Cisco HWIC-4ESW - EtherSwitch HWIC Switch, HWIC-D-9ESW User Manual

Cisco HWIC-4ESW and HWIC-D-9ESW EtherSwitch Interface Cards
First Published: May 17, 2005 Last Updated: July 28, 2010
This document provides configuration tasks for the 4-port Cisco HWIC-4ESW and the 9-port Cisco HWIC-D-9ESW EtherSwitch high-speed WAN interface cards (HWICs) hardware feature supported on Cisco 1800 (modular), Cisco 2800, and Cisco 3800 series integrated services routers.
Cisco EtherSwitch HWICs are 10/100BASE-T Layer 2 Ethernet switches with Layer 3 routing capability. (Layer 3 routing is forwarded to the host and is not actually performed at the switch.) Traffic between different VLANs on a switch is routed through the router platform. Any one port on a Cisco EtherSwitch HWIC may be configured as a stacking port to link to another Cisco EtherSwitch HWIC or EtherSwitch network module in the same system. An optional power module can also be added to provide inline power for IP telephones. The HWIC-D-9ESW HWIC requires a double-wide card slot.
This hardware feature does not introduce any new or modified Cisco IOS commands.
Finding Feature Information
Your software release may not support all the features documented in this module. For the latest feature information and caveats, see the release notes for your platform and software release. To find information about the features documented in this module, and to see a list of the releases in which each feature is supported, see the “Feature Information for the Cisco HWIC-4ESW and the Cisco HWIC-D-9ESW EtherSwitch Cards” section on page 104.
Use Cisco Feature Navigator to find information about platform support and Cisco IOS and Catalyst OS software image support. To access Cisco Feature Navigator, go to http://www.cisco.com/go/cfn. An account on Cisco.com is not required.
Americas Headquarters: Cisco Systems, Inc., 170 West Tasman Drive, San Jose, CA 95134-1706 USA
Contents
The following sections provide information about the Cisco EtherSwitch HWICs.
Prerequisites for EtherSwitch HWICs, page 2
Restrictions for EtherSwitch HWICs, page 2
Information About EtherSwitch HWICs, page 3
How to Configure EtherSwitch HWICs, page 5
Configuration Examples for EtherSwitch HWICs, page 91
Additional References, page 102
Prerequisites for EtherSwitch HWICs
The following are prerequisites to configuring EtherSwitch HWICs:
Configuration of IP routing. See the Cisco IOS IP Routing: Protocol-Independent Configuration Guide for the Cisco IOS Release you are using.
Use of the Cisco IOS T release, beginning with Release 12.3(8)T4 or later, for Cisco HWIC-4ESW and Cisco HWIC-D-9ESW support. (See the Cisco IOS documentation.)
Restrictions for EtherSwitch HWICs
The following restrictions apply to the Cisco HWIC-4ESW and the Cisco HWIC-D-9ESW EtherSwitch HWICs:
No more than two Ethernet Switch HWICs or network modules may be installed in a host router.
Multiple Ethernet Switch HWICs or network modules installed in a host router will not act independently of each other. They must be stacked, as they will not work at all otherwise.
The ports of a Cisco EtherSwitch HWIC must NOT be connected to the Fast Ethernet/Gigabit onboard ports of the router.
There is no inline power on the ninth port (port 8) of the HWIC-D-9ESW card.
There is no Auto MDIX support on the ninth port (port 8) of the HWIC-D-9ESW card when either speed or duplex is not set to auto.
There is no support for online insertion/removal (OIR) of the EtherSwitch HWICs.
When Ethernet Switches have been installed and configured in a host router, OIR of the CompactFlash memory card in the router must not occur. OIR of the CompactFlash memory card will compromise the configuration of the Ethernet Switches.
VTP pruning is not supported.
There is a limit of 200 secure MAC addresses per module that can be supported by an EtherSwitch HWIC.
Maximum traffic for a secure MAC address is 8 Mb/s.
Prerequisites for Installing Two Ethernet Switch Network Modules in a Single Chassis
A maximum of two Ethernet switch network modules can be installed in a single chassis. If two Ethernet switch network modules of any type are installed in the same chassis, the following configuration requirements must be met:
Both Ethernet switch network modules must have an optional Gigabit Ethernet expansion board installed.
An Ethernet crossover cable must be connected to the two Ethernet switch network modules using the optional Gigabit Ethernet expansion board ports.
Intrachassis stacking for the optional Gigabit Ethernet expansion board ports must be configured. For information about intrachassis stacking configuration, see the 16- and 36-Port Ethernet Switch Module for Cisco 2600 Series, Cisco 3600 Series, and Cisco 3700 Series module.
Note Without this configuration and connection, duplications will occur in the VLAN databases, and unexpected packet handling may occur.
Information About EtherSwitch HWICs
VLANs, page 3
Inline Power for Cisco IP Phones, page 4
Layer 2 Ethernet Switching, page 4
802.1x Authentication, page 4
Spanning Tree Protocol, page 4
Cisco Discovery Protocol, page 4
Switched Port Analyzer, page 4
IGMP Snooping, page 4
Storm Control, page 4
Intrachassis Stacking, page 5
Fallback Bridging, page 5
Default 802.1x Configuration, page 5
VLANs
For conceptual information about VLANs, see the “VLANs” section of the EtherSwitch Network Module.
Inline Power for Cisco IP Phones
For conceptual information about inline power for Cisco IP phones, see the “Inline Power for Cisco IP Phones” section of the EtherSwitch Network Module.
Layer 2 Ethernet Switching
For conceptual information about Layer 2 Ethernet switching, see the “Layer 2 Ethernet Switching” section of the EtherSwitch Network Module.
802.1x Authentication
For conceptual information about 802.1x authentication, see the “802.1x Authentication” section of the EtherSwitch Network Module.
Spanning Tree Protocol
For conceptual information about Spanning Tree Protocol, see the “Using the Spanning Tree Protocol with the EtherSwitch Network Module” section of the EtherSwitch Network Module.
Cisco Discovery Protocol
For conceptual information about Cisco Discovery Protocol, see the “Cisco Discovery Protocol” section of the EtherSwitch Network Module.
Switched Port Analyzer
For conceptual information about a switched port analyzer, see the “Switched Port Analyzer” section of the EtherSwitch Network Module.
IGMP Snooping
For conceptual information about IGMP snooping, see the “IGMP Snooping” section of the EtherSwitch Network Module.
Storm Control
For conceptual information about storm control, see the “Storm Control” section of the EtherSwitch Network Module.
Intrachassis Stacking
For conceptual information about intrachassis stacking, see the “Intrachassis Stacking” section of the EtherSwitch Network Module.
Fallback Bridging
For conceptual information about fallback bridging, see the “Fallback Bridging” section of the EtherSwitch Network Module.
Default 802.1x Configuration
Table 1 shows the default 802.1x configuration.
Table 1 Default 802.1x Configuration
Feature: Default Setting
Authentication, authorization, and accounting (AAA): Disabled.
RADIUS server IP address: None specified.
RADIUS server UDP authentication port: 1645.
RADIUS server key: None specified.
Per-interface 802.1x enable state: Disabled (force-authorized). The port transmits and receives normal traffic without 802.1x-based authentication of the client.
Periodic reauthentication: Disabled.
Number of seconds between reauthentication attempts: 3600 seconds.
Quiet period: 60 seconds (number of seconds that the switch remains in the quiet state following a failed authentication exchange with the client).
Retransmission time: 30 seconds (number of seconds that the switch should wait for a response to an EAP request/identity frame from the client before retransmitting the request).
Maximum retransmission number: 2 times (number of times that the switch will send an EAP-request/identity frame before restarting the authentication process).
Multiple host support: Disabled.
Client timeout period: 30 seconds (when relaying a request from the authentication server to the client, the amount of time the switch waits for a response before retransmitting the request to the client). This setting is not configurable.
Authentication server timeout period: 30 seconds (when relaying a response from the client to the authentication server, the amount of time the switch waits for a reply before retransmitting the response to the server). This setting is not configurable.
802.1x Configuration Guidelines
These are the 802.1x authentication configuration guidelines:
When the 802.1x protocol is enabled, ports are authenticated before any other Layer 2 feature is enabled.
The 802.1x protocol is supported on Layer 2 static-access ports, but it is not supported on these port types:
Trunk port—If you try to enable 802.1x on a trunk port, an error message appears, and 802.1x is not enabled. If you try to change the mode of an 802.1x-enabled port to trunk, the port mode is not changed.
Switch Port Analyzer (SPAN) destination port—You can enable 802.1x on a port that is a SPAN destination port; however, 802.1x is disabled until the port is removed as a SPAN destination. You can enable 802.1x on a SPAN source port.
How to Configure EtherSwitch HWICs
Configuring VLANs, page 5
Configuring VLAN Trunking Protocol, page 7
Configuring Layer 2 Interfaces, page 10
Configuring 802.1x Authentication, page 18
Configuring Spanning Tree, page 30
Configuring MAC Table Manipulation, page 39
Configuring Cisco Discovery Protocol, page 41
Configuring the Switched Port Analyzer (SPAN), page 44
Configuring Power Management on the Interface, page 46
Configuring IP Multicast Layer 3 Switching, page 47
Configuring IGMP Snooping, page 51
Configuring Per-Port Storm Control, page 56
Configuring Stacking, page 59
Configuring Fallback Bridging, page 61
Configuring Separate Voice and Data Subnets, page 76
Managing the EtherSwitch HWIC, page 78
Configuring VLANs
This section describes how to configure VLANs on the switch and contains the following sections:
Adding a VLAN Instance, page 6
Deleting a VLAN Instance from the Database, page 6
Adding a VLAN Instance
A total of 15 VLANs can be supported by an EtherSwitch HWIC.
Follow the steps below to add a VLAN instance to the database.
SUMMARY STEPS
1. enable
2. vlan database
3. vlan vlan-id
4. exit
DETAILED STEPS
Step 1: enable
Example: Router> enable
Purpose: Enables privileged EXEC mode. Enter your password if prompted.
Step 2: vlan database
Example: Router# vlan database
Purpose: Enters VLAN configuration mode.
Step 3: vlan vlan-id
Example: Router(vlan)# vlan 1
Purpose: Adds an Ethernet VLAN. Enter the VLAN number.
Step 4: exit
Example: Router(vlan)# exit
Purpose: Updates the VLAN database, propagates it throughout the administrative domain, and returns to privileged EXEC mode.
Deleting a VLAN Instance from the Database
You cannot delete the default VLANs for the different media types: Ethernet VLAN 1 and FDDI or Token Ring VLANs 1002 to 1005.
Follow the steps below to delete a VLAN from the database.
SUMMARY STEPS
1. enable
2. vlan database
3. no vlan vlan-id
4. exit
DETAILED STEPS
Step 1: enable
Example: Router> enable
Purpose: Enables privileged EXEC mode. Enter your password if prompted.
Step 2: vlan database
Example: Router# vlan database
Purpose: Enters VLAN configuration mode.
Step 3: no vlan vlan-id
Example: Router(vlan)# no vlan 1
Purpose: Deletes an Ethernet VLAN. Enter the VLAN number.
Step 4: exit
Example: Router(vlan)# exit
Purpose: Updates the VLAN database, propagates it throughout the administrative domain, and returns to privileged EXEC mode.
Configuring VLAN Trunking Protocol
This section describes how to configure the VLAN Trunking Protocol (VTP) on an EtherSwitch HWIC, and contains the following tasks:
Configuring a VTP Server, page 7
Configuring a VTP Client, page 8
Disabling VTP (VTP Transparent Mode), page 9
Note VTP pruning is not supported by EtherSwitch HWICs.
Configuring a VTP Server
When a switch is in VTP server mode, you can change the VLAN configuration and have it propagate throughout the network.
Follow the steps below to configure the switch as a VTP server.
SUMMARY STEPS
1. enable
2. vlan database
3. vtp server
4. vtp domain domain-name
5. vtp password password-value
6. exit
DETAILED STEPS
Step 1: enable
Example: Router> enable
Purpose: Enables privileged EXEC mode. Enter your password if prompted.
Step 2: vlan database
Example: Router# vlan database
Purpose: Enters VLAN configuration mode.
Step 3: vtp server
Example: Router(vlan)# vtp server
Purpose: Configures the switch as a VTP server.
Step 4: vtp domain domain-name
Example: Router(vlan)# vtp domain distantusers
Purpose: Defines the VTP domain name. Enter the VTP domain name. Domain names can be a maximum of 32 characters.
Step 5: vtp password password-value
Example: Router(vlan)# vtp password philadelphia
Purpose: (Optional) Sets a VTP domain password. Enter a password. Passwords can be from 8 to 64 characters.
Step 6: exit
Example: Router(vlan)# exit
Purpose: Updates the VLAN database, propagates it throughout the administrative domain, exits VLAN configuration mode, and returns to privileged EXEC mode.
Configuring a VTP Client
When a switch is in VTP client mode, you cannot change the VLAN configuration on the switch. The client switch receives VTP updates from a VTP server in the management domain and modifies its configuration accordingly.
Follow the steps below to configure the switch as a VTP client.
SUMMARY STEPS
1. enable
2. vlan database
3. vtp client
4. exit
DETAILED STEPS
Step 1: enable
Example: Router> enable
Purpose: Enables privileged EXEC mode. Enter your password if prompted.
Step 2: vlan database
Example: Router# vlan database
Purpose: Enters VLAN configuration mode.
Step 3: vtp client
Example: Router(vlan)# vtp client
Purpose: Configures the switch as a VTP client.
Step 4: exit
Example: Router(vlan)# exit
Purpose: Updates the VLAN database, propagates it throughout the administrative domain, exits VLAN configuration mode, and returns to privileged EXEC mode.
Disabling VTP (VTP Transparent Mode)
When you configure the switch as VTP transparent, you disable VTP on the switch. A VTP transparent switch does not send VTP updates and does not act on VTP updates received from other switches.
Follow the steps below to disable VTP on the switch.
SUMMARY STEPS
1. enable
2. vlan database
3. vtp transparent
4. exit
DETAILED STEPS
Step 1: enable
Example: Router> enable
Purpose: Enables privileged EXEC mode. Enter your password if prompted.
Step 2: vlan database
Example: Router# vlan database
Purpose: Enters VLAN configuration mode.
Step 3: vtp transparent
Example: Router(vlan)# vtp transparent
Purpose: Configures VTP transparent mode.
Step 4: exit
Example: Router(vlan)# exit
Purpose: Updates the VLAN database, propagates it throughout the administrative domain, exits VLAN configuration mode, and returns to privileged EXEC mode.
Configuring Layer 2 Interfaces
This section provides the following configuration information:
Configuring a Range of Interfaces, page 10 (required)
Defining a Range Macro, page 11 (optional)
Configuring Layer 2 Optional Interface Features, page 12 (optional)
Configuring a Range of Interfaces
Use the following task to configure a range of interfaces.
SUMMARY STEPS
1. enable
2. configure terminal
3. interface range {macro macro-name | fastethernet interface-id [ - interface-id] | vlan vlan-id} [, fastethernet interface-id [ - interface-id] | vlan vlan-id]
DETAILED STEPS
Step 1: enable
Example: Router> enable
Purpose: Enables privileged EXEC mode. Enter your password if prompted.
Step 2: configure terminal
Example: Router# configure terminal
Purpose: Enters global configuration mode.
Step 3: interface range {macro macro-name | fastethernet interface-id [ - interface-id] | vlan vlan-id} [, fastethernet interface-id [ - interface-id] | vlan vlan-id]
Example: Router(config)# interface range FastEthernet 0/1/0 - 0/1/3
Purpose: Selects the range of interfaces to be configured. The space before the dash is required. For example, the command interface range fastethernet 0/<slot>/0 - 0/<slot>/3 is valid; the command interface range fastethernet 0/<slot>/0-0/<slot>/3 is not valid. You can enter one macro or up to five comma-separated ranges. Comma-separated ranges can include both VLANs and physical interfaces. You are not required to enter spaces before or after the comma. The interface range command only supports VLAN interfaces that are configured with the interface vlan command.
Defining a Range Macro
Use the following task to define an interface range macro.
SUMMARY STEPS
1. enable
2. configure terminal
3. define interface-range macro-name {fastethernet interface-id [ - interface-id] | {vlan vlan-id - vlan-id} | [, fastethernet interface-id [ - interface-id]
DETAILED STEPS
Step 1: enable
Example: Router> enable
Purpose: Enables privileged EXEC mode. Enter your password if prompted.
Step 2: configure terminal
Example: Router# configure terminal
Purpose: Enters global configuration mode.
Step 3: define interface-range macro-name {fastethernet interface-id [ - interface-id] | {vlan vlan-id - vlan-id} | [, fastethernet interface-id [ - interface-id]
Example: Router(config)# define interface-range first_three FastEthernet0/1/0 - 2
Purpose: Defines an interface-range macro. Enter the macro name, along with the interface type and interface number, as appropriate.
Configuring Layer 2 Optional Interface Features
This section provides the following configuration information:
Configuring the Interface Speed, page 12 (optional)
Configuring the Interface Duplex Mode, page 13 (optional)
Configuring a Description for an Interface, page 14 (optional)
Configuring a Fast Ethernet Interface as a Layer 2 Trunk, page 15 (optional)
Configuring a Fast Ethernet Interface as Layer 2 Access, page 17 (optional)
Configuring the Interface Speed
Use the following task to set the interface speed.
When configuring an interface speed, note these guidelines:
If both ends of the line support autonegotiation, Cisco highly recommends the default autonegotiation settings.
If one interface supports autonegotiation and the other end does not, configure interface speed on both interfaces; do not use the auto setting on the supported side.
Both ends of the line need to be configured to the same setting; for example, both hard-set or both autonegotiate. Mismatched settings are not supported.
Caution Changing the interface speed might shut down and reenable the interface during the reconfiguration.
SUMMARY STEPS
1. enable
2. configure terminal
3. interface fastethernet interface-id
4. speed {10 | 100 | 1000 [negotiate] | auto [speed-list]}
DETAILED STEPS
Step 1: enable
Example: Router> enable
Purpose: Enables privileged EXEC mode. Enter your password if prompted.
Step 2: configure terminal
Example: Router# configure terminal
Purpose: Enters global configuration mode.
Step 3: interface fastethernet interface-id
Example: Router(config)# interface fastethernet 0/1/0
Purpose: Selects the interface to be configured and enters interface configuration mode. Enter the interface number.
Step 4: speed {10 | 100 | 1000 [negotiate] | auto [speed-list]}
Example: Router(config-if)# speed 100
Purpose: Configures the speed for the interface. Enter the desired speed.
Note If you set the interface speed to auto on a 10/100-Mbps Ethernet interface, both speed and duplex are automatically negotiated.
Configuring the Interface Duplex Mode
Follow the steps below to set the duplex mode of a Fast Ethernet interface.
When configuring an interface duplex mode, note these guidelines:
If both ends of the line support autonegotiation, Cisco highly recommends the default autonegotiation settings.
If one interface supports autonegotiation and the other end does not, configure the duplex mode on both interfaces; do not use the auto setting on the supported side.
Both ends of the line need to be configured to the same setting; for example, both hard-set or both autonegotiate. Mismatched settings are not supported.
Caution Changing the interface duplex mode configuration might shut down and reenable the interface during the reconfiguration.
SUMMARY STEPS
1. enable
2. configure terminal
3. interface fastethernet interface-id
4. duplex [auto | full | half]
DETAILED STEPS
Step 1: enable
Example: Router> enable
Purpose: Enables privileged EXEC mode. Enter your password if prompted.
Step 2: configure terminal
Example: Router# configure terminal
Purpose: Enters global configuration mode.
Step 3: interface fastethernet interface-id
Example: Router(config)# interface fastethernet 0/1/0
Purpose: Selects the interface to be configured. Enter the interface number.
Step 4: duplex [auto | full | half]
Example: Router(config-if)# duplex auto
Purpose: Sets the duplex mode of the interface.
Note If you set the port speed to auto on a 10/100-Mbps Ethernet interface, both speed and duplex are automatically negotiated. You cannot change the duplex mode of autonegotiation interfaces.
Configuring a Description for an Interface
You can add a description of an interface to help you remember its function. The description appears in the output of the following commands: show configuration, show running-config, and show interfaces.
Use the description command to add a description for an interface.
SUMMARY STEPS
1. enable
2. configure terminal
3. interface fastethernet interface-id
4. description string
DETAILED STEPS
Step 1: enable
Example: Router> enable
Purpose: Enables privileged EXEC mode. Enter your password if prompted.
Step 2: configure terminal
Example: Router# configure terminal
Purpose: Enters global configuration mode.
Step 3: interface fastethernet interface-id
Example: Router(config)# interface fastethernet 0/1/0
Purpose: Selects the interface to be configured, and enters interface configuration mode. Enter the interface number.
Step 4: description string
Example: Router(config-if)# description newinterface
Purpose: Adds a description for the interface. Enter a description for the interface.
Configuring a Fast Ethernet Interface as a Layer 2 Trunk
Use this task to configure a Fast Ethernet interface as a Layer 2 trunk.
SUMMARY STEPS
1. enable
2. configure terminal
3. interface fastethernet interface-id
4. shutdown
5. switchport mode trunk
6. switchport trunk native vlan vlan-number
7. switchport trunk allowed vlan {add | except | none | remove} vlan1[,vlan[,vlan[,...]]
8. no shutdown
9. end
DETAILED STEPS
Step 1: enable
Example: Router> enable
Purpose: Enables privileged EXEC mode. Enter your password if prompted.
Step 2: configure terminal
Example: Router# configure terminal
Purpose: Enters global configuration mode.
Step 3: interface fastethernet interface-id
Example: Router(config)# interface fastethernet 0/1/0
Purpose: Selects the interface to be configured and enters interface configuration mode. Enter the interface number.
Step 4: shutdown
Example: Router(config-if)# shutdown
Purpose: (Optional) Shuts down the interface to prevent traffic flow until configuration is complete.
Step 5: switchport mode trunk
Example: Router(config-if)# switchport mode trunk
Purpose: Configures the interface as a Layer 2 trunk.
Note Encapsulation is always dot1q.
Step 6: switchport trunk native vlan vlan-number
Example: Router(config-if)# switchport trunk native vlan 1
Purpose: (Optional) For 802.1Q trunks, specifies the native VLAN.
Step 7: switchport trunk allowed vlan {add | except | none | remove} vlan1[,vlan[,vlan[,...]]
Example: Router(config-if)# switchport trunk allowed vlan add vlan1, vlan2, vlan3
Purpose: (Optional) Configures the list of VLANs allowed on the trunk. All VLANs are allowed by default. You cannot remove any of the default VLANs from a trunk.
Step 8: no shutdown
Example: Router(config-if)# no shutdown
Purpose: Activates the interface. (Required only if you shut down the interface.)
Step 9: end
Example: Router(config-if)# end
Purpose: Exits interface configuration mode.
Note Ports do not support Dynamic Trunk Protocol (DTP). Ensure that the neighboring switch is set to a mode that will not send DTP.
Configuring a Fast Ethernet Interface as Layer 2 Access
Follow the steps below to configure a Fast Ethernet interface as Layer 2 access.
SUMMARY STEPS
1. enable
2. configure terminal
3. interface fastethernet interface-id
4. shutdown
5. switchport mode access
6. switchport access vlan vlan-number
7. no shutdown
8. end
DETAILED STEPS
Step 1: enable
Example: Router> enable
Purpose: Enables privileged EXEC mode. Enter your password if prompted.
Step 2: configure terminal
Example: Router# configure terminal
Purpose: Enters global configuration mode.
Step 3: interface fastethernet interface-id
Example: Router(config)# interface fastethernet 0/1/0
Purpose: Selects the interface to be configured and enters interface configuration mode. Enter the interface number.
Step 4: shutdown
Example: Router(config-if)# shutdown
Purpose: (Optional) Shuts down the interface to prevent traffic flow until configuration is complete.
Step 5: switchport mode access
Example: Router(config-if)# switchport mode access
Purpose: Configures the interface as a Layer 2 access port.
Step 6: switchport access vlan vlan-number
Example: Router(config-if)# switchport access vlan 1
Purpose: For access ports, specifies the access VLAN. Enter the VLAN number.
Step 7: no shutdown
Example: Router(config-if)# no shutdown
Purpose: Activates the interface. Required only if you shut down the interface.
Step 8: end
Example: Router(config-if)# end
Purpose: Exits configuration mode.
Configuring 802.1x Authentication
Enabling 802.1x Authentication, page 19
Configuring the Switch-to-RADIUS-Server Communication, page 21
Enabling Periodic Reauthentication, page 23
Changing the Quiet Period, page 24
Changing the Switch-to-Client Retransmission Time, page 25
Setting the Switch-to-Client Frame-Retransmission Number, page 26
Enabling Multiple Hosts, page 27
Resetting the 802.1x Configuration to the Default Values, page 28
Displaying 802.1x Statistics and Status, page 29
Enabling 802.1x Authentication
To enable 802.1x port-based authentication, you must enable AAA and specify the authentication method list. A method list describes the sequence and authentication methods to be queried to authenticate a user.
The software uses the first method listed to authenticate users; if that method fails to respond, the software selects the next authentication method in the method list. This process continues until there is successful communication with a listed authentication method or until all defined methods are exhausted. If authentication fails at any point in this cycle, the authentication process stops, and no other authentication methods are attempted.
For additional information on the default 802.1x configuration, refer to the “Default 802.1x Configuration” section on page 5.
Complete these steps to configure 802.1x port-based authentication. This procedure is required.
SUMMARY STEPS
1. enable
2. configure terminal
3. aaa authentication dot1x {default | listname} method1 [method2...]
4. interface interface-type interface-number
5. dot1x port-control auto
6. end
7. show dot1x
8. copy running-config startup-config
DETAILED STEPS
Step 1: enable
Example: Router> enable
Purpose: Enables privileged EXEC mode. Enter your password if prompted.
Step 2: configure terminal
Example: Router# configure terminal
Purpose: Enters global configuration mode.
Step 3: aaa authentication dot1x {default | listname} method1 [method2...]
Example: Router(config)# aaa authentication dot1x default newmethod
Purpose: Creates an 802.1x authentication method list. To create a default list that is used when a named list is not specified in the authentication command, use the default keyword followed by the methods that are to be used in default situations. The default method list is automatically applied to all interfaces. Enter at least one of these keywords:
group radius—Use the list of all RADIUS servers for authentication.
none—Use no authentication. The client is automatically authenticated without the switch using the information supplied by the client.
Step 4: interface interface-type interface-number
Example: Router(config)# interface fastethernet 0/1/3
Purpose: Specifies the interface to be enabled for 802.1x authentication and enters interface configuration mode. Enter the interface type and interface number.
Step 5: dot1x port-control auto
Example: Router(config-if)# dot1x port-control auto
Purpose: Enables 802.1x on the interface. For feature interaction information with trunk, dynamic, dynamic-access, EtherChannel, secure, and SPAN ports, see the “802.1x Configuration Guidelines” section on page 19.
Step 6: end
Example: Router(config-if)# end
Purpose: Returns to privileged EXEC mode.
Step 7: show dot1x
Example: Router# show dot1x
Purpose: Verifies your entries.
Step 8: copy running-config startup-config
Example: Router# copy running-config startup-config
Purpose: (Optional) Saves your entries in the configuration file.
Configuring the Switch-to-RADIUS-Server Communication
RADIUS security servers are identified by their host name or IP address, host name and specific UDP port numbers, or IP address and specific UDP port numbers. The combination of the IP address and UDP port number creates a unique identifier, which enables RADIUS requests to be sent to multiple UDP ports on a server at the same IP address. If two different host entries on the same RADIUS server are configured for the same service—for example, authentication—the second host entry configured acts as the fail-over backup to the first one. The RADIUS host entries are tried in the order that they were configured.
Follow these steps to configure the RADIUS server parameters on the switch. This procedure is required.
SUMMARY STEPS
1. enable
2. configure terminal
3. radius-server host {hostname | ip-address} auth-port port-number key string
4. end
5. show running-config
6. copy running-config startup-config
DETAILED STEPS
Step 1: enable
Example: Router> enable
Purpose: Enables privileged EXEC mode. Enter your password if prompted.
Step 2: configure terminal
Example: Router# configure terminal
Purpose: Enters global configuration mode.
Step 3: radius-server host {hostname | ip-address} auth-port port-number key string
Example: Router(config)# radius-server host hostseven auth-port 75 key newauthority75
Purpose: Configures the RADIUS server parameters on the switch. For hostname | ip-address, specify the host name or IP address of the remote RADIUS server. For auth-port port-number, specify the UDP destination port for authentication requests. The default is 1645. For key string, specify the authentication and encryption key used between the switch and the RADIUS daemon running on the RADIUS server. The key is a text string that must match the encryption key used on the RADIUS server.
Note Always configure the key as the last item in the radius-server host command syntax because leading spaces are ignored, but spaces within and at the end of the key are used. If you use spaces in the key, do not enclose the key in quotation marks unless the quotation marks are part of the key. This key must match the encryption used on the RADIUS daemon.
Step 4: end
Example: Router(config)# end
Step 5: show running-config
Example: Router# show running-config
Step 6: copy running-config startup-config
Example: Router# copy running-config startup-config
To delete the specified RADIUS server, use the no radius-server host {hostname | ip-address} global configuration command.
You can globally configure the timeout, retransmission, and encryption key values for all RADIUS servers by using the radius-server host global configuration command. If you want to configure these options on a per-server basis, use the radius-server timeout, radius-server retransmit, and the radius-server key global configuration commands.
If you want to use multiple RADIUS servers, repeat this
command.
Returns to privileged EXEC mode.
Verifies your entries.
(Optional) Saves your entries in the configuration file.
You also need to configure some settings on the RADIUS server. These settings include the IP address of the switch and the key string to be shared by both the server and the switch. For more information, refer to the RADIUS server documentation.
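The radius-server host syntax and the key-spacing rule above, worked through as an added example (not code from this guide or from Cisco): a small Python parser that extracts each host entry in the order it was configured (the fail-over order), applies the 1645 auth-port default, keeps the key exactly as the switch would (leading spaces dropped, embedded and trailing spaces kept), and flags entries a reviewer would question. The host names, addresses and keys in the sample lines are constructed.

```python
import re
from typing import Optional

DEFAULT_AUTH_PORT = 1645  # auth-port default stated in the guide

# Constructed sample configuration lines (not from the original document).
SAMPLE_CONFIG_LINES = [
    "hostname Router",
    "radius-server host hostseven auth-port 75 key newauthority75",
    "radius-server host 192.0.2.10 auth-port 1812 key   secret with space ",
    "radius-server host 192.0.2.11 auth-port 1812",
]

def parse_radius_host(line: str) -> Optional[dict]:
    """Parse one 'radius-server host {hostname | ip-address} [auth-port N] [key STRING]' line.

    The key is taken the way the guide describes it: everything after the 'key'
    keyword, with leading spaces ignored and embedded or trailing spaces kept.
    """
    m = re.match(r"^radius-server host (\S+)(.*)$", line)
    if not m:
        return None
    host, rest = m.groups()
    entry = {"host": host, "auth_port": DEFAULT_AUTH_PORT, "key": None}
    key_at = rest.find(" key ")  # split the key off before tokenising the rest
    if key_at != -1:
        entry["key"] = rest[key_at + len(" key "):].lstrip(" ")
        rest = rest[:key_at]
    if port := re.search(r"\bauth-port (\d+)", rest):
        entry["auth_port"] = int(port.group(1))
    return entry

def audit_radius_servers(lines: list) -> dict:
    """Return the servers in fail-over (configuration) order plus review findings."""
    servers = [e for e in map(parse_radius_host, lines) if e]
    findings = []
    for s in servers:
        if s["key"] is None:
            findings.append(f"{s['host']}: no per-host key; a global radius-server key must exist")
        elif s["key"] != s["key"].strip(" "):
            findings.append(f"{s['host']}: key has trailing space(s); server must use the identical string")
    if not servers:
        findings.append("no radius-server host configured")
    return {"servers": servers, "findings": findings}
```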
Enabling Periodic Reauthentication
You can enable periodic 802.1x client reauthentication and specify how often it occurs. If you do not specify a time period before enabling reauthentication, the number of seconds between reauthentication attempts is 3600 seconds.
Automatic 802.1x client reauthentication is a global setting and cannot be set for clients connected to individual ports.
Follow these steps to enable periodic reauthentication of the client and to configure the number of seconds between reauthentication attempts.
SUMMARY STEPS
1. enable
2. configure terminal
3. dot1x re-authentication
4. dot1x timeout re-authperiod seconds
5. end
6. show dot1x
7. copy running-config startup-config
DETAILED STEPS
Step 1: enable
Example: Router> enable
Purpose: Enables privileged EXEC mode. Enter your password if prompted.
Step 2: configure terminal
Example: Router# configure terminal
Purpose: Enters global configuration mode.
Step 3: dot1x re-authentication
Example: Router(config)# dot1x re-authentication
Purpose: Enables periodic reauthentication of the client. Periodic reauthentication is disabled by default.
Step 4: dot1x timeout re-authperiod seconds
Example: Router(config)# dot1x timeout re-authperiod 120
Purpose: Sets the number of seconds between reauthentication attempts. The range is 1 to 4294967295; the default is 3600 seconds. This command affects the behavior of the switch only if periodic reauthentication is enabled.
Step 5: end
Example: Router(config)# end
Purpose: Returns to privileged EXEC mode.
Step 6: show dot1x
Example: Router# show dot1x
Purpose: Verifies your entries.
Step 7: copy running-config startup-config
Example: Router# copy running-config startup-config
Purpose: (Optional) Saves your entries in the configuration file.
Changing the Quiet Period
When the switch cannot authenticate the client, the switch remains idle for a set period of time, and then tries again. The idle time is determined by the quiet-period value. A failed authentication of the client might occur because the client provided an invalid password. You can provide a faster response time to the user by entering a smaller number than the default.
Follow these steps to change the quiet period.
SUMMARY STEPS
1. enable
2. configure terminal
3. dot1x timeout quiet-period seconds
4. end
5. show dot1x
6. copy running-config startup-config
DETAILED STEPS
Step 1: enable
Example: Router> enable
Purpose: Enables privileged EXEC mode. Enter your password if prompted.
Step 2: configure terminal
Example: Router# configure terminal
Purpose: Enters global configuration mode.
Step 3: dot1x timeout quiet-period seconds
Example: Router(config)# dot1x timeout quiet-period 120
Purpose: Sets the number of seconds that the switch remains in the quiet state following a failed authentication exchange with the client. The range is 0 to 65535 seconds; the default is 60.
Step 4: end
Example: Router(config-if)# end
Purpose: Returns to privileged EXEC mode.
Step 5: show dot1x
Example: Router# show dot1x
Purpose: Verifies your entries.
Step 6: copy running-config startup-config
Example: Router# copy running-config startup-config
Purpose: (Optional) Saves your entries in the configuration file.
Changing the Switch-to-Client Retransmission Time
The client responds to the EAP-request/identity frame from the switch with an EAP-response/identity frame. If the switch does not receive this response, it waits a set period of time (known as the retransmission time), and then retransmits the frame.
Note: You should change the default value of this command only to adjust for unusual circumstances such as unreliable links or specific behavioral problems with certain clients and authentication servers.
Follow the steps below to change the amount of time that the switch waits for client notification.
SUMMARY STEPS
1. enable
2. configure terminal
3. dot1x timeout tx-period seconds
4. end
5. show dot1x
6. copy running-config startup-config
DETAILED STEPS
Step 1: enable
Example: Router> enable
Purpose: Enables privileged EXEC mode. Enter your password if prompted.
Step 2: configure terminal
Example: Router# configure terminal
Purpose: Enters global configuration mode.
Step 3: dot1x timeout tx-period seconds
Example: Router(config)# dot1x timeout tx-period seconds
Purpose: Sets the number of seconds that the switch waits for a response to an EAP-request/identity frame from the client before retransmitting the request. The range is 1 to 65535 seconds; the default is 30.
Step 4: end
Example: Router(config)# end
Purpose: Returns to privileged EXEC mode.
Step 5: show dot1x
Example: Router# show dot1x
Purpose: Verifies your entries.
Step 6: copy running-config startup-config
Example: Router# copy running-config startup-config
Purpose: (Optional) Saves your entries in the configuration file.
Setting the Switch-to-Client Frame-Retransmission Number
In addition to changing the switch-to-client retransmission time, you can change the number of times that the switch sends an EAP-request/identity frame (assuming no response is received) to the client before restarting the authentication process.
Note: You should change the default value of this command only to adjust for unusual circumstances such as unreliable links or specific behavioral problems with certain clients and authentication servers.
Follow the steps below to set the switch-to-client frame-retransmission number.
SUMMARY STEPS
1. enable
2. configure terminal
3. dot1x max-req count
4. end
5. show dot1x
6. copy running-config startup-config
DETAILED STEPS
Step 1: enable
Example: Router> enable
Purpose: Enables privileged EXEC mode. Enter your password if prompted.
Step 2: configure terminal
Example: Router# configure terminal
Purpose: Enters global configuration mode.
Step 3: dot1x max-req count
Example: Router(config)# dot1x max-req 5
Purpose: Sets the number of times that the switch sends an EAP-request/identity frame to the client before restarting the authentication process. The range is 1 to 10; the default is 2.
Step 4: end
Example: Router(config)# end
Purpose: Returns to privileged EXEC mode.
Step 5: show dot1x
Example: Router# show dot1x
Purpose: Verifies your entries.
Step 6: copy running-config startup-config
Example: Router# copy running-config startup-config
Purpose: (Optional) Saves your entries in the configuration file.
Enabling Multiple Hosts
You can attach multiple hosts to a single 802.1x-enabled port. In this mode, only one of the attached hosts must be successfully authorized for all hosts to be granted network access. If the port becomes unauthorized (reauthentication fails, and an EAPOL-logoff message is received), all attached clients are denied access to the network.
Follow these steps to allow multiple hosts (clients) on an 802.1x-authorized port that has the dot1x port-control interface configuration command set to auto.
SUMMARY STEPS
1. enable
2. configure terminal
3. interface interface-type interface-number
4. dot1x multiple-hosts
5. end
6. show dot1x interface interface-number
7. copy running-config startup-config
DETAILED STEPS
Step 1: enable
Example: Router> enable
Purpose: Enables privileged EXEC mode. Enter your password if prompted.
Step 2: configure terminal
Example: Router# configure terminal
Purpose: Enters global configuration mode.
Step 3: interface interface-type interface-number
Example: Router(config)# interface fastethernet 0/1/2
Purpose: Specifies the interface, and enters interface configuration mode. Enter the interface type and interface number.
Step 4: dot1x multiple-hosts
Example: Router(config-if)# dot1x multiple-hosts
Purpose: Allows multiple hosts (clients) on an 802.1x-authorized port. Make sure that the dot1x port-control interface configuration command is set to auto for the specified interface.
Step 5: end
Example: Router(config-if)# end
Purpose: Returns to privileged EXEC mode.
Step 6: show dot1x
Example: Router# show dot1x
Purpose: Verifies your entries.
Step 7: copy running-config startup-config
Example: Router# copy running-config startup-config
Purpose: (Optional) Saves your entries in the configuration file.
Resetting the 802.1x Configuration to the Default Values
You can reset the 802.1x configuration to the default values with a single command.
Follow these steps to reset the 802.1x configuration to the default values.
SUMMARY STEPS
1. enable
2. configure terminal
3. dot1x default
4. end
5. show dot1x
6. copy running-config startup-config
DETAILED STEPS
Step 1: enable
Example: Router> enable
Purpose: Enables privileged EXEC mode. Enter your password if prompted.
Step 2: configure terminal
Example: Router# configure terminal
Purpose: Enters global configuration mode.
Step 3: dot1x default
Example: Router(config)# dot1x default
Purpose: Resets the configurable 802.1x parameters to the default values.
Step 4: end
Example: Router(config)# end
Purpose: Returns to privileged EXEC mode.
Step 5: show dot1x
Example: Router# show dot1x
Purpose: Verifies your entries.
Step 6: copy running-config startup-config
Example: Router# copy running-config startup-config
Purpose: (Optional) Saves your entries in the configuration file.
Displaying 802.1x Statistics and Status
To display 802.1x statistics for all interfaces, use the show dot1x statistics privileged EXEC command. To display 802.1x statistics for a specific interface, use the show dot1x statistics interface interface-id privileged EXEC command.
To display the 802.1x administrative and operational status for the switch, use the show dot1x privileged EXEC command. To display the 802.1x administrative and operational status for a specific interface, use the show dot1x interface interface-id privileged EXEC command.
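An added example, not part of this guide or of Cisco IOS: a Python audit of a running-config excerpt that checks the 802.1x values from the preceding sections against the ranges and defaults the guide states, flags a re-authperiod that is set while periodic reauthentication is still disabled, and reports ports where dot1x multiple-hosts lets one authorized host admit every host on the port. The config excerpt and the interface name are constructed.

```python
import re
# Constructed sample running-config excerpt (not from the original document).
SAMPLE_RUNNING_CONFIG = """\
dot1x timeout re-authperiod 120
dot1x timeout quiet-period 120
dot1x max-req 5
interface FastEthernet0/1/2
 dot1x port-control auto
 dot1x multiple-hosts
"""

TIMER_SPECS = {  # (min, max, default) for each global 802.1x value, as the guide states them
    "re-authperiod": (1, 4294967295, 3600),
    "quiet-period": (0, 65535, 60),
    "tx-period": (1, 65535, 30),
    "max-req": (1, 10, 2),
}
TIMER_RE = re.compile(r"dot1x (?:timeout )?(re-authperiod|quiet-period|tx-period|max-req) (\d+)$")

def parse_dot1x(config: str) -> dict:
    """Collect the global 802.1x settings and the dot1x commands under each interface."""
    st, intf = {"reauth_enabled": False, "timers": {}, "interfaces": {}}, None
    for line in (raw.strip() for raw in config.splitlines()):
        if line.startswith("interface "):
            intf = line.split(" ", 1)[1]
            st["interfaces"][intf] = set()
        elif line == "dot1x re-authentication":
            st["reauth_enabled"] = True
        elif m := TIMER_RE.match(line):
            st["timers"][m.group(1)] = int(m.group(2))
        elif intf and line.startswith("dot1x "):
            st["interfaces"][intf].add(line)
    return st

def audit_dot1x(config: str) -> list:
    """Findings based on the ranges and caveats the guide gives for these commands."""
    st, findings = parse_dot1x(config), []
    for name, (lo, hi, default) in TIMER_SPECS.items():
        value = st["timers"].get(name, default)
        if not lo <= value <= hi:
            findings.append(f"{name} {value} is outside the range {lo}-{hi}")
    if "re-authperiod" in st["timers"] and not st["reauth_enabled"]:
        findings.append("re-authperiod is set but dot1x re-authentication is not enabled")
    for intf, cmds in st["interfaces"].items():
        if "dot1x multiple-hosts" in cmds and "dot1x port-control auto" not in cmds:
            findings.append(f"{intf}: multiple-hosts requires dot1x port-control auto")
        elif "dot1x multiple-hosts" in cmds:
            findings.append(f"{intf}: one authorized host admits every host on the port")
    return findings
```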
Configuring Spanning Tree
This section provides the following configuration information:
Enabling Spanning Tree, page 30
Configuring Spanning Tree Port Priority, page 31
Configuring Spanning Tree Port Cost, page 32
Configuring the Bridge Priority of a VLAN, page 34
Configuring Hello Time, page 35
Configuring the Forward-Delay Time for a VLAN, page 36
Configuring the Maximum Aging Time for a VLAN, page 36
Configuring the Root Bridge, page 37
Enabling Spanning Tree
You can enable spanning tree on a per-VLAN basis. The switch maintains a separate instance of spanning tree for each VLAN (except on VLANs on which you disable spanning tree).
SUMMARY STEPS
1. enable
2. configure terminal
3. spanning-tree vlan vlan-id
4. end
5. show spanning-tree vlan vlan-id
DETAILED STEPS
Step 1: enable
Example: Router> enable
Purpose: Enables privileged EXEC mode. Enter your password if prompted.
Step 2: configure terminal
Example: Router# configure terminal
Purpose: Enters global configuration mode.
Step 3: spanning-tree vlan vlan-id
Example: Router(config)# spanning-tree vlan 200
Purpose: Enables spanning tree on a per-VLAN basis. Enter the VLAN number.
Step 4: end
Example: Router(config)# end
Purpose: Returns to privileged EXEC mode.
Step 5: show spanning-tree vlan vlan-id
Example: Router# show spanning-tree vlan 200
Purpose: Verifies the spanning tree configuration. Enter the VLAN number.