Catalyst 2950 Desktop Switch Software Configuration Guide
Cisco IOS Release 12.1(11)EA1 and 12.1(11)YJ
November 2002

Corporate Headquarters: Cisco Systems, Inc., 170 West Tasman Drive, San Jose, CA 95134-1706 USA, http://www.cisco.
THE SPECIFICATIONS AND INFORMATION REGARDING THE PRODUCTS IN THIS MANUAL ARE SUBJECT TO CHANGE WITHOUT NOTICE. ALL STATEMENTS, INFORMATION, AND RECOMMENDATIONS IN THIS MANUAL ARE BELIEVED TO BE ACCURATE BUT ARE PRESENTED WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED. USERS MUST TAKE FULL RESPONSIBILITY FOR THEIR APPLICATION OF ANY PRODUCTS.
CONTENTS

Preface: Audience; Purpose; Organization; Conventions; Related Publications; Obtaining Documentation (World Wide Web; Documentation CD-ROM; Ordering Documentation; Documentation Feedback); Obtaining Technical Assistance (Cisco.com ...)

Chapter 2, Using the Command-Line Interface: IOS Command Modes; Getting Help; Specifying Ports in Interface Configuration Mode; Abbreviating Commands; Using no and default Forms of Commands; Understanding CLI Messages; Using Command History (Changing the Command History Buffer Size; Recalling Commands; Disabling the Command History Feature); Using Editing Features (Enabling and Disabling Editing Features; Editing Commands through Keystrokes; Edit...)

Chapter 3, Getting Started with CMS (continued): Topology View Popup Menus (Link Popup Menu; Device Popup Menus); Interaction Modes (Guide Mode; Expert Mode); Wizards; Tool Tips; Online Help; CMS Window Components (Host Name List; Tabs, Lists, and Tables; Filter Editor; Icons Used in Windows; Buttons); Accessing CMS (Access Modes in CMS; HTTP Access to CMS); Verifying Your Changes (Change Notification; Error Checking); Saving Your Configuration; Restoring Your Configuration

Chapter 4, Assigning the Switch IP Address and Default Gateway (continued): Example Configuration; Manually Assigning IP Information; Checking and Saving the Running Configuration

Chapter 5, Configuring IE2100 CNS Agents: Understanding IE2100 Series Configuration Registrar Software (CNS Configuration Service; CNS Event Service; NameSpace Mapper; What You Should Know About ConfigID, DeviceID, and Host Name; ConfigID; DeviceID; Host Name and DeviceID; Using Host Name, DeviceID, and ConfigID); Understanding CNS Embedded Agent...

Chapter 6 (continued): Virtual IP Addresses; Other Considerations for Cluster Standby Groups; Automatic Recovery of Cluster Configuration (IP Addresses; Host Names; Passwords; SNMP Community Strings; TACACS+ and RADIUS; Access Modes in CMS; Management VLAN; LRE Profiles); Availability of Switch-Specific Features in Switch Clusters; Creating a Switch Cluster (Enabling a Command Switch; Adding Member Switches; Creating a Cluster Standby Group; Verifying a Switch Cluster)

Chapter 7 (continued): Identifying the TACACS+ Server Host and Setting the Authentication Key; Configuring TACACS+ Login Authentication; Configuring TACACS+ Authorization for Privileged EXEC Access and Network Services; Starting TACACS+ Accounting; Displaying the TACACS+ Configuration; Controlling Switch Access with RADIUS (Understanding RADIUS; RADIUS Operation; Configuring RADIUS; Default RADIUS Configuration; Identifying the RADIUS Server Host; Configuring RADIUS Login Au...)

Chapter 7 (continued): Configuring a System Name and Prompt (Default System Name and Prompt Configuration; Configuring a System Name; Configuring a System Prompt); Understanding DNS (Default DNS Configuration; Setting Up DNS; Displaying the DNS Configuration); Creating a Banner (Default Banner Configuration; Configuring a Message-of-the-Day Login Banner; Configuring a Login Banner); Managing the MAC Address Table (Building the Address Table; MAC Addresses and VLANs ...)

Chapter 8, Configuring 802.1X Port-Based Authentication (continued): Changing the Switch-to-Client Retransmission Time; Setting the Switch-to-Client Frame-Retransmission Number; Enabling Multiple Hosts; Resetting the 802.1X Configuration to the Default Values; Displaying 802...

Chapter 10 (continued): Guidelines for Using LRE Profiles; CPE Ethernet Link Guidelines; Considerations for Connected Cisco 575 LRE CPEs; Considerations for Connected Cisco 585 LRE CPEs; Assigning a Global Profile to All LRE Ports; Assigning a Profile to a Specific LRE Port; Assigning a Global Sequence to All LRE Ports; Assigning a Sequence to a Specific LRE Port; Using Rate Selection to Automatically Assign Profiles (Precedence; Profile Locking; Link Qualification and SNR ...)

Chapter 11 (continued): Spanning Tree and Redundant Connectivity; Accelerated Aging to Retain Connectivity; Configuring Spanning-Tree Features (Default STP Configuration; STP Configuration Guidelines; Disabling STP; Configuring the Root Switch; Configuring a Secondary Root Switch; Configuring the Port Priority; Configuring the Path Cost; Configuring the Switch Priority of a VLAN; Configuring the Hello Time; Configuring the Forwarding-Delay Time for a VLAN; Con...)

Chapter 12 (continued): Configuring a Secondary Root Switch; Configuring the Port Priority; Configuring the Path Cost; Configuring the Switch Priority; Configuring the Hello Time; Configuring the Forwarding-Delay Time; Configuring the Maximum-Aging Time; Configuring the Maximum-Hop Count; Specifying the Link Type to Ensure Rapid Transitions; Restarting the Protocol Migration Process; Displaying the MST Configuration and Status

Chapter 13, Configuring Optional Spanning-Tree Fe...

Chapter 14, Configuring VLANs: Understanding VLANs (Supported VLANs; VLAN Port Membership Modes); Configuring Normal-Range VLANs (Token Ring VLANs; Normal-Range VLAN Configuration Guidelines; VLAN Configuration Mode Options; VLAN Configuration in config-vlan Mode; VLAN Configuration in VLAN Configuration Mode; Saving VLAN Configuration; Default Ethernet VLAN Configuration; Creating or Modifying an Ethernet VLAN; Deleting a VLAN; Assigning Sta...)

Chapter 14 (continued): Configuring the VMPS Client (Entering the IP Address of the VMPS; Configuring Dynamic Access Ports on VMPS Clients; Reconfirming VLAN Memberships; Changing the Reconfirmation Interval; Changing the Retry Count); Monitoring the VMPS; Troubleshooting Dynamic Port VLAN Membership; VMPS Configuration Example

Chapter 15, Configuring VTP: Understanding VTP (The VTP Domain; VTP Modes; VTP Advertisements; VTP Version 2; VTP Pruning ...)

Chapter 16 (continued): Default Voice VLAN Configuration; Voice VLAN Configuration Guidelines; Configuring a Port to Connect to a Cisco 7960 IP Phone; Configuring Ports to Carry Voice Traffic in 802.1Q Frames; Configuring Ports to Carry Voice Traffic in 802...

Chapter 18, Configuring Port-Based Traffic Control: Configuring Storm Control (Understanding Storm Control; Default Storm Control Configuration; Enabling Storm Control; Disabling Storm Control); Configuring Protected Ports; Configuring Port Security (Understanding Port Security; Secure MAC Addresses; Security Violations; Default Port Security Configuration; Port Security Configuration Guidelines; Enabling and Configuring Port Security; En...)

Chapter 21 (continued): SPAN Session; Traffic Types; Source Port; Destination Port; Reflector Port; VLAN-Based SPAN; SPAN Traffic; SPAN and RSPAN Interaction with Other Features; SPAN and RSPAN Session Limits; Default SPAN and RSPAN Configuration; Configuring SPAN (SPAN Configuration Guidelines; Creating a SPAN Session and Specifying Ports to Monitor; Removing Ports from a SPAN Session; Specifying VLANs to Monitor; Specifying VLANs to Filter); Configur...

Chapter 23 (continued): Setting the Message Display Destination Device; Synchronizing Log Messages; Enabling and Disabling Timestamps on Log Messages; Enabling and Disabling Sequence Numbers in Log Messages; Defining the Message Severity Level; Limiting Syslog Messages Sent to the History Table and to SNMP; Configuring UNIX Syslog Servers (Logging Messages to a UNIX Syslog Daemon; Configuring the UNIX System Logging Facility); Displaying the Logging Configuration

Chapter 24, Confi...

Chapter 25, Configuring Network Security with ACLs (continued): ACL Numbers; Creating a Numbered Standard ACL; Creating a Numbered Extended ACL; Creating Named Standard and Extended ACLs; Applying Time Ranges to ACLs; Including Comments About Entries in ACLs; Creating Named MAC Extended ACLs; Creating MAC Access Groups; Applying ACLs to Terminal Lines or Physical Interfaces (Applying ACLs to a Terminal Line; Applying ACLs to a Physical Interface); Displaying ACL Information (Displaying ACLs; Displ...)

Chapter 26, Configuring QoS (continued): Configuring Trusted Boundary; Enabling Pass-Through Mode; Configuring a QoS Policy (Classifying Traffic by Using ACLs; Classifying Traffic by Using Class Maps; Classifying, Policing, and Marking Traffic by Using Policy Maps); Configuring CoS Maps (Configuring the CoS-to-DSCP Map; Configuring the DSCP-to-CoS Map); Configuring CoS and WRR (Configuring CoS Priority Queues; Configuring WRR); Displaying QoS Information; QoS Configuration ...

Chapter 28 (continued): Replacing a Failed Command Switch with a Cluster Member; Replacing a Failed Command Switch with Another Switch; Recovering from Lost Member Connectivity; Preventing Autonegotiation Mismatches; Troubleshooting LRE Port Configuration; GBIC and SFP Module Security and Identification; Using Debug Commands (Enabling Debugging on a Specific Feature; Enabling All-System Diagnostics; Redirecting Debug and Error Message Output); Using the crashinfo File

Appendix B (continued): Copying Configuration Files By Using FTP (Preparing to Download or Upload a Configuration File By Using FTP; Downloading a Configuration File By Using FTP; Uploading a Configuration File By Using FTP); Copying Configuration Files By Using RCP (Preparing to Download or Upload a Configuration File By Using RCP; Downloading a Configuration File By Using RCP; Uploading a Configuration File By Using RCP); Clearing Configuration Information (Clearing the Startup Configu...)

Catalyst 2950 Desktop Switch Software Configuration Guide, 78-14982-01
Preface

Audience

The Catalyst 2950 Desktop Switch Software Configuration Guide is for the network manager responsible for configuring the Catalyst 2950 switches, hereafter referred to as the switches. Before using this guide, you should be familiar with the concepts and terminology of Ethernet and local area networking.

Purpose

This guide provides information about configuring and troubleshooting a Catalyst 2950 or Catalyst 2950 Long-Reach Ethernet (LRE) switch or switch clusters.

Organization

This guide does not describe system messages you might encounter or how to install your switch. For more information, refer to the Catalyst 2950 Desktop Switch System Message Guide for this release and to the Catalyst 2950 Desktop Switch Hardware Installation Guide.

Note: This guide does not repeat the concepts and CLI procedures provided in the standard Cisco IOS Release 12.1 documentation. For information about the standard IOS Release 12.

Chapter 8, "Configuring 802.1X Port-Based Authentication," describes how to configure 802.1X port-based authentication to prevent unauthorized devices (clients) from gaining access to the network. As LANs extend to hotels, airports, and corporate lobbies, insecure environments could be created.

Chapter 9, "Configuring the Switch Interfaces," defines the types of interfaces on the switch.

Chapter 25, "Configuring Network Security with ACLs," describes how to configure network security by using access control lists (ACLs).

Chapter 26, "Configuring QoS," describes how to configure quality of service (QoS) on your switch. With this feature, you can provide preferential treatment to certain types of traffic.

Chapter 27, "Configuring EtherChannels," describes how to bundle a set of individual ports into a single logical link on the interfaces.

Related Publications

These documents provide complete information about the switch and are available from this Cisco.com site: http://www.cisco.com/univercd/cc/td/doc/product/lan/cat2950/index.htm

You can order printed copies of documents with a DOC-xxxxxx= number from the Cisco.com sites and from the telephone numbers listed in the "Obtaining Documentation" section.

Note: Release Notes for the Catalyst 2950 Switch (not orderable, but available on Cisco.com)

Obtaining Documentation

Documentation CD-ROM: Cisco documentation and additional literature are available in a Cisco Documentation CD-ROM package, which is shipped with your product. The Documentation CD-ROM is updated monthly and may be more current than printed documentation. The CD-ROM package is available as a single unit or through an annual subscription.

Ordering Documentation: You can order Cisco documentation in these ways: Registered Cisco.com ...

Obtaining Technical Assistance

Cisco.com: Cisco.com is the foundation of a suite of interactive, networked services that provides immediate, open access to Cisco information, networking solutions, services, programs, and resources at any time, from anywhere in the world.

If you are a Cisco.com registered user, and you cannot resolve your technical issues by using the Cisco TAC Web Site, you can open a case online by using the TAC Case Open tool at this URL: http://www.cisco.com/tac/caseopen

If you have Internet access, we recommend that you open P3 and P4 cases through the Cisco TAC Web Site.

Cisco TAC Escalation Center: The Cisco TAC Escalation Center addresses priority level 1 or priority level 2 issues.
Chapter 1: Overview

This chapter provides these topics about the Catalyst 2950 switch software:
- Features
- Management Options
- Network Configuration Examples
- Where to Go Next

Features

The Catalyst 2950 software supports the switches listed in Table 1-1 and in the release notes. This section describes the features supported in this release.

Note: Some features require that you have the EI installed on your switch. For a list of the switches that support the EI, see Table 1-1, or refer to the release notes for this release.

LRE Switch-Specific Support: The Long-Reach Ethernet (LRE) switches support all of the listed EI features in addition to some features specific to LRE.

- Switch clustering technology used with CMS for:
  - Unified configuration, monitoring, authentication, and software upgrade of multiple switches (refer to the release notes for a list of eligible cluster members).
  - Automatic discovery of candidate switches and creation of clusters of up to 16 switches that can be managed through a single IP address.
  - Extended discovery of cluster candidates that are not directly connected to the command switch.
- Address Resolution Protocol (ARP) for identifying a switch through its IP address and its corresponding MAC address
- Cisco Discovery Protocol (CDP) versions 1 and 2 for network topology discovery and mapping between the switch and other Cisco devices on the network
- Network Time Protocol (NTP) for providing a consistent timestamp to all switches from an external source
- Directed unicast requests to a Trivial File Transfer Protocol (TFTP) server for obtaining softwa...
- Loop guard for preventing alternate or root ports from becoming designated ports because of a failure that leads to a unidirectional link

Note: The switch supports up to 64 spanning-tree instances.

VLAN Support

- The switches support 250 port-based VLANs for assigning users to VLANs associated with appropriate network resources, traffic patterns, and bandwidth.

Note: The Catalyst 2950-12, Catalyst 2950-24, and Catalyst 2950SX-24 switches support only 64 port-based VLANs.

Quality of Service and Class of Service

- Classification
  - IEEE 802.

Management Options

The switches are designed for plug-and-play operation: you only need to assign basic IP information to the switch and connect it to the other devices in your network. If you have specific network needs, you can configure and monitor the switch, on an individual basis or as part of a switch cluster, through its various management interfaces.

Network Configuration Examples

By using switch clusters and CMS, you can:
- Manage and monitor interconnected Catalyst switches (refer to the release notes for a list of supported switches), regardless of their geographic proximity and interconnection media, including Ethernet, Fast Ethernet, Fast EtherChannel, Cisco GigaStack Gigabit Interface Converter (GBIC), Gigabit Ethernet, and Gigabit EtherChannel connections.

Table 1-2 Increasing Network Performance

Network demands:
- Too many users on a single network segment and a growing number of users accessing the Internet
- Increased power of new PCs, workstations, and servers
- High demand from networked applications (such as e-mail with large attached files) and from bandwidth-intensive applications (such as multimedia)

Suggested design methods:
- Create smaller network segments so that fewer users share the band...

You can create backup paths by using Fast Ethernet, Gigabit, Fast EtherChannel, or Gigabit EtherChannel links. Using Gigabit modules on two of the switches, you can have redundant uplink connections to a Gigabit backbone switch such as the Catalyst 3550-12G switch. If one of the redundant connections fails, the other can serve as a backup path.
Figure 1-1 Example Configurations (figure: a cost-effective wiring closet and a high-performance workgroup, each built from a Catalyst 2900, Catalyst 2950, Catalyst 3500, and Catalyst 3550 GigaStack cluster uplinked to a Catalyst 3550-12T or Catalyst 3550-12G switch; the workgroup uses 1-Gbps HSRP links to a Gigabit server)
A network backbone is a high-bandwidth connection (such as Fast Ethernet or Gigabit Ethernet) that interconnects segments and network resources. It is required if numerous segments require access to the servers. The Catalyst 2900, Catalyst 2950, Catalyst 3500, and Catalyst 3550 switches in this network are connected through a GigaStack GBIC on each switch to form a 1-Gbps network backbone.

Collapsed Backbone and Switch Cluster Configuration

Figure 1-3 shows a configuration for a network of approximately 500 employees. This network uses a collapsed backbone and switch clusters. A collapsed backbone has high-bandwidth uplinks from all segments and subnetworks to a single device, such as a Gigabit switch, that serves as a single point for monitoring and controlling the network.
Figure 1-3 Collapsed Backbone and Switch Cluster Configuration (figure: Gigabit servers and Cisco CallManager attached to a Catalyst 3550-12T or Catalyst 3550-12G switch, with a Cisco 2600 router; 200-Mbps Fast EtherChannel (400 Mbps full duplex) and 1-Gbps (2 Gbps full duplex) uplinks to Catalyst 2950, 2900, 3550, and 3500 GigaStack clusters and a Catalyst 3524-PWR GigaStack cluster serving Cisco IP Phones and workstations running Cisco SoftPhone software)

Figure 1-4 Large Campus Configuration (figure: an IP telephony network or PSTN and a WAN reached through a Cisco access gateway and a Cisco 7200 or 7500 router; Cisco CallManager and servers attached to a Catalyst 6500 switch; 1-Gbps (2 Gbps full duplex) links to a Catalyst 2950, 2900, 3500, and 3550 GigaStack cluster and a Catalyst 3524-PWR GigaStack cluster serving Cisco IP Phones and workstations running Cisco SoftPhone software)
Hotel Network Configuration

Figure 1-5 shows the Catalyst 2950 LRE switches in a hotel network environment with approximately 200 rooms. This network includes a PBX switchboard, a router, and high-speed servers. Connected to the telephone line in each hotel room is an LRE CPE device, such as a Cisco LRE CPE device.

You can manage the switches as a switch cluster and through the Cluster Management Suite (CMS). You can also manage and monitor the individual CPE devices from the LRE switches to which they are connected. The Catalyst 2950 LRE switch ports support the same software features as 10/100/1000 switch ports.

Multidwelling Network Using Catalyst 2950 Switches

A growing segment of residential and commercial customers requires high-speed access to Ethernet metropolitan-area networks (MANs). Figure 1-6 shows a configuration for a Gigabit Ethernet MAN ring using Catalyst 3550 multilayer switches as aggregation switches in the mini-point-of-presence (POP) location. These switches are connected through 1000BASE-X GBIC ports.
Figure 1-6 Catalyst 2950 Switches in a MAN Configuration (figure: a service provider POP with Cisco 12000 Gigabit switch routers and Catalyst 6500 switches; a Gigabit MAN ring of Catalyst 3550 multilayer switches at the mini-POP; Catalyst switches at each residential location connecting a residential gateway (hub), set-top boxes, TVs, and a PC)
Long-Distance, High-Bandwidth Transport Configuration

Note: To use the feature described in this section, you must have the EI installed on your Catalyst 2950 switch. This feature does not apply to the Catalyst 2950 LRE switches.

Figure 1-7 shows a configuration for transporting gigabits of data from one location to an off-site backup facility over a single fiber-optic cable.

Where to Go Next

Before configuring the switch, review these sections for start-up information:
- Chapter 2, "Using the Command-Line Interface"
- Chapter 3, "Getting Started with CMS"
- Chapter 4, "Assigning the Switch IP Address and Default Gateway"
- Chapter 5, "Configuring IE2100 CNS Agents"
Chapter 2: Using the Command-Line Interface

This chapter describes the IOS command-line interface (CLI) that you can use to configure your switches.

IOS Command Modes

Table 2-1 describes the main command modes, how to access each one, the prompt you see in that mode, and how to exit the mode. The examples in the table use the host name Switch.

Table 2-1 Command Mode Summary

- User EXEC
  - Access method: Begin a session with your switch.
  - Prompt: Switch>
  - Exit method: Enter logout or quit.
  - About this mode: Use this mode to change terminal settings and perform basic tests.
- VLAN configuration
  - Access method: While in privileged EXEC mode, enter the vlan database command.
  - Prompt: Switch(vlan)#
  - Exit method: To exit to privileged EXEC mode, enter exit.
  - About this mode: Use this mode to configure VLAN parameters for VLANs 1 to 1005 in the VLAN database.
- Interface configuration
  - Access method: While in global configuration mode, enter the interface command (with a specific interface).

Getting Help

Table 2-2 Help Summary (continued)

- command ? : List the associated keywords for a command. For example: Switch> show ?
- command keyword ? : List the associated arguments for a keyword.

Specifying Ports in Interface Configuration Mode

- Port number: The number of the physical port on the switch. Refer to your switch for the port numbers.

Abbreviating Commands

You have to enter only enough characters for the switch to recognize the command as unique. This example shows how to enter the show configuration privileged EXEC command:

Switch# show conf

Using no and default Forms of Commands

Almost every configuration command also has a no form.
Using Command History

The IOS provides a history or record of commands that you have entered. This feature is particularly useful for recalling long or complex commands or entries, including access lists.

Disabling the Command History Feature

The command history feature is automatically enabled. To disable the feature during the current terminal session, enter the terminal no history privileged EXEC command. To disable command history for the line, enter the no history line configuration command.

Using Editing Features

This section describes the editing features that can help you manipulate the command line.
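The session below is an added illustration, not a transcript from the original guide, and ties together the mode transitions, command abbreviation, the no form, and the history commands described above on a switch with the host name Switch. The interface name fastethernet0/1, the vty line range, and the history buffer size of 50 are assumed values; lines beginning with "!" are annotations rather than commands.

```text
! Added example: one CLI session through the modes in Table 2-1.
Switch> enable
! user EXEC -> privileged EXEC (prompts for the enable password if one is set)
Switch# show conf
! abbreviation of "show configuration"; enough characters to be unique
Switch# configure terminal
! privileged EXEC -> global configuration
Switch(config)# interface fastethernet0/1
! global configuration -> interface configuration (assumed port)
Switch(config-if)# shutdown
! take the port down; the "no" form reverses it
Switch(config-if)# no shutdown
Switch(config-if)# exit
! exit returns one level, to global configuration
Switch(config)# line vty 0 4
! global configuration -> line configuration for the Telnet lines
Switch(config-line)# history size 50
! command-history buffer for these lines (assumed size)
Switch(config-line)# end
! end returns to privileged EXEC from any configuration mode
Switch# terminal history size 50
! history buffer for the current session only
Switch# terminal no history
! disable command history for the current session only
Switch# vlan database
! privileged EXEC -> VLAN configuration mode
Switch(vlan)# exit
! exit applies the VLAN changes and returns to privileged EXEC
Switch# logout
! end the session
```

The terminal commands affect only the current session, while history size under the line applies to everyone who logs in on those lines; changes made in configuration mode are in the running configuration only until you save them.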
Editing Commands through Keystrokes

Table 2-5 shows the keystrokes that you need to edit command lines.

Table 2-5 Editing Commands through Keystrokes

- Move around the command line to make changes or corrections:
  - Press Ctrl-B, or press the left arrow key: Move the cursor back one character.
  - Press Ctrl-F, or press the right arrow key: Move the cursor forward one character.
  - Press Ctrl-A: Move the cursor to the beginning of the command line.
- Scroll down a line or screen on displays that are longer than the terminal screen can display:
  - Press the Return key: Scroll down one line.
  - Press the Space bar: Scroll down one screen.
- Press Ctrl-L or Ctrl-R: Redisplay the current command line.

Use line wrapping with the command history feature to recall and modify previous complex command entries. For information about recalling previous command entries, see the "Editing Commands through Keystrokes" section.

Searching and Filtering Output of show and more Commands

You can search and filter the output for show and more commands.
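The commands below are an added example, not part of the original guide, showing how the include and begin filters on show running-config narrow a long configuration down to the lines that matter when auditing management access (terminal lines, their transport, passwords, SNMP community strings, and any ACL applied to a terminal line as described in Chapter 25). The host name Switch and the exact lines returned depend on your configuration; the filter expressions are regular expressions, so ^ anchors a match to the start of a line and | separates alternatives. Lines beginning with "!" are annotations.

```text
! Added example: filtering show output to review management-access settings.
! Run from privileged EXEC; the filter keyword follows the pipe character.

! Only lines that define terminal lines, their allowed transports, passwords,
! access-class ACLs, and SNMP communities.
Switch# show running-config | include ^line |transport input|password|access-class|snmp-server community

! Everything from the first vty line block to the end of the configuration,
! so the vty settings are shown in context.
Switch# show running-config | begin line vty

! Confirm which password form is in use: "enable secret" is a one-way hash,
! while "enable password" and "password 7" lines are reversibly encoded.
Switch# show running-config | include ^enable
```

What to look for in the output: vty lines without an access-class, transport input settings that allow more protocols than you need, plaintext or type-7 passwords instead of enable secret, and SNMP community strings that were never changed from a default.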
Accessing the CLI from a Browser

This procedure assumes you have met the software requirements (including browser and Java plug-in configurations) and have assigned IP information and a Telnet password to the switch or command switch, as described in the release notes. Both HTTP and Telnet send the password in cleartext, so restrict this access to a trusted management network; Chapter 25 describes applying an ACL to a terminal line.

To access the CLI from a web browser, follow these steps:

Step 1: Start one of the supported browsers.
Chapter 3: Getting Started with CMS

This chapter provides these topics about the Cluster Management Suite (CMS) software:
- Features
- Front Panel View
- Topology View
- Menus and Toolbar
- Interaction Modes
- Wizards
- Online Help
- CMS Window Components
- Accessing CMS
- Verifying Your Changes
- Saving Your Configuration
- Restoring Your Configuration

Features

CMS provides these features (see Figure 3-1) for managing switch clusters and individual switches from web browsers such as Netscape Communicator or Microsoft Internet Explorer:
- Two views of your network that can be displayed at the same time:
  - The Front Panel view displays the front-panel image of a specific switch or the front-panel images of all switches in a cluster.
- Two levels of access to the configuration options: read-write access for users allowed to change switch settings; read-only access for users allowed to only view switch settings.
- Consistent set of GUI components (such as tabs, buttons, drop-down lists, tables, and so on) for a uniform approach to viewing and setting configuration parameters (see Figure 3-1).

Figure 3-1 CMS Features (figure: the toolbar; move the cursor over an icon to display its tool tip)
Front Panel View

When CMS is launched from a command switch, the Front Panel view displays the front-panel images of all the switches in the cluster (see Figure 3-2 for a 2950 LRE switch and Figure 3-3 for a 2950 non-LRE switch). You can use the cursor to re-arrange the order of the switches in this window.

Figure 3-2 Front Panel View from a 2950 LRE Command Switch (figure: cluster tree and front-panel images for the cluster at 10.1.1.x)

Figure 3-3 Front Panel View from a 2950 Command Switch (figure: cluster1 at 10.1.1.2, with these callouts: Cluster tree. Right-click a member switch image to display the device pop-up menu, and select an option to view or change system-related settings. Right-click the command switch image to display the cluster pop-up menu, and select a cluster-related option.)

Figure 3-5 Front Panel View from a 2950 non-LRE Standalone Switch (figure: a 2950-24 front panel, with these callouts: Press Ctrl, and then left-click ports to select multiple ports. The color of the port LED reflects port or link status. Left-click the Mode button to change the meaning of the port LEDs. The Mode LEDs display the current port mode and the status of the switch and connected RPS. Right-click a port to display the port pop-up menu, and select an option to view or change port settings.)
Front-Panel Images

You can manage the switch from a remote station by using the front-panel images. The front-panel images are updated based on the network polling interval that you set from CMS > Preferences. This section includes descriptions of the LED images. Similar descriptions of the switch LEDs are provided in the switch hardware installation guide.

Note: The Preferences window is not available if your switch access level is read-only.

Table 3-2 Port Icon Colors for the CWDM GBIC Module Ports

- 1470 nanometers (nm): Gray
- 1490 nm: Violet
- 1510 nm: Blue
- 1530 nm: Green
- 1550 nm: Yellow
- 1570 nm: Orange
- 1590 nm: Red
- 1610 nm: Brown

Redundant Power System LED

The Redundant Power System (RPS) LED shows the RPS status (see Table 3-3).

To select or change a mode, click the Mode button until the desired mode LED is green.

Table 3-4 Port Modes

- STAT: Link status of the ports or the Ethernet link status on the remote customer premises equipment (CPE) device. This is the default mode except for the Catalyst 2950 LRE switches.
- DUPLX: Duplex setting on the ports. The default setting on the 10/100 ports is auto. The default setting on the 10/100/1000 ports is full.

Table 3-6 VLAN Membership Modes

- Static access: Light green
- Dynamic access: Pink
- 802.1Q trunk: Peach
- Negotiate trunk: White

Topology View

The Topology view displays how the devices within a switch cluster are connected and how the switch cluster is connected to other clusters and devices. From this view, you can add and remove cluster members.
Figure 3-8 Expand Cluster View
Figure callouts: Cluster members of cluster1 and other devices connected to cluster1. Right-click a device icon to display a device popup menu. Right-click a link icon to display a link popup menu.
Figure 3-9 Collapse Cluster View
Figure callouts: Neighboring cluster connected to cluster1. Devices connected to cluster1 that are not eligible to join the cluster.
Topology Icons
The Topology view and the cluster tree use the same set of device icons to represent clusters, command and standby command switches, and member switches (see Figure 3-10).

Figure 3-11 Topology-View Link Icons

Device and Link Labels
The Topology view displays device and link information by using these labels:
• Cluster and switch names
• Switch MAC and IP addresses
• Link type between the devices
• Link speed and IDs of the interfaces on both ends of the link
When using these labels, keep these considerations in mind:
• The IP address displays only in the labels for the command switch and member switches.

Colors in the Topology View
The colors of the Topology view icons show the status of the devices and links (see Table 3-7, Table 3-8, and Table 3-9).
Table 3-7 Device Icon Colors
Icon Color  Color Meaning
Green       The device is operating.
Yellow (1)  The internal fan of the switch is not operating, or the switch is receiving power from an RPS.
Red (1)     The device is not operating.
1. Available only on the cluster members.

Topology Display Options
You can set the type of information displayed in the Topology view by changing the settings in the Topology Options window. To display this window, select View > Topology Options.
Note:
• We strongly recommend that the highest-end, command-capable switch in the cluster be the command switch:
  – If your switch cluster has a Catalyst 3550 switch, that switch should be the command switch.
  – If your switch cluster has Catalyst 2900 XL, Catalyst 2950, and Catalyst 3500 XL switches, the Catalyst 2950 should be the command switch.

Table 3-11 Menu Bar
Menu-Bar Options  Task
CMS
  Page Setup  Set default document printer properties to be used when printing from CMS.
  Print Preview  View the way the CMS window or help file will appear when printed.
  Print  Print a CMS window or help file.
  Guide Mode/Expert Mode  Select which interaction mode to use when you select a configuration option.
  Preferences (1)

Table 3-11 Menu Bar (continued)
Menu-Bar Options  Task
  STP (2)  Display and configure STP parameters for a switch.
  IGMP Snooping (2)  Enable and disable Internet Group Management Protocol (IGMP) snooping and IGMP Immediate-Leave processing on the switch. Join or leave multicast groups, and configure multicast routers.
  802.1X (1)  Configure 802.1X authentication of devices as they are attached to LAN ports in a point-to-point infrastructure.
  Voice VLAN (2)  Configure a port to use a voice VLAN for voice traffic, separating it from the VLANs for data traffic.
Reports
  Inventory  Display the device type, software version, IP address, and other information about a switch.
  Port Statistics  Display port statistics.
  Bandwidth Graphs  Display graphs that plot the total bandwidth in use by the switch.
Help
  For Active Window  Display the help for the active open window. This is the same as clicking Help from the active window.
  Contents  List all of the available online help topics.
  Legend  Display the legend that describes the icons, labels, and links.
  About  Display the CMS version number.
1. Not available in read-only mode. For more information about the read-only and read-write access modes, see the “Access Modes in CMS” section on page 3-31.
2. Some options from this menu option are not available in read-only mode.
3. Available only from a cluster-management session.

Front Panel View Popup Menus
These popup menus are available in the Front Panel view.

Table 3-14 Port Popup Menu (continued)
Popup Menu Option  Task
Link Graphs (3)    Display a graph showing the bandwidth used by the selected link.
Select All Ports   Select all ports on the switch for global configuration.
1. Some options from this menu option are not available in read-only mode.
2. Available on switches that support the Port Security feature.
3.
Figure 3-12 Multilink Decomposer Window

Device Popup Menus
Specific devices in the Topology view display a specific popup menu:
• Cluster (see Table 3-16)
• Command switch (see Table 3-17)
• Member or standby command switch (see Table 3-18)
• Candidate switch with an IP address (see Table 3-19)
• Candidate switch without an IP address (see Table 3-20)
• Neighboring devices (see Table 3-21)
Note: The Device Manager option in these popup men

Table 3-17 Device Popup Menu of a Command-Switch Icon
Popup Menu Option  Task
Collapse cluster   View the neighborhood outside a specific cluster.
Host Name (1)      Change the host name of a switch.
Bandwidth Graphs   Display graphs that plot the total bandwidth in use by the switch.
Properties         Display information about the device.
1. Not available in read-only mode.

Table 3-21 Device Popup Menu of a Neighboring-Device Icon
Popup Menu Option     Task
Device Manager (1)    Access the web management interface of the device.
                      Note: This option is available on Cisco access points, but not on Cisco IP phones, hubs, routers and on unknown devices such as some Cisco devices and third-party devices.
Disqualification Code Display the reason why the device could not join the cluster.

Wizards
Note: Wizards are not available if your switch access level is read-only. For more information about the read-only access mode, see the “Access Modes in CMS” section on page 3-31.
Wizards simplify some configuration tasks on the switch. Similar to the guide mode, wizards provide a step-by-step approach for completing a specific configuration task. Unlike guide mode, a wizard does not prompt you to provide information for all of the feature options.
Figure 3-13 Help Contents and Index
Figure 3-14 Help Contents and Index
Figure callouts: Glossary of terms used in the online help. Legend of icons and color codes. Feature help, such as concepts. Information about the CMS interface. Enter the first letters of the topic, and click Find to search the index. Click Back and Forward to redisplay previously displayed pages. Click Feedback to send us your comments about the online help.

CMS Window Components
CMS windows consistently present configuration information. Figure 3-15 shows the components of a typical CMS window.
Figure 3-15 CMS Window Components
Figure callouts: OK saves your changes and closes the window. Modify displays a secondary window from which you can change settings. Click a row to select it. Press Shift, and left-click another row to select contiguous multiple rows.
Tabs, Lists, and Tables
Some CMS windows have tabs that present different sets of information. Tabs are arranged like folder headings across the top of the window. Click the tab to display its information. Listed information can often be changed by selecting an item from a list. To change the information, select one or more items, and click Modify. Changing multiple items is limited to those items that apply to at least one of the selections.

Buttons
These are the most common buttons that you use to change the information in a CMS window:
• OK—Save any changes and close the window. If you made no changes, the window closes. If CMS detects errors in your entry, the window remains open. For more information about error detection, see the “Error Checking” section on page 3-32.
• Apply—Save any changes made in the window and leave the window open.

Accessing CMS
To access CMS, follow these steps:
Step 1 Enter the switch IP address and your privilege level in the browser Location field (Netscape Communicator) or Address field (Microsoft Internet Explorer). For example:
http://10.1.126.45:184/level/14/
where 10.1.126.45 is the switch IP address, 184 is the HTTP port, and level/14 is the privilege level.

• These switches do not support read-only mode on CMS:
  – Catalyst 1900 and Catalyst 2820
  – Catalyst 2900 XL switches with 4-MB CPU DRAM
In read-only mode, these switches appear as unavailable devices and cannot be configured from CMS.

Saving Your Configuration
Note: The Save Configuration option is not available if your switch access level is read-only. For more information about the read-only access mode, see the “Access Modes in CMS” section on page 3-31.
Tip: As you make cluster configuration changes (except for changes to the Topology view and in the Preferences window), make sure that you periodically save the configuration from the command switch.

Using Different Versions of CMS
When managing switch clusters through CMS, remember that clusters can have a mix of switch models using different IOS releases and that CMS in earlier IOS releases and on different switch platforms might look and function differently from CMS in this IOS release. When you select Device > Device Manager for a cluster member, a new browser session is launched, and the CMS version for that switch is displayed.
CHAPTER 4 Assigning the Switch IP Address and Default Gateway
This chapter describes how to create the initial switch configuration (for example, assign the switch IP address and default gateway information) by using a variety of automatic and manual methods.
Note: For complete syntax and usage information for the commands used in this chapter, refer to the command reference for this release.

Assigning Switch Information
The boot loader also provides trap-door access into the system if the operating system has problems serious enough that it cannot be used.

Default Switch Information
Table 4-1 shows the default switch information.
Table 4-1 Default Switch Information
Feature                     Default Setting
IP address and subnet mask  No IP address or subnet mask are defined.
Default gateway             No default gateway is defined.
Enable secret password      No password is defined.
Host name                   The factory-assigned default host name is Switch.
Telnet password             No password is defined.

DHCP Client Request Process
When you boot your switch, the switch automatically requests configuration information from a DHCP server only if a configuration file is not present on the switch. DHCP autoconfiguration does not occur under these conditions:
• When a configuration file is present and the service config global configuration command is disabled on the switch.

Configuring the DHCP Server
You should configure the DHCP server with reserved leases that are bound to each switch by the switch hardware address.
For the switch to successfully download a configuration file, the TFTP server must contain one or more configuration files in its base directory. The files can include these files:
• The configuration file named in the DHCP reply (the actual switch configuration file).
• The network-confg or the cisconet.cfg file (known as the default configuration files).
• The router-confg or the ciscortr.

Figure 4-2 Relay Device Used in Autoconfiguration
Figure contents: Switch (DHCP client), Cisco router (relay), DHCP server, TFTP server, and DNS server; the addresses shown include 10.0.0.1, 10.0.0.2, 20.0.0.2, 20.0.0.3, and 20.0.0.4.

Note: The switch broadcasts TFTP server requests if the TFTP server is not obtained from the DHCP replies, if all attempts to read the configuration file through unicast transmissions fail, or if the TFTP server name cannot be resolved to an IP address.

Example Configuration
Figure 4-3 shows a sample network for retrieving IP information by using DHCP-based autoconfiguration.

DNS Server Configuration
The DNS server maps the TFTP server name maritsu to IP address 10.0.0.3.
TFTP Server Configuration (on UNIX)
The TFTP server base directory is set to /tftpserver/work/. This directory contains the network-confg file used in the two-file read method. This file contains the host name to be assigned to the switch based on its IP address.
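The file-selection logic behind the one-file and two-file read methods described above, as an added example (not code from the Cisco guide). It assumes, as this page does not state, that the network-confg file maps addresses to host names with `ip host <name> <address>` lines and that the per-switch file is named `<hostname>-confg`; the sample network-confg is constructed. The fallback file name router-confg is the one the guide lists.

```python
"""Model of the configuration-file lookup used by DHCP-based autoconfiguration.

Added example, not code from the Cisco guide. Assumptions (not stated on this
page): the network-confg file maps addresses to host names with
`ip host <name> <address>` lines, and the per-switch file is `<hostname>-confg`.
"""
from ipaddress import ip_address

# Default configuration files and the fallback file named in the guide.
DEFAULT_CONFIG_FILES = ("network-confg", "cisconet.cfg")
FALLBACK_CONFIG_FILE = "router-confg"

# Constructed sample of a network-confg file (assumed `ip host` syntax).
NETWORK_CONFG = """\
! constructed sample, not from the guide
ip host switcha 10.0.0.21
ip host switchb 10.0.0.22
"""


def parse_ip_host(text):
    """Return {address: hostname} from `ip host` lines; other lines are ignored."""
    mapping = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 4 and parts[0] == "ip" and parts[1] == "host":
            mapping[str(ip_address(parts[3]))] = parts[2]
    return mapping


def select_config_files(dhcp_bootfile, leased_ip, network_confg_text):
    """Return the TFTP file names the switch would request, in order.

    One-file method: the DHCP reply names the configuration file, so only that
    file is needed. Two-file method: a default file is read first, the leased
    address is looked up to obtain the host name, and the host name selects
    `<hostname>-confg`. With no matching host entry the fallback file is used.
    """
    if dhcp_bootfile:
        return [dhcp_bootfile]
    hostname = parse_ip_host(network_confg_text).get(str(ip_address(leased_ip)))
    files = list(DEFAULT_CONFIG_FILES)
    files.append(f"{hostname}-confg" if hostname else FALLBACK_CONFIG_FILE)
    return files


if __name__ == "__main__":
    print(select_config_files(None, "10.0.0.21", NETWORK_CONFG))
    print(select_config_files("switch1-confg", "10.0.0.21", NETWORK_CONFG))
```

The point for an operator is that the identity a switch assumes, and therefore the configuration it loads, is decided entirely by the DHCP reply and the address-to-host-name mapping; that is why the guide asks for reserved leases bound to each switch hardware address.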
Manually Assigning IP Information
Beginning in privileged EXEC mode, follow these steps to manually assign IP information to multiple switched virtual interfaces (SVIs) or ports:
Step 1  configure terminal  Enter global configuration mode.
Step 2  interface vlan vlan-id  Enter interface configuration mode, and enter the VLAN to which the IP information is assigned.

Checking and Saving the Running Configuration
!
hostname Switch
!
enable secret 5 $1$ej9.$DMUvAUnZOAmvmgqBEzIxE0
!
ip subnet-zero
!
vlan 3020
cluster enable Test 0
cluster member 1 mac-address 0030.9439.0900
cluster member 2 mac-address 0001.425b.
 no ip address
 shutdown
!
interface Vlan1
 ip address 172.20.139.133 255.255.255.224
 no ip route-cache
!
ip default-gateway 172.20.139.
CHAPTER 5 Configuring IE2100 CNS Agents
This chapter describes how to configure the Intelligence Engine 2100 (IE2100) Series Cisco Networking Services (CNS) embedded agents on your switch. To use the feature described in this chapter, you must have the enhanced software image (EI) installed on your switch.

Understanding IE2100 Series Configuration Registrar Software
Figure 5-1 Configuration Registrar Architectural Overview
Figure contents: service provider network; Configuration Registrar comprising a data service directory, configuration server, event service, web-based user interface, and order entry configuration management.
These sections contain this conceptual information:
• CNS Configuration Service, page 5-2
• CNS Event Service, page 5-3
• What You Should Know About ConfigID, Devi

CNS Event Service
The Configuration Registrar uses the CNS Event Service for receipt and generation of configuration events. The CNS event agent resides on the switch and facilitates the communication between the switch and the event gateway on the Configuration Registrar. The CNS Event Service is a highly-scalable publish-and-subscribe communication method.

DeviceID
Each configured switch participating on the event bus has a unique deviceID, which is analogous to the switch source address so that the switch can be targeted as a specific destination on the bus. All switches configured with the cns config partial global configuration command must access the event bus.

Understanding CNS Embedded Agents
The CNS event agent feature allows the switch to publish and subscribe to events on the event bus and works with the CNS configuration agent.

Incremental (Partial) Configuration
After the network is running, new services can be added by using the CNS configuration agent. Incremental (partial) configurations can be sent to the switch. The actual configuration can be sent as an event payload by way of the event gateway (push operation) or as a signal event that triggers the switch to initiate a pull operation.

Configuring CNS Embedded Agents
Table 5-1 Prerequisites for Enabling Automatic Configuration
Device                          Required Configuration
Access switch                   Factory default (no configuration file)
Distribution switch             • IP helper address
                                • Enable DHCP relay agent
                                • IP routing (if used as default gateway)
DHCP server                     • IP address assignment
                                • TFTP server IP address
                                • Path to bootstrap configuration file on the TFTP ser
TFTP server
IE2100 Configuration Registrar
Enabling the CNS Event Agent
Note: You must enable the CNS event agent on the switch before you enable the CNS configuration agent.
Beginning in privileged EXEC mode, follow these steps to enable the CNS event agent on the switch:
Step 1  configure terminal  Enter global configuration mode.

To disable the CNS event agent, use the no cns event {ip-address | hostname} global configuration command.
This example shows how to enable the CNS event agent, set the IP address gateway to 10.180.1.27, set 120 seconds as the keepalive interval, and set 10 as the retry count.
Switch(config)# cns event 10.180.1.

Step 3  config-cli or line-cli  Enter config-cli to connect to the Configuration Registrar through the interface defined in cns config connect-intf. Enter line-cli to connect to the Registrar through modem dialup lines.
Note: The config-cli interface configuration command accepts the special directive character & that acts as a placeholder for the interface name.

Step 8  cns config initial {ip-address | hostname} [port-number] [event] [no-persist] [page page] [source ip-address] [syntax-check]  Enable the configuration agent, and initiate an initial configuration.
• For {ip-address | hostname}, enter the IP address or the host name of the configuration server.
• (Optional) For port-number, enter the port number of the configuration server. The default port number is 80.

Enabling a Partial Configuration
Beginning in privileged EXEC mode, follow these steps to enable the CNS configuration agent and to initiate a partial configuration on the switch:
Step 1  configure terminal  Enter global configuration mode.
Step 2  cns config partial {ip-address | hostname} [port-number] [source ip-address]  Enable the configuration agent, and initiate a partial configuration.

Displaying CNS Configuration
You can use the privileged EXEC commands in Table 5-2 to display CNS Configuration information.
Table 5-2 Displaying CNS Configuration
Command                      Purpose
show cns config connections  Displays the status of the CNS configuration agent connections.
show cns config outstanding  Displays information about incremental (partial) CNS configurations that have started but are not yet completed.
CHAPTER 6 Clustering Switches
This chapter provides these topics to help you get started with switch clustering:
• Understanding Switch Clusters, page 6-2
• Planning a Switch Cluster, page 6-5
• Creating a Switch Cluster, page 6-19
• Using the CLI to Manage Switch Clusters, page 6-25
• Using SNMP to Manage Switch Clusters, page 6-26
Configuring switch clusters is more easily done from the Cluster Management Suite (CMS) web-based interface than through the command-line interface (CLI).

Understanding Switch Clusters
A switch cluster is a group of connected Catalyst switches that are managed as a single entity. In a switch cluster, 1 switch must be the command switch and up to 15 switches can be member switches. The total number of switches in a cluster cannot exceed 16 switches. The command switch is the single point of access used to configure, manage, and monitor the member switches.

Command Switch Characteristics
A Catalyst 2950 command switch must meet these requirements:
• It is running Release 12.0(5.2)WC(1) or later.
• It has an IP address.
• It has Cisco Discovery Protocol (CDP) version 2 enabled (the default).
• It is not a command or member switch of another cluster.
• If the Catalyst 2950 command switch is running Release 12.

Note: Catalyst 2950 command switches running Release 12.1(9)EA1 or later can connect to standby command switches in the management VLAN.
• It is redundantly connected to the cluster so that connectivity to member switches is maintained.
• It is not a command or member switch of another cluster.

Note: Catalyst 2950 standby command switches running Release 12.1(9)EA1 or later can connect to candidate and member switches in VLANs different from their management VLANs.

Planning a Switch Cluster
Anticipating conflicts and compatibility issues is a high priority when you manage several switches through a cluster.

Discovery through CDP Hops
By using CDP, a command switch can discover switches up to seven CDP hops away (the default is three hops) from the edge of the cluster. The edge of the cluster is where the last member switches are connected to the cluster and to candidate switches. For example, member switches 9 and 10 in Figure 6-1 are at the edge of the cluster.
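A model of the hop-limited discovery just described, as an added example (not Cisco code). It assumes the CDP neighbour relationships are available as an undirected adjacency list and counts hops from the member switches at the cluster edge, with the default of three hops and the maximum of seven taken from the text; the topology is constructed.

```python
"""Model of cluster discovery through CDP hops (added example, not Cisco code).

The guide states that a command switch discovers candidate switches up to a
configured number of CDP hops (default 3, maximum 7) from the edge of the
cluster, i.e. from the member switches that neighbour non-members. The
topology is assumed to be an undirected adjacency list of CDP neighbours.
"""
from collections import deque

MAX_CDP_HOPS = 7
DEFAULT_CDP_HOPS = 3

# Constructed topology: a chain of candidate switches hanging off member m2.
CDP_NEIGHBORS = {
    "cmd": ["m1"],
    "m1": ["cmd", "m2"],
    "m2": ["m1", "c1"],
    "c1": ["m2", "c2"],
    "c2": ["c1", "c3"],
    "c3": ["c2", "c4"],
    "c4": ["c3"],
}
MEMBERS = {"cmd", "m1", "m2"}


def discoverable_candidates(neighbors, members, hops=DEFAULT_CDP_HOPS):
    """Return {candidate: hop_count} for non-member devices within `hops` CDP
    hops of any member switch (hop 1 = directly connected to the cluster edge).

    Breadth-first search seeded with every member at distance 0 gives each
    device its distance from the nearest member; devices beyond the hop
    limit are never reached and therefore never discovered.
    """
    if not 1 <= hops <= MAX_CDP_HOPS:
        raise ValueError(f"hop count must be 1..{MAX_CDP_HOPS}, got {hops}")
    members = set(members)
    dist = {m: 0 for m in members}
    queue = deque(members)
    while queue:
        node = queue.popleft()
        if dist[node] >= hops:
            continue  # do not expand beyond the configured hop limit
        for nxt in neighbors.get(node, ()):
            if nxt not in dist:
                dist[nxt] = dist[node] + 1
                queue.append(nxt)
    return {dev: d for dev, d in dist.items() if dev not in members}


if __name__ == "__main__":
    print(discoverable_candidates(CDP_NEIGHBORS, MEMBERS))
    print(discoverable_candidates(CDP_NEIGHBORS, MEMBERS, hops=MAX_CDP_HOPS))
```

Raising the hop count widens the set of devices the command switch will discover and offer as candidates, so the value should match how far the administrator actually wants cluster reach to extend.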
Figure 6-2 Discovery through CDP Hops (Command Switch Running Release 12.

Discovery through the Same Management VLAN
A Catalyst 2900 XL command switch, a Catalyst 2950 command switch running a release earlier than Release 12.1(9)EA1, or a Catalyst 3500 XL command switch must connect to all cluster members through its management VLAN. The default management VLAN is VLAN 1. For more information about management VLANs, see the “Management VLAN” section on page 6-18.

Discovery through Different Management VLANs
We recommend using a Catalyst 3550 command switch or a Catalyst 2950 command switch running Release 12.1(9)EA1 or later. These command switches can discover and manage member switches in different VLANs and different management VLANs. Catalyst 3550 member switches and Catalyst 2950 member switches running Release 12.

Figure: Discovery through Different Management VLANs with a Layer 3 Command Switch
Figure contents: Catalyst 3550 command switch; Catalyst 3550 standby command switch; Switch 3 (management VLAN 16); Switch 4 (management VLAN 16); Switch 5 (management VLAN 62); Switch 7 (management VLAN 4); Switch 9 (management VLAN 62); links labeled VLAN 9, VLAN 16, VLAN 62, and VLAN trunk 4, 62; legend: Catalyst 1900, Catalyst 2820, Catalyst 2900 XL, Catalyst 2950, and Catalyst 3500 XL switches.

Figure 6-7 Discovery of Newly Installed Switches in the Same Management VLAN
Figure contents: Command switch; Catalyst 3500 XL switch (management VLAN 16) with an AP; Catalyst 2950 switch (management VLAN 16) with an AP; new (out-of-box) Catalyst 2900 LRE XL switch; new (out-of-box) Catalyst 2950 switch; links labeled VLAN 16.
Figure 6-8 Discovery of Newly Installed Switches in Different Management VLANs
Figure contents: Command switch; Catalyst 2950 switch (Management VLAN
HSRP and Standby Command Switches
The switch supports Hot Standby Router Protocol (HSRP) so that you can configure a group of standby command switches. Because a command switch manages the forwarding of all communication and configuration information to all the member switches, we strongly recommend that you configure a cluster standby command switch to take over if the primary command switch fails.

Virtual IP Addresses
You need to assign a unique virtual IP address and group number and name to the cluster standby group. This information must be configured on the management VLAN on the active command switch. The active command switch receives traffic destined for the virtual IP address. To manage the cluster, you must access the active command switch through the virtual IP address, not through the command-switch IP address.

• All standby-group members must be members of the cluster.
• There is no limit to the number of switches that you can assign as standby command switches. However, the total number of switches in the cluster—which would include the active command switch, standby-group members, and member switches—cannot be more than 16.
Note: Each standby-group member (see Figure 6-9) must be connected to the command switch through its management VLAN.

Automatic Recovery of Cluster Configuration
The active command switch continually forwards cluster-configuration information (but not device-configuration information) to the standby command switch. This ensures that the standby command switch can take over the cluster immediately after the active command switch fails.

Host Names
You do not need to assign a host name to either a command switch or an eligible cluster member. However, a host name assigned to the command switch can help to identify the switch cluster. The default host name for the switch is Switch. If a switch joins a cluster and it does not have a host name, the command switch appends a unique member number to its own host name and assigns it sequentially as each switch joins the cluster.

TACACS+ and RADIUS
Inconsistent authentication configurations in switch clusters cause CMS to continually prompt for a user name and password. If Terminal Access Controller Access Control System Plus (TACACS+) is configured on a cluster member, it must be configured on all cluster members. Similarly, if Remote Authentication Dial-In User Service (RADIUS) is configured on a cluster member, it must be configured on all cluster members.

Management VLAN
Communication with the switch management interfaces is through the command-switch IP address. The IP address is associated with the management VLAN, which by default is VLAN 1. To manage switches in a cluster, the command switch, member switches, and candidate switches must be connected through ports assigned to the command-switch management VLAN.
Note:
• If the command switch is a Catalyst 2950 running Release 12.

Availability of Switch-Specific Features in Switch Clusters
The menu bar on the command switch displays all options available from the switch cluster. Therefore, features specific to a member switch are available from the command-switch menu bar. For example, Device > LRE Profile appears in the command-switch menu bar when at least one Catalyst 2900 LRE XL switch is in the cluster.

Creating a Switch Cluster
If you did not enable a command switch during initial switch setup, launch Device Manager from a command-capable switch, and select Cluster > Create Cluster. Enter a cluster number (the default is 0), and use up to 31 characters to name the cluster (see Figure 6-10). Instead of using CMS to enable a command switch, you can use the cluster enable global configuration command.

If a candidate switch in the group has a password different from the group, only that specific candidate switch is not added to the cluster. When a candidate switch joins a cluster, it inherits the command-switch password. For more information about setting passwords, see the “Passwords” section on page 6-16. For additional authentication considerations in switch clusters, see the “TACACS+ and RADIUS” section on page 6-17.
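The planning constraints scattered through this chapter (command-switch requirements, the 16-switch limit including standby-group members, TACACS+ and RADIUS consistency, and the candidate-password rule above) collected into one pre-flight check, as an added example that is not Cisco code. The switch records are constructed dicts, and the field names (name, ip, cdp_v2, other_cluster, password, tacacs, radius) are this example's own assumption.

```python
"""Validate a planned switch cluster against the rules stated in this chapter.

Added example, not Cisco code. Switch records are constructed dicts and the
field names (name, ip, cdp_v2, other_cluster, password, tacacs, radius) are
this example's own assumption.
"""

MAX_CLUSTER_SIZE = 16  # one command switch plus up to 15 member switches


def validate_cluster_plan(command, members, standby, candidates=()):
    """Return a list of rule violations; an empty list means the plan is valid.

    Rules checked (all from the chapter text):
    - the command switch has an IP address, CDP version 2 enabled, and is
      not a command or member switch of another cluster;
    - every standby-group member is a member of the cluster;
    - command switch, members, standby members and joining candidates do not
      exceed 16 switches in total;
    - TACACS+ and RADIUS are configured on all cluster members or on none;
    - a candidate whose password differs from the command switch is not added.
    """
    problems = []

    if not command.get("ip"):
        problems.append(f"{command['name']}: command switch has no IP address")
    if not command.get("cdp_v2", True):
        problems.append(f"{command['name']}: CDP version 2 is not enabled")
    if command.get("other_cluster"):
        problems.append(f"{command['name']}: already belongs to another cluster")

    member_names = {m["name"] for m in members}
    for sw in standby:
        if sw["name"] not in member_names:
            problems.append(f"{sw['name']}: standby-group member is not a cluster member")

    # Only candidates whose password matches the command switch are added;
    # those that join then inherit the command-switch password.
    joining = []
    for cand in candidates:
        if cand.get("password") == command.get("password"):
            joining.append(cand)
        else:
            problems.append(f"{cand['name']}: password differs from the command switch; not added")

    total = 1 + len(member_names | {s["name"] for s in standby} | {c["name"] for c in joining})
    if total > MAX_CLUSTER_SIZE:
        problems.append(f"cluster would have {total} switches; the maximum is {MAX_CLUSTER_SIZE}")

    # Authentication must be consistent across the whole cluster, or CMS keeps
    # prompting for a user name and password.
    everyone = [command] + list(members) + joining
    for key, label in (("tacacs", "TACACS+"), ("radius", "RADIUS")):
        configured = [sw["name"] for sw in everyone if sw.get(key)]
        if configured and len(configured) != len(everyone):
            missing = [sw["name"] for sw in everyone if not sw.get(key)]
            problems.append(f"{label} is configured on {configured} but not on {missing}")

    return problems


if __name__ == "__main__":
    cmd = {"name": "cmd", "ip": "192.0.2.1", "password": "pw", "tacacs": True}
    members = [{"name": f"m{i}", "tacacs": True} for i in range(1, 15)]
    candidates = [{"name": "c1", "password": "pw", "tacacs": True},
                  {"name": "c2", "password": "other", "tacacs": True}]
    for p in validate_cluster_plan(cmd, members, standby=[members[0]], candidates=candidates):
        print(p)
```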
Figure callouts: Thin line means a connection to a candidate switch. Right-click a candidate switch to display the pop-up menu, and select Add to Cluster to add the switch to the cluster.

These abbreviations are appended to the switch host names in the Standby Command Group list to show their eligibility or status in the cluster standby group:
• AC—Active command switch
• SC—Standby command switch
• PC—Member of the cluster standby group but not the standby command switch
• HC—Candidate switch that can be added to the cluster standby group
• CC—Command switch when HSRP is disabled
You must enter a virtual IP address for the

Verifying a Switch Cluster
When you finish adding cluster members, follow these steps to verify the cluster:
Step 1 Enter the command switch IP address in the browser Location field (Netscape Communicator) or Address field (Microsoft Internet Explorer) to access all switches in the cluster.
Step 2 Enter the command-switch password.

Using the CLI to Manage Switch Clusters
You can configure member switches from the CLI by first logging into the command switch. Enter the rcommand user EXEC command and the member switch number to start a Telnet session (through a console or Telnet connection) and to access the member switch CLI. The command mode changes, and the IOS commands operate as usual.

Using SNMP to Manage Switch Clusters
When you first power on the switch, SNMP is enabled if you enter the IP information by using the setup program and accept its proposed configuration. If you did not use the setup program to enter the IP information and SNMP was not enabled, you can enable it as described in the “Configuring SNMP” section on page 24-5. On Catalyst 1900 and Catalyst 2820 switches, SNMP is enabled by default.
CHAPTER 7 Administering the Switch
This chapter describes how to perform one-time operations to administer your switch.
Protecting Access to Privileged EXEC Commands
• For an additional layer of security, you can also configure username and password pairs, which are locally stored on the switch. These pairs are assigned to lines or interfaces and authenticate each user before that user can access the switch. If you have defined privilege levels, you can also assign a specific privilege level (with associated rights and privileges) to each username and password pair.
Setting or Changing a Static Enable Password
The enable password controls access to the privileged EXEC mode. Beginning in privileged EXEC mode, follow these steps to set or change a static enable password:
Step 1  configure terminal
        Enter global configuration mode.
Step 2  enable password password
        Define a new password or change an existing password for access to privileged EXEC mode.
Protecting Enable and Enable Secret Passwords with Encryption
To provide an additional layer of security, particularly for passwords that cross the network or that are stored on a Trivial File Transfer Protocol (TFTP) server, you can use either the enable password or enable secret global configuration commands.
If both the enable and enable secret passwords are defined, users must enter the enable secret password. Use the level keyword to define a password for a specific privilege level. After you specify the level and set a password, give the password only to users who need to have access at this level. Use the privilege level global configuration command to specify commands accessible at various levels.
Beginning in privileged EXEC mode, follow these steps to disable password recovery:
Step 1  configure terminal
        Enter global configuration mode.
Step 2  no service password-recovery
        Disable password recovery. This setting is saved in an area of the Flash memory that is accessible by the boot loader and the IOS image, but it is not part of the file system and is not accessible by any user.
Step 7  show running-config
        Verify your entries. The password is listed under the command line vty 0 15.
Step 8  copy running-config startup-config
        (Optional) Save your entries in the configuration file.
To remove the password, use the no password global configuration command.
To disable username authentication for a specific user, use the no username name global configuration command. To disable password checking and allow connections without a password, use the no login line configuration command.
Configuring Multiple Privilege Levels
By default, the IOS software has two modes of password security: user EXEC and privileged EXEC.
Step 5  show running-config
        or
        show privilege
        Verify your entries. The first command displays the password and access level configuration. The second command displays the privilege level configuration.
Step 6  copy running-config startup-config
        (Optional) Save your entries in the configuration file.
Logging into and Exiting a Privilege Level
Beginning in privileged EXEC mode, follow these steps to log in to a specified privilege level and to exit to a specified privilege level:
Step 1  enable level
        Log in to a specified privilege level. For level, the range is 0 to 15.
Step 2  disable level
        Exit to a specified privilege level. For level, the range is 0 to 15.
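The enable secret, privilege-level and local username commands described in the preceding pages, combined into one configuration. This is an added example, not a configuration from the guide; the user names, the placeholder passwords in angle brackets, and the set of commands moved down to level 5 are constructed for illustration.

```cisco
! Added example (not from the guide): local password protection for a
! Catalyst 2950 using the commands from this section. The user names,
! placeholder passwords and the level-5 command set are constructed.
configure terminal
!
! Privileged EXEC passwords. "enable secret" stores an MD5 hash; when both
! enable password and enable secret exist, the secret is the one required.
enable secret level 15 <PRIV15-SECRET>
enable secret level 5 <LEVEL5-SECRET>
!
! Commands moved down to level 5 (everything else stays at level 15).
! Operators at level 5 can verify the configuration and shut down a port,
! but cannot change passwords, AAA settings or VLANs.
privilege exec level 5 show running-config
privilege exec level 5 configure terminal
privilege configure level 5 interface
privilege interface level 5 shutdown
!
! Locally stored username/password pairs, each bound to a privilege level
username netops privilege 5 password <OPERATOR-PASSWORD>
username netadmin privilege 15 password <ADMIN-PASSWORD>
!
! Hide the clear-text username and line passwords in show running-config
! and in copies stored on a TFTP server. This is the reversible type 7
! form; the enable secret hash is the only non-reversible form here.
service password-encryption
!
! Terminal lines check the local username database instead of a single
! shared line password, and idle sessions are closed after 10 minutes
line vty 0 15
 login local
 exec-timeout 10 0
line console 0
 login local
 exec-timeout 10 0
end
!
! Verify: "show privilege" reports the current level, "show running-config"
! lists the privilege and username entries
show privilege
show running-config
```

A user who logs in as netops lands at level 5; entering enable 5 from user EXEC, with the level-5 secret, reaches the same level, and disable 1 returns to user EXEC. Because show running-config is filtered by privilege level, a level-5 user sees only the commands available at level 5 or below.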
Controlling Switch Access with TACACS+
Figure 7-1 Typical TACACS+ Network Configuration (figure; labels: UNIX workstation (TACACS+ server 1), Catalyst 6500 series switch, 171.20.10.7, UNIX workstation (TACACS+ server 2), Catalyst 2950 or 3550 switches, 171.20.10.8; callouts: Configure the switches with the TACACS+ server addresses. Set an authentication key (also configure the same key on the TACACS+ servers). Enable AAA. Create a login authentication method list.)
TACACS+ Operation
When a user attempts a simple ASCII login by authenticating to a switch using TACACS+, this process occurs:
1. When the connection is established, the switch contacts the TACACS+ daemon to obtain a username prompt, which is then displayed to the user. The user enters a username, and the switch then contacts the TACACS+ daemon to obtain a password prompt.
This section contains this configuration information:
• Default TACACS+ Configuration, page 7-13
• Identifying the TACACS+ Server Host and Setting the Authentication Key, page 7-13
• Configuring TACACS+ Login Authentication, page 7-14
• Configuring TACACS+ Authorization for Privileged EXEC Access and Network Services, page 7-16
• Starting TACACS+ Accounting, page 7-17
Default TACACS+ Configuration
TACACS+ and AAA are disab
Step 4  aaa group server tacacs+ group-name
        (Optional) Define the AAA server-group with a group name. This command puts the switch in a server group subconfiguration mode.
Step 5  server ip-address
        (Optional) Associate a particular TACACS+ server with the defined server group. Repeat this step for each TACACS+ server in the AAA server group. Each server in the group must be previously defined in Step 2.
Beginning in privileged EXEC mode, follow these steps to configure login authentication:
Step 1  configure terminal
        Enter global configuration mode.
Step 2  aaa new-model
        Enable AAA.
Step 3  aaa authentication login {default | list-name} method1 [method2...]
        Create a login authentication method list.
To disable AAA, use the no aaa new-model global configuration command. To disable AAA authentication, use the no aaa authentication login {default | list-name} method1 [method2...] global configuration command. To either disable TACACS+ authentication for logins or to return to the default value, use the no login authentication {default | list-name} line configuration command.
Starting TACACS+ Accounting
The AAA accounting feature tracks the services that users are accessing and the amount of network resources that they are consuming. When AAA accounting is enabled, the switch reports user activity to the TACACS+ security server in the form of accounting records. Each accounting record contains accounting attribute-value (AV) pairs and is stored on the security server.
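The TACACS+ procedure as a whole (server hosts and key, AAA server group, login authentication, EXEC and network authorization, and accounting) carried through in one configuration. This is an added example, not a configuration from the guide; the server addresses 172.16.1.10 and 172.16.1.11, the group name MGMT-TACACS, the recovery user name and the bracketed key and password are constructed placeholders.

```cisco
! Added example (not from the guide): TACACS+ AAA for management access
! on a Catalyst 2950. Server addresses, the group name and the key are
! constructed; the key must match the one configured on the daemons.
configure terminal
!
! Servers and the shared authentication key
tacacs-server host 172.16.1.10
tacacs-server host 172.16.1.11
tacacs-server key <SHARED-KEY>
!
! Enable AAA and group the servers so method lists can name the group
aaa new-model
aaa group server tacacs+ MGMT-TACACS
 server 172.16.1.10
 server 172.16.1.11
!
! Method lists. "local" is consulted only when no server in the group
! answers, so an unreachable server does not lock administrators out; a
! password the server rejects is still rejected.
aaa authentication login default group MGMT-TACACS local
aaa authorization exec default group MGMT-TACACS local
aaa authorization network default group MGMT-TACACS
!
! Accounting: a record when each EXEC session starts and stops, and one
! per network service request, all stored on the security server
aaa accounting exec default start-stop group MGMT-TACACS
aaa accounting network default start-stop group MGMT-TACACS
!
! Local fallback account, used only when every server is unreachable
username recovery privilege 15 password <RECOVERY-PASSWORD>
service password-encryption
!
! Apply the default login list to every terminal line, console included
line vty 0 15
 login authentication default
line console 0
 login authentication default
end
!
! Verify server reachability and the resulting configuration
show tacacs
show running-config
```

The order of methods matters: with group MGMT-TACACS listed first, the local database is never consulted while a server is reachable, so the recovery account cannot be used to bypass the server's decision. The aaa authorization exec line is what makes the server's assigned privilege level take effect at login.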
Controlling Switch Access with RADIUS
This section describes how to enable and configure the Remote Authentication Dial-In User Service (RADIUS), which provides detailed accounting information and flexible administrative control over authentication and authorization processes. RADIUS is facilitated through AAA and can be enabled only through AAA commands.
RADIUS is not suitable in these network security situations:
• Multiprotocol access environments. RADIUS does not support AppleTalk Remote Access (ARA), NetBIOS Frame Control Protocol (NBFCP), NetWare Asynchronous Services Interface (NASI), or X.25 PAD connections.
• Switch-to-switch or router-to-router situations. RADIUS does not provide two-way authentication.
Configuring RADIUS
This section describes how to configure your switch to support RADIUS. At a minimum, you must identify the host or hosts that run the RADIUS server software and define the method lists for RADIUS authentication. You can optionally define method lists for RADIUS authorization and accounting. A method list defines the sequence and methods to be used to authenticate, to authorize, or to keep accounts on a user.
You identify RADIUS security servers by their host name or IP address, host name and specific UDP port numbers, or their IP address and specific UDP port numbers. The combination of the IP address and the UDP port number creates a unique identifier, allowing different ports to be individually defined as RADIUS hosts providing a specific AAA service.
Step 1  configure terminal
        Enter global configuration mode.
Step 2  radius-server host {hostname | ip-address} [auth-port port-number] [acct-port port-number] [timeout seconds] [retransmit retries] [key string]
        Specify the IP address or host name of the remote RADIUS server host.
        • (Optional) For auth-port port-number, specify the UDP destination port for authentication requests.
This example shows how to configure host1 as the RADIUS server and to use the default ports for both authentication and accounting:
Switch(config)# radius-server host host1
Note
You also need to configure some settings on the RADIUS server. These settings include the IP address of the switch and the key string to be shared by both the server and the switch. For more information, refer to the RADIUS server documentation.
Step 1  configure terminal
        Enter global configuration mode.
Step 2  aaa new-model
        Enable AAA.
Step 3  aaa authentication login {default | list-name} method1 [method2...]
        Create a login authentication method list.
To disable AAA, use the no aaa new-model global configuration command. To disable AAA authentication, use the no aaa authentication login {default | list-name} method1 [method2...] global configuration command. To either disable RADIUS authentication for logins or to return to the default value, use the no login authentication {default | list-name} line configuration command.
Beginning in privileged EXEC mode, follow these steps to define the AAA server group and associate a particular RADIUS server with it:
Step 1  configure terminal
        Enter global configuration mode.
Step 2  radius-server host {hostname | ip-address} [auth-port port-number] [acct-port port-number] [timeout seconds] [retransmit retries] [key string]
        Specify the IP address or host name of the remote RADIUS server host.
Step 8  copy running-config startup-config
        (Optional) Save your entries in the configuration file.
Step 9  Enable RADIUS login authentication. See the “Configuring RADIUS Login Authentication” section on page 7-23.
To remove the specified RADIUS server, use the no radius-server host hostname | ip-address global configuration command.
Beginning in privileged EXEC mode, follow these steps to specify RADIUS authorization for privileged EXEC access and network services:
Step 1  configure terminal
        Enter global configuration mode.
Step 2  aaa authorization network radius
        Configure the switch for user RADIUS authorization for all network-related service requests.
Configuring Settings for All RADIUS Servers
Beginning in privileged EXEC mode, follow these steps to configure global communication settings between the switch and all RADIUS servers:
Step 1  configure terminal
        Enter global configuration mode.
Step 2  radius-server key string
        Specify the shared secret text string used between the switch and all RADIUS servers.
For example, the following AV pair activates Cisco’s multiple named ip address pools feature during IP authorization (during PPP’s IPCP address assignment):
cisco-avpair= "ip:addr-pool=first"
The following example shows how to provide a user logging in from a switch with immediate access to privileged EXEC commands:
cisco-avpair= "shell:priv-lvl=15"
Other vendors have their own unique vendor-IDs, options, and associated VSAs.
Beginning in privileged EXEC mode, follow these steps to specify a vendor-proprietary RADIUS server host and a shared secret text string:
Step 1  configure terminal
        Enter global configuration mode.
Step 2  radius-server host {hostname | ip-address} non-standard
        Specify the IP address or host name of the remote RADIUS server host and identify that it is using a vendor-proprietary implementation of RADIUS.
Configuring the Switch for Local Authentication and Authorization
You can configure AAA to operate without a server by setting the switch to implement AAA in local mode. The switch then handles authentication and authorization. No accounting is available in this configuration.
Configuring the Switch for Secure Shell
This section describes how to configure the Secure Shell (SSH) feature. To use this feature, the crypto (encrypted) multilayer software image must be installed on your switch. You must download this software image from Cisco.com. For more information, refer to the release notes for this release.
Managing the System Time and Date
You can manage the system time and date on your switch using automatic configuration, such as the Network Time Protocol (NTP), or manual configuration methods.
Note
For complete syntax and usage information for the commands used in this section, refer to the Cisco IOS Configuration Fundamentals Command Reference for Release 12.1.
NTP uses the concept of a stratum to describe how many NTP hops away a device is from an authoritative time source. A stratum 1 time server has a radio or atomic clock directly attached, a stratum 2 time server receives its time through NTP from a stratum 1 time server, and so on. A device running NTP automatically chooses as its time source the device with the lowest stratum number with which it communicates through NTP.
Figure 7-3 Typical NTP Network Configuration (figure; labels: Catalyst 6500 series switch (NTP master), local workgroup servers, Catalyst 2950 or 3550 switches; callouts: These switches are configured in NTP server mode (server association) with the Catalyst 6500 series switch. This switch is configured as an NTP peer to the upstream and downstream Catalyst 3550 switches.)
Default NTP Configuration
Table 7-2 shows the default NTP configuration.
Table 7-2 Default NTP Configuration
Feature                          Default Setting
NTP authentication               Disabled. No authentication key is specified.
NTP peer or server associations  None configured.
NTP broadcast service            Disabled; no interface sends or receives NTP broadcast packets.
NTP access restrictions          No access control is specified.
Step 5  end
        Return to privileged EXEC mode.
Step 6  show running-config
        Verify your entries.
Step 7  copy running-config startup-config
        (Optional) Save your entries in the configuration file.
To disable NTP authentication, use the no ntp authenticate global configuration command. To remove an authentication key, use the no ntp authentication-key number global configuration command.
Step 3  end
        Return to privileged EXEC mode.
Step 4  show running-config
        Verify your entries.
Step 5  copy running-config startup-config
        (Optional) Save your entries in the configuration file.
You need to configure only one end of an association; the other device can automatically establish the association.
Step 6  copy running-config startup-config
        (Optional) Save your entries in the configuration file.
Step 7  Configure the connected peers to receive NTP broadcast packets as described in the next procedure.
To disable the interface from sending NTP broadcast packets, use the no ntp broadcast interface configuration command.
Creating an Access Group and Assigning a Basic IP Access List
Beginning in privileged EXEC mode, follow these steps to control access to NTP services by using access lists:
Step 1  configure terminal
        Enter global configuration mode.
Step 2  ntp access-group {query-only | serve-only | serve | peer} access-list-number
        Create an access group, and apply a basic IP access list.
If the source IP address matches the access lists for more than one access type, the first type is granted. If no access groups are specified, all access types are granted to all devices. If any access groups are specified, only the specified access types are granted. To remove access control to the switch NTP services, use the no ntp access-group {query-only | serve-only | serve | peer} global configuration command.
Beginning in privileged EXEC mode, follow these steps to configure a specific interface from which the IP source address is to be taken:
Step 1  configure terminal
        Enter global configuration mode.
Step 2  ntp source type number
        Specify the interface type and number from which the IP source address is taken. By default, the source address is determined by the outgoing interface.
Setting the System Clock
If you have an outside source on the network that provides time services, such as an NTP server, you do not need to manually set the system clock. Beginning in privileged EXEC mode, follow these steps to set the system clock:
Step 1  clock set hh:mm:ss day month year
        Manually set the system clock using one of these formats.
Configuring the Time Zone
Beginning in privileged EXEC mode, follow these steps to manually configure the time zone:
Step 1  configure terminal
        Enter global configuration mode.
Step 2  clock timezone zone hours-offset [minutes-offset]
        Set the time zone. The switch keeps internal time in universal time coordinated (UTC), so this command is used only for display purposes and when the time is manually set.
Configuring Summer Time (Daylight Saving Time)
Beginning in privileged EXEC mode, follow these steps to configure summer time (daylight saving time) in areas where it starts and ends on a particular day of the week each year:
Step 1  configure terminal
        Enter global configuration mode.
Step 2  clock summer-time zone recurring
        Configure summer time to start and end on the specified days every year.
Beginning in privileged EXEC mode, follow these steps if summer time in your area does not follow a recurring pattern (configure the exact date and time of the next summer time events):
Step 1  configure terminal
        Enter global configuration mode.
Step 2  clock summer-time zone date [month date year hh:mm month date year hh:mm
        Configure summer time to start on the first date and end on the second date.
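The NTP authentication, association, access-group and source-interface procedures above, together with the display time-zone commands, carried through in one configuration. This is an added example, not a configuration from the guide; the time source 10.1.1.1, the peer 10.1.1.2, the management subnet 10.10.0.0/16, key number 42, the bracketed key string, the VLAN interface and the Pacific time zone values are constructed placeholders. The checking order of the access types (peer, serve, serve-only, query-only) is standard Cisco IOS behaviour and is stated here as a fact the guide's text only alludes to.

```cisco
! Added example (not from the guide): authenticated NTP with access
! restrictions on a Catalyst 2950, plus the display time zone. Server,
! peer, subnet, key number, key string and VLAN are constructed.
configure terminal
!
! Authentication: the key number and MD5 key string must match the ones
! configured on the time source; "trusted-key" marks which keys this
! switch accepts from the devices it synchronizes to.
ntp authenticate
ntp authentication-key 42 md5 <NTP-KEY>
ntp trusted-key 42
!
! Associations, each tied to the key. "prefer" keeps the server as the
! chosen source when several candidates are at the same stratum.
ntp server 10.1.1.1 key 42 prefer
ntp peer 10.1.1.2 key 42
!
! Access groups. The types are checked in the order peer, serve,
! serve-only, query-only and the first one whose list matches is granted:
! the time source and peer get full access, management stations may only
! query, and any other address matches nothing and is refused.
access-list 10 permit 10.1.1.1
access-list 10 permit 10.1.1.2
access-list 20 permit 10.10.0.0 0.0.255.255
ntp access-group peer 10
ntp access-group query-only 20
!
! Send NTP from the management VLAN address so the server's key binding
! and access list see one stable source address
ntp source vlan 1
!
! Display only: internal time stays in UTC
clock timezone PST -8
clock summer-time PDT recurring
end
!
! Verify: the server should show as synchronized and authenticated
show ntp associations
show ntp status
```

Without ntp authenticate and a trusted key, the switch accepts time from any host that the access groups admit; with them, a source that presents the wrong key is ignored even if its address is permitted, which is why both controls are configured together. Authentication does not protect the query-only stations, so the access list is still what limits who can read the switch's time status.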
Configuring a System Name and Prompt
You configure the system name on the switch to identify it. By default, the system name and prompt are Switch. If you have not configured a system prompt, the first 20 characters of the system name are used as the system prompt. A greater-than symbol [>] is appended.
Configuring a System Prompt
Beginning in privileged EXEC mode, follow these steps to manually configure a system prompt:
Step 1  configure terminal
        Enter global configuration mode.
Step 2  prompt string
        Configure the command-line prompt to override the setting from the hostname command.
Default DNS Configuration
Table 7-3 shows the default DNS configuration.
Table 7-3 Default DNS Configuration
Feature                  Default Setting
DNS enable state         Enabled.
DNS default domain name  None configured.
DNS servers              No name server addresses are configured.
domain name is the value set by the ip domain-name global configuration command. If there is a period (.) in the hostname, the IOS software looks up the IP address without appending any default domain name to the hostname. To remove a domain name, use the no ip domain-name name global configuration command. To remove a name server address, use the no ip name-server server-address global configuration command.
Configuring a Message-of-the-Day Login Banner
You can create a single or multiline message banner that appears on the screen when someone logs in to the switch. Beginning in privileged EXEC mode, follow these steps to configure a MOTD login banner:
Step 1  configure terminal
        Enter global configuration mode.
Step 2  banner motd c message c
        Specify the message of the day.
Configuring a Login Banner
You can configure a login banner to be displayed on all connected terminals. This banner appears after the MOTD banner and before the login prompt. Beginning in privileged EXEC mode, follow these steps to configure a login banner:
Step 1  configure terminal
        Enter global configuration mode.
Step 2  banner login c message c
        Specify the login message.
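The system name, DNS and banner commands from the preceding pages in one configuration, showing how the delimiter character in banner motd c message c and banner login c message c is used for a multiline message. This is an added example, not a configuration from the guide; the host name, domain, name-server addresses and banner wording are constructed.

```cisco
! Added example (not from the guide): system name, DNS and banners on a
! Catalyst 2950. Host name, domain, server addresses and text are
! constructed placeholders.
configure terminal
!
! System name: its first 20 characters become the prompt unless "prompt"
! overrides them. A period in the name stops the default domain from
! being appended during lookups, so keep the bare host name here.
hostname sw-lobby-1
!
! DNS: the domain appended to unqualified names, and the name servers
ip domain-name example.test
ip name-server 10.0.0.53 10.0.0.54
!
! Banners. The character after "motd"/"login" (here #) is the delimiter;
! everything up to the next # is the message, so # must not appear in
! the text. The MOTD is shown first, the login banner next, then the
! login prompt. State ownership and monitoring; do not reveal software
! versions or the device role.
banner motd #
*** Authorized users only. All activity on this device is logged. ***
#
banner login #
Enter your assigned username and password.
#
end
!
! Verify: the banners, host name and name servers appear in the
! running configuration
show running-config
```

The delimiter can be any character that does not occur in the message; choosing one like # makes it obvious where the message ends when reading the configuration back, and avoids the truncated-banner problem that arises when the delimiter appears mid-text.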
Managing the MAC Address Table
The MAC address table contains address information that the switch uses to forward traffic between ports. All MAC addresses in the address table are associated with one or more ports. The address table includes these types of addresses:
• Dynamic address: a source MAC address that the switch learns and then ages when it is not in use.
MAC Addresses and VLANs
All addresses are associated with a VLAN. An address can exist in more than one VLAN and have different destinations in each. Multicast addresses, for example, could be forwarded to port 1 in VLAN 1 and ports 9, 10, and 11 in VLAN 5. Each VLAN maintains its own logical address table. A known address in one VLAN is unknown in another until it is learned or statically associated with a port in the other VLAN.
Step 4  show mac address-table aging-time
        Verify your entries.
Step 5  copy running-config startup-config
        (Optional) Save your entries in the configuration file.
To return to the default value, use the no mac address-table aging-time global configuration command.
Removing Dynamic Address Entries
To remove all dynamic entries, use the clear mac address-table dynamic command in privileged EXEC mode.
Beginning in privileged EXEC mode, follow these steps to configure the switch to send MAC address notification traps to an NMS host:
Step 1  configure terminal
        Enter global configuration mode.
Step 2  snmp-server host host-addr {traps | informs} {version {1 | 2c | 3}} community-string notification-type
        Specify the recipient of the trap message.
        • For host-addr, specify the name or address of the NMS.
Step 9  show mac address-table notification interface
        show running-config
        Verify your entries.
Step 10 copy running-config startup-config
        (Optional) Save your entries in the configuration file.
To disable the switch from sending MAC address notification traps, use the no snmp-server enable traps mac-notification global configuration command.
Beginning in privileged EXEC mode, follow these steps to add a static address:
Step 1  configure terminal
        Enter global configuration mode.
Step 2  mac address-table static mac-addr vlan vlan-id interface interface-id
        Add a static address to the MAC address table.
        • For mac-addr, specify the destination MAC address (unicast or multicast) to add to the address table.
Beginning in privileged EXEC mode, follow these steps to add a secure address:
Step 1  configure terminal
        Enter global configuration mode.
Step 2  interface interface-id
        Specify an interface, and enter interface configuration mode.
Step 3  switchport port-security mac-address mac-address
        Add a secure address.
Step 4  end
        Return to privileged EXEC mode.
Step 5  show port-security
        Verify your entry.
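The MAC address table procedures above (aging time, MAC address notification traps, a static address and a secure address) carried through in one configuration. This is an added example, not a configuration from the guide; the NMS address 10.0.0.100, the bracketed community string, the MAC addresses, VLAN 10 and the interface numbers are constructed placeholders. The notification interval and history-size keywords and the port-security maximum and violation keywords are assumed to be available in this release; check them against the command reference.

```cisco
! Added example (not from the guide): MAC address table controls on a
! Catalyst 2950. NMS address, community string, MAC addresses, VLAN and
! interfaces are constructed; some keywords are assumptions (see text).
configure terminal
!
! Dynamic entries age out after 10 minutes instead of the 300-second
! default. Longer aging reduces unknown-unicast flooding on a stable
! segment; 0 would disable aging entirely.
mac address-table aging-time 600
!
! Notify an NMS when addresses are learned or removed on watched ports,
! so an address that suddenly moves to another port can be investigated
snmp-server host 10.0.0.100 traps version 2c <COMMUNITY> mac-notification
snmp-server enable traps mac-notification
mac address-table notification
mac address-table notification interval 30
mac address-table notification history-size 100
interface fastethernet0/1
 snmp trap mac-notification added
 snmp trap mac-notification removed
!
! Static entry: traffic to the printer's address is always forwarded to
! port 0/2 in VLAN 10, and the entry never ages out
mac address-table static 0000.0c12.3456 vlan 10 interface fastethernet0/2
!
! Secure address: only this station may send on port 0/3. Any frame with
! another source MAC is a violation, and the port is shut down rather
! than the new address being learned.
interface fastethernet0/3
 switchport mode access
 switchport port-security
 switchport port-security maximum 1
 switchport port-security violation shutdown
 switchport port-security mac-address 0000.0c65.4321
end
!
! Verify
show mac address-table aging-time
show mac address-table notification
show port-security interface fastethernet0/3
```

A static entry and a secure entry differ in intent: the static entry pins where frames for an address are sent, while the secure entry restricts which source addresses a port accepts. A port shut down by a violation stays err-disabled until an administrator brings it back with shutdown and no shutdown, which is the point of the shutdown mode over the quieter protect mode.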
Managing the ARP Table
To communicate with a device (over Ethernet, for example), the software first must determine the 48-bit MAC or the local data link address of that device. The process of determining the local data link address from an IP address is called address resolution. The Address Resolution Protocol (ARP) associates a host IP address with the corresponding media or MAC addresses and the VLAN ID.
CHAPTER 8 Configuring 802.1X Port-Based Authentication
This chapter describes how to configure IEEE 802.1X port-based authentication to prevent unauthorized devices (clients) from gaining access to the network. As LANs extend to hotels, airports, and corporate lobbies, insecure environments could be created.
Note
For complete syntax and usage information for the commands used in this chapter, refer to the command reference for this release.
Understanding 802.1X Port-Based Authentication
Device Roles
With 802.1X port-based authentication, the devices in the network have specific roles as shown in Figure 8-1.
Figure 8-1 802.1X Device Roles (figure; labels: Catalyst 2950 or 3550 (switch), authentication server (RADIUS), workstations (clients))
• Client—the device (workstation) that requests access to the LAN and switch services and responds to requests from the switch.
Authentication Initiation and Message Exchange
The switch or the client can initiate authentication. If you enable authentication on a port by using the dot1x port-control auto interface configuration command, the switch must initiate authentication when it determines that the port link state transitions from down to up.
Ports in Authorized and Unauthorized States
The switch port state determines whether or not the client is granted access to the network. The port starts in the unauthorized state. While in this state, the port disallows all ingress and egress traffic except for 802.1X protocol packets.
Configuring 802.1X Authentication
Supported Topologies
The 802.1X port-based authentication is supported in two topologies:
• Point-to-point
• Wireless LAN
In a point-to-point configuration (see Figure 8-1 on page 8-2), only one client can be connected to the 802.1X-enabled switch port. The switch detects the client when the port link state changes to the up state.
Default 802.1X Configuration
Table 8-1 shows the default 802.1X configuration.
Table 8-1 Default 802.1X Configuration
Feature                                              Default Setting
Authentication, authorization, and accounting (AAA)  Disabled.
RADIUS server
  • IP address                                       None specified.
  • UDP authentication port                          1812.
  • Key                                              None specified.
Per-interface 802.1X enable state                    Disabled (force-authorized).
802.1X Configuration Guidelines
These are the 802.1X authentication configuration guidelines:
• When 802.1X is enabled, ports are authenticated before any other Layer 2 features are enabled.
• The 802.1X protocol is supported on Layer 2 static-access ports, but it is not supported on these port types:
  – Trunk port—If you try to enable 802.1X on a trunk port, an error message appears, and 802.1X is not enabled.
Enabling 802.1X Authentication
To enable 802.1X port-based authentication, you must enable AAA and specify the authentication method list. A method list describes the sequence and authentication methods to be queried to authenticate a user. The software uses the first method listed to authenticate users; if that method fails to respond, the software selects the next authentication method in the method list.
This example shows how to enable AAA and 802.
This example shows how to specify the server with IP address 172.20.39.46 as the RADIUS server, to use port 1612 as the authorization port, and to set the encryption key to rad123, matching the key on the RADIUS server:
Switch(config)# radius-server host 172.20.39.
Manually Re-Authenticating a Client Connected to a Port
You can manually re-authenticate the client connected to a specific port at any time by entering the dot1x re-authenticate interface interface-id privileged EXEC command. If you want to enable or disable periodic re-authentication, see the “Enabling Periodic Re-Authentication” section on page 8-10.
Changing the Switch-to-Client Retransmission Time
The client responds to the EAP-request/identity frame from the switch with an EAP-response/identity frame. If the switch does not receive this response, it waits a set period of time (known as the retransmission time) and then resends the frame.
Setting the Switch-to-Client Frame-Retransmission Number
In addition to changing the switch-to-client retransmission time, you can change the number of times that the switch sends an EAP-request/identity frame (assuming no response is received) to the client before restarting the authentication process.
Step 4  end
        Return to privileged EXEC mode.
Step 5  show dot1x interface interface-id
        Verify your entries.
Step 6  copy running-config startup-config
        (Optional) Save your entries in the configuration file.
To disable multiple hosts on the port, use the no dot1x multiple-hosts interface configuration command.
This example shows how to enable 802.
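The 802.1X procedure of this chapter (RADIUS server, AAA, the dot1x method list, per-port control, periodic re-authentication, and the switch-to-client retransmission time and count) carried through in one configuration. This is an added example, not a configuration from the guide; the server address 172.16.1.20, the bracketed key and the interface numbers are constructed placeholders. The periodic re-authentication and timer commands are written in the global-configuration form (dot1x re-authentication, dot1x timeout re-authperiod, dot1x timeout tx-period, dot1x max-req); that this is the form used by this release is an assumption to check against the command reference.

```cisco
! Added example (not from the guide): 802.1X port-based authentication on
! a Catalyst 2950 with a RADIUS server. Server address, key and interface
! numbers are constructed; the global timer command form is an assumption.
configure terminal
!
! RADIUS server used for the EAP exchange. 1812 is the default
! authentication port; the key must match the server's entry for this
! switch. Retransmit/timeout bound how long a client waits when the
! server is slow.
radius-server host 172.16.1.20 auth-port 1812 acct-port 1813 key <RADIUS-KEY>
radius-server retransmit 3
radius-server timeout 5
!
! AAA must be enabled, and the dot1x method list must use RADIUS: the
! switch only relays EAP frames, it has no local 802.1X method
aaa new-model
aaa authentication dot1x default group radius
!
! Periodic re-authentication (assumed global form): a client whose
! account is disabled on the server loses access within an hour, not
! only at the next link-up
dot1x re-authentication
dot1x timeout re-authperiod 3600
!
! Switch-to-client retransmission: wait 30 s for an EAP-response/identity
! and send the request at most 2 more times before restarting
dot1x timeout tx-period 30
dot1x max-req 2
!
! Client-facing port: starts unauthorized (only 802.1X frames pass) and
! is opened when the server accepts the client. Multiple hosts is left
! off, so one authenticated station does not open the port for others.
interface fastethernet0/5
 switchport mode access
 dot1x port-control auto
!
! Uplink to another switch: 802.1X is not supported on trunk ports, so
! this port keeps its default force-authorized state
interface gigabitethernet0/1
 switchport mode trunk
end
!
! Verify port state and EAP counters
show dot1x interface fastethernet0/5
show dot1x statistics interface fastethernet0/5
```

Ports that should never be authenticated (uplinks, servers in a locked room) are left at the default force-authorized state rather than switched to 802.1X and then exempted, since the guideline above notes that enabling 802.1X on a trunk port is rejected. The dot1x re-authenticate interface command can be used at any time to force a check on a single port before the periodic timer expires.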
CHAPTER 9 Configuring the Switch Interfaces This chapter defines the types of interfaces on the switch and describes how to configure them.
Chapter 9 Configuring the Switch Interfaces Understanding Interface Types These sections describe these types of interfaces: • Access Ports, page 9-2 • Trunk Ports, page 9-2 • Port-Based VLANs, page 9-3 • EtherChannel Port Groups, page 9-3 • Connecting Interfaces, page 9-3 Access Ports An access port belongs to and carries the traffic of only one VLAN. Traffic is received and sent in native formats with no VLAN tagging.
Chapter 9 Configuring the Switch Interfaces Understanding Interface Types Port-Based VLANs A VLAN is a switched network that is logically segmented by function, team, or application, without regard to the physical location of the users. For more information about VLANs, see Chapter 14, “Configuring VLANs.” Packets received on a port are forwarded only to ports that belong to the same VLAN as the receiving port.
Chapter 9 Configuring the Switch Interfaces Using the Interface Command Figure 9-1 Connecting VLANs with Layer 2 Switches (figure: a Cisco router, a switch, Host A, Host B, VLAN 20, and VLAN 30) Using the Interface Command To configure a physical interface (port), use the interface global configuration command to enter interface configuration mode and to specify the interface type, slot, and number.
Chapter 9 Configuring the Switch Interfaces Using the Interface Command Enter configuration commands, one per line. End with CNTL/Z. Switch(config)# Step 2 Enter the interface global configuration command. Identify the interface type and the number of the connector. In this example, Gigabit Ethernet interface 0/1 is selected: Switch(config)# interface gigabitethernet0/1 Switch(config-if)# Note You do not need to add a space between the interface type and interface number. Step 3
Chapter 9 Configuring the Switch Interfaces Using the Interface Command Queueing strategy: fifo Output queue 0/40, 0 drops; input queue 0/75, 0 drops 5 minute input rate 0 bits/sec, 0 packets/sec 5 minute output rate 0 bits/sec, 0 packets/sec 0 packets input, 0 bytes, 0 no buffer Received 0 broadcasts, 0 runts, 0 giants, 0 throttles 0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored 0 input packets with dribble condition detected 0 packets output, 0 bytes, 0 underruns 0 output errors, 0 collisions, 2 i
Chapter 9 Configuring the Switch Interfaces Using the Interface Command – gigabitethernet slot/{first port} - {last port}, where slot is 0 – port-channel port-channel-number - port-channel-number, where port-channel-number is from 1 to 6 • You must add a space between the interface numbers and the hyphen when using the interface range command. For example, the command interface range fastethernet 0/1 - 5 is a valid range; the command interface range fastethernet 0/1-5 is not a valid range.
Chapter 9 Configuring the Switch Interfaces Using the Interface Command Configuring and Using Interface-Range Macros You can create an interface-range macro to automatically select a range of interfaces for configuration. Before you can use the macro keyword in the interface range macro global configuration command string, you must use the define interface-range global configuration command to define the macro.
Chapter 9 Configuring the Switch Interfaces Configuring Switch Interfaces This example shows how to define an interface-range macro named enet_list to select Fast Ethernet ports 1 to 4 and to verify the macro configuration: Switch# configure terminal Switch(config)# define interface-range enet_list fastethernet0/1 - 4 Switch(config)# end Switch# show running-config | include define define interface-range enet_list FastEthernet0/1 - 4 This example shows how to create a multiple-interface macro named macro
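As an added example (not code from the Cisco guide), the following Python applies the interface range rules above (a space on each side of the hyphen, slot 0 for Ethernet ports, port-channel numbers 1 to 6) to validate a range string and to expand every define interface-range macro in a running config into the interfaces it selects, which is worth checking before a port-level policy is applied through a macro; the running-config excerpt is constructed.

```python
"""Validate interface-range strings and expand interface-range macros.
Added example, not Cisco's code; the sample running config is constructed."""
import re

# Ethernet ranges: type, slot 0, first port, " - ", last port.  The space on
# each side of the hyphen is mandatory ("0/1 - 5" is valid, "0/1-5" is not).
# The upper port number is not bounded here: the guide gives no maximum.
_ETH = re.compile(r"^(fastethernet|gigabitethernet)\s*0/(\d+) - (\d+)$", re.I)
# port-channel ranges carry a bare channel number, 1 to 6 on this platform.
_PO = re.compile(r"^port-channel\s*(\d+) - (\d+)$", re.I)
_CANON = {"fastethernet": "FastEthernet", "gigabitethernet": "GigabitEthernet",
          "port-channel": "Port-channel"}
_DEFINE = re.compile(r"^define interface-range (\S+) (.+)$")


def expand_range(text: str) -> list:
    """Return the interfaces a range selects, or raise ValueError."""
    text = text.strip()
    m = _ETH.match(text)
    if m:
        kind, first, last = m.group(1).lower(), int(m.group(2)), int(m.group(3))
        name = lambda n: f"{_CANON[kind]}0/{n}"
    else:
        m = _PO.match(text)
        if not m:
            raise ValueError(f"invalid interface range: {text!r}")
        first, last = int(m.group(1)), int(m.group(2))
        if first < 1 or last > 6:
            raise ValueError(f"port-channel numbers must be 1 to 6: {text!r}")
        name = lambda n: f"{_CANON['port-channel']}{n}"
    if first < 1 or last < first:
        raise ValueError(f"first port must be >= 1 and <= last port: {text!r}")
    return [name(n) for n in range(first, last + 1)]


def macros_from_config(config: str) -> dict:
    """Map each macro name in a running config to the interfaces it selects."""
    macros = {}
    for line in config.splitlines():
        m = _DEFINE.match(line.strip())
        if m:
            macros[m.group(1)] = expand_range(m.group(2))
    return macros


# Constructed running-config excerpt in the format of the show output above.
SAMPLE_CONFIG = """\
hostname Switch
define interface-range enet_list FastEthernet0/1 - 4
define interface-range uplinks GigabitEthernet0/1 - 2
define interface-range bundles port-channel 1 - 2
"""
```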
Chapter 9 Configuring the Switch Interfaces Configuring Switch Interfaces Default Ethernet Interface Configuration Table 9-1 shows the Ethernet interface default configuration. For more details on the VLAN parameters listed in the table, see Chapter 14, “Configuring VLANs.” For details on controlling traffic to the port, see Chapter 18, “Configuring Port-Based Traffic Control.” Table 9-1 Default Ethernet Interface Configuration Feature Default Setting Operating mode Layer 2.
Chapter 9 Configuring the Switch Interfaces Configuring Switch Interfaces become active. In that scenario, a valid configuration is to install the fiber-optic under Uplink Port 1 by having an SFP module plugged in, and to install the copper under Uplink Port 2 without the SFP module plugged in. Note By using the media-type auto-select command in Cisco IOS command-line interface (CLI), you can configure the Catalyst 2950 LRE so that the SFP module port does not take precedence over the 10/100/1000 port.
Chapter 9 Configuring the Switch Interfaces Configuring Switch Interfaces Note You cannot configure speed or duplex mode on Gigabit Interface Converter (GBIC) ports, but for certain types of GBICs, you can configure speed to not negotiate (nonegotiate) if the GBIC ports are connected to a device that does not support autonegotiation.
Chapter 9 Configuring the Switch Interfaces Configuring Switch Interfaces Setting the Interface Speed and Duplex Parameters Note The Ethernet link settings on the CPE Ethernet ports have special considerations and different default settings from the 10/100 ports. For this information, see the “Ports on the 2950 LRE” section on page 10-1.
Chapter 9 Configuring the Switch Interfaces Configuring Switch Interfaces service timestamps log uptime no service password-encryption ! hostname Switch !
Chapter 9 Configuring the Switch Interfaces Configuring Switch Interfaces These rules apply to flow control settings on the device: • receive on (or desired) and send on: Flow control operates in both directions; both the local and the remote devices can send pause frames to show link congestion. • receive on (or desired) and send desired: The port can receive pause frames and can send pause frames if the attached device supports flow control.
Chapter 9 Configuring the Switch Interfaces Monitoring and Maintaining the Interfaces Adding a Description for an Interface You can add a description about an interface to help you remember its function. The description appears in the output of these commands: show configuration , show running-config, and show interfaces.
Chapter 9 Configuring the Switch Interfaces Monitoring and Maintaining the Interfaces Table 9-2 Show Commands for Interfaces Command Purpose show interfaces [interface-id] Display the status and configuration of all interfaces or a specific interface. show interfaces interface-id status [err-disabled] Display interface status or a list of interfaces in error-disabled state. show interfaces [media | media] Display the output of the media-type that is configured.
Chapter 9 Configuring the Switch Interfaces Monitoring and Maintaining the Interfaces Operational Mode: down This example shows how to display the running configuration of Fast Ethernet interface 0/2: Switch# show running-config interface fastethernet0/2 Building configuration...
Chapter 9 Configuring the Switch Interfaces Monitoring and Maintaining the Interfaces Clearing and Resetting Interfaces and Counters Table 9-3 lists the clear privileged EXEC commands that you can use to clear counters and reset interfaces. Table 9-3 Clear Commands for Interfaces Command Purpose clear counters [interface-id] Clear interface counters. clear interface interface-id Reset the hardware logic on an interface.
Chapter 9 Configuring the Switch Interfaces Monitoring and Maintaining the Interfaces Command Purpose Step 4 end Return to privileged EXEC mode. Step 5 show running-config Verify your entry. Use the no shutdown interface configuration command to restart the interface.
CHAPTER 10 Configuring LRE This chapter describes how to configure the Long-Reach Ethernet (LRE) features on your switch.
Chapter 10 Configuring LRE LRE Links and LRE Profiles LRE Links and LRE Profiles The LRE link settings define the connection between the switch LRE port and the CPE RJ-11 wall port. The LRE link provides symmetric and asymmetric bandwidth for data, voice, and video traffic. Symmetric transmission is when the downstream and upstream bandwidths are the same. Asymmetric transmission is when the downstream and the upstream bandwidths differ.
Chapter 10 Configuring LRE LRE Links and LRE Profiles Table 10-1 LRE Profiles

Profile Name      LRE Link Downstream Rate (Mbps)  LRE Link Upstream Rate (Mbps)  Theoretical Min SNR Downstream  Theoretical Min SNR Upstream
LRE-15            16.667                           18.750                         31                              25
LRE-10 (default)  12.500                           12.500                         25                              19
LRE-5             6.250                            6.250                          16                              13
LRE-998-15-4      16.667                           4.688                          31                              25
LRE-997-10-4      12.500                           4.688                          31                              25
LRE-15LL          16.667                           18.750                         31                              25
LRE-10LL          12.500                           12.500                         25                              19
LRE-5LL           6.250                            6.250                          16                              13
LRE-10-5          12.
Chapter 10 Configuring LRE LRE Links and LRE Profiles • Use the LL profiles (LRE-5LL, LRE-10LL, and LRE-15LL) with care. These profiles have the low-latency (LL) feature enabled and the interleaver feature disabled. The LL feature does not delay data transmission, but it makes data more susceptible to interruptions on the LRE link. All other profiles, port and global, have the interleaver feature enabled and the LL feature disabled.
Chapter 10 Configuring LRE Configuring LRE Ports Beginning with the first profile in a sequence, the switch attempts to apply each profile within that sequence to the LRE interface. The switch continues these attempts until it converges (convergence time refers to the time required for the switch to settle on an appropriate profile for the LRE interface). The link is DOWN until a link is established by one of the profiles in the sequence, after which, it is UP.
Chapter 10 Configuring LRE Configuring LRE Ports Environmental Guidelines for LRE Links The guidelines for your LRE environment are based on these factors: • Maximum distance between the LRE switch and CPE devices—LRE runs on Category 1, 2, and 3 structured and unstructured cable. The maximum distance supported on the LRE link is from 3500 to 5000 feet, depending on the profile. The higher the rate, the shorter the distance.
Chapter 10 Configuring LRE Configuring LRE Ports The greatest impact on LRE performance is from the frequency response of the cable at the higher frequencies. LRE signals are more susceptible to interference at higher frequencies. The LRE upstream signal operates at the high end of the frequency spectrum. Cables have higher attenuation at higher frequencies and also interfere with other pairs in the bundle at higher frequencies. This interference or cross talk can significantly impact the signal quality.
Chapter 10 Configuring LRE Configuring LRE Ports Note When the default speed is set to 10 or 100 Mbps with half duplex, the values set are the same. If the remote values are 10 Mbps with full duplex, the Cisco 575 LRE CPE Ethernet port is profile independent. All LRE profiles are set to be 10 Mbps with half duplex except for LRE-10 (the default), which is set to 10 Mbps with full duplex. For a setting of 100 Mbps with full duplex, the value is set to 100 Mbps with half duplex.
Chapter 10 Configuring LRE Configuring LRE Ports Use the show controllers lre privileged EXEC commands to display the LRE link statistics and profile information on the LRE ports. For information about these commands, refer to the switch command reference. Assigning a Profile to a Specific LRE Port You can set profiles on a per-port basis. You can assign the same profile or different profiles to the LRE ports on the switch. The default active profile on all LRE ports is LRE-10.
Chapter 10 Configuring LRE Configuring LRE Ports Assigning a Sequence to a Specific LRE Port You can set sequences on a per-port basis. You can assign the same sequence or different sequences to the LRE ports on the switch. If you assign a sequence on a port basis, it overrides any previously or subsequently set profiles or global sequence. The switch resets the ports with the updated sequence settings when changed.
Chapter 10 Configuring LRE Configuring LRE Ports In any of these cases, rate selection obtains the optimal profile for your line conditions. Note When an LRE link is lost for fewer than 25 seconds, the switch does not execute rate selection to re-establish the link. The link is re-established at the profile used before link loss. The switch chooses the appropriate profile for an LRE interface when it executes rate selection.
Chapter 10 Configuring LRE Configuring LRE Ports Link Qualification and SNR Margins When rate selection is running, the SNR is used as an indicator of link quality. The switch does not provide any internal mechanism to ensure link quality. There can be different requirements for link quality, depending on the required bit-error rate and the noise level of the environment. A noisier environment would require a higher SNR to be able to provide a stable link.
Chapter 10 Configuring LRE Configuring LRE Ports Table 10-4 SNR Requirements for Upstream Rates

Profile   Gross Data Rate  QAM  Theoretical Minimum SNR  Low Noise SNR  Medium Noise SNR  High Noise SNR
LRE-4-1   1.56             4    13                       15             17                20
LRE-7     8.333            16   19                       21             23                26
LRE-8     9.375            64   25                       27             30                34
LRE-5     6.25             4    13                       15             17                20
LRE-10    12.5             16   19                       21             23                26
LRE-15    18.75            64   25                       27             30                34
LRE-10-5  6.25             4    13                       15             17                20
LRE-10-3  3.125            16   19                       21             23                26
LRE-10-1  1.
Chapter 10 Configuring LRE Configuring LRE Ports Note The margin command is effective with any profile, but only in conjunction with rate selection and only when a link is being activated. LRE Link Persistence A brief LRE link down and up transition can cause the rest of the IOS modules to react immediately; for example, the dynamic MAC addresses are removed from that port's table.
Chapter 10 Configuring LRE Upgrading LRE Switch Firmware • Link Fail Counts: The number of times the link failed. A link fail interrupts operation of the Ethernet link for a small number of milliseconds. During this interruption, some packets might be dropped (depending on traffic levels). • PMD Freeze Event Counter: Counts the occurrence of micro-interruption or saturation events. Micro-interruptions and ADC saturations are caused by impulse noise for a short duration.
Chapter 10 Configuring LRE Upgrading LRE Switch Firmware If you wish to override the switch’s automatic selection of LRE binaries, you have these methods available: • Global LRE upgrade configuration commands • LRE controller configuration commands You can use global configuration commands to specify the LRE binary or binaries for a specified target type. (A target type is the family [and optionally the model or model revision] of a device containing one or more upgradable hardware elements.
Chapter 10 Configuring LRE Upgrading LRE Switch Firmware Global Configuration of LRE Upgrades Beginning in privileged EXEC mode, follow these steps to perform a system-wide upgrade to configure the LRE binary to apply to a target device and upgradable hardware element combination: Command Purpose Step 1 configure terminal Enter global configuration mode. Step 2 lre binary default target_device LRE_binary Enter the device to which the LRE binary should be applied; and the LRE binary to be applied.
Chapter 10 Configuring LRE Upgrading LRE Switch Firmware LRE Upgrade Behavior Details You see on the console screen when you start an upgrade: Switch>en Switch#hw-module slot 0 upgrade lre You are about to start an LRE upgrade on all LRE interfaces. Users on LRE links being upgraded will experience a temporary disruption of Ethernet connectivity. Start LRE upgrade ? [yes]: If you answer yes or press the Enter key, the upgrade starts. If you answer no, you get the EXEC prompt.
Chapter 10 Configuring LRE Upgrading LRE Switch Firmware The CPE device has finished resetting. The desired profile is applied. 00:23:58: %LRE_LINK-3-UPDOWN: Interface Lo0/1, changed state to UP 00:23:59: %LINK-3-UPDOWN: Interface LongReachEthernet0/1, changed state to up 00:24:02: %LINEPROTO-5-UPDOWN: Line protocol on Interface LongReachEthernet0/1, changed state to up Operation resumes in the profile link up state.
CHAPTER 11 Configuring STP This chapter describes how to configure the Spanning Tree Protocol (STP) on your switch. For information about the Rapid Spanning Tree Protocol (RSTP) and the Multiple Spanning Tree Protocol (MSTP), see Chapter 12, “Configuring RSTP and MSTP.” For information about optional spanning-tree features, see Chapter 13, “Configuring Optional Spanning-Tree Features.
Chapter 11 Configuring STP Understanding Spanning-Tree Features • Spanning Tree and Redundant Connectivity, page 11-8 • Accelerated Aging to Retain Connectivity, page 11-9 STP Overview STP is a Layer 2 link management protocol that provides path redundancy while preventing loops in the network. For a Layer 2 Ethernet network to function properly, only one active path can exist between any two stations.
Chapter 11 Configuring STP Understanding Spanning-Tree Features • Message age • The identifier of the sending interface • Values for the hello, forward delay, and max-age protocol timers When a switch receives a configuration BPDU that contains superior information (lower bridge ID, lower path cost, and so forth), it stores the information for that port.
Chapter 11 Configuring STP Understanding Spanning-Tree Features BPDUs contain information about the sending switch and its ports, including switch and MAC addresses, switch priority, port priority, and path cost. Spanning tree uses this information to elect the root switch and root port for the switched network and the root port and designated port for each switched segment. Bridge ID, Switch Priority, and Extended System ID The IEEE 802.
Chapter 11 Configuring STP Understanding Spanning-Tree Features Creating the Spanning-Tree Topology In Figure 11-1, Switch A is elected as the root switch because the switch priority of all the switches is set to the default (32768) and Switch A has the lowest MAC address. However, because of traffic patterns, number of forwarding interfaces, or link types, Switch A might not be the ideal root switch.
Chapter 11 Configuring STP Understanding Spanning-Tree Features An interface moves through these states: • From initialization to blocking • From blocking to listening or to disabled • From listening to learning or to disabled • From learning to forwarding or to disabled • From forwarding to disabled Figure 11-2 illustrates how an interface moves through the states.
Chapter 11 Configuring STP Understanding Spanning-Tree Features Blocking State A Layer 2 interface in the blocking state does not participate in frame forwarding. After initialization, a BPDU is sent to each interface in the switch. A switch initially functions as the root until it exchanges BPDUs with other switches. This exchange establishes which switch in the network is the root or root switch.
Chapter 11 Configuring STP Understanding Spanning-Tree Features Disabled State A Layer 2 interface in the disabled state does not participate in frame forwarding or in the spanning tree. An interface in the disabled state is nonoperational. A disabled interface performs as follows: • Discards frames received on the port • Discards frames switched from another interface for forwarding • Does not learn addresses • Does not receive BPDUs Spanning-Tree Address Management IEEE 802.
Chapter 11 Configuring STP Configuring Spanning-Tree Features Figure 11-3 Spanning Tree and Redundant Connectivity (figure: Switch A, Switch B, and Switch C, each a Catalyst 2950 or 3550 switch, with an active link, a blocked link, and workstations) You can also create redundant links between switches by using EtherChannel groups. For more information, see Chapter 27, “Configuring EtherChannels.
Chapter 11 Configuring STP Configuring Spanning-Tree Features • Configuring the Hello Time, page 11-19 • Configuring the Forwarding-Delay Time for a VLAN, page 11-19 • Configuring the Maximum-Aging Time for a VLAN, page 11-20 • Configuring STP for Use in a Cascaded Stack, page 11-20 Default STP Configuration Table 11-3 shows the default STP configuration. Table 11-3 Default STP Configuration Feature Default Setting Enable state Enabled on VLAN 1.
Chapter 11 Configuring STP Configuring Spanning-Tree Features Caution Switches that are not running spanning tree still forward BPDUs that they receive so that the other switches on the VLAN that have a running spanning-tree instance can break loops. Therefore, spanning tree must be running on enough switches to break all the loops in the network; for example, at least one switch on each loop in the VLAN must be running spanning tree.
Chapter 11 Configuring STP Configuring Spanning-Tree Features Disabling STP STP is enabled by default on VLAN 1 and on all newly created VLANs up to the spanning-tree limit specified in Table 11-3. Disable STP only if you are sure there are no loops in the network topology. Caution When STP is disabled and loops are present in the topology, excessive traffic and indefinite packet duplication can drastically reduce network performance.
Chapter 11 Configuring STP Configuring Spanning-Tree Features These examples show the effect of the spanning-tree vlan vlan-id root command with and without the extended system ID support: • For Catalyst 2950 switches with the extended system ID (Release 12.
Chapter 11 Configuring STP Configuring Spanning-Tree Features Beginning in privileged EXEC mode, follow these steps to configure a switch to become the root for the specified VLAN: Command Purpose Step 1 configure terminal Enter global configuration mode. Step 2 spanning-tree vlan vlan-id root primary [diameter net-diameter [hello-time seconds]] Configure a switch to become the root for the specified VLAN.
Chapter 11 Configuring STP Configuring Spanning-Tree Features Beginning in privileged EXEC mode, follow these steps to configure a switch to become the secondary root for the specified VLAN: Command Purpose Step 1 configure terminal Enter global configuration mode. Step 2 spanning-tree vlan vlan-id root secondary [diameter net-diameter [hello-time seconds]] Configure a switch to become the secondary root for the specified VLAN.
Chapter 11 Configuring STP Configuring Spanning-Tree Features Step 3 Command Purpose spanning-tree port-priority priority Configure the port priority for an interface that is an access port. For priority, the range is 0 to 255; the default is 128. The lower the number, the higher the priority. Step 4 spanning-tree vlan vlan-id port-priority priority Configure the VLAN port priority for an interface that is a trunk port.
Chapter 11 Configuring STP Configuring Spanning-Tree Features Step 3 Command Purpose spanning-tree cost cost Configure the cost for an interface that is an access port. If a loop occurs, spanning tree uses the path cost when selecting an interface to place into the forwarding state. A lower path cost represents higher-speed transmission. For cost, the range is 1 to 200000000; the default value is derived from the media speed of the interface.
Chapter 11 Configuring STP Configuring Spanning-Tree Features Configuring the Switch Priority of a VLAN You can configure the switch priority and make it more likely that the switch will be chosen as the root switch. Note Exercise care when using this command. For most situations, we recommend that you use the spanning-tree vlan vlan-id root primary and the spanning-tree vlan vlan-id root secondary global configuration commands to modify the switch priority.
Chapter 11 Configuring STP Configuring Spanning-Tree Features Configuring the Hello Time You can configure the interval between the generation of configuration messages by the root switch by changing the hello time. Note Exercise care when using this command. For most situations, we recommend that you use the spanning-tree vlan vlan-id root primary and the spanning-tree vlan vlan-id root secondary global configuration commands to modify the hello time.
Chapter 11 Configuring STP Configuring Spanning-Tree Features To return the switch to its default setting, use the no spanning-tree vlan vlan-id forward-time global configuration command. Configuring the Maximum-Aging Time for a VLAN Beginning in privileged EXEC mode, follow these steps to configure the maximum-aging time for a VLAN: Command Purpose Step 1 configure terminal Enter global configuration mode.
Chapter 11 Configuring STP Displaying the Spanning-Tree Status Figure 11-4 Gigabit Ethernet Stack (figure: Option 1, standalone cascaded cluster; Option 2, cascaded cluster connected to a Layer 2 backbone; Option 3, cascaded cluster connected to a Layer 3 backbone; devices shown are Catalyst 2950 or 3550 switches, a Catalyst 3550 series switch, a Catalyst 3550 or 6000 series backbone, a Catalyst 6000 switch, and Cisco 7000 routers) Displ
CHAPTER 12 Configuring RSTP and MSTP This chapter describes how to configure the Cisco implementation of the IEEE 802.1w Rapid Spanning Tree Protocol (RSTP) and the IEEE 802.1s Multiple STP (MSTP) on your switch. To use the features described in this chapter, you must have the enhanced software image (EI) installed on your switch. RSTP provides rapid convergence of the spanning tree.
Chapter 12 Configuring RSTP and MSTP Understanding RSTP Understanding RSTP The RSTP takes advantage of point-to-point wiring and provides rapid convergence of the spanning tree. Reconfiguration of the spanning tree can occur in less than 1 second (in contrast to 50 seconds with the default settings in the 802.1D spanning tree), which is critical for networks carrying delay-sensitive traffic such as voice and video.
Chapter 12 Configuring RSTP and MSTP Understanding RSTP Table 12-1 Port State Comparison (continued)

Operational Status  STP Port State  RSTP Port State  Is Port Included in the Active Topology?
Enabled             Forwarding      Forwarding       Yes
Disabled            Disabled        Discarding       No

To be consistent with Cisco STP implementations, this guide documents the port state as blocking instead of discarding. Designated ports start in the listening state.
Chapter 12 Configuring RSTP and MSTP Understanding RSTP Figure 12-1 Proposal and Agreement Handshaking for Rapid Convergence (figure: Switch A, Switch B, and Switch C exchange proposal and agreement messages; DP = designated port, RP = root port, F = forwarding) Synchronization of Port Roles When the switch receives a proposal message on one of its ports and that port is selected as the new r
Chapter 12 Configuring RSTP and MSTP Understanding RSTP Figure 12-2 Sequence of Events During Rapid Convergence (figure: the numbered sequence 1. Proposal, 2. Block, 3. Block, 4. Agreement, 5. Forward, 6. Proposal, 7. Proposal, 8. Agreement, 9. Forward, 10. Agreement, 11. Forward across root, designated, and edge ports) Bridge Protocol Data Unit Format and Processing The RSTP BPDU format is the same as the IEEE 802.1D BPDU format except that the protocol version is set to 2.
Chapter 12 Configuring RSTP and MSTP Understanding RSTP The RSTP does not have a separate topology change notification (TCN) BPDU. It uses the topology change (TC) flag to show the topology changes. However, for interoperability with 802.1D switches, the RSTP switch processes and generates TCN BPDUs. The learning and forwarding flags are set according to the state of the sending port.
Chapter 12 Configuring RSTP and MSTP Understanding MSTP • Propagation—When an RSTP switch receives a TC message from another switch through a designated or root port, it propagates the topology change to all of its nonedge, edge, designated ports, and root port (excluding the port on which it is received). The switch starts the TC-while timer for all such ports and flushes the information learned on them. • Protocol migration—For backward compatibility with 802.1D switches, RSTP selectively sends 802.
Chapter 12 Configuring RSTP and MSTP Understanding MSTP IST, CIST, and CST Unlike PVST+ in which all the spanning-tree instances are independent, the MSTP establishes and maintains two types of spanning-trees: • An internal spanning tree (IST), which is the spanning tree that runs in an MST region. Within each MST region, the MSTP maintains multiple spanning-tree instances. Instance 0 is a special instance for a region, known as the internal spanning tree (IST).
Chapter 12 Configuring RSTP and MSTP Understanding MSTP Operations Between MST Regions If there are multiple regions or legacy 802.1D switches within the network, MSTP establishes and maintains the CST, which includes all MST regions and all legacy STP switches in the network. The MST instances combine with the IST at the boundary of the region to become the CST.
Chapter 12 Configuring RSTP and MSTP Understanding MSTP Hop Count The IST and MST instances do not use the message-age and maximum-age information in the configuration BPDU to compute the spanning-tree topology. Instead, they use the path cost to the root and a hop-count mechanism similar to the IP time-to-live (TTL) mechanism.
Chapter 12 Configuring RSTP and MSTP Interoperability with 802.1D STP Interoperability with 802.1D STP A switch running both MSTP and RSTP supports a built-in protocol migration mechanism that enables it to interoperate with legacy 802.1D switches. If this switch receives a legacy 802.1D configuration BPDU (a BPDU with the protocol version set to 0), it sends only 802.1D BPDUs on that port.
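The BPDU contents listed in Chapter 11 (root and bridge IDs, path cost, timers), the version-2 RSTP format and flags described under “Bridge Protocol Data Unit Format and Processing”, and the version-0 legacy BPDU mentioned here, worked through in Python as an added example that is not code from the Cisco guide: it decodes configuration and RST BPDUs, applies the “superior information” comparison (lower root bridge ID, then lower root path cost), and lists any received BPDU whose advertised root would win the election over the switch you configured as root. All frames and MAC addresses are constructed; the priority field is split as 32768 + VLAN ID, which assumes the extended system ID is in use.

```python
"""Decode 802.1D / RSTP configuration BPDUs and compare the root information
they carry (lower root bridge ID, then lower root path cost).  Added example,
not code from the Cisco guide; every sample frame below is constructed."""
import struct
from collections import namedtuple
from dataclasses import dataclass

PORT_ROLE = {0: "unknown", 1: "alternate/backup", 2: "root", 3: "designated"}
Bpdu = namedtuple("Bpdu", "version bpdu_type flags root root_path_cost bridge "
                          "port_id message_age max_age hello_time forward_delay")

@dataclass(frozen=True)
class BridgeId:
    field: int   # 16-bit priority field exactly as carried on the wire
    mac: str     # lowercase, colon-separated: string order equals numeric order

    @property
    def priority(self) -> int:       # configured priority, a multiple of 4096
        return self.field & 0xF000

    @property
    def system_id_ext(self) -> int:  # VLAN (or MST instance) ID, extended system ID
        return self.field & 0x0FFF

    @property
    def sort_key(self):              # lower wins the root election
        return (self.field, self.mac)

def _bridge_id(raw: bytes) -> BridgeId:
    return BridgeId(struct.unpack("!H", raw[:2])[0],
                    ":".join(f"{b:02x}" for b in raw[2:8]))

def decode_flags(version: int, flags: int) -> dict:
    # 802.1D defines only TC (bit 0) and TCA (bit 7); RSTP (version 2) adds
    # proposal, port role, learning, forwarding and agreement in the same octet.
    out = {"tc": bool(flags & 0x01), "tca": bool(flags & 0x80)}
    if version >= 2:
        out.update(proposal=bool(flags & 0x02),
                   port_role=PORT_ROLE[(flags >> 2) & 0x03],
                   learning=bool(flags & 0x10),
                   forwarding=bool(flags & 0x20),
                   agreement=bool(flags & 0x40))
    return out

def parse_bpdu(data: bytes) -> Bpdu:
    """Parse the BPDU payload that follows the 802.2 LLC header."""
    proto_id, version, bpdu_type = struct.unpack("!HBB", data[:4])
    if proto_id != 0:
        raise ValueError("not an IEEE spanning-tree BPDU")
    if bpdu_type == 0x80:
        raise ValueError("TCN BPDU carries no root information")
    # Config BPDU (type 0x00) and RST BPDU (type 0x02) share this 31-byte body;
    # RSTP appends a version-1-length octet that this check does not need.
    (flags, root_raw, cost, bridge_raw, port_id, msg_age, max_age, hello,
     fwd) = struct.unpack("!B8sI8sHHHHH", data[4:35])
    return Bpdu(version, bpdu_type, decode_flags(version, flags),
                _bridge_id(root_raw), cost, _bridge_id(bridge_raw), port_id,
                msg_age / 256, max_age / 256, hello / 256, fwd / 256)  # 1/256 s units

def is_superior(candidate: Bpdu, current: Bpdu) -> bool:
    """802.1D precedence: lower root ID, then lower root path cost, then lower
    sending bridge ID, then lower sending port ID."""
    def key(b):
        return (b.root.sort_key, b.root_path_cost, b.bridge.sort_key, b.port_id)
    return key(candidate) < key(current)

def elect_root(bpdus) -> BridgeId:
    return min((b.root for b in bpdus), key=lambda r: r.sort_key)

def unexpected_root_claims(bpdus, expected_root: BridgeId) -> list:
    """BPDUs advertising a root that would win the election against the switch
    you configured as root, e.g. a sender at a lower priority than the default."""
    return [b for b in bpdus if b.root.sort_key < expected_root.sort_key]

def build_config_bpdu(version, flags, root_field, root_mac, cost, bridge_field,
                      bridge_mac, port_id=0x8001) -> bytes:
    """Constructed test frames (payload only) for the checks above."""
    mac = lambda s: bytes.fromhex(s.replace(":", ""))
    body = struct.pack("!B8sI8sHHHHH", flags,
                       struct.pack("!H", root_field) + mac(root_mac), cost,
                       struct.pack("!H", bridge_field) + mac(bridge_mac),
                       port_id, 0, 20 * 256, 2 * 256, 15 * 256)
    head = struct.pack("!HBB", 0, version, 0x02 if version >= 2 else 0x00)
    return head + body + (b"\x00" if version >= 2 else b"")

# Constructed scenario in the spirit of Figure 11-1: every switch at the default
# priority (32768 + VLAN 1 = 32769 on the wire) and Switch A has the lowest MAC.
MAC_A, MAC_B, MAC_C, MAC_X = ("00:00:0c:aa:aa:01", "00:00:0c:aa:aa:02",
                              "00:00:0c:aa:aa:03", "00:00:0c:ff:ff:ff")
SAMPLE_FRAMES = {
    "from_B_v0": build_config_bpdu(0, 0x00, 32769, MAC_A, 19, 32769, MAC_B),
    "from_C_v0": build_config_bpdu(0, 0x00, 32769, MAC_A, 4, 32769, MAC_C),
    # RST BPDU (version 2): proposal + designated role + learning + forwarding
    # from a sender claiming root at priority 4096, which beats Switch A.
    "from_X_v2": build_config_bpdu(2, 0x3E, 4097, MAC_X, 0, 4097, MAC_X),
}
```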
Chapter 12 Configuring RSTP and MSTP Configuring RSTP and MSTP Features Default RSTP and MSTP Configuration Table 12-3 shows the default RSTP and MSTP configuration. Table 12-3 Default RSTP and MSTP Configuration Feature Default Setting Spanning-tree mode PVST (MSTP and RSTP are disabled). Switch priority (configurable on a per-CIST interface basis) 32768. Spanning-tree port priority (configurable on a per-CIST interface basis) 128.
Chapter 12 Configuring RSTP and MSTP Configuring RSTP and MSTP Features Specifying the MST Region Configuration and Enabling MSTP For two or more switches to be in the same MST region, they must have the same VLAN-to-instance mapping, the same configuration revision number, and the same name. A region can have one member or multiple members with the same MST configuration; each member must be capable of processing RSTP BPDUs.
Chapter 12 Configuring RSTP and MSTP Configuring RSTP and MSTP Features configuration command. To return to the default revision number, use the no revision MST configuration command. To re-enable PVST, use the no spanning-tree mode or the spanning-tree mode pvst global configuration command.
Chapter 12 Configuring RSTP and MSTP Configuring RSTP and MSTP Features Note The root switch for each spanning-tree instance should be a backbone or distribution switch. Do not configure an access switch as the spanning-tree primary root. Use the diameter keyword, which is available only for MST instance 0, to specify the Layer 2 network diameter (that is, the maximum number of switch hops between any two end stations in the Layer 2 network).
Chapter 12 Configuring RSTP and MSTP Configuring RSTP and MSTP Features Configuring a Secondary Root Switch When you configure a Catalyst 2950 switch that supports the extended system ID as the secondary root, the spanning-tree switch priority is modified from the default value (32768) to 28672. The switch is then likely to become the root switch for the specified instance if the primary root switch fails.
Chapter 12 Configuring RSTP and MSTP Configuring RSTP and MSTP Features Configuring the Port Priority If a loop occurs, the MSTP uses the port priority when selecting an interface to put into the forwarding state. You can assign higher priority values (lower numerical values) to interfaces that you want selected first and lower priority values (higher numerical values) that you want selected last.
Chapter 12 Configuring RSTP and MSTP Configuring RSTP and MSTP Features Configuring the Path Cost The MSTP path cost default value is derived from the media speed of an interface. If a loop occurs, the MSTP uses cost when selecting an interface to put in the forwarding state. You can assign lower cost values to interfaces that you want selected first and higher cost values that you want selected last.
Chapter 12 Configuring RSTP and MSTP Configuring RSTP and MSTP Features Configuring the Switch Priority You can configure the switch priority and make it more likely that the switch will be chosen as the root switch. Note Exercise care when using this command. For most situations, we recommend that you use the spanning-tree mst instance-id root primary and the spanning-tree mst instance-id root secondary global configuration commands to modify the switch priority.
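The four sections above (secondary root, port priority, path cost, switch priority) all feed the same two comparisons: the bridge-ID comparison that elects the root and the tie-break that picks a root port. The following is an added example, not Cisco code, that carries both comparisons out; every MAC, priority and cost in it is a constructed sample.

```python
"""Added example, not Cisco code: how the switch priority, extended system ID,
port priority and path cost discussed in the sections above decide the root
switch and the root port.  All MACs, priorities and costs are constructed."""
from dataclasses import dataclass
from typing import Iterable, List, Tuple


def mac_to_int(mac: str) -> int:
    """Accept Cisco dotted (0012.2233.4455), colon or dash notation."""
    digits = mac.lower().replace(".", "").replace(":", "").replace("-", "")
    if len(digits) != 12 or any(c not in "0123456789abcdef" for c in digits):
        raise ValueError(f"bad MAC address: {mac!r}")
    return int(digits, 16)


@dataclass(frozen=True)
class BridgeId:
    priority: int    # 0-61440 in steps of 4096; 32768 default, 28672 secondary root
    sys_id_ext: int  # 12-bit extended system ID: MST instance (or VLAN) number
    mac: str

    def __post_init__(self) -> None:
        if self.priority % 4096 or not 0 <= self.priority <= 61440:
            raise ValueError("priority must be a multiple of 4096 from 0 to 61440")
        if not 0 <= self.sys_id_ext <= 4095:
            raise ValueError("sys-id-ext must fit in 12 bits")
        mac_to_int(self.mac)  # reject malformed MACs early

    def key(self) -> Tuple[int, int]:
        # 802.1t bridge ID: 16-bit (priority + sys-id-ext) field, then the MAC.
        # 32768 + instance 1 is the "Priority 32769" value IOS displays.
        return (self.priority + self.sys_id_ext, mac_to_int(self.mac))


def elect_root(bridges: Iterable[BridgeId]) -> BridgeId:
    """The bridge with the numerically lowest bridge ID becomes the root."""
    return min(bridges, key=BridgeId.key)


@dataclass(frozen=True)
class PortOffer:
    """Best BPDU received on one local port of a non-root switch."""
    port_name: str
    port_cost: int             # path cost of this port (default from media speed)
    sender_root_cost: int      # root path cost advertised by the upstream switch
    sender: BridgeId           # bridge ID of the upstream (designated) switch
    sender_port_priority: int  # 0-240 in steps of 16, default 128
    sender_port_number: int
    local_port_priority: int = 128
    local_port_number: int = 0

    def __post_init__(self) -> None:
        for p in (self.sender_port_priority, self.local_port_priority):
            if p % 16 or not 0 <= p <= 240:
                raise ValueError("port priority must be a multiple of 16 from 0 to 240")

    def key(self):
        # Lowest value wins at each stage, evaluated in this order:
        #  1. root path cost = advertised cost + this port's own cost
        #  2. sender bridge ID
        #  3. sender port ID (priority, then number)
        #  4. local port ID (reached only when both links end on one sender port)
        return (self.sender_root_cost + self.port_cost,
                self.sender.key(),
                (self.sender_port_priority, self.sender_port_number),
                (self.local_port_priority, self.local_port_number))


def select_root_port(offers: List[PortOffer]) -> PortOffer:
    """Pick the port that goes forwarding; the other ports toward the root block."""
    if not offers:
        raise ValueError("no port received a BPDU")
    return min(offers, key=PortOffer.key)


# Constructed topology for MST instance 0: A is the primary root, B the secondary
# root (28672), C keeps the default priority although its MAC is the lowest.
SWITCH_A = BridgeId(24576, 0, "0000.0c11.aaaa")
SWITCH_B = BridgeId(28672, 0, "0000.0c22.bbbb")
SWITCH_C = BridgeId(32768, 0, "0000.0c00.0001")
SAMPLE_BRIDGES = [SWITCH_A, SWITCH_B, SWITCH_C]

# Constructed BPDUs seen by switch C once B has become root: two equal-cost
# links to B, told apart only by the port priority configured on B's ports.
SAMPLE_OFFERS = [
    PortOffer("fa0/1", 19, 0, SWITCH_B, 128, 1, local_port_number=1),
    PortOffer("fa0/2", 19, 0, SWITCH_B, 64, 2, local_port_number=2),
    PortOffer("fa0/3", 19, 19, BridgeId(32768, 0, "0000.0c33.cccc"), 128, 3,
              local_port_number=3),
]

if __name__ == "__main__":
    print("root:", elect_root(SAMPLE_BRIDGES).mac)                    # switch A
    print("root if A fails:", elect_root(SAMPLE_BRIDGES[1:]).mac)     # switch B
    print("root port on C:", select_root_port(SAMPLE_OFFERS).port_name)  # fa0/2
```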
Beginning in privileged EXEC mode, follow these steps to configure the hello time for all MST instances:
Step 1  configure terminal: Enter global configuration mode.
Step 2  spanning-tree mst hello-time seconds: Configure the hello time for all MST instances. The hello time is the interval between the generation of configuration messages by the root switch. These messages mean that the switch is alive.

Configuring the Maximum-Aging Time

Beginning in privileged EXEC mode, follow these steps to configure the maximum-aging time for all MST instances:
Step 1  configure terminal: Enter global configuration mode.
Step 2  spanning-tree mst max-age seconds: Configure the maximum-aging time for all MST instances.

Specifying the Link Type to Ensure Rapid Transitions

If you connect a port to another port through a point-to-point link and the local port becomes a designated port, the RSTP negotiates a rapid transition with the other port by using the proposal-agreement handshake to ensure a loop-free topology as described in the “Rapid Convergence” section on page 12-3.

Displaying the MST Configuration and Status

To display the spanning-tree status, use one or more of the privileged EXEC commands in Table 12-4:

Table 12-4 Commands for Displaying MST Status
Command | Purpose
show spanning-tree mst configuration | Displays the MST region configuration.
show spanning-tree mst instance-id | Displays MST information for the specified instance.

Catalyst 2950 Desktop Switch Software Configuration Guide 12-24 78-14982-01
CHAPTER 13 Configuring Optional Spanning-Tree Features

This chapter describes how to configure optional spanning-tree features. You can configure all of these features when your switch is running the per-VLAN spanning-tree (PVST). You can configure only the noted features when your switch is running the Multiple Spanning Tree Protocol (MSTP). To use these features with MSTP, you must have the enhanced software image (EI) installed on your switch.

Understanding Optional Spanning-Tree Features

Understanding Port Fast

Port Fast immediately brings an interface configured as an access or trunk port to the forwarding state from a blocking state, bypassing the listening and learning states.

Understanding BPDU Guard

The BPDU guard feature can be globally enabled on the switch or can be enabled per interface, but the feature operates with some differences. At the global level, you can enable BPDU guard on Port Fast-enabled ports by using the spanning-tree portfast bpduguard default global configuration command. Spanning tree shuts down ports that are in a Port Fast-operational state.

Understanding UplinkFast

Switches in hierarchical networks can be grouped into backbone switches, distribution switches, and access switches. Figure 13-2 shows a complex network where distribution switches and access switches each have at least one redundant link that spanning tree blocks to prevent loops.

[Figure 13-3 UplinkFast Example Before Direct Link Failure: Switch A (Root), Switch B, Switch C, links L1, L2 and L3, one blocked port]

If Switch C detects a link failure on the currently active link L2 on the root port (a direct link failure), UplinkFast unblocks the blocked port on Switch C and transitions it to the forwarding state without going through the listening and learning states, as shown in Figure 13-4.

How CSUF Works

CSUF ensures that one link in the stack is elected as the path to the root. As shown in Figure 13-5, Switches A, B, and C are cascaded through the GigaStack GBIC to form a multidrop backbone, which communicates control and data traffic across the switches at the access layer.

The switch sending the fast-transition request needs to do a fast transition to the forwarding state of a port that it has chosen as the root port, and it must obtain an acknowledgement from each stack switch before performing the fast transition.

Limitations

These limitations apply to CSUF:
• CSUF uses the GigaStack GBIC and runs on all Catalyst 3550 switches, all Catalyst 3500 XL switches, Catalyst 2950 switches with GBIC module slots, and only on modular Catalyst 2900 XL switches that have the 1000BASE-X module installed.
• Up to nine stack switches can be connected through their stack ports to the multidrop backbone.

[Figure 13-6 GigaStack GBIC Connections and Spanning-Tree Convergence: GigaStack GBIC connection for fast convergence between Catalyst 3550-12T, Catalyst 3500, Catalyst 3508G XL and Catalyst 2950 series switches]

Understanding BackboneFast

BackboneFast detects indirect failures in the core of the backbone. BackboneFast is a complementary technology to the UplinkFast feature, which responds to failures on links directly connected to access switches. BackboneFast optimizes the maximum-age timer, which determines the amount of time the switch stores protocol information received on an interface.

If link L1 fails as shown in Figure 13-8, Switch C cannot detect this failure because it is not connected directly to link L1. However, because Switch B is directly connected to the root switch over L1, it detects the failure, elects itself the root, and begins sending BPDUs to Switch C, identifying itself as the root.

Understanding Root Guard

The Layer 2 network of a service provider (SP) can include many connections to switches that are not owned by the SP. In such a topology, the spanning tree can reconfigure itself and select a customer switch as the root switch, as shown in Figure 13-10.

Understanding Loop Guard

You can use loop guard to prevent alternate or root ports from becoming designated ports because of a failure that leads to a unidirectional link. This feature is most effective when it is configured on the entire switched network. If your switch is running PVST or MSTP, you can enable this feature by using the spanning-tree loopguard default global configuration command.

Configuring Optional Spanning-Tree Features

Default Optional Spanning-Tree Configuration

Table 13-1 shows the default optional spanning-tree configuration.

Table 13-1 Default Optional Spanning-Tree Configuration
Feature | Default Setting
Port Fast, BPDU filtering, BPDU guard | Globally disabled (unless they are individually configured per interface).
UplinkFast | Globally disabled.
CSUF | Disabled on all interfaces.
BackboneFast | Globally disabled.

Step 4  end: Return to privileged EXEC mode.
Step 5  show spanning-tree interface interface-id portfast: Verify your entries.
Step 6  copy running-config startup-config: (Optional) Save your entries in the configuration file.

Note: You can use the spanning-tree portfast default global configuration command to globally enable the Port Fast feature on all nontrunking ports.

Step 6  show running-config: Verify your entries.
Step 7  copy running-config startup-config: (Optional) Save your entries in the configuration file.

To disable BPDU guard, use the no spanning-tree portfast bpduguard default global configuration command.

To disable BPDU filtering, use the no spanning-tree portfast bpdufilter default global configuration command. You can override the setting of the no spanning-tree portfast bpdufilter default global configuration command by using the spanning-tree bpdufilter enable interface configuration command.

Enabling Cross-Stack UplinkFast

Before enabling CSUF, make sure your stack switches are properly connected. For more information, see the “Connecting the Stack Ports” section on page 13-8. The CSUF feature is supported only when the switch is running PVST.

Beginning in privileged EXEC mode, follow these steps to enable CSUF:
Step 1  configure terminal: Enter global configuration mode.

Enabling BackboneFast

You can enable BackboneFast to detect indirect link failures and to start the spanning-tree reconfiguration sooner.

Note: If you use BackboneFast, you must enable it on all switches in the network. BackboneFast is not supported on Token Ring VLANs. This feature is supported for use with third-party switches. The BackboneFast feature is supported only when the switch is running PVST.

Step 5  show running-config: Verify your entries.
Step 6  copy running-config startup-config: (Optional) Save your entries in the configuration file.

To disable root guard, use the no spanning-tree guard interface configuration command.

Displaying the Spanning-Tree Status

To display the spanning-tree status, use one or more of the privileged EXEC commands in Table 13-2:

Table 13-2 Commands for Displaying the Spanning-Tree Status
Command | Purpose
show spanning-tree active | Displays spanning-tree information on active interfaces only.
show spanning-tree detail | Displays a detailed summary of interface information.
CHAPTER 14 Configuring VLANs

This chapter describes how to configure normal-range VLANs (VLAN IDs 1 to 1005) and extended-range VLANs (VLAN IDs 1006 to 4094). It includes information about VLAN modes and the VLAN Membership Policy Server (VMPS).

Note: For complete syntax and usage information for the commands used in this chapter, refer to the command reference for this release.

Understanding VLANs

For a Catalyst 2950 LRE Switch, the maximum supported number of VLANs is 250, the maximum number of STP instances is 64, and trunking is supported. The Catalyst 2950 LRE also supports 4094 VLAN IDs. The 2950 LRE software image is based on the EI software and supports the same number of VLANs, VLAN IDs, and STP instances as the EI software image. Figure 14-1 shows an example of VLANs segmented into logically defined networks.

VLAN Port Membership Modes

You configure a port to belong to a VLAN by assigning a membership mode that determines the kind of traffic the port carries and the number of VLANs to which it can belong. Table 14-1 lists the membership modes and membership and VTP characteristics.

Configuring Normal-Range VLANs

Normal-range VLANs are VLANs with VLAN IDs 1 to 1005. If the switch is in VTP server or transparent mode, you can add, modify, or remove configurations for VLANs 2 to 1001 in the VLAN database. (VLAN IDs 1 and 1002 to 1005 are automatically created and cannot be removed.)

This section includes information about these topics about normal-range VLANs:
• Token Ring VLANs, page 14-5
• Normal-Range VLAN Configuration Guidelines, page 14-5
• VLAN Configuration Mode Options, page 14-6
• Saving VLAN Configuration, page 14-7
• Default Ethernet VLAN Configuration, page 14-8
• Creating or Modifying an Ethernet VLAN, page 14-8
• Deleting a VLAN, page 14-10
• Assigning Static-Access Ports to a VLAN, page 14-11

• The switch supports 64 spanning-tree instances. If a switch has more active VLANs than supported spanning-tree instances, spanning tree can be enabled on 64 VLANs and is disabled on the remaining VLANs. If you have already used all available spanning-tree instances on a switch, adding another VLAN anywhere in the VTP domain creates a VLAN on that switch that is not running spanning tree.

Saving VLAN Configuration

The configurations of VLAN IDs 1 to 1005 are always saved in the VLAN database (vlan.dat file). If VTP mode is transparent, they are also saved in the switch running configuration file, and you can enter the copy running-config startup-config privileged EXEC command to save the configuration in the startup configuration file.

Default Ethernet VLAN Configuration

Table 14-2 shows the default configuration for Ethernet VLANs.

Note: The switch supports Ethernet interfaces exclusively. Because FDDI and Token Ring VLANs are not locally supported, you only configure FDDI and Token Ring media-specific characteristics for VTP global advertisements to other switches.

Beginning in privileged EXEC mode, follow these steps to use config-vlan mode to create or modify an Ethernet VLAN:
Step 1  configure terminal: Enter global configuration mode.
Step 2  vlan vlan-id: Enter a VLAN ID, and enter config-vlan mode. Enter a new VLAN ID to create a VLAN, or enter an existing VLAN ID to modify a VLAN.

Step 4  exit: Update the VLAN database, propagate it throughout the administrative domain, and return to privileged EXEC mode.
Step 5  show vlan {name vlan-name | id vlan-id}: Verify your entries.
Step 6  copy running-config startup-config: (Optional) If the switch is in VTP transparent mode, the VLAN configuration is saved in the running configuration file as well as in the VLAN database.

Assigning Static-Access Ports to a VLAN

You can assign a static-access port to a VLAN without having VTP globally propagate VLAN configuration information (VTP is disabled). If you are assigning a port on a cluster member switch to a VLAN, first use the rcommand privileged EXEC command to log in to the member switch.

Note: If you assign an interface to a VLAN that does not exist, the new VLAN is created.

Configuring Extended-Range VLANs

When the switch is in VTP transparent mode (VTP disabled) and the EI is installed, you can create extended-range VLANs (in the range 1006 to 4094). Extended-range VLANs enable service providers to extend their infrastructure to a greater number of customers. The extended-range VLAN IDs are allowed for any switchport commands that allow VLAN IDs.

• STP is enabled by default on extended-range VLANs, but you can disable it by using the no spanning-tree vlan vlan-id global configuration command. When the maximum number of spanning-tree instances (64) are on the switch, spanning tree is disabled on any newly created VLANs. If the number of VLANs on the switch exceeds the maximum number of spanning tree instances, we recommend that you configure the IEEE 802.

Displaying VLANs

To delete an extended-range VLAN, use the no vlan vlan-id global configuration command. The procedure for assigning static-access ports to an extended-range VLAN is the same as for normal-range VLANs. See the “Assigning Static-Access Ports to a VLAN” section on page 14-11.
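The normal-range and extended-range sections above state several rules that interact: which VTP modes may edit which VLAN IDs, that the EI is required for extended-range VLANs, that VLAN 1 and 1002 to 1005 cannot be removed, that only 64 spanning-tree instances exist, and where the configuration is saved. The following added example, not Cisco code, applies those rules as a pre-change check; the switch state it starts from is constructed, and the claim that extended-range VLANs persist only in the running configuration is an assumption not stated in this excerpt.

```python
"""Added example, not Cisco code: a checker that applies the normal-range and
extended-range VLAN rules from the sections above (VTP mode, EI requirement,
reserved VLAN IDs, 64 spanning-tree instances, where the configuration is
saved) before a VLAN is created or deleted.  The starting state is constructed."""
from dataclasses import dataclass, field
from typing import Set, Tuple

MAX_STP_INSTANCES = 64                        # stated limit for the Catalyst 2950
RESERVED_VLANS = {1, 1002, 1003, 1004, 1005}  # auto-created, cannot be removed
VTP_MODES = ("server", "client", "transparent")


@dataclass
class VlanTable:
    vtp_mode: str
    has_ei: bool                               # enhanced software image installed
    vlans: Set[int] = field(default_factory=lambda: set(RESERVED_VLANS))
    # Assumption: a fresh switch runs one spanning-tree instance, for VLAN 1.
    stp_vlans: Set[int] = field(default_factory=lambda: {1})

    def __post_init__(self) -> None:
        if self.vtp_mode not in VTP_MODES:
            raise ValueError(f"unknown VTP mode {self.vtp_mode!r}")

    def create(self, vlan_id: int) -> str:
        """Return 'exists', 'created' or 'created-no-stp'; raise on a violation."""
        if not 1 <= vlan_id <= 4094:
            raise ValueError("VLAN ID must be 1 to 4094")
        if vlan_id in self.vlans:
            return "exists"
        if vlan_id <= 1005:
            # Normal range: VLANs 2 to 1001 are editable in server or transparent
            # mode (1 and 1002-1005 always exist, so they were caught above).
            if self.vtp_mode == "client":
                raise ValueError("VTP client mode cannot change the VLAN database")
        elif self.vtp_mode != "transparent" or not self.has_ei:
            raise ValueError("extended-range VLANs need VTP transparent mode and the EI")
        self.vlans.add(vlan_id)
        # Spanning tree runs on the new VLAN only while instances remain.
        if len(self.stp_vlans) < MAX_STP_INSTANCES:
            self.stp_vlans.add(vlan_id)
            return "created"
        return "created-no-stp"

    def delete(self, vlan_id: int) -> None:
        if vlan_id in RESERVED_VLANS:
            raise ValueError(f"VLAN {vlan_id} is created automatically and cannot be removed")
        if vlan_id not in self.vlans:
            raise KeyError(vlan_id)
        if vlan_id <= 1005 and self.vtp_mode == "client":
            raise ValueError("VTP client mode cannot change the VLAN database")
        self.vlans.discard(vlan_id)
        self.stp_vlans.discard(vlan_id)

    def saved_in(self, vlan_id: int) -> Tuple[str, ...]:
        """Where this VLAN's configuration persists."""
        if vlan_id <= 1005:
            files = ["vlan.dat"]                  # always in the VLAN database
            if self.vtp_mode == "transparent":
                files.append("running-config")    # also in the running configuration
            return tuple(files)
        # Assumption (not stated in this excerpt): extended-range VLANs are kept
        # only in the running configuration, never in vlan.dat.
        return ("running-config",)
```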
Configuring VLAN Trunks

These sections describe how VLAN trunks function on the switch:
• Trunking Overview, page 14-15
• 802.1Q Configuration Considerations, page 14-16
• Default Layer 2 Ethernet Interface VLAN Configuration, page 14-17

Trunking Overview

A trunk is a point-to-point link between one or more Ethernet switch interfaces and another networking device such as a router or a switch.

To avoid this, you should configure interfaces connected to devices that do not support DTP to not forward DTP frames, that is, to turn off DTP.

Note:
• If you do not intend to trunk across those links, use the switchport mode access interface configuration command to disable trunking.

• Disabling spanning tree on the native VLAN of an 802.1Q trunk without disabling spanning tree on every VLAN in the network can potentially cause spanning-tree loops. We recommend that you leave spanning tree enabled on the native VLAN of an 802.1Q trunk or disable spanning tree on every VLAN in the network. Make sure your network is loop-free before disabling spanning tree.

– STP Port Fast setting
– trunk status: if one port in a port group ceases to be a trunk, all ports cease to be trunks.
• If you try to enable 802.1X on a trunk port, an error message appears, and 802.1X is not enabled. If you try to change the mode of an 802.1X-enabled port to trunk, the port mode is not changed.
• A port in dynamic mode can negotiate with its neighbor to become a trunk port. If you try to enable 802.

This example shows how to configure the Fast Ethernet interface 0/4 as an 802.1Q trunk. The example assumes that the neighbor interface is configured to support 802.1Q trunking.
Switch# configure terminal
Enter configuration commands, one per line. End with CNTL/Z.

This example shows how to remove VLAN 2 from the allowed VLAN list:
Switch(config)# interface fastethernet0/1
Switch(config-if)# switchport trunk allowed vlan remove 2
Switch(config-if)# end
Switch#

Changing the Pruning-Eligible List

The pruning-eligible list applies only to trunk ports. Each trunk port has its own eligibility list. VTP pruning must be enabled for this procedure to take effect.

Beginning in privileged EXEC mode, follow these steps to configure the native VLAN on an 802.1Q trunk:
Step 1  configure terminal: Enter global configuration mode.
Step 2  interface interface-id: Enter interface configuration mode, and define the interface that is configured as the 802.1Q trunk.
Step 3  switchport trunk native vlan vlan-id: Configure the VLAN that is sending and receiving untagged traffic on the trunk port.

In this way, Trunk 1 carries traffic for VLANs 8 through 10, and Trunk 2 carries traffic for VLANs 3 through 6. If the active trunk fails, the trunk with the lower priority takes over and carries the traffic for all of the VLANs. No duplication of traffic occurs over any trunk port.

Step 17  spanning-tree vlan 8 port-priority 10: Assign the port priority of 10 for VLAN 8.
Step 18  spanning-tree vlan 9 port-priority 10: Assign the port priority of 10 for VLAN 9.
Step 19  spanning-tree vlan 10 port-priority 10: Assign the port priority of 10 for VLAN 10.
Step 20  exit: Return to global configuration mode.

Beginning in privileged EXEC mode, follow these steps to configure the network shown in Figure 14-4:
Step 1  configure terminal: Enter global configuration mode on Switch 1.
Step 2  interface fastethernet 0/1: Enter interface configuration mode, and define Fast Ethernet port 0/1 as the interface to be configured as a trunk.
Step 3  switchport mode trunk: Configure the port as a trunk port.

Configuring VMPS

• “Monitoring the VMPS” section on page 14-31
• “Troubleshooting Dynamic Port VLAN Membership” section on page 14-31
• “VMPS Configuration Example” section on page 14-32

Understanding VMPS

When the VMPS receives a VQP request from a client switch, it searches its database for a MAC-address-to-VLAN mapping. The server response is based on this mapping and whether or not the server is in secure mode.

If the link goes down on a dynamic port, the port returns to an isolated state and does not belong to a VLAN. Any hosts that come online through the port are checked again through the VQP with the VMPS before the port is assigned to a VLAN.

VMPS Database Configuration File

The VMPS contains a database configuration file that you create. This ASCII text file is stored on a switch-accessible TFTP server that functions as a VMPS server.

!
! address <addr> vlan-name <vlan_name>
!
address 0012.2233.4455 vlan-name hardware
address 0000.6509.a080 vlan-name hardware
address aabb.ccdd.eeff vlan-name Green
address 1223.5678.9abc vlan-name ExecStaff
address fedc.ba98.7654 vlan-name --NONE--
address fedc.ba23.1245 vlan-name Purple
!
!Port Groups
!
!vmps-port-group <group-name>
! device <device-id> { port <port-name> | all-ports }
!
vmps-port-group WiringCloset1
 device 198.92.30.32 port 0/2
 device 172.20.
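A parser for the address entries and port groups of the database file format shown above, with a lookup that resolves a VQP request the way the “Understanding VMPS” section describes (mapping found, explicit --NONE-- deny, or unknown host, with the result depending on secure mode). This is an added example, not Cisco code; SAMPLE_DB is constructed in the file's format (the 192.0.2.10 device is made up), and the shutdown-versus-deny distinction for secure mode is standard VMPS behaviour that this excerpt only alludes to.

```python
"""Added example, not Cisco code: a parser for the address entries and port
groups in the VMPS database configuration file format shown above, plus a
lookup that answers a VQP request the way "Understanding VMPS" describes.
SAMPLE_DB is constructed in that format (the 192.0.2.x device is made up)."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

DENY = "--NONE--"   # vlan-name meaning "never assign this host to a VLAN"

SAMPLE_DB = """\
!
! address <addr> vlan-name <vlan_name>
!
address 0012.2233.4455 vlan-name hardware
address aabb.ccdd.eeff vlan-name Green
address fedc.ba98.7654 vlan-name --NONE--
!
!Port Groups
!
vmps-port-group WiringCloset1
 device 198.92.30.32 port 0/2
 device 192.0.2.10 all-ports
"""


def norm_mac(mac: str) -> str:
    """Normalise 0012.2233.4455 / 00:12:22:33:44:55 / 00-12-22-33-44-55 to dotted form."""
    digits = mac.lower().replace(".", "").replace(":", "").replace("-", "")
    if len(digits) != 12 or any(c not in "0123456789abcdef" for c in digits):
        raise ValueError(f"bad MAC address {mac!r}")
    return f"{digits[0:4]}.{digits[4:8]}.{digits[8:12]}"


@dataclass
class VmpsDb:
    addresses: Dict[str, str] = field(default_factory=dict)   # MAC -> vlan-name
    port_groups: Dict[str, List[Tuple[str, str]]] = field(default_factory=dict)


def parse_vmps_db(text: str) -> VmpsDb:
    """Read address and vmps-port-group sections; reject anything malformed."""
    db = VmpsDb()
    group: Optional[str] = None
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("!"):          # blank line or comment
            continue
        tok = line.split()
        if tok[0] == "address":
            if len(tok) != 4 or tok[2] != "vlan-name":
                raise ValueError(f"line {lineno}: expected 'address <addr> vlan-name <name>'")
            mac = norm_mac(tok[1])
            if mac in db.addresses:
                raise ValueError(f"line {lineno}: duplicate entry for {mac}")
            db.addresses[mac] = tok[3]
            group = None
        elif tok[0] == "vmps-port-group" and len(tok) == 2:
            group = tok[1]
            db.port_groups.setdefault(group, [])
        elif tok[0] == "device" and group is not None:
            # device <device-id> { port <port-name> | all-ports }
            if len(tok) == 3 and tok[2] == "all-ports":
                port = "all-ports"
            elif len(tok) == 4 and tok[2] == "port":
                port = tok[3]
            else:
                raise ValueError(f"line {lineno}: bad device line")
            db.port_groups[group].append((tok[1], port))
        else:
            raise ValueError(f"line {lineno}: unrecognised keyword {tok[0]!r}")
    return db


def vqp_response(db: VmpsDb, mac: str, secure: bool = False) -> Tuple[str, Optional[str]]:
    """Decide the VMPS reply to a VQP request for one host MAC.

    ("allow", vlan):    the host is mapped to that VLAN.
    ("deny", None):     no usable mapping; in open mode the port stays unassigned.
    ("shutdown", None): the same situation in secure mode, where the VMPS has the
                        client switch shut the port down (standard VMPS behaviour;
                        only the dependence on secure mode is stated above)."""
    vlan = db.addresses.get(norm_mac(mac))
    if vlan is not None and vlan != DENY:
        return ("allow", vlan)
    return ("shutdown", None) if secure else ("deny", None)
```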
VMPS Configuration Guidelines

These guidelines and restrictions apply to dynamic port VLAN membership:
• You must configure the VMPS before you configure ports as dynamic.
• The communication between a cluster of switches and VMPS is managed by the command switch and includes port-naming conventions that are different from standard port names. For the cluster-based port-naming conventions, see the “VMPS Database Configuration File” section on page 14-26.

Beginning in privileged EXEC mode, follow these steps to enter the IP address of the VMPS:
Step 1  configure terminal: Enter global configuration mode.
Step 2  vmps server ipaddress primary: Enter the IP address of the switch acting as the primary VMPS server.
Step 3  vmps server ipaddress: Enter the IP address of the switch acting as a secondary VMPS server. You can enter up to three secondary server addresses.

Reconfirming VLAN Memberships

Beginning in privileged EXEC mode, follow these steps to confirm the dynamic port VLAN membership assignments that the switch has received from the VMPS:
Step 1  vmps reconfirm: Reconfirm dynamic port VLAN membership.
Step 2  show vmps: Verify the dynamic VLAN reconfirmation status.

Changing the Reconfirmation Interval

VMPS clients periodically reconfirm the VLAN membership information received from the VMPS.

To return the switch to its default setting, use the no vmps retry global configuration command.

Monitoring the VMPS

You can display information about the VMPS by using the show vmps privileged EXEC command. The switch displays this information about the VMPS:
VMPS VQP Version | The version of VQP used to communicate with the VMPS. The switch queries the VMPS that is using VQP version 1.

VMPS Configuration Example

Figure 14-5 shows a network with a VMPS server switch and VMPS client switches with dynamic ports. In this example, these assumptions apply:
• The VMPS server and the VMPS client are separate switches.
• The Catalyst 5000 series Switch 1 is the primary VMPS server.
• The Catalyst 5000 series Switch 3 and Switch 10 are secondary VMPS servers.
C H A P T E R 15 Configuring VTP This chapter describes how to use the VLAN Trunking Protocol (VTP) and the VLAN database for managing VLANs. Note For complete syntax and usage information for the commands used in this chapter, refer to the command reference for this release.
Chapter 15 Configuring VTP Understanding VTP The VTP Domain A VTP domain (also called a VLAN management domain) consists of one switch or several interconnected switches under the same administrative responsibility sharing the same VTP domain name. A switch can be in only one VTP domain.You make global VLAN configuration changes for the domain by using the command-line interface (CLI), Cluster Management Suite (CMS) software, or Simple Network Management Protocol (SNMP).
Chapter 15 Configuring VTP Understanding VTP VTP Modes You can configure a supported switch to be in one of the VTP modes listed in Table 15-1. Table 15-1 VTP Modes VTP Mode Description VTP server In VTP server mode, you can create, modify, and delete VLANs and specify other configuration parameters (such as the VTP version) for the entire VTP domain.
Chapter 15 Configuring VTP Understanding VTP • MD5 digest VLAN configuration, including maximum transmission unit (MTU) size for each VLAN. • Frame format VTP advertisements distribute this VLAN information for each configured VLAN: • VLAN IDs • VLAN name • VLAN type • VLAN state • Additional VLAN configuration information specific to the VLAN type VTP Version 2 If you use VTP in your network, you must decide whether to use version 1 or version 2. By default, VTP operates in version 1.
Chapter 15 Configuring VTP Understanding VTP Figure 15-1 Flooding Traffic without VTP Pruning Switch 4 Port 2 Switch 5 Switch 2 Red VLAN Switch 6 Switch 3 45826 Port 1 Switch 1 Figure 15-2 shows a switched network with VTP pruning enabled. The broadcast traffic from Switch 1 is not forwarded to Switches 3, 5, and 6 because traffic for the Red VLAN has been pruned on the links shown (Port 5 on Switch 2 and Port 4 on Switch 4).
Chapter 15 Configuring VTP Configuring VTP VTP pruning is not designed to function in VTP transparent mode. If one or more switches in the network are in VTP transparent mode, you should do one of these: • Turn off VTP pruning in the entire network. • Turn off VTP pruning by making all VLANs on the trunk of the switch upstream to the VTP transparent switch pruning ineligible.
Chapter 15 Configuring VTP Configuring VTP VTP Configuration Options You can configure VTP by using these configuration modes. • VTP Configuration in Global Configuration Modes, page 15-7 • VTP Configuration in VLAN Configuration Mode, page 15-7 You access VLAN configuration mode by entering the vlan database privileged EXEC command. For detailed information about vtp commands, refer to the command reference for this release.
Chapter 15 Configuring VTP Configuring VTP VTP Configuration Guidelines These sections describe guidelines you should follow when implementing VTP in your network. Domain Names When configuring VTP for the first time, you must always assign a domain name. You must configure all switches in the VTP domain with the same domain name. Switches in VTP transparent mode do not exchange VTP messages with other switches, and you do not need to configure a VTP domain name for them.
Chapter 15 Configuring VTP Configuring VTP VTP Version Follow these guidelines when deciding which VTP version to implement: • All switches in a VTP domain must run the same VTP version. • A VTP version 2-capable switch can operate in the same VTP domain as a switch running VTP version 1 if version 2 is disabled on the version 2-capable switch (version 2 is disabled by default). • Do not enable VTP version 2 on a switch unless all of the switches in the same VTP domain are version-2-capable.
Chapter 15 Configuring VTP

Configuring VTP

Step 4  vtp password password
  (Optional) Set the password for the VTP domain. The password can be from 8 to 64 characters. If you configure a VTP password, the VTP domain does not function properly if you do not assign the same password to each switch in the domain.
Step 5  end
  Return to privileged EXEC mode.
Step 6  show vtp status
  Verify your entries in the VTP Operating Mode and the VTP Domain Name fields of the display.

This example shows how to use VLAN configuration mode to configure the switch as a VTP server with the domain name eng_group and the password mypassword:

Switch# vlan database
Switch(vlan)# vtp server
Switch(vlan)# vtp domain eng_group
Switch(vlan)# vtp password mypassword
Switch(vlan)# exit
APPLY completed.
Exiting....

Configuring a VTP Client

When a switch is in VTP client mode, you cannot change its VLAN configuration.

Note: You can also configure a VTP client by using the vlan database privileged EXEC command to enter VLAN configuration mode and entering the vtp client command, similar to the second procedure under the "Configuring a VTP Server" section on page 15-9. Use the no vtp client VLAN configuration command to return the switch to VTP server mode or the no vtp password VLAN configuration command to return the switch to a no-password state.

Note: You can also configure VTP transparent mode by using the vlan database privileged EXEC command to enter VLAN configuration mode and by entering the vtp transparent command, similar to the second procedure under the "Configuring a VTP Server" section on page 15-9. Use the no vtp transparent VLAN configuration command to return the switch to VTP server mode. If extended-range VLANs are configured on the switch, you cannot change VTP mode to server.

Enabling VTP Pruning

Pruning increases available bandwidth by restricting flooded traffic to those trunk links that the traffic must use to access the destination devices. You can only enable VTP pruning on a switch in VTP server mode. Beginning in privileged EXEC mode, follow these steps to enable VTP pruning in the VTP domain:

Step 1  configure terminal
  Enter global configuration mode.

Adding a VTP Client Switch to a VTP Domain

Before adding a VTP client to a VTP domain, always verify that its VTP configuration revision number is lower than the configuration revision number of the other switches in the VTP domain. Switches in a VTP domain always use the VLAN configuration of the switch with the highest VTP configuration revision number.
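The revision-number rule above is what makes the pre-check matter: a switch that joins with a higher revision number replaces every other switch's VLAN database. The following Python model is an added example, not code from the Cisco guide; the switch names, revision numbers and VLAN sets are constructed, and it assumes (as a simplification) that an advertisement carrying a different password is simply ignored.

```python
"""VTP revision-number precedence, modelled in Python as an added example.
This is not code from the Cisco guide; switch names, revision numbers and
VLAN sets are constructed. Assumption (simplification): an advertisement
whose password does not match the receiver's password is ignored."""
from dataclasses import dataclass, field


@dataclass
class VtpSwitch:
    name: str
    mode: str                       # "server", "client" or "transparent"
    revision: int                   # VTP configuration revision number
    vlans: set = field(default_factory=set)
    password: str = ""


def process_advertisement(receiver: VtpSwitch, sender: VtpSwitch) -> bool:
    """Apply one VTP advertisement from sender to receiver.

    Returns True when the receiver's VLAN database was overwritten, which
    happens exactly when the advertised revision is higher (the guide: the
    domain uses the VLAN configuration of the highest revision number)."""
    if receiver.mode == "transparent":
        return False                # transparent switches never adopt
    if receiver.password != sender.password:
        return False                # assumption: mismatched password ignored
    if sender.revision > receiver.revision:
        receiver.vlans = set(sender.vlans)
        receiver.revision = sender.revision
        return True
    return False


def safe_to_add(domain: list, new_switch: VtpSwitch) -> bool:
    """The guide's pre-check: verify the new client's revision number is
    lower than that of the other switches in the domain."""
    return new_switch.revision < max(s.revision for s in domain)


def join_domain(domain: list, new_switch: VtpSwitch) -> list:
    """Add new_switch to the domain, exchange advertisements until nothing
    changes, and return the names of the switches whose VLAN database
    was overwritten (the blast radius of a stale revision number)."""
    members = domain + [new_switch]
    changed = []
    settled = False
    while not settled:
        settled = True
        for sender in members:
            for receiver in members:
                if receiver is sender:
                    continue
                if process_advertisement(receiver, sender):
                    settled = False
                    if receiver.name not in changed:
                        changed.append(receiver.name)
    return changed


if __name__ == "__main__":
    # Constructed scenario: two servers at revision 10, and a lab switch that
    # once belonged to a domain with the same name and password, revision 20.
    core = [VtpSwitch("core1", "server", 10, {1, 10, 20}, "mypassword"),
            VtpSwitch("core2", "server", 10, {1, 10, 20}, "mypassword")]
    lab = VtpSwitch("lab-sw", "client", 20, {1, 99}, "mypassword")
    print("safe to add lab-sw:", safe_to_add(core, lab))      # False
    print("overwritten:", join_domain(core, lab))             # core1, core2
    print("core1 VLANs now:", sorted(core[0].vlans))          # [1, 99]
```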
Monitoring VTP

You monitor VTP by displaying VTP configuration information: the domain name, the current VTP revision, and the number of VLANs. You can also display statistics about the advertisements sent and received by the switch. Table 15-3 shows the privileged EXEC commands for monitoring VTP activity.

Table 15-3 VTP Monitoring Commands
show vtp status    Display the VTP switch configuration information.
Chapter 16 Configuring Voice VLAN

This chapter describes how to configure the voice VLAN feature on your switch. Voice VLAN is referred to as an auxiliary VLAN in the Catalyst 6000 family switch documentation.

Note: For complete syntax and usage information for the commands used in this chapter, refer to the command reference for this release.

Configuring Voice VLAN

Figure 16-1 shows one way to connect a Cisco 7960 IP Phone.

[Figure 16-1 Cisco 7960 IP Phone Connected to a Switch. Labels: Cisco IP Phone 7960, phone ASIC, 3-port switch (ports P1, P2, P3), access port, PC, Catalyst 2950 or 3550 switch.]

When the IP phone connects to the switch, the access port (PC-to-telephone jack) of the IP phone can connect to a PC.

Voice VLAN Configuration Guidelines

These are the voice VLAN configuration guidelines:
• You should configure voice VLAN on switch access ports.
• The Port Fast feature is automatically enabled when voice VLAN is configured. When you disable voice VLAN, the Port Fast feature is not automatically disabled.

Configuring Ports to Carry Voice Traffic in 802.1Q Frames

Beginning in privileged EXEC mode, follow these steps to configure a port to carry voice traffic in 802.1Q frames for a specific VLAN:

Step 1  configure terminal
  Enter global configuration mode.
Step 2  interface interface-id
  Specify the interface connected to the IP phone, and enter interface configuration mode.

Overriding the CoS Priority of Incoming Data Frames

You can connect a PC or other data device to a Cisco 7960 IP Phone port. The PC can generate packets with an assigned CoS value. You can configure the switch to override the priority of frames arriving on the IP phone port from connected devices.

Configuring the IP Phone to Trust the CoS Priority of Incoming Data Frames

You can connect a PC or other data device to a Cisco 7960 IP Phone port. The PC can generate packets with an assigned CoS value. You can configure the switch to trust the priority of frames arriving on the IP phone port from connected devices.
Chapter 17 Configuring IGMP Snooping and MVR

This chapter describes how to configure Internet Group Management Protocol (IGMP) snooping on your switch, including an application of local IGMP snooping, Multicast VLAN Registration (MVR). It also includes procedures for controlling multicast group membership by using IGMP filtering.

Understanding IGMP Snooping

the switch adds the host port number to the forwarding table entry; when it receives an IGMP Leave Group message from a host, it removes the host port from the table entry. It also periodically deletes entries if it does not receive IGMP membership reports from the multicast clients.

Note: For more information on IP multicast and IGMP, refer to RFC 1112 and RFC 2236.

[Figure 17-1 Initial IGMP Join Message. Labels: Router A (port 1), IGMP report 224.1.2.3, VLAN, switching engine, CPU (port 0), forwarding table, Host 1 through Host 4 (ports 2 through 5).]

Router A sends a general query to the switch, which forwards the query to ports 2 through 5, all members of the same VLAN. Host 1 wants to join multicast group 224.1.2.

[Figure 17-2 Second Host Joining a Multicast Group. Labels: Router A (port 1), VLAN, switching engine, CPU (port 0), forwarding table, Host 1 (port 2), Host 2 (port 3), Host 3 (port 4), Host 4 (port 5).]

Table 17-2 Updated IGMP Snooping Forwarding Table
Destination Address    Type of Packet    Ports
0100.5exx.xxxx         IGMP              0
0100.5e01.

Configuring IGMP Snooping

Note: You should only use the Immediate-Leave processing feature on VLANs where a single host is connected to each port. If Immediate Leave is enabled in VLANs where more than one host is connected to a port, some hosts might be inadvertently dropped. Immediate Leave is supported with only IGMP version 2 hosts.
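The join and leave handling described under "Understanding IGMP Snooping" (Table 17-2) and the Immediate Leave caveat in the note above can be put together in one small model. This Python snooping table is an added example, not code from the Cisco guide; the port numbers and group 224.1.2.3 follow the guide's figures, while the per-port host bookkeeping is a simplification that ignores query timers.

```python
"""IGMP snooping forwarding-table model, added here as an example; it is not
code from the Cisco guide. Port numbers (0 = CPU/router port, hosts on
ports 2 to 5) and group 224.1.2.3 follow the guide's figures; the per-port
host bookkeeping and the Immediate Leave behaviour are modelled from the
text and simplified (no group-specific query timers)."""
from collections import defaultdict

ROUTER_PORT = 0     # port 0 (CPU) is always in a group's entry, as in Table 17-2


def group_to_mac(group: str) -> str:
    """Map an IPv4 multicast group to its 0100.5exx.xxxx MAC address: the
    low 23 bits of the group address follow the 01-00-5E prefix."""
    o = [int(x) for x in group.split(".")]
    low23 = ((o[1] & 0x7F) << 16) | (o[2] << 8) | o[3]
    raw = "01005e%06x" % low23
    return ".".join(raw[i:i + 4] for i in range(0, 12, 4))


class SnoopingTable:
    def __init__(self, immediate_leave: bool = False):
        self.immediate_leave = immediate_leave
        self.ports = defaultdict(set)                       # mac -> ports
        self.hosts = defaultdict(lambda: defaultdict(set))  # mac -> port -> hosts

    def report(self, group: str, port: int, host: str) -> None:
        """IGMP membership report from host on port: add the port to the
        group's forwarding entry (creating it alongside the router port)."""
        mac = group_to_mac(group)
        self.ports[mac].update({ROUTER_PORT, port})
        self.hosts[mac][port].add(host)

    def leave(self, group: str, port: int, host: str) -> None:
        """IGMP Leave Group from host on port.

        Without Immediate Leave the switch sends a group-specific query and
        keeps the port while any other host on it still reports. With
        Immediate Leave the port is pruned at once, which is why the guide
        restricts it to VLANs with one host per port: any other host on
        the same port loses the stream."""
        mac = group_to_mac(group)
        self.hosts[mac][port].discard(host)
        if self.immediate_leave:
            self.hosts[mac][port].clear()
            self.ports[mac].discard(port)
        elif not self.hosts[mac][port]:
            self.ports[mac].discard(port)
        if self.ports[mac] <= {ROUTER_PORT}:    # no receivers left
            del self.ports[mac]
            del self.hosts[mac]

    def forwarding_ports(self, group: str) -> list:
        """Ports that receive traffic for the group (empty if unknown)."""
        return sorted(self.ports.get(group_to_mac(group), set()))

    def entries(self) -> dict:
        """Snapshot in the shape of Table 17-2: MAC -> sorted port list."""
        return {mac: sorted(p) for mac, p in self.ports.items()}
```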
Beginning in privileged EXEC mode, follow these steps to globally enable IGMP snooping on the switch:

Step 1  configure terminal
  Enter global configuration mode.
Step 2  ip igmp snooping
  Globally enable IGMP snooping in all existing VLAN interfaces.
Step 3  end
  Return to privileged EXEC mode.
Step 4  copy running-config startup-config
  (Optional) Save your entries in the configuration file.

Beginning in privileged EXEC mode, follow these steps to alter the method in which a VLAN interface dynamically accesses a multicast router:

Step 1  configure terminal
  Enter global configuration mode.
Step 2  ip igmp snooping vlan vlan-id mrouter learn {cgmp | pim-dvmrp}
  Enable IGMP snooping on a VLAN.
Step 3  end
  Return to privileged EXEC mode.
Step 4  show ip igmp snooping mrouter [vlan vlan-id]
  Verify that IGMP snooping is enabled on the VLAN interface.
Step 5  copy running-config startup-config
  (Optional) Save your entries in the configuration file.

To remove a multicast router port from the VLAN, use the no ip igmp snooping vlan vlan-id mrouter interface interface-id global configuration command.

This example shows how to statically configure a host on an interface and verify the configuration:

Switch# configure terminal
Switch(config)# ip igmp snooping vlan 1 static 0100.5e00.0203 interface gigabitethernet0/1
Switch(config)# end
Switch# show mac address-table multicast vlan 1
Vlan    Mac Address    Type    Ports
--------------------
1       0100.5e00.

If you disable IP multicast-source-only learning with the ip igmp snooping source-only-learning global configuration command, the switch floods unknown multicast traffic to the VLAN and sends the traffic to the CPU until the traffic becomes known. When the switch receives an IGMP report from a host for a particular multicast group, the switch forwards traffic from this multicast group only to the multicast router ports.

Displaying IGMP Snooping Information

You can display IGMP snooping information for dynamically learned and statically configured router ports and VLAN interfaces. You can also display MAC address multicast entries for a VLAN configured for IGMP snooping. To display IGMP snooping information, use one or more of the privileged EXEC commands in Table 17-4.

IGMP snooping immediate-leave is disabled on this Vlan
IGMP snooping mrouter learn mode is pim-dvmrp on this Vlan
IGMP snooping is running in IGMP_ONLY mode on this Vlan

This is an example of output from the show ip igmp snooping privileged EXEC command for a specific VLAN interface:

Switch# show ip igmp snooping vlan 1
vlan 1
---------
IGMP snooping is globally enabled
IGMP snooping is disable

Understanding Multicast VLAN Registration

Multicast VLAN Registration (MVR) is designed for applications using wide-scale deployment of multicast traffic across an Ethernet ring-based service provider network (for example, the broadcast of multiple television channels over a service-provider network). MVR allows a subscriber on a port to subscribe and unsubscribe to a multicast stream on the network-wide multicast VLAN.

When a subscriber changes channels or turns off the television, the set-top box sends an IGMP leave message for the multicast stream. The switch CPU sends an IGMP group-specific query through the receiver port VLAN. If there is another set-top box in the VLAN still subscribing to this group, that set-top box must respond within the maximum response time.

MVR eliminates the need to duplicate television-channel multicast traffic for subscribers in each VLAN. Multicast traffic for all channels is only sent around the VLAN trunk once, only on the multicast VLAN. Although the IGMP leave and join message in the VLAN to which the subscriber port is assigned. These messages dynamically register for streams of multicast traffic in the multicast VLAN on the Layer 3 device.

Configuring MVR

MVR Configuration Guidelines and Limitations

Follow these guidelines when configuring MVR:
• Receiver ports cannot be trunk ports. Receiver ports on a switch can be in different VLANs, but should not belong to the multicast VLAN.
• The maximum number of multicast entries that can be configured on a switch (that is, the maximum number of television channels that can be received) is 256.

Step 6  mvr mode {dynamic | compatible}
  (Optional) Specify the MVR mode of operation:
  • dynamic: Allows dynamic MVR membership on source ports.
  • compatible: Is compatible with Catalyst 3500 XL and Catalyst 2900 XL switches and does not support IGMP dynamic joins on source ports.
  The default is compatible mode.
Step 7  end
  Return to privileged EXEC mode.
Step 8  show mvr
  Verify the configuration.

Step 4  mvr type {source | receiver}
  Configure an MVR port as one of these:
  • source: Configure uplink ports that receive and send multicast data as source ports. Subscribers cannot be directly connected to source ports. All source ports on a switch belong to the single multicast VLAN.
  • receiver: Configure a port as a receiver port if it is a subscriber port and should only receive multicast data.

This is an example of output from the show mvr interface privileged EXEC command when the members keyword is included:

Switch# show mvr interface fastethernet0/2 members
224.0.1.1    DYNAMIC ACTIVE

Displaying MVR Information

You can display MVR information for the switch or for a specified interface.

This is an example of output from the show mvr interface privileged EXEC command for a specified interface:

Switch# show mvr interface fastethernet0/2
224.0.1.1    DYNAMIC ACTIVE

This is an example of output from the show mvr interface privileged EXEC command when the members keyword is included:

Switch# show mvr interface fastethernet0/2 members
224.0.1.

Configuring IGMP Filtering

Default IGMP Filtering Configuration

Table 17-7 shows the default IGMP filtering configuration.

Step 6  show ip igmp profile profile number
  Verify the profile configuration.
Step 7  copy running-config startup-config
  (Optional) Save your entries in the configuration file.

To delete a profile, use the no ip igmp profile profile number global configuration command. To delete an IP multicast address or range of IP multicast addresses, use the no range ip multicast address IGMP profile configuration command.

Current configuration : 123 bytes
!
interface FastEthernet0/12
 no ip address
 shutdown
 snmp trap link-status
 ip igmp max-groups 25
 ip igmp filter 4
end

Setting the Maximum Number of IGMP Groups

You can set the maximum number of IGMP groups that a Layer 2 interface can join by using the ip igmp max-groups interface configuration command. Use the no form of this command to set the maximum back to the default, which is no limit.

Displaying IGMP Filtering Configuration

You can display IGMP profile characteristics, and you can display the IGMP profile and maximum group configuration for all interfaces on the switch or for a specified interface.
Chapter 18 Configuring Port-Based Traffic Control

This chapter describes how to configure the port-based traffic control features on your switch.

Note: For complete syntax and usage information for the commands used in this chapter, refer to the command reference for this release.

Configuring Storm Control

The rising threshold is the percentage of total available bandwidth associated with multicast, broadcast, or unicast traffic before forwarding is blocked. The falling threshold is the percentage of total available bandwidth below which the switch resumes normal forwarding. In general, the higher the level, the less effective the protection against broadcast storms.

Disabling Storm Control

Beginning in privileged EXEC mode, follow these steps to disable storm control:

Step 1  configure terminal
  Enter global configuration mode.
Step 2  interface interface-id
  Specify the port to configure, and enter interface configuration mode.
Step 3  no storm-control {broadcast | multicast | unicast} level
  Disable port storm control.

Configuring Protected Ports

Beginning in privileged EXEC mode, follow these steps to define a port as a protected port:

Step 1  configure terminal
  Enter global configuration mode.
Step 2  interface interface-id
  Specify the type and number of the physical interface to configure, for example gigabitethernet0/1, and enter interface configuration mode.
Step 3  switchport protected
  Configure the interface to be a protected port.

Configuring Port Security

Understanding Port Security

This section contains information about these topics:
• Secure MAC Addresses, page 18-5
• Security Violations, page 18-6

Secure MAC Addresses

A secure port can have from 1 to 132 associated secure addresses.

This is an example of text from the running configuration when sticky learning is enabled on an interface:

!
interface FastEthernet0/2
 switchport mode access
 switchport port-security
 switchport port-security maximum 6
 switchport port-security aging time 5
 switchport port-security aging static
 switchport port-security mac-a
 no ip address

Default Port Security Configuration

Table 18-1 shows the default port security configuration for an interface.

Table 18-1 Default Port Security Configuration
Feature                                   Default Setting
Port security                             Disabled on a port
Maximum number of secure MAC addresses    1
Violation mode                            Shutdown. The interface is error-disabled when a security violation occurs.

Step 5  switchport port-security maximum value
  (Optional) Set the maximum number of secure MAC addresses for the interface. The range is 1 to 132; the default is 1.

To return the interface to the default condition as not a secure port, use the no switchport port-security interface configuration command. If you enter this command when sticky learning is enabled, the sticky secure addresses remain part of the running configuration but are removed from the address table. The addresses that were removed can be dynamically reconfigured and added to the address table as dynamic addresses.
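The port security behaviour described in this section (secure-address limit, static and sticky addresses, the default shutdown violation mode of Table 18-1, and what no switchport port-security does to sticky addresses) can be traced with a small model. This Python class is an added example, not code from the Cisco guide; it models only the shutdown violation mode, and the MAC addresses in it are constructed.

```python
"""Port security model: static, sticky and dynamic secure addresses, the
per-port maximum, and the default shutdown (error-disable) violation action.
Added example, not the guide's code; only the shutdown violation mode from
Table 18-1 is modelled, and the MAC addresses used are constructed."""
from dataclasses import dataclass, field


@dataclass
class SecurePort:
    name: str
    maximum: int = 1                  # guide default 1, range 1 to 132
    sticky: bool = False              # switchport port-security mac-address sticky
    security_enabled: bool = True
    err_disabled: bool = False
    secure: dict = field(default_factory=dict)        # mac -> static|sticky|dynamic
    address_table: set = field(default_factory=set)   # MACs the port forwards for
    running_config: list = field(default_factory=list)

    def _add_secure(self, mac: str, kind: str) -> None:
        if len(self.secure) >= self.maximum:
            raise ValueError(f"{self.name}: maximum of {self.maximum} "
                             "secure addresses already reached")
        self.secure[mac] = kind
        self.address_table.add(mac)

    def configure_static(self, mac: str) -> None:
        """switchport port-security mac-address <mac>"""
        self._add_secure(mac, "static")
        self.running_config.append(f"switchport port-security mac-address {mac}")

    def frame_from(self, mac: str) -> str:
        """Process an ingress frame with source MAC `mac`; return the action."""
        if self.err_disabled:
            return "dropped (port err-disabled)"
        if not self.security_enabled:
            self.address_table.add(mac)             # ordinary dynamic learning
            return "forwarded"
        if mac in self.secure:
            return "forwarded"
        if len(self.secure) < self.maximum:         # room to learn one more
            if self.sticky:
                self._add_secure(mac, "sticky")     # sticky addresses are saved
                self.running_config.append(
                    f"switchport port-security mac-address sticky {mac}")
            else:
                self._add_secure(mac, "dynamic")
            return "forwarded (learned)"
        self.err_disabled = True                    # shutdown violation mode
        return "violation: port err-disabled"

    def disable_port_security(self) -> None:
        """no switchport port-security: sticky addresses stay in the running
        config but are removed from the address table; they can be relearned
        later as ordinary dynamic addresses."""
        self.security_enabled = False
        self.secure.clear()
        self.address_table.clear()
```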
This example shows how to configure a static secure MAC address and a sticky secure MAC address on Fast Ethernet port 12 and verify the configuration:

Switch# configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Switch(config)# interface fastethernet0/12
Switch(config-if)# switchport mode access
Switch(config-if)# switchport port-security
Switch(config-if)# switchport port-security mac-address 0000.

Beginning in privileged EXEC mode, follow these steps to configure port security aging:

Step 1  configure terminal
  Enter global configuration mode.
Step 2  interface interface-id
  Specify the port on which you want to enable port security aging, and enter interface configuration mode.

Displaying Port-Based Traffic Control Settings

The show interfaces interface-id switchport privileged EXEC command displays (among other characteristics) the interface traffic suppression and control configuration. The show interfaces counters privileged EXEC command displays the count of discarded packets. The show storm-control and show port-security privileged EXEC commands display those features.
Chapter 19 Configuring UDLD

This chapter describes how to configure the UniDirectional Link Detection (UDLD) protocol on your switch.

Note: For complete syntax and usage information for the commands used in this chapter, refer to the command reference for this release.

Understanding UDLD

UDLD operates by using two mechanisms:
• Neighbor database maintenance. UDLD learns about other UDLD-capable neighbors by periodically sending a hello packet (also called an advertisement or probe) on every active interface to keep each device informed about its neighbors. When the switch receives a hello message, it caches the information until the age time (hold time or time-to-live) expires.

Configuring UDLD

This section describes how to configure UDLD on your switch. It contains this configuration information:
• Default UDLD Configuration, page 19-3
• Enabling UDLD Globally, page 19-4
• Enabling UDLD on an Interface, page 19-4
• Resetting an Interface Shut Down by UDLD, page 19-5

Default UDLD Configuration

Table 19-1 shows the default UDLD configuration.

Enabling UDLD Globally

Beginning in privileged EXEC mode, follow these steps to enable UDLD in the aggressive or the normal mode and to set the configurable message timer on all fiber-optic interfaces on the switch:

Step 1  configure terminal
  Enter global configuration mode.

Step 3  udld {aggressive | enable}
  Specify the UDLD mode of operation:
  • aggressive: Enables UDLD in aggressive mode on the specified interface. For details on the usage guidelines for the aggressive mode, refer to the command reference guide.
  • enable: Enables UDLD in normal mode on the specified interface. UDLD is disabled by default.
  On a fiber-optic interface, this command overrides the udld enable global configuration command setting.

Displaying UDLD Status

To display the UDLD status for the specified interface or for all interfaces, use the show udld [interface-id] privileged EXEC command. For detailed information about the fields in the display, refer to the command reference for this release.
Chapter 20 Configuring CDP

This chapter describes how to configure Cisco Discovery Protocol (CDP) on your switch.

Note: For complete syntax and usage information for the commands used in this chapter, refer to the command reference for this release and the Cisco IOS Configuration Fundamentals Command Reference for Release 12.1.

Configuring CDP

These sections include CDP configuration information and procedures:
• Default CDP Configuration, page 20-2
• Configuring the CDP Characteristics, page 20-2
• Disabling and Enabling CDP, page 20-3
• Disabling and Enabling CDP on an Interface, page 20-4

Default CDP Configuration

Table 20-1 shows the default CDP configuration.

Step 6  show cdp
  Verify configuration by displaying global information about CDP on the device.
Step 7  copy running-config startup-config
  (Optional) Save your entries in the configuration file.

Use the no form of the CDP commands to return to the default settings. This example shows how to configure and verify CDP characteristics.

This example shows how to enable CDP if it has been disabled.

Switch# configure terminal
Switch(config)# cdp run
Switch(config)# end

Disabling and Enabling CDP on an Interface

CDP is enabled by default on all supported interfaces to send and receive CDP information. Beginning in privileged EXEC mode, follow these steps to disable CDP on an interface:

Step 1  configure terminal
  Enter global configuration mode.

Monitoring and Maintaining CDP

To monitor and maintain CDP on your device, perform one or more of these tasks, beginning in privileged EXEC mode.

clear cdp counters    Reset the traffic counters to zero.
clear cdp table       Delete the CDP table of information about neighbors.
show cdp              Display global information, such as frequency of transmissions and the holdtime for packets being sent.
Chapter 21 Configuring SPAN and RSPAN

This chapter describes how to configure Switched Port Analyzer (SPAN) and Remote SPAN (RSPAN) on your switch.

Note: For complete syntax and usage information for the commands used in this chapter, refer to the command reference for this release.

Understanding SPAN and RSPAN

[Figure 21-1 Example SPAN Configuration. Labels: ports 1 through 12, Port 5 traffic mirrored on Port 10, Network analyzer.]

Only traffic that enters or leaves source ports or traffic that enters source VLANs can be monitored by using SPAN; traffic that gets routed to ingress source ports or source VLANs cannot be monitored.

SPAN and RSPAN Concepts and Terminology

This section describes concepts and terminology associated with SPAN and RSPAN configuration.

SPAN Session

A local SPAN session is an association of a destination port with source ports and source VLANs. An RSPAN session is an association of source ports and source VLANs across your network with an RSPAN VLAN. The destination source is the RSPAN VLAN.

standard and extended output ACLs for unicast and ingress QoS policing. VLAN maps, ingress QoS policing, and policy-based routing. Switch congestion that causes packets to be dropped also has no effect on SPAN.
• Transmit (Tx) SPAN: The goal of transmit (or egress) SPAN is to monitor as much as possible all the packets sent by the source interface after all modification and processing is performed by the switch.

Destination Port

Each local SPAN session or RSPAN destination session must have a destination port (also called a monitoring port) that receives a copy of traffic from the source ports and VLANs. The destination port has these characteristics:
• It must reside on the same switch as the source port (for a local SPAN session).
• It can be any Ethernet physical port.

• Spanning tree is automatically disabled on a reflector port.
• A reflector port receives copies of sent and received traffic for all monitored source ports. If a reflector port is oversubscribed, it could become congested. This could affect traffic forwarding on one or more of the source ports.

SPAN and RSPAN Interaction with Other Features

SPAN interacts with these features:
• Routing: Ingress SPAN does not monitor routed traffic. VSPAN only monitors traffic that enters the switch, not traffic that is routed between VLANs. For example, if a VLAN is being Rx-monitored and the multilayer switch routes traffic from another VLAN to the monitored VLAN, that traffic is not monitored and not received on the SPAN destination port.

Configuring SPAN

SPAN and RSPAN Session Limits

You can configure (and store in NVRAM) a maximum of two SPAN or RSPAN sessions on each switch. You can divide the two sessions between SPAN, RSPAN source, and RSPAN destination sessions. You can configure multiple source ports or source VLANs for each session.

Default SPAN and RSPAN Configuration

Table 21-1 shows the default SPAN and RSPAN configuration.

• When you configure a switch port as a SPAN destination port, it is no longer a normal switch port; only monitored traffic passes through the SPAN destination port.
• A trunk port can be a source port or a destination port. Outgoing packets through the SPAN destination port carry the configured encapsulation headers, either Inter-Switch Link (ISL) or IEEE 802.1Q. If no encapsulation type is defined, the packets are sent in native form.

Step 3  monitor session session_number source interface interface-id [, | -] [both | rx | tx]
  Specify the SPAN session and the source port (monitored port).
  For session_number, specify 1 or 2.
  For interface-id, specify the source port to monitor. Valid interfaces include physical interfaces and port-channel logical interfaces (port-channel port-channel-number).
  (Optional) [, | -] Specify a series or range of interfaces.

Removing Ports from a SPAN Session

Beginning in privileged EXEC mode, follow these steps to remove a port as a SPAN source for a session:

Step 1  configure terminal
  Enter global configuration mode.
Step 2  no monitor session session_number source interface interface-id [, | -] [both | rx | tx]
  Specify the characteristics of the source port (monitored port) and SPAN session to remove. For session, specify 1 or 2.

Specifying VLANs to Monitor

VLAN monitoring is similar to port monitoring. Beginning in privileged EXEC mode, follow these steps to specify VLANs to monitor:

Step 1  configure terminal
  Enter global configuration mode.
Step 2  no monitor session {session_number | all | local | remote}
  Clear any existing SPAN configuration for the session. For session_number, specify 1 or 2.

Specifying VLANs to Filter

Beginning in privileged EXEC mode, follow these steps to limit SPAN source traffic to specific VLANs:

Step 1  configure terminal
  Enter global configuration mode.
Step 2  no monitor session {session_number | all | local | remote}
  Clear any existing SPAN configuration for the session. For session_number, specify 1 or 2.

Configuring RSPAN

This section describes how to configure RSPAN on your switch.

• You should create an RSPAN VLAN before configuring an RSPAN source or destination session.
• If you enable VTP and VTP pruning, RSPAN traffic is pruned in the trunks to prevent the unwanted flooding of RSPAN traffic across the network for VLAN-IDs that are lower than 1005.

Creating an RSPAN Session

First create an RSPAN VLAN that does not exist for the RSPAN session in any of the switches that will participate in RSPAN.

Step 6  show monitor [session session_number]
  Verify your entries.
Step 7  copy running-config startup-config
  (Optional) Save your entries in the configuration file.

This example shows how to clear any existing RSPAN configuration for session 1, configure RSPAN session 1 to monitor multiple source interfaces, and configure the destination RSPAN VLAN and the reflector-port.

Removing Ports from an RSPAN Session

Beginning in privileged EXEC mode, follow these steps to remove a port as an RSPAN source for a session:

Step 1  configure terminal
  Enter global configuration mode.
Step 2  no monitor session session_number source interface interface-id [, | -] [both | rx | tx]
  Specify the characteristics of the RSPAN source port (monitored port) to remove. For session_number, specify 1 or 2.

Specifying VLANs to Monitor

VLAN monitoring is similar to port monitoring. Beginning in privileged EXEC mode, follow these steps to specify VLANs to monitor:

Step 1  configure terminal
  Enter global configuration mode.
Step 2  no monitor session {session_number | all | local | remote}
  Clear any existing SPAN configuration for the session. For session_number, specify 1 or 2.

Specifying VLANs to Filter

Beginning in privileged EXEC mode, follow these steps to limit RSPAN source traffic to specific VLANs:

Step 1  configure terminal
  Enter global configuration mode.
Step 2  no monitor session {session_number | all | local | remote}
  Clear any existing SPAN configuration for the session. For session_number, specify 1 or 2.

Displaying SPAN and RSPAN Status

To display the status of the current SPAN or RSPAN configuration, use the show monitor privileged EXEC command.
Chapter 22 Configuring RMON

This chapter describes how to configure Remote Network Monitoring (RMON) on your switch. RMON is a standard monitoring specification that defines a set of statistics and functions that can be exchanged between RMON-compliant console systems and network probes. RMON provides you with comprehensive network-fault diagnosis, planning, and performance-tuning information.

[Figure 22-1 Remote Monitoring Example: a network management station running a generic RMON console application manages a Catalyst 3550 switch on which RMON alarms and events are configured, SNMP is configured, and RMON history and statistic collection are enabled.]

Note RMON configuration, status, and display for remote CPE FE interfaces are supported through SNMP only, by using the RMON-MIB.

Default RMON Configuration

RMON is disabled by default; no alarms or events are configured. Only RMON 1 is supported on the switch.

Configuring RMON Alarms and Events

You can configure your switch for RMON by using the command-line interface (CLI) or an SNMP-compatible network management station.

Step 3  rmon event number [description string] [log] [owner string] [trap community]
        Add an event in the RMON event table that is associated with an RMON event number.
        • For number, assign an event number. The range is 1 to 65535.
        • (Optional) For description string, specify a description of the event.
        • (Optional) Use the log keyword to generate an RMON log entry when the event is triggered.
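The alarm-and-event pairing described in this section, as an added example that is not code from this guide or from the switch: a Python model of one RMON 1 alarm entry bound to a rising event and a falling event. It applies the RFC 2819 alarm-group rules (delta sampling needs two polls; once the rising event has fired it cannot fire again until the falling threshold is crossed), which is what keeps a persistently high counter from producing one trap per polling interval. The polled counter values, thresholds, event numbers and the community name "rmontrap" are constructed for the example.

```python
"""RMON 1 alarm/event model (RFC 2819 alarm group). Added example; not from the Cisco guide."""
from dataclasses import dataclass, field
from typing import List, Optional


@dataclass
class RmonEvent:
    number: int                             # `rmon event <number>`, 1..65535
    description: str
    log: bool = True                        # `log` keyword: write an RMON log entry
    trap_community: Optional[str] = None    # `trap <community>`: send an SNMP trap
    log_entries: List[str] = field(default_factory=list)

    def fire(self, sample: int) -> str:
        """Record the event and return a one-line summary of what would be emitted."""
        actions = []
        if self.log:
            self.log_entries.append(f"{self.description} (sample={sample})")
            actions.append("log")
        if self.trap_community:
            actions.append(f"trap:{self.trap_community}")
        return f"event {self.number}: " + ",".join(actions)


@dataclass
class RmonAlarm:
    sample_type: str                        # "absolute" or "delta"
    rising_threshold: int
    falling_threshold: int
    rising_event: RmonEvent
    falling_event: RmonEvent
    last_value: Optional[int] = None
    last_fired: Optional[str] = None        # "rising" / "falling" / None before any crossing

    def sample(self, value: int) -> Optional[str]:
        """Feed one polled value of the monitored MIB variable; return the fired event or None.

        Delta sampling compares successive polls, so the first poll only primes the alarm.
        Hysteresis: a rising event is not repeated until a falling event has occurred,
        and vice versa (RFC 2819 alarm group semantics).
        """
        if self.sample_type == "delta":
            if self.last_value is None:
                self.last_value = value
                return None
            sample, self.last_value = value - self.last_value, value
        else:
            sample = value

        if sample >= self.rising_threshold and self.last_fired != "rising":
            self.last_fired = "rising"
            return self.rising_event.fire(sample)
        if sample <= self.falling_threshold and self.last_fired != "falling":
            self.last_fired = "falling"
            return self.falling_event.fire(sample)
        return None


def run_alarm(polls: List[int]) -> List[Optional[str]]:
    """Constructed scenario: an interface error counter polled once per interval,
    delta sampling, rising threshold 100 errors/interval (event 1, log + trap),
    falling threshold 10 (event 2, log only)."""
    alarm = RmonAlarm("delta", 100, 10,
                      RmonEvent(1, "High error rate", log=True, trap_community="rmontrap"),
                      RmonEvent(2, "Error rate back to normal", log=True))
    return [alarm.sample(v) for v in polls]
```

Feeding the counter values 0, 50, 200, 400, 405, 600 produces one rising event at the 150-error jump, nothing while the rate stays high, a falling event when the rate drops to 5, and a second rising event only after that.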
Configuring RMON Collection on an Interface

You must first configure RMON alarms and events to display collection information. Beginning in privileged EXEC mode, follow these steps to collect group history statistics on an interface:

Step 1  configure terminal
        Enter global configuration mode.
Step 2  interface interface-id
        Enter interface configuration mode, and specify the interface on which to collect history.

Step 6  show rmon statistics
        Display the contents of the switch statistics table.
Step 7  copy running-config startup-config
        (Optional) Save your entries in the configuration file.

To disable the collection of group Ethernet statistics, use the no rmon collection stats index interface configuration command.
Chapter 23 Configuring System Message Logging

This chapter describes how to configure system message logging on your switch.

Note For complete syntax and usage information for the commands used in this chapter, refer to the Cisco IOS Configuration Fundamentals Command Reference for Release 12.1.

Configuring System Message Logging

These sections describe how to configure system message logging:
• System Log Message Format, page 23-2
• Default System Message Logging Configuration, page 23-3
• Disabling and Enabling Message Logging, page 23-4
• Setting the Message Display Destination Device, page 23-4
• Synchronizing Log Messages, page 23-6
• Enabling and Disabling Timestamps on Log Messages, page 23-7
• E

Table 23-1 System Log Message Elements (continued)
Element       Description
MNEMONIC      Text string that uniquely describes the message.
description   Text string containing detailed information about the event being reported.

Disabling and Enabling Message Logging

Message logging is enabled by default. It must be enabled to send messages to any destination other than the console. When enabled, log messages are sent to a logging process, which logs messages to designated locations asynchronously to the processes that generated the messages.

Step 3  logging host
        Log messages to a UNIX syslog server host. For host, specify the name or IP address of the host to be used as the syslog server. To build a list of syslog servers that receive logging messages, enter this command more than once. For complete syslog server configuration steps, see the “Configuring UNIX Syslog Servers” section on page 23-10.

Synchronizing Log Messages

You can configure the system to synchronize unsolicited messages and debug privileged EXEC command output with solicited device output and prompts for a specific console port line or virtual terminal line. You can identify the types of messages to be output asynchronously based on the level of severity.

Step 5  show running-config
        Verify your entries.
Step 6  copy running-config startup-config
        (Optional) Save your entries in the configuration file.

To disable synchronization of unsolicited messages and debug output, use the no logging synchronous [level severity-level | all] [limit number-of-buffers] line configuration command.

Enabling and Disabling Sequence Numbers in Log Messages

Because there is a chance that more than one log message can have the same timestamp, you can display messages with sequence numbers so that you can unambiguously refer to a single message. By default, sequence numbers in log messages are not displayed.

Step 6  show running-config or show logging
        Verify your entries.
Step 7  copy running-config startup-config
        (Optional) Save your entries in the configuration file.

Note Specifying a level causes messages at that level and numerically lower levels to be displayed at the destination.

To disable logging to the console, use the no logging console global configuration command.
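The message elements in Table 23-1, the optional sequence number, and the rule that a destination level admits that level and all numerically lower levels, worked through as an added example (not code from this guide or from the switch). It parses the switch's message layout (sequence number and timestamp optional, then %FACILITY-SEVERITY-MNEMONIC: description), applies the level filter the way logging console or logging trap would, and pulls out configuration-change messages, which a syslog collector would normally want regardless of the trap level. The log lines in LOG_LINES are constructed; the regular expression assumes that sequence numbers are rendered with at least six digits, as in "000019:", so that they are not confused with an uptime timestamp such as "00:00:46:".

```python
"""Parse Catalyst/IOS system log messages and apply the destination severity filter.

Added example; not code from the Cisco guide. The sample lines are constructed.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

# Severity keywords accepted by `logging console|monitor|trap <level>` (0 = most severe).
SEVERITY_NAMES = {
    0: "emergencies", 1: "alerts", 2: "critical", 3: "errors",
    4: "warnings", 5: "notifications", 6: "informational", 7: "debugging",
}

# Assumption: `service sequence-numbers` prints at least six digits ("000019:"),
# which keeps the optional sequence number distinct from an uptime timestamp.
_MSG_RE = re.compile(
    r"^(?:(?P<seq>\d{6,}):\s*)?"                         # sequence number, optional
    r"(?:(?P<ts>[^%]*?):\s*)?"                           # timestamp, optional
    r"%(?P<facility>[A-Z0-9_]+)-(?P<severity>[0-7])-(?P<mnemonic>[A-Z0-9_]+):\s*"
    r"(?P<description>.*)$"
)

LOG_LINES = [  # constructed sample input
    "000019: *Mar  1 18:46:11: %SYS-5-CONFIG_I: Configured from console by vty2 (10.34.195.36)",
    "000020: *Mar  1 18:47:02: %LINK-3-UPDOWN: Interface FastEthernet0/1, changed state to down",
    "00:00:46: %LINEPROTO-5-UPDOWN: Line protocol on Interface Vlan1, changed state to up",
    "%SYS-6-LOGGINGHOST_STARTSTOP: Logging to host 10.1.1.1 started",
    "this is not a system message",
]


@dataclass
class SyslogMessage:
    seq: Optional[int]
    timestamp: Optional[str]
    facility: str
    severity: int
    mnemonic: str
    description: str

    @property
    def severity_name(self) -> str:
        return SEVERITY_NAMES[self.severity]


def parse_message(line: str) -> Optional[SyslogMessage]:
    """Return the parsed message, or None for a line that is not a system message."""
    m = _MSG_RE.match(line.strip())
    if not m:
        return None
    return SyslogMessage(
        seq=int(m["seq"]) if m["seq"] else None,
        timestamp=m["ts"].strip() if m["ts"] else None,
        facility=m["facility"],
        severity=int(m["severity"]),
        mnemonic=m["mnemonic"],
        description=m["description"],
    )


def parse_all(lines: List[str]) -> List[SyslogMessage]:
    return [msg for msg in (parse_message(line) for line in lines) if msg is not None]


def filter_by_level(messages: List[SyslogMessage], level: int) -> List[SyslogMessage]:
    """Keep messages at `level` and numerically lower (more severe) levels,
    which is what `logging console <level>` / `logging trap <level>` select."""
    return [msg for msg in messages if msg.severity <= level]


def config_changes(messages: List[SyslogMessage]) -> List[SyslogMessage]:
    """Detection helper: SYS-5-CONFIG_I marks a configuration change on the switch."""
    return [msg for msg in messages if msg.facility == "SYS" and msg.mnemonic == "CONFIG_I"]
```

With the trap level set to errors (3), only the link-down message would reach the syslog server; the configuration-change message at level 5 would not, which is the reason to set logging trap no lower than notifications on a switch whose configuration changes must be audited.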
Limiting Syslog Messages Sent to the History Table and to SNMP

If you enabled syslog message traps to be sent to an SNMP network management station by using the snmp-server enable trap global configuration command, you can change the level of messages sent and stored in the switch history table. You also can change the number of messages that are stored in the history table.

Logging Messages to a UNIX Syslog Daemon

Before you can send system log messages to a UNIX syslog server, you must configure the syslog daemon on a UNIX server. Log in as root, and perform these steps:

Note Some recent versions of UNIX syslog daemons no longer accept by default syslog packets from the network.

Step 4  logging facility facility-type
        Configure the syslog facility. See Table 23-4 on page 23-12 for facility-type keywords. The default is local7.
Step 5  end
        Return to privileged EXEC mode.
Step 6  show running-config
        Verify your entries.
Step 7  copy running-config startup-config
        (Optional) Save your entries in the configuration file.
Chapter 24 Configuring SNMP

This chapter describes how to configure the Simple Network Management Protocol (SNMP) on your switch.

Note For complete syntax and usage information for the commands used in this chapter, refer to the switch command reference for this release and to the Cisco IOS Configuration Fundamentals Command Reference for Release 12.1.

Understanding SNMP

• Using SNMP to Access MIB Variables, page 24-4
• SNMP Notifications, page 24-5

SNMP Versions

This software release supports these SNMP versions:
• SNMPv1—The Simple Network Management Protocol, a Full Internet Standard, defined in RFC 1157.

Table 24-1 SNMP Security Models and Levels
Model     Level          Authentication     Encryption   Result
SNMPv1    noAuthNoPriv   Community string   No           Uses a community string match for authentication.
SNMPv2C   noAuthNoPriv   Community string   No           Uses a community string match for authentication.
SNMPv3    noAuthNoPriv   Username           No           Uses a username match for authentication.

SNMP Community Strings

SNMP community strings authenticate access to MIB objects and function as embedded passwords. In order for the NMS to access the switch, the community string definitions on the NMS must match at least one of the three community string definitions on the switch.

SNMP Notifications

SNMP allows the switch to send notifications to SNMP managers when particular events occur. SNMP notifications can be sent as traps or inform requests. In command syntax, unless there is an option in the command to select either traps or informs, the keyword traps refers to either traps or informs, or both. Use the snmp-server host command to specify whether to send SNMP notifications as traps or informs.

Configuring SNMP

Default SNMP Configuration

Table 24-3 shows the default SNMP configuration.

Table 24-3 Default SNMP Configuration
Feature                  Default Setting
SNMP agent               Enabled
SNMP community strings   Read-Only: public; Read-Write: private; Read-Write-all: secret
SNMP trap receiver       None configured
SNMP traps               None enabled
SNMP version             If no version keyword is present, the default is version 1.

Because the default community strings are well known and the agent is enabled by default, replace them (or disable the agent) before the switch is reachable from a network you do not control.

Disabling the SNMP Agent

Beginning in privileged EXEC mode, follow these steps to disable the SNMP agent:

Step 1  configure terminal
        Enter global configuration mode.
Step 2  no snmp-server
        Disable the SNMP agent operation.
Step 3  end
        Return to privileged EXEC mode.
Step 4  show running-config
        Verify your entries.
Step 5  copy running-config startup-config
        (Optional) Save your entries in the configuration file.

Step 3  access-list access-list-number {deny | permit} source [source-wildcard]
        (Optional) If you specified an IP standard access list number in Step 2, create the list, repeating the command as many times as necessary.
        • For access-list-number, enter the access list number specified in Step 2.
        • The deny keyword denies access if the conditions are matched. The permit keyword permits access if the conditions are matched.

Beginning in privileged EXEC mode, follow these steps to configure SNMP on the switch:

Step 1  configure terminal
        Enter global configuration mode.
Step 2  snmp-server engineID {local engineid-string | remote ip-address [udp-port port-number] engineid-string}
        Configure a name for either the local or remote copy of SNMP.
        • The engineid-string is a 24-character ID string with the name of the copy of SNMP.

Step 4  snmp-server user username groupname [remote host [udp-port port]] {v1 | v2c | v3 [auth {md5 | sha} auth-password]} [encrypted] [access access-list]
        Add a new user to an SNMP group.
        • The username is the name of the user on the host that connects to the agent.
        • The groupname is the name of the group to which the user is associated.
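Why Step 2 (snmp-server engineID) comes before Step 4 (snmp-server user ... v3 auth {md5 | sha}), as an added example that is not code from this guide or from the switch: the User-based Security Model of SNMPv3 (RFC 3414) never stores the auth-password itself. It stretches the password into a key Ku and then localizes it with the authoritative engine ID, so the same password yields a different stored key on every agent, and a user created with the remote keyword must be keyed with the remote engine ID or its informs will fail authentication. The password "maplesyrup" and engine ID 000000000000000000000002 are the RFC 3414 appendix A test vectors, not values from any switch; the message bytes in the usage below are constructed.

```python
"""SNMPv3 USM password-to-key and key localization (RFC 3414 A.2). Added example; not from the Cisco guide."""
import hashlib
import hmac

ONE_MEGABYTE = 1048576
TRUNCATED_MAC_LEN = 12          # HMAC-MD5-96 and HMAC-SHA-96 carry 12 bytes


def password_to_ku(password: bytes, algorithm: str) -> bytes:
    """Step 1: hash exactly 1,048,576 bytes of the password repeated end to end."""
    if algorithm not in ("md5", "sha1"):
        raise ValueError("auth protocols on this release are md5 and sha")
    if not password:
        raise ValueError("empty password")
    stream = (password * (ONE_MEGABYTE // len(password) + 1))[:ONE_MEGABYTE]
    return hashlib.new(algorithm, stream).digest()


def localize_key(ku: bytes, engine_id: bytes, algorithm: str) -> bytes:
    """Step 2: Kul = H(Ku || snmpEngineID || Ku). This is what the agent keeps for the user."""
    return hashlib.new(algorithm, ku + engine_id + ku).digest()


def password_to_key(password: bytes, engine_id: bytes, algorithm: str = "md5") -> bytes:
    return localize_key(password_to_ku(password, algorithm), engine_id, algorithm)


def auth_tag(kul: bytes, message: bytes, algorithm: str = "md5") -> bytes:
    """msgAuthenticationParameters: the first 12 bytes of the HMAC over the message
    (the caller zeroes the parameter field before computing it)."""
    return hmac.new(kul, message, algorithm).digest()[:TRUNCATED_MAC_LEN]


def verify_auth_tag(kul: bytes, message: bytes, tag: bytes, algorithm: str = "md5") -> bool:
    return hmac.compare_digest(auth_tag(kul, message, algorithm), tag)


# RFC 3414 appendix A.3 test vector (values chosen by the RFC, not taken from a switch).
TEST_PASSWORD = b"maplesyrup"
TEST_ENGINE_ID = bytes.fromhex("000000000000000000000002")
```

Localizing the same password for two engine IDs gives two unrelated keys, which is the property that stops a key captured from one agent from being replayed against another; it is also why changing snmp-server engineID local invalidates every v3 user configured on the switch.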
Table 24-4 Switch Notification Types (continued)
Notification Type Keyword   Description
hsrp                        Generates a trap for Hot Standby Router Protocol (HSRP) changes.
mac-notification            Generates a trap for MAC address notifications.
rtr                         Generates a trap for the SNMP Response Time Reporter (RTR).
snmp                        Generates a trap for SNMP-type notifications.
syslog                      Generates a trap for SNMP syslog notifications.

Step 5  snmp-server host host-addr [traps | informs] [version {1 | 2c | 3 [auth | noauth | priv]}] community-string [udp-port port] [notification-type]
        Specify the recipient of an SNMP trap operation.
        • For host-addr, specify the name or Internet address of the host (the targeted recipient).
        • (Optional) Enter traps (the default) to send SNMP traps to the host.
        • (Optional) Enter informs to send SNMP informs to the host.

Setting the Agent Contact and Location Information

Beginning in privileged EXEC mode, follow these steps to set the system contact and location of the SNMP agent so that these descriptions can be accessed through the configuration file:

Step 1  configure terminal
        Enter global configuration mode.
Step 2  snmp-server contact text
        Set the system contact string. For example: snmp-server contact Dial System Operator at beeper 21555.

Step 4  end
        Return to privileged EXEC mode.
Step 5  show running-config
        Verify your entries.
Step 6  copy running-config startup-config
        (Optional) Save your entries in the configuration file.

SNMP Examples

This example shows how to enable all versions of SNMP. The configuration permits any SNMP manager to access all objects with read-only permissions using the community string public.

Displaying SNMP Status

To display SNMP input and output statistics, including the number of illegal community string entries, errors, and requested variables, use the show snmp privileged EXEC command. You can also use the other privileged EXEC commands in Table 24-5 to display SNMP information. For information about the fields in the output displays, refer to the Cisco IOS Configuration Fundamentals Command Reference for Release 12.1.

Catalyst 2950 Desktop Switch Software Configuration Guide 78-14982-01
Chapter 25 Configuring Network Security with ACLs

This chapter describes how to configure network security on your switch by using access control lists (ACLs), which are also referred to in commands and tables as access lists. You can create ACLs for physical interfaces or management interfaces. A management interface is defined as a management VLAN or any traffic that is going directly to the CPU, such as SNMP, Telnet, or web traffic.

Understanding ACLs

Packet filtering can limit network traffic and restrict network use by certain users or devices. ACLs can filter traffic as it passes through a switch and permit or deny packets at specified interfaces. An ACL is a sequential collection of permit and deny conditions that apply to packets.

[Figure 25-1 Using ACLs to Control Traffic to a Network: a Catalyst 2950 switch connects Host A and Host B to the Research & Development network; an ACL on the switch denies traffic from Host B and permits traffic from Host A. A Human Resources network is also shown.]

Handling Fragmented and Unfragmented Traffic

IP packets can be fragmented as they cross the network.

• Packet A is a TCP packet from host 10.2.2.2, port 65000, going to host 10.1.1.1 on the SMTP port. If this packet is fragmented, the first fragment matches the first ACE (a permit), as if it were a complete packet, because all Layer 4 information is present.

• Layer 4 fields:
  – TCP (You can specify a TCP source port, destination port, or both at the same time.)
  – UDP (You can specify a UDP source port, destination port, or both at the same time.)

Note A mask can be a combination of either multiple Layer 3 and Layer 4 fields or of multiple Layer 2 fields. Layer 2 fields cannot be combined with Layer 3 or Layer 4 fields.

Configuring ACLs

Guidelines for Applying ACLs to Physical Interfaces

When applying ACLs to physical interfaces, follow these configuration guidelines:
• Only one ACL can be attached to an interface. For more information, refer to the ip access-group interface command in the command reference for this release.
• All ACEs in an ACL must have the same user-defined mask. However, ACEs can have different rules that use the same mask.

Unsupported Features

The switch does not support these IOS router ACL-related features:
• Non-IP protocol ACLs (see Table 25-2 on page 25-8)
• Bridge-group ACLs
• IP accounting
• ACL support on the outbound direction
• Inbound and outbound rate limiting (except with QoS ACLs)
• IP packets that have a header length (IHL) of less than 5, that is, a header shorter than the 20-byte minimum
• Reflexive ACLs
• Dynamic ACLs (except for certain specialized dynamic ACLs used by the sw

ACL Numbers

The number you use to denote your ACL shows the type of access list that you are creating. Table 25-2 lists the access list numbers and corresponding types and shows whether or not they are supported by the switch. The switch supports IP standard and IP extended access lists, numbers 1 to 199 and 1300 to 2699.

Creating a Numbered Standard ACL

Note For information about creating ACLs to apply to a management interface, refer to the “Configuring IP Services” section of the Cisco IOS IP and IP Routing Configuration Guide and the Command Reference for IOS Release 12.1. You can apply these ACLs only to a management interface.

This example shows how to create a standard ACL to deny access to IP host 171.69.198.102, permit access to any others, and display the results.

Switch(config)# access-list 2 deny host 171.69.198.102
Switch(config)# access-list 2 permit any
Switch(config)# end
Switch# show access-lists
Standard IP access list 2
    deny 171.69.198.

Note The switch does not support dynamic or reflexive access lists. It also does not support filtering based on the minimize-monetary-cost type of service (ToS) bit.

When creating ACEs in numbered extended access lists, remember that after you create the list, any additions are placed at the end of the list. You cannot reorder the list or selectively add or remove ACEs from a numbered list.

Beginning in privileged EXEC mode, follow these steps to create an extended ACL:

Step 1  configure terminal
        Enter global configuration mode.

Use the no access-list access-list-number global configuration command to delete the entire access list. You cannot delete individual ACEs from numbered access lists.

This example shows how to create and display an extended access list to deny Telnet access from any host in network 171.69.198.0 to any host in network 172.20.52.0 and permit any others.

Beginning in privileged EXEC mode, follow these steps to create a standard named access list:

Step 1  configure terminal
        Enter global configuration mode.
Step 2  ip access-list standard {name | access-list-number}
        Define a standard IP access list by using a name, and enter access-list configuration mode.

Step 5  show access-lists [number | name]
        Show the access list configuration.
Step 6  copy running-config startup-config
        (Optional) Save your entries in the configuration file.

When creating standard and extended ACLs, remember that, by default, the end of the ACL contains an implicit deny statement for every packet that did not match an earlier entry.
Step 3  absolute [start time date] [end time date]
        Specify when the function it will be applied to is operational. Use some combination of these commands; multiple periodic statements are allowed; only one absolute statement is allowed. If more than one absolute statement is configured, only the one configured last is executed.

    deny tcp any any time-range new_year_day_2000 (inactive)
    deny tcp any any time-range thanskgiving_2000 (active)
    deny tcp any any time-range christmas_2000 (inactive)
    permit tcp any any time-range workhours (inactive)

This example uses named ACLs to permit and deny the same traffic.

In this example, the Jones subnet is not allowed to use outbound Telnet:

Switch(config)# ip access-list extended telnetting
Switch(config-ext-nacl)# remark Do not allow Jones subnet to telnet out
Switch(config-ext-nacl)# deny tcp host 171.69.2.88 any eq telnet

Creating Named MAC Extended ACLs

You can filter Layer 2 traffic on a physical Layer 2 interface by using MAC addresses and named MAC extended ACLs.

This example shows how to create and display an access list named mac1, denying only EtherType DECnet Phase IV traffic, but permitting all other types of traffic.

Applying ACLs to Terminal Lines or Physical Interfaces

Note Before applying an ACL to a physical interface, see the “Guidelines for Applying ACLs to Physical Interfaces” section on page 25-6.

You can apply ACLs to any management interface.

Applying ACLs to a Physical Interface

Beginning in privileged EXEC mode, follow these steps to control access to a Layer 2 interface:

Step 1  configure terminal
        Enter global configuration mode.
Step 2  interface interface-id
        Identify a specific interface for configuration and enter interface configuration mode. The interface must be a Layer 2 interface, a management interface, or a management interface VLAN ID.

Displaying ACL Information

Displaying ACLs

You can display existing ACLs by using show commands. Beginning in privileged EXEC mode, follow these steps to display access lists:

Step 1  show access-lists [number | name]
        Show information about all IP and MAC address access lists or about a specific access list (numbered or named).

Displaying Access Groups

Note This feature is available only if your switch is running the EI.

You use the ip access-group interface configuration command to apply ACLs to a Layer 3 interface. When IP is enabled on an interface, you can use the show ip interface interface-id privileged EXEC command to view the input and output access lists on the interface, as well as other interface characteristics.

Examples for Compiling ACLs

Use switch ACLs to do these:
• Create a standard ACL, and filter traffic from a specific Internet host with an address 172.20.128.64.
• Create an extended ACL, and filter traffic to deny HTTP access to all Internet hosts but allow all other types of access.

Numbered ACL Examples

This example shows that the switch accepts addresses on network 36.0.0.0 subnets and denies all packets coming from 56.0.0.0 subnets. The ACL is then applied to packets entering Gigabit Ethernet interface 0/1.

Switch(config)# access-list 2 permit 36.0.0.0 0.255.255.255
Switch(config)# access-list 2 deny 56.0.0.0 0.255.255.

In this example of a numbered ACL, the Winter and Smith workstations are not allowed to browse the web:

Switch(config)# access-list 100 remark Do not allow Winter to browse the web
Switch(config)# access-list 100 deny host 171.69.3.85 any eq www
Switch(config)# access-list 100 remark Do not allow Smith to browse the web
Switch(config)# access-list 100 deny host 171.69.3.
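The matching rules this chapter states piecemeal (first matching ACE wins, wildcard masks, the implicit deny at the end, and the fragment handling introduced under "Handling Fragmented and Unfragmented Traffic"), brought together as an added example that is not the switch's code. It parses numbered standard and extended access-list lines of the form used in this chapter and evaluates constructed packets against them. The Telnet ACL and the 36.0.0.0/56.0.0.0 ACL from the examples above are the test input. The treatment of non-initial fragments (an ACE with Layer 4 conditions permits a fragment whose Layer 3 fields match, but never denies one; the fragment falls through to later entries) is Cisco IOS's documented behavior for ACLs without the fragments keyword and is stated here as an assumption, since the guide's own text only covers the initial fragment. The practical consequence is visible in the last assertion: non-initial fragments of a denied Telnet session still pass the deny ACE.

```python
"""Numbered IP ACL evaluator: wildcard masks, implicit deny, fragment handling.
Added example; not the switch's own code. Packets and ACL text are constructed input."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

PORT_NAMES = {"telnet": 23, "www": 80, "smtp": 25}   # port keywords used in this chapter
ANY = (0, 0xFFFFFFFF)


def _ip(text: str) -> int:
    return int(ipaddress.IPv4Address(text))


def _is_ip(text: str) -> bool:
    try:
        ipaddress.IPv4Address(text)
        return True
    except ValueError:
        return False


@dataclass
class AddrMatch:
    addr: int
    wildcard: int                  # 1 bits are "don't care", as in IOS
    port: Optional[int] = None     # None = no Layer 4 port condition

    def matches_addr(self, ip: int) -> bool:
        care = 0xFFFFFFFF ^ self.wildcard
        return (ip & care) == (self.addr & care)

    def matches_port(self, port: Optional[int]) -> bool:
        return self.port is None or self.port == port


@dataclass
class Ace:
    action: str       # "permit" or "deny"
    proto: str        # "ip", "tcp" or "udp"
    src: AddrMatch
    dst: AddrMatch

    def has_l4(self) -> bool:
        return self.src.port is not None or self.dst.port is not None


@dataclass
class Packet:
    src: str
    dst: str
    proto: str = "ip"
    sport: Optional[int] = None
    dport: Optional[int] = None
    initial_fragment: bool = True   # False = non-initial fragment, no Layer 4 header


def _parse_addr(tokens: List[str], i: int) -> Tuple[AddrMatch, int]:
    if tokens[i] == "any":
        return AddrMatch(*ANY), i + 1
    if tokens[i] == "host":
        return AddrMatch(_ip(tokens[i + 1]), 0), i + 2
    addr = _ip(tokens[i])
    if i + 1 < len(tokens) and _is_ip(tokens[i + 1]):
        return AddrMatch(addr, _ip(tokens[i + 1])), i + 2
    return AddrMatch(addr, 0), i + 1           # standard ACL: wildcard defaults to 0.0.0.0


def _parse_port(tokens: List[str], i: int) -> Tuple[Optional[int], int]:
    if i < len(tokens) and tokens[i] == "eq":
        name = tokens[i + 1]
        return (int(name) if name.isdigit() else PORT_NAMES[name]), i + 2
    return None, i


def parse_acl(config: str) -> List[Ace]:
    """Parse `access-list <n> ...` lines; remarks and prompts are ignored."""
    aces: List[Ace] = []
    for line in config.splitlines():
        tokens = line.replace("Switch(config)#", "").split()
        if len(tokens) < 4 or tokens[0] != "access-list" or tokens[2] == "remark":
            continue
        number, action = int(tokens[1]), tokens[2]
        if 1 <= number <= 99 or 1300 <= number <= 1999:     # standard: source only
            src, _ = _parse_addr(tokens, 3)
            aces.append(Ace(action, "ip", src, AddrMatch(*ANY)))
        else:                                               # extended: proto src [eq] dst [eq]
            proto = tokens[3]
            src, i = _parse_addr(tokens, 4)
            src.port, i = _parse_port(tokens, i)
            dst, i = _parse_addr(tokens, i)
            dst.port, i = _parse_port(tokens, i)
            aces.append(Ace(action, proto, src, dst))
    return aces


def evaluate(aces: List[Ace], pkt: Packet) -> str:
    """First matching ACE wins; the implicit deny at the end catches everything else."""
    s, d = _ip(pkt.src), _ip(pkt.dst)
    for ace in aces:
        if ace.proto != "ip" and ace.proto != pkt.proto:
            continue
        if not (ace.src.matches_addr(s) and ace.dst.matches_addr(d)):
            continue
        if not ace.has_l4():
            return ace.action
        if pkt.initial_fragment:
            if ace.src.matches_port(pkt.sport) and ace.dst.matches_port(pkt.dport):
                return ace.action
            continue
        # Non-initial fragment: no Layer 4 header. Assumed IOS rule: a permit ACE
        # with L4 conditions permits on the L3 match; a deny ACE with L4
        # conditions is skipped and the fragment is checked against later entries.
        if ace.action == "permit":
            return "permit"
    return "deny"


ACL_2 = """access-list 2 permit 36.0.0.0 0.255.255.255
access-list 2 deny 56.0.0.0 0.255.255.255"""

ACL_102 = """access-list 102 remark deny Telnet from 171.69.198.0/24 to 172.20.52.0/24
access-list 102 deny tcp 171.69.198.0 0.0.0.255 172.20.52.0 0.0.0.255 eq telnet
access-list 102 permit ip any any"""
```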
Chapter 26 Configuring QoS

This chapter describes how to configure quality of service (QoS) by using QoS commands. With QoS, you can provide preferential treatment to certain types of traffic at the expense of others. Without QoS, the switch offers best-effort service to each packet, regardless of the packet contents or size. It sends the packets without any assurance of reliability, delay bounds, or throughput.

Understanding QoS

• Video wizard—Gives traffic that originates from specified video servers a higher priority than the priority of data traffic. The wizard assumes that the video servers are connected to a single device in the cluster. Refer to the video wizard online help for procedures about using this wizard.

[Figure 26-1 QoS Classification Layers in Frames and Packets: an encapsulated packet is shown as Layer 2 header, IP header, and data, with the Layer 2 802. field called out.]

• Marking evaluates the policer and configuration information for the action to be taken when a packet is out of profile and decides what to do with the packet (pass through a packet without modification, mark down the DSCP value in the packet, or drop the packet). For more information, see the “Policing and Marking” section on page 26-6.

The trust DSCP configuration is meaningless for non-IP traffic. If you configure a port with this option and non-IP traffic is received, the switch assigns the default port CoS value and classifies traffic based on the CoS value.

For IP traffic, you have these classification options:
• Trust the IP DSCP in the incoming packet (configure the port to trust DSCP). The switch assigns the same DSCP to the packet for internal use.

Classification Based on Class Maps and Policy Maps

A class map is a mechanism that you use to isolate and name a specific traffic flow (or class) from all other traffic. The class map defines the criteria used to match against a specific traffic flow to further classify it; the criteria can include matching the access group defined by the ACL.

• Only one policer can be applied to a packet in the input direction.
• Only the average rate and committed burst parameters are configurable.
• Policing occurs on the ingress interfaces:
  – 60 policers are supported on ingress Gigabit-capable Ethernet ports.
  – 6 policers are supported on ingress 10/100 Ethernet ports.
  – Granularity for the average burst rate is 1 Mbps for 10/100 ports and 8 Mbps for Gigabit Ethernet ports.

Port Priority

Frames received from users in the administratively-defined VLANs are classified or tagged for transmission to other devices. Based on rules that you define, a unique identifier (the tag) is inserted in each frame header before it is forwarded. The tag is examined and understood by each device before any broadcasts or transmissions to other switches, routers, or end stations.

Configuring QoS

Before configuring QoS, you must have a thorough understanding of these items:
• The types of applications used and the traffic patterns on your network.
• Traffic characteristics and needs of your network. Is the traffic bursty? Do you need to reserve bandwidth for voice and video streams?
• Bandwidth requirements and speed of the network.
• Location of congestion points in the network.

Configuration Guidelines

Note These guidelines are applicable only if your switch is running the EI.

Before beginning the QoS configuration, you should be aware of this information:
• If you have EtherChannel ports configured on your switch, you must configure QoS classification, policing, mapping, and queueing on the individual physical ports that comprise the EtherChannel.

Note Both the EI and SI support this feature.

Configuring the Trust State on Ports within the QoS Domain

Packets entering a QoS domain are classified at the edge of the QoS domain. When the packets are classified at the edge, the switch port within the QoS domain can be configured to one of the trusted states because there is no need to classify the packets at every switch within the QoS domain. Figure 26-3 shows a sample network topology.

Beginning in privileged EXEC mode, follow these steps to configure the port to trust the classification of the traffic that it receives:

Step 1  configure terminal
        Enter global configuration mode.
Step 2  interface interface-id
        Enter interface configuration mode, and specify the interface to be trusted. Valid interfaces include physical interfaces.
Step 3  mls qos trust [cos | dscp]
        Configure the port trust state.

Configuring the CoS Value for an Interface

QoS assigns the CoS value specified with the mls qos cos interface configuration command to untagged frames received on trusted and untrusted ports. Beginning in privileged EXEC mode, follow these steps to define the default CoS value of a port or to assign the default CoS to all incoming packets on the port:

Step 1  configure terminal
        Enter global configuration mode.

However, if a user bypasses the telephone and connects the PC directly to the switch, the CoS labels generated by the PC are trusted by the switch (because of the trusted CoS setting) and can allow misuse of high-priority queues. The trusted boundary feature solves this problem by using the Cisco Discovery Protocol (CDP) to detect the presence of a Cisco IP phone (such as the Cisco IP Phone 7910, 7935, 7940, and 7960) on a switch port.

Table 26-2 Port Configurations When Trusted Boundary is Enabled
Port Configuration                                        When a Cisco IP Phone is Present     When a Cisco IP Phone is Absent
The port trusts the CoS value of the incoming packet.     The packet CoS value is trusted.     The packet CoS value is assigned the default CoS value.
The port trusts the DSCP value of the incoming packet.    The packet DSCP value is trusted.    For tagged non-IP packets, the packet CoS value is set to 0.
Chapter 26 Configuring QoS Configuring QoS Configuring a QoS Policy Note This feature is available only if your switch is running the EI. Configuring a QoS policy typically requires classifying traffic into classes, configuring policies applied to those traffic classes, and attaching policies to interfaces. For background information, see the “Classification” section on page 26-4 and the “Policing and Marking” section on page 26-6.
Chapter 26 Configuring QoS Configuring QoS Command Purpose Step 3 end Return to privileged EXEC mode. Step 4 show access-lists Verify your entries. Step 5 copy running-config startup-config (Optional) Save your entries in the configuration file. For more information about creating IP standard ACLs, see the “Guidelines for Applying ACLs to Physical Interfaces” section on page 25-6. To delete an ACL, use the no access-list access-list-number global configuration command.
Chapter 26 Configuring QoS Configuring QoS Beginning in privileged EXEC mode, follow these steps to create an IP extended ACL for IP traffic: Command Purpose Step 1 configure terminal Enter global configuration mode.
Chapter 26 Configuring QoS Configuring QoS Command Purpose Step 4 show access-lists Verify your entries. Step 5 copy running-config startup-config (Optional) Save your entries in the configuration file. For more information about creating IP extended ACLs, see the “Guidelines for Applying ACLs to Physical Interfaces” section on page 25-6. To delete an ACL, use the no access-list access-list-number global configuration command.
Chapter 26 Configuring QoS Configuring QoS This example shows how to create a Layer 2 MAC ACL with a permit statement. The statement allows traffic from the host with MAC address 0001.0000.0001 to the host with MAC address 0002.0000.0001. Switch(config)# mac access-list extended maclist1 Switch(config-ext-macl)# permit host 0001.0000.0001 host 0002.0000.
Chapter 26 Configuring QoS Configuring QoS Step 4 Command Purpose match {access-group acl-index | access-group name acl-name | ip dscp dscp-list} Define the match criterion to classify traffic. By default, no match criterion is supported. Only one match criterion per class map is supported, and only one ACL per class map is supported. For access-group acl-index or access-group name acl-name, specify the number or name of the ACL created in Step 3.
Beginning in privileged EXEC mode, follow these steps to create a policy map:

Step 1  configure terminal
        Enter global configuration mode.
Step 2  access-list access-list-number permit {source source-wildcard | host source | any}
        Create an IP standard or extended ACL for IP traffic or a Layer 2 MAC ACL for non-IP traffic, repeating the command as many times as necessary.

Step 5  set {ip dscp new-dscp}
        Classify IP traffic by setting a new DSCP value in the packet. For ip dscp new-dscp, enter the new DSCP value to be assigned to the classified traffic. The supported DSCP values are 0, 8, 10, 16, 18, 24, 26, 32, 34, 40, 46, 48, and 56.
Step 6  police rate-bps burst-byte [exceed-action {drop | dscp dscp-value}]
        Define a policer for the classified traffic.

Switch(config)# access-list 1 permit 10.1.0.0 0.0.255.
Configuring the CoS-to-DSCP Map

You use the CoS-to-DSCP map to map CoS values in incoming packets to a DSCP value that QoS uses internally to represent the priority of the traffic. Table 26-3 shows the default CoS-to-DSCP map.

Table 26-3 Default CoS-to-DSCP Map
CoS value    0   1   2   3   4   5   6   7
DSCP value   0   8  16  24  32  40  48  56

If these values are not appropriate for your network, you need to modify them.

Configuring the DSCP-to-CoS Map

You use the DSCP-to-CoS map to map DSCP values in incoming packets to a CoS value, which is used to select one of the four egress queues. The switch supports these DSCP values: 0, 8, 10, 16, 18, 24, 26, 32, 34, 40, 46, 48, and 56. Table 26-4 shows the default DSCP-to-CoS map.
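The class-map, policy-map and map sections above state several rules the switch enforces but does not explain together: one match criterion and one ACL per class map, only the thirteen listed DSCP values in set ip dscp and exceed-action dscp, and the CoS-to-DSCP and DSCP-to-CoS maps that decide which of the four egress queues a class ends up in. The following script is an added example, not code from the Cisco guide: it lints a policy snippet against those rules and reports the queue each class lands in under the default maps. The sample configuration is constructed, and the CoS-to-queue assignment (CoS 0 and 1 to queue 1, 2 and 3 to queue 2, and so on) is an assumption that should be adjusted if wrr-queue cos-map has been changed.

```python
"""Added example (not part of the Cisco guide): lint a Catalyst 2950 QoS
policy against the rules stated in Chapter 26 and report the egress queue
each class lands in under the default CoS-to-DSCP / DSCP-to-CoS maps.
The configuration text at the bottom is constructed for this example."""
import re

# Only these DSCP values are accepted by 'set ip dscp' and 'exceed-action dscp'.
SUPPORTED_DSCP = frozenset((0, 8, 10, 16, 18, 24, 26, 32, 34, 40, 46, 48, 56))

# Table 26-3: default CoS-to-DSCP map (CoS n -> DSCP 8n).
COS_TO_DSCP = {cos: cos * 8 for cos in range(8)}

# Default DSCP-to-CoS map: every supported DSCP maps to its high three bits
# (8 and 10 -> 1, 40 and 46 -> 5, and so on).
DSCP_TO_COS = {dscp: dscp >> 3 for dscp in SUPPORTED_DSCP}


def egress_queue(cos):
    """Assumed default CoS-to-queue assignment: CoS 0-1 -> queue 1, 2-3 -> 2,
    4-5 -> 3, 6-7 -> 4. Adjust if wrr-queue cos-map has been changed."""
    return cos // 2 + 1


def _new_class():
    return {"matches": 0, "acls": set(), "dscp": None, "exceed": None}


def lint_policy(config_text):
    """Return (problems, summary): a list of rule violations and, per class
    whose 'set ip dscp' value is supported, its DSCP, CoS and egress queue."""
    classes, current = {}, None
    for raw in config_text.splitlines():
        line = raw.strip()
        m = re.match(r"class-map(?: match-(?:all|any))? (\S+)$", line)
        if m:                                   # class-map definition
            current = classes.setdefault(m.group(1), _new_class())
            continue
        m = re.match(r"class (\S+)$", line)
        if m:                                   # class referenced from a policy-map
            current = classes.setdefault(m.group(1), _new_class())
            continue
        if current is None:
            continue
        if line.startswith("match "):
            current["matches"] += 1
            m = re.match(r"match access-group(?: name)? (\S+)", line)
            if m:
                current["acls"].add(m.group(1))
        elif line.startswith("set ip dscp "):
            current["dscp"] = int(line.split()[-1])
        else:
            m = re.match(r"police \d+ \d+ exceed-action (?:(drop)|dscp (\d+))", line)
            if m:
                current["exceed"] = "drop" if m.group(1) else int(m.group(2))

    problems, summary = [], {}
    for name, c in classes.items():
        if c["matches"] > 1:
            problems.append(f"{name}: {c['matches']} match statements, only one per class map is supported")
        if len(c["acls"]) > 1:
            problems.append(f"{name}: {len(c['acls'])} ACLs, only one per class map is supported")
        for label, value in (("set ip dscp", c["dscp"]), ("exceed-action dscp", c["exceed"])):
            if isinstance(value, int) and value not in SUPPORTED_DSCP:
                problems.append(f"{name}: {label} {value} is not a supported DSCP value")
        if c["dscp"] in DSCP_TO_COS:
            cos = DSCP_TO_COS[c["dscp"]]
            summary[name] = {"dscp": c["dscp"], "cos": cos, "queue": egress_queue(cos)}
    return problems, summary


# Constructed sample: 'broken' violates the rules, the other classes are valid.
SAMPLE_CONFIG = """\
class-map match-all video
 match access-group 101
class-map match-all voice
 match ip dscp 46
class-map match-all broken
 match access-group 102
 match access-group name servers
policy-map wiring-closet
 class video
  set ip dscp 34
  police 5000000 8192 exceed-action drop
 class voice
  set ip dscp 46
 class broken
  set ip dscp 12
  police 1000000 4096 exceed-action dscp 9
"""

if __name__ == "__main__":
    found, queues = lint_policy(SAMPLE_CONFIG)
    print("\n".join(found) or "no problems")
    for name, info in queues.items():
        print(f"{name}: DSCP {info['dscp']} -> CoS {info['cos']} -> queue {info['queue']}")
```

Run it against the output of show running-config before attaching a service policy: a class with an unsupported DSCP or a second match statement is rejected by the switch, but catching it offline is cheaper than discovering it during a change window. Note that the two valid classes (DSCP 34 and 46) both land in queue 3 under the default maps, which is exactly the kind of collision the DSCP-to-CoS map exists to correct.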
Configuring CoS and WRR

Note This feature is supported by both the EI and SI.

This section describes how to configure CoS priorities and weighted round-robin (WRR):
• Configuring CoS Priority Queues, page 26-27
• Configuring WRR, page 26-27

Configuring CoS Priority Queues

Beginning in privileged EXEC mode, follow these steps to configure the CoS priority queues:

Step 1  configure terminal
        Enter global configuration mode.

To disable the WRR scheduler and enable the strict priority scheduler, use the no wrr-queue bandwidth global configuration command.

Displaying QoS Information

To display QoS information, use one or more of the privileged EXEC commands in Table 26-5:

Table 26-5 Commands for Displaying QoS Information
show class-map [class-map-name]
        Display QoS class maps, which define the match criteria to classify traffic.

QoS Configuration Examples

Note These examples are applicable only if your switch is running the EI.

This section provides a QoS migration path to help you quickly implement QoS features based on your existing network and planned changes to your network, as shown in Figure 26-4.

QoS Configuration for the Existing Wiring Closet

The existing wiring closet in Figure 26-4 consists of existing Catalyst 2900 XL and 3500 XL switches. These switches are running IOS release 12.0(5)XP or later, which supports the IEEE 802.1p CoS values used by QoS. QoS classifies frames by assigning priority-indexed CoS values to them and gives preference to higher-priority traffic.

Step 9   police 5000000 8192 exceed-action drop
         Define a policer for the classified video traffic that drops traffic exceeding a 5-Mbps average rate with an 8192-byte burst size.
Step 10  exit
         Return to policy-map configuration mode.
Step 11  exit
         Return to global configuration mode.
Step 12  interface gigabitethernet0/1
         Enter interface configuration mode, and specify the ingress interface.
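Step 9 above gives a rate and a burst without showing what the pair does to real traffic. The following token-bucket model is an added example, not code from the Cisco guide, and it assumes a simplified single-bucket policer (burst-byte tokens of credit, refilled at rate-bps); the switch's internal policer may differ in granularity. It offers constructed packet streams to a policer configured like the guide's police 5000000 8192 exceed-action drop and counts conforming and exceeding packets, and it shows the remark form of exceed-action as well.

```python
"""Added example (not from the Cisco guide): a token-bucket model of
'police rate-bps burst-byte [exceed-action {drop | dscp dscp-value}]'.
Single-bucket behaviour is an assumption made for this example."""


class Policer:
    """Single token bucket: 'burst' bytes of credit, refilled at 'rate' bits/s."""

    def __init__(self, rate_bps, burst_bytes, exceed_action="drop"):
        self.rate_bytes_per_s = rate_bps / 8.0
        self.burst = float(burst_bytes)
        self.tokens = float(burst_bytes)    # bucket starts full
        self.last = 0.0
        self.exceed_action = exceed_action  # "drop" or an int DSCP to remark with

    def offer(self, now, size):
        """Return ('conform', None) or ('exceed', action) for one packet."""
        elapsed = now - self.last
        self.tokens = min(self.burst, self.tokens + elapsed * self.rate_bytes_per_s)
        self.last = now
        if size <= self.tokens:
            self.tokens -= size
            return "conform", None
        return "exceed", self.exceed_action  # exceeding packets earn no credit


def simulate(policer, n_packets, interval_s, size):
    """Offer n_packets of 'size' bytes, one every interval_s seconds,
    and return (conforming, exceeding) counts."""
    conform = exceed = 0
    for k in range(n_packets):
        verdict, _ = policer.offer(k * interval_s, size)
        if verdict == "conform":
            conform += 1
        else:
            exceed += 1
    return conform, exceed


if __name__ == "__main__":
    # Constructed inputs: 1500-byte packets at 10 Mb/s (one every 1.2 ms)
    # against the guide's 'police 5000000 8192 exceed-action drop'.
    print("10 Mb/s offered:", simulate(Policer(5_000_000, 8192), 833, 0.0012, 1500))
    # The same stream at exactly 5 Mb/s (one packet every 2.4 ms) all conforms.
    print("5 Mb/s offered: ", simulate(Policer(5_000_000, 8192), 417, 0.0024, 1500))
    # exceed-action dscp 8: a packet larger than the burst is remarked, not dropped.
    print("remark form:    ", Policer(5_000_000, 8192, exceed_action=8).offer(0.0, 9000))
```

Against the 10 Mb/s stream the first nine packets ride on the 8192-byte burst, after which the bucket only ever refills 750 bytes per packet and every second 1500-byte packet is dropped: 421 conform, 412 exceed over one second. The burst parameter therefore decides how large a transient the video class can send before the policer bites, which matters when the goal is to bound a source rather than merely shape it.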
Chapter 27 Configuring EtherChannels

This chapter describes how to configure EtherChannel on Layer 2 interfaces. EtherChannel provides fault-tolerant high-speed links between switches, routers, and servers. You can use it to increase the bandwidth between the wiring closets and the data center, and you can deploy it anywhere in the network where bottlenecks are likely to occur. EtherChannel provides automatic recovery for the loss of a link by redistributing the load across the remaining links.

Understanding EtherChannels

Figure 27-1 Typical EtherChannel Configuration (figure: a Catalyst 8500, 6000, 5500, or 4000 series switch connected over Gigabit EtherChannel to Catalyst 3550-12T switches, which connect over 1000BASE-X links to a Catalyst 2950G-24 switch serving workstations on 10/100 switched links)

Each EtherChannel can consist of up to eight compatibly configured Ethernet interfaces.

Figure 27-2 Relationship of Physical Ports, Logical Port Channels, and Channel Groups (figure: the 10/100 ports and GBIC module slots of a Catalyst 2950 are bound by channel groups to logical port-channel interfaces)

After you configure an EtherChannel, configur

PAgP Modes

Table 27-1 shows the user-configurable EtherChannel modes for the channel-group interface configuration command: on, auto, and desirable. Switch interfaces exchange PAgP packets only with partner interfaces configured in the auto or desirable modes; interfaces configured in the on mode do not exchange PAgP packets.

Physical Learners and Aggregate-Port Learners

Network devices are classified as PAgP physical learners or aggregate-port learners. A device is a physical learner if it learns addresses by physical ports and directs transmissions based on that knowledge. A device is an aggregate-port learner if it learns addresses by aggregate (logical) ports.

Use the option that provides the greatest variety in your configuration. For example, if the traffic on a channel is going only to a single MAC address, using the destination-MAC address always chooses the same link in the channel; using source addresses or IP addresses might result in better load balancing.
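The "greatest variety" guideline above is easy to check before choosing a port-channel load-balance method. The following script is an added example, not code from the Cisco guide: it takes a list of (source MAC, destination MAC) flows and shows how source-MAC and destination-MAC balancing spread them over the links. Link selection is modelled, as an assumption for this example, by the low-order bits of the chosen MAC address (one bit for two links, two for four, three for eight); the switch's actual hash may differ, but the conclusion that hashing on a single server address puts every flow on one link holds for any hash of that field. The flows are constructed: eight workstations all talking to one server.

```python
"""Added example (not from the Cisco guide): compare src-mac and dst-mac
EtherChannel load balancing for a set of flows. The low-order-bits link
selection below is an assumed model, not the switch's documented hash."""
from collections import Counter


def mac_to_int(mac):
    """Parse Cisco dotted format (0001.0000.0001) or colon format."""
    return int(mac.replace(".", "").replace(":", ""), 16)


def pick_link(mac, n_links):
    """Assumed model: the low-order bits of the MAC select the link."""
    if n_links not in (2, 4, 8):
        raise ValueError("this model covers EtherChannels of 2, 4 or 8 links")
    return mac_to_int(mac) & (n_links - 1)


def distribute(flows, method, n_links):
    """flows: iterable of (src_mac, dst_mac). Return Counter {link: flow count}."""
    if method not in ("src-mac", "dst-mac"):
        raise ValueError(method)
    field = 0 if method == "src-mac" else 1
    return Counter(pick_link(flow[field], n_links) for flow in flows)


def recommend(flows, n_links):
    """Return (method, distribution) for the method whose busiest link carries
    the fewest flows, which is what 'greatest variety' means in practice."""
    best = None
    for method in ("src-mac", "dst-mac"):
        dist = distribute(flows, method, n_links)
        worst = max(dist.values()) if dist else 0
        if best is None or worst < best[2]:
            best = (method, dist, worst)
    return best[0], best[1]


# Constructed sample: eight workstations, one server, four-link channel.
SERVER = "0000.0000.00aa"
WORKSTATIONS = [f"0000.0000.000{i}" for i in range(1, 9)]
FLOWS = [(ws, SERVER) for ws in WORKSTATIONS]

if __name__ == "__main__":
    for method in ("src-mac", "dst-mac"):
        print(method, dict(distribute(FLOWS, method, 4)))
    print("recommended:", recommend(FLOWS, 4)[0])
```

With destination-MAC balancing all eight flows select link 2 (the low bits of 00aa), so three of the four links carry nothing; with source-MAC balancing they spread two per link. Feed the script the MAC table of the switch that will own the channel (show mac-address-table) to make the decision on real addresses rather than on the constructed ones.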
Configuring EtherChannels

These sections describe how to configure EtherChannel interfaces:
• Default EtherChannel Configuration, page 27-7
• EtherChannel Configuration Guidelines, page 27-8
• Configuring Layer 2 EtherChannels, page 27-8
• Configuring EtherChannel Load Balancing, page 27-10
• Configuring the PAgP Learn Method and Priority, page 27-11

Note Make sure that the interfaces are correctly configured (see the “EtherChannel

EtherChannel Configuration Guidelines

If improperly configured, some EtherChannel interfaces are automatically disabled to avoid network loops and other problems. Follow these guidelines to avoid configuration problems:
• Configure an EtherChannel with up to eight Ethernet interfaces of the same type.

Note Do not configure a GigaStack GBIC port as part of an EtherChannel.

Beginning in privileged EXEC mode, follow these steps to assign a Layer 2 Ethernet interface to a Layer 2 EtherChannel:

Step 1  configure terminal
        Enter global configuration mode.
Step 2  interface interface-id
        Enter interface configuration mode, and specify a physical interface to configure. Valid interfaces include physical interfaces.

To remove an interface from the EtherChannel group, use the no channel-group interface configuration command. If you delete the EtherChannel by using the no interface port-channel global configuration command without removing the physical interfaces, the physical interfaces are shut down. If you do not want the member physical interfaces to shut down, remove the physical interfaces before deleting the EtherChannel.

Displaying EtherChannel and PAgP Status

Step 4  show etherchannel load-balance
        Verify your entries.
Step 5  copy running-config startup-config
        (Optional) Save your entries in the configuration file.

To return EtherChannel load balancing to the default configuration, use the no port-channel load-balance global configuration command.
Chapter 28 Troubleshooting

This chapter describes how to identify and resolve software problems related to the IOS software. Depending on the nature of the problem, you can use the command-line interface (CLI) or the Cluster Management Suite (CMS) to identify and solve problems. To identify and resolve problems with Cisco-approved Coarse Wavelength Division Multiplexing (CWDM) Gigabit Interface Converter (GBIC) modules, you must have the enhanced software image (EI) installed on your switch.
LRE Statistics

Table 28-1 Ethernet Port Statistics
Transmit
  Unicast Frames: The total number of well-formed unicast frames sent by a port. It excludes frames sent with errors or with multicast or broadcast destination addresses.
  Multicast Frames: The total number of well-formed multicast frames sent by a port. It excludes frames sent with errors or with unicast or broadcast destination addresses.

Table 28-1 Ethernet Port Statistics (continued)
Receive
  Multicast Frames: The total number of well-formed multicast frames received by a port. It excludes frames received with errors, with unicast or broadcast destination addresses, or with oversized or undersized frames. Also excluded are frames discarded or without a destination.
  Broadcast Frames: The total number of well-formed broadcast frames received by a port.

Table 28-2 LRE Link Statistics
  Upstream Bandwidth Usage: The percentage of the bandwidth used for upstream traffic, based on the current upstream rate and actual upstream speed of the LRE link.
  Downstream Bandwidth Usage: The percentage of the bandwidth used for downstream traffic, based on the current downstream rate and actual downstream speed of the LRE link.

Table 28-3 CPE Ethernet Link Statistics (continued)
  Transmit Late Collisions: The total number of frames discarded because of late collisions detected during transmission. It includes all transmitted frames that had a collision after the transmission of the frame's 64th byte. The preamble and SFD are not included in the frame's byte count.
  Excess Collisions: The total number of frames that failed to be sent after 16 collisions.
Using Recovery Procedures

These recovery procedures require that you have physical access to the switch:
• Recovering from Corrupted Software, page 28-6
• Recovering from a Lost or Forgotten Password, page 28-6
• Recovering from a Command Switch Failure, page 28-8
• Recovering from Lost Member Connectivity, page 28-11

Because the password recovery procedure bypasses every configured password, anyone with console access and control of the power cord can take over the switch; physical security of the switch is part of its access control.

Recovering from Corrupted Software

Switch software can be corrupted during an upgrade, by downloading the wrong file to the swit

Step 3  Unplug the switch power cord.
Step 4  Press the Mode button, and at the same time, reconnect the power cord to the switch. You can release the Mode button a second or two after the LED above port 1X goes off. Several lines of information about the software appear, as do instructions:
        The system has been interrupted prior to initializing the flash file system.

Step 13 Copy the configuration file into memory:
        switch# copy flash:config.text system:running-config
        Source filename [config.text]?
        Destination filename [running-config]?
        Press Return in response to the confirmation prompts. The configuration file is now reloaded, and you can use the normal commands to change the password.

Replacing a Failed Command Switch with a Cluster Member

To replace a failed command switch with a command-capable member in the same cluster, follow these steps:
Step 1  Disconnect the command switch from the member switches, and physically remove it from the cluster.
Step 2  Insert the member switch in place of the failed command switch, and duplicate its connections to the cluster members.
Step 3  Start a CLI session on the new command switch.

Step 11 Respond to the questions in the setup program. When prompted for the host name, recall that on a command switch the host name is limited to 28 characters, and on a member switch to 31 characters. Do not use -n, where n is a number, as the last characters in a host name for any switch.

        Basic management setup configures only enough connectivity for management of the system, extended setup will ask you to configure each interface on the system
        Would you like to enter basic management setup? [yes/no]:
Step 6  Enter Y at the first prompt.
Preventing Autonegotiation Mismatches

The IEEE 802.3 autonegotiation protocol manages the switch settings for speed (10 Mbps, 100 Mbps, and 1000 Mbps, excluding GBIC ports) and duplex (half or full). There are situations in which this protocol can incorrectly align these settings, reducing performance.
GBIC and SFP Module Security and Identification

Table 28-4 LRE Port Problems (continued)
Problem: High Reed-Solomon error count without CRC errors
Suspected Cause and Suggested Solution:
• The interleaver is helping Reed-Solomon error correction to function correctly in a noisy environment. This situation means that the system is on the verge of generating CRC errors.

Using Debug Commands

This section explains how you use debug commands to diagnose and resolve internetworking problems. It contains this information:
• Enabling Debugging on a Specific Feature, page 28-14
• Enabling All-System Diagnostics, page 28-15
• Redirecting Debug and Error Message Output, page 28-15

Caution Because debugging output is assigned high priority in the CPU process, it can render the system unusable.

Enabling All-System Diagnostics

Beginning in privileged EXEC mode, enter this command to enable all-system diagnostics:
Switch# debug all

Caution Because debugging output takes priority over other network traffic, and because the debug all privileged EXEC command generates more output than any other debug command, it can severely diminish switch performance or even render it unusable.

Using the crashinfo File

Each new crashinfo file that is created uses a sequence number that is larger than any previously existing sequence number, so the file with the largest sequence number describes the most recent failure. Sequence numbers are used instead of a timestamp because the switches do not include a real-time clock. You cannot change the name of the file that the system will use when it creates the file.
Appendix A Supported MIBs

This appendix lists the management information bases (MIBs) supported in this release.

Using FTP to Access the MIB Files

• CISCO-TCP-MIB
• CISCO-VLAN-MEMBERSHIP-MIB
• CISCO-VTP-MIB
• ENTITY-MIB
• IANAifType-MIB
• IF-MIB (RFC 1573)
• OLD-CISCO-CHASSIS-MIB
• OLD-CISCO-CPU-MIB
• OLD-CISCO-INTERFACES-MIB
• OLD-CISCO-IP-MIB
• OLD-CISCO-MEMORY-MIB
• OLD-CISCO-SYSTEM-MIB
• OLD-CISCO-TCP-MIB
• OLD-CISCO-TS-MIB
• RFC1213-MIB
• RFC1398-MIB
• RMON-MIB (RFC 1757)
• RS-232-MIB
• SNMPv2-MIB
• SNMPv2-SMI
• SNMPv2-TC
• TCP-MIB

Step 5  Change directories to wsc2900xl for a list of Catalyst 2900 XL MIBs.
Step 6  Use the get MIB_filename command to obtain a copy of the MIB file.

Note You can also access information about MIBs on the Cisco web site: http://www.cisco.com/public/sw-center/netmgmt/cmtk/mibs.
Appendix B Working with the IOS File System, Configuration Files, and Software Images

This appendix describes how to manipulate the Flash file system, how to copy configuration files, and how to archive (upload and download) software images.

Note For complete syntax and usage information for the commands used in this chapter, refer to the Catalyst 2950 LRE Command Reference for this release and the Cisco IOS Configuration Fundamentals Command Reference for Release 12.1.

Working with the Flash File System

Displaying Available File Systems

To display the available file systems on your switch, use the show file systems privileged EXEC command as shown in this example:

Switch# show file systems
File Systems:
(The output columns are Size(b), Free(b), Type, Flags and Prefixes; the values recovered from this page are sizes 16128000, 16128000 and 32768 with free space 11118592, 11118592 and 26363, types flash, unknown, nvram, network, opaque, opaque, opaque, opaque, network and network, and flags rw. Table B-1 describes the fields.)

Table B-1 show file systems Field Descriptions (continued)
Flags: Permission for file system. ro: read-only. rw: read/write. wo: write-only.
Prefixes: Alias for file system. bs: (read-only file system; stores the boot loader image). vb: (stores the boot environment variables). flash: (Flash file system). nvram: (NVRAM). null: (null destination for copies).

To display information about files on a file system, use one of the privileged EXEC commands in Table B-2:

Table B-2 Commands for Displaying Information About Files
dir [/all] [filesystem:][filename]
        Display a list of files on a file system.
show file systems
        Display more information about each of the files on a file system.

To delete a directory with all its files and subdirectories, use the delete /force /recursive filesystem:/file-url privileged EXEC command. Use the /recursive keyword to delete the named directory and all subdirectories and the files contained in it. Use the /force keyword to suppress the prompting that confirms a deletion of each file in the directory. You are prompted only once at the beginning of this deletion process.

Displaying the Contents of a tar File

To display the contents of a tar file on the screen, use this privileged EXEC command:
archive tar /table source-url
For source-url, specify the source URL alias for the local or network file system.
• For the Trivial File Transfer Protocol (TFTP), the syntax is tftp:[[//location]/directory]/tar-filename.tar

The tar-filename.tar is the tar file from which to extract files. For flash:/file-url, specify the location on the local Flash file system into which the tar file is extracted. You can also specify an optional list of files or directories within the tar file for extraction.

Working with Configuration Files

You can copy (upload) configuration files from the switch to a file server by using TFTP, FTP, or RCP. You might perform this task to back up a current configuration file to a server before changing its contents so that you can later restore the original configuration file from the server. The protocol you use depends on which type of server you are using. None of the three protocols encrypts the transfer, and a configuration file carries passwords, SNMP community strings, and other secrets, so move configuration files only across a trusted management network.

Note The copy {ftp: | rcp: | tftp:} system:running-config privileged EXEC command loads the configuration files on the switch as if you were entering the commands at the command line. The switch does not erase the existing running configuration before adding the commands.

Copying Configuration Files By Using TFTP

You can configure the switch by using configuration files you create, download from another switch, or download from a TFTP server. You can copy (upload) configuration files to a TFTP server for storage.

Downloading the Configuration File By Using TFTP

To configure the switch by using a configuration file downloaded from a TFTP server, follow these steps:
Step 1  Copy the configuration file to the appropriate TFTP directory on the workstation.

Copying Configuration Files By Using FTP

You can copy configuration files to or from an FTP server. The FTP protocol requires a client to send a remote username and password on each FTP request to a server. FTP sends that username and password in cleartext, so they are visible to anyone who can capture traffic between the switch and the server.

NVRAM. If you are accessing the switch through a Telnet session and you have a valid username, this username is used, and you do not need to set the FTP username. Include the username in the copy command if you want to specify a username for only that copy operation.

Switch# copy ftp: nvram:startup-config
Address of remote host [255.255.255.255]? 172.16.101.101
Name of configuration file[rtr2-confg]? host2-confg
Configure using host2-confg from 172.16.101.101?[confirm]
Connected to 172.16.101.101
Loading 1112 byte file host2-confg:![OK]
[OK]
Switch#
%SYS-5-CONFIG_NV:Non-volatile store configured from host2-config by ftp from 172.16.101.

This example shows how to store a startup configuration file on a server by using FTP to copy the file:

Switch# configure terminal
Switch(config)# ip ftp username netadmin2
Switch(config)# ip ftp password mypass
Switch(config)# end
Switch# copy nvram:startup-config ftp:
Remote host[]? 172.16.101.

The ip ftp password command stores the password in the configuration; it appears in cleartext in show running-config unless service password-encryption is enabled, and even then only in the reversible type 7 encoding. Remove the command after the copy if the password should not persist on the switch.

Preparing to Download or Upload a Configuration File By Using RCP

Before you begin downloading or uploading a configuration file by using RCP, do these tasks:
• Ensure that the workstation acting as the RCP server supports the remote shell (rsh).
• Ensure that the switch has a route to the RCP server.

RCP authenticates the switch only by its source IP address and the remote username (through the server's .rhosts or hosts.equiv trust); no password is exchanged, so any host able to spoof the switch's address is trusted by the server in the same way.

Step 5  end
        Return to privileged EXEC mode.
Step 6  copy rcp:[[[//[username@]location]/directory]/filename] system:running-config
        Using RCP, copy the configuration file from a network server to the running configuration or to the startup configuration file.

Step 4  ip rcmd remote-username username
        (Optional) Specify the remote username.
Step 5  end
        Return to privileged EXEC mode.
Step 6  copy system:running-config rcp:[[[//[username@]location]/directory]/filename]
        Using RCP, copy the configuration file from a switch running or startup configuration file to a network server.

Deleting a Stored Configuration File

To delete a saved configuration from Flash memory, use the delete flash:filename privileged EXEC command. Depending on the setting of the file prompt global configuration command, you might be prompted for confirmation before you delete a file. By default, the switch prompts for confirmation on destructive file operations.
Working with Software Images

tar File Format of Images on a Server or Cisco.com

Software images located on a server or downloaded from Cisco.com are provided in a tar file format, which contains these files:
• info file
  The info file is always at the beginning of the tar file and contains information about the files within it.

Copying Image Files By Using TFTP

You can download a switch image from a TFTP server or upload the image from the switch to a TFTP server. You download a switch image file from a server to upgrade the switch software. You can overwrite the current image with the new one or keep the current image after a download.

Downloading an Image File By Using TFTP

You can download a new image file and replace the current image or keep the current image. Beginning in privileged EXEC mode, follow Steps 1 through 3 to download a new image from a TFTP server and overwrite the existing image. To keep the current image, skip Step 3.

Note If the Flash device has sufficient space to hold two images and you want to overwrite one of these images with the same version, you must specify the /overwrite option. However, the 2950 LRE only supports one complete set of IOS, HTML, and LRE binary files, and one IOS binary on the flash. You cannot have two complete sets of images with the 2950 LRE.

Caution For the download and upload algorithms to operate properly, do not rename image names.

Copying Image Files By Using FTP

You can download a switch image from an FTP server or upload the image from the switch to an FTP server. You download a switch image file from a server to upgrade the switch software.

Before you begin downloading or uploading an image file by using FTP, do these tasks:
• Ensure that the switch has a route to the FTP server. The switch and the FTP server must be in the same subnetwork if you do not have a router to route traffic between subnets. Check connectivity to the FTP server by using the ping command.

Step 7  archive download-sw /overwrite /reload ftp:[[//username[:password]@location]/directory]/image-name.tar
        Download the image file from the FTP server to the switch, and overwrite the current image.
        • The /overwrite option overwrites the software image in Flash with the downloaded image.

The algorithm installs the downloaded image onto the system board Flash device (flash:). The image is placed into a new directory named with the software version string, and the BOOT environment variable is updated to point to the newly installed image.

The archive upload-sw command builds an image file on the server by uploading these files in order: info, the IOS image, the HTML files, and info.ver. After these files are uploaded, the upload algorithm creates the tar file format.

Caution For the download and upload algorithms to operate properly, do not rename image names.
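The appendix describes the layout the download and upload algorithms rely on (info first, then the IOS image, the HTML files and info.ver) and warns against renaming the image, but it gives no way to confirm, before running archive download-sw, that the tar an operator has on a server is what it should be. The following script is an added example, not code from the Cisco guide or from Cisco: it builds a constructed stand-in for an image tar with Python's tarfile module (the member contents are placeholders; only the member names and order imitate the described layout) and then inspects a tar the way archive tar /table would, checking member order, that exactly one IOS image is present, and that the image's SHA-256 matches a checksum obtained out of band. Comparing against a checksum published alongside the image is the practice assumed here; the page itself does not mention one.

```python
"""Added example (not from the Cisco guide): build a constructed image tar
and verify its layout and image digest before handing it to the switch."""
import hashlib
import io
import tarfile


def _add(tar, name, data):
    info = tarfile.TarInfo(name)
    info.size = len(data)
    tar.addfile(info, io.BytesIO(data))


def build_sample_image_tar(image_name="c2950-i6q4l2-mz.121-11.EA1.bin", info_first=True):
    """Constructed stand-in for a Cisco.com image tar: info, the IOS image,
    HTML files and info.ver in that order. Contents are placeholders."""
    members = [
        ("info", b"placeholder info file\n"),
        (image_name, b"\x00" * 4096),          # fake IOS binary
        ("html/homepage.htm", b"<html></html>\n"),
        ("info.ver", b"placeholder info.ver\n"),
    ]
    if not info_first:                          # deliberately broken layout
        members.append(members.pop(0))
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for name, data in members:
            _add(tar, name, data)
    return buf.getvalue()


def inspect_image_tar(data, expected_sha256=None):
    """Return (problems, report). Mirrors 'archive tar /table' and adds the
    checks worth making before 'archive download-sw'."""
    problems = []
    with tarfile.open(fileobj=io.BytesIO(data), mode="r") as tar:
        members = tar.getmembers()
        names = [m.name for m in members]
        if not names or names[0] != "info":
            problems.append("info file is not the first member of the tar")
        bins = [m for m in members if m.name.endswith(".bin")]
        if len(bins) != 1:
            problems.append(f"expected exactly one IOS image (.bin), found {len(bins)}")
        if "info.ver" not in names:
            problems.append("info.ver is missing")
        digest = None
        if len(bins) == 1:
            digest = hashlib.sha256(tar.extractfile(bins[0]).read()).hexdigest()
            if expected_sha256 and digest != expected_sha256:
                problems.append("image digest does not match the published checksum")
    image = bins[0].name if len(bins) == 1 else None
    return problems, {"members": names, "image": image, "sha256": digest}


if __name__ == "__main__":
    good = build_sample_image_tar()
    print(inspect_image_tar(good))
    print(inspect_image_tar(build_sample_image_tar(info_first=False))[0])
```

Run the inspection on the server side, against the file the TFTP, FTP or RCP daemon will serve, since all three protocols hand the switch whatever sits in that directory without any integrity check of their own; the image name reported by the script is also the name that must stay unchanged for the caution above to be satisfied.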
For the RCP copy request to execute successfully, an account must be defined on the network server for the remote username. If the server has a directory structure, the image file is written to or copied from the directory associated with the remote username on the server.

Step 5  end
        Return to privileged EXEC mode.
Step 6  archive download-sw /overwrite /reload rcp:[[[//[username@]location]/directory]/image-name.tar]
        Download the image file from the RCP server to the switch, and overwrite the current image.
Step 7  archive download-sw /leave-old-sw /reload rcp:[[[//[username@]location]/directory]/image-name.

If you specify /leave-old-sw, the existing files are not removed. If there is not enough room to install the new image and keep the running image, the download process stops, and an error message is displayed. The algorithm installs the downloaded image onto the system board Flash device (flash:).

Step 5  end
        Return to privileged EXEC mode.
Step 6  archive upload-sw rcp:[[[//[username@]location]/directory]/image-name.tar]
        Upload the currently running switch image to the RCP server.
        • For //username, specify the username; for the RCP copy request to execute, an account must be defined on the network server for the remote username.
Index RMON 22-3 lease options RSPAN 21-8 for IP address information RSTP and MSTP for receiving the configuration file 12-12 SNMP 24-6 overview SPAN 21-8 relationship to BOOTP STP system message logging system name and prompt TACACS+ 4-3 4-3 Differentiated Services Code Point 23-3 digital telephone networks 7-48 changing VLAN, Layer 2 Ethernet interfaces VLANs 14-8 VMPS 14-27 1-2 14-17 B-4 creating and removing B-4 displaying the working B-4 See automatic discovery 16-2
Index using FTP B-26 error checking, CMS using RCP B-30 error messages using TFTP DSCP during command entry B-23 severity levels 26-26 duplex mode automatic creation of 10-7 CPE Ethernet link dynamic access mode default configuration 9-11 configuring 27-8 27-7 destination MAC address forwarding 3-10 dynamic access ports characteristics 27-3 configuration guidelines 10-7 duplex mode, configuring displaying status 27-5, 27-10 interaction 14-29 with STP dynamic addresses 27-8
Index ETSI file system 1-2 European Telecommunication Standards Institute displaying file information See ETSI events, RMON local file system names 22-3 examples network configuration Expand Cluster view expert mode setting the default xxviii Flash device, number of flow control 14-12, 14-13 defined 14-1 MSTP STP 9-14 12-20 11-6, 11-19 forwarding 12-14 See broadcast storm control 11-4, 11-12 Extensible Authentication Protocol over LAN 8-1 Front Panel images, CMS Front Panel view clu
Index disabling G 2-7 recalling commands GBICs 2-6 history table, level and number of syslog messages 1000BASE-LX/LH module 1-10 1000BASE-SX module 1-10 1000BASE-ZX module 1-10 CWDM module host name list, CMS abbreviations appended to in clusters 1-9 28-13 HP OpenView get-bulk-request operation 24-3 get-next-request operation 24-3, 24-4 14-31 1-7 HSRP automatic cluster recovery 24-3, 24-4 get-response operation 6-23 6-16 hosts, limit on dynamic ports security and identification
Index configuration service described number 5-1 event service described interface 5-2 range macros 5-3 IEEE 802.
Index extended, creating 25-10 for QoS classification implicit deny L 26-16 Layer 2 frames, classification with CoS 25-9, 25-13, 25-15 implicit masks Layer 2 interfaces, default configuration 25-9 management interfaces, applying to named Layer 2 trunks 25-20 physical interfaces, applying to standard, creating undefined 25-21 25-9 virtual terminal lines, setting on Layer 4 parameters of ACEs 25-10 26-2 5-2 17-9 LEDs candidate or member cluster access discovering port 6-4, 6-15 RPS
Index troubleshooting table of 28-12 LRE link monitor 10-3 See also LRE ports and CPE LRE profiles, considerations in switch clusters 10-14 persistence lre shutdown command 10-14 LRE links 10-5 LRE switch See LRE ports upgrading firmware 10-15 LRE switch firmware upgrade LRE ports configuring LRE technology 10-1, 10-5 assigning a global sequence 10-10 assigning a private profile 10-9 assigning a public profile 10-1 M 10-8 assigning the default profile 10-9 MAC addresses CPE E
Index management VLAN changing MIBs accessing files with FTP 6-18 considerations in switch clusters location of files 6-8, 6-9, 6-18 discovery through different management VLANs discovery through same management VLAN IP address 6-9 6-8 A-2 24-1 SNMP interaction with supported 6-18 MANs 1-20 long-distance, high-bandwidth transport configuration example 1-20 mapping tables for QoS configuring DSCP 26-26 28-12 3-9 3-31 3-8 Modify button 3-30 access groups maximum hop count, MSTP 12-21
Index described operations within a region 12-10 BPDU filtering loop guard described 13-3 described enabling 13-16 enabling BPDU guard 13-3 enabling 13-15 CIST, described 13-20 CIST 12-8 configuring 12-8 described 12-12 configuring 12-13 12-7 hop-count mechanism forward-delay time hello time IST 12-20 link type for rapid convergence maximum aging time 12-21 described 13-2 enabling 13-14 described 12-14 secondary root switch enabling 12-16 13-12 13-19 root switch 12-
Index See Cisco LRE POTS Splitter (PS-1M-LRE-48) MVR configuring interfaces default configuration described modes nontrunking mode 17-17 normal-range VLANs 17-15 configuration modes 17-13 defined 17-17 monitoring 14-16 NSM 17-19 setting global parameters 14-6 14-1 5-3 NTP 17-16 associations authenticating N defined named IP ACLs peer 7-38 default configuration native VLAN overview 14-20 negotiate trunk mode 7-43 7-34 restricting access 3-10 neighboring devices, types of
Index passwords POP default configuration 7-2 disabling recovery of 7-5 encrypting 7-4 in clusters 6-16, 6-20 in CMS Port Aggregation Protocol See EtherChannel See PAgP port-based authentication authentication server 3-30 overview defined 7-1 recovery of client, defined enable Telnet quiet period 7-7 8-11 8-11 RADIUS server 15-8 8-10 RADIUS server parameters on the switch 1-16 path cost 8-9 switch-to-client frame-retransmission number MSTP switch-to-client retransmission tim
Index port-channel See also CPE See EtherChannel See also LRE ports Port Fast port scheduling described 13-2 enabling 13-14 port security aging mode, spanning tree support for described 3-7 port LEDs violations 3-9 port modes SPEED POTS splitters port membership modes, VLAN 3-9, 14-3 port modes homologated 1-16 POTS telephones port pop-up menu, Front Panel view port priority 3-21 precedence 10-11 preventing unauthorized access port profile, locking overriding CoS 802.
Index CMS 3-31 Q command switch exiting 6-25 QoS 7-10 logging into basic model 7-10 mapping on member switches overview 6-25 setting a command with defined 7-8 profile acquisition, automatic 10-10 in frames and packets 26-3 26-5 MAC ACLs, described considerations assigning 10-9 10-2 policy maps, described 26-6 port default, described 26-4 trust DSCP, described 26-5 trusted boundary, described private assigning trusted CoS, described 10-9 types for IP traffic public assignin
Index ingress port scheduling IP phones, detection and trusted settings mapping tables 26-26 26-5 marking, described default configuration 7-20 7-25 26-4, 26-6 displaying the configuration 7-31 26-15 in clusters described 6-17 method list, defined 26-23 operation of 26-6 number of overview 26-7 7-27 7-20 7-19 7-18 suggested network environments 26-6 policing, described 26-3, 26-6 policy maps tracking services accessed by user 7-18 7-28 range characteristics of configuring d
Index read-only access mode 1757, RMON 3-31 read-write access mode 1901, SNMPv2C 3-31 reconfirmation interval, VMPS, changing recovery procedures 14-30 default configuration backbone displaying status 11-8 multidrop backbone path cost overview 14-21 22-2 22-1 collecting group Ethernet redundant links and UplinkFast collecting group history 13-17 redundant power system described 13-19 support for 7-61 Remote Authentication Dial-In User Service See RADIUS STP Remote Copy Protocol
Index removing source (monitored) ports specifying monitored ports source ports 21-17 See SSH 21-15 security, port 21-4 transmitted traffic VLAN-based Secure Shell 18-4 sequence numbers in log messages 21-4 21-6 RSTP active topology, determining sequences 10-4 table of 10-4 23-8 sequences, LRE 12-2 BPDU global format assigning 12-5 processing specific port 12-6 configuration guidelines 12-12 designated port, defined 12-2 designated switch, defined assigning servers, BOOTP
Index SNAP versions supported 20-1 SNMP snooping, IGMP accessing MIB variables with 24-2 17-1 SNR 24-4 agent definition of 10-12 described 24-3 downstream rate requirements disabling 24-7 margins community strings configuring releases 24-4 LRE 24-4 default configuration upgrading 24-6 7-61 7-61 See also release notes software, VLAN considerations 6-16 informs 15-8 software images and trap keyword described location in Flash 24-10 enabling manager functions source addre
Index source ports LRE link 21-4 transmitted traffic VLAN-based port 21-4 21-6 spanning tree and native VLANs 14-17 Spanning Tree Protocol 28-2 QoS ingress and egress 26-28 RMON group Ethernet 22-5 RMON group history speed, configuring on interfaces speed, setting VTP 9-11 15-16 change notification configuring sticky learning 7-33 displaying settings described 7-33 Stack Membership Discovery Protocol 13-6 Standby Command Configuration window defined 6-2 priority 6-12 displ
Index enabling redundant connectivity 13-18 default configuration root guard 11-10 default optional feature configuration designated port, defined 13-19 11-3 root switch 13-10 affects of extended system ID displaying status configuring 11-21 extended system ID election affects on root switch 11-14 11-3 11-13 settings in a cascaded stack unexpected behavior features supported superior BPDU 11-13 11-3 timers, described 11-3 13-2 interface states UplinkFast described 13-4 11-7 en
Index displaying the time and date overview authorization, defined 7-44 configuring 7-34 See also NTP accounting default configuration authorization 23-3 defining error message severity levels 7-13 identifying the server level keywords, described limiting messages in clusters 23-12 7-17 7-13 6-17 limiting the services to the user 23-9 operation of 23-10 overview 23-2 7-16 7-12 7-10 tracking services accessed by user 23-1 sequence numbers, enabling and disabling setting the dis
Index limiting access by servers troubleshooting 24-13 time See NTP and system clock detecting unidirectional links 19-1 displaying crash information 28-15 time-range command 25-15 GBIC security and identification time ranges in ACLs 25-15 LRE ports timestamps in log messages time zones statistics 23-7 Token Ring VLANs support for ports 28-2 24-4 with debug commands 23-1 trunk ports Collapse Cluster view described 28-14 with system message logging 3-26 Topology view configuring
Index neighbor database overview user EXEC mode 19-2 username-based authentication 19-1 resetting an interface status, displaying 19-6 V 8-4 UniDirectional Link Detection protocol verifying changes in CMS See UDLD 3-32 version-dependent transparent mode UNIX syslog servers facilities supported 23-11 cluster standby group 23-12 command switch message logging configuration 23-11 6-13, 6-23 6-13, 6-23 See also IP addresses unrecognized Type-Length-Value (TLV) support 10-15 15-4 vlan.
Index configuration options configuring mapping MAC addresses to VLANs 14-6 monitoring 14-1 configuring IDs 1006 to 4094 creating in config-vlan mode reconfirming membership 14-9 creating in VLAN configuration mode default configuration deleting 14-9 9-3, 14-1 displaying 14-14 configuration guidelines limiting source traffic with SPAN 21-19 21-13 monitoring with RSPAN 21-18 monitoring with SPAN native, configuring 21-12 802.
Index server mode transparent mode consistency checks default configuration described 15-1 disabling 15-12 See WRR 15-12 window components, CMS 15-4 wizards 15-6 3-28 3-26 WRR domain names domains Weighted Round Robin 15-9 configuring defining 15-8 26-8 description 15-2 26-27 26-8 modes client 15-3, 15-11 server 15-3, 15-9 transitions 15-3 transparent monitoring X XMODEM protocol 28-6 15-3, 15-12 15-16 passwords 15-8 pruning disabling 15-14 enabling 15-14 examples 1