Catalyst 2940 Switch Software Configuration Guide
Cisco IOS Release 12.1(19)EA1
October 2003
Corporate Headquarters: Cisco Systems, Inc., 170 West Tasman Drive, San Jose, CA 95134-1706, USA, http://www.cisco.
THE SPECIFICATIONS AND INFORMATION REGARDING THE PRODUCTS IN THIS MANUAL ARE SUBJECT TO CHANGE WITHOUT NOTICE. ALL STATEMENTS, INFORMATION, AND RECOMMENDATIONS IN THIS MANUAL ARE BELIEVED TO BE ACCURATE BUT ARE PRESENTED WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED. USERS MUST TAKE FULL RESPONSIBILITY FOR THEIR APPLICATION OF ANY PRODUCTS.
CONTENTS
Preface xix
  Audience xix
  Purpose xix
  Conventions xx
  Related Publications xxi
  Obtaining Documentation xxi
  Cisco.
  Abbreviating Commands 2-4
  Using no and default Forms of Commands 2-4
  Understanding CLI Messages 2-5
  Using Command History 2-5
    Changing the Command History Buffer Size 2-5
    Recalling Commands 2-6
    Disabling the Command History Feature 2-6
  Using Editing Features 2-6
    Enabling and Disabling Editing Features 2-6
    Editing Commands through Keystrokes 2-7
    Editing Command Lines that Wrap 2-8
  Searching and Filtering Output of show and more Commands
  Accessing the CLI 2-9
    Accessing the CLI from a Browser
  Displaying CMS 3-10
    Launching CMS 3-10
    Front Panel View 3-12
    Topology View 3-14
    CMS Icons 3-15
  Where to Go Next 3-15
CHAPTER 4 Assigning the Switch IP Address and Default Gateway
  Understanding the Boot Process 4-1
  Assigning Switch Information 4-2
    Default Switch Information 4-2
    Understanding DHCP-Based Autoconfiguration
      DHCP Client Request Process 4-3
    Configuring the DHCP Server 4-4
    Configuring the TFTP Server 4-5
    Configuring the DNS 4-6
    Configuring the Relay Device 4-6
    Obtaining Configuratio
    IP Addresses 5-12
    Host Names 5-12
    Passwords 5-12
    SNMP Community Strings 5-13
    TACACS+ and RADIUS 5-13
    Access Modes in CMS 5-13
    Management VLAN 5-14
    LRE Profiles 5-15
    Availability of Switch-Specific Features in Switch Clusters 5-15
  Creating a Switch Cluster 5-15
    Enabling a Command Switch 5-15
    Adding Member Switches 5-16
    Creating a Cluster Standby Group 5-19
    Verifying a Switch Cluster 5-20
  Using the CLI to Manage Switch Clusters 5-21
    Catalyst 1900 and Catalyst 2820 CLI Considerations
  Using SNMP to
  Understanding DNS 6-16
    Default DNS Configuration 6-17
    Setting Up DNS 6-17
    Displaying the DNS Configuration 6-18
  Creating a Banner 6-18
    Default Banner Configuration 6-18
    Configuring a Message-of-the-Day Login Banner 6-19
    Configuring a Login Banner 6-20
  Managing the MAC Address Table 6-20
    Building the Address Table 6-21
    MAC Addresses and VLANs 6-21
    Default MAC Address Table Configuration 6-22
    Changing the Address Aging Time 6-22
    Removing Dynamic Address Entries 6-23
    Configuring MAC Address Notif
    Configuring TACACS+ Authorization for Privileged EXEC Access and Network Services 7-15
    Starting TACACS+ Accounting 7-16
    Displaying the TACACS+ Configuration 7-16
  Controlling Switch Access with RADIUS 7-16
    Understanding RADIUS 7-17
    RADIUS Operation 7-18
    Configuring RADIUS 7-19
      Default RADIUS Configuration 7-19
      Identifying the RADIUS Server Host 7-19
      Configuring RADIUS Login Authentication 7-22
      Defining AAA Server Groups 7-24
      Configuring RADIUS Authorization for User Privileged Access and Network
    Configuring the Host Mode 8-14
    Resetting the 802.1X Configuration to the Default Values
  Displaying 802.
CHAPTER 11 Configuring STP 11-1
  Understanding Spanning-Tree Features 11-1
    STP Overview 11-2
    Spanning-Tree Topology and BPDUs 11-2
    Bridge ID, Switch Priority, and Extended System ID 11-3
    Spanning-Tree Interface States 11-4
      Blocking State 11-5
      Listening State 11-6
      Learning State 11-6
      Forwarding State 11-6
      Disabled State 11-6
    How a Switch or Port Becomes the Root Switch or Root Port 11-7
    Spanning Tree and Redundant Connectivity 11-7
    Spanning-Tree Address Management 11-8
    Accelerated Aging to Retai
  Understanding UplinkFast 12-3
  Understanding BackboneFast 12-5
  Understanding EtherChannel Guard 12-7
  Understanding Root Guard 12-8
  Understanding Loop Guard 12-9
  Configuring Optional Spanning-Tree Features 12-9
    Default Optional Spanning-Tree Configuration 12-9
    Optional Spanning-Tree Configuration Guidelines 12-10
    Enabling Port Fast (Optional) 12-10
    Enabling BPDU Guard (Optional) 12-11
    Enabling BPDU Filtering (Optional) 12-11
    Enabling UplinkFast for Use with Redundant Links (Optional)
    Enabling Backbo
    Interaction with Other Features 13-14
    Configuring a Trunk Port 13-14
      Defining the Allowed VLANs on a Trunk 13-16
      Changing the Pruning-Eligible List 13-17
      Configuring the Native VLAN for Untagged Traffic 13-17
    Load Sharing Using STP 13-18
      Load Sharing Using STP Port Priorities 13-18
      Load Sharing Using STP Path Cost 13-20
  Configuring VMPS 13-21
    Understanding VMPS 13-22
      Dynamic Port VLAN Membership 13-22
      VMPS Database Configuration File 13-23
    Default VMPS Configuration 13-24
    VMPS Configuration Guid
    VTP Version 14-8
    Configuration Requirements 14-9
    Configuring a VTP Server 14-9
    Configuring a VTP Client 14-10
    Disabling VTP (VTP Transparent Mode) 14-11
    Enabling VTP Version 2 14-12
    Enabling VTP Pruning 14-13
    Adding a VTP Client Switch to a VTP Domain 14-13
  Monitoring VTP 14-15
CHAPTER 15 Configuring Voice VLAN 15-1
  Understanding Voice VLAN 15-1
  Configuring Voice VLAN 15-2
    Default Voice VLAN Configuration 15-2
    Voice VLAN Configuration Guidelines 15-3
    Configuring a Port to Connect to a Cisc
    Configuring the Aging Time 16-12
    Displaying IGMP Snooping Information 16-12
  Understanding Multicast VLAN Registration 16-14
    Using MVR in a Multicast Television Application 16-14
  Configuring MVR 16-16
    Default MVR Configuration 16-16
    MVR Configuration Guidelines and Limitations 16-17
    Configuring MVR Global Parameters 16-17
    Configuring MVR Interfaces 16-18
    Displaying MVR Information 16-20
  Configuring IGMP Filtering and Throttling 16-21
    Default IGMP Filtering and Throttling Configuration 16-22
    Methods to Detect Unidirectional Links 18-2
  Configuring UDLD 18-4
    Default UDLD Configuration 18-4
    Configuration Guidelines 18-4
    Enabling UDLD Globally 18-5
    Enabling UDLD on an Interface 18-5
    Resetting an Interface Shut Down by UDLD 18-6
  Displaying UDLD Status 18-7
CHAPTER 19 Configuring CDP 19-1
  Understanding CDP 19-1
  Configuring CDP 19-2
    Default CDP Configuration 19-2
    Configuring the CDP Characteristics 19-2
    Disabling and Enabling CDP 19-3
    Disabling and Enabling CDP on an Interface
  Mon
CHAPTER 21 Configuring RMON 21-1
  Understanding RMON 21-1
  Configuring RMON 21-2
    Default RMON Configuration 21-3
    Configuring RMON Alarms and Events 21-3
    Configuring RMON Collection on an Interface 21-5
  Displaying RMON Status 21-6
CHAPTER 22 Configuring System Message Logging 22-1
  Understanding System Message Logging 22-1
  Configuring System Message Logging 22-2
    System Log Message Format 22-2
    Default System Message Logging Configuration 22-3
    Disabling and Enabling Message Logging 22-4
    S
    Configuring SNMP Groups and Users 23-8
    Configuring SNMP Notifications 23-10
    Setting the Agent Contact and Location Information 23-13
    Limiting TFTP Servers Used Through SNMP 23-13
    SNMP Examples 23-14
  Displaying SNMP Status 23-15
CHAPTER 24 Configuring QoS 24-1
  Understanding QoS 24-1
    Queueing and Scheduling 24-2
    How Class of Service Works 24-2
      Port Priority 24-2
      Egress CoS Queues 24-3
  Configuring QoS 24-3
    Default QoS Configuration 24-3
    Configuring Classification Using Port Trust States 24-4
    Configuring the LACP Port Priority 25-12
    Configuring Hot Standby Ports 25-13
    Configuring the LACP System Priority 25-13
  Displaying EtherChannel, PAgP, and LACP Status 25-14
CHAPTER 26 Troubleshooting 26-1
  Using Recovery Procedures 26-1
    Recovering from Corrupted Software 26-2
    Recovering from a Lost or Forgotten Password 26-2
    Recovering from a Command Switch Failure 26-4
      Replacing a Failed Command Switch with a Cluster Member 26-5
      Replacing a Failed Command Switch with Another Switch 26-6
    Reco
Preface

Audience
The Catalyst 2940 Switch Software Configuration Guide is for the network manager responsible for configuring the Catalyst 2940 switch, hereafter referred to as the switch. Before using this guide, you should be familiar with the concepts and terminology of Ethernet and local area networking.

Purpose
This guide provides information about configuring and troubleshooting a switch or switch clusters.
Conventions
Note: This guide does not repeat the concepts and CLI procedures provided in the standard Cisco IOS Release 12.1 documentation. For information about the standard Cisco IOS Release 12.1 commands, refer to the IOS documentation set available from the Cisco.com home page at Service and Support > Technical Documents. On the Cisco Product Documentation home page, select Release 12.1 from the Cisco IOS Software drop-down list.
Related Publications
These documents provide complete information about the switch and are available from this URL: http://www.cisco.com/univercd/cc/td/doc/product/lan/cat2940/index.htm
You can order printed copies of documents with a DOC-xxxxxx= number from the Cisco.com sites and from the telephone numbers listed in the “Obtaining Documentation” section on page xxi.
• Release Notes for the Catalyst 2940 Switch (not orderable but available on Cisco.
Documentation CD-ROM
Cisco documentation and additional literature are available in a Cisco Documentation CD-ROM package, which may have shipped with your product. The Documentation CD-ROM is updated regularly and may be more current than printed documentation. The CD-ROM package is available as a single unit or through an annual or quarterly subscription. Registered Cisco.
Obtaining Technical Assistance

Cisco TAC Website
The Cisco TAC website (http://www.cisco.com/tac) provides online documents and tools for troubleshooting and resolving technical issues with Cisco products and technologies. The Cisco TAC website is available 24 hours a day, 365 days a year. Accessing all the tools on the Cisco TAC website requires a Cisco.com user ID and password. If you have a valid service contract but do not have a login ID or password, register at this URL: http://tools.cisco.
Obtaining Additional Publications and Information
Information about Cisco products, technologies, and network solutions is available from various online and printed sources.
• The Cisco Product Catalog describes the networking products offered by Cisco Systems, as well as ordering and customer support services. Access the Cisco Product Catalog at this URL: http://www.cisco.com/en/US/products/products_catalog_links_launch.
CHAPTER 1 Overview
This chapter provides these topics about the Catalyst 2940 switch software:
• Features, page 1-1
• Management Options, page 1-5
• Network Configuration Examples, page 1-7
• Where to Go Next, page 1-11
Note: In this document, IP refers to IP version 4 (IPv4). Layer 3 IP version 6 (IPv6) packets are treated as non-IP packets.
Features
Note: Refer to the release notes for the list of Catalyst switches eligible for switch clustering, including which ones can be command switches and which ones can only be member switches. See Chapter 5, “Clustering Switches,” for the required software versions and browser and Java plug-in configurations.
• Default configuration storage in Flash memory to ensure that the switch can be connected to a network and can forward traffic with minimal user intervention
• In-band management access through a CMS web-based session
• In-band command-line interface (CLI) management using Telnet connections
• In-band management access through SNMP versions 1, 2c, and 3 get-and-set requests
• Out-of-band management access through the switch console port to a directly-attached terminal
Of the in-band methods, only SNMP version 3 authenticates and can encrypt its messages; Telnet, CMS sessions over HTTP, and SNMP versions 1 and 2c send passwords and community strings across the network in cleartext, so they belong on a management VLAN that untrusted hosts cannot reach.
• VLAN Trunking Protocol (VTP) pruning for reducing network traffic by restricting flooded traffic to links destined for stations receiving the traffic
• Dynamic Trunking Protocol (DTP) for negotiating trunking on a link between two devices and for negotiating the type of trunking encapsulation (802.
• Scheduling of egress queues: four egress queues on all switch ports.
Management Options

Management Interface Options
You can configure and monitor individual switches and switch clusters by using these interfaces:
• CMS: a graphical user interface that can be launched from anywhere in your network through a web browser such as Netscape Communicator or Microsoft Internet Explorer. CMS is already installed on the switch. Using CMS, you can configure and monitor a standalone switch, a specific cluster member, or an entire switch cluster.
• View a topology of interconnected devices to identify existing switch clusters and eligible switches that can join a cluster. You can also use the topology to quickly identify link information between switches.
• Monitor the real-time status of a switch or multiple switches from the LEDs on the front-panel images. The port LED colors on the images are similar to those on the physical LEDs.
Network Configuration Examples

Table 1-2 Providing Network Services
Network demand: High demand for multimedia support
  Suggested design method: Use IGMP and MVR to efficiently forward multicast traffic.
Network demand: High demand for protecting mission-critical applications
  Suggested design method: Use VLANs and protected ports to provide security and port isolation.
Protected ports block Layer 2 traffic only between protected ports on the same switch; two protected ports on different switches can still reach each other, so isolation across switches has to come from the VLAN design.
A wireless access point provides network connectivity for mobile users. Although the wireless access provides less bandwidth, it allows users to have network connectivity regardless of their location in the office. A server is connected to the Gigabit ports on the switch, allowing 1-Gbps throughput to users when needed. When the switch and server ports are configured for full-duplex operation, the links provide 2 Gbps of aggregate bandwidth (1 Gbps in each direction).
The workgroups are created by clustering all the Catalyst switches except the Catalyst 4500 switch. Using CMS and Cisco switch clustering technology, you can group the switches into multiple clusters, as shown, or into a single cluster. You can manage a cluster through the IP address of its active and standby command switches, regardless of the geographic location of the cluster members.
Note (Figure 1-3): An external power supply is required for IP phones and the Cisco Aironet access point.
Where to Go Next
Catalyst 2940 Switch Software Configuration Guide 1-12 78-15507-02
CHAPTER 2 Using the Command-Line Interface
This chapter describes the Cisco IOS command-line interface (CLI) that you can use to configure your Catalyst 2940 switch.
Cisco IOS Command Modes
Table 2-1 describes the main command modes, how to access each one, the prompt you see in that mode, and how to exit the mode. The examples in the table use the host name Switch.

Table 2-1 Command Mode Summary
Mode: User EXEC
  Access method: Begin a session with your switch.
  Prompt: Switch>
  Exit method: Enter logout or quit.
  About this mode: Use this mode to change terminal settings and perform basic tests.
Table 2-1 Command Mode Summary (continued)
Mode: Interface configuration
  Access method: While in global configuration mode, enter the interface command (with a specific interface).
  Prompt: Switch(config-if)#
  Exit method: To exit to global configuration mode, enter exit.
Mode: Line configuration
  Access method: While in global configuration mode, specify a line with the line vty or line console command.
Table 2-2 Help Summary (continued)
Command: command ?
  Purpose: List the associated keywords for a command. For example: Switch> show ?
Command: command keyword ?
  Purpose: List the associated arguments for a keyword.
Understanding CLI Messages
Table 2-3 lists some error messages that you might encounter while using the CLI to configure your switch.

Table 2-3 Common CLI Error Messages
Error message: % Ambiguous command: "show con"
  Meaning: You did not enter enough characters for your switch to recognize the command.
  How to get help: Re-enter the command followed by a question mark (?) with a space between the command and the question mark.
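The rule behind the "% Ambiguous command" message is plain prefix matching: each token must abbreviate exactly one keyword at its position in the command tree. The following is an added example in Python, not code from the guide or from Cisco IOS. The COMMANDS tree is a constructed subset of real IOS keywords chosen so that "show con" is ambiguous (configuration versus controllers) while "sh cl" is a unique abbreviation; the two other messages it produces, "% Incomplete command." and "% Invalid input detected at '^' marker.", are the standard IOS responses for the remaining failure modes and are assumed here to match this release.

```python
"""IOS-style command abbreviation resolver (added example, not Cisco code)."""

# Constructed command tree: keyword -> sub-keywords; {} means the command
# is complete at that point.
COMMANDS = {
    "show": {
        "configuration": {},
        "controllers": {},
        "clock": {},
        "version": {},
    },
    "configure": {"terminal": {}},
    "enable": {},
}


def resolve(line, tree=COMMANDS):
    """Expand each token of `line` to the keyword it abbreviates.

    Returns (status, tokens): status is "ok", "ambiguous", "incomplete" or
    "invalid"; tokens are the keywords resolved so far, with the offending
    token appended for "ambiguous" and "invalid".
    """
    expanded, node = [], tree
    for tok in line.split():
        tok = tok.lower()
        matches = [k for k in node if k.startswith(tok)]
        if not matches:
            return "invalid", expanded + [tok]
        if tok in matches:            # an exact keyword always wins
            key = tok
        elif len(matches) > 1:        # too few characters to disambiguate
            return "ambiguous", expanded + [tok]
        else:
            key = matches[0]
        expanded.append(key)
        node = node[key]
    if node:                          # at least one more keyword is required
        return "incomplete", expanded
    return "ok", expanded


def cli_response(line):
    """Return what the CLI prints for `line`: the expanded command or an error."""
    status, tokens = resolve(line)
    if status == "ambiguous":
        return f'% Ambiguous command: "{line}"'
    if status == "incomplete":
        return "% Incomplete command."
    if status == "invalid":
        # Place the caret under the first character of the rejected token.
        col = line.lower().find(tokens[-1])
        return "% Invalid input detected at '^' marker.\n" + " " * col + "^"
    return " ".join(tokens)


if __name__ == "__main__":
    for cmd in ("show con", "sh cl", "show", "show foo", "conf t"):
        print(f"Switch> {cmd}\n{cli_response(cmd)}")
```

Adding the question mark after an ambiguous prefix, as the table advises, corresponds to listing `matches` for the last token instead of failing; the same tree lookup serves both.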
Recalling Commands
To recall commands from the history buffer, perform one of the actions listed in Table 2-4:

Table 2-4 Recalling Commands
Action: Press Ctrl-P or the up arrow key.
  Result: Recall commands in the history buffer, beginning with the most recent command. Repeat the key sequence to recall successively older commands.
Action: Press Ctrl-N or the down arrow key.
To reconfigure a specific line to have enhanced editing mode, enter this command in line configuration mode:
Switch(config-line)# editing
To disable enhanced editing mode on a specific line, enter this command in line configuration mode:
Switch(config-line)# no editing

Editing Commands through Keystrokes
Table 2-5 shows the keystrokes that you need to edit command lines.
Table 2-5 Editing Commands through Keystrokes (continued)
Keystroke: Press Esc L. Purpose: Change the word at the cursor to lowercase.
Keystroke: Press Esc U. Purpose: Capitalize letters from the cursor to the end of the word.
Capability: Designate a particular keystroke as an executable command, perhaps as a shortcut. Keystroke: Press Ctrl-V or Esc Q.
Capability: Scroll down a line or screen on displays that are longer than the terminal screen can display.
After you complete the entry, press Ctrl-A to check the complete syntax before pressing the Return key to execute the command. The dollar sign ($) appears at the end of the line to show that the line has been scrolled to the right:
Switch(config)# access-list 101 permit tcp 131.108.2.5 255.255.255.0 131.108.1$
The software assumes you have a terminal screen that is 80 columns wide.
For information about configuring the switch for Telnet access, see the “Setting a Telnet Password for a Terminal Line” section on page 7-5. The switch supports up to 16 simultaneous Telnet sessions. Changes made by one Telnet user are reflected in all other Telnet sessions. Telnet carries the login password and every command that follows in cleartext, so limit it to a trusted management network. After you connect through the console port or through a Telnet session, the user EXEC prompt appears on the management station.
CHAPTER 3 Getting Started with CMS
This chapter contains these sections that describe the Cluster Management Suite (CMS) on the Catalyst 2940 switch:
• “Understanding CMS” section on page 3-1
• “Configuring CMS” section on page 3-7
• “Displaying CMS” section on page 3-10
• “Where to Go Next” section on page 3-15
Refer to the appropriate switch documentation for descriptions of the browser-based management software used on other Catalyst switches.
Understanding CMS

Front Panel View
The Front Panel view displays the front-panel image of a specific set of switches in a cluster. From this view, you can select multiple ports or multiple switches and configure them with the same settings. For more information, see the “Displaying CMS” section on page 3-10.
Table 3-1 Toolbar Buttons
Toolbar option: Print. Task: Print a CMS window or help file.
Toolbar option: Preferences. Task: Set CMS display properties, such as polling intervals, the views to open at CMS startup, and the color of administratively shutdown ports.
Toolbar option: Save Configuration. Task: Save the configuration of the cluster or a switch to Flash memory.
Toolbar option: Software Upgrade. Task: Upgrade the software for the cluster or a switch.
Figure 3-2 Feature Bar and Search Window (1: feature bar; 2: search window)
Note: Only features supported by the devices in your cluster are displayed in the feature bar. You can search for features that are available for your cluster by clicking Search and entering a feature name, as shown in Figure 3-2.
Access modes affect the availability of features from CMS. Some CMS features are not available in read-only mode.
Online help includes these features:
• Feature-specific help that gives background information and concepts on the features
• Dialog-specific help that gives procedures for performing tasks
• An index of online help topics
• A glossary of terms used in the online help
You can send us feedback about the information provided in the online help. Click Feedback to display an online form.
Guide mode is not available if your switch access level is read-only. For more information about the read-only access mode, see the “Privilege Levels” section on page 3-6.

Expert Mode
Expert mode is for users who prefer to display all the parameter fields of a feature in a single CMS window. You can view information about the parameter fields by clicking the Help button.
Configuring CMS

Access to Older Switches in a Cluster
If your cluster has these member switches running earlier software releases and if you have read-only access to these member switches, some configuration windows for those switches display incomplete information:
• Catalyst 2900 XL or Catalyst 3500 XL member switches running Cisco IOS Release 12.0(5)WC2 or earlier
• Catalyst 2950 member switches running Cisco IOS Release 12.
Table 3-2 Minimum Hardware Configuration
OS: Windows NT 4.0 (Service Pack 3 or higher is required). Processor speed: Pentium 300 MHz. DRAM: 128 MB. Number of colors: 65,536. Resolution: 1024 x 768. Font size: Small.
OS: Solaris 2.5.1 or higher. Processor speed: SPARC 333 MHz. DRAM: 128 MB. Number of colors: Most colors for applications. Resolution: —. Font size: Small (3).

Operating System and Browser Support
You can access the CMS interface by using the operating systems and browsers listed in Table 3-3.
Solaris
For Solaris, Java plug-in 1.4.1 is required to run CMS. You can download the Java plug-in and installation instructions from this URL: http://www.cisco.com/pcgi-bin/tablebuild.pl/java
On Solaris platforms, follow the instructions in the README_FIRST.txt file to install the Java plug-in. You need to close and restart your browser after installing a Java plug-in.
Displaying CMS
Beginning in privileged EXEC mode, follow these steps to configure the HTTP server interface:
Step 1: configure terminal. Purpose: Enter global configuration mode.
Step 2: ip http authentication {enable | local | tacacs}. Purpose: Configure the HTTP server interface for the type of authentication you want to use.
  • enable: Enable password, which is the default method of HTTP server user authentication.
With the default enable method, anyone who knows the enable password gets CMS access, and because the session runs over plain HTTP that password crosses the network unencrypted on every request. Prefer local (per-user username and password entries on the switch) or tacacs (an AAA server, which also gives per-user accounting), and keep the HTTP server reachable only from the management network.
Figure 3-4 Switch Home Page
The Switch Home Page has these tabs:
• Express Setup: Opens the Express Setup page.
Note: You can use Express Setup to assign an IP address to an unconfigured switch. For more information, refer to the hardware installation guide.
Figure 3-5 CMS Startup Report
The CMS Startup Report has links that instruct you how to correctly configure your PC or workstation. If the CMS Startup Report appears, click the links, and follow the instructions to configure your PC or workstation.
Note: If you are running Windows and need to both upgrade your web browser and install the CMS plug-in, you must upgrade your browser first.
Figure 3-6 Toolbar (1: Front Panel view button; 2: Topology view button)
The Front Panel view displays the front-panel image of the command switch and other selected switches, as shown in Figure 3-7, and you can select more switches to be displayed. You can choose and configure the switches that appear in Front Panel view. You can drag the switches that appear and re-arrange them. You can right-click on a switch port to configure that port.
Topology View
When CMS is launched from a command switch, the Topology view appears by default. (This view is available only when CMS is launched from a command switch.) When you click the topology button on the toolbar, the Topology view displays the command switch (indicated by the *CMD* label) and the devices that are connected to it, as shown in Figure 3-8. You can right-click on a switch or link icon to display a menu for that icon.
• Collapse Cluster: When you right-click a command-switch icon and select Collapse Cluster, the cluster is collapsed and represented by a single icon. The view shows how the cluster is connected to other clusters, candidate switches, and devices that are not eligible to join the cluster (such as routers, access points, IP phones, and so on).
CHAPTER 4 Assigning the Switch IP Address and Default Gateway
This chapter describes how to create the initial switch configuration (for example, assign the switch IP address and default gateway information) by using a variety of automatic and manual methods.
Note: For complete syntax and usage information for the commands used in this chapter, refer to the command reference for this release.
The boot loader also provides trap-door access into the system if the operating system has problems serious enough that it cannot be used. This access is reached from the console port, so anyone with physical access to the switch can use it; that is what the password-recovery procedure in Chapter 26 relies on, and it is why physical security of the switch is part of protecting its configuration.
Table 4-1 Default Switch Information (continued)
Feature: Telnet password. Default setting: No password is defined.
Feature: Cluster command switch functionality. Default setting: Disabled.
Feature: Cluster name. Default setting: No cluster name is defined.

Understanding DHCP-Based Autoconfiguration
DHCP provides configuration information to Internet hosts and internetworking devices.
Figure 4-1 shows the sequence of messages that are exchanged between the DHCP client and the DHCP server.
Figure 4-1 DHCP Client and Server Message Exchange
  Switch A to DHCP server: DHCPDISCOVER (broadcast)
  DHCP server to Switch A: DHCPOFFER (unicast)
  Switch A to DHCP server: DHCPREQUEST (broadcast)
  DHCP server to Switch A: DHCPACK (unicast)
The client, Switch A, broadcasts a DHCPDISCOVER message to locate a DHCP server.
If you want the switch to receive the configuration file from a TFTP server, you must configure the DHCP server with these lease options:
• TFTP server name (required)
• Boot filename (the name of the configuration file that the client needs) (recommended)
• Host name (optional)
Depending on the settings of the DHCP server, the switch can receive IP address information, the configuration file, or both.
Configuring the DNS
The DHCP server uses the DNS server to resolve the TFTP server name to an IP address. You must configure the TFTP server name-to-IP address map on the DNS server. The TFTP server contains the configuration files for the switch. You can configure the IP addresses of the DNS servers in the lease database of the DHCP server, so that the DHCP replies carry them to the switch.
Obtaining Configuration Files
Depending on the availability of the IP address and the configuration filename in the DHCP reserved lease, the switch obtains its configuration information in these ways:
• The IP address and the configuration filename are reserved for the switch and provided in the DHCP reply (one-file read method).
Example Configuration
Figure 4-3 shows a sample network for retrieving IP information by using DHCP-based autoconfiguration.
Figure 4-3 DHCP-Based Autoconfiguration Network Example
  Switch 1: 00e0.9f1e.2001
  Switch 2: 00e0.9f1e.2002
  Switch 3: 00e0.9f1e.2003
  Switch 4: 00e0.9f1e.2004
  Cisco router: 10.0.0.10
  DHCP server: 10.0.0.2
  DNS server: 10.0.0.3
  TFTP server (maritsu): 10.0.0.
switch2-confg
switch3-confg
switch4-confg
prompt> cat network-confg
ip host switch1 10.0.0.21
ip host switch2 10.0.0.22
ip host switch3 10.0.0.23
ip host switch4 10.0.0.24

DHCP Client Configuration
No configuration file is present on Switch 1 through Switch 4.

Configuration Explanation
In Figure 4-3, Switch 1 reads its configuration file as follows:
• It obtains its IP address 10.0.0.21 from the DHCP server.
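The whole autoconfiguration path, from the Figure 4-1 exchange to the choice between the one-file and two-file reads, as an added example in Python. This is not code from the guide or from Cisco: both the DHCP server and the client are simulated in memory on the option fields alone, the reserved leases and file contents are constructed to mirror Figure 4-3 (switch1 is given a boot file, switch2 only an address, so the two methods can be compared), and the TFTP server "maritsu" is a dictionary. The two-file path follows the network-confg listing above: the switch maps its leased address to a host name through the "ip host" lines and then reads <hostname>-confg. Note what the exchange lacks: nothing in DHCP or TFTP authenticates the server or the file, so a rogue DHCP server on the VLAN where an out-of-box switch boots can hand it any TFTP server name and any configuration, which is why these switches should only be brought up on a trusted management segment.

```python
"""DHCP-based autoconfiguration, simulated end to end.

Added example, not Cisco code. Leases, files and the TFTP "server" are
constructed data mirroring Figure 4-3; nothing here touches a real network.
"""
import struct

# DHCP option codes used here (RFC 2132 numbering) and message types.
OPT_HOSTNAME, OPT_MSG_TYPE, OPT_SERVER_ID = 12, 53, 54
OPT_TFTP_SERVER, OPT_BOOTFILE, OPT_END = 66, 67, 255
DISCOVER, OFFER, REQUEST, ACK = 1, 2, 3, 5

# Constructed reserved leases keyed by client MAC: Switch 1 gets a host name
# and boot file, Switch 2 gets only an address.
LEASES = {
    "00e0.9f1e.2001": {"ip": "10.0.0.21", "hostname": "switch1",
                       "bootfile": "switch1-confg"},
    "00e0.9f1e.2002": {"ip": "10.0.0.22"},
}

# Constructed contents of the TFTP server "maritsu".
TFTP_FILES = {
    "network-confg": ("ip host switch1 10.0.0.21\nip host switch2 10.0.0.22\n"
                      "ip host switch3 10.0.0.23\nip host switch4 10.0.0.24\n"),
    "switch1-confg": "hostname switch1\n",
    "switch2-confg": "hostname switch2\n",
}


def encode_options(options):
    """Encode {code: bytes} as DHCP TLV options terminated by option 255."""
    out = bytearray()
    for code, value in options.items():
        out += struct.pack("BB", code, len(value)) + value
    out.append(OPT_END)
    return bytes(out)


def decode_options(data):
    """Parse TLV options, refusing to read past a truncated field."""
    opts, i = {}, 0
    while i < len(data):
        code = data[i]
        if code == OPT_END:
            return opts
        if code == 0:  # PAD carries no length byte
            i += 1
            continue
        if i + 1 >= len(data):
            raise ValueError("truncated option header")
        length = data[i + 1]
        value = data[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError("truncated option value")
        opts[code] = value
        i += 2 + length
    raise ValueError("missing END option")


def server_reply(client_msg, mac):
    """DHCP server side: OFFER answers a DISCOVER, ACK answers a REQUEST."""
    lease = LEASES[mac]
    discover = decode_options(client_msg)[OPT_MSG_TYPE] == bytes([DISCOVER])
    reply = {OPT_MSG_TYPE: bytes([OFFER if discover else ACK]),
             OPT_SERVER_ID: bytes(int(o) for o in "10.0.0.2".split(".")),
             OPT_TFTP_SERVER: b"maritsu"}
    if "hostname" in lease:
        reply[OPT_HOSTNAME] = lease["hostname"].encode()
    if "bootfile" in lease:
        reply[OPT_BOOTFILE] = lease["bootfile"].encode()
    return lease["ip"], encode_options(reply)


def client_exchange(mac):
    """DHCP client side: DISCOVER, OFFER, REQUEST, ACK; returns (ip, options)."""
    _, offer = server_reply(encode_options({OPT_MSG_TYPE: bytes([DISCOVER])}), mac)
    if decode_options(offer)[OPT_MSG_TYPE] != bytes([OFFER]):
        raise RuntimeError("expected DHCPOFFER")
    ip, ack = server_reply(encode_options({OPT_MSG_TYPE: bytes([REQUEST])}), mac)
    acked = decode_options(ack)
    if acked[OPT_MSG_TYPE] != bytes([ACK]):
        raise RuntimeError("expected DHCPACK")
    return ip, acked


def tftp_get(server, name):
    """Stand-in for a TFTP read from the constructed server "maritsu"."""
    if server != "maritsu":
        raise LookupError(f"unknown TFTP server {server}")
    return TFTP_FILES[name]


def resolve_config(ip, opts):
    """Return (method, files_read, config_text) for a DHCP reply."""
    server = opts[OPT_TFTP_SERVER].decode()
    if OPT_BOOTFILE in opts:  # one-file read: the reply names the file
        name = opts[OPT_BOOTFILE].decode()
        return "one-file", [name], tftp_get(server, name)
    hostname, files = opts.get(OPT_HOSTNAME, b"").decode(), []
    if not hostname:  # two-file read: learn the host name from network-confg
        files.append("network-confg")
        for line in tftp_get(server, "network-confg").splitlines():
            parts = line.split()
            if len(parts) == 4 and parts[:2] == ["ip", "host"] and parts[3] == ip:
                hostname = parts[2]
    if not hostname:
        raise LookupError(f"no ip host entry for {ip}")
    files.append(f"{hostname}-confg")
    method = "two-file" if len(files) == 2 else "one-file"
    return method, files, tftp_get(server, files[-1])
```

Running `resolve_config(*client_exchange(mac))` for each MAC in LEASES shows switch1 reading only switch1-confg and switch2 reading network-confg first and then switch2-confg. The decoder deliberately raises on a truncated option rather than silently taking whatever bytes remain; a real DHCP client has to make the same choice, since the option field is the one part of the packet the server controls byte for byte.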
To remove the switch IP address, use the no ip address interface configuration command. If you are removing the address through a Telnet session, your connection to the switch will be lost. To remove the default gateway address, use the no ip default-gateway global configuration command.
no ip route-cache
!
ip default-gateway 172.20.139.
CHAPTER 5 Clustering Switches
This chapter provides these topics to help you get started with switch clustering:
• Understanding Switch Clusters, page 5-1
• Planning a Switch Cluster, page 5-3
• Creating a Switch Cluster, page 5-15
• Using the CLI to Manage Switch Clusters, page 5-21
• Using SNMP to Manage Switch Clusters, page 5-22
Configuring switch clusters is more easily done from the Cluster Management Suite (CMS) web-based interface than through the command-line interface (CLI).
Cluster members are connected to the command switch according to the connectivity guidelines described in the “Automatic Discovery of Cluster Candidates and Members” section on page 5-3.
• Command-switch redundancy if a command switch fails. One or more switches can be designated as standby command switches to avoid loss of contact with cluster members. A cluster standby group is a group of standby command switches.
Planning a Switch Cluster

Candidate Switch and Member Switch Characteristics
Candidate switches are cluster-capable switches that have not yet been added to a cluster. Member switches are switches that have actually been added to a switch cluster. Although not required, a candidate or member switch can have its own IP address and password (for related considerations, see the “IP Addresses” section on page 5-12 and the “Passwords” section on page 5-12).
Following these connectivity guidelines ensures automatic discovery of the switch cluster, cluster candidates, connected switch clusters, and neighboring edge devices:
• Discovery Through CDP Hops, page 5-4
• Discovery Through Non-CDP-Capable and Noncluster-Capable Devices, page 5-5
• Discovery Through the Same Management VLAN, page 5-5
• Discovery Through Different Management VLANs, page 5-6
• Discovery of Newly Installed Switches, page 5-
Chapter 5 Clustering Switches Planning a Switch Cluster Discovery Through Non-CDP-Capable and Noncluster-Capable Devices If a command switch is connected to a non-CDP-capable third-party hub (such as a non-Cisco hub), it can discover cluster-enabled devices connected to that third-party hub. However, if the command switch is connected to a noncluster-capable Cisco device, it cannot discover a cluster-enabled device connected beyond the noncluster-capable Cisco device.
Discovery Through the Same Management VLAN
[Figure: discovery through the same management VLAN. A Catalyst 2900 XL, Catalyst 2940, Catalyst 2950, or Catalyst 3500 XL command switch and standby command switch, both in management VLAN 9, discover Catalyst 1900, Catalyst 2820, Catalyst 2900 XL, Catalyst 2940, Catalyst 2950, and Catalyst 3500 XL switches (Switch 3, Switch 4, Switch 5, and Switch 7, all in management VLAN 9) over VLAN 9 and a VLAN trunk carrying VLANs 4 and 9.]
Discovery Through Different Management VLANs with a Layer 2 Command Switch
[Figure: discovery through different management VLANs with a Layer 2 command switch. A Catalyst 2940 command switch (management VLAN 16) and a Catalyst 2940 standby command switch (management VLAN 9) discover Catalyst 1900, Catalyst 2820, Catalyst 2900 XL, Catalyst 2940, and Catalyst 3500 XL switches: Switch 3 and Switch 4 (management VLAN 16), Switch 5 (management VLAN 62), Switch 7 (management VLAN 4), and Switch 9, connected over VLAN 16, VLAN 62, and a VLAN trunk carrying VLANs 4 and 62.]
Figure 5-5 Discovery of Newly Installed Switches in Different Management VLANs
[Figure 5-5: a Catalyst 2940 command switch (management VLAN 9) and a Catalyst 3500 XL switch (management VLAN 16), each with an access point (AP), and new (out-of-box) Catalyst 2820 and Catalyst 1900 switches attached over VLAN 9 and VLAN 16.]
HSRP and Standby Command Switches
The switch supports Hot Standby Router Protocol (HSRP) so that you can configure a group of standby command
Note: The cluster standby group is an HSRP group. Disabling HSRP disables the cluster standby group.
The switches in the cluster standby group are ranked according to HSRP priorities. The switch with the highest priority in the group is the active command switch (AC). The switch with the next highest priority is the standby command switch (SC). The other switches in the cluster standby group are the passive command switches (PC).
– When the command switch is a Catalyst 2955 switch running Cisco IOS Release 12.1(12c)EA1 or later, all standby command switches must be Catalyst 2955 switches running Cisco IOS Release 12.1(12c)EA1 or later.
– When the command switch is a Catalyst 2950 switch running Cisco IOS Release 12.1(9)EA1 or later, all standby command switches must be Catalyst 2950 switches running Cisco IOS Release 12.1(9)EA1 or later.
VLAN Connectivity Between Standby-Group Members and Cluster Members
[Figure 5-6: VLAN connectivity between standby-group members and cluster members. A Catalyst 3550 active command switch, a Catalyst 3550 standby command switch (VLANs 9, 16), and a Catalyst 3550 passive command switch (VLANs 9, 16) connect over VLAN 9 and VLAN 16 to a Catalyst 3550 switch, a Catalyst 2900 XL or Catalyst 3500 XL switch, a Catalyst 2940 switch, and a Catalyst 3550 multilayer switch; management VLANs 9 and 16 are shown on the member switches.]
IP Addresses
You must assign IP information to a command switch. You can access the cluster through the command-switch IP address. If you configure a cluster standby group, you must use the standby-group virtual IP address to manage the cluster from the active command switch.
If you change the member-switch password to be different from the command-switch password and save the change, the switch is not manageable by the command switch until you change the member-switch password to match the command-switch password. Rebooting the member switch does not revert the password to the command-switch password. We recommend that you do not change the member-switch password after it joins a cluster.
For more information about CMS access modes, see the “Privilege Levels” section on page 3-6.
Note:
• If your cluster has these member switches running earlier software releases and if you have read-only access to these member switches, some configuration windows for those switches display incomplete information:
– Catalyst 2900 XL or Catalyst 3500 XL member switches running Cisco IOS Release 12.
LRE Profiles
In Cisco IOS Release 12.1(14)EA1 or later, the Catalyst 2950 LRE switches do not support public profiles. In software releases earlier than Cisco IOS Release 12.1(19)EA1, a configuration conflict occurs if a switch cluster has Long-Reach Ethernet (LRE) switches that use both private and public profiles. If one LRE switch in a cluster is assigned a public profile, all LRE switches in that cluster must have that same public profile.
Note:
• We strongly recommend that the highest-end, command-capable switch in the cluster be the command switch:
– If your switch cluster has a Catalyst 3550 switch, that switch should be the command switch.
– If your switch cluster has Catalyst 2900 XL, Catalyst 2950, Catalyst 2955, and Catalyst 3500 XL switches, the Catalyst 2950 or Catalyst 2955 switch should be the command switch.
Figure 5-8 Add to Cluster Window
[Figure 5-8: the Add to Cluster window. Select a switch, and click Add. Press Ctrl and left-click to select more than one switch. Enter the password of the candidate switch; if no password exists for the switch, leave this field blank.]
From CMS, there are two ways to add switches to a cluster:
• Select Cluster > Add to Cluster, select a candidate switch from the list, click Add, and click OK.
Figure 5-9 Using the Topology View to Add Member Switches
[Figure 5-9: the Topology view. A thin line means a connection to a candidate switch. Right-click a candidate switch to display the pop-up menu, and select Add to Cluster to add the switch to the cluster.]
Instead of using CMS to add members to the cluster, you can use the cluster member global configuration command from the command switch.
Creating a Cluster Standby Group
The cluster standby group members must meet the requirements described in the “Standby Command Switch Characteristics” section on page 5-2 and the “HSRP and Standby Command Switches” section on page 5-8. To create a cluster standby group, select Cluster > Standby Command Switches (Figure 5-10).
Figure 5-10 Standby Command Configuration Window
[Figure 5-10: the Standby Command Configuration window, showing the active command switch.]
• When the command switch is a Catalyst 2940 switch, all standby command switches must be Catalyst 2940 switches.
• When the command switch is running Cisco IOS Release 12.0(5)WC2 or earlier, the standby command switches can be these switches: Catalyst 2900 XL, Catalyst 2950, and Catalyst 3500 XL switches.
Figure 5-11 Inventory Window
Step 4. Select Reports > Inventory to display an inventory of the switches in the cluster (Figure 5-11). The summary includes information such as switch model numbers, serial numbers, software versions, IP information, and location. You can also display port and switch statistics from Reports > Port Statistics and Port > Port Settings > Runtime Status.
The Telnet session accesses the member-switch CLI at the same privilege level as on the command switch. The Cisco IOS commands then operate as usual. For instructions on configuring the switch for a Telnet session, see the “Setting a Telnet Password for a Terminal Line” section on page 7-5.
If a member switch has its own IP address and community strings, they can be used in addition to the access provided by the command switch. For more information about SNMP and community strings, see Chapter 23, “Configuring SNMP.”
Chapter 6 Administering the Switch
This chapter describes how to perform one-time operations to administer your Catalyst 2940 switch.
Managing the System Time and Date
The system clock can provide time to these services:
• User show commands
• Logging and debugging messages
The system clock keeps track of time internally based on Universal Time Coordinated (UTC), also known as Greenwich Mean Time (GMT). You can configure information about the local time zone and summer time (daylight saving time) so that the time is correctly displayed for the local time zone.
Several manufacturers include NTP software for their host systems, and a publicly available version for systems running UNIX and its various derivatives is also available. This software allows host systems to be time-synchronized as well.
Default NTP Configuration
Table 6-1 shows the default NTP configuration.
Table 6-1 Default NTP Configuration
Feature | Default Setting
NTP authentication | Disabled. No authentication key is specified.
NTP peer or server associations | None configured.
NTP broadcast service | Disabled; no interface sends or receives NTP broadcast packets.
NTP access restrictions | No access control is specified.
Step 5. end
   Return to privileged EXEC mode.
Step 6. show running-config
   Verify your entries.
Step 7. copy running-config startup-config
   (Optional) Save your entries in the configuration file.
To disable NTP authentication, use the no ntp authenticate global configuration command. To remove an authentication key, use the no ntp authentication-key number global configuration command.
Step 3. end
   Return to privileged EXEC mode.
Step 4. show running-config
   Verify your entries.
Step 5. copy running-config startup-config
   (Optional) Save your entries in the configuration file.
You need to configure only one end of an association; the other device can automatically establish the association.
Step 6. copy running-config startup-config
   (Optional) Save your entries in the configuration file.
Step 7. Configure the connected peers to receive NTP broadcast packets as described in the next procedure.
To disable the interface from sending NTP broadcast packets, use the no ntp broadcast interface configuration command.
Creating an Access Group and Assigning a Basic IP Access List
Beginning in privileged EXEC mode, follow these steps to control access to NTP services by using access lists:
Step 1. configure terminal
   Enter global configuration mode.
Step 2. ntp access-group {query-only | serve-only | serve | peer} access-list-number
   Create an access group, and apply a basic IP access list.
If the source IP address matches the access lists for more than one access type, the first type is granted. If no access groups are specified, all access types are granted to all devices. If any access groups are specified, only the specified access types are granted. To remove access control to the switch NTP services, use the no ntp access-group {query-only | serve-only | serve | peer} global configuration command.
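The following is an added example, not taken from the guide, that puts the NTP authentication steps and the NTP access-group steps above together on one switch. The server address 192.0.2.10, the management subnet 192.0.2.0/24, key number 1, and the key string are constructed placeholders; the ntp trusted-key and ntp server ... key commands are assumed from the switch's NTP command set, since the excerpt above shows only the ntp authenticate and ntp authentication-key commands.

```ios
! Added example (not from the Catalyst 2940 guide). Addresses, key number,
! and key string are placeholders; replace them with your own values.
Switch# configure terminal
! Authenticate time sources: only a server that signs its packets with
! trusted key 1 is accepted as a clock source.
Switch(config)# ntp authenticate
Switch(config)# ntp authentication-key 1 md5 EXAMPLE-NTP-KEY
Switch(config)# ntp trusted-key 1
Switch(config)# ntp server 192.0.2.10 key 1
!
! Standard ACL 10: the one trusted time source.
! Standard ACL 20: hosts that may ask the switch for time.
Switch(config)# access-list 10 permit host 192.0.2.10
Switch(config)# access-list 20 permit 192.0.2.0 0.0.0.255
!
! Access groups: the switch synchronizes only with ACL 10 matches and
! serves time only to ACL 20 matches. Keep the two lists disjoint: a
! source that matches more than one access type is granted the first
! type, so overlapping lists make the result depend on evaluation order.
Switch(config)# ntp access-group peer 10
Switch(config)# ntp access-group serve-only 20
Switch(config)# end
!
! Verify: the association with 192.0.2.10 should show as authenticated,
! and the switch should report that it is synchronized.
Switch# show ntp associations detail
Switch# show ntp status
Switch# copy running-config startup-config
```

Once any access group is configured, every access type that is not named is denied to everyone, so a query-only group for monitoring hosts has to be added explicitly if those hosts need it.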
Beginning in privileged EXEC mode, follow these steps to configure a specific interface from which the IP source address is to be taken:
Step 1. configure terminal
   Enter global configuration mode.
Step 2. ntp source type number
   Specify the interface type and number from which the IP source address is taken. By default, the source address is determined by the outgoing interface.
Setting the System Clock
If you have an outside source on the network that provides time services, such as an NTP server, you do not need to manually set the system clock.
Beginning in privileged EXEC mode, follow these steps to set the system clock:
Step 1. clock set hh:mm:ss day month year
   Manually set the system clock using one of these formats.
Configuring the Time Zone
Beginning in privileged EXEC mode, follow these steps to manually configure the time zone:
Step 1. configure terminal
   Enter global configuration mode.
Step 2. clock timezone zone hours-offset [minutes-offset]
   Set the time zone. The switch keeps internal time in universal time coordinated (UTC), so this command is used only for display purposes and when the time is manually set.
Configuring Summer Time (Daylight Saving Time)
Beginning in privileged EXEC mode, follow these steps to configure summer time (daylight saving time) in areas where it starts and ends on a particular day of the week each year:
Step 1. configure terminal
   Enter global configuration mode.
Step 2. clock summer-time zone recurring
   Configure summer time to start and end on the specified days every year.
Beginning in privileged EXEC mode, follow these steps if summer time in your area does not follow a recurring pattern (configure the exact date and time of the next summer time events):
Step 1. configure terminal
   Enter global configuration mode.
Step 2. clock summer-time zone date [month date year hh:mm month date year hh:mm
   Configure summer time to start on the first date and end on the second date.
Configuring a System Name and Prompt
This section contains this configuration information:
• Default System Name and Prompt Configuration, page 6-15
• Configuring a System Name, page 6-15
• Configuring a System Prompt, page 6-16
• Understanding DNS, page 6-16
Default System Name and Prompt Configuration
The default switch system name and prompt is Switch.
Configuring a System Prompt
Beginning in privileged EXEC mode, follow these steps to manually configure a system prompt:
Step 1. configure terminal
   Enter global configuration mode.
Step 2. prompt string
   Configure the command-line prompt to override the setting from the hostname command.
Default DNS Configuration
Table 6-2 shows the default DNS configuration.
domain name is the value set by the ip domain-name global configuration command. If there is a period (.) in the hostname, the Cisco IOS software looks up the IP address without appending any default domain name to the hostname. To remove a domain name, use the no ip domain-name name global configuration command. To remove a name server address, use the no ip name-server server-address global configuration command.
Creating a Banner
Configuring a Message-of-the-Day Login Banner
You can create a single or multiline message banner that appears on the screen when someone logs in to the switch.
Beginning in privileged EXEC mode, follow these steps to configure a MOTD login banner:
Step 1. configure terminal
   Enter global configuration mode.
Step 2. banner motd c message c
   Specify the message of the day.
Configuring a Login Banner
You can configure a login banner to be displayed on all connected terminals. This banner appears after the MOTD banner and before the login prompt.
Beginning in privileged EXEC mode, follow these steps to configure a login banner:
Step 1. configure terminal
   Enter global configuration mode.
Step 2. banner login c message c
   Specify the login message.
Managing the MAC Address Table
This section contains this configuration information:
• Building the Address Table, page 6-21
• MAC Addresses and VLANs, page 6-21
• Default MAC Address Table Configuration, page 6-22
• Changing the Address Aging Time, page 6-22
• Removing Dynamic Address Entries, page 6-23
• Configuring MAC Address Notification Traps, page 6-23
• Adding and Removing Static Address Entries, page 6-25
• Displaying Address Table Entries, page 6
Default MAC Address Table Configuration
Table 6-3 shows the default MAC address table configuration.
Table 6-3 Default MAC Address Table Configuration
Feature | Default Setting
Aging time | 300 seconds
Dynamic addresses | Automatically learned
Static addresses | None configured
Changing the Address Aging Time
Dynamic addresses are source MAC addresses that the switch learns and then ages when they are not in use.
Removing Dynamic Address Entries
To remove all dynamic entries, use the clear mac address-table dynamic command in privileged EXEC mode.
Step 5. mac address-table notification [interval value] | [history-size value]
   Enter the trap interval time and the history table size.
   • (Optional) For interval value, specify the notification trap interval in seconds between each set of traps that are generated to the NMS. The range is 0 to 2147483647 seconds; the default is 1 second.
Adding and Removing Static Address Entries
A static address has these characteristics:
• It is manually entered in the address table and must be manually removed.
• It can be a unicast or multicast address.
• It does not age and is retained when the switch restarts.
You can add and remove static addresses and define the forwarding behavior for them.
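The following is an added example, not taken from the guide, that uses the MAC address table commands from this section together: a longer aging time, MAC address notification traps sent to an NMS, and a static entry that pins a known host to its port. The NMS address 192.0.2.50, the community string, the MAC address 0000.0c12.3456, and VLAN 1 on FastEthernet0/1 are constructed; the snmp-server host, snmp-server enable traps mac-notification, mac address-table notification, snmp trap mac-notification, and mac address-table static commands are assumed from the switch's command set, since the excerpt above shows only step 5 of the trap procedure.

```ios
! Added example (not from the Catalyst 2940 guide). NMS address, community
! string, MAC address, VLAN, and port are placeholders.
Switch# configure terminal
! Dynamic entries age out after 600 seconds instead of the default 300.
Switch(config)# mac address-table aging-time 600
!
! Send MAC address change traps to the NMS. Use a read-only community
! string that is not a vendor default.
Switch(config)# snmp-server host 192.0.2.50 traps version 2c EXAMPLE-RO-COMMUNITY mac-notification
Switch(config)# snmp-server enable traps mac-notification
Switch(config)# mac address-table notification
! Batch traps every 60 seconds and keep the last 100 changes on the switch
! so a missed trap can still be read back with show commands.
Switch(config)# mac address-table notification interval 60
Switch(config)# mac address-table notification history-size 100
!
! Per port: report both newly learned and removed addresses on the
! access port being watched.
Switch(config)# interface fastethernet0/1
Switch(config-if)# snmp trap mac-notification added
Switch(config-if)# snmp trap mac-notification removed
Switch(config-if)# exit
!
! Static entry: 0000.0c12.3456 in VLAN 1 is always forwarded to Fa0/1.
! It does not age and survives a restart, so it must be removed by hand.
Switch(config)# mac address-table static 0000.0c12.3456 vlan 1 interface fastethernet0/1
Switch(config)# end
!
! Verify: aging time, the static entry, and the notification history.
Switch# show mac address-table aging-time
Switch# show mac address-table static
Switch# show mac address-table notification
Switch# copy running-config startup-config
```

A notification interval of 0 sends a trap for every change, which on a busy port can flood the NMS; a longer interval with a large history size keeps the record on the switch while rate-limiting what leaves it.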
Displaying Address Table Entries
You can display the MAC address table by using one or more of the privileged EXEC commands described in Table 6-4:
Table 6-4 Commands for Displaying the MAC Address Table
Command | Description
show mac address-table address | Displays MAC address table information for the specified MAC address.
show mac address-table aging-time | Displays the aging time in all VLANs or the specified VLAN.
Chapter 7 Configuring Switch-Based Authentication
This chapter describes how to configure switch-based authentication on the Catalyst 2940 switch.
Protecting Access to Privileged EXEC Commands
A simple way of providing terminal access control in your network is to use passwords and assign privilege levels. Password protection restricts access to a network or network device. Privilege levels define what commands users can enter after they have logged into a network device.
Setting or Changing a Static Enable Password
The enable password controls access to the privileged EXEC mode.
Beginning in privileged EXEC mode, follow these steps to set or change a static enable password:
Step 1. configure terminal
   Enter global configuration mode.
Step 2. enable password password
   Define a new password or change an existing password for access to privileged EXEC mode.
Protecting Enable and Enable Secret Passwords with Encryption
To provide an additional layer of security, particularly for passwords that cross the network or that are stored on a Trivial File Transfer Protocol (TFTP) server, you can use either the enable password or enable secret global configuration commands.
If both the enable and enable secret passwords are defined, users must enter the enable secret password. Use the level keyword to define a password for a specific privilege level. After you specify the level and set a password, give the password only to users who need to have access at this level. Use the privilege level global configuration command to specify commands accessible at various levels.
To remove the password, use the no password global configuration command.
This example shows how to set the Telnet password to let45me67in89:
Switch(config)# line vty 10
Switch(config-line)# password let45me67in89
Configuring Username and Password Pairs
You can configure username and password pairs, which are locally stored on the switch.
Configuring Multiple Privilege Levels
By default, the Cisco IOS software has two modes of password security: user EXEC and privileged EXEC. You can configure up to 16 hierarchical levels of commands for each mode. By configuring multiple passwords, you can allow different sets of users to have access to specified commands.
When you set a command to a privilege level, all commands whose syntax is a subset of that command are also set to that level. For example, if you set the show ip traffic command to level 15, the show commands and show ip commands are automatically set to privilege level 15 unless you set them individually to different levels.
Logging into and Exiting a Privilege Level
Beginning in privileged EXEC mode, follow these steps to log in to a specified privilege level and to exit to a specified privilege level:
Step 1. enable level
   Log in to a specified privilege level. For level, the range is 0 to 15.
Step 2. disable level
   Exit to a specified privilege level. For level, the range is 0 to 15.
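The following is an added example, not taken from the guide, that combines the enable secret, privilege level, and line password procedures above into one configuration and then moves between levels. All passwords are constructed placeholders; the example repeats the guide's own show ip traffic case at level 5 instead of level 15 to show the subset rule having a visible effect.

```ios
! Added example (not from the Catalyst 2940 guide). All passwords are
! placeholders.
Switch# configure terminal
!
! Stronger setting: enable secret is stored as a one-way hash. When both
! an enable password and an enable secret exist, users must enter the
! secret, so the old enable password is removed rather than left behind
! in a reversible form.
Switch(config)# enable secret EXAMPLE-ENABLE-SECRET
Switch(config)# no enable password
! Scramble line passwords in show running-config output (this is not a
! one-way hash, which is why enable secret is preferred for enable).
Switch(config)# service password-encryption
!
! A level-5 operator tier: its own enable secret plus the commands it may
! run. Setting "show ip traffic" to level 5 also sets "show" and
! "show ip" to level 5, because their syntax is a subset of it.
Switch(config)# enable secret level 5 EXAMPLE-LEVEL5-SECRET
Switch(config)# privilege exec level 5 show ip traffic
!
! Telnet lines require a line password before any EXEC access.
Switch(config)# line vty 0 15
Switch(config-line)# password EXAMPLE-LINE-PASSWORD
Switch(config-line)# login
Switch(config-line)# end
!
! Move to level 5, confirm it, and drop back to level 1.
Switch# enable 5
Switch# show privilege
Switch# disable 1
Switch# copy running-config startup-config
```

After the change, show running-config lists the level assignment as well as the generated entries for the subset commands, which is the quickest way to confirm what a level-5 user can actually run.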
Controlling Switch Access with TACACS+
The goal of TACACS+ is to provide a method for managing multiple network access points from a single management service. Your switch can be a network access server along with other Cisco routers and access servers. A network access server provides connections to a single user, to a network or subnetwork, and to interconnected networks as shown in Figure 7-1.
The TACACS+ protocol provides authentication between the switch and the TACACS+ daemon, and it ensures confidentiality because all protocol exchanges between the switch and the TACACS+ daemon are encrypted. You need a system running the TACACS+ daemon software to use TACACS+ on your switch.
authorize, or to keep accounts on users; if that method does not respond, the software selects the next method in the list. This process continues until there is successful communication with a listed method or the method list is exhausted.
Step 3. aaa new-model
   Enable AAA.
Step 4. aaa group server tacacs+ group-name
   (Optional) Define the AAA server-group with a group name. This command puts the switch in a server group subconfiguration mode.
Step 5. server ip-address
   (Optional) Associate a particular TACACS+ server with the defined server group. Repeat this step for each TACACS+ server in the AAA server group.
Beginning in privileged EXEC mode, follow these steps to configure login authentication:
Step 1. configure terminal
   Enter global configuration mode.
Step 2. aaa new-model
   Enable AAA.
Step 3. aaa authentication login {default | list-name} method1 [method2...]
   Create a login authentication method list.
To disable AAA, use the no aaa new-model global configuration command. To disable AAA authentication, use the no aaa authentication login {default | list-name} method1 [method2...] global configuration command. To either disable TACACS+ authentication for logins or to return to the default value, use the no login authentication {default | list-name} line configuration command.
Starting TACACS+ Accounting
The AAA accounting feature tracks the services that users are accessing and the amount of network resources that they are consuming. When AAA accounting is enabled, the switch reports user activity to the TACACS+ security server in the form of accounting records. Each accounting record contains accounting attribute-value (AV) pairs and is stored on the security server.
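The following is an added example, not taken from the guide, that walks the TACACS+ procedures above end to end: server group, login authentication method list, exec authorization, and accounting, with a local fallback for the case where every server is unreachable. The server addresses 192.0.2.20 and 192.0.2.21, the shared key, the group name MGMT-TACACS, and the local account are constructed; the tacacs-server host, tacacs-server key, aaa authorization exec, and aaa accounting exec commands are assumed from the switch's AAA command set, since the excerpt above shows only the server-group and login-authentication steps.

```ios
! Added example (not from the Catalyst 2940 guide). Server addresses,
! key, group name, and local account are placeholders.
Switch# configure terminal
! A local fallback account so the switch stays manageable if no TACACS+
! server responds.
Switch(config)# username admin privilege 15 password EXAMPLE-LOCAL-PASSWORD
Switch(config)# service password-encryption
!
Switch(config)# aaa new-model
Switch(config)# tacacs-server host 192.0.2.20
Switch(config)# tacacs-server host 192.0.2.21
Switch(config)# tacacs-server key EXAMPLE-TACACS-KEY
!
! Named server group holding both daemons.
Switch(config)# aaa group server tacacs+ MGMT-TACACS
Switch(config-sg-tacacs+)# server 192.0.2.20
Switch(config-sg-tacacs+)# server 192.0.2.21
Switch(config-sg-tacacs+)# exit
!
! Method lists: TACACS+ first, local only if no server responds. The next
! method is tried only when the current one does not answer; a server
! that answers with a reject is an answer, and the login fails there.
Switch(config)# aaa authentication login default group MGMT-TACACS local
Switch(config)# aaa authorization exec default group MGMT-TACACS local
! Start and stop records for each EXEC session go to the servers.
Switch(config)# aaa accounting exec default start-stop group MGMT-TACACS
!
! Apply the default login list to the Telnet lines.
Switch(config)# line vty 0 15
Switch(config-line)# login authentication default
Switch(config-line)# end
!
Switch# show tacacs
Switch# copy running-config startup-config
```

Keep one session open on the switch while testing a new method list from a second session; if the server rejects the test login, the open session is what lets you correct the list without a console visit.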
Controlling Switch Access with RADIUS
Understanding RADIUS
RADIUS is a distributed client/server system that secures networks against unauthorized access. RADIUS clients run on supported Cisco routers and switches, including Catalyst 3550 multilayer switches, Catalyst 2955 switches, and Catalyst 2950 switches. Clients send authentication requests to a central RADIUS server, which contains all user authentication and network service access information.
Figure 7-2 Transitioning from RADIUS to TACACS+ Services
[Figure 7-2: a remote PC and a workstation reach a Catalyst 2940 switch, which is served by RADIUS servers R1 and R2 and TACACS+ servers T1 and T2.]
RADIUS Operation
When a user attempts to log in and authenticate to a switch that is access controlled by a RADIUS server, these events occur:
1. The user is prompted to enter a username and password.
2.
Configuring RADIUS
This section describes how to configure your switch to support RADIUS. At a minimum, you must identify the host or hosts that run the RADIUS server software and define the method lists for RADIUS authentication. You can optionally define method lists for RADIUS authorization and accounting.
You identify RADIUS security servers by their host name or IP address, host name and specific UDP port numbers, or their IP address and specific UDP port numbers. The combination of the IP address and the UDP port number creates a unique identifier, allowing different ports to be individually defined as RADIUS hosts providing a specific AAA service.
Beginning in privileged EXEC mode, follow these steps to configure per-server RADIUS server communication. This procedure is required.
Step 1. configure terminal
   Enter global configuration mode.
This example shows how to configure host1 as the RADIUS server and to use the default ports for both authentication and accounting:
Switch(config)# radius-server host host1
Note: You also need to configure some settings on the RADIUS server. These settings include the IP address of the switch and the key string to be shared by both the server and the switch.
Step 3. aaa authentication login {default | list-name} method1 [method2...]
   Create a login authentication method list.
   • To create a default list that is used when a named list is not specified in the login authentication command, use the default keyword followed by the methods that are to be used in default situations. The default method list is automatically applied to all interfaces.
To disable AAA, use the no aaa new-model global configuration command. To disable AAA authentication, use the no aaa authentication login {default | list-name} method1 [method2...] global configuration command. To either disable RADIUS authentication for logins or to return to the default value, use the no login authentication {default | list-name} line configuration command.
Beginning in privileged EXEC mode, follow these steps to define the AAA server group and associate a particular RADIUS server with it:
Step 1. configure terminal
   Enter global configuration mode.
Step 8. copy running-config startup-config
   (Optional) Save your entries in the configuration file.
Step 9. Enable RADIUS login authentication. See the “Configuring RADIUS Login Authentication” section on page 7-22.
To remove the specified RADIUS server, use the no radius-server host hostname | ip-address global configuration command.
Beginning in privileged EXEC mode, follow these steps to specify RADIUS authorization for privileged EXEC access and network services:
Step 1. configure terminal
   Enter global configuration mode.
Step 2. aaa authorization network radius
   Configure the switch for user RADIUS authorization for all network-related service requests.
Configuring Settings for All RADIUS Servers
Beginning in privileged EXEC mode, follow these steps to configure global communication settings between the switch and all RADIUS servers:
Step 1. configure terminal
   Enter global configuration mode.
Step 2. radius-server key string
   Specify the shared secret text string used between the switch and all RADIUS servers.
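The following is an added example, not taken from the guide, that combines the per-server RADIUS host definition, the global settings for all servers, the login method list, and network authorization described above. The server addresses 192.0.2.30 and 192.0.2.31 and the key strings are constructed; the auth-port, acct-port, and key options of radius-server host, and the radius-server retransmit, timeout, and deadtime commands, are assumed from the switch's RADIUS command set and do not appear in the excerpt above.

```ios
! Added example (not from the Catalyst 2940 guide). Server addresses,
! ports, and keys are placeholders.
Switch# configure terminal
Switch(config)# aaa new-model
!
! Per-server settings. IP address plus UDP port identifies a RADIUS host,
! so each server can carry its own key and its own port pair.
Switch(config)# radius-server host 192.0.2.30 auth-port 1812 acct-port 1813 key EXAMPLE-RADIUS-KEY-1
Switch(config)# radius-server host 192.0.2.31 auth-port 1812 acct-port 1813 key EXAMPLE-RADIUS-KEY-2
!
! Global settings, used by any server defined without its own key or
! timers: 3 retries, 5-second timeout, and a server that stops answering
! is skipped for 10 minutes instead of delaying every login.
Switch(config)# radius-server key EXAMPLE-RADIUS-DEFAULT-KEY
Switch(config)# radius-server retransmit 3
Switch(config)# radius-server timeout 5
Switch(config)# radius-server deadtime 10
!
! Login goes to RADIUS first and to the local user database only when no
! server responds; network-related service requests are authorized by
! RADIUS.
Switch(config)# aaa authentication login default group radius local
Switch(config)# aaa authorization network radius
Switch(config)# line vty 0 15
Switch(config-line)# login authentication default
Switch(config-line)# end
!
! On the RADIUS server (not on the switch) the switch's own address and
! the matching key are configured; a user who should land directly in
! privileged EXEC carries the AV pair cisco-avpair = "shell:priv-lvl=15".
Switch# show running-config
Switch# copy running-config startup-config
```

Because the key is what authenticates the switch to the server, a per-host key that differs from the global one must be entered on the server for that switch too, or the server silently discards the requests and the method list falls through to local.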
Chapter 7 Configuring Switch-Based Authentication Controlling Switch Access with RADIUS For example, this AV pair activates Cisco’s multiple named ip address pools feature during IP authorization (during PPP’s IPCP address assignment): cisco-avpair= ”ip:addr-pool=first“ This example shows how to provide a user logging in from a switch with immediate access to privileged EXEC commands: cisco-avpair= ”shell:priv-lvl=15“ This example shows how to specify an authorized VLAN in the RADIUS server database: ci
Chapter 7 Configuring Switch-Based Authentication Controlling Switch Access with RADIUS Beginning in privileged EXEC mode, follow these steps to specify a vendor-proprietary RADIUS server host and a shared secret text string: Command Purpose Step 1 configure terminal Enter global configuration mode.
Configuring the Switch for Local Authentication and Authorization
You can configure AAA to operate without a server by setting the switch to implement AAA in local mode. The switch then handles authentication and authorization. No accounting is available in this configuration.
Chapter 8 Configuring 802.1X Port-Based Authentication
This chapter describes how to configure IEEE 802.1X port-based authentication on the Catalyst 2940 switch to prevent unauthorized devices (clients) from gaining access to the network.
Note For complete syntax and usage information for the commands used in this chapter, refer to the command reference for this release.
This chapter consists of these sections:
• Understanding 802.1X Port-Based Authentication, page 8-1
• Configuring 802.
Device Roles
With 802.1X port-based authentication, the devices in the network have specific roles as shown in Figure 8-1.
Figure 8-1 802.1X Device Roles (Catalyst 2940 switch, authentication server (RADIUS), workstations (clients))
• Client—the device (workstation) that requests access to the LAN and switch services and responds to requests from the switch. The workstation must be running 802.
Authentication Initiation and Message Exchange
The switch or the client can initiate authentication. If you enable authentication on a port by using the dot1x port-control auto interface configuration command, the switch must initiate authentication when it determines that the port link state transitions from down to up.
Ports in Authorized and Unauthorized States
The switch port state determines whether or not the client is granted access to the network. The port starts in the unauthorized state. While in this state, the port disallows all ingress and egress traffic except for 802.1X protocol packets.
In a point-to-point configuration (see Figure 8-1 on page 8-2), only one client can be connected to the 802.1X-enabled switch port. The switch detects the client when the port link state changes to the up state. If a client leaves or is replaced with another client, the switch changes the port link state to down, and the port returns to the unauthorized state. Figure 8-3 shows 802.
Configuring 802.1X Authentication
These sections describe how to configure 802.1X port-based authentication on your switch:
• Default 802.1X Configuration, page 8-6
• 802.1X Configuration Guidelines, page 8-8
• Upgrading from a Previous Software Release, page 8-8
• Enabling 802.
Table 8-1 Default 802.1X Configuration (continued)
Feature  Default Setting
Retransmission time  30 seconds (number of seconds that the switch should wait for a response to an EAP-request/identity frame from the client before resending the request).
Maximum retransmission number  2 times (number of times that the switch will send an EAP-request/identity frame before restarting the authentication process).
802.1X Configuration Guidelines
These are the 802.1X authentication configuration guidelines:
• When 802.1X is enabled, ports are authenticated before any other Layer 2 or Layer 3 features are enabled.
• The 802.
global configuration command. If 802.1X was running in multiple-hosts mode on an interface in the previous release, make sure to reconfigure it by using the dot1x host-mode multi-host interface configuration command.
Enabling 802.1X Authentication
To enable 802.1X port-based authentication, you must enable AAA and specify the authentication method list.
Step 9  show dot1x  Verify your entries. Check the Status column in the 802.1X Port Summary section of the display. An enabled status means the port-control value is set either to auto or to force-unauthorized.
Step 10  copy running-config startup-config  (Optional) Save your entries in the configuration file.
To disable AAA, use the no aaa new-model global configuration command. To disable 802.
Step 1  configure terminal  Enter global configuration mode.
Step 2  radius-server host {hostname | ip-address} auth-port port-number key string  Configure the RADIUS server parameters on the switch. For hostname | ip-address, specify the host name or IP address of the remote RADIUS server. For auth-port port-number, specify the UDP destination port for authentication requests. The default is 1812.
Beginning in privileged EXEC mode, follow these steps to enable periodic re-authentication of the client and to configure the number of seconds between re-authentication attempts. This procedure is optional.
Step 1  configure terminal  Enter global configuration mode.
Step 2  interface interface-id  Enter interface configuration mode, and specify the interface to be configured.
Step 1  configure terminal  Enter global configuration mode.
Step 2  interface interface-id  Enter interface configuration mode, and specify the interface to be configured.
Step 3  dot1x timeout quiet-period seconds  Set the number of seconds that the switch remains in the quiet state following a failed authentication exchange with the client. The range is 1 to 65535 seconds; the default is 60.
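The unauthorized/authorized port states, the EAP-request/identity retransmission defaults from Table 8-1, periodic re-authentication and the quiet period described in the preceding sections fit together as one small state machine. The Python below is an added example, not code from the guide or from Cisco IOS: it models a single port in dot1x port-control auto mode with the default timer values quoted in the text. The rule that the initial request plus max_reauth_req resends precede a restart, the 3600-second re-authentication interval, and the event timeline in run_scenario are this model's assumptions.

```python
from dataclasses import dataclass, field
from typing import List, Tuple

EAPOL_ETHERTYPE = 0x888E   # 802.1X protocol frames: the only traffic an unauthorized port passes
IPV4_ETHERTYPE = 0x0800

@dataclass
class Dot1xPort:
    """Model of one switch port with dot1x port-control auto.
    Timer defaults are the values stated in the text; the retransmission counting
    rule (initial request plus max_reauth_req resends, then restart) is assumed."""
    tx_period: int = 30          # seconds to wait for an EAP-Request/Identity reply
    max_reauth_req: int = 2      # resends before the authentication process restarts
    quiet_period: int = 60       # hold-down after a failed authentication exchange
    reauth_period: int = 3600    # re-authentication interval when enabled (assumed value)
    reauth_enabled: bool = False
    state: str = "unauthorized"
    retries: int = 0
    quiet_until: int = 0
    reauth_at: int = 0
    failures: int = 0
    log: List[Tuple[int, str]] = field(default_factory=list)

    def forwards(self, ethertype: int) -> bool:
        """Unauthorized ports drop everything except 802.1X (EAPOL) frames."""
        return self.state == "authorized" or ethertype == EAPOL_ETHERTYPE

    def link_up(self, now: int) -> None:
        """Link down-to-up: the switch initiates authentication with an EAP-Request/Identity."""
        self.state, self.retries = "unauthorized", 0
        self.log.append((now, "EAP-Request/Identity sent"))

    def identity_timeout(self, now: int) -> str:
        """No reply within tx_period: resend up to max_reauth_req times, then restart."""
        if self.retries < self.max_reauth_req:
            self.retries += 1
            self.log.append((now, f"EAP-Request/Identity resent ({self.retries})"))
            return "resent"
        self.retries = 0
        self.log.append((now, "authentication restarted"))
        return "restarted"

    def auth_result(self, now: int, success: bool) -> None:
        """Outcome of the EAP exchange as relayed from the RADIUS server."""
        if success:
            self.state = "authorized"
            if self.reauth_enabled:
                self.reauth_at = now + self.reauth_period
            self.log.append((now, "authorized"))
        else:
            self.state = "unauthorized"
            self.failures += 1
            self.quiet_until = now + self.quiet_period
            self.log.append((now, f"failed; quiet until t={self.quiet_until}"))

    def can_start_auth(self, now: int) -> bool:
        """During the quiet period the switch does not start a new exchange."""
        return now >= self.quiet_until

    def reauth_due(self, now: int) -> bool:
        return self.reauth_enabled and self.state == "authorized" and now >= self.reauth_at

def run_scenario() -> Dot1xPort:
    """Constructed timeline: silent client, then a failed and a successful exchange."""
    port = Dot1xPort(reauth_enabled=True)
    port.link_up(0)
    port.identity_timeout(30)              # first resend
    port.identity_timeout(60)              # second resend
    port.identity_timeout(90)              # restart
    port.auth_result(100, success=False)   # quiet until t=160
    if port.can_start_auth(170):
        port.auth_result(175, success=True)
    return port

if __name__ == "__main__":
    for t, event in run_scenario().log:
        print(f"t={t:4} {event}")
```

The failures counter is the value worth exporting: repeated failures on one port inside a short window, alongside the quiet-period hold-downs, is what a monitoring rule for this feature would key on.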
With the multiple-hosts mode enabled, you can use 802.1X to authenticate the port and port security to manage network access for all MAC addresses, including that of the client (for switches running the EI).
Beginning in privileged EXEC mode, follow these steps to allow multiple hosts (clients) on an 802.1X-authorized port that has the dot1x port-control interface configuration command set to auto.
Displaying 802.1X Statistics and Status
To display 802.1X statistics for all interfaces, use the show dot1x all statistics privileged EXEC command. To display 802.1X statistics for a specific interface, use the show dot1x statistics interface interface-id privileged EXEC command. To display the 802.1X administrative and operational status for the switch, use the show dot1x all privileged EXEC command.
Chapter 9 Configuring the Switch Interfaces
This chapter describes the types of interfaces on a Catalyst 2940 switch and how to configure them.
Access Ports
An access port belongs to and carries the traffic of only one VLAN (unless it is configured as a voice VLAN port). Traffic is received and sent in native formats with no VLAN tagging. Traffic arriving on an access port is assumed to belong to the VLAN assigned to the port. If an access port receives an 802.1P- or 802.1Q-tagged packet for the VLAN assigned to the port, the packet is forwarded.
Port-Based VLANs
A VLAN is a switched network that is logically segmented by function, team, or application, without regard to the physical location of the users. For more information about VLANs, see Chapter 13, “Configuring VLANs.” Packets received on a port are forwarded only to ports that belong to the same VLAN as the receiving port.
Figure 9-1 Connecting VLANs with Layer 2 Switches (Cisco router, switch, Host A, Host B, VLAN 20, VLAN 30)
Using the Interface Command
To configure a physical interface (port), use the interface global configuration command to enter interface configuration mode and to specify the interface type, slot, and number.
• Type—Fast Ethernet (fastethernet or fa) for 10/100 Ethernet or Gigabit Ethernet (gigabitethernet or gi).
Procedures for Configuring Interfaces
These general instructions apply to all interface configuration processes.
Step 1 Enter the configure terminal command at the privileged EXEC prompt:
Switch# configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Switch(config)#
Step 2 Enter the interface global configuration command. Identify the interface type and the number of the connector.
5 minute output rate 1000 bits/sec, 2 packets/sec
2832963 packets input, 214073802 bytes, 0 no buffer
Received 21170 broadcasts, 0 runts, 0 giants, 0 throttles
0 input errors, 0 CRC, 0 frame, 0 overrun, 14 ignored
2120022 packets output, 271900223 bytes, 0 underruns
0 output errors, 2 interface resets
0 output buffer failures, 0 output buffers swapped out
FastEthernet0/1 is up, line protocol is up (connected)
Hardware is Fast Etherne
Beginning in privileged EXEC mode, follow these steps to configure a range of interfaces with the same parameters:
Step 1  configure terminal  Enter global configuration mode.
Step 2  interface range {port-range | macro macro_name}  Enter interface-range configuration mode by entering the range of interfaces (VLANs or physical ports) to be configured.
*Oct 6 08:24:35: %LINK-3-UPDOWN: Interface FastEthernet0/3, changed state to up
*Oct 6 08:24:35: %LINK-3-UPDOWN: Interface FastEthernet0/4, changed state to up
*Oct 6 08:24:35: %LINK-3-UPDOWN: Interface FastEthernet0/5, changed state to up
*Oct 6 08:24:36: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/05, changed state to up
*Oct 6 08:24:36: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/3, changed stat
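Messages in this %FACILITY-SEVERITY-MNEMONIC layout are what a collector sees from the switch, and a port that cycles between up and down is an early signal of a bad cable, a duplex mismatch or a device being swapped on an access port. The Python below is an added example, not code from the guide or from Cisco: it parses lines of this format, collects the physical-link (%LINK-3-UPDOWN) transitions per interface, and flags interfaces that change state too often inside a time window. The sample log is constructed, the window and threshold are assumed values, and the year 1900 is only a placeholder because these timestamps carry no year.

```python
import re
from collections import defaultdict
from datetime import datetime
from typing import Dict, List, Optional

# IOS message layout: [*]timestamp: %FACILITY-SEVERITY-MNEMONIC: message text
SYSLOG_RE = re.compile(
    r"^\*?(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}): "
    r"%(?P<facility>[A-Z0-9_]+)-(?P<severity>\d)-(?P<mnemonic>[A-Z0-9_]+): (?P<msg>.*)$"
)
LINK_RE = re.compile(r"Interface (?P<interface>\S+), changed state to (?P<state>up|down)$")

def parse_line(line: str) -> Optional[dict]:
    """Parse one IOS syslog line; None for lines that do not match the format."""
    m = SYSLOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["severity"] = int(rec["severity"])
    # The timestamp has no year; strptime fills in 1900, which is fine for ordering within a log.
    month, day, clock = rec["ts"].split()
    rec["time"] = datetime.strptime(f"{month} {int(day)} {clock}", "%b %d %H:%M:%S")
    link = LINK_RE.search(rec["msg"])
    if link:
        rec.update(link.groupdict())
    return rec

def link_transitions(lines: List[str]) -> Dict[str, List[tuple]]:
    """Physical-link (%LINK-3-UPDOWN) transitions per interface. LINEPROTO lines
    are ignored so that one flap is not counted twice."""
    out = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec and rec["facility"] == "LINK" and rec["mnemonic"] == "UPDOWN" and "interface" in rec:
            out[rec["interface"]].append((rec["time"], rec["state"]))
    return dict(out)

def flapping_interfaces(lines: List[str], window_s: int = 60, min_transitions: int = 4) -> List[str]:
    """Interfaces with at least min_transitions link changes inside any window_s-second window."""
    flapping = []
    for iface, events in link_transitions(lines).items():
        times = sorted(t for t, _ in events)
        for i in range(len(times)):
            j = i + min_transitions - 1
            if j < len(times) and (times[j] - times[i]).total_seconds() <= window_s:
                flapping.append(iface)
                break
    return sorted(flapping)

# Constructed sample log in the format shown above; Fa0/3 flaps, Fa0/4 comes up once.
SAMPLE_LOG = """\
*Oct 6 08:24:35: %LINK-3-UPDOWN: Interface FastEthernet0/3, changed state to up
*Oct 6 08:24:35: %LINK-3-UPDOWN: Interface FastEthernet0/4, changed state to up
*Oct 6 08:24:36: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/3, changed state to up
*Oct 6 08:24:40: %LINK-3-UPDOWN: Interface FastEthernet0/3, changed state to down
*Oct 6 08:24:41: %LINK-3-UPDOWN: Interface FastEthernet0/3, changed state to up
*Oct 6 08:24:42: %LINK-3-UPDOWN: Interface FastEthernet0/3, changed state to down
*Oct 6 08:24:43: %LINK-3-UPDOWN: Interface FastEthernet0/3, changed state to up
""".splitlines()

if __name__ == "__main__":
    print("flapping:", flapping_interfaces(SAMPLE_LOG))
```

Only %LINK-3-UPDOWN is counted; the companion %LINEPROTO-5-UPDOWN message follows every physical transition and would double every count if included.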
Step 4  end  Return to privileged EXEC mode.
Step 5  show running-config | include define  Show the defined interface-range macro configuration.
Step 6  copy running-config startup-config  (Optional) Save your entries in the configuration file.
Use the no define interface-range macro_name global configuration command to delete a macro.
Configuring Ethernet Interfaces
The switch supports these interface types:
• Physical ports—Switch ports, including access and trunk ports
• VLANs—Switch virtual interfaces (SVIs)
• Port-channels—EtherChannel of interfaces
These sections describe the default interface configuration and the optional features that you can configure on most physical interfaces:
• Default Ethernet Interface Configuration, page 9-10
• Configu
Table 9-1 Default Ethernet Interface Configuration (continued)
Feature  Default Setting
Port Fast  Disabled.
Auto-MDIX  Disabled.
Configuring Interface Speed and Duplex Mode
The 10/100 Ethernet interfaces on the switch operate in 10 or 100 Mbps and in either full- or half-duplex mode. The 10/100/1000 Ethernet interfaces operate at 10, 100, or 1000 Mbps.
Setting the Interface Speed and Duplex Parameters
Beginning in privileged EXEC mode, follow these steps to set the speed and duplex mode for a physical interface:
Step 1  configure terminal  Enter global configuration mode.
Step 2  interface interface-id  Enter interface configuration mode and the physical interface identification.
Configuring Auto-MDIX on an Interface
When automatic medium-dependent interface crossover (Auto-MDIX) is enabled on an interface, the interface automatically detects the required cable connection type (straight-through or crossover) and configures the connection appropriately.
This example shows how to enable Auto-MDIX on Gigabit Ethernet interface 0/1:
Switch# configure terminal
Switch(config)# interface gigabitethernet0/1
Switch(config-if)# speed auto
Switch(config-if)# duplex auto
Switch(config-if)# mdix auto
Switch(config-if)# end
Adding a Description for an Interface
You can add a description about an interface to help you remember its function.
Monitoring Interface and Controller Status
Commands entered at the privileged EXEC prompt display information about the interface, including the version of the software and the hardware, the controller status, and statistics about the interfaces. Table 9-3 lists some of these interface monitoring commands. (You can display the full list of show commands by using the show ? command at the privileged EXEC prompt.
To clear the interface counters shown by the show interfaces privileged EXEC command, use the clear counters privileged EXEC command. The clear counters command clears all current interface counters from the interface unless optional arguments are specified to clear only a specific interface type from a specific interface number.
This example shows how to re-enable Fast Ethernet interface 0/5:
Switch# configure terminal
Switch(config)# interface fastethernet0/5
Switch(config-if)# no shutdown
Switch(config-if)#
*Sep 30 08:36:00: %LINK-3-UPDOWN: Interface FastEthernet0/5, changed state to up
To verify that an interface is disabled, enter the show interfaces privileged EXEC command.
Chapter 10 Configuring SmartPort Macros
This chapter describes how to configure and apply SmartPort macros on your Catalyst 2940 switch.
Note For complete syntax and usage information for the commands used in this chapter, refer to the command reference for this release.
Default SmartPort Macro Configuration
There are no default SmartPort macros configured on the switch.
SmartPort Macro Configuration Guidelines
Follow these guidelines when configuring macros on your switch:
• Do not use exit or end commands when creating a macro. This could cause commands that follow exit or end to execute in a different command mode.
Step 4  macro {apply | trace} macro-name  Apply each individual command defined in the macro to the interface by entering macro apply macro-name. Specify macro trace macro-name to apply and print each command before it is applied to the interface.
Step 5  macro description text  (Optional) Enter a description about the macro that is applied to the interface.
Step 6  end  Return to privileged EXEC mode.
--------------------------------------------------------------
Fa0/9 desktop-config
--------------------------------------------------------------
Displaying SmartPort Macros
To display the SmartPort macros, use one or more of the privileged EXEC commands in Table 10-1.
Table 10-1 Commands for Displaying SmartPort Macros
Command  Purpose
show parser macro  Displays all configured macros.
Chapter 11 Configuring STP
This chapter describes how to configure the Spanning Tree Protocol (STP) on your Catalyst 2940 switch. For information about optional spanning-tree features, see Chapter 12, “Configuring Optional Spanning-Tree Features.”
Note For complete syntax and usage information for the commands used in this chapter, refer to the command reference for this release.
For information about optional spanning-tree features, see Chapter 12, “Configuring Optional Spanning-Tree Features.”
STP Overview
STP is a Layer 2 link management protocol that provides path redundancy while preventing loops in the network. For a Layer 2 Ethernet network to function properly, only one active path can exist between any two stations. Multiple active paths among end stations cause loops in the network.
• The bridge ID of the sending switch
• Message age
• The identifier of the sending interface
• Values for the hello, forward-delay, and max-age protocol timers
When a switch receives a configuration BPDU that contains superior information (lower bridge ID, lower path cost, and so forth), it stores the information for that port.
Table 11-1 Switch Priority Value and Extended System ID
Switch Priority Value: Bit 16 = 32768, Bit 15 = 16384, Bit 14 = 8192, Bit 13 = 4096
Extended System ID (Set Equal to the VLAN ID): Bit 12 = 2048, Bit 11 = 1024, Bit 10 = 512, Bit 9 = 256, Bit 8 = 128, Bit 7 = 64, Bit 6 = 32, Bit 5 = 16, Bit 4 = 8, Bit 3 = 4, Bit 2 = 2, Bit 1 = 1
Spanning tree uses the extended system ID, the switch priority, and the allocated spanning-tree MAC address to make the b
Figure 11-1 illustrates how an interface moves through the states.
Figure 11-1 Spanning-Tree Interface States (power-on initialization, blocking state, listening state, learning state, forwarding state, disabled state)
When you power up the switch, spanning tree is enabled by default, and every interface in the switch, VLAN, or network goes through the blocking state and the transitory states of listening and learning.
Listening State
The listening state is the first state a Layer 2 interface enters after the blocking state. The interface enters this state when the spanning tree determines that the interface should participate in frame forwarding.
How a Switch or Port Becomes the Root Switch or Root Port
If all switches in a network are enabled with default spanning-tree settings, the switch with the lowest MAC address becomes the root switch. In Figure 11-2, Switch A is elected as the root switch because the switch priority of all the switches is set to the default (32768) and Switch A has the lowest MAC address.
Figure 11-3 Spanning Tree and Redundant Connectivity (Switch A, Switch B, and Switch C, all Catalyst 2940 switches; active link, blocked link, workstations)
You can also create redundant links between switches by using EtherChannel groups. For more information, see Chapter 25, “Configuring EtherChannels.”
Spanning-Tree Address Management
IEEE 802.
Spanning-Tree Modes and Protocols
The switch supports PVST+. This spanning-tree mode is based on the IEEE 802.1D standard and Cisco proprietary extensions. It is the default spanning-tree mode used on all Ethernet, Fast Ethernet, and Gigabit Ethernet port-based VLANs. The PVST+ runs on each VLAN on the switch up to the maximum supported, ensuring that each has a loop-free path through the network.
When you connect a Cisco switch to a non-Cisco device through an 802.1Q trunk, the Cisco switch uses PVST+ to provide spanning-tree interoperability. If rapid PVST+ is enabled, the switch uses it instead of PVST+. The switch combines the spanning-tree instance of the 802.1Q VLAN of the trunk with the spanning-tree instance of the non-Cisco 802.1Q switch.
Table 11-3 Default Spanning-Tree Configuration (continued)
Feature  Default Setting
Spanning-tree port cost (configurable on a per-interface basis)  1000 Mbps: 4. 100 Mbps: 19. 10 Mbps: 100.
Spanning-tree VLAN port priority (configurable on a per-VLAN basis)  128.
Spanning-tree VLAN port cost (configurable on a per-VLAN basis)  1000 Mbps: 4. 100 Mbps: 19. 10 Mbps: 100.
Spanning-tree timers  Hello time: 2 seconds.
Beginning in privileged EXEC mode, follow these steps to disable STP on a per-VLAN basis:
Step 1  configure terminal  Enter global configuration mode.
Step 2  no spanning-tree vlan vlan-id  Disable STP on a per-VLAN basis. For vlan-id, you can specify a single VLAN identified by VLAN ID number, a range of VLANs separated by a hyphen, or a series of VLANs separated by a comma. The range is 1 to 1005.
Use the diameter keyword to specify the Layer 2 network diameter (that is, the maximum number of switch hops between any two end stations in the Layer 2 network). When you specify the network diameter, the switch automatically sets an optimal hello time, forward-delay time, and maximum-age time for a network of that diameter, which can significantly reduce the convergence time.
Configuring a Secondary Root Switch
When you configure a Catalyst 2940 switch that supports the extended system ID as the secondary root, the switch priority is modified from the default value (32768) to 28672. The switch is then likely to become the root switch for the specified VLAN if the primary root switch fails.
Beginning in privileged EXEC mode, follow these steps to configure the port priority of an interface. This procedure is optional:
Step 1  configure terminal  Enter global configuration mode.
Step 2  interface interface-id  Enter interface configuration mode, and specify an interface to configure. Valid interfaces include physical interfaces and port-channel logical interfaces (port-channel port-channel-number).
Configuring the Path Cost
The spanning-tree path cost default value is derived from the media speed of an interface. If a loop occurs, spanning tree uses cost when selecting an interface to put in the forwarding state. You can assign lower cost values to interfaces that you want selected first and higher cost values to interfaces that you want selected last.
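The bridge ID layout in Table 11-1, the root election rule (lowest priority, then lowest MAC), the secondary-root priority of 28672, the default port costs from Table 11-3 and the path-cost selection described just above can be exercised together. The Python below is an added example, not code from the guide or from Cisco: it builds the 16-bit priority field from a switch priority and a VLAN ID, elects the root for a VLAN, and picks a root port by cumulative cost with an optional per-port cost override (the effect of the spanning-tree cost command). The three-switch topology, MAC addresses and uplink speeds are constructed; the tiebreak order in root_port is a simplification that omits the sender port ID.

```python
from typing import Dict, List, Optional, Tuple

PRIORITY_STEP = 4096                              # each of the 4 priority bits is worth 4096
DEFAULT_PORT_COST = {1000: 4, 100: 19, 10: 100}   # Table 11-3 defaults by media speed (Mbps)

def bridge_priority_field(priority: int, vlan_id: int) -> int:
    """16-bit priority field: switch priority in bits 13-16 plus the VLAN ID in bits 1-12."""
    if priority % PRIORITY_STEP or not 0 <= priority <= 61440:
        raise ValueError("switch priority must be a multiple of 4096 between 0 and 61440")
    if not 1 <= vlan_id <= 4094:
        raise ValueError("VLAN ID must fit in the 12-bit extended system ID")
    return priority + vlan_id

def bridge_id(priority: int, vlan_id: int, mac: str) -> Tuple[int, int]:
    """Comparable bridge ID: the lower tuple wins, first on priority field, then on MAC."""
    return (bridge_priority_field(priority, vlan_id), int(mac.replace(".", "").replace(":", ""), 16))

def elect_root(switches: Dict[str, Tuple[int, str]], vlan_id: int) -> str:
    """switches maps name -> (switch priority, MAC). Returns the name with the lowest bridge ID."""
    return min(switches, key=lambda name: bridge_id(switches[name][0], vlan_id, switches[name][1]))

def root_port(uplinks: List[dict], cost_override: Optional[Dict[str, int]] = None) -> str:
    """Root port among this switch's uplinks. Each uplink carries the port name, its speed,
    the root path cost the neighbor advertises, the neighbor's bridge ID, and the local port
    priority and number. Ranking (a simplification of 802.1D that omits the sender port ID):
    lowest cost to the root, then lowest neighbor bridge ID, then lowest local port priority
    and port number. cost_override models the spanning-tree cost interface command."""
    cost_override = cost_override or {}

    def rank(u: dict):
        own_cost = cost_override.get(u["port"], DEFAULT_PORT_COST[u["speed"]])
        return (u["neighbor_root_cost"] + own_cost, u["neighbor_bridge_id"],
                u["port_priority"], u["port_number"])

    return min(uplinks, key=rank)["port"]

# Constructed topology: three switches in VLAN 1 (default priority 32768), Switch C dual-homed.
SWITCHES = {"A": (32768, "0000.0c00.0001"), "B": (32768, "0000.0c00.0002"), "C": (32768, "0000.0c00.0003")}
VLAN = 1

def bid(name: str) -> Tuple[int, int]:
    return bridge_id(SWITCHES[name][0], VLAN, SWITCHES[name][1])

# Switch C: Fa0/1 runs at 100 Mbps straight to the root A (A advertises cost 0);
# Gi0/1 runs at 1000 Mbps to B, which is itself 100 Mbps from A (B advertises cost 19).
C_UPLINKS = [
    {"port": "Fa0/1", "speed": 100, "neighbor_root_cost": 0, "neighbor_bridge_id": bid("A"),
     "port_priority": 128, "port_number": 1},
    {"port": "Gi0/1", "speed": 1000, "neighbor_root_cost": 19, "neighbor_bridge_id": bid("B"),
     "port_priority": 128, "port_number": 25},
]

if __name__ == "__main__":
    print("root for VLAN 1:", elect_root(SWITCHES, VLAN))
    print("root port on C (default costs):", root_port(C_UPLINKS))
    print("root port on C (Fa0/1 cost 30):", root_port(C_UPLINKS, {"Fa0/1": 30}))
```

With default costs Fa0/1 wins (19 against 4 + 19 = 23); raising Fa0/1 to 30 moves the root port to Gi0/1, which is exactly the lever the path-cost section describes.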
To return the interface to its default setting, use the no spanning-tree [vlan vlan-id] cost interface configuration command. For information on how to configure load sharing on trunk ports by using spanning-tree path costs, see the “Load Sharing Using STP” section on page 13-18.
Configuring the Switch Priority of a VLAN
You can configure the switch priority and make it more likely that the switch will be chosen as the root switch.
Configuring Spanning-Tree Timers
Table 11-4 describes the timers that affect the entire spanning-tree performance.
Table 11-4 Spanning-Tree Timers
Variable  Description
Hello timer  Determines how often the switch broadcasts hello messages to other switches.
Forward-delay timer  Determines how long each of the listening and learning states last before the interface begins forwarding.
Configuring the Forwarding-Delay Time for a VLAN
Beginning in privileged EXEC mode, follow these steps to configure the forwarding-delay time for a VLAN. This procedure is optional:
Step 1  configure terminal  Enter global configuration mode.
Step 2  spanning-tree vlan vlan-id forward-time seconds  Configure the forward time of a VLAN.
Displaying the Spanning-Tree Status
To display the spanning-tree status, use one or more of the privileged EXEC commands in Table 11-5:
Table 11-5 Commands for Displaying Spanning-Tree Status
Command  Purpose
show spanning-tree active  Displays spanning-tree information on active interfaces only.
show spanning-tree detail  Displays a detailed summary of interface information.
Chapter 12 Configuring Optional Spanning-Tree Features
This chapter describes how to configure optional spanning-tree features. You can configure all of these features when your Catalyst 2940 switch is running the per-VLAN spanning tree plus (PVST+) mode. For information on configuring the Spanning Tree Protocol (STP), see Chapter 11, “Configuring STP.”
Note For complete syntax and usage information for the commands used in this chapter, refer to the command reference for this release.
Ports connected to a single workstation or server should not receive bridge protocol data units (BPDUs). A port with Port Fast enabled goes through the normal cycle of spanning-tree status changes when the switch is restarted.
Note Because the purpose of Port Fast is to minimize the time ports must wait for spanning-tree to converge, it is effective only when used on ports connected to end stations.
The BPDU guard feature provides a secure response to invalid configurations because you must manually put the port back in service. Use the BPDU guard feature in a service-provider network to prevent an access port from participating in the spanning tree. If your switch is running PVST+, you can enable the BPDU guard feature for the entire switch or for an interface.
Figure 12-2 Switches in a Hierarchical Network (backbone switches with the root bridge, distribution switches, and access switches; Catalyst 3550 switches; active link, blocked link)
If a switch loses connectivity, it begins using the alternate paths as soon as the spanning tree selects a new root port.
Figure 12-3 UplinkFast Example Before Direct Link Failure (Switch A (Root), Switch B, Switch C; links L1, L2, L3; blocked port on Switch C)
If Switch C detects a link failure on the currently active link L2 on the root port (a direct link failure), UplinkFast unblocks the blocked port on Switch C and transitions it to the forwarding state without going through the listening and learning states, as shown in Figure 12-4.
The switch tries to determine if it has an alternate path to the root switch. If the inferior BPDU arrives on a blocked port, the root port and other blocked ports on the switch become alternate paths to the root switch. (Self-looped ports are not considered alternate paths to the root switch.) If the inferior BPDU arrives on the root port, all blocked ports become alternate paths to the root switch.
Figure 12-6 BackboneFast Example After Indirect Link Failure (Switch A (Root), Switch B; links L1 and L3; link failure; BackboneFast transitions the port through the listening and learning states to the forwarding state)
If the switch detects a misconfiguration on the other device, EtherChannel guard places the switch interfaces in the error-disabled state, and this error message appears:
PM-4-ERR_DISABLE: Channel-misconfig error detected on [chars], putting [chars] in err-disable state.
Understanding Loop Guard
You can use loop guard to prevent alternate or root ports from becoming designated ports because of a failure that leads to a unidirectional link. This feature is most effective when it is configured on the entire switched network. If your switch is running PVST+, you can enable this feature by using the spanning-tree loopguard default global configuration command.
Optional Spanning-Tree Configuration Guidelines
The UplinkFast, BackboneFast, and cross-stack UplinkFast features are not supported with the rapid PVST+ or the MSTP.
Enabling Port Fast (Optional)
A port with the Port Fast feature enabled is moved directly to the spanning-tree forwarding state without waiting for the standard forward-time delay.
Enabling BPDU Guard (Optional)
When you globally enable BPDU guard on ports that are Port Fast-enabled (the ports are in a Port Fast-operational state), spanning tree shuts down Port Fast-enabled ports that receive BPDUs. In a valid configuration, Port Fast-enabled ports do not receive BPDUs.
Caution Configure Port Fast only on ports that connect to end stations; otherwise, an accidental topology loop could cause a data packet loop and disrupt switch and network operation.
You can also use the spanning-tree bpdufilter enable interface configuration command to enable BPDU filtering on any port without also enabling the Port Fast feature.
Beginning in privileged EXEC mode, follow these steps to enable UplinkFast. This procedure is optional:
Step 1  configure terminal  Enter global configuration mode.
Step 2  spanning-tree uplinkfast [max-update-rate pkts-per-second]  Enable UplinkFast. (Optional) For pkts-per-second, the range is 0 to 32000 packets per second; the default is 150.
To disable the BackboneFast feature, use the no spanning-tree backbonefast global configuration command.
Enabling EtherChannel Guard (Optional)
You can enable EtherChannel guard to detect an EtherChannel misconfiguration that causes a loop. Beginning in privileged EXEC mode, follow these steps to enable EtherChannel guard.
Step 3  spanning-tree guard root  Enable root guard on the interface. By default, root guard is disabled on all interfaces.
Step 4  end  Return to privileged EXEC mode.
Step 5  show running-config  Verify your entries.
Step 6  copy running-config startup-config  (Optional) Save your entries in the configuration file.
Chapter 12 Configuring Optional Spanning-Tree Features Displaying the Spanning-Tree Status Displaying the Spanning-Tree Status To display the spanning-tree status, use one or more of the privileged EXEC commands in Table 12-2: Table 12-2 Commands for Displaying the Spanning-Tree Status Command Purpose show spanning-tree active Displays spanning-tree information on active interfaces only. show spanning-tree detail Displays a detailed summary of interface information.
CHAPTER 13 Configuring VLANs
This chapter describes how to configure the four supported normal-range VLANs (VLAN IDs 1 to 1005) on your Catalyst 2940 switch. This chapter includes information about VLAN modes and the VLAN Membership Policy Server (VMPS).
Note: For complete syntax and usage information for the commands used in this chapter, refer to the command reference for this release.

Understanding VLANs
Figure 13-1 shows an example of VLANs segmented into logically defined networks.
Figure 13-1 VLANs as Logically Defined Networks (figure: an Engineering VLAN, a Marketing VLAN, and an Accounting VLAN spanning Floors 1 to 3, interconnected through a Cisco router over Fast Ethernet)
VLANs are often associated with IP subnetworks. For example, all the end stations in a particular IP subnet belong to the same VLAN.

VLAN Port Membership Modes
You configure a port to belong to a VLAN by assigning a membership mode that determines the kind of traffic the port carries and the number of VLANs to which it can belong. Table 13-1 lists the membership modes and membership and VTP characteristics.

Configuring Normal-Range VLANs
Normal-range VLANs are VLANs with VLAN IDs 1 to 1005. If the switch is in VTP server or transparent mode, you can add, modify, or remove configurations for VLANs 2 to 1001 in the VLAN database. (VLAN IDs 1 and 1002 to 1005 are automatically created and cannot be removed.) Configurations for VLAN IDs 1 to 1005 are written to the file vlan.
• Creating or Modifying an Ethernet VLAN, page 13-7
• Deleting a VLAN, page 13-9
• Assigning Static-Access Ports to a VLAN, page 13-10

Token Ring VLANs
Although the switch does not support Token Ring connections, a remote device such as a Catalyst 5000 series switch with Token Ring connections could be managed from one of the supported switches.

VLAN Configuration in config-vlan Mode
To access config-vlan mode, enter the vlan global configuration command with a VLAN ID. Enter a new VLAN ID to create a VLAN, or an existing VLAN ID to modify that VLAN. You can use the default VLAN configuration (Table 13-2) or enter multiple commands to configure the VLAN.

Default Ethernet VLAN Configuration
Table 13-2 shows the default configuration for Ethernet VLANs.
Note: The switch supports Ethernet interfaces exclusively. Because FDDI and Token Ring VLANs are not locally supported, you only configure FDDI and Token Ring media-specific characteristics for VTP global advertisements to other switches.
Table 13-2 Ethernet VLAN Defaults and Ranges
Parameter: VLAN ID. Default: 1. Range: 1 to 1005.

Step 4  mtu mtu-size: (Optional) Change the MTU size (or other VLAN characteristic).
Step 5  remote-span: (Optional) Configure the VLAN as the RSPAN VLAN for a remote SPAN session. For more information on remote SPAN, see Chapter 20, "Configuring SPAN."
Step 6  end: Return to privileged EXEC mode.
Step 7  show vlan {name vlan-name | id vlan-id}: Verify your entries.

Note: You cannot configure an RSPAN VLAN in VLAN database configuration mode.
To return the VLAN name to the default settings, use the no vlan vlan-id name or no vlan vlan-id mtu VLAN configuration command.
This example shows how to use VLAN database configuration mode to create Ethernet VLAN 20, name it test20, and add it to the VLAN database:
Switch# vlan database
Switch(vlan)# vlan 20 name test20
Switch(vlan)# exit
APPLY completed.
Exiting....

Assigning Static-Access Ports to a VLAN
You can assign a static-access port to a VLAN without having VTP globally propagate VLAN configuration information by disabling VTP (VTP transparent mode). If you are assigning a port on a cluster member switch to a VLAN, first use the rcommand privileged EXEC command to log in to the member switch.
Note: If you assign an interface to a VLAN that does not exist, the new VLAN is created.

Displaying VLANs
Use the show vlan privileged EXEC command to display a list of all VLANs on the switch. The display includes VLAN status, ports, and configuration information. To view normal-range VLANs in the VLAN database (1 to 1005), use the show VLAN configuration command (accessed by entering the vlan database privileged EXEC command).
Configuring VLAN Trunks
Figure 13-2 shows a network of switches that are connected by 802.1Q trunks.
Figure 13-2 Catalyst 2940, 2900 XL, and 3500 XL Switches in an 802.1Q Trunking Environment (figure: a Catalyst 6000 series switch connected by 802.1Q trunks to a Catalyst 2900 XL switch, a Catalyst 3500 XL switch, and a Catalyst 2940 switch, each carrying VLAN1, VLAN2, and VLAN3)

Table 13-4 Layer 2 Interface Modes (continued)
switchport mode dynamic auto: Makes the interface able to convert the link to a trunk link. The interface becomes a trunk interface if the neighboring interface is set to trunk or desirable mode.
switchport mode trunk: Puts the interface into permanent trunking mode and negotiates to convert the link into a trunk link.

Configuring an Ethernet Interface as a Trunk Port
Because trunk ports send and receive VTP advertisements, to use VTP you must ensure that at least one trunk port is configured on the switch and that this trunk port is connected to the trunk port of a second switch. Otherwise, the switch cannot receive any VTP advertisements.

Step 3  switchport mode {dynamic {auto | desirable} | trunk}: Configure the interface as a Layer 2 trunk (required only if the interface is a Layer 2 access port or to specify the trunking mode).
  • dynamic auto: Set the interface to a trunk link if the neighboring interface is set to trunk or desirable mode.
  • dynamic desirable: Set the interface to a trunk link if the neighboring interface is set to trunk, desirable, or auto mode.

Defining the Allowed VLANs on a Trunk
By default, a trunk port sends traffic to and receives traffic from all VLANs. All VLAN IDs, 1 to 1005, are allowed on each trunk. However, you can remove VLANs from the allowed list, preventing traffic from those VLANs from passing over the trunk.

This example shows how to remove VLAN 2 from the allowed VLAN list:
Switch(config)# interface fastethernet0/1
Switch(config-if)# switchport trunk allowed vlan remove 2
Switch(config-if)# end
Switch#

Changing the Pruning-Eligible List
The pruning-eligible list applies only to trunk ports. Each trunk port has its own eligibility list. VTP pruning must be enabled for this procedure to take effect.

Beginning in privileged EXEC mode, follow these steps to configure the native VLAN on an 802.1Q trunk:
Step 1  configure terminal: Enter global configuration mode.
Step 2  interface interface-id: Enter interface configuration mode, and define the interface that is configured as the 802.1Q trunk.
Step 3  switchport trunk native vlan vlan-id: Configure the VLAN that is sending and receiving untagged traffic on the trunk port.

In this way, Trunk 1 carries traffic for VLANs 8 through 10, and Trunk 2 carries traffic for VLANs 3 through 6. If the active trunk fails, the trunk with the lower priority takes over and carries the traffic for all of the VLANs. No duplication of traffic occurs over any trunk port.

Step 17  spanning-tree vlan 8 port-priority 10: Assign the port priority of 10 for VLAN 8.
Step 18  spanning-tree vlan 9 port-priority 10: Assign the port priority of 10 for VLAN 9.
Step 19  spanning-tree vlan 10 port-priority 10: Assign the port priority of 10 for VLAN 10.
Step 20  exit: Return to global configuration mode.
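The settings that chapter 12 cautions about (Port Fast on a port without BPDU guard, BPDU filtering) and the trunk settings from this chapter (a port left at the default switchport mode of dynamic desirable, which negotiates itself into a trunk; a trunk whose native VLAN is VLAN 1 or is also used by an access port, so that untagged trunk frames reach end-station ports; a native VLAN that was removed from the allowed list) are the kind of thing worth checking across many switches at once. The following Python audit, an added example that is not part of this guide or of Cisco IOS, reads a running-config and reports them. The config text, the interface names, and the finding codes are this example's own constructions; the `add`, `except`, `all` keyword forms of switchport trunk allowed vlan are standard IOS forms not shown on this page.

```python
"""Offline audit of a Catalyst 2940 running-config for the Port Fast/BPDU guard
settings from chapter 12 and the trunk, DTP and native-VLAN settings from
chapter 13. Added example, not Cisco code; the config below is constructed."""
import re

ALL_VLANS = frozenset(range(1, 1006))   # normal-range VLAN IDs 1 to 1005

CONSTRUCTED_CONFIG = """\
interface FastEthernet0/1
 switchport mode trunk
 switchport trunk allowed vlan remove 2
!
interface FastEthernet0/2
 switchport access vlan 10
 switchport mode access
 spanning-tree portfast
 spanning-tree bpduguard enable
!
interface FastEthernet0/3
 switchport mode trunk
 switchport trunk native vlan 99
 spanning-tree bpdufilter enable
!
interface FastEthernet0/4
 spanning-tree portfast
!
"""


def parse_interfaces(text):
    """Map each 'interface X' block to its (stripped) configuration lines."""
    interfaces, current = {}, None
    for raw in text.splitlines():
        m = re.match(r'interface (\S+)$', raw)
        if m:
            current = m.group(1)
            interfaces[current] = []
        elif raw.startswith(' ') and current is not None:
            interfaces[current].append(raw.strip())
        else:
            current = None          # '!' or any global line closes the block
    return interfaces


def _expand(spec):
    """Expand an IOS VLAN list such as '10,20-30,99' into a set of IDs."""
    ids = set()
    for part in spec.split(','):
        lo, _, hi = part.partition('-')
        ids.update(range(int(lo), int(hi or lo) + 1))
    return ids


def allowed_vlans(lines):
    """Replay 'switchport trunk allowed vlan' commands in order. The default is
    every VLAN 1 to 1005; 'remove' is the form the guide shows, and 'add',
    'except', 'all' and a bare list are the other IOS keyword forms."""
    allowed = set(ALL_VLANS)
    for line in lines:
        if not line.startswith('switchport trunk allowed vlan '):
            continue
        args = line.split()[4:]
        if args[0] == 'all':
            allowed = set(ALL_VLANS)
        elif args[0] == 'add':
            allowed |= _expand(args[1])
        elif args[0] == 'remove':
            allowed -= _expand(args[1])
        elif args[0] == 'except':
            allowed = set(ALL_VLANS) - _expand(args[1])
        else:
            allowed = _expand(args[0])
    return allowed


def audit(text):
    """Return sorted (interface, finding-code) pairs."""
    guard_default = 'spanning-tree portfast bpduguard default' in text.splitlines()
    findings, access_vlans, trunks = [], {}, {}
    for name, lines in parse_interfaces(text).items():
        mode = next((l.split()[2] for l in lines
                     if l.startswith('switchport mode ')), 'dynamic')
        if 'spanning-tree portfast' in lines and not (
                guard_default or 'spanning-tree bpduguard enable' in lines):
            findings.append((name, 'PORTFAST_NO_BPDUGUARD'))
        if 'spanning-tree bpdufilter enable' in lines:
            findings.append((name, 'BPDUFILTER'))   # a loop here is invisible to STP
        if mode == 'dynamic':
            # no explicit mode: the 2940 default is dynamic desirable, so the
            # port becomes a trunk as soon as the neighbor negotiates one
            findings.append((name, 'DTP_NEGOTIABLE'))
        if mode == 'trunk':
            native = next((int(l.split()[-1]) for l in lines
                           if l.startswith('switchport trunk native vlan ')), 1)
            trunks[name] = (native, allowed_vlans(lines))
        else:
            access_vlans[name] = next((int(l.split()[-1]) for l in lines
                                       if l.startswith('switchport access vlan ')), 1)
    for name, (native, allowed) in trunks.items():
        if native == 1:
            findings.append((name, 'NATIVE_VLAN_1'))
        if native in set(access_vlans.values()):
            findings.append((name, 'NATIVE_VLAN_SHARED'))   # untagged frames reach access ports
        if native not in allowed:
            findings.append((name, 'NATIVE_NOT_ALLOWED'))   # untagged traffic is dropped
    return sorted(findings)
```

Run `audit(CONSTRUCTED_CONFIG)` to get the list; on the sample, FastEthernet0/4 is reported for Port Fast without BPDU guard and for DTP negotiation, FastEthernet0/1 for trunking on native VLAN 1 while an access port uses VLAN 1, and FastEthernet0/3 for BPDU filtering. Adding spanning-tree portfast bpduguard default globally clears the first finding for every port.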
Beginning in privileged EXEC mode, follow these steps to configure the network shown in Figure 13-4:
Step 1  configure terminal: Enter global configuration mode on Switch 1.
Step 2  interface fastethernet 0/1: Enter interface configuration mode, and define Fast Ethernet port 0/1 as the interface to be configured as a trunk.
Step 3  switchport mode trunk: Configure the port as a trunk port.
Step 4  exit: Return to global configuration mode.

Configuring VMPS
• "Monitoring the VMPS" section on page 13-28
• "Troubleshooting Dynamic Port VLAN Membership" section on page 13-29
• "VMPS Configuration Example" section on page 13-29

Understanding VMPS
When the VMPS receives a VQP request from a client switch, it searches its database for a MAC-address-to-VLAN mapping. The server response is based on this mapping and whether or not the server is in secure mode.

If the link goes down on a dynamic port, the port returns to an isolated state and does not belong to a VLAN. Any hosts that come online through the port are checked again through the VQP with the VMPS before the port is assigned to a VLAN.

VMPS Database Configuration File
The VMPS contains a database configuration file that you create. This ASCII text file is stored on a switch-accessible TFTP server that functions as a server for VMPS.

! address vlan-name
!
address 0012.2233.4455 vlan-name hardware
address 0000.6509.a080 vlan-name hardware
address aabb.ccdd.eeff vlan-name Green
address 1223.5678.9abc vlan-name ExecStaff
address fedc.ba98.7654 vlan-name --NONE--
address fedc.ba23.1245 vlan-name Purple
!
!Port Groups
!
!vmps-port-group
! device { port | all-ports }
!
vmps-port-group WiringCloset1
 device 198.92.30.32 port 0/2
 device 172.20.
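Because the database file is plain text on a TFTP server, a typo in a MAC address or a duplicated entry silently changes which VLAN a host lands in. The following parser, an added example that is not part of this guide or of Cisco's VMPS, reads the address lines in the layout shown above, reports malformed and duplicate entries, and models the response to a VQP lookup. The database text is constructed for the example (it deliberately contains one duplicate and one invalid MAC); the response rules, deny in open mode and shut down in secure mode when a MAC is unknown or mapped to --NONE--, are this example's reading of VMPS behaviour, since the page only says the response depends on the mapping and on secure mode.

```python
"""Parser for the VMPS database file layout shown above plus a lookup that
models the VQP response. Added example, not Cisco code. The open/secure-mode
rules in resolve() are an assumption about VMPS, not taken from this page."""
import re

DENY_NAME = '--NONE--'

# Constructed database file (hypothetical entries in the guide's layout).
CONSTRUCTED_DB = """\
!VMPS database, constructed for this example
!address <addr> vlan-name <vlan_name>
!
address 0012.2233.4455 vlan-name hardware
address aabb.ccdd.eeff vlan-name Green
address fedc.ba98.7654 vlan-name --NONE--
address 0012.2233.4455 vlan-name Purple
address 0012.2233.44zz vlan-name Blue
!
!Port Groups
!
vmps-port-group WiringCloset1
 device 198.92.30.32 port 0/2
"""


def normalize_mac(mac):
    """Accept 0012.2233.4455, 00:12:22:33:44:55 or 00-12-22-33-44-55 and
    return the dotted lower-case form used in the database."""
    digits = re.sub(r'[.:-]', '', mac).lower()
    if not re.fullmatch(r'[0-9a-f]{12}', digits):
        raise ValueError('not a MAC address: %r' % mac)
    return '%s.%s.%s' % (digits[0:4], digits[4:8], digits[8:12])


def load_vmps_db(text):
    """Return ({mac: vlan_name}, [warnings]) from the 'address' lines.
    Lines starting with '!' are comments; port-group sections are skipped.
    On a duplicate MAC the first entry wins and the second is reported."""
    mapping, warnings = {}, []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith('!'):
            continue
        fields = line.split()
        if fields[0] != 'address':
            continue
        if len(fields) != 4 or fields[2] != 'vlan-name':
            warnings.append('line %d: malformed address entry' % lineno)
            continue
        try:
            mac = normalize_mac(fields[1])
        except ValueError:
            warnings.append('line %d: invalid MAC %s' % (lineno, fields[1]))
            continue
        if mac in mapping:
            warnings.append('line %d: duplicate entry for %s ignored' % (lineno, mac))
            continue
        mapping[mac] = fields[3]
    return mapping, warnings


def resolve(mapping, mac, secure_mode):
    """Model the VMPS answer to a VQP request for one MAC address."""
    vlan = mapping.get(normalize_mac(mac))
    if vlan is not None and vlan != DENY_NAME:
        return ('assign', vlan)
    # no mapping, or an explicit --NONE-- entry: the port is not assigned;
    # assumed behaviour: denied in open mode, shut down in secure mode
    return ('shutdown', None) if secure_mode else ('deny', None)


if __name__ == '__main__':
    db, problems = load_vmps_db(CONSTRUCTED_DB)
    for p in problems:
        print('warning:', p)
    print(resolve(db, 'AA:BB:CC:DD:EE:FF', secure_mode=False))
```

The loader normalizes every address before it is stored, so a request arriving in colon or dash notation still matches the dotted form in the file; running the loader over the file before it is uploaded to the TFTP server catches the two bad lines in the sample.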
VMPS Configuration Guidelines
These guidelines and restrictions apply to dynamic access port VLAN membership:
• You should configure the VMPS before you configure ports as dynamic.
• The communication between a cluster of switches and VMPS is managed by the command switch and includes port-naming conventions that are different from standard port names.

Step 3  vmps server ipaddress: Enter the IP address of the switch acting as a secondary VMPS server. You can enter up to three secondary server addresses.
Step 4  end: Return to privileged EXEC mode.
Step 5  show vmps: Verify your entries in the VMPS Domain Server field of the display.
Step 6  copy running-config startup-config: (Optional) Save your entries in the configuration file.

To return an interface to its default configuration, use the default interface interface-id interface configuration command. To return an interface to its default switchport mode (dynamic desirable), use the no switchport mode interface configuration command. To reset the access mode to the default VLAN for the switch, use the no switchport access interface configuration command.

Changing the Retry Count
Beginning in privileged EXEC mode, follow these steps to change the number of times that the switch attempts to contact the VMPS before querying the next server:
Step 1  configure terminal: Enter global configuration mode.
Step 2  vmps retry count: Change the retry count. The retry range is from 1 to 10; the default is 3.
Step 3  end: Return to privileged EXEC mode.

This is an example of output for the show vmps privileged EXEC command:
Switch# show vmps
VQP Client Status:
--------------------
VMPS VQP Version:   1
Reconfirm Interval: 60 min
Server Retry Count: 3
VMPS domain server: 172.20.128.86 (primary, current)
                    172.20.128.

Figure 13-5 Dynamic Port VLAN Membership Configuration (figure: a TFTP server; a Catalyst 5000 series switch as the primary VMPS, Server 1, and a secondary VMPS, Server 2; a router; Switches 1 through 9 with dynamic-access ports toward end stations and clients and trunk ports toward the servers; addresses shown include 172.20.26.150, 172.20.22.7, 172.20.26.151, and 172.20.26.154 through 172.20.26.157)
CHAPTER 14 Configuring VTP
This chapter describes how to use the VLAN Trunking Protocol (VTP) and the VLAN database for managing VLANs on your Catalyst 2940 switch.
Note: For complete syntax and usage information for the commands used in this chapter, refer to the command reference for this release.

Understanding VTP

The VTP Domain
A VTP domain (also called a VLAN management domain) consists of one switch or several interconnected switches under the same administrative responsibility sharing the same VTP domain name. A switch can be in only one VTP domain. You make global VLAN configuration changes for the domain by using the command-line interface (CLI), Cluster Management Suite (CMS) software, or Simple Network Management Protocol (SNMP).

VTP Modes
You can configure a supported switch to be in one of the VTP modes listed in Table 14-1.
Table 14-1 VTP Modes
VTP server: In VTP server mode, you can create, modify, and delete VLANs and specify other configuration parameters (such as the VTP version) for the entire VTP domain.

• MD5 digest VLAN configuration, including maximum transmission unit (MTU) size for each VLAN.
• Frame format
VTP advertisements distribute this VLAN information for each configured VLAN:
• VLAN IDs
• VLAN name
• VLAN type
• VLAN state
• Additional VLAN configuration information specific to the VLAN type

VTP Version 2
If you use VTP in your network, you must decide whether to use version 1 or version 2. By default, VTP operates in version 1.

Figure 14-1 shows a switched network without VTP pruning enabled. Port 1 on Switch 1 and Port 2 on Switch 4 are assigned to the Red VLAN. If a broadcast is sent from the host connected to Switch 1, Switch 1 floods the broadcast and every switch in the network receives it, even though Switches 3, 5, and 6 have no ports in the Red VLAN.
Figure 14-1 Flooding Traffic without VTP Pruning (figure; residue labels: Switch 4, Port 2, "Flooded traffic is pruned.")

Configuring VTP
VTP pruning is not designed to function in VTP transparent mode. If one or more switches in the network are in VTP transparent mode, you should do one of these:
• Turn off VTP pruning in the entire network.
• Turn off VTP pruning by making all VLANs on the trunk of the switch upstream to the VTP transparent switch pruning ineligible.

VTP Configuration Options
You can configure VTP by using these configuration modes.
• VTP Configuration in Global Configuration Mode, page 14-7
• VTP Configuration in VLAN Configuration Mode, page 14-7
You access VLAN configuration mode by entering the vlan database privileged EXEC command. For detailed information about vtp commands, refer to the command reference for this release.

VTP Configuration Guidelines
These sections describe guidelines you should follow when implementing VTP in your network.

Domain Names
When configuring VTP for the first time, you must always assign a domain name. You must configure all switches in the VTP domain with the same domain name. Switches in VTP transparent mode do not exchange VTP messages with other switches, and you do not need to configure a VTP domain name for them.

• Do not enable VTP version 2 on a switch unless all of the switches in the same VTP domain are version-2-capable. When you enable version 2 on a switch, all of the version-2-capable switches in the domain enable version 2. If there is a version 1-only switch, it does not exchange VTP information with switches with version 2 enabled.

Switch(config)# vtp domain eng_group
Switch(config)# vtp password mypassword
Switch(config)# end
You can also use VLAN configuration mode to configure VTP parameters. Beginning in privileged EXEC mode, follow these steps to use VLAN configuration mode to configure the switch as a VTP server:
Step 1  vlan database: Enter VLAN configuration mode.
Step 2  vtp server: Configure the switch for VTP server mode (the default).

Beginning in privileged EXEC mode, follow these steps to configure the switch as a VTP client:
Step 1  configure terminal: Enter global configuration mode.
Step 2  vtp mode client: Configure the switch for VTP client mode. The default setting is VTP server.
Step 3  vtp domain domain-name: (Optional) Enter the VTP administrative-domain name. The name can be from 1 to 32 characters. This should be the same domain name as the VTP server.
Step 4  show vtp status: Verify your entries in the VTP Operating Mode and the VTP Domain Name fields of the display.
Step 5  copy running-config startup-config: (Optional) Save the configuration in the startup configuration file.
Note: Only VTP mode and domain name are saved in the switch running configuration and can be copied to the startup configuration file.

Note: You can also enable VTP version 2 by using the vlan database privileged EXEC command to enter VLAN configuration mode and entering the vtp v2-mode VLAN configuration command. To disable VTP version 2, use the no vtp v2-mode VLAN configuration command.

Enabling VTP Pruning
Pruning increases available bandwidth by restricting flooded traffic to those trunk links that the traffic must use to access the destination devices.

Beginning in privileged EXEC mode, follow these steps to verify and reset the VTP configuration revision number on a switch before adding it to a VTP domain:
Step 1  show vtp status: Check the VTP configuration revision number. If the number is 0, add the switch to the VTP domain. If the number is greater than 0, follow these steps:
  a. Write down the domain name.
  b. Write down the configuration revision number.
  c.
Monitoring VTP
You monitor VTP by displaying VTP configuration information: the domain name, the current VTP revision, and the number of VLANs. You can also display statistics about the advertisements sent and received by the switch. Table 14-3 shows the privileged EXEC commands for monitoring VTP activity.
Table 14-3 VTP Monitoring Commands
show vtp status: Display the VTP switch configuration information.
CHAPTER 15 Configuring Voice VLAN
This chapter describes how to configure the voice VLAN feature on your Catalyst 2940 switch. Voice VLAN is referred to as an auxiliary VLAN in the Catalyst 6000 family switch documentation.
Note: For complete syntax and usage information for the commands used in this chapter, refer to the command reference for this release.

Configuring Voice VLAN
Figure 15-1 shows one way to connect a Cisco 7960 IP Phone.
Figure 15-1 Cisco 7960 IP Phone Connected to a Switch (figure: the phone contains a 3-port switch whose ports P1, P2, and P3 link the Catalyst 2940 switch access port, the phone ASIC, and a PC)
When the IP Phone connects to the switch, the access port (PC-to-telephone jack) of the IP phone can connect to a PC.

Voice VLAN Configuration Guidelines
These are the voice VLAN configuration guidelines:
• You should configure voice VLAN on switch access ports.
• The Port Fast feature is automatically enabled when voice VLAN is configured. When you disable voice VLAN, the Port Fast feature is not automatically disabled.

Configuring Ports to Carry Voice Traffic in 802.1Q Frames
Beginning in privileged EXEC mode, follow these steps to configure a port to carry voice traffic in 802.1Q frames for a specific VLAN:
Step 1  configure terminal: Enter global configuration mode.
Step 2  interface interface-id: Specify the interface connected to the IP phone, and enter interface configuration mode.

Overriding the CoS Priority of Incoming Data Frames
You can connect a PC or other data device to a Cisco 7960 IP Phone port. The PC can generate packets with an assigned CoS value. You can configure the switch to override the priority of frames arriving on the IP phone port from connected devices.

To return the port to its default setting, use the no switchport priority extend interface configuration command or the switchport priority extend cos 0 interface configuration command.

Displaying Voice VLAN
To display voice VLAN for an interface, use the show interfaces interface-id switchport privileged EXEC command. For detailed information about the fields in the display, refer to the command reference for this release.
CHAPTER 16 Configuring IGMP Snooping and MVR
This chapter describes how to configure Internet Group Management Protocol (IGMP) snooping on your Catalyst 2940 switch, including an application of local IGMP snooping, Multicast VLAN Registration (MVR). It also includes procedures for controlling multicast group membership by using IGMP filtering and procedures for configuring the IGMP throttling action.

Understanding IGMP Snooping
the switch adds the host port number to the forwarding table entry; when it receives an IGMP Leave Group message from a host, it removes the host port from the table entry. It also periodically deletes entries if it does not receive IGMP membership reports from the multicast clients.
Note: For more information on IP multicast and IGMP, refer to RFC 1112 and RFC 2236.

An IGMPv3 switch can receive messages from and forward messages to a device running the Source Specific Multicast (SSM) feature. For more information, refer to the "Configuring IP Multicast Layer 3 Switching" chapter in the Catalyst 4500 Series Switch Cisco IOS Software Configuration Guide, Cisco IOS Release 12.1(12c)EW at this URL: http://www.cisco.com/univercd/cc/td/doc/product/lan/cat4000/12_1_12/config/mcastmls.

Note that the switch hardware can distinguish IGMP information packets from other packets for the multicast group.
• The first entry in the table tells the switching engine to send IGMP packets to only the switch CPU. This prevents the CPU from becoming overloaded with multicast frames.
• The second entry tells the switching engine to send frames addressed to the 0x0100.5E01.

When hosts want to leave a multicast group, they can either silently leave, or they can send a leave message. When the switch receives a leave message from a host, it sends out a MAC-based general query to determine if any other devices connected to that interface are interested in traffic for the specific multicast group.

Configuring IGMP Snooping
The default learning method is IP multicast-source-only learning. You can disable IP multicast-source-only learning by using the no ip igmp snooping source-only-learning global configuration command. By default, the switch ages out forwarding-table entries that were learned by the source-only learning method and that are not in use.

Enabling or Disabling IGMP Snooping
By default, IGMP snooping is globally enabled on the switch. When globally enabled or disabled, it is also enabled or disabled in all existing VLAN interfaces. IGMP snooping is enabled by default on all VLANs, but it can be enabled and disabled on a per-VLAN basis. Global IGMP snooping overrides the VLAN IGMP snooping. If global snooping is disabled, you cannot enable VLAN snooping.

listens to only CGMP self-join and CGMP proxy-join packets and no other CGMP packets. To learn of multicast router ports through only PIM-DVMRP packets, use the ip igmp snooping vlan vlan-id mrouter learn pim-dvmrp global configuration command.

Beginning in privileged EXEC mode, follow these steps to enable a static connection to a multicast router:
Step 1  configure terminal: Enter global configuration mode.
Step 2  ip igmp snooping vlan vlan-id mrouter interface interface-id: Specify the multicast router VLAN ID and specify the interface to the multicast router. For the VLAN ID, the range is 1 to 1005.
Step 3  end: Return to privileged EXEC mode.

This example shows how to statically configure a host on an interface and verify the configuration:
Switch# configure terminal
Switch(config)# ip igmp snooping vlan 1 static 0100.5e00.0203 interface gigabitethernet0/1
Switch(config)# end
Switch# show mac address-table multicast vlan 1
Vlan Mac Address Type Ports
--------------------
1 0100.5e00.
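The static entry above is keyed by a multicast MAC address (0100.5e00.0203) rather than by an IP group, because the snooping forwarding table is MAC-based: the low 23 bits of the group address are copied into the 01-00-5E prefix, so 32 IP groups map onto each MAC and share one table entry. The following Python model, an added example that is not part of this guide or of Cisco IOS, implements that mapping and a per-VLAN snooping table that behaves as the text describes: a report adds the port, a leave sends a general query on that port and removes it if nothing answers, and idle ports age out. The VLAN, group, port names and timer values are constructed; the query wait and aging time are parameters of the model, not the switch's configured values.

```python
"""Added example (not Cisco code): IP-multicast-group to MAC mapping and a
small per-VLAN IGMP snooping table driven by report/leave/tick calls."""
import ipaddress


def group_to_mac(group):
    """Map an IPv4 multicast group to its 0100.5exx.xxxx MAC address: the low
    23 bits of the group address are placed behind the 01-00-5E prefix."""
    addr = ipaddress.IPv4Address(group)
    if not addr.is_multicast:
        raise ValueError('%s is not a multicast group' % group)
    mac = 0x01005E000000 | (int(addr) & 0x7FFFFF)
    text = '%012x' % mac
    return '%s.%s.%s' % (text[0:4], text[4:8], text[8:12])


class SnoopingTable:
    """Forwarding entries keyed by (vlan, multicast MAC). Each entry holds the
    member ports with the time of their last report and, after a leave, the
    deadline by which a host on that port must answer the general query."""

    def __init__(self, query_wait=2, max_age=260):
        self.query_wait, self.max_age = query_wait, max_age   # seconds (constructed)
        self.entries = {}   # (vlan, mac) -> {port: {'last': t, 'deadline': t or None}}
        self.queries = []   # (vlan, mac, port, time) general queries "sent"

    def report(self, vlan, group, port, now):
        """IGMP membership report: add or refresh the port and clear any
        pending leave query for it."""
        key = (vlan, group_to_mac(group))
        self.entries.setdefault(key, {})[port] = {'last': now, 'deadline': None}

    def leave(self, vlan, group, port, now):
        """IGMP leave: send a MAC-based general query on that port and give
        other hosts on it query_wait seconds to re-report."""
        key = (vlan, group_to_mac(group))
        member = self.entries.get(key, {}).get(port)
        if member is not None:
            member['deadline'] = now + self.query_wait
            self.queries.append((vlan, key[1], port, now))

    def tick(self, now):
        """Expire ports whose query deadline passed without a report and ports
        whose last report is older than max_age; drop empty entries."""
        for key in list(self.entries):
            ports = self.entries[key]
            for port in list(ports):
                m = ports[port]
                if (m['deadline'] is not None and now >= m['deadline']) \
                        or now - m['last'] >= self.max_age:
                    del ports[port]
            if not ports:
                del self.entries[key]

    def ports(self, vlan, group):
        """Ports that currently receive traffic for the group in this VLAN."""
        return sorted(self.entries.get((vlan, group_to_mac(group)), {}))
```

One consequence worth knowing when reading show mac address-table multicast output: because 224.1.2.3 and 239.1.2.3 share the MAC 0100.5e01.0203, a port that joined either group receives traffic for both; the model reproduces that, and it is why the static entry in the example above cannot be read back as a single IP group.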
Chapter 16 Configuring IGMP Snooping and MVR Configuring IGMP Snooping Beginning in privileged EXEC mode, follow these steps to disable IGMP report suppression: Command Purpose Step 1 configure terminal Enter global configuration mode. Step 2 no ip igmp snooping report-suppression Disable IGMP report suppression. Step 3 end Return to privileged EXEC mode. Step 4 show ip igmp snooping Verify that IGMP report suppression is disabled.
Chapter 16 Configuring IGMP Snooping and MVR Displaying IGMP Snooping Information Current configuration : 1972 bytes ! version 12.
Chapter 16 Configuring IGMP Snooping and MVR Displaying IGMP Snooping Information To display IGMP snooping information, use one or more of the privileged EXEC commands in Table 16-4. Table 16-4 Commands for Displaying IGMP Snooping Information Command Purpose show ip igmp snooping [vlan vlan-id] Display the snooping configuration information for all VLANs on the switch or for a specified VLAN. (Optional) Enter vlan vlan-id to display information for a single VLAN.
Chapter 16 Configuring IGMP Snooping and MVR Understanding Multicast VLAN Registration Understanding Multicast VLAN Registration Multicast VLAN Registration (MVR) is designed for applications using wide-scale deployment of multicast traffic across an Ethernet ring-based service provider network (for example, the broadcast of multiple television channels over a service-provider network).
Chapter 16 Configuring IGMP Snooping and MVR Understanding Multicast VLAN Registration as a forwarding destination of the specified multicast stream when it is received from the multicast VLAN. Uplink ports that send and receive multicast data to and from the multicast VLAN are called MVR source ports. When a subscriber changes channels or turns off the television, the set-top box sends an IGMP leave message for the multicast stream.
Chapter 16 Configuring IGMP Snooping and MVR Configuring MVR MVR eliminates the need to duplicate television-channel multicast traffic for subscribers in each VLAN. Multicast traffic for all channels is only sent around the VLAN trunk once—only on the multicast VLAN. Although the IGMP leave and join message in the VLAN to which the subscriber port is assigned. These messages dynamically register for streams of multicast traffic in the multicast VLAN on the Layer 3 device.
Chapter 16 Configuring IGMP Snooping and MVR Configuring MVR MVR Configuration Guidelines and Limitations Follow these guidelines when configuring MVR: Note • Receiver ports cannot be trunk ports. Receiver ports on a switch can be in different VLANs, but should not belong to the multicast VLAN. • The maximum number of multicast entries that can be configured on a switch (that is, the maximum number of television channels that can be received) is 256.
Chapter 16 Configuring IGMP Snooping and MVR Configuring MVR Command Step 6 Purpose mvr mode {dynamic | compatible} (Optional) Specify the MVR mode of operation: • dynamic—Allows dynamic MVR membership on source ports. • compatible—Is compatible with Catalyst 3500 XL and Catalyst 2900 XL switches and does not support IGMP dynamic joins on source ports. The default is compatible mode. Step 7 end Return to privileged EXEC mode. Step 8 show mvr Verify the configuration.
Chapter 16 Configuring IGMP Snooping and MVR Configuring MVR Step 4 Command Purpose mvr type {source | receiver} Configure an MVR port as one of these: • source—Configure uplink ports that receive and send multicast data as source ports. Subscribers cannot be directly connected to source ports. All source ports on a switch belong to the single multicast VLAN. • receiver—Configure a port as a receiver port if it is a subscriber port and should only receive multicast data.
Chapter 16 Configuring IGMP Snooping and MVR Displaying MVR Information This is an example of output from the show mvr interface privileged EXEC command when the member keyword is included: Switch# show mvr interface fastethernet0/2 members 224.0.1.1 DYNAMIC ACTIVE Displaying MVR Information You can display MVR information for the switch or for a specified interface.
Chapter 16 Configuring IGMP Snooping and MVR Configuring IGMP Filtering and Throttling This is an example of output from the show mvr interface privileged EXEC command for a specified interface: Switch# show mvr interface fastethernet0/2 224.0.1.1 DYNAMIC ACTIVE This is an example of output from the show mvr interface privileged EXEC command when the members keyword is included: Switch# show mvr interface fastethernet0/2 members 224.0.1.
Chapter 16 Configuring IGMP Snooping and MVR Configuring IGMP Filtering and Throttling These sections describe how to configure IGMP filtering and throttling: • Default IGMP Filtering and Throttling Configuration, page 16-22 • Configuring IGMP Profiles, page 16-22 (optional) • Applying IGMP Profiles, page 16-23 (optional) • Setting the Maximum Number of IGMP Groups, page 16-25 (optional) • Configuring the IGMP Throttling Action, page 16-25 (optional) Default IGMP Filtering and Throttling Config
Chapter 16 Configuring IGMP Snooping and MVR Configuring IGMP Filtering and Throttling Beginning in privileged EXEC mode, follow these steps to create an IGMP profile: Command Purpose Step 1 configure terminal Enter global configuration mode. Step 2 ip igmp profile profile number Enter IGMP profile configuration mode, and assign a number to the profile you are configuring. The range is from 1 to 4294967295.
Beginning in privileged EXEC mode, follow these steps to apply an IGMP profile to a switch port:
Step 1: configure terminal
  Enter global configuration mode.
Step 2: interface interface-id
  Enter interface configuration mode, and enter the physical interface to configure, for example fastethernet0/3. The interface must be a Layer 2 port that does not belong to an EtherChannel port group.
Setting the Maximum Number of IGMP Groups
You can set the maximum number of IGMP groups that a Layer 2 interface can join by using the ip igmp max-groups interface configuration command. Use the no form of this command to set the maximum back to the default, which is no limit. You can use this command on a logical EtherChannel interface but cannot use it on ports that belong to an EtherChannel port group.
  – If you configure the throttling action as deny, the entries that were previously in the forwarding table are not removed but are aged out. After these entries are aged out and the maximum number of entries is in the forwarding table, the switch drops the next IGMP report received on the interface.
Displaying IGMP Filtering and Throttling Configuration
You can display IGMP profile characteristics, and you can display the IGMP profile and maximum group configuration for all interfaces on the switch or for a specified interface. You can also display the IGMP throttling configuration for all interfaces on the switch or for a specified interface.
Chapter 17 Configuring Port-Based Traffic Control
This chapter describes how to configure the port-based traffic control features on your Catalyst 2940 switch.
Note
For complete syntax and usage information for the commands used in this chapter, refer to the command reference for this release.
Configuring Storm Control
Storm control uses one of these methods to measure traffic activity:
• Bandwidth based
• Traffic rate at which packets are received (in packets per second) (available only on non-Long-Reach Ethernet [LRE] Catalyst 2950 switches)
The thresholds can either be expressed as a percentage of the total available bandwidth that can be used by the broadcast, multicast, or unicast traffic, or as the rate at which the interface receives
Step 3: storm-control {broadcast | multicast | unicast} level {level [level-low] | pps pps pps-low}
  Configure broadcast, multicast, or unicast storm control. For level, specify the rising threshold level for broadcast, multicast, or unicast traffic as a percentage of the bandwidth. The storm control action occurs when traffic utilization reaches this level.
Step 4: no storm-control action {shutdown | trap}
  Disable the specified storm control action.
Step 5: end
  Return to privileged EXEC mode.
Step 6: show storm-control {broadcast | multicast | unicast}
  Verify your entries.
Step 7: copy running-config startup-config
  (Optional) Save your entries in the configuration file.
Configuring Protected Ports
Configuring Port Security
Switch# show interfaces gigabitethernet0/1 switchport
Name: Gi0/1
Switchport: Enabled
The sticky secure MAC addresses do not automatically become part of the configuration file, which is the startup configuration used each time the switch restarts. If you save the sticky secure MAC addresses in the configuration file, when the switch restarts, the interface does not need to relearn these addresses. If you do not save the configuration, they are lost.
Default Port Security Configuration
Table 17-2 shows the default port security configuration for an interface.
Table 17-2 Default Port Security Configuration
Feature                                  Default Setting
Port security                            Disabled.
Maximum number of secure MAC addresses   One.
Violation mode                           Shutdown.
Sticky address learning                  Disabled.
Port security aging                      Disabled. Aging time is 0. When enabled, the default type is absolute.
Step 6: switchport port-security violation {protect | restrict | shutdown}
  (Optional) Set the violation mode, the action to be taken when a security violation is detected, as one of these:
  • protect—When the number of secure MAC addresses reaches the limit allowed on the port, packets with unknown source addresses are dropped until you remove a sufficient number of secure MAC addresses or increase the number o
To disable sticky learning on an interface, use the no switchport port-security mac-address sticky interface configuration command. The interface converts the sticky secure MAC addresses to dynamic secure addresses. To delete a static secure MAC address from the address table, use the clear port-security configured address mac-address privileged EXEC command.
1    0003.fd62.1d45    SecureConfigured    Fa0/5
1    0003.fd62.21d3    SecureSticky        Fa0/5
1    0005.7428.1a45    SecureSticky        Fa0/8
1    0005.7428.1a46    SecureSticky        Fa0/8
1    0006.1218.
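Sticky secure MAC addresses such as the SecureSticky rows above are lost on restart unless the running configuration is saved, as this section notes. The following Python script is an added example, not part of this guide or of Cisco IOS: it parses constructed show port-security address output in the row format shown above, compares the SecureSticky entries with the sticky mac-address lines in a constructed startup-config fragment, and reports the sticky addresses that would have to be relearned after a reload. The header lines of the show output, the saved form switchport port-security mac-address sticky mac-address, and all function names are assumptions of the example.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple

# Constructed sample output of `show port-security address`, modelled on the rows in
# this chapter. The table header is assumed; the MAC addresses are sample values.
SHOW_PORT_SECURITY_ADDRESS = """\
          Secure Mac Address Table
-------------------------------------------------------------------
Vlan    Mac Address       Type                Ports
----    -----------       ----                -----
   1    0003.fd62.1d45    SecureConfigured    Fa0/5
   1    0003.fd62.21d3    SecureSticky        Fa0/5
   1    0005.7428.1a45    SecureSticky        Fa0/8
   1    0005.7428.1a46    SecureSticky        Fa0/8
   1    000c.29aa.bbcc    SecureDynamic       Fa0/9
-------------------------------------------------------------------
"""

# Constructed fragment of a saved startup configuration (hypothetical). Only Fa0/5
# has had its sticky address written to the configuration file.
STARTUP_CONFIG = """\
interface FastEthernet0/5
 switchport port-security
 switchport port-security mac-address 0003.fd62.1d45
 switchport port-security mac-address sticky
 switchport port-security mac-address sticky 0003.fd62.21d3
!
interface FastEthernet0/8
 switchport port-security
 switchport port-security mac-address sticky
!
interface FastEthernet0/9
 switchport port-security
!
"""

_MAC = r"[0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4}"
# One data row: VLAN, MAC, secure-address type, port.
_ROW = re.compile(r"^\s*(\d+)\s+(" + _MAC + r")\s+(Secure\w+)\s+(\S+)", re.I)
# Saved sticky address line inside an interface block (assumed saved form).
_STICKY_SAVED = re.compile(
    r"^switchport port-security mac-address sticky\s+(" + _MAC + r")\s*$", re.I)
_ABBREV = {"FastEthernet": "Fa", "GigabitEthernet": "Gi"}


@dataclass(frozen=True)
class SecureAddress:
    vlan: int
    mac: str
    kind: str   # SecureConfigured, SecureSticky or SecureDynamic
    port: str   # short interface name, e.g. Fa0/5


def short_name(ifname: str) -> str:
    """Map a long interface name (FastEthernet0/5) to the show-output form (Fa0/5)."""
    m = re.match(r"([A-Za-z]+)(\d.*)$", ifname.strip())
    if not m:
        return ifname.strip()
    return _ABBREV.get(m.group(1), m.group(1)) + m.group(2)


def parse_secure_addresses(show_text: str) -> List[SecureAddress]:
    """Return every data row of `show port-security address` as a SecureAddress."""
    rows = []
    for line in show_text.splitlines():
        m = _ROW.match(line)
        if m:
            rows.append(SecureAddress(int(m.group(1)), m.group(2).lower(),
                                      m.group(3), m.group(4)))
    return rows


def saved_sticky_addresses(config_text: str) -> Dict[str, Set[str]]:
    """Collect the sticky MAC addresses saved per interface in a configuration file."""
    saved: Dict[str, Set[str]] = {}
    current = None
    for raw in config_text.splitlines():
        line = raw.strip()
        if line.lower().startswith("interface "):
            current = short_name(line[len("interface "):])
            continue
        m = _STICKY_SAVED.match(line)
        if m and current is not None:
            saved.setdefault(current, set()).add(m.group(1).lower())
    return saved


def unsaved_sticky_addresses(show_text: str, config_text: str) -> List[Tuple[str, str]]:
    """List (port, mac) pairs learned as SecureSticky but absent from the saved config."""
    saved = saved_sticky_addresses(config_text)
    return [(a.port, a.mac) for a in parse_secure_addresses(show_text)
            if a.kind.lower() == "securesticky" and a.mac not in saved.get(a.port, set())]


if __name__ == "__main__":
    for port, mac in unsaved_sticky_addresses(SHOW_PORT_SECURITY_ADDRESS, STARTUP_CONFIG):
        print(f"{port}: sticky address {mac} is not in the startup configuration")
```

Run against the constructed data, the check reports the two sticky addresses on Fa0/8, which is exactly the state this section warns about: the port has learned them, but a reload would discard them until they are relearned.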
Beginning in privileged EXEC mode, follow these steps to configure port security aging:
Step 1: configure terminal
  Enter global configuration mode.
Step 2: interface interface-id
  Specify the port on which you want to enable port security aging, and enter interface configuration mode.
Note
The switch does not support port security aging of sticky secure addresses.
Step 3
Displaying Port-Based Traffic Control Settings
The show interfaces interface-id switchport privileged EXEC command displays (among other characteristics) the interface traffic suppression and control configuration. The show interfaces counters privileged EXEC command displays the count of discarded packets. The show storm-control and show port-security privileged EXEC commands display the settings for those features.
Chapter 18 Configuring UDLD
This chapter describes how to configure the UniDirectional Link Detection (UDLD) protocol on your Catalyst 2940 switch.
Note
For complete syntax and usage information for the commands used in this chapter, refer to the command reference for this release.
Understanding UDLD
A unidirectional link occurs whenever traffic sent by a local device is received by its neighbor but traffic from the neighbor is not received by the local device. In normal mode, UDLD detects a unidirectional link when fiber strands in a fiber-optic interface are misconnected and the Layer 1 mechanisms do not detect this misconnection.
• Event-driven detection and echoing
UDLD relies on echoing as its detection mechanism. Whenever a UDLD device learns about a new neighbor or receives a resynchronization request from an out-of-sync neighbor, it restarts the detection window on its side of the connection and sends echo messages in reply. Because this behavior is the same on all UDLD neighbors, the sender of the echoes expects to receive an echo in reply.
Configuring UDLD
This section describes how to configure UDLD on your switch. It contains this configuration information:
• Default UDLD Configuration, page 18-4
• Configuration Guidelines, page 18-4
• Enabling UDLD Globally, page 18-5
• Enabling UDLD on an Interface, page 18-5
• Resetting an Interface Shut Down by UDLD, page 18-6
Default UDLD Configuration
Table 18-1 shows the default UDLD configuration.
Enabling UDLD Globally
Beginning in privileged EXEC mode, follow these steps to enable UDLD in the aggressive or normal mode and to set the configurable message timer on all fiber-optic interfaces on the switch:
Step 1: configure terminal
  Enter global configuration mode.
Step 3: udld port [aggressive]
  Specify the UDLD mode of operation:
  • aggressive—(Optional) Enables UDLD in aggressive mode on the specified interface.
  UDLD is disabled by default. If you do not enter the aggressive keyword, the switch enables UDLD in normal mode. On a fiber-optic interface, this command overrides the udld enable global configuration command setting.
Displaying UDLD Status
To display the UDLD status for the specified interface or for all interfaces, use the show udld [interface-id] privileged EXEC command. For detailed information about the fields in the command output, refer to the command reference for this release.
Chapter 19 Configuring CDP
This chapter describes how to configure Cisco Discovery Protocol (CDP) on your Catalyst 2940 switch.
Note
For complete syntax and usage information for the commands used in this chapter, refer to the command reference for this release and the Cisco IOS Configuration Fundamentals Command Reference for Cisco IOS Release 12.1.
Configuring CDP
These sections include CDP configuration information and procedures:
• Default CDP Configuration, page 19-2
• Configuring the CDP Characteristics, page 19-2
• Disabling and Enabling CDP, page 19-3
• Disabling and Enabling CDP on an Interface, page 19-4
Default CDP Configuration
Table 19-1 shows the default CDP configuration.
Step 6: show cdp
  Verify configuration by displaying global information about CDP on the device.
Step 7: copy running-config startup-config
  (Optional) Save your entries in the configuration file.
Use the no form of the CDP commands to return to the default settings.
This example shows how to configure and verify CDP characteristics.
This example shows how to enable CDP if it has been disabled.
Switch# configure terminal
Switch(config)# cdp run
Switch(config)# end
Disabling and Enabling CDP on an Interface
CDP is enabled by default on all supported interfaces to send and receive CDP information. Beginning in privileged EXEC mode, follow these steps to disable CDP on an interface:
Step 1: configure terminal
  Enter global configuration mode.
Monitoring and Maintaining CDP
To monitor and maintain CDP on your device, perform one or more of these tasks, beginning in privileged EXEC mode.
Command             Description
clear cdp counters  Reset the traffic counters to zero.
clear cdp table     Delete the CDP table of information about neighbors.
show cdp            Display global information, such as frequency of transmissions and the holdtime for packets being sent.
Chapter 20 Configuring SPAN
This chapter describes how to configure Switched Port Analyzer (SPAN) on your Catalyst 2940 switch.
Note
For complete syntax and usage information for the commands used in this chapter, refer to the command reference for this release.
Understanding SPAN
Figure 20-1 Example SPAN Configuration (figure: switch ports 1 through 8, with Port 4 traffic mirrored on Port 8; callout 1 is the network analyzer)
Only traffic that enters or leaves source ports can be monitored by using SPAN. SPAN does not affect the switching of network traffic on source ports; a copy of the packets received or sent by the source interfaces is sent to the destination interface.
Traffic Types
SPAN sessions include these traffic types:
• Receive (Rx) SPAN—The goal of receive (or ingress) SPAN is to monitor as much as possible all the packets received by the source interface. A copy of each packet received by the source is sent to the destination port for that SPAN session. You can monitor a series or range of ingress ports in a SPAN session. At the destination port, if tagging is enabled, the packets appear with the 802.1Q header.
• It cannot be a source port or a reflector port.
• It cannot be an EtherChannel group or a VLAN.
• It can be a physical port that is assigned to an EtherChannel group, even if the EtherChannel group has been specified as a SPAN source. The port is removed from the group while it is configured as a SPAN destination port.
• The port does not transmit any traffic except that required for the SPAN session.
• EtherChannel—You can configure an EtherChannel group as a source port but not as a SPAN destination port. When a group is configured as a SPAN source, the entire group is monitored. If a port is added to a monitored EtherChannel group, the new port is added to the SPAN source port list. If a port is removed from a monitored EtherChannel group, it is automatically removed from the source port list.
Configuring SPAN
This section describes how to configure SPAN on your switch.
Step 3: monitor session session_number source interface interface-id [, | -] [both | rx | tx]
  Specify the SPAN session and the source port (monitored port).
  For session_number, specify 1.
  For interface-id, specify the source port to monitor. Valid interfaces include physical interfaces and port-channel logical interfaces (port-channel port-channel-number).
  (Optional) [, | -] Specify a series or range of interfaces.
Creating a SPAN Session and Enabling Ingress Traffic
Beginning in privileged EXEC mode, follow these steps to create a SPAN session, to specify the source and destination ports, and to enable ingress traffic on the destination port for a network security device (such as a Cisco IDS Sensor Appliance):
Step 1: configure terminal
  Enter global configuration mode.
This example shows how to configure the destination port for ingress traffic on VLAN 5 by using a security device that supports 802.1Q encapsulation.
Switch(config)# monitor session 1 destination interface Fa 0/5 encapsulation dot1q ingress vlan 5
This example shows how to disable ingress traffic forwarding on the destination port.
This example shows how to disable received traffic monitoring on port 1, which was configured for bidirectional monitoring:
Switch(config)# no monitor session 1 source interface fastEthernet0/1 rx
The monitoring of traffic received on port 1 is disabled, but traffic sent from this port continues to be monitored.
Displaying SPAN Status
To display the status of the current SPAN configuration, use the show monitor privileged EXEC command.
Chapter 21 Configuring RMON
This chapter describes how to configure Remote Network Monitoring (RMON) on your Catalyst 2940 switch. RMON is a standard monitoring specification that defines a set of statistics and functions that can be exchanged between RMON-compliant console systems and network probes. RMON provides you with comprehensive network-fault diagnosis, planning, and performance-tuning information.
Configuring RMON
Figure 21-1 Remote Monitoring Example (figure: a network management station with a generic RMON console application, and a Catalyst 3550 switch with RMON alarms and events configured, SNMP configured, and RMON history and statistic collection enabled)
Default RMON Configuration
RMON is disabled by default; no alarms or events are configured. Only RMON 1 is supported on the switch.
Configuring RMON Alarms and Events
You can configure your switch for RMON by using the command-line interface (CLI) or an SNMP-compatible network management station. We recommend that you use a generic RMON console application on the network management station (NMS) to take advantage of RMON’s network management capabilities.
Step 3: rmon event number [description string] [log] [owner string] [trap community]
  Add an event in the RMON event table that is associated with an RMON event number.
  • For number, assign an event number. The range is 1 to 65535.
  • (Optional) For description string, specify a description of the event.
  • (Optional) Use the log keyword to generate an RMON log entry when the event is triggered.
Configuring RMON Collection on an Interface
You must first configure RMON alarms and events to display collection information. Beginning in privileged EXEC mode, follow these steps to collect group history statistics on an interface:
Step 1: configure terminal
  Enter global configuration mode.
Step 2: interface interface-id
  Enter interface configuration mode, and specify the interface on which to collect history.
Step 6: show rmon statistics
  Display the contents of the switch statistics table.
Step 7: copy running-config startup-config
  (Optional) Save your entries in the configuration file.
To disable the collection of group Ethernet statistics, use the no rmon collection stats index interface configuration command.
Displaying RMON Status
Chapter 22 Configuring System Message Logging
This chapter describes how to configure system message logging on your Catalyst 2940 switch.
Note
For complete syntax and usage information for the commands used in this chapter, refer to the Cisco IOS Configuration Fundamentals Command Reference for Cisco IOS Release 12.1.
Configuring System Message Logging
These sections describe how to configure system message logging:
• System Log Message Format, page 22-2
• Default System Message Logging Configuration, page 22-3
• Disabling and Enabling Message Logging, page 22-4
• Setting the Message Display Destination Device, page 22-4
• Synchronizing Log Messages, page 22-5
• Enabling and Disabling Time Stamps on Log Messages, page 22-7
Table 22-1 System Log Message Elements (continued)
Element       Description
MNEMONIC      Text string that uniquely describes the message.
description   Text string containing detailed information about the event being reported.
Disabling and Enabling Message Logging
Message logging is enabled by default. It must be enabled to send messages to any destination other than the console. When enabled, log messages are sent to a logging process, which logs messages to designated locations asynchronously to the processes that generated the messages.
Step 3: logging host
  Log messages to a UNIX syslog server host.
  For host, specify the name or IP address of the host to be used as the syslog server.
  To build a list of syslog servers that receive logging messages, enter this command more than once.
  For complete syslog server configuration steps, see the “Configuring UNIX Syslog Servers” section on page 22-10.
is returned. Therefore, unsolicited messages and debug command output are not interspersed with solicited device output and prompts. After the unsolicited messages appear, the console again shows the user prompt.
Beginning in privileged EXEC mode, follow these steps to configure synchronous logging:
Step 1: configure terminal
  Enter global configuration mode.
Enabling and Disabling Time Stamps on Log Messages
By default, log messages are not time-stamped. Beginning in privileged EXEC mode, follow these steps to enable timestamping of log messages:
Step 1: configure terminal
  Enter global configuration mode.
Step 2: service timestamps log uptime
  Enable log timestamps.
This example shows part of a logging display with sequence numbers enabled:
000019: %SYS-5-CONFIG_I: Configured from console by vty2 (10.34.195.36)
Defining the Message Severity Level
You can limit messages that appear for the selected device by specifying the severity level of the message, as described in Table 22-3.
Table 22-3 Message Logging Level Keywords (continued)
Level Keyword   Level   Description                        Syslog Definition
critical        2       Critical conditions                LOG_CRIT
errors          3       Error conditions                   LOG_ERR
warnings        4       Warning conditions                 LOG_WARNING
notifications   5       Normal but significant condition   LOG_NOTICE
informational   6       Informational messages only        LOG_INFO
debugging       7       Debugging messages                 LOG_DEBUG
The software generates fou
Step 4: end
  Return to privileged EXEC mode.
Step 5: show running-config
  Verify your entries.
Step 6: copy running-config startup-config
  (Optional) Save your entries in the configuration file.
1. Table 22-3 lists the level keywords and severity level. For SNMP usage, the severity level values increase by 1. For example, emergencies equal 1, not 0, and critical equals 3, not 2.
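As an added example (not from this guide or from Cisco IOS), the following Python code parses system log messages in the format shown earlier in this chapter (optional sequence number, optional time stamp, then %FACILITY-SEVERITY-MNEMONIC: description), maps the numeric severity to the Table 22-3 keyword and to the SNMP value (severity plus 1, as footnote 1 states), and filters a constructed set of messages at a chosen level in the way a severity threshold applies to a logging destination. Levels 0 and 1 (emergencies, alerts) precede the continued part of Table 22-3 shown above. The sample lines other than the CONFIG_I example from this chapter are constructed, and the function names are the example's own.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Severity keywords from Table 22-3 (levels 0 and 1 are the standard syslog
# emergencies and alerts, which precede the table's continued part).
SEVERITY_KEYWORDS = {
    0: "emergencies", 1: "alerts", 2: "critical", 3: "errors",
    4: "warnings", 5: "notifications", 6: "informational", 7: "debugging",
}
LEVEL_BY_KEYWORD = {name: level for level, name in SEVERITY_KEYWORDS.items()}

# Constructed sample log; the first line is the CONFIG_I example from this chapter.
SAMPLE_LOG = """\
000019: %SYS-5-CONFIG_I: Configured from console by vty2 (10.34.195.36)
000020: *Mar  1 00:12:05.443: %PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, caused by MAC address 000c.29aa.bbcc on port FastEthernet0/8.
000021: *Mar  1 00:12:06.001: %LINK-3-UPDOWN: Interface FastEthernet0/8, changed state to down
000022: %SYS-6-LOGGINGHOST_STARTSTOP: Logging to host 10.34.195.40 started - CLI initiated
this line is not a system message and is skipped
"""

_MSG = re.compile(
    r"^(?:(?P<seq>\d+):\s+)?"          # optional sequence number (service sequence-numbers)
    r"(?:(?P<ts>[^%]*?):\s+)?"         # optional time stamp (service timestamps log ...)
    r"%(?P<facility>[A-Z0-9_]+)-(?P<severity>[0-7])-(?P<mnemonic>[A-Z0-9_]+):\s+"
    r"(?P<description>.*)$"
)


@dataclass
class IosMessage:
    seq: Optional[str]
    timestamp: Optional[str]
    facility: str
    severity: int
    mnemonic: str
    description: str


def parse_ios_syslog(line: str) -> Optional[IosMessage]:
    """Split one system log message into its elements; None if it does not match."""
    m = _MSG.match(line.strip())
    if not m:
        return None
    return IosMessage(m["seq"], m["ts"], m["facility"], int(m["severity"]),
                      m["mnemonic"], m["description"])


def severity_keyword(level: int) -> str:
    """Table 22-3 keyword for a numeric severity level."""
    return SEVERITY_KEYWORDS[level]


def snmp_severity(level: int) -> int:
    """Severity value as reported through SNMP: one higher than the syslog level."""
    return level + 1


def messages_at_or_above(log_text: str, level_keyword: str) -> List[IosMessage]:
    """Messages a destination configured at level_keyword would receive.

    A numerically lower level is more severe, so a threshold of 'warnings' (4)
    keeps levels 0 through 4 and drops notifications and below.
    """
    threshold = LEVEL_BY_KEYWORD[level_keyword]
    selected = []
    for line in log_text.splitlines():
        msg = parse_ios_syslog(line)
        if msg is not None and msg.severity <= threshold:
            selected.append(msg)
    return selected


if __name__ == "__main__":
    for msg in messages_at_or_above(SAMPLE_LOG, "warnings"):
        print(f"{msg.facility}-{msg.severity}-{msg.mnemonic} "
              f"({severity_keyword(msg.severity)}, SNMP {snmp_severity(msg.severity)}): "
              f"{msg.description}")
```

Filtering at warnings keeps only the port-security violation and the link-down message from the sample; the same parser can be pointed at a syslog server's archive to pull out security-relevant mnemonics for review.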
Configuring the UNIX System Logging Facility
When sending system log messages to an external device, you can cause the switch to identify its messages as originating from any of the UNIX syslog facilities. Beginning in privileged EXEC mode, follow these steps to configure UNIX system facility message logging:
Step 1: configure terminal
  Enter global configuration mode.
Table 22-4 Logging Facility-Type Keywords (continued)
Facility Type Keyword   Description
sys12                   System use
sys13                   System use
sys14                   System use
syslog                  System log
user                    User process
uucp                    UNIX-to-UNIX copy system
Displaying the Logging Configuration
To display the logging configuration and the contents of the log buffer, use the show logging privileged EXEC command.
Chapter 23 Configuring SNMP
This chapter describes how to configure the Simple Network Management Protocol (SNMP) on your Catalyst 2940 switch.
Note
For complete syntax and usage information for the commands used in this chapter, refer to the switch command reference for this release and to the Cisco IOS Configuration Fundamentals Command Reference for Cisco IOS Release 12.1.
Understanding SNMP
• Using SNMP to Access MIB Variables, page 23-4
• SNMP Notifications, page 23-4
SNMP Versions
This software release supports these SNMP versions:
• SNMPv1—The Simple Network Management Protocol, a Full Internet Standard, defined in RFC 1157.
You must configure the SNMP agent to use the SNMP version supported by the management station. Because an agent can communicate with multiple managers, you can configure the software to support communications with one management station using the SNMPv1 protocol, one using the SNMPv2C protocol and another using SNMPv3.
SNMP Manager Functions
The SNMP manager uses information in the MIB to perform the operations described in Table 23-2.
A community string can have one of these attributes:
• Read-only (RO)—Gives read access to authorized management stations to all objects in the MIB except the community strings, but does not allow write access
• Read-write (RW)—Gives read and write access to authorized management stations to all objects in the MIB, but does not allow access to the community strings
• Read-write-all—Gives read and write access to authorized management stations to
Configuring SNMP
Traps are unreliable because the receiver does not send an acknowledgment when it receives a trap, and the sender cannot determine if the trap was received. When an SNMP manager receives an inform request, it acknowledges the message with an SNMP response protocol data unit (PDU). If the sender does not receive a response, the inform request can be sent again. Because they can be re-sent, informs are more likely than traps to reach their intended destination.
Table 23-3 Default SNMP Configuration (continued)
Feature                  Default Setting
SNMP version             If no version keyword is present, the default is version 1.
SNMPv3 authentication    If no keyword is entered, the default is the noauth (noAuthNoPriv) security level.
SNMP notification type   If no type is specified, all notifications are sent.
SNMP Configuration Guidelines
An SNMP group is a table that maps SNMP users to SNMP views.
Disabling the SNMP Agent
Beginning in privileged EXEC mode, follow these steps to disable the SNMP agent:
Step 1: configure terminal
  Enter global configuration mode.
Step 2: no snmp-server
  Disable the SNMP agent operation.
Step 3: end
  Return to privileged EXEC mode.
Step 4: show running-config
  Verify your entries.
Step 5: copy running-config startup-config
  (Optional) Save your entries in the configuration file.
Step 3: access-list access-list-number {deny | permit} source [source-wildcard]
  (Optional) If you specified an IP standard access list number in Step 2, then create the list, repeating the command as many times as necessary.
  • For access-list-number, enter the access list number specified in Step 2.
  • The deny keyword denies access if the conditions are matched. The permit keyword permits access if the conditions are matched.
Beginning in privileged EXEC mode, follow these steps to configure SNMP on the switch:
Step 1: configure terminal
  Enter global configuration mode.
Step 2: snmp-server engineID {local engineid-string | remote ip-address [udp-port port-number] engineid-string}
  Configure a name for either the local or remote copy of SNMP.
  • The engineid-string is a 24-character ID string with the name of the copy of SNMP.
Step 4: snmp-server user username groupname [remote host [udp-port port]] {v1 | v2c | v3 [auth {md5 | sha} auth-password]} [encrypted] [access access-list]
  Configure a new user to an SNMP group.
  • The username is the name of the user on the host that connects to the agent.
  • The groupname is the name of the group to which the user is associated.
Table 23-4 Switch Notification Types (continued)
Notification Type Keyword   Description
entity                      Generates a trap for SNMP entity changes.
envmon                      Allows environmental monitor traps.
hsrp                        Generates a trap for Hot Standby Router Protocol (HSRP) changes.
mac-notification            Generates a trap for MAC address notifications.
rtr                         Generates a trap for the SNMP Response Time Reporter (RTR).
snmp                        Generates a trap for SNMP-type notifications.
Step 5: snmp-server host host-addr [traps | informs] [version {1 | 2c | 3 [auth | noauth]}] community-string [udp-port port] [notification-type]
  Specify the recipient of an SNMP trap operation.
  • For host-addr, specify the name or Internet address of the host (the targeted recipient).
  • (Optional) Enter traps (the default) to send SNMP traps to the host.
Step 6: snmp-server enable traps notification-types
Setting the Agent Contact and Location Information
Beginning in privileged EXEC mode, follow these steps to set the system contact and location of the SNMP agent so that these descriptions can be accessed through the configuration file:
Step 1: configure terminal
  Enter global configuration mode.
Step 2: snmp-server contact text
  Set the system contact string. For example: snmp-server contact Dial System Operator at beeper 21555.
Step 4: end
  Return to privileged EXEC mode.
Step 5: show running-config
  Verify your entries.
Step 6: copy running-config startup-config
  (Optional) Save your entries in the configuration file.
SNMP Examples
This example shows how to enable all versions of SNMP. The configuration permits any SNMP manager to access all objects with read-only permissions using the community string public.
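The example configuration above lets any manager that presents the community string public read every object, which is acceptable in a lab but not in production. As an added example (not part of this guide or of Cisco IOS), the following Python script audits a constructed running-config fragment for the SNMP weaknesses the commands in this chapter can introduce or avoid: well-known community strings, read-write communities, communities without an access list (the optional access-list-number of the snmp-server community command and the access-list of Step 3 above), SNMPv1/v2c users and notification hosts, SNMPv3 users left at the default noauth level, and access lists that are referenced but never defined. The sample addresses, strings and names are constructed, and the rule names and functions are the example's own.

```python
import re
from dataclasses import dataclass
from typing import List, Set, Tuple

# Constructed running-config fragment (hypothetical values; not from a real switch).
SAMPLE_RUNNING_CONFIG = """\
snmp-server community public RO
snmp-server community private RW
snmp-server community r3ad-0nly RO 10
snmp-server community wr1te-all RW 20
snmp-server user monitor netops v1
snmp-server user auditor netops v3 auth sha Str0ngPassw0rd
snmp-server user probe netops v3
snmp-server host 10.34.195.40 traps version 2c public
snmp-server host 10.34.195.41 informs version 3 auth auditor
access-list 10 permit 10.34.195.40
"""

# Community strings that every SNMP scanner tries first.
WELL_KNOWN_COMMUNITIES = {"public", "private"}

# snmp-server community string [view view-name] [ro | rw] [access-list-number]
_COMMUNITY = re.compile(
    r"^snmp-server community (\S+)(?: view \S+)?(?: (RO|RW))?(?: (\d+))?\s*$", re.I)
# snmp-server user username groupname {v1 | v2c | v3 [auth {md5 | sha} auth-password]}
_USER = re.compile(
    r"^snmp-server user (\S+) (\S+) (v1|v2c|v3)(?: auth (md5|sha) \S+)?", re.I)
# snmp-server host host-addr [traps | informs] [version {1 | 2c | 3 [auth | noauth]}] community-string
_HOST = re.compile(
    r"^snmp-server host (\S+)(?: (traps|informs))?"
    r"(?: version (1|2c|3)(?: (auth|noauth|priv))?)? (\S+)", re.I)
_ACL = re.compile(r"^access-list (\d+) (permit|deny) ", re.I)


@dataclass
class Finding:
    rule: str   # short identifier of the weakness
    line: str   # the configuration line that triggered it


def audit_snmp_config(config_text: str) -> List[Finding]:
    """Return one Finding per weak SNMP setting found in a running-config fragment."""
    findings: List[Finding] = []
    defined_acls: Set[str] = set()
    referenced_acls: List[Tuple[str, str]] = []

    for raw in config_text.splitlines():
        line = raw.strip()
        m = _ACL.match(line)
        if m:
            defined_acls.add(m.group(1))
            continue
        m = _COMMUNITY.match(line)
        if m:
            name, mode, acl = m.group(1), (m.group(2) or "RO").upper(), m.group(3)
            if name.lower() in WELL_KNOWN_COMMUNITIES:
                findings.append(Finding("well-known-community", line))
            if mode == "RW":
                findings.append(Finding("rw-community", line))
            if acl is None:
                findings.append(Finding("community-without-acl", line))
            else:
                referenced_acls.append((acl, line))
            continue
        m = _USER.match(line)
        if m:
            version, auth = m.group(3).lower(), m.group(4)
            if version != "v3":
                findings.append(Finding("v1v2c-user", line))
            elif auth is None:          # default security level is noauth (Table 23-3)
                findings.append(Finding("v3-user-noauth", line))
            continue
        m = _HOST.match(line)
        if m:
            version = (m.group(3) or "1").lower()   # default is version 1 (Table 23-3)
            if version != "3":
                findings.append(Finding("v1v2c-notification-host", line))

    # An access list that is referenced but never created restricts nothing.
    for acl, line in referenced_acls:
        if acl not in defined_acls:
            findings.append(Finding("undefined-acl", line))
    return findings


if __name__ == "__main__":
    for f in audit_snmp_config(SAMPLE_RUNNING_CONFIG):
        print(f"{f.rule:26} {f.line}")
```

On the constructed sample the audit reports ten findings; the only lines that pass cleanly are the read-only community bound to access list 10 and the SNMPv3 user and inform host that use authentication. The show snmp statistics mentioned in the next section (illegal community string entries) are the runtime counterpart of this static check.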
Displaying SNMP Status
To display SNMP input and output statistics, including the number of illegal community string entries, errors, and requested variables, use the show snmp privileged EXEC command. You can also use the other privileged EXEC commands in Table 23-5 to display SNMP information. For information about the fields in the output displays, refer to the Cisco IOS Configuration Fundamentals Command Reference for Cisco IOS Release 12.1.
Chapter 24 Configuring QoS
This chapter describes how to configure quality of service (QoS) by using standard QoS commands. With QoS, you can give preferential treatment to certain types of traffic at the expense of others. Without QoS, the Catalyst 2940 switch offers best-effort service to each packet, regardless of the packet contents or size. It sends the packets without any assurance of reliability, delay bounds, or throughput.
Understanding QoS
Figure 24-1 QoS Classification Layers in Frames and Packets (figure: an encapsulated packet made up of a Layer 2 header, IP header, and Data; the Layer 2 frame fields are Preamble, Start frame delimiter, DA, SA, Tag, PT, Data, and FCS) Layer 2 802.
Configuring QoS
Each port on the switch has a single receive queue buffer (the ingress port) for incoming traffic. When an untagged frame arrives, it is assigned the value of the port as its port default priority. You assign this value by using the CLI or CMS. A tagged frame continues to use its assigned CoS value when it passes through the ingress port.
Egress CoS Queues
The switch supports four CoS queues for each egress port.
• By default, the port trust state is not configured.
• All traffic is sent through one egress queue.
Beginning in privileged EXEC mode, follow these steps to configure the port to trust the classification of the traffic that it receives:
Step 1: configure terminal
  Enter global configuration mode.
Step 2: interface interface-id
  Enter interface configuration mode, and specify the interface to be trusted. Valid interfaces include physical interfaces.
Step 3: mls qos trust [cos]
  Configure the port trust state.
Configuring the CoS Value for an Interface

QoS assigns the CoS value specified with the mls qos cos interface configuration command to untagged frames received on trusted and untrusted ports. Beginning in privileged EXEC mode, follow these steps to define the default CoS value of a port or to assign the default CoS to all incoming packets on the port:

Command                     Purpose
Step 1  configure terminal  Enter global configuration mode.
However, if a user bypasses the telephone and connects the PC directly to the switch, the CoS labels generated by the PC are trusted by the switch (because of the trusted CoS setting) and can allow misuse of high-priority queues. The trusted boundary feature solves this problem by using Cisco Discovery Protocol (CDP) to detect the presence of a Cisco IP Phone (such as the Cisco IP Phone 7910, 7935, 7940, and 7960) on a switch port.
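A port that trusts CoS without the trusted boundary is exactly the misconfiguration described above, and it is easy to audit for in the running configuration. The following is an added example, not code from the Cisco guide: it splits a constructed running-config excerpt into interface blocks and reports every port that carries mls qos trust cos without a trusted boundary or an explicit uplink exemption. The command mls qos trust device cisco-phone is assumed here to be the trusted boundary command; it is not quoted from this excerpt, and the uplink allowlist is this example's own convention.

```python
# Added example (not from the Cisco guide): audit a Catalyst running-config
# for ports that trust the CoS of received frames without the trusted
# boundary, so any host plugged into the port (or a PC moved off the phone)
# can mark its own frames into the high-priority egress queue.
# "mls qos trust cos" is the command the guide describes; "mls qos trust
# device cisco-phone" is ASSUMED to be the trusted boundary command.
# The configuration text below is CONSTRUCTED for the example.

SAMPLE_RUNNING_CONFIG = """\
!
interface FastEthernet0/1
 description IP phone + PC, boundary enforced
 switchport mode access
 switchport voice vlan 200
 mls qos trust cos
 mls qos trust device cisco-phone
!
interface FastEthernet0/2
 description IP phone + PC, NO boundary
 switchport mode access
 switchport voice vlan 200
 mls qos trust cos
!
interface FastEthernet0/3
 description user port, CoS rewritten to port default
 switchport mode access
 mls qos cos 0
!
interface GigabitEthernet0/1
 description uplink to distribution switch
 switchport mode trunk
 mls qos trust cos
!
"""

ACCESS_FINDING = "access port trusts CoS without trusted boundary"
TRUNK_FINDING = "trunk trusts CoS but is not a listed uplink"


def parse_interfaces(config_text):
    """Split a running-config into {interface name: [indented config lines]}."""
    interfaces, current = {}, None
    for raw in config_text.splitlines():
        if raw.startswith("interface "):
            current = raw.split(None, 1)[1]
            interfaces[current] = []
        elif raw.startswith(" ") and current is not None:
            interfaces[current].append(raw.strip())
        else:
            current = None  # "!" or any other top-level line ends the block
    return interfaces


def audit_cos_trust(config_text, trusted_uplinks=()):
    """Return [(interface, finding)] for ports whose CoS trust is unguarded.

    trusted_uplinks: names of trunk ports toward switches you control, which
    legitimately trust CoS from the far end (an allowlist you maintain).
    """
    findings = []
    for name, lines in parse_interfaces(config_text).items():
        if "mls qos trust cos" not in lines:
            continue  # untrusted port: frames get the port default CoS
        if "mls qos trust device cisco-phone" in lines:
            continue  # trusted boundary: CoS trusted only while a phone is seen
        is_trunk = "switchport mode trunk" in lines
        if is_trunk and name in trusted_uplinks:
            continue
        findings.append((name, TRUNK_FINDING if is_trunk else ACCESS_FINDING))
    return findings


if __name__ == "__main__":
    for port, why in audit_cos_trust(SAMPLE_RUNNING_CONFIG,
                                     trusted_uplinks=("GigabitEthernet0/1",)):
        print(f"{port}: {why}")
```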
Enabling Pass-Through Mode

When the switch is in pass-through mode, it uses the CoS value of incoming packets without modifying the DSCP value and sends the packets from one of the four egress queues. By default, pass-through mode is disabled. The switch assigns a CoS value of 0 to all incoming packets without modifying the packets.
Configuring CoS Priority Queues

Beginning in privileged EXEC mode, follow these steps to configure the CoS priority queues:

Command                                   Purpose
Step 1  configure terminal                Enter global configuration mode.
Step 2  wrr-queue cos-map qid cos1..cosn  Specify the queue ID of the CoS priority queue. (The range is 1 to 4, where 1 is the lowest CoS priority queue.) Specify the CoS values that are mapped to the queue ID.
Displaying QoS Information

To display QoS information, use one or more of the privileged EXEC commands in Table 24-3:

Table 24-3 Commands for Displaying QoS Information
Command                   Purpose
show wrr-queue cos-map    Displays the mapping of the CoS priority queues.
show wrr-queue bandwidth  Displays the WRR bandwidth allocation for the CoS priority queues.
Chapter 25 Configuring EtherChannels

This chapter describes how to configure EtherChannel on the Layer 2 interfaces of a Catalyst 2940 switch. EtherChannel provides fault-tolerant high-speed links between switches, routers, and servers. You can use it to increase the bandwidth between the wiring closets and the data center, and you can deploy it anywhere in the network where bottlenecks are likely to occur.
Understanding EtherChannels

Figure 25-1 Typical EtherChannel Configuration (figure labels: Catalyst 8500, 6000, 5500, or 4000 series switch; Gigabit EtherChannel; Catalyst 3550-12T switch; 1000BASE-X; Catalyst 2940 switch; Catalyst 2950T-24 switch; 10/100 switched links; workstations)

Each EtherChannel can consist of up to eight compatibly configured Ethernet interfaces.
Figure 25-2 Relationship of Physical Ports, Logical Port Channels, and Channel Groups (figure labels: logical port-channel; channel-group binding; physical ports; a Catalyst 3550 switch with 10/100/1000 ports and GBIC module slots)

When a port joins an EtherChannel, the physical interface for that port is shut down.
Table 25-1 EtherChannel Modes
Mode    Description
active  Places an interface into an active negotiating state, in which the interface starts negotiations with other interfaces by sending LACP packets.
auto    Places an interface into a passive negotiating state, in which the interface responds to PAgP packets it receives but does not start PAgP packet negotiation. This setting minimizes the transmission of PAgP packets.
Exchanging LACP Packets

Both the active and passive LACP modes allow interfaces to negotiate with partner interfaces to determine if they can form an EtherChannel based on criteria such as interface speed and, for Layer 2 EtherChannels, trunking state and VLAN numbers. Interfaces can form an EtherChannel when they are in different LACP modes as long as the modes are compatible.
PAgP sends and receives PAgP PDUs only from interfaces that have PAgP enabled for the auto or desirable mode. LACP sends and receives LACP PDUs only from interfaces that have LACP enabled for the active or passive mode.

Understanding Load Balancing and Forwarding Methods

EtherChannel balances the traffic load across the links in a channel by randomly associating a newly learned MAC address with one of the links in the channel.
Figure 25-3 Load Distribution and Forwarding Methods (figure labels: Catalyst 2940 switch with source-based forwarding enabled; EtherChannel; Cisco router with destination-based forwarding enabled)

Configuring EtherChannels

These sections describe how to configure EtherChannel interfaces:
• Default EtherChannel Configuration, page 25-8
• EtherChannel Configuration Guidelines, page 25-8
• Configuring Layer 2 EtherChannels, page 25-9
• Configurin
Default EtherChannel Configuration

Table 25-2 shows the default EtherChannel configuration.

Table 25-2 Default EtherChannel Configuration
Feature             Default Setting
Channel groups      None assigned.
PAgP mode           No default.
PAgP learn method   Aggregate-port learning on all interfaces.
PAgP priority       128 on all interfaces. (Changing this value has no effect.)
LACP learn method   Aggregate-port learning on all interfaces.
desirable mode. When configuring an interface for LACP, if the allowed range of VLANs is not the same, the interfaces do not form an EtherChannel even when LACP is set to the active or passive mode.
• Interfaces with different spanning-tree path costs can form an EtherChannel if they are otherwise compatibly configured.
Command                                                                                            Purpose
Step 3  channel-group channel-group-number mode {{auto [non-silent] | desirable [non-silent] | on} | {active | passive}}
        Assign the interface to a channel group, and specify the PAgP or LACP mode.
        For channel-group-number, the range is 1 to 6. Each EtherChannel can have up to eight compatibly configured Ethernet interfaces.
        For mode, select one of these keywords:
        • active—Enables LACP only if an LACP device is detected.
To remove an interface from the EtherChannel group, use the no channel-group interface configuration command. If you delete the EtherChannel by using the no interface port-channel global configuration command without removing the physical interfaces, the physical interfaces are shut down. If you do not want the member physical interfaces to shut down, remove the physical interfaces before deleting the EtherChannel.
Command                                     Purpose
Step 4  show etherchannel load-balance      Verify your entries.
Step 5  copy running-config startup-config  (Optional) Save your entries in the configuration file.

To return EtherChannel load balancing to the default configuration, use the no port-channel load-balance global configuration command.
Command                                     Purpose
Step 5  show running-config                 Verify your entries.
        or
        show lacp channel-group-number internal
Step 6  copy running-config startup-config  (Optional) Save your entries in the configuration file.

Configuring Hot Standby Ports

When enabled, LACP tries to configure the maximum number of LACP-compatible ports in a channel, up to a maximum of 16 ports. Only eight LACP links can be active at one time.
Beginning in privileged EXEC mode, follow these steps to configure the LACP system priority:

Command                                      Purpose
Step 1  configure terminal                   Enter global configuration mode.
Step 2  lacp system-priority priority-value  Select the LACP system priority value. For priority-value, the range is 1 to 65535. By default, the priority value is 32768. The lower the value, the higher the system priority.
Chapter 26 Troubleshooting

This chapter describes how to identify and resolve Catalyst 2940 software problems related to the Cisco IOS software. Depending on the nature of the problem, you can use the command-line interface (CLI) or the Cluster Management Suite (CMS) to identify and solve problems.

Note
For complete syntax and usage information for the commands used in this chapter, refer to the command reference for this release and the Cisco IOS Command Summary for Cisco IOS Release 12.1.
Using Recovery Procedures

Recovering from Corrupted Software

Switch software can be corrupted during an upgrade, by downloading the wrong file to the switch, or by deleting the image file. In all of these cases, the switch does not pass the power-on self-test (POST), and there is no connectivity. This procedure uses the XMODEM protocol to recover from a corrupt or wrong image file.
Step 4 Press the Mode button, and at the same time, reconnect the power cord to the switch. You can release the Mode button a second or two after the LED above port 1X turns off. Several lines of information about the software appear, as do instructions:

The system has been interrupted prior to initializing the flash file system.
Press Return in response to the confirmation prompts. The configuration file is now reloaded, and you can use the following normal commands to change the password.
Replacing a Failed Command Switch with a Cluster Member

To replace a failed command switch with a command-capable member in the same cluster, follow these steps:

Step 1 Disconnect the command switch from the member switches, and physically remove it from the cluster.
Step 2 Insert the member switch in place of the failed command switch, and duplicate its connections to the cluster members.
Step 3 Start a CLI session on the new command switch.
If this prompt does not appear, enter enable, and press Return. Enter setup, and press Return to start the setup program.

Step 11 Respond to the questions in the setup program. When prompted for the host name, recall that on a command switch, the host name is limited to 28 characters; on a member switch to 31 characters. Do not use -n, where n is a number, as the last characters in a host name for any switch.
Basic management setup configures only enough connectivity for management of the system, extended setup will ask you to configure each interface on the system Would you like to enter basic management setup? [yes/no]:

Step 6 Enter Y at the first prompt.
Preventing Autonegotiation Mismatches

The IEEE 802.3AB autonegotiation protocol manages the switch settings for speed (10 Mbps, 100 Mbps, and 1000 Mbps excluding GBIC ports) and duplex (half or full). There are situations when this protocol can incorrectly align these settings, reducing performance.
Executing Ping

If you attempt to ping a host in a different IP subnetwork, you must define a static route to the network.

Note

Beginning in privileged EXEC mode, use this command to ping another device on the network from the switch:

Command                     Purpose
ping [ip] {host | address}  Ping a remote host through IP or by supplying the host name or network address.
Using Layer 2 Traceroute

This section describes this information:
• Understanding Layer 2 Traceroute, page 26-10
• Usage Guidelines, page 26-10
• Displaying the Physical Path, page 26-11

Understanding Layer 2 Traceroute

The Layer 2 traceroute feature allows the switch to identify the physical path that a packet takes from a source device to a destination device. Layer 2 traceroute supports only unicast source and destination MAC addresses.
• The traceroute mac ip command output shows the Layer 2 path when the specified source and destination IP addresses belong to the same subnet. When you specify the IP addresses, the switch uses Address Resolution Protocol (ARP) to associate the IP addresses with the corresponding MAC addresses and the VLAN IDs.
  – If an ARP entry exists for the specified IP address, the switch uses the associated MAC address and identifies the physical path.
Using Debug Commands

Enabling Debugging on a Specific Feature

All debug commands are entered in privileged EXEC mode, and most debug commands take no arguments. For example, beginning in privileged EXEC mode, enter this command to enable the debugging for EtherChannel:

Switch# debug etherchannel

The switch continues to generate output until you enter the no form of the command.
Note
Be aware that the debugging destination you use affects system overhead. Logging messages to the console produces very high overhead, whereas logging messages to a virtual terminal produces less overhead. Logging messages to a syslog server produces even less, and logging to an internal buffer produces the least overhead of any method. For more information about system message logging, see Chapter 22, “Configuring System Message Logging.”
Appendix A Supported MIBs

This appendix lists the supported management information bases (MIBs) for this release.
MIB List

• CISCO-SMI
• CISCO-STACKMAKER-MIB
• CISCO-STP-EXTENSIONS-MIB
• CISCO-SYSLOG-MIB
• CISCO-TC
• CISCO-TCP-MIB
• CISCO-VLAN-MEMBERSHIP-MIB
• CISCO-VTP-MIB
• ENTITY-MIB
• IANAifType-MIB
• IF-MIB (RFC 1573)
• OLD-CISCO-CHASSIS-MIB
• OLD-CISCO-CPU-MIB
• OLD-CISCO-INTERFACES-MIB
• OLD-CISCO-IP-MIB
• OLD-CISCO-MEMORY-MIB
• OLD-CISCO-SYSTEM-MIB
• OLD-CISCO-TCP-MIB
• OLD-CISCO-TS-MIB
• RFC1213-MIB
• RFC1398-MIB
• RMON-MIB (RFC 1757)
•
Using FTP to Access the MIB Files

You can obtain each MIB file by using this procedure:

Step 1 Use FTP to access the server ftp.cisco.com.
Step 2 Log in with the username anonymous.
Step 3 Enter your e-mail username when prompted for the password.
Step 4 At the ftp> prompt, change directories to /pub/mibs/v1 or /pub/mibs/v2.
Step 5 Use the get MIB_filename command to obtain a copy of the MIB file.