Cisco HWIC-4ESW, HWIC-D-9ESW User Manual

Cisco HWIC-4ESW and HWIC-D-9ESW EtherSwitch Interface Cards

First Published: May 17, 2005 Last Updated: April 15, 2006

This document provides configuration tasks for the 4-port Cisco HWIC-4ESW and the 9-port Cisco HWIC-D-9ESW EtherSwitch high-speed WAN interface cards (HWICs) hardware feature supported on Cisco 1800 (modular), Cisco 2800, and Cisco 3800 series integrated services routers.

Cisco EtherSwitch HWICs are 10/100BASE-T Layer 2 Ethernet switches with Layer 3 routing capability. (Layer 3 routing is forwarded to the host and is not actually performed at the switch.) Traffic between different VLANs on a switch is routed through the router platform. Any one port on a Cisco EtherSwitch HWIC may be configured as a stacking port to link to another Cisco EtherSwitch HWIC or EtherSwitch network module in the same system. An optional power module can also be added to provide inline power for IP telephones. The HWIC-D-9ESW HWIC requires a double-wide card slot.

This hardware feature does not introduce any new or modified Cisco IOS commands.

Finding Feature Information in This Module

Your Cisco IOS software release may not support all of the features documented in this module. To reach links to specific feature documentation in this module and to see a list of the releases in which each feature is supported, use the “Feature Information for the Cisco HWIC-4ESW and the Cisco HWIC-D-9ESW

EtherSwitch Cards” section on page 117.

Finding Support Information for Platforms and Cisco IOS Software Images

Use Cisco Feature Navigator to find information about platform support and Cisco IOS software image support. Access Cisco Feature Navigator at http://www.cisco.com/go/fn. You must have an account on Cisco.com. If you do not have an account or have forgotten your username or password, click Cancel at the login dialog box and follow the instructions that appear.

Corporate Headquarters: Cisco Systems, Inc., 170 West Tasman Drive, San Jose, CA 95134-1706 USA

Cisco HWIC-4ESW and HWIC-D-9ESW EtherSwitch Interface Cards

Contents

The following sections provide information about the Cisco EtherSwitch HWICs.

• Prerequisites for EtherSwitch HWICs, page 2

• Restrictions for EtherSwitch HWICs, page 2

• Information About EtherSwitch HWICs, page 3

• How to Configure EtherSwitch HWICs, page 5

• Configuration Examples for EtherSwitch HWICs, page 106

• Additional References, page 116

• Command Reference, page 117

Prerequisites for EtherSwitch HWICs

The following are prerequisites to configuring EtherSwitch HWICs:

• Configuration of IP routing. (Refer to the Cisco IOS IP Configuration Guide.)

• Use of the Cisco IOS T release, beginning with Release 12.3(8)T4 or later for Cisco HWIC-4ESW

and Cisco HWIC-D-9ESW support. (Refer to the Cisco IOS documentation.)

Restrictions for EtherSwitch HWICs

The following restrictions apply to the Cisco HWIC-4ESW and the Cisco HWIC-D-9ESW EtherSwitch HWICs:

• No more than two Ethernet Switch HWICs or network modules may be installed in a host router.

Multiple Ethernet Switch HWICs or network modules installed in a host router will not act independently of each other. They must be stacked, as they will not work at all otherwise.

• The ports of a Cisco EtherSwitch HWIC must NOT be connected to the Fast Ethernet/Gigabit

onboard ports of the router.

• There is no inline power on the ninth port (port 8) of the HWIC-D-9ESW card.

• There is no Auto MDIX support on the ninth port (port 8) of the HWIC-D-9ESW card when either

speed or duplex is not set to auto.

• There is no support for online insertion/removal (OIR) of the EtherSwitch HWICs.

• When Ethernet Switches have been installed and configured in a host router, OIR of the

CompactFlash memory card in the router must not occur. OIR of the CompactFlash memory card will compromise the configuration of the Ethernet Switches.

• VTP pruning is not supported.

• There is a limit of 200 secure MAC addresses per module that can be supported by an EtherSwitch

HWIC.

Book Title

Cisco HWIC-4ESW and HWIC-D-9ESW EtherSwitch Interface Cards

Prerequisites for Installing Two Ethernet Switch Network Modules in a Single Chassis

A maximum of two Ethernet switch network modules can be installed in a single chassis. If two Ethernet switch network modules of any type are installed in the same chassis, the following configuration requirements must be met:

• Both Ethernet switch network modules must have an optional Gigabit Ethernet expansion board

installed.

• An Ethernet crossover cable must be connected to the two Ethernet switch network modules using

the optional Gigabit Ethernet expansion board ports.

• Intrachassis stacking for the optional Gigabit Ethernet expansion board ports must be configured.

For information about intrachassis stacking configuration, see the 16- and 36-Port Ethernet Switch Module for Cisco 2600 Series, Cisco 3600 Series, and Cisco 3700 series feature document.

Note Without this configuration and connection, duplications will occur in the VLAN databases, and

unexpected packet handling may occur.

Information About EtherSwitch HWICs

To configure the Cisco HWIC-4ESW and HWIC-D-9ESW EtherSwitch HWICs, you should understand the following concepts:

• VLANs, page 3

• Inline Power for Cisco IP Phones, page 4

• Layer 2 Ethernet Switching, page 4

• 802.1x Authentication, page 4

• Spanning Tree Protocol, page 4

• Cisco Discovery Protocol, page 4

• Switched Port Analyzer, page 4

• IGMP Snooping, page 4

• Storm Control, page 5

• Intrachassis Stacking, page 5

• Fallback Bridging, page 5

VLANs

For information on the concept of VLANs, refer to the material at this URL:

http://www.cisco.com/univercd/cc/td/doc/product/software/ios123/123newft/123t/123t_4/gt1636nm.ht m#1047027

Book Title

Information About EtherSwitch HWICs

Inline Power for Cisco IP Phones

For information on the concept of inline power for Cisco IP phones, refer to the material at this URL:

http://www.cisco.com/univercd/cc/td/doc/product/software/ios123/123newft/123t/123t_4/gt1636nm.ht m#1048439

Layer 2 Ethernet Switching

For information on the concept of Layer 2 Ethernet switching, refer to the material at this URL:

http://www.cisco.com/univercd/cc/td/doc/product/software/ios123/123newft/123t/123t_4/gt1636nm.ht m#1048478

802.1x Authentication

For information on the concept of 802.1x authentication, refer to the material at this URL:

http://www.cisco.com/univercd/cc/td/doc/product/software/ios123/123newft/123t/123t_4/gt1636nm.ht m#1051006

Cisco HWIC-4ESW and HWIC-D-9ESW EtherSwitch Interface Cards

Spanning Tree Protocol

For information on the concept of Spanning Tree Protocol, refer to the material at this URL:

http://www.cisco.com/univercd/cc/td/doc/product/software/ios123/123newft/123t/123t_4/gt1636nm.ht m#1048458

Cisco Discovery Protocol

For information on the concept of the Cisco Discovery Protocol, refer to the material at this URL:

http://www.cisco.com/univercd/cc/td/doc/product/software/ios123/123newft/123t/123t_4/gt1636nm.ht m#1048498

Switched Port Analyzer

For information on the concept of switched port analyzer, refer to the material at this URL:

http://www.cisco.com/univercd/cc/td/doc/product/software/ios123/123newft/123t/123t_4/gt1636nm.ht m#1053663

IGMP Snooping

For information on the concept of IGMP snooping, refer to the material at this URL:

http://www.cisco.com/univercd/cc/td/doc/product/software/ios123/123newft/123t/123t_4/gt1636nm.ht m#1053727

Book Title

Cisco HWIC-4ESW and HWIC-D-9ESW EtherSwitch Interface Cards

Storm Control

For information on the concept of storm control, refer to the material at this URL:

http://www.cisco.com/univercd/cc/td/doc/product/software/ios123/123newft/123t/123t_4/gt1636nm.ht m#1051018

Intrachassis Stacking

For information on the concept of intrachassis stacking, refer to the material at this URL:

http://www.cisco.com/univercd/cc/td/doc/product/software/ios123/123newft/123t/123t_4/gt1636nm.ht m#1051061

Fallback Bridging

For information on the concept of fallback bridging, refer to the material at this URL:

http://www.cisco.com/univercd/cc/td/doc/product/software/ios123/123newft/123t/123t_4/gt1636nm.ht m#1054833

How to Configure EtherSwitch HWICs

See the following sections for configuration tasks for the EtherSwitch HWICs.

• Configuring VLANs, page 6

• Configuring VLAN Trunking Protocol, page 10

• Configuring Layer 2 Interfaces, page 13

• Configuring 802.1x Authentication, page 23

• Configuring Spanning Tree, page 35

• Configuring MAC Table Manipulation, page 46

• Configuring Cisco Discovery Protocol, page 50

• Configuring the Switched Port Analyzer (SPAN), page 53

• Configuring Power Management on the Interface, page 56

• Configuring IP Multicast Layer 3 Switching, page 57

• Configuring IGMP Snooping, page 61

• Configuring Per-Port Storm Control, page 68

• Configuring Stacking, page 71

• Configuring Fallback Bridging, page 73

• Configuring Separate Voice and Data Subnets, page 89

• Managing the EtherSwitch HWIC, page 92

Book Title

How to Configure EtherSwitch HWICs

Configuring VLANs

This section describes how to configure VLANs on the switch and contains the following sections:

• Adding a VLAN Instance, page 6

• Deleting a VLAN Instance from the Database, page 8

Adding a VLAN Instance

A total of 15 VLANs can be supported by an EtherSwitch HWIC.

Follow the steps below to configure a Fast Ethernet interface as Layer 2 access.

SUMMARY STEPS

1. enable

2. vlan database

3. vlan vlan_id

4. exit

Cisco HWIC-4ESW and HWIC-D-9ESW EtherSwitch Interface Cards

DETAILED STEPS

Command Purpose

Step 1

enable

Example:

Router> enable

Step 2

vlan database

Example:

Router# vlan database

Step 3

vlan vlan_id

Example:

Router(vlan)# vlan 1

Step 4

exit

Example:

Router(vlan)# exit

Verifying the VLAN Configuration

Enables privileged EXEC mode.

• Enter your password if prompted.

Enters VLAN configuration mode.

Adds an Ethernet VLAN.

Updates the VLAN database, propagates it throughout the administrative domain, and returns to privileged EXEC mode.

You can verify the VLAN configuration in VLAN database mode.

Use the show command in VLAN database mode to verify the VLAN configuration, as shown below:

Router(vlan)# show

VLAN ISL Id: 1 Name: default

Book Title

Cisco HWIC-4ESW and HWIC-D-9ESW EtherSwitch Interface Cards

Media Type: Ethernet VLAN 802.10 Id: 100001 State: Operational MTU: 1500 Translational Bridged VLAN: 1002 Translational Bridged VLAN: 1003

VLAN ISL Id: 2 Name: VLAN0002 Media Type: Ethernet VLAN 802.10 Id: 100002 State: Operational MTU: 1500

VLAN ISL Id: 3 Name: Red_VLAN Media Type: Ethernet VLAN 802.10 Id: 100003 State: Operational MTU: 1500

VLAN ISL Id: 1002 Name: fddi-default Media Type: FDDI VLAN 802.10 Id: 101002 State: Operational MTU: 1500 Bridge Type: SRB Translational Bridged VLAN: 1 Translational Bridged VLAN: 1003

How to Configure EtherSwitch HWICs

VLAN ISL Id: 1003 Name: token-ring-default Media Type: Token Ring VLAN 802.10 Id: 101003 State: Operational MTU: 1500 Bridge Type: SRB Ring Number: 0 Bridge Number: 1 Parent VLAN: 1005 Maximum ARE Hop Count: 7 Maximum STE Hop Count: 7 Backup CRF Mode: Disabled Translational Bridged VLAN: 1 Translational Bridged VLAN: 1002

VLAN ISL Id: 1004 Name: fddinet-default Media Type: FDDI Net VLAN 802.10 Id: 101004 State: Operational MTU: 1500 Bridge Type: SRB Bridge Number: 1 STP Type: IBM

VLAN ISL Id: 1005 Name: trnet-default Media Type: Token Ring Net VLAN 802.10 Id: 101005 State: Operational MTU: 1500 Bridge Type: SRB

Book Title

How to Configure EtherSwitch HWICs

Bridge Number: 1 STP Type: IBM

Router(vlan)# exit

APPLY completed.

Exiting....

Router# Router#

Enter the show vlan-switch command in EXEC mode using the Cisco IOS CLI to verify the VLAN configuration, as shown below.

Router# show vlan-switch

VLAN Name Status Ports

---- -------------------------------- --------- ---------------------------------1 default active Fa0/1/1, Fa0/1/2, Fa0/1/3, Fa0/1/4 Fa0/1/5, Fa0/1/6, Fa0/1/7, Fa0/1/8 Fa0/3/0, Fa0/3/2, Fa0/3/3, Fa0/3/4 Fa0/3/5, Fa0/3/6, Fa0/3/7, Fa0/3/8 2 VLAN0002 active Fa0/1/0 3 Red_VLAN active 1002 fddi-default active 1003 token-ring-default active 1004 fddinet-default active 1005 trnet-default active VLAN Type SAID MTU Parent RingNo BridgeNo Stp BrdgMode Trans1 Trans2

---- ----- ---------- ----- ------ ------ -------- ---- -------- ------ -----1 enet 100001 1500 - - - - - 1002 1003 2 enet 100002 1500 - - - - - 0 0 3 enet 100003 1500 - - - - - 0 0 1002 fddi 101002 1500 - - - - - 1 1003 1003 tr 101003 1500 1005 0 - - srb 1 1002 1004 fdnet 101004 1500 - - 1 ibm - 0 0 1005 trnet 101005 1500 - - 1 ibm - 0 0

Cisco HWIC-4ESW and HWIC-D-9ESW EtherSwitch Interface Cards

Router#

Deleting a VLAN Instance from the Database

You cannot delete the default VLANs for the different media types: Ethernet VLAN 1 and FDDI or Token Ring VLANs 1002 to 1005.

Follow the steps below to delete a VLAN from the database.

SUMMARY STEPS

1. enable

2. vlan database

3. no vlan vlan_id

4. exit

Book Title

Cisco HWIC-4ESW and HWIC-D-9ESW EtherSwitch Interface Cards

DETAILED STEPS

Command Purpose

Step 1

enable

Example:

Router> enable

Step 2

vlan database

Example:

Router# vlan database

Step 3

no vlan vlan_id

Example:

Router(vlan)# no vlan 1

Step 4

exit

How to Configure EtherSwitch HWICs

Enables privileged EXEC mode.

• Enter your password if prompted.

Enters VLAN configuration mode.

Deletes an Ethernet VLAN.

Updates the VLAN database, propagates it throughout the administrative domain, and returns to privileged EXEC mode.

Example:

Router(vlan)# exit

Verifying VLAN Deletion

You can verify that a VLAN has been deleted from the switch in VLAN database mode.

Use the show command in VLAN database mode to verify that a VLAN has been deleted from the switch, as shown in the following output example:

Router(vlan)# show

VLAN ISL Id: 1 Name: default Media Type: Ethernet VLAN 802.10 Id: 100001 State: Operational MTU: 1500 Translational Bridged VLAN: 1002 Translational Bridged VLAN: 1003

VLAN ISL Id: 1002 Name: fddi-default Media Type: FDDI VLAN 802.10 Id: 101002 State: Operational MTU: 1500 Bridge Type: SRB Translational Bridged VLAN: 1 Translational Bridged VLAN: 1003 <output truncated>

Router(vlan)#

Book Title

How to Configure EtherSwitch HWICs

Enter the show vlan-switch brief command in EXEC mode, using the Cisco IOS CLI to verify that a VLAN has been deleted from the switch, as shown in the following output example:

Router# show vlan-switch brief

VLAN Name Status Ports

---- -------------------------------- --------- ------------------------------1 default active Fa0/1/0, Fa0/1/1, Fa0/1/2 Fa0/1/3, Fa0/1/4, Fa0/1/5 Fa0/1/6, Fa0/1/7, Fa0/1/8 300 VLAN0300 active 1002 fddi-default active 1003 token-ring-default active 1004 fddinet-default active 1005 trnet-default active Router#

Configuring VLAN Trunking Protocol

This section describes how to configure the VLAN Trunking Protocol (VTP) on an EtherSwitch HWIC, and contains the following tasks:

• Configuring a VTP Server, page 10

Cisco HWIC-4ESW and HWIC-D-9ESW EtherSwitch Interface Cards

• Configuring a VTP Client, page 12

• Disabling VTP (VTP Transparent Mode), page 12

• Verifying VTP, page 13

Note VTP pruning is not supported by EtherSwitch HWICs.

Configuring a VTP Server

When a switch is in VTP server mode, you can change the VLAN configuration and have it propagate throughout the network.

Follow the steps below to configure the switch as a VTP server.

SUMMARY STEPS

1. enable

2. vlan database

3. vtp server

4. vtp domain domain_name

5. vtp password password_value

6. exit

Book Title

Cisco HWIC-4ESW and HWIC-D-9ESW EtherSwitch Interface Cards

DETAILED STEPS

How to Configure EtherSwitch HWICs

Step 1

Step 2

Step 3

Step 4

Step 5

Step 6

enable

Example:

Router> enable

vlan database

Example:

Router# vlan database

vtp server

Example:

Router(vlan)# vtp server

vtp domain domain_name

Example:

Router(vlan)# vtp domain distantusers

vtp password password_value

Example:

Router(vlan)# vtp password philadelphis

exit

Example:

Router(vlan)# exit

Enables privileged EXEC mode.

• Enter your password if prompted.

Enters VLAN configuration mode.

Configures the switch as a VTP server.

Defines the VTP domain name, which can be up to 32 characters long.

(Optional) Sets a password, which can be from 8 to 64 characters long, for the VTP domain.

Updates the VLAN database, propagates it throughout the administrative domain, exits VLAN configuration mode, and returns to privileged EXEC mode.

Book Title

How to Configure EtherSwitch HWICs

Configuring a VTP Client

When a switch is in VTP client mode, you cannot change the VLAN configuration on the switch. The client switch receives VTP updates from a VTP server in the management domain and modifies its configuration accordingly.

Follow the steps below to configure the switch as a VTP client.

SUMMARY STEPS

1. enable

2. vlan database

3. vtp client

4. exit

DETAILED STEPS

Cisco HWIC-4ESW and HWIC-D-9ESW EtherSwitch Interface Cards

Step 1

enable

Example:

Router> enable

Step 2

vlan database

Example:

Router# vlan database

Step 3

vtp client

Example:

Router(vlan)# vtp client

Step 4

exit

Example:

Router(vlan)# exit

Disabling VTP (VTP Transparent Mode)

When you configure the switch as VTP transparent, you disable VTP on the switch. A VTP transparent switch does not send VTP updates and does not act on VTP updates received from other switches.

Follow the steps below to disable VTP on the switch.

Enables privileged EXEC mode.

• Enter your password if prompted.

Enters VLAN configuration mode.

Configures the switch as a VTP client.

Updates the VLAN database, propagates it throughout the administrative domain, exits VLAN configuration mode and returns to privileged EXEC mode.

SUMMARY STEPS

Book Title

1. enable

2. vlan database

3. vtp transparent

4. exit

Cisco HWIC-4ESW and HWIC-D-9ESW EtherSwitch Interface Cards

DETAILED STEPS

How to Configure EtherSwitch HWICs

Step 1

enable

Example:

Router> enable

Step 2

vlan database

Example:

Router# vlan database

Step 3

vtp transparent

Example:

Router(vlan)# vtp transparent

Step 4

exit

Example:

Router(vlan)# exit

Verifying VTP

Enables privileged EXEC mode.

• Enter your password if prompted.

Enters VLAN configuration mode.

Configures VTP transparent mode.

Updates the VLAN database, propagates it throughout the administrative domain, exits VLAN configuration mode, and returns to privileged EXEC mode.

Use the show vtp status command to verify VTP status:

Router# show vtp status

VTP Version : 2 Configuration Revision : 0 Maximum VLANs supported locally : 256 Number of existing VLANs : 5 VTP Operating Mode : Server VTP Domain Name : VTP Pruning Mode : Disabled VTP V2 Mode : Disabled VTP Traps Generation : Disabled MD5 digest : 0xBF 0x86 0x94 0x45 0xFC 0xDF 0xB5 0x70 Configuration last modified by 0.0.0.0 at 0-0-00 00:00:00 Local updater ID is 1.3.214.25 on interface Fa0/0 (first interface found) Router#

Configuring Layer 2 Interfaces

This section provides the following configuration information:

• Configuring a Range of Interfaces, page 14 (required)

• Defining a Range Macro, page 14 (optional)

• Configuring Layer 2 Optional Interface Features, page 15 (optional)

Book Title

How to Configure EtherSwitch HWICs

Configuring a Range of Interfaces

Use the following task to configure a range of interfaces.

SUMMARY STEPS

1. enable

2. configure terminal

3. interface range {macro macro_name | FastEthernet interface-id [ - interface-id] | vlan vlan_ID}

[, FastEthernet interface-id [ - interface-id] | vlan vlan-ID]

DETAILED STEPS

Command or Action Purpose

Step 1

Step 2

enable

Example:

Router> enable

configure terminal

Cisco HWIC-4ESW and HWIC-D-9ESW EtherSwitch Interface Cards

Enables privileged EXEC mode.

• Enter your password if prompted.

Enters global configuration mode.

Example:

Router# configure terminal

Step 3

interface range {macro macro_name | FastEthernet interface-id [ - interface-id] | vlan vlan-ID} [, FastEthernet interface-id [ - interface-id] | vlan vlan-ID]

Example:

Router(config)# interface range FastEthernet 0/1/0 - 0/1/3

Defining a Range Macro

Use the following task to define an interface range macro.

Select the range of interfaces to be configured.

• The space before the dash is required. For example, the

command interface range fastethernet 0/<slot>/0 - 0/<slot>/3 is valid; the command interface range fastethernet 0/<slot>/0-0/<slot>/3 is not valid.

• You can enter one macro or up to five comma-separated

ranges.

• Comma-separated ranges can include both VLANs and

physical interfaces.

• You are not required to enter spaces before or after the

comma.

• The interface range command only supports VLAN

interfaces that are configured with the interface vlan command.

SUMMARY STEPS

Book Title

1. enable

2. configure terminal

3. define interface-range macro_name {FastEthernet interface-id [ - interface-id] | {vlan vlan_ID -

vlan_ID} | [, FastEthernet interface-id [ - interface-id]

Cisco HWIC-4ESW and HWIC-D-9ESW EtherSwitch Interface Cards

DETAILED STEPS

Command or Action Purpose

Step 1

enable

Example:

Router> enable

Step 2

configure terminal

Example:

Router# configure terminal

Step 3

define interface-range macro_name {FastEthernet interface-id [ - interface-id] | {vlan vlan_ID

- vlan-ID} | [, FastEthernet interface-id [ - interface-id]

Example:

Router(config)# define interface-range first_three FastEthernet0/1/0 - 2

How to Configure EtherSwitch HWICs

Enables privileged EXEC mode.

• Enter your password if prompted.

Enters global configuration mode.

• Defines a range of macros.

Verifying Configuration of an Interface Range Macro

Use the show running-configuration command to show the defined interface-range macro configuration, as shown below:

Router# show running-configuration | include define

define interface-range first_three FastEthernet0/1/0 - 2

Configuring Layer 2 Optional Interface Features

• Interface Speed and Duplex Configuration Guidelines, page 15

• Configuring the Interface Speed, page 16

• Configuring the Interface Duplex Mode, page 16

• Verifying Interface Speed and Duplex Mode Configuration, page 17

• Configuring a Description for an Interface, page 18

• Configuring a Fast Ethernet Interface as a Layer 2 Trunk, page 19

• Configuring a Fast Ethernet Interface as Layer 2 Access, page 21

Interface Speed and Duplex Configuration Guidelines

When configuring an interface speed and duplex mode, note these guidelines:

• If both ends of the line support autonegotiation, Cisco highly recommends the default auto

negotiation settings.

• If one interface supports auto negotiation and the other end does not, configure duplex and speed on

both interfaces; do not use the auto setting on the supported side.

• Both ends of the line need to be configured to the same setting; for example, both hard-set or both

auto-negotiate. Mismatched settings are not supported.

Book Title

How to Configure EtherSwitch HWICs

Caution Changing the interface speed and duplex mode configuration might shut down and reenable the interface

during the reconfiguration.

Configuring the Interface Speed

Use the following task to set the interface speed.

SUMMARY STEPS

1. enable

2. configure terminal

3. interface fastethernet interface-id

4. speed [10 | 100 | auto]

DETAILED STEPS

Command or Action Purpose

Step 1

enable

Example:

Router> enable

Step 2

configure terminal

Cisco HWIC-4ESW and HWIC-D-9ESW EtherSwitch Interface Cards

Enables privileged EXEC mode.

• Enter your password if prompted.

Enters global configuration mode.

Example:

Router# configure terminal

Step 3

interface fastethernet interface-id

Example:

Router(config)# interface fastethernet 0/1/0

Step 4

speed [10 | 100 | auto ]

Example:

Router(config-if)# speed 100

Note If you set the interface speed to auto on a 10/100-Mbps Ethernet interface, both speed and duplex are

automatically negotiated.

Configuring the Interface Duplex Mode

Follow the steps below to set the duplex mode of a Fast Ethernet interface.

Selects the interface to be configured.

Book Title

Cisco HWIC-4ESW and HWIC-D-9ESW EtherSwitch Interface Cards

SUMMARY STEPS

1. enable

2. configure terminal

3. interface fastethernet interface-id

4. duplex [auto | full | half]

DETAILED STEPS

Command or Action Purpose

Step 1

enable

Example:

Router> enable

Step 2

configure terminal

Example:

Router# configure terminal

Step 3

interface fastethernet interface-id

How to Configure EtherSwitch HWICs

Enables privileged EXEC mode.

• Enter your password if prompted.

Enters global configuration mode.

Selects the interface to be configured.

Example:

Router(config)# interface fastethernet 0/1/0

Step 4

duplex [auto | full | half]

Example:

Router(config-if)# duplex auto

Note If you set the port speed to auto on a 10/100-Mbps Ethernet interface, both speed and duplex are

automatically negotiated. You cannot change the duplex mode of auto negotiation interfaces.

The following example shows how to set the interface duplex mode to auto on Fast Ethernet interface 3:

Router(config)# interface fastethernet 0/1/0 Router(config-if)# speed 100 Router(config-if)# duplex auto Router(config-if)# end

Verifying Interface Speed and Duplex Mode Configuration

Use the show interfaces command to verify the interface speed and duplex mode configuration for an interface, as shown in the following output example.

Router# show interfaces fastethernet 0/1/0

Sets the duplex mode of the interface.

FastEthernet0/1/0 is up, line protocol is up

Hardware is Fast Ethernet, address is 000f.f70a.f272 (bia 000f.f70a.f272) MTU 1500 bytes, BW 100000 Kbit, DLY 100 usec,

reliability 255/255, txload 1/255, rxload 1/255 Encapsulation ARPA, loopback not set Keepalive set (10 sec)

Book Title

How to Configure EtherSwitch HWICs

Auto-duplex, Auto-speed ARP type: ARPA, ARP Timeout 04:00:00 Last input 00:00:11, output never, output hang never Last clearing of "show interface" counters never Queueing strategy: fifo Output queue 0/40, (size/max) 5 minute input rate 0 bits/sec, 0 packets/sec 5 minute output rate 0 bits/sec, 0 packets/sec

4 packets input, 1073 bytes, 0 no buffer Received 0 broadcasts, 0 runts, 0 giants, 0 throttles 0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored 0 input packets with dribble condition detected 6 packets output, 664 bytes, 0 underruns(0/0/0) 0 output errors, 0 collisions, 3 interface resets 0 babbles, 0 late collision, 0 deferred 0 lost carrier, 0 no carrier 0 output buffer failures, 0 output buffers swapped out

Router#

Configuring a Description for an Interface

You can add a description of an interface to help you remember its function. The description appears in the output of the following commands: show configuration, show running-config, and show interfaces.

Use the description command to add a description for an interface.

Cisco HWIC-4ESW and HWIC-D-9ESW EtherSwitch Interface Cards

SUMMARY STEPS

1. enable

2. configure terminal

3. interface fastethernet interface-id

4. description string

Book Title

Cisco HWIC-4ESW and HWIC-D-9ESW EtherSwitch Interface Cards

DETAILED STEPS

Command or Action Purpose

Step 1

enable

Example:

Router> enable

Step 2

configure terminal

Example:

Router# configure terminal

Step 3

interface fastethernet interface-id

Example:

Router(config)# interface fastethernet 0/1/0

Step 4

description string

How to Configure EtherSwitch HWICs

Enables privileged EXEC mode.

• Enter your password if prompted.

Enters global configuration mode.

Selects the interface to be configured.

Adds a description for an interface.

Example:

Router(config-if)# description newinterface

Configuring a Fast Ethernet Interface as a Layer 2 Trunk

Use this task to configure a Fast Ethernet interface as a Layer 2 trunk.

SUMMARY STEPS

1. enable

2. configure terminal

3. interface fastethernet interface-id

4. shutdown

5. switchport mode trunk

6. switchport trunk native vlan vlan-num

7. switchport trunk allowed vlan {add | except | none | remove} vlan1[,vlan[,vlan[,...]]

8. no shutdown

9. end

Book Title

How to Configure EtherSwitch HWICs

DETAILED STEPS

Command or Action Purpose

Step 1

enable

Example:

Router> enable

Step 2

configure terminal

Example:

Router# configure terminal

Step 3

interface fastethernet interface-id

Example:

Router(config)# interface fastethernet 0/1/0

Step 4

shutdown

Cisco HWIC-4ESW and HWIC-D-9ESW EtherSwitch Interface Cards

Enables privileged EXEC mode.

• Enter your password if prompted.

Enters global configuration mode.

Selects the interface to be configured.

(Optional) Shuts down the interface to prevent traffic flow until configuration is complete.

Step 5

Step 6

Step 7

Step 8

Step 9

Example:

Router(config-if)# shutdown

switchport mode trunk

Example:

Router(config-if)# switchport mode trunk

switchport trunk native vlan vlan-num

Example:

Router(config-if)# switchport trunk native vlan 1

switchport trunk allowed vlan {add | except | none | remove} vlan1[,vlan[,vlan[,...]]

Example:

Router(config-if)# switchport trunk allowed vlan add vlan1, vlan2, vlan3

no shutdown

Example:

Router(config-if)# no shutdown

end

Configures the interface as a Layer 2 trunk.

Note Encapsulation is always dot1q.

(Optional) For 802.1Q trunks, specifies the native VLAN.

(Optional) Configures the list of VLANs allowed on the trunk. All VLANs are allowed by default. You cannot remove any of the default VLANs from a trunk.

Activates the interface. (Required only if you shut down the interface.)

Exits configuration mode.

Example:

Router(config-if)# end

Book Title

Cisco HWIC-4ESW and HWIC-D-9ESW EtherSwitch Interface Cards

Note Ports do not support Dynamic Trunk Protocol (DTP). Ensure that the neighboring switch is set to a mode

that will not send DTP.

Verifying a Fast Ethernet Interface as a Layer 2 Trunk

Use the following show commands to verify the configuration of a Fast Ethernet interface as a Layer 2 trunk.

router# show running-config interfaces fastEthernet 0/3/1

Building configuration... Current configuration: 71 bytes ! interface FastEthernet0/3/1 switchport mode trunk no ip address end Router#

Router# show interfaces trunk

Port Mode Encapsulation Status Native vlan Fa0/3/1 on 802.1q trunking 1

How to Configure EtherSwitch HWICs

Port Vlans allowed on trunk Fa0/3/1 1-1005

Port Vlans allowed and active in management domain Fa0/3/1 1

Port Vlans in spanning tree forwarding state and not pruned Fa0/3/1 1

Router#

Configuring a Fast Ethernet Interface as Layer 2 Access

Follow these steps below to configure a Fast Ethernet interface as Layer 2 access.

SUMMARY STEPS

1. enable

2. configure terminal

3. interface fastethernet interface-id

4. shutdown

5. switchport mode access

6. switchport access vlan vlan-num

7. no shutdown

8. end

Book Title

How to Configure EtherSwitch HWICs

DETAILED STEPS

Command or Action Purpose

Step 1

enable

Example:

Router> enable

Step 2

configure terminal

Example:

Router# configure terminal

Step 3

interface fastethernet interface-id

Example:

Router(config)# interface fastethernet 0/1/0

Step 4

shutdown

Cisco HWIC-4ESW and HWIC-D-9ESW EtherSwitch Interface Cards

Enables privileged EXEC mode.

• Enter your password if prompted.

Enters global configuration mode.

Selects the interface to be configured.

(Optional) Shuts down the interface to prevent traffic flow until configuration is complete.

Step 5

Step 6

Step 7

Step 8

Example:

Router(config-if)# shutdown

switchport mode access

Example:

Router(config-if)# switchport mode access

switchport access vlan vlan-num

Example:

Router(config-if)# switchport access vlan 1

no shutdown

Example:

Router(config-if)# no shutdown

end

Example:

Router(config-if)# end

Configures the interface as a Layer 2 access.

For access ports, specifies the access VLAN.

Activates the interface.

• Required only if you shut down the interface.

Exits configuration mode.

Verifying a Fast Ethernet Interface as Layer 2 Access

Use the show running-config interface command to verify the running configuration of the interface, as shown below.

Router# show running-config interface fastethernet 0/1/2

Building configuration... Current configuration: 76 bytes ! interface FastEthernet0/1/2

Book Title

Cisco HWIC-4ESW and HWIC-D-9ESW EtherSwitch Interface Cards

switchport access vlan 3 no ip address end

Use the show interfaces command to verify the switchport configuration of the interface, as shown below.

Router# show interfaces f0/1/0 switchport

Name: Fa0/1/0 Switchport: Enabled Administrative Mode: static access Operational Mode: static access Administrative Trunking Encapsulation: dot1q Operational Trunking Encapsulation: native Negotiation of Trunking: Disabled Access Mode VLAN: 1 (default) Trunking Native Mode VLAN: 1 (default) Trunking VLANs Enabled: ALL Trunking VLANs Active: 1 Priority for untagged frames: 0 Override vlan tag priority: FALSE Voice VLAN: none Appliance trust: none

How to Configure EtherSwitch HWICs

Router#

Configuring 802.1x Authentication

This section describes how to configure 802.1x port-based authentication on an EtherSwitch HWIC:

• Information About the Default 802.1x Configuration, page 23

• Enabling 802.1x Authentication, page 25

• Configuring the Switch-to-RADIUS-Server Communication, page 26

• Enabling Periodic Reauthentication, page 28

• Changing the Quiet Period, page 29

• Changing the Switch-to-Client Retransmission Time, page 30

• Setting the Switch-to-Client Frame-Retransmission Number, page 32

• Enabling Multiple Hosts, page 33

• Resetting the 802.1x Configuration to the Default Values, page 34

• Displaying 802.1x Statistics and Status, page 35

Information About the Default 802.1x Configuration

Table 1 shows the default 802.1x configuration.

Book Title

How to Configure EtherSwitch HWICs

Table 1 Default 802.1x Configuration

Feature Default Setting

Authentication, authorization, and accounting (AAA)

RADIUS server

• IP address

Cisco HWIC-4ESW and HWIC-D-9ESW EtherSwitch Interface Cards

Disabled.

• None specified.

• UDP authentication port

• Key

• 1645.

• None specified.

Per-interface 802.1x enable state Disabled (force-authorized).

The port transmits and receives normal traffic without

802.1x-based authentication of the client.

Periodic reauthentication Disabled.

Number of seconds between

3600 seconds.

reauthentication attempts

Quiet period 60 seconds (number of seconds that the switch remains in

the quiet state following a failed authentication exchange with the client).

Retransmission time 30 seconds (number of seconds that the switch should

wait for a response to an EAP request/identity frame from the client before retransmitting the request).

Maximum retransmission number 2 times (number of times that the switch will send an

EAP-request/identity frame before restarting the authentication process).

Multiple host support Disabled.

Client timeout period 30 seconds (when relaying a request from the

authentication server to the client, the amount of time the switch waits for a response before retransmitting the request to the client). This setting is not configurable.

Authentication server timeout period 30 seconds (when relaying a response from the client to

the authentication server, the amount of time the switch waits for a reply before retransmitting the response to the server). This setting is not configurable.

Book Title

802.1x Configuration Guidelines

These are the 802.1x authentication configuration guidelines:

• When the 802.1x protocol is enabled, ports are authenticated before any other Layer 2 feature is

enabled.

• The 802.1x protocol is supported on Layer 2 static-access ports, but it is not supported on these port

types:

–

Trunk port—If you try to enable 802.1x on a trunk port, an error message appears, and 802.1x is not enabled. If you try to change the mode of an 802.1x-enabled port to trunk, the port mode is not changed.

Cisco HWIC-4ESW and HWIC-D-9ESW EtherSwitch Interface Cards

–

Switch Port Analyzer (SPAN) destination port—You can enable 802.1x on a port that is a SPAN destination port; however, 802.1x is disabled until the port is removed as a SPAN destination. You can enable 802.1x on a SPAN source port.

Enabling 802.1x Authentication

To enable 802.1x port-based authentication, you must enable AAA and specify the authentication method list. A method list describes the sequence and authentication methods to be queried to authenticate a user.

The software uses the first method listed to authenticate users; if that method fails to respond, the software selects the next authentication method in the method list. This process continues until there is successful communication with a listed authentication method or until all defined methods are exhausted. If authentication fails at any point in this cycle, the authentication process stops, and no other authentication methods are attempted.

Beginning in privileged EXEC mode, follow these steps to configure 802.1x port-based authentication. This procedure is required.

SUMMARY STEPS

How to Configure EtherSwitch HWICs

DETAILED STEPS

Command or Action Purpose

Step 1

enable

Example:

Router> enable

Step 2

configure terminal

Example:

Router# configure terminal

1. enable

2. configure terminal

3. aaa authentication dot1x {default | listname} method1 [method2...]

4. interface interface-id

5. dot1x port-control auto

6. end

7. show dot1x

8. copy running-config startup-config

Enables privileged EXEC mode.

• Enter your password if prompted.

Enters global configuration mode.

Book Title

How to Configure EtherSwitch HWICs

Command or Action Purpose

Step 3

aaa authentication dot1x {default | listname} method1 [method2...]

Example:

Router(config)# aaa authentication dot1x default newmethod

Step 4

interface interface-id

Example:

Router(config)# interface 0/1/3

Step 5

dot1x port-control auto

Cisco HWIC-4ESW and HWIC-D-9ESW EtherSwitch Interface Cards

Creates an 802.1x authentication method list.

• To create a default list that is used when a named list is

not specified in the authentication command, use the default keyword followed by the methods that are to be

used in default situations. The default method list is automatically applied to all interfaces.

• Enter at least one of these keywords:

–

group radius—Use the list of all RADIUS servers for authentication.

–

none—Use no authentication. The client is automatically authenticated without the switch using the information supplied by the client.

Enters interface configuration mode and specifies the interface to be enabled for 802.1x authentication.

Enables 802.1x on the interface.

Step 6

Step 7

Step 8

Example:

Router(config-if)# dot1x port-control auto

end

Example:

Router(config-if)# end

show dot1x

Example:

Router# show dot1x

copy running-config startup-config

Example:

Router# copy running-config startup-config

To disable AAA, use the no aaa new-model global configuration command. To disable 802.1x AAA authentication, use the no aaa authentication dot1x {default | list-name} method1 [method2...] global configuration command. To disable 802.1x, use the dot1x port-control force-authorized or the no dot1x port-control interface configuration command.

• For feature interaction information with trunk,

dynamic, dynamic-access, EtherChannel, secure, and SPAN ports see the “802.1x Configuration Guidelines”

section on page 24.

Returns to privileged EXEC mode.

Verifies your entries.

(Optional) Saves your entries in the configuration file.

Configuring the Switch-to-RADIUS-Server Communication

RADIUS security servers are identified by their host name or IP address, host name and specific UDP port numbers, or IP address and specific UDP port numbers. The combination of the IP address and UDP port number creates a unique identifier, which enables RADIUS requests to be sent to multiple UDP ports on a server at the same IP address. If two different host entries on the same RADIUS server are

Book Title

Cisco HWIC-4ESW and HWIC-D-9ESW EtherSwitch Interface Cards

configured for the same service—for example, authentication—the second host entry configured acts as the fail-over backup to the first one. The RADIUS host entries are tried in the order that they were configured.

Follow these steps to configure the RADIUS server parameters on the switch. This procedure is required.

SUMMARY STEPS

1. enable

2. configure terminal

3. radius-server host {hostname | ip-address} auth-port port-number key string

4. end

5. show running-config

6. copy running-config startup-config

DETAILED STEPS

Command or Action Purpose

Step 1

enable

Example:

Router> enable

Step 2

configure terminal

How to Configure EtherSwitch HWICs

Enables privileged EXEC mode.

• Enter your password if prompted.

Enters global configuration mode.

Step 3

Example:

Router# configure terminal

radius-server host {hostname | ip-address} auth-port port-number key string

Example:

Router# raduis-server host hostseven auth-port 75 key newauthority75

Configures the RADIUS server parameters on the switch.

• For hostname | ip-address, specify the host name or IP

address of the remote RADIUS server.

• For auth-port port-number, specify the UDP

destination port for authentication requests. The default is 1645.

• For key string, specify the authentication and

encryption key used between the switch and the RADIUS daemon running on the RADIUS server. The key is a text string that must match the encryption key used on the RADIUS server.

NoteAlways configure the key as the last item in the

radius-server host command syntax because leading spaces are ignored, but spaces within and at the end of the key are used. If you use spaces in the key, do not enclose the key in quotation marks unless the quotation marks are part of the key. This key must match the encryption used on the RADIUS daemon.

• If you want to use multiple RADIUS servers, repeat this

command.

Book Title

How to Configure EtherSwitch HWICs

Command or Action Purpose

Step 4

end

Example:

Router(config-if)# end

Step 5

show running-config

Example:

Router# show running-config

Step 6

copy running-config startup-config

Example:

Router# copy running-config startup-config

To delete the specified RADIUS server, use the no radius-server host {hostname | ip-address} global configuration command.

You can globally configure the timeout, retransmission, and encryption key values for all RADIUS servers by using the radius-server host global configuration command. If you want to configure these options on a per-server basis, use the radius-server timeout, radius-server retransmit, and the radius-server key global configuration commands.

You also need to configure some settings on the RADIUS server. These settings include the IP address of the switch and the key string to be shared by both the server and the switch. For more information, refer to the RADIUS server documentation.

Cisco HWIC-4ESW and HWIC-D-9ESW EtherSwitch Interface Cards

Returns to privileged EXEC mode.

Verifies your entries.

(Optional) Saves your entries in the configuration file.

Enabling Periodic Reauthentication

You can enable periodic 802.1x client reauthentication and specify how often it occurs. If you do not specify a time period before enabling reauthentication, the number of seconds between reauthentication attempts is 3600 seconds.

Automatic 802.1x client reauthentication is a global setting and cannot be set for clients connected to individual ports.

Follow these steps to enable periodic reauthentication of the client and to configure the number of seconds between reauthentication attempts.

SUMMARY STEPS

1. enable

2. configure terminal

3. dot1x re-authentication

4. dot1x timeout re-authperiod seconds

5. end

6. show dot1x

7. copy running-config startup-config

Book Title

Cisco HWIC-4ESW and HWIC-D-9ESW EtherSwitch Interface Cards

DETAILED STEPS

Command or Action Purpose

Step 1

enable

Example:

Router> enable

Step 2

configure terminal

Example:

Router# configure terminal

Step 3

dot1x re-authentication

Example:

Router(config)# dot1x re-authentication

Step 4

dot1x timeout re-authperiod seconds

Example:

Router(config)# dot1x timeout re-authperiod 120

Step 5

end

How to Configure EtherSwitch HWICs

Enables privileged EXEC mode.

• Enter your password if prompted.

Enters global configuration mode.

Enables periodic reauthentication of the client.

• Periodic reauthentication is disabled by default.

Sets the number of seconds between reauthentication attempts.

• The range is 1 to 4294967295; the default is 3600

seconds.

• This command affects the behavior of the switch only

if periodic reauthentication is enabled

Returns to privileged EXEC mode.

Example:

Router(config-if)# end

Step 6

show dot1x

Example:

Router# show dot1x

Step 7

copy running-config startup-config

Example:

Router# copy running-config startup-config

To disable periodic reauthentication, use the no dot1x re-authentication global configuration command. To return to the default number of seconds between reauthentication attempts, use the no dot1x timeout re-authperiod global configuration command.

Changing the Quiet Period

When the switch cannot authenticate the client, the switch remains idle for a set period of time, and then tries again. The idle time is determined by the quiet-period value. A failed authentication of the client might occur because the client provided an invalid password. You can provide a faster response time to the user by entering smaller number than the default.

Follow these steps to change the quiet period.

Verifies your entries.

(Optional) Saves your entries in the configuration file.

Book Title

How to Configure EtherSwitch HWICs

SUMMARY STEPS

1. enable

2. configure terminal

3. dot1x timeout quiet-period seconds

4. end

5. show dot1x

6. copy running-config startup-config

DETAILED STEPS

Command or Action Purpose

Step 1

enable

Example:

Router> enable

Step 2

configure terminal

Cisco HWIC-4ESW and HWIC-D-9ESW EtherSwitch Interface Cards

Enables privileged EXEC mode.

• Enter your password if prompted.

Enters global configuration mode.

Step 3

Step 4

Step 5

Step 6

Example:

Router# configure terminal

dot1x timeout quiet-period seconds

Example:

Router(config)#dot1x timeout quiet-period 120

end

Example:

Router(config-if)# end

show dot1x

Example:

Router# show dot1x

copy running-config startup-config

Example:

Router# copy running-config startup-config

To return to the default quiet time, use the no dot1x timeout quiet-period global configuration command.

Sets the number of seconds that the switch remains in the quiet state following a failed authentication exchange with the client.

• The range is 0 to 65535 seconds; the default is 60.

Returns to privileged EXEC mode.

Verifies your entries.

(Optional) Saves your entries in the configuration file.

Changing the Switch-to-Client Retransmission Time

The client responds to the EAP-request/identity frame from the switch with an EAP-response/identity frame. If the switch does not receive this response, it waits a set period of time (known as the retransmission time), and then retransmits the frame.

Book Title

+ 88 hidden pages

Cisco HWIC-4ESW, HWIC-D-9ESW User Manual

Specifications and Main Features

Frequently Asked Questions

User Manual

Contents

Prerequisites for EtherSwitch HWICs

Restrictions for EtherSwitch HWICs

Prerequisites for Installing Two Ethernet Switch Network Modules in a Single Chassis

Information About EtherSwitch HWICs

VLANs

Inline Power for Cisco IP Phones

Layer 2 Ethernet Switching

802.1x Authentication

Spanning Tree Protocol

Cisco Discovery Protocol

Switched Port Analyzer

IGMP Snooping

Storm Control

Intrachassis Stacking

Fallback Bridging

How to Configure EtherSwitch HWICs

Configuring VLANs

Adding a VLAN Instance

Deleting a VLAN Instance from the Database

Configuring VLAN Trunking Protocol

Configuring a VTP Server

Configuring a VTP Client

Disabling VTP (VTP Transparent Mode)

Verifying VTP

Configuring Layer 2 Interfaces

Configuring a Range of Interfaces

Defining a Range Macro

Configuring Layer 2 Optional Interface Features

Configuring 802.1x Authentication

Information About the Default 802.1x Configuration

Enabling 802.1x Authentication

Configuring the Switch-to-RADIUS-Server Communication

Enabling Periodic Reauthentication

Changing the Quiet Period

Changing the Switch-to-Client Retransmission Time