User Guide
Page 5
... 2 mode, you are created the first time that it , which might have to the routing or bridging function in the network. and 36-Port Ethernet Switch Module for the default VLAN (VLAN 1) to the port, enable routing, and assign routing protocol characteristics by managing the addition, deletion, and renaming of switch ports as duplicate VLAN names, incorrect VLAN-type specifications, and security violations. By default, an SVI is an access port. A routed port is not supported). Then assign an IP address to...
User Guide
Page 8
... configured, some EtherChannel interfaces are otherwise compatibly configured. Understanding 802.1x Port-Based Authentication The IEEE 802.1x standard defines a client/server-based access control and authentication protocol that interfaces be created. and 36-Port Ethernet Switch Module for the formation of VLANs is authenticated, 802.1x access control allows only Extensible Authentication Protocol over LAN (EAPOL) traffic through the port to a single MAC address, using source addresses or IP addresses may result in an EtherChannel. If you apply to the port-channel interface...
User Guide
Page 11
... not granted access to flow normally. If the link state of a port changes from the server after the specified number of times. Cisco IOS Release 12.2(2)XT, 12.2(8)T, and 12.2(15)ZJ 11 When a client is received. The switch cannot provide authentication services to the client through the port. The switch requests the identity of the port changes from the authenticated client are allowed through the interface. • auto-enables 802.1x...
User Guide
Page 12
... path can enable and disable STP on Ethernet switch network module systems. Spanning tree is a Layer 2 link management protocol that becomes authorized as soon as one client is responsible for Cisco 2600 Series, Cisco 3600 Series, and Cisco 3700 Series Figure 3 shows 802.1x-port-based authentication in an unstable network. Figure 3 Wireless LAN Example Access point Cisco router with a root switch and a loop-free path from the root to the switch. You can exist between all VLANs. Spanning...
User Guide
Page 24
... VLANs are neighbors of SPAN source interfaces or VLANs. The show monitor session SPAN session number command displays the operational status of neighboring devices. EtherChannel interfaces cannot be indicated by a syslog message. Cisco IOS Release 12.2(2)XT, 12.2(8)T, and 12.2(15)ZJ 24 CDP allows network management applications to discover Cisco devices that specify the type of source interfaces. SPAN sessions do not interfere with a set of network traffic...
User Guide
Page 34
... interfaces: - 60 policers are supported on ingress Gigabit-capable Ethernet ports. - 6 policers are supported on a physical port. Granularity for the average burst rate is meaningless for Cisco 2600 Series, Cisco 3600 Series, and Cisco 3700 Series A policy map also has these marking options: • Use the port default. Cisco IOS Release 12.2(2)XT, 12.2(8)T, and 12.2(15)ZJ 34 Feature Overview 16- and 36-Port Ethernet Switch Module for non-IP traffic...
User Guide
Page 42
...-IP protocol frames can be a member of only one SVI can be used to identify traffic switched within one interface to form a bridge group. A VLAN bridge domain is only necessary to configure an SVI for Cisco 2600 Series, Cisco 3600 Series, and Cisco 3700 Series Fallback Bridging With fallback bridging, the switch bridges together two or more VLANs or routed ports, essentially connecting multiple VLANs within the bridge group outside the switch on a switch. Use a bridge group for each configured bridge group...
User Guide
Page 46
... series, Cisco 3600 series, or Cisco 3700 series router In addition, complete the following tasks before configuring this feature: • Configure IP routing For more information on IP routing, refer to the Cisco IOS IP Configuration Guide, Release 12.2. • Set up the call agents For more information on setting up call agents, refer to the documentation that accompanies the call agents used in your network configuration. and 36-Port Ethernet Switch Module for the Ethernet switch network module. • Configuring...
User Guide
Page 66
... in the configuration file. Step 1 Step 2 Command configure terminal interface interface-id Step 3 dot1x multiple-hosts Step 4 Step 5 Step 6 end show dot1x privileged EXEC command. Returns to privileged EXEC mode. To disable multiple hosts on an 802.1x-authorized port. To display the 802.1x administrative and operational status for Cisco 2600 Series, Cisco 3600 Series, and Cisco 3700 Series Enabling Multiple Hosts You can reset the 802.1x configuration to allow multiple hosts (clients) on page 12. and 36-Port Ethernet Switch Module for a specific interface, use the...
User Guide
Page 109
... for lower priority (port default=0). Valid IDs are connecting Cisco IP phones that need Uninterruptible Power Supply (UPS) power. 16- and 36-Port Ethernet Switch Module for Cisco 2600 Series, Cisco 3600 Series, and Cisco 3700 Series Configuration Tasks Step 3 Step 4 Step 5 Command Purpose Router(config)# switchport access vlan vlan-id Sets the native VLAN for IP telephony. Managing the Ethernet Switch Network Module This section describes how to 1001. You might want to the privileged EXEC mode. The following conditions apply to your Cisco IP telephony network: • You...
User Guide
Page 112
... software supports QoS based on IEEE 802.1p CoS. If necessary, the Ethernet switch network module can specify either a single domain name or a list of which you do not control name assignment, you must first identify the host names and then specify a name server and enable the DNS, the Internet's global naming scheme that carries the phone traffic • Port 3 connects to a Cisco 7960 IP phone, page 113 • Disabling Inline Power...
User Guide
Page 113
... Ethernet switch network module determines whether it . You can supply inline power to a Cisco 7960 IP phone. To configure a port to never supply power to Cisco 7960 IP phones, use the following commands beginning in the same VLAN. • Voice and data traffic are three ways to configure a port connected to a Cisco 7960 IP phone: • All traffic is transmitted according to forward all traffic through the 802.1Q native VLAN, use the following commands beginning in privileged EXEC mode: Step 1 Step 2 Command Router# configure terminal Router(config)# interface interface-id Step...
User Guide
Page 135
... example shows how to enable AAA and 802.1x on Fast Ethernet port 0/1:

Switch# configure terminal
Switch(config)# aaa new-model
Switch(config)# aaa authentication dot1x default group radius
Switch(config)# interface fastethernet0/1
Switch(config-if)# dot1x port-control auto
Switch(config-if)# end

Configuring the Switch-to-RADIUS-Server Communication Example

The following example shows how to specify the server with IP address 172.20.39.46 as the RADIUS server, to use port 1612 as the authorization port, and to set the encryption key...
User Guide
Page 140
... TCP traffic. The same port numbers are applied to permit Gigabit Ethernet port 0/1, which is then applied to packets entering Gigabit Ethernet interface 0/1:

Switch(config)# access-list 2 permit 36.0.0.0 0.255.255.255
Switch(config)# access-list 2 deny 56.0.0.0 0.255.255.255
Switch(config)# interface gigabitethernet0/1
Switch(config-if)# ip access-group 2 in

... 140 Cisco IOS Release 12.2(2)XT, 12.2(8)T, and 12.2(15)ZJ 16- The ACL is configured as a Layer 2 port, with a network connected to the Internet, and...
User Guide
Page 143
...using a WAN link. 16- A host is connected to a specific Internet host with Ethernet switch network module Catalyst 2950 Catalyst 2950 88856 End workstations The following example uses a standard ACL to allow all other types of the Cisco IOS IP and IP Routing Configuration Guide for the 16- and 36-Port Ethernet Switch Module for Cisco 2600 Series, Cisco 3600 Series, and Cisco 3700 Series Configuration Examples for Cisco IOS Release 12.2. Figure 21 Using Switch ACLs to Control Traffic Internet Workstation Cisco router with the address 172.20.128.64: Switch(config)# access-list...
User Guide
Page 174
... frame from the client before restarting the authentication process: Switch(config)# dot1x max-req 5 You can verify your settings by entering the show dot1x Description Sets the number of this command only to the default setting, use the dot1x max-req command in global configuration mode. Defaults The default is 1 to 5 before retransmitting the request. This command was introduced. and 36-Port Ethernet Switch Module for the specified interface. 174 Cisco IOS Release...
User Guide
Page 175
... how to enable 802.1x on Fast Ethernet interface 0/1 and to a single 802.1x-enabled port. dot1x multiple-hosts no dot1x multiple-hosts Syntax Description This command has no form of this mode, only one of the port. and 36-Port Ethernet Switch Module for the specified interface. Defaults Multiple hosts are denied access to the default setting, use the dot1x multiple-hosts command in interface configuration mode. 16- Examples The following platforms: Cisco 2600 series, Cisco 3600 series, and Cisco 3700 series routers.
User Guide
Page 181
..., administrative status, and operational status for the switch or for unusual circumstances such as unreliable links or specific behavioral problems with certain clients or authentication servers. Defaults The default is 1 to 4000 seconds: Switch(config)# dot1x re-authentication Switch(config)# dot1x timeout re-authperiod 4000 You can verify your settings by using the dot1x re-authentication global configuration command. You should change the default value of the client. Examples The following platforms: Cisco 2600 series, Cisco 3600 series, and Cisco 3700 series routers...
User Guide
Page 182
... to set the number of seconds that the switch should change the default value of seconds that the switch waits for a response to 65535 seconds. and 36-Port Ethernet Switch Module for Cisco 2600 Series, Cisco 3600 Series, and Cisco 3700 Series dot1x timeout tx-period To set 60 as unreliable links or specific behavioral problems with certain clients or authentication servers. This command was introduced. Related Commands Command dot1x max-req show dot1x privileged EXEC command. The range...
User Guide
Page 242
... the QoS guarantees for port-based network access control. authorization state-The state of a cluster, but is managed through an ATM network. ISDN interface comprising two B channels and one commander and multiple members. Glossary 16- authentication server-Entity that are managed as voice, video, or data) are used when routing a connection request through the cluster commander. and 36-Port Ethernet Switch Module for Cisco 2600 Series, Cisco 3600 Series, and Cisco 3700 Series Glossary 802.1d-IEEE standard for MAC bridges...