User Guide
Page 1
... Tasks, page 46 • Configuration Examples ... for switch virtual interfaces (SVIs). Added switching software enhancements: IEEE 802.1x, QoS (including Layer 2/Layer 3 CoS/DSCP mapping and rate limiting), security ACLs, IGMP snooping, per-port storm control, and fallback bridging support for the ... 12.2(15)ZJ. 1 This feature was introduced on the Cisco 2600 series, Cisco 3600 series, and Cisco 3700 series routers. 16- and 36-Port Ethernet Switch Module (NM-16ESW and NM-36ESW) for Cisco 2600 Series, Cisco 3600 Series, and Cisco 3700 Series. Feature History: Release 12.2(2)XT, 12.2(8)T, 12...
Page 2
... Authentication, page 8 • Spanning Tree Protocol, page 12 • Cisco Discovery Protocol, page 24 • Switched Port Analyzer, page 24 • Network Security with ACLs, page 25 • Quality of Service, page 29 • Maximum Number of ... the packet ... for the next packet. New connections can be made between different...
Page 5
... VLAN ... Feature Overview. Switch Virtual Interfaces: A switch virtual interface (SVI) represents a VLAN of switch ports as one interface to the routing function. The module supports routed ports and SVIs; it does not support subinterfaces. Routed Ports: A routed port is a physical port that acts like a port on a regular router ... Routed ports can be configured ... VTP ... maintains VLAN configuration consistency ... VTP minimizes misconfigurations and configuration inconsistencies that can cause problems such as ... incorrect VLAN-type specifications, and security violations.
Page 7
...switch. VTP version 2 is disabled by default ... one domain is supported in the NM-16ESW ... When VTP version 2 is enabled on a switch, all version 2-capable switches in the domain enable VTP version 2 ... • A VTP version 2-capable switch can use VTP version 1 or version 2. ... The switch stores the VTP configuration in NVRAM ... the domain name and version ... when in secure mode ... EtherChannel bundles up to eight individual Ethernet links into a single logical link ... unless all EtherChannels configured on each switch in the management domain ... The Cisco IOS ... Ctrl...
Page 9
... Remote Authentication Dial-In User Service (RADIUS) security system with ... Extensible Authentication Protocol (EAP) extensions is the only supported authentication server; it is available in Cisco Secure Access Control Server version 3.0. RADIUS operates in a client/server model ... • Switch: acts as an intermediary between the client and the authentication server, requesting identity information from the client, verifying that information with the authentication server, and relaying a response to the client. The switch includes the RADIUS client, which is responsible for encapsulating and decapsulating the EAP frames and interacting with the authentication server. • Client: the device (workstation) that requests access to the LAN and switch services and responds to requests from the switch ... These devices must support EAP within the native frame ...
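The encapsulation step described above, as an added example (a Python model, not code from the Cisco document or from Cisco IOS): the switch's RADIUS client takes the EAP frame the client sent in EAPOL, carries it to the authentication server inside EAP-Message attributes of a RADIUS Access-Request, and protects the request with a Message-Authenticator (HMAC-MD5 over the packet, as specified in RFC 3579). The shared secret, the supplicant identity, the request authenticator and the attribute selection are constructed for the example; the attribute numbers are the standard RADIUS ones.

```python
"""Encapsulating a supplicant's EAP frame in a RADIUS Access-Request.

Added example, not code from the Cisco document: models what the switch's
RADIUS client does for 802.1x and what the server checks on receipt. The
shared secret, identity and authenticator values are constructed.
"""
import hmac
import os
import struct
from typing import List, Tuple

ACCESS_REQUEST = 1
USER_NAME, NAS_PORT_TYPE, EAP_MESSAGE, MESSAGE_AUTHENTICATOR = 1, 61, 79, 80
NAS_PORT_TYPE_ETHERNET = 15
EAP_RESPONSE, EAP_TYPE_IDENTITY = 2, 1
MAX_ATTR_VALUE = 253        # one-byte attribute length minus the type and length octets


def eap_identity_response(identifier: int, identity: bytes) -> bytes:
    """EAP-Response/Identity as the supplicant sends it inside EAPOL (RFC 3748)."""
    body = bytes([EAP_TYPE_IDENTITY]) + identity
    return struct.pack("!BBH", EAP_RESPONSE, identifier, 4 + len(body)) + body


def _attr(atype: int, value: bytes) -> bytes:
    if len(value) > MAX_ATTR_VALUE:
        raise ValueError("RADIUS attribute value too long")
    return struct.pack("!BB", atype, 2 + len(value)) + value


def build_access_request(secret: bytes, identifier: int, authenticator: bytes,
                         user_name: bytes, eap_frame: bytes) -> bytes:
    """Wrap eap_frame in EAP-Message attributes and sign with Message-Authenticator."""
    if len(authenticator) != 16:
        raise ValueError("Request Authenticator must be 16 bytes")
    attrs = _attr(USER_NAME, user_name)
    attrs += _attr(NAS_PORT_TYPE, struct.pack("!I", NAS_PORT_TYPE_ETHERNET))
    # A frame longer than one attribute can hold is split across several
    # EAP-Message attributes, which the server concatenates in order.
    for i in range(0, len(eap_frame), MAX_ATTR_VALUE):
        attrs += _attr(EAP_MESSAGE, eap_frame[i:i + MAX_ATTR_VALUE])
    attrs += _attr(MESSAGE_AUTHENTICATOR, bytes(16))    # zeroed while the HMAC is computed
    header = struct.pack("!BBH", ACCESS_REQUEST, identifier, 20 + len(attrs)) + authenticator
    packet = bytearray(header + attrs)
    packet[-16:] = hmac.new(secret, bytes(packet), "md5").digest()
    return bytes(packet)


def parse_attributes(packet: bytes) -> List[Tuple[int, bytes]]:
    """Walk the attribute list after the 20-byte header; reject malformed lengths."""
    attrs, pos = [], 20
    while pos < len(packet):
        if pos + 2 > len(packet):
            raise ValueError("truncated RADIUS attribute")
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > len(packet):
            raise ValueError("malformed RADIUS attribute")
        attrs.append((atype, packet[pos + 2:pos + alen]))
        pos += alen
    return attrs


def verify_message_authenticator(secret: bytes, packet: bytes) -> bool:
    """Server-side check: recompute the HMAC with the attribute zeroed in place.
    A request carrying EAP-Message but no Message-Authenticator is rejected."""
    pos = 20
    while pos + 2 <= len(packet):
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > len(packet):
            return False
        if atype == MESSAGE_AUTHENTICATOR and alen == 18:
            received = packet[pos + 2:pos + 18]
            zeroed = packet[:pos + 2] + bytes(16) + packet[pos + 18:]
            expected = hmac.new(secret, zeroed, "md5").digest()
            return hmac.compare_digest(received, expected)
        pos += alen
    return False


def reassemble_eap(packet: bytes) -> bytes:
    """Concatenate the EAP-Message attributes back into the original EAP frame."""
    return b"".join(v for t, v in parse_attributes(packet) if t == EAP_MESSAGE)


if __name__ == "__main__":
    secret = b"constructed-shared-secret"
    eap = eap_identity_response(1, b"alice@example.com")
    request = build_access_request(secret, 7, os.urandom(16), b"alice@example.com", eap)
    print(len(request), "bytes; authenticator valid:",
          verify_message_authenticator(secret, request))
```

The Message-Authenticator is what stops a spoofed EAP exchange from being accepted on the server side; the RADIUS shared secret is therefore as sensitive as any credential the authentication server holds, which is why the switch-to-RADIUS-server configuration later in this document carries a key per server.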
Page 25
... SPAN ... traffic received and transmitted by the source interfaces ... Trunk interfaces can be SPAN source interfaces; ... you can mix individual ... • Outgoing CDP and BPDU packets will not be ... using SPAN. • You can ... only one SPAN destination interface. ... the SPAN destination, also referred to as a destination interface (d1) ... analysis ... • When you specify multiple ... any previously entered configuration. Network Security with ACLs: Network security on the ...
Page 26
... Understanding ACLs: Packet filtering can limit network traffic and restrict network use by certain users or devices ... one host to access a part of ... An ACL is a sequential list of permit and deny conditions, expressed as a set of access control entries (ACEs). The switch tests the packet against any applied ACLs to verify that the packet has the required permissions ... comparing the fields in the packet against the conditions in the ACL one by one; the first match determines whether the packet is permitted or denied, so the order of ACEs in the same ACL matters ... to provide basic security for ... matching operations. As packets enter the switch on an interface, ACLs associated with features configured on physical...
Page 29
... permits all TCP packets coming from the host 20.1.1.1 with a destination TCP port number of ... Without QoS, the switch offers best-effort service to each packet, regardless of the packet contents or size. ... masks ... can be shared by QoS and security ACLs. For more information on system-defined masks ... You can use the same mask in security ACLs. However, a system error message appears if ... more than four different masks ... in an ACL ... Cisco Catalyst switches. For example:
Switch(config)# ip access-list extended acl2
Switch(config-ext-nacl)# permit tcp 10.1.1.1 0.0.0.0 any eq 80
Switch(config-ext-nacl)# ...
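The first-match test described in the Understanding ACLs section, applied to ACEs written in the syntax of the acl2 example above, as an added example (a Python model, not code from the Cisco document or from Cisco IOS). It parses named extended ACL entries (`any`, `host A.B.C.D`, `A.B.C.D wildcard`, optional `eq port`), evaluates constructed packets in order with the implicit deny at the end, and shows how a broad deny placed before a specific permit shadows it. The `distinct_masks` helper is an aid for reasoning about the mask resource the text says QoS and security ACLs share; the exact platform limit is not restated here, so it only reports the set.

```python
"""First-match evaluation of a Cisco IOS style extended IP ACL.

Added example, not code from the Cisco document: models how the switch
tests a packet against the ACEs of an ACL in order, stops at the first
match, and applies the implicit deny when nothing matches. The sample
packets and the second ACL are constructed for illustration.
"""
from dataclasses import dataclass
from ipaddress import IPv4Address
from typing import List, Optional, Set, Tuple


def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """IOS wildcard semantics: a 1 bit in the wildcard means 'don't care'."""
    a, b, w = (int(IPv4Address(x)) for x in (addr, base, wildcard))
    care = ~w & 0xFFFFFFFF
    return a & care == b & care


@dataclass(frozen=True)
class ACE:
    action: str                 # "permit" or "deny"
    protocol: str               # "ip" matches any IP protocol
    src: str
    src_wc: str
    dst: str
    dst_wc: str
    dst_port: Optional[int]     # from "eq N"; None means any destination port


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    protocol: str               # "tcp", "udp", "icmp", ...
    dst_port: Optional[int] = None


def _take_address(tokens: List[str]) -> Tuple[str, str]:
    """Consume one address spec: 'any', 'host A.B.C.D', or 'A.B.C.D W.W.W.W'."""
    head = tokens.pop(0)
    if head == "any":
        return "0.0.0.0", "255.255.255.255"
    if head == "host":
        return tokens.pop(0), "0.0.0.0"
    return head, tokens.pop(0)


def parse_ace(line: str) -> ACE:
    """Parse one named-ACL entry such as 'permit tcp 10.1.1.1 0.0.0.0 any eq 80'."""
    tokens = line.split()
    action, protocol, rest = tokens[0], tokens[1], tokens[2:]
    if action not in ("permit", "deny"):
        raise ValueError(f"unknown action in ACE: {line!r}")
    src, src_wc = _take_address(rest)
    dst, dst_wc = _take_address(rest)
    dst_port = None
    if rest:
        if rest[0] != "eq" or len(rest) != 2:
            raise ValueError(f"unsupported qualifier in ACE: {line!r}")
        dst_port = int(rest[1])
    return ACE(action, protocol, src, src_wc, dst, dst_wc, dst_port)


def ace_matches(ace: ACE, pkt: Packet) -> bool:
    if ace.protocol != "ip" and ace.protocol != pkt.protocol:
        return False
    if not wildcard_match(pkt.src, ace.src, ace.src_wc):
        return False
    if not wildcard_match(pkt.dst, ace.dst, ace.dst_wc):
        return False
    return ace.dst_port is None or ace.dst_port == pkt.dst_port


def evaluate(acl: List[ACE], pkt: Packet) -> Tuple[str, Optional[int]]:
    """First match wins; a packet matching no ACE hits the implicit deny (index None)."""
    for index, ace in enumerate(acl):
        if ace_matches(ace, pkt):
            return ace.action, index
    return "deny", None


def distinct_masks(acl: List[ACE]) -> Set[Tuple[str, str, bool]]:
    """Distinct (src wildcard, dst wildcard, port checked?) combinations the ACL uses.
    Masks are a shared, limited resource for QoS and security ACLs; the limit
    itself is not modelled here, only the set an ACL would consume."""
    return {(a.src_wc, a.dst_wc, a.dst_port is not None) for a in acl}


# The document's ACE followed by an explicit deny-all (constructed).
ACL2 = [parse_ace(l) for l in ("permit tcp 10.1.1.1 0.0.0.0 any eq 80",
                               "deny ip any any")]
# Constructed ACL in which an earlier broad deny shadows the specific permit.
SHADOWED = [parse_ace(l) for l in ("deny ip 10.1.1.0 0.0.0.255 any",
                                   "permit tcp host 10.1.1.1 any eq 80")]

if __name__ == "__main__":
    web = Packet("10.1.1.1", "192.0.2.10", "tcp", 80)
    print("acl2:", evaluate(ACL2, web), "shadowed:", evaluate(SHADOWED, web))
```

Because evaluation stops at the first match, the practical check before applying an ACL is to run the traffic you intend to permit through it and confirm the index of the matching ACE is the one you expect; a permit that is never reached is a silent outage, and a deny that is never reached is a silent hole.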
Page 32
... and Marking" section ... on a physical interface basis. No support exists for ... • Classification is the process of ... • Policing determines whether a packet is in or out of profile ... the result of this determination ... • Marking: ... marked or changed accordingly. Classification based on QoS ACLs: the permit and deny actions in the ACEs have different meanings than with security ACLs: • If a match with a permit action is encountered (first-match principle), ... the packet. • If ... all the ACEs have been examined ... • If multiple ACLs are ... Queuing and scheduling ... classifying packets at egress ... You can...
Page 40
... reached. ... The falling threshold is the percentage of the total available bandwidth of that port ... As an access gateway switch, the Ethernet switch network module can use port security to filter traffic destined to or received from ... hosts ... a centralized call-processing network using a centrally deployed Cisco CallManager (CCM). Ethernet Switching in Cisco AVVID Architecture: This section describes the...
Page 43
... Unsupported features: • CGMP fast-leave • Dynamic ports • Dynamic access ports • Secure ports • Dynamic trunk protocol • Dynamic VLANs • GARP, GMRP, and GVRP • ISL tagging (the chip does not support ISL) • Layer 3 switching onboard • Monitoring of interfaces ... Identical commands can be saved as macros. ... Feature Overview. Figure 19 Fallback Bridging Network Example [figure: Cisco router with Ethernet switch network module; routed port 172.20.130.1; Host C 172.20.128.1; SVI ...]
Page 46
... Configuring Port Security, page 72 • Configuring Cisco Discovery Protocol, page 74 • Configuring Switched Port Analyzer, page 76 • Configuring Network Security with ACLs, page 78 • Configuring Quality of Service ... Prerequisites: ... the Cisco 2600 series, Cisco 3600 series, or Cisco 3700 series router. In addition, complete the following tasks before configuring this feature: • Configure IP routing ... For more information on...
Page 62
... (802.1x configuration, continued; the earlier steps enable AAA with the aaa new-model global configuration command and configure the RADIUS server parameters on the switch ...)
Step 4 interface interface-id: Enters interface configuration mode and specifies the interface to be enabled for 802.1x authentication.
Step 5 dot1x port-control auto: Enables 802.1x authentication on the interface.
Step 6 end: Returns to privileged EXEC mode.
Step 7 show dot1x: Verifies your entries.
Step 8 copy running-config startup-config: (Optional) Saves your entries in the configuration file.
Configuring the Switch-to-RADIUS-Server Communication: RADIUS security servers are ... tried in ... multiple UDP ports on the ... If two ... Beginning in privileged EXEC mode, follow these steps to ...
Page 72
... tree on the switch. ... Verifies your entries. (Optional) Saves your entries in ... Beginning in global configuration mode: Step 1 ... Step 2 Router(config)# no spanning-tree backbonefast ... global configuration command. Router# show spanning-tree vlan 200 ... Spanning tree instance for ... Configuring MAC Table Manipulation - Port Security: Port security is disabled ...
Page 73
...the MAC address table. ... Secures the MAC address traffic on the port. ... Exits configuration mode. ... Configuration Tasks. Enabling Known MAC Address Traffic: To enable the MAC address secure option, use the following commands beginning in privileged EXEC mode...
Page 78
...describe access lists and the steps for ... Configuring Network Security with ACLs ... An ACL is briefly described ... a list of permit and deny conditions ... with a header length of ... The switch tests packets against the conditions in the ACL one at a time ... For more information on configuring router ACLs, refer to the Cisco IP Configuration Guide for Cisco IOS Release 12.2. For a list ... the steps to create switch IP ACLs ... The software supports these Cisco IOS router ACL-related features: • Non-IP protocol ACLs (see the following section ...
Page 86
... Maps, page 96 • Displaying QoS Information, page 97 ... Displays information about all packets. ... This section describes how to apply ACLs to a Layer 2 interface or a Layer 3 interface ... for network security. Note: The ip access-group interface configuration command is only...
Page 97
...match criteria ... to the default map, use one or more of the ... show mls masks [qos | security]: Displays the masks used for QoS and security ACLs. ... Displays QoS information at the interface level. ... copy running-config startup-config ... Enters global configuration mode ... Configuration Tasks. Table 14 shows the default DSCP-to-CoS map. ... Access Control Parameters ... The supported DSCP values are 0, 8, 10, 16, 18, 24, 26, 32, 34, 40, 46, 48, and 56. 1. ...
Page 100
... Configuration Tasks ... for an IP PIM Layer 3 interface:
Step 1 Router# show ip mroute count
IP Multicast Statistics
56 routes using 28552 bytes of memory
13 groups ...
Step 2 Router# show ip pim interface count
State: * - ...
.../37 * H 0/0
1.22.33.44 FastEthernet6/47 * H 514/68
... (show ip interface output, continued)
... access list is not set
Proxy ARP is enabled
Security level is default
Split horizon is enabled
ICMP redirects are always sent
ICMP unreachables are never sent
ICMP mask replies are never sent
IP fast switching is enabled
Page 115
... Dynamic address: a source MAC address that the switch learns and then drops when it is not in use ... is usually associated with one ... must be secure in one VLAN and dynamic in all other VLANs. ... A multicast address, for example, could be forwarded to port 1 in VLAN 1 and ports 9, 10, and 11 in ... one or more than one VLAN ... MAC address tables on the Ethernet switch network module. • Secure address: a manually entered unicast address that is associated with a secured port. Secure addresses do not age. • Static address: a manually entered unicast or multicast address that does not age and that ... An address can be ... static addresses...
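The three address classes described above, together with the known-MAC-address filtering the port security section (page 73) enables, as an added example (a Python model, not code from the Cisco document or from Cisco IOS). It keeps a MAC address table keyed by VLAN and address so that one address can be secure in one VLAN and dynamic in another, ages only dynamic entries, and on a secured port drops frames whose source is not a secure address bound to that port. The MAC addresses, port names and aging time are constructed; treating a secure address that shows up on some other port as a violation to drop is an assumption of this model, not a statement from the document.

```python
"""Model of a MAC address table with dynamic, secure and static entries
and a port-security check on ingress.

Added example, not code from the Cisco document: dynamic addresses age out,
secure and static addresses do not; a secured port only accepts frames
sourced by its secure addresses. Values below are constructed, and the
"secure address seen elsewhere is a violation" rule is an assumption.
"""
from dataclasses import dataclass, field
from typing import Dict, Optional, Set, Tuple

DYNAMIC, SECURE, STATIC = "dynamic", "secure", "static"
BROADCAST = "ffff.ffff.ffff"


@dataclass
class Entry:
    port: str
    kind: str
    last_seen: float = 0.0      # only meaningful for dynamic entries


@dataclass
class MacTable:
    aging_time: float = 300.0   # seconds an idle dynamic entry survives (assumed default)
    entries: Dict[Tuple[int, str], Entry] = field(default_factory=dict)
    secure_ports: Set[str] = field(default_factory=set)

    def add_secure(self, vlan: int, mac: str, port: str) -> None:
        """Bind a secure address to a port in one VLAN; the port becomes a secured port."""
        self.entries[(vlan, mac)] = Entry(port, SECURE)
        self.secure_ports.add(port)

    def add_static(self, vlan: int, mac: str, port: str) -> None:
        self.entries[(vlan, mac)] = Entry(port, STATIC)

    def lookup(self, vlan: int, mac: str) -> Optional[Entry]:
        return self.entries.get((vlan, mac))

    def age(self, now: float) -> int:
        """Remove dynamic entries idle longer than aging_time; return how many went."""
        stale = [k for k, e in self.entries.items()
                 if e.kind == DYNAMIC and now - e.last_seen > self.aging_time]
        for k in stale:
            del self.entries[k]
        return len(stale)

    def process_frame(self, now: float, vlan: int, in_port: str,
                      src: str, dst: str) -> Tuple[str, Optional[str]]:
        """Return ("forward", out_port), ("flood", None) or ("drop", None)."""
        known = self.lookup(vlan, src)
        if in_port in self.secure_ports:
            # Only the secure addresses bound to this port may source traffic on it.
            if known is None or known.kind != SECURE or known.port != in_port:
                return "drop", None
        elif known is None:
            self.entries[(vlan, src)] = Entry(in_port, DYNAMIC, now)
        elif known.kind == DYNAMIC:
            known.port, known.last_seen = in_port, now      # station moved or refreshed
        elif known.kind == SECURE:
            return "drop", None     # assumption: secure address on another port is a violation
        # Static entries are never relearned from traffic.

        target = self.lookup(vlan, dst)
        if dst == BROADCAST or target is None:
            return "flood", None
        if target.port == in_port:
            return "drop", None     # destination sits on the ingress segment
        return "forward", target.port


if __name__ == "__main__":
    table = MacTable()
    table.add_secure(1, "0000.0c11.1111", "Fa1/1")
    print(table.process_frame(0.0, 1, "Fa1/1", "0000.0c99.9999", BROADCAST))   # rogue on secured port
    print(table.process_frame(1.0, 1, "Fa1/1", "0000.0c11.1111", BROADCAST))   # the secure host
```

The model makes the operational consequence of "secure addresses do not age" visible: once a port is secured, a replacement workstation on that port is dropped until its address is entered, and the dynamic entry for a secured host's address in another VLAN still ages normally.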