Configuring the System Switch Processor

The SSP card serves the following purposes:

• With the chassis backplane, it acts as a communications path for intra-chassis communications between the installed cards in the Cisco ICS 7750.

• When connected to an external Ethernet switch, it forwards voice and data traffic between the IP network and the external network (such as the WAN and PSTN) through the Cisco ICS 7750.

Note   The Cisco ICS 7750 supports only one SSP, which is always installed in slot 7 of the chassis. For a complete description of the SSP components and SSP installation procedures, refer to the Cisco ICS 7750 Hardware Installation Guide.

• 10/100 autonegotiation on each port

• Duplex autonegotiation on each port

• Broadcast storm control for preventing faulty end stations from degrading overall system performance

• Port monitoring (Switch Port Analyzer) for complete traffic monitoring

• Cisco Discovery Protocol (CDP) for network topology discovery and mapping between the SSP and other Cisco devices in the network

• Cisco Group Management Protocol (CGMP) for limiting multicast flooding within the SSP

• Spanning Tree Protocol (STP) IEEE 802.1d with STP Port Fast Mode for network loop detection and disabling and for fault-tolerant connectivity

• Support for the following enhanced STP features:

  • STP support on a per VLAN basis

  • STP UpLinkFast feature to accelerate the reconfiguration of STP

  • STP Root Guard feature to prevent switches outside the core of the network from becoming the STP root

• Protected port option for restricting the forwarding of traffic to designated ports on the same switch

• Two queues on each port to prioritize voice and data traffic based on IEEE 802.1p class of service (CoS)

• Support for the following VLAN options:

  • Inter-Switch Link (ISL) and IEEE 802.1Q trunking support on each port—for broadcast control and enhanced security and to simplify additions, moves, and changes in the network

  • VLAN Trunk Protocol (VTP) client and server modes for inter-switch VLAN connectivity—reduces network traffic by restricting flooded traffic to links destined for stations receiving the traffic

  • Support for 64 to 250 VLANs

  • VLAN Membership Policy Server (VMPS) for dynamic VLAN membership

• Telephony features such as Voice VLAN (VVID) on a per-port basis

• Terminal Access Controller Access Control System Plus (TACACS+) feature to manage network security through a server

• Network Time Protocol (NTP) to provide an external source for time-of-day information

• Hot-swap support for removing and installing the SSP without having to power down the system and affect system operation

• Cisco ICS 7700 System Manager (also referred to as the System Manager)—A web-based, graphical user interface for system-wide configuration and monitoring

• System Switch Processor Manager (available from the System Manager)—A web-based, graphical user interface for SSP-specific configuration and monitoring

• SSP CLI—A command-line interface for SSP-specific configuration and monitoring

• SNMP

The Cisco ICS 7700 System Manager and the System Switch Processor Manager are the easiest interfaces to use for most of the SSP configuration and monitoring tasks. Using these interfaces, you can configure and monitor the SSP from anywhere on your intranet.

Note   For default settings on the SSP, refer to the Cisco ICS 7750 Command Reference.

From the CLI, you can manually add entries to the ARP table; however, these entries do not age and must be manually removed.

For detailed CLI procedures, refer to the Cisco IOS Software Configuration > Cisco IOS Release 12.0 on the Documentation Home Page.

For detailed CLI procedures, refer to the Cisco IOS Software Configuration > Cisco IOS Release 12.0 on the Documentation Home Page.

You configure the SSP as an NTP client by entering the IP addresses of up to ten NTP servers and specifying which server should be used first. You can also enter an authentication key to be used as a password when requests for time information are sent to the server.

To ensure the validity of information received from NTP servers, you can authenticate NTP messages with public-key encryption. This procedure must be coordinated with the administrator of the NTP servers: the information you enter will be matched by the servers to authenticate it.

You can configure the SSP to receive NTP broadcast messages if there is an NTP broadcast server, such as a router, broadcasting time information on the network. You can also enter a delay to account for round-trip delay between the client and the NTP broadcast server.

CDP is enabled for the SSP by default. Use the Cisco IOS CLI to change global CDP parameters and to display information about neighboring Cisco devices.

For detailed CLI procedures, refer to the Cisco IOS Software Configuration > Cisco IOS Release 12.0 on the Documentation Home Page.

Caution Do not disable CDP through the CLI because it might conflict with System Manager configurations.

End stations issue join messages to become part of a CGMP group and issue leave messages to leave the group. The membership of these groups is managed by the SSP and by the connected CGMP-enabled routers through the further exchange of CGMP messages.

Changing the CGMP parameters includes the following tasks:

Beginning in privileged EXEC mode, follow these steps to enable the CGMP Fast Leave feature:

	Command	Purpose
Step 1	configure terminal	Enter global configuration mode.
Step 2	cgmp leave-processing	Enable CGMP and CGMP Fast Leave.
Step 3	end	Return to privileged EXEC mode.
Step 4	show cgmp	Verify your entry.

Beginning in privileged EXEC mode, follow these steps to disable the CGMP Fast Leave feature:

	Command	Purpose
Step 1	configure terminal	Enter global configuration mode.
Step 2	no cgmp leave-processing	Disable CGMP and CGMP Fast Leave.
Step 3	end	Return to privileged EXEC mode.
Step 4	show cgmp	Verify your entry.

You can use the CLI to clear all CGMP groups, all CGMP groups in a VLAN, or all routers, their ports, and their expiration times.

Beginning in privileged EXEC mode, follow these steps to remove all multicast groups:

	Command	Purpose
Step 1	clear cgmp group	Clear all CGMP groups on all VLANs on the SSP.
Step 2	show cgmp	Verify your entry by displaying CGMP information.

To change the STP parameters, perform the following tasks, which are described in the sections below:

• Disabling STP on the SSP.

• Changing the STP parameters for each VLAN (STP protocol, switch priority, BPDU message interval, hello BPDU interval, and the forwarding time).

• Changing the STP port parameters each VLAN (Port Fast feature, root cost, path cost, port priority).

• Displaying the STP parameters and port parameters for the switch currently acting as the STP root switch.

If a switch loses connectivity, the switch begins using the alternate paths as soon as STP selects a new root port. When STP reconfigures the new root port, other ports flood the network with multicast packets, one for each address that was learned on the port. You can limit these bursts of multicast traffic by reducing the max-update-rate parameter (the default for this parameter is 150 packets per second). However, if you enter zero, station-learning frames are not generated, so the STP topology converges more slowly after a loss of connectivity.

STP UplinkFast is an enhancement that accelerates the choice of a new root port when a link or switch fails or when STP reconfigures itself. The root port transitions to the forwarding state immediately without going through the listening and learning states, as it would do with normal STP procedures. UplinkFast is most useful in edge or access switches and might not be appropriate for backbone devices.

When you enable UplinkFast, it is enabled for the SSP and cannot be enabled for individual VLANs.

Beginning in privileged EXEC mode, follow these steps to configure UplinkFast:

	Command	Purpose
Step 1	configure terminal	Enter global configuration mode.
Step 2	spanning-tree uplinkfast max-update-rate pkts-per-second	Enable UplinkFast on the SSP. The range is from 0 to 1000 packets per second; 150 is the default. If you set the rate to 0, station-learning frames are not generated, so the STP topology converges more slowly after a loss of connectivity.
Step 3	exit	Return to privileged EXEC mode.
Step 4	show spanning-tree	Verify your entries.

Note   When UplinkFast is enabled, the bridge priority of all VLANs is set to 49152, and the path cost of all ports and VLAN trunks is increased by 3000. This change reduces the chance that the switch will become the root port. When UplinkFast is disabled, the bridge priorities of all VLANs and path costs of all ports are set to default values.

Beginning in privileged EXEC mode, follow these steps to change the STP implementation:

	Command	Purpose
Step 1	configure terminal	Enter global configuration mode.
Step 2	spanning-tree [vlan stp-list] protocol {ieee | ibm}	Specify the STP implementation to be used for a spanning-tree instance. The stp-list is the list of VLANs to which the STP command applies.
Step 3	end	Return to privileged EXEC mode.
Step 4	show spanning-tree	Verify your entry.

Beginning in privileged EXEC mode, follow these steps to change the switch priority to determine which switch is the root switch.

	Command	Purpose
Step 1	configure terminal	Enter global configuration mode.
Step 2	spanning-tree [vlan stp-list] priority bridge-priority	Configure the switch priority for the specified spanning-tree instance. The stp-list is the list of VLANs to which the STP command applies. Enter a number from 0 to 65535; the lower the number, the more likely the switch will be chosen as the root switch.
Step 3	end	Return to privileged EXEC mode.
Step 4	show spanning-tree	Verify your entry.

Beginning in privileged EXEC mode, follow these steps to change the BPDU message interval (max age time):

	Command	Purpose
Step 1	configure terminal	Enter global configuration mode.
Step 2	spanning-tree [vlan stp-list] max-age seconds	Specify the interval between messages the spanning tree receives from the root switch. The stp-list is the list of VLANs to which the STP command applies. The maximum age is the number of seconds a switch waits without receiving STP configuration messages before attempting a reconfiguration. Enter a number from 6 to 200.
Step 3	end	Return to privileged EXEC mode.
Step 4	show spanning-tree	Verify your entry.

Beginning in privileged EXEC mode, follow these steps to change the hello BPDU interval (hello time):

	Command	Purpose
Step 1	configure terminal	Enter global configuration mode.
Step 2	spanning-tree [vlan stp-list] hello-time seconds	Specify the interval between hello BPDUs. Hello messages indicate that the switch is active. Enter a number from 1 to 10.
Step 3	end	Return to privileged EXEC mode.
Step 4	show spanning-tree	Verify your entry.

Beginning in privileged EXEC mode, follow these steps to change the forwarding delay time:

	Command	Purpose
Step 1	configure terminal	Enter global configuration mode.
Step 2	spanning-tree [vlan stp-list] forward-time seconds	Specify the forwarding time for the specified spanning-tree instance. The stp-list is the list of VLANs to which the STP command applies. The forward delay is the number of seconds a port waits before changing from its STP learning and listening states to the forwarding state. Enter a number from 4 to 200.
Step 3	end	Return to privileged EXEC mode.
Step 4	show spanning-tree	Verify your entry.

Enabling this feature on an SSP port connected to a switch or hub could prevent STP from detecting and disabling loops in your network. Beginning in privileged EXEC mode, follow these steps to enable the Port Fast feature:

	Command	Purpose
Step 1	configure terminal	Enter global configuration mode.
Step 2	interface interface	Enter interface configuration mode, and enter the port to be configured.
Step 3	spanning-tree portfast	Enable the Port Fast feature for the port.
Step 4	end	Return to privileged EXEC mode.
Step 5	show spanning-tree	Verify your entry.

Caution It is strongly recommended that you do not configure the internal SSP ports (Fast Ethernet 0/3 to 0/8) through the CLI. The SSP internal ports are configured by the ICS cards attached to them. Any configuration changes done on the internal ports are not saved and are deleted when the Cisco ICS 7750 reboots.

	Command	Purpose
Step 1	configure terminal	Enter global configuration mode.
Step 2	interface interface	Enter interface configuration mode, and enter the port to be configured.
Step 3	spanning-tree rootguard	Enable root guard on the port.
Step 4	end	Return to privileged EXEC mode.
Step 5	show spanning-tree	Verify that the port is configured for root guard.

Note   There could be times when unknown unicast traffic from a non-private VLAN edge port is flooded to a private VLAN edge port because a MAC address has timed out or has not been learned by the switch. Use the port block command to guarantee that no unicast and multicast traffic is flooded to the port in such a case. See the "Configuring Flooding Controls" section for more information.

Beginning in privileged EXEC mode, follow these steps to define a port as a private VLAN edge port:

	Command	Purpose
Step 1	configure terminal	Enter global configuration mode.
Step 2	interface interface	Enter interface configuration mode, and enter the port to be configured.
Step 3	port protected	Enable private VLAN edge port on the port.
Step 4	end	Return to privileged EXEC mode.
Step 5	show port protected	Verify that the port has private VLAN edge port enabled.

Use the no version of the port protected command to disable private VLAN edge port.

If STP is enabled, the SSP can take up to 30 seconds to check for loops when a port is reconfigured. The port LED is amber while STP reconfigures.

Caution Reconfiguring the port through which you are managing the SSP could cause a temporary loss of connectivity.

Source-based forwarding port groups distribute packets forwarded to the group based on the source address of incoming packets. You can configure up to eight ports in a source-based forwarding port group. Source-based forwarding is enabled by default.

Destination-based port groups distribute packets forwarded to the group based on the destination address of incoming packets. You can configure an unlimited number of ports in a destination-based port group.

You can create up to 12 port groups of all source-based, all destination-based, or a combination of source- and destination-based ports. All ports in a group must be of the same type; for example, they must be all source based or all destination based. You can independently configure port groups that link switches, but you must consistently configure both ends of a port group.

Caution It is not recommended to configure the EtherChannelPort Grouping feature on the internal ports.

	Command	Purpose
Step 1	configure terminal	Enter global configuration mode.
Step 2	interface interface	Enter interface configuration mode, and enter the port to be configured.
Step 3	port network	Define the port as the network port.
Step 4	end	Return to privileged EXEC mode.
Step 5	show port network	Verify your entry.

Beginning in privileged EXEC mode, follow these steps to disable the network port:

	Command	Purpose
Step 1	configure terminal	Enter global configuration mode.
Step 2	interface interface	Enter interface configuration mode, and enter the port to be configured.
Step 3	no port network	Disable the port as the network port.
Step 4	end	Return to privileged EXEC mode.
Step 5	show port network	Verify your entry.

Beginning in privileged EXEC mode, follow these steps to enable broadcast-storm control:

	Command	Purpose
Step 1	configure terminal	Enter global configuration mode.
Step 2	interface interface	Enter interface configuration mode, and enter the port to configure.
Step 3	port storm-control [threshold {rising rising-number falling falling-number}]	Enter the rising and falling thresholds. Make sure the rising threshold is greater than the falling threshold.
Step 4	port storm-control filter or port storm-control trap	Disable the port during a broadcast storm, or generate an SNMP trap when the traffic on the port crosses the rising or falling threshold.
Step 5	end	Return to privileged EXEC mode.
Step 6	show port storm-control [interface]	Verify your entries.

Beginning in privileged EXEC mode, follow these steps to disable broadcast-storm control:

	Command	Purpose
Step 1	configure terminal	Enter global configuration mode.
Step 2	interface interface	Enter interface configuration mode, and enter the port to configure.
Step 3	no port storm-control	Disable port storm control.
Step 4	end	Return to privileged EXEC mode.
Step 5	show port storm-control [interface]	Verify your entries.

	Command	Purpose
Step 1	configure terminal	Enter global configuration mode.
Step 2	interface interface	Enter interface configuration mode, and enter the port to configure.
Step 3	port block multicast	Block multicast forwarding to the port.
Step 4	port block unicast	Block unicast flooding to the port.
Step 5	end	Return to privileged EXEC mode.
Step 6	show port block {multicast | unicast} interface	Verify your entries, entering the appropriate command once for the multicast option or once for the unicast option.

Beginning in privileged EXEC mode, follow these steps to resume normal forwarding on a port:

	Command	Purpose
Step 1	configure terminal	Enter global configuration mode.
Step 2	interface interface	Enter interface configuration mode, and enter the port to configure.
Step 3	no port block multicast	Enable multicast forwarding to the port.
Step 4	no port block unicast	Enable unicast flooding to the port.
Step 5	end	Return to privileged EXEC mode.
Step 6	show port block {multicast | unicast} interface	Verify your entries, entering the appropriate command once for the multicast option or once for the unicast option.

• All traffic is transmitted according to the default COS priority of the port. This is the default.

• Voice traffic is given a higher priority by the phone, and all traffic is in the same VLAN.

• Voice and data traffic are carried on separate VLANs, and voice traffic always has a COS priority of 5.

Beginning in privileged EXEC mode, follow these steps to configure a port to instruct the phone to give voice traffic a higher priority and forward all traffic through the 802.1Q native VLAN:

	Command	Purpose
Step 1	configure terminal	Enter global configuration mode.
Step 2	interface interface	Enter interface configuration mode, and enter the port to be configured.
Step 3	switchport voice vlan dot1p	Instruct the SSP to use 802.1p priority tagging for voice traffic and to use VLAN 0 (default native VLAN) to carry all traffic.
Step 4	end	Return to privileged EXEC mode.
Step 5	show interface interface switchport	Verify the port configuration.

Note   The show power inline command does not apply to the SSP.

Table 4-4: VLAN Combinations

Port Mode	VTP Required?	Configuration Procedure	Comments
Static-access ports	No	"Assigning Static-Access Ports to a VLAN" section.	If you do not want to use VTP to globally propagate the VLAN configuration information, you can assign a static-access port to a VLAN and set the VTP mode to transparent to disable VTP.
Static-access and multi-VLAN ports	No	"Overlapping VLANs and Multi-VLAN Ports" section. "Assigning Static-Access Ports to a VLAN" section.	You must connect the multi-VLAN port to a router or server. The SSP automatically transitions to VTP transparent mode (VTP is disabled). No VTP configuration is required. Some restrictions apply to multi-VLAN ports.
Static-access and trunk ports	Recommended	"Configuring VTP Server Mode" section. Add, modify, or remove VLANs in the database as described in the "Configuring VLANs in the VTP Database" section. "Assigning Static-Access Ports to a VLAN" section.	Make sure to configure at least one trunk port on the SSP and that this trunk port is connected to the trunk port of a connected switch. Some restrictions apply to trunk ports. For more information, see the "Trunks Interacting with Other Features" section. Optionally, you can change the VTP version on the SSP and enable VTP pruning. Optionally, you can define the allowed-VLAN list, change the pruning-eligible list, and configure the native VLAN for untagged traffic on the trunk port.
Dynamic-access and trunk ports	Required	"Entering the IP Address of the VMPS" section. "Configuring Dynamic Ports on VMPS Clients" section.	You must connect the dynamic-access port to an end station and not to another switch. Configure the VMPS and the client with the same VTP domain name. Optionally, you can change the reconfirmation interval and the retry count on the VMPS client switch. Optionally, you can define the allowed-VLAN list, change the pruning-eligible list, and configure the native VLAN for untagged traffic on the trunk port.

	Command	Purpose
Step 1	vlan database	Enter VLAN configuration mode.
Step 2	vtp transparent	Configure the SSP for VTP transparent mode. The default setting is VTP server. This step disables VTP on the SSP.
Step 3	exit	Return to privileged EXEC mode.
Step 4	show vtp status	Verify the VTP configuration.
Step 5	configure terminal	Enter global configuration mode.
Step 6	interface interface	Enter interface configuration mode, and define the interface to be added to the VLAN.
Step 7	switchport mode access	Define the VLAN membership mode for this port.
Step 8	switchport access vlan 3	Assign the port to the VLAN.
Step 9	exit	Return to privileged EXEC mode.
Step 10	show interface interface-id switchport	Verify the VLAN configuration.

A multi-VLAN port performs normal switching functions in all its assigned VLANs. For example, when a multi-VLAN port receives an unknown MAC address, all the VLANs to which the port belongs learn the address. Multi-VLAN ports also respond to the STP messages generated by the different instances of STP in each VLAN.

	Command	Purpose
Step 1	configure terminal	Enter global configuration mode.
Step 2	interface interface	Enter interface configuration mode, and enter the port to be added to the VLAN.
Step 3	switchport mode multi	Enter the VLAN membership mode for multi-VLAN ports.
Step 4	switchport multi vlan vlan-list	Assign the port to more than one VLAN. Separate nonconsecutive VLAN IDs with a comma; use a hyphen to designate a range of IDs. Configuring a SSP port for multi-VLAN mode causes VTP to transition to transparent mode, which disables VTP.
Step 5	end	Return to privileged EXEC mode.
Step 6	show interface interface-id switchport	Verify your entries.

By default, a SSP is in the no-management-domain state until it receives an advertisement for a domain over a trunk link (a link that carries the traffic of multiple VLANs) or you configure a domain name. The default VTP mode is server mode, but VLAN information is not propagated over the network until a domain name is specified or learned.

If the switch receives a VTP advertisement over a trunk link, it inherits the domain name and configuration revision number. The switch then ignores advertisements with a different domain name or an earlier configuration revision number.

When you make a change to the VLAN configuration on a VTP server, the change is propagated to all switches in the VTP domain. VTP advertisements are sent over all trunk connections, including Inter-Switch Link (ISL) and IEEE 802.1Q, IEEE 802.10.

If you configure a switch for VTP transparent mode, you can create and modify VLANs, but the changes are not transmitted to other switches in the domain, and they affect only the individual switch.

• When the network is configured with more than 64 VLANs, the SSP automatically changes from VTP server or client mode to VTP transparent mode. The SSP then operates with the VLAN configuration that preceded the one that sent it into transparent mode.

• When a multi-VLAN port is configured on the SSP in VTP server mode or client mode, the SSP automatically changes to transparent mode.

VTP pruning blocks flooded traffic to VLANs on trunk ports that are included in the pruning-eligible list. Only VLANs included in the pruning-eligible list can be pruned. By default, VLANs 2 through 1001 are pruning eligible on SSP trunk ports. If the VLANs are configured as pruning-ineligible, the flooding continues. In addition, VTP pruning is supported with VTP version 1 and version 2.

When configuring VTP for the first time, you must always assign a domain name. In addition, all switches in the VTP domain must be configured with the same domain name. Switches including the SSP in VTP transparent mode do not exchange VTP messages with other switches, and you do not need to configure a VTP domain name for them.

Caution Do not configure a VTP domain if all switches including the SSP are operating in VTP client mode. If you configure the domain, it is impossible to make changes to the VLAN configuration of that domain. Therefore, make sure you configure at least one switch in the VTP domain for VTP server mode.

You can configure a password for the VTP domain, but it is not required. All domain switches including the SSP must share the same password. Switches without a password or with the wrong password reject VTP advertisements.

Caution The domain does not function properly if you do not assign the same password to each switch in the domain.

If you configure a VTP password for a domain, an SSP that is booted without a VTP configuration does not accept VTP advertisements until you configure it with the correct password. After the configuration, the SSP accepts the next VTP advertisement that uses the same password and domain name in the advertisement.

If you are adding a new switch to an existing network that has VTP capability, the new switch learns the domain name only after the applicable password has been configured on the switch.

When you upgrade from a software version that supports VLANs but does not support VTP, such as Cisco IOS Release 11.2(8)SA3, to a version that does support VTP, ports that belong to a VLAN retain their VLAN membership, and VTP enters transparent mode. The domain name becomes UPGRADE, and VTP does not propagate the VLAN configuration to other switches.

If you want the switch to propagate VLAN configuration information to other switches and to learn the VLANs enabled on the network, you must configure the switch with the correct domain name, the domain password, and change the mode to VTP server mode.

Follow these guidelines when deciding which VTP version to implement:

When the SSP is in VTP server mode, you can change the VLAN configuration and have it propagated throughout the network.

Beginning in privileged EXEC mode, follow these steps to configure the SSP for VTP server mode:

	Command	Purpose
Step 1	vlan database	Enter VLAN configuration mode.
Step 2	vtp domain domain-name	Configure a VTP administrative-domain name. The name can be from 1 to 32 characters. All switches including the SSP operating in VTP server or client mode under the same administrative responsibility must be configured with the same domain name.
Step 3	vtp password password-value	(Optional) Set a password for the VTP domain. The password can be from 8 to 64 characters. If you configure a VTP password, the VTP domain will not function properly if you do not assign the same password to each switch in the domain.
Step 4	vtp server	Configure the SSP for VTP server mode (the default).
Step 5	exit	Return to privileged EXEC mode.
Step 6	show vtp status	Verify the VTP configuration.

When the SSP is in VTP client mode, you cannot change its VLAN configuration. The SSP receives VTP updates from a VTP server in the VTP domain and then modifies its configuration accordingly.

Caution Do not configure a VTP domain name if all switches including the SSP are operating in VTP client mode. If you do so, it is impossible to make changes to the VLAN configuration of that domain. Therefore, make sure you configure at least one switch as the VTP server.

Beginning in privileged EXEC mode, follow these steps to configure the SSP for VTP client mode:

	Command	Purpose
Step 1	vlan database	Enter VLAN configuration mode.
Step 2	vtp client	Configure the SSP for VTP client mode. The default setting in VTP server.
Step 3	vtp domain domain-name	Configure a VTP administrative-domain name. The name can be from 1 to 32 characters. All switches including the SSP operating in VTP server or client mode under the same administrative responsibility must be configured with the same domain name. Do not configure a VTP domain name if all switches are operating in VTP client mode. If you configure the domain, it is impossible to make changes to the VLAN configuration of that domain. Therefore, make sure you configure at least one switch in the VTP domain for VTP server mode.
Step 4	vtp password password-value	(Optional) Set a password for the VTP domain. The password can be from 8 to 64 characters. If you configure a VTP password, the VTP domain will not function properly if you do not assign the same password to each switch in the domain.
Step 5	exit	Update the VLAN database, propagate it throughout the administrative domain, and return to privileged EXEC mode.
Step 6	show vtp status	Verify the VTP configuration.

When you configure the SSP for VTP transparent mode, you disable VTP on the SSP. The SSP then does not send VTP updates and does not act on VTP updates received from other switches. However, the SSP in VTP transparent mode does forward received VTP advertisements on all of its trunk links.

Beginning in privileged EXEC mode, follow these steps to configure the SSP for VTP transparent mode:

	Command	Purpose
Step 1	vlan database	Enter VLAN configuration mode.
Step 2	vtp transparent	Configure the SSP for VTP transparent mode. The default setting in VTP server. This step disables VTP on the SSP.
Step 3	exit	Return to privileged EXEC mode.
Step 4	show vtp status	Verify the VTP configuration.

VTP version 2 is disabled by default on VTP version-2-capable switches including the SSP. When you enable VTP version 2 on a switch, every VTP version 2-capable switch in the VTP domain enables version 2.

Caution VTP version 1 and VTP version 2 are not interoperable on switches in the same VTP domain. Every switch in the VTP domain must use the same VTP version. Do not enable VTP version 2 unless every switch in the VTP domain supports version 2.

Note   In a Token Ring environment, you must enable VTP version 2 for Token Ring VLAN switching to function properly.

Beginning in privileged EXEC mode, follow these steps to disable VTP version 2:

	Command	Purpose
Step 1	vlan database	Enter VLAN configuration mode.
Step 2	no vtp v2-mode	Disable VTP version 2.
Step 3	exit	Update the VLAN database, propagate it throughout the administrative domain, and return to privileged EXEC mode.
Step 4	show vtp status	Verify that VTP version 2 is disabled.

Pruning increases available bandwidth by restricting flooded traffic to those trunk links that the traffic must use to access the appropriate network devices.

Beginning in privileged EXEC mode, follow these steps to enable VTP pruning:

	Command	Purpose
Step 1	vlan database	Enter VLAN configuration mode.
Step 2	vtp pruning	Enable pruning in the VTP administrative domain. By default, pruning is disabled. You need to enable pruning on only one switch in the domain.
Step 3	exit	Update the VLAN database, propagate it throughout the administrative domain, and return to privileged EXEC mode.
Step 4	show vtp status	Verify that your entries.

Pruning is supported with VTP version 1 and version 2. If you enable pruning on the VTP server, it is enabled for the entire VTP domain.

Beginning in privileged EXEC mode, follow these steps to monitor VTP activity:

	Command	Purpose
Step 1	show vtp status	Display the VTP switch configuration information.
Step 2	show vtp counters	Display counters about VTP messages being sent and received.

Table 4-8: FDDI VLAN Defaults and Ranges

Parameter	Default	Range
VLAN ID	1002	1-1005
VLAN name	VLANxxxx, where xxxx is the VLAN ID	No range
802.10 SAID	100000+VLAN ID	1-4294967294
MTU size	1500	1500-18190
Ring number	None	1-4095
Parent VLAN	0	0-1005
Translational bridge 1	0	0-1005
Translational bridge 2	0	0-1005
VLAN state	active	active, suspend

Table 4-9: FDDI-Net VLAN Defaults and Ranges

Parameter	Default	Range
VLAN ID	1004	1-1005
VLAN name	VLANxxxx, where xxxx is the VLAN ID	No range
802.10 SAID	100000+VLAN ID	1-4294967294
MTU size	1500	1500-18190
Bridge number	0	0-15
STP type	ieee	auto, ibm, ieee
Translational bridge 1	0	0-1005
Translational bridge 2	0	0-1005
VLAN state	active	active, suspend

Table 4-10: Token Ring (TrBRF) VLAN Defaults and Ranges

Parameter	Default	Range
VLAN ID	1005	1-1005
VLAN name	VLANxxxx, where xxxx is the VLAN ID	No range
802.10 SAID	100000+VLAN ID	1-4294967294
MTU size	VTPv1 1500; VTPv2 4472	1500-18190
Bridge number	VTPv1 0; VTPv2 user-specified	0-15
STP type	ibm	auto, ibm, ieee
Translational bridge 1	0	0-1005
Translational bridge 2	0	0-1005
VLAN state	active	active, suspend

	Command	Purpose
Step 1	vlan database	Enter VLAN configuration mode.
Step 2	vlan vlan-id mtu mtu-size	Identify the VLAN, and change the MTU size.
Step 3	exit	Update the VLAN database, propagate it throughout the administrative domain, and return to privileged EXEC mode.
Step 4	show vlan vlan-id	Verify the VLAN configuration.

When you delete a VLAN from a switch including the SSP that is in VTP server mode, the VLAN is removed from all switches in the VTP domain. When you delete a VLAN from a switch including the SSP that is in VTP transparent mode, the VLAN is deleted only on that specific switch.

You cannot delete the default VLANs for the different media types: Ethernet VLAN 1 and FDDI or Token Ring VLANs 1002 to 1005.

Caution When you delete a VLAN, any ports assigned to that VLAN become inactive. They remain associated with the VLAN (and thus inactive) until you assign them to a new VLAN.

Beginning in privileged EXEC mode, follow these steps to delete a VLAN on the SSP:

	Command	Purpose
Step 1	vlan database	Enter VLAN configuration mode.
Step 2	no vlan vlan-id	Remove the VLAN by using the VLAN ID.
Step 3	exit	Update the VLAN database, propagate it throughout the administrative domain, and return to privileged EXEC mode.
Step 4	show vlan brief	Verify the VLAN removal.

By default, all ports are static-access ports assigned to VLAN 1, which is the default management VLAN.

Beginning in privileged EXEC mode, follow these steps to assign a port to a VLAN in the VTP database:

	Command	Purpose
Step 1	configure terminal	Enter global configuration mode.
Step 2	interface interface	Enter interface configuration mode, and define the interface to be added to the VLAN.
Step 3	switchport mode access	Define the VLAN membership mode for this port.
Step 4	switchport access vlan 3	Assign the port to the VLAN.
Step 5	exit	Return to privileged EXEC mode.
Step 6	show interface interface-id switchport	Verify the VLAN configuration.

• Make sure the native VLAN for an 802.1Q trunk is the same on both ends of the trunk link. If the native VLAN on one end of the trunk is different from the native VLAN on the other end, spanning-tree loops might result.

• Disabling STP on the native VLAN of an 802.1Q trunk without disabling STP on every VLAN in the network can potentially cause STP loops. We recommend that you leave STP enabled on the native VLAN of an 802.1Q trunk or disable STP on every VLAN in the network. Make sure your network is loop-free before disabling STP.

	Command	Purpose
Step 1	configure terminal	Enter global configuration mode.
Step 2	interface interface_id	Enter the interface configuration mode and the port to be added to the VLAN.
Step 3	no switchport mode	Return the port to its default static-access mode.
Step 4	end	Return to privileged EXEC.
Step 5	show interface interface-id switchport	Verify your entries.

A trunk port can become a member of a VLAN only if the VLAN is enabled and VTP knows of the VLAN. When VTP detects a newly enabled VLAN and the VLAN is in the allowed list for a trunk port, the trunk port automatically becomes a member of the enabled VLAN and forwards traffic to or receives traffic from it. When VTP detects a new enabled VLAN and the VLAN is not in the allowed list for a trunk port, the trunk port does not become a member of the VLAN and does not forward traffic to it.

Beginning in privileged EXEC mode, follow these steps to modify the allowed list of an ISL or 802.1Q trunk:

	Command	Purpose
Step 1	configure terminal	Enter global configuration mode.
Step 2	interface interface_id	Enter interface configuration mode and the port to be added to the VLAN.
Step 3	switchport mode trunk	Configure the VLAN membership mode for trunks.
Step 4	switchport trunk allowed vlan remove vlan-list	Define the VLANs that are not allowed to transmit and receive on the port. The vlan-list parameter is a range of VLAN IDs separated by a hyphen or specific VLAN IDs separated by commas. VLANs 1 and 1002 to 1005 are reserved and cannot be removed.
Step 5	end	Return to privileged EXEC mode.
Step 6	show interface interface-id switchport allowed-vlan	Verify your entries.
Step 7	copy running-config startup-config	Save the configuration.

For ISL or IEEE 802.1Q frames with tag information, the priority value from the header frame is used. For native frames, the default priority of the input port is used.

For the SSP, frames with a priority value of 0 through 3 are sent to a normal-priority queue and frames with a priority value of 4 through 7 are sent to a high-priority queue.

The following sections describe load sharing on trunk ports by using STP port priorities or STP path costs.

• VLANs 8 through 10 are assigned a port priority of 10 on trunk 1.

• VLANs 3 through 6 retain the default port priority of 128 on trunk 1.

• VLANs 3 through 6 are assigned a port priority of 10 on trunk 2.

• VLANs 8 through 10 retain the default port priority of 128 on trunk 2.

In this way, trunk 1 carries traffic for VLANs 8 through 10, and trunk 2 carries traffic for VLANs 3 through 6. If the active trunk fails, the trunk with the lower priority takes over and carries the traffic for all of the VLANs. No duplication of traffic occurs over any trunk port.

Configuring STP Port Priorities and Load Sharing

Configuring STP Path Costs and Load Sharing

Beginning in privileged EXEC mode, follow these steps to configure STP path costs and load sharing:

	Command	Purpose
Step 1	configure terminal	Enter global configuration mode on Switch 1.
Step 2	interface fa0/1	Enter interface configuration mode, and define Fa0/1 as the interface to be configured as a trunk.
Step 3	switchport mode trunk	Configure the port as a trunk port. The trunk defaults to ISL trunking.
Step 4	end	Return to global configuration mode.
Step 5		Repeat Steps 2 through 4 on Switch 1 interface Fa0/2.
Step 6	show running-config	Verify your entries. In the display, make sure that interface Fa0/1 and Fa0/2 are configured as trunk ports.
Step 7	show vlan	When the trunk links come up, Switch 1 receives the VTP information from the other switches. Verify that Switch 1 has learned the VLAN configuration.
Step 8	configure terminal	Enter global configuration mode.
Step 9	interface fa0/1	Enter interface configuration mode, and define Fa0/1 as the interface to set the STP cost.
Step 10	spanning-tree vlan 2 3 4 cost 30	Set the spanning-tree path cost to 30 for VLANs 2, 3, and 4.
Step 11	end	Return to global configuration mode.
Step 12		Repeat Steps 9 through 11 on Switch 1 interface Fa0/2, and set the spanning-tree path cost to 30 for VLANs 8, 9, and 10.
Step 13	exit	Return to privileged EXEC mode.
Step 14	show spanning-tree	Verify your entries. In the display, verify that the path costs are set correctly for interface Fa0/1 and Fa0/2.

In response to a request, the VMPS takes one of the following actions:

• If the assigned VLAN is restricted to a group of ports, the VMPS verifies the requesting port against this group and responds as follows:

  • If the VLAN is allowed on the port, the VMPS sends the VLAN name to the client in response.

  • If the VLAN is not allowed on the port, and the VMPS is not in secure mode, the VMPS sends an access-denied response.

  • If the VLAN is not allowed on the port, and the VMPS is in secure mode, the VMPS sends a port-shutdown response.

• If the VLAN in the database does not match the current VLAN on the port, and active hosts exist on the port, the VMPS sends an access-denied or a port-shutdown response, depending on the secure mode of the VMPS.

If the SSP receives an access-denied response from the VMPS, it continues to block traffic from the MAC address to or from the port. The SSP continues to monitor the packets directed to the port and sends a query to the VMPS when it identifies a new address. If the SSP receives a port-shutdown response from the VMPS, it disables the port. The port must be manually reenabled by using the CLI, SSP Manager, or SNMP.

You can also use an explicit entry in the configuration table to deny access to specific MAC addresses for security reasons. If you enter the --NONE-- keyword for the VLAN name, the VMPS sends an access-denied or port-shutdown response.

!vmps domain <domain-name>
! The VMPS domain must be defined.
!vmps mode { open | secure }
! The default mode is open.
!vmps fallback <vlan-name>
!vmps no-domain-req { allow | deny }
!
! The default value is allow.
vmps domain WBU
vmps mode open
vmps fallback default
vmps no-domain-req deny
!
!
!MAC Addresses
!
vmps-mac-addrs
!
! address <addr> vlan-name <vlan_name>
!
address 0012.2233.4455 vlan-name hardware
address 0000.6509.a080 vlan-name hardware
address aabb.ccdd.eeff vlan-name Green
address 1223.5678.9abc vlan-name ExecStaff
address fedc.ba98.7654 vlan-name --NONE--
address fedc.ba23.1245 vlan-name Purple
!
!Port Groups
!
!vmps-port-group <group-name>
! device <device-id> { port <port-name> | all-ports }
!
vmps-port-group WiringCloset1
 device 198.92.30.32 port Fa1/3
 device 172.20.26.141 port Fa1/4
vmps-port-group "Executive Row"
 device 198.4.254.222 port es5%Fa0/1
 device 198.4.254.222 port es5%Fa0/2
 device 198.4.254.223 all-ports
!
!VLAN groups
!
!vmps-vlan-group <group-name>
! vlan-name <vlan-name>
!
vmps-vlan-group Engineering
vlan-name hardware
vlan-name software
!
!VLAN port Policies
!
!vmps-port-policies {vlan-name <vlan_name> | vlan-group <group-name> }
! { port-group <group-name> | device <device-id> port <port-name> }
!
vmps-port-policies vlan-group Engineering
 port-group WiringCloset1
vmps-port-policies vlan-name Green
 device 198.92.30.32 port Fa0/9
vmps-port-policies vlan-name Purple
 device 198.4.254.22 port Fa0/10
 port-group "Executive Row"

  You must turn off trunking on the port before the dynamic access setting takes effect.

• Dynamic ports cannot be network ports or monitor ports.

• The VTP management domain of the VMPS client and the VMPS server must be the same.

You must enter the IP address of the other device acting as the VMPS (such as a Catalyst switch) to configure the SSP as a client.

Beginning in privileged EXEC mode, follow these steps to enter the IP address of the VMPS:

	Command	Purpose
Step 1	configure terminal	Enter global configuration mode.
Step 2	vmps server ipaddress primary	Enter the IP address of the switch acting as the primary VMPS server.
Step 3	vmps server ipaddress	Enter the IP address for the switch acting as a secondary VMPS server. You can enter up to three secondary server addresses.
Step 4	end	Return to privileged EXEC mode.
Step 5	show vmps	Verify the VMPS server entry.

If you are configuring a port on the SSP as a dynamic port, first login to the SSP by using the privileged EXEC rcommand command. For more information on how to use this command, refer to the Cisco ICS 7750 Command Reference.

Caution Dynamic port VLAN membership is for end stations. Connecting dynamic ports to other switches can cause a loss of connectivity.

Beginning in privileged EXEC mode, follow these steps to configure dynamic ports on the SSP:

	Command	Purpose
Step 1	configure terminal	Enter global configuration mode.
Step 2	interface interface	Enter interface configuration mode and the SSP port that is connected to the end station.
Step 3	switchport mode access	Set the port to access mode.
Step 4	switchport access vlan dynamic	Configure the port as eligible for dynamic VLAN membership. The dynamic-access port must be connected to an end station.
Step 5	end	Return to privileged EXEC mode.
Step 6	show interface interface switchport	Verify the entry.

	Command	Purpose
Step 1	vmps reconfirm	Reconfirm dynamic port VLAN membership.
Step 2	show vmps	Verify the dynamic VLAN reconfirmation status.

Beginning in privileged EXEC mode, follow these steps to change the reconfirmation interval:

	Command	Purpose
Step 1	configure terminal	Enter global configuration mode.
Step 2	vmps reconfirm minutes	Enter the number of minutes between reconfirmations of the dynamic VLAN membership. Enter a number from 1 to 120. The default is 60 minutes.
Step 3	end	Return to privileged EXEC mode.
Step 4	show vmps	Verify the dynamic VLAN reconfirmation status.

Beginning in privileged EXEC mode, follow these step to change the number of times that the SSP attempts to contact the VMPS before querying the next server:

	Command	Purpose
Step 1	configure terminal	Enter global configuration mode.
Step 2	vmps retry count	Change the retry count. The retry range is from 1 to 10; the default is 3.
Step 3	exit	Return to privileged EXEC mode.
Step 4	show vmps	Verify your entry.

Beginning in privileged EXEC mode, follow these steps to configure the dynamic address table aging time:

	Command	Purpose
Step 1	configure terminal	Enter global configuration mode.
Step 2	mac-address-table aging-time seconds	Enter the number of seconds that dynamic addresses are to be retained in the address table. You can enter a number from 10 to 1000000.
Step 3	end	Return to privileged EXEC mode.
Step 4	show mac-address-table aging-time	Verify your entry.

Setting too short an aging time can cause addresses to be prematurely removed from the table. Then when the SSP receives a packet for an unknown destination, it floods the packet to all ports in the same VLAN as the receiving port. This unnecessary flooding can impact performance. Setting too long an aging time can cause the address table to be filled with unused addresses; it can cause delays when a workstation is moved to a new port.

Beginning in privileged EXEC mode, follow these steps to remove a dynamic address entry:

	Command	Purpose
Step 1	configure terminal	Enter global configuration mode.
Step 2	no mac-address-table dynamic hw-addr	Enter the MAC address to be removed from dynamic MAC address table.
Step 3	end	Return to privileged EXEC mode.
Step 4	show mac-address-table	Verify your entry.

You can remove all dynamic entries by using the clear mac-address-table dynamic command in privileged EXEC mode.

You can enter a secure port address even when the port does not yet belong to a VLAN. When the port is later assigned to the VLAN, packets destined for that address are forwarded to the port.

Beginning in privileged EXEC mode, follow these steps to add a secure address: 

	Command	Purpose
Step 1	configure terminal	Enter global configuration mode.
Step 2	mac-address-table secure hw-addr interface vlan vlan-id	Enter the MAC address, its associated port, and the VLAN ID.
Step 3	end	Return to privileged EXEC mode.
Step 4	show mac-address-table secure	Verify your entry.

Beginning in privileged EXEC mode, follow these steps to remove a secure address: 

	Command	Purpose
Step 1	configure terminal	Enter global configuration mode.
Step 2	no mac-address-table secure hw-addr vlan vlan-id	Enter the secure MAC address, its associated port, and the VLAN ID to be removed.
Step 3	end	Return to privileged EXEC mode.
Step 4	show mac-address-table secure	Verify your entry.

You can remove all secure addresses by using the clear mac-address-table secure command in privileged EXEC mode.

Note   If the in-port and out-port-list parameters are all access ports in a single VLAN, you can omit the VLAN ID. In this case, the SSP recognizes the VLAN as that associated with the in-port VLAN. Otherwise, you must supply the VLAN ID.

Beginning in privileged EXEC mode, follow these steps to add a static address:

	Command	Purpose
Step 1	configure terminal	Enter global configuration mode.
Step 2	mac-address-table static hw-addr in-port out-port-list vlan vlan-id	Enter the MAC address, the input port, the ports to which it can be forwarded, and the VLAN ID of those ports.
Step 3	end	Return to privileged EXEC mode.
Step 4	show mac-address-table static	Verify your entry.

Beginning in privileged EXEC mode, follow these steps to remove a static address:

	Command	Purpose
Step 1	configure terminal	Enter global configuration mode.
Step 2	no mac-address-table static hw-addr in-port in-port out-port-list out-port-list vlan vlan-id	Enter the static MAC address, the input port, the ports to which it can be forwarded, and the VLAN ID to be removed.
Step 3	end	Return to privileged EXEC mode.
Step 4	show mac-address-table static	Verify your entry.

You can remove all secure addresses by using the clear mac-address-table static command in privileged EXEC mode.

• The address table of a secured port is full and the address of an incoming packet is not found in the table.

• An incoming packet has a source address assigned as a secure address on another port.

Limiting the number of devices that can connect to a secure port has the following advantages:

• Dedicated bandwidth—if the size of the address table is set to 1, the attached device is guaranteed the full bandwidth of the port.

• Added security—unknown devices cannot connect to the port.

The following parameters validate port security or indicate security violations:

Parameters	Description
Interface	Port to secure.
Security	Enable port security on the port.
Trap	Issue a trap when an address-security violation occurs.
Shutdown Port	Disable the port when an address-security violation occurs.
Secure Addresses	Number of addresses in the address table for this port. Secure ports have at least one in this field.
Max Addresses	Number of addresses that the address table for the port can contain.
Security Rejects	The number of unauthorized addresses seen on the port.