CONTENTS

Audience 3

Organization 3

Conventions 7

Related Documentation 8
Hardware Documents 8
Software Documentation 8
Cisco IOS Documentation 9
Commands in Task Tables 9
Notices 9
OpenSSL/Open SSL Project 10
License Issues 10
Obtaining Documentation and Submitting a Service Request i-12

Product Overview 1-1

Layer 2 Software Features 1-1
802.1Q Tunneling, VLAN Mapping, and Layer 2 Protocol Tunneling 1-2
Cisco IOS Auto Smartport Macros 1-2
Cisco Discovery Protocol 1-3
Cisco Group Management Protocol (CGMP) server 1-3
EtherChannel Bundles 1-3
Ethernet CFM 1-3
Ethernet OAM Protocol 1-3
Flex Links and MAC Address-Table Move Update 1-4
Flexible NetFlow (Supervisor Engine 7-E and 7L-E only) 1-4
Internet Group Management Protocol (IGMP) Snooping 1-4
IPv6 Multicast BSR and BSR Scoped Zone Support 1-5
IPv6 Multicast Listen Discovery (MLD) and Multicast Listen Discovery Snooping 1-6
Jumbo Frames 1-6
Link Aggregation Control Protocol 1-7
Cisco IOS XE IP Application Services Features in Cisco IOS XE 3.1.0SG 1-7
Link Layer Discovery Protocol 1-7
Link State Tracking 1-8
Location Service 1-8
Multiple Spanning Tree 1-8
Per-VLAN Rapid Spanning Tree 1-8

Software Configuration Guide—Release IOS XE 3.6.0E and IOS 15.2(2)E
OL-30933-01 1
Contents

Quality of Service 1-9
Cisco Modular QoS Command-Line-Interface 1-9
Two-Rate Three-Color Policing 1-9
Resilient Ethernet Protocol 1-10
SmartPort Macros 1-10
Spanning Tree Protocol 1-10
Stateful Switchover 1-10
SVI Autostate 1-11
Unidirectional Link Detection 1-11
VLANs 1-11
Virtual Switching Systems 1-12
Virtual Switch System Client 1-12
Y.1731 (AIS and RDI) 1-12
Layer 3 Software Features 1-13
Bidirectional Forwarding Detection 1-14
Cisco Express Forwarding 1-14
Device Sensor 1-14
EIGRP Stub Routing 1-14
Enhanced Object Tracking 1-15
GLBP 1-15
Cisco IOS XE IP Application Services Features in Cisco IOS XE 3.1.0SG 1-15
HSRP 1-16
Cisco IOS XE IP Application Services: HSRP Features in Cisco IOS XE 3.1.0SG 1-16
SSO Aware HSRP 1-16
IP Routing Protocols 1-17
BGP 1-17
EIGRP 1-17
IS-IS 1-18
OSPF 1-18
RIP 1-19
In Service Software Upgrade 1-19
IPv6 1-19
Multicast Services 1-19
NSF with SSO 1-20
OSPF for Routed Access 1-21
Policy-Based Routing 1-21
Unicast Reverse Path Forwarding 1-22
Unidirectional Link Routing 1-22
VRF-lite 1-22
Virtual Router Redundancy Protocol 1-22

Management Features 1-23
Cisco Call Home 1-24
Cisco Energy Wise 1-24
Cisco IOS IP Service Level Agreements 1-24
Cisco Media Services Proxy 1-25
Cisco Medianet AutoQoS 1-25
Cisco Medianet Flow Metadata 1-26
Cisco IOS Mediatrace and Performance Monitor 1-26
Cisco Network Assistant 1-27
Dynamic Host Control Protocol 1-28
Easy Virtual Network 1-28
Embedded CiscoView 1-29
Embedded Event Manager 1-29
Ethernet Management Port 1-29
File System Management on Supervisor Engine 7-E and Supervisor Engine 7L-E 1-29
FAT File Management System on Supervisor Engine 6-E, Supervisor Engine 6L-E, Catalyst 4948E, and Catalyst 4900M 1-30
Forced 10/100 Autonegotiation 1-30
Intelligent Power Management 1-30
MAC Address Notification 1-30
MAC Notify MIB 1-30
NetFlow-lite 1-30
Power over Ethernet 1-31
Secure Shell 1-31
Simple Network Management Protocol 1-31
Smart Install 1-31
SPAN and RSPAN 1-32
Universal Power over Ethernet 1-32
Web Content Coordination Protocol 1-32
Wireshark 1-33
XML-PI 1-33
Security Features 1-33
802.1X Identity-Based Network Security 1-34
Cisco TrustSec MACsec Encryption 1-35
Cisco TrustSec Security Architecture 1-36
Cisco TrustSec Security Groups, SGTs and SGACLs 1-36
Dynamic ARP Inspection 1-37
Dynamic Host Configuration Protocol Snooping 1-37
Flood Blocking 1-37
Hardware-Based Control Plane Policing 1-37

IP Source Guard 1-38
IP Source Guard for Static Hosts 1-38
IPv6 First Hop Security 1-38
Local Authentication, RADIUS, and TACACS+ Authentication 1-40
Network Admission Control 1-40
Network Security with ACLs 1-40
Port Security 1-41
PPPoE Intermediate Agent 1-41
Session Aware Networking 1-41
Storm Control 1-42
uRPF Strict Mode 1-42
Utilities 1-42
Layer 2 Traceroute 1-42
Time Domain Reflectometry 1-43
Debugging Features 1-43
Web-based Authentication 1-43
New and Modified IOS Software Features Supported in Cisco IOS 15.2(1)E and Cisco IOS XE 3.5.0E 1-44

Command-Line Interfaces 2-1

Accessing the Switch CLI 2-2
Accessing the CLI Using the EIA/TIA-232 Console Interface 2-2
Accessing the CLI Through Telnet 2-2
Performing Command-Line Processing 2-3

Performing History Substitution 2-4

About Cisco IOS Command Modes 2-4
Getting a List of Commands and Syntax 2-5
Virtual Console for Standby Supervisor Engine 2-6

ROMMON Command-Line Interface 2-7

Archiving Crashfiles Information 2-8

Displaying a Crash Dump for Supervisor Engine 6-E and 6L-E 2-8

Configuring the Switch for the First Time 3-1

Default Switch Configuration 3-1

Configuring DHCP-Based Autoconfiguration 3-2
About DHCP-Based Autoconfiguration 3-2
DHCP Client Request Process 3-3
Configuring the DHCP Server 3-4
Configuring the TFTP Server 3-4
Configuring the DNS Server 3-5

Configuring the Relay Device 3-5
Obtaining Configuration Files 3-6
Example Configuration 3-7
Configuring the Switch 3-8
Using Configuration Mode to Configure Your Switch 3-9
Verifying the Running Configuration Settings 3-9
Saving the Running Configuration Settings to Your Start-Up File 3-10
Reviewing the Configuration in NVRAM 3-10
Configuring a Default Gateway 3-11
Configuring a Static Route 3-11
Controlling Access to Privileged EXEC Commands 3-13
Setting or Changing a Static enable Password 3-13
Using the enable password and enable secret Commands 3-14
Setting or Changing a Privileged Password 3-14
Controlling Switch Access with TACACS+ 3-15
Understanding TACACS+ 3-15
TACACS+ Operation 3-17
Configuring TACACS+ 3-17
Displaying the TACACS+ Configuration 3-22
Encrypting Passwords 3-22
Configuring Multiple Privilege Levels 3-23
Setting the Privilege Level for a Command 3-23
Changing the Default Privilege Level for Lines 3-23
Logging In to a Privilege Level 3-24
Exiting a Privilege Level 3-24
Displaying the Password, Access Level, and Privilege Level Configuration 3-24
Recovering a Lost Enable Password 3-25
Modifying the Supervisor Engine Startup Configuration 3-25
Understanding the Supervisor Engine Boot Configuration 3-25
Understanding the ROM Monitor 3-26
Configuring the Software Configuration Register 3-26
Modifying the Boot Field and Using the boot Command 3-27
Modifying the Boot Field 3-28
Verifying the Configuration Register Setting 3-29
Specifying the Startup System Image 3-30
Flash Memory Features 3-31
Security Precautions 3-31
Configuring Flash Memory 3-31
Controlling Environment Variables 3-31

Resetting a Switch to Factory Default Settings 3-32

Administering the Switch 4-1

Managing the System Time and Date 4-1
System Clock 4-2
Understanding Network Time Protocol 4-2
Configuring NTP 4-3
Default NTP Configuration 4-4
Configuring NTP Authentication 4-4
Configuring NTP Associations 4-6
Configuring NTP Broadcast Service 4-7
Configuring NTP Access Restrictions 4-8
Configuring the Source IP Address for NTP Packets 4-10
Displaying the NTP Configuration 4-11
Configuring Time and Date Manually 4-11
Setting the System Clock 4-11
Displaying the Time and Date Configuration 4-12
Configuring the Time Zone 4-12
Configuring Summer Time (Daylight Saving Time) 4-13
Managing Software Licenses Using Permanent Right-To-Use Features 4-14
About a PRTU License 4-15
Benefits of a PRTU License 4-15
Guidelines for the RTU License Model 4-16
Applying a PRTU License 4-16
Activating a PRTU License 4-16
Deactivating a PRTU License 4-17
Displaying Software License Information 4-17
Configuring a System Name and Prompt 4-21
Configuring a System Name 4-22
Understanding DNS 4-22
Default DNS Configuration 4-23
Setting Up DNS 4-23
Displaying the DNS Configuration 4-24
Creating a Banner 4-24
Default Banner Configuration 4-24
Configuring a Message-of-the-Day Login Banner 4-24
Configuring a Login Banner 4-27
Managing the MAC Address Table 4-28
Building the Address Table 4-28
MAC Addresses and VLANs 4-29

Default MAC Address Table Configuration 4-30
Changing the Address Aging Time 4-30
Removing Dynamic Address Entries 4-31
Configuring MAC Change Notification Traps 4-31
Configuring MAC Move Notification Traps 4-33
Configuring MAC Threshold Notification Traps 4-35
Adding and Removing Static Address Entries 4-36
Configuring Unicast MAC Address Filtering 4-37
Disabling MAC Address Learning on a VLAN 4-39
Configuring Disable MAC Address Learning 4-39
Usage Guidelines 4-40
Deployment Scenarios 4-40
Feature Compatibility 4-42
Feature Incompatibility 4-43
Partial Feature Incompatibility 4-43
Displaying Address Table Entries 4-44
Managing the ARP Table 4-44

Configuring Embedded CiscoView Support 4-44
Understanding Embedded CiscoView 4-45
Installing and Configuring Embedded CiscoView 4-45
Displaying Embedded CiscoView Information 4-48

Configuring Virtual Switching Systems 5-1

Understanding Virtual Switching Systems 5-2
VSS Overview 5-2
Key Concepts 5-3
VSS Functionality 5-5
Hardware Requirements 5-9
Understanding VSL Topology 5-11
VSS Redundancy 5-11
Overview 5-12
RPR and SSO Redundancy 5-12
Switch Roles in a VSS 5-12
Failed Switch Recovery 5-13
VSL Failure 5-14
User Actions 5-14
Multichassis EtherChannels 5-14
Overview 5-14
MEC Failure Scenarios 5-15
Packet Handling 5-16

Traffic on the VSL 5-16
Layer 2 Protocols 5-17
Layer 3 Protocols 5-18
System Monitoring 5-20
Environmental Monitoring 5-20
File System Access 5-20
Diagnostics 5-21
Network Management 5-21
Dual-Active Detection 5-23
Dual-Active Detection Using Enhanced PAgP 5-23
Dual-Active Detection Using Fast-Hello 5-24
Recovery Actions 5-24
Configuring a Recovery IP Address 5-25
VSS Initialization 5-26
Virtual Switch Link Protocol 5-26
SSO Dependencies 5-27
Initialization Procedure 5-27
VSS Configuration Guidelines and Restrictions 5-28
General VSS Restrictions and Guidelines 5-28
Multichassis EtherChannel Restrictions and Guidelines 5-30
Dual-Active Detection Restrictions and Guidelines 5-30
Configuring a VSS 5-30
Converting to a VSS 5-30
Backing Up the Standalone Configuration 5-32
Configuring SSO and NSF 5-32
Assigning Virtual Switch Domain and Switch Numbers 5-32
Configuring VSL Port Channel and Ports 5-33
Converting the Switch to Virtual Switch Mode 5-34
(Optional) Configuring VSS Standby Switch Modules 5-35
Displaying VSS Information 5-36
Converting a VSS to Standalone Switch 5-37
Copying the VSS Configuration to a Backup File 5-38
Converting the VSS Active Switch to Standalone 5-38
Converting the VSS Standby Switch to Standalone 5-38
Configuring VSS Parameters 5-39
Configuring VSL Switch Priority 5-39
Configuring a VSL 5-41
Adding and Deleting a VSL Port After the Bootup 5-41
Displaying VSL Information 5-42
Configuring VSL QoS 5-43

Configuring the Router MAC Address 5-44
Configuring Multichassis EtherChannels 5-45
Configuring Dual-Active Detection 5-49
Configuring Enhanced PAgP Dual-Active Detection 5-49
Configuring Fast-Hello Dual-Active Detection 5-50
Displaying Dual-Active Detection 5-51
In-Service Software Upgrade (ISSU) on a VSS 5-53
VSS ISSU Concept 5-53
Traffic and Network Protocol Disruption During ISSU in a VSS 5-55
Related Documents 5-55
Prerequisites to Performing ISSU 5-55
About Performing ISSU 5-56
Performing an ISSU Upgrade: Two Methods 5-56
Guidelines for Performing ISSU 5-59
Compatibility Matrix 5-59
Compatibility Verification Using Cisco Feature Navigator 5-60
How to Perform the ISSU Process 5-61
Verifying the ISSU Software Installation 5-61
Verifying Redundancy Mode Before Beginning the ISSU Process 5-62
Verifying the ISSU State Before Beginning the ISSU Process 5-63
ISSU using the Four-command Sequence: Step 1 (loadversion) 5-65
ISSU using the Four-command Sequence: Step 2 (runversion) 5-66
ISSU using the Four Command Sequence: Step 3 (acceptversion) 5-68
ISSU using the Four Command Sequence: Step 4 (commitversion) 5-69
Using changeversion to Automate an ISSU Upgrade 5-70
Aborting a Software Upgrade During ISSU 5-76
Configuring the Rollback Timer to Safeguard Against Upgrade Issues 5-77
The ISSU Compatibility Matrix 5-79
License Upgrade on a VSS 5-81

Configuring the Cisco IOS In-Service Software Upgrade Process 6-1

Prerequisites to Performing ISSU 6-2

About ISSU 6-3
Stateful Switchover Overview 6-3
NSF Overview 6-5
ISSU Process Overview 6-6
Performing an ISSU Upgrade: 2 Methods 6-11
Changeversion Process 6-12
Changeversion: Quick Option 6-12
Scheduled Changeversion: “in” and “at” Options 6-12

Changeversion Deployment Scenario 6-13
Aborting an In-Progress Changeversion Procedure 6-13
Guidelines for Performing ISSU 6-13
Versioning Capability in Cisco IOS Software to Support ISSU 6-13
Compatibility Matrix 6-14
SNMP Support for ISSU 6-15
Compatibility Verification Using Cisco Feature Navigator 6-15
Performing the ISSU Process 6-15
Upgrading ISSU to Cisco IOS XE 3.4.0SG/15.1(2)SG from a Prior Release 6-16
Downgrading ISSU from Cisco IOS XE 3.4.0SG/15.1(2)SG to a Prior Release 6-17
Verifying the ISSU Software Installation 6-18
Verifying Redundancy Mode Before Beginning the ISSU Process 6-19
Verifying the ISSU State Before Beginning the ISSU Process 6-20
Loading New Cisco IOS Software on the Standby Supervisor Engine 6-21
Switching to the Standby Supervisor Engine 6-24
Stopping the ISSU Rollback Timer (Optional) 6-26
Loading New Cisco IOS Software on the New Standby Supervisor Engine 6-27
Using changeversion to Automate an ISSU Upgrade 6-29
Aborting a Software Upgrade During ISSU 6-34
Configuring the Rollback Timer to Safeguard Against Upgrade Issues 6-35
Displaying ISSU Compatibility Matrix Information 6-36
Displaying ISSU Compatibility Matrix Information 6-40
Related Documents 6-42

Configuring the Cisco IOS XE In Service Software Upgrade Process 7-1
Related Documents 7-2
Prerequisites to Performing ISSU 7-2

About Performing ISSU 7-3
Stateful Switchover 7-3
NSF 7-5
ISSU Process 7-6
Performing an ISSU Upgrade: 2 Methods 7-11
Changeversion Process 7-12
Changeversion: Quick Option (LV to INIT) 7-12
Scheduled Changeversion: “in” and “at” Options 7-12
Changeversion Deployment Scenario 7-13
Aborting an In-Progress Changeversion Procedure 7-13
Guidelines for Performing ISSU 7-13
Compatibility Matrix 7-13
SNMP Support for ISSU 7-14

Compatibility Verification Using Cisco Feature Navigator 7-14

How to Perform the ISSU Process 7-15
Upgrading ISSU to Cisco IOS XE 3.4.0SG/15.1(2)SG from a Prior Release 7-15
Downgrading ISSU from Cisco IOS XE 3.4.0SG/15.1(2)SG to a Prior Release 7-17
Verifying the ISSU Software Installation 7-18
Verifying Redundancy Mode Before Beginning the ISSU Process 7-18
Verifying the ISSU State Before Beginning the ISSU Process 7-20
Loading New Cisco IOS XE Software on the Standby Supervisor Engine 7-20
Switching to the Standby Supervisor Engine 7-23
Stopping the ISSU Rollback Timer (Optional) 7-25
Loading New Cisco IOS XE Software on the New Standby Supervisor Engine 7-26
Using changeversion to Automate an ISSU Upgrade 7-28
Aborting a Software Upgrade During ISSU 7-33
Configuring the Rollback Timer to Safeguard Against Upgrade Issues 7-35
Displaying ISSU Compatibility Matrix Information 7-36
Cisco High Availability Features in Cisco IOS XE 3.1.0SG 7-38

Configuring Interfaces 8-1

About Interface Configuration 8-2

Using the interface Command 8-2

Configuring a Range of Interfaces 8-4

Using the Ethernet Management Port 8-6
Understanding the Ethernet Management Port 8-6
Fa1 Interface and mgmtVrf 8-7
SSO Model 8-9
ISSU Model 8-10
Supported Features on the Ethernet Management Port 8-10
Configuring the Ethernet Management Port 8-10
Defining and Using Interface-Range Macros 8-11

Deploying SFP+ in X2 Ports 8-12

Deploying 10-Gigabit Ethernet and Gigabit Ethernet SFP Ports on Supervisor Engine V-10GE 8-12

Deploying 10-Gigabit Ethernet or Gigabit Ethernet Ports 8-13
Port Numbering TwinGig Convertors 8-13
Limitations on Using a TwinGig Convertor 8-14
Selecting X2/TwinGig Convertor Mode 8-14
Invoking Shared-Backplane Uplink Mode on Supervisor Engine 6-E and Supervisor Engine 6L-E 8-16

Limitation and Restrictions on Supervisor Engine 7-E and Supervisor Engine 7L-E 8-16

Selecting Uplink Mode on a Supervisor Engine 6-E 8-16

Support for WS-X46490-CSFP-E on a 10-slot Chassis 8-17

Selecting the Uplink Port on a Supervisor Engine 7L-E 8-18
Single Supervisor Mode 8-18
Redundant Supervisor Mode 8-19
Digital Optical Monitoring Transceiver Support 8-19

Configuring Optional Interface Features 8-20
Configuring Ethernet Interface Speed and Duplex Mode 8-20
Speed and Duplex Mode Configuration Guidelines 8-20
Setting the Interface Speed 8-21
Setting the Interface Duplex Mode 8-22
Displaying the Interface Speed and Duplex Mode Configuration 8-22
Adding a Description for an Interface 8-23
Configuring Flow Control 8-23
Configuring Jumbo Frame Support 8-26
Ports and Modules That Support Jumbo Frames 8-26
Jumbo Frame Support 8-26
Configuring MTU Sizes 8-28
Interacting with Baby Giants 8-29
Configuring the Port Debounce Timer 8-29
Configuring Auto-MDIX on a Port 8-30
Displaying the Interface Auto-MDIX Configuration 8-32
Understanding Online Insertion and Removal 8-33

Online Insertion and Removal on a WS-4500X-32 8-33
Shutting down a Module 8-34
Booting a Module After It Has Been Stopped 8-34
Common Scenarios 8-35
Monitoring and Maintaining the Interface 8-35
Monitoring Interface and Controller Status 8-36
Clearing and Resetting the Interface 8-36
Shutting Down and Restarting an Interface 8-37
Configuring Interface Link Status and Trunk Status Events 8-37
Configuring Link Status Event Notification for an Interface 8-38
Global Settings 8-38
Configuring a Switch Global Link Status Logging Event 8-38
Examples 8-38
Resetting the Interface to the Default Configuration 8-40

Checking Port Status and Connectivity 9-1

Checking Module Status 9-1

Checking Interfaces Status 9-2

Displaying MAC Addresses 9-3

Checking Cable Status Using Time Domain Reflectometer 9-3
Overview 9-3
Running the TDR Test 9-4
TDR Guidelines 9-5
Using Telnet 9-5

Changing the Logout Timer 9-6

Monitoring User Sessions 9-6

Using Ping 9-7
Understanding How Ping Works 9-7
Running Ping 9-8
Using IP Traceroute 9-8
Understanding How IP Traceroute Works 9-8
Running IP Traceroute 9-9
Using Layer 2 Traceroute 9-9
Layer 2 Traceroute Usage Guidelines 9-10
Running Layer 2 Traceroute 9-11
Configuring ICMP 9-12
Enabling ICMP Protocol Unreachable Messages 9-12
Enabling ICMP Redirect Messages 9-12
Enabling ICMP Mask Reply Messages 9-13

Configuring Supervisor Engine Redundancy Using RPR and SSO on Supervisor Engine 6-E and Supervisor Engine 6L-E 10-1
About Supervisor Engine Redundancy 10-2
Overview 10-2
RPR Operation 10-2
SSO Operation 10-3
About Supervisor Engine Redundancy Synchronization 10-4
RPR Supervisor Engine Configuration Synchronization 10-5
SSO Supervisor Engine Configuration Synchronization 10-5
Supervisor Engine Redundancy Guidelines and Restrictions 10-5

Configuring Supervisor Engine Redundancy 10-7
Configuring Redundancy 10-8
Virtual Console for Standby Supervisor Engine 10-10
Synchronizing the Supervisor Engine Configurations 10-11
Performing a Manual Switchover 10-12

Performing a Software Upgrade 10-13

Manipulating Bootflash on the Redundant Supervisor Engine 10-14

Configuring Supervisor Engine Redundancy Using RPR and SSO on Supervisor Engine 7-E and Supervisor Engine 7L-E 11-1
About Supervisor Engine Redundancy 11-2
Overview 11-2
RPR Operation 11-3
SSO Operation 11-3
About Supervisor Engine Redundancy Synchronization 11-5
RPR Supervisor Engine Configuration Synchronization 11-5
SSO Supervisor Engine Configuration Synchronization 11-5
Supervisor Engine Redundancy Guidelines and Restrictions 11-5
Configuring Supervisor Engine Redundancy 11-7
Configuring Redundancy 11-7
Virtual Console for Standby Supervisor Engine 11-9
Synchronizing the Supervisor Engine Configurations 11-10
Performing a Manual Switchover 11-12

Performing a Software Upgrade 11-12

Manipulating Bootflash on the Standby Supervisor Engine 11-14

Configuring Cisco NSF with SSO Supervisor Engine Redundancy 12-1

About NSF with SSO Supervisor Engine Redundancy 12-1
About Cisco IOS NSF-Aware and NSF-Capable Support 12-2
NSF with SSO Supervisor Engine Redundancy Overview 12-3
SSO Operation 12-4
NSF Operation 12-4
Cisco Express Forwarding 12-5
Routing Protocols 12-5
BGP Operation 12-5
OSPF Operation 12-6
IS-IS Operation 12-7
EIGRP Operation 12-8
NSF Guidelines and Restrictions 12-9
Configuring NSF with SSO Supervisor Engine Redundancy 12-9
Configuring SSO 12-10
Configuring CEF NSF 12-10
Verifying CEF NSF 12-11
Configuring BGP NSF 12-11
Verifying BGP NSF 12-11
Configuring OSPF NSF 12-12

Verifying OSPF NSF 12-13
Configuring IS-IS NSF 12-13
Verifying IS-IS NSF 12-14
Configuring EIGRP NSF 12-16
Verifying EIGRP NSF 12-16
Cisco High Availability Features in Cisco IOS XE 3.1.0SG 12-17

Environmental Monitoring and Power Management 13-1

About Environmental Monitoring 13-1
Using CLI Commands to Monitor your Environment 13-2
Displaying Environment Conditions 13-2
Displaying On Board Failure Logging (OBFL) information for 9000W AC 13-4
Emergency Actions 13-5
System Alarms 13-6
Power Management 13-7
Power Management for the Catalyst 4500 Series Switches 13-7
Supported Power Supplies 13-8
Power Management Modes for the Catalyst 4500 Switch 13-9
Selecting a Power Management Mode 13-10
Power Management Limitations in Catalyst 4500 Series Switches 13-10
Available Power for Catalyst 4500 Series Switches Power Supplies 13-14
Special Considerations for the 4200 W AC and 6000 W AC Power Supplies 13-15
Combined Mode Power Resiliency 13-19
Special Considerations for the 1400 W DC Power Supply 13-21
Special Considerations for the 1400 W DC SP Triple Input Power Supply 13-22
Powering Down a Module 13-22
Power Management for the Catalyst 4948 Switches 13-23
Power Management Modes for the Catalyst 4948 Switch 13-23
IEEE 802.3az Energy Efficient Ethernet 13-23
Determining EEE Capability 13-24
Enabling EEE 13-24
Determining EEE Status 13-24

Configuring Power over Ethernet 14-1

About Power over Ethernet 14-1
Hardware Requirements 14-2
Power Management Modes 14-2
Intelligent Power Management 14-4

Configuring Power Consumption for Powered Devices on an Interface 14-5

Displaying the Operational Status for an Interface 14-6

Displaying all PoE Detection and Removal Events 14-7

Displaying the PoE Consumed by a Module 14-8

PoE Policing and Monitoring 14-12
PoE Policing Modes 14-12
Configuring Power Policing on an Interface 14-13
Displaying Power Policing on an Interface 14-14
Configuring Errdisable Recovery 14-14
Enhanced Power PoE Support on the E-Series Chassis 14-15
Configuring Universal PoE 14-16

Configuring the Catalyst 4500 Series Switch with Cisco Network Assistant 15-1

About Network Assistant 15-2
Community Overview 15-2
Clustering Overview 15-2
Network Assistant-Related Parameters and Their Defaults 15-3

Network Assistant CLI Commands 15-3

Configuring Your Switch for Network Assistant 15-4
(Minimum) Required Configuration 15-4
(Additional) Configuration Required to Use Community 15-5
(Additional) Configuration Required to Use Clustering 15-5
Managing a Network Using Community 15-6
Candidate and Member Requirements 15-7
Automatic Discovery of Candidates and Members 15-7
Community Names 15-8
Hostnames 15-8
Passwords 15-8
Communication Protocols 15-8
Access Modes in Network Assistant 15-9
Community Information 15-9
Adding Devices 15-9
Converting a Cluster into a Community 15-10

Managing a Network Using Cluster 15-11
Understanding Switch Clusters 15-11
Cluster Command Switch Requirements 15-11
Network Assistant and VTY 15-12
Candidate Switch and Cluster Member Switch Requirements 15-12
Using the CLI to Manage Switch Clusters 15-13
Configuring Network Assistant in Community or Cluster Mode 15-13
Configuring Network Assistant on a Networked Switch in Community Mode 15-13

Configuring Network Assistant in a Networked Switch in Cluster Mode 15-17

Configuring VLANs, VTP, and VMPS 16-1

VLANs 16-1
About VLANs 16-1
VLAN Configuration Guidelines and Restrictions 16-3
VLAN Ranges 16-3
Configurable Normal-Range VLAN Parameters 16-4
VLAN Default Configuration 16-4
Configuring VLANs 16-5
Configuring VLANs in Global Configuration Mode 16-6
Assigning a Layer 2 LAN Interface to a VLAN 16-7
VLAN Trunking Protocol 16-7
About VTP 16-8
Understanding the VTP Domain 16-8
Understanding VTP Modes 16-9
Understanding VTP Advertisements 16-9
Understanding VTP Versions 16-9
Understanding VTP Pruning 16-11
VTP Configuration Guidelines and Restrictions 16-12
VTP Default Configuration 16-13
Configuring VTP 16-14
Configuring VTP Global Parameters 16-14
Configuring the VTP Mode 16-16
Starting a Takeover 16-19
Displaying VTP Statistics 16-19
Displaying VTP Devices in a Domain 16-20
VLAN Membership Policy Server 16-20
About VMPS 16-20
Understanding the VMPS Server 16-21
Security Modes for VMPS Server 16-21
Fallback VLAN 16-22
Illegal VMPS Client Requests 16-23
Overview of VMPS Clients 16-23
Understanding Dynamic VLAN Membership 16-23
Default VMPS Client Configuration 16-24
Configuring a Switch as a VMPS Client 16-24
Administering and Monitoring the VMPS 16-27
Troubleshooting Dynamic Port VLAN Membership 16-28
Dynamic Port VLAN Membership Configuration Example 16-29

VMPS Database Configuration File Example 16-32

Configuring IP Unnumbered Interface 17-1

About IP Unnumbered Interface Support 17-1
IP Unnumbered Interface Support with DHCP Server and Relay Agent 17-2
DHCP Option 82 17-2
IP Unnumbered Interface with Connected Host Polling 17-3
IP Unnumbered Configuration Guidelines and Restrictions 17-3

Configuring IP Unnumbered Interface Support with DHCP Server 17-4
Configuring IP Unnumbered Interface Support on LAN and VLAN Interfaces 17-4
Configuring IP Unnumbered Interface Support on a Range of Ethernet VLANs 17-5
Configuring IP Unnumbered Interface Support with Connected Host Polling 17-6

Displaying IP Unnumbered Interface Settings 17-7

Troubleshooting IP Unnumbered Interface 17-8

Related Documents 17-8

Configuring Layer 2 Ethernet Interfaces 18-1

About Layer 2 Ethernet Switching 18-1
Layer 2 Ethernet Switching 18-2
Switching Frames Between Segments 18-2
Building the MAC Address Table 18-2
VLAN Trunks 18-3
Layer 2 Interface Modes 18-3
Default Layer 2 Ethernet Interface Configuration 18-4

Layer 2 Interface Configuration Guidelines and Restrictions 18-4
Configuring Ethernet Interfaces for Layer 2 Switching 18-5
Configuring an Ethernet Interface as a Layer 2 Trunk 18-5
Configuring an Interface as a Layer 2 Access Port 18-7
Clearing Layer 2 Configuration 18-8

Configuring SmartPort Macros 19-1

About SmartPort Macros and Static SmartPort 19-1

Configuring SmartPort Macros 19-2
Passing Parameters Through the Macro 19-3
Macro Parameter Help 19-3
Default SmartPort Macro Configuration 19-4
cisco-global 19-4
cisco-desktop 19-4
cisco-phone 19-5

cisco-router 19-5
cisco-switch 19-5
SmartPort Macro Configuration Guidelines 19-6
Creating SmartPort Macros 19-8
Applying SmartPort Macros 19-8
cisco-global 19-10
cisco-desktop 19-10
cisco-phone 19-11
cisco-switch 19-11
cisco-router 19-12
Displaying SmartPort Macros 19-13

Configuring Static SmartPort Macros 19-13
Default Static SmartPort Configuration 19-13
Static SmartPort Configuration Guidelines 19-14
Applying Static SmartPort Macros 19-14

Configuring Cisco IOS Auto Smartport Macros 20-1

About Auto Smartport Macros 20-1
Device Classifier 20-2
Device Visibility Mode 20-3
Configuring Auto Smartport Macros 20-3
Enabling Auto Smartport Macros 20-3
Auto Smartport Default Configuration 20-4
Auto Smartport Configuration Guidelines 20-5
Configuring Auto Smartport Built-in Macro Parameters 20-6
Configuring User-Defined Event Triggers 20-8
802.1X-Based Event Trigger 20-8
MAC Address-Based Event Trigger 20-9
Configuring Mapping Between User-Defined Triggers and Built-in Macros 20-9
Configuring Auto Smartport User-Defined Macros 20-10
Displaying Auto Smartport 20-13

Configuring STP and MST 21-1

About STP 21-1
Understanding the Bridge ID 21-2
Bridge Priority Value 21-2
Extended System ID 21-3
STP MAC Address Allocation 21-3
Bridge Protocol Data Units 21-3
Election of the Root Bridge 21-4

STP Timers 21-4
Creating the STP Topology 21-5
STP Port States 21-5
MAC Address Allocation 21-6
STP and IEEE 802.1Q Trunks 21-6
Per-VLAN Rapid Spanning Tree 21-6
Default STP Configuration 21-7

Configuring STP 21-7
Enabling STP 21-8
Enabling the Extended System ID 21-9
Configuring the Root Bridge 21-9
Configuring a Secondary Root Switch 21-12
Configuring STP Port Priority 21-13
Configuring STP Port Cost 21-15
Configuring the Bridge Priority of a VLAN 21-17
Configuring the Hello Time 21-17
Configuring the Maximum Aging Time for a VLAN 21-18
Configuring the Forward-Delay Time for a VLAN 21-19
Disabling Spanning Tree Protocol 21-20
Enabling Per-VLAN Rapid Spanning Tree 21-20
Specifying the Link Type 21-21
Restarting Protocol Migration 21-21
About MST 21-22
IEEE 802.1s MST 21-22
IEEE 802.1w RSTP 21-23
RSTP Port Roles 21-24
RSTP Port States 21-24
MST-to-SST Interoperability 21-24
Common Spanning Tree 21-25
MST Instances 21-26
MST Configuration Parameters 21-26
MST Regions 21-26
MST Region Overview 21-26
Boundary Ports 21-27
IST Master 21-27
Edge Ports 21-27
Link Type 21-28
Message Age and Hop Count 21-28
MST-to-PVST+ Interoperability 21-28

MST Configuration Restrictions and Guidelines 21-29

Configuring MST 21-29
Enabling MST 21-29
Configuring MST Instance Parameters 21-31
Configuring MST Instance Port Parameters 21-32
Restarting Protocol Migration 21-33
Displaying MST Configurations 21-33

Configuring Flex Links and MAC Address-Table Move Update 22-1

About Flex Links 22-1
Flex Links 22-2
VLAN Flex Links Load Balancing and Support 22-2
Flex Links Failover Actions 22-3
MAC Address-Table Move Update 22-4

Configuring Flex Links 22-5
Default Configuration 22-5
Configuration Guidelines 22-6
Configuring Flex Links 22-6
Configuring VLAN Load Balancing on Flex Links 22-8

Configuring MAC Address-Table Move Update 22-10
Default Configuration 22-10
Configuration Guidelines 22-10
Configuring the MAC Address-Table Move Update Feature 22-10
Configuring a Switch to Send MAC Address-Table Move Updates 22-10
Configuring a Switch to Receive MAC Address-Table Move Updates 22-12
Monitoring Flex Links and the MAC Address-Table Move Update 22-12

Configuring Resilient Ethernet Protocol 23-1

About REP 23-1
Link Integrity 23-4
Fast Convergence 23-4
VLAN Load Balancing 23-4
Spanning Tree Interaction 23-6
REP Ports 23-6
Configuring REP 23-7
Default REP Configuration 23-7
REP Configuration Guidelines 23-7
Configuring the REP Administrative VLAN 23-8
Configuring REP Interfaces 23-9

Setting Manual Preemption for VLAN Load Balancing 23-13
Configuring SNMP Traps for REP 23-14
Monitoring REP 23-14

Configuring Optional STP Features 24-1

About Root Guard 24-2

Enabling Root Guard 24-2

About Loop Guard 24-3

Enabling Loop Guard 24-4
About EtherChannel Guard 24-6

Enabling EtherChannel Guard (Optional) 24-6

About PortFast 24-6

Enabling PortFast 24-7

About BPDU Guard 24-8

Enabling BPDU Guard 24-8

About PortFast BPDU Filtering 24-9

Enabling PortFast BPDU Filtering 24-9

About UplinkFast 24-11

Enabling UplinkFast 24-12

About BackboneFast 24-13

Enabling BackboneFast 24-15

Configuring EtherChannel and Link State Tracking 25-1

About EtherChannel 25-2
Port Channel Interfaces 25-2
Configuring EtherChannels 25-3
EtherChannel Configuration Overview 25-3
Manual EtherChannel Configuration 25-3
PAgP EtherChannel Configuration 25-4
IEEE 802.3ad LACP EtherChannel Configuration 25-4
Load Balancing 25-5
EtherChannel Configuration Guidelines and Restrictions 25-5

Configuring EtherChannel 25-6
Configuring Layer 3 EtherChannels 25-7
Creating Port Channel Logical Interfaces 25-7
Configuring Physical Interfaces as Layer 3 EtherChannels 25-7
Configuring Layer 2 EtherChannels 25-10
Configuring LACP Standalone or Independent Mode 25-12

Configuring the LACP System Priority and System ID 25-13
Configuring EtherChannel Load Balancing 25-14
Removing an Interface from an EtherChannel 25-15
Removing an EtherChannel 25-15
Displaying EtherChannel to a Virtual Switch System 25-16
Understanding VSS Client 25-16
Virtual Switch System 25-16
Dual-Active Scenarios 25-16
Dual-Active Detection Using Enhanced PAgP 25-16
Displaying EtherChannel Links to VSS 25-18
Understanding Link-State Tracking 25-18

Configuring Link-State Tracking 25-21
Default Link-State Tracking Configuration 25-21
Link-State Tracking Configuration Guidelines 25-21
Configuring Link-State Tracking 25-21
Displaying Link-State Tracking Status 25-22

Configuring IGMP Snooping and Filtering, and MVR 26-1
About IGMP Snooping 26-2
Immediate-Leave Processing 26-3
IGMP Configurable-Leave Timer 26-4
IGMP Snooping Querier 26-4
Explicit Host Tracking 26-4
Configuring IGMP Snooping 26-5
Default IGMP Snooping Configuration 26-5
Enabling IGMP Snooping Globally 26-6
Enabling IGMP Snooping on a VLAN 26-6
Configuring Learning Methods 26-7
Configuring PIM/DVMRP Learning 26-7
Configuring CGMP Learning 26-7
Configuring a Static Connection to a Multicast Router 26-8
Enabling IGMP Immediate-Leave Processing 26-8
Configuring the IGMP Leave Timer 26-9
Configuring IGMP Snooping Querier 26-10
Configuring Explicit Host Tracking 26-11
Configuring a Host Statically 26-11
Suppressing Multicast Flooding 26-12
IGMP Snooping Interface Configuration 26-12
IGMP Snooping Switch Configuration 26-13

Displaying IGMP Snooping Information 26-14
Displaying Querier Information 26-15
Displaying IGMP Host Membership Information 26-15
Displaying Group Information 26-16
Displaying Multicast Router Interfaces 26-17
Displaying MAC Address Multicast Entries 26-18
Displaying IGMP Snooping Information on a VLAN Interface 26-18
Displaying IGMP Snooping Querier Information 26-19
Understanding Multicast VLAN Registration 26-20
Using MVR in a Multicast Television Application 26-21

Configuring MVR 26-23
Default MVR Configuration 26-23
MVR Configuration Guidelines and Limitations 26-23
Configuring MVR Global Parameters 26-24
Configuring MVR on Access Ports 26-26
Configuring MVR on a Trunk Port 26-27
Displaying MVR Information 26-29

Configuring IGMP Filtering 26-30
Default IGMP Filtering Configuration 26-30
Configuring IGMP Profiles 26-31
Applying IGMP Profiles 26-32
Setting the Maximum Number of IGMP Groups 26-33

Displaying IGMP Filtering Configuration 26-34

Configuring IPv6 Multicast Listener Discovery Snooping 27-1
About MLD Snooping 27-1
MLD Messages 27-2
MLD Queries 27-3
Multicast Client Aging 27-3
Multicast Router Discovery 27-3
MLD Reports 27-4
MLD Done Messages and Immediate-Leave 27-4
Topology Change Notification Processing 27-4
Configuring IPv6 MLD Snooping 27-5
Default MLD Snooping Configuration 27-5
MLD Snooping Configuration Guidelines 27-6
Enabling or Disabling MLD Snooping 27-6
Configuring a Static Multicast Group 27-7
Configuring a Multicast Router Port 27-7

Enabling MLD Immediate Leave 27-8
Configuring MLD Snooping Queries 27-9
Disabling MLD Listener Message Suppression 27-10

Displaying MLD Snooping Information 27-10

Configuring 802.1Q Tunneling, VLAN Mapping, and Layer 2 Protocol Tunneling 28-1

About 802.1Q Tunneling 28-2

Configuring 802.1Q Tunneling 28-3
802.1Q Tunneling Configuration Guidelines 28-3
Native VLANs 28-4
System MTU 28-5
802.1Q Tunneling and Other Features 28-5
Configuring an 802.1Q Tunneling Port 28-6
About VLAN Mapping 28-7
Deployment Example 28-7
Mapping Customer VLANs to Service-Provider VLANs 28-9

Configuring VLAN Mapping 28-9
Default VLAN Mapping Configuration 28-9
VLAN Mapping Configuration Guidelines 28-10
Configuring VLAN Mapping 28-11
One-to-One Mapping 28-11
Traditional Q-in-Q on a Trunk Port 28-12
Selective Q-in-Q on a Trunk Port 28-12
About Layer 2 Protocol Tunneling 28-13

Configuring Layer 2 Protocol Tunneling 28-15
Default Layer 2 Protocol Tunneling Configuration 28-16
Layer 2 Protocol Tunneling Configuration Guidelines 28-16
Configuring Layer 2 Tunneling 28-17
Monitoring and Maintaining Tunneling Status 28-18

Configuring CDP 29-1

About CDP 29-1

Configuring CDP 29-2
Enabling CDP Globally 29-2
Displaying the CDP Global Configuration 29-2
Enabling CDP on an Interface 29-3
Displaying the CDP Interface Configuration 29-3
Monitoring and Maintaining CDP 29-3

Configuring LLDP, LLDP-MED, and Location Service 30-1

About LLDP, LLDP-MED, and Location Service 30-1
LLDP 30-1
LLDP-MED 30-2
Location Service 30-3
Configuring LLDP and LLDP-MED, and Location Service 30-4
Default LLDP Configuration 30-5
Configuring LLDP Characteristics 30-5
Disabling and Enabling LLDP Globally 30-6
Disabling and Enabling LLDP on an Interface 30-7
Configuring LLDP-MED TLVs 30-9
Configuring Network-Policy Profile 30-10
Configuring LLDP Power Negotiation 30-11
Configuring Location TLV and Location Service 30-12
Monitoring and Maintaining LLDP, LLDP-MED, and Location Service 30-14

Cisco IOS Carrier Ethernet Features in Cisco IOS XE 3.1.0SG 30-15

Configuring UDLD 31-1

About UDLD 31-1
UDLD Topology 31-2
Fast UDLD Topology 31-2
Operation Modes 31-3
Default States for UDLD 31-3
Default UDLD Configuration 31-4

Configuring UDLD on the Switch 31-4
Fast UDLD Guidelines and Restrictions 31-4
Enabling UDLD Globally 31-5
Enabling UDLD on Individual Interfaces 31-6
Disabling UDLD on Individual Interfaces 31-7
Disabling UDLD on a Fiber-Optic Interface 31-7
Configuring a UDLD Probe Message Interval Globally 31-8
Configuring a Fast UDLD Probe Message Interval per Interface 31-8
Resetting Disabled LAN Interfaces 31-8
Displaying UDLD Link Status 31-9

Configuring Unidirectional Ethernet 32-1

About Unidirectional Ethernet 32-1

Configuring Unidirectional Ethernet 32-2

Configuring Layer 3 Interfaces 33-1

About Layer 3 Interfaces 33-1
Logical Layer 3 VLAN Interfaces 33-2
Physical Layer 3 Interfaces 33-2
Understanding SVI Autostate Exclude 33-3
Understanding Layer 3 Interface Counters 33-3
Configuration Guidelines 33-5

Configuring Logical Layer 3 VLAN Interfaces 33-6

Configuring VLANs as Layer 3 Interfaces 33-7
Configuring SVI Autostate Exclude 33-7
Configuring IP MTU Sizes 33-9
Configuring Layer 3 Interface Counters 33-10
Configuring Physical Layer 3 Interfaces 33-12

Configuring EIGRP Stub Routing 33-13
About EIGRP Stub Routing 33-13
Configuring EIGRP Stub Routing 33-14
Dual-Homed Remote Topology 33-15
EIGRP Stub Routing Configuration Tasks 33-18
Monitoring and Maintaining EIGRP 33-19
EIGRP Configuration Examples 33-19
Route Summarization Example 33-19
Route Authentication Example 33-20
Stub Routing Example 33-20

Configuring Cisco Express Forwarding 34-1

About CEF 34-1
CEF Features 34-1
Forwarding Information Base 34-2
Adjacency Tables 34-2
Adjacency Discovery 34-2
Adjacency Resolution 34-2
Adjacency Types That Require Special Handling 34-3
Unresolved Adjacency 34-3
Catalyst 4500 Series Switch Implementation of CEF 34-3
Hardware and Software Switching 34-4
Hardware Switching 34-5
Software Switching 34-5
Load Balancing 34-6
Software Interfaces 34-6

CEF Configuration Restrictions 34-6

Configuring CEF 34-6
Enabling CEF 34-6
Configuring Load Balancing for CEF 34-7
Configuring Per-Destination Load Balancing 34-7
Configuring Load Sharing Hash Function 34-7
Viewing CEF Information 34-8
Monitoring and Maintaining CEF 34-8
Displaying IP Statistics 34-8

Configuring Unicast Reverse Path Forwarding 35-1

About Unicast Reverse Path Forwarding 35-1
How Unicast RPF Works 35-2
Implementing Unicast RPF 35-4
Security Policy and Unicast RPF 35-5
Where to Use Unicast RPF 35-5
Routing Table Requirements 35-7
Where Not to Use Unicast RPF 35-7
Unicast RPF with BOOTP and DHCP 35-8
Restrictions 35-8
Limitation 35-8
Related Features and Technologies 35-8
Prerequisites to Configuring Unicast RPF 35-9
Unicast RPF Configuration Tasks 35-9
Configuring Unicast RPF 35-9
Verifying Unicast RPF 35-10
Monitoring and Maintaining Unicast RPF 35-11
Unicast RPF Configuration Example: Inbound and Outbound Filters 35-12

Configuring IP Multicast 36-1

About IP Multicast 36-1
IP Multicast Protocols 36-2
Internet Group Management Protocol 36-3
Protocol-Independent Multicast 36-3
Rendezvous Point (RP) 36-4
IGMP Snooping 36-4
IP Multicast Implementation on the Catalyst 4500 Series Switch 36-4
Restrictions on IP Multicast 36-5
CEF, MFIB, and Layer 2 Forwarding 36-6
IP Multicast Tables 36-7

Hardware and Software Forwarding 36-9
Non-Reverse Path Forwarding Traffic 36-10
Multicast Fast Drop 36-11
Multicast Forwarding Information Base 36-12
S/M, 224/4 36-13
Multicast HA 36-13
Configuring IP Multicast Routing 36-13
Default Configuration in IP Multicast Routing 36-13
Enabling IP Multicast Routing 36-14
Enabling PIM on an Interface 36-14
Enabling Dense Mode 36-15
Enabling Sparse Mode 36-15
Enabling Sparse-Dense Mode 36-15
Enabling Bidirectional Mode 36-16
Enabling PIM-SSM Mapping 36-17
Configuring a Rendezvous Point 36-17
Configuring Auto-RP 36-17
Configuring a Single Static RP 36-20
Load Splitting of IP Multicast Traffic 36-22
Monitoring and Maintaining IP Multicast Routing 36-23
Displaying System and Network Statistics 36-23
Displaying the Multicast Routing Table 36-24
Displaying IP MFIB 36-26
Displaying Bidirectional PIM Information 36-27
Displaying PIM Statistics 36-27
Clearing Tables and Databases 36-28
Configuration Examples 36-28
PIM Dense Mode Example 36-28
PIM Sparse Mode Example 36-29
Bidirectional PIM Mode Example 36-29
Sparse Mode with a Single Static RP Example 36-29
Sparse Mode with Auto-RP: Example 36-30

Configuring ANCP Client 37-1

About ANCP Client 37-1

Enabling and Configuring ANCP Client 37-2
Identifying a Port with the ANCP Protocol 37-2
Example 1 37-3
Example 2 37-4
Identifying a Port with DHCP Option 82 37-4

ANCP Guidelines and Restrictions 37-5

Configuring Bidirectional Forwarding Detection 38-1

Finding Feature Information 38-1

Contents 38-1

Prerequisites for Bidirectional Forwarding Detection 38-2

Restrictions for Bidirectional Forwarding Detection 38-2

Information About Bidirectional Forwarding Detection 38-3
BFD Operation 38-3
Neighbor Relationships 38-3
BFD Detection of Failures 38-4
BFD Version Interoperability 38-5
BFD Session Limits 38-5
BFD Support for Nonbroadcast Media Interfaces 38-5
BFD Support for Nonstop Forwarding with Stateful Switchover 38-5
BFD Support for Stateful Switchover 38-6
BFD Support for Static Routing 38-6
Benefits of Using BFD for Failure Detection 38-7
Hardware Support for BFD 38-7
How to Configure Bidirectional Forwarding Detection 38-8
Configuring BFD Session Parameters on the Interface 38-8
Configuring BFD Support for Dynamic Routing Protocols 38-9
Configuring BFD Support for BGP 38-9
Configuring BFD Support for EIGRP 38-10
Configuring BFD Support for OSPF 38-11
Configuring BFD Support for Static Routing 38-13
Configuring BFD Echo Mode 38-15
Prerequisites 38-15
Restrictions 38-15
Configuring the BFD Slow Timer 38-16
Disabling BFD Echo Mode Without Asymmetry 38-16
Monitoring and Troubleshooting BFD 38-17
Configuration Examples for Bidirectional Forwarding Detection 38-17
Example: Configuring BFD in an EIGRP Network with Echo Mode Enabled by Default 38-17
Example: Configuring BFD in an OSPF Network 38-22
Example: Configuring BFD Hardware-Offload Support in a BGP Network 38-25
Example: Configuring BFD Support for Static Routing 38-27
Additional References 38-28
Related Documents 38-28

Standards 38-28
MIBs 38-29
RFCs 38-29
Technical Assistance 38-29

Configuring Policy-Based Routing 39-1

About Policy-Based Routing 39-1
About PBR 39-2
Understanding Route-Maps 39-2
Using Policy-Based Routing 39-5
Policy-Based Routing Configuration Tasks 39-6
Enabling IPv4 PBR 39-6
Enabling IPv6 PBR 39-9
Enabling Local PBR 39-11
IPv4 39-11
IPv6 39-11
Examples of the show Command 39-11
Unsupported Commands 39-12
Policy-Based Routing Configuration Examples 39-12
Equal Access 39-12
Differing Next Hops 39-13
Deny ACE 39-13

Configuring VRF-lite 40-1

About VRF-lite 40-2
VRF-lite Configuration Guidelines 40-3

Configuring VRF-lite for IPv4 40-5
Configuring VRFs 40-5
Configuring VRF-Aware Services 40-6
Configuring the User Interface for ARP 40-6
Configuring Per-VRF for TACACS+ Servers 40-6
Configuring Multicast VRFs 40-7
Configuring a VPN Routing Session 40-8
Configuring BGP PE to CE Routing Sessions 40-9
VRF-lite Configuration Example 40-10
Configuring Switch S8 40-11
Configuring Switch S20 40-12
Configuring Switch S11 40-12
Configuring the PE Switch S3 40-13
Displaying VRF-lite Status 40-14

Configuring VRF-lite for IPv6 40-15
Configuring VRF-Aware Services 40-15
Configuring the User Interface for ARP 40-15
Configuring the User Interface for PING 40-15
Configuring the User Interface for uRPF 40-16
Configuring the User Interface for Traceroute 40-16
Configuring the User Interface for FTP and TFTP 40-16
Configuring the User Interface for Telnet and SSH 40-17
Configuring the User Interface for NTP 40-17
VRF-lite Configuration Example 40-17
Displaying VRF-lite Status 40-21
Configuring IPv6 VRF-lite 40-22
Configure VRFs 40-23
Associate Interfaces to the Defined VRFs 40-24
Populate VRF with Routes via Routing Protocols 40-24
Static Route 40-24
Routing Protocols 40-25
VPN Co-existence Between IPv4 and IPv6 40-28

Migrating from the Old to New CLI Scheme 40-28

Configuring Quality of Service 41-1

Overview of QoS 41-1
Prioritization 41-2
QoS Terminology 41-3
Basic QoS Model 41-5
Classification 41-6
Classification Based on QoS ACLs 41-6
Classification Based on Class Maps and Policy Maps 41-7
Policing and Marking 41-8
Queueing and Scheduling 41-8
Active Queue Management 41-9
Sharing Link Bandwidth Among Transmit Queues 41-9
Strict Priority / Low Latency Queueing 41-9
Traffic Shaping 41-9
Packet Modification 41-9
Per Port Per VLAN QoS 41-10
Flow-based QoS 41-10
Using Metadata in QoS Policy 41-11
Configuring System Queue Limit 41-12
Configuring VSS QoS 41-13

MQC-based QoS Configuration 41-13
Platform-supported Classification Criteria and QoS Features 41-14
Platform Hardware Capabilities 41-15
Prerequisites for Applying a QoS Service Policy 41-15
Restrictions for Applying a QoS Service Policy 41-15
Classification 41-16
Classification Statistics 41-16
Configuring a Policy Map 41-16
Attaching a Policy Map to an Interface 41-17
Policing 41-17
How to Implement Policing 41-18
Platform Restrictions 41-18
Marking Network Traffic 41-18
Contents 41-18
Information About Marking Network Traffic 41-19
Marking Action Drivers 41-21
Traffic Marking Procedure Flowchart 41-21
Restrictions for Marking Network Traffic 41-22
Multi-attribute Marking Support 41-22
Hardware Capabilities for Marking 41-23
Configuring the Policy Map Marking Action 41-23
Marking Statistics 41-24
Shaping, Sharing (Bandwidth), Priority Queuing, Queue-limiting and DBL 41-25
Shaping 41-25
Sharing (Bandwidth) 41-27
Priority queuing 41-30
Queue-limiting 41-31
Active Queue Management (AQM) via Dynamic Buffer Limiting (DBL) 41-34
Transmit Queue Statistics 41-35
Enabling Per-Port Per-VLAN QoS 41-36
Policy Associations 41-39
Software QoS 41-40
Applying Flow-based QoS Policy 41-41
Examples 41-42
Configuration Guidelines 41-44
Configuring CoS Mutation 41-45
Configuring System Queue Limit 41-46
Configuring QoS on a Standalone Supervisor Engine 6-E/6L-E or Supervisor Engine 7-E/7L-E 41-47
MQC-based QoS Configuration 41-48
Platform-supported Classification Criteria and QoS Features 41-48

Platform Hardware Capabilities 41-49
Prerequisites for Applying a QoS Service Policy 41-49
Restrictions for Applying a QoS Service Policy 41-50
Classification 41-50
Classification Statistics 41-50
Configuring a Policy Map 41-50
Attaching a Policy Map to an Interface 41-51
Policing 41-51
How to Implement Policing 41-52
Platform Restrictions 41-52
Marking Network Traffic 41-52
Contents 41-53
Information About Marking Network Traffic 41-53
Marking Action Drivers 41-55
Traffic Marking Procedure Flowchart 41-55
Restrictions for Marking Network Traffic 41-56
Multi-attribute Marking Support 41-56
Hardware Capabilities for Marking 41-57
Configuring the Policy Map Marking Action 41-57
Marking Statistics 41-59
Shaping, Sharing (Bandwidth), Priority Queuing, Queue-limiting and DBL 41-59
Shaping 41-59
Sharing (Bandwidth) 41-61
Priority queuing 41-64
Queue-limiting 41-65
Active Queue Management (AQM) via Dynamic Buffer Limiting (DBL) 41-68
Transmit Queue Statistics 41-69
Enabling Per-Port Per-VLAN QoS 41-70
Policy Associations 41-73
Software QoS 41-74
Applying Flow-based QoS Policy 41-75
Examples 41-76
Configuration Guidelines 41-78
Configuring CoS Mutation 41-79
Configuring System Queue Limit 41-80
Configuring VSS Auto-QoS 41-81

Configuring Auto-QoS on a Standalone Supervisor Engine 6-E/6L-E or Supervisor Engine 7-E/7L-E 41-86

Configuring Voice Interfaces 42-1

About Voice Interfaces 42-1

Cisco IP Phone Voice Traffic 42-2
Cisco IP Phone Data Traffic 42-2
Configuring a Port to Connect to a Cisco 7960 IP Phone 42-3

Configuring Voice Ports for Voice and Data Traffic 42-3

Overriding the CoS Priority of Incoming Frames 42-5

Configuring Power 42-5

Configuring Private VLANs 43-1

About Private VLANs 43-1
Purpose of a PVLAN 43-2
PVLAN Terminology 43-3
PVLANs across Multiple Switches 43-5
Standard Trunk Ports 43-5
Isolated PVLAN Trunk Ports 43-6
Promiscuous PVLAN Trunk Ports 43-7
PVLAN Modes Over Gigabit Etherchannel 43-8
Private-VLAN Interaction with Other Features 43-8
PVLANs and VLAN ACL/QoS 43-8
PVLANs and Unicast, Broadcast, and Multicast Traffic 43-9
PVLANs and SVIs 43-10
Per-Virtual Port Error-Disable on PVLANs 43-10
PVLAN Commands 43-10

Configuring PVLANs 43-11
Basic PVLAN Configuration Procedure 43-12
Default Private-VLAN Configuration 43-12
PVLAN Configuration Guidelines and Restrictions 43-12
Configuring a VLAN as a PVLAN 43-15
Associating a Secondary VLAN with a Primary VLAN 43-16
Configuring a Layer 2 Interface as a PVLAN Promiscuous Port 43-17
Configuring a Layer 2 Interface as a PVLAN Host Port 43-18
Configuring a Layer 2 Interface as an Isolated PVLAN Trunk Port 43-19
Configuring a Layer 2 Interface as a Promiscuous PVLAN Trunk Port 43-21
Permitting Routing of Secondary VLAN Ingress Traffic 43-23
Configuring PVLAN over EtherChannel 43-24
Configuring a Layer 2 EtherChannel 43-24
Configuring a Layer 2 Etherchannel as a PVLAN Promiscuous Port 43-24
Configuring a Layer 2 EtherChannel as a PVLAN Host Port 43-26
Configuring a Layer 2 EtherChannel as an Isolated PVLAN Trunk Port 43-27
Configuring a Layer 2 Etherchannel as a Promiscuous PVLAN Trunk Port 43-28

Configuring MACsec Encryption 44-1

Understanding Media Access Control Security and MACsec Key Agreement 44-2
MKA Policies 44-2
Virtual Ports 44-3
MACsec 44-3
MACsec, MKA, and 802.1X Host Modes 44-3
Single-Host Mode 44-4
Multiple-Host Mode 44-4
MKA Statistics 44-4
Configuring MACsec and MACsec Key Agreement 44-6
Default MACsec and MACsec Key Agreement Configuration 44-6
Configuring an MKA Policy 44-6
Configuring MACsec on an Interface 44-7
Understanding Cisco TrustSec MACsec 44-8

Configuring Cisco TrustSec MACsec 44-10
Configuring Cisco TrustSec Credentials on the Switch 44-10
Configuring Cisco TrustSec Switch-to-Switch Link Security in 802.1X Mode 44-11
Configuring Cisco TrustSec Switch-to-Switch Link Security in Manual Mode 44-12
Cisco TrustSec Switch-to-Switch Link Security Configuration Example 44-14

Configuring 802.1X Port-Based Authentication 45-1

About 802.1X Port-Based Authentication 45-1
Device Roles 45-2
802.1X and Network Access Control 45-3
Authentication Initiation and Message Exchange 45-4
Ports in Authorized and Unauthorized States 45-5
802.1X Host Mode 45-6
Single-Host Mode 45-7
Multiple-Hosts Mode 45-7
Multidomain Authentication Mode 45-7
Multiauthentication Mode 45-8
Pre-authentication Open Access 45-8
802.1X Violation Mode 45-8
Using MAC Move 45-9
Using MAC Replace 45-9
Using 802.1X with VLAN Assignment 45-10
Using 802.1X for Guest VLANs 45-11
Usage Guidelines for Using 802.1X Authentication with Guest VLANs 45-11

Usage Guidelines for Using 802.1X Authentication with Guest VLANs on Windows-XP Hosts 45-12
Using 802.1X with MAC Authentication Bypass 45-12
Feature Interaction 45-13
Using 802.1X with Web-Based Authentication 45-14
Using 802.1X with Inaccessible Authentication Bypass 45-14
Using 802.1X with Unidirectional Controlled Port 45-15
Unidirectional State 45-16
Bidirectional State 45-16
Using 802.1X with VLAN User Distribution 45-16
Deployment Example 45-17
Using 802.1X with Authentication Failed VLAN Assignment 45-17
Usage Guidelines for Using Authentication Failed VLAN Assignment 45-18
Using 802.1X with Port Security 45-19
Using 802.1X Authentication with ACL Assignments and Redirect URLs 45-20
Cisco Secure ACS and AV Pairs for URL-Redirect 45-20
ACLs 45-21
Using 802.1X with RADIUS-Provided Session Timeouts 45-21
Using 802.1X with Voice VLAN Ports 45-22
Using Voice Aware 802.1x Security 45-22
Using Multiple Domain Authentication and Multiple Authentication 45-23
802.1X Supplicant and Authenticator Switches with Network Edge Access Topology 45-24
Deployment 45-24
How 802.1X Fails on a Port 45-25
Supported Topologies 45-26
Configuring 802.1X Port-Based Authentication 45-26
Default 802.1X Configuration 45-27
802.1X Configuration Guidelines 45-29
Enabling 802.1X Authentication 45-29
Configuring Switch-to-RADIUS-Server Communication 45-32
Configuring Multiple Domain Authentication and Multiple Authorization 45-34
Configuring 802.1X Authentication with ACL Assignments and Redirect URLs 45-38
Downloadable ACL 45-38
URL-Redirect 45-41
Configuring a Downloadable Policy 45-44
Configuring 802.1X Authentication with Per-User ACL and Filter-ID ACL 45-45
Per-User ACL and Filter-ID ACL 45-45
Configuring a Per-User ACL and Filter-ID ACL 45-52
Configuring RADIUS-Provided Session Timeouts 45-53
Configuring MAC Move 45-55

Configuring MAC Replace 45-55
Configuring Violation Action 45-56
Configuring 802.1X with Guest VLANs 45-57
Configuring 802.1X with MAC Authentication Bypass 45-60
Configuring 802.1X with Inaccessible Authentication Bypass 45-62
Configuring 802.1X with Unidirectional Controlled Port 45-66
Configuring 802.1X with VLAN User Distribution 45-68
Configuring the Switch 45-68
ACS Configuration 45-69
Configuring 802.1X with Authentication Failed 45-70
Configuring 802.1X with Voice VLAN 45-72
Configuring Voice Aware 802.1x Security 45-73
Configuring 802.1X with VLAN Assignment 45-75
Cisco ACS Configuration for VLAN Assignment 45-76
Enabling Fallback Authentication 45-77
Enabling Periodic Reauthentication 45-81
Enabling Multiple Hosts 45-83
Changing the Quiet Period 45-84
Changing the Switch-to-Client Retransmission Time 45-85
Setting the Switch-to-Client Frame-Retransmission Number 45-86
Configuring an Authenticator and a Supplicant Switch with NEAT 45-88
Configuring Switch as an Authenticator 45-88
Cisco AV Pair Configuration 45-89
Configuring Switch as a Supplicant 45-92
Configuring NEAT with ASP 45-93
Configuration Guidelines 45-93
Manually Reauthenticating a Client Connected to a Port 45-94
Initializing the 802.1X Authentication State 45-94
Removing 802.1X Client Information 45-95
Resetting the 802.1X Configuration to the Default Values 45-95
Controlling Switch Access with RADIUS 45-95
Understanding RADIUS 45-96
RADIUS Operation 45-97
RADIUS Change of Authorization 45-97
Overview 45-98
Change-of-Authorization Requests 45-98
CoA Request Response Code 45-99
CoA Request Commands 45-100
Configuring RADIUS 45-103
Default RADIUS Configuration 45-103

Identifying the RADIUS Server Host 45-103
Configuring RADIUS Login Authentication 45-106
Defining AAA Server Groups 45-108
Configuring RADIUS Authorization for User Privileged Access and Network Services 45-110
Starting RADIUS Accounting 45-111
Configuring Settings for All RADIUS Servers 45-112
Configuring the Switch to Use Vendor-Specific RADIUS Attributes 45-112
Configuring the Switch for Vendor-Proprietary RADIUS Server Communication 45-114
Configuring CoA on the Switch 45-115
Monitoring and Troubleshooting CoA Functionality 45-116
Configuring RADIUS Server Load Balancing 45-116
Displaying the RADIUS Configuration 45-116
Configuring Device Sensor 45-116
About Device Sensor 45-117
MSP-IOS Sensor Device Classifier Interaction 45-118
Configuring Device Sensor 45-118
Enabling MSP 45-119
Enabling Accounting Augmentation 45-119
Creating a Cisco Discovery Protocol Filter 45-120
Creating an LLDP Filter 45-120
Creating a DHCP Filter 45-121
Applying a Protocol Filter to the Device Sensor Output 45-121
Tracking TLV Changes 45-122
Verifying the Device Sensor Configuration 45-123
Troubleshooting Commands 45-124
Restrictions for Device Sensor 45-124
Configuration Examples for the Device Sensor Feature 45-124
Displaying 802.1X Statistics and Status 45-125

Displaying Authentication Details 45-125
Determining the Authentication Methods Registered with the Auth Manager 45-125
Displaying the Auth Manager Summary for an Interface 45-126
Displaying the Summary of All Auth Manager Sessions on the Switch 45-126
Displaying a Summary of All Auth Manager Sessions on the Switch Authorized for a Specified Authentication Method 45-126
Verifying the Auth Manager Session for an Interface 45-126
Displaying MAB Details 45-128
EPM Logging 45-129
Cisco IOS Security Features 45-130

Configuring the PPPoE Intermediate Agent 46-1

Related Documents 46-2

RFCs 46-2
About PPPoE Intermediate Agent 46-2
Enabling PPPoE IA on a Switch 46-2
Configuring the Access Node Identifier for PPPoE IA on a Switch 46-2
Configuring the Identifier String, Option, and Delimiter for PPPoE IA on a Switch 46-3
Configuring the Generic Error Message for PPPoE IA on a Switch 46-3
Enabling PPPoE IA on an Interface 46-4
Configuring the PPPoE IA Trust Setting on an Interface 46-4
Configuring PPPoE IA Rate Limiting Setting on an Interface 46-4
Configuring PPPoE IA Vendor-tag Stripping on an Interface 46-5
Configuring PPPoE IA Circuit-ID and Remote-ID on an Interface 46-5
Enabling PPPoE IA for a Specific VLAN on an Interface 46-5
Configuring PPPoE IA Circuit-ID and Remote-ID for a VLAN on an Interface 46-6
Displaying Configuration Parameters 46-6

Clearing Packet Counters 46-8

Debugging PPPoE Intermediate Agent 46-8

Troubleshooting Tips 46-9

Configuring Web-Based Authentication 47-1

About Web-Based Authentication 47-1
Device Roles 47-2
Host Detection 47-2
Session Creation 47-3
Authentication Process 47-3
Customization of the Authentication Proxy Web Pages 47-4
Web-Based Authentication Interactions with Other Features 47-4
Port Security 47-4
LAN Port IP 47-5
Gateway IP 47-5
ACLs 47-5
Context-Based Access Control 47-5
802.1X Authentication 47-5
EtherChannel 47-5
Switchover 47-5
Configuring Web-Based Authentication 47-6
Default Web-Based Authentication Configuration 47-6
Web-Based Authentication Configuration Guidelines and Restrictions 47-6

Web-Based Authentication Configuration Task List 47-7
Configuring the Authentication Rule and Interfaces 47-7
Configuring AAA Authentication 47-9
Configuring Switch-to-RADIUS-Server Communication 47-9
Configuring the HTTP Server 47-11
Customizing the Authentication Proxy Web Pages 47-11
Specifying a Redirection URL for Successful Login 47-12
Configuring the Web-Based Authentication Parameters 47-13
Removing Web-Based Authentication Cache Entries 47-14
Displaying Web-Based Authentication Status 47-14

Configuring Port Security 48-1

Port Security Commands 48-2

About Port Security 48-3
Secure MAC Addresses 48-4
Maximum Number of Secure MAC Addresses 48-4
Aging Secure MAC Addresses 48-5
Sticky Addresses on a Port 48-5
Violation Actions 48-6
Invalid Packet Handling 48-7
Configuring Port Security on Access Ports 48-7
Configuring Port Security on Access Ports 48-7
Examples of Port Security on Access Ports 48-10
Example 1: Setting Maximum Number of Secure Addresses 48-11
Example 2: Setting a Violation Mode 48-11
Example 3: Setting the Aging Timer 48-11
Example 4: Setting the Aging Timer Type 48-12
Example 5: Configuring a Secure MAC Address 48-12
Example 6: Configuring Sticky Port Security 48-13
Example 7: Setting a Rate Limit for Bad Packets 48-13
Example 8: Clearing Dynamic Secure MAC Addresses 48-14
Configuring Port Security on PVLAN Ports 48-14
Configuring Port Security on an Isolated Private VLAN Host Port 48-14
Example of Port Security on an Isolated Private VLAN Host Port 48-16
Configuring Port Security on a Private VLAN Promiscuous Port 48-16
Example of Port Security on a Private VLAN Promiscuous Port 48-17
Configuring Port Security on Trunk Ports 48-17
Configuring Trunk Port Security 48-17
Examples of Trunk Port Security 48-19

Example 1: Configuring a Maximum Limit of Secure MAC Addresses for All VLANs 48-19
Example 2: Configuring a Maximum Limit of Secure MAC Addresses for Specific VLANs 48-20
Example 3: Configuring Secure MAC Addresses in a VLAN Range 48-20
Trunk Port Security Configuration Guidelines and Restrictions 48-21
Port Mode Changes 48-22
Configuring Port Security on Voice Ports 48-22
Configuring Port Security on Voice Ports 48-23
Examples of Voice Port Security 48-25
Example 1: Configuring Maximum MAC Addresses for Voice and Data VLANs 48-25
Example 2: Configuring Sticky MAC Addresses for Voice and Data VLANs 48-26
Voice Port Security Configuration Guidelines and Restrictions 48-27
Displaying Port Security Settings 48-27
Examples of Security Settings 48-28
Example 1: Displaying Security Settings for the Entire Switch 48-28
Example 2: Displaying Security Settings for an Interface 48-29
Example 3: Displaying All Secure Addresses for the Entire Switch 48-29
Example 4: Displaying a Maximum Number of MAC Addresses on an Interface 48-30
Example 5: Displaying Security Settings on an Interface for a VLAN Range 48-30
Example 6: Displaying Secured MAC Addresses and Aging Information on an Interface 48-30
Example 7: Displaying Secured MAC Addresses for a VLAN Range on an Interface 48-31
Configuring Port Security with Other Features/Environments 48-31
DHCP and IP Source Guard 48-31
802.1X Authentication 48-32
Configuring Port Security in a Wireless Environment 48-32
Port Security Configuration Guidelines and Restrictions 48-33

Configuring Control Plane Policing and Layer 2 Control Packet QoS 49-1

Configuring Control Plane Policing 49-2
About Control Plane Policing 49-2
General Guidelines for Control Plane Policing 49-3
Default Configuration 49-4
Configuring CoPP for Control Plane Traffic 49-4
Configuring CoPP for Data Plane and Management Plane Traffic 49-5
Control Plane Policing Configuration Guidelines and Restrictions 49-8
All supervisor engines 49-8
Do not apply to Catalyst 4900M, Catalyst 4948E, Supervisor Engine 6-E, and Supervisor Engine 6L-E 49-8
Monitoring CoPP 49-9

Configuring Layer 2 Control Packet QoS 49-11
Understanding Layer 2 Control Packet QoS 49-11

Default Configuration 49-11
Enabling Layer 2 Control Packet QoS 49-12
Disabling Layer 2 Control Packet QoS 49-13
Layer 2 Control Packet QoS Configuration Examples 49-14
Layer 2 Control Packet QoS Guidelines and Restrictions 49-16
Policing IPv6 Control Traffic 49-16

Configuring Dynamic ARP Inspection 50-1

About Dynamic ARP Inspection 50-1
ARP Cache Poisoning 50-2
Purpose of Dynamic ARP Inspection 50-2
Interface Trust State, Security Coverage and Network Configuration 50-3
Relative Priority of Static Bindings and DHCP Snooping Entries 50-4
Logging of Dropped Packets 50-4
Rate Limiting of ARP Packets 50-4
Port Channels Function 50-5
Configuring Dynamic ARP Inspection 50-5
Configuring Dynamic ARP Inspection in DHCP Environments 50-5
DAI Configuration Example 50-7
Switch A 50-7
Switch B 50-9
Configuring ARP ACLs for Non-DHCP Environments 50-11
Configuring the Log Buffer 50-14
Limiting the Rate of Incoming ARP Packets 50-16
Performing Validation Checks 50-19

Configuring DHCP Snooping, IP Source Guard, and IPSG for Static Hosts 51-1
About DHCP Snooping 51-1
Trusted and Untrusted Sources 51-2
About the DHCP Snooping Database Agent 51-2
Option 82 Data Insertion 51-4
Configuring DHCP Snooping 51-6
Default Configuration for DHCP Snooping 51-7
Enabling DHCP Snooping 51-7
Enabling DHCP Snooping on the Aggregation Switch 51-9
Enabling DHCP Snooping and Option 82 51-10
Enabling DHCP Snooping on Private VLAN 51-12
Configuring DHCP Snooping on Private VLAN 51-12
Configuring DHCP Snooping with an Ethernet Channel Group 51-12
Enabling the DHCP Snooping Database Agent 51-13

Limiting the Rate of Incoming DHCP Packets 51-13
Configuration Examples for the Database Agent 51-15
Example 1: Enabling the Database Agent 51-15
Example 2: Reading Binding Entries from a TFTP File 51-17
Example 3: Adding Information to the DHCP Snooping Database 51-18

Displaying DHCP Snooping Information 51-18
Displaying a Binding Table 51-19
Displaying the DHCP Snooping Configuration 51-19

About IP Source Guard 51-19

Configuring IP Source Guard 51-20
Configuring IP Source Guard on Private VLANs 51-22
Displaying IP Source Guard Information 51-22

Displaying IP Source Binding Information 51-23

Configuring IP Source Guard for Static Hosts 51-24
About IP Source Guard for Static Hosts 51-24
Configuring IPSG for Static Hosts on a Layer 2 Access Port 51-25
Configuring IPSG for Static Hosts on a PVLAN Host Port 51-28

Configuring Network Security with ACLs 52-1

About ACLs 52-2
Overview 52-2
Supported Features That Use ACLs 52-3
Router ACLs 52-3
Port ACLs 52-4
Dynamic ACLs 52-5
VLAN Maps 52-5
Hardware and Software ACL Support 52-6
Troubleshooting High CPU Due to ACLs 52-6

Selecting Mode of Capturing Control Packets 52-7
Guidelines and Restrictions 52-8
Selecting Control Packet Capture 52-8
TCAM Programming and ACLs 52-10

Layer 4 Operators in ACLs 52-10
Restrictions for Layer 4 Operations 52-10
Configuration Guidelines for Layer 4 Operations 52-11
How ACL Processing Impacts CPU 52-12
Configuring Unicast MAC Address Filtering 52-13

Configuring Named MAC Extended ACLs 52-14

Configuring EtherType Matching 52-15

Configuring Named IPv6 ACLs 52-16

Applying IPv6 ACLs to Layer 2 and 3 Interface 52-17

Configuring VLAN Maps 52-17
VLAN Map Configuration Guidelines 52-18
Creating and Deleting VLAN Maps 52-19
Examples of ACLs and VLAN Maps 52-19
Applying a VLAN Map to a VLAN 52-21
Using VLAN Maps in Your Network 52-22
Denying Access to a Server on Another VLAN 52-23

Displaying VLAN Access Map Information 52-24

Using VLAN Maps with Router ACLs 52-25
Guidelines for Using Router ACLs and VLAN Maps on the Same VLAN 52-25
Examples of Router ACLs and VLAN Maps Applied to VLANs 52-25
ACLs and Switched Packets 52-25
ACLs and Routed Packets 52-26
Configuring PACLs 52-27
Creating a PACL 52-27
PACL Configuration Guidelines 52-28
Removing the Requirement for a Port ACL 52-28
Configuration Restrictions 52-29
Debugging Considerations 52-29
Webauth Fallback 52-29
Configuring IPv4, IPv6, and MAC ACLs on a Layer 2 Interface 52-29
Using PACL with Access-Group Mode 52-30
Configuring Access-group Mode on Layer 2 Interface 52-31
Applying ACLs to a Layer 2 Interface 52-31
Displaying an ACL Configuration on a Layer 2 Interface 52-32
Using PACL with VLAN Maps and Router ACLs 52-32

Configuring RA Guard 52-35
Introduction 52-35
Deployment 52-36
Configuring RA Guard 52-36
Examples 52-37
Usage Guidelines 52-38

Support for IPv6 53-1

Finding Feature Information 53-1

About IPv6 53-1

IPv6 Addressing and Basic Connectivity 53-2
DHCP 53-3
Security 53-3
QoS 53-3
Management 53-4
Multicast 53-4
Static Routes 53-5
First-Hop Redundancy Protocols 53-5
Unicast Routing 53-5
RIP 53-5
OSPF 53-6
EIGRP 53-6
IS-IS 53-6
Multiprotocol BGP 53-6
Tunneling 53-7
IPv6 Default States 53-7

Port Unicast and Multicast Flood Blocking 54-1

About Flood Blocking 54-1

Configuring Port Blocking 54-1
Blocking Flooded Traffic on an Interface 54-2
Resuming Normal Forwarding on a Port 54-3

Configuring Storm Control 55-1

About Storm Control 55-1
Hardware-Based Storm Control Implementation 55-2
Software-Based Storm Control Implementation 55-2
Enabling Broadcast Storm Control 55-3

Enabling Multicast Storm Control 55-4

Disabling Broadcast Storm Control 55-5

Disabling Multicast Storm Control 55-5

Displaying Storm Control 55-6

Configuring SPAN and RSPAN 56-1

About SPAN and RSPAN 56-1
SPAN and RSPAN Concepts and Terminology 56-3
SPAN Session 56-3
Traffic Types 56-3
Source Port 56-4
Destination Port 56-5

VLAN-Based SPAN 56-5
SPAN Traffic 56-6
SPAN and RSPAN Session Limits 56-6
Default SPAN and RSPAN Configuration 56-6

Configuring SPAN 56-7
SPAN Configuration Guidelines and Restrictions 56-7
Configuring SPAN Sources 56-8
Configuring SPAN Destinations 56-9
Monitoring Source VLANs on a Trunk Interface 56-9
Configuration Scenario 56-10
Verifying a SPAN Configuration 56-10
CPU Port Sniffing 56-10

Encapsulation Configuration 56-12

Ingress Packets 56-12

Access List Filtering 56-13
ACL Configuration Guidelines 56-13
Configuring Access List Filtering 56-14
Packet Type Filtering 56-14

Configuration Example 56-15

Configuring RSPAN 56-16
RSPAN Configuration Guidelines 56-16
Creating an RSPAN Session 56-17
Creating an RSPAN Destination Session 56-18
Creating an RSPAN Destination Session and Enabling Ingress Traffic 56-19
Removing Ports from an RSPAN Session 56-20
Specifying VLANs to Monitor 56-21
Specifying VLANs to Filter 56-23
Displaying SPAN and RSPAN Status 56-24

Configuring Wireshark 57-1

Finding Feature Information 57-1

Prerequisites for Wireshark 57-2

Guidelines for Wireshark 57-2

Restrictions for Wireshark 57-4

Information about Wireshark 57-5
Capture Points 57-6
Attachment Points 57-6
Filters 57-6

Core System Filter 57-6
Capture Filter 57-7
Display Filter 57-7
Input and Output Classification 57-7
Actions 57-8
Storing Captured Packets to Buffer in Memory 57-8
Storing Captured Packets to a .pcap File 57-8
Decoding and Displaying Packets 57-9
Displaying Live Traffic 57-9
Displaying from the .pcap File 57-9
Storing and Displaying Packets 57-9
Activating and Deactivating Wireshark Capture Points 57-9
Wireshark Features used in Switches 57-10
Wireshark on VSS 57-11
How to Configure Wireshark 57-11
Default Wireshark Configuration 57-11
Defining, Modifying, or Deleting a Capture Point 57-12
Examples 57-13
Activating and Deactivating a Capture Point 57-13
Configuring Wireshark on VSS 57-14
Monitoring Wireshark 57-14

Configuration Examples for Wireshark 57-14
Example: Displaying a Brief Output from a .pcap File 57-14
Example: Displaying Detailed Output from a .pcap File 57-15
Example: Displaying a Hexadecimal Dump Output from a .pcap File 57-17
Example: Displaying Packets from a .pcap File with a Display Filter 57-18
Usage Examples for Wireshark 57-18
Example: Simple Capture and Display 57-18
Example: Simple Capture and Store 57-19
Example: Using Buffer Capture 57-20
Example: Capture Sessions 57-24
Example: Capture and Store in Lock-step Mode 57-28
Example: Simple Capture and Store in Lock-step with High-speed Mode 57-29
Example: Simple Capture and Store of Packets in Egress Direction 57-30
VSS Specific Examples 57-31
Example: Capturing and Storing in a file (Attachment Point in VSS Active Switch) 57-31
Example: Capturing and Storing in a File with Display (Attachment Point in VSS Active Switch) 57-32
Example: Capturing and Storing in a File (Attachment point in VSS Standby Switch) 57-32

Example: Capturing and Storing in a File with Display (Attachment Point in VSS Standby Switch) 57-33
Example: Circular Buffer Usage (Attachment Point in VSS Standby Switch) 57-35

Configuring Enhanced Object Tracking 58-1

Understanding Enhanced Object Tracking 58-1

Configuring Enhanced Object Tracking Features 58-2
Default Configuration 58-2
Tracking Interface Line-Protocol or IP Routing State 58-2
Configuring a Tracked List 58-3
Configuring a Tracked List with a Boolean Expression 58-4
Configuring a Tracked List with a Weight Threshold 58-5
Configuring a Tracked List with a Percentage Threshold 58-6
Configuring HSRP Object Tracking 58-7
Configuring Other Tracking Characteristics 58-8
Configuring IP SLAs Object Tracking 58-8
Configuring Static Routing Support 58-10
Configuring a Primary Interface 58-10
Configuring a Cisco IP SLAs Monitoring Agent and Track Object 58-11
Configuring a Routing Policy and Default Route 58-11
Monitoring Enhanced Object Tracking 58-12

Configuring System Message Logging 59-1

About System Message Logging 59-1

Configuring System Message Logging 59-2
System Log Message Format 59-2
Default System Message Logging Configuration 59-3
Disabling Message Logging 59-4
Setting the Message Display Destination Device 59-5
Synchronizing Log Messages 59-6
Enabling and Disabling Timestamps on Log Messages 59-7
Enabling and Disabling Sequence Numbers in Log Messages (Optional) 59-7
Defining the Message Severity Level (Optional) 59-8
Limiting Syslog Messages Sent to the History Table and to SNMP (Optional) 59-9
Configuring UNIX Syslog Servers 59-10
Logging Messages to a UNIX Syslog Daemon 59-10
Configuring the UNIX System Logging Facility 59-11
Displaying the Logging Configuration 59-12

Onboard Failure Logging (OBFL) 60-1

Prerequisites for OBFL 60-1

Restrictions for OBFL 60-2

Information About OBFL 60-2
Overview of OBFL 60-2
Information about Data Collected by OBFL 60-2
OBFL Data Overview 60-2
Temperature 60-3
Operational Uptime 60-4
Interrupts 60-6
Message Logging 60-7
Default Settings for OBFL 60-8

Enabling OBFL 60-8

Configuration Examples for OBFL 60-9
Enabling OBFL Message Logging: Example 60-9
OBFL Message Log: Example 60-9
OBFL Component Uptime Report: Example 60-10
OBFL Report for a Specific Time: Example 60-10

Configuring SNMP 61-1

About SNMP 61-1
SNMP Versions 61-2
SNMP Manager Functions 61-3
SNMP Agent Functions 61-4
SNMP Community Strings 61-4
Using SNMP to Access MIB Variables 61-4
SNMP Notifications 61-5
Configuring SNMP 61-5
Default SNMP Configuration 61-5
SNMP Configuration Guidelines 61-6
Disabling the SNMP Agent 61-7
Configuring Community Strings 61-7
Configuring SNMP Groups and Users 61-9
Configuring SNMP Notifications 61-11
Setting the Agent Contact and Location Information 61-14
Limiting TFTP Servers Used Through SNMP 61-15
SNMP Examples 61-15
Displaying SNMP Status 61-16

Configuring NetFlow-lite 62-1

About NetFlow Packet Sampling 62-2

Feature Interaction 62-2
System-wide Restrictions 62-2
Interface-level Restrictions 62-2
Monitor-level Restrictions 62-2
Configuring NetFlow Packet Sampling 62-2
Configuring Information about the External Collector 62-3
Example 62-3
Usage Guidelines 62-4
Configuring Sampling Parameters 62-4
Example 62-5
Usage Guidelines 62-5
Activating Sampling on an Interface or VLAN 62-5
Examples 62-6
Usage Guidelines 62-7
Display Commands 62-8

Clear Commands 62-9

Configuring Flexible NetFlow 63-1

VSS Environment 63-1

Non-VSS Environment 63-7

Configuring Ethernet OAM and CFM 64-1

About Ethernet CFM 64-2
Ethernet CFM and OAM Definitions 64-2
CFM Domain 64-2
Maintenance Associations and Maintenance Points 64-4
CFM Messages 64-5
Crosscheck Function and Static Remote MEPs 64-5
SNMP Traps and Fault Alarms 64-5
Configuration Error List 64-6
IP SLAs Support for CFM 64-6
Configuring Ethernet CFM 64-6
Ethernet CFM Default Configuration 64-7
Ethernet CFM Configuration Guidelines 64-7
Configuring the CFM Domain 64-8
Configuring Ethernet CFM Crosscheck 64-11
Configuring Static Remote MEP 64-13
Configuring a Port MEP 64-14

Configuring SNMP Traps 64-16
Configuring Fault Alarms 64-16
Configuring IP SLAs CFM Operation 64-18
Manually Configuring an IP SLAs CFM Probe or Jitter Operation 64-19
Configuring an IP SLAs Operation with Endpoint Discovery 64-21
Configuring CFM on C-VLAN (Inner VLAN) 64-24
Feature Support and Behavior 64-26
Platform Restrictions and Limitations 64-26
Understanding CFM ITU-T Y.1731 Fault Management 64-27
Y.1731 Terminology 64-27
Alarm Indication Signals 64-28
Ethernet Remote Defect Indication 64-28
Multicast Ethernet Loopback 64-29
Configuring Y.1731 Fault Management 64-29
Default Y.1731 Configuration 64-29
Configuring ETH-AIS 64-29
Using Multicast Ethernet Loopback 64-31
Managing and Displaying Ethernet CFM Information 64-31

About Ethernet OAM Protocol 64-33
OAM Features 64-34
OAM Messages 64-34
Enabling and Configuring Ethernet OAM 64-35
Ethernet OAM Default Configuration 64-35
Ethernet OAM Configuration Guidelines 64-35
Enabling Ethernet OAM on an Interface 64-36
Enabling Ethernet OAM Remote Loopback 64-37
Configuring Ethernet OAM Link Monitoring 64-38
Configuring Ethernet OAM Remote Failure Indications 64-42
Configuring Ethernet OAM Templates 64-45
Displaying Ethernet OAM Protocol Information 64-49

Ethernet CFM and Ethernet OAM Interaction 64-51
Configuring Ethernet OAM Interaction with CFM 64-51
Configuring the OAM Manager 64-52
Enabling Ethernet OAM 64-52
Example: Configuring Ethernet OAM and CFM 64-53

Configuring Y.1731 (AIS and RDI) 65-1

AIS and RDI Terminology 65-1

About Y.1731 65-2

Server MEP 65-2
Alarm Indication Signal 65-2
Ethernet Remote Defect Indication 65-3

Configuring Y.1731 65-4
Y.1731 Configuration Guidelines 65-4
Configuring AIS Parameters 65-5
Clearing MEP from the AIS Defect Condition 65-6
Clearing SMEP from the AIS Defect Condition 65-6
Displaying Y.1731 Information 65-6

Configuring Call Home 66-1

About Call Home 66-2
Obtaining Smart Call Home 66-2

Configuring Call Home 66-3
Configuring Contact Information 66-4
Configuring Destination Profiles 66-5
Copying a Destination Profile 66-6
Subscribing to Alert Groups 66-6
Configuring Periodic Notification 66-8
Configuring Message Severity Threshold 66-8
Configuring Syslog Pattern Matching 66-9
Configuring General E-Mail Options 66-9
Enabling Call Home 66-10
Testing Call Home Communications 66-10
Sending a Call Home Test Message Manually 66-11
Sending a Call Home Alert Group Message Manually 66-11
Sending a Request for an Analysis and Report 66-12
Sending the Output of a Command 66-13
Configuring and Enabling Smart Call Home 66-13
Displaying Call Home Configuration Information 66-14

Call Home Default Settings 66-18

Alert Group Trigger Events and Commands 66-18

Message Contents 66-21
Syslog Alert Notification in Long-Text Format Example 66-25
Syslog Alert Notification in XML Format Example 66-28

Configuring Cisco IOS IP SLA Operations 67-1

Understanding Cisco IOS IP SLAs 67-2
Using Cisco IOS IP SLAs to Measure Network Performance 67-3
IP SLAs Responder and IP SLAs Control Protocol 67-4

Response Time Computation for IP SLAs 67-4
IP SLAs Operation Scheduling 67-5
IP SLAs Operation Threshold Monitoring 67-5

Configuring IP SLAs Operations 67-6
IP SLA Default Configuration 67-6
IP SLA Configuration Guidelines 67-6
Configuring the IP SLAs Responder 67-7
Analyzing IP Service Levels by Using the UDP Jitter Operation 67-8
Analyzing IP Service Levels by Using the ICMP Echo Operation 67-11
Monitoring IP SLAs Operations 67-13

Configuring RMON 68-1

About RMON 68-1

Configuring RMON 68-3
Default RMON Configuration 68-3
Configuring RMON Alarms and Events 68-3
Configuring RMON Collection on an Interface 68-5

Displaying RMON Status 68-6

Performing Diagnostics 69-1
Configuring Online Diagnostics 69-1
Configuring On-Demand Online Diagnostics 69-2
Scheduling Online Diagnostics 69-2
Performing Diagnostics 69-3
Starting and Stopping Online Diagnostic Tests 69-3
Displaying Online Diagnostic Tests and Test Results 69-4
Displaying Data Path Online Diagnostics Test Results 69-7
Line Card Online Diagnostics 69-8
Troubleshooting with Online Diagnostics 69-8
Power-On Self-Test Diagnostics 69-10
Overview of Power-On Self-Test Diagnostics 69-10
POST Result Example 69-11
Power-On Self-Test Results 69-13
Sample Display of the POST on an Active Supervisor Engine 69-13
Sample Display of the POST on a Standby Supervisor Engine 69-16
Troubleshooting the Test Failures 69-20

Configuring WCCP Version 2 Services 70-1

About WCCP 70-1
Overview 70-2

Hardware Acceleration 70-2
Understanding WCCP Configuration 70-3
WCCP Features 70-4
HTTP and Non-HTTP Services Support 70-4
Multiple Routers Support 70-4
MD5 Security 70-5
Web Content Packet Return 70-5
Restrictions for WCCP 70-5

Configuring WCCP 70-6
Configuring a Service Group Using WCCP 70-6
Specifying a Web Cache Service 70-8
Using Access Lists for a WCCP Service Group 70-8
Setting a Password for a Router and Cache Engines 70-9
Verifying and Monitoring WCCP Configuration Settings 70-9

WCCP Configuration Examples 70-10
Performing a General WCCP Configuration Example 70-10
Running a Web Cache Service Example 70-10
Running a Reverse Proxy Service Example 70-10
Running TCP-Promiscuous Service Example 70-11
Running Redirect Access-List Example 70-11
Using Access Lists Example 70-11
Setting a Password for a Switch and Content Engines Example 70-11
Verifying WCCP Settings Example 70-12

Configuring MIB Support 71-1
Determining MIB Support for Cisco IOS Releases 71-1
Using Cisco IOS MIB Tools 71-2

Downloading and Compiling MIBs 71-2
Guidelines for Working with MIBs 71-3
Downloading MIBs 71-3
Compiling MIBs 71-4
Enabling SNMP Support 71-4

ROM Monitor 72-1

Entering the ROM Monitor 72-1

ROM Monitor Commands 72-2

ROM Monitor Command Descriptions 72-3

Configuration Register 72-3
Changing the Configuration Register Manually 72-3

Changing the Configuration Register Using Prompts 72-4

Console Download 72-4
Error Reporting 72-5
Debug Commands 72-5

Exiting the ROM Monitor 72-6

INDEX

Catalyst 4500 Series Switch Cisco IOS
Software Configuration Guide
Release IOS XE 3.6.0E and IOS 15.2(2)E

Americas Headquarters
Cisco Systems, Inc.
170 West Tasman Drive
San Jose, CA 95134-1706
USA
http://www.cisco.com
Tel: 408 526-4000
800 553-NETS (6387)
Fax: 408 527-0883

Customer Order Number: DOC-OL-30933=1
Customer Order Number: OL-30933-01
THE SPECIFICATIONS AND INFORMATION REGARDING THE PRODUCTS IN THIS MANUAL ARE SUBJECT TO CHANGE WITHOUT NOTICE. ALL
STATEMENTS, INFORMATION, AND RECOMMENDATIONS IN THIS MANUAL ARE BELIEVED TO BE ACCURATE BUT ARE PRESENTED WITHOUT
WARRANTY OF ANY KIND, EXPRESS OR IMPLIED. USERS MUST TAKE FULL RESPONSIBILITY FOR THEIR APPLICATION OF ANY PRODUCTS.

THE SOFTWARE LICENSE AND LIMITED WARRANTY FOR THE ACCOMPANYING PRODUCT ARE SET FORTH IN THE INFORMATION PACKET THAT
SHIPPED WITH THE PRODUCT AND ARE INCORPORATED HEREIN BY THIS REFERENCE. IF YOU ARE UNABLE TO LOCATE THE SOFTWARE LICENSE
OR LIMITED WARRANTY, CONTACT YOUR CISCO REPRESENTATIVE FOR A COPY.

The Cisco implementation of TCP header compression is an adaptation of a program developed by the University of California, Berkeley (UCB) as part of UCB’s public
domain version of the UNIX operating system. All rights reserved. Copyright © 1981, Regents of the University of California.

NOTWITHSTANDING ANY OTHER WARRANTY HEREIN, ALL DOCUMENT FILES AND SOFTWARE OF THESE SUPPLIERS ARE PROVIDED “AS IS” WITH
ALL FAULTS. CISCO AND THE ABOVE-NAMED SUPPLIERS DISCLAIM ALL WARRANTIES, EXPRESSED OR IMPLIED, INCLUDING, WITHOUT
LIMITATION, THOSE OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT OR ARISING FROM A COURSE OF
DEALING, USAGE, OR TRADE PRACTICE.

IN NO EVENT SHALL CISCO OR ITS SUPPLIERS BE LIABLE FOR ANY INDIRECT, SPECIAL, CONSEQUENTIAL, OR INCIDENTAL DAMAGES, INCLUDING,
WITHOUT LIMITATION, LOST PROFITS OR LOSS OR DAMAGE TO DATA ARISING OUT OF THE USE OR INABILITY TO USE THIS MANUAL, EVEN IF CISCO
OR ITS SUPPLIERS HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.

CCVP, the Cisco logo, and Welcome to the Human Network are trademarks of Cisco Systems, Inc.; Changing the Way We Work, Live, Play, and Learn is a service mark of
Cisco Systems, Inc.; and Access Registrar, Aironet, Catalyst, CCDA, CCDP, CCIE, CCIP, CCNA, CCNP, CCSP, Cisco, the Cisco Certified Internetwork Expert logo,
Cisco IOS, Cisco Press, Cisco Systems, Cisco Systems Capital, the Cisco Systems logo, Cisco Unity, Enterprise/Solver, EtherChannel, EtherFast, EtherSwitch, Fast Step,
Follow Me Browsing, FormShare, GigaDrive, HomeLink, Internet Quotient, IOS, iPhone, IP/TV, iQ Expertise, the iQ logo, iQ Net Readiness Scorecard, iQuick Study,
LightStream, Linksys, MeetingPlace, MGX, Networkers, Networking Academy, Network Registrar, PIX, ProConnect, ScriptShare, SMARTnet, StackWise, The Fastest Way
to Increase Your Internet Quotient, and TransPath are registered trademarks of Cisco Systems, Inc. and/or its affiliates in the United States and certain other countries.

All other trademarks mentioned in this document or Website are the property of their respective owners. The use of the word partner does not imply a partnership relationship
between Cisco and any other company. (0711R)

Catalyst 4500 Series Switch Cisco IOS Software Configuration Guide
Copyright © 1999–2012 Cisco Systems, Inc. All rights reserved.
Preface

This preface describes who should read this document, how it is organized, and its conventions. The
preface also tells you how to obtain Cisco documents, as well as how to obtain technical assistance.

Audience
This guide is for experienced network administrators who are responsible for configuring and
maintaining Catalyst 4500 series switches.

Organization
This guide is organized into the following chapters:

Chapter 1, Product Overview: Presents an overview of the Cisco IOS software for the Catalyst 4500 series switches.
Chapter 2, Command-Line Interfaces: Describes how to use the CLI.
Chapter 3, Configuring the Switch for the First Time: Describes how to perform a baseline configuration of the switch.
Chapter 4, Administering the Switch: Describes how to administer the switch.
Chapter 5, Configuring Virtual Switching Systems: Describes how to configure Virtual Switching Systems.
Chapter 6, Configuring the Cisco IOS In-Service Software Upgrade Process: Describes how to configure the IOS ISSU process on the switch.
Chapter 7, Configuring the Cisco IOS XE In Service Software Upgrade Process: Describes how to configure the IOS XE ISSU process on the switch.
Chapter 8, Configuring Interfaces: Describes how to configure non-layer-specific features on Fast Ethernet, Gigabit Ethernet, and 10-Gigabit Ethernet interfaces.
Chapter 9, Checking Port Status and Connectivity: Describes how to check module and interface status.
Chapter 10, Configuring Supervisor Engine Redundancy Using RPR and SSO on Supervisor Engine 6-E and Supervisor Engine 6L-E: Describes how to configure RPR and SSO on Supervisor Engines 6-E and 6L-E.
Chapter 11, Configuring Supervisor Engine Redundancy Using RPR and SSO on Supervisor Engine 7-E, Supervisor Engine 7L-E, and Supervisor Engine 8-E: Describes how to configure RPR and SSO on Supervisor Engines 7-E, 7L-E, and 8-E.
Chapter 12, Configuring Cisco NSF with SSO Supervisor Engine Redundancy: Describes how to configure supervisor engine redundancy using Cisco nonstop forwarding (NSF) with stateful switchover (SSO).
Chapter 13, Environmental Monitoring and Power Management: Describes how to configure power management and environmental monitoring features.
Chapter 14, Configuring Power over Ethernet: Describes how to configure Power over Ethernet (PoE).
Chapter 15, Configuring the Catalyst 4500 Series Switch with Cisco Network Assistant: Describes how to install and configure Network Assistant and Embedded CiscoView.
Chapter 16, Configuring VLANs, VTP, and VMPS: Describes how to configure VLANs, VTP, and VMPS.
Chapter 17, Configuring IP Unnumbered Interface: Describes how to configure IP Unnumbered support.
Chapter 18, Configuring Layer 2 Ethernet Interfaces: Describes how to configure interfaces to support Layer 2 features, including VLAN trunks.
Chapter 19, Configuring EVC-Lite: Describes how to enable EVC-Lite.
Chapter 20, Configuring SmartPort Macros: Describes how to configure SmartPort macros.
Chapter 21, Configuring Cisco IOS Auto Smartport Macros: Describes how to configure Auto SmartPort Macros.
Chapter 22, Configuring STP and MST: Describes how to configure the Spanning Tree Protocol (STP) and the Multiple Spanning Tree (MST) protocol and explains how they work.
Chapter 23, Configuring Flex Links and MAC Address-Table Move Update: Describes how to configure Flex Links on a switch.
Chapter 24, Configuring Resilient Ethernet Protocol: Describes how to configure Resilient Ethernet Protocol (REP).
Chapter 25, Configuring Optional STP Features: Describes how to configure the spanning-tree PortFast, UplinkFast, BackboneFast, and other STP features.
Chapter 26, Configuring EtherChannel and Link State Tracking: Describes how to configure Layer 2 and Layer 3 EtherChannel port bundles.
Chapter 27, Configuring IGMP Snooping and Filtering, and MVR: Describes how to configure Internet Group Management Protocol (IGMP) snooping and Multicast VLAN Registration (MVR).
Chapter 28, Configuring IPv6 Multicast Listener Discovery Snooping: Describes how to configure IPv6 MLD Snooping.
Chapter 29, Configuring 802.1Q Tunneling, VLAN Mapping, and Layer 2 Protocol Tunneling: Describes how to configure 802.1Q and Layer 2 protocol tunneling.
Chapter 30, Configuring CDP: Describes how to configure the Cisco Discovery Protocol (CDP).
Chapter 31, Configuring LLDP, LLDP-MED, and Location Service: Describes how to configure Link Layer Discovery Protocol (LLDP).
Chapter 32, Configuring UDLD: Describes how to configure the UniDirectional Link Detection (UDLD) protocol.
Chapter 33, Configuring Unidirectional Ethernet: Describes how to configure Unidirectional Ethernet.
Chapter 34, Configuring Layer 3 Interfaces: Describes how to configure interfaces to support Layer 3 features.
Chapter 35, Configuring Cisco Express Forwarding: Describes how to configure Cisco Express Forwarding (CEF) for IP unicast traffic.
Chapter 36, Configuring Unicast Reverse Path Forwarding: Describes how to configure Unicast Reverse Path Forwarding.
Chapter 37, Configuring IP Multicast: Describes how to configure IP Multicast Multilayer Switching (MMLS).
Chapter 38, Configuring ANCP Client: Describes how to configure ANCP.
Chapter 39, Configuring Bidirectional Forwarding Detection: Describes how to configure Bidirectional Forwarding Detection.
Chapter 40, Configuring Policy-Based Routing: Describes how to configure policy-based routing.
Chapter 41, Configuring VRF-lite: Describes how to configure multiple VPN routing/forwarding (multi-VRF) instances in customer edge (CE) devices.
Chapter 42, Configuring Quality of Service: Describes how to configure quality of service (QoS).
Chapter 43, Configuring Voice Interfaces: Describes how to configure voice interfaces.
Chapter 44, Configuring Private VLANs: Describes how to set up and modify private VLANs.
Chapter 45, Configuring MACsec Encryption: Describes how to configure MACsec encryption.
Chapter 46, Configuring 802.1X Port-Based Authentication: Describes how to configure 802.1X port-based authentication.
Chapter 47, Configuring the PPPoE Intermediate Agent: Describes how to configure the PPPoE Intermediate Agent.
Chapter 48, Configuring Web-Based Authentication: Describes how to configure web-based authentication.
Chapter 49, Configuring Port Security: Describes how to configure port security and trunk port security.
Chapter 50, Configuring Auto Security: Describes how to configure auto security.
Chapter 51, Configuring Control Plane Policing and Layer 2 Control Packet QoS: Describes how to protect your Catalyst 4500 series switch using control plane policing (CoPP).
Chapter 52, Configuring Dynamic ARP Inspection: Describes how to configure Dynamic ARP Inspection.
Chapter 53, Configuring DHCP Snooping, IP Source Guard, and IPSG for Static Hosts: Describes how to configure DHCP snooping and IP Source Guard.
Chapter 54, Configuring Network Security with ACLs: Describes how to configure ACLs, VACLs, and MACLs.
Chapter 55, Support for IPv6: Describes the support for IPv6 on the switch.
Chapter 56, Port Unicast and Multicast Flood Blocking: Describes how to configure unicast flood blocking.
Chapter 57, Configuring Storm Control: Describes how to configure storm control suppression.
Chapter 58, Configuring SPAN and RSPAN: Describes how to configure the Switched Port Analyzer (SPAN).
Chapter 59, Configuring Wireshark: Describes how to configure Wireshark, the Ethernet analyzer on the Catalyst 4500 series switch.
Chapter 60, Configuring Enhanced Object Tracking: Describes how to configure Enhanced Object Tracking.
Chapter 61, Configuring System Message Logging: Describes how to configure system message logging.
Chapter 62, Onboard Failure Logging (OBFL): Describes how to enable OBFL.
Chapter 63, Configuring SNMP: Describes how to configure the Simple Network Management Protocol (SNMP).
Chapter 64, Configuring NetFlow-lite: Describes how to configure NetFlow-lite.
Chapter 65, Configuring Flexible NetFlow: Describes how to configure Flexible NetFlow.
Chapter 66, Configuring Ethernet OAM and CFM: Describes how to configure Ethernet OAM and CFM.
Chapter 67 Configuring Y.1731 (AIS and Describes how to configure Y.1731.
RDI)
Chapter 68 Configuring Call Home Describes how to configure Call Home.
Chapter 69 Configuring Cisco IOS IP SLA Describes how to configure Cisco IOS IP SLA
Operations operations.
Chapter 70 Configuring RMON Describes how to configure Remote Network
Monitoring (RMON).
Chapter 71 Performing Diagnostics Describes various types of diagnostics on the
Catalyst 4500 series switch.

Software Configuration Guide—Release IOS XE 3.6.0E and IOS 15.2(2)E
6 OL-30933-01
Preface

Chapter Title Description
Chapter 72 Configuring WCCP Version 2 Describes how to configure the Catalyst 4500 series
Services switches to redirect traffic to cache engines (web
caches) using the Web Cache Communication
Protocol (WCCP), and describes how to manage
cache engine clusters (cache farms).
Chapter 73 Configuring MIB Support Describes how to configure SNMP and MIB
support.
Chapter 74 ROM Monitor Describes the ROM Monitor.
Appendix A Acronyms and Abbreviations Defines acronyms and abbreviations used in this
book.

Conventions
This document uses the following typographical conventions:

Convention: Description
boldface font: Commands, command options, and keywords are in boldface.
italic font: Command arguments for which you supply values are in italics.
[ ]: Command elements in square brackets are optional.
{x|y|z}: Alternative keywords in command lines are grouped in braces and separated by vertical bars.
[x|y|z]: Optional alternative keywords are grouped in brackets and separated by vertical bars.
string: An unquoted set of characters. Do not use quotation marks around the string because the string will include the quotation marks.
screen font: System displays are in screen font.
boldface screen font: Information you must enter verbatim is in boldface screen font.
italic screen font: Arguments for which you supply values are in italic screen font.
This pointer highlights an important line of text in an example.
^: Represents the key labeled Control—for example, the key combination ^D in a screen display means hold down the Control key while you press the D key.
< >: Nonprinting characters such as passwords are in angle brackets.

Notes use the following conventions:

Note Means reader take note. Notes contain helpful suggestions or references to material not covered in the
publication.

Cautions use the following conventions:


Caution Means reader be careful. In this situation, you might do something that could result in equipment
damage or loss of data.

Related Documentation
Refer to the following documents for additional Catalyst 4500 series information:
• Catalyst 4500 Series Switch Documentation Home
http://www.cisco.com/en/US/products/hw/switches/ps4324/tsd_products_support_series_home.html
• Catalyst 4900 Series Switch Documentation Home
http://www.cisco.com/en/US/products/ps6021/index.html

Hardware Documents
Installation guides and notes including specifications and relevant safety information are available at the
following URLs:
• Catalyst 4500 Series Switches Installation Guide
http://www.cisco.com/en/US/docs/switches/lan/catalyst4500/hardware/installation/guide/78-14409-08/4500inst.html
• Catalyst 4500 E-series Switches Installation Guide
http://www.cisco.com/en/US/docs/switches/lan/catalyst4500/hardware/catalyst4500e/installation/guide/Eseries.html
• For information about individual switching modules and supervisors, refer to the Catalyst 4500
Series Module Installation Guide at:
http://www.cisco.com/en/US/docs/switches/lan/catalyst4500/hardware/configuration/notes/OL_25315.html
• Regulatory Compliance and Safety Information for the Catalyst 4500 Series Switches
http://www.cisco.com/en/US/docs/switches/lan/catalyst4500/hardware/regulatory/compliance/78_13233.html
• Installation notes for specific supervisor engines or for accessory hardware are available at:
http://www.cisco.com/en/US/products/hw/switches/ps4324/prod_installation_guides_list.html
• Catalyst 4900 and 4900M hardware installation information is available at:
http://www.cisco.com/en/US/products/ps6021/prod_installation_guides_list.html
• Catalyst 4500-X hardware installation information is available at:
http://www.cisco.com/en/US/products/ps12332/prod_installation_guides_list.html


Software Documentation
Software release notes, configuration guides, command references, and system message guides are
available at the following URLs:
• Cisco 4500-X release notes are available at:
http://www.cisco.com/en/US/products/ps12332/prod_release_notes_list.html
• Catalyst 4500E release notes are available at:
http://www.cisco.com/en/US/products/hw/switches/ps4324/prod_release_notes_list.html
• Catalyst 4500 release notes are available at:
http://www.cisco.com/en/US/products/hw/switches/ps4324/prod_release_notes_list.html
• Catalyst 4900 release notes are available at:
http://www.cisco.com/en/US/products/ps6021/prod_release_notes_list.html
Software documents for the Catalyst 4500 Classic, Catalyst 4500 E-Series, Catalyst 4900 Series, and
Catalyst 4500-X Series switches are available at the following URLs:
• Catalyst 4500 Series Software Configuration Guide
http://www.cisco.com/en/US/products/hw/switches/ps4324/products_installation_and_configuration_guides_list.html
• Catalyst 4500 Series Software Command Reference
http://www.cisco.com/en/US/products/hw/switches/ps4324/prod_command_reference_list.html
• Catalyst 4500 Series Software System Message Guide
http://www.cisco.com/en/US/products/hw/switches/ps4324/products_system_message_guides_list.html

Cisco IOS Documentation
Platform-independent Cisco IOS documentation may also apply to the Catalyst 4500 and 4900 switches.
These documents are available at the following URLs:
• Cisco IOS configuration guides, Release 15.2M&T
http://www.cisco.com/c/en/us/support/ios-nx-os-software/ios-15-2m-t/products-installation-and-configuration-guides-list.html
• Cisco IOS command references, Release 15.2M&T
http://www.cisco.com/c/en/us/support/ios-nx-os-software/ios-15-2m-t/products-command-reference-list.html
You can also use the Command Lookup Tool at:
http://tools.cisco.com/Support/CLILookup/cltSearchAction.do
• Cisco IOS system messages, version 12.x
http://www.cisco.com/c/en/us/support/ios-nx-os-software/ios-15-2m-t/products-system-message-guides-list.html
You can also use the Error Message Decoder tool at:
http://www.cisco.com/pcgi-bin/Support/Errordecoder/index.cgi


Commands in Task Tables
Commands listed in task tables show only the relevant information for completing the task and not all
available options for the command. For a complete description of a command, refer to the command in
the Catalyst 4500 Series Switch Cisco IOS Command Reference.

Notices
The following notices pertain to this software license.

OpenSSL/Open SSL Project
This product includes software developed by the OpenSSL Project for use in the OpenSSL Toolkit
(http://www.openssl.org/).
This product includes cryptographic software written by Eric Young (eay@cryptsoft.com).
This product includes software written by Tim Hudson (tjh@cryptsoft.com).

License Issues
The OpenSSL toolkit stays under a dual license; that is, both the conditions of the OpenSSL License and
the original SSLeay license apply to the toolkit. See below for the actual license texts. Actually both
licenses are BSD-style Open Source licenses. In case of any license issues related to OpenSSL please
contact openssl-core@openssl.org.

OpenSSL License:
Copyright © 1998-2007 The OpenSSL Project. All rights reserved.
Redistribution and use in source and binary forms, with or without modification, are permitted provided
that the following conditions are met:
1. Redistributions of source code must retain the copyright notice, this list of conditions and the
following disclaimer.
2. Redistributions in binary form must reproduce the above copyright notice, this list of conditions, and
the following disclaimer in the documentation and/or other materials provided with the distribution.
3. All advertising materials mentioning features or use of this software must display the following
acknowledgment: “This product includes software developed by the OpenSSL Project for use in the
OpenSSL Toolkit (http://www.openssl.org/)”.
4. The names “OpenSSL Toolkit” and “OpenSSL Project” must not be used to endorse or promote
products derived from this software without prior written permission. For written permission, please
contact openssl-core@openssl.org.
5. Products derived from this software may not be called “OpenSSL” nor may “OpenSSL” appear in
their names without prior written permission of the OpenSSL Project.
6. Redistributions of any form whatsoever must retain the following acknowledgment:
“This product includes software developed by the OpenSSL Project for use in the OpenSSL Toolkit
(http://www.openssl.org/)”.


THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT “AS IS” AND ANY EXPRESSED OR
IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN
NO EVENT SHALL THE OpenSSL PROJECT OR ITS CONTRIBUTORS BE LIABLE FOR ANY
DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
(INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH
DAMAGE.
This product includes cryptographic software written by Eric Young (eay@cryptsoft.com). This product
includes software written by Tim Hudson (tjh@cryptsoft.com).

Original SSLeay License:
Copyright © 1995-1998 Eric Young (eay@cryptsoft.com). All rights reserved.
This package is an SSL implementation written by Eric Young (eay@cryptsoft.com).
The implementation was written so as to conform with Netscapes SSL.
This library is free for commercial and non-commercial use as long as the following conditions are
adhered to. The following conditions apply to all code found in this distribution, be it the RC4, RSA,
lhash, DES, etc., code; not just the SSL code. The SSL documentation included with this distribution is
covered by the same copyright terms except that the holder is Tim Hudson (tjh@cryptsoft.com).
Copyright remains Eric Young’s, and as such any Copyright notices in the code are not to be removed.
If this package is used in a product, Eric Young should be given attribution as the author of the parts of
the library used. This can be in the form of a textual message at program startup or in documentation
(online or textual) provided with the package.
Redistribution and use in source and binary forms, with or without modification, are permitted provided
that the following conditions are met:
1. Redistributions of source code must retain the copyright notice, this list of conditions and the
following disclaimer.
2. Redistributions in binary form must reproduce the above copyright notice, this list of conditions and
the following disclaimer in the documentation and/or other materials provided with the distribution.
3. All advertising materials mentioning features or use of this software must display the following
acknowledgement:
“This product includes cryptographic software written by Eric Young (eay@cryptsoft.com)”.
The word ‘cryptographic’ can be left out if the routines from the library being used are not
cryptography-related.
4. If you include any Windows specific code (or a derivative thereof) from the apps directory
(application code) you must include an acknowledgement: “This product includes software written
by Tim Hudson (tjh@cryptsoft.com)”.
THIS SOFTWARE IS PROVIDED BY ERIC YOUNG “AS IS” AND ANY EXPRESS OR IMPLIED
WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO
EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT,
INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY


THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
(INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
The license and distribution terms for any publicly available version or derivative of this code cannot be
changed, that is, this code cannot be copied and put under another distribution license [including the
GNU Public License].

Obtaining Documentation and Submitting a Service Request
For information on obtaining documentation, submitting a service request, and gathering additional
information, see the monthly What’s New in Cisco Product Documentation, which also lists all new and
revised Cisco technical documentation, at:
http://www.cisco.com/en/US/docs/general/whatsnew/whatsnew.html
Subscribe to the What’s New in Cisco Product Documentation as a Really Simple Syndication (RSS) feed
and set content to be delivered directly to your desktop using a reader application. The RSS feeds are a free
service and Cisco currently supports RSS Version 2.0.

Chapter 1
Product Overview

This chapter provides an overview of Catalyst 4500 series switches and includes the following major
sections:
• Layer 2 Software Features, page 1-1
• Layer 3 Software Features, page 1-13
• Management Features, page 1-23
• Security Features, page 1-33
• New and Modified IOS Software Features Supported in Cisco IOS 15.2(1)E and Cisco IOS XE
3.5.0E, page 1-44

Note For more information about the chassis, modules, and software features supported by the
Catalyst 4500 series switch, refer to the Release Notes for the Catalyst 4500 Series Switch at this
location:

http://www.cisco.com/en/US/products/hw/switches/ps4324/index.html

Layer 2 Software Features
The following subsections describe the key Layer 2 switching software features on the
Catalyst 4500 series switch:
• 802.1Q Tunneling, VLAN Mapping, and Layer 2 Protocol Tunneling, page 1-2
• Cisco IOS Auto Smartport Macros, page 1-2
• Cisco Discovery Protocol, page 1-3
• Cisco Group Management Protocol (CGMP) server, page 1-3
• EtherChannel Bundles, page 1-3
• Ethernet CFM, page 1-3
• Ethernet OAM Protocol, page 1-3
• Flex Links and MAC Address-Table Move Update, page 1-4
• Flexible NetFlow (Supervisor Engine 7-E, 7L-E, and 8-E only), page 1-4
• Internet Group Management Protocol (IGMP) Snooping, page 1-4
• IPv6 Multicast BSR and BSR Scoped Zone Support, page 1-5


• IPv6 Multicast Listen Discovery (MLD) and Multicast Listen Discovery Snooping, page 1-6
• Jumbo Frames, page 1-6
• Link Aggregation Control Protocol, page 1-7
• Link Layer Discovery Protocol, page 1-7
• Link State Tracking, page 1-8
• Location Service, page 1-8
• Multiple Spanning Tree, page 1-8
• Per-VLAN Rapid Spanning Tree, page 1-8
• Quality of Service, page 1-9
• Resilient Ethernet Protocol, page 1-10
• SmartPort Macros, page 1-10
• Spanning Tree Protocol, page 1-10
• Stateful Switchover, page 1-10
• SVI Autostate, page 1-11
• Unidirectional Link Detection, page 1-11
• VLANs, page 1-11
• Virtual Switching Systems (Catalyst 4500-X and Supervisor Engine 7-E, 7L-E, and 8-E), page 1-12
• Virtual Switch System Client, page 1-12
• Y.1731 (AIS and RDI), page 1-13

802.1Q Tunneling, VLAN Mapping, and Layer 2 Protocol Tunneling
802.1Q tunneling is a Q-in-Q technique that expands the VLAN space by retagging the tagged packets
that enter the service provider infrastructure. 802.1Q tunneling allows service providers to assign a
VLAN to each customer without losing the original customer VLAN IDs inside the tunnel. All data
traffic that enters the tunnel is encapsulated with the tunnel VLAN ID. Layer 2 Protocol Tunneling is a
similar technique for all Layer 2 control traffic.
To map customer VLANs to service-provider VLANs, you can configure VLAN mapping (or VLAN ID
translation) on trunk ports connected to a customer network. Packets entering the port are mapped to a
service provider VLAN (S-VLAN) based on the port number and the original customer VLAN-ID
(C-VLAN) of the packet.
For information on configuring 802.1Q tunneling and VLAN Mapping, see Chapter 29, “Configuring
802.1Q Tunneling, VLAN Mapping, and Layer 2 Protocol Tunneling.”
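As an added illustration of the retagging and VLAN mapping described above (example code, not Cisco's), the following Python models a tunnel port's ingress and egress at the frame level: a tagged customer frame is mapped to an S-VLAN by (port, C-VLAN), the S-VLAN tag is pushed in front of the customer tag so the C-VLAN survives inside the tunnel, and the outer tag is popped again on egress. The outer TPID 0x8100, the port name Gi1/1 and the mapping table are assumptions.

```python
"""Q-in-Q (802.1Q tunneling) with VLAN mapping, as a constructed model."""
import struct

TPID_DOT1Q = 0x8100  # 802.1Q tag protocol identifier (assumed for the outer tag too)

# Constructed mapping table: (ingress port, C-VLAN) -> S-VLAN.
# An entry with C-VLAN None is the port's default tunnel VLAN, used for
# untagged frames and for C-VLANs that have no explicit mapping.
VLAN_MAP = {
    ("Gi1/1", 10): 100,
    ("Gi1/1", 20): 200,
    ("Gi1/1", None): 999,
}


def parse_tag(frame: bytes):
    """Return (tpid, pcp, dei, vid) of the outermost tag, or None if untagged."""
    if len(frame) < 18:
        raise ValueError("frame too short")
    tpid, tci = struct.unpack("!HH", frame[12:16])
    if tpid != TPID_DOT1Q:
        return None
    return tpid, tci >> 13, (tci >> 12) & 1, tci & 0x0FFF


def build_tci(pcp: int, dei: int, vid: int) -> int:
    """Pack PCP (3 bits), DEI (1 bit) and VID (12 bits) into a TCI value."""
    if not (0 <= pcp <= 7 and dei in (0, 1) and 1 <= vid <= 4094):
        raise ValueError("invalid TCI fields")
    return (pcp << 13) | (dei << 12) | vid


def lookup_svlan(port: str, cvlan) -> int:
    """Pick the S-VLAN for (port, C-VLAN), falling back to the port default."""
    svlan = VLAN_MAP.get((port, cvlan))
    if svlan is None:
        svlan = VLAN_MAP.get((port, None))
    if svlan is None:
        raise LookupError(f"no tunnel VLAN configured for port {port}")
    return svlan


def tunnel_ingress(port: str, frame: bytes) -> bytes:
    """Push the S-VLAN tag; the customer tag (if any) stays intact inside."""
    tag = parse_tag(frame)
    cvlan = tag[3] if tag else None
    pcp = tag[1] if tag else 0          # carry the customer priority outward
    svlan = lookup_svlan(port, cvlan)
    outer = struct.pack("!HH", TPID_DOT1Q, build_tci(pcp, 0, svlan))
    return frame[:12] + outer + frame[12:]


def tunnel_egress(frame: bytes) -> bytes:
    """Pop the outer S-VLAN tag on the way back toward the customer."""
    if parse_tag(frame) is None:
        raise ValueError("frame is not tunnel-tagged")
    return frame[:12] + frame[16:]


def make_frame(vid=None, payload: bytes = b"\x00" * 46) -> bytes:
    """Constructed Ethernet/IPv4 frame, tagged with C-VLAN vid when given."""
    hdr = bytes.fromhex("00112233445566778899aabb")  # dst + src MAC (constructed)
    tag = struct.pack("!HH", TPID_DOT1Q, build_tci(5, 0, vid)) if vid else b""
    return hdr + tag + struct.pack("!H", 0x0800) + payload


if __name__ == "__main__":
    customer = make_frame(10)
    inside = tunnel_ingress("Gi1/1", customer)
    print("outer tag:", parse_tag(inside))                   # S-VLAN 100
    print("inner tag:", parse_tag(inside[:12] + inside[16:]))  # C-VLAN 10 preserved
    print("round trip ok:", tunnel_egress(inside) == customer)
```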

Cisco IOS Auto Smartport Macros
Cisco IOS Auto SmartPort macros dynamically configure ports based on the device type detected on the
port. When the switch detects a new device on a port it applies the appropriate Cisco IOS Auto
Smartports macro. When a link-down event occurs on the port, the switch removes the macro. For
example, when you connect a Cisco IP phone to a port, Cisco IOS Auto SmartPorts automatically applies
the IP phone macro. The IP phone macro enables quality of service (QoS), security features, and a
dedicated voice VLAN to ensure proper treatment of delay-sensitive voice traffic.


For information on configuring SmartPort macros, see Chapter 21, “Configuring Cisco IOS Auto
Smartport Macros.”

Cisco Discovery Protocol
The Cisco Discovery Protocol (CDP) is a device-discovery protocol that is both media- and
protocol-independent. CDP is available on all Cisco products, including routers, switches, bridges, and
access servers. Using CDP, a device can advertise its existence to other devices and receive information
about other devices on the same LAN. CDP enables Cisco switches and routers to exchange information,
such as their MAC addresses, IP addresses, and outgoing interfaces. CDP runs over the data-link layer
only, allowing two systems that support different network-layer protocols to learn about each other. Each
device configured for CDP sends periodic messages to a multicast address. Each device advertises at
least one address at which it can receive Simple Network Management Protocol (SNMP) messages.
For information on configuring CDP, see Chapter 30, “Configuring CDP.”

Cisco Group Management Protocol (CGMP) server
CGMP server manages multicast traffic. Multicast traffic is forwarded only to ports with attached hosts
that request the multicast traffic.

EtherChannel Bundles
EtherChannel port bundles allow you to create high-bandwidth connections between two switches by
grouping multiple ports into a single logical transmission path.
For information on configuring EtherChannel, see Chapter 26, “Configuring EtherChannel and Link
State Tracking.”

Ethernet CFM
Ethernet CFM is an end-to-end per-service-instance (per-VLAN) Ethernet layer OAM protocol that
includes proactive connectivity monitoring, fault verification, and fault isolation. End-to-end can be
provider-edge-to-provider-edge (PE-to-PE) device or customer-edge-to-customer-edge (CE-to-CE)
device. Ethernet CFM, as specified by IEEE 802.1ag, is the standard for Layer 2 ping, Layer 2 traceroute,
and end-to-end connectivity check of the Ethernet network.
For information about CFM, see Chapter 66, “Configuring Ethernet OAM and CFM.”

Ethernet OAM Protocol
Ethernet Operations, Administration, and Maintenance (OAM) is a protocol for installing, monitoring,
and troubleshooting Ethernet networks to increase management capability within the context of the
overall Ethernet infrastructure. You can implement Ethernet OAM on any full-duplex, point-to-point, or
emulated point-to-point Ethernet link for a network or part of a network (specified interfaces).
For information about OAM, see Chapter 66, “Configuring Ethernet OAM and CFM.”


Flex Links and MAC Address-Table Move Update
Flex Links are a pair of Layer 2 interfaces (switch ports or port channels) where one interface is
configured to act as a backup to the other. The feature provides an alternative solution to the Spanning
Tree Protocol (STP). Flex Links are typically configured in service provider or enterprise networks
where customers do not want to run STP on the switch.
MAC Address-Table Move Update allows a switch to provide rapid bidirectional convergence when a
primary (forwarding) link goes down and the standby link begins forwarding traffic.
For information about Flex Links and MAC Address-Table Move Update, see Chapter 23, “Configuring
Flex Links and MAC Address-Table Move Update.”

Flexible NetFlow (Supervisor Engine 7-E, 7L-E, and 8-E only)
A flow is defined as a unique set of key field attributes, which might include packet fields, packet
routing attributes, and input and output interface information. A NetFlow feature defines a flow as a
sequence of packets that have the same values for the feature's key fields. Flexible NetFlow (FNF) allows
a flow record that specifies various flow attributes to be collected and optionally exported. NetFlow
collection supports IP, IPv6, and Layer 2 traffic.
For information on configuring Flexible NetFlow, see Chapter 65, “Configuring Flexible NetFlow.”

Internet Group Management Protocol (IGMP) Snooping
IGMP snooping manages multicast traffic. The switch software examines IP multicast packets and
forwards packets based on their content. Multicast traffic is forwarded only to ports with attached
hosts that request multicast traffic.
Support for IGMPv3 provides constrained flooding of multicast traffic in the presence of IGMPv3
hosts or routers. IGMPv3 snooping listens to IGMPv3 query and membership report messages to
maintain host-to-multicast group associations. It enables a switch to propagate multicast data only
to ports that need it. IGMPv3 snooping is fully interoperable with IGMPv1 and IGMPv2.
Explicit Host Tracking (EHT) is an extension to IGMPv3 snooping. EHT enables immediate leave
operations on a per-port basis. EHT can be used to track per host membership information or to
gather statistics about all IGMPv3 group members.
The IGMP Snooping Querier is a Layer 2 feature required to support IGMP snooping in a VLAN
where PIM and IGMP are not configured because the multicast traffic does not require routing.
With SSO support, Stateful IGMP Snooping propagates the IGMP data learned by the active
supervisor engine to the redundant supervisor engine so that when a switchover occurs, the newly
active supervisor engine is aware of the multicast group membership, which alleviates a disruption
to multicast traffic during a switchover.
Beginning with Release IOS XE 3.5.0E and IOS 15.2(1)E, the Catalyst 4500 series switch supports
an application of local IGMP snooping, Multicast VLAN Registration (MVR). MVR is designed for
applications using wide-scale deployment of multicast traffic across an Ethernet ring-based service
provider network (for example, the broadcast of multiple television channels over a service-provider
network). MVR allows a subscriber on a port to subscribe and unsubscribe to a multicast stream on
the network-wide multicast VLAN. It allows the single multicast VLAN to be shared in the network
while subscribers remain in separate VLANs.


For information on configuring IGMP snooping and MVR, see Chapter 27, “Configuring IGMP
Snooping and Filtering, and MVR.”

IPv6 Multicast BSR and BSR Scoped Zone Support
The bootstrap router (BSR) protocol for PIM-SM provides a dynamic, adaptive mechanism to
distribute group-to-RP mapping information rapidly throughout a domain. With the IPv6 BSR
feature, if an RP becomes unreachable, it will be detected and the mapping tables will be modified
so that the unreachable RP is no longer used, and the new tables will be rapidly distributed
throughout the domain.
BSR provides scoped zone support by distributing group-to-RP mappings in networks using
administratively scoped multicast. The user can configure candidate BSRs and a set of candidate
RPs for each administratively scoped region in the user's domain.
For information on BSR and BSR Scoped Zone Support, see this URL with the following caveats
related to support on a Catalyst 4500 Series switch:
http://www.cisco.com/en/US/docs/ios-xml/ios/ipmulti_pim/configuration/xe-3s/ip6-mcast-bsr.html
– In the section “IPv6 BSR: Scoped Zone Support," a paragraph starts as follows:
Unless the C-RP is configured with a scope, it discovers the existence of the administratively
scoped zone and its group range through reception of a BSM from the scope zone's elected BSR
containing the scope zone's group range.
A C-RP can no longer be configured with a scope. So, the sentence should read:
A C-RP discovers the existence of the administratively scoped zone and its group range through
reception of a BSM from the scope zone's elected BSR containing the scope zone's group range.
– In the section "Configuring a BSR and Verifying BSR Information" in Step 3 under Summary
Steps and Detailed Steps, the command for configuring a C-BSR is listed as:
ipv6 pim [vrf vrf-name] bsr candidate bsr ipv6-address [hash-mask-length] [priority
priority-value]
Because the original syntax mistakenly excludes scope scope-value, and because the new option
(accept-rp-candidate access-list-name) is supported with this release, the command should read:
ipv6 pim [vrf vrf-name] bsr candidate bsr ipv6-address [hash-mask-length] [priority
priority-value] [scope scope-value] [accept-rp-candidate access-list-name]
– In the section "Sending PIM RP Advertisements to the BSR" in Step 3 under Summary and
Detailed Steps, the keyword scope scope-value should be removed. The scope keyword no
longer exists for C-RPs.
– In the section "Configuring BSR for Use Within Scoped Zones,” several changes apply.
The following paragraph:
If scope is specified on the candidate RP, then this device will advertise itself as C-RP only to
the BSR for the specified scope. If the group list is specified along with the scope, then only
prefixes in the access list with the same scope as that configured will be advertised.
Should read:
The candidate RP will advertise the different ranges it serves to the respective elected BSRs. If
a group list is specified, for each of the prefixes in the group list, it will verify that there is an
elected scoped BSR for the scope of the prefix. If none exists, the prefix will be announced to the
elected non-scoped BSR, provided one is present.


Note: If a prefix is not scope specific (for example, FF00::/8), it will only be announced to a
non-scoped BSR. If the candidate RP is not configured with a group list, it will behave as if a
group list with only the prefix FF00::/8 is configured.
Under the Summary Steps, steps 3 and 4 should read as follows:
ipv6 pim [vrf vrf-name] bsr candidate bsr ipv6-address [hash-mask-length] [priority
priority-value] [scope scope-value] [accept-rp-candidate access-list-name]
ipv6 pim [vrf vrf-name] bsr candidate rp ipv6-address [group-list access-list-name] [priority
priority-value] [interval seconds] [bidir]
Under the Detailed Steps, Step 3 should read:
ipv6 pim [vrf vrf-name] bsr candidate bsr ipv6-address [hash-mask-length] [priority
priority-value] [scope scope-value] [accept-rp-candidate access-list-name]
Example:
Device(config)# ipv6 pim bsr candidate bsr 2001:DB8:1:1:4 scope 6

Under the Detailed Steps, Step 4 should read:
ipv6 pim [vrf vrf-name] bsr candidate rp ipv6-address [group-list access-list-name] [priority
priority-value] [interval seconds] [bidir]
Example:
Device(config)# ipv6 pim bsr candidate rp 2001:DB8:1:1:1 group-list list

– In the section "Configuring BSR Devices to Announce Scope-to-RP Mappings,” the keyword
scope scope-value should be removed from Step 3, both under Summary and Detail Steps.
– In the “Additional References” section, it would be helpful to reference RFC 5059.

IPv6 Multicast Listen Discovery (MLD) and Multicast Listen Discovery
Snooping
MLD is a protocol used by IPv6 multicast devices to discover the presence of multicast listeners
(nodes that want to receive IPv6 multicast packets) on its directly attached links and to discover
which multicast packets are of interest to neighboring nodes. MLD snooping is supported in two
different versions: MLD v1 and MLD v2. Network switches use MLD snooping to limit the flooding
of multicast traffic, so that IPv6 multicast data is selectively forwarded to the list of ports that want
to receive it instead of being flooded to all ports in a VLAN. This lessens the load on devices in the
network, minimizes unnecessary bandwidth use on links, and enables efficient distribution of IPv6
multicast data.
For information on configuring multicast services, see Chapter 37, “Configuring IP Multicast.”

Jumbo Frames
The jumbo frames feature allows the switch to forward packets as large as 9216 bytes (larger than the
IEEE Ethernet MTU), rather than declare those frames “oversize” and discard them. This feature is
typically used for large data transfers. The jumbo frames feature can be configured on a per-port basis
on Layer 2 and Layer 3 interfaces. The feature is supported only on the following hardware:
• WS-X4306-GB: all ports
• WS-X4232-GB-RJ: ports 1-2
• WS-X4418-GB: ports 1-2
• WS-X4412-2GB-TX: ports 13-14
• WS-4648-RJ45V-E
• WS-X4648+RJ45V+E
• WS-X4706-10GE linecards
• supervisor engine uplink ports
For information on Jumbo Frames, see Chapter 8, “Configuring Interfaces.”

Link Aggregation Control Protocol
LACP supports the automatic creation of EtherChannels by exchanging LACP packets between LAN
ports. LACP packets are exchanged only between ports in passive and active modes. The protocol
"learns" the capabilities of LAN port groups dynamically and informs the other LAN ports. After LACP
identifies correctly matched Ethernet links, it facilitates grouping the links into an EtherChannel. Then
the EtherChannel is added to the spanning tree as a single bridge port.

Cisco IOS XE IP Application Services Features in Cisco IOS XE 3.1.0SG
This section lists the IP Application Services software features that are supported in Cisco IOS XE
3.1.0SG. Links to the feature documentation are included.
Feature guides may contain information about more than one feature. To find information about a
specific feature within a feature guide, see the Feature Information table at the end of the guide.
Feature guides document features that are supported on many different software releases and platforms.
Your Cisco software release or platform may not support all the features documented in a feature guide.
See the Feature Information table at the end of the feature guide for information about which features in
that guide are supported in your software release. Use Cisco Feature Navigator to find information about
platform support and Cisco software image support. To access Cisco Feature Navigator, go to
http://www.cisco.com/go/cfn. An account on Cisco.com is not required.

IEEE 802.3ad Link Aggregation (LACP)
http://www.cisco.com/en/US/docs/ios/cether/configuration/guide/ce_lnkbndl.html

Link Aggregation Control Protocol (LACP) (802.3ad) for Gigabit Interfaces
http://www.cisco.com/en/US/docs/ios/ios_xe/cether/configuration/guide/ce_lnkbndl_xe.html

Link Layer Discovery Protocol
To support non-Cisco devices and to allow for interoperability between other devices, the switch
supports the IEEE 802.1AB LLDP. Link Layer Discovery Protocol (LLDP) is a neighbor discovery
protocol that is used for network devices to advertise information about themselves to other devices on
the network. This protocol runs over the data-link layer, which allows two systems running different
network layer protocols to learn about each other.
LLDP supports a set of attributes that it uses to discover neighbor devices. These attributes contain type, length, and value descriptions and are referred to as TLVs. LLDP-supported devices can use TLVs to receive and send information to their neighbors. Details such as configuration information, device capabilities, and device identity can be advertised using this protocol.
For information on configuring LLDP, see Chapter 31, “Configuring LLDP, LLDP-MED, and Location
Service.”
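A parser for the LLDP TLV format described above, added here as an example and not taken from this guide; it rejects truncated frames and enforces the mandatory Chassis ID, Port ID and TTL ordering, which is what a defender wants before trusting what a neighbor advertises. The sample LLDPDU, its MAC address, interface name and system name are constructed.

```python
import struct

# IEEE 802.1AB TLV types; every TLV starts with a 16-bit header:
# 7-bit type, 9-bit length, followed by `length` bytes of value
TLV_END, TLV_CHASSIS_ID, TLV_PORT_ID, TLV_TTL = 0, 1, 2, 3
TLV_PORT_DESC, TLV_SYSTEM_NAME, TLV_SYSTEM_DESC = 4, 5, 6
_TEXT_TLVS = {TLV_PORT_DESC: "port_description",
              TLV_SYSTEM_NAME: "system_name",
              TLV_SYSTEM_DESC: "system_description"}


def _iter_tlvs(data):
    """Yield (type, value) for each TLV up to the End-of-LLDPDU TLV,
    rejecting frames that are truncated or lack the End TLV."""
    offset = 0
    while True:
        if offset + 2 > len(data):
            raise ValueError("LLDPDU ended before an End TLV")
        (header,) = struct.unpack_from("!H", data, offset)
        tlv_type, tlv_len = header >> 9, header & 0x1FF
        offset += 2
        if offset + tlv_len > len(data):
            raise ValueError(f"TLV type {tlv_type}: length {tlv_len} runs past frame end")
        value = data[offset:offset + tlv_len]
        offset += tlv_len
        if tlv_type == TLV_END:
            if tlv_len != 0:
                raise ValueError("End TLV must have zero length")
            return
        yield tlv_type, value


def _decode_id(value, mac_subtype, text_subtypes):
    """Chassis ID / Port ID value: one subtype byte then the identifier.
    MAC subtypes are rendered as colon-hex, text subtypes decoded, others hex."""
    if len(value) < 2:
        raise ValueError("ID TLV needs a subtype byte and at least one ID byte")
    subtype, ident = value[0], value[1:]
    if subtype == mac_subtype:
        if len(ident) != 6:
            raise ValueError("MAC-address subtype must carry exactly 6 bytes")
        return ":".join(f"{b:02x}" for b in ident)
    if subtype in text_subtypes:
        return ident.decode("utf-8", errors="replace")
    return ident.hex()


def parse_lldpdu(data):
    """Parse one LLDPDU (the Ethernet payload after EtherType 0x88CC) into a dict."""
    tlvs = list(_iter_tlvs(data))
    types = [t for t, _ in tlvs]
    # 802.1AB requires Chassis ID, Port ID and TTL first, in that order, exactly once each
    mandatory = (TLV_CHASSIS_ID, TLV_PORT_ID, TLV_TTL)
    if (types[:3] != list(mandatory)
            or any(types.count(t) != 1 for t in mandatory)):
        raise ValueError("mandatory TLVs missing, duplicated or out of order")
    info = {}
    for tlv_type, value in tlvs:
        if tlv_type == TLV_CHASSIS_ID:
            # chassis subtype 4 = MAC address; 1, 2, 3, 6, 7 are textual
            info["chassis_id"] = _decode_id(value, 4, (1, 2, 3, 6, 7))
        elif tlv_type == TLV_PORT_ID:
            # port subtype 3 = MAC address; 1, 2, 5, 7 are textual
            info["port_id"] = _decode_id(value, 3, (1, 2, 5, 7))
        elif tlv_type == TLV_TTL:
            if len(value) != 2:
                raise ValueError("TTL TLV must be 2 bytes")
            # TTL 0 is a shutdown LLDPDU: the neighbour is withdrawing its entry
            info["ttl"] = struct.unpack("!H", value)[0]
        elif tlv_type in _TEXT_TLVS:
            info[_TEXT_TLVS[tlv_type]] = value.decode("utf-8", errors="replace")
        else:
            info.setdefault("other_tlv_types", []).append(tlv_type)
    return info


# constructed sample LLDPDU (not captured from a real switch)
SAMPLE_LLDPDU = (
    bytes([0x02, 0x07, 0x04]) + bytes.fromhex("001122334455")  # Chassis ID, subtype 4 (MAC)
    + bytes([0x04, 0x08, 0x05]) + b"Gi1/0/1"                   # Port ID, subtype 5 (interface name)
    + bytes([0x06, 0x02, 0x00, 0x78])                          # TTL = 120 seconds
    + bytes([0x0A, 0x07]) + b"sw-lab1"                         # System Name
    + bytes([0x00, 0x00])                                      # End of LLDPDU
)

if __name__ == "__main__":
    print(parse_lldpdu(SAMPLE_LLDPDU))
```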

Link State Tracking
Link-state tracking, also known as trunk failover, is a feature that binds the link state of multiple
interfaces. For example, link-state tracking provides redundancy in the network when used with server
NIC adapter teaming. When server network adapters are configured in a primary or secondary
relationship known as teaming, if the link is lost on the primary interface, connectivity is transparently
changed to the secondary interface.
For information on configuring Link State Tracking, see Chapter 26, “Configuring EtherChannel and
Link State Tracking.”

Location Service
The location service feature allows the switch to provide location and attachment tracking information
for its connected devices to a Cisco Mobility Services Engine (MSE). The tracked device can be a
wireless endpoint, a wired endpoint, or a wired switch or controller. The switch informs device link up
and link down events through encrypted Network Mobility Services Protocol (NMSP) location and
attachment notifications to the MSE.
For information on configuring Location Service, see Chapter 31, “Configuring LLDP, LLDP-MED, and Location Service.”

Multiple Spanning Tree
IEEE 802.1s Multiple Spanning Tree (MST) allows for multiple spanning tree instances within a single
802.1Q or Inter-Switch Link (ISL) VLAN trunk. MST extends the IEEE 802.1w Rapid Spanning Tree
(RST) algorithm to multiple spanning trees. This extension provides both rapid convergence and load
balancing within a VLAN environment.
MST allows you to build multiple spanning trees over trunks. You can group and associate VLANs to
spanning tree instances. Each instance can have a topology independent of other spanning tree instances.
This new architecture provides multiple forwarding paths for data traffic and enables load balancing.
Network fault tolerance is improved because a failure in one instance (forwarding path) does not affect
other instances (forwarding paths).
For information on configuring MST, see Chapter 22, “Configuring STP and MST.”

Per-VLAN Rapid Spanning Tree
Per-VLAN Rapid Spanning Tree (PVRST+) is the implementation of 802.1w on a per-VLAN basis. It is the same as PVST+ with respect to STP mode and runs the RSTP protocol based on 802.1w.
For information on configuring PVRST+, see Chapter 22, “Configuring STP and MST.”

Quality of Service

Note QoS functionality on Catalyst 4900M, Catalyst 4948E, Catalyst 4948E-F, Supervisor Engine 6-E and Supervisor Engine 6L-E is equivalent.

The quality of service (QoS) feature prevents congestion by selecting network traffic and prioritizing it
according to its relative importance. Implementing QoS in your network makes network performance
more predictable and bandwidth use more effective.
The Catalyst 4500 series switch supports the following QoS features:
• Classification and marking
• Ingress and egress policing, including per-port per-VLAN policing
• Sharing and shaping
The Catalyst 4500 series switch supports trusted boundary, which uses the Cisco Discovery Protocol (CDP) to detect the presence of a Cisco IP phone (such as the Cisco IP Phone 7910, 7935, 7940, and 7960) on a switch port. If the telephone is not detected, the trusted boundary feature disables the trusted setting on the switch port and prevents misuse of a high-priority queue.
The Catalyst 4500 series switch also supports QoS Automation (Auto QoS), which simplifies the
deployment of existing QoS features through automatic configuration.

Cisco Modular QoS Command-Line-Interface
Cisco Modular QoS CLI (MQC) is the framework that implements Cisco IOS software QoS. MQC allows the user to define a traffic class, create a traffic policy (containing the QoS feature to be applied to the traffic class), and attach the traffic policy to an interface. MQC is a cross-Cisco baseline that provides a consistent syntax and behavior of QoS features across multiple product families. Cisco IOS Software Release 12.2(40)SG complies with MQC for configuration of QoS features on the Supervisor Engine 6-E. MQC enables rapid deployment of new features and technology innovations and facilitates the management of network performance with respect to bandwidth, delay, jitter, and packet loss, enhancing the performance of mission-critical business applications. The rich and advanced QoS features are enabled using Cisco MQC.

Two-Rate Three-Color Policing
The Two-Rate Three-Color Policing feature (also termed Hierarchical QoS) limits the input or output
transmission rate of a class of traffic based on user-defined criteria and marks or colors packets by setting
the applicable differentiated services code point (DSCP) values. This feature is often configured on the
interfaces at the edge of a network to limit the rate of traffic entering or leaving the network. Using this
feature, traffic that conforms to user-defined criteria can be sent through the interfaces, while traffic that
exceeds or violates these criteria is sent out with a decreased priority setting or even dropped.
For information on QoS and Auto QoS, see Chapter 42, “Configuring Quality of Service.”
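The conform/exceed/violate decision described above, as an added example that is not part of this guide: a colour-blind two-rate three-colour marker (RFC 2698) in Python, with the edge policy of transmitting conforming packets, marking down the DSCP of exceeding packets and dropping violating ones. The rates, burst sizes, packet sizes and the AF41 code point are constructed sample values; the switch's hardware policer is configured through MQC and is not modelled here.

```python
CONFORM, EXCEED, VIOLATE = "conform", "exceed", "violate"


class TwoRateThreeColorPolicer:
    """Colour-blind two-rate three-colour marker (RFC 2698).

    Rates are in bytes/second, burst sizes and packet sizes in bytes.  Two
    token buckets are kept: Tc (depth CBS, filled at CIR) and Tp (depth PBS,
    filled at PIR).  A packet that fits in neither bucket violates, one that
    fits only in Tp exceeds, and one that fits in both conforms.
    """

    def __init__(self, cir, cbs, pir, pbs, start=0.0):
        if cir <= 0 or pir < cir or cbs <= 0 or pbs < cbs:
            raise ValueError("need 0 < CIR <= PIR and 0 < CBS <= PBS")
        self.cir, self.cbs, self.pir, self.pbs = cir, cbs, pir, pbs
        self.tc, self.tp = float(cbs), float(pbs)   # buckets start full
        self.last = start

    def _refill(self, now):
        elapsed = now - self.last
        if elapsed < 0:
            raise ValueError("packet timestamps must not go backwards")
        self.tc = min(self.cbs, self.tc + elapsed * self.cir)
        self.tp = min(self.pbs, self.tp + elapsed * self.pir)
        self.last = now

    def colour(self, size, now):
        """Return the colour of a `size`-byte packet arriving at time `now`."""
        self._refill(now)
        if self.tp < size:          # above PIR: violate (red)
            return VIOLATE
        if self.tc < size:          # between CIR and PIR: exceed (yellow)
            self.tp -= size
            return EXCEED
        self.tc -= size             # within CIR: conform (green)
        self.tp -= size
        return CONFORM


def markdown_dscp(dscp):
    """Raise the drop precedence of an Assured Forwarding DSCP by one step
    (AFx1 -> AFx2 -> AFx3); any other code point is returned unchanged."""
    af_class, drop_prec = dscp >> 3, (dscp >> 1) & 0x3
    if 1 <= af_class <= 4 and drop_prec in (1, 2) and (dscp & 1) == 0:
        return dscp + 2
    return dscp


def police(policer, packets, dscp):
    """Apply an edge policy: conform -> transmit, exceed -> transmit with the
    DSCP marked down, violate -> drop.  `packets` is an iterable of
    (timestamp_seconds, size_bytes); returns (colour, action, dscp_out) per packet."""
    results = []
    for arrival, size in packets:
        colour = policer.colour(size, arrival)
        if colour == CONFORM:
            results.append((colour, "transmit", dscp))
        elif colour == EXCEED:
            results.append((colour, "transmit", markdown_dscp(dscp)))
        else:
            results.append((colour, "drop", None))
    return results


# constructed sample: CIR 1000 B/s with a 2000 B committed burst, PIR 2000 B/s
# with a 4000 B peak burst; five 1000-byte packets arrive in a burst at t=0,
# then three more one second later
SAMPLE_PACKETS = [(0.0, 1000)] * 5 + [(1.0, 1000), (1.0, 1000), (1.0, 500)]
AF41 = 34   # DSCP 100010


def sample_run():
    policer = TwoRateThreeColorPolicer(cir=1000, cbs=2000, pir=2000, pbs=4000)
    return police(policer, SAMPLE_PACKETS, AF41)


if __name__ == "__main__":
    for (arrival, size), (colour, action, out) in zip(SAMPLE_PACKETS, sample_run()):
        print(f"t={arrival:.1f}s {size:4d} B -> {colour:8s} {action:8s} dscp={out}")
```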

Resilient Ethernet Protocol
Resilient Ethernet Protocol (REP) is a Cisco proprietary protocol that provides an alternative to
Spanning Tree Protocol (STP) to control network loops, handle link failures, and improve convergence
time. REP controls a group of ports connected in a segment, ensures that the segment does not create any
bridging loops, and responds to link failures within the segment. REP provides a basis for constructing
more complex networks and supports VLAN load balancing.
For information on REP, see Chapter 24, “Configuring Resilient Ethernet Protocol.”

SmartPort Macros
SmartPort macros provide a convenient way to save and share common configurations. You can use
SmartPort macros to enable features and settings based on the location of a switch in the network and
for mass configuration deployments across the network.
For information on configuring SmartPort macros, see Chapter 20, “Configuring SmartPort Macros.”

Spanning Tree Protocol
The Spanning Tree Protocol (STP) allows you to create fault-tolerant internetworks that ensure an active,
loop-free data path between all nodes in the network. STP uses an algorithm to calculate the best
loop-free path throughout a switched network.
For information on configuring STP, see Chapter 22, “Configuring STP and MST.”
The Catalyst 4500 series switch supports the following STP enhancements:
• Spanning tree PortFast—PortFast allows a port with a directly attached host to transition to the
forwarding state directly, bypassing the listening and learning states.
• Spanning tree UplinkFast—UplinkFast provides fast convergence after a spanning-tree topology
change and achieves load balancing between redundant links using uplink groups. Uplink groups
provide an alternate path in case the currently forwarding link fails. UplinkFast is designed to
decrease spanning-tree convergence time for switches that experience a direct link failure.
• Spanning tree BackboneFast—BackboneFast reduces the time needed for the spanning tree to
converge after a topology change caused by an indirect link failure. BackboneFast decreases
spanning-tree convergence time for any switch that experiences an indirect link failure.
• Spanning tree root guard—Root guard forces a port to become a designated port so that no switch
on the other end of the link can become a root switch.
For information on the STP enhancements, see Chapter 25, “Configuring Optional STP Features.”

Stateful Switchover
Stateful switchover (SSO) enables you to propagate configuration and state information from the active
to the redundant supervisor engine so that sub-second interruptions in Layer 2 traffic occur when the
active supervisor engine switches over to the redundant supervisor engine.
• Stateful IGMP Snooping
This feature propagates the IGMP data learned by the active supervisor engine to the redundant
supervisor engine so that when a switchover occurs, the newly active supervisor engine is aware of
the multicast group membership, which alleviates a disruption to multicast traffic during a
switchover.
• Stateful DHCP Snooping
This feature propagates the DHCP-snooped data from the active supervisor engine to the redundant
supervisor engine so that when a switchover occurs, the newly active supervisor engine is aware of
the DHCP data that was already snooped, and the security benefits continue uninterrupted.
For information about SSO, see Chapter 12, “Configuring Cisco NSF with SSO Supervisor Engine
Redundancy.”

SVI Autostate
When an SVI has multiple ports on a VLAN, normally the SVI will go down when all the ports in the
VLAN go down. You can design your network so that some ports are not counted in the calculation of
SVI “going up or down.” SVI Autostate provides a knob to mark a port so that it is not counted in the
SVI “going up and down” calculation and applies to all VLANs that are enabled on that port.

Unidirectional Link Detection
The Unidirectional Link Detection (UDLD) protocol allows devices connected through fiber-optic or
copper Ethernet cables to monitor the physical configuration of the cables and detect a unidirectional
link.
With standard UDLD, the time to detect a unidirectional link can vary from a few seconds to several
minutes depending on how the timers are configured. Link status messages are exchanged every couple
of seconds. With Fast UDLD, you can detect unidirectional links in under one second (this also depends
on how the timers are configured). Link status messages are exchanged every couple of hundred
milliseconds.
For information about UDLD and Fast UDLD, see Chapter 32, “Configuring UDLD.”

VLANs
A VLAN configures switches and routers according to logical, rather than physical, topologies. Using
VLANs, you can combine any collection of LAN segments within an internetwork into an autonomous
user group, such that the segments appear as a single LAN in the network. VLANs logically segment the
network into different broadcast domains so that packets are switched only between ports within the
VLAN. Typically, a VLAN corresponds to a particular subnet, although not necessarily.
For more information about VLANs, VTP, and Dynamic VLAN Membership, see Chapter 16,
“Configuring VLANs, VTP, and VMPS.”
The following VLAN-related features also are supported:
• VLAN Trunking Protocol (VTP)—VTP maintains VLAN naming consistency and connectivity
between all devices in the VTP management domain. You can have redundancy in a domain by using
multiple VTP servers, through which you can maintain and modify the global VLAN information.
Only a few VTP servers are required in a large network.
• Private VLANs—Private VLANs are sets of ports that have the features of normal VLANs and also
provide some Layer 2 isolation from other ports on the switch.
For information about private VLANs, see Chapter 44, “Configuring Private VLANs.”
• Private VLAN Trunk Ports—Private VLAN trunk ports allow a secondary port on a private VLAN
to carry multiple secondary VLANs.
• Private VLAN Promiscuous Trunk Ports—Private VLAN promiscuous trunk extends the promiscuous port to an 802.1Q trunk port, carrying multiple primary VLANs (hence multiple subnets). Private VLAN promiscuous trunk is typically used to offer different services or content on different primary VLANs to isolated subscribers. Secondary VLANs cannot be carried over the private VLAN promiscuous trunk.
• Dynamic VLAN Membership—Dynamic VLAN Membership allows you to assign switch ports to
VLANs dynamically, based on the source Media Access Control (MAC) address of the device
connected to the port. When you move a host from a port on one switch in the network to a port on
another switch in the network, that switch dynamically assigns the new port to the proper VLAN for
that host. With the VMPS Client feature, you can convert a dynamic access port to a VMPS client.
VMPS clients can use VQP queries to communicate with the VMPS server to obtain a VLAN
assignment for the port based on the MAC address of the host attached to that port.

Virtual Switching Systems (Catalyst 4500-X and Supervisor Engine 7-E, 7L-E, and 8-E)
Network operators increase network reliability by configuring switches and by provisioning links to the
redundant pairs. Redundant network elements and redundant links can add complexity to network design
and operation. Virtual switching simplifies the network by reducing the number of network elements and
hiding the complexity of managing redundant switches and links.
A VSS combines a pair of Catalyst 4500 or 4500-X series switches into a single network element. The
VSS manages the redundant links, which externally act as a single port channel. Starting with Cisco
Release IOS XE 3.4.0SG, the Catalyst 4500 or 4500-X series switches support VSS.

Note Smart Install Director is not supported with VSS.

For information on VSS, see Chapter 5, “Configuring Virtual Switching Systems.”

Virtual Switch System Client
Catalyst 4500 series switches support enhanced PAgP. If a Catalyst 4500 series switch is connected to a
Catalyst 6500 series Virtual Switch System (VSS) with a PAgP EtherChannel, the Catalyst 4500 series
switch will automatically serve as a VSS client, using enhanced PAgP on this EtherChannel for
dual-active detection. This VSS client feature has no impact on the performance of Catalyst 4500 series
switches and does not require any user configuration.
For more details, see Chapter 26, “Configuring EtherChannel and Link State Tracking.”

Y.1731 (AIS and RDI)
Y.1731 ETH-AIS (Ethernet Alarm Indication Signal function) and ETH-RDI (Ethernet Remote Defect Indication function) provide fault and performance management for service providers in large networks.
ETH-AIS suppresses alarms following detection of defect conditions at the server (sub) layer. Because of the independent restoration capabilities provided within Spanning Tree Protocol (STP) environments, ETH-AIS is not expected to be applied in STP environments. AIS is therefore configurable, and the administrator decides whether to enable or disable AIS in an STP environment.
ETH-RDI can be used by a MEP to communicate to its peer MEPs that a defect condition has been encountered. ETH-RDI is used only when ETH-CC transmission is enabled.
For information about Y.1731, see Chapter 67, “Configuring Y.1731 (AIS and RDI).”

Layer 3 Software Features
A Layer 3 switch is a high-performance switch that has been optimized for a campus LAN or an intranet,
and it provides both wirespeed Ethernet routing and switching services. Layer 3 switching improves
network performance with two software functions: route processing and intelligent network services.
Compared to conventional software-based switches, Layer 3 switches process more packets faster by
using application-specific integrated circuit (ASIC) hardware instead of microprocessor-based engines.
The following sections describe the key Layer 3 switching software features on the Catalyst 4500 series
switch:
• Bidirectional Forwarding Detection, page 1-14
• Cisco Express Forwarding, page 1-14
• Device Sensor, page 1-14
• EIGRP Stub Routing, page 1-14
• Enhanced Object Tracking, page 1-15
• GLBP, page 1-15
• HSRP, page 1-16
• In Service Software Upgrade, page 1-19
• IP Routing Protocols, page 1-17
• IPv6, page 1-19
• Multicast Services, page 1-19
• NSF with SSO, page 1-21
• OSPF for Routed Access, page 1-21
• Policy-Based Routing, page 1-22
• Unicast Reverse Path Forwarding, page 1-22
• Unidirectional Link Routing, page 1-22
• VRF-lite, page 1-22
• Virtual Router Redundancy Protocol, page 1-23

Bidirectional Forwarding Detection

Note Starting with Cisco IOS Release IOS 15.1(1)SG, Bidirectional Forwarding Detection (BFD) support was introduced on Catalyst 4900M, Catalyst 4948E, and Catalyst 4948E-F Ethernet switches. With Cisco IOS XE 3.5.0E and IOS 15.2(1)E, support was extended to Supervisor Engine 7-E and Supervisor Engine 7L-E. With Cisco IOS XE 3.6.0E and IOS 15.2(2)E, support was extended to Supervisor Engine 8-E.

Bidirectional Forwarding Detection (BFD) is a detection protocol designed to provide fast forwarding path failure detection times for all media types, encapsulations, topologies, and routing protocols. BFD provides a consistent failure detection method for network administrators in addition to fast forwarding path failure detection. The BFD chapter also describes how to configure multihop BFD sessions.
For information on configuring BFD, see Chapter 39, “Configuring Bidirectional Forwarding Detection.”

Cisco Express Forwarding
Cisco Express Forwarding (CEF) is an advanced Layer 3 IP-switching technology. CEF optimizes
network performance and scalability in networks with large and dynamic traffic patterns, such as the
Internet, and on networks that use intensive web-based applications or interactive sessions. Although
you can use CEF in any part of a network, it is designed for high-performance, highly resilient Layer 3
IP-backbone switching.
For information on configuring CEF, see Chapter 35, “Configuring Cisco Express Forwarding.”

Device Sensor
Device Sensor uses protocols such as Cisco Discovery Protocol (CDP), Link Layer Discovery Protocol
(LLDP), and DHCP to obtain endpoint information from network devices and make this information
available to its clients. Device Sensor has internal clients, such as the embedded Device Classifier (local
analyzer), Auto Smartports (ASP), MediaNet Service Interface (MSI)-Proxy, and EnergyWise. Device
Sensor also has an external client, Identity Services Engine (ISE), which uses RADIUS accounting to
receive and analyze endpoint data. When integrated with ISE, Device Sensor provides central policy
management and device-profiling capabilities.
For more information on Device Sensor, see Chapter 46, “Configuring 802.1X Port-Based
Authentication.”

EIGRP Stub Routing
The EIGRP stub routing feature, available in all images, reduces resource utilization by moving routed
traffic closer to the end user.
The IP base image contains only EIGRP stub routing. The IP services image contains complete EIGRP
routing.
In a network using EIGRP stub routing, the only route for IP traffic to follow to the user is through a
switch that is configured with EIGRP stub routing. The switch sends the routed traffic to interfaces that
are configured as user interfaces or are connected to other devices.
For information on configuring EIGRP Stub Routing, see Chapter 34, “Configuring Layer 3 Interfaces.”

Enhanced Object Tracking
Before the introduction of the Enhanced Object Tracking feature, the Hot Standby Router Protocol
(HSRP) had a simple tracking mechanism that allowed you to track the interface line-protocol state only.
If the line-protocol state of the interface went down, the HSRP priority of the router was reduced,
allowing another HSRP router with a higher priority to become active.
The Enhanced Object Tracking (EOT) feature separates the tracking mechanism from HSRP and creates
a separate standalone tracking process that can be used by other Cisco IOS processes as well as HSRP.
This feature allows tracking of other objects in addition to the interface line-protocol state.
A client process, such as HSRP, Virtual Router Redundancy Protocol (VRRP), or Gateway Load
Balancing Protocol (GLBP), can now register its interest in tracking objects and then be notified when
the tracked object changes state.
For platform-specific information on Enhanced Object Tracking, see Chapter 60, “Configuring Enhanced Object Tracking.”
For more detailed information on Enhanced Object Tracking, see the URL:
http://www.cisco.com/en/US/docs/ios-xml/ios/ipapp/configuration/12-4t/iap-eot.html

GLBP
The Gateway Load Balancing Protocol (GLBP) feature provides automatic router backup for IP hosts
configured with a single default gateway on a LAN. Multiple first hop routers on the LAN combine to
offer a single virtual first hop IP router while sharing the IP packet forwarding load. GLBP devices share
packet-forwarding responsibilities, optimizing resource usage, thereby reducing costs. Other routers on
the LAN may act as redundant GLBP routers that will become active if any of the existing forwarding
routers fail. This improves the resiliency of the network and reduces administrative burden.
For details on GLBP, refer to this URL:
http://www.cisco.com/en/US/docs/ios/12_2t/12_2t15/feature/guide/ft_glbp.html

Cisco IOS XE IP Application Services Features in Cisco IOS XE 3.1.0SG
This section lists the IP Application Services software features that are supported in Cisco IOS XE 3.1.0SG. Links to the feature documentation are included.
Feature guides may contain information about more than one feature. To find information about a
specific feature within a feature guide, see the Feature Information table at the end of the guide.
Feature guides document features that are supported on many different software releases and platforms.
Your Cisco software release or platform may not support all the features documented in a feature guide.
See the Feature Information table at the end of the feature guide for information about which features in
that guide are supported in your software release. Use Cisco Feature Navigator to find information about
platform support and Cisco software image support. To access Cisco Feature Navigator, go to
http://www.cisco.com/go/cfn. An account on Cisco.com is not required.

Gateway Load Balancing Protocol (GLBP), GLBP MD5 Authentication
http://www.cisco.com/en/US/docs/ios/12_2sx/12_2sxh/feature/guide/sxglbpm.html

HSRP
The Hot Standby Router Protocol (HSRP) provides high network availability by routing IP traffic from
hosts on Ethernet networks without relying on the availability of any single Layer 3 switch. This feature
is particularly useful for hosts that do not support a router discovery protocol and do not have the
functionality to switch to a new router when their selected router reloads or loses power.
For information on configuring HSRP, refer to the following URL:
http://www.cisco.com/en/US/tech/tk648/tk362/tk321/tsd_technology_support_sub-protocol_home.html

Cisco IOS XE IP Application Services: HSRP Features in Cisco IOS XE 3.1.0SG
This section lists the IP Application Services: HSRP software features that are supported in Cisco IOS XE 3.1.0SG. Links to the feature documentation are included.
Feature guides may contain information about more than one feature. To find information about a
specific feature within a feature guide, see the Feature Information table at the end of the guide.
Feature guides document features that are supported on many different software releases and platforms.
Your Cisco software release or platform may not support all the features documented in a feature guide.
See the Feature Information table at the end of the feature guide for information about which features in
that guide are supported in your software release. Use Cisco Feature Navigator to find information about
platform support and Cisco software image support. To access Cisco Feature Navigator, go to
http://www.cisco.com/go/cfn. An account on Cisco.com is not required.

HSRP—Hot Standby Router Protocol
http://www.cisco.com/en/US/docs/ios/ipapp/configuration/guide/ipapp_hsrp.html

HSRP MD5 Authentication
http://www.cisco.com/en/US/docs/ios/ipapp/configuration/guide/ipapp_hsrp.html

HSRP Support for ICMP Redirects
http://www.cisco.com/en/US/docs/ios/ipapp/configuration/guide/ipapp_hsrp.html

IP Precedence Accounting
http://www.cisco.com/en/US/docs/ios/12_2/ipaddr/command/reference/1rfip2.html

ISSU—HSRP
http://www.cisco.com/en/US/docs/ios/ipapp/configuration/guide/ipapp_hsrp.html

SSO—HSRP
http://www.cisco.com/en/US/docs/ios/ipapp/configuration/guide/ipapp_hsrp.html

SSO Aware HSRP
SSO Aware HSRP offers continuous data packet forwarding during a supervisor engine switchover
without a path change to the standby HSRP router. During supervisor engine switchover, NSF with SSO
continues forwarding data packets along known routes using the HSRP virtual IP address. When both
supervisor engines fail on the active HSRP router, the standby HSRP router takes over as the active
HSRP router. It further extends reliability and availability offered by the NSF with SSO to Layer 3. SSO
aware HSRP is available for Supervisor Engine IV, V, and V-10GE on Catalyst 4507R and 4510R chassis
with supervisor redundancy.

IP Routing Protocols
The following routing protocols are supported on the Catalyst 4500 series switch:
• BGP, page 1-17
• EIGRP, page 1-17
• IS-IS, page 1-18
• OSPF, page 1-18
• RIP, page 1-19

BGP
The Border Gateway Protocol (BGP) is an exterior gateway protocol that allows you to set up an
interdomain routing system to automatically guarantee the loop-free exchange of routing information
between autonomous systems. In BGP, each route consists of a network number, a list of autonomous
systems that information has passed through (called the autonomous system path), and a list of other path
attributes.
The Catalyst 4500 series switch supports BGP version 4, including classless interdomain routing
(CIDR). CIDR lets you reduce the size of your routing tables by creating aggregate routes, resulting in
supernets. CIDR eliminates the concept of network classes within BGP and supports the advertising of
IP prefixes. CIDR routes can be carried by OSPF, EIGRP, and RIP.

BGP Route-Map Continue

The BGP Route-Map Continue feature introduces the continue clause to the BGP route-map
configuration. The continue clause provides more programmable policy configuration and route
filtering. It introduces the capability to execute additional entries in a route map after an entry is executed
with successful match and set clauses. Continue clauses allow configuring and organizing more modular
policy definitions to reduce the number of policy configurations that are repeated within the same route
map.
For details on BGP, refer to this URL:
http://www.cisco.com/en/US/docs/ios/12_4t/ip_route/configuration/guide/t_brbbas.html

EIGRP
The Enhanced Interior Gateway Routing Protocol (EIGRP) is a version of IGRP that combines the
advantages of link-state protocols with distance-vector protocols. EIGRP incorporates the Diffusing
Update Algorithm (DUAL). EIGRP includes fast convergence, variable-length subnet masks, partially
bounded updates, and multiple network-layer support. When a network topology change occurs, EIGRP
checks its topology table for a suitable new route to the destination. If such a route exists in the table,
EIGRP updates the routing table instantly. You can use the fast convergence and partial updates that
EIGRP provides to route Internetwork Packet Exchange (IPX) packets.
EIGRP saves bandwidth by sending routing updates only when routing information changes. The
updates contain information only about the link that changed, not the entire routing table. EIGRP also
takes into consideration the available bandwidth when determining the rate at which it transmits updates.

Note Layer 3 switching does not support the Next Hop Resolution Protocol (NHRP).

Note Customers can configure Enhanced Interior Gateway Routing Protocol (EIGRP) to route IPv6 prefixes.
EIGRP configuration and protocol behavior for both IPv4 and IPv6 prefixes are similar, providing
operational familiarity and continuity. EIGRP support for IPv6 will enable customers to use their
existing EIGRP knowledge and processes, allowing them to deploy an IPv6 network at a low cost.

For details on EIGRP, refer to this URL:
http://www.cisco.com/en/US/products/ps6630/products_ios_protocol_option_home.html

IS-IS
The Intermediate System-to-Intermediate System Protocol (IS-IS Protocol) uses a link-state routing
algorithm. It closely follows the Open Shortest Path First (OSPF) routing protocol used within the
TCP/IP environment. The operation of ISO IS-IS Protocol requires each router to maintain a full
topology map of the network (that is, which intermediate systems and end systems are connected to
which other intermediate systems and end systems). Periodically, the router runs an algorithm over its
map to calculate the shortest path to all possible destinations.
The IS-IS Protocol uses a two-level hierarchy. Intermediate Systems (or routers) are classified as Level
1 and Level 2. Level 1 intermediate systems deal with a single routing area. Traffic is relayed only within
that area. Any other internetwork traffic is sent to the nearest Level 2 intermediate system, which also
acts as a Level 1 intermediate system. Level 2 intermediate systems move traffic between different
routing areas within the same domain.
An IS-IS with multi-area support allows multiple Level 1 areas within a single intermediate system,
thus allowing an intermediate system to be in multiple areas. A single Level 2 area is used as the backbone
for inter-area traffic.
For details on IS-IS, refer to this URL:
http://www.cisco.com/en/US/products/ps6632/products_ios_protocol_option_home.html

OSPF
The Open Shortest Path First (OSPF) protocol is a standards-based IP routing protocol designed to
overcome the limitations of RIP. Because OSPF is a link-state routing protocol, it sends link-state
advertisements (LSAs) to all other routers within the same hierarchical area. Information on the attached
interfaces and their metrics is used in OSPF LSAs. As routers accumulate link-state information, they
use the shortest path first (SPF) algorithm to calculate the shortest path to each node. Additional OSPF
features include equal-cost multipath routing and routing based on the upper-layer type of service (ToS)
requests.
OSPF uses the concept of an area, which is a group of contiguous OSPF networks and hosts. OSPF areas
are logical subdivisions of OSPF autonomous systems in which the internal topology is hidden from
routers outside the area. Areas allow an additional level of hierarchy different from that provided by IP
network classes, and they can be used to aggregate routing information and mask the details of a
network. These features make OSPF particularly scalable for large networks.
For details on OSPF, refer to this URL:
http://www.cisco.com/en/US/tech/tk365/tk480/tsd_technology_support_sub-protocol_home.html

RIP
The Routing Information Protocol (RIP) is a distance-vector, intradomain routing protocol. RIP works
well in small, homogeneous networks. In large, complex internetworks it has many limitations, such as
a maximum hop count of 15, lack of support for variable-length subnet masks (VLSMs), inefficient use
of bandwidth, and slow convergence. RIP II does support VLSMs.
For details on RIP, refer to this URL:
http://www.cisco.com/en/US/tech/tk365/tk554/tsd_technology_support_sub-protocol_home.html

In Service Software Upgrade
SSO requires the same version of Cisco IOS on both the active and standby supervisor engines. Because
of version mismatch during an upgrade or downgrade of the Cisco IOS software, a Catalyst 4500 series
switch is forced into operating in RPR mode. In this mode, after the switchover you can observe
link-flaps and a disruption in service. This issue is solved by the In-Service Software Upgrade (ISSU)
feature that enables you to operate in SSO/NSF mode while performing software upgrade or downgrade.
ISSU allows an upgrade or downgrade of the Catalyst IOS or IOS XE images at different release levels
on both the active and standby supervisor engines by utilizing the Version Transformation
Framework between the stateful components running on each supervisor engine.
For details on Cisco IOS ISSU, refer to Chapter 6, “Configuring the Cisco IOS In-Service Software
Upgrade Process.”
For details on Cisco IOS XE ISSU, refer to Chapter 7, “Configuring the Cisco IOS XE In Service
Software Upgrade Process.”

IPv6
IPv6 provides services such as end-to-end security, quality of service (QoS), and globally unique
addresses. The IPv6 address space reduces the need for private addresses and Network Address
Translation (NAT) processing by border routers at network edges.
For more information about IPv6 services supported on the Catalyst 4500 series switch, see Chapter 55,
“Support for IPv6.”

Multicast Services
Multicast services save bandwidth by forcing the network to replicate packets only when necessary and
by allowing hosts to join and leave groups dynamically. The following multicast services are supported:
• ANCP Client—ANCP Multicast enables you to control multicast traffic on a Catalyst 4500 switch
using either ANCP (rather than IGMP) or direct static configuration on the CLI.
• Cisco Group Management Protocol (CGMP) server—CGMP server manages multicast traffic.
Multicast traffic is forwarded only to ports with attached hosts that request the multicast traffic.
• Internet Group Management Protocol (IGMP) snooping—IGMP snooping manages multicast
traffic. The switch software examines IP multicast packets and forwards packets based on their
content. Multicast traffic is forwarded only to ports with attached hosts that request multicast traffic.
Support for IGMPv3 provides constrained flooding of multicast traffic in the presence of IGMPv3
hosts or routers. IGMPv3 snooping listens to IGMPv3 query and membership report messages to
maintain host-to-multicast group associations. It enables a switch to propagate multicast data only
to ports that need it. IGMPv3 snooping is fully interoperable with IGMPv1 and IGMPv2.
Explicit Host Tracking (EHT) is an extension to IGMPv3 snooping. EHT enables immediate leave
operations on a per-port basis. EHT can be used to track per host membership information or to
gather statistics about all IGMPv3 group members.
The IGMP Snooping Querier is a Layer 2 feature required to support IGMP snooping in a VLAN
where PIM and IGMP are not configured because the multicast traffic does not require routing.
For information on configuring IGMP snooping, see Chapter 27, “Configuring IGMP Snooping and
Filtering, and MVR.”
• IPv6 Multicast Listen Discovery (MLD) and Multicast Listen Discovery snooping—MLD is a
protocol used by IPv6 multicast devices to discover the presence of multicast listeners (nodes that
want to receive IPv6 multicast packets) on its directly attached links and to discover which multicast
packets are of interest to neighboring nodes. MLD snooping is supported in two different versions:
MLD v1 and MLD v2. Network switches use MLD snooping to limit the flood of multicast traffic,
causing IPv6 multicast data to be selectively forwarded to a list of ports that want to receive the data,
instead of being flooded to all ports in a VLAN. This lessens the load on devices in the network,
minimizing unnecessary bandwidth on links, enabling efficient distribution of IPv6 multicast data.
For information on configuring multicast services, see Chapter 28, “Configuring IPv6 Multicast
Listener Discovery Snooping.”
• Protocol Independent Multicast (PIM)—PIM is protocol-independent because it can leverage
whichever unicast routing protocol is used to populate the unicast routing table, including EIGRP,
OSPF, BGP, or static route. PIM also uses a unicast routing table to perform the Reverse Path
Forwarding (RPF) check function instead of building a completely independent multicast routing
table.
For information on PIM-SSM mapping, see the URL:
http://www.cisco.com/en/US/docs/switches/lan/catalyst6500/ios/15.1SY/config_guide/sup720/ude_udlr.html
• IP Multicast Load Splitting (Equal Cost Multipath (ECMP) Using S, G and Next Hop)—
IP Multicast Load Splitting introduces more flexible support for ECMP multicast load splitting by
adding support for load splitting based on source and group address and on source, group, and
next-hop address. This feature allows multicast traffic from devices that send many streams to
groups or that broadcast many channels, such as IPTV servers or MPEG video servers, to be more
effectively load shared across equal-cost paths.
For information on configuring multicast services, see Chapter 37, “Configuring IP Multicast.”

NSF with SSO
Non-Stop Forwarding with Stateful Switchover (NSF/SSO) offers continuous data packet forwarding in
a Layer 3 routing environment during supervisor engine switchover. During supervisor engine
switchover, NSF/SSO continues forwarding data packets along known routes while the routing protocol
information is recovered and validated, avoiding unnecessary route flaps and network instability. With
NSF/SSO, IP phone calls do not drop. NSF/SSO is supported for OSPF, BGP, EIGRP, IS-IS, and Cisco
Express Forwarding (CEF). NSF/SSO is typically deployed in the most critical parts of an enterprise or
service provider network, such as Layer 3 aggregation/core or a resilient Layer 3 wiring closet design.
It is an essential component of single chassis deployment for critical applications. NSF/SSO is available
for all shipping supervisor engines on Catalyst 4507R and 4510R chassis with supervisor redundancy.

Note With the IP Base image, NSF is supported with EIGRP-stub routing and OSPF.

Note With the Enterprise Services image, NSF is supported on all routing protocols except for RIP.

Note The LAN Base image does not support NSF.

For information on NSF with SSO, see Chapter 12, “Configuring Cisco NSF with SSO Supervisor
Engine Redundancy.”

OSPF for Routed Access
OSPF for Routed Access is designed specifically to enable customers to extend Layer 3 routing
capabilities to the access or wiring closet.

Note OSPF for Routed Access supports only one OSPFv2 and one OSPFv3 instance with a maximum number
of 1000 dynamically learned routes.

With the typical topology (hub and spoke) in a campus environment, where the wiring closets (spokes)
are connected to the distribution switch (hub) forwarding all nonlocal traffic to the distribution layer, the
wiring closet switch does not need to hold a complete routing table. Ideally, the distribution switch sends
a default route to the wiring closet switch to reach inter-area and external routes (OSPF stub or totally
stub area configuration).
Refer to the following link for more details:
http://www.cisco.com/en/US/docs/solutions/Enterprise/Campus/routed-ex.html
With Cisco IOS Release 12.2(53)SG, the IP Base image supports OSPF for routed access. The Enterprise
Services image is required if you need multiple OSPFv2 and OSPFv3 instances without route
restrictions. Enterprise Services also is required to enable the VRF-lite feature.

Policy-Based Routing
Traditional IP forwarding decisions are based purely on the destination IP address of the packet being
forwarded. Policy-Based Routing (PBR) enables forwarding based upon other information associated
with a packet, such as the source interface, IP source address, Layer 4 ports, and so on. This feature
allows network managers more flexibility in how they configure and design their networks.
Starting with Release IOS XE 3.4.0SG and IOS 15.1(2)SG, the PBR Recursive Next Hop feature
enhances route maps to enable configuration of a recursive next-hop IP address. The recursive next-hop
IP address can be a subnet that is not directly connected. The routing table will be looked up to find the
directly connected next-hop to which to send the packet so that it is routed via the recursive next-hop
that has been configured.
For more information on policy-based routing, see Chapter 40, “Configuring Policy-Based Routing.”

Unicast Reverse Path Forwarding
The Unicast Reverse Path Forwarding (Unicast RPF) feature helps to mitigate problems that are caused
by the introduction of malformed or forged (spoofed) IP source addresses into a network by discarding
IP packets that lack a verifiable IP source address.
For information on URPF, see Chapter 36, “Configuring Unicast Reverse Path Forwarding.”
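The PBR recursive next-hop lookup described above and the Unicast RPF check in this section both come down to a longest-prefix-match lookup in the routing table, so one added example serves both (constructed example code, not Cisco's forwarding implementation). Everything in it is an assumption for illustration: the prefixes, next hops and interface names; the split between strict mode (the route back to the source must point out the interface the packet arrived on) and loose mode (any route back suffices); and the allow_default switch that decides whether a source covered only by the default route passes. The recursive resolution is bounded so that a pair of static routes pointing at each other cannot loop the lookup.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple

@dataclass(frozen=True)
class RouteEntry:
    prefix: str
    next_hop: Optional[str]    # None marks a directly connected network
    interface: Optional[str]   # set only for connected routes in this model

class RoutingTable:
    def __init__(self, entries: List[RouteEntry]):
        self._entries = [(ip_network(e.prefix), e) for e in entries]

    def lookup(self, addr: str) -> Optional[RouteEntry]:
        """Longest-prefix match; None when no route (not even a default) covers addr."""
        a = ip_address(addr)
        best = None
        for net, entry in self._entries:
            if a in net and (best is None or net.prefixlen > best[0].prefixlen):
                best = (net, entry)
        return best[1] if best else None

    def resolve_next_hop(self, next_hop: str, max_depth: int = 8) -> Optional[Tuple[str, str]]:
        """PBR recursive next hop: follow the table until a connected route is hit.
        Returns (directly connected next hop, egress interface), or None when the
        hop is unreachable or the recursion does not terminate within max_depth."""
        hop = next_hop
        for _ in range(max_depth):         # bound the walk: static routes can form a loop
            entry = self.lookup(hop)
            if entry is None:
                return None
            if entry.next_hop is None:     # connected: hop is adjacent on this interface
                return hop, entry.interface
            hop = entry.next_hop           # recursive route: resolve its next hop in turn
        return None

    def urpf_check(self, src: str, ingress_if: str, strict: bool = True,
                   allow_default: bool = False) -> bool:
        """Unicast RPF. Loose mode: accept if any route back to src exists.
        Strict mode: that route must also point out the ingress interface.
        The default route does not count unless allow_default is set (model choice)."""
        entry = self.lookup(src)
        if entry is None:
            return False                   # no route back to the source: drop
        if ip_network(entry.prefix).prefixlen == 0 and not allow_default:
            return False                   # only the default route covers it
        if not strict:
            return True
        if entry.next_hop is None:         # source is on a connected network
            return entry.interface == ingress_if
        resolved = self.resolve_next_hop(entry.next_hop)
        return resolved is not None and resolved[1] == ingress_if

def example_table() -> RoutingTable:
    """Constructed table; every prefix, next hop and interface name is made up."""
    return RoutingTable([
        RouteEntry("10.0.0.0/24", None, "Gi1/1"),
        RouteEntry("10.0.1.0/24", None, "Gi1/2"),
        RouteEntry("172.16.0.0/16", "10.0.1.254", None),
        RouteEntry("192.168.0.0/16", "172.16.5.1", None),  # recursive: 172.16.5.1 is not adjacent
        RouteEntry("0.0.0.0/0", "10.0.0.1", None),
    ])

if __name__ == "__main__":
    rt = example_table()
    # A PBR recursive next hop of 172.16.5.1 resolves to the adjacent hop and egress interface.
    print(rt.resolve_next_hop("172.16.5.1"))
    # A packet claiming source 192.168.7.7 is plausible on Gi1/2 but spoofed if seen on Gi1/1.
    print(rt.urpf_check("192.168.7.7", "Gi1/2"), rt.urpf_check("192.168.7.7", "Gi1/1"))
```

The strict check is the one that catches a spoofed source arriving on the wrong interface, but it also drops legitimate traffic on asymmetrically routed links, which is why the loose mode exists; the default-route switch matters in the same way, since with it enabled every source that is not otherwise routed passes the loose check.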

Unidirectional Link Routing
Unidirectional link routing (UDLR) provides a way to forward multicast packets over a physical
unidirectional interface (such as a satellite link of high bandwidth) to stub networks that have a back
channel.
For information on configuring unidirectional link routing, refer to the URL
http://www.cisco.com/en/US/docs/switches/lan/catalyst6500/ios/15.1SY/config_guide/sup720/ude_udlr.html

VRF-lite
VPN routing and forwarding (VRF-lite) is an extension of IP routing that provides multiple routing
instances. Along with BGP, it enables the creation of a Layer 3 VPN service by keeping separate IP
routing and forwarding tables for each VPN customer. VRF-lite uses input interfaces to distinguish
routes for different VPNs. It forms virtual packet-forwarding tables by associating one or more Layer 3
interfaces with each VRF, allowing the creation of multiple Layer 3 VPNs on a single switch. Interfaces
in a VRF could be either physical, such as an Ethernet port, or logical, such as a VLAN switch virtual
interface (SVI). However, interfaces cannot belong to more than one VRF at any time.
Prior to Release IOS XE 3.5.0E and IOS 15.2(1)E, only IPv4 was available. With Release IOS XE 3.5.0E
and IOS 15.2(1)E, VRF-lite support has been extended to IPv6.
For information on VRF-lite, see Chapter 41, “Configuring VRF-lite.”

Virtual Router Redundancy Protocol
Virtual Router Redundancy Protocol (VRRP) is a standards-based first-hop redundancy protocol. With
VRRP, a group of routers function as one virtual router by sharing one virtual IP address and one virtual
MAC address. The master router performs packet forwarding, while the backup routers stay idle. VRRP
is typically used in multi-vendor first-hop gateway redundancy deployments.
For details on VRRP, refer to this URL:
http://www.cisco.com/en/US/docs/ios/ipapp/configuration/guide/ipapp_vrrp_ps6441_TSD_Products_Configuration_Guide_Chapter.html

Management Features
The Catalyst 4500 series switch offers network management and control using the CLI or through
alternative access methods, such as SNMP. The switch software supports these network management
features:
• Cisco Call Home, page 1-24
• Cisco Energy Wise, page 1-24
• Cisco IOS IP Service Level Agreements, page 1-24
• Cisco Media Services Proxy, page 1-25
• Cisco Medianet AutoQoS, page 1-25
• Cisco Medianet Flow Metadata, page 1-26
• Cisco IOS Mediatrace and Performance Monitor, page 1-26
• Cisco Network Assistant, page 1-28
• Dynamic Host Control Protocol, page 1-28
• Easy Virtual Network, page 1-28
• Embedded CiscoView, page 1-29
• Embedded Event Manager, page 1-29
• Ethernet Management Port, page 1-29
• File System Management (Supervisor Engine 7-E, 7L-E, and 8-E), page 1-29
• FAT File Management System on Supervisor Engine 6-E, Supervisor Engine 6L-E, Catalyst 4948E,
Catalyst 4948E-F, and Catalyst 4900M, page 1-30
• Forced 10/100 Autonegotiation, page 1-30
• Intelligent Power Management, page 1-30
• MAC Address Notification, page 1-30
• MAC Notify MIB, page 1-30
• NetFlow-lite, page 1-31
• Power over Ethernet, page 1-31
• Secure Shell, page 1-31
• Simple Network Management Protocol, page 1-31
• Smart Install, page 1-32
• SPAN and RSPAN, page 1-32
• Universal Power over Ethernet, page 1-32
• Web Content Coordination Protocol, page 1-32
• Wireshark, page 1-33
• XML-PI, page 1-33

Cisco Call Home
Call Home provides e-mail-based and web-based notification of critical system events. A versatile range
of message formats is available for optimal compatibility with pager services, standard e-mail, or
XML-based automated parsing applications. Common uses of this feature include direct paging of
a network support engineer, e-mail notification to a Network Operations Center, XML delivery to a
support website, and use of Cisco Smart Call Home services for direct case generation with the
Cisco Systems Technical Assistance Center (TAC).
The Call Home feature can deliver alert messages containing information on configuration, diagnostics,
environmental conditions, inventory, and syslog events.
For more information on Call Home, see Chapter 68, “Configuring Call Home.”

Cisco Energy Wise
Cisco EnergyWise is an energy-management technology added onto Cisco switching solutions to help
you measure, report, and reduce energy consumption across your entire infrastructure. With
EnergyWise’s management interface, network management applications can communicate with
endpoints and each other, using the network as the unifying fabric.
For details, refer to the URLs:
http://www.cisco.com/en/US/docs/switches/lan/energywise/phase2/ios/configuration/guide/ew_v2.html
http://www.cisco.com/en/US/docs/switches/lan/energywise/phase2_5/ios/release/notes/ol23554.html#wp60494l

Cisco IOS IP Service Level Agreements
Cisco IOS IP Service Level Agreements (SLAs) allow Cisco customers to analyze IP service levels for
IP applications and services by using active traffic monitoring—the generation of traffic in a continuous,
reliable, and predictable manner—to measure network performance. With Cisco IOS IP SLAs, service
provider customers can measure and provide service level agreements, and enterprise customers can
verify service levels, verify outsourced service level agreements, and understand network performance.
Cisco IOS IP SLAs can perform network assessments, verify quality of service (QoS), ease the
deployment of new services, and assist with network troubleshooting.
For platform-specific information on Cisco IOS IP SLA, see Chapter 69, “Configuring Cisco IOS IP
SLA Operations.”
For more detail on Cisco IOS IP SLAs, see the Cisco IOS IP SLAs Configuration Guide, Release 12.4T:
http://www.cisco.com/en/US/docs/ios/ipsla/configuration/guide/12_4t/sla_12_4t_book.html
Catalyst 4500 series switch also supports a Built-in Traffic Simulator using Cisco IOS IP SLAs video
operations to generate synthetic traffic for a variety of video applications, such as Telepresence, IPTV
and IP video surveillance camera. You can use the simulator tool:
• for network assessment before deploying applications that have stringent network performance
requirements.
• along with the Cisco IOS Mediatrace for post-deployment troubleshooting for any network related
performance issues.
The traffic simulator includes a sophisticated scheduler that allows the user to run several tests
simultaneously or periodically and over extended time periods. (Supported only on switches running the
Enterprise Services feature set.)
For information on configuring this feature, see the Configuring Cisco IOS IP SLAs Video Operations
document at:
http://www.cisco.com/en/US/docs/ios-xml/ios/ipsla/configuration/12-2se/sla_video.html

Cisco Media Services Proxy
The Media Services Proxy (MSP) feature identifies various media end points in the network
automatically and renders appropriate media services. It acts as a layer that connects appropriate devices
with their respective network services automatically.
MSP follows a network-centric model, where the access switches and routers learn information about
devices and flow by using mechanisms such as Cisco Discovery Protocol (formerly known as CDP) and
DHCP, or by snooping on key protocol packets such as the Session Initiation Protocol (SIP) and H.323.
Modifications to the endpoints are not required to achieve the information learning. After the
information is gleaned, MSP provides appropriate services to the network devices.
Following are the benefits of MSP:
• Automatic identification of devices and flow in the network.
• Application of appropriate services to the endpoints.
• Configuration control for the administrator, thereby reducing the manual configuration and
management of services. For example, configuring the Resource Reservation Protocol (RSVP) in the
network for video applications requiring guaranteed bandwidth.

Note The system cannot scale to greater than 512 SIP flows with MSP and Flow Metadata enabled.

For information on configuring this feature, refer to the following documents:
http://www.cisco.com/en/US/docs/ios-xml/ios/msp/configuration/15-1sg/med-ser-prxy.html
http://www.cisco.com/en/US/docs/ios-xml/ios/msp/configuration/xe-3sg/med-ser-prxy-xe.html

Cisco Medianet AutoQoS
Cisco Medianet AutoQoS provides a default configuration to ease the process of enabling QoS on
switches. This process can be difficult given the functional and behavioral differences in QoS across
different platforms. This functionality extends AutoQoS on the Catalyst 4500 to support
video traffic as well as other kinds of traffic.
The goal of AutoQoS is to simplify the work customers have to undertake while configuring their
networks to support QoS. This is done by automating QoS configurations to handle various classes of
traffic. AutoQoS for Medianet provides commands that act as macros that call existing CLI commands
to implement the desired configurations. You are required to specify the type of device (PC, another switch,
IP camera, etc.) connected to a given interface. AutoQoS for Medianet applies a default QoS
configuration to that interface, which you can later fine-tune as needed.
For details, refer to Chapter 42, “Configuring Quality of Service.”

Cisco Medianet Flow Metadata
Flow Metadata is the data that qualifies other data. Flow Metadata aids in supporting an intelligent
network by making the network aware about the type, nature, and characteristics of the media stream
that flows in the network. Flow Metadata also allows for the network to apply policies on the media
streams. Across the Medianet system, Flow Metadata is produced, transported, stored, retrieved, and
acted on consistently by a wide variety of Medianet services.
The Flow Metadata infrastructure provides a framework that allows data from one component to be
available to another component on the same network element as well as across network elements.
Flow Metadata is supported on releases prior to Cisco IOS Release 15.1(1)SG. Flow metadata is the data
that describes a flow in the network. This Flow Metadata describes the five tuple flow along with the
attributes. Network elements can take action based on the Flow Metadata generated by the endpoints.
The Flow Metadata infrastructure consists of two major components: producers and consumers.
• Flow Metadata producer is any source of Flow Metadata. The producer propagates all the attributes
of a given flow. Producers can be anywhere in the network: endpoint, proxy agents, or intermediate
nodes. Currently, Flow Metadata generated by the endpoints is supported. Producers use a specific
transport protocol, such as RSVP for signalling the Flow Metadata attributes and store the
information in a database, referred to as the control plane database, which can then be used by the
consumers.
• Flow Metadata consumer is any network element that uses the flow tuple and Flow Metadata
provided by the producers. The flow tuple and Flow Metadata can also be propagated along the
media path to consumers in different network elements via a transport infrastructure.
For configuration details, refer to the following URLs:
http://www.cisco.com/en/US/docs/ios-xml/ios/mdata/configuration/xe-3sg/metadata-framework.html
http://www.cisco.com/en/US/docs/ios-xml/ios/mdata/configuration/15-1sg/metadata-framework.html
For details on the Flow Metadata commands, refer to the following URL:
http://www.cisco.com/en/US/docs/ios-xml/ios/qos/command/qos-cr-book.html

Cisco IOS Mediatrace and Performance Monitor
Cisco IOS Mediatrace helps to isolate and troubleshoot network degradation problems by enabling a
network administrator to discover an IP flow's path, dynamically enable monitoring capabilities on the
nodes along the path, and collect information on a hop-by-hop basis. This information includes, among
other things, flow statistics; utilization information for incoming and outgoing interfaces, CPUs, and
memory; as well as any changes to IP routes or the Cisco IOS Mediatrace monitoring state.
For details, see the following URLs:
http://www.cisco.com/en/US/docs/ios-xml/ios/media_monitoring/configuration/15-1sg/mm-pasv-mon.html
http://www.cisco.com/en/US/docs/ios-xml/ios/media_monitoring/configuration/xe-3sg/mm-pasv-mon.html
http://www.cisco.com/en/US/docs/ios/media_monitoring/command/reference/mm_book.html
http://www.cisco.com/en/US/docs/ios-xml/ios/media_monitoring/configuration/15-1sg/mm-mediatrace.html
http://www.cisco.com/en/US/docs/ios-xml/ios/media_monitoring/configuration/xe-3sg/mm-mediatrace.html
Configuration guidelines for Cisco IOS Mediatrace and Performance Monitor include the following:
• Video monitoring is supported only on physical ports.
Limitations for Cisco IOS Mediatrace and Performance Monitor on a Catalyst 4500 Series Switch
include the following:
• Both features can only be configured to monitor ingress traffic.
• Packets cannot be monitored by both CEure and the rxSPAN session with encapsulation. The
first-applied configuration takes precedence.
• Not all packets received by an interface can be monitored. After a packet is received by an ingress
interface, it might be either unable to make a forwarding decision or dropped at various stages
because of configured security features (like IP Source Guard). The switch attempts to monitor
packets close to the switch, but only those that are not dropped before the input classification stage
can be monitored.
• CPU utilization is impacted when you monitor a high traffic rate. After the internally determined
threshold is crossed, monitored packets are dropped, although the original packet is forwarded in
hardware intact. Starting with Release IOS XE 3.3.0SG and IOS 15.1(1)SG, monitored packets
might be dropped if any of the following apply:
– The packet rate exceeds 512 PPS per flow.
– The aggregated bandwidth of the monitored traffic exceeds 10 Mbps.
– Resources are insufficient to enqueue a new monitored packet.
When monitored packets are dropped, the monitor event is set to TRUE if the flow record
contains collect monitor event. If one minute passes with no new drops, the monitor event is set to
FALSE, but the change is not reflected in the output of show performance monitor status until the new
monitor interval starts.
monitor event is a global flag: any packet drop that would trigger it causes monitor event to be
set to TRUE for all monitored flows in that monitor interval. If a metric depends on the collection
of continuous packets, the accuracy of that metric might be impacted when monitor event is TRUE.

Cisco Network Assistant
Cisco Network Assistant manages standalone devices, clusters of devices, or federations of devices from
anywhere in your intranet. Using its graphical user interface, you can perform multiple configuration
tasks without having to remember command-line interface commands. Embedded CiscoView is a device
management application that can be embedded on the switch flash and provides dynamic status,
monitoring, and configuration information for your switch.
For more information on Cisco Network Assistant, see Chapter 15, “Configuring the Catalyst 4500
Series Switch with Cisco Network Assistant.”

Dynamic Host Control Protocol
The Catalyst 4500 series switch uses DHCP in the following ways:
• Dynamic Host Control Protocol server—The Cisco IOS DHCP server feature is a full DHCP server
implementation that assigns and manages IP addresses from specified address pools within the
router to DHCP clients. If the Cisco IOS DHCP server cannot satisfy a DHCP request from its own
database, it can forward the request to one or more secondary DHCP servers defined by the network
administrator.
• Dynamic Host Control Protocol autoconfiguration—With this feature your switch (the DHCP client)
is automatically configured at startup with IP address information and a configuration file.
For DHCP server configuration information, refer to the chapter, “Configuring DHCP,” in the Cisco
IOS IP and IP Routing Configuration Guide at the following URL:
http://www.cisco.com/en/US/docs/ios/ipaddr/configuration/guide/iad_dhcp_rdmp_ps6350_TSD_Products_Configuration_Guide_Chapter.html

Easy Virtual Network
Easy Virtual Network (EVN) is an IP-based virtualization technology that provides end-to-end
virtualization of the network. You can use a single IP infrastructure to provide separate virtual networks
whose traffic paths remain isolated from each other. Use Easy Virtual Network to set up two
or more virtual IP networks.
For details on EVN, refer to the following URLs:
http://www.cisco.com/en/US/docs/ios-xml/ios/evn/configuration/xe-3s/evn-xe-3s-book.html
The following restrictions/feature interactions apply:
• Multicast
When multicast traffic traverses VRFs, where source and receivers are in different VRFs, multicast
counters will not increment on the receivers' VRFs.
• NetFlow
When configured on an EVN trunk interface, NetFlow captures traffic information for all VRFs but
does not preserve the VRF information.
• SPAN
– When an EVN trunk interface is configured as a SPAN source, traffic belonging to all VRFs
carried by the EVN trunk is spanned. By default, the VNET tag is not preserved. To preserve it,
configure SPAN destination with the encapsulation dot1q option.
– To span traffic belonging to specific VRFs on an EVN trunk, configure filter vlan on the SPAN
session with the corresponding VNET tags as vlan_ids and configure VLANs specified in filter
vlan.
– To span traffic in specific VRFs on all interfaces, configure vlan as the SPAN source with
VNET tags as vlan_ids and configure VLANs specified as sources.
– If cpu is configured as a SPAN source, then transmit packets that will be spanned are tagged by
default. If the encapsulation dot1q option is set on the SPAN session, then the cpu transmitted
packets, which are spanned, are double tagged.
Refer to Chapter 58, “Configuring SPAN and RSPAN,” for information on configuring SPAN
sessions.

Embedded CiscoView
Embedded CiscoView is a web-based tool for configuring the Catalyst 4500 series switch. It is a device
management application that can be embedded on the switch flash and provides dynamic status,
monitoring, and configuration information for your switch.
For more information on Embedded CiscoView, see Chapter 4, “Administering the Switch.”

Embedded Event Manager
Embedded Event Manager (EEM) is a distributed and customized approach to event detection and
recovery offered directly in a Cisco IOS device. EEM offers the ability to monitor events and take
informational, corrective, or any desired EEM action when the monitored events occur or when a
threshold is reached. An EEM policy is an entity that defines an event and the actions to be taken when
that event occurs.
For information on EEM, see the URL:

http://www.cisco.com/en/US/products/ps6815/products_ios_protocol_group_home.html

Ethernet Management Port
The Ethernet management port, also referred to as the Fa1 or fastethernet1 port, is a Layer 3 host port
to which you can connect a PC. You can use the Ethernet management port instead of the switch console
port for network management. When managing a switch stack, connect the PC to the Ethernet
management port on a Catalyst 4500 series switch.
For more information on Ethernet management port, see the “Using the Ethernet Management Port”
section in Chapter 8, “Configuring Interfaces.”

File System Management (Supervisor Engine 7-E, 7L-E, and 8-E)
The format command for IOS XE 3.1.0SG changed slightly compared to the classic IOS format command because
the latter does not support the ext2 format.
For USB flash under IOS XE 3.1.0SG, three formats are available: FAT16, FAT32, and ext2:
Switch# format usb0: ?
FAT16 FAT16 filesystem type
FAT32 FAT32 filesystem type
ext2 ext2 filesystem type

For SD card under IOS XE 3.1.0SG, the default format is FAT16:
Switch# format slaveusb0: ?
FAT16 FAT16 filesystem type
FAT32 FAT32 filesystem type
ext2 ext2 filesystem type

FAT File Management System on Supervisor Engine 6-E, Supervisor Engine
6L-E, Catalyst 4948E, Catalyst 4948E-F, and Catalyst 4900M
The FAT file system is widely used to manage files on device disks and flash. Support for the FAT
file system allows you to easily remove, add, and/or transfer images to and from the flash.

Forced 10/100 Autonegotiation
This feature allows you to configure a port to limit the speed at which it will autonegotiate to a speed
lower than the physical maximum speed. This method of reducing the throughput incurs much less
overhead than using an ACL.

Intelligent Power Management
Working with powered devices (PDs) from Cisco, this feature uses power negotiation to refine the power
consumption of an 802.3af-compliant PD beyond the granularity of power consumption provided by the
802.3af class. Power negotiation also enables the backward compatibility of newer PDs with older
modules that do not support either 802.3af or high-power levels as required by IEEE standard.
For more information on Intelligent Power Management, see the “Intelligent Power Management”
section in Chapter 14, “Configuring Power over Ethernet.”

MAC Address Notification
MAC address notification monitors the MAC addresses that are learned by, aged out, or removed from
the Catalyst 4500 series switch. Notifications are sent out or retrieved by using the
CISCO-MAC-NOTIFICATION MIB. It is typically used by a central network management application
to collect such MAC address notification events for host moves. User-configurable MAC table utilization
thresholds can be defined to notify any potential DoS or man-in-the-middle attack.
For information on MAC Address Notification, see Chapter 4, “Administering the Switch.”

MAC Notify MIB
The MAC Notify MIB feature monitors network performance, utilization, and security conditions
enabling a network administrator to track the MAC addresses that are learned or removed on the switch
forwarding the Ethernet frames.

NetFlow-lite

Note NetFlow-lite is only supported on the Catalyst 4948E and Catalyst 4948E-F Ethernet switches.

The NetFlow-lite feature is based on ingress packet sampling at a monitoring point that can be an
interface on the switch. By exporting NetFlow sampled packets, it provides visibility into traffic that is
switched through the device. The rate at which input packets are sampled is configurable and a wide
range of sampling rates are supported. Each sampled packet is exported as a separate NetFlow data
record in the data path. NetFlow V9 and V10(IPFIX) export formats are supported.
For more information on NetFlow statistics, see Chapter 64, “Configuring NetFlow-lite.”

Power over Ethernet
Power over Ethernet (PoE) allows the LAN switching infrastructure to provide power to an endpoint
("powered device") over a copper Ethernet cable. This capability, once referred to as "inline power," was
originally developed by Cisco in 2000 to support emerging IP telephony deployments.
IP telephones need power for operation, and Power over Ethernet supports scalable, manageable power
delivery and simplifies IP telephony deployments. As wireless networking emerged, Power over
Ethernet began powering wireless devices in locations where local power access did not exist.
For more information on Power over Ethernet, see Chapter 14, “Configuring Power over Ethernet.”

Secure Shell
Secure Shell (SSH) is a program that enables you to log into another computer over a network, to execute
commands remotely, and to move files from one machine to another. The switch may not initiate SSH
connections: SSH will be limited to providing a remote login session to the switch and will only function
as a server.

Simple Network Management Protocol
Simple Network Management Protocol (SNMP) facilitates the exchange of management information
between network devices. The Catalyst 4500 series switch supports these SNMP types and
enhancements:
• SNMP—A full Internet standard
• SNMP v2—Community-based administrative framework for version 2 of SNMP
• SNMP v3—Security framework with three levels: noAuthNoPriv, authNoPriv, and authPriv
(available only on a crypto image, such as cat4000-i5k91s-mz)
• SNMP trap message enhancements—Additional information with certain SNMP trap messages,
including spanning-tree topology change notifications and configuration change notifications
For more information on SNMP, see Chapter 63, “Configuring SNMP.”

Smart Install
Beginning with Cisco IOS XE 3.4.0SG and 15.1(2)SG, the Catalyst 4500 series switch supports Smart
Install, which is a plug-and-play configuration and image-management feature that provides zero-touch
deployment for new switches. You can ship a switch to a location, place it in the network and power it
on with no configuration required on the device.
For details on Smart Install, see the URL:

http://www.cisco.com/en/US/docs/switches/lan/smart_install/configuration/guide/smart_install.html

SPAN and RSPAN
Switched Port Analyzer (SPAN) allows you to monitor traffic on any port for analysis by a network
analyzer or Remote Monitoring (RMON) probe. You also can do the following:
• Configure ACLs on SPAN sessions.
• Allow incoming traffic on SPAN destination ports to be switched normally.
• Explicitly configure the encapsulation type of packets that are spanned out of a destination port.
• Restrict ingress sniffing depending on whether the packet is unicast, multicast, or broadcast, and
depending on whether the packet is valid.
• Mirror packets sent to or from the CPU out of a SPAN destination port for troubleshooting purposes.
For information on SPAN, see Chapter 58, “Configuring SPAN and RSPAN.”
Remote SPAN (RSPAN) is an extension of SPAN, where source ports and destination ports are
distributed across multiple switches, allowing remote monitoring of multiple switches across the
network. The traffic for each RSPAN session is carried over a user-specified RSPAN VLAN that is
dedicated for that RSPAN session on all participating switches.
For information on RSPAN, see Chapter 58, “Configuring SPAN and RSPAN.”

Universal Power over Ethernet
The IEEE 802.3 Power over Ethernet (PoE) standard sets the maximum power that can be sourced by
data terminal equipment (DTE) at 30W. This power is sourced over two pairs out of the four twisted pairs
of conductors in a Class D, or better, cabling as specified in ISO/IEC 11801:1995.
Cisco® Universal Power over Ethernet (UPOE) is a Cisco proprietary technology that extends the IEEE
802.3 PoE standard to provide the capability to source up to 60W of power over standard Ethernet
cabling infrastructure (Class D or better).
For more information on UPOE, see the “Configuring Universal PoE” section in Chapter 14,
“Configuring Power over Ethernet.”

Web Content Coordination Protocol

Note WCCP version 1 is not supported.

Web Content Communication Protocol (WCCP) Version 2 Layer 2 redirection enables Catalyst 4500
series switches to transparently redirect content requests to the directly connected content engines by
using a Layer 2 and MAC address rewrite. The WCCPv2 Layer 2 redirection is accelerated in the
switching hardware, and is more efficient than Layer 3 redirection using Generic Routing Encapsulation
(GRE). The content engines in a cache cluster transparently store frequently accessed content, and then
fulfill successive requests for the same content, eliminating repetitive transmissions of identical content
from the original content servers. It supports the transparent redirection of HTTP and non-HTTP traffic
with ports or dynamic services, such as Web caching, HTTPS caching, File Transfer Protocol (FTP)
caching, proxy caching, media caching, and streaming services. WCCPv2 Layer 2 redirection is
typically deployed for transparent caching at network edge, such as regional or branch sites. WCCPv2
Layer 2 redirection cannot be enabled on the same input interface with PBR or VRF-lite. ACL-based
classification for Layer 2 redirection is not supported.
For information on WCCP, see Chapter 72, “Configuring WCCP Version 2 Services.”

Wireshark

Note Wireshark is supported only on Supervisor Engine 7-E, Supervisor Engine 7L-E, Supervisor Engine 8-E,
and Catalyst 4500X.

Starting with Cisco IOS Release XE 3.3.0SG and the IP Base and Enterprise Services feature sets, the
Catalyst 4500 series switch supports Wireshark. This is a packet analyzer program, formerly known as
Ethereal, that supports multiple protocols and presents information in a graphical and text-based user
interface. Wireshark is applied or enabled on an individual interface; global packet capture is not
supported.
For information on Wireshark, see Chapter 59, “Configuring Wireshark.”

XML-PI
eXtensible Markup Language Programmatic Interface (XML-PI) Release 1.0 leverages the Network
Configuration Protocol (NETCONF). It provides new data models that collect running configurations
and show command output down to the keyword level without requiring the technologies or external
XML-to-command line interface (CLI) gateways. XML-PI allows you to develop XML-based network
management applications to control any number of network devices simultaneously.
Refer to the following link for more details:
http://www.cisco.com/en/US/docs/ios/netmgmt/configuration/guide/nm_xmlpi_v1.html

Security Features
The Catalyst 4500 series switch offers network management and control through the CLI or through
alternative access methods, such as SNMP. The switch software supports these security features:
• 802.1X Identity-Based Network Security, page 1-34
• Cisco TrustSec Security Architecture, page 1-36
• Cisco TrustSec Security Groups, SGTs and SGACLs, page 1-36
• Dynamic ARP Inspection, page 1-37
• Dynamic Host Configuration Protocol Snooping, page 1-37
• Flood Blocking, page 1-37
• Hardware-Based Control Plane Policing, page 1-37
• IP Source Guard, page 1-38
• IP Source Guard for Static Hosts, page 1-38
• IPsec VPN, page 1-40
• IPv6 First Hop Security, page 1-38
• Local Authentication, RADIUS, and TACACS+ Authentication, page 1-40
• Network Admission Control, page 1-40
• Network Security with ACLs, page 1-41
• Port Security, page 1-41
• PPPoE Intermediate Agent, page 1-41
• Session Aware Networking, page 1-42
• Storm Control, page 1-42
• uRPF Strict Mode, page 1-42
• Utilities, page 1-43
• Web-based Authentication, page 1-43

802.1X Identity-Based Network Security
This security feature consists of the following:
• 802.1X Authentication for Guest VLANs—Allows you to use VLAN assignment to limit network
access for certain users.
• 802.1X Authentication Failed Open Assignment—Allows you to configure a switch to handle the
case when a device fails to authenticate itself correctly through 802.1X (for example, not providing
the correct password).
• 802.1X Authentication with ACL Assignment—Downloads per-host policies such as ACLs and
redirect URLs to the switch from the RADIUS server during 802.1X or MAB authentication of the
host.
• 802.1X Authentication with Per-User ACL and Filter-ID ACL—Allows ACL policy enforcement
using a third-party AAA server.
• 802.1X Convergence—Provides consistency between the switching business units in 802.1X
configuration and implementation.
• 802.1X Protocol—Provides a means for a host that is connected to a switch port to be authenticated
before it is given access to the switch services.
• 802.1X RADIUS accounting—Allows you to track the use of network devices.
• 802.1X Supplicant and Authenticator Switches with Network Edge Access Topology
(NEAT)—Extends identity to areas outside the wiring closet (such as conference rooms). NEAT is
designed for deployment scenarios where a switch acting as 802.1X authenticator to end-hosts (PC
or Cisco IP-phones) is placed in an unsecured location (outside wiring closet); the authenticator
switch cannot always be trusted.
• 802.1X with Authentication Failed VLAN Assignment—Allows you to provide access for
authentication failed users on a per-port basis. Authentication failed users are end hosts that are
802.1X-capable but do not have valid credentials in an authentication server or end hosts that do not
give any username and password combination in the authentication pop-up window on the user side.
• 802.1X with Inaccessible Authentication Bypass—Applies when the AAA servers are unreachable
or nonresponsive. In this situation, 802.1X user authentication typically fails with the port closed,
and the user is denied access. Inaccessible Authentication Bypass provides a configurable
alternative on the Catalyst 4500 series switch to grant a critical port network access in a locally
specified VLAN.
• 802.1X with Port Security—Allows port security on an 802.1X port in either single- or multiple-host
mode. When you enable port security and 802.1X on a port, 802.1X authenticates the port, and port
security manages the number of MAC addresses allowed on that port, including that of the client.
• 802.1X with MAC Authentication Bypass—Provides network access to agentless devices without
802.1X supplicant capabilities, such as printers. Upon detecting a new MAC address on a switch
port, the Catalyst 4500 series switch will proxy an 802.1X authentication request based on the
device’s MAC address.
• 802.1X with RADIUS-Provided Session Timeouts—Allows you to specify whether a switch uses a
locally configured or a RADIUS-provided reauthentication timeout.
• 802.1X with Unidirectional Controlled Port—Allows the Wake-on-LAN (WoL) magic packets to
reach a workstation attached to an unauthorized 802.1X switch port. Unidirectional Controlled Port
is typically used to send operating systems or software updates from a central server to workstations
at night.
• 802.1X with Violation Mode—This feature allows you to configure 802.1X security violation
behavior as either shutdown, restrict, or replace mode, based on the response to the violation.
• 802.1X with VLAN assignment—This feature allows you to enable non-802.1X-capable hosts to
access networks that use 802.1X authentication.
• 802.1X with VLAN user distribution—An alternative to dynamically assigning a VLAN ID or a
VLAN name, this feature assigns a VLAN Group name. It enables you to distribute users belonging
to the same group (and characterized by a common VLAN Group name) across multiple VLANs.
Ordinarily, you do this to avoid creating an overly large broadcast domain.
• 802.1X with Voice VLAN—This feature allows you to use 802.1X security on a port while enabling
it to be used by both Cisco IP phones and devices with 802.1X supplicant support.
• Multi-Domain Authentication—This feature allows both a data device and a voice device, such as
an IP phone (Cisco or non-Cisco), to authenticate on the same switch port, which is divided into a
data domain and a voice domain.
• RADIUS Change of Authorization—This feature employs Change of Authorization (CoA)
extensions defined in RFC 5176 in a push model to allow for the dynamic reconfiguring of sessions
from external authentication, authorization, and accounting (AAA) or policy servers.
For more information on 802.1X identity-based network security, see Chapter 46, “Configuring 802.1X
Port-Based Authentication.”

Cisco TrustSec MACsec Encryption
MACsec (Media Access Control Security) is the IEEE 802.1AE standard for authenticating and
encrypting packets between two MACsec-capable devices. The Catalyst 4500 series switch supports
802.1AE encryption with MACsec Key Agreement (MKA) on downlink ports for encryption between
the switch and host devices. The switch also supports MACsec link layer switch-to-switch security by
using Cisco TrustSec Network Device Admission Control (NDAC) and the Security Association
Protocol (SAP) key exchange. Link layer security can include both packet authentication between
switches and MACsec encryption between switches (encryption is optional).
For more information on TrustSec MACsec encryption, see Chapter 45, “Configuring MACsec
Encryption.”

Cisco TrustSec Security Architecture
The Cisco TrustSec security architecture builds secure networks by establishing domains of trusted
network devices. Each device in the domain is authenticated by its peers. Communication on the links
between devices in the domain is secured with a combination of encryption, message integrity check,
and data-path replay protection mechanisms. Cisco TrustSec uses the device and user credentials
acquired during authentication for classifying the packets by security groups (SGs) as they enter the
network. This packet classification is maintained by tagging packets on ingress to the Cisco TrustSec
network so that they can be properly identified for the purpose of applying security and other policy
criteria along the data path. The tag, called the security group tag (SGT), allows the network to enforce
the access control policy by enabling the endpoint device to act upon the SGT to filter traffic.
For more information, refer to the following URL:
http://www.cisco.com/en/US/docs/switches/lan/trustsec/configuration/guide/trustsec.html

Cisco TrustSec Security Groups, SGTs and SGACLs

Note This support is provided only on Supervisor Engine 7-E, Supervisor Engine 7L-E, Supervisor Engine
8-E, and Catalyst 4500X.

A security group is a grouping of users, endpoint devices, and resources that share access control
policies. Security groups are defined by the administrator in the Cisco ISE or Cisco Secure ACS. As new
users and devices are added to the Cisco TrustSec domain, the authentication server assigns these new
entities to appropriate security groups. Once a device is authenticated, Cisco TrustSec tags any packet
that originates from that device with a security group tag (SGT) that contains the security group number
of the device. The packet carries this SGT throughout the network.
Using security group access control lists (SGACLs), you can control the operations that users can
perform based on the security group assignments of users and destination resources.
For more information, refer to the following URL:
http://www.cisco.com/en/US/docs/switches/lan/trustsec/configuration/guide/trustsec.html
For Cisco TrustSec SGT and SGACL guidelines and restrictions that apply on the Catalyst 4500 series
switch, refer to "Appendix B. Notes for the Catalyst 4500 Series Switches" in the Cisco TrustSec Switch
Configuration Guide.

Dynamic ARP Inspection
Dynamic ARP Inspection (DAI) intercepts all ARP requests and replies on untrusted ports and verifies each
intercepted packet for valid IP-to-MAC bindings. Dynamic ARP Inspection helps to prevent attacks on
a network by not relaying invalid ARP replies out to other ports in the same VLAN. Denied ARP packets
are logged by the switch for auditing.
For more information on dynamic ARP inspection, see Chapter 52, “Configuring Dynamic ARP
Inspection.”

Dynamic Host Configuration Protocol Snooping
Dynamic Host Configuration Protocol (DHCP) Snooping is a security feature that is a component of a
DHCP server. DHCP snooping provides security by intercepting untrusted DHCP messages and by
building and maintaining a DHCP snooping binding table. An untrusted message is a message that is
received from outside the network or firewall that can cause traffic attacks within your network.
DHCP snooping acts like a firewall between untrusted hosts and DHCP servers. It also provides a way
to differentiate between untrusted interfaces connected to the end-user and trusted interfaces connected
to the DHCP server or another switch.
With SSO support, DHCP Snooping propagates the DHCP-snooped data from the active supervisor
engine to the redundant supervisor engine so that when a switchover occurs, the newly active supervisor
engine is aware of the DHCP data that was already snooped, and the security benefits continue
uninterrupted.
For DHCP server configuration information, refer to the chapter, “Configuring DHCP,” in the Cisco IOS
IP and IP Routing Configuration Guide at the following URL:
http://www.cisco.com/en/US/docs/ios/ipaddr/configuration/guide/iad_dhcp_rdmp_ps6350_TSD_Products_Configuration_Guide_Chapter.html
For information on configuring DHCP snooping, see Chapter 53, “Configuring DHCP Snooping, IP
Source Guard, and IPSG for Static Hosts.”

Flood Blocking
Flood blocking enables users to disable the flooding of unicast and multicast packets on a per-port basis.
Occasionally, unknown unicast or multicast traffic from an unprotected port is flooded to a protected port
because a MAC address has timed out or has not been learned by the switch.
For information on flood blocking, see Chapter 56, “Port Unicast and Multicast Flood Blocking.”

Hardware-Based Control Plane Policing
Control Plane Policing provides a unified solution to limit the rate of CPU bound control plane traffic in
hardware. It enables users to install system wide control plane ACLs to protect the CPU by limiting rates
or filtering out malicious DoS attacks. Control plane policing ensures the network stability, availability
and packet forwarding, and prevents network outages such as loss of protocol updates despite an attack
or heavy load on the switch. Hardware-based control plane policing is available for all
Catalyst 4500 supervisor engines. It supports various Layer 2 and Layer 3 control protocols, such as
CDP, EAPOL, STP, DTP, VTP, ICMP, CGMP, IGMP, DHCP, RIPv2, OSPF, PIM, TELNET, SNMP,
HTTP, and packets destined to 224.0.0.* multicast link local addresses. Predefined system policies or
user-configurable policies can be applied to those control protocols.
Through Layer 2 Control Packet QoS, you can police control packets arriving on a physical port or
VLAN; it enables you to apply QoS on Layer 2 control packets.
For information on control plane policing and Layer 2 control packet QoS, see Chapter 51, “Configuring
Control Plane Policing and Layer 2 Control Packet QoS.”

IP Source Guard
Similar to DHCP snooping, this feature is enabled on an untrusted Layer 2 port that is configured for
DHCP snooping. Initially all IP traffic on the port is blocked except for the DHCP packets, which are
captured by the DHCP snooping process. When a client receives a valid IP address from the DHCP
server, a PVACL is installed on the port, which restricts the client IP traffic to the addresses assigned
by the DHCP server, so any IP traffic with a source IP address other than those assigned by the DHCP
server is filtered out. This filtering prevents a malicious host from attacking a network by hijacking a
neighbor host's IP address.
For information on configuring IP Source Guard, see Chapter 53, “Configuring DHCP Snooping, IP
Source Guard, and IPSG for Static Hosts.”
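The binding-table chain described in the DHCP Snooping, Dynamic ARP Inspection, and IP Source Guard sections above, reduced to a small simulation (an added example, not code from this guide or from Cisco IOS; the switch class, port names, MAC and IP addresses are constructed for illustration):

```python
"""Simulation of a DHCP snooping binding table and the two checks that feed on
it: Dynamic ARP Inspection (DAI) and IP Source Guard (IPSG).  Added example;
every port name, MAC address and IP address below is constructed."""
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple

FORWARD, DROP = "forward", "drop"


@dataclass(frozen=True)
class Binding:
    """One entry of the DHCP snooping binding table (hashable, so it fits in a set)."""
    ip: str
    mac: str
    vlan: int
    port: str


@dataclass
class SnoopingSwitch:
    trusted_ports: Set[str]                                  # uplinks toward the legitimate DHCP server
    bindings: Set[Binding] = field(default_factory=set)      # the DHCP snooping binding table
    pending: Dict[Tuple[str, int], str] = field(default_factory=dict)  # (client MAC, VLAN) -> access port
    log: List[str] = field(default_factory=list)             # denied packets, kept for auditing

    def snoop_dhcp(self, port: str, vlan: int, msg: dict) -> str:
        """DHCP snooping: server messages are only accepted from trusted ports, and a
        lease confirmed by a trusted server becomes a binding on the client's port."""
        kind = msg["type"]
        if kind in ("DISCOVER", "REQUEST"):
            # Remember which access port the client spoke on; the lease is bound there.
            self.pending[(msg["client_mac"], vlan)] = port
            return FORWARD
        if kind in ("OFFER", "ACK"):
            if port not in self.trusted_ports:
                self.log.append(f"DHCP {kind} from untrusted {port} vlan {vlan} dropped")
                return DROP
            if kind == "ACK":
                client_port = self.pending.pop((msg["client_mac"], vlan), None)
                if client_port is not None:
                    self.bindings.add(Binding(msg["yiaddr"], msg["client_mac"], vlan, client_port))
            return FORWARD
        if kind == "RELEASE":
            # The client gave the lease back, so its binding (and what DAI/IPSG permit) goes away.
            self.bindings = {b for b in self.bindings
                             if not (b.mac == msg["client_mac"] and b.vlan == vlan)}
        return FORWARD

    def inspect_arp(self, port: str, vlan: int, sender_ip: str, sender_mac: str) -> str:
        """DAI: ARP from an untrusted port is relayed only if the sender IP/MAC pair
        matches a snooped binding in that VLAN; denied packets are logged."""
        if port in self.trusted_ports:
            return FORWARD
        if any(b.ip == sender_ip and b.mac == sender_mac and b.vlan == vlan for b in self.bindings):
            return FORWARD
        self.log.append(f"DAI: invalid ARP {sender_ip}/{sender_mac} on {port} vlan {vlan} dropped")
        return DROP

    def verify_source(self, port: str, vlan: int, src_ip: str, src_mac: str,
                      is_dhcp: bool = False) -> str:
        """IPSG: on an untrusted port only DHCP, and IP traffic whose source address was
        leased to this very port and MAC, is admitted; everything else is filtered."""
        if port in self.trusted_ports or is_dhcp:
            return FORWARD
        if any(b.ip == src_ip and b.mac == src_mac and b.vlan == vlan and b.port == port
               for b in self.bindings):
            return FORWARD
        self.log.append(f"IPSG: {src_ip}/{src_mac} not bound to {port} vlan {vlan} dropped")
        return DROP


def run_scenario() -> dict:
    """Constructed scenario: host A on Gi1/2 leases 10.0.0.50 through the trusted uplink
    Gi1/1; host B on Gi1/3 then tries to answer DHCP, spoof A's ARP, and use A's address."""
    sw = SnoopingSwitch(trusted_ports={"Gi1/1"})
    mac_a, mac_b = "aa:aa:aa:aa:aa:01", "aa:aa:aa:aa:aa:02"
    r = {}
    sw.snoop_dhcp("Gi1/2", 10, {"type": "DISCOVER", "client_mac": mac_a})
    r["rogue_offer"] = sw.snoop_dhcp("Gi1/3", 10, {"type": "OFFER", "client_mac": mac_a, "yiaddr": "10.0.0.250"})
    sw.snoop_dhcp("Gi1/1", 10, {"type": "ACK", "client_mac": mac_a, "yiaddr": "10.0.0.50"})
    r["arp_valid"] = sw.inspect_arp("Gi1/2", 10, "10.0.0.50", mac_a)
    r["arp_spoof"] = sw.inspect_arp("Gi1/3", 10, "10.0.0.50", mac_b)        # B claims A's IP
    r["ip_valid"] = sw.verify_source("Gi1/2", 10, "10.0.0.50", mac_a)
    r["ip_hijack"] = sw.verify_source("Gi1/3", 10, "10.0.0.50", mac_a)      # A's lease from B's port
    r["ip_dhcp"] = sw.verify_source("Gi1/3", 10, "0.0.0.0", mac_b, is_dhcp=True)
    sw.snoop_dhcp("Gi1/2", 10, {"type": "RELEASE", "client_mac": mac_a})
    r["arp_after_release"] = sw.inspect_arp("Gi1/2", 10, "10.0.0.50", mac_a)
    r["bindings"], r["log_entries"] = len(sw.bindings), len(sw.log)
    return r, sw.log


if __name__ == "__main__":
    results, audit_log = run_scenario()
    print(results)
    print("\n".join(audit_log))
```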

IP Source Guard for Static Hosts
This feature allows you to secure the IP address learned from static hosts by using ARP packets and then
bind that IP address to a given MAC address using the device tracking database, allowing entries to
survive through link down events.
IP Source Guard (IPSG) for static hosts allows multiple bindings per-port per-MAC address for both
DHCP and static hosts, in both device tracking database and DHCP snooping binding database. The
feature allows you to take action when a limit is exceeded.
For information on configuring IPSG for static hosts, see Chapter 53, “Configuring DHCP Snooping, IP
Source Guard, and IPSG for Static Hosts.”

IPv6 First Hop Security

Note IPv6 First Hop Security is supported only on Catalyst 4948E, Catalyst 4948E-F, Catalyst 4500-X,
Supervisor Engine 6-E, 6L-E, 7-E, 7L-E, and 8-E.

IPv6 FHS is a suite of features designed to secure link operations in an IPv6 enabled network as well as
address certain scalability issues seen in large L2 domains. IPv6 FHS provides effective counter
measures for the following types of attacks or misconfiguration errors that could result in DoS or
information theft:
• Router impersonation (MiM attacks)
• Address theft
• Address spoofing
• Remote address resolution cache exhaustion (DoS attacks)

These attacks can come from malicious or misconfigured users and could result in severe disruption to
users of the Layer 2 domain and to the network in general.
The following features are supported:
• DAD Proxy
• Data Glean
• Destination Guard
• IPv6 Snooping (DHCP Data Gleaning, per-limit Address Limit)
• IPv6 Address Glean
• IPv6 Device Tracking
• Lightweight DHCPv6 Relay Agent (LDRA)
• NDP Inspection
• Per ND Cache Limit
• Per Port Address Limit
• Source and Prefix Guard

Note IPv6 LDRA is the only FHS feature supported on EtherChannels.

Note Configuring IPv6 FHS on secondary VLANs is not allowed; they inherit the policy from the primary
VLAN configuration. Whatever policy is applied on the primary VLANs is programmed automatically
on the associated secondary VLANs. The applied policy, however, always overrides the VLAN level
configuration.

The following caveats are specific for Data Glean, Prefix Guard, and Source Guard enabled on a Catalyst
4500 series switch:
• First Hop Security (FHS) cannot be configured on the same port or VLAN as dot1X, because the
latter asserts control over the MAC table and FHS requires similar control to allow only valid NDP
or DHCPv6 hosts.
• If unicast reverse path forwarding (uRPF) is configured on the switch and FHS is enabled, the
Forward Lookup CAM is populated with routes from FHS and uRPF. Packets that normally fail the
uRPF check are admitted provided they pass the Source Guard or Prefix Guard check.
• If a Data Glean policy and Source Guard (or Prefix Guard) are applied such that VLAN policies and
port policies differ, neither the VLAN nor the port policy is effective.
• All ICMP and DHCP version 6 control packets are permitted even when Source Guard or Prefix
Guard is enabled.
For a brief overview of FHS, see the URL:
http://www.cisco.com/en/US/prod/collateral/iosswrel/ps6537/ps6553/aag_c45-707354.pdf
For detailed information on how to implement FHS, see the URL:
http://www.cisco.com/en/US/docs/ios-xml/ios/ipv6/configuration/12-4t/ip6-first-hop-security.html

IPsec VPN
When a growing organization expands to multiple locations, one of the challenges it faces is how to
interconnect remote sites to the corporate network. As network security risks increase and regulatory
compliance becomes essential, it is important to address these critical needs.
You can dramatically increase the reach of your network without significantly expanding your
infrastructure by using Cisco IOS IPsec VPNs. IPsec is a standards-based encryption technology that
enables you to securely connect branch offices and remote users and provides significant cost savings
compared to traditional WAN access such as Frame Relay or ATM. IPsec VPNs provide high levels of
security through encryption and authentication, protecting data from unauthorized access.
For additional information, refer to the following URL:
http://www.cisco.com/en/US/products/ps6635/products_ios_protocol_group_home.html

Local Authentication, RADIUS, and TACACS+ Authentication
Local Authentication, Remote Authentication Dial-In User Service (RADIUS), and Terminal Access
Controller Access Control System Plus (TACACS+) authentication methods control access to the switch.
For additional information, refer to the following URL:
http://www.cisco.com/en/US/docs/ios/sec_user_services/configuration/guide/sec_cfg_authentifcn_ps6350_TSD_Products_Configuration_Guide_Chapter.html

Network Admission Control
Network Admission Control consists of two features:
• NAC Layer 2 IP validation
NAC Layer 2 IP is an integral part of Cisco Network Admission Control. It offers the first line of
defense for infected hosts (PCs and other devices attached to a LAN port) attempting to connect to
the corporate network. NAC Layer 2 IP on the Cisco Catalyst 4500 series switch performs posture
validation at the Layer 2 edge of the network for non-802.1x-enabled host devices. Host device
posture validation includes antivirus state and OS patch levels. Depending on the corporate access
policy and host device posture, a host may be unconditionally admitted, admitted with restricted
access, or quarantined to prevent the spread of viruses across the network.
For more information on Layer 2 IP validation, see the URL:

http://www.cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_server_for_windows/4.1/configuration/guide/nac_conf.html
• NAC Layer 2 802.1X authentication
The Cisco Catalyst 4500 series switch extends NAC support to 802.1x-enabled devices. Like NAC
Layer 2 IP, the NAC Layer 2 802.1x feature determines the level of network access based on
endpoint information.
For more information on 802.1X identity-based network security, see Chapter 46, “Configuring
802.1X Port-Based Authentication.”

Software Configuration Guide—Release IOS XE 3.6.0E and IOS 15.2(2)E
1-40 OL-30933-01
Chapter 1 Product Overview
Security Features

Network Security with ACLs
An access control list (ACL) filters network traffic by controlling whether routed packets are forwarded
or blocked at the router interfaces. The Catalyst 4500 series switch examines each packet to determine
whether to forward or drop the packet based on the criteria you specified within the access lists.
MAC access control lists (MACLs) and VLAN access control lists (VACLs) are supported. VACLs are
also known as VLAN maps in Cisco IOS.
The Catalyst 4500 series switch supports three types of ACLs:
• IP ACLs, which filter IP traffic, including TCP, the User Datagram Protocol (UDP), Internet Group
Management Protocol (IGMP), and Internet Control Message Protocol (ICMP)
• IPv6 ACLs
• MAC ACLs which match based on Ethernet addresses and Ether Type
The switch supports the following applications of ACLs to filter traffic:
• MAC address filtering, which enables you to block unicast traffic for a MAC address on a VLAN
interface.
• Port ACLs, which enable you to apply ACLs to Layer 2 interfaces on a switch for inbound traffic.
• Router ACLs, which are applied to Layer 3 interfaces to control the access of routed traffic between
VLANs.
• VLAN ACLs or VLAN maps to control the access of all packets (bridged and routed).
For information on ACLs, MACLs, VLAN maps, MAC address filtering, and Port ACLs, see
Chapter 54, “Configuring Network Security with ACLs.”
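
The three applications listed above, as an added example that is not configuration from this guide (addresses, VLAN and interface numbers are placeholders): a router ACL on an SVI, a port ACL on an access port, and a VLAN map.

```cisco
! Added example, not from this guide. Addresses and interface numbers are placeholders.
!
! 1. Router ACL on the VLAN 10 SVI: routed traffic from VLAN 10 may reach the
!    server subnet only on HTTPS and the DNS server only on UDP/53. The final
!    deny repeats the implicit deny, but with log it makes drops visible in syslog.
ip access-list extended VLAN10-IN
 remark clients -> servers: HTTPS and DNS only
 permit tcp 10.10.0.0 0.0.255.255 10.20.0.0 0.0.0.255 eq 443
 permit udp 10.10.0.0 0.0.255.255 host 10.20.0.53 eq domain
 deny   ip any any log
!
interface Vlan10
 ip address 10.10.0.1 255.255.0.0
 ip access-group VLAN10-IN in
!
! 2. Port ACL on a Layer 2 access port: the same ACL syntax applied to the
!    physical port, so it also filters frames that never leave VLAN 10, which
!    a router ACL never sees. The host on this port cannot reach the
!    management subnet at all.
ip access-list extended GUEST-PORT
 deny   ip any 10.0.0.0 0.0.0.255
 permit ip any any
!
interface GigabitEthernet1/1
 switchport mode access
 switchport access vlan 10
 ip access-group GUEST-PORT in
!
! 3. VLAN map (VACL): applies to every packet in VLAN 10, bridged or routed.
!    Sequence 10 drops Telnet; sequence 20 forwards everything else, because
!    a packet that matches no entry of a VLAN map is dropped.
ip access-list extended TELNET
 permit tcp any any eq telnet
!
vlan access-map BLOCK-TELNET 10
 match ip address TELNET
 action drop
vlan access-map BLOCK-TELNET 20
 action forward
!
vlan filter BLOCK-TELNET vlan-list 10
```

Verify with show ip access-lists, show vlan access-map and show vlan filter. Entries that carry the log keyword are processed in software rather than in the forwarding hardware, so reserve log for deny entries that should match rarely; otherwise an attacker can raise CPU load simply by sending traffic that matches them.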

Port Security
Port security restricts traffic on a port based upon the MAC address of the workstation that accesses the
port. Trunk port security extends this feature to trunks, including private VLAN isolated trunks, on a
per-VLAN basis.
Sticky port security extends port security by saving the dynamically learned MAC addresses in the
running configuration, so that they survive a port link-down event and, once the configuration has been
saved to the startup configuration, a switch reset. It enables a network administrator to restrict the MAC
addresses allowed or the maximum number of MAC addresses on each port.
Voice VLAN sticky port security further extends the sticky port security to the voice-over-IP
deployment. Voice VLAN sticky port security locks a port and blocks access from a station with a MAC
address different from the IP phone and the workstation behind the IP phone.
For information on port security, see Chapter 49, “Configuring Port Security.”
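
The voice VLAN case described above, as an added example that is not configuration from this guide (VLAN and interface numbers are placeholders): one workstation behind one IP phone, with one sticky address allowed on each VLAN.

```cisco
! Added example, not from this guide. VLAN and interface numbers are placeholders.
! One workstation behind one IP phone: allow one sticky address on the data
! VLAN and one on the voice VLAN, and err-disable the port on a violation.
interface GigabitEthernet1/2
 switchport mode access
 switchport access vlan 10
 switchport voice vlan 100
 switchport port-security
 switchport port-security maximum 2
 switchport port-security maximum 1 vlan access
 switchport port-security maximum 1 vlan voice
 switchport port-security mac-address sticky
 switchport port-security violation shutdown
!
! Bring a violated port back automatically after 5 minutes instead of
! requiring a manual shutdown / no shutdown.
errdisable recovery cause psecure-violation
errdisable recovery interval 300
```

The learned addresses appear as switchport port-security mac-address sticky lines under the interface in show running-config; they survive a reload only after copy running-config startup-config. Check the port state and violation counters with show port-security interface GigabitEthernet1/2 and the learned entries with show port-security address.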

PPPoE Intermediate Agent
PPPoE Intermediate Agent (PPPoE IA) is placed between a subscriber and BRAS to help the service
provider BRAS distinguish between end hosts connected over Ethernet to an access switch. On the
access switch, PPPoE IA enables Subscriber Line Identification by appropriately tagging Ethernet
frames of different users. (The tag contains specific information such as which subscriber is connected
to the switch and VLAN.) PPPoE IA acts as a mini security firewall between the host and the BRAS by
intercepting all PPPoE Active Discovery (PAD) messages on a per-port, per-VLAN basis. It provides
specific security features, such as verifying intercepted PAD messages from untrusted ports, performing
per-port PAD message rate limiting, and inserting and removing VSA tags into and from PAD messages,
respectively.
For information on PPPoE IA, see Chapter 47, “Configuring the PPPoE Intermediate Agent.”

Session Aware Networking
Session Aware Networking provides an identity-based approach to access management and subscriber
management. It offers a consistent way to configure features across technologies, a command interface
that allows easy deployment and customization of features, and a robust policy control engine with the
ability to apply policies defined locally or received from an external server to enforce policy in the
network.
Session Aware Networking allows a single session identifier to be used for web authentication sessions
in addition to all 802.1X and MAB authenticated sessions for a client. This session ID is used for all
reporting purposes such as show commands, MIBs, and RADIUS messages and allows users to
distinguish messages for one session from messages for other sessions. This common session ID is used
consistently across all authentication methods and features applied to a session.

Note IPv6 is not supported for web authentication, 802.1X, or MAB.

For additional information, refer to the following URL:
http://www.cisco.com/en/US/docs/ios-xml/ios/san/configuration/xe-3se/3850/san-overview.html

Storm Control
Broadcast suppression is used to prevent LANs from being disrupted by a broadcast storm on one or
more switch ports. A LAN broadcast storm occurs when broadcast packets flood the LAN, creating
excessive traffic and degrading network performance. Errors in the protocol-stack implementation or in
the network configuration can cause a broadcast storm. Multicast and broadcast suppression measures
how much broadcast traffic is passing through a port and compares the broadcast traffic with some
configurable threshold value within a specific time interval. If the amount of broadcast traffic reaches
the threshold during this interval, broadcast frames are dropped and, optionally, the port is shut down.
Starting with Cisco IOS Release 12.2(40)SG, the Catalyst 4500 series switch allows suppression of
broadcast and multicast traffic on a per-port basis.
For information on configuring broadcast suppression, see Chapter 57, “Configuring Storm Control.”
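
As an added example that is not configuration from this guide (interface numbers are placeholders), the following applies the per-port suppression described above with different actions on an uplink and on an access port.

```cisco
! Added example, not from this guide. Interface numbers are placeholders.
! Uplink: count broadcast and multicast together, drop above 1% of link
! bandwidth, resume forwarding below 0.5%, and send an SNMP trap. Do not use
! the shutdown action on an uplink, or one misbehaving host can take it down.
interface TenGigabitEthernet1/1
 storm-control broadcast level 1.00 0.50
 storm-control broadcast include multicast
 storm-control action trap
!
! Access port: broadcast only, and isolate the offending host by
! err-disabling the port.
interface GigabitEthernet1/5
 storm-control broadcast level 5.00
 storm-control action shutdown
!
errdisable recovery cause storm-control
errdisable recovery interval 600
```

Check the configured levels and whether suppression is currently active with show storm-control. The thresholds are a percentage of the interface bandwidth, so a value that is harmless on a 10-Gigabit uplink can be far too permissive on a Fast Ethernet access port; size them per port role.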

uRPF Strict Mode
The uRPF feature mitigates problems caused by the introduction of malformed or forged (spoofed) IP
source addresses into a network by discarding IP packets that lack a verifiable IP source address. uRPF
deflects denial-of-service (DoS) and distributed denial-of-service (DDoS) attacks by forwarding only
packets that have source addresses that are valid and consistent with the IP routing table. This helps to
protect the network of the customer, the ISP, and the rest of the Internet. When using uRPF in strict mode,
the packet must be received on the interface that the router uses to forward the return packet. uRPF strict
mode is supported for both IPv4 and IPv6 prefixes.


For information on configuring uRPF, see Chapter 36, “Configuring Unicast Reverse Path Forwarding.”
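
The strict-mode check described above, as an added example that is not configuration from this guide (addresses and VLAN numbers are placeholders), enabled for IPv4 and IPv6 on a single-homed access VLAN.

```cisco
! Added example, not from this guide. Addresses and VLAN numbers are placeholders.
! uRPF relies on CEF, which is on by default on this platform; make it explicit.
ip cef
ipv6 unicast-routing
!
! Strict mode on a single-homed access VLAN: a packet is forwarded only when
! the best route back to its source address points out of the interface the
! packet arrived on. On an access SVI with one connected subnet that is exactly
! the case for legitimate hosts, so anything with a source outside
! 192.168.20.0/24 or 2001:db8:20::/64 is dropped before it is routed.
interface Vlan20
 ip address 192.168.20.1 255.255.255.0
 ip verify unicast source reachable-via rx
 ipv6 address 2001:db8:20::1/64
 ipv6 verify unicast source reachable-via rx
```

Enable strict mode only where routing is symmetric. On a dual-homed or transit interface the return route for a legitimate source can point out of another interface, and strict mode would drop that traffic. Verification drops are counted in show ip interface Vlan20 and summarised in show ip traffic.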

Utilities
Supported utilities include the following:

Layer 2 Traceroute
Layer 2 traceroute allows the switch to identify the physical path that a packet takes from a source device
to a destination device. Layer 2 traceroute supports only unicast source and destination MAC addresses.
For information about Layer 2 Traceroute, see Chapter 9, “Checking Port Status and Connectivity.”

Time Domain Reflectometry
Time Domain Reflectometry (TDR) is a technology used for diagnosing the state and reliability of
cables. TDR can detect open, shorted, or terminated cable states. The calculation of the distance to the
failure point is also supported.
For information about TDR, see Chapter 9, “Checking Port Status and Connectivity.”

Debugging Features
The Catalyst 4500 series switch has several commands to help you debug your initial setup. These
commands are included in the following command groups:
• platform
• debug platform
For more information, refer to the Catalyst 4500 Series Switch Cisco IOS Command Reference.

Web-based Authentication
The web-based authentication feature, known as Web Authentication Proxy, enables you to authenticate
end users on host systems that do not run the IEEE 802.1X supplicant. When the user initiates an HTTP
session, this feature intercepts ingress HTTP packets from the host and sends an HTML login page to
the user. The user enters credentials, which the web-based authentication feature sends to the AAA server
for authentication. If authentication succeeds, web-based authentication sends a Login-Successful
HTML page to the host and applies the access policies returned by the AAA server.
For information on configuring web-based authentication, see Chapter 48, “Configuring Web-Based
Authentication.”


New and Modified IOS Software Features Supported in Cisco IOS 15.2(1)E and Cisco IOS XE 3.5.0E
This section lists the new and modified software features supported in
Cisco IOS Release 15.2(1)E and Cisco IOS XE Release 3.5.0E.

New Features:

eEdge integration with MACSEC

http://www.cisco.com/en/US/docs/ios-xml/ios/san/configuration/15-e/san-macsec.html

DHCP Gleaning

http://www.cisco.com/en/US/docs/ios-xml/ios/ipaddr_dhcp/configuration/15-e/dhcp-gleaning.html

http://www.cisco.com/en/US/docs/ios-xml/ios/ipaddr_dhcp/configuration/xe-3e/dhcp-xe-3e-book.html

Service Discovery Gateway

http://www.cisco.com/en/US/docs/ios-xml/ios/ipaddr_dns/configuration/15-e/dns-15-e-book.html

802.1X support for trunk ports

http://www.cisco.com/en/US/docs/ios-xml/ios/sec_usr_8021x/configuration/15-e/config-ieee-802x-pba.html

http://www.cisco.com/en/US/docs/ios-xml/ios/sec_usr_8021x/configuration/xe-3e/sec-usr-8021x-xe-3e-book.html

Enhancements/Respins:

Commented IP Access List Entries

http://cisco.com/en/US/docs/ios-xml/ios/sec_data_acl/configuration/15-e/sec-acl-comm-ipacl.html

http://cisco.com/en/US/docs/ios-xml/ios/sec_data_acl/configuration/xe-3e/sec-acl-comm-ipacl.html

IPv6 ACL Extensions for Hop by Hop Filtering

http://cisco.com/en/US/docs/ios-xml/ios/sec_data_acl/configuration/15-e/ip6-acl-ext-hbh.html

ACL Sequence Numbering

http://cisco.com/en/US/docs/ios-xml/ios/sec_data_acl/configuration/15-e/sec-acl-seq-num.html

http://cisco.com/en/US/docs/ios-xml/ios/sec_data_acl/configuration/xe-3e/sec-acl-seq-num.html

ACL Support for Filtering IP Options


http://cisco.com/en/US/docs/ios-xml/ios/sec_data_acl/configuration/15-e/sec-acl-support-filter-ip-option.html

http://cisco.com/en/US/docs/ios-xml/ios/sec_data_acl/configuration/xe-3e/sec-acl-support-filter-ip-option.html

ACL - TCP Flags Filtering

http://cisco.com/en/US/docs/ios-xml/ios/sec_data_acl/configuration/15-e/sec-create-filter-tcp.html

http://cisco.com/en/US/docs/ios-xml/ios/sec_data_acl/configuration/xe-3e/sec-create-filter-tcp.html

ACL - Named ACL Support for Noncontiguous Ports on an Access Control Entry

http://cisco.com/en/US/docs/ios-xml/ios/sec_data_acl/configuration/15-e/sec-named-acl-support-for-noncontiguous-ports.html

http://cisco.com/en/US/docs/ios-xml/ios/sec_data_acl/configuration/xe-3e/sec-named-acl-support-for-noncontiguous-ports.html

IP Access List Entry Sequence Numbering

http://cisco.com/en/US/docs/ios-xml/ios/sec_data_acl/configuration/15-e/sec-acl-seq-num.html

http://cisco.com/en/US/docs/ios-xml/ios/sec_data_acl/configuration/xe-3e/sec-acl-seq-num.html

IOS ACL Support for filtering IP Options

http://cisco.com/en/US/docs/ios-xml/ios/sec_data_acl/configuration/15-e/sec-acl-support-filter-ip-option.html

ACL syslog Correlation

http://cisco.com/en/US/docs/ios-xml/ios/sec_data_acl/configuration/15-e/sec-acl-syslog.html

IP Named Access Control List

http://cisco.com/en/US/docs/ios-xml/ios/sec_data_acl/configuration/15-e/sec-acl-named.html

http://cisco.com/en/US/docs/ios-xml/ios/sec_data_acl/configuration/xe-3e/sec-acl-named.html

IPv6 PACL support

http://cisco.com/en/US/docs/ios-xml/ios/sec_data_acl/configuration/15-e/ip6-pacl-supp.html

Cisco Data Collection Manager

http://www.cisco.com/en/US/docs/ios-xml/ios/bsdcm/configuration/15-e/bsdcm-15-e-book.html

SNMPv3 Community MIB Support

http://www.cisco.com/en/US/docs/ios-xml/ios/snmp/configuration/15-e/snmp-15-e-book.html


http://www.cisco.com/en/US/docs/ios-xml/ios/snmp/configuration/xe-3e/snmp-xe-3e-book.html

NETCONF XML PI

http://www.cisco.com/en/US/docs/ios-xml/ios/cns/configuration/15-e/cns-15-e-book.html

IPv6 PIM Passive

http://www.cisco.com/en/US/docs/ios-xml/ios/ipmulti_pim/configuration/15-e/ip6-mcast-pim-pass.html

HSRP aware PIM

http://www.cisco.com/en/US/docs/ios-xml/ios/ipmulti_pim/configuration/15-e/imc_hsrp_aware.html

OSPFv3 ABR Type 3 LSA Filtering

http://www.cisco.com/en/US/docs/ios-xml/ios/iproute_ospf/configuration/15-e/iro-abr-type-3.html

http://www.cisco.com/en/US/docs/ios-xml/ios/iproute_ospf/configuration/15-e/iro-ospfv3-dc-ignore.html

Graceful Shutdown Support for OSPFv3

http://www.cisco.com/en/US/docs/ios-xml/ios/iproute_ospf/configuration/15-e/iro-ospfv3-gshutdown.html

OSPF Support for BFD over IPv4

http://www.cisco.com/en/US/docs/ios-xml/ios/iproute_bfd/configuration/15-e/irbfd-bfd-ospf-ipv4-supp.html

BFD - VRF Support

http://www.cisco.com/en/US/docs/ios-xml/ios/iproute_bfd/configuration/15-e/irbfd-vrf-supp.html

BFD - Static Route Support

http://www.cisco.com/en/US/docs/ios-xml/ios/iproute_bfd/configuration/15-e/irbfd-bfd-static-route-supp.html

Static Route Support for BFD over IPv6

http://www.cisco.com/en/US/docs/ios-xml/ios/iproute_bfd/configuration/15-e/ip6-bfd-static.html

BFD - EIGRP Support

http://www.cisco.com/en/US/docs/ios-xml/ios/iproute_bfd/configuration/15-e/irbfd-bfd-eigrp-supp.html

OSPFv3 BFD

http://www.cisco.com/en/US/docs/ios-xml/ios/iproute_bfd/configuration/15-e/ip6-route-bfd-ospfv3.html

Chapter 2
Command-Line Interfaces

This chapter describes the CLIs you use to configure the Catalyst 4500 series switch. This chapter
includes the following major sections:
• Accessing the Switch CLI, page 2-2
• Performing Command-Line Processing, page 2-3
• Performing History Substitution, page 2-4
• About Cisco IOS Command Modes, page 2-4
• Getting a List of Commands and Syntax, page 2-5
• ROMMON Command-Line Interface, page 2-7
• Archiving Crashfiles Information, page 2-8
• Displaying a Crash Dump for Supervisor Engine 6-E and 6L-E, page 2-8

Note For complete syntax and usage information for the switch commands used in this chapter, see the Cisco
Catalyst 4500 Series Switch Command Reference and related publications at this location:

http://www.cisco.com/en/US/products/hw/switches/ps4324/index.html

If a command is not in the Catalyst 4500 Series Switch Command Reference, you can locate it in the
Cisco IOS library. See the Cisco IOS Command Reference and related publications at this location:

http://www.cisco.com/en/US/products/ps6350/index.html

The following command changes apply only to Supervisor Engines 6-E and 6L-E:
• The rename command is supported in the FAT file system for bootflash and slot0.
• The fsck command is supported for the slot0 device. It is not supported in the file systems on
supervisor engines other than Supervisor Engine 6-E and 6L-E.
The following additional file management commands are supported on Supervisor Engine 7-E,
Supervisor Engine 7L-E, and Supervisor Engine 8-E:
• verify <filename>
• delete <filename>
• copy <source_filename> <target_filename>


Accessing the Switch CLI
The following sections describe how to access the switch CLI:
• Accessing the CLI Using the EIA/TIA-232 Console Interface, page 2-2
• Accessing the CLI Through Telnet, page 2-2

Accessing the CLI Using the EIA/TIA-232 Console Interface

Note EIA/TIA-232 was known as recommended standard 232 (RS-232) before its acceptance as a standard by
the Electronic Industries Alliance (EIA) and Telecommunications Industry Association (TIA).

Perform the initial switch configuration over a connection to the EIA/TIA-232 console interface. Refer
to the Catalyst 4500 Series Switch Module Installation Guide for console interface cable connection
procedures.
To access the switch through the console interface, perform this task:

Step 1  Switch> enable
        From the user EXEC prompt (>), enter enable to change to enable mode (also known as
        privileged mode or privileged EXEC mode).
Step 2  Password: password
        Switch#
        At the password prompt, enter the enable password. The prompt (#) appears, indicating that
        you have accessed the CLI in privileged EXEC mode.
Step 3  Switch# quit
        When you are finished executing the task commands, exit the session.

After accessing the switch through the EIA/TIA-232 interface, you see this display:
Press Return for Console prompt

Switch> enable
Password:< >
Switch#

Accessing the CLI Through Telnet

Note Before you make a Telnet connection to the switch, you must set the IP address for the switch. See the
“Configuring Physical Layer 3 Interfaces” section on page 34-12.

The switch supports up to eight simultaneous Telnet sessions. Telnet sessions disconnect automatically
after remaining idle for the period specified by the exec-timeout command.


To make a Telnet connection to the switch, perform this task:

Step 1  telnet {hostname | ip_addr}
        From the remote host, enter the telnet command and the name or IP address of the switch
        you want to access.
Step 2  Password: password
        Switch#
        At the prompt, enter the password for the CLI. If no password has been configured, press
        Return.
Step 3  Enter the necessary commands to complete your desired tasks.
Step 4  Switch# quit
        When finished, exit the Telnet session.

This example shows how to open a Telnet session to the switch:
unix_host% telnet Switch_1
Trying 172.20.52.40...
Connected to 172.20.52.40.
Escape character is '^]'.
User Access Verification
Password:< >
Switch_1> enable
Password:
Switch_1#
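
The vty lines that Telnet sessions arrive on can be restricted to a management subnet and given the idle timeout mentioned above. The following is an added example, not configuration from this guide; the addresses and the local account are placeholders.

```cisco
! Added example, not from this guide. Addresses and the local account are placeholders.
! Only hosts in the management subnet may open a session on the eight vty
! lines, and an idle session is closed after 10 minutes (exec-timeout).
ip access-list standard MGMT-HOSTS
 permit 10.0.0.0 0.0.0.255
 deny   any log
!
username admin privilege 15 secret StrongLocalPassw0rd!
!
line vty 0 7
 access-class MGMT-HOSTS in
 exec-timeout 10 0
 login local
 transport input telnet
```

Telnet carries the login and every command in cleartext, so anyone on the path can read the password shown in the session above. Where the image supports SSH, configure it and change transport input to ssh so that the same lines accept only encrypted sessions; show users lists the sessions currently open on the vty lines.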

Performing Command-Line Processing
Switch commands are not case sensitive. You can abbreviate commands and parameters if the
abbreviations contain enough letters to be different from any other currently available commands or
parameters.
You can scroll through the last 20 commands stored in the history buffer and enter or edit a command at
the prompt. Table 2-1 lists the keyboard shortcuts for entering and editing switch commands.

Table 2-1 Keyboard Shortcuts

Keystrokes                              Result
Ctrl-B or the Left Arrow key (1)        Moves the cursor back one character.
Ctrl-F or the Right Arrow key (1)       Moves the cursor forward one character.
Ctrl-A                                  Moves the cursor to the beginning of the command line.
Ctrl-E                                  Moves the cursor to the end of the command line.
Esc-B                                   Moves the cursor back one word.
Esc-F                                   Moves the cursor forward one word.

(1) The Arrow keys function only on ANSI-compatible terminals, such as VT100s.


Performing History Substitution
The history buffer stores the last 20 command lines you entered. History substitution enables you to
access these command lines without retyping them. Table 2-2 lists the history substitution commands.

Table 2-2 History Substitution Commands

Command                              Purpose
Ctrl-P or the Up Arrow key (1)       Recalls commands in the history buffer, beginning with the most
                                     recent command. Repeat the key sequence to recall older commands
                                     successively.
Ctrl-N or the Down Arrow key (1)     Returns to more recent commands in the history buffer after
                                     commands have been recalled with Ctrl-P or the Up Arrow key.
                                     Repeat the key sequence to recall more recent commands.
Switch# show history                 Lists the last several commands you have entered in EXEC mode.

(1) The Arrow keys function only on ANSI-compatible terminals such as VT100s.

About Cisco IOS Command Modes
Note For complete information about Cisco IOS command modes, refer to the Cisco IOS Configuration
Fundamentals Configuration Guide and the Cisco IOS Configuration Fundamentals Command
Reference at the following URLs:

http://www.cisco.com/en/US/docs/ios/12_2/configfun/configuration/guide/ffun_c.html

http://www.cisco.com/en/US/docs/ios/fundamentals/command/reference/cf_book.html

The Cisco IOS user interface has many different modes: user EXEC, privileged EXEC (enable), global
configuration, interface, subinterface, and protocol-specific. The commands available to you depend on
which mode you are in. To get a list of the commands in a given mode, enter a question mark (?) at the
system prompt. See the “Getting a List of Commands and Syntax” section on page 2-5 for more
information.
When you start a session on the switch, you begin in user mode, also called user EXEC mode. Only a
small subset of commands is available in user EXEC mode. To have access to all commands, you must enter
privileged EXEC mode, also called enable mode. To access the privileged EXEC mode, you must enter
a password. When you are in the privileged EXEC mode, you can enter any EXEC command or access
global configuration mode. Most EXEC commands are one-time commands, such as show commands,
which display the current configuration status, and clear commands, which reset counters or interfaces.
The EXEC commands are not saved when the switch is rebooted.
The configuration modes allow you to make changes to the running configuration. If you save the
configuration, these commands are stored when you reboot the switch. You must start in global
configuration mode. From global configuration mode, you can enter interface configuration mode,
subinterface configuration mode, and a variety of protocol-specific modes.


You use a separate mode called ROMMON when the switch cannot boot up properly. For example, the
switch might enter ROMMON mode if it does not find a valid system image when it is booting, or if its
configuration file is corrupted. For more information, see the “ROMMON Command-Line Interface”
section on page 2-7.
Table 2-3 lists and describes frequently used Cisco IOS modes.

Table 2-3 Frequently Used Cisco IOS Command Modes

User EXEC
  What you use it for: connect to remote devices, change terminal settings on a temporary basis,
  perform basic tests, and display system information.
  How to access: log in.
  Prompt: Switch>

Privileged EXEC (enable)
  What you use it for: set operating parameters. The privileged command set includes the commands
  in user EXEC mode, as well as the configure command. Use the configure command to access the
  other command modes.
  How to access: from user EXEC mode, enter the enable command and the enable password (if a
  password has been configured).
  Prompt: Switch#

Global configuration
  What you use it for: configure features that affect the system as a whole, such as the system
  time or switch name.
  How to access: from privileged EXEC mode, enter the configure terminal command.
  Prompt: Switch(config)#

Interface configuration
  What you use it for: enable or modify the operation of a 10-Gigabit Ethernet, Gigabit Ethernet,
  or Fast Ethernet interface with interface commands.
  How to access: from global configuration mode, enter the interface type location command.
  Prompt: Switch(config-if)#

Console configuration
  What you use it for: configure the console interface, from the directly connected console or
  from a virtual terminal used with Telnet.
  How to access: from global configuration mode, enter the line console 0 command.
  Prompt: Switch(config-line)#

The Cisco IOS command interpreter, called the EXEC, interprets and runs the commands you enter. You
can abbreviate commands and keywords by entering just enough characters to make the command unique
from other commands. For example, you can abbreviate the show command to sh and the configure
terminal command to config t.
When you type exit, the switch backs out one level. To exit configuration mode completely and return
to privileged EXEC mode, press Ctrl-Z.

Getting a List of Commands and Syntax
In any command mode, you can get a list of available commands by entering a question mark (?).
Switch> ?

To obtain a list of commands that begin with a particular character sequence, enter those characters
followed by the question mark (?). Do not include a space before the question mark. This form of help
is called word help, because it completes a word for you.


To list keywords or arguments, enter a question mark in place of a keyword or argument. Include a space
before the question mark. This form of help is called command syntax help, because it reminds you
which keywords or arguments are applicable based on the command, keywords, and arguments you have
already entered.
Switch# configure ?
memory Configure from NV memory
network Configure from a TFTP network host
overwrite-network Overwrite NV memory from TFTP network host
terminal Configure from the terminal
<cr>

To redisplay a command you previously entered, press the Up Arrow key or Ctrl-P. You can continue
to press the Up Arrow key to see the last 20 commands you entered.

Tip If you are having trouble entering a command, check the system prompt and enter the question mark (?)
for a list of available commands. You might be in the wrong command mode or using incorrect syntax.

Type exit to return to the previous mode. Press Ctrl-Z or enter the end command in any mode to
immediately return to privileged EXEC mode.

Virtual Console for Standby Supervisor Engine
Catalyst 4500 series switches can be configured with two supervisor engines to provide redundancy. When
the switch is powered on, one of the supervisor engines becomes active and remains active until a
switchover occurs. The other supervisor engine remains in standby mode.
Each supervisor engine has its own console port. Access to the standby supervisor engine is possible
only through the console port of the standby supervisor engine. You must connect to the standby console
to access, monitor or debug the standby supervisor.
Virtual Console for Standby Supervisor Engine enables you to access the standby console from the active
supervisor engine without requiring a physical connection to the standby console. It uses IPC over
EOBC to communicate with the standby supervisor engine and thus emulate the standby console on the
active supervisor engine. Only one standby console session can be active at any time.
The virtual console for standby supervisor engine enables users who are logged onto the active
supervisor engine to remotely execute show commands on the standby supervisor engine and view the
results on the active supervisor engine. Virtual console is available only from the active supervisor
engine.
You can access the standby virtual console from the active supervisor engine with the attach module,
session module, or remote login commands on the active supervisor engine. You must be in privileged
EXEC mode (level 15) to run these commands and access the standby console.
Once you enter the standby virtual console, the terminal prompt automatically changes to
hostname-standby-console#, where hostname is the configured name of the switch. The prompt is
restored back to the original prompt when you exit the virtual console.
You exit the virtual console with the exit or quit commands. When the inactivity period of the terminal
on the active supervisor engine where you logged in exceeds the configured idle time, you are
automatically logged out of the terminal on the active supervisor engine. In this case, the virtual console
session is also terminated. Virtual console session is also automatically terminated when the standby is
rebooted. After the standby boots up, you need to create another virtual console session.


To log in to the standby supervisor engine using a virtual console, enter the following command:
Switch# session module 2
Connecting to standby virtual console
Type "exit" or "quit" to end this session
Switch-standby-console# exit

If the standby console is not enabled, the following message appears:
Switch-standby-console#
Standby console disabled.
Valid commands are: exit, logout

A virtual session to the standby console is not available when the redundancy mode is RPR:
Switch# session module 2
IPC server port name IFConsoleServer:2 not registered on standby.
Secondary cannot be accessed by virtual console

Note The standby virtual console provides the standard features that are available from the supervisor console
such as command history, command completion, command help and partial command keywords.

The following limitations apply to the standby virtual console:
• All commands on the virtual console run to completion. It does not provide the auto-more feature;
it behaves as if the terminal length 0 command has been executed. An executing command cannot be
interrupted or aborted by any key sequence on the active supervisor engine. If a command produces
considerable output, the virtual console displays all of it on the supervisor screen.
• The virtual console is noninteractive. Because the virtual console does not detect the interactive
nature of a command, any command that requires user interaction causes the virtual console to wait
until the RPC timer aborts the command.
• The virtual console timer is set to 60 seconds. The virtual console returns to its prompt after 60
seconds. During this time, you cannot abort the command from the keyboard. You must wait for the
timer to expire before you continue.
• You cannot use virtual console to view debug and syslog messages that are being displayed on the
standby supervisor engine. The virtual console only displays the output of commands that are
executed from the virtual console. Other information that is displayed on the real standby console
does not appear on the virtual console.

ROMMON Command-Line Interface
ROMMON is a ROM-based program that is invoked at power-up or reset, or when a fatal exception error
occurs. The switch enters ROMMON mode if it does not find a valid software image, if the NVRAM
configuration is corrupted, or if the configuration register is set to enter ROMMON mode. From ROMMON
mode, you can load a software image manually from flash memory, from a network server file, or from
bootflash.
You can also enter ROMMON mode by restarting the switch and pressing Ctrl-C during the first five
seconds of startup. Anyone with a console connection can do this and then change the configuration
register, so treat physical console access as privileged access to the switch.

Note Ctrl-C is always enabled for 60 seconds after you reboot the switch, even if Ctrl-C is configured to be
off in the configuration register settings.


When you enter ROMMON mode, the prompt changes to rommon 1>. Use the ? command to see the
available ROMMON commands.
For more information about the ROMMON commands, refer to the Cisco IOS Command Reference.

Archiving Crashfiles Information
This feature allows you to archive crashinfo files (otherwise overwritten if another system reset were to
happen first to the bootflash). Having access to archived crashinfo data greatly assists in troubleshooting.
To archive crashinfo files, perform this task:

Step 1  Switch# configure terminal
        Enters global configuration mode.
Step 2  Switch(config)# exception crashinfo file bootflash:name
        Enables archiving of crashinfo files to bootflash. The files are stored in bootflash with the
        specified name concatenated with the date.
Step 3  Switch(config)# end
        Returns to privileged EXEC mode.
Step 4  Switch# show running-config
        Verifies your entries.
Step 5  Switch# copy running-config startup-config
        (Optional) Saves your entries in the configuration file.

Displaying a Crash Dump for Supervisor Engine 6-E and 6L-E
A crash dump provides the following information:
• Malloc or free traces
• Chunk alloc/free traces
• Process block dump
• Register memory dump
• Current proc stack partial decode
• Interrupt level stack
• Last 128 memory block dump
To display a crash dump, do the following:
Switch# show platform crashdump

Current Time: 9/6/2010 15:47:21

Last Power Failure: 09/06/2010 15:03:28
Last Reload Status: 00002000
Last Software Reset State: 00000000

Crashdump version: 1

Last crash: 09/06/2010 06:21:58

Build: 12.2(20100723:074204) ENTSERVICES
buildversion addr: 14847D24

========= Context ======================
pc=10999E70 lr=10999E34 msr=02029230 vector=00000600
cr=20004022 ctr=108EC3EC xer=00000000
r0=10999E34 r1=2421F930 r2=0000001E r3=234BBFD8
r4=0000000A r5=00000000 r6=2421F918 r7=00000000
r8=00000000 r9=00000000 r10=14850000 r11=234BBFD4
r12=EB93A100 r13=B4E9F3F3 r14=10CD0984 r15=00000000
r16=156CA504 r17=156CA504 r18=00000001 r19=00000000
r20=00000000 r21=00000000 r22=00000000 r23=00000000
r24=00000000 r25=00000000 r26=00000000 r27=00000000
r28=15870804 r29=00000000 r30=14850000 r31=00000000
dec=00083695 tbu=00000002 tbl=2A7D42DA
dar=80210020 dsisr=80210020 hid0=80004000

Traceback: 10999E70 11B430B8 10C84444 10C83338 11BE0C5C 10C93874 10C93D78 10C94140
10C992EC 10CD155C 1099BCFC 10992CEC

========= Stack frames ======================
Frame 1: pc=11B430B8 stack=2421F940
Frame 2: pc=10C84444 stack=2421F948
Frame 3: pc=10C83338 stack=2421F9B0
Frame 4: pc=11BE0C5C stack=2421F9E8
Frame 5: pc=10C93874 stack=2421FA00
Frame 6: pc=10C93D78 stack=2421FA18
Frame 7: pc=10C94140 stack=2421FA48
Frame 8: pc=10C992EC stack=2421FA58
Frame 9: pc=10CD155C stack=2421FA70
Frame 10: pc=1099BCFC stack=2421FB08
Frame 11: pc=10992CEC stack=2421FB10

========= Pushed stack ======================
2421F930: 2421F940 10999E34 2421F940 15868B74
2421F940: 2421F948 11B430B8 2421F9B0 10C84444
2421F950: 2421F978 00000000 00000000 00000000
2421F960: 00000000 2421F9C0 00000000 240CC3C8
2421F970: 2421F990 11AE7394 00000006 FFFFFFFF
2421F980: 00000000 00000000 00000000 14BE0000
2421F990: 00000000 00000000 00000000 00000000
2421F9A0: 00000001 00000000 15868B74 15868B74
2421F9B0: 2421F9E8 10C83338 00000000 00000000
2421F9C0: 00000071 15868B74 156CA328 13794ACD
2421F9D0: 00000000 00000001 00000000 1511A790
2421F9E0: 2366B680 15868B74 2421FA00 11BE0C5C
2421F9F0: 156CA328 156CA328 2366B680 15868B74
2421FA00: 2421FA18 10C93874 2421FA20 00000000
2421FA10: 00000000 2366B628 2421FA48 10C93D78
2421FA20: 2421FA58 10C95370 00000000 11BB0A98
2421FA30: 00000000 00000000 15868B74 00000000
2421FA40: 00000000 15868B74 2421FA58 10C94140
2421FA50: 00000003 15868B74 2421FA70 10C992EC
2421FA60: 00000000 00000000 00000000 156CA328
2421FA70: 2421FB08 10CD155C 0DFFFFFF FFFFFFFF
2421FA80: FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF
2421FA90: FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF
2421FAA0: FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF
2421FAB0: 00000001 FFFFFFFF FFFFFFFF FFFFFFFF
2421FAC0: FFFFFFFF 00000000 00000000 00000000
2421FAD0: 00000000 00000000 00000000 00000000
2421FAE0: 00000000 00000000 00000000 00000000

2421FAF0: 00000000 00000000 00000000 00000000
2421FB00: 00000000 00000000 2421FB10 1099BCFC
2421FB10: 00000000 10992CEC FFFFFFFF

========= Popped stack ======================
2421F730: E8000800 151B1AB0 2421F748 132BBFA8
2421F740: 000E8000 151B1AB0 2421F760 132BC0D0
2421F750: 000E8000 00009B0A E8000800 151B1AB0
2421F760: 2421F778 132BC2A0 E8000800 00009B0A
2421F770: 00000800 153B1B7C 2421F790 123FAF28
2421F780: 2421F790 00000000 0000000A 151B17E4
2421F790: 2421F798 123FB2BC 2421F7B0 11C12A90
2421F7A0: 00009B0A 11C12880 0000000A 146C0000
2421F7B0: 2421F7C0 11BA7384 00000000 146B0000
2421F7C0: 2421F7D0 11AD3144 0000000A 0000000A
2421F7D0: 2421F7D8 11C10390 2421F7E0 11BB0424
2421F7E0: 2421F7F0 11BB04E4 2433FCD4 FFFFFFFE
2421F7F0: 2421F800 107CF880 7FFFFFFF FFFFFFFE
2421F800: 2421F8A8 107CCDF0 20637261 73686475
2421F810: 6D700000 00000000 2421F840 00000000
2421F820: 2421F8B0 00000000 0000004A 002E8A00
2421F830: 39760000 0000004A 00000000 2433FCF0
2421F840: 2421F848 2433FCF0 00000000 11A12ACC
2421F850: 13CD617C 10C7DAAC 00000000 2421F8AC
2421F860: 10CD0984 00000000 156CA504 156CA504
2421F870: 00000001 00000000 00000000 00000000
2421F880: 00000000 00000000 00000000 00000000
2421F890: 00000000 00000000 15870804 00000000
2421F8A0: 14850000 FFFFFFFE 2421F930 107CFC7C
2421F8B0: 2421F8C8 14BB1760 00000002 00000000
2421F8C0: 2421F930 14620E40 24330AB4 0000004A
2421F8D0: 00000000 00000000 2421F8E8 10C1FD9C
2421F8E0: 2421F8F8 00000000 00000000 00000000
2421F8F0: 15868B74 15868B74 2421F910 117CF5C0
2421F900: 2421F968 1586A45C 2421F920 15868B74
2421F910: 2421F918 00000000 14850000 00000000
2421F920: 2421F930 10999978 2421F930 00000000

========= Malloc and Free Traces=====================

MallocFree Trace: ixmallocfree=0x2C ptr=0x151A40D8
151A3F78: 2366B628 11AF1144 2366B628 11AF1348 2366B66C 60000024 2447A940 11AF1350
151A3F98: 2447A940 30000018 2447A940 11AF1110 2366B628 4000000E 2366B628 11AF1144
151A3FB8: 2366B628 11AF1348 2366B66C 60000024 2447A940 11AF1350 2447A940 30000018
151A3FD8: 2447A940 11AF1110 2366B628 4000000E 2366B628 11AF1144 2366B628 11AF1348
151A3FF8: 2366B66C 60000024 2447A940 11AF1350 2447A940 30000018 2447A940 11AF1110
151A4018: 2366B628 4000000E 2366B628 11AF1144 2366B628 11AF1348 2366B66C 60000024
151A4038: 2447A940 11AF1350 22FAC944 119F6CC0 22FACF4C 6000005E 2433FCD4 40000046
151A4058: 2433FCD4 11A31DD4 2433FCD4 11A32370 2433FD88 6000005E 2447A940 30000018
151A4078: 2447A940 107D7294 2366B628 40000018 2366B628 10C9533C 2366B680 3000001A
151A4098: 2366B680 10C9536C 2433FCD4 4000000E 2433FCD4 10C7DAAC 2433FCD4 10C7DB90
151A40B8: 2433FD18 60000096 2433FCD4 4000000E 2433FCD4 10E28604 2433FCD4 10E287BC
151A40D8: 2433FD18 60000096 2366B66C 60000024 2447A940 11AF1350 2447A940 30000018
151A40F8: 2447A940 11AF1110 2366B628 4000000E 2366B628 11AF1144 2366B628 11AF1348
151A4118: 2366B66C 60000024 2447A940 11AF1350 2447A940 30000018 2447A940 11AF1110
151A4138: 2366B628 4000000E 2366B628 11AF1144 2366B628 11AF1348 2366B66C 60000024
151A4158: 2447A940 11AF1350 2447A940 30000018 2447A940 11AF1110 2366B628 4000000E

========= Chunk Malloc and Chunk Free Traces=====================

151A3B78: 238928B8 11A32D70 11A34618 238928B8 11A3187C 11A34618
151A3B60: 15866F0C 10C7FF20 10C7F104 1586FBF0 10C7FE38 10C7F17C

151A3B48: 1586D760 10C7FE38 10C7F17C 1586FF98 10C7FE38 10C7F17C
151A3B30: 1586D760 10C84B24 10C7F17C 1586D760 10C7FE38 10C7F17C
151A3B18: 1586FF98 10C84B24 10C7F17C 1586FF98 10C7FE38 10C7F17C
151A3B00: 1586D760 10C84B24 10C7F17C 1586D760 10C7FE38 10C7F17C
151A3AE8: 1586FF98 10C84B24 10C7F17C 1586FF98 10C7FE38 10C7F17C
151A3AD0: 1586D760 10C84B24 10C7F17C 1586FBF0 10C84B24 10C7F17C
151A3AB8: 1586FBF0 10C7FE38 10C7F17C 1586D760 10C7FE38 10C7F17C
151A3AA0: 1586FBF0 10C84B24 10C7F17C 1586FBF0 10C7FE38 10C7F17C
151A3A88: 15870340 10C7FE38 10C7F17C 1586FBF0 10C84B24 10C7F17C
151A3A70: 1586D760 10C84B24 10C7F17C 1586D760 10C7FE38 10C7F17C
151A3A58: 1586FBF0 10C7FE38 10C7F17C 1586D760 10C84B24 10C7F17C
151A3A40: 1586D760 10C7FE38 10C7F17C 1586FBF0 10C84B24 10C7F17C
151A3A28: 1586FBF0 10C7FE38 10C7F17C 1586D760 10C84B24 10C7F17C
151A3A10: 15870340 10C84B24 10C7F17C 15870340 10C7FE38 10C7F17C
151A39F8: 1586D760 10C7FE38 10C7F17C 15870340 10C84B24 10C7F17C
151A39E0: 15870340 10C7FE38 10C7F17C 1586D760 10C84B24 10C7F17C
151A39C8: 1586D760 10C7FE38 10C7F17C 15870340 10C84B24 10C7F17C
151A39B0: 15870340 10C7FE38 10C7F17C 1586D760 10C84B24 10C7F17C
151A3998: 1586D760 10C7FE38 10C7F17C 15870340 10C84B24 10C7F17C
151A3980: 15870340 10C7FE38 10C7F17C 1586D760 10C84B24 10C7F17C
151A3968: 1586D760 10C7FE38 10C7F17C 15870340 10C84B24 10C7F17C
151A3950: 15870340 10C7FE38 10C7F17C 1586D3B8 10C7FE38 10C7F17C
151A3938: 15870340 10C84B24 10C7F17C 1586D760 10C84B24 10C7F17C
151A3920: 1586D760 10C7FE38 10C7F17C
151A3C14: 15870340 10C7FE38 10C7F17C 1586D760 10C84B24 10C7F17C
151A3BFC: 1586D3B8 10C84B24 10C7F17C 1586D3B8 10C7FE38 10C7F17C
151A3BE4: 1586D760 10C7FE38 10C7F17C 1586D3B8 10C84B24 10C7F17C
151A3BCC: 15870340 10C84B24 10C7F17C 15870340 10C7FE38 10C7F17C
151A3BB4: 1586D3B8 10C7FE38 10C7F17C 15870340 10C84B24 10C7F17C
151A3B9C: 1586D760 10C84B24 10C7F17C 1586D760 10C7FE38 10C7F17C
151A3B84: 15870340 10C7FE38 10C7F17C

========= Process Level Info ==================

---- Current Process Block (at 0x24330AB4) ----

24330A8C: AB1234CD 710000 24330AB4 13DF55F0 11A2F280 24330D48 24330A5C 8000014A
24330AAC: 1 10530DC4 242110BC 1582AAAC 156CA328 10CD0984 0 156CA504
24330ACC: 156CA504 6 FFFFFFFF 1 2421FA78 13D2A3E0 FF 0
24330AEC: 1 13D2A3E0 2421FA78 24330AB4 14BE0000 156CA328 107D4240 40004024
24330B0C: 11A3C6A4 2029230 0 0 0 0 0 10100
24330B2C: 0 1000000 0 0 0 71 0 0
24330B4C: 0 25610 2350 320BC 0 0 0 0
24330B6C: 0 2035F 0 156CA328 0 2210B 0 2210B
24330B8C: 0 13 0 13D42FC4 4 1 15E 1
24330BAC: 0 0 0 EA60 EA60 156CA328 0 0
24330BCC: 0 0 0 0 0 24330AB4 151A5708 0
24330BEC: 0 0 149A2408 0 0 0 420A 0
24330C0C: 0 0 24330BEC 0 0 0 4290 24330AB4
24330C2C: 0 0 0 0 24330BEC 24330AB4 0 0
24330C4C: 142D2 0 0 0 24330BEC 24330AB4 0 0
24330C6C: 242D2 0 0 0 0 0 0 24325EB4
24330C8C: 0 0 0 0 0 0 0 0
24330CAC: 0 24325F14 24330C9C 24325EBC 0 151A6450 0 0
24330CCC: 0 0 0 FFFFFFF FFFFFFF 0 0 0
24330CEC: 0 0 0 0 0 23EFC15C 0 0
24330D0C: 32 0 0 0 0 0 0 0
24330D2C: 0 0 0 0 BEEFCAFE 0

---- Partial decode of process block ----

Pid 113: Process "Exec" stack 0x242110BC savedsp 0x1582AAAC

Flags: analyze crashblock on_old_queue
Status 0x00000000 Orig_ra 0x00000000 Routine 0x00000000 Signal 0
Caller_pc 0x00000000 Callee_pc 0x00000000 Dbg_events 0x00000000 State 0
Totmalloc 153104 Totfree 9040 Totgetbuf 0
Totretbuf 0 Edisms 0x0 Eparm 0x156CA328
Elapsed 0x0 Ncalls 0x13 Ngiveups 0x0
Priority_q 4 Ticks_5s 1 Cpu_5sec 0 Cpu_1min 0
Cpu_5min 0 Stacksize 0xEA60 Lowstack 0xEA60
Ttyptr 0x156CA328 Mem_holding 0x320BC Thrash_count 0
Wakeup_reasons 0x0FFFFFFF Default_wakeup_reasons 0x0FFFFFFF
Direct_wakeup_major 0x00000000 Direct_wakeup_minor 0x00000000

Regs R14-R31, CR, PC, MSR at last suspend; R3 from proc creation, PC unused:
R3 : 156CA328 R14: 10CD0984 R15: 00000000 R16: 156CA504 R17: 156CA504
R18: 00000006 R19: FFFFFFFF R20: 00000001 R21: 2421FA78 R22: 13D2A3E0
R23: 000000FF R24: 00000000 R25: 00000001 R26: 13D2A3E0 R27: 2421FA78
R28: 24330AB4 R29: 14BE0000 R30: 156CA328 R31: 107D4240 CR: 40004024
PC : 11A3C6A4 MSR: 02029230

---- Current Process Stack (0x714 bytes used, out of 0xEA60 available) ----

Current SP = 0x2421F930, saved SP = 0x1582AAAC

2421F71C: 1A 2421F918 0 FFFFFFFF 151B1AB0 E8000800 151B1AB0 2421F748
2421F73C: 132BBFA8 E8000 151B1AB0 2421F760 132BC0D0 E8000 9B0A E8000800
2421F75C: 151B1AB0 2421F778 132BC2A0 E8000800 9B0A 800 153B1B7C 2421F790
2421F77C: 123FAF28 2421F790 0 A 151B17E4 2421F798 123FB2BC 2421F7B0
2421F79C: 11C12A90 9B0A 11C12880 A 146C0000 2421F7C0 11BA7384 0
2421F7BC: 146B0000 2421F7D0 11AD3144 A A 2421F7D8 11C10390 2421F7E0
2421F7DC: 11BB0424 2421F7F0 11BB04E4 2433FCD4 FFFFFFFE 2421F800 107CF880 7FFFFFFF
2421F7FC: FFFFFFFE 2421F8A8 107CCDF0 20637261 73686475 6D700000 0 2421F840
2421F81C: 0 2421F8B0 0 4A 2E8A00 39760000 4A 0
2421F83C: 2433FCF0 2421F848 2433FCF0 0 11A12ACC 13CD617C 10C7DAAC 0
2421F85C: 2421F8AC 10CD0984 0 156CA504 156CA504 1 0 0
2421F87C: 0 0 0 0 0 0 0 15870804
2421F89C: 0 14850000 FFFFFFFE 2421F930 107CFC7C 2421F8C8 14BB1760 2
2421F8BC: 0 2421F930 14620E40 24330AB4 4A 0 0 2421F8E8
2421F8DC: 10C1FD9C 2421F8F8 0 0 0 15868B74 15868B74 2421F910
2421F8FC: 117CF5C0 2421F968 1586A45C 2421F920 15868B74 2421F918 0 14850000
2421F91C: 0 2421F930 10999978 2421F930 0 2421F940 10999E34 2421F940
2421F93C: 15868B74 2421F948 11B430B8 2421F9B0 10C84444 2421F978 0 0
2421F95C: 0 0 2421F9C0 0 240CC3C8 2421F990 11AE7394 6
2421F97C: FFFFFFFF 0 0 0 14BE0000 0 0 0
2421F99C: 0 1 0 15868B74 15868B74 2421F9E8 10C83338 0
2421F9BC: 0 71 15868B74 156CA328 13794ACD 0 1 0
2421F9DC: 1511A790 2366B680 15868B74 2421FA00 11BE0C5C 156CA328 156CA328 2366B680
2421F9FC: 15868B74 2421FA18 10C93874 2421FA20 0 0 2366B628 2421FA48
2421FA1C: 10C93D78 2421FA58 10C95370 0 11BB0A98 0 0 15868B74
2421FA3C: 0 0 15868B74 2421FA58 10C94140 3 15868B74 2421FA70
2421FA5C: 10C992EC 0 0 0 156CA328 2421FB08 10CD155C DFFFFFF
2421FA7C: FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF
2421FA9C: FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF 1 FFFFFFFF FFFFFFFF
2421FABC: FFFFFFFF FFFFFFFF 0 0 0 0 0 0
2421FADC: 0 0 0 0 0 0 0 0
2421FAFC: 0 0 0 2421FB10 1099BCFC 0 10992CEC FFFFFFFF

========= Interrupt Level Stack Dump ==========

---- Level 1 Interrupt stack (0x0 bytes used, out of 0x2328 available) ----

intstacks[1]: base 0x156DB3D8 stack 0x156DD6F8 routine 0x0 count 0x0
size 0x2328 low 0x2328 desc 0x156BE7D0

---- Level 2 Interrupt stack (0x3F8 bytes used, out of 0x2328 available) ----

intstacks[2]: base 0x156D90B0 stack 0x156DB3D0 routine 0x0 count 0x2
size 0x2328 low 0x2328 desc 0x156C0C78

156DAFE0: 156DAFE8 FFFFFFFF 156DB020 119E1374 0 B6B8 0 B6F4
156DB000: 156DB020 16035650 156DB0E0 0 2DAE 4 1 16031964
156DB020: 156DB028 119E15BC 156DB050 119E1670 0 B6B8 0 1E3
156DB040: 2DAE 1603191C 156DB050 1603190C 156DB0D0 11BB458C FFFFFFFF FFFFFFFF
156DB060: 0 1E3 16002438 1603191C 1CCB58E0 64 0 2DAE
156DB080: 0 B6B8 FFFFFFFF FFFFFFFF FFFFFFFF 137B49A8 1603560C 160355D0
156DB0A0: 14BABC00 B9DE8DC0 156DB128 0 1C703D84 17F1C788 0 11
156DB0C0: 0 156DB138 160355D0 156DB128 156DB100 11EBBCDC 0 11
156DB0E0: 1CCB58E0 64 156DB110 2DAE 14BAC400 156DB220 17B7B610 0
156DB100: 90040008 151B1AB0 0 151B1AB0 156DB120 132BBFA8 90040 122C3E40
156DB120: 156DB138 132BC0D0 1CCB58E0 0 0 151B1AB0 156DB150 132BCC08
156DB140: 0 156DB240 156DB158 10 156DB1C0 15 156DB170 129ADCC4
156DB160: 156DB170 11 156DB1E0 16 156DB3B0 122BF51C FFFFFFFF FFFFFFFF
156DB180: FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF
156DB1A0: FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF
156DB1C0: 0 2000000 0 7FFFFFFF 0 0 FFFFFFFF FFFFFFFF
156DB1E0: 0 20001FF 0 7FFFFFFF 0 0 FFFFFFFF FFFFFFFF
156DB200: 10100 1F4 1F4 77359400 3 2 16 3D
156DB220: 294 294 294 0 0 2 2 1
156DB240: 80000 0 0 FF 0 0 FFFFFFFF FFFFFFFF
156DB260: 0 1EB 0 1FF 0 0 FFFFFFFF FFFFFFFF
156DB280: FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF
156DB2A0: FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF
156DB2C0: FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF
156DB2E0: 0 FFFFF FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF
156DB300: FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF
156DB320: FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF
156DB340: FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF
156DB360: 15FFFFFF 10 10 10 10 FFFFFFFF FFFFFFFF FFFFFFFF
156DB380: FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF 0 14BE0000 146CF310
156DB3A0: 146D0000 14620E80 4 1C7061FC 156DB3C0 132DE01C FFFFFFFF 2
156DB3C0: 156DB3C8 132DDD84 14BAE470 11C0DCD0 FFFFFFFF FFFFFFFF

---- Level 3 Interrupt stack (0x350 bytes used, out of 0x2328 available) ----

intstacks[3]: base 0x156D6D88 stack 0x156D90A8 routine 0x0 count 0x995
size 0x2328 low 0x2328 desc 0x156BE924

156D8D60: 156D8D68 FFFFFFFF 156D8DA0 119E1374 0 21EEB 0 21EE4
156D8D80: 0 1 1 160BA724 0 0 156D8DA0 160BA85C
156D8DA0: 156D8DD8 119E1E40 156D8DB0 1 1603560C 156D8F38 160029D8 16035650
156D8DC0: 1 4 0 22030 156D8DD8 160A5670 156D8DF8 119E1F74
156D8DE0: 156D8DF8 4 156D8E08 160BA85C 156D8E08 4 4 160BA85C
156D8E00: 156D8E08 160BA724 156D8E38 11A312A8 156D8E30 119DF688 156D8E30 16035650
156D8E20: 0 16002CA8 156D8E50 16002F78 156D8E50 119DFBD8 0 8E12
156D8E40: 0 156D8F38 156D8E50 1603148C 156D8ED0 11BB458C 156D8E60 1603148C
156D8E60: 0 8E12 16002CA8 156D8F38 1C6FF080 64 0 0
156D8E80: 156D8E90 156D8EE0 156D8E90 1C6FEF9C 156D8ED0 13B40000 14370000 14BC97D0
156D8EA0: 156D8F28 2980A1B9 156D8ED0 84D7317 0 0 1C6FEFAC 0
156D8EC0: 84D7317 1C6FEED4 0 153B1DA4 156D8ED8 11EBBCDC 156D8EE0 11C0C254
156D8EE0: 156D8EF8 132F05E0 2 2980A460 156D8EF8 84D7317 156D8F00 132EFB10
156D8F00: 156D8F18 132B19FC 84D7317 1C6FEED4 0 84D7317 156D8F90 132B1EEC
156D8F20: 0 84D6D76 1C6FF080 64 0 0 0 8E12
156D8F40: 16002CA8 156D8F38 14BE0000 13FD0000 138A0000 160BA4B0 160BA4B0 160BA4B0
156D8F60: 14BABC00 2980A1B9 137C0000 13F50000 14BAC400 0 14BE0000 0
156D8F80: 84D7317 1C6FEED4 0 84D7317 156D8FA8 132B2448 156D8FA0 156D8FB8
156D8FA0: 156D8FA8 11BBE798 156D9030 132B0C9C 156D8FB8 11BBE798 0 7530
156D8FC0: 0 2EE0 0 1 FFFFFFFF FFFFFFFF 4B354370 754D616E

156D8FE0: 20526576 69657700 0 0 0 0 0 0
156D9000: 0 0 1ADBEEF 1896AD90 156D9030 0 0 146CF310
156D9020: 146D0000 14620EA0 D 1893E4BC 156D9038 134D23A4 156D9058 12023A6C
156D9040: 0 1B1DDC40 156D9050 40 D 1B1DDC40 156D9080 11ED3534
156D9060: 40 132D6244 0 14620EA0 146D0000 14620EA0 D 22D85610
156D9080: 156D9088 133C43C8 156D9098 132DE01C FFFFFFFF 3 156D90A0 132DDE4C
156D90A0: 14BAE470 11C0DCD0 FFFFFFFF FFFFFFFF

---- Level 4 Interrupt stack (0x348 bytes used, out of 0x2328 available) ----

intstacks[4]: base 0x156D4A60 stack 0x156D6D80 routine 0x0 count 0x8376
size 0x2328 low 0x2328 desc 0x156BEA78

156D6A40: 156D6A48 FFFFFFFF 156D6A80 119E1374 0 21E4B 0 21E48
156D6A60: FFFFFFFF 1 1 160BA724 0 0 156D6A80 160BA85C
156D6A80: 156D6AB8 119E1E40 FFFFFFFF 1 1603560C 156D6C18 16002938 16035650
156D6AA0: 1 4 0 21F90 156D6AB8 160A5670 156D6AD8 119E1F74
156D6AC0: 156D6AD8 4 4 160BA85C 156D6AD8 160BA724 156D6B08 11A312A8
156D6AE0: 156D6B00 119DF688 156D6BC0 16035650 0 156C504C 1 160BA724
156D6B00: 156D6B08 156C8B5C 156D6B30 11A31B54 156D6B30 119DFBD8 0 8DCE
156D6B20: 0 1603129C 156D6B30 1603128C 156D6BB0 11BB458C FFFFFFFF FFFFFFFF
156D6B40: 0 8DCE 160028E8 1603129C 1BB124AC 64 0 0
156D6B60: 0 1A68C FFFFFFFF FFFFFFFF FFFFFFFF 13B40000 14370000 14BC97D0
156D6B80: 156D6C08 28E47C74 156D6BB0 84B1B7D 0 0 1BB123D8 0
156D6BA0: 84B1B7D 1BB12300 0 153B1DA4 156D6BB8 11EBBCDC 156D6BC0 11C0C254
156D6BC0: 156D6BD8 132F05E0 2 28E47EC0 156D6BD8 84B1B7D 156D6BE0 132EFB10
156D6BE0: 156D6BF8 132B19FC 84B1B7D 1BB12300 0 84B1B7D 156D6C70 132B1EEC
156D6C00: FFFFFFFF FFFFFFFF 1BB124AC 64 0 0 0 8DCE
156D6C20: 160028E8 1603129C 14BE0000 160BA4D8 13860000 13FA0000 160BA428 160BA4B0
156D6C40: 14BABC00 28E47C74 137C0000 13F50000 14BAC400 0 14BE0000 0
156D6C60: 84B1B7D 1BB12300 0 84B1B7D 156D6C88 132B2448 156D6C80 156D6C98
156D6C80: 156D6C88 11BBE798 156D6D10 132B0C9C A0000 14800000 0 1770
156D6CA0: 0 BB8 156D6CD0 1 14BAC400 0 14BE0000 146CF310
156D6CC0: 146D0000 151B1AB0 156D6CF0 151B1AB0 156D6CE0 0 156D6D10 146CF310
156D6CE0: 2029230 14620EC0 156D6D20 153B1DA4 156D6CF8 151B1AB0 3012000 11C0C254
156D6D00: 156D6D18 132F05E0 3012020 153B1C8C 156D6D30 11C0FE70 156D6D20 153B1C8C
156D6D20: 156D6D40 11C0FE28 156D6D38 153B1C8C 3012040 153B1C8C 156D6D48 11C100CC
156D6D40: 156D6D50 11C10348 14BE0000 146C62B4 156D6D78 11BB0A10 FFFFFF 1CCAFCB8
156D6D60: 156D6D70 146CF310 146D0000 14620EC0 2A 4 14BAE470 11C0DCD0
156D6D80: FFFFFFFF FFFFFFFF

---- Level 5 Interrupt stack (0x170 bytes used, out of 0x2328 available) ----

intstacks[5]: base 0x156D2738 stack 0x156D4A58 routine 0x0 count 0x8843
size 0x2328 low 0x2328 desc 0x156BEBCC

156D48F0: 156D4918 FFFFFFFF 14BAC400 0 14BE0000 13B50000 0 151B1AB0
156D4910: A0000060 151B1AB0 156D4928 132BBFA8 A0000 151B1AB0 156D4940 132BC0D0
156D4930: A0000 14C00000 A0000060 151B1AB0 156D4958 132BC42C A0000060 14C00000
156D4950: 60 189A84E0 156D4970 12405FD8 156D4970 1 1 1B1AD9E0
156D4970: 156D4978 124067F8 156D4998 11CB7020 156D49A8 14C00000 FFFFFFFF 0
156D4990: 14BE0000 13B50000 2 1B5A1068 2029230 153B1DA4 156D49D0 1BB11BE0
156D49B0: 156D49B8 0 14BE0000 13B50000 3 14380000 1B1AD9E0 153B1DA4
156D49D0: 156D49D8 132EFB10 156D49E0 11C0C254 156D49F8 132F05E0 2 2A7A9FE0
156D49F0: 2029230 153B1DA4 156D4A00 132EFB10 156D4A18 11CB7200 3 14380000
156D4A10: 14380000 153B1DA4 156D4A20 1338A684 156D4A48 132F0B04 2 2A7A9F6F
156D4A30: FFFFFFFF 146CF310 146D0000 14620EE0 0 5 156D4A50 11BAE8C0
156D4A50: 14BAE470 11C0DCD0 FFFFFFFF FFFFFFFF

---- Level 6 Interrupt stack (0x0 bytes used, out of 0x2328 available) ----

intstacks[6]: base 0x156D0410 stack 0x156D2730 routine 0x0 count 0x0
size 0x2328 low 0x2328 desc 0x156BED20

---- Level 7 Interrupt stack (0x0 bytes used, out of 0x2328 available) ----

intstacks[7]: base 0x156CE0E8 stack 0x156D0408 routine 0x0 count 0x0
size 0x2328 low 0x2328 desc 0x156BEE74

---- Level 8 Interrupt stack (base 0x0, size 0x0) is invalid ----

---- Level 9 Interrupt stack (base 0x0, size 0x0) is invalid ----

========= Register Memory Dump ================

Reg00(PC ): 10999E70
Reg01(MSR): 2029230 [Not RAM Addr]
Reg02(CR ): 20004022
Reg03(LR ): 10999E34
Reg04(CTR): 108EC3EC
Reg05(XER): 0 [Not RAM Addr]
Reg06(DAR): 0 [Not RAM Addr]
Reg07(DSISR): 0 [Not RAM Addr]
Reg08(DEC): 83695 [Not RAM Addr]
Reg09(TBU): 2 [Not RAM Addr]
Reg10(TBL): 2A7D42DA
Reg11(IMMR): 0 [Not RAM Addr]
Reg12(R0 ): 10999E34
Reg13(R1 ): 2421F930
Reg14(R2 ): 1E [Not RAM Addr]
Reg15(R3 ): 234BBFD8 [In malloc Block 0x234BBB54] [Last malloc Block 0x234BBB10]
Reg16(R4 ): A [Not RAM Addr]
Reg17(R5 ): 0 [Not RAM Addr]
Reg18(R6 ): 2421F918
Reg19(R7 ): 0 [Not RAM Addr]
Reg20(R8 ): 0 [Not RAM Addr]
Reg21(R9 ): 0 [Not RAM Addr]
Reg22(R10): 14850000
Reg23(R11): 234BBFD4
Reg24(R12): EB93A100 [Not RAM Addr]
Reg25(R13): B4E9F3F3 [Not RAM Addr]
Reg26(R14): 10CD0984
Reg27(R15): 0 [Not RAM Addr]
Reg28(R16): 156CA504 [In malloc Block 0x156CA2F0]
Reg29(R17): 156CA504
Reg30(R18): 1 [Not RAM Addr]
Reg31(R19): 0 [Not RAM Addr]
Reg32(R20): 0 [Not RAM Addr]
Reg33(R21): 0 [Not RAM Addr]
Reg34(R22): 0 [Not RAM Addr]
Reg35(R23): 0 [Not RAM Addr]
Reg36(R24): 0 [Not RAM Addr]
Reg37(R25): 0 [Not RAM Addr]
Reg38(R26): 0 [Not RAM Addr]
Reg39(R27): 0 [Not RAM Addr]
Reg40(R28): 15870804 [In malloc Block 0x158707DC] [Last malloc Block 0x15870790]
Reg41(R29): 0 [Not RAM Addr]
Reg42(R30): 14850000
Reg43(R31): 0 [Not RAM Addr]

buffer check=0 sched_hc=0x0

---- block0 ptr=2421F8D0 is_malloc=0 length=0x260 ----

2421F890: 0 0 15870804 0 14850000 FFFFFFFE 2421F930 107CFC7C
2421F8B0: 2421F8C8 14BB1760 2 0 2421F930 14620E40 24330AB4 4A

2421F8D0: 0 0 2421F8E8 10C1FD9C 2421F8F8 0 0 0
2421F8F0: 15868B74 15868B74 2421F910 117CF5C0 2421F968 1586A45C 2421F920 15868B74
2421F910: 2421F918 0 14850000 0 2421F930 10999978 2421F930 0
2421F930: 2421F940 10999E34 2421F940 15868B74 2421F948 11B430B8 2421F9B0 10C84444
2421F950: 2421F978 0 0 0 0 2421F9C0 0 240CC3C8
2421F970: 2421F990 11AE7394 6 FFFFFFFF 0 0 0 14BE0000
2421F990: 0 0 0 0 1 0 15868B74 15868B74
2421F9B0: 2421F9E8 10C83338 0 0 71 15868B74 156CA328 13794ACD
2421F9D0: 0 1 0 1511A790 2366B680 15868B74 2421FA00 11BE0C5C
2421F9F0: 156CA328 156CA328 2366B680 15868B74 2421FA18 10C93874 2421FA20 0
2421FA10: 0 2366B628 2421FA48 10C93D78 2421FA58 10C95370 0 11BB0A98
2421FA30: 0 0 15868B74 0 0 15868B74 2421FA58 10C94140
2421FA50: 3 15868B74 2421FA70 10C992EC 0 0 0 156CA328
2421FA70: 2421FB08 10CD155C DFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF
2421FA90: FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF
2421FAB0: 1 FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF 0 0 0
2421FAD0: 0 0 0 0 0 0 0 0
2421FAF0: 0 0 0 0 0 0 2421FB10 1099BCFC
2421FB10: 0 10992CEC FFFFFFFF FD0110DF AB1234CD 0 0 1378AC50

---- block1 ptr=10999E34 is_malloc=0 length=0x13C ----

10999DF4: 3D2014BE 8009845C 2F800000 419E0010 3D2014BE 806983C4 4800000C 3D201485
10999E14: 80698C20 4927268D 38000000 3D2014BE 90098484 3D201485 90098CAC 4BFFFAB9
10999E34: 2F9F0000 419E0038 3D2014BE 80098498 2F800000 40BE0028 3860FFFE 3C8013CD
10999E54: 3884617C 4BE35D99 2F9F0003 409D0008 3BE00003 1C7F03E8 4909658D 7FE10808
10999E74: 38000000 3D201445 900900E4 80010014 7C0803A6 83E1000C 38210010 4E800020
10999E94: 9421FFF8 7C0802A6 9001000C 7C862378 38832010 38602000 3CA013CD 38A56198
10999EB4: 482E2201 8001000C 7C0803A6 38210008 4E800020 7C681B78 7C6A1B78 39200000
10999ED4: 89630000 2F8B0000 419E0078 380BFF9F 2B800005 40BD0010 380BFFD0 2B800009
10999EF4: 419D0060 552B2036 880A0000 7C000774 2F800039 419D0014 7D2B0214 3929FFD0
10999F14: 394A0001 48000018 892A0000 7D290774 7D2B4A14 3929FFA9 394A0001 896A0000
10999F34: 2F8B0000 419E001C 380BFF9F 2B800005 40BDFFB4 380BFFD0 2B800009 409DFFA8
10999F54: 38600000 7F8A4000 4D9E0020 91250000 91440000 38600001 4E800020

---- block2 ptr=20004020 is_malloc=0 length=0x100 ----

20003FE0: ADBEEF 0 0 0 BEEF 0 7ADBEEF 1F724E78
20004000: 12800 0 1ADBEEF 12216BE8 1BE7FE60 BEEF 1BE7FE70 1813277C
20004020: 1BE7FE78 1253BA98 FE70 FFFFFFFF 3 0 FFFFFFFF FFFFFFFF
20004040: FFFFFFFF FFFFFFFF 10800 0 0 1FFFF 1BE7FF38 11F86C4C
20004060: 180AB988 1BE7FEF8 2027FEE8 FF84BEEF 3 0 0 0
20004080: BEEF 0 BEEF 0 0 0 0 0
200040A0: 0 ADBEEF 0 0 0 BEEF 0 7ADBEEF
200040C0: 1F724E78 12800 0 1ADBEEF 12216BE8 1BE7FE60 BEEF 1BE7FE70
200040E0: 1813277C 1BE7FE78 1253BA98 FE70 FFFFFFFF 3 0 FFFFFFFF
20004100: FFFFFFFF FFFFFFFF FFFFFFFF 10800 0 0 1FFFF 1BE7FF38

---- block3 ptr=108EC3EC is_malloc=0 length=0x100 ----

108EC3AC: 7C0803A6 83E1000C 38210010 4E800020 9421FFF8 7C0802A6 9001000C 2C030000
108EC3CC: 40A2000C 4BFFF7F9 48000008 4BFFFB79 8001000C 7C0803A6 38210008 4E800020
108EC3EC: 9421FFF8 7C0802A6 9001000C 3D20149A 8009FB08 2F800000 41BE0028 4BFEF791
108EC40C: 3D201485 81299C1C 81290024 7D2903A6 38600000 4E800421 38600000 4BFF0EFD
108EC42C: 8001000C 7C0803A6 38210008 4E800020 9421FFF8 7C0802A6 9001000C 3D20149A
108EC44C: 8009FB08 2F800000 41BE0028 4BFEF741 3D201485 81299C1C 81290024 7D2903A6
108EC46C: 38600000 4E800421 38600000 4BFF0EAD 8001000C 7C0803A6 38210008 4E800020
108EC48C: 9421FFE8 7C0802A6 BF810008 9001001C 7C9C2378 38000000 7C7E1B79 418200B0
108EC4AC: 7FC3F378 492150A5 38000000 7C7D1B79 4182009C 3BE00000 7F9FE800 40BC008C
108EC4CC: 7C9EF8AE 3D201442 8069EDA4 7C840774 49214EFD 2F830000 409E0064 2F9C0000

---- block4 ptr=234BBB10 is_malloc=1 length=0x100 ----

234BBAD0: FFFE0000 0 13C9C0B0 107FD290 234BBB10 234BBA24 8000000E 1

234BBAF0: 0 23056294 23054D90 13597D4C 1 0 0 FD0110DF
234BBB10: AB1234CD FFFE0000 0 13D9A594 10027870 234BBB54 234BBAE0 8000000E
234BBB30: 1 0 1 4 0 0 0 0
234BBB50: FD0110DF AB1234CD FFFE0000 0 156CD7F4 119EB018 234BC350 234BBB24
234BBB70: 800003EA 1 119F6768 0 234466EC 234FFE84 0 156CD7B8
234BBB90: 64 77 C000C 0 0 0 0 0
234BBBB0: 30000 14BB1760 52656720 46756E63 74696F6E 20310000 234BBDB8 234BC34C
234BBBD0: 0 0 0 234BBDB8 234BBDC4 234BBDD0 234BBDDC 234BBDE8
234BBBF0: 234BBDF4 234BBE00 234BBE0C 234BBE18 234BBE24 234BBE30 234BBE3C 234BBE48

---- block5 ptr=15870790 is_malloc=1 length=0x14C ----

15870750: 0 0 0 0 0 0 0 0
15870770: 0 0 0 0 0 0 0 FD0110DF
15870790: AB1234CD FFFE0000 0 13D9A594 10CA1538 158707DC 1586B958 80000012
158707B0: 1 4928F581 0 1 23C0BED0 0 0 0
158707D0: 1449E540 F FD0110DF AB1234CD FFFE0000 0 13D2B910 10C89680
158707F0: 15870840 158707A4 8000001E 1 38210008 158711F0 13D40DB8 0
15870810: 13D3EC78 0 0 0 10CC65BC 7 144B0254 15870868
15870830: 158708AC 0 0 FD0110DF AB1234CD FFFE0000 0 13D2B91C
15870850: 10C896E8 15870884 158707F0 8000000E 1 7C09002E 158708F0 23F0FB18
15870870: 17 0 0 0 FD0110DF AB1234CD FFFE0000 0
15870890: 13D2B92C 10C8970C 158708C8 15870854 8000000E 1 7D6B4A14 15870980
158708B0: 15871160 8 0 0 0 FD0110DF AB1234CD FFFE0000
158708D0: 0 13D2BA48 10C8BE78

---- block6 ptr=15870790 is_malloc=1 length=0x100 ----

15870750: 0 0 0 0 0 0 0 0
15870770: 0 0 0 0 0 0 0 FD0110DF
15870790: AB1234CD FFFE0000 0 13D9A594 10CA1538 158707DC 1586B958 80000012
158707B0: 1 4928F581 0 1 23C0BED0 0 0 0
158707D0: 1449E540 F FD0110DF AB1234CD FFFE0000 0 13D2B910 10C89680
158707F0: 15870840 158707A4 8000001E 1 38210008 158711F0 13D40DB8 0
15870810: 13D3EC78 0 0 0 10CC65BC 7 144B0254 15870868
15870830: 158708AC 0 0 FD0110DF AB1234CD FFFE0000 0 13D2B91C
15870850: 10C896E8 15870884 158707F0 8000000E 1 7C09002E 158708F0 23F0FB18
15870870: 17 0 0 0 FD0110DF AB1234CD FFFE0000 0

---- block7 ptr=240CC354 is_malloc=1 length=0x14C ----

240CC314: 2 240CC37C 0 0 0 0 2 0
240CC334: 0 0 0 0 0 0 0 FD0110DF
240CC354: AB1234CD CD0000 24031228 240CC1F0 1011D6CC 240CC3A0 240CC2F0 80000012
240CC374: 1 D0D0D0D 1 8 10B4FEE8 0 2 4
240CC394: 0 10B50054 FD0110DF AB1234CD FFFE0000 0 13D9A594 10C8D690
240CC3B4: 240CC404 240CC368 8000001E 1 10C7DB80 1 40 0
240CC3D4: 1 23553660 10C8D61C 0 0 0 0 0
240CC3F4: 0 0 0 FD0110DF AB1234CD CD0000 24031228 1362B664
240CC414: 10DF2B24 240CEA20 240CC3B4 800012FA 1 D0D0D0D 2416C8DC ABADCAFE
240CC434: C C 0 CD 80000000 0 0 0
240CC454: 0 0 0 0 0 0 0 0
240CC474: 0 0 0 0 0 0 0 0
240CC494: 0 0 0

---- block8 ptr=13794ACC is_malloc=0 length=0x100 ----

13794A8C: 51522E2E 2E2E2E2E 5C2E5354 55565758 595A2E2E 2E2E2E2E 30313233 34353637
13794AAC: 38392E2E 2E2E2E2E 0 30313233 34353637 38396162 63646566 0
13794ACC: 202020 20202020 20202828 28282820 20202020 20202020 20202020 20202020
13794AEC: 20881010 10101010 10101010 10101010 10040404 4040404 4040410 10101010
13794B0C: 10104141 41414141 1010101 1010101 1010101 1010101 1010101 10101010
13794B2C: 10104242 42424242 2020202 2020202 2020202 2020202 2020202 10101010
13794B4C: 20000000 436F6D6D 756E6963 6174696F 6E206572 726F7220 6F6E2073 656E6400

13794B6C: 546F6F20 6D616E79 206C696E 6B730000 426C6F63 6B206465 76696365 20726571
13794B8C: 75697265 64000000 41726720 6C697374 20746F6F 20626967 0 4E6F2073
13794BAC: 75636820 70726F63 65737300 4E6F7420 6F776E65 72000000 4E6F2073 75636820

Log buffer:

6:21:19 UTC Mon Sep 6 2010
CMD: 'alias exec cas clear auth sess' 06:21:19 UTC Mon Sep 6 2010
CMD: 'alias exec sas show auth sess' 06:21:19 UTC Mon Sep 6 2010
CMD: 'alias exec cpu show proc cpu | inc CPU' 06:21:19 UTC Mon Sep 6 2010
CMD: 'alias exec si show run int gi6/25' 06:21:19 UTC Mon Sep 6 2010
CMD: 'line con 0' 06:21:19 UTC Mon Sep 6 2010
CMD: ' exec-timeout 0 0' 06:21:19 UTC Mon Sep 6 2010
CMD: ' stopbits 1' 06:21:19 UTC Mon Sep 6 2010
CMD: ' speed 38400' 06:21:19 UTC Mon Sep 6 2010
CMD: 'line vty 0 4' 06:21:19 UTC Mon Sep 6 2010
CMD: 'scheduler runtime netinput 100' 06:21:19 UTC Mon Sep 6 2010
CMD: 'mac address-table static 0023.abf8.3303 vlan 1 interface GigabitEthernet6/15' 06:21:19 UTC Mon Sep 6 2010
CMD: 'end' 06:21:19 UTC Mon Sep 6 2010

*Sep 6 06:21:19.103: %SW_VLAN-6-VTP_DOMAIN_NAME_CHG: VTP domain name changed to campus1.
*Sep 6 06:21:21.779: %SYS-5-CONFIG_I: Configured from memory by console
*Sep 6 06:21:21.875: %SYS-5-RESTART: System restarted --
Cisco IOS Software, Catalyst 4500 L3 Switch Software (cat4500e-ENTSERVICES-M),
Experimental Version 12.2(20100723:074204) [/../../../../ios/sys 179]
Copyright (c) 1986-2010 by Cisco Systems, Inc.
Compiled Mon 06-Sep-10 22:11 by cisco
*Sep 6 06:21:23.363: Slot 0 : delete
*Sep 6 06:21:23.363: K5SuperportSetConfig:
*Sep 6 06:21:23.363: num of Superports : 4, SuperportIds( 57, 57, 57, 57 )
*Sep 6 06:21:23.363: K5SuperportGroupMode XauiK5PortSpeedType 10G10
*Sep 6 06:21:23.363: K5SuperportConfig:
*Sep 6 06:21:23.363: K5SuperportUsageState Populated, 4K5SuperportManagementProtocol
VsiK5HeaderType K10 SCH Preamble, Max SubportId : 9
*Sep 6 06:21:23.363: num of subports : 1, SubportConfig:
*Sep 6 06:21:23.363: SubportConfig( K5SubportId : 0, PimHwPhyportId : 240 )
*Sep 6 06:21:23.711: %C4K_JOB-4-OVERRUN: (Suppressed 1 times)Job Lj-poll ran 20941
microseconds (its runTimeMax was 2000)
*Sep 6 06:21:23.711: Slot 0 : new
*Sep 6 06:21:23.711: K5SuperportSetConfig:
*Sep 6 06:21:23.711: num of Superports : 4, SuperportIds( 57, 57, 57, 57 )
*Sep 6 06:21:23.711: K5SuperportGroupMode XauiK5PortSpeedType 10G10
*Sep 6 06:21:23.711: K5SuperportConfig:
*Sep 6 06:21:23.711: K5SuperportUsageState Populated, 3K5SuperportManagementProtocol
VsiK5HeaderType K10 SCH Preamble, Max SubportId : 9
*Sep 6 06:21:23.711: num of subports : 2, SubportConfig:
*Sep 6 06:21:23.711: SubportConfig( K5SubportId : 8, PimHwPhyportId : 242 )
*Sep 6 06:21:23.711: SubportConfig( K5SubportId : 9, PimHwPhyportId : 243 )
CMD: 'en' 06:21:56 UTC Mon Sep 6 2010
CMD: 'plat' 06:21:57 UTC Mon Sep 6 2010
CMD: 'platform cr' 06:21:57 UTC Mon Sep 6 2010
CMD: 'platform crashdump d' 06:21:58 UTC Mon Sep 6 2010
CMD: 'platform crashdump ' 06:21:58 UTC Mon Sep 6 2010

Supervisor (WS-X45-SUP6-E) Board Specific Crash Data:
MCSR: 0x0
L1CSR0: 0x10001 L1CSR1: 0x10001
SRR0: 0x10999e70 CSRR0: 0x0 MCSRR0: 0x0
MCAR: 0x0
ESR: 0x2000000
CISR0: 0x0 CISR1: 0x0
L2CTL: 0xa0000000
L2CAPTDATAHI: 0x0 L2CAPTDATALO: 0x0


L2CAPTECC: 0x0
L2ERRDET: 0x0
L2ERRDIS: 0x0
L2ERRATTR: 0x0
L2ERRADDRH: 0x0 L2ERRADDRL: 0x0
L2_ERRCTL: 0x0
DDR_CAPTURE_DATA_HI: 0x0 DDR_CAPTURE_DATA_LO: 0x0
DDR_CAPTURE_ECC: 0x0
DDR_ERR_DETECT: 0x0
DDR_ERR_DISABLE: 0x0
DDR_ERR_INT_EN: 0x9
DDR_CAPTURE_ATTRIBUTES: 0x0
DDR_CAPTURE_ADDRESS: 0x0
DDR_CAPTURE_EXT_ADDRESS: 0x0
DDR_ERR_SBE: 0xff0000
PCI_ERR_DR: 0x0
PCI_ERR_ATTRIB: 0x0
PCI_ERR_ADDR: 0x0
PCI_ERR_EXT_ADDR: 0x0
PCI_ERR_DH: 0x0 PCI_ERR_DL: 0x0
Machine Check Interrupt Count: 0
L1 Instruction Cache Parity Errors: 0
L1 Instruction Cache Parity Errors (CPU30): 0
L1 Data Cache Parity Errors: 0

Jawa Crash Data:
Interrupt Mask: 0xe180
Interrupt: 0x0

GalK5DriverMan( 0 )
SlotType( 3 )
State( GalK5DriverManStateReady )
SilentRollRegister( 0 )
GldMajorVersion( 0 )
CardRevision( 0 )
GldMinor( 1 )
Load Dynamic Driver( No )

GalK5DriverMan( 1 )
SlotType( 1 )
State( GalK5DriverManStateReady )
SilentRollRegister( 0 )
GldMajorVersion( 0 )
CardRevision( 0 )
GldMinor( 1 )
Load Dynamic Driver( No )

Switch#

Chapter 3
Configuring the Switch for the First Time

This chapter describes how to initially configure a Catalyst 4500 series switch.
The information presented here supplements the administration information and procedures in this
publication: Cisco IOS Configuration Fundamentals Command Reference, Release 12.2SR, at this URL:

http://www.cisco.com/en/US/docs/ios/fundamentals/configuration/guide/12_4/cf_12_4_book.html
This chapter includes the following major sections:
• Default Switch Configuration, page 3-1
• Configuring DHCP-Based Autoconfiguration, page 3-2
• Configuring the Switch, page 3-8
• Controlling Access to Privileged EXEC Commands, page 3-13
• Recovering a Lost Enable Password, page 3-25
• Modifying the Supervisor Engine Startup Configuration, page 3-25
• Resetting a Switch to Factory Default Settings, page 3-32

Note For complete syntax and usage information for the switch commands used in this chapter, see the Cisco
Catalyst 4500 Series Switch Command Reference and related publications at this location:

http://www.cisco.com/en/US/products/hw/switches/ps4324/index.html

If a command is not in the Catalyst 4500 Series Switch Command Reference, you can locate it in the
Cisco IOS library. See the Cisco IOS Command Reference and related publications at this location:

http://www.cisco.com/en/US/products/ps6350/index.html

Default Switch Configuration
This section describes the default configurations for the Catalyst 4500 series switch. Table 3-1 shows the
default configuration settings for each feature.


Table 3-1 Default Switch Configuration

Feature                     Default Settings
Administrative connection   Normal mode
Global switch information   No default value for system name, system contact, and location
System clock                No value for system clock time
Passwords                   No passwords are configured for normal mode or enable mode (press the Return key)
Switch prompt               Switch>
Interfaces                  Enabled, with speed and flow control autonegotiated, and without IP addresses

Configuring DHCP-Based Autoconfiguration
These sections describe how to configure DHCP-based autoconfiguration:
• About DHCP-Based Autoconfiguration, page 3-2
• DHCP Client Request Process, page 3-3
• Configuring the DHCP Server, page 3-4
• Configuring the TFTP Server, page 3-4
• Configuring the DNS Server, page 3-5
• Configuring the Relay Device, page 3-5
• Obtaining Configuration Files, page 3-6
• Example Configuration, page 3-7
If your DHCP server is a Cisco device, or if you are configuring the switch as a DHCP server, refer to
the “IP Addressing and Services” section in the Cisco IOS IP and IP Routing Configuration Guide for
Cisco IOS Release 12.1 for additional information about configuring DHCP.

About DHCP-Based Autoconfiguration

Note Starting with Release 12.2(20)EW, you can enable DHCP AutoConfiguration by entering the write
erase command. This command clears the startup-config in NVRAM. In images prior to Release
12.2(20)EW, this command does not enable autoconfiguration.

DHCP provides configuration information to Internet hosts and internetworking devices. This protocol
consists of two components: one component for delivering configuration parameters from a DHCP
server to a device and another component that is a mechanism for allocating network addresses to
devices. DHCP is built on a client-server model, in which designated DHCP servers allocate network
addresses and deliver configuration parameters to dynamically configured devices. The switch can act
as both a DHCP client and a DHCP server.


With DHCP-based autoconfiguration, no DHCP client-side configuration is needed on your switch
because your switch (the DHCP client) is automatically configured at startup with IP address
information and a configuration file. However, you need to configure the DHCP server or the DHCP
server feature on your switch for various lease options associated with IP addresses. If you are using
DHCP to relay the configuration file location on the network, you might also need to configure a Trivial
File Transfer Protocol (TFTP) server and a Domain Name System (DNS) server.
DHCP-based autoconfiguration replaces the BOOTP client functionality on your switch.

DHCP Client Request Process
At startup the switch automatically requests configuration information from a DHCP server if a
configuration file is not present on the switch.
Figure 3-1 shows the sequence of messages that are exchanged between the DHCP client and the DHCP
server.

Figure 3-1 DHCP Client and Server Message Exchange

[Figure: message sequence between Switch A (DHCP client) and the DHCP server]
Switch A -> DHCP server: DHCPDISCOVER (broadcast)
DHCP server -> Switch A: DHCPOFFER (unicast)
Switch A -> DHCP server: DHCPREQUEST (broadcast)
DHCP server -> Switch A: DHCPACK (unicast)
The client, Switch A, broadcasts a DHCPDISCOVER message to locate a DHCP server. The DHCP
server offers configuration parameters (such as an IP address, subnet mask, gateway IP address, DNS IP
address, lease for the IP address, and so forth) to the client in a DHCPOFFER unicast message.
In a DHCPREQUEST broadcast message, the client returns a formal request for the offered
configuration information to the DHCP server. The formal request is broadcast so that all other DHCP
servers that received the DHCPDISCOVER broadcast message from the client can reclaim the IP
addresses that they offered to the client.
The DHCP server confirms that the IP address has been allocated to the client by returning a DHCPACK
unicast message to the client. With this message, the client and server are bound, and the client uses the
configuration information that it received from the server. The amount of information the switch receives
depends on how you configure the DHCP server. For more information, see the “Configuring the DHCP
Server” section on page 3-4.
If the configuration parameters sent to the client in the DHCPOFFER unicast message are invalid (if a
configuration error exists), the client returns a DHCPDECLINE broadcast message to the DHCP server.
The DHCP server sends the client a DHCPNAK denial broadcast message, which means that the offered
configuration parameters have not been assigned, that an error has occurred during the negotiation of the
parameters, or that the client has been slow in responding to the DHCPOFFER message. (The DHCP
server might have assigned the parameters to another client.)
A DHCP client might receive offers from multiple DHCP servers and can accept any of them; however,
the client usually accepts the first offer it receives. The offer from the DHCP server is not a guarantee
that the IP address will be allocated to the client; however, the server usually reserves the address until
the client has had a chance to formally request the address.


Configuring the DHCP Server
A switch can act as both the DHCP client and the DHCP server. By default, the Cisco IOS DHCP server
and relay agent features are enabled on your switch.
You should configure the DHCP server, or the DHCP server feature running on your switch, with
reserved leases that are bound to each switch by the switch hardware address.
If you want the switch to receive IP address information, you must configure the DHCP server with these
lease options:
• IP address of the client (required)
• Subnet mask of the client (required)
• DNS server IP address (optional)
• Router IP address (required)

Note The router IP address is the default gateway address for the switch.

If you want the switch to receive the configuration file from a TFTP server, you must configure the
DHCP server with these lease options:
• TFTP server name or IP address (required)
• Boot filename (the name of the configuration file that the client needs) (recommended)
• Host name (optional)
Depending on the settings of the DHCP server or the DHCP server feature running on your switch, the
switch can receive IP address information, the configuration file, or both.
If you do not configure the DHCP server, or the DHCP server feature running on your switch, with the
lease options described earlier, the switch replies to client requests with only those parameters that are
configured. If the IP address and subnet mask are not in the reply, the switch is not configured. If the
router IP address or the TFTP server name (or IP address) is not found, the switch might send broadcast,
instead of unicast, TFTP requests. Unavailability of other lease options does not impact
autoconfiguration.
The DHCP server, or the DHCP server feature running on your switch, can be on the same LAN or on a
different LAN than the switch. If the DHCP server is running on a different LAN, you should configure
a DHCP relay, which forwards broadcast traffic between two directly connected LANs. A router does
not forward broadcast packets, but it forwards packets based on the destination IP address in the received
packet. For more information on relay devices, see the “Configuring the Relay Device” section on
page 3-5.

Configuring the TFTP Server
Based on the DHCP server configuration, the switch attempts to download one or more configuration
files from the TFTP server. If you configured the DHCP server to respond to the switch with all the
options required for IP connectivity to the TFTP server, and if you configured the DHCP server with a
TFTP server name, address, and configuration filename, the switch attempts to download the specified
configuration file from the specified TFTP server.
If you did not specify the configuration filename or the TFTP server name, or if the configuration file
could not be downloaded, the switch attempts to download a configuration file using various
combinations of filenames and TFTP server addresses. The files include the specified configuration
filename (if any) and the following files: network-confg, cisconet.cfg, hostname-confg or hostname.cfg
(where hostname is the current hostname of the switch), and router-confg and ciscortr.cfg. The TFTP server
addresses used include the specified TFTP server address (if any) and the broadcast address
(255.255.255.255).
For the switch to successfully download a configuration file, the TFTP server must contain one or more
configuration files in its base directory. The files can include the following:
• The configuration file named in the DHCP reply (the actual switch configuration file).
• The network-confg or the cisconet.cfg file (known as the default configuration files).
• The router-confg or the ciscortr.cfg file. (These files contain commands common to all switches.
Normally, if the DHCP and TFTP servers are properly configured, these files are not accessed.)
If you specify the TFTP server name in the DHCP server-lease database, you must also configure the
TFTP server name-to-IP-address mapping in the DNS-server database.
If the TFTP server you plan to use is on a different LAN from the switch, or if you plan to access it with
the switch through the broadcast address (which occurs if the DHCP server response does not contain
all the required information described earlier), you must configure a relay to forward the TFTP packets
to the TFTP server. For more information, see the “Configuring the Relay Device” section on page 3-5.
The preferred solution is to configure either the DHCP server or the DHCP server feature running on
your switch with all the required information.

Configuring the DNS Server
The DHCP server, or the DHCP server feature running on your switch, uses the DNS server to resolve
the TFTP server name to an IP address. You must configure the TFTP server name-to-IP address map on
the DNS server. The TFTP server contains the configuration files for the switch.
You can configure the IP addresses of the DNS servers in the lease database of the DHCP server where
the DHCP replies retrieve them. You can enter up to two DNS server IP addresses in the lease database.
The DNS server can be on the same or on a different LAN as the switch. If it is on a different LAN, the
switch must be able to access it through a router.

Configuring the Relay Device
You must configure a relay device to forward received broadcast packets to the destination host whenever
a switch sends broadcast packets to which a host on a different LAN must respond. Examples of such
broadcast packets are DHCP, DNS, and in some cases, TFTP packets.
If the relay device is a Cisco router, enable IP routing (ip routing global configuration command) and
configure helper addresses (ip helper-address interface configuration command). For example, in
Figure 3-2, configure the router interfaces as follows:
On interface 10.0.0.2:
router(config-if)# ip helper-address 20.0.0.2
router(config-if)# ip helper-address 20.0.0.3
router(config-if)# ip helper-address 20.0.0.4

On interface 20.0.0.1:
router(config-if)# ip helper-address 10.0.0.1

Figure 3-2 Relay Device Used in Autoconfiguration

[Figure: the switch (DHCP client, 10.0.0.1) connects to interface 10.0.0.2 of a Cisco router acting as the
relay; the router's interface 20.0.0.1 connects to the DHCP server (20.0.0.2), the TFTP server (20.0.0.3),
and the DNS server (20.0.0.4).]

Obtaining Configuration Files
Depending on the availability of the IP address and the configuration filename in the DHCP reserved
lease, the switch obtains its configuration information in these ways:
• The IP address and the configuration filename are reserved for the switch and provided in the DHCP
reply (one-file read method).
The switch receives its IP address, subnet mask, TFTP server address, and the configuration
filename from either the DHCP server or the DHCP server feature running on your switch. The
switch sends a unicast message to the TFTP server to retrieve the named configuration file from the
base directory of the server, and upon receipt, completes its boot-up process.
• The IP address and the configuration filename are reserved for the switch, but the TFTP server
address is not provided in the DHCP reply (one-file read method).
The switch receives its IP address, subnet mask, and the configuration filename from either the
DHCP server or the DHCP server feature running on your switch. The switch sends a broadcast
message to a TFTP server to retrieve the named configuration file from the base directory of the
server, and upon receipt, completes its boot-up process.
• Only the IP address is reserved for the switch and provided in the DHCP reply. The configuration
filename is not provided (two-file read method).
The switch receives its IP address, subnet mask, and the TFTP server address from either the DHCP
server or the DHCP server feature running on your switch. The switch sends a unicast message to
the TFTP server to retrieve the network-confg or cisconet.cfg default configuration file. (If the
network-confg file cannot be read, the switch reads the cisconet.cfg file.)
The default configuration file contains the host-name-to-IP-address mappings for the switch. The
switch fills its host table with the information in the file and obtains its host name. If the host name
is not found in the file, the switch uses the host name in the DHCP reply. If the host name is not
specified in the DHCP reply, the switch uses the default name Switch as its host name.
After obtaining its host name from the default configuration file or the DHCP reply, the switch reads
the configuration file that has the same name as its host name (hostname-confg or hostname.cfg,
depending on whether the network-confg file or the cisconet.cfg file was read earlier) from
the TFTP server. If the cisconet.cfg file is read, the host name part of the filename is truncated to eight
characters.


If the switch cannot read the network-confg, cisconet.cfg, or the hostname file, it reads the
router-confg file. If the switch cannot read the router-confg file, it reads the ciscortr.cfg file.

Note The switch broadcasts TFTP server requests provided that one of these conditions is met: the TFTP
server is not obtained from the DHCP replies; all attempts to read the configuration file through unicast
transmissions fail; or the TFTP server name cannot be resolved to an IP address.

Example Configuration
Figure 3-3 shows a network example for retrieving IP information using DHCP-based autoconfiguration.

Figure 3-3 DHCP-Based Autoconfiguration Network Example

[Figure: Switch 1 through Switch 4 (hardware addresses 00e0.9f1e.2001, 00e0.9f1e.2002, 00e0.9f1e.2003,
and 00e0.9f1e.2004) connect through a Cisco router (10.0.0.10) to the DHCP server (10.0.0.1), the DNS
server (10.0.0.2), and the TFTP server (10.0.0.3, named maritsu).]

Table 3-2 shows the configuration of the reserved leases on either the DHCP server or the DHCP server
feature running on your switch.

Table 3-2 DHCP Server Configuration

                                              Switch 1             Switch 2             Switch 3             Switch 4
Binding key (hardware address)                00e0.9f1e.2001       00e0.9f1e.2002       00e0.9f1e.2003       00e0.9f1e.2004
IP address                                    10.0.0.21            10.0.0.22            10.0.0.23            10.0.0.24
Subnet mask                                   255.255.255.0        255.255.255.0        255.255.255.0        255.255.255.0
Router address                                10.0.0.10            10.0.0.10            10.0.0.10            10.0.0.10
DNS server address                            10.0.0.2             10.0.0.2             10.0.0.2             10.0.0.2
TFTP server name                              maritsu or 10.0.0.3  maritsu or 10.0.0.3  maritsu or 10.0.0.3  maritsu or 10.0.0.3
Boot filename (configuration file; optional)  switch1-confg        switch2-confg        switch3-confg        switch4-confg
Host name (optional)                          switch1              switch2              switch3              switch4


DNS Server Configuration
The DNS server maps the TFTP server name maritsu to IP address 10.0.0.3.
TFTP Server Configuration (on UNIX)
The TFTP server base directory is set to /tftpserver/work/. This directory contains the network-confg file
used in the two-file read method. This file contains the host name that you plan to assign to the switch
based on its IP address. The base directory also contains a configuration file for each switch
(switch1-confg, switch2-confg, and so forth) as shown in the following display:
prompt> cd /tftpserver/work/
prompt> ls
network-confg
switch1-confg
switch2-confg
switch3-confg
switch4-confg
prompt> cat network-confg
ip host switch1 10.0.0.21
ip host switch2 10.0.0.22
ip host switch3 10.0.0.23
ip host switch4 10.0.0.24

DHCP Client Configuration
No configuration file is present on Switch 1 through Switch 4.
Configuration Explanation
In Figure 3-3, Switch 1 reads its configuration file as follows:
• Switch 1 obtains its IP address 10.0.0.21 from the DHCP server.
• If no configuration filename is given in the DHCP server reply, Switch 1 reads the network-confg
file from the base directory of the TFTP server.
• Switch 1 adds the contents of the network-confg file to its host table.
• Switch 1 reads its host table by indexing its IP address 10.0.0.21 to its host name (switch1).
• Switch 1 reads the configuration file that corresponds to its host name; for example, it reads
switch1-confg from the TFTP server.
Switches 2 through 4 retrieve their configuration files and IP addresses in the same way.
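As an added example (not code from this guide or from Cisco), the following Python model works through the file-selection rules from "Obtaining Configuration Files" together with the network-confg host lookup from the "Example Configuration" above. The DNS entry, the TFTP directory contents and the lease values are constructed from Figure 3-3 and Table 3-2; the fallback behaviour when a host file is missing is this model's assumption.

```python
"""DHCP-based autoconfiguration file lookup, modelled in Python.

Added example, not Cisco's code: it follows the one-file and two-file read
methods, the filename fallbacks and the unicast/broadcast TFTP rules from the
text. Sample data is constructed from Figure 3-3 and Table 3-2, and the TFTP
server is modelled as a dict of file contents.
"""
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

BROADCAST = "255.255.255.255"


@dataclass
class DhcpReply:
    """Lease options the switch may receive (None = option not supplied)."""
    ip_address: Optional[str] = None
    subnet_mask: Optional[str] = None
    tftp_server: Optional[str] = None      # server name or dotted address
    boot_filename: Optional[str] = None
    host_name: Optional[str] = None


# Constructed sample data: the /tftpserver/work/ listing and the DNS entry
# for the TFTP server "maritsu" from the page's example network.
DNS: Dict[str, str] = {"maritsu": "10.0.0.3"}
TFTP_FILES: Dict[str, str] = {
    "network-confg": (
        "ip host switch1 10.0.0.21\n"
        "ip host switch2 10.0.0.22\n"
        "ip host switch3 10.0.0.23\n"
        "ip host switch4 10.0.0.24\n"
    ),
    "switch1-confg": "hostname switch1\n",
    "switch2-confg": "hostname switch2\n",
}


def is_ipv4(text: str) -> bool:
    parts = text.split(".")
    return len(parts) == 4 and all(p.isdigit() and int(p) <= 255 for p in parts)


def parse_network_confg(text: str) -> Dict[str, str]:
    """Map IP address -> host name from 'ip host <name> <addr>...' lines.
    Other lines are ignored, so the same parser serves cisconet.cfg."""
    table: Dict[str, str] = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) >= 4 and parts[0] == "ip" and parts[1] == "host":
            for addr in parts[3:]:
                table[addr] = parts[2]
    return table


def tftp_target(reply: DhcpReply, dns: Dict[str, str]) -> str:
    """Unicast TFTP address, or the broadcast address when no server was
    supplied or its name cannot be resolved (the Note in the text)."""
    server = reply.tftp_server
    if server is None:
        return BROADCAST
    if not is_ipv4(server):
        server = dns.get(server)
    return server or BROADCAST


def select_config_file(reply: DhcpReply, tftp_files: Dict[str, str],
                       dns: Dict[str, str]) -> Optional[Tuple[str, str, str]]:
    """Return (tftp_address, host_name, config_file) the switch would use,
    or None when it cannot be configured (no IP address or subnet mask)."""
    if not (reply.ip_address and reply.subnet_mask):
        return None
    target = tftp_target(reply, dns)
    host = reply.host_name or "Switch"          # default host name

    # One-file read method: the DHCP reply names the configuration file.
    if reply.boot_filename and reply.boot_filename in tftp_files:
        return target, host, reply.boot_filename

    # Two-file read method: a default file supplies the host name, then the
    # file named after the host is read. Assumption of this model: once a
    # default file was read, a missing host file falls through to router-confg.
    for default_file, suffix, max_len in (("network-confg", "-confg", None),
                                          ("cisconet.cfg", ".cfg", 8)):
        if default_file in tftp_files:
            table = parse_network_confg(tftp_files[default_file])
            host = table.get(reply.ip_address) or host
            # After cisconet.cfg the host part is cut to 8 characters; [:None] cuts nothing.
            host_file = host[:max_len] + suffix
            if host_file in tftp_files:
                return target, host, host_file
            break

    # Last resort: files holding commands common to all switches.
    for fallback in ("router-confg", "ciscortr.cfg"):
        if fallback in tftp_files:
            return target, host, fallback
    return None
```

Running select_config_file with Switch 1's lease from Table 3-2 yields the unicast server 10.0.0.3, host name switch1 and the file switch1-confg; dropping the TFTP server option or giving an unresolvable name switches the model to broadcast TFTP.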

Configuring the Switch
The following sections describe how to configure your switch:
• Using Configuration Mode to Configure Your Switch, page 3-9
• Verifying the Running Configuration Settings, page 3-9
• Saving the Running Configuration Settings to Your Start-Up File, page 3-10
• Reviewing the Configuration in NVRAM, page 3-10
• Configuring a Default Gateway, page 3-11
• Configuring a Static Route, page 3-11


Using Configuration Mode to Configure Your Switch
To configure your switch from configuration mode, follow these steps:

Step 1 Connect a console terminal to the console interface of your supervisor engine.
Step 2 After a few seconds, you see the user EXEC prompt (Switch>). Now, you may want to enter privileged
EXEC mode, also known as enable mode. Type enable to enter enable mode:
Switch> enable

Note You must be in enable mode to make configuration changes.

The prompt changes to the enable prompt (#):
Switch#

Step 3 At the enable prompt (#), enter the configure terminal command to enter global configuration mode:
Switch# configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Switch(config)#

Step 4 At the global configuration mode prompt, enter the interface type slot/interface command to enter
interface configuration mode:
Switch(config)# interface fastethernet 5/1
Switch(config-if)#

Step 5 In either of these configuration modes, enter changes to the switch configuration.
Step 6 Enter the end command to exit configuration mode.
Step 7 Save your settings. See the “Saving the Running Configuration Settings to Your Start-Up File” section
on page 3-10.

Your switch is now minimally configured and can boot with the configuration you entered. To see a list
of the configuration commands, enter ? at the prompt or press the help key in configuration mode.

Verifying the Running Configuration Settings
To verify the configuration settings you entered or the changes you made, enter the show
running-config command at the enable prompt (#), as shown in this example:
Switch# show running-config
Building configuration...

Current configuration:
!
version 12.0
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
hostname Switch


<...output truncated...>

!
line con 0
transport input none
line vty 0 4
exec-timeout 0 0
password lab
login
transport input lat pad dsipcon mop telnet rlogin udptn nasi
!
end
Switch#

Saving the Running Configuration Settings to Your Start-Up File

Caution This command saves the configuration settings that you created in configuration mode. If you fail to do
this step, your configuration is lost the next time you reload the system.

To store the configuration, changes to the configuration, or changes to the startup configuration in
NVRAM, enter the copy running-config startup-config command at the enable prompt (#), as follows:
Switch# copy running-config startup-config

Reviewing the Configuration in NVRAM
To display information stored in NVRAM, enter the show startup-config EXEC command.
The following example shows a typical system configuration:
Switch# show startup-config
Using 1579 out of 491500 bytes, uncompressed size = 7372 bytes
Uncompressed configuration from 1579 bytes to 7372 bytes
!
version 12.1
no service pad
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
service compress-config
!
hostname Switch
!
!
ip subnet-zero
!
!
!
!
interface GigabitEthernet1/1
no snmp trap link-status
!
interface GigabitEthernet1/2
no snmp trap link-status
!--More--

<...output truncated...>


!
line con 0
exec-timeout 0 0
transport input none
line vty 0 4
exec-timeout 0 0
password lab
login
transport input lat pad dsipcon mop telnet rlogin udptn nasi
!
end

Switch#

Configuring a Default Gateway

Note The switch uses the default gateway only when it is not configured with a routing protocol.

Configure a default gateway to send data to subnets other than its own when the switch is not configured
with a routing protocol. The default gateway must be the IP address of an interface on a router that is
directly connected to the switch.
To configure a default gateway, perform this task:

Command                                                Purpose
Step 1 Switch(config)# ip default-gateway IP-address   Configures a default gateway.
Step 2 Switch# show ip route                           Verifies that the default gateway is correctly displayed in the IP routing table.

This example shows how to configure a default gateway and how to verify the configuration:
Switch# configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Switch(config)# ip default-gateway 172.20.52.35
Switch(config)# end
3d17h: %SYS-5-CONFIG_I: Configured from console by console
Switch# show ip route
Default gateway is 172.20.52.35

Host Gateway Last Use Total Uses Interface
ICMP redirect cache is empty
Switch#

Configuring a Static Route
If your Telnet station or SNMP network management workstation is on a different network from your
switch and a routing protocol has not been configured, you might need to add a static routing table entry
for the network where your end station is located.


To configure a static route, perform this task:

Command                                                                              Purpose
Step 1 Switch(config)# ip route dest_IP_address mask {forwarding_IP | vlan vlan_ID}   Configures a static route to the remote network.
Step 2 Switch# show running-config                                                   Verifies that the static route is displayed correctly.

This example shows how to use the ip route command to configure a static route to a workstation at IP
address 171.10.5.10 (host subnet mask 255.255.255.255) through the forwarding router at IP address
172.20.3.35:
Switch# configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Switch(config)# ip route 171.10.5.10 255.255.255.255 172.20.3.35
Switch(config)# end
Switch#

This example shows how to use the show running-config command to confirm the configuration of the
static route:
Switch# show running-config
Building configuration...
.
<...output truncated...>
.
ip default-gateway 172.20.52.35
ip classless
ip route 171.10.5.10 255.255.255.255 172.20.3.35
no ip http server
!
line con 0
transport input none
line vty 0 4
exec-timeout 0 0
password lab
login
transport input lat pad dsipcon mop telnet rlogin udptn nasi
!
end

Switch#

This example shows how to use the ip route command to configure a static route to a workstation at IP
address 171.20.5.3 (host subnet mask 255.255.255.255) that is reachable over VLAN 1:
Switch# configure terminal
Switch(config)# ip route 171.20.5.3 255.255.255.255 vlan 1
Switch(config)# end
Switch#

This example shows how to use the show running-config command to confirm the configuration of the
static route:
Switch# show running-config
Building configuration...
.
<...output truncated...>


.
ip default-gateway 172.20.52.35
ip classless
ip route 171.20.5.3 255.255.255.255 Vlan1
no ip http server
!
!
x25 host z
!
line con 0
transport input none
line vty 0 4
exec-timeout 0 0
password lab
login
transport input lat pad dsipcon mop telnet rlogin udptn nasi
!
end

Switch#

Controlling Access to Privileged EXEC Commands
The procedures in these sections let you control access to the system configuration file and privileged
EXEC commands:
• Setting or Changing a Static enable Password, page 3-13
• Using the enable password and enable secret Commands, page 3-14
• Setting or Changing a Privileged Password, page 3-14
• Controlling Switch Access with TACACS+, page 3-15
• Encrypting Passwords, page 3-22
• Configuring Multiple Privilege Levels, page 3-23

Setting or Changing a Static enable Password
To set or change a static password that controls access to the enable mode, enter this command:

Switch(config)# enable password password
        Sets a new password or changes an existing password for the privileged EXEC mode.

This example shows how to configure an enable password as lab:
Switch# configure terminal
Switch(config)# enable password lab
Switch(config)#

For instructions on how to display the password or access level configuration, see the “Displaying the
Password, Access Level, and Privilege Level Configuration” section on page 3-24.

Using the enable password and enable secret Commands
To provide an additional layer of security, particularly for passwords that cross the network or that are
stored on a TFTP server, use either the enable password or enable secret command. Both commands
configure an encrypted password that you must enter to access the enable mode (the default) or any other
privilege level that you specify.
We recommend that you use the enable secret command.
If you configure the enable secret command, it takes precedence over the enable password command;
the two commands cannot be in effect simultaneously.
To configure the switch to require an enable password, enter one of these commands:

Switch(config)# enable password [level level] {password | encryption-type encrypted-password}
        Establishes a password for the privileged EXEC mode.
Switch(config)# enable secret [level level] {password | encryption-type encrypted-password}
        Specifies a secret password that is saved using a nonreversible encryption method. (If the
        enable password and enable secret commands are both set, users must enter the enable secret
        password.)

When you enter either of these password commands with the level option, you define a password for a
specific privilege level. After you specify the level and set a password, give the password only to users
who need to have access at this level. Use the privilege level configuration command to specify
commands accessible at various levels.
If you enable the service password-encryption command, the password you enter is encrypted. When
you display the password with the more system:running-config command, the password displays the
password in encrypted form.
If you specify an encryption type, you must provide an encrypted password—an encrypted password you
copy from another Catalyst 4500 series switch configuration.

Note You cannot recover a lost encrypted password. You must clear NVRAM and set a new password. See the
“Recovering a Lost Enable Password” section on page 3-25 for more information.

For information on how to display the password or access level configuration, see the “Displaying the
Password, Access Level, and Privilege Level Configuration” section on page 3-24.

Setting or Changing a Privileged Password
To set or change a privileged password, enter this command:

Switch(config-line)# password password
        Sets a new password or changes an existing password for the privileged level.

For information on how to display the password or access level configuration, see the “Displaying the
Password, Access Level, and Privilege Level Configuration” section on page 3-24.

Controlling Switch Access with TACACS+
This section describes how to enable and configure TACACS+, which provides detailed accounting
information and flexible administrative control over authentication and authorization processes.
TACACS+ is facilitated through authentication, authorization, accounting (AAA) and can be enabled
only through AAA commands.

Note For complete syntax and usage information for the commands used in this section, see the Cisco IOS
Security Command Reference, Release 12.2.

This section contains the following configuration information:
• Understanding TACACS+, page 3-15
• TACACS+ Operation, page 3-17
• Configuring TACACS+, page 3-17
• Displaying the TACACS+ Configuration, page 3-22

Understanding TACACS+
TACACS+ is a security application that provides centralized validation of users attempting to gain access
to your switch. TACACS+ services are maintained in a database on a TACACS+ daemon typically
running on a UNIX or Windows NT workstation. You should have access to and should configure a
TACACS+ server before configuring TACACS+ features on your switch.
TACACS+ provides for separate and modular AAA facilities. TACACS+ allows for a single access
control server (the TACACS+ daemon) to provide each service—authentication, authorization, and
accounting—independently. Each service can be locked into its own database to take advantage of other
services available on that server or on the network, depending on the capabilities of the daemon.
The goal of TACACS+ is to provide a method for managing multiple network access points from a single
management service. Your switch can be a network access server along with other Cisco routers and
access servers. A network access server provides connections to a single user, to a network or
subnetwork, and to interconnected networks as shown in Figure 3-4.

Figure 3-4 Typical TACACS+ Network Configuration

[Figure: two UNIX workstations running TACACS+ (server 1 at 171.20.10.7 and server 2 at
171.20.10.8) and a Catalyst 6500 series switch that serves workstations. Callout text:
Configure the switches with the TACACS+ server addresses. Set an authentication key (also
configure the same key on the TACACS+ servers). Enable AAA. Create a login authentication
method list. Apply the list to the terminal lines. Create an authorization and accounting
method list as required.]

TACACS+ administered through the AAA security services can provide these services:
• Authentication—Provides complete control of authentication through login and password dialog,
challenge and response, and messaging support.
The authentication facility can conduct a dialog with the user (such as, after a username and
password are provided, to challenge a user with several questions such as home address, mother’s
maiden name, service type, and social security number). The TACACS+ authentication service can
also send messages to user screens. For example, a message could notify users that their passwords
must be changed because of the company’s password aging policy.
• Authorization—Provides strict control over user capabilities for the duration of the user’s session,
including but not limited to setting autocommands, access control, session duration, or protocol
support. You can also enforce restrictions on the commands a user can execute with the TACACS+
authorization feature.
• Accounting—Collects and sends information used for billing, auditing, and reporting to the
TACACS+ daemon. Network managers can use the accounting facility to track user activity for a
security audit or to provide information for user billing. Accounting records include user identities,
start and stop times, executed commands (such as PPP), number of packets, and number of bytes.
The TACACS+ protocol provides authentication between the switch and the TACACS+ daemon, and it
ensures confidentiality because all protocol exchanges between the switch and the TACACS+ daemon
are encrypted.
You need a system running the TACACS+ daemon software to use TACACS+ on your switch.

TACACS+ Operation
When a user attempts a simple ASCII login by authenticating to a switch using TACACS+, this process
occurs:
1. When the connection is established, the switch contacts the TACACS+ daemon to obtain a username
prompt, which is then displayed to the user. The user enters a username, and the switch then contacts
the TACACS+ daemon to obtain a password prompt. The switch displays the password prompt to
the user, the user enters a password, and the password is then sent to the TACACS+ daemon.
TACACS+ allows a conversation between the daemon and the user until the daemon receives enough
information to authenticate the user. The daemon prompts for a username and password
combination, but can include other items such as the user’s mother’s maiden name.
2. The switch eventually receives one of these responses from the TACACS+ daemon:
• ACCEPT—The user is authenticated and service can begin. If the switch is configured to
require authorization, authorization begins at this time.
• REJECT—The user is not authenticated. The user can be denied access or is prompted to retry
the login sequence, depending on the TACACS+ daemon.
• ERROR—An error occurred at some time during authentication with the daemon or in the
network connection between the daemon and the switch. If an ERROR response is received, the
switch typically tries to use an alternative method for authenticating the user.
• CONTINUE—The user is prompted for additional authentication information.
After authentication, the user undergoes an additional authorization phase if authorization has been
enabled on the switch. Users must first successfully complete TACACS+ authentication before
proceeding to TACACS+ authorization.
3. If TACACS+ authorization is required, the TACACS+ daemon is again contacted, and it returns an
ACCEPT or REJECT authorization response. If an ACCEPT response is returned, the response
contains data in the form of attributes that direct the EXEC or NETWORK session for that user and
the services that the user can access:
• Telnet, Secure Shell (SSH), rlogin, or privileged EXEC services
• Connection parameters, including the host or client IP address, access list, and user timeouts

Configuring TACACS+
This section describes how to configure your switch to support TACACS+. At a minimum, you must
identify the host or hosts maintaining the TACACS+ daemon and define the method lists for TACACS+
authentication. You can optionally define method lists for TACACS+ authorization and accounting. A
method list defines the sequence and methods used to authenticate, to authorize, or to keep accounts on
a user. Use method lists to designate one or more security protocols, ensuring a backup system if the
initial method fails. The software uses the first method listed to authenticate, to authorize, or to keep
accounts on users; if that method does not respond, the software selects the next method in the list. This
process continues until there is successful communication with a listed method or the method list is
exhausted.
This section contains the following configuration information:
• Default TACACS+ Configuration, page 3-18
• Identifying the TACACS+ Server Host and Setting the Authentication Key, page 3-18
• Configuring TACACS+ Login Authentication, page 3-19
• Configuring TACACS+ Authorization for Privileged EXEC Access and Network Services, page 3-21
• Starting TACACS+ Accounting, page 3-21

Default TACACS+ Configuration

TACACS+ and AAA are disabled by default.
To prevent a lapse in security, you cannot configure TACACS+ through a network management
application. When enabled, TACACS+ can authenticate users accessing the switch through the CLI.

Note Although TACACS+ configuration is performed through the CLI, the TACACS+ server authenticates
HTTP connections that have been configured with a privilege level of 15.

Identifying the TACACS+ Server Host and Setting the Authentication Key

You can configure the switch to use a single server or AAA server groups in order to group existing
server hosts for authentication. You can group servers to select a subset of the configured server hosts
and use them for a particular service. The server group is used with a global server-host list and contains
the list of IP addresses of the selected server hosts.
To identify the IP host or hosts maintaining the TACACS+ server and optionally set the encryption key,
perform this task, beginning in privileged EXEC mode:

Step 1  configure terminal
        Enters global configuration mode.
Step 2  tacacs-server host hostname [port integer] [timeout integer] [key string]
        Identifies the IP host or hosts maintaining a TACACS+ server. Enter this command multiple
        times to create a list of preferred hosts. The software searches for hosts in the order in
        which you specify them.
        • For hostname, specify the name or IP address of the host.
        • (Optional) For port integer, specify a server port number. The default is port 49. The
        range is 1 to 65535.
        • (Optional) For timeout integer, specify a time in seconds the switch waits for a response
        from the daemon before it times out and declares an error. The default is 5 seconds. The
        range is 1 to 1000 seconds.
        • (Optional) For key string, specify the encryption key for encrypting and decrypting all
        traffic between the switch and the TACACS+ daemon. You must configure the same key on the
        TACACS+ daemon for encryption to succeed.
Step 3  aaa new-model
        Enables AAA.
Step 4  aaa group server tacacs+ group-name
        (Optional) Defines the AAA server-group with a group name. This command puts the switch in
        a server group subconfiguration mode.
Step 5  server ip-address
        (Optional) Associates a particular TACACS+ server with the defined server group. Repeat this
        step for each TACACS+ server in the AAA server group. Each server in the group must be
        previously defined in Step 2.
Step 6  end
        Returns to privileged EXEC mode.
Step 7  show tacacs
        Verifies your entries.
Step 8  copy running-config startup-config
        (Optional) Saves your entries in the configuration file.

To remove the specified TACACS+ server name or address, use the no tacacs-server host hostname
global configuration command. To remove a server group from the configuration list, use the no aaa
group server tacacs+ group-name global configuration command. To remove the IP address of a
TACACS+ server, use the no server ip-address server group subconfiguration command.

Configuring TACACS+ Login Authentication

To configure AAA authentication, define a named list of authentication methods and then apply that list
to various ports. The method list defines the types of authentication you intend to perform and the
sequence in which you intend to perform them; you must apply the list to a specific port before you can
perform any of the defined authentication methods. The only exception is the default method list (which,
by coincidence, is named default). The default method list is automatically applied to all ports except
those that have a named method list explicitly defined. A defined method list overrides the default
method list.
A method list describes the sequence and authentication methods that must be queried to authenticate a
user. You can designate one or more security protocols for authentication, ensuring a backup system for
authentication in case the initial method fails. The software uses the first method listed to authenticate
users; if that method fails to respond, the software selects the next authentication method in the method
list. This process continues until there is successful communication with a listed authentication method
or until all defined methods are exhausted. If authentication fails at any point in this cycle—meaning that
the security server or local username database responds by denying the user access—the authentication
process stops, and no other authentication methods are attempted.
To configure login authentication, perform this task, beginning in privileged EXEC mode:

Step 1  configure terminal
        Enters global configuration mode.
Step 2  aaa new-model
        Enables AAA.
Step 3  aaa authentication login {default | list-name} method1 [method2...]
        Creates a login authentication method list.
        • To create a default list that is used when a named list is not specified in the login
        authentication command, use the default keyword followed by the methods that you plan to use
        in default situations. The default method list is automatically applied to all ports.
        • For list-name, specify a character string to name the list you are creating.
        • For method1..., specify the actual method the authentication algorithm tries. The additional
        methods of authentication are used only if the previous method returns an error, not if it
        fails.
        Select one of these methods:
        • enable—Use the enable password for authentication. Before you can use this authentication
        method, you must define an enable password by using the enable password global configuration
        command.
        • group tacacs+—Uses TACACS+ authentication. Before you can use this authentication method,
        you must configure the TACACS+ server. For more information, see the “Identifying the TACACS+
        Server Host and Setting the Authentication Key” section on page 3-18.
        • line—Use the line password for authentication. Before you can use this authentication
        method, you must define a line password. Use the password password line configuration command.
        • local—Use the local username database for authentication. You must enter username
        information in the database. Use the username password global configuration command.
        • local-case—Use a case-sensitive local username database for authentication. You must enter
        username information in the database by using the username name password global
        configuration command.
        • none—Do not use any authentication for login.
Step 4  line [console | tty | vty] line-number [ending-line-number]
        Enters line configuration mode, and configures the lines to which you want to apply the
        authentication list.
Step 5  login authentication {default | list-name}
        Applies the authentication list to a line or set of lines.
        • If you specify default, use the default list created with the aaa authentication login
        command.
        • For list-name, specify the list created with the aaa authentication login command.
Step 6  end
        Returns to privileged EXEC mode.
Step 7  show running-config
        Verifies your entries.
Step 8  copy running-config startup-config
        (Optional) Saves your entries in the configuration file.

To disable AAA, use the no aaa new-model global configuration command. To disable AAA
authentication, use the no aaa authentication login {default | list-name} method1 [method2...] global
configuration command. To either disable TACACS+ authentication for logins or to return to the default
value, use the no login authentication {default | list-name} line configuration command.
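The following Python program is an added illustration, not code from Cisco or from this guide, of the two behaviours described in the “TACACS+ Operation” and “Configuring TACACS+ Login Authentication” sections: the prompt/response dialog between the switch and the TACACS+ daemon (ending in ACCEPT, REJECT, ERROR or CONTINUE), and the rule that the next method in a login method list is consulted only when the previous one returns an error, never when it rejects the user. The daemon, its user records, the local username database and the helper names (FakeTacacsDaemon, run_method_list, scripted, demo) are all constructed for the demonstration; no real TACACS+ packet format is implemented.

```python
# Added example, not code from Cisco or from this guide: a simulation of the
# TACACS+ ASCII login dialog (GETUSER/GETPASS/CONTINUE/ACCEPT/REJECT/ERROR) and
# of how a login method list such as 'group tacacs+ local' is evaluated.
# The daemon, its user records and the local database are constructed for the demo.
from typing import Callable, Dict, List, Tuple

ACCEPT, REJECT, ERROR, CONTINUE = "ACCEPT", "REJECT", "ERROR", "CONTINUE"
Answers = Callable[[str], str]          # the user: prompt text -> reply

# Constructed records on the simulated TACACS+ daemon. "extra" holds further
# challenge prompts the daemon issues with CONTINUE before it decides.
TACACS_USERS: Dict[str, Dict] = {
    "alice": {"password": "s3cr3t", "extra": {"Mother's maiden name?": "Smith"}},
}
# Constructed local username database (the 'local' method on the switch).
LOCAL_USERS = {"admin": "l0calpw"}


class FakeTacacsDaemon:
    """Simulated daemon; reachable=False models a timeout or network failure."""

    def __init__(self, reachable: bool = True) -> None:
        self.reachable = reachable

    def authenticate(self, answers: Answers) -> Tuple[str, List[str]]:
        """Drive the prompt/response dialog; return (final response, transcript)."""
        log: List[str] = []
        if not self.reachable:
            log.append("switch -> daemon: START (no reply, timeout)")
            return ERROR, log                   # the switch will try the next method
        log.append("daemon -> switch: GETUSER 'Username:'")
        user = answers("Username:")
        log.append("daemon -> switch: GETPASS 'Password:'")
        password = answers("Password:")
        record = TACACS_USERS.get(user)
        if record is None or record["password"] != password:
            log.append("daemon -> switch: REJECT")
            return REJECT, log
        for prompt, expected in record["extra"].items():
            log.append(f"daemon -> switch: {CONTINUE} '{prompt}'")
            if answers(prompt) != expected:
                log.append("daemon -> switch: REJECT")
                return REJECT, log
        log.append("daemon -> switch: ACCEPT")
        return ACCEPT, log


def method_local(answers: Answers) -> Tuple[str, List[str]]:
    """The 'local' method: check the switch's own username database."""
    ok = LOCAL_USERS.get(answers("Username:")) == answers("Password:")
    return (ACCEPT if ok else REJECT), ["local username database consulted"]


def run_method_list(methods, answers: Answers) -> Tuple[bool, List[str]]:
    """Evaluate an 'aaa authentication login' method list in order.

    A later method is consulted only when the previous one returned ERROR
    (daemon unreachable); REJECT stops the attempt at once, and running out of
    methods is also a denial.
    """
    log: List[str] = []
    for name, method in methods:
        result, transcript = method(answers)
        log.append(f"{name} -> {result}")
        log.extend(transcript)
        if result == ACCEPT:
            return True, log
        if result == REJECT:
            return False, log
    log.append("method list exhausted")
    return False, log


def scripted(replies: Dict[str, str]) -> Answers:
    """A stand-in user that answers prompts from a fixed dictionary."""
    return lambda prompt: replies.get(prompt, "")


def demo() -> Tuple[bool, bool, bool]:
    up, down = FakeTacacsDaemon(True), FakeTacacsDaemon(False)
    alice = scripted({"Username:": "alice", "Password:": "s3cr3t",
                      "Mother's maiden name?": "Smith"})
    admin = scripted({"Username:": "admin", "Password:": "l0calpw"})

    def tacacs_then_local(daemon):   # 'aaa authentication login default group tacacs+ local'
        return [("group tacacs+", daemon.authenticate), ("local", method_local)]

    ok_tacacs, _ = run_method_list(tacacs_then_local(up), alice)      # ACCEPT by the daemon
    ok_fallback, _ = run_method_list(tacacs_then_local(down), admin)  # ERROR, then local
    ok_reject, _ = run_method_list(tacacs_then_local(up), admin)      # REJECT, no fallback
    return ok_tacacs, ok_fallback, ok_reject


if __name__ == "__main__":
    print(demo())   # (True, True, False)
```

The third case in demo() is the one worth remembering when you write a method list: a reachable daemon that rejects the user is final, and the local database is never tried. Only a daemon that cannot be reached (ERROR) causes the fall-through, so a lost TACACS+ server does not lock administrators out of the switch, while a REJECT from a working server cannot be bypassed by a second method.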

Configuring TACACS+ Authorization for Privileged EXEC Access and Network Services

AAA authorization limits the services available to a user. When AAA authorization is enabled, the
switch uses information retrieved from the user’s profile, which is located either in the local user
database or on the security server, to configure the user’s session. The user is granted access to a
requested service only if the information in the user profile allows it.
To set parameters that restrict a user’s network access to privileged EXEC mode, use the aaa
authorization global configuration command with the tacacs+ keyword.
The aaa authorization exec tacacs+ local command sets these authorization parameters:
• Use TACACS+ for privileged EXEC access authorization if authentication was performed by using
TACACS+.
• Use the local database if authentication was not performed by using TACACS+.

Note Authorization is bypassed for authenticated users who log in through the CLI even if authorization has
been configured.

To specify TACACS+ authorization for privileged EXEC access and network services, perform this task,
beginning in privileged EXEC mode:

Step 1  configure terminal
        Enters global configuration mode.
Step 2  aaa authorization network tacacs+
        Configures the switch for user TACACS+ authorization for all network-related service requests.
Step 3  aaa authorization exec tacacs+
        Configures the switch for user TACACS+ authorization if the user has privileged EXEC access.
        The exec keyword might return user profile information (such as autocommand information).
Step 4  end
        Returns to privileged EXEC mode.
Step 5  show running-config
        Verifies your entries.
Step 6  copy running-config startup-config
        (Optional) Saves your entries in the configuration file.

To disable authorization, use the no aaa authorization {network | exec} method1 global configuration
command.

Starting TACACS+ Accounting

The AAA accounting feature tracks the services that users are accessing and the amount of network
resources that they are consuming. When AAA accounting is enabled, the switch reports user activity to
the TACACS+ security server in the form of accounting records. Each accounting record contains
accounting attribute-value (AV) pairs and is stored on the security server. This data can then be analyzed
for network management, client billing, or auditing.

To enable TACACS+ accounting for each Cisco IOS privilege level and for network services, perform
this task, beginning in privileged EXEC mode:

Step 1  configure terminal
        Enters global configuration mode.
Step 2  aaa accounting network start-stop tacacs+
        Enables TACACS+ accounting for all network-related service requests.
Step 3  aaa accounting exec start-stop tacacs+
        Enables TACACS+ accounting to send a start-record accounting notice at the beginning of a
        privileged EXEC process and a stop-record at the end.
Step 4  end
        Returns to privileged EXEC mode.
Step 5  show running-config
        Verifies your entries.
Step 6  copy running-config startup-config
        (Optional) Saves your entries in the configuration file.

To disable accounting, use the no aaa accounting {network | exec} {start-stop} method1... global
configuration command.
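The following Python program is an added example, not code from Cisco or from this guide, of the kind of analysis the accounting data supports: it pairs start and stop records by task_id, measures session length, lists the commands each user executed and reports sessions that have no stop record yet. The record layout (timestamp, record type, attribute=value pairs) and the sample records are constructed for the demonstration; the layout of records a real TACACS+ server stores depends on that server, and the function names are the example's own.

```python
# Added example, not code from Cisco or from this guide: pairing TACACS+
# start/stop accounting records for an audit. The record layout used here
# (timestamp, record type, attribute=value pairs) and the sample records are
# constructed for the demo; records stored by a real server are laid out differently.
import re
from datetime import datetime
from typing import Dict, List

# Constructed sample: one EXEC session for alice (task 7) with two commands
# accounted inside it, and an EXEC session for bob that has not ended.
SAMPLE_RECORDS = """\
2024-01-10 09:00:00 start task_id=7 user=alice service=shell
2024-01-10 09:00:05 start task_id=8 user=alice service=shell cmd=show running-config
2024-01-10 09:00:05 stop task_id=8 user=alice service=shell cmd=show running-config
2024-01-10 09:01:10 start task_id=9 user=alice service=shell cmd=configure terminal
2024-01-10 09:01:10 stop task_id=9 user=alice service=shell cmd=configure terminal
2024-01-10 09:15:00 stop task_id=7 user=alice service=shell
2024-01-10 10:00:00 start task_id=10 user=bob service=shell
"""

LINE_RE = re.compile(r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) (start|stop) (.*)$")
# A value runs until the next ' key=' or the end of the line, so a command
# that contains spaces ('cmd=show running-config') is kept whole.
PAIR_RE = re.compile(r"(\w+)=(.*?)(?=\s+\w+=|$)")


def parse_records(text: str) -> List[Dict[str, str]]:
    """Turn record lines into dicts; lines that are not records are skipped."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        rec = {"ts": m.group(1), "type": m.group(2)}
        rec.update(dict(PAIR_RE.findall(m.group(3))))
        records.append(rec)
    return records


def pair_sessions(records: List[Dict[str, str]]) -> Dict[str, Dict[str, object]]:
    """Group records by task_id; a session stays open until its stop record arrives."""
    sessions: Dict[str, Dict[str, object]] = {}
    for rec in records:
        s = sessions.setdefault(rec["task_id"], {"user": rec.get("user"), "cmd": rec.get("cmd"),
                                                  "start": None, "stop": None})
        s[rec["type"]] = datetime.strptime(rec["ts"], "%Y-%m-%d %H:%M:%S")
    for s in sessions.values():
        s["seconds"] = ((s["stop"] - s["start"]).total_seconds()
                        if s["start"] and s["stop"] else None)
    return sessions


def audit(text: str) -> Dict[str, object]:
    """Summarize who did what, and which sessions never reported a stop record."""
    sessions = pair_sessions(parse_records(text))
    open_sessions = sorted(t for t, s in sessions.items() if s["stop"] is None)
    commands: Dict[str, List[str]] = {}
    for s in sessions.values():
        if s["cmd"]:
            commands.setdefault(s["user"], []).append(s["cmd"])
    config_changes = [(s["user"], s["cmd"]) for s in sessions.values()
                      if s["cmd"] and s["cmd"].startswith("configure")]
    return {"open_sessions": open_sessions, "commands": commands,
            "config_changes": config_changes, "sessions": sessions}


if __name__ == "__main__":
    result = audit(SAMPLE_RECORDS)
    print(result["open_sessions"], result["commands"], result["config_changes"])
```

A session with a start record and no stop record is either still active or was cut off before the switch could send the stop notice; either way it is the first thing to look at in an audit, together with any user whose command list includes configure terminal.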

Displaying the TACACS+ Configuration
To display TACACS+ server statistics, use the show tacacs privileged EXEC command.

Encrypting Passwords
Because protocol analyzers can examine packets (and read passwords), you can increase access security
by configuring the Cisco IOS software to encrypt passwords. Encryption prevents the password from
being readable in the configuration file.
To configure the Cisco IOS software to encrypt passwords, enter this command:

Command Purpose
Switch(config)# service password-encryption Encrypts a password.

Encryption occurs when the current configuration is written or when a password is configured. Password
encryption is applied to all passwords, including authentication key passwords, the privileged command
password, console and virtual terminal line access passwords, and Border Gateway Protocol (BGP)
neighbor passwords. The service password-encryption command keeps unauthorized individuals from
viewing your password in your configuration file.

Caution The service password-encryption command does not provide a high-level of network security. If you
use this command, you should also take additional network security measures.

Although you cannot recover a lost encrypted password (that is, you cannot get the original password
back), you can regain control of the switch after having lost or forgotten the encrypted password. See
the “Recovering a Lost Enable Password” section on page 3-25 for more information.

For information on how to display the password or access level configuration, see the “Displaying the
Password, Access Level, and Privilege Level Configuration” section on page 3-24.
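The following Python program is an added example, not code from Cisco or from this guide, of checking a saved configuration for the settings this section and the preceding ones discuss: an enable password set without an enable secret, service password-encryption turned off, AAA not enabled, and terminal lines with a clear-text password, no exec-timeout, or Telnet among the accepted transports. The sample configuration is constructed after the running-config excerpts earlier in this chapter; the parser relies on IOS indenting line subcommands with one space, and the function name and finding texts are the example's own.

```python
# Added example, not code from Cisco or from this guide: a check of IOS
# running-config text for the password and line settings discussed in this
# section. The sample configuration is constructed after the examples in this
# chapter; IOS prints line subcommands indented by one space, which the parser relies on.
import re
from typing import List

SAMPLE_CONFIG = """\
version 12.0
no service password-encryption
hostname Switch
enable password lab
!
line con 0
 transport input none
line vty 0 4
 exec-timeout 0 0
 password lab
 login
 transport input lat pad dsipcon mop telnet rlogin udptn nasi
!
end
"""


def audit_config(text: str) -> List[str]:
    """Return findings about weak or missing password protection."""
    findings: List[str] = []
    lines = [ln.rstrip() for ln in text.splitlines()]
    top = [ln for ln in lines if not ln.startswith(" ")]      # global commands

    has_secret = any(re.match(r"enable secret( level \d+)? ", ln) for ln in top)
    has_password = any(re.match(r"enable password( level \d+)? ", ln) for ln in top)
    if has_password and not has_secret:
        findings.append("enable password configured without enable secret; "
                        "only enable secret uses a nonreversible hash")
    if "no service password-encryption" in top:
        findings.append("service password-encryption is off; line passwords are stored in clear text")
    if "aaa new-model" not in top:
        findings.append("aaa new-model absent; TACACS+ login authentication is not in use")

    # Walk 'line ...' sections; their subcommands are the indented lines that follow.
    section = None
    for ln in lines:
        if ln.startswith("line "):
            section = ln
            continue
        if section is None or not ln.startswith(" "):
            section = None
            continue
        cmd = ln.strip()
        # 'password 7 ...' is the form written by service password-encryption.
        if re.match(r"password (0 )?\S", cmd) and not cmd.startswith("password 7 "):
            findings.append(f"{section}: line password stored in clear text")
        if cmd.startswith("transport input") and "telnet" in cmd.split():
            findings.append(f"{section}: telnet accepted, so the line password crosses "
                            "the network unencrypted")
        if cmd.startswith("exec-timeout 0 0"):
            findings.append(f"{section}: exec-timeout disabled, idle sessions never expire")
    return findings


if __name__ == "__main__":
    for finding in audit_config(SAMPLE_CONFIG):
        print(finding)
```

Run against the sample, the check reports three global findings and three for line vty 0 4; a configuration with enable secret, service password-encryption, aaa new-model, a type 7 line password, a nonzero exec-timeout and transport input ssh produces none. The check reads only the saved text, so it is suitable for a periodic review of configurations collected with copy running-config or show running-config.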

Configuring Multiple Privilege Levels
By default, Cisco IOS software has two modes of password security: user EXEC mode and privileged
EXEC mode. You can configure up to 16 hierarchical levels of commands for each mode. By configuring
multiple passwords, you can allow different sets of users to have access to specified commands.
For example, if you want many users to have access to the clear line command, you can assign it level 2
security and distribute the level 2 password to more users. If you want more restricted access to the
configure command, you can assign it level 3 security and distribute that password to fewer users.
The procedures in the following sections describe how to configure additional levels of security:
• Setting the Privilege Level for a Command, page 3-23
• Changing the Default Privilege Level for Lines, page 3-23
• Logging In to a Privilege Level, page 3-24
• Exiting a Privilege Level, page 3-24
• Displaying the Password, Access Level, and Privilege Level Configuration, page 3-24

Setting the Privilege Level for a Command
To set the privilege level for a command, perform this task:

Step 1  Switch(config)# privilege mode level level command
        Sets the privilege level for a command.
Step 2  Switch(config)# enable password level level [encryption-type] password
        Specifies the enable password for a privilege level.

For information on how to display the password or access level configuration, see the “Displaying the
Password, Access Level, and Privilege Level Configuration” section on page 3-24.

Changing the Default Privilege Level for Lines
To change the default privilege level for a given line or a group of lines, perform this task:

Command Purpose
Switch(config-line)# privilege level level Changes the default privilege level for the line.

For information on how to display the password or access level configuration, see the “Displaying the
Password, Access Level, and Privilege Level Configuration” section on page 3-24.

Logging In to a Privilege Level
To log in at a specified privilege level, enter this command:

Command Purpose
Switch# enable level Logs in to a specified privilege level.

Exiting a Privilege Level
To exit to a specified privilege level, enter this command:

Command Purpose
Switch# disable level Exits to a specified privilege level.

Displaying the Password, Access Level, and Privilege Level Configuration
To display detailed password information, perform this task:

Command Purpose
Step 1 Switch# show running-config Displays the password and access level configuration.
Step 2 Switch# show privilege Shows the privilege level configuration.

This example shows how to display the password and access level configuration:
Switch# show running-config
Building configuration...

Current configuration:
!
version 12.0
service timestamps debug datetime localtime
service timestamps log datetime localtime
no service password-encryption
!
hostname Switch
!
boot system flash sup-bootflash
enable password lab
!
<...output truncated...>

This example shows how to display the privilege level configuration:
Switch# show privilege
Current privilege level is 15
Switch#

Recovering a Lost Enable Password
Note For more information on the configuration register which is preconfigured in NVRAM, see “Configuring
the Software Configuration Register” section on page 3-26.

To recover a lost enable password, follow these steps:

Step 1 Connect to the console interface.
Step 2 Stop the boot sequence and enter ROM monitor by pressing Ctrl-C during the first 5 seconds of bootup.
Step 3 Configure the switch to boot-up without reading the configuration memory (NVRAM).
Step 4 Reboot the system.
Step 5 Access enable mode (this can be done without a password if a password has not been configured).
Step 6 View or change the password, or erase the configuration.
Step 7 Reconfigure the switch to boot-up and read the NVRAM as it normally does.
Step 8 Reboot the system.

Modifying the Supervisor Engine Startup Configuration
These sections describe how the startup configuration on the supervisor engine works and how to modify
the BOOT variable and the configuration register:
• Understanding the Supervisor Engine Boot Configuration, page 3-25
• Configuring the Software Configuration Register, page 3-26
• Specifying the Startup System Image, page 3-30
• Controlling Environment Variables, page 3-31

Understanding the Supervisor Engine Boot Configuration
The supervisor engine boot process involves two software images: ROM monitor and supervisor engine
software. When the switch is booted or reset, the ROMMON code is executed. Depending on the
NVRAM configuration, the supervisor engine either stays in ROMMON mode or loads the supervisor
engine software.
Two user-configurable parameters determine how the switch boots: the configuration register and the
BOOT environment variable. The configuration register is described in the “Modifying the Boot Field
and Using the boot Command” section on page 3-27. The BOOT environment variable is described in
the “Specifying the Startup System Image” section on page 3-30.

Understanding the ROM Monitor
The ROM monitor (ROMMON) is invoked at switch bootup, reset, or when a fatal exception occurs. The
switch enters ROMMON mode if the switch does not find a valid software image, if the NVRAM
configuration is corrupted, or if the configuration register is set to enter ROMMON mode. From
ROMMON mode, you can manually load a software image from bootflash or a flash disk, or you can
boot up from the management interface. ROMMON mode loads a primary image from which you can
configure a secondary image to boot up from a specified source either locally or through the network
using the BOOTLDR environment variable. This variable is described in the “Switch#” section on
page 3-32.
You can also enter ROMMON mode by restarting the switch and then pressing Ctrl-C during the first
five seconds of startup. If you are connected through a terminal server, you can escape to the Telnet
prompt and enter the send break command to enter ROMMON mode.

Note Ctrl-C is always enabled for five seconds after you reboot the switch, regardless of whether the
configuration-register setting has Ctrl-C disabled.

The ROM monitor has these features:
• Power-on confidence test
• Hardware initialization
• Boot capability (manual bootup and autoboot)
• File system (read-only while in ROMMON)

Configuring the Software Configuration Register
The switch uses a 16-bit software configuration register, which allows you to set specific system
parameters. Settings for the software configuration register are preconfigured in NVRAM.
Here are some reasons why you might want to change the software configuration register settings:
• To select a boot source and default boot filename
• To control broadcast addresses
• To set the console terminal baud rate
• To load operating software from flash memory
• To recover a lost password
• To manually boot the system using the boot command at the bootstrap program prompt
• To force an automatic bootup from the system bootstrap software (boot image) or from a default
system image in onboard flash memory, and read any boot system commands that are stored in the
configuration file in NVRAM

Caution To avoid possibly halting the Catalyst 4500 series switch, remember that valid configuration
register settings might be combinations of settings and not just the individual settings listed in Table 3-3.
For example, the factory default value of 0x2101 is a combination of settings.

Table 3-3 lists the meaning of each of the software configuration memory bits. Table 3-4 defines the boot
field.

Table 3-3 Software Configuration Register Bits

Bit Number (1)   Hexadecimal          Meaning
00 to 03         0x0000 to 0x000F     Boot field (see Table 3-4)
04               0x0010               Unused
05               0x0020               Bit two of console line speed
06               0x0040               Causes system software to ignore NVRAM contents
07               0x0080               OEM (2) bit enabled
08               0x0100               Unused
09               0x0200               Unused
10               0x0400               IP broadcast with all zeros
11 to 12         0x0800 to 0x1000     Bits one and zero of console line speed (default is 9600 baud)
13               0x2000               Loads ROM monitor after netboot fails
14               0x4000               IP broadcasts do not have network numbers
1. The factory default value for the configuration register is 0x2101. This value is a combination of the following: binary bit 13 = 0x2000,
bit 8 = 0x0100, and binary bits 00 through 03 = 0x0001. See Table 3-4.
2. OEM = original equipment manufacturer.

Table 3-4 Explanation of Boot Field (Configuration Register Bits 00 to 03)

Boot Field Meaning
00 Stays at the system bootstrap prompt (does not autoboot).
01 Boots the first file in onboard flash memory.
02 to 0F Autoboots using image(s) specified by the BOOT environment variable. If more than one
image is specified, the switch attempts to boot the first image specified in the BOOT
variable. As long as the switch can successfully boot from this image, the same image is
used on a reboot. If the switch fails to boot from the image specified in the BOOT variable,
the switch tries to boot from the next image listed in the BOOT variable. If the end of the
BOOT variable is reached without the switch booting successfully, the switch attempts the
boot from the beginning of the BOOT variable. The autoboot continues until the switch
successfully boots from one of the images specified in the BOOT variable.

Modifying the Boot Field and Using the boot Command
The configuration register boot field determines whether the switch loads an operating system image
and, if so, where it obtains this system image. The following sections describe how to use and set the
configuration register boot field and the procedures you must perform to modify the configuration
register boot field. In ROMMON, to modify the configuration register and change boot settings, use the
confreg command.
Bits 0 through 3 of the software configuration register contain the boot field.

Note The factory default configuration register setting for systems and spares is 0x2101. However, the
recommended value is 0x0102.

When the boot field is set to either 00 or 01 (0-0-0-0 or 0-0-0-1), the system ignores any boot instructions
in the system configuration file and the following occurs:
• When the boot field is set to 00, you must boot up the operating system manually by entering the
boot command at the system bootstrap or ROMMON prompt.
• When the boot field is set to 01, the system boots the first image in the bootflash single in-line
memory module (SIMM).
• When the entire boot field equals a value between 0-0-1-0 and 1-1-1-1, the switch loads the system
image specified by boot system commands in the startup configuration file.

Caution If you set the boot field to a value between 0-0-1-0 and 1-1-1-1, you must specify a value in the boot system
command; otherwise the switch cannot boot up and remains in ROMMON.

You can enter the boot command only or enter the command and include additional boot instructions,
such as the name of a file stored in flash memory, or a file that you specify for booting from a network
server. If you use the boot command without specifying a file or any other boot instructions, the system
boots from the default flash image (the first image in onboard flash memory). Otherwise, you can
instruct the system to boot up from a specific flash image (using the boot system flash filename
command).
You can also use the boot command to boot up images stored in the compact flash cards located in slot 0
on the supervisor engine.

Modifying the Boot Field
Modify the boot field from the software configuration register. To modify the software configuration
register boot field, perform this task:

Command Purpose
Step 1 Switch# show version Determines the current configuration register setting.
Step 2 Switch# configure terminal Enters configuration mode and specifies the terminal
option.
Step 3 Switch(config)# config-register value Modifies the existing configuration register setting to
reflect the way you want the switch to load a system
image.
Step 4 Switch(config)# end Exits configuration mode.
Step 5 Switch# reload Reboots the switch to make your changes take effect.

To modify the configuration register while the switch is running Cisco IOS software, follow these steps:

Step 1 Enter the enable command and your password to enter privileged level, as follows:
Switch> enable
Password:
Switch#

Step 2 Enter the configure terminal command at the EXEC mode prompt (#), as follows:
Switch# configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Switch(config)#

Step 3 Configure the configuration register to 0x102 as follows:
Switch(config)# config-register 0x102

Set the contents of the configuration register by specifying the value command variable, where value is
a hexadecimal number preceded by 0x (see Table 3-3 on page 3-27).
Step 4 Enter the end command to exit configuration mode. The new value settings are saved to memory;
however, the new settings do not take effect until the system is rebooted.
Step 5 Enter the show version EXEC command to display the configuration register value currently in effect;
it will be used at the next reload. The value is displayed on the last line of the screen display, as shown in
this sample output:
Configuration register is 0x141 (will be 0x102 at next reload)

Step 6 Save your settings.
See the “Saving the Running Configuration Settings to Your Start-Up File” section on page 3-10. Note
that configuration register changes take effect only after the system reloads, such as when you enter a
reload command from the console.
Step 7 Reboot the system. The new configuration register value takes effect with the next system boot up.

Verifying the Configuration Register Setting
Enter the show version EXEC command to verify the current configuration register setting. In
ROMMON mode, enter the show version command to verify the configuration register setting.
To verify the configuration register setting for the switch, perform this task:

Command Purpose
Switch# show version Displays the configuration register setting.

In this example, the show version command indicates that the current configuration register is set so that
the switch does not automatically load an operating system image. Instead, it enters ROMMON mode
and waits for you to enter ROM monitor commands.
Supervisor Engine 6-E and Supervisor Engine 6L-E
Switch# show version
Cisco IOS Software, Catalyst 4500 L3 Switch Software (cat4500e-ENTSERVICES-M), Version
15.1(1)SG5.214, CISCO INTERNAL USE ONLY DEVTEST VERSION , synced to END_OF_FLO_ISP
Copyright (c) 1986-2012 by Cisco Systems, Inc.
Compiled Tue 17-Jan-12 23:07 by gsbuprod

ROM: 12.2(44r)SG(0.146)
Switch uptime is 1 minute
System returned to ROM by power-on
System image file is
"tftp://172.25.60.31/auto/gsg-sw/interim/flo_dsgs7/newest_image/ios/dev/cat4500e-entservic
es-mz"

Darkside Revision 4, Jawa Revision 20, Tatooine Revision 141, Forerunner Revision 1.83

cisco WS-C4503-E (MPC8548) processor (revision 6) with 1048576K bytes of memory.
Processor board ID SPE120301X8
MPC8548 CPU at 1.33GHz, Supervisor 6-E
Last reset from PowerUp
1 Virtual Ethernet interface
52 Gigabit Ethernet interfaces
2 Ten Gigabit Ethernet interfaces
511K bytes of non-volatile configuration memory.

Supervisor Engine 7-E, Supervisor Engine 7L-E, and Supervisor Engine 8-E
Switch# show version
Cisco IOS Software, IOS-XE Software, Catalyst 4500 L3 Switch Software
(cat4500e-UNIVERSALK9-M), Version 03.03.00.SG5.
CISCO INTERNAL USE ONLY UNIVERSAL DEVELOPMENT K10 IOSD VERSION , synced to V150_5_20_SID
Copyright (c) 1986-2011 by Cisco Systems, Inc.
Compiled Wed 14-Dec-11 07:59 by gsbuprod

ROM: 15.0(1r)SG(0.326)
Switch uptime is 7 minutes
System returned to ROM by reload
System image file is
"tftp://172.25.60.31/auto/gsg-sw/interim/flo_gsbu8/newest_image/iosxe/dev/cat4500e-univers
alk9.b
Jawa Revision 7, Snowtrooper Revision 0x0.0x1C

Last reload reason: Reload command

...

License Information for 'WS-X45-SUP7-E'
License Level: entservices Type: Permanent
Next reboot license Level: entservices

cisco WS-C4503-E (MPC8572) processor (revision 8) with 2097152K/20480K bytes of memory.
Processor board ID SPE134600QA
MPC8572 CPU at 1.5GHz, Supervisor 7
Last reset from Reload
1 Virtual Ethernet interface
96 Gigabit Ethernet interfaces
4 Ten Gigabit Ethernet interfaces
511K bytes of non-volatile configuration memory.

Configuration register is 0x40
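As an added example that is not part of this guide, the following Python decodes a register value against Table 3-3 and Table 3-4 and audits the "Configuration register is ..." line of show version, flagging the two settings an operator should not leave behind after maintenance: bit 6 (ignore NVRAM contents, the password-recovery setting, which is set in the 0x141 and 0x40 sample values above) and a boot field of 00 (the switch stops at ROMMON on reload). The sample lines are constructed from the outputs shown above, and the findings are this example's own reading of the tables.

```python
"""Decode and audit a Catalyst 4500 software configuration register.

Added example, not code from the Cisco guide. Bit meanings come from
Table 3-3 and Table 3-4 of the guide; the risk findings are this example's
own reading of them. Sample inputs are constructed from the guide's
show version lines.
"""
import re

# Single-bit fields from Table 3-3, keyed by their hexadecimal mask.
FLAG_BITS = {
    0x0040: "system software ignores NVRAM contents",
    0x0080: "OEM bit enabled",
    0x0400: "IP broadcast with all zeros",
    0x2000: "loads ROM monitor after netboot fails",
    0x4000: "IP broadcasts do not have network numbers",
}
UNUSED_BITS = 0x0010 | 0x0100 | 0x0200
BOOT_FIELD_MASK = 0x000F
IGNORE_NVRAM = 0x0040
# Bit 5 is bit two of the console line speed; bits 11 and 12 hold bits one and zero.
CONSOLE_SPEED_BITS = 0x0020 | 0x0800 | 0x1000


def boot_field_meaning(boot_field):
    """Describe a boot-field value (bits 00 to 03) per Table 3-4."""
    if boot_field == 0x0:
        return "stays at the system bootstrap prompt (does not autoboot)"
    if boot_field == 0x1:
        return "boots the first file in onboard flash memory"
    return "autoboots using the image(s) in the BOOT environment variable"


def decode_confreg(value):
    """Return a dict describing a 16-bit configuration register value."""
    if not 0 <= value <= 0xFFFF:
        raise ValueError("configuration register is a 16-bit value")
    return {
        "value": value,
        "boot_field": value & BOOT_FIELD_MASK,
        "boot": boot_field_meaning(value & BOOT_FIELD_MASK),
        "flags": [text for mask, text in FLAG_BITS.items() if value & mask],
        "unused_bits_set": value & UNUSED_BITS,
        # All console speed bits clear is the factory default (9600 baud).
        "default_console_speed": (value & CONSOLE_SPEED_BITS) == 0,
    }


def findings(value):
    """Return audit findings for one register value (empty list = clean)."""
    info = decode_confreg(value)
    out = []
    if value & IGNORE_NVRAM:
        # The startup configuration (passwords, access lists, everything) is not
        # applied at boot. This is the password-recovery setting and should not
        # remain set once recovery is finished.
        out.append("0x%04x: ignores startup configuration (bit 6 set)" % value)
    if info["boot_field"] == 0x0:
        out.append("0x%04x: will stop at ROMMON on reload (boot field 00)" % value)
    return out


CONFREG_LINE = re.compile(
    r"Configuration register is (0x[0-9A-Fa-f]+)"
    r"(?: \(will be (0x[0-9A-Fa-f]+) at next reload\))?"
)


def parse_show_version(output):
    """Extract (current, next_reload) register values from show version output."""
    match = CONFREG_LINE.search(output)
    if match is None:
        raise ValueError("no 'Configuration register is' line found")
    current = int(match.group(1), 16)
    next_reload = int(match.group(2), 16) if match.group(2) else current
    return current, next_reload


def audit_show_version(output):
    """Audit both the running and the next-reload register values."""
    current, next_reload = parse_show_version(output)
    return {"current": findings(current), "next_reload": findings(next_reload)}


if __name__ == "__main__":
    # Constructed from the guide's sample show version line.
    SAMPLE = "Configuration register is 0x141 (will be 0x102 at next reload)"
    for which, items in audit_show_version(SAMPLE).items():
        print(which, items or ["clean"])
```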

Specifying the Startup System Image
You can enter multiple boot commands in the startup configuration file or in the BOOT environment
variable to provide backup methods for loading a system image.
The BOOT environment variable is also described in the “Specify the Startup System Image in the
Configuration File” section in the “Loading and Maintaining System Images and Microcode” chapter of
the Cisco IOS Configuration Fundamentals Configuration Guide.
Use the following sections to configure your switch to boot from flash memory. Flash memory can be
either single in-line memory modules (SIMMs) or flash disks. Check the appropriate hardware
installation and maintenance guide for information about types of flash memory.

Flash Memory Features
Flash memory allows you to do the following:
• Remotely load multiple system software images through TFTP or RCP transfers (one transfer for
each file loaded)
• Boot a switch manually or automatically from a system software image stored in flash memory (you
can also boot directly from ROM)
• Copy the system image to flash memory using TFTP
• Boot the system from flash memory either automatically or manually
• Copy the flash memory image to a network server using TFTP or RCP
For more information on flash memory, see this URL:
http://www.cisco.com/en/US/docs/switches/lan/catalyst4500/hardware/configuration/notes/OL_2788.html

Security Precautions
Note the following security precaution when loading from flash memory:

Caution You can only change the system image stored in flash memory from privileged EXEC level on the
console terminal.

Configuring Flash Memory
To configure your switch to boot from flash memory, perform the following procedure. Refer to the
appropriate hardware installation and maintenance publication for complete instructions on installing
the hardware.

Step 1 Copy a system image to flash memory using TFTP or other protocols. Refer to the “Cisco IOS File
Management” and “Loading and Maintaining System Images” chapters in the Cisco IOS Configuration
Fundamentals Configuration Guide, Release 12.2, at the following URL:

http://www.cisco.com/en/US/docs/ios/fundamentals/configuration/guide/12_2sr/cf_12_2sr_book.html
Step 2 Configure the system to boot automatically from the desired file in flash memory.
You might need to change the configuration register value. See the “Modifying the Boot Field and Using
the boot Command” section on page 3-27, for more information on modifying the configuration register.
Step 3 Save your configurations.
Step 4 Power cycle and reboot your system to verify that all is working as expected.

Controlling Environment Variables
Although the ROM monitor controls environment variables, you can create, modify, or view them with
certain commands. To create or modify the BOOT and BOOTLDR variables, use the boot system and
boot bootldr global configuration commands, respectively. Refer to the “Specify the Startup System
Image in the Configuration File” section in the “Loading and Maintaining System Images and
Microcode” chapter of the Configuration Fundamentals Configuration Guide for details on setting the
BOOT environment variable.

Note When you use the boot system and boot bootldr global configuration commands, you affect only the
running configuration. To save the configuration for future use, you must save the environment variable
settings to your startup configuration, which places the information under ROM monitor control. Enter
the copy system:running-config nvram:startup-config command to save the environment variables
from your running configuration to your startup configuration.

You can view the contents of the BOOT and BOOTLDR variables using the show bootvar command.
This command displays the settings for these variables as they exist in the startup configuration and in
the running configuration if a running configuration setting differs from a startup configuration setting.
This example shows how to check the BOOT and BOOTLDR variables on the switch:
Switch# show bootvar
BOOTLDR variable = bootflash:cat4000-is-mz,1;
Configuration register is 0x0
Switch#

Resetting a Switch to Factory Default Settings
Manufacturing and repair centers can use the erase /all non-default command to do the following:
• Clear the nonvolatile configurations and states of the local supervisor engine (NVRAM and flashes).
• Set the factory default parameters on the Catalyst 4500 series switch before it is ready to ship to a
customer.
For example, entering this command can generate the following output:
Switch# erase /all non-default
Erase and format operation will destroy all data in non-volatile storage. Continue?
[confirm]
Formatting bootflash: ...

Format of bootflash complete
Erasing nvram:
Erasing cat4000_flash:
Clearing crashinfo:data
Clearing the last power failure timestamp
Clearing all ROMMON variables
Setting default ROMMON variables:
ConfigReg=0x2101
PS1=rommon ! >
EnableAutoConfig=1
Setting vtp mode to transparent
%WARNING! Please reboot the system for the changes to take effect
Switch#
00:01:48: %SYS-7-NV_BLOCK_INIT: Initialized the geometry of nvram
Switch#

If the Catalyst 4500 series switch is accessible to a TFTP server, you can copy an image to the bootflash
memory with the TFTP command:
Switch# copy tftp://192.20.3.123/tftpboot/abc/cat4500-entservices-mz.bin bootflash:

When the copy is complete, you can reboot the Catalyst 4500 series switch to the just-copied image
stored in the bootflash memory with the reload command:
Switch# reload

System configuration has been modified. Save? [yes/no]: no
Proceed with reload? [confirm]

00:06:17: %SYS-5-RELOAD: Reload requested by console. Reload Reason: Reload Command.

To see details about the default parameters set by the erase /all non-default command, see the usage
guidelines for the erase command in the Catalyst 4500 Series Switch Cisco IOS Command Reference.

Chapter 4
Administering the Switch

This chapter describes how to perform one-time operations to administer the Catalyst 4500 Series
switch.
This chapter also describes how to install and configure the Embedded CiscoView network management
system to provide a graphical representation of a Catalyst 4500 series switch and to provide a GUI-based
management and configuration interface.
This chapter includes the following major sections:
• Managing the System Time and Date, page 4-1
• Managing Software Licenses Using Permanent Right-To-Use Features, page 4-14
• Configuring a System Name and Prompt, page 4-21
• Creating a Banner, page 4-24
• Managing the MAC Address Table, page 4-28
• Managing the ARP Table, page 4-44
• Configuring Embedded CiscoView Support, page 4-44

Note For complete syntax and usage information for the switch commands used in this chapter, see the Cisco
Catalyst 4500 Series Switch Command Reference and related publications at this location:

http://www.cisco.com/en/US/products/hw/switches/ps4324/index.html

If a command is not in the Catalyst 4500 Series Switch Command Reference, you can locate it in the
Cisco IOS library. See the Cisco IOS Command Reference and related publications at this location:

http://www.cisco.com/en/US/products/ps6350/index.html

Managing the System Time and Date
You can configure the system time and date on your switch manually or automatically by using Network
Time Protocol (NTP).
These sections contain this configuration information:
• System Clock, page 4-2
• Understanding Network Time Protocol, page 4-2

• Configuring NTP, page 4-3
• Configuring Time and Date Manually, page 4-11

System Clock
The core of the time service is the system clock, which monitors the date and time. This clock starts when
the system starts.
The system clock can provide time to these services:
• User show commands
• Logging and debugging messages
The system clock keeps track of time internally based on Universal Time Coordinated (UTC), also
known as Greenwich Mean Time (GMT). You can configure information about the local time zone and
summer time (daylight saving time) so that the time is correct for the local time zone.
The system clock keeps track of whether the time is authoritative or not (whether it was set by a time
source considered to be authoritative). If it is not authoritative, the time is available only for display
purposes and is not redistributed. For configuration information, see the “Configuring Time and Date
Manually” section on page 4-11.

Understanding Network Time Protocol
The NTP is designed to synchronize a network of devices. NTP runs over User Datagram Protocol
(UDP), which runs over IP. NTP is documented in RFC 1305.
An NTP network usually gets its time from an authoritative time source, such as a radio clock or an
atomic clock attached to a time server. NTP then distributes this time across the network. NTP is
extremely efficient; no more than one packet per minute is necessary to synchronize two devices to
within a millisecond of one another.
NTP uses the concept of a stratum to describe how many NTP hops away a device is from an
authoritative time source. A stratum 1 time server has a radio or atomic clock directly attached, a
stratum 2 time server receives its time through NTP from a stratum 1 time server, and so on. A device
running NTP automatically chooses as its time source the device with the lowest stratum number with
which it communicates through NTP. This strategy effectively builds a self-organizing tree of NTP
speakers.
NTP avoids synchronizing to a device whose time might not have been synchronized. NTP also
compares the time reported by several devices and does not synchronize to a device whose time is
significantly different from the others, even if its stratum is lower.
The communications between devices running NTP (known as associations) are usually statically
configured; each device is given the IP address of all devices with which it should associate. Accurate
timekeeping is possible by exchanging NTP messages between each pair of devices with an association.
However, in a LAN environment, NTP can be configured to use IP broadcast messages instead. This
alternative reduces configuration complexity because each device can be configured to send or receive
broadcast messages; however, information flow is one-way only.
The time kept on a device is a critical resource; you should use the security features of NTP to avoid the
accidental or malicious setting of an incorrect time. Two mechanisms are available: an access list-based
restriction scheme and an encrypted authentication mechanism.

Cisco’s implementation of NTP does not support stratum 1 service; it is not possible to connect to a radio
or atomic clock. We recommend that the time service for your network be derived from the public NTP
servers available on the IP Internet.
Figure 4-1 shows a typical network example using NTP. Switch A is the NTP master, with Switches B,
C, and D configured in NTP server mode, in server association with Switch A. Switch E is configured
as an NTP peer to the upstream and downstream switches, Switch B and Switch F, respectively.

Figure 4-1 Typical NTP Network Configuration

[Figure: the network described above. Nodes shown are Switch A with local workgroup servers, Switches B, C, and D, Switch E, Switch F, and workstations.]

If the network is isolated from the Internet, Cisco’s implementation of NTP allows a device to act as if
it is synchronized through NTP, when it is not. Other devices then synchronize to that device through
NTP.
NTP time overrides the time set by any other method.
Several manufacturers include NTP software for their host systems, and a public version for systems
running UNIX and its various derivatives is also available. This software allows host systems to be
synchronized as well.

Configuring NTP
These sections contain this configuration information:
• Default NTP Configuration, page 4-4
• Configuring NTP Authentication, page 4-4

• Configuring NTP Associations, page 4-6
• Configuring NTP Broadcast Service, page 4-7
• Configuring NTP Access Restrictions, page 4-8
• Configuring the Source IP Address for NTP Packets, page 4-10
• Displaying the NTP Configuration, page 4-11

Default NTP Configuration
Table 4-1 shows the default NTP configuration.

Table 4-1 Default NTP Configuration

Feature Default Setting
NTP authentication Disabled. No authentication key is specified.
NTP peer or server associations None configured.
NTP broadcast service Disabled; no interface sends or receives NTP broadcast packets.
NTP access restrictions No access control is specified.
NTP packet source IP address The source address is set by the outgoing interface.

NTP is enabled on all interfaces by default. All interfaces receive NTP packets.

Configuring NTP Authentication
This procedure must be coordinated with the administrator of the NTP server; the information you
configure in this procedure must be matched by the servers used by the switch to synchronize its time to
the NTP server.
To authenticate the associations (communications between devices running NTP that provide for
accurate timekeeping) with other devices for security purposes, perform this task:

Command Purpose
Step 1 configure terminal Enters global configuration mode.
Step 2 ntp authenticate Enables the NTP authentication feature, which is disabled by
default.
Step 3 ntp authentication-key number md5 value Defines the authentication keys. By default, none are defined.
• For number, specify a key number. The range is 1 to
4294967295.
• md5 specifies that message authentication support is provided
by using the message digest algorithm 5 (MD5).
• For value, enter an arbitrary string of up to eight characters for
the key.
The switch does not synchronize to a device unless both have one
of these authentication keys, and the key number is specified by the
ntp trusted-key key-number command.

Step 4 ntp trusted-key key-number Specifies one or more key numbers (defined in Step 3) that a peer
NTP device must provide in its NTP packets for this switch to
synchronize to it.
By default, no trusted keys are defined.
For key-number, specify the key defined in Step 3.
This command provides protection against accidentally
synchronizing the switch to a device that is not trusted.
Step 5 end Returns to privileged EXEC mode.
Step 6 show running-config Verifies your entries.
Step 7 copy running-config startup-config (Optional) Saves your entries in the configuration file.

To disable NTP authentication, use the no ntp authenticate global configuration command. To remove
an authentication key, use the no ntp authentication-key number global configuration command. To
disable authentication of the identity of a device, use the no ntp trusted-key key-number global
configuration command.
This example shows how to configure the switch to synchronize only to devices providing authentication
key 42 in the device’s NTP packets:
Switch# configure terminal
Switch(config)# ntp authenticate
Switch(config)# ntp authentication-key 42 md5 aNiceKey
Switch(config)# ntp trusted-key 42
Switch(config)# end
Switch#
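The keyed-MD5 check behind ntp authentication-key and ntp trusted-key, as an added Python example (not code from this guide or from Cisco IOS): per RFC 1305, the digest is MD5 over the key material followed by the 48-byte NTP header, and a receiver accepts a packet only if the key ID it carries is a trusted key and the digest matches. Assumed: the key material is the ASCII bytes of the configured key string, as in the reference NTP implementation; the packets, and the use of key 42 / aNiceKey from the example above, are constructed for this illustration.

```python
"""Keyed-MD5 NTP packet authentication as used by ntp authentication-key / ntp trusted-key.

Added example, not code from the Cisco guide or from Cisco IOS. The MAC follows
RFC 1305: MD5 over the key material followed by the 48-byte NTP header, sent as
a 4-byte key ID plus a 16-byte digest after the header. Assumption: the key
material is the ASCII bytes of the configured key string, as in the reference
NTP implementation. All packets below are constructed for the example.
"""
import hashlib
import hmac
import struct

NTP_HEADER_LEN = 48
KEY_ID_LEN = 4
DIGEST_LEN = 16
MAX_KEY_NUMBER = 4294967295   # range the guide gives for the key number
MAX_KEY_CHARS = 8             # key length the guide gives for the md5 value


def define_key(keys, number, value):
    """Mirror 'ntp authentication-key number md5 value' with the guide's limits."""
    if not 1 <= number <= MAX_KEY_NUMBER:
        raise ValueError("key number out of range")
    if not 1 <= len(value) <= MAX_KEY_CHARS:
        raise ValueError("key must be 1 to %d characters" % MAX_KEY_CHARS)
    keys[number] = value.encode("ascii")
    return keys


def build_ntp_header(version=3, mode=3, stratum=2, transmit_ts=0):
    """Build a 48-byte NTP header with LI=0 (timestamps are constructed values)."""
    li_vn_mode = (version << 3) | mode
    poll, precision = 6, -20
    # flags, stratum, poll, precision, root delay, root dispersion, reference ID
    fixed = struct.pack("!BBbbIII", li_vn_mode, stratum, poll, precision, 0, 0, 0)
    # reference, originate, receive and transmit timestamps
    timestamps = struct.pack("!QQQQ", 0, 0, 0, transmit_ts)
    return fixed + timestamps


def ntp_mac(key, header):
    """RFC 1305 message digest: MD5(key || header)."""
    return hashlib.md5(key + header).digest()


def sign_packet(header, key_id, key):
    """Append the key ID and digest that the sender transmits with its packet."""
    if len(header) != NTP_HEADER_LEN:
        raise ValueError("expected a %d-byte NTP header" % NTP_HEADER_LEN)
    return header + struct.pack("!I", key_id) + ntp_mac(key, header)


def verify_packet(packet, trusted_keys):
    """Receiver-side check. trusted_keys maps the numbers given to
    'ntp trusted-key' onto their key bytes. Returns (accepted, reason)."""
    if len(packet) == NTP_HEADER_LEN:
        # With authentication enabled, an unauthenticated peer is never used.
        return False, "unauthenticated packet"
    if len(packet) != NTP_HEADER_LEN + KEY_ID_LEN + DIGEST_LEN:
        return False, "malformed authenticator"
    header = packet[:NTP_HEADER_LEN]
    key_id = struct.unpack("!I", packet[NTP_HEADER_LEN:NTP_HEADER_LEN + KEY_ID_LEN])[0]
    digest = packet[NTP_HEADER_LEN + KEY_ID_LEN:]
    key = trusted_keys.get(key_id)
    if key is None:
        return False, "key %d is not a trusted key" % key_id
    # Constant-time comparison so a mismatch leaks nothing about the digest.
    if not hmac.compare_digest(ntp_mac(key, header), digest):
        return False, "digest mismatch (wrong key or modified packet)"
    return True, "authenticated with key %d" % key_id


if __name__ == "__main__":
    switch_keys = define_key({}, 42, "aNiceKey")   # the guide's example key
    header = build_ntp_header(transmit_ts=0xE2FB9B1E00000000)
    good = sign_packet(header, 42, switch_keys[42])
    print(verify_packet(good, switch_keys))
    tampered = good[:1] + bytes([good[1] ^ 1]) + good[2:]   # flip a stratum bit
    print(verify_packet(tampered, switch_keys))
```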

Configuring NTP Associations
An NTP association can be a peer association (this switch can either synchronize to the other device or
allow the other device to synchronize to it), or it can be a server association (meaning that only this
switch synchronizes to the other device, and not the other way around).
To form an NTP association with another device, perform this task:

Command Purpose
Step 1 configure terminal Enters global configuration mode.
Step 2 ntp peer ip-address [version number] [key keyid] [source interface] [prefer]
Configures the switch system clock to synchronize a peer or to be
synchronized by a peer (peer association).
or
ntp server ip-address [version number] [key keyid] [source interface] [prefer]
Configures the switch system clock to be synchronized by a time server
(server association).
No peer or server associations are defined by default.
• For ip-address in a peer association, specify either the IP address of
the peer providing, or being provided, the clock synchronization. For
a server association, specify the IP address of the time server
providing the clock synchronization.
• (Optional) For number, specify the NTP version number. The range is
1 to 3. By default, Version 3 is selected.
• (Optional) For keyid, enter the authentication key defined by entering
the ntp authentication-key global configuration command.
• (Optional) For interface, specify the interface from which to pick the
IP source address. By default, the source IP address is taken from the
outgoing interface.
• (Optional) Enter the prefer keyword to make this peer or server the
preferred one that provides synchronization. This keyword reduces
switching back and forth between peers and servers.
Step 3 end Returns to privileged EXEC mode.
Step 4 show running-config Verifies your entries.
Step 5 copy running-config startup-config (Optional) Saves your entries in the configuration file.

You need to configure only one end of an association; the other device can automatically establish the
association. If you are using the default NTP version (Version 3) and NTP synchronization does not
occur, try using NTP Version 2. Many NTP servers on the Internet run Version 2.
To remove a peer or server association, use the no ntp peer ip-address or the no ntp server ip-address
global configuration command.
This example shows how to configure the switch to synchronize its system clock with the clock of the
peer at IP address 172.16.22.44 using NTP Version 2:
Switch# configure terminal
Switch(config)# ntp server 172.16.22.44 version 2
Switch(config)# end
Switch#

Configuring NTP Broadcast Service
The communications between devices running NTP (known as associations) are usually statically
configured; each device is given the IP addresses of all devices with which it should form associations.
Accurate timekeeping is possible by exchanging NTP messages between each pair of devices with an
association. However, in a LAN environment, NTP can be configured to use IP broadcast messages
instead. This alternative reduces configuration complexity because each device can be configured to
send or receive broadcast messages. However, the information flow is one-way only.
The switch can send or receive NTP broadcast packets on an interface-by-interface basis if there is an
NTP broadcast server, such as a router, broadcasting time information on the network. The switch can
send NTP broadcast packets to a peer so that the peer can synchronize to it. The switch can also receive
NTP broadcast packets to synchronize its own clock. This section provides procedures for both sending
and receiving NTP broadcast packets.
To configure the switch to send NTP broadcast packets to peers so that they can synchronize their clock
to the switch, perform this task:

Command Purpose
Step 1 configure terminal Enters global configuration mode.
Step 2 interface interface-id Specifies the interface to send NTP broadcast packets, and enters
interface configuration mode.
Step 3 ntp broadcast [version number] [key Enables the interface to send NTP broadcast packets to a peer.
keyid] [destination-address]
By default, this feature is disabled on all interfaces.
• (Optional) For number, specify the NTP version number. The
range is 1 to 3. If you do not specify a version, Version 3 is used.
• (Optional) For keyid, specify the authentication key to use when
sending packets to the peer.
• (Optional) For destination-address, specify the IP address of the
peer that is synchronizing its clock to this switch.
Step 4 end Returns to privileged EXEC mode.
Step 5 show running-config Verifies your entries.
Step 6 copy running-config startup-config (Optional) Saves your entries in the configuration file.

To disable the interface from sending NTP broadcast packets, use the no ntp broadcast interface
configuration command.
This example shows how to configure a port to send NTP Version 2 packets:
Switch# configure terminal
Switch(config)# interface gigabitethernet0/1
Switch(config-if)# ntp broadcast version 2
Switch(config-if)# end
Switch#

Software Configuration Guide—Release IOS XE 3.6.0E and IOS 15.2(2)E
OL-30933-01 4-7
Chapter 4 Administering the Switch
Managing the System Time and Date

To configure the switch to receive NTP broadcast packets from connected peers, perform this task:

Command Purpose
Step 1 configure terminal Enters global configuration mode.
Step 2 interface interface-id Specifies the interface to receive NTP broadcast packets, and enters interface configuration mode.
Step 3 ntp broadcast client Enables the interface to receive NTP broadcast packets.
By default, no interfaces receive NTP broadcast packets.
Step 4 exit Returns to global configuration mode.
Step 5 ntp broadcastdelay microseconds (Optional) Changes the estimated round-trip delay between the switch and
the NTP broadcast server.
The default is 3000 microseconds; the range is 1 to 999999.
Step 6 end Returns to privileged EXEC mode.
Step 7 show running-config Verifies your entries.
Step 8 copy running-config startup-config (Optional) Saves your entries in the configuration file.

To disable an interface from receiving NTP broadcast packets, use the no ntp broadcast client interface
configuration command. To change the estimated round-trip delay to the default, use the
no ntp broadcastdelay global configuration command.
This example shows how to configure a port to receive NTP broadcast packets:
Switch# configure terminal
Switch(config)# interface gigabitethernet0/1
Switch(config-if)# ntp broadcast client
Switch(config-if)# end
Switch#

Configuring NTP Access Restrictions
You can control NTP access on two levels as described in these sections:
• Creating an Access Group and Assigning a Basic IP Access List, page 4-9
• Disabling NTP Services on a Specific Interface, page 4-10

Creating an Access Group and Assigning a Basic IP Access List

To control access to NTP services by using access lists, perform this task:

Command Purpose
Step 1 configure terminal Enters global configuration mode.
Step 2 ntp access-group {query-only | serve-only | serve | peer} access-list-number
Creates an access group, and applies a basic IP access list.
The keywords have these meanings:
• query-only—Allows only NTP control queries.
• serve-only—Allows only time requests.
• serve—Allows time requests and NTP control queries, but does not allow the switch to synchronize to the remote device.
• peer—Allows time requests and NTP control queries and allows the switch to synchronize to the remote device.
For access-list-number, enter a standard IP access list number from 1 to 99.
Step 3 access-list access-list-number Creates the access list.
permit source [source-wildcard]
• For access-list-number, enter the number specified in Step 2.
• Enter the permit keyword to permit access if the conditions are
matched.
• For source, enter the IP address of the device that is permitted access
to the switch.
• (Optional) For source-wildcard, enter the wildcard bits to be applied
to the source.
Note When creating an access list, remember that, by default, the end
of the access list contains an implicit deny statement for
everything if it did not find a match before reaching the end.
Step 4 end Returns to privileged EXEC mode.
Step 5 show running-config Verifies your entries.
Step 6 copy running-config startup-config (Optional) Saves your entries in the configuration file.

The access group keywords are scanned in this order, from least restrictive to most restrictive:
1. peer—Allows time requests and NTP control queries and allows the switch to synchronize itself to
a device whose address passes the access list criteria.
2. serve—Allows time requests and NTP control queries, but does not allow the switch to synchronize
itself to a device whose address passes the access list criteria.
3. serve-only—Allows only time requests from a device whose address passes the access list criteria.
4. query-only—Allows only NTP control queries from a device whose address passes the access list
criteria.
If the source IP address matches the access lists for more than one access type, the first type is granted.
If no access groups are specified, all access types are granted to all devices. If any access groups are
specified, only the specified access types are granted.

To remove access control to the switch NTP services, use the
no ntp access-group {query-only | serve-only | serve | peer} global configuration command.
This example shows how to configure the switch to allow itself to synchronize to a peer from access
list 99. However, the switch restricts access to allow only time requests from access list 42:
Switch# configure terminal
Switch(config)# ntp access-group peer 99
Switch(config)# ntp access-group serve-only 42
Switch(config)# access-list 99 permit 172.20.130.5
Switch(config)# access-list 42 permit 172.20.130.6
Switch(config)# end
Switch#
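The scanning rules above (peer, then serve, then serve-only, then query-only; first permitting list wins; implicit deny at the end of every access list; everything granted when no access group exists) decide what a given NTP source may do. The following Python is an added example written for this page, not code from the guide or from Cisco IOS: it models those rules over configuration lines so you can check, before deploying, which hosts end up with which access. The configuration lines are the guide's own example plus one constructed wildcard entry (172.20.131.0 0.0.0.255); the function names and the operation labels are this example's own.

```python
"""Model of how IOS NTP access groups are evaluated (added example, not Cisco code).

Rules taken from the guide:
  * access-list entries use wildcard bits (0 = bit must match, 1 = don't care)
    and every access list ends with an implicit deny;
  * access types are scanned peer, serve, serve-only, query-only, and the first
    type whose list permits the source address is granted;
  * with no ntp access-group configured, every access type is granted.
"""
import ipaddress

SCAN_ORDER = ("peer", "serve", "serve-only", "query-only")

# What each access type grants, from the guide's keyword descriptions.
GRANTS = {
    "peer":       ("time_requests", "control_queries", "sync_to_remote"),
    "serve":      ("time_requests", "control_queries"),
    "serve-only": ("time_requests",),
    "query-only": ("control_queries",),
}
EVERYTHING = GRANTS["peer"]

# The guide's example, with one constructed subnet entry added to show wildcard bits.
GUIDE_CONFIG = [
    "ntp access-group peer 99",
    "ntp access-group serve-only 42",
    "access-list 99 permit 172.20.130.5",
    "access-list 42 permit 172.20.130.6",
    "access-list 42 permit 172.20.131.0 0.0.0.255",   # constructed: whole /24 may request time
]


def parse_config(lines):
    """Collect 'ntp access-group TYPE N' and 'access-list N permit|deny SRC [WILDCARD]'."""
    groups, acls = {}, {}
    for line in lines:
        tok = line.split()
        if tok[:2] == ["ntp", "access-group"]:
            groups[tok[2]] = tok[3]
        elif tok[:1] == ["access-list"] and tok[2] in ("permit", "deny"):
            wildcard = tok[4] if len(tok) > 4 else "0.0.0.0"   # no wildcard = exact host
            acls.setdefault(tok[1], []).append((tok[2], tok[3], wildcard))
    return groups, acls


def acl_matches(entries, source):
    """First matching entry decides; falling off the end is the implicit deny."""
    src = int(ipaddress.IPv4Address(source))
    for action, addr, wildcard in entries:
        care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF   # bits that must match
        if (src & care) == (int(ipaddress.IPv4Address(addr)) & care):
            return action == "permit"
    return False


def ntp_access(groups, acls, source):
    """Return (access type granted, set of operations allowed) for one source address."""
    if not groups:
        return "unrestricted", set(EVERYTHING)
    for kind in SCAN_ORDER:                      # least restrictive first
        number = groups.get(kind)
        if number is not None and acl_matches(acls.get(number, []), source):
            return kind, set(GRANTS[kind])
    return "denied", set()


if __name__ == "__main__":
    groups, acls = parse_config(GUIDE_CONFIG)
    for host in ("172.20.130.5", "172.20.130.6", "172.20.131.77", "172.20.130.7"):
        print(host, ntp_access(groups, acls, host))
```

Note that a host listed in both access lists would be classified as peer, because peer is scanned first; if you intend a host to be serve-only, it must not also pass the peer list.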

Disabling NTP Services on a Specific Interface

NTP services are enabled on all interfaces by default.
To disable NTP packets from being received on an interface, perform this task:

Command Purpose
Step 1 configure terminal Enters global configuration mode.
Step 2 interface interface-id Enters interface configuration mode, and specifies the interface to disable.
Step 3 ntp disable Disables NTP packets from being received on the interface.
By default, all interfaces receive NTP packets.
To reenable receipt of NTP packets on an interface, use the
no ntp disable interface configuration command.
Step 4 end Returns to privileged EXEC mode.
Step 5 show running-config Verifies your entries.
Step 6 copy running-config startup-config (Optional) Saves your entries in the configuration file.

Configuring the Source IP Address for NTP Packets
When the switch sends an NTP packet, the source IP address is normally set to the address of the
interface through which the NTP packet is sent. To use a particular source IP address for all NTP packets,
use the ntp source global configuration command. The address is taken from the specified interface.
This command is useful if the address on an interface cannot be used as the destination for reply packets.
To configure a specific interface from which the IP source address is to be taken, perform this task:

Command Purpose
Step 1 configure terminal Enters global configuration mode.
Step 2 ntp source type number Specifies the interface type and number from which the IP source address
is taken.
By default, the source address is set by the outgoing interface.
Step 3 end Returns to privileged EXEC mode.
Step 4 show running-config Verifies your entries.
Step 5 copy running-config startup-config (Optional) Saves your entries in the configuration file.

The specified interface is used for the source address for all packets sent to all destinations. If a source
address is to be used for a specific association, use the source keyword in the ntp peer or ntp server
global configuration command as described in the “Configuring NTP Associations” section on page 4-6.

Displaying the NTP Configuration
Use the following privileged EXEC commands to display NTP information:
• show ntp associations [detail]
• show ntp status
For detailed information about the fields in these displays, see the
Cisco IOS Configuration Fundamentals Command Reference, Release 12.3.

Configuring Time and Date Manually
If no other source of time is available, you can manually configure the time and date after the system is
restarted. The time remains accurate until the next system restart. We recommend that you use manual
configuration only as a last resort. If you have an outside source to which the switch can synchronize,
you do not need to manually set the system clock.
These sections contain this configuration information:
• Setting the System Clock, page 4-11
• Displaying the Time and Date Configuration, page 4-12
• Configuring the Time Zone, page 4-12
• Configuring Summer Time (Daylight Saving Time), page 4-13

Setting the System Clock
If you have an outside source on the network that provides time services, such as an NTP server, you do
not need to manually set the system clock.
To set the system clock, perform this task:

Command Purpose
Step 1 clock set hh:mm:ss day month year
or
clock set hh:mm:ss month day year
Manually sets the system clock using one of these formats.
• For hh:mm:ss, specify the time in hours (24-hour format), minutes, and seconds. The time specified is relative to the configured time zone.
• For day, specify the day by date in the month.
• For month, specify the month by name.
• For year, specify the year (no abbreviation).

This example shows how to manually set the system clock to 1:32 p.m. on July 23, 2001:
Switch# clock set 13:32:00 23 July 2001

Displaying the Time and Date Configuration
To display the time and date configuration, use the show clock [detail] privileged EXEC command.
The system clock keeps an authoritative flag that shows whether the time is authoritative (believed to be
accurate). If the system clock was set by a timing source such as NTP, the flag is set. If the time is not
authoritative, it is used only for display purposes. Until the clock is authoritative and the authoritative
flag is set, the flag prevents peers from synchronizing to the clock when the peers’ time is invalid.
The symbol that precedes the show clock display has this meaning:
• *—Time is not authoritative.
• (blank)—Time is authoritative.
• .—Time is authoritative, but NTP is not synchronized.

Configuring the Time Zone
To manually configure the time zone, perform this task:

Command Purpose
Step 1 configure terminal Enters global configuration mode.
Step 2 clock timezone zone hours-offset [minutes-offset]
Sets the time zone.
To set the time to UTC, use the no clock timezone global configuration command.
The switch keeps internal time in universal time coordinated (UTC), so this command is used only for display purposes and when the time is manually set.
• For zone, enter the name of the time zone to be displayed when standard time is in effect. The default is UTC.
• For hours-offset, enter the hours offset from UTC.
• (Optional) For minutes-offset, enter the minutes offset from UTC.
Step 3 end Returns to privileged EXEC mode.
Step 4 show running-config Verifies your entries.
Step 5 copy running-config startup-config (Optional) Saves your entries in the configuration file.

The minutes-offset variable in the clock timezone global configuration command is available for those cases where a local time zone is a fraction of an hour different from UTC. For example, the time zone for some sections of Atlantic Canada (AST) is UTC-3.5, where the 3 means 3 hours and .5 means 50 percent. The necessary command is clock timezone AST -3 30.

Configuring Summer Time (Daylight Saving Time)
To configure summer time (daylight saving time) in areas where it starts and ends on a particular day of
the week each year, perform this task:

Command Purpose
Step 1 configure terminal Enters global configuration mode.
Step 2 clock summer-time zone recurring [week day month hh:mm week day month hh:mm [offset]]
Configures summer time to start and end on the specified days every year.
Summer time is disabled by default. If you specify clock summer-time zone recurring without parameters, the summer time rules default to the United States rules.
• For zone, specify the name of the time zone (for example, PDT) to be displayed when summer time is in effect.
• (Optional) For week, specify the week of the month (1 to 5 or last).
• (Optional) For day, specify the day of the week (Sunday, Monday...).
• (Optional) For month, specify the month (January, February...).
• (Optional) For hh:mm, specify the time (24-hour format) in hours and minutes.
• (Optional) For offset, specify the number of minutes to add during summer time. The default is 60.
Step 3 end Returns to privileged EXEC mode.
Step 4 show running-config Verifies your entries.
Step 5 copy running-config startup-config (Optional) Saves your entries in the configuration file.

The first part of the clock summer-time global configuration command specifies when summer time
begins, and the second part specifies when it ends. All times are relative to the local time zone. The start
time is relative to standard time. The end time is relative to summer time. If the starting month is after
the ending month, the system assumes that you are in the southern hemisphere.
This example shows how to specify that summer time starts on the first Sunday in April at 02:00 and
ends on the last Sunday in October at 02:00:
Switch# configure terminal
Switch(config)# clock summer-time PDT recurring 1 Sunday April 2:00 last Sunday October 2:00
Switch(config)# end
Switch#
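The time zone and recurring summer-time sections above state several rules that are easy to get wrong when reasoning about a switch's displayed time: the minutes-offset follows the sign of the hours-offset (clock timezone AST -3 30 means UTC-3:30), the start of summer time is relative to standard time while the end is relative to summer time, and a start month later than the end month means the southern hemisphere. The Python below is an added example written for this page (not code from the guide or from Cisco IOS) that parses those two commands and resolves a UTC instant to the zone name and local time the switch would show. Only the recurring form of clock summer-time is modelled; the parameterless form (United States rules) and the date form are not, and the function names and the NZST/NZDT sample rule are this example's own.

```python
"""Resolve clock timezone / clock summer-time recurring rules (added example, not Cisco code)."""
import calendar
from dataclasses import dataclass
from datetime import datetime, timedelta

MONTHS = {m.lower(): i for i, m in enumerate(calendar.month_name) if m}      # april -> 4
WEEKDAYS = {d.lower(): i for i, d in enumerate(calendar.day_name)}           # monday -> 0 .. sunday -> 6


@dataclass
class SummerTime:
    zone: str
    start: tuple        # (week, weekday, month, hour, minute), interpreted in standard time
    end: tuple          # same shape, interpreted in summer time
    offset: timedelta   # minutes added while summer time is in effect (default 60)


def parse_timezone(line):
    """'clock timezone AST -3 30' -> ('AST', timedelta(hours=-3, minutes=-30)).
    The minutes offset takes the sign of the hours offset, as in the guide's AST example."""
    tok = line.split()
    if tok[:2] != ["clock", "timezone"]:
        raise ValueError("not a clock timezone command")
    hours = int(tok[3])
    minutes = int(tok[4]) if len(tok) > 4 else 0
    sign = -1 if tok[3].startswith("-") else 1
    return tok[2], timedelta(minutes=sign * (abs(hours) * 60 + minutes))


def _point(week, day, month, hhmm):
    hh, mm = hhmm.split(":")
    w = "last" if week == "last" else int(week)
    return (w, WEEKDAYS[day.lower()], MONTHS[month.lower()], int(hh), int(mm))


def parse_summer_time(line):
    """Parse 'clock summer-time ZONE recurring week day month hh:mm week day month hh:mm [offset]'."""
    tok = line.split()
    if tok[:2] != ["clock", "summer-time"] or len(tok) < 4 or tok[3] != "recurring":
        raise ValueError("only the recurring form is handled in this example")
    if len(tok) < 12:
        raise ValueError("the parameterless (United States rules) form is not modelled here")
    offset = int(tok[12]) if len(tok) > 12 else 60
    return SummerTime(tok[2], _point(*tok[4:8]), _point(*tok[8:12]), timedelta(minutes=offset))


def nth_weekday(year, month, week, weekday):
    """Date of the Nth (1..5) or 'last' given weekday in a month, at midnight."""
    if week == "last":
        d = datetime(year, month, calendar.monthrange(year, month)[1])
        while d.weekday() != weekday:
            d -= timedelta(days=1)
        return d
    d = datetime(year, month, 1)
    while d.weekday() != weekday:
        d += timedelta(days=1)
    d += timedelta(weeks=week - 1)
    if d.month != month:
        raise ValueError("that week/weekday does not exist in the month")
    return d


def _transition_utc(year, point, offset_from_utc):
    """Convert a local transition instant to naive UTC using the offset in force at that moment."""
    week, weekday, month, hh, mm = point
    local = nth_weekday(year, month, week, weekday).replace(hour=hh, minute=mm)
    return local - offset_from_utc


def local_time(utc, std_zone, std_offset, rule):
    """Return (zone name, naive local datetime) the switch would display for a naive UTC instant."""
    if rule is None:
        return std_zone, utc + std_offset
    start = _transition_utc(utc.year, rule.start, std_offset)               # start: standard time
    end = _transition_utc(utc.year, rule.end, std_offset + rule.offset)     # end: summer time
    southern = rule.start[2] > rule.end[2]                                  # start month after end month
    in_summer = (utc >= start or utc < end) if southern else (start <= utc < end)
    if in_summer:
        return rule.zone, utc + std_offset + rule.offset
    return std_zone, utc + std_offset


if __name__ == "__main__":
    zone, off = parse_timezone("clock timezone PST -8")
    rule = parse_summer_time("clock summer-time PDT recurring 1 Sunday April 2:00 last Sunday October 2:00")
    print(local_time(datetime(2001, 7, 23, 20, 32), zone, off, rule))   # the guide's clock set example, in UTC
```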

If summer time in your area does not follow a recurring pattern (configure the exact date and time of the
next summer time events), perform this task:

Command Purpose
Step 1 configure terminal Enters global configuration mode.
Step 2 clock summer-time zone date [month date year hh:mm month date year hh:mm [offset]]
or
clock summer-time zone date [date month year hh:mm date month year hh:mm [offset]]
Configures summer time to start on the first date and end on the second date.
To disable summer time, use the no clock summer-time global configuration command.
Summer time is disabled by default.
• For zone, specify the name of the time zone (for example, PDT) to be displayed when summer time is in effect.
• (Optional) For week, specify the week of the month (1 to 5 or last).
• (Optional) For day, specify the day of the week (Sunday, Monday...).
• (Optional) For month, specify the month (January, February...).
• (Optional) For hh:mm, specify the time (24-hour format) in hours and minutes.
• (Optional) For offset, specify the number of minutes to add during summer time. The default is 60.
Step 3 end Returns to privileged EXEC mode.
Step 4 show running-config Verifies your entries.
Step 5 copy running-config startup-config (Optional) Saves your entries in the configuration file.

The first part of the clock summer-time global configuration command specifies when summer time
begins, and the second part specifies when it ends. All times are relative to the local time zone. The start
time is relative to standard time. The end time is relative to summer time. If the starting month is after
the ending month, the system assumes that you are in the southern hemisphere.
To disable summer time, use the no clock summer-time global configuration command.
This example shows how to set summer time to start on October 12, 2000, at 02:00, and end on April 26,
2001, at 02:00:
Switch# configure terminal
Switch(config)# clock summer-time pdt date 12 October 2000 2:00 26 April 2001 2:00
Switch#

Managing Software Licenses Using Permanent Right-To-Use Features
If you want to upgrade or downgrade from one license level to another, we recommend that you use the
permanent right-to-use (PRTU) license instead of the node-locked license.
• About a PRTU License, page 4-15
• Guidelines for the RTU License Model, page 4-16
• Applying a PRTU License, page 4-16

• Activating a PRTU License, page 4-16
• Deactivating a PRTU License, page 4-17

About a PRTU License
The Permanent Right-to-use (PRTU) license is not installable and it cannot be cleared; it is available by
default.
Prior to IOS Release XE 3.4.2SG, when you upgraded from one license level to another (e.g., IP Base
to Entservices), you visited http://www.cisco.com/go/license, obtained the desired license using your
device’s PAK, and then applied the license on your device.

Note For details of the Cisco IOS activation process, see the Configuring the Cisco IOS Software
Activation Feature guide at this URL:
http://www.cisco.com/en/US/docs/ios/csa/configuration/guide/csa_commands.html

With IOS Release XE 3.4.2SG, the PRTU license feature simplifies the process by enabling you to do
the following:
• Upgrade from a lower license to a higher license using the license right-to-use activate feature-name command.
• Downgrade from a higher license to a lower license using the license right-to-use deactivate feature-name command.
• You cannot relocate a PRTU license to another device because the license is bundled with the image.
So, by upgrading the IOS image, you obtain the PRTU license.

Benefits of a PRTU License
• They are not associated with a specific switch.
With the node-locked license model, in a release prior to Cisco IOS XE 3.4.2SG, a license was applicable to a specific switch UID. Therefore, to activate a license on a new switch, you had to obtain a new license for the new UID. With PRTU licenses, logging on to the Cisco server to download and install the license is unnecessary. The license is available with the image.
• They can be instantly activated on any supported switch.
With the node-locked license model, you open the Cisco Product License Registration Portal to
obtain a license for a new switch that you purchase or an RMA switch that you need to replace. This
process is often cumbersome and lengthy, and applying the license on the new switch is an
error-prone activity. With PRTU licenses, you can apply a license on a switch and activate it
immediately.
• They can be applied without requiring an Internet connection.
With the node-locked license model, you need to access an Internet connection to obtain a license
for your device’s UID. This may be difficult in some deployment scenarios where an Internet
connection is unavailable. With PRTU licenses, you can apply a supported license on any switch at
any time without requiring an Internet connection to interact with the Cisco Product License
Registration Portal.

Guidelines for the RTU License Model
• The PRTU license model is based on mutual trust between you and Cisco. When you apply a PRTU license, it is implied that you have first purchased the license from Cisco. This agreement is explained in detail in the EULA, which is displayed when you activate the license.
• The PRTU license model does not replace the node-locked license model. Instead, it simplifies upgrading or moving your switch’s license. The node-locked license model is still available.
• Although PRTU licenses are permanent, we also support evaluation licenses and all existing licenses.

Applying a PRTU License
To apply a PRTU license on a switch, follow these steps:

Step 1 Upgrade from one license level to another by using the Cisco sales ordering tool to purchase the license.
You will receive an e-mail or paper confirmation that grants you permission to activate the license on
your switch.
Step 2 Apply the license by entering the appropriate commands on your switch. If you are upgrading a license
on a switch, enter the activation command to activate the higher license. If you are moving a license from
one switch to another, enter the deactivation command on the first switch and the activation command
on the second switch.

Note Prior to IOS Release XE 3.4.2SG, you provided the license file to a Cisco server, then obtained the new license file. With IOS Release XE 3.4.2SG, you do not require those operations. Once the IOS image is upgraded, you receive the license on the switch and activate it with the license right-to-use activate feature-name command.

Step 3 Read and accept the EULA.
Step 4 If you change the license boot level, reboot.

Note When activating PRTU for the same license level as the existing one, a reboot is unnecessary.

Activating a PRTU License
To activate a PRTU license on a switch, use either of the following commands in privileged EXEC mode:

Command Purpose
Step 1 license right-to-use activate feature-name
Activates a license on a switch and prompts for EULA.
Step 2 license right-to-use activate feature-name acceptEULA
Activates a license without prompting for EULA. This step may be required in situations where deployments are automated using install scripts.

Deactivating a PRTU License
To deactivate a PRTU license on a switch, enter the following command in privileged EXEC mode:

Command Purpose
license right-to-use deactivate feature-name Deactivates a license on a switch.

Displaying Software License Information
To display information about the software licenses on your switch, use one of these methods:
• Use Cisco License Manager to view license and device information. In the GUI, the discovery and
polling features collect all the license and device information that appears in the Properties window.
For detailed instructions, see the Cisco License Manager online help.
• Use the Cisco IOS privileged EXEC commands in Table 2.

Table 2 Commands for Displaying Software License Information

Command Description
show license agent {counters | session}
Displays the information about the software license agent. For information about the show license agent privileged EXEC command, see the Cisco Software Activation Tasks and Commands feature module.
show license [all | detail [feature-name | feature | file | statistics | status | udi | right-to-use | summary | permanent | in-use | image levels | evaluation | expiring]
Displays information about the software license. For information about the show license privileged EXEC command, see the Cisco IOS Software Licensing feature module at this URL:
http://www.cisco.com/en/US/docs/ios/12_2/12_2se/feature/guide/se_cisl.html
show version
Displays the software licenses installed on the switch.

This is an example of output from the show license command:
Switch# show license detail
Index: 1 Feature: entservices Version: 1.0
License Type: Evaluation
Evaluation total period: 8 weeks 4 days
Evaluation period left: 8 weeks 3 days
License State: Active, Not in Use, EULA accepted
License Count: Non-Counted
License Priority: Low
Store Index: 0
Store Name: Dynamic Evaluation License Storage
Index: 2 Feature: entservices Version: 1.0
License Type: PermanentRightToUse
License State: Inactive
License Count: Non-Counted
Store Index: 1
Store Name: Dynamic Evaluation License Storage
Index: 3 Feature: ipbase Version: 1.0
License Type: Permanent

License State: Active, In Use
License Count: Non-Counted
License Priority: Medium
Store Index: 1
Store Name: Primary License Storage
Index: 4 Feature: ipbase Version: 1.0
License Type: Evaluation
Evaluation total period: 8 weeks 4 days
Evaluation period left: 8 weeks 4 days
License State: Inactive
License Count: Non-Counted
License Priority: None
Store Index: 2
Store Name: Dynamic Evaluation License Storage
Index: 5 Feature: ipbase Version: 1.0
License Type: PermanentRightToUse
License State: Inactive
License Count: Non-Counted
Store Index: 3
Store Name: Dynamic Evaluation License Storage

This is an example of output from the show license feature command:
Switch# show license feature
Feature name Enforcement Evaluation Clear Allowed Enabled Right…
------------------------------------------------------------------------
entservices true true true false true
ipbase true true true true true
lanbase false false true false false
internal_service true false true false false

This is an example of output from the show license file command:
Switch# show license file
License Store: Primary License Storage
License Index: 1
License: 11 ipbase 1.0 LONG NORMAL STANDALONE EXCL INFINITE_KEYS INFINITE_KEYS NEVER NEVER
NiL SLM_CODE CL_ND_LCK NiL *1DELA9XDSFSJXAH400 NiL NiL NiL 5_MINS WS-C4507R+EFOX1327G52D
xLt5Q1e2VJi03pzp3GSE3PrvxwyfO,SLjP0SXuZOq0f4QTXyc1pSQY51xj31fh7ZfTD6AskNyeUYT8sCUesi9IVKB8
5wsZSX1HZiXwOd9RHp3mjmnhxFDnS0e6UxjgXgqvV:$AQEBIf8B///kh4dluXv+U+xjUPlzoc3++jpV9d8He4jOuba
fbkmmOtaOYAoB3inJLnlLyv50VCuRqwInXo3s+nsLU7rOtdOxoIxYZAo3LYmUJ+MFzsqlhKoJVlPyEvQ8H21MNUjVb
hoN0gyIWsyiJaM8AQIkVBQFzhr10GYolVzdzfJfEPQIx6tZ++/Vtc/q3SF/5Ko8XCY=
Comment:
Hash: Z+EY3ce1csQlVpRGc5NNy5ypmds=
License Store: Dynamic License Storage
License Store: Primary License Storage
License Store: Dynamic License Storage
License Index: 0
License: 11 entservices 1.0 LONG TRIAL DISABLED 1440 DISABLED STANDALONE ADD INFINITE_KEYS
INFINITE_KEYS NEVER NEVER NiL SLM_CODE DEMO NiL NiL Ni NiL NiL 5_MINS NiL
BGf3gQnLuroDmnnMJMwWVa2ukR8kP2JZyinKpmOXpa32jwPuSBmHvcSRiSSaqBngV8$AQEBIQAB///FTlc+Qu1Xlg2
Z+yB2StUHHymf2w5PEw+cYg/hTOKYCI+oXi0jwBZ2iLrYTKYwxSSRqwInXo3s+nsLU7rOtdOxoIxYZAo3LYmUJ+MFz
sqlhKoJVlPyEvQ8H21MNUjVbhoN0gyIWsyiJaM8AQIkVBQFzhr10GYolVzdzfJfEPQIx6tZ++/Vtc/q3SF/5Ko8XCY
=
Comment:
Hash: RmO9Kumi8BFKq0wCAx2CcUDE6rg=
License Index: 1
License: 12 entservices 1.0 LONG TRIAL DISABLED DISABLED DISABLED STANDALONE ADD
INFINITE_KEYS INFINITE_KEYS 1 JAN 2006 1 JAN 2035 NiL NiL SLM_CODE DEMO NiL NiL Ni NiL NiL
5_MINS NOTLOCKEDNOTLOCKEDHBL
l1nG2zXePlBt,ifk7ZReL80LqzvzgRUCelWrBp41FC3jOKer6ZMT7XC4834W3Ev7fm1eXoWaK58t:oDeH5RI1V3dVE
2VpAnYb7WiKDz9En8PfrI7vewhayNbschEXBD9:tfPfir6GaALUFwsLxcqYzHuL2$AQEBIf8B///mCSo9+7kn+8zTC
3WX1YS9if+g0e8AjRRu1Jq3Kye4y8wv4c+Y9FHJ7Ro/mw7ERwqRqwInXo3s+nsLU7rOtdOxoIxYZAo3LYmUJ+MFzsq
lhKoJVlPyEvQ8H21MNUjVbhoN0gyIWsyiJaM8AQIkVBQFzhr10GYolVzdzfJfEPQIx6tZ++/Vtc/q3SF/5Ko8XCY=

Comment:
Hash: 9w09jAFGBzi2w6XQCljLOBe2p+Y=
License Index: 2
License: 11 ipbase 1.0 LONG TRIAL DISABLED 1440 DISABLED STANDALONE ADD INFINITE_KEYS
INFINITE_KEYS NEVER NEVER NiL SLM_CODE DEMO NiL NiL Ni NiL NiL 5_MINS NiL
YXNJUtpFJiC2Rpdt1SJNVQBCpQUBNt59tdkJJTgKwmLTKj:vmp,sVkMiiRYLfMHQfj$AQEBIf8B//kagzg0R7bT5rn
6dVYVPUFmxB1UsblGgbkInHYo55DJzHE/Bqnlf9keNdSyzPbUhSRqwInXo3snsLU7rOtdOxoIxYZAo3LYmUJ+MFzsq
lhKoJVlPyEvQ8H21MNUjVbhoN0gyIWsyiJaM8AQIkVBQFzhr10GYolVzdzfJfEPQIx6tZ++/Vtc/q3SF/5Ko8XCY=
Comment:
Hash: H6zsXVLv9TFlmTfFGm0tK4VHJ2Q=
License Index: 3
License: 12 ipbase 1.0 LONG TRIAL DISABLED DISABLED DISABLED STANDALONE ADD INFINITE_KEYS
INFINITE_KEYS 1 JAN 2006 1 JAN 2035 NiL NiL SLM_CODE DEMO NiL NiL Ni NiL NiL 5_MINS
NOTLOCKEDNOTLOCKEDHBL
Zh0GdIANTlXwW6LJgQ95LB0aCazzbsjSOL4HUaqcySLcOvcLq,d04oTgS8pJbHIO3BaD0tgELHog9egQWj9bCJ3,sm
2jRaJkgkhYKO9BrbWYLOA,mO3Qe2E,TPJou8fms:LtvrfctzLbujmB0XcB68MPLm$AQEBIf8B//+O8JwRWipzfjtWl
AItclx+D6NLhKMyqS1hJoxCM1Txgw8BpmG5QQY5nCiE14CPvVKRqwInXo3s+nsLU7rOtdOxoIxYZAo3LYmUJ+MFzsq
lhKoJVlPyEvQ8H21MNUjVbhoN0gyIWsyiJaM8AQIkVBQFzhr10GYolVzdzfJfEPQIx6tZ++/Vtc/q3SF/5Ko8XCY=
Comment:
Hash: S3Ks+G07ueugA9hMFPkXGTF12So=

This is an example of output from the show license statistics command:
Switch# show license statistics
Administrative statistics
Install success count: 4
Install failure count: 1
Install duplicate count: 0
Comment add count: 0
Comment delete count: 0
Clear count: 0
Save count: 0
Save cred count: 0
Client status
Request success count 1
Request failure count 0
Release count 0
Global Notify count 1

This is an example of output from the show license status command:
Switch# show license status
License Type Supported
permanent Non-expiring node locked license
extension Expiring node locked license
evaluation Expiring non node locked license
License Operation Supported
install Install license
clear Clear license
annotate Comment license
save Save license
revoke Revoke license
call-home License call-home
Call-home Operation Supported
show pak Display license pak via call-home
install Install license via call-home
revoke Revoke license via call-home
resend Fetch license via call-home
Device status
Device Credential type: IMAGE
Device Credential Verification: PASS
Rehost Type: DC_OR_IC

When you enter the show license udi command on WS-C4507R+E, this output appears:
Switch# show license udi
Device# PID SN UDI
------------------------------------------------------------------------
*0 WS-C4507R+E FOX1327G52D WS-C4507R+E:FOX1327G52D

Note The show license udi command output shows details on the current switch.

This is an example of the show license right-to-use command:
Switch# show license right-to-use
License Store: Primary License Storage

License Store: Dynamic License Storage
License Store: Primary License Storage
License Store: Dynamic License Storage
StoreIndex: 1 Feature: entservices Version: 1.0
License Type: PermanentRightToUse
License State: Inactive
License Count: Non-Counted
StoreIndex: 3 Feature: ipbase Version: 1.0
License Type: PermanentRightToUse
License State: Inactive
License Count: Non-Counted

This is an example of the show license summary command:
Switch# show license summary
Index 0 Feature: entservices
Period left: 8 weeks 3 days
License Type: Evaluation
License State: Active, Not in Use, EULA accepted
License Count: Non-Counted
License Priority: Low
Index 1 Feature: ipbase
Period left: Life time
License Type: Permanent
License State: Active, In Use
License Count: Non-Counted
License Priority: Medium
Index 2 Feature: lanbase
Period left: 0 seconds
Index 3 Feature: internal_service
Period left: 0 seconds
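The show license outputs above are what an inventory or compliance script has to read when it checks which feature level a switch actually runs on and whether an evaluation license has been activated. The Python below is an added example written for this page, not code from the guide or from Cisco IOS: a parser for the show license summary text into one record per Index block, with two checks built on it. The sample input is the guide's own show license summary output embedded as a string; the function names are this example's own.

```python
"""Parse `show license summary` text into records (added example, not Cisco code)."""

# The guide's example output, embedded here so the example runs offline.
SAMPLE = """\
Index 0 Feature: entservices
Period left: 8 weeks 3 days
License Type: Evaluation
License State: Active, Not in Use, EULA accepted
License Count: Non-Counted
License Priority: Low
Index 1 Feature: ipbase
Period left: Life time
License Type: Permanent
License State: Active, In Use
License Count: Non-Counted
License Priority: Medium
Index 2 Feature: lanbase
Period left: 0 seconds
Index 3 Feature: internal_service
Period left: 0 seconds
"""


def parse_license_summary(text):
    """Return a list of dicts, one per 'Index N Feature: name' block.

    Lines inside a block are 'Key: value' pairs and are stored under their key;
    blank lines and lines without a colon are ignored, so a block with only a
    'Period left' line (lanbase above) still yields a record."""
    records = []
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("Index "):
            head, _, feature = line.partition("Feature:")
            current = {"Index": int(head.split()[1]), "Feature": feature.strip()}
            records.append(current)
        elif current is not None and ":" in line:
            key, _, value = line.partition(":")
            current[key.strip()] = value.strip()
    return records


def _state_parts(record):
    # 'Active, Not in Use, EULA accepted' -> ['Active', 'Not in Use', 'EULA accepted']
    return [p.strip() for p in record.get("License State", "").split(",") if p.strip()]


def features_in_use(records):
    """Feature levels whose license state says 'In Use' (what the switch is running on)."""
    return [r["Feature"] for r in records if "In Use" in _state_parts(r)]


def active_evaluations(records):
    """Evaluation licenses that have been activated, which a compliance check would flag."""
    return [r["Feature"] for r in records
            if r.get("License Type") == "Evaluation" and "Active" in _state_parts(r)]


if __name__ == "__main__":
    recs = parse_license_summary(SAMPLE)
    print("in use:", features_in_use(recs))
    print("active evaluation licenses:", active_evaluations(recs))
```

Matching on the comma-separated parts of License State rather than on a substring matters here: a plain substring test for "in Use" would also hit "Not in Use".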

This is an example of the show license evaluation command:
Switch# show license evaluation
License Store: Primary License Storage
License Store: Dynamic License Storage
StoreIndex: 0 Feature: entservices Version: 1.0
License Type: Evaluation
Evaluation total period: 8 weeks 4 days
Evaluation period left: 8 weeks 3 days
License State: Active, Not in Use, EULA accepted
License Count: Non-Counted
License Priority: Low
StoreIndex: 2 Feature: ipbase Version: 1.0
License Type: Evaluation
Evaluation total period: 8 weeks 4 days
Evaluation period left: 8 weeks 4 days
License State: Inactive
License Count: Non-Counted
License Priority: None

This is an example of the show license image levels command:
Switch# show license image levels
Module name Image level Priority Configured Valid license
------------------------------------------------------------------------
WS-X45-SUP7-E entservices 1 NO entservices
ipbase 2 NO ipbase
lanbase 3 NO lanbase

Module Name Role Current Level Reboot Level
------------------------------------------------------------------------
WS-X45-SUP7-E Active ipbase ipbase

This is an example of the show license expiring command:
Switch# show license expiring
License Store: Primary License Storage
License Store: Dynamic License Storage
StoreIndex: 0 Feature: entservices Version: 1.0
License Type: Evaluation
Evaluation total period: 8 weeks 4 days
Evaluation period left: 8 weeks 3 days
License State: Active, Not in Use, EULA accepted
License Count: Non-Counted
License Priority: Low
StoreIndex: 2 Feature: ipbase Version: 1.0
License Type: Evaluation
Evaluation total period: 8 weeks 4 days
Evaluation period left: 8 weeks 4 days
License State: Inactive
License Count: Non-Counted
License Priority: None
Switch#

This is an example of the show license in-use command:
Switch# show license in-use
License Store: Primary License Storage
StoreIndex: 1 Feature: ipbase Version: 1.0
License Type: Permanent
License State: Active, In Use
License Count: Non-Counted
License Priority: Medium
License Store: Dynamic License Storage

Configuring a System Name and Prompt
You configure the system name on the switch to identify it. By default, the system name and prompt are
Switch.
If you have not configured a system prompt, the first 20 characters of the system name are used as the
system prompt. A greater-than symbol [>] is appended. The prompt is updated whenever the system
name changes.
For complete syntax and usage information for the commands used in this section, see the Cisco IOS
Configuration Fundamentals Command Reference, Release 12.3 and the Cisco IOS IP Command
Reference, Volume 2 of 3: Routing Protocols, Release 12.3.
These sections contain this configuration information:
• Configuring a System Name, page 4-22
• Understanding DNS, page 4-22

Configuring a System Name
To manually configure a system name, perform this task:

Command Purpose
Step 1 configure terminal Enters global configuration mode.
Step 2 hostname name Manually configures a system name.
The default setting is Switch.
The name must follow the rules for ARPANET hostnames. They must start
with a letter, end with a letter or digit, and have as interior characters only
letters, digits, and hyphens. Names can be up to 63 characters.
To return to the default hostname, use the no hostname global
configuration command.
Step 3 end Returns to privileged EXEC mode.
Step 4 show running-config Verifies your entries.
Step 5 copy running-config startup-config (Optional) Saves your entries in the configuration file.

When you set the system name, it is also used as the system prompt.

Understanding DNS
The DNS protocol controls the Domain Name System (DNS), a distributed database with which you can
map hostnames to IP addresses. When you configure DNS on your switch, you can substitute the
hostname for the IP address with all IP commands, such as ping, telnet, connect, and related Telnet
support operations.
IP defines a hierarchical naming scheme that allows a device to be identified by its location or domain.
Domain names are pieced together with periods (.) as the delimiting characters. For example, Cisco
Systems is a commercial organization that IP identifies by a com domain name, so its domain name is
cisco.com. A specific device in this domain, for example, the File Transfer Protocol (FTP) system is
identified as ftp.cisco.com.
To keep track of domain names, IP has defined the concept of a domain name server, which holds a cache
(or database) of names mapped to IP addresses. To map domain names to IP addresses, you must first
identify the hostnames, specify the name server that is present on your network, and enable the DNS.
These sections contain this configuration information:
• Default DNS Configuration, page 4-23
• Setting Up DNS, page 4-23
• Displaying the DNS Configuration, page 4-24

Default DNS Configuration
Table 4-3 shows the default DNS configuration.

Table 4-3 Default DNS Configuration

Feature                   Default Setting
DNS enable state          Enabled.
DNS default domain name   None configured.
DNS servers               No name server addresses are configured.

Setting Up DNS
To set up your switch to use the DNS, perform this task:

Command Purpose
Step 1 configure terminal Enters global configuration mode.
Step 2 ip domain-name name Defines a default domain name that the software uses to complete unqualified
hostnames (names without a dotted-decimal domain name).
To remove a domain name, use the no ip domain-name name global
configuration command.
Do not include the initial period that separates an unqualified name from the
domain name.
At boot time, no domain name is configured; however, if the switch
configuration comes from a BOOTP or Dynamic Host Configuration Protocol
(DHCP) server, then the default domain name might be set by the BOOTP or
DHCP server (if the servers were configured with this information).
Step 3 ip name-server server-address1 [server-address2 ... server-address6] Specifies the address of one or more name servers to use for name and address
resolution.
To remove a name server address, use the no ip name-server server-address
global configuration command.
You can specify up to six name servers. Separate each server address with a
space. The first server specified is the primary server. The switch sends DNS
queries to the primary server first. If that query fails, the backup servers are
queried.
Step 4 ip domain-lookup (Optional) Enables DNS-based hostname-to-address translation on your switch.
This feature is enabled by default.
To disable DNS on the switch, use the no ip domain-lookup global
configuration command.
If your network devices require connectivity with devices in networks for which
you do not control name assignment, you can dynamically assign device names
that uniquely identify your devices by using the global Internet naming scheme
(DNS).
Step 5 end Returns to privileged EXEC mode.
Step 6 show running-config Verifies your entries.
Step 7 copy running-config startup-config (Optional) Saves your entries in the configuration file.

If you use the switch IP address as its hostname, the IP address is used and no DNS query occurs. If you
configure a hostname that contains no periods (.), a period followed by the default domain name is
appended to the hostname before the DNS query is made to map the name to an IP address. The default
domain name is the value set by the ip domain-name global configuration command. If there is a
period (.) in the hostname, the Cisco IOS software looks up the IP address without appending any default
domain name to the hostname.
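The hostname rules in the "Configuring a System Name" task and the lookup policy just described (IP literal used as-is, unqualified name completed with the default domain, primary server tried before the backups) are easy to get wrong when writing a pre-change check. The following Python is an added example, not code from the guide or from Cisco; the name-server query function, the zone data and the server addresses are constructed for the demonstration, and the behaviour for an unqualified name when no default domain is configured (query it as typed) is an assumption the guide does not state.

```python
import ipaddress
import re
from typing import Callable, Optional, Sequence

# Hostname rule from the guide: begin with a letter, end with a letter or digit,
# interior characters only letters, digits and hyphens, at most 63 characters.
_HOSTNAME_RE = re.compile(r"^[A-Za-z](?:[A-Za-z0-9-]*[A-Za-z0-9])?$")
MAX_HOSTNAME_LEN = 63
MAX_NAME_SERVERS = 6   # the guide allows up to six ip name-server addresses
PROMPT_PREFIX_LEN = 20  # the prompt is the first 20 characters of the system name


def valid_hostname(name: str) -> bool:
    """True when name satisfies the ARPANET hostname rules quoted in the guide."""
    return len(name) <= MAX_HOSTNAME_LEN and _HOSTNAME_RE.fullmatch(name) is not None


def prompt_for(hostname: str) -> str:
    """Default prompt: the first 20 characters of the system name plus '>'."""
    return hostname[:PROMPT_PREFIX_LEN] + ">"


def name_to_query(target: str, default_domain: Optional[str]) -> Optional[str]:
    """Apply the guide's lookup policy to a target typed into an IP command.

    Returns None when no DNS query is made (the target is an IP address), the
    target unchanged when it already contains a period, or target.default_domain
    when the name is unqualified and a default domain is configured. An unqualified
    name with no default domain is returned as typed (assumption, not in the guide).
    """
    try:
        ipaddress.ip_address(target)
        return None  # IP address used directly; no DNS query occurs
    except ValueError:
        pass
    if "." in target:
        return target  # name contains a period: looked up without the default domain
    return f"{target}.{default_domain}" if default_domain else target


# A query function takes (server_address, qname) and returns an address, or None on failure.
QueryFn = Callable[[str, str], Optional[str]]


def resolve(target: str, default_domain: Optional[str],
            name_servers: Sequence[str], query: QueryFn) -> Optional[str]:
    """Resolve target as the guide describes: primary server first, backups only on failure."""
    if len(name_servers) > MAX_NAME_SERVERS:
        raise ValueError(f"at most {MAX_NAME_SERVERS} name servers can be configured")
    qname = name_to_query(target, default_domain)
    if qname is None:
        return target
    for server in name_servers:  # the first server configured is the primary
        answer = query(server, qname)
        if answer is not None:
            return answer
    return None


# Constructed sample zone and a query function that simulates the primary server
# (PRIMARY) being unreachable so that the backup server answers instead.
CONSTRUCTED_ZONE = {"ftp.example.com": "192.0.2.10", "sw1.example.com": "192.0.2.1"}
PRIMARY, BACKUP = "192.0.2.53", "192.0.2.54"


def fake_query(server: str, qname: str) -> Optional[str]:
    if server == PRIMARY:
        return None  # simulated timeout on the primary server
    return CONSTRUCTED_ZONE.get(qname)


if __name__ == "__main__":
    for host in ("sw1-core", "1sw", "sw1-", "core.sw1"):
        print(f"{host!r}: valid hostname = {valid_hostname(host)}")
    for target in ("ftp", "ftp.example.com", "192.0.2.7", "nosuch"):
        print(f"{target!r} -> {resolve(target, 'example.com', [PRIMARY, BACKUP], fake_query)}")
```

Run against a real change request, `valid_hostname` catches names the switch would reject and `name_to_query` shows which fully qualified name will actually leave the switch, which matters when a short name is expected to resolve in one domain but the default domain points elsewhere.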

Displaying the DNS Configuration
To display the DNS configuration information, use the show running-config privileged EXEC
command.

Creating a Banner
You can configure a message-of-the-day (MOTD) and a login banner. The MOTD banner displays on all
connected terminals at login and is useful for sending messages that affect all network users (such as
impending system shutdowns).
The login banner also displays on all connected terminals. It appears after the MOTD banner and before
the login prompts.

Note For complete syntax and usage information for the commands used in this section, see the Cisco IOS
Configuration Fundamentals Command Reference, Release 12.3.

These sections contain this configuration information:
• Default Banner Configuration, page 4-24
• Configuring a Message-of-the-Day Login Banner, page 4-24
• Configuring a Login Banner, page 4-27

Default Banner Configuration
The MOTD and login banners are not configured.

Configuring a Message-of-the-Day Login Banner
You can create a single or multiline message banner that appears on the screen when someone logs in to
the switch.

To configure a MOTD login banner, perform this task:

Command Purpose
Step 1 configure terminal Enters global configuration mode.
Step 2 banner motd c message c Specifies the message of the day.
To delete the MOTD banner, use the no banner motd global
configuration command.
For c, enter the delimiting character of your choice, for example, a
pound sign (#), and press the Return key. The delimiting character
signifies the beginning and end of the banner text. Characters after the
ending delimiter are discarded.
Note When configuring a banner using the "#" sign as a delimiter on
Supervisor Engine 7-E and Supervisor Engine 7L-E, you must
first turn off shell processing with the no shell processing
command. Otherwise, you cannot exit from the banner configuration.

### With shell processing enabled ###

Sup7# conf t
Enter configuration commands, one per line. End with
CNTL/Z.
Sup7(config)# ban
Sup7(config)# banner lo
Sup7(config)# banner login #
Enter TEXT message. End with the character '#'
test login banner
#
##
e#
Sup7(config)#

### With shell processing disabled ###

Sup7(config)# banner login #
Enter TEXT message. End with the character '#'
test login banner
#
Sup7(config)#

For message, enter a banner message up to 255 characters. You cannot
use the delimiting character in the message.
Step 3 end Returns to privileged EXEC mode.
Step 4 show running-config Verifies your entries.
Step 5 copy running-config startup-config (Optional) Saves your entries in the configuration file.

This example shows how to configure a MOTD banner for the switch by using the pound sign (#) symbol
as the beginning and ending delimiter:
Switch(config)# banner motd #
it is a secure site. Only authorized users are allowed.
For access, contact technical support.
#
Switch(config)#

This example shows the banner that appears from the previous configuration:
Unix> telnet 172.2.5.4
Trying 172.2.5.4...
Connected to 172.2.5.4.
Escape character is '^]'.

it is a secure site. Only authorized users are allowed.
For access, contact technical support.

User Access Verification

Password:

Configuring a Login Banner
You can configure a login banner to be displayed on all connected terminals. This banner appears after
the MOTD banner and before the login prompt.
To configure a login banner, perform this task:

Command Purpose
Step 1 configure terminal Enters global configuration mode.
Step 2 banner login c message c Specifies the login message.
To delete the login banner, use the no banner login global configuration
command.
For c, enter the delimiting character of your choice, for example, a pound
sign (#), and press the Return key. The delimiting character signifies the
beginning and end of the banner text. Characters after the ending delimiter
are discarded.
Note When configuring a banner using the "#" sign as a delimiter on
Supervisor Engine 7-E and Supervisor Engine 7L-E, you must first
turn off shell processing with the no shell processing command.
Otherwise, you cannot exit from the banner configuration.

### With shell processing enabled ###

Sup7# conf t
Enter configuration commands, one per line. End with
CNTL/Z.
Sup7(config)# ban
Sup7(config)# banner lo
Sup7(config)# banner login #
Enter TEXT message. End with the character '#'
test login banner
#
##
e#
Sup7(config)#

### With shell processing disabled ###

Sup7(config)# banner login #
Enter TEXT message. End with the character '#'
test login banner
#
Sup7(config)#

For message, enter a login message up to 255 characters. You cannot use the
delimiting character in the message.
Step 3 end Returns to privileged EXEC mode.
Step 4 show running-config Verifies your entries.
Step 5 copy running-config startup-config (Optional) Saves your entries in the configuration file.

This example shows how to configure a login banner for the switch by using the dollar sign ($) symbol
as the beginning and ending delimiter:
Switch# configure terminal
Switch(config)# banner login $
Access for authorized users only. Please enter your username and password.
$
Switch(config)# end
Switch#
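Both banner tasks above carry the same constraints: a single delimiting character that must not occur in the message, a 255-character limit, text after the closing delimiter discarded, and the Supervisor Engine 7-E/7L-E caveat about "#" while shell processing is on. The Python below is an added example, not code from the guide or from Cisco: it validates a banner against those rules before it is pushed, renders the `banner motd` / `banner login` lines, and pulls an existing banner out of saved configuration text to check that the legal notice the security policy requires is still there. The configuration sample is constructed, and the parser assumes the banner is stored with the delimiter character the administrator typed (the guide does not describe how `show running-config` renders it).

```python
import re
from typing import List, NamedTuple, Optional

MAX_BANNER_LEN = 255  # limit stated in the guide for both MOTD and login banners


class BannerCheck(NamedTuple):
    ok: bool
    problems: List[str]
    warnings: List[str]


def check_banner(message: str, delimiter: str, shell_processing: bool = False) -> BannerCheck:
    """Validate a banner against the rules in the MOTD and login banner tasks.

    shell_processing marks a Supervisor Engine 7-E/7L-E on which shell processing is
    still on; there '#' cannot be used as the delimiter until 'no shell processing' runs.
    """
    problems: List[str] = []
    warnings: List[str] = []
    if len(delimiter) != 1:
        problems.append("the delimiter must be a single character")
    elif delimiter in message:
        problems.append(f"the delimiting character {delimiter!r} appears inside the message")
    if len(message) > MAX_BANNER_LEN:
        problems.append(f"message is {len(message)} characters; the maximum is {MAX_BANNER_LEN}")
    if delimiter == "#" and shell_processing:
        warnings.append("'#' as delimiter with shell processing enabled: run "
                        "'no shell processing' first or banner configuration cannot be exited")
    return BannerCheck(not problems, problems, warnings)


def banner_commands(kind: str, message: str, delimiter: str = "$",
                    shell_processing: bool = False) -> List[str]:
    """Render the global configuration lines 'banner <kind> c', message, 'c'."""
    if kind not in ("motd", "login"):
        raise ValueError("kind must be 'motd' or 'login'")
    result = check_banner(message, delimiter, shell_processing)
    if not result.ok or result.warnings:  # refuse to emit config that would wedge the session
        raise ValueError("; ".join(result.problems + result.warnings))
    return [f"banner {kind} {delimiter}", *message.splitlines(), delimiter]


def parse_banner(config_text: str, kind: str) -> Optional[str]:
    """Extract the text of an existing banner from configuration text.

    Assumes the banner is stored as 'banner <kind> c' followed by the text and the
    closing c. Anything after the closing delimiter is discarded, as the guide states.
    """
    m = re.search(rf"^banner {re.escape(kind)} (\S)", config_text, re.MULTILINE)
    if m is None:
        return None
    delimiter = m.group(1)
    start = m.end()
    if config_text.startswith("\n", start):
        start += 1  # text begins on the line after the opening delimiter
    end = config_text.find(delimiter, start)
    return None if end == -1 else config_text[start:end]


def missing_phrases(banner_text: Optional[str], required: List[str]) -> List[str]:
    """Return the required notice phrases (case-insensitive) absent from the banner."""
    haystack = (banner_text or "").lower()
    return [p for p in required if p.lower() not in haystack]


# Constructed configuration sample; not taken from a real switch.
CONSTRUCTED_RUNNING_CONFIG = """\
hostname sw1
!
banner motd $
Authorized users only. Activity on this device is monitored.
$ this text after the delimiter is discarded
banner login #
Enter your username and password.
#
!
"""

if __name__ == "__main__":
    for line in banner_commands("motd", "Authorized users only.\nActivity is monitored.", "$"):
        print(line)
    motd = parse_banner(CONSTRUCTED_RUNNING_CONFIG, "motd")
    print("missing:", missing_phrases(motd, ["authorized", "monitored", "consent"]))
```

`banner_commands` treats the shell-processing warning as fatal on purpose: a push that leaves the switch stuck in banner configuration is worse than a rejected change. `missing_phrases` is the compliance half; feed it the wording your legal or audit team requires on the MOTD.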

Managing the MAC Address Table
The MAC address table contains address information that the switch uses to forward traffic between
ports. All MAC addresses in the address table are associated with one or more ports. The address table
includes these types of addresses:
• Dynamic address—A source MAC address that the switch learns and then ages when it is not in use.
• Static address—A manually entered unicast address that does not age and that is not lost when the
switch resets.
The address table lists the destination MAC address, the associated VLAN ID, and port number
associated with the address and the type (static or dynamic).

Note For complete syntax and usage information for the commands used in this section, see the command
reference for this release.

These sections contain this configuration information:
• Building the Address Table, page 4-28
• MAC Addresses and VLANs, page 4-29
• Default MAC Address Table Configuration, page 4-30
• Changing the Address Aging Time, page 4-30
• Removing Dynamic Address Entries, page 4-31
• Configuring MAC Change Notification Traps, page 4-31
• Configuring MAC Move Notification Traps, page 4-33
• Configuring MAC Threshold Notification Traps, page 4-35
• Adding and Removing Static Address Entries, page 4-36
• Configuring Unicast MAC Address Filtering, page 4-37
• Disabling MAC Address Learning on a VLAN, page 4-39
• Displaying Address Table Entries, page 4-44

Building the Address Table
With multiple MAC addresses supported on all ports, you can connect any port on the switch to
individual workstations, repeaters, switches, routers, or other network devices. The switch provides
dynamic addressing by learning the source address of packets it receives on each port and adding the
address and its associated port number to the address table. As stations are added or removed from the
network, the switch updates the address table, adding new dynamic addresses and aging out those that
are not in use.
The aging interval is globally configured. However, the switch maintains an address table for each
VLAN, and STP can accelerate the aging interval on a per-VLAN basis.
The switch sends packets between any combination of ports, based on the destination address of the
received packet. Using the MAC address table, the switch forwards the packet only to the port associated
with the destination address. If the destination address is on the port that sent the packet, the packet is
filtered and not forwarded. The switch always uses the store-and-forward method: complete packets are
stored and checked for errors before transmission.

MAC Addresses and VLANs
All addresses are associated with a VLAN. An address can exist in more than one VLAN and have
different destinations in each. Unicast addresses, for example, could be forwarded to port 1 in VLAN 1
and ports 9, 10, and 1 in VLAN 5.
Each VLAN maintains its own logical address table. A known address in one VLAN is unknown in
another until it is learned or statically associated with a port in the other VLAN.

When PVLANs are configured, address learning depends on the type of MAC address:
• Dynamic MAC addresses learned in one VLAN of a PVLAN are replicated in the associated
VLANs. For example, a MAC address learned in a private-VLAN secondary VLAN is replicated in
the primary VLAN.
• Static MAC addresses configured in a primary or secondary VLAN are not replicated in the
associated VLANs. When you configure a static MAC address in a PVLAN primary or secondary
VLAN, you should also configure the same static MAC address in all associated VLANs.
For more information about PVLANs, see Chapter 44, “Configuring Private VLANs.”

Default MAC Address Table Configuration
Table 4-4 shows the default MAC address table configuration.

Table 4-4 Default MAC Address Table Configuration

Feature              Default Setting
Aging time           300 seconds
Dynamic addresses    Automatically learned
Static addresses     None configured

Changing the Address Aging Time
Dynamic addresses are source MAC addresses that the switch learns and then ages when they are not in
use. You can change the aging time setting for all VLANs or for a specified VLAN.
Setting too short an aging time can cause addresses to be prematurely removed from the table. When the
switch receives a packet for an unknown destination, it floods the packet to all ports in the same VLAN
as the receiving port. This unnecessary flooding can impact performance. Setting too long an aging time
can cause the address table to be filled with unused addresses, which prevents new addresses from being
learned. Flooding results, which can impact switch performance.
To configure the dynamic address table aging time, perform this task:

Command Purpose
Step 1 configure terminal Enters global configuration mode.
Step 2 mac address-table aging-time [0 | 10-1000000] [vlan vlan-id] Sets the length of time that a dynamic entry remains in the MAC
address table after the entry is used or updated.
To return to the default value, use the no mac address-table
aging-time global configuration command.
The range is 10 to 1000000 seconds. The default is 300. You can also
enter 0, which disables aging. Static address entries are never aged
or removed from the table.
For vlan-id, valid IDs are 1 to 4094.
Step 3 end Returns to privileged EXEC mode.
Step 4 show mac address-table aging-time Verifies your entries.
Step 5 copy running-config startup-config (Optional) Saves your entries in the configuration file.

Removing Dynamic Address Entries
To remove all dynamic entries, use the clear mac address-table dynamic command in EXEC mode.
You can also remove a specific MAC address (clear mac address-table dynamic address mac-address),
remove all addresses on the specified physical port or port channel
(clear mac address-table dynamic interface interface-id), or remove all addresses on a specified
VLAN (clear mac address-table dynamic vlan vlan-id).
To verify that dynamic entries have been removed, use the show mac address-table dynamic privileged
EXEC command.

Configuring MAC Change Notification Traps
MAC change notification allows you to track users on a network by storing the MAC change activity on
the switch. Whenever the switch learns or removes a MAC address, an SNMP notification can be
generated and sent to the network management system. If you have many users entering and exiting the
network, you can set a trap interval time to bundle the notification traps and reduce network traffic. The
MAC notification history table stores the MAC address activity for each hardware port for which the trap
is enabled. MAC address notifications are generated for dynamic and static MAC addresses; events are
not generated for self addresses or multicast addresses.
To send MAC change notification traps to an NMS host, perform this task:

Command Purpose
Step 1 configure terminal Enters global configuration mode.
Step 2 snmp-server host host-addr [traps | informs] {version {1|2c|3}} [auth | noauth | priv] community-string [udp-port port] [notification-type] Specifies the recipient of the trap message.
• For host-addr, specify the name or address of the NMS.
• Specify traps (the default) to send SNMP traps
to the host. Specify informs to send SNMP
informs to the host.
• Specify the SNMP version to support. Version 1,
the default, is not available with informs.
• For community-string, specify the string to send
with the notification operation. Though you can
set this string by using the snmp-server host
command, we recommend that you define this
string by using the snmp-server community
command before using the snmp-server host
command.
• For notification-type, use the mac-notification
keyword.
Step 3 snmp-server enable traps mac-notification change Enables the switch to send MAC change traps to the
NMS.
To disable the switch from sending MAC change
notification traps, use the
no snmp-server enable traps mac-notification
change global configuration command.
Step 4 mac address-table notification change Enables the MAC address change notification
feature.
Step 5 mac address-table notification change [interval value] | [history-size value] Enters the trap interval time and the history table size.
• (Optional) For interval value, specify the
notification trap interval in seconds between
each set of traps that are generated to the NMS.
The range is 0 to 2147483647 seconds; the
default is 1 second.
• (Optional) For history-size value, specify the
maximum number of entries in the MAC
notification history table. The range is 0 to 500;
the default is 1.
To disable the MAC change notification feature, use
the no mac address-table notification change
global configuration command.
Step 6 interface interface-id Enters interface configuration mode, and specifies
the interface on which to enable the SNMP MAC
change notification trap.
Step 7 snmp trap mac-notification change {added | removed} Enables the MAC change notification trap.
• Enable the MAC change notification trap
whenever a MAC address is added on this
interface.
• Enable the MAC change notification trap
whenever a MAC address is removed from this
interface.
To disable the MAC change notification traps on a
specific interface, use the no snmp trap
mac-notification change {added | removed}
interface configuration command.
Step 8 end Returns to privileged EXEC mode.
Step 9 show mac address-table notification change interface Verifies your entries.
show running-config
Step 10 copy running-config startup-config (Optional) Saves your entries in the configuration
file.

This example shows how to specify 172.69.59.93 as the network management system, enable the switch
to send MAC change notification traps to the network management system, enable the MAC change
notification feature, set the interval time to 60 seconds, set the history-size to 100 entries, and enable
traps whenever a MAC address is added on the specified port:
Switch# configure terminal
Switch(config)# snmp-server host 172.69.59.93 private mac-notification
Switch(config)# snmp-server enable traps mac-notification change
Switch(config)# mac address-table notification change
Switch(config)# mac address-table notification change interval 60
Switch(config)# mac address-table notification change history-size 100
Switch(config)# interface fastethernet0/2
Switch(config-if)# snmp trap mac-notification change added
Switch(config-if)# end
Switch# show mac address-table notification change interface
MAC Notification Feature is Enabled on the switch
MAC Notification Flags For All Ethernet Interfaces :
----------------------------------------------------
Interface MAC Added Trap MAC Removed Trap
--------- -------------- ----------------
GigabitEthernet1/1 Enabled Enabled
GigabitEthernet1/2 Enabled Enabled
GigabitEthernet1/3 Enabled Enabled
GigabitEthernet1/4 Enabled Enabled
GigabitEthernet1/5 Enabled Enabled
GigabitEthernet1/6 Enabled Enabled
GigabitEthernet1/7 Enabled Enabled
GigabitEthernet1/8 Enabled Enabled
GigabitEthernet1/9 Enabled Enabled
GigabitEthernet1/10 Enabled Enabled
GigabitEthernet1/11 Enabled Enabled
GigabitEthernet1/12 Enabled Enabled

Switch#

Configuring MAC Move Notification Traps
When you configure MAC move notification, an SNMP notification is generated and sent to the network
management system whenever a MAC address moves from one port to another within the same VLAN.

To configure MAC move notification, perform this task:

Command Purpose
Step 1 configure terminal Enters global configuration mode.
Step 2 snmp-server host host-addr [traps | informs] {version {1|2c|3}} [auth | noauth | priv] community-string [udp-port port] [notification-type] Specifies the recipient of the trap message.
• For host-addr, specify the name or address of the NMS.
• Specify traps (the default) to send SNMP traps
to the host. Specify informs to send SNMP
informs to the host.
• Specify the SNMP version to support. Version 1,
the default, is not available with informs.
• For community-string, specify the string to send
with the notification operation. Though you can
set this string by using the snmp-server host
command, we recommend that you define this
string by using the snmp-server community
command before using the snmp-server host
command.
• For notification-type, use the mac-notification
keyword.
Step 3 snmp-server enable traps mac-notification move Enables the switch to send MAC move notification
traps to the NMS.
To disable the switch from sending MAC notification
traps, use the
no snmp-server enable traps mac-notification
move global configuration command.
Step 4 mac address-table notification mac-move Enables the MAC-move notification feature.
To disable this feature, use the
no mac-address-table notification mac-move
global configuration command.
Step 5 end Returns to privileged EXEC mode.
Step 6 show mac address-table notification mac-move Displays the MAC-move notification status.
show running-config
Step 7 copy running-config startup-config (Optional) Saves your entries in the configuration
file.

This example shows how to specify 172.69.59.93 as the network management system, enable the switch
to send MAC move notification traps to the NMS, enable the MAC move notification feature, and enable
traps whenever a MAC address moves from one port to another:
Switch# configure terminal
Switch(config)# snmp-server host 172.69.59.93 private mac-notification
Switch(config)# snmp-server enable traps mac-notification move
Switch(config)# mac address-table notification mac-move
Switch(config)# end
Switch# show mac address-table notification mac-move
MAC Move Notification: Enabled

Configuring MAC Threshold Notification Traps
When you configure MAC threshold notification, an SNMP notification is generated and sent to the
network management system when a MAC address table (MAT) threshold limit is reached or exceeded.
To configure MAC address threshold notification, perform this task:

Command Purpose
Step 1 configure terminal Enters global configuration mode.
Step 2 snmp-server host host-addr [traps | informs] {version {1|2c|3}} [auth | noauth | priv] community-string [udp-port port] [notification-type] Specifies the recipient of the trap message.
• For host-addr, specify the name or address of the NMS.
• Specify traps (the default) to send SNMP traps
to the host. Specify informs to send SNMP
informs to the host.
• Specify the SNMP version to support. Version 1,
the default, is not available with informs.
• For community-string, specify the string to send
with the notification operation. Though you can
set this string by using the snmp-server host
command, we recommend that you define this
string by using the snmp-server community
command before using the snmp-server host
command.
• For notification-type, use the mac-notification
keyword.
Step 3 snmp-server enable traps mac-notification threshold Enables the switch to send MAC threshold
notification traps to the NMS.
To disable the switch from sending MAC threshold
notification traps, use the
no snmp-server enable traps mac-notification
threshold global configuration command.
Step 4 mac address-table notification threshold Enables the MAC address threshold notification
feature.
To disable this feature, use the
no mac address-table notification threshold global
configuration command.
Step 5 mac address-table notification threshold [limit percentage] | [interval time] Enters the threshold value for the MAT usage monitoring.
• (Optional) For limit percentage, specify the
percentage of the MAT utilization; valid values
are from 1 to 100 percent. Default is 50 percent.
• (Optional) For interval time, specify the time
between notifications; valid values are greater
than or equal to 120 seconds. Default is 120
seconds.
Step 6 end Returns to privileged EXEC mode.
Step 7 show mac address-table notification threshold
show running-config Displays the MAC utilization threshold notification status.
Step 8 copy running-config startup-config (Optional) Saves your entries in the configuration
file.

This example shows how to specify 172.69.59.93 as the network management system, enable the MAC
threshold notification feature, enable the switch to send MAC threshold notification traps to the NMS,
set the interval to 123 seconds, and set the limit to 78 percent:
Switch# configure terminal
Switch(config)# snmp-server host 172.69.59.93 private mac-notification
Switch(config)# snmp-server enable traps mac-notification threshold
Switch(config)# mac address-table notification threshold
Switch(config)# mac address-table notification threshold interval 123
Switch(config)# mac address-table notification threshold limit 78
Switch(config)# end
Switch# show mac-address-table notification threshold
Status limit Interval
-------------+-----------+-------------
enabled 78 123
Switch#
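The MAC change and MAC threshold notification tasks above are only useful to a monitoring team if the traps stay enabled on the ports that matter and the threshold limit and interval stay within policy, which is worth verifying from the switch's own output rather than from the intended configuration. The Python below is an added example, not code from the guide or from Cisco: it parses the `show mac address-table notification change interface` and `show mac address-table notification threshold` output formats shown in the two examples above and reports drift. The sample outputs are constructed, and the 80 percent policy maximum for the threshold limit is an assumed local policy value, not a figure from the guide.

```python
import re
from typing import Dict, List, Optional, Tuple

_FEATURE_RE = re.compile(r"MAC Notification Feature is (Enabled|Disabled)")
# One row of the per-interface flag table: "<interface> <added flag> <removed flag>".
_FLAG_ROW_RE = re.compile(r"^(\S+)\s+(Enabled|Disabled)\s+(Enabled|Disabled)\s*$", re.MULTILINE)
# The status row of the threshold display: "<status> <limit> <interval>".
_THRESHOLD_ROW_RE = re.compile(r"^(enabled|disabled)\s+(\d+)\s+(\d+)\s*$", re.MULTILINE)

MIN_THRESHOLD_INTERVAL = 120  # smallest valid interval, as stated in the guide


def parse_change_flags(text: str) -> Tuple[bool, Dict[str, Tuple[bool, bool]]]:
    """Return (feature enabled?, {interface: (added trap on?, removed trap on?)})."""
    m = _FEATURE_RE.search(text)
    feature_on = bool(m and m.group(1) == "Enabled")
    flags = {iface: (added == "Enabled", removed == "Enabled")
             for iface, added, removed in _FLAG_ROW_RE.findall(text)}
    return feature_on, flags


def parse_threshold(text: str) -> Optional[Dict[str, int]]:
    """Return {'enabled', 'limit', 'interval'} from the threshold display, or None."""
    m = _THRESHOLD_ROW_RE.search(text)
    if m is None:
        return None
    return {"enabled": m.group(1) == "enabled",
            "limit": int(m.group(2)), "interval": int(m.group(3))}


def audit(change_text: str, threshold_text: str,
          monitored: Optional[List[str]] = None, max_limit: int = 80) -> List[str]:
    """List findings; monitored restricts the port check, otherwise every listed port is checked."""
    findings: List[str] = []
    feature_on, flags = parse_change_flags(change_text)
    if not feature_on:
        findings.append("MAC change notification feature is disabled on the switch")
    for iface in (monitored if monitored is not None else sorted(flags)):
        added, removed = flags.get(iface, (False, False))  # missing port counts as unmonitored
        if not added:
            findings.append(f"{iface}: MAC added trap disabled")
        if not removed:
            findings.append(f"{iface}: MAC removed trap disabled")
    thr = parse_threshold(threshold_text)
    if thr is None or not thr["enabled"]:
        findings.append("MAC threshold notification is disabled or its status could not be parsed")
    else:
        if thr["limit"] > max_limit:
            findings.append(f"threshold limit {thr['limit']}% exceeds policy maximum {max_limit}%")
        if thr["interval"] < MIN_THRESHOLD_INTERVAL:
            findings.append(f"threshold interval {thr['interval']}s is below {MIN_THRESHOLD_INTERVAL}s")
    return findings


# Constructed command output in the layout the guide's examples show.
CONSTRUCTED_CHANGE_OUTPUT = """\
MAC Notification Feature is Enabled on the switch
MAC Notification Flags For All Ethernet Interfaces :
----------------------------------------------------
Interface MAC Added Trap MAC Removed Trap
--------- -------------- ----------------
GigabitEthernet1/1 Enabled Enabled
GigabitEthernet1/2 Enabled Disabled
GigabitEthernet1/3 Disabled Disabled
"""

CONSTRUCTED_THRESHOLD_OUTPUT = """\
Status limit Interval
-------------+-----------+-------------
enabled 78 123
"""

if __name__ == "__main__":
    for finding in audit(CONSTRUCTED_CHANGE_OUTPUT, CONSTRUCTED_THRESHOLD_OUTPUT):
        print(finding)
```

Pass `monitored` as the list of ports your detection rules depend on (access ports where a new or moved MAC should raise an alert); a port absent from the switch output is then reported rather than silently skipped.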

Adding and Removing Static Address Entries
A static address has these characteristics:
• It is manually entered in the address table and must be manually removed.
• It can be a unicast or multicast address.
• It does not age and is retained when the switch restarts.
You can add and remove static addresses and define the forwarding behavior for them. The forwarding
behavior defines how a port that receives a packet forwards it to another port for transmission. Because
all ports are associated with at least one VLAN, the switch acquires the VLAN ID for the address from
the ports that you specify. You can specify a different list of destination ports for each source port.
A packet with a static address that arrives on a VLAN where it has not been statically entered is flooded
to all ports and not learned.
You add a static address to the address table by specifying the destination MAC unicast address and the
VLAN from which it is received. Packets received with this destination address are forwarded to the
interface specified with the interface-id option.
When you configure a static MAC address in a private-VLAN primary or secondary VLAN, you should
also configure the same static MAC address in all associated VLANs. Static MAC addresses configured
in a private-VLAN primary or secondary VLAN are not replicated in the associated VLAN. For more
information about PVLANs, see Chapter 44, “Configuring Private VLANs.”


To add a static address, perform this task:

Command / Purpose

Step 1  configure terminal
        Enters global configuration mode.

Step 2  mac address-table static mac-addr vlan vlan-id interface interface-id
        Adds a static address to the MAC address table.
        • For mac-addr, specify the destination MAC unicast address to add to the address table. Packets with this destination address received in the specified VLAN are forwarded to the specified interface.
        • For vlan-id, specify the VLAN for which the packet with the specified MAC address is received. Valid VLAN IDs are 1 to 4094.
        • For interface-id, specify the interface to which the received packet is forwarded. Valid interfaces include physical ports or port channels.
        You can specify static multicast addresses for multiple interface IDs. However, you cannot assign a static unicast MAC address to multiple interfaces with the same MAC address and VLAN ID.
        To remove static entries from the address table, use the no mac address-table static mac-addr vlan vlan-id [interface interface-id] global configuration command.

Step 3  end
        Returns to privileged EXEC mode.

Step 4  show mac address-table static
        Verifies your entries.

Step 5  copy running-config startup-config
        (Optional) Saves your entries in the configuration file.

This example shows how to add the static address c2f3.220a.12f4 to the MAC address table. When a
packet is received in VLAN 4 with this MAC address as its destination address, the packet is forwarded
to the specified port:
Switch# configure terminal
Switch(config)# mac address-table static c2f3.220a.12f4 vlan 4 interface
gigabitethernet0/1
Switch(config)# end
Switch#

Configuring Unicast MAC Address Filtering
When unicast MAC address filtering is enabled, the switch drops packets with specific source or
destination MAC addresses. This feature is disabled by default and only supports unicast static
addresses.
When using unicast address filtering, consider these guidelines:
• Multicast MAC addresses, broadcast MAC addresses, and router MAC addresses are not supported.
If you specify one of these addresses when entering the mac address-table static vlan drop global
configuration command, one of these messages appears:
% Only unicast addresses can be configured to be dropped

% CPU destined address cannot be configured as drop address

• Packets that are forwarded to the CPU are also not supported.


• If you add a unicast MAC address as a static address and configure unicast MAC address filtering,
the switch either adds the MAC address as a static address or drops packets with that MAC address,
depending on which command was entered last. The second command that you entered overrides the
first command.
For example, if you enter the mac address-table static vlan interface global configuration
command followed by the mac address-table static vlan drop command, the switch drops packets
with the specified MAC address as a source or destination.
If you enter the mac address-table static vlan drop global configuration command followed by the
mac address-table static vlan interface command, the switch adds the MAC address as a static
address.
You enable unicast MAC address filtering and configure the switch to drop packets with a specific
address by specifying the source or destination unicast MAC address and the VLAN from which it is
received.
To configure the switch to drop a source or destination unicast static address, perform this task:

Command / Purpose

Step 1  configure terminal
        Enters global configuration mode.

Step 2  mac address-table static mac-addr vlan vlan-id drop
        Enables unicast MAC address filtering and configures the switch to drop a packet with the specified source or destination unicast static address.
        • For mac-addr, specify a source or destination unicast MAC address. Packets with this MAC address are dropped.
        • For vlan-id, specify the VLAN for which the packet with the specified MAC address is received. Valid VLAN IDs are 1 to 4094.
        To disable unicast MAC address filtering, use the no mac address-table static vlan global configuration command.

Step 3  end
        Returns to privileged EXEC mode.

Step 4  show mac address-table static
        Verifies your entries.

Step 5  copy running-config startup-config
        (Optional) Saves your entries in the configuration file.

This example shows how to enable unicast MAC address filtering and to configure the switch to drop
packets that have a source or destination address of c2f3.220a.12f4. When a packet is received in
VLAN 4 with this MAC address as its source or destination, the packet is dropped:
Switch# configure terminal
Switch(config)# mac address-table static c2f3.220a.12f4 vlan 4 drop
Switch(config)# end
Switch#

Note To filter MAC addresses on a secondary VLAN, specify the corresponding primary VLAN in the above
configuration. If the specified VLAN is a primary VLAN, all matching packets received in this primary
VLAN and associated secondary VLANs are dropped.
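The static-entry and unicast-filtering rules described in the two sections above (unicast versus multicast static entries, the "last command wins" override between interface and drop, and the addresses that cannot be dropped), modelled as an added Python example that is not Cisco code. The switch-owned MAC set and the "newer port replaces the older one" behaviour for unicast entries are this model's assumptions.

```python
"""Model of the static-MAC and unicast-filter rules documented above.

Added example, not Cisco code: it mirrors the documented effect of
'mac address-table static MAC vlan VLAN interface IF' and '... vlan VLAN drop'
so a change can be reviewed before it is pushed to a switch.
"""
import re
from dataclasses import dataclass, field

MAC_RE = re.compile(r"^([0-9a-f]{4})\.([0-9a-f]{4})\.([0-9a-f]{4})$")
BROADCAST = "ffff.ffff.ffff"


def parse_mac(mac: str) -> bytes:
    """Parse Cisco dotted-hex notation (c2f3.220a.12f4) into six bytes."""
    m = MAC_RE.match(mac.lower())
    if not m:
        raise ValueError(f"bad MAC address format: {mac}")
    return bytes.fromhex("".join(m.groups()))


def is_multicast(mac: str) -> bool:
    """The I/G bit (least-significant bit of the first octet) marks a group address."""
    return bool(parse_mac(mac)[0] & 0x01)


def check_vlan(vlan: int) -> None:
    if not 1 <= vlan <= 4094:
        raise ValueError(f"VLAN ID {vlan} outside 1-4094")


@dataclass
class StaticEntry:
    action: str                                  # "forward" or "drop"
    interfaces: set = field(default_factory=set)


@dataclass
class MacTable:
    # MACs owned by the switch itself (router/CPU addresses); the guide says
    # these can never be drop entries. Constructed sample set, an assumption.
    cpu_macs: set = field(default_factory=set)
    entries: dict = field(default_factory=dict)  # (mac, vlan) -> StaticEntry

    def static_interface(self, mac: str, vlan: int, interface: str) -> str:
        """'mac address-table static MAC vlan VLAN interface IF'; '' on success."""
        mac = mac.lower()
        check_vlan(vlan)
        key = (mac, vlan)
        cur = self.entries.get(key)
        if cur is None or cur.action == "drop":
            # The command entered last wins: 'interface' replaces 'drop'.
            self.entries[key] = StaticEntry("forward", {interface})
        elif is_multicast(mac):
            cur.interfaces.add(interface)        # multicast: many ports allowed
        else:
            # Unicast cannot map to several ports for one (mac, vlan); the
            # newer port replacing the old one is this model's assumption.
            cur.interfaces = {interface}
        return ""

    def static_drop(self, mac: str, vlan: int) -> str:
        """'mac address-table static MAC vlan VLAN drop'; returns the error text."""
        mac = mac.lower()
        check_vlan(vlan)
        if mac == BROADCAST or is_multicast(mac):
            return "% Only unicast addresses can be configured to be dropped"
        if mac in self.cpu_macs:
            return "% CPU destined address cannot be configured as drop address"
        # The command entered last wins: 'drop' replaces 'interface'.
        self.entries[(mac, vlan)] = StaticEntry("drop")
        return ""

    def no_static(self, mac: str, vlan: int, interface: str = None) -> None:
        """'no mac address-table static MAC vlan VLAN [interface IF]'"""
        key = (mac.lower(), vlan)
        cur = self.entries.get(key)
        if cur is None:
            return
        if interface is None or cur.action == "drop":
            del self.entries[key]
            return
        cur.interfaces.discard(interface)
        if not cur.interfaces:
            del self.entries[key]

    def lookup(self, mac: str, vlan: int):
        """('forward', ports) / ('drop', set()) / None when no static entry."""
        e = self.entries.get((mac.lower(), vlan))
        return None if e is None else (e.action, set(e.interfaces))


if __name__ == "__main__":
    t = MacTable(cpu_macs={"0011.2233.4455"})    # constructed switch MAC
    t.static_interface("c2f3.220a.12f4", 4, "GigabitEthernet0/1")
    print(t.static_drop("c2f3.220a.12f4", 4) or "drop replaced the static port entry")
    print(t.static_drop("0100.5e01.0101", 4))    # rejected: multicast address
    print(t.lookup("c2f3.220a.12f4", 4))
```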


Disabling MAC Address Learning on a VLAN
By default, MAC address learning is enabled on all VLANs on the switch. By controlling which VLANs
can learn MAC addresses, you can manage the available MAC address table space. By disabling learning
on a VLAN, you can conserve the MAC address table space because all the MAC addresses seen on this
VLAN are not learned.
Before disabling MAC address learning, you should understand the network topology and features
deployed. Many Layer 2 features use MAC addresses and may not work properly if learning is disabled.
Because disabling learning causes flooding of packets, you need to understand the impact of flooding on
the network.
These sections contain this information:
• Configuring Disable MAC Address Learning, page 4-39
• Usage Guidelines, page 4-40
• Deployment Scenarios, page 4-40
• Feature Compatibility, page 4-42
• Feature Incompatibility, page 4-43

Configuring Disable MAC Address Learning
To disable MAC address learning on a VLAN, perform this task:

Command / Purpose

Step 1  Switch# configure terminal
        Enters global configuration mode.

Step 2  Switch(config)# no mac address-table learning vlan vlan-id range
        Disables MAC address learning on the specified VLAN or VLANs. You can specify a single VLAN ID or a range of VLAN IDs separated by a hyphen or comma. Valid VLAN IDs are 1 to 4094.
        You can reenable MAC address learning on a VLAN by entering the mac address-table learning vlan global configuration command.

Step 3  Switch(config)# end
        Returns to privileged EXEC mode.

Step 4  Switch# show mac address-table learning [vlan vlan-id range]
        Displays the MAC address learning status of all VLANs or a specified VLAN.

Step 5  Switch# copy running-config startup-config
        (Optional) Saves your entries in the configuration file.

This example shows how to disable learning on any VLAN or range of VLANs:
Switch# configure terminal
Switch(config)# no mac address-table learning vlan 9-16
Switch(config)# end
Switch#

Switch# show mac address-table learning
Learning disabled on vlans: 9-11,13-16

Switch# show mac address-table learning vlan 10-15
Learning disabled on vlans: 10-11,13-15


Usage Guidelines

Note These guidelines are advisory only. Contact the Cisco solution provider team for specific solution
implementations.

When disabling MAC address learning on a VLAN, consider these guidelines:
• If learning is disabled on a VLAN with an SVI interface, the switch floods every IP packet in the Layer 2 domain. Because this flooding may be undesirable, disable MAC address learning on an SVI VLAN carefully.
• If you provide a VLAN range that includes reserved VLANs (such as 1000-1006), the command is accepted and learning is disabled for all VLANs in the range except the reserved VLANs 1002-1005 (that is, learning is disabled on 1000-1001,1006). However, if you specify an invalid range (such as 1-5000), the command fails and learning is not disabled on any of the VLANs.
• With PVLANs, you need to disable learning on the primary VLAN and all secondary VLANs associated with that primary VLAN. Otherwise, you encounter traffic flooding in one direction and unicast flooding in the other direction.
• Before you disable MAC address learning on a VLAN, consider the flooding implications.
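The range handling, reserved-VLAN exclusion and PVLAN guideline described above, as an added Python example (not Cisco code). It parses the VLAN range syntax the command accepts, applies the two documented rules (reserved VLANs 1002-1005 are skipped; any ID outside 1 to 4094 rejects the whole command), renders the compressed list that show mac address-table learning prints, and flags PVLAN groups that are only partly disabled; the PVLAN map is a constructed input.

```python
"""Model of 'no mac address-table learning vlan <range>' as documented above.

Added example, not Cisco code. Only the rules stated in the guide are
modelled: valid IDs are 1-4094, reserved VLANs 1002-1005 are silently
skipped, and an invalid range fails the whole command.
"""
VLAN_MIN, VLAN_MAX = 1, 4094
RESERVED = set(range(1002, 1006))   # 1002-1005


def parse_vlan_range(spec: str) -> set:
    """'9-16' or '1,10-12,20' -> set of IDs; raises ValueError on any invalid ID."""
    vlans = set()
    for part in spec.replace(" ", "").split(","):
        if not part:
            continue
        lo, _, hi = part.partition("-")
        lo_i = int(lo)
        hi_i = int(hi) if hi else lo_i
        if lo_i > hi_i or lo_i < VLAN_MIN or hi_i > VLAN_MAX:
            raise ValueError(f"invalid VLAN range: {part}")
        vlans.update(range(lo_i, hi_i + 1))
    return vlans


def compress(vlans) -> str:
    """Render {9,10,11,13,14,15,16} as '9-11,13-16', like the show command."""
    ids = sorted(vlans)
    out = []
    i = 0
    while i < len(ids):
        j = i
        while j + 1 < len(ids) and ids[j + 1] == ids[j] + 1:
            j += 1
        out.append(str(ids[i]) if i == j else f"{ids[i]}-{ids[j]}")
        i = j + 1
    return ",".join(out)


class LearningState:
    """Tracks which VLANs have MAC learning disabled (all enabled by default)."""

    def __init__(self):
        self.disabled = set()

    def no_learning(self, spec: str) -> str:
        """'no mac address-table learning vlan <spec>'; returns the accepted VLANs."""
        try:
            requested = parse_vlan_range(spec)
        except ValueError:
            return ""                     # invalid range: command fails, no change
        accepted = requested - RESERVED   # reserved VLANs are skipped, rest accepted
        self.disabled |= accepted
        return compress(accepted)

    def learning(self, spec: str) -> None:
        """'mac address-table learning vlan <spec>' re-enables learning."""
        self.disabled -= parse_vlan_range(spec)

    def show(self, spec: str = None) -> str:
        """Output line of 'show mac address-table learning [vlan <spec>]'."""
        shown = self.disabled if spec is None else self.disabled & parse_vlan_range(spec)
        return "Learning disabled on vlans: " + compress(shown)


def pvlan_learning_issues(state: LearningState, pvlan_map: dict) -> list:
    """Report primaries whose primary+secondary set is not disabled as a whole.

    pvlan_map: {primary_vlan: [secondary_vlan, ...]} (constructed input).
    """
    issues = []
    for primary, secondaries in pvlan_map.items():
        group = {primary, *secondaries}
        if group & state.disabled and not group <= state.disabled:
            missing = compress(group - state.disabled)
            issues.append(f"primary VLAN {primary}: learning still enabled on {missing}")
    return issues


if __name__ == "__main__":
    s = LearningState()
    s.no_learning("9-16")
    print(s.show())                     # Learning disabled on vlans: 9-16
    print(s.no_learning("1000-1006"))   # 1000-1001,1006 (1002-1005 skipped)
    print(repr(s.no_learning("1-5000")))  # '' : whole command rejected
    s.no_learning("100")                # constructed PVLAN primary, secondaries left enabled
    print(pvlan_learning_issues(s, {100: [101, 102]}))
```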

Deployment Scenarios
This section includes these deployment scenarios:
• Metro (Point to Point Links), page 4-40
• Network Load Balancers, page 4-41
• Layer 2 Firewall or Cache, page 4-42

Metro (Point to Point Links)

In this topology, you have two ports on a VLAN; traffic enters one and must exit the other. On a
point-to-point link in metro networks, numerous MAC addresses are seen on these types of ports. By
disabling learning on the VLAN to which these two ports belong, many entries in the MAC address table
can be saved. Because there is only one egress port for the traffic, you can flood the packet and avoid
having to learn all the MAC addresses seen on this port. This process saves considerable space in the
MAC address table.
To obtain source learning, packets are bridged as Layer 2 flood packets. Replicated packets use a distinct
dedicated bandwidth. Regardless of the number of ports in a flood set, a flood packet always consumes
replication packet bandwidth, which consumes some multicast and broadcast packet-processing
bandwidth (Figure 4-2).


Figure 4-2 Disabling MAC Address Learning: Point-to-Point Links
(Figure not reproduced. Labels shown: Core Switch; Distribution Switch (L2/L3); External and Internal FW interface; L2 Firewall; FW Sync; Access Switch; VLAN a, VLAN b, VLAN c; Security Area = (VLAN b, VLAN c).)

Network Load Balancers

In this topology, you have two devices, one active and one standby. To perform load balancing, both
devices must receive all packets. You could place both devices on the same VLAN. If learning can be
disabled on this VLAN, the packet is flooded and both devices receive all traffic destined to any MAC
address on the VLAN. You also can assign a multicast MAC address to both load balancers to ensure
that all packets reach them (Figure 4-3).

Figure 4-3 Disabling MAC Address Learning: Network Load Balancers
(Figure not reproduced. Labels shown: Gi 3/1, Gi 3/2, VLAN 10.)


Layer 2 Firewall or Cache

In this topology, a rewritten Layer 3 packet is routed back to a Layer 2 firewall (or cache) before exiting.
When the packet reenters the switch from the firewall, it possesses the switch’s MAC address because
the packet was previously routed. If the ingress port is a switch port, the switch learns the router’s MAC
address. For a routed port or SVI, however, the switch does not learn the address. Source misses are
generated continuously for all arriving data packets and the switch shows a very high CPU utilization.
By disabling learning on the VLAN that the firewall or cache egress is connected to, you will routinely
suppress the source miss and do not observe high CPU utilization (Figure 4-4).

Figure 4-4 Disabling MAC Address Learning: Layer 2 Firewall/Cache
(Figure not reproduced. Labels shown: Gi 3/1, Gi 3/2, VLAN 10, Load balancer 1, Load balancer 2, Web server 1.)

Feature Compatibility
The following features are compatible with disabling MAC address learning on a VLAN:
• EtherChannel—The learning disable feature has no impact on EtherChannel provided that the MAC
learning state is either disabled or enabled for a VLAN on EtherChannel ports.
• Switch Virtual Interface (SVI, Layer 3 on a VLAN)—The learning disable feature has no impact
on SVI. Although disabling MAC address learning on an SVI VLAN causes flooding, it does not
impact any Layer 3 feature.
• REP—The learning disable feature has no impact on REP provided that the MAC learning state is
either disabled or enabled for an active VLAN on a port where REP is running.
• Unicast, Multicast, and Broadcast—When you disable learning on a VLAN, learning is disabled for
all types of traffic.
• DAI, ESMP, and IGMP snooping—These features do not interact with the learning disable feature.
• Control packets—Control packets arrive at the CPU even if learning is disabled.
• RSPAN—Learning on a VLAN and on an RSPAN are compatible.
• VLAN translation—To disable learning on a VLAN that is being translated, you must disable
learning on the translated VLAN.


Feature Incompatibility
The following features are incompatible with disabling MAC address learning and do not work properly
when the feature is enabled:
• 802.1X—The 802.1X class of features does not work when learning is disabled because some of
these features require source miss, which is ignored.
• Port security—Port security requires learning to be enabled on the VLAN. To secure MAC addresses,
packets must first arrive at the CPU. However, if you disable learning on a VLAN, SA suppression
ensures that packets do not operate this way.
• Unicast flood blocking—When unicast flood blocking is enabled on a port, it is removed from the
VLAN flood set. If learning is disabled on the same VLAN, the host connected to that port does not
receive traffic.
• DHCP snooping—To send the packet out the correct port once a DHCP request has been resolved,
DHCP snooping must learn the MAC address. If you disable learning, the switch does not know on
which port to exit the packet; the two features are incompatible.
• Broadcast storm control—This feature does not interact with the learning disable feature.
• Flooding of packets in a VLAN domain in which learning is disabled through PVL.

Partial Feature Incompatibility
Although the following features are partially incompatible with disabling MAC address learning, they
still retain a large portion of their functionality:
• FlexLink—FlexLink functions and upstream convergence are not impacted. However, downstream
fast convergence uses the MAC table to send dummy multicast packets for each learned MAC address
upstream to expedite downstream convergence. This does not happen if you have disabled learning.
FlexLink downstream convergence still occurs naturally, but it is slower if learning is disabled on that
VLAN.
• PVLAN—To observe correct behavior, you must disable learning on the primary VLAN and all
secondary VLANs associated with the primary VLAN.

Note To avoid confusion, configure PVLAN similarly on both the primary and secondary VLANs in
the PVLAN space.

• Spanning Tree (STP)—Except for the UplinkFast feature, per-VLAN spanning tree functionality is
not impacted. To achieve faster downstream convergence, UplinkFast forwards dummy multicast
packets using learned MAC addresses. This action is not possible unless MAC learning is enabled.


Displaying Address Table Entries
You can display the MAC address table by using one or more of the privileged EXEC commands
described in Table 4-5.

Table 4-5 Commands for Displaying the MAC Address Table

Command Description
show ip igmp snooping groups Displays the Layer 2 multicast entries for all VLANs or the specified VLAN.
show mac address-table address Displays MAC address table information for the specified MAC address.
show mac address-table aging-time Displays the aging time in all VLANs or the specified VLAN.
show mac address-table count Displays the number of addresses present in all VLANs or the specified VLAN.
show mac address-table dynamic Displays only dynamic MAC address table entries.
show mac address-table interface Displays the MAC address table information for the specified interface.
show mac address-table notification Displays the MAC notification parameters and history table.
show mac address-table static Displays only static MAC address table entries.
show mac address-table vlan Displays the MAC address table information for the specified VLAN.

Managing the ARP Table
To communicate with a device (over Ethernet, for example), the software first must learn the 48-bit MAC
address or the local data link address of that device. The process of learning the local data link address
from an IP address is called address resolution.
The Address Resolution Protocol (ARP) associates a host IP address with the corresponding media or
MAC addresses and the VLAN ID. Using an IP address, ARP finds the associated MAC address. When
a MAC address is found, the IP-MAC address association is stored in an ARP cache for rapid retrieval
and the IP datagram is encapsulated in a link-layer frame and sent over the network. Encapsulation of IP
datagrams and ARP requests and replies on IEEE 802 networks other than Ethernet is specified by the
Subnetwork Access Protocol (SNAP). By default, standard Ethernet-style ARP encapsulation
(represented by the arpa keyword) is enabled on the IP interface.
ARP entries added manually to the table do not age and must be manually removed.
For CLI procedures, see the Cisco IOS Release 12.3 documentation on Cisco.com.

Configuring Embedded CiscoView Support
The Catalyst 4500 series switch supports CiscoView web-based administration using the Catalyst Web
Interface (CWI) tool. CiscoView is a device management application that can be embedded on the switch
flash and provides dynamic status, monitoring, and configuration information for your switch.
CiscoView displays a physical view of your switch chassis with color-coded modules and ports and
monitoring capabilities that display the switch status, performance, and other statistics. Configuration
capabilities allow comprehensive changes to devices, if the required security privileges have been
granted. The configuration and monitoring capabilities for the Catalyst 4500 series of switches mirror
those available in CiscoView in all server-based CiscoWorks solutions, including CiscoWorks LAN
Management Solution (LMS) and CiscoWorks Routed WAN Management Solution (RWAN).


These sections describe the Embedded CiscoView support available with
Cisco IOS Release 12.1(20)EW and later releases:
• Understanding Embedded CiscoView, page 4-45
• Installing and Configuring Embedded CiscoView, page 4-45
• Displaying Embedded CiscoView Information, page 4-48

Understanding Embedded CiscoView
The Embedded CiscoView network management system is a web-based interface that uses HTTP and
SNMP to provide a graphical representation of the switch and to provide a GUI-based management and
configuration interface.

Installing and Configuring Embedded CiscoView
To install and configure Embedded CiscoView, perform this task:

Command / Purpose

Step 1   Switch# dir device_name
         Displays the contents of the device. If you are installing Embedded CiscoView for the first time, or if the CiscoView directory is empty, skip to Step 5.

Step 2   Switch# delete device_name:cv/*
         Removes existing files from the CiscoView directory.

Step 3   Switch# squeeze device_name:
         Recovers the space in the file system.

Step 4   Switch# copy tftp bootflash
         Copies the tar file to bootflash.

Step 5   Switch# archive tar /xtract tftp://ip address of tftp server/ciscoview.tar device_name:cv
         Extracts the CiscoView files from the tar file on the TFTP server to the CiscoView directory.

Step 6   Switch# dir device_name:
         Displays the contents of the device. In a redundant configuration, repeat Step 1 through Step 6 for the file system on the redundant supervisor engine.

Step 7   Switch# configure terminal
         Enters global configuration mode.

Step 8   Switch(config)# ip http server
         Enables the HTTP web server.

Step 9   Switch(config)# snmp-server community string ro
         Configures the SNMP password for read-only operation.

Step 10  Switch(config)# snmp-server community string rw
         Configures the SNMP password for read/write operation.

Note The default password for accessing the switch web page is the enable-level password of the switch.


The following example shows how to install and configure Embedded CiscoView on your switch:
Switch# dir
Directory of bootflash:/
1 -rw- 9572396 Dec 30 2002 01:05:01 +00:00 cat4000-i9k2s-mz.121-19.EW
2 -rw- 9604192 Jan 3 2003 07:46:49 +00:00 cat4000-i5k2s-mz.121-19.EW
3 -rw- 1985024 Jan 21 2003 03:31:20 +00:00 Cat4000IOS.v4-0.tar
4 -rw- 1910127 Jan 23 2003 04:23:39 +00:00 cv/Cat4000IOS-4.0.sgz
5 -rw- 7258 Jan 23 2003 04:23:46 +00:00 cv/Cat4000IOS-4.0_ace.html
6 -rw- 405 Jan 23 2003 04:23:46 +00:00 cv/Cat4000IOS-4.0_error.html
7 -rw- 2738 Jan 23 2003 04:23:46 +00:00 cv/Cat4000IOS-4.0_install.html
8 -rw- 20450 Jan 23 2003 04:23:46 +00:00 cv/Cat4000IOS-4.0_jks.jar
9 -rw- 20743 Jan 23 2003 04:23:46 +00:00 cv/Cat4000IOS-4.0_nos.jar
10 -rw- 12383 Jan 23 2003 04:23:46 +00:00 cv/applet.html
11 -rw- 529 Jan 23 2003 04:23:46 +00:00 cv/cisco.x509
12 -rw- 2523 Jan 23 2003 04:23:46 +00:00 cv/identitydb.obj
13 -rw- 1173 Mar 19 2003 05:50:26 +00:00 post-2003.03.19.05.50.07-passed.txt

32578556 bytes total (38199688 bytes free)
Switch#
Switch# del cv/*
Delete filename [cv/*]?
Delete bootflash:cv/Cat4000IOS-4.0.sgz? [confirm]y
Delete bootflash:cv/Cat4000IOS-4.0_ace.html? [confirm]y
Delete bootflash:cv/Cat4000IOS-4.0_error.html? [confirm]y
Delete bootflash:cv/Cat4000IOS-4.0_install.html? [confirm]y
Delete bootflash:cv/Cat4000IOS-4.0_jks.jar? [confirm]y
Delete bootflash:cv/Cat4000IOS-4.0_nos.jar? [confirm]y
Delete bootflash:cv/applet.html? [confirm]y
Delete bootflash:cv/cisco.x509? [confirm]y
Delete bootflash:cv/identitydb.obj? [confirm]y
Switch#

Switch# squeeze bootflash:
All deleted files will be removed. Continue? [confirm]y
Squeeze operation may take a while. Continue? [confirm]y
Squeeze of bootflash complete
Switch#
Switch# copy tftp bootflash
Address or name of remote host []? 10.5.5.5
Source filename []? Cat4000IOS.v5-1.tar
Destination filename [Cat4000IOS.v5-1.tar]?
Accessing tftp://10.5.5.5/Cat4000IOS.v5-1.tar...
Loading Cat4000IOS.v5-1.tar from 10.5.5.5 (via FastEthernet2/1):
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
[OK - 2031616 bytes]

2031616 bytes copied in 11.388 secs (178400 bytes/sec)
Switch#
Switch# dir
Directory of bootflash:/
1 -rw- 9572396 Dec 30 2002 01:05:01 +00:00 cat4000-i9k2s-mz.121-19.EW
2 -rw- 9604192 Jan 3 2003 07:46:49 +00:00 cat4000-i5k2s-mz.121-19.EW
3 -rw- 1985024 Jan 21 2003 03:31:20 +00:00 Cat4000IOS.v4-0.tar
4 -rw- 1173 Mar 19 2003 05:50:26 +00:00 post-2003.03.19.05.50.07-passed.txt
5 -rw- 2031616 Mar 26 2003 05:33:12 +00:00 Cat4000IOS.v5-1.tar

32578556 bytes total (38199688 bytes free)


Switch#
Switch# archive tar /xtract Cat4000IOS.v5-1.tar /cv
extracting Cat4000IOS-5.1.sgz (1956591 bytes)
extracting Cat4000IOS-5.1_ace.html (7263 bytes)
extracting Cat4000IOS-5.1_error.html (410 bytes)
extracting Cat4000IOS-5.1_install.html (2743 bytes)
extracting Cat4000IOS-5.1_jks.jar (20450 bytes)
extracting Cat4000IOS-5.1_nos.jar (20782 bytes)
extracting applet.html (12388 bytes)
extracting cisco.x509 (529 bytes)
extracting identitydb.obj (2523 bytes)
Switch#
Switch# dir

Directory of bootflash:/
1 -rw- 9572396 Dec 30 2002 01:05:01 +00:00 cat4000-i9k2s-mz.121-19.EW
2 -rw- 9604192 Jan 3 2003 07:46:49 +00:00 cat4000-i5k2s-mz.121-19.EW
3 -rw- 1985024 Jan 21 2003 03:31:20 +00:00 Cat4000IOS.v4-0.tar
4 -rw- 1173 Mar 19 2003 05:50:26 +00:00 post-2003.03.19.05.50.07-passed.txt
5 -rw- 2031616 Mar 26 2003 05:33:12 +00:00 Cat4000IOS.v5-1.tar
6 -rw- 1956591 Mar 26 2003 05:36:11 +00:00 cv/Cat4000IOS-5.1.sgz
7 -rw- 7263 Mar 26 2003 05:36:19 +00:00 cv/Cat4000IOS-5.1_ace.html
8 -rw- 410 Mar 26 2003 05:36:19 +00:00 cv/Cat4000IOS-5.1_error.html
9 -rw- 2743 Mar 26 2003 05:36:19 +00:00 cv/Cat4000IOS-5.1_install.html
10 -rw- 20450 Mar 26 2003 05:36:19 +00:00 cv/Cat4000IOS-5.1_jks.jar
11 -rw- 20782 Mar 26 2003 05:36:19 +00:00 cv/Cat4000IOS-5.1_nos.jar
12 -rw- 12388 Mar 26 2003 05:36:19 +00:00 cv/applet.html
13 -rw- 529 Mar 26 2003 05:36:19 +00:00 cv/cisco.x509
14 -rw- 2523 Mar 26 2003 05:36:19 +00:00 cv/identitydb.obj

32578556 bytes total (7358284 bytes free)

Switch#
Switch# configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Switch(config)# ip http server
Switch(config)# snmp-server community public ro
Switch(config)# snmp-server community public rw
Switch(config)# exit
Switch# wr
Building configuration...
Compressed configuration from 2735 bytes to 1169 bytes[OK]
Switch# show ciscoview ?
package ADP Package Details
version ADP version
| Output modifiers
<

For more information about web access to the switch, refer to the “Using the Cisco Web Browser”
chapter in the Cisco IOS Configuration Fundamentals Configuration Guide at this URL:

http://www.cisco.com/en/US/docs/ios/fundamentals/configuration/guide/12_4t/cf_12_4t_book.html


Displaying Embedded CiscoView Information
To display the Embedded CiscoView information, enter the following commands:

Command Purpose
Switch# show ciscoview package Displays information about the Embedded CiscoView files.
Switch# show ciscoview version Displays the Embedded CiscoView version.

The following example shows how to display the Embedded CiscoView file and version information:
Switch# show ciscoview package
File source:
CVFILE SIZE(in bytes)
------------------------------------------------
Cat4000IOS-5.1.sgz 1956591
Cat4000IOS-5.1_ace.html 7263
Cat4000IOS-5.1_error.html 410
Cat4000IOS-5.1_install.html 2743
Cat4000IOS-5.1_jks.jar 20450
Cat4000IOS-5.1_nos.jar 20782
applet.html 12388
cisco.x509 529
identitydb.obj 2523

Switch# show ciscoview version
Engine Version: 5.3.4 ADP Device: Cat4000IOS ADP Version: 5.1 ADK: 49
Switch#

CHAPTER 5
Configuring Virtual Switching Systems

This chapter describes how to configure a virtual switching system (VSS) for the Catalyst 4500/4500X
series switch (Supervisor Engine 7-E, Supervisor Engine 7L-E, Supervisor Engine 8-E, Catalyst
4500-X). Cisco Release IOS XE 3.4.0SG and later releases support VSS.

Note For complete syntax and usage information for the commands used in this chapter, see these
publications:
• The Cisco IOS Virtual Switch Command Reference at this URL:
http://www.cisco.com/en/US/docs/ios/vswitch/command/reference/vs_book.html
• The Cisco IOS Software Release 12.4 Mainline at this URL:
http://www.cisco.com/en/US/products/ps6350/prod_command_reference_list.html

Note For complete syntax and usage information for the switch commands used in this chapter, see the Cisco
Catalyst 4500 Series Switch Command Reference and related publications at this location:

http://www.cisco.com/en/US/products/hw/switches/ps4324/index.html

If a command is not in the Catalyst 4500 Series Switch Command Reference, you can locate it in the
Cisco IOS library. See the Cisco IOS Master Command List, Release 12.2SX and related publications at
this location:

http://www.cisco.com/en/US/products/ps6350/index.html

This chapter consists of these sections:
• Understanding Virtual Switching Systems, page 5-2
• VSS Configuration Guidelines and Restrictions, page 5-28
• Configuring a VSS, page 5-30
• In-Service Software Upgrade (ISSU) on a VSS, page 5-55
• License Upgrade on a VSS, page 5-83


Understanding Virtual Switching Systems
These sections describe a VSS:
• VSS Overview, page 5-2
• VSS Redundancy, page 5-11
• Multichassis EtherChannels, page 5-14
• Packet Handling, page 5-16
• System Monitoring, page 5-20
• Dual-Active Detection, page 5-23
• Configuring a Recovery IP Address, page 5-25
• VSS Initialization, page 5-26

VSS Overview
Network operators increase network reliability by configuring switches and by provisioning links to the
redundant pairs. Figure 5-1 shows a typical switch network configuration. Redundant network elements
and redundant links can add complexity to network design and operation. Virtual switching simplifies
the network by reducing the number of network elements and hiding the complexity of managing
redundant switches and links.
A VSS combines a pair of Catalyst 4500 or 4500-X series switches into a single network element. The
VSS manages the redundant links, which externally act as a single port channel.
The VSS simplifies network configuration and operation by reducing the number of Layer 3 routing
neighbors and by providing a loop-free Layer 2 topology.

Figure 5-1 Typical Switch Network Design
(Figure not reproduced. Layers shown: Access, Distribution, Core.)

The following sections present an overview of the VSS. These topics are covered in detail in subsequent
chapters:
• Key Concepts, page 5-3
• VSS Functionality, page 5-5


• Hardware Requirements, page 5-9
• Understanding VSL Topology, page 5-11

Key Concepts
The VSS incorporates the following key concepts:
• Virtual Switching System, page 5-3
• VSS Active and VSS Standby Switch, page 5-3
• Virtual Switch Link, page 5-4
• Multichassis EtherChannel, page 5-5

Virtual Switching System

A VSS combines a pair of switches into a single network element. For example, a VSS in the distribution
layer of the network interacts with the access and core networks as if it were a single switch. See
Figure 5-2.
An access switch connects to both switches of the VSS using one logical port channel. The VSS manages
redundancy and load balancing on the port channel. This capability enables a loop-free Layer 2 network
topology. The VSS also simplifies the Layer 3 network topology by reducing the number of routing peers
in the network.

Figure 5-2 VSS in the Distribution Network
(Figure not reproduced. It shows the physical view and the logical view of a Virtual Distribution Switch connected to the Access layer.)

VSS Active and VSS Standby Switch

When you create or restart a VSS, the peer switches negotiate their roles. One switch becomes the VSS
Active switch, and the other switch becomes the VSS Standby switch.
The VSS Active controls the VSS, running the Layer 2 and Layer 3 control protocols for the switching
modules on both switches. The VSS Active switch also provides management functions for the VSS,
such as module online insertion and removal (OIR) and the console interface.
The VSS Active and VSS Standby switches perform packet forwarding for ingress data traffic on their
locally hosted interfaces. However, the VSS Standby switch sends all control traffic to the VSS Active
switch for processing.

Virtual Switch Link

For the two switches of the VSS to act as one network element, they need to share control information
and data traffic.
The virtual switch link (VSL) is a special link that carries control and data traffic between the two
switches of a VSS, as shown in Figure 5-3. The VSL is implemented as an EtherChannel with up to eight
links. The VSL gives control and management traffic higher priority than data traffic so that control and
management messages are never discarded. Data traffic is load balanced among the VSL links by the
EtherChannel load-balancing algorithm.

Note The EtherChannel load-balancing method is a global configuration; the VSL uses the same method.

Figure 5-3 Virtual Switch Link (Chassis 1 and Chassis 2 of the virtual switch joined by the virtual switch link, VSL)

When you configure an interface as a VSL member, all existing configuration is removed from the interface
except for specific allowed commands, and the system places the interface in a restricted mode in which
only specific configuration commands can be entered.
The following VSL configuration commands are inserted automatically on all VSL member ports:
• switchport mode trunk
• switchport nonegotiate
• no lldp transmit
• no lldp receive
• no cdp enable
• service-policy output VSL-Queuing-Policy
In VSL restricted mode, only these configuration commands are available:
• channel-group
• default
• description
• exit
• load-interval
• logging
• no
• power
• service-policy
• shutdown
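The auto-inserted command set and the restricted-mode command list above make VSL member ports easy to audit offline, for example in configuration backups or in templates prepared before a standalone-to-VSS conversion. The following Python script is an added example, not code from the Cisco guide: it parses an IOS-style running-config excerpt, finds the member ports of the VSL port-channel, and reports any auto-inserted command that is missing and any command whose keyword is outside the restricted-mode list. The interface names, the VSL channel-group number 10 and the stray `ip dhcp snooping trust` line in the sample are constructed for illustration and are not taken from a real switch.

```python
import re

# Commands the VSS inserts automatically on every VSL member port (listed in the guide).
VSL_AUTO_COMMANDS = {
    "switchport mode trunk",
    "switchport nonegotiate",
    "no lldp transmit",
    "no lldp receive",
    "no cdp enable",
    "service-policy output VSL-Queuing-Policy",
}

# First keywords that remain configurable in VSL restricted mode (listed in the guide).
VSL_ALLOWED_KEYWORDS = {
    "channel-group", "default", "description", "exit", "load-interval",
    "logging", "no", "power", "service-policy", "shutdown",
}

# Constructed sample running-config excerpt (not captured from a real switch).
# Te1/1/1 is a clean VSL member; Te1/1/2 has drifted; Te1/2/1 is not a VSL port.
SAMPLE_CONFIG = """\
interface TenGigabitEthernet1/1/1
 description VSL link to switch 2
 switchport mode trunk
 switchport nonegotiate
 no lldp transmit
 no lldp receive
 no cdp enable
 channel-group 10 mode on
 service-policy output VSL-Queuing-Policy
!
interface TenGigabitEthernet1/1/2
 description VSL link to switch 2 (drifted)
 switchport mode trunk
 switchport nonegotiate
 no lldp receive
 ip dhcp snooping trust
 channel-group 10 mode on
 service-policy output VSL-Queuing-Policy
!
interface TenGigabitEthernet1/2/1
 description uplink to core, not VSL
 switchport mode trunk
 channel-group 20 mode active
!
"""


def parse_interfaces(config_text):
    """Return {interface name: [sub-commands]} from an IOS running-config excerpt."""
    interfaces = {}
    current = None
    for raw in config_text.splitlines():
        line = raw.rstrip()
        if not line.strip() or line.strip() == "!":
            current = None            # "!" or a blank line ends the interface block
            continue
        if line.startswith("interface "):
            current = line.split(None, 1)[1]
            interfaces[current] = []
        elif current is not None and line.startswith(" "):
            interfaces[current].append(line.strip())
    return interfaces


def audit_vsl_member(commands):
    """Return a list of findings for one VSL member port (empty means compliant)."""
    findings = []
    present = set(commands)
    for required in sorted(VSL_AUTO_COMMANDS):
        if required not in present:
            findings.append(f"missing auto-inserted command: {required}")
    for cmd in commands:
        if cmd in VSL_AUTO_COMMANDS:
            continue                  # system-inserted lines are expected as-is
        if cmd.split()[0] not in VSL_ALLOWED_KEYWORDS:
            findings.append(f"command not permitted in VSL restricted mode: {cmd}")
    return findings


def audit_vsl_ports(config_text, vsl_channel_group):
    """Audit every interface bundled into the VSL port-channel number given."""
    member_re = re.compile(rf"^channel-group {vsl_channel_group}\b")
    results = {}
    for name, commands in parse_interfaces(config_text).items():
        if any(member_re.match(c) for c in commands):
            results[name] = audit_vsl_member(commands)
    return results


if __name__ == "__main__":
    for port, findings in audit_vsl_ports(SAMPLE_CONFIG, 10).items():
        print(port, "OK" if not findings else "")
        for finding in findings:
            print("   ", finding)
```

The audit only reads text, so it is safe to run against archived configurations; it does not replace the switch's own enforcement, which rejects disallowed commands at the CLI once the port is in restricted mode.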

Multichassis EtherChannel

Note Beginning with Cisco Release IOS XE 3.5.0E and IOS 15.2(1)SG, Layer 3 MEC is supported on the
Catalyst 4500 series switch. Cisco Release IOS XE 3.4.0SG does not support Layer 3 MEC.

An EtherChannel (also known as a port channel) is a collection of two or more physical links that
combine to form one logical link. Layer 2 protocols operate on the EtherChannel as a single logical
entity. A VSS enables the creation of Multichassis EtherChannel (MEC), which is an EtherChannel
whose member ports can be distributed across the member switches in a VSS. Because non-VSS
switches connected to a VSS view the MEC as a standard EtherChannel, non-VSS switches can connect
in a dual-homed manner. Figure 5-4 displays a dual-homed connection for an MEC into the VSS; the VSS
is seen as a single logical switch. Traffic traversing an MEC can be load balanced locally within a VSS
member switch much as in standard EtherChannels. Cisco MEC supports the bundling protocols LACP
and PAgP as well as ON mode.

Figure 5-4 VSS with MEC (Chassis 1 and Chassis 2 joined by the VSL, with an MEC dual-homed to both chassis)

VSS supports a maximum of 256 EtherChannels. This limit applies to the total number of regular
EtherChannels and MECs. Because the VSL requires two EtherChannel numbers (one for each switch
in the VSS), there are 254 user-configurable EtherChannels.
For information on how to configure Layer 3 Multichassis EtherChannels, see page 5-5.

VSS Functionality
The following sections describe the main functionality of a VSS:
• Redundancy and High Availability, page 5-6
• Packet Handling, page 5-6
• System Management, page 5-6
• Quad-Supervisor (In-chassis Standby Supervisor Engine) Support, page 5-6
• Asymmetric chassis support, page 5-8
• Interface Naming Convention, page 5-8
• Module Number Convention, page 5-8
• Key Software Features not Supported on VSS, page 5-8

Redundancy and High Availability

In a VSS, supervisor engine redundancy operates between the VSS Active and VSS Standby switch,
using stateful switchover (SSO) and nonstop forwarding (NSF). The peer switches exchange configuration
and state information across the VSL, and the VSS Standby supervisor engine runs in SSO-HOT mode.
The VSS Standby switch monitors the VSS Active switch using the VSL. If it detects a failure, the VSS
Standby switch initiates a switchover and takes on the VSS Active role. When the failed switch recovers,
it takes on the VSS Standby role.
If either the VSS Active switch fails or all links that belong to the VSL port-channel fail, the VSS
Standby switch initiates a switchover and assumes the role of the VSS Active switch. If the previous VSS
Active switch has failed, it reloads and boots as the VSS Standby switch. However, if only the VSL
port-channel failure caused the switchover, the previous VSS Active switch enters recovery mode
(provided dual-active detection is configured). In this scenario, the previous VSS Active chassis (now in
recovery mode) carries no traffic and only monitors the VSL link. When one link in the VSL
port-channel is up, the recovery mode switch reloads and boots as a VSS Standby chassis. For additional
information about dual-active detection, see the “Dual-Active Detection” section on page 5-23.

Packet Handling

The VSS Active supervisor engine runs the Layer 2 and Layer 3 protocols and features for the VSS and
manages all ports on both switches.
The VSS uses VSL to communicate protocol and system information between the peer switches and to
carry data traffic between the switches when required.
Both switches perform packet forwarding for ingress traffic on their interfaces. If possible, ingress traffic
is forwarded to an outgoing interface on the same switch to minimize data traffic that must traverse the
VSL.

System Management

The VSS Active supervisor engine acts as a single point of control for the VSS. For example, the VSS
Active supervisor engine handles OIR of switching modules on both switches. The VSS Active
supervisor engine uses VSL to send messages to and from local ports on the VSS Standby switch.
The command console on the VSS Active supervisor engine is used to control both switches. In virtual
switch mode, the command console on the VSS Standby supervisor engine blocks attempts to enter
configuration mode.
The VSS Standby switch runs a subset of system management tasks. For example, the VSS Standby
switch handles its own power management, linecard bringup, and other local hardware management.

Quad-Supervisor (In-chassis Standby Supervisor Engine) Support

The Catalyst 4500 series switches support dual supervisor engines in a redundant chassis, which can be
configured for SSO or RPR mode. When a chassis is running in VSS mode, however, a second supervisor
engine is supported only in rommon mode. This In-Chassis Standby (ICS) supervisor engine does not
participate in control, management, or forwarding plane operation; it takes part in no switchover and
provides no protection against any failure. Its ports nevertheless remain available for forwarding, because
in VSS mode the In-Chassis Active (ICA) supervisor engine participates in VSS control and management
operation and manages the ports on the supervisor engine in rommon mode.
If the second supervisor engine is inserted in a redundant chassis, the following information applies:
• It must also be manually configured for VSS mode, i.e., it must have been converted from standalone
to VSS mode previously. If you insert a supervisor engine that was not configured for VSS mode, it
disrupts the operation of the ICA supervisor engine. If it was previously configured, automatic
boot must be disabled (i.e., set to boot only to ROM Monitor) with the confreg command in rommon.
The supervisor engine does not take over or boot automatically when the ICA supervisor engine fails.
A manual boot is required to make it participate in the VSS; it then functions as an ICA supervisor
engine.
More details on rommon commands are found at this URL:
http://www.cisco.com/en/US/docs/switches/lan/catalyst4500/15.1.2/XE_340/configuration/guide/r
ommon.html#wp1013959
• A supervisor engine's conversion from standalone to VSS occurs per engine. If two supervisor
engines exist in a chassis, one should be retained in rommon or removed, before conversion occurs.
You can convert the second supervisor to VSS mode while the first supervisor is removed or in
rommon, with the additional step of setting it to “boot only to ROM Monitor.” When both engines
are converted to VSS, they can be inserted into the chassis together and re-booted.
• Booting a chassis with two supervisor engines configured for VSS causes one of the engines to
become the ICA and participate in VSS. The other engine, which becomes the ICS, will
continuously reload. The secondary supervisor (the ICS) must be configured to “boot only to ROM
Monitor” with automatic boot disabled.
• When the ICA fails, the ICS doesn't take over because ICS support of SSO or RPR mode is
unavailable. ICS (the secondary supervisor) must be booted manually to become the ICA and
manage the VSS operations. For this to happen, the former active supervisor engine must remain in
rommon mode.
• ISSU support requires ICA supervisor engines on both chassis. The ICS supervisor engine does not
participate in upgrade or any forwarding operations.
• Because ICS supervisor engines do not communicate with ICA supervisor engines, the VSS and other
configuration must be done on the ICS at conversion time. If this is not done, or the configuration does
not match the necessary VSS parameters (such as the switch ID, domain, and VSL configuration), the ICS
cannot form a VSS when the ICA goes down and the ICS is booted manually. You can, however, enter
these "bootup" commands to make it join an existing VSS domain.

Note When a supervisor engine in VSS mode is booting in a chassis, where an ICA supervisor engine already
exists, the ICS supervisor engine (the one that is booting) is continuously reset. It must be manually put
into rommon by disabling auto-boot. Simultaneously, the ICS may display a message that it has crashed
and might generate a crashdump. Because the supervisor engine is going down, this message is harmless;
it does not affect the functionality of VSS. Instead of resetting itself gracefully, the engine might crash
while attempting a reset.

Asymmetric chassis support

Catalyst 4500 and Catalyst 4500X VSS require the same supervisor engine type in both chassis. The
chassis can differ in type (i.e., +E and -E chassis can be in a single VSS) and also can differ in the number
of slots in chassis. VSS cannot be formed between different flavors of Catalyst 4500X (e.g., 4500X-16
and 4500X-32).

Interface Naming Convention

In VSS mode, interfaces are specified using the switch number (in addition to slot and port), because the
same slot numbers are used on both chassis. For example, the interface 1/5/4 command specifies port 4
of the switching module in slot 5 of switch 1. The interface 2/5/4 command specifies port 4 on the
switching module in slot 5 of switch 2.

Module Number Convention

IOS treats modules in both chassis as if they belong to one single chassis, and the module number space
is 1-20.
Switch 1 receives module numbers from 1-10 and switch 2 receives numbers from 11-20, irrespective of
the chassis type, supervisor type, or number of slots in a chassis. For example, on a VSS of two 3-slot
chassis, the module numbers on switch 1 are 1, 2, and 3, and on switch 2 they are 11, 12, and 13. The
module numbering on switch 2 always starts from 11.
The show switch virtual slot-map command provides the virtual to physical slot mapping. The following
is a sample output:

Virtual   Remote      Physical   Module
Slot No   Switch No   Slot No    Uptime
---------+-----------+----------+----------
   1          1          1       00:24:14
   2          1          2       00:23:46
   3          1          3       -
   4          1          4       -
   5          1          5       -
   6          1          6       -
   7          1          7       -
   8          1          8       -
   9          1          9       -
  10          1         10       -
  11          2          1       00:22:03
  12          2          2       00:24:43
  13          2          3       00:24:43
  14          2          4       -
  15          2          5       -
  16          2          6       -
  17          2          7       -
  18          2          8       -
  19          2          9       -
  20          2         10       -
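The interface naming convention (switch/slot/port) and the module number convention (switch 1 owns virtual slots 1-10, switch 2 owns 11-20) are the two facts an inventory or automation script needs when it reads VSS output. The following Python script is an added example, not code from the Cisco guide: it parses a constructed, abridged copy of the show switch virtual slot-map output shown above, checks every row against the numbering convention, lists the virtual slots that hold a running module, and converts a virtual module number plus port into the switch/slot/port interface name. The sample rows, the TenGigabitEthernet prefix and the function names are assumptions for illustration.

```python
import re

# Module-number convention from the guide: the virtual slot space is 1-20,
# switch 1 owns 1-10 and switch 2 owns 11-20, whatever the chassis size.
SLOTS_PER_SWITCH = 10

# Constructed, abridged sample of `show switch virtual slot-map` output
# (same layout as the output shown above; not captured from a real switch).
SAMPLE_SLOT_MAP = """\
Virtual   Remote      Physical   Module
Slot No   Switch No   Slot No    Uptime
---------+-----------+----------+----------
   1          1          1       00:24:14
   2          1          2       00:23:46
   3          1          3       -
   4          1          4       -
  11          2          1       00:22:03
  12          2          2       00:24:43
  13          2          3       00:24:43
  14          2          4       -
"""

# One data row: virtual slot, remote switch, physical slot, uptime (or "-").
ROW_RE = re.compile(r"^\s*(\d+)\s+(\d+)\s+(\d+)\s+(\S+)\s*$")


def parse_slot_map(text):
    """Return a list of (virtual_slot, switch, physical_slot, uptime) tuples.

    uptime is None for an empty slot, which the switch prints as '-'.
    """
    rows = []
    for line in text.splitlines():
        match = ROW_RE.match(line)
        if match:
            virtual, switch, physical, uptime = match.groups()
            rows.append((int(virtual), int(switch), int(physical),
                         None if uptime == "-" else uptime))
    return rows


def expected_virtual_slot(switch, physical_slot):
    """Virtual module number the VSS assigns to a physical slot on a switch."""
    return (switch - 1) * SLOTS_PER_SWITCH + physical_slot


def check_slot_map(rows):
    """Return the virtual slots whose mapping violates the convention (normally empty)."""
    return [virtual for virtual, switch, physical, _ in rows
            if expected_virtual_slot(switch, physical) != virtual]


def populated_modules(rows):
    """Virtual slots that hold a running module (those that report an uptime)."""
    return [virtual for virtual, _, _, uptime in rows if uptime is not None]


def interface_name(virtual_slot, port, prefix="TenGigabitEthernet"):
    """Build the switch/slot/port interface name for a port on a virtual module.

    Virtual slot 13, port 4 is port 4 of physical slot 3 on switch 2, i.e. 2/3/4.
    """
    switch = (virtual_slot - 1) // SLOTS_PER_SWITCH + 1
    slot = (virtual_slot - 1) % SLOTS_PER_SWITCH + 1
    return f"{prefix}{switch}/{slot}/{port}"


if __name__ == "__main__":
    rows = parse_slot_map(SAMPLE_SLOT_MAP)
    print("mapping violations:", check_slot_map(rows))
    print("running modules:", populated_modules(rows))
    print(interface_name(13, 4))
```

A non-empty result from check_slot_map would mean the output was misparsed or came from a platform with a different numbering scheme, so treat it as a stop condition in automation rather than a warning.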

Key Software Features not Supported on VSS

With some exceptions, the VSS maintains feature parity with the standalone Catalyst 4500 or 4500-X
series switches. Major exceptions include:
• CFM D8.1
• Dot1q Tunnel (“legacy/classic” dot1q tunnel)
• Dot1q tunneling and L2PT (Layer 2 Protocol Tunneling)
• Energywise
• Fast UDLD
• Flexlink
• Mediatrace (Medianet active video monitoring feature)
• Metadata (Medianet feature)
• Per VLAN Learning
• REP and associated featurettes
• UDE
• UDLR
• VLAN Translation (1:1 and 1:2-Selective QinQ)
• VMPS Client
• WCCP

Hardware Requirements
The following sections describe the hardware requirements of a VSS:
• Chassis and Modules, page 5-9
• VSL Hardware Requirements, page 5-10
• Multichassis EtherChannel Requirements, page 5-11

Chassis and Modules

Table 5-1 describes the hardware requirements for the VSS chassis and modules.

Table 5-1 VSS Hardware Requirements

Hardware            Count                        Requirements
------------------  ---------------------------  -----------------------------------------------------------
Chassis             2                            VSS is available on a Catalyst 4500-X switch and on chassis
                                                 that support Supervisor Engine 7-E, Supervisor Engine 7L-E,
                                                 and Supervisor Engine 8-E.
                                                 Note: +E and -E chassis can be mixed.
Supervisor Engines  2                            VSS is available on Supervisor Engine 7-E, Supervisor
                                                 Engine 7L-E, Supervisor Engine 8-E, and on the Catalyst
                                                 4500-X switch series. All supervisor engines or systems in
                                                 a VSS must match precisely.
Linecard (1)        0 to as many linecard slots  WS-X4712-SFP-E, WS-X4724-SFP-E, WS-X4748-SFP-E,
                    as are available in a        WS-X4748-RJ45V+E, WS-X4712-SFP+E, WS-X4640-CSFP-E,
                    chassis                      WS-X4748-UPOE+E, WS-X4748-RJ45-E, WS-X4606-X2-E,
                                                 WS-X4648-RJ45V-E, WS-X4648-RJ45V+E, WS-X4648-RJ45-E,
                                                 WS-X4624-SFP-E, WS-X4612-SFP-E, WS-X4548-RJ45V+,
                                                 WS-X4448-GB-SFP, WS-X4306-GB, WS-X4248-RJ45V,
                                                 WS-X4248-FE-SFP, WS-X4148-RJ, WS-X4148-FX-MT

1. With IOS XE 3.6.0E and IOS 15.2(2)E, -E chassis are supported on Supervisor Engine 7-E and 7L-E only.
Support for Supervisor Engine 8-E will be available in a later release.

VSL Hardware Requirements

The VSL EtherChannel supports both 10-Gigabit Ethernet ports and 1-Gigabit Ethernet ports.
We recommend that you use at least two of the 10-Gigabit or 1-Gigabit Ethernet ports to create the VSL
between the two switches. You cannot combine 10-Gigabit and 1-Gigabit Ethernet ports in a VSL
port-channel.
Be aware of the following:
• You can add additional physical links to the VSL EtherChannel with the 10-Gigabit Ethernet ports
on any supported supervisor engine or linecard.
• Oversubscribed linecard ports can be used for the VSL, but before you do so, account for the total
bandwidth requirement of the VSL and for any traffic drop that the EtherChannel hashing mechanism
can cause on an oversubscribed port.
• VSL ports can have only 10 Gigabit Ethernet port mode on a WS-X4606-X2-E linecard; non-VSL
ports can be configured as 10 or 1 Gigabit Ethernet port mode.
• 1 Gigabit Ethernet ports on line card X4606-X2-E cannot be used as VSL links.

Multichassis EtherChannel Requirements

Physical links from any of the supervisor engines or linecard modules can be used to implement a
Multichassis EtherChannel (MEC).

Understanding VSL Topology
A VSS contains two switches that communicate using the VSL, which is a special port group.
We recommend that you configure at least two of the 10-Gigabit or 1-Gigabit Ethernet ports as VSL,
selecting ports from different modules. Figure 5-5 shows an example topology.

Figure 5-5 VSL Topology Example (the VSL joins the VSS Active chassis and the VSS Standby chassis; each chassis holds an In-chassis Standby supervisor and Linecards 1 to N, with VSL members taken from different modules)

VSS Redundancy
The following sections describe how redundancy in a VSS supports network high availability:
• Overview, page 5-12
• RPR and SSO Redundancy, page 5-12
• Switch Roles in a VSS, page 5-12
• Failed Switch Recovery, page 5-13
• VSL Failure, page 5-14
• User Actions, page 5-14

Overview
A VSS operates stateful switchover (SSO) between the VSS Active and VSS Standby supervisor
engines. Compared to standalone mode, a VSS has the following important differences in its redundancy
model:
• The VSS Active and VSS Standby supervisor engines are hosted in separate switches and use the
VSL to exchange information.
• The VSS Active supervisor engine controls both switches of the VSS. The VSS Active supervisor
engine runs the Layer 2 and Layer 3 control protocols and manages the switching modules on both
switches.
• The VSS Active and VSS Standby switches perform data traffic forwarding.
If the VSS Active supervisor engine fails, the VSS Standby supervisor engine initiates a switchover and
assumes the VSS Active role.

RPR and SSO Redundancy
A VSS operates with stateful switchover (SSO) redundancy if it meets the following requirements:
• Both supervisor engines must be running the same software version, unless a software upgrade is in
progress.
• VSL-related configuration in the two switches must match.
• SSO and nonstop forwarding (NSF) must be configured on each switch.

Note See the “SSO Dependencies” section on page 5-27 for additional details about the requirements for SSO
redundancy on a VSS. See Chapter 12, “Configuring Cisco NSF with SSO Supervisor Engine
Redundancy” for information about configuring SSO and NSF.

With SSO redundancy, the VSS Standby supervisor engine is always ready to assume control following
a fault on the VSS Active supervisor engine. Configuration, forwarding, and state information are
synchronized from the VSS Active supervisor engine to the redundant supervisor engine at startup and
whenever changes to the VSS Active supervisor engine configuration occur. If a switchover occurs,
traffic disruption is minimized.
If a VSS does not meet the requirements for SSO redundancy, it will be incapable of establishing a
relationship with the peer switch. Catalyst 4500/4500-X series switches’ VSS does not support route
processor redundancy (RPR) mode.
The VSS runs stateful switchover (SSO) between the VSS Active and VSS Standby supervisor engines
(see Figure 5-6). The VSS determines the role of each supervisor engine during initialization.
The supervisor engine in the VSS Standby switch runs in hot standby state. The VSS uses the VSL link
to synchronize configuration data from the VSS Active to the VSS Standby supervisor engine. Also,
protocols and features that support high availability synchronize their events and state information to the
VSS Standby supervisor engine.

Switch Roles in a VSS
Figure 5-6 illustrates the switches’ roles in a VSS.

Figure 5-6 Switches’ Roles in a VSS

Failed Switch Recovery
If the VSS Active switch or supervisor engine fails, the VSS initiates a stateful switchover (SSO) and
the former VSS Standby supervisor engine assumes the VSS Active role. The failed switch performs
recovery action by reloading the supervisor engine.
If the VSS Standby switch or supervisor engine fails, no switchover is required. The failed switch
performs recovery action by reloading the supervisor engine.
The VSL links are unavailable while the failed switch recovers. After the switch reloads, it becomes the
new VSS Standby switch and the VSS reinitializes the VSL links between the two switches.
The switching modules on the failed switch are unavailable during recovery, so the VSS operates only
with the MEC links that terminate on the VSS Active switch. The bandwidth of the VSS is reduced until
the failed switch has completed its recovery and become operational again. Any devices that are
connected only to the failed switch experience an outage.

Note The VSS may experience a brief data path disruption when the switching modules in the VSS Standby
switch become operational after the SSO.

After the SSO, much of the processing power of the VSS Active supervisor engine is consumed in
bringing up a large number of ports simultaneously in the VSS Standby switch. As a result, some links
might be brought up before the supervisor engine has configured forwarding for the links, causing traffic
to those links to be lost until the configuration is complete. This condition is especially disruptive if the
link is an MEC link and it is running in "ON" mode. This is why it is recommended that MEC ports
always have either PAgP or LACP mode of EtherChannel configured.

Note We recommend not configuring LACP independent mode (standalone-mode) for MEC because ports on
the VSS Standby switch (while it boots) come up tens of seconds before the control plane is fully
functional. This behavior causes a port to start working in independent mode and might cause traffic loss
until the port is bundled.

VSL Failure
To ensure fast recovery from VSL failures, fast link failure detection is enabled in virtual switch mode
on all VSL port channel members.

Note Fast link notification is based upon internal hardware assisted BFD sessions between the pair of physical
VSL links.

If a single VSL physical link goes down, the VSS adjusts the port group so that the failed link is not
selected.
If the VSS Standby switch detects complete VSL link failure, it initiates a stateful switchover (SSO). If
the VSS Active switch has failed (causing the VSL links to go down), the scenario is switch failure, as
described in the previous section.
If only the VSL has failed and the VSS Active switch is still operational, this is a dual-active scenario.
The VSS detects that both switches are operating in VSS Active mode and performs recovery action. See
the “Dual-Active Detection” section on page 5-23 for additional details about the dual-active scenario.

User Actions
From the VSS Active switch command console, you can initiate a VSS switchover or a reload.
If you enter the reload command from the command console, only the switch on which the command is
issued reloads.
To reload only the VSS Standby switch, use the redundancy reload peer command.
To force a switchover from the VSS Active to the VSS Standby supervisor engine, use the
redundancy force-switchover command.
To reset both the VSS Active and Standby switch, use the redundancy reload shelf command.

Multichassis EtherChannels
These sections describe multichassis EtherChannels (MECs):
• Overview, page 5-14
• MEC Failure Scenarios, page 5-15

Overview
A multichassis EtherChannel is an EtherChannel with ports that terminate on both switches of the VSS
(see Figure 5-7). A VSS MEC can connect to any network element that supports EtherChannel (such as
a host, server, router, or switch).
At the VSS, an MEC is an EtherChannel with additional capability: the VSS balances the load across
ports in each switch independently. For example, if traffic enters the VSS Active switch, the VSS will
select an MEC link from the VSS Active switch. This MEC capability ensures that data traffic does not
unnecessarily traverse the VSL.
Each MEC can optionally be configured to support either PAgP or LACP. These protocols run only on
the VSS Active switch. PAgP or LACP control packets destined for an MEC link on the VSS Standby
switch are sent across VSL.

An MEC can support up to eight physical links, which can be distributed in any proportion between the
VSS Active and VSS Standby switch.

Figure 5-7 MEC Topology (a router, switch, or server connected by one MEC to both supervisor engines of the virtual switch, one in the Active chassis and one in the Standby chassis)

MEC Failure Scenarios
We recommend that you configure the MEC with at least one link to each switch. This configuration
conserves VSL bandwidth (traffic egress link is on the same switch as the ingress link), and increases
network reliability (if one VSS supervisor engine fails, the MEC is still operational).
The following sections describe possible failures and the resulting impacts:
• Single MEC Link Failure, page 5-15
• All MEC Links to the VSS Active Switch Fail, page 5-15
• All MEC Links to the VSS Standby Switch Fail, page 5-16
• All MEC Links Fail, page 5-16
• VSS Standby Switch Failure, page 5-16
• VSS Active Switch Failure, page 5-16

Single MEC Link Failure

If a link within the MEC fails (and other links in the MEC are still operational), the MEC redistributes
the load among the operational links, as in a regular EtherChannel.

All MEC Links to the VSS Active Switch Fail

If all links to the VSS Active switch fail, the MEC becomes a regular EtherChannel with operational
links to the VSS Standby switch.
Data traffic terminating on the VSS Active switch reaches the MEC by crossing the VSL to the VSS
Standby switch. Control protocols continue to run in the VSS Active switch. Protocol messages reach
the MEC by crossing the VSL.

All MEC Links to the VSS Standby Switch Fail

If all links to the VSS Standby switch fail, the MEC becomes a regular EtherChannel with operational
links to the VSS Active switch.
Control protocols continue to run in the VSS Active switch. All control and data traffic from the VSS
Standby switch reaches the MEC by crossing the VSL to the VSS Active switch.

All MEC Links Fail

If all links in an MEC fail, the logical interface for the EtherChannel is set to unavailable. Layer 2 control
protocols perform the same corrective action as for a link-down event on a regular EtherChannel.
On adjacent switches, routing protocols and Spanning Tree Protocol (STP) perform the same corrective
action as for a regular EtherChannel.

VSS Standby Switch Failure

If the VSS Standby switch fails, the MEC becomes a regular EtherChannel with operational links on the
VSS Active switch. Connected peer switches detect the link failures, and adjust their load-balancing
algorithms to use only the links to the VSS Active switch.

VSS Active Switch Failure

VSS Active switch failure results in a stateful switchover (SSO). See the “VSS Redundancy” section on
page 5-11 for details about SSO on a VSS. After the switchover, the MEC is operational on the new VSS
Active switch. Connected peer switches detect the link failures (to the failed switch), and adjust their
load-balancing algorithms to use only the links to the new VSS Active switch.
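The MEC rules stated in this section and in the Overview (balance across the member links on the ingress switch; cross the VSL only when the ingress switch has no operational member link; the port-channel goes down only when every member link is down) can be replayed against each failure scenario. The following Python model is an added example, not code from the Cisco guide and not the switch's forwarding logic: it represents an MEC as a set of member links hosted on either VSS switch and replays the scenarios above, reporting what fraction of flows entering on the VSS Active switch must cross the VSL after each step. The link names assume switch 1 is the VSS Active switch; the flow hash is a plain integer reduced modulo the candidate link count, which stands in for the real EtherChannel hash that the guide does not specify.

```python
ACTIVE, STANDBY = "active", "standby"


class Mec:
    """Multichassis EtherChannel model: each member link is hosted on one VSS switch.

    links maps a link name to (hosting switch, link is up). The names and the
    ACTIVE/STANDBY labels are illustrative, not CLI objects.
    """

    def __init__(self, links):
        self.links = dict(links)

    def set_link(self, name, is_up):
        switch, _ = self.links[name]
        self.links[name] = (switch, is_up)

    def fail_switch(self, switch):
        """Take down every member link hosted on a switch (switch or chassis failure)."""
        for name, (host, _) in self.links.items():
            if host == switch:
                self.links[name] = (host, False)

    def up_links(self, switch=None):
        """Operational member links, optionally only those hosted on one switch."""
        return sorted(name for name, (host, up) in self.links.items()
                      if up and (switch is None or host == switch))

    def is_operational(self):
        """The port-channel logical interface stays up while any member link is up."""
        return bool(self.up_links())


def select_egress(mec, ingress_switch, flow_hash):
    """Choose the MEC member link for a flow that entered the VSS on ingress_switch.

    Local member links are preferred; the VSL is crossed only when the ingress
    switch has no operational member link. Returns (link, crosses_vsl), or
    (None, False) when the whole port-channel is down.
    """
    local = mec.up_links(ingress_switch)
    if local:
        return local[flow_hash % len(local)], False
    remote = mec.up_links()
    if remote:
        return remote[flow_hash % len(remote)], True
    return None, False


def vsl_crossing_fraction(mec, ingress_switch, flow_hashes):
    """Fraction of the given flows entering on ingress_switch that must traverse the VSL."""
    if not flow_hashes:
        return 0.0
    crossings = sum(1 for h in flow_hashes if select_egress(mec, ingress_switch, h)[1])
    return crossings / len(flow_hashes)


def walk_failure_scenarios():
    """Replay the failure scenarios from the text for flows entering on the VSS Active switch."""
    flows = list(range(100))
    # Two member links on each switch; switch 1 is assumed to be the VSS Active switch.
    mec = Mec({"Te1/1/1": (ACTIVE, True), "Te1/1/2": (ACTIVE, True),
               "Te2/1/1": (STANDBY, True), "Te2/1/2": (STANDBY, True)})
    results = {"healthy": vsl_crossing_fraction(mec, ACTIVE, flows)}
    mec.set_link("Te1/1/1", False)          # single MEC link failure
    results["one active link down"] = vsl_crossing_fraction(mec, ACTIVE, flows)
    mec.set_link("Te1/1/2", False)          # all MEC links to the VSS Active switch fail
    results["all active links down"] = vsl_crossing_fraction(mec, ACTIVE, flows)
    mec.fail_switch(STANDBY)                # VSS Standby switch failure on top of that
    results["all links down, operational"] = mec.is_operational()
    return results


if __name__ == "__main__":
    for scenario, value in walk_failure_scenarios().items():
        print(f"{scenario}: {value}")
```

The model makes the design recommendation above concrete: with at least one member link on each switch, a single link failure or a single switch failure never forces traffic across the VSL, and only the loss of all local members does.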

Packet Handling
In a VSS, the VSS Active supervisor engine runs the Layer 2 and Layer 3 protocols and features for the
VSS and manages the ports on both switches.
The VSS uses the VSL to communicate system and protocol information between the peer switches and
to carry data traffic between the two switches.
Both switches perform packet forwarding for ingress traffic on their local interfaces. The VSS minimizes
the amount of data traffic that must traverse the VSL.
The following sections describe packet handling in a VSS:
• Traffic on the VSL, page 5-16
• Layer 2 Protocols, page 5-17
• Layer 3 Protocols, page 5-18

Traffic on the VSL
The VSL carries data traffic and in-band control traffic between the two switches. All frames forwarded
over the VSL link are encapsulated with a special header (up to ten bytes for data traffic and 18 bytes
for control packets), which provides information for the VSS to forward the packet on the peer switch.

The VSL transports control messages between the two switches. Messages include protocol messages
that are processed by the VSS Active supervisor engine, but received or transmitted by interfaces on the
VSS Standby switch. Control traffic also includes module programming between the VSS Active
supervisor engine and switching modules on the VSS Standby switch.
The VSS needs to transmit data traffic over the VSL under the following circumstances:
• Layer 2 traffic flooded over a VLAN (even for dual-homed links).
• Packets processed by software on the VSS Active supervisor engine where the ingress interface is
on the VSS Standby switch.
• The packet destination is on the peer switch, such as the following examples:
– Traffic within a VLAN where the known destination interface is on the peer switch.
– Traffic that is replicated for a multicast group and the multicast receivers are on the peer switch.
– The known unicast destination MAC address is on the peer switch.
– The packet is a MAC notification frame destined for a port on the peer switch.
VSL also transports system data, such as NetFlow export data and SNMP data, from the VSS Standby
switch to the VSS Active supervisor engine.
To preserve the VSL bandwidth for critical functions, the VSS uses strategies to minimize user data
traffic that must traverse the VSL. For example, if an access switch is dual-homed (attached with an
MEC terminating on both VSS switches), the VSS transmits packets to the access switch using a link on
the same switch as the ingress link.
Traffic on the VSL is load-balanced with the same global hashing algorithms available for
EtherChannels (the default algorithm is source-destination IP).

Layer 2 Protocols
The VSS Active supervisor engine runs the Layer 2 protocols (such as STP and VTP) for the switching
modules on both switches. Protocol messages that are transmitted and received on the VSS Standby
switch switching modules must traverse the VSL to reach the VSS Active supervisor engine.
All Layer 2 protocols in a VSS work as they do in standalone mode. The following sections describe the
differences in behavior for some protocols in a VSS:
• Spanning Tree Protocol, page 5-17
• EtherChannel Control Protocols, page 5-18
• Jumbo frame size restriction, page 5-18
• SPAN, page 5-18
• Private VLANs, page 5-18

Spanning Tree Protocol

The VSS Active switch runs Spanning Tree Protocol (STP). The VSS Standby switch redirects STP
BPDUs across the VSL to the VSS Active switch.
The STP bridge ID is commonly derived from the chassis MAC address. To ensure that the bridge ID
does not change after a switchover, the VSS continues to use the original chassis MAC address for the
STP Bridge ID.

EtherChannel Control Protocols

Link Aggregation Control Protocol (LACP) and Port Aggregation Protocol (PAgP) packets contain a
device identifier. The VSS defines a common device identifier for both chassis. You should use PAgP or
LACP on MECs instead of mode ON, although all three modes are supported.
A new PAgP enhancement has been defined for assisting with dual-active scenario detection. For
additional information, see the “Dual-Active Detection” section on page 5-23.

Jumbo frame size restriction

The maximum jumbo frame size supported on a VSS interface is 9188 bytes (MTU of 9170 bytes). This
accommodates the overhead of transporting packets between the two member switches over VSL.
Not all frames traverse the VSL, so packets confined to one of the member switches could be as large as
9216 bytes (MTU of 9198 bytes). Such frames may, however, need to be diverted over the VSL when a failure
occurs, which is why the maximum configurable MTU on non-VSL front panel ports is 9170.

Note The MTU CLI is unavailable on a VSL interface. It is set internally to 9198 (Max frame size of
9216), addressing the overhead of VSL.

For example, traffic between two ports on the active switch incurs no VSL overhead. Overhead exists when
packets are sent from ports on the active switch to ports on the standby switch, and even more overhead
exists when packets are sent from standby ports to the active CPU. The higher limit on the VSL accommodates
the worst case and guarantees consistent forwarding under all scenarios.

SPAN

VSS supports all SPAN features for non-VSL interfaces.

Note SPAN on VSL ports is not supported; VSL ports can be neither a SPAN source, nor a SPAN destination.

The number of SPAN sessions available on a VSS matches that on a single switch running in standalone
mode.

Private VLANs

Private VLANs on a VSS work the same way as in standalone mode. The only exception is that the native VLAN
on isolated trunk ports must be configured explicitly. Refer to Chapter 44, “Configuring Private
VLANs” for details on how to configure the native VLAN on isolated trunk ports.

Layer 3 Protocols
The VSS Active supervisor engine runs the Layer 3 protocols and features for the VSS. All Layer 3
protocol packets are sent to and processed by the VSS Active supervisor engine. Both member switches
perform hardware forwarding for ingress traffic on their interfaces. If possible, to minimize data traffic
that must traverse the VSL, ingress traffic is forwarded to an outgoing interface on the same switch.
When software forwarding is required, packets are sent to the VSS Active supervisor engine for
processing.

The same router MAC address, assigned by the VSS Active supervisor engine, is used for all Layer 3
interfaces on both VSS member switches. After a switchover, the original router MAC address is still
used. The router MAC address is configurable and can be chosen from three options: virtual-mac
(derived from the domainId), chassis-mac (preserved after switchover), and a user-configured MAC
address. The VSS uses the virtual MAC address by default.
The following sections describe Layer 3 protocols for a VSS:
• IPv4, page 5-19
• IPv6, page 5-19
• IPv4 Multicast, page 5-19
• Software Features, page 5-20

IPv4

The supervisor engine on the VSS Active switch runs the IPv4 routing protocols and performs any
required software forwarding. All routing protocol packets received on the VSS Standby switch are
redirected to the VSS Active supervisor engine across the VSL. The VSS Active supervisor engine
generates all routing protocol packets to be sent out over ports on either VSS member switch.
Hardware forwarding is distributed across both members on the VSS. The supervisor engine on the VSS
Active switch sends Forwarding Information Base (FIB) updates to the VSS Standby supervisor engine,
which installs all routes and adjacencies in its hardware.
Packets intended for a local adjacency (reachable by local ports) are forwarded locally on the ingress
switch. Packets intended for a remote adjacency (reachable by remote ports) must traverse the VSL.
The supervisor engine on the VSS Active switch performs all software forwarding (for protocols such
as IPX) and feature processing (such as fragmentation and TTL exceed). If a switchover occurs, software
forwarding is disrupted until the new VSS Active supervisor engine obtains the latest CEF and other
forwarding information.
In virtual switch mode, the requirements to support non-stop forwarding (NSF) match those in
standalone redundant mode of operation.
From a routing peer perspective, Multi-Chassis EtherChannels (MEC) remain operational during a
switchover (only the links to the failed switch are down, but the routing adjacencies remain valid).
The VSS achieves Layer 3 load-balancing over all paths in the FIB entries, be it local or remote.

IPv6

A VSS supports IPv6 unicast and multicast in the same way as a standalone system.

IPv4 Multicast

The IPv4 multicast protocols run on the VSS Active supervisor engine. Internet Group Management
Protocol (IGMP) and Protocol Independent Multicast (PIM) protocol packets received on the VSS
Standby supervisor engine are transmitted across VSL to the VSS Active supervisor engine. The VSS
Active supervisor engine generates IGMP and PIM protocol packets to be sent over ports on either VSS
member.
The VSS Active supervisor engine syncs Multicast Forwarding Information Base (MFIB) state to the
VSS Standby supervisor engine. On both member switches, all multicast routes are loaded in hardware
with replica expansion table (RET) entries programmed for only local outgoing interfaces. Both member
switches are capable of performing hardware forwarding.

Note To avoid multicast route changes as a result of the switchover, we recommend that all links carrying
multicast traffic be configured as MEC rather than Equal Cost Multipath (ECMP).

For packets traversing VSL, all Layer 3 multicast replication occurs on the egress switch. If there are
multiple receivers on the egress switch, only one packet is replicated and forwarded over the VSL, and
then replicated to all local egress ports.

Software Features

Software features run only on the VSS Active supervisor engine. Incoming packets to the VSS Standby
switch that require software processing are sent across the VSL to the VSS Active supervisor engine.

System Monitoring
The following sections describe system monitoring and system management for a VSS:
• Environmental Monitoring, page 5-20
• File System Access, page 5-20
• Diagnostics, page 5-21
• Network Management, page 5-21

Environmental Monitoring
Environmental monitoring runs on both supervisor engines. The VSS Standby switch reports
notifications to the VSS Active supervisor engine. The VSS Active switch gathers log messages for both
switches. The VSS Active switch synchronizes the calendar and system clock to the VSS Standby
switch.

File System Access
File system access on a VSS is the same as on a dual-supervisor standalone system. All files on the
standby switch are accessible with the slave prefix, as follows:
Switch# dir ?
/all List all files
/recursive List files recursively
all-filesystems List files on all filesystems
bootflash: Directory or file name
cat4000_flash: Directory or file name
cns: Directory or file name
crashinfo: Directory or file name
kinfo: Directory or file name
null: Directory or file name
nvram: Directory or file name
revrcsf: Directory or file name
slavebootflash: Directory or file name
slavecat4000_flash: Directory or file name
slavecrashinfo: Directory or file name
slavekinfo: Directory or file name
slavenvram: Directory or file name
slaveslot0: Directory or file name
slaveusb0: Directory or file name
slot0: Directory or file name
system: Directory or file name
tar: Directory or file name
tmpsys: Directory or file name
usb0: Directory or file name
| Output modifiers

All file or directory names with the prefix "slave" refer to files on the VSS Standby switch.

Diagnostics
Bootup diagnostics are run independently on both switches. Online diagnostics can be invoked on the
basis of virtual slots, which provide accessibility to modules on both switches. Use the show switch
virtual slot-map command to display the virtual to physical slot mapping.
Switch# show switch virtual slot-map
Virtual Slot to Remote Switch/Physical Slot Mapping Table:

Virtual   Remote      Physical   Module
Slot No   Switch No   Slot No    Uptime
---------+-----------+----------+----------
1         1           1          -
2         1           2          -
3         1           3          02:43:51
4         1           4          -
5         1           5          -
6         1           6          02:45:20
7         1           7          -
8         1           8          02:43:50
9         1           9          -
10        1           10         -
11        2           1          02:46:50
12        2           2          02:46:50
13        2           3          -
14        2           4          -
15        2           5          02:42:23
16        2           6          -
17        2           7          -
18        2           8          -
19        2           9          -
20        2           10         -
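As an added example (not code from this guide), the following Python parses the slot-map output above and resolves the virtual slot number that commands such as remote login module expect for a module on a given member switch and physical slot; it reads the mapping from the table instead of assuming a fixed offset, so it also holds for asymmetric chassis. The sample text is the guide's own output, embedded as a constant.

```python
"""Parse 'show switch virtual slot-map' output and resolve VSS virtual slots.

Added example, not code from the Cisco guide. SAMPLE_SLOT_MAP is the
slot-map output shown in the Diagnostics section, embedded as a constant.
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

SAMPLE_SLOT_MAP = """\
Virtual Slot to Remote Switch/Physical Slot Mapping Table:

Virtual   Remote      Physical   Module
Slot No   Switch No   Slot No    Uptime
---------+-----------+----------+----------
1         1           1          -
2         1           2          -
3         1           3          02:43:51
4         1           4          -
5         1           5          -
6         1           6          02:45:20
7         1           7          -
8         1           8          02:43:50
9         1           9          -
10        1           10         -
11        2           1          02:46:50
12        2           2          02:46:50
13        2           3          -
14        2           4          -
15        2           5          02:42:23
16        2           6          -
17        2           7          -
18        2           8          -
19        2           9          -
20        2           10         -
"""


@dataclass(frozen=True)
class SlotEntry:
    virtual_slot: int
    switch_no: int
    physical_slot: int
    uptime: Optional[str]  # None when the row shows '-' (no module up in that slot)


# A data row is three integers followed by an uptime token; headers and the
# dashed separator never match this pattern and are skipped.
_ROW_RE = re.compile(r"^\s*(\d+)\s+(\d+)\s+(\d+)\s+(\S+)\s*$")


def parse_slot_map(text: str) -> List[SlotEntry]:
    """Return one SlotEntry per data row of the slot-map output."""
    entries = []
    for line in text.splitlines():
        match = _ROW_RE.match(line)
        if not match:
            continue
        virt, sw, phys, uptime = match.groups()
        entries.append(SlotEntry(int(virt), int(sw), int(phys),
                                 None if uptime == "-" else uptime))
    return entries


def virtual_slot(entries: List[SlotEntry], switch_no: int, physical_slot: int) -> int:
    """Virtual slot for a physical slot on a member switch.

    This is the number given to 'remote login module <n>' for a module on the
    other chassis. It is looked up rather than computed because an asymmetric
    VSS (chassis with different slot capacities) has no single fixed offset.
    """
    for entry in entries:
        if entry.switch_no == switch_no and entry.physical_slot == physical_slot:
            return entry.virtual_slot
    raise KeyError(f"switch {switch_no} slot {physical_slot} not in slot map")


def physical_location(entries: List[SlotEntry], virt: int) -> Tuple[int, int]:
    """Inverse lookup: (switch number, physical slot) for a virtual slot."""
    for entry in entries:
        if entry.virtual_slot == virt:
            return entry.switch_no, entry.physical_slot
    raise KeyError(f"virtual slot {virt} not in slot map")


def populated_slots(entries: List[SlotEntry], switch_no: int) -> List[int]:
    """Physical slots on a switch whose row reports a module uptime."""
    return sorted(e.physical_slot for e in entries
                  if e.switch_no == switch_no and e.uptime is not None)


if __name__ == "__main__":
    table = parse_slot_map(SAMPLE_SLOT_MAP)
    # The guide's 'remote login module 11' example reaches switch 2, slot 1.
    print(physical_location(table, 11))   # (2, 1)
    print(virtual_slot(table, 2, 1))      # 11
    print(populated_slots(table, 1), populated_slots(table, 2))  # [3, 6, 8] [1, 2, 5]
```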

Network Management
The following sections describe network management for a VSS:
• Telnet over SSH Sessions and the Web Browser User Interface, page 5-21
• SNMP, page 5-22
• Command Console, page 5-22
• Accessing the Remote Console on VSS, page 5-22
• Copying Files to Bootflash, page 5-23
• Transferring a Large File over VSL, page 5-23

Telnet over SSH Sessions and the Web Browser User Interface

A VSS supports remote access using Telnet over SSH sessions and the Cisco web browser user interface.
All remote access is directed to the VSS Active supervisor engine, which manages the whole VSS.
If the VSS performs a switchover, Telnet over SSH sessions and web browser sessions are disconnected.

SNMP

The SNMP agent runs on the VSS Active supervisor engine.
CISCO-VIRTUAL-SWITCH-MIB is a new MIB for virtual switch mode and contains the following
main components:
• cvsGlobalObjects — Domain #, Switch #, Switch Mode
• cvsCoreSwitchConfig — Switch Priority
• cvsChassisTable — Switch Role and Uptime
• cvsModuleTable — Information on the physical modules listed in the ENTITY-MIB
entPhysicalTable, whose entPhysicalClass is module(9)
• cvsVSLConnectionTable — VSL Port Count, Operational State
• cvsVSLStatsTable — Total Packets, Total Error Packets
• cvsVSLPortStatsTable — TX/RX Good, Bad, Bi-dir and Uni-dir Packets

Command Console

Because the management plane of the two switches is common (that is, both switches in a VSS can be
configured and managed from the Active switch itself), you do not require access to the Standby console.
However, the consoles of both switches are available by connecting console cables to both supervisor
engine console ports. Availability of the Standby console does not imply that you can configure the
switch from Standby console as well. Config mode is not available on the Standby and show commands
are limited in availability. Observe that all show commands, even for remote ports, are available on the
Active switch.
The console on the VSS Standby switch indicates that the switch is operating in VSS Standby mode by
adding the characters “-stdby” to the command-line prompt. You cannot enter configuration mode on the
VSS Standby switch console.
The following example shows the prompt on the VSS Standby console:
Switch-standby> sh clock
*14:04:58.705 UTC Tue Nov 20 2012

Accessing the Remote Console on VSS

The remote console (the Standby switch's console) can be accessed from the local (Active) switch. This is
available on a standalone system and works the same way on a VSS. To access the remote console from the
Active switch, use the remote login command with the VSS Standby module number. Observe that the module
number is a virtual slot, and that it is the In-Chassis-Active supervisor module number on the remote
chassis.
Switch# remote login module 11
Connecting to standby virtual console
Type "exit" or "quit" to end this session

Switch-standby-console>

Because the Standby console is not available in config mode and only partially available in EXEC mode,
distributed features like Netflow and Wireshark have special exemptions for respective commands (that
is, these commands are allowed). Refer to Chapter 65, “Configuring Flexible NetFlow” and Chapter 59,
“Configuring Wireshark” for details.

Copying Files to Bootflash

When you copy a file to a bootflash on the Active, it is not automatically copied to the Standby bootflash.
This means that when you perform an ISSU upgrade or downgrade, both switches must receive the files
individually. This behavior matches that on a dual-supervisor standalone system. Similarly, the removal
of a file on one switch does not cause the removal of the same file on the other switch.

Transferring a Large File over VSL

Because management of both VSS switches is performed through the Active switch, you might need to send
a large config or image file from one switch to the other (that is, a file transfer over the VSL). When
you do this, the VSL link becomes “busy.” Because the data flows over a front panel port, the transfer is
significantly slower than on a dual-supervisor standalone system, where this action occurs over the
dedicated EOBC link.
On a VSS, copying a large file from one switch to the other may take several minutes. Hence, you should
do this only when needed, and expect to wait several minutes before the file transfer completes.

Dual-Active Detection
If the VSL fails, the VSS Standby switch cannot determine the state of the VSS Active switch. To ensure
that switchover occurs without delay, the VSS Standby switch assumes the VSS Active switch has failed
and initiates switchover to take over the VSS Active role.
If the original VSS Active switch is still operational, both switches are now VSS Active. This situation is
called a dual-active scenario. A dual-active scenario can have adverse effects on network stability,
because both switches use the same IP addresses, SSH keys, and STP bridge ID. The VSS must detect a
dual-active scenario and take recovery action.
The VSS supports two methods, Enhanced PAgP and Fast-Hello, for detecting a dual-active scenario.
PAgP uses messaging over the MEC links to communicate between the two switches through a neighbor
switch. Enhanced PAgP requires a neighbor switch that supports the PAgP enhancements.
The dual-active detection and recovery methods are described in the following sections:
• Dual-Active Detection Using Enhanced PAgP, page 5-23
• Dual-Active Detection Using Fast-Hello, page 5-24
• Recovery Actions, page 5-24

Dual-Active Detection Using Enhanced PAgP
Port Aggregation Protocol (PAgP) is a Cisco-proprietary protocol for managing EtherChannels. If a VSS
MEC terminates on a Cisco switch, you can run PAgP on the MEC. If PAgP is running on the
MECs between the VSS and an upstream or downstream switch, the VSS can use PAgP to detect a
dual-active scenario. The MEC must have at least one port on each switch of the VSS.
In virtual switch mode, PAgP messages include a new type length value (TLV) which contains the ID of
the VSS Active switch. Only switches in virtual switch mode send the new TLV.
For dual-active detection to operate successfully, one or more of the connected switches must be able to
process the new TLV. Catalyst 4500, Catalyst 4500-X, and Catalyst 49xx series switches have this
capability. For a list of other Cisco products that support enhanced PAgP, refer to Release Notes for
Cisco IOS Release at this URL:
http://www.cisco.com/en/US/products/ps6350/tsd_products_support_series_home.html
When the VSS Standby switch detects VSL failure, it initiates SSO and becomes VSS Active.
Subsequent PAgP messages to the connected switch from the newly VSS Active switch contain the new
VSS Active ID. The connected switch sends PAgP messages with the new VSS Active ID to both VSS
switches.
If the formerly VSS Active switch is still operational, it detects the dual-active scenario because the VSS
Active ID in the PAgP messages changes. This switch initiates recovery actions as described in the
“Recovery Actions” section on page 5-24.

Dual-Active Detection Using Fast-Hello
Dual-Active fast-hello employs fast-hello Layer 2 messages over a direct Ethernet connection. When the
VSL goes down, the event is communicated to the peer switch. If the switch was operating as the active
before the VSL went down, it goes into recovery mode upon receipt of a VSL down indication from the
peer switch. This method is faster than IP BFD and ePAgP and does not require a neighboring switch.

Fast-Hello Link

A fast-hello link is configured between two VSS members with the intention of detecting a dual-active
condition. Configuring dual-active fast-hello automatically removes all configurations from the
specified interfaces, and restricts the interface to dual-active configuration commands. The following
commands are allowed only in restricted mode on a fast-hello interface:
default—Sets a command to its defaults
description—Describes the interface
dual-active—Specifies a virtual switch dual-active config
exit—Exits from the fast hello interface configuration mode
load-interval—Specifies the interval for load calculation on an interface
logging—Configures logging for interface
no—Negates a command or sets its defaults
shutdown—Shuts down the selected interface
Fast-hello links carry no data traffic other than fast-hello messages.
For details on how to configure fast-hello dual-active detection, see the “Configuring Fast-Hello
Dual-Active Detection” section on page 5-52.

Recovery Actions
A VSS Active switch that detects a dual-active condition shuts down (by err-disabling) all of its
non-VSL interfaces to remove itself from the network, and waits in recovery mode until the VSL links
have recovered. You might need to intervene directly to fix the VSL failure. When the shut-down switch
detects that the VSL is operational again, it reloads and returns to service as the VSS Standby
switch.
Loopback interfaces are also shut down in recovery mode. The loopback interfaces are operationally
down and not err-disabled.

Note If the running configuration of the switch in recovery mode has been changed without saving, the switch
will not automatically reload. In this situation, you must write the configuration to memory and then
reload manually using the reload command. Only configuration changes applied to VSL ports on the
switch can be saved. All other configuration changes are discarded as the node reboots as VSS standby.

When a switch becomes active (either due to a dual-active scenario or otherwise), the IP address
configured for the fa1 management interface is associated with the active switch. By default, the switch in
recovery mode does not have any IP address on the fa1 interface of its supervisor engine. To ensure IP
connectivity to the switch during recovery, you can configure a recovery IP address. (This configuration
is mandatory if you want IP connectivity while the switch is in recovery.) When a switch enters recovery
mode, the IP address for the management interface on its supervisor engine is associated with the
recovery IP address.
The recovery IP address for a management interface can be verified in the output of commands such as
show ip interface brief and show interfaces.

Configuring a Recovery IP Address
The recovery IP address is the IP address that is used for the fa1 interface (of a switch) while in recovery
mode.
To configure the recovery IP address for the fa1 interface, perform the following task:

Command                                                                 Purpose
Step 1  Switch# configure terminal                                       Enters configuration mode.
Step 2  Switch(config)# switch virtual domain domain-id                  Specifies the virtual switch domain.
Step 3  Switch(config-vs-domain)# [no] dual-active recovery [switch n]   Configures a recovery IP address.
        ip address recovery-ip-address recovery-ip-mask                  n is the VSS switch ID.

The following example shows how to set a recovery IP address of 1.1.1.1 with mask 255.255.255.0:
Switch# configure terminal
Switch(config)# switch virtual domain 19
Switch(config-vs-domain)# dual-active recovery ip address 1.1.1.1 255.255.255.0

By default, no IP address is configured for recovery mode, so the fa1 interface of a switch is not associated
with an IP address while that switch is in recovery mode. This ensures that two devices do not respond
to the same IP address.
Without the switch n option, the (same) recovery ip address is used by either switch when it enters
recovery mode. By definition, there is only one switch (in a given VSS system) in recovery mode at a
time, making one recovery ip address sufficient.
If the two switches must use different IP addresses when the respective switch is in recovery mode, use
the switch n option.
You can configure recovery IP addresses without the switch n option and with the switch n option
simultaneously (for a total of three IP addresses, one global and one per switch). When done, the
per-switch IP address takes precedence. If no per-switch IP address exists, the global IP address is used.
Following are two examples:

Scenario 1

The VSS System is configured as follows:
• Global IP address - GIP
• switch 1 IP address - IP1
• switch 2 IP address - IP2
In this scenario, if switch 1 enters recovery mode, it will use IP1 for the fa1 interface on switch 1.
Conversely, if switch 2 enters recovery mode, it will use IP2 for the fa1 interface on switch2.

Scenario 2

The VSS system is configured as follows:
• Global IP address - GIP
• switch 1 IP address - IP1
• switch 2 specific IP address - none configured
In this scenario, if switch 1 enters recovery mode, it will use IP1 for the fa1 interface on the switch 1.
Conversely, if switch 2 enters recovery mode, it will use GIP for the fa1 interface on switch2.

VSS Initialization
A VSS is formed when the two switches and the VSL link between them become operational. The peer
switches communicate over the VSL to negotiate their roles.
If only one switch becomes operational, it assumes the VSS Active role. The VSS forms when the second
switch becomes operational and both switches bring up their VSL interfaces.
VSS initialization is described in the following sections:
• Virtual Switch Link Protocol, page 5-26
• SSO Dependencies, page 5-27
• Initialization Procedure, page 5-27

Virtual Switch Link Protocol
The Virtual Switch Link Protocol (VSLP) consists of several protocols that contribute to virtual switch
initialization. The VSLP includes the following protocols:
• Role Resolution Protocol
The peer switches use the Role Resolution Protocol (RRP) to negotiate the role (VSS Active or VSS
Standby) for each switch.
• Link Management Protocol
The Link Management Protocol (LMP) runs on all VSL links, and exchanges information required
to establish communication between the two switches.
LMP identifies and rejects any unidirectional links. If LMP flags a unidirectional link, the switch
that detects the condition brings the link down and up to restart the VSLP negotiation. VSL moves
the control traffic to another port if necessary.

SSO Dependencies
For the VSS to operate with SSO redundancy, the VSS must meet the following conditions:
• Identical software versions (except during ISSU with compatible versions)
• VSL configuration consistency
During the startup sequence, the VSS Standby switch sends virtual switch information from the
startup-config file to the VSS Active switch.
The VSS Active switch ensures that the following information matches correctly on both switches:
– Switch virtual domain
– Switch virtual node
– Switch priority (optional)
– VSL port channel: switch virtual link identifier
– VSL ports: channel-group number, shutdown, total number of VSL ports
• If the VSS detects a mismatch, it prints an error message on the VSS Active switch console and
the VSS Standby switch does not boot up. There are several ways to recover from this situation. If
the switch is not running live traffic, you can either disconnect the VSL links or shut down the VSL ports
on the peer, which then boots in VSS Active mode. You can make the necessary changes afterwards,
reboot the switch, and ensure that the VSL links are connected and not in shutdown mode.
Alternatively, you could clear the VSS rommon variable (VS_SWITCH_NUMBER) and allow the
switch to boot in standalone mode. This method requires that no traffic flows through this switch.
Once the switch is in standalone mode, you can convert it to VSS and then reboot it.
• SSO and NSF enabled
SSO and NSF must be configured and enabled on both switches. For detailed information on
configuring and verifying SSO and NSF, see Chapter 12, “Configuring Cisco NSF with SSO
Supervisor Engine Redundancy.”
If these conditions are unsatisfied, the VSS stops booting and ensures that the forwarding plane is not
performing forwarding. For a description of SSO and RPR, see the “VSS Redundancy” section on
page 5-11.

Initialization Procedure
The following sections describe the VSS initialization procedure:
• VSL Initialization, page 5-27
• System Initialization, page 5-28
• VSL Down, page 5-28

VSL Initialization

A VSS is formed when the two switches and the VSL link between them become operational. Because
both switches need to be assigned their role (VSS Active or VSS Standby) before completing
initialization, VSL is brought online before the rest of the system is initialized. The initialization
sequence is as follows:
1. The VSS initializes all cards with VSL ports, and then initializes the VSL ports.
2. The two switches communicate over the VSL to negotiate their roles (VSS Active or VSS Standby).
3. The VSS Active switch completes the boot sequence, including the consistency check described in
the “SSO Dependencies” section on page 5-27.
4. If the consistency check completed successfully, the VSS Standby switch comes up in SSO VSS
Standby mode. If the consistency check failed, the VSS Standby switch comes up in RPR mode.
5. The VSS Active switch synchronizes configuration and application data to the VSS Standby switch.
If VSS is either forming for the first time or a mismatch exists between VSL information sent by the
Standby switch and what is on the Active switch, the new configuration is absorbed in the
startup-config. This means that if the Active switch was running prior to the Standby switch and
unsaved configurations existed, they would be written to the startup-config if the Standby switch
sends mismatched VSL information.

System Initialization

If you boot both switches simultaneously, the switch configured as Switch 1 boots as VSS Active and
the one with Switch 2 boots as VSS Standby. If priority is configured, the higher priority switch becomes
active.
If you boot only one switch, the VSL ports remain inactive, and the switch boots as VSS Active. When
you subsequently boot the other switch, the VSL links become active, and the new switch boots as VSS
Standby. Because preemption is not supported, if a VSS Active is already running, the peer switch would
always receive the VSS Standby role, even if its priority is higher than that of the Active's.

VSL Down

If the VSL is down when both switches try to boot up, the situation is similar to a dual-active scenario.
One of the switches becomes VSS Active and the other switch initiates recovery from the dual-active
scenario. For further information, see the “Configuring Dual-Active Detection” section on page 5-51.

VSS Configuration Guidelines and Restrictions
The following sections describe restrictions and guidelines for VSS configuration:
• General VSS Restrictions and Guidelines, page 5-28
• Multichassis EtherChannel Restrictions and Guidelines, page 5-30
• Dual-Active Detection Restrictions and Guidelines, page 5-30

General VSS Restrictions and Guidelines
When configuring the VSS, note the following guidelines and restrictions:
• In Cisco IOS XE 3.4.0E (15.1(2)SG, E), VSS did not support SMI (both Director and Client).
Beginning with Cisco IOS XE 3.5.0E (15.2(1)E), VSS supports the SmartInstall Director but not the SMI
Client.
Beginning with Cisco IOS XE 3.6.0E (15.2(2)E), VSS supports both the SmartInstall Director and the SMI
Client.
VSS mode is transparent to SMI except for the changes in interface names.
• The SMI Director has only one instance on VSS and runs on the VSS active switch. The standby
Catalyst 4500 switch in a VSS is not listed as a director in the output of the sh vstack status
command.
• The VSS configurations in the startup-config file must match on both switches; that is, the domain
must match, the switch ID must be unique, and the VSL ports' information must match the physical
connection.
• There is no restriction on configuring oversubscribed line card ports as VSL ports. Responsibility for
bandwidth availability for a given network requirement lies with the network operator.
• The VSL port channel must have more than one port in the channel, preferably distributed across more
than one module. If the VSL consists of only one link, its failure causes dual-active operation of the
VSS. Likewise, if all VSL links are configured on one module, that module going down may cause
dual-active operation.
• The ICS supervisor engine is supported only in rommon mode; its ports are available but the
supervisor engine neither forwards traffic nor provides any redundancy in that chassis.
• If a dual-supervisor system is being converted to VSS, each supervisor engine in the chassis must
be converted to VSS one at a time; when one supervisor is being converted to VSS, another one must
remain in rommon or be removed from the chassis. When both supervisor engines are converted,
they can be inserted in the chassis. A combination of converted and non-converted supervisor
engines in a chassis is not supported and it may disrupt the network.
• Classification and marking based on 'qos-group' in a QoS policy-map is not supported in VSS.
• The following older generation line cards (WS-X42xy to WS-X45xy) are supported with the VSS
feature:
– WS-X4148-RJ
– WS-X4148-RJ
– WS-X4148-FX-MT
– WS-X4306-GB
– WS-X4548-RJ45V+
– WS-X4448-GB-SFP
– WS-X4248-FE-SFP
– WS-X4248-RJ45V
Please remove all other linecards from your system when converting from standalone to VSS mode.
• Do not attach a QoS policy with the maximum queue-limit (8184) to a large number of targets in a
VSS system. This will cause continuous reloads on the standby supervisor engine.
• When an asymmetric virtual switch (that is, a VSS comprising chassis with different slot capacities)
boots initially after conversion from standalone mode, the entPhysicalDescr object for the standby
chassis does not hold the correct value. The entPhysicalDescr objects for both the active and standby
chassis match and hold the value for the active chassis.
After the running configuration is saved and a shelf reload occurs, this behavior is not observed:
the entPhysicalDescr objects for both chassis accurately reflect the correct chassis types.

Multichassis EtherChannel Restrictions and Guidelines
When configuring MECs, note the following guidelines and restrictions:
• Port Security over EtherChannels is not supported.
• All links in an MEC must terminate locally on the VSS Active or VSS Standby switch of the same
virtual domain.
• An MEC can be connected to another MEC on a different VSS domain.
• Policers applied on an MEC are applied on the two switches independently; if a policer is applied for
100 Mbps of conforming action, it applies 100 Mbps on both switches, resulting in a total
conforming rate of 200 Mbps. To mitigate this, you can reduce the policer rate. In a more restrictive
case, a rate of 50 Mbps might be necessary to achieve a maximum of 100 Mbps. In a more liberal
case, where a conforming rate of 200 Mbps is not a problem, the policing rate could be kept at
100 Mbps.

Dual-Active Detection Restrictions and Guidelines
When configuring dual-active detection, note the following guidelines and restrictions:
• For line redundancy, we recommend configuring at least two ports per switch for dual-active
detection. For module redundancy, the two ports can be on different modules in each switch, and
should be on different modules than the VSL ports, if feasible.
• Only trusted PAgP channels are relied upon to detect dual-active mode of operation.

Configuring a VSS
These sections describe how to configure a VSS:
• Configuring Easy VSS, page 5-30
• Converting to a VSS, page 5-32
• Displaying VSS Information, page 5-38
• Converting a VSS to Standalone Switch, page 5-39
• Configuring VSS Parameters, page 5-41
• Configuring Multichassis EtherChannels, page 5-47
• Configuring Dual-Active Detection, page 5-51

Configuring Easy VSS
Beginning with Cisco IOS XE 3.6.0E (IOS 15.2(2)E), the Catalyst 4500 series switch supports Easy
VSS, which enables you to configure VSS with a single command on the active switch and no action on
the VSS standby switch.
The active switch can gather information from all switches that are Layer 3 reachable.

Note Both switches are directly connected to each other using Layer 3 physical interfaces and are reachable
through these interfaces. These physical interfaces are candidate VSL interfaces and are displayed in a
list of "potential" VSL interfaces in the output of the vsl ? command in easy-vss mode. This output also
displays a list of indirectly-reachable Layer 3 interfaces.

Cisco IOS XE 3.6.0E (IOS 15.2(2)E) only supports reachability using a default route. Management and
user-created VRFs are not supported.

Note Switches may be reachable from each other through management interfaces, but reachability to
neighboring switches using a management interface is not supported, even though the management
interface appears in the candidate VSL list.

Switches can be directly connected yet Layer 3 reachable only indirectly. The directly-connected physical
interfaces display in the output of the vsl ? command, which displays all switches that have direct
physical connections.
Alternatively, you can make a physical interface Layer 3 "capable" (that is, make two switches reachable
via directly connected Layer 3 links) by performing the following steps on both switches (A and B):

Command Purpose
Step 1 Switch(config)# interface interface Selects interface and switches to interface
configuration mode.
Step 2 Switch(config-if)# no switchport Converts the switch to a Layer 3 interface.
Step 3 Switch(config-if)# ip add a.a.a.a b.b.b.b Configures an IP address for temporary use.
Step 4 Switch(config-if)# exit Exits interface configuration mode.

On Switch-A
Switch-A(config)# int G2/15
Switch-A(config-if)# no switchport
Switch-A(config-if)# ip address 5.5.5.6 255.255.255.0

On Switch-B
Switch-B(config)# int G3/15
Switch-B(config-if)# no switchport
Switch-B(config-if)# ip address 5.5.5.5 255.255.255.0
Then ping 5.5.5.6 from Switch-B.

Issuing the switch convert mode easy-virtual-switch exec command on a VSS active switch displays
a list of potential VSS standby switches: those that are directly connected and hardware compatible.
From the displayed list, the sub-command vsl ? derives its input from interfaces that belong to the switch
where the command is executed.

Perform the following task on the VSS active switch that you want to make the master switch, which
manages the standby switch after VSS boot-up:

Command Purpose
Step 1 Switch# switch convert mode easy-virtual-switch Switches to easy VSS sub-mode.
Step 2 Switch(easy-vss)# VSL ? Displays a list of local interfaces (with their peer
interfaces, switch-ip and switch-name).
and
Switch(easy-vss)# VSL local-interface Assigns the local interfaces that you want to convert to
VSL. Choose interfaces from the Local Interface column
of the 'VSL ?' output.
Step 3 Switch(easy-vss)# exit Returns to exec command mode.

The following example illustrates use of the vsl ? command:
SwitchA# switch convert mode easy-virtual-switch
SwitchA(easy-vss)# VSL ?
Local Interface Remote Interface Hostname Standby-IP
GigabitEthernet2/15 GigabitEthernet3/15 Switch-B 5.5.5.5
GigabitEthernet2/17 GigabitEthernet3/17 Switch-B 5.5.5.5
GigabitEthernet2/4 GigabitEthernet3/4 Switch-C 4.4.4.4

The switch on which we execute the above commands becomes the master switch after VSS boots. Local
Interfaces lists interfaces on the switch where we are executing the commands. Remote Interfaces lists
the interfaces on the peer switch connected with the local interfaces.
Select a maximum of eight VSL local interfaces (i.e., interfaces under the Local Interface column).
This example forces both the master and standby switches to reboot and come up in VSS. Now, we have
two interfaces as VSL members with the local interfaces GigabitEthernet 2/15 and GigabitEthernet 2/17.
SwitchA# switch convert mode easy-virtual-switch
SwitchA(easy-vss)# VSL GigabitEthernet2/15 GigabitEthernet2/17

Note 10G and 1G interfaces cannot be mixed. Chosen interfaces should belong to the same peer.

The master switch shares the tftp image path with the standby switch. On reboot, if the tftp path is used
for loading the image, both switches boot with the same image.
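The rules stated above for choosing VSL members (interfaces from the Local Interface column, at most eight, all to the same peer, no mixing of 1G and 10G, and more than one link so a single failure cannot cause dual-active) can be checked before issuing the VSL command. The following is an added example, not Cisco code; the candidate table is constructed after the VSL ? listing above, with an extra TenGigabitEthernet row added to exercise the speed-mix rule.

```python
"""Validate a VSL interface selection against the Easy VSS 'VSL ?' candidate table."""
import re

# Constructed sample, modelled on the 'VSL ?' output shown in this section
# (the TenGigabitEthernet row is an addition used to exercise the speed check).
SAMPLE_VSL_TABLE = """\
Local Interface Remote Interface Hostname Standby-IP
GigabitEthernet2/15 GigabitEthernet3/15 Switch-B 5.5.5.5
GigabitEthernet2/17 GigabitEthernet3/17 Switch-B 5.5.5.5
GigabitEthernet2/4 GigabitEthernet3/4 Switch-C 4.4.4.4
TenGigabitEthernet1/1 TenGigabitEthernet1/1 Switch-B 5.5.5.5
"""

# A data row ends in the standby IP address; the header line does not, so it is skipped.
ROW_RE = re.compile(
    r"^\s*(?P<local>\S+)\s+(?P<remote>\S+)\s+(?P<host>\S+)\s+(?P<ip>\d+\.\d+\.\d+\.\d+)\s*$"
)
MAX_VSL_LINKS = 8  # the guide's limit on VSL local interfaces


def parse_vsl_candidates(text):
    """Map each local interface to (remote interface, peer hostname, standby IP)."""
    candidates = {}
    for line in text.splitlines():
        m = ROW_RE.match(line)
        if m:
            candidates[m["local"]] = (m["remote"], m["host"], m["ip"])
    return candidates


def interface_speed(name):
    """'TenGigabitEthernet1/1' -> 'TenGigabitEthernet'; the type prefix encodes the speed."""
    return re.match(r"[A-Za-z]+", name).group(0)


def validate_vsl_selection(selected, candidates):
    """Return a list of rule violations; an empty list means the selection is acceptable."""
    problems = []
    if not selected:
        problems.append("no VSL interface selected")
        return problems
    if len(selected) > MAX_VSL_LINKS:
        problems.append(f"{len(selected)} interfaces selected; maximum is {MAX_VSL_LINKS}")
    unknown = [i for i in selected if i not in candidates]
    if unknown:
        # Only interfaces from the Local Interface column may be used.
        problems.append(f"not in the candidate list: {', '.join(unknown)}")
        return problems
    peers = {candidates[i][1] for i in selected}
    if len(peers) > 1:
        problems.append(f"interfaces belong to different peers: {', '.join(sorted(peers))}")
    speeds = {interface_speed(i) for i in selected}
    if len(speeds) > 1:
        problems.append("1G and 10G interfaces cannot be mixed in one VSL")
    if len(selected) < 2:
        problems.append("only one VSL link: its failure causes dual-active operation")
    return problems


if __name__ == "__main__":
    cands = parse_vsl_candidates(SAMPLE_VSL_TABLE)
    print(validate_vsl_selection(["GigabitEthernet2/15", "GigabitEthernet2/17"], cands))
```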

Converting to a VSS
By default, the Catalyst 4500/4500X series switch is configured to operate in standalone mode (the
switch works independently). The VSS combines two standalone switches into one virtual switch,
operating in virtual switch mode.

Note When you convert two standalone switches into one VSS, all non-VSL configuration settings on the VSS
Standby switch will revert to the default configuration.

Note Preferably, conversion to VSS should be done during a maintenance window. If you plan to use the same
port channel number for VSL, default the existing port channel configurations that are available on the
standalone switches. Then, follow the guidelines in section Configuring VSL Port Channel and Ports,
page 5-35.

To convert two standalone switches into a VSS, you perform the following major activities:
• Save the standalone configuration files.
• Configure each switch for required VSS configurations.
• Convert to a VSS.
In virtual switch mode, both switches use the same configuration file. When you make configuration
changes on the VSS Active switch, these changes are automatically propagated to the VSS Standby
switch.
The tasks required to convert the standalone switch to a VSS are detailed in the following sections:
• Backing Up the Standalone Configuration, page 5-34
• Configuring SSO and NSF, page 5-34
• Assigning Virtual Switch Domain and Switch Numbers, page 5-34
• Configuring VSL Port Channel and Ports, page 5-35
• Converting the Switch to Virtual Switch Mode, page 5-36
• (Optional) Configuring VSS Standby Switch Modules, page 5-37
In the procedures that follow, the example commands assume the configuration shown in Figure 5-8.

Figure 5-8 Example VSS
[Figure: Chassis A (Switch 1) and Chassis B (Switch 2), connected by the virtual switch link (VSL)
between ports T 5/1 and T 5/2.]

Two chassis, A and B, are converted into a VSS with virtual switch domain 100. Interface 10-Gigabit
Ethernet 5/1 on Switch 1 is connected to interface 10-Gigabit Ethernet 5/2 on Switch 2 to form the VSL.

Note The port channels 10 and 20 mentioned in the config steps below are merely exemplary. You can
configure any port channel number from 1-64 for VSL port channel.

Backing Up the Standalone Configuration
Save the configuration files for both switches operating in standalone mode. You need these files to
revert to standalone mode from virtual switch mode.
On Switch 1, perform this task:

Command Purpose
Step 1 Switch-1# copy running-config startup-config (Optional) Saves the running configuration to startup
configuration.
Step 2 Switch-1# copy startup-config disk0:old-startup-config Copies the startup configuration to a backup file.

On Switch 2, perform this task:

Command Purpose
Step 1 Switch-2# copy running-config startup-config (Optional) Saves the running configuration to the
startup configuration file.
Step 2 Switch-2# copy startup-config disk0:old-startup-config Copies the startup configuration to a backup file.

Configuring SSO and NSF
SSO and NSF are configured as default on VSS.

Assigning Virtual Switch Domain and Switch Numbers
You must configure the same virtual switch domain number on both switches of the VSS. The virtual
switch domain is a number between 1 and 255, and must be unique for each VSS in your network (the
domain number is incorporated into various identifiers to ensure that these identifiers are unique across
the network).
Within the VSS, you must configure one switch to be switch number 1 and the other switch to be switch
number 2.
To configure the virtual switch domain and switch number on both switches, perform this task on
Switch 1:

Command Purpose
Step 1 Switch-1(config)# switch virtual domain 100 Configures the virtual switch domain on Switch A.
Step 2 Switch-1(config-vs-domain)# switch 1 Configures Switch A as virtual switch number 1.
Step 3 Switch-1(config-vs-domain)# exit Exits config-vs-domain.

Perform the following task on Switch 2:

Command Purpose
Step 1 Switch-2(config)# switch virtual domain 100 Configures the virtual switch domain on Switch B.
Step 2 Switch-2(config-vs-domain)# switch 2 Configures Switch B as virtual switch number 2.
Step 3 Switch-2(config-vs-domain)# exit Exits config-vs-domain.

Note The switch number is not stored in the startup or running configuration, because both switches use the
same configuration file (but must not have the same switch number).

Configuring VSL Port Channel and Ports
The VSL is configured with a unique port channel on each switch. During the conversion, the VSS
configures both port channels on the VSS Active switch. If the VSS Standby switch VSL port channel
number has been configured for another use, the VSS comes up in RPR mode. To avoid this situation,
check that both port channel numbers are available on both of the switches.
Check the port channel number with the show running-config interface port-channel command. The
command displays an error message if the port channel is available for VSL. For example, the following
command shows that port channel 20 is available on Switch 1:
Switch-1# show running-config interface port-channel 20
% Invalid input detected at '^' marker.

To configure the VSL port channels, perform this task on Switch 1:

Note The port channels 10 and 20 mentioned in the configuration steps below are exemplary only. You can
configure any port channel number from 1-64 for VSL port channel.

Command Purpose
Step 1 Switch-1(config)# interface port-channel 10 Configures port channel 10 on Switch 1.
Step 2 Switch-1(config-if)# switchport Converts the port channel to a Layer 2 port.
Step 3 Switch-1(config-if)# switch virtual link 1 Associates Switch 1 as owner of port channel 10.
Step 4 Switch-1(config-if)# no shutdown Activates the port channel.
Step 5 Switch-1(config-if)# exit Exits interface configuration.

Perform the following task on Switch 2:

Command Purpose
Step 1 Switch-2(config)# interface port-channel 20 Configures port channel 20 on Switch 2.
Step 2 Switch-2(config-if)# switchport Converts the port channel to a Layer 2 port.
Step 3 Switch-2(config-if)# switch virtual link 2 Associates Switch 2 as owner of port channel 20.

Step 4 Switch-2(config-if)# no shutdown Activates the port channel.
Step 5 Switch-2(config-if)# exit Exits interface configuration mode.

You must add the VSL physical ports to the port channel. In the following example, interfaces 10-Gigabit
Ethernet 3/1 and 3/2 on Switch 1 are connected to interfaces 10-Gigabit Ethernet 5/2 and 5/3 on
Switch 2.

Tip For line redundancy, we recommend configuring at least two ports per switch for the VSL. For module
redundancy, the two ports can be on different switching modules in each chassis.

To configure the VSL ports, perform this task on Switch 1:

Command Purpose
Step 1 Switch-1(config)# interface range tengigabitethernet 3/1-2 Enters configuration mode for interface range
tengigabitethernet 3/1-2 on Switch 1.
Step 2 Switch-1(config-if)# channel-group 10 mode on Adds this interface to channel group 10.

Note 1G ports, which are converted from 10G ports using a connector, are not supported for VSL. This
impacts Sup7-E and Sup7L-E ports.

On Switch 2, perform this task:

Command Purpose
Step 1 Switch-2(config)# interface range tengigabitethernet 5/2-3 Enters configuration mode for interface range
tengigabitethernet 5/2-3 on Switch 2.
Step 2 Switch-2(config-if)# channel-group 20 mode on Adds this interface to channel group 20.

Note 1G ports, which are converted from 10G ports using a connector, are not supported for VSL. This
impacts Sup7-E and Sup7L-E ports.

Converting the Switch to Virtual Switch Mode
Conversion to virtual switch mode requires a restart for both switches. After the reboot, commands that
specify interfaces with module/port now include the switch number. For example, a port on a switching
module is specified by switch/module/port.
Prior to the restart, the VSS converts the startup configuration to use the switch/module/port convention.
A backup copy of the startup configuration file is saved in bootflash. This file is assigned a default name,
but you are also prompted to override the default name if you want to change it.

To convert Switch 1 to virtual switch mode, perform this task:

Command Purpose
Switch-1# switch convert mode virtual Converts Switch 1 to virtual switch mode.
After you enter the command, you are prompted to
confirm the action. Enter yes.
The system creates a converted configuration file, and
saves the file to the bootflash.

To convert Switch 2 to virtual switch mode, perform this task on Switch 2:

Command Purpose
Switch-2# switch convert mode virtual Converts Switch 2 to virtual switch mode.
After you enter the command, you are prompted to
confirm the action. Enter yes.
The system creates a converted configuration file, and
saves the file to the bootflash.

Note After you confirm the command (by entering yes at the prompt), the running configuration is
automatically saved as the startup configuration and the switch reboots. After the reboot, the switch is
in virtual switch mode, so you must specify interfaces with three identifiers (switch/module/port).

When switches are being converted to VSS, you should not set them to ignore the startup-config. If this
has been done, parsing of the startup-config can be re-enabled at the rommon prompt. Ignoring the
startup-config in VSS mode causes a switch to boot in a semi-VSS mode, which can only be corrected by
enabling the parsing of the startup-config and rebooting.

(Optional) Configuring VSS Standby Switch Modules

Note You cannot configure or provision modules on VSS.

When switches form initial VSS relationships, they send module information to each other and this
information is pushed to the configuration and used subsequently for provisioning, provided the switch
is booting and the peer is down or not present.
The following example shows the module provisioning information:
module provision switch 1
slot 1 slot-type 148 port-type 60 number 4 virtual-slot 17
slot 2 slot-type 137 port-type 31 number 16 virtual-slot 18
slot 3 slot-type 227 port-type 60 number 8 virtual-slot 19
slot 4 slot-type 225 port-type 61 number 48 virtual-slot 20
slot 5 slot-type 82 port-type 31 number 2 virtual-slot 21
module provision switch 2
slot 1 slot-type 148 port-type 60 number 4 virtual-slot 33
slot 2 slot-type 227 port-type 60 number 8 virtual-slot 34
slot 3 slot-type 137 port-type 31 number 16 virtual-slot 35

slot 4 slot-type 225 port-type 61 number 48 virtual-slot 36
slot 5 slot-type 82 port-type 31 number 2 virtual-slot 37

These commands are not available to the user, and the various numbers used in these commands are
internal to the system and identify a module. These commands are written to the startup-config
when a switch detects a given module while it is running in VSS mode. When the switch is reconverted
to standalone mode, these commands are removed from the startup-config.

Displaying VSS Information
To display basic information about the VSS, perform one of these tasks:

Command Purpose
Switch# show switch virtual Displays the virtual switch domain number, and the
switch number and role for each of the switches.
Switch# show switch virtual role Displays the role, switch number, and priority for
each of the switch in the VSS.
Switch# show switch virtual link Displays the status of the VSL.

The following example shows the information output from these commands:
Switch# show switch virtual
Executing the command on VSS member switch role = VSS Active, id = 1

Switch mode : Virtual Switch
Virtual switch domain number : 100
Local switch number : 1
Local switch operational role: Virtual Switch Active
Peer switch number : 2
Peer switch operational role : Virtual Switch Standby

Executing the command on VSS member switch role = VSS Standby, id = 2

Switch mode : Virtual Switch
Virtual switch domain number : 100
Local switch number : 2
Local switch operational role: Virtual Switch Standby
Peer switch number : 1
Peer switch operational role : Virtual Switch Active

Switch# show switch virtual role

Executing the command on VSS member switch role = VSS Active, id = 1

RRP information for Instance 1

--------------------------------------------------------------------
Valid Flags Peer Preferred Reserved
Count Peer Peer

--------------------------------------------------------------------
TRUE V 1 1 1

Switch Switch Status Preempt Priority Role Local Remote
Number Oper(Conf) Oper(Conf) SID SID
--------------------------------------------------------------------

LOCAL 1 UP FALSE(N ) 100(100) ACTIVE 0 0
REMOTE 2 UP FALSE(N ) 100(100) STANDBY 7496 7678

Peer 0 represents the local switch

Flags : V - Valid
In dual-active recovery mode: No

Executing the command on VSS member switch role = VSS Standby, id = 2

RRP information for Instance 2

--------------------------------------------------------------------
Valid Flags Peer Preferred Reserved
Count Peer Peer

-------------------------------------------------------------------
TRUE V 1 1 1

Switch Switch Status Preempt Priority Role Local Remote
Number Oper(Conf) Oper(Conf) SID SID

--------------------------------------------------------------------
LOCAL 2 UP FALSE(N ) 100(100) STANDBY 0 0
REMOTE 1 UP FALSE(N ) 100(100) ACTIVE 7678 7496

Peer 0 represents the local switch

Flags : V - Valid
In dual-active recovery mode: No

Switch# show switch virtual link

Executing the command on VSS member switch role = VSS Active, id = 1

VSL Status : UP
VSL Uptime : 13 minutes
VSL Control Link : Te1/1/1

Executing the command on VSS member switch role = VSS Standby, id = 2

VSL Status : UP
VSL Uptime : 13 minutes
VSL Control Link : Te2/1/1

Converting a VSS to Standalone Switch
To convert a VSS into two standalone systems, you perform the following major steps:
• Copying the VSS Configuration to a Backup File, page 5-40
• Converting the VSS Active Switch to Standalone, page 5-40
• Converting the VSS Standby Switch to Standalone, page 5-40

Copying the VSS Configuration to a Backup File
Save the configuration file from the VSS Active switch. You may need this file if you convert to virtual
switch mode again. You only need to save the file from the VSS Active switch, because the configuration
file on the VSS Standby switch is identical to the file on the VSS Active switch.

Command Purpose
Step 1 Switch-1# copy running-config startup-config (Optional) Saves the running configuration to startup
configuration. This step is only required if there are
unsaved changes in the running configuration that
you want to preserve.
Step 2 Switch-1# copy startup-config bootflash:vs-startup-config Copies the startup configuration to a backup file.

Converting the VSS Active Switch to Standalone
When you convert the VSS Active switch to standalone mode, the VSS Active switch removes the
provisioning and configuration information related to VSL links and the peer chassis modules, saves the
configuration file, and performs a reload. The switch comes up in standalone mode with only the
configuration data relevant to the standalone system.
The VSS Standby switch of the VSS becomes VSS Active. VSL links on this switch are down because
the peer is now unavailable.
To convert the VSS Active switch to standalone mode, perform this task on the VSS Active switch:

Command Purpose
Switch-1# switch convert mode stand-alone Converts Switch 1 to standalone mode.
After you enter the command, you are prompted to
confirm the action. Enter yes.

Conversion from VSS to standalone causes all physical interfaces to be administratively shut down and
written to the startup-config. This is a safeguard against a standalone system arriving in the network alive
and conflicting with a bridge or router MAC address, which might still be in use if one of the VSS
switches is still running in VSS mode.
We do not recommend that you convert a VSS to standalone in a live network.

Converting the VSS Standby Switch to Standalone
When you convert the new VSS Active switch to standalone mode, the switch removes the provisioning
and configuration information related to VSL links and the peer switch modules, saves the configuration
file and performs a reload. The switch comes up in standalone mode with only its own provisioning and
configuration data.

To convert the peer switch to standalone, perform this task on the VSS Standby switch:

Command Purpose
Switch-2# switch convert mode stand-alone Converts Switch 2 to standalone mode.
After you enter the command, you are prompted to
confirm the action. Enter yes.

Configuring VSS Parameters
These sections describe how to configure VSS parameters:
• Configuring VSL Switch Priority, page 5-41
• Configuring a VSL, page 5-43
• Adding and Deleting a VSL Port After the Bootup, page 5-43
• Displaying VSL Information, page 5-44
• Configuring VSL QoS, page 5-45
• Configuring the Router MAC Address, page 5-46

Configuring VSL Switch Priority
To configure the switch priority, perform this task:

Command Purpose
Step 1 Switch(config)# switch virtual domain 100 Enters configuration mode for the virtual switch
domain.

Step 2 Switch(config-vs-domain)# switch [1 | 2] priority [priority_num] Configures the priority for the switch. The switch
with the higher priority assumes the VSS Active role.
The range is 1 (lowest priority) to 255 (highest
priority); the default is 100.
Note
• The new priority value only takes effect after you save the configuration and perform a reload of
the VSS.
• If the higher priority switch is currently in VSS Standby state, you can make it the VSS Active
switch by initiating a switchover with the redundancy force-switchover command. The show switch
virtual role command displays the operating priority and the configured priority for each switch in
the VSS.
• The no form of the command resets the priority value to the default value of 100. The new value
takes effect after you save the configuration and perform a reload.
Step 3 Switch# show switch virtual role Displays the current priority.

Note If you make configuration changes to the switch priority, the changes only take effect after you save the
running configuration to the startup configuration file and perform a reload. The show switch virtual
role command shows the operating and configured priority values. You can manually set the VSS
Standby switch to VSS Active using the redundancy force-switchover command.

This example shows how to configure virtual switch priority:
Switch(config)# switch virtual domain 100
Switch(config-vs-domain)# switch 1 priority 200
Switch(config-vs-domain)# exit

This example shows how to display priority information for the VSS:
Switch# show switch virtual role
Switch Switch Status Preempt Priority Role Session ID
Number Oper(Conf) Oper(Conf) Local Remote
------------------------------------------------------------------
LOCAL 1 UP FALSE(N) 100(200) ACTIVE 0 0
REMOTE 2 UP FALSE(N) 100(100) STANDBY 8158 1991

In dual-active recovery mode: No
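The show switch virtual role output shown here and under Displaying VSS Information carries the three facts an operator most wants to alarm on: a member that is not UP, a configured priority that has not taken effect because the VSS was not reloaded (Oper 100 versus Conf 200 above), and the dual-active recovery flag. The following parser is an added example, not Cisco code; the sample output is constructed after the priority example above, and the row regex also accepts the "FALSE(N )" / "Local SID / Remote SID" layout of the earlier listing.

```python
"""Parse 'show switch virtual role' output and report conditions worth an alert."""
import re
from dataclasses import dataclass

# Constructed sample, modelled on the priority example in this section:
# switch 1 has a configured priority of 200 that is not yet operating (Oper 100).
SAMPLE_ROLE_OUTPUT = """\
Switch# show switch virtual role
Switch Switch Status Preempt Priority Role Session ID
Number Oper(Conf) Oper(Conf) Local Remote
------------------------------------------------------------------
LOCAL 1 UP FALSE(N) 100(200) ACTIVE 0 0
REMOTE 2 UP FALSE(N) 100(100) STANDBY 8158 1991

In dual-active recovery mode: No
"""

# One member row: LOCAL|REMOTE  num  status  preempt Oper(Conf)  priority Oper(Conf)  role ...
ROW_RE = re.compile(
    r"^\s*(?P<which>LOCAL|REMOTE)\s+(?P<num>\d+)\s+(?P<status>\S+)\s+"
    r"(?P<preempt_oper>TRUE|FALSE)\((?P<preempt_conf>\w)\s*\)\s+"
    r"(?P<prio_oper>\d+)\((?P<prio_conf>\d+)\)\s+(?P<role>\S+)"
)
RECOVERY_RE = re.compile(r"^In dual-active recovery mode:\s*(?P<val>\S+)", re.M)


@dataclass
class MemberRole:
    switch_number: int
    status: str
    priority_oper: int
    priority_conf: int
    role: str


def parse_role_output(text):
    """Return (list of MemberRole, in_dual_active_recovery)."""
    members = []
    for line in text.splitlines():
        m = ROW_RE.match(line)
        if m:
            members.append(MemberRole(int(m["num"]), m["status"],
                                      int(m["prio_oper"]), int(m["prio_conf"]), m["role"]))
    rec = RECOVERY_RE.search(text)
    in_recovery = rec is not None and rec["val"].lower() == "yes"
    return members, in_recovery


def check_vss_role(text):
    """Return a list of findings; an empty list means the VSS looks healthy."""
    members, in_recovery = parse_role_output(text)
    findings = []
    if in_recovery:
        findings.append("dual-active recovery mode: the VSL went down and the standby became active")
    if len(members) != 2:
        findings.append(f"expected 2 member rows, found {len(members)}")
        return findings
    for mbr in members:
        if mbr.status != "UP":
            findings.append(f"switch {mbr.switch_number} status is {mbr.status}")
        if mbr.priority_oper != mbr.priority_conf:
            # The guide: a new priority takes effect only after save and reload.
            findings.append(f"switch {mbr.switch_number}: configured priority {mbr.priority_conf} "
                            f"not in effect (operating {mbr.priority_oper}); save config and reload the VSS")
    active = [m for m in members if m.role == "ACTIVE"]
    standby = [m for m in members if m.role == "STANDBY"]
    if len(active) != 1 or len(standby) != 1:
        findings.append("expected exactly one ACTIVE and one STANDBY member")
    elif standby[0].priority_oper > active[0].priority_oper:
        # Preempt is FALSE by default, so the operator must force the switchover.
        findings.append("higher-priority switch is STANDBY; redundancy force-switchover makes it ACTIVE")
    return findings


if __name__ == "__main__":
    for finding in check_vss_role(SAMPLE_ROLE_OUTPUT):
        print(finding)
```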

Configuring a VSL
To configure a port channel to be a VSL, perform this task:

Command Purpose
Step 1 Switch(config)# interface port-channel channel_num Enters configuration mode for the specified port
channel.
Step 2 Switch(config-if)# switch virtual link switch_num Assigns the port channel to the virtual link for the
specified switch.

Note We recommend that you configure the VSL prior to converting the switch into a VSS.

This example shows how to configure the VSL:
Switch-1(config)# interface port-channel 10
Switch-1(config-if)# switch virtual link 1
Switch-1(config-if)# no shutdown (If the port is admin shutdown)
Switch-1(config)# interface tenGigabitEthernet 5/1
Switch-1(config-if)# channel-group 10 mode on
Switch-1(config-if)# no shutdown (If the port is admin shutdown)

Switch-2(config)# interface port-channel 25
Switch-2(config-if)# switch virtual link 2
Switch-2(config-if)# no shutdown (If the port is admin shutdown)
Switch-2(config)# interface tenGigabitEthernet 5/2
Switch-2(config-if)# channel-group 25 mode on
Switch-2(config-if)# no shutdown (If the port is admin shutdown)

Adding and Deleting a VSL Port After the Bootup
At any time, you can add and delete VSL ports from a port-channel to increase the number of links in the
VSL, to move a link from one port to another, or to remove it from the VSL.
Before adding or deleting VSL ports, do the following:
• Ensure all ports are physically connected to the peer switch. The peer port must also be configured
for VSL.
• Shut down the port before configuring VSL. When both ports on the link are configured for VSL,
unshut them.
• Spread VSL ports across multiple modules.
• While deleting a port, retain at least one "active" VSL port pair. Otherwise, a dual-active operation
could occur.
• To avoid link flaps and high CPU load, shut down the ports before VSL is unconfigured.
• After adding, deleting, or modifying VSL ports, write the config to nvram (that is, startup-config).
• If you need to move a VSL link to another port, account for the bandwidth requirement of the VSL:
first add an additional VSL link to the channel, then move the port, and finally remove the additional
link from the channel.

Displaying VSL Information
To display information about the VSL, perform one of these tasks:

Command Purpose
Switch# show switch virtual link Displays information about the VSL.
Switch# show switch virtual link port-channel Displays information about the VSL port channel.
Switch# show switch virtual link port Displays information about the VSL ports.

This example shows how to display VSL information:
Switch# show switch virtual link
VSL Status : UP
VSL Uptime : 1 day, 3 hours, 39 minutes
VSL Control Link : Te 1/5/1

Switch# show switch virtual link port-channel

Flags: D - down P - bundled in port-channel
I - stand-alone s - suspended
H - Hot-standby (LACP only)
R - Layer3 S - Layer2
U - in use N - not in use, no aggregation
f - failed to allocate aggregator

M - not in use, no aggregation due to minimum links not met
m - not in use, port not aggregated due to minimum links not met
u - unsuitable for bundling
w - waiting to be aggregated

Group Port-channel Protocol Ports
------+-------------+-----------+---------------------------------------------
10 Po10(RU) - Te1/5/4(P) Te1/5/5(P)
20 Po20(RU) - Te2/5/4(P) Te2/5/5(P)

Switch# show switch virtual link port
LMP summary

Link info: Configured: 1 Operational: 1

Peer Peer Peer Peer Timer(s)running
Interface Flag State Flag MAC Switch Interface (Time remaining)
--------------------------------------------------------------------------------
Gi1/3/11 vfsp operational vfsp f866.f296.be00 2 Gi2/1/11 T4(708ms)
T5(29.91s)

Flags: v - Valid flag set f - Bi-directional flag set
s - Negotiation flag set p - Peer detected flag set

Timers: T4 - Hello Tx Timer T5 - Hello Rx Timer

LMP Status

Last operational Current packet Last Diag Time since
Interface Failure state State Result Last Diag
-------------------------------------------------------------------------------
Gi1/3/11 No failure Hello bidir Never ran --

LMP hello timer

Hello Tx (T4) ms Hello Rx (T5*) ms
Interface State Cfg Cur Rem Cfg Cur Rem
-------------------------------------------------------------------------
Gi1/3/11 operational - 1000 708 - 30000 29144

*T5 = min_rx * multiplier
Cfg : Configured Time
Cur : Current Time
Rem : Remaining Time

Configuring VSL QoS
When a physical port is configured as a member of a VSL port-channel, a queuing policy is automatically
attached to the VSL member ports. This queuing policy provides a dedicated queue for VSS
Management, VSLP, BFD, Layer 2 and Layer 3 control protocols, and voice and video data traffic. Each
queue is provided with a minimum bandwidth, ensuring that VSS management and control protocol
packets are not dropped when congestion occurs on the VSL. The bandwidth assigned to a class of traffic
is the minimum bandwidth that is guaranteed to the class during congestion. The VSL link uses Transmit
Queue Sharing, where the output link bandwidth is shared among multiple queues of a given VSL port.
Any modification or removal of VSL Queuing policy is restricted in a VSS system.
The following command sequence is inserted automatically by software.
interface TenGigabitEthernet1/1/1
switchport mode trunk
switchport nonegotiate
no lldp transmit
no lldp receive
no cdp enable
channel-group 10 mode on
service-policy output VSL-Queuing-Policy
end

Switch# show policy-map VSL-Queuing-Policy
Policy Map VSL-Queuing-Policy
Class VSL-MGMT-PACKETS
bandwidth percent 5
Class VSL-L2-CONTROL-PACKETS
bandwidth percent 5
Class VSL-L3-CONTROL-PACKETS
bandwidth percent 5
Class VSL-VOICE-VIDEO-TRAFFIC
bandwidth percent 30
Class VSL-SIGNALING-NETWORK-MGMT
bandwidth percent 10
Class VSL-MULTIMEDIA-TRAFFIC
bandwidth percent 20
Class VSL-DATA-PACKETS
bandwidth percent 20
Class class-default
bandwidth percent 5

class-map match-any VSL-MGMT-PACKETS
match access-group name VSL-MGMT

class-map match-any VSL-DATA-PACKETS
match any

class-map match-any VSL-L2-CONTROL-PACKETS

match access-group name VSL-DOT1x
match access-group name VSL-BPDU
match access-group name VSL-CDP
match access-group name VSL-LLDP
match access-group name VSL-SSTP
match access-group name VSL-GARP

class-map match-any VSL-L3-CONTROL-PACKETS
match access-group name VSL-IPV4-ROUTING
match access-group name VSL-BFD
match access-group name VSL-DHCP-CLIENT-TO-SERVER
match access-group name VSL-DHCP-SERVER-TO-CLIENT
match access-group name VSL-DHCP-SERVER-TO-SERVER
match access-group name VSL-IPV6-ROUTING

class-map match-any VSL-MULTIMEDIA-TRAFFIC
match dscp af41
match dscp af42
match dscp af43
match dscp af31
match dscp af32
match dscp af33
match dscp af21
match dscp af22
match dscp af23

class-map match-any VSL-VOICE-VIDEO-TRAFFIC
match dscp ef
match dscp cs4
match dscp cs5

class-map match-any VSL-SIGNALING-NETWORK-MGMT
match dscp cs2
match dscp cs3
match dscp cs6
match dscp cs7
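
Because the VSL queuing policy is inserted by software and must not be modified, an operator auditing a VSS will want to confirm that the policy on the box still matches the listing above. The following is an added example, not code from this guide or from Cisco: it parses `show policy-map VSL-Queuing-Policy` output (the sample text below is constructed from the listing above, not captured from a live switch) and reports any class whose bandwidth percentage differs from the guide's values, any missing or extra class, and whether the percentages still sum to 100.

```python
import re

# Constructed sample of the auto-inserted policy, reproduced from the guide's
# listing above; not output captured from a real switch.
SAMPLE_SHOW_POLICY_MAP = """\
Policy Map VSL-Queuing-Policy
    Class VSL-MGMT-PACKETS
      bandwidth percent 5
    Class VSL-L2-CONTROL-PACKETS
      bandwidth percent 5
    Class VSL-L3-CONTROL-PACKETS
      bandwidth percent 5
    Class VSL-VOICE-VIDEO-TRAFFIC
      bandwidth percent 30
    Class VSL-SIGNALING-NETWORK-MGMT
      bandwidth percent 10
    Class VSL-MULTIMEDIA-TRAFFIC
      bandwidth percent 20
    Class VSL-DATA-PACKETS
      bandwidth percent 20
    Class class-default
      bandwidth percent 5
"""

# Reference values as the guide lists them for the auto-inserted policy.
EXPECTED_BANDWIDTH = {
    "VSL-MGMT-PACKETS": 5,
    "VSL-L2-CONTROL-PACKETS": 5,
    "VSL-L3-CONTROL-PACKETS": 5,
    "VSL-VOICE-VIDEO-TRAFFIC": 30,
    "VSL-SIGNALING-NETWORK-MGMT": 10,
    "VSL-MULTIMEDIA-TRAFFIC": 20,
    "VSL-DATA-PACKETS": 20,
    "class-default": 5,
}


def parse_policy_map(text):
    """Return {class_name: bandwidth_percent or None} from show policy-map output."""
    classes = {}
    current = None
    for line in text.splitlines():
        m = re.match(r"\s*Class\s+(\S+)", line)
        if m:
            current = m.group(1)
            classes.setdefault(current, None)
            continue
        m = re.match(r"\s*bandwidth percent\s+(\d+)", line)
        if m and current is not None:
            classes[current] = int(m.group(1))
    return classes


def audit_vsl_policy(text, expected=EXPECTED_BANDWIDTH):
    """Compare the parsed policy against the expected values.

    Returns a list of findings; an empty list means the policy is intact.
    """
    actual = parse_policy_map(text)
    findings = []
    for name, pct in expected.items():
        if name not in actual:
            findings.append(f"missing class {name}")
        elif actual[name] != pct:
            findings.append(f"{name}: bandwidth percent {actual[name]}, expected {pct}")
    for name in actual:
        if name not in expected:
            findings.append(f"unexpected class {name}")
    total = sum(v for v in actual.values() if v is not None)
    if total != 100:
        findings.append(f"bandwidth percentages sum to {total}, expected 100")
    return findings


if __name__ == "__main__":
    for finding in audit_vsl_policy(SAMPLE_SHOW_POLICY_MAP) or ["VSL queuing policy intact"]:
        print(finding)
```

In practice the text would come from the switch (for example over an SSH session) rather than the constructed sample; the audit is deliberately strict about extra classes because the guide states that the policy is not meant to be altered.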

Configuring the Router MAC Address
On VSS, all routing protocols are centralized on the active supervisor engine. A common router MAC
address is used for Layer 3 interfaces on both active and standby switches. Additionally, to ensure
non-stop forwarding, the same router MAC address is used after switchover to the standby, so that all
Layer 3 peers see a consistent router MAC address.
There are three ways to configure a router MAC address on VSS:
• HHH—Manually set a router MAC address. Ensure that this MAC address is reserved for this usage.
• chassis—Use the MAC address range reserved for the chassis. This is the Cisco MAC address assigned
to the chassis.
• use-virtual—Use the MAC address range reserved for the VSS. This is the reserved Cisco MAC address
pool, which is derived from a base MAC address + VSS domain-id.
By default, the virtual domain based router MAC address is used. Any change of router MAC address
configuration requires a reboot of both VSS supervisor engines.
The following table shows how to configure the router MAC address.

Command                                              Purpose
Switch(config)# switch virtual domain domain_id      Enters VSS configuration mode.
Switch(config-vs-domain)# mac-address use-virtual    Assigns the router MAC address from a reserved pool of
                                                     domain-based addresses.
                                                     Note: This is the default. It is shown in the
                                                     configuration even though it is the default.
Switch(config-vs-domain)# mac-address mac-address    Assigns the router MAC address as three 2-byte
                                                     hexadecimal numbers.
Switch(config-vs-domain)# mac-address chassis        Specifies the router MAC address as the last address of
                                                     the chassis MAC address range.
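
Since a change of router MAC mode forces a reboot of both supervisor engines, and a manually set address must be reserved for this use, it helps to check the intended configuration before applying it. The following is an added example, not code from this guide or from Cisco: it reads the `switch virtual domain` block of a running configuration (the excerpt below is constructed, and the domain ID 100 is a placeholder), reports which of the three router MAC modes is in effect (defaulting to use-virtual when no `mac-address` line is present), and validates a manually supplied address in the HHHH.HHHH.HHHH form against a caller-supplied set of addresses already in use.

```python
import re

# Constructed running-config excerpt; the domain id 100 is a placeholder,
# not a value taken from the guide.
SAMPLE_VS_DOMAIN_CONFIG = """\
switch virtual domain 100
 mac-address use-virtual
"""

MAC_FORM = re.compile(r"[0-9a-fA-F]{4}\.[0-9a-fA-F]{4}\.[0-9a-fA-F]{4}")


def router_mac_mode(config_text):
    """Return (mode, address) for the switch virtual domain block.

    mode is "use-virtual", "chassis" or "manual"; address is set only for
    "manual". With no mac-address line the guide's default, use-virtual, applies.
    """
    in_block = False
    for line in config_text.splitlines():
        if line.startswith("switch virtual domain"):
            in_block = True
            continue
        if in_block and not line.startswith(" "):
            break  # left the indented domain block
        if in_block:
            m = re.match(r"\s*mac-address\s+(\S+)", line)
            if m:
                arg = m.group(1)
                if arg in ("use-virtual", "chassis"):
                    return arg, None
                return "manual", arg
    return "use-virtual", None


def validate_manual_router_mac(addr, in_use=frozenset()):
    """Check a manually configured router MAC; return a list of problems (empty = OK).

    in_use is a caller-supplied set of addresses already assigned elsewhere,
    used to honour the guide's requirement that the address be reserved.
    """
    if not MAC_FORM.fullmatch(addr):
        return ["not three 2-byte hexadecimal groups (HHHH.HHHH.HHHH)"]
    problems = []
    octets = bytes.fromhex(addr.replace(".", ""))
    if octets[0] & 0x01:
        problems.append("group/multicast bit set; a router MAC must be unicast")
    if all(b == 0 for b in octets):
        problems.append("all-zero address")
    if all(b == 0xFF for b in octets):
        problems.append("broadcast address")
    if addr.lower() in {a.lower() for a in in_use}:
        problems.append("address already assigned elsewhere")
    return problems


if __name__ == "__main__":
    mode, addr = router_mac_mode(SAMPLE_VS_DOMAIN_CONFIG)
    print("router MAC mode:", mode)
    if mode == "manual":
        print("problems:", validate_manual_router_mac(addr) or "none")
```

The unicast check looks at the least-significant bit of the first octet (the IEEE group/individual bit); an address with that bit set would be a multicast address and cannot serve as a router MAC.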

Configuring Multichassis EtherChannels
Conf