LAN Ports for Layer 2 Switching
- Prerequisites for Layer 2 LAN Interfaces
- Restrictions for Layer 2 LAN Interfaces
- Information About Layer 2 Switching
- Default Settings for Layer 2 LAN Interfaces
- How to Configure LAN Interfaces for Layer 2 Switching
Note
- For complete syntax and usage information for the commands used in this chapter, see these publications: http://www.cisco.com/en/US/products/ps11846/prod_command_reference_list.html
- Cisco IOS Release 15.4SY supports only Ethernet interfaces. Cisco IOS Release 15.4SY does not support any WAN features or commands.
- To configure Layer 3 interfaces, see Chapter 36, “Layer 3 Interfaces”.
Prerequisites for Layer 2 LAN Interfaces
Restrictions for Layer 2 LAN Interfaces
- When connecting Cisco switches through an 802.1Q trunk, make sure the native VLAN for an 802.1Q trunk is the same on both ends of the trunk link. If the native VLAN on one end of the trunk is different from the native VLAN on the other end, spanning tree loops might result.
- Disabling spanning tree on the native VLAN of an 802.1Q trunk without disabling spanning tree on every VLAN in the network can cause spanning tree loops. We recommend that you leave spanning tree enabled on the native VLAN of an 802.1Q trunk. If this is not possible, disable spanning tree on every VLAN in the network. Make sure your network is free of physical loops before disabling spanning tree.
- When you connect two Cisco switches through 802.1Q trunks, the switches exchange spanning tree BPDUs on each VLAN allowed on the trunks. The BPDUs on the native VLAN of the trunk are sent untagged to the reserved IEEE 802.1d spanning tree multicast MAC address (01-80-C2-00-00-00). The BPDUs on all other VLANs on the trunk are sent tagged to the reserved Cisco Shared Spanning Tree (SSTP) multicast MAC address (01-00-0c-cc-cc-cd).
- Non-Cisco 802.1Q switches maintain only a single instance of spanning tree (the Mono Spanning Tree, or MST) that defines the spanning tree topology for all VLANs. When you connect a Cisco switch to a non-Cisco switch through an 802.1Q trunk, the MST of the non-Cisco switch and the native VLAN spanning tree of the Cisco switch combine to form a single spanning tree topology known as the Common Spanning Tree (CST).
- Because Cisco switches transmit BPDUs to the SSTP multicast MAC address on VLANs other than the native VLAN of the trunk, non-Cisco switches do not recognize these frames as BPDUs and flood them on all ports in the corresponding VLAN. Other Cisco switches connected to the non-Cisco 802.1Q cloud receive these flooded BPDUs. This allows Cisco switches to maintain a per-VLAN spanning tree topology across a cloud of non-Cisco 802.1Q switches. The non-Cisco 802.1Q cloud separating the Cisco switches is treated as a single broadcast segment between all switches connected to the non-Cisco 802.1Q cloud through 802.1Q trunks.
- Make certain that the native VLAN is the same on all of the 802.1Q trunks connecting the Cisco switches to the non-Cisco 802.1Q cloud.
- If you are connecting multiple Cisco switches to a non-Cisco 802.1Q cloud, all of the connections must be through 802.1Q trunks. You cannot connect Cisco switches to a non-Cisco 802.1Q cloud through access ports. Doing so causes the switch to place the access port into the spanning tree “port inconsistent” state, and no traffic will pass through the port.
Information About Layer 2 Switching
Information about Layer 2 Ethernet Switching
Layer 2 Ethernet Switching Overview
Layer 2 Ethernet ports on Cisco switches support simultaneous, parallel connections between Layer 2 Ethernet segments. Switched connections between Ethernet segments last only for the duration of the packet. New connections can be made between different segments for the next packet.
Layer 2 LAN switching (hardware-supported bridging) avoids congestion by assigning each connected device to its own collision domain. Because each LAN port connects to a separate Ethernet collision domain, attached devices in a properly configured switched environment achieve full access to network bandwidth.
Building the MAC Address Table
Overview of the MAC Address Table
When stations connected to different LAN ports need to communicate, the switch forwards frames from one LAN port to the other at wire speed to ensure that each session receives full bandwidth.
To switch frames between LAN ports efficiently, the switch maintains a MAC address table. When a frame enters the switch, it associates the MAC address of the sending network device with the LAN port on which it was received.
The MAC address table is built by using the source MAC address of the frames received. When the switch receives a frame for a destination MAC address not listed in its MAC address table, it floods the frame to all LAN ports of the same VLAN except the port that received the frame. When the destination station replies, the switch adds its relevant source MAC address and port ID to the MAC address table. The switch then forwards subsequent frames to a single LAN port without flooding to all LAN ports.
The MAC address table can store at least 128,000 address entries without flooding any entries. The switch uses an aging mechanism, configured by the mac address-table aging-time command, so if an address remains inactive for a specified number of seconds, it is removed from the address table.
Synchronization and Sharing of the Address Table
With distributed switching, each DFC-equipped switching module learns MAC addresses, maintains an address table, and ages table entries. MAC address table synchronization over the Ethernet Out of Band Channel (EOBC) synchronizes address tables among the PFC and all DFCs, eliminating the need for flooding by a DFC for an address that is active on another module. MAC synchronization is enabled by default.
Notification of Address Table Changes
You can configure the switch to maintain a history of dynamic additions and removals of address table entries associated with a particular LAN port. The change history can be sent as an SNMP trap notification or it can be read manually from the SNMP MIB.
Information about VLAN Trunks
Note For information about VLANs, see Chapter 27, “Virtual Local Area Networks (VLANs)”.
A trunk is a point-to-point link between the switch and another networking device. Trunks carry the traffic of multiple VLANs over a single link and allow you to extend VLANs across an entire network.
802.1Q, an industry-standard trunking encapsulation, is available on all Ethernet ports.
You can configure a trunk on a single Ethernet port or on an EtherChannel. For more information about EtherChannel, see Chapter 24, “EtherChannels”.
Ethernet trunk ports support several trunking modes (see Table 22-1).
The Dynamic Trunking Protocol (DTP) manages trunk autonegotiation on LAN ports.
To autonegotiate trunking, the LAN ports must be in the same VTP domain. Use the trunk or nonegotiate keywords to force LAN ports in different domains to trunk. For more information on VTP domains, see Chapter 26, “VLAN Trunking Protocol (VTP)”.
Layer 2 LAN Port Modes
Note DTP is a point-to-point protocol. However, some internetworking devices might forward DTP frames improperly. To avoid this problem, ensure that LAN ports connected to devices that do not support DTP are configured with the access keyword if you do not intend to trunk across those links. To enable trunking to a device that does not support DTP, use the nonegotiate keyword to cause the LAN port to become a trunk but not generate DTP frames.
Default Settings for Layer 2 LAN Interfaces
Feature | Default Value
---|---
VLANs allowed on a trunk | VLANs 1 to 4094, except reserved VLANs (see Table 27-1)
How to Configure LAN Interfaces for Layer 2 Switching
- Configuring a LAN Port for Layer 2 Switching
- Enabling Out-of-Band MAC Address Table Synchronization
- Configuring MAC Address Table Notification
- Configuring a Layer 2 Switching Port as a Trunk
- Configuring a LAN Interface as a Layer 2 Access Port
- Configuring a Custom IEEE 802.1Q EtherType Field Value
Note Use the default interface {fastethernet | gigabitethernet | tengigabitethernet} slot/port command to revert an interface to its default configuration.
Configuring a LAN Port for Layer 2 Switching
To configure a LAN port for Layer 2 switching, perform this task:
After you enter the switchport command, the default mode is switchport mode dynamic desirable. If the neighboring port supports trunking and is configured to allow trunking, the link becomes a Layer 2 trunk when you enter the switchport command.
Note When using the switchport command, if a port configured for Layer 3 is now configured for Layer 2, the configuration for Layer 3 is retained in the memory but not in the running configuration and is applied to the port whenever the port switches back to Layer 3. Also, if a port configured for Layer 2 is now configured for Layer 3, the configuration for Layer 2 is retained in the memory but not in the running configuration and is applied to the port whenever the port switches back to Layer 2. To restore the default configuration of the port in the memory and in the running configuration, use the default interface command. To avoid potential issues while changing the role of a port using the switchport command, shut down the interface before applying the switchport command.
Enabling Out-of-Band MAC Address Table Synchronization
To enable the out-of-band MAC address table synchronization feature, perform this task:
Command | Purpose
---|---
Router(config)# mac address-table synchronize [activity-time seconds] | Enables out-of-band synchronization of MAC address tables among DFC-equipped switching modules.
When configuring out-of-band MAC address table synchronization, note the following information:
- By default, out-of-band MAC address table synchronization is disabled.
- Out-of-band MAC address table synchronization is enabled automatically if a WS-6708-10G switching module is installed in the switch.
- The activity timer interval can be configured as 160, 320, and 640 seconds. The default is 160 seconds.
This example shows how to enable out-of-band MAC address table synchronization:
Configuring MAC Address Table Notification
Note
- Complete the steps in the “Configuring a LAN Port for Layer 2 Switching” section before performing the tasks in this section.
- To send SNMP trap notifications using this feature, you must also enable the global MAC trap flag, using the snmp-server enable mac-notification change command.
To configure the MAC address table notification feature, perform this task:
When configuring the notification parameters, note the following information:
- The interval value parameter can be configured from 0 seconds (immediate) to 2,147,483,647 seconds. The default is 1 second.
- The history size parameter can be configured from 0 entries to 500 entries. The default is 1 entry.
This example shows how to configure SNMP notification of dynamic additions to the MAC address table for addresses learned on Gigabit Ethernet ports 5/7 and 5/8. Notifications of changes are sent no more frequently than once every 5 seconds, and up to 25 changes can be stored and sent in that interval:
Configuring a Layer 2 Switching Port as a Trunk
- Configuring the Layer 2 Trunk to Use DTP
- Configuring the Layer 2 Trunk Not to Use DTP
- Configuring the Access VLAN
- Configuring the 802.1Q Native VLAN
- Configuring the List of VLANs Allowed on a Trunk
- Configuring the List of Prune-Eligible VLANs
- Completing Trunk Configuration
- Verifying Layer 2 Trunk Configuration
- Configuration and Verification Examples
Configuring the Layer 2 Trunk to Use DTP
Note Complete the steps in the “Configuring a LAN Port for Layer 2 Switching” section before performing the tasks in this section.
To configure the Layer 2 trunk to use DTP, perform this task:
When configuring the Layer 2 trunk to use DTP, note the following information:
- Required only if the interface is a Layer 2 access port or to specify the trunking mode.
- See Table 22-1 for information about trunking modes.
Note Complete the steps in the “Completing Trunk Configuration” section after performing the tasks in this section.
Configuring the Layer 2 Trunk Not to Use DTP
Note Complete the steps in the “Configuring a LAN Port for Layer 2 Switching” section before performing the tasks in this section.
To configure the Layer 2 trunk not to use DTP, perform this task:
When configuring the Layer 2 trunk not to use DTP, note the following information:
- Before entering the switchport mode trunk command, you must configure the encapsulation (see the “Configuring the Layer 2 Trunk to Use DTP” section).
- To support the switchport nonegotiate command, you must enter the switchport mode trunk command.
- Enter the switchport mode dynamic trunk command. See Table 22-1 for information about trunking modes.
- Before entering the switchport nonegotiate command, you must configure the encapsulation (see the “Configuring the Layer 2 Trunk to Use DTP” section) and configure the port to trunk unconditionally with the switchport mode trunk command (see the “Configuring the Layer 2 Trunk to Use DTP” section).
Note Complete the steps in the “Completing Trunk Configuration” section after performing the tasks in this section.
Configuring the Access VLAN
Note Complete the steps in the “Configuring a LAN Port for Layer 2 Switching” section before performing the tasks in this section.
To configure the access VLAN, perform this task:
Command | Purpose
---|---
Router(config-if)# switchport access vlan vlan_ID | (Optional) Configures the access VLAN, which is used if the interface stops trunking. The vlan_ID value can be 1 through 4094, except reserved VLANs (see Table 27-1).
Note Complete the steps in the “Completing Trunk Configuration” section after performing the tasks in this section.
Configuring the 802.1Q Native VLAN
Note Complete the steps in the “Configuring a LAN Port for Layer 2 Switching” section before performing the tasks in this section.
To configure the 802.1Q native VLAN, perform this task:
Command | Purpose
---|---
Router(config-if)# switchport trunk native vlan vlan_ID | (Optional) Configures the 802.1Q native VLAN. Note If VLAN locking is enabled, enter the VLAN name instead of the VLAN number. For more information, see the “VLAN Locking” section.
When configuring the native VLAN, note the following information:
- The vlan_ID value can be 1 through 4094, except reserved VLANs (see Table 27-1).
- The access VLAN is not automatically used as the native VLAN.
Note Complete the steps in the “Completing Trunk Configuration” section after performing the tasks in this section.
Configuring the List of VLANs Allowed on a Trunk
Note Complete the steps in the “Configuring a LAN Port for Layer 2 Switching” section before performing the tasks in this section.
To configure the list of VLANs allowed on a trunk, perform this task:
Command | Purpose
---|---
Router(config-if)# switchport trunk allowed vlan [add | except | none | remove] vlan[,vlan[,vlan[,...]]] | (Optional) Configures the list of VLANs allowed on the trunk.
When configuring the list of VLANs allowed on a trunk, note the following information:
- The vlan parameter is either a single VLAN number from 1 through 4094, or a range of VLANs described by two VLAN numbers, the lesser one first, separated by a dash. Do not enter any spaces between comma-separated vlan parameters or in dash-specified ranges.
- If VLAN locking is enabled, enter VLAN names instead of VLAN numbers. When entering a range of VLAN names, you must leave spaces between the VLAN names and the dash.
- All VLANs are allowed by default.
- You can remove VLAN 1. If you remove VLAN 1 from a trunk, the trunk interface continues to send and receive management traffic, for example, Cisco Discovery Protocol (CDP), VLAN Trunking Protocol (VTP), Port Aggregation Protocol (PAgP), and DTP in VLAN 1.
Note Complete the steps in the “Completing Trunk Configuration” section after performing the tasks in this section.
Configuring the List of Prune-Eligible VLANs
Note Complete the steps in the “Configuring a LAN Port for Layer 2 Switching” section before performing the tasks in this section.
To configure the list of prune-eligible VLANs on the Layer 2 trunk, perform this task:
Command | Purpose
---|---
Router(config-if)# switchport trunk pruning vlan {none | {{add | except | remove} vlan[,vlan[,vlan[,...]]]}} | (Optional) Configures the list of prune-eligible VLANs on the trunk (see the “VTP Pruning” section). Note The no form of the command reverts to the default value (all VLANs prune-eligible).
When configuring the list of prune-eligible VLANs on a trunk, note the following information:
- The vlan parameter is either a single VLAN number from 1 through 4094, except reserved VLANs (see Table 27-1), or a range of VLANs described by two VLAN numbers, the lesser one first, separated by a dash. Do not enter any spaces between comma-separated vlan parameters or in dash-specified ranges.
- The default list of VLANs allowed to be pruned contains all VLANs.
- Network devices in VTP transparent mode do not send VTP Join messages. On trunk connections to network devices in VTP transparent mode, configure the VLANs used by the transparent-mode network devices or that need to be carried across the transparent-mode network devices as pruning ineligible.
Note Complete the steps in the “Completing Trunk Configuration” section after performing the tasks in this section.
Completing Trunk Configuration
To complete Layer 2 trunk configuration, perform this task:
Command | Purpose
---|---
Router(config-if)# no shutdown | Activates the interface. (Required only if you shut down the interface.)
Verifying Layer 2 Trunk Configuration
To verify Layer 2 trunk configuration, perform this task:
Configuration and Verification Examples
This example shows how to configure the Gigabit Ethernet port 5/8 as an 802.1Q trunk. This example assumes that the neighbor port is configured to support 802.1Q trunking:
This example shows how to verify the configuration:
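As an added example that is not part of this guide, the following Python script applies the restrictions from this chapter to a constructed running-config excerpt: a bare switchport command leaves the port in dynamic desirable so a willing neighbor can negotiate a trunk, switchport nonegotiate requires switchport mode trunk, the native VLAN must match on both ends of the link, and the allowed-VLAN list must follow the comma and dash syntax described above. The peer native-VLAN map and the command form switchport trunk native vlan are assumptions; the allowed-VLAN check covers only the plain list form, not the add, except or remove keywords.

```python
import re
from collections import defaultdict

# Constructed running-config excerpt (not from the guide); the native-VLAN command
# form "switchport trunk native vlan" is assumed, the other commands appear above.
SAMPLE_CONFIG = """\
interface GigabitEthernet5/6
 switchport
 switchport access vlan 200
 switchport mode access
!
interface GigabitEthernet5/8
 switchport
 switchport trunk native vlan 99
 switchport trunk allowed vlan 10,20,30-35
 switchport mode trunk
 switchport nonegotiate
!
interface GigabitEthernet5/9
 switchport
 switchport trunk native vlan 1
 switchport nonegotiate
!
"""
# Constructed: native VLAN configured on the far end of each trunk link.
PEER_NATIVE_VLAN = {"GigabitEthernet5/8": 99, "GigabitEthernet5/9": 99}


def parse_vlan_list(spec):
    """Expand '10,20,30-35' into a set of VLAN IDs, accepting only the guide's
    syntax (single IDs or lesser-first dash ranges, comma separated, no spaces)."""
    if not re.fullmatch(r"\d+(-\d+)?(,\d+(-\d+)?)*", spec):
        raise ValueError(f"malformed VLAN list: {spec!r}")
    vlans = set()
    for item in spec.split(","):
        lo, _, hi = item.partition("-")
        lo, hi = int(lo), int(hi or lo)
        if not 1 <= lo <= hi <= 4094:
            raise ValueError(f"VLAN range out of order or out of range: {item}")
        vlans.update(range(lo, hi + 1))
    return vlans

def parse_interfaces(config):
    """Return {interface name: [switchport commands]} from an IOS config excerpt."""
    interfaces, current = {}, None
    for line in config.splitlines():
        if line.startswith("interface "):
            current = line.split(None, 1)[1]
            interfaces[current] = []
        elif current and line.startswith(" switchport"):
            interfaces[current].append(line.strip())
    return interfaces

def audit(config, peer_native=PEER_NATIVE_VLAN):
    """Apply the chapter's Layer 2 restrictions; return {interface: [findings]}."""
    findings = defaultdict(list)
    for name, lines in parse_interfaces(config).items():
        if "switchport" not in lines:
            continue  # Layer 3 port, not covered here
        mode = next((l.split()[2] for l in lines if l.startswith("switchport mode ")), None)
        # A bare "switchport" leaves the port in dynamic desirable (auto-trunk with a willing neighbor).
        if mode in (None, "dynamic"):
            findings[name].append("DTP negotiation still active (default dynamic desirable)")
        if "switchport nonegotiate" in lines and mode != "trunk":
            findings[name].append("switchport nonegotiate requires switchport mode trunk")
        for words in (l.split() for l in lines if l.startswith("switchport trunk ")):
            if words[2:4] == ["allowed", "vlan"]:
                try:
                    parse_vlan_list(words[4])  # plain list form only, no add/except/remove
                except ValueError as err:
                    findings[name].append(str(err))
            elif words[2:4] == ["native", "vlan"] and name in peer_native:
                if int(words[4]) != peer_native[name]:
                    findings[name].append(
                        f"native VLAN {words[4]} differs from peer's {peer_native[name]}")
    return dict(findings)
```

Run audit() against a saved show running-config; in the constructed sample only GigabitEthernet5/9 produces findings, while the access port and the fully specified trunk pass.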
Configuring a LAN Interface as a Layer 2 Access Port
Note If you assign a LAN port to a VLAN that does not exist, the port is shut down until you create the VLAN in the VLAN database (see the “Creating or Modifying an Ethernet VLAN” section).
To configure a LAN port as a Layer 2 access port, perform this task:
Command | Purpose
---|---
Router(config-if)# shutdown | (Optional) Shuts down the interface to prevent traffic flow until configuration is complete.
Router(config-if)# switchport | Configures the LAN port for Layer 2 switching. Note You must enter the switchport command once without any keywords to configure the LAN port as a Layer 2 port before you can enter additional switchport commands with keywords.
Router(config-if)# switchport access vlan vlan_ID | Places the LAN port in a VLAN. The vlan_ID value can be 1 through 4094, except reserved VLANs (see Table 27-1). Note If VLAN locking is enabled, enter the VLAN name instead of the VLAN number. For more information, see the “VLAN Locking” section.
Router(config-if)# no shutdown | Activates the interface. (Required only if you shut down the interface.)
This example shows how to configure the Gigabit Ethernet port 5/6 as an access port in VLAN 200:
This example shows how to verify the configuration:
Configuring a Custom IEEE 802.1Q EtherType Field Value
You can configure a custom EtherType field value on a port to support network devices that do not use the standard 0x8100 EtherType field value on 802.1Q-tagged or 802.1p-tagged frames.
To configure a custom value for the EtherType field, perform this task:
When configuring a custom EtherType field value, note the following information:
- To use a custom EtherType field value, all network devices in the traffic path across the network must support the custom EtherType field value.
- You can configure a custom EtherType field value on trunk ports, access ports, and tunnel ports.
- You can configure a custom EtherType field value on the member ports of an EtherChannel.
- You cannot configure a custom EtherType field value on a port-channel interface.
- Each port supports only one EtherType field value. A port that is configured with a custom EtherType field value does not recognize frames that have any other EtherType field value as tagged frames. For example, a trunk port that is configured with a custom EtherType field value does not recognize the standard 0x8100 EtherType field value on 802.1Q-tagged frames and cannot put the frames into the VLAN to which they belong.
- See the Release Notes for Cisco IOS Release 15.2SY for a list of the modules that support custom IEEE 802.1Q EtherType field values:
http://www.cisco.com/en/US/docs/switches/lan/catalyst6500/ios/15.1SY/release_notes.html
This example shows how to configure the EtherType field value to 0x1234: