Catalyst 2960 Switch Software Configuration Guide Cisco IOS Release 12.2(25)FX September 2005 Corporate Headquarters Cisco Systems, Inc. 170 West Tasman Drive San Jose, CA 95134-1706 USA http://www.cisco.
THE SPECIFICATIONS AND INFORMATION REGARDING THE PRODUCTS IN THIS MANUAL ARE SUBJECT TO CHANGE WITHOUT NOTICE. ALL STATEMENTS, INFORMATION, AND RECOMMENDATIONS IN THIS MANUAL ARE BELIEVED TO BE ACCURATE BUT ARE PRESENTED WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED. USERS MUST TAKE FULL RESPONSIBILITY FOR THEIR APPLICATION OF ANY PRODUCTS.
CONTENTS Preface xxvii Audience xxvii Purpose xxvii Conventions xxviii Related Publications xxviii Obtaining Documentation xxix Cisco.
Where to Go Next 1-16 CHAPTER 2 Using the Command-Line Interface 2-1 Understanding Command Modes 2-1 Understanding the Help System 2-3 Understanding Abbreviated Commands 2-4 Understanding no and default Forms of Commands 2-4 Understanding CLI Error Messages 2-5 Using Command History 2-5 Changing the Command History Buffer Size 2-5 Recalling Commands 2-6 Disabling the Command History Feature 2-6 Using Editing Features 2-6 Enabling and Disabling Editing Features 2-7 Editing Commands throu
Specifying the Filename to Read and Write the System Configuration 3-12 Booting Manually 3-13 Booting a Specific Software Image 3-13 Controlling Environment Variables 3-14 Scheduling a Reload of the Software Image 3-15 Configuring a Scheduled Reload 3-16 Displaying Scheduled Reload Information 3-17 CHAPTER 4 Configuring IE2100 CNS Agents 4-1 Understanding IE2100 Series Configuration Registrar Software 4-1 CNS Configuration Service 4-2 CNS Event Service 4-3 NameSpace Mapper 4-3 What You Shou
CHAPTER 6 Administering the Switch 6-1 Managing the System Time and Date 6-1 Understanding the System Clock 6-2 Understanding Network Time Protocol 6-2 Configuring NTP 6-4 Default NTP Configuration 6-4 Configuring NTP Authentication 6-5 Configuring NTP Associations 6-6 Configuring NTP Broadcast Service 6-7 Configuring NTP Access Restrictions 6-8 Configuring the Source IP Address for NTP Packets 6-10 Displaying the NTP Configuration 6-11 Configuring Time and Date Manually 6-11 Setting the Syste
CHAPTER 7 Configuring SDM Templates 7-1 Understanding the SDM Templates 7-1 Configuring the Switch SDM Template 7-2 Default SDM Template 7-2 SDM Template Configuration Guidelines 7-2 Setting the SDM Template 7-2 Displaying the SDM Templates 7-3 CHAPTER 8 Configuring Switch-Based Authentication 8-1 Preventing Unauthorized Access to Your Switch 8-1 Protecting Access to Privileged EXEC Commands 8-2 Default Password and Privilege Level Configuration 8-2 Setting or Changing a Static Enab
Configuring RADIUS Authorization for User Privileged Access and Network Services 8-27 Starting RADIUS Accounting 8-28 Configuring Settings for All RADIUS Servers 8-29 Configuring the Switch to Use Vendor-Specific RADIUS Attributes 8-29 Configuring the Switch for Vendor-Proprietary RADIUS Server Communication 8-30 Displaying the RADIUS Configuration 8-31 Configuring the Switch for Local Authentication and Authorization Configuring the Switch for Secure Shell 8-33 Understanding SSH 8-33 SSH Servers,
Using IEEE 802.1x with VLAN Assignment 9-8 Using IEEE 802.1x with Guest VLAN 9-10 Configuring IEEE 802.1x Authentication 9-10 Default IEEE 802.1x Configuration 9-11 IEEE 802.1x Configuration Guidelines 9-12 Configuring IEEE 802.
Configuring IEEE 802.
Displaying VLANs 12-13 Configuring VLAN Trunks 12-14 Trunking Overview 12-14 IEEE 802.
VTP Configuration in Global Configuration Mode 13-7 VTP Configuration in VLAN Database Configuration Mode 13-7 VTP Configuration Guidelines 13-8 Domain Names 13-8 Passwords 13-8 VTP Version 13-8 Configuration Requirements 13-9 Configuring a VTP Server 13-9 Configuring a VTP Client 13-11 Disabling VTP (VTP Transparent Mode) 13-12 Enabling VTP Version 2 13-13 Enabling VTP Pruning 13-14 Adding a VTP Client Switch to a VTP Domain 13-14 Monitoring VTP 13-16 CHAPTER 14 Configuring Voice VLAN 14-1
How a Switch or Port Becomes the Root Switch or Root Port 15-7 Spanning Tree and Redundant Connectivity 15-8 Spanning-Tree Address Management 15-8 Accelerated Aging to Retain Connectivity 15-8 Spanning-Tree Modes and Protocols 15-9 Supported Spanning-Tree Instances 15-9 Spanning-Tree Interoperability and Backward Compatibility 15-10 STP and IEEE 802.
Bridge Protocol Data Unit Format and Processing 16-9 Processing Superior BPDU Information 16-10 Processing Inferior BPDU Information 16-10 Topology Changes 16-10 Configuring MSTP Features 16-11 Default MSTP Configuration 16-11 MSTP Configuration Guidelines 16-12 Specifying the MST Region Configuration and Enabling MSTP Configuring the Root Switch 16-14 Configuring a Secondary Root Switch 16-15 Configuring Port Priority 16-16 Configuring Path Cost 16-17 Configuring the Switch Priority 16-18 Configu
Enabling EtherChannel Guard 17-14 Enabling Root Guard 17-15 Enabling Loop Guard 17-15 Displaying the Spanning-Tree Status 17-16 CHAPTER 18 Configuring Flex Links 18-1 Understanding Flex Links 18-1 Configuring Flex Links 18-2 Default Flex Link Configuration 18-2 Flex Link Configuration Guidelines 18-2 Configuring Flex Links 18-3 Monitoring Flex Links 18-3 CHAPTER 19 Configuring DHCP Features 19-1 Understanding DHCP Features 19-1 DHCP Server 19-2 DHCP Relay Agent 19-2 DHCP Snooping 1
Configuring IGMP Snooping 20-6 Default IGMP Snooping Configuration 20-6 Enabling or Disabling IGMP Snooping 20-6 Setting the Snooping Method 20-7 Configuring a Multicast Router Port 20-8 Configuring a Host Statically to Join a Group 20-9 Enabling IGMP Immediate Leave 20-9 Configuring the IGMP Leave Timer 20-10 Configuring TCN-Related Commands 20-11 Controlling the Multicast Flooding Time After a TCN Event Recovering from Flood Mode 20-12 Disabling Multicast Flooding During a TCN Event 20-12 Config
Configuring a Protected Port 21-6 Configuring Port Blocking 21-6 Default Port Blocking Configuration 21-6 Blocking Flooded Traffic on an Interface 21-7 Configuring Port Security 21-7 Understanding Port Security 21-8 Secure MAC Addresses 21-8 Security Violations 21-9 Default Port Security Configuration 21-10 Port Security Configuration Guidelines 21-10 Enabling and Configuring Port Security 21-11 Enabling and Configuring Port Security Aging 21-15 Displaying Port-Based Traffic Control Settings CH
SPAN Configuration Guidelines 23-10 Creating a Local SPAN Session 23-10 Creating a Local SPAN Session and Configuring Incoming Traffic 23-13 Specifying VLANs to Filter 23-15 Configuring RSPAN 23-16 RSPAN Configuration Guidelines 23-16 Configuring a VLAN as an RSPAN VLAN 23-17 Creating an RSPAN Source Session 23-18 Creating an RSPAN Destination Session 23-19 Creating an RSPAN Destination Session and Configuring Incoming Traffic Specifying VLANs to Filter 23-22 Displaying SPAN and RSPAN Status CHAP
Default System Message Logging Configuration 26-3 Disabling Message Logging 26-3 Setting the Message Display Destination Device 26-4 Synchronizing Log Messages 26-5 Enabling and Disabling Time Stamps on Log Messages 26-7 Enabling and Disabling Sequence Numbers in Log Messages 26-7 Defining the Message Severity Level 26-8 Limiting Syslog Messages Sent to the History Table and to SNMP 26-9 Configuring UNIX Syslog Servers 26-10 Logging Messages to a UNIX Syslog Daemon 26-11 Configuring the UNIX Syste
Configuring IPv4 ACLs 28-4 Creating Standard and Extended IPv4 ACLs 28-5 Access List Numbers 28-6 Creating a Numbered Standard ACL 28-7 Creating a Numbered Extended ACL 28-8 Resequencing ACEs in an ACL 28-12 Creating Named Standard and Extended ACLs 28-12 Using Time Ranges with ACLs 28-14 Including Comments in ACLs 28-15 Applying an IPv4 ACL to a Terminal Line 28-16 Applying an IPv4 ACL to an Interface 28-17 Hardware and Software Treatment of IP ACLs 28-17 IPv4 ACL Configuration Examples 28-18 Num
Configuring Auto-QoS 29-19 Generated Auto-QoS Configuration 29-19 Effects of Auto-QoS on the Configuration 29-24 Auto-QoS Configuration Guidelines 29-24 Enabling Auto-QoS for VoIP 29-25 Auto-QoS Configuration Example 29-26 Displaying Auto-QoS Information 29-28 Configuring Standard QoS 29-28 Default Standard QoS Configuration 29-29 Default Ingress Queue Configuration 29-29 Default Egress Queue Configuration 29-30 Default Mapping Table Configuration 29-31 Standard QoS Configuration Guidelines 29-3
Configuring Egress Queue Characteristics 29-62 Configuration Guidelines 29-62 Allocating Buffer Space to and Setting WTD Thresholds for an Egress Queue-Set Mapping DSCP or CoS Values to an Egress Queue and to a Threshold ID 29-64 Configuring SRR Shaped Weights on Egress Queues 29-66 Configuring SRR Shared Weights on Egress Queues 29-67 Configuring the Egress Expedite Queue 29-68 Limiting the Bandwidth on an Egress Interface 29-68 Displaying Standard QoS Information CHAPTER 30 Configuring EtherC
Recovering from a Command Switch Failure 31-7 Replacing a Failed Command Switch with a Cluster Member 31-8 Replacing a Failed Command Switch with Another Switch 31-9 Recovering from Lost Cluster Member Connectivity 31-11 Preventing Autonegotiation Mismatches 31-11 SFP Module Security and Identification 31-11 Monitoring SFP Module Status 31-12 Using Ping 31-12 Understanding Ping 31-12 Executing Ping 31-13 Using Layer 2 Traceroute 31-13 Understanding Layer 2 Traceroute 31-14 Usage Guidelines 31-
Copying Files B-4 Deleting Files B-5 Creating, Displaying, and Extracting tar Files B-5 Creating a tar File B-6 Displaying the Contents of a tar File B-6 Extracting a tar File B-7 Displaying the Contents of a File B-8 Working with Configuration Files B-8 Guidelines for Creating and Using Configuration Files B-9 Configuration File Types and Location B-9 Creating a Configuration File By Using a Text Editor B-10 Copying Configuration Files By Using TFTP B-10 Preparing to Download or Upload a Configur
Copying Image Files By Using RCP B-29 Preparing to Download or Upload an Image File By Using RCP B-29 Downloading an Image File By Using RCP B-31 Uploading an Image File By Using RCP B-32 APPENDIX C Recommendations for Upgrading a Catalyst 2950 Switch to a Catalyst 2960 Switch Configuration Compatibility Issues C-1 Feature Behavior Incompatibilities C-5 APPENDIX D Unsupported Commands in Cisco IOS Release 12.
Spanning Tree D-4 Unsupported Global Configuration Command D-4 Unsupported Interface Configuration Command D-4 VLAN D-4 Unsupported Global Configuration Commands D-4 Unsupported vlan-config Command D-5 Unsupported User EXEC Commands D-5 VTP D-5 Unsupported Privileged EXEC Commands D-5 INDEX Catalyst 2960 Switch Software Configuration Guide xxvi 78-16881-01
Preface Audience This guide is for the networking professional managing the Catalyst 2960 switch, hereafter referred to as the switch. Before using this guide, you should have experience working with the Cisco IOS software and be familiar with the concepts and terminology of Ethernet and local area networking. Purpose This guide provides the information that you need to configure Cisco IOS software features on your switch.
Conventions This publication uses these conventions to convey instructions and information: Command descriptions use these conventions: • Commands and keywords are in boldface text. • Arguments for which you supply values are in italic. • Square brackets ([ ]) mean optional elements. • Braces ({ }) group required choices, and vertical bars ( | ) separate the alternative elements.
• For cluster requirements, see the Release Notes for Cisco Network Assistant (not orderable but available on Cisco.com). • For upgrading information, see the “Downloading Software” section in the release notes. You can order printed copies of documents with a DOC-xxxxxx= number from the Cisco.com sites and from the telephone numbers listed in the “Obtaining Documentation” section on page xxix.
Product Documentation DVD Cisco documentation and additional literature are available in the Product Documentation DVD package, which may have shipped with your product. The Product Documentation DVD is updated regularly and may be more current than printed documentation. The Product Documentation DVD is a comprehensive library of technical product documentation on portable media.
Cisco Product Security Overview Cisco provides a free online Security Vulnerability Policy portal at this URL: http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html From this site, you can perform these tasks: • Report security vulnerabilities in Cisco products. • Obtain assistance with security incidents that involve Cisco products. • Register to receive security information from Cisco.
Obtaining Technical Assistance Cisco Technical Support provides 24-hour-a-day award-winning technical assistance. The Cisco Technical Support & Documentation website on Cisco.com features extensive online support resources. In addition, if you have a valid Cisco service contract, Cisco Technical Assistance Center (TAC) engineers provide telephone support. If you do not have a valid Cisco service contract, contact your reseller.
To open a service request by telephone, use one of the following numbers: Asia-Pacific: +61 2 8446 7411 (Australia: 1 800 805 227) EMEA: +32 2 704 55 55 USA: 1 800 553-2447 For a complete list of Cisco TAC contacts, go to this URL: http://www.cisco.com/techsupport/contacts Definitions of Service Request Severity To ensure that all service requests are reported in a standard format, Cisco has established severity definitions.
• iQ Magazine is the quarterly publication from Cisco Systems designed to help growing companies learn how they can use technology to increase revenue, streamline their business, and expand services. The publication identifies the challenges facing these companies and the technologies to help solve them, using real-world case studies and business strategies to help readers make sound technology investment decisions.
CHAPTER 1 Overview This chapter provides these topics about the Catalyst 2960 switch software: • Features, page 1-1 • Default Settings After Initial Switch Configuration, page 1-8 • Network Configuration Examples, page 1-11 • Where to Go Next, page 1-16 In this document, IP refers to IP Version 4 (IPv4). Features Some features described in this chapter are available only on the cryptographic (supports encryption) version of the software.
Ease-of-Use and Ease-of-Deployment Features • Express Setup for quickly configuring a switch for the first time with basic IP information, contact information, switch and Telnet passwords, and Simple Network Management Protocol (SNMP) information through a browser-based program. For more information about Express Setup, see the getting started guide.
Performance Features • Autosensing of port speed and autonegotiation of duplex mode on all switch ports for optimizing bandwidth • Automatic-medium-dependent interface crossover (auto-MDIX) capability on 10/100 and 10/100/1000 Mbps interfaces and on 10/100/1000 BASE-TX SFP module interface that enables the interface to automatically detect the required cable connection type (straight-through or crossover) and to configure the connection appropriately • Support for up to 90
• CLI—The Cisco IOS software supports desktop- and multilayer-switching features. You can access the CLI either by connecting your management station directly to the switch console port or by using Telnet from a remote management station. For more information about the CLI, see Chapter 2, “Using the Command-Line Interface.” • SNMP—SNMP management applications such as CiscoWorks2000 LAN Management Suite (LMS) and HP OpenView.
Note • In-band management access through SNMP Versions 1, 2c, and 3 get and set requests • Out-of-band management access through the switch console port to a directly attached terminal or to a remote terminal through a serial connection or a modem For additional descriptions of the management interfaces, see the “Network Configuration Examples” section on page 1-11.
VLAN Features • Support for up to 255 VLANs for assigning users to VLANs associated with appropriate network resources, traffic patterns, and bandwidth • Support for VLAN IDs in the 1 to 4094 range as allowed by the IEEE 802.1Q standard • VLAN Query Protocol (VQP) for dynamic VLAN membership • IEEE 802.
– Guest VLAN to provide limited services to non-IEEE 802.1x-compliant users – IEEE 802.1x accounting to track network usage • TACACS+, a proprietary feature for managing network security through a TACACS server • RADIUS for verifying the identity of, granting access to, and tracking the actions of remote users through authentication, authorization, and accounting (AAA) services • SecureSocket Layer (SSL) Version 3.0 support for the HTTP1.
• Egress queues and scheduling – Four egress queues per port – WTD as the congestion-avoidance mechanism for managing the queue lengths and providing drop precedences for different traffic classifications – SRR as the scheduling service for specifying the rate at which packets are dequeued to the egress interface (shaping or sharing is supported on egress queues).
Default Settings After Initial Switch Configuration If you do not configure the switch at all, the switch operates with these default settings: • Default switch IP address, subnet mask, and default gateway is 0.0.0.0. For more information, see Chapter 3, “Assigning the Switch IP Address and Default Gateway,” and Chapter 19, “Configuring DHCP Features.” • Default domain name is not configured. For more information, see Chapter 3, “Assigning the Switch IP Address and Default Gateway.
• For STP, PVST+ is enabled on VLAN 1. For more information, see Chapter 15, “Configuring STP.” • MSTP is disabled. For more information, see Chapter 16, “Configuring MSTP.” • Optional spanning-tree features are disabled. For more information, see Chapter 17, “Configuring Optional Spanning-Tree Features.” • Flex Links are not configured. For more information, see Chapter 18, “Configuring Flex Links.
Network Configuration Examples This section provides network configuration concepts and includes examples of using the switch to create dedicated network segments and interconnecting the segments through Fast Ethernet and Gigabit Ethernet connections.
Bandwidth alone is not the only consideration when designing your network. As your network traffic profiles evolve, consider providing network services that can support applications for voice and data integration, multimedia integration, application prioritization, and security. Table 1-2 describes some network demands and how you can meet them.
[Figure 1-1 High-Performance Workgroup (Gigabit-to-the-Desktop): Catalyst 3750 switches, access-layer Catalyst switches, WAN, Cisco 2600 router] • Server aggregation (Figure 1-2)—You can use the switches to interconnect groups of servers, centralizing physical security and administration of your network.
[Figure 1-2 Server Aggregation: campus core Catalyst 6500 switches, Catalyst 3750 StackWise switch stacks, server racks, access-layer Catalyst switches] Small to Medium-Sized Network Using Catalyst 2960 Switches Figure 1-3 shows a configuration for a network of up to 500 employees. This network uses Catalyst 2960 switches with high-speed connections to two routers.
Catalyst PoE switch ports automatically detect any Cisco pre-standard and IEEE 802.3af-compliant powered devices that are connected. Each PoE switch port provides 15.4 W of power per port. The powered device, such as a Cisco IP Phone, can receive redundant power when it is also connected to an AC power source. Powered devices not connected to Catalyst PoE switches must be connected to AC power sources to receive power.
[Figure 1-4 Long-Distance, High-Bandwidth Transport Configuration: access layer, aggregation layer, CWDM OADM modules, eight 1-Gbps connections (8 Gbps), Catalyst 4500 multilayer switches, Catalyst switches] Where to Go Next Before configuring the switch, review these sections for startup information: • Chapter 2, “Using the Command-Line Interface” • Chapter 3, “Assigning the Switch IP Address and Default Gateway”
CHAPTER 2 Using the Command-Line Interface This chapter describes the Cisco IOS command-line interface (CLI) and how to use it to configure your Catalyst 2960 switch.
Understanding Command Modes Table 2-1 Command Mode Summary
Mode | Access Method | Prompt | Exit Method | About This Mode
User EXEC | Begin a session with your switch. | Switch> | Enter logout or quit. | Use this mode to • Change terminal settings. • Perform basic tests. • Display system information.
Privileged EXEC | While in user EXEC mode, enter the enable command. | Switch# | Enter disable to exit. |
Table 2-1 Command Mode Summary (continued)
Interface configuration | While in global configuration mode, enter the interface command (with a specific interface). | Switch(config-if)# | To exit to global configuration mode, enter exit. To return to privileged EXEC mode, press Ctrl-Z or enter end. | Use this mode to configure parameters for the Ethernet ports.
Table 2-2 Help Summary (continued)
Command | Purpose
? | List all commands available for a particular command mode. For example: Switch> ?
command ? | List the associated keywords for a command. For example: Switch> show ?
command keyword ? | List the associated arguments for a keyword.
Understanding CLI Error Messages Table 2-3 lists some error messages that you might encounter while using the CLI to configure your switch.
Table 2-3 Common CLI Error Messages
Error Message | Meaning | How to Get Help
% Ambiguous command: "show con" | You did not enter enough characters for your switch to recognize the command. |
Beginning in line configuration mode, enter this command to configure the number of command lines the switch records for all sessions on a particular line: Switch(config-line)# history [size number-of-lines] The range is from 0 to 256. Recalling Commands To recall commands from the history buffer, perform one of the actions listed in Table 2-4. These actions are optional.
Enabling and Disabling Editing Features Although enhanced editing mode is automatically enabled, you can disable it, re-enable it, or configure a specific line to have enhanced editing. These procedures are optional.
Table 2-5 Editing Commands through Keystrokes (continued)
Capability | Keystroke | Purpose
Capitalize or lowercase words or capitalize a set of letters. (continued) | |
| Press Ctrl-D. | Delete the character at the cursor.
| Press Ctrl-K. | Delete all characters from the cursor to the end of the command line.
| Press Ctrl-U or Ctrl-X. | Delete all characters from the cursor to the beginning of the command line.
| Press Ctrl-W. |
In this example, the access-list global configuration command entry extends beyond one line. When the cursor first reaches the end of the line, the line is shifted ten spaces to the left and redisplayed. The dollar sign ($) shows that the line has been scrolled to the left. Each time the cursor reaches the end of the line, the line is again shifted ten spaces to the left.
Accessing the CLI through a Console Connection or through Telnet Before you can access the CLI, you must connect a terminal or PC to the switch console port and power on the switch as described in the hardware installation guide that shipped with your switch. Then, to understand the boot process and the options available for assigning IP information, see Chapter 3, “Assigning the Switch IP Address and Default Gateway.
CHAPTER 3 Assigning the Switch IP Address and Default Gateway This chapter describes how to create the initial switch configuration (for example, assigning the switch IP address and default gateway information) for the Catalyst 2960 switch by using a variety of automatic and manual methods. It also describes how to modify the switch startup configuration.
The boot loader provides access to the flash file system before the operating system is loaded. Normally, the boot loader is used only to load, uncompress, and launch the operating system. After the boot loader gives the operating system control of the CPU, the boot loader is not active until the next system reset or power-on.
These sections contain this configuration information: • Default Switch Information, page 3-3 • Understanding DHCP-Based Autoconfiguration, page 3-3 • Manually Assigning IP Information, page 3-9 Default Switch Information Table 3-1 shows the default switch information.
Table 3-1 Default Switch Information
Feature | Default Setting
IP address and subnet mask | No IP address or subnet mask is defined.
DHCP Client Request Process When you boot your switch, the DHCP client is invoked and requests configuration information from a DHCP server when the configuration file is not present on the switch.
Configuring DHCP-Based Autoconfiguration These sections contain this configuration information: • DHCP Server Configuration Guidelines, page 3-5 • Configuring the TFTP Server, page 3-5 • Configuring the DNS, page 3-6 • Configuring the Relay Device, page 3-6 • Obtaining Configuration Files, page 3-7 • Example Configuration, page 3-8 If your DHCP server is a Cisco device, see the “Configuring DHCP” section
If you did not specify the configuration filename or the TFTP server, or if the configuration file could not be downloaded, the switch attempts to download a configuration file by using various combinations of filenames and TFTP server addresses. The files include the specified configuration filename (if any) and these files: network-config, cisconet.cfg, hostname.config, or hostname.
[Figure 3-2 Relay Device Used in Autoconfiguration: switch (DHCP client) and Cisco router (relay) on the 10.0.0.2 / 10.0.0.1 segment; DHCP server 20.0.0.3, TFTP server 20.0.0.4, DNS server 20.0.0.2]
Note The switch broadcasts TFTP server requests if the TFTP server is not obtained from the DHCP replies, if all attempts to read the configuration file through unicast transmissions fail, or if the TFTP server name cannot be resolved to an IP address. Example Configuration Figure 3-3 shows a sample network for retrieving IP information by using DHCP-based autoconfiguration.
TFTP Server Configuration (on UNIX) The TFTP server base directory is set to /tftpserver/work/. This directory contains the network-confg file used in the two-file read method. This file contains the hostname to be assigned to the switch based on its IP address.
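As an added example (not from the guide), the pieces an administrator would put in place for the autoconfiguration described above, written as Cisco IOS configuration with the addresses of Figure 3-2. The DHCP pool hands the switch its address, gateway, DNS server, TFTP server, and first configuration file; the relay router forwards the switch's DHCP broadcast to the DHCP server; and the TFTP server's network-confg maps the leased address to the hostname for the two-file read. The pool name, the router interface name, the hostname switch1, and the leased address 10.0.0.21 are constructed; the ip host line format of network-confg and the use of DHCP option 150 plus bootfile to carry the TFTP server and filename are assumptions to check against the "Configuring DHCP" chapter for this release. The two files are shown in Cisco IOS syntax because that is what the switch reads from them.

```cisco
! --- On the DHCP server (20.0.0.3): lease for the 10.0.0.0/24 switch segment ---
! Keep the relay router's own address out of the pool.
ip dhcp excluded-address 10.0.0.1
ip dhcp pool AUTOCONFIG
 network 10.0.0.0 255.255.255.0
 default-router 10.0.0.1
 dns-server 20.0.0.2
 ! TFTP server address (option 150) and the first file to fetch, so the
 ! switch does not have to guess either one.
 option 150 ip 20.0.0.4
 bootfile network-confg
!
! --- On the relay router, interface facing the switch (10.0.0.1) ---
! Forwards the switch's DHCP broadcast as unicast to the DHCP server.
interface FastEthernet0/0
 ip address 10.0.0.1 255.255.255.0
 ip helper-address 20.0.0.3
!
! --- On the TFTP server (20.0.0.4): /tftpserver/work/network-confg ---
! Read first; the entry whose address matches the lease sets the hostname.
ip host switch1 10.0.0.21
!
! --- On the TFTP server (20.0.0.4): /tftpserver/work/switch1-confg ---
! Read second, once the hostname is switch1; the rest of the switch
! configuration goes here.
hostname switch1
```

Because the lease names both the TFTP server and the first file, the switch reads its configuration by unicast from 20.0.0.4 and does not fall into the broadcast TFTP requests described in the Note above; the TFTP server's transfer log is the place to confirm that a newly booted switch fetched network-confg and then its hostname-specific file from this server and no other.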
Step 5 | ip default-gateway ip-address | Enter the IP address of the next-hop router interface that is directly connected to the switch where a default gateway is being configured. The default gateway receives IP packets with unresolved destination IP addresses from the switch.
ip address 172.20.137.50 255.255.255.0
no ip directed-broadcast
!
ip default-gateway 172.20.137.
Default Boot Configuration Table 3-3 shows the default boot configuration.
Table 3-3 Default Boot Configuration
Feature | Default Setting
Operating system software image | The switch attempts to automatically boot the system using information in the BOOT environment variable.
To return to the default setting, use the no boot config-file global configuration command. Booting Manually By default, the switch automatically boots; however, you can configure it to manually boot. Beginning in privileged EXEC mode, follow these steps to configure the switch to manually boot during the next boot cycle:
Step 1 | configure terminal | Enter global configuration mode.
Step 1 | configure terminal | Enter global configuration mode.
Step 2 | boot system filesystem:/file-url | Configure the switch to boot a specific image in flash memory during the next boot cycle. • For filesystem:, use flash: for the system board flash device. • For file-url, specify the path (directory) and the name of the bootable image. Filenames and directory names are case sensitive.
Note For complete syntax and usage information for the boot loader commands and environment variables, see the command reference for this release. Table 3-4 describes the function of the most common environment variables.
Table 3-4 Environment Variables
Variable | Boot Loader Command | Cisco IOS Global Configuration Command
BOOT | set BOOT filesystem:/file-url ... | boot system filesystem:/file-url ...
Configuring a Scheduled Reload To configure your switch to reload the software image at a later time, use one of these commands in privileged EXEC mode: • reload in [hh:]mm [text] This command schedules a reload of the software to take effect in the specified minutes or hours and minutes. The reload must take place within approximately 24 days.
Displaying Scheduled Reload Information To display information about a previously scheduled reload or to find out if a reload has been scheduled on the switch, use the show reload privileged EXEC command. It displays reload information including the time the reload is scheduled to occur and the reason for the reload (if it was specified when the reload was scheduled).
CHAPTER 4 Configuring IE2100 CNS Agents
This chapter describes how to configure the Intelligence Engine 2100 (IE2100) Series Cisco Networking Services (CNS) embedded agents on your Catalyst 2960 switch.
Note: For complete syntax and usage information for the commands used in this section, see the Cisco Intelligence Engine 2100 Series Configuration Registrar Manual, and select Cisco IOS Software Release 12.2 > New Feature Documentation > 12.2(2)T on Cisco.com.
Understanding IE2100 Series Configuration Registrar Software
Figure 4-1 Configuration Registrar Architectural Overview (figure: a service provider network, the Configuration Registrar with its data service directory, configuration server and event service, a web-based user interface, and order entry configuration management)
These sections contain this conceptual information:
• CNS Configuration Service, page 4-2
• CNS Event Service, page 4-3
• What You Should Know About ConfigID, Devi
CNS Event Service
The Configuration Registrar uses the CNS Event Service for receipt and generation of configuration events. The CNS event agent resides on the switch and facilitates the communication between the switch and the event gateway on the Configuration Registrar. The CNS Event Service is a highly capable publish-and-subscribe communication method.
DeviceID
Each configured switch participating on the event bus has a unique deviceID, which is analogous to the switch source address so that the switch can be targeted as a specific destination on the bus. All switches configured with the cns config partial global configuration command must access the event bus.
Understanding CNS Embedded Agents
The CNS event agent feature allows the switch to publish and subscribe to events on the event bus and works with the CNS configuration agent.
Incremental (Partial) Configuration
After the network is running, new services can be added by using the CNS configuration agent. Incremental (partial) configurations can be sent to the switch. The actual configuration can be sent as an event payload by way of the event gateway (push operation) or as a signal event that triggers the switch to initiate a pull operation.
Configuring CNS Embedded Agents
Table 4-1 Prerequisites for Enabling Automatic Configuration
Device | Required Configuration
Access switch | Factory default (no configuration file)
Distribution switch | • IP helper address • Enable DHCP relay agent • IP routing (if used as default gateway)
DHCP server | • IP address assignment • TFTP server IP address • Path to bootstrap configuration file on the TFTP ser
TFTP server |
IE2100 Configuration Registrar |
Note
Enabling the CNS Event Agent
Note: You must enable the CNS event agent on the switch before you enable the CNS configuration agent.
Beginning in privileged EXEC mode, follow these steps to enable the CNS event agent on the switch:
Step 1
  Command: configure terminal
  Purpose: Enter global configuration mode.
This example shows how to enable the CNS event agent, set the IP address gateway to 10.180.1.27, set 120 seconds as the keepalive interval, and set 10 as the retry count.
Switch(config)# cns event 10.180.1.27 keepalive 120 10
Enabling the CNS Configuration Agent
After enabling the CNS event agent, start the CNS configuration agent on the switch.
Step 3
  Command: config-cli or line-cli
  Purpose: Enter config-cli to connect to the Configuration Registrar through the interface defined in cns config connect-intf. Enter line-cli to connect to the Registrar through modem dialup lines.
Note: The config-cli interface configuration command accepts the special directive character & that acts as a placeholder for the interface name.
Step 8
  Command: cns config initial {ip-address | hostname} [port-number] [event] [no-persist] [page page] [source ip-address] [syntax-check]
  Purpose: Enable the configuration agent, and initiate an initial configuration.
  • For {ip-address | hostname}, enter the IP address or the hostname of the configuration server.
  • (Optional) For port-number, enter the port number of the configuration server. The default port number is 80.
Enabling a Partial Configuration
Beginning in privileged EXEC mode, follow these steps to enable the CNS configuration agent and to initiate a partial configuration on the switch:
Step 1
  Command: configure terminal
  Purpose: Enter global configuration mode.
Step 2
  Command: cns config partial {ip-address | hostname} [port-number] [source ip-address]
  Purpose: Enable the configuration agent, and initiate a partial configuration.
Displaying CNS Configuration
You can use the privileged EXEC commands in Table 4-2 to display CNS configuration information.
Table 4-2 Displaying CNS Configuration
Command: show cns config connections
  Purpose: Displays the status of the CNS configuration agent connections.
Command: show cns config outstanding
  Purpose: Displays information about incremental (partial) CNS configurations that have started but are not yet completed.
CHAPTER 5 Clustering Switches
This chapter provides an overview of the concepts and of the procedures used to create and manage Catalyst 2960 switch clusters. You can create and manage switch clusters by using Network Assistant, the command-line interface (CLI), or SNMP. Configuring switch clusters is more easily done from Network Assistant than through the CLI or SNMP.
Understanding Switch Clusters
Using switch clusters simplifies the management of multiple switches, regardless of their physical location and platform families. Clustering also provides redundancy through standby cluster command switches. In a switch cluster, 1 switch must be the cluster command switch and up to 15 other switches can be cluster member switches. The total number of switches in a cluster cannot exceed 16 switches.
• It is redundantly connected to the cluster so that connectivity to cluster member switches is maintained.
• It is not a command or member switch of another cluster.
Note: Standby cluster command switches must be the same type of switches as the cluster command switch. For example, if the cluster command switch is a Catalyst 2960 switch, the standby cluster command switches must also be Catalyst 2960 switches.
If you do not know the member-switch number, enter the show cluster members privileged EXEC command on the cluster command switch. For more information about the rcommand command and all other cluster commands, see the switch command reference. The Telnet session accesses the member-switch CLI at the same privilege level as on the cluster command switch. The Cisco IOS commands then operate as usual.
Using SNMP to Manage Switch Clusters
Note: When a cluster standby group is configured, the cluster command switch can change without your knowledge. Use the first read-write and read-only community strings to communicate with the cluster command switch if there is a cluster standby group configured for the cluster.
CHAPTER 6 Administering the Switch
This chapter describes how to perform one-time operations to administer the Catalyst 2960 switch.
Managing the System Time and Date
Understanding the System Clock
The heart of the time service is the system clock. This clock runs from the moment the system starts up and keeps track of the date and time.
Cisco's implementation of NTP does not support stratum 1 service; it is not possible to connect to a radio or atomic clock. We recommend that the time service for your network be derived from the public NTP servers available on the IP Internet. Figure 6-1 shows a typical network example using NTP. Switch A is the NTP master, with Switches B, C, and D configured in NTP server mode, in server association with Switch A.
Configuring NTP
The switch does not have a hardware-supported clock and cannot function as an NTP master clock to which peers synchronize themselves when an external NTP source is not available. The switch also has no hardware support for a calendar. As a result, the ntp update-calendar and the ntp master global configuration commands are not available.
Configuring NTP Authentication
This procedure must be coordinated with the administrator of the NTP server; the information you configure in this procedure must be matched by the servers used by the switch to synchronize its time to the NTP server.
Configuring NTP Associations
An NTP association can be a peer association (this switch can either synchronize to the other device or allow the other device to synchronize to it), or it can be a server association (meaning that only this switch synchronizes to the other device, and not the other way around).
Configuring NTP Broadcast Service
The communications between devices running NTP (known as associations) are usually statically configured; each device is given the IP addresses of all devices with which it should form associations. Accurate timekeeping is possible by exchanging NTP messages between each pair of devices with an association. However, in a LAN environment, NTP can be configured to use IP broadcast messages instead.
Beginning in privileged EXEC mode, follow these steps to configure the switch to receive NTP broadcast packets from connected peers:
Step 1
  Command: configure terminal
  Purpose: Enter global configuration mode.
Step 2
  Command: interface interface-id
  Purpose: Specify the interface to receive NTP broadcast packets, and enter interface configuration mode.
Step 3
  Command: ntp broadcast client
  Purpose: Enable the interface to receive NTP broadcast packets.
Creating an Access Group and Assigning a Basic IP Access List
Beginning in privileged EXEC mode, follow these steps to control access to NTP services by using access lists:
Step 1
  Command: configure terminal
  Purpose: Enter global configuration mode.
Step 2
  Command: ntp access-group {query-only | serve-only | serve | peer} access-list-number
  Purpose: Create an access group, and apply a basic IP access list.
To remove access control to the switch NTP services, use the no ntp access-group {query-only | serve-only | serve | peer} global configuration command. This example shows how to configure the switch to allow itself to synchronize to a peer from access list 99.
Step 4
  Command: show running-config
  Purpose: Verify your entries.
Step 5
  Command: copy running-config startup-config
  Purpose: (Optional) Save your entries in the configuration file.
The specified interface is used for the source address for all packets sent to all destinations.
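The NTP authentication, association, access-group and source-address procedures above, combined into one configuration as an added example that is not from the guide. The server address 172.20.130.5, key number 42, the key text and the source interface are placeholders.

```cisco
! Added example, not from the guide. 172.20.130.5, key 42, the key text and Vlan1 are placeholders.
! Authenticated NTP: a packet must carry a trusted key before it may adjust the clock.
ntp authenticate
ntp authentication-key 42 md5 replace-with-ntp-key
ntp trusted-key 42
! Server association: this switch synchronizes to 172.20.130.5, never the other way around.
ntp server 172.20.130.5 key 42
! Once any access group exists, only matching sources get NTP service at all; access list 99
! grants the peer class (synchronization and control queries) to the time source alone.
access-list 99 permit host 172.20.130.5
ntp access-group peer 99
! Send every NTP packet from one stable address so the server's own ACL can identify this switch.
ntp source Vlan1
```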
This example shows how to manually set the system clock to 1:32 p.m. on July 23, 2001:
Switch# clock set 13:32:00 23 July 2001
Displaying the Time and Date Configuration
To display the time and date configuration, use the show clock [detail] privileged EXEC command. The system clock keeps an authoritative flag that shows whether the time is authoritative (believed to be accurate).
Configuring Summer Time (Daylight Saving Time)
Beginning in privileged EXEC mode, follow these steps to configure summer time (daylight saving time) in areas where it starts and ends on a particular day of the week each year:
Step 1
  Command: configure terminal
  Purpose: Enter global configuration mode.
Step 2
  Command: clock summer-time zone recurring
  Purpose: Configure summer time to start and end on the specified days every year.
Beginning in privileged EXEC mode, follow these steps if summer time in your area does not follow a recurring pattern (configure the exact date and time of the next summer time events):
Step 1
  Command: configure terminal
  Purpose: Enter global configuration mode.
Step 2
  Command: clock summer-time zone date [month date year hh:mm month date year hh:mm
  Purpose: Configure summer time to start on the first date and end on the second date.
Configuring a System Name and Prompt
These sections contain this configuration information:
• Default System Name and Prompt Configuration, page 6-15
• Configuring a System Name, page 6-15
• Understanding DNS, page 6-15
Default System Name and Prompt Configuration
The default switch system name and prompt is Switch.
These sections contain this configuration information:
• Default DNS Configuration, page 6-16
• Setting Up DNS, page 6-16
• Displaying the DNS Configuration, page 6-17
Default DNS Configuration
Table 6-2 shows the default DNS configuration.
Table 6-2 Default DNS Configuration
Feature | Default Setting
DNS enable state | Enabled.
DNS default domain name | None configured.
DNS servers | No name server addresses are configured.
Step 6
  Command: show running-config
  Purpose: Verify your entries.
Step 7
  Command: copy running-config startup-config
  Purpose: (Optional) Save your entries in the configuration file.
If you use the switch IP address as its hostname, the IP address is used and no DNS query occurs. If you configure a hostname that contains no periods (.
Creating a Banner
Configuring a Message-of-the-Day Login Banner
You can create a single or multiline message banner that appears on the screen when someone logs in to the switch. Beginning in privileged EXEC mode, follow these steps to configure a MOTD login banner:
Step 1
  Command: configure terminal
  Purpose: Enter global configuration mode.
Step 2
  Command: banner motd c message c
  Purpose: Specify the message of the day.
Beginning in privileged EXEC mode, follow these steps to configure a login banner:
Step 1
  Command: configure terminal
  Purpose: Enter global configuration mode.
Step 2
  Command: banner login c message c
  Purpose: Specify the login message. For c, enter the delimiting character of your choice, for example, a pound sign (#), and press the Return key. The delimiting character signifies the beginning and end of the banner text.
Managing the MAC Address Table
• Configuring MAC Address Notification Traps, page 6-21
• Adding and Removing Static Address Entries, page 6-23
• Configuring Unicast MAC Address Filtering, page 6-24
• Displaying Address Table Entries, page 6-25
Building the Address Table
With multiple MAC addresses supported on all ports, you can connect any port on the switch to individual workstations, repeaters, switches, routers, or other network devices.
Changing the Address Aging Time
Dynamic addresses are source MAC addresses that the switch learns and then ages when they are not in use. You can change the aging time setting for all VLANs or for a specified VLAN. Setting too short an aging time can cause addresses to be prematurely removed from the table.
Beginning in privileged EXEC mode, follow these steps to configure the switch to send MAC address notification traps to an NMS host:
Step 1
  Command: configure terminal
  Purpose: Enter global configuration mode.
Step 2
  Command: snmp-server host host-addr {traps | informs} {version {1 | 2c | 3}} community-string notification-type
  Purpose: Specify the recipient of the trap message.
  • For host-addr, specify the name or address of the NMS.
Step 9
  Command: show mac address-table notification interface
           show running-config
  Purpose: Verify your entries.
Step 10
  Command: copy running-config startup-config
  Purpose: (Optional) Save your entries in the configuration file.
To disable the switch from sending MAC address notification traps, use the no snmp-server enable traps mac-notification global configuration command.
Beginning in privileged EXEC mode, follow these steps to add a static address:
Step 1
  Command: configure terminal
  Purpose: Enter global configuration mode.
Step 2
  Command: mac address-table static mac-addr vlan vlan-id interface interface-id
  Purpose: Add a static address to the MAC address table.
  • For mac-addr, specify the destination MAC unicast address to add to the address table.
For example, if you enter the mac address-table static mac-addr vlan vlan-id interface interface-id global configuration command followed by the mac address-table static mac-addr vlan vlan-id drop command, the switch drops packets with the specified MAC address as a source or destination.
Table 6-4 Commands for Displaying the MAC Address Table (continued)
Command | Description
show mac address-table dynamic | Displays only dynamic MAC address table entries.
show mac address-table interface | Displays the MAC address table information for the specified interface.
show mac address-table notification | Displays the MAC notification parameters and history table.
CHAPTER 7 Configuring SDM Templates
This chapter describes how to configure the Switch Database Management (SDM) templates on the Catalyst 2960 switch.
Note: For complete syntax and usage information for the commands used in this chapter, see the command reference for this release.
The rows in the table represent approximate hardware boundaries set when a template is selected. If a section of a hardware resource is full, all processing overflow is sent to the CPU, seriously impacting switch performance.
Displaying the SDM Templates
Use the show sdm prefer privileged EXEC command with no parameters to display the active template. Use the show sdm prefer [default | qos] privileged EXEC command to display the resource numbers supported by the specified template.
CHAPTER 8 Configuring Switch-Based Authentication
This chapter describes how to configure switch-based authentication on the Catalyst 2960 switch.
Protecting Access to Privileged EXEC Commands
• If you want to use username and password pairs, but you want to store them centrally on a server instead of locally, you can store them in a database on a security server. Multiple networking devices can then use the same database to obtain user authentication (and, if necessary, authorization) information. For more information, see the “Controlling Switch Access with TACACS+” section on page 8-10.
Setting or Changing a Static Enable Password
The enable password controls access to the privileged EXEC mode. Beginning in privileged EXEC mode, follow these steps to set or change a static enable password:
Step 1
  Command: configure terminal
  Purpose: Enter global configuration mode.
Step 2
  Command: enable password password
  Purpose: Define a new password or change an existing password for access to privileged EXEC mode.
Beginning in privileged EXEC mode, follow these steps to configure encryption for enable and enable secret passwords:
Step 1
  Command: configure terminal
  Purpose: Enter global configuration mode.
Step 2
  Command: enable password [level level] {password | encryption-type encrypted-password}
  Purpose: Define a new password or change an existing password for access to privileged EXEC mode.
If both the enable and enable secret passwords are defined, users must enter the enable secret password. Use the level keyword to define a password for a specific privilege level. After you specify the level and set a password, give the password only to users who need to have access at this level. Use the privilege level global configuration command to specify commands accessible at various levels.
To re-enable password recovery, use the service password-recovery global configuration command.
Note: Disabling password recovery will not work if you have set the switch to boot manually by using the boot manual global configuration command. This command produces the boot loader prompt (switch:) after the switch is power cycled.
Configuring Username and Password Pairs
You can configure username and password pairs, which are locally stored on the switch. These pairs are assigned to lines or ports and authenticate each user before that user can access the switch. If you have defined privilege levels, you can also assign a specific privilege level (with associated rights and privileges) to each username and password pair.
Configuring Multiple Privilege Levels
By default, the Cisco IOS software has two modes of password security: user EXEC and privileged EXEC. You can configure up to 16 hierarchical levels of commands for each mode. By configuring multiple passwords, you can allow different sets of users to have access to specified commands.
When you set a command to a privilege level, all commands whose syntax is a subset of that command are also set to that level. For example, if you set the show ip traffic command to level 15, the show commands and show ip commands are automatically set to privilege level 15 unless you set them individually to different levels.
Logging into and Exiting a Privilege Level
Beginning in privileged EXEC mode, follow these steps to log in to a specified privilege level and to exit to a specified privilege level:
Step 1
  Command: enable level
  Purpose: Log in to a specified privilege level. For level, the range is 0 to 15.
Step 2
  Command: disable level
  Purpose: Exit to a specified privilege level. For level, the range is 0 to 15.
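An added example, not from the guide, of the level-based password scheme described above, worked through the caveat that moving show ip traffic to level 15 also moves show and show ip to level 15 unless they are set back individually. The passwords and the username are placeholders.

```cisco
! Added example, not from the guide. Every password and the username "ops" are placeholders.
! Obscure passwords in the running configuration (type 7 is reversible: it hides, it does not protect).
service password-encryption
! enable secret stores an MD5 hash and takes precedence over enable password for level 15.
enable secret replace-with-level15-secret
! A lower privilege level for operators who only inspect the switch.
enable secret level 5 replace-with-level5-secret
! Raising "show ip traffic" to level 15 also raises "show" and "show ip" to 15, which would
! hide every show command from levels 1 through 14; set the parent commands back explicitly.
privilege exec level 15 show ip traffic
privilege exec level 1 show ip
privilege exec level 1 show
! A local account that lands directly at level 5 when it logs in on the VTY lines.
username ops privilege 5 password replace-with-ops-password
line vty 0 15
 login local
```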
Controlling Switch Access with TACACS+
Figure 8-1 Typical TACACS+ Network Configuration (figure: a Catalyst 6500 series switch connected to two UNIX workstations, TACACS+ server 1 at 171.20.10.7 and TACACS+ server 2 at 171.20.10.8)
Configure the switches with the TACACS+ server addresses. Set an authentication key (also configure the same key on the TACACS+ servers). Enable AAA. Create a login authentication method list. Apply the list to the terminal lines.
TACACS+ Operation
When a user attempts a simple ASCII login by authenticating to a switch using TACACS+, this process occurs:
1. When the connection is established, the switch contacts the TACACS+ daemon to obtain a username prompt to show to the user. The user enters a username, and the switch then contacts the TACACS+ daemon to obtain a password prompt.
• Configuring TACACS+ Authorization for Privileged EXEC Access and Network Services, page 8-16
• Starting TACACS+ Accounting, page 8-17
Default TACACS+ Configuration
TACACS+ and AAA are disabled by default. To prevent a lapse in security, you cannot configure TACACS+ through a network management application. When enabled, TACACS+ can authenticate users accessing the switch through the CLI.
Step 6
  Command: end
  Purpose: Return to privileged EXEC mode.
Step 7
  Command: show tacacs
  Purpose: Verify your entries.
Step 8
  Command: copy running-config startup-config
  Purpose: (Optional) Save your entries in the configuration file.
To remove the specified TACACS+ server name or address, use the no tacacs-server host hostname global configuration command.
Step 3
  Command: aaa authentication login {default | list-name} method1 [method2...]
  Purpose: Create a login authentication method list.
  • To create a default list that is used when a named list is not specified in the login authentication command, use the default keyword followed by the methods that are to be used in default situations. The default method list is automatically applied to all ports.
To disable AAA, use the no aaa new-model global configuration command. To disable AAA authentication, use the no aaa authentication login {default | list-name} method1 [method2...] global configuration command. To either disable TACACS+ authentication for logins or to return to the default value, use the no login authentication {default | list-name} line configuration command.
Starting TACACS+ Accounting
The AAA accounting feature tracks the services that users are accessing and the amount of network resources that they are consuming. When AAA accounting is enabled, the switch reports user activity to the TACACS+ security server in the form of accounting records. Each accounting record contains accounting attribute-value (AV) pairs and is stored on the security server.
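The five tasks listed under Figure 8-1 (server addresses, key, AAA, login method list, line assignment), plus the authorization and accounting steps from the sections above, as one added configuration example that is not from the guide. 171.20.10.7 and 171.20.10.8 are the server addresses from Figure 8-1; the key and the local account are placeholders.

```cisco
! Added example, not from the guide. 171.20.10.7 and .8 are the servers in Figure 8-1;
! the key and the local account are placeholders.
aaa new-model
tacacs-server host 171.20.10.7
tacacs-server host 171.20.10.8
! Shared key; the same value must be configured on both TACACS+ servers.
tacacs-server key replace-with-tacacs-key
! Default login list: TACACS+ first. "local" is consulted only when no server answers,
! never when a server rejects the password, so it is a lockout safeguard, not a bypass.
aaa authentication login default group tacacs+ local
! EXEC authorization lets the server set the privilege level of the session.
aaa authorization exec default group tacacs+ local
! Accounting records for every EXEC session and every level-15 command.
aaa accounting exec default start-stop group tacacs+
aaa accounting commands 15 default start-stop group tacacs+
! The only account that works when every TACACS+ server is unreachable.
username admin privilege 15 password replace-with-local-password
! The default list already applies to all lines; naming it keeps the intent visible,
! and restricting the transport keeps the credentials off cleartext Telnet.
line vty 0 15
 login authentication default
 transport input ssh
```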
Controlling Switch Access with RADIUS
Understanding RADIUS
RADIUS is a distributed client/server system that secures networks against unauthorized access. RADIUS clients run on supported Cisco routers and switches. Clients send authentication requests to a central RADIUS server, which contains all user authentication and network service access information.
Figure 8-2 Transitioning from RADIUS to TACACS+ Services (figure: a Remote PC and a Workstation with R1 and R2 RADIUS servers and T1 and T2 TACACS+ servers)
RADIUS Operation
When a user attempts to log in and authenticate to a switch that is access controlled by a RADIUS server, these events occur:
1. The user is prompted to enter a username and password.
2.
Configuring RADIUS
This section describes how to configure your switch to support RADIUS. At a minimum, you must identify the host or hosts that run the RADIUS server software and define the method lists for RADIUS authentication. You can optionally define method lists for RADIUS authorization and accounting.
You identify RADIUS security servers by their hostname or IP address, hostname and specific UDP port numbers, or their IP address and specific UDP port numbers. The combination of the IP address and the UDP port number creates a unique identifier, allowing different ports to be individually defined as RADIUS hosts providing a specific AAA service.
Step 1
  Command: configure terminal
  Purpose: Enter global configuration mode.
Step 2
  Command: radius-server host {hostname | ip-address} [auth-port port-number] [acct-port port-number] [timeout seconds] [retransmit retries] [key string]
  Purpose: Specify the IP address or hostname of the remote RADIUS server host.
  • (Optional) For auth-port port-number, specify the UDP destination port for authentication requests.
To remove the specified RADIUS server, use the no radius-server host hostname | ip-address global configuration command. This example shows how to configure one RADIUS server to be used for authentication and another to be used for accounting:
Switch(config)# radius-server host 172.29.36.49 auth-port 1612 key rad1
Switch(config)# radius-server host 172.20.36.
Chapter 8 Configuring Switch-Based Authentication Controlling Switch Access with RADIUS Beginning in privileged EXEC mode, follow these steps to configure login authentication. This procedure is required. Command Purpose Step 1 configure terminal Enter global configuration mode. Step 2 aaa new-model Enable AAA. Step 3 aaa authentication login {default | list-name} method1 [method2...] Create a login authentication method list.
Chapter 8 Configuring Switch-Based Authentication Controlling Switch Access with RADIUS Step 5 Command Purpose login authentication {default | list-name} Apply the authentication list to a line or set of lines. • If you specify default, use the default list created with the aaa authentication login command. • For list-name, specify the list created with the aaa authentication login command. Step 6 end Return to privileged EXEC mode. Step 7 show running-config Verify your entries.
Chapter 8 Configuring Switch-Based Authentication Controlling Switch Access with RADIUS Beginning in privileged EXEC mode, follow these steps to define the AAA server group and associate a particular RADIUS server with it: Command Purpose Step 1 configure terminal Enter global configuration mode.
Chapter 8 Configuring Switch-Based Authentication Controlling Switch Access with RADIUS Step 8 Command Purpose copy running-config startup-config (Optional) Save your entries in the configuration file. Step 9 Enable RADIUS login authentication. See the “Configuring RADIUS Login Authentication” section on page 8-23. To remove the specified RADIUS server, use the no radius-server host hostname | ip-address global configuration command.
Chapter 8 Configuring Switch-Based Authentication Controlling Switch Access with RADIUS Beginning in privileged EXEC mode, follow these steps to specify RADIUS authorization for privileged EXEC access and network services: Command Purpose Step 1 configure terminal Enter global configuration mode. Step 2 aaa authorization network radius Configure the switch for user RADIUS authorization for all network-related service requests.
Configuring Settings for All RADIUS Servers
Beginning in privileged EXEC mode, follow these steps to configure global communication settings between the switch and all RADIUS servers:
Step 1 configure terminal: Enter global configuration mode.
Step 2 radius-server key string: Specify the shared secret text string used between the switch and all RADIUS servers. The same string must be configured on each of those servers; it is what lets the switch and server authenticate each other's RADIUS packets.
This example shows how to provide a user logging in from a switch with immediate access to privileged EXEC commands:
cisco-avpair="shell:priv-lvl=15"
This example shows how to specify an authorized VLAN in the RADIUS server database:
cisco-avpair="tunnel-type(#64)=VLAN(13)"
cisco-avpair="tunnel-medium-type(#65)=802 media(6)"
cisco-avpair="tunnel-private-group-ID(#81)=vlanid"
This example shows how to apply an in
As mentioned earlier, to configure RADIUS (whether vendor-proprietary or IETF draft-compliant), you must specify the host running the RADIUS server daemon and the secret text string it shares with the switch. You specify the RADIUS host and secret text string by using the radius-server global configuration commands.
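The following Python program is an added example and is not part of this guide or of Cisco IOS. It models what the switch does with an Access-Accept for the two points above: the reply is trusted only if its Response Authenticator recomputes correctly with the shared secret set by radius-server key, and the VLAN is read from the IETF tunnel attributes (#64, #65, #81) that the cisco-avpair entries on the previous page place in the server database, including RFC 2868 tag handling. The secret, request authenticator and packet bytes are constructed in the code; the packet and attribute layout follows RFC 2865 and RFC 2868, and accepting only a numeric Tunnel-Private-Group-ID is a simplification of the switch's behavior.

```python
"""Switch-side processing of a RADIUS Access-Accept: verify the Response
Authenticator with the shared secret, then extract the VLAN from the
RFC 2868 tunnel attributes (#64, #65, #81).  Added example; not Cisco code."""
import hashlib
import hmac
import struct

ACCESS_ACCEPT = 2
TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID = 64, 65, 81
TUNNEL_TYPE_VLAN = 13        # tunnel-type(#64)=VLAN(13)
TUNNEL_MEDIUM_802 = 6        # tunnel-medium-type(#65)=802 media(6)


def tlv(attr_type, value):
    """RADIUS attribute: Type, Length (including the 2 header octets), Value."""
    if len(value) > 253:
        raise ValueError("attribute value exceeds 253 octets")
    return bytes([attr_type, len(value) + 2]) + value


def tagged_int(attr_type, tag, value):
    """RFC 2868 tagged integer: 1 tag octet followed by a 3-octet integer."""
    return tlv(attr_type, bytes([tag]) + value.to_bytes(3, "big"))


def tagged_str(attr_type, tag, text):
    """RFC 2868 tagged string: 1 tag octet followed by the string octets."""
    return tlv(attr_type, bytes([tag]) + text.encode("ascii"))


def vlan_attributes(vlan_id, tag=1):
    """The attribute triple a server sends to assign a VLAN (one tag groups them)."""
    return (tagged_int(TUNNEL_TYPE, tag, TUNNEL_TYPE_VLAN)
            + tagged_int(TUNNEL_MEDIUM_TYPE, tag, TUNNEL_MEDIUM_802)
            + tagged_str(TUNNEL_PRIVATE_GROUP_ID, tag, str(vlan_id)))


def build_response(code, identifier, request_authenticator, attributes, secret):
    """Server side, RFC 2865 section 3:
    ResponseAuth = MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    header = struct.pack("!BBH", code, identifier, 20 + len(attributes))
    resp_auth = hashlib.md5(header + request_authenticator + attributes + secret).digest()
    return header + resp_auth + attributes


def verify_response(packet, request_authenticator, secret):
    """Switch side: recompute the Response Authenticator.  Without the shared
    secret a forged Access-Accept cannot pass this check."""
    if len(packet) < 20 or struct.unpack("!H", packet[2:4])[0] != len(packet):
        return False
    expected = hashlib.md5(packet[:4] + request_authenticator + packet[20:] + secret).digest()
    return hmac.compare_digest(expected, packet[4:20])


def parse_attributes(payload):
    """Walk the TLV list; reject truncated or zero-length attributes."""
    attrs, i = [], 0
    while i < len(payload):
        if i + 2 > len(payload):
            raise ValueError("truncated attribute header")
        attr_type, length = payload[i], payload[i + 1]
        if length < 2 or i + length > len(payload):
            raise ValueError("bad attribute length")
        attrs.append((attr_type, payload[i + 2:i + length]))
        i += length
    return attrs


def split_tag(value):
    """RFC 2868: a first octet of 0x00-0x1F is a tag; anything larger is data
    (servers often send Tunnel-Private-Group-ID with no tag octet at all)."""
    if value and value[0] <= 0x1F:
        return value[0], value[1:]
    return 0, value


def assigned_vlan(attrs):
    """Return the VLAN ID only if a complete, consistent VLAN triple is present."""
    groups = {}
    for attr_type, value in attrs:
        if attr_type in (TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID):
            tag, body = split_tag(value)
            groups.setdefault(tag, {})[attr_type] = body
    for group in groups.values():
        if set(group) != {TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID}:
            continue
        if int.from_bytes(group[TUNNEL_TYPE], "big") != TUNNEL_TYPE_VLAN:
            continue
        if int.from_bytes(group[TUNNEL_MEDIUM_TYPE], "big") != TUNNEL_MEDIUM_802:
            continue
        group_id = group[TUNNEL_PRIVATE_GROUP_ID].decode("ascii", "replace")
        if group_id.isdigit() and 1 <= int(group_id) <= 4094:  # simplification: numeric IDs only
            return int(group_id)
    return None


def switch_accepts(packet, request_authenticator, secret):
    """Full decision: None unless the packet authenticates, is an Access-Accept,
    and carries a usable VLAN assignment."""
    if not verify_response(packet, request_authenticator, secret):
        return None
    if packet[0] != ACCESS_ACCEPT:
        return None
    return assigned_vlan(parse_attributes(packet[20:]))


if __name__ == "__main__":
    # Constructed sample values, not real data: the secret is what radius-server key
    # configures; the request authenticator came from the switch's Access-Request.
    secret = b"constructed-shared-secret"
    request_auth = bytes(range(16))
    accept = build_response(ACCESS_ACCEPT, 0x2A, request_auth, vlan_attributes(13), secret)
    print("genuine reply ->", switch_accepts(accept, request_auth, secret))   # 13
    print("wrong secret  ->", switch_accepts(accept, request_auth, b"guess"))  # None
```

The Response Authenticator is an MD5 over the packet and the secret, not a MAC in the modern sense, which is why the secret must be long and random and why the switch discards any reply whose authenticator does not match rather than merely logging it.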
Configuring the Switch for Local Authentication and Authorization
You can configure AAA to operate without a server by setting the switch to implement AAA in local mode. The switch then handles authentication and authorization. No accounting is available in this configuration.
Configuring the Switch for Secure Shell
This section describes how to configure the Secure Shell (SSH) feature. To use this feature, you must install the cryptographic (encrypted) software image on your switch. You must obtain authorization to use this feature and to download the cryptographic software files from Cisco.com. For more information, see the release notes for this release.
SSH also supports these user authentication methods:
• TACACS+ (for more information, see the “Controlling Switch Access with TACACS+” section on page 8-10)
• RADIUS (for more information, see the “Controlling Switch Access with RADIUS” section on page 8-17)
• Local authentication and authorization (for more information, see the “Configuring the Switch for Local Authentication and Authorization” section
Setting Up the Switch to Run SSH
Follow these steps to set up your switch to run SSH:
1. Download the cryptographic software image from Cisco.com. This step is required. For more information, see the release notes for this release.
2. Configure a hostname and IP domain name for the switch. Follow this procedure only if you are configuring the switch as an SSH server.
3.
Configuring the SSH Server
Beginning in privileged EXEC mode, follow these steps to configure the SSH server:
Step 1 configure terminal: Enter global configuration mode.
Step 2 ip ssh version [1 | 2]: (Optional) Configure the switch to run SSH Version 1 or SSH Version 2.
• 1—Configure the switch to run SSH Version 1.
• 2—Configure the switch to run SSH Version 2. SSH Version 1 has known cryptographic weaknesses; run Version 2 wherever your clients support it.
For more information about these commands, see the “Secure Shell Commands” section in the “Other Security Features” chapter of the Cisco IOS Security Command Reference, Cisco IOS Release 12.2, at this URL: http://www.cisco.com/univercd/cc/td/doc/product/software/ios122/122cgcr/fsecur_r/fothercr/srfssh.htm
Configuring the Switch for Secure Socket Layer HTTP
When a connection attempt is made, the HTTPS server provides a secure connection by presenting an X.509v3 certificate, obtained from the specified CA trustpoint, to the client. The client (usually a Web browser), in turn, holds the CA's public key, which lets it verify the certificate's signature and so authenticate the switch. For secure HTTP connections, we highly recommend that you configure a CA trustpoint, so that the certificate chains to a CA the client already trusts.
CipherSuites
A CipherSuite specifies the encryption algorithm and the digest algorithm to use on a SSL connection. When connecting to the HTTPS server, the client Web browser offers a list of supported CipherSuites, and the client and server negotiate the best encryption algorithm to use from those on the list that are supported by both. For example, Netscape Communicator 4.76 supports U.S.
SSL Configuration Guidelines
When SSL is used in a switch cluster, the SSL session terminates at the cluster commander. Cluster member switches must run standard HTTP. Before you configure a CA trustpoint, you should ensure that the system clock is set (manually or through NTP; see Chapter 6, “Administering the Switch”). If the clock is not set, the certificate is rejected due to an incorrect date.
Use the no crypto ca trustpoint name global configuration command to delete all identity information and certificates associated with the CA.
Configuring the Secure HTTP Server
If you are using a certificate authority for certification, you should use the previous procedure to configure the CA trustpoint on the switch before enabling the HTTP server.
Step 11 ip http timeout-policy idle seconds life seconds requests value: (Optional) Specify how long a connection to the HTTP server can remain open under the defined circumstances:
• idle—the maximum time period when no data is received or response data cannot be sent. The range is 1 to 600 seconds. The default is 180 seconds (3 minutes).
Step 3 ip http client secure-ciphersuite {[3des-ede-cbc-sha] [rc4-128-md5] [rc4-128-sha] [des-cbc-sha]}: (Optional) Specify the CipherSuites (encryption algorithms) to be used for encryption over the HTTPS connection. If you do not have a reason to specify a particular CipherSuite, you should allow the server and client to negotiate a CipherSuite that they both support. Note that des-cbc-sha uses single DES with a 56-bit key and is the weakest suite in this list; excluding it is one reason to restrict the set.
CHAPTER 9 Configuring IEEE 802.1x Port-Based Authentication
This chapter describes how to configure IEEE 802.1x port-based authentication on the Catalyst 2960 switch. IEEE 802.1x prevents unauthorized devices (clients) from gaining access to the network.
Note For complete syntax and usage information for the commands used in this chapter, see the command reference for this release.
This chapter consists of these sections:
• Understanding IEEE 802.
• Using IEEE 802.1x with Voice VLAN Ports, page 9-8
• Using IEEE 802.1x with VLAN Assignment, page 9-8
• Using IEEE 802.1x with Guest VLAN, page 9-10
Device Roles
With IEEE 802.1x port-based authentication, the devices in the network have specific roles as shown in Figure 9-1.
Figure 9-1 IEEE 802.
within the native frame format. When the switch receives frames from the authentication server, the server’s frame header is removed, leaving the EAP frame, which is then encapsulated for Ethernet and sent to the client.
received. The switch requests the identity of the client and begins relaying authentication messages between the client and the authentication server. Each client attempting to access the network is uniquely identified by the switch by using the client MAC address.
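As an added illustration, not taken from this guide or from Cisco's implementation, the following Python code shows the relay role described above at the byte level: the EAP packet is lifted out of the client's EAPOL frame (EtherType 0x888E), carried to the RADIUS server in EAP-Message attributes of at most 253 octets each (RFC 3579), reassembled on the far side, and the server's EAP reply is wrapped back into an EAPOL frame for the client. The MAC addresses and the EAP identity are constructed sample values.

```python
"""Authenticator relay between EAPOL (client side) and RADIUS EAP-Message
(server side).  Added example; not Cisco code."""
import struct

ETHERTYPE_EAPOL = 0x888E
EAPOL_VERSION = 1
EAPOL_TYPE_EAP_PACKET = 0      # EAPOL packet types: 0 = EAP-Packet, 1 = EAPOL-Start
EAPOL_TYPE_START = 1
ATTR_EAP_MESSAGE = 79          # RADIUS attribute carrying EAP (RFC 3579)
MAX_ATTR_VALUE = 253           # RADIUS attribute value limit


def parse_eapol(frame):
    """Return (src_mac, eapol_type, eap_packet); raise on a malformed frame.
    The source MAC is what the switch uses to identify the client."""
    if len(frame) < 18:
        raise ValueError("frame too short for Ethernet + EAPOL header")
    src = frame[6:12]
    ethertype = struct.unpack("!H", frame[12:14])[0]
    if ethertype != ETHERTYPE_EAPOL:
        raise ValueError("not an EAPOL frame")
    version, eapol_type, body_len = struct.unpack("!BBH", frame[14:18])
    body = frame[18:18 + body_len]
    if len(body) != body_len:
        raise ValueError("EAPOL length exceeds frame")
    if eapol_type == EAPOL_TYPE_EAP_PACKET:
        # The EAP header carries its own length; it must agree with EAPOL's.
        if len(body) < 4 or struct.unpack("!H", body[2:4])[0] != body_len:
            raise ValueError("EAP length does not match EAPOL body")
    return src.hex(":"), eapol_type, body


def eap_to_attributes(eap_packet):
    """Fragment an EAP packet into EAP-Message attributes (Type, Length, Value)."""
    chunks = (eap_packet[i:i + MAX_ATTR_VALUE]
              for i in range(0, len(eap_packet), MAX_ATTR_VALUE))
    return [bytes([ATTR_EAP_MESSAGE, len(chunk) + 2]) + chunk for chunk in chunks]


def attributes_to_eap(attributes):
    """Reassemble EAP-Message values in order, then check the embedded EAP
    length so that a dropped or reordered fragment is detected."""
    data = b"".join(a[2:] for a in attributes if a[0] == ATTR_EAP_MESSAGE)
    if len(data) < 4 or struct.unpack("!H", data[2:4])[0] != len(data):
        raise ValueError("reassembled EAP packet has inconsistent length")
    return data


def build_eapol(dst_mac, src_mac, eap_packet):
    """Wrap an EAP packet from the server back into an EAPOL frame for the client."""
    header = struct.pack("!6s6sHBBH",
                         bytes.fromhex(dst_mac.replace(":", "")),
                         bytes.fromhex(src_mac.replace(":", "")),
                         ETHERTYPE_EAPOL, EAPOL_VERSION, EAPOL_TYPE_EAP_PACKET,
                         len(eap_packet))
    return header + eap_packet


def eap_response(identifier, eap_type, data):
    """EAP-Response (code 2): Code, Identifier, Length, Type, Type-Data."""
    payload = bytes([eap_type]) + data
    return struct.pack("!BBH", 2, identifier, 4 + len(payload)) + payload


if __name__ == "__main__":
    # Constructed addresses: a client MAC and the 802.1x PAE group address.
    client_mac, pae_group = "00:11:22:33:44:55", "01:80:c2:00:00:03"
    identity = eap_response(1, 1, b"alice")           # EAP-Response/Identity
    frame = build_eapol(pae_group, client_mac, identity)
    src, kind, eap = parse_eapol(frame)
    print("client", src, "sent EAP packet of", len(eap), "octets")
    print("RADIUS EAP-Message attributes:", len(eap_to_attributes(eap)))
```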
With the multiple-hosts mode enabled, you can use IEEE 802.1x to authenticate the port and port security to manage network access for all MAC addresses, including that of the client.
Figure 9-3 Multiple Host Mode Example (figure: wireless clients behind an access point, authenticated against a RADIUS authentication server)
Using IEEE 802.1x with Port Security
You can configure an IEEE 802.
• If the port is administratively shut down, the port becomes unauthenticated, and all dynamic entries are removed from the secure host table.
• Port security and a voice VLAN can be configured simultaneously on an IEEE 802.1x port that is in either single-host or multiple-hosts mode. Port security applies to both the voice VLAN identifier (VVID) and the port VLAN identifier (PVID).
When configured on the switch and the RADIUS server, IEEE 802.1x with VLAN assignment has these characteristics:
• If no VLAN is supplied by the RADIUS server or if IEEE 802.1x authorization is disabled, the port is configured in its access VLAN after successful authentication. Recall that an access VLAN is a VLAN assigned to an access port.
Using IEEE 802.1x with Guest VLAN
You can configure a guest VLAN for each IEEE 802.1x port on the switch to provide limited services to clients, such as downloading the IEEE 802.1x client. These clients might be upgrading their system for IEEE 802.1x authentication, and some hosts, such as Windows 98 systems, might not be IEEE 802.1x-capable. When you enable a guest VLAN on an IEEE 802.
• Resetting the IEEE 802.1x Configuration to the Default Values, page 9-20 (optional)
• Configuring IEEE 802.1x Accounting, page 9-21 (optional)
Default IEEE 802.1x Configuration
Table 9-2 shows the default IEEE 802.1x configuration.
Table 9-2 Default IEEE 802.1x Configuration (Feature: Default Setting)
AAA: Disabled.
RADIUS server
• IP address: None specified.
• UDP authentication port: 1812.
IEEE 802.1x Configuration Guidelines
These are the IEEE 802.1x authentication configuration guidelines:
• When IEEE 802.1x is enabled, ports are authenticated before any other Layer 2 feature is enabled.
• The IEEE 802.1x protocol is supported on Layer 2 static-access ports and voice VLAN ports, but it is not supported on these port types:
– Trunk port—If you try to enable IEEE 802.
To allow VLAN assignment, you must enable AAA authorization to configure the switch for all network-related service requests. This is the IEEE 802.1x AAA process:
Step 1 A user connects to a port on the switch.
Step 2 Authentication is performed.
Step 3 VLAN assignment is enabled, as appropriate, based on the RADIUS server configuration.
Step 4 The switch sends a start message to an accounting server.
Configuring the Switch-to-RADIUS-Server Communication
RADIUS security servers are identified by their hostname or IP address, hostname and specific UDP port numbers, or IP address and specific UDP port numbers. The combination of the IP address and UDP port number creates a unique identifier, which enables RADIUS requests to be sent to multiple UDP ports on a server at the same IP address.
You also need to configure some settings on the RADIUS server. These settings include the IP address of the switch and the key string to be shared by both the server and the switch. For more information, see the RADIUS server documentation.
Configuring Periodic Re-Authentication
You can enable periodic IEEE 802.1x client re-authentication and specify how often it occurs.
Changing the Quiet Period
When the switch cannot authenticate the client, the switch remains idle for a set period of time and then tries again. The dot1x timeout quiet-period interface configuration command controls the idle period. A failed authentication of the client might occur because the client provided an invalid password.
Step 4 end: Return to privileged EXEC mode.
Step 5 show dot1x interface interface-id: Verify your entries.
Step 6 copy running-config startup-config: (Optional) Save your entries in the configuration file.
To return to the default retransmission time, use the no dot1x timeout tx-period interface configuration command.
Note You should change the default value of this command only to adjust for unusual circumstances such as unreliable links or specific behavioral problems with certain clients and authentication servers.
Beginning in privileged EXEC mode, follow these steps to set the re-authentication number. This procedure is optional.
Step 1 configure terminal: Enter global configuration mode.
This example shows how to enable IEEE 802.1x and to allow multiple hosts:
Switch(config)# interface gigabitethernet0/1
Switch(config-if)# dot1x port-control auto
Switch(config-if)# dot1x host-mode multi-host
Configuring a Guest VLAN
When you configure a guest VLAN, clients that are not IEEE 802.
Beginning in privileged EXEC mode, follow these steps to enable the optional guest VLAN behavior and to configure a guest VLAN. This procedure is optional.
Step 1 configure terminal: Enter global configuration mode.
Step 2 dot1x guest-vlan supplicant: Enable the optional guest VLAN behavior globally on the switch.
Configuring IEEE 802.1x Accounting
Enabling AAA system accounting with IEEE 802.1x accounting allows system reload events to be sent to the accounting RADIUS server for logging. The server can then infer that all active IEEE 802.1x sessions are closed. Because RADIUS uses the unreliable UDP transport protocol, accounting messages might be lost due to poor network conditions.
Displaying IEEE 802.1x Statistics and Status
To display IEEE 802.1x statistics for all ports, use the show dot1x all statistics privileged EXEC command. To display IEEE 802.1x statistics for a specific port, use the show dot1x statistics interface interface-id privileged EXEC command. To display the IEEE 802.
CHAPTER 10 Configuring Interface Characteristics
This chapter defines the types of interfaces on the Catalyst 2960 switch and describes how to configure them.
Port-Based VLANs
A VLAN is a switched network that is logically segmented by function, team, or application, without regard to the physical location of the users. For more information about VLANs, see Chapter 12, “Configuring VLANs.” Packets received on a port are forwarded only to ports that belong to the same VLAN as the receiving port.
Two types of access ports are supported:
• Static access ports are manually assigned to a VLAN (or are assigned by a RADIUS server when IEEE 802.1x is used; for more information, see the “Using IEEE 802.1x with VLAN Assignment” section on page 9-8).
• VLAN membership of dynamic access ports is learned through incoming packets.
Dual-Purpose Uplink Ports
Some Catalyst 2960 switches support dual-purpose uplink ports. Each uplink port is considered as a single interface with dual front ends (an RJ-45 connector and an SFP module connector). The dual front ends are not redundant interfaces, and the switch activates only one connector of the pair. By default, the switch dynamically selects the interface type that first links up.
To configure a physical interface (port), specify the interface type, module number, and switch port number, and enter interface configuration mode.
• Type—Fast Ethernet (fastethernet or fa) for 10/100 Mbps Ethernet, Gigabit Ethernet (gigabitethernet or gi) for 10/100/1000 Mbps Ethernet ports, or small form-factor pluggable (SFP) module Gigabit Ethernet interfaces.
Step 3 Follow each interface command with the interface configuration commands that the interface requires. The commands that you enter define the protocols and applications that will run on the interface. The commands are collected and applied to the interface when you enter another interface command or enter end to return to privileged EXEC mode.
When using the interface range global configuration command, note these guidelines:
• Valid entries for port-range:
– vlan vlan-ID, where the VLAN ID is 1 to 4094
Note Although the command-line interface (CLI) shows options to set multiple VLANs, these options are not supported.
Beginning in privileged EXEC mode, follow these steps to define an interface range macro:
Step 1 configure terminal: Enter global configuration mode.
Step 2 define interface-range macro_name interface-range: Define the interface-range macro, and save it in NVRAM.
• The macro_name is a 32-character maximum character string.
Step 3 interface range macro macro_name
This example shows how to define an interface-range named enet_list to include ports 1 and 2 and to verify the macro configuration:
Switch# configure terminal
Switch(config)# define interface-range enet_list gigabitethernet0/1 - 2
Switch(config)# end
Switch# show running-config | include define
define interface-range enet_list GigabitEthernet0/1 - 2
This example shows how to create a multiple-interface macro named macro1: Sw
Table 10-1 Default Layer 2 Ethernet Interface Configuration (continued) (Feature: Default Setting)
VLAN trunking: Switchport mode dynamic auto (supports DTP).
Port enable state: All ports are enabled.
Port description: None defined.
Speed: Autonegotiate.
Duplex mode: Autonegotiate.
Flow control: Flow control is set to receive: off. It is always off for sent packets.
EtherChannel (PAgP): Disabled on all Ethernet ports.
Speed and Duplex Configuration Guidelines
When configuring an interface speed and duplex mode, note these guidelines:
• Fast Ethernet (10/100-Mbps) ports support all speed and duplex options.
• Gigabit Ethernet (10/100/1000-Mbps) ports support all speed options and all duplex options (auto, half, and full). However, Gigabit Ethernet ports operating at 1000 Mbps do not support half-duplex mode.
Step 3 media-type {auto-select | rj45 | sfp}: Select the interface and type of a dual-purpose uplink port. The keywords have these meanings:
• auto-select—The switch dynamically selects the type. When link up is achieved, the switch disables the other type until the active link goes down. When the active link goes down, the switch enables both types until one of them links up.
The switch does not have this behavior with 100BASE-FX-GE SFP modules.
Setting the Interface Speed and Duplex Parameters
Beginning in privileged EXEC mode, follow these steps to set the speed and duplex mode for a physical interface:
Step 1 configure terminal: Enter global configuration mode.
This example shows how to set the interface speed to 100 Mbps on a 10/100/1000 Mbps port:
Switch# configure terminal
Switch(config)# interface gigabitethernet0/2
Switch(config-if)# speed 100
Configuring IEEE 802.3x Flow Control
Flow control enables connected Ethernet ports to control traffic rates during congestion by allowing congested nodes to pause link operation at the other end.
This example shows how to turn on flow control on a port:
Switch# configure terminal
Switch(config)# interface gigabitethernet0/1
Switch(config-if)# flowcontrol receive on
Switch(config-if)# end
Configuring Auto-MDIX on an Interface
When automatic medium-dependent interface crossover (auto-MDIX) is enabled on an interface, the interface automatically detects the required cable connection type (straight through or crossover)
This example shows how to enable auto-MDIX on a port:
Switch# configure terminal
Switch(config)# interface gigabitethernet0/1
Switch(config-if)# speed auto
Switch(config-if)# duplex auto
Switch(config-if)# mdix auto
Switch(config-if)# end
Adding a Description for an Interface
You can add a description about an interface to help you remember its function.
You cannot set the MTU size for an individual interface; you set it for all 10/100 or all Gigabit Ethernet interfaces on the switch. When you change the MTU size, you must reset the switch before the new configuration takes effect. Frame sizes that can be received by the switch CPU are limited to 1998 bytes, no matter what value was entered with the system mtu or system mtu jumbo commands.
Monitoring and Maintaining the Interfaces
These sections contain interface monitoring and maintenance information:
• Monitoring Interface Status, page 10-18
• Clearing and Resetting Interfaces and Counters, page 10-19
• Shutting Down and Restarting the Interface, page 10-19
Monitoring Interface Status
Commands entered at the privileged EXEC prompt display information about the interface, including the version
Clearing and Resetting Interfaces and Counters
Table 10-4 lists the privileged EXEC mode clear commands that you can use to clear counters and reset interfaces.
Table 10-4 Clear Commands for Interfaces (Command: Purpose)
clear counters [interface-id]: Clear interface counters.
clear interface interface-id: Reset the hardware logic on an interface.
CHAPTER 11 Configuring Smartports Macros
This chapter describes how to configure and apply Smartports macros on the Catalyst 2960 switch.
Note For complete syntax and usage information for the commands used in this chapter, see the command reference for this release.
Table 11-1 Cisco-Default Smartports Macros (continued) (Macro Name: Description)
cisco-phone: Use this interface configuration macro when connecting a desktop device such as a PC with a Cisco IP Phone to a switch port. This macro is an extension of the cisco-desktop macro and provides the same security and resiliency features, but with the addition of dedicated voice VLANs to ensure proper treatment of delay-sensitive voice traffic.
Smartports Macro Configuration Guidelines
Follow these guidelines when configuring macros on your switch:
• When creating a macro, do not use the exit or end commands or change the command mode by using interface interface-id. This could cause commands that follow exit, end, or interface interface-id to execute in a different command mode.
• When creating a macro, all CLI commands should be in the same configuration mode.
The Cisco-default macros use the $ character to help identify required keywords. There is no restriction on using the $ character to define keywords when you create a macro.
Creating Smartports Macros
Beginning in privileged EXEC mode, follow these steps to create a Smartports macro:
Step 1 configure terminal: Enter global configuration mode.
Applying Smartports Macros
Beginning in privileged EXEC mode, follow these steps to apply a Smartports macro:
Step 1 configure terminal: Enter global configuration mode.
Step 2 macro global {apply | trace} macro-name [parameter {value}] [parameter {value}] [parameter {value}]: Apply each individual command defined in the macro to the switch by entering macro global apply macro-name.
This example shows how to apply the user-created macro called snmp, to set the hostname address to test-server, and to set the IP precedence value to 7:
Switch(config)# macro global apply snmp ADDRESS test-server VALUE 7
This example shows how to debug the user-created macro called snmp by using the macro global trace global configuration command to find any syntax or configuration errors in the macro when it is applied to the switch
Step 7 macro {apply | trace} macro-name [parameter {value}] [parameter {value}] [parameter {value}]: Append the Cisco-default macro with the required values by using the parameter value keywords, and apply the macro to the interface. Keywords that begin with $ mean that a unique parameter value is required. You can use the macro apply macro-name ? command to display a list of any required values in the macro.
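The following Python code is an added example and is not Cisco's macro parser. It models the behavior described in this chapter: every $-prefixed keyword in a macro body becomes a required parameter (what macro apply macro-name ? lists), the values given with macro apply are substituted, and the body is checked against the guidelines above (no exit, end, or interface commands inside a macro). The sample macro body and its $AVID keyword are constructed for this example and are not one of the Cisco-default macros.

```python
"""Model of Smartports macro parameter handling and guideline checks.
Added example; not Cisco code."""
import re

# A keyword is '$' followed by an identifier, as in the Cisco-default macros.
KEYWORD = re.compile(r"\$[A-Za-z_][A-Za-z0-9_]*")

# Constructed macro body written in the style of the Cisco-default macros;
# the $AVID keyword is an assumption for this example.
SAMPLE_MACRO = """\
switchport mode access
switchport access vlan $AVID
switchport port-security
switchport port-security maximum 1
switchport port-security violation restrict
spanning-tree portfast
spanning-tree bpduguard enable
"""


def required_keywords(body):
    """Keywords that need a value on 'macro apply' (sorted, without duplicates)."""
    return sorted(set(KEYWORD.findall(body)))


def lint(body):
    """Guideline violations: lines that would change the command mode, so that
    every command after them would execute in the wrong mode."""
    problems = []
    for number, line in enumerate(body.splitlines(), 1):
        cmd = line.strip().lower()
        if cmd in ("exit", "end") or cmd.startswith("interface "):
            problems.append(f"line {number}: '{line.strip()}' changes command mode")
    return problems


def expand(body, **params):
    """Return the commands the switch would run for 'macro apply' with the
    given parameter values.  Refuses to apply when a keyword has no value
    (the literal '$AVID' would otherwise reach the CLI as a bad argument)
    or when the body breaks the mode guidelines."""
    missing = [k for k in required_keywords(body) if k[1:] not in params]
    if missing:
        raise ValueError("missing values for " + ", ".join(missing))
    problems = lint(body)
    if problems:
        raise ValueError("; ".join(problems))
    expanded = KEYWORD.sub(lambda m: str(params[m.group(0)[1:]]), body)
    return [line for line in expanded.splitlines() if line.strip()]


if __name__ == "__main__":
    print("required:", required_keywords(SAMPLE_MACRO))   # ['$AVID']
    for command in expand(SAMPLE_MACRO, AVID=10):
        print(" ", command)
```

Running expand without AVID, or on a body that contains an exit line, raises instead of emitting commands; that is the check the guidelines ask you to perform by inspection, and the same reason macro trace exists for debugging a macro before applying it.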
Displaying Smartports Macros
To display the Smartports macros, use one or more of the privileged EXEC commands in Table 11-2.
Table 11-2 Commands for Displaying Smartports Macros (Command: Purpose)
show parser macro: Displays all configured macros.
show parser macro name macro-name: Displays a specific macro.
show parser macro brief: Displays the configured macro names.
CHAPTER 12 Configuring VLANs
This chapter describes how to configure normal-range VLANs (VLAN IDs 1 to 1005) and extended-range VLANs (VLAN IDs 1006 to 4094) on the Catalyst 2960 switch. It includes information about VLAN membership modes, VLAN configuration modes, VLAN trunks, and dynamic VLAN assignment from a VLAN Membership Policy Server (VMPS).
Note For complete syntax and usage information for the commands used in this chapter, see the command reference for this release.
Figure 12-1 shows an example of VLANs segmented into logically defined networks.
Figure 12-1 VLANs as Logically Defined Networks (figure: Engineering, Marketing, and Accounting VLANs spanning Floors 1 to 3, interconnected through a Cisco router over Gigabit Ethernet)
VLANs are often associated with IP subnetworks. For example, all the end stations in a particular IP subnet belong to the same VLAN.
VLAN Port Membership Modes
You configure a port to belong to a VLAN by assigning a membership mode that specifies the kind of traffic the port carries and the number of VLANs to which it can belong. Table 12-1 lists the membership modes and membership and VTP characteristics.
Configuring Normal-Range VLANs
Normal-range VLANs are VLANs with VLAN IDs 1 to 1005. If the switch is in VTP server or VTP transparent mode, you can add, modify, or remove configurations for VLANs 2 to 1001 in the VLAN database. (VLAN IDs 1 and 1002 to 1005 are automatically created and cannot be removed.
These sections contain normal-range VLAN configuration information:
• Token Ring VLANs, page 12-5
• Normal-Range VLAN Configuration Guidelines, page 12-5
• VLAN Configuration Mode Options, page 12-6
• Saving VLAN Configuration, page 12-6
• Default Ethernet VLAN Configuration, page 12-7
• Creating or Modifying an Ethernet VLAN, page 12-8
• Deleting a VLAN, page 12-9
• Assigning Static-Access Ports to a VLAN, page 12-10
Token Ring V
are several adjacent switches that all have run out of spanning-tree instances. You can prevent this possibility by setting allowed lists on the trunk ports of switches that have used up their allocation of spanning-tree instances. If the number of VLANs on the switch exceeds the number of supported spanning-tree instances, we recommend that you configure the IEEE 802.
When you save VLAN and VTP information (including extended-range VLAN configuration information) in the startup configuration file and reboot the switch, the switch configuration is selected as follows:
• If the VTP mode is transparent in the startup configuration, and the VLAN database and the VTP domain name from the VLAN database match that in the startup configuration file, the VLAN database is ignored (cleared), and the VTP and
Creating or Modifying an Ethernet VLAN
Each Ethernet VLAN in the VLAN database has a unique, 4-digit ID that can be a number from 1 to 1001. VLAN IDs 1002 to 1005 are reserved for Token Ring and FDDI VLANs. To create a normal-range VLAN to be added to the VLAN database, assign a number and name to the VLAN.
Note When the switch is in VTP transparent mode, you can assign VLAN IDs greater than 1006, but they are not added to the VLAN database.
You can also create or modify Ethernet VLANs by using the VLAN database configuration mode.
Note VLAN database configuration mode does not support RSPAN VLAN configuration or extended-range VLANs.
Beginning in privileged EXEC mode, follow these steps to use VLAN database configuration mode to create or modify an Ethernet VLAN:
Step 1 vlan database: Enter VLAN database configuration mode.
Chapter 12 Configuring VLANs Configuring Normal-Range VLANs Caution When you delete a VLAN, any ports assigned to that VLAN become inactive. They remain associated with the VLAN (and thus inactive) until you assign them to a new VLAN. Beginning in privileged EXEC mode, follow these steps to delete a VLAN on the switch: Command Purpose Step 1 configure terminal Enter global configuration mode. Step 2 no vlan vlan-id Remove the VLAN by entering the VLAN ID.
Chapter 12 Configuring VLANs
Configuring Extended-Range VLANs
Command  Purpose
Step 7  show interfaces interface-id switchport: Verify your entries in the Administrative Mode and the Access Mode VLAN fields of the display.
Step 8  copy running-config startup-config: (Optional) Save your entries in the configuration file.
To return an interface to its default configuration, use the default interface interface-id interface configuration command.
Extended-Range VLAN Configuration Guidelines
Follow these guidelines when creating extended-range VLANs:
• To add an extended-range VLAN, you must use the vlan vlan-id global configuration command and access config-vlan mode. You cannot add extended-range VLANs in VLAN database configuration mode (accessed by entering the vlan database privileged EXEC command).
Chapter 12 Configuring VLANs
Displaying VLANs
Command  Purpose
Step 3  vlan vlan-id: Enter an extended-range VLAN ID and enter config-vlan mode. The range is 1006 to 4094.
Step 4  mtu mtu-size: (Optional) Modify the VLAN by changing the MTU size.
Note Although all VLAN commands appear in the CLI help in config-vlan mode, only the mtu mtu-size and remote-span commands are supported for extended-range VLANs.
Step 5  remote-span: (Optional) Configure the VLAN as the RSPAN VLAN.
Chapter 12 Configuring VLANs
Configuring VLAN Trunks
Table 12-3 VLAN Monitoring Commands (continued)
Command  Command Mode  Purpose
show interfaces [vlan vlan-id]  Privileged EXEC: Display characteristics for all interfaces or for the specified VLAN configured on the switch.
show vlan [id vlan-id]  Privileged EXEC: Display parameters for all VLANs or the specified VLAN on the switch.
Table 12-4 Layer 2 Interface Modes
Mode  Function
switchport mode access: Puts the interface (access port) into permanent nontrunking mode and negotiates to convert the link into a nontrunk link. The interface becomes a nontrunk interface regardless of whether or not the neighboring interface is a trunk interface.
switchport mode dynamic auto: Makes the interface able to convert the link to a trunk link.
Default Layer 2 Ethernet Interface VLAN Configuration
Table 12-5 shows the default Layer 2 Ethernet interface VLAN configuration.
Table 12-5 Default Layer 2 Ethernet Interface VLAN Configuration
Feature  Default Setting
Interface mode: switchport mode dynamic auto
Allowed VLAN range: VLANs 1 to 4094
VLAN range eligible for pruning: VLANs 2 to 1001
Default VLAN (for access ports): VLAN 1
Native VLAN (for IEEE 802.
• If you try to enable IEEE 802.1x on a trunk port, an error message appears, and IEEE 802.1x is not enabled. If you try to change the mode of an IEEE 802.1x-enabled port to trunk, the port mode is not changed.
• A port in dynamic mode can negotiate with its neighbor to become a trunk port. If you try to enable IEEE 802.1x on a dynamic port, an error message appears, and IEEE 802.1x is not enabled. If you try to change the mode of an IEEE 802.
Defining the Allowed VLANs on a Trunk
By default, a trunk port sends traffic to and receives traffic from all VLANs. All VLAN IDs, 1 to 4094, are allowed on each trunk. However, you can remove VLANs from the allowed list, preventing traffic from those VLANs from passing over the trunk.
To return to the default allowed VLAN list of all VLANs, use the no switchport trunk allowed vlan interface configuration command.
This example shows how to remove VLAN 2 from the allowed VLAN list on a port:
Switch(config)# interface gigabitethernet0/1
Switch(config-if)# switchport trunk allowed vlan remove 2
Switch(config-if)# end
Changing the Pruning-Eligible List
The pruning-eligible list applies only to trunk ports.
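The following is an added example, not code from the Cisco guide: it replays the allowed-VLAN lines of an interface stanza and computes the set of VLANs the trunk actually carries, starting from the default of all VLANs 1 to 4094. The guide excerpt shows only `remove` and the `no` form; the `add`, `except`, `all` and `none` keywords and the `1-5,10` range syntax are assumed from general IOS usage, and the sample stanza is constructed.

```python
"""Compute the effective allowed-VLAN list of an IEEE 802.1Q trunk.

Added example (not from the Cisco guide). Models how the
'switchport trunk allowed vlan' interface command variants change the set
of VLANs a trunk carries. Starting point is the default: all VLANs 1-4094.
The add/remove/except/all/none keywords and range syntax are assumed from
general IOS usage; the guide excerpt shows only 'remove 2' and the 'no' form.
"""
import re

VLAN_MIN, VLAN_MAX = 1, 4094
ALL_VLANS = frozenset(range(VLAN_MIN, VLAN_MAX + 1))


def parse_vlan_list(text: str) -> set:
    """Parse an IOS VLAN list such as '1-5,10,20-30' into a set of IDs."""
    result = set()
    for part in text.replace(" ", "").split(","):
        if not part:
            continue
        m = re.fullmatch(r"(\d+)(?:-(\d+))?", part)
        if not m:
            raise ValueError(f"bad VLAN list element: {part!r}")
        lo = int(m.group(1))
        hi = int(m.group(2)) if m.group(2) else lo
        if not (VLAN_MIN <= lo <= hi <= VLAN_MAX):
            raise ValueError(f"VLAN range out of bounds: {part!r}")
        result.update(range(lo, hi + 1))
    return result


def apply_allowed_vlan_command(allowed: set, line: str) -> set:
    """Apply one interface-configuration line to the current allowed set.

    Lines that are not 'switchport trunk allowed vlan ...' (or its 'no'
    form) are ignored, so a whole interface stanza can be replayed.
    """
    tokens = line.strip().split()
    if tokens[:5] == ["no", "switchport", "trunk", "allowed", "vlan"]:
        return set(ALL_VLANS)            # back to the default: all VLANs
    if tokens[:4] != ["switchport", "trunk", "allowed", "vlan"]:
        return allowed                   # unrelated line, no change
    if len(tokens) < 5:
        raise ValueError("allowed vlan command needs an argument")
    keyword = tokens[4]
    arg = tokens[5] if len(tokens) > 5 else ""
    if keyword == "all":
        return set(ALL_VLANS)
    if keyword == "none":
        return set()
    if keyword == "add":
        return allowed | parse_vlan_list(arg)
    if keyword == "remove":
        return allowed - parse_vlan_list(arg)
    if keyword == "except":
        return set(ALL_VLANS) - parse_vlan_list(arg)
    # A bare list replaces the allowed set outright.
    return parse_vlan_list(keyword)


def allowed_vlans_after(config_lines) -> set:
    """Replay a stanza and return the resulting allowed-VLAN set."""
    allowed = set(ALL_VLANS)
    for line in config_lines:
        allowed = apply_allowed_vlan_command(allowed, line)
    return allowed


def format_vlan_list(vlans) -> str:
    """Collapse a set of VLAN IDs into IOS range notation, e.g. '1,3-4094'."""
    ids = sorted(vlans)
    parts = []
    i = 0
    while i < len(ids):
        j = i
        while j + 1 < len(ids) and ids[j + 1] == ids[j] + 1:
            j += 1
        parts.append(str(ids[i]) if i == j else f"{ids[i]}-{ids[j]}")
        i = j + 1
    return ",".join(parts)


# Constructed sample stanza: the guide's own 'remove 2' example.
SAMPLE_STANZA = [
    "interface gigabitethernet0/1",
    " switchport mode trunk",
    " switchport trunk allowed vlan remove 2",
]

if __name__ == "__main__":
    print(format_vlan_list(allowed_vlans_after(SAMPLE_STANZA)))  # 1,3-4094
```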
For information about IEEE 802.1Q configuration issues, see the “IEEE 802.1Q Configuration Considerations” section on page 12-15.
Beginning in privileged EXEC mode, follow these steps to configure the native VLAN on an IEEE 802.1Q trunk:
Command  Purpose
Step 1  configure terminal: Enter global configuration mode.
Step 2  interface interface-id: Define the interface that is configured as the IEEE 802.1Q trunk, and enter interface configuration mode.
Figure 12-2 shows two trunks connecting supported switches. In this example, the switches are configured as follows:
• VLANs 8 through 10 are assigned a port priority of 16 on Trunk 1.
• VLANs 3 through 6 retain the default port priority of 128 on Trunk 1.
• VLANs 3 through 6 are assigned a port priority of 16 on Trunk 2.
• VLANs 8 through 10 retain the default port priority of 128 on Trunk 2.
Command  Purpose
Step 14  show vlan: When the trunk links come up, VTP passes the VTP and VLAN information to Switch B. Verify that Switch B has learned the VLAN configuration.
Step 15  configure terminal: Enter global configuration mode on Switch A.
Step 16  interface gigabitethernet 0/1: Define the interface to set the STP port priority, and enter interface configuration mode.
Chapter 12 Configuring VLANs
Configuring VMPS
Beginning in privileged EXEC mode, follow these steps to configure the network shown in Figure 12-3:
Command  Purpose
Step 1  configure terminal: Enter global configuration mode on Switch A.
Step 2  interface gigabitethernet0/1: Define the interface to be configured as a trunk, and enter interface configuration mode.
Step 3  switchport mode trunk: Configure the port as a trunk port.
Step 4  exit: Return to global configuration mode.
• “Troubleshooting Dynamic-Access Port VLAN Membership” section on page 12-29
• “VMPS Configuration Example” section on page 12-29
Understanding VMPS
Each time the client switch receives the MAC address of a new host, it sends a VQP query to the VMPS. When the VMPS receives this query, it searches its database for a MAC-address-to-VLAN mapping. The server response is based on this mapping and on whether the server is in open or secure mode.
If the link goes down on a dynamic-access port, the port returns to an isolated state and does not belong to a VLAN. Any hosts that come online through the port are checked again through the VQP with the VMPS before the port is assigned to a VLAN. Dynamic-access ports can be used for direct host connections, or they can connect to a network. A maximum of 20 MAC addresses are allowed per port on the switch.
Configuring the VMPS Client
You configure dynamic VLANs by using the VMPS (server). The switch can be a VMPS client; it cannot be a VMPS server.
Entering the IP Address of the VMPS
You must first enter the IP address of the server to configure the switch as a client.
Note If the VMPS is being defined for a cluster of switches, enter the address on the command switch.
Command  Purpose
Step 4  switchport access vlan dynamic: Configure the port as eligible for dynamic VLAN membership. The dynamic-access port must be connected to an end station.
Step 5  end: Return to privileged EXEC mode.
Step 6  show interfaces interface-id switchport: Verify your entries in the Operational Mode field of the display.
Step 7  copy running-config startup-config: (Optional) Save your entries in the configuration file.
Changing the Retry Count
Beginning in privileged EXEC mode, follow these steps to change the number of times that the switch attempts to contact the VMPS before querying the next server:
Command  Purpose
Step 1  configure terminal: Enter global configuration mode.
Step 2  vmps retry count: Change the retry count. The retry range is 1 to 10; the default is 3.
Step 3  end: Return to privileged EXEC mode.
Troubleshooting Dynamic-Access Port VLAN Membership
The VMPS shuts down a dynamic-access port under these conditions:
• The VMPS is in secure mode, and it does not allow the host to connect to the port. The VMPS shuts down the port to prevent the host from connecting to the network.
• More than 20 active hosts reside on a dynamic-access port.
Figure 12-4 Dynamic Port VLAN Membership Configuration (figure: a TFTP server, a Catalyst 6500 series switch A acting as primary VMPS server 1, a router, client switch B with end station 1 on a dynamic-access port and a trunk port, and switches C through H; the figure's address labels are not reproduced here)
CHAPTER 13 Configuring VTP
This chapter describes how to use the VLAN Trunking Protocol (VTP) and the VLAN database for managing VLANs with the Catalyst 2960 switch.
Note For complete syntax and usage information for the commands used in this chapter, see the command reference for this release.
Chapter 13 Configuring VTP
Understanding VTP
These sections contain this conceptual information:
• The VTP Domain, page 13-2
• VTP Modes, page 13-3
• VTP Advertisements, page 13-3
• VTP Version 2, page 13-4
• VTP Pruning, page 13-4
The VTP Domain
A VTP domain (also called a VLAN management domain) consists of one switch or several interconnected switches under the same administrative responsibility sharing the same VTP domain name. A switch can be in only one VTP domain.
VTP Modes
You can configure a supported switch to be in one of the VTP modes listed in Table 13-1.
Table 13-1 VTP Modes
VTP Mode  Description
VTP server: In VTP server mode, you can create, modify, and delete VLANs, and specify other configuration parameters (such as the VTP version) for the entire VTP domain.
• Update identity and update timestamp
• MD5 digest VLAN configuration, including maximum transmission unit (MTU) size for each VLAN.
• Frame format
VTP advertisements distribute this VLAN information for each configured VLAN:
• VLAN IDs (IEEE 802.
Figure 13-1 shows a switched network without VTP pruning enabled. Port 1 on Switch A and Port 2 on Switch D are assigned to the Red VLAN. If a broadcast is sent from the host connected to Switch A, Switch A floods the broadcast and every switch in the network receives it, even though Switches C, E, and F have no ports in the Red VLAN.
Chapter 13 Configuring VTP
Configuring VTP
See the “Enabling VTP Pruning” section on page 13-14. VTP pruning takes effect several seconds after you enable it. VTP pruning does not prune traffic from VLANs that are pruning-ineligible. VLAN 1 and VLANs 1002 to 1005 are always pruning-ineligible; traffic from these VLANs cannot be pruned. Extended-range VLANs (VLAN IDs higher than 1005) are also pruning-ineligible. VTP pruning is not designed to function in VTP transparent mode.
VTP Configuration Options
You can configure VTP by using these configuration modes.
• VTP Configuration in Global Configuration Mode, page 13-7
• VTP Configuration in VLAN Database Configuration Mode, page 13-7
You access VLAN database configuration mode by entering the vlan database privileged EXEC command. For detailed information about vtp commands, see the command reference for this release.
VTP Configuration Guidelines
These sections describe guidelines you should follow when implementing VTP in your network.
Domain Names
When configuring VTP for the first time, you must always assign a domain name. You must configure all switches in the VTP domain with the same domain name. Switches in VTP transparent mode do not exchange VTP messages with other switches, and you do not need to configure a VTP domain name for them.
• Do not enable VTP Version 2 on a switch unless all of the switches in the same VTP domain are Version-2-capable. When you enable Version 2 on a switch, all of the Version-2-capable switches in the domain enable Version 2. If there is a Version 1-only switch, it does not exchange VTP information with switches that have Version 2 enabled.
When you configure a domain name, it cannot be removed; you can only reassign a switch to a different domain. To return the switch to a no-password state, use the no vtp password global configuration command.
Configuring a VTP Client
When a switch is in VTP client mode, you cannot change its VLAN configuration. The client switch receives VTP updates from a VTP server in the VTP domain and then modifies its configuration accordingly.
Note
Caution If extended-range VLANs are configured on the switch, you cannot change VTP mode to client. You receive an error message, and the configuration is not allowed.
Disabling VTP (VTP Transparent Mode)
When you configure the switch for VTP transparent mode, VTP is disabled on the switch. The switch does not send VTP updates and does not act on VTP updates received from other switches. However, a VTP transparent switch running VTP Version 2 does forward received VTP advertisements on its trunk links.
Enabling VTP Version 2
VTP Version 2 is disabled by default on VTP Version 2-capable switches. When you enable VTP Version 2 on a switch, every VTP Version 2-capable switch in the VTP domain enables Version 2. You can only configure the version when the switches are in VTP server or transparent mode.
Caution VTP Version 1 and VTP Version 2 are not interoperable on switches in the same VTP domain. Every switch in the VTP domain must use the same VTP version.
Enabling VTP Pruning
Pruning increases available bandwidth by restricting flooded traffic to those trunk links that the traffic must use to access the destination devices. You can only enable VTP pruning on a switch in VTP server mode.
Beginning in privileged EXEC mode, follow these steps to enable VTP pruning in the VTP domain:
Command  Purpose
Step 1  configure terminal: Enter global configuration mode.
Beginning in privileged EXEC mode, follow these steps to verify and reset the VTP configuration revision number on a switch before adding it to a VTP domain:
Command  Purpose
Step 1  show vtp status: Check the VTP configuration revision number. If the number is 0, add the switch to the VTP domain. If the number is greater than 0, follow these steps: a. Write down the domain name. b. Write down the configuration revision number. c.
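To show why the guide has you check and reset the configuration revision number before connecting a switch, the following added example (not Cisco's code) simulates two switches exchanging VTP summary advertisements with and without the reset. The acceptance rule modelled here (same domain name, strictly higher revision replaces the local VLAN database) is the general VTP behaviour and is an assumption of the model, not a quotation from the excerpt; passwords, MD5 digests, timers and the real frame format are left out, and the switch names, domain names and VLANs are constructed.

```python
"""Minimal model of the VTP revision rule (added example, not Cisco's code).

Assumed rule: a server or client that receives a summary advertisement from
its own domain with a higher configuration revision number replaces its
whole VLAN database with the advertised one. Transparent switches ignore
advertisements for their own database. Everything else about VTP is omitted.
"""
from __future__ import annotations

from dataclasses import dataclass, field
from typing import Optional


@dataclass
class VtpAdvertisement:
    domain: str
    revision: int
    vlans: dict            # VLAN ID -> VLAN name


@dataclass
class VtpSwitch:
    name: str
    mode: str              # "server", "client" or "transparent"
    domain: Optional[str] = None
    revision: int = 0
    vlans: dict = field(default_factory=lambda: {1: "default"})
    log: list = field(default_factory=list)

    def receive(self, adv: VtpAdvertisement) -> bool:
        """Apply an advertisement if the modelled VTP rule says it supersedes ours."""
        if self.mode == "transparent":
            self.log.append(f"{self.name}: transparent, advertisement ignored")
            return False
        if self.domain is not None and adv.domain != self.domain:
            self.log.append(f"{self.name}: domain {adv.domain!r} != {self.domain!r}, ignored")
            return False
        if adv.revision <= self.revision:
            self.log.append(f"{self.name}: revision {adv.revision} <= {self.revision}, ignored")
            return False
        # Higher revision in our domain: the whole VLAN database is replaced.
        removed = sorted(set(self.vlans) - set(adv.vlans))
        self.vlans = dict(adv.vlans)
        self.revision = adv.revision
        self.domain = adv.domain
        self.log.append(f"{self.name}: accepted revision {adv.revision}, VLANs removed: {removed}")
        return True

    def advertise(self) -> VtpAdvertisement:
        return VtpAdvertisement(self.domain or "", self.revision, dict(self.vlans))

    def reset_revision_by_domain_change(self, temp_domain: str) -> None:
        """The guide's reset step: changing the domain name resets the revision to 0."""
        self.domain = temp_domain
        self.revision = 0
        self.log.append(f"{self.name}: domain changed to {temp_domain!r}, revision reset to 0")


def simulate(reset_first: bool) -> dict:
    """Connect a reused switch (revision 25, only VLAN 1) to a production
    domain whose server is at revision 10 with VLANs 1, 10 and 20."""
    server = VtpSwitch("prod-server", "server", "PROD", 10,
                       {1: "default", 10: "users", 20: "servers"})
    newcomer = VtpSwitch("reused-switch", "server", "PROD", 25)
    if reset_first:
        # Operator followed the guide: checked 'show vtp status', then reset.
        newcomer.reset_revision_by_domain_change("TEMP")
        newcomer.domain = "PROD"      # and set the production name back
    # Both ends send summary advertisements when the trunk comes up.
    server.receive(newcomer.advertise())
    newcomer.receive(server.advertise())
    return {
        "server_vlans": dict(server.vlans),
        "server_revision": server.revision,
        "newcomer_vlans": dict(newcomer.vlans),
        "log": server.log + newcomer.log,
    }


if __name__ == "__main__":
    for reset in (False, True):
        print(f"reset_first={reset}:")
        for line in simulate(reset)["log"]:
            print("  " + line)
```

Without the reset the production server accepts revision 25 and loses VLANs 10 and 20; with the reset the newcomer learns the production database instead.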
Chapter 13 Configuring VTP
Monitoring VTP
You monitor VTP by displaying VTP configuration information: the domain name, the current VTP revision, and the number of VLANs. You can also display statistics about the advertisements sent and received by the switch.
Table 13-3 shows the privileged EXEC commands for monitoring VTP activity.
Table 13-3 VTP Monitoring Commands
Command  Purpose
show vtp status: Display the VTP switch configuration information.
CHAPTER 14 Configuring Voice VLAN
This chapter describes how to configure the voice VLAN feature on the Catalyst 2960 switch. Voice VLAN is referred to as an auxiliary VLAN in some Catalyst 6500 family switch documentation.
Note For complete syntax and usage information for the commands used in this chapter, see the command reference for this release.
Chapter 14 Configuring Voice VLAN
Understanding Voice VLAN
Figure 14-1 Cisco 7960 IP Phone Connected to a Switch (figure: the phone's 3-port switch, with port P1 to the PC, port P2 to the phone ASIC, and port P3 to the switch access port)
Cisco IP Phone Voice Traffic
You can configure an access port with an attached Cisco IP Phone to use one VLAN for voice traffic and another VLAN for data traffic from a device attached to the phone.
Chapter 14 Configuring Voice VLAN
Configuring Voice VLAN
These sections contain this configuration information:
• Default Voice VLAN Configuration, page 14-3
• Voice VLAN Configuration Guidelines, page 14-3
• Configuring a Port Connected to a Cisco 7960 IP Phone, page 14-4
Default Voice VLAN Configuration
The voice VLAN feature is disabled by default. When the voice VLAN feature is enabled, all untagged traffic is sent according to the default CoS priority of the port.
• If the Cisco IP Phone and a device attached to the Cisco IP Phone are in the same VLAN, they must be in the same IP subnet. These conditions indicate that they are in the same VLAN:
– They both use IEEE 802.1p or untagged frames.
– The Cisco IP Phone uses IEEE 802.1p frames, and the device uses untagged frames.
– The Cisco IP Phone uses untagged frames, and the device uses IEEE 802.1p frames.
– The Cisco IP Phone uses IEEE 802.
Configuring IP Phone Voice Traffic
You can configure a port connected to the Cisco IP Phone to send CDP packets to the phone to configure the way in which the phone sends voice traffic. The phone can carry voice traffic in IEEE 802.1Q frames for a specified voice VLAN with a Layer 2 CoS value. It can use IEEE 802.1p priority tagging to give voice traffic a higher priority and forward all voice traffic through the native (access) VLAN.
Chapter 14 Configuring Voice VLAN
Displaying Voice VLAN
To return the port to its default setting, use the no switchport voice vlan interface configuration command.
Configuring the Priority of Incoming Data Frames
You can connect a PC or other data device to a Cisco IP Phone port. To process tagged data traffic (in IEEE 802.1Q or IEEE 802.
CHAPTER 15 Configuring STP
This chapter describes how to configure the Spanning Tree Protocol (STP) on port-based VLANs on the Catalyst 2960 switch. The switch can use either the per-VLAN spanning-tree plus (PVST+) protocol based on the IEEE 802.1D standard and Cisco proprietary extensions, or the rapid per-VLAN spanning-tree plus (rapid-PVST+) protocol based on the IEEE 802.1w standard.
Chapter 15 Configuring STP
Understanding Spanning-Tree Features
• Spanning-Tree Interoperability and Backward Compatibility, page 15-10
• STP and IEEE 802.1Q Trunks, page 15-10
For configuration information, see the “Configuring Spanning-Tree Features” section on page 15-10. For information about optional spanning-tree features, see Chapter 17, “Configuring Optional Spanning-Tree Features.
Spanning-Tree Topology and BPDUs
The stable, active spanning-tree topology of a switched network is controlled by these elements:
• The unique bridge ID (switch priority and MAC address) associated with each VLAN on each switch.
• The spanning-tree path cost to the root switch.
• The port identifier (port priority and MAC address) associated with each Layer 2 interface.
Bridge ID, Switch Priority, and Extended System ID
The IEEE 802.1D standard requires that each switch have a unique bridge identifier (bridge ID), which controls the selection of the root switch. Because each VLAN is considered a different logical bridge with PVST+ and rapid PVST+, the same switch must have a different bridge ID for each configured VLAN. Each VLAN on the switch has a unique 8-byte bridge ID.
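As an added example (not Cisco's code), the following builds, decodes and compares the 8-byte per-VLAN bridge IDs described above and runs the root election for one VLAN. The field layout used (a 4-bit priority, a 12-bit extended system ID carrying the VLAN ID, then the 6-byte MAC address, so that configured priorities are multiples of 4096 from 0 to 61440) is the IEEE 802.1t layout PVST+ uses and is assumed here rather than quoted from the excerpt; the switch names and MAC addresses are constructed.

```python
"""Bridge IDs with extended system ID (added example, not Cisco's code).

Assumed layout (IEEE 802.1t, as used by PVST+): the first 2 bytes hold a
4-bit priority and a 12-bit extended system ID equal to the VLAN ID; the
remaining 6 bytes are the switch's base MAC address. STP compares the whole
8-byte value numerically and the lowest value wins the root election.
"""
from __future__ import annotations

from dataclasses import dataclass

PRIORITY_STEP = 4096        # 4-bit priority field => multiples of 4096
MAX_PRIORITY = 15 * PRIORITY_STEP   # 61440
DEFAULT_PRIORITY = 32768


def is_valid_priority(priority: int) -> bool:
    """Switch priority must be 0..61440 in steps of 4096."""
    return 0 <= priority <= MAX_PRIORITY and priority % PRIORITY_STEP == 0


def mac_to_bytes(mac: str) -> bytes:
    """Accept 'aa:bb:cc:dd:ee:ff', 'aa-bb-...' or Cisco 'aabb.ccdd.eeff'."""
    digits = mac.replace(":", "").replace(".", "").replace("-", "")
    if len(digits) != 12:
        raise ValueError(f"bad MAC address: {mac!r}")
    return bytes.fromhex(digits)


@dataclass(frozen=True)
class BridgeId:
    priority: int           # configured switch priority
    vlan_id: int            # carried in the extended system ID field
    mac: bytes              # 6-byte base MAC address

    def __post_init__(self):
        if not is_valid_priority(self.priority):
            raise ValueError("priority must be 0..61440 in steps of 4096")
        if not 1 <= self.vlan_id <= 4094:
            raise ValueError("VLAN ID must be 1..4094")
        if len(self.mac) != 6:
            raise ValueError("MAC address must be 6 bytes")

    def encode(self) -> bytes:
        """8-byte on-the-wire form: priority|sysid (2 bytes) then MAC (6)."""
        prio_field = ((self.priority // PRIORITY_STEP) << 12) | self.vlan_id
        return prio_field.to_bytes(2, "big") + self.mac

    @classmethod
    def decode(cls, raw: bytes) -> "BridgeId":
        if len(raw) != 8:
            raise ValueError("bridge ID must be 8 bytes")
        prio_field = int.from_bytes(raw[:2], "big")
        return cls((prio_field >> 12) * PRIORITY_STEP, prio_field & 0x0FFF, raw[2:])

    def sort_key(self) -> int:
        # The election compares the full 8 bytes as one number: lowest wins,
        # so priority decides first and the MAC address breaks ties.
        return int.from_bytes(self.encode(), "big")


def elect_root(candidates: list) -> BridgeId:
    """Return the bridge ID PVST+ elects as root for one VLAN."""
    if len({c.vlan_id for c in candidates}) != 1:
        raise ValueError("root election is per VLAN; mixed VLAN IDs given")
    return min(candidates, key=BridgeId.sort_key)


# Constructed sample: three switches in VLAN 10; only core-1 has a lowered
# priority, which is how an operator makes the intended switch the root.
SWITCHES = {
    "core-1": BridgeId(24576, 10, mac_to_bytes("0011.2233.4455")),
    "access-1": BridgeId(DEFAULT_PRIORITY, 10, mac_to_bytes("0011.2233.0001")),
    "access-2": BridgeId(DEFAULT_PRIORITY, 10, mac_to_bytes("0011.2233.9999")),
}


def root_switch_name(switches: dict = SWITCHES) -> str:
    winner = elect_root(list(switches.values()))
    return next(name for name, bid in switches.items() if bid == winner)


if __name__ == "__main__":
    for name, bid in SWITCHES.items():
        print(f"{name:9} {bid.encode().hex()}")
    print("root for VLAN 10:", root_switch_name())   # core-1
```

Comparing the elected root against the switch you intended (as `root_switch_name` does for the sample) is the check to run when a topology change is unexpected.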
An interface moves through these states:
• From initialization to blocking
• From blocking to listening or to disabled
• From listening to learning or to disabled
• From learning to forwarding or to disabled
• From forwarding to disabled
Figure 15-1 illustrates how an interface moves through the states.
Blocking State
A Layer 2 interface in the blocking state does not participate in frame forwarding. After initialization, a BPDU is sent to each switch interface. A switch initially functions as the root until it exchanges BPDUs with other switches. This exchange establishes which switch in the network is the root or root switch.
Disabled State
A Layer 2 interface in the disabled state does not participate in frame forwarding or in the spanning tree. An interface in the disabled state is nonoperational.
Spanning Tree and Redundant Connectivity
You can create a redundant backbone with spanning tree by connecting two switch interfaces to another device or to two different devices, as shown in Figure 15-3. Spanning tree automatically disables one interface but enables it if the other one fails. If one link is high-speed and the other is low-speed, the low-speed link is always disabled.
Because each VLAN is a separate spanning-tree instance, the switch accelerates aging on a per-VLAN basis. A spanning-tree reconfiguration on one VLAN can cause the dynamic addresses learned on that VLAN to be subject to accelerated aging. Dynamic addresses on other VLANs can be unaffected and remain subject to the aging interval entered for the switch.
Chapter 15 Configuring STP
Configuring Spanning-Tree Features
Spanning-Tree Interoperability and Backward Compatibility
Table 15-2 lists the interoperability and compatibility among the supported spanning-tree modes in a network.
• Disabling Spanning Tree, page 15-13 (optional)
• Configuring the Root Switch, page 15-14 (optional)
• Configuring a Secondary Root Switch, page 15-15 (optional)
• Configuring Port Priority, page 15-16 (optional)
• Configuring Path Cost, page 15-17 (optional)
• Configuring the Switch Priority of a VLAN, page 15-19 (optional)
• Configuring Spanning-Tree Timers, page 15-19 (optional)
Default Spanning-Tree Configuration
Table 15-3 s
If 128 instances of spanning tree are already in use, you can disable spanning tree on one of the VLANs and then enable it on the VLAN where you want it to run. Use the no spanning-tree vlan vlan-id global configuration command to disable spanning tree on a specific VLAN, and use the spanning-tree vlan vlan-id global configuration command to enable spanning tree on the desired VLAN.
Command  Purpose
Step 1  configure terminal: Enter global configuration mode.
Step 2  spanning-tree mode {pvst | mst | rapid-pvst}: Configure a spanning-tree mode.
• Select pvst to enable PVST+ (the default setting).
• Select mst to enable MSTP (and RSTP). For more configuration steps, see Chapter 16, “Configuring MSTP.”
• Select rapid-pvst to enable rapid PVST+.
Beginning in privileged EXEC mode, follow these steps to disable spanning tree on a per-VLAN basis. This procedure is optional.
Command  Purpose
Step 1  configure terminal: Enter global configuration mode.
Step 2  no spanning-tree vlan vlan-id: For vlan-id, the range is 1 to 4094.
Step 3  end: Return to privileged EXEC mode.
Step 4  show spanning-tree vlan vlan-id: Verify your entries.
Note After configuring the switch as the root switch, we recommend that you avoid manually configuring the hello time, forward-delay time, and maximum-age time through the spanning-tree vlan vlan-id hello-time, spanning-tree vlan vlan-id forward-time, and the spanning-tree vlan vlan-id max-age global configuration commands.
Beginning in privileged EXEC mode, follow these steps to configure a switch to become the root for the specified VLAN.
Beginning in privileged EXEC mode, follow these steps to configure a switch to become the secondary root for the specified VLAN. This procedure is optional.
Command  Purpose
Step 1  configure terminal: Enter global configuration mode.
Step 2  spanning-tree vlan vlan-id root secondary [diameter net-diameter [hello-time seconds]]: Configure a switch to become the secondary root for the specified VLAN.
Command  Purpose
Step 3  spanning-tree port-priority priority: Configure the port priority for an interface. For priority, the range is 0 to 240, in increments of 16; the default is 128. Valid values are 0, 16, 32, 48, 64, 80, 96, 112, 128, 144, 160, 176, 192, 208, 224, and 240. All other values are rejected. The lower the number, the higher the priority.
Beginning in privileged EXEC mode, follow these steps to configure the cost of an interface. This procedure is optional.
Command  Purpose
Step 1  configure terminal: Enter global configuration mode.
Step 2  interface interface-id: Specify an interface to configure, and enter interface configuration mode. Valid interfaces include physical ports and port-channel logical interfaces (port-channel port-channel-number).
Configuring the Switch Priority of a VLAN
You can configure the switch priority and make it more likely that the switch will be chosen as the root switch.
Note Exercise care when using this command. For most situations, we recommend that you use the spanning-tree vlan vlan-id root primary and the spanning-tree vlan vlan-id root secondary global configuration commands to modify the switch priority.
The sections that follow provide the configuration steps.
Configuring the Hello Time
You can configure the interval between the generation of configuration messages by the root switch by changing the hello time.
Note Exercise care when using this command.
Configuring the Forwarding-Delay Time for a VLAN
Beginning in privileged EXEC mode, follow these steps to configure the forwarding-delay time for a VLAN. This procedure is optional.
Command  Purpose
Step 1  configure terminal: Enter global configuration mode.
Step 2  spanning-tree vlan vlan-id forward-time seconds: Configure the forward time of a VLAN.
Chapter 15 Configuring STP
Displaying the Spanning-Tree Status
To display the spanning-tree status, use one or more of the privileged EXEC commands in Table 15-5:
Table 15-5 Commands for Displaying Spanning-Tree Status
Command  Purpose
show spanning-tree active: Displays spanning-tree information on active interfaces only.
show spanning-tree detail: Displays a detailed summary of interface information.
CHAPTER 16 Configuring MSTP
This chapter describes how to configure the Cisco implementation of the Multiple STP (MSTP) on the Catalyst 2960 switch. The MSTP enables multiple VLANs to be mapped to the same spanning-tree instance, reducing the number of spanning-tree instances needed to support a large number of VLANs. The MSTP provides for multiple forwarding paths for data traffic and enables load balancing.
Chapter 16 Configuring MSTP
Understanding MSTP
MSTP, which uses RSTP for rapid convergence, enables VLANs to be grouped into a spanning-tree instance, with each instance having a spanning-tree topology independent of other spanning-tree instances. This architecture provides multiple forwarding paths for data traffic, enables load balancing, and reduces the number of spanning-tree instances required to support a large number of VLANs.
IST, CIST, and CST
Unlike PVST+ and rapid PVST+ in which all the spanning-tree instances are independent, the MSTP establishes and maintains two types of spanning trees:
• An internal spanning tree (IST), which is the spanning tree that runs in an MST region. Within each MST region, the MSTP maintains multiple spanning-tree instances. Instance 0 is a special instance for a region, known as the internal spanning tree (IST).
Operations Between MST Regions
If there are multiple regions or legacy 802.1D switches within the network, MSTP establishes and maintains the CST, which includes all MST regions and all legacy STP switches in the network. The MST instances combine with the IST at the boundary of the region to become the CST.
Hop Count
The IST and MST instances do not use the message-age and maximum-age information in the configuration BPDU to compute the spanning-tree topology. Instead, they use the path cost to the root and a hop-count mechanism similar to the IP time-to-live (TTL) mechanism. By using the spanning-tree mst max-hops global configuration command, you can configure the maximum hops inside the region and apply it to the IST and all MST instances in that region.
Chapter 16 Configuring MSTP
Understanding RSTP
However, the switch does not automatically revert to the MSTP mode if it no longer receives IEEE 802.1D BPDUs because it cannot detect whether the legacy switch has been removed from the link unless the legacy switch is the designated switch. A switch might also continue to assign a boundary role to a port when the switch to which this switch is connected has joined the region.
In a stable topology with consistent port roles throughout the network, the RSTP ensures that every root port and designated port immediately transitions to the forwarding state while all alternate and backup ports are always in the discarding state (equivalent to blocking in IEEE 802.1D). The port state controls the operation of the forwarding and learning processes. Table 16-1 provides a comparison of IEEE 802.1D and RSTP port states.
When Switch C is connected to Switch B, a similar set of handshaking messages is exchanged. Switch C selects the port connected to Switch B as its root port, and both ends immediately transition to the forwarding state. With each iteration of this handshaking process, one more switch joins the active topology. As the network converges, this proposal-agreement handshaking progresses from the root toward the leaves of the spanning tree.
Figure 16-3 Sequence of Events During Rapid Convergence (figure: numbered proposal, block, agreement and forward events 1 through 11 between root ports, designated ports and an edge port)
Bridge Protocol Data Unit Format and Processing
The RSTP BPDU format is the same as the IEEE 802.1D BPDU format except that the protocol version is set to 2.
The RSTP does not have a separate topology change notification (TCN) BPDU. It uses the topology change (TC) flag to show the topology changes. However, for interoperability with IEEE 802.1D switches, the RSTP switch processes and generates TCN BPDUs. The learning and forwarding flags are set according to the state of the sending port.
Configuring MSTP Features

• Protocol migration—For backward compatibility with IEEE 802.1D switches, RSTP selectively sends IEEE 802.1D configuration BPDUs and TCN BPDUs on a per-port basis. When a port is initialized, the migrate-delay timer is started (it specifies the minimum time during which RSTP BPDUs are sent), and RSTP BPDUs are sent. While this timer is active, the switch processes all BPDUs received on that port and ignores the protocol type.

Table 16-3 Default MSTP Configuration (continued)
Feature                Default Setting
Hello time             2 seconds.
Forward-delay time     15 seconds.
Maximum-aging time     20 seconds.
Maximum hop count      20 hops.

For information about the supported number of spanning-tree instances, see the “Supported Spanning-Tree Instances” section on page 15-9.

Specifying the MST Region Configuration and Enabling MSTP

For two or more switches to be in the same MST region, they must have the same VLAN-to-instance mapping, the same configuration revision number, and the same name. A region can have one member or multiple members with the same MST configuration; each member must be capable of processing RSTP BPDUs.

To return to the default MST region configuration, use the no spanning-tree mst configuration global configuration command. To return to the default VLAN-to-instance map, use the no instance instance-id [vlan vlan-range] MST configuration command. To return to the default name, use the no name MST configuration command. To return to the default revision number, use the no revision MST configuration command.

forward-delay time, and maximum-age time for a network of that diameter, which can significantly reduce the convergence time. You can use the hello keyword to override the automatically calculated hello time.

Step 1  configure terminal
        Enter global configuration mode.
Step 2  spanning-tree mst instance-id root secondary [diameter net-diameter [hello-time seconds]]
        Configure a switch as the secondary root switch.
        • For instance-id, you can specify a single instance, a range of instances separated by a hyphen, or a series of instances separated by a comma. The range is 0 to 15.

Step 3  spanning-tree mst instance-id port-priority priority
        Configure the port priority.
        • For instance-id, you can specify a single instance, a range of instances separated by a hyphen, or a series of instances separated by a comma. The range is 0 to 15.
        • For priority, the range is 0 to 240 in increments of 16. The default is 128. The lower the number, the higher the priority.

Step 3  spanning-tree mst instance-id cost cost
        Configure the cost. If a loop occurs, the MSTP uses the path cost when selecting an interface to place into the forwarding state. A lower path cost represents higher-speed transmission.
        • For instance-id, you can specify a single instance, a range of instances separated by a hyphen, or a series of instances separated by a comma. The range is 0 to 15.

Beginning in privileged EXEC mode, follow these steps to configure the switch priority. This procedure is optional.
Step 1  configure terminal
        Enter global configuration mode.
Step 2  spanning-tree mst instance-id priority priority
        Configure the switch priority.
        • For instance-id, you can specify a single instance, a range of instances separated by a hyphen, or a series of instances separated by a comma. The range is 0 to 15.

Configuring the Forwarding-Delay Time

Beginning in privileged EXEC mode, follow these steps to configure the forwarding-delay time for all MST instances. This procedure is optional.
Step 1  configure terminal
        Enter global configuration mode.
Step 2  spanning-tree mst forward-time seconds
        Configure the forward time for all MST instances.

Configuring the Maximum-Hop Count

Beginning in privileged EXEC mode, follow these steps to configure the maximum-hop count for all MST instances. This procedure is optional.
Step 1  configure terminal
        Enter global configuration mode.
Step 2  spanning-tree mst max-hops hop-count
        Specify the number of hops in a region before the BPDU is discarded and the information held for a port is aged.

Restarting the Protocol Migration Process

A switch running MSTP supports a built-in protocol migration mechanism that enables it to interoperate with legacy IEEE 802.1D switches. If this switch receives a legacy IEEE 802.1D configuration BPDU (a BPDU with the protocol version set to 0), it sends only IEEE 802.1D BPDUs on that port.
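The following session, added here and not taken from the Cisco guide, walks through the MST procedures of this chapter on one switch: the region definition, enabling MSTP, root and priority selection, per-port priority and cost, the region-wide timers, and the protocol-migration restart. The region name CORP-MST, the revision number, the VLAN ranges, the instance numbers and the interface ids are assumed values for illustration.

```cisco
! Added example (not from the guide). Region name, revision, VLAN ranges
! and interface ids are assumed values.
Switch# configure terminal
! Every switch in the region must carry exactly this name, revision and
! VLAN-to-instance map; any difference puts the switch in its own region.
Switch(config)# spanning-tree mst configuration
Switch(config-mst)# name CORP-MST
Switch(config-mst)# revision 1
Switch(config-mst)# instance 1 vlan 10-20
Switch(config-mst)# instance 2 vlan 30-40
Switch(config-mst)# show pending
Switch(config-mst)# exit
Switch(config)# spanning-tree mode mst
!
! Root selection per instance: primary root for instance 1, secondary root
! for instance 2; diameter 4 lets the switch derive hello, forward-delay
! and max-age for a network of that size.
Switch(config)# spanning-tree mst 1 root primary diameter 4
Switch(config)# spanning-tree mst 2 root secondary diameter 4
! Alternatively set the bridge priority directly (multiples of 4096,
! lower wins); here for the IST (instance 0).
Switch(config)# spanning-tree mst 0 priority 24576
!
! Per-port tie-breakers for instance 1 on the uplink (lower is preferred).
Switch(config)# interface gigabitethernet0/1
Switch(config-if)# spanning-tree mst 1 port-priority 64
Switch(config-if)# spanning-tree mst 1 cost 200000
Switch(config-if)# exit
!
! Region-wide timers (the defaults from Table 16-3, stated explicitly).
Switch(config)# spanning-tree mst hello-time 2
Switch(config)# spanning-tree mst forward-time 15
Switch(config)# spanning-tree mst max-age 20
Switch(config)# spanning-tree mst max-hops 20
Switch(config)# end
!
! Verify on every member: name, revision and VLAN map must match.
Switch# show spanning-tree mst configuration
Switch# show spanning-tree mst 1
!
! A port that received a version-0 BPDU keeps sending IEEE 802.1D BPDUs
! even after the legacy switch is unplugged; restart migration by hand.
Switch# clear spanning-tree detected-protocols interface gigabitethernet0/1
Switch# copy running-config startup-config
```

The check that matters after the configuration is the first show command: compare its name, revision and VLAN map line by line across all switches that are meant to share the region, since a single VLAN mapped to a different instance on one switch silently splits the region at that switch's ports.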
Chapter 17 Configuring Optional Spanning-Tree Features

This chapter describes how to configure optional spanning-tree features on the Catalyst 2960 switch. You can configure all of these features when your switch is running the per-VLAN spanning-tree plus (PVST+). You can configure only the noted features when your switch is running the Multiple Spanning Tree Protocol (MSTP) or the rapid per-VLAN spanning-tree plus (rapid-PVST+) protocol.

Understanding Optional Spanning-Tree Features

Understanding Port Fast

Port Fast immediately brings an interface configured as an access or trunk port to the forwarding state from a blocking state, bypassing the listening and learning states.

Understanding BPDU Guard

The BPDU guard feature can be globally enabled on the switch or can be enabled per interface, but the feature operates with some differences. At the global level, you enable BPDU guard on Port Fast-enabled interfaces by using the spanning-tree portfast bpduguard default global configuration command.

Understanding UplinkFast

Switches in hierarchical networks can be grouped into backbone switches, distribution switches, and access switches. Figure 17-2 shows a complex network where distribution switches and access switches each have at least one redundant link that spanning tree blocks to prevent loops.

Figure 17-3 UplinkFast Example Before Direct Link Failure (figure: Switch A is the root; Switch B and Switch C are connected by links L1, L2 and L3, and one port on Switch C is blocked)

If Switch C detects a link failure on the currently active link L2 on the root port (a direct link failure), UplinkFast unblocks the blocked interface on Switch C and transitions it to the forwarding state without going through the listening and learning states, as shown in Figure

The switch tries to find if it has an alternate path to the root switch. If the inferior BPDU arrives on a blocked interface, the root port and other blocked interfaces on the switch become alternate paths to the root switch. (Self-looped ports are not considered alternate paths to the root switch.)

Figure 17-6 BackboneFast Example After Indirect Link Failure (figure: Switch A is the root; link L1 has failed, and BackboneFast moves the previously blocked port on link L3 through the listening and learning states to the forwarding state)

Understanding Root Guard

The Layer 2 network of a service provider (SP) can include many connections to switches that are not owned by the SP. In such a topology, the spanning tree can reconfigure itself and select a customer switch as the root switch, as shown in Figure 17-8. You can avoid this situation by enabling root guard on SP switch interfaces that connect to switches in your customer’s network.

Understanding Loop Guard

You can use loop guard to prevent alternate or root ports from becoming designated ports because of a failure that leads to a unidirectional link. This feature is most effective when it is enabled on the entire switched network. Loop guard prevents alternate and root ports from becoming designated ports, and spanning tree does not send BPDUs on root or alternate ports.

Configuring Optional Spanning-Tree Features

Optional Spanning-Tree Configuration Guidelines

You can configure PortFast, BPDU guard, BPDU filtering, EtherChannel guard, root guard, or loop guard if your switch is running PVST+, rapid PVST+, or MSTP. You can configure the UplinkFast or the BackboneFast feature for rapid PVST+ or for the MSTP, but the feature remains disabled (inactive) until you change the spanning-tree mode to PVST+.

Note You can use the spanning-tree portfast default global configuration command to globally enable the Port Fast feature on all nontrunking ports. To disable the Port Fast feature, use the spanning-tree portfast disable interface configuration command.

Enabling BPDU Filtering

When you globally enable BPDU filtering on Port Fast-enabled interfaces, it prevents interfaces that are in a Port Fast-operational state from sending or receiving BPDUs. The interfaces still send a few BPDUs at link-up before the switch begins to filter outbound BPDUs.
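The following session, added here and not part of the Cisco guide, combines Port Fast, BPDU guard and BPDU filtering into one edge-port configuration for an access switch, with the global form and the per-interface form side by side. The interface ids, the VLAN number and the recovery interval are assumed values.

```cisco
! Added example (not from the guide). Interface ids, VLAN and timers are assumed.
Switch# configure terminal
! Globally: Port Fast on all nontrunking ports, and BPDU guard on every
! Port Fast-operational port, so a BPDU arriving on a host port err-disables
! that port instead of letting an unexpected switch join the topology.
Switch(config)# spanning-tree portfast default
Switch(config)# spanning-tree portfast bpduguard default
! Let a port that BPDU guard shut down recover on its own after 5 minutes.
Switch(config)# errdisable recovery cause bpduguard
Switch(config)# errdisable recovery interval 300
!
! Per-interface form for one host port; it applies regardless of the
! global default and survives a change of the global setting.
Switch(config)# interface fastethernet0/5
Switch(config-if)# switchport mode access
Switch(config-if)# switchport access vlan 10
Switch(config-if)# spanning-tree portfast
Switch(config-if)# spanning-tree bpduguard enable
Switch(config-if)# exit
!
! Per-interface BPDU filtering is the same as disabling spanning tree on
! that port and can create loops; keep it off on the uplink explicitly.
! Prefer BPDU guard on host ports, because it blocks rather than hides a
! switch that is plugged into them.
Switch(config)# interface gigabitethernet0/1
Switch(config-if)# spanning-tree bpdufilter disable
Switch(config-if)# exit
Switch(config)# end
!
! Verification: the summary shows the global Port Fast, BPDU guard and
! BPDU filter state; the last command lists ports BPDU guard has disabled.
Switch# show spanning-tree summary
Switch# show spanning-tree interface fastethernet0/5 portfast
Switch# show interfaces status err-disabled
```

The err-disable recovery settings are a trade-off: without them a port stays down until an operator clears it, which is noticeable but safe; with a 5-minute recovery a port that keeps receiving BPDUs simply cycles, which is still safe because it is disabled again as soon as the next BPDU arrives.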
Enabling UplinkFast for Use with Redundant Links

UplinkFast cannot be enabled on VLANs that have been configured with a switch priority. To enable UplinkFast on a VLAN with switch priority configured, first restore the switch priority on the VLAN to the default value by using the no spanning-tree vlan vlan-id priority global configuration command.

Enabling BackboneFast

You can enable BackboneFast to detect indirect link failures and to start the spanning-tree reconfiguration sooner.

Note If you use BackboneFast, you must enable it on all switches in the network. BackboneFast is not supported on Token Ring VLANs. This feature is supported for use with third-party switches.

You can use the show interfaces status err-disabled privileged EXEC command to show which switch ports are disabled because of an EtherChannel misconfiguration. On the remote device, you can enter the show etherchannel summary privileged EXEC command to verify the EtherChannel configuration.

Beginning in privileged EXEC mode, follow these steps to enable loop guard. This procedure is optional.
Step 1  show spanning-tree active
        or
        show spanning-tree mst
        Verify which interfaces are alternate or root ports.
Step 2  configure terminal
        Enter global configuration mode.
Step 3  spanning-tree loopguard default
        Enable loop guard. By default, loop guard is disabled.
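The following session, added here and not part of the Cisco guide, shows root guard on customer-facing ports, loop guard switch-wide and per port, EtherChannel guard, and the PVST+-only UplinkFast and BackboneFast features with the priority restriction from the UplinkFast section. The port range, the VLAN number and the interface ids are assumed values.

```cisco
! Added example (not from the guide). Port range, VLAN and interface ids are assumed.
! First record which ports are root or alternate ports; loop guard acts on those.
Switch# show spanning-tree active
Switch# configure terminal
!
! Root guard on the ports that face customer (or otherwise unmanaged) switches:
! a superior BPDU on such a port moves it to the root-inconsistent (blocking)
! state instead of letting that switch take over as root.
Switch(config)# interface range fastethernet0/1 - 8
Switch(config-if-range)# spanning-tree guard root
Switch(config-if-range)# exit
!
! Loop guard for the whole switch, so a root or alternate port that stops
! receiving BPDUs (a unidirectional link) cannot silently become designated.
! Root guard and loop guard cannot both be enabled on the same port.
Switch(config)# spanning-tree loopguard default
Switch(config)# interface gigabitethernet0/1
Switch(config-if)# spanning-tree guard loop
Switch(config-if)# exit
!
! EtherChannel guard err-disables the ports of a misconfigured channel
! (enabled by default; stated explicitly here).
Switch(config)# spanning-tree etherchannel guard misconfig
!
! UplinkFast and BackboneFast only take effect in PVST+ mode, and UplinkFast
! refuses a VLAN with a non-default switch priority, so restore it first.
Switch(config)# spanning-tree mode pvst
Switch(config)# no spanning-tree vlan 10 priority
Switch(config)# spanning-tree uplinkfast
Switch(config)# spanning-tree backbonefast
Switch(config)# end
!
! Ports held by root guard or loop guard appear here; the summary shows
! which optional features are active in the current mode.
Switch# show spanning-tree inconsistentports
Switch# show spanning-tree summary
```

After the change, a root-inconsistent or loop-inconsistent port in the inconsistentports output is the signal to investigate the neighbour on that link rather than a fault to clear: root guard is reporting a switch that advertised a better root, and loop guard is reporting a link that stopped delivering BPDUs.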
Chapter 18 Configuring Flex Links

This chapter describes how to configure Flex Links, a pair of interfaces on the Catalyst 2960 switch that are used to provide a mutual backup.

Note For complete syntax and usage information for the commands used in this chapter, see the command reference for this release.

Figure 18-1 Flex Links Configuration Example (figure: Switch A with Port 1 connected to uplink switch B and Port 2 connected to uplink switch C)

If a primary (forwarding) link goes down, a trap notifies the network management stations. If the standby link goes down, a trap notifies the users. Flex Links are supported only on Layer 2 ports and port channels, not on VLANs.

Configuring Flex Links

Beginning in privileged EXEC mode, follow these steps to configure a pair of Flex Links:
Step 1  configure terminal
        Enter global configuration mode.
Step 2  interface interface-id
        Specify the interface, and enter interface configuration mode. The interface can be a physical Layer 2 interface or a port channel (logical interface). The port-channel range is 1 to 6.
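The following session, added here and not part of the Cisco guide, configures the pair from Figure 18-1 on Switch A, once with physical ports and once with port channels, and shows how to confirm which member is forwarding. The interface and port-channel numbers are assumed values.

```cisco
! Added example (not from the guide). Interface and port-channel numbers are assumed.
Switch# configure terminal
! Port 1 (gi0/1) is the active uplink toward switch B; gi0/2 toward switch C
! is its backup and stays in standby until gi0/1 goes down.
Switch(config)# interface gigabitethernet0/1
Switch(config-if)# switchport backup interface gigabitethernet0/2
Switch(config-if)# exit
!
! The same pairing with port channels (logical interfaces 1 to 6).
Switch(config)# interface port-channel 1
Switch(config-if)# switchport backup interface port-channel 2
Switch(config-if)# end
!
! Spanning tree is disabled on Flex Link ports, so this output, not
! show spanning-tree, is where to confirm the active and backup roles.
Switch# show interfaces switchport backup
Switch# copy running-config startup-config
```

Because spanning tree is not running on the pair, the two uplinks must really terminate on different upstream switches as in Figure 18-1; the backup port is kept in standby only by the Flex Links pairing, so connecting both members into one broadcast domain without that pairing would leave nothing to block the loop.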
Chapter 19 Configuring DHCP Features

This chapter describes how to configure DHCP snooping and the option-82 data insertion features on the Catalyst 2960 switch.

Note For complete syntax and usage information for the commands used in this chapter, see the command reference for this release, and see the “DHCP Commands” section in the Cisco IOS IP Command Reference, Volume 1 of 3: Addressing and Services, Release 12.2.

Understanding DHCP Features

DHCP Server

The DHCP server assigns IP addresses from specified address pools on a switch or router to DHCP clients and manages them. If the DHCP server cannot give the DHCP client the requested configuration parameters from its database, it can forward the request to one or more secondary DHCP servers defined by the network administrator.

The switch drops a DHCP packet when one of these situations occurs:
• A packet from a DHCP server, such as a DHCPOFFER, DHCPACK, DHCPNAK, or DHCPLEASEQUERY packet, is received from outside the network or firewall.
• A packet is received on an untrusted interface, and the source MAC address and the DHCP client hardware address do not match.

Figure 19-1 DHCP Relay Agent in a Metropolitan Ethernet Network (figure: a DHCP server reached through a Catalyst switch acting as DHCP relay agent; the access-layer VLAN 10 holds the subscribers Host A and Host B, both DHCP clients)

When you enable the DHCP snooping information option 82 on the switch, this sequence of events occurs:
• The host (DHCP client) generates a DHCP request and broadcasts it on the network.

In the port field of the circuit ID suboption, the port numbers start at 3. For example, on a switch with 24 10/100 ports and small form-factor pluggable (SFP) module slots, port 3 is the Fast Ethernet 0/1 port, port 4 is the Fast Ethernet 0/2 port, and so forth. Port 27 is the SFP module slot 0/1, and so forth. Figure 19-2 shows the packet formats for the remote ID suboption and the circuit ID suboption.

Configuring DHCP Features

This is the format of the file with bindings:
TYPE DHCP-SNOOPING
VERSION 1
BEGIN
...
...
END
Each entry in the file is tagged with a checksum value that the switch uses to verify the entries when it reads the file.

Default DHCP Configuration

Table 19-1 shows the default DHCP configuration.

• Before configuring the DHCP snooping information option on your switch, be sure to configure the device that is acting as the DHCP server. For example, you must specify the IP addresses that the DHCP server can assign or exclude, or you must configure DHCP options for these devices.
• If the DHCP relay agent is enabled but DHCP snooping is disabled, the DHCP option-82 data insertion feature is not supported.

Enabling DHCP Snooping and Option 82

Beginning in privileged EXEC mode, follow these steps to enable DHCP snooping on the switch:
Step 1  configure terminal
        Enter global configuration mode.
Step 2  ip dhcp snooping
        Enable DHCP snooping globally.
Step 3  ip dhcp snooping vlan vlan-range
        Enable DHCP snooping on a VLAN or range of VLANs. The range is 1 to 4094.

To disable DHCP snooping, use the no ip dhcp snooping global configuration command. To disable DHCP snooping on a VLAN or range of VLANs, use the no ip dhcp snooping vlan vlan-range global configuration command. To disable the insertion and removal of the option-82 field, use the no ip dhcp snooping information option global configuration command.

Step 7  show ip dhcp snooping database [detail]
        Display the status and statistics of the DHCP snooping binding database agent.
Step 8  copy running-config startup-config
        (Optional) Save your entries in the configuration file.

To stop using the database agent and binding files, use the no ip dhcp snooping database global configuration command.
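The following session, added here and not part of the Cisco guide, ties together the DHCP snooping, option-82 and database-agent procedures of this chapter on one access switch: snooping on two VLANs, one trusted uplink toward the DHCP server, rate-limited untrusted host ports, and a binding file on a TFTP server. The VLAN ids, interface ids, rate limit, TFTP address and file name are assumed values; the ip dhcp snooping verify mac-address command is the form used in later releases and is included as an assumption for the MAC-address check described in the drop rules above.

```cisco
! Added example (not from the guide). VLANs, interface ids, the rate limit
! and the TFTP URL are assumed values.
Switch# configure terminal
Switch(config)# ip dhcp snooping
Switch(config)# ip dhcp snooping vlan 10,20
! Option-82 insertion is on by default; it is stated explicitly here. The
! DHCP server (or relay) upstream must be set to accept option-82 packets.
Switch(config)# ip dhcp snooping information option
! Drop packets on untrusted ports whose source MAC does not match the
! DHCP client hardware address (command form assumed; check your image).
Switch(config)# ip dhcp snooping verify mac-address
!
! Only the uplink toward the DHCP server is trusted. Server messages
! (DHCPOFFER, DHCPACK, DHCPNAK, DHCPLEASEQUERY) seen on any other port are dropped.
Switch(config)# interface gigabitethernet0/1
Switch(config-if)# ip dhcp snooping trust
Switch(config-if)# exit
! Host ports stay untrusted; cap DHCP at 15 packets per second per port
! so a flood of requests cannot exhaust the switch or the server.
Switch(config)# interface range fastethernet0/1 - 24
Switch(config-if-range)# ip dhcp snooping limit rate 15
Switch(config-if-range)# exit
!
! Database agent: write the binding table to a file so it survives a reload;
! the switch verifies each entry's checksum when it reads the file back.
Switch(config)# ip dhcp snooping database tftp://10.1.1.1/switch1-bindings
Switch(config)# ip dhcp snooping database write-delay 300
Switch(config)# ip dhcp snooping database timeout 300
Switch(config)# end
!
Switch# show ip dhcp snooping
Switch# show ip dhcp snooping binding
Switch# show ip dhcp snooping database detail
Switch# copy running-config startup-config
```

Two details are easy to get wrong: a second uplink that also carries DHCP server traffic must be trusted too, or clients on that path lose their leases at the next renewal; and the binding file path is a URL the switch reaches over the network, so the TFTP server should be on a management network and the file's contents treated as sensitive, since it maps every client MAC to its address, VLAN and port.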
Chapter 20 Configuring IGMP Snooping and MVR

This chapter describes how to configure Internet Group Management Protocol (IGMP) snooping on the Catalyst 2960 switch, including an application of local IGMP snooping, Multicast VLAN Registration (MVR). It also includes procedures for controlling multicast group membership by using IGMP filtering and procedures for configuring the IGMP throttling action.

Understanding IGMP Snooping

Note For more information on IP multicast and IGMP, see RFC 1112 and RFC 2236.

The multicast router sends out periodic general queries to all VLANs. All hosts interested in this multicast traffic send join requests and are added to the forwarding table entry. The switch creates one entry per VLAN in the IGMP snooping IP multicast forwarding table for each group from which it receives an IGMP join request.

Note IGMPv3 join and leave messages are not supported on switches running IGMP filtering or MVR. An IGMPv3 switch can receive messages from and forward messages to a device running the Source Specific Multicast (SSM) feature. For more information about source-specific multicast with IGMPv3 and IGMP, see the following URL: http://www.cisco.com/univercd/cc/td/doc/product/software/ios121/121newft/121t/121t5/dtssm5t.

Table 20-1 IGMP Snooping Forwarding Table
Destination Address   Type of Packet   Ports
224.1.2.3             IGMP             1, 2

The switch hardware can distinguish IGMP information packets from other packets for the multicast group. The information in the table tells the switching engine to send frames addressed to the 224.1.2.3 multicast IP address that are not IGMP packets to the router and to the host that has joined the group.

When hosts want to leave a multicast group, they can silently leave, or they can send a leave message. When the switch receives a leave message from a host, it sends a group-specific query to learn if any other devices connected to that interface are interested in traffic for the specific multicast group.

If you disable IGMP report suppression, all IGMP reports are forwarded to the multicast routers. For configuration steps, see the “Disabling IGMP Report Suppression” section on page 20-14.

Configuring IGMP Snooping

IGMP snooping allows switches to examine IGMP packets and make forwarding decisions based on their content.

Global IGMP snooping overrides the VLAN IGMP snooping. If global snooping is disabled, you cannot enable VLAN snooping. If global snooping is enabled, you can enable or disable VLAN snooping. Beginning in privileged EXEC mode, follow these steps to globally enable IGMP snooping on the switch:
Step 1  configure terminal
        Enter global configuration mode.

Note If you want to use CGMP as the learning method and no multicast routers in the VLAN are CGMP proxy-enabled, you must enter the ip cgmp router-only command to dynamically access the router.

Beginning in privileged EXEC mode, follow these steps to alter the method in which a VLAN interface dynamically accesses a multicast router:
Step 1  configure terminal
        Enter global configuration mode.

Step 4  show ip igmp snooping mrouter [vlan vlan-id]
        Verify that IGMP snooping is enabled on the VLAN interface.
Step 5  copy running-config startup-config
        (Optional) Save your entries in the configuration file.

To remove a multicast router port from the VLAN, use the no ip igmp snooping vlan vlan-id mrouter interface interface-id global configuration command.

Note Immediate Leave is supported only on IGMP Version 2 hosts.

Beginning in privileged EXEC mode, follow these steps to enable IGMP Immediate Leave:
Step 1  configure terminal
        Enter global configuration mode.
Step 2  ip igmp snooping vlan vlan-id immediate-leave
        Enable IGMP Immediate Leave on the VLAN interface.
Step 3  end
        Return to privileged EXEC mode.

Step 5  show ip igmp snooping
        (Optional) Display the configured IGMP leave time.
Step 6  copy running-config startup-config
        (Optional) Save your entries in the configuration file.

To globally reset the IGMP leave timer to the default setting, use the no ip igmp snooping last-member-query-interval global configuration command.

Recovering from Flood Mode

When a topology change occurs, the spanning-tree root sends a special IGMP leave message (also known as global leave) with the group multicast address 0.0.0.0. However, when you enable the ip igmp snooping tcn query solicit global configuration command, the switch sends the global leave message whether or not it is the spanning-tree root.

Configuring the IGMP Snooping Querier

Follow these guidelines when configuring the IGMP snooping querier:
• Configure the VLAN in global configuration mode.
• Configure an IP address on the VLAN interface. When enabled, the IGMP snooping querier uses the IP address as the query source address.

This example shows how to set the IGMP snooping querier source address to 10.0.0.64:
Switch# configure terminal
Switch(config)# ip igmp snooping querier 10.0.0.
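The following session, added here and not part of the Cisco guide, applies the IGMP snooping procedures of this section to one VLAN: global and VLAN enable, a static multicast-router port with the dynamic learning method, Immediate Leave, the leave timer, the topology-change query settings and the snooping querier. The VLAN id, interface ids and timer values are assumed values.

```cisco
! Added example (not from the guide). VLAN, interface ids and timers are assumed.
Switch# configure terminal
! Global first: VLAN snooping cannot be turned on while global snooping is off.
Switch(config)# ip igmp snooping
Switch(config)# ip igmp snooping vlan 10
! The uplink is a known multicast-router port; keep dynamic learning (PIM/DVMRP)
! as well, so a second router is discovered without a config change.
Switch(config)# ip igmp snooping vlan 10 mrouter interface gigabitethernet0/1
Switch(config)# ip igmp snooping vlan 10 mrouter learn pim-dvmrp
! Immediate Leave only where exactly one IGMPv2 host sits behind each port;
! with a hub or a second receiver on the port, its stream is cut as well.
Switch(config)# ip igmp snooping vlan 10 immediate-leave
! Otherwise shorten the wait for a reply to the group-specific query (ms).
Switch(config)# ip igmp snooping last-member-query-interval 500
! After a topology change: solicit a general query even when this switch
! is not the root, and limit the number of queries flooded meanwhile.
Switch(config)# ip igmp snooping tcn query solicit
Switch(config)# ip igmp snooping tcn flood query count 2
! Snooping querier for a VLAN without a multicast router; per the guidelines
! above, the VLAN interface must already carry an IP address.
Switch(config)# ip igmp snooping querier
Switch(config)# end
!
Switch# show ip igmp snooping vlan 10
Switch# show ip igmp snooping mrouter vlan 10
Switch# show ip igmp snooping groups vlan 10
```

The mrouter output is the first thing to check when a receiver gets no stream: if the uplink is missing from it, reports from hosts are never forwarded toward the router, and every group entry on the VLAN ages out regardless of what the hosts send.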
Displaying IGMP Snooping Information

To display IGMP snooping information, use one or more of the privileged EXEC commands in Table 20-4.

Table 20-4 Commands for Displaying IGMP Snooping Information
Command                              Purpose
show ip igmp snooping [vlan vlan-id] Display the snooping configuration information for all VLANs on the switch or for a specified VLAN. (Optional) Enter vlan vlan-id to display information for a single VLAN.

Understanding Multicast VLAN Registration

Multicast VLAN Registration (MVR) is designed for applications using wide-scale deployment of multicast traffic across an Ethernet ring-based service-provider network (for example, the broadcast of multiple television channels over a service-provider network).

Figure 20-3 Multicast VLAN Registration Example (figure: a Cisco router and a multicast server feed the multicast VLAN through Switch B to Switch A; Switch A has source ports SP1 and SP2 and receiver ports RP1 through RP7 toward customer premises with set-top boxes, a TV and a PC; IGMP joins travel up and TV data travels down; RP = Receiver Port, SP = Source Port. Note: All source ports belong to the multicast VLAN.)

These messages dynamically register for streams of multicast traffic in the multicast VLAN on the Layer 3 device, Switch B. The access layer switch, Switch A, modifies the forwarding behavior to allow the traffic to be forwarded from the multicast VLAN to the subscriber port in a different VLAN, selectively allowing traffic to cross between two VLANs. IGMP reports are sent to the same IP multicast group address as the multicast data.

Configuring MVR

• Because MVR on the switch uses IP multicast addresses instead of MAC multicast addresses, aliased IP multicast addresses are allowed on the switch. However, if the switch is interoperating with Catalyst 3550 or Catalyst 3500 XL switches, you should not configure IP addresses that alias between themselves or with the reserved IP multicast addresses (in the range 224.0.0.xxx).
• MVR can coexist with IGMP snooping on a switch.

To return the switch to its default settings, use the no mvr [mode | group ip-address | querytime | vlan] global configuration commands.

Step 8  show mvr
        or
        show mvr interface
        or
        show mvr members
        Verify the configuration.
Step 9  copy running-config startup-config
        (Optional) Save your entries in the configuration file.

To return the interface to its default settings, use the no mvr [type | immediate | vlan vlan-id | group] interface configuration commands.
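The following session, added here and not part of the Cisco guide, configures the access-layer role of Switch A from Figure 20-3: the multicast VLAN, a block of channel groups, dynamic mode, the query time, one source port on the multicast VLAN and one receiver port in a subscriber VLAN with Immediate Leave and a static group. The VLAN ids, group addresses and interface ids are assumed values.

```cisco
! Added example (not from the guide). VLANs, group addresses and interface ids are assumed.
Switch# configure terminal
Switch(config)# mvr
Switch(config)# mvr vlan 100
! Ten contiguous channel groups starting at 239.1.1.1 (the switch allows up to 256).
Switch(config)# mvr group 239.1.1.1 10
! Dynamic mode forwards the subscribers' IGMP joins and leaves toward the
! multicast router on the source port; compatible mode keeps them local.
Switch(config)# mvr mode dynamic
! Query response time, in tenths of a second (5 = 0.5 s, the default).
Switch(config)# mvr querytime 5
!
! Source port: the uplink that carries multicast VLAN 100 from Switch B.
Switch(config)# interface gigabitethernet0/1
Switch(config-if)# mvr type source
Switch(config-if)# exit
!
! Receiver port: a subscriber in its own VLAN 10. Immediate Leave is safe
! here because a single set-top box is attached; a static group keeps one
! channel flowing without waiting for a join.
Switch(config)# interface fastethernet0/3
Switch(config-if)# switchport access vlan 10
Switch(config-if)# mvr type receiver
Switch(config-if)# mvr immediate
Switch(config-if)# mvr vlan 100 group 239.1.1.1
Switch(config-if)# end
!
! show mvr reports mode, multicast VLAN, query time and group counts;
! the other two list port roles and current members per group.
Switch# show mvr
Switch# show mvr interface
Switch# show mvr members
```

The receiver port stays in VLAN 10 for all of its unicast traffic; only the configured MVR groups cross from VLAN 100 to it, which is what keeps one subscriber from reaching another subscriber's VLAN through the multicast VLAN.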
Table 20-6 Commands for Displaying MVR Information (continued)
Command    Purpose
show mvr   Displays MVR status and values for the switch—whether MVR is enabled or disabled, the multicast VLAN, the maximum (256) and current (0 through 256) number of multicast groups, the query response time, and the MVR mode.

Configuring IGMP Filtering and Throttling

Default IGMP Filtering and Throttling Configuration

Table 20-7 shows the default IGMP filtering configuration.

Step 4  range ip multicast address
        Enter the IP multicast address or range of IP multicast addresses to which access is being controlled. If entering a range, enter the low IP multicast address, a space, and the high IP multicast address. You can use the range command multiple times to enter multiple addresses or ranges of addresses.
Step 5  end
        Return to privileged EXEC mode.

To remove a profile from an interface, use the no ip igmp filter profile number interface configuration command.

Follow these guidelines when configuring the IGMP throttling action:
• You can use this command on a logical EtherChannel interface but cannot use it on ports that belong to an EtherChannel port group.
• When the maximum group limitation is set to the default (no maximum), entering the ip igmp max-groups action {deny | replace} command has no effect.

To return to the default action of dropping the report, use the no ip igmp max-groups action interface configuration command.

Displaying IGMP Filtering and Throttling Configuration

You can display IGMP profile characteristics, and you can display the IGMP profile and maximum group configuration for all interfaces on the switch or for a specified interface.
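The following session, added here and not part of the Cisco guide, builds two IGMP profiles (a permit list and a deny list), applies one to a subscriber port together with a group limit and the replace action, and puts a limit on a port-channel interface as the guidelines above allow. The profile numbers, address ranges, limits and interface ids are assumed values.

```cisco
! Added example (not from the guide). Profile numbers, ranges, limits and
! interface ids are assumed values.
Switch# configure terminal
! Profile 1: subscribers may join only the channel range; all other groups
! are denied (a profile denies everything outside its ranges in permit mode).
Switch(config)# ip igmp profile 1
Switch(config-igmp-profile)# permit
Switch(config-igmp-profile)# range 239.1.1.1 239.1.1.10
Switch(config-igmp-profile)# exit
! Profile 2: the opposite shape, deny one range and allow everything else.
Switch(config)# ip igmp profile 2
Switch(config-igmp-profile)# deny
Switch(config-igmp-profile)# range 239.255.0.0 239.255.255.255
Switch(config-igmp-profile)# exit
!
Switch(config)# interface fastethernet0/3
Switch(config-if)# ip igmp filter 1
! At most 5 groups on this port. With the replace action a 6th join replaces
! an existing membership instead of being dropped (deny is the default, and
! the action has no effect while the limit is left at "no maximum").
Switch(config-if)# ip igmp max-groups 5
Switch(config-if)# ip igmp max-groups action replace
Switch(config-if)# exit
! A limit is allowed on the logical EtherChannel interface, not on its members.
Switch(config)# interface port-channel 1
Switch(config-if)# ip igmp max-groups 20
Switch(config-if)# end
!
! Profiles and the per-interface filter and limit settings.
Switch# show ip igmp profile
Switch# show running-config interface fastethernet0/3
Switch# show ip igmp snooping groups vlan 10
```

A profile and a group limit address different problems: the profile decides which groups a port may ever join (a policy on content), while the limit bounds how many forwarding entries one port can consume (a policy on resources), and a port usually needs both.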
Chapter 21 Configuring Port-Based Traffic Control

This chapter describes how to configure the port-based traffic control features on the Catalyst 2960 switch.

Note For complete syntax and usage information for the commands used in this chapter, see the command reference for this release.

Configuring Storm Control

Storm control uses one of these methods to measure traffic activity:
• Bandwidth as a percentage of the total available bandwidth of the port that can be used by the broadcast, multicast, or unicast traffic
• Traffic rate in packets per second at which broadcast, multicast, or unicast packets are received
• Traffic rate in bits per second at which broadcast, multicast, or unicast packets are received
With each method, the p

Default Storm Control Configuration

By default, unicast, broadcast, and multicast storm control are disabled on the switch interfaces; that is, the suppression level is 100 percent.

Configuring Storm Control and Threshold Levels

You configure storm control on a port and enter the threshold level that you want to be used for a particular type of traffic.

Step 3  storm-control {broadcast | multicast | unicast} level {level [level-low] | bps bps [bps-low] | pps pps [pps-low]}
        Configure broadcast, multicast, or unicast storm control. By default, storm control is disabled. The keywords have these meanings:
        • For level, specify the rising threshold level for broadcast, multicast, or unicast traffic as a percentage (up to two decimal places) of the bandwidth.

Step 6  show storm-control [interface-id] [broadcast | multicast | unicast]
        Verify the storm control suppression levels set on the interface for the specified traffic type. If you do not enter a traffic type, broadcast storm control settings are displayed.
Step 7  copy running-config startup-config
        (Optional) Save your entries in the configuration file.

Configuring Protected Ports

Protected Port Configuration Guidelines

You can configure protected ports on a physical interface (for example, Gigabit Ethernet port 1) or an EtherChannel group (for example, port-channel 5). When you enable protected ports for a port channel, it is enabled for all ports in the port-channel group.

Configuring Port Blocking

Blocking Flooded Traffic on an Interface

Note The interface can be a physical interface or an EtherChannel group. When you block multicast or unicast traffic for a port channel, it is blocked on all ports in the port-channel group.
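The following session, added here and not part of the Cisco guide, applies all three measurement methods of storm control, with rising and falling thresholds, to a range of host ports, and then adds protected-port isolation and unicast and multicast flood blocking on the same range. The thresholds and interface ids are assumed values.

```cisco
! Added example (not from the guide). Thresholds and interface ids are assumed.
Switch# configure terminal
Switch(config)# interface range fastethernet0/1 - 24
! Broadcast measured as a percentage of port bandwidth: suppress when the
! rate rises above 20.00%, resume when it falls back below 10.00%.
Switch(config-if-range)# storm-control broadcast level 20.00 10.00
! Multicast measured in packets per second, same rising/falling pattern.
Switch(config-if-range)# storm-control multicast level pps 1000 500
! Unicast measured in bits per second.
Switch(config-if-range)# storm-control unicast level bps 5000000 2500000
! When a storm is detected, send an SNMP trap and keep suppressing rather
! than err-disabling the port (the shutdown action is the other choice).
Switch(config-if-range)# storm-control action trap
!
! Protected ports never forward traffic to one another at Layer 2; hosts on
! these ports reach each other only through a Layer 3 device, if at all.
Switch(config-if-range)# switchport protected
! Do not flood unknown unicast or unknown multicast out of these ports.
Switch(config-if-range)# switchport block unicast
Switch(config-if-range)# switchport block multicast
Switch(config-if-range)# end
!
! Suppression levels and current rates per traffic type; the switchport
! output shows the protected and blocking settings.
Switch# show storm-control fastethernet0/1 broadcast
Switch# show storm-control fastethernet0/1 multicast
Switch# show storm-control fastethernet0/1 unicast
Switch# show interfaces fastethernet0/1 switchport
```

The falling threshold matters as much as the rising one: with a single value the port would flap between suppressed and unsuppressed at every sampling interval once traffic hovers around the limit, whereas the gap between 20% and 10% keeps the port suppressed until the storm has clearly subsided.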
Chapter 21 Configuring Port-Based Traffic Control Configuring Port Security • Enabling and Configuring Port Security, page 21-11 • Enabling and Configuring Port Security Aging, page 21-15 Understanding Port Security These sections contain this conceptual information: • Secure MAC Addresses, page 21-8 • Security Violations, page 21-9 Secure MAC Addresses You configure the maximum number of secure addresses allowed on a port by using the switchport port-security maximum value interface configuratio
Security Violations
It is a security violation when one of these situations occurs:
• The maximum number of secure MAC addresses have been added to the address table, and a station whose MAC address is not in the address table attempts to access the interface.
• An address learned or configured on one secure interface is seen on another secure interface in the same VLAN.
Default Port Security Configuration
Table 21-2 shows the default port security configuration for an interface.
Table 21-2 Default Port Security Configuration
Feature | Default Setting
Port security | Disabled on a port.
Sticky address learning | Disabled.
Maximum number of secure MAC addresses per port | 1.
Violation mode | Shutdown. The port shuts down when the maximum number of secure MAC addresses is exceeded.
Table 21-3 summarizes port security compatibility with other port-based features.
Table 21-3 Port Security Compatibility with Other Switch Features
Type of Port or Feature on Port | Compatible with Port Security
DTP port (1, 2) | No
Trunk port | Yes
Dynamic-access port (3) | No
SPAN source port | Yes
SPAN destination port | No
EtherChannel | No
Protected port | Yes
IEEE 802.1x port | Yes
Voice VLAN port (4) | Yes
Flex Links | Yes
1.
Step 6 switchport port-security [maximum value [vlan {vlan-list | {access | voice}}]]: (Optional) Set the maximum number of secure MAC addresses for the interface. The maximum number of secure MAC addresses that you can configure on a switch is set by the maximum number of available MAC addresses allowed in the system.
Step 8 switchport port-security [mac-address mac-address [vlan {vlan-id | {access | voice}}]]: (Optional) Enter a secure MAC address for the interface. You can use this command to enter the maximum number of secure MAC addresses. If you configure fewer secure MAC addresses than the maximum, the remaining MAC addresses are dynamically learned.
To return the interface to the default condition as not a secure port, use the no switchport port-security interface configuration command. If you enter this command when sticky learning is enabled, the sticky secure addresses remain part of the running configuration but are removed from the address table. All addresses are now dynamically learned.
Switch(config-if)# switchport port-security mac-address 0000.0000.0003
Switch(config-if)# switchport port-security mac-address sticky 0000.0000.0001 vlan voice
Switch(config-if)# switchport port-security mac-address 0000.0000.
Chapter 21 Configuring Port-Based Traffic Control Displaying Port-Based Traffic Control Settings
To disable port security aging for all secure addresses on a port, use the no switchport port-security aging time interface configuration command. To disable aging for only statically configured secure addresses, use the no switchport port-security aging static interface configuration command.
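As an added example that is not part of the guide, the following Python model of a switch's secure-address table implements the two violation conditions listed under Security Violations and the Table 21-2 defaults (maximum of 1 address, violation mode shutdown, sticky learning disabled), and shows which learned addresses persist into the running configuration. The port names and MAC addresses are constructed; the protect and restrict behaviours (drop silently, drop and record an event) are the platform's other two violation modes, modelled here in simplified form.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

VIOLATION_MODES = ("shutdown", "restrict", "protect")   # shutdown is the default (Table 21-2)


@dataclass
class SecurePort:
    name: str
    maximum: int = 1                 # default maximum secure addresses per port (Table 21-2)
    violation: str = "shutdown"      # default violation mode (Table 21-2)
    sticky: bool = False             # sticky learning is disabled by default (Table 21-2)
    secure: Dict[str, str] = field(default_factory=dict)   # mac -> "static" | "sticky" | "dynamic"
    err_disabled: bool = False
    violation_count: int = 0


class PortSecuritySwitch:
    """Constructed model of the secure-address table shared by the secure ports of one switch."""

    def __init__(self) -> None:
        self.ports: Dict[str, SecurePort] = {}
        self.owner: Dict[Tuple[int, str], str] = {}    # (vlan, mac) -> port that secured the address
        self.events: List[str] = []                    # violations that restrict mode reports

    def add_port(self, port: SecurePort) -> SecurePort:
        if port.violation not in VIOLATION_MODES:
            raise ValueError(port.violation)
        self.ports[port.name] = port
        return port

    def configure_static(self, port_name: str, mac: str, vlan: int) -> None:
        """'switchport port-security mac-address <mac>': a manually entered secure address."""
        port = self.ports[port_name]
        if mac not in port.secure and len(port.secure) >= port.maximum:
            raise ValueError("maximum number of secure addresses already configured")
        port.secure[mac] = "static"
        self.owner[(vlan, mac)] = port_name

    def _violation(self, port: SecurePort, mac: str, vlan: int) -> str:
        port.violation_count += 1
        if port.violation == "shutdown":
            port.err_disabled = True          # the port is error-disabled until an operator recovers it
            return "err-disabled"
        if port.violation == "restrict":
            self.events.append(f"{port.name}: violation by {mac} in VLAN {vlan}")
        return "dropped"                      # protect drops silently; restrict drops and reports

    def frame(self, port_name: str, mac: str, vlan: int) -> str:
        """Offer a frame's source MAC to a secure port; returns forward, dropped or err-disabled."""
        port = self.ports[port_name]
        if port.err_disabled:
            return "err-disabled"
        if mac in port.secure:
            return "forward"
        owner = self.owner.get((vlan, mac))
        if owner is not None and owner != port_name:
            # second condition: address secured on another secure interface in the same VLAN
            return self._violation(port, mac, vlan)
        if len(port.secure) >= port.maximum:
            # first condition: the table is full and an unknown station tries to use the port
            return self._violation(port, mac, vlan)
        port.secure[mac] = "sticky" if port.sticky else "dynamic"
        self.owner[(vlan, mac)] = port_name
        return "forward"

    def running_config(self, port_name: str) -> List[str]:
        """Lines that persist in the running configuration: static and sticky addresses only."""
        port = self.ports[port_name]
        lines = []
        for mac, kind in port.secure.items():
            if kind == "static":
                lines.append(f"switchport port-security mac-address {mac}")
            elif kind == "sticky":
                lines.append(f"switchport port-security mac-address sticky {mac}")
        return lines


if __name__ == "__main__":
    sw = PortSecuritySwitch()
    sw.add_port(SecurePort("Gi0/1"))                                   # all defaults
    sw.add_port(SecurePort("Gi0/2", maximum=2, violation="restrict", sticky=True))
    for port, mac in (("Gi0/1", "0000.0000.0001"), ("Gi0/1", "0000.0000.0002"),
                      ("Gi0/2", "0000.0000.0003"), ("Gi0/2", "0000.0000.0004"),
                      ("Gi0/2", "0000.0000.0005")):
        print(port, mac, sw.frame(port, mac, 10))
    print(sw.running_config("Gi0/2"), sw.events)
```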
Chapter 22 Configuring CDP
This chapter describes how to configure Cisco Discovery Protocol (CDP) on the Catalyst 2960 switch.
Note: For complete syntax and usage information for the commands used in this chapter, see the command reference for this release and the “System Management Commands” section in the Cisco IOS Configuration Fundamentals Command Reference, Release 12.2.
Chapter 22 Configuring CDP Configuring CDP
Configuring CDP
These sections contain this configuration information:
• Default CDP Configuration, page 22-2
• Configuring the CDP Characteristics, page 22-2
• Disabling and Enabling CDP, page 22-3
• Disabling and Enabling CDP on an Interface, page 22-4
Default CDP Configuration
Table 22-1 shows the default CDP configuration.
Step 6 show cdp: Verify your settings.
Step 7 copy running-config startup-config: (Optional) Save your entries in the configuration file.
Use the no form of the CDP commands to return to the default settings. This example shows how to configure CDP characteristics.
Disabling and Enabling CDP on an Interface
CDP is enabled by default on all supported interfaces to send and to receive CDP information. Beginning in privileged EXEC mode, follow these steps to disable CDP on a port:
Step 1 configure terminal: Enter global configuration mode.
Step 2 interface interface-id: Specify the interface on which you are disabling CDP, and enter interface configuration mode.
Chapter 22 Configuring CDP Monitoring and Maintaining CDP
Monitoring and Maintaining CDP
To monitor and maintain CDP on your device, perform one or more of these tasks, beginning in privileged EXEC mode.
Command | Description
clear cdp counters | Reset the traffic counters to zero.
clear cdp table | Delete the CDP table of information about neighbors.
show cdp | Display global information, such as frequency of transmissions and the holdtime for packets being sent.
Chapter 23 Configuring SPAN and RSPAN
This chapter describes how to configure Switched Port Analyzer (SPAN) and Remote SPAN (RSPAN) on the Catalyst 2960 switch.
Note: For complete syntax and usage information for the commands used in this chapter, see the command reference for this release.
Chapter 23 Configuring SPAN and RSPAN Understanding SPAN and RSPAN
These sections contain this conceptual information:
• Local SPAN, page 23-2
• Remote SPAN, page 23-2
• SPAN and RSPAN Concepts and Terminology, page 23-3
• SPAN and RSPAN Interaction with Other Features, page 23-8
Local SPAN
Local SPAN supports a SPAN session entirely within one switch; all source ports or source VLANs and destination ports are in the same switch.
Figure 23-2 Example of RSPAN Configuration (figure: Switch A and Switch B each run an RSPAN source session, A and B, on their RSPAN source ports; the mirrored traffic crosses the RSPAN VLAN through intermediate switches, which must support RSPAN, to Switch C, which runs the RSPAN destination session on its RSPAN destination ports)
SPAN and RSPAN Concepts and Terminology
This section describes concepts and terminology associated with SPAN and RSPAN configuration.
An RSPAN source session is very similar to a local SPAN session, except for where the packet stream is directed. In an RSPAN source session, SPAN packets are relabeled with the RSPAN VLAN ID and directed over normal trunk ports to the destination switch. An RSPAN destination session takes all packets received on the RSPAN VLAN, strips off the VLAN tagging, and presents them on the destination port.
• Transmit (Tx) SPAN—The goal of transmit (or egress) SPAN is to monitor as much as possible all the packets sent by the source interface after all modification and processing is performed by the switch. A copy of each packet sent by the source is sent to the destination port for that SPAN session. The copy is provided after the packet is modified.
• It can be an access port, trunk port, or voice VLAN port.
• It cannot be a destination port.
• Source ports can be in the same or different VLANs.
• You can monitor multiple source ports in a single session.
Source VLANs
VLAN-based SPAN (VSPAN) is the monitoring of the network traffic in one or more VLANs. The SPAN or RSPAN source interface in VSPAN is a VLAN ID, and traffic is monitored on all the ports for that VLAN.
A destination port has these characteristics:
• For a local SPAN session, the destination port must reside on the same switch as the source port. For an RSPAN session, it is located on the switch containing the RSPAN destination session. There is no destination port on a switch running only an RSPAN source session.
• When a port is configured as a SPAN destination port, the configuration overwrites the original port configuration.
RSPAN VLAN
The RSPAN VLAN carries SPAN traffic between RSPAN source and destination sessions. It has these special characteristics:
• All traffic in the RSPAN VLAN is always flooded.
• No MAC address learning occurs on the RSPAN VLAN.
• RSPAN VLAN traffic only flows on trunk ports.
• RSPAN VLANs must be configured in VLAN configuration mode by using the remote-span VLAN configuration mode command.
Chapter 23 Configuring SPAN and RSPAN Configuring SPAN and RSPAN
If a physical port that belongs to an EtherChannel group is a destination port and the EtherChannel group is a source, the port is removed from the EtherChannel group and from the list of monitored ports.
• Multicast traffic can be monitored. For egress and ingress port monitoring, only a single unedited packet is sent to the SPAN destination port. It does not reflect the number of times the multicast packet is sent.
Configuring Local SPAN
These sections contain this configuration information:
• SPAN Configuration Guidelines, page 23-10
• Creating a Local SPAN Session, page 23-10
• Creating a Local SPAN Session and Configuring Incoming Traffic, page 23-13
• Specifying VLANs to Filter, page 23-15
SPAN Configuration Guidelines
Follow these guidelines when configuring SPAN:
• For SPAN sources, you can monitor traffic for a single port or VLAN or a
Step 3 monitor session session_number source {interface interface-id | vlan vlan-id} [, | -] [both | rx | tx]: Specify the SPAN session and the source port (monitored port). For session_number, the range is 1 to 66. For interface-id, specify the source port or source VLAN to monitor.
• For source interface-id, specify the source port to monitor.
Step 4 monitor session session_number destination {interface interface-id [, | -] [encapsulation {dot1q | replicate}]}: Specify the SPAN session and the destination port (monitoring port). For session_number, specify the session number entered in Step 3.
Note: For local SPAN, you must use the same session number for the source and destination interfaces. For interface-id, specify the destination port.
This example shows how to disable received traffic monitoring on port 1, which was configured for bidirectional monitoring:
Switch(config)# no monitor session 1 source interface gigabitethernet0/1 rx
The monitoring of traffic received on port 1 is disabled, but traffic sent from this port continues to be monitored.
Step 4 monitor session session_number destination {interface interface-id [, | -] [encapsulation {dot1q | replicate}] [ingress {dot1q vlan vlan-id | untagged vlan vlan-id | vlan vlan-id}]}: Specify the SPAN session, the destination port, the packet encapsulation, and the ingress VLAN and encapsulation. For session_number, specify the session number entered in Step 3. For interface-id, specify the destination port.
This example shows how to remove any existing configuration on SPAN session 2, configure SPAN session 2 to monitor received traffic on Gigabit Ethernet source port 1, and send it to destination Gigabit Ethernet port 2 with the same egress encapsulation type as the source port, and to enable ingress forwarding with IEEE 802.1Q encapsulation and VLAN 6 as the default ingress VLAN.
Step 7 show monitor [session session_number] or show running-config: Verify the configuration.
Step 8 copy running-config startup-config: (Optional) Save the configuration in the configuration file.
To monitor all VLANs on the trunk port, use the no monitor session session_number filter global configuration command.
• RSPAN VLANs are included as sources for port-based RSPAN sessions when source trunk ports have active RSPAN VLANs. RSPAN VLANs can also be sources in SPAN sessions. However, since the switch does not monitor spanned traffic, it does not support egress spanning of packets on any RSPAN VLAN identified as the destination of an RSPAN source session on the switch.
Creating an RSPAN Source Session
Beginning in privileged EXEC mode, follow these steps to start an RSPAN source session and to specify the monitored source and the destination RSPAN VLAN:
Step 1 configure terminal: Enter global configuration mode.
Step 2 no monitor session {session_number | all | local | remote}: Remove any existing RSPAN configuration for the session. For session_number, the range is 1 to 66.
To remove a source port or VLAN from the SPAN session, use the no monitor session session_number source {interface interface-id | vlan vlan-id} global configuration command. To remove the RSPAN VLAN from the session, use the no monitor session session_number destination remote vlan vlan-id.
Step 8 end: Return to privileged EXEC mode.
Step 9 show monitor [session session_number] or show running-config: Verify the configuration.
Step 10 copy running-config startup-config: (Optional) Save the configuration in the configuration file.
To delete a SPAN session, use the no monitor session session_number global configuration command.
Step 4 monitor session session_number destination {interface interface-id [, | -] [ingress {dot1q vlan vlan-id | untagged vlan
Purpose: Specify the SPAN session, the destination port, the packet encapsulation, and the incoming VLAN and encapsulation. For session_number, enter the number defined in Step 4.
Specifying VLANs to Filter
Beginning in privileged EXEC mode, follow these steps to configure the RSPAN source session to limit RSPAN source traffic to specific VLANs:
Step 1 configure terminal: Enter global configuration mode.
Step 2 no monitor session {session_number | all | local | remote}: Remove any existing SPAN configuration for the session. For session_number, the range is 1 to 66.
Chapter 23 Configuring SPAN and RSPAN Displaying SPAN and RSPAN Status
Displaying SPAN and RSPAN Status
To display the current SPAN or RSPAN configuration, use the show monitor user EXEC command. You can also use the show running-config privileged EXEC command to display configured SPAN or RSPAN sessions.
Chapter 24 Configuring UDLD
This chapter describes how to configure the UniDirectional Link Detection (UDLD) protocol on the Catalyst 2960 switch.
Note: For complete syntax and usage information for the commands used in this chapter, see the command reference for this release.
Chapter 24 Configuring UDLD Understanding UDLD
In normal mode, UDLD detects a unidirectional link when fiber strands in a fiber-optic port are misconnected and the Layer 1 mechanisms do not detect this misconnection. If the ports are connected correctly but the traffic is one way, UDLD does not detect the unidirectional link because the Layer 1 mechanism, which is supposed to detect this condition, does not do so.
• Event-driven detection and echoing: UDLD relies on echoing as its detection mechanism. Whenever a UDLD device learns about a new neighbor or receives a resynchronization request from an out-of-sync neighbor, it restarts the detection window on its side of the connection and sends echo messages in reply. Because this behavior is the same on all UDLD neighbors, the sender of the echoes expects to receive an echo in reply.
Chapter 24 Configuring UDLD Configuring UDLD
Configuring UDLD
These sections contain this configuration information:
• Default UDLD Configuration, page 24-4
• Configuration Guidelines, page 24-4
• Enabling UDLD Globally, page 24-5
• Enabling UDLD on an Interface, page 24-5
• Resetting an Interface Disabled by UDLD, page 24-6
Default UDLD Configuration
Table 24-1 shows the default UDLD configuration.
Enabling UDLD Globally
Beginning in privileged EXEC mode, follow these steps to enable UDLD in the aggressive or normal mode and to set the configurable message timer on all fiber-optic ports on the switch:
Step 1 configure terminal: Enter global configuration mode.
Chapter 24 Configuring UDLD Displaying UDLD Status
Step 3 udld port [aggressive]: UDLD is disabled by default.
• udld port—Enables UDLD in normal mode on the specified port.
• udld port aggressive—Enables UDLD in aggressive mode on the specified port.
Note: Use the no udld port interface configuration command to disable UDLD on a specified fiber-optic port. For more information about aggressive and normal modes, see the “Modes of Operation” section on page 24-1.
Chapter 25 Configuring RMON
This chapter describes how to configure Remote Network Monitoring (RMON) on the Catalyst 2960 switch. RMON is a standard monitoring specification that defines a set of statistics and functions that can be exchanged between RMON-compliant console systems and network probes. RMON provides you with comprehensive network-fault diagnosis, planning, and performance-tuning information.
Chapter 25 Configuring RMON Configuring RMON
Figure 25-1 Remote Monitoring Example (figure: a network management station running a generic RMON console application, with RMON alarms and events configured and SNMP configured, monitors a switch on which RMON history and statistic collection is enabled; workstations are attached to the switch)
Default RMON Configuration
RMON is disabled by default; no alarms or events are configured. Only RMON 1 is supported on the switch.
Configuring RMON Alarms and Events
You can configure your switch for RMON by using the command-line interface (CLI) or an SNMP-compatible network management station. We recommend that you use a generic RMON console application on the network management station (NMS) to take advantage of the RMON network management capabilities.
Step 3 rmon event number [description string] [log] [owner string] [trap community]: Add an event in the RMON event table that is associated with an RMON event number.
• For number, assign an event number. The range is 1 to 65535.
• (Optional) For description string, specify a description of the event.
• (Optional) Use the log keyword to generate an RMON log entry when the event is triggered.
Collecting Group History Statistics on an Interface
You must first configure RMON alarms and events to display collection information. Beginning in privileged EXEC mode, follow these steps to collect group history statistics on an interface. This procedure is optional.
Step 1 configure terminal: Enter global configuration mode.
Chapter 25 Configuring RMON Displaying RMON Status
Collecting Group Ethernet Statistics on an Interface
Beginning in privileged EXEC mode, follow these steps to collect group Ethernet statistics on an interface. This procedure is optional.
Step 1 configure terminal: Enter global configuration mode.
Step 2 interface interface-id: Specify the interface on which to collect statistics, and enter interface configuration mode.
Chapter 26 Configuring System Message Logging
This chapter describes how to configure system message logging on the Catalyst 2960 switch.
Note: For complete syntax and usage information for the commands used in this chapter, see the Cisco IOS Configuration Fundamentals Command Reference, Release 12.2.
Chapter 26 Configuring System Message Logging Configuring System Message Logging
Configuring System Message Logging
These sections contain this configuration information:
• System Log Message Format, page 26-2
• Default System Message Logging Configuration, page 26-3
• Disabling Message Logging, page 26-3 (optional)
• Setting the Message Display Destination Device, page 26-4 (optional)
• Synchronizing Log Messages, page 26-5 (optional)
• Enabling and Disabling Time Stamps on Log Messages, page
Table 26-1 System Log Message Elements (continued)
Element | Description
MNEMONIC | Text string that uniquely describes the message.
description | Text string containing detailed information about the event being reported.
Beginning in privileged EXEC mode, follow these steps to disable message logging. This procedure is optional.
Step 1 configure terminal: Enter global configuration mode.
Step 2 no logging console: Disable message logging.
Step 3 end: Return to privileged EXEC mode.
Step 4 show running-config: Verify your entries.
Step 3 logging host: Log messages to a UNIX syslog server host. For host, specify the name or IP address of the host to be used as the syslog server. To build a list of syslog servers that receive logging messages, enter this command more than once. For complete syslog server configuration steps, see the “Configuring UNIX Syslog Servers” section on page 26-10.
is returned. Therefore, unsolicited messages and debug command output are not interspersed with solicited device output and prompts. After the unsolicited messages appear, the console again displays the user prompt.
Beginning in privileged EXEC mode, follow these steps to configure synchronous logging. This procedure is optional.
Step 1 configure terminal: Enter global configuration mode.
Enabling and Disabling Time Stamps on Log Messages
By default, log messages are not time-stamped. Beginning in privileged EXEC mode, follow these steps to enable time-stamping of log messages. This procedure is optional.
Step 1 configure terminal: Enter global configuration mode.
Step 2 service timestamps log uptime: Enable log time stamps.
To disable sequence numbers, use the no service sequence-numbers global configuration command. This example shows part of a logging display with sequence numbers enabled:
000019: %SYS-5-CONFIG_I: Configured from console by vty2 (10.34.195.36)
Defining the Message Severity Level
You can limit messages displayed to the selected device by specifying the severity level of the message; the levels are described in Table 26-3.
Table 26-3 describes the level keywords. It also lists the corresponding UNIX syslog definitions from the most severe level to the least severe level.
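As an added example that is not from the guide, the following Python parses messages in the layout Table 26-1 describes (optional sequence number, optional timestamp, then %FACILITY-SEVERITY-MNEMONIC: description), maps the severity digit to its Table 26-3 keyword, and reports gaps in the sequence numbers, which is how a collector can notice that messages were lost between the switch and the syslog server. Apart from the CONFIG_I line shown above, the sample lines and their mnemonics are constructed for illustration.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Severity keywords from Table 26-3, indexed by the digit that appears in the message.
SEVERITY = {
    0: "emergencies", 1: "alerts", 2: "critical", 3: "errors",
    4: "warnings", 5: "notifications", 6: "informational", 7: "debugging",
}

# "%FACILITY-SEVERITY-MNEMONIC: description" (Table 26-1). Whatever precedes it is the
# optional sequence number ("seq no:") followed by the optional timestamp.
_BODY = re.compile(r"%(?P<facility>[A-Z0-9_]+)-(?P<severity>[0-7])-(?P<mnemonic>[A-Z0-9_]+):\s*(?P<desc>.*)$")
_SEQ = re.compile(r"^(?P<seq>\d+):\s*")


@dataclass
class IOSLogMessage:
    seq: Optional[int]
    timestamp: Optional[str]
    facility: str
    severity: int
    mnemonic: str
    description: str

    @property
    def severity_keyword(self) -> str:
        return SEVERITY[self.severity]


def parse_line(line: str) -> Optional[IOSLogMessage]:
    """Parse one system message; returns None for lines that are not in the IOS format."""
    m = _BODY.search(line)
    if m is None:
        return None
    prefix = line[: m.start()]
    seq = None
    s = _SEQ.match(prefix)
    if s:
        seq = int(s.group("seq"))
        prefix = prefix[s.end():]
    timestamp = prefix.strip().rstrip(":").strip() or None
    return IOSLogMessage(seq, timestamp, m.group("facility"), int(m.group("severity")),
                         m.group("mnemonic"), m.group("desc"))


def sequence_gaps(messages: List[IOSLogMessage]) -> List[Tuple[int, int]]:
    """(first missing, next seen) for every jump in the sequence numbers: messages were lost."""
    gaps, prev = [], None
    for msg in messages:
        if msg.seq is None:
            continue
        if prev is not None and msg.seq != prev + 1:
            gaps.append((prev + 1, msg.seq))
        prev = msg.seq
    return gaps


def at_or_above(messages: List[IOSLogMessage], level: int) -> List[IOSLogMessage]:
    """Messages at the given severity or more severe (a lower digit), as a 'logging trap' level selects."""
    return [m for m in messages if m.severity <= level]


# Constructed sample: the first line is the one the guide shows; the rest are made up for this example.
SAMPLE_LINES = [
    "000019: %SYS-5-CONFIG_I: Configured from console by vty2 (10.34.195.36)",
    "000020: *Mar  1 00:02:11.512: %LINK-3-UPDOWN: Interface GigabitEthernet0/1, changed state to down",
    "000021: *Mar  1 00:02:13.004: %PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, "
    "caused by MAC address 0000.0000.0009 on port GigabitEthernet0/2.",
    "000024: *Mar  1 00:05:40.117: %SYS-5-CONFIG_I: Configured from console by vty1 (10.34.195.40)",
    "%SYS-6-LOGGINGHOST_STARTSTOP: Logging to host 192.0.2.10 started - CLI initiated",
]


def parse_sample() -> List[IOSLogMessage]:
    return [m for m in (parse_line(line) for line in SAMPLE_LINES) if m is not None]


if __name__ == "__main__":
    msgs = parse_sample()
    for m in msgs:
        print(f"{m.seq} {m.facility}-{m.severity_keyword}-{m.mnemonic}: {m.description}")
    print("sequence gaps:", sequence_gaps(msgs))
    print("errors or worse:", [m.mnemonic for m in at_or_above(msgs, 3)])
```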
Beginning in privileged EXEC mode, follow these steps to change the level and history table size defaults. This procedure is optional.
Step 1 configure terminal: Enter global configuration mode.
Step 2 logging history level (1): Change the default level of syslog messages stored in the history file and sent to the SNMP server. See Table 26-3 on page 26-9 for a list of level keywords.
Logging Messages to a UNIX Syslog Daemon
Before you can send system log messages to a UNIX syslog server, you must configure the syslog daemon on a UNIX server. This procedure is optional. Log in as root, and perform these steps:
Note: Some recent versions of UNIX syslog daemons no longer accept syslog packets from the network by default.
Step 1
Chapter 26 Configuring System Message Logging Displaying the Logging Configuration
Step 4 logging facility facility-type: Configure the syslog facility. See Table 26-4 on page 26-12 for facility-type keywords. The default is local7.
Step 5 end: Return to privileged EXEC mode.
Step 6 show running-config: Verify your entries.
Step 7 copy running-config startup-config: (Optional) Save your entries in the configuration file.
Chapter 27 Configuring SNMP
This chapter describes how to configure the Simple Network Management Protocol (SNMP) on the Catalyst 2960 switch.
Note: For complete syntax and usage information for the commands used in this chapter, see the command reference for this release and the Cisco IOS Configuration Fundamentals Command Reference, Release 12.2.
Chapter 27 Configuring SNMP Understanding SNMP
• Using SNMP to Access MIB Variables, page 27-4
• SNMP Notifications, page 27-5
• SNMP ifIndex MIB Object Values, page 27-5
SNMP Versions
This software release supports these SNMP versions:
• SNMPv1—The Simple Network Management Protocol, a Full Internet Standard, defined in RFC 1157.
Table 27-1 identifies the characteristics of the different combinations of security models and levels.
Table 27-1 SNMP Security Models and Levels
Model | Level | Authentication | Encryption | Result
SNMPv1 | noAuthNoPriv | Community string | No | Uses a community string match for authentication.
SNMPv2C | noAuthNoPriv | Community string | No | Uses a community string match for authentication.
SNMP Agent Functions
The SNMP agent responds to SNMP manager requests as follows:
• Get a MIB variable—The SNMP agent begins this function in response to a request from the NMS. The agent retrieves the value of the requested MIB variable and responds to the NMS with that value.
• Set a MIB variable—The SNMP agent begins this function in response to a message from the NMS.
Figure 27-1 SNMP Network (figure: the SNMP manager on the NMS sends Get-request, Get-next-request, Get-bulk, and Set-request messages across the network to the SNMP agent on the network device; the agent, which reads the MIB, answers with Get-response messages and traps)
For information on supported MIBs and how to access them, see Appendix A, “Supported MIBs.”
SNMP Notifications
SNMP allows the switch to send notifications to SNMP managers when particular events occur. SNMP notifications can be sent as traps or inform requests.
Chapter 27 Configuring SNMP Configuring SNMP
The switch uses one of the values in Table 27-3 to assign an ifIndex value to an interface:
Table 27-3 ifIndex Values
Interface Type | ifIndex Range
SVI (1) | 1–4999
EtherChannel | 5000–5012
Loopback | 5013–5077
Tunnel | 5078–5142
Physical (such as Gigabit Ethernet or SFP (2) -module interfaces) | 10000–14500
Null | 14501
1. SVI = switch virtual interface
2. SFP = small form-factor pluggable
Note: The switch might not use sequential values within a range.
Table 27-4 Default SNMP Configuration (continued)
Feature | Default Setting
SNMPv3 authentication | If no keyword is entered, the default is the noauth (noAuthNoPriv) security level.
SNMP notification type | If no type is specified, all notifications are sent.
1. This is the default when the switch starts and the startup configuration does not have any snmp-server global configuration commands.
Disabling the SNMP Agent
Beginning in privileged EXEC mode, follow these steps to disable the SNMP agent:
Step 1 configure terminal: Enter global configuration mode.
Step 2 no snmp-server: Disable the SNMP agent operation.
Step 3 end: Return to privileged EXEC mode.
Step 4 show running-config: Verify your entries.
Step 5 copy running-config startup-config: (Optional) Save your entries in the configuration file.
Step 3 access-list access-list-number {deny | permit} source [source-wildcard]: (Optional) If you specified an IP standard access list number in Step 2, then create the list, repeating the command as many times as necessary.
• For access-list-number, enter the access list number specified in Step 2.
• The deny keyword denies access if the conditions are matched. The permit keyword permits access if the conditions are matched.
Beginning in privileged EXEC mode, follow these steps to configure SNMP on the switch:
Step 1 configure terminal: Enter global configuration mode.
Step 2 snmp-server engineID {local engineid-string | remote ip-address [udp-port port-number] engineid-string}: Configure a name for either the local or remote copy of SNMP.
• The engineid-string is a 24-character ID string with the name of the copy of SNMP.
Step 4 snmp-server user username groupname {remote host [udp-port port]} {v1 [access access-list] | v2c [access access-list] | v3 [encrypted] [access access-list] [auth {md5 | sha} auth-password]}: Add a new user for an SNMP group.
• The username is the name of the user on the host that connects to the agent.
• The groupname is the name of the group to which the user is associated.
Table 27-5 Switch Notification Types (continued)
Notification Type Keyword | Description
config-copy | Generates a trap for SNMP copy configuration changes.
entity | Generates a trap for SNMP entity changes.
envmon | Generates environmental monitor traps. You can enable any or all of these environmental traps: fan, shutdown, status, supply, temperature.
flash | Generates SNMP FLASH notifications.
Beginning in privileged EXEC mode, follow these steps to configure the switch to send traps or informs to a host:
Step 1 configure terminal: Enter global configuration mode.
Step 2 snmp-server engineID remote ip-address engineid-string: Specify the engine ID for the remote host.
Step 9 snmp-server trap-timeout seconds: (Optional) Define how often to resend trap messages. The range is 1 to 1000; the default is 30 seconds.
Step 10 end: Return to privileged EXEC mode.
Step 11 show running-config: Verify your entries.
Step 12 copy running-config startup-config: (Optional) Save your entries in the configuration file.
The snmp-server host command specifies which hosts receive the notifications.
Limiting TFTP Servers Used Through SNMP
Beginning in privileged EXEC mode, follow these steps to limit the TFTP servers used for saving and loading configuration files through SNMP to the servers specified in an access list:
Step 1 configure terminal: Enter global configuration mode.
Step 2 snmp-server tftp-server-list access-list-number: Limit TFTP servers used for configuration file copies through SNMP to the servers in the access list.
Chapter 27 Configuring SNMP Displaying SNMP Status This example shows how to allow read-only access for all objects to members of access list 4 that use the comaccess community string. No other SNMP managers have access to any objects. SNMP Authentication Failure traps are sent by SNMPv2C to the host cisco.com using the community string public. Switch(config)# snmp-server community comaccess ro 4 Switch(config)# snmp-server enable traps snmp authentication Switch(config)# snmp-server host cisco.
Chapter 28 Configuring Network Security with ACLs

This chapter describes how to configure network security on the Catalyst 2960 switch by using access control lists (ACLs), which in commands and tables are also referred to as access lists.
Note: Information in this chapter about IP ACLs is specific to IP Version 4 (IPv4).

Understanding ACLs

You configure access lists on a switch to provide basic security for your network. If you do not configure ACLs, all packets passing through the switch could be allowed onto all parts of the network. You can use ACLs to control which hosts can access different parts of a network or to decide which types of traffic are forwarded or blocked. For example, you can allow e-mail traffic to be forwarded but not Telnet traffic.

Figure 28-1 Using ACLs to Control Traffic to a Network (figure: Host A and Host B, a Human Resources network and a Research & Development network; an ACL denying traffic from Host B and permitting traffic from Host A)
When you apply a port ACL to a trunk port, the ACL filters traffic on all VLANs present on the trunk port. When you apply a port ACL to a port with voice VLAN, the ACL filters traffic on both data and voice VLANs.
Configuring IPv4 ACLs

Consider access list 102, configured with these commands, applied to three fragmented packets:
Switch(config)# access-list 102 permit tcp any host 10.1.1.1 eq smtp
Switch(config)# access-list 102 deny tcp any host 10.1.1.2 eq telnet
Switch(config)# access-list 102 permit tcp any host 10.1.1.

The switch does not support these Cisco IOS router ACL-related features:
• Non-IP protocol ACLs (see Table 28-1 on page 28-6) or bridge-group ACLs
• IP accounting
• Inbound and outbound rate limiting (except with QoS ACLs)
• Reflexive ACLs or dynamic ACLs (except for some specialized dynamic ACLs used by the switch clustering feature)
• ACL logging
These are the steps to use IP ACLs on the switch:
Step 1 Create an ACL by sp

Access List Numbers

The number you use to denote your ACL shows the type of access list that you are creating. Table 28-1 lists the access-list number and corresponding access list type and shows whether or not they are supported in the switch. The switch supports IPv4 standard and extended access lists, numbers 1 to 199 and 1300 to 2699.

Creating a Numbered Standard ACL

Beginning in privileged EXEC mode, follow these steps to create a numbered standard ACL:
Step 1 configure terminal
   Purpose: Enter global configuration mode.
Step 2 access-list access-list-number {deny | permit} source [source-wildcard]
   Purpose: Define a standard IPv4 access list by using a source address and source wildcard. The access-list-number is a decimal number from 1 to 99 or 1300 to 1999.

The switch always rewrites the order of standard access lists so that entries with host matches and entries with matches having a don’t care mask of 0.0.0.0 are moved to the top of the list, above any entries with non-zero don’t care masks. Therefore, in show command output and in the configuration file, the ACEs do not necessarily appear in the order in which they were entered.

Beginning in privileged EXEC mode, follow these steps to create an extended ACL:
Step 1 configure terminal
   Purpose: Enter global configuration mode.
Step 2a access-list access-list-number {deny | permit} protocol source source-wildcard destination destination-wildcard [precedence precedence] [tos tos] [fragments] [time-range time-range-name] [dscp dscp]
   Purpose: Define an extended IPv4 access list and the access conditions.
or
Step 2b access-list access-list-number {deny | permit} protocol host source host destination [precedence precedence] [tos tos] [fragments] [time-range time-range-name] [dscp dscp]
   Purpose: Define an extended IP access list by using an abbreviation for a source and a source wildcard of source 0.0.0.0 and an abbreviation for a destination and destination wildcard of destination 0.0.0.0.
Step 2d access-list access-list-number {deny | permit} icmp source source-wildcard destination destination-wildcard [icmp-type | [icmp-type icmp-code] | icmp-message] [precedence precedence] [tos tos] [fragments] [time-range time-range-name] [dscp dscp]
   Purpose: (Optional) Define an extended ICMP access list and the access conditions. Enter icmp for Internet Control Message Protocol.

After creating a numbered extended ACL, you can apply it to terminal lines (see the “Applying an IPv4 ACL to a Terminal Line” section on page 28-16) or to interfaces (see the “Applying an IPv4 ACL to an Interface” section on page 28-17).

Resequencing ACEs in an ACL

Sequence numbers for the entries in an access list are automatically generated when you create a new ACL.

Step 4 end
   Purpose: Return to privileged EXEC mode.
Step 5 show access-lists [number | name]
   Purpose: Show the access list configuration.
Step 6 copy running-config startup-config
   Purpose: (Optional) Save your entries in the configuration file.
To remove a named standard ACL, use the no ip access-list standard name global configuration command.

After you create an ACL, any additions are placed at the end of the list. You cannot selectively add ACL entries to a specific ACL. However, you can use no permit and no deny access-list configuration mode commands to remove entries from a named ACL.

Step 5 show time-range
   Purpose: Verify the time-range configuration.
Step 6 copy running-config startup-config
   Purpose: (Optional) Save your entries in the configuration file.
Repeat the steps if you have multiple items that you want in effect at different times. To remove a configured time-range limitation, use the no time-range time-range-name global configuration command.

The remark can go before or after a permit or deny statement. You should be consistent about where you put the remark so that it is clear which remark describes which permit or deny statement. For example, it would be confusing to have some remarks before the associated permit or deny statements and some remarks after the associated statements.

To remove an ACL from a terminal line, use the no access-class access-list-number {in | out} line configuration command.

Applying an IPv4 ACL to an Interface

This section describes how to apply IPv4 ACLs to network interfaces. Note these guidelines:
• Apply an ACL only to inbound Layer 2 interfaces.
• When controlling access to an interface, you can use a named or numbered ACL.

IPv4 ACL Configuration Examples

This section provides examples of configuring and applying IPv4 ACLs. For detailed information about compiling ACLs, see the Cisco IOS Security Configuration Guide, Release 12.2, and the “Configuring IP Services” section in the “IP Addressing and Services” chapter of the Cisco IOS IP Configuration Guide, Release 12.2.

Named ACLs

This example creates an extended ACL named marketing_group. The marketing_group ACL allows any TCP Telnet traffic to the destination address and wildcard 171.69.0.0 0.0.255.255 and denies any other TCP traffic. It permits any other IP traffic.
Switch(config)# ip access-list extended marketing_group
Switch(config-ext-nacl)# permit tcp any 171.69.0.0 0.0.255.
In this example of a named ACL, the Jones subnet is not allowed to use outbound Telnet:
Switch(config)# ip access-list extended telnetting
Switch(config-ext-nacl)# remark Do not allow Jones subnet to telnet out
Switch(config-ext-nacl)# deny tcp 171.69.0.0 0.0.255.

Creating Named MAC Extended ACLs

Use the no mac access-list extended name global configuration command to delete the entire ACL. You can also delete individual ACEs from named MAC extended ACLs. This example shows how to create and display an access list named mac1, denying only EtherType DECnet Phase IV traffic, but permitting all other types of traffic.

After receiving a packet, the switch checks it against the inbound ACL. If the ACL permits it, the switch continues to process the packet. If the ACL rejects the packet, the switch discards it. When you apply an undefined ACL to an interface, the switch acts as if the ACL has not been applied and permits all packets. Remember this behavior if you use undefined ACLs for network security.
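The following is an added example, not Cisco code and not part of this guide: a small Python model of how the switch evaluates an inbound IPv4 ACL. It implements wildcard-mask matching, the first-match rule, the implicit deny at the end of every ACL, the permit-all behaviour of an ACL that is applied but never defined (the caveat just above), and the display reordering of standard ACLs that moves host entries with a 0.0.0.0 wildcard to the top. The sample ACL is the marketing_group list from this chapter; the class and function names and the test packets are this example's own.

```python
# Added example (not Cisco code): a model of inbound IPv4 ACL evaluation.
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

TELNET, SMTP, HTTP = 23, 25, 80


@dataclass(frozen=True)
class ACE:
    """One access control entry: the fields an extended ACE matches on."""
    action: str                      # "permit" or "deny"
    protocol: str                    # "ip" matches any IP protocol
    src: str
    src_wildcard: str                # wildcard bit 0 = must match, 1 = don't care
    dst: str = "0.0.0.0"
    dst_wildcard: str = "255.255.255.255"
    dst_port: Optional[int] = None   # None = any port


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    protocol: str                    # "tcp", "udp", "icmp", ...
    dst_port: Optional[int] = None


def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """Compare only the bits whose wildcard bit is 0 (Cisco wildcard semantics)."""
    a = int(ipaddress.IPv4Address(addr))
    b = int(ipaddress.IPv4Address(base))
    care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    return (a & care) == (b & care)


def ace_matches(ace: ACE, pkt: Packet) -> bool:
    if ace.protocol != "ip" and ace.protocol != pkt.protocol:
        return False
    if not wildcard_match(pkt.src, ace.src, ace.src_wildcard):
        return False
    if not wildcard_match(pkt.dst, ace.dst, ace.dst_wildcard):
        return False
    return ace.dst_port is None or ace.dst_port == pkt.dst_port


def evaluate(acl: Optional[List[ACE]], pkt: Packet) -> str:
    """Return "permit" or "deny" for an inbound packet.

    acl=None models an ACL name that is applied to an interface but never
    defined: the switch behaves as if no ACL were applied and permits all.
    """
    if acl is None:
        return "permit"
    for ace in acl:                  # the first matching entry decides
        if ace_matches(ace, pkt):
            return ace.action
    return "deny"                    # implicit deny at the end of every ACL


def standard_acl_display_order(acl: List[ACE]) -> List[ACE]:
    """Order in which the switch shows a standard ACL: host entries first."""
    hosts = [a for a in acl if a.src_wildcard == "0.0.0.0"]
    others = [a for a in acl if a.src_wildcard != "0.0.0.0"]
    return hosts + others


# The marketing_group ACL from this chapter: permit Telnet to 171.69.0.0
# 0.0.255.255, deny any other TCP, permit any other IP traffic.
MARKETING_GROUP = [
    ACE("permit", "tcp", "0.0.0.0", "255.255.255.255",
        "171.69.0.0", "0.0.255.255", TELNET),
    ACE("deny", "tcp", "0.0.0.0", "255.255.255.255"),
    ACE("permit", "ip", "0.0.0.0", "255.255.255.255"),
]

if __name__ == "__main__":
    # Constructed test packets.
    for pkt in (Packet("10.1.1.5", "171.69.3.9", "tcp", TELNET),
                Packet("10.1.1.5", "171.69.3.9", "tcp", HTTP),
                Packet("10.1.1.5", "192.0.2.1", "udp", 53)):
        print(pkt, "->", evaluate(MARKETING_GROUP, pkt))
```

The empty-list and None cases are deliberately different: an ACL that exists but has no matching entry denies, while an ACL name that was never defined permits everything, which is the behaviour the paragraph above warns about.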
Chapter 29 Configuring QoS

This chapter describes how to configure quality of service (QoS) by using automatic QoS (auto-QoS) commands or by using standard QoS commands on the Catalyst 2960 switch. With QoS, you can provide preferential treatment to certain types of traffic at the expense of others. Without QoS, the switch offers best-effort service to each packet, regardless of the packet contents or size. It sends the packets without any assurance of reliability, delay bounds, or throughput.

Understanding QoS

The QoS implementation is based on the Differentiated Services (Diff-Serv) architecture, an emerging standard from the Internet Engineering Task Force (IETF). This architecture specifies that each packet is classified upon entry into the network. The classification is carried in the IP packet header, using 6 bits from the deprecated IP type of service (ToS) field to carry the classification (class) information.

Figure 29-1 QoS Classification Layers in Frames and Packets (figure: an encapsulated packet made up of a Layer 2 header, an IP header, and data; a Layer 2 ISL frame with a 26-byte ISL header, the encapsulated frame, and a 4-byte FCS, with 3 bits used for CoS; a Layer 2 802.1Q frame)

Figure 29-2 shows the basic QoS model. Actions at the ingress port include classifying traffic, policing, marking, queueing, and scheduling:
• Classification generates a distinct path for a packet by associating it with a QoS label. The switch maps the CoS or DSCP in the packet to a QoS label to distinguish one kind of traffic from another. The QoS label that is generated identifies all future QoS actions to be performed on this packet.

Classification

Classification is the process of distinguishing one kind of traffic from another by examining the fields in the packet. Classification is enabled only if QoS is globally enabled on the switch. By default, QoS is globally disabled, so no classification occurs. During classification, the switch performs a lookup and assigns a QoS label to the packet.

After classification, the packet is sent to the policing, marking, and the ingress queueing and scheduling stages.
Figure 29-3 Classification Flowchart (flowchart: Start; Read ingress interface configuration for classification; Trust CoS (IP and non-IP traffic); Trust DSCP (IP traffic); Trust DSCP or IP precedence (non-IP traffic); Trust IP precedence (IP traffic); Assign DSCP identical to DSCP in packet)

Classification Based on QoS ACLs

You can use IP standard, IP extended, or Layer 2 MAC ACLs to define a group of packets with the same characteristics (class). In the QoS context, the permit and deny actions in the access control entries (ACEs) have different meanings than with security ACLs:
• If a match with a permit action is encountered (first-match principle), the specified QoS-related action is taken.

You create and name a policy map by using the policy-map global configuration command. When you enter this command, the switch enters the policy-map configuration mode. In this mode, you specify the actions to take on a specific traffic class by using the class, trust, or set policy-map configuration and policy-map class configuration commands.

Policing on Physical Ports

In policy maps on physical ports, you can create these types of policers:
• Individual QoS applies the bandwidth limits specified in the policer separately to each matched traffic class. You configure this type of policer within a policy map by using the police policy-map class configuration command.
• Aggregate QoS applies the bandwidth limits specified in an aggregate policer cumulatively to all matched traffic flows.

Figure 29-4 Policing and Marking Flowchart on Physical Ports (flowchart: Start; Get the classification result for the packet; Is a policer configured for this packet? (No / Yes); Check if the packet is in profile by querying the policer (Yes: Pass through; No: Check out-of-profile action configured for this policer); Drop: Drop packet; Mark: Modify DSCP according to the policed-DSCP map, Generate a new QoS label; Done)

• Before the traffic reaches the scheduling stage, QoS stores the packet in an ingress and an egress queue according to the QoS label. The QoS label is based on the DSCP or the CoS value in the packet and selects the queue through the DSCP input and output queue threshold maps or through the CoS input and output queue threshold maps.

Weighted Tail Drop

Both the ingress and egress queues use an enhanced version of the tail-drop congestion-avoidance mechanism called weighted tail drop (WTD). WTD is implemented on queues to manage the queue lengths and to provide drop precedences for different traffic classifications. As a frame is enqueued to a particular queue, WTD uses the frame’s assigned QoS label to subject it to different thresholds.

In shared mode, the queues share the bandwidth among them according to the configured weights. The bandwidth is guaranteed at this level but not limited to it. For example, if a queue is empty and no longer requires a share of the link, the remaining queues can expand into the unused bandwidth and share it among them. With sharing, the ratio of the weights controls the frequency of dequeuing; the absolute values are meaningless.
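As an added example that is not Cisco code and not part of this guide, the following Python simulation of SRR shared mode shows the two properties described above: weights 1:3 and 25:75 produce the same dequeue schedule, because only the ratio matters, and when one queue runs empty the other queue takes over its share instead of leaving the link idle. The credit scheme and the function names are this example's own approximation; the guide does not describe the hardware scheduler at this level.

```python
# Added example (not Cisco code): a simulation of SRR in shared mode.
from collections import Counter
from functools import reduce
from math import gcd
from typing import Dict, List


def srr_shared(backlog: Dict[str, int], weights: Dict[str, int],
               slots: int) -> List[str]:
    """Dequeue up to `slots` frames and return the order in which queues were served.

    backlog: frames waiting in each queue at the start (constructed input).
    weights: SRR shared-mode weights per queue; only their ratio matters.
    """
    if any(w <= 0 for w in weights.values()):
        raise ValueError("SRR weights must be positive")
    # Reduce the weights by their greatest common divisor so that 25:75
    # behaves exactly like 1:3, as the configuration guide states.
    g = reduce(gcd, weights.values())
    ratio = {q: w // g for q, w in weights.items()}
    remaining = dict(backlog)
    credit = {q: 0 for q in backlog}
    order: List[str] = []
    while slots > 0 and any(remaining.values()):
        # New round: only queues with traffic earn credit, so an empty
        # queue's share of the link goes to the queues that still have frames.
        for q in backlog:
            credit[q] = ratio[q] if remaining[q] > 0 else 0
        served = True
        while served and slots > 0:
            served = False           # one frame per queue per pass, round robin
            for q in backlog:
                if credit[q] > 0 and remaining[q] > 0:
                    credit[q] -= 1
                    remaining[q] -= 1
                    order.append(q)
                    slots -= 1
                    served = True
                    if slots == 0:
                        break
    return order


def service_counts(order: List[str]) -> Dict[str, int]:
    """Frames dequeued per queue over the simulated period."""
    return dict(Counter(order))


if __name__ == "__main__":
    full = {"queue1": 100, "queue2": 100}
    print(service_counts(srr_shared(full, {"queue1": 1, "queue2": 3}, 40)))
    print(service_counts(srr_shared(full, {"queue1": 25, "queue2": 75}, 40)))
    # queue1 empties after two frames; queue2 absorbs the unused share.
    print(service_counts(srr_shared({"queue1": 2, "queue2": 100},
                                    {"queue1": 1, "queue2": 3}, 40)))
```

With both queues backlogged, 40 dequeue slots split 10:30 under either weight setting; with only two frames in queue1, queue2 receives the other 38 slots, which is the "guaranteed but not limited" behaviour of shared mode.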
The switch supports two configurable ingress queues, which are serviced by SRR in shared mode only. Table 29-1 describes the queues.
Table 29-1 Ingress Queue Types
   Queue Type: Function
   Normal: User traffic that is considered to be normal priority. You can configure three different thresholds to differentiate among the flows.

Priority Queueing

You can configure one ingress queue as the priority queue by using the mls qos srr-queue input priority-queue queue-id bandwidth weight global configuration command. The priority queue should be used for traffic (such as voice) that requires guaranteed delivery because this queue is guaranteed part of the bandwidth regardless of the load on the internal ring.

Figure 29-8 Queueing and Scheduling Flowchart for Egress Ports (flowchart: Start; Receive packet from the internal ring; Read QoS label (DSCP or CoS value); Determine egress queue number and threshold based on the label; Are thresholds being exceeded? (Yes: Drop packet; No: Queue the packet); Service the queue according to the SRR weights; Rewrite DSCP and/or CoS value as appropriate; Send the packet out the port; Done)

buffers) or not empty (free buffers). If the queue is not over-limit, the switch can allocate buffer space from the reserved pool or from the common pool (if it is not empty). If there are no free buffers in the common pool or if the queue is over-limit, the switch drops the frame.

ID 1 and ID 2. The drop threshold for threshold ID 3 is preset to the queue-full state, and you cannot modify it. For more information about how WTD works, see the “Weighted Tail Drop” section on page 29-12.

Shaped or Shared Mode

SRR services each queue-set in shared or shaped mode. You map a port to a queue-set by using the queue-set qset-id interface configuration command.
The input mutation causes the DSCP to be rewritten depending on the new value of DSCP chosen. The set action in a policy map also causes the DSCP to be rewritten.

Configuring Auto-QoS

You can use the auto-QoS feature to simplify the deployment of existing QoS features.

Table 29-3 shows the generated auto-QoS configuration for the ingress queues.
Table 29-3 Auto-QoS Configuration for the Ingress Queues
   Ingress Queue   Queue Number   CoS-to-Queue Map   Queue Weight (Bandwidth)   Queue (Buffer) Size
   SRR shared      1              0, 1               81 percent                 67 percent
   Priority        2              2, 3, 4, 5, 6, 7   19 percent                 33 percent
Table 29-4 shows the generated auto-QoS configuration for the egress queues.

• When you enter the auto qos voip cisco-softphone interface configuration command on a port at the edge of the network that is connected to a device running the Cisco SoftPhone, the switch uses policing to determine whether a packet is in or out of profile and to specify the action on the packet. If the packet does not have a DSCP value of 24, 26, or 46 or is out of profile, the switch changes the DSCP value to 0.

Table 29-5 Generated Auto-QoS Configuration (continued)
   Description: The switch automatically maps DSCP values to an ingress queue and to a threshold ID.
   Automatically Generated Command: (not shown)

Table 29-5 Generated Auto-QoS Configuration (continued)
   Description: The switch automatically configures the egress queue buffer sizes. It configures the bandwidth and the SRR mode (shaped or shared) on the egress queues mapped to the port.
   Automatically Generated Command: (not shown)

Effects of Auto-QoS on the Configuration

When auto-QoS is enabled, the auto qos voip interface configuration command and the generated configuration are added to the running configuration. The switch applies the auto-QoS-generated commands as if the commands were entered from the CLI. An existing user configuration can cause the application of the generated commands to fail or to be overridden by the generated commands. These actions occur without warning.

Enabling Auto-QoS for VoIP

Beginning in privileged EXEC mode, follow these steps to enable auto-QoS for VoIP within a QoS domain:
Step 1 configure terminal
   Purpose: Enter global configuration mode.

This example shows how to enable auto-QoS and to trust the QoS labels received in incoming packets when the switch or router connected to a port is a trusted device:
Switch(config)# interface gigabitethernet0/1
Switch(config-if)# auto qos voip trust

Auto-QoS Configuration Example

This section describes how you could implement auto-QoS in a network, as shown in Figure 29-10. For optimum QoS performance, enable auto-QoS on all the devices in the network.

Note: You should not configure any standard QoS commands before entering the auto-QoS commands. You can fine-tune the QoS configuration, but we recommend that you do so only after the auto-QoS configuration is completed.
Beginning in privileged EXEC mode, follow these steps to configure the switch at the edge of the QoS domain to prioritize the VoIP traffic over all other traffic:
Step 1 debug auto qos
   Purpose: Enable debugging for auto-QoS.

Displaying Auto-QoS Information

To display the initial auto-QoS configuration, use the show auto qos [interface [interface-id]] privileged EXEC command. To display any user changes to that configuration, use the show running-config privileged EXEC command. You can compare the show auto qos and the show running-config command output to identify the user-defined QoS settings.
Chapter 29 Configuring QoS Configuring Standard QoS Default Standard QoS Configuration QoS is disabled. There is no concept of trusted or untrusted ports because the packets are not modified (the CoS, DSCP, and IP precedence values in the packet are not changed). Traffic is switched in pass-through mode (packets are switched without any rewrites and classified as best effort without any policing).
Chapter 29 Configuring QoS Configuring Standard QoS Default Egress Queue Configuration Table 29-9 shows the default egress queue configuration for each queue-set when QoS is enabled. All ports are mapped to queue-set 1. The port bandwidth limit is set to 100 percent and rate unlimited.
Chapter 29 Configuring QoS Configuring Standard QoS Default Mapping Table Configuration The default CoS-to-DSCP map is shown in Table 29-12 on page 29-51. The default IP-precedence-to-DSCP map is shown in Table 29-13 on page 29-52. The default DSCP-to-CoS map is shown in Table 29-14 on page 29-54. The default DSCP-to-DSCP-mutation map is a null map, which maps an incoming DSCP value to the same DSCP value.
Chapter 29 Configuring QoS Configuring Standard QoS • On a port configured for QoS, all traffic received through the port is classified, policed, and marked according to the policy map attached to the port. On a trunk port configured for QoS, traffic in all VLANs received through the port is classified, policed, and marked according to the policy map attached to the port.
Chapter 29 Configuring QoS Configuring Standard QoS • Enabling DSCP Transparency Mode, page 29-36 • Configuring the DSCP Trust State on a Port Bordering Another QoS Domain, page 29-37 Configuring the Trust State on Ports within the QoS Domain Packets entering a QoS domain are classified at the edge of the QoS domain.
Chapter 29 Configuring QoS Configuring Standard QoS Beginning in privileged EXEC mode, follow these steps to configure the port to trust the classification of the traffic that it receives: Command Purpose Step 1 configure terminal Enter global configuration mode. Step 2 interface interface-id Specify the port to be trusted, and enter interface configuration mode. Valid interfaces include physical ports. Step 3 mls qos trust [cos | dscp | ip-precedence] Configure the port trust state.
Chapter 29 Configuring QoS Configuring Standard QoS Beginning in privileged EXEC mode, follow these steps to define the default CoS value of a port or to assign the default CoS to all incoming packets on the port: Command Purpose Step 1 configure terminal Enter global configuration mode. Step 2 interface interface-id Specify the port to be configured, and enter interface configuration mode. Valid interfaces include physical ports.
Chapter 29 Configuring QoS Configuring Standard QoS With the trusted setting, you also can use the trusted boundary feature to prevent misuse of a high-priority queue if a user bypasses the telephone and connects the PC directly to the switch. Without trusted boundary, the CoS labels generated by the PC are trusted by the switch (because of the trusted CoS setting).
Chapter 29 Configuring QoS Configuring Standard QoS If DSCP transparency is enabled by using the no mls qos rewrite ip dscp command, the switch does not modify the DSCP field in the incoming packet, and the DSCP field in the outgoing packet is the same as that in the incoming packet. Regardless of the DSCP transparency configuration, the switch modifies the internal DSCP value of the packet, which the switch uses to generate a class of service (CoS) value that represents the priority of the traffic.
Chapter 29 Configuring QoS Configuring Standard QoS Figure 29-12 DSCP-Trusted State on a Port Bordering Another QoS Domain QoS Domain 1 QoS Domain 2 Set interface to the DSCP-trusted state. Configure the DSCP-to-DSCP-mutation map. 101235 IP traffic Beginning in privileged EXEC mode, follow these steps to configure the DSCP-trusted state on a port and modify the DSCP-to-DSCP-mutation map.
Chapter 29 Configuring QoS Configuring Standard QoS To return a port to its non-trusted state, use the no mls qos trust interface configuration command. To return to the default DSCP-to-DSCP-mutation map values, use the no mls qos map dscp-mutation dscp-mutation-name global configuration command.
Chapter 29 Configuring QoS Configuring Standard QoS Classifying Traffic by Using ACLs You can classify IP traffic by using IP standard or IP extended ACLs; you can classify non-IP traffic by using Layer 2 MAC ACLs. Beginning in privileged EXEC mode, follow these steps to create an IP standard ACL for IP traffic: Command Purpose Step 1 configure terminal Enter global configuration mode.
Chapter 29 Configuring QoS Configuring Standard QoS Beginning in privileged EXEC mode, follow these steps to create an IP extended ACL for IP traffic: Command Purpose Step 1 configure terminal Enter global configuration mode. Step 2 access-list access-list-number {deny | permit} protocol source source-wildcard destination destination-wildcard Create an IP extended ACL, repeating the command as many times as necessary. • For access-list-number, enter the access list number.
Chapter 29 Configuring QoS Configuring Standard QoS Beginning in privileged EXEC mode, follow these steps to create a Layer 2 MAC ACL for non-IP traffic: Command Purpose Step 1 configure terminal Enter global configuration mode. Step 2 mac access-list extended name Create a Layer 2 MAC ACL by specifying the name of the list. After entering this command, the mode changes to extended MAC ACL configuration.
Chapter 29 Configuring QoS Configuring Standard QoS Classifying Traffic by Using Class Maps You use the class-map global configuration command to name and to isolate a specific traffic flow (or class) from all other traffic. The class map defines the criteria to use to match against a specific traffic flow to further classify it. Match statements can include criteria such as an ACL, IP precedence values, or DSCP values.
Chapter 29 Configuring QoS Configuring Standard QoS Command Step 4 Purpose match {access-group acl-index-or-name | Define the match criterion to classify traffic. ip dscp dscp-list | ip precedence By default, no match criterion is defined. ip-precedence-list} Only one match criterion per class map is supported, and only one ACL per class map is supported. • For access-group acl-index-or-name, specify the number or name of the ACL created in Step 2.
Chapter 29 Configuring QoS Configuring Standard QoS Classifying, Policing, and Marking Traffic on Physical Ports by Using Policy Maps You can configure a policy map on a physical port that specifies which traffic class to act on.
Chapter 29 Configuring QoS Configuring Standard QoS Step 3 Command Purpose policy-map policy-map-name Create a policy map by entering the policy map name, and enter policy-map configuration mode. By default, no policy maps are defined. The default behavior of a policy map is to set the DSCP to 0 if the packet is an IP packet and to set the CoS to 0 if the packet is tagged. No policing is performed.
Chapter 29 Configuring QoS Configuring Standard QoS Step 7 Command Purpose police rate-bps burst-byte [exceed-action {drop | policed-dscp-transmit}] Define a policer for the classified traffic. By default, no policer is defined. For information on the number of policers supported, see the “Standard QoS Configuration Guidelines” section on page 29-31. • For rate-bps, specify average traffic rate in bits per second (bps). The range is 1000000 to 1000000000.
Chapter 29 Configuring QoS Configuring Standard QoS This example shows how to create a policy map and attach it to an ingress port. In the configuration, the IP standard ACL permits traffic from network 10.1.0.0. For traffic matching this classification, the DSCP value in the incoming packet is trusted.
Chapter 29 Configuring QoS Configuring Standard QoS Beginning in privileged EXEC mode, follow these steps to create an aggregate policer: Command Purpose Step 1 configure terminal Enter global configuration mode. Step 2 mls qos aggregate-policer aggregate-policer-name rate-bps burst-byte exceed-action {drop | policed-dscp-transmit} Define the policer parameters that can be applied to multiple traffic classes within the same policy map. By default, no aggregate policer is defined.
Chapter 29 Configuring QoS Configuring Standard QoS Step 9 Command Purpose service-policy input policy-map-name Specify the policy-map name, and apply it to an ingress port. Only one policy map per ingress port is supported. Step 10 end Return to privileged EXEC mode. Step 11 show mls qos aggregate-policer [aggregate-policer-name] Verify your entries. Step 12 copy running-config startup-config (Optional) Save your entries in the configuration file.
Configuring DSCP Maps

These sections contain this configuration information:
• Configuring the CoS-to-DSCP Map, page 29-51 (optional)
• Configuring the IP-Precedence-to-DSCP Map, page 29-52 (optional)
• Configuring the Policed-DSCP Map, page 29-53 (optional, unless the null settings in the map are not appropriate)
• Configuring the DSCP-to-CoS Map, page 29-54 (optional)
• Configuring the DSCP-to-DSCP-Mutation Map, page 29-55 (optional, unless th

Step 4   show mls qos maps cos-dscp
         Verify your entries.
Step 5   copy running-config startup-config
         (Optional) Save your entries in the configuration file.
To return to the default map, use the no mls qos cos-dscp global configuration command.

Step 4   show mls qos maps ip-prec-dscp
         Verify your entries.
Step 5   copy running-config startup-config
         (Optional) Save your entries in the configuration file.
To return to the default map, use the no mls qos ip-prec-dscp global configuration command.

This example shows how to map DSCP 50 to 57 to a marked-down DSCP value of 0:
Switch(config)# mls qos map policed-dscp 50 51 52 53 54 55 56 57 to 0
Switch(config)# end
Switch# show mls qos maps policed-dscp
Policed-dscp map:
     d1 :  d2 0  1  2  3  4  5  6  7  8  9
     ---------------------------------------
      0 :    00 01 02 03 04 05 06 07 08 09
      1 :    10 11 12 13 14 15 16 17 18 19
      2 :    20 21 22 23 24 25 26 27 28 29
      3 :    30 31 32 33 34 35 36 37 38 39
      4 :    40 41 42 43 44 45 46 47 48

Step 1   configure terminal
         Enter global configuration mode.
Step 2   mls qos map dscp-cos dscp-list to cos
         Modify the DSCP-to-CoS map.
         • For dscp-list, enter up to eight DSCP values separated by spaces. Then enter the to keyword.
         • For cos, enter the CoS value to which the DSCP values correspond.
         The DSCP range is 0 to 63; the CoS range is 0 to 7.
Step 3   end
         Return to privileged EXEC mode.

Beginning in privileged EXEC mode, follow these steps to modify the DSCP-to-DSCP-mutation map. This procedure is optional.
Step 1   configure terminal
         Enter global configuration mode.
Step 2   mls qos map dscp-mutation dscp-mutation-name in-dscp to out-dscp
         Modify the DSCP-to-DSCP-mutation map.
         • For dscp-mutation-name, enter the mutation map name. You can create more than one map by specifying a new name.

Note In the above DSCP-to-DSCP-mutation map, the mutated values are shown in the body of the matrix. The d1 column specifies the most-significant digit of the original DSCP; the d2 row specifies the least-significant digit of the original DSCP. The intersection of the d1 and d2 values provides the mutated value. For example, a DSCP value of 12 corresponds to a mutated value of 10.
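The d1/d2 matrix layout described in this note is the same one the show mls qos maps policed-dscp output above uses. As an added example (not from the guide), this Python parser reads such a matrix into a DSCP lookup table and reports which entries the map actually rewrites; the sample output is constructed to match the "DSCP 50 to 57 to 0" change shown earlier.

```python
import re
from typing import Dict, Iterable

# Constructed sample of "show mls qos maps policed-dscp" output after
# DSCP 50-57 have been mapped to a marked-down value of 0.
SAMPLE_POLICED_DSCP_OUTPUT = """\
Policed-dscp map:
     d1 :  d2 0  1  2  3  4  5  6  7  8  9
     ---------------------------------------
      0 :    00 01 02 03 04 05 06 07 08 09
      1 :    10 11 12 13 14 15 16 17 18 19
      2 :    20 21 22 23 24 25 26 27 28 29
      3 :    30 31 32 33 34 35 36 37 38 39
      4 :    40 41 42 43 44 45 46 47 48 49
      5 :    00 00 00 00 00 00 00 00 58 59
      6 :    60 61 62 63
"""

# A matrix row: a single d1 digit, a colon, then two-digit mapped values.
# The title line, the "d1 : d2" column header and the dashed rule do not
# start with a digit, so they never match.
_ROW_RE = re.compile(r"^\s*(\d)\s*:\s*((?:\d{2}\s*)+)$")


def parse_dscp_map(text: str) -> Dict[int, int]:
    """Turn the d1/d2 matrix into {original_dscp: mapped_dscp}.

    The row label (d1) is the tens digit of the original DSCP and the
    column position (d2) is the units digit, so the cell at row d1,
    column d2 is the value that DSCP 10*d1 + d2 is rewritten to.
    """
    mapping: Dict[int, int] = {}
    for line in text.splitlines():
        m = _ROW_RE.match(line)
        if not m:
            continue
        d1 = int(m.group(1))
        for d2, cell in enumerate(m.group(2).split()):
            original = 10 * d1 + d2
            if original > 63:
                raise ValueError(f"row {d1} has too many columns")
            mapping[original] = int(cell)
    if len(mapping) != 64:
        raise ValueError(f"expected 64 DSCP entries, parsed {len(mapping)}")
    return mapping


def marked_down(mapping: Dict[int, int]) -> Dict[int, int]:
    """Only the entries the map actually rewrites (original != mapped)."""
    return {orig: new for orig, new in mapping.items() if orig != new}


def check_markdown(mapping: Dict[int, int], dscps: Iterable[int],
                   expected: int) -> bool:
    """True if every DSCP in `dscps` is rewritten to `expected`; use it to
    confirm that a 'mls qos map policed-dscp ... to N' change took effect."""
    return all(mapping.get(d) == expected for d in dscps)


if __name__ == "__main__":
    table = parse_dscp_map(SAMPLE_POLICED_DSCP_OUTPUT)
    print("rewritten entries:", marked_down(table))
    print("50-57 marked down to 0:", check_markdown(table, range(50, 58), 0))
```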
Step 1   configure terminal
         Enter global configuration mode.
Step 2   mls qos srr-queue input dscp-map queue queue-id threshold threshold-id dscp1...dscp8
         or
         mls qos srr-queue input cos-map queue queue-id threshold threshold-id cos1...
         Map DSCP or CoS values to an ingress queue and to a threshold ID.

In this example, the DSCP values (0 to 6) are assigned the WTD threshold of 50 percent and will be dropped sooner than the DSCP values (20 to 26) assigned to the WTD threshold of 70 percent.

Allocating Buffer Space Between the Ingress Queues

You define the ratio (allocate the amount of space) with which to divide the ingress buffers between the two queues.

Allocating Bandwidth Between the Ingress Queues

You need to specify how much of the available bandwidth is allocated between the ingress queues. The ratio of the weights is the ratio of the frequency in which the SRR scheduler sends packets from each queue. The bandwidth and the buffer allocation control how much data can be buffered before packets are dropped. On ingress queues, SRR operates only in shared mode.

Configuring the Ingress Priority Queue

You should use the priority queue only for traffic that needs to be expedited (for example, voice traffic, which needs minimum delay and jitter). The priority queue is guaranteed part of the bandwidth to reduce the delay and jitter under heavy network traffic on an oversubscribed ring (when there is more traffic than the backplane can carry, and the queues are full and dropping frames).

Configuring Egress Queue Characteristics

Depending on the complexity of your network and your QoS solution, you might need to perform all of the tasks in the next sections.

Beginning in privileged EXEC mode, follow these steps to configure the memory allocation and the drop thresholds for a queue-set. This procedure is optional.
Step 1   configure terminal
         Enter global configuration mode.
Step 2   mls qos queue-set output qset-id buffers allocation1 ... allocation4
         Allocate buffers to a queue-set. By default, all allocation values are equally mapped among the four queues (25, 25, 25, 25).

Step 7   show mls qos interface [interface-id] buffers
         Verify your entries.
Step 8   copy running-config startup-config
         (Optional) Save your entries in the configuration file.
To return to the default setting, use the no mls qos queue-set output qset-id buffers global configuration command.

Step 1   configure terminal
         Enter global configuration mode.
Step 2   mls qos srr-queue output dscp-map queue queue-id threshold threshold-id dscp1...dscp8
         or
         mls qos srr-queue output cos-map queue queue-id threshold threshold-id cos1...cos8
         Map DSCP or CoS values to an egress queue and to a threshold ID. By default, DSCP values 0–15 are mapped to queue 2 and threshold 1. DSCP values 16–31 are mapped to queue 3 and threshold 1.

Configuring SRR Shaped Weights on Egress Queues

You can specify how much of the available bandwidth is allocated to each queue. The ratio of the weights is the ratio of frequency in which the SRR scheduler sends packets from each queue. You can configure the egress queues for shaped or shared weights, or both. Use shaping to smooth bursty traffic or to provide a smoother output over time.

Configuring SRR Shared Weights on Egress Queues

In shared mode, the queues share the bandwidth among them according to the configured weights. The bandwidth is guaranteed at this level but not limited to it. For example, if a queue empties and does not require a share of the link, the remaining queues can expand into the unused bandwidth and share it among them.
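The shared-weight rule described here (the weight ratio is a guaranteed floor, and bandwidth an empty queue does not use is redistributed to the queues that still have traffic) is the same rule the ingress queues follow, since SRR runs only in shared mode on ingress. As an added example that is not from the guide, this Python function works the allocation out by progressive filling; the weights, offered loads and the 100 Mb/s port rate are constructed values.

```python
from typing import List


def guaranteed_shares(weights: List[int], link_rate: float) -> List[float]:
    """Bandwidth each queue is guaranteed in shared mode: its weight as a
    fraction of the weight total, times the port rate."""
    total = sum(weights)
    return [link_rate * w / total for w in weights]


def shared_allocation(weights: List[int], demand: List[float],
                      link_rate: float) -> List[float]:
    """Bandwidth each queue actually receives in shared mode.

    The guarantee is a floor, not a ceiling: a queue that offers less
    traffic than its share keeps only what it needs, and the leftover is
    redistributed to the remaining queues in the ratio of their weights
    (progressive filling). A queue with no traffic therefore hands its
    whole share to the others.
    """
    if len(weights) != len(demand):
        raise ValueError("one demand value per queue is required")
    alloc = [0.0] * len(weights)
    pending = [i for i, d in enumerate(demand) if d > 0]
    remaining = link_rate
    while pending and remaining > 0:
        wsum = sum(weights[i] for i in pending)
        share = {i: remaining * weights[i] / wsum for i in pending}
        # Queues whose offered load fits inside their current share are
        # satisfied; the part of the share they do not use is released.
        satisfied = [i for i in pending if demand[i] <= share[i]]
        if not satisfied:
            # Every remaining queue is oversubscribed: split what is left
            # strictly by weight and stop.
            for i in pending:
                alloc[i] = share[i]
            break
        for i in satisfied:
            alloc[i] = demand[i]
            remaining -= demand[i]
        pending = [i for i in pending if i not in satisfied]
    return alloc


if __name__ == "__main__":
    # Constructed scenario: four egress queues, weights 1:2:3:4, 100 Mb/s port.
    weights = [1, 2, 3, 4]
    print(guaranteed_shares(weights, 100.0))               # 10, 20, 30, 40
    print(shared_allocation(weights, [100] * 4, 100.0))    # all oversubscribed
    print(shared_allocation(weights, [100, 100, 100, 0], 100.0))  # queue 4 idle
```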
Configuring the Egress Expedite Queue

You can ensure that certain packets have priority over all others by queuing them in the egress expedite queue. SRR services this queue until it is empty before servicing the other queues. Beginning in privileged EXEC mode, follow these steps to enable the egress expedite queue. This procedure is optional.
Step 1   configure terminal
         Enter global configuration mode.

Beginning in privileged EXEC mode, follow these steps to limit the bandwidth on an egress port. This procedure is optional.
Step 1   configure terminal
         Enter global configuration mode.
Step 2   interface interface-id
         Specify the port to be rate limited, and enter interface configuration mode.
Step 3   srr-queue bandwidth limit weight1
         Specify the percentage of the port speed to which the port should be limited.

Displaying Standard QoS Information

Table 29-15 Commands for Displaying Standard QoS Information (continued)
Command                                                   Purpose
show mls qos queue-set [qset-id]                          Display QoS settings for the egress queues.
show policy-map [policy-map-name [class class-map-name]]  Display QoS policy maps, which define classification criteria for incoming traffic.
Chapter 30 Configuring EtherChannels

This chapter describes how to configure EtherChannels on Layer 2 ports on the Catalyst 2960 switch. EtherChannel provides fault-tolerant high-speed links between switches, routers, and servers. You can use it to increase the bandwidth between the wiring closets and the data center, and you can deploy it anywhere in the network where bottlenecks are likely to occur.

Understanding EtherChannels

EtherChannel Overview

An EtherChannel consists of individual Fast Ethernet or Gigabit Ethernet links bundled into a single logical link as shown in Figure 30-1.

Port-Channel Interfaces

When you create a Layer 2 EtherChannel, a port-channel logical interface is involved. You can create the EtherChannel in these ways:
• Use the channel-group interface configuration command. This command automatically creates the port-channel logical interface when the channel group gets its first physical port.

Port Aggregation Protocol

The Port Aggregation Protocol (PAgP) is a Cisco-proprietary protocol that can be run only on Cisco switches and on those switches licensed by vendors to support PAgP. PAgP facilitates the automatic creation of EtherChannels by exchanging PAgP packets between Ethernet ports. By using PAgP, the switch learns the identity of partners capable of supporting PAgP and the capabilities of each port.

PAgP Interaction with Other Features

The Dynamic Trunking Protocol (DTP) and the Cisco Discovery Protocol (CDP) send and receive packets over the physical ports in the EtherChannel. Trunk ports send and receive PAgP protocol data units (PDUs) on the lowest numbered VLAN. In Layer 2 EtherChannels, the first port in the channel that comes up provides its MAC address to the EtherChannel.

LACP Interaction with Other Features

The DTP and the CDP send and receive packets over the physical ports in the EtherChannel. Trunk ports send and receive LACP PDUs on the lowest numbered VLAN. In Layer 2 EtherChannels, the first port in the channel that comes up provides its MAC address to the EtherChannel. If this port is removed from the bundle, one of the remaining ports in the bundle provides its MAC address to the EtherChannel.

With source-and-destination MAC address forwarding, when packets are forwarded to an EtherChannel, they are distributed across the ports in the channel based on both the source and destination MAC addresses.

Figure 30-3 Load Distribution and Forwarding Methods (figure: a switch with source-based forwarding enabled, connected over an EtherChannel to a Cisco router with destination-based forwarding enabled)

Configuring EtherChannels

These sections contain this configuration information:
• Default EtherChannel Configuration, page 30-9
• EtherChannel Configuration Guidelines, page 30-9
• Configuring Layer 2 EtherChannels, page 30-10 (required)
• Configuring EtherCha

Default EtherChannel Configuration

Table 30-3 shows the default EtherChannel configuration.

Table 30-3 Default EtherChannel Configuration
Feature                         Default Setting
Channel groups                  None assigned.
Port-channel logical interface  None defined.
PAgP mode                       No default.
PAgP learn method               Aggregate-port learning on all ports.
PAgP priority                   128 on all ports.
LACP mode                       No default.
LACP learn method               Aggregate-port learning on all ports.

• Do not configure an EtherChannel in both the PAgP and LACP modes. EtherChannel groups running PAgP and LACP can coexist on the same switch. Individual EtherChannel groups can run either PAgP or LACP, but they cannot interoperate.
• Do not configure a Switched Port Analyzer (SPAN) destination port as part of an EtherChannel.
• Do not configure a secure port as part of an EtherChannel or the reverse.

Step 3   switchport mode {access | trunk}
         Assign all ports as static-access ports in the same VLAN, or configure them as trunks.
         switchport access vlan vlan-id
         If you configure the port as a static-access port, assign it to only one VLAN. The range is 1 to 4094.

This example shows how to configure an EtherChannel.

To return EtherChannel load balancing to the default configuration, use the no port-channel load-balance global configuration command.

Configuring the PAgP Learn Method and Priority

Network devices are classified as PAgP physical learners or aggregate-port learners. A device is a physical learner if it learns addresses by physical ports and directs transmissions based on that knowledge.

Step 3   pagp learn-method physical-port
         Select the PAgP learning method. By default, aggregation-port learning is selected, which means the switch sends packets to the source by using any of the ports in the EtherChannel. With aggregate-port learning, it is not important on which physical port the packet arrives. Select physical-port to connect with another switch that is a physical learner.

Determining which ports are active and which are hot standby is a two-step procedure. First the system with a numerically lower system priority and system-id is placed in charge of the decision. Next, that system decides which ports are active and which are hot standby, based on its values for port priority and port number. The port-priority and port-number values for the other system are not used.
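The two-step decision above, as an added example that is not from the guide: the switch with the numerically lower (system priority, system ID) pair decides, and it orders the links by its own port priority and port number, so the partner's port values never influence the result. The system IDs, port values and the two-port active limit (standing in for a partner's hardware limit) are constructed.

```python
from dataclasses import dataclass
from typing import Callable, List, Tuple


@dataclass(frozen=True)
class SystemInfo:
    """LACP system identity: the system priority and the system ID (MAC)."""
    priority: int
    system_id: str  # dotted-hex MAC string, e.g. "0011.2233.4455"

    def key(self) -> Tuple[int, int]:
        # Compare priority first, then the MAC as an integer; lower wins.
        return (self.priority, int(self.system_id.replace(".", ""), 16))


@dataclass(frozen=True)
class PortInfo:
    """Port priority and port number as advertised by one side of a link."""
    priority: int
    number: int


@dataclass(frozen=True)
class Link:
    """One physical member of the channel, with each side's port values."""
    name: str
    local: PortInfo
    partner: PortInfo


def local_decides(local: SystemInfo, partner: SystemInfo) -> bool:
    """Step 1: the system with the lower (system priority, system ID) decides."""
    return local.key() <= partner.key()


def select_ports(local: SystemInfo, partner: SystemInfo, links: List[Link],
                 max_active: int) -> Tuple[List[str], List[str]]:
    """Step 2: the deciding system sorts the links by ITS OWN port priority
    and port number; the first max_active are active, the rest hot standby.
    The other system's port-priority and port-number values are not used."""
    if max_active < 1:
        raise ValueError("max_active must be at least 1")
    side: Callable[[Link], PortInfo]
    side = (lambda l: l.local) if local_decides(local, partner) else (lambda l: l.partner)
    ordered = sorted(links, key=lambda l: (side(l).priority, side(l).number))
    active = [l.name for l in ordered[:max_active]]
    standby = [l.name for l in ordered[max_active:]]
    return active, standby


# Constructed scenario: both switches use the same system priority, so the
# lower system ID decides. MAX_ACTIVE is an assumed hardware limit on the
# number of ports the partner can bundle.
LOCAL = SystemInfo(priority=32768, system_id="0011.2233.4455")
PARTNER = SystemInfo(priority=32768, system_id="0011.2233.aabb")
MAX_ACTIVE = 2
LINKS = [
    Link("Gi0/1", local=PortInfo(128, 3), partner=PortInfo(1, 1)),
    Link("Gi0/2", local=PortInfo(128, 1), partner=PortInfo(200, 2)),
    Link("Gi0/3", local=PortInfo(64, 7), partner=PortInfo(128, 3)),
]

if __name__ == "__main__":
    active, standby = select_ports(LOCAL, PARTNER, LINKS, MAX_ACTIVE)
    print("deciding system is local:", local_decides(LOCAL, PARTNER))
    print("active:", active, "hot standby:", standby)
```

Lowering the partner's system priority hands it the decision, and the same three links are then ordered by the partner's port values instead.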
Note If LACP is not able to aggregate all the ports that are compatible (for example, the remote system might have more restrictive hardware limitations), all the ports that cannot be actively included in the EtherChannel are put in the hot-standby state and are used only if one of the channeled ports fails.

Beginning in privileged EXEC mode, follow these steps to configure the LACP port priority.

Displaying EtherChannel, PAgP, and LACP Status

You can clear LACP channel-group information and traffic counters by using the clear lacp {channel-group-number counters | counters} privileged EXEC command. For detailed information about the fields in the displays, see the command reference for this release.
Chapter 31 Troubleshooting

This chapter describes how to identify and resolve software problems related to the Cisco IOS software on the Catalyst 2960 switch. Depending on the nature of the problem, you can use the command-line interface (CLI), the device manager, or Network Assistant to identify and solve problems. Additional troubleshooting information, such as LED descriptions, is provided in the hardware installation guide.

Recovering from a Software Failure

Switch software can be corrupted during an upgrade, by downloading the wrong file to the switch, and by deleting the image file. In all of these cases, the switch does not pass the power-on self-test (POST), and there is no connectivity. This procedure uses the Xmodem Protocol to recover from a corrupt or wrong image file.

Step 8   If you had set the console port speed to anything other than 9600, it has been reset to that particular speed. Change the emulation software line speed to match that of the switch console port.
Step 9   Load any helper files:
         switch: load_helper
Step 10  Start the file transfer by using the Xmodem Protocol.
         switch: copy xmodem: flash:image_filename.

Recovering from a Lost or Forgotten Password

Several lines of information about the software appear with instructions, informing you if the password recovery procedure has been disabled or not.
• If you see a message that begins with this:
  The system has been interrupted prior to initializing the flash file system. The following commands will initialize the flash file system
  proceed to the “Procedure with Password Recovery Enabled” section on page 31-4, and follow the steps.

Step 5   Rename the configuration file to config.text.old. This file contains the password definition.
         switch: rename flash:config.text flash:config.text.old
Step 6   Boot the system:
         switch: boot
         You are prompted to start the setup program.

Step 14  Reload the switch:
         Switch# reload

Procedure with Password Recovery Disabled

If the password-recovery mechanism is disabled, this message appears:
The password-recovery mechanism has been triggered, but is currently disabled. Access to the boot loader prompt through the password-recovery mechanism is disallowed at this point.

Step 5   At the switch prompt, enter privileged EXEC mode:
         Switch> enable
Step 6   Enter global configuration mode:
         Switch# configure terminal
Step 7   Change the password:
         Switch (config)# enable secret password
         The secret password can be from 1 to 25 alphanumeric characters, can start with a number, is case sensitive, and allows spaces but ignores leading spaces.

Recovering from a Command Switch Failure

You can prepare for a command switch failure by assigning an IP address to a member switch or another switch that is command-capable, making a note of the command-switch password, and cabling your cluster to provide redundant connectivity between the member switches and the replacement command switch.

Would you like to enter basic management setup? [yes/no]:
Step 10  Enter Y at the first prompt. The prompts in the setup program vary depending on the member switch you selected to be the command switch:
         Continue with configuration dialog? [yes/no]: y
         or
         Configuring global parameters:
         If this prompt does not appear, enter enable, and press Return. Enter setup, and press Return to start the setup program.

Step 4   Enter the password of the failed command switch.
Step 5   Use the setup program to configure the switch IP information. This program prompts you for IP address information and passwords. From privileged EXEC mode, enter setup, and press Return.
         Switch# setup
         --- System Configuration Dialog ---
         Continue with configuration dialog? [yes/no]: y
         At any point you may enter a question mark '?' for help.

Recovering from Lost Cluster Member Connectivity

Some configurations can prevent the command switch from maintaining contact with member switches.

Monitoring SFP Module Status

Note The security error message references the GBIC_SECURITY facility. The switch supports SFP modules and does not support GBIC modules. Although the error message text refers to GBIC interfaces and modules, the security messages actually refer to the SFP modules and module interfaces. For more information about error messages, see the system message guide for this release.

Executing Ping

Beginning in privileged EXEC mode, use this command to ping another device on the network from the switch:
Command  ping ip host | address
Purpose  Ping a remote host through IP or by supplying the hostname or network address.

Note Though other protocol keywords are available with the ping command, they are not supported in this release.

This example shows how to ping an IP host:
Switch# ping 172.20.52.3
Type escape sequence to abort.

Understanding Layer 2 Traceroute

The Layer 2 traceroute feature allows the switch to identify the physical path that a packet takes from a source device to a destination device. Layer 2 traceroute supports only unicast source and destination MAC addresses. It finds the path by using the MAC address tables of the switches in the path.

• When multiple devices are attached to one port through hubs (for example, multiple CDP neighbors are detected on a port), the Layer 2 traceroute feature is not supported. When more than one CDP neighbor is detected on a port, the Layer 2 path is not identified, and an error message appears.
• This feature is not supported in Token Ring VLANs.

Using IP Traceroute

To learn when a datagram reaches its destination, traceroute sets the UDP destination port number in the datagram to a very large value that the destination host is unlikely to be using. When a host receives a datagram destined to itself containing a destination port number that is unused locally, it sends an ICMP port-unreachable error to the source.

Table 31-2 Traceroute Output Display Characters (continued)
Character  Description
Q          Source quench.
U          Port unreachable.

To end a trace in progress, enter the escape sequence (Ctrl-^ X by default). Simultaneously press and release the Ctrl, Shift, and 6 keys and then press the X key.

Using Debug Commands

These sections explain how you use debug commands to diagnose and resolve internetworking problems:
• Enabling Debugging on a Specific Feature, page 31-18
• Enabling All-System Diagnostics, page 31-19
• Redirecting Debug and Error Message Output, page 31-19

Caution Because debugging output is assigned high priority in the CPU process, it can render the system unusable.

Enabling All-System Diagnostics

Beginning in privileged EXEC mode, enter this command to enable all-system diagnostics:
Switch# debug all

Caution Because debugging output takes priority over other network traffic, and because the debug all privileged EXEC command generates more output than any other debug command, it can severely diminish switch performance or even render it unusable.

Using the show platform forward Command

This is an example of the output from the show platform forward command on port 1 in VLAN 5 when the packet entering that port is addressed to unknown MAC addresses. The packet should be flooded to all other ports in VLAN 5.
Switch# show platform forward gigabitethernet0/1 vlan 5 1.1.1 2.2.2 ip 13.1.1.1 13.2.2.

Packet 1
 Lookup                   Key-Used                     Index-Hit  A-Data
OutptACL 50_0D020202_0D010101-00_40000014_000A0000  01FFE      03000000
Port     Vlan  SrcMac          DstMac          Cos  Dscpv
Gi0/2    0005  0001.0001.0001  0009.43A8.0145

Using the crashinfo File

The crashinfo file saves information that helps Cisco technical support representatives to debug problems that caused the Cisco IOS image to fail (crash).
Appendix A Supported MIBs

This appendix lists the supported management information bases (MIBs) for this release on the Catalyst 2960 switch. It contains these sections:
• MIB List, page A-1
• Using FTP to Access the MIB Files, page A-3

MIB List

• BRIDGE-MIB
Note The BRIDGE-MIB supports the context of a single VLAN. By default, SNMP messages using the configured community string always provide information for VLAN 1.
• CISCO-PAGP-MIB
• CISCO-PING-MIB
• CISCO-PRODUCTS-MIB
• CISCO-PROCESS-MIB
• CISCO-RTTMON-MIB
• CISCO-SMI-MIB
• CISCO-STACKMAKER-MIB
• CISCO-STP-EXTENSIONS-MIB
• CISCO-SYSLOG-MIB
• CISCO-TC-MIB
• CISCO-TCP-MIB
• CISCO-UDLDP-MIB
• CISCO-VLAN-IFTABLE-RELATIONSHIP-MIB
• CISCO-VLAN-MEMBERSHIP-MIB
• CISCO-VTP-MIB
• ENTITY-MIB
• ETHERLIKE-MIB
• IEEE8021-PAE-MIB
• IEEE8023-LAG-MIB
• IF-MIB (In and out counters for VLANs are not supported.
• SNMPv2-MIB
• TCP-MIB
• UDP-MIB

Using FTP to Access the MIB Files

Note You can also use this URL for a list of supported MIBs for the Catalyst 2960 switch: ftp://ftp.cisco.com/pub/mibs/supportlists/cat2960/cat2960-supportlist.html

You can access other information about MIBs and Cisco products on the Cisco web site: http://www.cisco.com/public/sw-center/netmgmt/cmtk/mibs.
Appendix B Working with the Cisco IOS File System, Configuration Files, and Software Images

This appendix describes how to manipulate the Catalyst 2960 flash file system, how to copy configuration files, and how to archive (upload and download) software images to a switch.

Note For complete syntax and usage information for the commands used in this chapter, see the switch command reference for this release and the Cisco IOS Configuration Fundamentals Command Reference, Release 12.2.

Working with the Flash File System

Displaying Available File Systems

To display the available file systems on your switch, use the show file systems privileged EXEC command as shown in this example.

Setting the Default File System

You can specify the file system or directory that the system uses as the default file system by using the cd filesystem: privileged EXEC command. You can set the default file system to omit the filesystem: argument from related commands.

Creating and Removing Directories

Beginning in privileged EXEC mode, follow these steps to create and remove a directory:
Step 1   dir filesystem:
         Display the directories on the specified file system. For filesystem:, use flash: for the system board flash device.
Step 2   mkdir old_configs
         Create a new directory.

Some invalid combinations of source and destination exist.

Creating a tar File

To create a tar file and write files into it, use this privileged EXEC command:
archive tar /create destination-url flash:/file-url
For destination-url, specify the destination URL alias for the local or network file system and the name of the tar file to create.

This example shows how to display the contents of a switch tar file that is in flash memory:
Switch# archive tar /table flash:c2960-lanbase-mz.122-25.FX.tar
info (219 bytes)
c2960-lanbase-mz.122-25.FX/ (directory)
c2960-lanbase-mz.122-25.FX/html/ (directory)
c2960-lanbase-mz.122-25.FX/html/foo.html (0 bytes)
c2960-lanbase-mz.122-25.FX/c2960-lanbase-mz.122-25.FX.

Working with Configuration Files

Displaying the Contents of a File

To display the contents of any readable file, including a file on a remote file system, use the more [/ascii | /binary | /ebcdic] file-url privileged EXEC command.

• Copying Configuration Files By Using RCP, page B-15
• Clearing Configuration Information, page B-18

Guidelines for Creating and Using Configuration Files

Creating configuration files can aid in your switch configuration. Configuration files can contain some or all of the commands needed to configure one or more switches.

Creating a Configuration File By Using a Text Editor

When creating a configuration file, you must list commands logically so that the system can respond appropriately. This is one method of creating a configuration file:
Step 1   Copy an existing configuration from a switch to a server.

• Ensure that the configuration file to be downloaded is in the correct directory on the TFTP server (usually /tftpboot on a UNIX workstation).
• For download operations, ensure that the permissions on the file are set correctly. The permission on the file should be world-read.
• Before uploading the configuration file, you might need to create an empty file on the TFTP server.

The file is uploaded to the TFTP server. This example shows how to upload a configuration file from a switch to a TFTP server:
Switch# copy system:running-config tftp://172.16.2.155/tokyo-confg
Write file tokyo-confg on host 172.16.2.155? [confirm] y
# Writing tokyo-confg!!! [OK]

Copying Configuration Files By Using FTP

You can copy configuration files to or from an FTP server.

Preparing to Download or Upload a Configuration File By Using FTP

Before you begin downloading or uploading a configuration file by using FTP, do these tasks:
• Ensure that the switch has a route to the FTP server. The switch and the FTP server must be in the same subnetwork if you do not have a router to route traffic between subnets.

This example shows how to copy a configuration file named host1-confg from the netadmin1 directory on the remote server with an IP address of 172.16.101.101 and to load and run those commands on the switch:
Switch# copy ftp://netadmin1:mypass@172.16.101.101/host1-confg system:running-config
Configure using host1-confg from 172.16.101.101? [confirm]
Connected to 172.16.101.

Step 6   end
         Return to privileged EXEC mode.
Step 7   copy system:running-config ftp:[[[//[username[:password]@]location]/directory]file
         Using FTP, store the switch running or startup configuration file to the specified location.
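The copy URL syntax in Step 7 allows a username and password to be embedded directly in the command line, as the FTP example above does; those credentials then live on in terminal logs and command history. As an added example that is not from the guide, this Python code parses that URL form and scans a set of captured command lines for inline passwords, returning them redacted; the log lines are constructed, with the FTP and TFTP lines taken from the examples on this page.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Cisco IOS copy URL, per the FTP syntax shown in this appendix:
#   scheme:[[[//[username[:password]@]location]/directory]file
# Assumption: the password contains neither '@' nor '/'.
_URL_RE = re.compile(
    r"^(?P<scheme>[a-z][a-z0-9]*):"
    r"(?://(?:(?P<user>[^:@/]+)(?::(?P<password>[^@/]*))?@)?(?P<host>[^/]+))?"
    r"(?P<path>.*)$"
)

# A URL token inside a longer command line (only remote schemes have //).
_URL_TOKEN = re.compile(r"\b[a-z][a-z0-9]*://\S+")


@dataclass(frozen=True)
class CopyUrl:
    scheme: str
    username: Optional[str]
    password: Optional[str]
    location: Optional[str]
    path: str


def parse_copy_url(url: str) -> CopyUrl:
    """Split a copy URL into its parts. Local file systems such as flash:
    or system: simply have no //location section."""
    m = _URL_RE.match(url)
    if not m:
        raise ValueError(f"not a copy URL: {url!r}")
    return CopyUrl(m["scheme"], m["user"], m["password"], m["host"], m["path"])


def redact(url: str) -> str:
    """Return the URL with any inline password replaced by ****."""
    u = parse_copy_url(url)
    if u.password is None:
        return url
    return f"{u.scheme}://{u.username}:****@{u.location}{u.path}"


def find_inline_passwords(lines: List[str]) -> List[Tuple[int, str]]:
    """Scan command lines (for example a saved terminal session) and return
    (line number, redacted line) for every line whose remote-copy URL
    carries a username:password pair."""
    hits = []
    for n, line in enumerate(lines, 1):
        leaking = [t for t in _URL_TOKEN.findall(line)
                   if parse_copy_url(t).password is not None]
        if leaking:
            for t in leaking:
                line = line.replace(t, redact(t))
            hits.append((n, line))
    return hits


# Constructed terminal log; lines 1 and 2 are the appendix's own examples.
SAMPLE_LOG = [
    "Switch# copy system:running-config tftp://172.16.2.155/tokyo-confg",
    "Switch# copy ftp://netadmin1:mypass@172.16.101.101/host1-confg system:running-config",
    "Switch# copy rcp://netadmin1@172.16.101.101/host1-confg flash:host1-confg",
]

if __name__ == "__main__":
    for lineno, redacted in find_inline_passwords(SAMPLE_LOG):
        print(f"line {lineno}: inline password found: {redacted}")
```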
Appendix B Working with the Cisco IOS File System, Configuration Files, and Software Images Working with Configuration Files • The remote username associated with the current TTY (terminal) process. For example, if the user is connected to the router through Telnet and was authenticated through the username command, the switch software sends the Telnet username as the remote username. • The switch hostname.
Appendix B Working with the Cisco IOS File System, Configuration Files, and Software Images Working with Configuration Files Downloading a Configuration File By Using RCP Beginning in privileged EXEC mode, follow these steps to download a configuration file by using RCP: Command Purpose Step 1 Verify that the RCP server is properly configured by referring to the “Preparing to Download or Upload a Configuration File By Using RCP” section on page B-16.
Appendix B Working with the Cisco IOS File System, Configuration Files, and Software Images Working with Configuration Files Uploading a Configuration File By Using RCP Beginning in privileged EXEC mode, follow these steps to upload a configuration file by using RCP: Command Purpose Step 1 Verify that the RCP server is properly configured by referring to the “Preparing to Download or Upload a Configuration File By Using RCP” section on page B-16.
Appendix B Working with the Cisco IOS File System, Configuration Files, and Software Images Working with Software Images Clearing the Startup Configuration File To clear the contents of your startup configuration, use the erase nvram: or the erase startup-config privileged EXEC command. Caution You cannot restore the startup configuration file after it has been deleted.
Appendix B Working with the Cisco IOS File System, Configuration Files, and Software Images Working with Software Images Note • Copying Image Files By Using FTP, page B-24 • Copying Image Files By Using RCP, page B-29 For a list of software images and the supported upgrade paths, see the release notes. Image Location on the Switch The Cisco IOS image is stored as a .bin file in a directory that shows the version number. A subdirectory contains the files needed for web management.
Table B-3  info File Description

Field                 Description
version_suffix        Specifies the Cisco IOS image version string suffix
version_directory     Specifies the directory where the Cisco IOS image and the HTML subdirectory are installed
image_name            Specifies the name of the Cisco IOS image within the tar file
ios_image_file_size   Specifies the Cisco IOS image size in the tar file, which is
Note  You must restart the inetd daemon after modifying the /etc/inetd.conf and /etc/services files. To restart the daemon, either stop the inetd process and restart it, or enter a fastboot command (on SunOS 4.x) or a reboot command (on Solaris 2.x or SunOS 5.x). For more information on the TFTP daemon, see the documentation for your workstation.
Step 3  archive download-sw /overwrite /reload tftp:[[//location]/directory]/image-name.tar
        Download the image file from the TFTP server to the switch, and overwrite the current image.

Step 4  archive download-sw /leave-old-sw /reload tftp:[[//location]/directory]/image-name.
Uploading an Image File By Using TFTP

You can upload an image from the switch to a TFTP server. You can later download this image to the switch or to another switch of the same type. Use the upload feature only if the web management pages associated with the embedded device manager have been installed with the existing image.
These sections contain this configuration information:

• Preparing to Download or Upload an Image File By Using FTP, page B-25
• Downloading an Image File By Using FTP, page B-26
• Uploading an Image File By Using FTP, page B-28

Preparing to Download or Upload an Image File By Using FTP

You can copy image files to or from an FTP server.
Before you begin downloading or uploading an image file by using FTP, do these tasks:

• Ensure that the switch has a route to the FTP server. The switch and the FTP server must be in the same subnetwork if you do not have a router to route traffic between subnets. Check connectivity to the FTP server by using the ping command.
Step 7  archive download-sw /overwrite /reload ftp:[[//username[:password]@location]/directory]/image-name.tar
        Download the image file from the FTP server to the switch, and overwrite the current image.
        • The /overwrite option overwrites the software image in flash memory with the downloaded image.

FTP carries the username, the password, and the image in cleartext, and a password typed into the URL is also kept in the command history, so use a dedicated, least-privileged FTP account for image transfers and do not reuse an administrative password in it.

Step 8
The algorithm installs the downloaded image onto the system board flash device (flash:). The image is placed into a new directory named with the software version string, and the BOOT environment variable is updated to point to the newly installed image.
The archive upload-sw command builds an image file on the server by uploading these files in order: info, the Cisco IOS image, and the web management files. After these files are uploaded, the upload algorithm creates the tar file format.

Caution  For the download and upload algorithms to operate properly, do not rename image names.
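Table B-3 and the description of the archive upload-sw tar layout above together specify what a valid image tar looks like: an info file carrying the version and image fields, the Cisco IOS .bin under the version directory, and the web management files beside it. A practitioner staging an image on the TFTP, FTP, or RCP server can check exactly that before any switch downloads it. The Python below is an added example, not code from this guide or from Cisco. It assumes that the info file is made of key: value lines, that the image and an html subdirectory sit under version_directory inside the tar, and that a SHA-256 digest of the tar is available from a trusted source out of band; the sample tar, its dummy image, and the image name used in the sample are constructed here so the check runs offline.

```python
"""Pre-upgrade check of a Catalyst image tar on the file server.

Added example, not code from the Cisco guide or from Cisco. The info syntax
("key: value" lines), the member paths inside the tar, and the source of the
expected digest are assumptions; the sample tar is constructed in memory.
"""
import hashlib
import io
import tarfile

# Fields the guide's Table B-3 describes and that this check requires in info.
INFO_FIELDS = ("version_suffix", "version_directory", "image_name", "ios_image_file_size")


def sha256_hex(data):
    """Hex SHA-256 of the whole tar, compared with a digest obtained out of band."""
    return hashlib.sha256(data).hexdigest()


def _add_member(tar, name, data):
    member = tarfile.TarInfo(name)
    member.size = len(data)
    tar.addfile(member, io.BytesIO(data))


def build_image_tar(version_suffix, version_dir, image_name, image_bytes, html_files, stored_as=None):
    """Build a tar in the order archive upload-sw writes it: info, image, web files.

    stored_as stores the image under a different name than info declares; that is
    the renaming the guide's Caution warns against, and the check must catch it.
    """
    out = io.BytesIO()
    with tarfile.open(fileobj=out, mode="w") as tar:
        info_text = (
            f"version_suffix: {version_suffix}\n"
            f"version_directory: {version_dir}\n"
            f"image_name: {image_name}\n"
            f"ios_image_file_size: {len(image_bytes)}\n"
            "info_end:\n"
        )
        _add_member(tar, "info", info_text.encode())
        _add_member(tar, f"{version_dir}/{stored_as or image_name}", image_bytes)
        for name, data in html_files.items():
            _add_member(tar, f"{version_dir}/html/{name}", data)
    return out.getvalue()


def parse_info(text):
    """Parse the assumed "key: value" lines of an info file into a dict."""
    fields = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if sep:
            fields[key.strip()] = value.strip()
    return fields


def verify_image_tar(tar_bytes, expected_sha256=None):
    """Return (ok, problems) for an image tar about to be served to switches.

    Checks: the file matches the out-of-band digest; info is the first member and
    carries the Table B-3 fields; the image info names exists under
    version_directory with the declared size; the html subdirectory is present;
    and every member lies under version_directory (nothing else belongs in the tar).
    """
    problems = []
    if expected_sha256 is not None and sha256_hex(tar_bytes) != expected_sha256:
        problems.append(f"sha256 mismatch: got {sha256_hex(tar_bytes)}")
    with tarfile.open(fileobj=io.BytesIO(tar_bytes), mode="r") as tar:
        names = tar.getnames()
        if not names or names[0] != "info":
            return False, problems + ["info is missing or is not the first member"]
        fields = parse_info(tar.extractfile("info").read().decode())
        missing = [f for f in INFO_FIELDS if f not in fields]
        if missing:
            return False, problems + ["info lacks " + ", ".join(missing)]
        version_dir, image_name = fields["version_directory"], fields["image_name"]
        image_path = f"{version_dir}/{image_name}"
        try:
            image = tar.getmember(image_path)
        except KeyError:
            problems.append(f"{image_path} not in tar: image renamed or info edited")
        else:
            if image.size != int(fields["ios_image_file_size"]):
                problems.append(f"image is {image.size} bytes, info says {fields['ios_image_file_size']}")
        if not any(n.startswith(f"{version_dir}/html/") for n in names):
            problems.append("no html subdirectory: web management files are missing")
        for n in names[1:]:
            parts = n.split("/")
            if parts[0] != version_dir or ".." in parts:
                problems.append(f"member outside version directory: {n}")
    return not problems, problems


if __name__ == "__main__":
    # Constructed sample: the directory and image names are assumed, and a 1 KiB
    # block of zeros stands in for the real .bin.
    sample = build_image_tar("25.FX", "c2960-lanbase-mz.122-25.FX",
                             "c2960-lanbase-mz.122-25.FX.bin", b"\x00" * 1024,
                             {"index.html": b"<html></html>"})
    print(verify_image_tar(sample, sha256_hex(sample)))
```

Run it on the staged file with verify_image_tar(open(path, "rb").read(), expected_digest) before pointing any switch at the server. A renamed image or an edited info file fails the check, which is the failure the Caution about renaming describes, and a digest mismatch catches a tar that was altered on or on the way to the server, the copy every switch would otherwise install.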
• The remote username associated with the current TTY (terminal) process. For example, if the user is connected to the switch through Telnet and was authenticated through the username command, the switch software sends the Telnet username as the remote username.
• The switch hostname.

RCP authenticates the transfer only by this username and the switch's source address, and, like TFTP and FTP, it moves the file in cleartext, so the RCP server's trust list should name only the switches it serves.
Downloading an Image File By Using RCP

You can download a new image file and replace or keep the current image. Beginning in privileged EXEC mode, follow Steps 1 through 6 to download a new image from an RCP server and overwrite the existing image. To keep the current image, go to Step 7.
Step 7  archive download-sw /leave-old-sw /reload rcp:[[[//[username@]location]/directory]/image-name.tar]
        Download the image file from the RCP server to the switch, and keep the current image.
        • The /leave-old-sw option keeps the old software version after a download.
Beginning in privileged EXEC mode, follow these steps to upload an image to an RCP server:

Step 1  Verify that the RCP server is properly configured by referring to the “Preparing to Download or Upload an Image File By Using RCP” section on page B-29.
Step 2  Log into the switch through the console port or a Telnet session.
Catalyst 2960 Switch Software Configuration Guide B-34 78-16881-01
Appendix C  Recommendations for Upgrading a Catalyst 2950 Switch to a Catalyst 2960 Switch

This appendix describes the configuration compatibility issues and the feature behavior differences that you might encounter when you upgrade a Catalyst 2950 switch to a Catalyst 2960 switch.
Configuration Compatibility Issues

Table C-1  Catalyst 2950 and 2960 Switch Configuration Incompatibilities

Feature: AAA
Catalyst 2950 Switch Command and Explanation: These global configuration commands are in Cisco IOS 12.1EA:
Result on the Catalyst 2960 Switch: When Cisco IOS 12.2E was restructured, these commands were intentionally removed and are not supported in Cisco IOS 12.2SE.
Table C-1  Catalyst 2950 and 2960 Switch Configuration Incompatibilities (continued)

Feature: IEEE 802.1x
Catalyst 2950 Switch Command and Explanation: In Cisco IOS 12.1EA, the Catalyst 2950 switch ranges for the IEEE 802.1x server-timeout, supp-timeout, and tx-period are 1 to 65535.
Table C-1  Catalyst 2950 and 2960 Switch Configuration Incompatibilities (continued)

Feature: QoS (2)
Catalyst 2950 Switch Command and Explanation: There is limited QoS configuration compatibility between the Catalyst 2950 switch and the Catalyst 2960 switch.
Result on the Catalyst 2960 Switch: The Catalyst 2960 switch accepts the auto qos command and generates QoS commands that are approp
Table C-1  Catalyst 2950 and 2960 Switch Configuration Incompatibilities (continued)

Feature: RSPAN (3)
Catalyst 2950 Switch Command and Explanation: You have to specify one port as the reflector port with this global configuration command:
Result on the Catalyst 2960 Switch: Because of advanced hardware in the Catalyst 2960 switch, you do not need to configure a reflector port.
Feature Behavior Incompatibilities

• QoS  The Catalyst 2960 switch uses different port hardware than the Catalyst 2950 switch, and more QoS features are offered on the Catalyst 2960 switch. For example, the Catalyst 2950 switch supports WRR scheduling, whereas the Catalyst 2960 switch supports SRR scheduling.
Appendix D  Unsupported Commands in Cisco IOS Release 12.2(25)FX

This appendix lists some of the command-line interface (CLI) commands that appear when you enter the question mark (?) at the Catalyst 2960 switch prompt but are not supported in this release, either because they are not tested or because of Catalyst 2960 hardware limitations. This is not a complete list. The unsupported commands are listed by software feature and command mode.
Miscellaneous

Note  Use the show ip igmp snooping groups privileged EXEC command to display Layer 2 multicast address-table entries for a VLAN.
Unsupported vlan-config Command

private-vlan

Unsupported User EXEC Commands

show running-config vlan
show vlan ifindex
show vlan private-vlan

VTP

Unsupported Privileged EXEC Commands

vtp {password password | pruning | version number}

Note  This command has been replaced by the vtp global configuration command.