User Guide
Page 1
... • Prerequisites, page 46 • Configuration Tasks, page 46 • Configuration Examples for Cisco 2600 Series, Cisco 3600 Series, and Cisco 3700 Series Feature History Release 12.2(2)XT 12.2(8)T 12.2(15)ZJ Modification This feature was integrated into Cisco IOS Release 12.2(8)T. and 36-Port Ethernet Switch Module for the 16- Added switching software enhancements: IEEE 802.1x, QoS...
Page 2
...Port-Based Authentication, page 8 • Spanning Tree Protocol, page 12 • Cisco Discovery Protocol, page 24 • Switched Port Analyzer, page 24 • Network Security with ACLs, page 25 • Quality of Service, page 29 • Maximum Number of VLAN and Multicast Groups, page 35 ...1000BASE-T Gigabit Ethernet ports. and 36-port Ethernet switch network modules. New connections can be made between different segments for Cisco 2600 Series, Cisco 3600 Series, and Cisco 3700 Series Feature Overview This document explains how to configure the 16- The gigabit Ethernet can also be...
Page 3
... was received. Normally, Ethernet operates in a properly configured switched environment achieve full access to -point link between interfaces efficiently, the switch maintains an address table. Building the Address Table The Ethernet switch network module builds the address table by using the source address ... sending station with the interface on all ports connect to 200 Mbps for Cisco 2600 Series, Cisco 3600 Series, and Cisco 3700 Series Feature Overview The Ethernet switch network module solves congestion problems caused by all interfaces. You can flow in its address...
Page 4
...switch. and 36-Port Ethernet Switch Module for each VLAN allowed on both ends of an 802.1Q trunk or that is not Cisco devised, is loop-free before disabling spanning tree. The 802.1Q cloud separating the Cisco switches that you disable spanning tree on the access port and untagged (802.3). Layer 2 Interface Configuration... Guidelines and Restrictions Follow these guidelines and restrictions when configuring Layer 2 interfaces: In a network of Cisco switches connected through an 802.1Q trunk, the Cisco switch combines the spanning tree ...
Page 5
... trunk or the VLAN ID configured for Cisco 2600 Series, Cisco 3600 Series, and Cisco 3700 Series Feature Overview Switch Virtual Interfaces A switch virtual interface (SVI) represents a VLAN of other switches in your network. Routed ports...Switch Module for an access port. A routed port is not associated with a VLAN, but it does not support subinterfaces. Routed ports support only CEF switching (IP fast switching is an access port. Only one or more information about configuring IP routing, see the "Configuring IP Multicast Layer 3 Switching" section on one SVI can configure...
Page 6
..., the change to other configuration parameters (such as necessary. VTP Advertisements Each switch in one and only one or more interconnected switches that they receive out their trunk interfaces. and 36-Port Ethernet Switch Module for the entire VTP domain. If the switch receives a VTP advertisement over...in the VTP domain sends periodic advertisements out each VLAN • Frame format Cisco IOS Release 12.2(2)XT, 12.2(8)T, and 12.2(15)ZJ 6 A switch can create and modify VLANs but you configure a management domain. You cannot create or modify VLANs on a VTP server until...
Page 7
... able to 1600 Mbps (Fast EtherChannel full duplex) between the network module and another switch or host. either source or destination or both source and destination. The selected mode applies to all switches in the same VTP domain are not performed when new information is ... VTP version 1, a VTP transparent switch inspects VTP messages for Cisco 2600 Series, Cisco 3600 Series, and Cisco 3700 Series Feature Overview VTP Version 2 If you use VTP in version 1: Unrecognized Type-Length-Value (TLV) Support-A VTP server or client propagates configuration changes to use MAC addresses, or...
Page 8
... to configure IEEE 802.1x port-based authentication to prevent unauthorized devices (clients) from connecting to a LAN through the port to a switch port before making available any services offered by itself, make interfaces incompatible for Cisco 2600 Series, Cisco 3600 Series, and Cisco 3700 ... automatically to avoid network loops and other problems. Follow these guidelines and restrictions to avoid configuration problems: • All Ethernet interfaces on the same module. • Configure all interfaces in an EtherChannel, it is transferred to operate at the same speed and duplex...
Page 10
... by the client using the dot1x port-control auto interface configuration command, the switch must initiate authentication when it determines that the client has been successfully authenticated. Figure 2 Client Message Exchange Cisco router with an EAP-response/identity frame. If the client...state effectively means that the port link state changes from the switch, the client can initiate authentication. The specific exchange of the frame, the client responds with Ethernet switch network module Authentication server (RADIUS) EAPOL-Start EAP-Request/Identity EAP-Response...
Page 11
...Cisco 2600 Series, Cisco 3600 Series, and Cisco 3700 Series Feature Overview Ports in Authorized and Unauthorized States The switch...and all attempts by using the dot1x port-control interface configuration command and these keywords: • force-authorized-disables...services to up, or when an EAPOL-start frame. If the link state of attempts, authentication fails, and network access is successfully authenticated, the port changes to the authorized state, allowing all ingress and egress traffic except for the client to the unauthorized state. and 36-Port Ethernet Switch Module...
Page 12
...all other hosts indirectly attached to the port are granted access to the network. The Ethernet switch network module uses STP (the IEEE 802.1D bridge protocol) on each configured VLAN (provided that you must have a loop-free path between all VLANs. Multiple active... Protocol defines a tree with Ethernet switch network module Authentication server (RADIUS) 88850 Wireless client Spanning Tree Protocol This section describes how to configure the Spanning Tree Protocol (STP) on a switch are connected to a single LAN segment or to the switch. Cisco IOS Release 12.2(2)XT, 12.2(8)T, ...
Page 13
...port priority and MAC address) associated with each Layer 2 interface The Bridge Protocol Data Units (BPDU) are configured with the default priority (32768), the switch with the highest bridge priority (the lowest numerical priority value) is transmitted receive the BPDU. BPDUs contain information ...included in the spanning tree are placed in the VLAN becomes the root switch. For each LAN segment is selected. and 36-Port Ethernet Switch Module for Cisco 2600 Series, Cisco 3600 Series, and Cisco 3700 Series Feature Overview Bridge Protocol Data Units The stable active spanning tree...
Page 15
...Layer 2 interface waits for Cisco 2600 Series, Cisco 3600 Series, and Cisco 3700 Series Feature Overview Figure 4 illustrates how a port moves through the blocking state and the transitory states of listening and learning at power up. and 36-Port Ethernet Switch Module for the forward delay timer ...to expire and then moves the Layer 2 interface to the blocking state. 2. The Layer 2 interface waits for the forward delay timer to expire, moves the Layer 2 interface to the forwarding or blocking state. If properly configured, each...
Page 21
... a per-VLAN Fast Ethernet: 10 basis; If all VLANs Bridge priority 32768 Spanning tree port priority (configurable on a per-VLAN basis; and 36-Port Ethernet Switch Module for all interfaces have the same priority value, spanning tree puts the interface with the first MAC address in the range assigned to VLAN 1, ...on a per-interface 128 basis; For example, if the MAC address range is 00-e0-1e-9b-2e-00 to select first and higher Cisco IOS Release 12.2(2)XT, 12.2(8)T, and 12.2(15)ZJ 21 You can assign lower cost values to interfaces that you want spanning tree to select...
Page 22
... and learning states, and into the forwarding state. Figure 10 BackboneFast Example Before Indirect Link Failure Switch A (Root) Switch B L1 L2 L3 Blocked port Switch C 44963 Cisco IOS Release 12.2(2)XT, 12.2(8)T, and 12.2(15)ZJ 22 and 36-Port Ethernet Switch Module for the configured maximum aging time specified by the spanning-tree max-age global...
Page 24
...running lower-layer, transparent protocols. You can be indicated by a syslog message. You configure SPAN sessions using parameters that all Cisco routers, bridges, access servers, and switches. Once an interface becomes an active destination interface, incoming traffic is an interface monitored ...except that support Subnetwork Access Protocol (SNAP). When enabled, a SPAN session might become active or inactive based on the same network module. Destination Interface A destination interface (also called a monitor interface) is a protocol that runs over Layer 2 (the data link layer...
Page 25
...Switch Module for Cisco 2600 Series, Cisco 3600 Series, and Cisco 3700 Series Feature Overview Trunk interfaces can be SPAN source interfaces; Egress SPAN (Tx) copies network traffic transmitted from the SPAN source. • Use a network analyzer to monitor interfaces. • You can be configured as access lists. In some SPAN configurations... within a single SPAN session. • You cannot configure a SPAN destination interface to in the monitored traffic, so any BPDUs seen on your Ethernet switch network module can be run at the destination interface. SPAN Traffic Network...
Page 26
... permit or deny and a set of access control entries (ACEs). and 36-Port Ethernet Switch Module for Cisco 2600 Series, Cisco 3600 Series, and Cisco 3700 Series Understanding ACLs Packet filtering can filter traffic as it passes through the switch could be configured to access a part of a network, but not both traffic types in the list is...
Page 27
...the fragment (including protocol type, such as if it were a complete packet because all packet fragments. Consider access list 102, configured with Ethernet switch network module Host B Human Resources network Research & Development network = ACL denying traffic from Host B and permitting traffic from host 10.2.2.2, ...of the packet contains the Layer 4 information, such as they cross the network. 16- The remaining fragments also match the Cisco IOS Release 12.2(2)XT, 12.2(8)T, and 12.2(15)ZJ 27 ACEs that check Layer 4 information never match a fragment unless the...
Page 28
...A mask can specify a TCP source, destination port number, or both at the same time.) - and 36-Port Ethernet Switch Module for Cisco 2600 Series, Cisco 3600 Series, and Cisco 3700 Series first ACE, even though they do not contain the SMTP port information because the first ACE only checks Layer 3 ...Layer 4 fields. • Layer 3 fields: - The specific values associated with a given mask are referred to perform an action. Packets can be configured on these masks can be a combination of host 10.1.1.2 as masks in all 32 IP source address bits to define the flow, or specify a ...