Catalyst 2950 and Catalyst 2955 Switch Software Configuration Guide
Cisco IOS Release 12.1(13)EA1
March 2003
Corporate Headquarters
Cisco Systems, Inc.
170 West Tasman Drive
San Jose, CA 95134-1706
USA
http://www.cisco.
THE SPECIFICATIONS AND INFORMATION REGARDING THE PRODUCTS IN THIS MANUAL ARE SUBJECT TO CHANGE WITHOUT NOTICE. ALL STATEMENTS, INFORMATION, AND RECOMMENDATIONS IN THIS MANUAL ARE BELIEVED TO BE ACCURATE BUT ARE PRESENTED WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED. USERS MUST TAKE FULL RESPONSIBILITY FOR THEIR APPLICATION OF ANY PRODUCTS.
Preface

Audience

The Catalyst 2950 and Catalyst 2955 Switch Software Configuration Guide is for the network manager responsible for configuring the Catalyst 2950 and the Catalyst 2955 switches, hereafter referred to as the switches. Before using this guide, you should be familiar with the concepts and terminology of Ethernet and local area networking.

Purpose

This guide provides information about configuring and troubleshooting a switch or switch clusters. This guide does not describe system messages you might encounter or how to install your switch. For more information, refer to the Catalyst 2950 and Catalyst 2955 Desktop Switch System Message Guide for this release, to the Catalyst 2950 Desktop Switch Hardware Installation Guide, and to the Catalyst 2955 Switch Hardware Installation Guide.

Note: This guide does not repeat the concepts and CLI procedures provided in the standard Cisco IOS Release 12.1 documentation.
Related Publications

These documents provide complete information about the switch and are available from this URL:
http://www.cisco.com/univercd/cc/td/doc/product/lan/cat2950/index.htm
You can order printed copies of documents with a DOC-xxxxxx= number from the Cisco.com sites and from the telephone numbers listed in the “Obtaining Documentation” section on page xxvi.
• Release Notes for the Catalyst 2950 and Catalyst 2955 Switch (not orderable but available on Cisco.

For other information about related products, refer to these documents:
• Catalyst GigaStack Gigabit Interface Converter Hardware Installation Guide (order number DOC-786460=)
• Cluster Management Suite (CMS) online help (available only from the switch CMS software)
• CWDM Passive Optical System Installation Note (not orderable but is available on Cisco.com)
• 1000BASE-T Gigabit Interface Converter Installation Notes (not orderable but is available on Cisco.

Ordering Documentation

You can find instructions for ordering documentation at this URL:
http://www.cisco.com/univercd/cc/td/doc/es_inpck/pdi.htm
You can order Cisco documentation in these ways:
• Registered Cisco.com users (Cisco direct customers) can order Cisco product documentation from the Networking Products MarketPlace:
http://www.cisco.com/en/US/partner/ordering/index.shtml
• Registered Cisco.

Obtaining Technical Assistance

Cisco.com

Cisco.com offers a suite of interactive, networked services that let you access Cisco information, networking solutions, services, programs, and resources at any time, from anywhere in the world. Cisco.

If you are a Cisco.com registered user, and you cannot resolve your technical issues by using the Cisco TAC website, you can open a case online at this URL:
http://www.cisco.com/en/US/support/index.html
If you have Internet access, we recommend that you open P3 and P4 cases through the Cisco TAC website so that you can describe the situation in your own words and attach any necessary files.
Chapter 1 Overview

This guide provides information about configuring and troubleshooting Catalyst 2950 and Catalyst 2955 switches. The Catalyst 2955 switch supports all the features in the enhanced software image (EI) for the Catalyst 2950 switch (refer to the switch command reference for more details). The Catalyst 2955 switch also supports an additional set of features that are described in Chapter 3, “Configuring Catalyst 2955 Switch Alarms.

Table 1-1 Switches Supported (continued)
Switch             | Software Image
Catalyst 2955S-12  | EI
Catalyst 2955T-12  | EI
1. SI = standard software image

Note: This software release does not support the Catalyst 2950 LRE switches. For information about these switches, refer to documentation for the Catalyst 2950 LRE switches.

Features

This section describes the features supported in this release:

Note: Some features require that you have the EI installed on your switch.
• Per-port broadcast storm control for preventing faulty end stations from degrading overall system performance with broadcast storms
• Port Aggregation Protocol (PAgP) and Link Aggregation Control Protocol (LACP) for automatic creation of EtherChannel links
• Internet Group Management Protocol (IGMP) snooping support to limit flooding of IP multicast traffic
• Multicast VLAN registration (MVR) to continuously send multicast streams in a multicast VLAN while isolating th

Note: For additional descriptions of the management interfaces, see the “Management Options” section on page 1-7.

Redundancy
• HSRP for command-switch redundancy
• UniDirectional link detection (UDLD) on all Ethernet ports for detecting and disabling unidirectional links on fiber-optic interfaces caused by incorrect fiber-optic wiring or port faults
• IEEE 802.1D Spanning Tree Protocol (STP) for redundant backbone connections and loop-free networks.
• IEEE 802.

Quality of Service and Class of Service
• Automatic QoS (auto-QoS) to simplify the deployment of existing QoS features by classifying traffic and configuring egress queues (voice over IP only) (only available in the EI)
• Classification
– IP Differentiated Services Code Point (IP DSCP) and class of service (CoS) marking priorities on a per-port basis for protecting the performance of mission-critical applications (only available with the EI)
– Flow-based packet classificat

• Syslog facility for logging system messages about authentication or authorization errors, resource issues, and time-out events
• Layer 2 traceroute to identify the physical path that a packet takes from a source device to a destination device
• Facilities for processing alarms related to temperature, power-supply conditions, and the status of the Ethernet ports (available only on the Catalyst 2955 switch)

Management Options

The switches are designed for plug-a
Advantages of Using CMS and Clustering Switches

Using CMS and switch clusters can simplify and minimize your configuration and monitoring tasks. You can use Cisco switch clustering technology to manage up to 16 interconnected and supported Catalyst switches through one IP address as if they were a single entity. This can conserve IP addresses if you have a limited number of them.

Design Concepts for Using the Switch

As your network users compete for network bandwidth, it takes longer to send and receive data. When you configure your network, consider the bandwidth required by your network users and the relative priority of the network applications they use. Table 1-2 describes what can cause network performance to degrade and how you can configure your network to increase the bandwidth available to your network users.

Figure 1-1 shows configuration examples of using the Catalyst switches to create these networks:
• Cost-effective wiring closet—A cost-effective way to connect many users to the wiring closet is to connect up to nine Catalyst 2900 XL, Catalyst 2950, Catalyst 3500 XL, and Catalyst 3550 switches through GigaStack GBIC connections. When you use a stack of Catalyst 2950G-48 switches, you can connect up to 432 users.
Figure 1-1 Example Configurations [figure: a Cost-Effective Wiring Closet built from a Catalyst 2900 XL, Catalyst 2950, Catalyst 3500 XL, and Catalyst 3550 GigaStack cluster behind a Catalyst 3550-12T or Catalyst 3550-12G switch, and a High-Performance Workgroup with a Gigabit server and the same cluster type connected by 1-Gbps HSRP links between two Catalyst 3550-12T or Catalyst 3550-12G switches]
A network backbone is a high-bandwidth connection (such as Fast Ethernet or Gigabit Ethernet) that interconnects segments and network resources. It is required if numerous segments require access to the servers. The Catalyst 2900 XL, Catalyst 2950, Catalyst 3500 XL, and Catalyst 3550 switches in this network are connected through a GigaStack GBIC on each switch to form a 1-Gbps network backbone.

Collapsed Backbone and Switch Cluster Configuration

Figure 1-3 shows a configuration for a network of approximately 500 employees. This network uses a collapsed backbone and switch clusters. A collapsed backbone has high-bandwidth uplinks from all segments and subnetworks to a single device, such as a Gigabit switch, that serves as a single point for monitoring and controlling the network.
Figure 1-3 Collapsed Backbone and Switch Cluster Configuration [figure: Gigabit servers and Cisco CallManager attached to a Catalyst 3550-12T or Catalyst 3550-12G switch with a Cisco 2600 router; 200-Mbps Fast EtherChannel (400-Mbps full-duplex Fast EtherChannel) and 1-Gbps (2-Gbps full-duplex) links to two Catalyst 2950, 2900 XL, 3550, and 3500 XL GigaStack clusters and a Catalyst 3524-PWR XL GigaStack cluster serving IP phones and workstations]

Figure 1-4 Large Campus Configuration [figure: IP telephony network or PSTN and WAN reached through a Cisco 7200 or 7500 router and a Cisco access gateway; Cisco CallManager and servers on a Catalyst 6500 switch; 1-Gbps (2-Gbps full-duplex) links to a Catalyst 2950, 2900 XL, 3500 XL, and 3550 GigaStack cluster and a Catalyst 3524-PWR XL GigaStack cluster serving Cisco IP Phones and workstations running Cisco SoftPhone software]

Multidwelling Network Using Catalyst 2950 Switches

A
All ports on the residential Catalyst 2950 switches (and Catalyst 2912-LRE XL or 2924-LRE XL switches if they are included) are configured as 802.1Q trunks with protected port and STP root guard features enabled. The protected port feature provides security and isolation between ports on the switch, ensuring that subscribers cannot view packets destined for other subscribers. STP root guard prevents unauthorized devices from becoming the STP root switch.

Long-Distance, High-Bandwidth Transport Configuration

Note: To use the feature described in this section, you must have the EI installed on your switch.

Figure 1-6 shows a configuration for transporting Gigabits of data from one location to an off-site backup facility over a single fiber-optic cable. The Catalyst switches have Coarse Wave Division Multiplexer (CWDM) fiber-optic GBIC modules installed.

Where to Go Next

Before configuring the switch, review these sections for start up information:
• Chapter 2, “Using the Command-Line Interface”
• Chapter 4, “Getting Started with CMS”
• Chapter 5, “Assigning the Switch IP Address and Default Gateway”
• Chapter 6, “Configuring IE2100 CNS Agents”
Chapter 2 Using the Command-Line Interface

This chapter describes the IOS command-line interface (CLI) that you can use to configure your Catalyst 2950 and Catalyst 2955 switches.

IOS Command Modes

Table 2-1 describes the main command modes, how to access each one, the prompt you see in that mode, and how to exit the mode. The examples in the table use the host name Switch.

Table 2-1 Command Mode Summary
Mode | Access Method | Prompt | Exit Method | About This Mode
User EXEC | Begin a session with your switch. | Switch> | Enter logout or quit. | Use this mode to • Change terminal settings. • Perform basic tests.

Table 2-1 Command Mode Summary (continued)
Mode | Access Method | Prompt | Exit Method | About This Mode
Interface configuration | While in global configuration mode, enter the interface command (with a specific interface). | Switch(config-if)# | To exit to global configuration mode, enter exit. To return to privileged EXEC mode, press Ctrl-Z or enter end. | Use this mode to configure parameters for the Ethernet interfaces.

Table 2-2 Help Summary (continued)
Command | Purpose
command ? | List the associated keywords for a command. For example: Switch> show ?
command keyword ? | List the associated arguments for a keyword. For example: Switch(config)# cdp holdtime ? <10-255> Length of time (in sec) that receiver must keep this packet

Abbreviating Commands

You have to enter only enough characters for the switch to recognize the command as unique.

Understanding CLI Messages

Table 2-3 lists some error messages that you might encounter while using the CLI to configure your switch.

Table 2-3 Common CLI Error Messages
Error Message | Meaning | How to Get Help
% Ambiguous command: "show con" | You did not enter enough characters for your switch to recognize the command. | Re-enter the command followed by a question mark (?) with a space between the command and the question mark.
Recalling Commands

To recall commands from the history buffer, perform one of the actions listed in Table 2-4:

Table 2-4 Recalling Commands
Action | Result
Press Ctrl-P or the up arrow key. | Recall commands in the history buffer, beginning with the most recent command. Repeat the key sequence to recall successively older commands.
Press Ctrl-N or the down arrow key. |

Enabling and Disabling Editing Features

Although enhanced editing mode is automatically enabled, you can disable it.

Table 2-5 Editing Commands through Keystrokes (continued)
Capability | Keystroke | Purpose
Capitalize or lowercase words or capitalize a set of letters. | |
| Press Ctrl-D. | Delete the character at the cursor.
| Press Ctrl-K. | Delete all characters from the cursor to the end of the command line.
| Press Ctrl-U or Ctrl-X. | Delete all characters from the cursor to the beginning of the command line.
| Press Ctrl-W. |

In this example, the access-list global configuration command entry extends beyond one line. When the cursor first reaches the end of the line, the line is shifted ten spaces to the left and redisplayed. The dollar sign ($) shows that the line has been scrolled to the left. Each time the cursor reaches the end of the line, the line is again shifted ten spaces to the left.

You can establish a connection with the switch by either
• Connecting the switch console port to a management station or dial-up modem. For information about connecting to the console port, refer to the switch hardware installation guide.
• Using any Telnet TCP/IP or encrypted Secure Shell (SSH) package from a remote management station.
Chapter 3 Configuring Catalyst 2955 Switch Alarms

This chapter describes how to configure the different alarms for the Catalyst 2955 switch.

Note: The alarms described in this chapter are not available on the Catalyst 2950 switch. For complete syntax and usage information for the commands used in this chapter, refer to the switch command reference for this release.

Understanding Catalyst 2955 Switch Alarms

Global Status Monitoring Alarms

The Catalyst 2955 switch contains facilities for processing alarms related to temperature and power supply conditions. These are referred to as global or facility alarms. Table 3-1 lists the three global alarms and their descriptions and functions.

For example, if the FCS bit error rate alarm value is configured to 10^-8, that value is the alarm set threshold. To set the alarm clear threshold at 5 * 10^-10, the hysteresis value h is determined as follows:
h = alarm clear threshold / alarm set threshold
h = 5 * 10^-10 / 10^-8 = 5 * 10^-2 = 0.05 = 5 percent
The FCS hysteresis threshold is applied to all ports on the Catalyst 2955 switch.
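To make the set/clear behaviour of the FCS alarm concrete, here is an added Python model (illustration written for this page, not Cisco code) that applies the thresholds from the text to a constructed series of bit-error-rate samples; the hysteresis is what keeps a rate hovering just under the set threshold from flapping the alarm and anything tied to it (relay, syslog, trap).

```python
"""Model of the Catalyst 2955 FCS bit-error-rate alarm with hysteresis.

Added illustration, not Cisco code. The alarm is raised when the measured
FCS bit error rate reaches the configured set threshold and is cleared only
when the rate has fallen to the clear threshold, which equals
set threshold * hysteresis (as the text's example computes it).
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple


def hysteresis_percent(set_threshold: float, clear_threshold: float) -> float:
    """h = alarm clear threshold / alarm set threshold, expressed in percent."""
    if set_threshold <= 0 or clear_threshold <= 0:
        raise ValueError("thresholds must be positive error rates")
    if clear_threshold > set_threshold:
        raise ValueError("clear threshold must not exceed the set threshold")
    return clear_threshold / set_threshold * 100.0


@dataclass
class FcsAlarm:
    """Per-port FCS alarm state driven by successive bit-error-rate samples."""
    set_threshold: float        # configured alarm set threshold, e.g. 1e-8 (from the text)
    hysteresis_percent: float   # configured hysteresis, e.g. 5 percent (from the text)
    raised: bool = False

    @property
    def clear_threshold(self) -> float:
        # The clear threshold is derived from the set threshold, never configured directly.
        return self.set_threshold * self.hysteresis_percent / 100.0

    def observe(self, error_rate: float) -> Optional[str]:
        """Feed one sample; return "SET", "CLEAR", or None if the state did not change."""
        if not self.raised and error_rate >= self.set_threshold:
            self.raised = True
            return "SET"
        if self.raised and error_rate <= self.clear_threshold:
            self.raised = False
            return "CLEAR"
        return None  # between the two thresholds the current state is kept


def run_samples(samples: List[float],
                set_threshold: float = 1e-8,
                hysteresis: float = 5.0) -> List[Tuple[float, bool, Optional[str]]]:
    """Replay a series of samples and record (rate, alarm raised, event) per sample."""
    alarm = FcsAlarm(set_threshold, hysteresis)
    trace = []
    for rate in samples:
        event = alarm.observe(rate)
        trace.append((rate, alarm.raised, event))
    return trace


# Constructed sample series for one port (not measured data): healthy link,
# a burst above the set threshold, then a slow recovery through the band
# between the clear and set thresholds.
SAMPLE_RATES = [1e-9, 2e-8, 5e-9, 6e-10, 4e-10, 1e-9]

if __name__ == "__main__":
    print(f"hysteresis for 1e-8 / 5e-10: {hysteresis_percent(1e-8, 5e-10):.1f} percent")
    print(f"clear threshold: {FcsAlarm(1e-8, 5.0).clear_threshold:.1e}")
    for rate, raised, event in run_samples(SAMPLE_RATES):
        print(f"rate={rate:.1e} raised={raised!s:5} {event or ''}")
```

Note that the 6e-10 sample sits below the set threshold yet leaves the alarm raised; only the 4e-10 sample, at or below the 5e-10 clear threshold, clears it.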
Triggering Alarm Options

The Catalyst 2955 supports three methods for triggering alarms:
• Configurable Relays
The Catalyst 2955 switch is equipped with two independent alarm relays that can be triggered by alarms for global and port status conditions. The relays can be configured to send a fault signal to an external alarm device, such as a bell, light, or other signaling device.

Default Catalyst 2955 Switch Alarm Configuration

Table 3-3 shows the default Catalyst 2955 switch alarms configuration.

Table 3-3 Default Catalyst 2955 Switch Alarm Configuration
Global Alarm | Default Setting
Power Supply Alarm | Enabled in switch single power mode. No alarm. In dual power supply mode, the default alarm notification is a system message to the console.

Use the no power-supply dual command to disable this alarm by setting the switch back to single power mode operation.

Setting the Power Supply Alarm Options

Use the alarm facility power-supply global configuration command to associate the power supply alarm to a relay. You can also configure all alarms and traps associated with the power supply alarm to be sent to syslog and the SNMP server.

This section describes how to configure the temperature alarms on your switch.
Command | Purpose
Step 5 | end | Return to privileged EXEC mode.
Step 6 | show alarm settings | Verify the configuration.
Step 7 | copy running-config startup-config | (Optional) Save your entries in the configuration file.

Note: Before you can use the notifies command to send alarm traps to an SNMP server, you must first set up the SNMP server by using the snmp-server enable traps alarms global configuration command.

Command | Purpose
Step 4 | end | Return to privileged EXEC mode.
Step 5 | show fcs-threshold | Verify the setting.
Step 6 | copy running-config startup-config | (Optional) Save your entries in the configuration file.

Use the no fcs-threshold interface configuration command to return to the default FCS threshold value.

Configuring Alarm Profiles

This section describes how to configure alarm profiles on your switch. It contains this configuration information:
• Creating or Modifying an Alarm Profile, page 3-10
• Attaching an Alarm Profile to a Specific Port, page 3-11

Creating or Modifying an Alarm Profile

You can use the alarm profile global configuration command to create an alarm profile or to modify an existing profile.

Note: Before you can use the notifies command to send alarm traps to an SNMP server, you must first set up the SNMP server by using the snmp-server enable traps alarms global configuration command. See the “Enabling SNMP Traps” section on page 3-12.

Table 3-4 lists the alarmList IDs and their corresponding alarm definitions.

Enabling SNMP Traps

Use the snmp-server enable traps alarms global configuration command to enable the switch to send alarm traps.

Note: Before using alarm profiles to set the switch to send SNMP alarm trap notifications to an SNMP server, you must first enable SNMP by using the snmp-server enable traps alarms global configuration command.
Chapter 4 Getting Started with CMS

This chapter provides these topics about the Cluster Management Suite (CMS) software:
• Features, page 4-2
• Front Panel View, page 4-3
• Topology View, page 4-10
• Menus and Toolbar, page 4-14
• Interaction Modes, page 4-24
• CMS Window Components, page 4-26
• Accessing CMS, page 4-29
• Saving Your Configuration, page 4-31
• Restoring Your Configuration, page 4-32
• CMS Preferences, page 4-32
• Using Different Versions of CMS, page 4-32
• Wh

Features

CMS provides these features for managing switch clusters and individual switches from Web browsers such as Netscape Communicator or Microsoft Internet Explorer:
• Two views of your network, as shown in Figure 4-1, that can be displayed at the same time:
– A Front Panel view that displays the front-panel image of a specific set of switches in a cluster.
• Menus and a toolbar, as shown in Figure 4-2, to access configuration and management options:
– The menu bar provides the complete list of options for managing a single switch and switch clusters.
– The toolbar provides buttons for commonly used switch and cluster configuration options and information windows such as legends and online help.

Figure 4-3 Front Panel View from a Command Switch [figure callouts: Select the switches that you want displayed in the Front Panel view; Cluster tree]

Note: Right-click a member switch image to display the device pop-up menu and to select an option to view or change system-related settings. Right-click the command switch image to display the cluster pop-up menu and to select a cluster-related option.

Cluster Tree

Figure 4-3 shows the cluster tree that appears in the left frame of the Front Panel view and shows the name of the cluster and a list of its members. Figure 4-5 shows the device icons that you can drag and drop to rearrange them in the cluster tree. The colors of the devices in the cluster tree show the status of the devices, as listed in Table 4-1.

Figure 4-6 shows the port icons as they appear in the front-panel images. To select a port, click the port on the Front Panel view. The port is then highlighted with a yellow outline. To select multiple ports, you can:
• Press the left mouse button, drag the pointer over the group of ports that you want to select, and then release the mouse button.
• Press the Ctrl key, and click the ports that you want to select.

Alarm Relay and Power LEDs on Catalyst 2955 Switches

The alarm relay LED images are labeled Alarm MAJ and MIN on the CMS Front Panel view and show when a major or minor alarm has occurred on the switch. You can configure alarm relays for traffic signal failure or degradation, equipment malfunction, and SNMP messages. Red means that an alarm has occurred. No LED, or black, means the absence of alarms on the switch.
Chapter 4 Getting Started with CMS Front Panel View Table 4-3 Cisco RPS 300 and Cisco RPS 675 LED (continued) Color RPS Status Amber The RPS could be in standby mode. To put the RPS in Active mode, press the Standby/Active button on the RPS, and the LED should turn green. If it does not, one of these conditions could exist: Blinking amber Table 4-4 • One of the RPS power supplies could be down. Contact Cisco Systems. • The RPS fan could have failed. Contact Cisco Systems.
Chapter 4 Getting Started with CMS Front Panel View Table 4-5 Port Modes Mode LED Description STAT Link status of the ports. Default mode. DUPLX Duplex setting on the ports. The default setting on the 10/100 ports is auto. The default setting on the 10/100/1000 ports is full. SPEED Speed setting on the ports. The default setting on the 10/100 and 10/100/1000 ports is auto. Table 4-6 Port LEDs Port Mode Port LED Color Description STAT Cyan (off) No link. Green Link present.
Chapter 4 Getting Started with CMS Topology View Table 4-7 VLAN Membership Modes Mode Color Static access Light green Dynamic access Pink 802.1Q trunk Peach Negotiate trunk White Topology View The Topology view displays how the devices within a switch cluster are connected and how the switch cluster is connected to other clusters and devices. From this view, you can add and remove cluster members.
Chapter 4 Getting Started with CMS Topology View Figure 4-7 Expand Cluster View Right-click a device icon to display a device popup menu. Figure 4-8 81674 Cluster members of cluster1 and other devices connected to cluster1. Collapse Cluster View Neighboring cluster connected to cluster1. cluster1 65723 Devices connected to cluster1 that are not eligible to join the cluster.
Chapter 4 Getting Started with CMS Topology View Topology Icons and Labels The Topology view and the cluster tree use the same set of device icons to represent clusters, command and standby command switches, and member switches. They also use the same labels to identify the command switch (CMD) and the standby command switch (STBY).
When using these labels, keep these considerations in mind:
• The IP address displays only in the labels for the command switch and member switches.
• The label of a neighboring cluster icon displays only the IP address of that cluster's command switch.
• The link speeds displayed are the actual link speeds except on the LRE links, which display the administratively assigned speed settings.
Table 4-11 Device Label Colors
Label Color  Color Meaning
Green        A cluster member, either a member switch or the command switch
Cyan         A candidate switch that is eligible to join the cluster
Yellow       An unknown device or a device that is not eligible to join the cluster

Topology Display Options

You can set the type of information displayed in the Topology view by changing the settings in the Topology Options window.

• If you launch CMS from a command switch, the menu bar displays the features supported on the switches in the cluster, with these exceptions:
– If the command switch is a Layer 3 switch, such as a Catalyst 3550 switch, the menu bar displays the features of all Layer 3 and Layer 2 switches in the cluster.

These are the menu bar options:
• CMS
– Page Setup—Set default document printer properties to be used when printing from CMS.
– Print Preview—View the way the CMS window or help file will appear when printed.
– Print—Print a CMS window or help file.
– Guide Mode/Expert Mode—Select which interaction mode to use when you select a configuration option (not available in read-only mode).
– Delete Cluster—Delete a cluster (not available in read-only mode). This option is available only from a cluster management session.
– Add to Cluster—Add a candidate to a cluster (not available in read-only mode). This option is available only from a cluster management session.
– Remove from Cluster—Remove a member from the cluster (not available in read-only mode). This option is available only from a cluster management session.
• Port
– Port Settings—Display and configure port parameters on a switch. Some options from this menu are not available in read-only mode.
– Port Search—Search for a port through its description.
– Port Security—Enable port security on a port (not available in read-only mode).
– EtherChannels—Group ports into logical units for high-speed links between switches. Some options from this menu are not available in read-only mode.

cluster where the command switch is a Catalyst 2950 switch running Release 12.1(6)EA2 or later, a Catalyst 2955 switch running Release 12.1(12c)EA1 or later, or a Catalyst 3550 switch running Release 12.1(8)EA1 or later. For more information about system messages, refer to the switch system message guide for that release.
• Tools
– Ping and Trace—Perform a ping or Layer 2 traceroute operation on or to a specific address.
Table 4-12 Toolbar Buttons (continued)
Toolbar Option          Icon  Keyboard Shortcut  Task
Save Configuration [2]        Ctrl-S             Save the configuration of the cluster or a switch to Flash memory.
Software Upgrade [2]          Ctrl-U             Upgrade the software for the cluster or a switch.
Port Settings [1]             —                  Display and configure port parameters on a switch.
VLAN [1]                      Ctrl-V             Display VLAN membership, assign ports to VLANs, and change the administration mode.
Table 4-13 Device Popup Menu
Popup Menu Option          Task
Device Manager [1]         Launch Device Manager for the switch.
Host Name [2]              Change the name of the switch.
Delete Cluster [2, 3]      Delete a cluster.
Remove from Cluster [2, 4] Remove a member from the cluster.
Bandwidth Graphs           Display graphs that plot the total bandwidth in use.
Properties                 Display information about the device and port on either end of the link and the state of the link.
1.

Table 4-15 Link Popup Menu
Link Popup Menu  Task
Link Report      Display the link report for two connected devices. If one device is an unknown device or a candidate, only the cluster member side of the link displays.
Link Graph       Display a graph showing the current bandwidth used by the selected link. You can change the graph polling interval by selecting CMS > Preferences.

• Candidate switch without an IP address (Table 4-20)
• Neighboring devices (Table 4-21)

Note The Device Manager option in these popup menus is available in read-only mode on Catalyst 2900 XL and Catalyst 3500 XL switches running Release 12.0(5)WC2 and later. It is also available on Catalyst 2950 switches running Release 12.1(6)EA2 or later, Catalyst 2955 switches running Release 12.

Table 4-20 Candidate-Switch Icon Popup Menu (When the Candidate Switch Does Not Have an IP Address)
Popup Menu Option  Task
Add to Cluster     Add a candidate to a cluster.
Properties         Display information about the device.

Table 4-21 Neighboring-Device Icon Popup Menu
Popup Menu Option  Task
Device Manager     Access the web management interface of the device.

Note Guide mode is not available if your switch access level is read-only. For more information about the read-only access mode, see the “Access Modes in CMS” section on page 4-30.

Expert Mode

Expert mode is for users who prefer to display all the parameter fields of a feature in a single CMS window. Information about the parameter fields is available by clicking the Help button.

Wizards

Wizards simplify some configuration tasks on the switch.

You can send us feedback about the information provided in the online help. Click Feedback to display an online form. After completing the form, click Submit to send your comments to Cisco Systems Inc. We appreciate and value your comments.

(Online help figure callouts: Glossary of terms used in the online help. Legend of icons and color codes. Help for all CMS windows. Help for CMS tasks. Enter the first letters of the topic, and click Find to search the index.)

Figure 4-11 CMS Window Components (callouts: OK saves your changes and closes the window. Apply saves your changes and leaves the window open. Modify displays a secondary window from which you can change settings. Refresh refreshes the window to display the latest information. Click a row to select it. Press Shift, and left-click another row to select contiguous multiple rows. Press Ctrl, and left-click rows to select noncontiguous rows.)

Tabs, Lists, and Tables

Some CMS windows have tabs that present different sets of information. Tabs are arranged like folder headings across the top of the window. Click the tab to display its information. Listed information can often be changed by selecting an item from a list. To change the information, select one or more items, and click Modify. Changing multiple items is limited to those items that apply to at least one of the selections.

Red Border Around a Field

A red border around a field means that you entered invalid data in the field. An error message also displays in the window status bar. When you enter valid data in the field, a green border replaces the red border until you either save or cancel the change. If there is an error in communicating with the switch or if you make an error while performing an action, a message notifies you about the error.

To access CMS, follow these steps:
Step 1 Enter the switch IP address and your privilege level in the browser Location field (Netscape Communicator) or Address field (Microsoft Internet Explorer). For example:
http://10.1.126.45:184/level/14/
where 10.1.126.45 is the switch IP address, 184 is the HTTP port, and level/14 is the privilege level.

These switches do not support read-only mode on CMS:
• Catalyst 1900 and Catalyst 2820
• Catalyst 2900 XL switches with 4-MB CPU DRAM
In read-only mode, these switches appear as unavailable devices and cannot be configured from CMS.

Restoring Your Configuration

After you save a switch configuration, you can restore the configuration to one or more switches for these reasons:
• You made an incorrect change to the current running configuration and want to reload a saved configuration.
• You need to reload a switch after a switch failure or power failure.
• You want to copy the configuration of a switch to other switches.

Where to Go Next

Before configuring the switch, refer to these places for start-up information:
• Switch release notes on Cisco.
CHAPTER 5 Assigning the Switch IP Address and Default Gateway

This chapter describes how to create the initial switch configuration (for example, assign the switch IP address and default gateway information) by using a variety of automatic and manual methods.

Note For complete syntax and usage information for the commands used in this chapter, refer to the command reference for this release.

The boot loader also provides trap-door access into the system if the operating system has problems serious enough that it cannot be used.

Default Switch Information

Table 5-1 shows the default switch information.

Table 5-1 Default Switch Information
Feature                     Default Setting
IP address and subnet mask  No IP address or subnet mask are defined.
Default gateway             No default gateway is defined.
Enable secret password      No password is defined.
Host name                   The factory-assigned default host name is Switch.
Telnet password             No password is defined.

DHCP Client Request Process

When you boot your switch, the switch automatically requests configuration information from a DHCP server only if a configuration file is not present on the switch. DHCP autoconfiguration does not occur under these conditions:
• When a configuration file is present and the service config global configuration command is disabled on the switch.

Configuring the DHCP Server

You should configure the DHCP server with reserved leases that are bound to each switch by the switch hardware address.

For the switch to successfully download a configuration file, the TFTP server must contain one or more configuration files in its base directory. The files can include these files:
• The configuration file named in the DHCP reply (the actual switch configuration file).
• The network-confg or the cisconet.cfg file (known as the default configuration files).
• The router-confg or the ciscortr.

Figure 5-2 Relay Device Used in Autoconfiguration (shows the switch as DHCP client, a Cisco router as relay, and the DHCP, TFTP, and DNS servers; addresses shown in the figure: 10.0.0.2, 10.0.0.1, 20.0.0.3, 20.0.0.4, 20.0.0.2, 20.0.0.)

Note The switch broadcasts TFTP server requests if the TFTP server is not obtained from the DHCP replies, if all attempts to read the configuration file through unicast transmissions fail, or if the TFTP server name cannot be resolved to an IP address.

Example Configuration

Figure 5-3 shows a sample network for retrieving IP information by using DHCP-based autoconfiguration.

DNS Server Configuration

The DNS server maps the TFTP server name maritsu to IP address 10.0.0.3.

TFTP Server Configuration (on UNIX)

The TFTP server base directory is set to /tftpserver/work/. This directory contains the network-confg file used in the two-file read method. This file contains the host name to be assigned to the switch based on its IP address.
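The following is an added example, not from the Cisco guide or its software: a small Python model of the autoconfiguration sequence described above (TFTP server resolution through DNS with the broadcast fallback from the note, and the choice between the file named in the DHCP reply, the two-file read through network-confg, and the router-confg fallbacks). The DHCP reply fields, the DNS table, the TFTP directory contents, and the 'ip host <name> <ip>' line format of network-confg are constructed assumptions for the example.

```python
from dataclasses import dataclass
from typing import Dict, Optional

# File names the guide lists for the TFTP base directory: the default
# configuration files and the router-confg fallbacks.
DEFAULT_CONFIG_FILES = ["network-confg", "cisconet.cfg"]
ROUTER_CONFIG_FILES = ["router-confg", "ciscortr.cfg"]


@dataclass
class DhcpReply:
    """Fields of interest from a DHCP reply (constructed model, not a packet parser)."""
    ip_address: str                          # address leased to the switch
    config_filename: Optional[str] = None    # configuration file named in the reply
    tftp_server_name: Optional[str] = None   # TFTP server name, resolved through DNS
    tftp_server_ip: Optional[str] = None     # TFTP server IP, when sent directly


def resolve_tftp_server(reply: DhcpReply, dns_table: Dict[str, str]) -> Optional[str]:
    """Return the TFTP server IP, or None when no address can be obtained.

    None corresponds to the note above: with no TFTP server address, the
    switch falls back to broadcasting its TFTP requests.
    """
    if reply.tftp_server_ip:
        return reply.tftp_server_ip
    if reply.tftp_server_name:
        return dns_table.get(reply.tftp_server_name)
    return None


def parse_network_confg(text: str) -> Dict[str, str]:
    """Build an IP -> host name map from 'ip host <name> <ip>' lines.

    The line format is assumed for the default configuration file; any
    other lines are ignored.
    """
    mapping: Dict[str, str] = {}
    for raw in text.splitlines():
        parts = raw.split()
        if len(parts) >= 4 and parts[0] == "ip" and parts[1] == "host":
            mapping[parts[3]] = parts[2]
    return mapping


def select_config_file(reply: DhcpReply, tftp_files: Dict[str, str]) -> Optional[str]:
    """Pick the configuration file the switch would read from the base directory.

    tftp_files maps file name -> content, a constructed stand-in for
    /tftpserver/work/. Modeled order: the file named in the DHCP reply
    (one-file read); else a default configuration file that maps the switch
    IP to a host name whose <hostname>-confg file is then read (two-file
    read); else a router-confg fallback; else nothing.
    """
    if reply.config_filename and reply.config_filename in tftp_files:
        return reply.config_filename
    for default_name in DEFAULT_CONFIG_FILES:
        if default_name in tftp_files:
            hostname = parse_network_confg(tftp_files[default_name]).get(reply.ip_address)
            if hostname and f"{hostname}-confg" in tftp_files:
                return f"{hostname}-confg"
    for fallback in ROUTER_CONFIG_FILES:
        if fallback in tftp_files:
            return fallback
    return None


# Constructed sample environment mirroring the guide's example: DNS maps
# maritsu to 10.0.0.3, and the base directory holds a network-confg file.
SAMPLE_DNS = {"maritsu": "10.0.0.3"}
SAMPLE_TFTP_FILES = {
    "network-confg": "ip host switch1 10.0.0.21\nip host switch2 10.0.0.22\n",
    "switch1-confg": "hostname switch1\n",
    "router-confg": "hostname Switch\n",
}


def autoconfigure(reply: DhcpReply) -> Dict[str, Optional[str]]:
    """Run the sequence for one reply and report what the switch would do."""
    server = resolve_tftp_server(reply, SAMPLE_DNS)
    return {
        "tftp_server": server,
        "transport": "unicast" if server else "broadcast",
        "config_file": select_config_file(reply, SAMPLE_TFTP_FILES),
    }


if __name__ == "__main__":
    replies = [
        DhcpReply("10.0.0.21", tftp_server_name="maritsu"),      # two-file read
        DhcpReply("10.0.0.22", tftp_server_name="maritsu"),      # mapped, but no switch2-confg
        DhcpReply("10.0.0.23", config_filename="missing-confg",  # unresolvable server name
                  tftp_server_name="no-such-host"),
    ]
    for reply in replies:
        print(reply.ip_address, autoconfigure(reply))
```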
Manually Assigning IP Information

Beginning in privileged EXEC mode, follow these steps to manually assign IP information to multiple switched virtual interfaces (SVIs) or ports:
Command                        Purpose
Step 1 configure terminal      Enter global configuration mode.
Step 2 interface vlan vlan-id  Enter interface configuration mode, and enter the VLAN to which the IP information is assigned.

!
hostname Switch
!
enable secret 5 $1$ej9.$DMUvAUnZOAmvmgqBEzIxE0
!
ip subnet-zero
!
vlan 3020
cluster enable Test 0
cluster member 1 mac-address 0030.9439.0900
cluster member 2 mac-address 0001.425b.

interface GigabitEthernet0/2
 no ip address
 shutdown
!
interface Vlan1
 ip address 172.20.139.133 255.255.255.224
 no ip route-cache
!
ip default-gateway 172.20.139.
CHAPTER 6 Configuring IE2100 CNS Agents

This chapter describes how to configure the Intelligence Engine 2100 (IE2100) Series Cisco Networking Services (CNS) embedded agents on your Catalyst 2950 or Catalyst 2955 switch. To use the feature described in this chapter, you must have the enhanced software image (EI) installed on your switch.

Figure 6-1 Configuration Registrar Architectural Overview (components shown: service provider network; configuration registrar with data service directory, configuration server, and event service; web-based user interface; order entry configuration management)

These sections contain this conceptual information:
• CNS Configuration Service, page 6-2
• CNS Event Service, page 6-3
• What You Should Know About ConfigID, Devi

CNS Event Service

The Configuration Registrar uses the CNS Event Service for receipt and generation of configuration events. The CNS event agent resides on the switch and facilitates the communication between the switch and the event gateway on the Configuration Registrar. The CNS Event Service is a highly scalable publish-and-subscribe communication method.

DeviceID

Each configured switch participating on the event bus has a unique deviceID, which is analogous to the switch source address so that the switch can be targeted as a specific destination on the bus. All switches configured with the cns config partial global configuration command must access the event bus.

Understanding CNS Embedded Agents

The CNS event agent feature allows the switch to publish and subscribe to events on the event bus and works with the CNS configuration agent.

Incremental (Partial) Configuration

After the network is running, new services can be added by using the CNS configuration agent. Incremental (partial) configurations can be sent to the switch. The actual configuration can be sent as an event payload by way of the event gateway (push operation) or as a signal event that triggers the switch to initiate a pull operation.

Table 6-1 Prerequisites for Enabling Automatic Configuration (continued)
Device                          Required Configuration
DHCP server                     • IP address assignment
                                • TFTP server IP address
                                • Path to bootstrap configuration file on the TFTP server
                                • Default gateway IP address
TFTP server                     • Create a bootstrap configuration file that includes the CNS configuration commands that enable the switch to communicate w
IE2100 Configuration Registrar

Enabling the CNS Event Agent

Note You must enable the CNS event agent on the switch before you enable the CNS configuration agent.

Beginning in privileged EXEC mode, follow these steps to enable the CNS event agent on the switch:
Command                    Purpose
Step 1 configure terminal  Enter global configuration mode.

To disable the CNS event agent, use the no cns event {ip-address | hostname} global configuration command.

This example shows how to enable the CNS event agent, set the IP address gateway to 10.180.1.27, set 120 seconds as the keepalive interval, and set 10 as the retry count.
Switch(config)# cns event 10.180.1.

Command                       Purpose
Step 3 config-cli or line-cli  Enter config-cli to connect to the Configuration Registrar through the interface defined in cns config connect-intf. Enter line-cli to connect to the Registrar through modem dialup lines.

Note The config-cli interface configuration command accepts the special directive character & that acts as a placeholder for the interface name.

Command                                                                                                                              Purpose
Step 8 cns config initial {ip-address | hostname} [port-number] [event] [no-persist] [page page] [source ip-address] [syntax-check]  Enable the configuration agent, and initiate an initial configuration.
• For {ip-address | hostname}, enter the IP address or the host name of the configuration server.
• (Optional) For port-number, enter the port number of the configuration server. The default port number is 80.

Enabling a Partial Configuration

Beginning in privileged EXEC mode, follow these steps to enable the CNS configuration agent and to initiate a partial configuration on the switch:
Command                                                                                Purpose
Step 1 configure terminal                                                              Enter global configuration mode.
Step 2 cns config partial {ip-address | hostname} [port-number] [source ip-address]    Enable the configuration agent, and initiate a partial configuration.

Displaying CNS Configuration

You can use the privileged EXEC commands in Table 6-2 to display CNS configuration information.

Table 6-2 Displaying CNS Configuration
Command                      Purpose
show cns config connections  Displays the status of the CNS configuration agent connections.
show cns config outstanding  Displays information about incremental (partial) CNS configurations that have started but are not yet completed.
CHAPTER 7 Clustering Switches

This chapter provides these topics to help you get started with switch clustering:
• Understanding Switch Clusters, page 7-2
• Planning a Switch Cluster, page 7-5
• Creating a Switch Cluster, page 7-20
• Using the CLI to Manage Switch Clusters, page 7-27
• Using SNMP to Manage Switch Clusters, page 7-28

Configuring switch clusters is more easily done from the Cluster Management Suite (CMS) web-based interface than through the command-line interface (CLI).

Understanding Switch Clusters

A switch cluster is a group of connected Catalyst switches that are managed as a single entity. In a switch cluster, 1 switch must be the command switch and up to 15 switches can be member switches. The total number of switches in a cluster cannot exceed 16 switches. The command switch is the single point of access used to configure, manage, and monitor the member switches.

Command Switch Characteristics

A Catalyst 2950 or Catalyst 2955 command switch must meet these requirements:
• It is running Release 12.0(5.2)WC(1) or later.
• It has an IP address.
• It has Cisco Discovery Protocol (CDP) version 2 enabled (the default).
• It is not a command or member switch of another cluster.
• If the Catalyst 2955 command switch is running Release 12.
• If the Catalyst 2950 standby command switch is running Release 12.1(9)EA1 or later, it is connected to other standby switches through its management VLAN and to all member switches through a common VLAN.
• If the Catalyst 2950 standby command switch is running a release earlier than Release 12.1(9)EA1, it is connected to the command switch and to other standby command switches and member switches through its management VLAN.
Candidate Switch and Member Switch Characteristics

Candidate switches are cluster-capable switches that have not yet been added to a cluster. Member switches are switches that have actually been added to a switch cluster. Although not required, a candidate or member switch can have its own IP address and password (for related considerations, see the “IP Addresses” section on page 7-16 and “Passwords” section on page 7-17).

Automatic Discovery of Cluster Candidates and Members

The command switch uses Cisco Discovery Protocol (CDP) to discover member switches, candidate switches, neighboring switch clusters, and edge devices in star or cascaded topologies.

Note Do not disable CDP on the command switch, on cluster members, or on any cluster-capable switches that you might want a command switch to discover.

Figure 7-1 Discovery through CDP Hops (Command Switch Running a Release Earlier than Release 12.1(9)EA1) (callouts: command switch; management VLAN 16; member switch 8; member switch 9; member switch 10; switch 11 (candidate switch); switch 12; switch 13, switch 14, and switch 15 (candidate switches); edge of cluster)

Figure 7-2 Discovery through CDP Hops (Command Switch Running Release 12.

Discovery through Non-CDP-Capable and Noncluster-Capable Devices

If a command switch is connected to a non-CDP-capable third-party hub (such as a non-Cisco hub), it can discover cluster-enabled devices connected to that third-party hub. However, if the command switch is connected to a noncluster-capable Cisco device, it cannot discover a cluster-enabled device connected beyond the noncluster-capable Cisco device.

Discovery through the Same Management VLAN

A Catalyst 2900 XL command switch, a Catalyst 2950 command switch running a release earlier than Release 12.1(9)EA1, or a Catalyst 3500 XL command switch must connect to all cluster members through its management VLAN. The default management VLAN is VLAN 1. For more information about management VLANs, see the “Management VLAN” section on page 7-19.

Discovery through Different Management VLANs

We recommend using a Catalyst 3550 command switch, a Catalyst 2955 command switch running Release 12.1(12c)EA1 or later, or a Catalyst 2950 command switch running Release 12.1(9)EA1 or later. These command switches can discover and manage member switches in different VLANs and different management VLANs. Catalyst 3550 member switches, Catalyst 2955 member switches running Release 12.

Figure: Discovery through Different Management VLANs with a Layer 3 Command Switch (callouts: Catalyst 3550 command switch; Catalyst 3550 standby command switch; VLAN trunk 4, 62; VLAN 9; VLAN 16; VLAN 62; Switch 3 (management VLAN 16); Switch 4 (management VLAN 16); Switch 5 (management VLAN 62); Switch 7 (management VLAN 4); Switch 9 (manag; Catalyst 1900, Catalyst 2820, Catalyst 2900 XL, Catalyst 2950, Catalyst 2955, and Catalyst 3500 XL switches)

Figure 7-7 Discovery of Newly Installed Switches in the Same Management VLAN (callouts: command switch; VLAN 16; AP; Catalyst 3500 XL switch (Management VLAN 16); Catalyst 2950 switch (Management VLAN 16); new (out-of-box) Catalyst 2900 LRE XL switch; new (out-of-box) Catalyst 2950 switch)

Figure 7-8 Discovery of Newly Installed Switches in Different Management VLANs (callouts: command switch; Catalyst 2950 switch (Management VLA

• When the command switch is a Catalyst 3550 switch, all standby command switches must be Catalyst 3550 switches.
• When the command switch is a Catalyst 2955 switch running Release 12.1(12c)EA1 or later, all standby command switches must be Catalyst 2955 switches running Release 12.1(12c)EA1 or later.
• When the command switch is a Catalyst 2950 switch running Release 12.

If the active command switch fails, the standby command switch assumes ownership of the virtual IP address and becomes the active command switch. The passive switches in the cluster standby group compare their assigned priorities to determine the new standby command switch. The passive standby switch with the highest priority then becomes the standby command switch.

• Each standby-group member (Figure 7-9) must be connected to the command switch through its management VLAN. Each standby-group member must also be redundantly connected to each other through the management VLAN. Catalyst 1900, Catalyst 2820, Catalyst 2900 XL, Catalyst 2950, Catalyst 2955, and Catalyst 3500 XL member switches must be connected to the cluster standby group through their management VLANs.

Automatic discovery has these limitations:
• This limitation applies only to clusters that have Catalyst 2950, Catalyst 2955, and Catalyst 3550 command and standby command switches: If the active command switch and standby command switch become disabled at the same time, the passive command switch with the highest priority becomes the active command switch.

Host Names

You do not need to assign a host name to either a command switch or an eligible cluster member. However, a host name assigned to the command switch can help to identify the switch cluster. The default host name for the switch is Switch. If a switch joins a cluster and it does not have a host name, the command switch appends a unique member number to its own host name and assigns it sequentially as each switch joins the cluster.

TACACS+ and RADIUS

Inconsistent authentication configurations in switch clusters cause CMS to continually prompt for a user name and password. If Terminal Access Controller Access Control System Plus (TACACS+) is configured on a cluster member, it must be configured on all cluster members. Similarly, if Remote Authentication Dial-In User Service (RADIUS) is configured on a cluster member, it must be configured on all cluster members.

Management VLAN

Communication with the switch management interfaces is through the command-switch IP address. The IP address is associated with the management VLAN, which by default is VLAN 1. To manage switches in a cluster, the command switch, member switches, and candidate switches must be connected through ports assigned to the command-switch management VLAN.

Note
• If the command switch is a Catalyst 2950 running Release 12.

Availability of Switch-Specific Features in Switch Clusters

The menu bar on the command switch displays all options available from the switch cluster. Therefore, features specific to a member switch are available from the command-switch menu bar. For example, Device > LRE Profile appears in the command-switch menu bar when at least one Catalyst 2900 LRE XL switch is in the cluster.

If you did not enable a command switch during initial switch setup, launch Device Manager from a command-capable switch, and select Cluster > Create Cluster. Enter a cluster number (the default is 0), and use up to 31 characters to name the cluster (Figure 7-10). Instead of using CMS to enable a command switch, you can use the cluster enable global configuration command.

If a candidate switch in the group has a password different from the group, only that specific candidate switch is not added to the cluster. When a candidate switch joins a cluster, it inherits the command-switch password. For more information about setting passwords, see the “Passwords” section on page 7-17. For additional authentication considerations in switch clusters, see the “TACACS+ and RADIUS” section on page 7-18.

(Figure callouts: a thin line means a connection to a candidate switch. Right-click a candidate switch to display the pop-up menu, and select Add to Cluster to add the switch to the cluster.)

• When the command switch is a Catalyst 3550 switch, all standby command switches must be Catalyst 3550 switches.
• When the command switch is a Catalyst 2955 switch running Release 12.1(12c)EA1 or later, all standby command switches must be Catalyst 2955 switches running Release 12.1(12c)EA1 or later.
• When the command switch is a Catalyst 2950 switch running Release 12.

Figure 7-13 Standby Command Configuration Window (callouts: active command switch; standby command switch; must be a valid IP address in the same subnet as the active command switch; once entered, this information cannot be changed; switches listed in the window: 3550C (cisco WS-C3550-C-24, HC, ...), NMS-3550-12T-149 (cisco WS-C3550-1, 3550-150 (cisco WS-C3550-12T, SC, ...))

Verifying a Switch Cluster

When you finish adding cluster members, follow these steps to verify the cluster:
Step 1 Enter the command switch IP address in the browser Location field (Netscape Communicator) or Address field (Microsoft Internet Explorer) to access all switches in the cluster.
Step 2 Enter the command-switch password.
Step 3 Select View > Topology to display the cluster topology and to view link information.
Chapter 7 Clustering Switches Using the CLI to Manage Switch Clusters Using the CLI to Manage Switch Clusters You can configure member switches from the CLI by first logging into the command switch. Enter the rcommand user EXEC command and the member switch number to start a Telnet session (through a console or Telnet connection) and to access the member switch CLI. The command mode changes, and the IOS commands operate as usual.
Chapter 7 Clustering Switches Using SNMP to Manage Switch Clusters Using SNMP to Manage Switch Clusters When you first power on the switch, SNMP is enabled if you enter the IP information by using the setup program and accept its proposed configuration. If you did not use the setup program to enter the IP information and SNMP was not enabled, you can enable it as described in the “Configuring SNMP” section on page 25-5. On Catalyst 1900 and Catalyst 2820 switches, SNMP is enabled by default.
Chapter 8 Administering the Switch

This chapter describes how to perform one-time operations to administer your Catalyst 2950 or Catalyst 2955 switch.

Managing the System Time and Date

The system clock can provide time to these services:
• User show commands
• Logging and debugging messages
The system clock keeps track of time internally based on Coordinated Universal Time (UTC), also known as Greenwich Mean Time (GMT). You can configure information about the local time zone and summer time (daylight saving time) so that the time is correctly displayed for the local time zone.

Several manufacturers include NTP software for their host systems, and a publicly available version for systems running UNIX and its various derivatives is also available. This software allows host systems to be time-synchronized as well.

Default NTP Configuration

Table 8-1 shows the default NTP configuration.

Table 8-1 Default NTP Configuration
Feature                           Default Setting
NTP authentication                Disabled. No authentication key is specified.
NTP peer or server associations   None configured.
NTP broadcast service             Disabled; no interface sends or receives NTP broadcast packets.
NTP access restrictions           No access control is specified.

Command Purpose
Step 5 end  Return to privileged EXEC mode.
Step 6 show running-config  Verify your entries.
Step 7 copy running-config startup-config  (Optional) Save your entries in the configuration file.
To disable NTP authentication, use the no ntp authenticate global configuration command. To remove an authentication key, use the no ntp authentication-key number global configuration command.

Command Purpose
Step 3 end  Return to privileged EXEC mode.
Step 4 show running-config  Verify your entries.
Step 5 copy running-config startup-config  (Optional) Save your entries in the configuration file.
You need to configure only one end of an association; the other device can automatically establish the association.

Command Purpose
Step 6 copy running-config startup-config  (Optional) Save your entries in the configuration file.
Step 7 Configure the connected peers to receive NTP broadcast packets as described in the next procedure.
To disable the interface from sending NTP broadcast packets, use the no ntp broadcast interface configuration command.

Creating an Access Group and Assigning a Basic IP Access List

Beginning in privileged EXEC mode, follow these steps to control access to NTP services by using access lists:
Command Purpose
Step 1 configure terminal  Enter global configuration mode.
Step 2 ntp access-group {query-only | serve-only | serve | peer} access-list-number  Create an access group, and apply a basic IP access list.

If the source IP address matches the access lists for more than one access type, the first type is granted. If no access groups are specified, all access types are granted to all devices. If any access groups are specified, only the specified access types are granted. Because the unrestricted default answers any device that can reach the switch, configure at least a peer access group that permits only your real time sources. To remove access control to the switch NTP services, use the no ntp access-group {query-only | serve-only | serve | peer} global configuration command.
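The access-group evaluation described above, as an added example (this is not code from the Cisco guide). It models the rule that the first access type whose list permits the source wins, the all-open default when no group is configured, and the implicit deny of a standard IOS ACL; the scan order peer, serve, serve-only, query-only is assumed from Cisco's documentation of the command, and the ACL numbers, addresses and "known time sources" are constructed for the example. The audit function flags the two configurations a reviewer cares about: NTP left open, and a peer list wider than the hosts the switch should ever synchronize to.

```python
"""Model of how IOS evaluates ntp access-group restrictions.

Added example, not code from the Cisco guide. It assumes the scan order
Cisco documents for this command (peer, serve, serve-only, query-only,
least restrictive first) and standard numbered ACLs with wildcard masks.
The ACLs and access groups below are constructed for the example.
"""
import ipaddress

# Scan order: the first access type whose ACL permits the source decides.
# Assumption: this is the documented order, least restrictive first.
ACCESS_TYPES = ("peer", "serve", "serve-only", "query-only")


def acl_permits(acl, source_ip):
    """Evaluate a standard IP ACL given as [(action, network, wildcard)]."""
    src = int(ipaddress.IPv4Address(source_ip))
    for action, network, wildcard in acl:
        net = int(ipaddress.IPv4Address(network))
        wild = int(ipaddress.IPv4Address(wildcard))
        # A wildcard bit of 1 means "don't care"; compare only the 0 bits.
        if ((src & ~wild) & 0xFFFFFFFF) == ((net & ~wild) & 0xFFFFFFFF):
            return action == "permit"
    return False  # implicit deny at the end of every IOS ACL


def ntp_access(access_groups, acls, source_ip):
    """Return the access granted to source_ip: 'all', one of ACCESS_TYPES, or None."""
    if not access_groups:
        return "all"  # no ntp access-group configured: every type is granted
    for access_type in ACCESS_TYPES:
        acl_number = access_groups.get(access_type)
        if acl_number is not None and acl_permits(acls[acl_number], source_ip):
            return access_type
    return None  # some group is configured and none permits this source


def audit_access_groups(access_groups, acls, known_sources):
    """Findings a reviewer would raise: NTP left open, or a peer list wider than the real sources."""
    if not access_groups:
        return ["no ntp access-group: every reachable host may query, be served, and act as a peer"]
    peer_acl = access_groups.get("peer")
    if peer_acl is None:
        return ["no peer access group: no source passes the peer check, so the switch cannot synchronize"]
    findings = []
    for action, network, wildcard in acls[peer_acl]:
        if action == "permit" and (wildcard != "0.0.0.0" or network not in known_sources):
            findings.append(f"peer entry {network} {wildcard} is wider than the known time sources")
    return findings


# Constructed configuration: peer only with two time sources, serve-only to
# the management subnet, everything else dropped by the implicit deny.
ACLS = {
    10: [("permit", "10.1.1.1", "0.0.0.0"), ("permit", "10.1.1.2", "0.0.0.0")],
    20: [("permit", "10.10.0.0", "0.0.255.255")],
    30: [("permit", "10.1.0.0", "0.0.255.255")],  # too wide for a peer group
}
ACCESS_GROUPS = {"peer": 10, "serve-only": 20}
KNOWN_SOURCES = {"10.1.1.1", "10.1.1.2"}

if __name__ == "__main__":
    for ip in ("10.1.1.1", "10.10.5.5", "192.0.2.9"):
        print(ip, ntp_access(ACCESS_GROUPS, ACLS, ip))
    print(audit_access_groups({"peer": 30, "serve-only": 20}, ACLS, KNOWN_SOURCES))
```

Run it against the access groups and ACLs taken from a real configuration to see which access type a given source address ends up with; a host that should only be served but lands in "peer" can resynchronize the switch.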
Beginning in privileged EXEC mode, follow these steps to configure a specific interface from which the IP source address is to be taken:
Command Purpose
Step 1 configure terminal  Enter global configuration mode.
Step 2 ntp source type number  Specify the interface type and number from which the IP source address is taken. By default, the source address is determined by the outgoing interface.

Setting the System Clock

If you have an outside source on the network that provides time services, such as an NTP server, you do not need to manually set the system clock.
Beginning in privileged EXEC mode, follow these steps to set the system clock:
Command Purpose
Step 1 clock set hh:mm:ss day month year  Manually set the system clock using one of these formats.

Configuring the Time Zone

Beginning in privileged EXEC mode, follow these steps to manually configure the time zone:
Command Purpose
Step 1 configure terminal  Enter global configuration mode.
Step 2 clock timezone zone hours-offset [minutes-offset]  Set the time zone. The switch keeps internal time in Coordinated Universal Time (UTC), so this command is used only for display purposes and when the time is manually set.

Configuring Summer Time (Daylight Saving Time)

Beginning in privileged EXEC mode, follow these steps to configure summer time (daylight saving time) in areas where it starts and ends on a particular day of the week each year:
Command Purpose
Step 1 configure terminal  Enter global configuration mode.
Step 2 clock summer-time zone recurring  Configure summer time to start and end on the specified days every year.

Beginning in privileged EXEC mode, follow these steps if summer time in your area does not follow a recurring pattern (configure the exact date and time of the next summer time events):
Command Purpose
Step 1 configure terminal  Enter global configuration mode.
Step 2 clock summer-time zone date [month date year hh:mm month date year hh:mm  Configure summer time to start on the first date and end on the second date.

Configuring a System Name and Prompt

You configure the system name on the switch to identify it. By default, the system name and prompt are Switch. If you have not configured a system prompt, the first 20 characters of the system name are used as the system prompt. A greater-than symbol [>] is appended.

Configuring a System Prompt

Beginning in privileged EXEC mode, follow these steps to manually configure a system prompt:
Command Purpose
Step 1 configure terminal  Enter global configuration mode.
Step 2 prompt string  Configure the command-line prompt to override the setting from the hostname command.

Default DNS Configuration

Table 8-2 shows the default DNS configuration.

Table 8-2 Default DNS Configuration
Feature                   Default Setting
DNS enable state          Enabled.
DNS default domain name   None configured.
DNS servers               No name server addresses are configured.

domain name is the value set by the ip domain-name global configuration command. If there is a period (.) in the hostname, the IOS software looks up the IP address without appending any default domain name to the hostname. To remove a domain name, use the no ip domain-name name global configuration command. To remove a name server address, use the no ip name-server server-address global configuration command.

Configuring a Message-of-the-Day Login Banner

You can create a single or multiline message banner that appears on the screen when someone logs in to the switch.
Beginning in privileged EXEC mode, follow these steps to configure a MOTD login banner:
Command Purpose
Step 1 configure terminal  Enter global configuration mode.
Step 2 banner motd c message c  Specify the message of the day.

Configuring a Login Banner

You can configure a login banner to be displayed on all connected terminals. This banner appears after the MOTD banner and before the login prompt.
Beginning in privileged EXEC mode, follow these steps to configure a login banner:
Command Purpose
Step 1 configure terminal  Enter global configuration mode.
Step 2 banner login c message c  Specify the login message.

Managing the MAC Address Table

This section contains this configuration information:
• Building the Address Table, page 8-21
• MAC Addresses and VLANs, page 8-21
• Default MAC Address Table Configuration, page 8-22
• Changing the Address Aging Time, page 8-22
• Removing Dynamic Address Entries, page 8-23
• Configuring MAC Address Notification Traps, page 8-23
• Adding and Removing Static Address Entries, page 8-25
• Adding and Removing Secure Addresses, pa

Default MAC Address Table Configuration

Table 8-3 shows the default MAC address table configuration.

Table 8-3 Default MAC Address Table Configuration
Feature             Default Setting
Aging time          300 seconds
Dynamic addresses   Automatically learned
Static addresses    None configured

Changing the Address Aging Time

Dynamic addresses are source MAC addresses that the switch learns and then ages when they are not in use.

Removing Dynamic Address Entries

To remove all dynamic entries, use the clear mac address-table dynamic command in privileged EXEC mode.

Command Purpose
Step 5 mac address-table notification [interval value] | [history-size value]  Enter the trap interval time and the history table size.
• (Optional) For interval value, specify the notification trap interval in seconds between each set of traps that are generated to the NMS. The range is 0 to 2147483647 seconds; the default is 1 second.

Adding and Removing Static Address Entries

A static address has these characteristics:
• It is manually entered in the address table and must be manually removed.
• It can be a unicast or multicast address.
• It does not age and is retained when the switch restarts.
You can add and remove static addresses and define the forwarding behavior for them.

Adding and Removing Secure Addresses

A secure address is a manually entered unicast address or dynamically learned address that is forwarded to only one port per VLAN. If you enter a static address that is already assigned to another port, the request is rejected. Secure addresses can be learned dynamically if the configured secure addresses do not reach the maximum limit of the port.

Managing the ARP Table

To communicate with a device (over Ethernet, for example), the software first must determine the 48-bit MAC or the local data link address of that device. The process of determining the local data link address from an IP address is called address resolution. The Address Resolution Protocol (ARP) associates a host IP address with the corresponding media or MAC addresses and the VLAN ID.

Catalyst 2950 and Catalyst 2955 Switch Software Configuration Guide 8-28 78-11380-07
Chapter 9 Configuring Switch-Based Authentication

This chapter describes how to configure switch-based authentication on the Catalyst 2950 or Catalyst 2955 switch.

Protecting Access to Privileged EXEC Commands

A simple way of providing terminal access control in your network is to use passwords and assign privilege levels. Password protection restricts access to a network or network device. Privilege levels define what commands users can enter after they have logged into a network device.

Setting or Changing a Static Enable Password

The enable password controls access to the privileged EXEC mode.
Beginning in privileged EXEC mode, follow these steps to set or change a static enable password:
Command Purpose
Step 1 configure terminal  Enter global configuration mode.
Step 2 enable password password  Define a new password or change an existing password for access to privileged EXEC mode.

Protecting Enable and Enable Secret Passwords with Encryption

To provide an additional layer of security, particularly for passwords that cross the network or that are stored on a Trivial File Transfer Protocol (TFTP) server, you can use either the enable password or enable secret global configuration commands. The two are not equivalent: enable password stores the password in clear text, or under the reversible type 7 encoding if service password-encryption is set, whereas enable secret stores a one-way MD5 hash (type 5). Prefer enable secret; anyone who can read a configuration that contains an enable password can recover it.

If both the enable and enable secret passwords are defined, users must enter the enable secret password. Use the level keyword to define a password for a specific privilege level. After you specify the level and set a password, give the password only to users who need to have access at this level. Use the privilege level global configuration command to specify commands accessible at various levels.

To remove the password, use the no password line configuration command.
This example shows how to set the Telnet password to let45me67in89:
Switch(config)# line vty 10
Switch(config-line)# password let45me67in89

Configuring Username and Password Pairs

You can configure username and password pairs, which are locally stored on the switch.
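The difference between enable password and enable secret described above, as an added example (not code from the Cisco guide): a small audit of a running configuration that decodes type 7 strings with the publicly known fixed XOR key, reports clear-text password lines, and leaves type 5 (MD5) secrets alone because they cannot be reversed from the configuration. The configuration excerpt, including the placeholder hash on the enable secret line, is constructed for the example; the type 7 value 094F471A1A0A is the well-known encoding of "cisco".

```python
"""Audit of password storage in an IOS configuration.

Added example, not code from the Cisco guide. It decodes type 7 strings
(what service password-encryption and a type-7 enable password produce)
to show they are reversible, and treats enable secret 5 (MD5) as the only
one-way form. The configuration below is constructed for the example.
"""
import re

# Fixed XOR key of the IOS type 7 scheme (publicly known).
TYPE7_KEY = b"dsfd;kfoA,.iyewrkldJKDHSUBsgvca69834ncxv"


def type7_decode(encoded):
    """Reverse a type 7 string: two-digit seed, then hex bytes XORed with the key."""
    seed = int(encoded[:2])
    data = bytes.fromhex(encoded[2:])
    return bytes(b ^ TYPE7_KEY[(seed + i) % len(TYPE7_KEY)]
                 for i, b in enumerate(data)).decode()


def type7_encode(plain, seed=9):
    """Forward direction, used here only for round-trip checks; seed is the key offset."""
    out = bytes(ord(c) ^ TYPE7_KEY[(seed + i) % len(TYPE7_KEY)]
                for i, c in enumerate(plain))
    return f"{seed:02d}" + out.hex().upper()


# keyword, optional type digit, value; covers enable, line and username passwords
PASSWORD_LINE = re.compile(
    r"^\s*(enable password|enable secret|password|username \S+ (?:privilege \d+ )?password)"
    r"\s+(?:(\d)\s+)?(\S+)")


def audit_config(config_text):
    """Return (line, finding) for every password the configuration gives away."""
    findings = []
    for line in config_text.splitlines():
        m = PASSWORD_LINE.match(line)
        if not m:
            continue
        keyword, ptype, value = m.group(1), m.group(2), m.group(3)
        if keyword == "enable secret" and ptype == "5":
            continue  # MD5 hash: not recoverable from the configuration alone
        if ptype == "7":
            findings.append((line.strip(), f"type 7 is reversible: {type7_decode(value)}"))
        elif ptype in (None, "0"):
            findings.append((line.strip(), f"stored in clear text: {value}"))
    if "service password-encryption" not in config_text:
        findings.append(("(global)",
                         "service password-encryption is not set; password lines are stored in clear text"))
    return findings


# Constructed running-config excerpt; the $1$ value is a placeholder, not a real hash.
SAMPLE_CONFIG = """\
hostname Switch
enable secret 5 $1$abcd$xxxxxxxxxxxxxxxxxxxxxx
enable password 7 094F471A1A0A
username admin privilege 15 password 0 let45me67in89
line vty 0 4
 password 7 094F471A1A0A
 login
"""

if __name__ == "__main__":
    for where, finding in audit_config(SAMPLE_CONFIG):
        print(f"{where}: {finding}")
```

Feed it the output of show running-config (or a copy pulled from a TFTP server) to see exactly what an attacker with read access to the file would obtain; only the enable secret line survives the audit.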
Configuring Multiple Privilege Levels

By default, the IOS software has two modes of password security: user EXEC and privileged EXEC. You can configure up to 16 hierarchical levels of commands for each mode. By configuring multiple passwords, you can allow different sets of users to have access to specified commands.

When you set a command to a privilege level, all commands whose syntax is a subset of that command are also set to that level. For example, if you set the show ip traffic command to level 15, the show commands and show ip commands are automatically set to privilege level 15 unless you set them individually to different levels. In practice, raising one show subcommand also takes show and show ip away from lower-level users until you set those prefixes back individually, so after each change log in from a lower-level session and confirm that the commands those users need still execute.
Logging into and Exiting a Privilege Level

Beginning in privileged EXEC mode, follow these steps to log in to a specified privilege level and to exit to a specified privilege level:
Command Purpose
Step 1 enable level  Log in to a specified privilege level. For level, the range is 0 to 15.
Step 2 disable level  Exit to a specified privilege level. For level, the range is 0 to 15.

Controlling Switch Access with TACACS+

Figure 9-1 Typical TACACS+ Network Configuration (figure: two UNIX workstations, TACACS+ server 1 at 171.20.10.7 and TACACS+ server 2 at 171.20.10.8, a Catalyst 6500 series switch, and Catalyst 2950 or 3550 switches)
Configure the switches with the TACACS+ server addresses. Set an authentication key (also configure the same key on the TACACS+ servers). Enable AAA. Create a login authentication method list.

TACACS+ Operation

When a user attempts a simple ASCII login by authenticating to a switch using TACACS+, this process occurs:
1. When the connection is established, the switch contacts the TACACS+ daemon to obtain a username prompt, which is then displayed to the user. The user enters a username, and the switch then contacts the TACACS+ daemon to obtain a password prompt.
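The first packet of the exchange above (the switch's authentication START for an ASCII login) at the wire level, as an added example that is not code from the Cisco guide. It builds the 12-byte TACACS+ header and applies the body obfuscation from RFC 8907: the body is XORed with a pseudo-pad made of chained MD5 digests over the session id, the shared key, the version and the sequence number. That shows what the "authentication key" in the procedure actually buys: the key is the only thing hiding usernames and passwords on the wire, and a wrong key yields garbage rather than an error. The key, session id, user, port and remote address are constructed for the example.

```python
"""TACACS+ packet framing and body obfuscation (RFC 8907).

Added example, not code from the Cisco guide. It builds the 12-byte header
and applies the MD5-derived pseudo-pad that hides the body under the shared
key, to show that the key is the only protection on the wire.
"""
import hashlib
import struct

TAC_PLUS_MAJOR_VER = 0xC  # version byte = major << 4 | minor
TAC_PLUS_AUTHEN = 1       # packet type: authentication
TAC_PLUS_UNENCRYPTED_FLAG = 0x01


def pseudo_pad(session_id, key, version, seq_no, length):
    """pad_1 = MD5(session_id|key|version|seq_no); pad_n = MD5(... |pad_{n-1}); concatenate."""
    prefix = struct.pack("!I", session_id) + key + bytes([version, seq_no])
    pad, last = b"", b""
    while len(pad) < length:
        last = hashlib.md5(prefix + last).digest()
        pad += last
    return pad[:length]


def obfuscate(body, session_id, key, version, seq_no):
    """XOR is its own inverse, so the same call both hides and reveals a body."""
    pad = pseudo_pad(session_id, key, version, seq_no, len(body))
    return bytes(b ^ p for b, p in zip(body, pad))


def build_packet(ptype, seq_no, session_id, body, key, minor=0):
    """Header: version, type, seq_no, flags, session_id, length; body obfuscated."""
    version = (TAC_PLUS_MAJOR_VER << 4) | minor
    flags = 0  # unencrypted flag cleared: the body is obfuscated under the key
    hidden = obfuscate(body, session_id, key, version, seq_no)
    header = struct.pack("!BBBBII", version, ptype, seq_no, flags, session_id, len(hidden))
    return header + hidden


def parse_packet(packet, key):
    """Return (header fields, clear body). A wrong key silently yields a garbage body."""
    version, ptype, seq_no, flags, session_id, length = struct.unpack("!BBBBII", packet[:12])
    hidden = packet[12:12 + length]
    if len(hidden) != length:
        raise ValueError("truncated packet")
    if flags & TAC_PLUS_UNENCRYPTED_FLAG:
        body = hidden
    else:
        body = obfuscate(hidden, session_id, key, version, seq_no)
    return {"version": version, "type": ptype, "seq_no": seq_no, "flags": flags,
            "session_id": session_id, "length": length}, body


def authen_start_body(user, port, rem_addr, action=1, priv_lvl=1, authen_type=1, service=1):
    """Authentication START body for an ASCII login (action login, type ASCII, service login)."""
    u, p, r, data = user.encode(), port.encode(), rem_addr.encode(), b""
    return (bytes([action, priv_lvl, authen_type, service, len(u), len(p), len(r), len(data)])
            + u + p + r + data)


# Constructed session: the switch's first packet of an ASCII login.
KEY = b"SharedKey123"
SESSION_ID = 0x1A2B3C4D
START = authen_start_body("admin", "tty1", "10.0.0.5")
PACKET = build_packet(TAC_PLUS_AUTHEN, 1, SESSION_ID, START, KEY)

if __name__ == "__main__":
    header, body = parse_packet(PACKET, KEY)
    print(header, body)
    print(parse_packet(PACKET, b"wrong-key")[1])
```

The server's REPLY carrying the username prompt and the switch's CONTINUE carrying the typed username use the same framing with seq_no 2 and 3; only the body layout differs.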
This section contains this configuration information:
• Default TACACS+ Configuration, page 9-12
• Identifying the TACACS+ Server Host and Setting the Authentication Key, page 9-12
• Configuring TACACS+ Login Authentication, page 9-13
• Configuring TACACS+ Authorization for Privileged EXEC Access and Network Services, page 9-15
• Starting TACACS+ Accounting, page 9-16

Default TACACS+ Configuration

TACACS+ a

Command Purpose
Step 4 aaa group server tacacs+ group-name  (Optional) Define the AAA server-group with a group name. This command puts the switch in a server group subconfiguration mode.
Step 5 server ip-address  (Optional) Associate a particular TACACS+ server with the defined server group. Repeat this step for each TACACS+ server in the AAA server group.

Beginning in privileged EXEC mode, follow these steps to configure login authentication:
Command Purpose
Step 1 configure terminal  Enter global configuration mode.
Step 2 aaa new-model  Enable AAA.
Step 3 aaa authentication login {default | list-name} method1 [method2...]  Create a login authentication method list.

To disable AAA, use the no aaa new-model global configuration command. To disable AAA authentication, use the no aaa authentication login {default | list-name} method1 [method2...] global configuration command. To either disable TACACS+ authentication for logins or to return to the default value, use the no login authentication {default | list-name} line configuration command.

Starting TACACS+ Accounting

The AAA accounting feature tracks the services that users are accessing and the amount of network resources that they are consuming. When AAA accounting is enabled, the switch reports user activity to the TACACS+ security server in the form of accounting records. Each accounting record contains accounting attribute-value (AV) pairs and is stored on the security server.

Controlling Switch Access with RADIUS

This section describes how to enable and configure the Remote Authentication Dial-In User Service (RADIUS), which provides detailed accounting information and flexible administrative control over authentication and authorization processes. RADIUS is facilitated through AAA and can be enabled only through AAA commands.

RADIUS is not suitable in these network security situations:
• Multiprotocol access environments. RADIUS does not support AppleTalk Remote Access (ARA), NetBIOS Frame Control Protocol (NBFCP), NetWare Asynchronous Services Interface (NASI), or X.25 PAD connections.
• Switch-to-switch or router-to-router situations. RADIUS does not provide two-way authentication.

Configuring RADIUS

This section describes how to configure your switch to support RADIUS. At a minimum, you must identify the host or hosts that run the RADIUS server software and define the method lists for RADIUS authentication. You can optionally define method lists for RADIUS authorization and accounting.

You identify RADIUS security servers by their host name or IP address, host name and specific UDP port numbers, or their IP address and specific UDP port numbers. The combination of the IP address and the UDP port number creates a unique identifier, allowing different ports to be individually defined as RADIUS hosts providing a specific AAA service.

Beginning in privileged EXEC mode, follow these steps to configure per-server RADIUS server communication. This procedure is required.
Command Purpose
Step 1 configure terminal  Enter global configuration mode.

This example shows how to configure one RADIUS server to be used for authentication and another to be used for accounting:
Switch(config)# radius-server host 172.29.36.49 auth-port 1612 key rad1
Switch(config)# radius-server host 172.20.36.

Command Purpose
Step 3 aaa authentication login {default | list-name} method1 [method2...]  Create a login authentication method list.
• To create a default list that is used when a named list is not specified in the login authentication command, use the default keyword followed by the methods that are to be used in default situations. The default method list is automatically applied to all interfaces.

To disable AAA, use the no aaa new-model global configuration command. To disable AAA authentication, use the no aaa authentication login {default | list-name} method1 [method2...] global configuration command. To either disable RADIUS authentication for logins or to return to the default value, use the no login authentication {default | list-name} line configuration command.

Beginning in privileged EXEC mode, follow these steps to define the AAA server group and associate a particular RADIUS server with it:
Command Purpose
Step 1 configure terminal  Enter global configuration mode.

Command Purpose
Step 8 copy running-config startup-config  (Optional) Save your entries in the configuration file.
Step 9 Enable RADIUS login authentication. See the “Configuring RADIUS Login Authentication” section on page 9-22.
To remove the specified RADIUS server, use the no radius-server host {hostname | ip-address} global configuration command.

Beginning in privileged EXEC mode, follow these steps to specify RADIUS authorization for privileged EXEC access and network services:
Command Purpose
Step 1 configure terminal  Enter global configuration mode.
Step 2 aaa authorization network radius  Configure the switch for user RADIUS authorization for all network-related service requests.

Configuring Settings for All RADIUS Servers

Beginning in privileged EXEC mode, follow these steps to configure global communication settings between the switch and all RADIUS servers:
Command Purpose
Step 1 configure terminal  Enter global configuration mode.
Step 2 radius-server key string  Specify the shared secret text string used between the switch and all RADIUS servers. This secret is the only protection on RADIUS traffic between the switch and the server: it hides the user password and authenticates the server's replies, so use a long random string and restrict which hosts the server accepts as clients.

For example, this AV pair activates Cisco's multiple named ip address pools feature during IP authorization (during PPP's IPCP address assignment):
cisco-avpair="ip:addr-pool=first"
This example shows how to provide a user logging in from a switch with immediate access to privileged EXEC commands:
cisco-avpair="shell:priv-lvl=15"
This example shows how to specify an authorized VLAN in the RADIUS server database:
ci
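The role of the shared secret, and the cisco-avpair attribute shown above, at the packet level, as an added example that is not code from the Cisco guide. It builds an Access-Request the way RFC 2865 specifies (User-Password hidden by XOR with MD5 of the secret and the Request Authenticator, chained per 16-byte block), encodes shell:priv-lvl=15 as a Vendor-Specific attribute (type 26, vendor id 9, vendor type 1), and verifies the Response Authenticator of an Access-Accept. The secret, user, password and a fixed Request Authenticator are constructed for the example; a real client must draw the authenticator from a strong random source.

```python
"""RADIUS Access-Request construction and reply verification (RFC 2865).

Added example, not code from the Cisco guide. It hides User-Password with
the shared secret, encodes a Cisco vendor-specific cisco-avpair attribute,
and checks a reply's Response Authenticator. The secret, names and the
fixed Request Authenticator are constructed for the example.
"""
import hashlib
import struct

ACCESS_REQUEST, ACCESS_ACCEPT = 1, 2
ATTR_USER_NAME, ATTR_USER_PASSWORD, ATTR_VENDOR_SPECIFIC = 1, 2, 26
CISCO_VENDOR_ID, CISCO_AVPAIR = 9, 1


def hide_password(password, secret, request_auth):
    """Pad to 16-byte blocks; c_i = p_i XOR MD5(secret + c_{i-1}) with c_0 = Request Authenticator."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        b = hashlib.md5(secret + prev).digest()
        prev = bytes(x ^ y for x, y in zip(padded[i:i + 16], b))
        out += prev
    return out


def reveal_password(hidden, secret, request_auth):
    """Inverse of hide_password; trailing NUL padding is stripped."""
    out, prev = b"", request_auth
    for i in range(0, len(hidden), 16):
        b = hashlib.md5(secret + prev).digest()
        out += bytes(x ^ y for x, y in zip(hidden[i:i + 16], b))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")


def attr(atype, value):
    """Type, length (including these two bytes), value."""
    return struct.pack("!BB", atype, 2 + len(value)) + value


def cisco_avpair(text):
    """VSA: attribute 26 carrying vendor id 9, vendor type 1 (cisco-avpair), vendor length, string."""
    v = text.encode()
    return attr(ATTR_VENDOR_SPECIFIC,
                struct.pack("!I", CISCO_VENDOR_ID) + struct.pack("!BB", CISCO_AVPAIR, 2 + len(v)) + v)


def access_request(ident, user, password, secret, request_auth):
    attrs = attr(ATTR_USER_NAME, user.encode()) + attr(
        ATTR_USER_PASSWORD, hide_password(password.encode(), secret, request_auth))
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + request_auth + attrs


def response_authenticator(code, ident, attrs, request_auth, secret):
    """MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    return hashlib.md5(header + request_auth + attrs + secret).digest()


def access_accept(ident, request_auth, secret, attrs):
    auth = response_authenticator(ACCESS_ACCEPT, ident, attrs, request_auth, secret)
    return struct.pack("!BBH", ACCESS_ACCEPT, ident, 20 + len(attrs)) + auth + attrs


def verify_reply(reply, request_auth, secret):
    """True only if the reply was produced for this request by a holder of the secret."""
    code, ident, length = struct.unpack("!BBH", reply[:4])
    if length != len(reply):
        return False
    attrs = reply[20:]
    return reply[4:20] == response_authenticator(code, ident, attrs, request_auth, secret)


def parse_attrs(data):
    """Return [(type, value)] from a RADIUS attribute block."""
    out, i = [], 0
    while i < len(data):
        atype, alen = data[i], data[i + 1]
        out.append((atype, data[i + 2:i + alen]))
        i += alen
    return out


# Constructed exchange: the switch authenticates "admin"; the server grants priv-lvl 15.
SECRET = b"rad123"
REQ_AUTH = bytes(range(16))  # fixed for reproducibility; use os.urandom(16) in practice
REQUEST = access_request(7, "admin", "let45me67in89", SECRET, REQ_AUTH)
ACCEPT = access_accept(7, REQ_AUTH, SECRET, cisco_avpair("shell:priv-lvl=15"))

if __name__ == "__main__":
    print(parse_attrs(REQUEST[20:]))
    print(verify_reply(ACCEPT, REQ_AUTH, SECRET), parse_attrs(ACCEPT[20:]))
```

Note what the authenticator does not cover: an Access-Request itself carries no integrity check beyond the hidden password, so a server that accepts requests from any source address will answer anyone who knows the secret.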
Beginning in privileged EXEC mode, follow these steps to specify a vendor-proprietary RADIUS server host and a shared secret text string:
Command Purpose
Step 1 configure terminal  Enter global configuration mode.

Configuring the Switch for Local Authentication and Authorization

Beginning in privileged EXEC mode, follow these steps to configure the switch for local AAA:
Command Purpose
Step 1 configure terminal  Enter global configuration mode.
Step 2 aaa new-model  Enable AAA.
Step 3 aaa authentication login default local  Set the login authentication to use the local username database. The default keyword applies the local user database authentication to all interfaces.

Configuring the Switch for Secure Shell

Note For complete syntax and usage information for the commands used in this section, refer to the “Secure Shell Commands” section in the Cisco IOS Security Command Reference for Release 12.2.

Understanding SSH

SSH is a protocol that provides a secure, remote connection to a device. There are two versions of SSH: SSH version 1 and SSH version 2. This software release supports only SSH version 1. SSH version 1 has known protocol weaknesses, so treat it as an improvement over Telnet rather than as a strong transport: restrict the vty lines to management addresses with an access class, and prefer a release that supports SSH version 2 where one is available.

Chapter 10 Configuring 802.1X Port-Based Authentication

This chapter describes how to configure IEEE 802.1X port-based authentication on your Catalyst 2950 or Catalyst 2955 switch to prevent unauthorized devices (clients) from gaining access to the network.
Note For complete syntax and usage information for the commands used in this chapter, refer to the command reference for this release.
This chapter consists of these sections:
• Understanding 802.

Understanding 802.1X Port-Based Authentication

Device Roles

With 802.1X port-based authentication, the devices in the network have specific roles as shown in Figure 10-1.
Figure 10-1 802.1X Device Roles (figure: workstations (clients), a Catalyst 2950 or 3550 switch, and an authentication server (RADIUS))
• Client—the device (workstation) that requests access to the LAN and switch services and responds to requests from the switch.

Authentication Initiation and Message Exchange

The switch or the client can initiate authentication. If you enable authentication on a port by using the dot1x port-control auto interface configuration command, the switch must initiate authentication when it determines that the port link state transitions from down to up.

Ports in Authorized and Unauthorized States

The switch port state determines whether or not the client is granted access to the network. The port starts in the unauthorized state. While in this state, the port disallows all ingress and egress traffic except for 802.1X protocol packets.
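The initiation and port-state behaviour described in the two sections above, as an added example that is not code from the Cisco guide. It encodes the EAP-Request/Identity the switch sends inside an EAPOL frame when a link comes up (or when a client sends EAPOL-Start), parses the client's EAP-Response/Identity and checks that its identifier matches the outstanding request, and models the port filter: while unauthorized only EAPOL (Ethertype 0x888E) passes, and only an EAP-Success from the server opens the port. The identities and frames are constructed for the example; the class is a simplified model of the switch's authenticator, not Cisco's implementation.

```python
"""EAPOL/EAP framing and the 802.1X port authorization state.

Added example, not from the Cisco guide. It encodes the EAP-Request/Identity
the switch sends when a link comes up, parses the EAP-Response/Identity,
and models the unauthorized/authorized port filter (only EAPOL passes
while unauthorized). Frames and identities are constructed for the example.
"""
import struct

ETHERTYPE_EAPOL = 0x888E
EAPOL_VERSION, EAPOL_TYPE_EAP, EAPOL_TYPE_START = 1, 0, 1
EAP_REQUEST, EAP_RESPONSE, EAP_SUCCESS, EAP_FAILURE = 1, 2, 3, 4
EAP_TYPE_IDENTITY = 1


def eap_packet(code, ident, eap_type=None, data=b""):
    """EAP: code, identifier, length, then type+data for Request/Response."""
    body = b"" if eap_type is None else bytes([eap_type]) + data
    return struct.pack("!BBH", code, ident, 4 + len(body)) + body


def eapol_frame(eapol_type, body=b""):
    """EAPOL: protocol version, packet type, body length, body."""
    return struct.pack("!BBH", EAPOL_VERSION, eapol_type, len(body)) + body


def parse_eapol(frame):
    """Return {'eapol_type': n, 'eap': dict or None}; raises on a truncated body."""
    version, ptype, length = struct.unpack("!BBH", frame[:4])
    body = frame[4:4 + length]
    if len(body) != length:
        raise ValueError("truncated EAPOL body")
    if ptype != EAPOL_TYPE_EAP:
        return {"eapol_type": ptype, "eap": None}
    code, ident, elen = struct.unpack("!BBH", body[:4])
    eap = {"code": code, "id": ident}
    if code in (EAP_REQUEST, EAP_RESPONSE):
        eap["type"] = body[4]
        eap["data"] = body[5:elen]
    return {"eapol_type": ptype, "eap": eap}


class Dot1xPort:
    """Port state driven by link events and EAP outcomes (dot1x port-control auto)."""

    def __init__(self):
        self.authorized = False
        self.next_id = 0
        self.identity = None

    def _request_identity(self):
        self.next_id = (self.next_id + 1) & 0xFF
        return eapol_frame(EAPOL_TYPE_EAP,
                           eap_packet(EAP_REQUEST, self.next_id, EAP_TYPE_IDENTITY))

    def link_up(self):
        """Link down-to-up: the port starts unauthorized and the switch sends EAP-Request/Identity."""
        self.authorized = False
        return self._request_identity()

    def link_down(self):
        self.authorized = False
        self.identity = None

    def receive(self, frame):
        """Handle a client EAPOL frame. Returns {'reply': frame or None, 'identity': str or None}."""
        parsed = parse_eapol(frame)
        if parsed["eapol_type"] == EAPOL_TYPE_START:
            # Client-initiated: answer with a fresh Request/Identity.
            return {"reply": self._request_identity(), "identity": None}
        eap = parsed["eap"]
        if (eap and eap["code"] == EAP_RESPONSE and eap["id"] == self.next_id
                and eap.get("type") == EAP_TYPE_IDENTITY):
            self.identity = eap["data"].decode()
            return {"reply": None, "identity": self.identity}
        return {"reply": None, "identity": None}  # stale id or wrong code: ignored

    def server_result(self, eap_code):
        """EAP-Success relayed from the RADIUS server authorizes the port; anything else keeps it closed."""
        self.authorized = eap_code == EAP_SUCCESS
        return self.authorized

    def forward(self, ethertype):
        """Unauthorized ports pass only EAPOL (0x888E); authorized ports pass everything."""
        return self.authorized or ethertype == ETHERTYPE_EAPOL


if __name__ == "__main__":
    port = Dot1xPort()
    request = port.link_up()
    ident = parse_eapol(request)["eap"]["id"]
    print(port.receive(eapol_frame(EAPOL_TYPE_EAP,
                                   eap_packet(EAP_RESPONSE, ident, EAP_TYPE_IDENTITY, b"alice"))))
    print(port.server_result(EAP_SUCCESS), port.forward(0x0800))
```

The identifier check is the part worth keeping in mind when reading captures: a response whose identifier does not match the outstanding request is dropped, which is why a retransmitted request (see the retransmission time later in this chapter) carries the same identifier.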
Chapter 10 Configuring 802.1X Port-Based Authentication Understanding 802.1X Port-Based Authentication Voice VLAN Ports Multiple VLAN access ports (MVAPs) are ports that belong to two VLANs. This configuration allows the separating of voice traffic and the data traffic onto different VLANs. A switch port configured with a voice VLAN has separate VLANs configured for carrying: • The voice traffic to and from the IP phone.
Chapter 10 Configuring 802.1X Port-Based Authentication Understanding 802.1X Port-Based Authentication • When the client logs off, the port transitions back to an unauthenticated state and all dynamic entries in the secure host table are cleared, including the entry for the client. Normal authentication then takes place. • If the port is administratively shut down the port becomes unauthenticated and all dynamic entries are removed from the secure host table.
Chapter 10 Configuring 802.1X Port-Based Authentication Configuring 802.1X Authentication Supported Topologies The 802.1X port-based authentication is supported in two topologies: • Point-to-point • Wireless LAN In a point-to-point configuration (see Figure 10-1 on page 10-2), only one client can be connected to the 802.1X-enabled switch port. The switch detects the client when the port link state changes to the up state.
Chapter 10 Configuring 802.1X Port-Based Authentication Configuring 802.1X Authentication Default 802.1X Configuration Table 10-1 shows the default 802.1X configuration. Table 10-1 Default 802.1X Configuration Feature Default Setting Authentication, authorization, and accounting (AAA) Disabled. RADIUS server • IP address • None specified. • UDP authentication port • 1812. • Key • None specified. Per-interface 802.1X enable state Disabled (force-authorized).
Chapter 10 Configuring 802.1X Port-Based Authentication Configuring 802.1X Authentication 802.1X Configuration Guidelines These are some configuration guidelines and operating characteristics of 802.1X authentication: • When 802.1X is enabled, ports are authenticated before any other Layer 2 features are enabled. • The 802.1X protocol is supported on Layer 2 static-access ports, but it is not supported on these port types: – Trunk port—If you try to enable 802.
Chapter 10 Configuring 802.1X Port-Based Authentication Configuring 802.1X Authentication Beginning in privileged EXEC mode, follow these steps to configure 802.1X port-based authentication. This procedure is required.
Step 1: configure terminal
Enter global configuration mode.
Step 2: aaa new-model
Enable AAA.
Step 3: aaa authentication dot1x {default} method1 [method2...]
Create an 802.1X authentication method list.
Chapter 10 Configuring 802.1X Port-Based Authentication Configuring 802.1X Authentication This example shows how to enable AAA and 802.
Chapter 10 Configuring 802.1X Port-Based Authentication Configuring 802.1X Authentication This example shows how to specify the server with IP address 172.20.39.46 as the RADIUS server, to use UDP port 1612 as the authentication port (the auth-port keyword; the default is 1812), and to set the encryption key to rad123, matching the key on the RADIUS server: Switch(config)# radius-server host 172.20.39.
Chapter 10 Configuring 802.1X Port-Based Authentication Configuring 802.1X Authentication Manually Re-Authenticating a Client Connected to a Port You can manually re-authenticate the client connected to a specific port at any time by entering the dot1x re-authenticate interface interface-id privileged EXEC command. If you want to enable or disable periodic re-authentication, see the “Enabling Periodic Re-Authentication” section on page 10-12.
Chapter 10 Configuring 802.1X Port-Based Authentication Configuring 802.1X Authentication Changing the Switch-to-Client Retransmission Time The client responds to the EAP-request/identity frame from the switch with an EAP-response/identity frame. If the switch does not receive this response, it waits a set period of time (known as the retransmission time) and then resends the frame.
Chapter 10 Configuring 802.1X Port-Based Authentication Configuring 802.1X Authentication Beginning in privileged EXEC mode, follow these steps to set the switch-to-client frame-retransmission number:
Step 1: configure terminal
Enter global configuration mode.
Step 2: dot1x max-req count
Set the number of times that the switch sends an EAP-request/identity frame to the client before restarting the authentication process. The range is 1 to 10; the default is 2.
Chapter 10 Configuring 802.1X Port-Based Authentication Displaying 802.1X Statistics and Status This example shows how to enable 802.1X on Fast Ethernet interface 0/1 and to allow multiple hosts:
Switch(config)# interface fastethernet0/1
Switch(config-if)# dot1x port-control auto
Switch(config-if)# dot1x multiple-hosts
Resetting the 802.1X Configuration to the Default Values Beginning in privileged EXEC mode, follow these steps to reset the 802.
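The port states, the EAPOL-only filter on an unauthorized port, the EAP-request/identity retransmission limit set by dot1x max-req, and the logoff and shutdown behaviour described in this chapter, modelled in Python as an added example (this is not code from the guide or from Cisco IOS). The RADIUS exchange is replaced by a dictionary of accepted identities, the frame layouts are simplified, and all MAC addresses, identities and names (Dot1xPort, ingress, retransmit_timer_expired) are this example's own assumptions:

```python
"""Model of an 802.1X authenticator port (added example, not the guide's code).
Frame layout used here (simplified, constructed for the example):
  Ethernet: dst(6) src(6) ethertype(2)=0x888E
  EAPOL:    version(1) type(1) length(2) body
  EAP:      code(1) id(1) length(2) [type(1) data]
"""
import struct
from dataclasses import dataclass, field

ETHERTYPE_EAPOL = 0x888E
EAPOL_EAP_PACKET, EAPOL_START, EAPOL_LOGOFF = 0, 1, 2
EAP_REQUEST, EAP_RESPONSE, EAP_SUCCESS, EAP_FAILURE = 1, 2, 3, 4
EAP_TYPE_IDENTITY = 1
PAE_GROUP_ADDR = bytes.fromhex("0180c2000003")   # 802.1X PAE group MAC address
SWITCH_MAC = bytes.fromhex("000000000001")       # constructed switch MAC


def eap_packet(code, ident, data=b""):
    """EAP Success/Failure carry no type byte; Request/Response here are always type Identity."""
    if code in (EAP_SUCCESS, EAP_FAILURE):
        return struct.pack("!BBH", code, ident, 4)
    return struct.pack("!BBHB", code, ident, 5 + len(data), EAP_TYPE_IDENTITY) + data


def eapol_frame(src, dst, eapol_type, body=b""):
    """Wrap an EAPOL body in an Ethernet frame with the 802.1X EtherType."""
    return dst + src + struct.pack("!HBBH", ETHERTYPE_EAPOL, 1, eapol_type, len(body)) + body


@dataclass
class Dot1xPort:
    """One port in 'dot1x port-control auto' mode; names are the example's own."""
    allowed: dict                     # identity -> accepted?  stand-in for the RADIUS decision
    max_req: int = 2                  # dot1x max-req count (range 1-10, default 2)
    authorized: bool = False
    secure_hosts: set = field(default_factory=set)   # dynamic secure-host entries (client MACs)
    sent_requests: int = 0
    eap_id: int = 0
    tx: list = field(default_factory=list)           # frames the switch sends toward the client

    def _send_identity_request(self):
        self.eap_id = (self.eap_id + 1) & 0xFF
        self.tx.append(eapol_frame(SWITCH_MAC, PAE_GROUP_ADDR, EAPOL_EAP_PACKET,
                                   eap_packet(EAP_REQUEST, self.eap_id)))
        self.sent_requests += 1

    def link_up(self):
        """Point-to-point topology: authentication starts when the link (or an EAPOL-Start) comes up."""
        self.sent_requests = 0
        self._send_identity_request()

    def retransmit_timer_expired(self):
        """No EAP-Response/Identity within the retransmission time: resend, or restart after max-req sends."""
        if self.sent_requests >= self.max_req:
            self.sent_requests = 0
            return "restart"
        self._send_identity_request()
        return "resent"

    def shutdown(self):
        """Client logoff or administrative shutdown: unauthenticated, dynamic secure-host entries cleared."""
        self.authorized = False
        self.secure_hosts.clear()

    def ingress(self, frame):
        """Return 'eapol' (consumed by the switch), 'forwarded' or 'dropped' for one ingress frame."""
        if len(frame) < 18:
            return "dropped"
        src, ethertype = frame[6:12], struct.unpack("!H", frame[12:14])[0]
        if ethertype != ETHERTYPE_EAPOL:
            return "forwarded" if self.authorized else "dropped"   # unauthorized: only 802.1X passes
        eapol_type, body = frame[15], frame[18:]
        if eapol_type == EAPOL_START:
            self.link_up()
        elif eapol_type == EAPOL_LOGOFF:
            self.shutdown()
        elif (eapol_type == EAPOL_EAP_PACKET and len(body) >= 5
              and body[0] == EAP_RESPONSE and body[4] == EAP_TYPE_IDENTITY):
            eap_len = struct.unpack("!H", body[2:4])[0]
            identity = body[5:eap_len].decode(errors="replace")
            verdict = EAP_SUCCESS if self.allowed.get(identity) else EAP_FAILURE
            if verdict == EAP_SUCCESS:
                self.authorized = True
                self.secure_hosts.add(src)
            self.tx.append(eapol_frame(SWITCH_MAC, src, EAPOL_EAP_PACKET, eap_packet(verdict, body[1])))
            self.sent_requests = 0
        return "eapol"


def demo():
    """Drive one client through the exchange and return the decisions observed."""
    client = bytes.fromhex("00aabbccddee")                           # constructed client MAC
    port = Dot1xPort(allowed={"alice": True})
    data = client + SWITCH_MAC + struct.pack("!H", 0x0800) + b"\x00" * 46   # ordinary IPv4 frame
    seen = [port.ingress(data)]                                      # unauthorized: dropped
    port.ingress(eapol_frame(client, PAE_GROUP_ADDR, EAPOL_START))   # first identity request sent
    seen.append(port.retransmit_timer_expired())                     # second send (max-req = 2)
    seen.append(port.retransmit_timer_expired())                     # limit reached: restart
    port.ingress(eapol_frame(client, PAE_GROUP_ADDR, EAPOL_EAP_PACKET,
                             eap_packet(EAP_RESPONSE, port.eap_id, b"alice")))
    seen.append(port.ingress(data))                                  # authorized: forwarded
    port.ingress(eapol_frame(client, PAE_GROUP_ADDR, EAPOL_LOGOFF))
    seen.append(port.ingress(data))                                  # logged off: dropped again
    return seen


if __name__ == "__main__":
    print(demo())
```

Run directly, it prints the five decisions the demo collects: the data frame is dropped while the port is unauthorized, the second identity request is a resend, the third timer expiry hits max-req and restarts, and the same frame is forwarded only between EAP-Success and EAPOL-Logoff.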
C H A P T E R 11 Configuring the Switch Interfaces This chapter describes the types of interfaces on a Catalyst 2950 or Catalyst 2955 switch and how to configure them.
Chapter 11 Configuring the Switch Interfaces Understanding Interface Types Access Ports An access port belongs to and carries the traffic of only one VLAN (unless it is configured as a voice VLAN port). Traffic is received and sent in native formats with no VLAN tagging. Traffic arriving on an access port is assumed to belong to the VLAN assigned to the port. If an access port receives an 802.1P- or 802.1Q-tagged packet for the VLAN assigned to the port, the packet is forwarded.
Chapter 11 Configuring the Switch Interfaces Understanding Interface Types Port-Based VLANs A VLAN is a switched network that is logically segmented by function, team, or application, without regard to the physical location of the users. For more information about VLANs, see Chapter 15, “Configuring VLANs.” Packets received on a port are forwarded only to ports that belong to the same VLAN as the receiving port.
Chapter 11 Configuring the Switch Interfaces Using the Interface Command Connecting Interfaces Devices within a single VLAN can communicate directly through any switch. Ports in different VLANs cannot exchange data without going through a routing device or routed interface. With a standard Layer 2 switch, ports in different VLANs have to exchange information through a router.
Chapter 11 Configuring the Switch Interfaces Using the Interface Command Procedures for Configuring Interfaces These general instructions apply to all interface configuration processes.
Step 1 Enter the configure terminal command at the privileged EXEC prompt:
Switch# configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Switch(config)#
Step 2 Enter the interface global configuration command. Identify the interface type and the number of the connector.
Chapter 11 Configuring the Switch Interfaces Using the Interface Command
FastEthernet0/1 is up, line protocol is down
Hardware is Fast Ethernet, address is 0000.0000.0001 (bia 0000.
Chapter 11 Configuring the Switch Interfaces Using the Interface Command
Step 5: show interfaces [interface-id]
Verify the configuration of the interfaces in the range.
Step 6: copy running-config startup-config
(Optional) Save your entries in the configuration file.
Chapter 11 Configuring the Switch Interfaces Using the Interface Command
*Oct 6 08:29:29: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet0/1, changed state to up
*Oct 6 08:29:29: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/2, changed state to up
*Oct 6 08:29:29: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/3, changed state to up
If you enter multiple configuration commands while you are in interface-range mode, each command is executed as it is ente
Chapter 11 Configuring the Switch Interfaces Configuring Switch Interfaces • You must add a space between the interface numbers and the hyphen when entering an interface-range. For example, fastethernet 0/1 - 5 is a valid range; fastethernet 0/1-5 is not a valid range. • The VLAN interfaces must have been configured with the interface vlan command. The show running-config privileged EXEC command output shows the configured VLAN interfaces.
Chapter 11 Configuring the Switch Interfaces Configuring Switch Interfaces These sections describe the default interface configuration and the optional features that you can configure on most physical interfaces: • Default Ethernet Interface Configuration, page 11-10 • Configuring Interface Speed and Duplex Mode, page 11-11 • Configuring IEEE 802.
Chapter 11 Configuring the Switch Interfaces Configuring Switch Interfaces Configuring Interface Speed and Duplex Mode The 10/100 Ethernet interfaces on the switch operate at 10 or 100 Mbps and in either full- or half-duplex mode. The 10/100/1000 Ethernet interfaces on the Catalyst 2950T-24 switch operate at 10, 100, or 1000 Mbps, in full-duplex mode only.
Chapter 11 Configuring the Switch Interfaces Configuring Switch Interfaces Caution • When connecting an interface to a Gigabit Ethernet device that does not autonegotiate, disable autonegotiation on the switch and set the duplex and flow control parameters to be compatible with the remote device. • 100BASE-FX ports operate only at 100 Mbps and in full-duplex mode. • 1000BASE-SX ports operate only at 1000 Mbps and in full-duplex mode.
Chapter 11 Configuring the Switch Interfaces Configuring Switch Interfaces Use the no speed and no duplex interface configuration commands to return the interface to the default speed and duplex settings (autonegotiate). To return all interface settings to the defaults, use the default interface interface-id interface configuration command.
Chapter 11 Configuring the Switch Interfaces Configuring Switch Interfaces These rules apply to flow control settings on the device:
• receive on (or desired) and send on: Flow control operates in both directions; both the local and the remote devices can send pause frames to show link congestion.
• receive on (or desired) and send desired: The port can receive pause frames and can send pause frames if the attached device supports flow control.
Chapter 11 Configuring the Switch Interfaces Monitoring and Maintaining the Interfaces Adding a Description for an Interface You can add a description to an interface to help you remember its function. The description appears in the output of these commands: show configuration, show running-config, and show interfaces.
Chapter 11 Configuring the Switch Interfaces Monitoring and Maintaining the Interfaces Table 11-2 show Commands for Interfaces (Command: Purpose)
• show interfaces [interface-id]: Display the status and configuration of all interfaces or a specific interface.
• show interfaces [interface-id] capabilities [module {module-number}]: Display the capabilities of an interface. If you do not specify a module, the capabilities for all ports on the switch are displayed.
Chapter 11 Configuring the Switch Interfaces Monitoring and Maintaining the Interfaces
Unknown multicast blocked: disabled
Voice VLAN: none (Inactive)
Appliance trust: none
Name: Fa0/2
Switchport: Enabled
Administrative Mode: static access
Operational Mode: down
Chapter 11 Configuring the Switch Interfaces Monitoring and Maintaining the Interfaces This example shows how to clear and reset the counters on Fast Ethernet interface 0/5:
Switch# clear counters fastethernet0/5
Clear "show interface" counters on this interface [confirm] y
Switch#
*Sep 30 08:42:55: %CLEAR-5-COUNTERS: Clear counter on interface FastEthernet0/5 by vty1 (171.69.115.10)
Use the clear interface or clear line privileged EXEC command to clear and reset an interface or serial line.
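As an added example rather than code from the guide, the following Python parses show interfaces switchport output of the shape shown above into one dictionary per port and reports which ports are eligible for 802.1X under the chapter 10 guideline that it is supported only on Layer 2 static-access ports. The sample output is constructed for the example (the field set is abbreviated), and the function names are this example's own:

```python
"""Audit 'show interfaces switchport' output for 802.1X eligibility (added example, not the guide's code)."""
import re

# Constructed sample shaped like the switch's 'show interfaces switchport' output (fields abbreviated).
SAMPLE = """\
Name: Fa0/1
Switchport: Enabled
Administrative Mode: static access
Operational Mode: static access
Access Mode VLAN: 10 (Data)
Voice VLAN: none (Inactive)
Appliance trust: none

Name: Fa0/2
Switchport: Enabled
Administrative Mode: static access
Operational Mode: down
Voice VLAN: none (Inactive)

Name: Fa0/3
Switchport: Enabled
Administrative Mode: dynamic desirable
Operational Mode: down

Name: Gi0/1
Switchport: Enabled
Administrative Mode: trunk
Operational Mode: trunk
"""


def parse_switchport(text):
    """Return {port: {field: value}}; each port block starts with a 'Name:' line."""
    ports, current = {}, None
    for line in text.splitlines():
        m = re.match(r"\s*([^:]+?)\s*:\s*(.*?)\s*$", line)
        if not m:
            continue                      # blank or non key/value line
        key, value = m.groups()
        if key == "Name":
            current = ports.setdefault(value, {})
        elif current is not None:
            current[key] = value
    return ports


def dot1x_eligibility(ports):
    """802.1X is supported on Layer 2 static-access ports only (chapter 10 guideline);
    every other port is reported together with its administrative mode."""
    report = {}
    for name, fields in ports.items():
        mode = fields.get("Administrative Mode", "unknown")
        if fields.get("Switchport") != "Enabled":
            report[name] = "not a switchport"
        elif mode == "static access":
            report[name] = "eligible"
        else:
            report[name] = f"not eligible ({mode})"
    return report


if __name__ == "__main__":
    for port, verdict in dot1x_eligibility(parse_switchport(SAMPLE)).items():
        print(f"{port:8} {verdict}")
```

Paste the real command output into SAMPLE, or read it from a file, and the report lists each port with its verdict; the parser keeps every field, so the same dictionary can drive other checks (for example on the Voice VLAN line) without re-parsing.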
C H A P T E R 12 Configuring STP This chapter describes how to configure the Spanning Tree Protocol (STP) on your Catalyst 2950 or Catalyst 2955 switch. For information about the Rapid Spanning Tree Protocol (RSTP), the Multiple Spanning Tree Protocol (MSTP), and the per-VLAN rapid spanning tree (PVRST), see Chapter 13, “Configuring RSTP and MSTP.” For information about optional spanning-tree features, see Chapter 14, “Configuring Optional Spanning-Tree Features.
Chapter 12 Configuring STP Understanding Spanning-Tree Features • Spanning Tree and Redundant Connectivity, page 12-9 • Accelerated Aging to Retain Connectivity, page 12-9 STP Overview STP is a Layer 2 link management protocol that provides path redundancy while preventing loops in the network. For a Layer 2 Ethernet network to function properly, only one active path can exist between any two stations.
Chapter 12 Configuring STP Understanding Spanning-Tree Features When the switches in a network are powered up, each functions as the root switch. Each switch sends a configuration BPDU through all of its ports. The BPDUs communicate and compute the spanning-tree topology.
Chapter 12 Configuring STP Understanding Spanning-Tree Features When you change the switch priority value, you change the probability that the switch will be elected as the root switch. Configuring a higher value decreases the probability; a lower value increases the probability. The root switch is the logical center of the spanning-tree topology in a switched network.
Chapter 12 Configuring STP Understanding Spanning-Tree Features Spanning-Tree Timers Table 12-2 describes the timers that affect the entire spanning-tree performance.
Table 12-2 Spanning-Tree Timers (Variable: Description)
• Hello timer: Determines how often the switch broadcasts hello messages to other switches.
• Forward-delay timer: Determines how long each of the listening and learning states lasts before the interface begins forwarding.
Chapter 12 Configuring STP Understanding Spanning-Tree Features Spanning-Tree Interface States Propagation delays can occur when protocol information passes through a switched LAN. As a result, topology changes can take place at different times and at different places in a switched network. When an interface transitions directly from nonparticipation in the spanning-tree topology to the forwarding state, it can create temporary data loops.
Chapter 12 Configuring STP Understanding Spanning-Tree Features When the spanning-tree algorithm places a Layer 2 interface in the forwarding state, this process occurs: 1. The interface is in the listening state while spanning tree waits for protocol information that could transition the interface back to the blocking state. 2. While spanning tree waits for the forward-delay timer to expire, it moves the interface to the learning state and resets the forward-delay timer. 3.
Chapter 12 Configuring STP Understanding Spanning-Tree Features Forwarding State A Layer 2 interface in the forwarding state forwards frames. The interface enters the forwarding state from the learning state.
Chapter 12 Configuring STP Understanding Spanning-Tree Features The external spanning-tree behavior on access ports and trunk ports is not affected by PVST+ or PVRST+. For more information on 802.1Q trunks, see Chapter 15, “Configuring VLANs.” Spanning Tree and Redundant Connectivity You can create a redundant backbone with spanning tree by connecting two switch interfaces to another device or to two different devices.
Chapter 12 Configuring STP Configuring Spanning-Tree Features Configuring Spanning-Tree Features These sections describe how to configure spanning-tree features: • Default STP Configuration, page 12-10 • STP Configuration Guidelines, page 12-11 • Disabling STP, page 12-11 • Configuring the Root Switch, page 12-12 • Configuring a Secondary Root Switch, page 12-14 • Configuring the Port Priority, page 12-15 • Configuring the Path Cost, page 12-16 • Configuring the Switch Priority of a VLAN,
Chapter 12 Configuring STP Configuring Spanning-Tree Features STP Configuration Guidelines If more VLANs are defined in the VTP than there are spanning-tree instances, you can enable STP on only 64 VLANs. If the number of VLANs exceeds 64, we recommend that you enable the MSTP to map multiple VLANs to a single spanning-tree instance. For more information, see Chapter 13, “Configuring RSTP and MSTP.
Chapter 12 Configuring STP Configuring Spanning-Tree Features Beginning in privileged EXEC mode, follow these steps to disable STP on a per-VLAN basis:
Step 1: configure terminal
Enter global configuration mode.
Step 2: no spanning-tree vlan vlan-id
Disable STP on a per-VLAN basis. For vlan-id, you can specify a single VLAN identified by VLAN ID number, a range of VLANs separated by a hyphen, or a series of VLANs separated by a comma.
Chapter 12 Configuring STP Configuring Spanning-Tree Features These examples show the effect of the spanning-tree vlan vlan-id root command with and without the extended system ID support: • For Catalyst 2950 and Catalyst 2955 switches with the extended system ID (Release 12.
Chapter 12 Configuring STP Configuring Spanning-Tree Features Beginning in privileged EXEC mode, follow these steps to configure a switch to become the root for the specified VLAN:
Step 1: configure terminal
Enter global configuration mode.
Step 2: spanning-tree vlan vlan-id root primary [diameter net-diameter [hello-time seconds]]
Configure a switch to become the root for the specified VLAN.
Chapter 12 Configuring STP Configuring Spanning-Tree Features Beginning in privileged EXEC mode, follow these steps to configure a switch to become the secondary root for the specified VLAN:
Step 1: configure terminal
Enter global configuration mode.
Step 2: spanning-tree vlan vlan-id root secondary [diameter net-diameter [hello-time seconds]]
Configure a switch to become the secondary root for the specified VLAN.
Chapter 12 Configuring STP Configuring Spanning-Tree Features
Step 3: spanning-tree port-priority priority
Configure the port priority for an interface. For priority, the range is 0 to 240 in increments of 16. The default is 128. The lower the number, the higher the priority. Valid priority values are 0, 16, 32, 48, 64, 80, 96, 112, 128, 144, 160, 176, 192, 208, 224, and 240. All other values are rejected.
Chapter 12 Configuring STP Configuring Spanning-Tree Features Beginning in privileged EXEC mode, follow these steps to configure the cost of an interface:
Step 1: configure terminal
Enter global configuration mode.
Step 2: interface interface-id
Enter interface configuration mode, and specify an interface to configure. Valid interfaces include physical interfaces and port-channel logical interfaces (port-channel port-channel-number).
Chapter 12 Configuring STP Configuring Spanning-Tree Features Configuring the Switch Priority of a VLAN You can configure the switch priority and make it more likely that the switch will be chosen as the root switch. Note Exercise care when using this command. For most situations, we recommend that you use the spanning-tree vlan vlan-id root primary and the spanning-tree vlan vlan-id root secondary global configuration commands to modify the switch priority.
Chapter 12 Configuring STP Configuring Spanning-Tree Features Beginning in privileged EXEC mode, follow these steps to configure the hello time of a VLAN:
Step 1: configure terminal
Enter global configuration mode.
Step 2: spanning-tree vlan vlan-id hello-time seconds
Configure the hello time of a VLAN. The hello time is the interval between the generation of configuration messages by the root switch. These messages mean that the switch is alive.
Chapter 12 Configuring STP Configuring Spanning-Tree Features Configuring the Maximum-Aging Time for a VLAN Beginning in privileged EXEC mode, follow these steps to configure the maximum-aging time for a VLAN:
Step 1: configure terminal
Enter global configuration mode.
Step 2: spanning-tree vlan vlan-id max-age seconds
Configure the maximum-aging time of a VLAN.
Chapter 12 Configuring STP Displaying the Spanning-Tree Status Figure 12-4 (figure; labels recovered from the drawing: Gigabit Ethernet Stack of Catalyst 2950 or 3550 switches below a Catalyst 3550 series switch; Option 1: standalone cascaded cluster; Option 2: cascaded cluster connected to a Layer 2 backbone of Catalyst 3550 or 6000 series switches; Option 3: cascaded cluster connected to a Layer 3 backbone of Cisco 7000 routers)
C H A P T E R 13 Configuring RSTP and MSTP This chapter describes how to configure the Cisco implementation of the IEEE 802.1w Rapid Spanning Tree Protocol (RSTP) and the IEEE 802.1s Multiple STP (MSTP) on your Catalyst 2950 or Catalyst 2955 switch. It also describes how to configure per-VLAN rapid spanning tree (PVRST). To use the features described in this chapter, you must have the enhanced software image (EI) installed on your switch. RSTP provides rapid convergence of the spanning tree.
Chapter 13 Configuring RSTP and MSTP Understanding RSTP Understanding RSTP The RSTP takes advantage of point-to-point wiring and provides rapid convergence of the spanning tree. Reconfiguration of the spanning tree can occur in less than 1 second (in contrast to 50 seconds with the default settings in the 802.1D spanning tree), which is critical for networks carrying delay-sensitive traffic such as voice and video.
Chapter 13 Configuring RSTP and MSTP Understanding RSTP In a stable topology with consistent port roles throughout the network, the RSTP ensures that every root port and designated port immediately transitions to the forwarding state while all alternate and backup ports are always in the discarding state (equivalent to blocking in 802.1D). The port state controls the operation of the forwarding and learning processes. Table 13-1 provides a comparison of 802.1D and RSTP port states.
Chapter 13 Configuring RSTP and MSTP Understanding RSTP When Switch C is connected to Switch B, a similar set of handshaking messages are exchanged. Switch C selects the port connected to Switch B as its root port, and both ends immediately transition to the forwarding state. With each iteration of this handshaking process, one more switch joins the active topology. As the network converges, this proposal-agreement handshaking progresses from the root toward the leaves of the spanning tree.
Chapter 13 Configuring RSTP and MSTP Understanding RSTP Figure 13-2 Sequence of Events During Rapid Convergence (figure: numbered steps 1 Proposal, 2 Block, 3 Block, 4 Agreement, 5 Forward, 6 Proposal, 7 Proposal, 8 Agreement, 9 Forward, 10 Agreement, 11 Forward, exchanged among root ports, designated ports and an edge port) Bridge Protocol Data Unit Format and Processing The RSTP BPDU format is the same as the IEEE 802.1D BPDU format except that the protocol version is set to 2.
Chapter 13 Configuring RSTP and MSTP Understanding RSTP The RSTP does not have a separate topology change notification (TCN) BPDU. It uses the topology change (TC) flag to show the topology changes. However, for interoperability with 802.1D switches, the RSTP switch processes and generates TCN BPDUs. The learning and forwarding flags are set according to the state of the sending port.
Chapter 13 Configuring RSTP and MSTP Understanding MSTP • Propagation—When an RSTP switch receives a TC message from another switch through a designated or root port, it propagates the change to all of its nonedge, designated ports and to the root port (excluding the port on which it is received). The switch starts the TC-while timer for all such ports and flushes the information learned on them. • Protocol migration—For backward compatibility with 802.1D switches, RSTP selectively sends 802.
Chapter 13 Configuring RSTP and MSTP Understanding MSTP IST, CIST, and CST Unlike PVST and PVRST, in which all the spanning-tree instances are independent, the MSTP establishes and maintains two types of spanning trees: • An internal spanning tree (IST), which is the spanning tree that runs in an MST region. Within each MST region, the MSTP maintains multiple spanning-tree instances. Instance 0 is a special instance for a region, known as the internal spanning tree (IST).
Chapter 13 Configuring RSTP and MSTP Understanding MSTP Operations Between MST Regions If there are multiple regions or legacy 802.1D switches within the network, MSTP establishes and maintains the CST, which includes all MST regions and all legacy STP switches in the network. The MST instances combine with the IST at the boundary of the region to become the CST.
Chapter 13 Configuring RSTP and MSTP Understanding MSTP Hop Count The IST and MST instances do not use the message-age and maximum-age information in the configuration BPDU to compute the spanning-tree topology. Instead, they use the path cost to the root and a hop-count mechanism similar to the IP time-to-live (TTL) mechanism.
Chapter 13 Configuring RSTP and MSTP Interoperability with 802.1D STP Interoperability with 802.1D STP A switch running MSTP supports a built-in protocol migration mechanism that enables it to interoperate with legacy 802.1D switches. If this switch receives a legacy 802.1D configuration BPDU (a BPDU with the protocol version set to 0), it sends only 802.1D BPDUs on that port.
Chapter 13 Configuring RSTP and MSTP Configuring RSTP and MSTP Features Default RSTP and MSTP Configuration Table 13-3 shows the default RSTP and MSTP configuration.
Table 13-3 Default RSTP and MSTP Configuration (Feature: Default Setting)
• Spanning-tree mode: PVST (PVRST and MSTP are disabled).
• Switch priority (configurable on a per-CIST interface basis): 32768.
• Spanning-tree port priority (configurable on a per-CIST interface basis): 128.
Chapter 13 Configuring RSTP and MSTP Configuring RSTP and MSTP Features • All MST boundary ports must be forwarding for load balancing between a PVST and an MST cloud or between a PVRST and an MST cloud. For this to occur, the IST master of the MST cloud should also be the root of the CST.
Chapter 13 Configuring RSTP and MSTP Configuring RSTP and MSTP Features
Step 8: spanning-tree mode mst
Enable MSTP. RSTP is also enabled.
Caution: Changing spanning-tree modes can disrupt traffic because all spanning-tree instances are stopped for the previous mode and restarted in the new mode. You cannot run both MSTP and PVST or both MSTP and PVRST at the same time.
Step 9: end
Return to privileged EXEC mode.
Step 10: show running-config
Verify your entries.
Chapter 13 Configuring RSTP and MSTP Configuring RSTP and MSTP Features If any root switch for the specified instance has a switch priority lower than 24576, the switch sets its own priority to 4096 less than the lowest switch priority. (4096 is the value of the least-significant bit of a 4-bit switch priority value as shown in Table 12-1 on page 12-4.) Note Catalyst 2950 switches running software earlier than Release 12.1(9)EA1 do not support the extended system ID.
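The bridge-ID comparison behind the root election (chapter 12, Configuring the Root Switch and Configuring the Switch Priority of a VLAN) and the root primary rule stated above, in both the VLAN and the MST instance form, as an added Python example that is not code from the guide. It assumes the extended system ID (Release 12.1(9)EA1 and later), uses the VLAN ID or the MST instance ID as the 12-bit system ID extension, and uses constructed switch names and MAC addresses; what happens when the current root already has priority 0 is this example's own assumption, since the guide does not say:

```python
"""Bridge-ID comparison and the 'root primary' priority rule (added example, not the guide's code).
With the extended system ID the 16-bit priority field holds a 4-bit switch priority (multiples
of 4096) plus a 12-bit system ID extension: the VLAN ID for PVST/PVRST, the instance ID for MSTP.
The bridge ID is that field followed by the MAC address; the numerically lowest bridge ID wins.
Switch names and MACs below are constructed."""
from dataclasses import dataclass

DEFAULT_PRIORITY = 32768
ROOT_PRIMARY_PRIORITY = 24576      # what 'root primary' tries first
ROOT_SECONDARY_PRIORITY = 28672    # what 'root secondary' sets
PRIORITY_STEP = 4096               # least-significant bit of the 4-bit priority field
PORT_PRIORITY_STEP = 16


def check_switch_priority(priority):
    """The switch accepts only multiples of 4096 between 0 and 61440."""
    if not 0 <= priority <= 61440 or priority % PRIORITY_STEP:
        raise ValueError(f"switch priority {priority}: must be a multiple of 4096 in 0..61440")
    return priority


def check_port_priority(priority):
    """Port priority: 0 to 240 in increments of 16; anything else is rejected."""
    if not 0 <= priority <= 240 or priority % PORT_PRIORITY_STEP:
        raise ValueError(f"port priority {priority}: must be a multiple of 16 in 0..240")
    return priority


@dataclass(frozen=True)
class Bridge:
    name: str
    mac: str                       # Cisco notation, e.g. '0000.0c00.0001'
    priority: int = DEFAULT_PRIORITY

    def bridge_id(self, sys_id_ext):
        """64-bit bridge ID for one VLAN or MST instance: (priority + ext) << 48 | MAC."""
        check_switch_priority(self.priority)
        if not 0 <= sys_id_ext < 4096:
            raise ValueError("system ID extension must fit in 12 bits")
        return ((self.priority + sys_id_ext) << 48) | int(self.mac.replace(".", ""), 16)


def elect_root(bridges, sys_id_ext):
    """Lowest bridge ID wins: lowest priority first, then lowest MAC address as the tiebreaker."""
    return min(bridges, key=lambda b: b.bridge_id(sys_id_ext))


def root_primary_priority(others, sys_id_ext):
    """Priority that 'spanning-tree vlan <id> root primary' or 'spanning-tree mst <id> root primary'
    sets: 24576, unless the current root already has a lower priority, in which case 4096 less
    than that root's priority. Raising at priority 0 is this example's assumption."""
    current_root = elect_root(others, sys_id_ext)
    if current_root.priority < ROOT_PRIMARY_PRIORITY:
        if current_root.priority == 0:
            raise ValueError("current root already uses priority 0; no lower value exists")
        return current_root.priority - PRIORITY_STEP
    return ROOT_PRIMARY_PRIORITY


def demo():
    """Three switches in VLAN 10: current root, what 'root primary' on C would set, and the result."""
    a = Bridge("A", "0000.0c00.0001")
    b = Bridge("B", "0000.0c00.0002", priority=20480)
    c = Bridge("C", "0000.0c00.0003")
    before = elect_root([a, b, c], 10).name            # B: lowest priority
    new_priority = root_primary_priority([a, b], 10)   # 16384: B is already below 24576
    after = elect_root([a, b, Bridge("C", c.mac, new_priority)], 10).name
    return before, new_priority, after


if __name__ == "__main__":
    print(demo())
```

The same functions apply to MSTP by passing the instance ID (0 for the IST) as sys_id_ext, and the two check functions reproduce the value ranges the switch enforces for the priority commands in this chapter and in chapter 12.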
Chapter 13 Configuring RSTP and MSTP Configuring RSTP and MSTP Features
Step 3: end
Return to privileged EXEC mode.
Step 4: show spanning-tree mst instance-id
Verify your entries.
Step 5: copy running-config startup-config
(Optional) Save your entries in the configuration file.
To return the switch to its default setting, use the no spanning-tree mst instance-id root global configuration command.
Chapter 13 Configuring RSTP and MSTP Configuring RSTP and MSTP Features Configuring the Port Priority If a loop occurs, the MSTP uses the port priority when selecting an interface to put into the forwarding state. You can assign higher priority values (lower numerical values) to interfaces that you want selected first and lower priority values (higher numerical values) to interfaces that you want selected last.
Chapter 13 Configuring RSTP and MSTP Configuring RSTP and MSTP Features Configuring the Path Cost The MSTP path cost default value is derived from the media speed of an interface. If a loop occurs, the MSTP uses cost when selecting an interface to put in the forwarding state. You can assign lower cost values to interfaces that you want selected first and higher cost values to interfaces that you want selected last.
Chapter 13 Configuring RSTP and MSTP Configuring RSTP and MSTP Features Configuring the Switch Priority You can configure the switch priority and make it more likely that the switch will be chosen as the root switch. Note Exercise care when using this command. For most situations, we recommend that you use the spanning-tree mst instance-id root primary and the spanning-tree mst instance-id root secondary global configuration commands to modify the switch priority.
Chapter 13 Configuring RSTP and MSTP Configuring RSTP and MSTP Features Beginning in privileged EXEC mode, follow these steps to configure the hello time for all MST instances:
Step 1: configure terminal
Enter global configuration mode.
Step 2: spanning-tree mst hello-time seconds
Configure the hello time for all MST instances. The hello time is the interval between the generation of configuration messages by the root switch. These messages mean that the switch is alive.
Chapter 13 Configuring RSTP and MSTP Configuring RSTP and MSTP Features Configuring the Maximum-Aging Time Beginning in privileged EXEC mode, follow these steps to configure the maximum-aging time for all MST instances:
Step 1: configure terminal
Enter global configuration mode.
Step 2: spanning-tree mst max-age seconds
Configure the maximum-aging time for all MST instances.
Chapter 13 Configuring RSTP and MSTP Configuring RSTP and MSTP Features Specifying the Link Type to Ensure Rapid Transitions If you connect a port to another port through a point-to-point link and the local port becomes a designated port, the RSTP negotiates a rapid transition with the other port by using the proposal-agreement handshake to ensure a loop-free topology as described in the “Rapid Convergence” section on page 13-3.
Chapter 13 Configuring RSTP and MSTP Displaying the MST Configuration and Status Displaying the MST Configuration and Status To display the spanning-tree status, use one or more of the privileged EXEC commands in Table 13-4:
Table 13-4 Commands for Displaying MST Status (Command: Purpose)
• show spanning-tree mst configuration: Displays the MST region configuration.
• show spanning-tree mst instance-id: Displays MST information for the specified instance.
C H A P T E R 14 Configuring Optional Spanning-Tree Features This chapter describes how to configure optional spanning-tree features. You can configure all of these features when your Catalyst 2950 or Catalyst 2955 switch is running the per-VLAN spanning tree (PVST). When your switch is running the per-VLAN rapid spanning tree (PVRST) or the Multiple Spanning Tree Protocol (MSTP), you can configure only the features noted as supported in those modes.
Chapter 14 Configuring Optional Spanning-Tree Features Understanding Optional Spanning-Tree Features Understanding Port Fast Port Fast immediately brings an interface configured as an access or trunk port to the forwarding state from a blocking state, bypassing the listening and learning states.
Chapter 14 Configuring Optional Spanning-Tree Features Understanding Optional Spanning-Tree Features Understanding BPDU Guard The BPDU guard feature can be globally enabled on the switch or can be enabled per interface, but the feature operates with some differences. At the global level, you can enable BPDU guard on Port Fast-enabled ports by using the spanning-tree portfast bpduguard default global configuration command. Spanning tree shuts down ports that are in a Port Fast-operational state.
Chapter 14 Configuring Optional Spanning-Tree Features Understanding Optional Spanning-Tree Features Understanding UplinkFast Switches in hierarchical networks can be grouped into backbone switches, distribution switches, and access switches. Figure 14-2 shows a complex network where distribution switches and access switches each have at least one redundant link that spanning tree blocks to prevent loops.
Chapter 14 Configuring Optional Spanning-Tree Features Understanding Optional Spanning-Tree Features Figure 14-3 shows an example topology with no link failures. Switch A, the root switch, is connected directly to Switch B over link L1 and to Switch C over link L2. The Layer 2 interface on Switch C that is connected directly to Switch B is in a blocking state.
Chapter 14 Configuring Optional Spanning-Tree Features Understanding Optional Spanning-Tree Features How CSUF Works CSUF ensures that one link in the stack is elected as the path to the root. As shown in Figure 14-5, Switches A, B, and C are cascaded through the GigaStack GBIC to form a multidrop backbone, which communicates control and data traffic across the switches at the access layer.
Chapter 14 Configuring Optional Spanning-Tree Features Understanding Optional Spanning-Tree Features The switch sending the fast-transition request needs to do a fast transition to the forwarding state of a port that it has chosen as the root port, and it must obtain an acknowledgement from each stack switch before performing the fast transition.
Chapter 14 Configuring Optional Spanning-Tree Features Understanding Optional Spanning-Tree Features Limitations These limitations apply to CSUF: • CSUF uses the GigaStack GBIC and runs on all Catalyst 3550 switches, all Catalyst 3500 XL switches, Catalyst 2950 switches with GBIC module slots, and only on modular Catalyst 2900 XL switches that have the 1000BASE-X module installed. • Up to nine stack switches can be connected through their stack ports to the multidrop backbone.
Figure 14-6 GigaStack GBIC Connections and Spanning-Tree Convergence (figure: GigaStack GBIC connection for fast convergence; switch labels Catalyst 3550-12T, Catalyst 3500, Catalyst 3508G XL, Catalyst 295; remaining labels are front-panel LED and port markings)
Understanding BackboneFast

BackboneFast detects indirect failures in the core of the backbone. BackboneFast is a complementary technology to the UplinkFast feature, which responds to failures on links directly connected to access switches. BackboneFast optimizes the maximum-age timer, which determines the amount of time the switch stores protocol information received on an interface.
Figure 14-7 BackboneFast Example Before Indirect Link Failure (figure labels: Switch A (Root), Switch B, Switch C, links L1, L2, and L3, blocked port)

If link L1 fails as shown in Figure 14-8, Switch C cannot detect this failure because it is not connected directly to link L1.
Figure 14-9 Adding a Switch in a Shared-Medium Topology (figure labels: Switch A (Root), Switch B (Designated bridge), Switch C, blocked port, added switch)

Understanding EtherChannel Guard

You can use EtherChannel guard to detect an EtherChannel misconfiguration between the switch and a connected device.
If the switch is operating in multiple spanning-tree (MST) mode, root guard forces the port to be a designated port. If a boundary port is blocked in an internal spanning-tree (IST) instance because of root guard, the port also is blocked in all MST instances. A boundary port is a port that connects to a LAN, the designated switch of which is either an 802.
Configuring Optional Spanning-Tree Features

These sections describe how to configure optional spanning-tree features:
• Default Optional Spanning-Tree Configuration, page 14-14
• Enabling Port Fast, page 14-14
• Enabling BPDU Guard, page 14-15
• Enabling BPDU Filtering, page 14-16
• Enabling UplinkFast for Use with Redundant Links, page 14-17
• Enabling Cross-Stack UplinkFast, page 14-18
• Enab
You can enable this feature if your switch is running PVST, PVRST, or MSTP. The PVRST and MSTP are available only if you have the EI installed on your switch.

Beginning in privileged EXEC mode, follow these steps to enable Port Fast:

Step 1: configure terminal
  Enter global configuration mode.
You can also use the spanning-tree bpduguard enable interface configuration command to enable BPDU guard on any port without also enabling the Port Fast feature. When the port receives a BPDU, it is put in the error-disabled state. You can enable the BPDU guard feature if your switch is running PVST, PVRST, or MSTP. The PVRST and MSTP are available only if you have the EI installed on your switch.
Beginning in privileged EXEC mode, follow these steps to globally enable the BPDU filtering feature:

Step 1: configure terminal
  Enter global configuration mode.
Step 2: spanning-tree portfast bpdufilter default
  Globally enable BPDU filtering. By default, BPDU filtering is disabled.
When UplinkFast is enabled, the switch priority of all VLANs is set to 49152. If you change the path cost to a value less than 3000 and you enable UplinkFast or UplinkFast is already enabled, the path cost of all interfaces and VLAN trunks is increased by 3000 (if you change the path cost to 3000 or above, the path cost is not altered).
Enabling BackboneFast

You can enable BackboneFast to detect indirect link failures and to start the spanning-tree reconfiguration sooner.

Note: If you use BackboneFast, you must enable it on all switches in the network. BackboneFast is not supported on Token Ring VLANs. This feature is supported for use with third-party switches.

The BackboneFast feature is supported only when the switch is running PVST.
You can use the show interfaces status err-disabled privileged EXEC command to determine which switch ports are disabled because of an EtherChannel misconfiguration. On the remote device, you can enter the show etherchannel summary privileged EXEC command to verify the EtherChannel configuration.
Beginning in privileged EXEC mode, follow these steps to enable loop guard:

Step 1: show spanning-tree active or show spanning-tree mst
  Determine which ports are alternate or root ports.
Step 2: configure terminal
  Enter global configuration mode.
Step 3: spanning-tree loopguard default
  Enable loop guard. By default, loop guard is disabled.
Step 4: end
  Return to privileged EXEC mode.
Chapter 15 Configuring VLANs

This chapter describes how to configure normal-range VLANs (VLAN IDs 1 to 1005) and extended-range VLANs (VLAN IDs 1006 to 4094) on your Catalyst 2950 or Catalyst 2955 switch. It includes information about VLAN modes and the VLAN Membership Policy Server (VMPS).

Note: For complete syntax and usage information for the commands used in this chapter, refer to the command reference for this release.
Understanding VLANs

Figure 15-1 shows an example of VLANs segmented into logically defined networks.

Figure 15-1 VLANs as Logically Defined Networks (figure labels: Engineering VLAN, Marketing VLAN, Accounting VLAN, Cisco router, Fast Ethernet, Floor 1, Floor 2, Floor 3)

VLANs are often associated with IP subnetworks. For example, all the end stations in a particular IP subnet belong to the same VLAN.
VLAN Port Membership Modes

You configure a port to belong to a VLAN by assigning a membership mode that determines the kind of traffic the port carries and the number of VLANs to which it can belong. Table 15-1 lists the membership modes and membership and VTP characteristics.
Configuring Normal-Range VLANs

Normal-range VLANs are VLANs with VLAN IDs 1 to 1005. If the switch is in VTP server or transparent mode, you can add, modify, or remove configurations for VLANs 2 to 1001 in the VLAN database. (VLAN IDs 1 and 1002 to 1005 are automatically created and cannot be removed.
This section includes information about these topics about normal-range VLANs:
• Token Ring VLANs, page 15-5
• Normal-Range VLAN Configuration Guidelines, page 15-5
• VLAN Configuration Mode Options, page 15-6
• Saving VLAN Configuration, page 15-7
• Default Ethernet VLAN Configuration, page 15-7
• Creating or Modifying an Ethernet VLAN, page 15-8
• Deleting a VLAN, page 15-10
• Assigning Static-Access Ports to a VLAN, page 15-11
is to allow all VLANs), the new VLAN is carried on all trunk ports. Depending on the topology of the network, this could create a loop in the new VLAN that would not be broken, particularly if there are several adjacent switches that all have run out of spanning-tree instances. You can prevent this possibility by setting allowed lists on the trunk ports of switches that have used up their allocation of spanning-tree instances.
Saving VLAN Configuration

The configurations of VLAN IDs 1 to 1005 are always saved in the VLAN database (vlan.dat file). If VTP mode is transparent, they are also saved in the switch running configuration file and you can enter the copy running-config startup-config privileged EXEC command to save the configuration in the startup configuration file.
Table 15-2 Ethernet VLAN Defaults and Ranges

Parameter: VLAN ID
  Default: 1
  Range: 1 to 4094 when the EI is installed and 1 to 1005 when the SI is installed.
  Note: Extended-range VLANs (VLAN IDs 1006 to 4094) are not saved in the VLAN database.

Parameter: VLAN name
  Default: VLANxxxx, where xxxx represents four numeric digits (including leading zeros) equal to the VLAN ID number
  Range: No range

Parameter: 802.
Step 3: name vlan-name
  (Optional) Enter a name for the VLAN. If no name is entered for the VLAN, the default is to append the vlan-id with leading zeros to the word VLAN. For example, VLAN0004 is a default VLAN name for VLAN 4.
Step 4: mtu mtu-size
  (Optional) Change the MTU size (or other VLAN characteristic).
Step 5: remote-span
  (Optional) Configure the VLAN as the RSPAN VLAN for a remote SPAN session.
Note: You cannot configure an RSPAN VLAN in VLAN database configuration mode.

To return the VLAN name to the default settings, use the no vlan vlan-id name or no vlan vlan-id mtu VLAN configuration command.

This example shows how to use VLAN database configuration mode to create Ethernet VLAN 20, name it test20, and add it to the VLAN database:

Switch# vlan database
Switch(vlan)# vlan 20 name test20
Switch(vlan)# exit
APPLY completed.
Exiting...
Assigning Static-Access Ports to a VLAN

You can assign a static-access port to a VLAN without having VTP globally propagate VLAN configuration information by disabling VTP (VTP transparent mode). If you are assigning a port on a cluster member switch to a VLAN, first use the rcommand privileged EXEC command to log in to the member switch.

Note: If you assign an interface to a VLAN that does not exist, the new VLAN is created.
Configuring Extended-Range VLANs

When the switch is in VTP transparent mode (VTP disabled) and the EI is installed, you can create extended-range VLANs (in the range 1006 to 4094). Extended-range VLANs enable service providers to extend their infrastructure to a greater number of customers. The extended-range VLAN IDs are allowed for any switchport commands that allow VLAN IDs.
• VLANs in the extended range are not supported by VQP. They cannot be configured by VMPS.
• STP is enabled by default on extended-range VLANs, but you can disable it by using the no spanning-tree vlan vlan-id global configuration command. When the maximum number of spanning-tree instances (64) are on the switch, spanning tree is disabled on any newly created VLANs.
To delete an extended-range VLAN, use the no vlan vlan-id global configuration command. The procedure for assigning static-access ports to an extended-range VLAN is the same as for normal-range VLANs. See the “Assigning Static-Access Ports to a VLAN” section on page 15-11.
Configuring VLAN Trunks

These sections describe how VLAN trunks function on the switch:
• Trunking Overview, page 15-15
• 802.1Q Configuration Considerations, page 15-16
• Default Layer 2 Ethernet Interface VLAN Configuration, page 15-17

Trunking Overview

A trunk is a point-to-point link between one or more Ethernet switch interfaces and another networking device such as a router or a switch.
To avoid this, you should configure interfaces connected to devices that do not support DTP to not forward DTP frames, that is, to turn off DTP.

Note:
• If you do not intend to trunk across those links, use the switchport mode access interface configuration command to disable trunking.
• Make sure the native VLAN for an 802.1Q trunk is the same on both ends of the trunk link. If the native VLAN on one end of the trunk is different from the native VLAN on the other end, spanning-tree loops might result.
• Disabling spanning tree on the native VLAN of an 802.1Q trunk without disabling spanning tree on every VLAN in the network can potentially cause spanning-tree loops.
Interaction with Other Features

Trunking interacts with other features in these ways:
• A trunk port cannot be a secure port.
• Trunk ports can be grouped into EtherChannel port groups, but all trunks in the group must have the same configuration. When a group is first created, all ports follow the parameters set for the first port to be added to the group.
Step 8: show interfaces interface-id trunk
  Display the trunk configuration of the interface.
Step 9: copy running-config startup-config
  (Optional) Save your entries in the configuration file.

To return an interface to its default configuration, use the default interface interface-id interface configuration command.
Step 5: end
  Return to privileged EXEC mode.
Step 6: show interfaces interface-id switchport
  Verify your entries in the Trunking VLANs Enabled field of the display.
Step 7: copy running-config startup-config
  (Optional) Save your entries in the configuration file.

To return to the default allowed VLAN list of all VLANs, use the no switchport trunk allowed vlan interface configuration command.
Configuring the Native VLAN for Untagged Traffic

A trunk port configured with 802.1Q tagging can receive both tagged and untagged traffic. By default, the switch forwards untagged traffic in the native VLAN configured for the port. The native VLAN is VLAN 1 by default.

Note: The native VLAN can be assigned any VLAN ID; it is not dependent on the management VLAN. For information about 802.1Q configuration issues, see the “802.
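The following Python audit is an added example, not code from the Cisco guide. It parses constructed Catalyst-style running configurations for two directly connected switches and reports three of the gaps this guide warns about: Port Fast ports with no BPDU guard from either the global spanning-tree portfast bpduguard default command or the per-interface spanning-tree bpduguard enable command (the "Enabling BPDU Guard" section of Chapter 14), ports whose switchport mode was never pinned so DTP negotiation still decides whether they trunk (the DTP guideline above), and 802.1Q trunks whose two ends disagree on the native VLAN (the native-VLAN guideline above, using the guide's stated default of VLAN 1). The configurations, hostnames and the TRUNK_LINKS map are constructed for the example; all function names are my own.

```python
"""Audit constructed Catalyst-style running configurations for spanning-tree
edge-port and trunk hardening gaps (added example, not the guide's code)."""
import re
from typing import Dict, List, Set, Tuple

SWITCH1_CONFIG = """\
hostname Switch1
!
interface FastEthernet0/1
 switchport mode access
 spanning-tree portfast
!
interface FastEthernet0/2
 switchport mode access
 spanning-tree portfast
 spanning-tree bpduguard enable
!
interface FastEthernet0/3
 switchport access vlan 20
!
interface GigabitEthernet0/1
 switchport mode trunk
 switchport trunk native vlan 99
!
"""

SWITCH2_CONFIG = """\
hostname Switch2
spanning-tree portfast bpduguard default
!
interface FastEthernet0/1
 switchport mode access
 spanning-tree portfast
!
interface GigabitEthernet0/1
 switchport mode trunk
!
"""

# Constructed link map: (switch, interface) at each end of every trunk link.
TRUNK_LINKS = [(("Switch1", "GigabitEthernet0/1"), ("Switch2", "GigabitEthernet0/1"))]


def parse_config(text: str) -> Tuple[Set[str], Dict[str, List[str]]]:
    """Split a running-config into global commands and per-interface commands."""
    global_cmds: Set[str] = set()
    interfaces: Dict[str, List[str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line or line == "!":
            current = None              # a '!' separator closes the interface section
            continue
        if line.startswith("interface "):
            current = line.split(None, 1)[1]
            interfaces[current] = []
        elif line.startswith(" ") and current is not None:
            interfaces[current].append(line.strip())
        else:
            current = None
            global_cmds.add(line)
    return global_cmds, interfaces


def audit_edge_ports(text: str) -> List[str]:
    """Port Fast ports protected by neither the global nor the per-port BPDU guard."""
    global_cmds, interfaces = parse_config(text)
    global_guard = "spanning-tree portfast bpduguard default" in global_cmds
    return [f"{name}: Port Fast without BPDU guard"
            for name, cmds in interfaces.items()
            if "spanning-tree portfast" in cmds and not global_guard
            and "spanning-tree bpduguard enable" not in cmds]


def audit_port_modes(text: str) -> List[str]:
    """Ports pinned to neither access nor trunk mode, so DTP decides whether they trunk."""
    _, interfaces = parse_config(text)
    return [f"{name}: switchport mode not set, trunking left to DTP negotiation"
            for name, cmds in interfaces.items()
            if "switchport mode access" not in cmds
            and "switchport mode trunk" not in cmds]


def native_vlan(cmds: List[str]) -> int:
    """Native VLAN of a trunk port; the guide states the default is VLAN 1."""
    for cmd in cmds:
        match = re.fullmatch(r"switchport trunk native vlan (\d+)", cmd)
        if match:
            return int(match.group(1))
    return 1


def audit_native_vlans(configs: Dict[str, str], links) -> List[str]:
    """Trunk links whose two ends disagree on the native VLAN."""
    parsed = {name: parse_config(cfg)[1] for name, cfg in configs.items()}
    findings = []
    for (sw_a, if_a), (sw_b, if_b) in links:
        nv_a = native_vlan(parsed[sw_a].get(if_a, []))
        nv_b = native_vlan(parsed[sw_b].get(if_b, []))
        if nv_a != nv_b:
            findings.append(f"{sw_a} {if_a} native VLAN {nv_a} != "
                            f"{sw_b} {if_b} native VLAN {nv_b}")
    return findings
```

Run against the two constructed configurations, the audit flags FastEthernet0/1 on Switch1 (Port Fast, no guard), FastEthernet0/3 on Switch1 (mode never set) and the native-VLAN mismatch on the Gigabit trunk, while Switch2's Port Fast port passes because the global default covers it.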
Load Sharing Using STP Port Priorities

When two ports on the same switch form a loop, the STP port priority setting determines which port is enabled and which port is in a blocking state. You can set the priorities on a parallel trunk port so that the port carries all the traffic for a given VLAN. The trunk port with the higher priority (lower values) for a VLAN is forwarding traffic for that VLAN.
Step 9: switchport mode trunk
  Configure the port as a trunk port.
Step 10: end
  Return to privileged EXEC mode.
Step 11: show interfaces fastethernet0/1 switchport
  Verify the VLAN configuration.
Step 12: Repeat Steps 7 through 11 on Switch 1 for Fast Ethernet port 0/2.
Step 13: Repeat Steps 7 through 11 on Switch 2 to configure the trunk ports on Fast Ethernet ports 0/1 and 0/2.
Figure 15-4 Load-Sharing Trunks with Traffic Distributed by Path Cost (figure: Switch 1 and Switch 2 joined by two trunks; trunk port 1 carries VLANs 2 – 4 at path cost 30 and VLANs 8 – 10 at path cost 19; trunk port 2 carries VLANs 8 – 10 at path cost 30 and VLANs 2 – 4 at path cost 19)

Beginning in privileged EXEC mode, follow these steps to configure the network shown in Figure 15-4:

Step 1: configure terminal
  Enter global configuration mode on Switch 1.
Configuring VMPS

The switch cannot be a VMPS server but can act as a client to the VMPS and communicate with it through the VLAN Query Protocol (VQP). VMPS dynamically assigns dynamic access port VLAN membership.
Dynamic Port VLAN Membership

A dynamic (nontrunking) port on the switch can belong to only one VLAN, with a VLAN ID from 1 to 1005. When the link comes up, the switch does not forward traffic to or from this port until the VMPS provides the VLAN assignment. The VMPS receives the source MAC address from the first packet of a new host connected to the dynamic port and attempts to match the MAC address to a VLAN in the VMPS database.
!VMPS File Format, version 1.1
! Always begin the configuration file with
! the word "VMPS"
!
!vmps domain
! The VMPS domain must be defined.
!vmps mode {open | secure}
! The default mode is open.
!vmps fallback
!vmps no-domain-req { allow | deny }
!
! The default value is allow.
vmps-port-policies vlan-name Green
 device 198.92.30.32 port 0/8
vmps-port-policies vlan-name Purple
 device 198.4.254.22 port 0/2
 port-group "Executive Row"

Default VMPS Configuration

Table 15-6 shows the default VMPS and dynamic port configuration on client switches.
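As an added example (not from the guide or from any Cisco implementation), the Python below parses a constructed VMPS database file in the format shown above and applies the assignment decision described under "Dynamic Port VLAN Membership": the host's source MAC is matched to a VLAN, an unknown host goes to the fallback VLAN in open mode or has its port shut down in secure mode, and a request without a domain is handled by the no-domain-req setting. Two details are assumptions because they are not spelled out on this page: the MAC entries use the address <mac> vlan-name <name> line form under a vmps-mac-addrs section, and a port policy is modelled as restricting the listed port to that one VLAN. The domain name, addresses and VLAN names in the sample are constructed.

```python
"""Parse a VMPS database file and decide a dynamic-access port's VLAN
(added example; the database text is constructed)."""
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple

VMPS_DB = """\
VMPS
vmps domain DSBU
vmps mode open
vmps fallback default
vmps no-domain-req deny
!
vmps-mac-addrs
address 0012.2233.4455 vlan-name Green
address 0012.2233.4456 vlan-name Purple
!
vmps-port-policies vlan-name Green
 device 198.92.30.32 port 0/8
vmps-port-policies vlan-name Purple
 device 198.4.254.22 port 0/2
"""


@dataclass
class VmpsDatabase:
    domain: str = ""
    mode: str = "open"             # file-format default, per the comments above
    fallback: Optional[str] = None
    no_domain_req: str = "allow"   # file-format default, per the comments above
    mac_to_vlan: Dict[str, str] = field(default_factory=dict)
    # (device address, port) -> VLAN the port is restricted to (assumed model)
    port_policies: Dict[Tuple[str, str], str] = field(default_factory=dict)


def parse_vmps(text: str) -> VmpsDatabase:
    """Build a VmpsDatabase from the file text; comments ('!') are skipped."""
    lines = text.splitlines()
    if not lines or lines[0].strip() != "VMPS":
        raise ValueError("a VMPS database must begin with the word VMPS")
    db = VmpsDatabase()
    policy_vlan = None
    for raw in lines[1:]:
        line = raw.strip()
        if not line or line.startswith("!"):
            continue
        words = line.split()
        if words[:2] == ["vmps", "domain"]:
            db.domain = words[2]
        elif words[:2] == ["vmps", "mode"]:
            db.mode = words[2]
        elif words[:2] == ["vmps", "fallback"]:
            db.fallback = words[2]
        elif words[:2] == ["vmps", "no-domain-req"]:
            db.no_domain_req = words[2]
        elif words[0] == "address" and words[2] == "vlan-name":
            db.mac_to_vlan[words[1].lower()] = words[3]
        elif words[:2] == ["vmps-port-policies", "vlan-name"]:
            policy_vlan = words[2]
        elif words[0] == "device" and policy_vlan is not None:
            db.port_policies[(words[1], words[3])] = policy_vlan
    return db


def assign_vlan(db: VmpsDatabase, mac: str, device: str, port: str,
                req_domain: Optional[str] = None) -> Tuple[str, Optional[str]]:
    """Return (action, vlan) for a VQP request; action is allow, deny or shutdown."""
    if req_domain is None:
        if db.no_domain_req == "deny":
            return "deny", None
    elif req_domain != db.domain:
        return "deny", None
    vlan = db.mac_to_vlan.get(mac.lower())
    if vlan is None:
        # Unknown host: open mode falls back (or denies without a fallback VLAN),
        # secure mode shuts the port down.
        if db.mode == "secure":
            return "shutdown", None
        if db.fallback is None:
            return "deny", None
        vlan = db.fallback
    restricted = db.port_policies.get((device, port))
    if restricted is not None and restricted != vlan:
        return "deny", None
    return "allow", vlan
```

The parser keeps the port-policy VLAN as state while reading the indented device lines under it, which is why each vmps-port-policies header must precede its devices, exactly as in the file layout above.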
• VQP does not support extended-range VLANs (VLAN IDs higher than 1006). Extended-range VLANs cannot be configured by VMPS.
• The VLAN configured on the VMPS server should not be a voice VLAN.

Configuring the VMPS Client

You configure dynamic VLANs by using the VMPS (server). The switch can be a VMPS client; it cannot be a VMPS server.
Beginning in privileged EXEC mode, follow these steps to configure a dynamic access port on a VMPS client switch:

Step 1: configure terminal
  Enter global configuration mode.
Step 2: interface interface-id
  Enter interface configuration mode and the switch port that is connected to the end station.
Step 3: switchport mode access
  Set the port to access mode.
Beginning in privileged EXEC mode, follow these steps to change the reconfirmation interval:

Step 1: configure terminal
  Enter global configuration mode.
Step 2: vmps reconfirm minutes
  Enter the number of minutes between reconfirmations of the dynamic VLAN membership. Enter a number from 1 to 120. The default is 60 minutes.
Step 3: end
  Return to privileged EXEC mode.
VMPS domain server
  The IP address of the configured VLAN membership policy servers. The switch sends queries to the one marked current. The one marked primary is the primary server.
VMPS Action
  The result of the most recent reconfirmation attempt. A reconfirmation attempt can occur automatically when the reconfirmation interval expires, or you can force it by entering the vmps reconfirm privileged EXEC command or its CMS or SNMP equivalent.
Figure 15-5 Dynamic Port VLAN Membership Configuration (figure labels: TFTP server; Catalyst 5000 series Primary VMPS Server 1 at 172.20.26.150; Secondary VMPS Server 2; Router 172.20.22.7; Switch 1 with dynamic-access port and end station 1; Switch 2 (Client) 172.20.26.151 with trunk port; Switch 3; Switch 5 172.20.26.154; Switch 6 172.20.26.155; Switch 7 172.20.26.156; Switch 8 172.20.26.157 with dynamic-access port; Switch 9 (Client) 172.20.26.)
Chapter 16 Configuring VTP

This chapter describes how to use the VLAN Trunking Protocol (VTP) and the VLAN database for managing VLANs on your Catalyst 2950 or Catalyst 2955 switch.

Note: For complete syntax and usage information for the commands used in this chapter, refer to the command reference for this release.
Understanding VTP

The VTP Domain

A VTP domain (also called a VLAN management domain) consists of one switch or several interconnected switches under the same administrative responsibility sharing the same VTP domain name. A switch can be in only one VTP domain. You make global VLAN configuration changes for the domain by using the command-line interface (CLI), Cluster Management Suite (CMS) software, or Simple Network Management Protocol (SNMP).
VTP Modes

You can configure a supported switch to be in one of the VTP modes listed in Table 16-1.

Table 16-1 VTP Modes

VTP server
  In VTP server mode, you can create, modify, and delete VLANs and specify other configuration parameters (such as the VTP version) for the entire VTP domain.
• MD5 digest VLAN configuration, including maximum transmission unit (MTU) size for each VLAN.
• Frame format

VTP advertisements distribute this VLAN information for each configured VLAN:
• VLAN IDs
• VLAN name
• VLAN type
• VLAN state
• Additional VLAN configuration information specific to the VLAN type

VTP Version 2

If you use VTP in your network, you must decide whether to use version 1 or version 2. By default, VTP operates in version 1.
Figure 16-1 Flooding Traffic without VTP Pruning (figure labels: Switch 1 through Switch 6, Port 1, Port 2, Red VLAN)

Figure 16-2 shows a switched network with VTP pruning enabled. The broadcast traffic from Switch 1 is not forwarded to Switches 3, 5, and 6 because traffic for the Red VLAN has been pruned on the links shown (Port 5 on Switch 2 and Port 4 on Switch 4).
Configuring VTP

VTP pruning is not designed to function in VTP transparent mode. If one or more switches in the network are in VTP transparent mode, you should do one of these:
• Turn off VTP pruning in the entire network.
• Turn off VTP pruning by making all VLANs on the trunk of the switch upstream to the VTP transparent switch pruning ineligible.
VTP Configuration Options

You can configure VTP by using these configuration modes:
• VTP Configuration in Global Configuration Mode, page 16-7
• VTP Configuration in VLAN Configuration Mode, page 16-7

You access VLAN configuration mode by entering the vlan database privileged EXEC command. For detailed information about vtp commands, refer to the command reference for this release.
VTP Configuration Guidelines

These sections describe guidelines you should follow when implementing VTP in your network.

Domain Names

When configuring VTP for the first time, you must always assign a domain name. You must configure all switches in the VTP domain with the same domain name. Switches in VTP transparent mode do not exchange VTP messages with other switches, and you do not need to configure a VTP domain name for them.
VTP Version

Follow these guidelines when deciding which VTP version to implement:
• All switches in a VTP domain must run the same VTP version.
• A VTP version 2-capable switch can operate in the same VTP domain as a switch running VTP version 1 if version 2 is disabled on the version 2-capable switch (version 2 is disabled by default).
• Do not enable VTP version 2 on a switch unless all of the switches in the same VTP domain are version-2-capable.
Step 4: vtp password password
  (Optional) Set the password for the VTP domain. The password can be from 8 to 64 characters. If you configure a VTP password, the VTP domain does not function properly if you do not assign the same password to each switch in the domain.
Step 5: end
  Return to privileged EXEC mode.
Step 6: show vtp status
  Verify your entries in the VTP Operating Mode and the VTP Domain Name fields of the display.
This example shows how to use VLAN configuration mode to configure the switch as a VTP server with the domain name eng_group and the password mypassword:

Switch# vlan database
Switch(vlan)# vtp server
Switch(vlan)# vtp domain eng_group
Switch(vlan)# vtp password mypassword
Switch(vlan)# exit
APPLY completed.
Exiting....

Configuring a VTP Client

When a switch is in VTP client mode, you cannot change its VLAN configuration.
Note: You can also configure a VTP client by using the vlan database privileged EXEC command to enter VLAN configuration mode and entering the vtp client command, similar to the second procedure under the “Configuring a VTP Server” section on page 16-9. Use the no vtp client VLAN configuration command to return the switch to VTP server mode or the no vtp password VLAN configuration command to return the switch to a no-password state.
Note: You can also configure VTP transparent mode by using the vlan database privileged EXEC command to enter VLAN configuration mode and by entering the vtp transparent command, similar to the second procedure under the “Configuring a VTP Server” section on page 16-9. Use the no vtp transparent VLAN configuration command to return the switch to VTP server mode. If extended-range VLANs are configured on the switch, you cannot change VTP mode to server.
Enabling VTP Pruning

Pruning increases available bandwidth by restricting flooded traffic to those trunk links that the traffic must use to access the destination devices. You can only enable VTP pruning on a switch in VTP server mode.

Beginning in privileged EXEC mode, follow these steps to enable VTP pruning in the VTP domain:

Step 1: configure terminal
  Enter global configuration mode.
Beginning in privileged EXEC mode, follow these steps to verify and reset the VTP configuration revision number on a switch before adding it to a VTP domain:

Step 1: show vtp status
  Check the VTP configuration revision number. If the number is 0, add the switch to the VTP domain. If the number is greater than 0, follow these steps:
  a. Write down the domain name.
  b. Write down the configuration revision number.
  c.
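The Python below is an added example, not code from the guide, showing how the pre-join checks from this chapter can be run against the output of show vtp status: the configuration revision must be 0 before the switch is connected (a switch carrying a higher revision would otherwise overwrite the domain's VLAN database), the domain name must match the domain's, and the version 2 setting must agree across the domain. The two output texts are constructed for the example; they follow the "Label : value" line layout of the command, and the domain name eng_group is the one used in this chapter's own example.

```python
"""Pre-join checks for a switch entering a VTP domain, driven by 'show vtp
status' output (added example; the output text below is constructed)."""
from typing import Dict, List

DOMAIN_SERVER_STATUS = """\
VTP Version                     : 2
Configuration Revision          : 17
Maximum VLANs supported locally : 250
Number of existing VLANs        : 12
VTP Operating Mode              : Server
VTP Domain Name                 : eng_group
VTP Pruning Mode                : Enabled
VTP V2 Mode                     : Disabled
"""

# A switch reused from another closet: same domain name, but a higher
# revision number and version 2 enabled.
CANDIDATE_STATUS = """\
VTP Version                     : 2
Configuration Revision          : 43
Maximum VLANs supported locally : 250
Number of existing VLANs        : 5
VTP Operating Mode              : Server
VTP Domain Name                 : eng_group
VTP Pruning Mode                : Disabled
VTP V2 Mode                     : Enabled
"""

# The same switch after its revision was reset and version 2 disabled.
RESET_CANDIDATE_STATUS = CANDIDATE_STATUS.replace(": 43", ": 0").replace(": Enabled", ": Disabled")


def parse_vtp_status(text: str) -> Dict[str, str]:
    """Turn 'Label : value' lines into a dictionary keyed by the label."""
    status: Dict[str, str] = {}
    for line in text.splitlines():
        label, sep, value = line.partition(":")
        if sep:
            status[label.strip()] = value.strip()
    return status


def join_blockers(candidate_text: str, domain_text: str) -> List[str]:
    """Reasons the candidate must not yet be connected to the domain (empty if none)."""
    cand = parse_vtp_status(candidate_text)
    dom = parse_vtp_status(domain_text)
    reasons = []
    revision = int(cand["Configuration Revision"])
    if revision > 0:
        # The guide's procedure: only a revision of 0 may be added directly.
        reasons.append(f"configuration revision is {revision}, not 0; reset it before connecting")
    if cand["VTP Domain Name"] != dom["VTP Domain Name"]:
        reasons.append(f"domain name {cand['VTP Domain Name']!r} does not match "
                       f"{dom['VTP Domain Name']!r}")
    if cand["VTP V2 Mode"] != dom["VTP V2 Mode"]:
        # All switches in a domain must run the same VTP version.
        reasons.append(f"VTP V2 Mode is {cand['VTP V2 Mode']} but the domain runs "
                       f"{dom['VTP V2 Mode']}")
    return reasons
```

For the constructed candidate the check returns two blockers (revision 43 and the version 2 mismatch); after the reset it returns none, which is the state in which Step 1 above says the switch may be added.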
Monitoring VTP

Table 16-3 VTP Monitoring Commands

show vtp status
  Display the VTP switch configuration information.
show vtp counters
  Display counters about VTP messages that have been sent and received.
Chapter 17 Configuring Voice VLAN

This chapter describes how to configure the voice VLAN feature on your Catalyst 2950 or Catalyst 2955 switch. Voice VLAN is referred to as an auxiliary VLAN in the Catalyst 6000 family switch documentation.

Note: For complete syntax and usage information for the commands used in this chapter, refer to the command reference for this release.
Figure 17-1 shows one way to connect a Cisco 7960 IP Phone.

Figure 17-1 Cisco 7960 IP Phone Connected to a Switch (figure labels: Cisco IP Phone 7960 containing a Phone ASIC and a 3-port switch with ports P1, P2, and P3; Catalyst 2950 or 3550 switch; access port; PC)

When the IP Phone connects to the switch, the access port (PC-to-telephone jack) of the IP phone can connect to a PC.
Configuring Voice VLAN

Voice VLAN Configuration Guidelines

These are the voice VLAN configuration guidelines:
• You should configure voice VLAN on switch access ports.
• The Port Fast feature is automatically enabled when voice VLAN is configured. When you disable voice VLAN, the Port Fast feature is not automatically disabled.
Configuring Ports to Carry Voice Traffic in 802.1Q Frames

Beginning in privileged EXEC mode, follow these steps to configure a port to carry voice traffic in 802.1Q frames for a specific VLAN:

Step 1: configure terminal
  Enter global configuration mode.
Step 2: interface interface-id
  Specify the interface connected to the IP phone, and enter interface configuration mode.
Overriding the CoS Priority of Incoming Data Frames

You can connect a PC or other data device to a Cisco 7960 IP Phone port. The PC can generate packets with an assigned CoS value. You can configure the switch to override the priority of frames arriving on the IP phone port from connected devices.
Configuring the IP Phone to Trust the CoS Priority of Incoming Data Frames

You can connect a PC or other data device to a Cisco 7960 IP Phone port. The PC can generate packets with an assigned CoS value. You can configure the switch to trust the priority of frames arriving on the IP phone port from connected devices.
Chapter 18 Configuring IGMP Snooping and MVR

This chapter describes how to configure Internet Group Management Protocol (IGMP) snooping on your Catalyst 2950 or Catalyst 2955 switch, including an application of local IGMP snooping, Multicast VLAN Registration (MVR). It also includes procedures for controlling multicast group membership by using IGMP filtering.
Understanding IGMP Snooping

the switch adds the host port number to the forwarding table entry; when it receives an IGMP Leave Group message from a host, it removes the host port from the table entry. It also periodically deletes entries if it does not receive IGMP membership reports from the multicast clients.

Note: For more information on IP multicast and IGMP, refer to RFC 1112 and RFC 2236.
Figure 18-1 Initial IGMP Join Message (figure labels: Router A on port 1 sending IGMP report 224.1.2.3; VLAN; switching engine; CPU on port 0; forwarding table; Host 1 through Host 4 on ports 2 through 5)

Router A sends a general query to the switch, which forwards the query to ports 2 through 5, all members of the same VLAN. Host 1 wants to join multicast group 224.1.2.
Figure 18-2 Second Host Joining a Multicast Group (figure labels: Router A on port 1; VLAN; switching engine; CPU on port 0; forwarding table; Host 1 through Host 4 on ports 2 through 5)

Table 18-2 Updated IGMP Snooping Forwarding Table

Destination Address: 0100.5exx.xxxx
  Type of Packet: IGMP
  Ports: 0
Destination Address: 0100.5e01.
Configuring IGMP Snooping

Note: You should only use the Immediate-Leave processing feature on VLANs where a single host is connected to each port. If Immediate Leave is enabled in VLANs where more than one host is connected to a port, some hosts might be inadvertently dropped. Immediate Leave is supported with only IGMP version 2 hosts.
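As an added example (not code from the guide), the Python below models the snooping forwarding table described in "Understanding IGMP Snooping" and reproduces the Immediate-Leave hazard stated in the note above: a membership report adds the host's port to the group entry, a leave removes it, and with Immediate Leave the port is removed on the first leave without the group-specific query that would reveal a second host still listening on the same port. The group-to-MAC mapping follows the 01-00-5E plus low-23-bits rule behind the 0100.5e01.0203 entry in Table 18-2. The host names, port numbers and event sequence are constructed; the model simplifies the real protocol by tracking which hosts would answer a group-specific query instead of exchanging the query itself.

```python
"""Model an IGMP snooping forwarding table and the Immediate-Leave hazard
(added example; the hosts, ports and events are constructed)."""
from typing import Dict, Set, Tuple


def group_to_mac(group: str) -> str:
    """IPv4 multicast group -> 01-00-5E MAC (low 23 bits of the address),
    written in the dotted form used by the guide's Table 18-2."""
    octets = [int(o) for o in group.split(".")]
    if len(octets) != 4 or not 224 <= octets[0] <= 239:
        raise ValueError(f"{group} is not an IPv4 multicast group")
    mac = 0x01005E000000 | ((octets[1] & 0x7F) << 16) | (octets[2] << 8) | octets[3]
    digits = f"{mac:012x}"
    return ".".join(digits[i:i + 4] for i in range(0, 12, 4))


class SnoopingTable:
    """Group MAC -> set of ports; the multicast router port is always a member."""

    def __init__(self, router_port: int, immediate_leave: bool = False):
        self.router_port = router_port
        self.immediate_leave = immediate_leave
        self.entries: Dict[str, Set[int]] = {}
        # Hosts per port that would still answer a group-specific query.
        self.listeners: Dict[str, Dict[int, Set[str]]] = {}

    def report(self, group: str, port: int, host: str) -> None:
        """A membership report adds the host port to the group's entry."""
        mac = group_to_mac(group)
        self.entries.setdefault(mac, {self.router_port}).add(port)
        self.listeners.setdefault(mac, {}).setdefault(port, set()).add(host)

    def leave(self, group: str, port: int, host: str) -> None:
        """A leave removes the port: immediately if Immediate Leave is on,
        otherwise only when no other host on the port answers the query."""
        mac = group_to_mac(group)
        if mac not in self.entries:
            return
        remaining = self.listeners[mac].setdefault(port, set())
        remaining.discard(host)
        if self.immediate_leave or not remaining:
            self.entries[mac].discard(port)
        if self.entries[mac] == {self.router_port}:
            del self.entries[mac]          # no receivers left: drop the entry
            del self.listeners[mac]

    def ports(self, group: str) -> Set[int]:
        return set(self.entries.get(group_to_mac(group), set()))

    def stranded_hosts(self, group: str, port: int) -> Set[str]:
        """Hosts still wanting the group on a port the switch stopped forwarding to."""
        mac = group_to_mac(group)
        if port in self.entries.get(mac, set()):
            return set()
        return set(self.listeners.get(mac, {}).get(port, set()))


def two_hosts_one_port(immediate_leave: bool) -> Tuple[Set[int], Set[str]]:
    """Host 1 on port 2, Hosts 2 and 3 behind port 3; Host 2 leaves."""
    table = SnoopingTable(router_port=0, immediate_leave=immediate_leave)
    table.report("224.1.2.3", 2, "Host 1")
    table.report("224.1.2.3", 3, "Host 2")
    table.report("224.1.2.3", 3, "Host 3")
    table.leave("224.1.2.3", 3, "Host 2")
    return table.ports("224.1.2.3"), table.stranded_hosts("224.1.2.3", 3)
```

With Immediate Leave enabled the scenario returns ports {0, 2} and a stranded Host 3, which is exactly the inadvertent drop the note describes; with it disabled, port 3 stays in the entry because Host 3 is still a listener.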
Beginning in privileged EXEC mode, follow these steps to globally enable IGMP snooping on the switch:

Step 1: configure terminal
  Enter global configuration mode.
Step 2: ip igmp snooping
  Globally enable IGMP snooping in all existing VLAN interfaces.
Step 3: end
  Return to privileged EXEC mode.
Step 4: copy running-config startup-config
  (Optional) Save your entries in the configuration file.
Beginning in privileged EXEC mode, follow these steps to change the method by which a VLAN interface dynamically learns of a multicast router:

Step 1: configure terminal
  Enter global configuration mode.
Step 2: ip igmp snooping vlan vlan-id mrouter learn {cgmp | pim-dvmrp}
  Enable IGMP snooping on a VLAN.
Chapter 18 Configuring IGMP Snooping and MVR Configuring IGMP Snooping Command Purpose Step 4 show ip igmp snooping mrouter [vlan vlan-id] Verify that IGMP snooping is enabled on the VLAN interface. Step 5 copy running-config startup-config (Optional) Save your entries in the configuration file. To remove a multicast router port from the VLAN, use the no ip igmp snooping vlan vlan-id mrouter interface interface-id global configuration command.
Chapter 18 Configuring IGMP Snooping and MVR Configuring IGMP Snooping Enabling IGMP Immediate-Leave Processing When you enable IGMP Immediate-Leave processing, the switch immediately removes a port when it detects an IGMP version 2 leave message on that port. You should use the Immediate-Leave feature only when there is a single receiver present on every port in the VLAN. Immediate Leave is supported with only IGMP version 2 hosts.
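The join, leave, and ageing behaviour above, together with the Immediate-Leave caveat, as an added example that is not Cisco code: a small model of one VLAN's snooping table in which two hosts share a port (a constructed topology), so the effect of Immediate Leave on the second host is visible. Class and method names are this example's own.

```python
"""IGMP snooping forwarding-table model (added example, not Cisco code).

A membership report adds the host port to the group entry, a Leave Group
removes it, and entries age out when no reports arrive. With Immediate
Leave the port is pruned on the first Leave without a group-specific query,
so any other host still listening on that port loses the stream.
"""
from collections import defaultdict


class IgmpSnoopingVlan:
    """Per-VLAN snooping state: group -> port -> {host: time of last report}."""

    def __init__(self, mrouter_port, immediate_leave=False, membership_timeout=260):
        self.mrouter_port = mrouter_port            # port toward the querier (Router A)
        self.immediate_leave = immediate_leave
        self.membership_timeout = membership_timeout  # seconds without a report (assumed)
        self.table = defaultdict(lambda: defaultdict(dict))

    def report(self, group, port, host, now=0):
        """IGMP membership report: add or refresh this host's port in the group entry."""
        self.table[group][port][host] = now

    def leave(self, group, port, host):
        """IGMP Leave Group from a host. Returns True if the port was pruned."""
        ports = self.table.get(group)
        if not ports or port not in ports:
            return False
        if self.immediate_leave:
            # Immediate Leave: prune at once, no group-specific query is sent.
            del ports[port]
            pruned = True
        else:
            # Normal mode: the switch sends a group-specific query on the port;
            # any other host on the port answers, so the port stays while one remains.
            ports[port].pop(host, None)
            pruned = not ports[port]
            if pruned:
                del ports[port]
        if not ports:
            del self.table[group]
        return pruned

    def age_out(self, now):
        """Periodic cleanup: drop hosts, then ports and groups, with no recent report."""
        for group in list(self.table):
            for port in list(self.table[group]):
                hosts = self.table[group][port]
                for host, last in list(hosts.items()):
                    if now - last > self.membership_timeout:
                        del hosts[host]
                if not hosts:
                    del self.table[group][port]
            if not self.table[group]:
                del self.table[group]

    def forward_ports(self, group):
        """Ports a data frame for `group` is sent to: member ports plus the mrouter port."""
        return sorted(set(self.table.get(group, {})) | {self.mrouter_port})


GROUP = "224.1.2.3"


def scenario(immediate_leave):
    """Constructed topology: Host 1 on port 2, hosts A and B sharing port 4.

    Returns the forwarding ports before and after host A leaves the group.
    """
    vlan = IgmpSnoopingVlan(mrouter_port=1, immediate_leave=immediate_leave)
    vlan.report(GROUP, 2, "host1")
    vlan.report(GROUP, 4, "hostA")
    vlan.report(GROUP, 4, "hostB")
    before = vlan.forward_ports(GROUP)
    vlan.leave(GROUP, 4, "hostA")
    return before, vlan.forward_ports(GROUP)


if __name__ == "__main__":
    print("normal leave:   ", scenario(False))   # port 4 kept, host B still served
    print("immediate leave:", scenario(True))    # port 4 pruned, host B dropped
```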
Beginning in privileged EXEC mode, follow these steps to disable IP multicast-source-only learning:
Command   Purpose
Step 1   configure terminal   Enter global configuration mode.
Step 2   no ip igmp snooping source-only-learning   Disable IP multicast-source-only learning.
Step 3   end   Return to privileged EXEC mode.
Displaying IGMP Snooping Information
Table 18-4 Commands for Displaying IGMP Snooping Information
Command   Purpose
show ip igmp snooping [vlan vlan-id]   Display the snooping configuration information for all VLANs on the switch or for a specified VLAN. (Optional) Enter vlan vlan-id to display information for a single VLAN.
This is an example of output from the show ip igmp snooping privileged EXEC command for a specific VLAN interface:
Switch# show ip igmp snooping vlan 1
vlan 1
---------
IGMP snooping is globally enabled
IGMP snooping is disabled on this Vlan
IGMP snooping immediate-leave is disabled on this Vlan
IGMP snooping mrouter learn mode is pim-dvmrp on this Vlan
This is an example of output from the show ip igmp snooping mrouter p
Understanding Multicast VLAN Registration
Multicast VLAN Registration (MVR) is designed for applications using wide-scale deployment of multicast traffic across an Ethernet ring-based service provider network (for example, the broadcast of multiple television channels over a service-provider network). MVR allows a subscriber on a port to subscribe and unsubscribe to a multicast stream on the network-wide multicast VLAN.
When a subscriber changes channels or turns off the television, the set-top box sends an IGMP leave message for the multicast stream. The switch CPU sends an IGMP group-specific query through the receiver port VLAN. If there is another set-top box in the VLAN still subscribing to this group, that set-top box must respond within the maximum response time.
MVR eliminates the need to duplicate television-channel multicast traffic for subscribers in each VLAN. Multicast traffic for all channels is only sent around the VLAN trunk once—only on the multicast VLAN. Although the IGMP leave and join message in the VLAN to which the subscriber port is assigned. These messages dynamically register for streams of multicast traffic in the multicast VLAN on the Layer 3 device.
Configuring MVR
MVR Configuration Guidelines and Limitations
Follow these guidelines when configuring MVR:
• Receiver ports cannot be trunk ports. Receiver ports on a switch can be in different VLANs, but should not belong to the multicast VLAN.
• The maximum number of multicast entries that can be configured on a switch (that is, the maximum number of television channels that can be received) is 256.
Command   Purpose
Step 6   mvr mode {dynamic | compatible}   (Optional) Specify the MVR mode of operation:
  • dynamic—Allows dynamic MVR membership on source ports.
  • compatible—Is compatible with Catalyst 3500 XL and Catalyst 2900 XL switches and does not support IGMP dynamic joins on source ports.
  The default is compatible mode.
Step 7   end   Return to privileged EXEC mode.
Step 8   show mvr   Verify the configuration.
Command   Purpose
Step 4   mvr type {source | receiver}   Configure an MVR port as one of these:
  • source—Configure uplink ports that receive and send multicast data as source ports. Subscribers cannot be directly connected to source ports. All source ports on a switch belong to the single multicast VLAN.
  • receiver—Configure a port as a receiver port if it is a subscriber port and should only receive multicast data.
This is an example of output from the show mvr interface privileged EXEC command when the members keyword is included:
Switch# show mvr interface fastethernet0/2 members
224.0.1.1 DYNAMIC ACTIVE
Displaying MVR Information
You can display MVR information for the switch or for a specified interface.
This is an example of output from the show mvr interface privileged EXEC command for a specified interface:
Switch# show mvr interface fastethernet0/2
224.0.1.1 DYNAMIC ACTIVE
This is an example of output from the show mvr interface privileged EXEC command when the members keyword is included:
Switch# show mvr interface fastethernet0/2 members
224.0.1.
Configuring IGMP Filtering
Table 18-7 Default IGMP Filtering Configuration (continued)
Feature   Default Setting
IGMP profiles   None defined
IGMP profile action   Deny the range addresses
Configuring IGMP Profiles
To configure an IGMP profile, use the ip igmp profile global configuration command with a profile number to create an IGMP profile and to enter IGMP profile configuration mode.
This example shows how to create IGMP profile 4 allowing access to the single IP multicast address and how to verify the configuration. If the action was to deny (the default), it would not appear in the show ip igmp profile output display.
Switch(config)# ip igmp profile 4
Switch(config-igmp-profile)# permit
Switch(config-igmp-profile)# range 229.9.9.
Setting the Maximum Number of IGMP Groups
You can set the maximum number of IGMP groups that a Layer 2 interface can join by using the ip igmp mac-groups interface configuration command. Use the no form of this command to set the maximum back to the default, which is no limit. You cannot use this command on ports that belong to an EtherChannel port group.
Displaying IGMP Filtering Configuration
You can display IGMP profile characteristics, and you can display the IGMP profile and maximum group configuration for all interfaces on the switch or for a specified interface.
Chapter 19 Configuring Port-Based Traffic Control
This chapter describes how to configure the port-based traffic control features on your Catalyst 2950 or Catalyst 2955 switch.
Note
For complete syntax and usage information for the commands used in this chapter, refer to the command reference for this release.
Configuring Storm Control
Storm control uses a bandwidth-based method to measure traffic activity. The thresholds are expressed as a percentage of the total available bandwidth that can be used by the broadcast, multicast, or unicast traffic. The rising threshold is the percentage of total available bandwidth associated with multicast, broadcast, or unicast traffic before forwarding is blocked.
Disabling Storm Control
Beginning in privileged EXEC mode, follow these steps to disable storm control:
Command   Purpose
Step 1   configure terminal   Enter global configuration mode.
Step 2   interface interface-id   Specify the port to configure, and enter interface configuration mode.
Step 3   no storm-control {broadcast | multicast | unicast} level   Disable port storm control.
Configuring Protected Ports
To disable a protected port, use the no switchport protected interface configuration command.
Configuring Port Security
• Sticky secure MAC addresses—These can be dynamically learned or manually configured, stored in the address table, and added to the running configuration. If these addresses are saved in the configuration file, when the switch restarts, the interface does not need to dynamically relearn them. Although sticky secure addresses can be manually configured, it is not recommended.
Table 19-1 Security Violation Mode Actions
Violation Mode   Traffic is forwarded(1)   Sends SNMP trap   Sends syslog message   Displays error message(2)   Violation counter increments   Shuts down port
protect          No                        No                No                     No                         No                             No
restrict         No                        Yes               Yes                    No                         Yes                            No
shutdown         No                        Yes               Yes                    No                         Yes                            Yes
1. Packets with unknown source addresses are dropped until you remove a sufficient number of secure MAC addresses.
2.
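Table 19-1 and the sticky-address behaviour, as an added example that is not Cisco code: a model of one secured interface that applies the per-mode actions to a constructed frame sequence, so the difference between protect (silent), restrict (counted and notified) and shutdown (error-disabled) is reproducible. Class, method and MAC values are this example's own; the shutdown default is an assumption, not stated on this page.

```python
"""Port security violation-mode model (added example, not Cisco code).

Models Table 19-1 for one interface with a maximum secure-address count.
A frame from a MAC beyond that count is a violation, handled per mode:
  protect   drop silently (no trap, no syslog, no counter increment)
  restrict  drop, send SNMP trap and syslog message, increment the counter
  shutdown  as restrict, and also shut the port down (nothing passes after)
Sticky learning additionally records each learned MAC as a config line.
"""
from dataclasses import dataclass, field

VIOLATION_MODES = ("protect", "restrict", "shutdown")


@dataclass
class SecurePort:
    name: str
    maximum: int = 1
    violation_mode: str = "shutdown"   # assumed default for this example
    sticky: bool = False
    secure_macs: dict = field(default_factory=dict)     # mac -> static|dynamic|sticky
    violation_count: int = 0
    err_disabled: bool = False
    notifications: list = field(default_factory=list)   # ("snmp-trap"|"syslog", mac)
    running_config: list = field(default_factory=list)

    def __post_init__(self):
        if self.violation_mode not in VIOLATION_MODES:
            raise ValueError(f"unknown violation mode {self.violation_mode!r}")

    def add_static(self, mac):
        """Manually configured static secure address; it occupies one slot."""
        if mac not in self.secure_macs and len(self.secure_macs) >= self.maximum:
            raise ValueError("secure address table is full")
        self.secure_macs[mac] = "static"
        self.running_config.append(f"switchport port-security mac-address {mac}")

    def remove_secure(self, mac):
        """Removing a secure address frees a slot (footnote 1 of Table 19-1)."""
        self.secure_macs.pop(mac, None)
        self.running_config = [line for line in self.running_config
                               if not line.endswith(mac)]

    def ingress(self, mac):
        """Handle a frame with source MAC `mac`; returns 'forward' or 'drop'."""
        if self.err_disabled:
            return "drop"                       # shut down: nothing is forwarded
        if mac in self.secure_macs:
            return "forward"
        if len(self.secure_macs) < self.maximum:
            # Room left: learn it. Sticky learning also writes it to the config.
            self.secure_macs[mac] = "sticky" if self.sticky else "dynamic"
            if self.sticky:
                self.running_config.append(
                    f"switchport port-security mac-address sticky {mac}")
            return "forward"
        return self._violation(mac)

    def _violation(self, mac):
        if self.violation_mode == "protect":
            return "drop"                       # silent drop, no record kept
        self.violation_count += 1
        self.notifications.append(("snmp-trap", mac))
        self.notifications.append(("syslog", mac))
        if self.violation_mode == "shutdown":
            self.err_disabled = True
        return "drop"


def run_scenario(mode, sticky=False):
    """Constructed traffic on a max-1 port: frames from A, A, B, C.

    Returns (decisions, violation count, notification count, port shut down).
    """
    port = SecurePort("FastEthernet0/12", maximum=1,
                      violation_mode=mode, sticky=sticky)
    frames = ("0000.aaaa.0001", "0000.aaaa.0001",
              "0000.bbbb.0002", "0000.cccc.0003")
    decisions = [port.ingress(m) for m in frames]
    return decisions, port.violation_count, len(port.notifications), port.err_disabled


if __name__ == "__main__":
    for mode in VIOLATION_MODES:
        print(mode, run_scenario(mode))
```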
Enabling and Configuring Port Security
Beginning in privileged EXEC mode, follow these steps to restrict input to an interface by limiting and identifying MAC addresses of the stations allowed to access the port:
Command   Purpose
Step 1   configure terminal   Enter global configuration mode.
Step 8   switchport port-security mac-address sticky   (Optional) Enable sticky learning on the interface.
Step 9   end   Return to privileged EXEC mode.
Step 10   show port-security
          show port-security address
          show port-security interface interface-id   Verify your entries.
Step 11   copy running-config startup-config   (Optional) Save your entries in the configuration file.
SecureStatic address aging: Enabled
Security Violation count: 0
This example shows how to configure a static secure MAC address and a sticky secure MAC address on Fast Ethernet port 12 and verify the configuration:
Switch# configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Beginning in privileged EXEC mode, follow these steps to configure port security aging:
Command   Purpose
Step 1   configure terminal   Enter global configuration mode.
Step 2   interface interface-id   Specify the port on which you want to enable port security aging, and enter interface configuration mode.
Note
The switch does not support port security aging of sticky secure addresses.
Step 3
Displaying Port-Based Traffic Control Settings
The show interfaces interface-id switchport privileged EXEC command displays (among other characteristics) the interface traffic suppression and control configuration. The show interfaces counters privileged EXEC command displays the count of discarded packets. The show storm-control and show port-security privileged EXEC commands display the settings of those features.
Catalyst 2950 and Catalyst 2955 Switch Software Configuration Guide 19-12 78-11380-07
Chapter 20 Configuring UDLD
This chapter describes how to configure the UniDirectional Link Detection (UDLD) protocol on your Catalyst 2950 or Catalyst 2955 switch.
Note
For complete syntax and usage information for the commands used in this chapter, refer to the command reference for this release.
Understanding UDLD
UDLD operates by using two mechanisms:
• Neighbor database maintenance
UDLD learns about other UDLD-capable neighbors by periodically sending a hello packet (also called an advertisement or probe) on every active interface to keep each device informed about its neighbors. When the switch receives a hello message, it caches the information until the age time (hold time or time-to-live) expires.
Configuring UDLD
This section describes how to configure UDLD on your switch. It contains this configuration information:
• Default UDLD Configuration, page 20-3
• Enabling UDLD Globally, page 20-4
• Enabling UDLD on an Interface, page 20-4
• Resetting an Interface Shut Down by UDLD, page 20-5
Default UDLD Configuration
Table 20-1 shows the default UDLD configuration.
Enabling UDLD Globally
Beginning in privileged EXEC mode, follow these steps to enable UDLD in the aggressive or normal mode and to set the configurable message timer on all fiber-optic interfaces on the switch:
Command   Purpose
Step 1   configure terminal   Enter global configuration mode.
Command   Purpose
Step 3   udld {aggressive | enable}   Specify the UDLD mode of operation:
  • aggressive—Enables UDLD in aggressive mode on the specified interface. For details on the usage guidelines for the aggressive mode, refer to the command reference for this release.
  • enable—Enables UDLD in normal mode on the specified interface. UDLD is disabled by default.
Displaying UDLD Status
To display the UDLD status for the specified interface or for all interfaces, use the show udld [interface-id] privileged EXEC command. For detailed information about the fields in the display, refer to the command reference for this release.
Chapter 21 Configuring CDP
This chapter describes how to configure Cisco Discovery Protocol (CDP) on your Catalyst 2950 or Catalyst 2955 switch.
Note
For complete syntax and usage information for the commands used in this chapter, refer to the command reference for this release and the Cisco IOS Configuration Fundamentals Command Reference for Release 12.1.
Configuring CDP
These sections include CDP configuration information and procedures:
• Default CDP Configuration, page 21-2
• Configuring the CDP Characteristics, page 21-2
• Disabling and Enabling CDP, page 21-3
• Disabling and Enabling CDP on an Interface, page 21-4
Default CDP Configuration
Table 21-1 shows the default CDP configuration.
Command   Purpose
Step 6   show cdp   Verify configuration by displaying global information about CDP on the device.
Step 7   copy running-config startup-config   (Optional) Save your entries in the configuration file.
Use the no form of the CDP commands to return to the default settings.
This example shows how to configure and verify CDP characteristics.
This example shows how to enable CDP if it has been disabled.
Switch# configure terminal
Switch(config)# cdp run
Switch(config)# end
Disabling and Enabling CDP on an Interface
CDP is enabled by default on all supported interfaces to send and receive CDP information.
Beginning in privileged EXEC mode, follow these steps to disable CDP on an interface:
Command   Purpose
Step 1   configure terminal   Enter global configuration mode.
Monitoring and Maintaining CDP
To monitor and maintain CDP on your device, perform one or more of these tasks, beginning in privileged EXEC mode.
Command   Description
clear cdp counters   Reset the traffic counters to zero.
clear cdp table   Delete the CDP table of information about neighbors.
show cdp   Display global information, such as frequency of transmissions and the holdtime for packets being sent.
Chapter 22 Configuring SPAN and RSPAN
This chapter describes how to configure Switched Port Analyzer (SPAN) and Remote SPAN (RSPAN) on your Catalyst 2950 or Catalyst 2955 switch.
Note
For complete syntax and usage information for the commands used in this chapter, refer to the command reference for this release.
Understanding SPAN and RSPAN
Figure 22-1 Example SPAN Configuration (figure: a switch with ports 1 through 12; port 5 traffic is mirrored on port 10, which connects to a network analyzer)
Only traffic that enters or leaves source ports can be monitored by using SPAN. RSPAN extends SPAN by enabling remote monitoring of multiple switches across your network.
SPAN and RSPAN Concepts and Terminology
This section describes concepts and terminology associated with SPAN and RSPAN configuration.
SPAN Session
A local SPAN session is an association of a destination port with source ports. You can monitor incoming or outgoing traffic on a series or range of ports. An RSPAN session is an association of source ports across your network with an RSPAN VLAN. The destination source is the RSPAN VLAN.
Source Port
A source port (also called a monitored port) is a switched port that you monitor for network traffic analysis. In a single local SPAN session or RSPAN source session, you can monitor source port traffic such as received (Rx), transmitted (Tx), or bidirectional (both). The switch supports any number of source ports (up to the maximum number of available ports on the switch).
The reflector port has these characteristics:
• It is a port set to loopback.
• It cannot be an EtherChannel group, it does not trunk, and it cannot do protocol filtering.
• It can be a physical port that is assigned to an EtherChannel group, even if the EtherChannel group is specified as a SPAN source. The port is removed from the group while it is configured as a reflector port.
SPAN and RSPAN Interaction with Other Features
SPAN interacts with these features:
• Spanning Tree Protocol (STP)—A destination port or a reflector port does not participate in STP while its SPAN or RSPAN session is active. The destination or reflector port can participate in STP after the SPAN or RSPAN session is disabled. On a source port, SPAN does not affect the STP status. STP can be active on trunk ports carrying an RSPAN VLAN.
Configuring SPAN
• Each RSPAN destination session has one or more destination interfaces for each RSPAN VLAN that it supports.
• RSPAN destination sessions are limited to two, or one if a local SPAN or a source RSPAN session is configured on the same switch.
Default SPAN and RSPAN Configuration
Table 22-1 shows the default SPAN and RSPAN configuration.
Table 22-1 Default SPAN and RSPAN Configuration
Feature   Default Setting
SPAN state   Disabled.
• When SPAN is enabled, configuration changes have these results:
  – If you change the VLAN configuration of a destination port, the change is not effective until SPAN is disabled.
  – If you disable all source ports or the destination port, the SPAN function stops until both a source and the destination port are enabled.
This example shows how to set up a SPAN session, session 1, for monitoring source port traffic to a destination port. First, any existing SPAN configuration for session 1 is cleared, and then bidirectional traffic is mirrored from source port 1 to destination port 10.
Command   Purpose
Step 4   monitor session session_number destination interface interface-id [encapsulation {dot1q}] [ingress vlan vlan id]   Specify the SPAN session, the destination port (monitoring port), the packet encapsulation, and the ingress VLAN. For session_number, specify 1. For interface-id, specify the destination port. Valid interfaces include physical interfaces. (Optional) Specify the encapsulation header for outgoing packets.
Removing Ports from a SPAN Session
Beginning in privileged EXEC mode, follow these steps to remove a port as a SPAN source for a session:
Command   Purpose
Step 1   configure terminal   Enter global configuration mode.
Step 2   no monitor session session_number source interface interface-id [, | -] [both | rx | tx]   Specify the characteristics of the source port (monitored port) and SPAN session to remove. For session, specify 1.
Configuring RSPAN
This section describes how to configure RSPAN on your switch. It contains this configuration information:
• RSPAN Configuration Guidelines, page 22-12
• Creating an RSPAN Session, page 22-13
• Creating an RSPAN Destination Session, page 22-14
• Removing Ports from an RSPAN Session, page 22-15
RSPAN Configuration Guidelines
To use the RSPAN feature described in this section, you must have the EI installed on your switch.
• You should create an RSPAN VLAN before configuring an RSPAN source or destination session.
• If you enable VTP and VTP pruning, RSPAN traffic is pruned in the trunks to prevent the unwanted flooding of RSPAN traffic across the network for VLAN-IDs that are lower than 1005.
Creating an RSPAN Session
First create an RSPAN VLAN that does not exist for the RSPAN session in any of the switches that will participate in RSPAN.
Command   Purpose
Step 4   monitor session session_number destination remote vlan vlan-id reflector-port interface   Specify the RSPAN session, the destination remote VLAN, and the reflector port. For session_number, enter the session number identified with this RSPAN session. For vlan-id, specify the RSPAN VLAN to carry the monitored traffic to the destination port.
Command   Purpose
Step 4   end   Return to privileged EXEC mode.
Step 5   show monitor [session session_number]   Verify your entries.
Step 6   copy running-config startup-config   (Optional) Save your entries in the configuration file.
Displaying SPAN and RSPAN Status
To display the status of the current SPAN or RSPAN configuration, use the show monitor privileged EXEC command.
Chapter 23 Configuring RMON
This chapter describes how to configure Remote Network Monitoring (RMON) on your Catalyst 2950 or Catalyst 2955 switch. RMON is a standard monitoring specification that defines a set of statistics and functions that can be exchanged between RMON-compliant console systems and network probes. RMON provides you with comprehensive network-fault diagnosis, planning, and performance-tuning information.
Configuring RMON
Figure 23-1 Remote Monitoring Example (figure: a network management station with a generic RMON console application, and a Catalyst 3550 switch with RMON alarms and events configured, SNMP configured, and RMON history and statistic collection enabled)
Default RMON Configuration
RMON is disabled by default; no alarms or events are configured. Only RMON 1 is supported on the switch.
Configuring RMON Alarms and Events
You can configure your switch for RMON by using the command-line interface (CLI) or an SNMP-compatible network management station. We recommend that you use a generic RMON console application on the network management station (NMS) to take advantage of RMON's network management capabilities.
Command   Purpose
Step 3   rmon event number [description string] [log] [owner string] [trap community]   Add an event in the RMON event table that is associated with an RMON event number.
  • For number, assign an event number. The range is 1 to 65535.
  • (Optional) For description string, specify a description of the event.
  • (Optional) Use the log keyword to generate an RMON log entry when the event is triggered.
Configuring RMON Collection on an Interface
You must first configure RMON alarms and events to display collection information.
Beginning in privileged EXEC mode, follow these steps to collect group history statistics on an interface:
Command   Purpose
Step 1   configure terminal   Enter global configuration mode.
Step 2   interface interface-id   Enter interface configuration mode, and specify the interface on which to collect history.
Step 6   show rmon statistics   Display the contents of the switch statistics table.
Step 7   copy running-config startup-config   (Optional) Save your entries in the configuration file.
To disable the collection of group Ethernet statistics, use the no rmon collection stats index interface configuration command.
Displaying RMON Status
Chapter 24 Configuring System Message Logging
This chapter describes how to configure system message logging on your Catalyst 2950 or Catalyst 2955 switch.
Note
For complete syntax and usage information for the commands used in this chapter, refer to the Cisco IOS Configuration Fundamentals Command Reference for Release 12.1.
Configuring System Message Logging
These sections describe how to configure system message logging:
• System Log Message Format, page 24-2
• Default System Message Logging Configuration, page 24-3
• Disabling and Enabling Message Logging, page 24-4
• Setting the Message Display Destination Device, page 24-4
• Synchronizing Log Messages, page 24-6
• Enabling and Disabling Timestamps on Log Messages, page 24-7
• E
Table 24-1 System Log Message Elements (continued)
Element   Description
MNEMONIC   Text string that uniquely describes the message.
description   Text string containing detailed information about the event being reported.
Disabling and Enabling Message Logging
Message logging is enabled by default. It must be enabled to send messages to any destination other than the console. When enabled, log messages are sent to a logging process, which logs messages to designated locations asynchronously to the processes that generated the messages.
Command   Purpose
Step 3   logging host   Log messages to a UNIX syslog server host. For host, specify the name or IP address of the host to be used as the syslog server. To build a list of syslog servers that receive logging messages, enter this command more than once. For complete syslog server configuration steps, see the "Configuring UNIX Syslog Servers" section on page 24-10.
Synchronizing Log Messages
You can configure the system to synchronize unsolicited messages and debug privileged EXEC command output with solicited device output and prompts for a specific console port line or virtual terminal line. You can identify the types of messages to be output asynchronously based on the level of severity.
Command   Purpose
Step 5   show running-config   Verify your entries.
Step 6   copy running-config startup-config   (Optional) Save your entries in the configuration file.
To disable synchronization of unsolicited messages and debug output, use the no logging synchronous [level severity-level | all] [limit number-of-buffers] line configuration command.
Enabling and Disabling Sequence Numbers in Log Messages
Because there is a chance that more than one log message can have the same timestamp, you can display messages with sequence numbers so that you can unambiguously refer to a single message. By default, sequence numbers in log messages are not displayed.
Command   Purpose
Step 6   show running-config
         or show logging   Verify your entries.
Step 7   copy running-config startup-config   (Optional) Save your entries in the configuration file.
Note
Specifying a level causes messages at that level and numerically lower levels to be displayed at the destination.
To disable logging to the console, use the no logging console global configuration command.
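The message elements of Table 24-1 and the level rule in the note above, as an added example that is not Cisco code: a parser for IOS system log lines (optional sequence number, optional timestamp, then %FACILITY-SEVERITY-MNEMONIC: description) and a filter that keeps what a destination set to a given level would show. The sample lines are constructed in that format; the hosts, interfaces and MAC address in them are invented.

```python
"""IOS system log message parser and severity filter (added example, not Cisco code).

Severity is numeric: 0 emergencies ... 7 debugging. A destination configured
for level N displays messages at N and numerically lower (more severe) levels.
"""
import re
from dataclasses import dataclass
from typing import Optional

SEVERITY_NAMES = {
    "emergencies": 0, "alerts": 1, "critical": 2, "errors": 3,
    "warnings": 4, "notifications": 5, "informational": 6, "debugging": 7,
}

# Optional "seq no:" then an optional timestamp (uptime HH:MM:SS, or datetime
# with an optional '*' or '.' clock flag, milliseconds and time zone), then
# the mandatory %FACILITY-SEVERITY-MNEMONIC: description part.
_MSG_RE = re.compile(
    r"^(?:(?P<seq>\d+):\s*)?"
    r"(?:(?P<ts>[*.]?(?:[A-Z][a-z]{2}\s+\d{1,2}(?:\s+\d{4})?\s+)?"
    r"\d{1,2}:\d{2}:\d{2}(?:\.\d{1,3})?(?:\s+[A-Za-z]{3,5})?):\s*)?"
    r"%(?P<facility>[A-Z0-9_]+)-(?P<severity>[0-7])-(?P<mnemonic>[A-Z0-9_]+):\s*"
    r"(?P<description>.*)$"
)


@dataclass
class SyslogMessage:
    seq: Optional[int]
    timestamp: Optional[str]
    facility: str
    severity: int
    mnemonic: str
    description: str


def parse_line(line):
    """Return a SyslogMessage, or None if the line is not in the IOS format."""
    m = _MSG_RE.match(line.strip())
    if not m:
        return None
    return SyslogMessage(
        seq=int(m["seq"]) if m["seq"] else None,
        timestamp=m["ts"],
        facility=m["facility"],
        severity=int(m["severity"]),
        mnemonic=m["mnemonic"],
        description=m["description"],
    )


def parse_log(text):
    """Parse every recognisable line; lines in another format are skipped."""
    return [msg for msg in (parse_line(ln) for ln in text.splitlines()) if msg]


def at_level(messages, level):
    """Messages a destination configured for `level` (name or 0-7) would display."""
    limit = SEVERITY_NAMES[level] if isinstance(level, str) else int(level)
    if not 0 <= limit <= 7:
        raise ValueError("severity level must be 0-7")
    return [m for m in messages if m.severity <= limit]


# Constructed sample log. Sequence numbers and timestamps appear only on some
# lines, as they do when those services are off or the clock is not set.
SAMPLE_LOG = "\n".join([
    "000019: *Mar  1 18:46:11: %SYS-5-CONFIG_I: Configured from console by vty0",
    "000020: *Mar  1 18:46:30: %LINK-3-UPDOWN: Interface FastEthernet0/1, "
    "changed state to down",
    "%SYS-6-LOGGINGHOST_STARTSTOP: Logging to host 10.1.1.1 started - CLI initiated",
    "00:02:15: %PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, "
    "caused by MAC address 0000.bbbb.0002 on port FastEthernet0/12.",
    "this line is not a system log message",
])


if __name__ == "__main__":
    for msg in at_level(parse_log(SAMPLE_LOG), "errors"):
        print(msg.severity, msg.facility, msg.mnemonic, msg.description)
```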
Limiting Syslog Messages Sent to the History Table and to SNMP
If you enabled syslog message traps to be sent to an SNMP network management station by using the snmp-server enable trap global configuration command, you can change the level of messages sent and stored in the switch history table. You also can change the number of messages that are stored in the history table.
Logging Messages to a UNIX Syslog Daemon
Before you can send system log messages to a UNIX syslog server, you must configure the syslog daemon on a UNIX server. Log in as root, and perform these steps:
Note
Some recent versions of UNIX syslog daemons no longer accept syslog packets from the network by default.
Step 1
Command   Purpose
Step 4   logging facility facility-type   Configure the syslog facility. See Table 24-4 on page 24-12 for facility-type keywords. The default is local7.
Step 5   end   Return to privileged EXEC mode.
Step 6   show running-config   Verify your entries.
Step 7   copy running-config startup-config   (Optional) Save your entries in the configuration file.
Displaying the Logging Configuration
C H A P T E R 25 Configuring SNMP This chapter describes how to configure the Simple Network Management Protocol (SNMP) on your Catalyst 2950 or Catalyst 2955 switch. Note For complete syntax and usage information for the commands used in this chapter, refer to the switch command reference for this release and to the Cisco IOS Configuration Fundamentals Command Reference for Release 12.1.
Understanding SNMP
• Using SNMP to Access MIB Variables, page 25-4
• SNMP Notifications, page 25-5
SNMP Versions
This software release supports these SNMP versions:
• SNMPv1—The Simple Network Management Protocol, a Full Internet Standard, defined in RFC 1157.
Table 25-1 SNMP Security Models and Levels
Model / Level / Authentication / Encryption / Result
SNMPv1 / noAuthNoPriv / Community string / No / Uses a community string match for authentication.
SNMPv2C / noAuthNoPriv / Community string / No / Uses a community string match for authentication.
SNMPv3 / noAuthNoPriv / Username / No / Uses a username match for authentication.
SNMP Agent Functions
The SNMP agent responds to SNMP manager requests as follows:
• Get a MIB variable—The SNMP agent begins this function in response to a request from the NMS. The agent retrieves the value of the requested MIB variable and responds to the NMS with that value.
• Set a MIB variable—The SNMP agent begins this function in response to a message from the NMS.
Figure 25-1 SNMP Network (the SNMP manager on the NMS sends Get-request, Get-next-request, Get-bulk and Set-request messages to the SNMP agent on the network device; the agent, which reads the MIB, answers with Get-response messages and traps)
For information on supported MIBs and how to access them, see Appendix A, “Supported MIBs.”
SNMP Notifications
SNMP allows the switch to send notifications to SNMP managers when particular events occur. SNMP notifications can be sent as traps or inform requests.
Configuring SNMP
Default SNMP Configuration
Table 25-3 shows the default SNMP configuration.
Table 25-3 Default SNMP Configuration
Feature / Default Setting
SNMP agent: Enabled
SNMP community strings: Read-Only: Public; Read-Write: Private; Read-Write-all: Secret
SNMP trap receiver: None configured
SNMP traps: None enabled
SNMP version: If no version keyword is present, the default is version 1.
of this deletion, if the value of engineID changes, the security digests of SNMPv3 users become invalid, and you need to reconfigure SNMP users by using the snmp-server user username global configuration command. Similar restrictions require the reconfiguration of community strings when the engine ID changes.
Beginning in privileged EXEC mode, follow these steps to configure a community string on the switch:
Step 1 (configure terminal): Enter global configuration mode.
Step 2 (snmp-server community string [view view-name] [ro | rw] [access-list-number]): Configure the community string.
This example shows how to assign the string comaccess to SNMP, to allow read-only access, and to specify that IP access list 4 can use the community string to gain access to the switch SNMP agent:
Switch(config)# snmp-server community comaccess ro 4
Configuring SNMP Groups and Users
You can specify an identification name (engineID) for the local or remote SNMP server engine on the switch.
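As an added illustration (not code from the Cisco guide), the check below reads snmp-server community lines out of a saved running configuration and flags the conditions this section and Table 25-3 draw attention to: a default community string (Public, Private or Secret), read-write access, and a community string with no access-list-number restricting which managers may use it. The configuration text is constructed for the example, and the regular expression is my reading of the command layout shown in Step 2, not Cisco's parser.

```python
import re
from typing import Dict, List

# Default community strings listed in Table 25-3 (compared case-insensitively).
DEFAULT_COMMUNITIES = {"public", "private", "secret"}

# snmp-server community string [view view-name] [ro | rw] [access-list-number]
# Assumed layout, taken from the command syntax shown in Step 2 of this section.
COMMUNITY_RE = re.compile(
    r"^\s*snmp-server community (\S+)(?: view (\S+))?(?: (ro|rw))?(?: (\d+))?\s*$",
    re.IGNORECASE | re.MULTILINE,
)


def parse_communities(config: str) -> List[Dict[str, object]]:
    """Return one dict per community line: name, view, mode (ro is the default), acl."""
    entries = []
    for m in COMMUNITY_RE.finditer(config):
        name, view, mode, acl = m.groups()
        entries.append({
            "name": name,
            "view": view,
            "mode": (mode or "ro").lower(),
            "acl": int(acl) if acl else None,
        })
    return entries


def audit(config: str) -> Dict[str, List[str]]:
    """Map each community string to the weaknesses found for it (empty list if none)."""
    findings: Dict[str, List[str]] = {}
    for entry in parse_communities(config):
        issues = []
        if str(entry["name"]).lower() in DEFAULT_COMMUNITIES:
            issues.append("default community string")
        if entry["mode"] == "rw":
            issues.append("read-write access")
        if entry["acl"] is None:
            issues.append("no access list")
        findings[str(entry["name"])] = issues
    return findings


# Constructed sample of the relevant lines from a running configuration.
SAMPLE_CONFIG = """\
hostname Switch
snmp-server community public RO
snmp-server community private RW
snmp-server community comaccess ro 4
snmp-server community netmon view restricted ro 10
snmp-server contact Dial System Operator at beeper 21555
"""

if __name__ == "__main__":
    for name, issues in audit(SAMPLE_CONFIG).items():
        print(f"{name}: {', '.join(issues) if issues else 'ok'}")
```

The comaccess line from the example above passes because it is read-only and tied to access list 4; the two default strings are reported, and the read-write one is reported twice over.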
Step 3 (snmp-server group groupname {v1 | v2c | v3 [auth | noauth | priv]} [read readview] [write writeview] [notify notifyview] [access access-list]): Configure a new SNMP group on the remote device.
• For groupname, specify the name of the group.
• Specify a security model:
– v1 is the least secure of the possible security models.
– v2c is the second least secure model. It allows transmission of informs and integers twice the normal width.
Step 4 (snmp-server user username groupname [remote host [udp-port port]] {v1 | v2c | v3 [auth {md5 | sha} auth-password]} [encrypted] [access access-list]): Configure a new user in an SNMP group.
• The username is the name of the user on the host that connects to the agent.
• The groupname is the name of the group to which the user is associated.
Table 25-4 Switch Notification Types (continued)
Notification Type Keyword / Description
entity: Generates a trap for SNMP entity changes.
hsrp: Generates a trap for Hot Standby Router Protocol (HSRP) changes.
mac-notification: Generates a trap for MAC address notifications.
rtr: Generates a trap for the SNMP Response Time Reporter (RTR).
snmp: Generates a trap for SNMP-type notifications.
syslog: Generates a trap for SNMP syslog notifications.
Step 5 (snmp-server host host-addr [traps | informs] [version {1 | 2c | 3 [auth | noauth | priv]}] community-string [udp-port port] [notification-type]): Specify the recipient of an SNMP trap operation.
• For host-addr, specify the name or Internet address of the host (the targeted recipient).
• (Optional) Enter traps (the default) to send SNMP traps to the host.
• (Optional) Enter informs to send SNMP informs to the host.
Setting the Agent Contact and Location Information
Beginning in privileged EXEC mode, follow these steps to set the system contact and location of the SNMP agent so that these descriptions can be accessed through the configuration file:
Step 1 (configure terminal): Enter global configuration mode.
Step 2 (snmp-server contact text): Set the system contact string. For example: snmp-server contact Dial System Operator at beeper 21555.
Step 4 (end): Return to privileged EXEC mode.
Step 5 (show running-config): Verify your entries.
Step 6 (copy running-config startup-config): (Optional) Save your entries in the configuration file.
SNMP Examples
This example shows how to enable all versions of SNMP. The configuration permits any SNMP manager to access all objects with read-only permissions using the community string public.
Displaying SNMP Status
To display SNMP input and output statistics, including the number of illegal community string entries, errors, and requested variables, use the show snmp privileged EXEC command. You can also use the other privileged EXEC commands in Table 25-5 to display SNMP information. For information about the fields in the output displays, refer to the Cisco IOS Configuration Fundamentals Command Reference for Release 12.1.
Chapter 26 Configuring Network Security with ACLs
This chapter describes how to configure network security on a Catalyst 2950 or Catalyst 2955 switch by using access control lists (ACLs), which are also referred to in commands and tables as access lists. You can create ACLs for physical interfaces or management interfaces. A management interface is defined as a management VLAN or any traffic that is going directly to the CPU, such as SNMP, Telnet, or web traffic.
Understanding ACLs
Packet filtering can limit network traffic and restrict network use by certain users or devices. ACLs can filter traffic as it passes through a switch and permit or deny packets at specified interfaces. An ACL is a sequential collection of permit and deny conditions that apply to packets.
Figure 26-1 Using ACLs to Control Traffic to a Network (Host A and Host B, a Catalyst 2950 switch, the Research & Development network and the Human Resources network; the ACL denies traffic from Host B and permits traffic from Host A)
Handling Fragmented and Unfragmented Traffic
IP packets can be fragmented as they cross the network.
• Packet A is a TCP packet from host 10.2.2.2, port 65000, going to host 10.1.1.1 on the SMTP port. If this packet is fragmented, the first fragment matches the first ACE (a permit), as if it were a complete packet because all Layer 4 information is present.
• Layer 4 fields:
– TCP (You can specify a TCP source, destination port number, or both at the same time.)
– UDP (You can specify a UDP source, destination port number, or both at the same time.)
Note: A mask can be a combination of either multiple Layer 3 and Layer 4 fields or of multiple Layer 2 fields. Layer 2 fields cannot be combined with Layer 3 or Layer 4 fields.
Configuring ACLs
Guidelines for Applying ACLs to Physical Interfaces
When applying ACLs to physical interfaces, follow these configuration guidelines:
• Only one ACL can be attached to an interface. For more information, refer to the ip access-group interface command in the command reference for this release.
• All ACEs in an ACL must have the same user-defined mask. However, ACEs can have different rules that use the same mask.
Unsupported Features
The switch does not support these IOS router ACL-related features:
• Non-IP protocol ACLs (see Table 26-2 on page 26-8)
• Bridge-group ACLs
• IP accounting
• ACL support on the outbound direction
• Inbound and outbound rate limiting (except with QoS ACLs)
• IP packets that have a header length of less than 5 bytes
• Reflexive ACLs
• Dynamic ACLs (except for certain specialized dynamic ACLs used by the sw
ACL Numbers
The number you use to denote your ACL shows the type of access list that you are creating. Table 26-2 lists the access list number and corresponding type and shows whether or not they are supported by the switch. The switch supports IP standard and IP extended access lists, numbers 1 to 199 and 1300 to 2699.
Creating a Numbered Standard ACL
Note: For information about creating ACLs to apply to a management interface, refer to the “Configuring IP Services” section of the Cisco IOS IP and IP Routing Configuration Guide and the Command Reference for IOS Release 12.1. You can apply these ACLs only to a management interface.
This example shows how to create a standard ACL to deny access to IP host 171.69.198.102, permit access to any others, and display the results.
Switch(config)# access-list 2 deny host 171.69.198.102
Switch(config)# access-list 2 permit any
Switch(config)# end
Switch# show access-lists
Standard IP access list 2
deny 171.69.198.
Note: The switch does not support dynamic or reflexive access lists. It also does not support filtering based on the minimize-monetary-cost type of service (ToS) bit.
When creating ACEs in numbered extended access lists, remember that after you create the list, any additions are placed at the end of the list. You cannot reorder the list or selectively add or remove ACEs from a numbered list.
Beginning in privileged EXEC mode, follow these steps to create an extended ACL:
Step 1 (configure terminal): Enter global configuration mode.
Use the no access-list access-list-number global configuration command to delete the entire access list. You cannot delete individual ACEs from numbered access lists.
This example shows how to create and display an extended access list to deny Telnet access from any host in network 171.69.198.0 to any host in network 172.20.52.0 and permit any others.
Beginning in privileged EXEC mode, follow these steps to create a standard named access list using names:
Step 1 (configure terminal): Enter global configuration mode.
Step 2 (ip access-list standard {name | access-list-number}): Define a standard IP access list by using a name, and enter access-list configuration mode.
Step 5 (show access-lists [number | name]): Show the access list configuration.
Step 6 (copy running-config startup-config): (Optional) Save your entries in the configuration file.
When making the standard and extended ACL, remember that, by default, the end of the ACL contains an implicit deny statement for everything if it did not find a match before reaching the end.
Step 3 (absolute [start time date] [end time date]): Specify when the function that the time range is applied to is operational. Use some combination of these commands; multiple periodic statements are allowed; only one absolute statement is allowed. If more than one absolute statement is configured, only the one configured last is executed.
Switch# show access-lists
Extended IP access list 188
deny tcp any any time-range new_year_day_2000 (inactive)
deny tcp any any time-range thanskgiving_2000 (active)
deny tcp any any time-range christmas_2000 (inactive)
permit tcp any any time-range workhours (inactive)
This example uses named ACLs to permit and deny the same traffic.
In this example, the Jones subnet is not allowed to use outbound Telnet:
Switch(config)# ip access-list extended telnetting
Switch(config-ext-nacl)# remark Do not allow Jones subnet to telnet out
Switch(config-ext-nacl)# deny tcp host 171.69.2.88 any eq telnet
Creating Named MAC Extended ACLs
You can filter Layer 2 traffic on a physical Layer 2 interface by using MAC addresses and named MAC extended ACLs.
This example shows how to create and display an access list named mac1, denying only EtherType DECnet Phase IV traffic, but permitting all other types of traffic.
Applying ACLs to Terminal Lines or Physical Interfaces
Note: Before applying an ACL to a physical interface, see the “Guidelines for Applying ACLs to Physical Interfaces” section on page 26-6.
You can apply ACLs to any management interface.
Applying ACLs to a Physical Interface
Beginning in privileged EXEC mode, follow these steps to control access to a Layer 2 interface:
Step 1 (configure terminal): Enter global configuration mode.
Step 2 (interface interface-id): Identify a specific interface for configuration and enter interface configuration mode. The interface must be a Layer 2 or management interface or a management interface VLAN ID.
Displaying ACL Information
Displaying ACLs
You can display existing ACLs by using show commands. Beginning in privileged EXEC mode, follow these steps to display access lists:
Step 1 (show access-lists [number | name]): Show information about all IP and MAC address access lists or about a specific access list (numbered or named).
Displaying Access Groups
Note: This feature is available only if your switch is running the EI.
You use the ip access-group interface configuration command to apply ACLs to a Layer 3 interface. When IP is enabled on an interface, you can use the show ip interface interface-id privileged EXEC command to view the input and output access lists on the interface, as well as other interface characteristics.
Examples for Compiling ACLs
Use switch ACLs to do these:
• Create a standard ACL, and filter traffic from a specific Internet host with an address 172.20.128.64.
• Create an extended ACL, and filter traffic to deny HTTP access to all Internet hosts but allow all other types of access.
Numbered ACL Examples
This example shows that the switch accepts addresses on network 36.0.0.0 subnets and denies all packets coming from 56.0.0.0 subnets. The ACL is then applied to packets entering Gigabit Ethernet interface 0/1.
Switch(config)# access-list 2 permit 36.0.0.0 0.255.255.255
Switch(config)# access-list 2 deny 56.0.0.0 0.255.255.
In this example of a numbered ACL, the Winter and Smith workstations are not allowed to browse the web:
Switch(config)# access-list 100 remark Do not allow Winter to browse the web
Switch(config)# access-list 100 deny host 171.69.3.85 any eq www
Switch(config)# access-list 100 remark Do not allow Smith to browse the web
Switch(config)# access-list 100 deny host 171.69.3.
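The sequential first-match evaluation, wildcard masks, implicit deny and fragment handling that this chapter describes, as an added worked example that is not code from the Cisco guide. It models an IOS-style IP access list in Python: ACEs are tried in order, a 0 bit in the wildcard mask must match while a 1 bit is ignored, and a packet that matches nothing falls to the implicit deny. The standard list reuses the 36.0.0.0 / 56.0.0.0 example above; the extended list pairs the SMTP permit from the fragment discussion with a Telnet deny that I constructed. How a non-initial fragment is handled is stated here as an assumption about IOS behaviour (the page does not spell it out): a permit ACE with Layer 4 fields matches such a fragment on its Layer 3 fields alone, and a deny ACE with Layer 4 fields does not apply to it.

```python
import ipaddress
from dataclasses import dataclass, replace
from typing import Dict, List, Optional

HOST = "0.0.0.0"                          # wildcard used by the "host" keyword
ANY_ADDR, ANY_WILDCARD = "0.0.0.0", "255.255.255.255"   # the "any" keyword


def wildcard_match(addr: str, network: str, wildcard: str) -> bool:
    """IOS wildcard mask: a 0 bit must match exactly, a 1 bit is a don't-care."""
    a = int(ipaddress.IPv4Address(addr))
    n = int(ipaddress.IPv4Address(network))
    w = int(ipaddress.IPv4Address(wildcard))
    care = ~w & 0xFFFFFFFF
    return (a & care) == (n & care)


@dataclass
class Ace:
    action: str                        # "permit" or "deny"
    src: str
    src_wc: str
    dst: str = ANY_ADDR
    dst_wc: str = ANY_WILDCARD
    proto: str = "ip"                  # "ip" matches any IP protocol
    dst_port: Optional[int] = None     # Layer 4 "eq" destination port, if any


@dataclass
class Packet:
    src: str
    dst: str
    proto: str = "ip"
    dst_port: Optional[int] = None
    fragment: str = "none"             # "none", "first" or "noninitial"


def layer3_match(ace: Ace, pkt: Packet) -> bool:
    return (wildcard_match(pkt.src, ace.src, ace.src_wc)
            and wildcard_match(pkt.dst, ace.dst, ace.dst_wc)
            and ace.proto in ("ip", pkt.proto))


def evaluate(acl: List[Ace], pkt: Packet) -> str:
    """First matching ACE decides; an unmatched packet hits the implicit deny."""
    for ace in acl:
        if not layer3_match(ace, pkt):
            continue
        if ace.dst_port is None:            # Layer 3 only: decided here
            return ace.action
        if pkt.fragment == "noninitial":
            # Assumed IOS behaviour, not taken from the text: a non-initial fragment
            # carries no Layer 4 header, so a permit ACE with Layer 4 fields matches it
            # on Layer 3 alone, while a deny ACE with Layer 4 fields is skipped for it.
            if ace.action == "permit":
                return "permit"
            continue
        # Complete packet or first fragment: all Layer 4 information is present.
        if pkt.dst_port == ace.dst_port:
            return ace.action
    return "deny"                           # implicit deny at the end of every ACL


# Constructed lists. EXTENDED: the SMTP permit from the fragment discussion plus a
# constructed Telnet deny. STANDARD: the numbered ACL example (36.0.0.0 / 56.0.0.0).
EXTENDED = [
    Ace("permit", "10.2.2.2", HOST, "10.1.1.1", HOST, "tcp", 25),
    Ace("deny",   "10.2.2.2", HOST, "10.1.1.1", HOST, "tcp", 23),
]
STANDARD = [
    Ace("permit", "36.0.0.0", "0.255.255.255"),
    Ace("deny",   "56.0.0.0", "0.255.255.255"),
]


def decisions(acl: List[Ace], pkt: Packet) -> Dict[str, str]:
    """Evaluate one flow as a complete packet, a first fragment and a later fragment."""
    return {frag: evaluate(acl, replace(pkt, fragment=frag))
            for frag in ("none", "first", "noninitial")}


if __name__ == "__main__":
    print("SMTP  :", decisions(EXTENDED, Packet("10.2.2.2", "10.1.1.1", "tcp", 25)))
    print("Telnet:", decisions(EXTENDED, Packet("10.2.2.2", "10.1.1.1", "tcp", 23)))
    for src in ("36.1.2.3", "56.9.9.9", "10.0.0.1"):
        print(src, "->", evaluate(STANDARD, Packet(src, "172.20.52.9")))
```

The Telnet row is the one worth studying: the complete packet and the first fragment are denied by the second ACE, but a non-initial fragment slips through on the first ACE's Layer 3 match, which is why fragment handling matters when a deny depends on port numbers.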
Chapter 27 Configuring QoS
This chapter describes how to configure quality of service (QoS) by using automatic-QoS (auto-QoS) commands or by using standard QoS commands. With QoS, you can give preferential treatment to certain types of traffic at the expense of others. Without QoS, the Catalyst 2950 or Catalyst 2955 switch offers best-effort service to each packet, regardless of the packet contents or size. It sends the packets without any assurance of reliability, delay bounds, or throughput.
Understanding QoS
You can also use these wizards to configure QoS only if your switch is running the EI:
• Priority data wizard—Lets you assign priority levels to data applications based on their TCP or UDP ports. It has a standard list of applications, and you select the ones that you want to prioritize, the priority levels, and the interfaces where the prioritization occurs. Refer to the priority data wizard online help for procedures about using this wizard.
• Prioritization bits in Layer 3 packets
Layer 3 IP packets can carry a Differentiated Services Code Point (DSCP) value. The supported DSCP values are 0, 8, 10, 16, 18, 24, 26, 32, 34, 40, 46, 48, and 56.
Figure 27-1 QoS Classification Layers in Frames and Packets (an encapsulated packet made up of a Layer 2 header, an IP header and data; Layer 2 802.
Basic QoS Model
Figure 27-2 shows the basic QoS model. Actions at the ingress interface include classifying traffic, policing, and marking:
Note: If you have the SI installed on your switch, only the queueing and scheduling features are available.
• Classifying distinguishes one kind of traffic from another. For more information, see the “Classification” section on page 27-5.
Classification
Note: This feature is available only if your switch is running the EI.
Classification is the process of distinguishing one kind of traffic from another by examining the fields in the packet. Classification occurs only on a physical interface basis. No support exists for classifying packets at the VLAN level. You specify which fields in the frame or packet you want to use to classify incoming traffic.
• Configuration of a deny action is not supported in QoS ACLs on the switch.
• System-defined masks are allowed in class maps with these restrictions:
– A combination of system-defined and user-defined masks cannot be used in the multiple class maps that are a part of a policy map.
– System-defined masks that are a part of a policy map must all use the same type of system mask.
A policy map also has these characteristics:
• A policy map can contain multiple class statements.
• A separate policy-map class can exist for each type of traffic received through an interface.
• A policy-map configuration state supersedes any actions due to an interface trust state. For configuration information, see the “Configuring a QoS Policy” section on page 27-23.
Mapping Tables
Note: This feature is available only if your switch is running the EI.
During classification, QoS uses a configurable CoS-to-DSCP map to derive an internal DSCP value from the received CoS value. This DSCP value represents the priority of the traffic. Before the traffic reaches the scheduling stage, QoS uses the configurable DSCP-to-CoS map to derive a CoS value from the internal DSCP value.
Configuring Auto-QoS
CoS configures each transmit port (the egress port) with a normal-priority transmit queue and a high-priority transmit queue, depending on the frame tag or the port information. Frames in the normal-priority queue are forwarded only after frames in the high-priority queue are forwarded. The switch (802.1P user priority) has four priority queues. The frames are forwarded to appropriate queues based on the priority-to-queue mapping that you defined.
You use auto-QoS commands to identify ports connected to Cisco IP Phones and to identify ports that receive trusted voice over IP (VoIP) traffic through an uplink.
• When you enter the auto qos voip trust interface configuration command, the ingress classification on the interface is set to trust the QoS label received in the packet, and the egress queues on the interface are reconfigured (see Table 27-3).
• When you enter the auto qos voip cisco-phone interface configuration command, the trusted boundary feature is enabled.
Effects of Auto-QoS on the Configuration
When auto-QoS is enabled, the auto qos voip interface configuration command and the generated configuration are added to the running configuration.
Configuration Guidelines
Before configuring auto-QoS, you should be aware of this information:
• In this release, auto-QoS configures the switch only for VoIP with Cisco IP Phones.
Displaying Auto-QoS Information
To display the QoS commands that are automatically generated when auto-QoS is enabled or disabled, enter the debug autoqos privileged EXEC command before enabling auto-QoS. For more information, see the “Using the debug autoqos Command” section on page 29-16. To disable auto-QoS on an interface, use the no auto qos voip interface configuration command.
Auto-QoS Configuration Example
Note: This example is applicable only if your switch is running the EI.
This section describes how you could implement auto-QoS in a network, as shown in Figure 27-3.
Beginning in privileged EXEC mode, follow these steps to configure the switch at the edge of the QoS domain to prioritize the VoIP traffic over all other traffic:
Step 1 (debug autoqos): Enable debugging for auto-QoS. When debugging is enabled, the switch displays the QoS configuration that is automatically generated when auto-QoS is enabled.
Step 2 (configure terminal): Enter global configuration mode.
Configuring Standard QoS
This section describes how to configure standard QoS on your switch:
Note: If your switch is running the SI, you can configure only the features described in the “Configuring Classification Using Port Trust States” and the “Configuring the Egress Queues” sections. You can also display the QoS information as described in the “Displaying Standard QoS Information” section.
Configuration Guidelines
Note: These guidelines are applicable only if your switch is running the EI.
Before beginning the QoS configuration, you should be aware of this information:
• You must disable the IEEE 802.3X flowcontrol on all ports before enabling QoS on the switch. To disable it, use the flowcontrol receive off and flowcontrol send off interface configuration commands.
Note: Both the SI and EI support this feature.
Configuring the Trust State on Ports within the QoS Domain
Packets entering a QoS domain are classified at the edge of the QoS domain. When the packets are classified at the edge, the switch port within the QoS domain can be configured to one of the trusted states because there is no need to classify the packets at every switch within the QoS domain. Figure 27-4 shows a sample network topology.
Beginning in privileged EXEC mode, follow these steps to configure the port to trust the classification of the traffic that it receives:
Step 1 (configure terminal): Enter global configuration mode.
Step 2 (interface interface-id): Enter interface configuration mode, and specify the interface to be trusted. Valid interfaces include physical interfaces.
Step 3 (mls qos trust [cos | dscp]): Configure the port trust state.
Configuring the CoS Value for an Interface
QoS assigns the CoS value specified with the mls qos cos interface configuration command to untagged frames received on trusted and untrusted ports.
Beginning in privileged EXEC mode, follow these steps to define the default CoS value of a port or to assign the default CoS to all incoming packets on the port:
Step 1 (configure terminal): Enter global configuration mode.
However, if a user bypasses the telephone and connects the PC directly to the switch, the CoS labels generated by the PC are trusted by the switch (because of the trusted CoS setting) and can allow misuse of high-priority queues. The trusted boundary feature solves this problem by using the CDP to detect the presence of a Cisco IP Phone (such as the Cisco IP Phone 7910, 7935, 7940, and 7960) on a switch port.
Table 27-5 lists the port configuration when an IP phone is present or absent.
Table 27-5 Port Configurations When Trusted Boundary is Enabled
Port Configuration / When a Cisco IP Phone is Present / When a Cisco IP Phone is Absent
The port trusts the CoS value of the incoming packet. / The packet CoS value is trusted. / The packet CoS value is assigned the default CoS value.
The port trusts the DSCP / The packet DSCP value is trusted.
To disable pass-through mode, use the no mls qos trust pass-through dscp interface configuration command. If you enter the mls qos cos override and the mls qos trust [cos | dscp] interface commands when pass-through mode is enabled, pass-through mode is disabled.
Classifying Traffic by Using ACLs
You can classify IP traffic by using IP standard or IP extended ACLs; you can classify Layer 2 traffic by using Layer 2 MAC ACLs.
Beginning in privileged EXEC mode, follow these steps to create an IP standard ACL for IP traffic:
Step 1 (configure terminal): Enter global configuration mode.
Beginning in privileged EXEC mode, follow these steps to create an IP extended ACL for IP traffic:
Step 1 (configure terminal): Enter global configuration mode.
Step 4 (show access-lists): Verify your entries.
Step 5 (copy running-config startup-config): (Optional) Save your entries in the configuration file.
For more information about creating IP extended ACLs, see the “Guidelines for Applying ACLs to Physical Interfaces” section on page 26-6. To delete an ACL, use the no access-list access-list-number global configuration command.
This example shows how to create a Layer 2 MAC ACL with a permit statement. The statement allows traffic from the host with MAC address 0001.0000.0001 to the host with MAC address 0002.0000.0001.
Switch(config)# mac access-list extended maclist1
Switch(config-ext-macl)# permit host 0001.0000.0001 host 0002.0000.
Step 4 (match {access-group acl-index | access-group name acl-name | ip dscp dscp-list}): Define the match criterion to classify traffic. By default, no match criterion is supported. Only one match criterion per class map is supported, and only one ACL per class map is supported. For access-group acl-index or access-group name acl-name, specify the number or name of the ACL created in Step 3.
Beginning in privileged EXEC mode, follow these steps to create a policy map:
Step 1 (configure terminal): Enter global configuration mode.
Step 2 (access-list access-list-number permit {source source-wildcard | host source | any}): Create an IP standard or extended ACL for IP traffic or a Layer 2 MAC ACL for non-IP traffic, repeating the command as many times as necessary.
Step 5 (set {ip dscp new-dscp}): Classify IP traffic by setting a new value in the packet. For ip dscp new-dscp, enter a new DSCP value to be assigned to the classified traffic. The supported DSCP values are 0, 8, 10, 16, 18, 24, 26, 32, 34, 40, 46, 48, and 56.
Step 6 (police rate-bps burst-byte [exceed-action {drop | dscp dscp-value}]): Define a policer for the classified traffic.
This example shows how to create a policy map and attach it to an ingress interface. In the configuration, the IP standard ACL permits traffic from network 10.1.0.0. For traffic matching this classification, the DSCP value in the incoming packet is trusted. If the matched traffic exceeds an average traffic rate of 5000000 bps and a normal burst size of 8192 bytes, its DSCP is marked down to a value of 10 and sent.
Switch(config)# access-list 1 permit 10.
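To show what the police command's rate, burst and exceed-action parameters mean for a stream of packets, here is an added Python model that is not code from the Cisco guide: a single token bucket whose tokens are bytes, refilled at rate-bps/8 bytes per second and capped at burst-byte. A packet that fits in the bucket conforms and keeps its DSCP; one that does not is either dropped or marked down, as the exceed action selects. This is a generic token-bucket model chosen for illustration; the guide does not document the switch's internal policing algorithm, so treat it as an approximation. The packet trace and the timings are constructed; the numbers (5000000 bps, 8192 bytes, markdown to DSCP 10) are the ones from the example above.

```python
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

Verdict = Tuple[str, Optional[int]]        # ("sent", dscp) or ("dropped", None)


@dataclass
class Policer:
    """Token bucket approximation of 'police rate-bps burst-byte exceed-action ...'."""
    rate_bps: int
    burst_bytes: int
    exceed_action: str                      # "drop" or "dscp"
    markdown_dscp: Optional[int] = None     # new DSCP when exceed_action is "dscp"
    tokens: float = field(init=False)
    last_time: float = field(init=False, default=0.0)

    def __post_init__(self) -> None:
        if self.exceed_action not in ("drop", "dscp"):
            raise ValueError("exceed-action must be drop or dscp")
        if self.exceed_action == "dscp" and self.markdown_dscp is None:
            raise ValueError("dscp exceed-action needs a markdown value")
        self.tokens = float(self.burst_bytes)   # the bucket starts full

    def police(self, now: float, size: int, dscp: int) -> Verdict:
        """Decide one packet of 'size' bytes arriving at time 'now' (seconds)."""
        elapsed = max(0.0, now - self.last_time)
        refill = elapsed * self.rate_bps / 8.0            # bytes earned since last packet
        self.tokens = min(float(self.burst_bytes), self.tokens + refill)
        self.last_time = now
        if size <= self.tokens:
            self.tokens -= size
            return ("sent", dscp)           # conforming: DSCP passes through unchanged
        if self.exceed_action == "drop":
            return ("dropped", None)
        return ("sent", self.markdown_dscp)  # exceeding: marked down and still sent


def run(policer: Policer, packets: List[Tuple[float, int, int]]) -> List[Verdict]:
    """Police a trace of (arrival_time_s, size_bytes, dscp) tuples in arrival order."""
    return [policer.police(t, size, dscp) for t, size, dscp in packets]


# Constructed trace: six 1500-byte packets marked DSCP 46 arrive together at t=0
# (9000 bytes, more than the 8192-byte burst), then one more 10 ms later.
TRACE = [(0.0, 1500, 46)] * 6 + [(0.010, 1500, 46)]

if __name__ == "__main__":
    for verdict in run(Policer(5000000, 8192, "dscp", 10), TRACE):
        print(verdict)
```

With the example's numbers the first five packets of the burst conform (7500 bytes), the sixth exceeds and leaves with DSCP 10, and 10 ms later the bucket has earned 6250 bytes, so the next packet conforms again. Switching the exceed action to drop discards the sixth packet instead.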
Configuring the CoS-to-DSCP Map
You use the CoS-to-DSCP map to map CoS values in incoming packets to a DSCP value that QoS uses internally to represent the priority of the traffic. Table 27-6 shows the default CoS-to-DSCP map.
Table 27-6 Default CoS-to-DSCP Map
CoS value:  0  1  2   3   4   5   6   7
DSCP value: 0  8  16  24  32  40  48  56
If these values are not appropriate for your network, you need to modify them.
Configuring the DSCP-to-CoS Map
You use the DSCP-to-CoS map to map DSCP values in incoming packets to a CoS value, which is used to select one of the four egress queues. The switch supports these DSCP values: 0, 8, 10, 16, 18, 24, 26, 32, 34, 40, 46, 48, and 56. Table 27-7 shows the default DSCP-to-CoS map.
Configuring the Egress Queues
Note: This feature is supported by both the SI and EI.
This section describes how to configure the egress queues:
• Configuring CoS Priority Queues, page 27-34
• Configuring WRR Priority, page 27-35
• Enabling the Expedite Queue and Configuring WRR Priority, page 27-35
For more information about the egress queues, see the “Egress CoS Queues” section on page 27-9.
Configuring WRR Priority
Beginning in privileged EXEC mode, follow these steps to configure the WRR priority:
Step 1 (configure terminal): Enter global configuration mode.
Step 2 (wrr-queue bandwidth weight1...weight4): Assign WRR weights to the four CoS queues. These are the ranges for the WRR values:
• For weight1, weight2, and weight3, the range is 1 to 255.
• For weight4, the range is 0 to 255.
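The effect of the four WRR weights on the transmit order, as an added simulation that is not code from the Cisco guide. Each round, queue i may send up to weight i frames before the scheduler moves on, which is how a low-weight queue still gets served and a high-weight queue gets the larger share. The weight ranges are the ones stated in Step 2; the reading of weight4 = 0 as "queue 4 is the expedite queue, always emptied before the others" is my assumption based on the section title listed above, since the excerpt does not define it. The queue backlog is constructed.

```python
from collections import deque
from typing import Deque, List, Sequence


def validate_weights(weights: Sequence[int]) -> None:
    """Ranges from wrr-queue bandwidth: 1 to 255 for weights 1-3, 0 to 255 for weight 4."""
    if len(weights) != 4:
        raise ValueError("exactly four weights are required")
    for w in weights[:3]:
        if not 1 <= w <= 255:
            raise ValueError("weight1, weight2 and weight3 must be 1 to 255")
    if not 0 <= weights[3] <= 255:
        raise ValueError("weight4 must be 0 to 255")


def wrr_schedule(queues: Sequence[Sequence[str]], weights: Sequence[int]) -> List[str]:
    """Drain four CoS queues in weighted round robin and return the transmit order.

    Each round, queue i sends up to weights[i] frames. A weight4 of 0 is taken to
    mean that queue 4 is the expedite queue: it is emptied first, outside the
    rotation (assumed semantics, see the lead-in)."""
    validate_weights(weights)
    if len(queues) != 4:
        raise ValueError("exactly four queues are required")
    pending: List[Deque[str]] = [deque(q) for q in queues]
    expedite = weights[3] == 0
    order: List[str] = []
    while any(pending):
        if expedite:
            while pending[3]:               # strict priority: served before anything else
                order.append(pending[3].popleft())
        for i in range(4):
            if i == 3 and expedite:
                continue
            for _ in range(weights[i]):     # this queue's share of the round
                if not pending[i]:
                    break
                order.append(pending[i].popleft())
    return order


# Constructed backlog: four frames waiting in queue 1 and two in each of queues 2 to 4.
BACKLOG = (["a1", "a2", "a3", "a4"], ["b1", "b2"], ["c1", "c2"], ["d1", "d2"])

if __name__ == "__main__":
    print(wrr_schedule(BACKLOG, (1, 2, 3, 4)))   # plain WRR: queue 4 gets the largest share
    print(wrr_schedule(BACKLOG, (1, 1, 1, 0)))   # queue 4 as expedite queue, drained first
```

In the plain WRR run every queue is visited in the first round, so queue 1's backlog drains one frame per round and takes four rounds; with weight4 = 0 both d frames go out before anything else.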
Displaying Standard QoS Information
To display standard QoS information, use one or more of the privileged EXEC commands in Table 27-8:
Table 27-8 Commands for Displaying QoS Information
Command / Purpose
show class-map [class-map-name] 1: Display QoS class maps, which define the match criteria to classify traffic.
Standard QoS Configuration Examples
Figure 27-5 QoS Configuration Example Network (a Cisco router to the Internet, a Catalyst 3550-12G switch with Gigabit Ethernet 0/1, 0/2 and 0/5, an existing wiring closet of Catalyst 2900 and 3500 XL switches, an intelligent wiring closet of Catalyst 2950 switches joined by trunk links, end stations and a video server at 172.20.10.
For the Catalyst 2900 and 3500 XL switches, CoS configures each transmit port (the egress port) with a normal-priority transmit queue and a high-priority transmit queue, depending on the frame tag or the port information. Frames in the normal-priority queue are forwarded only after frames in the high-priority queue are forwarded. Frames that have 802.
Step 18 (show class-map videoclass; show policy-map videopolicy; show mls qos maps [cos-dscp | dscp-cos]): Verify your entries.
Step 19 (copy running-config startup-config): (Optional) Save your entries in the configuration file.
Chapter 27 Configuring QoS Standard QoS Configuration Examples Catalyst 2950 and Catalyst 2955 Switch Software Configuration Guide 27-40 78-11380-07
Chapter 28 Configuring EtherChannels

This chapter describes how to configure EtherChannel on the Layer 2 interfaces of a Catalyst 2950 or Catalyst 2955 switch. EtherChannel provides fault-tolerant high-speed links between switches, routers, and servers. You can use it to increase the bandwidth between the wiring closets and the data center, and you can deploy it anywhere in the network where bottlenecks are likely to occur.
Understanding EtherChannels

Figure 28-1 Typical EtherChannel Configuration
[Figure: Catalyst 8500, 6000, 5500, or 4000 series switch; Gigabit EtherChannel; two Catalyst 3550-12T switches; 1000BASE-X links; Catalyst 2950G-24 switch; 10/100 switched links to workstations.]

Each EtherChannel can consist of up to eight compatibly configured Ethernet interfaces.
Figure 28-2 Relationship of Physical Ports, Logical Port Channels, and Channel Groups
[Figure: physical ports of a Catalyst 3550 (10/100/1000 ports and GBIC module slots) bound through channel groups to logical port-channel interfaces.]

When a port joins an EtherChannel, the physical interface for that port is shut down.
Table 28-1 EtherChannel Modes

active
    Places an interface into an active negotiating state, in which the interface starts negotiations with other interfaces by sending LACP packets.
auto
    Places an interface into a passive negotiating state, in which the interface responds to PAgP packets it receives but does not start PAgP packet negotiation. This setting minimizes the transmission of PAgP packets.
Exchanging LACP Packets

Both the active and passive LACP modes allow interfaces to negotiate with partner interfaces to determine if they can form an EtherChannel based on criteria such as interface speed and, for Layer 2 EtherChannels, trunking state and VLAN numbers. Interfaces can form an EtherChannel when they are in different LACP modes as long as the modes are compatible.
PAgP sends and receives PAgP PDUs only from interfaces that have PAgP enabled for the auto or desirable mode. LACP sends and receives LACP PDUs only from interfaces that have LACP enabled for the active or passive mode.

Understanding Load Balancing and Forwarding Methods

EtherChannel balances the traffic load across the links in a channel by randomly associating a newly learned MAC address with one of the links in the channel.
Figure 28-3 Load Distribution and Forwarding Methods
[Figure: a Catalyst 2950 or 3550 switch with source-based forwarding enabled, connected over an EtherChannel to a Cisco router with destination-based forwarding enabled.]

Configuring EtherChannels

These sections describe how to configure EtherChannel interfaces:
• Default EtherChannel Configuration, page 28-8
• EtherChannel Configuration Guidelines, page 28-8
• Configuring Layer 2 EtherChannels, page 28-9
• Co
Default EtherChannel Configuration

Table 28-2 shows the default EtherChannel configuration.

Table 28-2 Default EtherChannel Configuration

Channel groups: None assigned.
PAgP mode: No default.
PAgP learn method: Aggregate-port learning on all interfaces.
PAgP priority: 128 on all interfaces. (Changing this value has no effect.)
LACP learn method: Aggregate-port learning on all interfaces.
desirable mode. When configuring an interface for LACP, if the allowed range of VLANs is not the same, the interfaces do not form an EtherChannel even when LACP is set to the active or passive mode.
• Interfaces with different spanning-tree path costs can form an EtherChannel if they are otherwise compatibly configured.
Step 3  channel-group channel-group-number mode {{auto [non-silent] | desirable [non-silent] | on} | {active | passive}}
        Assign the interface to a channel group, and specify the PAgP or LACP mode.
        For channel-group-number, the range is 1 to 6. Each EtherChannel can have up to eight compatibly configured Ethernet interfaces.
        For mode, select one of these keywords:
        • active—Enables LACP only if an LACP device is detected.
To remove an interface from the EtherChannel group, use the no channel-group interface configuration command. If you delete the EtherChannel by using the no interface port-channel global configuration command without removing the physical interfaces, the physical interfaces are shut down. If you do not want the member physical interfaces to shut down, remove the physical interfaces before deleting the EtherChannel.
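The bundling rules from Table 28-1, the configuration guidelines, and the channel-group step above, modelled as an added Python example (not Cisco code; it does not talk to a switch). Assumed beyond the text: members must also match in speed and duplex, and the allowed-VLAN check is applied to every mode although the guide states it for LACP.

```python
"""Model of the EtherChannel bundling rules described in this chapter.
Added example, not Cisco code.  Assumptions beyond the guide's text:
members must match in speed and duplex, and the allowed-VLAN check is
applied to all modes (the guide states it for LACP).  Spanning-tree path
cost is deliberately not compared, because differing costs are allowed."""
from dataclasses import dataclass
from typing import FrozenSet, List

PAGP_MODES = frozenset({"auto", "desirable"})
LACP_MODES = frozenset({"active", "passive"})
ON_MODES = frozenset({"on"})
INITIATING_MODES = frozenset({"desirable", "active"})  # modes that send PDUs first
CHANNEL_GROUP_RANGE = range(1, 7)   # channel-group-number is 1 to 6
MAX_MEMBERS = 8                      # up to eight interfaces per EtherChannel


def can_form_channel(local_mode: str, partner_mode: str) -> bool:
    """True if two partner interfaces in these modes bundle.

    Both ends must run the same protocol (PAgP with PAgP, LACP with LACP)
    or both be 'on'.  For PAgP and LACP at least one end must initiate:
    auto/auto and passive/passive only ever respond, so no negotiation
    PDUs are exchanged and no channel forms.
    """
    for family in (PAGP_MODES, LACP_MODES, ON_MODES):
        if local_mode in family and partner_mode in family:
            if family is ON_MODES:
                return True
            return bool({local_mode, partner_mode} & INITIATING_MODES)
    return False  # mixed protocols (e.g. desirable vs active) or unknown keyword


@dataclass(frozen=True)
class Interface:
    """Constructed, hypothetical view of a Layer 2 interface."""
    name: str
    speed_mbps: int
    duplex: str
    trunk: bool
    allowed_vlans: FrozenSet[int]   # only meaningful when trunk is True
    stp_path_cost: int = 19


def channel_problems(group: int, mode: str, members: List[Interface]) -> List[str]:
    """Return the reasons 'channel-group <group> mode <mode>' on these
    interfaces would not yield a working EtherChannel (empty list = OK)."""
    problems: List[str] = []
    if group not in CHANNEL_GROUP_RANGE:
        problems.append(f"channel-group {group} is outside the range 1 to 6")
    if mode not in PAGP_MODES | LACP_MODES | ON_MODES:
        problems.append(f"unknown mode keyword {mode!r}")
    if not members:
        problems.append("no member interfaces")
        return problems
    if len(members) > MAX_MEMBERS:
        problems.append(f"{len(members)} members exceeds the maximum of {MAX_MEMBERS}")
    first = members[0]
    for m in members[1:]:
        if (m.speed_mbps, m.duplex) != (first.speed_mbps, first.duplex):
            problems.append(f"{m.name}: speed/duplex differs from {first.name}")
        if m.trunk != first.trunk:
            problems.append(f"{m.name}: trunking state differs from {first.name}")
        elif m.trunk and m.allowed_vlans != first.allowed_vlans:
            # A differing allowed-VLAN range prevents the bundle even in
            # active or passive mode.
            problems.append(f"{m.name}: allowed-VLAN list differs from {first.name}")
    return problems
```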
Step 4  show etherchannel load-balance
        Verify your entries.
Step 5  copy running-config startup-config
        (Optional) Save your entries in the configuration file.

To return EtherChannel load balancing to the default configuration, use the no port-channel load-balance global configuration command.
Step 5  show running-config
        or
        show lacp channel-group-number internal
        Verify your entries.
Step 6  copy running-config startup-config
        (Optional) Save your entries in the configuration file.

Configuring Hot Standby Ports

When enabled, LACP tries to configure the maximum number of LACP-compatible ports in a channel, up to a maximum of 16 ports. Only eight LACP links can be active at one time.
Beginning in privileged EXEC mode, follow these steps to configure the LACP system priority:

Step 1  configure terminal
        Enter global configuration mode.
Step 2  lacp system-priority priority-value
        Select the LACP system priority value.
        For priority-value, the range is 1 to 65535. By default, the priority value is 32768. The lower the value, the higher the system priority.
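How the system priority set here and the hot standby behaviour from the previous section fit together, as an added Python example (not Cisco code). Assumed from standard 802.3ad LACP rather than from the text: the end with the lower system ID (priority, then MAC address) chooses the active links, ranking ports by port priority and then port number.

```python
"""Added example (not Cisco code): which links of an oversubscribed LACP
channel become active and which wait in hot standby.  Assumption beyond
the guide: the partner with the lower system ID (priority, then MAC)
decides, ranking ports by port priority and then port number, as
standard 802.3ad LACP specifies."""
from typing import List, NamedTuple, Tuple

DEFAULT_SYSTEM_PRIORITY = 32768
DEFAULT_PORT_PRIORITY = 32768
MAX_ACTIVE_LINKS = 8     # only eight LACP links can be active at one time
MAX_CHANNEL_PORTS = 16   # LACP bundles up to 16 compatible ports


class LacpPort(NamedTuple):
    """Constructed, hypothetical port record."""
    name: str
    number: int                       # LACP port number (lower wins ties)
    priority: int = DEFAULT_PORT_PRIORITY


def system_id(priority: int, mac: str) -> Tuple[int, str]:
    """Build the LACP system ID.  Priority compares first, MAC second;
    the lower tuple wins, so 1 is the strongest priority and 65535 the
    weakest (the 'lower the value, the higher the priority' rule)."""
    if not 1 <= priority <= 65535:
        raise ValueError("lacp system-priority must be 1 to 65535")
    return (priority, mac.lower())


def deciding_system(local: Tuple[int, str], partner: Tuple[int, str]) -> str:
    """Return 'local' or 'partner' for the end whose port priorities
    decide which links become active."""
    return "local" if local <= partner else "partner"


def select_links(ports: List[LacpPort]) -> Tuple[List[str], List[str]]:
    """Split the ports seen by the deciding system into (active, standby).

    Ports are ranked by port priority, then by port number (lower wins on
    both); the first eight are active, the rest wait in hot standby and
    take over when an active link fails.
    """
    if len(ports) > MAX_CHANNEL_PORTS:
        raise ValueError(f"an LACP channel holds at most {MAX_CHANNEL_PORTS} ports")
    ranked = sorted(ports, key=lambda p: (p.priority, p.number))
    active = [p.name for p in ranked[:MAX_ACTIVE_LINKS]]
    standby = [p.name for p in ranked[MAX_ACTIVE_LINKS:]]
    return active, standby


def failover(active: List[str], standby: List[str], failed: str) -> Tuple[List[str], List[str]]:
    """Replace a failed active link with the best-ranked hot standby link."""
    if failed not in active:
        raise ValueError(f"{failed} is not an active link")
    remaining = [n for n in active if n != failed]
    if standby:
        remaining.append(standby[0])
        standby = standby[1:]
    return remaining, standby
```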
Displaying EtherChannel, PAgP, and LACP Status

You can use the privileged EXEC commands described in Table 28-3 to display EtherChannel, PAgP, and LACP status information:

Table 28-3 Commands for Displaying EtherChannel, PAgP, and LACP Status

show etherchannel [channel-group-number] {brief | detail | load-balance | port | port-channel | summ
    Displays EtherChannel information in a brief, detailed, and
Chapter 29 Troubleshooting

This chapter describes how to identify and resolve Catalyst 2950 and Catalyst 2955 software problems related to the IOS software. Depending on the nature of the problem, you can use the command-line interface (CLI) or the Cluster Management Suite (CMS) to identify and solve problems.
Recovering from Corrupted Software

Switch software can be corrupted during an upgrade, by downloading the wrong file to the switch, and by deleting the image file. In all of these cases, the switch does not pass the power-on self-test (POST), and there is no connectivity. This procedure uses the XMODEM protocol to recover from a corrupt or wrong image file.
Step 4  Press the Mode button, and at the same time, reconnect the power cord to the switch. You can release the Mode button a second or two after the LED above port 1X turns off. Several lines of information about the software appear, as do instructions:
The system has been interrupted prior to initializing the flash file system.
Press Return in response to the confirmation prompts. The configuration file is now reloaded, and you can use the following normal commands to change the password.
After the switch performs POST, the switch begins the autoboot process. The boot loader prompts the user for a break key character during the boot-up sequence, as shown in this example:
***** The system will autoboot in 15 seconds *****
Send a break key to prevent autobooting.
Step 4  When the boot loader prompts you, enter the break key.
Step 12  Rename the configuration file to its original name:
switch# rename flash:config.text.old flash:config.text
Step 13  Copy the configuration file into memory:
switch# copy flash:config.text system:running-config
Source filename [config.text]?
Destination filename [running-config]?
Press Return in response to the confirmation prompts. The configuration file is now reloaded, and you can use these normal commands to change the password.
You can prepare for a command switch failure by assigning an IP address to a member switch or another switch that is command-capable, making a note of the command-switch password, and cabling your cluster to have redundant connectivity between the member switches and the replacement command switch.
Step 10  Enter Y at the first prompt. The prompts in the setup program vary depending on the member switch you selected to be the command switch:
Continue with configuration dialog? [yes/no]: y
or
Configuring global parameters:
If this prompt does not appear, enter enable, and press Return. Enter setup, and press Return to start the setup program.
Step 11  Respond to the questions in the setup program.
Step 5  Use the setup program to configure the switch IP information. This program prompts you for IP address information and passwords. From privileged EXEC mode, enter setup, and press Return.
Switch# setup
--- System Configuration Dialog ---
Continue with configuration dialog? [yes/no]: y
At any point you may enter a question mark '?' for help.
Use ctrl-c to abort configuration dialog at any prompt.
Default settings are in square brackets '[]'.
Recovering from Lost Member Connectivity

Some configurations can prevent the command switch from maintaining contact with member switches.
After inserting a Cisco-approved GBIC module, use the errdisable recovery cause gbic-invalid global configuration command to verify the port status, and enter a time interval for recovering from the error-disabled state. After the elapsed interval, the switch brings the interface out of the error-disabled state and retries the operation. For more information about the errdisable recovery command, refer to the command reference for this release.
Note Though other protocol keywords are available with the ping command, they are not supported in this release.

This example shows how to ping an IP host:
Switch# ping 172.20.52.3
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echoes to 172.20.52.3, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/4 ms
Switch#

Table 29-1 describes the possible ping character output.
The switch can only identify the path from the source device to the destination device. It cannot identify the path that a packet takes from source host to the source device or from the destination device to the destination host.

Switches Supporting Layer 2 Traceroute

The Layer 2 traceroute feature is available on these switches:
• Catalyst 2950 and Catalyst 2955 switches running Release 12.
• The traceroute mac ip command output shows the Layer 2 path when the specified source and destination IP addresses belong to the same subnet. When you specify the IP addresses, the switch uses Address Resolution Protocol (ARP) to associate the IP addresses with the corresponding MAC addresses and the VLAN IDs.
  – If an ARP entry exists for the specified IP address, the switch uses the associated MAC address and identifies the physical path.
Enabling Debugging on a Specific Feature

All debug commands are entered in privileged EXEC mode, and most debug commands take no arguments. For example, beginning in privileged EXEC mode, enter this command to enable the debugging for EtherChannel:
Switch# debug etherchannel
The switch continues to generate output until you enter the no form of the command.
Note Be aware that the debugging destination you use affects system overhead. Logging messages to the console produces very high overhead, whereas logging messages to a virtual terminal produces less overhead. Logging messages to a syslog server produces even less, and logging to an internal buffer produces the least overhead of any method. For more information about system message logging, see Chapter 24, “Configuring System Message Logging.
Switch(config)# interface gigabitethernet0/1
Switch(config-if)# auto qos voip cisco-phone

Using the crashinfo File

This feature is available if your switch is running IOS Release 12.1(11)EA1 or later. The crashinfo file saves information that helps Cisco technical support representatives to debug problems that caused the IOS image to fail (crash).
Appendix A Supported MIBs

This appendix lists the management information bases (MIBs) supported for this release. It contains these sections:
• MIB List, page A-1
• Using FTP to Access the MIB Files, page A-3

MIB List

Note The Catalyst 2955 switch supports the ENTITY-MIB, CISCO-ENVMON-MIB, and CISCO-ENTITY-ALARM-MIB.
• CISCO-PROCESS-MIB
• CISCO-PRODUCTS-MIB
• CISCO-RTTMON-MIB (subsystems supported: sub_rtt_rmon and sub_rtt_rmonlib)
• CISCO-SMI
• CISCO-STACKMAKER-MIB
• CISCO-STP-EXTENSIONS-MIB
• CISCO-SYSLOG-MIB
• CISCO-TC
• CISCO-TCP-MIB
• CISCO-VLAN-MEMBERSHIP-MIB
• CISCO-VTP-MIB
• ENTITY-MIB
• IANAifType-MIB
• IF-MIB (RFC 1573)
• OLD-CISCO-CHASSIS-MIB
• OLD-CISCO-CPU-MIB
• OLD-CISCO-INTERFACES-MIB
• OLD-CISCO-IP-MIB
• OLD-CISCO-MEMORY-MIB
• O
Using FTP to Access the MIB Files

You can obtain each MIB file by using this procedure:
Step 1  Use FTP to access the server ftp.cisco.com.
Step 2  Log in with the username anonymous.
Step 3  Enter your e-mail username when prompted for the password.
Step 4  At the ftp> prompt, change directories to /pub/mibs/v1 or /pub/mibs/v2.
Step 5  Use the get MIB_filename command to obtain a copy of the MIB file.