
Cisco Enterprise Network Compute System Switch Command Reference
switch show arp
To display entries in the ARP table, use the switch show arp command in privileged EXEC mode.
switch show arp
Syntax Description
This command has no arguments. |
Command Modes
Privileged EXEC (#)
Command History
Release | Modification |
---|---|
3.5.1 | This command was introduced. |
Usage Guidelines
The Interface field can be empty because the associated interface of a MAC address can be aged out from the FDB table.
If an ARP entry is associated with an IP interface that is defined on a port or port channel, the VLAN field is empty.
Examples
The following example displays entries in the ARP table:
switch show bridge multicast filtering
To display the multicast filtering configuration, use the switch show bridge multicast filtering command in privileged EXEC mode.
switch show bridge multicast filtering vlan
Syntax Description
vlan | Specifies the VLAN. |
Command Default
Display multicast filtering configuration for all the VLANs.
Command Modes
Privileged EXEC (#)
Command History
Release | Modification |
---|---|
3.5.1 | This command was introduced. |
Examples
The following example displays the Multicast configuration for VLAN 1.
switch show bridge multicast unregistered
To display the unregistered Multicast filtering configuration, use the switch show bridge multicast unregistered command in privileged EXEC mode.
switch show bridge multicast unregistered
Syntax Description
No default argument or values |
Command Modes
Privileged EXEC (#)
Command History
Release | Modification |
---|---|
3.5.1 | This command was introduced. |
Examples
The following example displays the unregistered Multicast configuration.
switch show dot1x
Use the switch show dot1x command in privileged EXEC mode to do the following:
Display the 802.1X interfaces or a specified interface status.
Display information on all the ports (including not-present ports).
Display 802.1x statistics.
Display active 802.1X authorized users for the device.
Release 3.6.1 and Later Releases
switch show dot1x detailed interface gigabitEthernet statistics users
Release 3.5.1
switch show dot1x all detailed interface gigabitEthernet statistics gigabitEthernet users
Syntax Description
all | Display by all dot1x. This parameter is available only in Release 3.5.1. |
detailed | Displays information for non-present ports in addition to present ports. |
interface gigabitEthernet | Displays the information for the specified interface ID. |
statistics | Display 802.1x statistics. |
users | Display active 802.1X authenticated users. |
Command Default
If the detailed parameter is used, information about all ports is displayed. If the users parameter is used, information about all users is displayed.
Command Modes
Privileged EXEC (#)
Command History
Release | Modification |
---|---|
3.6.1 | The command parameters are changed. |
3.5.1 | This command was introduced. |
Examples
The following example specifies that unregistered Multicast packets are filtered on the interface gigabitEthernet 1/1:
The following list describes the significant fields shown in the example:
Port: The port interface-id.
Host mode: The port authentication configured mode. Possible values: single-host, multi-host, multi-sessions.
Port Administrated status: The port administration (configured) mode. Possible values: force-auth, force-unauth, auto.
Port Operational status: The port operational (actual) mode. Possible values: authorized or unauthorized.
Quiet period: Number of seconds the device remains in the quiet state following a failed authentication exchange (for example, the client provided an invalid password).
Tx period: Number of seconds the device waits for a response to an Extensible Authentication Protocol (EAP) request/identity frame from the client before resending the request.
Supplicant timeout: Number of seconds the device waits for a response to an EAP-request frame from the client before resending the request.
Max req: Maximum number of times the device sends an EAP request frame (assuming that no response is received) to the client before restarting the authentication process.
Authentication success: Number of times the state machine received a Success message from the Authentication Server.
Authentication fails: Number of times the state machine received a Failure message from the Authentication Server.
Examples
The following example displays 802.1X statistics for gigabitEthernet 1/1:
The following list describes the significant fields shown in the example:
EapolFramesRx: Number of valid EAPOL frames of any type that have been received by this Authenticator.
EapolFramesTx: Number of EAPOL frames of any type that have been transmitted by this Authenticator.
EapolStartFramesRx: Number of EAPOL Start frames that have been received by this Authenticator.
EapolLogoffFramesRx: Number of EAPOL Logoff frames that have been received by this Authenticator.
EapolRespIdFramesRx: Number of EAP Resp/Id frames that have been received by this Authenticator.
EapolRespFramesRx: Number of valid EAP Response frames (other than Resp/Id frames) that have been received by this Authenticator.
EapolReqIdFramesTx: Number of EAP Req/Id frames that have been transmitted by this Authenticator.
EapolReqFramesTx: Number of EAP Request frames (other than Req/Id frames) that have been transmitted by this Authenticator.
InvalidEapolFramesRx: Number of EAPOL frames that have been received by this Authenticator for which the frame type is not recognized.
EapLengthErrorFramesRx: Number of EAPOL frames that have been received by this Authenticator in which the Packet Body Length field is invalid.
LastEapolFrameVersion: Protocol version number carried in the most recently received EAPOL frame.
LastEapolFrameSource: Source MAC address carried in the most recently received EAPOL frame.
switch show lacp
To display LACP information for all interfaces or a specific interface, use the switch show lacp command in privileged EXEC mode.
switch show lacp gigabitEthernet port-channel
Syntax Description
gigabitEthernet | Specifies Gigabit Ethernet as the interface type. |
port-channel | Specifies port channel as the interface type. |
Specifies the interface ID. |
Command Default
Displays LACP information for all interfaces.
Command Modes
Privileged EXEC (#)
Command History
Release | Modification |
---|---|
3.6.1 | This command was introduced. |
Examples
The following is a sample output of the switch show lacp command for Gigabit Ethernet interface 1/0.
switch show interface advertise
To display auto-negotiation advertisement information for all configured interfaces or for a specific interface, use the switch show interface advertise command in privileged EXEC mode.
switch show interface advertise gigabitEthernet port-channel
Syntax Description
gigabitEthernet | Specifies Gigabit Ethernet as the interface type. |
port-channel | Specifies port channel as the interface type. |
Specifies the interface ID. |
Command Default
Displays information for all interfaces.
Command Modes
Privileged EXEC (#)
Command History
Release | Modification |
---|---|
3.6.1 | The port-channel parameter is added. |
3.5.1 | This command was introduced. |
Examples
The following example displays auto-negotiation advertisement information for the interface gigabitEthernet 1/1:
switch show interface configuration
To display the configuration for all configured interfaces or a specific interface, use the switch show interface configuration command in privileged EXEC mode.
switch show interface configuration gigabitEthernet port-channel
Syntax Description
gigabitEthernet | Specifies Gigabit Ethernet as the interface type. |
port-channel | Specifies port channel as the interface type. |
Specifies the interface ID. |
Command Default
Displays configuration for all interfaces.
Command Modes
Privileged EXEC (#)
Command History
Release | Modification |
---|---|
3.6.1 | The port-channel parameter is added. |
3.5.1 | This command was introduced. |
Examples
The following example displays the configuration of all configured interfaces:
switch show interface counters
To display traffic seen by all the physical interfaces or by a specific interface, use the switch show interface counters command in privileged EXEC mode.
switch show interface counters gigabitEthernet port-channel
Syntax Description
gigabitEthernet | Specifies Gigabit Ethernet as the interface type. |
port-channel | Specifies port channel as the interface type. |
Specifies the interface ID. |
Command Default
Display counters for all interfaces.
Command Modes
Privileged EXEC (#)
Command History
Release | Modification |
---|---|
3.6.1 | The port-channel parameter is added. |
3.5.1 | This command was introduced. |
Examples
The following example displays traffic seen by the Gigabit Ethernet interface 1/1:
Field | Description |
---|---|
InUcastPkts | Number of received Unicast packets. |
InMcastPkts | Number of received Multicast packets. |
InBcastPkts | Number of received broadcast packets. |
InOctets | Number of received octets. |
OutUcastPkts | Number of transmitted Unicast packets. |
OutMcastPkts | Number of transmitted Multicast packets. |
OutBcastPkts | Number of transmitted Broadcast packets. |
OutOctets | Number of transmitted octets. |
switch show interface description
To display the description of all configured interfaces or a specific interface, use the switch show interface description command in privileged EXEC mode.
switch show interface description gigabitEthernet port-channel
Syntax Description
gigabitEthernet | Specifies Gigabit Ethernet as the interface type. |
port-channel | Specifies port channel as the interface type. |
Specifies the interface ID. |
Command Default
Displays description for all interfaces.
Command Modes
Privileged EXEC (#)
Command History
Release | Modification |
---|---|
3.6.1 | The port-channel parameter is added. |
3.5.1 | This command was introduced. |
Examples
The following example displays the description for all configured interfaces:
switch show interface protected-ports
To display information about all protected interfaces or a specific interface, use the switch show interface protected-ports command in privileged EXEC mode.
switch show interface protected-ports gigabitEthernet port-channel
Syntax Description
gigabitEthernet | Specifies Gigabit Ethernet as the interface type. |
port-channel | Specifies port channel as the interface type. |
Specifies the interface ID. |
Command Default
Displays the information about all protected interfaces.
Command Modes
Privileged EXEC (#)
Command History
Release | Modification |
---|---|
3.6.1 | The port-channel parameter is added. |
3.5.1 | This command was introduced. |
Examples
The following example displays the information about all protected interfaces:
switch show interface port-channel
To display information about all port channel interfaces or a specific interface, use the switch show interface port-channel command in privileged EXEC mode.
switch show interface port-channel
Syntax Description
(Optional) Specifies an interface ID. |
Command Default
Displays information about all port channels.
Command Modes
Privileged EXEC (#)
Command History
Release | Modification |
---|---|
3.6.1 | This command was introduced. |
Examples
The following example displays the port channels information:
switch show interface status
To display the status of all interfaces or a specific interface, use the switch show interface status command in privileged EXEC mode.
switch show interface status gigabitEthernet port-channel
Syntax Description
gigabitEthernet | Specifies Gigabit Ethernet as the interface type. |
port-channel | Specifies port channel as the interface type. |
Specifies the interface ID. |
Command Default
Displays status of all interfaces.
Command Modes
Privileged EXEC (#)
Command History
Release | Modification |
---|---|
3.6.1 | The port-channel parameter is added. |
3.5.1 | This command was introduced. |
Examples
The following example displays the status of all interfaces:
switch show interface storm-control
To display the storm control configuration, use the switch show interface storm-control command in privileged EXEC mode.
switch show interface storm-control
Syntax Description
No default argument or values |
Command Modes
Privileged EXEC (#)
Command History
Release | Modification |
---|---|
4.1.1 | This command was introduced. |
Examples
The following example displays storm control configuration:
switch show interface switchPort
To display the switchport information of all interfaces or a specific interface, use the switch show interface switchPort command in privileged EXEC mode.
switch show interface switchPort gigabitEthernet port-channel
Syntax Description
gigabitEthernet | Specifies Gigabit Ethernet as the interface type. |
port-channel | Specifies port channel as the interface type. |
Specifies the interface ID. |
Command Default
Displays switchport information of all interfaces.
Command Modes
Privileged EXEC (#)
Command History
Release | Modification |
---|---|
3.5.1 | This command was introduced. |
Examples
The following is a sample output of the switch show interface switchPort command that displays switchport information for Gigabit Interface 1/0:
switch show ip igmp snooping groups
To display the Multicast groups learned by IGMP snooping, use the switch show ip igmp snooping groups command in the privileged EXEC mode.
switch show ip igmp snooping groups vlan ip-addr
Syntax Description
vlan | (Optional) Specifies the VLAN. |
ip-addr | (Optional) Specifies the IP address. |
Command Default
No default behavior or values.
Command Modes
Privileged EXEC (#)
Command History
Release | Modification |
---|---|
3.5.1 | This command was introduced. |
Usage Guidelines
To see all Multicast groups learned by IGMP snooping, use the switch show ip igmp snooping groups command without parameters. To see a subset of Multicast groups learned by IGMP snooping, use the switch show ip igmp snooping groups command with parameters.
Examples
The following example shows a sample output for the command:
switch show ip igmp snooping interface
To display the IGMP snooping configuration for a specific VLAN, use the switch show ip igmp snooping interface command in the privileged EXEC mode.
switch show ip igmp snooping interface
Syntax Description
(Optional) Specifies the VLAN. |
Command Default
None
Command Modes
Privileged EXEC (#)
Command History
Release | Modification |
---|---|
3.5.1 | This command was introduced. |
Examples
The following example displays the IGMP snooping configuration for VLAN 20:
How to Configure Cisco Switch: A Step-by-Step Guide with Commands
When we think of connectivity in a network, the router is probably the first device that comes to mind, but switches play a vital role in enabling network devices to communicate.
Switches can take incoming/outgoing traffic and pass it onward toward its final destination. Cisco is one of the most well-known switch vendors on the market and in this article, we’re going to look at how to configure Cisco switches with PuTTY and from the command-line.
Getting Started with Cisco Switch Commands
Before we begin, get to know what hardware you’re using, fire up your CLI and download PuTTY.
The first step is to check what hardware you’re using before you begin. If you’re using a Cisco switch you need to know what model you have. You also want to check the physical state of the device and verify that none of the cables are damaged. You can turn the switch on to make sure there is no damage to the lighting/indicators.
Now that you’ve made sure the device is in working order you’re ready to start configuring. In this guide, we’re going to perform a Cisco switch configuration through the command-line interface (CLI) with the open-source SSH/Telnet client PuTTY (although you can use another tool if you prefer). If for any reason PuTTY is not an option for your setup, you can get similar results with a PuTTY alternative.
1. Connect the Switch to PuTTY
To start configuration, you want to connect the switch console to PuTTY. You can do this by doing the following:
- Connect the switch to PuTTY with a 9-pin serial cable.
- Now open PuTTY and the PuTTY Configuration window will display. Go to the Connection type settings and check the Serial option (shown below).
- Go to the Category list section on the left-hand side and select the Serial option.
- When the options controlling local serial lines page displays enter the COM port your network is connected to in the Serial line to connect to box e.g. COM1.
- Next, enter the digital transmission speed of your switch model. For 300 and 500 Series Managed Switches, this is 115200.
- Go to the Data bits field and enter 8.
- Now go to the Stop bits field and enter 1.
- Click on the Parity drop-down menu and select the None option.
- Go to the Flow Control drop-down menu and select the None option.
Save Your Settings and Start the PuTTY CLI
To save your PuTTY settings for your next session do the following:
- Click on the Session option from the Category list on the left-hand side of the page.
- Go to the Saved Session field and enter a name for your settings e.g. Comparitech.
- Click the Save button to store the settings.
- Press the Open button at the bottom of the page to launch the CLI.
The following message will display in the command prompt:
Switch>
2. Enter Privileged EXEC Mode and Set a Hostname for the Switch
Type in the enable command to enter privileged EXEC mode (you don’t need a password at this stage because you’re under the default configurations which don’t have one!):
Switch> enable
Next, enter Global Configuration Mode with the following command:
Switch# configure terminal
Switch(config)#
You can make the switch easier to locate in the network by assigning a hostname. Enter the following command to assign a hostname:
Switch(config)# hostname access-switch1
access-switch1(config)#
3. Assign a Password to the Switch
Once you’ve assigned a hostname you will want to create a password to control who has access to the privileged EXEC mode (to prevent everyone from being able to log in). To assign an administrator password, enter the following command:
access-switch1(config)# enable secret COMPARI7ECH
Remember to pick a strong password so that it’s harder to figure out.
4. Configure Telnet and Console Access Passwords
The next step is to configure passwords for Telnet and console access. Configuring passwords for these is important because it makes your switch more secure. If someone without authorization gains Telnet access then it puts your network at serious risk. You can configure passwords by entering the following lines (see the first block for Telnet and the second block for Console access).
Telnet
access-switch1(config)# line vty 0 15
access-switch1(config-line)# password COMPARI7ECH
access-switch1(config-line)# login
access-switch1(config-line)# exit
access-switch1(config)#
Console
access-switch1(config)# line console 0
access-switch1(config-line)# password COMPARI7ECH
access-switch1(config-line)# login
access-switch1(config-line)# exit
access-switch1(config)#
5. Configure IP Addresses With Telnet Access
The next step is to decide which IP addresses will have access to Telnet, and add them with the PuTTY CLI. To select permitted IPs, enter the following commands (replace the listed IPs with the IPs of the components you want to grant permission to):
access-switch1(config)# ip access-list standard TELNET-ACCESS
access-switch1(config-std-nacl)# permit 216.174.200.21
access-switch1(config-std-nacl)# permit 216.174.200.21
access-switch1(config-std-nacl)# exit
You can also apply your network’s access control lists (ACLs) to the virtual terminal (VTY) lines. ACLs ensure that only the administrator can connect to the switch through Telnet.
access-switch1(config)# line vty 0 15
access-switch1(config-line)# access-class TELNET-ACCESS in
access-switch1(config-line)# exit
access-switch1(config)#
6. Configure a Network Management IP address (or Management Interface)
Next, you need to configure a network management IP address. Switches don’t come with an IP address by default, meaning that you can’t connect to it with Telnet or SSH. To solve this problem you can select a virtual LAN (VLAN) on the switch and create a virtual interface with an IP address. You can do this by entering the following commands:
access-switch1(config)# interface vlan 1
access-switch1(config-if)# ip address 10.1.1.200 255.255.255.0
access-switch1(config-if)# exit
access-switch1(config)#
The new IP management address is located in VLAN1, which other computers will now use to connect.
7. Assign a Default Gateway to the Switch
At this stage, you want to assign a default gateway to the switch. The default gateway is essentially the address of the router that the switch will be communicating with. If you don’t configure a default gateway then VLAN1 will be unable to send traffic to another network. To assign the default gateway, enter the command below (change the IP address to that of your router).
access-switch1(config)# ip default-gateway 10.1.1.254
8. Disable Unused Open Ports
As a best practice, it is a good idea to disable any unused open ports on the switch. Cyber-criminals often use unsecured ports as a way to breach a network. Closing these ports down reduces the number of entry points into your network and makes your switch more secure. Enter the range of ports you want to close by entering the following command (you would change 0/25-48 to the ports that you want to close):
access-switch1(config)# interface range fe 0/25-48
access-switch1(config-if-range)# shutdown
access-switch1(config-if-range)# exit
access-switch1(config)#
9. Save Your System Configuration Settings
Once you’ve finished configuring the switch it’s time to save your system configuration. Saving the configuration will make sure that your settings are the same when you open up your next session. To save, enter the following commands:
access-switch1(config)# exit
access-switch1# wr
Always remember to save any changes to your settings before closing the CLI.
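An added example, not part of the original guide: a small Python check that reads a saved running configuration and reports where steps 3 to 8 above were missed (no enable secret, a line without password and login, a VTY line without an access-class or pointing at an ACL that is not defined, an unused port left up). The sample configuration is constructed, `ports_in_use` is an assumed operator-supplied set, and the `transport input ssh` check is an extra hardening check beyond the guide's steps.

```python
import re

# Constructed sample shaped like the result of steps 2-8, with deliberate gaps.
# Passwords and hashes are placeholders, not real values.
SAMPLE_CONFIG = """\
hostname access-switch1
!
enable secret 5 <hash-placeholder>
!
interface FastEthernet0/1
 switchport mode access
!
interface FastEthernet0/25
 shutdown
!
interface FastEthernet0/26
!
interface Vlan1
 ip address 10.1.1.200 255.255.255.0
!
ip default-gateway 10.1.1.254
!
ip access-list standard TELNET-ACCESS
 permit 216.174.200.21
!
line con 0
 password <placeholder>
 login
line vty 0 4
 access-class TELNET-ACCESS in
 password <placeholder>
 login
line vty 5 15
 password <placeholder>
 login
!
end
"""


def parse_sections(config_text):
    """Group a running-config into {top-level line: [indented child lines]}."""
    sections, current = {}, None
    for raw in config_text.splitlines():
        if not raw.strip() or raw.strip() == "!":
            continue
        if not raw[0].isspace():
            current = raw.strip()
            sections.setdefault(current, [])
        elif current is not None:
            sections[current].append(raw.strip())
    return sections


def audit(config_text, ports_in_use):
    """Return (location, issue) pairs. ports_in_use is an assumed,
    operator-supplied set of interface names that are meant to be up."""
    sections = parse_sections(config_text)
    findings = []
    # Step 3: privileged EXEC must be protected by an enable secret.
    if not any(h.startswith("enable secret ") for h in sections):
        findings.append(("global", "no-enable-secret"))
    acls = {h.split()[-1] for h in sections
            if h.startswith("ip access-list standard ")}
    for header, body in sections.items():
        # Step 4: every console/VTY line needs a password plus login
        # (or "login local", which uses local user accounts instead).
        if header.startswith("line "):
            has_password = any(l.startswith("password ") for l in body)
            if not ("login local" in body or (has_password and "login" in body)):
                findings.append((header, "no-password-login"))
        # Step 5: every VTY range needs an inbound access-class naming a defined ACL.
        if header.startswith("line vty"):
            refs = [l.split()[1] for l in body
                    if re.fullmatch(r"access-class \S+ in", l)]
            if not refs:
                findings.append((header, "no-access-class"))
            findings += [(header, "undefined-acl") for r in refs if r not in acls]
            # Extra hardening check, beyond the guide's steps.
            if "transport input ssh" not in body:
                findings.append((header, "telnet-not-excluded"))
        # Step 8: physical ports that are not in use should be shut down.
        port = re.fullmatch(r"interface ((?:Fast|Gigabit)Ethernet\S+)", header)
        if port and port.group(1) not in ports_in_use and "shutdown" not in body:
            findings.append((port.group(1), "unused-port-up"))
    return findings


if __name__ == "__main__":
    for location, issue in audit(SAMPLE_CONFIG, {"FastEthernet0/1"}):
        print(f"{location}: {issue}")
```

The sample shows a common gap: the running configuration lists the VTY lines as two ranges, and the access-class is present on only one of them.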
10. Configure NetFlow to Manage Your Cisco Switch (Optional)
It is also a good idea to use a network traffic analyzer to monitor network traffic. As a Cisco device, your switch will have the communication protocol NetFlow. However, it must be configured first. You can configure NetFlow by completing the four steps below. Before we begin, enter Global Configuration Mode by executing the following command:
Switch# configure terminal
Create a flow record
- The first step is to create a flow record (you can change the name). You can do this by entering the following command:
  Switch# flow record Comparitechrecord
- After you’ve entered the previous command you need to set the IPv4 source address, IPv4 destination address, IPv4 protocol, transport source-port, transport destination-port, IPv4 ToS, interface input, and interface output. You can do this by entering the following commands:
  Switch# match ipv4 source address
  Switch# match ipv4 destination address
  Switch# match ipv4 protocol
  Switch# match transport source-port
  Switch# match transport destination-port
  Switch# match ipv4 tos
  Switch# match interface input
  Switch# collect interface output
- To finish configuring the flow record and define the type of data you’re going to collect, enter the following switch configuration commands:
  Switch# collect interface output
  Switch# collect counter bytes
  Switch# collect counter packets
  Switch# collect timestamp sys-uptime first
  Switch# collect timestamp sys-uptime last
Create the Flow Exporter
- You must now create the flow exporter to store the information that you want to export to an external network analyzer. The first step is to name the flow exporter:
  Switch# flow exporter Comparitechexport
- Enter the IP address of the server your network analyzer is on (change the IP address):
  Switch# destination 117.156.45.241
- Configure the interface that you want to export packets with:
  Switch# source gigabitEthernet 0/1
- Configure the port that the software agent will use to listen for network packets:
  Switch# transport UDP 2055
- Set the type of protocol data that you’re going to export by entering this command:
  Switch# export-protocol netflow-v9
- To make sure there are no gaps in when flow data is sent, enter the following command:
  Switch# template data timeout 60
Create a Flow Monitor
- Once you’ve configured the flow exporter it is time to create the flow monitor. Create the flow monitor with the following command:
  Switch# flow monitor Comparitechmonitor
- Associate the flow monitor with the flow record and exporter we configured earlier:
  Switch# record Comparitechrecord
  Switch# exporter Comparitechexport
- To make sure that flow information is collected and normalized without a delay, enter the following commands:
  Switch# cache timeout active 60
  Switch# cache timeout inactive 15
- Enter the exit command:
  Switch# exit
- You need to input the interfaces that will collect the NetFlow data. If this is an ethernet interface you would enter the following:
  Switch# interface gigabitEthernet 0/1
- Use the following command to configure NetFlow on multiple interfaces (the input command will still collect data in both directions):
  Switch# ip flow monitor Comparitechmonitor input
- If you want to collect NetFlow data on only one interface then you must use the input and output command. So you would enter the following:
  Switch# ip flow monitor Comparitechmonitor input
  Switch# ip flow monitor Comparitechmonitor output
- Exit configuration mode by entering the following command:
  Switch# exit
- Save your settings to finish.
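An added example, not from the original guide: a minimal Python decoder for the NetFlow v9 packets the exporter above sends to UDP 2055. It shows why the template matters: a data FlowSet that arrives before its template cannot be decoded, and `template data timeout 60` bounds how long a freshly started collector waits for one. The packet is constructed, and the addresses, interface indexes and counters in it are sample values.

```python
import socket
import struct

# NetFlow v9 field type numbers (RFC 3954) for the fields in the flow record above.
FIELDS = {8: "ipv4_src", 12: "ipv4_dst", 4: "protocol", 7: "src_port",
          11: "dst_port", 5: "tos", 10: "input_if", 14: "output_if",
          1: "bytes", 2: "packets", 22: "first_uptime_ms", 21: "last_uptime_ms"}


class Collector:
    """Minimal NetFlow v9 decoder: learns templates, then decodes data FlowSets."""

    def __init__(self):
        self.templates = {}  # (source_id, template_id) -> [(type, length), ...]
        self.undecoded = 0   # data FlowSets skipped because no template was known

    def feed(self, packet):
        if len(packet) < 20:
            raise ValueError("shorter than a NetFlow v9 header")
        version, _count, _uptime, _secs, _seq, source_id = struct.unpack_from(
            "!HHIIII", packet, 0)
        if version != 9:
            raise ValueError("not NetFlow v9")
        flows, offset = [], 20
        while offset + 4 <= len(packet):
            fs_id, fs_len = struct.unpack_from("!HH", packet, offset)
            if fs_len < 4 or offset + fs_len > len(packet):
                raise ValueError("bad FlowSet length")
            body = packet[offset + 4:offset + fs_len]
            if fs_id == 0:            # template FlowSet
                self._learn(source_id, body)
            elif fs_id >= 256:        # data FlowSet, id equals its template id
                flows += self._decode(source_id, fs_id, body)
            offset += fs_len
        return flows

    def _learn(self, source_id, body):
        pos = 0
        while pos + 4 <= len(body):
            template_id, nfields = struct.unpack_from("!HH", body, pos)
            pos += 4
            if pos + 4 * nfields > len(body):
                raise ValueError("truncated template")
            fields = [struct.unpack_from("!HH", body, pos + 4 * i)
                      for i in range(nfields)]
            pos += 4 * nfields
            self.templates[(source_id, template_id)] = fields

    def _decode(self, source_id, template_id, body):
        template = self.templates.get((source_id, template_id))
        if template is None:
            self.undecoded += 1       # without the template the records are opaque
            return []
        rec_len = sum(length for _, length in template)
        if rec_len == 0:
            return []
        flows = []
        # Trailing padding shorter than one record is ignored.
        for start in range(0, len(body) - rec_len + 1, rec_len):
            record, pos = {}, start
            for ftype, length in template:
                raw = body[pos:pos + length]
                pos += length
                name = FIELDS.get(ftype, f"field_{ftype}")
                if ftype in (8, 12) and length == 4:
                    record[name] = socket.inet_ntoa(raw)
                else:
                    record[name] = int.from_bytes(raw, "big")
            flows.append(record)
        return flows


def build_sample(with_template):
    """Constructed export packet: one flow, optionally preceded by its template."""
    template = [(8, 4), (12, 4), (4, 1), (7, 2), (11, 2), (5, 1),
                (10, 2), (14, 2), (1, 4), (2, 4), (22, 4), (21, 4)]
    tmpl_body = struct.pack("!HH", 256, len(template)) + b"".join(
        struct.pack("!HH", t, l) for t, l in template)
    record = (socket.inet_aton("10.1.1.50") + socket.inet_aton("10.1.1.200")
              + bytes([6]) + struct.pack("!HH", 51000, 22) + bytes([0])
              + struct.pack("!HH", 1, 2)
              + struct.pack("!IIII", 4200, 12, 100000, 160000))
    tmpl_fs = struct.pack("!HH", 0, 4 + len(tmpl_body)) + tmpl_body
    # 34-byte record plus 2 bytes of padding to a 4-byte boundary.
    data_fs = struct.pack("!HH", 256, 4 + len(record) + 2) + record + b"\x00\x00"
    header = struct.pack("!HHIIII", 9, 2 if with_template else 1,
                         160500, 1700000000, 1, 1)
    return header + (tmpl_fs if with_template else b"") + data_fs


if __name__ == "__main__":
    collector = Collector()
    print(collector.feed(build_sample(False)), collector.undecoded)
    print(collector.feed(build_sample(True)))
```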
Configure a Cisco Switch for Peace of Mind!
Completing simple tasks like configuring passwords and creating network access lists that control who can access the switch can help you stay secure online. Incomplete or incorrect configurations are a vulnerability that attackers can exploit.
Configuring a Cisco switch is only half the battle; you also have to regularly monitor its status. Any performance issues with your switch can have a substantial impact on your users.
Using a network monitoring tool and network analyzer can help you to monitor switches remotely and review performance concerns. Taking the time out of your day to configure a switch and assign strong passwords gives you peace of mind so that you can communicate safely online.
Cisco Switch Configuration & Commands FAQs
How to configure a trunk port on a Cisco 2960 switch?
To configure a trunk port on a Cisco 2960 switch:
- Enter configuration mode:
- Specify the port to use:
- Configure the port as a Layer 2 trunk:
These options mean:
- dynamic auto – The Default. Creates a trunk link if the neighboring interface is set to trunk or desirable mode.
- dynamic desirable – Creates a trunk link if the neighboring interface is set to trunk, desirable, or auto mode.
- trunk – Sets the interface in permanent trunking mode.
- Specify a default VLAN to use for back up. This is optional:
- Specify the native VLAN:
- Exit the config mode:
How do I set a static IP on a Cisco switch?
A problem with the GUI interface of Cisco switches makes it impossible to assign a static IP address to an interface. Follow these steps for a workaround:
- Create a text file on your PC. It doesn’t matter where you save it or what you call it, but make sure you remember where it is. Substitute real values for the tokens shown in angle brackets (<>) below. The text in the file should be:
- Access the admin menu of the switch for Switch Management.
- In the menu, click on Administration, then File Management, and then select File Operations.
- In the File Operations screen, set the following:
- Operation Type: Update File
- Destination File Type: Running Configuration
- Copy Method: HTTP/HTTPS
- File Name: (Browse to select the file you created on your PC).
- Click on Apply.
These steps will create a static IP address, which you can check by going from the main menu to IP Configuration > IPv4 Interface.
Do I have to configure a Cisco switch before it gets to work?
No. The typical Cisco switch is ready to go out-of-the-box. However, you might want to change some parameters to customize its operations.
Cisco Commands Cheat Sheet
Basic Configuration Commands
Command
Purpose
write erase
erase startup-config
shutdown
no shutdown
Troubleshooting Commands
cdp run
no cdp run
show vlan
show vlan brief
Routing and VLAN Commands
The trunk port sends and receives encapsulated (tagged) frames that identify the VLAN of origination. A trunk is a point-to-point link between two switches or between a switch and a router.
DHCP Commands
Security Commands
Monitoring and Logging Commands
Using the Command-Line Interface
The Cisco IOS user interface is divided into many different modes. The commands available to you depend on which mode you are currently in. Enter a question mark (?) at the system prompt to obtain a list of commands available for each command mode.
You can start a CLI session through a console connection, through Telnet, through SSH, or by using the browser.
When you start a session, you begin in user mode, often called user EXEC mode. Only a limited subset of the commands are available in user EXEC mode. For example, most of the user EXEC commands are one-time commands, such as show commands, which show the current configuration status, and clear commands, which clear counters or interfaces. The user EXEC commands are not saved when the switch reboots.
To have access to all commands, you must enter privileged EXEC mode. Normally, you must enter a password to enter privileged EXEC mode. From this mode, you can enter any privileged EXEC command or enter global configuration mode.
Using the configuration modes (global, interface, and line), you can make changes to the running configuration. If you save the configuration, these commands are stored and used when the switch reboots. To access the various configuration modes, you must start at global configuration mode. From global configuration mode, you can enter interface configuration mode and line configuration mode.
This table describes the main command modes, how to access each one, the prompt you see in that mode, and how to exit the mode.
Mode | Access Method | Prompt | Exit Method | About This Mode |
---|---|---|---|---|
User EXEC | Begin a session using Telnet, SSH, or console. | Switch> | Enter logout or quit. | Use this mode to
|
Privileged EXEC | While in user EXEC mode, enter the enable command. | Switch# | Enter disable to exit. | Use this mode to verify commands that you have entered. Use a password to protect access to this mode. |
Global configuration | While in privileged EXEC mode, enter the configure command. | Switch(config)# | To exit to privileged EXEC mode, enter exit or end, or press Ctrl-Z. | Use this mode to configure parameters that apply to the entire switch. |
VLAN configuration | While in global configuration mode, enter the vlan vlan-id command. | Switch(config-vlan)# | To exit to global configuration mode, enter the exit command. To return to privileged EXEC mode, press Ctrl-Z or enter end. | Use this mode to configure VLAN parameters. When VTP mode is transparent, you can create extended-range VLANs (VLAN IDs greater than 1005) and save configurations in the switch startup configuration file. |
Interface configuration | While in global configuration mode, enter the interface command (with a specific interface). | Switch(config-if)# | To exit to global configuration mode, enter exit. To return to privileged EXEC mode, press Ctrl-Z or enter end. | Use this mode to configure parameters for the Ethernet ports. |
Line configuration | While in global configuration mode, specify a line with the line vty or line console command. | Switch(config-line)# | To exit to global configuration mode, enter exit. To return to privileged EXEC mode, press Ctrl-Z or enter end. | Use this mode to configure parameters for the terminal line. |
Commands cisco switch port
How to Enable a Port on a Cisco Switch
Need to enable a port on a Cisco switch? Look no further!
To begin you need to know what the name of the port is that you want to enable on the switch. This name or Port ID can be found by using the following command.
#show interface status
This command will provide a list of your ports by ID.
For this example, we will use the port Gi1/10 for our switch.
Next, we need to enter privileged EXEC mode on the switch in order to issue the following commands.
To do this, type one of the following commands.
#enable
or
#en
Now, we need to enter the configure command followed by terminal to enter global configuration mode.
#configure terminal
or
#conf t
Next, we tell the switch which interface to configure.
(config)#interface Gi1/10
Now you can assign the selected port to a VLAN. You can use whatever VLAN number you would like but for our example we will use VLAN 10.
(config-if)#switchport access vlan 10
Lastly, we want to bring this port (interface) up or enable it. To do so, use one of the following commands.
(config-if)#no shutdown
or
(config-if)#no shut
That’s it. Your port should now be enabled and assigned to the VLAN you chose. You can do this to any other available port on your switch. If you want to add other ports to this same network, simply repeat this process using your other port IDs and assign them to the same VLAN.
If you would like to check on the status of the port (interface) that you just set up use the following commands.
Exit config mode by performing one of the following methods.
Use Ctrl-Z to exit configuration mode.
or
Type “exit” until you are out of configuration mode.
(If you followed this example you will likely need to enter the exit command two times in a row.)
Lastly, we can now show the status of the port (interface) you chose by entering the following command. We are going to stick with our example port for this command.
#show run interface Gi1/10
Source: https://www.geekwithenvy.com/2017/05/enable-port-cisco-switch/
Cisco IOS Interface and Hardware Component Command Reference
squelch
To extend the Ethernet twisted-pair 10BASE-T capability beyond the standard 100 meters on the Cisco 4000 platform, use the squelch command in interface configuration mode. To restore the default, use the no form of this command.
squelch {normal | reduced}
no squelch
Syntax Description
normal | Allows normal capability. This is the default. |
reduced | Allows extended 10BASE-T capability. |
Command Default
Normal range
Command Modes
Interface configuration
Command History
Release | Modification |
---|---|
10.0 | This command was introduced. |
12.2(33)SRA | This command was integrated into Cisco IOS Release 12.2(33)SRA. |
12.2SX | This command is supported in the Cisco IOS Release 12.2SX train. Support in a specific 12.2SX release of this train depends on your feature set, platform, and platform hardware. |
Examples
The following example extends the twisted-pair 10BASE-T capability on the cable attached to Ethernet interface 2:
srp buffer-size
To make adjustments to buffer settings on the receive side for different priority traffic, use the srp buffer-size command in interface configuration mode. To disable buffer size configurations, use the no form of this command.
srp buffer-size receive [low | medium | high]
no srp buffer-size receive [low | medium | high]
Syntax Description
receive | Allocates SDRAM buffer for incoming packets. |
low | (Optional) Specifies buffer size, in kilobytes, for low-priority packets. Any number from 16 to 8192. The default is 8192. |
medium | (Optional) Specifies buffer size, in kilobytes, for medium-priority packets. Any number from 16 to 8192. The default is 4096. |
high | (Optional) Specifies buffer size, in kilobytes, for high-priority packets. Any number from 16 to 8192. The default is 4096. |
Command Default
low = 8192 kilobytes, medium = 4096 kilobytes, high = 4096 kilobytes
Command Modes
Interface configuration
Command History
Release | Modification |
---|---|
12.0(6)S | This command was introduced. |
12.0(7)XE1 | This command was implemented on Cisco 7500 series routers. |
12.1(5)T | This command was integrated into Cisco IOS Release 12.1(5)T. |
12.2(33)SRA | This command was integrated into Cisco IOS Release 12.2(33)SRA. |
12.2SX | This command is supported in the Cisco IOS Release 12.2SX train. Support in a specific 12.2SX release of this train depends on your feature set, platform, and platform hardware. |
Examples
The following example sets the buffer size for the receive side at the high setting of 17 kilobytes:
Related Commands
Command | Description |
---|---|
mtu | Adjusts the maximum packet size or MTU size. |
srp deficit-round-robin | Transfers packets from the internal receive buffer to Cisco IOS software. |
srp deficit-round-robin
To transfer packets from the internal receive buffer to Cisco IOS software, use the srp deficit-round-robin command in interface configuration mode. To disable the packet transfer, use the no form of this command.
srp deficit-round-robin [input | output] [low | medium | high] [quantum | deficit]
no srp deficit-round-robin
Syntax Description
input | (Optional) Specifies input buffer. |
output | (Optional) Specifies output buffer. |
low | (Optional) Specifies low-priority queue level. |
medium | (Optional) Specifies medium-priority queue level. |
high | (Optional) Specifies high-priority queue level. |
quantum | (Optional) Specifies the Deficit Round Robin (DRR) quantum value. Any number from 9216 to 32767. The default is 9216. |
deficit | (Optional) Specifies the DRR deficit value. Any number from 0 to 65535. The default is 16384. |
Command Default
quantum: 9216 deficit: 16384
Command Modes
Interface configuration
Command History
Release | Modification |
---|---|
12.0(6)S | This command was introduced. |
12.0(7)XE1 | This command was implemented on Cisco 7500 series routers. |
12.1(5)T | This command was integrated into Cisco IOS Release 12.1(5)T. |
12.2(33)SRA | This command was integrated into Cisco IOS Release 12.2(33)SRA. |
12.2SX | This command is supported in the Cisco IOS Release 12.2SX train. Support in a specific 12.2SX release of this train depends on your feature set, platform, and platform hardware. |
Examples
The following example shows how to configure packets for the medium-priority input queue:
Related Commands
Command | Description |
---|---|
srp buffer-size | Makes adjustments to buffer settings on the receive side for different priority traffic. |
srp priority-map | Sets priority mapping for transmitting and receiving packets. |
srp random-detect | Configures WRED parameters on packets received through an SRP interface. |
srp loopback
To loop the spatial reuse protocol (SRP) interface on an OC-12c DPTIP, use the srp loopback command in interface configuration mode. To remove the loopback, use the no form of this command.
srp loopback {internal | line} {a | b}
no srp loopback
Syntax Description
internal | Sets the loopback toward the network before going through the framer. |
line | Loops the payload data toward the network. |
a | Loops back the A side of the interface (inner tx, outer rx). |
b | Loops back the B side of the interface (outer tx, inner rx). |
Command Default
No loops are configured.
Command Modes
Interface configuration
Command History
Release | Modification |
---|---|
12.0(6)S | This command was introduced. |
12.0(7)XE1 | This command was introduced on Cisco 7500 series routers. |
12.1(5)T | This command was integrated into Cisco IOS Release 12.1(5)T. |
12.2(33)SRA | This command was integrated into Cisco IOS Release 12.2(33)SRA. |
12.2SX | This command is supported in the Cisco IOS Release 12.2SX train. Support in a specific 12.2SX release of this train depends on your feature set, platform, and platform hardware. |
Usage Guidelines
Use this command for troubleshooting purposes.
Examples
The following example configures the loopback test on the A side of the SRP interface:
srp priority-map
To set priority mapping for transmitting and receiving packets, use the srp priority-map command in interface configuration mode. To disable priority mapping, use the no form of this command.
srp priority-map receive {low | medium | high | transmit {medium | high}}
no srp priority-map
Syntax Description
receive | Specifies priority mapping for receiving packets. |
transmit | Specifies priority mapping for transmitting packets. |
low | (Optional) Specifies mapping for low-priority packets. Any number from 1 to 8. The default is 1. |
medium | (Optional) Specifies mapping for medium-priority packets. Any number from 1 to 8. The default is 3. |
high | (Optional) Specifies mapping for high-priority packets. Any number from 1 to 8. The default is 5 for receiving packets, and default is 7 for transmitting packets. |
Command Default
receive low: 1 receive medium: 3 receive high: 5 transmit high: 7
Command Modes
Interface configuration
Command History
Release | Modification |
---|---|
12.0(6)S | This command was introduced. |
12.0(7)XE1 | This command was implemented on Cisco 7500 series routers. |
12.1(5)T | This command was integrated into Cisco IOS Release 12.1(5)T. |
12.2(33)SRA | This command was integrated into Cisco IOS Release 12.2(33)SRA. |
12.2SX | This command is supported in the Cisco IOS Release 12.2SX train. Support in a specific 12.2SX release of this train depends on your feature set, platform, and platform hardware. |
Usage Guidelines
The spatial reuse protocol (SRP) interface provides commands to enforce quality of service (QoS) functionality on the transmit side and receive side of Cisco routers. SRP uses the IP type of service (ToS) field values to determine packet priority.
The SRP interface classifies traffic on the transmit side into high- and low-priority traffic. High-priority traffic is rate shaped and has higher priority than low-priority traffic. You have the option to configure high- or low-priority traffic and can rate limit the high-priority traffic.
The srp priority-map transmit command enables the user to specify IP packets with values equal to or greater than the ToS value to be considered as high-priority traffic.
On the receive side, when WRED is enabled, SRP hardware classifies packets into high-, medium-, and low-priority packets on the basis of the IP ToS value. After classification, it stores the packet into the internal receive buffer. The receive buffer is partitioned for each priority packet. Cisco routers can employ WRED on the basis of the IP ToS value. Routers also employ the Deficit Round Robin (DRR) algorithm to transfer packets from the internal receive buffer to Cisco IOS software.
The srp priority-map receive command enables the user to classify packets as high, medium, or low based on the IP ToS value.
Examples
The following example configures Cisco 7500 series routers to transmit packets with priority greater than 5 as high-priority packets:
Related Commands
Command | Description |
---|---|
srp random-detect | Configures WRED parameters on packets received through an SRP interface. |
srp random-detect
To configure weighted RED (WRED) parameters on packets received through a spatial reuse protocol (SRP) interface, use the srp random-detect command in interface configuration mode. To return the value to the default, use the no form of this command.
srp random-detect {compute-interval | enable | input [low | medium | high] | [exponential-weight | precedence]}
no srp random-detect
Syntax Description
compute-interval | Specifies the queue depth compute interval, in nanoseconds. Number in the range from 1 to 128. Default is 128. |
enable | Enables WRED. |
input | Specifies WRED on packet input path. |
low | (Optional) Specifies low-priority queue level. |
medium | (Optional) Specifies medium-priority queue level. |
high | (Optional) Specifies high-priority queue level. |
exponential-weight | (Optional) Specifies the queue weight, in bits. Number in the range from 0 to 6. The default is 6. |
precedence | (Optional) Specifies the input queue precedence. Number in the range from 0 to 7. The default is 7. |
Command Default
compute-interval: 128 weight: 6 precedence: 7
Command Modes
Interface configuration
Command History
Release | Modification |
---|---|
12.0(6)S | This command was introduced. |
12.0(7)XE1 | This command was implemented on Cisco 7500 series routers. |
12.1(5)T | This command was integrated into Cisco IOS Release 12.1(5)T. |
12.2(33)SRA | This command was integrated into Cisco IOS Release 12.2(33)SRA. |
12.2SX | This command is supported in the Cisco IOS Release 12.2SX train. Support in a specific 12.2SX release of this train depends on your feature set, platform, and platform hardware. |
Examples
The following example configures WRED parameters on packets received through an SRP interface with a weight factor of 5:
srp shutdown
To disable the spatial reuse protocol (SRP) interface, use the srp shutdown command in interface configuration mode. To restart a disabled interface, use the no form of this command.
srp shutdown [a | b]
no srp shutdown [a | b]
Syntax Description
a | (Optional) Specifies side A of the SRP interface. |
b | (Optional) Specifies side B of the SRP interface. |
Command Default
The SRP interface continues to be enabled until this command is issued.
Command Modes
Interface configuration
Command History
Release | Modification |
---|---|
12.0(6)S | This command was introduced. |
12.0(7)XE1 | This command was introduced on Cisco 7500 series routers. |
12.1(5)T | This command was integrated into Cisco IOS Release 12.1(5)T. |
12.2(33)SRA | This command was integrated into Cisco IOS Release 12.2(33)SRA. |
12.2SX | This command is supported in the Cisco IOS Release 12.2SX train. Support in a specific 12.2SX release of this train depends on your feature set, platform, and platform hardware. |
Usage Guidelines
The srp shutdown command disables all functions on the specified side.
Examples
The following example turns off side A of the SRP interface:
srp tx-traffic-rate
To limit the amount of high-priority traffic that the spatial reuse protocol (SRP) interface can handle, use the srp tx-traffic-rate command in interface configuration mode. Use the no form of this command to disable transmitted traffic rate.
srp tx-traffic-rate
no srp tx-traffic-rate
Syntax Description
Transmission speed, in kilobits per second. The range is from 1 to 65535. Default is 10. |
Command Default
: 10
Command Modes
Interface configuration
Command History
Release | Modification |
---|---|
12.0(6)S | This command was introduced. |
12.0(7)XE1 | This command was implemented on Cisco 7500 series routers. |
12.1(5)T | This command was integrated into Cisco IOS Release 12.1(5)T. |
12.2(33)SRA | This command was integrated into Cisco IOS Release 12.2(33)SRA. |
12.2SX | This command is supported in the Cisco IOS Release 12.2SX train. Support in a specific 12.2SX release of this train depends on your feature set, platform, and platform hardware. |
Examples
The following example configures SRP traffic to transmit at 1000 kilobits per second:
stack-mib portname
To specify a name string for a port, use the stack-mib portname command in interface configuration mode.
stack-mib portname
Syntax Description
Name for a port. |
Command Default
This command has no default settings.
Command Modes
Interface configuration
Command History
Release | Modification |
---|---|
12.2(14)SX | Support for this command was introduced on the Supervisor Engine 720. |
12.2(17d)SXB | Support for this command on the Supervisor Engine 2 was extended to Release 12.2(17d)SXB. |
12.2(33)SRA | This command was integrated into Cisco IOS Release 12.2(33)SRA. |
Usage Guidelines
Using the stack-mib command to set a name string to a port corresponds to the portName MIB object in the portTable of CISCO-STACK-MIB. portName is the MIB object in the portTable of CISCO-STACK-MIB. You can set this object to be descriptive text describing the function of the interface.
Examples
This example shows how to set a name to a port:
storm-control
To enable broadcast, multicast, or unicast storm control on a port or to specify the action when a storm occurs on a port, use the storm-control command in interface configuration mode. To disable storm control for broadcast, multicast, or unicast traffic or to disable the specified storm-control action, use the no form of this command.
storm-control { {broadcast | multicast | unicast} level | action {shutdown | trap}}
no storm-control { {broadcast | multicast | unicast} level | action {shutdown | trap}}
Cisco ME 2600X Series Ethernet Access Switch
storm-control { {broadcast | multicast} cir | action shutdown}
no storm-control { {broadcast | multicast} cir | action shutdown}
Syntax Description
broadcast | Enables broadcast storm control on the port. |
multicast | Enables multicast storm control on the port. |
unicast | Enables unicast storm control on the port. |
level | Defines the rising and falling suppression levels.
|
action | Specifies the action to take when a storm occurs on a port. The default action is to filter traffic. |
shutdown | Disables the port during a storm. |
Cisco 800M Series ISR Software Configuration Guide
Configuring Ethernet Switch Ports
This chapter gives an overview of configuration tasks for the Gigabit Ethernet (GE) switch on the Cisco 800M Series ISR.
This chapter contains the following sections:
Configuring VLANs
A VLAN is a switched network that is logically segmented by function, project team, or application, without regard to the physical locations of the users. VLANs have the same attributes as physical LANs, but you can group end stations even if they are not physically located on the same LAN segment. Any switch port can belong to a VLAN, and unicast, broadcast, and multicast packets are forwarded and flooded only to end stations in the VLAN. Each VLAN is considered a logical network, and packets destined for stations that do not belong to the VLAN must be forwarded through a router.
For detailed information on VLANs, see the following web link:
http://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst3750/software/release/15-0_2_se/configuration/guide/scg3750/swvlan.html
For a sample VLAN configuration, see “Example: VLAN configuration”.
Example: VLAN configuration
The following example shows how to configure inter-VLAN routing:
Router# configure terminal
Router(config)# vlan 1
Router(config)# vlan 2
Router(config)# interface vlan 1
Router(config-if)# ip address 1.1.1.1 255.255.255.0
Router(config-if)# no shut
Router(config-if)# interface vlan 2
Router(config-if)# ip address 2.2.2.2 255.255.255.0
Router(config-if)# no shut
Router(config-if)# interface gigabitethernet 0/1
Router(config-if)# switchport access vlan 1
Router(config-if)# interface gigabitethernet 0/2
Router(config-if)# switchport access vlan 2
Router(config-if)# exit
Configuring VTP
VTP is a Layer 2 messaging protocol that maintains VLAN configuration consistency by managing the addition, deletion, and renaming of VLANs on a network-wide basis. VTP minimizes misconfigurations and configuration inconsistencies that can cause several problems, such as duplicate VLAN names, incorrect VLAN-type specifications, and security violations.
Before you create VLANs, you must decide whether to use VTP in your network. Using VTP, you can make configuration changes centrally on one or more switches and have those changes automatically communicated to all the other switches in the network. Without VTP, you cannot send information about VLANs to other switches. VTP is designed to work in an environment where updates are made on a single switch and are sent through VTP to other switches in the domain. It does not work well in a situation where multiple updates to the VLAN database occur simultaneously on switches in the same domain, which would result in an inconsistency in the VLAN database.
You should understand the following concepts for configuring VTP.
- VTP domain: A VTP domain (also called a VLAN management domain) consists of one switch or several interconnected switches or switch stacks under the same administrative responsibility sharing the same VTP domain name. A switch can be in only one VTP domain. You make global VLAN configuration changes for the domain.
- VTP server: In VTP server mode, you can create, modify, and delete VLANs, and specify other configuration parameters (such as the VTP version) for the entire VTP domain. VTP servers advertise their VLAN configurations to other switches in the same VTP domain and synchronize their VLAN configurations with other switches based on advertisements received over trunk links. VTP server is the default mode.
- VTP client: A VTP client behaves like a VTP server and transmits and receives VTP updates on its trunks, but you cannot create, change, or delete VLANs on a VTP client. VLANs are configured on another switch in the domain that is in server mode.
- VTP transparent: VTP transparent switches do not participate in VTP. A VTP transparent switch does not advertise its VLAN configuration and does not synchronize its VLAN configuration based on received advertisements. However, in VTP version 2 or version 3, transparent switches do forward VTP advertisements that they receive from other switches through their trunk interfaces. You can create, modify, and delete VLANs on a switch in VTP transparent mode.
For detailed information on VTP, see the following web link:
http://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst3750/software/release/15-0_2_se/configuration/guide/scg3750/swvtp.html
For a sample VTP configuration, see “Example: Configuring VTP”.
Example: Configuring VTP
The following example shows how to configure the switch as a VTP server:
Router# configure terminal
Router(config)# vtp mode server
Router(config)# vtp domain Lab_Network
Router(config)# vtp password WATER
Router(config)# exit
The following example shows how to configure the switch as a VTP client:
Router# configure terminal
Router(config)# vtp mode client
Router(config)# exit
The following example shows how to configure the switch as VTP transparent:
Router# configure terminal
Router(config)# vtp mode transparent
Router(config)# exit
Configuring 802.1x Authentication
IEEE 802.1x port-based authentication defines a client-server-based access control and authentication protocol to prevent unauthorized clients from connecting to a LAN through publicly accessible ports. The authentication server authenticates each client connected to a switch port before allowing access to any switch or LAN services. Until the client is authenticated, IEEE 802.1x access control allows only Extensible Authentication Protocol over LAN (EAPOL), Cisco Discovery Protocol (CDP), and Spanning Tree Protocol (STP) traffic through the port to which the client is connected. After authentication, normal traffic passes through the port.
With IEEE 802.1x authentication, the devices in the network have specific roles:
- Supplicant—Device (workstation) that requests access to the LAN and switch services and responds to requests from the router. The workstation must be running IEEE 802.1x-compliant client software such as that offered in the Microsoft Windows XP operating system. (The supplicant is sometimes called the client.)
- Authentication server—Device that performs the actual authentication of the supplicant. The authentication server validates the identity of the supplicant and notifies the router whether or not the supplicant is authorized to access the LAN and switch services. The Network Access Device (or Cisco ISR router in this instance) transparently passes the authentication messages between the supplicant and the authentication server, and the authentication process is carried out between the supplicant and the authentication server. The particular EAP method used will be decided between the supplicant and the authentication server (RADIUS server). The RADIUS security system with EAP extensions is available in Cisco Secure Access Control Server Version 3.0 or later. RADIUS operates in a client and server model in which secure authentication information is exchanged between the RADIUS server and one or more RADIUS clients.
- Authenticator—Router that controls the physical access to the network based on the authentication status of the supplicant. The router acts as an intermediary between the supplicant and the authentication server, requesting identity information from the supplicant, verifying that information with the authentication server, and relaying a response to the supplicant. The router includes the RADIUS client, which is responsible for encapsulating and decapsulating the EAP frames and interacting with the authentication server.
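A port only plays the authenticator role described above when it is configured for it. The following added example (not part of the Cisco guide) audits a running-config for enabled access ports that do not enforce 802.1x, using the commands from this chapter's "Example: Enabling IEEE 802.1x and AAA on a Switch Port". The sample configuration is constructed; `force-authorized` is an IOS `authentication port-control` keyword that does not appear on this page.

```python
"""Audit a running-config for access ports that do not enforce 802.1x."""

# Constructed running-config; interface names and VLANs are sample values.
SAMPLE_CONFIG = """\
aaa new-model
aaa authentication dot1x default group radius
dot1x system-auth-control
!
interface GigabitEthernet0/1
 switchport mode access
 authentication port-control auto
 dot1x pae authenticator
!
interface GigabitEthernet0/2
 switchport access vlan 2
!
interface GigabitEthernet0/3
 switchport mode access
 shutdown
!
interface GigabitEthernet0/4
 switchport mode access
 authentication port-control force-authorized
 dot1x pae authenticator
!
interface Vlan1
 ip address 1.1.1.1 255.255.255.0
!
"""

# Global commands the page's example enters before touching the interface.
GLOBAL_REQUIRED = (
    "aaa new-model",
    "aaa authentication dot1x",
    "dot1x system-auth-control",
)


def parse(config):
    """Split a running-config into global lines and per-interface stanzas."""
    global_lines, stanzas, current = [], {}, None
    for raw in config.splitlines():
        line = raw.rstrip()
        if not line.strip() or line.strip() == "!":
            if not line[:1].isspace():
                current = None  # a column-0 "!" or blank line ends the stanza
            continue
        if line.startswith("interface "):
            current = stanzas.setdefault(line.split(None, 1)[1], [])
        elif line[0].isspace() and current is not None:
            current.append(line.strip())
        else:
            current = None
            global_lines.append(line)
    return global_lines, stanzas


def audit(config):
    """Return (location, problem) pairs for missing 802.1x enforcement."""
    global_lines, stanzas = parse(config)
    findings = []
    for needed in GLOBAL_REQUIRED:
        if not any(line.startswith(needed) for line in global_lines):
            findings.append(("global", f"missing '{needed}'"))
    for name, cmds in stanzas.items():
        is_access = any(
            c.startswith(("switchport mode access", "switchport access vlan"))
            for c in cmds)
        if not is_access or "shutdown" in cmds:
            continue  # routed/VLAN interfaces and disabled ports are skipped
        control = next(
            (c for c in cmds if c.startswith("authentication port-control")), None)
        if control is None:
            findings.append((name, "no 'authentication port-control' configured"))
        elif control != "authentication port-control auto":
            findings.append((name, f"'{control}' is not 'auto'; 802.1x exchange is not enforced"))
        if "dot1x pae authenticator" not in cmds:
            findings.append((name, "missing 'dot1x pae authenticator'"))
    return findings


if __name__ == "__main__":
    for where, problem in audit(SAMPLE_CONFIG):
        print(f"{where}: {problem}")
```
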
For detailed information on how to configure 802.1x port-based authentication, see the following link:
http://www.cisco.com/c/en/us/td/docs/ios-xml/ios/sec_usr_8021x/configuration/15-mt/sec-user-8021x-15-mt-book/config-ieee-802x-pba.html
For a sample 802.1x authentication configuration see “Example: Enabling IEEE 802.1x and AAA on a Switch Port”.
Example: Enabling IEEE 802.1x and AAA on a Switch Port
This example shows how to configure a Cisco 800M series ISR as an 802.1x authenticator.
Router> enable
Router# configure terminal
Router(config)# dot1x system-auth-control
Router(config)# aaa new-model
Router(config)# aaa authentication dot1x default group radius
Router(config)# interface gigabitethernet 0/1
Router(config-if)# switchport mode access
Router(config-if)# authentication port-control auto
Router(config-if)# dot1x pae authenticator
Router(config-if)# end
Configuring Spanning Tree Protocol
Spanning Tree Protocol (STP) is a Layer 2 link management protocol that provides path redundancy while preventing loops in the network. For a Layer 2 Ethernet network to function properly, only one active path can exist between any two stations. Multiple active paths among end stations cause loops in the network. If a loop exists in the network, end stations might receive duplicate messages. Switches might also learn end-station MAC addresses on multiple Layer 2 interfaces. These conditions result in an unstable network. Spanning-tree operation is transparent to end stations, which cannot detect whether they are connected to a single LAN segment or a switched LAN of multiple segments.
The STP uses a spanning-tree algorithm to select one switch of a redundantly connected network as the root of the spanning tree. The algorithm calculates the best loop-free path through a switched Layer 2 network by assigning a role to each port based on the role of the port in the active topology:
- Root—A forwarding port elected for the spanning-tree topology
- Designated—A forwarding port elected for every switched LAN segment
- Alternate—A blocked port providing an alternate path to the root bridge in the spanning tree
- Backup—A blocked port in a loopback configuration
The switch that has all of its ports as the designated role or as the backup role is the root switch. The switch that has at least one of its ports in the designated role is called the designated switch. Spanning tree forces redundant data paths into a standby (blocked) state. If a network segment in the spanning tree fails and a redundant path exists, the spanning-tree algorithm recalculates the spanning-tree topology and activates the standby path. Switches send and receive spanning-tree frames, called bridge protocol data units (BPDUs), at regular intervals. The switches do not forward these frames but use them to construct a loop-free path. BPDUs contain information about the sending switch and its ports, including switch and MAC addresses, switch priority, port priority, and path cost. Spanning tree uses this information to elect the root switch and root port for the switched network and the root port and designated port for each switched segment.
When two ports on a switch are part of a loop, the spanning-tree port priority and path cost settings control which port is put in the forwarding state and which is put in the blocking state. The spanning-tree port priority value represents the location of a port in the network topology and how well it is located to pass traffic. The path cost value represents the media speed.
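The election described above, worked through in an added Python example that is not part of the Cisco guide: it picks the root switch from bridge priority and MAC address, then assigns root, designated and alternate roles by comparing path cost, sending switch and port priority. The topology, MAC addresses and bridge priorities are constructed, and a cost of 4 and a port priority of 128 are assumed Gigabit Ethernet defaults.

```python
"""Root-switch and port-role election on a constructed three-switch topology."""
import copy
import math

# Constructed topology. Each port maps to (path cost, port priority).
# 4 and 128 are assumed Gigabit defaults; 64 and 18 echo the values used
# in the spanning-tree configuration examples on this page.
SWITCHES = {
    "A": {"priority": 24576, "mac": "0000.0000.000a",
          "ports": {1: (4, 128), 2: (4, 64), 3: (4, 128)}},
    "B": {"priority": 32768, "mac": "0000.0000.000b",
          "ports": {1: (4, 128), 2: (4, 128), 3: (4, 128)}},
    "C": {"priority": 32768, "mac": "0000.0000.000c",
          "ports": {1: (18, 128), 2: (4, 128)}},
}
# (switch, port, switch, port). A and B are joined by two parallel links.
LINKS = [("A", 1, "B", 1), ("A", 2, "B", 2), ("A", 3, "C", 1), ("B", 3, "C", 2)]


def elect(switches, links):
    """Return (root switch, root path cost per switch, role per (switch, port))."""

    def bridge_id(name):
        sw = switches[name]
        return (sw["priority"], int(sw["mac"].replace(".", ""), 16))

    def port_id(name, port):
        return (switches[name]["ports"][port][1], port)

    def neighbours(name):
        for a, ap, b, bp in links:
            if a == name:
                yield ap, b, bp
            if b == name:
                yield bp, a, ap

    # Lowest (priority, MAC) wins the root election.
    root = min(switches, key=bridge_id)
    cost = {name: math.inf for name in switches}
    cost[root] = 0
    root_port = {}

    # Repeat the BPDU comparison until costs settle; one round per switch suffices.
    for _ in switches:
        for name in switches:
            if name == root:
                continue
            best = min(
                (cost[peer] + switches[name]["ports"][lp][0],  # root path cost
                 bridge_id(peer),                               # sending switch
                 port_id(peer, pp),                             # sending port
                 port_id(name, lp))                             # receiving port
                for lp, peer, pp in neighbours(name))
            cost[name], root_port[name] = best[0], best[3][1]

    # On each link the better end is designated; the other end is either
    # that switch's root port or an alternate (blocked) port.
    roles = {}
    for a, ap, b, bp in links:
        side_a = (cost[a], bridge_id(a), port_id(a, ap))
        side_b = (cost[b], bridge_id(b), port_id(b, bp))
        winner, loser = ((a, ap), (b, bp)) if side_a < side_b else ((b, bp), (a, ap))
        roles[winner] = "designated"
        roles[loser] = "root" if root_port.get(loser[0]) == loser[1] else "alternate"
    return root, cost, roles


def without_port_priority(switches):
    """Same topology with A port 2 back at the assumed default priority of 128."""
    changed = copy.deepcopy(switches)
    changed["A"]["ports"][2] = (4, 128)
    return changed


if __name__ == "__main__":
    root, cost, roles = elect(SWITCHES, LINKS)
    print("root:", root, "costs:", cost)
    for port, role in sorted(roles.items()):
        print(port, role)
```

Port priority travels in the BPDUs of the sending switch, so lowering it to 64 on A port 2 is what moves B's root port from port 1 to port 2; the cost of 18 on C port 1 makes C prefer the two-hop path through B.
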
For detailed configuration information on STP see the following link:
http://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst3750/software/release/15-0_2_se/configuration/guide/scg3750/swstp.html
For configuration examples, see “Example: Spanning Tree Protocol Configuration”.
Example: Spanning Tree Protocol Configuration
The following example shows configuring spanning-tree port priority of a Gigabit Ethernet interface. If a loop occurs, spanning tree uses the port priority when selecting an interface to put in the forwarding state.
Router# configure terminal
Router(config)# interface gigabitethernet 0/2
Router(config-if)# spanning-tree vlan 1 port-priority 64
Router(config-if)# end
The following example shows how to change the spanning-tree port cost of a Gigabit Ethernet interface. If a loop occurs, spanning tree uses cost when selecting an interface to put in the forwarding state.
Router# configure terminal
Router(config)# interface gigabitethernet 0/2
Router(config-if)# spanning-tree cost 18
Router(config-if)# end
The following example shows configuring the bridge priority of VLAN 10 to 33792:
Router# configure terminal
Router(config)# spanning-tree vlan 10 priority 33792
Router(config)# end
The following example shows configuring the hello time for VLAN 10 being configured to 7 seconds. The hello time is the interval between the generation of configuration messages by the root switch.
Router# configure terminal
Router(config)# spanning-tree vlan 10 hello-time 4
Router(config)# end
The following example shows configuring forward delay time. The forward delay is the number of seconds an interface waits before changing from its spanning-tree learning and listening states to the forwarding state.
Router# configure terminal
Router(config)# spanning-tree vlan 10 forward-time 21
Router(config)# end
The following example shows configuring maximum age interval for the spanning tree. The maximum-aging time is the number of seconds a switch waits without receiving spanning-tree configuration messages before attempting a reconfiguration.
Router# configure terminal
Router(config)# spanning-tree vlan 20 max-age 36
Router(config)# end
The following example shows the switch being configured as the root bridge for VLAN 10, with a network diameter of 4.
Router# configure terminal
Router(config)# spanning-tree vlan 10 root primary diameter 4
Router(config)# exit
Configuring MAC Address Table Manipulation
The MAC address table contains address information that the switch uses to forward traffic between ports. All MAC addresses in the address table are associated with one or more ports. The address table includes these types of addresses:
- Dynamic address: a source MAC address that the switch learns and then drops when it is not in use. You can use the aging time setting to define how long the switch retains unseen addresses in the table.
- Static address: a manually entered unicast address that does not age and that is not lost when the switch resets.
The address table lists the destination MAC address, the associated VLAN ID, and port number associated with the address and the type (static or dynamic).
See “Example: MAC Address Table Manipulation” for sample configurations that enable the secure MAC address option, create a static entry, set the maximum number of secure MAC addresses, and set the aging time.
For detailed configuration information on MAC address table manipulation see the following link:
http://www.cisco.com/c/en/us/td/docs/routers/access/interfaces/software/feature/guide/geshwic_cfg.html#wp1048223
Example: MAC Address Table Manipulation
The following example shows configuration for enabling secure MAC address option on the port.
Router# configure terminal
Router(config)# mac-address-table secure 0004.0005.0006 GigabitEthernet 0/1 vlan 5
Router(config)# end
The following example shows creating a static entry in the MAC address table.
Router# configure terminal
Router(config)# mac-address-table static 0002.0003.0004 interface GigabitEthernet 0/2 vlan 3
Router(config)# end
The following example sets the maximum number of secure MAC addresses to 10.
Router# configure terminal
Router(config)# mac-address-table secure maximum 10 GigabitEthernet 0/1
Router(config)# end
The following example shows setting the aging timer.
Router# configure terminal
Router(config)# mac-address-table aging-time 300
Router(config)# end
Configuring MAC Address Notification Traps
MAC address notification enables you to track users on a network by storing the MAC address activity on the switch. Whenever the switch learns or removes a MAC address, an SNMP notification can be generated and sent to the network management system (NMS). If you have many users coming and going from the network, you can set a trap interval time to bundle the notification traps and reduce network traffic. The MAC notification history table stores the MAC address activity for each hardware port for which the trap is enabled. MAC address notifications are generated for dynamic and secure MAC addresses; events are not generated for self addresses, multicast addresses, or other static addresses.
For configuration examples, see “Example: Configuring MAC Address Notification Traps”.
Example: Configuring MAC Address Notification Traps
This example shows how to enable the MAC notification trap when a MAC address is added to the interface:
Router(config)# interface gigabitethernet 0/1
Router(config-if)# snmp trap mac-notification added
Router(config-if)# end
This example shows how to enable the MAC notification trap when a MAC address is removed from this interface.
Router(config)# interface gigabitethernet 0/1
Router(config-if)# snmp trap mac-notification removed
Router(config-if)# end
Configuring the Switched Port Analyzer
You can analyze network traffic passing through ports or VLANs by using SPAN or RSPAN to send a copy of the traffic to another port on the switch or on another switch that has been connected to a network analyzer or other monitoring or security device. SPAN copies (or mirrors) traffic received or sent (or both) on source ports or source VLANs to a destination port for analysis. SPAN does not affect the switching of network traffic on the source ports or VLANs. You must dedicate the destination port for SPAN use. Except for traffic that is required for the SPAN or RSPAN session, destination ports do not receive or forward traffic.
Only traffic that enters or leaves source ports or traffic that enters or leaves source VLANs can be monitored by using SPAN; traffic routed to a source VLAN cannot be monitored. For example, if incoming traffic is being monitored, traffic that gets routed from another VLAN to the source VLAN cannot be monitored; however, traffic that is received on the source VLAN and routed to another VLAN can be monitored.
See Example: SPAN Configuration for SPAN configuration examples.
For detailed information on how to configure a switched port analyzer (SPAN) session, see the following web link:
http://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst3750/software/release/15-0_2_se/configuration/guide/scg3750/swspan.html
Example: SPAN Configuration
The following example shows how to configure a SPAN session to monitor bidirectional traffic from a Gigabit Ethernet source interface:
Router# configure terminal
Router(config)# monitor session 1 source gigabitethernet 0/1
Router(config)# end
The following example shows how to configure a Gigabit Ethernet interface as the destination for a SPAN session:
Router# configure terminal
Router(config)# monitor session 1 destination gigabitethernet 0/2
Router(config)# end
The following example shows how to remove a Gigabit Ethernet interface as a SPAN source for SPAN session 1:
Router# configure terminal
Router(config)# no monitor session 1 source gigabitethernet 0/1
Router(config)# end
Configuring IGMP Snooping
IGMP snooping constrains the flooding of multicast traffic by dynamically configuring Layer 2 interfaces so that multicast traffic is forwarded to only those interfaces associated with IP multicast devices. As the name implies, IGMP snooping requires the LAN switch to snoop on the IGMP transmissions between the host and the router and to keep track of multicast groups and member ports. When the switch receives an IGMP report from a host for a particular multicast group, the switch adds the host port number to the forwarding table entry; when it receives an IGMP Leave Group message from a host, it removes the host port from the table entry. It also periodically deletes entries if it does not receive IGMP membership reports from the multicast clients.
The multicast router sends out periodic general queries to all VLANs. All hosts interested in this multicast traffic send join requests and are added to the forwarding table entry. The switch creates one entry per VLAN in the IGMP snooping IP multicast forwarding table for each group from which it receives an IGMP join request.
By default, IGMP snooping is globally enabled. When globally enabled or disabled, it is also enabled or disabled in all existing VLAN interfaces. By default, IGMP snooping is enabled on all VLANs, but it can be enabled and disabled on a per-VLAN basis. Global IGMP snooping overrides the per-VLAN IGMP snooping capability. If global snooping is disabled, you cannot enable VLAN snooping. If global snooping is enabled, you can enable or disable snooping on a VLAN basis.
See “Example: Configuring IGMP Snooping” for a sample IGMP snooping configuration.
Example: Configuring IGMP Snooping
The following example shows how to enable IGMP snooping on a VLAN interface.
Router# configure terminal
Router(config)# ip igmp snooping vlan 1
Router# end
The following example shows how to enable a static connection to a multicast router.
Router# configure terminal
Router(config)# ip igmp snooping vlan 1 mrouter interface gigabitethernet 0/1
Router# end
The following example shows how to add a port as a member of a multicast group. Ports normally join multicast groups through the IGMP report message, but you can also statically configure a port as a member of a multicast group.
Router# configure terminal
Router(config)# ip igmp snooping vlan 1 static 0100.5e02.0203 interface gigabitethernet 0/1
Router# end
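The following Python model is an added illustration, not part of the original Cisco documentation or the switch software. It traces how the snooping forwarding table described above changes on reports, leaves, and aging, using the mrouter port and static group from the examples on this page. The class name, the 260-second membership timeout, ports Gi0/2 and Gi0/3, and group 0100.5e01.0101 are assumptions made for the example.

```python
from collections import defaultdict

class IgmpSnoopingTable:
    """Hypothetical model of the per-VLAN multicast forwarding entries."""

    def __init__(self, membership_timeout=260):
        # Assumed timeout in seconds; the page gives no value for the switch.
        self.timeout = membership_timeout
        self.members = defaultdict(dict)  # (vlan, group) -> {port: last report}
        self.static = defaultdict(set)    # (vlan, group) -> ports that never age
        self.mrouter = defaultdict(set)   # vlan -> multicast router ports

    def report(self, vlan, group, port, now):
        """An IGMP report adds (or refreshes) the host port in the entry."""
        self.members[(vlan, group)][port] = now

    def leave(self, vlan, group, port):
        """An IGMP Leave Group message removes the host port from the entry."""
        self.members[(vlan, group)].pop(port, None)

    def age(self, now):
        """Periodic cleanup: drop ports with no recent membership report."""
        for ports in self.members.values():
            for port in [p for p, seen in ports.items() if now - seen > self.timeout]:
                del ports[port]

    def egress_ports(self, vlan, group):
        """Ports that receive traffic for a group that has listeners.

        Returns an empty set when no entry exists; how the switch treats
        unregistered groups is outside this model.
        """
        key = (vlan, group)
        listeners = set(self.members.get(key, {})) | self.static.get(key, set())
        return listeners | self.mrouter.get(vlan, set()) if listeners else set()

def demo():
    table = IgmpSnoopingTable()
    table.mrouter[1].add("Gi0/1")                     # mrouter example above
    table.static[(1, "0100.5e02.0203")].add("Gi0/1")  # static example above
    group = "0100.5e01.0101"                          # constructed group
    table.report(1, group, "Gi0/2", now=0)
    table.report(1, group, "Gi0/3", now=100)
    joined = table.egress_ports(1, group)
    table.leave(1, group, "Gi0/3")
    after_leave = table.egress_ports(1, group)
    table.age(now=300)                                # Gi0/2 last reported at 0
    after_age = table.egress_ports(1, group)
    return joined, after_leave, after_age, table.egress_ports(1, "0100.5e02.0203")

if __name__ == "__main__":
    print(demo())
```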
Configuring Per-Port Storm Control
Storm control prevents traffic on a LAN from being disrupted by a broadcast, a multicast, or a unicast storm on one of the physical interfaces. A LAN storm occurs when packets flood the LAN, creating excessive traffic and degrading network performance. Errors in the protocol-stack implementation, mistakes in the network configuration, or users issuing a denial-of-service attack can cause a storm.
Storm control (or traffic suppression) monitors packets passing from an interface to the switching bus and determines if the packet is unicast, multicast, or broadcast. The switch counts the number of packets of a specified type received within the 1-second time interval and compares the measurement with a predefined suppression-level threshold.
Storm control uses one of these methods to measure traffic activity:
- Bandwidth as a percentage of the total available bandwidth of the port that can be used by the broadcast, multicast, or unicast traffic
- Traffic rate in packets per second at which broadcast, multicast, or unicast packets are received
With either method, the port blocks traffic when the rising threshold is reached. The port remains blocked until the traffic rate drops below the falling threshold (if one is specified) and then resumes normal forwarding. If the falling suppression level is not specified, the switch blocks all traffic until the traffic rate drops below the rising suppression level. In general, the higher the level, the less effective the protection against broadcast storms.

Note: On the C800M platform, when you configure the storm-control action shutdown command, the state of the port changes to administratively down. Use the no shutdown command to manually revert the state of the port.
See “Example: Per-Port Storm-Control” for a sample per-port storm control configuration.
Example: Per-Port Storm-Control
The following example shows bandwidth-based multicast storm control being enabled at 70 percent on a Gigabit Ethernet interface.
Router# configure terminal
Router(config)# interface gigabitethernet 0/2
Router(config-if)# storm-control multicast level 70.0 30.0
Router(config-if)# end
Router# show storm-control multicast
Interface  Filter State   Upper    Lower    Current
---------  -------------  -------  -------  -------
Gi0/0      inactive       100.00%  100.00%  N/A
Gi0/1      inactive       100.00%  100.00%  N/A
Gi0/2      Forwarding     70.00%   30.00%   0.00%
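The rising and falling thresholds act as a hysteresis band. The Python sketch below is an added example, not Cisco code or device output. It applies the 70.0/30.0 levels from the configuration above to a constructed series of per-second traffic samples and compares the result with the case where no falling level is specified; the function names and the "blocked"/"forwarding" labels are assumptions of this model.

```python
from typing import List, Optional, Tuple

def storm_control_states(levels: List[float], rising: float,
                         falling: Optional[float] = None) -> List[Tuple[float, str]]:
    """Classify each 1-second traffic sample (percent of port bandwidth).

    "blocked"/"forwarding" are labels for this model, not device output.
    """
    if falling is None:
        falling = rising            # no falling level: resume below the rising level
    if not 0 <= falling <= rising <= 100:
        raise ValueError("need 0 <= falling <= rising <= 100")
    blocked = False
    states = []
    for level in levels:
        if not blocked and level >= rising:
            blocked = True          # rising threshold reached
        elif blocked and level < falling:
            blocked = False         # rate dropped below the falling threshold
        states.append((level, "blocked" if blocked else "forwarding"))
    return states

def summarize(states: List[Tuple[float, str]]) -> Tuple[int, int]:
    """Return (seconds spent blocked, number of state changes)."""
    names = [state for _, state in states]
    changes = sum(1 for a, b in zip(names, names[1:]) if a != b)
    return names.count("blocked"), changes

# Constructed sample: multicast share of the port per second, in percent.
SAMPLE = [10, 55, 72, 65, 45, 31, 29, 50, 71, 69]

if __name__ == "__main__":
    for label, falling in (("rising 70, falling 30", 30.0), ("rising 70 only", None)):
        states = storm_control_states(SAMPLE, 70.0, falling)
        print(label, summarize(states), [state for _, state in states])
```

With the falling level set, the port stays blocked through the whole burst and changes state less often; without it, the port resumes forwarding as soon as one sample drops under 70 percent.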
Configuring HSRP
The Hot Standby Router Protocol (HSRP) is Cisco's standard method of providing high network availability by providing first-hop redundancy for IP hosts on an IEEE 802 LAN configured with a default gateway IP address. HSRP routes IP traffic without relying on the availability of any single router. It enables a set of router interfaces to work together to present the appearance of a single virtual router or default gateway to the hosts on a LAN. When HSRP is configured on a network or segment, it provides a virtual Media Access Control (MAC) address and an IP address that is shared among a group of configured routers. HSRP allows two or more HSRP-configured routers to use the MAC address and IP network address of a virtual router. The virtual router does not exist; it represents the common target for routers that are configured to provide backup to each other. One of the routers is selected to be the active router and another to be the standby router, which assumes control of the group MAC address and IP address should the designated active router fail.
HSRP uses a priority mechanism to determine which HSRP configured device is to be the default active device. To configure a device as the active device, you assign it a priority that is higher than the priority of all the other HSRP-configured devices. The default priority is 100, so if you configure just one device to have a higher priority, that device will be the default active device. In case of ties, the primary IP addresses are compared, and the higher IP address has priority. If you do not use the standby preempt interface configuration command in the configuration for a router, that router will not become the active router, even if its priority is higher than all other routers.
For more information about configuring HSRP, see the following link:
http://www.cisco.com/c/en/us/td/docs/ios-xml/ios/ipapp_fhrp/configuration/15-mt/fhp-15-mt-book/fhp-hsrp.html
For a sample HSRP configuration, see “Example: Configuring HSRP”.
Example: Configuring HSRP
In this example, Router A is configured to be the active device for group 1 and standby device for group 2. Device B is configured as the active device for group 2 and standby device for group 1.
RouterA# configure terminal
RouterA(config)# interface GigabitEthernet 0/1
RouterA(config-if)# ip address 10.1.0.21 255.255.0.0
RouterA(config-if)# standby 1 priority 110
RouterA(config-if)# standby 1 preempt
RouterA(config-if)# standby 1 ip 10.1.0.3
RouterA(config-if)# standby 2 priority 95
RouterA(config-if)# standby 2 preempt
RouterA(config-if)# standby 2 ip 10.1.0.4
RouterA(config-if)# end
RouterB# configure terminal
RouterB(config)# interface GigabitEthernet 0/1
RouterB(config-if)# ip address 10.1.0.22 255.255.0.0
RouterB(config-if)# standby 1 priority 105
RouterB(config-if)# standby 1 preempt
RouterB(config-if)# standby 1 ip 10.1.0.3
RouterB(config-if)# standby 2 priority 110
RouterB(config-if)# standby 2 preempt
RouterB(config-if)# standby 2 ip 10.1.0.4
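To check which router a given HSRP configuration makes active, the following added Python example (not Cisco code) parses the interface lines from the RouterA/RouterB configuration above and applies the rules stated in this section: highest priority wins, the default priority is 100, ties go to the higher primary IP address, and a router takes over from a current active router only if it has preempt configured. The Router type and the parse and elect functions are hypothetical names, and the model ignores timers.

```python
import ipaddress
import re
from dataclasses import dataclass, field

# Interface-level lines copied from the RouterA/RouterB example on this page.
ROUTER_A = """ip address 10.1.0.21 255.255.0.0
standby 1 priority 110
standby 1 preempt
standby 1 ip 10.1.0.3
standby 2 priority 95
standby 2 preempt
standby 2 ip 10.1.0.4"""
ROUTER_B = """ip address 10.1.0.22 255.255.0.0
standby 1 priority 105
standby 1 preempt
standby 1 ip 10.1.0.3
standby 2 priority 110
standby 2 preempt
standby 2 ip 10.1.0.4"""

@dataclass
class Router:                      # hypothetical model type
    name: str
    ip: ipaddress.IPv4Address = None
    groups: dict = field(default_factory=dict)   # group number -> settings

def parse(name, text):
    """Collect the primary IP address and per-group standby settings."""
    router = Router(name)
    for line in map(str.strip, text.splitlines()):
        if m := re.fullmatch(r"ip address (\S+) \S+", line):
            router.ip = ipaddress.IPv4Address(m[1])
        elif m := re.fullmatch(r"standby (\d+) (priority|preempt|ip)(?: (\S+))?", line):
            g = router.groups.setdefault(
                int(m[1]), {"priority": 100, "preempt": False, "vip": None})
            if m[2] == "priority":
                g["priority"] = int(m[3])
            elif m[2] == "preempt":
                g["preempt"] = True
            else:
                g["vip"] = m[3]
    return router

def elect(alive, group, current=None):
    """Name of the active router for `group` among the routers that are up."""
    up = [r for r in alive if group in r.groups]
    if not up:
        return None
    best = max(up, key=lambda r: (r.groups[group]["priority"], r.ip))
    holder = next((r for r in up if r.name == current), None)
    if holder is None or holder is best or best.groups[group]["preempt"]:
        return best.name
    return holder.name             # without preempt the current active router stays
```

Calling elect([parse("RouterA", ROUTER_A), parse("RouterB", ROUTER_B)], 1) returns "RouterA", and the same call for group 2 returns "RouterB", which matches the roles described for this example.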
Configuring VRRP
The Virtual Router Redundancy Protocol (VRRP) is an election protocol that dynamically assigns responsibility for one or more virtual routers to the VRRP routers on a LAN, allowing several routers on a multiaccess link to utilize the same virtual IP address. A VRRP router is configured to run the VRRP protocol in conjunction with one or more other routers attached to a LAN. In a VRRP configuration, one router is elected as the virtual router master, with the other routers acting as backups in case the virtual router master fails.
An important aspect of the VRRP is VRRP router priority. Priority determines the role that each VRRP router plays and what happens if the virtual router master fails. If a VRRP router owns the IP address of the virtual router and the IP address of the physical interface, this router will function as a virtual router master. Priority also determines if a VRRP router functions as a virtual router backup and the order of ascendancy to becoming a virtual router master if the virtual router master fails. You can configure the priority of each virtual router backup using the vrrp priority command.
By default, a preemptive scheme is enabled whereby a higher priority virtual router backup that becomes available takes over for the virtual router backup that was elected to become virtual router master. You can disable this preemptive scheme using the no vrrp preempt command. If preemption is disabled, the virtual router backup that is elected to become virtual router master remains the master until the original virtual router master recovers and becomes master again.
The virtual router master sends VRRP advertisements to other VRRP routers in the same group. The advertisements communicate the priority and state of the virtual router master. The VRRP advertisements are encapsulated in IP packets and sent to the IP Version 4 multicast address assigned to the VRRP group. The advertisements are sent every second by default; the interval is configurable.
For more information on VRRP, see the following link:
http://www.cisco.com/c/en/us/td/docs/ios-xml/ios/ipapp_fhrp/configuration/15-mt/fhp-15-mt-book/fhp-vrrp.html
For a sample VRRP configuration, see “Example: Configuring VRRP”.
Example: Configuring VRRP
In the following example, Router A and Router B each belong to two VRRP groups, group 1 and group 5. In this configuration, each group has the following properties:
Group 1:
- Virtual IP address is 10.1.0.10.
- Router A will become the master for this group with priority 120.
- Advertising interval is 3 seconds.
- Preemption is enabled.
Group 5:
- Router B will become the master for this group with priority 200.
- Advertising interval is 30 seconds.
- Preemption is enabled.
RouterA(config-if)# no shutdown
RouterA(config-if)# end
RouterB(config)# interface GigabitEthernet 0/1
RouterB(config-if)# ip address 10.1.0.1 255.0.0.0
RouterB(config-if)# vrrp 1 priority 100
RouterB(config-if)# vrrp 1 authentication cisco
RouterB(config-if)# vrrp 1 timers advertise 3
RouterB(config-if)# vrrp 1 timers learn
RouterB(config-if)# vrrp 1 ip 10.1.0.10
RouterB(config-if)# vrrp 5 priority 200
RouterB(config-if)# vrrp 5 timers advertise 30
RouterB(config-if)# vrrp 5 timers learn
RouterB(config-if)# vrrp 5 ip 10.1.0.50
RouterB(config-if)# no shutdown
RouterB(config-if)# end