- Preface
- Security Features Overview
- Preventing Unauthorized Access
- Controlling Switch Access with Passwords and Privilege Levels
- Configuring TACACS+
- Configuring RADIUS
- Configuring Accounting
- Configuring Local Authentication and Authorization
- MAC Authentication Bypass
- Password Strength and Management for Common Criteria
- AAA-SERVER-MIB Set Operation
- Configuring Secure Shell
- Secure Shell Version 2 Support
- X.509v3 Certificates for SSH Authentication
- Configuring Secure Socket Layer HTTP
- Certification Authority Interoperability
- Access Control List Overview
- Configuring IPv4 Access Control Lists
- IPv6 Access Control Lists
- Configuring DHCP
- Configuring IEEE 802.1x Port-Based Authentication
- Configuring Port-Based Traffic Control
- Important Notice
- Index
Index

Symbols
- NTP: time

Cross-references
- HTTP over SSL: see HTTPS
- IEEE 802.3ad: see EtherChannel
- PAgP: see EtherChannel
- Port Aggregation Protocol: see EtherChannel
- Secure Copy Protocol: see SCP

A
- AAA (authentication, authorization, and accounting): accounting (AV pairs; command type; connection type; enabling; EXEC type; interim records; method lists (example); monitoring; network type; resource type; system type; verifying); authorization (network configuration (figure); server groups); method lists (accounting; authorization); resource accounting (configuring); resource failure stop accounting (configuring); server groups (authorization; configuration; example); SNMP
- aaa accounting resource start-stop group command
- aaa accounting resource stop-failure group command
- access control entries: see ACEs
- access groups: Layer 3
- access groups, applying IPv4 ACLs to interfaces
- access lists: applying to interfaces; see ACLs; with RADIUS
- accounting, defined
- ACEs: Ethernet; IP
- ACLs: IPv4; IP extended; IP standard; IPv6; Layer 2 MAC; applying (time ranges to; to an interface); classifying traffic for QoS; defined; examples of; extended IPv4 (creating; matching criteria); interface; IP (implicit deny; implicit masks; matching criteria; undefined); IPv4 (applying to interfaces; creating; interfaces; matching criteria; numbers; terminal lines, setting on; unsupported features); logging messages; matching; monitoring; port; QoS; standard IPv4 (creating; matching criteria); support in hardware; time ranges to; types supported; unsupported features (IPv4)
- activity check: testing
- additional references
- address aliasing
- address resolution
- addresses: dynamic (accelerated aging; default aging; defined; learning); MAC, discovering; multicast (STP address management); static (adding and removing)
- aggregate-port learners
- aging time: accelerated (for MSTP; for STP); MAC address table
- alternate port
- and ARP; and CDP; and SSH
- ARP: defined; table (address resolution)
- attributes: vendor-proprietary; vendor-specific
- attributes, RADIUS: vendor-specific
- authentication: local mode with AAA; RADIUS (login); TACACS+ (defined; key; login)
- authentication key
- authentication, defined
- authoritative time source, described
- with RADIUS
- authorization, defined
- auto-MDIX: configuring; described
- auto-MDIX, configuring
- autonegotiation: mismatches

B
- BackboneFast: described; enabling
- backup port
- banners: configuring (login; message-of-the-day login); default configuration
- Berkeley r-tools replacement
- binding database: address, DHCP server (see DHCP, Cisco IOS server database)
- binding physical and logical interfaces
- bindings: address, Cisco IOS DHCP server
- blocking state
- BPDU: contents; filtering; RSTP format
- bridge identifier (bridge ID)
- bridge protocol data units
- broadcast traffic

C
- CA trustpoint: configuring; defined
- CDP: defined with LLDP
- changing the default for lines
- channel groups: binding physical and logical interfaces; numbering of
- CipherSuites
- Cisco 7960 IP Phone
- Cisco Discovery Protocol (CDP)
- Cisco IOS DHCP server: see DHCP, Cisco IOS DHCP server
- Cisco IP Phone Data Traffic
- Cisco IP Phone Voice Traffic
- Cisco Networking Services
- CIST regional root, CIST root: see MSTP
- civic location
- class maps for QoS
- CLI compatibility
- clock: see system clock
- CNS
- commands, setting privilege levels
- communication, global
- configurable leave timer, IGMP
- Configuration Engine: restrictions
- Configuration Examples for Configuring EtherChannels command
- Configuration Examples for Configuring MLD Snooping Queries command
- Configuration Examples for Setting Passwords and Privilege Levels command
- configuration files: invalid combinations when copying; password recovery disable considerations
- configuring: a PoE port; activity check; authentication; authentication key; communication, global; domain member or endpoint attributes; Layer 2 interfaces; login authentication; on Layer 2 interfaces; port attributes
- Configuring a Multicast Router Port: Example command
- configuring a secure HTTP client
- configuring a secure HTTP server
- Configuring a Static Multicast Group: Example command
- Configuring Layer 2 EtherChannels: Examples command
- Configuring MLD Snooping Queries: Example command
- Configuring Per VRF on a TACACS+ Server
- configuring ports for voice traffic in 802.1p priority tagged frames
- Configuring the Switch for Vendor-Proprietary RADIUS Server Communication: Example command
- Configuring the Switch to Use Vendor-Specific RADIUS Attributes: Examples command
- confirming
- CoS: in Layer 2 frames
- CoS output queue threshold map for QoS
- configuring on Layer 2 interfaces; described; illustration

D
- daylight saving time
- debugging: enabling all system diagnostics; redirecting error message output; using commands
- default configuration: banners; DNS; EtherChannel; IGMP filtering; IGMP throttling; LLDP; MAC address table; MSTP; password and privilege level; RADIUS; SPAN; SSL; STP; TACACS+; UDLD
- default Ethernet VLAN configuration
- default gateway
- default VLAN configuration
- Event Service; NameSpace Mapper
- defining AAA server groups
- definition: VLAN
- deletion: VLAN
- designated: port; switch
- detecting communication failure
- detecting indirect link failures, STP
- device: root
- device priority: MSTP; STP
- devices supported
- DHCP: enabling (relay agent; server)
- DHCP option 82: displaying; forwarding address, specifying; helper address; overview
- DHCP server port-based address allocation: default configuration; enabling
- DHCP snooping: accepting untrusted packets from edge switch; option 82 data insertion; trusted interface; untrusted messages
- DHCP snooping binding database: adding bindings; binding file (format; location); configuration guidelines; configuring; described; enabling
- Differentiated Services (Diff-Serv) architecture
- Differentiated Services Code Point
- directories: changing; creating; displaying the working; removing
- disabled state
- disabling
- disabling EnergyWise
- disabling recovery of
- disclaimer
- DNIS (Dialed Number Identification Service): DNIS number; server groups, selecting
- DNS: default configuration; overview; setting up
- domain
- Domain Name System: see DNS
- domain names: DNS
- DSCP
- dual-action detection
- dynamic access ports: configuring
- dynamic addresses: see addresses
- dynamic port membership: described; reconfirming; troubleshooting
- dynamic port VLAN membership: described; troubleshooting; types of connections
- dynamic VLAN assignments

E
- egress expedite queue
- ELIN location
- enable password
- enable secret
- enable secret password
- enabling
- enabling all system diagnostics
- enabling and disabling
- Enabling MLD Immediate Leave: Example command
- encrypting
- encryption for passwords
- encryption methods
- encryption, CipherSuite
- entering server address
- EtherChannel: channel groups (binding physical and logical interfaces; numbering of); configuration guidelines; configuring (Layer 2 interfaces); default configuration; IEEE 802.3ad, described; interaction (with STP; with VLANs); LACP (hot-standby ports; interaction with other features; min links; modes; port priority; system priority); logical interfaces, described; PAgP (about aggregate-port learners; about learn method and priority; aggregate-port learners; described; interaction with other features; interaction with virtual switches; learn method and priority configuration; modes; with dual-action detection); port-channel interfaces (numbering of)
- EtherChannel failover
- EtherChannel guard: described; enabling
- Ethernet VLAN
- Event Service
- example: ACLs; class maps; classifying, policing, marking traffic on physical ports; configuring egress queue; configuring port to DSCP-trusted state; modifying DSCP-DSCP mutation map
- Example for Configuring Auto-MDIX command
- Example for Performing a Traceroute to an IP Host command
- Example for Pinging an IP Host command
- Example of Configuring NVRAM Buffer Size command
- Examples for Configuring the System MTU command
- exiting
- expedite queue: egress queues (SRR weights); guidelines
- expedite queue for QoS
- extended system ID: MSTP
- extended-range VLAN
- extended-range VLAN configuration guidelines

F
- fallback bridging: STP (keepalive messages); VLAN-bridge STP
- feature history
- feature information: IGMP snooping; VLANs
- fiber-optic, detecting unidirectional links
- file system: displaying available file systems; displaying file information; local file system names; network file system names; setting the default
- files: copying; deleting; tar (creating; displaying the contents of; extracting)
- filters, IP: see ACLs, IP
- flash device, number of
- flash memory
- flash: file system
- forward-delay time: MSTP; STP
- forwarding state

G
- global leave, IGMP

H
- hello time: MSTP; STP
- hosts, limit on dynamic ports
- hot-standby ports
- HTTP secure server
- HTTPS: configuring; described; self-signed certificate

I
- ICMP: Host Unreachable message; time-exceeded messages; traceroute and
- ICMP ping: executing; overview
- Identifying the RADIUS Server Host: Examples command
- identifying the server
- IEEE 802.1Q tagging
- IEEE 802.1s: see MSTP
- IEEE 802.3ad, described
- IGMP: configurable leave timer (described; enabling); flooded multicast traffic (controlling the length of time; disabling on an interface; global leave; recovering from flood mode); join messages; leave processing, enabling; leaving multicast group; queries; report suppression (described); snooping; supported versions
- IGMP filtering: default configuration; described
- IGMP groups: configuring filtering; setting the maximum number
- IGMP Immediate Leave: enabling
- IGMP profile: applying; configuration mode
- IGMP report suppression
- IGMP snooping: and address aliasing; definition; global configuration; Immediate Leave; monitoring; querier (configuration guidelines; configuring); supported versions; VLAN configuration
- IGMP throttling: configuring; default configuration; described; displaying action
- IGMP Throttling Action: configuration guidelines
- Immediate Leave, IGMP: described; enabling
- interaction with virtual switches
- interfaces: auto-MDIX, configuring
- Intrusion Detection System: see IDS appliances
- inventory management TLV
- IP ACLs: named
- IP addresses: discovering
- IP addresses and subnets
- IP precedence
- IP traceroute: executing; overview
- IP unicast routing: default (gateways)
- IPv4 ACLs: applying to interfaces; extended, creating; interfaces; named; standard, creating
- IPv6: SDM templates

J
- join messages, IGMP

K
- keepalive messages
- key

L
- LACP: hot-standby ports; interaction with other features; min links; modes; port priority; system priority
- Layer 2 EtherChannel configuration guidelines
- Layer 2 interface modes
- Layer 2 interfaces
- Layer 2 traceroute: and ARP; and CDP; broadcast traffic; described; IP addresses and subnets; MAC addresses and VLANs; multicast traffic; multiple devices on a port; unicast traffic; usage guidelines
- Layer 3 packets, classification methods
- learn method and priority configuration
- leave processing, enabling
- Link Failure, detecting unidirectional
- listening state
- LLDP: configuring (default configuration; enabling); overview; switch stack considerations; transmission timer and holdtime, setting
- LLDP-MED: configuring (TLVs); overview; supported TLVs; trunk ports
- local mode with AAA
- location TLV
- logging into
- logging messages, ACL
- logical interfaces, described
- login authentication: with RADIUS; with TACACS+
- login banners

M
- MAC address-table move update: configuration guidelines; configuring; description; obtain and process messages
- MAC addresses: aging time; and VLAN association; building the address table; default configuration; discovering; dynamic (learning); static (characteristics of)
- MAC addresses and VLANs
- MAC extended access lists: applying to Layer 2 interfaces
- MAC/PHY configuration status TLV
- management address TLV
- mapping table: default configuration
- mapping tables for QoS: described
- marking: action in policy map
- maximum aging time: MSTP; STP
- maximum hop count, MSTP
- memory allocation
- messages, to users through banners
- method lists: AAA (accounting; authorization)
- MIB support
- min links
- mirroring traffic for analysis
- mismatches
- mismatches, autonegotiation
- MLD Messages
- MLD Queries
- MLD Reports
- MLD Snooping
- MLDv1 Done message
- monitoring: access groups; IGMP snooping; IPv4 ACL configuration; multicast router interfaces; SFP status; voice VLAN; VTP
- monitoring commands
- monitoring status of
- MST mode
- MSTP: boundary ports (configuration guidelines; described); BPDU filtering (described; enabling); BPDU guard (described; enabling); CIST root; CIST, described; configuration guidelines; configuring (device priority; forward-delay time; hello time; link type for rapid convergence; maximum aging time; maximum hop count; MST region; neighbor type; path cost; port priority; root device; secondary root device); CST (operations between regions); default configuration; displaying status; enabling the mode; EtherChannel guard (described; enabling); extended system ID (effects on root device; effects on secondary root device; unexpected behavior); IEEE 802.1s (implementation; port role naming change; terminology); instances supported; interface state, blocking to forwarding; interoperability with IEEE 802.1D (described; restarting migration process); IST (operations within a region); loop guard (described; enabling); mapping VLANs to MST instance; MST region (CIST; configuring; described; hop-count mechanism; IST; supported spanning-tree instances); PortFast (described; enabling); preventing root switch selection; root device (configuring; effects of extended system ID; unexpected behavior); root guard (described; enabling); shutdown Port Fast-enabled port; status, displaying
- MTU: system
- Multicast Client Aging Robustness
- multicast groups: joining; leaving
- Multicast Router Discovery
- multicast router interfaces, monitoring
- multicast router ports, adding
- multicast traffic
- multiple devices on a port

N
- NameSpace Mapper
- native VLAN
- network
- Network Load Sharing: STP path cost; STP priorities
- network policy TLV
- nonhierarchical policy maps: configuring
- normal-range VLAN configuration guidelines
- NTP: associations (defined); overview
- numbering of

O
- OBFL: configuring; described; displaying
- on Layer 2 interfaces
- on-board failure logging
- online diagnostics: described; overview

P
- PaGP
- PAgP: aggregate-port learners; described; interaction with other features; interaction with virtual switches; learn method and priority configuration; modes; with dual-action detection
- partitioned
- password
- password and privilege level
- password recovery disable considerations
- passwords: default configuration; disabling recovery of; encrypting; overview; recovery of; setting (enable; enable secret; Telnet; with usernames)
- path cost: MSTP; STP
- persistent self-signed certificate
- ping: character output description; executing; overview
- PoE: devices supported; supported watts per port
- PoE ports
- policers: configuring (for more than one traffic class)
- policy maps for QoS: nonhierarchical on physical ports (configuring)
- port: priority; root
- port ACLs: defined; types of
- port description TLV
- port priority: MSTP; STP
- port VLAN ID TLV
- port-channel interfaces: numbering of
- power management TLV
- prerequisites: IGMP snooping; QoS; VLAN trunks; VMPS
- preventing unauthorized access
- prioritization
- privilege levels: changing the default for lines; exiting; logging into; overview; setting a command with
- Protecting Enable and Enable Secret Passwords with Encryption: Example command
- pruning-eligible list
- PVST mode
- PVST+: described; IEEE 802.1Q trunking interoperability; instances supported

Q
- QoS: class maps; configuring (egress queue characteristics; IP standard ACLs; policy maps on physical ports); default configuration; egress queues (configuring shaped weights for SRR; configuring shared weights for SRR; displaying the threshold map; mapping DSCP or CoS values; WTD, described); enabling globally; enabling VLAN-based on physical ports; limiting bandwidth on egress interface; mapping tables (types of); marked-down actions; policers (configuring); queues (configuring egress characteristics; location of)
- QoS policy
- queries, IGMP
- querying: domains; keywords; name attribute; set power levels
- queueing

R
- RADIUS: attributes (vendor-specific); configuring (accounting; authentication; authorization; communication, global); default configuration; defining AAA server groups; limiting the services to the user; login; operation of; overview; suggested network environments; tracking services accessed by user
- rapid convergence
- Rapid Spanning Tree Protocol: see RSTP
- reconfirmation interval, changing
- reconfirmation interval, VMPS, changing
- reconfirming dynamic VLAN membership
- reconfirming membership
- recovery of
- recurrences: configuring; day of month; day of week
- redirecting error message output
- redundancy: EtherChannel; STP (backbone)
- reference
- Remote Authentication Dial-In User Service: see RADIUS
- report suppression: disabling
- report suppression, IGMP: described
- restricting access: overview; RADIUS; TACACS+
- restrictions: Configuration Engine; IGMP snooping; MSTP; Optional Spanning-Tree Features; STP; voice VLANs; VTP
- retry count, changing
- retry count, VMPS, changing
- RFC: 1112, IP multicast and IGMP; 1305, NTP
- role: port
- root port
- root device: MSTP; STP
- RSTP: active topology; BPDU (format; processing); designated port, defined; designated switch, defined; interoperability with IEEE 802.1D (described; restarting migration process; topology changes); overview; port roles (described; synchronized); rapid convergence (described; edge ports and Port Fast; root ports); root port, defined
- RTC: benefits; defined

S
- scheduling
- SCP: and SSH; configuring
- SDM templates
- secure HTTP client: configuring; displaying
- secure HTTP server: configuring; displaying
- Secure Shell
- Secure Shell Version 2: monitoring and maintaining; verifying using the show ip ssh command
- SecureOn
- security
- security and identification
- self-signed certificate
- server groups: AAA, authorization
- server groups, AAA
- service-provider network, MSTP and RSTP
- services: networking
- setting: enable; enable secret; Telnet; with usernames
- setting a command with
- setting a password
- Setting a Telnet Password for a Terminal Line: Example command
- Setting or Changing a Static Enable Password: Example command
- setting packet forwarding
- Setting the Privilege Level for a Command: Example command
- SFP security and identification
- SFP status
- SFPs: monitoring status of; security and identification; status, displaying
- shaped mode
- shared mode
- show access-lists hw-summary command
- show forward command
- show platform forward command
- Simple Network Management Protocol (SNMP)
- single-switch EtherChannel
- SNMP: traps; snooping
- SPAN: configuration guidelines; default configuration; overview; sessions (creating; removing destination (monitoring) ports; specifying monitored ports; with ingress traffic enabled)
- Spanning Tree: states
- spanning-tree: port priority
- SSH: encryption methods; user authentication methods, supported
- SSH server
- SSL: configuring a secure HTTP client; configuring a secure HTTP server; monitoring
- stack changes, effects on: cross-stack EtherChannel
- stacks: MSTP instances supported; STP (bridge ID; switch)
- stacks, switch: partitioned; system prompt consideration
- static addresses: see addresses
- static joins
- static-access ports
- status, displaying
- STP: accelerating root port selection; BackboneFast (described; enabling); BPDU message exchange; configuring (device priority; forward-delay time; hello time; maximum aging time; path cost; port priority; root device; secondary root device; spanning-tree mode; transmit hold-count); default configuration; designated switch, defined; designated port, defined; detecting indirect link failures; disabling; displaying status; EtherChannel guard (described; enabling); extended system ID (effects on root device; effects on the secondary root device; overview; unexpected behavior); IEEE 802.1D and bridge ID; IEEE 802.1D and multicast addresses; IEEE 802.1t and VLAN identifier; instances supported; interface states (blocking; disabled; learning; listening); keepalive messages; limitations with IEEE 802.1Q trunks; modes supported; overview; protocols supported; redundant connectivity; root (election; unexpected behavior); root device (configuring); root port, defined; status, displaying; UplinkFast (described; disabling; enabling); VLAN-bridge
- STP path cost
- STP port priorities
- stratum, NTP
- Subnetwork Access Protocol (SNAP)
- suggested network environments
- summer time
- supported watts per port
- Switch Access: displaying
- switch stack
- system
- system capabilities TLV
- system clock: configuring (daylight saving time; manually; summer time; time zones); overview
- system description TLV
- system name: default configuration; manual configuration
- system name TLV
- system priority
- system prompt, default setting

T
- TACACS+: accounting, defined; authentication, defined; authorization; authorization, defined; AV pairs; accounting; configuring (accounting; authentication; authentication key; authorization); DNIS, server group selection; login authentication; server groups (default configuration; defined; displaying; DNIS selection); identifying the server; key; limiting the services to the user; login; operation of; overview; tracking services accessed by user
- tar files: creating; displaying the contents of; extracting
- technical assistance
- Telnet: setting a password
- temporary self-signed certificate
- Terminal Access Controller Access Control System Plus: see TACACS+
- terminal lines, setting a password
- time: see NTP and system clock
- time format
- time zone
- time zones
- time-exceeded messages
- time-range command
- TLVs: defined
- Token Rings
- Topology Change Notification Processing
- traceroute and
- traceroute command: see also IP traceroute
- traceroute, Layer 2: and ARP; and CDP; broadcast traffic; described; IP addresses and subnets; MAC addresses and VLANs; multicast traffic; multiple devices on a port; unicast traffic; usage guidelines
- traffic
- traps
- troubleshooting: setting packet forwarding; SFP security and identification; show forward command; with debug commands; with ping; with traceroute
- Troubleshooting Examples command
- trunk: configuration
- trunk port
- trunking
- trunking modes
- trunks: allowed VLANs
- trustpoints, CA
- twisted-pair, detecting unidirectional links
- types of connections

U
- UDLD: aggressive mode (message time); default configuration; disabling (per interface); enabling (globally; per interface); fiber-optic links; neighbor database; neighbor database maintenance; normal; normal mode; overview; restrictions; twisted-pair links
- unicast MAC address filtering: configuration
- unicast traffic
- UplinkFast: described; disabling; enabling
- usage guidelines
- user authentication methods, supported
- username-based authentication
- using commands

V
- vendor-proprietary
- vendor-specific
- virtual switches and PAgP
- VLAN: definition
- VLAN ID, discovering
- VLAN membership: confirming
- VLAN monitoring commands
- VLAN port membership modes
- VLANs: aging dynamic addresses; STP and IEEE 802.1Q trunks; VLAN-bridge STP
- VMPS: dynamic port membership (described; reconfirming; troubleshooting); entering server address; reconfirmation interval, changing; reconfirming membership; retry count, changing
- VMPS client configuration: default
- VMPS Configuration Example command
- voice VLAN: configuration guidelines
- VTP: configuration requirements; version
- VTP advertisements
- VTP mode
- VTP modes
- VTP password
- VTP primary
- VTP settings
- VTP version
- VTP version 2
- VTP version 3

W
- wired location service: location TLV
- with debug commands; with dual-action detection; with ping; with STP; with traceroute; with usernames
- WoL: with a MAC address; without a MAC address
- WTD: setting thresholds (egress queue-sets)