Catalyst 2950 and Catalyst 2955 Switch Software Configuration Guide Cisco IOS Release 12.1(20)EA2 May 2004 Corporate Headquarters Cisco Systems, Inc. 170 West Tasman Drive San Jose, CA 95134-1706 USA http://www.cisco.
THE SPECIFICATIONS AND INFORMATION REGARDING THE PRODUCTS IN THIS MANUAL ARE SUBJECT TO CHANGE WITHOUT NOTICE. ALL STATEMENTS, INFORMATION, AND RECOMMENDATIONS IN THIS MANUAL ARE BELIEVED TO BE ACCURATE BUT ARE PRESENTED WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED. USERS MUST TAKE FULL RESPONSIBILITY FOR THEIR APPLICATION OF ANY PRODUCTS.
C O N T E N T S Preface xxix Audience Purpose xxix xxix Conventions xxx Related Publications xxxi Obtaining Documentation xxxi Cisco.
Contents CHAPTER 2 Using the Command-Line Interface Cisco IOS Command Modes Getting Help 2-1 2-1 2-3 Abbreviating Commands 2-4 Using no and default Forms of Commands Understanding CLI Messages 2-4 2-5 Using Command History 2-5 Changing the Command History Buffer Size 2-5 Recalling Commands 2-6 Disabling the Command History Feature 2-6 Using Editing Features 2-6 Enabling and Disabling Editing Features 2-6 Editing Commands through Keystrokes 2-7 Editing Command Lines that Wrap 2-8 Searching and Fi
Contents Configuring Alarm Profiles 3-9 Creating or Modifying an Alarm Profile 3-9 Attaching an Alarm Profile to a Specific Port Enabling SNMP Traps 3-11 Displaying Catalyst 2955 Switch Alarms Status CHAPTER 4 Getting Started with CMS 3-10 3-11 4-1 Understanding CMS 4-1 Front Panel View 4-1 Topology View 4-2 CMS Menu Bar, Toolbar, and Feature Bar 4-2 Online Help 4-5 Configuration Modes 4-5 Guide Mode 4-5 Expert Mode 4-6 Wizards 4-6 Privilege Levels 4-7 Access to Older Switches in a Cluster 4-7 Confi
Contents CHAPTER 5 Assigning the Switch IP Address and Default Gateway Understanding the Boot Process 5-1 5-1 Assigning Switch Information 5-2 Default Switch Information 5-3 Understanding DHCP-Based Autoconfiguration 5-3 DHCP Client Request Process 5-4 Configuring DHCP-Based Autoconfiguration 5-5 DHCP Server Configuration Guidelines 5-5 Configuring the TFTP Server 5-6 Configuring the DNS 5-7 Configuring the Relay Device 5-7 Obtaining Configuration Files 5-8 Example Configuration 5-9 Manually Assigning
Contents Understanding CNS Embedded Agents 6-5 Initial Configuration 6-5 Incremental (Partial) Configuration 6-6 Synchronized Configuration 6-6 Configuring CNS Embedded Agents 6-6 Enabling Automated CNS Configuration 6-6 Enabling the CNS Event Agent 6-8 Enabling the CNS Configuration Agent 6-9 Enabling an Initial Configuration 6-9 Enabling a Partial Configuration 6-12 Displaying CNS Configuration CHAPTER 7 Clustering Switches 6-13 7-1 Understanding Switch Clusters 7-2 Command Switch Characteristics 7
Contents Creating a Switch Cluster 7-18 Enabling a Command Switch 7-18 Adding Member Switches 7-19 Creating a Cluster Standby Group 7-21 Verifying a Switch Cluster 7-22 Using the CLI to Manage Switch Clusters 7-23 Catalyst 1900 and Catalyst 2820 CLI Considerations Using SNMP to Manage Switch Clusters CHAPTER 8 Administering the Switch 7-24 7-24 8-1 Managing the System Time and Date 8-1 Understanding the System Clock 8-1 Understanding Network Time Protocol 8-2 Configuring NTP 8-3 Default NTP Configur
Contents Managing the MAC Address Table 8-21 Building the Address Table 8-22 MAC Addresses and VLANs 8-22 Default MAC Address Table Configuration 8-23 Changing the Address Aging Time 8-23 Removing Dynamic Address Entries 8-24 Configuring MAC Address Notification Traps 8-24 Adding and Removing Static Address Entries 8-26 Configuring Unicast MAC Address Filtering 8-27 Displaying Address Table Entries 8-28 Managing the ARP Table CHAPTER 9 8-28 Configuring Switch-Based Authentication 9-1 Preventing Unaut
Contents Configuring RADIUS 9-20 Default RADIUS Configuration 9-20 Identifying the RADIUS Server Host 9-21 Configuring RADIUS Login Authentication 9-23 Defining AAA Server Groups 9-25 Configuring RADIUS Authorization for User Privileged Access and Network Services 9-27 Starting RADIUS Accounting 9-28 Configuring Settings for All RADIUS Servers 9-29 Configuring the Switch to Use Vendor-Specific RADIUS Attributes 9-29 Configuring the Switch for Vendor-Proprietary RADIUS Server Communication 9-30 Displaying t
Contents Configuring the Switch-to-RADIUS-Server Communication 10-13 Enabling Periodic Re-Authentication 10-14 Manually Re-Authenticating a Client Connected to a Port 10-15 Changing the Quiet Period 10-15 Changing the Switch-to-Client Retransmission Time 10-15 Setting the Switch-to-Client Frame-Retransmission Number 10-16 Configuring the Host Mode 10-17 Configuring a Guest VLAN 10-18 Resetting the 802.1x Configuration to the Default Values 10-18 Configuring 802.1x Authentication 10-19 Configuring 802.
Contents CHAPTER 12 Configuring Smartports Macros 12-1 Understanding Smartports Macros 12-1 Configuring Smartports Macros 12-2 Default Smartports Macro Configuration 12-2 Smartports Macro Configuration Guidelines 12-3 Creating Smartports Macros 12-4 Applying Smartports Macros 12-5 Applying Cisco-default Smartports Macros 12-6 Displaying Smartports Macros CHAPTER 13 Configuring LRE 12-8 13-1 Understanding LRE Features 13-1 Ports on the Catalyst 2950 LRE Switches LRE Links and LRE Profiles 13-2 L
Contents Configuring CPE Toggle 13-22 Configuring Syslog Export 13-22 Upgrading LRE Switch Firmware 13-23 Configuring for an LRE Upgrade 13-24 Performing an LRE Upgrade 13-24 Global Configuration of LRE Upgrades 13-25 Controller Configuration of LRE Upgrades 13-25 LRE Upgrade Details 13-26 LRE Upgrade Example 13-26 Displaying LRE Status CHAPTER 14 Configuring STP 13-27 14-1 Understanding Spanning-Tree Features 14-1 STP Overview 14-2 Spanning-Tree Topology and BPDUs 14-3 Bridge ID, Switch Priority, an
Contents Configuring the Switch Priority of a VLAN 14-20 Configuring Spanning-Tree Timers 14-21 Configuring the Hello Time 14-21 Configuring the Forwarding-Delay Time for a VLAN 14-22 Configuring the Maximum-Aging Time for a VLAN 14-22 Configuring Spanning Tree for Use in a Cascaded Stack 14-23 Displaying the Spanning-Tree Status CHAPTER 15 Configuring MSTP 14-24 15-1 Understanding MSTP 15-2 Multiple Spanning-Tree Regions 15-2 IST, CIST, and CST 15-2 Operations Within an MST Region 15-3 Operations Be
Contents Specifying the Link Type to Ensure Rapid Transitions Restarting the Protocol Migration Process 15-22 Displaying the MST Configuration and Status CHAPTER 16 Configuring Optional Spanning-Tree Features 15-22 15-23 16-1 Understanding Optional Spanning-Tree Features 16-1 Understanding Port Fast 16-2 Understanding BPDU Guard 16-2 Understanding BPDU Filtering 16-3 Understanding UplinkFast 16-3 Understanding Cross-Stack UplinkFast 16-5 How CSUF Works 16-5 Events that Cause Fast Convergence 16-7 Li
Contents Configuring Normal-Range VLANs 17-4 Token Ring VLANs 17-5 Normal-Range VLAN Configuration Guidelines 17-5 VLAN Configuration Mode Options 17-6 VLAN Configuration in config-vlan Mode 17-6 VLAN Configuration in VLAN Configuration Mode Saving VLAN Configuration 17-7 Default Ethernet VLAN Configuration 17-7 Creating or Modifying an Ethernet VLAN 17-8 Deleting a VLAN 17-10 Assigning Static-Access Ports to a VLAN 17-11 Configuring Extended-Range VLANs 17-12 Default VLAN Configuration 17-12 Extended-Rang
Contents Configuring the VMPS Client 17-28 Entering the IP Address of the VMPS 17-28 Configuring Dynamic Access Ports on VMPS Clients 17-28 Reconfirming VLAN Memberships 17-29 Changing the Reconfirmation Interval 17-29 Changing the Retry Count 17-30 Monitoring the VMPS 17-30 Troubleshooting Dynamic Port VLAN Membership 17-31 VMPS Configuration Example 17-31 CHAPTER 18 Configuring VTP 18-1 Understanding VTP 18-1 The VTP Domain 18-2 VTP Modes 18-3 VTP Advertisements 18-3 VTP Version 2 18-4 VTP Pruning 1
Contents CHAPTER 19 Configuring Voice VLAN 19-1 Understanding Voice VLAN 19-1 Configuring Voice VLAN 19-2 Default Voice VLAN Configuration 19-2 Voice VLAN Configuration Guidelines 19-3 Configuring a Port to Connect to a Cisco 7960 IP Phone 19-3 Configuring Ports to Carry Voice Traffic in 802.1Q Frames 19-4 Configuring Ports to Carry Voice Traffic in 802.
Contents Configuring IGMP Snooping 21-6 Default IGMP Snooping Configuration 21-6 Enabling or Disabling IGMP Snooping 21-7 Setting the Snooping Method 21-8 Configuring a Multicast Router Port 21-9 Configuring a Host Statically to Join a Group 21-10 Enabling IGMP Immediate-Leave Processing 21-10 Disabling IGMP Report Suppression 21-11 Disabling IP Multicast-Source-Only Learning 21-11 Configuring the Aging Time 21-12 Displaying IGMP Snooping Information 21-13 Understanding Multicast VLAN Registration 21-14
Contents Configuring Port Security 22-7 Understanding Port Security 22-7 Secure MAC Addresses 22-7 Security Violations 22-8 Default Port Security Configuration 22-9 Port Security Configuration Guidelines 22-9 Enabling and Configuring Port Security 22-10 Enabling and Configuring Port Security Aging 22-12 Displaying Port-Based Traffic Control Settings CHAPTER 23 Configuring UDLD 22-13 23-1 Understanding UDLD 23-1 Modes of Operation 23-1 Methods to Detect Unidirectional Links 23-2 Configuring UDLD 23-
Contents CHAPTER 25 Configuring SPAN and RSPAN 25-1 Understanding SPAN and RSPAN 25-1 SPAN and RSPAN Concepts and Terminology 25-3 SPAN Session 25-3 Traffic Types 25-3 Source Port 25-4 Destination Port 25-4 Reflector Port 25-5 SPAN Traffic 25-5 SPAN and RSPAN Interaction with Other Features 25-5 SPAN and RSPAN Session Limits 25-6 Default SPAN and RSPAN Configuration 25-7 Configuring SPAN 25-7 SPAN Configuration Guidelines 25-7 Creating a SPAN Session and Specifying Ports to Monitor 25-8 Creating a SPAN
Contents CHAPTER 27 Configuring System Message Logging 27-1 Understanding System Message Logging 27-1 Configuring System Message Logging 27-2 System Log Message Format 27-2 Default System Message Logging Configuration 27-3 Disabling and Enabling Message Logging 27-4 Setting the Message Display Destination Device 27-4 Synchronizing Log Messages 27-6 Enabling and Disabling Timestamps on Log Messages 27-7 Enabling and Disabling Sequence Numbers in Log Messages 27-8 Defining the Message Severity Level 27
Contents CHAPTER 29 Configuring Network Security with ACLs 29-1 Understanding ACLs 29-2 Handling Fragmented and Unfragmented Traffic 29-3 Understanding Access Control Parameters 29-4 Guidelines for Applying ACLs to Physical Interfaces 29-5 Configuring ACLs 29-6 Unsupported Features 29-7 Creating Standard and Extended IP ACLs 29-7 ACL Numbers 29-8 Creating a Numbered Standard ACL 29-9 Creating a Numbered Extended ACL 29-10 Creating Named Standard and Extended ACLs 29-13 Applying Time Ranges to ACLs 29-1
Contents Queueing and Scheduling 30-8 How Class of Service Works Port Priority 30-8 Port Scheduling 30-8 Egress CoS Queues 30-9 30-8 Configuring Auto-QoS 30-9 Generated Auto-QoS Configuration 30-10 Effects of Auto-QoS on the Configuration 30-13 Configuration Guidelines 30-13 Upgrading from a Previous Software Release 30-14 Enabling Auto-QoS for VoIP 30-14 Displaying Auto-QoS Information 30-15 Auto-QoS Configuration Example 30-16 Configuring Standard QoS 30-18 Default Standard QoS Configuration 30-18
Contents CHAPTER 31 Configuring EtherChannels 31-1 Understanding EtherChannels 31-1 Understanding Port-Channel Interfaces 31-2 Understanding the Port Aggregation Protocol and Link Aggregation Protocol PAgP and LACP Modes 31-4 Physical Learners and Aggregate-Port Learners 31-5 PAgP and LACP Interaction with Other Features 31-6 Understanding Load Balancing and Forwarding Methods 31-6 31-3 Configuring EtherChannels 31-7 Default EtherChannel Configuration 31-8 EtherChannel Configuration Guidelines 31-8 C
Contents Using Layer 2 Traceroute 32-16 Understanding Layer 2 Traceroute 32-16 Usage Guidelines 32-17 Displaying the Physical Path 32-18 Diagnosing LRE Connection Problems 32-18 Using Debug Commands 32-19 Enabling Debugging on a Specific Feature 32-20 Enabling All-System Diagnostics 32-20 Redirecting Debug and Error Message Output 32-21 Using the debug auto qos Command 32-21 Using the show controllers Commands Using the crashinfo File APPENDIX A Supported MIBs MIB List 32-23 A-1 A-1 Using FTP to A
Contents Copying Configuration Files By Using FTP B-12 Preparing to Download or Upload a Configuration File By Using FTP B-13 Downloading a Configuration File By Using FTP B-13 Uploading a Configuration File By Using FTP B-14 Copying Configuration Files By Using RCP B-15 Preparing to Download or Upload a Configuration File By Using RCP B-16 Downloading a Configuration File By Using RCP B-17 Uploading a Configuration File By Using RCP B-18 Clearing Configuration Information B-19 Clearing the Startup Configu
Contents Catalyst 2950 and Catalyst 2955 Switch Software Configuration Guide xxviii 78-11380-10
Preface Audience This guide is for the networking professional managing the Catalyst 2950 and 2955 switches, hereafter referred to as the switches. Before using this guide, you should have experience working with the Cisco IOS and be familiar with the concepts and terminology of Ethernet and local area networking. Purpose This guide provides the information you need to configure software features on your switch.
Preface Conventions This guide provides procedures for using the commands that have been created or changed for use with the switch. It does not provide detailed information about these commands. For detailed information about these commands, refer to the command reference for this release. This guide does not repeat the concepts and CLI procedures provided in the standard Cisco IOS Release 12.1 documentation. For information about the standard Cisco IOS Release 12.
Related Publications These documents provide complete information about the switch and are available from this Cisco.com site: http://www.cisco.com/univercd/cc/td/doc/product/lan/cat2950/index.htm You can order printed copies of documents with a DOC-xxxxxx= number from the Cisco.com sites and from the telephone numbers listed in the “Obtaining Documentation” section on page xxxi.
Preface Documentation Feedback You can access international Cisco websites at this URL: http://www.cisco.com/public/countries_languages.shtml Ordering Documentation You can find instructions for ordering documentation at this URL: http://www.cisco.com/univercd/cc/td/doc/es_inpck/pdi.htm You can order Cisco documentation in these ways: • Registered Cisco.com users (Cisco direct customers) can order Cisco product documentation from the Ordering tool: http://www.cisco.com/en/US/partner/ordering/index.
Preface Obtaining Technical Assistance Cisco Technical Support Website The Cisco Technical Support Website provides online documents and tools for troubleshooting and resolving technical issues with Cisco products and technologies. The website is available 24 hours a day, 365 days a year at this URL: http://www.cisco.com/techsupport Access to all tools on the Cisco Technical Support Website requires a Cisco.com user ID and password.
Obtaining Additional Publications and Information Information about Cisco products, technologies, and network solutions is available from various online and printed sources. • Cisco Marketplace provides a variety of Cisco books, reference guides, and logo merchandise. Visit Cisco Marketplace, the company store, at this URL: http://www.cisco.
C H A P T E R 1 Overview
This chapter provides these topics about the Catalyst 2950 and Catalyst 2955 switch software:
• Features, page 1-1
• Management Options, page 1-8
• Network Configuration Examples, page 1-10
• Where to Go Next, page 1-22
Note In this document, IP refers to IP version 4 (IPv4). Layer 3 IP version 6 (IPv6) packets are treated as non-IP packets.
Features
The switch software supports the switches listed in Table 1-1 and in the release notes.
Table 1-1 Switches Supported (continued)
Switch                 Software Image
Catalyst 2955C-12      EI
Catalyst 2955S-12      EI
Catalyst 2955T-12      EI
1. SI = standard software image
2. EI = enhanced software image
Certain Cisco Long-Reach Ethernet (LRE) customer premises equipment (CPE) devices are not supported by certain Catalyst 2950 LRE switches. In Table 1-2, Yes means that the CPE is supported by the switch; No means that the CPE is not supported by the switch.
• Hot Standby Router Protocol (HSRP) for command-switch redundancy. The redundant command switches used for HSRP must have compatible software releases. See the “Advantages of Using CMS and Clustering Switches” section on page 1-9.
Note For the CMS, software, and browser requirements and for the cluster hardware and software requirements, refer to Chapter 4, “Getting Started with CMS,” and the release notes.
Note DHCP replaces the Bootstrap Protocol (BOOTP) autoconfiguration feature to ensure retrieval of configuration files by unicast TFTP messages. BOOTP is available in earlier software releases for this switch.
• IEEE 802.1s Multiple Spanning Tree Protocol (MSTP) for grouping VLANs into a spanning-tree instance and for providing multiple forwarding paths for data traffic and load balancing, and rapid per-VLAN Spanning-Tree plus (rapid-PVST+) based on the IEEE 802.
• DHCP snooping to filter untrusted DHCP messages between untrusted hosts and DHCP servers (available only with the EI)
• Multilevel security for a choice of security level, notification, and resulting actions
• MAC-based port-level security for restricting the use of a switch port to a specific group of source addresses and preventing switch access from unauthorized stations (available only with the EI)
• TACACS+, a proprietary feature for managing network security thr
Monitoring
• Switch LEDs that provide visual port and switch status
• Switched Port Analyzer (SPAN) and Remote SPAN (RSPAN) for traffic monitoring on any port or VLAN
Note RSPAN is available only in the EI.
• Upstream power back-off mechanism for normalization of the upstream receive power levels by requiring the CPE devices on shorter lines to transmit at a lower power level than the CPEs on longer lines
• Support for sending LRE debugging messages to the LRE message logging process and to the system message logging process
Management Options
The switch is designed for plug-and-play operation: you only need to assign basic IP information to the switch and connect i
Advantages of Using CMS and Clustering Switches
Using CMS and switch clusters can simplify and minimize your configuration and monitoring tasks. You can use Cisco switch clustering technology to manage up to 16 interconnected and supported Catalyst switches through one IP address as if they were a single entity. This can conserve IP addresses if you have a limited number of them.
Network Configuration Examples
This section provides network configuration concepts and includes examples of using the switch to create dedicated network segments and interconnecting the segments through Fast Ethernet and Gigabit Ethernet connections.
Table 1-4 Providing Network Services
Network Demands: High demand for multimedia support
Suggested Design Methods: • Use IGMP and MVR to efficiently forward multicast traffic.
Network Demands: High demand for protecting mission-critical applications
Suggested Design Methods: • Use VLANs and protected ports to provide security and port isolation.
– GigaStack GBIC module for creating a 1-Gbps stack configuration of up to nine supported switches. The GigaStack GBIC supports one full-duplex link (in a point-to-point configuration) or up to nine half-duplex links (in a stack configuration) to other Gigabit Ethernet devices. Using the required Cisco proprietary signaling and cabling, the GigaStack GBIC-to-GigaStack GBIC connection cannot exceed 3 feet (1 meter).
Small to Medium-Sized Network Configuration
Figure 1-2 shows a configuration for a network that has up to 250 users. Users in this network require e-mail, file-sharing, database, and Internet access. You optimize network performance by placing workstations on the same logical segment as the servers they access most often.
Servers are connected to the GBIC module ports on the switches, allowing 1-Gbps throughput to users when needed. When the switch and server ports are configured for full-duplex operation, the links provide 2 Gbps of bandwidth. For networks that do not require Gigabit performance from a server, connect the server to a Fast Ethernet or Fast EtherChannel switch port.
Figure 1-3 Collapsed Backbone and Switch Cluster Configuration (figure not reproduced)
Note All telephones not directly connected to the hotel room CPE device require microfilters with a 300-ohm termination. Microfilters improve voice call quality when voice and data equipment are using the same telephone line. They also prevent nonfiltered telephone rings and nonfiltered telephone transitions (such as on-hook to off-hook) from interrupting the Ethernet connection.
Figure 1-4 Network Hotel Configuration (figure not reproduced)
Service-Provider Central-Office Configuration
Figure 1-5 shows the Catalyst 2950ST-24 LRE 997 switches in a service-provider central-office network environment. The Catalyst 2950ST-24 LRE 997 switches have a DC-input power supply and are compliant with the VDSL 997 band plan. The Catalyst 2950 LRE switches are located in a central office and are connected to the Cisco 576 LRE 997 CPE devices located in different buildings.
Figure 1-5 Service Provider Central Office Configuration (figure not reproduced)
Large Campus Configuration
Figure 1-6 shows a configuration for a network of more than 1000 users.
Figure 1-6 Large Campus Configuration (figure not reproduced)
Multidwelling Network Using Catalyst 2950 Switches
A growing seg
All ports on the residential Catalyst 2950 and 2955 switches (and Catalyst LRE switches if they are included) are configured as 802.1Q trunks with protected port and STP root guard features enabled. The protected port feature provides security and isolation between ports on the switch, ensuring that subscribers cannot view packets destined for other subscribers. STP root guard prevents unauthorized devices from becoming the STP root switch.
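The residential-port configuration described above, written out as an added example that is not part of the original guide; the interface range is an assumption chosen for illustration.

```cisco
! Added example (not from the guide): subscriber-facing ports on a residential
! Catalyst 2950, as described above. The interface range is assumed.
Switch# configure terminal
Switch(config)# interface range FastEthernet 0/1 - 24
! Carry each subscriber's traffic as an 802.1Q trunk.
Switch(config-if-range)# switchport mode trunk
! Protected port: frames are not forwarded between protected ports on this
! switch, so one subscriber cannot see traffic destined for another.
Switch(config-if-range)# switchport protected
! Root guard: a superior BPDU received on a subscriber port puts that port into
! the root-inconsistent (blocking) state instead of letting the device become root.
Switch(config-if-range)# spanning-tree guard root
Switch(config-if-range)# end
! Verification: "Protected: true" in the switchport output, and any port that has
! received a superior BPDU appears in the inconsistent-ports list.
Switch# show interfaces FastEthernet 0/1 switchport
Switch# show spanning-tree inconsistentports
```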
Long-Distance, High-Bandwidth Transport Configuration
Note To use the feature described in this section, you must have the EI installed on your switch.
Figure 1-8 shows a configuration for transporting 8 Gigabits of data over a single fiber-optic cable. The Catalyst switches have Coarse Wave Division Multiplexer (CWDM) fiber-optic GBIC modules installed. Depending on the CWDM GBIC module, data is sent at wavelengths from 1470 nm to 1610 nm.
C H A P T E R 2 Using the Command-Line Interface This chapter describes the Cisco IOS command-line interface (CLI) that you can use to configure your Catalyst 2950 and Catalyst 2955 switches.
Cisco IOS Command Modes
Table 2-1 describes the main command modes, how to access each one, the prompt you see in that mode, and how to exit the mode. The examples in the table use the host name Switch.
Table 2-1 Command Mode Summary
Mode: User EXEC
Access Method: Begin a session with your switch.
Prompt: Switch>
Exit Method: Enter logout or quit.
About This Mode: Use this mode to
• Change terminal settings.
• Perform basic tests.
Table 2-1 Command Mode Summary (continued)
Mode: Interface configuration
Access Method: While in global configuration mode, enter the interface command (with a specific interface).
Prompt: Switch(config-if)#
Exit Method: To exit to global configuration mode, enter exit.
Mode: Line configuration
Access Method: While in global configuration mode, specify a line with the line vty or line console command.
Table 2-2 Help Summary (continued)
Command: command ?
Purpose: List the associated keywords for a command. For example:
Switch> show ?
Command: command keyword ?
Purpose: List the associated arguments for a keyword. For example:
Switch(config)# cdp holdtime ?
<10-255> Length of time (in sec) that receiver must keep this packet
Abbreviating Commands
You have to enter only enough characters for the switch to recognize the command as unique.
Understanding CLI Messages
Table 2-3 lists some error messages that you might encounter while using the CLI to configure your switch.
Table 2-3 Common CLI Error Messages
Error Message: % Ambiguous command: "show con"
Meaning: You did not enter enough characters for your switch to recognize the command.
How to Get Help: Re-enter the command followed by a question mark (?) with a space between the command and the question mark.
Recalling Commands
To recall commands from the history buffer, perform one of the actions listed in Table 2-4:
Table 2-4 Recalling Commands
Action1: Press Ctrl-P or the up arrow key.
Result: Recall commands in the history buffer, beginning with the most recent command. Repeat the key sequence to recall successively older commands.
Action1: Press Ctrl-N or the down arrow key.
To reconfigure a specific line to have enhanced editing mode, enter this command in line configuration mode:
Switch(config-line)# editing
To globally disable enhanced editing mode, enter this command in line configuration mode:
Switch(config-line)# no editing
Editing Commands through Keystrokes
Table 2-5 shows the keystrokes that you need to edit command lines.
Table 2-5 Editing Commands through Keystrokes (continued)
Capability: Scroll down a line or screen on displays that are longer than the terminal screen can display.
Keystroke1: Press the Return key. Purpose: Scroll down one line.
Keystroke1: Press the Space bar. Purpose: Scroll down one screen.
Capability: Redisplay the current command line.
Keystroke1: Press Ctrl-L or Ctrl-R.
Use line wrapping with the command history feature to recall and modify previous complex command entries. For information about recalling previous command entries, see the “Editing Commands through Keystrokes” section on page 2-7.
Searching and Filtering Output of show and more Commands
You can search and filter the output for show and more commands.
Accessing the CLI from a Browser
This procedure assumes that you have met the software requirements (including browser and Java plug-in configurations) and have assigned IP information and a Telnet password to the switch or command switch, as described in the release notes. To access the CLI from a web browser, follow these steps:
Step 1 Start one of the supported browsers.
C H A P T E R 3 Configuring Catalyst 2955 Switch Alarms This section describes how to configure the different alarms for the Catalyst 2955 switch. Note The alarms described in this chapter are not available on the Catalyst 2950 switch. For complete syntax and usage information for the commands used in this chapter, refer to the switch command reference for this release.
Global Status Monitoring Alarms
The Catalyst 2955 switch contains facilities for processing alarms related to temperature and power supply conditions. These are referred to as global or facility alarms. Table 3-1 lists the three global alarms and their descriptions and functions.
Port Status Monitoring Alarms
The Catalyst 2955 switch can also monitor the status of the Ethernet ports and generate alarm messages based on the alarms listed in Table 3-2. To save user time and effort, the switch supports changing alarm configurations by using alarm profiles. You can create a number of profiles and assign one of these profiles to each Ethernet port.
• SNMP Traps
SNMP is an application-layer protocol that provides a message format for communication between managers and agents. The SNMP system consists of an SNMP manager, an SNMP agent, and a management information base (MIB). The snmp-server enable traps command can be modified in the Catalyst 2955 switch software to allow the user to send alarm traps to an SNMP server.
Configuring the Power Supply Alarm
This section describes how to configure the power supply alarm on your switch. It contains this configuration information:
• Setting the Power Mode, page 3-5
• Setting the Power Supply Alarm Options, page 3-5
Setting the Power Mode
The Catalyst 2955 switch has two DC power inputs. By default, the system operates in the single power mode.
To disable sending the alarm to a relay, to syslog, or to an SNMP server, use the no alarm facility power-supply relay, no alarm facility power-supply notifies, or no alarm facility power-supply syslog global configuration commands.
Associating the Temperature Alarms to a Relay
By default, the primary temperature alarm is associated to the major relay. You can use the alarm facility temperature command to associate the primary temperature alarm to the minor relay, to an SNMP trap, to a syslog message, or to associate the secondary temperature alarm to the major or minor relay, an SNMP trap, or a syslog message.
Setting the FCS Error Threshold
The switch generates an FCS bit error rate alarm when the actual FCS bit error rate is close to the configured FCS bit error rate. Use the fcs-threshold interface configuration command to set the FCS error threshold.
Use the no alarm facility fcs-hysteresis global configuration command to return the FCS error hysteresis threshold to its default value. Note The show running-config command displays the FCS error hysteresis only when it is set to a value other than the default. This example shows how to set the FCS error hysteresis at 5 percent.
This example creates or modifies the alarm profile fastE for the fastEthernetPort with link-down (alarmList ID 3) and an FCS error rate of 30 percent (alarmList ID 4) alarms enabled. The link-down alarm is connected to the minor relay, and the FCS error rate alarm is connected to the major relay. These alarms also send notifications to an SNMP server and send system messages to a syslog server.
This example detaches an alarm profile named fastE from a port.
Switch(config)# interface FastEthernet 0/2
Switch(config-if)# no alarm profile fastE
Enabling SNMP Traps Use the snmp-server enable traps alarms global configuration command to enable the switch to send alarm traps.
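The following is an added example, not one of the guide's own, that strings the commands of this chapter together on a Catalyst 2955: the power-supply and secondary temperature alarms are sent to syslog and as SNMP traps, an alarm profile puts the link-down (ID 3) and FCS error rate (ID 4) alarms on the minor and major relays, the profile is attached to one port, and trap delivery is enabled and pointed at a manager. The manager address 10.0.0.5, the community string and access list, the FastEthernet 0/2 port, and the fcs-threshold value are assumptions made for the example.

```cisco
! Added example; not from the configuration guide. Addresses, names and
! threshold values are assumptions.
Switch# configure terminal
! Power-supply alarm: major relay, syslog message and SNMP trap
Switch(config)# alarm facility power-supply relay major
Switch(config)# alarm facility power-supply syslog
Switch(config)# alarm facility power-supply notifies
! Secondary temperature alarm: syslog and trap only, no relay
Switch(config)# alarm facility temperature secondary syslog
Switch(config)# alarm facility temperature secondary notifies
! Port alarm profile: link-down (ID 3) on the minor relay, FCS error
! rate (ID 4) on the major relay, both reported to SNMP and syslog
Switch(config)# alarm profile fastE
Switch(config-alarm-prof)# alarm 3 4
Switch(config-alarm-prof)# relay minor 3
Switch(config-alarm-prof)# relay major 4
Switch(config-alarm-prof)# notifies 3 4
Switch(config-alarm-prof)# syslog 3 4
Switch(config-alarm-prof)# exit
! Attach the profile and set the per-port FCS threshold (the value is an
! assumption; check the fcs-threshold command reference for the range)
Switch(config)# interface FastEthernet 0/2
Switch(config-if)# fcs-threshold 8
Switch(config-if)# alarm profile fastE
Switch(config-if)# exit
! Alarm traps leave the switch only when a trap host is configured.
! Bind the community to the manager with an access list; SNMPv2c traps
! are neither authenticated nor encrypted on the wire.
Switch(config)# access-list 10 permit host 10.0.0.5
Switch(config)# snmp-server community alarmro RO 10
Switch(config)# snmp-server enable traps alarms
Switch(config)# snmp-server host 10.0.0.5 version 2c alarmro
Switch(config)# end
! Verify the profile, the current alarm state and what was saved
Switch# show alarm profile
Switch# show facility-alarm status
Switch# show running-config | include alarm|snmp-server
```

The access list only limits who may poll with the community string; traps are sent to the configured host regardless. Because the trap carries the community string in cleartext, keep the manager on the management segment and treat the string as read-only.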
CHAPTER 4 Getting Started with CMS This chapter contains these sections that describe the Cluster Management Suite (CMS) on the Catalyst 2950 or Catalyst 2955 switch: • “Understanding CMS” section on page 4-1 • “Configuring CMS” section on page 4-7 • “Displaying CMS” section on page 4-10 • “Where to Go Next” section on page 4-15 For a list of new CMS features in this release, select Help > What’s New? from the CMS menu bar.
Topology View The Topology view displays a network map that uses icons representing switch clusters, the command switch, cluster members, cluster candidates, neighboring devices that are not eligible to join a cluster, and link types. You can also display link information in the form of link reports and link graphs. For more information, see the “Displaying CMS” section on page 4-10.
Table 4-1 Toolbar Buttons (continued)
Toolbar Option: Task
Port Settings: Display and configure port parameters on a switch.
Smartports Device Macros: Display or configure Smartports macros on a switch.
Smartports Port Macros: Display or configure Smartports macros on a port.
VLAN: Display VLAN membership, assign ports to VLANs, and change the administration mode.
Figure 4-2 Features Tab and Search Tab (1: Features tab; 2: Search tab) Note Only features supported by the devices in your cluster are displayed in the feature bar. You can search for features that are available for your cluster by clicking Search and entering a feature name, as shown in Figure 4-2. Access modes affect the availability of features from CMS. Some CMS features are not available in read-only mode.
Online Help CMS provides comprehensive online help to assist you in understanding and performing configuration and monitoring tasks from the CMS windows. Online help is available for features that are supported by devices in your cluster. Sometimes the information in a topic differs for different cluster members. In these cases, the right pane contains all the versions of the topic, each labeled with the host names of the members it applies to.
Figure 4-3 Guide Mode and Wizards (1: Guide mode icon; 2: Wizards) Guide mode is not available if your switch access level is read-only. For more information about the read-only access mode, see the “Privilege Levels” section on page 4-7. Expert Mode Expert mode is for users who prefer to display all the parameter fields of a feature in a single CMS window. You can view information about the parameter fields by clicking the Help button.
Privilege Levels CMS provides two levels of access to the configuration options: read-write access and read-only access. To access CMS at a particular privilege level, specify that level in the URL that you use to access the cluster. For example, for privilege level 13, enter this URL: http://ip_address/level/13 Privilege levels 0 to 15 are supported. • Privilege level 15 provides read-write access to CMS. This is the default.
CMS Requirements This section describes the hardware and software requirements for running CMS: • “Minimum Hardware Configuration” section on page 4-8 • “Operating System and Browser Support” section on page 4-8 • “CMS Plug-In” section on page 4-9 • “Specifying an HTTP Port (Nondefault Configuration Only)” section on page 4-10 • “Configuring an Authentication Method (Nondefault Configuration Only)” section on page 4-10 Note The software requi
CMS Plug-In You need to install the CMS plug-in to run CMS with your web browser. The plug-in is supported both in Windows environments and on Solaris platforms. For more information about the CMS plug-in, including the URL, refer to the "Software Compatibility" section in the release notes. Note If you need to both upgrade your web browser and install the CMS plug-in, you must upgrade your browser first.
Specifying an HTTP Port (Nondefault Configuration Only) If you change the HTTP port, you must include the new port number when you enter the IP address in the browser Location or Address field (for example, http://10.1.126.45:184 where 184 is the new HTTP port number). You should write down the port number to which you are connected. Use care when changing the switch IP information.
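The following is an added example, not the guide's own configuration, showing the switch-side settings behind the last three sections: the HTTP server on the nondefault port 184, local accounts at privilege level 15 (read-write) and 13 (read-only, reached through the /level/13 URL form), and an access list that limits which hosts can reach CMS at all. The addresses, access list number, user names and secrets are assumptions.

```cisco
! Added example; not the guide's own configuration. Port, addresses,
! access list number, user names and secrets are assumptions.
Switch# configure terminal
Switch(config)# ip http server
! Nondefault port: the browser URL becomes http://10.1.126.45:184
Switch(config)# ip http port 184
! Local accounts. Privilege 15 gives read-write CMS access at the plain
! URL; privilege 13 is read-only and is reached with
! http://10.1.126.45:184/level/13. If this release rejects the secret
! keyword, use password together with service password-encryption.
Switch(config)# enable secret <enable-secret>
Switch(config)# username netadmin privilege 15 secret <rw-secret>
Switch(config)# username helpdesk privilege 13 secret <ro-secret>
Switch(config)# ip http authentication local
! CMS travels over plain HTTP, so restrict the server to the
! management subnet rather than relying on the password alone
Switch(config)# access-list 11 permit 10.1.126.0 0.0.0.255
Switch(config)# ip http access-class 11
Switch(config)# end
Switch# show running-config | include ip http|username
```

Where a TACACS+ or RADIUS server is available, ip http authentication aaa replaces the local user database and keeps the CMS accounts consistent across the cluster, which matters for the authentication considerations discussed in the clustering chapter.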
The switch home page appears, as shown in Figure 4-4. Figure 4-4 Switch Home Page The switch home page has these tabs: • Express Setup—Opens the Express Setup page Note You can use Express Setup to assign an IP address to an unconfigured switch. For more information, refer to the hardware installation guide.
If you are running an unsupported operating system, web browser, CMS plug-in or Java plug-in, or if the plug-in is not enabled, the CMS Startup Report page appears, as shown in Figure 4-5. Figure 4-5 CMS Startup Report The CMS Startup Report has links that instruct you how to correctly configure your PC or workstation. If the CMS Startup Report appears, click the links, and follow the instructions to configure your PC or workstation.
Front Panel View When CMS is launched from a command switch, you can display the Front Panel view by clicking the Front Panel button on the tool bar, as shown in Figure 4-6. Figure 4-6 Toolbar (1: Front Panel view button; 2: Topology view button) When CMS is launched from a noncommand switch, the CMS Front Panel view displays by default, and the front-panel image displays only the front panel of that switch.
Note Figure 4-7 shows a cluster with a Catalyst 3550 switch as the command switch. Refer to the release notes for a list of switches that can be members of a cluster with a Catalyst 2950 or a Catalyst 2955 switch as the command switch. Topology View When CMS is launched from a command switch, the Topology view appears by default.
The Topology view shows how the devices within a switch cluster are connected and how the switch cluster is connected to other clusters and devices. From this view, you can add and remove cluster members. This view provides two levels of detail of the network topology: • Expand Cluster—When you right-click a cluster icon and select Expand Cluster, the Topology view displays the switch cluster in detail.
CHAPTER 5 Assigning the Switch IP Address and Default Gateway This chapter describes how to create the initial switch configuration (for example, assign the switch IP address and default gateway information) for the Catalyst 2950 or Catalyst 2955 switch by using a variety of automatic and manual methods. It also describes how to modify the switch startup configuration only on the Catalyst 2950 Long-Reach Ethernet (LRE) switches.
The boot loader provides access to the flash file system before the operating system is loaded. Normally, the boot loader is used only to load, uncompress, and launch the operating system. After the boot loader gives the operating system control of the CPU, the boot loader is not active until the next system reset or power-on.
CLI-based setup program also allows you to configure your switch as a command or member switch of a cluster or as a standalone switch. For more information about the Express Setup and CLI-based setup programs, refer to the hardware installation guide for your switch. Use a DHCP server for centralized control and automatic assignment of IP information after the server is configured.
With DHCP-based autoconfiguration, no DHCP client-side configuration is needed on your switch. However, you need to configure the DHCP server for various lease options associated with IP addresses. If you are using DHCP to relay the configuration file location on the network, you might also need to configure a TFTP server and a Domain Name System (DNS) server.
The DHCP server sends the client a DHCPNAK denial broadcast message, which means that the offered configuration parameters have not been assigned, that an error has occurred during the negotiation of the parameters, or that the client has been slow in responding to the DHCPOFFER message (the DHCP server assigned the parameters to another client).
If you want the switch to receive the configuration file from a TFTP server, you must configure the DHCP server with these lease options: • TFTP server name (required) • Boot filename (the name of the configuration file that the client needs) (recommended) • Host name (optional) Depending on the settings of the DHCP server, the switch can receive IP address information, the configuration file, or both.
Configuring the DNS The DHCP server uses the DNS server to resolve the TFTP server name to an IP address. You must configure the TFTP server name-to-IP address map on the DNS server. The TFTP server contains the configuration files for the switch. You can configure the IP addresses of the DNS servers in the lease database of the DHCP server so that the DHCP replies carry them to the switch.
Obtaining Configuration Files Depending on the availability of the IP address and the configuration filename in the DHCP reserved lease, the switch obtains its configuration information in these ways: • The IP address and the configuration filename are reserved for the switch and provided in the DHCP reply (one-file read method).
Example Configuration Figure 5-3 shows a sample network for retrieving IP information by using DHCP-based autoconfiguration. Figure 5-3 DHCP-Based Autoconfiguration Network Example (Switch 1 through Switch 4 with MAC addresses 00e0.9f1e.2001, 00e0.9f1e.2002, 00e0.9f1e.2003 and 00e0.9f1e.2004; Cisco router 10.0.0.10; DHCP server 10.0.0.2; DNS server 10.0.0.3; TFTP server (tftpserver) 10.0.0.)
switchb-confg switchc-confg switchd-confg
prompt> cat network-confg
ip host switch1 10.0.0.21
ip host switch2 10.0.0.22
ip host switch3 10.0.0.23
ip host switch4 10.0.0.24
DHCP Client Configuration No configuration file is present on Switch A through Switch D. Configuration Explanation In Figure 5-3, Switch A reads its configuration file as follows: • It obtains its IP address 10.0.0.21 from the DHCP server.
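The following is an added example, not the guide's own, covering the server side of the Figure 5-3 topology that the preceding sections describe. The first part is the relay configuration the Cisco router at 10.0.0.10 needs when the switches are on a different segment from the DHCP server at 10.0.0.2. The second part is an alternative that runs the DHCP server on the router itself with the Cisco IOS DHCP server, expressing the reserved leases (fixed address, TFTP server name as option 66, configuration file name as option 67, DNS server, default gateway) that the text lists as required or recommended. The router interface name, pool names and the /24 mask are assumptions; the MAC addresses, host addresses, file names and server addresses follow Figure 5-3.

```cisco
! Added example; not the guide's own. Interface name, pool names and
! mask are assumptions; addresses, MACs and file names follow Figure 5-3.
!
! --- Part 1: relay (guide topology, external DHCP server 10.0.0.2) ---
! The interface facing the switches forwards their DHCP broadcasts
Router(config)# interface FastEthernet 0/1
Router(config-if)# ip helper-address 10.0.0.2
Router(config-if)# exit
!
! --- Part 2: alternative, the IOS DHCP server on the router itself ---
! Keep the server/infrastructure addresses out of the dynamic range
Router(config)# ip dhcp excluded-address 10.0.0.1 10.0.0.20
! One manual binding per switch. An IOS DHCP client normally sends a
! client identifier (option 61) of 01 + MAC; a client that sends none
! is matched with "hardware-address 00e0.9f1e.2001" instead. Use
! "debug ip dhcp server packet" to see which one a switch sends.
Router(config)# ip dhcp pool switcha
Router(dhcp-config)# host 10.0.0.21 255.255.255.0
Router(dhcp-config)# client-identifier 0100.e09f.1e20.01
Router(dhcp-config)# default-router 10.0.0.10
Router(dhcp-config)# dns-server 10.0.0.3
! option 66 = TFTP server name (must resolve through 10.0.0.3),
! option 67 = the switch's configuration file on that server
Router(dhcp-config)# option 66 ascii tftpserver
Router(dhcp-config)# option 67 ascii switcha-confg
Router(dhcp-config)# exit
Router(config)# ip dhcp pool switchb
Router(dhcp-config)# host 10.0.0.22 255.255.255.0
Router(dhcp-config)# client-identifier 0100.e09f.1e20.02
Router(dhcp-config)# default-router 10.0.0.10
Router(dhcp-config)# dns-server 10.0.0.3
Router(dhcp-config)# option 66 ascii tftpserver
Router(dhcp-config)# option 67 ascii switchb-confg
Router(dhcp-config)# exit
! switchc (00e0.9f1e.2003 / 10.0.0.23 / switchc-confg) and
! switchd (00e0.9f1e.2004 / 10.0.0.24 / switchd-confg) follow the
! same pattern.
!
! Verify after the switches have booted
Router# show ip dhcp binding
```

Nothing in this exchange is authenticated: a switch with no configuration file takes its address, its TFTP server and its entire configuration from whichever DHCP server answers first. Keep the provisioning segment isolated, do not leave `ip helper-address` pointing at a server you do not control, and remove `cns`/DHCP bootstrapping once the switch has been configured.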
Command Purpose
Step 8 show ip redirects Verify the configured default gateway.
Step 9 copy running-config startup-config (Optional) Save your entries in the configuration file.
To remove the switch IP address, use the no ip address interface configuration command. If you are removing the address through a Telnet session, your connection to the switch will be lost.
Default Boot Configuration Table 5-3 shows the default boot configuration.
Table 5-3 Default Boot Configuration
Feature: Operating system software image. Default Setting: The switch attempts to automatically boot the system using information in the BOOT environment variable.
To return to the default setting, use the no boot config-file global configuration command. Booting Manually By default, the switch automatically boots; however, you can configure it to manually boot. Beginning in privileged EXEC mode, follow these steps to configure the switch to manually boot during the next boot cycle:
Command Purpose
Step 1 configure terminal Enter global configuration mode.
Beginning in privileged EXEC mode, follow these steps to configure the switch to boot a specific image during the next boot cycle:
Command Purpose
Step 1 configure terminal Enter global configuration mode.
Step 2 boot system filesystem:/file-url Configure the switch to boot a specific image in flash memory during the next boot cycle. • For filesystem:, use flash: for the system board flash device.
Environment variables store two kinds of data: • Data that controls code that does not read the Cisco IOS configuration file. For example, the name of a boot loader helper file, which extends or patches the functionality of the boot loader, can be stored as an environment variable. • Data that controls code that is responsible for reading the Cisco IOS configuration file.
Table 5-5 Environment Variables (continued)
Variable: CONFIG_FILE
Boot Loader Command: set CONFIG_FILE flash:/file-url. Changes the filename that the software uses to read and write a nonvolatile copy of the system configuration.
Cisco IOS Global Configuration Command: boot config-file flash:/file-url. Specifies the filename that the software uses to read and write a nonvolatile copy of the system configuration.
Note Use the at keyword only if the switch system clock has been set (through Network Time Protocol (NTP), the hardware calendar, or manually). The time is relative to the configured time zone on the switch. To schedule reloads across several switches to occur simultaneously, the time on each switch must be synchronized with NTP. The reload command halts the system.
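The following is an added example, not the guide's own, that carries the boot-configuration and scheduled-reload procedures of this section through on one switch: the image and configuration file are pinned from global configuration mode, the same two settings are shown as boot loader environment variables, and a reload is scheduled for a maintenance window only after the clock is checked. The image path, configuration file name, date, and reload reason are assumptions.

```cisco
! Added example; not the guide's own. Image path, file name, date and
! reload reason are assumptions.
Switch# configure terminal
! Pin the image and the nonvolatile configuration file the software uses
Switch(config)# boot system flash:/c2950-i6q4l2-mz.121-20.EA2/c2950-i6q4l2-mz.121-20.EA2.bin
Switch(config)# boot config-file flash:/config.text
! Keep automatic boot. "boot manual" would stop at the boot loader
! prompt on the next reset and wait for someone at the console.
Switch(config)# no boot manual
Switch(config)# end
Switch# copy running-config startup-config
! BOOT, CONFIG_FILE and MANUAL_BOOT as the switch now sees them
Switch# show boot
!
! The same settings from the boot loader prompt, for a switch that was
! set to boot manually or whose boot was interrupted (see Table 5-5):
switch: set BOOT flash:/c2950-i6q4l2-mz.121-20.EA2/c2950-i6q4l2-mz.121-20.EA2.bin
switch: set CONFIG_FILE flash:/config.text
switch: boot
!
! Scheduled reload. "reload at" is only meaningful with a synchronized
! clock, so check NTP first; "reload in" counts minutes and needs none.
Switch# show ntp status
Switch# reload at 02:00 15 May Upgrade to 12.1(20)EA2
Switch# show reload
! Back out if the window is cancelled
Switch# reload cancel
```

Anyone with console access at the boot loader prompt can change BOOT and CONFIG_FILE, which is why the boot loader is the path used for password recovery. `boot manual` does not protect the switch; it only changes who has to be present at reset. Physical and console-server access control is what protects these variables.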
CHAPTER 6 Configuring IE2100 CNS Agents This chapter describes how to configure the Intelligence Engine 2100 (IE2100) Series Cisco Networking Services (CNS) embedded agents on your Catalyst 2950 or Catalyst 2955 switch. To use the feature described in this chapter, you must have the enhanced software image (EI) installed on your switch.
Figure 6-1 Configuration Registrar Architectural Overview (the configuration registrar in the service provider network comprises a data service directory, a configuration server, an event service and a web-based user interface, driven by order entry configuration management) These sections contain this conceptual information: • CNS Configuration Service, page 6-2 • CNS Event Service, page 6-3 • What You Should Know About ConfigID, Devi
CNS Event Service The Configuration Registrar uses the CNS Event Service for receipt and generation of configuration events. The CNS event agent resides on the switch and facilitates the communication between the switch and the event gateway on the Configuration Registrar. The CNS Event Service is a highly scalable publish-and-subscribe communication method.
DeviceID Each configured switch participating on the event bus has a unique deviceID, which is analogous to the switch source address so that the switch can be targeted as a specific destination on the bus. All switches configured with the cns config partial global configuration command must access the event bus.
Understanding CNS Embedded Agents The CNS event agent feature allows the switch to publish and subscribe to events on the event bus and works with the CNS configuration agent.
Incremental (Partial) Configuration After the network is running, new services can be added by using the CNS configuration agent. Incremental (partial) configurations can be sent to the switch. The actual configuration can be sent as an event payload by way of the event gateway (push operation) or as a signal event that triggers the switch to initiate a pull operation.
Table 6-1 Prerequisites for Enabling Automatic Configuration
Device: Required Configuration
Access switch: Factory default (no configuration file)
Distribution switch: IP helper address; enable DHCP relay agent; IP routing (if used as default gateway)
DHCP server: IP address assignment; TFTP server IP address; path to bootstrap configuration file on the TFTP ser
Enabling the CNS Event Agent Note You must enable the CNS event agent on the switch before you enable the CNS configuration agent. Beginning in privileged EXEC mode, follow these steps to enable the CNS event agent on the switch:
Command Purpose
Step 1 configure terminal Enter global configuration mode.
Enabling the CNS Configuration Agent After enabling the CNS event agent, start the CNS configuration agent on the switch. You can enable the configuration agent with these commands: • The cns config initial global configuration command enables the configuration agent and initiates an initial configuration on the switch.
Command Purpose
Step 6 ip route network-number Establish a static route to the Configuration Registrar whose IP address is network-number.
Step 7 cns id interface num {dns-reverse | ipaddress | mac-address} [event] Set the unique eventID or configID used by the Configuration Registrar.
Command Purpose
Step 8 cns config initial {ip-address | hostname} [port-number] [event] [no-persist] [page page] [source ip-address] [syntax-check] Enable the configuration agent, and initiate an initial configuration. • For {ip-address | hostname}, enter the IP address or the host name of the configuration server. • (Optional) For port-number, enter the port number of the configuration server. The default port number is 80.
Enabling a Partial Configuration Beginning in privileged EXEC mode, follow these steps to enable the CNS configuration agent and to initiate a partial configuration on the switch:
Command Purpose
Step 1 configure terminal Enter global configuration mode.
Step 2 cns config partial {ip-address | hostname} [port-number] [source ip-address] Enable the configuration agent, and initiate a partial configuration.
Displaying CNS Configuration You can use the privileged EXEC commands in Table 6-2 to display CNS Configuration information.
Table 6-2 Displaying CNS Configuration
Command Purpose
show cns config connections Displays the status of the CNS configuration agent connections.
show cns config outstanding Displays information about incremental (partial) CNS configurations that have started but are not yet completed.
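The following is an added example, not the guide's own, that runs the procedures of this chapter in the required order on one switch: reachability to the Configuration Registrar, the configID and eventID, the event agent (which must come first), the initial configuration pull with a syntax check, and finally the partial-configuration agent, followed by the display commands of Table 6-2. The registrar address 172.16.1.10, the event port 11011, the keepalive values, the host name and the VLAN 1 identifier are assumptions.

```cisco
! Added example; not the guide's own. Registrar address, ports, host
! name and keepalive values are assumptions.
Switch# configure terminal
Switch(config)# hostname switch1
! The registrar must be reachable. The guide's procedure uses a static
! ip route; on a Layer 2 switch a default gateway serves the same purpose.
Switch(config)# ip default-gateway 10.0.0.10
! Identifiers the registrar keys on: configID for the configuration
! service and eventID for the event bus, both taken from the VLAN 1 address
Switch(config)# cns id vlan 1 ipaddress
Switch(config)# cns id vlan 1 ipaddress event
! Event agent first (required before the configuration agent): event
! gateway on TCP 11011, keepalive every 120 s, 3 retries before giving up
Switch(config)# cns event 172.16.1.10 11011 keepalive 120 3
! Configuration agent: pull the initial configuration over HTTP port 80,
! syntax-check it before applying, and report success/failure as an event
Switch(config)# cns config initial 172.16.1.10 80 event syntax-check
! Then accept incremental (partial) configurations pushed as event
! payloads or signalled for pull through the event gateway
Switch(config)# cns config partial 172.16.1.10 80
Switch(config)# end
! Verify agent state
Switch# show cns event connections
Switch# show cns config connections
Switch# show cns config outstanding
```

The initial and partial configurations arrive over plain HTTP from whatever host answers at the configured address, and the switch applies them as privileged configuration. Reach the registrar only across a protected management network, and use `syntax-check` so a malformed push is rejected rather than half-applied.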
CHAPTER 7 Clustering Switches This chapter provides these topics to help you get started with switch clustering: • Understanding Switch Clusters, page 7-2 • Planning a Switch Cluster, page 7-5 • Creating a Switch Cluster, page 7-18 • Using the CLI to Manage Switch Clusters, page 7-23 • Using SNMP to Manage Switch Clusters, page 7-24 Configuring switch clusters is more easily done from the Cluster Management Suite (CMS) web-based interface than through the command-line interface (CLI).
Understanding Switch Clusters A switch cluster is a group of connected Catalyst switches that are managed as a single entity. In a switch cluster, 1 switch must be the command switch and up to 15 switches can be member switches. The total number of switches in a cluster cannot exceed 16 switches. The command switch is the single point of access used to configure, manage, and monitor the member switches.
Command Switch Characteristics A Catalyst 2950 or Catalyst 2955 command switch must meet these requirements: • It is running Cisco IOS Release 12.0(5.2)WC(1) or later. • It has an IP address. • It has Cisco Discovery Protocol (CDP) Version 2 enabled (the default). • It is not a command or member switch of another cluster.
• If a non-LRE Catalyst 2950 standby command switch is running a release earlier than Cisco IOS Release 12.1(9)EA1, it is connected to the command switch and to other standby command switches and member switches through its management VLAN. Note Non-LRE Catalyst 2950 command switches running Cisco IOS Release 12.1(9)EA1 or later can connect to standby command switches in the management VLAN.
Planning a Switch Cluster Anticipating conflicts and compatibility issues is a high priority when you manage several switches through a cluster.
Discovery through CDP Hops By using CDP, a command switch can discover switches up to seven CDP hops away (the default is three hops) from the edge of the cluster. The edge of the cluster is where the last member switches are connected to the cluster and to candidate switches. For example, member switches 9 and 10 in Figure 7-1 are at the edge of the cluster.
Figure 7-2 Discovery through CDP Hops (Non-LRE Catalyst 2950 Command Switch Running Cisco IOS Release 12.
Discovery through the Same Management VLAN A Catalyst 2900 XL command switch, a Catalyst 3500 XL command switch, or a non-LRE Catalyst 2950 command switch running a release earlier than Cisco IOS Release 12.1(9)EA1 must connect to all cluster members through its management VLAN. The default management VLAN is VLAN 1. For more information about management VLANs, see the “Management VLAN” section on page 7-16.
Discovery through Different Management VLANs We recommend using as a command switch a Catalyst 3550 switch, a Catalyst 2955 switch, a Catalyst 2950 LRE switch, a non-LRE Catalyst 2950 switch running Cisco IOS Release 12.1(9)EA1 or later, or a Catalyst 2940 switch. These command switches can discover and manage member switches in different VLANs and different management VLANs.
Discovery of Newly Installed Switches To join a cluster, the new, out-of-the-box switch must be connected to the cluster through one of its access ports. An access port (AP) carries the traffic of and belongs to the management VLAN. By default, the new switch and its access ports are assigned to management VLAN 1. When the new switch joins a cluster, its default management VLAN changes to the VLAN of the immediately upstream neighbor.
Figure 7-7 Discovery of Newly Installed Switches in Different Management VLANs (the command switch reaches Switch A in VLAN 9 and Switch B in VLAN 16; each has an access port (AP) to a new, out-of-box candidate switch) HSRP and Standby Command Switches The switch supports Hot Standby Router Protocol (HSRP) so that you can configure a group of standby command switches.
standby priority interface configuration command in the Cisco IOS Release 12.1 documentation set. The HSRP commands are the same for changing the priority of cluster standby group members and router-redundancy group members. Note The HSRP standby hold time interval should be greater than or equal to 3 times the hello time interval. The default HSRP standby hold time interval is 10 seconds. The default HSRP standby hello time interval is 3 seconds.
– When the command switch is a non-LRE Catalyst 2950 switch running Cisco IOS Release 12.1(6)EA2 or later, all standby command switches must be non-LRE Catalyst 2950 switches running Cisco IOS Release 12.1(6)EA2 or later. – When the command switch is running Cisco IOS Release 12.0(5)WC2 or earlier, the standby command switches can be these switches: Catalyst 2900 XL, non-LRE Catalyst 2950, and Catalyst 3500 XL switches.
Automatic Recovery of Cluster Configuration The active command switch continually forwards cluster-configuration information (but not device-configuration information) to the standby command switch. This ensures that the standby command switch can take over the cluster immediately after the active command switch fails.
Host Names You do not need to assign a host name to either a command switch or an eligible cluster member. However, a host name assigned to the command switch can help to identify the switch cluster. The default host name for the switch is Switch. If a switch joins a cluster and it does not have a host name, the command switch appends a unique member number to its own host name and assigns it sequentially as each switch joins the cluster.
TACACS+ and RADIUS Inconsistent authentication configurations in switch clusters cause CMS to continually prompt for a user name and password. If TACACS+ is configured on a cluster member, it must be configured on all cluster members. Similarly, if RADIUS is configured on a cluster member, it must be configured on all cluster members.
• If the command switch is a Catalyst 2950 running Cisco IOS Release 12.1(9)EA1 or later or a Catalyst 2955, candidate and member switches can belong to different management VLANs. However, they must connect to the command switch through their management VLAN. • Catalyst 2950 standby command switches running Cisco IOS Release 12.
Creating a Switch Cluster Using CMS to create a cluster is easier than using the CLI commands.
Figure 7-9 Create Cluster Window (enter up to 31 characters to name the cluster) Adding Member Switches As explained in the “Automatic Discovery of Cluster Candidates and Members” section on page 7-5, the command switch automatically discovers candidate switches. When you add new cluster-capable switches to the network, the command switch discovers them and adds them to a list of candidate switches.
For additional authentication considerations in switch clusters, see the “TACACS+ and RADIUS” section on page 7-16. Figure 7-10 Add to Cluster Window (select a switch, and click Add; press Ctrl and left-click to select more than one switch; enter the password of the candidate switch, or leave the field blank if the switch has no password; a thin line means a connection to a candidate switch)
Creating a Cluster Standby Group The cluster standby group members must meet the requirements described in the “Standby Command Switch Characteristics” section on page 7-3 and “HSRP and Standby Command Switches” section on page 7-11. To create a cluster standby group, select Cluster > Standby Command Switches (Figure 7-12).
Figure 7-12 Standby Command Configuration Window (the window lists the active command switch and the standby command switch; the address entered must be a valid IP address in the same subnet as the active command switch, and once entered, this information cannot be changed)
Figure 7-13 Inventory Window If you lose connectivity with a member switch or if a command switch fails, see the “Using Recovery Procedures” section on page 32-1. For more information about creating and managing clusters, refer to the online help.
Catalyst 1900 and Catalyst 2820 CLI Considerations If your switch cluster has Catalyst 1900 and Catalyst 2820 switches running standard edition software, the Telnet session accesses the management console (a menu-driven interface) if the command switch is at privilege level 15. If the command switch is at privilege level 1 to 14, you are prompted for the password to access the menu console.
Figure 7-14 SNMP Management for a Cluster (the SNMP manager receives Trap 1, Trap 2 and Trap 3 from the command switch, which forwards the traps generated by Member 1, Member 2 and Member 3)
Chapter 8 Administering the Switch

This chapter describes how to perform one-time operations to administer your Catalyst 2950 or Catalyst 2955 switch.
Managing the System Time and Date

The system clock can provide time to these services:
• User show commands
• Logging and debugging messages

The system clock keeps track of time internally based on Coordinated Universal Time (UTC), also known as Greenwich Mean Time (GMT). You can configure information about the local time zone and summer time (daylight saving time) so that the time appears correctly for the local time zone.
Figure 8-1 Typical NTP Network Configuration (Switch A through Switch F, local workgroup servers, and workstations).

If the network is isolated from the Internet, Cisco’s implementation of NTP allows a device to act as though it is synchronized through NTP, when in fact it has determined the time by using other means. Other devices then synchronize to that device through NTP.
This section contains this configuration information:
• Default NTP Configuration, page 8-4
• Configuring NTP Authentication, page 8-4
• Configuring NTP Associations, page 8-6
• Configuring NTP Broadcast Service, page 8-7
• Configuring NTP Access Restrictions, page 8-8
• Configuring the Source IP Address for NTP Packets, page 8-10
• Displaying the NTP Configuration, page 8-11

Default NTP Configuration

Table 8-1 shows the d
Beginning in privileged EXEC mode, follow these steps to authenticate the associations (communications between devices running NTP that provide for accurate timekeeping) with other devices for security purposes:

Step 1  configure terminal
        Enter global configuration mode.
Step 2  ntp authenticate
        Enable the NTP authentication feature, which is disabled by default.
Configuring NTP Associations

An NTP association can be a peer association (this switch can either synchronize to the other device or allow the other device to synchronize to it), or it can be a server association (meaning that only this switch synchronizes to the other device, and not the other way around).
Configuring NTP Broadcast Service

The communications between devices running NTP (known as associations) are usually statically configured; each device is given the IP addresses of all devices with which it should form associations. Accurate timekeeping is possible by exchanging NTP messages between each pair of devices with an association. However, in a LAN environment, NTP can be configured to use IP broadcast messages instead.
Beginning in privileged EXEC mode, follow these steps to configure the switch to receive NTP broadcast packets from connected peers:

Step 1  configure terminal
        Enter global configuration mode.
Step 2  interface interface-id
        Specify the interface to receive NTP broadcast packets, and enter interface configuration mode.
Step 3  ntp broadcast client
        Enable the interface to receive NTP broadcast packets.
Creating an Access Group and Assigning a Basic IP Access List

Beginning in privileged EXEC mode, follow these steps to control access to NTP services by using access lists:

Step 1  configure terminal
        Enter global configuration mode.
Step 2  ntp access-group {query-only | serve-only | serve | peer} access-list-number
        Create an access group, and apply a basic IP access list.
If the source IP address matches the access lists for more than one access type, the first type is granted; the access types are scanned in the order peer, serve, serve-only, query-only, from least to most restrictive. If no access groups are specified, all access types are granted to all devices. If any access groups are specified, only the specified access types are granted. To remove access control to the switch NTP services, use the no ntp access-group {query-only | serve-only | serve | peer} global configuration command.
Beginning in privileged EXEC mode, follow these steps to configure a specific interface from which the IP source address is to be taken:

Step 1  configure terminal
        Enter global configuration mode.
Step 2  ntp source type number
        Specify the interface type and number from which the IP source address is taken. By default, the source address is determined by the outgoing interface.
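The NTP procedures above (authentication, server associations, access groups, and source interface) combined into one configuration, as an added example that is not part of the Cisco guide. The server addresses 10.1.1.10 and 10.1.1.11, the 10.1.0.0/16 management network, interface vlan 1, and the key string are placeholders.

```cisco
! Added example (not from the Cisco guide): authenticated NTP with access
! restrictions. Placeholder addresses and key; replace them for your site.
configure terminal
!
! 1. Authentication: accept time only from servers that produce a matching
!    MD5 keyed digest. The key must also be declared trusted.
ntp authenticate
ntp authentication-key 1 md5 s3cr3tNtpKey
ntp trusted-key 1
!
! 2. Server associations (one way: this switch synchronizes to them, they
!    never synchronize to it).
ntp server 10.1.1.10 key 1 prefer
ntp server 10.1.1.11 key 1
!
! 3. Access restriction. Types are scanned peer, serve, serve-only,
!    query-only (least to most restrictive); the first match wins.
!    - The two servers need "peer" so that the switch may synchronize to them.
!    - Management hosts may only request time (serve-only, no control queries).
!    - Everything else is denied as soon as any access-group exists.
access-list 10 permit host 10.1.1.10
access-list 10 permit host 10.1.1.11
access-list 20 permit 10.1.0.0 0.0.255.255
ntp access-group peer 10
ntp access-group serve-only 20
!
! 4. Source every NTP packet from the management SVI so the server-side
!    key and ACL entries match one stable address.
ntp source vlan 1
end
!
! Verification (privileged EXEC):
!   show ntp associations detail   (each server should show "authenticated")
!   show ntp status                (should report "Clock is synchronized")
```

If the switch stays unsynchronized after this, the usual cause is a key mismatch or a server that is matched only by serve or serve-only; serve and serve-only answer requests but do not let the switch synchronize to that device.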
Setting the System Clock

If you have an outside source on the network that provides time services, such as an NTP server, you do not need to manually set the system clock.

Beginning in privileged EXEC mode, follow these steps to set the system clock:

Step 1  clock set hh:mm:ss day month year
        Manually set the system clock using one of these formats.
Configuring the Time Zone

Beginning in privileged EXEC mode, follow these steps to manually configure the time zone:

Step 1  configure terminal
        Enter global configuration mode.
Step 2  clock timezone zone hours-offset [minutes-offset]
        Set the time zone. The switch keeps internal time in Coordinated Universal Time (UTC), so this command is used only for display purposes and when the time is manually set.
Configuring Summer Time (Daylight Saving Time)

Beginning in privileged EXEC mode, follow these steps to configure summer time (daylight saving time) in areas where it starts and ends on a particular day of the week each year:

Step 1  configure terminal
        Enter global configuration mode.
Step 2  clock summer-time zone recurring
        Configure summer time to start and end on the specified days every year.
Beginning in privileged EXEC mode, follow these steps if summer time in your area does not follow a recurring pattern (configure the exact date and time of the next summer time events):

Step 1  configure terminal
        Enter global configuration mode.
Step 2  clock summer-time zone date [month date year hh:mm month date year hh:mm
        Configure summer time to start on the first date and end on the second date.
Configuring a System Name and Prompt

You configure the system name on the switch to identify it. By default, the system name and prompt are Switch. If you have not configured a system prompt, the first 20 characters of the system name are used as the system prompt. A greater-than symbol (>) is appended.
Configuring a System Prompt

Beginning in privileged EXEC mode, follow these steps to manually configure a system prompt:

Step 1  configure terminal
        Enter global configuration mode.
Step 2  prompt string
        Configure the command-line prompt to override the setting from the hostname command.
Default DNS Configuration

Table 8-2 shows the default DNS configuration.

Table 8-2 Default DNS Configuration
Feature                   Default Setting
DNS enable state          Enabled.
DNS default domain name   None configured.
DNS servers               No name server addresses are configured.
domain name is the value set by the ip domain-name global configuration command. If there is a period (.) in the hostname, the software looks up the IP address without appending any default domain name to the hostname. To remove a domain name, use the no ip domain-name name global configuration command. To remove a name server address, use the no ip name-server server-address global configuration command.
Configuring a Message-of-the-Day Login Banner

You can create a single or multiline message banner that appears on the screen when someone logs in to the switch.

Beginning in privileged EXEC mode, follow these steps to configure a MOTD login banner:

Step 1  configure terminal
        Enter global configuration mode.
Step 2  banner motd c message c
        Specify the message of the day.
Configuring a Login Banner

You can configure a login banner to be displayed on all connected terminals. This banner appears after the MOTD banner and before the login prompt.

Beginning in privileged EXEC mode, follow these steps to configure a login banner:

Step 1  configure terminal
        Enter global configuration mode.
Step 2  banner login c message c
        Specify the login message.
Managing the MAC Address Table

This section contains this configuration information:
• Building the Address Table, page 8-22
• MAC Addresses and VLANs, page 8-22
• Default MAC Address Table Configuration, page 8-23
• Changing the Address Aging Time, page 8-23
• Removing Dynamic Address Entries, page 8-24
• Configuring MAC Address Notification Traps, page 8-24
• Adding and Removing Static Address Entries, page 8-26
• Configuring Unicast MAC Address Filteri
Default MAC Address Table Configuration

Table 8-3 shows the default MAC address table configuration.

Table 8-3 Default MAC Address Table Configuration
Feature             Default Setting
Aging time          300 seconds
Dynamic addresses   Automatically learned
Static addresses    None configured

Changing the Address Aging Time

Dynamic addresses are source MAC addresses that the switch learns and then ages when they are not in use.
Removing Dynamic Address Entries

To remove all dynamic entries, use the clear mac address-table dynamic command in privileged EXEC mode.
Step 5  mac address-table notification [interval value] | [history-size value]
        Enter the trap interval time and the history table size.
        • (Optional) For interval value, specify the notification trap interval in seconds between each set of traps that are generated to the NMS. The range is 0 to 2147483647 seconds; the default is 1 second.
Adding and Removing Static Address Entries

A static address has these characteristics:
• It is manually entered in the address table and must be manually removed.
• It can be a unicast or multicast address.
• It does not age and is retained when the switch restarts.

You can add and remove static addresses and define the forwarding behavior for them.
This example shows how to add the static address c2f3.220a.12f4 to the MAC address table. When a packet is received in VLAN 4 with this MAC address as its destination address, the packet is forwarded to the specified interface:
Switch(config)# mac address-table static c2f3.220a.
Step 4  show mac address-table static
        Verify your entries.
Step 5  copy running-config startup-config
        (Optional) Save your entries in the configuration file.

To disable unicast MAC address filtering, use the no mac address-table static mac-addr vlan vlan-id global configuration command.
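The static-entry, unicast MAC filtering, aging, and MAC notification procedures of this section in one configuration, as an added example that is not from the Cisco guide. The MAC addresses, VLAN 10, the interfaces, the SNMP manager address 10.1.1.30, and the community string are placeholders.

```cisco
! Added example (not from the Cisco guide). Assumed: a server at
! 0011.2233.4455 on VLAN 10 behind Fa0/1, an unwanted station at
! 00aa.bbcc.ddee, and an SNMP manager at 10.1.1.30 (community "mgmtRO").
configure terminal
!
! Static entry: frames in VLAN 10 for the server MAC always go to Fa0/1.
! It never ages out, survives a reload, and prevents the switch from
! relearning that MAC on another port if a host spoofs it.
mac address-table static 0011.2233.4455 vlan 10 interface fastethernet0/1
!
! Unicast MAC filtering: drop frames with this source or destination MAC
! in VLAN 10. Multicast, broadcast, and router MAC addresses cannot be
! filtered this way; "no mac address-table static ... vlan 10" removes it.
mac address-table static 00aa.bbcc.ddee vlan 10 drop
!
! Shorter aging on the user VLAN so stale dynamic entries disappear sooner
! (default 300 seconds).
mac address-table aging-time 120 vlan 10
!
! MAC notification traps: learn/remove events are batched every 30 seconds
! (default 1) and kept in a 200-entry history. Enable globally, send the
! trap type to the NMS, then mark the interfaces that should report.
mac address-table notification
mac address-table notification interval 30 history-size 200
snmp-server enable traps mac-notification
snmp-server host 10.1.1.30 mgmtRO mac-notification
interface fastethernet0/2
 snmp trap mac-notification added
 snmp trap mac-notification removed
end
!
! Verification (privileged EXEC):
!   show mac address-table static
!   show mac address-table notification interface fastethernet0/2
```

Use notification traps on user-facing ports only; on uplinks every learned address on the far side generates an event and the history buffer fills quickly.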
Chapter 9 Configuring Switch-Based Authentication

This chapter describes how to configure switch-based authentication on the Catalyst 2950 or Catalyst 2955 switch.
Protecting Access to Privileged EXEC Commands

A simple way of providing terminal access control in your network is to use passwords and assign privilege levels. Password protection restricts access to a network or network device. Privilege levels define what commands users can enter after they have logged into a network device.
Setting or Changing a Static Enable Password

The enable password controls access to the privileged EXEC mode.

Beginning in privileged EXEC mode, follow these steps to set or change a static enable password:

Step 1  configure terminal
        Enter global configuration mode.
Step 2  enable password password
        Define a new password or change an existing password for access to privileged EXEC mode.
Protecting Enable and Enable Secret Passwords with Encryption

To provide an additional layer of security, particularly for passwords that cross the network or that are stored on a TFTP server, you can use either the enable password or enable secret global configuration commands. The enable secret command stores the password as a nonreversible MD5 hash; enable password stores it in clear text, or in the reversible type 7 form when service password-encryption is configured, so anyone who can read the configuration file can recover it. Prefer enable secret.
If both the enable and enable secret passwords are defined, users must enter the enable secret password. Use the level keyword to define a password for a specific privilege level. After you specify the level and set a password, give the password only to users who need to have access at this level. Use the privilege level global configuration command to specify commands accessible at various levels.
Beginning in privileged EXEC mode, follow these steps to disable password recovery:

Step 1  configure terminal
        Enter global configuration mode.
Step 2  no service password-recovery
        Disable password recovery.

With password recovery disabled, a lost password cannot be recovered through the boot loader; the only way back into the switch is to return it to the default configuration, which discards the saved configuration files. Keep a backup copy of the configuration on a secure server before disabling password recovery.
Step 7  show running-config
        Verify your entries. The password is listed under the command line vty 0 15.
Step 8  copy running-config startup-config
        (Optional) Save your entries in the configuration file.

To remove the password, use the no password line configuration command.
To disable username authentication for a specific user, use the no username name global configuration command. To disable password checking and allow connections without a password, use the no login line configuration command.

Configuring Multiple Privilege Levels

By default, the software has two modes of password security: user EXEC and privileged EXEC.
Step 5  show running-config
        or
        show privilege
        The first command displays the password and access level configuration. The second command displays the privilege level configuration.
Step 6  copy running-config startup-config
        (Optional) Save your entries in the configuration file.
Logging into and Exiting a Privilege Level

Beginning in privileged EXEC mode, follow these steps to log in to a specified privilege level and to exit to a specified privilege level:

Step 1  enable level
        Log in to a specified privilege level. For level, the range is 0 to 15.
Step 2  disable level
        Exit to a specified privilege level. For level, the range is 0 to 15.
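An added example, not from the Cisco guide, that puts the enable, privilege-level, username, and line password procedures above together and contrasts the weak setting with the preferred one. All passwords, user names, and the level-5 command set are placeholders.

```cisco
! Added example (not from the Cisco guide). Placeholder secrets; replace them.
configure terminal
!
! Weak: "enable password" is stored in clear text, or reversibly obscured
! (type 7) when service password-encryption is on. Anyone who can read the
! configuration recovers it, so remove it rather than "encrypt" it.
no enable password
!
! Preferred: "enable secret" stores an MD5 hash (shown as type 5). When both
! are defined the secret is the one that is checked, so keeping the old
! enable password only adds a leak.
enable secret Pr1vEXECsecret
!
! Intermediate level: operators at level 5 may view interfaces and clear
! counters but cannot enter configuration mode (level 15 only).
enable secret level 5 L3v3l5secret
privilege exec level 5 show interfaces
privilege exec level 5 clear counters
!
! Per-user accounts. service password-encryption only obscures (type 7) the
! username passwords; it is not a hash. Put the real control in AAA (see the
! TACACS+ and RADIUS sections) and treat these as fallback accounts.
service password-encryption
username oper privilege 5 password Op3rPassw0rd
username admin privilege 15 password Adm1nPassw0rd
!
! Terminal lines: require the local user database, drop idle sessions after
! 10 minutes, and do not keep a shared line password around.
line vty 0 15
 login local
 exec-timeout 10 0
 no password
line console 0
 login local
 exec-timeout 10 0
end
!
! Verification (privileged EXEC):
!   show running-config | include enable     (only "enable secret 5 $1$..." lines)
!   show privilege                           (after "enable 5": Current privilege level is 5)
```

Test the level-5 account from a second session before closing the one you configured from; an operator who can reach configuration mode, or who cannot run the commands you assigned, shows a privilege line that needs adjusting.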
Figure 9-1 Typical TACACS+ Network Configuration (a UNIX workstation at 171.20.10.7 as TACACS+ server 1, a UNIX workstation at 171.20.10.8 as TACACS+ server 2, a Catalyst 6500 series switch, and the access switches). The callouts give the setup sequence:
1. Configure the switches with the TACACS+ server addresses.
2. Set an authentication key (also configure the same key on the TACACS+ servers).
3. Enable AAA.
4. Create a login authentication method list.
5. Apply the list to the terminal lines.
TACACS+ Operation

When a user attempts a simple ASCII login by authenticating to a switch by using TACACS+, this process occurs:
1. When the connection is established, the switch contacts the TACACS+ daemon to obtain a username prompt to show to the user. The user enters a username, and the switch then contacts the TACACS+ daemon to obtain a password prompt.
This section contains this configuration information:
• Default TACACS+ Configuration, page 9-13
• Identifying the TACACS+ Server Host and Setting the Authentication Key, page 9-13
• Configuring TACACS+ Login Authentication, page 9-14
• Configuring TACACS+ Authorization for Privileged EXEC Access and Network Services, page 9-16
• Starting TACACS+ Accounting, page 9-17

Default TACACS+ Configuration

TACACS+ an
Step 4  aaa group server tacacs+ group-name
        (Optional) Define the AAA server-group with a group name. This command puts the switch in a server group subconfiguration mode.
Step 5  server ip-address
        (Optional) Associate a particular TACACS+ server with the defined server group. Repeat this step for each TACACS+ server in the AAA server group.
Beginning in privileged EXEC mode, follow these steps to configure login authentication:

Step 1  configure terminal
        Enter global configuration mode.
Step 2  aaa new-model
        Enable AAA.
Step 3  aaa authentication login {default | list-name} method1 [method2...]
        Create a login authentication method list.
To disable AAA, use the no aaa new-model global configuration command. To disable AAA authentication, use the no aaa authentication login {default | list-name} method1 [method2...] global configuration command. To either disable TACACS+ authentication for logins or to return to the default value, use the no login authentication {default | list-name} line configuration command.
Starting TACACS+ Accounting

The AAA accounting feature tracks the services that users are accessing and the amount of network resources that they are consuming. When AAA accounting is enabled, the switch reports user activity to the TACACS+ security server in the form of accounting records. Each accounting record contains accounting attribute-value (AV) pairs and is stored on the security server.
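The TACACS+ procedures of this section (server hosts and key, server group, login authentication, authorization, accounting) as one complete configuration, added here as an example that is not from the Cisco guide. The server addresses 10.1.1.20 and 10.1.1.21, the group name ADMIN-TACACS, the shared key, and the fallback account are placeholders.

```cisco
! Added example (not from the Cisco guide). Assumed TACACS+ servers
! 10.1.1.20 and 10.1.1.21 and a placeholder shared key.
configure terminal
aaa new-model
!
! Server definitions. The key must match the daemon; it is what protects
! the TACACS+ packet body, so treat it as a secret and use a long one.
tacacs-server host 10.1.1.20 key Tac4csSharedKey
tacacs-server host 10.1.1.21 key Tac4csSharedKey
tacacs-server timeout 5
!
! Group the servers so the method lists reference one name.
aaa group server tacacs+ ADMIN-TACACS
 server 10.1.1.20
 server 10.1.1.21
!
! Login authentication: TACACS+ first, local database only if NO server
! answers. A reject from a reachable server is final (no local fallback).
aaa authentication login default group ADMIN-TACACS local
!
! The console gets its own list so a TACACS+ outage never locks out the
! console port (no wait for server timeouts before the local prompt).
aaa authentication login CONSOLE local
!
! Authorization: the privileged EXEC level comes from the server
! (priv-lvl attribute); network-related service requests are authorized
! by the server as well.
aaa authorization exec default group ADMIN-TACACS local
aaa authorization network default group ADMIN-TACACS
!
! Accounting: start/stop records for EXEC sessions and network services.
aaa accounting exec default start-stop group ADMIN-TACACS
aaa accounting network default start-stop group ADMIN-TACACS
!
! Local fallback account and enable secret, used only when no server is
! reachable; keep them strong and rotate them like any shared secret.
username admin privilege 15 password FallbackAdminPass
enable secret EnableFallbackSecret
!
line vty 0 15
 login authentication default
line console 0
 login authentication CONSOLE
end
!
! Verification (privileged EXEC): "show tacacs" for server reachability and
! request counters; log in over a second session before closing this one.
```

The order of methods matters: group first, then local, so a stolen local password is useless while the servers are up, and a server outage still leaves a way in. Reversing it (local first) would bypass the server for anyone who knows the fallback password.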
Controlling Switch Access with RADIUS

This section describes how to enable and configure RADIUS, which provides detailed accounting information and flexible administrative control over authentication and authorization processes. RADIUS is facilitated through AAA and can be enabled only through AAA commands.
RADIUS is not suitable in these network security situations:
• Multiprotocol access environments. RADIUS does not support AppleTalk Remote Access (ARA), NetBIOS Frame Control Protocol (NBFCP), NetWare Asynchronous Services Interface (NASI), or X.25 PAD connections.
• Switch-to-switch or router-to-router situations. RADIUS does not provide two-way authentication.
Configuring RADIUS

This section describes how to configure your switch to support RADIUS. At a minimum, you must identify the host or hosts that run the RADIUS server software and define the method lists for RADIUS authentication. You can optionally define method lists for RADIUS authorization and accounting.
Identifying the RADIUS Server Host

Switch-to-RADIUS-server communication involves several components:
• Host name or IP address
• Authentication destination port
• Accounting destination port
• Key string
• Timeout period
• Retransmission value

You identify RADIUS security servers by their host name or IP address, host name and specific UDP port numbers, or their IP address and specific UDP port numbers.
Beginning in privileged EXEC mode, follow these steps to configure per-server RADIUS server communication. This procedure is required.

Step 1  configure terminal
        Enter global configuration mode.
This example shows how to configure one RADIUS server to be used for authentication and another to be used for accounting. Match auth-port and acct-port to the ports your server actually listens on: IANA assigns UDP 1812 for RADIUS authentication and 1813 for accounting, while older servers use 1645 and 1646.
Switch(config)# radius-server host 172.29.36.49 auth-port 1612 key rad1
Switch(config)# radius-server host 172.20.36.
Beginning in privileged EXEC mode, follow these steps to configure login authentication. This procedure is required.

Step 1  configure terminal
        Enter global configuration mode.
Step 2  aaa new-model
        Enable AAA.
Step 3  aaa authentication login {default | list-name} method1 [method2...]
        Create a login authentication method list.
Step 7  show running-config
        Verify your entries.
Step 8  copy running-config startup-config
        (Optional) Save your entries in the configuration file.

To disable AAA, use the no aaa new-model global configuration command. To disable AAA authentication, use the no aaa authentication login {default | list-name} method1 [method2...] global configuration command.
Beginning in privileged EXEC mode, follow these steps to define the AAA server group and associate a particular RADIUS server with it:

Step 1  configure terminal
        Enter global configuration mode.
Step 8  copy running-config startup-config
        (Optional) Save your entries in the configuration file.
Step 9  Enable RADIUS login authentication. See the “Configuring RADIUS Login Authentication” section on page 9-23.

To remove the specified RADIUS server, use the no radius-server host hostname | ip-address global configuration command.
Beginning in privileged EXEC mode, follow these steps to specify RADIUS authorization for privileged EXEC access and network services:

Step 1  configure terminal
        Enter global configuration mode.
Step 2  aaa authorization network radius
        Configure the switch for user RADIUS authorization for all network-related service requests.
Configuring Settings for All RADIUS Servers

Beginning in privileged EXEC mode, follow these steps to configure global communication settings between the switch and all RADIUS servers:

Step 1  configure terminal
        Enter global configuration mode.
Step 2  radius-server key string
        Specify the shared secret text string used between the switch and all RADIUS servers.
For example, this AV pair activates Cisco’s multiple named ip address pools feature during IP authorization (during PPP’s IPCP address assignment):
cisco-avpair="ip:addr-pool=first"

This example shows how to provide a user logging in from a switch with immediate access to privileged EXEC commands:
cisco-avpair="shell:priv-lvl=15"

This example shows how to specify an authorized VLAN in the RADIUS server database:
c
Beginning in privileged EXEC mode, follow these steps to specify a vendor-proprietary RADIUS server host and a shared secret text string:

Step 1  configure terminal
        Enter global configuration mode.
Configuring the Switch for Local Authentication and Authorization

You can configure AAA to operate without a server by setting the switch to implement AAA in local mode. The switch then handles authentication and authorization. No accounting is available in this configuration.
Configuring the Switch for Secure Shell

This section describes how to configure the Secure Shell (SSH) feature. SSH is a cryptographic security feature that is subject to export restrictions. To use this feature, the cryptographic (encrypted) enhanced software image (EI) must be installed on your switch. You must obtain authorization to use this feature and to download the cryptographic software files from Cisco.com.
SSH also supports these user authentication methods:
• TACACS+ (for more information, see the “Controlling Switch Access with TACACS+” section on page 9-10)
• RADIUS (for more information, see the “Controlling Switch Access with RADIUS” section on page 9-18)
• Local authentication and authorization (for more information, see the “Configuring the Switch for Local Authentication and Authorization” section
Cryptographic Software Image Guidelines

These guidelines apply only to non-LRE Catalyst 2950 switches: The SSH feature uses a large amount of switch memory, which limits the number of VLANs, trunk ports, and cluster members that you can configure on the switch.
To delete the RSA key pair, use the crypto key zeroize rsa global configuration command. After the RSA key pair is deleted, the SSH server is automatically disabled.

Configuring the SSH Server

Beginning in privileged EXEC mode, follow these steps to configure the SSH server:

Step 1  configure terminal
        Enter global configuration mode.
Displaying the SSH Configuration and Status

To display the SSH server configuration and status, use one or more of the privileged EXEC commands in Table 9-2:

Table 9-2 Commands for Displaying the SSH Server Configuration and Status
Command       Purpose
show ip ssh   Shows the version and configuration information for the SSH server.
show ssh      Shows the status of the SSH server.
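An added example, not from the Cisco guide, that combines the local authentication and authorization section with the SSH server procedure above. The hostname, domain name, and account are placeholders; the switch must run the cryptographic (EI) image, and the ip ssh version 2 line requires an image that offers SSH version 2.

```cisco
! Added example (not from the Cisco guide). Requires the cryptographic EI
! image. Hostname, domain, and account are placeholders.
configure terminal
!
! The RSA key pair is named after hostname.domain, so set both first.
hostname access-sw1
ip domain-name example.test
!
! Generate the host key. IOS prompts for the modulus; choose 1024 bits or
! more (the 512-bit default is too weak). Generating the key pair also
! turns the SSH server on; "crypto key zeroize rsa" turns it off again.
crypto key generate rsa
!
! Server hardening: prefer SSHv2 (if the image supports it), give a client
! 60 seconds to finish authenticating, and allow only 2 wrong passwords.
ip ssh version 2
ip ssh time-out 60
ip ssh authentication-retries 2
!
! Local AAA (no server): authentication and EXEC authorization from the
! local user database. Accounting is not available in local mode.
aaa new-model
aaa authentication login default local
aaa authorization exec default local
username admin privilege 15 password ChangeMeLocalAdmin
enable secret ChangeMeEnableSecret
!
! Accept only SSH on the vty lines; Telnet carries passwords in clear text.
line vty 0 15
 transport input ssh
 exec-timeout 10 0
end
!
! Verification (privileged EXEC):
!   show crypto key mypubkey rsa   (the generated key and its size)
!   show ip ssh                    ("SSH Enabled", version, time-out, retries)
!   show ssh                       (active sessions: user, version, cipher)
! From a client, "ssh admin@access-sw1"; keep an existing session open until
! the new login is confirmed.
```

Because transport input ssh removes Telnet, apply it last and only after an SSH login from a second session has succeeded; otherwise a failed key generation or a typo in the username leaves no remote way in.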
Chapter 10 Configuring 802.1x Port-Based Authentication

This chapter describes how to configure IEEE 802.1x port-based authentication on the Catalyst 2950 or Catalyst 2955 switch to prevent unauthorized devices (clients) from gaining access to the network.

Note: For complete syntax and usage information for the commands used in this chapter, refer to the command reference for this release.

This chapter consists of these sections:
• Understanding 802.
• Using 802.1x with VLAN Assignment, page 10-7
• Using 802.1x with Guest VLAN, page 10-8

Device Roles

With 802.1x port-based authentication, the devices in the network have specific roles as shown in Figure 10-1.

Figure 10-1 802.
support EAP within the native frame format. When the switch receives frames from the authentication server, the server’s frame header is removed, leaving the EAP frame, which is then encapsulated for Ethernet and sent to the client.
received. The switch requests the identity of the client and begins relaying authentication messages between the client and the authentication server. Each client attempting to access the network is uniquely identified by the switch by using the client’s MAC address.
Figure 10-3 Wireless LAN Example (wireless clients, an access point, and an authentication server running RADIUS).

Using 802.1x with Port Security

For switches running the enhanced software image (EI), you can enable an 802.1x port for port security in either single-host or multiple-hosts mode.
Using 802.1x with Voice VLAN Ports

A voice VLAN port is a special access port associated with two VLAN identifiers:
• VVID to carry voice traffic to and from the IP phone. The VVID is used to configure the IP phone connected to the port.
• PVID to carry the data traffic to and from the workstation connected to the switch through the IP phone. The PVID is the native VLAN of the port.
• If an 802.1x port is authenticated and put in the RADIUS server assigned VLAN, any change to the port access VLAN configuration does not take effect.
• The 802.1x with VLAN assignment feature is not supported on trunk ports, dynamic ports, or with dynamic-access port assignment through a VLAN Membership Policy Server (VMPS).
Configuring 802.1x Authentication

These sections describe how to configure 802.1x port-based authentication on your switch:
• Default 802.1x Configuration, page 10-9
• 802.1x Configuration Guidelines, page 10-10
• Upgrading from a Previous Software Release, page 10-11
• Enabling 802.
Table 10-1 Default 802.1x Configuration (continued)
Feature               Default Setting
Quiet period          60 seconds (number of seconds that the switch remains in the quiet state following a failed authentication exchange with the client).
Retransmission time   30 seconds (number of seconds that the switch should wait for a response to an EAP request/identity frame from the client before resending the request).
– Switched Port Analyzer (SPAN) and Remote SPAN (RSPAN) destination ports—You can enable 802.1x on a port that is a SPAN destination, an RSPAN destination, or an RSPAN reflector port. However, 802.1x is disabled until the port is removed as a SPAN destination, an RSPAN destination, or an RSPAN reflector port. You can enable 802.1x on a SPAN or RSPAN source port.
– LRE switch ports—802.
To allow VLAN assignment (for switches running the EI), you must enable AAA authorization to configure the switch for all network-related service requests.

Beginning in privileged EXEC mode, follow these steps to configure 802.1x port-based authentication. This procedure is required.

Step 1  configure terminal
        Enter global configuration mode.
Step 2  aaa new-model
        Enable AAA.
This example shows how to enable AAA and 802.
This example shows how to specify the server with IP address 172.20.39.46 as the RADIUS server, to use UDP port 1612 as the authentication port (auth-port), and to set the shared key (the RADIUS secret) to rad123, matching the key configured on the RADIUS server:

Switch(config)# radius-server host 172.20.39.46 auth-port 1612 key rad123
Manually Re-Authenticating a Client Connected to a Port

You can manually re-authenticate the client connected to a specific port at any time by entering the dot1x re-authenticate interface interface-id privileged EXEC command. This step is optional. If you want to enable or disable periodic re-authentication, see the “Enabling Periodic Re-Authentication” section on page 10-14.
Beginning in privileged EXEC mode, follow these steps to change the amount of time that the switch waits for client notification. This procedure is optional.

Step 1  configure terminal
        Enter global configuration mode.
Step 2  interface interface-id
        Specify the interface to be configured, and enter interface configuration mode.
To return to the default retransmission number, use the no dot1x max-req interface configuration command.

This example shows how to set 5 as the number of times that the switch sends an EAP-request/identity request before restarting the authentication process:

Switch(config-if)# dot1x max-req 5

Configuring the Host Mode

You can configure an 802.1x port for single-host or for multiple-hosts mode.
Configuring a Guest VLAN

For switches running the EI, when you configure a guest VLAN, clients that are not 802.1x-capable are put into the guest VLAN when the switch does not receive a response to its EAP-request/identity frames. Clients that are 802.1x-capable but fail authentication are not granted access to the network. Because the guest VLAN admits devices that never authenticated, give it only the reachability an unauthenticated device should have. The switch supports guest VLANs in single-host or multiple-hosts mode.
Step 3  dot1x default
        Reset the configurable 802.1x parameters to the default values.
Step 4  end
        Return to privileged EXEC mode.
Step 5  show dot1x interface interface-id
        Verify your entries.
Step 6  copy running-config startup-config
        (Optional) Save your entries in the configuration file.

Configuring 802.1x Authentication

To configure 802.
Step 3  aaa authentication dot1x {default} method1 [method2...]
        Create an 802.1x authentication method list. To create a default list that is used when a named list is not specified in the authentication command, use the default keyword followed by the methods that are to be used in default situations. The default method list is automatically applied to all ports.
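The AAA, RADIUS and per-port settings that this procedure and the surrounding sections build are easy to get subtly wrong: a mistyped server address, a RADIUS host without its shared key, a port whose port-control was never set to auto, or 802.1x on a trunk port, which the guidelines above say is unsupported. The following Python audit is an added example, not code from the Cisco guide or from the switch. It parses a constructed running-config (addresses and port assignments are invented for the example) and reports each deviation from what this chapter requires; the interface sub-commands it inspects (dot1x port-control, dot1x guest-vlan, switchport mode) are the ones these sections configure.

```python
"""Audit a Catalyst 2950/2955 running-config for the 802.1x settings this
chapter configures.  Added example, not code from the Cisco guide; the
running-config below is constructed and its addresses are invented."""
import ipaddress
import re

# Constructed sample.  It deliberately contains what the audit should report:
# a RADIUS host address with a letter in it (like the guide's 172.l20.39.46
# typo), a RADIUS host with no shared key, a port left at force-authorized,
# 802.1x on a trunk port (unsupported), and a guest VLAN.
SAMPLE_CONFIG = """\
aaa new-model
aaa authentication dot1x default group radius
aaa authorization network default group radius
radius-server host 172.l20.39.46 auth-port 1612 key rad123
radius-server host 172.20.39.47 auth-port 1812
interface FastEthernet0/1
 switchport mode access
 dot1x port-control auto
 dot1x max-req 5
interface FastEthernet0/2
 switchport mode access
 dot1x port-control force-authorized
interface FastEthernet0/3
 switchport mode trunk
 dot1x port-control auto
interface FastEthernet0/4
 switchport mode access
 dot1x port-control auto
 dot1x guest-vlan 99
"""


def split_config(config):
    """Return (global_lines, {interface: [sub-commands]}) for an IOS config.
    Sub-commands are the indented lines under an 'interface' line."""
    globals_, blocks, current = [], {}, None
    for raw in config.splitlines():
        if not raw.strip():
            continue
        if raw.startswith(" "):
            if current is not None:
                blocks[current].append(raw.strip())
            continue
        line = raw.rstrip()
        match = re.match(r"interface (\S+)$", line)
        if match:
            current = match.group(1)
            blocks[current] = []
        else:
            current = None
            globals_.append(line)
    return globals_, blocks


def audit_dot1x(config):
    """Return a list of findings; an empty list means every check passed."""
    findings = []
    glines, blocks = split_config(config)
    # Global AAA prerequisites (Steps 2 and 3 of the procedure above).
    if "aaa new-model" not in glines:
        findings.append("global: 'aaa new-model' missing; 802.1x cannot use RADIUS")
    methods = [cmd for cmd in glines if cmd.startswith("aaa authentication dot1x default")]
    if not methods:
        findings.append("global: no default 802.1x authentication method list")
    elif "group radius" not in methods[0]:
        findings.append("global: default 802.1x method list does not use 'group radius'")
    if not any(cmd.startswith("aaa authorization network default") for cmd in glines):
        findings.append("global: 'aaa authorization network default' missing; "
                        "RADIUS-assigned VLANs will not be applied")
    # Every RADIUS server needs a parseable address and a shared key.
    for cmd in glines:
        if cmd.startswith("radius-server host "):
            host = cmd.split()[2]
            try:
                ipaddress.ip_address(host)
            except ValueError:
                findings.append(f"radius: host '{host}' is not a valid IP address")
            if " key " not in cmd:
                findings.append(f"radius: host '{host}' has no shared key configured")
    # Per-port checks on every interface that carries a dot1x command.
    for name, lines in blocks.items():
        dot1x = [cmd for cmd in lines if cmd.startswith("dot1x ")]
        if not dot1x:
            continue
        if "switchport mode trunk" in lines:
            findings.append(f"{name}: 802.1x is not supported on trunk ports")
        control = [cmd.split()[-1] for cmd in dot1x if cmd.startswith("dot1x port-control ")]
        state = control[0] if control else "force-authorized (default)"
        if state != "auto":
            findings.append(f"{name}: port-control is {state}; no authentication is enforced")
        guest = [cmd.split()[-1] for cmd in dot1x if cmd.startswith("dot1x guest-vlan ")]
        if guest:
            findings.append(f"{name}: guest VLAN {guest[0]} admits non-802.1x clients "
                            "without authentication; restrict what that VLAN can reach")
    return findings


if __name__ == "__main__":
    for finding in audit_dot1x(SAMPLE_CONFIG):
        print(finding)
```

Feed it the text of show running-config. Each finding is a line a reviewer would raise; the guest VLAN finding is informational, because the guest VLAN section above says that VLAN admits clients that never authenticated, so it is a policy decision rather than a mistake.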
Displaying 802.1x Statistics and Status

Note  You must configure the RADIUS server to perform accounting tasks, such as logging start, stop, and interim-update messages and time stamps. To turn on these functions, enable logging of “Update/Watchdog packets from this AAA client” in your RADIUS server Network Configuration tab. Next, enable “CSV RADIUS Accounting” in your RADIUS server System Configuration tab.
Chapter 11 Configuring Interface Characteristics

This chapter describes the types of interfaces on a Catalyst 2950 or Catalyst 2955 switch and how to configure them.
Understanding Interface Types

These sections describe these types of interfaces:
• Access Ports, page 11-2
• Trunk Ports, page 11-2
• Port-Based VLANs, page 11-3
• EtherChannel Port Groups, page 11-3
• Connecting Interfaces, page 11-4

Access Ports

An access port belongs to and carries the traffic of only one VLAN (unless it is configured as a voice VLAN port). Traffic is received and sent in native formats with no VLAN tagging.
member of that VLAN and traffic is forwarded to and from the trunk port for that VLAN. If VTP learns of a new, enabled VLAN that is not in the allowed list for a trunk port, the port does not become a member of the VLAN, and no traffic for the VLAN is forwarded to or from the port. For more information about trunk ports, see Chapter 17, “Configuring VLANs.
Connecting Interfaces

Devices within a single VLAN can communicate directly through any switch. Ports in different VLANs cannot exchange data without going through a routing device or routed interface. With a standard Layer 2 switch, ports in different VLANs have to exchange information through a router.
Procedures for Configuring Interfaces

These general instructions apply to all interface configuration processes.

Step 1  Enter the configure terminal command at the privileged EXEC prompt:

Switch# configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Switch(config)#

Step 2  Enter the interface global configuration command. Identify the interface type and the number of the connector.
Beginning in privileged EXEC mode, follow these steps to configure a range of interfaces with the same parameters:

Step 1  configure terminal
        Enter global configuration mode.
Step 2  interface range {port-range | macro macro_name}
        Enter interface-range configuration mode by entering the range of interfaces (VLANs or physical ports) to be configured.
This example shows how to use a comma to add different interface type strings to the range to enable all Fast Ethernet interfaces in the range 0/1 to 0/3 and Gigabit Ethernet interfaces 0/1 and 0/2:

Switch# configure terminal
Switch(config)# interface range fastethernet0/1 - 3, gigabitethernet0/1 - 2
Switch(config-if-range)# no shutdown

If you enter multiple configuration commands while you are in interface-range mode, each comm
– longreachethernet slot/{first port} - {last port}, where slot is 0
– port-channel port-channel-number - port-channel-number, where port-channel-number is from 1 to 6.
• You must add a space between the interface numbers and the hyphen when entering an interface-range. For example, fastethernet 0/1 - 5 is a valid range; fastethernet 0/1-5 is not a valid range.
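The range rules listed above can be checked before a command is typed or pushed by a provisioning script. The expander below is an added Python example, not code from the Cisco guide or the switch: it turns an interface range expression into the list of interfaces it covers and rejects the forms the text says the switch rejects. The slot, port-channel and hyphen rules come from the text; the upper bounds for physical port numbers and VLAN IDs are assumptions marked in the code.

```python
"""Expand and validate the 'interface range' syntax described above.  Added
example, not code from the Cisco guide: it encodes the rules the text states
(slot is always 0, port-channel numbers run 1 to 6, the hyphen needs a space
on both sides).  MAX_PORT and MAX_VLAN are assumptions, not from the page."""
import re

# Canonical IOS spelling of each interface type the range syntax accepts.
TYPE_NAMES = {
    "fastethernet": "FastEthernet",
    "gigabitethernet": "GigabitEthernet",
    "longreachethernet": "LongReachEthernet",
    "port-channel": "Port-channel",
    "vlan": "Vlan",
}
MAX_PORT_CHANNEL = 6    # from the guide: port-channel-number is 1 to 6
MAX_PORT = 48           # assumption: largest port count on these switch models
MAX_VLAN = 4094         # assumption: IEEE 802.1Q VLAN ID range

_SLOTTED = re.compile(r"^(fastethernet|gigabitethernet|longreachethernet)\s*(\d+)/(\d+)(?: - (\d+))?$")
_NUMBERED = re.compile(r"^(port-channel|vlan)\s*(\d+)(?: - (\d+))?$")


def _span(first, last, low, high, what):
    """Inclusive numeric range with bounds checking; a single number is a range of one."""
    first, last = int(first), int(last if last is not None else first)
    if not low <= first <= last <= high:
        raise ValueError(f"{what} range {first} - {last} is reversed or outside {low} to {high}")
    return range(first, last + 1)


def expand_interface_range(expression):
    """Return the interfaces named by an 'interface range' argument, e.g.
    'fastethernet0/1 - 3, gigabitethernet0/1 - 2' from the example above.
    Raises ValueError for syntax the guide rejects."""
    interfaces = []
    for member in expression.split(","):
        member = member.strip().lower()
        # The guide's rule: 'fastethernet 0/1 - 5' is valid, 'fastethernet 0/1-5' is not.
        if re.search(r"\d-|-\d", member.split("/")[-1]):
            raise ValueError(f"'{member}': put a space on both sides of the hyphen")
        match = _SLOTTED.match(member)
        if match:
            kind, slot, first, last = match.groups()
            if slot != "0":
                raise ValueError(f"'{member}': slot must be 0 on these switches")
            interfaces += [f"{TYPE_NAMES[kind]}0/{p}" for p in _span(first, last, 1, MAX_PORT, "port")]
            continue
        match = _NUMBERED.match(member)
        if match:
            kind, first, last = match.groups()
            high = MAX_PORT_CHANNEL if kind == "port-channel" else MAX_VLAN
            interfaces += [f"{TYPE_NAMES[kind]}{n}" for n in _span(first, last, 1, high, kind)]
            continue
        raise ValueError(f"'{member}': not a valid interface or interface range")
    return interfaces
```

The expanded list is also what you would compare against show running-config after the range command, since a typo in the range silently configures the wrong ports.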
These sections describe the default interface configuration and the optional features that you can configure on most physical interfaces:
• Default Ethernet Interface Configuration, page 11-9
• Configuring Interface Speed and Duplex Mode, page 11-10
• Configuring Media Types for Gigabit Ethernet Interfaces on LRE Switches, page 11-13
• Configuring IEEE 802.
Configuring Interface Speed and Duplex Mode

The 10/100 Ethernet interfaces on a non-LRE switch operate in 10 or 100 Mbps and in either full- or half-duplex mode. The 10/100/1000 Ethernet interfaces on Catalyst 2950 LRE, Catalyst 2950T-24, Catalyst 2950T-48-SI, and Catalyst 2955T-24 switches operate at 10 or 100 Mbps in either full- or half-duplex mode or at 1000 Mbps only in full-duplex mode.
• If both ends of the line support autonegotiation, we highly recommend the default setting of autonegotiation.
• When connecting an interface to a 100BASE-T device that does not autonegotiate, set the speed to a fixed value (for example, speed 100) and set the duplex mode to full or half to match the device. The speed value and duplex mode must be explicitly set.
Setting the Interface Speed and Duplex Parameters on a Non-LRE Switch Port

Beginning in privileged EXEC mode, follow these steps to set the speed and duplex mode for a physical interface on a non-LRE switch:

Step 1  configure terminal
        Enter global configuration mode.
Step 2  interface interface-id
        Enter interface configuration mode and the physical interface identification.
Step 6  show running-config
        Display the LRE interface speed and duplex mode configuration.
Step 7  copy running-config startup-config
        (Optional) Save your entries in the configuration file.

Use the no local speed and no local duplex interface configuration commands to return the interface to the default speed and duplex settings.
Note
• receive off and send on: The port sends pause frames if the remote device supports flow control but cannot receive pause frames from the remote device.
• receive off and send desired: The port cannot receive pause frames but can send pause frames if the attached device supports flow control.
• receive off and send off: Flow control does not operate in either direction.
Step 5  show interfaces interface-id description
        or
        show running-config
        Verify your entry.
Step 6  copy running-config startup-config
        (Optional) Save your entries in the configuration file.

Use the no description interface configuration command to delete the description.
Table 11-2 show Commands for Interfaces (continued)

show ip interface [interface-id]
    Display the usability status of all interfaces configured for IP or the specified interface.
show running-config interface [interface-id]
    Display the running configuration in RAM for the interface.
This example shows how to clear and reset a port:

Switch# clear interface fastethernet0/5

Shutting Down and Restarting the Interface

Shutting down an interface disables all functions on the specified interface and marks the interface as unavailable on all monitoring command displays. This information is communicated to other network servers through all dynamic routing protocols.
Chapter 12 Configuring Smartports Macros

This chapter describes how to configure and apply Smartports macros on the Catalyst 2950 switch.

Note  For complete syntax and usage information for the commands used in this chapter, refer to the command reference for this release.
Table 12-1 Cisco-Default Smartports Macros (continued)

Macro Name     Description
cisco-phone    Use this interface configuration macro when connecting a desktop device such as a PC with a Cisco IP Phone to a switch port. This macro is an extension of the cisco-desktop macro and provides the same security and resiliency features, but with the addition of dedicated voice VLANs to ensure proper treatment of delay-sensitive voice traffic.
Smartports Macro Configuration Guidelines

Follow these guidelines when configuring macros on your switch:
• When creating a macro, do not use the exit or end commands or change the command mode by using interface interface-id. This could cause commands that follow exit, end, or interface interface-id to execute in a different command mode.
• When creating a macro, all CLI commands should be in the same configuration mode.
Creating Smartports Macros

Beginning in privileged EXEC mode, follow these steps to create a Smartports macro:

Step 1  configure terminal
        Enter global configuration mode.
Step 2  macro name macro-name
        Create a macro definition, and enter a macro name. A macro definition can contain up to 3000 characters. Enter the macro commands with one command per line. Use the @ character to end the macro.
Applying Smartports Macros

Beginning in privileged EXEC mode, follow these steps to apply a Smartports macro:

Step 1  configure terminal
        Enter global configuration mode.
Step 2  macro global {apply | trace} macro-name [parameter {value}] [parameter {value}] [parameter {value}]
        Apply each individual command defined in the macro to the switch by entering macro global apply macro-name.
This example shows how to apply the user-created macro called snmp, to set the host name address to test-server and to set the IP precedence value to 7:

Switch(config)# macro global apply snmp ADDRESS test-server VALUE 7

This example shows how to debug the user-created macro called snmp by using the macro global trace global configuration command to find any syntax or configuration errors in the macro when it is applied to the switch
Step 6  default interface interface-id
        (Optional) Clear all configuration from the specified interface.
Step 7  macro {apply | trace} macro-name [parameter {value}] [parameter {value}] [parameter {value}]
        Append the Cisco-default macro with the required values by using the parameter value keywords, and apply the macro to the interface. Keywords that begin with $ mean that a unique parameter value is required.
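How a macro body is parsed up to its @ terminator, checked against the guidelines above (no exit, end or interface inside it; every keyword beginning with $ needs a value) and expanded by token-for-token parameter substitution at apply time, as an added Python example that is not code from the Cisco guide or from the switch. The snmp macro body is constructed to fit the snmp example applied above; the VLAN macro is invented to show both checks failing.

```python
"""Parse, check and expand a Smartports macro as the guidelines above describe.
Added example, not code from the Cisco guide or the switch.  SNMP_MACRO is
constructed to match the guide's 'snmp' apply example; BAD_MACRO is invented."""

MAX_MACRO_CHARS = 3000                          # limit stated in the 'macro name' step
MODE_CHANGERS = ("exit", "end", "interface")    # commands the guidelines forbid in a macro

# Constructed body for 'macro global apply snmp ADDRESS test-server VALUE 7'.
SNMP_MACRO = """\
snmp-server enable traps port-security
snmp-server enable traps linkup
snmp-server enable traps linkdown
snmp-server host ADDRESS
snmp-server ip precedence VALUE
@
"""

# Constructed interface macro that breaks two rules: a $-keyword with no value
# at apply time, and 'exit', which would put later commands in the wrong mode.
BAD_MACRO = """\
switchport access vlan $AVID
switchport mode access
exit
@
"""


def parse_macro(definition):
    """Return the command lines of a macro definition terminated by '@'."""
    body, terminator, _ = definition.partition("\n@")
    if not terminator:
        raise ValueError("macro definition is not terminated by '@'")
    if len(body) > MAX_MACRO_CHARS:
        raise ValueError(f"macro body is {len(body)} characters; limit is {MAX_MACRO_CHARS}")
    return [line.strip() for line in body.splitlines() if line.strip()]


def check_macro(lines):
    """Apply the configuration guidelines; return a list of problems found."""
    problems = []
    for number, line in enumerate(lines, 1):
        first = line.split()[0]
        if first in MODE_CHANGERS:
            problems.append(f"line {number}: '{first}' changes the command mode; "
                            "later commands would run in the wrong mode")
    return problems


def required_parameters(lines):
    """Keywords beginning with '$' must be given a value when the macro is applied."""
    return sorted({tok for line in lines for tok in line.split() if tok.startswith("$")})


def apply_macro(lines, parameters):
    """Substitute parameter values token by token, as 'macro apply' does.
    parameters maps keyword -> value, e.g. {'ADDRESS': 'test-server', 'VALUE': '7'}.
    Raises ValueError if a required $-keyword has no value."""
    missing = [p for p in required_parameters(lines) if p not in parameters]
    if missing:
        raise ValueError(f"macro requires values for: {', '.join(missing)}")
    return [" ".join(parameters.get(tok, tok) for tok in line.split()) for line in lines]
```

Substitution is by whole token, so parameter keywords should be distinctive upper-case names, as in the guide's ADDRESS and VALUE; a keyword that matched an ordinary command word would be replaced too. Running check_macro before macro apply (or using macro trace on the switch) catches the mode-change mistake the guidelines warn about before it reaches the running configuration.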
Displaying Smartports Macros

To display the Smartports macros, use one or more of the privileged EXEC commands in Table 12-2.

Table 12-2 Commands for Displaying Smartports Macros

show parser macro
    Displays all configured macros.
show parser macro name macro-name
    Displays a specific macro.
show parser macro brief
    Displays the configured macro names.
Chapter 13 Configuring LRE

This chapter describes how to configure the Long-Reach Ethernet (LRE) features on your Catalyst 2950 LRE switch.
Connecting a switch LRE port to a remote Ethernet device (such as a PC) requires two types of connections:
• LRE link—This is the connection between the switch LRE port and the RJ-11 wall port on an LRE CPE device such as the Cisco 575 LRE CPE or the Cisco 585 LRE CPE. This connection can be through categorized or noncategorized unshielded twisted-pair cable and can extend to distances of up to 5000 feet (1524 meters).
Note  Consult the regulations for connecting to the public switched telephone network (PSTN) in your area.

Note  Use the rates and distances in Table 13-1 and Table 13-2 only as guidelines. Factors such as the type of cable that you use, how it is bundled, and the interference and noise on the LRE link can affect the actual LRE link performance. Contact Cisco Systems for information about limitations and optimization of LRE link performance.
Table 13-2 LRE Profiles for the Catalyst 2950ST-24 LRE 997 Switches

Profile Name      LRE Link Downstream   LRE Link Upstream   Theoretical Minimum   Theoretical Minimum
                  Rate (Mbps)           Rate (Mbps)         SNR Downstream        SNR Upstream
LRE-12-9          12.500                9.375               31                    25
LRE-12-3          12.500                3.125               31                    13
LRE-9             9.375                 9.375               25                    25
LRE-9-6           9.375                 6.250               25                    19
LRE-9-4           9.375                 4.688               25                    16
LRE-9-3           9.375                 3.125               25                    13
LRE-6 (default)   6.250                 6.250               19                    19
LRE-6-4           6.
LRE Sequences

The LRE switches are shipped with predefined sequences. Sequences are sets of profiles and are used with the rate selection feature. The rate selection feature enables the switch to automatically select profiles. You can also define your own sets of sequences by using the command-line interface (CLI) commands or Cluster Management Suite (CMS).
Table 13-4 LRE Rate Selection Sequences for the Catalyst 2950ST-24 LRE 997 Switches

Sequences: LRE-SEQ-COMPLETE-REACH, LRE-SEQ-DOWNSTREAM, LRE-SEQ-SYM, LRE-SEQ-SYM-LONGREACH, LRE-SEQ-UPSTREAM, LRE-SEQ-VIDEO-TRANSMIT

Profile entries (column layout as extracted): LRE-12-9 LRE-12-9 LRE-9 LRE-6-4 LRE-12-9 LRE-12-9 LRE-12-3 LRE-12-3 LRE-6 LRE-4 LRE-9 LRE-9 LRE-9 LRE-9 LRE-4 LRE-9-3 LRE-9-6 LRE-9-6 LRE-9-6 LRE-9-6 LRE-6-3 LRE-6 LRE-9-4 LRE-9-4 LRE-9-4 LRE-4-3 LRE-9-4 LRE-9-3 LRE-6 LRE-9-
• Certain CPEs do not work with certain switches. For details, see the LRE switch and CPE compatibility matrix (see Table 1-2 on page 1-2). You can connect Cisco 575 LRE CPEs and Cisco 585 LRE CPEs to the Catalyst 2950ST-8 LRE or 2950ST-24 LRE switch. You can connect a Cisco 576 LRE 997 CPE only to a Catalyst 2950ST-24 LRE 997 switch.
• You can hot-swap the CPE devices without powering down the switch or disrupting the other switch ports.
LRE Message Logging Process

The Catalyst 2950 LRE switch software monitors switch conditions on a per-port basis and sends the debugging messages to an LRE message logging process that is different from the system message logging process described in Chapter 27, “Configuring System Message Logging.” These options are available in the LRE logging process:
• Disabled—The switch does not log LRE events.
• Event—The switch logs only LRE events.
Default LRE Configuration

This is the default LRE configuration:
• On the Catalyst 2950ST-8 LRE and the Catalyst 2950ST-24 LRE switches, the profile on all LRE ports is LRE-10.
• On the Catalyst 2950ST-24 LRE 997 switches, the profile on all LRE ports is LRE-6.
• Global profiles and global sequences are not assigned to LRE ports.
• Per-port sequences are not assigned to specific LRE ports.
• Age and type of wiring—You can estimate the type of wiring you have based on your site’s age and type.
  – Newer installations less than 15 years old often use Category 3 cable in bundles of 25 pairs. There is no significant difference between 25-pair bundles and larger bundles.
• When the link between the LRE switch and the CPE device must co-exist in the same cable bundle as an asymmetric digital subscriber line (ADSL), we recommend that you use either the ANSI profile (LRE-998-15-4) or the ETSI profile (LRE-997-10-4). For details on which profile to use elsewhere, consult the regulations for connecting to the PSTN in your area.
• LRE signaling can co-exist with ADSL signaling in one cable bundle.
between 100-Mbps half duplex and 100-Mbps full duplex. Use the cpe duplex and cpe speed interface configuration commands, respectively, to configure the duplex and speed settings on the Cisco 575 LRE CPE or the 576 LRE 997 CPE Ethernet port. You cannot disable CPE toggle on a link from a Cisco 575 LRE or Cisco 576 LRE CPE to a remote device (such as a PC).
Assigning a Profile to a Specific LRE Port

You can set profiles on a per-port basis. You can assign the same profile or different profiles to the LRE ports on the switch. The default active profile on all LRE ports is LRE-10 on the Catalyst 2950ST-8 LRE and 2950ST-24 LRE switches and LRE-6 on the Catalyst 2950ST-24 LRE 997 switch. The switch resets the ports with the updated profile settings when they are changed.
To display the LRE link statistics and sequence information on the LRE ports, use the show controllers lre status sequence details privileged EXEC command.

Assigning a Sequence to a Specific LRE Port

You can set sequences on a per-port basis. You can assign the same sequence or different sequences to the LRE ports on the switch. If you assign a sequence on a per-port basis, it overrides any previously or subsequently set profiles or global sequence.
• When a link is lost for 25 seconds before being restored
• When a configured sequence is modified

In any of these cases, rate selection obtains the optimal profile for your line conditions.

Note  When an LRE link is lost for fewer than 25 seconds, the switch does not execute rate selection to re-establish the link. The link is re-established at the profile used before link loss.
Step 4  end
        Return to privileged EXEC mode.
Step 5  show controllers lre profile details
        Verify the change.
Step 6  copy running-config startup-config
        (Optional) Save your entries in the configuration file.

To unlock a port, use the no rate selection profile lock interface configuration command.

Link Qualification and SNR Margins

When rate selection is running, the SNR is used as an indicator of link quality.
Table 13-6 SNR Requirements for Downstream Rates for the Catalyst 2950ST-8 LRE and the Catalyst 2950ST-24 LRE Switches (continued)

Profile        Gross Data Rate   Quadrature Amplitude   Theoretical    Low Noise   Medium Noise   High Noise
                                 Modulation (QAM)       Minimum SNR    SNR         SNR            SNR
LRE-15-1       16.667            256                    31             33          35             39
LRE-998-15-4   16.667            256                    31             33          35             39
LRE-997-10-4   12.5              256                    31             33          35             39
LRE-2          2.08              4                      13             15          17             20
LRE-3          3.13              4                      13             15          17             20
LRE-4          4.
Table 13-8 SNR Requirements for Downstream Rates for the Catalyst 2950ST-24 LRE 997 Switches

Profile           Gross Data Rate   QAM   Theoretical    Low Noise   Medium Noise   High Noise
                                          Minimum SNR    SNR         SNR            SNR
LRE-12-9          12.500           256   31             33          35             38
LRE-12-3          12.500           256   31             33          35             38
LRE-9             9.375            64    25             27          29             32
LRE-9-6           9.375            64    25             27          29             32
LRE-9-4           9.375            64    25             27          29             32
LRE-9-3           9.375            64    25             27          29             32
LRE-6 (default)   6.
Beginning in privileged EXEC mode, follow these steps to assign a margin to a specific LRE port:

Step 1  configure terminal
        Enter global configuration mode.
Step 2  interface interface-id
        Enter the number of the LRE port to be configured, and enter interface configuration mode.
Step 3  margin {downstream value | upstream value}
        Enter the downstream or upstream margin value (in dB).
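Rate selection as the preceding sections describe it: walk a sequence from the highest rate down, take the first profile whose theoretical minimum SNR plus the configured per-port margin is met in both directions, and rerun selection only when a link has been lost for 25 seconds or the sequence changes. The model below is an added Python example, not code from the Cisco guide. The profile rates and theoretical minimum SNRs are copied from Table 13-2 above; the sequence and the measured SNR values are constructed for the example, since the shipped sequences in Table 13-4 are not fully legible on this page.

```python
"""Model of LRE rate selection with SNR margins, as described in the rate
selection, link qualification and margin sections above.  Added example, not
code from the Cisco guide.  Profile rates and theoretical minimum SNRs are
copied from Table 13-2 (Catalyst 2950ST-24 LRE 997); the sequence and the
measured SNR values are constructed."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Profile:
    name: str
    down_mbps: float
    up_mbps: float
    min_snr_down: int     # theoretical minimum SNR, downstream (dB), Table 13-2
    min_snr_up: int       # theoretical minimum SNR, upstream (dB), Table 13-2


# Rows of Table 13-2 that are legible on the page (LRE-6-4 is truncated there).
PROFILES_997 = {p.name: p for p in (
    Profile("LRE-12-9", 12.500, 9.375, 31, 25),
    Profile("LRE-12-3", 12.500, 3.125, 31, 13),
    Profile("LRE-9",     9.375, 9.375, 25, 25),
    Profile("LRE-9-6",   9.375, 6.250, 25, 19),
    Profile("LRE-9-4",   9.375, 4.688, 25, 16),
    Profile("LRE-9-3",   9.375, 3.125, 25, 13),
    Profile("LRE-6",     6.250, 6.250, 19, 19),
)}

# Constructed sequence, highest rate first; not one of the shipped sequences.
EXAMPLE_SEQUENCE = ["LRE-12-9", "LRE-12-3", "LRE-9", "LRE-9-6", "LRE-9-4", "LRE-9-3", "LRE-6"]

LINK_LOSS_RESELECT_SECONDS = 25   # from the text: a 25-second loss triggers rate selection


def qualifies(profile, snr_down, snr_up, margin_down=0, margin_up=0):
    """A link qualifies for a profile when the measured SNR in each direction is
    at least the profile's theoretical minimum plus the configured margin."""
    return (snr_down >= profile.min_snr_down + margin_down
            and snr_up >= profile.min_snr_up + margin_up)


def select_profile(sequence, snr_down, snr_up, margin_down=0, margin_up=0):
    """Walk the sequence in order and return the first (highest-rate) profile the
    link qualifies for, or None if it qualifies for none of them."""
    for name in sequence:
        if qualifies(PROFILES_997[name], snr_down, snr_up, margin_down, margin_up):
            return name
    return None


def profile_after_link_loss(current, outage_seconds, sequence, snr_down, snr_up,
                            margin_down=0, margin_up=0):
    """Rule from the text: a link lost for fewer than 25 seconds comes back on the
    profile it had; a longer loss reruns rate selection on the current SNR."""
    if outage_seconds < LINK_LOSS_RESELECT_SECONDS:
        return current
    return select_profile(sequence, snr_down, snr_up, margin_down, margin_up)
```

Raising the margin trades rate for stability: with a 3 dB margin in each direction a line that qualifies for LRE-12-9 at the theoretical minimums drops to LRE-9-6, which is the behaviour the margin procedure above is for.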
Configuring LRE Link Monitor

When link monitor is enabled, an LRE switch feature tracks undesirable or interesting conditions on a link or takes system-defined actions after certain thresholds are reached.

Beginning in privileged EXEC mode, follow these steps to enable link monitor:

Step 1  configure terminal
        Enter global configuration mode.
Step 4  end
        Return to privileged EXEC mode.
Step 5  show controllers lre status interleave
        Verify the change.
Step 6  copy running-config startup-config
        (Optional) Save your entries in the configuration file.

To return the port to its default setting, use the no interleave downstream value upstream value interface configuration command.
Step 3  end
        Return to privileged EXEC mode.
Step 4  show controllers lre status psd
        Verify the change.
        show controllers lre cpe version
        Displays the LRE binary version running on the CPE.
Step 5  copy running-config startup-config
        (Optional) Save your entries in the configuration file.

To return the switch to its default setting, use the no lre upbo {noise-model | offset value} global configuration command.
Beginning in privileged EXEC mode, follow these steps to enable the switch to send debugging messages to the LRE message logging process and to the system message logging process:

Step 1  configure terminal
        Enter global configuration mode.
Step 2  lre syslog
        Enable the switch to send debugging messages from the LRE logging process to the system message logging process.
Step 3  end
        Return to privileged EXEC mode.
Note  Whether upgrading a single CPE device or all CPE devices connected to an LRE switch, the expected duration of an LRE upgrade is 3 to 6 minutes. (CPE devices connected to marginal links might take longer than this to upgrade.)

You perform an upgrade by using the hw-module slot module-slot-number upgrade lre [force] [local ctrlr-unit-number | remote interface-id] privileged EXEC command. Automatic upgrading is not supported.
When executing upgrades, you can elect to upgrade a single CPE device or local controller by using the hw-module slot module-slot-number upgrade lre [force] [local ctrlr-unit-number | remote interface-id] privileged EXEC command. If no local or remote option is given, a system-wide upgrade is performed.
The no upgrade controller configuration command removes the command for applying a particular LRE binary. To resume default upgrade behavior for a given controller, do not configure the custom upgrade commands on that controller.

LRE Upgrade Details

This example shows how to upgrade your LRE switch:

Switch> enable
Switch# hw-module slot 0 upgrade lre
You are about to start an LRE upgrade on all LRE interfaces.
The CPE device finishes resetting. Ethernet connectivity is available but at low speeds. Upgrade data transfer begins.

00:23:55: %LINEPROTO-5-UPDOWN: Line protocol on Interface LongReachEthernet0/1, changed state to down

Upgrade data transfer is complete. Reset the CPE device.

00:23:56: %LINK-3-UPDOWN: Interface LongReachEthernet0/1, changed state to up

The CPE device has finished resetting. The desired profile is applied.
Chapter 14 Configuring STP

This chapter describes how to configure the Spanning Tree Protocol (STP) on port-based VLANs on your Catalyst 2950 or Catalyst 2955 switch. The switch uses the per-VLAN spanning-tree plus (PVST+) protocol based on the IEEE 802.1D standard and Cisco proprietary extensions, or it can use the rapid per-VLAN spanning-tree plus (rapid-PVST+) protocol based on the IEEE 802.1w standard.
• Spanning-Tree Interoperability and Backward Compatibility, page 14-10
• STP and IEEE 802.1Q Trunks, page 14-10

For configuration information, see the “Configuring Spanning-Tree Features” section on page 14-11. For information about optional spanning-tree features, see Chapter 16, “Configuring Optional Spanning-Tree Features.
Spanning-Tree Topology and BPDUs

The stable, active spanning-tree topology of a switched network is determined by these elements:
• The unique bridge ID (switch priority and MAC address) associated with each VLAN on each switch
• The spanning-tree path cost to the root switch
• The port identifier (port priority and MAC address) associated with each Layer 2 interface

When the switches in a network are powered up, each functions as the r
Bridge ID, Switch Priority, and Extended System ID

The IEEE 802.1D standard requires that each switch have a unique bridge identifier (bridge ID), which determines the selection of the root switch. Because each VLAN is considered a different logical bridge with PVST+ and rapid PVST+, the same switch must have as many different bridge IDs as VLANs configured on it.
• Forwarding—The interface forwards frames.
• Disabled—The interface is not participating in spanning tree because of a shutdown port, no link on the port, or no spanning-tree instance running on the port.
Blocking State

A Layer 2 interface in the blocking state does not participate in frame forwarding. After initialization, a BPDU is sent to each interface in the switch. A switch initially functions as the root until it exchanges BPDUs with other switches. This exchange establishes which switch in the network is the root or root switch.
Disabled State

A Layer 2 interface in the disabled state does not participate in frame forwarding or in the spanning tree. An interface in the disabled state is nonoperational.
Spanning Tree and Redundant Connectivity

You can create a redundant backbone with spanning tree by connecting two switch interfaces to another device or to two different devices. Spanning tree automatically disables one interface but enables it if the other one fails, as shown in Figure 14-3. If one link is high-speed and the other is low-speed, the low-speed link is always disabled.
Because each VLAN is a separate spanning-tree instance, the switch accelerates aging on a per-VLAN basis. A spanning-tree reconfiguration on one VLAN can cause the dynamic addresses learned on that VLAN to be subject to accelerated aging. Dynamic addresses on other VLANs can be unaffected and remain subject to the aging interval entered for the switch.
Spanning-Tree Interoperability and Backward Compatibility

Table 14-2 lists the interoperability and compatibility among the supported spanning-tree modes in a network.
Configuring Spanning-Tree Features

These sections describe how to configure spanning-tree features:
• Default Spanning-Tree Configuration, page 14-11
• Spanning-Tree Configuration Guidelines, page 14-12
• Changing the Spanning-Tree Mode, page 14-13 (required)
• Disabling Spanning Tree, page 14-14 (optional)
• Configuring the Root Switch, page 14-14 (optional)
• Configuring a Secondary Root Switch, page 14-16 (optional)
• Configurin
Spanning-Tree Configuration Guidelines

If more VLANs are defined in VTP than there are spanning-tree instances, you can enable PVST+ or rapid PVST+ on only 64 VLANs. If the number of VLANs exceeds 64, we recommend that you enable MSTP to map multiple VLANs to a single spanning-tree instance. For more information, see Chapter 15, “Configuring MSTP.
Changing the Spanning-Tree Mode The switch supports three spanning-tree modes: PVST+, rapid PVST+, and MSTP. By default, the switch runs PVST+. Beginning in privileged EXEC mode, follow these steps to change the spanning-tree mode. If you want to enable a mode that is different from the default mode, this procedure is required.
Command and purpose:
Step 1: configure terminal
  Enter global configuration mode.
Disabling Spanning Tree Spanning tree is enabled by default on VLAN 1 and on all newly created VLANs up to the spanning-tree limit specified in the “Supported Spanning-Tree Instances” section on page 14-9. Disable spanning tree only if you are sure there are no loops in the network topology.
Before Cisco IOS Release 12.1(9)EA1, entering the spanning-tree vlan vlan-id root global configuration command on a Catalyst 2950 switch (no extended system ID) caused it to set its own switch priority for the specified VLAN to 8192 if this value caused this switch to become the root for the specified VLAN.
Beginning in privileged EXEC mode, follow these steps to configure a switch to become the root for the specified VLAN. This procedure is optional.
Command and purpose:
Step 1: configure terminal
  Enter global configuration mode.
Step 2: spanning-tree vlan vlan-id root primary [diameter net-diameter [hello-time seconds]]
  Configure a switch to become the root for the specified VLAN.
Beginning in privileged EXEC mode, follow these steps to configure a switch to become the secondary root for the specified VLAN. This procedure is optional.
Command and purpose:
Step 1: configure terminal
  Enter global configuration mode.
Step 2: spanning-tree vlan vlan-id root secondary [diameter net-diameter [hello-time seconds]]
  Configure a switch to become the secondary root for the specified VLAN.
Beginning in privileged EXEC mode, follow these steps to configure the port priority of an interface. This procedure is optional.
Command and purpose:
Step 1: configure terminal
  Enter global configuration mode.
Step 2: interface interface-id
  Specify an interface to configure, and enter interface configuration mode. Valid interfaces include physical interfaces and port-channel logical interfaces (port-channel port-channel-number).
Configuring the Path Cost The spanning-tree path cost default value is derived from the media speed of an interface. If a loop occurs, spanning tree uses cost when selecting an interface to put in the forwarding state. You can assign lower cost values to interfaces that you want selected first and higher cost values to interfaces that you want selected last.
To return the interface to its default setting, use the no spanning-tree [vlan vlan-id] cost interface configuration command. For information on how to configure load sharing on trunk ports by using spanning-tree path costs, see the “Load Sharing Using STP” section on page 17-22. Configuring the Switch Priority of a VLAN You can configure the switch priority and make it more likely that the switch will be chosen as the root switch.
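The root-placement procedures above (mode change, root primary, root secondary, and explicit switch priority) combined into one configuration, as an added example that is not from the guide. The VLAN range, the network diameter, and the two-switch layout are assumptions. With the extended system ID, only 4 bits of the bridge priority remain, so an explicit priority is accepted only as a multiple of 4096; the explicit form is shown beside the root primary form so the two can be compared. Placing the root deterministically on a switch you control, and backing that with root guard on downstream ports (Chapter 16), is what keeps an unexpected bridge, whether misconfigured or hostile, from taking over the topology.

```cisco
! Added example, not from the guide. VLAN range, diameter and roles are assumptions.
! ---- Core switch 1: intended root for VLANs 1-64 ----
configure terminal
! Mode change first; it stops and restarts every instance, so do it in a window.
 spanning-tree mode rapid-pvst
! root primary sets the priority to 24576, or to 4096 below the lowest priority
! it currently hears if that is needed to win. diameter 4 (at most four switches
! between any two end stations) lets the switch derive matching forward-delay
! and max-age values from the hello time instead of leaving 802.1D defaults.
 spanning-tree vlan 1-64 root primary diameter 4 hello-time 2
 end
!
! Explicit equivalent. The extended system ID leaves a 4-bit priority field, so
! the value must be a multiple of 4096: 24576 is accepted, 24577 is rejected.
! Use this form when the priority must stay fixed rather than be recomputed
! relative to whatever root the switch happened to see when the macro ran.
configure terminal
 spanning-tree vlan 1-64 priority 24576
 end
!
! ---- Core switch 2: takes over the root role if switch 1 fails ----
configure terminal
 spanning-tree mode rapid-pvst
! root secondary sets priority 28672, one step behind the primary root.
 spanning-tree vlan 1-64 root secondary diameter 4 hello-time 2
 end
!
! Verification on either switch: the root ID, timers and the local priority.
show spanning-tree vlan 10
show spanning-tree summary
```

Run the mode change on every switch in the domain before tuning priorities; a switch left in PVST+ still interoperates with rapid PVST+ but falls back to 802.1D timing on the shared links, and the diameter and hello-time values only take effect from the switch that actually becomes root.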
Configuring Spanning-Tree Timers Table 14-4 describes the timers that affect the entire spanning-tree performance.
Table 14-4 Spanning-Tree Timers
Hello timer: Determines how often the switch broadcasts hello messages to other switches.
Forward-delay timer: Determines how long each of the listening and learning states lasts before the interface begins forwarding.
Configuring the Forwarding-Delay Time for a VLAN Beginning in privileged EXEC mode, follow these steps to configure the forwarding-delay time for a VLAN. This procedure is optional.
Command and purpose:
Step 1: configure terminal
  Enter global configuration mode.
Step 2: spanning-tree vlan vlan-id forward-time seconds
  Configure the forward time of a VLAN.
To return the switch to its default setting, use the no spanning-tree vlan vlan-id max-age global configuration command. Configuring Spanning Tree for Use in a Cascaded Stack Spanning tree uses default values that can be reduced when configuring your switch in cascaded configurations.
Chapter 14 Configuring STP Displaying the Spanning-Tree Status Displaying the Spanning-Tree Status To display the spanning-tree status, use one or more of the privileged EXEC commands in Table 14-6:
Table 14-6 Commands for Displaying Spanning-Tree Status
show spanning-tree active: Displays spanning-tree information on active interfaces only.
show spanning-tree detail: Displays a detailed summary of interface information.
C H A P T E R 15 Configuring MSTP This chapter describes how to configure the Cisco implementation of the IEEE 802.1s Multiple STP (MSTP) on your Catalyst 2950 or Catalyst 2955 switch. Note The multiple spanning-tree (MST) implementation is a pre-standard implementation. It is based on the draft version of the IEEE standard. The MSTP enables multiple VLANs to be mapped to the same spanning-tree instance, thereby reducing the number of spanning-tree instances needed to support a large number of VLANs.
Chapter 15 Configuring MSTP Understanding MSTP Understanding MSTP MSTP, which uses RSTP for rapid convergence, enables VLANs to be grouped into a spanning-tree instance, with each instance having a spanning-tree topology independent of other spanning-tree instances. This architecture provides multiple forwarding paths for data traffic, enables load balancing, and reduces the number of spanning-tree instances required to support a large number of VLANs.
All MST instances within the same region share the same protocol timers, but each MST instance has its own topology parameters, such as root switch ID, root path cost, and so forth. By default, all VLANs are assigned to the IST. An MST instance is local to the region; for example, MST instance 1 in region A is independent of MST instance 1 in region B, even if regions A and B are interconnected.
Figure 15-1 MST Regions, IST Masters, and the CST Root (figure: MST Region 1, MST Region 2 and MST Region 3, each with its own IST master; switch A is the IST master of its region and also the CST root; switch D is a legacy 802.1D switch outside the regions). Figure 15-1 does not show additional MST instances for each region. Note that the topology of MST instances can be different from that of the IST for the same region.
received remaining hop count by one and propagates this value as the remaining hop count in the BPDUs it generates. When the count reaches zero, the switch discards the BPDU and ages the information held for the port. The message-age and maximum-age information in the RSTP portion of the BPDU remain the same throughout the region, and the same values are propagated by the region’s designated ports at the boundary.
Chapter 15 Configuring MSTP Understanding RSTP Understanding RSTP The RSTP takes advantage of point-to-point wiring and provides rapid convergence of the spanning tree. Reconfiguration of the spanning tree can occur in less than 1 second (in contrast to 50 seconds with the default settings in the 802.1D spanning tree), which is critical for networks carrying delay-sensitive traffic such as voice and video.
Table 15-1 Port State Comparison
Operational status / STP port state (802.1D) / RSTP port state / Is port included in the active topology?
Enabled / Blocking / Discarding / No
Enabled / Listening / Discarding / No
Enabled / Learning / Learning / Yes
Enabled / Forwarding / Forwarding / Yes
Disabled / Disabled / Discarding / No
To be consistent with Cisco STP implementations, this guide documents the port state as blocking instead of discarding.
The switch determines the link type from the port duplex mode: a full-duplex port is considered to have a point-to-point connection; a half-duplex port is considered to have a shared connection. You can override the default setting that is determined by the duplex setting by using the spanning-tree link-type interface configuration command.
Figure 15-3 Sequence of Events During Rapid Convergence (figure: the proposal-agreement handshake proceeds downstream from the root, numbered 1. Proposal, 2. Block, 3. Block, 4. Agreement, 5. Forward, 6. Proposal, 7. Proposal, 8. Agreement, 9. Forward, 10. Agreement, 11. Forward, with the root port, designated port and an edge port labeled). Bridge Protocol Data Unit Format and Processing The RSTP BPDU format is the same as the IEEE 802.1D BPDU format except that the protocol version is set to 2.
The RSTP does not have a separate topology change notification (TCN) BPDU. It uses the topology change (TC) flag to show the topology changes. However, for interoperability with 802.1D switches, the RSTP switch processes and generates TCN BPDUs. The learning and forwarding flags are set according to the state of the sending port.
Chapter 15 Configuring MSTP Configuring MSTP Features • Propagation—When an RSTP switch receives a TC message from another switch through a designated or root port, it propagates the change to all of its nonedge, designated ports and to the root port (excluding the port on which it is received). The switch starts the TC-while timer for all such ports and flushes the information learned on them. • Protocol migration—For backward compatibility with 802.1D switches, RSTP selectively sends 802.
Default MSTP Configuration Table 15-3 shows the default MSTP configuration.
Table 15-3 Default MSTP Configuration
Spanning-tree mode: PVST+ (rapid PVST+ and MSTP are disabled).
Switch priority (configurable on a per-CIST interface basis): 32768.
Spanning-tree port priority (configurable on a per-CIST interface basis): 128.
Spanning-tree port cost (configurable on a per-CIST interface basis): 1000 Mbps: 4. 100 Mbps: 19.
of the MST regions must contain the CST root, and all of the other MST regions must have a better path to the root contained within the MST cloud than a path through the PVST+ or rapid-PVST+ cloud. You might have to manually configure the switches in the clouds. • Partitioning the network into a large number of regions is not recommended.
Command and purpose:
Step 8: spanning-tree mode mst
  Enable MSTP. RSTP is also enabled.
  Caution: Changing spanning-tree modes can disrupt traffic because all spanning-tree instances are stopped for the previous mode and restarted in the new mode. You cannot run both MSTP and PVST+ or both MSTP and rapid PVST+ at the same time.
Step 9: end
  Return to privileged EXEC mode.
Step 10: show running-config
  Verify your entries.
If any root switch for the specified instance has a switch priority lower than 24576, the switch sets its own priority to 4096 less than the lowest switch priority. (4096 is the value of the least-significant bit of a 4-bit switch priority value as shown in Table 14-1 on page 14-4.) Note Catalyst 2950 switches running software earlier than Cisco IOS Release 12.1(9)EA1 do not support the extended system ID.
Command and purpose:
Step 3: end
  Return to privileged EXEC mode.
Step 4: show spanning-tree mst instance-id
  Verify your entries.
Step 5: copy running-config startup-config
  (Optional) Save your entries in the configuration file.
To return the switch to its default setting, use the no spanning-tree mst instance-id root global configuration command.
To return the switch to its default setting, use the no spanning-tree mst instance-id root global configuration command. Configuring the Port Priority If a loop occurs, the MSTP uses the port priority when selecting an interface to put into the forwarding state. You can assign higher priority values (lower numerical values) to interfaces that you want selected first and lower priority values (higher numerical values) that you want selected last.
Configuring the Path Cost The MSTP path cost default value is derived from the media speed of an interface. If a loop occurs, the MSTP uses cost when selecting an interface to put in the forwarding state. You can assign lower cost values to interfaces that you want selected first and higher cost values that you want selected last.
Configuring the Switch Priority You can configure the switch priority and make it more likely that the switch will be chosen as the root switch. Note Exercise care when using this command. For most situations, we recommend that you use the spanning-tree mst instance-id root primary and the spanning-tree mst instance-id root secondary global configuration commands to modify the switch priority.
Beginning in privileged EXEC mode, follow these steps to configure the hello time for all MST instances. This procedure is optional.
Command and purpose:
Step 1: configure terminal
  Enter global configuration mode.
Step 2: spanning-tree mst hello-time seconds
  Configure the hello time for all MST instances. The hello time is the interval between the generation of configuration messages by the root switch. These messages mean that the switch is alive.
Configuring the Maximum-Aging Time Beginning in privileged EXEC mode, follow these steps to configure the maximum-aging time for all MST instances. This procedure is optional.
Command and purpose:
Step 1: configure terminal
  Enter global configuration mode.
Step 2: spanning-tree mst max-age seconds
  Configure the maximum-aging time for all MST instances.
Specifying the Link Type to Ensure Rapid Transitions If you connect a port to another port through a point-to-point link and the local port becomes a designated port, the RSTP negotiates a rapid transition with the other port by using the proposal-agreement handshake to ensure a loop-free topology as described in the “Rapid Convergence” section on page 15-7.
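The MSTP procedures in this section (mode change with its caution, per-instance root primary and secondary, region-wide timers, and link type) applied to one core switch, as an added example that is not from the guide. The region commands spanning-tree mst configuration, name, revision and instance are the standard IOS MST-region commands; they are not reproduced on this page. The region name, revision number, VLAN-to-instance mapping and interface numbers are assumptions. The caveat that matters operationally: every switch meant to be in the region must carry an identical name, revision and VLAN map, because any difference makes that switch a region of its own with its own IST master, and when PVST+ switches are attached the CST root has to sit inside the MST cloud (see the guidelines above).

```cisco
! Added example, not from the guide. Region name, revision, VLAN map and
! interface numbers are assumptions. Apply the same region block to every switch.
configure terminal
!
! 1. Define the region. Name, revision and instance-to-VLAN map must match
!    byte for byte on all switches; the digest in "show spanning-tree mst
!    configuration" is the quick way to compare them.
 spanning-tree mst configuration
  name CAMPUS
  revision 1
  instance 1 vlan 10-19
  instance 2 vlan 20-29
  exit
!
! 2. Switch to MST. This stops and restarts every spanning-tree instance
!    (the caution at Step 8 above), so schedule it. PVST+ cannot run beside MST.
 spanning-tree mode mst
!
! 3. Place the roots per instance. On the other core switch swap primary and
!    secondary so each instance has a different root and both uplinks carry
!    traffic. Instance 0 is the IST; keep its root inside the region.
 spanning-tree mst 0 root primary
 spanning-tree mst 1 root primary
 spanning-tree mst 2 root secondary
!
! 4. Region-wide timers. Only the root's values are used, but set them
!    identically everywhere. Inside the region the remaining hop count,
!    not max-age, is what ages out MST information.
 spanning-tree mst hello-time 2
 spanning-tree mst forward-time 15
 spanning-tree mst max-age 20
 spanning-tree mst max-hops 20
!
! 5. Force the link type on an inter-switch link whose speed and duplex were
!    set by hand (no autonegotiation), so RSTP still treats it as point-to-point
!    and uses the proposal/agreement handshake instead of waiting out forward-delay.
 interface fastethernet0/24
  speed 100
  duplex full
  spanning-tree link-type point-to-point
 end
!
! Verification: the configuration digest must be identical on every switch
! in the region, and instance 1 should show this switch as root.
show spanning-tree mst configuration
show spanning-tree mst 1
```

Set the link type only on links that really are point-to-point; forcing it on a port that connects to a hub or to more than one bridge lets RSTP transition that port to forwarding before the other bridges have agreed, which is exactly the loop the handshake exists to prevent.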
Chapter 15 Configuring MSTP Displaying the MST Configuration and Status Displaying the MST Configuration and Status To display the spanning-tree status, use one or more of the privileged EXEC commands in Table 15-4:
Table 15-4 Commands for Displaying MST Status
show spanning-tree mst configuration: Displays the MST region configuration.
show spanning-tree mst instance-id: Displays MST information for the specified instance.
C H A P T E R 16 Configuring Optional Spanning-Tree Features This chapter describes how to configure optional spanning-tree features on your Catalyst 2950 or Catalyst 2955 switch. You can configure all of these features when your switch is running the per-VLAN spanning-tree plus (PVST+). You can configure only the noted features when your switch is running the Multiple Spanning Tree Protocol (MSTP) or the rapid per-VLAN spanning-tree plus (rapid-PVST+) protocol.
Chapter 16 Configuring Optional Spanning-Tree Features Understanding Optional Spanning-Tree Features Understanding Port Fast Port Fast immediately brings an interface configured as an access or trunk port to the forwarding state from a blocking state, bypassing the listening and learning states.
You can enable the BPDU guard feature for the entire switch or for an interface. Understanding BPDU Filtering The BPDU filtering feature can be globally enabled on the switch or can be enabled per interface, but the feature operates with some differences.
If a switch loses connectivity, it begins using the alternate paths as soon as the spanning tree selects a new root port. By enabling UplinkFast with the spanning-tree uplinkfast global configuration command, you can accelerate the choice of a new root port when a link or switch fails or when the spanning tree reconfigures itself.
Figure 16-4 UplinkFast Example After Direct Link Failure (figure: Switch A (Root) and Switch B joined by links L1, L2 and L3; after the link failure, UplinkFast transitions the port directly to the forwarding state).
Figure 16-5 Cross-Stack UplinkFast Topology (figure: a backbone holding the spanning-tree root; Link A is the root link and Links B and C are alternate redundant links, each 100 or 1000 Mbps, ending on the stack-root port and the alternate stack-root ports of Switches A, B and C, which are joined through their stack ports over a multidrop backbone).
Events that Cause Fast Convergence Depending on the network event or failure, the CSUF fast convergence might or might not occur. Fast convergence (less than 1 second under normal network conditions) occurs under these circumstances: • The stack-root port link fails. If two switches in the stack have alternate paths to the root, only one of the switches performs the fast transition.
Connecting the Stack Ports A fast transition occurs across the stack of switches if the multidrop backbone connections are a continuous link from one GigaStack GBIC module to another as shown in the top half of Figure 16-6. The bottom half of Figure 16-6 shows how to connect the GigaStack GBIC module to achieve a normal convergence time.
Understanding BackboneFast BackboneFast detects indirect failures in the core of the backbone. BackboneFast is a complementary technology to the UplinkFast feature, which responds to failures on links directly connected to access switches. BackboneFast optimizes the maximum-age timer, which determines the amount of time the switch stores protocol information received on an interface.
If link L1 fails as shown in Figure 16-8, Switch C cannot detect this failure because it is not connected directly to link L1. However, because Switch B is directly connected to the root switch over L1, it detects the failure, elects itself the root, and begins sending BPDUs to Switch C, identifying itself as the root.
Understanding EtherChannel Guard You can use EtherChannel guard to detect an EtherChannel misconfiguration between the switch and a connected device. A misconfiguration can occur if the switch interfaces are configured in an EtherChannel, but the interfaces on the other device are not. A misconfiguration can also occur if the channel parameters are not the same at both ends of the EtherChannel.
Chapter 16 Configuring Optional Spanning-Tree Features Configuring Optional Spanning-Tree Features Figure 16-10 Root Guard in a Service-Provider Network (figure: a service-provider network connected to a customer network; without root guard, a switch in the customer network is a potential spanning-tree root). Enable the root-guard feature on the service-provider interfaces that face the customer network to prevent switches in the customer network from becoming the root switch or being in the path to the root.
• Enabling BackboneFast, page 16-18 (optional) • Enabling EtherChannel Guard, page 16-18 (optional) • Enabling Root Guard, page 16-19 (optional) • Enabling Loop Guard, page 16-19 (optional) Default Optional Spanning-Tree Configuration Table 16-1 shows the default optional spanning-tree configuration.
Beginning in privileged EXEC mode, follow these steps to enable Port Fast. This procedure is optional.
Command and purpose:
Step 1: configure terminal
  Enter global configuration mode.
Step 2: interface interface-id
  Specify an interface to configure, and enter interface configuration mode.
Step 3: spanning-tree portfast [trunk]
  Enable Port Fast on an access port connected to a single workstation or server.
You can also use the spanning-tree bpduguard enable interface configuration command to enable BPDU guard on any port without also enabling the Port Fast feature. When the port receives a BPDU, it is put in the error-disabled state. You can enable the BPDU guard feature if your switch is running PVST+, rapid PVST+, or MSTP.
Beginning in privileged EXEC mode, follow these steps to globally enable the BPDU filtering feature. This procedure is optional.
Command and purpose:
Step 1: configure terminal
  Enter global configuration mode.
Step 2: spanning-tree portfast bpdufilter default
  Globally enable BPDU filtering. By default, BPDU filtering is disabled.
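The Port Fast, BPDU guard and BPDU filtering procedures above applied together on a 24-port access switch, as an added example that is not from the guide. The port range, the VLAN and the recovery interval are assumptions. Port Fast by itself only skips the listening and learning states; a switch plugged into such a port, or a host that sends BPDUs, can still join the tree and influence it. BPDU guard closes that gap by error-disabling the port on the first BPDU, and the global spanning-tree portfast bpduguard default form attaches it to every Port Fast port automatically. BPDU filtering is shown beside it only for contrast: enabled per interface it stops the port from sending and receiving BPDUs, which is the same as turning spanning tree off on that port, so a loop through it is never detected. On any port an unmanaged device can reach, use guard, not filter.

```cisco
! Added example, not from the guide. Port range, VLAN and interval are assumptions.
configure terminal
!
! Global: every port that is, or later becomes, a Port Fast port also gets
! BPDU guard, so a port added by someone who forgets the per-port command is
! still covered.
 spanning-tree portfast bpduguard default
!
! Let a guarded port come back by itself after 5 minutes; otherwise an
! operator has to shutdown / no shutdown it. Keep the interval long enough
! that a device which keeps sending BPDUs does not flap the port all day.
 errdisable recovery cause bpduguard
 errdisable recovery interval 300
!
! Host-facing access ports.
 interface range fastethernet0/1 - 20
  switchport mode access
  switchport access vlan 10
  spanning-tree portfast
! Redundant with the global default above, but it keeps the protection visible
! in the interface stanza and survives if the global command is removed later.
  spanning-tree bpduguard enable
  exit
!
! Contrast only, NOT recommended where an unmanaged device can connect:
! per-interface filtering drops BPDUs in both directions, so this port can
! neither detect a loop nor be error-disabled by guard.
 interface fastethernet0/21
  switchport mode access
  spanning-tree bpdufilter enable
 end
!
! Verification: global feature state, ports currently error-disabled, and the
! per-port Port Fast / guard settings.
show spanning-tree summary
show interfaces status err-disabled
show spanning-tree interface fastethernet0/1
```

The global spanning-tree portfast bpdufilter default form behaves differently from the per-interface form: it only stops Port Fast ports from sending BPDUs, and a port that then receives one loses its Port Fast status and runs the normal state machine. That is why the example enables filtering per interface only to show the risky case, and never on the host ports.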
Command and purpose:
Step 4: show spanning-tree summary
  Verify your entries.
Step 5: copy running-config startup-config
  (Optional) Save your entries in the configuration file.
When UplinkFast is enabled, the switch priority of all VLANs is set to 49152.
To disable CSUF on an interface, use the no spanning-tree stack-port interface configuration command. To disable UplinkFast on the switch and all its VLANs, use the no spanning-tree uplinkfast global configuration command. Enabling BackboneFast You can enable BackboneFast to detect indirect link failures and to start the spanning-tree reconfiguration sooner.
To disable the EtherChannel guard feature, use the no spanning-tree etherchannel guard misconfig global configuration command. You can use the show interfaces status err-disabled privileged EXEC command to determine which switch ports are disabled because of an EtherChannel misconfiguration.
Chapter 16 Configuring Optional Spanning-Tree Features Displaying the Spanning-Tree Status You can enable this feature if your switch is running PVST+, rapid PVST+, or MSTP. Beginning in privileged EXEC mode, follow these steps to enable loop guard. This procedure is optional.
Command and purpose:
Step 1: show spanning-tree active or show spanning-tree mst
  Determine which ports are alternate or root ports.
Step 2: configure terminal
  Enter global configuration mode.
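The remaining Chapter 16 procedures (UplinkFast, BackboneFast, EtherChannel guard, root guard, loop guard) applied to one access switch with two uplinks to the core, as an added example that is not from the guide. The interface numbers and the topology are assumptions. UplinkFast comes first because it rewrites the switch priority of every VLAN to 49152 and raises the path cost of the switch's ports, so it belongs only on access switches that must never become root; on a core switch it would undo the root placement from Chapter 14. Root guard goes on the ports that face a device which must not become root (the customer side in Figure 16-10): a superior BPDU arriving there puts the port into the root-inconsistent blocking state instead of moving the root. Loop guard goes on the root and alternate ports, where a one-way failure would otherwise let a blocking port start forwarding because it stopped hearing BPDUs. EtherChannel guard is global.

```cisco
! Added example, not from the guide. Interface numbers and topology are assumptions:
! Fa0/23 and Fa0/24 are uplinks to the core (one root port, one alternate),
! Fa0/21 and Fa0/22 face a downstream switch that must never become root,
! Fa0/1-20 are Port Fast host ports configured elsewhere.
!
! Step 1 of the loop-guard procedure: confirm which ports are root/alternate.
show spanning-tree active
!
configure terminal
!
! Access-layer convergence. UplinkFast forces priority 49152 on every VLAN,
! so this switch can no longer win a root election; that is intended here.
 spanning-tree uplinkfast
 spanning-tree backbonefast
!
! Detect an EtherChannel configured on one end only; offending ports are
! error-disabled rather than left to forward in a partial bundle.
 spanning-tree etherchannel guard misconfig
!
! Loop guard on the uplinks only. The global loopguard default form would
! also touch host ports, where Port Fast with BPDU guard is the right tool.
! Loop guard and root guard are mutually exclusive on a port.
 interface range fastethernet0/23 - 24
  spanning-tree guard loop
  exit
!
! Root guard toward the downstream switch. A superior BPDU moves the port to
! root-inconsistent (blocking) and is logged; the port recovers on its own
! once the superior BPDUs stop, so no errdisable recovery entry is needed.
 interface range fastethernet0/21 - 22
  spanning-tree guard root
  end
!
! Verification: feature summary, ports blocked by a guard, ports error-disabled.
show spanning-tree summary
show spanning-tree inconsistentports
show interfaces status err-disabled
```

Because UplinkFast changes the priority and costs of the switch that runs it, check show spanning-tree summary on the core afterwards: if the root moved, UplinkFast was enabled on a switch that was in the path to the root.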
C H A P T E R 17 Configuring VLANs This chapter describes how to configure normal-range VLANs (VLAN IDs 1 to 1005) and extended-range VLANs (VLAN IDs 1006 to 4094) on your Catalyst 2950 or Catalyst 2955 switch. It includes information about VLAN modes and the VLAN Membership Policy Server (VMPS). Note For complete syntax and usage information for the commands used in this chapter, refer to the command reference for this release.
Chapter 17 Configuring VLANs Understanding VLANs Figure 17-1 shows an example of VLANs segmented into logically defined networks. Figure 17-1 VLANs as Logically Defined Networks (figure: Engineering, Marketing and Accounting VLANs spanning Floors 1 to 3, interconnected through a Cisco router over Fast Ethernet). VLANs are often associated with IP subnetworks. For example, all the end stations in a particular IP subnet belong to the same VLAN.
VLAN Port Membership Modes You configure a port to belong to a VLAN by assigning a membership mode that determines the kind of traffic the port carries and the number of VLANs to which it can belong. Table 17-1 lists the membership modes and membership and VTP characteristics.
Chapter 17 Configuring VLANs Configuring Normal-Range VLANs Configuring Normal-Range VLANs Normal-range VLANs are VLANs with VLAN IDs 1 to 1005. If the switch is in VTP server or transparent mode, you can add, modify or remove configurations for VLANs 2 to 1001 in the VLAN database. (VLAN IDs 1 and 1002 to 1005 are automatically created and cannot be removed.
This section includes information about these topics about normal-range VLANs: • Token Ring VLANs, page 17-5 • Normal-Range VLAN Configuration Guidelines, page 17-5 • VLAN Configuration Mode Options, page 17-6 • Saving VLAN Configuration, page 17-7 • Default Ethernet VLAN Configuration, page 17-7 • Creating or Modifying an Ethernet VLAN, page 17-8 • Deleting a VLAN, page 17-10 • Assigning Static-Access Ports to a VLAN, page 17-11
is to allow all VLANs), the new VLAN is carried on all trunk ports. Depending on the topology of the network, this could create a loop in the new VLAN that would not be broken, particularly if there are several adjacent switches that all have run out of spanning-tree instances. You can prevent this possibility by setting allowed lists on the trunk ports of switches that have used up their allocation of spanning-tree instances.
Saving VLAN Configuration The configurations of VLAN IDs 1 to 1005 are always saved in the VLAN database (vlan.dat file). If VTP mode is transparent, they are also saved in the switch running configuration file and you can enter the copy running-config startup-config privileged EXEC command to save the configuration in the startup configuration file.
Table 17-2 Ethernet VLAN Defaults and Ranges
VLAN ID: default 1; range 1 to 4094 when the EI is installed and 1 to 1005 when the SI is installed. Note: Extended-range VLANs (VLAN IDs 1006 to 4094) are not saved in the VLAN database.
VLAN name: default VLANxxxx, where xxxx represents four numeric digits (including leading zeros) equal to the VLAN ID number; no range.
802.
Command and purpose:
Step 3: name vlan-name
  (Optional) Enter a name for the VLAN. If no name is entered for the VLAN, the default is to append the vlan-id with leading zeros to the word VLAN. For example, VLAN0004 is a default VLAN name for VLAN 4.
Step 4: mtu mtu-size
  (Optional) Change the MTU size (or other VLAN characteristic).
Step 5: remote-span
  (Optional) Configure the VLAN as the RSPAN VLAN for a remote SPAN session.
Note You cannot configure an RSPAN VLAN in VLAN database configuration mode. To return the VLAN name to the default settings, use the no vlan vlan-id name or no vlan vlan-id mtu VLAN configuration command. This example shows how to use VLAN database configuration mode to create Ethernet VLAN 20, name it test20, and add it to the VLAN database:
Switch# vlan database
Switch(vlan)# vlan 20 name test20
Switch(vlan)# exit
APPLY completed.
Exiting...
Assigning Static-Access Ports to a VLAN You can assign a static-access port to a VLAN without having VTP globally propagate VLAN configuration information by disabling VTP (VTP transparent mode). If you are assigning a port on a cluster member switch to a VLAN, first use the rcommand privileged EXEC command to log in to the member switch. Note If you assign an interface to a VLAN that does not exist, the new VLAN is created.
Chapter 17 Configuring VLANs Configuring Extended-Range VLANs Configuring Extended-Range VLANs When the switch is in VTP transparent mode (VTP disabled) and the EI is installed, you can create extended-range VLANs (in the range 1006 to 4094). Extended-range VLANs enable service providers to extend their infrastructure to a greater number of customers. The extended-range VLAN IDs are allowed for any switchport commands that allow VLAN IDs.
• VLANs in the extended range are not supported by VQP. They cannot be configured by VMPS. • STP is enabled by default on extended-range VLANs, but you can disable it by using the no spanning-tree vlan vlan-id global configuration command. When the maximum number of spanning-tree instances (64) are on the switch, spanning tree is disabled on any newly created VLANs.
Chapter 17 Configuring VLANs Displaying VLANs To delete an extended-range VLAN, use the no vlan vlan-id global configuration command. The procedure for assigning static-access ports to an extended-range VLAN is the same as for normal-range VLANs. See the “Assigning Static-Access Ports to a VLAN” section on page 17-11.
Chapter 17 Configuring VLANs Configuring VLAN Trunks Configuring VLAN Trunks These sections describe how VLAN trunks function on the switch: • Trunking Overview, page 17-15 • 802.1Q Configuration Considerations, page 17-16 • Default Layer 2 Ethernet Interface VLAN Configuration, page 17-17 Trunking Overview A trunk is a point-to-point link between one or more Ethernet switch interfaces and another networking device such as a router or a switch.
• If you do not intend to trunk across those links, use the switchport mode access interface configuration command to disable trunking. • To enable trunking to a device that does not support DTP, use the switchport mode trunk and switchport nonegotiate interface configuration commands to cause the interface to become a trunk but to not generate DTP frames.
• Make sure the native VLAN for an 802.1Q trunk is the same on both ends of the trunk link. If the native VLAN on one end of the trunk is different from the native VLAN on the other end, spanning-tree loops might result. • Disabling spanning tree on the native VLAN of an 802.1Q trunk without disabling spanning tree on every VLAN in the network can potentially cause spanning-tree loops.
Interaction with Other Features Trunking interacts with other features in these ways: • A trunk port cannot be a secure port. • Trunk ports can be grouped into EtherChannel port groups, but all trunks in the group must have the same configuration. When a group is first created, all ports follow the parameters set for the first port to be added to the group.
Command and purpose:
Step 8: show interfaces interface-id trunk
  Display the trunk configuration of the interface.
Step 9: copy running-config startup-config
  (Optional) Save your entries in the configuration file.
To return an interface to its default configuration, use the default interface interface-id interface configuration command.
Chapter 17 Configuring VLANs Configuring VLAN Trunks Step 4 Command Purpose switchport trunk allowed vlan {add | all | except | remove} vlan-list (Optional) Configure the list of VLANs allowed on the trunk. For explanations about using the add, all, except, and remove keywords, refer to the command reference for this release.
Chapter 17 Configuring VLANs Configuring VLAN Trunks Command Purpose Step 4 end Return to privileged EXEC mode. Step 5 show interfaces interface-id switchport Verify your entries in the Pruning VLANs Enabled field of the display. Step 6 copy running-config startup-config (Optional) Save your entries in the configuration file. To return to the default pruning-eligible list of all VLANs, use the no switchport trunk pruning vlan interface configuration command.
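The guidelines above (static trunking without DTP, matching native VLANs, an explicit allowed list, pruning) fit together into one hardened uplink configuration. The following is an added example, not a configuration from this guide; the interface numbers, VLAN IDs, and description text are assumptions. It keeps user ports from ever negotiating a trunk and moves the native VLAN off VLAN 1 onto an otherwise empty VLAN, which has to be configured identically on the far end of the link.

```ios
! Uplink to the distribution switch: static 802.1Q trunk, DTP disabled,
! dedicated native VLAN, explicit allowed list (assumed interface and VLAN IDs)
interface FastEthernet0/24
 description uplink-to-distribution
 switchport mode trunk
 switchport nonegotiate
 switchport trunk native vlan 999
 switchport trunk allowed vlan 10,20,30,999
 ! VLAN 30 has no hosts here, so do not let its flooded traffic cross this trunk
 switchport trunk pruning vlan remove 30
!
! Otherwise unused VLAN that exists only to be the trunk's native VLAN
vlan 999
 name trunk-native-unused
!
! Every user-facing port: hard-coded access port, so it never becomes a trunk
interface range FastEthernet0/1 - 23
 switchport mode access
 switchport access vlan 10
!
end
! Verify: native VLAN 999, the allowed list, and that no other trunks appeared
show interfaces FastEthernet0/24 trunk
show interfaces FastEthernet0/24 switchport
show interfaces trunk
```

Because switchport nonegotiate stops DTP frames, the neighbor must also be configured as a static trunk; it will not auto-negotiate. The native VLAN is the one VLAN that crosses the trunk untagged, so mismatching it (or leaving it on a VLAN that carries user traffic) is what the loop and leakage warnings above are about.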
Load Sharing Using STP
Load sharing divides the bandwidth supplied by parallel trunks connecting switches. To avoid loops, STP normally blocks all but one parallel link between switches. Using load sharing, you divide the traffic between the links according to the VLAN to which the traffic belongs. You configure load sharing on trunk ports by using STP port priorities or STP path costs.
Beginning in privileged EXEC mode, follow these steps to configure the network shown in Figure 17-3.
Step 1   configure terminal       Enter global configuration mode on Switch 1.
Step 2   vtp domain domain-name   Configure a VTP administrative domain. The domain name can be from 1 to 32 characters.
Step 3   vtp mode server          Configure Switch 1 as the VTP server.
Step 4   end                      Return to privileged EXEC mode.
Load Sharing Using STP Path Cost
You can configure parallel trunks to share VLAN traffic by setting different path costs on a trunk and associating the path costs with different sets of VLANs. The VLANs keep the traffic separate. Because no loops exist, STP does not disable the ports, and redundancy is maintained in the event of a lost link. In Figure 17-4, Trunk ports 1 and 2 are 100BASE-T ports.
Step 11  spanning-tree vlan 2-4 cost 30   Set the spanning-tree path cost to 30 for VLANs 2 through 4.
Step 12  exit                             Return to global configuration mode.
Step 13  Repeat Steps 9 through 11 on Switch A interface Fast Ethernet 0/2, and set the spanning-tree path cost to 30 for VLANs 8, 9, and 10.
Step 14  end                              Return to privileged EXEC mode.
Step 15  show running-config              Verify your entries.
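The path-cost procedure, carried through for both trunk ports on Switch A, as an added example rather than text from this guide. It assumes Switch B (or something beyond it) is the spanning-tree root for these VLANs, so Switch A's per-VLAN port costs decide which trunk each VLAN forwards on; the interface numbers match the steps above, the use of static trunking is an assumption.

```ios
! Switch A: two parallel 100BASE-T trunks to Switch B
interface FastEthernet0/1
 switchport mode trunk
 switchport nonegotiate
 ! Raise the cost for VLANs 2-4 here, so those VLANs prefer Fa0/2
 spanning-tree vlan 2-4 cost 30
!
interface FastEthernet0/2
 switchport mode trunk
 switchport nonegotiate
 ! Raise the cost for VLANs 8-10 here, so those VLANs prefer Fa0/1
 spanning-tree vlan 8-10 cost 30
!
end
! Expected: VLAN 2 shows Fa0/1 blocking and Fa0/2 forwarding; VLAN 8 the reverse.
! If either trunk fails, the surviving one forwards every VLAN.
show spanning-tree vlan 2
show spanning-tree vlan 8
show interfaces trunk
```

Nothing needs to be changed on Switch B for this to work; the default cost of a 100-Mbps link is 19, so a cost of 30 is enough to make the other trunk the root port for those VLANs.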
Configuring VMPS
• If the VLAN in the database does not match the current VLAN on the port and active hosts exist on the port, the VMPS sends an access-denied or a port-shutdown response, depending on the secure mode of the VMPS. If the switch receives an access-denied response from the VMPS, it continues to block traffic from the MAC address to or from the port.
Default VMPS Client Configuration
Table 17-6 shows the default VMPS and dynamic port configuration on client switches.
Configuring the VMPS Client
You configure dynamic VLANs by using the VMPS (server). The switch can be a VMPS client; it cannot be a VMPS server.
Entering the IP Address of the VMPS
You must first enter the IP address of the server to configure the switch as a client.
Note If the VMPS is being defined for a cluster of switches, enter the address on the command switch.
Step 4   switchport access vlan dynamic            Configure the port as eligible for dynamic VLAN membership. The dynamic access port must be connected to an end station.
Step 5   end                                       Return to privileged EXEC mode.
Step 6   show interfaces interface-id switchport   Verify your entries in the Operational Mode field of the display.
Step 7   copy running-config startup-config        (Optional) Save your entries in the configuration file.
Step 4   show vmps                                 Verify the dynamic VLAN reconfirmation status in the Reconfirm Interval field of the display.
Step 5   copy running-config startup-config        (Optional) Save your entries in the configuration file.
To return the switch to its default setting, use the no vmps reconfirm global configuration command.
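The three client-side procedures (server address, dynamic-access port, reconfirmation) as one added example; this is not configuration from the guide. The primary server address 172.20.128.86 is the one that appears in the show vmps output in this chapter, the secondary address, interface number, and timers are assumptions.

```ios
! VMPS client: primary and secondary servers
vmps server 172.20.128.86 primary
vmps server 172.20.128.87
! Re-check every dynamic port's VLAN assignment every 30 minutes, 3 retries per query
vmps reconfirm 30
vmps retry 3
!
! A dynamic-access port: one end station, VLAN assigned by the VMPS database
interface FastEthernet0/3
 switchport mode access
 switchport access vlan dynamic
 spanning-tree portfast
!
end
show vmps
show interfaces FastEthernet0/3 switchport
! After changing the database on the server, query it again immediately
vmps reconfirm
```

The VQP exchange is unauthenticated, so the MAC-to-VLAN mapping is only as trustworthy as the path to the VMPS; what happens on a MAC that is not in the database (access-denied versus port-shutdown) is decided by the secure mode configured on the VMPS, not on this switch.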
This is an example of output for the show vmps privileged EXEC command:
Switch# show vmps
VQP Client Status:
--------------------
VMPS VQP Version:   1
Reconfirm Interval: 60 min
Server Retry Count: 3
VMPS domain server: 172.20.128.86 (primary, current)
                    172.20.128.
Figure 17-5 Dynamic Port VLAN Membership Configuration (figure: a TFTP server and a Catalyst 6500 series switch A acting as primary VMPS server 1 at 172.20.26.150; a router at 172.20.22.7; client switch B at 172.20.26.151 with a dynamic-access port to end station 1 and a trunk port; switches C through H at 172.20.26.152, 172.20.26.153, 172.20.26.154, 172.20.26.155, 172.20.26.156, and 172.20.26.)
CHAPTER 18 Configuring VTP
This chapter describes how to use the VLAN Trunking Protocol (VTP) and the VLAN database for managing VLANs on your Catalyst 2950 or Catalyst 2955 switch.
Note For complete syntax and usage information for the commands used in this chapter, refer to the command reference for this release.
Understanding VTP
The VTP Domain
A VTP domain (also called a VLAN management domain) consists of one switch or several interconnected switches under the same administrative responsibility sharing the same VTP domain name. A switch can be in only one VTP domain. You make global VLAN configuration changes for the domain by using the command-line interface (CLI), Cluster Management Suite (CMS) software, or Simple Network Management Protocol (SNMP).
VTP Modes
You can configure a supported switch to be in one of the VTP modes listed in Table 18-1.
Table 18-1 VTP Modes
VTP server   In VTP server mode, you can create, modify, and delete VLANs and specify other configuration parameters (such as the VTP version) for the entire VTP domain.
• MD5 digest VLAN configuration, including maximum transmission unit (MTU) size for each VLAN
• Frame format
VTP advertisements distribute this VLAN information for each configured VLAN:
• VLAN IDs
• VLAN name
• VLAN type
• VLAN state
• Additional VLAN configuration information specific to the VLAN type
VTP Version 2
If you use VTP in your network, you must decide whether to use version 1 or version 2. By default, VTP operates in version 1.
Figure 18-1 Flooding Traffic without VTP Pruning (figure: Switches A through F, the Red VLAN, and Port 1 and Port 2 labels)
Figure 18-2 shows a switched network with VTP pruning enabled. The broadcast traffic from Switch A is not forwarded to Switches C, E, and F because traffic for the Red VLAN has been pruned on the links shown (Port 5 on Switch B and Port 4 on Switch D).
Configuring VTP
VTP pruning is not designed to function in VTP transparent mode. If one or more switches in the network are in VTP transparent mode, you should do one of these:
• Turn off VTP pruning in the entire network.
• Turn off VTP pruning by making all VLANs on the trunk of the switch upstream to the VTP transparent switch pruning ineligible.
VTP Configuration Options
You can configure VTP by using these configuration modes.
• VTP Configuration in Global Configuration Mode, page 18-7
• VTP Configuration in VLAN Configuration Mode, page 18-7
You access VLAN configuration mode by entering the vlan database privileged EXEC command. For detailed information about vtp commands, refer to the command reference for this release.
VTP Configuration Guidelines
These sections describe guidelines you should follow when implementing VTP in your network.
Domain Names
When configuring VTP for the first time, you must always assign a domain name. You must configure all switches in the VTP domain with the same domain name. Switches in VTP transparent mode do not exchange VTP messages with other switches, and you do not need to configure a VTP domain name for them.
VTP Version
Follow these guidelines when deciding which VTP version to implement:
• All switches in a VTP domain must run the same VTP version.
• A VTP version 2-capable switch can operate in the same VTP domain as a switch running VTP version 1 if version 2 is disabled on the version 2-capable switch (version 2 is disabled by default).
• Do not enable VTP version 2 on a switch unless all of the switches in the same VTP domain are version-2-capable.
Step 4   vtp password password   (Optional) Set the password for the VTP domain. The password can be from 8 to 64 characters. If you configure a VTP password, the VTP domain does not function properly if you do not assign the same password to each switch in the domain.
Step 5   end                     Return to privileged EXEC mode.
Step 6   show vtp status         Verify your entries in the VTP Operating Mode and the VTP Domain Name fields of the display.
This example shows how to use VLAN configuration mode to configure the switch as a VTP server with the domain name eng_group and the password mypassword:
Switch# vlan database
Switch(vlan)# vtp server
Switch(vlan)# vtp domain eng_group
Switch(vlan)# vtp password mypassword
Switch(vlan)# exit
APPLY completed.
Exiting....
Configuring a VTP Client
When a switch is in VTP client mode, you cannot change its VLAN configuration.
Note You can also configure a VTP client by using the vlan database privileged EXEC command to enter VLAN configuration mode and entering the vtp client command, similar to the second procedure under the “Configuring a VTP Server” section on page 18-9. Use the no vtp client VLAN configuration command to return the switch to VTP server mode or the no vtp password VLAN configuration command to return the switch to a no-password state.
Note You can also configure VTP transparent mode by using the vlan database privileged EXEC command to enter VLAN configuration mode and by entering the vtp transparent command, similar to the second procedure under the “Configuring a VTP Server” section on page 18-9. Use the no vtp transparent VLAN configuration command to return the switch to VTP server mode. If extended-range VLANs are configured on the switch, you cannot change VTP mode to server.
Enabling VTP Pruning
Pruning increases available bandwidth by restricting flooded traffic to those trunk links that the traffic must use to access the destination devices. You can only enable VTP pruning on a switch in VTP server mode. Beginning in privileged EXEC mode, follow these steps to enable VTP pruning in the VTP domain:
Step 1   configure terminal   Enter global configuration mode.
Beginning in privileged EXEC mode, follow these steps to verify and reset the VTP configuration revision number on a switch before adding it to a VTP domain:
Step 1   show vtp status   Check the VTP configuration revision number. If the number is 0, add the switch to the VTP domain. If the number is greater than 0, follow these steps:
  a. Write down the domain name.
  b. Write down the configuration revision number.
  c.
Monitoring VTP
You monitor VTP by displaying VTP configuration information: the domain name, the current VTP revision, and the number of VLANs. You can also display statistics about the advertisements sent and received by the switch. Table 18-3 shows the privileged EXEC commands for monitoring VTP activity.
Table 18-3 VTP Monitoring Commands
show vtp status   Display the VTP switch configuration information.
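The server, client, transparent, pruning, and revision-number procedures in this chapter, combined into one added example using the global configuration form of the vtp commands; this is not configuration from the guide. The domain name eng_group and password mypassword are the ones used in the chapter's own example; the reset technique (leaving the domain by switching to transparent mode, then rejoining) is a well-known property of VTP that this chapter's truncated step list does not spell out, and the choice of which switch plays which role is an assumption.

```ios
! --- Switch about to be cabled into the domain: check the revision number first
show vtp status
! If "Configuration Revision" is greater than 0, going through transparent mode
! and back resets it to 0, so this switch cannot overwrite the domain's VLAN
! database with its own stale (but higher-numbered) copy
configure terminal
 vtp mode transparent
 vtp mode client
 vtp domain eng_group
 vtp password mypassword
 exit
show vtp status
!
! --- The one VTP server for the domain: domain, password, pruning
configure terminal
 vtp domain eng_group
 vtp password mypassword
 vtp mode server
 vtp pruning
 exit
show vtp status
show vtp counters
!
! --- An access switch that must never take VLANs from the wire: transparent.
! It keeps the domain name only so it forwards the domain's advertisements
! across its trunks to switches behind it.
configure terminal
 vtp mode transparent
 vtp domain eng_group
 exit
```

The password is folded into the MD5 digest of each advertisement, so a switch without it cannot inject VLAN changes; it does not protect against a legitimately configured switch that arrives with a higher revision number, which is why the reset step comes before cabling, not after.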
CHAPTER 19 Configuring Voice VLAN
This chapter describes how to configure the voice VLAN feature on your Catalyst 2950 or Catalyst 2955 switch. Voice VLAN is sometimes referred to as an auxiliary VLAN in the Catalyst 6000 family switch documentation.
Note For complete syntax and usage information for the commands used in this chapter, refer to the command reference for this release.
Configuring Voice VLAN
Figure 19-1 shows one way to connect a Cisco 7960 IP Phone.
Figure 19-1 Cisco 7960 IP Phone Connected to a Switch (figure: the phone's internal 3-port switch, with ports P1, P2, and P3 connecting the phone ASIC, the switch access port, and the PC)
When the IP Phone connects to the switch, the access port (PC-to-telephone jack) of the IP phone can connect to a PC. Packets to and from the PC and to or from the IP phone share the same physical link to the switch and the same switch port.
Voice VLAN Configuration Guidelines
These are the voice VLAN configuration guidelines:
• You should configure voice VLAN on switch access ports.
• The Port Fast feature is automatically enabled when voice VLAN is configured. When you disable voice VLAN, the Port Fast feature is not automatically disabled.
Configuring Ports to Carry Voice Traffic in 802.1Q Frames
Beginning in privileged EXEC mode, follow these steps to configure a port to carry voice traffic in 802.1Q frames for a specific VLAN:
Step 1   configure terminal       Enter global configuration mode.
Step 2   interface interface-id   Specify the interface connected to the IP phone, and enter interface configuration mode.
Overriding the CoS Priority of Incoming Data Frames
You can connect a PC or other data device to a Cisco 7960 IP Phone port. The PC can generate packets with an assigned CoS value. You can configure the switch to override the priority of frames arriving on the IP phone port from connected devices.
Displaying Voice VLAN
Configuring the IP Phone to Trust the CoS Priority of Incoming Data Frames
You can connect a PC or other data device to a Cisco 7960 IP Phone port. The PC can generate packets with an assigned CoS value. You can configure the switch to trust the priority of frames arriving on the IP phone port from connected devices.
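A phone-plus-PC access port that puts the three procedures above together (voice VLAN in 802.1Q frames, CoS override, CoS trust), as an added example that is not from this guide. The interface numbers and VLAN IDs are assumptions, and the mls qos trust cos command is assumed to be available on the software image in use.

```ios
! Access port with an IP phone in front of a PC (assumed interface and VLAN IDs)
interface FastEthernet0/7
 switchport mode access
 switchport access vlan 10
 ! Phone frames are 802.1Q-tagged with VLAN 150; the PC stays untagged in VLAN 10
 switchport voice vlan 150
 ! Honor the CoS the phone marks on its own voice frames
 mls qos trust cos
 ! Instruct the phone (via CDP) to rewrite the CoS of frames from its PC port
 ! to 0, so a host cannot mark its own traffic into the voice priority queue
 switchport priority extend cos 0
!
! Alternative for a port whose attached PC is trusted to mark traffic correctly:
! the phone passes the PC's CoS through unchanged
interface FastEthernet0/8
 switchport mode access
 switchport access vlan 10
 switchport voice vlan 150
 mls qos trust cos
 switchport priority extend trust
!
end
show interfaces FastEthernet0/7 switchport
```

The override is enforced by the phone, which learns the setting through CDP; the switch itself still trusts every CoS value arriving on the port. A device plugged directly into Fa0/7 in place of the phone therefore keeps its own markings, which is the reason to prefer cos 0 unless the PC side is genuinely trusted.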
CHAPTER 20 Configuring DHCP Features
This chapter describes how to configure DHCP snooping and the option-82 data insertion features on the Catalyst 2950 or Catalyst 2955 switch. To use the features described in this chapter, you must have the enhanced software image (EI) installed on your switch.
Understanding DHCP Features
DHCP Server
The DHCP server assigns IP addresses from specified address pools on a switch or router to DHCP clients and manages them. If the DHCP server cannot give the DHCP client the requested configuration parameters from its database, it can forward the request to one or more secondary DHCP servers defined by the network administrator.
Note The DHCP server feature is only available on Catalyst 2955 switches.
The switch drops a DHCP packet when one of these situations occurs:
• A packet from a DHCP server, such as a DHCPOFFER, DHCPACK, DHCPNAK, or DHCPLEASEQUERY packet, is received from outside the network or firewall.
• A packet is received on an untrusted interface, and the source MAC address and the DHCP client hardware address do not match.
When you enable the DHCP snooping information option 82 on the switch, this sequence of events occurs:
• The host (DHCP client) generates a DHCP request and broadcasts it on the network.
• When the switch receives the DHCP request, it adds the option-82 information in the packet.
Figure 20-2 Suboption Packet Formats
Circuit ID Suboption Frame Format:
  Suboption type    1 byte    value 1
  Length            1 byte    value 6
  Circuit ID type   1 byte    value 0
  Length            1 byte    value 4
  VLAN              2 bytes
  Module            1 byte
  Port              1 byte
Remote ID Suboption Frame Format:
  Suboption type    1 byte    value 2
  Length            1 byte    value 8
  Remote ID type    1 byte    value 0
  Length            1 byte    value 6
  MAC address       6 bytes
Configuring DHCP Features
These sections describe how to configure DHCP snooping and option 82 on
Table 20-1 Default DHCP Configuration (continued)
DHCP snooping trust   Untrusted
DHCP snooping VLAN    Disabled
1. The switch responds to DHCP requests only if it is configured as a DHCP server.
2. The switch relays DHCP packets only if the IP address of the DHCP server is configured on the SVI of the DHCP client.
DHCP Snooping Configuration Guidelines
These are the configuration guidelines for DHCP snooping.
Enabling DHCP Snooping and Option 82
Beginning in privileged EXEC mode, follow these steps to enable DHCP snooping on the switch.
Step 1   configure terminal                 Enter global configuration mode.
Step 2   ip dhcp snooping                   Enable DHCP snooping globally.
Step 3   ip dhcp snooping vlan vlan-range   Enable DHCP snooping on a VLAN or range of VLANs. The range is 1 to 4094.
Displaying DHCP Information
You can display a DHCP snooping binding table and configuration information for all interfaces on a switch.
Displaying a Binding Table
The DHCP snooping binding table for each switch has binding entries that correspond to untrusted ports. The table does not have information about hosts interconnected with a trusted port.
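The enabling procedure, completed with the trust and display steps, as one added example that is not configuration from this guide. The VLAN IDs and interface numbers are assumptions, and the per-port rate limit is assumed to be supported on the enhanced image in use; the trust decision is the security-relevant part: only the port that leads to the legitimate DHCP server may source server messages.

```ios
! Global: turn snooping on, then choose the user VLANs (assumed 10 and 20)
ip dhcp snooping
ip dhcp snooping vlan 10,20
! Insert option 82: circuit ID = VLAN/module/port, remote ID = this switch's MAC
ip dhcp snooping information option
!
! The only trusted port is the uplink toward the real DHCP server. OFFER/ACK/NAK
! messages arriving on any other port (a rogue server on a user port) are dropped.
interface FastEthernet0/24
 description uplink-to-distribution
 switchport mode trunk
 switchport nonegotiate
 ip dhcp snooping trust
!
! User ports stay untrusted (the default). Cap client DHCP traffic so one host
! cannot flood the snooping process (rate limit assumed available on this image).
interface range FastEthernet0/1 - 23
 switchport mode access
 ip dhcp snooping limit rate 15
!
end
! Which VLANs are snooped and which ports are trusted
show ip dhcp snooping
! One entry per client learned on an untrusted port: MAC, IP, lease, VLAN, port
show ip dhcp snooping binding
```

A client whose frame source MAC does not match the DHCP client hardware address is dropped on untrusted ports, as described above; the binding table therefore only ever contains addresses the switch saw leased to the host that actually sent the request.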
CHAPTER 21 Configuring IGMP Snooping and MVR
This chapter describes how to configure Internet Group Management Protocol (IGMP) snooping on your Catalyst 2950 or Catalyst 2955 switch, including an application of local IGMP snooping, Multicast VLAN Registration (MVR). It also includes procedures for controlling multicast group membership by using IGMP filtering and procedures for configuring the IGMP throttling action.
Understanding IGMP Snooping
the switch adds the host port number to the forwarding table entry; when it receives an IGMP Leave Group message from a host, it removes the host port from the table entry. It also periodically deletes entries if it does not receive IGMP membership reports from the multicast clients.
Note For more information on IP multicast and IGMP, refer to RFC 1112 and RFC 2236.
An IGMPv3 switch can receive messages from and forward messages to a device running the Source Specific Multicast (SSM) feature. For more information, refer to the “Configuring IP Multicast Layer 3 Switching” chapter in the Catalyst 4500 Series Switch Cisco IOS Software Configuration Guide, Cisco IOS Release 12.1(12c)EW at this URL: http://www.cisco.com/univercd/cc/td/doc/product/lan/cat4000/12_1_12/config/mcastmls.
Note that the switch hardware can distinguish IGMP information packets from other packets for the multicast group.
• The first entry in the table tells the switching engine to send IGMP packets to only the switch CPU. This prevents the CPU from becoming overloaded with multicast frames.
• The second entry tells the switching engine to send frames addressed to the 0x0100.5E01.
When hosts want to leave a multicast group, they can either silently leave, or they can send a leave message. When the switch receives a leave message from a host, it sends out a MAC-based general query to determine if any other devices connected to that interface are interested in traffic for the specific multicast group.
Configuring IGMP Snooping
The default learning method is IP multicast-source-only learning. You can disable IP multicast-source-only learning by using the no ip igmp snooping source-only-learning global configuration command. In addition to IGMP query packets, the switch also uses Protocol-Independent Multicast protocol version 2 (PIMv2) packets for multicast router discovery.
Table 21-3 Default IGMP Snooping Configuration (continued)
IGMP snooping Immediate Leave                                        Disabled.
Static groups                                                        None configured.
IP multicast-source-only learning                                    Enabled.
PIM v2 multicast router discovery                                    Enabled.
Aging forward-table entries (when source-only learning is enabled)   Enabled. The default is 600 seconds (10 minutes).
IGMP report suppression                                              Enabled.
Setting the Snooping Method
Multicast-capable router ports are added to the forwarding table for every Layer 2 multicast entry.
Vlan 1:
--------
IGMP snooping                    :Enabled
Immediate leave                  :Disabled
Multicast router learning mode   :pim-dvmrp
Source only learning age timer   :10
CGMP interoperability mode       :IGMP_ONLY
To return to the default learning method, use the no ip igmp snooping vlan vlan-id mrouter learn cgmp global configuration command.
Configuring a Host Statically to Join a Group
Hosts or Layer 2 ports normally join multicast groups dynamically, but you can also statically configure a host on an interface.
Step 4   show ip igmp snooping vlan vlan-id    Verify that Immediate Leave is enabled on the VLAN.
Step 5   copy running-config startup-config   (Optional) Save your entries in the configuration file.
To disable IGMP Immediate-Leave on a VLAN, use the no ip igmp snooping vlan vlan-id immediate-leave global configuration command.
Note We strongly recommend that you do not disable IP multicast-source-only learning. IP multicast-source-only learning should be disabled only if your network is not composed of IP multicast-source-only networks and if disabling this learning method improves the network performance.
Displaying IGMP Snooping Information
To disable the aging of the forwarding table entries, enter the ip igmp snooping source-only-learning age-timer 0 global configuration command. If you disable source-only learning by using the no ip igmp snooping source-only-learning global configuration command, a configured age timer has no effect on the switch.
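The snooping-method, Immediate Leave, and source-only aging settings from this section, gathered into one added example; this is not configuration from the guide, and the VLAN ID, interface number, and timer value are assumptions. The static multicast-router port is the security-relevant piece: the switch otherwise learns the router port from whoever sends IGMP queries or PIMv2 hellos.

```ios
! Pin the multicast router port to the uplink instead of relying only on
! query/PIMv2 discovery, which any host on the VLAN could try to trigger
ip igmp snooping vlan 10 mrouter interface FastEthernet0/24
ip igmp snooping vlan 10 mrouter learn pim-dvmrp
! Immediate Leave drops the group on the first Leave without a query first:
! safe only where exactly one receiver sits behind each port in this VLAN
ip igmp snooping vlan 10 immediate-leave
! Keep source-only learning enabled (as recommended) but age idle
! source-only entries after 5 minutes instead of the default 10
ip igmp snooping source-only-learning age-timer 300
end
show ip igmp snooping vlan 10
show ip igmp snooping mrouter vlan 10
```

If a hub or a second switch hangs off a port in VLAN 10, leave Immediate Leave disabled there: one host's Leave would otherwise cut the stream for every other receiver on that port until the next report.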
Understanding Multicast VLAN Registration
Multicast VLAN Registration (MVR) is designed for applications using wide-scale deployment of multicast traffic across an Ethernet ring-based service provider network (for example, the broadcast of multiple television channels over a service-provider network).
Using MVR in a Multicast Television Application
In a multicast television application, a PC or a television with a set-top box can receive the multicast stream. Multiple set-top boxes or PCs can be connected to one subscriber port, which is a switch port configured as an MVR receiver port. Figure 21-3 is an example configuration. DHCP assigns an IP address to the set-top box or the PC.
Figure 21-3 Multicast VLAN Registration Example (figure: a Cisco router and multicast server on the multicast VLAN feed Switch B; Switch B's source ports, including SP1 and SP2, carry multicast data to Switch A; Switch A's receiver ports RP1 through RP7 serve customer premises, where a hub, set-top boxes, a TV, and a PC send IGMP joins and receive TV data. RP = Receiver Port, SP = Source Port. Note: All source ports belong to the multicast VLAN.)
Configuring MVR
These sections include basic MVR configuration information:
• Default MVR Configuration, page 21-17
• MVR Configuration Guidelines and Limitations, page 21-17
• Configuring MVR Global Parameters, page 21-18
• Configuring MVR Interfaces, page 21-19
Default MVR Configuration
Table 21-5 shows the default MVR configuration.
Configuring MVR Global Parameters
You do not need to set the optional MVR parameters if you choose to use the default settings. If you do want to change the default parameters (except for the MVR VLAN), you must first enable MVR. Beginning in privileged EXEC mode, follow these steps to configure MVR parameters:
Step 1   configure terminal   Enter global configuration mode.
Step 2   mvr                  Enable MVR on the switch.
This example shows how to enable MVR, configure the MVR group address, set the query time to 1 second (10 tenths), specify the MVR multicast VLAN as VLAN 22, set the MVR mode as dynamic, and verify the results:
Switch(config)# mvr
Switch(config)# mvr group 228.1.23.
Step 6   mvr immediate   (Optional) Enable the Immediate Leave feature of MVR on the port.
Note This command applies to only receiver ports and should only be enabled on receiver ports to which a single receiver device is connected.
Step 7   end             Return to privileged EXEC mode.
Step 8   show mvr        Verify the configuration.
Displaying MVR Information
You can display MVR information for the switch or for a specified interface.
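The global and interface MVR procedures as one complete added example (not the guide's own, whose example is cut off above). VLAN 22, dynamic mode, and the 1-second query time follow the chapter's example; the group range, subscriber VLANs, and interface numbers are assumptions.

```ios
! MVR: multicast VLAN 22 carries 8 consecutive TV-channel groups (assumed range)
mvr
mvr vlan 22
mvr group 239.100.0.1 8
mvr mode dynamic
mvr querytime 10
!
! Source port: faces the multicast server and, as the figure notes require,
! belongs to the multicast VLAN itself
interface FastEthernet0/23
 switchport mode access
 switchport access vlan 22
 mvr type source
!
! Receiver ports: subscribers stay in their own access VLANs and are never
! members of VLAN 22; MVR copies the stream across the VLAN boundary for them
interface FastEthernet0/1
 switchport mode access
 switchport access vlan 101
 mvr type receiver
 ! exactly one set-top box behind this port, so Immediate Leave is safe
 mvr immediate
!
interface FastEthernet0/2
 switchport mode access
 switchport access vlan 102
 mvr type receiver
 ! static membership: this subscriber always receives channel 1
 mvr vlan 22 group 239.100.0.1
!
end
show mvr
show mvr members
show mvr interface
```

Keeping subscribers out of VLAN 22 is what stops one customer from seeing another's unicast traffic or sourcing into the multicast VLAN; the receiver port only ever gets the groups it joined (or was statically given), and its own frames are switched in VLAN 101 or 102.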
Configuring IGMP Filtering and Throttling
Note IGMPv3 join and leave messages are not supported on switches running IGMP filtering.
With the IGMP throttling feature, you can also set the maximum number of IGMP groups that a Layer 2 interface can join.
• permit: Specifies that matching addresses are permitted.
• range: Specifies a range of IP addresses for the profile. You can enter a single IP address or a range with a start and an end address.
The default is for the switch to have no IGMP profiles configured. When a profile is configured, if neither the permit nor deny keyword is included, the default is to deny access to the range of IP addresses.
Applying IGMP Profiles
To control access as defined in an IGMP profile, use the ip igmp filter interface configuration command to apply the profile to the appropriate interfaces. You can apply IGMP profiles to Layer 2 ports only. You cannot apply profiles to ports that belong to an EtherChannel port group. You can apply a profile to multiple interfaces, but each interface can only have one profile applied to it.
Setting the Maximum Number of IGMP Groups
You can set the maximum number of IGMP groups that a Layer 2 interface can join by using the ip igmp max-groups interface configuration command. Use the no form of this command to set the maximum back to the default, which is no limit. You can use this command on a logical EtherChannel interface but cannot use it on ports that belong to an EtherChannel port group.
• If you configure the throttling action and set the maximum group limitation after an interface has added multicast entries to the forwarding table, the forwarding-table entries are either aged out or removed, depending on the throttling action.
  – If you configure the throttling action as deny, the entries that were previously in the forwarding table are not removed but are aged out.
Displaying IGMP Filtering and Throttling Configuration
You can display IGMP profile characteristics, and you can display the IGMP profile and maximum group configuration for all interfaces on the switch or for a specified interface. You can also display the IGMP throttling configuration for all interfaces on the switch or for a specified interface.
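Profiles, their application, the group limit, and both throttling actions, in one added example that is not configuration from this guide. The group addresses, profile numbers, and interface numbers are assumptions; the behaviors (deny-by-default profile, deny versus replace on the limit) are the ones described above.

```ios
! Profile 1: subscribers may join only the listed groups. A profile with
! neither keyword denies its ranges, so permit is stated explicitly here.
ip igmp profile 1
 permit
 range 239.100.0.1 239.100.0.8
 range 239.100.1.1
!
! Profile 2: block one range outright, allow everything else
ip igmp profile 2
 deny
 range 239.255.0.0 239.255.255.255
!
interface FastEthernet0/1
 switchport mode access
 ip igmp filter 1
 ! at most 4 groups at once; a further join evicts an existing entry
 ip igmp max-groups 4
 ip igmp max-groups action replace
!
interface FastEthernet0/2
 switchport mode access
 ip igmp filter 2
 ! hard cap: joins beyond the limit are simply dropped
 ip igmp max-groups 4
 ip igmp max-groups action deny
!
end
show ip igmp profile 1
show ip igmp profile 2
show running-config interface FastEthernet0/1
```

The filter only acts on IGMP membership reports; a host can still receive any group that is flooded or statically forwarded to its port. It limits what a port can ask for, and the max-groups cap bounds the forwarding-table state one port can consume, which is the resource an unfiltered host would exhaust.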
CHAPTER 22 Configuring Port-Based Traffic Control
This chapter describes how to configure the port-based traffic control features on your Catalyst 2950 or Catalyst 2955 switch.
Note For complete syntax and usage information for the commands used in this chapter, refer to the command reference for this release.
Configuring Storm Control
Understanding Storm Control
A packet storm occurs when a large number of broadcast, unicast, or multicast packets are received on a port. Forwarding these packets can cause the network to slow down or to time out. Storm control is configured for the switch as a whole but operates on a per-port basis. By default, storm control is disabled.
Step 3   storm-control {broadcast | multicast | unicast} level {level [level-low] | pps pps [pps-low]}   Configure broadcast, multicast, or unicast storm control. For level, specify the rising threshold level for broadcast, multicast, or unicast traffic as a percentage of the bandwidth. The storm control action occurs when traffic utilization reaches this level.
Disabling Storm Control
Beginning in privileged EXEC mode, follow these steps to disable storm control:
Step 1   configure terminal                                         Enter global configuration mode.
Step 2   interface interface-id                                     Specify the port to configure, and enter interface configuration mode.
Step 3   no storm-control {broadcast | multicast | unicast} level   Disable port storm control.
Configuring Protected Ports
Beginning in privileged EXEC mode, follow these steps to define a port as a protected port:
Step 1   configure terminal       Enter global configuration mode.
Step 2   interface interface-id   Specify the interface to configure and enter interface configuration mode.
Step 3   switchport protected     Configure the interface to be a protected port.
Step 4   end                      Return to privileged EXEC mode.
Configuring Port Blocking
Beginning in privileged EXEC mode, follow these steps to disable the flooding of multicast and unicast packets to an interface:
Step 1   configure terminal         Enter global configuration mode.
Step 2   interface interface-id     Specify the interface to configure and enter interface configuration mode.
Step 3   switchport block multicast   Block unknown multicast forwarding to the port.
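Storm control, protected ports, and port blocking applied together to a set of hosts that should not talk to each other at Layer 2, as an added example that is not configuration from this guide. The interface range, VLAN ID, and threshold values are assumptions; both threshold forms from the storm-control syntax above are shown.

```ios
! Access ports on a segment where hosts must not see each other directly
! (assumed: Fa0/1-12 in VLAN 20, uplink on Fa0/24)
interface range FastEthernet0/1 - 12
 switchport mode access
 switchport access vlan 20
 ! Broadcast: suppress above 20% of bandwidth, resume once it drops below 10%
 storm-control broadcast level 20 10
 ! Multicast: absolute packets-per-second thresholds, rising 1000, falling 500
 storm-control multicast level pps 1000 500
 ! Unknown unicast: percentage form again
 storm-control unicast level 10 5
 ! Protected ports never forward Layer 2 traffic to other protected ports on
 ! this switch; they still reach the unprotected uplink
 switchport protected
 ! Do not deliver flooded unknown-unicast or unknown-multicast frames to this port
 switchport block unicast
 switchport block multicast
!
interface FastEthernet0/24
 description uplink (unprotected, no blocking, no storm control)
 switchport mode trunk
 switchport nonegotiate
!
end
show storm-control FastEthernet0/1
show interfaces FastEthernet0/1 switchport
```

Protected-port isolation is local to one switch: two protected ports on different switches, or a router on the uplink that is willing to proxy-ARP or route between them, will still carry traffic between those hosts. Port blocking stops the flooding that would otherwise let a host on Fa0/1 see unknown-destination frames meant for Fa0/2, but it does not replace an access list for traffic with known destinations.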
Configuring Port Security
You can use the port security feature to restrict input to an interface by limiting and identifying MAC addresses of the stations allowed to access the port. When you assign secure MAC addresses to a secure port, the port does not forward packets with source addresses outside the group of defined addresses.
Security Violations
It is a security violation when one of these situations occurs:
• The maximum number of secure MAC addresses have been added to the address table, and a station whose MAC address is not in the address table attempts to access the interface.
• An address learned or configured on one secure interface is seen on another secure interface in the same VLAN.
Default Port Security Configuration
Table 22-2 shows the default port security configuration for an interface.
Table 22-2 Default Port Security Configuration
Port security                           Disabled.
Maximum number of secure MAC addresses  One.
Violation mode                          Shutdown.
Sticky address learning                 Disabled.
Port security aging                     Disabled. Aging time is 0. When enabled, the default type is absolute.
Enabling and Configuring Port Security
Beginning in privileged EXEC mode, follow these steps to restrict input to an interface by limiting and identifying MAC addresses of the stations allowed to access the port:
Step 1   configure terminal       Enter global configuration mode.
Step 2   interface interface-id   Specify the interface to configure and enter interface configuration mode.
Step 8   switchport port-security mac-address sticky   (Optional) Enable sticky learning on the interface.
Step 9   end                                           Return to privileged EXEC mode.
Step 10  show port-security                            Verify your entries.
Step 11  copy running-config startup-config            (Optional) Save your entries in the configuration file.
Enabling and Configuring Port Security Aging
You can use port security aging to set the aging time for static and dynamic secure addresses on a port. Two types of aging are supported per port:
• Absolute—The secure addresses on the port are deleted after the specified aging time.
• Inactivity—The secure addresses on the port are deleted only if the secure addresses are inactive for the specified aging time.
Chapter 22 Configuring Port-Based Traffic Control Displaying Port-Based Traffic Control Settings This example shows how to set the aging time as 2 minutes for the inactivity aging type with aging enabled for the configured secure addresses on the interface: Switch(config-if)# switchport port-security aging time 2 Switch(config-if)# switchport port-security aging type inactivity Switch(config-if)# switchport port-security aging static You can verify the previous commands by entering the show port-security
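The port security behaviour described in this section (the two violation conditions, the shutdown default, sticky learning, and absolute versus inactivity aging, including the aging static option), as an added Python model that is not part of this guide or of Cisco IOS. Port names, MAC addresses and times are constructed.

```python
"""Model of the port security checks this section describes.

Added illustration, not Cisco code: it mimics one switch's secure ports so that
the two violation conditions, the shutdown default, sticky learning and the
absolute/inactivity aging types can be exercised offline. Port names, MAC
addresses and minute counters below are constructed.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


@dataclass
class SecurePort:
    name: str
    vlan: int
    maximum: int = 1                # Table 22-2 default: one secure MAC
    violation: str = "shutdown"     # Table 22-2 default violation mode
    sticky: bool = False            # sticky learning disabled by default
    aging_time: int = 0             # minutes; 0 means aging is disabled
    aging_type: str = "absolute"    # default type once aging is enabled
    aging_static: bool = False      # "switchport port-security aging static"
    # mac -> (is_static, minute added, minute last seen)
    secure: Dict[str, Tuple[bool, int, int]] = field(default_factory=dict)
    err_disabled: bool = False
    violations: int = 0

    def add_static(self, mac: str, now: int) -> None:
        """Configured secure address (switchport port-security mac-address)."""
        self.secure[mac] = (True, now, now)


class PortSecurity:
    def __init__(self) -> None:
        self.ports: Dict[str, SecurePort] = {}

    def add_port(self, port: SecurePort) -> None:
        self.ports[port.name] = port

    def _owner(self, mac: str, vlan: int) -> Optional[str]:
        """Name of the secure port that already holds mac in this VLAN, if any."""
        for p in self.ports.values():
            if p.vlan == vlan and mac in p.secure:
                return p.name
        return None

    def age(self, now: int) -> None:
        """Delete secure addresses whose aging time has expired."""
        for p in self.ports.values():
            if p.aging_time == 0:
                continue
            for mac, (static, added, seen) in list(p.secure.items()):
                if static and not p.aging_static:
                    continue        # static entries age only with "aging static"
                ref = seen if p.aging_type == "inactivity" else added
                if now - ref >= p.aging_time:
                    del p.secure[mac]

    def ingress(self, port_name: str, mac: str, now: int) -> str:
        """Frame with source MAC `mac` arrives on the port at minute `now`.

        Returns "forward", "drop" (frame discarded, port stays up) or
        "shutdown" (violation in the default mode: the port is error-disabled).
        """
        port = self.ports[port_name]
        if port.err_disabled:
            return "drop"
        self.age(now)
        if mac in port.secure:
            static, added, _ = port.secure[mac]
            port.secure[mac] = (static, added, now)   # refresh for inactivity aging
            return "forward"
        owner = self._owner(mac, port.vlan)
        table_full = len(port.secure) >= port.maximum
        # Violation 1: table full and unknown source address.
        # Violation 2: address is secured on another secure port in the same VLAN.
        if table_full or (owner is not None and owner != port_name):
            port.violations += 1
            if port.violation == "shutdown":
                port.err_disabled = True
                return "shutdown"
            return "drop"   # the non-shutdown modes discard the frame instead
        port.secure[mac] = (False, now, now)   # dynamically learned
        return "forward"


def demo() -> List[str]:
    """Fa0/1: two addresses, 2-minute inactivity aging. Fa0/2: Table 22-2 defaults."""
    ps = PortSecurity()
    ps.add_port(SecurePort("Fa0/1", vlan=10, maximum=2,
                           aging_time=2, aging_type="inactivity"))
    ps.add_port(SecurePort("Fa0/2", vlan=10))
    events = [("Fa0/1", "0000.1111.aaaa", 0),   # learned
              ("Fa0/1", "0000.1111.bbbb", 0),   # learned, table now full
              ("Fa0/1", "0000.1111.aaaa", 1),   # known, refreshes activity
              ("Fa0/1", "0000.1111.cccc", 2),   # bbbb aged out (inactive 2 min), cccc learned
              ("Fa0/1", "0000.1111.dddd", 2),   # violation 1: table full -> shutdown
              ("Fa0/2", "0000.1111.aaaa", 2)]   # violation 2: aaaa secured on Fa0/1 -> shutdown
    return [ps.ingress(p, m, t) for p, m, t in events]
```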
Chapter 22 Configuring Port-Based Traffic Control Displaying Port-Based Traffic Control Settings Catalyst 2950 and Catalyst 2955 Switch Software Configuration Guide 22-14 78-11380-10
Chapter 23 Configuring UDLD

This chapter describes how to configure the UniDirectional Link Detection (UDLD) protocol on your Catalyst 2950 or Catalyst 2955 switch.

Note For complete syntax and usage information for the commands used in this chapter, refer to the command reference for this release.

Understanding UDLD

A unidirectional link occurs whenever traffic sent by a local device is received by its neighbor but traffic from the neighbor is not received by the local device. In normal mode, UDLD detects a unidirectional link when fiber strands in a fiber-optic interface are misconnected and the Layer 1 mechanisms do not detect this misconnection.

• Event-driven detection and echoing—UDLD relies on echoing as its detection mechanism. Whenever a UDLD device learns about a new neighbor or receives a resynchronization request from an out-of-sync neighbor, it restarts the detection window on its side of the connection and sends echo messages in reply. Because this behavior is the same on all UDLD neighbors, the sender of the echoes expects to receive an echo in reply.

Configuring UDLD

This section describes how to configure UDLD on your switch. It contains this configuration information:
• Default UDLD Configuration, page 23-4
• Configuration Guidelines, page 23-4
• Enabling UDLD Globally, page 23-5
• Enabling UDLD on an Interface, page 23-5
• Resetting an Interface Shut Down by UDLD, page 23-6

Default UDLD Configuration

Table 23-1 shows the default UDLD configuration.

Enabling UDLD Globally

Beginning in privileged EXEC mode, follow these steps to enable UDLD in the aggressive or normal mode and to set the configurable message timer on all fiber-optic interfaces on the switch:

Step 1  configure terminal
        Enter global configuration mode.

Enabling UDLD on an Interface

Step 3  udld port [aggressive]
        Specify the UDLD mode of operation:
        • (Optional) aggressive—Enables UDLD in aggressive mode on the specified interface. UDLD is disabled by default. If you do not enter the aggressive keyword, the switch enables UDLD in normal mode. On a fiber-optic interface, this command overrides the udld enable global configuration command setting.

Displaying UDLD Status

To display the UDLD status for the specified interface or for all interfaces, use the show udld [interface-id] privileged EXEC command. For detailed information about the fields in the display, refer to the command reference for this release.
Chapter 24 Configuring CDP

This chapter describes how to configure Cisco Discovery Protocol (CDP) on your Catalyst 2950 or Catalyst 2955 switch.

Note For complete syntax and usage information for the commands used in this chapter, refer to the command reference for this release and the Cisco IOS Configuration Fundamentals Command Reference for Cisco IOS Release 12.1.

Configuring CDP

These sections include CDP configuration information and procedures:
• Default CDP Configuration, page 24-2
• Configuring the CDP Characteristics, page 24-2
• Disabling and Enabling CDP, page 24-3
• Disabling and Enabling CDP on an Interface, page 24-4

Default CDP Configuration

Table 24-1 shows the default CDP configuration.

Configuring the CDP Characteristics

Step 6  show cdp
        Verify your settings.
Step 7  copy running-config startup-config
        (Optional) Save your entries in the configuration file.

Use the no form of the CDP commands to return to the default settings.

This example shows how to configure CDP characteristics.

Disabling and Enabling CDP on an Interface

CDP is enabled by default on all supported interfaces to send and receive CDP information. Beginning in privileged EXEC mode, follow these steps to disable CDP on an interface:

Step 1  configure terminal
        Enter global configuration mode.
Step 2  interface interface-id
        Specify the interface on which you are disabling CDP, and enter interface configuration mode.

Monitoring and Maintaining CDP

To monitor and maintain CDP on your device, perform one or more of these tasks, beginning in privileged EXEC mode.

Command             Description
clear cdp counters  Reset the traffic counters to zero.
clear cdp table     Delete the CDP table of information about neighbors.
show cdp            Display global information, such as frequency of transmissions and the holdtime for packets being sent.
Chapter 25 Configuring SPAN and RSPAN

This chapter describes how to configure Switched Port Analyzer (SPAN) and Remote SPAN (RSPAN) on your Catalyst 2950 or Catalyst 2955 switch.

Note For complete syntax and usage information for the commands used in this chapter, refer to the command reference for this release.

Understanding SPAN and RSPAN

Figure 25-1 Example SPAN Configuration (port 4 traffic mirrored on port 8, to which a network analyzer is attached)

Only traffic that enters or leaves source ports can be monitored by using SPAN. RSPAN extends SPAN by enabling remote monitoring of multiple switches across your network.

SPAN and RSPAN Concepts and Terminology

This section describes concepts and terminology associated with SPAN and RSPAN configuration.

SPAN Session

A local SPAN session is an association of a destination port with source ports. You can monitor incoming or outgoing traffic on a series or range of ports. An RSPAN session is an association of source ports across your network with an RSPAN VLAN. The destination of the source session is the RSPAN VLAN.

Source Port

A source port (also called a monitored port) is a switched port that you monitor for network traffic analysis. In a single local SPAN session or RSPAN source session, you can monitor source port traffic such as received (Rx), transmitted (Tx), or bidirectional (both). The switch supports any number of source ports (up to the maximum number of available ports on the switch).

Reflector Port

The reflector port is the mechanism that copies packets onto an RSPAN VLAN. The reflector port forwards only the traffic from the RSPAN source session with which it is affiliated. Any device connected to a port set as a reflector port loses connectivity until the RSPAN source session is disabled. The reflector port has these characteristics:
• It is a port set to loopback.

• VLAN Trunking Protocol (VTP)—You can use VTP to prune an RSPAN VLAN between switches.
• VLAN and trunking—You can modify VLAN membership or trunk settings for source, destination, or reflector ports at any time. However, changes in VLAN membership or trunk settings for a destination or reflector port do not take effect until you disable the SPAN or RSPAN session.

Configuring SPAN

Default SPAN and RSPAN Configuration

Table 25-1 shows the default SPAN and RSPAN configuration.

Table 25-1 Default SPAN and RSPAN Configuration
Feature                                 Default Setting
SPAN state                              Disabled.
Source port traffic to monitor          Both received and sent traffic (both).
Encapsulation type (destination port)   Native form (no encapsulation type header).
Ingress forwarding (destination port)   Disabled.

• When SPAN is enabled, configuration changes have these results:
  – If you change the VLAN configuration of a destination port, the change is not effective until SPAN is disabled.
  – If you disable all source ports or the destination port, the SPAN function stops until both a source and the destination port are enabled.

This example shows how to set up a SPAN session, session 1, for monitoring source port traffic to a destination port. First, any existing SPAN configuration for session 1 is cleared, and then bidirectional traffic is mirrored from source port 1 to destination port 8.

Step 4  monitor session session_number destination interface interface-id [encapsulation {dot1q}] [ingress vlan vlan id]
        Specify the SPAN session, the destination port (monitoring port), the packet encapsulation, and the ingress VLAN. For session_number, specify 1. For interface-id, specify the destination port. Valid interfaces include physical interfaces. (Optional) Specify the encapsulation header for outgoing packets.

Removing Ports from a SPAN Session

Beginning in privileged EXEC mode, follow these steps to remove a port as a SPAN source for a session:

Step 1  configure terminal
        Enter global configuration mode.
Step 2  no monitor session session_number source interface interface-id [, | -] [both | rx | tx]
        Specify the characteristics of the source port (monitored port) and SPAN session to remove. For session, specify 1.

Configuring RSPAN

This section describes how to configure RSPAN on your switch.

Configuring a VLAN as an RSPAN VLAN

First create a new VLAN to be the RSPAN VLAN for the RSPAN session. You must create the RSPAN VLAN in all switches that will participate in RSPAN. If the RSPAN VLAN-ID is in the normal range (lower than 1005) and VTP is enabled in the network, you can create the RSPAN VLAN in one switch, and VTP propagates it to the other switches in the VTP domain.

Step 3  monitor session session_number source interface interface-id [, | -] [both | rx | tx]
        Specify the RSPAN session and the source port (monitored port). For session_number, specify the session number identified with this RSPAN session. For interface-id, specify the source port to monitor. Valid interfaces include physical interfaces and port-channel logical interfaces (port-channel port-channel-number).

Creating an RSPAN Destination Session

Beginning in privileged EXEC mode, follow these steps to create an RSPAN destination session and to specify the source RSPAN VLAN and the destination port:

Step 1  configure terminal
        Enter global configuration mode.
Step 2  monitor session session_number source remote vlan vlan-id
        Specify the RSPAN session and the source RSPAN VLAN.

Removing Ports from an RSPAN Session

Beginning in privileged EXEC mode, follow these steps to remove a port as an RSPAN source for a session:

Step 1  configure terminal
        Enter global configuration mode.
Step 2  no monitor session session_number source interface interface-id [, | -] [both | rx | tx]
        Specify the characteristics of the RSPAN source port (monitored port) to remove.

Displaying SPAN and RSPAN Status

To display the status of the current SPAN or RSPAN configuration, use the show monitor privileged EXEC command.
Chapter 26 Configuring RMON

This chapter describes how to configure Remote Network Monitoring (RMON) on your Catalyst 2950 or Catalyst 2955 switch. RMON is a standard monitoring specification that defines a set of statistics and functions that can be exchanged between RMON-compliant console systems and network probes. RMON provides you with comprehensive network-fault diagnosis, planning, and performance-tuning information.

Configuring RMON

Figure 26-1 Remote Monitoring Example (network management station with a generic RMON console application; RMON alarms and events configured; SNMP configured; RMON history and statistic collection enabled on the switch; workstations)

The switch supports these RMON groups (defined in RFC 1757):
• Statistics (RMON group 1)—Collects Ethernet, Fast Ethernet, and Gigabit Ethernet statistics on an interface.

Default RMON Configuration

RMON is disabled by default; no alarms or events are configured. Only RMON 1 is supported on the switch.

Configuring RMON Alarms and Events

You can configure your switch for RMON by using the command-line interface (CLI) or an SNMP-compatible network management station. We recommend that you use a generic RMON console application on the network management station (NMS) to take advantage of RMON's network management capabilities.

Step 3  rmon event number [log] [trap community] [description string] [owner string]
        Add an event in the RMON event table that is associated with an RMON event number.
        • For number, assign an event number. The range is 1 to 65535.
        • (Optional) For description string, specify a description of the event.
        • (Optional) Use the log keyword to generate an RMON log entry when the event is triggered.

Configuring RMON Collection on an Interface

You must first configure RMON alarms and events to display collection information. Beginning in privileged EXEC mode, follow these steps to collect group history statistics on an interface:

Step 1  configure terminal
        Enter global configuration mode.
Step 2  interface interface-id
        Specify the interface on which to collect history, and enter interface configuration mode.

Step 6  show rmon statistics
        Display the contents of the switch statistics table.
Step 7  copy running-config startup-config
        (Optional) Save your entries in the configuration file.

To disable the collection of group Ethernet statistics, use the no rmon collection stats index interface configuration command.
Chapter 27 Configuring System Message Logging

This chapter describes how to configure system message logging on your Catalyst 2950 or Catalyst 2955 switch.

Note For complete syntax and usage information for the commands used in this chapter, refer to the Cisco IOS Configuration Fundamentals Command Reference for Cisco IOS Release 12.1.

Configuring System Message Logging

These sections describe how to configure system message logging:
• System Log Message Format, page 27-2
• Default System Message Logging Configuration, page 27-3
• Disabling and Enabling Message Logging, page 27-4
• Setting the Message Display Destination Device, page 27-4
• Synchronizing Log Messages, page 27-6
• Enabling and Disabling Timestamps on Log Messages, page 27-7
• E

Table 27-1 System Log Message Elements (continued)
Element       Description
MNEMONIC      Text string that uniquely describes the message.
description   Text string containing detailed information about the event being reported.

Disabling and Enabling Message Logging

Message logging is enabled by default. It must be enabled to send messages to any destination other than the console. When enabled, log messages are sent to a logging process, which logs messages to designated locations asynchronously to the processes that generated the messages.

Setting the Message Display Destination Device

Step 3  logging host
        Log messages to a UNIX syslog server host. For host, specify the name or IP address of the host to be used as the syslog server. To build a list of syslog servers that receive logging messages, enter this command more than once. For complete syslog server configuration steps, see the "Configuring UNIX Syslog Servers" section on page 27-11.

Synchronizing Log Messages

You can configure the system to synchronize unsolicited messages and debug privileged EXEC command output with solicited device output and prompts for a specific console port line or virtual terminal line. You can identify the types of messages to be output asynchronously based on the level of severity.

Step 5  show running-config
        Verify your entries.
Step 6  copy running-config startup-config
        (Optional) Save your entries in the configuration file.

To disable synchronization of unsolicited messages and debug output, use the no logging synchronous [level severity-level | all] [limit number-of-buffers] line configuration command.

Enabling and Disabling Sequence Numbers in Log Messages

Because there is a chance that more than one log message can have the same timestamp, you can display messages with sequence numbers so that you can unambiguously refer to a single message. By default, sequence numbers in log messages are not displayed.

Step 6  show running-config or show logging
        Verify your entries.
Step 7  copy running-config startup-config
        (Optional) Save your entries in the configuration file.

Note Specifying a level causes messages at that level and numerically lower levels to appear at the destination.

To disable logging to the console, use the no logging console global configuration command.

Limiting Syslog Messages Sent to the History Table and to SNMP

If you enabled syslog message traps to be sent to an SNMP network management station by using the snmp-server enable trap global configuration command, you can change the level of messages sent and stored in the switch history table. You also can change the number of messages that are stored in the history table.

Configuring UNIX Syslog Servers

The next sections describe how to configure the UNIX server syslog daemon and how to define the UNIX system logging facility.

Logging Messages to a UNIX Syslog Daemon

Before you can send system log messages to a UNIX syslog server, you must configure the syslog daemon on a UNIX server.

Step 3  logging trap level
        Limit messages logged to the syslog servers. By default, syslog servers receive informational messages and lower. See Table 27-3 on page 27-9 for level keywords.
Step 4  logging facility facility-type
        Configure the syslog facility. See Table 27-4 on page 27-12 for facility-type keywords. The default is local7.
Step 5  end
        Return to privileged EXEC mode.

Displaying the Logging Configuration

To display the logging configuration and the contents of the log buffer, use the show logging privileged EXEC command. For information about the fields in this display, refer to the Cisco IOS Configuration Fundamentals Command Reference for Cisco IOS Release 12.1.
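The message elements of Table 27-1, the sequence numbers and timestamps, and the "level and numerically lower levels" rule that decides what a syslog server receives under logging trap, as an added Python example that is not part of this guide or of Cisco IOS. The log lines are constructed samples in the switch's format, and the facility-to-PRI mapping assumes the UNIX syslog daemon convention.

```python
"""Parser and destination filter for Catalyst system log messages.

Added illustration, not Cisco code. The message layout follows Table 27-1
(seq no:timestamp: %facility-severity-MNEMONIC: description), the level
keywords follow Table 27-3, and the filter applies this chapter's rule: a
destination set to a level receives messages at that level and at numerically
lower levels. The sample lines are constructed, not captured from a switch.
"""
import re
from typing import Dict, List, Optional

# Table 27-3 level keywords and their numeric severity values.
LEVELS = {"emergencies": 0, "alerts": 1, "critical": 2, "errors": 3,
          "warnings": 4, "notifications": 5, "informational": 6, "debugging": 7}

# Table 27-4 facility keywords as UNIX syslog facility codes; local7 is the default.
FACILITIES = {"local%d" % i: 16 + i for i in range(8)}

# Sequence number (service sequence-numbers) and timestamp (service timestamps)
# are both optional prefixes in front of the %FACILITY-SEVERITY-MNEMONIC tag.
MSG_RE = re.compile(
    r"^(?:(?P<seq>\d+):\s+)?"              # sequence number, e.g. 000019:
    r"(?:(?P<timestamp>[^%]*?):\s*)?"      # uptime or date/time stamp
    r"%(?P<facility>[A-Z0-9_]+)-(?P<severity>[0-7])-(?P<mnemonic>[A-Z0-9_]+):\s*"
    r"(?P<description>.*)$")


def parse_message(line: str) -> Optional[Dict[str, object]]:
    """Split one log line into its Table 27-1 elements; None if it is not a system message."""
    m = MSG_RE.match(line.strip())
    if not m:
        return None
    fields: Dict[str, object] = dict(m.groupdict())
    fields["severity"] = int(m["severity"])
    return fields


def allowed_at(level_keyword: str, severity: int) -> bool:
    """True if a destination configured for level_keyword shows a message of this severity."""
    return severity <= LEVELS[level_keyword]


def messages_for_destination(lines: List[str],
                             level_keyword: str = "informational") -> List[str]:
    """MNEMONICs a syslog server receives under `logging trap level_keyword`.

    The default trap level is informational (6), so level-7 debugging messages
    never reach the server unless the level is raised to debugging.
    """
    out: List[str] = []
    for line in lines:
        msg = parse_message(line)
        if msg and allowed_at(level_keyword, msg["severity"]):
            out.append(str(msg["mnemonic"]))
    return out


def syslog_priority(severity: int, facility_keyword: str = "local7") -> int:
    """PRI value the UNIX syslog daemon sees: facility code * 8 + severity (RFC 3164)."""
    return FACILITIES[facility_keyword] * 8 + severity


# Constructed sample lines in this chapter's format (not captured from a switch).
SAMPLE_LOG = [
    "000019: *Mar  1 00:02:11.322: %SYS-5-CONFIG_I: Configured from console by vty0 (10.1.1.5)",
    "000020: *Mar  1 00:02:30.104: %PORT_SECURITY-2-PSECURE_VIOLATION: Security violation "
    "occurred, caused by MAC address 0000.1111.cccc on port FastEthernet0/1.",
    "000021: *Mar  1 00:02:31.000: %LINK-3-UPDOWN: Interface FastEthernet0/1, changed state to down",
    "000022: *Mar  1 00:02:40.512: %SNMP-3-AUTHFAIL: Authentication failure for SNMP req from host 10.1.1.99",
    "00:03:02: %SYS-7-USERLOG_DEBUG: Message from tty0(user id: admin): test",
    "Switch# show logging",        # not a system message; the parser ignores it
]
```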
Chapter 28 Configuring SNMP

This chapter describes how to configure the Simple Network Management Protocol (SNMP) on your Catalyst 2950 or Catalyst 2955 switch.

Note For complete syntax and usage information for the commands used in this chapter, refer to the switch command reference for this release and to the Cisco IOS Configuration Fundamentals Command Reference for Release 12.1.

Understanding SNMP

• Using SNMP to Access MIB Variables, page 28-4
• SNMP Notifications, page 28-5

SNMP Versions

This software release supports these SNMP versions:
• SNMPv1—The Simple Network Management Protocol, a Full Internet Standard, defined in RFC 1157.

Table 28-1 identifies the characteristics of the different combinations of security models and levels.

Table 28-1 SNMP Security Models and Levels
Model     Level          Authentication     Encryption   Result
SNMPv1    noAuthNoPriv   Community string   No           Uses a community string match for authentication.
SNMPv2C   noAuthNoPriv   Community string   No           Uses a community string match for authentication.

SNMP Agent Functions

The SNMP agent responds to SNMP manager requests as follows:
• Get a MIB variable—The SNMP agent begins this function in response to a request from the NMS. The agent retrieves the value of the requested MIB variable and responds to the NMS with that value.
• Set a MIB variable—The SNMP agent begins this function in response to a message from the NMS.

Figure 28-1 SNMP Network (NMS with SNMP manager; network device with SNMP agent and MIB; Get-request, Get-next-request, Get-bulk, and Set-request from manager to agent; Get-response and traps from agent to manager)

For information on supported MIBs and how to access them, see Appendix A, "Supported MIBs."

SNMP Notifications

SNMP allows the switch to send notifications to SNMP managers when particular events occur. SNMP notifications can be sent as traps or inform requests.

Configuring SNMP

Default SNMP Configuration

Table 28-3 shows the default SNMP configuration.

Table 28-3 Default SNMP Configuration
Feature                 Default Setting
SNMP agent              Disabled (footnote 1).
SNMP trap receiver      None configured.
SNMP traps              None enabled.
SNMP version            If no version keyword is present, the default is Version 1.
SNMPv3 authentication   If no keyword is entered, the default is the noauth (noAuthNoPriv) security level.

• When configuring SNMP informs, you need to configure the SNMP engine ID for the remote agent in the SNMP database before you can send proxy requests or informs to it.
• Changing the value of the SNMP engine ID has important side effects. A user's password (entered on the command line) is converted to an MD5 or SHA security digest based on the password and the local engine ID. The command-line password is then destroyed, as required by RFC 2274.
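The password-to-digest conversion and engine ID dependency described in the guideline above (RFC 2274, carried forward unchanged in RFC 3414), as an added Python example that is not part of this guide or of Cisco IOS. It shows what survives of an SNMPv3 user's password after snmp-server user ... v3 auth {md5 | sha} and why a changed engine ID leaves the manager's existing keys unusable. The password and the first engine ID are the RFC's published test data; the second engine ID is constructed.

```python
"""USM password-to-key conversion and engine-ID key localization
(RFC 2274 appendix A, later RFC 3414). Added illustration, not Cisco code:
it reproduces what an agent does with an SNMPv3 user's auth password and
why changing the local engine ID invalidates the stored digests. The
"maplesyrup" password and the engine ID ending in ...02 are RFC test data;
the engine ID starting 0x800000090300 is a constructed Cisco-style value.
"""
import hashlib
import hmac
from typing import Dict

DIGEST_LEN = {"md5": 16, "sha": 20}    # digest length in bytes


def _hash_name(algo: str) -> str:
    if algo not in DIGEST_LEN:
        raise ValueError("auth algorithm must be md5 or sha")
    return "sha1" if algo == "sha" else "md5"


def password_to_key(password: str, algo: str = "md5") -> bytes:
    """Ku: hash of the password repeated out to 1,048,576 bytes (RFC 3414 A.2)."""
    pw = password.encode()
    if not pw:
        raise ValueError("empty password")
    stream = (pw * (1048576 // len(pw) + 1))[:1048576]
    return hashlib.new(_hash_name(algo), stream).digest()


def localize_key(ku: bytes, engine_id: bytes, algo: str = "md5") -> bytes:
    """Kul = H(Ku || engineID || Ku): the digest the agent actually keeps."""
    return hashlib.new(_hash_name(algo), ku + engine_id + ku).digest()


def user_auth_key(password: str, engine_id: bytes, algo: str = "md5") -> bytes:
    """What `snmp-server user ... v3 auth {md5 | sha} auth-password` leaves behind.

    The command-line password is discarded; only this localized key survives,
    and it is bound to the engine ID that was current when the user was created.
    """
    return localize_key(password_to_key(password, algo), engine_id, algo)


def auth_parameter(kul: bytes, message: bytes, algo: str = "md5") -> bytes:
    """HMAC-MD5-96 / HMAC-SHA-96 over an SNMPv3 message: first 12 bytes of the HMAC."""
    return hmac.new(kul, message, _hash_name(algo)).digest()[:12]


def rekey_effect(password: str, old_engine: bytes, new_engine: bytes,
                 algo: str = "md5") -> Dict[str, object]:
    """Compare a user's keys before and after the local engine ID changes."""
    ku = password_to_key(password, algo)          # depends on the password only
    before = localize_key(ku, old_engine, algo)
    after = localize_key(ku, new_engine, algo)
    probe = b"constructed SNMPv3 message body"    # stands in for a real PDU
    return {
        "ku_hex": ku.hex(),
        "old_localized_hex": before.hex(),
        "new_localized_hex": after.hex(),
        "localized_key_changed": before != after,
        # A manager still holding the old key produces an auth parameter the
        # re-keyed agent rejects, so the user has to be re-created or re-keyed.
        "old_auth_param_accepted": hmac.compare_digest(
            auth_parameter(before, probe, algo), auth_parameter(after, probe, algo)),
    }
```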
Beginning in privileged EXEC mode, follow these steps to configure a community string on the switch:

Step 1  configure terminal
        Enter global configuration mode.
Step 2  snmp-server community string [view view-name] [ro | rw] [access-list-number]
        Configure the community string.

This example shows how to assign the string comaccess to SNMP, to allow read-only access, and to specify that IP access list 4 can use the community string to gain access to the switch SNMP agent:

Switch(config)# snmp-server community comaccess ro 4

Configuring SNMP Groups and Users

You can specify an identification name (engineID) for the local or remote SNMP server engine on the switch.

Step 3  snmp-server group groupname {v1 | v2c | v3 {auth | noauth | priv}} [read readview] [write writeview] [notify notifyview] [access access-list]
        Configure a new SNMP group on the remote device.
        • For groupname, specify the name of the group.
        • Specify a security model:
          – v1 is the least secure of the possible security models.
          – v2c is the second least secure model. It allows transmission of informs and integers twice the normal width.
Step 4  snmp-server user username groupname {remote host [udp-port port]} {v1 [access access-list] | v2c [access access-list] | v3 [encrypted] [access access-list] [auth {md5 | sha} auth-password]}
        Add a new user for an SNMP group.
        • The username is the name of the user on the host that connects to the agent.
        • The groupname is the name of the group to which the user is associated.

Table 28-4 Switch Notification Types (continued)
Notification Type Keyword   Description
cluster                     Generates a trap when the cluster configuration changes.
config                      Generates a trap for SNMP configuration changes.
copy-config                 Generates a trap for SNMP copy configuration changes.
entity                      Generates a trap for SNMP entity changes.
envmon                      Generates environmental monitor traps.

Step 3  snmp-server user username groupname {remote host [udp-port port]} {v1 [access access-list] | v2c [access access-list] | v3 [encrypted] [access access-list] [auth {md5 | sha} auth-password]}
        Configure an SNMP user to be associated with the remote host created in Step 2.
        Note You cannot configure a remote user for an address without first configuring the engine ID for the remote host.

The snmp-server host command specifies which hosts receive the notifications. The snmp-server enable trap command globally enables the mechanism for the specified notification (for traps and informs). To enable a host to receive an inform, you must configure an snmp-server host informs command for the host and globally enable informs by using the snmp-server enable traps command.

Step 3  access-list access-list-number {deny | permit} source [source-wildcard]
        Create a standard access list, repeating the command as many times as necessary.
        • For access-list-number, enter the access list number specified in Step 2.
        • The deny keyword denies access if the conditions are matched. The permit keyword permits access if the conditions are matched.

This example shows how to send Entity MIB traps to the host cisco.com. The community string is restricted. The first line enables the switch to send Entity MIB traps in addition to any traps previously enabled. The second line specifies the destination of these traps and overwrites any previous snmp-server host commands for the host cisco.com.

Switch(config)# snmp-server enable traps entity
Switch(config)# snmp-server host cisco.
C H A P T E R 29 Configuring Network Security with ACLs This chapter describes how to configure network security on a Catalyst 2950 or Catalyst 2955 switch by using access control lists (ACLs), which are also referred to in commands and tables as access lists. You can create ACLs for physical interfaces or management interfaces. A management interface is defined as a management VLAN or any traffic that is going directly to the CPU, such as SNMP, Telnet, or web traffic.
Understanding ACLs
Packet filtering can limit network traffic and restrict network use by certain users or devices. ACLs can filter traffic as it passes through a switch and permit or deny packets at specified interfaces. An ACL is a sequential collection of permit and deny conditions that apply to packets.
Figure 29-1 Using ACLs to Control Traffic to a Network (an ACL denies traffic from Host B and permits traffic from Host A between the Research & Development network and the Human Resources network)
Handling Fragmented and Unfragmented Traffic
IP packets can be fragmented as they cross the network.
• Packet A is a TCP packet from host 10.2.2.2, port 65000, going to host 10.1.1.1 on the SMTP port. If this packet is fragmented, the first fragment matches the first ACE (a permit), as if it were a complete packet because all Layer 4 information is present.
There are two types of masks:
• User-defined mask—masks that are defined by the user.
• All ACEs in an ACL must have the same user-defined mask. However, ACEs can have different rules that use the same mask. On a given interface, only one type of user-defined mask is allowed, but you can apply any number of system-defined masks. For more information on system-defined masks, see the “Understanding Access Control Parameters” section on page 29-4.
Unsupported Features
The switch does not support these Cisco IOS router ACL-related features:
• Non-IP protocol ACLs (see Table 29-2 on page 29-8)
• Bridge-group ACLs
• IP accounting
• ACL support on the outbound direction
• Inbound and outbound rate limiting (except with QoS ACLs)
• IP packets that have a header length of less than 5 bytes
• Reflexive ACLs
• Dynamic ACLs (except for certain specialized dynamic ACLs used by
ACL Numbers
The number you use to denote your ACL shows the type of access list that you are creating. Table 29-2 lists the access list number and corresponding type and shows whether or not they are supported by the switch. The switch supports IP standard and IP extended access lists, numbers 1 to 199 and 1300 to 2699.
Creating a Numbered Standard ACL
Note For information about creating ACLs to apply to a management interface, refer to the “Configuring IP Services” section of the Cisco IOS IP and IP Routing Configuration Guide, Cisco IOS Release 12.1 and the Cisco IOS IP and IP Routing Command Reference, Cisco IOS Release 12.1. You can apply these ACLs only to a management interface.
This example shows how to create a standard ACL to deny access to IP host 171.69.198.102, permit access to any others, and display the results.
Switch(config)# access-list 2 deny host 171.69.198.102
Switch(config)# access-list 2 permit any
Switch(config)# end
Switch# show access-lists
Standard IP access list 2
deny 171.69.198.
Note The switch does not support dynamic or reflexive access lists. It also does not support filtering based on the minimize-monetary-cost type of service (ToS) bit.
When creating ACEs in numbered extended access lists, remember that after you create the list, any additions are placed at the end of the list. You cannot reorder the list or selectively add or remove ACEs from a numbered list.
Beginning in privileged EXEC mode, follow these steps to create an extended ACL:
Step 1  configure terminal  Enter global configuration mode.
Use the no access-list access-list-number global configuration command to delete the entire access list. You cannot delete individual ACEs from numbered access lists.
This example shows how to create and display an extended access list to deny Telnet access from any host in network 171.69.198.0 to any host in network 172.20.52.0 and permit any others.
Beginning in privileged EXEC mode, follow these steps to create a standard named access list:
Step 1  configure terminal  Enter global configuration mode.
Step 2  ip access-list standard {name | access-list-number}  Define a standard IP access list by using a name, and enter access-list configuration mode.
Step 5  show access-lists [number | name]  Show the access list configuration.
Step 6  copy running-config startup-config  (Optional) Save your entries in the configuration file.
When creating standard and extended ACLs, remember that, by default, the end of the ACL contains an implicit deny statement for everything if it did not find a match before reaching the end.
Step 3  absolute [start time date] [end time date]  Specify when the function it will be applied to is operational. Use some combination of these commands; multiple periodic statements are allowed; only one absolute statement is allowed. If more than one absolute statement is configured, only the one configured last is executed.
Switch# show access-lists
Extended IP access list 188
deny tcp any any time-range new_year_day_2000 (inactive)
deny tcp any any time-range thanskgiving_2000 (active)
deny tcp any any time-range christmas_2000 (inactive)
permit tcp any any time-range workhours (inactive)
This example uses named ACLs to permit and deny the same traffic.
Creating Named MAC Extended ACLs
You can filter Layer 2 traffic on a physical Layer 2 interface by using MAC addresses and named MAC extended ACLs. The procedure is similar to that of configuring other extended named access lists.
Note Named MAC extended ACLs are used as a part of the mac access-group privileged EXEC command.
Creating MAC Access Groups
Beginning in privileged EXEC mode, follow these steps to create MAC access groups and to apply a MAC access list to an interface:
Step 1  configure terminal  Enter global configuration mode.
Step 2  interface interface-id  Identify a specific interface for configuration, and enter interface configuration mode. The interface must be a Layer 2 interface.
Applying ACLs to Terminal Lines or Physical Interfaces
After you create an ACL, you can apply it to one or more management interfaces or terminal lines. ACLs can be applied on inbound interfaces. This section describes how to accomplish this task for both terminal lines and network interfaces. Note these guidelines:
• When controlling access to a line, you must use numbered IP ACLs or MAC extended ACLs.
Step 4  end  Return to privileged EXEC mode.
Step 5  show running-config  Display the access list configuration.
Step 6  copy running-config startup-config  (Optional) Save your entries in the configuration file.
Displaying ACL Information
This example shows all standard and extended ACLs:
Switch# show access-lists
Standard IP access list 1
permit 172.20.10.10
Standard IP ACL 10
permit 12.12.12.12
Standard IP access list 12
deny 1.3.3.2
Standard IP access list 32
permit 172.20.20.20
Standard IP access list 34
permit 10.24.35.56
permit 23.45.56.34
Extended IP access list 120
Extended MAC access list mac1
This example shows only IP standard and extended ACLs.
This example shows how to view all access groups configured for an interface:
Switch# show ip interface fastethernet0/9
FastEthernet0/9 is down, line protocol is down
Inbound access list is ip1
The only way to ensure that you can view all configured access groups under all circumstances is to use the show running-config privileged EXEC command.
Examples for Compiling ACLs
Figure 29-2 Using Switch ACLs to Control Traffic (Internet, Cisco router, workstation, and end workstations)
This example uses a standard ACL to allow access to a specific Internet host with the address 172.20.128.64.
Switch(config)# access-list 6 permit 172.20.128.64 0.0.0.
Numbered ACL Examples
This example shows that the switch accepts addresses on network 36.0.0.0 subnets and denies all packets coming from 56.0.0.0 subnets. The ACL is then applied to packets entering an interface.
Switch(config)# access-list 2 permit 36.0.0.0 0.255.255.255
Switch(config)# access-list 2 deny 56.0.0.0 0.255.255.
In this example of a numbered ACL, the Winter and Smith workstations are not allowed to browse the web:
Switch(config)# access-list 100 remark Do not allow Winter to browse the web
Switch(config)# access-list 100 deny host 171.69.3.85 any eq www
Switch(config)# access-list 100 remark Do not allow Smith to browse the web
Switch(config)# access-list 100 deny host 171.69.3.
Chapter 30 Configuring QoS
This chapter describes how to configure quality of service (QoS) by using automatic-QoS (auto-QoS) commands or by using standard QoS commands. With QoS, you can give preferential treatment to certain types of traffic at the expense of others. Without QoS, the Catalyst 2950 or Catalyst 2955 switch offers best-effort service to each packet, regardless of the packet contents or size. It sends the packets without any assurance of reliability, delay bounds, or throughput.
Understanding QoS
You can also use these wizards to configure QoS only if your switch is running the EI:
• Priority data wizard—Lets you assign priority levels to data applications based on their TCP or UDP ports. It has a standard list of applications, and you select the ones that you want to prioritize, the priority levels, and the interfaces where the prioritization occurs. Refer to the priority data wizard online help for procedures about using this wizard.
• Prioritization bits in Layer 3 packets
Layer 3 IP packets can carry a Differentiated Services Code Point (DSCP) value. The supported DSCP values are 0, 8, 10, 16, 18, 24, 26, 32, 34, 40, 46, 48, and 56.
Figure 30-1 QoS Classification Layers in Frames and Packets (encapsulated packet: Layer 2 header, IP header, data; Layer 2 802.1Q and 802.
Basic QoS Model
Figure 30-2 shows the basic QoS model. Actions at the ingress interface include classifying traffic, policing, and marking:
Note If you have the SI installed on your switch, only the queueing and scheduling features are available.
• Classifying distinguishes one kind of traffic from another. For more information, see the “Classification” section on page 30-5.
Classification
Note This feature is available only if your switch is running the EI.
Classification is the process of distinguishing one kind of traffic from another by examining the fields in the packet. Classification occurs only on a physical interface basis. No support exists for classifying packets at the VLAN level. You specify which fields in the frame or packet you want to use to classify incoming traffic.
• Configuration of a deny action is not supported in QoS ACLs on the switch.
• System-defined masks are allowed in class maps with these restrictions:
– A combination of system-defined and user-defined masks cannot be used in the multiple class maps that are a part of a policy map.
– System-defined masks that are a part of a policy map must all use the same type of system mask.
A policy map also has these characteristics:
• A policy map can contain multiple class statements.
• A separate policy-map class can exist for each type of traffic received through an interface.
• A policy-map configuration state supersedes any actions due to an interface trust state. For configuration information, see the “Configuring a QoS Policy” section on page 30-26.
Mapping Tables
Note This feature is available only if your switch is running the EI.
During classification, QoS uses a configurable CoS-to-DSCP map to derive an internal DSCP value from the received CoS value. This DSCP value represents the priority of the traffic. Before the traffic reaches the scheduling stage, QoS uses the configurable DSCP-to-CoS map to derive a CoS value from the internal DSCP value.
Configuring Auto-QoS
CoS configures each transmit port (the egress port) with a normal-priority transmit queue and a high-priority transmit queue, depending on the frame tag or the port information. Frames in the normal-priority queue are forwarded only after frames in the high-priority queue are forwarded. The switch (802.1P user priority) has four priority queues. The frames are forwarded to appropriate queues based on the priority-to-queue mapping that you defined.
You use auto-QoS commands to identify ports connected to Cisco IP Phones and to devices running the Cisco SoftPhone application. You also use the commands to identify ports that receive trusted traffic through an uplink.
When you enable the auto-QoS feature on the first interface, these automatic actions occur:
• When you enter the auto qos voip cisco-phone interface configuration command on a port at the edge of a network that is connected to a Cisco IP Phone, the switch enables the trusted boundary feature. The switch uses the Cisco Discovery Protocol (CDP) to detect the presence or absence of a Cisco IP Phone.
Table 30-4 Generated Auto-QoS Configuration (columns: Description; Automatically Generated QoS Command Equivalent)
If you entered the auto qos voip cisco-softphone command, the switch automatically creates class maps and policy maps.
Effects of Auto-QoS on the Configuration
When auto-QoS is enabled, the auto qos voip interface configuration command and the generated configuration are added to the running configuration. The switch applies the auto-QoS-generated commands as if the commands were entered from the CLI. An existing user configuration can cause the application of the generated commands to fail or to be overridden by the generated commands. These actions occur without warning.
Upgrading from a Previous Software Release
In Cisco IOS Release 12.2(20)EA2, the implementation for auto-QoS changed from the previous release. The generated auto-QoS configuration was changed and support for the Cisco SoftPhone feature was added. If auto-QoS is configured on the switch, your switch is running a release earlier than Cisco IOS Release 12.2(20)EA2, and you upgrade to Cisco IOS Release 12.
To disable auto-QoS on the switch and return to the default port trust state set (untrusted), follow these steps:
1. Use the no auto qos voip interface configuration command on all interfaces on which auto-QoS is enabled. To disable auto-QoS on multiple interfaces at the same time, you can use the interface range global configuration command.
2.
Auto-QoS Configuration Example
Note This example is applicable only if your switch is running the EI.
This section describes how you could implement auto-QoS in a network, as shown in Figure 30-3. For optimum QoS performance, auto-QoS should be enabled on all the devices in the network.
Figure 30-3 Auto-QoS Configuration Example Network (Cisco router to the Internet, trunk links, video server 172.20.10.
Note You should not configure any standard-QoS commands before entering the auto-QoS commands. You can fine-tune the QoS configuration, but we recommend that you do so only after the auto-QoS configuration is completed.
Configuring Standard QoS
Before configuring standard QoS, you must have a thorough understanding of these items:
• The types of applications used and the traffic patterns on your network.
• Traffic characteristics and needs of your network. Is the traffic bursty? Do you need to reserve bandwidth for voice and video streams?
• Bandwidth requirements and speed of the network.
• Location of congestion points in the network.
Note In software releases earlier than Cisco IOS Release 12.1(11)EA1, the switch uses the CoS value of incoming packets without modifying the DSCP value. You can configure this by enabling pass-through mode on the port. For more information, see the “Enabling Pass-Through Mode” section on page 30-25.
Configuration Guidelines
Note These guidelines are applicable only if your switch is running the EI.
Table 30-5 Interaction Between Policy Maps and Security ACLs
Policy-Map Conditions | Security-ACL Conditions | Action
When the packet is in profile. | Permit specified packets. | Traffic is forwarded.
When the packet is out of profile and the out-of-profile action is to mark down the DSCP value. | Drop specified packets. | Traffic is dropped.
When the packet is out of profile and the out-of-profile action is to drop the packet. | Permit specified packets. |
Figure 30-4 Port Trusted States within the QoS Domain (trusted interface, trunk, and trusted boundary; the figure marks where traffic classification is performed)
Beginning in privileged EXEC mode, follow these steps to configure the port to trust the classification of the traffic that it receives:
Step 1  configure terminal  Enter global configuration mode.
Step 3  mls qos trust [cos | dscp]  Configure the port trust state. By default, the port is not trusted. The keywords have these meanings:
cos—Classifies ingress packets with the packet CoS values. For tagged IP packets, the DSCP value of the packet is modified based on the CoS-to-DSCP map. The egress queue assigned to the packet is based on the packet CoS value.
dscp—Classifies ingress packets with packet DSCP values.
Configuring the CoS Value for an Interface
QoS assigns the CoS value specified with the mls qos cos interface configuration command to untagged frames received on trusted and untrusted ports.
Beginning in privileged EXEC mode, follow these steps to define the default CoS value of a port or to assign the default CoS to all incoming packets on the port:
Step 1  configure terminal  Enter global configuration mode.
With the trusted setting, you also can use the trusted boundary feature to prevent misuse of a high-priority queue if a user bypasses the telephone and connects the PC directly to the switch. Without trusted boundary, the CoS labels generated by the PC are trusted by the switch (because of the trusted CoS setting).
You cannot enable trusted boundary if auto-QoS is already enabled and vice-versa. If auto-QoS is enabled and a Cisco IP Phone is absent on a port, the port does not trust the classification of traffic that it receives. Table 30-6 lists the port configuration when an IP phone is present or absent.
To disable pass-through mode, use the no mls qos trust pass-through dscp interface configuration command. If you enter the mls qos cos override and the mls qos trust [cos | dscp] interface commands when pass-through mode is enabled, pass-through mode is disabled.
Classifying Traffic by Using ACLs
You can classify IP traffic by using IP standard or IP extended ACLs; you can classify Layer 2 traffic by using Layer 2 MAC ACLs.
Beginning in privileged EXEC mode, follow these steps to create an IP standard ACL for IP traffic:
Step 1  configure terminal  Enter global configuration mode.
Beginning in privileged EXEC mode, follow these steps to create an IP extended ACL for IP traffic:
Step 1  configure terminal  Enter global configuration mode.
Step 4  show access-lists  Verify your entries.
Step 5  copy running-config startup-config  (Optional) Save your entries in the configuration file.
For more information about creating IP extended ACLs, see the “Guidelines for Applying ACLs to Physical Interfaces” section on page 29-5. To delete an ACL, use the no access-list access-list-number global configuration command.
This example shows how to create a Layer 2 MAC ACL with a permit statement. The statement allows traffic from the host with MAC address 0001.0000.0001 to the host with MAC address 0002.0000.0001.
Switch(config)# mac access-list extended maclist1
Switch(config-ext-macl)# permit host 0001.0000.0001 host 0002.0000.
Step 4  match {access-group acl-index | access-group name acl-name | ip dscp dscp-list}  Define the match criterion to classify traffic. By default, no match criterion is supported. Only one match criterion per class map is supported, and only one ACL per class map is supported. For access-group acl-index or access-group name acl-name, specify the number or name of the ACL created in Step 3.
Beginning in privileged EXEC mode, follow these steps to create a policy map:
Step 1  configure terminal  Enter global configuration mode.
Step 2  access-list access-list-number permit {source source-wildcard | host source | any}  Create an IP standard or extended ACL for IP traffic or a Layer 2 MAC ACL for non-IP traffic, repeating the command as many times as necessary.
Step 5  set {ip dscp new-dscp}  Classify IP traffic by setting a new value in the packet. For ip dscp new-dscp, enter a new DSCP value to be assigned to the classified traffic. The supported DSCP values are 0, 8, 10, 16, 18, 24, 26, 32, 34, 40, 46, 48, and 56.
Step 6  police rate-bps burst-byte [exceed-action {drop | dscp dscp-value}]  Define a policer for the classified traffic.
This example shows how to create a policy map and attach it to an ingress interface. In the configuration, the IP standard ACL permits traffic from network 10.1.0.0. For traffic matching this classification, the DSCP value in the incoming packet is trusted. If the matched traffic exceeds an average traffic rate of 5000000 bps and a normal burst size of 8192 bytes, its DSCP is marked down to a value of 10 and sent.
Configuring the CoS-to-DSCP Map
You use the CoS-to-DSCP map to map CoS values in incoming packets to a DSCP value that QoS uses internally to represent the priority of the traffic. Table 30-7 shows the default CoS-to-DSCP map.
Table 30-7 Default CoS-to-DSCP Map
CoS value   0  1   2   3   4   5   6   7
DSCP value  0  8  16  24  32  40  48  56
If these values are not appropriate for your network, you need to modify them.
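The policer behaviour in the policy-map example above and the mapping tables, as an added Python model that is not code from the Cisco guide: a single-rate token bucket with the example's parameters (5000000 bps, 8192-byte normal burst, exceed-action dscp 10), the default CoS-to-DSCP map of Table 30-7, and a check that a modified map only uses DSCP values the switch supports. The packet sizes and arrival times are constructed, and the DSCP-to-CoS relationship (the CoS is the DSCP divided by 8) is assumed here as the default map.

```python
"""Added example: token-bucket policer and CoS/DSCP maps modelled after the
standard QoS policy example. Not code from the Cisco guide; traffic is constructed."""
from typing import Dict, List, Optional, Tuple

# DSCP values the switch supports (from the chapter).
SUPPORTED_DSCP = {0, 8, 10, 16, 18, 24, 26, 32, 34, 40, 46, 48, 56}


def default_cos_to_dscp() -> Dict[int, int]:
    """Table 30-7: CoS 0..7 maps to DSCP 0, 8, ..., 56."""
    return {cos: cos * 8 for cos in range(8)}


def default_dscp_to_cos() -> Dict[int, int]:
    """Assumed default DSCP-to-CoS map: the CoS is the DSCP's high three bits."""
    return {dscp: dscp // 8 for dscp in SUPPORTED_DSCP}


def validate_cos_to_dscp(cos_map: Dict[int, int]) -> List[str]:
    """Return the problems in a candidate replacement for the CoS-to-DSCP map."""
    problems = []
    if sorted(cos_map) != list(range(8)):
        problems.append("map must give exactly one DSCP for each CoS 0 to 7")
    for cos, dscp in cos_map.items():
        if dscp not in SUPPORTED_DSCP:
            problems.append(f"CoS {cos}: DSCP {dscp} is not supported on this switch")
    return problems


class Policer:
    """Single-rate token bucket: rate_bps average rate, burst_bytes normal burst."""

    def __init__(self, rate_bps: int, burst_bytes: int, exceed_action: str,
                 markdown_dscp: Optional[int] = None) -> None:
        if exceed_action == "dscp" and markdown_dscp not in SUPPORTED_DSCP:
            raise ValueError("exceed-action dscp needs a supported DSCP value")
        self.rate_bytes_per_s = rate_bps / 8.0
        self.capacity = float(burst_bytes)
        self.tokens = float(burst_bytes)   # the bucket starts full
        self.exceed_action = exceed_action
        self.markdown_dscp = markdown_dscp
        self.last_time = 0.0

    def police(self, size_bytes: int, now: float, dscp: int) -> Tuple[str, Optional[int]]:
        """Return (disposition, DSCP the packet leaves with; None if dropped)."""
        # Refill for the time elapsed since the previous packet, capped at the burst.
        self.tokens = min(self.capacity,
                          self.tokens + (now - self.last_time) * self.rate_bytes_per_s)
        self.last_time = now
        if size_bytes <= self.tokens:
            self.tokens -= size_bytes
            return "in-profile", dscp           # forwarded with its trusted DSCP
        if self.exceed_action == "drop":
            return "dropped", None
        return "marked-down", self.markdown_dscp


def run_policy_example() -> List[Tuple[str, Optional[int]]]:
    """Constructed burst: six 1500-byte packets at t=0, then one 10 ms later,
    all arriving with DSCP 46, through the example's 5000000 bps / 8192-byte policer."""
    policer = Policer(5000000, 8192, "dscp", markdown_dscp=10)
    arrivals = [(1500, 0.0)] * 6 + [(1500, 0.010)]
    return [policer.police(size, t, 46) for size, t in arrivals]


if __name__ == "__main__":
    for i, result in enumerate(run_policy_example()):
        print(f"packet {i}: {result}")
    print("CoS 5 -> DSCP", default_cos_to_dscp()[5], "-> CoS", default_dscp_to_cos()[40])
```

The sixth packet of the burst is the first to exceed the 8192-byte bucket and leaves with DSCP 10; after 10 ms the bucket has refilled by 6250 bytes, so the next packet is in profile again.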
Configuring the DSCP-to-CoS Map
You use the DSCP-to-CoS map to map DSCP values in incoming packets to a CoS value, which is used to select one of the four egress queues. The switch supports these DSCP values: 0, 8, 10, 16, 18, 24, 26, 32, 34, 40, 46, 48, and 56. Table 30-8 shows the default DSCP-to-CoS map.
Configuring the Egress Queues
Note This feature is supported by both the SI and EI.
This section describes how to configure the egress queues:
• Configuring CoS Priority Queues, page 30-37
• Configuring WRR Priority, page 30-38
• Enabling the Expedite Queue and Configuring WRR Priority, page 30-38
For more information about the egress queues, see the “Egress CoS Queues” section on page 30-9.
Configuring WRR Priority
Beginning in privileged EXEC mode, follow these steps to configure the WRR priority:
Step 1  configure terminal  Enter global configuration mode.
Step 2  wrr-queue bandwidth weight1...weight4  Assign WRR weights to the four CoS queues. These are the ranges for the WRR values:
• For weight1, weight2, and weight3, the range is 1 to 255.
• For weight4, the range is 0 to 255.
Displaying Standard QoS Information
To display standard QoS information, use one or more of the privileged EXEC commands in Table 30-9:
Table 30-9 Commands for Displaying QoS Information
show class-map [class-map-name]  Display QoS class maps, which define the match criteria to classify traffic.
Standard QoS Configuration Examples
Figure 30-5 QoS Configuration Example Network (Cisco router to the Internet; intelligent wiring closet and existing wiring closet connected by trunk links on Gigabit Ethernet 0/1 and Gigabit Ethernet 0/2; end stations; video server 172.20.10.16)
QoS Configuration for the Existing Wiring Closet
Figure 30-5 shows an existing wiring closet with Catalyst 2900 XL and 3500 XL switches, for example. These switches are running Cisco IOS Release 12.
For the Catalyst 2900 and 3500 XL switches, CoS configures each transmit port (the egress port) with a normal-priority transmit queue and a high-priority transmit queue, depending on the frame tag or the port information. Frames in the normal-priority queue are forwarded only after frames in the high-priority queue are forwarded. Frames that have 802.
Step 18  show class-map videoclass, show policy-map videopolicy, show mls qos maps [cos-dscp | dscp-cos]  Verify your entries.
Step 19  copy running-config startup-config  (Optional) Save your entries in the configuration file.
Chapter 31 Configuring EtherChannels
This chapter describes how to configure EtherChannel on the Layer 2 interfaces of a Catalyst 2950 or Catalyst 2955 switch. EtherChannel provides fault-tolerant high-speed links between switches, routers, and servers. You can use it to increase the bandwidth between the wiring closets and the data center, and you can deploy it anywhere in the network where bottlenecks are likely to occur.
Understanding EtherChannels
Figure 31-1 Typical EtherChannel Configuration (Catalyst 8500 series switch connected over 1000BASE-X links forming a Gigabit EtherChannel; 10/100 switched links to workstations)
Each EtherChannel can consist of up to eight compatibly configured Ethernet interfaces. All interfaces in each EtherChannel must be the same speed, and all must be configured as Layer 2 interfaces.
Figure 31-2 Relationship of Physical Ports, Logical Port Channels, and Channel Groups (physical ports bound through a channel group to a logical port-channel)
When a port joins an EtherChannel, the physical interface for that port is shut down. When the port leaves the port-channel, its physical interface is brought up, and it has the same configuration as it had before joining the EtherChannel.
PAgP and LACP Modes
Table 31-1 shows the user-configurable EtherChannel modes for the channel-group interface configuration command. Switch interfaces exchange PAgP packets only with partner interfaces configured in the auto or desirable modes. Switch interfaces exchange LACP packets only with partner interfaces configured in the active or passive modes. Interfaces configured in the on mode do not exchange PAgP or LACP packets.
Note An EtherChannel cannot be configured in both the PAgP and LACP modes.
Exchanging LACP Packets
Both the active and passive LACP modes allow interfaces to negotiate with partner interfaces to determine if they can form an EtherChannel based on criteria such as interface speed and, for Layer 2 EtherChannels, trunking state and VLAN numbers.
PAgP and LACP Interaction with Other Features
The Dynamic Trunking Protocol (DTP) and Cisco Discovery Protocol (CDP) send and receive packets over the physical interfaces in the EtherChannel. Trunk ports send and receive PAgP and LACP protocol data units (PDUs) on the lowest numbered VLAN. Spanning tree sends packets over a single physical interface in the EtherChannel. Spanning tree regards the EtherChannel as one port.
Figure 31-3 Load Distribution and Forwarding Methods (a switch with source-based forwarding enabled and a Cisco router with destination-based forwarding enabled, connected by an EtherChannel)
Configuring EtherChannels
These sections describe how to configure EtherChannel interfaces:
• Default EtherChannel Configuration, page 31-8
• EtherChannel Configuration Guidelines, page 31-8
• Configuring Layer 2 EtherChannels, page 31-9
• Configuring EtherChanne
Default EtherChannel Configuration
Table 31-2 shows the default EtherChannel configuration.
Table 31-2 Default EtherChannel Configuration
Feature | Default Setting
Channel groups | None assigned.
PAgP mode | No default.
PAgP learn method | Aggregate-port learning on all interfaces.
PAgP priority | 128 on all interfaces. (Changing this value has no effect.)
LACP learn method | Aggregate-port learning on all interfaces.
• An EtherChannel supports the same allowed range of VLANs on all the interfaces in a trunking Layer 2 EtherChannel. When configuring an interface for PAgP, if the allowed range of VLANs is not the same, the interfaces do not form an EtherChannel even when PAgP is set to the auto or desirable mode.
Step 3  channel-group channel-group-number mode {{auto [non-silent] | desirable [non-silent] | on} | {active | passive}}  Assign the interface to a channel group, and specify the PAgP or LACP mode. For channel-group-number, the range is 1 to 6. Each EtherChannel can have up to eight compatibly configured Ethernet interfaces. For mode, select one of these keywords:
• active—Enables LACP only if an LACP device is detected.
To remove an interface from the EtherChannel group, use the no channel-group interface configuration command. If you delete the EtherChannel by using the no interface port-channel global configuration command without removing the physical interfaces, the physical interfaces are shut down. If you do not want the member physical interfaces to shut down, remove the physical interfaces before deleting the EtherChannel.
Chapter 31 Configuring EtherChannels Configuring EtherChannels To return EtherChannel load balancing to the default configuration, use the no port-channel load-balance global configuration command. Configuring the PAgP Learn Method and Priority Network devices are classified as PAgP physical learners or aggregate-port learners. A device is a physical learner if it learns addresses by physical ports and directs transmissions based on that knowledge.
Chapter 31 Configuring EtherChannels Configuring EtherChannels Configuring Hot Standby Ports When enabled, LACP tries to configure the maximum number of LACP-compatible ports in a channel, up to a maximum of 16 ports. Only eight LACP links can be active at one time. Any additional links are put in a hot standby state. If one of the active links becomes inactive, a link that is in hot standby mode becomes active in its place.
Chapter 31 Configuring EtherChannels Displaying EtherChannel, PAgP, and LACP Status Step 3 end Return to privileged EXEC mode. Step 4 show running-config Verify your entries. or show lacp channel-group-number internal Step 5 copy running-config startup-config (Optional) Save your entries in the configuration file.
CHAPTER 32 Troubleshooting
This chapter describes how to identify and resolve Catalyst 2950 and Catalyst 2955 software problems related to the Cisco IOS software. Depending on the nature of the problem, you can use the command-line interface (CLI) or the Cluster Management Suite (CMS) to identify and solve problems.
Using Recovery Procedures

Recovering from Corrupted Software
Switch software can be corrupted during an upgrade, by downloading the wrong file to the switch, and by deleting the image file. In all of these cases, the switch does not pass the power-on self-test (POST), and there is no connectivity. This procedure uses the Xmodem protocol to recover from a corrupt or wrong image file.
Step 4 Press the Mode button, and at the same time, reconnect the power cord to the switch. You can release the Mode button a second or two after the LED above port 1X turns off. Several lines of information about the software appear, as do instructions:
The system has been interrupted prior to initializing the flash file system.
Step 15 Change the password:
switch(config)# enable secret
or
switch(config)# enable password
Step 16 Return to privileged EXEC mode:
switch(config)# exit
switch#
Step 17 Write the running configuration to the startup configuration file:
switch# copy running-config startup-config
The new password is now included in the startup configuration.
• If you see a message that begins with this:
The password-recovery mechanism has been triggered, but is currently disabled.
go to the “Procedure with Password Recovery Disabled” section on page 32-6, and follow the steps.

Password Recovery with Password Recovery Enabled
If the password-recovery mechanism is enabled, this message appears:
The system has been interrupted prior to initializing the flash file system.
Step 9 Copy the configuration file into memory:
Switch# copy flash:config.text system:running-config
Source filename [config.text]?
Destination filename [running-config]?
Press Return in response to the confirmation prompts. The configuration file is now reloaded, and you can change the password.
• If you enter n (no), the normal boot process continues as if the Mode button had not been pressed; you cannot access the boot loader prompt, and you cannot enter a new password. You see the message:
Press Enter to continue........
• If you enter y (yes), the configuration file in flash memory and the VLAN database file are deleted. When the default configuration loads, you can reset the password.
Note This procedure is likely to leave your switch VLAN interface in a shutdown state. You can see which interface is in this state by entering the show running-config privileged EXEC command. To re-enable the interface, enter the interface vlan vlan-id global configuration command, and specify the VLAN ID of the shutdown interface. With the switch in interface configuration mode, enter the no shutdown command.
Step 4 When the boot loader prompts you, enter the break key. This example shows the messages that appear on the console after the user enters a break key:
The system has been interrupted prior to initializing the flash file system. The following commands will initialize the flash file system, and finish loading the operating system software:
flash_init
load_helper
boot
After the message appears, the boot loader prompt resumes.
Step 14 Enter global configuration mode:
switch# configure terminal
Step 15 Change the password:
switch(config)# enable secret
or
switch(config)# enable password
Step 16 Return to privileged EXEC mode:
switch(config)# exit
switch#
Step 17 Write the running configuration to the startup configuration file:
switch# copy running-config startup-config
The new password is now included in the startup configuration.
Replacing a Failed Command Switch with a Cluster Member
To replace a failed command switch with a command-capable member in the same cluster, follow these steps:
Step 1 Disconnect the command switch from the member switches, and physically remove it from the cluster.
Step 2 Insert the member switch in place of the failed command switch, and duplicate its connections to the cluster members.
Step 3 Start a CLI session on the new command switch.
Step 10 Enter Y at the first prompt. The prompts in the setup program vary depending on the member switch you selected to be the command switch:
Continue with configuration dialog? [yes/no]: y
or
Configuring global parameters:
If this prompt does not appear, enter enable, and press Return. Enter setup, and press Return to start the setup program.
Step 11 Respond to the questions in the setup program.
Step 5 Use the setup program to configure the switch IP information. This program prompts you for IP address information and passwords. From privileged EXEC mode, enter setup, and press Return.
Switch# setup
--- System Configuration Dialog ---
Continue with configuration dialog? [yes/no]: y
At any point you may enter a question mark '?' for help.
Use ctrl-c to abort configuration dialog at any prompt.
Default settings are in square brackets '[]'.
Preventing Autonegotiation Mismatches

Recovering from Lost Member Connectivity
Some configurations can prevent the command switch from maintaining contact with member switches.
Diagnosing Connectivity Problems
After inserting a Cisco-approved GBIC or SFP module, use the errdisable recovery cause gbic-invalid global configuration command to verify the port status, and enter a time interval for recovering from the error-disabled state. After the elapsed interval, the switch brings the interface out of the error-disabled state and retries the operation.
Note Though other protocol keywords are available with the ping command, they are not supported in this release.
This example shows how to ping an IP host:
Switch# ping 172.20.52.3
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echoes to 172.20.52.3, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/4 ms
Switch#
Table 32-1 describes the possible ping character output.
Usage Guidelines
These are the Layer 2 traceroute usage guidelines:
• Cisco Discovery Protocol (CDP) must be enabled on all the devices in the network. For Layer 2 traceroute to function properly, do not disable CDP. If any devices in the physical path are transparent to CDP, the switch cannot identify the path through these devices.
Note For more information about enabling CDP, see Chapter 24, “Configuring CDP.
Displaying the Physical Path
You can display the physical path that a packet takes from a source device to a destination device by using one of these privileged EXEC commands:
• traceroute mac [interface interface-id] {source-mac-address} [interface interface-id] {destination-mac-address} [vlan vlan-id] [detail]
• traceroute mac ip {source-ip-address | source-hostname} {destination-ip-address | destination-hostname} [detail]
For more informati
Diagnosing LRE Connection Problems

Table 32-2 LRE Port Problems (continued)
Problem: High Reed-Solomon error count without CRC errors
Suspected Cause and Suggested Solution:
• The interleave feature is helping Reed-Solomon error correction to function correctly in a noisy environment. This situation means that the system is on the verge of generating CRC errors.
Using Debug Commands

Caution Because debugging output is assigned high priority in the CPU process, it can render the system unusable. For this reason, use debug commands only to troubleshoot specific problems or during troubleshooting sessions with Cisco technical support staff. It is best to use debug commands during periods of lower network traffic and fewer users.
The no debug all privileged EXEC command disables all diagnostic output. Using the no debug all command is a convenient way to ensure that you have not accidentally left any debug commands enabled.

Redirecting Debug and Error Message Output
By default, the network server sends the output from debug commands and system error messages to the console.
Using the show controllers Commands

Step 5 Command: end
Purpose: Return to privileged EXEC mode.
Step 6 Command: show auto qos interface interface-id
Purpose: Verify your entries. This command displays the auto-QoS configuration that was initially applied; it does not display any user changes to the configuration that might be in effect. For more information about auto-QoS, see the “Configuring Auto-QoS” section on page 30-9.
Using the crashinfo File
This feature is available if your switch is running Cisco IOS Release 12.1(11)EA1 or later. The crashinfo file saves information that helps Cisco technical support representatives to debug problems that caused the software image to fail (crash).
APPENDIX A Supported MIBs
This appendix lists the supported MIBs for this release. It contains these sections:
• MIB List, page A-1
• Using FTP to Access the MIB Files, page A-3

MIB List
Note The Catalyst 2955 switch supports the ENTITY-MIB, CISCO-ENVMON-MIB and CISCO-ENTITY-ALARM-MIB.
• CISCO-PAE-MIB
• CISCO-PAGP-MIB
• CISCO-PING-MIB
• CISCO-PORT-SECURITY-MIB
• CISCO-PROCESS-MIB
• CISCO-PRODUCTS-MIB
• CISCO-RTTMON-MIB (subsystems supported: sub_rtt_rmon and sub_rtt_rmonlib)
• CISCO-SMI
• CISCO-STACKMAKER-MIB
• CISCO-STP-EXTENSIONS-MIB
• CISCO-SYSLOG-MIB
• CISCO-TC
• CISCO-TCP-MIB
• CISCO-VLAN-MEMBERSHIP-MIB
• CISCO-VTP-MIB
• ENTITY-MIB
• IEEE8021-PAE-MIB
• IANAifType-MIB
• IF-MIB (RFC 1573)
• OLD-CISCO-CHASSIS-M
Note The IF-MIB and the CISCO-IETF-VDSL-LINE-MIB are supported as read-only MIBs for the Fast Ethernet interfaces on the CPE devices.

Using FTP to Access the MIB Files
You can obtain each MIB file by using this procedure:
Step 1 Use FTP to access the server ftp.cisco.com.
Step 2 Log in with the username anonymous.
Step 3 Enter your e-mail username when prompted for the password.
APPENDIX B Working with the Cisco IOS File System, Configuration Files, and Software Images
This appendix describes how to manipulate the Catalyst 2950 or 2955 flash file system, how to copy configuration files, and how to archive (upload and download) software images.
Note For complete syntax and usage information for the commands used in this chapter, refer to the command reference for this release and the Cisco IOS Configuration Fundamentals Command Reference for Release 12.1.
Working with the Flash File System

Displaying Available File Systems
To display the available file systems on your switch, use the show file systems privileged EXEC command as shown in this example:
Switch# show file systems
File Systems:

    Size(b)    Free(b)  Type     Flags
*  16128000   11118592  flash    rw
   16128000   11118592  unknown  rw
      32768      26363  nvram    rw
          -          -  network
          -          -  opaque
          -          -  opaque
          -          -  opaque
          -          -  opaque
          -          -  network
          -          -  network

Table B-1
Table B-1 show file systems Field Descriptions (continued)
Field: Flags
Value: Permission for file system. ro—read-only. rw—read/write. wo—write-only.
Field: Prefixes
Value: Alias for file system. bs:—Read-only file system; stores the boot loader image. vb:—Stores the boot environment variables. flash:—Flash file system. nvram:—NVRAM. null:—Null destination for copies.
To display information about files on a file system, use one of the privileged EXEC commands in Table B-2:
Table B-2 Commands for Displaying Information About Files
Command: dir [/all] [filesystem:][filename]
Description: Display a list of files on a file system.
Command: show file systems
Description: Display more information about each of the files on a file system.
Use the /recursive keyword to delete the named directory and all subdirectories and the files contained in it. Use the /force keyword to suppress the prompting that confirms a deletion of each file in the directory. You are prompted only once at the beginning of this deletion process.
Use the /recursive keyword for deleting a directory and all subdirectories and the files contained in it. Use the /force keyword to suppress the prompting that confirms a deletion of each file in the directory. You are prompted only once at the beginning of this deletion process.
Displaying the Contents of a tar File
To display the contents of a tar file on the screen, use this privileged EXEC command:
archive tar /table source-url
For source-url, specify the source URL alias for the local or network file system.
This example shows how to extract the contents of a tar file located on the TFTP server at 172.20.10.30. This command extracts just the new-configs directory into the root directory on the local flash file system. The remaining files in the saved.tar file are ignored.
Switch# archive tar /xtract tftp:/172.20.10.30/saved.
Working with Configuration Files
This section includes this information:
• Guidelines for Creating and Using Configuration Files, page B-9
• Configuration File Types and Location, page B-10
• Creating a Configuration File By Using a Text Editor, page B-10
• Copying Configuration Files By Using TFTP, page B-10
• Copying Configuration Files By Using FTP, page B-12
• Copying Configuration Files By Using RCP
Configuration File Types and Location
Startup configuration files are used during system startup to configure the software. Running configuration files contain the current configuration of the software. The two configuration files can be different. For example, you might want to change the configuration for a short time period rather than permanently.
Preparing to Download or Upload a Configuration File By Using TFTP
Before you begin downloading or uploading a configuration file by using TFTP, do these tasks:
• Ensure that the workstation acting as the TFTP server is properly configured. On a Sun workstation, make sure that the /etc/inetd.conf file contains this line:
tftp dgram udp wait root /usr/etc/in.tftpd in.
This example shows how to configure the software from the file tokyo-confg at IP address 172.16.2.155:
Switch# copy tftp://172.16.2.155/tokyo-confg system:running-config
Configure using tokyo-confg from 172.16.2.155? [confirm] y
Booting tokyo-confg from 172.16.2.
The username and password must be associated with an account on the FTP server. If you are writing to the server, the FTP server must be properly configured to accept your FTP write request. Use the ip ftp username and ip ftp password commands to specify a username and password for all copies.
Step 4 Command: ip ftp username username
Purpose: (Optional) Change the default remote username.
Step 5 Command: ip ftp password password
Purpose: (Optional) Change the default password.
Step 6 Command: end
Purpose: Return to privileged EXEC mode.
Step 3 Command: configure terminal
Purpose: Enter global configuration mode. This step is required only if you override the default remote username or password (see Steps 4, 5, and 6).
Step 4 Command: ip ftp username username
Purpose: (Optional) Change the default remote username.
Step 5 Command: ip ftp password password
Purpose: (Optional) Change the default password.
The RCP requires a client to send a remote username with each RCP request to a server. When you copy a configuration file from the switch to a server, the software sends the first valid username in this list:
• The username specified in the copy command if a username is specified.
Downloading a Configuration File By Using RCP
Beginning in privileged EXEC mode, follow these steps to download a configuration file by using RCP:
Step 1 Verify that the RCP server is properly configured by referring to the “Preparing to Download or Upload a Configuration File By Using RCP” section on page B-16.
Uploading a Configuration File By Using RCP
Beginning in privileged EXEC mode, follow these steps to upload a configuration file by using RCP:
Step 1 Verify that the RCP server is properly configured by referring to the “Preparing to Download or Upload a Configuration File By Using RCP” section on page B-16.
Clearing Configuration Information
You can clear the configuration information from the startup configuration. If you reboot the switch with no startup configuration, the switch enters the setup program so that you can reconfigure the switch with all new settings.
Working with Software Images

Note For a list of software images and the supported upgrade paths, refer to the release notes.

Image Location on the Switch
The software image is stored as a .bin file in a directory that shows the version number. A subdirectory contains the HTML files needed for web management. The image is stored on the system board flash memory (flash:).
Table B-3 info and info.
• For download operations, ensure that the permissions on the file are set correctly. The permission on the file should be world-read.
• Before uploading the image file, you might need to create an empty file on the TFTP server. To create an empty file, enter the touch filename command, where filename is the name of the file you will use when uploading the image to the server.
The download algorithm verifies that the image is appropriate for the switch model and that enough DRAM is present, or it stops the process and reports an error. If you specify the /overwrite option, the download algorithm removes the existing image on the flash device whether or not it is the same as the new one, downloads the new image, and then reloads the software.
The archive upload-sw privileged EXEC command builds an image file on the server by uploading these files in order: info, the Cisco IOS image, the HTML files, LRE binary files, and info.ver. After these files are uploaded, the upload algorithm creates the tar file format.
Caution For the download and upload algorithms to operate properly, do not rename image names.
If the server has a directory structure, the image file is written to or copied from the directory associated with the username on the server. For example, if the image file resides in the home directory of a user on the server, specify that user's name as the remote username.
Step 7 Command: archive download-sw /overwrite /reload ftp:[[//username[:password]@location]/directory]/image-name.tar
Purpose: Download the image file from the FTP server to the switch, and overwrite the current image.
• The /overwrite option overwrites the software image in flash with the downloaded image.
The algorithm installs the downloaded image onto the system board flash device (flash:). The image is placed into a new directory named with the software version string, and the BOOT environment variable is updated to point to the newly installed image.
The archive upload-sw command builds an image file on the server by uploading these files in order: info, the Cisco IOS image, the HTML files, and info.ver. After these files are uploaded, the upload algorithm creates the tar file format.
Caution For the download and upload algorithms to operate properly, do not rename image names.
Before you begin downloading or uploading an image file by using RCP, do these tasks:
• Ensure that the workstation acting as the RCP server supports the remote shell (rsh).
• Ensure that the switch has a route to the RCP server. The switch and the server must be in the same subnetwork if you do not have a router to route traffic between subnets.
Step 6 Command: archive download-sw /overwrite /reload rcp:[[[//[username@]location]/directory]/image-name.tar]
Purpose: Download the image file from the RCP server to the switch, and overwrite the current image.
Step 7 Command: archive download-sw /leave-old-sw /reload rcp:[[[//[username@]location]/directory]/image-name.
The algorithm installs the downloaded image onto the system board flash device (flash:). The image is placed in a new directory named with the software version string, and the BOOT environment variable is updated to point to the newly installed image.
The archive upload-sw privileged EXEC command builds an image file on the server by uploading these files in order: info, the Cisco IOS image, the HTML files, and info.ver. After these files are uploaded, the upload algorithm creates the tar file format.
Caution For the download and upload algorithms to operate properly, do not rename image names.
Index port security aging profiles, LRE considerations 22-12 configuring default, assigning 22-10 default configuration described described 22-9 violations rate selection 22-7 with other features 17-25 18-14 enabling on a port 1-16 nonhomologated 1-3, 22-4 pruning, VTP enabling POTS splitters 1-16 See also Cisco LRE 48 POTS Splitter (PS-1M-LRE-48) precedence 13-12 13-14 protected ports 22-9 port-shutdown response, VMPS POTS telephones 13-13 See also LRE ports and CPE 22-8 hom
Index QoS, auto-QoS (continued) QoS, configuring (continued) egress queue defaults enabling for VoIP QoS policy 30-14 example, configuration generated commands basic model port trust states within the domain 30-10 30-24 default auto configuration 30-11 default configuration 30-4 classification displaying statistics class maps, described defined 30-26 trusted boundary 30-16 30-39 30-9 enabling expedite queue 30-4 in frames and packets IP ACLs, described 30-38 expedite queue 30-3 30-
Index QoS (continued) rapid PVST+ trusted boundary trust states 802.
Index Remote Copy Protocol root switch See RCP MSTP 15-14 STP remote monitoring 14-14 RSPAN see RMON configuration guidelines Remote Network Monitoring default configuration See RMON report suppression, IGMP 25-4 25-17 21-5 displaying status disabling 21-11 IDS resetting a UDLD-shutdown interface overview monitored ports overview 9-1 9-18 TACACS+ 9-10 retry count, VMPS, changing RFC 1157, SNMPv1 1305, NTP 21-2 2273-2275, SNMPv3 creating 25-13 defined 25-3 21-2 displaying
Index RSTP (continued) show configuration command show controllers ethernet-controller command rapid convergence described show controllers lre profile commands 15-7 edge ports and Port Fast point-to-point links root ports 11-14 15-7 show controllers lre profile mapping 15-7, 15-22 15-6 show interfaces command 11-12, 11-14 show running-config command 5-11 displaying ACLs 29-19, 29-20, 29-21 interface description in 11-14 shutdown command on interfaces S signal to noise ratio SC (standb
Index SNMP (continued) groups software images location in flash 28-9 in clusters recovery procedures 7-15 informs described source addresses, in ACLs 28-5 limiting access by TFTP servers configuration guidelines 28-14 limiting system log messages to NMS manager functions default configuration 27-10 28-3 managing clusters with 7-24 MIBs 25-4 displaying status 25-17 overview A-1 monitored ports 28-5 monitoring ports overview 28-1, 28-4 status, displaying trap manager, configuring
Index Stack Membership Discovery Protocol 16-6 Standby Command Configuration window standby command switch configuring defined 7-2 priority 7-11 7-12 enabling 22-7 startup configuration booting STP 5-13 B-19 configuration file BackboneFast described 16-9 enabling 16-18 5-12 specifying the filename 5-12 default boot configuration 5-12 static access ports assigning to VLAN described 16-3 enabling 16-15 BPDU guard automatically downloading described 16-2 enabling 16-14 BPDU m
Index STP (continued) STP (continued) designated port, defined designated switch, defined 14-3 detecting indirect link failures disabling Port Fast 14-3 16-9 displaying status 17-23 described affects on root switch enabling 14-14 affects on the secondary root switch 16-11 16-19 root port, defined 14-16 features supported affects of extended system ID 14-15 configuring 1-4 election 14-3 instances supported 14-3 interface states 14-6 superior BPDU disabled 14-7 timers, describe
Index syslog export system prompt and LRE logging described 13-8 disabling 13-23 enabling 13-22 default setting 13-8 manual configuration configuring TACACS+ daylight saving time manually 8-14 accounting, defined 8-12 summer time time zones 8-14 8-13 8-12 accounting authorization default configuration 9-13 9-16 login authentication 27-3 default configuration defining error message severity levels 27-8 9-14 9-13 displaying the configuration 27-4 identifying the server displayi
Index TFTP traffic policing transparent mode, VTP configuration files downloading trap-door mechanism B-11 preparing the server uploading configuring for autoconfiguration configuring managers 5-6 defined 5-6 image files overview B-22 preparing the server 28-1, 28-4 connectivity problems B-23 28-14 time detecting unidirectional links 23-1 displaying crash information 32-23 time-range command 29-15 LRE ports time ranges in ACLs 29-15 with CiscoWorks timestamps in log messages
Index upgrading software images U See downloading UDLD UplinkFast default configuration 23-4 echoing detection mechanism 23-3 enabling described 16-3 enabling 16-16 support for globally 23-5 per interface uploading 23-5 configuration files link-detection mechanism neighbor database overview 23-1 preparing 23-2 23-1 resetting an interface status, displaying 23-6 23-7 10-4 and adding static addresses B-8 using FTP B-14 using RCP B-18 preparing 8-27 and broadcast MAC addresse
Index VLAN database VLANs (continued) and startup configuration file and VTP static-access ports 17-7 STP and 802.
Index VQP VTP (continued) 17-25 VTP pruning adding a client to a domain advertisements 18-14 17-17, 18-3 and extended-range VLANs and normal-range VLANs client mode, configuring 18-1 18-1 18-11 configuration guidelines 18-7 enabling 18-14 examples 18-5 overview 18-4 pruning-eligible list, changing privileged EXEC mode requirements statistics using 18-9 18-7 configuration mode options 18-7 configuration requirements 18-9 version 1 18-12 18-9 18-4 version 2 configuration guid
Catalyst 2950 and Catalyst 2955 Switch Software Configuration Guide, document 78-11380-10