Configuring LAN Ports for Layer 2 Switching
This chapter describes how to use the command-line interface (CLI) to configure Ethernet, Fast Ethernet, Gigabit Ethernet, and 10-Gigabit Ethernet LAN ports for Layer 2 switching on the Cisco 7600 series routers. The configuration tasks in this chapter apply to LAN ports on LAN switching modules and to the LAN ports on the supervisor engine.
Note
- For complete syntax and usage information for the commands used in this chapter, refer to the Cisco 7600 Series Routers Command References at this URL:
http://www.cisco.com/en/US/products/hw/routers/ps368/prod_command_reference_list.html
- To configure Layer 3 interfaces, see Chapter 22, “Configuring Layer 3 Interfaces.”
Understanding How Layer 2 Switching Works
These sections describe how Layer 2 switching works on the Cisco 7600 series routers:
Understanding Layer 2 Ethernet Switching
Layer 2 Ethernet Switching Overview
Cisco 7600 series routers support simultaneous, parallel connections between Layer 2 Ethernet segments. Switched connections between Ethernet segments last only for the duration of the packet. New connections can be made between different segments for the next packet.
Cisco 7600 series routers solve congestion problems caused by high-bandwidth devices and by a large number of users by assigning each device (for example, a server) to its own 10-, 100-, or 1000-Mbps collision domain. Because each LAN port connects to a separate Ethernet collision domain, servers in a properly configured switched environment achieve full access to the bandwidth.
Because collisions cause significant congestion in Ethernet networks, an effective solution is full-duplex communication. Normally, Ethernet operates in half-duplex mode, which means that stations can either receive or transmit. In full-duplex mode, two stations can transmit and receive at the same time. When packets can flow in both directions simultaneously, the effective Ethernet bandwidth doubles.
Switching Frames Between Segments
Each LAN port on a Cisco 7600 series router can connect to a single workstation or server, or to a hub through which workstations or servers connect to the network.
On a typical Ethernet hub, all ports connect to a common backplane within the hub, and the bandwidth of the network is shared by all devices attached to the hub. If two stations establish a session that uses a significant level of bandwidth, the network performance of all other stations attached to the hub is degraded.
To reduce degradation, the router considers each LAN port to be an individual segment. When stations connected to different LAN ports need to communicate, the router forwards frames from one LAN port to the other at wire speed to ensure that each session receives full bandwidth.
To switch frames between LAN ports efficiently, the router maintains an address table. When a frame enters the router, it associates the MAC address of the sending network device with the LAN port on which it was received.
Building the Address Table
Cisco 7600 series routers build the address table by using the source address of the frames received. When the router receives a frame for a destination address not listed in its address table, it floods the frame to all LAN ports of the same VLAN except the port that received the frame. When the destination station replies, the router adds its relevant source address and port ID to the address table. The router then forwards subsequent frames to a single LAN port without flooding to all LAN ports.
The address table can store at least 32,000 address entries without flooding any entries. The router uses an aging mechanism, defined by a configurable aging timer, so if an address remains inactive for a specified number of seconds, it is removed from the address table.
Understanding VLAN Trunks
These sections describe VLAN trunks on the Cisco 7600 series routers:
Trunking Overview
Note For information about VLANs, see Chapter 14, “Configuring VLANs.”
A trunk is a point-to-point link between the router and another networking device. Trunks carry the traffic of multiple VLANs over a single link and allow you to extend VLANs across an entire network.
Two trunking encapsulations are available on all Ethernet ports:
Note The following switching modules do not support ISL encapsulation:
• WS-X6502-10GE
• WS-X6548-GE-TX, WS-X6548V-GE-TX, WS-X6548-GE-45AF
• WS-X6148-GE-TX, WS-X6148V-GE-TX, WS-X6148-GE-45AF
You can configure a trunk on a single Ethernet port or on an EtherChannel. For more information about EtherChannel, see Chapter 12, “Configuring EtherChannels.”
Ethernet trunk ports support several trunking modes (see Table 10-2). You can specify whether the trunk uses ISL or 802.1Q encapsulation, and whether the encapsulation type is autonegotiated.
Note You can configure LAN ports to negotiate the encapsulation type. You cannot configure WAN interfaces to negotiate the encapsulation type.
The Dynamic Trunking Protocol (DTP) manages trunk autonegotiation on LAN ports. DTP supports autonegotiation of both ISL and 802.1Q trunks.
To autonegotiate trunking, the LAN ports must be in the same VTP domain. Use the trunk or nonegotiate keywords to force LAN ports in different domains to trunk. For more information on VTP domains, see Chapter 13, “Configuring VTP.”
Encapsulation Types
Table 10-1 lists the Ethernet trunk encapsulation types.
Specifies ISL encapsulation on the trunk link.
Note Some modules do not support ISL encapsulation (see the “Trunking Overview” section).
Specifies that the LAN port negotiate with the neighboring LAN port to become an ISL (preferred) or 802.1Q trunk, depending on the configuration and capabilities of the neighboring LAN port.
The trunking mode, the trunk encapsulation type, and the hardware capabilities of the two connected LAN ports determine whether a link becomes an ISL or 802.1Q trunk.
Layer 2 LAN Port Modes
Table 10-2 lists the Layer 2 LAN port modes and describes how they function on LAN ports.
Note DTP is a point-to-point protocol. However, some internetworking devices might forward DTP frames improperly. To avoid this problem, ensure that LAN ports connected to devices that do not support DTP are configured with the access keyword if you do not intend to trunk across those links. To enable trunking to a device that does not support DTP, use the nonegotiate keyword to cause the LAN port to become a trunk but not generate DTP frames.
Default Layer 2 LAN Interface Configuration
Table 10-3 shows the Layer 2 LAN port default configuration.
VLANs 1 to 4094, except reserved VLANs (see Table 14-1)
Layer 2 LAN Interface Configuration Guidelines and Restrictions
When configuring Layer 2 LAN ports, follow these guidelines and restrictions:
- The following switching modules do not support ISL encapsulation:
– WS-X6548-GE-TX, WS-X6548V-GE-TX, WS-X6548-GE-45AF
– WS-X6148-GE-TX, WS-X6148V-GE-TX, WS-X6148-GE-45AF
- The following configuration guidelines and restrictions apply when using 802.1Q trunks and impose some limitations on the trunking strategy for a network. Note these restrictions when using 802.1Q trunks:
– When connecting Cisco switches through an 802.1Q trunk, make sure the native VLAN for an 802.1Q trunk is the same on both ends of the trunk link. If the native VLAN on one end of the trunk is different from the native VLAN on the other end, spanning tree loops might result.
– Disabling spanning tree on the native VLAN of an 802.1Q trunk without disabling spanning tree on every VLAN in the network can cause spanning tree loops. We recommend that you leave spanning tree enabled on the native VLAN of an 802.1Q trunk. If this is not possible, disable spanning tree on every VLAN in the network. Make sure your network is free of physical loops before disabling spanning tree.
– When you connect two Cisco switches through 802.1Q trunks, the switches exchange spanning tree BPDUs on each VLAN allowed on the trunks. The BPDUs on the native VLAN of the trunk are sent untagged to the reserved IEEE 802.1d spanning tree multicast MAC address (01-80-C2-00-00-00). The BPDUs on all other VLANs on the trunk are sent tagged to the reserved Cisco Shared Spanning Tree (SSTP) multicast MAC address (01-00-0c-cc-cc-cd).
– Non-Cisco 802.1Q switches maintain only a single instance of spanning tree (the Mono Spanning Tree, or MST) that defines the spanning tree topology for all VLANs. When you connect a Cisco router to a non-Cisco router through an 802.1Q trunk, the MST of the non-Cisco router and the native VLAN spanning tree of the Cisco router combine to form a single spanning tree topology known as the Common Spanning Tree (CST).
– Because Cisco switches transmit BPDUs to the SSTP multicast MAC address on VLANs other than the native VLAN of the trunk, non-Cisco switches do not recognize these frames as BPDUs and flood them on all ports in the corresponding VLAN. Other Cisco switches connected to the non-Cisco 802.1Q cloud receive these flooded BPDUs. This allows Cisco switches to maintain a per-VLAN spanning tree topology across a cloud of non-Cisco 802.1Q switches. The non-Cisco 802.1Q cloud separating the Cisco switches is treated as a single broadcast segment between all switches connected to the non-Cisco 802.1Q cloud through 802.1Q trunks.
– Make certain that the native VLAN is the same on all of the 802.1Q trunks connecting the Cisco switches to the non-Cisco 802.1Q cloud.
– If you are connecting multiple Cisco switches to a non-Cisco 802.1Q cloud, all of the connections must be through 802.1Q trunks. You cannot connect Cisco switches to a non-Cisco 802.1Q cloud through ISL trunks or through access ports. Doing so causes the router to place the ISL trunk port or access port into the spanning tree “port inconsistent” state and no traffic will pass through the port.
Configuring LAN Interfaces for Layer 2 Switching
These sections describe how to configure Layer 2 switching on the Cisco 7600 series routers:
- Configuring a LAN Port for Layer 2 Switching
- Configuring a Layer 2 Switching Port as a Trunk
- Configuring a LAN Interface as a Layer 2 Access Port
- Configuring a Custom IEEE 802.1Q EtherType Field Value
Note Use the default interface {ethernet | fastethernet | gigabitethernet | tengigabitethernet} slot/port command to revert an interface to its default configuration.
Configuring a LAN Port for Layer 2 Switching
To configure a LAN port for Layer 2 switching, perform this task:
Router(config)# interface type 1 slot/port
(Optional) Shuts down the interface to prevent traffic flow until configuration is complete.
Configures the LAN port for Layer 2 switching.
Note You must enter the switchport command once without any keywords to configure the LAN port as a Layer 2 port before you can enter additional switchport commands with keywords.
Activates the interface. (Required only if you shut down the interface.)
Router# show running-config interface [ type 1 slot/port ]
Router# show interfaces [ type 1 slot/port ] switchport
Router# show interfaces [ type 1 slot/port ] trunk
1. type = ethernet, fastethernet, gigabitethernet, or tengigabitethernet
After you enter the switchport command, the default mode is switchport mode dynamic desirable. If the neighboring port supports trunking and is configured to allow trunking, the link becomes a Layer 2 trunk when you enter the switchport command. By default, LAN trunk ports negotiate encapsulation. If the neighboring port supports ISL and 802.1Q encapsulation and both ports are set to negotiate the encapsulation type, the trunk uses ISL encapsulation (10-Gigabit Ethernet ports do not support ISL encapsulation).
Configuring a Layer 2 Switching Port as a Trunk
These sections describe configuring a Layer 2 switching port as a trunk:
- Configuring the Layer 2 Switching Port as an ISL or 802.1Q Trunk
- Configuring the Layer 2 Trunk to Use DTP
- Configuring the Layer 2 Trunk Not to Use DTP
- Configuring the Access VLAN
- Configuring the 802.1Q Native VLAN
- Configuring the List of VLANs Allowed on a Trunk
- Configuring the List of Prune-Eligible VLANs
- Completing Trunk Configuration
- Verifying Layer 2 Trunk Configuration
- Configuration and Verification Examples
Configuring the Layer 2 Switching Port as an ISL or 802.1Q Trunk
Note
- Complete the steps in the “Configuring a LAN Port for Layer 2 Switching” section before performing the tasks in this section.
- When you enter the switchport command with no other keywords (Step 3 in the previous section), the default mode is switchport mode dynamic desirable and switchport trunk encapsulation negotiate.
To configure the Layer 2 switching port as an ISL or 802.1Q trunk, perform this task:
When configuring the Layer 2 switching port as an ISL or 802.1Q trunk, note the following information:
- The switchport mode trunk command (see the “Configuring the Layer 2 Trunk Not to Use DTP” section) is not compatible with the switchport trunk encapsulation negotiate command.
- To support the switchport mode trunk command, you must configure the encapsulation as either ISL or 802.1Q.
- The following switching modules do not support ISL encapsulation:
– WS-X6548-GE-TX, WS-X6548V-GE-TX, WS-X6548-GE-45AF
– WS-X6148-GE-TX, WS-X6148V-GE-TX, WS-X6148-GE-45AF
Note Complete the steps in the “Completing Trunk Configuration” section after performing the tasks in this section.
Configuring the Layer 2 Trunk to Use DTP
Note Complete the steps in the “Configuring a LAN Port for Layer 2 Switching” section before performing the tasks in this section.
To configure the Layer 2 trunk to use DTP, perform this task:
Router(config-if)# switchport mode dynamic { auto | desirable }
Reverts to the default trunking mode (switchport mode dynamic desirable).
When configuring the Layer 2 trunk to use DTP, note the following information:
- Required only if the interface is a Layer 2 access port or to specify the trunking mode.
- See Table 10-2 for information about trunking modes.
Note Complete the steps in the “Completing Trunk Configuration” section after performing the tasks in this section.
Configuring the Layer 2 Trunk Not to Use DTP
Note Complete the steps in the “Configuring a LAN Port for Layer 2 Switching” section before performing the tasks in this section.
To configure the Layer 2 trunk not to use DTP, perform this task:
Reverts to the default trunking mode (switchport mode dynamic desirable).
When configuring the Layer 2 trunk not to use DTP, note the following information:
- Before entering the switchport mode trunk command, you must configure the encapsulation (see the “Configuring the Layer 2 Switching Port as an ISL or 802.1Q Trunk” section).
- To support the switchport nonegotiate command, you must enter the switchport mode trunk command.
- Enter the switchport mode dynamic trunk command. See Table 10-2 for information about trunking modes.
- Before entering the switchport nonegotiate command, you must configure the encapsulation (see the “Configuring the Layer 2 Switching Port as an ISL or 802.1Q Trunk” section) and configure the port to trunk unconditionally with the switchport mode trunk command (see the “Configuring the Layer 2 Trunk to Use DTP” section).
Note Complete the steps in the “Completing Trunk Configuration” section after performing the tasks in this section.
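The defaults and DTP rules described in these sections can be checked against a saved configuration. The following is an added example, not Cisco code: it reads interface stanzas and reports Layer 2 ports that still negotiate trunking, trunks that still generate DTP frames, and ports on which every VLAN would be allowed. The finding names and the sample configuration are constructed, and the script assumes that a missing `switchport mode` or `switchport trunk encapsulation` line means the default stated in this chapter is in effect.

```python
import re

# Constructed running-config excerpt (sample input, not taken from a real device).
SAMPLE_CONFIG = """\
interface FastEthernet5/6
 switchport
 switchport access vlan 200
 switchport mode access
!
interface FastEthernet5/7
 switchport
!
interface FastEthernet5/8
 switchport
 switchport trunk encapsulation dot1q
 switchport mode trunk
!
interface FastEthernet5/9
 switchport
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 10,20-30
 switchport mode trunk
 switchport nonegotiate
!
interface GigabitEthernet1/1
 ip address 192.0.2.1 255.255.255.0
!
"""


def parse_interfaces(config):
    """Map each interface name to the list of commands in its stanza."""
    interfaces, current = {}, None
    for line in config.splitlines():
        header = re.match(r"interface\s+(\S+)", line)
        if header:
            current = interfaces.setdefault(header.group(1), [])
        elif line.startswith(" ") and current is not None:
            current.append(line.strip())
        else:
            current = None  # "!" or any global command ends the stanza
    return interfaces


def _value(lines, prefix, default):
    """Return the text after `prefix` on the first matching line."""
    return next((l[len(prefix):] for l in lines if l.startswith(prefix)), default)


def audit_port(lines):
    """Return finding codes (hypothetical names) for one stanza; [] means clean."""
    if "switchport" not in lines:
        return []  # not configured as a Layer 2 port
    # Assumption: no explicit line means the chapter's default applies.
    mode = _value(lines, "switchport mode ", "dynamic desirable")
    encap = _value(lines, "switchport trunk encapsulation ", "negotiate")
    findings = []
    if mode.startswith("dynamic"):
        findings.append("dtp-negotiates-trunk")  # link state depends on the neighbor
    elif mode == "trunk":
        if encap == "negotiate":
            findings.append("trunk-without-fixed-encapsulation")
        if "switchport nonegotiate" not in lines:
            findings.append("trunk-sends-dtp")
    if mode != "access" and not _value(lines, "switchport trunk allowed vlan ", ""):
        findings.append("all-vlans-allowed-if-trunking")
    return findings


def audit(config):
    """Return {interface: findings} for ports with at least one finding."""
    report = {}
    for name, lines in parse_interfaces(config).items():
        findings = audit_port(lines)
        if findings:
            report[name] = findings
    return report


if __name__ == "__main__":
    for name, findings in audit(SAMPLE_CONFIG).items():
        print(f"{name}: {', '.join(findings)}")
```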
Configuring the Access VLAN
Note Complete the steps in the “Configuring a LAN Port for Layer 2 Switching” section before performing the tasks in this section.
To configure the access VLAN, perform this task:
(Optional) Configures the access VLAN, which is used if the interface stops trunking. The vlan_ID value can be 1 through 4094, except reserved VLANs (see Table 14-1).
Note Complete the steps in the “Completing Trunk Configuration” section after performing the tasks in this section.
Configuring the 802.1Q Native VLAN
Note Complete the steps in the “Configuring a LAN Port for Layer 2 Switching” section before performing the tasks in this section.
To configure the 802.1Q native VLAN, perform this task:
When configuring the native VLAN, note the following information:
- The vlan_ID value can be 1 through 4094, except reserved VLANs (see Table 14-1).
- The access VLAN is not automatically used as the native VLAN.
Note Complete the steps in the “Completing Trunk Configuration” section after performing the tasks in this section.
Configuring the List of VLANs Allowed on a Trunk
Note Complete the steps in the “Configuring a LAN Port for Layer 2 Switching” section before performing the tasks in this section.
To configure the list of VLANs allowed on a trunk, perform this task:
Router(config-if)# switchport trunk allowed vlan { add | except | none | remove } vlan [, vlan [, vlan [,...]]]
(Optional) Configures the list of VLANs allowed on the trunk.
When configuring the list of VLANs allowed on a trunk, note the following information:
- The vlan parameter is either a single VLAN number from 1 through 4094, or a range of VLANs described by two VLAN numbers, the lesser one first, separated by a dash. Do not enter any spaces between comma-separated vlan parameters or in dash-specified ranges.
- All VLANs are allowed by default.
- You can remove VLAN 1. If you remove VLAN 1 from a trunk, the trunk interface continues to send and receive management traffic, for example, Cisco Discovery Protocol (CDP), VLAN Trunking Protocol (VTP), Port Aggregation Protocol (PAgP), and DTP in VLAN 1.
Note Complete the steps in the “Completing Trunk Configuration” section after performing the tasks in this section.
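The list syntax above is strict enough to validate before a change is pushed to a trunk. The following is an added example, not Cisco code: it parses a VLAN list under the rules stated in this section and computes the resulting allowed set, starting from the default of all VLANs. The function names are hypothetical, and the meaning given to each keyword (add, remove, except, none, and a bare list replacing the current set) is an assumption based on standard IOS behaviour, since the page names the keywords without defining them.

```python
import re

ALL_VLANS = frozenset(range(1, 4095))   # 1 through 4094: the default allowed list
_ITEM = re.compile(r"([0-9]+)(?:-([0-9]+))?")


def parse_vlan_list(text):
    """Parse '10,20-30' into a set, enforcing the section's syntax rules."""
    if not text or any(ch.isspace() for ch in text):
        raise ValueError(f"empty list or embedded space: {text!r}")
    vlans = set()
    for item in text.split(","):
        m = _ITEM.fullmatch(item)
        if not m:
            raise ValueError(f"not a VLAN number or range: {item!r}")
        low = int(m.group(1))
        high = int(m.group(2) or low)
        if not 1 <= low <= high <= 4094:   # range must be lesser-first, 1..4094
            raise ValueError(f"out of range or reversed: {item!r}")
        vlans.update(range(low, high + 1))
    return vlans


def apply_allowed_vlan(current, args):
    """Return the allowed set after 'switchport trunk allowed vlan <args>'."""
    keyword, _, rest = args.partition(" ")
    if keyword == "none":
        if rest:
            raise ValueError("'none' takes no VLAN list")
        return set()
    if keyword == "add":
        return set(current) | parse_vlan_list(rest)
    if keyword == "remove":
        return set(current) - parse_vlan_list(rest)
    if keyword == "except":
        return set(ALL_VLANS) - parse_vlan_list(rest)
    return parse_vlan_list(args)           # assumption: a bare list replaces the set


def format_vlan_list(vlans):
    """Render a set back into the compact comma/dash form."""
    ordered, parts, i = sorted(vlans), [], 0
    while i < len(ordered):
        j = i
        while j + 1 < len(ordered) and ordered[j + 1] == ordered[j] + 1:
            j += 1
        parts.append(str(ordered[i]) if i == j else f"{ordered[i]}-{ordered[j]}")
        i = j + 1
    return ",".join(parts) or "none"


if __name__ == "__main__":
    allowed = set(ALL_VLANS)               # default: all VLANs allowed
    for args in ("remove 1", "10,20-22", "add 30", "except 100-4094"):
        allowed = apply_allowed_vlan(allowed, args)
        print(f"{args:18} -> {format_vlan_list(allowed)}")
```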
Configuring the List of Prune-Eligible VLANs
Note Complete the steps in the “Configuring a LAN Port for Layer 2 Switching” section before performing the tasks in this section.
To configure the list of prune-eligible VLANs on the Layer 2 trunk, perform this task:
Router(config-if)# switchport trunk pruning vlan { none |{{ add | except | remove } vlan [, vlan [, vlan [,...]]]}}
(Optional) Configures the list of prune-eligible VLANs on the trunk (see the “Understanding VTP Pruning” section).
When configuring the list of prune-eligible VLANs on a trunk, note the following information:
- The vlan parameter is either a single VLAN number from 1 through 4094, except reserved VLANs (see Table 14-1), or a range of VLANs described by two VLAN numbers, the lesser one first, separated by a dash. Do not enter any spaces between comma-separated vlan parameters or in dash-specified ranges.
- The default list of VLANs allowed to be pruned contains all VLANs.
- Network devices in VTP transparent mode do not send VTP Join messages. On Cisco 7600 series routers with trunk connections to network devices in VTP transparent mode, configure the VLANs used by the transparent-mode network devices or that need to be carried across the transparent-mode network devices as pruning ineligible.
Note Complete the steps in the “Completing Trunk Configuration” section after performing the tasks in this section.
Completing Trunk Configuration
To complete Layer 2 trunk configuration, perform this task:
Activates the interface. (Required only if you shut down the interface.)
Verifying Layer 2 Trunk Configuration
To verify Layer 2 trunk configuration, perform this task:
Router# show running-config interface type 2 slot/port
Router# show interfaces [ type 1 slot/port] switchport
Router# show interfaces [ type 1 slot/port] trunk
2. type = ethernet, fastethernet, gigabitethernet, or tengigabitethernet
Configuration and Verification Examples
This example shows how to configure the Fast Ethernet port 5/8 as an 802.1Q trunk. This example assumes that the neighbor port is configured to support 802.1Q trunking:
This example shows how to verify the configuration:
Configuring a LAN Interface as a Layer 2 Access Port
Note If you assign a LAN port to a VLAN that does not exist, the port is shut down until you create the VLAN in the VLAN database (see the “Creating or Modifying an Ethernet VLAN” section).
To configure a LAN port as a Layer 2 access port, perform this task:
Router(config)# interface type 3 slot/port
(Optional) Shuts down the interface to prevent traffic flow until configuration is complete.
Configures the LAN port for Layer 2 switching.
Note You must enter the switchport command once without any keywords to configure the LAN port as a Layer 2 port before you can enter additional switchport commands with keywords.
Reverts to the default switchport mode (switchport mode dynamic desirable).
Places the LAN port in a VLAN. The vlan_ID value can be 1 through 4094, except reserved VLANs (see Table 14-1).
Activates the interface. (Required only if you shut down the interface.)
Router# show running-config interface [ type 1 slot/port ]
Router# show interfaces [ type 1 slot/port ] switchport
3. type = ethernet, fastethernet, gigabitethernet, or tengigabitethernet
This example shows how to configure the Fast Ethernet port 5/6 as an access port in VLAN 200:
This example shows how to verify the configuration:
Configuring a Custom IEEE 802.1Q EtherType Field Value
You can configure a custom EtherType field value on a port to support network devices that do not use the standard 0x8100 EtherType field value on 802.1Q-tagged or 802.1p-tagged frames.
To configure a custom value for the EtherType field, perform this task:
Reverts to the default 802.1Q EtherType field value (0x8100).
When configuring a custom EtherType field value, note the following information:
- To use a custom EtherType field value, all network devices in the traffic path across the network must support the custom EtherType field value.
- You can configure a custom EtherType field value on trunk ports, access ports, and tunnel ports.
- You can configure a custom EtherType field value on the member ports of an EtherChannel.
- You cannot configure a custom EtherType field value on a port-channel interface.
- Each port supports only one EtherType field value. A port that is configured with a custom EtherType field value does not recognize frames that have any other EtherType field value as tagged frames. For example, a trunk port that is configured with a custom EtherType field value does not recognize the standard 0x8100 EtherType field value on 802.1Q-tagged frames and cannot put the frames into the VLAN to which they belong.
- See the Release Notes for Cisco IOS Release 12.2SX on the Supervisor Engine 720, Supervisor Engine 32, and Supervisor Engine 2 for a list of the modules that support custom IEEE 802.1Q EtherType field values.
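The one-value-per-port rule above decides whether a frame is read as tagged at all. The following is an added example, not Cisco code: it models the rule on raw Ethernet frames, showing that a frame tagged with 0x8100 yields its VLAN on a port using 0x8100 but is not recognized as tagged on a port configured for 0x1234. The function names and the frames are constructed for illustration, and the model covers only tag recognition, not what the router does with the frame afterwards.

```python
import struct

STANDARD_TPID = 0x8100   # default 802.1Q EtherType field value


def build_frame(tpid, vlan, pcp=0, inner_ethertype=0x0800):
    """Build a constructed tagged Ethernet frame (sample input, zero payload)."""
    dst = bytes.fromhex("ffffffffffff")
    src = bytes.fromhex("020000000001")      # locally administered sample MAC
    tci = (pcp << 13) | (vlan & 0x0FFF)      # PCP (3 bits), DEI = 0, VID (12 bits)
    return dst + src + struct.pack("!HHH", tpid, tci, inner_ethertype) + bytes(46)


def classify(frame, port_tpid=STANDARD_TPID):
    """Interpret `frame` as a port configured with `port_tpid` would.

    Only the port's own EtherType field value marks a frame as tagged; any
    other value, including the standard 0x8100, is read as a plain EtherType.
    """
    if len(frame) < 14:
        raise ValueError("frame shorter than an Ethernet header")
    (ethertype,) = struct.unpack_from("!H", frame, 12)
    if ethertype != port_tpid:
        return {"tagged": False, "ethertype": ethertype, "vlan": None, "pcp": None}
    if len(frame) < 18:
        raise ValueError("truncated 802.1Q tag")
    tci, inner = struct.unpack_from("!HH", frame, 14)
    return {"tagged": True, "ethertype": inner, "vlan": tci & 0x0FFF, "pcp": tci >> 13}


def describe(result):
    """One-line summary of a classify() result."""
    if result["tagged"]:
        return f"tagged, VLAN {result['vlan']}, priority {result['pcp']}"
    return f"not recognized as tagged (EtherType 0x{result['ethertype']:04x})"


if __name__ == "__main__":
    standard = build_frame(0x8100, vlan=200, pcp=5)
    custom = build_frame(0x1234, vlan=200, pcp=5)
    for label, frame in (("0x8100 frame", standard), ("0x1234 frame", custom)):
        for port_tpid in (0x8100, 0x1234):
            verdict = describe(classify(frame, port_tpid))
            print(f"{label} on port using 0x{port_tpid:04x}: {verdict}")
```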
This example shows how to configure the EtherType field value to 0x1234: