-
CSS Administration Guide (Software Version 7.10)
-
Index
-
About This Guide
-
Logging In and Getting Started
-
Configuring Interfaces and Circuits
-
Configuring CSS Network Protocols
-
Configuring OSPF
-
Using the CSS Logging Features
-
Configuring User Profiles and CSS Parameters
-
Configuring Simple Network Management Protocol (SNMP)
-
Configuring Remote Monitoring (RMON)
-
Upgrading Your CSS Software
-
Using the Offline Diagnostic Monitor Menu
-
Table Of Contents
Configuring CSS Network Protocols
Configuring Domain Name Service
Specifying a Primary DNS Server
Specifying a Secondary DNS Server
Specifying UDP Traffic on the DNS Server Port
Configuring Address Resolution Protocol
Configuring Routing Information Protocol
Disabling an Implicit Service for Static Route Next Hop
Configuring IP Subnet-Broadcast
Configuring Cisco Discovery Protocol (CDP)
Setting the CDP Transmission Rate
Configuring Spanning-Tree Bridging for the CSS
Configuring Spanning-TreeBridge Aging-Time
Configuring Spanning-Tree Bridge Forward-Time
Configuring Spanning-Tree Bridge Hello-Time
Configuring Spanning-Tree Bridge Max-Age
Configuring Spanning-Tree Bridge Priority for the CSS
Enabling and Disabling Bridge Spanning-Tree
Configuring Secure Shell Daemon
Configuring SSHD Server-Keybits
Configuring Telnet Access When Using SSHD
Configuring Opportunistic Layer 3 Forwarding
Configuring the DHCP Relay Agent
Adding a DHCP Destination on a Circuit
Enabling and Disabling DHCP on the Circuit
Defining the Hops Field Value for Forwarding DHCP Messages
Displaying the DHCP Relay Configuration
Configuring CSS Network Protocols
This chapter describes how to configure the CSS DNS, ARP, RIP, IP, routing, spanning-tree bridging, SSH, and opportunistic Layer 3 forwarding functions. Information in this chapter applies to all CSS models, except where noted.
This chapter includes the following sections:
•
Configuring Domain Name Service
•
•
•
•
•
•
•
•
•
•
Configuring Domain Name Service
Use the dns command to enter commands that control Domain Name Service (DNS), the facility that translates host names such as myhost.mydomain.com to IP
(Internet Protocol) addresses such as 192.168.11.1. The options for this global configuration mode command are:•
•
•
•
•
Use the show running-config global command to display DNS configurations (refer to Chapter 1, Logging In and Getting Started, "Using the Running-Config and Startup-Config Files").
Specifying a Primary DNS Server
To specify the primary DNS server, use the dns primary command followed by the IP address of the DNS server you wish to specify as the primary DNS server. Enter the IP address in dotted-decimal notation (for example, 192.168.11.1).
For example:
(config)# dns primary 192.168.11.1To remove the primary DNS server, enter:
(config)# no dns primaryUsing DNS Resolve
To resolve a host name by querying the DNS server, use the dns resolve command followed by the host name you want to resolve. Enter the host name in mnemonic host-name format (for example, myhost.mydomain.com).
For example:
(config)# dns resolve fred.arrowpoint.comSpecifying a Secondary DNS Server
When a primary DNS server fails, the CSS uses the secondary DNS server to resolve host names to IP addresses. To specify a secondary DNS server, use the dns secondary command followed by the IP address of the secondary DNS server. Enter the IP address in dotted-decimal notation (for example, 192.168.11.1).
(config)# dns secondary 192.158.3.6You can specify a maximum of two secondary servers. To specify each additional server, repeat the dns secondary command. The order in which you enter the IP addresses is the order in which they are used.
To remove a secondary DNS server, enter the no version of the command followed by the IP address of the DNS server you wish to remove. For example:
(config)# no dns secondary 192.158.3.6Specifying a DNS Suffix
To specify the default suffix to use when querying the DNS facility, use the dns suffix command followed by the suffix you wish to use. Enter the default suffix as an unquoted text string with no spaces and a maximum of 64 characters.
For example:
(config)# dns suffix arrowpoint.comTo remove the default DNS suffix, enter:
(config)# no dns suffixSpecifying UDP Traffic on the DNS Server Port
For DNS UDP traffic on port 53, use the dnsflow command to determine whether the CSS uses flow control blocks (FCBs) for DNS requests and responses. This command provides the following options:
•
•
For example:
(config)# dnsflow disableConfiguring Address Resolution Protocol
Use the arp command and its options to statically configure the IP to Media Access Control (MAC) translations necessary for the CSS to send data to network nodes. The following sections discuss configuring Address Resolution Protocol (ARP) for the CSS.
Configuring ARP
To define a static ARP mapping, use the arp command. The syntax for this global configuration mode command is:
•
•
The variables and options are:
•
•
•
•
Note
For example:
(config)# arp 192.168.11.1 00-60-97-d5-26-ab ethernet-2To remove a static mapping address, use the no arp command. For example:
(config)# no arp 192.168.11.1
Note
Configuring ARP Timeout
To set the time in seconds to hold an ARP resolution result, use the arp timeout command. When you change the timeout value, it only affects new ARP entries. All previous ARP entries retain the old timeout value. To remove all entries with the old timeout value, enter the clear arp cache command.
The timeout value is the number of seconds the CSS holds an ARP resolution result. To set a timeout value, enter an integer from 60 to 86400 (24 hours) seconds. The default is 14400 seconds (4 hours). If you do not want the ARP entries to timeout, enter none or 86401.
For example:
(config)# arp timeout 120To restore the default timeout value of 14400 seconds, enter:
(config)# no arp timeoutConfiguring ARP Wait
To set the time in seconds to wait for an ARP resolution, use the arp wait command with a wait time. The wait time is the number of seconds the CSS waits for an ARP resolution in response to an ARP request to the network. Enter an integer from 5 to 30 seconds. The default is 5.
For example:
(config)# arp wait 15To restore the default wait time of 5 seconds, enter:
(config)# no arp waitUpdating ARP Parameters
To update the file containing hosts reachable through ARP, use the update arp command. This command is available in SuperUser mode. For example:
# update arp fileClearing ARP Parameters
The CSS enables you to clear ARP parameters for the ARP file or ARP cache. To clear the file that contains known hosts reachable through ARP, use the clear arp file command. For example:
# clear arp fileTo delete dynamic entries from the ARP cache, use the clear arp cache command with an IP address or hostname. The syntax and options for this command are:
•
•
•
For example:
# clear arp cacheShowing ARP Information
To display ARP information, use the show arp command. The syntax and options for the command are:
•
•
•
•
•
•
•
Note
To display the complete ARP resolution table, enter:
# show arpTable 3-1 describes the fields in the show arp output.
To display a summary of entries in the ARP resolution table, enter:
# show arp summaryTable 3-2 describes the fields in the show arp summary output.
To display the global ARP configuration, enter:
# show arp configTable 3-3 describes the fields in the show arp config output.
To display the host IP addresses entered at initialization or boot time through ARP, enter:
# show arp fileTo display the ARP entries from the CSS management port, enter:
# show arp management-portTable 3-4 describes the fields in the show arp management-port output.
To display the resolution for a host IP address, enter:
# show arp 192.50.1.6To display the host IP addresses entered at initialization or boot time through ARP, enter:
# show arp fileConfiguring Routing Information Protocol
The CSS enables you to configure the following global Routing Information Protocol (RIP) attributes:
•
•
•
By default, RIP advertises RIP routes and local routes for interfaces running RIP. The rip command advertises other routes.
The timers used by RIP in the CSS include the following default values. These RIP timer values are not user-configurable in the CSS.
•
•
•
Note
Configuring RIP Advertise
To advertise a route through RIP on the CSS, use the rip advertise command. The syntax for this command is:
rip advertise ip_address subnet_mask metric
•
•
•
For example:
(config)# rip advertise 192.168.1.0/24 9
Note
To stop advertising a route through RIP on the CSS, enter:
(config)# no rip advertise 192.168.1.0/24Configuring RIP Redistribute
To advertise routes from other protocols through RIP, use the rip redistribute command. By default, RIP advertises RIP routes and local routes for interfaces running RIP. This command instructs RIP to advertise other routes.
You can configure the following options for rip redistribute:
•
•
•
•
You can also enter an optional metric, which is the metric the CSS uses when advertising this route. Enter a number from 1 to 15. The default is 1.
For example:
(config)# rip redistribute static 3To stop advertising routes from other protocols through RIP, use either the local, static, or firewall option.
The following commands stop advertising static routes:
(config)# no rip redistribute firewall(config)# no rip redistribute local(config)# no rip redistribute static(config)# no rip redistribute ospfConfiguring RIP Equal-Cost
To set the maximum number of routes RIP can insert into the routing table, use the rip equal-cost command. Enter a number from 1 to 15. The default is 1. For example:
(config)# rip equal-cost 4To reset the number of routes to the default value of 1, enter:
(config)# no rip equal-costShowing RIP Configurations
To show a RIP configuration for one IP address or all IP addresses configured in the CSS, use the show rip command. This command provides the following options:
•
•
•
•
•
Table 3-5 describes the fields in the show rip output.
To display global RIP statistics, enter:
# show rip globalsTable 3-6 describes the fields in the show rip globals output.
To display the RIP interface statistics for all RIP interface entries, enter:
# show rip statisticsTable 3-7 describes the fields in the show rip statistics output.
Configuring Internet Protocol
To enter Internet Protocol (IP) configuration commands for the CSS, use the ip command. This command is available in configuration mode. The options for this command are:
•
•
•
Configuring IP Record-Route
To enable the CSS to process frames with a record-route option, use the ip record-route command. For example:
(config)# ip record-route
Caution
The CSS does not load balance TCP or UDP packets with IP options that are destined to a VIP address. These packet types are dropped and the CSS returns an ICMP destination/port unreachable error. This behavior exists regardless of the state (enabled or disabled) of the ip record-route and ip source-route commands.
The CSS, however, does respond to ICMP packets that are destined to a VIP address. The CSS also responds to TCP or UDP packets that include IP options that are destined to a local circuit address, or require that a routing decision be made.
To disable processing frames with a record-route option (the default behavior), enter:
(config)# no ip record-routeConfiguring IP Redundancy
To enable CSS-to-CSS redundancy, use the ip redundancy command. For example:
(config)# ip redundancy
Note
To disable CSS-to-CSS redundancy, enter:
(config)# no ip redundancyFor information on configuring CSS-to-CSS redundancy, refer to the Cisco Content Services Switch Advanced Configuration Guide, Chapter 5, Configuring Redundant Content Services Switches.
Configuring IP ECMP
Use the ip ecmp command to set the equal-cost multipath (ECMP) selection algorithm and the preferred reverse egress path. The CSS supports a maximum of 15 ECMP paths. The syntax and options for this global configuration mode command are:
•
(config)# ip ecmp address•
(config)# ip ecmp no-prefer-ingressTo reset the ingress path of a flow for its preferred reverse egress path, enter:
(config)# no ip ecmp no-prefer-ingress•
(config)# ip ecmp roundrobin
Note
Configuring an IP Route
A static route consists of a destination network address and mask, as well as the next hop to reach the destination. You can also specify a default static route (using 0.0.0.0 as the destination network address and a valid next hop address) to direct frames for which no other destination is listed in the routing table. Default static routes are useful for forwarding otherwise unrouteable packets by the CSS.
When you configure a static route, the CSS creates an internal service that periodically polls the configured next hop address with an ICMP echo (or ping) keepalive. The internal service is called an implicit service. If the router fails, the CSS removes any entries from the routing table that point to the failed router and stops sending network traffic to the failed router. When the router recovers, the CSS:
•
•
The implicit service does not determine if the default or static route appears in the routing table. This decision is based on the CSS having a viable ARP entry for the next hop router IP address so the CSS can forward traffic to that destination. The CSS uses the ICMP keepalive as a means to ensure the next hop router MAC address is available and current. However, in certain situations, the next hop router may block ICMP message transmitted by the CSS, which results in a failed ICMP keepalive (the ICMP keepalive is in the Down state). As long as the CSS has the ARP entry of the next hop router the static route is still placed in the routing table.
Note
Use the ip route command to configure an IP route. You can configure a static route, a default static IP route, a blackhole route (where the CSS drops any packets addressed to the route), or a firewall IP route. Each ip route command requires either an:
•
or
•
The ip route options are defined below. Note that the examples use the subnet mask prefix option.
•
(config)# ip route 192.168.1.0 /24 blackhole•
(config)# ip route 0.0.0.0 /0 10.0.1.1•
For example:(config)# ip route 0.0.0.0 /0 10.0.1.1 40•
(config)# ip route 192.168.1.0 /24 firewall 3 2
Note
•
The optional originated-packets keyword instructs the CSS to use this route for flow and session packets going to and from the CSS (for example, a Telnet session to the CSS). Flows or session packets that go through the CSS (for example, between an attached server and a remote client) do not use this route.
For example:
(config)# ip route 0.0.0.0/0 10.0.1.1 originated-packets
Note
The variables are:
•
•
–
–
•
•
•
To remove a static route, enter:
(config)# no ip route 0.0.0.0/24 10.0.1.1To disable the dropping of packets to a black-hole route, enter:
(config)# no ip route 192.168.1.0/24 blackholeTo remove a firewall route, enter:
(config)# no ip route 192.168.1.0/24 firewall 3Configuring IP Source-Route
To enable the CSS to process source-routed frames, use the ip source-route command. For example:
(config)# ip source-route
Caution
The CSS does not load balance TCP or UDP packets with IP options that are destined to a VIP address. These packet types are dropped and the CSS returns an ICMP destination/port unreachable error. This behavior exists regardless of the state (enabled or disabled) of the ip source-route and ip record-route commands.
The CSS, however, does respond to ICMP packets that are destined to a VIP address. The CSS also responds to TCP or UDP packets that include IP options that are destined to a local circuit address, or require that a routing decision be made.
To disable processing source-routed frames (the default behavior), enter:
(config)# no ip source-routeDisabling an Implicit Service for Static Route Next Hop
Use the ip no-implicit-service command when you do not want the CSS to start an implicit service for the next hop of a static route. By default, the CSS establishes an implicit (or internal) service for the gateway address when a static route is defined. The ip no-implicit-service command specifies that no implicit service is established to the next hop of the static route, which disables the internal service ICMP keepalive. In this case, if the ARP address for the next hop is not known to the CSS the address will not appear in the routing table.
The purpose of the implicit service to the next hop of a static route is to monitor the availability of the next hop to forward data traffic. When the ip no-implicit-service command is in effect, traffic will be forwarded to the next hop even when the next hop is unavailable. Because of the possibility of data being lost if the next hop becomes unavailable, use of the ip no-implicit-service command is strongly discouraged.
Note
When you implement the ip no-implicit-service global configuration command, this action does not affect previously configured static routes. The ip no-implicit-service command affects only those static routes added after you enable the command. Cisco Systems recommends you reboot the CSS after you modify the configuration to ensure all static routes are the same, which is useful for network monitoring and troubleshooting. If you wish to stop the implicit service for a previously configured static route, then you must delete and reconfigure the static route.
For example:
(config)# ip no-implicit-serviceTo reset the default setting, enter:
(config)# no ip no-implicit-serviceConfiguring IP Subnet-Broadcast
To enable the CSS to forward subnet broadcast addressed frames, use the ip subnet-broadcast command.
For example:
(config)# ip subnet-broadcastTo disable forwarding subnet broadcast addressed frames (the default behavior), enter:
(config)# no ip subnet-broadcast
Caution
If a "smurf" attack is successful, all the destination subnet hosts reply to the echo and flood the path back to the source. By disabling the subnet broadcast forwarding, the original echo never reaches the hosts.
Showing IP Information
Use the show ip command to display Internet Protocol (IP) information for the CSS. See the following sections to display CSS IP information.
•
•
•
•
•
Showing IP Config
Use the show ip config command to display IP global configuration parameters. The parameters shows the state (enabled or disabled) of the source route option, forward IP broadcasts, record route option, and IP route change logging. It also shows the value for the orphaned route timer.
Table 3-8 describes the fields in the show ip config output.
Showing IP Interfaces
Use the show ip interfaces command to display configured IP interfaces on the CSS. The display includes the circuit state, IP address, broadcast address, Internet Control Message Protocol (ICMP) settings, and Router Discovery Program (RDP) settings.
Table 3-9 describes the fields in the show ip interfaces output.
Showing IP Routes
Use the show ip routes command to display IP routing information. The syntax and options for this command are:
•
•
•
•
•
•
•
•
The variables are:
•
•
To show all IP routes in the CSS, enter:
# show ip routesTable 3-10 describes the fields in the show ip routes output.
Showing IP Statistics
Use the show ip statistics command to display aggregate TCP statistics for the unit. Table 3-11 describes the fields in the show ip statistics output.
Showing IP Summary
Use the show ip summary command to display a summary of IP global statistics. The statistics include data on reachable and total routes, reachable and total hosts, memory in use for each, and total IP routing memory in use.
Table 3-12 describes the fields in the show ip summary output.
Configuring Cisco Discovery Protocol (CDP)
The Cisco Discovery Protocol (CDP) is a medium-independent protocol that runs over Layer 2 (the data link layer) on the CSS and other Cisco manufactured equipment, such as routers, switches, bridges, and access servers. CDP allows the CSS to advertise itself to all other neighboring Cisco CDP-compatible devices on a network. The CSS only transmits CDP advertisements to other CDP-compatible devices on the network; it does not listen for CDP messages from the other CDP-compatible devices.
Any Cisco device with CDP support can learn about the CSS by listening to the periodic messages transmitted by the CSS and determining when the CSS is active. Network operators and analysts can use this information for configuration monitoring, topology discovery, and fault diagnosis.
CDP messages contain specific information about the CSS, such as:
•
•
•
•
•
•
CDP advertisements also include hold time information, which defines the length of time the receiving device is to hold CDP information before discarding it.
The CSS enables you to configure the following global CDP attributes:
•
•
•
Enabling CDP
To enable CDP transmissions from the CSS to other neighboring Cisco CDP-compatible devices on the network, use the cdp run global configuration command. By default, CDP advertisement is disabled for the CSS.
For example:
(config)# cdp runTo disable CDP transmissions on the CSS, enter:
(config)# no cdp runSetting the CDP Hold Time
To specify the amount of time a receiving device retains the CDP information sent by the CSS (time-to-live information) before discarding it, use the cdp holdTime global configuration command. If a neighboring device does not receive a CDP message before the hold time expires, the neighboring device drops the CSS as a neighbor. Valid entries are 10 to 255 seconds. The default is 180 seconds.
To specify a CDP hold time of 255 seconds for the receiving device, enter:
(config)# cdp holdTime 255To reset the CDP hold time back to the default value of 180 seconds, enter:
(config)# no cdp holdTimeSetting the CDP Transmission Rate
To specify the frequency at which the CSS transmits CDP packets to all receiving CDP-compatible devices, use the cdp timer global configuration command. Valid entries are 5 to 254 seconds. The default is 60 seconds.
To change the CDP transmission rate for the CSS to 120 seconds, enter:
(config)# cdp timer 120To reset the CDP timer to the default rate of 60 seconds, enter:
(config)# no cdp timerShowing CDP Information
Use the show cdp command to display and verify CDP information for the CSS, such as frequency of transmissions and the hold time for transmitted CSS CDP information.
For example:
(config)# show cdpGlobal CDP information:Sending CDP packets every 60 secondsSending a holdtime value of 16 secondsTimeLastCdpSent: 0 days 00:00:30The following example illustrates the CDP output on a Cisco Catalyst 8540 router using the IOS show cdp neighbors command.
24-8540-1>show cdp neighborsCapability Codes: R - Router, T - Trans Bridge, B - Source Route Bridge S - Switch, H - Host, I - IGMP, r - RepeaterDevice ID Local Intrfce Holdtme Capability Platform Port ID00-10-58-01-4d-e3 Eth 0 178 R T S CSS 11050 Eth-MgmtSCA043801A5 Eth 0 144 T S WS-C6009 3/125-8540-1 Fas 0/0/7 142 R T C8540CSR Fas 0/0/425-8540-1 Eth 0 142 R T C8540CSR Eth 0SCA043801HU(bxb11 Eth 0 151 T S WS-C6009 2/4800-07-85-43-14-1d Eth 0 170 R T S CSS11503 Eth-MgmtConfiguring Spanning-Tree Bridging for the CSS
Use the following bridge commands to configure spanning-tree bridging options for the CSS:
•
•
•
•
•
•
Configuring Spanning-TreeBridge Aging-Time
To set the spanning-tree bridge filtering database aging time for the CSS, use the bridge aging-time command. The aging time is the timeout period in seconds for aging out dynamically-learned forwarding information. Enter an integer from 10 to 1000000. The default is 300.
To set the bridge aging time to 600, enter:
(config)# bridge aging-time 600To restore the default aging time of 300, enter:
(config)# no bridge aging-timeConfiguring Spanning-Tree Bridge Forward-Time
To set the spanning-tree bridge forward delay time, use the bridge forward-time command. The forward time is the delay time in seconds that all bridges use for forward delay when this bridge is acting as the root. Enter an integer from 4 to 30. The default is 4.
Note
To set the bridge forward time to 9, enter:
(config)# bridge forward-time 9To restore the default delay time of 4, enter:
(config)# no bridge forward-timeConfiguring Spanning-Tree Bridge Hello-Time
To set the bridge hello time interval, use the bridge hello-time command. The hello time is the time in seconds that all bridges use when a bridge is acting as the root. Enter an integer from 1 to 10. The default is 1.
To set the bridge hello time to 9, enter:
(config)# bridge hello-time 9To restore the default hello time interval of 1, enter:
(config)# no bridge hello-timeConfiguring Spanning-Tree Bridge Max-Age
To set the bridge spanning-tree maximum age, use the bridge max-age command. The maximum age is the time in seconds that all bridges use when a bridge is acting as the root. Enter an integer from 6 to 40. The default is 6.
Note
To set the bridge maximum age to 21, enter:
(config)# bridge max-age 21To restore the default maximum age of 6, enter:
(config)# no bridge max-ageConfiguring Spanning-Tree Bridge Priority for the CSS
To set the priority that spanning tree uses to choose the root bridge in the network, use the global bridge priority command. In spanning tree, the 2-octet field is prepended to the 6-octet MAC address to form an 8-octet bridge identifier. The device with the lowest bridge identifier is considered the highest priority bridge and becomes the root bridge. The range for bridge priority is 0 to 65535. The default is 32768.
For example:
(config)# bridge priority 1700To restore the bridge priority to its default of 32768, enter:
(config)# no bridge priorityEnabling and Disabling Bridge Spanning-Tree
Spanning-tree bridging is enabled by default. To disable the spanning-tree, enter:
(config)# bridge spanning-tree disable
Caution
When you disable spanning-tree bridging, the CSS forwards all multicast traffic, including bridge protocol data units (BPDUs) for the bridge multicast group and for trunked VLANs. The CSS can still operate in an 802.1Q spanning-tree environment as long as you do not require that the CSS put any of its ports into a blocking state.
To reenable spanning-tree bridging, enter:
(config)# bridge spanning-tree enableShowing Bridge Configurations
The CSS enables you to show bridge forwarding and bridge status information.To display bridge forwarding information, use the show bridge forwarding command. Table 3-13 describes the fields in the show bridge forwarding output.
To display bridge status information, use the show bridge status command. Table 3-14 describes the fields in the show bridge status output.
Configuring Secure Shell Daemon
The Secure Shell Daemon (SSHD) protocol provides secure encrypted communications between two hosts communicating over an insecure network. The CSS supports an implementation of OpenSSH to provide this secure communication. SSHD uses the standard CSS login sequence of entering the username and password at the CSS login prompts.
SSHD on the CSS supports both the SSH v1 and v2 protocols. For SSH v1, the software provides encrypted communication using ciphers such as 3DES or Blowfish. For SSH v2, the software provides 128-bit AES, Blowfish, 3DES, CAST128, Arcfour, 192-bit AES, or 256-bit AES.
Caution
If the CSS has been booted using a network boot from a network-mounted file system, the CSS logs the following error message by SSHD as the protocol attempts to initialize (and then exit from operation):
Unable to initialize sshd; failure to seed random number generator
Note
This section covers:
•
Enabling SSH
You must specify a Secure Management license key for the SSH functionality to be activated in your Cisco 11500 series CSS. If you ordered the software option with your CSS, the license key is located on a card in an envelope in the CSS Accessory kit. If you ordered the Secure Management software option after receipt of your CSS, the license key was mailed to you.
To install the Secure Management license key and activate SSH:
1.
# license2.
Enter the Software License Key (q to quit): nnnnnnnnnnnnThe Secure Management license key is now properly installed.
Configuring SSH Access
SSH access to the CSS is enabled by default through the no restrict ssh command. Before you use SSHD, ensure that access has not restricted through the restrict ssh command. You can verify the SSH access selection in the running-configuration file.
To enable SSH access to the CSS, enter:
(config)# no restrict sshTo disable SSH access, enter:
(config)# restrict sshConfiguring SSHD in the CSS
The CSS provides the following commands for configuring SSHD:
•
•
•
Ensure that SSHD access to the CSS is enabled for SSHD to accept connections from SSH clients. By default, SSH access is enabled through the no restrict ssh global command.
Configuring SSHD Keepalive
The CSS supports sending TCP keepalive messages to the client as a means for the server to determine whether the SSHD connection to the client is functioning (for example, if the network has gone down or the client has crashed). If you disable sending SSHD keepalives to a client, sessions may hang indefinitely on the server which consumes system resources.
To enable SSHD keepalive, use the sshd keepalive command. SSHD keepalive is enabled by default.
To enable sending SSHD keepalives to the client, enter:
(config)# sshd keepaliveTo disable sending SSHD keepalives, enter:
(config)# no sshd keepaliveConfiguring SSHD Port
To specify the port number to which the server listens for connections from clients, use the sshd port command. Enter a port number of 22 or from 512 to 65535. The default is 22 (the default port for SSH).
For example, to configure port number 65530 as the SSHD port, enter:
(config)# sshd port 65530To reset the port number to the default of 22, enter:
(config)# no sshd portConfiguring SSHD Server-Keybits
To specify the number of bits in the ephemeral protocol server key, use the sshd server keybits command. Enter the number of bits from 512 to 1024. The default is 768.
Note
For example, to set the number of bits in the server key to 1024, enter:
(config)# sshd server-keybits 1024To reset the number of bits to the default of 768, enter:
(config)# no sshd server-keybitsConfiguring Telnet Access When Using SSHD
When you use SSHD, you can disable non-secure Telnet access to the CSS. Use the global restrict telnet command to disable Telnet access to the CSS. Telnet access is enabled by default.
To disable Telnet access, enter:
(config)# restrict telnetTo reenable Telnet access to the CSS, enter:
(config)# no restrict telnetShowing SSHD Configurations
To display SSHD configurations, use the show sshd command. This command provides the following options:
•
•
•
To display the SSHD configuration, enter:
# show sshd configTable 3-15 describes the fields in the show sshd config display.
To display the SSHD sessions, enter:
# show sshd sessionsTable 3-16 describes the fields in the show sshd sessions display.
To display the SSHD version, enter:
# show sshd versionSSHield version 1.5, SSH version OpenSSH_3.0.2p1Configuring Opportunistic Layer 3 Forwarding
The CSS opportunistic Layer 3 forwarding feature allows the CSS to reduce the number of network device hops for certain packets or flows. The CSS forwards packets at Layer 3 if the destination MAC address in the Ethernet header is the CSS MAC address. Opportunistic Layer 3 forwarding allows the CSS to make Layer 3 forwarding decisions even if the layer 2 packet destination MAC address does not belong to the CSS.
For example, Figure 3-1 shows a CSS connected to VLAN1 and VLAN2. Each VLAN has an end station and an uplink to Router1. End stations A and B both point to Router1 as their default router. When end station A transmits a packet to end station B, it uses its default route to Router1. The packet contains Router1's destination MAC address. A traditional layer 2 device would forward the packet to Router1 and it would forward the packet to end station B on VLAN2.
Using opportunistic Layer 3 forwarding, the CSS inspects the IP packet header to determine the destination IP address. Instead of forwarding the packet to Router1, the CSS forwards the packet directly to end station B. Because the CSS only handles the packet once, the router and uplink are not used and network resources are conserved.
Figure 3-1 Opportunistic Layer 3 Forwarding Example
Opportunistic Layer 3 forwarding provides three modes of operation:
•
•
•
To configure ip opportunistic Layer 3 forwarding to all, enter:
(config)# ip opportunistic allTo reconfigure ip opportunistic Layer 3 forwarding to the default of local enter:
(config)# no ip opportunisticWhen you configure ip opportunistic all, you can use the ip route originated-packets command to configure routes that the CSS will use to reach devices, but will not use as opportunistic routes for forwarding traffic. Routes created using the ip route originated-packets command apply only to packets that originate on the CSS. Packets and flows forwarded by the CSS will not use these routes.
For example,
(config)# ip route 0.0.0.0/0 192.168.1.7 originated-packetsConfiguring the DHCP Relay Agent
Dynamic Host Configuration Protocol (DHCP) servers provide configuration parameters to DHCP clients. When DHCP clients and associated servers do not reside on the same IP network or subnet, a DHCP relay agent can transfer DHCP messages between them. To configure a DHCP relay agent on a 11500 series CSS, define DHCP server destinations on a circuit and enable the DHCP relay agent on the circuit.
Note
(config-circuit[VLAN2])# ip address 178.3.6.53/8See the following sections to configure and view DHCP parameters:
•
•
•
•
Adding a DHCP Destination on a Circuit
A CSS circuit acts as the DHCP relay agent. For each circuit on the CSS, you can configure a maximum of five DHCP destinations. The initial DHCP broadcast request is sent to all of the configured destinations.
Do not configure a relay destination on a circuit when the relay destination is directly connected to or reachable from one of the ports on the same circuit. In this case, the DHCP packets reach the relay destination through normal broadcast and a relay agent is not required.
To specify the DHCP relay destination address, use the dhcp relay-to command available in circuit configuration mode. Enter an IP address in dotted-decimal notation.
To add a destination address of 192.168.22.25 to a DHCP server, enter:
(config-circuit[VLAN2])# dhcp relay-to 192.168.22.25To remove the relay destination address, enter:
(config-circuit[VLAN2])# no dhcp relay-to 192.168.22.25Enabling and Disabling DHCP on the Circuit
After you enable the DHCP relay agent on the CSS circuit, the CSS transfers DHCP messages between DHCP clients and servers. To enable the agent on the circuit, use the dhcp-relay-agent command available in circuit configuration mode. For example:
(config-circuit[VLAN2])# dhcp-relay-agentTo disable the DHCP relay agent on the circuit, enter:
(config-circuit[VLAN2])# no dhcp-relay-agentDefining the Hops Field Value for Forwarding DHCP Messages
The CSS forwards or discards a DHCP message based on its hops field value in the BOOTP header. When messages have values in the hops fields that exceed the maximum value set on the CSS, the CSS discards the message. To set the maximum allowable number in the hops field, use the dhcp-agent max-hops command available in global configuration mode. By default, the maximum allowable number is 4. You can set a number from 1 to 15.
To set the maximum allowable value of 10, enter:
(config)# dhcp-agent max-hops 10To reset the maximum allowable number in the hops field to its default of 4, enter:
(config)# no dhcp-agent max-hopsDisplaying the DHCP Relay Configuration
Use the show dhcp-relay-agent global command to display the DHCP configuration information on the 11500 series CSS. This command is available in all modes. For example:
# show dhcp-relay-agent globalTable 3-17 describes the fields in the show dhcp-relay-agent global output.
Where to Go Next
For information on configuring OSPF for the CSS, refer to Chapter 4, Configuring OSPF.
