configure terminal

Step 2 access-list access-list-number {deny | permit} {hostname | any | host} log Defines the default port ACL.
The access-list-number is a decimal number from 1 to 99 or 1300 to 1999.
Enter deny or permit to specify whether to deny or permit access if conditions are matched.
The source is the source address of the network or host that sends a packet, such as this:
• hostname: The 32-bit quantity in dotted-decimal format.
• any: The keyword any as an abbreviation for source and source-wildcard value of 0.0.0.0 255.255.255.255.
You do not need to enter a source-wildcard value.
• host: The keyword host as an abbreviation for source and source-wildcard of source 0.0.0.0.
(Optional) Applies the source-wildcard wildcard bits to the source.
(Optional) Enters log to cause an informational logging message about the packet that matches the entry to be sent
to the console.
Example:

SwitchDevice(config)# access-list 1 deny any log

Step 3 interface interface-id Enters interface configuration mode.


Example:

SwitchDevice(config)# interface
gigabitethernet2/0/2

Step 4 ip access-group acl-id in Configures the default ACL on the port in the input
direction.
Note The acl-id is an access list name or number.
Example:

SwitchDevice(config-if)# ip access-group default_acl in

Step 5 exit Returns to global configuration mode.


Example:

SwitchDevice(config-if)# exit

Step 6 aaa new-model Enables AAA.


Example:

SwitchDevice(config)# aaa new-model

Step 7 aaa authorization network default group radius Sets the authorization method to local. To remove the
authorization method, use the no aaa authorization network default group radius command.
Example:

SwitchDevice(config)# aaa authorization network default group radius

Step 8 ip device tracking Enables the IP device tracking table.
To disable the IP device tracking table, use the no ip device tracking global configuration command.
Example:

SwitchDevice(config)# ip device tracking

Step 9 ip device tracking probe [count | interval | use-svi] (Optional) Configures the IP device tracking table:
• count count—Sets the number of times that the switch sends the ARP probe. The range is from 1 to 5. The
default is 3.
• interval interval—Sets the number of seconds that the switch waits for a response before resending the
ARP probe. The range is from 30 to 300 seconds. The default is 30 seconds.
• use-svi—Uses the switch virtual interface (SVI) IP address as source of ARP probes.
Example:

SwitchDevice(config)# ip device tracking probe count

Step 10 radius-server vsa send authentication Configures the network access server to recognize and use
vendor-specific attributes.
Note The downloadable ACL must be operational.
Example:

SwitchDevice(config)# radius-server vsa send authentication

Step 11 end Returns to privileged EXEC mode.


Example:

SwitchDevice(config)# end
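As an added Python example (not Cisco code and not part of this guide), the following parses the standard numbered ACL syntax from Step 2 of this procedure and evaluates a source address against it, applying the wildcard semantics described there (any, host, explicit wildcard bits) and the implicit deny that follows the last entry. The sample ACL entries and the addresses tested are constructed.

```python
"""Added example (not part of the Cisco guide): parse and evaluate the standard
numbered ACL syntax from Step 2 above, so the effect of a default port ACL such
as "access-list 1 deny any log" on a given source address can be checked."""
import ipaddress
import re
from dataclasses import dataclass
from typing import List, Optional

ACL_LINE_RE = re.compile(
    r"^\s*access-list\s+(\d+)\s+(permit|deny)\s+(.+?)(\s+log)?\s*$")
ALL_ONES = 0xFFFFFFFF


def _addr(text: str) -> int:
    return int(ipaddress.IPv4Address(text))


@dataclass
class AclEntry:
    number: int
    action: str      # "permit" or "deny"
    source: int      # source address as a 32-bit integer
    wildcard: int    # wildcard bits: 1 = don't care, 0 = must match
    log: bool

    def matches(self, src_ip: str) -> bool:
        """Compare only the bits where the wildcard is 0."""
        return ((_addr(src_ip) ^ self.source) & (~self.wildcard & ALL_ONES)) == 0


def parse_standard_acl_line(line: str) -> AclEntry:
    """Parse one standard ACL entry: number 1-99 or 1300-1999, permit|deny,
    then any | host A.B.C.D | A.B.C.D [wildcard], with an optional log keyword."""
    m = ACL_LINE_RE.match(line)
    if not m:
        raise ValueError(f"not a standard access-list entry: {line!r}")
    number = int(m.group(1))
    if not (1 <= number <= 99 or 1300 <= number <= 1999):
        raise ValueError(f"standard ACL numbers are 1-99 or 1300-1999: {number}")
    tokens = m.group(3).split()
    if tokens == ["any"]:                            # any = 0.0.0.0 255.255.255.255
        source, wildcard = 0, ALL_ONES
    elif tokens[0] == "host" and len(tokens) == 2:   # host = wildcard 0.0.0.0
        source, wildcard = _addr(tokens[1]), 0
    elif len(tokens) == 1:                           # bare address: exact host match
        source, wildcard = _addr(tokens[0]), 0
    elif len(tokens) == 2:                           # address plus explicit wildcard
        source, wildcard = _addr(tokens[0]), _addr(tokens[1])
    else:
        raise ValueError(f"unrecognised source specification: {tokens}")
    return AclEntry(number, m.group(2), source, wildcard, bool(m.group(4)))


def parse_standard_acl(text: str) -> List[AclEntry]:
    """Parse all non-empty lines of a configuration excerpt into ACL entries."""
    return [parse_standard_acl_line(ln) for ln in text.splitlines() if ln.strip()]


@dataclass
class Verdict:
    action: str
    entry: Optional[AclEntry]   # None when the implicit deny at the end applies
    logged: bool


def evaluate(acl: List[AclEntry], src_ip: str) -> Verdict:
    """First matching entry wins; anything that matches no entry is dropped by
    the implicit deny, which generates no log message."""
    for entry in acl:
        if entry.matches(src_ip):
            return Verdict(entry.action, entry, entry.log)
    return Verdict("deny", None, False)


# Constructed sample: the guide's default port ACL preceded by two permit
# entries of the kind a downloadable policy might add after authentication.
SAMPLE_ACL = """\
access-list 1 permit host 10.0.0.5
access-list 1 permit 10.1.0.0 0.0.255.255
access-list 1 deny any log
"""

if __name__ == "__main__":
    entries = parse_standard_acl(SAMPLE_ACL)
    for ip in ("10.0.0.5", "10.1.200.7", "172.16.0.1"):
        v = evaluate(entries, ip)
        print(f"{ip:<12} -> {v.action}{' (logged)' if v.logged else ''}")
```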

Configuring VLAN ID-based MAC Authentication


Beginning in privileged EXEC mode, follow these steps:

SUMMARY STEPS
1. configure terminal
2. mab request format attribute 32 vlan access-vlan
3. copy running-config startup-config

DETAILED STEPS

Command or Action Purpose


Step 1 configure terminal Enters global configuration mode.
Example:

SwitchDevice# configure terminal


Step 2 mab request format attribute 32 vlan access-vlan Enables VLAN ID-based MAC authentication.
Example:

SwitchDevice(config)# mab request format attribute 32 vlan access-vlan

Step 3 copy running-config startup-config (Optional) Saves your entries in the configuration file.
Example:

SwitchDevice# copy running-config startup-config

Configuring Flexible Authentication Ordering


The examples used in the instructions below change the order of Flexible Authentication Ordering so that
MAB is attempted before IEEE 802.1X authentication (dot1x). MAB is configured as the first authentication
method, so MAB will have priority over all other authentication methods.

Note Before changing the default order and priority of these authentication methods, however, you should understand
the potential consequences of those changes. See
http://www.cisco.com/en/US/prod/collateral/iosswrel/ps6537/ps6586/ps6638/application_note_c27-573287_ps6638_Products_White_Paper.html
for details.

Beginning in privileged EXEC mode, follow these steps:

SUMMARY STEPS
1. configure terminal
2. interface interface-id
3. switchport mode access
4. authentication order [dot1x | mab] | {webauth}
5. authentication priority [dot1x | mab] | {webauth}
6. end

DETAILED STEPS

Command or Action Purpose


Step 1 configure terminal Enters the global configuration mode.
Example:

SwitchDevice# configure terminal


Step 2 interface interface-id Specifies the port to be configured, and enters interface
configuration mode.
Example:

SwitchDevice(config)# interface gigabitethernet 1/0/1

Step 3 switchport mode access Sets the port to access mode only if you previously
configured the RADIUS server.
Example:

SwitchDevice(config-if)# switchport mode access

Step 4 authentication order [dot1x | mab] | {webauth} (Optional) Sets the order of authentication methods used
on a port.
Example:

SwitchDevice(config-if)# authentication order mab dot1x

Step 5 authentication priority [dot1x | mab] | {webauth} (Optional) Adds an authentication method to the
port-priority list.
Example:

SwitchDevice(config-if)# authentication priority mab dot1x

Step 6 end Returns to privileged EXEC mode.


Example:

SwitchDevice(config-if)# end

Related Topics
Flexible Authentication Ordering, on page 1398

Configuring Open1x
Beginning in privileged EXEC mode, follow these steps to enable manual control of the port authorization
state:

SUMMARY STEPS
1. configure terminal
2. interface interface-id
3. switchport mode access
4. authentication control-direction {both | in}
5. authentication fallback name
6. authentication host-mode [multi-auth | multi-domain | multi-host | single-host]
7. authentication open
8. authentication order [dot1x | mab] | {webauth}
9. authentication periodic
10. authentication port-control {auto | force-authorized | force-unauthorized}
11. end

DETAILED STEPS

Command or Action Purpose


Step 1 configure terminal Enters the global configuration mode.
Example:

SwitchDevice# configure terminal

Step 2 interface interface-id Specifies the port to be configured, and enters interface
configuration mode.
Example:

SwitchDevice(config)# interface gigabitethernet 1/0/1

Step 3 switchport mode access Sets the port to access mode only if you configured the
RADIUS server.
Example:

SwitchDevice(config-if)# switchport mode access

Step 4 authentication control-direction {both | in} (Optional) Configures the port control as unidirectional or
bidirectional.
Example:

SwitchDevice(config-if)# authentication
control-direction both

Step 5 authentication fallback name (Optional) Configures a port to use web authentication as
a fallback method for clients that do not support 802.1x
Example:
authentication.
SwitchDevice(config-if)# authentication fallback
profile1

Step 6 authentication host-mode [multi-auth | multi-domain | multi-host | single-host] (Optional) Sets the
authorization manager mode on a port.
Example:

SwitchDevice(config-if)# authentication host-mode multi-auth


Step 7 authentication open (Optional) Enables or disables open access on a port.
Example:

SwitchDevice(config-if)# authentication open

Step 8 authentication order [dot1x | mab] | {webauth} (Optional) Sets the order of authentication methods used
on a port.
Example:

SwitchDevice(config-if)# authentication order dot1x webauth

Step 9 authentication periodic (Optional) Enables or disables reauthentication on a port.


Example:

SwitchDevice(config-if)# authentication periodic

Step 10 authentication port-control {auto | force-authorized | force-unauthorized} (Optional) Enables manual
control of the port authorization state.
Example:

SwitchDevice(config-if)# authentication
port-control auto

Step 11 end Returns to privileged EXEC mode.


Example:

SwitchDevice(config-if)# end

Related Topics
Open1x Authentication, on page 1399

Disabling 802.1x Authentication on the Port


You can disable 802.1x authentication on the port by using the no dot1x pae interface configuration command.
Beginning in privileged EXEC mode, follow these steps to disable 802.1x authentication on the port. This
procedure is optional.

SUMMARY STEPS
1. configure terminal
2. interface interface-id
3. switchport mode access
4. no dot1x pae authenticator
5. end

DETAILED STEPS

Command or Action Purpose


Step 1 configure terminal Enters the global configuration mode.
Example:

SwitchDevice# configure terminal

Step 2 interface interface-id Specifies the port to be configured, and enters interface
configuration mode.
Example:

SwitchDevice(config)# interface
gigabitethernet2/0/1

Step 3 switchport mode access (Optional) Sets the port to access mode only if you
configured the RADIUS server.
Example:

SwitchDevice(config-if)# switchport mode access

Step 4 no dot1x pae authenticator Disables 802.1x authentication on the port.


Example:

SwitchDevice(config-if)# no dot1x pae authenticator

Step 5 end Returns to privileged EXEC mode.


Example:

SwitchDevice(config-if)# end

Resetting the 802.1x Authentication Configuration to the Default Values


Beginning in privileged EXEC mode, follow these steps to reset the 802.1x authentication configuration to
the default values. This procedure is optional.

SUMMARY STEPS
1. configure terminal
2. interface interface-id
3. dot1x default
4. end

DETAILED STEPS

Command or Action Purpose


Step 1 configure terminal Enters the global configuration mode.
Example:

SwitchDevice# configure terminal

Step 2 interface interface-id Enters interface configuration mode, and specifies the port
to be configured.
Example:

SwitchDevice(config)# interface
gigabitethernet1/0/2

Step 3 dot1x default Resets the 802.1x parameters to the default values.
Example:

SwitchDevice(config-if)# dot1x default

Step 4 end Returns to privileged EXEC mode.


Example:

SwitchDevice(config-if)# end

Monitoring 802.1x Statistics and Status


Table 150: Privileged EXEC show Commands

Command Purpose

show dot1x all statistics Displays 802.1x statistics for all ports

show dot1x interface interface-id statistics Displays 802.1x statistics for a specific port

show dot1x all [count | details | statistics | summary] Displays the 802.1x administrative and operational status
for a switch

show dot1x interface interface-id Displays the 802.1x administrative and operational status
for a specific port

Table 151: Global Configuration Commands

Command Purpose

no dot1x logging verbose Filters verbose 802.1x authentication messages (beginning with Cisco IOS Release
12.2(55)SE)

For detailed information about the fields in these displays, see the command reference for this release.

CHAPTER 63
Configuring Web-Based Authentication
This chapter describes how to configure web-based authentication on the switch. It contains these sections:
• Finding Feature Information, on page 1461
• Web-Based Authentication Overview, on page 1461
• How to Configure Web-Based Authentication, on page 1470
• Monitoring Web-Based Authentication Status, on page 1486

Finding Feature Information


Your software release may not support all the features documented in this module. For the latest caveats and
feature information, see Bug Search Tool and the release notes for your platform and software release. To
find information about the features documented in this module, and to see a list of the releases in which each
feature is supported, see the feature information table at the end of this module.
Use Cisco Feature Navigator to find information about platform support and Cisco software image support.
To access Cisco Feature Navigator, go to http://www.cisco.com/go/cfn. An account on Cisco.com is not
required.

Web-Based Authentication Overview


Use the web-based authentication feature, known as web authentication proxy, to authenticate end users on
host systems that do not run the IEEE 802.1x supplicant.

Note You can configure web-based authentication on Layer 2 and Layer 3 interfaces.

When you initiate an HTTP session, web-based authentication intercepts ingress HTTP packets from the host
and sends an HTML login page to the users. The users enter their credentials, which the web-based
authentication feature sends to the authentication, authorization, and accounting (AAA) server for authentication.
If authentication succeeds, web-based authentication sends a Login-Successful HTML page to the host and
applies the access policies returned by the AAA server.
If authentication fails, web-based authentication forwards a Login-Fail HTML page to the user, prompting
the user to retry the login. If the user exceeds the maximum number of attempts, web-based authentication
forwards a Login-Expired HTML page to the host, and the user is placed on a watch list for a waiting period.

Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(3)E (Catalyst 3560-CX and 2960-CX Switches)
1461
Security
Device Roles

Note HTTPS traffic interception for central web authentication redirect is not supported.

Note Use a global parameter-map (for method-type, custom, and redirect) only when the same web
authentication method (consent, web consent, or webauth) applies to all clients and SSIDs. This ensures
that all the clients have the same web-authentication method.
If the requirement is to use Consent for one SSID and web authentication for another SSID, use two named
parameter-maps: configure Consent in the first parameter-map and webauth in the second parameter-map.

Device Roles
With web-based authentication, the devices in the network have these specific roles:
• Client—The device (workstation) that requests access to the LAN and its services and responds to
requests from the switch. The workstation must be running an HTML browser with JavaScript enabled.
• Authentication server—Authenticates the client. The authentication server validates the identity of the
client and notifies the switch that the client is authorized to access the LAN and the switch services or
that the client is denied.
• Switch—Controls the physical access to the network based on the authentication status of the client. The
switch acts as an intermediary (proxy) between the client and the authentication server, requesting identity
information from the client, verifying that information with the authentication server, and relaying a
response to the client.

Figure 119: Web-Based Authentication Device Roles (the figure shows the roles of these devices in a network)

Host Detection
The switch maintains an IP device tracking table to store information about detected hosts.


Note By default, the IP device tracking feature is disabled on a switch. You must enable the IP device tracking
feature to use web-based authentication.

For Layer 2 interfaces, web-based authentication detects IP hosts by using these mechanisms:
• ARP-based trigger—An ARP redirect ACL lets web-based authentication detect hosts with a static or a
dynamic IP address.
• Dynamic ARP inspection
• DHCP snooping—Web-based authentication is notified when the switch creates a DHCP-binding entry
for the host.

Session Creation
When web-based authentication detects a new host, it creates a session as follows:
• Reviews the exception list.
If the host IP is included in the exception list, the policy from the exception list entry is applied, and the
session is established.
• Reviews for authorization bypass
If the host IP is not on the exception list, web-based authentication sends a nonresponsive-host (NRH)
request to the server.
If the server response is access accepted, authorization is bypassed for this host. The session is established.
• Sets up the HTTP intercept ACL
If the server response to the NRH request is access rejected, the HTTP intercept ACL is activated, and
the session waits for HTTP traffic from the host.

Authentication Process
When you enable web-based authentication, these events occur:
• The user initiates an HTTP session.
• The HTTP traffic is intercepted, and authorization is initiated. The switch sends the login page to the
user. The user enters a username and password, and the switch sends the entries to the authentication
server.
• If the authentication succeeds, the switch downloads and activates the user’s access policy from the
authentication server. The login success page is sent to the user.
• If the authentication fails, the switch sends the login fail page. The user retries the login. If the maximum
number of attempts fails, the switch sends the login expired page, and the host is placed in a watch list.
After the watch list times out, the user can retry the authentication process.
• If the authentication server does not respond to the switch, and if an AAA fail policy is configured, the
switch applies the failure access policy to the host and sends the login success page to the user. This
policy is applied without any credential check, so it should grant no more access than you would give
an unknown host.


• The switch reauthenticates a client when the host does not respond to an ARP probe on a Layer 2 interface,
or when the host does not send any traffic within the idle timeout on a Layer 3 interface.
• The feature applies the downloaded timeout or the locally configured session timeout.
• If the terminate action is RADIUS, the feature sends a nonresponsive host (NRH) request to the server.
The terminate action is included in the response from the server.
• If the terminate action is default, the session is dismantled, and the applied policy is removed.

Local Web Authentication Banner


With web authentication, you can create default and customized web-browser banners that appear when
you log in to a switch.
The banner appears on both the login page and the authentication-result pop-up pages. The default banner
messages are as follows:
• Authentication Successful
• Authentication Failed
• Authentication Expired

The Local Web Authentication Banner can be configured in legacy and new-style (Session-aware) CLIs as
follows:
• Legacy mode—Use the ip admission auth-proxy-banner http global configuration command.
• New-style mode—Use the banner command in parameter-map type webauth global configuration mode.

By default, the login page displays the banner Cisco Systems and <switch host-name> Authentication, and
the authentication-result pop-up page displays Cisco Systems.
Figure 120: Authentication Successful Banner


The banner can be customized as follows:

• Add a message, such as the switch, router, or company name, to the banner:
  • Legacy mode—Use the ip admission auth-proxy-banner http banner-text global configuration
    command.
  • New-style mode—Use the banner text command in parameter-map type webauth global configuration
    mode.

• Add a logo or text file to the banner:
  • Legacy mode—Use the ip admission auth-proxy-banner http file-path global configuration
    command.
  • New-style mode—Use the banner file command in parameter-map type webauth global configuration
    mode.

Figure 121: Customized Web Banner

If you do not enable a banner, only the username and password dialog boxes appear in the web authentication
login screen, and no banner appears when you log into the switch.


Figure 122: Login Screen With No Banner

Web Authentication Customizable Web Pages


During the web-based authentication process, the switch's internal HTTP server hosts four HTML pages that
it delivers to an authenticating client, one for each of these four authentication-process states:
• Login—Your credentials are requested.
• Success—The login was successful.
• Fail—The login failed.
• Expire—The login session has expired because of excessive login failures.

Guidelines
• You can substitute your own HTML pages for the default internal HTML pages.
• You can use a logo or specify text in the login, success, failure, and expire web pages.
• A banner can add text to the login page only.
• The pages are written in HTML.
• To send the user to a specific URL after login, the success page must include an HTML redirect.
• The URL must be a complete, valid URL (for example, http://www.cisco.com). An incomplete URL might
cause page not found or similar errors in the web browser.


• If you configure custom web pages for HTTP authentication, they must include the appropriate HTML
(for example, to set a page timeout, to mask the password field, and to prevent the same page from
being submitted twice).
• The CLI command that redirects users to a specific URL is not available when a configured login form
is enabled. Put the redirection in the success web page instead.
• If you enter the CLI command that redirects users to a specific URL after authentication and then enter
the command that configures custom web pages, the redirect command no longer takes effect.
• Configured web pages can be copied to the switch boot flash or flash.
• On stackable switches, configured pages can be accessed from the flash on the stack master or any member.
• The login page can be on one flash, and the success and failure pages on another flash (for example,
the flash on the stack master or a member).
• You must configure all four pages.
• A configured banner has no effect when custom web pages are configured.
• All of the logo files (image, flash, audio, video, and so on) that are stored in the system directory (for
example, flash, disk0, or disk) and that must be displayed on the login page must be named
web_auth_<filename>.
• The configured authentication proxy feature supports both HTTP and HTTPS (SSL).

You can substitute your HTML pages for the default internal HTML pages. You can also specify a URL to
which users are redirected after authentication occurs, which replaces the internal Success page.
Figure 123: Customizable Authentication Page


Authentication Proxy Web Page Guidelines


When configuring customized authentication proxy web pages, follow these guidelines:
• To enable the custom web pages feature, specify all four custom HTML files. If you specify fewer than
four files, the internal default HTML pages are used.
• The four custom HTML files must be present on the flash memory of the switch. The maximum size of
each HTML file is 8 KB.
• Any images on the custom pages must be on an accessible HTTP server. Configure an intercept ACL
within the admission rule.
• Any external link from a custom page requires configuration of an intercept ACL within the admission
rule.
• To access a valid DNS server, any name resolution required for external links or images requires
configuration of an intercept ACL within the admission rule.
• If the custom web pages feature is enabled, a configured auth-proxy-banner is not used.
• If the custom web pages feature is enabled, the redirection URL for successful login feature is not
available.
• To remove the specification of a custom file, use the no form of the command.

Because the custom login page is a public web form, consider these guidelines for the page:
• The login form must accept a username and a password and must submit them as the form fields uname
and pwd.
• The custom login page should follow best practices for a web form, such as a page timeout, a masked
password field, and prevention of duplicate submissions.
• The form posts the user's credentials to the switch's HTTP server, so enable ip http secure-server so that
the login page and the credential submission are carried over HTTPS.

Related Topics
Customizing the Authentication Proxy Web Pages, on page 1478

Redirection URL for Successful Login Guidelines


When configuring a redirection URL for successful login, consider these guidelines:
• If the custom authentication proxy web pages feature is enabled, the redirection URL feature is disabled
and is not available in the CLI. You can perform redirection in the custom-login success page.
• If the redirection URL feature is enabled, a configured auth-proxy-banner is not used.
• To remove the specification of a redirection URL, use the no form of the command.
• If the redirection URL is required after the web-based authentication client is successfully authenticated,
then the URL string must start with a valid URL (for example, http://) followed by the URL information.
If only the URL is given without http://, then the redirection URL on successful authentication might
cause page not found or similar errors on a web browser.

Related Topics
Specifying a Redirection URL for Successful Login, on page 1479


Web-based Authentication Interactions with Other Features


Port Security
You can configure web-based authentication and port security on the same port. Web-based authentication
authenticates the port, and port security manages network access for all MAC addresses, including that of the
client. You can then limit the number or group of clients that can access the network through the port.
Related Topics
Enabling and Configuring Port Security, on page 1507

LAN Port IP
You can configure LAN port IP (LPIP) and Layer 2 web-based authentication on the same port. The host is
authenticated by using web-based authentication first, followed by LPIP posture validation. The LPIP host
policy overrides the web-based authentication host policy.
If the web-based authentication idle timer expires, the NAC policy is removed. The host is authenticated, and
posture is validated again.

Gateway IP
You cannot configure Gateway IP (GWIP) on a Layer 3 VLAN interface if web-based authentication is
configured on any of the switch ports in the VLAN.
You can configure web-based authentication on the same Layer 3 interface as Gateway IP. The host policies
for both features are applied in software. The GWIP policy overrides the web-based authentication host policy.

ACLs
If you configure a VLAN ACL or a Cisco IOS ACL on an interface, the ACL is applied to the host traffic
only after the web-based authentication host policy is applied.
For Layer 2 web-based authentication, it is more secure, though not required, to configure a port ACL (PACL)
as the default access policy for ingress traffic from hosts connected to the port. After authentication, the
web-based authentication host policy overrides the PACL. The Policy ACL is applied to the session even if
there is no ACL configured on the port.
You cannot configure a MAC ACL and web-based authentication on the same interface.
You cannot configure web-based authentication on a port whose access VLAN is configured for VACL
capture.

Context-Based Access Control


Web-based authentication cannot be configured on a Layer 2 port if context-based access control (CBAC) is
configured on the Layer 3 VLAN interface of the port VLAN.

EtherChannel
You can configure web-based authentication on a Layer 2 EtherChannel interface. The web-based authentication
configuration applies to all member channels.


How to Configure Web-Based Authentication


Default Web-Based Authentication Configuration
The following table shows the default web-based authentication configuration.

Table 152: Default Web-based Authentication Configuration

Feature                                    Default Setting
AAA                                        Disabled
RADIUS server IP address                   None specified
RADIUS server UDP authentication port      1645
RADIUS server key                          None specified
Default value of inactivity timeout        3600 seconds
Inactivity timeout                         Enabled

Web-Based Authentication Configuration Guidelines and Restrictions


• Web-based authentication is an ingress-only feature.
• You can configure web-based authentication only on access ports. Web-based authentication is not
supported on trunk ports, EtherChannel member ports, or dynamic trunk ports.
• You cannot authenticate hosts on Layer 2 interfaces with static ARP cache assignment. These hosts are
not detected by the web-based authentication feature because they do not send ARP messages.
• By default, the IP device tracking feature is disabled on a switch. You must enable the IP device tracking
feature to use web-based authentication.
• You must configure at least one IP address to run the switch HTTP server. You must also configure
routes to reach each host IP address. The HTTP server sends the HTTP login page to the host.
• Hosts that are more than one hop away might experience traffic disruption if an STP topology change
results in the host traffic arriving on a different port. This occurs because the ARP and DHCP updates
might not be sent after a Layer 2 (STP) topology change.
• Web-based authentication does not support VLAN assignment as a downloadable-host policy.
• Web-based authentication supports IPv6 in Session-aware policy mode. IPv6 Web-authentication requires
at least one IPv6 address configured on the switch and IPv6 Snooping configured on the switchport.
• Web-based authentication and Network Edge Access Topology (NEAT) are mutually exclusive. You
cannot use web-based authentication when NEAT is enabled on an interface, and you cannot use NEAT
when web-based authentication is running on an interface.


• Only the Password Authentication Protocol (PAP) is supported for web-based RADIUS authentication.
The Challenge Handshake Authentication Protocol (CHAP) is not supported. With PAP the user's password
travels to the RADIUS server in the User-Password attribute, protected only by the RADIUS shared secret,
so use a strong secret and keep the switch-to-server path on a trusted network.
• Identify the RADIUS security server settings that will be used while configuring
switch-to-RADIUS-server communication:
  • Host name
  • Host IP address
  • Host name and specific UDP port numbers
  • IP address and specific UDP port numbers

The combination of the IP address and UDP port number creates a unique identifier, which enables RADIUS
requests to be sent to multiple UDP ports on a server at the same IP address. If two different host entries
on the same RADIUS server are configured for the same service (for example, authentication), the second
host entry configured functions as the failover backup to the first one. The RADIUS host entries are tried
in the order in which they were configured.
• When you configure the RADIUS server parameters:
  • Specify the key string on a separate command line.
  • For key string, specify the authentication and encryption key used between the switch and the
    RADIUS daemon running on the RADIUS server. The key is a text string that must match the key
    configured on the RADIUS server.
  • Leading spaces in the key string are ignored, but spaces within and at the end of the key are part of
    the key. If you use spaces in the key, do not enclose the key in quotation marks unless the quotation
    marks are part of the key.
  • You can configure the timeout, retransmission, and key values for an individual server with the options
    of the radius-server host global configuration command. To set these values globally for all RADIUS
    servers, use the radius-server timeout, radius-server retransmit, and radius-server key global
    configuration commands. For more information, see the Cisco IOS Security Configuration Guide,
    Release 12.4 and the Cisco IOS Security Command Reference, Release 12.4.

Note You need to configure some settings on the RADIUS server, including: the switch
IP address, the key string to be shared by both the server and the switch, and the
downloadable ACL (DACL). For more information, see the RADIUS server
documentation.

Configuring the Authentication Rule and Interfaces


Follow these steps to configure the authentication rule and interfaces:

SUMMARY STEPS
1. enable


2. configure terminal
3. ip admission name name proxy http
4. interface type slot/port
5. ip access-group name
6. ip admission name
7. exit
8. ip device tracking
9. end
10. show ip admission status
11. copy running-config startup-config

DETAILED STEPS

Step 1: enable
    Purpose: Enables privileged EXEC mode. Enter your password if prompted.
    Example: SwitchDevice> enable

Step 2: configure terminal
    Purpose: Enters global configuration mode.
    Example: SwitchDevice# configure terminal

Step 3: ip admission name name proxy http
    Purpose: Configures an authentication rule for web-based authorization.
    Example: SwitchDevice(config)# ip admission name webauth1 proxy http

Step 4: interface type slot/port
    Purpose: Enters interface configuration mode and specifies the ingress Layer 2 or Layer 3 interface to be
    enabled for web-based authentication. type can be fastethernet, gigabitethernet, or tengigabitethernet.
    Example: SwitchDevice(config)# interface gigabitEthernet1/0/1

Step 5: ip access-group name
    Purpose: Applies the default ACL. This is the ingress policy that governs what an unauthenticated host
    can send before the AAA server returns a per-user policy.
    Example: SwitchDevice(config-if)# ip access-group webauthag

Step 6: ip admission name
    Purpose: Configures web-based authentication on the specified interface.
    Example: SwitchDevice(config-if)# ip admission webauth1

Step 7: exit
    Purpose: Returns to global configuration mode.
    Example: SwitchDevice(config-if)# exit

Step 8: ip device tracking
    Purpose: Enables the IP device tracking table, which web-based authentication requires for host detection.
    Example: SwitchDevice(config)# ip device tracking

Step 9: end
    Purpose: Returns to privileged EXEC mode.
    Example: SwitchDevice(config)# end

Step 10: show ip admission status
    Purpose: Displays the configuration.
    Example: SwitchDevice# show ip admission status

Step 11: copy running-config startup-config
    Purpose: (Optional) Saves your entries in the configuration file.
    Example: SwitchDevice# copy running-config startup-config

Configuring AAA Authentication


Follow these steps to configure AAA authentication:

SUMMARY STEPS
1. enable
2. configure terminal
3. aaa new-model
4. aaa authentication login default group {tacacs+ | radius}
5. aaa authorization auth-proxy default group {tacacs+ | radius}
6. tacacs-server host {hostname | ip_address}
7. tacacs-server key {key-data}


8. end
9. show running-config
10. copy running-config startup-config

DETAILED STEPS

Step 1: enable
    Purpose: Enables privileged EXEC mode. Enter your password if prompted.
    Example: SwitchDevice> enable

Step 2: configure terminal
    Purpose: Enters global configuration mode.
    Example: SwitchDevice# configure terminal

Step 3: aaa new-model
    Purpose: Enables AAA functionality.
    Example: SwitchDevice(config)# aaa new-model

Step 4: aaa authentication login default group {tacacs+ | radius}
    Purpose: Defines the list of authentication methods at login.
    Example: SwitchDevice(config)# aaa authentication login default group tacacs+

Step 5: aaa authorization auth-proxy default group {tacacs+ | radius}
    Purpose: Creates an authorization method list for web-based authorization.
    Example: SwitchDevice(config)# aaa authorization auth-proxy default group tacacs+

Step 6: tacacs-server host {hostname | ip_address}
    Purpose: Specifies an AAA server.
    Example: SwitchDevice(config)# tacacs-server host 10.1.1.1

Step 7: tacacs-server key {key-data}
    Purpose: Configures the authentication and encryption key used between the switch and the TACACS+
    server.
    Example: SwitchDevice(config)# tacacs-server key key-data

Step 8: end
    Purpose: Returns to privileged EXEC mode.
    Example: SwitchDevice(config)# end

Step 9: show running-config
    Purpose: Verifies your entries.
    Example: SwitchDevice# show running-config

Step 10: copy running-config startup-config
    Purpose: (Optional) Saves your entries in the configuration file.
    Example: SwitchDevice# copy running-config startup-config

Configuring Switch-to-RADIUS-Server Communication


Follow these steps to configure the RADIUS server parameters:

SUMMARY STEPS
1. enable
2. configure terminal
3. ip radius source-interface vlan vlan interface number
4. radius-server host {hostname | ip-address} test username username
5. radius-server key string
6. radius-server dead-criteria tries num-tries
7. end

DETAILED STEPS

Step 1: enable
    Purpose: Enables privileged EXEC mode. Enter your password if prompted.
    Example: SwitchDevice> enable

Step 2: configure terminal
    Purpose: Enters global configuration mode.
    Example: SwitchDevice# configure terminal

Step 3: ip radius source-interface vlan vlan interface number
    Purpose: Specifies that RADIUS packets are sent with the IP address of the indicated VLAN interface as
    their source address.
    Example: SwitchDevice(config)# ip radius source-interface vlan 80

Step 4: radius-server host {hostname | ip-address} test username username
    Purpose: Specifies the host name or IP address of the remote RADIUS server.
    The test username username option enables automated testing of the RADIUS server connection. The
    specified username does not need to be a valid user name.
    The optional key keyword on this command specifies a per-server authentication and encryption key to
    use between the switch and this RADIUS server.
    To use multiple RADIUS servers, reenter this command for each server.
    Example: SwitchDevice(config)# radius-server host 172.120.39.46 test username user1

Step 5: radius-server key string
    Purpose: Configures the authentication and encryption key used between the switch and the RADIUS
    daemon running on the RADIUS server.
    Example: SwitchDevice(config)# radius-server key rad123

Step 6: radius-server dead-criteria tries num-tries
    Purpose: Specifies the number of unanswered messages sent to a RADIUS server before the server is
    considered inactive. The range of num-tries is 1 to 100.
    Example: SwitchDevice(config)# radius-server dead-criteria tries 30

Step 7: end
    Purpose: Returns to privileged EXEC mode.
    Example: SwitchDevice(config)# end

Configuring the HTTP Server


To use web-based authentication, you must enable the HTTP server on the switch. You can enable the
server for HTTP, HTTPS, or both.


Note The Apple pseudo-browser does not open if you configure only the ip http secure-server command. You
should also configure the ip http server command.

Follow these steps to enable the server for either HTTP or HTTPS:

SUMMARY STEPS
1. enable
2. configure terminal
3. ip http server
4. ip http secure-server
5. end

DETAILED STEPS

Step 1: enable
    Purpose: Enables privileged EXEC mode. Enter your password if prompted.
    Example: SwitchDevice> enable

Step 2: configure terminal
    Purpose: Enters global configuration mode.
    Example: SwitchDevice# configure terminal

Step 3: ip http server
    Purpose: Enables the HTTP server. The web-based authentication feature uses the HTTP server to
    communicate with the hosts for user authentication.
    Example: SwitchDevice(config)# ip http server

Step 4: ip http secure-server
    Purpose: Enables HTTPS. You can configure custom authentication proxy web pages or specify a
    redirection URL for successful login.
    Note: To ensure secure authentication when you enter the ip http secure-server command, the login
    page is always served over HTTPS (secure HTTP) even if the user sends an HTTP request.
    Example: SwitchDevice(config)# ip http secure-server

Step 5: end
    Purpose: Returns to privileged EXEC mode.
    Example: SwitchDevice(config)# end
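The following is an added example, not configuration from the original guide, that puts the four preceding procedures together into one legacy-mode web authentication configuration using RADIUS. The access port, VLAN 80 and its address, the RADIUS server addresses 198.51.100.10 and 198.51.100.11, the shared secret, and the body of the webauthag ACL are assumptions for this example: the guide names webauthag as the port's default ACL but does not show what it permits.

```ios
! Added example (not from the guide): complete legacy-mode web
! authentication with RADIUS. Addresses, VLAN, secret and the body of the
! webauthag ACL are assumptions for illustration.
!
! AAA: RADIUS for login authentication and for the auth-proxy
! authorization method list that web-based authentication consults.
aaa new-model
aaa authentication login default group radius
aaa authorization auth-proxy default group radius
!
! The switch HTTP server needs at least one IP address; the same SVI is
! used as the RADIUS source.
interface Vlan80
 ip address 192.0.2.1 255.255.255.0
!
! Switch-to-RADIUS communication. Web authentication uses PAP, so the
! shared secret is the only protection for the user's password between
! switch and server: use a long random string. The second host entry is
! the failover for the first (entries are tried in configured order).
ip radius source-interface vlan 80
radius-server host 198.51.100.10 test username probe-user
radius-server host 198.51.100.11 test username probe-user
radius-server key Example-Only-Replace-With-A-Long-Random-Secret
radius-server dead-criteria tries 30
!
! Default (pre-authentication) ingress policy for hosts on the port
! (assumed content). Unauthenticated hosts can only obtain an address,
! resolve names and make HTTP requests, which the switch intercepts to
! serve the login page. Everything else is dropped until a successful
! login, after which the policy returned by the AAA server overrides it.
ip access-list extended webauthag
 permit udp any any eq bootps
 permit udp any any eq domain
 permit tcp any any eq www
 deny ip any any
!
! Authentication rule and the access port it protects.
ip admission name webauth1 proxy http
!
interface GigabitEthernet1/0/1
 switchport mode access
 switchport access vlan 80
 ip access-group webauthag in
 ip admission webauth1
!
! Required: web-based authentication learns hosts from the IP device
! tracking table, which is disabled by default.
ip device tracking
!
! The switch's own HTTP server delivers the login page. Keep both
! commands: with only ip http secure-server the Apple pseudo-browser
! does not open, and with secure-server enabled the login page is
! served over HTTPS even when the host asked for HTTP.
ip http server
ip http secure-server
!
! Verify from privileged EXEC:
!   show ip admission status
!   show ip admission cache
!   show ip device tracking all
```

Before enabling this on production ports, confirm with show ip admission status that the rule is bound to the interface, and review the webauthag ACL line by line: everything it permits is reachable by a host that has not authenticated, so keep it to what the login flow needs (address assignment, name resolution, and the HTTP request that is intercepted).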

Customizing the Authentication Proxy Web Pages


You can configure web authentication to display four substitute HTML pages to the user in place of the
switch's default HTML pages during web-based authentication.
For the equivalent Session Aware Networking configuration example for this feature, see the section
"Configuring a Parameter Map for Web-Based Authentication" in the chapter "Configuring Identity Control
Policies" of the book "Session Aware Networking Configuration Guide, Cisco IOS XE Release 3SE (Catalyst
3850 Switches)."
Follow these steps to specify the use of your custom authentication proxy web pages:

Before you begin


Store your custom HTML files on the switch flash memory.

SUMMARY STEPS
1. enable
2. configure terminal
3. ip admission proxy http login page file device:login-filename
4. ip admission proxy http success page file device:success-filename
5. ip admission proxy http failure page file device:fail-filename
6. ip admission proxy http login expired page file device:expired-filename
7. end

DETAILED STEPS

Step 1: enable
    Purpose: Enables privileged EXEC mode. Enter your password if prompted.
    Example: SwitchDevice> enable

Step 2: configure terminal
    Purpose: Enters global configuration mode.
    Example: SwitchDevice# configure terminal

Step 3: ip admission proxy http login page file device:login-filename
    Purpose: Specifies the location in the switch memory file system of the custom HTML file to use in place
    of the default login page. device: is flash memory.
    Example: SwitchDevice(config)# ip admission proxy http login page file disk1:login.htm

Step 4: ip admission proxy http success page file device:success-filename
    Purpose: Specifies the location of the custom HTML file to use in place of the default login success page.
    Example: SwitchDevice(config)# ip admission proxy http success page file disk1:success.htm

Step 5: ip admission proxy http failure page file device:fail-filename
    Purpose: Specifies the location of the custom HTML file to use in place of the default login failure page.
    Example: SwitchDevice(config)# ip admission proxy http fail page file disk1:fail.htm

Step 6: ip admission proxy http login expired page file device:expired-filename
    Purpose: Specifies the location of the custom HTML file to use in place of the default login expired page.
    Example: SwitchDevice(config)# ip admission proxy http login expired page file disk1:expired.htm

Step 7: end
    Purpose: Returns to privileged EXEC mode.
    Example: SwitchDevice(config)# end

Related Topics
Authentication Proxy Web Page Guidelines, on page 1468

Specifying a Redirection URL for Successful Login


Follow these steps to specify a URL to which the user is redirected after authentication, effectively replacing
the internal Success HTML page:

SUMMARY STEPS
1. enable
2. configure terminal
3. ip admission proxy http success redirect url-string
4. end


DETAILED STEPS

Step 1: enable
    Purpose: Enables privileged EXEC mode. Enter your password if prompted.
    Example: SwitchDevice> enable

Step 2: configure terminal
    Purpose: Enters global configuration mode.
    Example: SwitchDevice# configure terminal

Step 3: ip admission proxy http success redirect url-string
    Purpose: Specifies a URL to which the user is redirected in place of the default login success page. The
    URL must start with a scheme such as http://; a bare host name can produce page not found or similar
    errors in the browser.
    Example: SwitchDevice(config)# ip admission proxy http success redirect http://www.example.com

Step 4: end
    Purpose: Returns to privileged EXEC mode.
    Example: SwitchDevice(config)# end

Related Topics
Redirection URL for Successful Login Guidelines, on page 1468

Configuring the Web-Based Authentication Parameters


Follow these steps to configure the maximum number of failed login attempts before the client is placed in a
watch list for a waiting period:

SUMMARY STEPS
1. enable
2. configure terminal
3. ip admission max-login-attempts number
4. end
5. show running-config
6. copy running-config startup-config


DETAILED STEPS

Command or Action Purpose


Step 1 enable Enables privileged EXEC mode. Enter your password if
prompted.
Example:

SwitchDevice> enable

Step 2 configure terminal Enters the global configuration mode.


Example:

SwitchDevice# configure terminal

Step 3 ip admission max-login-attempts number
Sets the maximum number of failed login attempts. The range is 1 to 2147483647 attempts. The default is 5.
Example:
SwitchDevice(config)# ip admission max-login-attempts 10

Step 4 end Returns to privileged EXEC mode.


Example:

SwitchDevice(config)# end

Step 5 show running-config Verifies your entries.


Example:

SwitchDevice# show running-config

Step 6 copy running-config startup-config (Optional) Saves your entries in the configuration file.
Example:

SwitchDevice# copy running-config startup-config

Configuring a Web-Based Authentication Local Banner


Follow these steps to configure a local banner on a switch that has web authentication configured.

SUMMARY STEPS
1. enable
2. configure terminal
3. ip admission auth-proxy-banner http [banner-text | file-path]


4. end
5. show running-config
6. copy running-config startup-config

DETAILED STEPS

Command or Action Purpose


Step 1 enable Enables privileged EXEC mode. Enter your password if
prompted.
Example:

SwitchDevice> enable

Step 2 configure terminal Enters the global configuration mode.


Example:

SwitchDevice# configure terminal

Step 3 ip admission auth-proxy-banner http [banner-text | file-path]
Enables the local banner.
(Optional) Create a custom banner by entering C banner-text C (where C is a delimiting character), or file-path that indicates a file (for example, a logo or text file) that appears in the banner.
Example:
SwitchDevice(config)# ip admission auth-proxy-banner http C My Switch C

Step 4 end Returns to privileged EXEC mode.


Example:

SwitchDevice(config)# end

Step 5 show running-config Verifies your entries.


Example:

SwitchDevice# show running-config

Step 6 copy running-config startup-config (Optional) Saves your entries in the configuration file.
Example:

SwitchDevice# copy running-config startup-config

Configuring Web-Based Authentication without SVI


You configure the web-based authentication without SVI feature to redirect the HTML login page to the client
without creating an IP address in the routing table. These steps are optional.


SUMMARY STEPS
1. enable
2. configure terminal
3. parameter-map type webauth global
4. l2-webauth-enabled
5. end
6. show running-config
7. copy running-config startup-config

DETAILED STEPS

Command or Action Purpose


Step 1 enable Enables privileged EXEC mode. Enter your password if
prompted.
Example:

SwitchDevice> enable

Step 2 configure terminal Enters the global configuration mode.


Example:

SwitchDevice# configure terminal

Step 3 parameter-map type webauth global
Creates a parameter map and enters parameter-map webauth configuration mode. The specific configuration commands supported for a global parameter map defined with the global keyword differ from the commands supported for a named parameter map defined with the parameter-map-name argument.
Example:
SwitchDevice(config)# parameter-map type webauth global

Step 4 l2-webauth-enabled
Enables the web-based authentication without SVI feature.
Example:
SwitchDevice(config-params-parameter-map)# l2-webauth-enabled

Step 5 end
Returns to privileged EXEC mode.
Example:
SwitchDevice(config-params-parameter-map)# end

Step 6 show running-config Verifies your entries.


Example:

SwitchDevice# show running-config

Step 7 copy running-config startup-config (Optional) Saves your entries in the configuration file.
Example:

SwitchDevice# copy running-config startup-config

Configuring Web-Based Authentication with VRF Aware


You configure VRF-aware web-based authentication to redirect the HTML login page to the client. These steps
are optional.

SUMMARY STEPS
1. enable
2. configure terminal
3. parameter-map type webauth global
4. webauth-vrf-aware
5. end
6. show running-config
7. copy running-config startup-config

DETAILED STEPS

Command or Action Purpose


Step 1 enable Enables privileged EXEC mode. Enter your password if
prompted.
Example:

SwitchDevice> enable

Step 2 configure terminal Enters the global configuration mode.


Example:

SwitchDevice# configure terminal

Step 3 parameter-map type webauth global
Creates a parameter map and enters parameter-map webauth configuration mode. The specific configuration commands supported for a global parameter map defined with the global keyword differ from the commands supported for a named parameter map defined with the parameter-map-name argument.
Example:
SwitchDevice(config)# parameter-map type webauth global

Step 4 webauth-vrf-aware
Enables the web-based authentication VRF aware feature on the SVI.
Example:
SwitchDevice(config-params-parameter-map)# webauth-vrf-aware

Step 5 end
Returns to privileged EXEC mode.
Example:
SwitchDevice(config-params-parameter-map)# end

Step 6 show running-config Verifies your entries.


Example:

SwitchDevice# show running-config

Step 7 copy running-config startup-config (Optional) Saves your entries in the configuration file.
Example:

SwitchDevice# copy running-config startup-config

Removing Web-Based Authentication Cache Entries


Follow these steps to remove web-based authentication cache entries:

SUMMARY STEPS
1. enable
2. clear ip auth-proxy cache {* | host ip address}
3. clear ip admission cache {* | host ip address}

DETAILED STEPS

Command or Action Purpose


Step 1 enable Enables privileged EXEC mode. Enter your password if
prompted.
Example:

SwitchDevice> enable

Step 2 clear ip auth-proxy cache {* | host ip address}
Deletes authentication proxy entries. Use an asterisk to delete all cache entries. Enter a specific IP address to delete the entry for a single host.
Example:
SwitchDevice# clear ip auth-proxy cache 192.168.4.5

Step 3 clear ip admission cache {* | host ip address}
Deletes authentication proxy entries. Use an asterisk to delete all cache entries. Enter a specific IP address to delete the entry for a single host.
Example:
SwitchDevice# clear ip admission cache 192.168.4.5

Monitoring Web-Based Authentication Status


Use the commands in this topic to display the web-based authentication settings for all interfaces or for specific
ports.

Table 153: Privileged EXEC show Commands

show authentication sessions method webauth
Displays the web-based authentication settings for all interfaces for fastethernet, gigabitethernet, or tengigabitethernet.

show authentication sessions interface type slot/port [details]
Displays the web-based authentication settings for the specified interface for fastethernet, gigabitethernet, or tengigabitethernet. In Session Aware Networking mode, use the show access-session interface command.

CHAPTER 64
Configuring Port-Based Traffic Control
• Overview of Port-Based Traffic Control , on page 1487
• Finding Feature Information, on page 1488
• Information About Storm Control, on page 1488
• How to Configure Storm Control, on page 1490
• Information About Protected Ports, on page 1497
• How to Configure Protected Ports, on page 1498
• Monitoring Protected Ports, on page 1499
• Where to Go Next, on page 1500
• Information About Port Blocking, on page 1500
• How to Configure Port Blocking, on page 1500
• Monitoring Port Blocking, on page 1502
• Prerequisites for Port Security, on page 1502
• Restrictions for Port Security, on page 1502
• Information About Port Security, on page 1502
• How to Configure Port Security, on page 1507
• Configuration Examples for Port Security, on page 1528
• Information About Protocol Storm Protection, on page 1529
• How to Configure Protocol Storm Protection, on page 1529
• Monitoring Protocol Storm Protection, on page 1531

Overview of Port-Based Traffic Control


Port-based traffic control is a set of Layer 2 features on the Cisco Catalyst switches used to filter or block
packets at the port level in response to specific traffic conditions. The following port-based traffic control
features are supported in the Cisco IOS Release for which this guide is written:
• Storm Control
• Protected Ports
• Port Blocking
• Port Security
• Protocol Storm Protection


Finding Feature Information


Your software release may not support all the features documented in this module. For the latest caveats and
feature information, see Bug Search Tool and the release notes for your platform and software release. To
find information about the features documented in this module, and to see a list of the releases in which each
feature is supported, see the feature information table at the end of this module.
Use Cisco Feature Navigator to find information about platform support and Cisco software image support.
To access Cisco Feature Navigator, go to http://www.cisco.com/go/cfn. An account on Cisco.com is not
required.

Information About Storm Control


Storm Control
Storm control prevents traffic on a LAN from being disrupted by a broadcast, multicast, or unicast storm on
one of the physical interfaces. A LAN storm occurs when packets flood the LAN, creating excessive traffic
and degrading network performance. Errors in the protocol-stack implementation, mistakes in network
configurations, or users issuing a denial-of-service attack can cause a storm.
Storm control (or traffic suppression) monitors packets passing from an interface to the switching bus and
determines if the packet is unicast, multicast, or broadcast. The switch counts the number of packets of a
specified type received within the 1-second time interval and compares the measurement with a predefined
suppression-level threshold.

How Traffic Activity is Measured


Storm control uses one of these methods to measure traffic activity:
• Bandwidth as a percentage of the total available bandwidth of the port that can be used by the broadcast,
multicast, or unicast traffic
• Traffic rate in packets per second at which broadcast, multicast, or unicast packets are received
• Traffic rate in bits per second at which broadcast, multicast, or unicast packets are received
• Traffic rate in packets per second and for small frames. This feature is enabled globally. The threshold
for small frames is configured for each interface.

With each method, the port blocks traffic when the rising threshold is reached. The port remains blocked until
the traffic rate drops below the falling threshold (if one is specified) and then resumes normal forwarding. If
the falling suppression level is not specified, the switch blocks all traffic until the traffic rate drops below the
rising suppression level. In general, the higher the level, the less effective the protection against broadcast
storms.


Note When the storm control threshold for multicast traffic is reached, all multicast traffic except control traffic,
such as bridge protocol data unit (BPDU) and Cisco Discovery Protocol (CDP) frames, is blocked. However,
the switch does not differentiate between routing updates, such as OSPF, and regular multicast data traffic,
so both types of traffic are blocked.

Traffic Patterns
Figure 124: Broadcast Storm Control Example

This example shows broadcast traffic patterns on an interface over a given period of time.

Broadcast traffic being forwarded exceeded the configured threshold between time intervals T1 and T2 and
between T4 and T5. When the amount of specified traffic exceeds the threshold, all traffic of that kind is
dropped for the next time period. Therefore, broadcast traffic is blocked during the intervals following T2
and T5. At the next time interval (for example, T3), if broadcast traffic does not exceed the threshold, it is
again forwarded.
The combination of the storm-control suppression level and the 1-second time interval controls the way the
storm control algorithm works. A higher threshold allows more packets to pass through. A threshold value
of 100 percent means that no limit is placed on the traffic. A value of 0.0 means that all broadcast, multicast,
or unicast traffic on that port is blocked.

Note Because packets do not arrive at uniform intervals, the 1-second time interval during which traffic activity is
measured can affect the behavior of storm control.

You use the storm-control interface configuration commands to set the threshold value for each traffic type.
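The threshold behaviour described above (a 1-second measurement interval, a rising suppression level that starts blocking, and an optional falling level that ends it) is easy to get wrong when choosing values, so it helps to model it. The following Python script is an added example and is not code from the Cisco guide; the class and function names, the choice of "exceeds" for the rising comparison and "below" for the falling one, the assumed 1 Gb/s port and the sample rates are illustrations, not documented behaviour.

```python
"""Hysteresis model of Catalyst storm control (added example; not from the guide).

Models the behaviour the text describes: the switch measures the rate of one
traffic type per 1-second interval, drops that traffic type for the next
interval once the rising suppression level is exceeded, and keeps dropping it
until the measured rate falls below the falling suppression level (which the
CLI sets equal to the rising level when omitted). Names, comparison operators
and sample rates are assumptions for illustration.
"""
from dataclasses import dataclass
from typing import List, Optional

# metric suffixes the CLI accepts for bps and pps thresholds (k, m, g)
SUFFIX = {"k": 1_000.0, "m": 1_000_000.0, "g": 1_000_000_000.0}


def parse_rate(text: str) -> float:
    """Parse a bps/pps threshold as typed on the CLI, e.g. '500k', '2.5m', '10000'."""
    text = text.strip().lower()
    if text and text[-1] in SUFFIX:
        return float(text[:-1]) * SUFFIX[text[-1]]
    return float(text)


@dataclass
class StormControl:
    """One storm-control policy for one traffic type on one port."""
    rising: float                     # rising suppression level (percent, bps or pps)
    falling: Optional[float] = None   # falling level; omitted on the CLI -> equal to rising
    action_shutdown: bool = False     # 'storm-control action shutdown' (err-disable the port)

    def __post_init__(self) -> None:
        if self.falling is None:
            self.falling = self.rising
        if self.falling > self.rising:
            # the CLI requires the falling level to be <= the rising level
            raise ValueError("falling threshold must be <= rising threshold")

    def simulate(self, samples: List[float]) -> List[str]:
        """Per 1-second measurement, the state applied to the following interval.

        'forward'    - traffic of this type is forwarded
        'drop'       - traffic of this type is dropped (the default action)
        'errdisable' - the port was err-disabled and stays down
        """
        states: List[str] = []
        blocked = False
        for rate in samples:
            if states and states[-1] == "errdisable":
                states.append("errdisable")   # a down port stays down until recovery
                continue
            if not blocked and rate > self.rising:      # storm detected
                if self.action_shutdown:
                    states.append("errdisable")
                    continue
                blocked = True
            elif blocked and rate < self.falling:       # storm subsided
                blocked = False
            states.append("drop" if blocked else "forward")
        return states

    def cli(self, traffic: str, unit: str = "pps") -> str:
        """Render the matching interface command (unit: 'percent', 'bps' or 'pps')."""
        if unit == "percent":
            return f"storm-control {traffic} level {self.rising:.2f} {self.falling:.2f}"
        return f"storm-control {traffic} level {unit} {self.rising:g} {self.falling:g}"


if __name__ == "__main__":
    # constructed broadcast rates (pps) for six consecutive 1-second intervals
    samples = [200, 1500, 900, 400, 1200, 300]
    policy = StormControl(rising=parse_rate("1k"), falling=500)
    print(policy.cli("broadcast"))                      # storm-control broadcast level pps 1000 500
    print(policy.simulate(samples))                     # the falling level keeps 900 pps blocked
    print(StormControl(rising=1000).simulate(samples))  # without it, 900 pps unblocks the port
```

The two runs in the `__main__` block show the practical difference a falling level makes: with `level pps 1000 500` the port stays blocked at 900 pps, while with a single level it flaps back to forwarding at 900 pps and blocks again at 1200 pps.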


How to Configure Storm Control


Configuring Storm Control and Threshold Levels
You configure storm control on a port and enter the threshold level that you want to be used for a particular
type of traffic.
However, because of hardware limitations and the way in which packets of different sizes are counted, threshold
percentages are approximations. Depending on the sizes of the packets making up the incoming traffic, the
actual enforced threshold might differ from the configured level by several percentage points.

Note Storm control is supported on physical interfaces. You can also configure storm control on an EtherChannel.
When storm control is configured on an EtherChannel, the storm control settings propagate to the EtherChannel
physical interfaces.

Follow these steps to configure storm control and threshold levels:

SUMMARY STEPS
1. enable
2. configure terminal
3. interface interface-id
4. storm-control {broadcast | multicast | unicast} level {level [level-low] | bps bps [bps-low] | pps pps
[pps-low]}
5. storm-control action {shutdown | trap}
6. end
7. show storm-control [interface-id] [broadcast | multicast | unicast]
8. copy running-config startup-config

DETAILED STEPS

Command or Action Purpose


Step 1 enable Enables privileged EXEC mode. Enter your password if
prompted.
Example:

SwitchDevice> enable

Step 2 configure terminal Enters the global configuration mode.
Example:

SwitchDevice# configure terminal

Step 3 interface interface-id Specifies the interface to be configured, and enter interface
configuration mode.
Example:

SwitchDevice(config)# interface
gigabitethernet1/0/1

Step 4 storm-control {broadcast | multicast | unicast} level {level [level-low] | bps bps [bps-low] | pps pps [pps-low]}
Configures broadcast, multicast, or unicast storm control. By default, storm control is disabled.
The keywords have these meanings:
• For level, specifies the rising threshold level for broadcast, multicast, or unicast traffic as a percentage (up to two decimal places) of the bandwidth. The port blocks traffic when the rising threshold is reached. The range is 0.00 to 100.00.
• (Optional) For level-low, specifies the falling threshold level as a percentage (up to two decimal places) of the bandwidth. This value must be less than or equal to the rising suppression value. The port forwards traffic when traffic drops below this level. If you do not configure a falling suppression level, it is set to the rising suppression level. The range is 0.00 to 100.00. If you set the threshold to the maximum value (100 percent), no limit is placed on the traffic. If you set the threshold to 0.0, all traffic of the configured type (broadcast, multicast, or unicast) on that port is blocked.
• For bps bps, specifies the rising threshold level for broadcast, multicast, or unicast traffic in bits per second (up to one decimal place). The port blocks traffic when the rising threshold is reached. The range is 0.0 to 10000000000.0.
• (Optional) For bps-low, specifies the falling threshold level in bits per second (up to one decimal place). It must be less than or equal to the rising threshold level. The port forwards traffic when traffic drops below this level. The range is 0.0 to 10000000000.0.
• For pps pps, specifies the rising threshold level for broadcast, multicast, or unicast traffic in packets per second (up to one decimal place). The port blocks traffic when the rising threshold is reached. The range is 0.0 to 10000000000.0.
• (Optional) For pps-low, specifies the falling threshold level in packets per second (up to one decimal place). It must be less than or equal to the rising threshold level. The port forwards traffic when traffic drops below this level. The range is 0.0 to 10000000000.0.
For bps and pps settings, you can use metric suffixes such as k, m, and g for large number thresholds.
Example:
SwitchDevice(config-if)# storm-control unicast level 87 65

Step 5 storm-control action {shutdown | trap}
Specifies the action to be taken when a storm is detected. The default is to filter out the traffic and not to send traps.
• Select the shutdown keyword to error-disable the port during a storm.
• Select the trap keyword to generate an SNMP trap when a storm is detected.
Example:
SwitchDevice(config-if)# storm-control action trap

Step 6 end Returns to privileged EXEC mode.


Example:

SwitchDevice(config-if)# end

Step 7 show storm-control [interface-id] [broadcast | multicast | unicast]
Verifies the storm control suppression levels set on the interface for the specified traffic type. If you do not enter a traffic type, broadcast storm control settings are displayed.
Example:
SwitchDevice# show storm-control gigabitethernet1/0/1 unicast

Step 8 copy running-config startup-config (Optional) Saves your entries in the configuration file.
Example:

SwitchDevice# copy running-config startup-config

Configuring Small-Frame Arrival Rate


Incoming VLAN-tagged packets smaller than 67 bytes are considered small frames. They are forwarded by
the switch, but they do not cause the switch storm-control counters to increment.
You globally enable the small-frame arrival feature on the switch and then configure the small-frame threshold
for packets on each interface. When small frames arrive on an interface at the configured rate (the threshold),
the port is error-disabled and the packets are dropped.

SUMMARY STEPS
1. enable
2. configure terminal
3. errdisable detect cause small-frame
4. errdisable recovery interval interval
5. errdisable recovery cause small-frame
6. interface interface-id
7. small-frame violation-rate pps
8. end
9. show interfaces interface-id
10. show running-config
11. copy running-config startup-config


DETAILED STEPS

Command or Action Purpose


Step 1 enable Enables privileged EXEC mode. Enter your password if
prompted.
Example:

SwitchDevice> enable

Step 2 configure terminal Enters the global configuration mode.


Example:

SwitchDevice# configure terminal

Step 3 errdisable detect cause small-frame
Enables the small-frame arrival-rate feature on the switch.
Example:
SwitchDevice(config)# errdisable detect cause small-frame

Step 4 errdisable recovery interval interval
(Optional) Specifies the time to recover from the specified error-disabled state.
Example:
SwitchDevice(config)# errdisable recovery interval 60

Step 5 errdisable recovery cause small-frame
(Optional) Enables automatic recovery for ports that were error-disabled by the arrival of small frames, so that they are re-enabled after the recovery interval.
Example:
SwitchDevice(config)# errdisable recovery cause small-frame

Step 6 interface interface-id
Specifies the interface to be configured, and enters interface configuration mode.
Example:
SwitchDevice(config)# interface gigabitethernet1/0/2

Step 7 small-frame violation-rate pps
Configures the rate of incoming small frames at which the interface drops the packets and error-disables the port. The range is 1 to 10,000 packets per second (pps).
Example:
SwitchDevice(config-if)# small-frame violation-rate 10000

Step 8 end
Returns to privileged EXEC mode.
Example:
SwitchDevice(config-if)# end

Step 9 show interfaces interface-id Verifies the configuration.


Example:

SwitchDevice# show interfaces gigabitethernet1/0/2

Step 10 show running-config Verifies your entries.


Example:

SwitchDevice# show running-config

Step 11 copy running-config startup-config (Optional) Saves your entries in the configuration file.
Example:

SwitchDevice# copy running-config startup-config

Information About Protected Ports


Protected Ports
Some applications require that no traffic be forwarded at Layer 2 between ports on the same switch so that
one neighbor does not see the traffic generated by another neighbor. In such an environment, the use of
protected ports ensures that there is no exchange of unicast, broadcast, or multicast traffic between these ports
on the switch.
Protected ports have these features:
• A protected port does not forward any traffic (unicast, multicast, or broadcast) to any other port that is
also a protected port. Data traffic cannot be forwarded between protected ports at Layer 2; only control
traffic, such as PIM packets, is forwarded because these packets are processed by the CPU and forwarded
in software. All data traffic passing between protected ports must be forwarded through a Layer 3 device.
• Forwarding behavior between a protected port and a nonprotected port proceeds as usual.

Because a switch stack represents a single logical switch, Layer 2 traffic is not forwarded between any protected
ports in the switch stack, whether they are on the same or different switches in the stack.


Default Protected Port Configuration


The default is to have no protected ports defined.

Protected Ports Guidelines


You can configure protected ports on a physical interface (for example, Gigabit Ethernet port 1) or an
EtherChannel group (for example, port-channel 5). When you enable protected ports for a port channel, it is
enabled for all ports in the port-channel group.

How to Configure Protected Ports


Configuring a Protected Port
Before you begin
No protected ports are defined by default. This task configures one.

SUMMARY STEPS
1. enable
2. configure terminal
3. interface interface-id
4. switchport protected
5. end
6. show interfaces interface-id switchport
7. show running-config
8. copy running-config startup-config

DETAILED STEPS

Command or Action Purpose


Step 1 enable Enables privileged EXEC mode. Enter your password if
prompted.
Example:

SwitchDevice> enable

Step 2 configure terminal Enters the global configuration mode.


Example:

SwitchDevice# configure terminal

Step 3 interface interface-id
Specifies the interface to be configured, and enters interface configuration mode.
Example:
SwitchDevice(config)# interface gigabitethernet1/0/1

Step 4 switchport protected Configures the interface to be a protected port.


Example:

SwitchDevice(config-if)# switchport protected

Step 5 end
Returns to privileged EXEC mode.
Example:
SwitchDevice(config-if)# end

Step 6 show interfaces interface-id switchport
Verifies your entries.
Example:
SwitchDevice# show interfaces gigabitethernet1/0/1 switchport

Step 7 show running-config Verifies your entries.


Example:

SwitchDevice# show running-config

Step 8 copy running-config startup-config (Optional) Saves your entries in the configuration file.
Example:

SwitchDevice# copy running-config startup-config

Monitoring Protected Ports


Table 154: Commands for Displaying Protected Port Settings

Command Purpose

show interfaces [interface-id] switchport Displays the administrative and operational status of
all switching (nonrouting) ports or the specified port,
including port blocking and port protection settings.


Where to Go Next

Information About Port Blocking


Port Blocking
By default, the switch floods packets with unknown destination MAC addresses out of all ports. If unknown
unicast and multicast traffic is forwarded to a protected port, there could be security issues. To prevent unknown
unicast or multicast traffic from being forwarded from one port to another, you can block a port (protected or
nonprotected) from flooding unknown unicast or multicast packets to other ports.

Note With multicast traffic, the port blocking feature blocks only pure Layer 2 packets. Multicast packets that
contain IPv4 or IPv6 information in the header are not blocked.
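The forwarding rules described above (flooding of unknown destinations, the protected-port restriction, and the unicast and multicast blocks, including the pure Layer 2 multicast caveat) as an executable model. This is an added example written for this page, not code or output from the switch. The port names, MAC addresses and the ip_payload flag are constructed for illustration, and the model assumes a single VLAN and that broadcast frames are unaffected by switchport block multicast.

```python
from dataclasses import dataclass

@dataclass
class Port:
    name: str
    protected: bool = False        # switchport protected
    block_unicast: bool = False    # switchport block unicast
    block_multicast: bool = False  # switchport block multicast

@dataclass
class Frame:
    src: str
    dst: str
    ip_payload: bool = False  # IPv4/IPv6 multicast: port blocking leaves it alone

BROADCAST = "ff:ff:ff:ff:ff:ff"

def is_broadcast(mac: str) -> bool:
    return mac.lower() == BROADCAST

def is_multicast(mac: str) -> bool:
    # I/G bit (least-significant bit of the first octet) set, and not the broadcast address
    return not is_broadcast(mac) and int(mac.split(":")[0], 16) & 1 == 1

class Switch:
    """Single-VLAN Layer 2 forwarding model (constructed for illustration)."""

    def __init__(self, ports):
        self.ports = {p.name: p for p in ports}
        self.mac_table = {}  # learned source MAC -> port name

    def forward(self, ingress: str, frame: Frame) -> list:
        """Return the list of egress ports that receive the frame."""
        src_port = self.ports[ingress]
        self.mac_table[frame.src] = ingress               # source-address learning
        known = self.mac_table.get(frame.dst)
        flooding = known is None or is_multicast(frame.dst) or is_broadcast(frame.dst)
        candidates = [n for n in self.ports if n != ingress] if flooding else [known]
        egress_list = []
        for name in candidates:
            egress = self.ports[name]
            # Protected ports never exchange traffic with each other at Layer 2,
            # whether the destination is known or flooded.
            if src_port.protected and egress.protected:
                continue
            if flooding and not is_broadcast(frame.dst):
                if is_multicast(frame.dst):
                    # block multicast stops only pure Layer 2 multicast
                    if egress.block_multicast and not frame.ip_payload:
                        continue
                elif egress.block_unicast:
                    # block unicast stops unknown-unicast flooding out of this port
                    continue
            egress_list.append(name)
        return egress_list

if __name__ == "__main__":
    sw = Switch([Port("Gi1/0/1", protected=True), Port("Gi1/0/2", protected=True),
                 Port("Gi1/0/3", block_unicast=True, block_multicast=True), Port("Gi1/0/4")])
    print(sw.forward("Gi1/0/1", Frame("00:00:00:00:00:01", "00:00:00:00:00:04")))   # unknown unicast
    print(sw.forward("Gi1/0/1", Frame("00:00:00:00:00:01", "01:80:c2:00:00:10")))   # pure L2 multicast
```

Running the model with two protected ports and one port that blocks both flood types shows that an unknown unicast from a protected port reaches only the unprotected, unblocked port, while IP multicast still leaves a port that has switchport block multicast configured.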

How to Configure Port Blocking


Blocking Flooded Traffic on an Interface
Before you begin
The interface can be a physical interface or an EtherChannel group. When you block multicast or unicast
traffic for a port channel, it is blocked on all ports in the port-channel group.

SUMMARY STEPS
1. enable
2. configure terminal
3. interface interface-id
4. switchport block multicast
5. switchport block unicast
6. end
7. show interfaces interface-id switchport
8. show running-config
9. copy running-config startup-config


DETAILED STEPS

Command or Action Purpose


Step 1 enable Enables privileged EXEC mode. Enter your password if
prompted.
Example:

SwitchDevice> enable

Step 2 configure terminal Enters the global configuration mode.


Example:

SwitchDevice# configure terminal

Step 3 interface interface-id Specifies the interface to be configured, and enters interface
configuration mode.
Example:

SwitchDevice(config)# interface
gigabitethernet1/0/1

Step 4 switchport block multicast Blocks unknown multicast forwarding out of the port.
Example:

SwitchDevice(config-if)# switchport block multicast

Note Only pure Layer 2 multicast traffic is blocked. Multicast packets that contain IPv4 or IPv6
information in the header are not blocked.

Step 5 switchport block unicast Blocks unknown unicast forwarding out of the port.
Example:

SwitchDevice(config-if)# switchport block unicast

Step 6 end Returns to privileged EXEC mode.


Example:

SwitchDevice(config-if)# end

Step 7 show interfaces interface-id switchport Verifies your entries.


Example:

SwitchDevice# show interfaces gigabitethernet1/0/1 switchport

Step 8 show running-config Verifies your entries.


Example:


SwitchDevice# show running-config

Step 9 copy running-config startup-config (Optional) Saves your entries in the configuration file.
Example:

SwitchDevice# copy running-config startup-config

Monitoring Port Blocking


Table 155: Commands for Displaying Port Blocking Settings

Command Purpose

show interfaces [interface-id] switchport Displays the administrative and operational status of
all switching (nonrouting) ports or the specified port,
including port blocking and port protection settings.

Prerequisites for Port Security

Note If you try to set the maximum value to a number less than the number of secure addresses already configured
on an interface, the command is rejected.

Restrictions for Port Security


The maximum number of secure MAC addresses that you can configure on a switch or switch stack is set by
the maximum number of available MAC addresses allowed in the system. This number is determined by the
active Switch Database Management (SDM) template. This number is the total of available MAC addresses,
including those used for other Layer 2 functions and any other secure MAC addresses configured on interfaces.

Information About Port Security


Port Security
You can use the port security feature to restrict input to an interface by limiting and identifying MAC addresses
of the stations allowed to access the port. When you assign secure MAC addresses to a secure port, the port
does not forward packets with source addresses outside the group of defined addresses. If you limit the number
of secure MAC addresses to one and assign a single secure MAC address, the workstation attached to that
port is assured the full bandwidth of the port.
If a port is configured as a secure port and the maximum number of secure MAC addresses is reached, when
the MAC address of a station attempting to access the port is different from any of the identified secure MAC
addresses, a security violation occurs. Also, if a station with a secure MAC address configured or learned on
one secure port attempts to access another secure port, a violation is flagged.
Related Topics
Enabling and Configuring Port Security, on page 1507
Configuration Examples for Port Security, on page 1528

Types of Secure MAC Addresses


The switch supports these types of secure MAC addresses:
• Static secure MAC addresses—These are manually configured by using the switchport port-security
mac-address mac-address interface configuration command, stored in the address table, and added to
the switch running configuration.
• Dynamic secure MAC addresses—These are dynamically configured, stored only in the address table,
and removed when the switch restarts.
• Sticky secure MAC addresses—These can be dynamically learned or manually configured, stored in the
address table, and added to the running configuration. If these addresses are saved in the configuration
file, when the switch restarts, the interface does not need to dynamically reconfigure them.

Sticky Secure MAC Addresses


You can configure an interface to convert the dynamic MAC addresses to sticky secure MAC addresses and
to add them to the running configuration by enabling sticky learning. The interface converts all the dynamic
secure MAC addresses, including those that were dynamically learned before sticky learning was enabled, to
sticky secure MAC addresses. All sticky secure MAC addresses are added to the running configuration.
The sticky secure MAC addresses do not automatically become part of the configuration file, which is the
startup configuration used each time the switch restarts. If you save the sticky secure MAC addresses in the
configuration file, when the switch restarts, the interface does not need to relearn these addresses. If you do
not save the sticky secure addresses, they are lost.
If sticky learning is disabled, the sticky secure MAC addresses are converted to dynamic secure addresses
and are removed from the running configuration.

Security Violations
It is a security violation when one of these situations occurs:
• The maximum number of secure MAC addresses have been added to the address table, and a station
whose MAC address is not in the address table attempts to access the interface.
• An address learned or configured on one secure interface is seen on another secure interface in the same
VLAN.


You can configure the interface for one of three violation modes, based on the action to be taken if a violation
occurs:
• protect—when the number of secure MAC addresses reaches the maximum limit allowed on the port,
packets with unknown source addresses are dropped until you remove a sufficient number of secure
MAC addresses to drop below the maximum value or increase the number of maximum allowable
addresses. You are not notified that a security violation has occurred.

Note We do not recommend configuring the protect violation mode on a trunk port.
The protect mode disables learning when any VLAN reaches its maximum limit,
even if the port has not reached its maximum limit.

• restrict—when the number of secure MAC addresses reaches the maximum limit allowed on the port,
packets with unknown source addresses are dropped until you remove a sufficient number of secure
MAC addresses to drop below the maximum value or increase the number of maximum allowable
addresses. In this mode, you are notified that a security violation has occurred. An SNMP trap is sent, a
syslog message is logged, and the violation counter increments.
• shutdown—a port security violation causes the interface to become error-disabled and to shut down
immediately, and the port LED turns off. When a secure port is in the error-disabled state, you can bring
it out of this state by entering the errdisable recovery cause psecure-violation global configuration
command, or you can manually re-enable it by entering the shutdown and no shutdown interface
configuration commands. This is the default mode.
• shutdown vlan—Use to set the security violation mode per VLAN. In this mode, the VLAN is error
disabled instead of the entire port when a violation occurs.

This table shows the violation mode and the actions taken when you configure an interface for port security.

Table 156: Security Violation Mode Actions

Violation Mode       Traffic is forwarded (21)   Sends SNMP trap   Sends syslog message   Displays error message (22)   Violation counter increments   Shuts down port
protect              No                          No                No                     No                            No                             No
restrict             No                          Yes               Yes                    No                            Yes                            No
shutdown             No                          Yes               Yes                    No                            Yes                            Yes
shutdown vlan (23)   No                          Yes               Yes                    No                            Yes                            No

21 Packets with unknown source addresses are dropped until you remove a sufficient number of secure MAC addresses.
22 The switch returns an error message if you manually configure an address that would cause a security violation.
23 Shuts down only the VLAN on which the violation occurred.
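The violation rules in this section, run as code: which frames a secure port forwards, when the two violation conditions fire, and how protect, restrict and shutdown differ in what they count, report and do to the port. This is an added example written for this page, not switch code. It models a single VLAN; the port names and MAC addresses are constructed, the notifications list stands in for the syslog message and SNMP trap, and err_disabled stands in for the error-disabled state.

```python
from dataclasses import dataclass, field

@dataclass
class SecurePort:
    name: str
    maximum: int = 1                 # switchport port-security maximum
    violation: str = "shutdown"      # protect | restrict | shutdown (the default)
    sticky: bool = False             # switchport port-security mac-address sticky
    secure_macs: dict = field(default_factory=dict)    # mac -> "static" | "dynamic" | "sticky"
    violation_count: int = 0
    err_disabled: bool = False
    notifications: list = field(default_factory=list)  # stands in for syslog + SNMP trap

class PortSecurity:
    """Model of secure-address learning and violation handling on one VLAN (constructed)."""

    def __init__(self, ports):
        self.ports = {p.name: p for p in ports}

    def add_static(self, port_name: str, mac: str) -> None:
        port = self.ports[port_name]
        if len(port.secure_macs) >= port.maximum:
            # the switch returns an error rather than exceeding the maximum
            raise ValueError(f"{port_name}: maximum {port.maximum} secure addresses already configured")
        port.secure_macs[mac] = "sticky" if port.sticky else "static"

    def enable_sticky(self, port_name: str) -> None:
        port = self.ports[port_name]
        port.sticky = True
        for mac, kind in list(port.secure_macs.items()):
            if kind == "dynamic":
                port.secure_macs[mac] = "sticky"   # addresses learned earlier convert too

    def ingress(self, port_name: str, src_mac: str) -> bool:
        """Return True if a frame with this source MAC is forwarded, False if dropped."""
        port = self.ports[port_name]
        if port.err_disabled:
            return False
        if src_mac in port.secure_macs:
            return True
        # Violation 1: the address is already secured on another secure port in this VLAN
        owner = next((p for p in self.ports.values() if p is not port and src_mac in p.secure_macs), None)
        if owner is None and len(port.secure_macs) < port.maximum:
            port.secure_macs[src_mac] = "sticky" if port.sticky else "dynamic"
            return True
        # Violation 2: the maximum is reached and the address is unknown
        reason = (f"{src_mac} already secured on {owner.name}" if owner
                  else f"{src_mac} exceeds maximum {port.maximum}")
        if port.violation == "protect":
            return False          # dropped silently: no counter, no syslog, no trap
        port.violation_count += 1
        port.notifications.append(f"%PORT_SECURITY: {port.name}: {reason}")
        if port.violation == "shutdown":
            port.err_disabled = True   # cleared by errdisable recovery or shutdown / no shutdown
        return False

    def running_config(self, port_name: str) -> list:
        """Lines that would appear in the running configuration for this port."""
        port = self.ports[port_name]
        lines = [f"interface {port.name}",
                 " switchport port-security",
                 f" switchport port-security maximum {port.maximum}",
                 f" switchport port-security violation {port.violation}"]
        if port.sticky:
            lines.append(" switchport port-security mac-address sticky")
        for mac, kind in port.secure_macs.items():
            if kind == "static":
                lines.append(f" switchport port-security mac-address {mac}")
            elif kind == "sticky":     # dynamic addresses live only in the address table
                lines.append(f" switchport port-security mac-address sticky {mac}")
        return lines
```

A station whose address is secured on one port and then shows up on another secure port triggers a violation even when the second port is below its maximum; in protect mode nothing is counted or reported, so a monitoring pipeline that keys off show port-security counters sees only restrict and shutdown events.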


Port Security Aging


You can use port security aging to set the aging time for all secure addresses on a port. Two types of aging
are supported per port:
• Absolute—The secure addresses on the port are deleted after the specified aging time.
• Inactivity—The secure addresses on the port are deleted only if the secure addresses are inactive for the
specified aging time.

Related Topics
Enabling and Configuring Port Security Aging, on page 1512

Default Port Security Configuration


Table 157: Default Port Security Configuration

Feature Default Setting

Port security Disabled on a port.

Sticky address learning Disabled.

Maximum number of secure MAC addresses per port 1.

Violation mode Shutdown. The port shuts down when the maximum
number of secure MAC addresses is exceeded.

Port security aging Disabled. Aging time is 0. Static aging is disabled. Type is absolute.

Port Security Configuration Guidelines


• Port security can only be configured on static access ports or trunk ports. A secure port cannot be a
dynamic access port.
• A secure port cannot be a destination port for Switched Port Analyzer (SPAN).


Note Voice VLAN is only supported on access ports and not on trunk ports, even
though the configuration is allowed.

• When you enable port security on an interface that is also configured with a voice VLAN, set the maximum
allowed secure addresses on the port to two. When the port is connected to a Cisco IP phone, the IP
phone requires one MAC address. The Cisco IP phone address is learned on the voice VLAN, but is not
learned on the access VLAN. If you connect a single PC to the Cisco IP phone, no additional MAC
addresses are required. If you connect more than one PC to the Cisco IP phone, you must configure
enough secure addresses to allow one for each PC and one for the phone.


• When a trunk port is configured with port security and assigned to an access VLAN for data traffic and to
a voice VLAN for voice traffic, entering the switchport voice and switchport priority extend interface
configuration commands has no effect.
When a connected device uses the same MAC address to request an IP address for the access VLAN and
then an IP address for the voice VLAN, only the access VLAN is assigned an IP address.
• When you enter a maximum secure address value for an interface, and the new value is greater than the
previous value, the new value overwrites the previously configured value. If the new value is less than
the previous value and the number of configured secure addresses on the interface exceeds the new value,
the command is rejected.
• The switch does not support port security aging of sticky secure MAC addresses.

This table summarizes port security compatibility with other port-based features.

Table 158: Port Security Compatibility with Other Switch Features

Type of Port or Feature on Port                         Compatible with Port Security
DTP (24) port (25)                                      No
Trunk port                                              Yes
Dynamic-access port (26)                                No
Routed port                                             No
SPAN source port                                        Yes
SPAN destination port                                   No
EtherChannel                                            Yes
Tunneling port                                          Yes
Protected port                                          Yes
IEEE 802.1x port                                        Yes
Voice VLAN port (27)                                    Yes
IP source guard                                         Yes
Dynamic Address Resolution Protocol (ARP) inspection    Yes
Flex Links                                              Yes

24 DTP=Dynamic Trunking Protocol
25 A port configured with the switchport mode dynamic interface configuration command.
26 A VLAN Query Protocol (VQP) port configured with the switchport access vlan dynamic interface
configuration command.
27 You must set the maximum allowed secure addresses on the port to two plus the maximum number of
secure addresses allowed on the access VLAN.


Overview of Port-Based Traffic Control


Port-based traffic control is a set of Layer 2 features on the Cisco Catalyst switches used to filter or block
packets at the port level in response to specific traffic conditions. The following port-based traffic control
features are supported in the Cisco IOS Release for which this guide is written:
• Storm Control
• Protected Ports
• Port Blocking
• Port Security
• Protocol Storm Protection

How to Configure Port Security


Enabling and Configuring Port Security
Before you begin
This task restricts input to an interface by limiting and identifying the MAC addresses of the stations allowed
to access the port.

SUMMARY STEPS
1. enable
2. configure terminal
3. interface interface-id
4. switchport mode {access | trunk}
5. switchport voice vlan vlan-id
6. switchport port-security
7. switchport port-security [maximum value [vlan {vlan-list | {access | voice}}]]
8. switchport port-security violation {protect | restrict | shutdown | shutdown vlan}
9. switchport port-security [mac-address mac-address [vlan {vlan-id | {access | voice}}]
10. switchport port-security mac-address sticky
11. switchport port-security mac-address sticky [mac-address | vlan {vlan-id | {access | voice}}]
12. end
13. show port-security
14. show running-config
15. copy running-config startup-config


DETAILED STEPS

Command or Action Purpose


Step 1 enable Enables privileged EXEC mode. Enter your password if
prompted.
Example:

SwitchDevice> enable

Step 2 configure terminal Enters the global configuration mode.


Example:

SwitchDevice# configure terminal

Step 3 interface interface-id Specifies the interface to be configured, and enters interface
configuration mode.
Example:

SwitchDevice(config)# interface
gigabitethernet1/0/1

Step 4 switchport mode {access | trunk} Sets the interface switchport mode as access or trunk; an
interface in the default mode (dynamic auto) cannot be configured as a secure port.
Example:

SwitchDevice(config-if)# switchport mode access

Step 5 switchport voice vlan vlan-id Enables voice VLAN on a port. vlan-id—Specifies the VLAN to be
used for voice traffic.
Example:

SwitchDevice(config-if)# switchport voice vlan 22

Step 6 switchport port-security Enables port security on the interface.


Example:

SwitchDevice(config-if)# switchport port-security

Step 7 switchport port-security [maximum value [vlan {vlan-list | {access | voice}}]] (Optional) Sets the
maximum number of secure MAC addresses for the interface. The maximum number of secure MAC addresses
that you can configure on a switch or switch stack is set by the maximum number of available MAC addresses
allowed in the system. This number is set by the active Switch Database Management (SDM) template. This
number is the total of available MAC addresses, including those used for other Layer 2 functions and any
other secure MAC addresses configured on interfaces.
Example:

SwitchDevice(config-if)# switchport port-security maximum 20

(Optional) vlan—sets a per-VLAN maximum value. Enter one of these options after you enter the vlan
keyword:
• vlan-list—On a trunk port, you can set a per-VLAN maximum value on a range of VLANs separated by
a hyphen or a series of VLANs separated by commas. For nonspecified VLANs, the per-VLAN maximum
value is used.
• access—On an access port, specifies the VLAN as an access VLAN.
• voice—On an access port, specifies the VLAN as a voice VLAN.

Note The voice keyword is available only if a voice VLAN is configured on a port and if that port is not the
access VLAN. If an interface is configured for voice VLAN, configure a maximum of two secure MAC
addresses.

Step 8 switchport port-security violation {protect | restrict | shutdown | shutdown vlan} (Optional) Sets
the violation mode, the action to be taken when a security violation is detected, as one of these:
Example:

SwitchDevice(config-if)# switchport port-security violation restrict

• protect—When the number of port secure MAC addresses reaches the maximum limit allowed on the port,
packets with unknown source addresses are dropped until you remove a sufficient number of secure MAC
addresses to drop below the maximum value or increase the number of maximum allowable addresses. You
are not notified that a security violation has occurred.
Note We do not recommend configuring the protect mode on a trunk port. The protect mode disables
learning when any VLAN reaches its maximum limit, even if the port has not reached its maximum limit.
• restrict—When the number of secure MAC addresses reaches the limit allowed on the port, packets with
unknown source addresses are dropped until you remove a sufficient number of secure MAC addresses or
increase the number of maximum allowable addresses. An SNMP trap is sent, a syslog message is logged,
and the violation counter increments.
• shutdown—The interface is error-disabled when a violation occurs, and the port LED turns off. An SNMP
trap is sent, a syslog message is logged, and the violation counter increments.
• shutdown vlan—Use to set the security violation mode per VLAN. In this mode, the VLAN is error
disabled instead of the entire port when a violation occurs.
Note When a secure port is in the error-disabled state, you can bring it out of this state by entering the
errdisable recovery cause psecure-violation global configuration command. You can manually re-enable
it by entering the shutdown and no shutdown interface configuration commands or by using the clear
errdisable interface vlan privileged EXEC command.

Step 9 switchport port-security [mac-address mac-address [vlan {vlan-id | {access | voice}}]] (Optional)
Enters a secure MAC address for the interface. You can use this command to enter the maximum number of
secure MAC addresses. If you configure fewer secure MAC addresses than the maximum, the remaining MAC
addresses are dynamically learned.
Example:

SwitchDevice(config-if)# switchport port-security mac-address 00:A0:C7:12:C9:25 vlan 3 voice

Note If you enable sticky learning after you enter this command, the secure addresses that were dynamically
learned are converted to sticky secure MAC addresses and are added to the running configuration.
(Optional) vlan—specifies the VLAN in which the address is secured. Enter one of these options after you
enter the vlan keyword:
• vlan-id—On a trunk port, you can specify the VLAN ID and the MAC address. If you do not specify a
VLAN ID, the native VLAN is used.
• access—On an access port, specifies the VLAN as an access VLAN.
• voice—On an access port, specifies the VLAN as a voice VLAN.
Note The voice keyword is available only if a voice VLAN is configured on a port and if that port is not the
access VLAN. If an interface is configured for voice VLAN, configure a maximum of two secure MAC
addresses.

Step 10 switchport port-security mac-address sticky (Optional) Enables sticky learning on the interface.
Example:

SwitchDevice(config-if)# switchport port-security mac-address sticky

Step 11 switchport port-security mac-address sticky [mac-address | vlan {vlan-id | {access | voice}}]
(Optional) Enters a sticky secure MAC address, repeating the command as many times as necessary. If you
configure fewer secure MAC addresses than the maximum, the remaining MAC addresses are dynamically
learned, are converted to sticky secure MAC addresses, and are added to the running configuration.
Example:

SwitchDevice(config-if)# switchport port-security mac-address sticky 00:A0:C7:12:C9:25 vlan voice

Note If you do not enable sticky learning before this command is entered, an error message appears, and
you cannot enter a sticky secure MAC address.
(Optional) vlan—specifies the VLAN in which the address is secured. Enter one of these options after you
enter the vlan keyword:
• vlan-id—On a trunk port, you can specify the VLAN ID and the MAC address. If you do not specify a
VLAN ID, the native VLAN is used.
• access—On an access port, specifies the VLAN as an access VLAN.
• voice—On an access port, specifies the VLAN as a voice VLAN.
Note The voice keyword is available only if a voice VLAN is configured on a port and if that port is not the
access VLAN.

Step 12 end Returns to privileged EXEC mode.


Example:

SwitchDevice(config-if)# end

Step 13 show port-security Verifies your entries.


Example:


SwitchDevice# show port-security

Step 14 show running-config Verifies your entries.


Example:

SwitchDevice# show running-config

Step 15 copy running-config startup-config (Optional) Saves your entries in the configuration file.
Example:

SwitchDevice# copy running-config startup-config

Related Topics
Port Security, on page 1469
Port Security, on page 1502
Configuration Examples for Port Security, on page 1528
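The configuration guidelines and the procedure above turned into a check that can be run over a saved running-config before port security is rolled out or audited. This is an added example written for this page, not part of the guide or of Cisco software. The SAMPLE_CONFIG excerpt is constructed, the audit looks only at the port-level maximum (not per-VLAN maximums), and it covers the guidelines named in the findings: an access port with no port security, a voice VLAN port with a maximum below two, protect mode on a trunk, and aging combined with sticky learning (which the switch does not age).

```python
import re

# Constructed running-config excerpt (not from a real switch) exercising the guidelines above.
SAMPLE_CONFIG = """\
!
interface GigabitEthernet1/0/1
 switchport mode access
 switchport access vlan 10
 switchport voice vlan 22
 switchport port-security
!
interface GigabitEthernet1/0/2
 switchport mode trunk
 switchport port-security
 switchport port-security violation protect
!
interface GigabitEthernet1/0/3
 switchport mode access
 switchport access vlan 10
!
interface GigabitEthernet1/0/4
 switchport mode access
 switchport port-security
 switchport port-security maximum 2
 switchport port-security violation restrict
 switchport port-security mac-address sticky
 switchport port-security aging time 120
 switchport port-security aging type inactivity
!
interface GigabitEthernet1/0/5
 switchport mode access
 switchport port-security
 switchport port-security violation restrict
!
"""

def parse_interfaces(config: str) -> dict:
    """Map each 'interface X' block to the list of its indented sub-commands."""
    blocks, current = {}, None
    for line in config.splitlines():
        if line.startswith("interface "):
            current = line.split(None, 1)[1]
            blocks[current] = []
        elif current is not None and line.startswith(" "):
            blocks[current].append(line.strip())
        else:
            current = None          # '!' or a global command ends the block
    return blocks

def _first(lines, pattern, default):
    """First sub-command matching the whole pattern, or the switch default."""
    for line in lines:
        m = re.fullmatch(pattern, line)
        if m:
            return m.group(1)
    return default

def audit(config: str) -> list:
    """Return (interface, problem, fix-commands) tuples for each guideline violated."""
    findings = []
    for name, lines in parse_interfaces(config).items():
        mode = _first(lines, r"switchport mode (\S+)", "dynamic")
        psec = "switchport port-security" in lines
        voice = any(l.startswith("switchport voice vlan ") for l in lines)
        maximum = int(_first(lines, r"switchport port-security maximum (\d+)", "1"))
        violation = _first(lines, r"switchport port-security violation (.+)", "shutdown")
        sticky = "switchport port-security mac-address sticky" in lines
        aging = any(l.startswith("switchport port-security aging ") for l in lines)
        if mode == "access" and not psec:
            findings.append((name, "access port without port security",
                             ["switchport port-security", "switchport port-security violation restrict"]))
        if psec and voice and maximum < 2:
            findings.append((name, f"voice VLAN with maximum {maximum}: phone plus PC need at least 2",
                             ["switchport port-security maximum 2"]))
        if psec and mode == "trunk" and violation == "protect":
            findings.append((name, "protect mode on a trunk disables learning for every VLAN "
                                   "once any one VLAN reaches its maximum",
                             ["switchport port-security violation restrict"]))
        if psec and sticky and aging:
            findings.append((name, "aging is configured but sticky secure addresses never age; "
                                   "keep one of the two (here: drop sticky)",
                             ["no switchport port-security mac-address sticky"]))
    return findings

def remediation(findings: list) -> list:
    """Turn findings into a config snippet ready to paste in configure terminal."""
    out = []
    for name, _, fix in findings:
        out.append(f"interface {name}")
        out.extend(f" {cmd}" for cmd in fix)
    return out

if __name__ == "__main__":
    for name, problem, _ in audit(SAMPLE_CONFIG):
        print(f"{name}: {problem}")
    print("\n".join(remediation(audit(SAMPLE_CONFIG))))
```

Feed it the output of show running-config saved to a file; the remediation lines are ordinary interface configuration commands, so they can be reviewed and pasted back as a change. The sticky-plus-aging case is reported because the two settings silently contradict each other rather than being rejected by the CLI.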

Enabling and Configuring Port Security Aging


Use this feature to remove and add devices on a secure port without manually deleting the existing secure
MAC addresses and to still limit the number of secure addresses on a port. You can enable or disable the
aging of secure addresses on a per-port basis.

SUMMARY STEPS
1. enable
2. configure terminal
3. interface interface-id
4. switchport port-security aging {static | time time | type {absolute | inactivity}}
5. end
6. show port-security [interface interface-id] [address]
7. show running-config
8. copy running-config startup-config

DETAILED STEPS

Command or Action Purpose


Step 1 enable Enables privileged EXEC mode. Enter your password if
prompted.
Example:

SwitchDevice> enable



Step 2 configure terminal Enters the global configuration mode.
Example:

SwitchDevice# configure terminal

Step 3 interface interface-id Specifies the interface to be configured, and enters interface
configuration mode.
Example:

SwitchDevice(config)# interface
gigabitethernet1/0/1

Step 4 switchport port-security aging {static | time time | type {absolute | inactivity}} Enables or disables
static aging for the secure port, or sets the aging time or type.
Example:

SwitchDevice(config-if)# switchport port-security aging time 120

Note The switch does not support port security aging of sticky secure addresses.
Enter static to enable aging for statically configured secure addresses on this port.
For time, specifies the aging time for this port. The valid range is from 0 to 1440 minutes.
For type, select one of these keywords:
• absolute—Sets the aging type as absolute aging. All the secure addresses on this port age out exactly after
the time (minutes) specified lapses and are removed from the secure address list.
• inactivity—Sets the aging type as inactivity aging. The secure addresses on this port age out only if there
is no data traffic from the secure source addresses for the specified time period.

Step 5 end Returns to privileged EXEC mode.


Example:

SwitchDevice(config-if)# end

Step 6 show port-security [interface interface-id] [address] Verifies your entries.


Example:

SwitchDevice# show port-security interface gigabitethernet1/0/1

Step 7 show running-config Verifies your entries.


Example:


SwitchDevice# show running-config

Step 8 copy running-config startup-config (Optional) Saves your entries in the configuration file.
Example:

SwitchDevice# copy running-config startup-config

Related Topics
Port Security Aging, on page 1505

Finding Feature Information


Your software release may not support all the features documented in this module. For the latest caveats and
feature information, see Bug Search Tool and the release notes for your platform and software release. To
find information about the features documented in this module, and to see a list of the releases in which each
feature is supported, see the feature information table at the end of this module.
Use Cisco Feature Navigator to find information about platform support and Cisco software image support.
To access Cisco Feature Navigator, go to http://www.cisco.com/go/cfn. An account on Cisco.com is not
required.

Information About Storm Control


Storm Control
Storm control prevents traffic on a LAN from being disrupted by a broadcast, multicast, or unicast storm on
one of the physical interfaces. A LAN storm occurs when packets flood the LAN, creating excessive traffic
and degrading network performance. Errors in the protocol-stack implementation, mistakes in network
configurations, or users issuing a denial-of-service attack can cause a storm.
Storm control (or traffic suppression) monitors packets passing from an interface to the switching bus and
determines if the packet is unicast, multicast, or broadcast. The switch counts the number of packets of a
specified type received within the 1-second time interval and compares the measurement with a predefined
suppression-level threshold.

How Traffic Activity is Measured


Storm control uses one of these methods to measure traffic activity:
• Bandwidth as a percentage of the total available bandwidth of the port that can be used by the broadcast,
multicast, or unicast traffic
• Traffic rate in packets per second at which broadcast, multicast, or unicast packets are received
• Traffic rate in bits per second at which broadcast, multicast, or unicast packets are received
• Traffic rate in packets per second and for small frames. This feature is enabled globally. The threshold
for small frames is configured for each interface.


With each method, the port blocks traffic when the rising threshold is reached. The port remains blocked until
the traffic rate drops below the falling threshold (if one is specified) and then resumes normal forwarding. If
the falling suppression level is not specified, the switch blocks all traffic until the traffic rate drops below the
rising suppression level. In general, the higher the level, the less effective the protection against broadcast
storms.

Note When the storm control threshold for multicast traffic is reached, all multicast traffic except control traffic,
such as bridge protocol data unit (BPDU) and Cisco Discovery Protocol (CDP) frames, is blocked. However,
the switch does not differentiate between routing updates, such as OSPF, and regular multicast data traffic,
so both types of traffic are blocked.

Traffic Patterns
Figure 125: Broadcast Storm Control Example

This example shows broadcast traffic patterns on an interface over a given period of time.

Broadcast traffic being forwarded exceeded the configured threshold between time intervals T1 and T2 and
between T4 and T5. When the amount of specified traffic exceeds the threshold, all traffic of that kind is
dropped for the next time period. Therefore, broadcast traffic is blocked during the intervals following T2
and T5. At the next time interval (for example, T3), if broadcast traffic does not exceed the threshold, it is
again forwarded.
The combination of the storm-control suppression level and the 1-second time interval controls the way the
storm control algorithm works. A higher threshold allows more packets to pass through. A threshold value
of 100 percent means that no limit is placed on the traffic. A value of 0.0 means that all broadcast, multicast,
or unicast traffic on that port is blocked.

Note Because packets do not arrive at uniform intervals, the 1-second time interval during which traffic activity is
measured can affect the behavior of storm control.

You use the storm-control interface configuration commands to set the threshold value for each traffic type.
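The rising and falling behaviour described above, simulated over a constructed sequence of 1-second measurements to show what level-low changes. This is an added example written for this page, not from the guide or the switch. Measurements are expressed as a percentage of link bandwidth, the way the level keyword expresses them, the BURSTY series is made up, and the trap and shutdown actions are modelled only as far as the text describes them.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass
class StormControl:
    """One storm-control entry for one traffic type, using percentage-of-bandwidth levels."""
    rising: float                    # level: block when the 1-second measurement reaches it
    falling: Optional[float] = None  # level-low: resume when the measurement drops below it
    action: str = "filter"           # filter (default), trap (filter + SNMP trap), shutdown

    def __post_init__(self):
        if self.falling is None:
            self.falling = self.rising       # the switch defaults level-low to level
        if not 0.0 <= self.falling <= self.rising <= 100.0:
            raise ValueError("need 0 <= falling <= rising <= 100")

def percent_of_link(bits_in_interval: int, link_bps: int) -> float:
    """Convert bits seen in one 1-second interval to a percentage of port bandwidth."""
    return 100.0 * bits_in_interval / link_bps

def simulate(ctrl: StormControl, samples: list) -> tuple:
    """samples: measured percentage per 1-second interval (T1, T2, ...).
    Returns (blocked state after each interval, list of event strings)."""
    blocked, err_disabled, states, events = False, False, [], []
    for t, pct in enumerate(samples, start=1):
        if err_disabled:
            states.append(True)          # the port stays down until errdisable recovery
            continue
        if not blocked and pct >= ctrl.rising:
            blocked = True
            if ctrl.action == "shutdown":
                err_disabled = True
                events.append(f"T{t}: {pct:.2f}% >= {ctrl.rising}% -> port err-disabled")
            else:
                events.append(f"T{t}: {pct:.2f}% >= {ctrl.rising}% -> traffic type blocked"
                              + (" (SNMP trap sent)" if ctrl.action == "trap" else ""))
        elif blocked and pct < ctrl.falling:
            blocked = False
            events.append(f"T{t}: {pct:.2f}% < {ctrl.falling}% -> forwarding resumes")
        states.append(blocked)
    return states, events

# Constructed broadcast load, as percent of a 1 Gb/s link, one value per second
BURSTY = [10.0, 90.0, 80.0, 70.0, 60.0, 90.0, 50.0]

if __name__ == "__main__":
    for ctrl in (StormControl(rising=87), StormControl(rising=87, falling=65)):
        states, events = simulate(ctrl, BURSTY)
        print(ctrl, states)
        print("\n".join(events))
```

With a single level of 87 the port unblocks as soon as the load dips to 80 and blocks again on the next burst, so the storm flaps through; with level-low 65 the port stays blocked until the load genuinely subsides. A shutdown action leaves the port err-disabled after the first burst.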


How to Configure Storm Control


Configuring Storm Control and Threshold Levels
You configure storm control on a port and enter the threshold level that you want to be used for a particular
type of traffic.
However, because of hardware limitations and the way in which packets of different sizes are counted, threshold
percentages are approximations. Depending on the sizes of the packets making up the incoming traffic, the
actual enforced threshold might differ from the configured level by several percentage points.

Follow these steps to configure storm control and threshold levels:

Before you begin


Storm control is supported on physical interfaces. You can also configure storm control on an EtherChannel.
When storm control is configured on an EtherChannel, the storm control settings propagate to the EtherChannel
physical interfaces.

SUMMARY STEPS
1. enable
2. configure terminal
3. interface interface-id
4. storm-control {broadcast | multicast | unicast} level {level [level-low] | bps bps [bps-low] | pps pps
[pps-low]}
5. storm-control action {shutdown | trap}
6. end
7. show storm-control [interface-id] [broadcast | multicast | unicast]
8. copy running-config startup-config

DETAILED STEPS

Command or Action Purpose


Step 1 enable Enables privileged EXEC mode. Enter your password if
prompted.
Example:

SwitchDevice> enable

Step 2 configure terminal Enters the global configuration mode.


Example:


SwitchDevice# configure terminal

Step 3 interface interface-id Specifies the interface to be configured, and enters interface
configuration mode.
Example:

SwitchDevice(config)# interface gigabitethernet1/0/1

Step 4 storm-control {broadcast | multicast | unicast} level {level [level-low] | bps bps [bps-low] | pps pps
[pps-low]} Configures broadcast, multicast, or unicast storm control. By default, storm control is disabled.
Example:

SwitchDevice(config-if)# storm-control unicast level 87 65

The keywords have these meanings:
• For level, specifies the rising threshold level for broadcast, multicast, or unicast traffic as a percentage
(up to two decimal places) of the bandwidth. The port blocks traffic when the rising threshold is reached. The
range is 0.00 to 100.00.
• (Optional) For level-low, specifies the falling threshold level as a percentage (up to two decimal places) of
the bandwidth. This value must be less than or equal to the rising suppression value. The port forwards traffic
when traffic drops below this level. If you do not configure a falling suppression level, it is set to the rising
suppression level. The range is 0.00 to 100.00. If you set the threshold to the maximum value (100 percent),
no limit is placed on the traffic. If you set the threshold to 0.0, all broadcast, multicast, and unicast traffic
on that port is blocked.
• For bps bps, specifies the rising threshold level for broadcast, multicast, or unicast traffic in bits per
second (up to one decimal place). The port blocks traffic when the rising threshold is reached. The range is
0.0 to 10000000000.0.
• (Optional) For bps-low, specifies the falling threshold level in bits per second (up to one decimal place).
It can be less than or equal to the rising threshold level. The port forwards traffic when traffic drops below
this level. The range is 0.0 to 10000000000.0.
• For pps pps, specifies the rising threshold level for broadcast, multicast, or unicast traffic in packets per
second (up to one decimal place). The port blocks traffic when the rising threshold is reached. The range is
0.0 to 10000000000.0.
• (Optional) For pps-low, specifies the falling threshold level in packets per second (up to one decimal place).
It can be less than or equal to the rising threshold level. The port forwards traffic when traffic drops below
this level. The range is 0.0 to 10000000000.0.

For bps and pps settings, you can use metric suffixes such as k, m, and g for large number thresholds.

Step 5 storm-control action {shutdown | trap} Specifies the action to be taken when a storm is detected.
The default is to filter out the traffic and not to send traps.
• Select the shutdown keyword to error-disable the port during a storm.
• Select the trap keyword to generate an SNMP trap when a storm is detected.
Example:

SwitchDevice(config-if)# storm-control action trap

Step 6 end Returns to privileged EXEC mode.


Example:

SwitchDevice(config-if)# end

Step 7 show storm-control [interface-id] [broadcast | multicast | unicast] Verifies the storm control suppression
levels set on the interface for the specified traffic type. If you do not enter a traffic type, broadcast storm
control settings are displayed.
Example:

SwitchDevice# show storm-control gigabitethernet1/0/1 unicast

Step 8 copy running-config startup-config (Optional) Saves your entries in the configuration file.
Example:

SwitchDevice# copy running-config startup-config

Configuring Small-Frame Arrival Rate


Incoming VLAN-tagged packets smaller than 67 bytes are considered small frames. They are forwarded by
the switch, but they do not cause the switch storm-control counters to increment.
You globally enable the small-frame arrival feature on the switch and then configure the small-frame threshold
for packets on each interface. When packets smaller than the minimum size arrive at the specified rate (the
threshold), the port is error disabled and the packets are dropped.

SUMMARY STEPS
1. enable
2. configure terminal
3. errdisable detect cause small-frame
4. errdisable recovery interval interval
5. errdisable recovery cause small-frame
6. interface interface-id
7. small-frame violation-rate pps
8. end
9. show interfaces interface-id
10. show running-config
11. copy running-config startup-config

DETAILED STEPS

Command or Action Purpose


Step 1 enable Enables privileged EXEC mode. Enter your password if
prompted.
Example:

SwitchDevice> enable

Step 2 configure terminal Enters the global configuration mode.


Example:

SwitchDevice# configure terminal

Step 3 errdisable detect cause small-frame Enables the small-frame arrival-rate feature on the switch.
Example:

SwitchDevice(config)# errdisable detect cause small-frame

Step 4 errdisable recovery interval interval (Optional) Specifies the time to recover from the specified
error-disabled state.
Example:

SwitchDevice(config)# errdisable recovery interval 60

Step 5 errdisable recovery cause small-frame (Optional) Configures error-disabled ports to be
automatically re-enabled, after the recovery interval, when they were error disabled by the arrival of
small frames.
Example:

SwitchDevice(config)# errdisable recovery cause small-frame

Step 6 interface interface-id Enters interface configuration mode, and specifies the interface to be
configured.
Example:

SwitchDevice(config)# interface gigabitethernet1/0/2

Step 7 small-frame violation-rate pps Configures the threshold rate at which incoming small frames cause
the interface to drop the packets and error disable the port. The range is 1 to 10,000 packets per second (pps).
Example:

SwitchDevice(config-if)# small-frame violation-rate 10000

Step 8 end Returns to privileged EXEC mode.


Example:

SwitchDevice(config-if)# end

Step 9 show interfaces interface-id Verifies the configuration.


Example:

SwitchDevice# show interfaces gigabitethernet1/0/2

Step 10 show running-config Verifies your entries.


Example:

SwitchDevice# show running-config

Step 11 copy running-config startup-config (Optional) Saves your entries in the configuration file.
Example:

SwitchDevice# copy running-config startup-config
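The following Python model is added here as an illustration of the storm control algorithm and the small-frame
arrival check described in the two preceding procedures; it is not Cisco code and does not come from this guide.
It applies one 1-second measurement interval at a time: a rising threshold in level (percent of bandwidth), bps
or pps units with the k/m/g suffixes, an optional falling threshold, the default filter behavior and the trap and
shutdown actions, and the rule that VLAN-tagged frames under 67 bytes are forwarded but never counted by storm
control while their own arrival rate is compared against small-frame violation-rate. The 1 Gb/s port speed, the
comparison directions (a threshold is "reached" at >=, traffic "drops below" the falling level at <) and the
constructed traffic bursts are assumptions.

```python
# Added example (not Cisco code): a model of per-port storm control and the
# small-frame arrival check.  Port speed, comparison directions and the
# constructed traffic are assumptions.
from dataclasses import dataclass, field
from typing import Iterable, List, Optional, Tuple

Frame = Tuple[int, bool]        # (size in bytes, VLAN-tagged?)
SUFFIX = {"k": 1e3, "m": 1e6, "g": 1e9}


def parse_rate(text: str) -> float:
    """Parse a bps/pps threshold such as '10m' or '1.5g' (k/m/g metric suffixes)."""
    t = text.strip().lower()
    if t and t[-1] in SUFFIX:
        return float(t[:-1]) * SUFFIX[t[-1]]
    return float(t)


def burst(count: int, size: int, tagged: bool = False) -> List[Frame]:
    """Constructed traffic: `count` frames of `size` bytes within one 1-second interval."""
    return [(size, tagged)] * count


def is_small_frame(frame: Frame) -> bool:
    """VLAN-tagged frames under 67 bytes are 'small frames': forwarded, but not counted."""
    size, tagged = frame
    return tagged and size < 67


def small_frame_violation(frames: Iterable[Frame], violation_rate_pps: int) -> bool:
    """True when small frames arrive at or above the per-interface
    `small-frame violation-rate`; with `errdisable detect cause small-frame`
    enabled globally, the port is then error disabled."""
    return sum(1 for f in frames if is_small_frame(f)) >= violation_rate_pps


@dataclass
class StormControl:
    """Storm control for one traffic type on one port (assumed comparison rules:
    'reached' means >= rising, 'drops below' means < falling)."""
    mode: str                    # "level" (percent of bandwidth), "bps" or "pps"
    rising: float
    falling: Optional[float] = None
    action: str = "filter"       # default: drop excess, no trap; or "trap" / "shutdown"
    bandwidth_bps: float = 1e9   # assumed 1 Gb/s port, used only for "level" mode
    blocking: bool = False
    errdisabled: bool = False
    events: List[str] = field(default_factory=list)

    def __post_init__(self) -> None:
        if self.falling is None:         # an omitted falling level equals the rising level
            self.falling = self.rising
        if self.falling > self.rising:
            raise ValueError("falling threshold must be <= rising threshold")

    def measure(self, frames: Iterable[Frame]) -> float:
        """Traffic seen in one 1-second interval, in the configured unit."""
        packets = bits = 0
        for frame in frames:
            if is_small_frame(frame):
                continue                  # small frames do not increment storm-control counters
            packets += 1
            bits += frame[0] * 8
        if self.mode == "pps":
            return float(packets)
        if self.mode == "bps":
            return float(bits)
        return 100.0 * bits / self.bandwidth_bps

    def interval(self, frames: Iterable[Frame]) -> str:
        """Apply one measurement interval; returns the port state afterwards."""
        if self.errdisabled:
            return "errdisabled"
        if self.mode == "level" and self.rising >= 100.0:
            return "forwarding"           # a level of 100 percent places no limit on traffic
        level = self.measure(frames)
        if not self.blocking and level >= self.rising:
            self.blocking = True          # rising threshold reached: suppress this traffic type
            if self.action == "trap":
                self.events.append(f"trap: storm detected at {level:.2f}")
            elif self.action == "shutdown":
                self.errdisabled = True   # storm-control action shutdown: error-disable the port
                self.events.append("port error-disabled")
                return "errdisabled"
        elif self.blocking and level < self.falling:
            self.blocking = False         # fell below the falling threshold: forward again
        return "blocking" if self.blocking else "forwarding"
```

With storm-control unicast level 87 65 on an assumed 1 Gb/s port, an interval carrying 90 percent of the
bandwidth starts suppression, a following interval at 70 percent keeps it suppressed (above the falling level
even though it is below the rising one), and only an interval below 65 percent forwards again; that hysteresis
is the reason for configuring a falling level lower than the rising level.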

Information About Protected Ports


Protected Ports
Some applications require that no traffic be forwarded at Layer 2 between ports on the same switch so that
one neighbor does not see the traffic generated by another neighbor. In such an environment, the use of
protected ports ensures that there is no exchange of unicast, broadcast, or multicast traffic between these ports
on the switch.
Protected ports have these features:
• A protected port does not forward any traffic (unicast, multicast, or broadcast) to any other port that is
also a protected port. Data traffic cannot be forwarded between protected ports at Layer 2; only control
traffic, such as PIM packets, is forwarded because these packets are processed by the CPU and forwarded
in software. All data traffic passing between protected ports must be forwarded through a Layer 3 device.
• Forwarding behavior between a protected port and a nonprotected port proceeds as usual.

Because a switch stack represents a single logical switch, Layer 2 traffic is not forwarded between any protected
ports in the switch stack, whether they are on the same or different switches in the stack.

Default Protected Port Configuration


The default is to have no protected ports defined.

Protected Ports Guidelines


You can configure protected ports on a physical interface (for example, Gigabit Ethernet port 1) or an
EtherChannel group (for example, port-channel 5). When you enable protected ports for a port channel, it is
enabled for all ports in the port-channel group.

How to Configure Protected Ports


Configuring a Protected Port

Before you begin


No protected ports are defined by default. Use this task to configure one.

SUMMARY STEPS
1. enable
2. configure terminal
3. interface interface-id
4. switchport protected
5. end
6. show interfaces interface-id switchport
7. show running-config
8. copy running-config startup-config

DETAILED STEPS

Command or Action Purpose


Step 1 enable Enables privileged EXEC mode. Enter your password if
prompted.
Example:

SwitchDevice> enable

Step 2 configure terminal Enters the global configuration mode.


Example:

SwitchDevice# configure terminal

Step 3 interface interface-id Specifies the interface to be configured, and enters interface
configuration mode.
Example:

SwitchDevice(config)# interface gigabitethernet1/0/1

Step 4 switchport protected Configures the interface to be a protected port.


Example:

SwitchDevice(config-if)# switchport protected

Step 5 end Returns to privileged EXEC mode.
Example:

SwitchDevice(config-if)# end

Step 6 show interfaces interface-id switchport Verifies your entries.
Example:

SwitchDevice# show interfaces gigabitethernet1/0/1 switchport

Step 7 show running-config Verifies your entries.


Example:

SwitchDevice# show running-config

Step 8 copy running-config startup-config (Optional) Saves your entries in the configuration file.
Example:

SwitchDevice# copy running-config startup-config

Monitoring Protected Ports


Table 159: Commands for Displaying Protected Port Settings

Command Purpose

show interfaces [interface-id] switchport Displays the administrative and operational status of
all switching (nonrouting) ports or the specified port,
including port blocking and port protection settings.

Information About Port Blocking


Port Blocking
By default, the switch floods packets with unknown destination MAC addresses out of all ports. If unknown
unicast and multicast traffic is forwarded to a protected port, there could be security issues. To prevent unknown
unicast or multicast traffic from being forwarded from one port to another, you can block a port (protected or
nonprotected) from flooding unknown unicast or multicast packets to other ports.

Note With multicast traffic, the port blocking feature blocks only pure Layer 2 packets. Multicast packets that
contain IPv4 or IPv6 information in the header are not blocked.

How to Configure Port Blocking


Blocking Flooded Traffic on an Interface

Before you begin


The interface can be a physical interface or an EtherChannel group. When you block multicast or unicast
traffic for a port channel, it is blocked on all ports in the port-channel group.

SUMMARY STEPS
1. enable
2. configure terminal
3. interface interface-id
4. switchport block multicast
5. switchport block unicast
6. end
7. show interfaces interface-id switchport
8. show running-config
9. copy running-config startup-config

DETAILED STEPS

Command or Action Purpose


Step 1 enable Enables privileged EXEC mode. Enter your password if
prompted.
Example:

SwitchDevice> enable

Step 2 configure terminal Enters the global configuration mode.


Example:

SwitchDevice# configure terminal

Step 3 interface interface-id Specifies the interface to be configured, and enters interface
configuration mode.
Example:

SwitchDevice(config)# interface gigabitethernet1/0/1

Step 4 switchport block multicast Blocks unknown multicast forwarding out of the port.
Note Only pure Layer 2 multicast traffic is blocked. Multicast packets that contain IPv4 or IPv6
information in the header are not blocked.
Example:

SwitchDevice(config-if)# switchport block multicast

Step 5 switchport block unicast Blocks unknown unicast forwarding out of the port.
Example:

SwitchDevice(config-if)# switchport block unicast

Step 6 end Returns to privileged EXEC mode.


Example:

SwitchDevice(config-if)# end

Step 7 show interfaces interface-id switchport Verifies your entries.
Example:

SwitchDevice# show interfaces gigabitethernet1/0/1 switchport

Step 8 show running-config Verifies your entries.


Example:

SwitchDevice# show running-config

Step 9 copy running-config startup-config (Optional) Saves your entries in the configuration file.
Example:

SwitchDevice# copy running-config startup-config

Monitoring Port Blocking


Table 160: Commands for Displaying Port Blocking Settings

Command Purpose

show interfaces [interface-id] switchport Displays the administrative and operational status of
all switching (nonrouting) ports or the specified port,
including port blocking and port protection settings.
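The following Python model is added here as an illustration of the Layer 2 forwarding rules described above for
protected ports and for port blocking; it is not Cisco code and is not taken from this guide. It decides which
ports a frame is forwarded out of given the ingress port, the destination MAC address, which ports are
configured with switchport protected, and which have switchport block unicast or switchport block multicast.
The port names, the learned MAC table entries and the ip_multicast flag (marking a multicast frame that
carries an IPv4 or IPv6 header, which switchport block multicast does not block) are assumptions.

```python
# Added example (not Cisco code): a model of Layer 2 forwarding with protected
# ports and port blocking.  Port names, MAC table and ip_multicast are assumptions.
from dataclasses import dataclass, field
from typing import Dict, Set

BROADCAST = "ffff.ffff.ffff"


def is_group_address(mac: str) -> bool:
    """Least significant bit of the first octet set: multicast (or broadcast) destination."""
    return int(mac.split(".")[0][:2], 16) & 0x01 == 1


@dataclass
class Port:
    name: str
    protected: bool = False        # switchport protected
    block_unicast: bool = False    # switchport block unicast
    block_multicast: bool = False  # switchport block multicast


@dataclass
class Switch:
    ports: Dict[str, Port]
    mac_table: Dict[str, str] = field(default_factory=dict)  # learned dst MAC -> port name

    def learn(self, mac: str, port: str) -> None:
        self.mac_table[mac] = port

    def egress(self, ingress: str, dst: str, ip_multicast: bool = False) -> Set[str]:
        """Set of ports a frame entering on `ingress` for `dst` is forwarded out of."""
        src = self.ports[ingress]
        group = is_group_address(dst)
        known = None if group else self.mac_table.get(dst)
        if known is not None:
            candidates, flooded = {known}, False                    # known unicast: one port
        else:
            candidates, flooded = set(self.ports) - {ingress}, True  # unknown: flood all others
        out: Set[str] = set()
        for name in candidates:
            port = self.ports[name]
            if src.protected and port.protected:
                continue        # no Layer 2 data traffic between two protected ports
            if flooded and dst != BROADCAST:
                if group and port.block_multicast and not ip_multicast:
                    continue    # only pure Layer 2 multicast is blocked; IPv4/IPv6 multicast is not
                if not group and port.block_unicast:
                    continue    # unknown unicast is not flooded out of this port
            out.add(name)
        return out
```

In the model two protected access ports never exchange data traffic even when the destination MAC is known,
while each of them still reaches the unprotected uplink; a port with switchport block unicast still receives
known unicast addressed to it, which is why blocking is a complement to protected ports rather than a substitute.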

Configuration Examples for Port Security


This example shows how to enable port security on a port and to set the maximum number of secure addresses
to 50. The violation mode is the default, no static secure MAC addresses are configured, and sticky learning
is enabled.

SwitchDevice(config)# interface gigabitethernet1/0/1
SwitchDevice(config-if)# switchport mode access
SwitchDevice(config-if)# switchport port-security
SwitchDevice(config-if)# switchport port-security maximum 50
SwitchDevice(config-if)# switchport port-security mac-address sticky

This example shows how to configure a static secure MAC address on VLAN 3 on a port:

SwitchDevice(config)# interface gigabitethernet1/0/2
SwitchDevice(config-if)# switchport mode trunk
SwitchDevice(config-if)# switchport port-security
SwitchDevice(config-if)# switchport port-security mac-address 0000.0200.0004 vlan 3

This example shows how to enable sticky port security on a port, to manually configure MAC addresses for
the data VLAN and the voice VLAN, and to set the total maximum number of secure addresses to 20 (10 for the
data VLAN and 10 for the voice VLAN).

SwitchDevice(config)# interface tengigabitethernet1/0/1
SwitchDevice(config-if)# switchport access vlan 21
SwitchDevice(config-if)# switchport mode access
SwitchDevice(config-if)# switchport voice vlan 22
SwitchDevice(config-if)# switchport port-security
SwitchDevice(config-if)# switchport port-security maximum 20
SwitchDevice(config-if)# switchport port-security violation restrict
SwitchDevice(config-if)# switchport port-security mac-address sticky
SwitchDevice(config-if)# switchport port-security mac-address sticky 0000.0000.0002
SwitchDevice(config-if)# switchport port-security mac-address 0000.0000.0003
SwitchDevice(config-if)# switchport port-security mac-address sticky 0000.0000.0001 vlan voice
SwitchDevice(config-if)# switchport port-security mac-address 0000.0000.0004 vlan voice
SwitchDevice(config-if)# switchport port-security maximum 10 vlan access
SwitchDevice(config-if)# switchport port-security maximum 10 vlan voice

Related Topics
Port Security, on page 1502

Enabling and Configuring Port Security, on page 1507

Information About Protocol Storm Protection


Protocol Storm Protection
When a switch is flooded with Address Resolution Protocol (ARP) or control packets, high CPU utilization
can cause the CPU to overload. These issues can occur:
• Routing protocol can flap because the protocol control packets are not received, and neighboring
adjacencies are dropped.
• Spanning Tree Protocol (STP) reconverges because the STP bridge protocol data unit (BPDU) cannot
be sent or received.
• CLI is slow or unresponsive.

Using protocol storm protection, you can control the rate at which control packets are sent to the switch by
specifying the upper threshold for the packet flow rate. The supported protocols are ARP, ARP snooping,
Dynamic Host Configuration Protocol (DHCP) v4, DHCP snooping, Internet Group Management Protocol
(IGMP), and IGMP snooping.
When the packet rate exceeds the defined threshold, the switch drops all traffic arriving on the specified virtual
port for 30 seconds. The packet rate is measured again, and protocol storm protection is again applied if
necessary.
For further protection, you can configure the switch to error disable the virtual port, which blocks all incoming
traffic on the virtual port. You can manually re-enable the virtual port or set a time interval for automatic
re-enabling of the virtual port.

Note Excess packets are dropped on no more than two virtual ports.
Virtual port error disabling is not supported for EtherChannel and Flexlink interfaces.

Default Protocol Storm Protection Configuration


Protocol storm protection is disabled by default. When it is enabled, auto-recovery of the virtual port is disabled
by default.

How to Configure Protocol Storm Protection


Enabling Protocol Storm Protection
SUMMARY STEPS
1. enable

2. configure terminal
3. psp {arp | dhcp | igmp} pps value
4. errdisable detect cause psp
5. errdisable recovery interval time
6. end
7. show psp config {arp | dhcp | igmp}

DETAILED STEPS

Command or Action Purpose


Step 1 enable Enables privileged EXEC mode. Enter your password if
prompted.
Example:

SwitchDevice> enable

Step 2 configure terminal Enters the global configuration mode.


Example:

SwitchDevice# configure terminal

Step 3 psp {arp | dhcp | igmp} pps value Configures protocol storm protection for ARP, DHCP, or IGMP.
For value, specifies the threshold value for the number of packets per second. If the traffic exceeds this value,
protocol storm protection is enforced. The range is from 5 to 50 packets per second.
Example:

SwitchDevice(config)# psp dhcp pps 35

Step 4 errdisable detect cause psp (Optional) Enables error-disable detection for protocol storm protection.
If this feature is enabled, the virtual port is error disabled. If this feature is disabled, the port drops excess
packets without error disabling the port.
Example:

SwitchDevice(config)# errdisable detect cause psp

Step 5 errdisable recovery interval time (Optional) Configures an auto-recovery time (in seconds) for
error-disabled virtual ports. When a virtual port is error-disabled, the switch auto-recovers after this time. The
range is from 30 to 86400 seconds.
Example:

SwitchDevice

Step 6 end Returns to privileged EXEC mode.


Example:

SwitchDevice(config)# end

Step 7 show psp config {arp | dhcp | igmp} Verifies your entries.
Example:

SwitchDevice# show psp config dhcp

Monitoring Protocol Storm Protection


Command Purpose
show psp config {arp | dhcp | igmp} Verifies your entries.

CHAPTER 65
Configuring IPv6 First Hop Security
• Finding Feature Information, on page 1533
• Prerequisites for First Hop Security in IPv6, on page 1533
• Restrictions for First Hop Security in IPv6, on page 1534
• Information about First Hop Security in IPv6, on page 1534
• How to Configure an IPv6 Snooping Policy, on page 1536
• How to Configure the IPv6 Binding Table Content , on page 1540
• How to Configure an IPv6 Neighbor Discovery Inspection Policy, on page 1542
• How to Configure an IPv6 Router Advertisement Guard Policy, on page 1546
• How to Configure an IPv6 DHCP Guard Policy , on page 1550
• How to Configure IPv6 Source Guard, on page 1555
• How to Configure IPv6 Source Guard, on page 1557
• How to Configure IPv6 Prefix Guard, on page 1560

Finding Feature Information


Your software release may not support all the features documented in this module. For the latest caveats and
feature information, see Bug Search Tool and the release notes for your platform and software release. To
find information about the features documented in this module, and to see a list of the releases in which each
feature is supported, see the feature information table at the end of this module.
Use Cisco Feature Navigator to find information about platform support and Cisco software image support.
To access Cisco Feature Navigator, go to http://www.cisco.com/go/cfn. An account on Cisco.com is not
required.

Prerequisites for First Hop Security in IPv6


• You have configured the necessary IPv6 enabled SDM template.
• You should be familiar with the IPv6 neighbor discovery feature.

Restrictions for First Hop Security in IPv6


• The following restrictions apply when applying FHS policies to EtherChannel interfaces (Port Channels):
• A physical port with an FHS policy attached cannot join an EtherChannel group.
• An FHS policy cannot be attached to a physical port when it is a member of an EtherChannel
group.

• By default, a snooping policy has a security-level of guard. When such a snooping policy is configured
on an access switch, external IPv6 Router Advertisement (RA) or Dynamic Host Configuration Protocol
for IPv6 (DHCPv6) server packets are blocked, even though the uplink port facing the router or DHCP
server/relay is configured as a trusted port. To allow IPv6 RA or DHCPv6 server messages, do the
following:
• Apply an IPv6 RA-guard policy (for RA) or IPv6 DHCP-guard policy (for DHCP server messages
) on the uplink port.
• Configure a snooping policy with a lower security-level, for example glean or inspect. However,
configuring a lower security level is not recommended with such a snooping policy, because the benefits
of the First Hop Security features are then not effective.

Information about First Hop Security in IPv6


First Hop Security in IPv6 (FHS IPv6) is a set of IPv6 security features, the policies of which can be attached
to a physical interface, or a VLAN. An IPv6 software policy database service stores and accesses these policies.
When a policy is configured or modified, the attributes of the policy are stored or updated in the software
policy database, then applied as was specified. The following IPv6 policies are currently supported:
• IPv6 Snooping Policy—IPv6 Snooping Policy acts as a container policy that enables most of the features
available with FHS in IPv6.
• IPv6 FHS Binding Table Content—A database table of IPv6 neighbors connected to the switch is created
from information sources such as Neighbor Discovery (ND) protocol snooping. This database, or binding,
table is used by various IPv6 guard features (such as IPv6 ND Inspection) to validate the link-layer
address (LLA), the IPv4 or IPv6 address, and prefix binding of the neighbors to prevent spoofing and
redirect attacks.
• IPv6 Neighbor Discovery Inspection—IPv6 ND inspection learns and secures bindings for stateless
autoconfiguration addresses in Layer 2 neighbor tables. IPv6 ND inspection analyzes neighbor discovery
messages in order to build a trusted binding table database and IPv6 neighbor discovery messages that
do not conform are dropped. An ND message is considered trustworthy if its IPv6-to-Media Access
Control (MAC) mapping is verifiable.
This feature mitigates some of the inherent vulnerabilities of the ND mechanism, such as attacks on
DAD, address resolution, router discovery, and the neighbor cache.
• IPv6 Router Advertisement Guard—The IPv6 Router Advertisement (RA) guard feature enables the
network administrator to block or reject unwanted or rogue RA messages that arrive at the network
switch platform. RAs are used by routers to announce themselves on the link. The RA Guard feature
analyzes the RAs and filters out bogus RAs sent by unauthorized routers. In host mode, all router
advertisement and router redirect messages are disallowed on the port. The RA guard feature compares
configuration information on the Layer 2 device with the information found in the received RA frame.
Once the Layer 2 device has validated the content of the RA frame and router redirect frame against the
configuration, it forwards the RA to its unicast or multicast destination. If the RA frame content is not
validated, the RA is dropped.
• IPv6 DHCP Guard—The IPv6 DHCP Guard feature blocks reply and advertisement messages that come
from unauthorized DHCPv6 servers and relay agents. IPv6 DHCP guard can prevent forged messages
from being entered in the binding table and block DHCPv6 server messages when they are received on
ports that are not explicitly configured as facing a DHCPv6 server or DHCP relay. To use this feature,
configure a policy and attach it to an interface or a VLAN. To debug DHCP guard packets, use the debug
ipv6 snooping dhcp-guard privileged EXEC command.
• IPv6 Source Guard—Like IPv4 Source Guard, IPv6 Source Guard validates the source address or prefix
to prevent source address spoofing.
A source guard programs the hardware to allow or deny traffic based on source or destination addresses.
It deals exclusively with data packet traffic.
The IPv6 source guard feature provides the ability to use the IPv6 binding table to install PACLs to
prevent a host from sending packets with an invalid IPv6 source address.
To debug source-guard packets, use the debug ipv6 snooping source-guard privileged EXEC command.

Note The IPv6 PACL feature is supported only in the ingress direction; it is not
supported in the egress direction.

The following restrictions apply:


• An FHS policy cannot be attached to a physical port when it is a member of an EtherChannel
group.
• When IPv6 source guard is enabled on a switch port, NDP or DHCP snooping must be enabled on
the interface to which the switch port belongs. Otherwise, all data traffic from this port will be
blocked.
• An IPv6 source guard policy cannot be attached to a VLAN. It is supported only at the interface
level.
• You cannot use IPv6 Source Guard and Prefix Guard together. When you attach the policy to an
interface, it should be "validate address" or "validate prefix" but not both.
• PVLAN and Source/Prefix Guard cannot be applied together.

For more information on IPv6 Source Guard, see the IPv6 Source Guard chapter of the Cisco IOS IPv6
Configuration Guide Library on Cisco.com.
• IPv6 Prefix Guard—The IPv6 prefix guard feature works within the IPv6 source guard feature, to enable
the device to deny traffic originated from non-topologically correct addresses. IPv6 prefix guard is often
used when IPv6 prefixes are delegated to devices (for example, home gateways) using DHCP prefix
delegation. The feature discovers ranges of addresses assigned to the link and blocks any traffic sourced
with an address outside this range.
For more information on IPv6 Prefix Guard, see the IPv6 Prefix Guard chapter of the Cisco IOS IPv6
Configuration Guide Library on Cisco.com.

Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(3)E (Catalyst 3560-CX and 2960-CX Switches)
1535
Security
How to Configure an IPv6 Snooping Policy

• IPv6 Destination Guard—The IPv6 destination guard feature works with IPv6 neighbor discovery to
ensure that the device performs address resolution only for those addresses that are known to be active
on the link. It relies on the address glean functionality to populate all destinations active on the link into
the binding table and then blocks resolutions before they happen when the destination is not found in the
binding table.

Note IPv6 Destination Guard is recommended only on Layer 3. It is not recommended on Layer 2.

For more information about IPv6 Destination Guard, see the IPv6 Destination Guard chapter of the Cisco
IOS IPv6 Configuration Guide Library on Cisco.com.
• IPv6 Neighbor Discovery Multicast Suppress—The IPv6 Neighbor Discovery multicast suppress feature
is an IPv6 snooping feature that runs on a switch or a wireless controller and is used to reduce the amount
of control traffic necessary for proper link operations.
• DHCPv6 Relay—Lightweight DHCPv6 Relay Agent—The DHCPv6 Relay—Lightweight DHCPv6
Relay Agent feature allows relay agent information to be inserted by an access node that performs a
link-layer bridging (non-routing) function. Lightweight DHCPv6 Relay Agent (LDRA) functionality
can be implemented in existing access nodes, such as DSL access multiplexers (DSLAMs) and Ethernet
switches, that do not support IPv6 control or routing functions. LDRA is used to insert relay-agent options
in DHCP version 6 (DHCPv6) message exchanges primarily to identify client-facing interfaces. LDRA
functionality can be enabled on an interface and on a VLAN.
For more information about DHCPv6 Relay, see the DHCPv6 Relay—Lightweight DHCPv6 Relay
Agent section of the IP Addressing: DHCP Configuration Guide, Cisco IOS Release 15.1SG.
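The DHCPv6 Guard behaviour described in the overview above, modelled in Python as an added example (this is not Cisco code or the switch's implementation): each constructed DHCPv6 message is classified by message type and by the device-role of its ingress port; server and relay-agent messages (ADVERTISE, REPLY, RELAY-REPL) that arrive on a port not configured as server-facing are dropped, a trusted-port forwards everything, and an optional server allow-list stands in for the guide's match server access-list option (how the model applies that list is an assumption). The addresses, port names and message sequence are constructed for the demonstration.

```python
"""DHCPv6 Guard decision model (added example, not Cisco code).

Replays constructed DHCPv6 messages against the port role the guide's DHCP
Guard policy assigns and drops server and relay-agent messages that arrive on
ports not configured as server-facing.
"""
from dataclasses import dataclass
from typing import List, Optional, Set, Tuple

# DHCPv6 message types (RFC 8415) that only a server or a relay agent sends
# towards clients; these are the messages the guide says DHCPv6 Guard filters.
SERVER_ORIGINATED = {2: "ADVERTISE", 7: "REPLY", 13: "RELAY-REPL"}
# Client-originated types are never filtered by the guard.
CLIENT_ORIGINATED = {1: "SOLICIT", 3: "REQUEST", 5: "RENEW", 6: "REBIND",
                     8: "RELEASE", 11: "INFORMATION-REQUEST"}


@dataclass
class DhcpGuardPolicy:
    device_role: str = "client"                    # guide default: client
    trusted_port: bool = False                     # trusted-port: no verification
    # Assumed stand-in for "match server access-list": permitted server sources.
    server_allow_list: Optional[Set[str]] = None


@dataclass
class Dhcpv6Message:
    port: str
    src: str          # IPv6 source address of the sender (constructed values)
    msg_type: int


def evaluate(msg: Dhcpv6Message, policy: DhcpGuardPolicy) -> Tuple[str, str]:
    """Return ("forward" | "drop", reason) for one message on one port."""
    name = SERVER_ORIGINATED.get(msg.msg_type) or CLIENT_ORIGINATED.get(
        msg.msg_type, f"type-{msg.msg_type}")
    if policy.trusted_port:
        return "forward", f"{name}: trusted-port, no verification"
    if msg.msg_type not in SERVER_ORIGINATED:
        return "forward", f"{name}: client message, not subject to DHCP guard"
    if policy.device_role != "server":
        # The core check: server replies and advertisements are accepted only on
        # ports explicitly configured as facing a DHCPv6 server or relay.
        return "drop", f"{name}: server message on a {policy.device_role}-facing port"
    if policy.server_allow_list is not None and msg.src not in policy.server_allow_list:
        return "drop", f"{name}: {msg.src} is not a permitted server address"
    return "forward", f"{name}: from a permitted server on a server-facing port"


def run_demo() -> List[str]:
    """Constructed traffic on three ports; returns the verdict for each message."""
    client_port = DhcpGuardPolicy()                                   # default policy
    server_port = DhcpGuardPolicy("server", server_allow_list={"fe80::5"})
    uplink = DhcpGuardPolicy(trusted_port=True)
    traffic = [
        (Dhcpv6Message("Gi1/0/1", "fe80::10", 1), client_port),   # SOLICIT from a client
        (Dhcpv6Message("Gi1/0/1", "fe80::10", 2), client_port),   # rogue ADVERTISE on a client port
        (Dhcpv6Message("Gi1/0/2", "fe80::5", 7), server_port),    # REPLY from the permitted server
        (Dhcpv6Message("Gi1/0/2", "fe80::99", 7), server_port),   # REPLY from an unlisted address
        (Dhcpv6Message("Gi1/0/2", "fe80::7", 13), server_port),   # RELAY-REPL from an unlisted relay
        (Dhcpv6Message("Po1", "fe80::99", 2), uplink),            # anything on the trusted port
    ]
    decisions = []
    for msg, policy in traffic:
        verdict, reason = evaluate(msg, policy)
        decisions.append(verdict)
        print(f"{msg.port:8} {verdict:8} {reason}")
    return decisions


if __name__ == "__main__":
    run_demo()
```

Running the block prints one line per message; the second and fourth entries show the two cases that matter operationally: a server message on a client-facing port, and a server message from an address the allow-list does not permit.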

How to Configure an IPv6 Snooping Policy


Beginning in privileged EXEC mode, follow these steps to configure an IPv6 Snooping Policy:

SUMMARY STEPS
1. configure terminal
2. ipv6 snooping policy policy-name
3. {[default] | [device-role {node | switch}] | [limit address-count value] | [no] | [protocol {dhcp | ndp}] | [security-level {glean | guard | inspect}] | [tracking {disable [stale-lifetime [seconds | infinite]] | enable [reachable-lifetime [seconds | infinite]]}] | [trusted-port]}
4. end
5. show ipv6 snooping policy policy-name

DETAILED STEPS

Step 1 configure terminal
Purpose: Enters the global configuration mode.
Example:
SwitchDevice# configure terminal

Step 2 ipv6 snooping policy policy-name
Purpose: Creates a snooping policy and enters IPv6 Snooping Policy Configuration mode.
Example:
SwitchDevice(config)# ipv6 snooping policy example_policy

Step 3 {[default] | [device-role {node | switch}] | [limit address-count value] | [no] | [protocol {dhcp | ndp}] | [security-level {glean | guard | inspect}] | [tracking {disable [stale-lifetime [seconds | infinite]] | enable [reachable-lifetime [seconds | infinite]]}] | [trusted-port]}
Purpose: Enables data address gleaning, validates messages against various criteria, and specifies the security level for messages.
• (Optional) default—Sets all options to their defaults.
• (Optional) device-role {node | switch}—Specifies the role of the device attached to the port. Default is node.
• (Optional) limit address-count value—Limits the number of addresses allowed per target.
• (Optional) no—Negates a command or sets it to defaults.
• (Optional) protocol {dhcp | ndp}—Specifies which protocol should be redirected to the snooping feature for analysis. The default is dhcp and ndp. To change the default, use the no protocol command.
• (Optional) security-level {glean | guard | inspect}—Specifies the level of security enforced by the feature. Default is guard.
  glean—Gleans addresses from messages and populates the binding table without any verification.
  guard—Gleans addresses and inspects messages. In addition, it rejects RA and DHCP server messages. This is the default option.
  inspect—Gleans addresses, validates messages for consistency and conformance, and enforces address ownership.
• (Optional) tracking {disable | enable}—Overrides the default tracking behavior and specifies a tracking option.
• (Optional) trusted-port—Sets up a trusted port. It disables the guard on applicable targets. Bindings learned through a trusted port have preference over bindings learned through any other port. A trusted port is given preference in case of a collision while making an entry in the table.
Example:
SwitchDevice(config-ipv6-snooping)# security-level inspect
Example:
SwitchDevice(config-ipv6-snooping)# trusted-port

Step 4 end
Purpose: Exits configuration modes to Privileged EXEC mode.
Example:
SwitchDevice(config-ipv6-snooping)# end

Step 5 show ipv6 snooping policy policy-name
Purpose: Displays the snooping policy configuration.
Example:
SwitchDevice# show ipv6 snooping policy example_policy

What to do next
Attach an IPv6 Snooping policy to interfaces or VLANs.

How to Attach an IPv6 Snooping Policy to an Interface


Beginning in privileged EXEC mode, follow these steps to attach an IPv6 Snooping policy to an interface or
VLAN:

SUMMARY STEPS
1. configure terminal
2. interface Interface_type stack/module/port
3. switchport
4. ipv6 snooping [attach-policy policy_name [vlan {vlan_id | add vlan_ids | except vlan_ids | none | remove vlan_ids}] | vlan {vlan_id | add vlan_ids | except vlan_ids | none | remove vlan_ids | all}]
5. do show running-config

DETAILED STEPS

Step 1 configure terminal
Purpose: Enters the global configuration mode.
Example:
SwitchDevice# configure terminal

Step 2 interface Interface_type stack/module/port
Purpose: Specifies an interface type and identifier; enters the interface configuration mode.
Example:
SwitchDevice(config)# interface gigabitethernet 1/1/4

Step 3 switchport
Purpose: Enters the Switchport mode.
Example:
SwitchDevice(config-if)# switchport
Note To configure Layer 2 parameters, if the interface is in Layer 3 mode, you must enter the switchport interface configuration command without any parameters to put the interface into Layer 2 mode. This shuts down the interface and then re-enables it, which might generate messages on the device to which the interface is connected. When you put an interface that is in Layer 3 mode into Layer 2 mode, the previous configuration information related to the affected interface might be lost, and the interface is returned to its default configuration. The command prompt displays as (config-if)# in Switchport configuration mode.

Step 4 ipv6 snooping [attach-policy policy_name [vlan {vlan_id | add vlan_ids | except vlan_ids | none | remove vlan_ids}] | vlan {vlan_id | add vlan_ids | except vlan_ids | none | remove vlan_ids | all}]
Purpose: Attaches a custom IPv6 snooping policy to the interface or the specified VLANs on the interface. To attach the default policy to the interface, use the ipv6 snooping command without the attach-policy keyword. To attach the default policy to VLANs on the interface, use the ipv6 snooping vlan command. The default policy is security-level guard, device-role node, protocol ndp and dhcp.
Example:
SwitchDevice(config-if)# ipv6 snooping
or
SwitchDevice(config-if)# ipv6 snooping attach-policy example_policy
or
SwitchDevice(config-if)# ipv6 snooping vlan 111,112
or
SwitchDevice(config-if)# ipv6 snooping attach-policy example_policy vlan 111,112

Step 5 do show running-config
Purpose: Verifies that the policy is attached to the specified interface without exiting the interface configuration mode.
Example:
SwitchDevice(config-if)# do show running-config

How to Attach an IPv6 Snooping Policy to a Layer 2 EtherChannel Interface


Beginning in privileged EXEC mode, follow these steps to attach an IPv6 Snooping policy on an EtherChannel
interface or VLAN:

SUMMARY STEPS
1. configure terminal
2. interface range Interface_name
3. ipv6 snooping [attach-policy policy_name [vlan {vlan_ids | add vlan_ids | except vlan_ids | none | remove vlan_ids | all}] | vlan [{vlan_ids | add vlan_ids | except vlan_ids | none | remove vlan_ids | all}]]
4. do show running-config interface portchannel_interface_name

DETAILED STEPS

Step 1 configure terminal
Purpose: Enters the global configuration mode.
Example:
SwitchDevice# configure terminal

Step 2 interface range Interface_name
Purpose: Specify the port-channel interface name assigned when the EtherChannel was created. Enters the interface range configuration mode.
Example:
SwitchDevice(config)# interface Po11
Tip Enter the do show interfaces summary command for quick reference to interface names and types.

Step 3 ipv6 snooping [attach-policy policy_name [vlan {vlan_ids | add vlan_ids | except vlan_ids | none | remove vlan_ids | all}] | vlan [{vlan_ids | add vlan_ids | except vlan_ids | none | remove vlan_ids | all}]]
Purpose: Attaches the IPv6 Snooping policy to the interface or the specified VLANs on that interface. The default policy is attached if the attach-policy option is not used.
Example:
SwitchDevice(config-if-range)# ipv6 snooping attach-policy example_policy
or
SwitchDevice(config-if-range)# ipv6 snooping attach-policy example_policy vlan 222,223,224
or
SwitchDevice(config-if-range)# ipv6 snooping vlan 222,223,224

Step 4 do show running-config interface portchannel_interface_name
Purpose: Confirms that the policy is attached to the specified interface without exiting the configuration mode.
Example:
SwitchDevice(config-if-range)# do show running-config int po11

How to Configure the IPv6 Binding Table Content


Beginning in privileged EXEC mode, follow these steps to configure the IPv6 Binding Table Content:


SUMMARY STEPS
1. configure terminal
2. [no] ipv6 neighbor binding [vlan vlan-id {ipv6-address interface interface_type stack/module/port hw_address [reachable-lifetime value [seconds | default | infinite] | [tracking {[default | disable] [reachable-lifetime value [seconds | default | infinite] | [enable [reachable-lifetime value [seconds | default | infinite] | [retry-interval {seconds | default [reachable-lifetime value [seconds | default | infinite]}]
3. [no] ipv6 neighbor binding max-entries number [mac-limit number | port-limit number [mac-limit number] | vlan-limit number [[mac-limit number] | [port-limit number [mac-limit number]]]]
4. ipv6 neighbor binding logging
5. exit
6. show ipv6 neighbor binding

DETAILED STEPS

Step 1 configure terminal
Purpose: Enters the global configuration mode.
Example:
SwitchDevice# configure terminal

Step 2 [no] ipv6 neighbor binding [vlan vlan-id {ipv6-address interface interface_type stack/module/port hw_address [reachable-lifetime value [seconds | default | infinite] | [tracking {[default | disable] [reachable-lifetime value [seconds | default | infinite] | [enable [reachable-lifetime value [seconds | default | infinite] | [retry-interval {seconds | default [reachable-lifetime value [seconds | default | infinite]}]
Purpose: Adds a static entry to the binding table database.
Example:
SwitchDevice(config)# ipv6 neighbor binding

Step 3 [no] ipv6 neighbor binding max-entries number [mac-limit number | port-limit number [mac-limit number] | vlan-limit number [[mac-limit number] | [port-limit number [mac-limit number]]]]
Purpose: Specifies the maximum number of entries that are allowed to be inserted in the binding table cache.
Example:
SwitchDevice(config)# ipv6 neighbor binding max-entries 30000

Step 4 ipv6 neighbor binding logging
Purpose: Enables the logging of binding table main events.
Example:
SwitchDevice(config)# ipv6 neighbor binding logging

Step 5 exit
Purpose: Exits global configuration mode and places the device in privileged EXEC mode.
Example:
SwitchDevice(config)# exit

Step 6 show ipv6 neighbor binding
Purpose: Displays the contents of the binding table.
Example:
SwitchDevice# show ipv6 neighbor binding

How to Configure an IPv6 Neighbor Discovery Inspection Policy


Beginning in privileged EXEC mode, follow these steps to configure an IPv6 ND Inspection Policy:

SUMMARY STEPS
1. configure terminal
2. [no] ipv6 nd inspection policy policy-name
3. device-role {host | monitor | router | switch}
4. drop-unsecure
5. limit address-count value
6. sec-level minimum value
7. tracking {enable [reachable-lifetime {value | infinite}] | disable [stale-lifetime {value | infinite}]}
8. trusted-port
9. validate source-mac
10. no {device-role | drop-unsecure | limit address-count | sec-level minimum | tracking | trusted-port
| validate source-mac}
11. default {device-role | drop-unsecure | limit address-count | sec-level minimum | tracking |
trusted-port | validate source-mac}
12. do show ipv6 nd inspection policy policy_name

DETAILED STEPS

Step 1 configure terminal
Purpose: Enters the global configuration mode.
Example:
SwitchDevice# configure terminal

Step 2 [no] ipv6 nd inspection policy policy-name
Purpose: Specifies the ND inspection policy name and enters ND Inspection Policy configuration mode.
Example:
SwitchDevice(config)# ipv6 nd inspection policy example_policy

Step 3 device-role {host | monitor | router | switch}
Purpose: Specifies the role of the device attached to the port. The default is host.
Example:
SwitchDevice(config-nd-inspection)# device-role switch

Step 4 drop-unsecure
Purpose: Drops messages with no or invalid options or an invalid signature.
Example:
SwitchDevice(config-nd-inspection)# drop-unsecure

Step 5 limit address-count value
Purpose: Limits the number of addresses allowed per target. Enter a value from 1 to 10,000.
Example:
SwitchDevice(config-nd-inspection)# limit address-count 1000

Step 6 sec-level minimum value
Purpose: Specifies the minimum security level parameter value when Cryptographically Generated Address (CGA) options are used.
Example:
SwitchDevice(config-nd-inspection)# sec-level minimum 2

Step 7 tracking {enable [reachable-lifetime {value | infinite}] | disable [stale-lifetime {value | infinite}]}
Purpose: Overrides the default tracking policy on a port.
Example:
SwitchDevice(config-nd-inspection)# tracking disable stale-lifetime infinite

Step 8 trusted-port
Purpose: Configures a port to become a trusted port.
Example:
SwitchDevice(config-nd-inspection)# trusted-port

Step 9 validate source-mac
Purpose: Checks the source media access control (MAC) address against the link-layer address.
Example:
SwitchDevice(config-nd-inspection)# validate source-mac

Step 10 no {device-role | drop-unsecure | limit address-count | sec-level minimum | tracking | trusted-port | validate source-mac}
Purpose: Removes the current configuration of a parameter with the no form of the command.
Example:
SwitchDevice(config-nd-inspection)# no validate source-mac

Step 11 default {device-role | drop-unsecure | limit address-count | sec-level minimum | tracking | trusted-port | validate source-mac}
Purpose: Restores configuration to the default values.
Example:
SwitchDevice(config-nd-inspection)# default limit address-count

Step 12 do show ipv6 nd inspection policy policy_name
Purpose: Verifies the ND Inspection configuration without exiting ND inspection configuration mode.
Example:
SwitchDevice(config-nd-inspection)# do show ipv6 nd inspection policy example_policy
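The binding-table checks described for the snooping policy (security-level glean versus inspect, limit address-count, trusted-port precedence on a collision), the binding table's max-entries limit, and the ND inspection validate source-mac option, modelled together in Python as an added example. This is not Cisco code and not the switch's implementation; the class and field names are this model's own, and the guard level, which additionally rejects RA and DHCP server messages, is not modelled here. The ND messages, MAC addresses and port names are constructed.

```python
"""IPv6 binding table model with snooping / ND inspection checks.

Added example, not Cisco code.  Replays constructed Neighbor Discovery messages
against a policy and shows what is forwarded, what is dropped and why.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class NdMessage:
    """Constructed NS/NA message as seen on an access port."""
    port: str
    src_mac: str                 # Ethernet source MAC of the frame
    ipv6: str                    # IPv6 address the message claims
    lla: Optional[str] = None    # link-layer address option, if present


@dataclass
class Policy:
    """Policy options modelled here (field names are this model's own)."""
    security_level: str = "inspect"            # "glean" or "inspect"
    limit_address_count: Optional[int] = None  # addresses allowed per target MAC
    trusted_port: bool = False
    validate_source_mac: bool = False          # ND inspection option


@dataclass
class Binding:
    mac: str
    port: str
    trusted: bool   # learned through a trusted port


class BindingTable:
    def __init__(self, max_entries: int = 30000):
        self.max_entries = max_entries
        self.entries: Dict[str, Binding] = {}
        self.log: List[str] = []

    def _drop(self, msg: NdMessage, reason: str) -> str:
        self.log.append(f"drop {msg.ipv6} from {msg.src_mac} on {msg.port}: {reason}")
        return "drop"

    def _addresses_for(self, mac: str) -> int:
        return sum(1 for b in self.entries.values() if b.mac == mac)

    def process(self, msg: NdMessage, policy: Policy) -> str:
        """Apply the policy to one message; return "forward" or "drop"."""
        mac = (msg.lla or msg.src_mac).lower()
        # validate source-mac: the frame source MAC must match the LLA option.
        if policy.validate_source_mac and msg.lla and msg.lla.lower() != msg.src_mac.lower():
            return self._drop(msg, "source MAC differs from link-layer address option")
        existing = self.entries.get(msg.ipv6)
        if existing is None:
            # New binding: enforce the per-target and table-wide limits.
            if (policy.limit_address_count is not None
                    and self._addresses_for(mac) >= policy.limit_address_count):
                return self._drop(msg, "limit address-count reached for this target")
            if len(self.entries) >= self.max_entries:
                return self._drop(msg, "binding table full (max-entries)")
            self.entries[msg.ipv6] = Binding(mac, msg.port, policy.trusted_port)
            self.log.append(f"learn {msg.ipv6} -> {mac} on {msg.port}")
            return "forward"
        if existing.mac == mac:
            return "forward"   # refresh of a binding already in the table
        # Collision: a different MAC claims an address that is already bound.
        if policy.trusted_port and not existing.trusted:
            # A binding learned through a trusted port wins the collision.
            self.entries[msg.ipv6] = Binding(mac, msg.port, True)
            self.log.append(f"trusted override {msg.ipv6} -> {mac} on {msg.port}")
            return "forward"
        if policy.security_level == "glean" and not existing.trusted:
            # glean populates the table without verification: the last claim wins.
            self.entries[msg.ipv6] = Binding(mac, msg.port, False)
            return "forward"
        # inspect enforces address ownership; a trusted binding is never displaced.
        return self._drop(msg, "address ownership violation")


def run_demo():
    """Replay constructed messages; returns (decisions, table) for inspection."""
    table = BindingTable(max_entries=3)             # tiny limit to show max-entries
    inspect = Policy("inspect", limit_address_count=2, validate_source_mac=True)
    trusted = Policy("inspect", trusted_port=True)  # e.g. the uplink towards the router
    glean = Policy("glean")
    a, b, c, d, e = ("aa:aa:aa:aa:aa:01", "bb:bb:bb:bb:bb:02", "cc:cc:cc:cc:cc:03",
                     "dd:dd:dd:dd:dd:04", "ee:ee:ee:ee:ee:05")
    decisions = [
        table.process(NdMessage("Gi1/0/1", a, "2001:db8::a1", a), inspect),   # learn
        table.process(NdMessage("Gi1/0/1", a, "2001:db8::a2", a), inspect),   # learn (2nd address)
        table.process(NdMessage("Gi1/0/1", a, "2001:db8::a3", a), inspect),   # limit address-count
        table.process(NdMessage("Gi1/0/2", b, "2001:db8::a1", b), inspect),   # ownership violation
        table.process(NdMessage("Gi1/0/2", b, "2001:db8::b1", c), inspect),   # validate source-mac
        table.process(NdMessage("Gi1/0/24", d, "2001:db8::a1", d), trusted),  # trusted port wins
        table.process(NdMessage("Gi1/0/2", b, "2001:db8::a1", b), glean),     # trusted binding stays
        table.process(NdMessage("Gi1/0/2", b, "2001:db8::a2", b), glean),     # glean overwrites
        table.process(NdMessage("Gi1/0/3", e, "2001:db8::e1"), inspect),      # learn (3rd entry)
        table.process(NdMessage("Gi1/0/3", e, "2001:db8::e2"), inspect),      # max-entries reached
    ]
    return decisions, table


if __name__ == "__main__":
    verdicts, bt = run_demo()
    print(verdicts)
    print("\n".join(bt.log))
```

The replay makes the precedence rules concrete: the trusted-port claim for 2001:db8::a1 displaces the binding learned on Gi1/0/1, and from then on even a glean-level port cannot overwrite it, whereas the untrusted binding for 2001:db8::a2 is silently replaced under glean. That last case is why the guide lists glean as populating the table "without any verification".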

How to Attach an IPv6 Neighbor Discovery Inspection Policy to an Interface


Beginning in privileged EXEC mode, follow these steps to attach an IPv6 ND Inspection policy to an interface
or to VLANs on an interface:

SUMMARY STEPS
1. configure terminal
2. interface Interface_type stack/module/port
3. ipv6 nd inspection [attach-policy policy_name [vlan {vlan_ids | add vlan_ids | except vlan_ids | none | remove vlan_ids | all}] | vlan [{vlan_ids | add vlan_ids | except vlan_ids | none | remove vlan_ids | all}]]
4. do show running-config

DETAILED STEPS

Step 1 configure terminal
Purpose: Enters the global configuration mode.
Example:
SwitchDevice# configure terminal

Step 2 interface Interface_type stack/module/port
Purpose: Specifies an interface type and identifier; enters the interface configuration mode.
Example:
SwitchDevice(config)# interface gigabitethernet 1/1/4

Step 3 ipv6 nd inspection [attach-policy policy_name [vlan {vlan_ids | add vlan_ids | except vlan_ids | none | remove vlan_ids | all}] | vlan [{vlan_ids | add vlan_ids | except vlan_ids | none | remove vlan_ids | all}]]
Purpose: Attaches the Neighbor Discovery Inspection policy to the interface or the specified VLANs on that interface. The default policy is attached if the attach-policy option is not used.
Example:
SwitchDevice(config-if)# ipv6 nd inspection attach-policy example_policy
or
SwitchDevice(config-if)# ipv6 nd inspection attach-policy example_policy vlan 222,223,224
or
SwitchDevice(config-if)# ipv6 nd inspection vlan 222,223,224

Step 4 do show running-config
Purpose: Verifies that the policy is attached to the specified interface without exiting the interface configuration mode.
Example:
SwitchDevice(config-if)# do show running-config

How to Attach an IPv6 Neighbor Discovery Inspection Policy to a Layer 2 EtherChannel Interface

Beginning in privileged EXEC mode, follow these steps to attach an IPv6 Neighbor Discovery Inspection
policy on an EtherChannel interface or VLAN:

SUMMARY STEPS
1. configure terminal
2. interface range Interface_name
3. ipv6 nd inspection [attach-policy policy_name [vlan {vlan_ids | add vlan_ids | except vlan_ids | none | remove vlan_ids | all}] | vlan [{vlan_ids | add vlan_ids | except vlan_ids | none | remove vlan_ids | all}]]
4. do show running-config interface portchannel_interface_name

DETAILED STEPS

Step 1 configure terminal
Purpose: Enters the global configuration mode.
Example:
SwitchDevice# configure terminal

Step 2 interface range Interface_name
Purpose: Specify the port-channel interface name assigned when the EtherChannel was created. Enters the interface range configuration mode.
Example:
SwitchDevice(config)# interface Po11
Tip Enter the do show interfaces summary command for quick reference to interface names and types.

Step 3 ipv6 nd inspection [attach-policy policy_name [vlan {vlan_ids | add vlan_ids | except vlan_ids | none | remove vlan_ids | all}] | vlan [{vlan_ids | add vlan_ids | except vlan_ids | none | remove vlan_ids | all}]]
Purpose: Attaches the ND Inspection policy to the interface or the specified VLANs on that interface. The default policy is attached if the attach-policy option is not used.
Example:
SwitchDevice(config-if-range)# ipv6 nd inspection attach-policy example_policy
or
SwitchDevice(config-if-range)# ipv6 nd inspection attach-policy example_policy vlan 222,223,224
or
SwitchDevice(config-if-range)# ipv6 nd inspection vlan 222,223,224

Step 4 do show running-config interface portchannel_interface_name
Purpose: Confirms that the policy is attached to the specified interface without exiting the configuration mode.
Example:
SwitchDevice(config-if-range)# do show running-config int po11

How to Configure an IPv6 Router Advertisement Guard Policy


Beginning in privileged EXEC mode, follow these steps to configure an IPv6 Router Advertisement Guard policy:

SUMMARY STEPS
1. configure terminal
2. [no] ipv6 nd raguard policy policy-name
3. [no] device-role {host | monitor | router | switch}
4. [no] hop-limit {maximum | minimum} value
5. [no] managed-config-flag {off | on}
6. [no] match {ipv6 access-list list | ra prefix-list list}
7. [no] other-config-flag {on | off}
8. [no] router-preference maximum {high | medium | low}
9. [no] trusted-port
10. default {device-role | hop-limit {maximum | minimum} | managed-config-flag | match {ipv6 access-list | ra prefix-list} | other-config-flag | router-preference maximum | trusted-port}
11. do show ipv6 nd raguard policy policy_name

DETAILED STEPS

Step 1 configure terminal
Purpose: Enters the global configuration mode.
Example:
SwitchDevice# configure terminal

Step 2 [no] ipv6 nd raguard policy policy-name
Purpose: Specifies the RA Guard policy name and enters RA Guard Policy configuration mode.
Example:
SwitchDevice(config)# ipv6 nd raguard policy example_policy

Step 3 [no] device-role {host | monitor | router | switch}
Purpose: Specifies the role of the device attached to the port. The default is host.
Example:
SwitchDevice(config-nd-raguard)# device-role switch

Step 4 [no] hop-limit {maximum | minimum} value
Purpose: Enables filtering of Router Advertisement messages by the Hop Limit value. The range for the maximum and minimum Hop Limit values is 1–255. A rogue RA message may have a low Hop Limit value (equivalent to the IPv4 Time to Live) that, when accepted by the host, prevents the host from generating traffic to destinations beyond the rogue RA message generator. An RA message with an unspecified Hop Limit value is blocked. If not configured, this filter is disabled. Configure minimum to block RA messages with Hop Limit values lower than the value you specify. Configure maximum to block RA messages with Hop Limit values greater than the value you specify.
Example:
SwitchDevice(config-nd-raguard)# hop-limit maximum 33

Step 5 [no] managed-config-flag {off | on}
Purpose: Enables filtering of Router Advertisement messages by the Managed Address Configuration, or "M" flag field. A rogue RA message with an M field of 1 can cause a host to use a rogue DHCPv6 server. If not configured, this filter is disabled.
On—Accepts and forwards RA messages with an M value of 1, blocks those with 0.
Off—Accepts and forwards RA messages with an M value of 0, blocks those with 1.
Example:
SwitchDevice(config-nd-raguard)# managed-config-flag on

Step 6 [no] match {ipv6 access-list list | ra prefix-list list}
Purpose: Matches a specified prefix list or access list.
Example:
SwitchDevice(config-nd-raguard)# match ipv6 access-list example_list

Step 7 [no] other-config-flag {on | off}
Purpose: Enables filtering of Router Advertisement messages by the Other Configuration, or "O" flag field. A rogue RA message with an O field of 1 can cause a host to use a rogue DHCPv6 server. If not configured, this filter is disabled.
On—Accepts and forwards RA messages with an O value of 1, blocks those with 0.
Off—Accepts and forwards RA messages with an O value of 0, blocks those with 1.
Example:
SwitchDevice(config-nd-raguard)# other-config-flag on

Step 8 [no] router-preference maximum {high | medium | low}
Purpose: Enables filtering of Router Advertisement messages by the Router Preference flag. If not configured, this filter is disabled.
• high—Accepts RA messages with the Router Preference set to high, medium, or low.
• medium—Blocks RA messages with the Router Preference set to high.
• low—Blocks RA messages with the Router Preference set to medium and high.
Example:
SwitchDevice(config-nd-raguard)# router-preference maximum high

Step 9 [no] trusted-port
Purpose: When configured as a trusted port, all attached devices are trusted, and no further message verification is performed.
Example:
SwitchDevice(config-nd-raguard)# trusted-port

Step 10 default {device-role | hop-limit {maximum | minimum} | managed-config-flag | match {ipv6 access-list | ra prefix-list} | other-config-flag | router-preference maximum | trusted-port}
Purpose: Restores a command to its default value.
Example:
SwitchDevice(config-nd-raguard)# default hop-limit

Step 11 do show ipv6 nd raguard policy policy_name
Purpose: (Optional) Displays the RA Guard policy configuration without exiting the RA Guard policy configuration mode.
Example:
SwitchDevice(config-nd-raguard)# do show ipv6 nd raguard policy example_policy
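The RA Guard filters from Steps 3 through 9 above, applied in Python to constructed Router Advertisements as an added example. This is not Cisco code or the switch's implementation; the dataclass and function names are this model's own, and the device roles monitor, router and switch are all treated as "apply the configured filters" (the guide only spells out the host role, so that grouping is an assumption). The RA field values and source addresses are constructed so that each configured filter is exercised once.

```python
"""RA Guard policy model (added example, not Cisco code).

Applies device-role, hop-limit, managed-config-flag, other-config-flag,
router-preference maximum and trusted-port to constructed RAs and reports why
each one is forwarded or blocked.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Order used by "router-preference maximum": maximum high accepts all three,
# medium blocks high, low blocks medium and high.
PREF_RANK = {"low": 0, "medium": 1, "high": 2}


@dataclass
class RouterAdvertisement:
    """Constructed RA; only the fields RA Guard inspects are modelled."""
    src: str                  # link-local source of the RA (constructed)
    hop_limit: int            # Cur Hop Limit field; 0 means unspecified
    m_flag: bool              # Managed Address Configuration ("M") flag
    o_flag: bool              # Other Configuration ("O") flag
    router_preference: str    # "high" | "medium" | "low"


@dataclass
class RaGuardPolicy:
    device_role: str = "host"                      # guide default: host
    hop_limit_minimum: Optional[int] = None        # 1-255; None = filter disabled
    hop_limit_maximum: Optional[int] = None
    managed_config_flag: Optional[str] = None      # "on" | "off" | None
    other_config_flag: Optional[str] = None
    router_preference_maximum: Optional[str] = None
    trusted_port: bool = False


def evaluate(ra: RouterAdvertisement, policy: RaGuardPolicy) -> Tuple[str, str]:
    """Return ("forward" | "block", reason) for one RA received on the port."""
    if policy.trusted_port:
        return "forward", "trusted-port: no message verification"
    if policy.device_role == "host":
        # In host mode every RA (and router redirect) is disallowed on the port.
        return "block", "device-role host: router advertisements not allowed"
    # Assumption: monitor, router and switch roles all apply the filters below.
    if policy.hop_limit_minimum is not None or policy.hop_limit_maximum is not None:
        if ra.hop_limit == 0:
            return "block", "hop-limit filter: unspecified Hop Limit"
        if policy.hop_limit_minimum is not None and ra.hop_limit < policy.hop_limit_minimum:
            return "block", f"hop limit {ra.hop_limit} below minimum {policy.hop_limit_minimum}"
        if policy.hop_limit_maximum is not None and ra.hop_limit > policy.hop_limit_maximum:
            return "block", f"hop limit {ra.hop_limit} above maximum {policy.hop_limit_maximum}"
    for flag_name, value, setting in (("M", ra.m_flag, policy.managed_config_flag),
                                      ("O", ra.o_flag, policy.other_config_flag)):
        # "on" forwards flag=1 and blocks flag=0; "off" does the opposite.
        if setting is not None and value != (setting == "on"):
            return "block", f"{flag_name} flag is {int(value)} but policy is {setting}"
    if policy.router_preference_maximum is not None:
        if PREF_RANK[ra.router_preference] > PREF_RANK[policy.router_preference_maximum]:
            return "block", (f"router preference {ra.router_preference} exceeds "
                             f"maximum {policy.router_preference_maximum}")
    return "forward", "passed all configured RA Guard filters"


def run_demo() -> List[str]:
    """Constructed RAs against a router-facing policy; returns each verdict."""
    policy = RaGuardPolicy(device_role="router", hop_limit_minimum=32,
                           managed_config_flag="off", router_preference_maximum="medium")
    host_port = RaGuardPolicy()                     # default policy: device-role host
    cases = [
        (RouterAdvertisement("fe80::1", 64, False, True, "medium"), policy),    # legitimate RA
        (RouterAdvertisement("fe80::bad", 1, False, False, "medium"), policy),  # low hop limit
        (RouterAdvertisement("fe80::bad", 0, False, False, "medium"), policy),  # unspecified hop limit
        (RouterAdvertisement("fe80::bad", 64, True, False, "medium"), policy),  # M=1 steers hosts to DHCPv6
        (RouterAdvertisement("fe80::bad", 64, False, False, "high"), policy),   # preference above maximum
        (RouterAdvertisement("fe80::1", 64, False, True, "medium"), host_port), # same RA on a host port
    ]
    verdicts = []
    for ra, pol in cases:
        verdict, reason = evaluate(ra, pol)
        verdicts.append(verdict)
        print(f"{ra.src:10} {verdict:8} {reason}")
    return verdicts


if __name__ == "__main__":
    run_demo()
```

Note the order of the checks: trusted-port short-circuits everything, and device-role host blocks before any per-field filter is consulted, which matches the guide's statement that in host mode all RAs are disallowed regardless of content. The last case shows that the same well-formed RA that passes on the router-facing port is blocked on a port left at the default role.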

How to Attach an IPv6 Router Advertisement Guard Policy to an Interface


Beginning in privileged EXEC mode, follow these steps to attach an IPv6 Router Advertisement Guard policy to an
interface or to VLANs on the interface:

SUMMARY STEPS
1. configure terminal
2. interface Interface_type stack/module/port
3. ipv6 nd raguard [attach-policy policy_name [vlan {vlan_ids | add vlan_ids | except vlan_ids | none | remove vlan_ids | all}] | vlan [{vlan_ids | add vlan_ids | except vlan_ids | none | remove vlan_ids | all}]]
4. do show running-config


DETAILED STEPS

Step 1 configure terminal
Purpose: Enters the global configuration mode.
Example:
SwitchDevice# configure terminal

Step 2 interface Interface_type stack/module/port
Purpose: Specifies an interface type and identifier; enters the interface configuration mode.
Example:
SwitchDevice(config)# interface gigabitethernet 1/1/4

Step 3 ipv6 nd raguard [attach-policy policy_name [vlan {vlan_ids | add vlan_ids | except vlan_ids | none | remove vlan_ids | all}] | vlan [{vlan_ids | add vlan_ids | except vlan_ids | none | remove vlan_ids | all}]]
Purpose: Attaches the RA Guard policy to the interface or the specified VLANs on that interface. The default policy is attached if the attach-policy option is not used.
Example:
SwitchDevice(config-if)# ipv6 nd raguard attach-policy example_policy
or
SwitchDevice(config-if)# ipv6 nd raguard attach-policy example_policy vlan 222,223,224
or
SwitchDevice(config-if)# ipv6 nd raguard vlan 222,223,224

Step 4 do show running-config
Purpose: Confirms that the policy is attached to the specified interface without exiting the configuration mode.
Example:
SwitchDevice(config-if)# do show running-config

How to Attach an IPv6 Router Advertisement Guard Policy to a Layer 2 EtherChannel Interface

Beginning in privileged EXEC mode, follow these steps to attach an IPv6 Router Advertisement Guard Policy
on an EtherChannel interface or VLAN:

SUMMARY STEPS
1. configure terminal
2. interface range Interface_name
3. ipv6 nd raguard [attach-policy policy_name [vlan {vlan_ids | add vlan_ids | except vlan_ids | none | remove vlan_ids | all}] | vlan [{vlan_ids | add vlan_ids | except vlan_ids | none | remove vlan_ids | all}]]
4. do show running-config interface portchannel_interface_name

DETAILED STEPS

Step 1 configure terminal
Purpose: Enters the global configuration mode.
Example:
SwitchDevice# configure terminal

Step 2 interface range Interface_name
Purpose: Specify the port-channel interface name assigned when the EtherChannel was created. Enters the interface range configuration mode.
Example:
SwitchDevice(config)# interface Po11
Tip Enter the do show interfaces summary command for quick reference to interface names and types.

Step 3 ipv6 nd raguard [attach-policy policy_name [vlan {vlan_ids | add vlan_ids | except vlan_ids | none | remove vlan_ids | all}] | vlan [{vlan_ids | add vlan_ids | except vlan_ids | none | remove vlan_ids | all}]]
Purpose: Attaches the RA Guard policy to the interface or the specified VLANs on that interface. The default policy is attached if the attach-policy option is not used.
Example:
SwitchDevice(config-if-range)# ipv6 nd raguard attach-policy example_policy
or
SwitchDevice(config-if-range)# ipv6 nd raguard attach-policy example_policy vlan 222,223,224
or
SwitchDevice(config-if-range)# ipv6 nd raguard vlan 222,223,224

Step 4 do show running-config interface portchannel_interface_name
Purpose: Confirms that the policy is attached to the specified interface without exiting the configuration mode.
Example:
SwitchDevice(config-if-range)# do show running-config int po11

How to Configure an IPv6 DHCP Guard Policy

Beginning in privileged EXEC mode, follow these steps to configure an IPv6 DHCP (DHCPv6) Guard policy:

SUMMARY STEPS
1. configure terminal
2. [no] ipv6 dhcp guard policy policy-name
3. [no] device-role {client | server}
4. [no] match server access-list ipv6-access-list-name
5. [no] match reply prefix-list ipv6-prefix-list-name
6. [no] preference {max limit | min limit}
7. [no] trusted-port
8. default {device-role | trusted-port}
9. do show ipv6 dhcp guard policy policy_name

DETAILED STEPS

Step 1 configure terminal
Purpose: Enters the global configuration mode.
Example:
SwitchDevice# configure terminal

Step 2 [no] ipv6 dhcp guard policy policy-name
Purpose: Specifies the DHCPv6 Guard policy name and enters DHCPv6 Guard Policy configuration mode.
Example:
SwitchDevice(config)# ipv6 dhcp guard policy example_policy

Step 3 [no] device-role {client | server}
Purpose: (Optional) Filters out DHCPv6 replies and DHCPv6 advertisements on the port that are not from a device of the specified role. Default is client.
• client—Default value, specifies that the attached device is a client. Server messages are dropped on this port.
• server—Specifies that the attached device is a DHCPv6 server. Server messages are allowed on this port.
Example:
SwitchDevice(config-dhcp-guard)# device-role server

Step 4 [no] match server access-list ipv6-access-list-name
Purpose: (Optional) Enables verification that the advertised DHCPv6 server or relay address is from an authorized server access list (the destination address in the access list is 'any'). If not configured, this check will be bypassed. An empty access list is treated as a permit all.
Example:
;; Assume a preconfigured IPv6 access list as follows:
SwitchDevice(config)# ipv6 access-list my_acls
SwitchDevice(config-ipv6-acl)# permit host FE80::A8BB:CCFF:FE01:F700 any

;; Configure DHCPv6 Guard to match the approved access list.
SwitchDevice(config-dhcp-guard)# match server access-list my_acls

Step 5 [no] match reply prefix-list ipv6-prefix-list-name
Purpose: (Optional) Enables verification of the advertised prefixes in DHCPv6 reply messages against the configured authorized prefix list. If not configured, this check will be bypassed. An empty prefix list is treated as a permit.
Example:
;; Assume a preconfigured IPv6 prefix list as follows:
SwitchDevice(config)# ipv6 prefix-list my_prefix permit 2001:0DB8::/64 le 128

;; Configure DHCPv6 Guard to match the prefix list.
SwitchDevice(config-dhcp-guard)# match reply prefix-list my_prefix

Step 6 [no] preference {max limit | min limit}
Purpose: Configure max and min when device-role is server to filter DHCPv6 server advertisements by the server preference value. The defaults permit all advertisements.
max limit—(0 to 255) (Optional) Enables verification that the advertised preference (in the preference option) is less than the specified limit. Default is 255. If not specified, this check will be bypassed.
min limit—(0 to 255) (Optional) Enables verification that the advertised preference (in the preference option) is greater than the specified limit. Default is 0. If not specified, this check will be bypassed.
Example:
SwitchDevice(config-dhcp-guard)# preference max 250
SwitchDevice(config-dhcp-guard)# preference min 150

Step 7 [no] trusted-port
Purpose: (Optional) trusted-port—Sets the port to a trusted mode. No further policing takes place on the port.
Note: If you configure a trusted port, the device-role option is not available.
Example:
SwitchDevice(config-dhcp-guard)# trusted-port

Step 8 default {device-role | trusted-port}
Purpose: (Optional) default—Sets a command to its defaults.
Example:
SwitchDevice(config-dhcp-guard)# default device-role

Step 9 do show ipv6 dhcp guard policy policy_name
Purpose: (Optional) Displays the configuration of the IPv6 DHCP guard policy without leaving the configuration submode. Omitting the policy_name variable displays all DHCPv6 policies.
Example:
SwitchDevice(config-dhcp-guard)# do show ipv6 dhcp guard policy example_policy

Example of DHCPv6 Guard Configuration


enable
configure terminal
ipv6 access-list acl1
permit host FE80::A8BB:CCFF:FE01:F700 any
ipv6 prefix-list abc permit 2001:0DB8::/64 le 128
ipv6 dhcp guard policy pol1
device-role server
match server access-list acl1
match reply prefix-list abc
preference min 0
preference max 255

trusted-port
interface GigabitEthernet 0/2/0
switchport
ipv6 dhcp guard attach-policy pol1 vlan add 1
vlan 1
ipv6 dhcp guard attach-policy pol1
show ipv6 dhcp guard policy pol1
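To make the effect of each policy line concrete, here is an added example (not Cisco code and not from this guide) that models the documented DHCPv6 Guard checks in Python: device-role, match server access-list, match reply prefix-list, preference max/min and trusted-port. The policy and message classes and all addresses are constructed for the example; prefix-list entries are read as "permit prefix le 128" and the comparisons follow the guide's wording.

```python
"""Model of the DHCPv6 Guard policy checks documented in this section.

Added example, not Cisco code. Policy fields map to the CLI lines above
(device-role, match server access-list, match reply prefix-list,
preference max/min, trusted-port); messages, addresses and limits are
constructed sample data, and comparisons follow the guide's wording.
"""
import ipaddress
from dataclasses import dataclass, field
from typing import List, Optional, Tuple


@dataclass
class DhcpGuardPolicy:
    device_role: str = "client"                    # guide: default is client
    server_acl: Optional[List[str]] = None         # permitted server/relay hosts
    reply_prefix_list: Optional[List[str]] = None  # read as "permit P le 128"
    pref_max: Optional[int] = None                 # None: check bypassed
    pref_min: Optional[int] = None                 # None: check bypassed
    trusted_port: bool = False


@dataclass
class ServerMessage:
    """One DHCPv6 ADVERTISE/REPLY as seen on the port (constructed)."""
    src: str                                           # server or relay source address
    prefixes: List[str] = field(default_factory=list)  # prefixes offered in the reply
    preference: int = 0                                # absent option counts as 0 (RFC 3315)


def evaluate(policy: DhcpGuardPolicy, msg: ServerMessage) -> Tuple[bool, str]:
    """Return (permitted, reason) for a server-originated message on this port."""
    if policy.trusted_port:
        return True, "trusted-port: no further policing"
    if policy.device_role != "server":
        return False, "device-role client: server messages are dropped"
    # match server access-list: bypassed when not configured, and an
    # empty access list is treated as permit all
    if policy.server_acl:
        permitted = {ipaddress.ip_address(a) for a in policy.server_acl}
        if ipaddress.ip_address(msg.src) not in permitted:
            return False, f"server {msg.src} not in access list"
    # match reply prefix-list: each advertised prefix must sit inside an
    # entry; an empty prefix list is treated as a permit
    if policy.reply_prefix_list:
        allowed = [ipaddress.ip_network(p, strict=False)
                   for p in policy.reply_prefix_list]
        for p in msg.prefixes:
            net = ipaddress.ip_network(p, strict=False)
            if not any(net.subnet_of(a) for a in allowed):
                return False, f"prefix {p} not in reply prefix-list"
    # preference limits: the advertised value must be less than max and
    # greater than min; an unset limit bypasses that check
    if policy.pref_max is not None and not msg.preference < policy.pref_max:
        return False, f"preference {msg.preference} not below max {policy.pref_max}"
    if policy.pref_min is not None and not msg.preference > policy.pref_min:
        return False, f"preference {msg.preference} not above min {policy.pref_min}"
    return True, "permitted"
```

Building a policy with device_role="server", the access list and prefix list from steps 4 and 5, and preference max 250 / min 150 from step 6 shows which constructed advertisements each line drops.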

How to Attach an IPv6 DHCP Guard Policy to an Interface or a VLAN on an Interface

Beginning in privileged EXEC mode, follow these steps to attach an IPv6 DHCP Guard policy to an interface or to a VLAN on an interface:

SUMMARY STEPS
1. configure terminal
2. interface Interface_type stack/module/port
3. ipv6 dhcp guard [attach-policy policy_name [ vlan {vlan_ids | add vlan_ids | except vlan_ids | none | remove vlan_ids | all} ] | vlan [ {vlan_ids | add vlan_ids | except vlan_ids | none | remove vlan_ids | all} ]
4. do show running-config interface Interface_type stack/module/port

DETAILED STEPS

Step 1 configure terminal
Purpose: Enters the global configuration mode.
Example:
SwitchDevice# configure terminal

Step 2 interface Interface_type stack/module/port
Purpose: Specifies an interface type and identifier; enters the interface configuration mode.
Example:
SwitchDevice(config)# interface gigabitethernet 1/1/4

Step 3 ipv6 dhcp guard [attach-policy policy_name [ vlan {vlan_ids | add vlan_ids | except vlan_ids | none | remove vlan_ids | all} ] | vlan [ {vlan_ids | add vlan_ids | except vlan_ids | none | remove vlan_ids | all} ]
Purpose: Attaches the DHCP Guard policy to the interface or the specified VLANs on that interface. The default policy is attached if the attach-policy option is not used.
Example:
SwitchDevice(config-if)# ipv6 dhcp guard attach-policy example_policy
or
SwitchDevice(config-if)# ipv6 dhcp guard attach-policy example_policy vlan 222,223,224
or
SwitchDevice(config-if)# ipv6 dhcp guard vlan 222,223,224

Step 4 do show running-config interface Interface_type stack/module/port
Purpose: Confirms that the policy is attached to the specified interface without exiting the configuration mode.
Example:
SwitchDevice(config-if)# do show running-config interface gig 1/1/4

How to Attach an IPv6 DHCP Guard Policy to a Layer 2 EtherChannel Interface

Beginning in privileged EXEC mode, follow these steps to attach an IPv6 DHCP Guard policy on an EtherChannel interface or VLAN:

SUMMARY STEPS
1. configure terminal
2. interface range Interface_name
3. ipv6 dhcp guard [attach-policy policy_name [ vlan {vlan_ids | add vlan_ids | except vlan_ids | none | remove vlan_ids | all} ] | vlan [ {vlan_ids | add vlan_ids | except vlan_ids | none | remove vlan_ids | all} ]
4. do show running-config interface portchannel_interface_name

DETAILED STEPS

Step 1 configure terminal
Purpose: Enters the global configuration mode.
Example:
SwitchDevice# configure terminal

Step 2 interface range Interface_name
Purpose: Specifies the port-channel interface name assigned when the EtherChannel was created and enters the interface range configuration mode.
Example:
SwitchDevice(config)# interface Po11
Tip: Enter the do show interfaces summary command for quick reference to interface names and types.

Step 3 ipv6 dhcp guard [attach-policy policy_name [ vlan {vlan_ids | add vlan_ids | except vlan_ids | none | remove vlan_ids | all} ] | vlan [ {vlan_ids | add vlan_ids | except vlan_ids | none | remove vlan_ids | all} ]
Purpose: Attaches the DHCP Guard policy to the interface or the specified VLANs on that interface. The default policy is attached if the attach-policy option is not used.
Example:
SwitchDevice(config-if-range)# ipv6 dhcp guard attach-policy example_policy
or
SwitchDevice(config-if-range)# ipv6 dhcp guard attach-policy example_policy vlan 222,223,224
or
SwitchDevice(config-if-range)# ipv6 dhcp guard vlan 222,223,224

Step 4 do show running-config interface portchannel_interface_name
Purpose: Confirms that the policy is attached to the specified interface without exiting the configuration mode.
Example:
SwitchDevice(config-if-range)# do show running-config int po11

How to Configure IPv6 Source Guard

SUMMARY STEPS
1. enable
2. configure terminal
3. [no] ipv6 source-guard policy policy_name
4. [deny global-autoconf] [permit link-local] [default{. . . }] [exit] [no{. . . }]
5. end
6. show ipv6 source-guard policy policy_name

DETAILED STEPS

Step 1 enable
Purpose: Enables privileged EXEC mode. Enter your password if prompted.
Example:
SwitchDevice> enable

Step 2 configure terminal
Purpose: Enters the global configuration mode.
Example:
SwitchDevice# configure terminal

Step 3 [no] ipv6 source-guard policy policy_name
Purpose: Specifies the IPv6 Source Guard policy name and enters IPv6 Source Guard policy configuration mode.
Example:
SwitchDevice(config)# ipv6 source-guard policy example_policy

Step 4 [deny global-autoconf] [permit link-local] [default{. . . }] [exit] [no{. . . }]
Purpose: (Optional) Defines the IPv6 Source Guard policy.
• deny global-autoconf—Denies data traffic from auto-configured global addresses. This is useful when all global addresses on a link are DHCP-assigned and the administrator wants to block hosts with self-configured addresses from sending traffic.
• permit link-local—Allows all data traffic that is sourced by a link-local address.
Note: The trusted option under the source guard policy is not supported.
Example:
SwitchDevice(config-sisf-sourceguard)# deny global-autoconf

Step 5 end
Purpose: Exits IPv6 Source Guard policy configuration mode.
Example:
SwitchDevice(config-sisf-sourceguard)# end

Step 6 show ipv6 source-guard policy policy_name
Purpose: Shows the policy configuration and all the interfaces where the policy is applied.
Example:
SwitchDevice# show ipv6 source-guard policy example_policy

What to do next
Apply the IPv6 Source Guard policy to an interface.

How to Attach an IPv6 Source Guard Policy to an Interface

SUMMARY STEPS
1. enable
2. configure terminal
3. interface Interface_type stack/module/port
4. ipv6 source-guard [attach-policy <policy_name> ]
5. show ipv6 source-guard policy policy_name

DETAILED STEPS

Step 1 enable
Purpose: Enables privileged EXEC mode. Enter your password if prompted.
Example:
SwitchDevice> enable

Step 2 configure terminal
Purpose: Enters the global configuration mode.
Example:
SwitchDevice# configure terminal

Step 3 interface Interface_type stack/module/port
Purpose: Specifies an interface type and identifier; enters the interface configuration mode.
Example:
SwitchDevice(config)# interface gigabitethernet 1/1/4

Step 4 ipv6 source-guard [attach-policy <policy_name> ]
Purpose: Attaches the IPv6 Source Guard policy to the interface. The default policy is attached if the attach-policy option is not used.
Example:
SwitchDevice(config-if)# ipv6 source-guard attach-policy example_policy

Step 5 show ipv6 source-guard policy policy_name
Purpose: Shows the policy configuration and all the interfaces where the policy is applied.
Example:
SwitchDevice(config-if)# do show ipv6 source-guard policy example_policy

How to Attach an IPv6 Source Guard Policy to a Layer 2 EtherChannel Interface

SUMMARY STEPS
1. enable
2. configure terminal
3. interface port-channel port-channel-number
4. ipv6 source-guard [attach-policy <policy_name> ]
5. show ipv6 source-guard policy policy_name

DETAILED STEPS

Step 1 enable
Purpose: Enables privileged EXEC mode. Enter your password if prompted.
Example:
SwitchDevice> enable

Step 2 configure terminal
Purpose: Enters the global configuration mode.
Example:
SwitchDevice# configure terminal

Step 3 interface port-channel port-channel-number
Purpose: Specifies an interface type and port number and places the switch in the port channel configuration mode.
Example:
SwitchDevice(config)# interface Po4

Step 4 ipv6 source-guard [attach-policy <policy_name> ]
Purpose: Attaches the IPv6 Source Guard policy to the interface. The default policy is attached if the attach-policy option is not used.
Example:
SwitchDevice(config-if)# ipv6 source-guard attach-policy example_policy

Step 5 show ipv6 source-guard policy policy_name
Purpose: Shows the policy configuration and all the interfaces where the policy is applied.
Example:
SwitchDevice(config-if)# do show ipv6 source-guard policy example_policy

How to Configure IPv6 Prefix Guard

Note: To allow routing protocol control packets sourced by a link-local address when prefix guard is applied, enable the permit link-local command in the source-guard policy configuration mode.

SUMMARY STEPS
1. enable
2. configure terminal
3. [no] ipv6 source-guard policy source-guard-policy
4. [no] validate address
5. validate prefix
6. exit
7. show ipv6 source-guard policy [source-guard-policy]

DETAILED STEPS

Step 1 enable
Purpose: Enables privileged EXEC mode. Enter your password if prompted.
Example:
SwitchDevice> enable

Step 2 configure terminal
Purpose: Enters the global configuration mode.
Example:
SwitchDevice# configure terminal

Step 3 [no] ipv6 source-guard policy source-guard-policy
Purpose: Defines an IPv6 source-guard policy name and enters switch integrated security features source-guard policy configuration mode.
Example:
SwitchDevice(config)# ipv6 source-guard policy my_snooping_policy

Step 4 [no] validate address
Purpose: Disables the validate address feature and enables the IPv6 prefix guard feature to be configured.
Example:
SwitchDevice(config-sisf-sourceguard)# no validate address

Step 5 validate prefix
Purpose: Enables IPv6 source guard to perform the IPv6 prefix-guard operation.
Example:
SwitchDevice(config-sisf-sourceguard)# validate prefix

Step 6 exit
Purpose: Exits switch integrated security features source-guard policy configuration mode and returns to privileged EXEC mode.
Example:
SwitchDevice(config-sisf-sourceguard)# exit

Step 7 show ipv6 source-guard policy [source-guard-policy]
Purpose: Displays the IPv6 source-guard policy configuration.
Example:
SwitchDevice# show ipv6 source-guard policy policy1
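As an added example (not Cisco code and not from this guide), the following Python models the per-port decision that the IPv6 Source Guard procedure and the IPv6 Prefix Guard procedure above configure, including why permit link-local matters once prefix guard is applied. It assumes a binding table that records whether each address was learned through DHCP or through ND (autoconfiguration) and a prefix table learned from RAs; both tables, the policy and every address are constructed sample data.

```python
"""Model of the IPv6 Source Guard / Prefix Guard decision on one port.

Added example, not Cisco code. It assumes the switch keeps a binding
table recording whether each address was learned through DHCP or ND
(autoconfiguration) and a prefix table learned from RAs. The policy
options are the ones documented above: validate address (default),
validate prefix, permit link-local and deny global-autoconf. All
tables and addresses below are constructed sample data.
"""
import ipaddress
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

LINK_LOCAL = ipaddress.ip_network("fe80::/10")


@dataclass
class SourceGuardPolicy:
    validate_address: bool = True      # default: source must have a binding
    validate_prefix: bool = False      # prefix guard: source inside a learned prefix
    permit_link_local: bool = False
    deny_global_autoconf: bool = False


@dataclass
class PortState:
    """What the switch has learned on the port (constructed sample)."""
    bindings: Dict[str, str] = field(default_factory=dict)  # address -> "dhcp" | "nd"
    prefixes: List[str] = field(default_factory=list)       # prefixes learned from RAs


def check_source(policy: SourceGuardPolicy, port: PortState, src: str) -> Tuple[bool, str]:
    """Decide whether a data packet sourced from src may enter the port."""
    addr = ipaddress.ip_address(src)
    # permit link-local: lets link-local sourced traffic (for example
    # routing protocol control packets) through regardless of the tables
    if policy.permit_link_local and addr in LINK_LOCAL:
        return True, "permit link-local"
    origins = {ipaddress.ip_address(a): o for a, o in port.bindings.items()}
    origin = origins.get(addr)
    # deny global-autoconf: a global address whose binding was learned
    # from ND (self-configured) is dropped even though a binding exists
    if policy.deny_global_autoconf and addr not in LINK_LOCAL and origin == "nd":
        return False, "deny global-autoconf"
    if policy.validate_address:
        if origin is None:
            return False, "no binding-table entry for source"
        return True, f"binding learned via {origin}"
    if policy.validate_prefix:
        for p in port.prefixes:
            if addr in ipaddress.ip_network(p, strict=False):
                return True, f"source within learned prefix {p}"
        return False, "source outside every learned prefix"
    return True, "no validation enabled"
```

With validate prefix and no permit link-local, a link-local source is dropped because it lies outside every global prefix, which is the case the Note at the top of the prefix guard procedure addresses.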

How to Attach an IPv6 Prefix Guard Policy to an Interface


SUMMARY STEPS
1. enable
2. configure terminal
3. interface Interface_type stack/module/port
