- Release 15.4SY Supervisor Engine 2T Software Configuration Guide
IPv4 Router Guard
- Prerequisites for Router Guard
- Restrictions for Router Guard
- Information About Router Guard
- Default Settings for Router Guard
- How to Configure Router Guard
Note:
- For complete syntax and usage information for the commands used in this chapter, see these publications:
  http://www.cisco.com/en/US/products/ps11846/prod_command_reference_list.html
- Cisco IOS Release 15.4SY supports only Ethernet interfaces. Cisco IOS Release 15.4SY does not support any WAN features or commands.
Prerequisites for Router Guard
Restrictions for Router Guard
Information About Router Guard
The Router Guard feature allows you to designate a specified port only as a multicast host port and not as a multicast router port. Multicast router control packets received on this port are dropped.
Any port can become a multicast router port if the switch receives one of the multicast router control packets, such as IGMP general query, PIM hello, or CGMP hello. When a port becomes a multicast router port, all multicast traffic (both known and unknown source traffic) is sent to all multicast router ports. This cannot be prevented without Router Guard.
When configured, the Router Guard feature makes the specified port a host port only. The port is prevented from becoming a router port, even if multicast router control packets are received.
In addition, any control packets normally received from multicast routers, such as IGMP queries and PIM joins, will also be discarded by this filter.
A Router Guard command applies a user policy to a Layer 3 SVI interface, a Layer 2 port, or a particular VLAN on a Layer 2 trunk port. The Layer 2 port may be an access port or a trunk port.
The Router Guard feature does not require IGMP snooping to be enabled.
Router Guard is implemented only for IPv4.
Router Guard is typically used in access switches connected to end-user boxes in Ethernet-to-home deployment scenarios.
The IPv4 multicast Router Guard feature is SSO-compliant.
The following packet types are discarded if they are received on a port that has Router Guard enabled:
- IGMP query messages
- IPv4 PIMv2 messages
- IGMP PIM messages (PIMv1)
- IGMP DVMRP messages
- RGMP messages
- CGMP messages
When these packets are discarded, statistics are updated indicating that packets are being dropped due to Router Guard.
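The categories in the list above can be told apart from a few header bytes, which helps when reading a capture from a port where Router Guard counters are incrementing. The following is an added example, not part of the Cisco guide and not Cisco's implementation: it sorts constructed frames into those categories using the IANA IGMP type numbers, the RGMP types from RFC 3488, IP protocol 103 for PIM, and the Cisco SNAP encoding of CGMP. The function and sample names are illustrative assumptions.

```python
import struct

# IGMP type octets (IANA registry; RGMP per RFC 3488) under the page's category names.
IGMP_ROUTER_TYPES = {0x11: "IGMP query", 0x13: "IGMP DVMRP", 0x14: "IGMP PIM (PIMv1)",
                     0xFC: "RGMP", 0xFD: "RGMP", 0xFE: "RGMP", 0xFF: "RGMP"}
CGMP_SNAP = bytes.fromhex("aaaa0300000c2001")  # LLC/SNAP header, Cisco OUI, CGMP PID

def router_guard_match(frame: bytes):
    """Return the listed category a frame belongs to, or None if it is host traffic."""
    if len(frame) < 14:
        return None
    ethertype, payload = struct.unpack("!H", frame[12:14])[0], frame[14:]
    if ethertype == 0x8100 and len(payload) >= 4:      # step over one 802.1Q tag
        ethertype, payload = struct.unpack("!H", payload[2:4])[0], payload[4:]
    if ethertype <= 1500:                              # 802.3 length field: LLC follows
        return "CGMP" if payload[:8] == CGMP_SNAP else None
    if ethertype != 0x0800 or len(payload) < 20 or payload[0] >> 4 != 4:
        return None
    ihl = (payload[0] & 0x0F) * 4                      # IGMP adds Router Alert: IHL varies
    frag_offset = struct.unpack("!H", payload[6:8])[0] & 0x1FFF
    if ihl < 20 or len(payload) <= ihl or frag_offset:
        return None                                    # no upper-layer header to inspect
    proto, first = payload[9], payload[ihl]
    if proto == 103:                                   # PIM: version is the high nibble
        return "IPv4 PIMv2" if first >> 4 == 2 else None
    if proto == 2:                                     # IGMP: first octet is the type
        return IGMP_ROUTER_TYPES.get(first)
    return None

def build_ipv4_frame(proto, body, ihl_words=5, vlan=None):
    """Constructed test frame: zeroed MACs and checksum, only parsed fields are set."""
    ip = (bytes([0x40 | ihl_words, 0]) + struct.pack("!H", ihl_words * 4 + len(body))
          + bytes(5) + bytes([proto]) + bytes(2) + bytes([10, 0, 0, 5, 224, 0, 0, 1])
          + bytes((ihl_words - 5) * 4))
    tag = b"" if vlan is None else b"\x81\x00" + struct.pack("!H", vlan)
    return bytes(12) + tag + b"\x08\x00" + ip + body

# Constructed samples, not captured traffic.
SAMPLES = {
    "general query": build_ipv4_frame(2, bytes([0x11, 100]) + bytes(6), ihl_words=6),
    "query, VLAN 20": build_ipv4_frame(2, bytes([0x11, 100]) + bytes(6), 6, vlan=20),
    "v2 report": build_ipv4_frame(2, bytes([0x16, 0]) + bytes(6), ihl_words=6),
    "PIM hello": build_ipv4_frame(103, bytes([0x20, 0]) + bytes(2)),
    "UDP stream": build_ipv4_frame(17, bytes(8)),
    "CGMP": bytes.fromhex("01000cdddddd") + bytes(6) + b"\x00\x10" + CGMP_SNAP + bytes(8),
}

if __name__ == "__main__":
    for name, frame in SAMPLES.items():
        print(f"{name:15} -> {router_guard_match(frame) or 'forwarded'}")
```

Host-originated IGMP reports and ordinary multicast data fall through to `None`, which matches the page's description of a Router Guard port remaining usable as a multicast host port.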
Router Guard can be configured globally and per-interface. The global configuration enables Router Guard on all Layer 2 ports; the interface configuration commands can then modify this for individual ports, for example, on ports where multicast routers are connected.
Default Settings for Router Guard
How to Configure Router Guard
- Enabling Router Guard Globally
- Disabling Router Guard on Ports
- Clearing Router Guard Statistics
- Displaying Router Guard Configuration
- Displaying Router Guard Interfaces
Enabling Router Guard Globally
To enable Router Guard globally, perform this task:
Disabling Router Guard on Ports
To disable Router Guard on a Layer 2 port to which a multicast router is connected, perform this task:
This example shows how to allow multicast router messages on trunk port Gigabit Ethernet 3/46, VLAN 20:
Router(config)# interface gigabitethernet 3/46
Clearing Router Guard Statistics
To clear Router Guard statistics, perform one of these tasks:
This example shows how to clear statistics for one particular VLAN on a trunk port:
Verifying the Router Guard Configuration
Displaying Router Guard Configuration
To display the global Router Guard configuration and the Router Guard configuration for a specific interface, perform these tasks:
Displays the Router Guard configuration for a specific interface.
This example shows how to display the interface command output for a port in access mode with Router Guard not active:
This example shows how to display the interface command output for a port in trunk mode:
This example shows how to verify that a trunk port is carrying VLANs 10 and 20:
Note: If the port is in the shutdown state, the status will not be displayed because it cannot be determined whether the port is in trunk mode or access mode. You can use the show running-config interface xxxx command to display the Router Guard configuration.
Displaying Router Guard Interfaces
To display a list of all interfaces for which Router Guard is disabled, perform this task: