Table Of Contents
Cisco HWIC-4ESW and HWIC-D-9ESW EtherSwitch Interface Cards
Prerequisites for EtherSwitch HWICs
Restrictions for EtherSwitch HWICs
Information About EtherSwitch HWICs
Inline Power for Cisco IP Phones
How to Configure EtherSwitch HWICs
Deleting a VLAN Instance from the Database
Configuring VLAN Trunking Protocol
Disabling VTP (VTP Transparent Mode)
Configuring Layer 2 Interfaces
Configuring a Range of Interfaces
Configuring Layer 2 Optional Interface Features
Configuring 802.1x Authentication
Understanding the Default 802.1x Configuration
Enabling 802.1x Authentication
Configuring the Switch-to-RADIUS-Server Communication
Enabling Periodic Reauthentication
Changing the Switch-to-Client Retransmission Time
Setting the Switch-to-Client Frame-Retransmission Number
Resetting the 802.1x Configuration to the Default Values
Displaying 802.1x Statistics and Status
Configuring Spanning Tree Port Priority
Configuring Spanning Tree Port Cost
Configuring the Bridge Priority of a VLAN
Configuring the Forward-Delay Time for a VLAN
Configuring the Maximum Aging Time for a VLAN
Configuring MAC Table Manipulation
Enabling Known MAC Address Traffic
Creating a Static Entry in the MAC Address Table
Configuring Cisco Discovery Protocol
Enabling Cisco Discovery Protocol
Monitoring and Maintaining CDP
Configuring the Switched Port Analyzer (SPAN)
Removing Sources or Destinations from a SPAN Session
Configuring Power Management on the Interface
Verifying Power Management on the Interface
Verifying Other Power Management CLI
Configuring IP Multicast Layer 3 Switching
Enabling IP Multicast Routing Globally
Enabling IP Protocol-Independent Multicast (PIM) on Layer 3 Interfaces
Verifying IP Multicast Layer 3 Hardware Switching Summary
Verifying the IP Multicast Routing Table
Enabling or Disabling IGMP Snooping
Enabling IGMP Immediate-Leave Processing
Statically Configuring an Interface to Join a Group
Configuring a Multicast Router Port
Configuring Per-Port Storm-Control
Enabling Per-Port Storm-Control
Disabling Per-Port Storm-Control
Understanding the Default Fallback Bridging Configuration
Preventing the Forwarding of Dynamically Learned Stations
Configuring the Bridge Table Aging Time
Filtering Frames by a Specific MAC Address
Adjusting Spanning-Tree Parameters
Monitoring and Maintaining the Network
Configuring Separate Voice and Data Subnets
Configuring a Single Subnet for Voice and Data
Managing the MAC Address Tables
Clearing all MAC Address Tables
Configuration Examples for EtherSwitch HWICs
Single Range Configuration Example
Range Macro Definition Example
Optional Interface Feature: Examples
Setting the Interface Duplex Mode Example
Adding a Description for an Interface Example
VLAN Trunking Using VTP: Example
Spanning-Tree Interface and Spanning-Tree Port Priority Example
Spanning-Tree Port Cost Example
Forward-Delay Time for a VLAN Example
Maximum Aging Time for a VLAN Example
MAC Table Manipulation: Example
Switched Port Analyzer (SPAN) Source: Examples
SPAN Source Configuration Example
SPAN Destination Configuration Example
Removing Sources or Destinations from a SPAN Session Example
Subnets for Voice and Data Example
Single Subnet Configuration Example
Ethernet Ports on IP Phones with Multiple Ports Example
Cisco HWIC-4ESW and HWIC-D-9ESW EtherSwitch Interface Cards
This document provides configuration tasks for the 4-port Cisco HWIC-4ESW and the 9-port Cisco HWIC-D-9ESW EtherSwitch high speed WAN interface cards (HWICs) hardware feature supported on Cisco 1800 (modular), Cisco 2800, and Cisco 3800 series integrated services routers.
Cisco EtherSwitch HWICs are 10/100BaseT Layer 2 Ethernet switches with Layer 3 routing capability. (Layer 3 routing is forwarded to the host, and is not actually performed at the switch.). Traffic between different VLANs on a switch is routed through the router platform. Any one port on a Cisco EtherSwitch HWIC may be configured as a stacking port to link to another Cisco EtherSwitch HWIC or EtherSwitch network module in the same system. An optional power module can also be added to provide inline power for IP telephones. The HWIC-D-9ESW HWIC requires a double-wide card slot.
This hardware feature does not introduce any new or modified IOS commands.
Feature History for Cisco HWIC-4ESW and HWIC-D-9ESW EtherSwitch Interface Cards
Finding Support Information for Platforms and Cisco IOS Software Images
Use Cisco Feature Navigator to find information about platform support and Cisco IOS software image support. Access Cisco Feature Navigator at http://www.cisco.com/go/fn. You must have an account on Cisco.com. If you do not have an account or have forgotten your username or password, click Cancel at the login dialog box and follow the instructions that appear.
Contents
The following sections provide information about the Cisco EtherSwitch HWICs.
•
Prerequisites for EtherSwitch HWICs
•
•
•
•
Prerequisites for EtherSwitch HWICs
The following are prerequisites to configuring EtherSwitch HWICs:
•
•
Restrictions for EtherSwitch HWICs
The following restrictions apply to the Cisco HWIC-4ESW and the Cisco HWIC-D-9ESW EtherSwitch HWICs.
•
Multiple Ethernet Switch HWICs or network modules installed in a host router will not act independently of each other. They must be stacked, as they will not work at all otherwise.
•
•
•
•
•
•
•
•
Information About EtherSwitch HWICs
To configure the Cisco HWIC-4ESW and HWIC-D-9ESW EtherSwitch HWICs, you should understand the following concepts:
•
VLANs
For information on the concept of VLANs, refer to the material at this URL:
/en/US/docs/ios/12_3t/12_3t4/feature/guide/gt1636nm.html#1047027
Inline Power for Cisco IP Phones
For information on the concept of inline power for Cisco IP phones, refer to the material at this URL:
/en/US/docs/ios/12_3t/12_3t4/feature/guide/gt1636nm.html#1048439
Layer 2 Ethernet Switching
For information on the concept of Layer 2 Ethernet Switching, refer to the material at this URL:
/en/US/docs/ios/12_3t/12_3t4/feature/guide/gt1636nm.html#1048478
802.1x Authentication
For Information on the concept of 802.1x Authentication, refer to the material at this URL:
/en/US/docs/ios/12_3t/12_3t4/feature/guide/gt1636nm.html#1051006
Spanning Tree Protocol
For Information on the concept of Spanning Tree Protocol, refer to the material at this URL:
/en/US/docs/ios/12_3t/12_3t4/feature/guide/gt1636nm.html#1048458
Cisco Discovery Protocol
For Information on the concept of the Cisco Discovery Protocol, refer to the material at this URL:
/en/US/docs/ios/12_3t/12_3t4/feature/guide/gt1636nm.html#1048498
Switched Port Analyzer
For Information on the concept of Switched Port Analyzer, refer to the material at this URL:
/en/US/docs/ios/12_3t/12_3t4/feature/guide/gt1636nm.html#1053663
IGMP Snooping
For Information on the concept of IGMP Snooping, refer to the material at this URL:
/en/US/docs/ios/12_3t/12_3t4/feature/guide/gt1636nm.html#1053727
Storm Control
For Information on the concept of Storm Control, refer to the material at this URL:
/en/US/docs/ios/12_3t/12_3t4/feature/guide/gt1636nm.html#1051018
Intrachassis Stacking
For Information on the concept of Intrachassis Stacking, refer to the material at this URL:
/en/US/docs/ios/12_3t/12_3t4/feature/guide/gt1636nm.html#1051061
Fallback Bridging
For Information on the concept of Fallback Bridging, refer to the material at this URL:
/en/US/docs/ios/12_3t/12_3t4/feature/guide/gt1636nm.html#1054833
How to Configure EtherSwitch HWICs
See the following sections for configuration tasks for the EtherSwitch HWICs.
•
•
•
•
•
•
•
•
•
•
•
•
Configuring VLANs
This section describes how to configure VLANs on the switch, and contains the following sections:
•
Adding VLAN Instances
A total of 15 VLANs are supported by an EtherSwitch HWIC.
Beginning in privileged EXEC mode, follow these steps to configure a Fast Ethernet interface as Layer 2 access:
SUMMARY STEPS
1.
2.
3.
DETAILED STEPS
Verifying the VLAN Configuration
You can verify the VLAN configuration in VLAN database mode.
Use the show command in VLAN database mode to verify the VLAN configuration, as shown below:
Router(vlan)#showVLAN ISL Id: 1Name: defaultMedia Type: EthernetVLAN 802.10 Id: 100001State: OperationalMTU: 1500Translational Bridged VLAN: 1002Translational Bridged VLAN: 1003VLAN ISL Id: 2Name: VLAN0002Media Type: EthernetVLAN 802.10 Id: 100002State: OperationalMTU: 1500VLAN ISL Id: 3Name: Red_VLANMedia Type: EthernetVLAN 802.10 Id: 100003State: OperationalMTU: 1500VLAN ISL Id: 1002Name: fddi-defaultMedia Type: FDDIVLAN 802.10 Id: 101002State: OperationalMTU: 1500Bridge Type: SRBTranslational Bridged VLAN: 1Translational Bridged VLAN: 1003VLAN ISL Id: 1003Name: token-ring-defaultMedia Type: Token RingVLAN 802.10 Id: 101003State: OperationalMTU: 1500Bridge Type: SRBRing Number: 0Bridge Number: 1Parent VLAN: 1005Maximum ARE Hop Count: 7Maximum STE Hop Count: 7Backup CRF Mode: DisabledTranslational Bridged VLAN: 1Translational Bridged VLAN: 1002VLAN ISL Id: 1004Name: fddinet-defaultMedia Type: FDDI NetVLAN 802.10 Id: 101004State: OperationalMTU: 1500Bridge Type: SRBBridge Number: 1STP Type: IBMVLAN ISL Id: 1005Name: trnet-defaultMedia Type: Token Ring NetVLAN 802.10 Id: 101005State: OperationalMTU: 1500Bridge Type: SRBBridge Number: 1STP Type: IBMrouter(vlan)# exitAPPLY completed.Exiting....router#router#Enter the show vlan-switch command in EXEC mode using the Cisco IOS CLI to verify the VLAN configuration, as shown below:
router#show vlan-switchVLAN Name Status Ports---- -------------------------------- --------- ----------------------------------1 default active Fa0/1/1, Fa0/1/2, Fa0/1/3, Fa0/1/4Fa0/1/5, Fa0/1/6, Fa0/1/7, Fa0/1/8Fa0/3/0, Fa0/3/2, Fa0/3/3, Fa0/3/4Fa0/3/5, Fa0/3/6, Fa0/3/7, Fa0/3/82 VLAN0002 active Fa0/1/03 Red_VLAN active1002 fddi-default active1003 token-ring-default active1004 fddinet-default active1005 trnet-default activeVLAN Type SAID MTU Parent RingNo BridgeNo Stp BrdgMode Trans1 Trans2---- ----- ---------- ----- ------ ------ -------- ---- -------- ------ ------1 enet 100001 1500 - - - - - 1002 10032 enet 100002 1500 - - - - - 0 03 enet 100003 1500 - - - - - 0 01002 fddi 101002 1500 - - - - - 1 10031003 tr 101003 1500 1005 0 - - srb 1 10021004 fdnet 101004 1500 - - 1 ibm - 0 01005 trnet 101005 1500 - - 1 ibm - 0 0router#Deleting a VLAN Instance from the Database
You cannot delete the default VLANs for the different media types: Ethernet VLAN 1 and FDDI or Token Ring VLANs 1002 to 1005.
Beginning in privileged EXEC mode, follow these steps to delete a VLAN from the database:
SUMMARY STEPS
1.
2.
3.
DETAILED STEPS
Verifying VLAN Deletion
You can verify that a VLAN has been deleted from the switch in VLAN database mode.
Use the show command in VLAN database mode to verify that a VLAN has been deleted from the switch, as shown in the following output example:
Router(vlan)#showVLAN ISL Id: 1Name: defaultMedia Type: EthernetVLAN 802.10 Id: 100001State: OperationalMTU: 1500Translational Bridged VLAN: 1002Translational Bridged VLAN: 1003VLAN ISL Id: 1002Name: fddi-defaultMedia Type: FDDIVLAN 802.10 Id: 101002State: OperationalMTU: 1500Bridge Type: SRBTranslational Bridged VLAN: 1Translational Bridged VLAN: 1003<output truncated>Router(vlan)#Enter the show vlan-switch brief command in EXEC mode, using the Cisco IOS CLI to verify that a VLAN has been deleted from the switch, as shown in the following output example:
Router#show vlan-switch briefVLAN Name Status Ports---- -------------------------------- --------- -------------------------------1 default active Fa0/1/0, Fa0/1/1, Fa0/1/2Fa0/1/3, Fa0/1/4, Fa0/1/5Fa0/1/6, Fa0/1/7, Fa0/1/8300 VLAN0300 active1002 fddi-default active1003 token-ring-default active1004 fddinet-default active1005 trnet-default activeRouter#Configuring VLAN Trunking Protocol
This section describes how to configure the VLAN Trunking Protocol (VTP) on an EtherSwitch HWIC, and contains the following sections:
•
Note
Configuring a VTP Server
When a switch is in VTP server mode, you can change the VLAN configuration and have it propagate throughout the network.
Beginning in privileged EXEC mode, follow these steps to configure the switch as a VTP server.
SUMMARY STEPS
1.
2.
3.
4.
5.
DETAILED STEPS
Configuring a VTP Client
When a switch is in VTP client mode, you cannot change the VLAN configuration on the switch. The client switch receives VTP updates from a VTP server in the management domain and modifies its configuration accordingly.
SUMMARY STEPS
1.
2.
3.
DETAILED STEPS
Disabling VTP (VTP Transparent Mode)
When you configure the switch as VTP transparent, you disable VTP on the switch. A VTP transparent switch does not send VTP updates and does not act on VTP updates received from other switches.
Beginning in privileged EXEC mode, follow these steps to disable VTP on the switch.
SUMMARY STEPS
1.
2.
3.
DETAILED STEPS
Verifying VTP
Use the show vtp status to verify VTP status:
Router# show vtp statusVTP Version : 2Configuration Revision : 0Maximum VLANs supported locally : 256Number of existing VLANs : 5VTP Operating Mode : ServerVTP Domain Name :VTP Pruning Mode : DisabledVTP V2 Mode : DisabledVTP Traps Generation : DisabledMD5 digest : 0xBF 0x86 0x94 0x45 0xFC 0xDF 0xB5 0x70Configuration last modified by 0.0.0.0 at 0-0-00 00:00:00Local updater ID is 1.3.214.25 on interface Fa0/0 (first interface found)Router#Configuring Layer 2 Interfaces
This section provides the following configuration information:
•
•
•
Configuring a Range of Interfaces
Use the interface range command in global configuration mode to configure a range of interfaces.
Defining a Range Macro
Use the define interface-range command in global configuration mode to define an interface range macro:
Verifying Configuration of an Interface Range Macro
Use the show running-configuration command to show the defined interface-range macro configuration, as shown below:
Router#show running-configuration | include definedefine interface-range first_three FastEthernet0/1/0 - 2Configuring Layer 2 Optional Interface Features
•
•
•
•
•
•
•
Interface Speed and Duplex Configuration Guidelines
When configuring an interface speed and duplex mode, note these guidelines:
•
•
•
Caution
Configuring the Interface Speed
Beginning in global configuration mode, follow these steps to set the interface speed.
SUMMARY STEPS
1.
2.
DETAILED STEPS
Note
Configuring the Interface Duplex Mode
Beginning in global configuration mode, follow these steps to set the duplex mode of a Fast Ethernet interface.
SUMMARY STEPS
1.
2.
DETAILED STEPS
Note
The following example shows how to set the interface duplex mode to auto on Fast Ethernet interface 3:
Router(config)#interface fastethernet 0/1/0router(config-if)#speed 100Router(config-if)#duplex autoRouter(config-if)#endVerifying Interface Speed and Duplex Mode Configuration
Use the show interfaces command to verify the interface speed and duplex mode configuration for an interface, as shown in the following output example:
Router#show interfaces fastethernet 0/1/0FastEthernet0/1/0 is up, line protocol is upHardware is Fast Ethernet, address is 000f.f70a.f272 (bia 000f.f70a.f272)MTU 1500 bytes, BW 100000 Kbit, DLY 100 usec,reliability 255/255, txload 1/255, rxload 1/255Encapsulation ARPA, loopback not setKeepalive set (10 sec)Auto-duplex, Auto-speedARP type: ARPA, ARP Timeout 04:00:00Last input 00:00:11, output never, output hang neverLast clearing of "show interface" counters neverQueueing strategy: fifoOutput queue 0/40, (size/max)5 minute input rate 0 bits/sec, 0 packets/sec5 minute output rate 0 bits/sec, 0 packets/sec4 packets input, 1073 bytes, 0 no bufferReceived 0 broadcasts, 0 runts, 0 giants, 0 throttles0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored0 input packets with dribble condition detected6 packets output, 664 bytes, 0 underruns(0/0/0)0 output errors, 0 collisions, 3 interface resets0 babbles, 0 late collision, 0 deferred0 lost carrier, 0 no carrier0 output buffer failures, 0 output buffers swapped outRouter#Configuring a Description for an Interface
You can add a description of an interface to help you remember its function. The description appears in the output of the following commands: show configuration, show running-config, and show interfaces.
Use the description command, in interface configuration mode, to add a description for an interface:
Configuring a Fast Ethernet Interface as a Layer 2 Trunk
Beginning in global configuration mode, follow these steps to configure a Fast Ethernet interface as a Layer 2 trunk.
SUMMARY STEPS
1.
2.
3.
4.
5.
6.
7.
DETAILED STEPS
Note
Verifying a Fast Ethernet Interface as a Layer 2 Trunk
Use the following show commands to verify the configuration of a Fast Ethernet interface as a Layer 2 trunk:
router#show running-config interfaces fastEthernet 0/3/1Building configuration...Current configuration: 71 bytes!interface FastEthernet0/3/1switchport mode trunkno ip addressendrouter#router#show interfaces trunkPort Mode Encapsulation Status Native vlanFa0/3/1 on 802.1q trunking 1Port Vlans allowed on trunkFa0/3/1 1-1005Port Vlans allowed and active in management domainFa0/3/1 1Port Vlans in spanning tree forwarding state and not prunedFa0/3/1 1router#Configuring a Fast Ethernet Interface as Layer 2 Access
Beginning in global configuration mode, follow these steps to configure a Fast Ethernet interface as Layer 2 access.
SUMMARY STEPS
1.
2.
3.
4.
5.
6.
DETAILED STEPS
Verifying a Fast Ethernet Interface as Layer 2 Access
Use the show running-config interface command to verify the running configuration of the interface, as shown below:
Router#show running-config interface fastethernet 0/1/2Building configuration...Current configuration: 76 bytes!interface FastEthernet0/1/2switchport access vlan 3no ip addressendUse the show interfaces command to verify the switchport configuration of the interface, as shown below:
Router#show interfaces f0/1/0 switchportName: Fa0/1/0Switchport: EnabledAdministrative Mode: static accessOperational Mode: static accessAdministrative Trunking Encapsulation: dot1qOperational Trunking Encapsulation: nativeNegotiation of Trunking: DisabledAccess Mode VLAN: 1 (default)Trunking Native Mode VLAN: 1 (default)Trunking VLANs Enabled: ALLTrunking VLANs Active: 1Priority for untagged frames: 0Override vlan tag priority: FALSEVoice VLAN: noneAppliance trust: nonerouter#Configuring 802.1x Authentication
This section describes how to configure 802.1x port-based authentication on an EtherSwitch HWIC:
•
•
•
•
•
•
•
•
Understanding the Default 802.1x Configuration
Table 1 shows the default 802.1x configuration.
802.1x Configuration Guidelines
These are the 802.1x authentication configuration guidelines:
•
•
–
–
Enabling 802.1x Authentication
To enable 802.1x port-based authentication, you must enable AAA and specify the authentication method list. A method list describes the sequence and authentication methods to be queried to authenticate a user.
The software uses the first method listed to authenticate users; if that method fails to respond, the software selects the next authentication method in the method list. This process continues until there is successful communication with a listed authentication method or until all defined methods are exhausted. If authentication fails at any point in this cycle, the authentication process stops, and no other authentication methods are attempted.
Beginning in privileged EXEC mode, follow these steps to configure 802.1x port-based authentication. This procedure is required.
SUMMARY STEPS
1.
2.
3.
4.
5.
6.
7.
8.
DETAILED STEPS
Step 1
Enters global configuration mode.
Step 2
Enables AAA.
Step 3
Creates an 802.1x authentication method list.
To create a default list that is used when a named list is not specified in the authentication command, use the default keyword followed by the methods that are to be used in default situations. The default method list is automatically applied to all interfaces.
Enter at least one of these keywords:
•
•
Step 4
interface interface-idEnters interface configuration mode, and specify the interface to be enabled for 802.1x authentication.
Step 5
Enables 802.1x on the interface.
For feature interaction information with trunk, dynamic, dynamic-access, EtherChannel, secure, and SPAN ports see the "802.1x Configuration Guidelines" section.
Step 6
Returns to privileged EXEC mode.
Step 7
Verifies your entries.
Check the Status column in the 802.1x Port Summary section of the display. An enabled status means the port-control value is set either to auto or to force-unauthorized.
Step 8
(Optional) Saves your entries in the configuration file.
To disable AAA, use the no aaa new-model global configuration command. To disable 802.1x AAA authentication, use the no aaa authentication dot1x {default | list-name} method1 [method2...] global configuration command. To disable 802.1x, use the dot1x port-control force-authorized or the no dot1x port-control interface configuration command.
Configuring the Switch-to-RADIUS-Server Communication
RADIUS security servers are identified by their host name or IP address, host name and specific UDP port numbers, or IP address and specific UDP port numbers. The combination of the IP address and UDP port number creates a unique identifier, which enables RADIUS requests to be sent to multiple UDP ports on a server at the same IP address. If two different host entries on the same RADIUS server are configured for the same service—for example, authentication—the second host entry configured acts as the fail-over backup to the first one. The RADIUS host entries are tried in the order that they were configured.
Beginning in privileged EXEC mode, follow these steps to configure the RADIUS server parameters on the switch. This procedure is required.
SUMMARY STEPS
1.
2.
3.
4.
5.
DETAILED STEPS
To delete the specified RADIUS server, use the no radius-server host {hostname | ip-address} global configuration command.
You can globally configure the timeout, retransmission, and encryption key values for all RADIUS servers by using the radius-server host global configuration command. If you want to configure these options on a per-server basis, use the radius-server timeout, radius-server retransmit, and the radius-server key global configuration commands.
You also need to configure some settings on the RADIUS server. These settings include the IP address of the switch and the key string to be shared by both the server and the switch. For more information, refer to the RADIUS server documentation.
Enabling Periodic Reauthentication
You can enable periodic 802.1x client reauthentication and specify how often it occurs. If you do not specify a time period before enabling reauthentication, the number of seconds between reauthentication attempts is 3600 seconds.
Automatic 802.1x client reauthentication is a global setting and cannot be set for clients connected to individual ports.
Beginning in privileged EXEC mode, follow these steps to enable periodic reauthentication of the client and to configure the number of seconds between reauthentication attempts:
SUMMARY STEPS
1.
2.
3.
4.
5.
6.
DETAILED STEPS
To disable periodic reauthentication, use the no dot1x re-authentication global configuration command. To return to the default number of seconds between reauthentication attempts, use the no dot1x timeout re-authperiod global configuration command.
Changing the Quiet Period
When the switch cannot authenticate the client, the switch remains idle for a set period of time, and then tries again. The idle time is determined by the quiet-period value. A failed authentication of the client might occur because the client provided an invalid password. You can provide a faster response time to the user by entering smaller number than the default.
Beginning in privileged EXEC mode, follow these steps to change the quiet period:
SUMMARY STEPS
1.
2.
3.
4.
5.
DETAILED STEPS
To return to the default quiet time, use the no dot1x timeout quiet-period global configuration command.
Changing the Switch-to-Client Retransmission Time
The client responds to the EAP-request/identity frame from the switch with an EAP-response/identity frame. If the switch does not receive this response, it waits a set period of time (known as the retransmission time), and then retransmits the frame.
Note
Beginning in privileged EXEC mode, follow these steps to change the amount of time that the switch waits for client notification:
SUMMARY STEPS
1.
2.
3.
4.
5.
DETAILED STEPS
To return to the default retransmission time, use the no dot1x timeout tx-period global configuration command.
Setting the Switch-to-Client Frame-Retransmission Number
In addition to changing the switch-to-client retransmission time, you can change the number of times that the switch sends an EAP-request/identity frame (assuming no response is received) to the client before restarting the authentication process.
Note
Beginning in privileged EXEC mode, follow these steps to set the switch-to-client frame-retransmission number:
SUMMARY STEPS
1.
2.
3.
4.
5.
DETAILED STEPS
To return to the default retransmission number, use the no dot1x max-req global configuration command.
Enabling Multiple Hosts
You can attach multiple hosts to a single 802.1x-enabled port. In this mode, only one of the attached hosts must be successfully authorized for all hosts to be granted network access. If the port becomes unauthorized (reauthentication fails, and an EAPOL-logoff message is received), all attached clients are denied access to the network.
Beginning in privileged EXEC mode, follow these steps to allow multiple hosts (clients) on an 802.1x-authorized port that has the dot1x port-control interface configuration command set to auto.
SUMMARY STEPS
1.
2.
3.
4.
5.
6.
DETAILED STEPS
To disable multiple hosts on the port, use the no dot1x multiple-hosts interface configuration command.
Resetting the 802.1x Configuration to the Default Values
You can reset the 802.1x configuration to the default values with a single command.
Beginning in privileged EXEC mode, follow these steps to reset the 802.1x configuration to the default values:
SUMMARY STEPS
1.
2.
3.
4.
5.
DETAILED STEPS
Displaying 802.1x Statistics and Status
To display 802.1x statistics for all interfaces, use the show dot1x statistics privileged EXEC command. To display 802.1x statistics for a specific interface, use the show dot1x statistics interface interface-id privileged EXEC command.
To display the 802.1x administrative and operational status for the switch, use the show dot1x privileged EXEC command. To display the 802.1x administrative and operational status for a specific interface, use the show dot1x interface interface-id privileged EXEC command.
Configuring Spanning Tree
•
•
•
•
•
Enabling Spanning Tree
You can enable spanning tree on a per-VLAN basis. The switch maintains a separate instance of spanning tree for each VLAN (except on VLANs on which you disable spanning tree).
Verifying Spanning Tree
Use the show spanning-tree vlan to verify spanning tree configuration, as illustrated below:
Router# show spanning-tree vlan 200VLAN200 is executing the ieee compatible Spanning Tree protocolBridge Identifier has priority 32768, address 0050.3e8d.6401Configured hello time 2, max age 20, forward delay 15Current root has priority 16384, address 0060.704c.7000Root port is 264 (FastEthernet0/1/8), cost of root path is 38Topology change flag not set, detected flag not setNumber of topology changes 0 last change occurred 01:53:48 agoTimes: hold 1, topology change 24, notification 2hello 2, max age 14, forward delay 10Timers: hello 0, topology change 0, notification 0Port 264 (FastEthernet0/1/8) of VLAN200 is forwardingPort path cost 19, Port priority 128, Port Identifier 129.9.Designated root has priority 16384, address 0060.704c.7000Designated bridge has priority 32768, address 00e0.4fac.b000Designated port id is 128.2, designated path cost 19Timers: message age 3, forward delay 0, hold 0Number of transitions to forwarding state: 1BPDU: sent 3, received 3417Router#Configuring Spanning Tree Port Priority
Beginning in global configuration mode, follow these steps to configure the spanning tree port priority of an interface.
SUMMARY STEPS
1.
2.
3.
4.
DETAILED STEPS
Verifying Spanning Tree Port Priority
Use the show spanning-tree interface to verify spanning-tree interface and the spanning-tree port priority configuration, as illustrated below:
Router# show spanning-tree interface fastethernet 0/1/6Port 264 (FastEthernet0/1/6) of VLAN200 is forwardingPort path cost 19, Port priority 100, Port Identifier 129.8.Designated root has priority 32768, address 0010.0d40.34c7Designated bridge has priority 32768, address 0010.0d40.34c7Designated port id is 128.1, designated path cost 0Timers: message age 2, forward delay 0, hold 0Number of transitions to forwarding state: 1BPDU: sent 0, received 13513Router#Configuring Spanning Tree Port Cost
Beginning in global configuration mode, follow these steps to configure the spanning tree port cost of an interface.
SUMMARY STEPS
1.
2.
3.
4.
DETAILED STEPS
Calculating Port Cost
Port cost value calculations are based on the bandwidth of the port. There are two classes of values. Short (16-bit) values are specified by the IEEE 802.1D specification, and range in value from 1 to 65535. Long (32-bit) values are specified by the IEEE 802.1t specification, and range in value from1 to 200,000,000.
Assigning Short Port Cost Values
You can manually assign port costs in the range of 1 to 65535. Default cost values are as follows.
Assigning Long Port Cost Values
You can manually assign port costs in the range of 1 to 200,000,000. Recommended cost values are as follows.
10 Mbps
2,000,000
200,000 to 20,000,000
100 Mbps
200,000
20,000 to 2,000,000
Verifying Spanning Tree Port Cost
Use the show spanning-tree vlan to verify the spanning-tree port cost configuration.
Router# show spanning-tree vlan 200Port 264 (FastEthernet0/1/8) of VLAN200 is forwardingPort path cost 17, Port priority 64, Port Identifier 129.8.Designated root has priority 32768, address 0010.0d40.34c7Designated bridge has priority 32768, address 0010.0d40.34c7Designated port id is 128.1, designated path cost 0Timers: message age 2, forward delay 0, hold 0Number of transitions to forwarding state: 1BPDU: sent 0, received 13513Router#Configuring the Bridge Priority of a VLAN
To configure the spanning tree bridge priority of a VLAN, use the following command in global configuration mode:
Caution
Verifying the Bridge Priority of a VLAN
Use the show spanning-tree vlan bridge command to verify the bridge priority, as illustrated below:
Router# show spanning-tree vlan 200 bridge briefHello Max FwdVlan Bridge ID Time Age Delay Protocol---------------- -------------------- ---- ---- ----- --------VLAN200 33792 0050.3e8d.64c8 2 20 15 ieeeRouter#Configuring the Hello Time
To configure the hello interval for the spanning tree, use the following command in global configuration mode:
Configuring the Forward-Delay Time for a VLAN
Configuring the Maximum Aging Time for a VLAN
To configure the maximum age interval for the spanning tree, use the following command in global configuration mode:
Configuring the Root Bridge
The EtherSwitch HWIC maintains a separate instance of spanning tree for each active VLAN configured on the switch. A bridge ID, consisting of the bridge priority and the bridge MAC address, is associated with each instance. For each VLAN, the switch with the lowest bridge ID will become the root bridge for that VLAN.
To configure a VLAN instance to become the root bridge, the bridge priority can be modified from the default value (32768) to a significantly lower value so that the bridge becomes the root bridge for the specified VLAN. Use the spanning-tree vlan vlan-ID root command to alter the bridge priority.
The switch checks the bridge priority of the current root bridges for each VLAN. The bridge priority for the specified VLANs is set to 8192 if this value will cause the switch to become the root for the specified VLANs.
If any root switch for the specified VLANs has a bridge priority lower than 8192, the switch sets the bridge priority for the specified VLANs to 1 less than the lowest bridge priority.
For example, if all switches in the network have the bridge priority for VLAN 100 set to the default value of 32768, entering the spanning-tree vlan 100 root primary command on a switch will set the bridge priority for VLAN 100 to 8192, causing the switch to become the root bridge for VLAN 100.
Note
Use the diameter keyword to specify the Layer 2 network diameter (that is, the maximum number of bridge hops between any two end stations in the Layer 2 network). When you specify the network diameter, the switch automatically picks an optimal hello time, forward delay time, and maximum age time for a network of that diameter, which can significantly reduce the spanning tree convergence time. You can use the hello keyword to override the automatically calculated hello time.
Note
To configure the switch as the root, use the following command in global configuration mode:
Disabling Spanning Tree
Disables spanning tree on a per-VLAN basis.
Verifying that Spanning Tree is Disabled.
Use the show spanning-tree vlan to verify the that the spanning tree is disabled, as illustrated below:
Router# show spanning-tree vlan 200<output truncated>Spanning tree instance for VLAN 200 does not exist.Router#Configuring MAC Table Manipulation
•
•
Enabling Known MAC Address Traffic
Beginning in privileged EXEC mode, follow these steps to enable the MAC address secure option.
SUMMARY STEPS
1.
2.
3.
DETAILED STEPS
Verifying the MAC Address Table Secure Option
Use the show mac-address-table secure to verify the configuration, as illustrated below:
Router# show mac-address-table secureSecure Address Table:Destination Address Address Type VLAN Destination Port------------------- ------------ ---- --------------------0000.0002.0001 Secure 2 FastEthernet0/1/1Creating a Static Entry in the MAC Address Table
Beginning in privileged EXEC mode, follow these steps to create a static entry in the MAC address table.
SUMMARY STEPS
1.
2.
3.
DETAILED STEPS
Verifying the Mac Address Table
Use the show mac command to verify the MAC address table, as illustrated below:
Router# show mac-address-tableDestination Address Address Type VLAN Destination Port------------------- ------------ ---- --------------------00ff.ff0d.2dc0 Self 1 Vlan10007.ebc7.ff84 Static 1 FastEthernet0/3/50007.ebc8.018b Static 1 FastEthernet0/3/6000b.bf94.0006 Static 1 FastEthernet0/3/3000b.bf94.0038 Static 1 FastEthernet0/3/0000b.bf94.0039 Static 1 FastEthernet0/3/1000b.bf94.0008 Static 314 FastEthernet0/3/2000b.bf94.0038 Static 314 FastEthernet0/3/0000b.bf94.0008 Static 331 FastEthernet0/3/2000b.bf94.0038 Static 331 FastEthernet0/3/0000b.bf94.0008 Static 348 FastEthernet0/3/2000b.bf94.0038 Static 348 FastEthernet0/3/0Configuring the Aging Timer
The aging timer may be configured from 16 seconds to 4080 seconds, in 16-second intervals.
Beginning in privileged EXEC mode, follow these steps to configure the aging timer.
SUMMARY STEPS
1.
2.
3.
DETAILED STEPS
Caution
Verifying the Aging Time
Use the show mac-address-table aging-time command to verify the MAC address table aging timer, as illustrated below:
Router # show mac-address-table aging-timeMac address aging time 320Configuring Cisco Discovery Protocol
•
•
Enabling Cisco Discovery Protocol
To enable Cisco Discovery Protocol (CDP) globally, use the following command in global configuration mode:
Verifying the CDP Global Configuration
Use the show cdp command to verify the CDP configuration:
Router# show cdpGlobal CDP information:Sending CDP packets every 120 secondsSending a holdtime value of 180 secondsSending CDPv2 advertisements is enabledRouter#Enabling CDP on an Interface
To enable CDP on an interface, use the following command in interface configuration mode:
The following example shows how to enable CDP on Fast Ethernet interface 0/1/1:
Router(config)# interface fastethernet 0/1/1Router(config-if)# cdp enableVerifying the CDP Interface Configuration
Use the show cdp interface command to verify the CDP configuration for an interface:
Router# show cdp interface fastethernet 0/1/1FastEthernet0/1/1 is up, line protocol is upEncapsulation ARPASending CDP packets every 120 secondsHoldtime is 180 secondsRouter#Verifying CDP Neighbors
Use the show cdp neighbors command to verify information about the neighboring equipment:
Router# show cdp neighborsCapability Codes: R - Router, T - Trans Bridge, B - Source Route BridgeS - Switch, H - Host, I - IGMP, r - RepeaterDevice ID Local Intrfce Holdtme Capability Platform Port IDtftp-switch Fas 0/0 125 R S I 2811 Fas 0/3/6hwic-3745-2 Fas 0/1/0 149 R S I 3745 Fas 0/1Router#Monitoring and Maintaining CDP
Configuring the Switched Port Analyzer (SPAN)
This section describes how to configure a SPAN session for an EtherSwitch HWIC.
Note
Note
•
•
Configuring the SPAN Sources
To configure the source for a SPAN session, use the following command in global configuration mode:
The following example shows how to configure the SPAN session to monitor bidirectional traffic from source interface Fast Ethernet 0/3/1:
Router(config)# monitor session 1 source interface fastethernet 0/3/1Configuring SPAN Destinations
To configure the destination for a SPAN session, use the following command in global configuration mode:
Router(config)# monitor session 1 {destination {interface type interface-id} [, | -] | {vlan vlan_ID}}
Specifies the SPAN session (number 1) and the destination interfaces or VLANs.
Verifying the SPAN Session
Use the show monitor session command to verify the sources and destinations configured for the SPAN session.
Router# show monitor session 1Session 1---------Source Ports:RX Only: NoneTX Only: NoneBoth: Fa0/1/0Source VLANs:RX Only: NoneTX Only: NoneBoth: NoneDestination Ports: Fa0/1/1Filter VLANs: NoneRemoving Sources or Destinations from a SPAN Session
To remove sources or destinations from the SPAN session, use the following command in global configuration mode:
Configuring Power Management on the Interface
Beginning in privileged EXEC mode, follow these steps to manage the powering of the Cisco IP phones.
SUMMARY STEPS
1.
2.
3.
DETAILED STEPS
Verifying Power Management on the Interface
Use the show power inline command to verify the power configuration on the ports, as illustrated below:
Router# show power inlinePowerSupply SlotNum. Maximum Allocated Status----------- -------- ------- --------- ------INT-PS 0 120.000 101.500 PS GOODInterface Config Phone Powered PowerAllocated--------- ------ ----- ------- --------------Fa0/1/0 auto Cisco On 6.300 WattsFa0/1/1 auto Cisco On 6.300 WattsFa0/1/2 auto Cisco On 6.300 WattsFa0/1/3 auto Cisco On 6.300 WattsFa0/1/4 auto Cisco On 6.300 WattsFa0/1/5 auto Cisco On 6.300 WattsFa0/1/6 auto Cisco On 6.300 WattsFa0/1/7 auto Cisco On 6.300 WattsFa0/3/0 auto Cisco On 6.300 WattsFa0/3/1 auto Cisco On 6.300 WattsFa0/3/2 auto Cisco On 6.300 WattsFa0/3/3 auto Cisco On 6.300 WattsFa0/3/4 auto Cisco On 6.300 WattsFa0/3/5 auto Cisco On 6.300 WattsFa0/3/6 auto IEEE-2 On 7.000 WattsFa0/3/7 auto Cisco On 6.300 WattsVerifying Other Power Management CLI
Use the show power inline command to verify the power configuration on the ports, as illustrated below:
Router# show power inline [actual | interface fastethernet interface-id | configured]Configuring IP Multicast Layer 3 Switching
These sections describe how to configure IP multicast Layer 3 switching:
•
•
•
•
Enabling IP Multicast Routing Globally
You must enable IP multicast routing globally before you can enable IP multicast Layer 3 switching on Layer 3 interfaces.
For complete information and procedures, refer to these publications:
•
http://www.cisco.com/univercd/cc/td/doc/product/software/ios122/122cgcr/fipr_c/
•
http://www.cisco.com/univercd/cc/td/doc/product/software/ios122/122cgcr/fipras_r/index.htm
•
/en/US/docs/ios/12_2/iproute/command/reference/fiprrp_r.html
•
http://www.cisco.com/univercd/cc/td/doc/product/software/ios122/122cgcr/fiprmc_r/index.htm
To enable IP multicast routing globally, use the following command in global configuration mode:
Enabling IP Protocol-Independent Multicast (PIM) on Layer 3 Interfaces
You must enable PIM on the Layer 3 interfaces before enabling IP multicast Layer 3 switching functions on those interfaces.
Beginning in global configuration mode, follow these steps to enable IP PIM on a Layer 3 interface.
SUMMARY STEPS
1.
2.
DETAILED STEPS
The following example shows how to enable PIM on an interface using the default mode (sparse-dense-mode):
Router(config-if)# ip pim sparse-dense modeRouter(config-if)#The following example shows how to enable PIM sparse mode on an interface:
Router(config-if)# ip pim sparse-modeRouter(config-if)#Verifying IP Multicast Layer 3 Hardware Switching Summary
Note
The show ip pim interface count command verifies the IP multicast Layer 3 switching enable state on IP PIM interfaces and the number of packets received and sent on the interface.
Use the following show commands to verify IP multicast Layer 3 switching information for an IP PIM Layer 3 interface.
Step 1
State:* - Fast Switched, D - Distributed Fast SwitchedH - Hardware Switching EnabledAddress Interface FS Mpackets In/Out10.0.0.1 VLAN1 * 151/0Router#Step 2
IP Multicast Statistics5 routes using 2728 bytes of memory4 groups, 0.25 average sources per groupForwarding Counts:Pkt Count/Pkts per second/Avg Pkt Size/Kilobits per secondOther counts:Total/RPF failed/Other drops(OIF-null, rate-limit etc)Group:224.9.9.9, Source count:1, Packets forwarded: 0, Packets received: 66Source:10.0.0.2/32, Forwarding:0/0/0/0, Other:66/0/66Group:224.10.10.10, Source count:0, Packets forwarded: 0, Packets received: 0Group:224.0.1.39, Source count:0, Packets forwarded: 0, Packets received: 0Group:224.0.1.40, Source count:0, Packets forwarded: 0, Packets received: 0Router#
Note
Step 3
Vlan1 is up, line protocol is upInternet address is 10.0.0.1/24Broadcast address is 255.255.255.255Address determined by setup commandMTU is 1500 bytesHelper address is not setDirected broadcast forwarding is disabledMulticast reserved groups joined: 224.0.0.1 224.0.0.2 224.0.0.22 224.0.0.13Outgoing access list is not setInbound access list is not setProxy ARP is enabledLocal Proxy ARP is disabledSecurity level is defaultSplit horizon is enabledICMP redirects are always sentICMP unreachables are always sentICMP mask replies are never sentIP fast switching is enabledIP fast switching on the same interface is disabledIP Flow switching is disabledIP CEF switching is enabledIP CEF Fast switching turbo vectorIP multicast fast switching is enabledIP multicast distributed fast switching is disabledIP route-cache flags are Fast, CEFRouter Discovery is disabledIP output packet accounting is disabledIP access violation accounting is disabledTCP/IP header compression is disabledRTP/IP header compression is disabledPolicy routing is disabledNetwork address translation is disabledWCCP Redirect outbound is disabledWCCP Redirect inbound is disabledWCCP Redirect exclude is disabledBGP Policy Mapping is disabledRouter#Verifying the IP Multicast Routing Table
Use the show ip mroute command to verify the IP multicast routing table:
Router# show ip mroute 224.10.103.10IP Multicast Routing TableFlags:D - Dense, S - Sparse, B - Bidir Group, s - SSM Group, C - Connected,L - Local, P - Pruned, R - RP-bit set, F - Register flag,T - SPT-bit set, J - Join SPT, M - MSDP created entry,X - Proxy Join Timer Running, A - Candidate for MSDP Advertisement,U - URD, I - Received Source Specific Host Report, Z - Multicast Tunnel,Y - Joined MDT-data group, y - Sending to MDT-data groupOutgoing interface flags:H - Hardware switched, A - Assert winnerTimers:Uptime/ExpiresInterface state:Interface, Next-Hop or VCD, State/Mode(*, 224.10.10.10), 00:09:21/00:02:56, RP 0.0.0.0, flags:DCIncoming interface:Null, RPF nbr 0.0.0.0Outgoing interface list:Vlan1, Forward/Sparse-Dense, 00:09:21/00:00:00, HRouter#
Note
Configuring IGMP Snooping
This section describes how to configure IGMP snooping on your router and consists of the following configuration information and procedures:
•
•
•
•
Enabling or Disabling IGMP Snooping
By default, IGMP snooping is globally enabled on the EtherSwitch HWIC. When globally enabled or disabled, it is also enabled or disabled in all existing VLAN interfaces. By default, IGMP snooping is enabled on all VLANs, but it can be enabled and disabled on a per-VLAN basis.
Global IGMP snooping overrides the per-VLAN IGMP snooping capability. If global snooping is disabled, you cannot enable VLAN snooping. If global snooping is enabled, you can enable or disable snooping on a VLAN basis.
Beginning in privileged EXEC mode, follow these steps to globally enable IGMP snooping on the EtherSwitch HWIC.
SUMMARY STEPS
1.
2.
3.
4.
5.
DETAILED STEPS
To globally disable IGMP snooping on all VLAN interfaces, use the no ip igmp snooping global command.
Beginning in privileged EXEC mode, follow these steps to enable IGMP snooping on a VLAN interface.
SUMMARY STEPS
1.
2.
3.
4.
5.
DETAILED STEPS
To disable IGMP snooping on a VLAN interface, use the no ip igmp snooping vlan vlan-id global configuration command for the specified VLAN number (for example, vlan1).
Enabling IGMP Immediate-Leave Processing
When you enable IGMP Immediate-Leave processing, the EtherSwitch HWIC immediately removes a port from the IP multicast group when it detects an IGMP version 2 leave message on that port. Immediate-Leave processing allows the switch to remove an interface that sends a leave message from the forwarding table without first sending out group-specific queries to the interface. You should use the Immediate-Leave feature only when there is only a single receiver present on every port in the VLAN.
Beginning in privileged EXEC mode, follow these steps to enable IGMP Immediate-Leave processing.
SUMMARY STEPS
1.
2.
3.
DETAILED STEPS
To disable Immediate-Leave processing, follow Steps 1 and 2 to enter interface configuration mode, and use the no ip igmp snooping vlan vlan-id immediate-leave global configuration command.
Statically Configuring an Interface to Join a Group
Ports normally join multicast groups through the IGMP report message, but you can also statically configure a host on an interface.
Beginning in privileged EXEC mode, follow these steps to add a port as a member of a multicast group.
SUMMARY STEPS
1.
2.
3.
4.
5.
DETAILED STEPS
Configuring a Multicast Router Port
Beginning in privileged EXEC mode, follow these steps to enable a static connection to a multicast router.
SUMMARY STEPS
1.
2.
3.
4.
5.
6.
DETAILED STEPS
Configuring Per-Port Storm-Control
You can use these techniques to block the forwarding of unnecessary flooded traffic. This section describes how to configure per-port storm-control and characteristics on your router and consists of the following configuration procedures:
•
•
By default, unicast, broadcast, and multicast suppression is disabled.
Enabling Per-Port Storm-Control
Beginning in privileged EXEC mode, follow these steps to enable per-port storm-control.
SUMMARY STEPS
1.
2.
3.
4.
5.
6.
DETAILED STEPS
Note
Disabling Per-Port Storm-Control
Beginning in privileged EXEC mode, follow these steps to disable per-port storm-control.
SUMMARY STEPS
1.
2.
3.
4.
5.
6.
DETAILED STEPS
Configuring Stacking
Stacking is the connection of two switch modules resident in the same chassis so that they behave as a single switch. When a chassis is populated with two switch modules, the user must configure both of them to operate in stacked mode. This is done by selecting one port from each switch module and configuring it to be a stacking partner. The user must then connect with a cable the stacking partners from each switch module to physically stack the switch modules. Any one port in a switch module can be designated as the stacking partner for that switch module.
Beginning in privileged EXEC mode, follow these steps to configure a pair of ports on two different switch modules as stacking partners.
SUMMARY STEPS
1.
2.
3.
4.
5.
6.
7.
DETAILED STEPS
Note
Caution
Configuring Fallback Bridging
This section describes how to configure fallback bridging on your switch. It contains this configuration information:
•
•
•
•
•
•
Understanding the Default Fallback Bridging Configuration
Table 2 shows the default fallback bridging configuration.
Creating a Bridge Group
To configure fallback bridging for a set of SVIs, these interfaces must be assigned to bridge groups. All interfaces in the same group belong to the same bridge domain. Each SVI can be assigned to only one bridge group.
Beginning in privileged EXEC mode, follow these steps to create a bridge group and assign an interface to it.
SUMMARY STEPS
1.
2.
3.
4.
5.
6.
7.
8.
9.
DETAILED STEPS
To remove a bridge group, use the no bridge bridge-group protocol vlan-bridge global configuration command. To remove an interface from a bridge group, use the no bridge-group bridge-group interface configuration command.
Preventing the Forwarding of Dynamically Learned Stations
By default, the switch forwards any frames for stations that it has dynamically learned. By disabling this activity, the switch only forwards frames whose addresses have been statically configured into the forwarding cache.
Beginning in privileged EXEC mode, follow these steps to prevent the switch from forwarding frames for stations that it has dynamically learned.
SUMMARY STEPS
1.
2.
3.
4.
5.
DETAILED STEPS
To cause the switch to forward frames to stations that it has dynamically learned, use the bridge bridge-group acquire global configuration command.
Configuring the Bridge Table Aging Time
A switch forwards, floods, or drops packets based on the bridge table. The bridge table maintains both static and dynamic entries. Static entries are entered by you. Dynamic entries are entered by the bridge learning process. A dynamic entry is automatically removed after a specified length of time, known as aging time, from the time the entry was created or last updated.
If you are likely to move hosts on a switched network, decrease the aging-time to enable the switch to quickly adapt to the change. If hosts on a switched network do not continuously send packets, increase the aging time to keep the dynamic entries for a longer time and thus reduce the possibility of flooding when the hosts send again.
Beginning in privileged EXEC mode, follow these steps to configure the aging time.
SUMMARY STEPS
1.
2.
3.
4.
5.
DETAILED STEPS
To return to the default aging-time interval, use the no bridge bridge-group aging-time global configuration command.
Filtering Frames by a Specific MAC Address
A switch examines frames and sends them through the internetwork according to the destination address; a switch does not forward a frame back to its originating network segment. You can use the software to configure specific administrative filters that filter frames based on information other than the paths to their destinations.
You can filter frames with a particular MAC-layer station destination address. Any number of addresses can be configured in the system without a performance penalty.
Beginning in privileged EXEC mode, follow these steps to filter by the MAC-layer address.
SUMMARY STEPS
1.
2.
3.
4.
5.
DETAILED STEPS
To disable the frame forwarding ability, use the no bridge bridge-group address mac-address global configuration command.
Adjusting Spanning-Tree Parameters
You might need to adjust certain spanning-tree parameters if the default values are not suitable for your switch configuration. Parameters affecting the entire spanning tree are configured with variations of the bridge global configuration command. Interface-specific parameters are configured with variations of the bridge-group interface configuration command.
You can adjust spanning-tree parameters by performing any of the tasks in these sections:
•
•
Note
Changing the Switch Priority
You can globally configure the priority of an individual switch when two switches tie for position as the root switch, or you can configure the likelihood that a switch will be selected as the root switch. This priority is determined by default; however, you can change it.
Beginning in privileged EXEC mode, follow these steps to change the switch priority.
SUMMARY STEPS
1.
2.
3.
4.
5.
DETAILED STEPS
No no form of this command exists. To return to the default setting, use the bridge bridge-group priority number global configuration command, and set the priority to the default value. To change the priority on an interface, use the bridge-group priority interface configuration command (described in the next section).
Changing the Interface Priority
You can change the priority for an interface. When two switches tie for position as the root switch, you configure an interface priority to break the tie. The switch with the lowest interface value is elected.
Beginning in privileged EXEC mode, follow these steps to change the interface priority.
SUMMARY STEPS
1.
2.
3.
4.
5.
6.
DETAILED STEPS
To return to the default setting, use the bridge-group bridge-group priority number interface configuration command.
Assigning a Path Cost
Each interface has a path cost associated with it. By convention, the path cost is 1000/data rate of the attached LAN, in Mbps.
Beginning in privileged EXEC mode, follow these steps to assign a path cost.
SUMMARY STEPS
1.
2.
3.
4.
5.
6.
DETAILED STEPS
To return to the default path cost, use the no bridge-group bridge-group path-cost cost interface configuration command.
Adjusting BPDU Intervals
You can adjust BPDU intervals as described in these sections:
•
•
•
Note
Adjusting the Interval between Hello BPDUs
Beginning in privileged EXEC mode, follow these step to adjust the interval between hello BPDUs.
SUMMARY STEPS
1.
2.
3.
4.
5.
DETAILED STEPS
To return to the default setting, use the no bridge bridge-group hello-time global configuration command.
Changing the Forward-Delay Interval
The forward-delay interval is the amount of time spent listening for topology change information after an interface has been activated for switching and before forwarding actually begins.
Beginning in privileged EXEC mode, follow these steps to change the forward-delay interval.
SUMMARY STEPS
1.
2.
3.
4.
5.
DETAILED STEPS
To return to the default setting, use the no bridge bridge-group forward-time seconds global configuration command.
Changing the Maximum-Idle Interval
If a switch does not hear BPDUs from the root switch within a specified interval, it recomputes the spanning-tree topology.
Beginning in privileged EXEC mode, follow these steps to change the maximum-idle interval (maximum aging time).
SUMMARY STEPS
1.
2.
3.
4.
5.
DETAILED STEPS
To return to the default setting, use the no bridge bridge-group max-age global configuration command.
Disabling the Spanning Tree on an Interface
When a loop-free path exists between any two switched subnetworks, you can prevent BPDUs generated in one switching subnetwork from impacting devices in the other switching subnetwork, yet still permit switching throughout the network as a whole. For example, when switched LAN subnetworks are separated by a WAN, BPDUs can be prevented from traveling across the WAN link.
Beginning in privileged EXEC mode, follow these steps to disable spanning tree on an interface.
SUMMARY STEPS
1.
2.
3.
4.
5.
6.
DETAILED STEPS
To reenable spanning tree on the interface, use the no bridge-group bridge-group spanning-disabled interface configuration command.
Monitoring and Maintaining the Network
To monitor and maintain the network, use one or more of the following privileged EXEC commands.
Configuring Separate Voice and Data Subnets
For ease of network administration and increased scalability, network managers can configure the EtherSwitch HWIC to support Cisco IP phones such that the voice and data traffic reside on separate subnets. You should always use separate VLANs when you are able to segment the existing IP address space of your branch office.
User priority bits in the 802.1p portion of the 802.1Q standard header are used to provide prioritization in Ethernet Switches. This is a vital component in designing Cisco AVVID networks.
The EtherSwitch HWIC provides the performance and intelligent services of Cisco IOS software for branch office applications. The EtherSwitch HWIC can identify user applications—such as voice or multicast video—and classify traffic with the appropriate priority levels.
Note
Beginning in global configuration mode, follow these steps to automatically configure Cisco IP phones to send voice traffic on the voice VLAN ID (VVID) on a per-port basis (see the "Voice Traffic and VVID" section).
SUMMARY STEPS
1.
2.
3.
4.
5.
DETAILED STEPS
Voice Traffic and VVID
The EtherSwitch HWIC can automatically configure voice VLAN. This capability overcomes the management complexity of overlaying a voice topology onto a data network while maintaining the quality of voice traffic. With the automatically configured voice VLAN feature, network administrators can segment phones into separate logical networks, even though the data and voice infrastructure is physically the same. The voice VLAN feature places the phones into their own VLANs without the need for end-user intervention. A user can plug the phone into the switch, and the switch provides the phone with the necessary VLAN information.
Configuring a Single Subnet for Voice and Data
For network designs with incremental IP telephony deployment, network managers can configure the EtherSwitch HWIC so that the voice and data traffic coexist on the same subnet. This might be necessary when it is impractical either to allocate an additional IP subnet for IP phones or to divide the existing IP address space into an additional subnet at the remote branch, it might be necessary to use a single IP address space for branch offices. (This is one of the simpler ways to deploy IP telephony.)
This configuration approach must address two key considerations:
•
•
Beginning in privileged EXEC mode, follow these steps to automatically configure Cisco IP phones to send voice and data traffic on the same VLAN.
SUMMARY STEPS
1.
2.
3.
4.
DETAILED STEPS
Verifying Switchport Configuration
Use the show run interface command to verify the switchport configuration.
Router# show run interface interface-idUse the write memory command to save the current configuration in flash memory.
Router# write memoryManaging the EtherSwitch HWIC
This section describes how to perform basic management tasks on the EtherSwitch HWIC with the Cisco IOS CLI. You might find this information useful when you configure the switch for the previous scenarios.
The following topics are included:
•
•
•
Adding Trap Managers
A trap manager is a management station that receives and processes traps. When you configure a trap manager, community strings for each member switch must be unique. If a member switch has an IP address assigned to it, the management station accesses the switch by using its assigned IP address.
By default, no trap manager is defined, and no traps are issued.
Beginning in privileged EXEC mode, follow these steps to add a trap manager and community string.
SUMMARY STEPS
1.
2.
3.
DETAILED STEPS
Verifying Trap Managers
Use the show running-config command to verify that the information was entered correctly by displaying the running configuration:
Router# show running-config
Configuring IP Information
This section describes how to assign IP information on the EtherSwitch HWIC. The following topics are included:
•
•
Assigning IP Information to the Switch
You can use a BOOTP server to automatically assign IP information to the switch; however, the BOOTP server must be set up in advance with a database of physical MAC addresses and corresponding IP addresses, subnet masks, and default gateway addresses. In addition, the switch must be able to access the BOOTP server through one of its ports. At startup, a switch without an IP address requests the information from the BOOTP server; the requested information is saved in the switch running the configuration file. To ensure that the IP information is saved when the switch is restarted, save the configuration by entering the write memory command in privileged EXEC mode.
You can change the information in these fields. The mask identifies the bits that denote the network number in the IP address. When you use the mask to subnet a network, the mask is then referred to as a subnet mask. The broadcast address is reserved for sending messages to all hosts. The CPU sends traffic to an unknown IP address through the default gateway.
Beginning in privileged EXEC mode, follow these steps to enter the IP information.
SUMMARY STEPS
1.
2.
3.
4.
5.
6.
DETAILED STEPS
Use the following procedure to remove the IP information from a switch.
Note
Beginning in global configuration mode, follow these steps to remove an IP address.
SUMMARY STEPS
1.
2.
3.
DETAILED STEPS
Caution
Specifying a Domain Name and Configuring the DNS
Each unique IP address can have a host name associated with it. The Cisco IOS software maintains a EC mode, and related Telnet support operations. This cache speeds the process of converting names to addresses.
IP defines a hierarchical naming scheme that allows a device to be identified by its location or domain. Domain names are pieced together with periods (.) as the delimiting characters. For example, Cisco Systems is a commercial organization that IP identifies by a com domain name, so its domain name is cisco.com. A specific device in this domain, the FTP system, for example, is identified as ftp.cisco.com.
To track domain names, IP has defined the concept of a domain name server (DNS), the purpose of which is to hold a cache (or database) of names mapped to IP addresses. To map domain names to IP addresses, you must first identify the host names and then specify a name server and enable the DNS, the Internet's global naming scheme that uniquely identifies network devices.
Specifying the Domain Name
You can specify a default domain name that the software uses to complete domain name requests. You can specify either a single domain name or a list of domain names. When you specify a domain name, any IP host name without a domain name has that domain name appended to it before being added to the host table.
Specifying a Name Server
You can specify up to six hosts that can function as a name server to supply name information for the DNS.
Enabling the DNS
If your network devices require connectivity with devices in networks for which you do not control name assignment, you can assign device names that uniquely identify your devices within the entire internetwork. The Internet's global naming scheme, the DNS, accomplishes this task. This service is enabled by default.
Enabling Switch Port Analyzer
You can monitor traffic on a given port by forwarding incoming and outgoing traffic on the port to another port in the same VLAN. A Switch Port Analyzer (SPAN) port cannot monitor ports in a different VLAN, and a SPAN port must be a static-access port. Any number of ports can be defined as SPAN ports, and any combination of ports can be monitored. SPAN is supported for up to 2 sessions.
Beginning in privileged EXEC mode, follow these steps to enable SPAN.
SUMMARY STEPS
1.
2.
3.
DETAILED STEPS
Beginning in privileged EXEC mode, follow these steps to disable SPAN.
SUMMARY STEPS
1.
2.
3.
DETAILED STEPS
Managing the ARP Table
To communicate with a device (on Ethernet, for example), the software first must determine the 48-bit MAC or local data link address of that device. The process of determining the local data link address from an IP address is called address resolution.
The Address Resolution Protocol (ARP) associates a host IP address with the corresponding media or MAC addresses and VLAN ID. Taking an IP address as input, ARP determines the associated MAC address. Once a MAC address is determined, the IP-MAC address association is stored in an ARP cache for rapid retrieval. Then the IP datagram is encapsulated in a link-layer frame and sent over the network. Encapsulation of IP datagrams and ARP requests and replies on IEEE 802 networks other than Ethernet is specified by the Subnetwork Access Protocol (SNAP). By default, standard Ethernet-style ARP encapsulation (represented by the arpa keyword) is enabled on the IP interface.
When you manually add entries to the ARP Table by using the CLI, you must be aware that these entries do not age and must be manually removed.
Managing the MAC Address Tables
This section describes how to manage the MAC address tables on the EtherSwitch HWIC. The following topics are included:
•
•
•
The switch uses the MAC address tables to forward traffic between ports. All MAC addresses in the address tables are associated with one or more ports. These MAC tables include the following types of addresses:
•
•
•
The address tables list the destination MAC address and the associated VLAN ID, module, and port number associated with the address. The following shows an example of a list of addresses as they would appear in the dynamic, secure, or static address table.
Router# show mac-address-tableDestination Address Address Type VLAN Destination Port------------------- ------------ ---- --------------------000a.000b.000c Secure 1 FastEthernet0/1/8000d.e105.cc70 Self 1 Vlan100aa.00bb.00cc Static 1 FastEthernet0/1/0Understanding MAC Addresses and VLANs
All addresses are associated with a VLAN. An address can exist in more than one VLAN and have different destinations in each. Multicast addresses, for example, could be forwarded to port 1 in VLAN 1 and ports 9, 10, and 11 in VLAN 5.
Each VLAN maintains its own logical address table. A known address in one VLAN is unknown in another until it is learned or statically associated with a port in the other VLAN. An address can be secure in one VLAN and dynamic in another. Addresses that are statically entered in one VLAN must be static addresses in all other VLANs.
Changing the Address Aging Time
Dynamic addresses are source MAC addresses that the switch learns and then drops when they are not in use. Use the Aging Time field to define how long the switch retains unseen addresses in the table. This parameter applies to all VLANs.
Configuring the Aging Time
Setting too short an aging time can cause addresses to be prematurely removed from the table. Then when the switch receives a packet for an unknown destination, it floods the packet to all ports in the same VLAN as the receiving port. This unnecessary flooding can impact performance. Setting too long an aging time can cause the address table to be filled with unused addresses; it can cause delays in establishing connectivity when a workstation is moved to a new port.
Beginning in global configuration mode, follow these steps to configure the dynamic address table aging time.
SUMMARY STEPS
1.
2.
3.
DETAILED STEPS
Verifying Aging-Time Configuration
Use the show mac-address-table aging-time command to verify configuration:
Router# show mac-address-table aging-time
Removing Dynamic Addresses
Beginning in privileged EXEC mode, follow these steps to remove a dynamic address entry.
SUMMARY STEPS
1.
2.
3.
DETAILED STEPS
You can remove all dynamic entries by using the clear mac-address-table dynamic command in privileged EXEC mode.
Verifying Dynamic Addresses
Use the show mac-address-table dynamic command to verify configuration:
Router# show mac-address-table dynamicAdding Secure Addresses
The secure address table contains secure MAC addresses and their associated ports and VLANs. A secure address is a manually entered unicast address that is forwarded to only one port per VLAN. If you enter an address that is already assigned to another port, the switch reassigns the secure address to the new port.
You can enter a secure port address even when the port does not yet belong to a VLAN. When the port is later assigned to a VLAN, packets destined for that address are forwarded to the port.
Beginning in privileged EXEC mode, follow these steps to add a secure address.
SUMMARY STEPS
1.
2.
3.
DETAILED STEPS
Beginning in privileged EXEC mode, follow these steps to remove a secure address.
SUMMARY STEPS
1.
2.
3.
DETAILED STEPS
You can remove all secure addresses by using the clear mac-address-table secure command in privileged EXEC mode.
Verifying Secure Addresses
Use the show mac-address-table secure command to verify configuration:
Router# show mac-address-table secureConfiguring Static Addresses
A static address has the following characteristics:
•
•
•
Because all ports are associated with at least one VLAN, the switch acquires the VLAN ID for the address from the ports that you select on the forwarding map. A static address in one VLAN must be a static address in other VLANs. A packet with a static address that arrives on a VLAN where it has not been statically entered is flooded to all ports and not learned.
Beginning in privileged EXEC mode, follow these steps to add a static address.
SUMMARY STEPS
1.
2.
3.
DETAILED STEPS
Beginning in privileged EXEC mode, follow these steps to remove a static address.
SUMMARY STEPS
1.
2.
3.
DETAILED STEPS
:
You can remove all secure addresses by using the clear mac-address-table static command in privileged EXEC mode.
Verifying Static Addresses
Use the show mac-address-table static command to verify configuration:
Router # show mac-address-table staticStatic Address TableDestination Address Address Type VLAN Destination Port------------------- ------------ ---- --------------------000a.000b.000c Static 1 FastEthernet0/1/0Clearing all MAC Address Tables
To remove all addresses, use the clear mac-address command in privileged EXEC mode:
Configuration Examples for EtherSwitch HWICs
This section provides the following configuration examples:
Guest
