Catalyst 2950 Desktop Switch Software Configuration Guide
Cisco IOS Release 12.1(11)EA1
August 2002
Corporate Headquarters: Cisco Systems, Inc., 170 West Tasman Drive, San Jose, CA 95134-1706 USA, http://www.cisco.
THE SPECIFICATIONS AND INFORMATION REGARDING THE PRODUCTS IN THIS MANUAL ARE SUBJECT TO CHANGE WITHOUT NOTICE. ALL STATEMENTS, INFORMATION, AND RECOMMENDATIONS IN THIS MANUAL ARE BELIEVED TO BE ACCURATE BUT ARE PRESENTED WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED. USERS MUST TAKE FULL RESPONSIBILITY FOR THEIR APPLICATION OF ANY PRODUCTS.
Contents
Preface xxiii Audience xxiii Purpose xxiii Organization xxiv Conventions xxvi Related Publications xxvii Obtaining Documentation xxvii World Wide Web xxvii Documentation CD-ROM xxviii Ordering Documentation xxviii Documentation Feedback xxviii Obtaining Technical Assistance xxviii Cisco.
CHAPTER 2 Using the Command-Line Interface 2-1 IOS Command Modes 2-1 Getting Help 2-3 Abbreviating Commands 2-3 Using no and default Forms of Commands 2-4 Understanding CLI Messages 2-4 Using Command History 2-5 Changing the Command History Buffer Size 2-5 Recalling Commands 2-5 Disabling the Command History Feature 2-6 Using Editing Features 2-6 Enabling and Disabling Editing Features 2-6 Editing Commands through Keystrokes 2-7 Editing Command Lines that Wrap 2-8 Searching and Filterin
Topology View Popup Menus 3-21 Link Popup Menu 3-21 Device Popup Menus 3-22 Interaction Modes 3-23 Guide Mode 3-24 Expert Mode 3-24 Wizards 3-24 Tool Tips 3-25 Online Help 3-25 CMS Window Components 3-26 Host Name List 3-26 Tabs, Lists, and Tables 3-27 Icons Used in Windows 3-27 Buttons 3-27 Accessing CMS 3-28 Access Modes in CMS 3-29 HTTP Access to CMS 3-29 Verifying Your Changes 3-30 Change Notification 3-30 Error Checking 3-30 Saving Your Configuration Restoring Your Configuration CMS Prefe
Manually Assigning IP Information 4-10 Checking and Saving the Running Configuration 4-10 CHAPTER 5 Configuring IE2100 CNS Agents 5-1 Understanding IE2100 Series Configuration Registrar Software 5-1 CNS Configuration Service 5-2 CNS Event Service 5-3 NameSpace Mapper 5-3 What You Should Know About ConfigID, DeviceID, and Host Name 5-3 ConfigID 5-3 DeviceID 5-4 Host Name and DeviceID 5-4 Using Host Name, DeviceID, and ConfigID 5-4 Understanding CNS Embedded Agents 5-5 Initial Configuratio
HSRP and Standby Command Switches 6-13 Virtual IP Addresses 6-14 Other Considerations for Cluster Standby Groups 6-14 Automatic Recovery of Cluster Configuration 6-16 IP Addresses 6-16 Host Names 6-17 Passwords 6-17 SNMP Community Strings 6-17 TACACS+ and RADIUS 6-18 Access Modes in CMS 6-18 Management VLAN 6-19 LRE Profiles 6-19 Availability of Switch-Specific Features in Switch Clusters 6-20 Creating a Switch Cluster 6-20 Enabling a Command Switch 6-20 Adding Member Switches 6-21 Creating a Clus
Configuring TACACS+ 7-11 Default TACACS+ Configuration 7-12 Identifying the TACACS+ Server Host and Setting the Authentication Key 7-12 Configuring TACACS+ Login Authentication 7-13 Configuring TACACS+ Authorization for Privileged EXEC Access and Network Services 7-15 Starting TACACS+ Accounting 7-16 Displaying the TACACS+ Configuration 7-16 Controlling Switch Access with RADIUS 7-17 Understanding RADIUS 7-17 RADIUS Operation 7-18 Configuring RADIUS 7-19 Default RADIUS Configuration 7-19 Identif
Configuring a System Name and Prompt 7-46 Default System Name and Prompt Configuration 7-46 Configuring a System Name 7-46 Configuring a System Prompt 7-47 Understanding DNS 7-47 Default DNS Configuration 7-48 Setting Up DNS 7-48 Displaying the DNS Configuration 7-49 Creating a Banner 7-49 Default Banner Configuration 7-49 Configuring a Message-of-the-Day Login Banner 7-50 Configuring a Login Banner 7-51 Managing the MAC Address Table 7-52 Building the Address Table 7-52 MAC Addresses and VLANs
Setting the Switch-to-Client Frame-Retransmission Number 8-13 Enabling Multiple Hosts 8-13 Resetting the 802.1X Configuration to the Default Values 8-14 Displaying 802.
Spanning-Tree Interface States 10-5 Blocking State 10-7 Listening State 10-7 Learning State 10-7 Forwarding State 10-7 Disabled State 10-8 Spanning-Tree Address Management 10-8 STP and IEEE 802.
Hop Count 11-10 Boundary Ports 11-10 Interoperability with 802.
Enabling UplinkFast for Use with Redundant Links 12-17 Enabling Cross-Stack UplinkFast 12-18 Enabling BackboneFast 12-19 Enabling Root Guard 12-19 Enabling Loop Guard 12-20 Displaying the Spanning-Tree Status 12-21 CHAPTER 13 Configuring VLANs 13-1 Understanding VLANs 13-1 Supported VLANs 13-2 VLAN Port Membership Modes 13-3 Configuring Normal-Range VLANs 13-4 Token Ring VLANs 13-5 Normal-Range VLAN Configuration Guidelines 13-5 VLAN Configuration Mode Options 13-6 VLAN Configuration in c
Load Sharing Using STP 13-21 Load Sharing Using STP Port Priorities 13-21 Load Sharing Using STP Path Cost 13-23 Configuring VMPS 13-24 Understanding VMPS 13-25 Dynamic Port VLAN Membership 13-25 VMPS Database Configuration File 13-26 Default VMPS Configuration 13-27 VMPS Configuration Guidelines 13-28 Configuring the VMPS Client 13-28 Entering the IP Address of the VMPS 13-28 Configuring Dynamic Access Ports on VMPS Clients 13-29 Reconfirming VLAN Memberships 13-30 Changing the Reconfirmation Int
Disabling VTP (VTP Transparent Mode) 14-12 Enabling VTP Version 2 14-13 Enabling VTP Pruning 14-14 Adding a VTP Client Switch to a VTP Domain 14-15 Monitoring VTP 14-16 CHAPTER 15 Configuring Voice VLAN 15-1 Understanding Voice VLAN 15-1 Configuring Voice VLAN 15-2 Default Voice VLAN Configuration 15-2 Voice VLAN Configuration Guidelines 15-3 Configuring a Port to Connect to a Cisco 7960 IP Phone 15-3 Configuring Ports to Carry Voice Traffic in 802.
Displaying MVR Information 16-18 Configuring IGMP Filtering 16-19 Default IGMP Filtering Configuration 16-19 Configuring IGMP Profiles 16-20 Applying IGMP Profiles 16-21 Setting the Maximum Number of IGMP Groups 16-22 Displaying IGMP Filtering Configuration 16 CHAPTER 17 Configuring Port-Based Traffic Control Configuring Storm Control 17-1 Understanding Storm Control 17-1 Default Storm Control Configuration Enabling Storm Control 17-2 Disabling Storm Control 17-3 Configuring Protected Ports
CHAPTER 19 Configuring CDP 19-1 Understanding CDP 19-1 Configuring CDP 19-2 Default CDP Configuration 19-2 Configuring the CDP Characteristics 19-2 Disabling and Enabling CDP 19-3 Disabling and Enabling CDP on an Interface 19-4 Monitoring and Maintaining CDP 19-5 CHAPTER 20 Configuring SPAN and RSPAN 20-1 Understanding SPAN and RSPAN 20-1 SPAN and RSPAN Concepts and Terminology 20-3 SPAN Session 20-3 Traffic Types 20-3 Source Port 20-4 Destination Port 20-4 Reflector Port 20-4 SPAN Tr
CHAPTER 21 Configuring RMON 21-1 Understanding RMON 21-1 Configuring RMON 21-2 Default RMON Configuration 21-3 Configuring RMON Alarms and Events 21-3 Configuring RMON Collection on an Interface 21-5 Displaying RMON Status 21-6 CHAPTER 22 Configuring System Message Logging 22-1 Understanding System Message Logging 22-1 Configuring System Message Logging 22-2 System Log Message Format 22-2 Default System Message Logging Configuration 22-3 Disabling and Enabling Message Logging 22-4 S
Configuring SNMP Groups and Users 23-8 Configuring SNMP Notifications 23-10 Setting the Agent Contact and Location Information 23-13 Limiting TFTP Servers Used Through SNMP 23-13 SNMP Examples 23-14 Displaying SNMP Status 23-15 CHAPTER 24 Configuring Network Security with ACLs 24-1 Understanding ACLs 24-2 Handling Fragmented and Unfragmented Traffic 24-3 Understanding Access Control Parameters 24-4 Guidelines for Applying ACLs to Physical Interfaces 24-6 Configuring ACLs 24-6 Unsupported Fe
CHAPTER 25 Configuring QoS 25-1 Understanding QoS 25-2 Basic QoS Model 25-3 Classification 25-4 Classification Based on QoS ACLs 25-5 Classification Based on Class Maps and Policy Maps 25-6 Policing and Marking 25-6 Mapping Tables 25-7 Queueing and Scheduling 25-7 How Class of Service Works 25-7 Port Priority 25-8 Port Scheduling 25-8 CoS and WRR 25-8 Configuring QoS 25-9 Default QoS Configuration 25-9 Configuration Guidelines 25-10 Configuring Classification Using Port Trust States 25-10 Co
CHAPTER 26 Configuring EtherChannels 26-1 Understanding EtherChannels 26-1 Understanding Port-Channel Interfaces 26-2 Understanding the Port Aggregation Protocol 26-3 PAgP Modes 26-4 Physical Learners and Aggregate-Port Learners 26-5 PAgP Interaction with Other Features 26-5 Understanding Load Balancing and Forwarding Methods 26-5 Configuring EtherChannels 26-7 Default EtherChannel Configuration 26-7 EtherChannel Configuration Guidelines 26-8 Configuring Layer 2 EtherChannels 26-8 Configuring
Contents Catalyst 2950 Desktop Switch Software Configuration Guide xxii 78-11380-05
Preface
Audience
The Catalyst 2950 Desktop Switch Software Configuration Guide is for the network manager responsible for configuring the Catalyst 2950 switches, hereafter referred to as the switches. Before using this guide, you should be familiar with the concepts and terminology of Ethernet and local area networking.
Purpose
This guide provides information about configuring and troubleshooting a switch or switch clusters.
• Cluster Management Suite (CMS) information—This guide provides an overview of the CMS web-based, switch management interface. For information about CMS requirements and the procedures for browser and plug-in configuration and accessing CMS, refer to the release notes. For CMS field-level window descriptions and procedures, refer to the CMS online help.
• Cluster configuration—This guide provides information about planning for, creating, and maintaining switch clusters.
Chapter 7, “Administering the Switch,” describes how to perform one-time operations to administer your switch. It describes how to prevent unauthorized access to your switch through the use of passwords, privilege levels, the Terminal Access Controller Access Control System Plus (TACACS+), and the Remote Authentication Dial-In User Service (RADIUS).
Chapter 22, “Configuring System Message Logging,” describes how to configure system message logging. It describes the message format and how to change the message display destination device, limit the type of messages sent, configure the UNIX server syslog daemon, and define the UNIX system logging facility and timestamp messages.
Chapter 23, “Configuring SNMP,” describes how to configure the Simple Network Management Protocol (SNMP).
Tip Means the following will help you solve a problem. The tips information might not be troubleshooting or even an action, but could be useful information.
Related Publications
These documents provide complete information about the switch and are available from this Cisco.com site: http://www.cisco.com/univercd/cc/td/doc/product/lan/cat2950/index.htm You can order printed copies of documents with a DOC-xxxxxx= number from the Cisco.
Documentation CD-ROM
Cisco documentation and additional literature are available in a Cisco Documentation CD-ROM package, which is shipped with your product. The Documentation CD-ROM is updated monthly and may be more current than printed documentation. The CD-ROM package is available as a single unit or through an annual subscription.
Ordering Documentation
You can order Cisco documentation in these ways: • Registered Cisco.
Cisco.com
Cisco.com is the foundation of a suite of interactive, networked services that provides immediate, open access to Cisco information, networking solutions, services, programs, and resources at any time, from anywhere in the world. Cisco.
If you are a Cisco.com registered user, and you cannot resolve your technical issues by using the Cisco TAC Web Site, you can open a case online by using the TAC Case Open tool at this URL: http://www.cisco.com/tac/caseopen If you have Internet access, we recommend that you open P3 and P4 cases through the Cisco TAC Web Site.
Cisco TAC Escalation Center
The Cisco TAC Escalation Center addresses priority level 1 or priority level 2 issues.
Chapter 1 Overview
This chapter provides these topics about the Catalyst 2950 switch software: • Features, page 1-1 • Management Options, page 1-5 • Network Configuration Examples, page 1-7 • Where to Go Next, page 1-17
Features
The Catalyst 2950 software supports the switches listed in the “Purpose” section on page xxiii and in the release notes.
Performance • Autosensing of speed on the 10/100 and 10/100/1000 ports and autonegotiation of duplex mode on the 10/100 ports for optimizing bandwidth • IEEE 802.3X flow control on Gigabit Ethernet ports operating in full-duplex mode • Fast EtherChannel and Gigabit EtherChannel for enhanced fault tolerance and for providing up to 2 Gbps of bandwidth between switches, routers, and servers • Support for frames larger than 1500 bytes.
• In-band management access through up to 16 simultaneous Telnet connections for multiple command-line interface (CLI)-based sessions over the network • In-band management access through Simple Network Management Protocol (SNMP) versions 1, 2c, and 3 get and set requests • Out-of-band management access through the switch console port to a directly-attached terminal or to a remote terminal through a serial connection and a modem Note For additional descriptions of the man
• The switch supports up to 4094 VLAN IDs to allow service provider networks to support the number of VLANs allowed by the IEEE 802.1Q standard (available only with the EI) • IEEE 802.
• Policing – Traffic-policing policies on the switch port for allocating the amount of the port bandwidth to a specific traffic flow – Policing traffic flows to restrict specific applications or traffic flows to metered, predefined rates – Up to 60 policers on ingress Gigabit-capable Ethernet ports – Up to six policers on ingress 10/100 ports – Granularity of 1 Mbps on 10/100 ports and 8 Mbps on 10/100/1000 ports – Out-of-profile markdown for packets that exceed bandw
Management Interface Options
You can configure and monitor individual switches and switch clusters by using these interfaces: • CMS—CMS is a graphical user interface that can be launched from anywhere in your network through a web browser such as Netscape Communicator or Microsoft Internet Explorer. CMS is already installed on the switch. Using CMS, you can configure and monitor a standalone switch, a specific cluster member, or an entire switch cluster.
• Apply actions from CMS to multiple ports and multiple switches at the same time to avoid re-entering the same commands for each individual port or switch.
Table 1-1 Increasing Network Performance
Network Demands: Too many users on a single network segment and a growing number of users accessing the Internet • Increased power of new PCs, workstations, and servers • High demand from networked applications (such as e-mail with large attached files) and from bandwidth-intensive applications (such as multimedia)
Suggested Design Methods: • Create smaller network segments so that fewer users share the ban
You can create backup paths by using Fast Ethernet, Gigabit, Fast EtherChannel, or Gigabit EtherChannel links. Using Gigabit modules on two of the switches, you can have redundant uplink connections to a Gigabit backbone switch such as the Catalyst 3550-12G switch. If one of the redundant connections fails, the other can serve as a backup path.
Figure 1-1 Example Configurations (figure; labels: Cost-Effective Wiring Closet: Catalyst 2950 switch; Catalyst 2900 XL, Catalyst 2950, Catalyst 3500 XL, and Catalyst 3550 GigaStack cluster; Catalyst 3550-12T or Catalyst 3550-12G switch; Gigabit server. High-Performance Workgroup: Catalyst 2900 XL, Catalyst 2950, Catalyst 3500 XL, and Catalyst 3550 cluster; two Catalyst 3550-12T or Catalyst 3550-12G switches; 1-Gbps HSRP)
A network backbone is a high-bandwidth connection (such as Fast Ethernet or Gigabit Ethernet) that interconnects segments and network resources. It is required if numerous segments require access to the servers. The Catalyst 2900 XL, Catalyst 2950, Catalyst 3500 XL, and Catalyst 3550 switches in this network are connected through a GigaStack GBIC on each switch to form a 1-Gbps network backbone.
Collapsed Backbone and Switch Cluster Configuration
Figure 1-3 shows a configuration for a network of approximately 500 employees. This network uses a collapsed backbone and switch clusters. A collapsed backbone has high-bandwidth uplinks from all segments and subnetworks to a single device, such as a Gigabit switch, that serves as a single point for monitoring and controlling the network.
Figure 1-3 Collapsed Backbone and Switch Cluster Configuration (figure; labels: Gigabit servers; Cisco CallManager; Catalyst 3550-12T or Catalyst 3550-12G switch; Cisco 2600 router; 200 Mbps Fast EtherChannel (400-Mbps full-duplex Fast EtherChannel); 1 Gbps (2 Gbps full duplex); two Catalyst 2950, 2900 XL, 3550, and 3500 XL GigaStack clusters; Catalyst 3524-PWR XL GigaStack cluster; IP phones; Workstations running
Figure 1-4 Large Campus Configuration (figure; labels: IP telephony network or PSTN; WAN; Cisco CallManager; Cisco 7200 or 7500 router; Cisco access gateway; Servers; Catalyst 6500 switch; Catalyst 2950, 2900 XL, 3500 XL, and 3550 GigaStack cluster; 1 Gbps (2 Gbps full duplex); Catalyst 3524-PWR XL GigaStack cluster; Cisco IP Phones; Workstations running Cisco SoftPhone software)
Multidwelling Network Using Catalyst 2950 Switches
A
All ports on the residential Catalyst 2950 switches (and Catalyst 2912-LRE XL or 2924-LRE XL switches if they are included) are configured as 802.1Q trunks with protected port and STP root guard features enabled. The protected port feature provides security and isolation between ports on the switch, ensuring that subscribers cannot view packets destined for other subscribers. STP root guard prevents unauthorized devices from becoming the STP root switch.
Long-Distance, High-Bandwidth Transport Configuration
Note To use the feature described in this section, you must have the EI installed on your switch.
Figure 1-6 shows a configuration for transporting Gigabits of data from one location to an off-site backup facility over a single fiber-optic cable. The Catalyst switches have Coarse Wave Division Multiplexer (CWDM) fiber-optic GBIC modules installed.
Where to Go Next
Before configuring the switch, review these sections for start up information: • Chapter 2, “Using the Command-Line Interface” • Chapter 3, “Getting Started with CMS” • Chapter 4, “Assigning the Switch IP Address and Default Gateway” • Chapter 5, “Configuring IE2100 CNS Agents”
Chapter 2 Using the Command-Line Interface
This chapter describes the IOS command-line interface (CLI) that you can use to configure your switches.
Table 2-1 Command Mode Summary (Mode; Access Method; Prompt; Exit Method; About This Mode)
User EXEC: Begin a session with your switch. Prompt: Switch>. Enter logout or quit to exit. Use this mode to change terminal settings, perform basic tests, and display system information.
Privileged EXEC: While in user EXEC mode, enter the enable command. Prompt: Switch#. Enter disable to exit. Use this mode to verify commands that you have entered.
Getting Help
You can enter a question mark (?) at the system prompt to display a list of commands available for each command mode. You can also obtain a list of associated keywords and arguments for any command, as shown in Table 2-2.
Table 2-2 Help Summary (Command; Purpose)
help: Obtain a brief description of the help system in any command mode.
abbreviated-command-entry?: Obtain a list of commands that begin with a particular character string.
Using no and default Forms of Commands
Almost every configuration command also has a no form. In general, use the no form to disable a feature or function or reverse the action of a command. For example, the no shutdown interface configuration command reverses the shutdown of an interface. Use the command without the keyword no to re-enable a disabled feature or to enable a feature that is disabled by default.
Using Command History
The IOS provides a history or record of commands that you have entered. This feature is particularly useful for recalling long or complex commands or entries, including access lists.
Disabling the Command History Feature
The command history feature is automatically enabled. To disable the feature during the current terminal session, enter the terminal no history privileged EXEC command. To disable command history for the line, enter the no history line configuration command.
Using Editing Features
This section describes the editing features that can help you manipulate the command line.
Editing Commands through Keystrokes
Table 2-5 shows the keystrokes that you need to edit command lines.
Table 2-5 Editing Commands through Keystrokes (Capability; Keystroke (1); Purpose)
Move around the command line to make changes or corrections:
Press Ctrl-B, or press the left arrow key: Move the cursor back one character.
Press Ctrl-F, or press the right arrow key: Move the cursor forward one character.
Press Ctrl-A.
Table 2-5 Editing Commands through Keystrokes (continued)
Scroll down a line or screen on displays that are longer than the terminal screen can display:
Press the Return key: Scroll down one line.
Press the Space bar: Scroll down one screen.
Redisplay the current command line: Press Ctrl-L or Ctrl-R.
Use line wrapping with the command history feature to recall and modify previous complex command entries. For information about recalling previous command entries, see the “Editing Commands through Keystrokes” section on page 2-7.
Searching and Filtering Output of show and more Commands
You can search and filter the output for show and more commands.
Accessing the CLI from a Browser
This procedure assumes you have met the software requirements (including browser and Java plug-in configurations) and have assigned IP information and a Telnet password to the switch or command switch, as described in the release notes. To access the CLI from a web browser, follow these steps: Step 1 Start one of the supported browsers.
Chapter 3 Getting Started with CMS
This chapter provides these topics about the Cluster Management Suite (CMS) software: • Features, page 3-2 • Front Panel View, page 3-4 • Topology View, page 3-9 • Menus and Toolbar, page 3-14 • Interaction Modes, page 3-23 • Wizards, page 3-24 • Online Help, page 3-25 • CMS Window Components, page 3-26 • Accessing CMS, page 3-28 • Verifying Your Changes, page 3-30 • Saving Your Configuration, page 3-30 • Restoring Your Configura
Features
CMS provides these features (Figure 3-1) for managing switch clusters and individual switches from Web browsers such as Netscape Communicator or Microsoft Internet Explorer: • Two views of your network that can be displayed at the same time: – The Front Panel view displays the front-panel image of a specific switch or the front-panel images of all switches in a cluster.
• Two levels of access to the configuration options: read-write access for users allowed to change switch settings; read-only access for users allowed to only view switch settings • Consistent set of GUI components (such as tabs, buttons, drop-down lists, tables, and so on) for a uniform approach to viewing and setting configuration parameters
Figure 3-1 CMS Features (figure; callouts: Toolbar; Move the cursor over the icon to display the tool tip.)
Front Panel View
When CMS is launched from a command switch, the Front Panel view displays the front-panel images of all switches in the cluster (Figure 3-2). When CMS is launched from a standalone or noncommand member switch, the Front Panel view displays only the front panel of the specific switch (Figure 3-3).
Figure 3-2 Front Panel View from a Command Switch (figure; callouts: cluster1; 10.1.1.2; Cluster tree.)
Cluster Tree
The cluster tree (Figure 3-2) appears in the left frame of the Front Panel view and shows the name of the cluster and a list of its members. The sequence of the cluster-tree icons (Figure 3-4) mirrors the sequence of the front-panel images. You can change the sequence by selecting View > Arrange Front Panel. The colors of the devices in the cluster tree show the status of the devices (Table 3-1).
Figure 3-5 shows the port icons as they appear in the front-panel images. To select a port, click the port on the front-panel image. The port is then highlighted with a yellow outline. To select multiple ports, you can: • Press the left mouse button, drag the pointer over the group of ports that you want to select, and then release the mouse button. • Press the Ctrl key, and click the ports that you want to select.
Table 3-3 RPS LED (Color; RPS Status)
Black (off): RPS is off or is not installed.
Green: RPS is connected and operational.
Blinking green: RPS is providing power to another switch in the stack.
Amber: RPS is connected but not functioning. The RPS could be in standby mode. To put the RPS in Active mode, press the Standby/Active button on the RPS, and the LED should turn green.
Table 3-5 Port LEDs (Port Mode; Port LED Color; Description)
STAT mode:
Cyan (off): No link.
Green: Link present.
Amber: Link fault. Error frames can affect connectivity, and errors such as excessive collisions, CRC errors, and alignment and jabber errors are monitored for a link-fault indication. Port is not forwarding. Port was disabled by management, by an address violation, or by Spanning Tree Protocol (STP).
Topology View
The Topology view displays how the devices within a switch cluster are connected and how the switch cluster is connected to other clusters and devices. From this view, you can add and remove cluster members. This view provides two levels of detail of the network topology: • When you right-click a cluster icon and select Expand Cluster, the Topology view displays the switch cluster in detail.
Figure 3-6 Expand Cluster View (figure; callouts: Right-click a link icon to display a link popup menu. Right-click a device icon to display a device popup menu. Cluster members of cluster1 and other devices connected to cluster1.)
Figure 3-7 Collapse Cluster View (figure; callouts: Neighboring cluster connected to cluster1. cluster1. Devices connected to cluster1 that are not eligible to join the cluster.)
Topology Icons
The Topology view and the cluster tree use the same set of device icons to represent clusters, command and standby command switches, and member switches (Figure 3-8).
Figure 3-9 Topology-View Link Icons
Device and Link Labels
The Topology view displays device and link information by using these labels: • Cluster and switch names • Switch MAC and IP addresses • Link type between the devices • Link speed and IDs of the interfaces on both ends of the link When using these labels, keep these considerations in mind: • The IP address displays only in the labels for the command switch and member switches.
Table 3-7 Device Icon Colors (Icon Color; Color Meaning)
Green: The device is operating.
Yellow (1): The internal fan of the switch is not operating, or the switch is receiving power from an RPS.
Red (1): The device is not operating.
1. Available only on the cluster members.
Menus and Toolbar
The configuration and monitoring options for configuring switches and switch clusters are available from menus and a toolbar.
Menu Bar
The menu bar provides the complete list of options for managing a single switch and switch cluster.
Note • We strongly recommend that the highest-end, command-capable switch in the cluster be the command switch: – If your switch cluster has a Catalyst 3550 switch, that switch should be the command switch. – If your switch cluster has Catalyst 2900 XL, Catalyst 2950, and Catalyst 3500 XL switches, the Catalyst 2950 should be the command switch.
Table 3-11 Menu Bar (Menu-Bar Options; Task)
CMS menu:
Page Setup: Set default document printer properties to be used when printing from CMS.
Print Preview: View the way the CMS window or help file will appear when printed.
Print: Print a CMS window or help file.
Guide Mode/Expert Mode (1): Select which interaction mode to use when you select a configuration option.
Preferences (2)
Table 3-11 Menu Bar (continued)
IGMP Snooping (2): Enable and disable Internet Group Management Protocol (IGMP) snooping and IGMP Immediate-Leave processing on the switch. Join or leave multicast groups, and configure multicast routers.
802.1X (1): Configure 802.1X authentication of devices as they are attached to LAN ports in a point-to-point infrastructure.
Table 3-11 Menu Bar (continued)
Port Statistics: Display port statistics.
Bandwidth Graphs: Display graphs that plot the total bandwidth in use by the switch.
Link Graphs: Display a graph showing the bandwidth being used for the selected link.
Link Reports: Display the link report for two connected devices. If one device is an unknown device or a candidate, only the cluster-member side of the link displays.
Chapter 3 Getting Started with CMS Menus and Toolbar Toolbar The toolbar buttons display commonly-used switch and cluster configuration options and information windows such as legends and online help. Hover the cursor over an icon to display the feature. Table 3-12 describes the toolbar options, from left to right on the toolbar. Table 3-12 Toolbar Buttons Toolbar Option Keyboard Shortcut Task Print Ctrl-P Print a CMS window or help file.
Front Panel View Popup Menus
These popup menus are available in the Front Panel view.
Device Popup Menu
You can display all switch and cluster configuration windows from the menu bar, or you can display commonly used configuration windows from the device popup menu (Table 3-13). To display the device popup menu, click the switch icon in the cluster tree or the front-panel image itself, and right-click.
Topology View Popup Menus
These popup menus are available in the Topology view.
Link Popup Menu
You can display reports and graphs for a specific link displayed in the Topology view (Table 3-15). To display the link popup menu, click the link icon, and right-click.
Table 3-15 Link Popup Menu
Popup Menu Option: Task
Link Report: Display the link report for two connected devices.
Device Popup Menus
Specific devices in the Topology view display a specific popup menu:
• Cluster (Table 3-16)
• Command switch (Table 3-17)
• Member or standby command switch (Table 3-18)
• Candidate switch with an IP address (Table 3-19)
• Candidate switch without an IP address (Table 3-20)
• Neighboring devices (Table 3-21)
Note The Device Manager option in these popup menus is available in read-only mode on Catalyst 2900 XL and Cataly
Table 3-19 Device Popup Menu of a Candidate-Switch Icon (When the Candidate Switch Has an IP Address)
Popup Menu Option: Task
Add to Cluster (1): Add a candidate to a cluster.
Device Manager (2): Launch Device Manager for a switch.
Properties: Display information about the device.
1. Not available in read-only mode. For more information about the read-only and read-write access modes, see the “Access Modes in CMS” section on page 3-29.
2.
Guide Mode
Note Guide mode is not available if your switch access level is read-only. For more information about the read-only access mode, see the “Access Modes in CMS” section on page 3-29.
Guide mode is for users who want a step-by-step approach for completing a specific configuration task. This mode is not available for all features. A menu-bar option that has a person icon means that guide mode is available for that option.
Tool Tips
CMS displays a popup message when you move your mouse over these devices:
• A yellow device icon in the cluster tree or in Topology view: a popup displays a fault message, such as that the RPS is faulty or that the switch is unavailable because you are in read-only mode.
• A red device icon in the cluster tree or in Topology view: a popup displays a message that the switch is down.
CMS Window Components
CMS windows consistently present configuration information. Figure 3-12 shows the components of a typical CMS window.
Figure 3-12 CMS Window Components
OK saves your changes and closes the window. Modify displays a secondary window from which you can change settings. Click a row to select it. Press Shift, and left-click another row to select contiguous multiple rows.
window does not include Catalyst 1900 and Catalyst 2820 switches even though they are part of the cluster. Similarly, the Host Name list on the LRE Profiles window only lists the LRE switches in the cluster.
Tabs, Lists, and Tables
Some CMS windows have tabs that present different sets of information. Tabs are arranged like folder headings across the top of the window. Click the tab to display its information.
Accessing CMS
This section assumes the following:
• You know the IP address and password of the command switch or a specific switch. This information is either:
– Assigned to the switch by following the setup program, as described in the release notes.
– Changed on the switch by following the information in the “Assigning Switch Information” section on page 4-2 and “Preventing Unauthorized Access to Your Switch” section on page 7-1.
Access Modes in CMS
CMS provides two levels of access to the configuration options: read-write access and read-only access. Privilege levels 0 to 15 are supported.
• Privilege level 15 provides you with read-write access to CMS.
• Privilege levels 1 to 14 provide you with read-only access to CMS. Any options in the CMS windows, menu bar, toolbar, and popup menus that change the switch or cluster configuration are not shown in read-only mode.
Verifying Your Changes
CMS provides notification cues to help you track and confirm the changes you make.
Change Notification
A green border around a field or table cell means that you made an unsaved change to the field or table cell. Previous information in that field or table cell is displayed in the window status bar. When you save the changes or if you cancel the change, the green border disappears.
Restoring Your Configuration
After you save a switch configuration, you can restore the configuration to one or more switches for these reasons:
• You made an incorrect change to the current running configuration and want to reload a saved configuration.
• You need to reload a switch after a switch failure or power failure.
• You want to copy the configuration of a switch to other switches.
Where to Go Next
Before configuring the switch, refer to these places for start-up information:
• Switch release notes on Cisco.
Chapter 4 Assigning the Switch IP Address and Default Gateway
This chapter describes how to create the initial switch configuration (for example, assign the switch IP address and default gateway information) by using a variety of automatic and manual methods.
Note For complete syntax and usage information for the commands used in this chapter, refer to the command reference for this release.
The boot loader also provides trap-door access into the system if the operating system has problems serious enough that it cannot be used.
Default Switch Information
Table 4-1 shows the default switch information.
Table 4-1 Default Switch Information
Feature: Default Setting
IP address and subnet mask: No IP address or subnet mask are defined.
Default gateway: No default gateway is defined.
Enable secret password: No password is defined.
Host name: The factory-assigned default host name is Switch.
Telnet password: No password is defined.
DHCP Client Request Process
When you boot your switch, the DHCP client is invoked and automatically requests configuration information from a DHCP server when the configuration file is not present on the switch. Figure 4-1 shows the sequence of messages that are exchanged between the DHCP client and the DHCP server.
Configuring the DHCP Server
You should configure the DHCP server with reserved leases that are bound to each switch by the switch hardware address.
For the switch to successfully download a configuration file, the TFTP server must contain one or more configuration files in its base directory. The files can include these files:
• The configuration file named in the DHCP reply (the actual switch configuration file).
• The network-confg or the cisconet.cfg file (known as the default configuration files).
• The router-confg or the ciscortr.
Figure 4-2 Relay Device Used in Autoconfiguration (figure: switch as DHCP client, Cisco router as relay, DHCP server, TFTP server, and DNS server)
Note The switch broadcasts TFTP server requests if the TFTP server is not obtained from the DHCP replies, if all attempts to read the configuration file through unicast transmissions fail, or if the TFTP server name cannot be resolved to an IP address.
Example Configuration
Figure 4-3 shows a sample network for retrieving IP information by using DHCP-based autoconfiguration.
DNS Server Configuration
The DNS server maps the TFTP server name maritsu to IP address 10.0.0.3.
TFTP Server Configuration (on UNIX)
The TFTP server base directory is set to /tftpserver/work/. This directory contains the network-confg file used in the two-file read method. This file contains the host name to be assigned to the switch based on its IP address.
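The two-file read method described above, as an added simulation that is not part of the guide: it assumes network-confg uses IOS-style "ip host name address" lines and that the switch then requests "name-confg"; the switch names and addresses are constructed.

```python
"""Simulate the two-file read method of DHCP-based autoconfiguration.

Added example, not from the Cisco guide. Assumes that network-confg holds
'ip host <name> <ip>' entries (the IOS format) and that the switch requests
'<name>-confg' afterwards. Every sample value below is constructed.
"""
import ipaddress
from typing import Dict, Optional

# Constructed network-confg as it would be served by the TFTP server named
# maritsu from its base directory /tftpserver/work/ (names from the guide).
SAMPLE_NETWORK_CONFG = """\
! constructed network-confg: maps each leased address to a host name
ip host switch1 10.0.0.21
ip host switch2 10.0.0.22
ip host switch3 10.0.0.23
ip host broken 10.0.0.999
"""


def parse_network_confg(text: str) -> Dict[str, str]:
    """Return {ip_address: host_name} from the 'ip host' entries.

    Comment lines (starting with '!') and entries whose address does not
    parse are skipped rather than trusted.
    """
    mapping: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("!"):
            continue
        parts = line.split()
        if len(parts) < 4 or parts[:2] != ["ip", "host"]:
            continue
        name, addr = parts[2], parts[3]
        try:
            ipaddress.ip_address(addr)
        except ValueError:
            continue          # malformed address: ignore the entry
        mapping[addr] = name
    return mapping


def select_config_file(dhcp_bootfile: Optional[str], leased_ip: str,
                       network_confg: str) -> Optional[str]:
    """Name of the configuration file the switch asks the TFTP server for.

    A file name carried in the DHCP reply wins. Otherwise the switch looks
    its leased address up in network-confg and requests '<host name>-confg'.
    Returns None when neither source yields a file name.
    """
    if dhcp_bootfile:
        return dhcp_bootfile
    host = parse_network_confg(network_confg).get(leased_ip)
    return f"{host}-confg" if host else None


if __name__ == "__main__":
    for ip in ("10.0.0.22", "10.0.0.99"):
        print(ip, "->", select_config_file(None, ip, SAMPLE_NETWORK_CONFG))
```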
Manually Assigning IP Information
Beginning in privileged EXEC mode, follow these steps to manually assign IP information to multiple switched virtual interfaces (SVIs) or ports:
Command: Purpose
Step 1 configure terminal: Enter global configuration mode.
Step 2 interface vlan vlan-id: Enter interface configuration mode, and enter the VLAN to which the IP information is assigned.
!
hostname Switch
!
enable secret 5 $1$ej9.$DMUvAUnZOAmvmgqBEzIxE0
!
ip subnet-zero
!
vlan 3020
cluster enable Test 0
cluster member 1 mac-address 0030.9439.0900
cluster member 2 mac-address 0001.425b.
no ip address
shutdown
!
interface Vlan1
ip address 172.20.139.133 255.255.255.224
no ip route-cache
!
ip default-gateway 172.20.139.
Chapter 5 Configuring IE2100 CNS Agents
This chapter describes how to configure the Intelligence Engine 2100 (IE2100) Series Cisco Networking Services (CNS) embedded agents on your switch. To use the feature described in this chapter, you must have the enhanced software image (EI) installed on your switch.
Figure 5-1 Configuration Registrar Architectural Overview (figure: service provider network, Configuration Registrar with data service directory, configuration server and event service, web-based user interface, order entry configuration management)
These sections contain this conceptual information:
• CNS Configuration Service, page 5-2
• CNS Event Service, page 5-3
• What You Should Know About ConfigID, Devi
CNS Event Service
The Configuration Registrar uses the CNS Event Service for receipt and generation of configuration events. The CNS event agent resides on the switch and facilitates the communication between the switch and the event gateway on the Configuration Registrar. The CNS Event Service is a highly scalable publish-and-subscribe communication method.
DeviceID
Each configured switch participating on the event bus has a unique deviceID, which is analogous to the switch source address so that the switch can be targeted as a specific destination on the bus. All switches configured with the cns config partial global configuration command must access the event bus.
Understanding CNS Embedded Agents
The CNS event agent feature allows the switch to publish and subscribe to events on the event bus and works with the CNS configuration agent.
Incremental (Partial) Configuration
After the network is running, new services can be added by using the CNS configuration agent. Incremental (partial) configurations can be sent to the switch. The actual configuration can be sent as an event payload by way of the event gateway (push operation) or as a signal event that triggers the switch to initiate a pull operation.
Table 5-1 Prerequisites for Enabling Automatic Configuration (continued)
Device: Required Configuration
DHCP server:
• IP address assignment
• TFTP server IP address
• Path to bootstrap configuration file on the TFTP server
• Default gateway IP address
TFTP server:
• Create a bootstrap configuration file that includes the CNS configuration commands that enable the switch to communicate w
IE2100 Configuration Registrar:
Enabling the CNS Event Agent
Note You must enable the CNS event agent on the switch before you enable the CNS configuration agent.
Beginning in privileged EXEC mode, follow these steps to enable the CNS event agent on the switch:
Command: Purpose
Step 1 configure terminal: Enter global configuration mode.
To disable the CNS event agent, use the no cns event {ip-address | hostname} global configuration command.
This example shows how to enable the CNS event agent, set the IP address gateway to 10.180.1.27, set 120 seconds as the keepalive interval, and set 10 as the retry count.
Switch(config)# cns event 10.180.1.
Command: Purpose
Step 3 config-cli or line-cli: Enter config-cli to connect to the Configuration Registrar through the interface defined in cns config connect-intf. Enter line-cli to connect to the Registrar through modem dialup lines.
Note The config-cli interface configuration command accepts the special directive character & that acts as a placeholder for the interface name.
Command: Purpose
Step 8 cns config initial {ip-address | hostname} [port-number] [event] [no-persist] [page page] [source ip-address] [syntax-check]: Enable the configuration agent, and initiate an initial configuration.
• For {ip-address | hostname}, enter the IP address or the host name of the configuration server.
• (Optional) For port-number, enter the port number of the configuration server. The default port number is 80.
Enabling a Partial Configuration
Beginning in privileged EXEC mode, follow these steps to enable the CNS configuration agent and to initiate a partial configuration on the switch:
Command: Purpose
Step 1 configure terminal: Enter global configuration mode.
Step 2 cns config partial {ip-address | hostname} [port-number] [source ip-address]: Enable the configuration agent, and initiate a partial configuration.
Table 5-2 Displaying CNS Configuration (continued)
Command: Purpose
show cns event stats: Displays statistics about the CNS event agent.
show cns event subject: Displays a list of event agent subjects that are subscribed to by applications.
Chapter 6 Clustering Switches
This chapter provides these topics to help you get started with switch clustering:
• Understanding Switch Clusters, page 6-2
• Planning a Switch Cluster, page 6-5
• Creating a Switch Cluster, page 6-20
• Using the CLI to Manage Switch Clusters, page 6-26
• Using SNMP to Manage Switch Clusters, page 6-27
Configuring switch clusters is more easily done from the Cluster Management Suite (CMS) web-based interface than through the command-line interface (CLI).
Understanding Switch Clusters
A switch cluster is a group of connected Catalyst switches that are managed as a single entity. In a switch cluster, 1 switch must be the command switch and up to 15 switches can be member switches. The total number of switches in a cluster cannot exceed 16 switches. The command switch is the single point of access used to configure, manage, and monitor the member switches.
Command Switch Characteristics
A Catalyst 2950 command switch must meet these requirements:
• It is running Release 12.0(5.2)WC(1) or later.
• It has an IP address.
• It has Cisco Discovery Protocol (CDP) version 2 enabled (the default).
• It is not a command or member switch of another cluster.
• If the Catalyst 2950 command switch is running Release 12.
Note Catalyst 2950 command switches running Release 12.1(9)EA1 or later can connect to standby command switches in the management VLAN.
• It is redundantly connected to the cluster so that connectivity to member switches is maintained.
• It is not a command or member switch of another cluster.
Note Catalyst 2950 standby command switches running Release 12.1(9)EA1 or later can connect to candidate and member switches in VLANs different from their management VLANs.
Planning a Switch Cluster
Anticipating conflicts and compatibility issues is a high priority when you manage several switches through a cluster.
Discovery through CDP Hops
By using CDP, a command switch can discover switches up to seven CDP hops away (the default is three hops) from the edge of the cluster. The edge of the cluster is where the last member switches are connected to the cluster and to candidate switches. For example, member switches 9 and 10 in Figure 6-1 are at the edge of the cluster.
Figure 6-2 Discovery through CDP Hops (Command Switch Running Release 12.
Discovery through Non-CDP-Capable and Noncluster-Capable Devices
If a command switch is connected to a non-CDP-capable third-party hub (such as a non-Cisco hub), it can discover cluster-enabled devices connected to that third-party hub. However, if the command switch is connected to a noncluster-capable Cisco device, it cannot discover a cluster-enabled device connected beyond the noncluster-capable Cisco device.
Discovery through the Same Management VLAN
A Catalyst 2900 XL command switch, a Catalyst 2950 command switch running a release earlier than Release 12.1(9)EA1, or a Catalyst 3500 XL command switch must connect to all cluster members through its management VLAN. The default management VLAN is VLAN 1. For more information about management VLANs, see the “Management VLAN” section on page 6-19.
Discovery through Different Management VLANs
We recommend using a Catalyst 3550 command switch or a Catalyst 2950 command switch running Release 12.1(9)EA1 or later. These command switches can discover and manage member switches in different VLANs and different management VLANs. Catalyst 3550 member switches and Catalyst 2950 member switches running Release 12.
Discovery through Different Management VLANs with a Layer 3 Command Switch (figure: Catalyst 3550 command switch and Catalyst 3550 standby command switch reaching Switches 3, 4, 5, 7, and 9, which have management VLANs 16, 62, and 4, over VLANs 9, 16, and 62 and a VLAN trunk carrying VLANs 4 and 62; the member switches are Catalyst 1900, Catalyst 2820, Catalyst 2900 XL, Catalyst 2950, and Catalyst 3500 XL switches)
Figure 6-7 Discovery of Newly Installed Switches in the Same Management VLAN (figure: command switch, Catalyst 3500 XL switch and Catalyst 2950 switch with management VLAN 16, access points, and new out-of-box Catalyst 2900 LRE XL and Catalyst 2950 switches, all on VLAN 16)
Figure 6-8 Discovery of Newly Installed Switches in Different Management VLANs (figure: command switch and a Catalyst 2950 switch; remainder cut off)
HSRP and Standby Command Switches
The switch supports Hot Standby Router Protocol (HSRP) so that you can configure a group of standby command switches. Because a command switch manages the forwarding of all communication and configuration information to all the member switches, we strongly recommend that you configure a cluster standby command switch to take over if the primary command switch fails.
Virtual IP Addresses
You need to assign a unique virtual IP address and group number and name to the cluster standby group. This information must be configured on the management VLAN on the active command switch. The active command switch receives traffic destined for the virtual IP address. To manage the cluster, you must access the active command switch through the virtual IP address, not through the command-switch IP address.
• All standby-group members must be members of the cluster.
Note
• There is no limit to the number of switches that you can assign as standby command switches. However, the total number of switches in the cluster (which would include the active command switch, standby-group members, and member switches) cannot be more than 16.
Each standby-group member (Figure 6-9) must be connected to the command switch through its management VLAN.
Automatic Recovery of Cluster Configuration
The active command switch continually forwards cluster-configuration information (but not device-configuration information) to the standby command switch. This ensures that the standby command switch can take over the cluster immediately after the active command switch fails.
Host Names
You do not need to assign a host name to either a command switch or an eligible cluster member. However, a host name assigned to the command switch can help to identify the switch cluster. The default host name for the switch is Switch. If a switch joins a cluster and it does not have a host name, the command switch appends a unique member number to its own host name and assigns it sequentially as each switch joins the cluster.
TACACS+ and RADIUS
Inconsistent authentication configurations in switch clusters cause CMS to continually prompt for a user name and password. If Terminal Access Controller Access Control System Plus (TACACS+) is configured on a cluster member, it must be configured on all cluster members. Similarly, if Remote Authentication Dial-In User Service (RADIUS) is configured on a cluster member, it must be configured on all cluster members.
Management VLAN
Communication with the switch management interfaces is through the command-switch IP address. The IP address is associated with the management VLAN, which by default is VLAN 1. To manage switches in a cluster, the command switch, member switches, and candidate switches must be connected through ports assigned to the command-switch management VLAN.
Note
• If the command switch is a Catalyst 2950 running Release 12.
Availability of Switch-Specific Features in Switch Clusters
The menu bar on the command switch displays all options available from the switch cluster. Therefore, features specific to a member switch are available from the command-switch menu bar. For example, Device > LRE Profile appears in the command-switch menu bar when at least one Catalyst 2900 LRE XL switch is in the cluster.
If you did not enable a command switch during initial switch setup, launch Device Manager from a command-capable switch, and select Cluster > Create Cluster. Enter a cluster number (the default is 0), and use up to 31 characters to name the cluster (Figure 6-10). Instead of using CMS to enable a command switch, you can use the cluster enable global configuration command.
If a candidate switch in the group has a password different from the group, only that specific candidate switch is not added to the cluster. When a candidate switch joins a cluster, it inherits the command-switch password. For more information about setting passwords, see the “Passwords” section on page 6-17. For additional authentication considerations in switch clusters, see the “TACACS+ and RADIUS” section on page 6-18.
Thin line means a connection to a candidate switch. Right-click a candidate switch to display the pop-up menu, and select Add to Cluster to add the switch to the cluster.
These abbreviations are appended to the switch host names in the Standby Command Group list to show their eligibility or status in the cluster standby group:
• AC: Active command switch
• SC: Standby command switch
• PC: Member of the cluster standby group but not the standby command switch
• HC: Candidate switch that can be added to the cluster standby group
• CC: Command switch when HSRP is disabled
You must enter a virtual IP address for the
Verifying a Switch Cluster
When you finish adding cluster members, follow these steps to verify the cluster:
Step 1 Enter the command switch IP address in the browser Location field (Netscape Communicator) or Address field (Microsoft Internet Explorer) to access all switches in the cluster.
Step 2 Enter the command-switch password.
Using the CLI to Manage Switch Clusters
You can configure member switches from the CLI by first logging into the command switch. Enter the rcommand user EXEC command and the member switch number to start a Telnet session (through a console or Telnet connection) and to access the member switch CLI. The command mode changes, and the IOS commands operate as usual.
Using SNMP to Manage Switch Clusters
When you first power on the switch, SNMP is enabled if you enter the IP information by using the setup program and accept its proposed configuration. If you did not use the setup program to enter the IP information and SNMP was not enabled, you can enable it as described in the “Configuring SNMP” section on page 23-5. On Catalyst 1900 and Catalyst 2820 switches, SNMP is enabled by default.
Chapter 7 Administering the Switch
This chapter describes how to perform one-time operations to administer your switch.
• If you want to use username and password pairs, but you want to store them centrally on a server instead of locally, you can store them in a database on a security server. Multiple networking devices can then use the same database to obtain user authentication (and, if necessary, authorization) information. For more information, see the “Controlling Switch Access with TACACS+” section on page 7-9.
Setting or Changing a Static Enable Password
The enable password controls access to the privileged EXEC mode. Beginning in privileged EXEC mode, follow these steps to set or change a static enable password:
Command: Purpose
Step 1 configure terminal: Enter global configuration mode.
Step 2 enable password password: Define a new password or change an existing password for access to privileged EXEC mode.
Protecting Enable and Enable Secret Passwords with Encryption
To provide an additional layer of security, particularly for passwords that cross the network or that are stored on a Trivial File Transfer Protocol (TFTP) server, you can use either the enable password or enable secret global configuration commands.
If both the enable and enable secret passwords are defined, users must enter the enable secret password. Use the level keyword to define a password for a specific privilege level. After you specify the level and set a password, give the password only to users who need to have access at this level. Use the privilege level global configuration command to specify commands accessible at various levels.
To remove the password, use the no password global configuration command.
This example shows how to set the Telnet password to let45me67in89:
Switch(config)# line vty 10
Switch(config-line)# password let45me67in89
Configuring Username and Password Pairs
You can configure username and password pairs, which are locally stored on the switch.
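An added check for the settings covered in this section, not from the guide: a script that reads a saved running-config and reports a missing enable secret, a clear-text enable password, and vty lines with neither a password nor AAA login authentication. The two configurations it audits are constructed, and the hash in the hardened one is a placeholder.

```python
"""Audit a Catalyst running-config for enable and line password settings.

Added example, not from the Cisco guide. Both sample configurations are
constructed; the enable secret hash in the hardened one is a placeholder.
Facts relied on: enable secret stores a one-way hash, enable password is
clear text unless service password-encryption is on (and even then only
reversibly obscured), and with aaa new-model the vty lines authenticate
through the AAA login method list instead of a line password.
"""
import re
from typing import Dict, List

# Constructed weak configuration: only an enable password, and the second
# vty range has 'login' but no password at all.
WEAK_CONFIG = """\
!
hostname Switch
!
enable password cisco123
!
line con 0
 password let45me67in89
 login
line vty 0 4
 password let45me67in89
 login
line vty 5 15
 login
!
end
"""

# Constructed hardened configuration: enable secret plus AAA login to TACACS+.
HARDENED_CONFIG = """\
!
hostname Switch
!
enable secret 5 $1$PLAC$EHOLDERhashNotARealValue/
!
aaa new-model
aaa authentication login default group tacacs+ local
!
line vty 0 15
 login authentication default
!
end
"""


def parse_line_blocks(config: str) -> Dict[str, List[str]]:
    """Map each 'line ...' header to the indented sub-commands under it."""
    blocks: Dict[str, List[str]] = {}
    current = None
    for raw in config.splitlines():
        if raw.startswith("line "):
            current = raw.rstrip()
            blocks[current] = []
        elif raw.startswith(" ") and current is not None:
            blocks[current].append(raw.strip())
        else:
            current = None          # any top-level command ends the block
    return blocks


def audit_passwords(config: str) -> List[str]:
    """Return findings in config order; an empty list means all checks passed."""
    findings: List[str] = []
    has_secret = re.search(r"^enable secret ", config, re.M) is not None
    has_enable_pw = re.search(r"^enable password ", config, re.M) is not None
    pw_encryption = re.search(r"^service password-encryption$", config, re.M)
    aaa = re.search(r"^aaa new-model$", config, re.M) is not None

    if not has_secret:
        findings.append("no enable secret: privileged EXEC is not protected by a hashed password")
    if has_enable_pw and not pw_encryption:
        findings.append("enable password is stored in clear text")

    for header, cmds in parse_line_blocks(config).items():
        if not header.startswith("line vty"):
            continue
        has_pw = any(c.startswith("password ") for c in cmds)
        has_aaa_login = aaa or any(c.startswith("login authentication ") for c in cmds)
        if not has_pw and not has_aaa_login:
            findings.append(f"{header}: no password and no AAA login authentication")
    return findings


if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(name, audit_passwords(cfg) or ["ok"])
```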
Configuring Multiple Privilege Levels
By default, the IOS software has two modes of password security: user EXEC and privileged EXEC. You can configure up to 16 hierarchical levels of commands for each mode. By configuring multiple passwords, you can allow different sets of users to have access to specified commands.
When you set a command to a privilege level, all commands whose syntax is a subset of that command are also set to that level. For example, if you set the show ip traffic command to level 15, the show commands and show ip commands are automatically set to privilege level 15 unless you set them individually to different levels.
Logging into and Exiting a Privilege Level
Beginning in privileged EXEC mode, follow these steps to log in to a specified privilege level and to exit to a specified privilege level:
Command: Purpose
Step 1 enable level: Log in to a specified privilege level. For level, the range is 0 to 15.
Step 2 disable level: Exit to a specified privilege level. For level, the range is 0 to 15.
Figure 7-1 Typical TACACS+ Network Configuration (figure: two UNIX workstations as TACACS+ server 1 and TACACS+ server 2, a Catalyst 6500 series switch, and Catalyst 2950 or 3550 switches)
Configure the switches with the TACACS+ server addresses. Set an authentication key (also configure the same key on the TACACS+ servers). Enable AAA. Create a login authentication method list.
TACACS+ Operation
When a user attempts a simple ASCII login by authenticating to a switch using TACACS+, this process occurs:
1. When the connection is established, the switch contacts the TACACS+ daemon to obtain a username prompt, which is then displayed to the user. The user enters a username, and the switch then contacts the TACACS+ daemon to obtain a password prompt.
Chapter 7 Administering the Switch Controlling Switch Access with TACACS+ This section contains this configuration information: • Default TACACS+ Configuration, page 7-12 • Identifying the TACACS+ Server Host and Setting the Authentication Key, page 7-12 • Configuring TACACS+ Login Authentication, page 7-13 • Configuring TACACS+ Authorization for Privileged EXEC Access and Network Services, page 7-15 • Starting TACACS+ Accounting, page 7-16 Default TACACS+ Configuration TACACS+ and AAA are disa
Chapter 7 Administering the Switch Controlling Switch Access with TACACS+ Step 4 Command Purpose aaa group server tacacs+ group-name (Optional) Define the AAA server-group with a group name. This command puts the switch in a server group subconfiguration mode. Step 5 server ip-address (Optional) Associate a particular TACACS+ server with the defined server group. Repeat this step for each TACACS+ server in the AAA server group. Each server in the group must be previously defined in Step 2.
Chapter 7 Administering the Switch Controlling Switch Access with TACACS+ Beginning in privileged EXEC mode, follow these steps to configure login authentication: Command Purpose Step 1 configure terminal Enter global configuration mode. Step 2 aaa new-model Enable AAA. Step 3 aaa authentication login {default | list-name} method1 [method2...] Create a login authentication method list.
Chapter 7 Administering the Switch Controlling Switch Access with TACACS+ To disable AAA, use the no aaa new-model global configuration command. To disable AAA authentication, use the no aaa authentication login {default | list-name} method1 [method2...] global configuration command. To either disable TACACS+ authentication for logins or to return to the default value, use the no login authentication {default | list-name} line configuration command.
Chapter 7 Administering the Switch Controlling Switch Access with TACACS+ Starting TACACS+ Accounting The AAA accounting feature tracks the services that users are accessing and the amount of network resources that they are consuming. When AAA accounting is enabled, the switch reports user activity to the TACACS+ security server in the form of accounting records. Each accounting record contains accounting attribute-value (AV) pairs and is stored on the security server.
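The TACACS+ steps above (server addresses and key, AAA, server group, login authentication, authorization and accounting), collected into one working configuration as an added example that is not taken from the guide: the server group name admin-tacacs, the local fallback username, the key and password placeholders, and the vty line range are assumptions; the server addresses are the ones in Figure 7-1.

```cisco
! Added example, not from the guide. Placeholder secrets must be replaced.
Switch# configure terminal
Switch(config)# aaa new-model
! Define each TACACS+ server (the guide's Step 2) and the shared key;
! the same key must be configured on both TACACS+ servers.
Switch(config)# tacacs-server host 171.20.10.7
Switch(config)# tacacs-server host 171.20.10.8
Switch(config)# tacacs-server key TACACS-KEY-PLACEHOLDER
! Optional server group (Steps 4 and 5); both members were defined above.
Switch(config)# aaa group server tacacs+ admin-tacacs
Switch(config-sg-tacacs+)# server 171.20.10.7
Switch(config-sg-tacacs+)# server 171.20.10.8
Switch(config-sg-tacacs+)# exit
! Login and EXEC authorization: the group is tried first; "local" is used
! only when no server responds, not when a server rejects the user.
Switch(config)# aaa authentication login default group admin-tacacs local
Switch(config)# aaa authorization exec default group admin-tacacs local
! Accounting: start/stop records for each EXEC session and each
! privilege-15 command, so administrative changes are attributable.
Switch(config)# aaa accounting exec default start-stop group admin-tacacs
Switch(config)# aaa accounting commands 15 default start-stop group admin-tacacs
! Local account that only matters while the TACACS+ servers are unreachable.
Switch(config)# username admin privilege 15 password LOCAL-PASSWORD-PLACEHOLDER
! Apply the default method list to the remote-access lines.
Switch(config)# line vty 0 15
Switch(config-line)# login authentication default
Switch(config-line)# end
Switch# show running-config
Switch# copy running-config startup-config
```

Keep one session open while testing, so that a mistyped key or an unreachable server does not lock the switch before the local fallback has been confirmed to work.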
Controlling Switch Access with RADIUS

This section describes how to enable and configure the Remote Authentication Dial-In User Service (RADIUS), which provides detailed accounting information and flexible administrative control over authentication and authorization processes. RADIUS is facilitated through AAA and can be enabled only through AAA commands.

RADIUS is not suitable in these network security situations:
• Multiprotocol access environments. RADIUS does not support AppleTalk Remote Access (ARA), NetBIOS Frame Control Protocol (NBFCP), NetWare Asynchronous Services Interface (NASI), or X.25 PAD connections.
• Switch-to-switch or router-to-router situations. RADIUS does not provide two-way authentication.

Configuring RADIUS

This section describes how to configure your switch to support RADIUS. At a minimum, you must identify the host or hosts that run the RADIUS server software and define the method lists for RADIUS authentication. You can optionally define method lists for RADIUS authorization and accounting. A method list defines the sequence and methods to be used to authenticate, to authorize, or to keep accounts on a user.

You identify RADIUS security servers by their host name or IP address, host name and specific UDP port numbers, or their IP address and specific UDP port numbers. The combination of the IP address and the UDP port number creates a unique identifier, allowing different ports to be individually defined as RADIUS hosts providing a specific AAA service.

Beginning in privileged EXEC mode, follow these steps to configure per-server RADIUS server communication. This procedure is required.

Step 1 configure terminal: Enter global configuration mode.
Step 2 radius-server host {hostname | ip-address} [auth-port port-number] [acct-port port-number] [timeout seconds] [retransmit retries] [key string]: Specify the IP address or host name of the remote RADIUS server host.

This example shows how to configure one RADIUS server to be used for authentication and another to be used for accounting:

Switch(config)# radius-server host 172.29.36.49 auth-port 1612 key rad1
Switch(config)# radius-server host 172.20.36.

Step 3 aaa authentication login {default | list-name} method1 [method2...]: Create a login authentication method list.
• To create a default list that is used when a named list is not specified in the login authentication command, use the default keyword followed by the methods that are to be used in default situations. The default method list is automatically applied to all interfaces.

To disable AAA, use the no aaa new-model global configuration command. To disable AAA authentication, use the no aaa authentication login {default | list-name} method1 [method2...] global configuration command. To either disable RADIUS authentication for logins or to return to the default value, use the no login authentication {default | list-name} line configuration command.

Beginning in privileged EXEC mode, follow these steps to define the AAA server group and associate a particular RADIUS server with it:

Step 1 configure terminal: Enter global configuration mode.
Step 2 radius-server host {hostname | ip-address} [auth-port port-number] [acct-port port-number] [timeout seconds] [retransmit retries] [key string]: Specify the IP address or host name of the remote RADIUS server host.

Step 7 show running-config: Verify your entries.
Step 8 copy running-config startup-config: (Optional) Save your entries in the configuration file.
Step 9 Enable RADIUS login authentication. See the "Configuring RADIUS Login Authentication" section on page 7-22.

To remove the specified RADIUS server, use the no radius-server host {hostname | ip-address} global configuration command.

Beginning in privileged EXEC mode, follow these steps to specify RADIUS authorization for privileged EXEC access and network services:

Step 1 configure terminal: Enter global configuration mode.
Step 2 aaa authorization network radius: Configure the switch for user RADIUS authorization for all network-related service requests.

Configuring Settings for All RADIUS Servers

Beginning in privileged EXEC mode, follow these steps to configure global communication settings between the switch and all RADIUS servers:

Step 1 configure terminal: Enter global configuration mode.
Step 2 radius-server key string: Specify the shared secret text string used between the switch and all RADIUS servers.

For example, the following AV pair activates Cisco's multiple named ip address pools feature during IP authorization (during PPP's IPCP address assignment):

cisco-avpair= "ip:addr-pool=first"

The following example shows how to provide a user logging in from a switch with immediate access to privileged EXEC commands:

cisco-avpair= "shell:priv-lvl=15"

Other vendors have their own unique vendor-IDs, options, and associated VSAs.

Beginning in privileged EXEC mode, follow these steps to specify a vendor-proprietary RADIUS server host and a shared secret text string:

Step 1 configure terminal: Enter global configuration mode.
Step 2 radius-server host {hostname | ip-address} non-standard: Specify the IP address or host name of the remote RADIUS server host and identify that it is using a vendor-proprietary implementation of RADIUS.
Configuring the Switch for Local Authentication and Authorization

You can configure AAA to operate without a server by setting the switch to implement AAA in local mode. The switch then handles authentication and authorization. No accounting is available in this configuration.
Managing the System Time and Date

You can manage the system time and date on your switch using automatic configuration, such as the Network Time Protocol (NTP), or manual configuration methods.

Note: For complete syntax and usage information for the commands used in this section, refer to the Cisco IOS Configuration Fundamentals Command Reference for Release 12.1.

running NTP automatically chooses as its time source the device with the lowest stratum number with which it communicates through NTP. This strategy effectively builds a self-organizing tree of NTP speakers. NTP avoids synchronizing to a device whose time might not be accurate by never synchronizing to a device that is not synchronized.

Figure 7-3 Typical NTP Network Configuration (figure): a Catalyst 6500 series switch (NTP master), local workgroup servers, and Catalyst 2950 or 3550 switches. These switches are configured in NTP server mode (server association) with the Catalyst 6500 series switch. One Catalyst 2950 or 3550 switch is configured as an NTP peer to the upstream and downstream Catalyst 3550 switches.

Default NTP Configuration

Table 7-2 shows the default NTP configuration.

Table 7-2 Default NTP Configuration
Feature: Default Setting
NTP authentication: Disabled. No authentication key is specified.
NTP peer or server associations: None configured.
NTP broadcast service: Disabled; no interface sends or receives NTP broadcast packets.
NTP access restrictions: No access control is specified.

Step 5 end: Return to privileged EXEC mode.
Step 6 show running-config: Verify your entries.
Step 7 copy running-config startup-config: (Optional) Save your entries in the configuration file.

To disable NTP authentication, use the no ntp authenticate global configuration command. To remove an authentication key, use the no ntp authentication-key number global configuration command.

Step 3 end: Return to privileged EXEC mode.
Step 4 show running-config: Verify your entries.
Step 5 copy running-config startup-config: (Optional) Save your entries in the configuration file.

You need to configure only one end of an association; the other device can automatically establish the association.

Step 6 copy running-config startup-config: (Optional) Save your entries in the configuration file.
Step 7 Configure the connected peers to receive NTP broadcast packets as described in the next procedure.

To disable the interface from sending NTP broadcast packets, use the no ntp broadcast interface configuration command.

Creating an Access Group and Assigning a Basic IP Access List

Beginning in privileged EXEC mode, follow these steps to control access to NTP services by using access lists:

Step 1 configure terminal: Enter global configuration mode.
Step 2 ntp access-group {query-only | serve-only | serve | peer} access-list-number: Create an access group, and apply a basic IP access list.

If the source IP address matches the access lists for more than one access type, the first type is granted. If no access groups are specified, all access types are granted to all devices. If any access groups are specified, only the specified access types are granted. To remove access control to the switch NTP services, use the no ntp access-group {query-only | serve-only | serve | peer} global configuration command.

Beginning in privileged EXEC mode, follow these steps to configure a specific interface from which the IP source address is to be taken:

Step 1 configure terminal: Enter global configuration mode.
Step 2 ntp source type number: Specify the interface type and number from which the IP source address is taken. By default, the source address is determined by the outgoing interface.
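The NTP authentication, access-group and source procedures above, combined into one configuration as an added example that is not taken from the guide: the upstream server address 172.20.10.5, the 172.20.20.0/24 workgroup range, key number 1, the key text placeholder, the access-list numbers and VLAN 1 are all assumptions.

```cisco
! Added example, not from the guide. Addresses, key and ACL numbers are assumed.
Switch# configure terminal
! Authenticate the time source: key 1 (same number and text) must also be
! configured on the upstream NTP server, or the association never synchronizes.
Switch(config)# ntp authenticate
Switch(config)# ntp authentication-key 1 md5 NTP-KEY-PLACEHOLDER
Switch(config)# ntp trusted-key 1
Switch(config)# ntp server 172.20.10.5 key 1
! Access control: once any access group exists, only the listed access
! types are granted, so the upstream server gets peer access, the
! workgroup subnet may only request time, and every other source gets
! no NTP service at all.
Switch(config)# access-list 10 permit host 172.20.10.5
Switch(config)# access-list 20 permit 172.20.20.0 0.0.0.255
Switch(config)# ntp access-group peer 10
Switch(config)# ntp access-group serve-only 20
! Send NTP from one stable management address instead of whichever
! interface happens to be outgoing, so the server's own ACL can match it.
Switch(config)# ntp source vlan 1
Switch(config)# end
! Verify: the association should show "authenticated" and the switch should
! report itself as synchronized to 172.20.10.5.
Switch# show running-config | include ntp
Switch# show ntp associations detail
Switch# show ntp status
```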
Setting the System Clock

If you have an outside source on the network that provides time services, such as an NTP server, you do not need to manually set the system clock. Beginning in privileged EXEC mode, follow these steps to set the system clock:

Step 1 clock set hh:mm:ss day month year: Manually set the system clock using one of these formats.

Configuring the Time Zone

Beginning in privileged EXEC mode, follow these steps to manually configure the time zone:

Step 1 configure terminal: Enter global configuration mode.
Step 2 clock timezone zone hours-offset [minutes-offset]: Set the time zone. The switch keeps internal time in universal time coordinated (UTC), so this command is used only for display purposes and when the time is manually set.

Configuring Summer Time (Daylight Saving Time)

Beginning in privileged EXEC mode, follow these steps to configure summer time (daylight saving time) in areas where it starts and ends on a particular day of the week each year:

Step 1 configure terminal: Enter global configuration mode.
Step 2 clock summer-time zone recurring: Configure summer time to start and end on the specified days every year.

Beginning in privileged EXEC mode, follow these steps if summer time in your area does not follow a recurring pattern (configure the exact date and time of the next summer time events):

Step 1 configure terminal: Enter global configuration mode.
Step 2 clock summer-time zone date [month date year hh:mm month date year hh:mm: Configure summer time to start on the first date and end on the second date.
Configuring a System Name and Prompt

You configure the system name on the switch to identify it. By default, the system name and prompt are Switch. If you have not configured a system prompt, the first 20 characters of the system name are used as the system prompt. A greater-than symbol [>] is appended.

Configuring a System Prompt

Beginning in privileged EXEC mode, follow these steps to manually configure a system prompt:

Step 1 configure terminal: Enter global configuration mode.
Step 2 prompt string: Configure the command-line prompt to override the setting from the hostname command.

Default DNS Configuration

Table 7-3 shows the default DNS configuration.

Table 7-3 Default DNS Configuration
Feature: Default Setting
DNS enable state: Enabled.
DNS default domain name: None configured.
DNS servers: No name server addresses are configured.
domain name is the value set by the ip domain-name global configuration command. If there is a period (.) in the hostname, the IOS software looks up the IP address without appending any default domain name to the hostname. To remove a domain name, use the no ip domain-name name global configuration command. To remove a name server address, use the no ip name-server server-address global configuration command.

Creating a Banner

Configuring a Message-of-the-Day Login Banner

You can create a single or multiline message banner that appears on the screen when someone logs in to the switch. Beginning in privileged EXEC mode, follow these steps to configure a MOTD login banner:

Step 1 configure terminal: Enter global configuration mode.
Step 2 banner motd c message c: Specify the message of the day.

Configuring a Login Banner

You can configure a login banner to be displayed on all connected terminals. This banner appears after the MOTD banner and before the login prompt. Beginning in privileged EXEC mode, follow these steps to configure a login banner:

Step 1 configure terminal: Enter global configuration mode.
Step 2 banner login c message c: Specify the login message.
Managing the MAC Address Table

The MAC address table contains address information that the switch uses to forward traffic between ports. All MAC addresses in the address table are associated with one or more ports. The address table includes these types of addresses:
• Dynamic address: a source MAC address that the switch learns and then ages when it is not in use.

MAC Addresses and VLANs

All addresses are associated with a VLAN. An address can exist in more than one VLAN and have different destinations in each. Multicast addresses, for example, could be forwarded to port 1 in VLAN 1 and ports 9, 10, and 11 in VLAN 5. Each VLAN maintains its own logical address table. A known address in one VLAN is unknown in another until it is learned or statically associated with a port in the other VLAN.

Step 4 show mac address-table aging-time: Verify your entries.
Step 5 copy running-config startup-config: (Optional) Save your entries in the configuration file.

To return to the default value, use the no mac address-table aging-time global configuration command.

Removing Dynamic Address Entries

To remove all dynamic entries, use the clear mac address-table dynamic command in privileged EXEC mode.

Beginning in privileged EXEC mode, follow these steps to configure the switch to send MAC address notification traps to an NMS host:

Step 1 configure terminal: Enter global configuration mode.
Step 2 snmp-server host host-addr {traps | informs} {version {1 | 2c | 3}} community-string notification-type: Specify the recipient of the trap message.
• For host-addr, specify the name or address of the NMS.

Step 9 show mac address-table notification interface or show running-config: Verify your entries.
Step 10 copy running-config startup-config: (Optional) Save your entries in the configuration file.

To disable the switch from sending MAC address notification traps, use the no snmp-server enable traps mac-notification global configuration command.

Beginning in privileged EXEC mode, follow these steps to add a static address:

Step 1 configure terminal: Enter global configuration mode.
Step 2 mac address-table static mac-addr vlan vlan-id interface interface-id: Add a static address to the MAC address table.
• For mac-addr, specify the destination MAC address (unicast or multicast) to add to the address table.

Beginning in privileged EXEC mode, follow these steps to add a secure address:

Step 1 configure terminal: Enter global configuration mode.
Step 2 interface interface-id: Specify an interface, and enter interface configuration mode.
Step 3 switchport port-security mac-address mac-address: Add a secure address.
Step 4 end: Return to privileged EXEC mode.
Step 5 show port-security: Verify your entry.
Managing the ARP Table

To communicate with a device (over Ethernet, for example), the software first must determine the 48-bit MAC or the local data link address of that device. The process of determining the local data link address from an IP address is called address resolution. The Address Resolution Protocol (ARP) associates a host IP address with the corresponding media or MAC addresses and the VLAN ID.
CHAPTER 8 Configuring 802.1X Port-Based Authentication

This chapter describes how to configure IEEE 802.1X port-based authentication to prevent unauthorized devices (clients) from gaining access to the network. As LANs extend to hotels, airports, and corporate lobbies, insecure environments could be created.

Note: For complete syntax and usage information for the commands used in this chapter, refer to the command reference for this release.

Understanding 802.1X Port-Based Authentication

Device Roles

With 802.1X port-based authentication, the devices in the network have specific roles as shown in Figure 8-1.

Figure 8-1 802.1X Device Roles (figure): workstations (clients), a Catalyst 2950 or 3550 (switch), and an authentication server (RADIUS).

• Client—the device (workstation) that requests access to the LAN and switch services and responds to requests from the switch.

Authentication Initiation and Message Exchange

The switch or the client can initiate authentication. If you enable authentication on a port by using the dot1x port-control auto interface configuration command, the switch must initiate authentication when it determines that the port link state transitions from down to up.

Ports in Authorized and Unauthorized States

The switch port state determines whether or not the client is granted access to the network. The port starts in the unauthorized state. While in this state, the port disallows all ingress and egress traffic except for 802.1X protocol packets.

Configuring 802.1X Authentication

Supported Topologies

The 802.1X port-based authentication is supported in two topologies:
• Point-to-point
• Wireless LAN

In a point-to-point configuration (see Figure 8-1 on page 8-2), only one client can be connected to the 802.1X-enabled switch port. The switch detects the client when the port link state changes to the up state.

Default 802.1X Configuration

Table 8-1 shows the default 802.1X configuration.

Table 8-1 Default 802.1X Configuration
Feature: Default Setting
Authentication, authorization, and accounting (AAA): Disabled.
RADIUS server
• IP address: None specified.
• UDP authentication port: 1812.
• Key: None specified.
Per-interface 802.1X enable state: Disabled (force-authorized).

802.1X Configuration Guidelines

These are the 802.1X authentication configuration guidelines:
• When 802.1X is enabled, ports are authenticated before any other Layer 2 features are enabled.
• The 802.1X protocol is supported on Layer 2 static-access ports, but it is not supported on these port types:
– Trunk port—If you try to enable 802.1X on a trunk port, an error message appears, and 802.1X is not enabled.

Enabling 802.1X Authentication

To enable 802.1X port-based authentication, you must enable AAA and specify the authentication method list. A method list describes the sequence and authentication methods to be queried to authenticate a user. The software uses the first method listed to authenticate users; if that method fails to respond, the software selects the next authentication method in the method list.

This example shows how to enable AAA and 802.

This example shows how to specify the server with IP address 172.20.39.46 as the RADIUS server, to use port 1612 as the authorization port, and to set the encryption key to rad123, matching the key on the RADIUS server:

Switch(config)# radius-server host 172.20.39.

Manually Re-Authenticating a Client Connected to a Port

You can manually re-authenticate the client connected to a specific port at any time by entering the dot1x re-authenticate interface interface-id privileged EXEC command. If you want to enable or disable periodic re-authentication, see the "Enabling Periodic Re-Authentication" section on page 8-10.

Changing the Switch-to-Client Retransmission Time

The client responds to the EAP-request/identity frame from the switch with an EAP-response/identity frame. If the switch does not receive this response, it waits a set period of time (known as the retransmission time) and then resends the frame.

Setting the Switch-to-Client Frame-Retransmission Number

In addition to changing the switch-to-client retransmission time, you can change the number of times that the switch sends an EAP-request/identity frame (assuming no response is received) to the client before restarting the authentication process.

Step 4 end: Return to privileged EXEC mode.
Step 5 show dot1x interface interface-id: Verify your entries.
Step 6 copy running-config startup-config: (Optional) Save your entries in the configuration file.

To disable multiple hosts on the port, use the no dot1x multiple-hosts interface configuration command. This example shows how to enable 802.
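The 802.1X enabling, periodic re-authentication, retransmission-time and retransmission-number settings described in this chapter, brought together in one configuration as an added example that is not taken from the guide: the RADIUS key placeholder, the interface fastethernet0/1, the timer and retry values, and the global form of the re-authentication and timeout commands are assumptions for this release; the server address is the one used in the guide's own example.

```cisco
! Added example, not from the guide. Key, interface and timer values are assumed.
Switch# configure terminal
Switch(config)# aaa new-model
! 802.1X has no local fallback: the method list for dot1x is RADIUS only.
Switch(config)# aaa authentication dot1x default group radius
! RADIUS server the switch relays EAP to; 1812 is the default auth port
! (Table 8-1) and the key must match the server exactly.
Switch(config)# radius-server host 172.20.39.46 auth-port 1812 key RADIUS-KEY-PLACEHOLDER
! Periodic re-authentication, so a port does not stay authorized forever
! after the original client is unplugged and replaced.
Switch(config)# dot1x re-authentication
Switch(config)# dot1x timeout re-authperiod 3600
! Switch-to-client EAP-request/identity retransmission: wait 30 seconds,
! resend at most 2 times, then restart authentication from the beginning.
Switch(config)# dot1x timeout tx-period 30
Switch(config)# dot1x max-req 2
! Port toward a single workstation (point-to-point topology). 802.1X is
! only supported on static-access ports, never on trunks.
Switch(config)# interface fastethernet0/1
Switch(config-if)# switchport mode access
Switch(config-if)# dot1x port-control auto
! Leave multiple-hosts disabled: with it on, one authenticated host
! behind a hub would open the port for every other device on that hub.
Switch(config-if)# no dot1x multiple-hosts
Switch(config-if)# end
! The port should show port-control auto and, after a client succeeds,
! the authorized state.
Switch# show dot1x interface fastethernet0/1
Switch# copy running-config startup-config
```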
C H A P T E R 9 Configuring Interface Characteristics This chapter defines the types of interfaces on the switch and describes how to configure them.
Chapter 9 Configuring Interface Characteristics Understanding Interface Types VLAN partitions provide hard firewalls for traffic in the VLAN, and each VLAN has its own MAC address table. A VLAN comes into existence when a local port is configured to be associated with the VLAN, when the VLAN Trunking Protocol (VTP) learns of its existence from a neighbor on a trunk, or when a user creates a VLAN.
Chapter 9 Configuring Interface Characteristics Understanding Interface Types Trunk Ports A trunk port carries the traffic of multiple VLANs and by default is a member of all VLANs in the VLAN database. Only IEEE 802.1Q trunk ports are supported. An IEEE 802.1Q trunk port supports simultaneous tagged and untagged traffic. An 802.1Q trunk port is assigned a default Port VLAN ID (PVID), and all untagged traffic travels on the port default PVID.
Chapter 9 Configuring Interface Characteristics Using the Interface Command Figure 9-1 Connecting VLANs with Layer 2 Switches Cisco router Switch Host B VLAN 20 VLAN 30 46647 Host A Using the Interface Command The switch supports these interface types: • Physical ports—Switch ports • VLANs—switch virtual interfaces • Port-channels—EtherChannel of interfaces You can also configure a range of interfaces (see the “Configuring a Range of Interfaces” section on page 9-6).
Chapter 9 Configuring Interface Characteristics Using the Interface Command Procedures for Configuring Interfaces These general instructions apply to all interface configuration processes. Step 1 Enter the configure terminal command at the privileged EXEC prompt: Switch# configure terminal Enter configuration commands, one per line. End with CNTL/Z. Switch(config)# Step 2 Enter the interface global configuration command. Identify the interface type and the number of the connector.
Chapter 9 Configuring Interface Characteristics Using the Interface Command reliability 255/255, txload 1/255, rxload 1/255 Encapsulation ARPA, loopback not set Keepalive set (10 sec) Auto-duplex, Auto-speed input flow-control is off, output flow-control is off ARP type: ARPA, ARP Timeout 04:00:00 Last input never, output never, output hang never Last clearing of "show interface" counters never Queueing strategy: fifo Output queue 0/40, 0 drops; input queue 0/75, 0 drops 5 minute input rate 0 bits/sec, 0
Chapter 9 Configuring Interface Characteristics Using the Interface Command When using the interface range global configuration command, note these guidelines: • Valid entries for port-range: – vlan vlan-ID - vlan-ID, where VLAN ID is from 1 to 4094 with the enhanced software image installed or 1 to 1005 with the standard software image installed – fastethernet slot/{first port} - {last port}, where slot is 0 – gigabitethernet slot/{first port} - {last port}, where slot is 0 – port-channel port-channel-
Chapter 9 Configuring Interface Characteristics Using the Interface Command If you enter multiple configuration commands while you are in interface range mode, each command is executed as it is entered. The commands are not batched together and executed after you exit interface range mode. If you exit interface range configuration mode while the commands are being executed, some commands might not be executed on all interfaces in the range.
Chapter 9 Configuring Interface Characteristics Configuring Layer 2 Interfaces • All interfaces in a range must be the same type; that is, all Fast Ethernet ports, all Gigabit Ethernet ports, all EtherChannel ports, or all VLANs, but you can combine multiple interface types in a macro.
Chapter 9 Configuring Interface Characteristics Configuring Layer 2 Interfaces Table 9-1 Default Layer 2 Ethernet Interface Configuration Feature Default Setting Operating mode Layer 2 Allowed VLAN range VLANs 1 – 4094 with the enhanced software image installed or 1 to 1005 with the standard software image installed. Default VLAN (for access ports) VLAN 1. Native VLAN (for 802.1Q trunks) VLAN 1. VLAN trunking Switchport mode dynamic desirable (supports DTP).
Chapter 9 Configuring Interface Characteristics Configuring Layer 2 Interfaces These sections describe how to configure the interface speed and duplex mode: • Configuration Guidelines, page 9-11 • Setting the Interface Speed and Duplex Parameters, page 9-11 Configuration Guidelines When configuring an interface speed and duplex mode, note these guidelines: Caution • Ethernet ports set to 1000 Mbps should always be set to full duplex.
Step    Command                        Purpose
Step 4  duplex {auto | full | half}    Enter the duplex parameter for the interface.
        Note: The 100BASE-FX ports set to 100 and the 10/100/1000 ports set to 1000 operate only in full-duplex mode.
Step 5  end                            Return to privileged EXEC mode.
Step 6  show interfaces interface-id   Display the interface speed and duplex mode configuration.
Step 7
Note
• receive off and send on: The port sends pause frames if the remote device supports flow control but cannot receive pause frames from the remote device.
• receive off and send desired: The port cannot receive pause frames but can send pause frames if the attached device supports flow control.
• receive off and send off: Flow control does not operate in either direction.
Chapter 9 Configuring Interface Characteristics Monitoring and Maintaining the Interfaces

Step    Command                                    Purpose
Step 5  show interfaces interface-id description   Verify your entry.
        or
        show running-config
Step 6  copy running-config startup-config         (Optional) Save your entries in the configuration file.

Use the no description interface configuration command to delete the description.
Table 9-2 Show Commands for Interfaces (continued)

Command                                        Purpose
show running-config interface [interface-id]   Display the running configuration in RAM for the interface.
show version                                   Display the hardware configuration, software version, the names and sources of configuration files, and the boot images.
no ip address
mls qos cos 7
mls qos cos override
end

Clearing and Resetting Interfaces and Counters

Table 9-3 lists the privileged EXEC mode clear commands that you can use to clear counters and reset interfaces.

Table 9-3 Clear Commands for Interfaces

Command                         Purpose
clear counters [interface-id]   Clear interface counters.
clear interface interface-id    Reset the hardware logic on an interface.
Shutting Down and Restarting the Interface

Shutting down an interface disables all functions on the specified interface and marks the interface as unavailable on all monitoring command displays. This information is communicated to other network servers through all dynamic routing protocols. The interface is not mentioned in any routing updates.
Catalyst 2950 Desktop Switch Software Configuration Guide 9-18 78-11380-05
Chapter 10 Configuring STP

This chapter describes how to configure the Spanning Tree Protocol (STP) on your switch. For information about the Rapid Spanning Tree Protocol (RSTP) and the Multiple Spanning Tree Protocol (MSTP), see Chapter 11, “Configuring RSTP and MSTP.” For information about optional spanning-tree features, see Chapter 12, “Configuring Optional Spanning-Tree Features.
Chapter 10 Configuring STP Understanding Spanning-Tree Features

• Spanning Tree and Redundant Connectivity, page 10-8
• Accelerated Aging to Retain Connectivity, page 10-9

STP Overview

STP is a Layer 2 link management protocol that provides path redundancy while preventing loops in the network. For a Layer 2 Ethernet network to function properly, only one active path can exist between any two stations.
• Message age
• The identifier of the sending interface
• Values for the hello, forward delay, and max-age protocol timers

When a switch receives a configuration BPDU that contains superior information (lower bridge ID, lower path cost, and so forth), it stores the information for that port.
BPDUs contain information about the sending switch and its ports, including switch and MAC addresses, switch priority, port priority, and path cost. Spanning tree uses this information to elect the root switch and root port for the switched network and the root port and designated port for each switched segment.

Bridge ID, Switch Priority, and Extended System ID

The IEEE 802.
Creating the Spanning-Tree Topology

In Figure 10-1, Switch A is elected as the root switch because the switch priority of all the switches is set to the default (32768) and Switch A has the lowest MAC address. However, because of traffic patterns, number of forwarding interfaces, or link types, Switch A might not be the ideal root switch.
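As an added illustration (not code from this guide or from the switch software), the following Python models the election just described: each switch's bridge ID is built from its switch priority, the VLAN ID carried in the extended system ID, and its MAC address; the lowest bridge ID wins, so with every switch at the default 32768 the lowest MAC address decides, as in Figure 10-1; the remaining switches then pick the root port with the lowest cumulative path cost. The three-switch topology, MAC addresses and link speeds are constructed for the example, and the 802.1t bridge-ID layout and the 802.1D default path-cost table are assumptions taken from the standards rather than from this page. It goes slightly beyond Figure 10-1 by also showing how lowering one switch's priority to 28672 (the secondary-root value named later in this guide) overrides the MAC-address tie-break.

```python
"""Model of 802.1D root election with the extended system ID.
Added example, not the guide's or the switch's own code."""
import heapq
from dataclasses import dataclass, field

# Default path cost per link speed in Mbps (assumed from IEEE 802.1D-1998;
# the guide only says the default "is derived from the media speed").
DEFAULT_PATH_COST = {10: 100, 100: 19, 1000: 4}


def bridge_id(priority: int, vlan_id: int, mac: str) -> int:
    """64-bit bridge ID as laid out by IEEE 802.1t: a 4-bit priority
    (multiple of 4096), a 12-bit system ID extension carrying the VLAN ID,
    then the 48-bit MAC address.  A lower value is a better root claim."""
    if priority % 4096 or not 0 <= priority <= 61440:
        raise ValueError("priority must be a multiple of 4096 in 0..61440")
    if not 1 <= vlan_id <= 4094:
        raise ValueError("VLAN ID must be 1..4094")
    mac_int = int(mac.replace(":", "").replace(".", ""), 16)
    return ((priority | vlan_id) << 48) | mac_int


@dataclass
class Switch:
    name: str
    mac: str
    priority: int = 32768                      # default named in the chapter
    links: dict = field(default_factory=dict)  # neighbour name -> speed (Mbps)


def elect_root(switches, vlan_id=1):
    """Return (root name, {name: bridge ID}) for one VLAN's spanning tree.
    With equal priorities the lowest MAC address decides, as in Figure 10-1."""
    ids = {s.name: bridge_id(s.priority, vlan_id, s.mac) for s in switches}
    return min(ids, key=ids.get), ids


def root_path_costs(switches, root):
    """Cumulative path cost from every switch to the root, i.e. the root path
    cost each switch ends up advertising in its own BPDUs.  Plain Dijkstra
    over the per-link default costs."""
    graph = {s.name: s.links for s in switches}
    best = {root: 0}
    heap = [(0, root)]
    while heap:
        cost, node = heapq.heappop(heap)
        if cost > best[node]:
            continue
        for nbr, speed in graph[node].items():
            new_cost = cost + DEFAULT_PATH_COST[speed]
            if new_cost < best.get(nbr, float("inf")):
                best[nbr] = new_cost
                heapq.heappush(heap, (new_cost, nbr))
    return best


def sample_topology():
    """Constructed three-switch triangle: A-B is 100 Mbps, A-C and B-C are
    1000 Mbps.  MAC addresses are made up for the example."""
    a = Switch("A", "00:00:0c:aa:00:01", links={"B": 100, "C": 1000})
    b = Switch("B", "00:00:0c:aa:00:02", links={"A": 100, "C": 1000})
    c = Switch("C", "00:00:0c:aa:00:03", links={"A": 1000, "B": 1000})
    return [a, b, c]


def demo():
    switches = sample_topology()
    root, _ = elect_root(switches)           # all at 32768: lowest MAC wins
    costs = root_path_costs(switches, root)  # B reaches A via C (4+4), not directly (19)
    # Give C the secondary-root priority the guide mentions (28672): a lower
    # priority field outranks A's lower MAC address.
    switches[2].priority = 28672
    new_root, _ = elect_root(switches)
    return {"root": root, "costs": costs, "root_after": new_root}


if __name__ == "__main__":
    print(demo())
```

Note that B's cheapest path to the root runs through C (4 + 4 = 8) rather than over its direct 100 Mbps link (19), which is exactly the "lower path cost" comparison the BPDU processing rules above rely on.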
An interface moves through these states:
• From initialization to blocking
• From blocking to listening or to disabled
• From listening to learning or to disabled
• From learning to forwarding or to disabled
• From forwarding to disabled

Figure 10-2 illustrates how an interface moves through the states.
Blocking State

A Layer 2 interface in the blocking state does not participate in frame forwarding. After initialization, a BPDU is sent to each interface in the switch. A switch initially functions as the root until it exchanges BPDUs with other switches. This exchange establishes which switch in the network is the root or root switch.
Disabled State

A Layer 2 interface in the disabled state does not participate in frame forwarding or in the spanning tree. An interface in the disabled state is nonoperational. A disabled interface performs as follows:
• Discards frames received on the port
• Discards frames switched from another interface for forwarding
• Does not learn addresses
• Does not receive BPDUs

Spanning-Tree Address Management

IEEE 802.
Chapter 10 Configuring STP Configuring Spanning-Tree Features

Figure 10-3 Spanning Tree and Redundant Connectivity
[Figure labels: Switch A, Switch B, Switch C (each a Catalyst 2950 or 3550 switch); Active link; Blocked link; Workstations.]

You can also create redundant links between switches by using EtherChannel groups. For more information, see Chapter 26, “Configuring EtherChannels.
• Configuring the Hello Time, page 10-19
• Configuring the Forwarding-Delay Time for a VLAN, page 10-19
• Configuring the Maximum-Aging Time for a VLAN, page 10-20
• Configuring STP for Use in a Cascaded Stack, page 10-20

Default STP Configuration

Table 10-3 shows the default STP configuration.

Table 10-3 Default STP Configuration

Feature        Default Setting
Enable state   Enabled on VLAN 1.
Caution
Switches that are not running spanning tree still forward BPDUs that they receive so that the other switches on the VLAN that have a running spanning-tree instance can break loops. Therefore, spanning tree must be running on enough switches to break all the loops in the network; for example, at least one switch on each loop in the VLAN must be running spanning tree.
Disabling STP

STP is enabled by default on VLAN 1 and on all newly created VLANs up to the spanning-tree limit specified in Table 10-3. Disable STP only if you are sure there are no loops in the network topology.

Caution
When STP is disabled and loops are present in the topology, excessive traffic and indefinite packet duplication can drastically reduce network performance.
These examples show the effect of the spanning-tree vlan vlan-id root command with and without the extended system ID support:
• For Catalyst 2950 switches with the extended system ID (Release 12.
Beginning in privileged EXEC mode, follow these steps to configure a switch to become the root for the specified VLAN:

Step    Command                                                                                Purpose
Step 1  configure terminal                                                                     Enter global configuration mode.
Step 2  spanning-tree vlan vlan-id root primary [diameter net-diameter [hello-time seconds]]   Configure a switch to become the root for the specified VLAN.
Beginning in privileged EXEC mode, follow these steps to configure a switch to become the secondary root for the specified VLAN:

Step    Command                                                                                  Purpose
Step 1  configure terminal                                                                       Enter global configuration mode.
Step 2  spanning-tree vlan vlan-id root secondary [diameter net-diameter [hello-time seconds]]   Configure a switch to become the secondary root for the specified VLAN.
Step    Command                                             Purpose
Step 3  spanning-tree port-priority priority                Configure the port priority for an interface that is an access port. For priority, the range is 0 to 255; the default is 128. The lower the number, the higher the priority.
Step 4  spanning-tree vlan vlan-id port-priority priority   Configure the VLAN port priority for an interface that is a trunk port.
Step    Command                   Purpose
Step 3  spanning-tree cost cost   Configure the cost for an interface that is an access port. If a loop occurs, spanning tree uses the path cost when selecting an interface to place into the forwarding state. A lower path cost represents higher-speed transmission. For cost, the range is 1 to 200000000; the default value is derived from the media speed of the interface.
Configuring the Switch Priority of a VLAN

You can configure the switch priority and make it more likely that the switch will be chosen as the root switch.

Note
Exercise care when using this command. For most situations, we recommend that you use the spanning-tree vlan vlan-id root primary and the spanning-tree vlan vlan-id root secondary global configuration commands to modify the switch priority.
Configuring the Hello Time

You can configure the interval between the generation of configuration messages by the root switch by changing the hello time.

Note
Exercise care when using this command. For most situations, we recommend that you use the spanning-tree vlan vlan-id root primary and the spanning-tree vlan vlan-id root secondary global configuration commands to modify the hello time.
To return the switch to its default setting, use the no spanning-tree vlan vlan-id forward-time global configuration command.

Configuring the Maximum-Aging Time for a VLAN

Beginning in privileged EXEC mode, follow these steps to configure the maximum-aging time for a VLAN:

Step    Command              Purpose
Step 1  configure terminal   Enter global configuration mode.
Chapter 10 Configuring STP Displaying the Spanning-Tree Status

Figure 10-4 Gigabit Ethernet Stack
[Figure labels: Catalyst 3550 series switch; Catalyst 2950 or 3550 switches; Catalyst 3550 or 6000 series backbone; Layer 3 backbone; Cisco 7000 router; Catalyst 6000 switch. Option 1: standalone cascaded cluster. Option 2: cascaded cluster connected to a Layer 2 backbone. Option 3: cascaded cluster connected to a Layer 3 backbone.]

Displ
Chapter 11 Configuring RSTP and MSTP

This chapter describes how to configure the Cisco implementation of the IEEE 802.1W Rapid Spanning Tree Protocol (RSTP) and the IEEE 802.1S Multiple STP (MSTP) on your switch. To use the features described in this chapter, you must have the enhanced software image (EI) installed on your switch. RSTP provides rapid convergence of the spanning tree.
Chapter 11 Configuring RSTP and MSTP Understanding RSTP

Understanding RSTP

The RSTP takes advantage of point-to-point wiring and provides rapid convergence of the spanning tree. Reconfiguration of the spanning tree can occur in less than 1 second (in contrast to 50 seconds with the default settings in the 802.1D spanning tree), which is critical for networks carrying delay-sensitive traffic such as voice and video.
Table 11-1 Port State Comparison (continued)

Operational Status   STP Port State   RSTP Port State   Is Port Included in the Active Topology?
Enabled              Forwarding       Forwarding        Yes
Disabled             Disabled         Discarding        No

To be consistent with Cisco STP implementations, this guide documents the port state as blocking instead of discarding. Designated ports start in the listening state.
Figure 11-1 Proposal and Agreement Handshaking for Rapid Convergence
[Figure labels: Switch A, Switch B, Switch C; Root; Designated switch; Proposal; Agreement; DP = designated port, RP = root port, F = forwarding.]

Synchronization of Port Roles

When the switch receives a proposal message on one of its ports and that port is selected as the new r
Figure 11-2 Sequence of Events During Rapid Convergence
[Figure labels, in sequence: 1. Proposal; 2. Block; 3. Block; 4. Agreement; 5. Forward; 6. Proposal; 7. Proposal; 8. Agreement; 9. Forward; 10. Agreement; 11. Forward. Port labels: Edge port, Root port, Designated port.]

Bridge Protocol Data Unit Format and Processing

The RSTP BPDU format is the same as the IEEE 802.1D BPDU format except that the protocol version is set to 2.
The RSTP does not have a separate topology change notification (TCN) BPDU. It uses the topology change (TC) flag to show the topology changes. However, for interoperability with 802.1D switches, the RSTP switch processes and generates TCN BPDUs. The learning and forwarding flags are set according to the state of the sending port.
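The BPDU fields these paragraphs refer to (protocol version, BPDU type, and the TC, proposal, learning, forwarding and agreement flags) can be decoded with a short Python parser. The code below is an added example, not the switch's own code: the field layout is taken from the IEEE 802.1D and 802.1w BPDU encoding (a 35-byte configuration BPDU, a 4-byte TCN BPDU, and a 36-byte RST BPDU that appends the Version 1 Length field), the timer units of 1/256 second come from the same standards, and the sample frames, MAC address and timer values are constructed for the example. It also answers the question the "Interoperability with 802.1D STP" section poses later, namely whether a received BPDU is a legacy version-0 configuration BPDU.

```python
"""Decoder for 802.1D/802.1w BPDU payloads (the bytes after the LLC header).
Added example; field layout per IEEE 802.1D and 802.1w."""
import struct

CONFIG_BPDU_FMT = ">HBBB8sI8sHHHHH"      # 35 bytes
CONFIG_BPDU_LEN = struct.calcsize(CONFIG_BPDU_FMT)
BPDU_TYPE = {0x00: "CONFIG", 0x80: "TCN", 0x02: "RST"}
PORT_ROLE = {0: "unknown", 1: "alternate/backup", 2: "root", 3: "designated"}


def decode_bridge_id(raw: bytes) -> dict:
    """Split the 8-byte bridge ID into priority, system ID extension
    (the VLAN ID under the extended system ID) and MAC address."""
    field16 = int.from_bytes(raw[:2], "big")
    return {
        "priority": field16 & 0xF000,
        "sys_id_ext": field16 & 0x0FFF,
        "mac": ":".join(f"{b:02x}" for b in raw[2:]),
    }


def decode_flags(flags: int, rstp: bool) -> dict:
    """802.1D uses only bit 0 (TC) and bit 7 (TCA); 802.1w adds proposal,
    port role, learning, forwarding and agreement in bits 1 to 6."""
    out = {"tc": bool(flags & 0x01), "tca": bool(flags & 0x80)}
    if rstp:
        out.update({
            "proposal": bool(flags & 0x02),
            "role": PORT_ROLE[(flags >> 2) & 0x3],
            "learning": bool(flags & 0x10),
            "forwarding": bool(flags & 0x20),
            "agreement": bool(flags & 0x40),
        })
    return out


def parse_bpdu(payload: bytes) -> dict:
    """Return a dict describing the BPDU, or raise ValueError if malformed."""
    if len(payload) < 4:
        raise ValueError("too short for a BPDU")
    proto_id, version, bpdu_type = struct.unpack(">HBB", payload[:4])
    if proto_id != 0:
        raise ValueError(f"unexpected protocol identifier {proto_id:#06x}")
    kind = BPDU_TYPE.get(bpdu_type)
    if kind is None:
        raise ValueError(f"unknown BPDU type {bpdu_type:#04x}")
    info = {"version": version, "kind": kind}
    if kind == "TCN":
        return info                          # a TCN BPDU carries nothing more
    if len(payload) < CONFIG_BPDU_LEN:
        raise ValueError("truncated configuration BPDU")
    (_, _, _, flags, root_id, root_cost, bridge_id, port_id,
     msg_age, max_age, hello, fwd_delay) = struct.unpack(
        CONFIG_BPDU_FMT, payload[:CONFIG_BPDU_LEN])
    is_rst = kind == "RST"
    info.update({
        "flags": decode_flags(flags, is_rst),
        "root": decode_bridge_id(root_id),
        "root_path_cost": root_cost,
        "bridge": decode_bridge_id(bridge_id),
        "port_id": port_id,
        # Timer fields are carried in units of 1/256 second.
        "message_age": msg_age / 256,
        "max_age": max_age / 256,
        "hello_time": hello / 256,
        "forward_delay": fwd_delay / 256,
    })
    if is_rst:
        if len(payload) < CONFIG_BPDU_LEN + 1:
            raise ValueError("RST BPDU missing Version 1 Length")
        info["version1_length"] = payload[CONFIG_BPDU_LEN]
    return info


def needs_legacy_mode(info: dict) -> bool:
    """A version-0 BPDU means a legacy 802.1D switch is on the port."""
    return info["version"] == 0


def build_sample(version: int, bpdu_type: int, flags: int) -> bytes:
    """Constructed BPDU from a root switch (priority 32768, VLAN 1, made-up
    MAC) with timers hello 2 s, max age 20 s, forward delay 15 s (802.1D
    defaults assumed for the example, not quoted from this page)."""
    bid = bytes.fromhex("8001" "00000caa0001")
    body = struct.pack(CONFIG_BPDU_FMT, 0, version, bpdu_type, flags,
                       bid, 0, bid, 0x8001, 0, 20 * 256, 2 * 256, 15 * 256)
    return body + (b"\x00" if bpdu_type == 0x02 else b"")


SAMPLE_RST = build_sample(2, 0x02, 0x3E)   # proposal, designated, learning, forwarding
SAMPLE_LEGACY = build_sample(0, 0x00, 0x00)
SAMPLE_TCN = bytes.fromhex("00000080")
```

Run against `SAMPLE_RST` the parser reports version 2, an RST BPDU, and the proposal, designated-role, learning and forwarding flags; `SAMPLE_LEGACY` comes back as a version-0 configuration BPDU, the case in which a port falls back to sending only 802.1D BPDUs.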
Chapter 11 Configuring RSTP and MSTP Understanding MSTP

• Propagation—When an RSTP switch receives a TC message from another switch through a designated or root port, it propagates the topology change to all of its nonedge, edge, designated ports, and root port (excluding the port on which it is received). The switch starts the TC-while timer for all such ports and flushes the information learned on them.
• Protocol migration—For backward compatibility with 802.1D switches, RSTP selectively sends 802.
IST, CIST, and CST

Unlike PVST+ in which all the spanning-tree instances are independent, the MSTP establishes and maintains two types of spanning-trees:
• An internal spanning tree (IST), which is the spanning tree that runs in an MST region. Within each MST region, the MSTP maintains multiple spanning-tree instances. Instance 0 is a special instance for a region, known as the internal spanning tree (IST).
Operations Between MST Regions

If there are multiple regions or legacy 802.1D switches within the network, MSTP establishes and maintains the CST, which includes all MST regions and all legacy STP switches in the network. The MST instances combine with the IST at the boundary of the region to become the CST.
Hop Count

The IST and MST instances do not use the message-age and maximum-age information in the configuration BPDU to compute the spanning-tree topology. Instead, they use the path cost to the root and a hop-count mechanism similar to the IP time-to-live (TTL) mechanism.
Chapter 11 Configuring RSTP and MSTP Interoperability with 802.1D STP

Interoperability with 802.1D STP

A switch running both MSTP and RSTP supports a built-in protocol migration mechanism that enables it to interoperate with legacy 802.1D switches. If this switch receives a legacy 802.1D configuration BPDU (a BPDU with the protocol version set to 0), it sends only 802.1D BPDUs on that port.
Chapter 11 Configuring RSTP and MSTP Configuring RSTP and MSTP Features

Default RSTP and MSTP Configuration

Table 11-3 shows the default RSTP and MSTP configuration.

Table 11-3 Default RSTP and MSTP Configuration

Feature                                                                    Default Setting
Spanning-tree mode                                                         PVST (MSTP and RSTP are disabled).
Switch priority (configurable on a per-CIST interface basis)               32768.
Spanning-tree port priority (configurable on a per-CIST interface basis)   128.
Specifying the MST Region Configuration and Enabling MSTP

For two or more switches to be in the same MST region, they must have the same VLAN-to-instance mapping, the same configuration revision number, and the same name. A region can have one member or multiple members with the same MST configuration; each member must be capable of processing RSTP BPDUs.
configuration command. To return to the default revision number, use the no revision MST configuration command. To re-enable PVST, use the no spanning-tree mode or the spanning-tree mode pvst global configuration command.
Note
The root switch for each spanning-tree instance should be a backbone or distribution switch. Do not configure an access switch as the spanning-tree primary root.

Use the diameter keyword, which is available only for MST instance 0, to specify the Layer 2 network diameter (that is, the maximum number of switch hops between any two end stations in the Layer 2 network).
Configuring a Secondary Root Switch

When you configure a Catalyst 2950 switch that supports the extended system ID as the secondary root, the spanning-tree switch priority is modified from the default value (32768) to 28672. The switch is then likely to become the root switch for the specified instance if the primary root switch fails.
Configuring the Port Priority

If a loop occurs, the MSTP uses the port priority when selecting an interface to put into the forwarding state. You can assign higher priority values (lower numerical values) to interfaces that you want selected first and lower priority values (higher numerical values) to interfaces that you want selected last.
Configuring the Path Cost

The MSTP path cost default value is derived from the media speed of an interface. If a loop occurs, the MSTP uses cost when selecting an interface to put in the forwarding state. You can assign lower cost values to interfaces that you want selected first and higher cost values to interfaces that you want selected last.
Configuring the Switch Priority

You can configure the switch priority and make it more likely that the switch will be chosen as the root switch.

Note
Exercise care when using this command. For most situations, we recommend that you use the spanning-tree mst instance-id root primary and the spanning-tree mst instance-id root secondary global configuration commands to modify the switch priority.
Beginning in privileged EXEC mode, follow these steps to configure the hello time for all MST instances:

Step    Command                                Purpose
Step 1  configure terminal                     Enter global configuration mode.
Step 2  spanning-tree mst hello-time seconds   Configure the hello time for all MST instances. The hello time is the interval between the generation of configuration messages by the root switch. These messages mean that the switch is alive.
Configuring the Maximum-Aging Time

Beginning in privileged EXEC mode, follow these steps to configure the maximum-aging time for all MST instances:

Step    Command                             Purpose
Step 1  configure terminal                  Enter global configuration mode.
Step 2  spanning-tree mst max-age seconds   Configure the maximum-aging time for all MST instances.
Specifying the Link Type to Ensure Rapid Transitions

If you connect a port to another port through a point-to-point link and the local port becomes a designated port, the RSTP negotiates a rapid transition with the other port by using the proposal-agreement handshake to ensure a loop-free topology as described in the “Rapid Convergence” section on page 11-3.
Chapter 11 Configuring RSTP and MSTP Displaying the MST Configuration and Status

Displaying the MST Configuration and Status

To display the spanning-tree status, use one or more of the privileged EXEC commands in Table 11-4:

Table 11-4 Commands for Displaying MST Status

Command                                Purpose
show spanning-tree mst configuration   Displays the MST region configuration.
show spanning-tree mst instance-id     Displays MST information for the specified instance.
Chapter 12 Configuring Optional Spanning-Tree Features

This chapter describes how to configure optional spanning-tree features. You can configure all of these features when your switch is running the per-VLAN spanning-tree (PVST). You can only configure the noted features when your switch is running the Multiple Spanning Tree Protocol (MSTP). To use these features with MSTP, you must have the enhanced software image (EI) installed on your switch.
Chapter 12 Configuring Optional Spanning-Tree Features Understanding Optional Spanning-Tree Features

Understanding Port Fast

Port Fast immediately brings an interface configured as an access or trunk port to the forwarding state from a blocking state, bypassing the listening and learning states.
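To tie the port-state list from the “Configuring STP” chapter (initialization, blocking, listening, learning, forwarding, disabled) to what Port Fast changes, here is a small Python model. It is an added example, not code from this guide or the switch: the allowed transitions are exactly the ones that chapter lists, a Port Fast port skips listening and learning as described above, and the timer values (forward delay 15 s, max age 20 s) are 802.1D defaults assumed for the example rather than quoted from this page. It also shows where the 50-second 802.1D reconvergence figure mentioned in the RSTP chapter comes from.

```python
"""Model of the 802.1D port states and the Port Fast shortcut.
Added example, not the guide's or the switch's own code."""

# Transitions listed in the "Configuring STP" chapter of this guide.
TRANSITIONS = {
    "initialization": {"blocking"},
    "blocking": {"listening", "disabled"},
    "listening": {"learning", "disabled"},
    "learning": {"forwarding", "disabled"},
    "forwarding": {"disabled"},
    "disabled": set(),
}

# 802.1D default timers in seconds (assumed from the standard, not quoted
# from this page).
FORWARD_DELAY = 15
MAX_AGE = 20


def is_allowed(current: str, new: str) -> bool:
    """True if the state list lets a port go directly from current to new."""
    return new in TRANSITIONS[current]


class Port:
    def __init__(self, name: str, portfast: bool = False):
        self.name = name
        self.portfast = portfast
        self.state = "initialization"
        self.history = [self.state]
        self.waited = 0  # seconds spent in forward-delay timers

    def move(self, new_state: str) -> None:
        """Apply one transition, rejecting any the state list does not allow."""
        if not is_allowed(self.state, new_state):
            raise ValueError(f"{self.name}: {self.state} -> {new_state} not allowed")
        self.state = new_state
        self.history.append(new_state)

    def bring_up(self) -> int:
        """Take a freshly initialised port to forwarding and return the
        seconds spent in timers.  A normal port waits one forward-delay
        interval in listening and another in learning; a Port Fast port
        jumps from blocking straight to forwarding, which is why that is
        the one move handled outside TRANSITIONS."""
        self.move("blocking")
        if self.portfast:
            self.state = "forwarding"
            self.history.append("forwarding")
            return self.waited
        self.move("listening")
        self.waited += FORWARD_DELAY
        self.move("learning")
        self.waited += FORWARD_DELAY
        self.move("forwarding")
        return self.waited


def reconvergence_seconds(max_age: int = MAX_AGE,
                          forward_delay: int = FORWARD_DELAY) -> int:
    """Worst-case 802.1D reconvergence after an indirect failure: the stored
    BPDU must age out (max age) before a blocked port can enter listening,
    and then it pays the two forward-delay intervals.  With the defaults
    this is 20 + 15 + 15 = 50 s, the figure the RSTP chapter quotes."""
    return max_age + 2 * forward_delay


if __name__ == "__main__":
    normal, fast = Port("fa0/1"), Port("fa0/2", portfast=True)
    print(normal.bring_up(), normal.history)
    print(fast.bring_up(), fast.history)
    print(reconvergence_seconds())
```

The model makes the trade-off visible: the 30 seconds a normal port spends before forwarding is the time spanning tree uses to make sure the port is not closing a loop, and Port Fast gives that up, which is why the guide pairs it with BPDU guard in the sections that follow.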
Understanding BPDU Guard

The BPDU guard feature can be globally enabled on the switch or can be enabled per interface, but the feature operates with some differences. At the global level, you can enable BPDU guard on Port Fast-enabled ports by using the spanning-tree portfast bpduguard default global configuration command. Spanning tree shuts down ports that are in a Port Fast-operational state.
Understanding UplinkFast

Switches in hierarchical networks can be grouped into backbone switches, distribution switches, and access switches. Figure 12-2 shows a complex network where distribution switches and access switches each have at least one redundant link that spanning tree blocks to prevent loops.
Figure 12-3 UplinkFast Example Before Direct Link Failure
[Figure labels: Switch A (Root), Switch B, Switch C; links L1, L2, L3; Blocked port on Switch C.]

If Switch C detects a link failure on the currently active link L2 on the root port (a direct link failure), UplinkFast unblocks the blocked port on Switch C and transitions it to the forwarding state without going through the listening and learning states, as shown in Figure 12-4.
How CSUF Works

CSUF ensures that one link in the stack is elected as the path to the root. As shown in Figure 12-5, Switches A, B, and C are cascaded through the GigaStack GBIC to form a multidrop backbone, which communicates control and data traffic across the switches at the access layer.
The switch sending the fast-transition request needs to do a fast transition to the forwarding state of a port that it has chosen as the root port, and it must obtain an acknowledgement from each stack switch before performing the fast transition.
Limitations

These limitations apply to CSUF:
• CSUF uses the GigaStack GBIC and runs on all Catalyst 3550 switches, all Catalyst 3500 XL switches, Catalyst 2950 switches with GBIC module slots, and only on modular Catalyst 2900 XL switches that have the 1000BASE-X module installed.
• Up to nine stack switches can be connected through their stack ports to the multidrop backbone.
Figure 12-6 GigaStack GBIC Connections and Spanning-Tree Convergence
[Figure labels: GigaStack GBIC connection for fast convergence; Catalyst 3550-12T; Catalyst 3500; Catalyst 3508G XL; Catalyst 295. Front-panel LED legends and port numbers not reproduced.]
Understanding BackboneFast

BackboneFast detects indirect failures in the core of the backbone. BackboneFast is a complementary technology to the UplinkFast feature, which responds to failures on links directly connected to access switches. BackboneFast optimizes the maximum-age timer, which determines the amount of time the switch stores protocol information received on an interface.
If link L1 fails as shown in Figure 12-8, Switch C cannot detect this failure because it is not connected directly to link L1. However, because Switch B is directly connected to the root switch over L1, it detects the failure, elects itself the root, and begins sending BPDUs to Switch C, identifying itself as the root.
Understanding Root Guard

The Layer 2 network of a service provider (SP) can include many connections to switches that are not owned by the SP. In such a topology, the spanning tree can reconfigure itself and select a customer switch as the root switch, as shown in Figure 12-10.
Chapter 12 Configuring Optional Spanning-Tree Features Configuring Optional Spanning-Tree Features

Understanding Loop Guard

You can use loop guard to prevent alternate or root ports from becoming designated ports because of a failure that leads to a unidirectional link. This feature is most effective when it is configured on the entire switched network. If your switch is running PVST or MSTP, you can enable this feature by using the spanning-tree loopguard default global configuration command.
Default Optional Spanning-Tree Configuration

Table 12-1 shows the default optional spanning-tree configuration.

Table 12-1 Default Optional Spanning-Tree Configuration

Feature                                 Default Setting
Port Fast, BPDU filtering, BPDU guard   Globally disabled (unless they are individually configured per interface).
UplinkFast                              Globally disabled.
CSUF                                    Disabled on all interfaces.
BackboneFast                            Globally disabled.
Step    Command                                              Purpose
Step 4  end                                                  Return to privileged EXEC mode.
Step 5  show spanning-tree interface interface-id portfast   Verify your entries.
Step 6  copy running-config startup-config                   (Optional) Save your entries in the configuration file.

Note
You can use the spanning-tree portfast default global configuration command to globally enable the Port Fast feature on all nontrunking ports.
Step    Command                              Purpose
Step 6  show running-config                  Verify your entries.
Step 7  copy running-config startup-config   (Optional) Save your entries in the configuration file.

To disable BPDU guard, use the no spanning-tree portfast bpduguard default global configuration command.
To disable BPDU filtering, use the no spanning-tree portfast bpdufilter default global configuration command. You can override the setting of the no spanning-tree portfast bpdufilter default global configuration command by using the spanning-tree bpdufilter enable interface configuration command.
Enabling Cross-Stack UplinkFast

Before enabling CSUF, make sure your stack switches are properly connected. For more information, see the “Connecting the Stack Ports” section on page 12-8. The CSUF feature is supported only when the switch is running PVST.

Beginning in privileged EXEC mode, follow these steps to enable CSUF:

Step    Command              Purpose
Step 1  configure terminal   Enter global configuration mode.
Enabling BackboneFast

You can enable BackboneFast to detect indirect link failures and to start the spanning-tree reconfiguration sooner.

Note
If you use BackboneFast, you must enable it on all switches in the network. BackboneFast is not supported on Token Ring VLANs. This feature is supported for use with third-party switches.

The BackboneFast feature is supported only when the switch is running PVST.
Step    Command                              Purpose
Step 5  show running-config                  Verify your entries.
Step 6  copy running-config startup-config   (Optional) Save your entries in the configuration file.

To disable root guard, use the no spanning-tree guard interface configuration command.
Chapter 12 Configuring Optional Spanning-Tree Features Displaying the Spanning-Tree Status

Displaying the Spanning-Tree Status

To display the spanning-tree status, use one or more of the privileged EXEC commands in Table 12-2:

Table 12-2 Commands for Displaying the Spanning-Tree Status

Command                     Purpose
show spanning-tree active   Displays spanning-tree information on active interfaces only.
show spanning-tree detail   Displays a detailed summary of interface information.
Chapter 13 Configuring VLANs

This chapter describes how to configure normal-range VLANs (VLAN IDs 1 to 1005) and extended-range VLANs (VLAN IDs 1006 to 4094). It includes information about VLAN modes and the VLAN Membership Policy Server (VMPS).

Note
For complete syntax and usage information for the commands used in this chapter, refer to the command reference for this release.
Chapter 13 Configuring VLANs Understanding VLANs

Figure 13-1 shows an example of VLANs segmented into logically defined networks.

Figure 13-1 VLANs as Logically Defined Networks
[Figure labels: Engineering VLAN; Marketing VLAN; Accounting VLAN; Cisco router; Fast Ethernet; Floor 1; Floor 2; Floor 3.]

VLANs are often associated with IP subnetworks. For example, all the end stations in a particular IP subnet belong to the same VLAN.
VLAN Port Membership Modes

You configure a port to belong to a VLAN by assigning a membership mode that determines the kind of traffic the port carries and the number of VLANs to which it can belong. Table 13-1 lists the membership modes and membership and VTP characteristics.
Configuring Normal-Range VLANs
Normal-range VLANs are VLANs with VLAN IDs 1 to 1005. If the switch is in VTP server or transparent mode, you can add, modify, or remove configurations for VLANs 2 to 1001 in the VLAN database. (VLAN IDs 1 and 1002 to 1005 are automatically created and cannot be removed.)
This section includes information about these normal-range VLAN topics:
• Token Ring VLANs, page 13-5
• Normal-Range VLAN Configuration Guidelines, page 13-5
• VLAN Configuration Mode Options, page 13-6
• Saving VLAN Configuration, page 13-7
• Default Ethernet VLAN Configuration, page 13-8
• Creating or Modifying an Ethernet VLAN, page 13-8
• Deleting a VLAN, page 13-10
• Assigning Static-Access Ports to a VLAN, page 13-11
is to allow all VLANs), the new VLAN is carried on all trunk ports. Depending on the topology of the network, this could create a loop in the new VLAN that would not be broken, particularly if there are several adjacent switches that all have run out of spanning-tree instances. You can prevent this possibility by setting allowed lists on the trunk ports of switches that have used up their allocation of spanning-tree instances.
Saving VLAN Configuration
The configurations of VLAN IDs 1 to 1005 are always saved in the VLAN database (vlan.dat file). If VTP mode is transparent, they are also saved in the switch running configuration file and you can enter the copy running-config startup-config privileged EXEC command to save the configuration in the startup configuration file.
Default Ethernet VLAN Configuration
Table 13-2 shows the default configuration for Ethernet VLANs.
Note The switch supports Ethernet interfaces exclusively. Because FDDI and Token Ring VLANs are not locally supported, you only configure FDDI and Token Ring media-specific characteristics for VTP global advertisements to other switches.
Beginning in privileged EXEC mode, follow these steps to use config-vlan mode to create or modify an Ethernet VLAN:
Step 1  configure terminal - Enter global configuration mode.
Step 2  vlan vlan-id - Enter a VLAN ID, and enter config-vlan mode. Enter a new VLAN ID to create a VLAN, or enter an existing VLAN ID to modify a VLAN.
Step 4  exit - Update the VLAN database, propagate it throughout the administrative domain, and return to privileged EXEC mode.
Step 5  show vlan {name vlan-name | id vlan-id} - Verify your entries.
Step 6  copy running-config startup-config - (Optional) If the switch is in VTP transparent mode, the VLAN configuration is saved in the running configuration file as well as in the VLAN database.
Assigning Static-Access Ports to a VLAN
You can assign a static-access port to a VLAN without having VTP globally propagate VLAN configuration information (VTP is disabled). If you are assigning a port on a cluster member switch to a VLAN, first use the rcommand privileged EXEC command to log in to the member switch.
Note If you assign an interface to a VLAN that does not exist, the new VLAN is created.
Configuring Extended-Range VLANs
When the switch is in VTP transparent mode (VTP disabled) and the EI is installed, you can create extended-range VLANs (in the range 1006 to 4094). Extended-range VLANs enable service providers to extend their infrastructure to a greater number of customers. The extended-range VLAN IDs are allowed for any switchport commands that allow VLAN IDs.
• STP is enabled by default on extended-range VLANs, but you can disable it by using the no spanning-tree vlan vlan-id global configuration command. When the maximum number of spanning-tree instances (64) is already in use on the switch, spanning tree is disabled on any newly created VLANs. If the number of VLANs on the switch exceeds the maximum number of spanning-tree instances, we recommend that you configure the IEEE 802.
To delete an extended-range VLAN, use the no vlan vlan-id global configuration command. The procedure for assigning static-access ports to an extended-range VLAN is the same as for normal-range VLANs. See the “Assigning Static-Access Ports to a VLAN” section on page 13-11.
Configuring VLAN Trunks
These sections describe how VLAN trunks function on the switch:
• Trunking Overview, page 13-15
• 802.1Q Configuration Considerations, page 13-16
• Default Layer 2 Ethernet Interface VLAN Configuration, page 13-17
Trunking Overview
A trunk is a point-to-point link between one or more Ethernet switch interfaces and another networking device such as a router or a switch.
To avoid this, you should configure interfaces connected to devices that do not support DTP to not forward DTP frames, that is, to turn off DTP.
Note • If you do not intend to trunk across those links, use the switchport mode access interface configuration command to disable trunking.
• Disabling spanning tree on the native VLAN of an 802.1Q trunk without disabling spanning tree on every VLAN in the network can potentially cause spanning-tree loops. We recommend that you leave spanning tree enabled on the native VLAN of an 802.1Q trunk or disable spanning tree on every VLAN in the network. Make sure your network is loop-free before disabling spanning tree.
– STP Port Fast setting
– trunk status: if one port in a port group ceases to be a trunk, all ports cease to be trunks.
• If you try to enable 802.1X on a trunk port, an error message appears, and 802.1X is not enabled. If you try to change the mode of an 802.1X-enabled port to trunk, the port mode is not changed.
• A port in dynamic mode can negotiate with its neighbor to become a trunk port. If you try to enable 802.
Switch(config-if)# switchport mode dynamic desirable
Switch(config-if)# end
Defining the Allowed VLANs on a Trunk
By default, a trunk port sends traffic to and receives traffic from all VLANs. All VLAN IDs, 1 to 4094 when the EI is installed, and 1 to 1005 when the SI is installed, are allowed on each trunk. However, you can remove VLANs from the allowed list, preventing traffic from those VLANs from passing over the trunk.
Changing the Pruning-Eligible List
The pruning-eligible list applies only to trunk ports. Each trunk port has its own eligibility list. VTP pruning must be enabled for this procedure to take effect. The “Enabling VTP Pruning” section on page 14-14 describes how to enable VTP pruning.
Beginning in privileged EXEC mode, follow these steps to configure the native VLAN on an 802.1Q trunk:
Step 1  configure terminal - Enter global configuration mode.
Step 2  interface interface-id - Enter interface configuration mode, and define the interface that is configured as the 802.1Q trunk.
Step 3  switchport trunk native vlan vlan-id - Configure the VLAN that is sending and receiving untagged traffic on the trunk port.
In this way, Trunk 1 carries traffic for VLANs 8 through 10, and Trunk 2 carries traffic for VLANs 3 through 6. If the active trunk fails, the trunk with the lower priority takes over and carries the traffic for all of the VLANs. No duplication of traffic occurs over any trunk port.
Step 17  spanning-tree vlan 8 port-priority 10 - Assign the port priority of 10 for VLAN 8.
Step 18  spanning-tree vlan 9 port-priority 10 - Assign the port priority of 10 for VLAN 9.
Step 19  spanning-tree vlan 10 port-priority 10 - Assign the port priority of 10 for VLAN 10.
Step 20  exit - Return to global configuration mode.
Beginning in privileged EXEC mode, follow these steps to configure the network shown in Figure 13-4:
Step 1  configure terminal - Enter global configuration mode on Switch 1.
Step 2  interface fastethernet 0/1 - Enter interface configuration mode, and define Fast Ethernet port 0/1 as the interface to be configured as a trunk.
Step 3  switchport mode trunk - Configure the port as a trunk port.
• “Monitoring the VMPS” section on page 13-31
• “Troubleshooting Dynamic Port VLAN Membership” section on page 13-31
• “VMPS Configuration Example” section on page 13-32
Understanding VMPS
When the VMPS receives a VQP request from a client switch, it searches its database for a MAC-address-to-VLAN mapping. The server response is based on this mapping and whether or not the server is in secure mode.
If the link goes down on a dynamic port, the port returns to an isolated state and does not belong to a VLAN. Any hosts that come online through the port are checked again through the VQP with the VMPS before the port is assigned to a VLAN.
VMPS Database Configuration File
The VMPS contains a database configuration file that you create. This ASCII text file is stored on a switch-accessible TFTP server that functions as a VMPS server.
!
!address vlan-name
!
address 0012.2233.4455 vlan-name hardware
address 0000.6509.a080 vlan-name hardware
address aabb.ccdd.eeff vlan-name Green
address 1223.5678.9abc vlan-name ExecStaff
address fedc.ba98.7654 vlan-name --NONE--
address fedc.ba23.1245 vlan-name Purple
!
!Port Groups
!
!vmps-port-group
! device { port | all-ports }
!
vmps-port-group WiringCloset1
 device 198.92.30.32 port 0/2
 device 172.20.
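Because this file is the allowlist that decides which VLAN a host lands in, it is worth checking before it is uploaded to the TFTP server. The following added example (not Cisco's VMPS code) parses the address and port-group entries in the format shown above, flags malformed or conflicting MAC entries, and resolves a MAC to its VLAN name; the sample file is constructed from the listing above plus two deliberately bad lines, and the fallback VLAN and secure-mode shutdown behaviour are not modeled.

```python
"""Parser and sanity checker for a VMPS database configuration file (the
ASCII file stored on the TFTP server). Added example for illustration; it
is not Cisco's VMPS implementation."""
import re
from dataclasses import dataclass, field

MAC_RE = re.compile(r"^[0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4}$")
DENY = "--NONE--"   # reserved vlan-name meaning the host is denied a VLAN


@dataclass
class VmpsDatabase:
    mac_to_vlan: dict = field(default_factory=dict)   # "aabb.ccdd.eeff" -> "Green"
    port_groups: dict = field(default_factory=dict)   # group -> [(device, port)]
    directives: dict = field(default_factory=dict)    # global "vmps <key> <value>" lines
    errors: list = field(default_factory=list)
    unparsed: list = field(default_factory=list)      # sections this example does not model


def parse_vmps_database(text):
    db = VmpsDatabase()
    group = None
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("!"):
            continue                                  # blank line or comment
        tok = line.split()
        if tok[0] == "address" and len(tok) == 4 and tok[2] == "vlan-name":
            group = None
            mac = tok[1].lower()
            if not MAC_RE.match(mac):
                db.errors.append(f"line {lineno}: malformed MAC address {tok[1]}")
            elif mac in db.mac_to_vlan and db.mac_to_vlan[mac] != tok[3]:
                # Two different VLANs for one host: the file's intent is ambiguous.
                db.errors.append(f"line {lineno}: {mac} already mapped to "
                                 f"{db.mac_to_vlan[mac]}, now {tok[3]}")
            else:
                db.mac_to_vlan[mac] = tok[3]
        elif tok[0] == "vmps-port-group" and len(tok) == 2:
            group = tok[1]
            db.port_groups.setdefault(group, [])
        elif tok[0] == "device" and group is not None:
            # device <device-id> port <port-name>   or   device <device-id> all-ports
            if len(tok) == 4 and tok[2] == "port":
                db.port_groups[group].append((tok[1], tok[3]))
            elif len(tok) == 3 and tok[2] == "all-ports":
                db.port_groups[group].append((tok[1], "all-ports"))
            else:
                db.errors.append(f"line {lineno}: bad device entry: {line}")
        elif tok[0] == "vmps" and len(tok) >= 3:
            group = None
            db.directives[tok[1]] = " ".join(tok[2:])   # kept verbatim, not interpreted
        else:
            db.unparsed.append((lineno, line))
    return db


def lookup_vlan(db, mac):
    """VLAN name the server would hand back for this host, or None when the
    host is denied (explicit --NONE-- entry or MAC absent from the file)."""
    vlan = db.mac_to_vlan.get(mac.lower())
    return None if vlan in (None, DENY) else vlan


# Constructed sample: entries from the listing above plus one malformed MAC
# and one conflicting mapping to exercise the checks.
SAMPLE = """\
!address vlan-name
address 0012.2233.4455 vlan-name hardware
address aabb.ccdd.eeff vlan-name Green
address 1223.5678.9abc vlan-name ExecStaff
address fedc.ba98.7654 vlan-name --NONE--
address fedc.ba23.1245 vlan-name Purple
address 00-11-22-33-44-55 vlan-name Green
address aabb.ccdd.eeff vlan-name Purple
!
!Port Groups
vmps-port-group WiringCloset1
 device 198.92.30.32 port 0/2
 device 198.92.30.33 all-ports
"""

if __name__ == "__main__":
    db = parse_vmps_database(SAMPLE)
    print(lookup_vlan(db, "AABB.CCDD.EEFF"), lookup_vlan(db, "fedc.ba98.7654"))
    for err in db.errors:
        print("check failed:", err)
```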
VMPS Configuration Guidelines
These guidelines and restrictions apply to dynamic port VLAN membership:
• You must configure the VMPS before you configure ports as dynamic.
• The communication between a cluster of switches and VMPS is managed by the command switch and includes port-naming conventions that are different from standard port names. For the cluster-based port-naming conventions, see the “VMPS Database Configuration File” section on page 13-26.
Beginning in privileged EXEC mode, follow these steps to enter the IP address of the VMPS:
Step 1  configure terminal - Enter global configuration mode.
Step 2  vmps server ipaddress primary - Enter the IP address of the switch acting as the primary VMPS server.
Step 3  vmps server ipaddress - Enter the IP address of the switch acting as a secondary VMPS server. You can enter up to three secondary server addresses.
Reconfirming VLAN Memberships
Beginning in privileged EXEC mode, follow these steps to confirm the dynamic port VLAN membership assignments that the switch has received from the VMPS:
Step 1  vmps reconfirm - Reconfirm dynamic port VLAN membership.
Step 2  show vmps - Verify the dynamic VLAN reconfirmation status.
Changing the Reconfirmation Interval
VMPS clients periodically reconfirm the VLAN membership information received from the VMPS.
To return the switch to its default setting, use the no vmps retry global configuration command.
Monitoring the VMPS
You can display information about the VMPS by using the show vmps privileged EXEC command. The switch displays this information about the VMPS:
VMPS VQP Version - The version of VQP used to communicate with the VMPS. The switch queries the VMPS that is using VQP version 1.
VMPS Configuration Example
Figure 13-5 shows a network with a VMPS server switch and VMPS client switches with dynamic ports. In this example, these assumptions apply:
• The VMPS server and the VMPS client are separate switches.
• The Catalyst 5000 series Switch 1 is the primary VMPS server.
• The Catalyst 5000 series Switch 3 and Switch 10 are secondary VMPS servers.
Chapter 14 Configuring VTP
This chapter describes how to use the VLAN Trunking Protocol (VTP) and the VLAN database for managing VLANs.
Note For complete syntax and usage information for the commands used in this chapter, refer to the command reference for this release.
Understanding VTP
The VTP Domain
A VTP domain (also called a VLAN management domain) consists of one switch or several interconnected switches under the same administrative responsibility sharing the same VTP domain name. A switch can be in only one VTP domain. You make global VLAN configuration changes for the domain by using the command-line interface (CLI), Cluster Management Suite (CMS) software, or Simple Network Management Protocol (SNMP).
VTP Modes
You can configure a supported switch to be in one of the VTP modes listed in Table 14-1.
Table 14-1 VTP Modes
VTP server - In VTP server mode, you can create, modify, and delete VLANs and specify other configuration parameters (such as the VTP version) for the entire VTP domain.
• MD5 digest VLAN configuration, including maximum transmission unit (MTU) size for each VLAN.
• Frame format
VTP advertisements distribute this VLAN information for each configured VLAN:
• VLAN IDs
• VLAN name
• VLAN type
• VLAN state
• Additional VLAN configuration information specific to the VLAN type
VTP Version 2
If you use VTP in your network, you must decide whether to use version 1 or version 2. By default, VTP operates in version 1.
Figure 14-1 Flooding Traffic without VTP Pruning [figure: Switch 1 through Switch 6 interconnected; Red VLAN broadcast traffic from Switch 1 is flooded to every switch; Port 1 and Port 2 are labeled]
Figure 14-2 shows a switched network with VTP pruning enabled. The broadcast traffic from Switch 1 is not forwarded to Switches 3, 5, and 6 because traffic for the Red VLAN has been pruned on the links shown (Port 5 on Switch 2 and Port 4 on Switch 4).
VTP pruning is not designed to function in VTP transparent mode. If one or more switches in the network are in VTP transparent mode, you should do one of these:
• Turn off VTP pruning in the entire network.
• Turn off VTP pruning by making all VLANs on the trunk of the switch upstream to the VTP transparent switch pruning ineligible.
VTP Configuration Options
You can configure VTP by using these configuration modes:
• VTP Configuration in Global Configuration Modes, page 14-7
• VTP Configuration in VLAN Configuration Mode, page 14-7
You access VLAN configuration mode by entering the vlan database privileged EXEC command. For detailed information about vtp commands, refer to the command reference for this release.
VTP Configuration Guidelines
These sections describe guidelines you should follow when implementing VTP in your network.
Domain Names
When configuring VTP for the first time, you must always assign a domain name. You must configure all switches in the VTP domain with the same domain name. Switches in VTP transparent mode do not exchange VTP messages with other switches, and you do not need to configure a VTP domain name for them.
VTP Version
Follow these guidelines when deciding which VTP version to implement:
• All switches in a VTP domain must run the same VTP version.
• A VTP version 2-capable switch can operate in the same VTP domain as a switch running VTP version 1 if version 2 is disabled on the version 2-capable switch (version 2 is disabled by default).
• Do not enable VTP version 2 on a switch unless all of the switches in the same VTP domain are version-2-capable.
Step 4  vtp password password - (Optional) Set the password for the VTP domain. The password can be from 8 to 64 characters. If you configure a VTP password, the VTP domain does not function properly if you do not assign the same password to each switch in the domain.
Step 5  end - Return to privileged EXEC mode.
Step 6  show vtp status - Verify your entries in the VTP Operating Mode and the VTP Domain Name fields of the display.
This example shows how to use VLAN configuration mode to configure the switch as a VTP server with the domain name eng_group and the password mypassword:
Switch# vlan database
Switch(vlan)# vtp server
Switch(vlan)# vtp domain eng_group
Switch(vlan)# vtp password mypassword
Switch(vlan)# exit
APPLY completed.
Exiting....
Configuring a VTP Client
When a switch is in VTP client mode, you cannot change its VLAN configuration.
Note You can also configure a VTP client by using the vlan database privileged EXEC command to enter VLAN configuration mode and entering the vtp client command, similar to the second procedure under the “Configuring a VTP Server” section on page 14-9. Use the no vtp client VLAN configuration command to return the switch to VTP server mode or the no vtp password VLAN configuration command to return the switch to a no-password state.
Note You can also configure VTP transparent mode by using the vlan database privileged EXEC command to enter VLAN configuration mode and by entering the vtp transparent command, similar to the second procedure under the “Configuring a VTP Server” section on page 14-9. Use the no vtp transparent VLAN configuration command to return the switch to VTP server mode. If extended-range VLANs are configured on the switch, you cannot change VTP mode to server.
Enabling VTP Pruning
Pruning increases available bandwidth by restricting flooded traffic to those trunk links that the traffic must use to access the destination devices. You can only enable VTP pruning on a switch in VTP server mode.
Beginning in privileged EXEC mode, follow these steps to enable VTP pruning in the VTP domain:
Step 1  configure terminal - Enter global configuration mode.
Adding a VTP Client Switch to a VTP Domain
Before adding a VTP client to a VTP domain, always verify that its VTP configuration revision number is lower than the configuration revision number of the other switches in the VTP domain. Switches in a VTP domain always use the VLAN configuration of the switch with the highest VTP configuration revision number.
Monitoring VTP
You monitor VTP by displaying VTP configuration information: the domain name, the current VTP revision, and the number of VLANs. You can also display statistics about the advertisements sent and received by the switch. Table 14-3 shows the privileged EXEC commands for monitoring VTP activity.
Table 14-3 VTP Monitoring Commands
show vtp status - Display the VTP switch configuration information.
Chapter 15 Configuring Voice VLAN
This chapter describes how to configure the voice VLAN feature on your switch. Voice VLAN is referred to as an auxiliary VLAN in the Catalyst 6000 family switch documentation.
Note For complete syntax and usage information for the commands used in this chapter, refer to the command reference for this release.
Figure 15-1 shows one way to connect a Cisco 7960 IP Phone.
Figure 15-1 Cisco 7960 IP Phone Connected to a Switch [figure: the Cisco IP Phone 7960 contains a 3-port switch (P1, P2, P3) that connects the phone ASIC, the Catalyst 2950 or 3550 switch, and a PC through the phone's access port]
When the IP phone connects to the switch, the access port (PC-to-telephone jack) of the IP phone can connect to a PC.
Voice VLAN Configuration Guidelines
These are the voice VLAN configuration guidelines:
• You should configure voice VLAN on switch access ports.
• The Port Fast feature is automatically enabled when voice VLAN is configured. When you disable voice VLAN, the Port Fast feature is not automatically disabled.
Configuring Ports to Carry Voice Traffic in 802.1Q Frames
Beginning in privileged EXEC mode, follow these steps to configure a port to carry voice traffic in 802.1Q frames for a specific VLAN:
Step 1  configure terminal - Enter global configuration mode.
Step 2  interface interface-id - Specify the interface connected to the IP phone, and enter interface configuration mode.
Overriding the CoS Priority of Incoming Data Frames
You can connect a PC or other data device to a Cisco 7960 IP Phone port. The PC can generate packets with an assigned CoS value. You can configure the switch to override the priority of frames arriving on the IP phone port from connected devices.
Configuring the IP Phone to Trust the CoS Priority of Incoming Data Frames
You can connect a PC or other data device to a Cisco 7960 IP Phone port. The PC can generate packets with an assigned CoS value. You can configure the switch to trust the priority of frames arriving on the IP phone port from connected devices.
Chapter 16 Configuring IGMP Snooping and MVR
This chapter describes how to configure Internet Group Management Protocol (IGMP) snooping on your switch, including an application of local IGMP snooping, Multicast VLAN Registration (MVR). It also includes procedures for controlling multicast group membership by using IGMP filtering.
the switch adds the host port number to the forwarding table entry; when it receives an IGMP Leave Group message from a host, it removes the host port from the table entry. It also periodically deletes entries if it does not receive IGMP membership reports from the multicast clients.
Note For more information on IP multicast and IGMP, refer to RFC 1112 and RFC 2236.
Figure 16-1 Initial IGMP Join Message [figure: Router A on port 1; the switching engine with its CPU on port 0 and the forwarding table; Host 1 through Host 4 on ports 2 through 5; Host 1 sends an IGMP report for 224.1.2.3]
Router A sends a general query to the switch, which forwards the query to ports 2 through 5, all members of the same VLAN. Host 1 wants to join multicast group 224.1.2.
Figure 16-2 Second Host Joining a Multicast Group [figure: Router A on port 1; the switching engine with its CPU on port 0 and the forwarding table; Host 1 through Host 4 on ports 2 through 5]
Table 16-2 Updated IGMP Snooping Forwarding Table
Destination Address   Type of Packet   Ports
0100.5exx.xxxx        IGMP             0
0100.5e01.
Note You should only use the Immediate-Leave processing feature on VLANs where a single host is connected to each port. If Immediate Leave is enabled in VLANs where more than one host is connected to a port, some hosts might be inadvertently dropped. Immediate Leave is supported with only IGMP version 2 hosts.
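The forwarding-table behaviour described above (a report adds the host port, a leave removes it) and the Immediate-Leave caveat in this note can be made concrete with a small model. This is an added example, not switch code; it assumes the router is reached through port 1 as in Figure 16-1, and the query timeout is driven explicitly by the caller rather than by a timer.

```python
"""Model of the IGMP snooping forwarding table this chapter describes and of
the Immediate-Leave caveat. Added example for illustration; not Catalyst code."""
from collections import defaultdict


class IgmpSnoopingTable:
    def __init__(self, router_port, immediate_leave=False):
        # Assumption from Figure 16-1: the multicast router sits on one known
        # port, which always stays in every group's forwarding entry.
        self.router_port = router_port
        self.immediate_leave = immediate_leave
        # group -> {port: set of hosts that reported membership on that port}
        self.groups = defaultdict(lambda: defaultdict(set))
        # (group, port) -> hosts that have answered the group-specific query
        self.pending = {}

    def report(self, group, port, host):
        """IGMP membership report: add the host port to the forwarding entry."""
        self.groups[group][port].add(host)
        if (group, port) in self.pending:
            self.pending[(group, port)].add(host)

    def leave(self, group, port, host):
        """IGMP version 2 Leave Group message from host on port."""
        entry = self.groups.get(group)
        if entry is None or port not in entry:
            return
        if self.immediate_leave:
            # Port removed at once, with no query: any other host sharing the
            # port silently loses the stream (the Note above).
            del entry[port]
        else:
            # The switch sends a group-specific query on the port and waits
            # for reports from the remaining hosts before deciding.
            self.pending[(group, port)] = set()

    def query_timeout(self, group, port):
        """Maximum response time for the group-specific query has elapsed."""
        responders = self.pending.pop((group, port), None)
        if responders is None:
            return
        entry = self.groups[group]
        if responders:
            entry[port] = responders        # keep only the hosts that answered
        else:
            del entry[port]                 # nobody answered: drop the port

    def forwarding_ports(self, group):
        """Ports that receive the group's traffic, router port included."""
        if group not in self.groups or not self.groups[group]:
            return [self.router_port]
        return sorted(set(self.groups[group]) | {self.router_port})


def immediate_leave_demo():
    """Two hosts on one port: Immediate-Leave drops both when one leaves."""
    t = IgmpSnoopingTable(router_port=1, immediate_leave=True)
    t.report("224.1.2.3", 3, "host-a")
    t.report("224.1.2.3", 3, "host-b")
    t.leave("224.1.2.3", 3, "host-a")
    return t.forwarding_ports("224.1.2.3")      # [1]: host-b was cut off


def query_based_leave_demo():
    """Same scenario without Immediate-Leave: host-b answers the query."""
    t = IgmpSnoopingTable(router_port=1, immediate_leave=False)
    t.report("224.1.2.3", 3, "host-a")
    t.report("224.1.2.3", 3, "host-b")
    t.leave("224.1.2.3", 3, "host-a")
    t.report("224.1.2.3", 3, "host-b")          # reply to the group-specific query
    t.query_timeout("224.1.2.3", 3)
    return t.forwarding_ports("224.1.2.3")      # [1, 3]: port 3 is kept


if __name__ == "__main__":
    print("immediate-leave:", immediate_leave_demo())
    print("query-based leave:", query_based_leave_demo())
```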
Beginning in privileged EXEC mode, follow these steps to globally enable IGMP snooping on the switch:
Step 1  configure terminal - Enter global configuration mode.
Step 2  ip igmp snooping - Globally enable IGMP snooping in all existing VLAN interfaces.
Step 3  end - Return to privileged EXEC mode.
Step 4  copy running-config startup-config - (Optional) Save your entries in the configuration file.
Beginning in privileged EXEC mode, follow these steps to alter the method in which a VLAN interface dynamically accesses a multicast router:
Step 1  configure terminal - Enter global configuration mode.
Step 2  ip igmp snooping vlan vlan-id mrouter learn {cgmp | pim-dvmrp} - Enable IGMP snooping on a VLAN.
Step 3  end - Return to privileged EXEC mode.
Step 4  show ip igmp snooping mrouter [vlan vlan-id] - Verify that IGMP snooping is enabled on the VLAN interface.
Step 5  copy running-config startup-config - (Optional) Save your entries in the configuration file.
To remove a multicast router port from the VLAN, use the no ip igmp snooping vlan vlan-id mrouter interface interface-id global configuration command.
Switch# show mac address-table multicast vlan 1
Vlan    Mac Address       Type    Ports
----    -----------       ----    -----
1       0100.5e00.0203    USER    Gi0/1
Enabling IGMP Immediate-Leave Processing
When you enable IGMP Immediate-Leave processing, the switch immediately removes a port when it detects an IGMP version 2 leave message on that port.
Table 16-4 Commands for Displaying IGMP Snooping Information
show ip igmp snooping [vlan vlan-id] - Display the snooping configuration information for all VLANs on the switch or for a specified VLAN. (Optional) Enter vlan vlan-id to display information for a single VLAN.
This is an example of output from the show ip igmp snooping privileged EXEC command for a specific VLAN interface:
Switch# show ip igmp snooping vlan 1
vlan 1
----------
IGMP snooping is globally enabled
IGMP snooping is disabled on this Vlan
IGMP snooping immediate-leave is disabled on this Vlan
IGMP snooping mrouter learn mode is pim-dvmrp on this Vlan
This is an example of output from the show ip igmp snooping mrouter pr
Understanding Multicast VLAN Registration
Multicast VLAN Registration (MVR) is designed for applications using wide-scale deployment of multicast traffic across an Ethernet ring-based service provider network (for example, the broadcast of multiple television channels over a service-provider network).
When a subscriber changes channels or turns off the television, the set-top box sends an IGMP leave message for the multicast stream. The switch CPU sends an IGMP group-specific query through the receiver port VLAN. If there is another set-top box in the VLAN still subscribing to this group, that set-top box must respond within the maximum response time.
MVR eliminates the need to duplicate television-channel multicast traffic for subscribers in each VLAN. Multicast traffic for all channels is only sent around the VLAN trunk once—only on the multicast VLAN. The IGMP leave and join messages, however, are sent in the VLAN to which the subscriber port is assigned. These messages dynamically register for streams of multicast traffic in the multicast VLAN on the Layer 3 device.
MVR Configuration Guidelines and Limitations
Follow these guidelines when configuring MVR:
Note • Receiver ports cannot be trunk ports. Receiver ports on a switch can be in different VLANs, but should not belong to the multicast VLAN.
• The maximum number of multicast entries that can be configured on a switch (that is, the maximum number of television channels that can be received) is 256.
Step 6  mvr mode {dynamic | compatible} - (Optional) Specify the MVR mode of operation:
• dynamic—Allows dynamic MVR membership on source ports.
• compatible—Is compatible with Catalyst 3500 XL and Catalyst 2900 XL switches and does not support IGMP dynamic joins on source ports.
The default is compatible mode.
Step 7  end - Return to privileged EXEC mode.
Step 8  show mvr - Verify the configuration.
Step 4  mvr type {source | receiver} - Configure an MVR port as one of these:
• source—Configure uplink ports that receive and send multicast data as source ports. Subscribers cannot be directly connected to source ports. All source ports on a switch belong to the single multicast VLAN.
• receiver—Configure a port as a receiver port if it is a subscriber port and should only receive multicast data.
This is an example of output from the show mvr interface privileged EXEC command when the members keyword is included:
Switch# show mvr interface fastethernet0/2 members
224.0.1.1 DYNAMIC ACTIVE
Displaying MVR Information
You can display MVR information for the switch or for a specified interface.
This is an example of output from the show mvr interface privileged EXEC command for a specified interface:
Switch# show mvr interface fastethernet0/2
224.0.1.1 DYNAMIC ACTIVE
This is an example of output from the show mvr interface privileged EXEC command when the members keyword is included:
Switch# show mvr interface fastethernet0/2 members
224.0.1.
Table 16-7 Default IGMP Filtering Configuration (continued)
IGMP profiles - None defined
IGMP profile action - Deny the range addresses
Configuring IGMP Profiles
To configure an IGMP profile, use the ip igmp profile global configuration command with a profile number to create an IGMP profile and to enter IGMP profile configuration mode.
This example shows how to create IGMP profile 4 allowing access to the single IP multicast address and how to verify the configuration. If the action was to deny (the default), it would not appear in the show ip igmp profile output display.
Switch(config)# ip igmp profile 4
Switch(config-igmp-profile)# permit
Switch(config-igmp-profile)# range 229.9.9.
Setting the Maximum Number of IGMP Groups
You can set the maximum number of IGMP groups that a Layer 2 interface can join by using the ip igmp mac-groups interface configuration command. Use the no form of this command to set the maximum back to the default, which is no limit. You cannot use this command on ports that belong to an EtherChannel port group.
Displaying IGMP Filtering Configuration
You can display IGMP profile characteristics, and you can display the IGMP profile and maximum group configuration for all interfaces on the switch or for a specified interface.
Chapter 17 Configuring Port-Based Traffic Control
This chapter describes how to configure the port-based traffic control features on your switch.
Note For complete syntax and usage information for the commands used in this chapter, refer to the command reference for this release.
Chapter 17 Configuring Port-Based Traffic Control Configuring Storm Control The rising threshold is the percentage of total available bandwidth associated with multicast, broadcast, or unicast traffic before forwarding is blocked. The falling threshold is the percentage of total available bandwidth below which the switch resumes normal forwarding. In general, the higher the level, the less effective the protection against broadcast storms.
Chapter 17 Configuring Port-Based Traffic Control Configuring Protected Ports Disabling Storm Control Beginning in privileged EXEC mode, follow these steps to disable storm control: Command Purpose Step 1 configure terminal Enter global configuration mode. Step 2 interface interface-id Specify the port to configure, and enter interface configuration mode. Step 3 no storm-control {broadcast | multicast | unicast} level Disable port storm control.
Chapter 17 Configuring Port-Based Traffic Control Configuring Port Security Command Purpose Step 5 show interfaces interface-id switchport Verify your entries. Step 6 copy running-config startup-config (Optional) Save your entries in the configuration file. To disable protected port, use the no switchport protected interface configuration command.
Chapter 17 Configuring Port-Based Traffic Control Configuring Port Security Secure MAC Addresses A secure port can have from 1 to 132 associated secure addresses. After you have set the maximum number of secure MAC addresses on a port, the secure addresses are included in an address table in one of these ways: • You can configure all secure MAC addresses by using the switchport port-security mac-address mac-address interface configuration command.
Chapter 17 Configuring Port-Based Traffic Control Configuring Port Security If port security is disabled, the sticky secure MAC addresses remain in the running configuration. To disable sticky learning, enter the no switchport port-security mac-address sticky interface configuration command. If sticky learning is disabled or the running configuration is removed, the sticky secure MAC addresses remain part of the running configuration but are removed from the address table.
Chapter 17 Configuring Port-Based Traffic Control Configuring Port Security Port Security Configuration Guidelines Follow these guidelines when configuring port security: • Port security can only be configured on static access ports. • A secure port cannot be a dynamic access port or a trunk port. • A secure port cannot be a protected port. • A secure port cannot be a destination port for Switch Port Analyzer (SPAN).
Chapter 17 Configuring Port-Based Traffic Control Configuring Port Security Step 6 Command Purpose switchport port-security violation {protect | restrict | shutdown} (Optional) Set the violation mode, the action to be taken when a security violation is detected, as one of these: • protect—When the number of port secure MAC addresses reaches the maximum limit allowed on the port, packets with unknown source addresses are dropped until you remove a sufficient number of secure MAC addresses to drop bel
Chapter 17 Configuring Port-Based Traffic Control Configuring Port Security To return the interface to the default condition as not a secure port, use the no switchport port-security interface configuration command. If you enter this command when sticky learning is enabled, the sticky secure addresses remain part of the running configuration but are removed from the address table. The addresses that were removed can be dynamically reconfigured and added to the address table as dynamic addresses.
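The secure-address table, sticky learning and the three violation modes described in this section, modelled as an added Python example (not switch code and not from this guide). The port name, maximum and MAC addresses are constructed; the restrict and shutdown notifications stand in for the SNMP trap and syslog message the switch would generate.

```python
"""Port-security state machine as described in this chapter: a port holds up
to max_addresses secure MACs (static or learned, sticky or dynamic) and applies
one of three violation modes when a frame arrives from an unknown source once
the table is full.  Added example, not switch code; addresses are constructed."""
from dataclasses import dataclass, field
from typing import Dict, List, Set


@dataclass
class SecurePort:
    name: str
    max_addresses: int = 1
    violation: str = "shutdown"        # protect | restrict | shutdown (the default)
    sticky: bool = False
    secure: Set[str] = field(default_factory=set)     # secure MACs, static or learned
    err_disabled: bool = False
    violations: int = 0
    notifications: List[str] = field(default_factory=list)   # trap/syslog events

    def add_static(self, mac: str) -> None:
        """switchport port-security mac-address <mac>"""
        if len(self.secure) >= self.max_addresses:
            raise ValueError("maximum secure addresses already configured")
        self.secure.add(mac.lower())

    def frame_from(self, src_mac: str) -> bool:
        """Return True if the frame is forwarded, False if it is dropped."""
        src_mac = src_mac.lower()
        if self.err_disabled:
            return False                           # port stays down until reset
        if src_mac in self.secure:
            return True
        if len(self.secure) < self.max_addresses:
            self.secure.add(src_mac)               # dynamically learned (sticky keeps it)
            return True
        # Table is full and the source is unknown: a security violation.
        self.violations += 1
        if self.violation == "protect":
            return False                           # silent drop, no notification
        if self.violation == "restrict":
            self.notifications.append(f"{self.name}: violation from {src_mac}")
            return False
        # shutdown: the port goes error-disabled and drops everything afterwards
        self.err_disabled = True
        self.notifications.append(f"{self.name}: err-disabled after violation from {src_mac}")
        return False

    def sticky_config_lines(self) -> List[str]:
        """Lines sticky learning would leave in the running configuration."""
        if not self.sticky:
            return []
        return [f"switchport port-security mac-address sticky {m}" for m in sorted(self.secure)]


def run_scenario(mode: str) -> Dict[str, object]:
    """One static address, one learned address, then an unknown third source."""
    port = SecurePort("FastEthernet0/2", max_addresses=2, violation=mode, sticky=True)
    port.add_static("0000.0200.0004")
    frames = ["0000.0200.0004", "0008.a343.0001", "0008.a343.0002", "0000.0200.0004"]
    forwarded = [port.frame_from(m) for m in frames]
    return {"forwarded": forwarded, "violations": port.violations,
            "err_disabled": port.err_disabled, "notified": len(port.notifications),
            "sticky_lines": port.sticky_config_lines()}
```

The last frame in `run_scenario` comes from a legitimate secure address: protect and restrict still forward it, while shutdown has already error-disabled the port, which is the operational cost of the default mode and the reason the restrict mode exists for ports where availability matters more than a hard stop.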
Switch(config-if)# switchport port-security mac-address 0000.0200.0004
Switch(config-if)# switchport port-security mac-address sticky
Switch(config-if)# switchport port-security mac-address sticky 0008.a343.

Beginning in privileged EXEC mode, follow these steps to configure port security aging:
Step 1  configure terminal
        Enter global configuration mode.
Step 2  interface interface-id
        Specify the port on which you want to enable port security aging, and enter interface configuration mode.

Displaying Port-Based Traffic Control Settings
The show interfaces interface-id switchport privileged EXEC command displays (among other characteristics) the interface traffic suppression and control configuration. The show interfaces counters privileged EXEC commands display the count of discarded packets. The show storm-control and show port-security privileged EXEC commands display those features.
Chapter 18 Configuring UDLD
This chapter describes how to configure the UniDirectional Link Detection (UDLD) protocol on your switch.
Note: For complete syntax and usage information for the commands used in this chapter, refer to the command reference for this release.

Understanding UDLD
UDLD operates by using two mechanisms:
• Neighbor database maintenance
UDLD learns about other UDLD-capable neighbors by periodically sending a hello packet (also called an advertisement or probe) on every active interface to keep each device informed about its neighbors. When the switch receives a hello message, it caches the information until the age time (hold time or time-to-live) expires.

Configuring UDLD
This section describes how to configure UDLD on your switch. It contains this configuration information:
• Default UDLD Configuration, page 18-3
• Enabling UDLD Globally, page 18-4
• Enabling UDLD on an Interface, page 18-4
• Resetting an Interface Shut Down by UDLD, page 18-5
Default UDLD Configuration
Table 18-1 shows the default UDLD configuration.

Enabling UDLD Globally
Beginning in privileged EXEC mode, follow these steps to enable UDLD in the aggressive or normal mode and to set the configurable message timer on all fiber-optic interfaces on the switch:
Step 1  configure terminal
        Enter global configuration mode.

Step 3  udld {aggressive | enable}
        Specify the UDLD mode of operation:
        • aggressive: Enables UDLD in aggressive mode on the specified interface. For details on the usage guidelines for the aggressive mode, refer to the command reference guide.
        • enable: Enables UDLD in normal mode on the specified interface.
        UDLD is disabled by default. On a fiber-optic interface, this command overrides the udld enable global configuration command setting.

Displaying UDLD Status
To display the UDLD status for the specified interface or for all interfaces, use the show udld [interface-id] privileged EXEC command. For detailed information about the fields in the display, refer to the command reference for this release.
Chapter 19 Configuring CDP
This chapter describes how to configure Cisco Discovery Protocol (CDP) on your switch.
Note: For complete syntax and usage information for the commands used in this chapter, refer to the command reference for this release and the Cisco IOS Configuration Fundamentals Command Reference for Release 12.1.

Configuring CDP
These sections include CDP configuration information and procedures:
• Default CDP Configuration, page 19-2
• Configuring the CDP Characteristics, page 19-2
• Disabling and Enabling CDP, page 19-3
• Disabling and Enabling CDP on an Interface, page 19-4
Default CDP Configuration
Table 19-1 shows the default CDP configuration.

Step 6  show cdp
        Verify configuration by displaying global information about CDP on the device.
Step 7  copy running-config startup-config
        (Optional) Save your entries in the configuration file.
Use the no form of the CDP commands to return to the default settings. This example shows how to configure and verify CDP characteristics.

This example shows how to enable CDP if it has been disabled.
Switch# configure terminal
Switch(config)# cdp run
Switch(config)# end

Disabling and Enabling CDP on an Interface
CDP is enabled by default on all supported interfaces to send and receive CDP information. Beginning in privileged EXEC mode, follow these steps to disable CDP on an interface:
Step 1  configure terminal
        Enter global configuration mode.

Monitoring and Maintaining CDP
To monitor and maintain CDP on your device, perform one or more of these tasks, beginning in privileged EXEC mode.
Command              Description
clear cdp counters   Reset the traffic counters to zero.
clear cdp table      Delete the CDP table of information about neighbors.
show cdp             Display global information, such as frequency of transmissions and the holdtime for packets being sent.
Chapter 20 Configuring SPAN and RSPAN
This chapter describes how to configure Switched Port Analyzer (SPAN) and Remote SPAN (RSPAN) on your switch. To use the RSPAN feature described in this chapter, you must have the enhanced software image (EI) installed on your switch.
Note: For complete syntax and usage information for the commands used in this chapter, refer to the command reference for this release.

Understanding SPAN and RSPAN
Figure 20-1 Example SPAN Configuration
[Figure: a twelve-port switch in which port 5 traffic is mirrored on port 10, where a network analyzer is attached.]
Only traffic that enters or leaves source ports can be monitored by using SPAN. RSPAN extends SPAN by enabling remote monitoring of multiple switches across your network.

SPAN and RSPAN Concepts and Terminology
This section describes concepts and terminology associated with SPAN and RSPAN configuration.
SPAN Session
A local SPAN session is an association of a destination port with source ports. You can monitor incoming or outgoing traffic on a series or range of ports. An RSPAN session is an association of source ports across your network with an RSPAN VLAN. The destination source is the RSPAN VLAN.

Source Port
A source port (also called a monitored port) is a switched port that you monitor for network traffic analysis. In a single local SPAN session or RSPAN source session, you can monitor source port traffic such as received (Rx), transmitted (Tx), or bidirectional (both). The switch supports any number of source ports (up to the maximum number of available ports on the switch).

• It can be a physical port that is assigned to an EtherChannel group, even if the EtherChannel group is specified as a SPAN source. The port is removed from the group while it is configured as a reflector port.
• A port used as a reflector port cannot be a SPAN source or destination port, nor can a port be a reflector port for more than one session at a time.
• It is invisible to all VLANs.

If a port is added to a monitored EtherChannel group, the new port is added to the SPAN source port list. If a port is removed from a monitored EtherChannel group, it is automatically removed from the source port list. If the port is the only port in the EtherChannel group, the EtherChannel group is removed from SPAN.

Configuring SPAN
This section describes how to configure SPAN on your switch.

Step 3  monitor session session_number source interface interface-id [, | -] [both | rx | tx]
        Specify the SPAN session and the source port (monitored port). For session_number, specify 1. For interface-id, specify the source port to monitor. Valid interfaces include physical interfaces and port-channel logical interfaces (port-channel port-channel-number). (Optional) [, | -] Specify a series or range of interfaces.

Removing Ports from a SPAN Session
Beginning in privileged EXEC mode, follow these steps to remove a port as a SPAN source for a session:
Step 1  configure terminal
        Enter global configuration mode.
Step 2  no monitor session session_number source interface interface-id [, | -] [both | rx | tx]
        Specify the characteristics of the source port (monitored port) and SPAN session to remove. For session, specify 1.

Configuring RSPAN
This section describes how to configure RSPAN on your switch. It contains this configuration information:
• RSPAN Configuration Guidelines, page 20-10
• Creating an RSPAN Session, page 20-11
• Creating an RSPAN Destination Session, page 20-12
• Removing Ports from an RSPAN Session, page 20-13
RSPAN Configuration Guidelines
To use the RSPAN feature described in this section, you must have the EI installed on your switch.

• You should create an RSPAN VLAN before configuring an RSPAN source or destination session.
• If you enable VTP and VTP pruning, RSPAN traffic is pruned in the trunks to prevent the unwanted flooding of RSPAN traffic across the network for VLAN-IDs that are lower than 1005.
Creating an RSPAN Session
First create an RSPAN VLAN that does not exist for the RSPAN session in any of the switches that will participate in RSPAN.

Step 4  monitor session session_number destination remote vlan vlan-id reflector-port interface
        Specify the RSPAN session, the destination remote VLAN, and the reflector port. For session_number, enter the session number identified with this RSPAN session. For vlan-id, specify the RSPAN VLAN to carry the monitored traffic to the destination port.

Step 5  show monitor [session session_number]
        Verify your entries.
Step 6  copy running-config startup-config
        (Optional) Save your entries in the configuration file.

Displaying SPAN and RSPAN Status
To display the status of the current SPAN or RSPAN configuration, use the show monitor privileged EXEC command.
Chapter 21 Configuring RMON
This chapter describes how to configure Remote Network Monitoring (RMON) on your switch. RMON is a standard monitoring specification that defines a set of statistics and functions that can be exchanged between RMON-compliant console systems and network probes. RMON provides you with comprehensive network-fault diagnosis, planning, and performance-tuning information.

Configuring RMON
Figure 21-1 Remote Monitoring Example
[Figure: a network management station with a generic RMON console application manages a Catalyst 3550 switch that has RMON alarms and events configured, SNMP configured, and RMON history and statistic collection enabled.]

Default RMON Configuration
RMON is disabled by default; no alarms or events are configured. Only RMON 1 is supported on the switch.
Configuring RMON Alarms and Events
You can configure your switch for RMON by using the command-line interface (CLI) or an SNMP-compatible network management station. We recommend that you use a generic RMON console application on the network management station (NMS) to take advantage of RMON's network management capabilities.

Step 3  rmon event number [description string] [log] [owner string] [trap community]
        Add an event in the RMON event table that is associated with an RMON event number.
        • For number, assign an event number. The range is 1 to 65535.
        • (Optional) For description string, specify a description of the event.
        • (Optional) Use the log keyword to generate an RMON log entry when the event is triggered.

Configuring RMON Collection on an Interface
You must first configure RMON alarms and events to display collection information. Beginning in privileged EXEC mode, follow these steps to collect group history statistics on an interface:
Step 1  configure terminal
        Enter global configuration mode.
Step 2  interface interface-id
        Enter interface configuration mode, and specify the interface on which to collect history.

Displaying RMON Status
Step 6  show rmon statistics
        Display the contents of the switch statistics table.
Step 7  copy running-config startup-config
        (Optional) Save your entries in the configuration file.
To disable the collection of group Ethernet statistics, use the no rmon collection stats index interface configuration command.
Chapter 22 Configuring System Message Logging
This chapter describes how to configure system message logging on your switch.
Note: For complete syntax and usage information for the commands used in this chapter, refer to the Cisco IOS Configuration Fundamentals Command Reference for Release 12.1.

Configuring System Message Logging
These sections describe how to configure system message logging:
• System Log Message Format, page 22-2
• Default System Message Logging Configuration, page 22-3
• Disabling and Enabling Message Logging, page 22-4
• Setting the Message Display Destination Device, page 22-4
• Synchronizing Log Messages, page 22-6
• Enabling and Disabling Timestamps on Log Messages, page 22-7
• E

Table 22-1 System Log Message Elements (continued)
Element       Description
MNEMONIC      Text string that uniquely describes the message.
description   Text string containing detailed information about the event being reported.

Disabling and Enabling Message Logging
Message logging is enabled by default. It must be enabled to send messages to any destination other than the console. When enabled, log messages are sent to a logging process, which logs messages to designated locations asynchronously to the processes that generated the messages.

Step 3  logging host
        Log messages to a UNIX syslog server host. For host, specify the name or IP address of the host to be used as the syslog server. To build a list of syslog servers that receive logging messages, enter this command more than once. For complete syslog server configuration steps, see the "Configuring UNIX Syslog Servers" section on page 22-10.

Synchronizing Log Messages
You can configure the system to synchronize unsolicited messages and debug privileged EXEC command output with solicited device output and prompts for a specific console port line or virtual terminal line. You can identify the types of messages to be output asynchronously based on the level of severity.

Step 5  show running-config
        Verify your entries.
Step 6  copy running-config startup-config
        (Optional) Save your entries in the configuration file.
To disable synchronization of unsolicited messages and debug output, use the no logging synchronous [level severity-level | all] [limit number-of-buffers] line configuration command.

Enabling and Disabling Sequence Numbers in Log Messages
Because there is a chance that more than one log message can have the same timestamp, you can display messages with sequence numbers so that you can unambiguously refer to a single message. By default, sequence numbers in log messages are not displayed.
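The message format from Table 22-1 and the sequence numbers described just above, worked through as an added Python example (not switch code and not from this guide): a parser for the seq no:timestamp: %facility-severity-MNEMONIC: description layout, a severity filter that behaves like a logging level, and a check for gaps in the sequence numbers, which is what a collector uses to notice dropped log traffic. The sample messages are constructed.

```python
"""Parser for the switch system message format given in Table 22-1
(seq no:timestamp: %facility-severity-MNEMONIC: description) and two checks a
log collector would run on it: filter by severity the way a logging level does,
and detect gaps in sequence numbers.  Added example, not from the guide; the
sample messages below are constructed."""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# seq no and timestamp appear only when enabled (service sequence-numbers,
# service timestamps); each is followed by a colon and a space.
_MSG_RE = re.compile(
    r"^(?:(?P<seq>\d+): )?"             # optional sequence number
    r"(?:(?P<ts>[^%]+?): )?"            # optional timestamp (uptime or date/time)
    r"%(?P<facility>[A-Z0-9_]+)-(?P<severity>[0-7])-(?P<mnemonic>[A-Z0-9_]+): "
    r"(?P<description>.*)$")

SEVERITY_NAMES = {0: "emergencies", 1: "alerts", 2: "critical", 3: "errors",
                  4: "warnings", 5: "notifications", 6: "informational", 7: "debugging"}


@dataclass
class SyslogMsg:
    seq: Optional[int]
    timestamp: Optional[str]
    facility: str
    severity: int
    mnemonic: str
    description: str


def parse_line(line: str) -> Optional[SyslogMsg]:
    """Return the parsed message, or None for a line that is not a switch message."""
    m = _MSG_RE.match(line.strip())
    if not m:
        return None
    return SyslogMsg(int(m["seq"]) if m["seq"] else None, m["ts"], m["facility"],
                     int(m["severity"]), m["mnemonic"], m["description"])


def at_level(msgs: List[SyslogMsg], level: int) -> List[SyslogMsg]:
    """Messages a destination set to `level` shows: that severity and every
    numerically lower (more severe) one."""
    return [m for m in msgs if m.severity <= level]


def sequence_gaps(msgs: List[SyslogMsg]) -> List[Tuple[int, int]]:
    """(expected, received) pairs where numbered messages never arrived."""
    gaps, prev = [], None
    for m in msgs:
        if m.seq is None:
            continue
        if prev is not None and m.seq != prev + 1:
            gaps.append((prev + 1, m.seq))
        prev = m.seq
    return gaps


# Constructed sample: four numbered messages with a hole, one unnumbered
# message with an uptime timestamp, and one line that is not a switch message.
SAMPLE_LOG = [
    "000019: *Mar  1 00:00:46.211: %LINK-3-UPDOWN: Interface FastEthernet0/1, changed state to up",
    "000020: *Mar  1 00:00:47.302: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/1, changed state to up",
    "000023: *Mar  1 00:02:10.004: %SYS-5-CONFIG_I: Configured from console by vty0 (10.1.1.5)",
    "000024: *Mar  1 00:02:11.110: %PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, caused by MAC address 0008.a343.0002 on port FastEthernet0/2.",
    "00:02:12: %SYS-5-CONFIG_I: Configured from console by console",
    "not a switch message",
]


def analyze(lines: List[str] = SAMPLE_LOG) -> dict:
    msgs = [p for p in map(parse_line, lines) if p]
    return {"parsed": len(msgs),
            "errors_or_worse": [m.mnemonic for m in at_level(msgs, 3)],
            "gaps": sequence_gaps(msgs)}
```

The gap check only works if sequence numbers are enabled on the switch, which is the operational reason to turn them on for any device whose logs feed a SIEM: a timestamp alone cannot show that messages 21 and 22 were lost in transit.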
Step 6  show running-config
        or
        show logging
        Verify your entries.
Step 7  copy running-config startup-config
        (Optional) Save your entries in the configuration file.
Note: Specifying a level causes messages at that level and numerically lower levels to be displayed at the destination.
To disable logging to the console, use the no logging console global configuration command.

Limiting Syslog Messages Sent to the History Table and to SNMP
If you enabled syslog message traps to be sent to an SNMP network management station by using the snmp-server enable trap global configuration command, you can change the level of messages sent and stored in the switch history table. You also can change the number of messages that are stored in the history table.

Logging Messages to a UNIX Syslog Daemon
Before you can send system log messages to a UNIX syslog server, you must configure the syslog daemon on a UNIX server. Log in as root, and perform these steps:
Note: Some recent versions of UNIX syslog daemons no longer accept by default syslog packets from the network.
Step 1

Displaying the Logging Configuration
Step 4  logging facility facility-type
        Configure the syslog facility. See Table 22-4 on page 22-12 for facility-type keywords. The default is local7.
Step 5  end
        Return to privileged EXEC mode.
Step 6  show running-config
        Verify your entries.
Step 7  copy running-config startup-config
        (Optional) Save your entries in the configuration file.
Chapter 23 Configuring SNMP
This chapter describes how to configure the Simple Network Management Protocol (SNMP) on your switch.
Note: For complete syntax and usage information for the commands used in this chapter, refer to the switch command reference for this release and to the Cisco IOS Configuration Fundamentals Command Reference for Release 12.1.

Understanding SNMP
• Using SNMP to Access MIB Variables, page 23-4
• SNMP Notifications, page 23-5
SNMP Versions
This software release supports these SNMP versions:
• SNMPv1: The Simple Network Management Protocol, a Full Internet Standard, defined in RFC 1157.

You must configure the SNMP agent to use the SNMP version supported by the management station. Because an agent can communicate with multiple managers, you can configure the software to support communications with one management station using the SNMPv1 protocol, one using the SNMPv2C protocol and another using SNMPv3.
SNMP Manager Functions
The SNMP manager uses information in the MIB to perform the operations described in Table 23-2.

SNMP Community Strings
SNMP community strings authenticate access to MIB objects and function as embedded passwords. In order for the NMS to access the switch, the community string definitions on the NMS must match at least one of the three community string definitions on the switch.

SNMP Notifications
SNMP allows the switch to send notifications to SNMP managers when particular events occur. SNMP notifications can be sent as traps or inform requests. In command syntax, unless there is an option in the command to select either traps or informs, the keyword traps refers to either traps or informs, or both. Use the snmp-server host command to specify whether to send SNMP notifications as traps or informs.

Configuring SNMP
Default SNMP Configuration
Table 23-3 shows the default SNMP configuration.
Table 23-3 Default SNMP Configuration
Feature                  Default Setting
SNMP agent               Enabled
SNMP community strings   Read-Only: Public
                         Read-Write: Private
                         Read-Write-all: Secret
SNMP trap receiver       None configured
SNMP traps               None enabled
SNMP version             If no version keyword is present, the default is version 1.

Disabling the SNMP Agent
Beginning in privileged EXEC mode, follow these steps to disable the SNMP agent:
Step 1  configure terminal
        Enter global configuration mode.
Step 2  no snmp-server
        Disable the SNMP agent operation.
Step 3  end
        Return to privileged EXEC mode.
Step 4  show running-config
        Verify your entries.
Step 5  copy running-config startup-config
        (Optional) Save your entries in the configuration file.

Step 3  access-list access-list-number {deny | permit} source [source-wildcard]
        (Optional) If you specified an IP standard access list number in Step 2, then create the list, repeating the command as many times as necessary.
        • For access-list-number, enter the access list number specified in Step 2.
        • The deny keyword denies access if the conditions are matched. The permit keyword permits access if the conditions are matched.
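Community strings are embedded passwords (see "SNMP Community Strings" above), Table 23-3 lists the factory values, and the procedure above lets each string be tied to an IP standard access list. The following added Python example (not switch code and not from this guide) audits a saved configuration for the three things a reviewer checks first: factory strings still present, strings with no access list, and access lists that are referenced but never defined. The sample configuration, including its community strings and list numbers, is constructed.

```python
"""Audit of snmp-server community lines in a saved IOS configuration against
the points made in this chapter: factory strings (Table 23-3) must be gone,
every string should be restricted by an IP standard access list, and that list
must actually exist.  Added example, not from the guide; the sample
configuration below is constructed."""
import re
from typing import Dict, List

FACTORY_STRINGS = {"public", "private", "secret"}        # Table 23-3 defaults

# snmp-server community string [view view-name] [ro | rw] [access-list-number]
_COMMUNITY_RE = re.compile(
    r"^\s*snmp-server community (?P<string>\S+)"
    r"(?: view \S+)?(?: (?P<mode>RO|RW))?(?: (?P<acl>\d+))?\s*$", re.IGNORECASE)
_ACL_RE = re.compile(r"^\s*access-list (?P<num>\d+) (permit|deny) ", re.IGNORECASE)


def audit_snmp(config_text: str) -> List[Dict[str, str]]:
    """Return one finding per problem; an empty list means nothing to report."""
    lines = config_text.splitlines()
    defined_acls = {m["num"] for m in map(_ACL_RE.match, lines) if m}
    findings: List[Dict[str, str]] = []
    for line in lines:
        m = _COMMUNITY_RE.match(line)
        if not m:
            continue
        string, mode, acl = m["string"], (m["mode"] or "RO").upper(), m["acl"]
        if string.lower() in FACTORY_STRINGS:
            findings.append({"community": string, "issue": "factory default community string"})
        if acl is None:
            findings.append({"community": string, "issue": f"{mode} access with no access list"})
        elif acl not in defined_acls:
            findings.append({"community": string,
                             "issue": f"references access-list {acl}, which is not defined"})
    return findings


# Constructed sample configuration: two factory strings left in place, one
# properly restricted read-only string, and one string pointing at a missing list.
SAMPLE_CONFIG = """\
hostname Switch
!
access-list 10 permit 10.1.1.5
access-list 10 deny any
!
snmp-server community public RO
snmp-server community private RW
snmp-server community n0c-r34d-0nly RO 10
snmp-server community n0c-wr1te RW 11
snmp-server location Building 3, wiring closet B
"""


def summarize(config_text: str = SAMPLE_CONFIG) -> Dict[str, int]:
    findings = audit_snmp(config_text)
    return {"total": len(findings),
            "factory": sum(f["issue"].startswith("factory") for f in findings),
            "unrestricted": sum("no access list" in f["issue"] for f in findings),
            "dangling": sum("not defined" in f["issue"] for f in findings)}
```

The parser keys on the syntax given in this chapter; strings added with a view keyword are still caught, and an access list referenced by number is only accepted when at least one access-list line with that number appears in the same configuration.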
Beginning in privileged EXEC mode, follow these steps to configure SNMP on the switch:
Step 1  configure terminal
        Enter global configuration mode.
Step 2  snmp-server engineID {local engineid-string | remote ip-address [udp-port port-number] engineid-string}
        Configure a name for either the local or remote copy of SNMP.
        • The engineid-string is a 24-character ID string with the name of the copy of SNMP.

Step 4  snmp-server user username groupname [remote host [udp-port port]] {v1 | v2c | v3 [auth {md5 | sha} auth-password]} [encrypted] [access access-list]
        Configure a new user to an SNMP group.
        • The username is the name of the user on the host that connects to the agent.
        • The groupname is the name of the group to which the user is associated.

Table 23-4 Switch Notification Types (continued)
Notification Type Keyword   Description
hsrp                        Generates a trap for Hot Standby Router Protocol (HSRP) changes.
mac-notification            Generates a trap for MAC address notifications.
rtr                         Generates a trap for the SNMP Response Time Reporter (RTR).
snmp                        Generates a trap for SNMP-type notifications.
syslog                      Generates a trap for SNMP syslog notifications.

Step 5  snmp-server host host-addr [traps | informs] [version {1 | 2c | 3 [auth | noauth]}] community-string [udp-port port] [notification-type]
        Specify the recipient of an SNMP trap operation.
        • For host-addr, specify the name or Internet address of the host (the targeted recipient).
        • (Optional) Enter traps (the default) to send SNMP traps to the host.
Step 6  snmp-server enable traps notification-types

Setting the Agent Contact and Location Information
Beginning in privileged EXEC mode, follow these steps to set the system contact and location of the SNMP agent so that these descriptions can be accessed through the configuration file:
Step 1  configure terminal
        Enter global configuration mode.
Step 2  snmp-server contact text
        Set the system contact string. For example: snmp-server contact Dial System Operator at beeper 21555.

Step 4  end
        Return to privileged EXEC mode.
Step 5  show running-config
        Verify your entries.
Step 6  copy running-config startup-config
        (Optional) Save your entries in the configuration file.
SNMP Examples
This example shows how to enable all versions of SNMP. The configuration permits any SNMP manager to access all objects with read-only permissions using the community string public.

Displaying SNMP Status
To display SNMP input and output statistics, including the number of illegal community string entries, errors, and requested variables, use the show snmp privileged EXEC command. You can also use the other privileged EXEC commands in Table 23-5 to display SNMP information. For information about the fields in the output displays, refer to the Cisco IOS Configuration Fundamentals Command Reference for Release 12.1.
C H A P T E R 24 Configuring Network Security with ACLs This chapter describes how to configure network security on your switch by using access control lists (ACLs), which are also referred to in commands and tables as access lists. You can create ACLs for physical interfaces or management interfaces. A management interface is defined as a management VLAN or any traffic that is going directly to the CPU, such as SNMP, Telnet, or web traffic.
Chapter 24 Configuring Network Security with ACLs Understanding ACLs Understanding ACLs Packet filtering can limit network traffic and restrict network use by certain users or devices. ACLs can filter traffic as it passes through a switch and permit or deny packets at specified interfaces. An ACL is a sequential collection of permit and deny conditions that apply to packets.
Chapter 24 Configuring Network Security with ACLs Understanding ACLs Figure 24-1 Using ACLs to Control Traffic to a Network Host A Catalyst 2950 switch Host B Research & Development network = ACL denying traffic from Host B and permitting traffic from Host A = Packet 65285 Human Resources network Handling Fragmented and Unfragmented Traffic IP packets can be fragmented as they cross the network.
Chapter 24 Configuring Network Security with ACLs Understanding ACLs • Packet A is a TCP packet from host 10.2.2.2, port 65000, going to host 10.1.1.1 on the SMTP port. If this packet is fragmented, the first fragment matches the first ACE (a permit), as if it were a complete packet because all Layer 4 information is present.
Chapter 24 Configuring Network Security with ACLs Understanding ACLs • Layer 4 fields: – TCP (You can specify a TCP source, destination port number, or both at the same time.) – UDP (You can specify a UDP source, destination port number, or both at the same time.) Note A mask can be a combination of either multiple Layer 3 and Layer 4 fields or of multiple Layer 2 fields. Layer 2 fields cannot be combined with Layer 3 or Layer 4 fields.
Chapter 24 Configuring Network Security with ACLs Configuring ACLs Guidelines for Applying ACLs to Physical Interfaces When applying ACLs to physical interfaces, follow these configuration guidelines: • Only one ACL can be attached to an interface. For more information, refer to the ip access-group interface command in the command reference for this release. • All ACEs in an ACL must have the same user-defined mask. However, ACEs can have different rules that use the same mask.
Chapter 24 Configuring Network Security with ACLs Configuring ACLs Unsupported Features The switch does not support these IOS router ACL-related features: • Non-IP protocol ACLs (see Table 24-2 on page 24-8) • Bridge-group ACLs • IP accounting • ACL support on the outbound direction • Inbound and outbound rate limiting (except with QoS ACLs) • IP packets that have a header length of less than 5 bytes • Reflexive ACLs • Dynamic ACLs (except for certain specialized dynamic ACLs used by the sw
Chapter 24 Configuring Network Security with ACLs Configuring ACLs ACL Numbers The number you use to denote your ACL shows the type of access list that you are creating. Table 24-2 lists the access list number and corresponding type and shows whether or not they are supported by the switch. The switch supports IP standard and IP extended access lists, numbers 1 to 199 and 1300 to 2699.
Chapter 24 Configuring Network Security with ACLs Configuring ACLs Creating a Numbered Standard ACL Note For information about creating ACLs to apply to a management interface, refer to the “Configuring IP Services” section of the Cisco IOS IP and IP Routing Configuration Guide and the Command Reference for IOS Release 12.1. You can apply these ACLs only to a management interface.
Chapter 24 Configuring Network Security with ACLs Configuring ACLs This example shows how to create a standard ACL to deny access to IP host 171.69.198.102, permit access to any others, and display the results.
Switch(config)# access-list 2 deny host 171.69.198.102
Switch(config)# access-list 2 permit any
Switch(config)# end
Switch# show access-lists
Standard IP access list 2
deny 171.69.198.
Chapter 24 Configuring Network Security with ACLs Configuring ACLs Note The switch does not support dynamic or reflexive access lists. It also does not support filtering based on the minimize-monetary-cost type of service (ToS) bit. When creating ACEs in numbered extended access lists, remember that after you create the list, any additions are placed at the end of the list. You cannot reorder the list or selectively add or remove ACEs from a numbered list.
Chapter 24 Configuring Network Security with ACLs Configuring ACLs Beginning in privileged EXEC mode, follow these steps to create an extended ACL: Command Purpose Step 1 configure terminal Enter global configuration mode.
Chapter 24 Configuring Network Security with ACLs Configuring ACLs Use the no access-list access-list-number global configuration command to delete the entire access list. You cannot delete individual ACEs from numbered access lists. This example shows how to create and display an extended access list to deny Telnet access from any host in network 171.69.198.0 to any host in network 172.20.52.0 and permit any others.
Chapter 24 Configuring Network Security with ACLs Configuring ACLs Beginning in privileged EXEC mode, follow these steps to create a standard named access list using names: Command Purpose Step 1 configure terminal Enter global configuration mode. Step 2 ip access-list standard {name | access-list-number} Define a standard IP access list by using a name, and enter access-list configuration mode.
Chapter 24 Configuring Network Security with ACLs Configuring ACLs Command Purpose Step 5 show access-lists [number | name] Show the access list configuration. Step 6 copy running-config startup-config (Optional) Save your entries in the configuration file. When making the standard and extended ACL, remember that, by default, the end of the ACL contains an implicit deny statement for everything if it did not find a match before reaching the end.
Chapter 24 Configuring Network Security with ACLs Configuring ACLs Command Purpose Step 3 absolute [start time date] [end time date] Specify when the function it will be applied to is operational. Use some combination of these commands; multiple periodic statements are allowed; only one absolute statement is allowed. If more than one absolute statement is configured, only the one configured last is executed.
Chapter 24 Configuring Network Security with ACLs Configuring ACLs deny tcp any any time-range new_year_day_2000 (inactive) deny tcp any any time-range thanskgiving_2000 (active) deny tcp any any time-range christmas_2000 (inactive) permit tcp any any time-range workhours (inactive) This example uses named ACLs to permit and deny the same traffic.
Chapter 24 Configuring Network Security with ACLs Configuring ACLs In this example, the Jones subnet is not allowed to use outbound Telnet:
Switch(config)# ip access-list extended telnetting
Switch(config-ext-nacl)# remark Do not allow Jones subnet to telnet out
Switch(config-ext-nacl)# deny tcp host 171.69.2.88 any eq telnet
Creating Named MAC Extended ACLs You can filter Layer 2 traffic on a physical Layer 2 interface by using MAC addresses and named MAC extended ACLs.
Chapter 24 Configuring Network Security with ACLs Configuring ACLs This example shows how to create and display an access list named mac1, denying only EtherType DECnet Phase IV traffic, but permitting all other types of traffic.
Chapter 24 Configuring Network Security with ACLs Applying ACLs to Terminal Lines or Physical Interfaces Applying ACLs to Terminal Lines or Physical Interfaces Note Before applying an ACL to a physical interface, see the “Guidelines for Applying ACLs to Physical Interfaces” section on page 24-6. You can apply ACLs to any management interface.
Chapter 24 Configuring Network Security with ACLs Displaying ACL Information Applying ACLs to a Physical Interface Beginning in privileged EXEC mode, follow these steps to control access to a Layer 2 interface: Command Purpose Step 1 configure terminal Enter global configuration mode. Step 2 interface interface-id Identify a specific interface for configuration and enter interface configuration mode. The interface must be a Layer 2 or management interface or a management interface VLAN ID.
Chapter 24 Configuring Network Security with ACLs Displaying ACL Information Displaying ACLs You can display existing ACLs by using show commands. Beginning in privileged EXEC mode, follow these steps to display access lists: Command Purpose Step 1 show access-lists [number | name] Show information about all IP and MAC address access lists or about a specific access list (numbered or named).
Chapter 24 Configuring Network Security with ACLs Examples for Compiling ACLs Displaying Access Groups Note This feature is available only if your switch is running the EI. You use the ip access-group interface configuration command to apply ACLs to a Layer 3 interface. When IP is enabled on an interface, you can use the show ip interface interface-id privileged EXEC command to view the input and output access lists on the interface, as well as other interface characteristics.
Chapter 24 Configuring Network Security with ACLs Examples for Compiling ACLs Use switch ACLs to do these: • Create a standard ACL, and filter traffic from a specific Internet host with an address 172.20.128.64. • Create an extended ACL, and filter traffic to deny HTTP access to all Internet hosts but allow all other types of access.
Chapter 24 Configuring Network Security with ACLs Examples for Compiling ACLs Numbered ACL Examples This example shows that the switch accepts addresses on network 36.0.0.0 subnets and denies all packets coming from 56.0.0.0 subnets. The ACL is then applied to packets entering Gigabit Ethernet interface 0/1.
Switch(config)# access-list 2 permit 36.0.0.0 0.255.255.255
Switch(config)# access-list 2 deny 56.0.0.0 0.255.255.
Chapter 24 Configuring Network Security with ACLs Examples for Compiling ACLs In this example of a numbered ACL, the Winter and Smith workstations are not allowed to browse the web:
Switch(config)# access-list 100 remark Do not allow Winter to browse the web
Switch(config)# access-list 100 deny host 171.69.3.85 any eq www
Switch(config)# access-list 100 remark Do not allow Smith to browse the web
Switch(config)# access-list 100 deny host 171.69.3.
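The following script is an added illustration and is not part of this guide or of the Catalyst software. It models the matching rules this chapter states for IP ACLs: wildcard-mask comparison (a 0 bit must match, a 1 bit is ignored), ACEs checked in configured order with the first match deciding, remarks that do not filter, and the implicit deny at the end of every list. The parser accepts the numbered and named ACE forms shown in the examples above; the two sample lists are constructed for this illustration (ACL 100 is completed with a permit ip any any so that the implicit deny can be contrasted with an explicit permit), and the port-name table covers only the names the chapter uses.

```python
"""Minimal evaluator for Catalyst-style IP ACLs (added example, not from the guide).
ACEs are tried in order, the first match wins, and every list ends with an
implicit deny. Wildcard masks use Cisco semantics: 0 bit = must match,
1 bit = don't care."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

PORT_NAMES = {"telnet": 23, "www": 80, "smtp": 25}  # names used in the chapter's examples
ANY = ("0.0.0.0", "255.255.255.255")                # "any" = address 0.0.0.0, wildcard all-ones


def wildcard_match(addr: str, network: str, wildcard: str) -> bool:
    """Compare only the bits the wildcard mask has set to 0."""
    a = int(ipaddress.IPv4Address(addr))
    n = int(ipaddress.IPv4Address(network))
    care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    return (a & care) == (n & care)


@dataclass
class ACE:
    action: str                     # "permit" or "deny"
    proto: str = "ip"               # "ip" matches tcp and udp as well
    src: tuple = ANY                # (address, wildcard)
    dst: tuple = ANY
    dst_port: Optional[int] = None  # "eq <port>" on the destination, if present

    def matches(self, pkt: dict) -> bool:
        if self.proto != "ip" and pkt["proto"] != self.proto:
            return False
        if not wildcard_match(pkt["src"], *self.src):
            return False
        if not wildcard_match(pkt["dst"], *self.dst):
            return False
        if self.dst_port is not None and pkt.get("dport") != self.dst_port:
            return False
        return True


def _addr(tokens: List[str]) -> tuple:
    """Consume one address spec: 'any', 'host A', or 'A WILDCARD'."""
    t = tokens.pop(0)
    if t == "any":
        return ANY
    if t == "host":
        return (tokens.pop(0), "0.0.0.0")
    return (t, tokens.pop(0))


def parse_ace(line: str) -> Optional[ACE]:
    """Parse one numbered or named ACE; remark lines yield None (they do not filter)."""
    tokens = line.split()
    if tokens[:1] == ["access-list"]:           # numbered form: drop "access-list N"
        tokens = tokens[2:]
    action = tokens.pop(0)
    if action == "remark":
        return None
    if tokens[0] not in ("ip", "tcp", "udp"):   # standard ACE: source address only
        return ACE(action, "ip", _addr(tokens))
    proto = tokens.pop(0)
    src, dst = _addr(tokens), _addr(tokens)
    port = None
    if tokens and tokens[0] == "eq":
        port = PORT_NAMES.get(tokens[1]) or int(tokens[1])
    return ACE(action, proto, src, dst, port)


def build_acl(lines: List[str]) -> List[ACE]:
    return [ace for ace in map(parse_ace, lines) if ace is not None]


def evaluate(acl: List[ACE], pkt: dict) -> str:
    """Return the action of the first matching ACE, or the implicit deny."""
    for ace in acl:
        if ace.matches(pkt):
            return ace.action
    return "deny"


# Constructed sample lists, modelled on the chapter's examples (not the page's own text).
ACL_2 = build_acl([
    "access-list 2 permit 36.0.0.0 0.255.255.255",
    "access-list 2 deny 56.0.0.0 0.255.255.255",
])
ACL_100 = build_acl([
    "access-list 100 remark Do not allow Winter to browse the web",
    "access-list 100 deny tcp host 171.69.3.85 any eq www",
    "access-list 100 permit ip any any",
])

if __name__ == "__main__":
    print(evaluate(ACL_2, {"proto": "tcp", "src": "36.1.2.3", "dst": "10.0.0.1"}))   # permit
    print(evaluate(ACL_2, {"proto": "tcp", "src": "10.1.2.3", "dst": "10.0.0.1"}))   # deny (implicit)
    print(evaluate(ACL_100, {"proto": "tcp", "src": "171.69.3.85",
                             "dst": "192.0.2.10", "dport": 80}))                   # deny
```

The third call shows why the "permit any" in the chapter's standard-ACL example matters: without it, the host from 10.0.0.0 is dropped by the implicit deny even though no ACE names it. Running the evaluator over a proposed list before applying it with ip access-group is a cheap way to confirm that the order of the ACEs produces the intended decisions.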
C H A P T E R 25 Configuring QoS This chapter describes how to configure quality of service (QoS) by using QoS commands. With QoS, you can provide preferential treatment to certain types of traffic at the expense of others. Without QoS, the switch offers best-effort service to each packet, regardless of the packet contents or size. It sends the packets without any assurance of reliability, delay bounds, or throughput.
Chapter 25 Configuring QoS Understanding QoS • Video wizard—Gives traffic that originates from specified video servers a higher priority than the priority of data traffic. The wizard assumes that the video servers are connected to a single device in the cluster. Refer to the video wizard online help for procedures about using this wizard.
Chapter 25 Configuring QoS Understanding QoS Figure 25-1 QoS Classification Layers in Frames and Packets [figure: an encapsulated packet made up of a Layer 2 header, an IP header, and Data; the Layer 2 802. portion of the figure is truncated]
Chapter 25 Configuring QoS Understanding QoS • Marking evaluates the policer and configuration information for the action to be taken when a packet is out of profile and decides what to do with the packet (pass through a packet without modification, mark down the DSCP value in the packet, or drop the packet). For more information, see the “Policing and Marking” section on page 25-6.
Chapter 25 Configuring QoS Understanding QoS Note The trust DSCP configuration is meaningless for non-IP traffic. If you configure a port with this option and non-IP traffic is received, the switch assigns the default port CoS value and classifies traffic based on the CoS value. For IP traffic, you have these classification options: • Trust the IP DSCP in the incoming packet (configure the port to trust DSCP). The switch assigns the same DSCP to the packet for internal use.
Chapter 25 Configuring QoS Understanding QoS Classification Based on Class Maps and Policy Maps A class map is a mechanism that you use to isolate and name a specific traffic flow (or class) from all other traffic. The class map defines the criteria used to match against a specific traffic flow to further classify it; the criteria can include matching the access group defined by the ACL.
Chapter 25 Configuring QoS Understanding QoS • Only one policer can be applied to a packet in the input direction. • Only the average rate and committed burst parameters are configurable. • Policing occurs on the ingress interfaces: – 60 policers are supported on ingress Gigabit-capable Ethernet ports. – 6 policers are supported on ingress 10/100 Ethernet ports. – Granularity for the average burst rate is 1 Mbps for 10/100 ports and 8 Mbps for Gigabit Ethernet ports.
Chapter 25 Configuring QoS Understanding QoS Port Priority Frames received from users in the administratively-defined VLANs are classified or tagged for transmission to other devices. Based on rules that you define, a unique identifier (the tag) is inserted in each frame header before it is forwarded. The tag is examined and understood by each device before any broadcasts or transmissions to other switches, routers, or end stations.
Chapter 25 Configuring QoS Configuring QoS Configuring QoS Before configuring QoS, you must have a thorough understanding of these items: • The types of applications used and the traffic patterns on your network. • Traffic characteristics and needs of your network. Is the traffic bursty? Do you need to reserve bandwidth for voice and video streams? • Bandwidth requirements and speed of the network. • Location of congestion points in the network.
Chapter 25 Configuring QoS Configuring QoS Configuration Guidelines Note These guidelines are applicable only if your switch is running the EI. Before beginning the QoS configuration, you should be aware of this information: • If you have EtherChannel ports configured on your switch, you must configure QoS classification, policing, mapping, and queueing on the individual physical ports that comprise the EtherChannel.
Chapter 25 Configuring QoS Configuring QoS Note Both the EI and SI support this feature. Configuring the Trust State on Ports within the QoS Domain Packets entering a QoS domain are classified at the edge of the QoS domain. When the packets are classified at the edge, the switch port within the QoS domain can be configured to one of the trusted states because there is no need to classify the packets at every switch within the QoS domain. Figure 25-3 shows a sample network topology.
Chapter 25 Configuring QoS Configuring QoS Beginning in privileged EXEC mode, follow these steps to configure the port to trust the classification of the traffic that it receives: Command Purpose Step 1 configure terminal Enter global configuration mode. Step 2 interface interface-id Enter interface configuration mode, and specify the interface to be trusted. Valid interfaces include physical interfaces. Step 3 mls qos trust [cos | dscp] Configure the port trust state.
Chapter 25 Configuring QoS Configuring QoS Configuring the CoS Value for an Interface QoS assigns the CoS value specified with the mls qos cos interface configuration command to untagged frames received on trusted and untrusted ports. Beginning in privileged EXEC mode, follow these steps to define the default CoS value of a port or to assign the default CoS to all incoming packets on the port: Command Purpose Step 1 configure terminal Enter global configuration mode.
Chapter 25 Configuring QoS Configuring QoS However, if a user bypasses the telephone and connects the PC directly to the switch, the CoS labels generated by the PC are trusted by the switch (because of the trusted CoS setting) and can allow misuse of high-priority queues. The trusted boundary feature solves this problem by using the Cisco Discovery Protocol (CDP) to detect the presence of a Cisco IP phone (such as the Cisco IP Phone 7910, 7935, 7940, and 7960) on a switch port.
Chapter 25 Configuring QoS Configuring QoS Table 25-2 Port Configurations When Trusted Boundary is Enabled
Port Configuration | When a Cisco IP Phone is Present | When a Cisco IP Phone is Absent
The port trusts the CoS value of the incoming packet. | The packet CoS value is trusted. | The packet CoS value is assigned the default CoS value.
The port trusts the DSCP value of the incoming packet. | The packet DSCP value is trusted. For tagged non-IP packets, the packet CoS value is set to 0. |
Chapter 25 Configuring QoS Configuring QoS Configuring a QoS Policy Note This feature is available only if your switch is running the EI. Configuring a QoS policy typically requires classifying traffic into classes, configuring policies applied to those traffic classes, and attaching policies to interfaces. For background information, see the “Classification” section on page 25-4 and the “Policing and Marking” section on page 25-6.
Chapter 25 Configuring QoS Configuring QoS Command Purpose Step 3 end Return to privileged EXEC mode. Step 4 show access-lists Verify your entries. Step 5 copy running-config startup-config (Optional) Save your entries in the configuration file. For more information about creating IP standard ACLs, see the “Guidelines for Applying ACLs to Physical Interfaces” section on page 24-6. To delete an ACL, use the no access-list access-list-number global configuration command.
Chapter 25 Configuring QoS Configuring QoS Beginning in privileged EXEC mode, follow these steps to create an IP extended ACL for IP traffic: Command Purpose Step 1 configure terminal Enter global configuration mode.
Chapter 25 Configuring QoS Configuring QoS Command Purpose Step 4 show access-lists Verify your entries. Step 5 copy running-config startup-config (Optional) Save your entries in the configuration file. For more information about creating IP extended ACLs, see the “Guidelines for Applying ACLs to Physical Interfaces” section on page 24-6. To delete an ACL, use the no access-list access-list-number global configuration command.
Chapter 25 Configuring QoS Configuring QoS This example shows how to create a Layer 2 MAC ACL with a permit statement. The statement allows traffic from the host with MAC address 0001.0000.0001 to the host with MAC address 0002.0000.0001.
Switch(config)# mac access-list extended maclist1
Switch(config-ext-macl)# permit host 0001.0000.0001 host 0002.0000.
Chapter 25 Configuring QoS Configuring QoS Command Purpose Step 4 match {access-group acl-index | access-group name acl-name | ip dscp dscp-list} Define the match criterion to classify traffic. By default, no match criterion is supported. Only one match criterion per class map is supported, and only one ACL per class map is supported. For access-group acl-index or access-group name acl-name, specify the number or name of the ACL created in Step 3.
Chapter 25 Configuring QoS Configuring QoS Beginning in privileged EXEC mode, follow these steps to create a policy map: Command Purpose Step 1 configure terminal Enter global configuration mode. Step 2 access-list access-list-number permit {source source-wildcard | host source | any} Create an IP standard or extended ACL for IP traffic or a Layer 2 MAC ACL for non-IP traffic, repeating the command as many times as necessary.
Chapter 25 Configuring QoS Configuring QoS Command Purpose Step 5 set {ip dscp new-dscp} Classify IP traffic by setting a new value in the packet. For ip dscp new-dscp, enter a new DSCP value to be assigned to the classified traffic. The supported DSCP values are 0, 8, 10, 16, 18, 24, 26, 32, 34, 40, 46, 48, and 56. Step 6 police rate-bps burst-byte [exceed-action {drop | dscp dscp-value}] Define a policer for the classified traffic.
Chapter 25 Configuring QoS Configuring QoS Switch(config)# access-list 1 permit 10.1.0.0 0.0.255.
Chapter 25 Configuring QoS Configuring QoS Configuring the CoS-to-DSCP Map You use the CoS-to-DSCP map to map CoS values in incoming packets to a DSCP value that QoS uses internally to represent the priority of the traffic. Table 25-3 shows the default CoS-to-DSCP map.
Table 25-3 Default CoS-to-DSCP Map
CoS value  | 0 | 1 | 2  | 3  | 4  | 5  | 6  | 7
DSCP value | 0 | 8 | 16 | 24 | 32 | 40 | 48 | 56
If these values are not appropriate for your network, you need to modify them.
Chapter 25 Configuring QoS Configuring QoS Configuring the DSCP-to-CoS Map You use the DSCP-to-CoS map to map DSCP values in incoming packets to a CoS value, which is used to select one of the four egress queues. The switch supports these DSCP values: 0, 8, 10, 16, 18, 24, 26, 32, 34, 40, 46, 48, and 56. Table 25-4 shows the default DSCP-to-CoS map.
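The following script is an added illustration, not part of this guide or of the Catalyst software. It strings together the ingress behaviour described in this chapter: the port trust state (untrusted, trust cos, trust dscp), the default port CoS for untagged frames, the trusted-boundary rule from Table 25-2, the default CoS-to-DSCP map from Table 25-3, a token-bucket policer with the exceed-action drop or mark-down choice, and the DSCP-to-CoS map that selects an egress queue. Three things are assumptions, labelled in the code: the DSCP-to-CoS map (Table 25-4 is not reproduced on this page, so each block of eight DSCP values is mapped to one CoS), the CoS-to-queue assignment (two CoS values per queue), and the treatment of an untrusted port as assigning the default port CoS. The Port and Frame types and their field names are constructed for this example.

```python
"""Ingress QoS pipeline simulation (added example, not from the guide):
port trust state -> internal DSCP via the CoS-to-DSCP map -> policer ->
egress CoS/queue via the DSCP-to-CoS map."""
from dataclasses import dataclass, field
from typing import Dict, Optional

COS_TO_DSCP: Dict[int, int] = {0: 0, 1: 8, 2: 16, 3: 24, 4: 32, 5: 40, 6: 48, 7: 56}  # Table 25-3
SUPPORTED_DSCP = {0, 8, 10, 16, 18, 24, 26, 32, 34, 40, 46, 48, 56}                 # per the chapter


def dscp_to_cos(dscp: int) -> int:
    # Assumption: the default DSCP-to-CoS map folds each block of 8 DSCP values
    # onto one CoS value (Table 25-4 is not reproduced on this page).
    return dscp // 8


def egress_queue(dscp: int) -> int:
    # Assumption: four egress queues with two CoS values each (queue 1 = CoS 0-1, ...).
    return dscp_to_cos(dscp) // 2 + 1


@dataclass
class Port:
    trust: Optional[str] = None      # None (untrusted), "cos" or "dscp"  (mls qos trust)
    default_cos: int = 0             # mls qos cos <value>
    trusted_boundary: bool = False   # honour received CoS only when CDP sees a Cisco IP phone
    phone_present: bool = False      # constructed stand-in for the CDP detection result


@dataclass
class Frame:
    is_ip: bool
    tagged: bool = False
    cos: int = 0
    dscp: int = 0
    size: int = 64                   # bytes, consumed by the policer


def classify(port: Port, frame: Frame) -> int:
    """Return the internal DSCP the switch assigns to the frame on ingress."""
    if port.trust == "dscp" and frame.is_ip:
        if frame.dscp not in SUPPORTED_DSCP:
            raise ValueError(f"DSCP {frame.dscp} is not a supported value")
        return frame.dscp
    # "trust dscp" on non-IP traffic, an untagged frame on a "trust cos" port,
    # and (by assumption) an untrusted port all fall back to the port CoS.
    cos = port.default_cos
    if port.trust == "cos" and frame.tagged:
        # Trusted boundary (Table 25-2): the received CoS is honoured only while a phone is present.
        if not port.trusted_boundary or port.phone_present:
            cos = frame.cos
    return COS_TO_DSCP[cos]


@dataclass
class Policer:
    """Token bucket matching 'police rate-bps burst-byte [exceed-action {drop | dscp value}]'."""
    rate_bps: int
    burst_bytes: int
    exceed_action: str = "drop"      # "drop" or "dscp" (mark down)
    markdown_dscp: int = 0
    tokens: float = field(init=False, default=0.0)
    last: float = field(init=False, default=0.0)

    def __post_init__(self):
        self.tokens = float(self.burst_bytes)   # bucket starts full

    def police(self, size: int, dscp: int, now: float) -> Optional[int]:
        """Return the DSCP to forward with, or None when the packet is dropped."""
        refill = (now - self.last) * self.rate_bps / 8          # bits per second -> bytes
        self.tokens = min(float(self.burst_bytes), self.tokens + refill)
        self.last = now
        if self.tokens >= size:
            self.tokens -= size
            return dscp                                          # in profile
        return None if self.exceed_action == "drop" else self.markdown_dscp


def forward(port: Port, frame: Frame, policer: Policer, now: float) -> Optional[int]:
    """Classify, police, and return the egress queue (None if the policer dropped the frame)."""
    dscp = policer.police(frame.size, classify(port, frame), now)
    return None if dscp is None else egress_queue(dscp)


if __name__ == "__main__":
    phone_port = Port(trust="cos", trusted_boundary=True, phone_present=True)
    pc_port = Port(trust="cos", trusted_boundary=True, phone_present=False)
    voice = Frame(is_ip=True, tagged=True, cos=5)
    print(classify(phone_port, voice), classify(pc_port, voice))   # 40 0
```

The last line reproduces the trusted-boundary scenario from this chapter: the same CoS 5 frame is mapped to DSCP 40 when a phone is present, and to the port default (DSCP 0) when a PC has been plugged in directly, so a host cannot promote itself into the high-priority queue by tagging its own frames.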
Chapter 25 Configuring QoS Configuring QoS Configuring CoS and WRR Note This feature is supported by both the EI and SI. This section describes how to configure CoS priorities and weighted round-robin (WRR): • Configuring CoS Priority Queues, page 25-27 • Configuring WRR, page 25-27 Configuring CoS Priority Queues Beginning in privileged EXEC mode, follow these steps to configure the CoS priority queues: Command Purpose Step 1 configure terminal Enter global configuration mode.
Chapter 25 Configuring QoS Displaying QoS Information To disable the WRR scheduler and enable the strict priority scheduler, use the no wrr-queue bandwidth global configuration command. Displaying QoS Information To display QoS information, use one or more of the privileged EXEC commands in Table 25-5: Table 25-5 Commands for Displaying QoS Information Command Purpose show class-map [class-map-name] 1 Display QoS class maps, which define the match criteria to classify traffic.
Chapter 25 Configuring QoS QoS Configuration Examples QoS Configuration Examples Note These examples are applicable only if your switch is running the EI. This section provides a QoS migration path to help you quickly implement QoS features based on your existing network and planned changes to your network, as shown in Figure 25-4.
Chapter 25 Configuring QoS QoS Configuration Examples QoS Configuration for the Existing Wiring Closet The existing wiring closet in Figure 25-4 consists of existing Catalyst 2900 XL and 3500 XL switches. These switches are running IOS release 12.0(5)XP or later, which supports the QoS-based IEEE 802.1P CoS values. QoS classifies frames by assigning priority-indexed CoS values to them and gives preference to higher-priority traffic.
Chapter 25 Configuring QoS QoS Configuration Examples Command Purpose Step 9 police 5000000 8192 exceed-action drop Define a policer for the classified video traffic to drop traffic that exceeds 5-Mbps average traffic rate with an 8192-byte burst size. Step 10 exit Return to policy-map configuration mode. Step 11 exit Return to global configuration mode. Step 12 interface gigabitethernet0/1 Enter interface configuration mode, and specify the ingress interface.
C H A P T E R 26 Configuring EtherChannels This chapter describes how to configure EtherChannel on Layer 2 interfaces. EtherChannel provides fault-tolerant high-speed links between switches, routers, and servers. You can use it to increase the bandwidth between the wiring closets and the data center, and you can deploy it anywhere in the network where bottlenecks are likely to occur. EtherChannel provides automatic recovery for the loss of a link by redistributing the load across the remaining links.
Chapter 26 Configuring EtherChannels Understanding EtherChannels Figure 26-1 Typical EtherChannel Configuration [figure: a Catalyst 8500, 6000, 5500, or 4000 series switch linked by Gigabit EtherChannel (1000BASE-X) to Catalyst 3550-12T switches and a Catalyst 2950G-24 switch, which connect to workstations over 10/100 switched links] Each EtherChannel can consist of up to eight compatibly configured Ethernet interfaces.
Chapter 26 Configuring EtherChannels Understanding EtherChannels Figure 26-2 Relationship of Physical Ports, Logical Port Channels, and Channel Groups [figure: the 10/100 ports and GBIC module slots of a Catalyst 2950 series switch bound through channel groups to logical port-channel interfaces] After you configure an EtherChannel, configur
Chapter 26 Configuring EtherChannels Understanding EtherChannels PAgP Modes Table 26-1 shows the user-configurable EtherChannel modes for the channel-group interface configuration command: on, auto, and desirable. Switch interfaces exchange PAgP packets only with partner interfaces configured in the auto or desirable modes; interfaces configured in the on mode do not exchange PAgP packets.
Chapter 26 Configuring EtherChannels Understanding EtherChannels Physical Learners and Aggregate-Port Learners Network devices are classified as PAgP physical learners or aggregate-port learners. A device is a physical learner if it learns addresses by physical ports and directs transmissions based on that knowledge. A device is an aggregate-port learner if it learns addresses by aggregate (logical) ports.
Chapter 26 Configuring EtherChannels Understanding EtherChannels Use the option that provides the greatest variety in your configuration. For example, if the traffic on a channel is going only to a single MAC address, using the destination-MAC address always chooses the same link in the channel; using source addresses or IP addresses might result in better load balancing.
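The following script is an added illustration, not part of this guide or of the Catalyst software, of the load-balancing advice above. The switch selects a member link in hardware from the address the port-channel load-balance setting names; the exact hash is not described on this page, so the script uses the low-order byte of the selected address modulo the number of links (an assumption, labelled in the code). The eight constructed frames all go from different workstations to one server, which is enough to show why destination-MAC balancing pins every frame to one link while source-based balancing spreads them.

```python
"""EtherChannel link selection by load-balance method (added example, not the
switch's real hardware hash). Shows how the choice of address affects the
spread of flows across member links."""
from collections import Counter
from typing import Dict, List

METHODS = ("src-mac", "dst-mac", "src-ip", "dst-ip")   # the address each method keys on


def _low_byte(address: str) -> int:
    """Low-order byte of a colon-separated MAC or a dotted IPv4 address."""
    if ":" in address:
        return int(address.split(":")[-1], 16)
    return int(address.split(".")[-1])


def link_for(frame: Dict[str, str], method: str, n_links: int) -> int:
    """Pick a member link index (0..n_links-1) for one frame."""
    if method not in METHODS:
        raise ValueError(f"unknown load-balance method {method!r}")
    key = frame[method.replace("-", "_")]
    # Assumption: low-order byte of the selected address, modulo the link count.
    # The real switch applies a hardware hash, but the effect shown here is the same:
    # one value of the selected address always maps to the same link.
    return _low_byte(key) % n_links


def distribution(frames: List[Dict[str, str]], method: str, n_links: int) -> Dict[int, int]:
    """Count how many of the frames land on each member link."""
    return dict(Counter(link_for(f, method, n_links) for f in frames))


# Constructed traffic: eight workstations talking to a single server.
FRAMES = [
    {"src_mac": f"00:11:22:33:44:{i:02x}", "dst_mac": "00:aa:bb:cc:dd:10",
     "src_ip": f"10.1.1.{i}", "dst_ip": "10.1.1.100"}
    for i in range(1, 9)
]

if __name__ == "__main__":
    for method in METHODS:
        print(f"{method:8s} -> {distribution(FRAMES, method, 4)}")
```

With four member links the dst-mac and dst-ip methods put all eight frames on a single link, while src-mac and src-ip place two frames on each link; the same comparison run over a capture of real traffic tells you which setting to give port-channel load-balance on your switch.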
Chapter 26 Configuring EtherChannels Configuring EtherChannels Configuring EtherChannels These sections describe how to configure EtherChannel interfaces: • Default EtherChannel Configuration, page 26-7 • EtherChannel Configuration Guidelines, page 26-8 • Configuring Layer 2 EtherChannels, page 26-8 • Configuring EtherChannel Load Balancing, page 26-10 • Configuring the PAgP Learn Method and Priority, page 26-11 Note Make sure that the interfaces are correctly configured (see the “EtherChannel
Chapter 26 Configuring EtherChannels Configuring EtherChannels EtherChannel Configuration Guidelines If improperly configured, some EtherChannel interfaces are automatically disabled to avoid network loops and other problems. Follow these guidelines to avoid configuration problems: • Configure an EtherChannel with up to eight Ethernet interfaces of the same type. Note Do not configure a GigaStack GBIC port as part of an EtherChannel.
Chapter 26 Configuring EtherChannels Configuring EtherChannels Beginning in privileged EXEC mode, follow these steps to assign a Layer 2 Ethernet interface to a Layer 2 EtherChannel: Command Purpose Step 1 configure terminal Enter global configuration mode. Step 2 interface interface-id Enter interface configuration mode, and specify a physical interface to configure. Valid interfaces include physical interfaces.
Chapter 26 Configuring EtherChannels Configuring EtherChannels To remove an interface from the EtherChannel group, use the no channel-group interface configuration command. If you delete the EtherChannel by using the no interface port-channel global configuration command without removing the physical interfaces, the physical interfaces are shut down. If you do not want the member physical interfaces to shut down, remove the physical interfaces before deleting the EtherChannel.
Chapter 26 Configuring EtherChannels Displaying EtherChannel and PAgP Status Command Purpose Step 4 show etherchannel load-balance Verify your entries. Step 5 copy running-config startup-config (Optional) Save your entries in the configuration file. To return EtherChannel load balancing to the default configuration, use the no port-channel load-balance global configuration command.
C H A P T E R 27 Troubleshooting This chapter describes how to identify and resolve software problems related to the IOS software. Depending on the nature of the problem, you can use the command-line interface (CLI) or the Cluster Management Suite (CMS) to identify and solve problems. To identify and resolve Cisco-approved Coarse Wave Division Multiplexer (CWDM) Gigabit Interface Converter (GBIC) problems, you must have the enhanced software image (EI) installed on your switch.
Chapter 27 Troubleshooting Using Recovery Procedures Recovering from Corrupted Software Switch software can be corrupted during an upgrade, by downloading the wrong file to the switch, and by deleting the image file. In all of these cases, the switch does not pass the power-on self-test (POST), and there is no connectivity. This procedure uses the XMODEM Protocol to recover from a corrupt or wrong image file.
Chapter 27 Troubleshooting Using Recovery Procedures Step 4 Press the Mode button, and at the same time, reconnect the power cord to the switch. You can release the Mode button a second or two after the LED above port 1X goes off. Several lines of information about the software appear, as do instructions: The system has been interrupted prior to initializing the flash file system.
Chapter 27 Troubleshooting Using Recovery Procedures Step 13 Copy the configuration file into memory:
switch# copy flash:config.text system:running-config
Source filename [config.text]?
Destination filename [running-config]?
Press Return in response to the confirmation prompts. The configuration file is now reloaded, and you can use the following normal commands to change the password.
Chapter 27 Troubleshooting Using Recovery Procedures Replacing a Failed Command Switch with a Cluster Member To replace a failed command switch with a command-capable member in the same cluster, follow these steps: Step 1 Disconnect the command switch from the member switches, and physically remove it from the cluster. Step 2 Insert the member switch in place of the failed command switch, and duplicate its connections to the cluster members. Step 3 Start a CLI session on the new command switch.
Chapter 27 Troubleshooting Using Recovery Procedures Step 11 Respond to the questions in the setup program. When prompted for the host name, recall that on a command switch, the host name is limited to 28 characters; on a member switch to 31 characters. Do not use -n, where n is a number, as the last characters in a host name for any switch.
Chapter 27 Troubleshooting Using Recovery Procedures Basic management setup configures only enough connectivity for management of the system, extended setup will ask you to configure each interface on the system Would you like to enter basic management setup? [yes/no]: Step 6 Enter Y at the first prompt.
Chapter 27 Troubleshooting Preventing Autonegotiation Mismatches Preventing Autonegotiation Mismatches The IEEE 802.3AB autonegotiation protocol manages the switch settings for speed (10 Mbps, 100 Mbps, and 1000 Mbps excluding GBIC ports) and duplex (half or full). There are situations when this protocol can incorrectly align these settings, reducing performance.
Chapter 27 Troubleshooting Using Debug Commands Caution Because debugging output is assigned high priority in the CPU process, it can render the system unusable. For this reason, use debug commands only to troubleshoot specific problems or during troubleshooting sessions with Cisco technical support staff. It is best to use debug commands during periods of lower network traffic and fewer users.
Chapter 27 Troubleshooting Using the crashinfo File The no debug all privileged EXEC command disables all diagnostic output. Using the no debug all command is a convenient way to ensure that you have not accidentally left any debug commands enabled. Redirecting Debug and Error Message Output By default, the network server sends the output from debug commands and system error messages to the console.
C H A P T E R A Supported MIBs This appendix lists the supported management information base (MIBs) for this release.
Chapter A Supported MIBs Using FTP to Access the MIB Files
• CISCO-VLAN-MEMBERSHIP-MIB
• CISCO-VTP-MIB
• ENTITY-MIB
• IANAifType-MIB
• IF-MIB (RFC 1573)
• OLD-CISCO-CHASSIS-MIB
• OLD-CISCO-CPU-MIB
• OLD-CISCO-INTERFACES-MIB
• OLD-CISCO-IP-MIB
• OLD-CISCO-MEMORY-MIB
• OLD-CISCO-SYSTEM-MIB
• OLD-CISCO-TCP-MIB
• OLD-CISCO-TS-MIB
• RFC1213-MIB
• RFC1398-MIB
• RMON-MIB (RFC 1757)
• RS-232-MIB
• SNMPv2-MIB
• SNMPv2-SMI
• SNMPv2-TC
• TCP-MIB
• UDP-MIB
Using FTP to Acc
I N D EX access lists Numerics See ACLs 802.1D access ports See STP defined 802.1Q 9-2 in switch clusters and trunk ports 9-3 accounting configuration limitations 13-16 native VLAN for untagged traffic trunk mode 6-11 3-8 with RADIUS 13-20 7-27 with TACACS+ 7-10, 7-16 ACEs 802.1S defined See MSTP 24-2 Ethernet 802.1W IP See RSTP 802.1X See port-based authentication 802.
Index ACLs (continued) addresses (continued) extended IP dynamic configuring for QoS classification creating 25-18 matching criteria default aging 24-7 defined 24-9 IP implicit deny adding secure 24-9 management interfaces, applying to matching criteria named 24-21 virtual terminal lines, setting on matching 24-20 7-56 7-52 address resolution 7-59 Address Resolution Protocol See ARP table 24-8 protocol parameters address table, adding secure addresses 24-10 standard IP 7-57 adv
alarms, RMON allowed-VLAN list Apply button automatic recovery, clusters 21-3 See also HSRP 13-19 autonegotiation 3-27 ARP table interface configuration guidelines address resolution managing mismatches 7-59 vendor-specific 7-29 7-28 B authentication local mode with AAA NTP associations 7-31 BackboneFast 7-35 described RADIUS 7-20 1-3 bandwidth graphs 3-7 banners 7-10 configuring 7-12 login 12-19 support for 7-22 TACACS+ key 12-10 enabling defined 27-8 See voice
BPDU guard CDP (continued) described 12-3 enabling 12-15 support for overview transmission timer and holdtime, setting updates 1-3 broadcast storm control configuring disabling change notification, CMS 16-2 3-30 Cisco Access Analog Trunk Gateway 17-3 browser configuration Cisco CallManager software 3-1, 6-1 19-2 19-2 CGMP, joining multicast group 17-1 buttons, CMS 19-1 1-13 1-12, 1-13 Cisco Discovery Protocol 3-27 See CDP Cisco Intelligence Engine 2100 Series Configuratio
CLI (continued) clusters, switch (continued) history RADIUS changing the buffer size SNMP 2-5 6-18 6-17, 6-27 described 2-5 switch-specific features disabling 2-6 TACACS+ recalling commands managing clusters redundancy 2-5 no and default forms of commands client mode, VTP 2-4 See system clock 1-6 considerations clusters, switch 6-16 adding member switches 6-21 automatic discovery 6-5 automatic recovery 6-13 compatibility 6-23 defined 6-2 requirements 6-20 6-5 icons
CMS (continued) online help command switch (continued) 3-25 requirements 3-28 saving configuration changes toolbar window components in clusters 3-26 overview 3-24 SNMP 23-4 6-17 3-30 configuration examples, network See CLI collapsed backbone and switch cluster command modes 2-1 cost-effective wiring closet abbreviating 2-3 no and default network performance 7-7 network services command switch accessing large campus 6-13, 6-24 command switch with HSRP disabled (CC) configu
conventions default configuration command xxvi for examples text xxvi xxvi CoS configuring 25-27 25-8 described banners 7-49 CDP 19-2 DNS 7-48 override priority IGMP filtering 16-19 IGMP snooping 16-5 Layer 2 interfaces 15-5 25-25 MVR counters, clearing interface 9-16 NTP cross-stack UplinkFast, STP connecting stack ports 12-5 enabling 12-18 QoS 12-8 12-7 normal-convergence events 12-7 Stack Membership Discovery Protocol 12-6 21-3 RSPAN 20-6 SNMP 23-6 SPAN
device icons domain names Front Panel view 3-5 Topology view device labels 3-11 Front Panel view DTP 1-4, 13-15 dynamic access mode DHCP-based autoconfiguration 9-10 3-8 dynamic access ports client request message exchange characteristics 4-4 configuring configuring client side 25-26 duplex mode, configuring 3-22 1-2 defined 4-3 13-3 13-29 9-2 dynamic addresses 4-6 relay device server-side See addresses 4-6 dynamic desirable trunking mode 4-5 TFTP server described
error checking, CMS events, RMON 3-30 error messages examples during command entry conventions for 2-4 setting the display destination device severity levels Expand Cluster view expert mode 22-2 EtherChannel 1-7 3-10 3-24 extended-range VLANs automatic creation of configuration guidelines 26-3 configuration guidelines default configuration configuring 26-8 26-7 destination MAC address forwarding displaying status 26-5 13-12, 13-13 defined 13-1 STP 11-14 10-4, 10-12 Exten
Front Panel view cluster tree H 3-5 command switch described HC (candidate switch) 3-4 hello time 3-4 pop-up menus 6-24 MSTP 3-20 STP 11-19 10-19 port icons 3-6 port LEDs 3-7 help, for the command line RPS LED 3-6 Help button, CMS switch images Help Contents 3-5 FTP, accessing MIB files 3-27 3-25 history A-2 changing the buffer size G described 2-5 disabling 2-6 recalling commands GBICs 1000BASE-LX/LH module 1-9 host name list, CMS 1000BASE-ZX module 1-9 host
icons (continued) IGMP snooping editable table cell Front Panel view multilink configuring 3-27 16-5 default configuration 3-6 definition 3-21 16-1 sorting 3-27 enabling and disabling toolbar 3-19 global configuration Topology view web link Immediate Leave 3-11 method 3-27 IE2100 described enabling configuration agent enabling event agent configuration service number 5-2 9-4 range macros configuration guidelines joining multicast group 16-2 leaving multicast group 16-9
interfaces (continued) supported types of IP information assigned 9-4 manually 9-1 interfaces range macro command inventory, cluster 4-10 through DHCP-based autoconfiguration 9-8 default configuration 6-25 IOS command-line interface 4-3 IP multicast routing and IGMP snooping 16-1, 16-5 IP phones See CLI and QoS IP 15-1 named extended ACL 24-14 configuring named standard ACL 24-14 trusted boundary for QoS numbered extended ACL 24-10 numbered standard ACL 24-9 management i
link labels management options 3-12 link pop-up menu, Topology view links, unidirectional lists, CMS benefits 3-21 clustering 18-1 CMS 3-27 login authentication with RADIUS 7-22 with TACACS+ login banners CLI 7-13 1-6 2-1 CMS 3-1 CNS 5-1 overview 7-49 log messages 1-6 1-5 management VLAN See system message logging changing loop guard 6-19 considerations in switch clusters described discovery through different management VLANs 12-13 enabling discovery through same ma
menu bar monitoring (continued) described 3-14 traffic flowing among switches variations 3-14 traffic suppression messages VLANs system VMPS 3-18 to users through banners VTP 7-49 metropolitan-area networks 17-12 13-14 13-31 14-16 MSTP See MANs boundary ports MIBs configuration guidelines accessing files with FTP location of files overview described A-2 23-1 supported 23-4 11-10 described 12-3 enabling 12-16 BPDU guard A-1 mini-point-of-presence See POP describe
MSTP (continued) multicast groups extended system ID affects on root switch and IGMP snooping Immediate Leave 11-14 affects on secondary root switch unexpected behavior 11-16 11-14 interface state, blocking to forwarding 12-2 interoperability with 802.
network examples NTP (continued) collapsed backbone and switch cluster source IP address, configuring 1-12 design concepts stratum cost-effective wiring closet high-performance workgroup network performance network services services 1-13 O 1-10 network management online help 3-25 1-5 overheating indication, switch 3-5 23-1 P See NTP PAgP no commands 2-4 nontrunking mode See EtherChannel 13-16 pass-through mode normal-range VLANs configuration modes defined default configura
PC (passive command switch) per-VLAN Spanning Tree (PVST) EAPOL-start frame 10-2 per-VLAN Spanning Tree+ (PVST+) physical ports port-based authentication (continued) 6-13, 6-24 EAP-request/identity frame 10-8 802.
port pop-up menu, Front Panel view 3-20 port priority MSTP STP privileged EXEC mode privilege levels changing the default for lines 11-17 command switch 10-15 ports exiting 802.
QoS (continued) QoS (continued) classification (continued) policers trusted boundary, described trusted CoS, described types for IP traffic configuring 25-13 described 25-4 types for non-IP traffic types of 25-4 class maps displaying 25-6 characteristics of 25-28 configuring common wiring closet displaying 25-30 intelligent wiring closet configuration guidelines trust states 25-27 default port CoS value 25-18 IP standard ACLs 25-16 policy maps 25-21 QoS policy 25-11 25-
RADIUS (continued) in clusters restricting access NTP services 6-18 limiting the services to the user method list, defined operation of overview overview 7-26 7-1 passwords and privilege levels 7-19 RADIUS 7-18 tracking services accessed by user 7-9 retry count, VMPS, changing 7-17 13-30 RFC 7-27 range 1112, IP multicast and IGMP 1157, SNMPv1 9-8 of interfaces 1305, NTP 9-6 Rapid Spanning Tree Protocol 23-2 21-2 1901, SNMPv2C reconfirmation interval, VMPS, changing recover
running configuration, saving RSPAN (continued) displaying status 20-14 interaction with other features monitored ports 20-5 S 20-4 monitoring ports overview 20-4 SC (standby command switch) 1-5, 20-1 received traffic 4-10 secure addresses 20-3 reflector port 20-4 session limits 20-6 6-13, 6-24 adding 7-57 described 7-57 secure ports, configuring sessions security, port 17-4 17-4 creating 20-11 sequence numbers in log messages defined 20-3 server mode, VTP removing
SNMP (continued) SPAN configuration examples default configuration groups configuration guidelines 23-14 default configuration 23-6 23-8 in clusters 6-17 informs 20-6 destination ports 20-4 displaying status 20-14 interaction with other features and trap keyword described monitored ports 23-10 enabling overview 23-5 20-4 1-5, 20-1 received traffic 23-12 limiting access by TFTP servers limiting system log messages to NMS manager functions 22-10 23-3 managing clusters wit
static access ports STP (continued) assigning to VLAN defined configuring 13-11 forward-delay time 9-2, 13-3 static addresses hello time static VLAN membership path cost 802.
STP (continued) switch clustering technology 6-1 See clusters, switch load sharing overview switched ports 13-21 using path costs Switch Manager 13-23 using port priorities 9-2 3-2, 3-31 See also Device Manager 13-21 loop guard switchport protected command described enabling switch priority 12-13 MSTP 12-20 multicast addresses, affect of overview STP 10-8 11-19 10-18 syslog 10-2 path costs 17-3 See system message logging 13-23, 13-24 system clock Port Fast described 1
system message logging (continued) Telnet UNIX syslog servers accessing management interfaces configuring the daemon accessing the CLI 22-11 configuring the logging facility facilities supported 22-11 1-6 2-10 setting a password 22-12 system messages on CMS from a browser 7-5 Terminal Access Controller Access Control System Plus 3-18 system name See TACACS+ default configuration default setting terminal lines, setting a password 7-46 configuration files in base directory 7-46
TOS 1-4 U traffic fragmented UDLD 24-3 unfragmented default configuration 24-3 traffic policing echoing detection mechanism 1-5 transparent mode, VTP trap-door mechanism globally 4-2 configuring MAC address notification enabling neighbor database 23-10 overview 18-5 18-6 unauthorized ports with 802.
VLAN configuration at bootup saving VLANs (continued) modifying 13-7 native, configuring 13-7 VLAN configuration mode normal-range 2-2, 13-6 VLAN database parameters and startup configuration file and VTP 13-4 supported 13-6 vlan global configuration command VLAN ID, discovering 3-8, 13-3 13-11 STP and 802.
voice VLAN (continued) VTP (continued) configuring ports for voice traffic in 802.1P priority tagged frames 802.
WRR configuring defining 25-27 25-8 description 25-8 X XMODEM protocol 27-2 Catalyst 2950 Desktop Switch Software Configuration Guide 78-11380-05 IN-29