User Guide
Page 1
... 12.2(8)T, and 12.2(15)ZJ 1 This feature module describes the 16- and 36-Port Ethernet Switch Module for Cisco 2600 series, Cisco 3600 series, and Cisco 3700 series routers in Cisco IOS Release 12.2(15)ZJ. Enhancements were added in Cisco IOS Release 12.2(2)XT and Cisco IOS Release 12.2(8)T and above. Added switching software...• Feature Overview, page 2 • Supported Platforms, page 45 • Supported Standards, MIBs, and RFCs, page 45 • Prerequisites, page 46 • Configuration Tasks, page 46 • Configuration Examples for switch virtual interfaces (SVIs).
User Guide
Page 2
... for Cisco 2600 Series, Cisco 3600 Series, and Cisco 3700 Series Feature Overview This document explains how to another 16- The gigabit Ethernet can be used as an uplink port to a server or as a stacking link to configure the 16- and 36-port Ethernet switch network modules support ... Port-Based Authentication, page 8 • Spanning Tree Protocol, page 12 • Cisco Discovery Protocol, page 24 • Switched Port Analyzer, page 24 • Network Security with ACLs, page 25 • Quality of Service, page 29 • Maximum Number of the packet. New connections can be made ...
User Guide
Page 3
... Trunks A trunk is an industry-standard trunking encapsulation. and 36-Port Ethernet Switch Module for Cisco 2600 Series, Cisco 3600 Series, and Cisco 3700 Series Feature Overview The Ethernet switch network module solves congestion problems caused by assigning each interface as a router or a switch. ... recommended. When packets can either receive or transmit. Switching Frames Between Segments Each Ethernet interface on an Ethernet switch network module can configure a trunk on a single Ethernet interface or on which means that each Ethernet interface on the aging timer are a ...
User Guide
Page 4
...switches that the native VLAN for an 802.1Q trunk is . Layer 2 Interface Configuration Guidelines and Restrictions Follow these guidelines and restrictions when configuring Layer 2 interfaces: In a network of Cisco switches connected through 802.1Q trunks, the switches maintain one instance of spanning tree ...on both ends of spanning tree for Cisco 2600 Series, Cisco 3600 Series, and Cisco 3700 Series Layer 2 Interface Modes Switchport mode access puts the interface into permanent trunking mode. Feature Overview 16- and 36-Port Ethernet Switch Module for each VLAN is loop-free ...
User Guide
Page 5
... VLAN-type specifications, and security violations. and 36-Port Ethernet Switch Module for a VLAN interface. You can be connected to put the interface into Layer 3 mode with a Layer 3 routing protocol. Configure routed ports by managing the addition, deletion, and renaming of hardware ...SVIs are interconnected with a VLAN, but it is a Layer 2 messaging protocol that can make configuration changes centrally on a router; Before you create VLANs, you can be explicitly configured. Cisco IOS Release 12.2(2)XT, 12.2(8)T, and 12.2(15)ZJ 5 Routed Ports A routed port is not...
User Guide
Page 6
...multicast address. By default, the switch is in an un-named domain state until the switch receives an advertisement for Cisco 2600 Series, Cisco 3600 Series, and Cisco 3700 Series VTP Domain A VTP domain (also called a VLAN management domain) is distributed in VTP. VTP servers...Network Management Protocol (SNMP). A VTP transparent switch does not advertise its VLAN configuration and does not synchronize its VLAN configuration based on advertisements received over trunk links. and 36-Port Ethernet Switch Module for a domain over a trunk link, it inherits the management domain name...
User Guide
Page 7
... enable VTP version 2 on a switch unless all EtherChannels configured on each EtherChannel must configure a password on the switch. Cisco IOS Release 12.2(2)XT, 12.2(8)T, and 12.2(15)ZJ 7 VTP Configuration Guidelines and Restrictions Follow these guidelines and restrictions when implementing ...VTP in a VTP domain must run the same VTP version. • You must have the same speed duplex and mode. and 36-Port Ethernet Switch Module...
User Guide
Page 8
... server authenticates each client connected to hotels, airports, and corporate lobbies, insecure environments could be physically contiguous or on all modules support EtherChannel (maximum of eight interfaces) with different Spanning Tree Protocol (STP) port path costs can form an EtherChannel as...any services offered by itself, make interfaces incompatible for Cisco 2600 Series, Cisco 3600 Series, and Cisco 3700 Series Use the option that you apply to the port-channel interface affects the EtherChannel. 802.1x Port-Based Authentication This section describes how to configure IEEE...
User Guide
Page 10
...switch port becomes authorized. If you enable authentication on a port by the client using the dot1x port-control auto interface configuration command, the switch must initiate authentication when it determines that the client has been successfully authenticated. Note If 802.1x is... the frame, the client responds with a RADIUS server. and 36-Port Ethernet Switch Module for authentication information). Figure 2 Client Message Exchange Cisco router with Ethernet switch network module Authentication server (RADIUS) EAPOL-Start EAP-Request/Identity EAP-Response/Identity EAP-Request/OTP EAP...
User Guide
Page 11
...the specified number of the client. The switch cannot provide authentication services to the client through the interface. • auto-enables ...is received, the client sends the request for Cisco 2600 Series, Cisco 3600 Series, and Cisco 3700 Series Feature Overview Ports in the unauthorized ...state, allowing all attempts by using the dot1x port-control interface configuration command and these keywords: • force-authorized-disables 802.1x...is granted access to up state. and 36-Port Ethernet Switch Module for a fixed number of the client and begins relaying authentication ...
User Guide
Page 12
...Cisco 3600 Series, and Cisco 3700 Series Figure 3 shows 802.1x-port-based authentication in the network, end stations might receive duplicate messages and switches might learn endstation MAC addresses on a switch are part of a loop, the spanning tree port priority and port path cost setting determine which port is configured... loop-free path throughout a switched Layer 2 network. If a loop exists in a wireless LAN. and 36-Port Ethernet Switch Module for authenticating the clients attached to it is received), the switch denies access to the network to the switch. The 802.1x port...
User Guide
Page 13
...switches connected to the LAN on each switched segment. Spanning tree uses this information to communicate and compute the spanning tree topology. Each configuration BPDU contains the following : • One switch is elected as the root switch. • The shortest distance to the root switch... Series, Cisco 3600 Series, and Cisco 3700 Series Feature Overview Bridge Protocol Data Units The stable active spanning tree topology of a switched network is selected. and 36-Port Ethernet Switch Module for each switch • The spanning tree path cost to the root bridge • The...
User Guide
Page 15
...configured, each Layer 2 interface stabilizes to the forwarding state, where both learning and frame forwarding are enabled. In the learning state, the Layer 2 interface continues to block frame forwarding as it should go to the learning state, and resets the forward delay timer. 3. and 36-Port Ethernet Switch Module... state while it waits for protocol information that suggests that it learns end station location information for Cisco 2600 Series, Cisco 3600 Series, and Cisco 3700 Series Feature Overview Figure 4 illustrates how a port moves through the blocking state and the ...
User Guide
Page 21
...2e-00 to VLAN 2, and so forth. Table 4 Spanning Tree Default Configuration Feature Default Value Enable state Spanning tree enabled for Cisco 2600 Series, Cisco 3600 Series, and Cisco 3700 Series Feature Overview MAC addresses are allocated sequentially, with the lowest ...configurable on interfaces configured as an access port and uses VLAN port priority values when the interface is 00-e0-1e-9b-2e-02, and so forth. In the event of a loop, spanning tree considers port priority when selecting an interface to put into the forwarding state. and 36-Port Ethernet Switch Module...
User Guide
Page 22
...Switch B L1 L2 L3 Blocked port Switch C 44963 Cisco IOS Release 12.2(2)XT, 12.2(8)T, and 12.2(15)ZJ 22 and 36-Port Ethernet Switch Module for the configured maximum aging time specified by the spanning-tree max-age global configuration command. BackboneFast BackboneFast is not directly connected (an indirect... one switch as a trunk port. Under STP rules, the switch ignores inferior BPDUs for Cisco 2600 Series, Cisco 3600 Series, and Cisco 3700 Series cost values to interfaces that is configured as both the root bridge and the designated bridge. If the inferior BPDU arrives on the...
User Guide
Page 24
...-live, or hold-time information, which SPAN sends packets for all Cisco routers, bridges, access servers, and switches. An interface configured as a destination interface cannot be monitored in the specified VLANs are ...Cisco 3700 Series Cisco Discovery Protocol Cisco Discovery Protocol (CDP) is an association of a destination interface with the normal operation of a SPAN session. The show monitor session SPAN session number command displays the operational status of the switch. and 36-Port Ethernet Switch Module for network traffic analysis. You cannot configure...
User Guide
Page 25
... your Ethernet switch network module can be configured as access lists. however, the destination interface never encapsulates. both copies network traffic received and transmitted by the source interfaces for Cisco 2600 Series, Cisco 3600 Series, and Cisco 3700 Series Feature Overview Trunk... interfaces can mix individual source interfaces within a single SPAN session. • You cannot configure a SPAN destination interface to in the monitored...
User Guide
Page 26
... can apply ACLs on the inbound direction. • Standard IP access lists use source addresses for matching operations. and 36-Port Ethernet Switch Module for your network. If no restrictions, the switch forwards the packet; ACLs are examined. In Figure 13, ACLs applied at switch interfaces. ... in an access list one by certain users or devices. For example, you can be allowed onto all inbound features configured on the context in the ACL. Cisco IOS Release 12.2(2)XT, 12.2(8)T, and 12.2(15)ZJ 26 When a packet is critical. Because the switch stops testing...
User Guide
Page 27
...ACEs that check Layer 4 information never match a fragment unless the fragment contains Layer 4 information. 16- Consider access list 102, configured with these commands, applied to three fragmented packets: Switch (config)# access-list 102 permit tcp any host 10.1.1.1 eq smtp Switch...keyword after the destination address means to test for Cisco 2600 Series, Cisco 3600 Series, and Cisco 3700 Series Figure 13 Using ACLs to Control Traffic to a Network Feature Overview Host A Cisco router with Ethernet switch network module Host B Human Resources network Research & Development network...
User Guide
Page 28
...be a combination of the Access Control Parameters (ACPs). If this packet is from host 10.2.2.2, port 65001, going to be configured on the Ethernet switch network module, you want to as it tries to reassemble the packet. • Fragmented packet C is fragmented, the first fragment matches... the third ACE (a deny). and 36-Port Ethernet Switch Module for Cisco 2600 Series, Cisco 3600 Series, and Cisco 3700 Series first ACE, even though they do not match the second ACE because they are defined by the user. ...