Cisco 819 Integrated Services Routers Software Configuration Guide
Configuring the Ethernet Switches

This chapter gives an overview of configuration tasks for the 4-port Fast Ethernet (FE) switch and for the Gigabit Ethernet (GE) switch that services the embedded wireless access point on the Cisco 819 Integrated Services Routers (ISRs).

The FE switches are 10/100Base T Layer 2 Fast Ethernet switches. Traffic between different VLANs on a switch is routed through the router platform with the switched virtual interface (SVI).

The GE switch is a 1000Base T Layer 2 Gigabit Ethernet switch with an internal interface between the router and its embedded wireless access point.

Any switch port may be configured as a trunking port to connect to other Cisco Ethernet switches.

Switch Port Numbering and Naming

The ports on the FE switch are numbered FE0 through FE3. The port on the GE switch is named and numbered Wlan-GigabitEthernet0.

Restrictions for the FE Switch

The following restrictions apply to the FE switch:

  • The ports of an FE switch must NOT be connected to any Fast Ethernet onboard port of the router.
  • Inline power is not supported on Cisco 819 ISRs.
  • VTP pruning is not supported.
  • The FE switch can support up to 200 secure MAC addresses.

Information About Ethernet Switches

To configure Ethernet switches, you should understand the following concepts:

Cisco Discovery Protocol

Cisco Discovery Protocol (CDP) runs over Layer 2 (the data link layer) on all Cisco routers, bridges, access servers, and switches. CDP allows network management applications to discover Cisco devices that are neighbors of already known devices, in particular, neighbors running lower-layer, transparent protocols. With CDP, network management applications can learn the device type and the SNMP agent address of neighboring devices. This feature enables applications to send SNMP queries to neighboring devices.

CDP runs on all LAN and WAN media that support Subnetwork Access Protocol (SNAP). Each CDP-configured device sends periodic messages to a multicast address. Each device advertises at least one address at which it can receive SNMP messages. The advertisements also contain the time-to-live, or hold-time information, which indicates the length of time a receiving device should hold CDP information before discarding it.

IGMP Snooping

For information on the concept of IGMP Snooping, see IGMP Snooping.

IGMP Version 3

The Cisco 819 ISRs support Version 3 of IGMP snooping.

IGMPv3 provides support for source filtering, which enables a multicast receiver host to signal to a router which groups the receiver host wants to receive multicast traffic from and from which sources this traffic is expected. Enabling the IGMPv3 feature with IGMP snooping on Cisco ISRs provides Basic IGMPv3 Snooping Support (BISS). BISS provides constrained flooding of multicast traffic in the presence of IGMPv3 hosts. This support constrains traffic to approximately the same set of ports as IGMPv2 snooping does with IGMPv2 hosts. The constrained flooding only considers the destination multicast address.

Overview of SNMP MIBs

Simple Network Management Protocol (SNMP) development and use is centered around the Management Information Base (MIB). An SNMP MIB is an abstract database: a conceptual specification for information that a management application may read and modify in a certain form. This does not imply that the information is kept in the managed system in that same form. The SNMP agent translates between the internal data structures and formats of the managed system and the external data structures and formats defined for the MIB.

The SNMP MIB is conceptually a tree structure with conceptual tables. Cisco Layer 2 Switching Interface MIB is discussed in more detail in the next section. Relative to this tree structure, the term MIB is used in two senses. In one sense, it is actually a MIB branch, usually containing information for a single aspect of technology, such as a transmission medium or a routing protocol. A MIB used in this sense is more accurately called a MIB module and is usually defined in a single document. In the other sense, a MIB is a collection of such branches. Such a collection might comprise, for example, all the MIB modules implemented by a given agent or the entire collection of MIB modules defined for SNMP.

A MIB is a tree where the leaves are individual items of data called objects. An object may be, for example, a counter or a protocol status. MIB objects are also sometimes called variables.

For a list of MIBs supported on Cisco 819 4G LTE routers, see the “SNMP MIBs” section of Configuring Cisco 4G LTE Wireless WAN EHWIC.

MIBs were modified in IOS release 15.2(4)M1 to support Cisco 819HGW and Cisco 819HWD SKUs. Table 10-1 lists the MIBs for Cisco 819 ISRs.

Table 10-1 MIBs for Cisco 819 ISRs

MIBs:

  • CISCO-PRODUCTS-MIB
  • CISCO-ENTITY-VENDORTYPE-OID-MIB
  • OLD-CISCO-CHASSIS-MIB
  • CISCO-WAN-3G-MIB

MIBs Link: To locate and download MIBs for selected platforms, Cisco IOS releases, and feature sets, use Cisco MIB Locator found at the following URL:

http://tools.cisco.com/ITDIT/MIBS/servlet/index

BRIDGE-MIB for Layer 2 Ethernet Switching

The Layer 2 Ethernet Switching Interface BRIDGE-MIB is supported on the Cisco 819 platforms. The BRIDGE-MIB enables the user to know the Media Access Control (MAC) addresses and spanning tree information of the Ethernet switch modules. The user can query the MIB agent using SNMP and get the details of the Ethernet switch modules, such as the MAC addresses of each interface and spanning tree protocol information.

The BRIDGE-MIB uses the following approaches to get the Layer 2 BRIDGE-MIB information:

  • Community-string-based approach
  • Context-based approach

In the community-string-based approach, one community string is created for each VLAN. Based on the query, the respective VLAN MIB is displayed.

To get the BRIDGE-MIB details, use the snmp-server community public RW command in the configuration mode.

Router(config)#snmp-server community public RW

Use the following syntax to query the SNMP BRIDGE-MIB details:

snmpwalk -v2c -c public <ip address of the ISR, …> .1.3.6.1.2.1.17
snmpwalk -v2c -c public@2 <ip address of the ISR, …> .1.3.6.1.2.1.17
snmpwalk -v2c -c public@3 <ip address of the ISR, …> .1.3.6.1.2.1.17

Note When you create a VLAN “x”, the logical entity public@x is added. If you query with the public community, the L3 MIB is displayed. When you query with public@x, the L2 MIB for VLAN “x” is displayed.


In the context-based approach, the SNMP context mapping commands are used to display the values for L2 interfaces. Each VLAN is mapped to a context. When the user queries with a context, the MIB displays the data for that specific VLAN, which is mapped to the context. In this approach, each VLAN is manually mapped to a context.

To get the BRIDGE-MIB details, use the following commands in the configuration mode:

Router(config)#snmp-server group public v2c context bridge-group
Router(config)#snmp-server community public RW
Router(config)#snmp-server community private RW
Router(config)#snmp-server context bridge-group
Router(config)#snmp mib community-map public context bridge-group

Use the following syntax to query the SNMP BRIDGE-MIB details:

snmpwalk -v2c -c public@1 <ip address of the ISR, …> .1.3.6.1.2.1.17    # L2-MIB
snmpwalk -v2c -c private <ip address of the ISR, …> .1.3.6.1.2.1.17     # L3-MIB

Note When you query with the public community, the L2 MIB is displayed. Use the private group for L3 MIB.


For more details on configuring and retrieving BRIDGE-MIB information, see The BRIDGE-MIB.
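An added example (not part of the Cisco guide): a Python sketch that takes the numeric output of the per-VLAN walks described above (`snmpwalk -On` with the `public@x` communities) and decodes the BRIDGE-MIB forwarding table column dot1dTpFdbPort (.1.3.6.1.2.1.17.4.3.1.2) into MAC-to-bridge-port entries, reporting MAC addresses that are not on an expected list. The walk output, MAC addresses and allow-list are constructed sample data, and the function names are hypothetical.

```python
import re

# dot1dTpFdbPort column of the BRIDGE-MIB forwarding table. The row index is
# the learned MAC address written as six decimal octets; the value is the
# bridge port number on which that address was learned.
FDB_PORT_OID = ".1.3.6.1.2.1.17.4.3.1.2"
LINE_RE = re.compile(
    "^" + re.escape(FDB_PORT_OID) + r"\.((?:\d+\.){5}\d+) = INTEGER: (\d+)$"
)

def parse_fdb(walk_text):
    """Return {mac: bridge_port} from numeric (snmpwalk -On) walk output."""
    table = {}
    for line in walk_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # other BRIDGE-MIB objects, errors, blank lines
        octets = [int(o) for o in m.group(1).split(".")]
        if any(o > 255 for o in octets):
            continue  # index is not a MAC address
        table[":".join(f"{o:02x}" for o in octets)] = int(m.group(2))
    return table

def unexpected_macs(walks_by_vlan, allowed_by_vlan):
    """Return sorted (vlan, mac, bridge_port) for MACs missing from the allow-list."""
    findings = []
    for vlan, text in walks_by_vlan.items():
        allowed = {mac.lower() for mac in allowed_by_vlan.get(vlan, ())}
        for mac, port in parse_fdb(text).items():
            if mac not in allowed:
                findings.append((vlan, mac, port))
    return sorted(findings)

# Constructed sample data: walks taken with communities public@2 and public@3.
SAMPLE_WALKS = {
    2: ".1.3.6.1.2.1.17.1.1.0 = Hex-STRING: 02 00 00 00 00 FE\n"
       ".1.3.6.1.2.1.17.4.3.1.2.2.0.0.0.0.17 = INTEGER: 1\n"
       ".1.3.6.1.2.1.17.4.3.1.2.2.0.0.0.0.153 = INTEGER: 3\n",
    3: ".1.3.6.1.2.1.17.4.3.1.2.2.0.0.0.0.34 = INTEGER: 2\n",
}
ALLOWED = {2: ["02:00:00:00:00:11"], 3: ["02:00:00:00:00:22"]}  # constructed

if __name__ == "__main__":
    for vlan, mac, port in unexpected_macs(SAMPLE_WALKS, ALLOWED):
        print(f"VLAN {vlan}: unexpected MAC {mac} on bridge port {port}")
```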

MAC Address Notification

MAC address notification enables you to track users on a network by storing the MAC address activity on the switch. Whenever the switch learns or removes a MAC address, an SNMP notification can be generated and sent to the NMS. If you have many users coming and going from the network, you can set a trap interval time to bundle the notification traps and reduce network traffic. The MAC notification history table stores the MAC address activity for each hardware port for which the trap is enabled. MAC address notifications are generated for dynamic and secure MAC addresses; events are not generated for self addresses, multicast addresses, or other static addresses.

For more details on configuring MAC address notification, see Configuring MAC Address Notification Traps.

How to Configure Ethernet Switches

See the following sections for configuration tasks for Ethernet switches.

Configuring VLANs

This section provides information on how to configure VLANs. The Cisco 819 ISRs support 2 VLANs and the Cisco 819 ISRs support 8 VLANs.

VLANs on the FE Ports

Perform these steps to configure VLANs, beginning in configuration mode.

Step 1
Command: interface fe port
Purpose: Selects the Fast Ethernet port to configure.

Step 2
Command: shutdown
Purpose: (Optional) Shuts down the interface to prevent traffic flow until configuration is complete.

Step 3
Command: switchport
Purpose: Configures the Fast Ethernet port for Layer 2 switching.

Note You must enter the switchport command once without any keywords to configure the Fast Ethernet port as a Layer 2 port before you can enter additional switchport commands with keywords. This command creates a Cisco default VLAN.

This configuration sets the default trunking administrative mode to switchport mode dynamic desirable and the trunk encapsulation to negotiate.

By default, all VLANs created are included in the default trunk.

Step 4
Command: switchport access vlan vlan_id
Purpose: Creates instances of additional VLANs. Allowable values of vlan_id are 2 to 4094, except for reserved values of 1002 to 1005.

Step 5
Command: no shutdown
Purpose: Activates the interface.

Step 6
Command: end
Purpose: Exits configuration mode.

For additional information, see Layer 2 LAN Ports.
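An added example (not from the Cisco guide): a small Python lint for running-config style text that checks points made in this chapter, namely the vlan_id values allowed in Step 4, FE ports still at the default trunking mode from the Step 3 note, and communities such as the public RW one used in the BRIDGE-MIB section, which combine a well-known name with write access. It assumes a port with no explicit `switchport mode access` or `switchport mode trunk` line is at that default; the function names, finding labels and sample configuration are constructed for illustration.

```python
import re

RESERVED = range(1002, 1006)  # reserved VLAN IDs named in Step 4

def valid_access_vlan(vlan_id):
    """Step 4: allowable vlan_id values are 2 to 4094, except 1002 to 1005."""
    return 2 <= vlan_id <= 4094 and vlan_id not in RESERVED

def audit(config_text):
    """Return sorted (scope, finding) pairs for running-config style text."""
    findings, stanzas, current = [], {}, None
    for raw in config_text.splitlines():
        line = raw.strip()
        if raw[:1].isspace():                 # indented: interface sub-command
            if current is not None:
                current.append(line)
            continue
        m = re.match(r"interface (FastEthernet\d+)$", line)
        current = stanzas.setdefault(m.group(1), []) if m else None
        c = re.match(r"snmp-server community (\S+) (RO|RW)$", line)
        if c and (c.group(2) == "RW" or c.group(1) in ("public", "private")):
            findings.append(("snmp", f"weak-community:{c.group(1)}:{c.group(2)}"))
    for name, cmds in stanzas.items():
        # Assumption: no explicit mode line means the port is still at the
        # default administrative mode described in the Step 3 note.
        if not any(re.match(r"switchport mode (access|trunk)$", x) for x in cmds):
            findings.append((name, "default-trunk-mode"))
        for x in cmds:
            v = re.match(r"switchport access vlan (\d+)$", x)
            if v and not valid_access_vlan(int(v.group(1))):
                findings.append((name, f"vlan-not-allowed:{v.group(1)}"))
    return sorted(findings)

# Constructed sample configuration (not taken from a real device).
SAMPLE_CONFIG = """\
snmp-server community public RW
snmp-server community example-ro RO
!
interface FastEthernet0
 switchport access vlan 2
!
interface FastEthernet1
 switchport mode access
 switchport access vlan 1003
!
interface FastEthernet2
 switchport mode trunk
"""

if __name__ == "__main__":
    for scope, finding in audit(SAMPLE_CONFIG):
        print(f"{scope}: {finding}")
```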

VLANs on the GE Port

Because the GE port is an internal interface that services only the router’s embedded access point, it cannot be configured only with the command switchport access vlan X, where X is other than 1. It may, however, be configured in trunk mode. This may be done by performing the following steps, beginning in configuration mode.

Step 1
Command: interface Wlan-GigabitEthernet0
Purpose: Selects the Gigabit Ethernet port to configure.

Step 2
Command: switchport mode trunk
Purpose: Places the port in trunk mode.

Step 3
Command: switchport access vlan vlan_id
Purpose: (Optional) Once the port is in trunk mode, it may be assigned a VLAN number other than 1.

Configuring Layer 2 Interfaces

For information on how to configure Layer 2 interfaces, see Configuring Layer 2 Interfaces.

This section contains information on the following topics:

  • Configuring a range of interfaces
  • Defining a range macro
  • Configuring Layer 2 optional interface features

Configuring 802.1x Authentication

For information on how to configure 802.1x port-based authentication, see Configuring IEEE 802.1x Port-Based Authentication.

This section contains information on the following topics:

  • Understanding the default 802.1x configuration
  • Enabling 802.1x Authentication
  • Configuring the switch-to-RADIUS-server communication
  • Enabling periodic reauthentication
  • Changing the quiet period
  • Changing the switch-to-client retransmission time
  • Setting the switch-to-client frame-retransmission number
  • Enabling multiple hosts
  • Resetting the 802.1x configuration to default values
  • Displaying 802.1x statistics and status

Configuring Spanning Tree Protocol

For information on how to configure Spanning Tree Protocol, see Configuring Spanning Tree.

This section contains information on the following topics:

  • Enabling spanning tree
  • Configuring spanning tree port priority
  • Configuring spanning tree port cost
  • Configuring the bridge priority of a VLAN
  • Configuring the Hello Time
  • Configuring the forward-delay time for a VLAN
  • Configuring the maximum aging time for a VLAN
  • Disabling spanning tree

Configuring MAC Table Manipulation

For information on how to configure MAC table manipulation, see Configuring MAC Table Manipulation.

Port Security

The topic of enabling known MAC address traffic deals with port security. Port security can be either static or dynamic.

Static port security allows the user to specify which devices are allowed access through a given switch port. The specification is done manually by placing allowed device MAC addresses in the MAC address table. Static port security is also known as MAC address filtering.

Dynamic port security is similar. However, instead of specifying the MAC address of the devices, the user specifies the maximum number of devices that will be allowed on the port. If the maximum number specified is more than the number of MAC addresses specified manually, the switch will learn the MAC address automatically, up to the maximum specified. If the maximum number specified is less than the number of MAC addresses already specified statically, an error message will be produced.

The following command is used to specify static or dynamic port security.

Command: Router(config)# mac-address-table secure [<mac-address> | maximum maximum addresses] fastethernet interface-id [vlan <vlan id>]

Purpose: <mac-address> enables static port security. Use of the keyword maximum enables dynamic port security.

Configuring Cisco Discovery Protocol

For information on how to configure Cisco Discovery Protocol (CDP), see Configuring Cisco Discovery Protocol.

This section contains information on the following topics:

  • Enabling CDP
  • Enabling CDP on an interface
  • Monitoring and maintaining CDP

Configuring the Switched Port Analyzer

For information on how to configure a switched port analyzer (SPAN) session, see Configuring the Switched Port Analyzer (SPAN).

This section contains information on the following topics:

  • Configuring the SPAN sources
  • Configuring SPAN destinations
  • Verifying the SPAN session
  • Removing sources or destinations from a SPAN session

Configuring IP Multicast Layer 3 Switching

For information on how to configure IP multicast Layer 3 switching, see Configuring IP Multicast Layer 3 Switching.

This section contains information on the following topics:

  • Enabling IP multicast routing globally
  • Enabling IP protocol-independent multicast (PIM) on Layer 3 interfaces
  • Verifying IP multicast Layer 3 hardware switching summary
  • Verifying the IP multicast routing table

Configuring IGMP Snooping

For information on how to configure IGMP snooping, see Configuring IGMP Snooping.

This section contains information on the following topics:

  • Enabling or disabling IGMP snooping
  • Enabling IGMP immediate-leave processing
  • Statically configuring an interface to join a group
  • Configuring a multicast router port

IGMP Version 3

In support of the IGMPv3 feature in Cisco IOS Release 12.4(15)T, the groups and count keywords were added to the show ip igmp snooping command, and the output of the show ip igmp snooping command was modified to include global information about IGMP snooping groups. Use the show ip igmp snooping command with the groups keyword to display the multicast table learned by IGMP snooping for all VLANs or the show ip igmp snooping command with the groups keyword, vlan-id keyword, and vlan-id argument to display the multicast table learned by IGMP snooping for a specific VLAN. Use the show ip igmp snooping command with the groups and count keywords to display the number of multicast groups learned by IGMP snooping.

Configuring Per-Port Storm Control

For information on how to configure per-port storm control, see Configuring Per-Port Storm-Control.

This section contains information on the following topics:

  • Enabling per-port storm-control
  • Disabling per-port storm-control

Configuring Fallback Bridging

For information on how to configure fallback bridging, see Configuring Fallback Bridging.

This section contains information on the following topics:

  • Understanding the default fallback bridging configuration
  • Creating a bridge group
  • Preventing the forwarding of dynamically learned stations
  • Configuring the bridge table aging time
  • Filtering frames by a specific MAC address
  • Adjusting spanning-tree parameters
  • Monitoring and maintaining the network

Managing the Switch

For information on management of the switch, see Managing the EtherSwitch HWIC.

This section contains information on the following topics:

  • Adding Trap Managers
  • Configuring IP Information
  • Enabling Switch Port Analyzer
  • Managing the ARP Table
  • Managing the MAC Address Tables
  • Removing Dynamic Addresses
  • Adding Secure Addresses
  • Configuring Static Addresses
  • Clearing all MAC Address Tables