Catalyst 2970 Switch Software Configuration Guide
Cisco IOS Release 12.1(19)EA1
October 2003

Corporate Headquarters: Cisco Systems, Inc., 170 West Tasman Drive, San Jose, CA 95134-1706, USA. http://www.cisco.
THE SPECIFICATIONS AND INFORMATION REGARDING THE PRODUCTS IN THIS MANUAL ARE SUBJECT TO CHANGE WITHOUT NOTICE. ALL STATEMENTS, INFORMATION, AND RECOMMENDATIONS IN THIS MANUAL ARE BELIEVED TO BE ACCURATE BUT ARE PRESENTED WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED. USERS MUST TAKE FULL RESPONSIBILITY FOR THEIR APPLICATION OF ANY PRODUCTS.
Catalyst 2970 Switch Software Configuration Guide, 78-15462-03
Preface

Audience
This guide is for the networking professional managing the Catalyst 2970 switch, hereafter referred to as the switch. Before using this guide, you should have experience working with the Cisco IOS software and be familiar with the concepts and terminology of Ethernet and local area networking.

Purpose
This guide provides the information that you need to configure features on your switch.
Conventions
This publication uses these conventions to convey instructions and information. Command descriptions use these conventions:
• Commands and keywords are in boldface text.
• Arguments for which you supply values are in italic.
• Square brackets ([ ]) mean optional elements.
• Braces ({ }) group required choices, and vertical bars ( | ) separate the alternative elements.
Related Publications
These documents provide complete information about the switch and are available from this Cisco.com site:
http://www.cisco.com/univercd/cc/td/doc/product/lan/cat2970/index.htm
You can order printed copies of documents with a DOC-xxxxxx= number from the Cisco.com sites and from the telephone numbers listed in the “Obtaining Documentation” section on page xxix.
• Release Notes for the Catalyst 2970 Switch (not orderable but available on Cisco.
Ordering Documentation
You can find instructions for ordering documentation at this URL:
http://www.cisco.com/univercd/cc/td/doc/es_inpck/pdi.htm
You can order Cisco documentation in these ways:
• Registered Cisco.com users (Cisco direct customers) can order Cisco product documentation from the Networking Products MarketPlace: http://www.cisco.com/en/US/partner/ordering/index.shtml
• Nonregistered Cisco.
Opening a TAC Case
The online TAC Case Open Tool (http://www.cisco.com/tac/caseopen) is the fastest way to open P3 and P4 cases (your network is minimally impaired or you require product information). After you describe your situation, the TAC Case Open Tool automatically recommends resources for an immediate solution. If your issue is not resolved using these recommendations, your case will be assigned to a Cisco TAC engineer.
• Packet magazine is the Cisco quarterly publication that provides the latest networking trends, technology breakthroughs, and Cisco products and solutions to help industry professionals get the most from their networking investment. Included are networking deployment and troubleshooting tips, configuration examples, customer case studies, tutorials and training, certification information, and links to numerous in-depth online resources.
Chapter 1 Overview
This chapter provides these topics about the Catalyst 2970 switch software:
• Features, page 1-1
• Default Settings After Initial Switch Configuration, page 1-8
• Network Configuration Examples, page 1-10
• Where to Go Next, page 1-15
In this document, IP refers to IP version 4 (IPv4).

Features
Some features noted in this chapter are available only on the cryptographic (that is, supports encryption) version of the switch software image.
The Catalyst 2970 switches have these features:
• Ease-of-Use and Ease-of-Deployment Features, page 1-2
• Performance Features, page 1-3
• Management Options, page 1-3
• Manageability Features, page 1-4 (includes a feature requiring the cryptographic [that is, supports encryption] version of the switch software image)
• Availability Features, page 1-4
• VLAN Features, page 1-5
• Security Features, page 1-5 (includes a feature requiring the cryptographic [that is,
– Automatic discovery of candidate switches and creation of clusters of up to 16 switches that can be managed through a single IP address.
– Extended discovery of cluster candidates that are not directly connected to the command switch.
Manageability Features
Note The encrypted Secure Shell (SSH) feature listed in this section is available only on the cryptographic (that is, supports encryption) version of the switch software image.
– Rapid PVST+ for balancing load across VLANs and providing rapid convergence of spanning-tree instances
– UplinkFast and BackboneFast for fast convergence after a spanning-tree topology change and for achieving load balancing between redundant uplinks, including Gigabit uplinks
• IEEE 802.1S Multiple Spanning Tree Protocol (MSTP) for grouping VLANs into a spanning-tree instance and for providing multiple forwarding paths for data traffic and load balancing and IEEE 802.
• Multilevel security for a choice of security level, notification, and resulting actions
• Static MAC addressing for ensuring security
• Protected port option for restricting the forwarding of traffic to designated ports on the same switch
• Port security option for limiting and identifying MAC addresses of the stations allowed to access the port
• Port security aging to set the aging time for secure addresses on a port
• BPDU guard for shutting down a Port Fast-co
– Trusted boundary for detecting the presence of a Cisco IP phone, trusting the CoS value received, and ensuring port security
• Policing
– Traffic-policing policies on the switch port for managing how much of the port bandwidth should be allocated to a specific traffic flow
– Aggregate policing for policing traffic flows in aggregate to restrict specific applications or traffic flows to metered, predefined rates
• Out-of-Profile
– Out-of-profile markdown for packets that
Default Settings After Initial Switch Configuration
The switch is designed for plug-and-play operation, requiring only that you assign basic IP information to the switch and connect it to the other devices in your network. If you have specific network needs, you can change the interface-specific and system-wide settings. If you do not configure the switch at all, the switch operates with the default settings listed in Table 1-1.
Table 1-1 Default Settings After Initial Switch Configuration (continued); columns: Feature, Default Setting, More information in...
Network Configuration Examples
This section provides network configuration concepts and includes examples of using the switch to create dedicated network segments and interconnecting the segments through Gigabit Ethernet connections.
Bandwidth alone is not the only consideration when designing your network. As your network traffic profiles evolve, consider providing network services that can support applications for voice and data integration, multimedia integration, application prioritization, and security. Table 1-3 describes some network demands and how you can meet those demands.
Figure 1-1 High-Performance Workgroup (Gigabit-to-the-Desktop); the figure shows Catalyst 3750 switches, Catalyst 2970 switches, a WAN, and a Cisco 2600 router.
• Server aggregation (Figure 1-2)—You can use the switches to interconnect groups of servers, centralizing physical security and administration of your network. For high-speed IP forwarding at the distribution layer, connect the switches in the access layer to multilayer switches with routing capability. The Gigabit interconnections minimize latency in the data flow.
Small to Medium-Sized Network Using Catalyst 2970 Switches
Figure 1-3 shows a configuration for a network of up to 500 employees. This network uses Catalyst 2970 switches with high-speed connections to two routers. For network reliability and load balancing, this network has HSRP enabled on the routers. This ensures connectivity to the Internet, WAN, and mission-critical network resources in case one of the routers fails.
Long-Distance, High-Bandwidth Transport Configuration
Figure 1-4 shows a configuration for transporting 8 Gigabits of data over a single fiber-optic cable. The Catalyst switches have Coarse Wave Division Multiplexer (CWDM) fiber-optic SFP modules installed. Depending on the CWDM SFP module, data is sent at wavelengths from 1470 nm to 1610 nm. The higher the wavelength, the farther the transmission can travel.
Chapter 2 Using the Command-Line Interface
This chapter describes the Cisco IOS command-line interface (CLI) and how to use it to configure your Catalyst 2970 switch.
Understanding Command Modes
Table 2-1 describes the main command modes, how to access each one, the prompt you see in that mode, and how to exit the mode. The examples in the table use the host name Switch.

Table 2-1 Command Mode Summary
Mode: User EXEC
Access Method: Begin a session with your switch.
Prompt: Switch>
Exit Method: Enter logout or quit.
About This Mode: Use this mode to change terminal settings and perform basic tests.
Table 2-1 Command Mode Summary (continued)
Mode: Interface configuration
Access Method: While in global configuration mode, enter the interface command (with a specific interface).
Prompt: Switch(config-if)#
Exit Method: To exit to global configuration mode, enter exit. To return to privileged EXEC mode, press Ctrl-Z or enter end.
About This Mode: Use this mode to configure parameters for the Ethernet interfaces.
Table 2-2 Help Summary (continued)
Command: command ?
Purpose: List the associated keywords for a command. For example: Switch> show ?
Command: command keyword ?
Purpose: List the associated arguments for a keyword.
Understanding CLI Error Messages
Table 2-3 lists some error messages that you might encounter while using the CLI to configure your switch.

Table 2-3 Common CLI Error Messages
Error Message: % Ambiguous command: "show con"
Meaning: You did not enter enough characters for your switch to recognize the command.
How to Get Help:
Beginning in line configuration mode, enter this command to configure the number of command lines the switch records for all sessions on a particular line:
    Switch(config-line)# history [size number-of-lines]
The range is from 0 to 256.

Recalling Commands
To recall commands from the history buffer, perform one of the actions listed in Table 2-4. These actions are optional.
Enabling and Disabling Editing Features
Although enhanced editing mode is automatically enabled, you can disable it, re-enable it, or configure a specific line to have enhanced editing. These procedures are optional.
Table 2-5 Editing Commands through Keystrokes (continued)
Capability: Capitalize or lowercase words or capitalize a set of letters.
Capability: Delete entries if you make a mistake or change your mind.
• Press Ctrl-D: Delete the character at the cursor.
• Press Ctrl-K: Delete all characters from the cursor to the end of the command line.
• Press Ctrl-U or Ctrl-X: Delete all characters from the cursor to the beginning of the command line.
• Press Ctrl-W.
In this example, the access-list global configuration command entry extends beyond one line. When the cursor first reaches the end of the line, the line is shifted ten spaces to the left and redisplayed. The dollar sign ($) shows that the line has been scrolled to the left. Each time the cursor reaches the end of the line, the line is again shifted ten spaces to the left.
Accessing the CLI
You can access the CLI through a console connection, through Telnet, or by using the browser.

Accessing the CLI through a Console Connection or through Telnet
Before you can access the CLI, you must connect a terminal or PC to the switch console port and power on the switch as described in the hardware installation guide that shipped with your switch.
Note Copies of the HTML pages that you display are saved in your browser memory cache until you exit the browser session. A password is not required to redisplay these pages, including the Cisco Systems Access page. You can access the CLI by clicking Web Console - HTML access to the command line interface from a cached copy of the Cisco Systems Access page.
Chapter 3 Getting Started with CMS
This chapter contains these sections that describe the Cluster Management Suite (CMS) on the Catalyst 2970 switch:
• “Understanding CMS” section on page 3-1
• “Configuring CMS” section on page 3-7
• “Displaying CMS” section on page 3-10
• “Where to Go Next” section on page 3-15
Refer to the appropriate switch documentation for descriptions of the browser-based management software used on other Catalyst switches.
Front Panel View
The Front Panel view displays the Front Panel image of a specific set of switches in a cluster. From this view, you can select multiple ports or multiple switches and configure them with the same settings. For more information, see the “Displaying CMS” section on page 3-10.
Table 3-1 Toolbar Buttons
Toolbar Option: Print. Task: Print a CMS window or help file.
Toolbar Option: Preferences (1). Task: Set CMS display properties, such as polling intervals, the views to open at CMS startup, and the color of administratively shutdown ports.
Toolbar Option: Save Configuration (2). Task: Save the configuration of the cluster or a switch to Flash memory.
Toolbar Option: Software Upgrade (2). Task: Upgrade the software for the cluster or a switch.
Figure 3-2 Feature Bar and Search Window (1: Feature bar; 2: Search window)
Note Only features supported by the devices in your cluster are displayed in the feature bar. You can search for features that are available for your cluster by clicking Search and entering a feature name, as shown in Figure 3-2.
Access modes affect the availability of features from CMS. Some CMS features are not available in read-only mode.
Online help includes these features:
• Feature-specific help that gives background information and concepts on the features
• Dialog-specific help that gives procedures for performing tasks
• An index of online help topics
• A glossary of terms used in the online help
You can send us feedback about the information provided in the online help. Click Feedback to display an online form.
Guide mode is not available if your switch access level is read-only. For more information about the read-only access mode, see the “Privilege Levels” section on page 3-6.

Expert Mode
Expert mode is for users who prefer to display all the parameter fields of a feature in a single CMS window. You can view information about the parameter fields by clicking the Help button.
Access to Older Switches in a Cluster
If your cluster has these member switches running earlier software releases and if you have read-only access to these member switches, some configuration windows for those switches display incomplete information:
• Catalyst 2900 XL or Catalyst 3500 XL member switches running Cisco IOS Release 12.0(5)WC2 or earlier
• Catalyst 2950 member switches running Cisco IOS Release 12.
Table 3-2 Minimum Hardware Configuration
OS: Windows NT 4.0 (1). Processor Speed: Pentium 300 MHz. DRAM: 128 MB. Number of Colors: 65,536. Resolution: 1024 x 768. Font Size: Small.
OS: Solaris 2.5.1 or higher. Processor Speed: SPARC 333 MHz. DRAM: 128 MB. Number of Colors: Most colors for applications. Resolution: —. Font Size: Small (3).
1. Service Pack 3 or higher is required.

Operating System and Browser Support
You can access the CMS interface by using the operating systems and browsers listed in Table 3-3.
Solaris
For Solaris, Java plug-in 1.4.1 is required to run CMS. You can download the Java plug-in and installation instructions from this URL:
http://www.cisco.com/pcgi-bin/tablebuild.pl/java
On Solaris platforms, follow the instructions in the README_FIRST.txt file to install the Java plug-in. You need to close and restart your browser after installing a Java plug-in.
Configuring an Authentication Method (Nondefault Configuration Only)
If you are not using the default method of authentication (the enable password), you need to configure the HTTP server interface with the method of authentication used on the switch. Beginning in privileged EXEC mode, follow these steps to configure the HTTP server interface:
Step 1: configure terminal. Purpose: Enter global configuration mode.
Figure 3-4 Switch Home Page
The Switch Home Page has these tabs:
• Express Setup—Opens the Express Setup page
Note You can use Express Setup to assign an IP address to an unconfigured switch. For more information, refer to the hardware installation guide.
Step 3 Click Cluster Management Suite to launch the CMS interface. The CMS Startup Report runs and verifies that your PC or workstation can correctly run CMS. If you are running an unsupported operating system, web browser, CMS plug-in or Java plug-in, or if the plug-in is not enabled, the CMS Startup Report page appears, as shown in Figure 3-5.
Front Panel View
When CMS is launched from a noncommand switch, the Front Panel view displays by default, and it shows only the front panel of that specific switch. When CMS is launched from a command switch, you can display the Front Panel view by clicking the Front Panel button on the toolbar, as shown in Figure 3-6.
Note Figure 3-7 shows a cluster with a Catalyst 3550 switch as the command switch. Refer to the release notes for a list of switches that can be members of a cluster with a Catalyst 2970 switch as the command switch.
Note On Catalyst 1900 and Catalyst 2820 switches, CMS is referred to as Device Manager (also referred to as Switch Manager). Device Manager is for configuring an individual switch.
Note Figure 3-8 shows multiple popup menus. Only one popup menu at a time appears in the CMS.
The Topology view shows how the devices within a switch cluster are connected and how the switch cluster is connected to other clusters and devices. From this view, you can add and remove cluster members.
Chapter 4 Assigning the Switch IP Address and Default Gateway
This chapter describes how to create the initial switch configuration (for example, assigning the switch IP address and default gateway information) for the Catalyst 2970 switch by using a variety of automatic and manual methods. It also describes how to modify the switch startup configuration.
Note For complete syntax and usage information for the commands used in this chapter, refer to the command reference for this release.
The boot loader provides access to the Flash file system before the operating system is loaded. Normally, the boot loader is used only to load, uncompress, and launch the operating system. After the boot loader gives the operating system control of the CPU, the boot loader is not active until the next system reset or power-on.
Use a DHCP server for centralized control and automatic assignment of IP information once the server is configured.

Note If you are using DHCP, do not respond to any of the questions in the setup program until the switch receives the dynamically assigned IP address and reads the configuration file.
The DHCP server, or the DHCP server feature running on your switch, can be on the same LAN or on a different LAN than the switch. If the DHCP server is running on a different LAN, you should configure a DHCP relay. A relay device forwards broadcast traffic between two directly connected LANs.
Configuring DHCP-Based Autoconfiguration

These sections describe how to configure DHCP-based autoconfiguration.
Configuring the TFTP Server

Based on the DHCP server configuration, the switch attempts to download one or more configuration files from the TFTP server.
For example, in Figure 4-2, configure the router interfaces as follows:

On interface 10.0.0.2:
router(config-if)# ip helper-address 20.0.0.2
router(config-if)# ip helper-address 20.0.0.3
router(config-if)# ip helper-address 20.0.0.4

On interface 20.0.0.1:
router(config-if)# ip helper-address 10.0.0.1

Figure 4-2 Relay Device Used in Autoconfiguration (switch as DHCP client, Cisco router as relay on 10.0.0.2)
The default configuration file contains the host-name-to-IP-address mappings for the switch. The switch fills its host table with the information in the file and obtains its host name from it. If the host name is not found in the file, the switch uses the host name in the DHCP reply. If no host name is specified in the DHCP reply, the switch uses the default name Switch as its host name.
Table 4-2 shows the configuration of the reserved leases on the DHCP server or the DHCP server feature running on your switch.

Table 4-2 DHCP Server Configuration

                                Switch-1        Switch-2        Switch-3        Switch-4
Binding key (hardware address)  00e0.9f1e.2001  00e0.9f1e.2002  00e0.9f1e.2003  00e0.9f1e.2004
IP address                      10.0.0.21       10.0.0.22       10.0.0.23       10.0.0.24
Subnet mask                     255.255.255.0   255.255.255.0   255.255.255.0   255.
• It reads the configuration file that corresponds to its host name; for example, it reads switch1-confg from the TFTP server.

Switches 2 through 4 retrieve their configuration files and IP addresses in the same way.
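As an added example (not code from this guide), here is a small Python model of the chain the sections above describe: the reserved lease is looked up by hardware address using the Table 4-2 bindings, the leased address is matched against the host table from the default configuration file, the DHCP reply host name is the fallback, and Switch is the last resort; the file requested from TFTP is then the host name plus -confg. The "ip host NAME ADDRESS" line format of the default configuration file and the sample file contents are assumptions.

```python
"""Model of DHCP-based autoconfiguration host-name selection (added example).

Precedence, as described in the guide:
  1. the host name whose address in the default configuration file matches
     the leased IP address,
  2. otherwise the host name carried in the DHCP reply,
  3. otherwise the default name Switch.
The switch then requests <host name>-confg from the TFTP server.
"""
from typing import Dict, Optional

# Reserved leases from Table 4-2 (hardware address -> IP address).
RESERVED_LEASES: Dict[str, str] = {
    "00e0.9f1e.2001": "10.0.0.21",
    "00e0.9f1e.2002": "10.0.0.22",
    "00e0.9f1e.2003": "10.0.0.23",
    "00e0.9f1e.2004": "10.0.0.24",
}

# Constructed sample default configuration file; the 'ip host NAME ADDRESS'
# line format is an assumption, not taken from the guide.
DEFAULT_CONFIG_FILE = """\
! constructed sample, network-confg style
ip host switch1 10.0.0.21
ip host switch2 10.0.0.22
ip host switch3 10.0.0.23
ip host switch4 10.0.0.24
"""


def parse_host_table(text: str) -> Dict[str, str]:
    """Return {ip_address: host_name} from 'ip host NAME ADDRESS' lines;
    comment lines (starting with '!') and anything else are ignored."""
    table: Dict[str, str] = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 4 and parts[0] == "ip" and parts[1] == "host":
            name, addr = parts[2], parts[3]
            table[addr] = name
    return table


def lease_for(hardware_address: str) -> Optional[str]:
    """Reserved-lease lookup: only a known hardware address gets an address."""
    return RESERVED_LEASES.get(hardware_address.lower())


def choose_host_name(leased_ip: Optional[str], host_table: Dict[str, str],
                     dhcp_reply_host_name: Optional[str]) -> str:
    """Apply the three-step precedence described in the guide."""
    if leased_ip is not None and leased_ip in host_table:
        return host_table[leased_ip]
    if dhcp_reply_host_name:
        return dhcp_reply_host_name
    return "Switch"


def config_file_name(host_name: str) -> str:
    """File the switch asks the TFTP server for, for example switch1-confg."""
    return f"{host_name}-confg"


def autoconfigure(hardware_address: str,
                  dhcp_reply_host_name: Optional[str] = None) -> Dict[str, Optional[str]]:
    """Run the whole chain for one switch and report each intermediate value."""
    leased_ip = lease_for(hardware_address)
    host_name = choose_host_name(leased_ip, parse_host_table(DEFAULT_CONFIG_FILE),
                                 dhcp_reply_host_name)
    return {"ip": leased_ip, "host_name": host_name,
            "config_file": config_file_name(host_name)}


if __name__ == "__main__":
    for mac in RESERVED_LEASES:
        print(mac, autoconfigure(mac))
    # Unknown hardware address: no reserved lease, so the DHCP reply name is used.
    print("unknown", autoconfigure("00e0.9f1e.ffff", dhcp_reply_host_name="lab-sw"))
```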
Checking and Saving the Running Configuration

You can check the configuration settings you entered or changes you made by entering this privileged EXEC command:

Switch# show running-config
Building configuration...

Current configuration: 1363 bytes
!
version 12.
Modifying the Startup Configuration

To store the configuration or changes you have made to your startup configuration in Flash memory, enter this privileged EXEC command:

Switch# copy running-config startup-config
Destination filename [startup-config]?
Building configuration...

This command saves the configuration settings that you made. If you fail to do this, your configuration will be lost the next time you reload the system.
Automatically Downloading a Configuration File

You can automatically download a configuration file to your switch by using the DHCP-based autoconfiguration feature. For more information, see the “Understanding DHCP-Based Autoconfiguration” section on page 4-3.

Specifying the Filename to Read and Write the System Configuration

By default, the Cisco IOS software uses the file config.
Step 4  show boot  Verify your entries.

The boot manual global configuration command changes the setting of the MANUAL_BOOT environment variable. The next time you reboot the system, the switch is in boot loader mode, shown by the switch: prompt. To boot the system, use the boot filesystem:/file-url boot loader command.
• For filesystem:, use flash: for the system board Flash device.
Controlling Environment Variables

With a normally operating switch, you enter the boot loader mode only through a switch console connection configured for 9600 bps. Unplug the switch power cord, and press the switch Mode button while reconnecting the power cord. You can release the Mode button a second or two after the LED above port 1 turns off. Then the boot loader switch: prompt appears.
Table 4-4 describes the function of the most common environment variables.

Table 4-4 Environment Variables

Variable  Boot Loader Command                                Cisco IOS Global Configuration Command
BOOT      set BOOT filesystem:/file-url ...                  boot system filesystem:/file-url
          A semicolon-separated list of executable files to  Specifies the Cisco IOS image to load during the next boot cycle.
Scheduling a Reload of the Software Image

You can schedule a reload of the software image to occur on the switch at a later time (for example, late at night or during the weekend when the switch is used less), or you can synchronize a reload network-wide (for example, to perform a software upgrade on all switches in the network).

Note A scheduled reload must take place within approximately 24 days.
This example shows how to reload the software on the switch at a future time:

Switch# reload at 02:00 jun 20
Reload scheduled for 02:00:00 UTC Thu Jun 20 1996 (in 344 hours and 53 minutes)
Proceed with reload? [confirm]

To cancel a previously scheduled reload, use the reload cancel privileged EXEC command.
Chapter 5 Clustering Switches

This chapter provides the concepts and procedures to create and manage Catalyst 2970 switch clusters.

Note This chapter focuses on Catalyst 2970 switch clusters. It also includes guidelines and limitations for clusters mixed with other cluster-capable Catalyst switches, but it does not provide complete descriptions of the cluster features for these other switches.
Understanding Switch Clusters

A switch cluster is a set of up to 16 connected, cluster-capable Catalyst switches that are managed as a single entity. The switches in the cluster use the switch clustering technology so that you can configure and troubleshoot a group of different Catalyst desktop switch platforms through a single IP address.
Cluster Command Switch Characteristics

A cluster command switch must meet these requirements:
• It is running Cisco IOS Release 12.1(11)AX or later.
• It has an IP address.
• It has Cisco Discovery Protocol (CDP) version 2 enabled (the default).
• It is not a command or cluster member switch of another cluster.
Planning a Switch Cluster

Candidate Switch and Cluster Member Switch Characteristics

Candidate switches are cluster-capable switches that have not yet been added to a cluster. Cluster member switches are switches that have actually been added to a switch cluster. Although not required, a candidate or cluster member switch can have its own IP address and password (for related considerations, see the “IP Addresses” section on page 5-13 and the “Passwords” section on page 5-14).
Automatic Discovery of Cluster Candidates and Members

The cluster command switch uses Cisco Discovery Protocol (CDP) to discover cluster member switches, candidate switches, neighboring switch clusters, and edge devices across multiple VLANs and in star or cascaded topologies.

Note Do not disable CDP on the cluster command switch, on cluster members, or on any cluster-capable switches that you might want a cluster command switch to discover.
Figure 5-1 Discovery Through CDP Hops (command switch, member switches 8 through 10, candidate switches 11 through 15, VLANs 16 and 62, edge of cluster)

Discovery Through Non-CDP-Capable and Noncluster-Capable Devices

If a cluster command switch is connected to a non-CDP-capable third-party hub (such as a non-Cisco hub), it can discover cluster-
Discovery Through Different VLANs

If the cluster command switch is a Catalyst 2970, Catalyst 3550, or Catalyst 3750 switch, the cluster can have cluster member switches in different VLANs. As cluster member switches, they must be connected through at least one VLAN in common with the cluster command switch. The cluster command switch in Figure 5-3 has ports assigned to VLANs 9, 16, and 62 and therefore discovers the switches in those VLANs.
Discovery Through Different Management VLANs

Catalyst 2970, Catalyst 3550, or Catalyst 3750 cluster command switches can discover and manage cluster member switches in different VLANs and different management VLANs. As cluster member switches, they must be connected through at least one VLAN in common with the cluster command switch. They do not need to be connected to the cluster command switch through their management VLAN.
Discovery of Newly Installed Switches

To join a cluster, the new, out-of-the-box switch must be connected to the cluster through one of its access ports. An access port (AP) carries the traffic of and belongs to only one VLAN. By default, the new switch and its access ports are assigned to VLAN 1. When the new switch joins a cluster, its default VLAN changes to the VLAN of the immediately upstream neighbor.
HSRP and Standby Cluster Command Switches

The switch uses Hot Standby Router Protocol (HSRP) so that you can configure a group of standby cluster command switches.
Virtual IP Addresses

You need to assign a unique virtual IP address and group number and name to the cluster standby group. This information must be configured on a specific VLAN or routed port on the active cluster command switch. The active cluster command switch receives traffic destined for the virtual IP address.
• Each standby-group member (Figure 5-6) must be connected to the cluster command switch through the same VLAN. Each standby-group member must also be redundantly connected to each other through at least one VLAN in common with the switch cluster. Catalyst 1900, Catalyst 2820, Catalyst 2900 XL, Catalyst 2950, and Catalyst 3500 XL cluster member switches must be connected to the cluster standby group through their management VLANs.
When the previously active cluster command switch resumes its active role, it receives a copy of the latest cluster configuration from the active cluster command switch, including members that were added while it was down. The active cluster command switch sends a copy of the cluster configuration to the cluster standby group.

IP Addresses

You must assign IP information to a cluster command switch.
Passwords

You do not need to assign passwords to an individual switch if it will be a cluster member. When a switch joins a cluster, it inherits the command-switch password and retains it when it leaves the cluster. If no command-switch password is configured, the cluster member switch inherits a null password. Cluster member switches only inherit the command-switch password.
Access Modes in CMS

If your cluster has these cluster member switches running earlier software releases and if you have read-only access to these cluster member switches, some configuration windows for those switches display incomplete information:
• Catalyst 2900 XL or Catalyst 3500 XL cluster member switches running Cisco IOS Release 12.0(5)WC2 or earlier
• Catalyst 2950 cluster member switches running Cisco IOS Release 12.
Creating a Switch Cluster

Note Refer to the release notes for the list of Catalyst switches eligible for switch clustering, including which ones can be cluster command switches and which ones can only be cluster member switches, and for the required software versions and browser and Java plug-in configurations.
From CMS, there are two ways to add switches to a cluster:
• Select Cluster > Add to Cluster, select a candidate switch from the list, click Add, and click OK. To add more than one candidate switch, press Ctrl, and make your choices, or press Shift, and choose the first and last switch in a range.
• Display the Topology view, right-click a candidate-switch icon, and select Add to Cluster (Figure 5-9).
Figure 5-9 Using the Topology View to Add Cluster Member Switches

A thin line means a connection to a candidate switch. Right-click a candidate switch to display the pop-up menu (Add To Cluster, Device Manager..., Properties...), and select Add to Cluster to add the switch to the cluster.
• CC—Cluster command switch

You must enter a virtual IP address for the cluster standby group. This address must be in the same subnet as the IP addresses of the switch. The group number must be unique within the IP subnet. It can be from 0 to 255, and the default is 0. The group name can have up to 31 characters. The Standby Command Configuration window uses the default values for the preempt and name commands that you have set by using the CLI.
Verifying a Switch Cluster

When you finish adding cluster members, follow these steps to verify the cluster:
Step 1  Enter the cluster command switch IP address in the browser Location field (Netscape Communicator) or Address field (Microsoft Internet Explorer) to access all switches in the cluster.
Step 2  Enter the command-switch password.
Using the CLI to Manage Switch Clusters

You can configure cluster member switches from the CLI by first logging into the cluster command switch. Enter the rcommand user EXEC command and the cluster member switch number to start a Telnet session (through a console or Telnet connection) and to access the cluster member switch CLI. The command mode changes, and the Cisco IOS commands operate as usual.
Using SNMP to Manage Switch Clusters

cluster member switch. The cluster command switch uses this community string to control the forwarding of gets, sets, and get-next messages between the SNMP management station and the cluster member switches.

Note When a cluster standby group is configured, the cluster command switch can change without your knowledge.
Chapter 6 Administering the Switch

This chapter describes how to perform one-time operations to administer the Catalyst 2970 switch.
Managing the System Time and Date

Understanding the System Clock

The heart of the time service is the system clock. This clock runs from the moment the system starts up and keeps track of the date and time.
Cisco’s implementation of NTP does not support stratum 1 service; it is not possible to connect to a radio or atomic clock. We recommend that the time service for your network be derived from the public NTP servers available on the IP Internet. Figure 6-1 shows a typical network example using NTP.
Configuring NTP

The switch does not have a hardware-supported clock and cannot function as an NTP master clock to which peers synchronize themselves when an external NTP source is not available. The switch also has no hardware support for a calendar. As a result, the ntp update-calendar and the ntp master global configuration commands are not available.
Configuring NTP Authentication

This procedure must be coordinated with the administrator of the NTP server; the information you configure in this procedure must be matched by the servers used by the switch to synchronize its time to the NTP server.
Configuring NTP Associations

An NTP association can be a peer association (this switch can either synchronize to the other device or allow the other device to synchronize to it), or it can be a server association (meaning that only this switch synchronizes to the other device, and not the other way around).
Configuring NTP Broadcast Service

The communications between devices running NTP (known as associations) are usually statically configured; each device is given the IP addresses of all devices with which it should form associations. Accurate timekeeping is possible by exchanging NTP messages between each pair of devices with an association. However, in a LAN environment, NTP can be configured to use IP broadcast messages instead.
Beginning in privileged EXEC mode, follow these steps to configure the switch to receive NTP broadcast packets from connected peers:
Step 1  configure terminal  Enter global configuration mode.
Step 2  interface interface-id  Specify the interface to receive NTP broadcast packets, and enter interface configuration mode.
Step 3  ntp broadcast client  Enable the interface to receive NTP broadcast packets.
Creating an Access Group and Assigning a Basic IP Access List

Beginning in privileged EXEC mode, follow these steps to control access to NTP services by using access lists:
Step 1  configure terminal  Enter global configuration mode.
Step 2  ntp access-group {query-only | serve-only | serve | peer} access-list-number  Create an access group, and apply a basic IP access list.
If the source IP address matches the access lists for more than one access type, the first type is granted. If no access groups are specified, all access types are granted to all devices. If any access groups are specified, only the specified access types are granted. To remove access control to the switch NTP services, use the no ntp access-group {query-only | serve-only | serve | peer} global configuration command.
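The three rules just stated decide what an NTP source is allowed to do; here, as an added Python example that is not code from this guide, a standard numbered access list and the ntp access-group lines are parsed from a constructed configuration and evaluated for a few source addresses. The scan order used (peer, serve, serve-only, query-only, least to most restrictive) is an assumption drawn from the full description of the ntp access-group command, not from the excerpt above.

```python
"""Model of how the switch resolves NTP access groups (added example).

Rules from the guide: with no access groups configured, every access type is
granted to every device; once any group is configured, only the configured
types are granted; when a source matches the access list of more than one
type, the first type is granted.  The scan order below is an assumption.
"""
import ipaddress
from typing import Dict, List, Optional, Tuple

ACCESS_TYPES = ("peer", "serve", "serve-only", "query-only")  # assumed scan order

# A standard numbered ACL: (action, network) entries in configured order.
Acl = List[Tuple[str, ipaddress.IPv4Network]]


def _acl_entry(action: str, words: List[str]) -> Tuple[str, ipaddress.IPv4Network]:
    """Parse the address part of a standard ACL entry: 'any', 'host A',
    'A WILDCARD' or a bare 'A'.  The Cisco wildcard mask is handed to
    ipaddress as a hostmask, so only contiguous wildcards are supported."""
    if words[0] == "any":
        net = ipaddress.ip_network("0.0.0.0/0")
    elif words[0] == "host":
        net = ipaddress.ip_network(f"{words[1]}/32")
    elif len(words) == 2:
        net = ipaddress.ip_network(f"{words[0]}/{words[1]}", strict=False)
    else:
        net = ipaddress.ip_network(f"{words[0]}/32")
    return action, net


def parse_config(text: str) -> Tuple[Dict[int, Acl], Dict[str, int]]:
    """Collect 'access-list N permit|deny ...' and 'ntp access-group TYPE N'."""
    acls: Dict[int, Acl] = {}
    groups: Dict[str, int] = {}
    for line in text.splitlines():
        w = line.split()
        if len(w) >= 4 and w[0] == "access-list":
            acls.setdefault(int(w[1]), []).append(_acl_entry(w[2], w[3:]))
        elif len(w) == 4 and w[:2] == ["ntp", "access-group"]:
            groups[w[2]] = int(w[3])
    return acls, groups


def acl_permits(acl: Acl, ip: ipaddress.IPv4Address) -> bool:
    """The first matching entry decides; no match is an implicit deny."""
    for action, net in acl:
        if ip in net:
            return action == "permit"
    return False


def ntp_access(groups: Dict[str, int], acls: Dict[int, Acl],
               source: str) -> Optional[str]:
    """Return the access type granted to `source`, 'all' when no groups are
    configured, or None when the source is refused every type."""
    if not groups:
        return "all"
    ip = ipaddress.ip_address(source)
    for kind in ACCESS_TYPES:
        if kind in groups and acl_permits(acls.get(groups[kind], []), ip):
            return kind
    return None


# Constructed sample configuration: the 10.0.0.0/24 subnet may only be served
# time, 10.0.0.7 is additionally a full peer, and 10.0.0.9 is shut out.
SAMPLE_CONFIG = """\
access-list 10 deny   10.0.0.9
access-list 10 permit 10.0.0.0 0.0.0.255
access-list 20 permit host 10.0.0.7
ntp access-group serve-only 10
ntp access-group peer 20
"""

if __name__ == "__main__":
    acls, groups = parse_config(SAMPLE_CONFIG)
    for src in ("10.0.0.7", "10.0.0.8", "10.0.0.9", "192.0.2.1"):
        print(src, ntp_access(groups, acls, src))
```

10.0.0.7 matches both lists, so it gets peer rather than serve-only because peer is scanned first; 10.0.0.9 hits the deny entry before the subnet permit and is refused.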
Beginning in privileged EXEC mode, follow these steps to configure a specific interface from which the IP source address is to be taken:
Step 1  configure terminal  Enter global configuration mode.
Step 2  ntp source type number  Specify the interface type and number from which the IP source address is taken. By default, the source address is determined by the outgoing interface.
Setting the System Clock

If you have an outside source on the network that provides time services, such as an NTP server, you do not need to manually set the system clock.

Beginning in privileged EXEC mode, follow these steps to set the system clock:
Step 1  clock set hh:mm:ss day month year  Manually set the system clock using one of these formats.
Configuring the Time Zone

Beginning in privileged EXEC mode, follow these steps to manually configure the time zone:
Step 1  configure terminal  Enter global configuration mode.
Step 2  clock timezone zone hours-offset [minutes-offset]  Set the time zone. The switch keeps internal time in universal time coordinated (UTC), so this command is used only for display purposes and when the time is manually set.
Configuring Summer Time (Daylight Saving Time)

Beginning in privileged EXEC mode, follow these steps to configure summer time (daylight saving time) in areas where it starts and ends on a particular day of the week each year:
Step 1  configure terminal  Enter global configuration mode.
Step 2  clock summer-time zone recurring  Configure summer time to start and end on the specified days every year.
Beginning in privileged EXEC mode, follow these steps if summer time in your area does not follow a recurring pattern (configure the exact date and time of the next summer time events):
Step 1  configure terminal  Enter global configuration mode.
Step 2  clock summer-time zone date [month date year hh:mm month date year hh:mm  Configure summer time to start on the first date and end on the second date.
Configuring a System Name and Prompt

You configure the system name on the switch to identify it. By default, the system name and prompt are Switch. If you have not configured a system prompt, the first 20 characters of the system name are used as the system prompt. A greater-than symbol [>] is appended.
Configuring a System Prompt

Beginning in privileged EXEC mode, follow these steps to manually configure a system prompt:
Step 1  configure terminal  Enter global configuration mode.
Step 2  prompt string  Configure the command-line prompt to override the setting from the hostname command.
Default DNS Configuration

Table 6-2 shows the default DNS configuration.

Table 6-2 Default DNS Configuration

Feature                  Default Setting
DNS enable state         Enabled.
DNS default domain name  None configured.
DNS servers              No name server addresses are configured.
If you use the switch IP address as its hostname, the IP address is used and no DNS query occurs. If you configure a hostname that contains no periods (.), a period followed by the default domain name is appended to the hostname before the DNS query is made to map the name to an IP address. The default domain name is the value set by the ip domain-name global configuration command. If there is a period (.
Creating a Banner

Configuring a Message-of-the-Day Login Banner

You can create a single or multiline message banner that appears on the screen when someone logs in to the switch.

Beginning in privileged EXEC mode, follow these steps to configure a MOTD login banner:
Step 1  configure terminal  Enter global configuration mode.
Step 2  banner motd c message c  Specify the message of the day.
Configuring a Login Banner

You can configure a login banner to be displayed on all connected terminals. This banner appears after the MOTD banner and before the login prompt.

Beginning in privileged EXEC mode, follow these steps to configure a login banner:
Step 1  configure terminal  Enter global configuration mode.
Step 2  banner login c message c  Specify the login message.
Managing the MAC Address Table

The MAC address table contains address information that the switch uses to forward traffic between ports. All MAC addresses in the address table are associated with one or more ports. The address table includes these types of addresses:
• Dynamic address: a source MAC address that the switch learns and then ages when it is not in use.
MAC Addresses and VLANs

All addresses are associated with a VLAN. An address can exist in more than one VLAN and have different destinations in each. Unicast addresses, for example, could forward to port 1 in VLAN 1 and port 9 in VLAN 5.

Note Multiport static addresses are not supported.

Each VLAN maintains its own logical address table.
Beginning in privileged EXEC mode, follow these steps to configure the dynamic address table aging time:
Step 1  configure terminal  Enter global configuration mode.
Step 2  mac address-table aging-time [0 | 10-1000000] [vlan vlan-id]  Set the length of time that a dynamic entry remains in the MAC address table after the entry is used or updated. The range is 10 to 1000000 seconds. The default is 300.
Beginning in privileged EXEC mode, follow these steps to configure the switch to send MAC address notification traps to an NMS host:
Step 1  configure terminal  Enter global configuration mode.
Step 2  snmp-server host host-addr {traps | informs} {version {1 | 2c | 3}} community-string notification-type  Specify the recipient of the trap message.
        • For host-addr, specify the name or address of the NMS.
Step 9  show mac address-table notification interface
        show running-config  Verify your entries.
Step 10  copy running-config startup-config  (Optional) Save your entries in the configuration file.

To disable the switch from sending MAC address notification traps, use the no snmp-server enable traps mac-notification global configuration command.
Beginning in privileged EXEC mode, follow these steps to add a static address:
Step 1  configure terminal  Enter global configuration mode.
Step 2  mac address-table static mac-addr vlan vlan-id interface interface-id  Add a static address to the MAC address table.
        • For mac-addr, specify the destination MAC unicast address to add to the address table.
For example, if you enter the mac address-table static mac-addr vlan vlan-id interface interface-id global configuration command followed by the mac address-table static mac-addr vlan vlan-id drop command, the switch drops packets with the specified MAC address as a source or destination.
Table 6-4 Commands for Displaying the MAC Address Table (continued)

Command                             Description
show mac address-table interface    Displays the MAC address table information for the specified interface.
show mac address-table multicast    Displays the Layer 2 multicast entries for all VLANs or the specified VLAN.
show mac address-table notification Displays the MAC notification parameters and history table.
Chapter 7 Configuring Switch-Based Authentication

This chapter describes how to configure switch-based authentication on the Catalyst 2970 switch.
Protecting Access to Privileged EXEC Commands

A simple way of providing terminal access control in your network is to use passwords and assign privilege levels. Password protection restricts access to a network or network device. Privilege levels define what commands users can enter after they have logged into a network device.
Setting or Changing a Static Enable Password

The enable password controls access to the privileged EXEC mode.

Beginning in privileged EXEC mode, follow these steps to set or change a static enable password:
Step 1  configure terminal  Enter global configuration mode.
Step 2  enable password password  Define a new password or change an existing password for access to privileged EXEC mode.
Protecting Enable and Enable Secret Passwords with Encryption

To provide an additional layer of security, particularly for passwords that cross the network or that are stored on a Trivial File Transfer Protocol (TFTP) server, you can use either the enable password or enable secret global configuration commands.
If both the enable and enable secret passwords are defined, users must enter the enable secret password. Use the level keyword to define a password for a specific privilege level. After you specify the level and set a password, give the password only to users who need to have access at this level. Use the privilege level global configuration command to specify commands accessible at various levels.
To re-enable password recovery, use the service password-recovery global configuration command.

Note Disabling password recovery will not work if you have set the switch to boot manually by using the boot manual global configuration command. This command produces the boot loader prompt (switch:) after the switch is power cycled.
Configuring Username and Password Pairs

You can configure username and password pairs, which are locally stored on the switch. These pairs are assigned to lines or interfaces and authenticate each user before that user can access the switch. If you have defined privilege levels, you can also assign a specific privilege level (with associated rights and privileges) to each username and password pair.
Configuring Multiple Privilege Levels

By default, the Cisco IOS software has two modes of password security: user EXEC and privileged EXEC. You can configure up to 16 hierarchical levels of commands for each mode. By configuring multiple passwords, you can allow different sets of users to have access to specified commands.
When you set a command to a privilege level, all commands whose syntax is a subset of that command are also set to that level. For example, if you set the show ip traffic command to level 15, the show commands and show ip commands are automatically set to privilege level 15 unless you set them individually to different levels.
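The subset rule above has a side effect worth seeing worked through: raising show ip traffic to level 15 also raises show and show ip, which fences off every other show command from lower-level users until those prefixes are lowered again individually. The following Python model is an added example, not Cisco's code; it assumes unset commands default to level 1 and that a user must meet the level of every keyword on the path to a command, neither of which the excerpt states.

```python
"""Model of IOS privilege levels and the subset rule (added example).

From the guide: levels run 0 to 15, and assigning a command to a level also
assigns every command whose syntax is a subset of it (its prefixes) to that
level unless those were set individually.  Assumptions not in the excerpt:
unset commands default to level 1, and a user must meet the level of every
keyword on the path to a command.
"""
from typing import Dict, Set

DEFAULT_LEVEL = 1
MAX_LEVEL = 15


class PrivilegeTable:
    def __init__(self) -> None:
        self.levels: Dict[str, int] = {}   # command or prefix -> level
        self.explicit: Set[str] = set()    # commands that were set individually

    def set_level(self, command: str, level: int) -> None:
        """privilege exec level <level> <command>, applying the subset rule."""
        if not 0 <= level <= MAX_LEVEL:
            raise ValueError("privilege level must be 0 to 15")
        words = command.split()
        full = " ".join(words)
        self.levels[full] = level
        self.explicit.add(full)
        for n in range(1, len(words)):            # every proper prefix
            prefix = " ".join(words[:n])
            if prefix not in self.explicit:       # individually set ones stay
                self.levels[prefix] = level

    def required_level(self, command: str) -> int:
        """Highest level along the keyword path, the command itself included."""
        words = command.split()
        return max(self.levels.get(" ".join(words[:n]), DEFAULT_LEVEL)
                   for n in range(1, len(words) + 1))

    def allowed(self, user_level: int, command: str) -> bool:
        return user_level >= self.required_level(command)


class Session:
    """The level a user is logged in at, moved by enable level / disable level.
    Password checking is left out of this model."""

    def __init__(self, table: PrivilegeTable, level: int = DEFAULT_LEVEL) -> None:
        self.table, self.level = table, level

    def enable(self, level: int = MAX_LEVEL) -> None:
        if not 0 <= level <= MAX_LEVEL:
            raise ValueError("privilege level must be 0 to 15")
        self.level = level

    def disable(self, level: int = DEFAULT_LEVEL) -> None:
        if not 0 <= level <= self.level:
            raise ValueError("disable only lowers the current level")
        self.level = level

    def run(self, command: str) -> bool:
        return self.table.allowed(self.level, command)


def demo() -> Dict[str, Dict[str, int]]:
    """The guide's example, before and after restoring the prefixes."""
    probe = ("show", "show ip", "show ip traffic", "show version")
    t = PrivilegeTable()
    t.set_level("show ip traffic", 15)
    before = {c: t.required_level(c) for c in probe}
    t.set_level("show ip", 1)       # subset rule lowers 'show' as well
    after = {c: t.required_level(c) for c in probe}
    return {"before": before, "after": after}


if __name__ == "__main__":
    for stage, levels in demo().items():
        print(stage, levels)
```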
Controlling Switch Access with TACACS+

Logging into and Exiting a Privilege Level

Beginning in privileged EXEC mode, follow these steps to log in to a specified privilege level and to exit to a specified privilege level:

Step 1 enable level
    Log in to a specified privilege level. For level, the range is 0 to 15.
Step 2 disable level
    Exit to a specified privilege level. For level, the range is 0 to 15.

Figure 7-1 Typical TACACS+ Network Configuration
[Figure: UNIX workstation (TACACS+ server 1, 171.20.10.7), UNIX workstation (TACACS+ server 2, 171.20.10.8), a Catalyst 6500 series switch, and Catalyst 2970 switches]

Configure the switches with the TACACS+ server addresses. Set an authentication key (also configure the same key on the TACACS+ servers). Enable AAA. Create a login authentication method list.

The TACACS+ protocol provides authentication between the switch and the TACACS+ daemon, and it ensures confidentiality because all protocol exchanges between the switch and the TACACS+ daemon are encrypted. You need a system running the TACACS+ daemon software to use TACACS+ on your switch.

Configuring TACACS+

This section describes how to configure your switch to support TACACS+. At a minimum, you must identify the host or hosts maintaining the TACACS+ daemon and define the method lists for TACACS+ authentication. You can optionally define method lists for TACACS+ authorization and accounting.

Beginning in privileged EXEC mode, follow these steps to identify the IP host or hosts maintaining a TACACS+ server and optionally set the encryption key:

Step 1 configure terminal
    Enter global configuration mode.
Step 2 tacacs-server host hostname [port
    Identify the IP host or hosts maintaining a TACACS+ server. Enter this command multiple times to create a list of preferred hosts.

A method list describes the sequence and authentication methods to be queried to authenticate a user. You can designate one or more security protocols to be used for authentication, thus ensuring a backup system for authentication in case the initial method fails.
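The backup behaviour of a method list is worth seeing precisely, because it decides whether a down server or a wrong password reaches the next method. The following model is an added example, not Cisco code or the guide's own material; it assumes the standard IOS semantic that the next method is consulted only when the current one cannot answer (ERROR), never when it rejects the credentials (FAIL), and uses constructed credential stores.

```python
"""Model of an AAA login method list such as
aaa authentication login default group tacacs+ local (constructed example,
not Cisco code). Methods are tried in order; ERROR (no answer, e.g. the
TACACS+ daemon is unreachable) falls through to the next method, while FAIL
(credentials rejected) ends the list. A down server therefore falls back to
the local database, a wrong password does not."""
from enum import Enum, auto
from typing import Callable, Dict, List, Optional, Tuple


class Result(Enum):
    PASS = auto()   # authenticated
    FAIL = auto()   # method answered and rejected the credentials
    ERROR = auto()  # method could not answer; try the next one


Method = Callable[[str, str], Result]


def authenticate(methods: List[Tuple[str, Method]], username: str,
                 password: str) -> Tuple[Result, Optional[str]]:
    """Walk the method list; return the decision and the method that made it.
    If every method errors, the outcome is ERROR and the login is denied."""
    for name, method in methods:
        outcome = method(username, password)
        if outcome is Result.ERROR:
            continue              # fall through to the backup method
        return outcome, name
    return Result.ERROR, None


# Constructed credential stores for the example (not real accounts).
TACACS_USERS: Dict[str, str] = {"netops": "correct horse"}
LOCAL_USERS: Dict[str, str] = {"admin": "battery staple"}


def make_tacacs(reachable: bool) -> Method:
    """A TACACS+ daemon that either answers or is unreachable."""
    def method(username: str, password: str) -> Result:
        if not reachable:
            return Result.ERROR
        return Result.PASS if TACACS_USERS.get(username) == password else Result.FAIL
    return method


def local(username: str, password: str) -> Result:
    """The switch's locally stored username and password pairs."""
    return Result.PASS if LOCAL_USERS.get(username) == password else Result.FAIL


def login_list(tacacs_up: bool) -> List[Tuple[str, Method]]:
    """Equivalent of: aaa authentication login default group tacacs+ local."""
    return [("group tacacs+", make_tacacs(tacacs_up)), ("local", local)]


if __name__ == "__main__":
    # Server down: the local pair is consulted and succeeds.
    print(authenticate(login_list(False), "admin", "battery staple"))  # (PASS, 'group tacacs+'?) no: (PASS, 'local')
    # Server up but it does not know "admin": FAIL, local is never consulted.
    print(authenticate(login_list(True), "admin", "battery staple"))   # (FAIL, 'group tacacs+')
```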
Step 5 login authentication {default | list-name}
    Apply the authentication list to a line or set of lines.
    • If you specify default, use the default list created with the aaa authentication login command.
    • For list-name, specify the list created with the aaa authentication login command.
Step 6 end
    Return to privileged EXEC mode.
Step 7 show running-config
    Verify your entries.

Step 5 show running-config
    Verify your entries.
Step 6 copy running-config startup-config
    (Optional) Save your entries in the configuration file.

To disable authorization, use the no aaa authorization {network | exec} method1 global configuration command.
Controlling Switch Access with RADIUS

This section describes how to enable and configure the Remote Authentication Dial-In User Service (RADIUS), which provides detailed accounting information and flexible administrative control over authentication and authorization processes. RADIUS is facilitated through AAA and can be enabled only through AAA commands.

• Multiprotocol access environments. RADIUS does not support AppleTalk Remote Access (ARA), NetBIOS Frame Control Protocol (NBFCP), NetWare Asynchronous Services Interface (NASI), or X.25 PAD connections.
• Switch-to-switch or router-to-router situations. RADIUS does not provide two-way authentication.

Configuring RADIUS

This section describes how to configure your switch to support RADIUS. At a minimum, you must identify the host or hosts that run the RADIUS server software and define the method lists for RADIUS authentication. You can optionally define method lists for RADIUS authorization and accounting.

Identifying the RADIUS Server Host

Switch-to-RADIUS-server communication involves several components:
• Host name or IP address
• Authentication destination port
• Accounting destination port
• Key string
• Timeout period
• Retransmission value

You identify RADIUS security servers by their host name or IP address, host name and specific UDP port numbers, or their IP address and specific UDP port numbers.

Beginning in privileged EXEC mode, follow these steps to configure per-server RADIUS server communication. This procedure is required.

Step 1 configure terminal
    Enter global configuration mode.

To remove the specified RADIUS server, use the no radius-server host hostname | ip-address global configuration command.

This example shows how to configure one RADIUS server to be used for authentication and another to be used for accounting:

Switch(config)# radius-server host 172.29.36.49 auth-port 1612 key rad1
Switch(config)# radius-server host 172.20.36.

Beginning in privileged EXEC mode, follow these steps to configure login authentication. This procedure is required.

Step 1 configure terminal
    Enter global configuration mode.
Step 2 aaa new-model
    Enable AAA.
Step 3 aaa authentication login {default | list-name} method1 [method2...]
    Create a login authentication method list.

Step 5 login authentication {default | list-name}
    Apply the authentication list to a line or set of lines.
    • If you specify default, use the default list created with the aaa authentication login command.
    • For list-name, specify the list created with the aaa authentication login command.
Step 6 end
    Return to privileged EXEC mode.
Step 7 show running-config
    Verify your entries.

Beginning in privileged EXEC mode, follow these steps to define the AAA server group and associate a particular RADIUS server with it:

Step 1 configure terminal
    Enter global configuration mode.

Step 8 copy running-config startup-config
    (Optional) Save your entries in the configuration file.
Step 9
    Enable RADIUS login authentication. See the “Configuring RADIUS Login Authentication” section on page 7-23.

To remove the specified RADIUS server, use the no radius-server host hostname | ip-address global configuration command.

Beginning in privileged EXEC mode, follow these steps to specify RADIUS authorization for privileged EXEC access and network services:

Step 1 configure terminal
    Enter global configuration mode.
Step 2 aaa authorization network radius
    Configure the switch for user RADIUS authorization for all network-related service requests.

Configuring Settings for All RADIUS Servers

Beginning in privileged EXEC mode, follow these steps to configure global communication settings between the switch and all RADIUS servers:

Step 1 configure terminal
    Enter global configuration mode.
Step 2 radius-server key string
    Specify the shared secret text string used between the switch and all RADIUS servers.

For example, this AV pair activates Cisco’s multiple named ip address pools feature during IP authorization (during PPP IPCP address assignment):

cisco-avpair= "ip:addr-pool=first"

This example shows how to provide a user logging in from a switch with immediate access to privileged EXEC commands:

cisco-avpair= "shell:priv-lvl=15"

This example shows how to specify an authorized VLAN in the RADIUS server database: cis
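Because a single shell:priv-lvl=15 pair hands a user privileged EXEC at login, it pays to parse and review the AV pairs held on the RADIUS server. The parser below is an added example, not Cisco code or the guide's own material; it assumes the protocol:attribute=value layout shown above, with "*" in place of "=" marking a pair optional rather than mandatory (the IOS convention), and uses constructed database lines.

```python
"""Parser and audit for cisco-avpair values (constructed example, not Cisco
code). Format assumed: protocol:attribute=value, as written on the server as
cisco-avpair= "protocol:attribute=value"; a "*" separator instead of "="
marks the pair optional rather than mandatory."""
import re
from dataclasses import dataclass
from typing import Iterable, List, Tuple

_PREFIX = re.compile(r'^\s*cisco-avpair\s*=\s*', re.IGNORECASE)
_PAIR = re.compile(r'^(?P<proto>[A-Za-z0-9]+):(?P<attr>[A-Za-z0-9_.-]+)'
                   r'(?P<sep>[=*])(?P<value>.*)$')


@dataclass(frozen=True)
class AVPair:
    protocol: str    # "shell", "ip", ...
    attribute: str   # "priv-lvl", "addr-pool", ...
    value: str
    mandatory: bool  # "=" is mandatory, "*" is optional


def parse_avpair(raw: str) -> AVPair:
    """Parse one AV pair as it appears on a server database line."""
    body = _PREFIX.sub("", raw).strip().strip('"')
    m = _PAIR.match(body)
    if m is None:
        raise ValueError(f"not a cisco-avpair: {raw!r}")
    return AVPair(m["proto"].lower(), m["attr"], m["value"], m["sep"] == "=")


def audit_priv_levels(pairs: Iterable[AVPair],
                      max_allowed: int = 1) -> List[Tuple[AVPair, str]]:
    """Flag shell:priv-lvl pairs that put a user above max_allowed at login,
    or whose value is not a level in the 0 to 15 range."""
    findings: List[Tuple[AVPair, str]] = []
    for p in pairs:
        if p.protocol != "shell" or p.attribute != "priv-lvl":
            continue
        if not p.value.isdigit():
            findings.append((p, "non-numeric level"))
        elif not 0 <= int(p.value) <= 15:
            findings.append((p, "level outside 0 to 15"))
        elif int(p.value) > max_allowed:
            findings.append((p, f"grants privilege level {p.value} at login"))
    return findings


# Constructed server database lines, reusing the page's two examples.
SAMPLE_LINES = [
    'cisco-avpair= "ip:addr-pool=first"',
    'cisco-avpair= "shell:priv-lvl=15"',
]

if __name__ == "__main__":
    for pair, reason in audit_priv_levels(parse_avpair(line) for line in SAMPLE_LINES):
        print(pair.protocol, pair.attribute, pair.value, "->", reason)
```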
Configuring the Switch for Vendor-Proprietary RADIUS Server Communication

Although an IETF draft standard for RADIUS specifies a method for communicating vendor-proprietary information between the switch and the RADIUS server, some vendors have extended the RADIUS attribute set in a unique way. Cisco IOS software supports a subset of vendor-proprietary RADIUS attributes.
Controlling Switch Access with Kerberos

This section describes how to enable and configure the Kerberos security system, which authenticates requests for network resources by using a trusted third party. To use this feature, the cryptographic (that is, supports encryption) version of the switch software must be installed on your switch.

This software release supports Kerberos 5, which allows organizations that are already using Kerberos 5 to use the same Kerberos authentication database on the KDC that they are already using on their other network hosts (such as UNIX servers and PCs).

Table 7-2 Kerberos Terms (continued)
KEYTAB (3)
    A password that a network service shares with the KDC. In Kerberos 5 and later Kerberos versions, the network service authenticates an encrypted service credential by using the KEYTAB to decrypt it. In Kerberos versions earlier than Kerberos 5, KEYTAB is referred to as SRVTAB (4).
Principal

Authenticating to a Boundary Switch

This section describes the first layer of security through which a remote user must pass. The user must first authenticate to the boundary switch. This process then occurs:
1. The user opens an un-Kerberized Telnet connection to the boundary switch.
2. The switch prompts the user for a username and password.
3. The switch requests a TGT from the KDC for this user.
4.

Configuring Kerberos

So that remote users can authenticate to network services, you must configure the hosts and the KDC in the Kerberos realm to communicate and mutually authenticate users and network services. To do this, you must identify them to each other.

Configuring the Switch for Local Authentication and Authorization

Step 6 username name [privilege level] {password encryption-type password}
    Enter the local database, and establish a username-based authentication system. Repeat this command for each user.
    • For name, specify the user ID as one word. Spaces and quotation marks are not allowed.
    • (Optional) For level, specify the privilege level the user has after gaining access. The range is 0 to 15.

Configuring the Switch for Secure Shell

Understanding SSH

SSH is a protocol that provides a secure, remote connection to a device. SSH provides more security for remote connections than Telnet does by providing strong encryption when a device is authenticated. This software release supports SSH version 1 (SSHv1) and SSH version 2 (SSHv2).

• The SSH server and the SSH client are supported only on DES (56-bit) and 3DES (168-bit) data encryption software.
• The switch does not support the Advanced Encryption Standard (AES) symmetric encryption algorithm.

Step 1 configure terminal
    Enter global configuration mode.
Step 2 hostname hostname
    Configure a host name for your switch.
Step 3 ip domain-name domain_name
    Configure a host domain for your switch.
Step 4 crypto key generate rsa
    Enable the SSH server for local and remote authentication on the switch and generate an RSA key pair. We recommend a minimum modulus size of 1024 bits.

Step 3 ip ssh {timeout seconds | authentication-retries number}
    Configure the SSH control parameters:
    • Specify the time-out value in seconds; the default is 120 seconds. The range is 0 to 120 seconds. This parameter applies to the SSH negotiation phase. After the connection is established, the switch uses the default time-out values of the CLI-based sessions.
Chapter 8 Configuring 802.1X Port-Based Authentication

This chapter describes how to configure IEEE 802.1X port-based authentication on the Catalyst 2970 switch. As LANs extend to hotels, airports, and corporate lobbies, creating insecure environments, 802.1X prevents unauthorized devices (clients) from gaining access to the network.

Note For complete syntax and usage information for the commands used in this chapter, refer to the command reference for this release.

Understanding 802.1X Port-Based Authentication

• Using 802.1X with Per-User ACLs, page 8-9

Device Roles

With 802.1X port-based authentication, the devices in the network have specific roles as shown in Figure 8-1.
Figure 8-1 802.

The devices that can act as intermediaries include the Catalyst 3750, Catalyst 3550, Catalyst 2970, Catalyst 2955, Catalyst 2950, Catalyst 2940 switches, or a wireless access point. These devices must be running software that supports the RADIUS client and 802.1X.

Authentication Initiation and Message Exchange

The switch or the client can initiate authentication.

received. The switch requests the identity of the client and begins relaying authentication messages between the client and the authentication server. Each client attempting to access the network is uniquely identified by the switch by using the client MAC address.

Using 802.1X with Port Security

You can configure 802.1X port and port security in either single-host or multiple-hosts mode. (You also must configure port security on the port by using the switchport port-security interface configuration command.) When you enable port security and 802.1X on a port, 802.

Before Cisco IOS Release 12.1(14)EA1, a switch in single-host mode accepted traffic from a single host, and voice traffic was not allowed. In multiple-hosts mode, the switch did not accept voice traffic until the client was authenticated on the primary VLAN, thus making the IP phone inoperable until the user logged in. With Cisco IOS Release 12.

When the port is in the force authorized, force unauthorized, unauthorized, or shutdown state, it is put into the configured access VLAN. If an 802.1X port is authenticated and put in the RADIUS server assigned VLAN, any change to the port access VLAN configuration does not take effect. The 802.
Using 802.1X with Per-User ACLs

You can enable per-user access control lists (ACLs) to provide different levels of network access and service to an 802.1X-authenticated user. When the RADIUS server authenticates a user connected to an 802.1X port, it retrieves the ACL attributes based on the user identity and sends them to the switch. The switch applies the attributes to the 802.

Configuring 802.1X Authentication

• Upgrading from a Previous Software Release, page 8-12
• Configuring 802.

Table 8-1 Default 802.1X Configuration (continued)
Guest VLAN
    None specified.
Client timeout period
    30 seconds (when relaying a request from the authentication server to the client, the amount of time the switch waits for a response before resending the request to the client.

Upgrading from a Previous Software Release

In Cisco IOS Release 12.1(14)EA1, the implementation for 802.1X changed from the previous release. Some global configuration commands became interface configuration commands, and new commands were added. If you have 802.1X configured on the switch and you upgrade to Cisco IOS Release 12.1(14)EA1 or later, the configuration file will not contain the new commands, and 802.

Step 5 aaa authorization network {default} group radius
    (Optional) Configure the switch for user RADIUS authorization for all network-related service requests, such as per-user ACLs or VLAN assignment.
    Note For per-user ACLs, single-host mode must be configured. This setting is the default.

Step 1 configure terminal
    Enter global configuration mode.
Step 2 radius-server host {hostname | ip-address} auth-port port-number key string
    Configure the RADIUS server parameters. For hostname | ip-address, specify the host name or IP address of the remote RADIUS server. For auth-port port-number, specify the UDP destination port for authentication requests. The default is 1812.

Beginning in privileged EXEC mode, follow these steps to enable periodic re-authentication of the client and to configure the number of seconds between re-authentication attempts. This procedure is optional.

Step 1 configure terminal
    Enter global configuration mode.
Step 2 interface interface-id
    Enter interface configuration mode, and specify the interface to be configured.

Step 1 configure terminal
    Enter global configuration mode.
Step 2 interface interface-id
    Enter interface configuration mode, and specify the interface to be configured.
Step 3 dot1x timeout quiet-period seconds
    Set the number of seconds that the switch remains in the quiet state following a failed authentication exchange with the client. The range is 1 to 65535 seconds; the default is 60.

With the multiple-hosts mode enabled, you can use 802.1X to authenticate the port and port security to manage network access for all MAC addresses, including that of the client.

Beginning in privileged EXEC mode, follow these steps to allow multiple hosts (clients) on an 802.1X-authorized port that has the dot1x port-control interface configuration command set to auto. This procedure is optional.
Displaying 802.1X Statistics and Status

Step 5 show dot1x interface interface-id
    Verify your entries.
Step 6 copy running-config startup-config
    (Optional) Save your entries in the configuration file.

To disable and remove the guest VLAN, use the no dot1x guest-vlan interface configuration command. The port returns to the unauthorized state.

This example shows how to enable VLAN 2 as an 802.
Chapter 9 Configuring Interface Characteristics

This chapter defines the types of interfaces on the Catalyst 2970 switch and describes how to configure them.

Understanding Interface Types

Port-Based VLANs

A VLAN is a switched network that is logically segmented by function, team, or application, without regard to the physical location of the users. For more information about VLANs, see Chapter 11, “Configuring VLANs.” Packets received on a port are forwarded only to ports that belong to the same VLAN as the receiving port.

Two types of access ports are supported:
• Static access ports are manually assigned to a VLAN.
• VLAN membership of dynamic access ports is learned through incoming packets. By default, a dynamic access port is a member of no VLAN, and forwarding to and from the port is enabled only when the VLAN membership of the port is discovered.

EtherChannel Port Groups

EtherChannel port groups provide the ability to treat multiple switch ports as one switch port. These port groups act as a single logical port for high-bandwidth connections between switches or between switches and servers. An EtherChannel balances the traffic load across the links in the channel.
Using Interface Configuration Mode

The switch supports these interface types:
• Physical ports—including switch ports and routed ports
• VLANs—switch virtual interfaces
• Port-channels—EtherChannel of interfaces

You can also configure a range of interfaces (see the “Configuring a Range of Interfaces” section on page 9-6).

You can also configure a range of interfaces by using the interface range or interface range macro global configuration commands. Interfaces configured in a range must be the same type and must be configured with the same feature options.

Step 4 After you configure an interface, verify its status by using the show privileged EXEC commands listed in the “Monitoring and Maintaining the Interfaces” section on page 9-16.

Note When you use the interface range command with port channels, the first and last port channel number must be active port channels.

• You must add a space between the first interface number and the hyphen when using the interface range command. For example, the command interface range gigabitethernet 0/1 - 4 is a valid range; the command interface range gigabitethernet 0/1-4 is not a valid range.

Use the no define interface-range macro_name global configuration command to delete a macro.
Configuring Ethernet Interfaces

These sections describe the default interface configuration and the optional features that you can configure on most physical interfaces:
• Default Ethernet Interface Configuration, page 9-9
• Configuring Interface Speed and Duplex Mode, page 9-10
• Configuring IEEE 802.

Table 9-1 Default Layer 2 Ethernet Interface Configuration (continued)
Port Fast
    Disabled.
Auto-MDIX
    Disabled.

Note The switch might not support a pre-standard power device—such as Cisco IP phones and access points that do not fully support IEEE 802.3AF—if that power device is connected to the switch through a crossover cable.

Caution When STP is enabled and a port is reconfigured, the switch can take up to 30 seconds to check for loops. The port LED is amber while STP reconfigures. Changing the interface speed and duplex mode configuration might shut down and re-enable the interface during the reconfiguration.

Configuring IEEE 802.3X Flow Control

Flow control enables connected Ethernet ports to control traffic rates during congestion by allowing congested nodes to pause link operation at the other end. If one port experiences congestion and cannot receive any more traffic, it notifies the other port to stop sending until the condition clears by sending a pause frame.

Configuring Auto-MDIX on an Interface

When automatic medium-dependent interface crossover (Auto-MDIX) is enabled on an interface, the interface automatically detects the required cable connection type (straight through or crossover) and configures the connection appropriately.
Adding a Description for an Interface

You can add a description about an interface to help you remember its function. The description appears in the output of these privileged EXEC commands: show configuration, show running-config, and show interfaces.

Beginning in privileged EXEC mode, follow these steps to add a description for an interface:

Step 1 configure terminal
    Enter global configuration mode.

Configuring the System MTU

Note If Gigabit Ethernet interfaces are configured to accept frames greater than the 10/100 interfaces, jumbo frames ingressing on a Gigabit Ethernet interface and egressing on a 10/100 interface are dropped.

Beginning in privileged EXEC mode, follow these steps to change MTU size for all 10/100 or Gigabit Ethernet interfaces:

Step 1 configure terminal
    Enter global configuration mode.
Monitoring and Maintaining the Interfaces

You can perform the tasks in these sections to monitor and maintain interfaces:
• Monitoring Interface Status, page 9-16
• Clearing and Resetting Interfaces and Counters, page 9-17
• Shutting Down and Restarting the Interface, page 9-17

Monitoring Interface Status

Commands entered at the privileged EXEC prompt display information about the interface, including the vers

Clearing and Resetting Interfaces and Counters

Table 9-4 lists the privileged EXEC mode clear commands that you can use to clear counters and reset interfaces.

Table 9-4 Clear Commands for Interfaces
clear counters [interface-id]
    Clear interface counters.
clear interface interface-id
    Reset the hardware logic on an interface.
Chapter 10 Configuring SmartPort Macros

This chapter describes how to configure and apply SmartPort macros on the Catalyst 2970 switch.

Note For complete syntax and usage information for the commands used in this chapter, refer to the command reference for this release.

Configuring Smart-Port Macros

You can create a new SmartPort macro or use an existing macro as a template to create a new macro that is specific to your application. After you create the macro, you can apply it to an interface or range of interfaces.

Creating and Applying SmartPort Macros

Beginning in privileged EXEC mode, follow these steps to create and apply a SmartPort macro:

Step 1 configure terminal
    Enter global configuration mode.
Step 2 macro name macro-name
    Create a macro definition, and enter a macro name. A macro definition can contain up to 3000 characters. Enter the macro commands with one command per line. Use the @ character to end the macro.

Displaying SmartPort Macros

This example shows how to define the desktop-config macro for an access switch interface, apply the macro to Gigabit Ethernet interface 0/4, add a description to the interface, and verify the configuration.
C H A P T E R 11 Configuring VLANs This chapter describes how to configure normal-range VLANs (VLAN IDs 1 to 1005) and extended-range VLANs (VLAN IDs 1006 to 4094) on the Catalyst 2970 switch. It includes information about VLAN membership modes, VLAN configuration modes, VLAN trunks, and dynamic VLAN assignment from a VLAN Membership Policy Server (VMPS). Note For complete syntax and usage information for the commands used in this chapter, refer to the command reference for this release.
Understanding VLANs

Figure 11-1 shows an example of VLANs segmented into logically defined networks.

[Figure 11-1 VLANs as Logically Defined Networks: Engineering, Marketing and Accounting VLANs spanning Floors 1 to 3, interconnected through a Cisco router over Gigabit Ethernet]

VLANs are often associated with IP subnetworks. For example, all the end stations in a particular IP subnet belong to the same VLAN.

Supported VLANs

The switch supports 1005 VLANs in VTP client, server, and transparent modes. VLANs are identified with a number from 1 to 4094. VLAN IDs 1002 through 1005 are reserved for Token Ring and FDDI VLANs. VTP learns only normal-range VLANs, with VLAN IDs 1 to 1005; VLAN IDs greater than 1005 are extended-range VLANs and are not stored in the VLAN database. The switch must be in VTP transparent mode when you create VLAN IDs from 1006 to 4094.

Table 11-1 Port Membership Modes (continued)

Membership mode: Dynamic access
VLAN membership characteristics: A dynamic-access port can belong to one VLAN (VLAN ID 1 to 4094) and is dynamically assigned by a VMPS. The VMPS can be a Catalyst 5000 or Catalyst 6000 series switch, for example, but never a Catalyst 2970 switch. The Catalyst 2970 switch is a VMPS client.
VTP characteristics: VTP is required.

Configuring Normal-Range VLANs

You can set these parameters when you create a new normal-range VLAN or modify an existing VLAN in the VLAN database:
• VLAN ID
• VLAN name
• VLAN type (Ethernet, Fiber Distributed Data Interface [FDDI], FDDI network entity title [NET], TrBRF, or TrCRF, Token Ring, Token Ring-Net)
• VLAN state (active or suspended)
• Maximum transmission unit (MTU) for the VLAN
• Security Association Identifier (SAID)
• Bridge identification n

Normal-Range VLAN Configuration Guidelines

Follow these guidelines when creating and modifying normal-range VLANs in your network:
• The switch supports 1005 VLANs in VTP client, server, and transparent modes.
• Normal-range VLANs are identified with a number between 1 and 1001. VLAN numbers 1002 through 1005 are reserved for Token Ring and FDDI VLANs.
• VLAN configuration for VLANs 1 to 1005 is always saved in the VLAN database.

... information about commands available in this mode, refer to the vlan global configuration command description in the command reference for this release. When you have finished the configuration, you must exit config-vlan mode for the configuration to take effect. To display the VLAN configuration, enter the show vlan privileged EXEC command. You must use config-vlan mode when creating extended-range VLANs (VLAN IDs greater than 1005).

Note: The switch supports Ethernet interfaces exclusively. Because FDDI and Token Ring VLANs are not locally supported, you configure FDDI and Token Ring media-specific characteristics only for VTP global advertisements to other switches.

Table 11-2 Ethernet VLAN Defaults and Ranges

Parameter: VLAN ID
Default: 1
Range: 1 to 4094. Note: Extended-range VLANs (VLAN IDs 1006 to 4094) are not saved in the VLAN database.

Beginning in privileged EXEC mode, follow these steps to use config-vlan mode to create or modify an Ethernet VLAN:

Step 1  configure terminal
        Enter global configuration mode.
Step 2  vlan vlan-id
        Enter a VLAN ID, and enter config-vlan mode. Enter a new VLAN ID to create a VLAN, or enter an existing VLAN ID to modify a VLAN.
        Note: The available VLAN ID range for this command is 1 to 4094.

Beginning in privileged EXEC mode, follow these steps to use VLAN database configuration mode to create or modify an Ethernet VLAN:

Step 1  vlan database
        Enter VLAN database configuration mode.
Step 2  vlan vlan-id name vlan-name
        Add an Ethernet VLAN by assigning a number to it. The range is 1 to 1001. You can create or modify a range of consecutive VLANs by entering vlan first-vlan-id end last-vlan-id.

Beginning in privileged EXEC mode, follow these steps to delete a VLAN on the switch by using global configuration mode:

Step 1  configure terminal
        Enter global configuration mode.
Step 2  no vlan vlan-id
        Remove the VLAN by entering the VLAN ID.
Step 3  end
        Return to privileged EXEC mode.
Step 4  show vlan brief
        Verify the VLAN removal.

To return an interface to its default configuration, use the default interface interface-id interface configuration command. This example shows how to configure Gigabit Ethernet interface 0/1 as an access port in VLAN 2:

Switch# configure terminal
Enter configuration commands, one per line.  End with CNTL/Z.

Configuring Extended-Range VLANs

• VLAN IDs in the extended range are not saved in the VLAN database and are not recognized by VTP.
• You cannot include extended-range VLANs in the pruning-eligible range.
• The switch must be in VTP transparent mode when you create extended-range VLANs. If the VTP mode is server or client, an error message is generated, and the extended-range VLAN is rejected.

Step 5  remote-span
        (Optional) Configure the VLAN as the RSPAN VLAN. See the "Configuring a VLAN as an RSPAN VLAN" section on page 22-17.
Step 6  end
        Return to privileged EXEC mode.
Step 7  show vlan id vlan-id
        Verify that the VLAN has been created.
Step 8  copy running-config startup-config
        Save your entries in the switch startup configuration file.

Configuring VLAN Trunks

These sections describe how VLAN trunks function on the switch:
• Trunking Overview, page 11-15
• Encapsulation Types, page 11-16
• Default Layer 2 Ethernet Interface VLAN Configuration, page 11-17
• Configuring an Ethernet Interface as a Trunk Port, page 11-18
• Configuring Trunk Ports for Load Sharing, page 11-22

Trunking Overview

A trunk is a point-to-point link between one or more Ethernet switch interfaces and anot

Trunk negotiation is managed by the Dynamic Trunking Protocol (DTP), which is a point-to-point protocol. However, some internetworking devices might forward DTP frames improperly, which could cause misconfigurations. To avoid this, configure interfaces connected to devices that do not support DTP not to forward DTP frames, that is, turn off DTP.

The trunking mode, the trunk encapsulation type, and the hardware capabilities of the two connected interfaces determine whether a link becomes an ISL or 802.1Q trunk.

802.1Q Configuration Considerations

802.1Q trunks impose these limitations on the trunking strategy for a network:
• In a network of Cisco switches connected through 802.1Q trunks, the switches maintain one instance of spanning tree for each VLAN allowed on the trunks.

Configuring an Ethernet Interface as a Trunk Port

Because trunk ports send and receive VTP advertisements, to use VTP you must ensure that at least one trunk port is configured on the switch and that this trunk port is connected to the trunk port of a second switch. Otherwise, the switch cannot receive any VTP advertisements.

Configuring a Trunk Port

Beginning in privileged EXEC mode, follow these steps to configure a port as an ISL or 802.1Q trunk port:

Step 1  configure terminal
        Enter global configuration mode.
Step 2  interface interface-id
        Enter interface configuration mode and specify the port to be configured for trunking.
Step 3  switchport trunk encapsulation {isl | dot1q | negotiate}
        Configure the port to support ISL or 802.

Defining the Allowed VLANs on a Trunk

By default, a trunk port sends traffic to and receives traffic from all VLANs. All VLAN IDs, 1 to 4094, are allowed on each trunk. However, you can remove VLANs from the allowed list, preventing traffic from those VLANs from passing over the trunk.

To return to the default allowed VLAN list of all VLANs, use the no switchport trunk allowed vlan interface configuration command. This example shows how to remove VLAN 2 from the allowed VLAN list on an interface:

Switch(config)# interface gigabitethernet0/1
Switch(config-if)# switchport trunk allowed vlan remove 2
Switch(config-if)# end

Changing the Pruning-Eligible List

The pruning-eligible list applies only to trunk ports.

For information about 802.1Q configuration issues, see the "802.1Q Configuration Considerations" section on page 11-17. Beginning in privileged EXEC mode, follow these steps to configure the native VLAN on an 802.1Q trunk:

Step 1  configure terminal
        Enter global configuration mode.
Step 2  interface interface-id
        Enter interface configuration mode, and define the interface that is configured as the 802.1Q trunk.
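The following Python model is an added example, not code from Cisco or from this guide. It puts the three trunk-port rules of this section side by side: the allowed-VLAN list (all of 1 to 4094 by default, with "remove" subtracting from it), the 802.1Q native VLAN (frames in it leave untagged, and untagged frames arriving on the trunk are classified into it), and the pruning-eligible list (2 through 1001 by default; reserved VLANs 1002 to 1005 and extended-range VLANs can never be pruned). The class and method names are invented; the "frame" is simplified to an optional 802.1Q tag followed by an opaque payload, with the MAC header omitted, and treating VLAN 1 as never pruning-eligible is an assumption beyond what this page states.

```python
"""Model of the trunk-port rules in this chapter: allowed-VLAN list, 802.1Q
native VLAN handling and the pruning-eligible list. Added example; the frame
layout is simplified to [802.1Q tag][payload] with no MAC header."""
import struct

TPID_8021Q = 0x8100
VLAN_MIN, VLAN_MAX = 1, 4094
NORMAL_MAX = 1001                      # highest normal-range, non-reserved ID
RESERVED = set(range(1002, 1006))      # reserved for Token Ring and FDDI VLANs


class TrunkPort:
    def __init__(self, native_vlan=1):
        if not VLAN_MIN <= native_vlan <= VLAN_MAX:
            raise ValueError("native VLAN must be 1 to 4094")
        self.native_vlan = native_vlan
        self.allowed = set(range(VLAN_MIN, VLAN_MAX + 1))      # default: all VLANs
        self.pruning_eligible = set(range(2, NORMAL_MAX + 1))  # default: 2 to 1001

    def allowed_remove(self, *vlans):
        """switchport trunk allowed vlan remove <list>"""
        self.allowed.difference_update(vlans)

    def allowed_default(self):
        """no switchport trunk allowed vlan: back to all VLANs."""
        self.allowed = set(range(VLAN_MIN, VLAN_MAX + 1))

    def set_pruning_eligible(self, vlans):
        """switchport trunk pruning vlan <list>. Reserved and extended-range IDs
        are rejected because they cannot be pruned; rejecting VLAN 1 as well is
        an assumption of this model."""
        rejected = sorted(v for v in vlans if v < 2 or v in RESERVED or v > NORMAL_MAX)
        if rejected:
            raise ValueError(f"not pruning eligible: {rejected}")
        self.pruning_eligible = set(vlans)

    def egress(self, vlan, payload):
        """Frame as it leaves the trunk for `vlan`, or None if the VLAN is not
        in the allowed list. Native-VLAN frames leave untagged."""
        if vlan not in self.allowed:
            return None
        if vlan == self.native_vlan:
            return payload
        tci = vlan & 0x0FFF                    # PCP=0, DEI=0, 12-bit VID
        return struct.pack("!HH", TPID_8021Q, tci) + payload

    def ingress(self, frame):
        """Classify a received frame as (vlan, payload); None if dropped.
        A frame without a tag is placed in the native VLAN."""
        if len(frame) >= 4 and struct.unpack("!H", frame[:2])[0] == TPID_8021Q:
            vlan = struct.unpack("!H", frame[2:4])[0] & 0x0FFF
            payload = frame[4:]
        else:
            vlan, payload = self.native_vlan, frame
        if vlan not in self.allowed:
            return None
        return vlan, payload


def demo():
    """The chapter's example: remove VLAN 2 from the allowed list, then observe
    how VLAN 2, the native VLAN and a tagged VLAN are handled."""
    port = TrunkPort(native_vlan=1)
    port.allowed_remove(2)
    return {
        "vlan2_egress": port.egress(2, b"data"),       # None: VLAN 2 filtered
        "native_egress": port.egress(1, b"data"),      # leaves untagged
        "vlan10_egress": port.egress(10, b"data"),     # tagged 0x8100 0x000a
        "untagged_ingress": port.ingress(b"data"),     # classified into VLAN 1
    }
```

The ingress rule is the one worth checking on real trunks: anything that arrives untagged is silently placed in the native VLAN, so the allowed list and the native VLAN choice should be reviewed together.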
• VLANs 8 through 10 retain the default port priority of 128 on Trunk 2.

In this way, Trunk 1 carries traffic for VLANs 8 through 10, and Trunk 2 carries traffic for VLANs 3 through 6. If the active trunk fails, the trunk with the lower priority takes over and carries the traffic for all of the VLANs. No duplication of traffic occurs over any trunk port.

Step 15  show vlan
         When the trunk links come up, VTP passes the VTP and VLAN information to Switch B. Verify that Switch B has learned the VLAN configuration.
Step 16  configure terminal
         Enter global configuration mode on Switch A.
Step 17  interface gigabitethernet 0/1
         Enter interface configuration mode, and define the interface on which to set the STP port priority.

Beginning in privileged EXEC mode, follow these steps to configure the network shown in Figure 11-4:

Step 1  configure terminal
        Enter global configuration mode on Switch A.
Step 2  interface gigabitethernet0/1
        Enter interface configuration mode, and define Gigabit Ethernet port 0/1 as the interface to be configured as a trunk.

Configuring VMPS

The VLAN Query Protocol (VQP) is used to support dynamic-access ports, which are not permanently assigned to a VLAN but are given VLAN assignments based on the MAC source addresses seen on the port. Each time an unknown MAC address is seen, the switch sends a VQP query to a remote VMPS; the query includes the newly seen MAC address and the port on which it was seen. The VMPS responds with a VLAN assignment for the port.

Dynamic-Access Port VLAN Membership

A dynamic-access port can belong to only one VLAN with an ID from 1 to 4094. When the link comes up, the switch does not forward traffic to or from this port until the VMPS provides the VLAN assignment. The VMPS receives the source MAC address from the first packet of a new host connected to the dynamic-access port and attempts to match the MAC address to a VLAN in the VMPS database.

• 802.1X ports cannot be configured as dynamic-access ports. If you try to enable 802.1X on a dynamic-access (VQP) port, an error message appears, and 802.1X is not enabled. If you try to change an 802.1X-enabled port to dynamic VLAN assignment, an error message appears, and the VLAN configuration is not changed.

Configuring Dynamic-Access Ports on VMPS Clients

If you are configuring a port on a cluster member switch as a dynamic-access port, first use the rcommand privileged EXEC command to log into the cluster member switch.

Caution: Dynamic-access port VLAN membership is for end stations or hubs connected to end stations. Connecting dynamic-access ports to other switches can cause a loss of connectivity.

Beginning in privileged EXEC mode, follow these steps to change the reconfirmation interval:

Step 1  configure terminal
        Enter global configuration mode.
Step 2  vmps reconfirm minutes
        Enter the number of minutes between reconfirmations of the dynamic VLAN membership. The range is from 1 to 120. The default is 60 minutes.
Step 3  end
        Return to privileged EXEC mode.
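The following Python model is an added example, not Cisco code, of the VQP exchange described in this section: the Catalyst 2970 is only ever the VMPS client, a dynamic-access port forwards nothing until the VMPS has answered the query for the first source MAC seen on it, and the membership is reconfirmed every "vmps reconfirm" interval (1 to 120 minutes, default 60). The VMPS database is a constructed MAC-to-VLAN dictionary, the class names are invented, and two simplifications are assumptions of the model rather than documented behaviour: reconfirmation is triggered by the next frame after the interval has elapsed, and a MAC with no database entry simply receives no assignment.

```python
"""Model of a VMPS client (the Catalyst 2970 role) talking to a VMPS.
Added example; the VMPS is a constructed MAC -> VLAN dictionary."""
from dataclasses import dataclass
from typing import Optional

# Constructed VMPS database for the example: MAC address -> VLAN ID
VMPS_DB = {
    "0000.1111.aaaa": 10,
    "0000.1111.bbbb": 20,
}


class Vmps:
    """The server side (a Catalyst 5000 or 6000 series switch in the guide)."""
    def __init__(self, db):
        self.db = dict(db)
        self.queries = []             # (port, mac) log of every VQP query

    def query(self, port, mac):
        self.queries.append((port, mac))
        return self.db.get(mac)       # None when the MAC is not in the database


@dataclass
class DynamicAccessPort:
    name: str
    vlan: Optional[int] = None              # None until the VMPS assigns one
    confirmed_at: Optional[int] = None      # minute of the last confirmation


class VmpsClient:
    """The Catalyst 2970 side: issues VQP queries and holds port assignments."""
    def __init__(self, vmps, reconfirm=60):
        if not 1 <= reconfirm <= 120:
            raise ValueError("vmps reconfirm: range is 1 to 120 minutes")
        self.vmps = vmps
        self.reconfirm = reconfirm
        self.ports = {}

    def link_up(self, port_name):
        # A fresh link has no assignment: nothing is forwarded until the VMPS answers.
        self.ports[port_name] = DynamicAccessPort(port_name)

    def frame_in(self, port_name, src_mac, now_min):
        """Return the VLAN the frame is forwarded in, or None (not forwarded)."""
        port = self.ports[port_name]
        needs_query = (port.vlan is None
                       or now_min - port.confirmed_at >= self.reconfirm)
        if needs_query:
            vlan = self.vmps.query(port_name, src_mac)
            if vlan is None:
                port.vlan = None      # unknown host (or failed reconfirmation)
                return None
            if not 1 <= vlan <= 4094:
                raise ValueError("VMPS returned an invalid VLAN ID")
            port.vlan, port.confirmed_at = vlan, now_min
        return port.vlan
```

Lowering the reconfirmation interval shortens the window in which a port keeps a VLAN whose database entry has since been removed; the test below walks through exactly that case.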
This is an example of output for the show vmps privileged EXEC command:

Switch# show vmps
VQP Client Status:
--------------------
VMPS VQP Version:   1
Reconfirm Interval: 60 min
Server Retry Count: 3
VMPS domain server: 172.20.128.86 (primary, current)
                    172.20.128.

[Figure 11-5 Dynamic Port VLAN Membership Configuration: a TFTP server, a Catalyst 6000 series primary VMPS (Switch 1) and a Catalyst 6000 series secondary VMPS (Switch 3), Catalyst 2970 VMPS client switches with dynamic-access ports to end stations, trunk ports between switches, and a router]
Chapter 12: Configuring VTP

This chapter describes how to use the VLAN Trunking Protocol (VTP) and the VLAN database for managing VLANs with the Catalyst 2970 switch.

Note: For complete syntax and usage information for the commands used in this chapter, refer to the command reference for this release.
Understanding VTP

This section contains information about these VTP parameters and characteristics:
• The VTP Domain, page 12-2
• VTP Modes, page 12-3
• VTP Advertisements, page 12-3
• VTP Version 2, page 12-4
• VTP Pruning, page 12-4

The VTP Domain

A VTP domain (also called a VLAN management domain) consists of one switch or several interconnected switches under the same administrative responsibility sharing the same VTP domain name.

VTP Modes

You can configure a supported switch to be in one of the VTP modes listed in Table 12-1.

Table 12-1 VTP Modes

VTP mode: VTP server
Description: In VTP server mode, you can create, modify, and delete VLANs, and specify other configuration parameters (such as the VTP version) for the entire VTP domain.

VTP advertisements distribute this VLAN information for each configured VLAN:
• VLAN IDs (ISL and 802.1Q)
• VLAN name
• VLAN type
• VLAN state
• Additional VLAN configuration information specific to the VLAN type

VTP Version 2

If you use VTP in your network, you must decide whether to use version 1 or version 2. By default, VTP operates in version 1.

[Figure 12-1 Flooding Traffic without VTP Pruning: Switches A through F, Red VLAN, Port 1 on Switch A and Port 2 on Switch D]

Figure 12-2 shows a switched network with VTP pruning enabled. The broadcast traffic from Switch A is not forwarded to Switches C, E, and F because traffic for the Red VLAN has been pruned on the links shown (Port 5 on Switch B and Port 4 on Switch D).

Configuring VTP

• Turn off VTP pruning by making all VLANs on the trunk of the switch upstream to the VTP transparent switch pruning ineligible.

To configure VTP pruning on an interface, use the switchport trunk pruning vlan interface configuration command (see the "Changing the Pruning-Eligible List" section on page 11-21). VTP pruning operates when an interface is trunking.

For detailed information about vtp commands, refer to the command reference for this release.

VTP Configuration in Global Configuration Mode

You can use the vtp global configuration command to set the VTP password, the version, the VTP file name, the interface providing updated VTP information, the domain name, and the mode, and to disable or enable pruning.

Caution: Do not configure a VTP domain if all switches are operating in VTP client mode. If you configure the domain, it is impossible to make changes to the VLAN configuration of that domain. Make sure that you configure at least one switch in the VTP domain for VTP server mode.

Passwords

You can configure a password for the VTP domain, but it is not required.

Configuring a VTP Server

When a switch is in VTP server mode, you can change the VLAN configuration and have it propagated throughout the network.

Note: If extended-range VLANs are configured on the switch, you cannot change the VTP mode to server. You receive an error message, and the configuration is not allowed.

Step 3  vtp domain domain-name
        Configure a VTP administrative-domain name. The name can be from 1 to 32 characters. All switches operating in VTP server or client mode under the same administrative responsibility must be configured with the same domain name.
Step 4  vtp password password
        (Optional) Set a password for the VTP domain. The password can be from 8 to 64 characters.

Beginning in privileged EXEC mode, follow these steps to configure the switch as a VTP client:

Step 1  configure terminal
        Enter global configuration mode.
Step 2  vtp mode client
        Configure the switch for VTP client mode. The default setting is VTP server.
Step 3  vtp domain domain-name
        (Optional) Enter the VTP administrative-domain name. The name can be from 1 to 32 characters. This should be the same domain name as the VTP server.

Beginning in privileged EXEC mode, follow these steps to configure VTP transparent mode and save the VTP configuration in the switch startup configuration file:

Step 1  configure terminal
        Enter global configuration mode.
Step 2  vtp mode transparent
        Configure the switch for VTP transparent mode (disable VTP).
Step 3  end
        Return to privileged EXEC mode.
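The following Python model is an added example, not Cisco code, that ties together the VTP rules stated across the three mode procedures above: a 1 to 32 character domain name, an optional 8 to 64 character password, servers originating VLAN changes, clients only applying them, transparent switches forwarding advertisements without applying them, extended-range VLANs requiring transparent mode and blocking a later change to server mode, and a receiver applying an advertisement only when its configuration revision is higher than its own. The class and function names are invented. The page does not describe how the password is carried in an advertisement, so the digest used here is a hypothetical stand-in (SHA-256 over the password and VLAN data) that only models "must match"; it is not the real VTP MD5 layout.

```python
"""Model of VTP server, client and transparent behaviour from this chapter.
Added example; the password digest is a hypothetical stand-in."""
import hashlib
from dataclasses import dataclass

MODES = ("server", "client", "transparent")
NORMAL_RANGE_MAX = 1005          # IDs above this are extended-range


def vtp_digest(password, vlans):
    # Assumption: any digest that depends on password and VLAN data will do here.
    data = repr((password, sorted(vlans.items()))).encode()
    return hashlib.sha256(data).hexdigest()


@dataclass
class Advertisement:
    domain: str
    revision: int
    vlans: dict          # VLAN ID -> name
    digest: str


class VtpSwitch:
    def __init__(self, name, mode="server", domain=None, password=None):
        if mode not in MODES:
            raise ValueError(f"unknown VTP mode {mode}")
        if domain is not None and not 1 <= len(domain) <= 32:
            raise ValueError("domain name must be 1 to 32 characters")
        if password is not None and not 8 <= len(password) <= 64:
            raise ValueError("password must be 8 to 64 characters")
        self.name, self.mode, self.domain, self.password = name, mode, domain, password
        self.vlans = {1: "default"}  # normal-range VLANs, kept in the VLAN database
        self.extended = set()        # extended-range IDs, not in the VLAN database
        self.revision = 0

    def set_mode(self, mode):
        if mode not in MODES:
            raise ValueError(mode)
        if mode == "server" and self.extended:
            raise ValueError("extended-range VLANs configured; cannot change to server")
        self.mode = mode

    def add_vlan(self, vid, name):
        """Create a VLAN; return the advertisement a server sends, else None."""
        if vid > NORMAL_RANGE_MAX:
            if self.mode != "transparent":
                raise ValueError("extended-range VLANs require VTP transparent mode")
            self.extended.add(vid)
            return None              # never advertised by VTP
        if self.mode == "client":
            raise ValueError("VTP clients cannot create VLANs")
        self.vlans[vid] = name
        if self.mode == "transparent":
            return None              # local change only
        self.revision += 1
        return Advertisement(self.domain, self.revision, dict(self.vlans),
                             vtp_digest(self.password, self.vlans))

    def receive(self, adv):
        """Process an advertisement from a trunk; return what is relayed on."""
        if self.mode == "transparent":
            return adv               # forwarded through trunks, not applied
        if adv.domain != self.domain:
            return None              # another domain: ignored
        if adv.digest != vtp_digest(self.password, adv.vlans):
            return None              # password mismatch: ignored
        if adv.revision <= self.revision:
            return None              # stale or duplicate: ignored
        self.vlans, self.revision = dict(adv.vlans), adv.revision
        return adv                   # applied and relayed
```

The revision check is what makes the domain-wide caution above bite: a client accepts whatever higher-revision advertisement arrives from its domain with the right password, which is why the password and the set of servers deserve the same review as the VLAN list itself.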
Beginning in privileged EXEC mode, follow these steps to enable VTP version 2:

Step 1  configure terminal
        Enter global configuration mode.
Step 2  vtp version 2
        Enable VTP version 2 on the switch. VTP version 2 is disabled by default on VTP version 2-capable switches.
Step 3  end
        Return to privileged EXEC mode.
Step 4  show vtp status
        Verify that VTP version 2 is enabled in the VTP V2 Mode field of the display.

Only VLANs included in the pruning-eligible list can be pruned. By default, VLANs 2 through 1001 are pruning eligible on trunk ports. Reserved VLANs and extended-range VLANs cannot be pruned. To change the pruning-eligible VLANs, see the "Changing the Pruning-Eligible List" section on page 11-21.

Monitoring VTP

You monitor VTP by displaying VTP configuration information: the domain name, the current VTP revision, and the number of VLANs. You can also display statistics about the advertisements sent and received by the switch. Table 12-3 shows the privileged EXEC commands for monitoring VTP activity.

Table 12-3 VTP Monitoring Commands

Command: show vtp status
Purpose: Display the VTP switch configuration information.

Catalyst 2970 Switch Software Configuration Guide, 78-15462-03
Chapter 13: Configuring Voice VLAN

This chapter describes how to configure the voice VLAN feature on the Catalyst 2970 switch. Voice VLAN is referred to as an auxiliary VLAN in some Catalyst 6000 family switch documentation.

Note: For complete syntax and usage information for the commands used in this chapter, refer to the command reference for this release.
Understanding Voice VLAN

[Figure 13-1 Cisco 7960 IP Phone Connected to a Switch: the phone's ASIC and 3-port switch (P1, P2, P3), a PC attached to the phone, and an access port on the Catalyst 2970 switch]

Cisco IP Phone Voice Traffic

You can configure an access port with an attached Cisco IP Phone to use one VLAN for voice traffic and another VLAN for data traffic from a device attached to the phone.

Configuring Voice VLAN

This section describes how to configure voice VLAN on access ports. This section contains this configuration information:
• Default Voice VLAN Configuration, page 13-3
• Voice VLAN Configuration Guidelines, page 13-3
• Configuring a Port Connected to a Cisco 7960 IP Phone, page 13-4

Default Voice VLAN Configuration

The voice VLAN feature is disabled by default.

• Voice VLAN ports can also be these port types:
  – Dynamic access port. See the "Configuring Dynamic-Access Ports on VMPS Clients" section on page 11-29 for more information.
  – 802.1X authenticated port. See the "Configuring 802.1X Authentication" section on page 8-12 for more information.
  – Protected port. See the "Configuring Protected Ports" section on page 19-5 for more information.

Step 4  switchport voice vlan {vlan-id | dot1p | none | untagged}
        Configure how the Cisco IP Phone carries voice traffic:
        • vlan-id: Configure the Cisco IP Phone to forward all voice traffic through the specified VLAN. By default, the Cisco IP Phone forwards the voice traffic with an 802.1Q priority of 5. Valid VLAN IDs are from 1 to 4094.
        • dot1p: Configure the Cisco IP Phone to use 802.

Step 4  end
        Return to privileged EXEC mode.
Step 5  show interfaces interface-id switchport
        Verify your entries.
Step 6  copy running-config startup-config
        (Optional) Save your entries in the configuration file.

To return the port to its default setting, use the no switchport priority extend interface configuration command.
Chapter 14: Configuring STP

This chapter describes how to configure the Spanning Tree Protocol (STP) on port-based VLANs on the Catalyst 2970 switch. The switch uses the per-VLAN spanning-tree plus (PVST+) protocol based on the IEEE 802.1D standard and Cisco proprietary extensions, or it can use the rapid per-VLAN spanning-tree plus (rapid-PVST+) protocol based on the IEEE 802.1W standard.
Understanding Spanning-Tree Features

• Spanning-Tree Interoperability and Backward Compatibility, page 14-10
• STP and IEEE 802.1Q Trunks, page 14-10

For configuration information, see the "Configuring Spanning-Tree Features" section on page 14-11. For information about optional spanning-tree features, see Chapter 16, "Configuring Optional Spanning-Tree Features."

Spanning-Tree Topology and BPDUs

The stable, active spanning-tree topology of a switched network is determined by these elements:
• The unique bridge ID (switch priority and MAC address) associated with each VLAN on each switch.
• The spanning-tree path cost to the root switch.
• The port identifier (port priority and MAC address) associated with each Layer 2 interface.

Bridge ID, Switch Priority, and Extended System ID

The IEEE 802.1D standard requires that each switch have a unique bridge identifier (bridge ID), which determines the selection of the root switch. Because each VLAN is considered a different logical bridge with PVST+ and rapid PVST+, the same switch must have as many different bridge IDs as VLANs configured on it. Each VLAN on the switch has a unique 8-byte bridge ID.

An interface moves through these states:
• From initialization to blocking
• From blocking to listening or to disabled
• From listening to learning or to disabled
• From learning to forwarding or to disabled
• From forwarding to disabled

Figure 14-1 illustrates how an interface moves through the states.

... there is only one switch in the network, no exchange occurs, the forward-delay timer expires, and the interface moves to the listening state. An interface always enters the blocking state after switch initialization.

Disabled State

A Layer 2 interface in the disabled state does not participate in frame forwarding or in the spanning tree. An interface in the disabled state is nonoperational.
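The following Python state machine is an added example, not Cisco code, of the interface states just listed. It enforces exactly the transitions the guide gives (so a forwarding interface can only go to disabled), records what an interface does in each state (BPDUs are processed in every state except disabled; addresses are learned only in learning and forwarding; frames are forwarded only in forwarding), and adds up the time an interface spends before it forwards, since the listening and learning states each last one forward-delay interval. The class name is invented, and the 15-second forward delay is the 802.1D default rather than a value stated on this page.

```python
"""Spanning-tree interface state machine following the transition list in
this section. Added example; the 15 s forward delay is the 802.1D default."""

TRANSITIONS = {
    "initialization": {"blocking"},
    "blocking": {"listening", "disabled"},
    "listening": {"learning", "disabled"},
    "learning": {"forwarding", "disabled"},
    "forwarding": {"disabled"},
    "disabled": set(),
}
TIMED_STATES = ("listening", "learning")   # each lasts one forward delay


class StpInterface:
    def __init__(self, forward_delay=15):
        self.forward_delay = forward_delay
        self.state = "initialization"
        self.elapsed = 0                   # seconds spent in timed states
        self.move("blocking")              # always blocking after initialization

    def move(self, new_state):
        """Apply a transition from the guide's list; anything else is illegal."""
        if new_state not in TRANSITIONS[self.state]:
            raise ValueError(f"illegal transition {self.state} -> {new_state}")
        if self.state in TIMED_STATES:
            self.elapsed += self.forward_delay   # timer ran out in that state
        self.state = new_state
        return self.state

    def processes_bpdus(self):
        # A disabled interface does not participate in the spanning tree at all.
        return self.state != "disabled"

    def learns_addresses(self):
        return self.state in ("learning", "forwarding")

    def forwards_frames(self):
        return self.state == "forwarding"


def time_to_forwarding(forward_delay=15):
    """Seconds from blocking to forwarding for an interface that is chosen as
    a root or designated port: one forward delay listening, one learning."""
    intf = StpInterface(forward_delay)
    for state in ("listening", "learning", "forwarding"):
        intf.move(state)
    return intf.elapsed
```

With the default timer the walk from blocking to forwarding takes 30 seconds, which is the delay operators see on a newly connected port and the reason the forward-delay procedure later in this chapter exists.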
Spanning Tree and Redundant Connectivity

You can create a redundant backbone with spanning tree by connecting two switch interfaces to another device or to two different devices, as shown in Figure 14-3. Spanning tree automatically disables one interface but enables it if the other one fails. If one link is high-speed and the other is low-speed, the low-speed link is always disabled.

Because each VLAN is a separate spanning-tree instance, the switch accelerates aging on a per-VLAN basis. A spanning-tree reconfiguration on one VLAN can cause the dynamic addresses learned on that VLAN to be subject to accelerated aging. Dynamic addresses on other VLANs can be unaffected and remain subject to the aging interval entered for the switch.

Spanning-Tree Interoperability and Backward Compatibility

Table 14-2 lists the interoperability and compatibility among the supported spanning-tree modes in a network.

Configuring Spanning-Tree Features

These sections describe how to configure spanning-tree features:
• Default Spanning-Tree Configuration, page 14-11
• Spanning-Tree Configuration Guidelines, page 14-12
• Changing the Spanning-Tree Mode, page 14-13 (required)
• Disabling Spanning Tree, page 14-14 (optional)
• Configuring the Root Switch, page 14-14 (optional)
• Configuring a Secondary Root Switch, page 14-16 (optional)
• Configurin

Spanning-Tree Configuration Guidelines

If more VLANs are defined in the VTP than there are spanning-tree instances, you can enable PVST+ or rapid PVST+ on only 128 VLANs on the switch. The remaining VLANs operate with spanning tree disabled. However, you can map multiple VLANs to the same spanning-tree instance by using MSTP. For more information, see Chapter 15, "Configuring MSTP."

Changing the Spanning-Tree Mode

The switch supports three spanning-tree modes: PVST+, rapid PVST+, and MSTP. By default, the switch runs the PVST+ protocol. Beginning in privileged EXEC mode, follow these steps to change the spanning-tree mode. If you want to enable a mode that is different from the default mode, this procedure is required.

Step 1  configure terminal
        Enter global configuration mode.

Disabling Spanning Tree

Spanning tree is enabled by default on VLAN 1 and on all newly created VLANs up to the spanning-tree limit specified in the "Supported Spanning-Tree Instances" section on page 14-9. Disable spanning tree only if you are sure there are no loops in the network topology.

Note: The root switch for each spanning-tree instance should be a backbone or distribution switch. Do not configure an access switch as the spanning-tree primary root.

Use the diameter keyword to specify the Layer 2 network diameter (that is, the maximum number of switch hops between any two end stations in the Layer 2 network).

Configuring a Secondary Root Switch

When you configure a Catalyst 2970 switch as the secondary root, the switch priority is modified from the default value (32768) to 28672. The switch is then likely to become the root switch for the specified VLAN if the primary root switch fails. This assumes that the other network switches use the default switch priority of 32768 and therefore are unlikely to become the root switch.
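The following Python example is added here and is not Cisco code. It makes concrete the 8-byte bridge ID with extended system ID described earlier in the chapter (a 2-byte field holding the 4-bit switch priority, a multiple of 4096, and the 12-bit VLAN ID, followed by the 6-byte switch MAC address) and the root election that the primary and secondary root procedures steer: the lowest bridge ID in a VLAN wins, so with every switch at the default 32768 the lowest MAC address decides. The 32768 default and the 28672 secondary-root priority come from this chapter; using 24576 for the primary root is an assumption about the usual IOS value and is not stated on this page. Function names and the three switches with their MAC addresses are constructed for the example.

```python
"""Bridge ID with extended system ID, and the root election it drives.
Added example; the topology and MAC addresses are constructed."""

PRIORITY_STEP = 4096
DEFAULT_PRIORITY = 32768
SECONDARY_ROOT_PRIORITY = 28672        # from this chapter
PRIMARY_ROOT_PRIORITY = 24576          # assumption: usual IOS 'root primary' value


def bridge_id(priority, vlan, mac):
    """Pack priority, VLAN (extended system ID) and MAC into a 64-bit bridge ID."""
    if priority % PRIORITY_STEP or not 0 <= priority <= 61440:
        raise ValueError("priority must be a multiple of 4096 between 0 and 61440")
    if not 1 <= vlan <= 4094:
        raise ValueError("VLAN ID must be 1 to 4094")
    mac_int = int(mac.replace(":", "").replace(".", "").replace("-", ""), 16)
    if mac_int >> 48:
        raise ValueError("MAC address must be 48 bits")
    return ((priority | vlan) << 48) | mac_int


def split_bridge_id(bid):
    """Inverse of bridge_id: (priority, vlan, mac as 12 hex digits)."""
    high = bid >> 48
    return high & 0xF000, high & 0x0FFF, f"{bid & 0xFFFFFFFFFFFF:012x}"


def elect_root(switches, vlan):
    """switches: name -> (priority, mac). The lowest bridge ID for `vlan` wins."""
    return min(switches, key=lambda n: bridge_id(switches[n][0], vlan, switches[n][1]))


def root_is_in(switches, vlan, allowed_roots):
    """Check for the guide's note that the root should be a backbone or
    distribution switch, never an access switch."""
    return elect_root(switches, vlan) in allowed_roots


def demo(vlan=10):
    """With every switch at the default priority the access switch with the
    lowest MAC becomes root; setting the distribution switches to the primary
    and secondary root priorities moves the root where the guide wants it,
    and the secondary takes over when the primary is removed."""
    net = {
        "access1": (DEFAULT_PRIORITY, "0000.0c00.0001"),
        "dist1": (DEFAULT_PRIORITY, "0000.0c00.00a1"),
        "dist2": (DEFAULT_PRIORITY, "0000.0c00.00b2"),
    }
    before = elect_root(net, vlan)
    net["dist1"] = (PRIMARY_ROOT_PRIORITY, net["dist1"][1])
    net["dist2"] = (SECONDARY_ROOT_PRIORITY, net["dist2"][1])
    after = elect_root(net, vlan)
    del net["dist1"]                       # primary root fails
    failover = elect_root(net, vlan)
    return before, after, failover
```

Because the VLAN ID sits inside the priority field, the same switch has a different bridge ID in every VLAN, which is the reason a root election has to be checked per VLAN rather than once per switch.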
Configuring Port Priority

If a loop occurs, spanning tree uses the port priority when selecting an interface to put into the forwarding state. You can assign higher priority values (lower numerical values) to interfaces that you want selected first and lower priority values (higher numerical values) to interfaces that you want selected last.

To return to the default setting, use the no spanning-tree [vlan vlan-id] port-priority interface configuration command. For information on how to configure load sharing on trunk ports by using spanning-tree port priorities, see the "Configuring Trunk Ports for Load Sharing" section on page 11-22.

Configuring Path Cost

The spanning-tree path cost default value is derived from the media speed of an interface.

Note: The show spanning-tree interface interface-id privileged EXEC command displays information only for ports that are in a link-up operative state. Otherwise, you can use the show running-config privileged EXEC command to confirm the configuration.

To return to the default setting, use the no spanning-tree [vlan vlan-id] cost interface configuration command.

Configuring Spanning-Tree Timers

Table 14-4 describes the timers that affect the entire spanning-tree performance.

Table 14-4 Spanning-Tree Timers

Hello timer: Determines how often the switch broadcasts hello messages to other switches.
Forward-delay timer: Determines how long each of the listening and learning states lasts before the interface begins forwarding.

Configuring the Forwarding-Delay Time for a VLAN

Beginning in privileged EXEC mode, follow these steps to configure the forwarding-delay time for a VLAN. This procedure is optional.

Step 1  configure terminal
        Enter global configuration mode.
Step 2  spanning-tree vlan vlan-id forward-time seconds
        Configure the forward time of a VLAN.

Displaying the Spanning-Tree Status

To display the spanning-tree status, use one or more of the privileged EXEC commands in Table 14-5.

Table 14-5 Commands for Displaying Spanning-Tree Status

show spanning-tree active: Displays spanning-tree information on active interfaces only.
show spanning-tree detail: Displays a detailed summary of interface information.
Chapter 15: Configuring MSTP

This chapter describes how to configure the Cisco implementation of the IEEE 802.1S Multiple STP (MSTP) on the Catalyst 2970 switch. MSTP enables multiple VLANs to be mapped to the same spanning-tree instance, thereby reducing the number of spanning-tree instances needed to support a large number of VLANs. MSTP provides multiple forwarding paths for data traffic and enables load balancing.
Understanding MSTP

MSTP, which uses RSTP for rapid convergence, enables VLANs to be grouped into a spanning-tree instance, with each instance having a spanning-tree topology independent of other spanning-tree instances. This architecture provides multiple forwarding paths for data traffic, enables load balancing, and reduces the number of spanning-tree instances required to support a large number of VLANs.

IST, CIST, and CST

Unlike PVST+ and rapid PVST+, in which all the spanning-tree instances are independent, MSTP establishes and maintains two types of spanning trees:
• An internal spanning tree (IST), which is the spanning tree that runs in an MST region. Within each MST region, MSTP maintains multiple spanning-tree instances. Instance 0 is a special instance for a region, known as the internal spanning tree (IST).

Operations Between MST Regions

If there are multiple regions or legacy 802.1D switches within the network, MSTP establishes and maintains the CST, which includes all MST regions and all legacy STP switches in the network. The MST instances combine with the IST at the boundary of the region to become the CST.

Hop Count

The IST and MST instances do not use the message-age and maximum-age information in the configuration BPDU to compute the spanning-tree topology. Instead, they use the path cost to the root and a hop-count mechanism similar to the IP time-to-live (TTL) mechanism. By using the spanning-tree mst max-hops global configuration command, you can configure the maximum hops inside the region and apply it to the IST and all MST instances in that region.

Understanding RSTP

However, the switch does not automatically revert to MSTP mode if it no longer receives 802.1D BPDUs, because it cannot determine whether the legacy switch has been removed from the link unless the legacy switch is the designated switch. Also, a switch might continue to assign a boundary role to a port when the switch to which this switch is connected has joined the region.

In a stable topology with consistent port roles throughout the network, RSTP ensures that every root port and designated port immediately transitions to the forwarding state while all alternate and backup ports are always in the discarding state (equivalent to blocking in 802.1D). The port state controls the operation of the forwarding and learning processes. Table 15-1 provides a comparison of 802.1D and RSTP port states.

When Switch C is connected to Switch B, a similar set of handshaking messages is exchanged. Switch C selects the port connected to Switch B as its root port, and both ends immediately transition to the forwarding state. With each iteration of this handshaking process, one more switch joins the active topology. As the network converges, this proposal-agreement handshaking progresses from the root toward the leaves of the spanning tree.

[Figure 15-3 Sequence of Events During Rapid Convergence: 1. Proposal, 2. Block, 3. Block, 4. Agreement, 5. Forward, 6. Proposal, 7. Proposal, 8. Agreement, 9. Forward, 10. Agreement, 11. Forward; root ports, designated ports and an edge port are marked]

Bridge Protocol Data Unit Format and Processing

The RSTP BPDU format is the same as the IEEE 802.1D BPDU format except that the protocol version is set to 2.

RSTP does not have a separate topology change notification (TCN) BPDU. It uses the topology change (TC) flag to show topology changes. However, for interoperability with 802.1D switches, the RSTP switch processes and generates TCN BPDUs. The learning and forwarding flags are set according to the state of the sending port.
Chapter 15 Configuring MSTP Configuring MSTP Features • Propagation—When an RSTP switch receives a TC message from another switch through a designated or root port, it propagates the change to all of its nonedge, designated ports and to the root port (excluding the port on which it is received). The switch starts the TC-while timer for all such ports and flushes the information learned on them. • Protocol migration—For backward compatibility with 802.1D switches, RSTP selectively sends 802.
Default MSTP Configuration

Table 15-3 shows the default MSTP configuration.

Table 15-3 Default MSTP Configuration

Feature                                                                    Default Setting
Spanning-tree mode                                                         PVST+ (Rapid PVST+ and MSTP are disabled).
Switch priority (configurable on a per-CIST interface basis)               32768.
Spanning-tree port priority (configurable on a per-CIST interface basis)   128.
Spanning-tree port cost (configurable on a per-CIST interface basis)       1000 Mbps: 4. 100 Mbps: 19.

• All MST boundary ports must be forwarding for load balancing between a PVST+ and an MST cloud or between a rapid-PVST+ and an MST cloud. For this to occur, the IST master of the MST cloud should also be the root of the CST.

Step 8   spanning-tree mode mst     Enable MSTP. RSTP is also enabled.

Caution  Changing spanning-tree modes can disrupt traffic because all spanning-tree instances are stopped for the previous mode and restarted in the new mode. You cannot run both MSTP and PVST+ or both MSTP and rapid PVST+ at the same time.

Step 9   end                        Return to privileged EXEC mode.
Step 10  show running-config        Verify your entries.

If any root switch for the specified instance has a switch priority lower than 24576, the switch sets its own priority to 4096 less than the lowest switch priority. (4096 is the value of the least-significant bit of a 4-bit switch priority value as shown in Table 14-1 on page 14-4.)

Note  Catalyst 2970 switches running software earlier than Cisco IOS Release 12.1(14)EA1 do not support the MSTP.

Step 3   end                                       Return to privileged EXEC mode.
Step 4   show spanning-tree mst instance-id        Verify your entries.
Step 5   copy running-config startup-config        (Optional) Save your entries in the configuration file.

To return the switch to its default setting, use the no spanning-tree mst instance-id root global configuration command.
Configuring Port Priority

If a loop occurs, the MSTP uses the port priority when selecting an interface to put into the forwarding state. You can assign higher priority values (lower numerical values) to interfaces that you want selected first and lower priority values (higher numerical values) to interfaces that you want selected last.

Configuring Path Cost

The MSTP path cost default value is derived from the media speed of an interface. If a loop occurs, the MSTP uses cost when selecting an interface to put in the forwarding state. You can assign lower cost values to interfaces that you want selected first and higher cost values to interfaces that you want selected last.

Configuring the Switch Priority

You can configure the switch priority and make it more likely that the switch will be chosen as the root switch.

Note  Exercise care when using this command. For most situations, we recommend that you use the spanning-tree mst instance-id root primary and the spanning-tree mst instance-id root secondary global configuration commands to modify the switch priority.

Step 1   configure terminal                     Enter global configuration mode.
Step 2   spanning-tree mst hello-time seconds   Configure the hello time for all MST instances. The hello time is the interval between the generation of configuration messages by the root switch. These messages mean that the switch is alive. For seconds, the range is 1 to 10; the default is 2.
Step 3   end                                    Return to privileged EXEC mode.

Configuring the Maximum-Aging Time

Beginning in privileged EXEC mode, follow these steps to configure the maximum-aging time for all MST instances. This procedure is optional.

Step 1   configure terminal                     Enter global configuration mode.
Step 2   spanning-tree mst max-age seconds      Configure the maximum-aging time for all MST instances.

Specifying the Link Type to Ensure Rapid Transitions

If you connect a port to another port through a point-to-point link and the local port becomes a designated port, the RSTP negotiates a rapid transition with the other port by using the proposal-agreement handshake to ensure a loop-free topology as described in the “Rapid Convergence” section on page 15-7.
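The following configuration is an added worked example, not taken from the Cisco guide, that ties the preceding MSTP procedures together on one switch: it defines an MST region, maps VLANs onto two instances, pins the root and backup root for each instance, sets the region timers and hop limit, and marks the uplink as point-to-point so that the proposal-agreement handshake is used. The region name CAMPUS-REGION, the revision number, the VLAN and instance numbers, the interface number and the cost value are assumptions chosen for illustration. Pinning the root with root primary and root secondary on switches you control also means that a newly attached switch with a low bridge priority cannot quietly take over an instance, which is the operational reason to set it explicitly instead of leaving every switch at the default priority of 32768.

```cisco
! Added example, not from the Cisco guide. Region name, revision, VLAN and
! instance numbers, interface number and the cost value are assumptions.
! Every switch in the region must carry the same name, revision and
! instance-to-VLAN mapping, or it forms a region of its own.
configure terminal
 spanning-tree mst configuration
  name CAMPUS-REGION
  revision 1
  instance 1 vlan 10-20
  instance 2 vlan 30-40
  exit
 ! Disruptive: PVST+ instances are stopped and restarted as MSTP
 spanning-tree mode mst
 ! This switch is root for instance 1 and backup root for instance 2;
 ! its peer is configured the other way round so both uplinks carry traffic
 spanning-tree mst 1 root primary
 spanning-tree mst 2 root secondary
 ! Timers and hop limit apply to the IST and all MST instances in the region
 spanning-tree mst hello-time 2
 spanning-tree mst max-hops 20
 interface gigabitethernet0/24
  description uplink to distribution switch
  ! Full-duplex switch-to-switch link: use the proposal-agreement handshake
  spanning-tree link-type point-to-point
  ! Prefer this uplink for instance 2 by lowering its cost below the default
  spanning-tree mst 2 cost 10000
  exit
 end
! The configuration digest shown here must match on every switch in the region
show spanning-tree mst configuration
show spanning-tree mst 1
```

After the change, compare the output of show spanning-tree mst configuration on each switch; a differing digest means that switch has ended up in its own region and its ports toward the others have become boundary ports, which defeats the per-instance load balancing.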
Displaying the MST Configuration and Status

To display the spanning-tree status, use one or more of the privileged EXEC commands in Table 15-4:

Table 15-4 Commands for Displaying MST Status

Command                                   Purpose
show spanning-tree mst configuration      Displays the MST region configuration.
show spanning-tree mst instance-id        Displays MST information for the specified instance.
Chapter 15 Configuring MSTP Displaying the MST Configuration and Status Catalyst 2970 Switch Software Configuration Guide 15-24 78-15462-03
CHAPTER 16 Configuring Optional Spanning-Tree Features

This chapter describes how to configure optional spanning-tree features on the Catalyst 2970 switch. You can configure all of these features when your switch is running the per-VLAN spanning-tree plus (PVST+). You can configure only the noted features when your switch is running the Multiple Spanning Tree Protocol (MSTP) or the rapid per-VLAN spanning-tree plus (rapid-PVST+) protocol.

Understanding Port Fast

Port Fast immediately brings an interface configured as an access or trunk port to the forwarding state from a blocking state, bypassing the listening and learning states.

Understanding BPDU Guard

The BPDU guard feature can be globally enabled on the switch or can be enabled per interface, but the feature operates with some differences. At the global level, you enable BPDU guard on Port Fast-enabled ports by using the spanning-tree portfast bpduguard default global configuration command. Spanning tree shuts down ports that are in a Port Fast-operational state if any BPDU is received on them.

Understanding UplinkFast

Switches in hierarchical networks can be grouped into backbone switches, distribution switches, and access switches. Figure 16-2 shows a complex network where distribution switches and access switches each have at least one redundant link that spanning tree blocks to prevent loops.

Figure 16-3 shows an example topology with no link failures. Switch A, the root switch, is connected directly to Switch B over link L1 and to Switch C over link L2. The Layer 2 interface on Switch C that is connected directly to Switch B is in a blocking state.

the designated switch. When a switch receives an inferior BPDU, it means that a link to which the switch is not directly connected (an indirect link) has failed (that is, the designated switch has lost its connection to the root switch).

Figure 16-6 BackboneFast Example After Indirect Link Failure (figure not reproduced; it labels Switch A (Root), Switch B, the failed link L1, and link L3, and notes that BackboneFast changes the port through the listening and learning states to the forwarding state)

If a switch outside the SP network becomes the root switch, the interface is blocked (root-inconsistent state), and spanning tree selects a new root switch. The customer’s switch does not become the root switch and is not in the path to the root. If the switch is operating in multiple spanning-tree (MST) mode, root guard forces the port to be a designated port.

When the switch is operating in MST mode, BPDUs are not sent on nonboundary ports only if the port is blocked by loop guard in all MST instances. On a boundary port, loop guard blocks the port in all MST instances.
Enabling Port Fast

A port with the Port Fast feature enabled is moved directly to the spanning-tree forwarding state without waiting for the standard forward-time delay.

Caution  Use Port Fast only when connecting a single end station to an access or trunk port.

Enabling BPDU Guard

When you globally enable BPDU guard on ports that are Port Fast-enabled (the ports are in a Port Fast-operational state), spanning tree shuts down Port Fast-enabled ports that receive BPDUs. In a valid configuration, Port Fast-enabled ports do not receive BPDUs.

Enabling BPDU Filtering

When you globally enable BPDU filtering on Port Fast-enabled ports, it prevents ports that are in a Port Fast-operational state from sending or receiving BPDUs. The ports still send a few BPDUs at link-up before the switch begins to filter outbound BPDUs. You should globally enable BPDU filtering on a switch so that hosts connected to these ports do not receive BPDUs. If a BPDU is nevertheless received on such a port, the port loses its Port Fast-operational status and returns to normal spanning-tree operation. Enabling BPDU filtering on an individual interface, by contrast, is the same as disabling spanning tree on that interface and can result in spanning-tree loops.

Enabling UplinkFast for Use with Redundant Links

UplinkFast cannot be enabled on VLANs that have been configured with a switch priority. To enable UplinkFast on a VLAN with switch priority configured, first restore the switch priority on the VLAN to the default value by using the no spanning-tree vlan vlan-id priority global configuration command.

The BackboneFast feature is supported only when the switch is running PVST+. It is not supported when the switch is running rapid PVST+ or MSTP.

Beginning in privileged EXEC mode, follow these steps to enable BackboneFast. This procedure is optional.

Step 1   configure terminal           Enter global configuration mode.
Step 2   spanning-tree backbonefast   Enable BackboneFast.

Enabling Loop Guard

You can use loop guard to prevent alternate or root ports from becoming designated ports because of a failure that leads to a unidirectional link. This feature is most effective when it is configured on the entire switched network. Loop guard operates only on ports that are considered point-to-point by the spanning tree.
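The following is an added example, not from the Cisco guide, that combines the optional features described in this chapter into one access-switch configuration: Port Fast with BPDU guard on user ports, root guard on a port that faces a switch you do not control, loop guard on the uplink toward the root, and automatic recovery from the error-disabled state. The interface numbers, the VLAN and the recovery interval are assumptions. BPDU filtering is deliberately not applied to any individual port here; filtering an interface is equivalent to disabling spanning tree on it, so a user who plugs in a second switch could form a loop the switch can no longer detect, whereas BPDU guard turns that event into a shut port and a log entry.

```cisco
! Added example, not from the Cisco guide. Interface numbers, the VLAN and
! the recovery interval are assumptions.
configure terminal
 ! Any Port Fast-operational port that receives a BPDU is error-disabled
 spanning-tree portfast bpduguard default
 ! Loop guard on all point-to-point links unless overridden per interface
 spanning-tree loopguard default
 ! Bring a BPDU guard-disabled port back after 5 minutes instead of
 ! leaving it down until an administrator notices
 errdisable recovery cause bpduguard
 errdisable recovery interval 300
 interface range gigabitethernet0/1 - 20
  switchport mode access
  switchport access vlan 10
  ! Single end station only: skip listening and learning
  spanning-tree portfast
  ! Explicit per-port guard, independent of the global default
  spanning-tree bpduguard enable
  exit
 interface gigabitethernet0/23
  description customer or partner switch
  ! A superior BPDU here puts the port in root-inconsistent state
  ! instead of letting the far-end switch become root
  spanning-tree guard root
  exit
 interface gigabitethernet0/24
  description uplink toward the root switch
  ! Root guard and loop guard cannot both be set on one port; the
  ! uplink toward the root gets loop guard only
  spanning-tree guard loop
  exit
 end
show spanning-tree summary
show spanning-tree inconsistentports
```

show spanning-tree inconsistentports lists ports held in root-inconsistent or loop-inconsistent state; a customer port appearing there means the far side is advertising a better bridge ID than your root, which is exactly what root guard is for.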
Displaying the Spanning-Tree Status

To display the spanning-tree status, use one or more of the privileged EXEC commands in Table 16-2:

Table 16-2 Commands for Displaying the Spanning-Tree Status

Command                        Purpose
show spanning-tree active      Displays spanning-tree information on active interfaces only.
show spanning-tree detail      Displays a detailed summary of interface information.
CHAPTER 17 Configuring DHCP Features

This chapter describes how to configure Dynamic Host Configuration Protocol (DHCP) snooping and the option-82 data insertion features on the Catalyst 2970 switch.

Note  For complete syntax and usage information for the commands used in this chapter, see the command reference for this release, and refer to the “IP Addressing and Services” section in the Cisco IOS IP and IP Routing Command Reference for Release 12.1.

Option-82 Data Insertion

In residential, metropolitan Ethernet-access environments, DHCP can centrally manage the IP address assignments for a large number of subscribers. When the DHCP option-82 feature is enabled on the switch, a subscriber is identified by the switch port through which it connects to the network (in addition to its MAC address).

Configuring DHCP Features

These sections describe how to configure DHCP snooping and option 82 on your switch:

• Default DHCP Configuration, page 17-3
• DHCP Snooping Configuration Guidelines, page 17-3
• Enabling DHCP Snooping and Option 82, page 17-4

Default DHCP Configuration

Table 17-1 shows the default DHCP configuration.

Enabling DHCP Snooping and Option 82

Beginning in privileged EXEC mode, follow these steps to enable DHCP snooping on the switch.

Step 1   configure terminal                         Enter global configuration mode.
Step 2   ip dhcp snooping                           Enable DHCP snooping globally.
Step 3   ip dhcp snooping vlan vlan-id [vlan-id]    Enable DHCP snooping on a VLAN or range of VLANs.
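Here is an added example, not from the Cisco guide, showing the complete DHCP snooping configuration that the procedure above begins: snooping is enabled globally and on the subscriber VLANs, option 82 insertion is turned on, and only the uplink toward the DHCP server is marked trusted. The VLAN numbers, interface numbers and rate limit are assumptions, and the per-port ip dhcp snooping limit rate command is assumed to be available on this release. Because every port is untrusted by default, a DHCPOFFER or DHCPACK arriving from a host on an access port is dropped, which is what stops a rogue DHCP server on the user side; a packet that already carries option 82 from a downstream relay is likewise dropped on an untrusted port, so the trusted uplink is the only place such packets are accepted.

```cisco
! Added example, not from the Cisco guide. VLAN numbers, interface numbers
! and the rate limit are assumptions; the limit rate command is assumed to
! exist on this release.
configure terminal
 ip dhcp snooping
 ip dhcp snooping vlan 10
 ip dhcp snooping vlan 20
 ! Insert circuit-id (port) and remote-id (switch) so the server can tie
 ! a lease to the physical port that requested it
 ip dhcp snooping information option
 interface gigabitethernet0/24
  description uplink toward the DHCP server or relay
  ! Trusted: server replies and relayed packets are accepted on this port
  ip dhcp snooping trust
  exit
 interface range gigabitethernet0/1 - 20
  ! Untrusted (the default): DHCPOFFER/DHCPACK from a host are dropped and
  ! client messages are validated before a binding is created; the rate
  ! limit stops a host from flooding the CPU with DHCPDISCOVER
  ip dhcp snooping limit rate 15
  exit
 end
show ip dhcp snooping
show ip dhcp snooping binding
```

Check show ip dhcp snooping after enabling: the VLAN list and the trusted interface must both appear, since snooping enabled globally but on no VLAN does nothing, and a forgotten trust on the uplink drops every legitimate offer for the whole VLAN.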
Displaying DHCP Information

You can display a DHCP snooping binding table and configuration information for all interfaces on a switch.

Displaying a Binding Table

The DHCP snooping binding table for each switch has binding entries that correspond to untrusted ports. The table does not have information about hosts interconnected with a trusted port because each interconnected switch has its own DHCP snooping binding table.
CHAPTER 18 Configuring IGMP Snooping and MVR

This chapter describes how to configure Internet Group Management Protocol (IGMP) snooping on the Catalyst 2970 switch, including an application of local IGMP snooping, Multicast VLAN Registration (MVR). It also includes procedures for controlling multicast group membership by using IGMP filtering and procedures for configuring the IGMP throttling action.

Understanding IGMP Snooping

Layer 2 switches can use IGMP snooping to constrain the flooding of multicast traffic by dynamically configuring Layer 2 interfaces so that multicast traffic is forwarded to only those interfaces associated with IP multicast devices.

IGMP Versions

The switch supports IGMP version 1, IGMP version 2, and IGMP version 3. These versions are interoperable on the switch. For example, if IGMP snooping is enabled on an IGMPv2 switch and the switch receives an IGMPv3 report from a host, the switch can forward the IGMPv3 report to the multicast router.

Note  The switches support IGMPv3 snooping based only on the destination multicast MAC address.

Figure 18-1 Initial IGMP Join Message (figure not reproduced; it shows Router A on port 1, Host 1 through Host 4 on ports 2 through 5, an IGMP report for 224.1.2.3, and the VLAN, switching engine, CPU, and forwarding table)

Router A sends a general query to the switch, which forwards the query to ports 2 through 5, all members of the same VLAN. Host 1 wants to join multicast group 224.1.2.3 and multicasts an IGMP membership report (IGMP join message) to the group.

Figure 18-2 Second Host Joining a Multicast Group (figure not reproduced; it shows Router A on port 1, Host 1 through Host 4 on ports 2 through 5, and the VLAN, switching engine, CPU, and forwarding table)

Table 18-2 Updated IGMP Snooping Forwarding Table

Destination Address   Type of Packet   Ports
224.1.2.3             IGMP             1, 2, 5

Leaving a Multicast Group

The router sends periodic multicast general queries, and the switch forwards these queries through all ports in the VLAN.

Immediate-Leave Processing

Immediate Leave is only supported with IGMP version 2 hosts. The switch uses IGMP snooping Immediate-Leave processing to remove from the forwarding table an interface that sends a leave message without the switch sending MAC-based general queries to the interface. The VLAN interface is pruned from the multicast tree for the multicast group specified in the original leave message.

Default IGMP Snooping Configuration

Table 18-3 shows the default IGMP snooping configuration.

To disable IGMP snooping on a VLAN interface, use the no ip igmp snooping vlan vlan-id global configuration command for the specified VLAN number.

Setting the Snooping Method

Multicast-capable router ports are added to the forwarding table for every Layer 2 multicast entry.

IGMP snooping                     :Enabled
IGMPv3 snooping (minimal)         :Enabled
Report suppression                :Enabled
TCN solicit query                 :Disabled
TCN flood query count             :2
Vlan 1:
--------
IGMP snooping                     :Enabled
Immediate leave                   :Disabled
Multicast router learning mode    :pim-dvmrp
Source only learning age timer    :10
CGMP interoperability mode        :IGMP_ONLY

To return to the default learning method, use the no ip igmp snooping vlan vlan-id mrouter learn cgmp global configuration command.

Configuring a Host Statically to Join a Group

Hosts or Layer 2 ports normally join multicast groups dynamically, but you can also statically configure a host on an interface.

Beginning in privileged EXEC mode, follow these steps to enable IGMP Immediate-Leave processing:

Step 1   configure terminal                               Enter global configuration mode.
Step 2   ip igmp snooping vlan vlan-id immediate-leave    Enable IGMP Immediate-Leave processing on the VLAN interface.
Step 3   end                                              Return to privileged EXEC mode.
Step 4   show ip igmp snooping vlan vlan-id               Verify that Immediate Leave is enabled on the VLAN.
Displaying IGMP Snooping Information

You can display IGMP snooping information for dynamically learned and statically configured router ports and VLAN interfaces. You can also display MAC address multicast entries for a VLAN configured for IGMP snooping. To display IGMP snooping information, use one or more of the privileged EXEC commands in Table 18-4.

Understanding Multicast VLAN Registration

Multicast VLAN Registration (MVR) is designed for applications using wide-scale deployment of multicast traffic across an Ethernet ring-based service provider network (for example, the broadcast of multiple television channels over a service-provider network). MVR allows a subscriber on a port to subscribe and unsubscribe to a multicast stream on the network-wide multicast VLAN.

Using MVR in a Multicast Television Application

In a multicast television application, a PC or a television with a set-top box can receive the multicast stream. Multiple set-top boxes or PCs can be connected to one subscriber port, which is a switch port configured as an MVR receiver port. Figure 18-3 is an example configuration. DHCP assigns an IP address to the set-top box or the PC.

When a subscriber changes channels or turns off the television, the set-top box sends an IGMP leave message for the multicast stream. The switch CPU sends a MAC-based general query through the receiver port VLAN. If there is another set-top box in the VLAN still subscribing to this group, that set-top box must respond within the maximum response time specified in the query.

Default MVR Configuration

Table 18-5 shows the default MVR configuration.

Table 18-5 Default MVR Configuration

Feature                 Default Setting
MVR                     Disabled globally and per interface
Multicast addresses     None configured
Query response time     0.

Beginning in privileged EXEC mode, follow these steps to configure MVR parameters:

Step 1   configure terminal               Enter global configuration mode.
Step 2   mvr                              Enable MVR on the switch.
Step 3   mvr group ip-address [count]     Configure an IP multicast address on the switch or use the count parameter to configure a contiguous series of MVR group addresses (the range for count is 1 to 256; the default is 1).

Configuring MVR Interfaces

Beginning in privileged EXEC mode, follow these steps to configure Layer 2 MVR interfaces:

Step 1   configure terminal        Enter global configuration mode.
Step 2   mvr                       Enable MVR on the switch.
Step 3   interface interface-id    Enter interface configuration mode, and enter the type and number of the Layer 2 port to configure.

This example shows how to configure Gigabit Ethernet port 0/3 as a receiver port, statically configure the port to receive multicast traffic sent to the multicast group address, configure Immediate Leave on the interface, and verify the results.

Switch(config)# mvr
Switch(config)# interface gigabitethernet0/3
Switch(config-if)# mvr type receiver
Switch(config-if)# mvr vlan 22 group 228.1.23.
Configuring IGMP Filtering and Throttling

In some environments, for example, metropolitan or multiple-dwelling unit (MDU) installations, you might want to control the set of multicast groups to which a user on a switch port can belong. You can control the distribution of multicast services, such as IP/TV, based on some type of subscription or service plan.

Default IGMP Filtering and Throttling Configuration

Table 18-7 shows the default IGMP filtering configuration.

Step 4   range ip multicast address    Enter the IP multicast address or range of IP multicast addresses to which access is being controlled. If entering a range, enter the low IP multicast address, a space, and the high IP multicast address. You can use the range command multiple times to enter multiple addresses or ranges of addresses.
Step 5   end                           Return to privileged EXEC mode.

To remove a profile from an interface, use the no ip igmp filter profile number interface configuration command.

Configuring the IGMP Throttling Action

After you set the maximum number of IGMP groups that a Layer 2 interface can join, you can configure an interface to remove a randomly selected multicast entry in the forwarding table and to add the next IGMP group to it by using the ip igmp max-groups action replace interface configuration command.
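As an added example that is not part of the Cisco guide, the following configuration carries the IGMP filtering and throttling procedure of this section through end to end: a permit profile restricts subscriber ports to two group ranges, each port is capped at five concurrent groups, and the throttling action is set to replace so that a sixth join evicts a randomly chosen existing entry instead of being dropped. The profile number, the group ranges, the interface numbers and the limit are assumptions. Filters and group limits apply only to Layer 2 physical ports; they cannot be applied to routed ports, SVIs, or ports that belong to an EtherChannel group.

```cisco
! Added example, not from the Cisco guide. Profile number, group ranges,
! interface numbers and the group limit are assumptions.
configure terminal
 ip igmp profile 1
  ! permit: hosts may join only the ranges listed; every other group is denied
  permit
  range 239.10.0.0 239.10.0.255
  range 239.20.5.1
  exit
 interface range gigabitethernet0/1 - 20
  ! Reports for groups outside profile 1 are dropped on these ports
  ip igmp filter 1
  ! At most five concurrent groups per port
  ip igmp max-groups 5
  ! Sixth join: a randomly selected existing entry is removed and the new
  ! group is added, instead of the report being dropped (the default)
  ip igmp max-groups action replace
  exit
 end
show ip igmp profile 1
show running-config interface gigabitethernet0/1
```

Choose replace only where losing an existing stream is preferable to refusing a new one; with the default drop action a subscriber who is already at the limit keeps what they have, which is usually the safer failure mode for paid channels.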
To return to the default action of dropping the report, use the no ip igmp max-groups action interface configuration command. This example shows how to configure an interface to remove a randomly selected multicast entry in the forwarding table and to add an IGMP group to the forwarding table when the maximum number of entries is in the table.
CHAPTER 19 Configuring Port-Based Traffic Control

This chapter describes how to configure the port-based traffic control features on the Catalyst 2970 switch.

Note  For complete syntax and usage information for the commands used in this chapter, refer to the command reference for this release.

Understanding Storm Control

Storm control prevents switchports on a LAN from being disrupted by a broadcast, multicast, or unicast storm on one of the physical interfaces. A LAN storm occurs when packets flood the LAN, creating excessive traffic and degrading network performance. Errors in the protocol-stack implementation or in the network configuration can cause a storm.

Note  Because packets do not arrive at uniform intervals, the 200-millisecond time interval during which traffic activity is measured can affect the behavior of storm control.

The switch continues to monitor traffic on the port, and when the utilization level is below the threshold level, the type of traffic that was dropped is forwarded again.

Step 4   storm-control multicast level level [.level]    Specify the multicast traffic suppression level for an interface as a percentage of total bandwidth. The level can be from 1 to 100; the optional fraction of a level can be from 0 to 99. A threshold value of 100 percent means that no limit is placed on multicast traffic. A value of 0.0 means that all multicast traffic on that port is blocked.

Configuring Protected Ports

Some applications require that no traffic be forwarded at Layer 2 between ports on the same switch so that one neighbor does not see the traffic generated by another neighbor. In such an environment, the use of protected ports ensures that there is no exchange of unicast, broadcast, or multicast traffic between these ports on the switch.

This example shows how to configure Gigabit Ethernet interface 0/1 as a protected port:

Switch# configure terminal
Switch(config)# interface gigabitethernet0/1
Switch(config-if)# switchport protected
Switch(config-if)# end

Configuring Port Blocking

By default, the switch floods packets with unknown destination MAC addresses out of all ports.

Switch(config)# interface gigabitethernet0/1
Switch(config-if)# switchport block multicast
Switch(config-if)# switchport block unicast
Switch(config-if)# end

Configuring Port Security

You can use the port security feature to restrict input to an interface by limiting and identifying MAC addresses of the stations allowed to access the port.
• Sticky secure MAC addresses—These can be dynamically learned or manually configured, stored in the address table, and added to the running configuration. If these addresses are saved in the configuration file, when the switch restarts, the interface does not need to dynamically reconfigure them.

of this state by entering the errdisable recovery cause psecure-violation global configuration command, or you can manually re-enable it by entering the shutdown and no shutdown interface configuration commands. This is the default mode.

Table 19-1 shows the violation mode and the actions taken when you configure an interface for port security.

• You cannot configure static secure or sticky secure MAC addresses in the voice VLAN.

Note  Voice VLAN is only supported on access ports and not on trunk ports, even though the configuration is allowed.

Step 5   switchport port-security maximum value [vlan [vlan-list]]    (Optional) Set the maximum number of secure MAC addresses for the interface. The maximum number of secure MAC addresses that you can configure on a switch is determined by the maximum number of available MAC addresses allowed in the system.

Step 8   switchport port-security mac-address sticky                (Optional) Enable sticky learning on the interface.
Step 9   switchport port-security mac-address sticky mac-address    (Optional) Enter a sticky secure MAC address, repeating the command as many times as necessary.

This example shows how to enable port security on Gigabit Ethernet port 0/1 and to set the maximum number of secure addresses to 50. The violation mode is the default, no static secure MAC addresses are configured, and sticky learning is enabled.

Step 3   switchport port-security aging {static | time time | type {absolute | inactivity}}    Enable or disable static aging for the secure port, or set the aging time or type.

Note  The switch does not support port security aging of sticky secure addresses.

Enter static to enable aging for statically configured secure addresses on this port. For time, specify the aging time for this port.
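The following added example, not from the Cisco guide, puts the port-based traffic control features of this chapter (storm control, protected ports, and port security with its violation modes, sticky learning and aging) together on two kinds of access port. The first port accepts at most two addresses, one pinned and one learned sticky, drops and counts frames from anything else without taking the port down, and caps broadcast and multicast floods; the second port learns a single dynamic address that is forgotten after an hour of silence so that a replaced device can be learned without manual intervention. The VLAN, interface numbers, MAC address, thresholds and timers are assumptions. Aging is configured only on the second port because, as the Note above says, sticky secure addresses are never aged.

```cisco
! Added example, not from the Cisco guide. VLAN, interface numbers, MAC
! address, limits and timers are assumptions.
configure terminal
 ! Ports error-disabled by a shutdown-mode violation come back after 10 min
 errdisable recovery cause psecure-violation
 errdisable recovery interval 600
 interface gigabitethernet0/5
  description subscriber port: one known device plus one learned device
  ! Port security needs a static access or trunk port, not dynamic mode
  switchport mode access
  switchport access vlan 10
  switchport port-security
  switchport port-security maximum 2
  ! restrict: frames from unknown addresses are dropped and counted, the
  ! port stays up; shutdown (the default) error-disables the whole port
  switchport port-security violation restrict
  ! sticky: learned addresses go into the running configuration and
  ! survive a reload once saved; sticky addresses are not aged
  switchport port-security mac-address sticky
  switchport port-security mac-address sticky 0002.0003.0004
  ! storm control: drop broadcast above 20% and multicast above 30% of
  ! bandwidth, measured over 200 ms, until traffic falls below the level
  storm-control broadcast level 20
  storm-control multicast level 30
  ! no Layer 2 forwarding between this and other protected ports
  switchport protected
  exit
 interface gigabitethernet0/6
  description kiosk port: single dynamic address, silently re-learned
  switchport mode access
  switchport access vlan 10
  switchport port-security
  switchport port-security maximum 1
  ! protect: drop without logging; use only where alerting is not wanted
  switchport port-security violation protect
  ! forget the dynamic address after 60 minutes without traffic
  switchport port-security aging time 60
  switchport port-security aging type inactivity
  exit
 end
show port-security
show port-security interface gigabitethernet0/5
show port-security address
show storm-control gigabitethernet0/5
! sticky addresses exist only in the running configuration until saved
copy running-config startup-config
```

Prefer restrict over protect on any port you monitor: both drop the offending frames, but only restrict increments the violation counter and raises a trap or syslog message, so a MAC flooding attempt against the address table becomes visible rather than silently absorbed.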
Chapter 19 Configuring Port-Based Traffic Control Displaying Port-Based Traffic Control Settings Displaying Port-Based Traffic Control Settings The show interfaces interface-id switchport privileged EXEC command displays (among other characteristics) the interface traffic suppression and control configuration. The show interfaces counters privileged EXEC commands display the count of discarded packets. The show storm-control and show port-security privileged EXEC commands display those features.
Chapter 20 Configuring CDP
This chapter describes how to configure Cisco Discovery Protocol (CDP) on the Catalyst 2970 switch. Note For complete syntax and usage information for the commands used in this chapter, refer to the command reference for this release and the Cisco IOS Configuration Fundamentals Command Reference for Release 12.1.
Configuring CDP
These sections include CDP configuration information and procedures: • Default CDP Configuration, page 20-2 • Configuring the CDP Characteristics, page 20-2 • Disabling and Enabling CDP, page 20-3 • Disabling and Enabling CDP on an Interface, page 20-4
CDP advertises the switch's identity, platform, software version, and addresses in clear text to whatever device is connected to the port, so disable it on interfaces that face untrusted hosts.
Default CDP Configuration Table 20-1 shows the default CDP configuration.
Step 6 show cdp Verify the configuration by displaying global information about CDP on the device. Step 7 copy running-config startup-config (Optional) Save your entries in the configuration file. Use the no form of the CDP commands to return to the default settings. This example shows how to configure and verify CDP characteristics.
Beginning in privileged EXEC mode, follow these steps to enable CDP when it has been disabled: Step 1 configure terminal Enter global configuration mode. Step 2 cdp run Enable CDP after disabling it. Step 3 end Return to privileged EXEC mode. This example shows how to enable CDP if it has been disabled.
Monitoring and Maintaining CDP
To monitor and maintain CDP on your device, perform one or more of these tasks, beginning in privileged EXEC mode. clear cdp counters Reset the traffic counters to zero. clear cdp table Delete the CDP table of information about neighbors. show cdp Display global information, such as frequency of transmissions and the holdtime for packets being sent.
Chapter 21 Configuring UDLD
This chapter describes how to configure the UniDirectional Link Detection (UDLD) protocol on the Catalyst 2970 switch. Note For complete syntax and usage information for the commands used in this chapter, refer to the command reference for this release.
Understanding UDLD
A unidirectional link occurs whenever traffic sent by a local device is received by its neighbor but traffic from the neighbor is not received by the local device. In normal mode, UDLD detects a unidirectional link when fiber strands in a fiber-optic interface are misconnected and the Layer 1 mechanisms do not detect this misconnection.
• Event-driven detection and echoing UDLD relies on echoing as its detection mechanism. Whenever a UDLD device learns about a new neighbor or receives a resynchronization request from an out-of-sync neighbor, it restarts the detection window on its side of the connection and sends echo messages in reply. Because this behavior is the same on all UDLD neighbors, the sender of the echoes expects to receive an echo in reply.
Configuring UDLD
This section describes how to configure UDLD on your switch. It contains this configuration information: • Default UDLD Configuration, page 21-4 • Configuration Guidelines, page 21-4 • Enabling UDLD Globally, page 21-5 • Enabling UDLD on an Interface, page 21-5 • Resetting an Interface Disabled by UDLD, page 21-6
Default UDLD Configuration Table 21-1 shows the default UDLD configuration.
Enabling UDLD Globally
Beginning in privileged EXEC mode, follow these steps to enable UDLD in the aggressive or normal mode and to set the configurable message timer on all fiber-optic interfaces on the switch: Step 1 configure terminal Enter global configuration mode.
Step 3 udld port {aggressive | disable} UDLD is disabled by default. • udld port—Enables UDLD in normal mode on the specified interface. • udld port aggressive—Enables UDLD in aggressive mode on the specified interface. • udld port disable—Disables UDLD on the specified fiber-optic interface. This command overrides the UDLD global setting and is available only on fiber-optic interfaces.
Chapter 22 Configuring SPAN and RSPAN
This chapter describes how to configure Switched Port Analyzer (SPAN) and Remote SPAN (RSPAN) on the Catalyst 2970 switch. Note For complete syntax and usage information for the commands used in this chapter, refer to the command reference for this release.
Understanding SPAN and RSPAN
This section includes these topics: • Local SPAN, page 22-2 • Remote SPAN, page 22-2 • SPAN and RSPAN Concepts and Terminology, page 22-3 • SPAN and RSPAN Interaction with Other Features, page 22-8
Local SPAN
Local SPAN supports a SPAN session entirely within one switch; all source ports or source VLANs and destination ports reside in the same switch.
Figure 22-2 Example of RSPAN Configuration (figure: RSPAN source session A and RSPAN source session B, each with RSPAN source ports on a Catalyst 2970 switch, carry traffic over the RSPAN VLAN through intermediate switches, which must support RSPAN, to the RSPAN destination session and RSPAN destination ports on another Catalyst 2970 switch.)
SPAN and RSPAN Concepts and Terminology
This section describes concepts and terminology associated with SPAN and RSPAN configurati
An RSPAN source session is very similar to a local SPAN session, except for where the packet stream is directed. In an RSPAN source session, SPAN packets are relabeled with the RSPAN VLAN ID and directed over normal trunk ports to the destination switch. An RSPAN destination session takes all packets received on the RSPAN VLAN, strips off the VLAN tagging, and presents them on the destination port.
• Transmit (Tx) SPAN—The goal of transmit (or egress) SPAN is to monitor as much as possible all the packets sent by the source interface after all modification and processing is performed by the switch. A copy of each packet sent by the source is sent to the destination port for that SPAN session. The copy is provided after the packet is modified.
• It can be an access port, trunk port, or voice VLAN port. • It cannot be a destination port. • Source ports can be in the same or different VLANs. • You can monitor multiple source ports in a single session.
Source VLANs
VLAN-based SPAN (VSPAN) is the monitoring of the network traffic in one or more VLANs. The SPAN or RSPAN source interface in VSPAN is a VLAN ID, and traffic is monitored on all the ports for that VLAN.
Destination Port
Each local SPAN session or RSPAN destination session must have a destination port (also called a monitoring port) that receives a copy of traffic from the source ports or VLANs and sends the SPAN packets to the user, usually a network analyzer. A destination port has these characteristics: • For a local SPAN session, the destination port must reside on the same switch as the source port.
RSPAN VLAN
The RSPAN VLAN carries SPAN traffic between RSPAN source and destination sessions. It has these special characteristics: • All traffic in the RSPAN VLAN is always flooded. • No MAC address learning occurs on the RSPAN VLAN. • RSPAN VLAN traffic only flows on trunk ports. • RSPAN VLANs must be configured in VLAN configuration mode by using the remote-span VLAN configuration mode command. Because RSPAN traffic is flooded on every trunk that carries the RSPAN VLAN, a copy of the monitored traffic is readable on any such trunk; allow the RSPAN VLAN only on the trunks between the source and destination switches.
If a physical port that belongs to an EtherChannel group is a destination port and the EtherChannel group is a source, the port is removed from the EtherChannel group and from the list of monitored ports. • Multicast traffic can be monitored. For egress and ingress port monitoring, only a single unedited packet is sent to the SPAN destination port. It does not reflect the number of times the multicast packet is sent.
Configuring Local SPAN
This section describes how to configure Local SPAN on your switch.
Creating a Local SPAN Session
Beginning in privileged EXEC mode, follow these steps to create a SPAN session and specify the source (monitored) ports or VLANs and the destination (monitoring) ports: Step 1 configure terminal Enter global configuration mode. Step 2 no monitor session {session_number | all | local | remote} Remove any existing SPAN configuration for the session.
Step 4 monitor session session_number destination {interface interface-id [, | -] [encapsulation replicate]} Specify the SPAN session and the destination port (monitoring port). For session_number, specify the session number entered in Step 3. Note For local SPAN, you must use the same session number for the source and destination interfaces. For interface-id, specify the destination port.
The monitoring of traffic received on port 0/1 is disabled, but traffic sent from this port continues to be monitored. This example shows how to remove any existing configuration on SPAN session 2, configure SPAN session 2 to monitor received traffic on all ports belonging to VLANs 1 through 3, and send it to destination Gigabit Ethernet port 0/2.
Step 4 monitor session session_number destination {interface interface-id [, | -] [encapsulation replicate] [ingress {dot1q vlan vlan-id | isl | untagged vlan vlan-id | vlan vlan-id}]} Specify the SPAN session, the destination port, the packet encapsulation, and the ingress VLAN and encapsulation. For session_number, specify the session number entered in Step 3. For interface-id, specify the destination port.
Specifying VLANs to Filter
Beginning in privileged EXEC mode, follow these steps to limit SPAN source traffic to specific VLANs: Step 1 configure terminal Enter global configuration mode. Step 2 no monitor session {session_number | all | local | remote} Remove any existing SPAN configuration for the session. For session_number, the range is from 1 to 66.
This example shows how to remove any existing configuration on SPAN session 2, configure SPAN session 2 to monitor traffic received on Gigabit Ethernet trunk port 0/4, and send traffic for only VLANs 1 through 5 and 9 to destination Gigabit Ethernet port 0/3.
• We recommend that you configure an RSPAN VLAN before you configure an RSPAN source or a destination session. • If you enable VTP and VTP pruning, RSPAN traffic is pruned in the trunks to prevent the unwanted flooding of RSPAN traffic across the network for VLAN IDs that are lower than 1005.
Configuring a VLAN as an RSPAN VLAN
First create a new VLAN to be the RSPAN VLAN for the RSPAN session.
Creating an RSPAN Source Session
Beginning in privileged EXEC mode, follow these steps to start an RSPAN source session and to specify the monitored source and the destination RSPAN VLAN: Step 1 configure terminal Enter global configuration mode. Step 2 no monitor session {session_number | all | local | remote} Remove any existing RSPAN configuration for the session. For session_number, the range is from 1 to 66.
To remove a source port or VLAN from the SPAN session, use the no monitor session session_number source {interface interface-id | vlan vlan-id} global configuration command. To remove the RSPAN VLAN from the session, use the no monitor session session_number destination remote vlan vlan-id global configuration command.
Step 7 monitor session session_number destination interface interface-id Specify the RSPAN session and the destination interface. For session_number, enter the number defined in Step 6. Note In an RSPAN destination session, you must use the same session number for the source RSPAN VLAN and the destination port. For interface-id, specify the destination interface. The destination interface must be a physical interface.
Step 3 monitor session session_number source remote vlan vlan-id Specify the RSPAN session and the source RSPAN VLAN. For session_number, the range is from 1 to 66. For vlan-id, specify the source RSPAN VLAN to monitor. Step 4 monitor session session_number Specify the SPAN session, the destination port, the packet encapsulation, and the ingress VLAN and encapsulation.
Specifying VLANs to Filter
Beginning in privileged EXEC mode, follow these steps to configure the RSPAN source session to limit RSPAN source traffic to specific VLANs: Step 1 configure terminal Enter global configuration mode. Step 2 no monitor session {session_number | all | local | remote} Remove any existing SPAN configuration for the session. For session_number, the range is from 1 to 66.
Displaying SPAN and RSPAN Status
To display the current SPAN or RSPAN configuration, use the show monitor user EXEC command. You can also use the show running-config privileged EXEC command to display configured SPAN or RSPAN sessions.
This is an example of output for the show monitor session all user EXEC command when ingress traffic forwarding is enabled:
Switch# show monitor session all
Session 1
---------
Type                  :Local Session
Source Ports          :
    Both              :Gi0/2
Destination Ports     :Gi0/3
    Encapsulation     :Replicate
    Ingress           :Enabled, default VLAN = 5
    Ingress encapsulation:DOT1Q
Session 2
---------
Type                  :Local Session
Source Ports          :
    Both              :Gi0/1
Destination Ports     :Gi0/4
    Encapsulation
Chapter 23 Configuring RMON
This chapter describes how to configure Remote Network Monitoring (RMON) on the Catalyst 2970 switch. RMON is a standard monitoring specification that defines a set of statistics and functions that can be exchanged between RMON-compliant console systems and network probes. RMON provides you with comprehensive network-fault diagnosis, planning, and performance-tuning information.
Figure 23-1 Remote Monitoring Example (figure: a network management station running a generic RMON console application manages a Catalyst 2970 switch on which RMON alarms and events are configured, SNMP is configured, and RMON history and statistic collection is enabled.)
Default RMON Configuration
RMON is disabled by default; no alarms or events are configured. Only RMON 1 is supported on the switch.
Configuring RMON Alarms and Events
You can configure your switch for RMON by using the command-line interface (CLI) or an SNMP-compatible network management station. We recommend that you use a generic RMON console application on the network management station (NMS) to take advantage of RMON’s network management capabilities.
Step 3 rmon event number [description string] [log] [owner string] [trap community] Add an event in the RMON event table that is associated with an RMON event number. • For number, assign an event number. The range is 1 to 65535. • (Optional) For description string, specify a description of the event. • (Optional) Use the log keyword to generate an RMON log entry when the event is triggered.
Collecting Group History Statistics on an Interface
You must first configure RMON alarms and events to display collection information. Beginning in privileged EXEC mode, follow these steps to collect group history statistics on an interface. This procedure is optional. Step 1 configure terminal Enter global configuration mode.
Collecting Group Ethernet Statistics on an Interface
Beginning in privileged EXEC mode, follow these steps to collect group Ethernet statistics on an interface. This procedure is optional. Step 1 configure terminal Enter global configuration mode. Step 2 interface interface-id Enter interface configuration mode, and specify the interface on which to collect statistics.
Chapter 24 Configuring System Message Logging
This chapter describes how to configure system message logging on the Catalyst 2970 switch. Note For complete syntax and usage information for the commands used in this chapter, refer to the Cisco IOS Configuration Fundamentals Command Reference for Release 12.1.
Configuring System Message Logging
These sections describe how to configure system message logging: • System Log Message Format, page 24-2 • Default System Message Logging Configuration, page 24-3 • Disabling Message Logging, page 24-4 (optional) • Setting the Message Display Destination Device, page 24-4 (optional) • Synchronizing Log Messages, page 24-5 (optional) • Enabling and Disabling Time Stamps on Log Mess
Table 24-1 System Log Message Elements (continued)
MNEMONIC: Text string that uniquely describes the message.
description: Text string containing detailed information about the event being reported.
Disabling Message Logging
Message logging is enabled by default. It must be enabled to send messages to any destination other than the console. When enabled, log messages are sent to a logging process, which logs messages to designated locations asynchronously to the processes that generated the messages. Beginning in privileged EXEC mode, follow these steps to disable message logging. This procedure is optional.
Step 3 logging host Log messages to a UNIX syslog server host. For host, specify the name or IP address of the host to be used as the syslog server. To build a list of syslog servers that receive logging messages, enter this command more than once. For complete syslog server configuration steps, see the “Configuring UNIX Syslog Servers” section on page 24-10.
is returned. Therefore, unsolicited messages and debug command output are not interspersed with solicited device output and prompts. After the unsolicited messages appear, the console again displays the user prompt. Beginning in privileged EXEC mode, follow these steps to configure synchronous logging. This procedure is optional. Step 1 configure terminal Enter global configuration mode.
Enabling and Disabling Time Stamps on Log Messages
By default, log messages are not time stamped. Beginning in privileged EXEC mode, follow these steps to enable time-stamping of log messages. This procedure is optional. Step 1 configure terminal Enter global configuration mode. Step 2 service timestamps log uptime Enable log time stamps. An uptime stamp counts from the last reload and cannot be correlated with events on other devices; for logs that feed an incident investigation, use the datetime form of the same command (service timestamps log datetime [msec]) and keep the switch clock synchronized.
To disable sequence numbers, use the no service sequence-numbers global configuration command. This example shows part of a logging display with sequence numbers enabled:
000019: %SYS-5-CONFIG_I: Configured from console by vty2 (10.34.195.36)
Defining the Message Severity Level
You can limit the messages displayed to the selected device by specifying the severity level of the message; the levels are described in Table 24-3.
Table 24-3 Message Logging Level Keywords
Level Keyword    Level  Description                         Syslog Definition
emergencies      0      System unstable                     LOG_EMERG
alerts           1      Immediate action needed             LOG_ALERT
critical         2      Critical conditions                 LOG_CRIT
errors           3      Error conditions                    LOG_ERR
warnings         4      Warning conditions                  LOG_WARNING
notifications    5      Normal but significant condition    LOG_NOTICE
informational    6      Informational messages only         LO
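The message elements from Table 24-1 (sequence number, time stamp, %FACILITY-SEVERITY-MNEMONIC, description) and the level numbers from Table 24-3 are enough to write a parser that selects messages the way logging trap level does. The following Python is an added example, not code from the guide or from Cisco; the sample log is constructed for it (the first line is the one shown in the text, the others are made up, and the MAC and IP addresses in them are placeholders). The debugging level 7 completes the table's range and is not shown on this page.

```python
"""Parse Cisco IOS system log messages and select them by severity (added example)."""
import re
from typing import Dict, List, Optional

# Level keywords and numbers from Table 24-3; 'debugging' (7) completes the range.
LEVELS: Dict[str, int] = {
    "emergencies": 0, "alerts": 1, "critical": 2, "errors": 3,
    "warnings": 4, "notifications": 5, "informational": 6, "debugging": 7,
}

# seq-no (present with 'service sequence-numbers'), time stamp (present with
# 'service timestamps log ...'), then %FACILITY-SEVERITY-MNEMONIC: description.
_MSG = re.compile(
    r"^(?:(?P<seq>\d+):\s*)?"            # optional sequence number
    r"(?:(?P<ts>[^%]*?):\s*)?"           # optional time stamp (uptime or datetime form)
    r"%(?P<fac>[A-Z][A-Z0-9_]*)-(?P<sev>[0-7])-(?P<mn>[A-Z0-9_]+):\s*"
    r"(?P<desc>.*)$"
)

def parse_syslog(line: str) -> Optional[dict]:
    """Split one log line into its elements; None if the line is not an IOS message."""
    m = _MSG.match(line.strip())
    if not m:
        return None
    return {
        "seq": int(m["seq"]) if m["seq"] else None,
        "timestamp": m["ts"] or None,
        "facility": m["fac"],
        "severity": int(m["sev"]),
        "mnemonic": m["mn"],
        "description": m["desc"],
    }

def parse_all(text: str) -> List[dict]:
    return [e for e in (parse_syslog(ln) for ln in text.splitlines()) if e]

def at_least(keyword: str, entries: List[dict]) -> List[dict]:
    """Entries at the given severity or worse (numerically lower), as 'logging trap <keyword>' forwards."""
    limit = LEVELS[keyword]
    return [e for e in entries if e["severity"] <= limit]

# Constructed sample log: the first line is from the text, the rest are made up for this example.
SAMPLE_LOG = """\
000019: %SYS-5-CONFIG_I: Configured from console by vty2 (10.34.195.36)
000020: 00:01:35: %PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, caused by MAC address 0011.2233.4455 on port GigabitEthernet0/1.
000021: 00:01:40: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet0/1, changed state to down
000022: 00:02:00: %SNMP-3-AUTHFAIL: Authentication failure for SNMP req from host 10.0.0.9
"""

if __name__ == "__main__":
    # Everything an 'errors' (level 3) trap setting would send to a syslog server.
    for e in at_least("errors", parse_all(SAMPLE_LOG)):
        print(e["seq"], e["facility"], e["severity"], e["mnemonic"], e["description"])
```

Because the time stamp group stops at the first ": %" that follows it, the same parser handles the uptime form shown in the text and the datetime form; with no time stamp at all (as in the first sample line) the field is simply None, which is itself a useful audit finding.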
Beginning in privileged EXEC mode, follow these steps to change the level and history table size defaults. This procedure is optional. Step 1 configure terminal Enter global configuration mode. Step 2 logging history level Change the default level of syslog messages stored in the history file and sent to the SNMP server. See Table 24-3 on page 24-9 for a list of level keywords.
Step 1 Add a line such as the following to the file /etc/syslog.conf:
local7.debug /usr/adm/logs/cisco.log
The local7 keyword specifies the logging facility to be used; see Table 24-4 on page 24-12 for information on the facilities. The debug keyword specifies the syslog level; see Table 24-3 on page 24-9 for information on the severity levels.
Table 24-4 lists the UNIX system facilities supported by the software. For more information about these facilities, consult the operator’s manual for your UNIX operating system.
Chapter 25 Configuring SNMP
This chapter describes how to configure the Simple Network Management Protocol (SNMP) on the Catalyst 2970 switch. Note For complete syntax and usage information for the commands used in this chapter, refer to the switch command reference for this release and to the Cisco IOS Configuration Fundamentals Command Reference for Release 12.1.
Understanding SNMP
This section includes information about these topics: • SNMP Versions, page 25-2 • SNMP Manager Functions, page 25-3 • SNMP Agent Functions, page 25-4 • SNMP Community Strings, page 25-4 • Using SNMP to Access MIB Variables, page 25-5 • SNMP Notifications, page 25-5 • SNMP ifIndex MIB Object Values, page 25-6
SNMP Versions
This software release supports these SNMP versions: • SNMPv1—The Simple Network Management Protocol, a Full Internet Stand
Table 25-1 identifies the characteristics of the different combinations of security models and levels.
Table 25-1 SNMP Security Models and Levels
Model    Level         Authentication    Encryption  Result
SNMPv1   noAuthNoPriv  Community string  No          Uses a community string match for authentication.
SNMPv2C  noAuthNoPriv  Community string  No          Uses a community string match for authentication.
SNMP Agent Functions
The SNMP agent responds to SNMP manager requests as follows: • Get a MIB variable—The SNMP agent begins this function in response to a request from the NMS. The agent retrieves the value of the requested MIB variable and responds to the NMS with that value. • Set a MIB variable—The SNMP agent begins this function in response to a message from the NMS.
Using SNMP to Access MIB Variables
An example of an NMS is the CiscoWorks network management software. CiscoWorks 2000 software uses the switch MIB variables to set device variables and to poll devices on the network for specific information. The results of a poll can be displayed as a graph and analyzed to troubleshoot internetworking problems, increase network performance, verify the configuration of devices, monitor traffic loads, and more.
SNMP ifIndex MIB Object Values
In an NMS, the IF-MIB generates and assigns an interface index (ifIndex) object value that is a unique number greater than zero to identify a physical or a logical interface. When the switch reboots or the switch software is upgraded, the switch uses this same value for the interface. For example, if the switch assigns the Gigabit Ethernet interface 0/5 an ifIndex value of 10003, this value is the same after the switch reboots.
Default SNMP Configuration
Table 25-4 shows the default SNMP configuration.
Table 25-4 Default SNMP Configuration
Feature                 Default Setting
SNMP agent              Enabled
SNMP community strings  Read-Only: Public; Read-Write: Private; Read-Write-all: Secret
SNMP trap receiver      None configured
SNMP traps              None enabled
SNMP version            If no version keyword is present, the default is version 1.
Because these community strings are the documented defaults, they are the first values anyone probing the switch will try, and the read-write string allows configuration changes. Replace them with strings restricted by an access list, or disable the agent with no snmp-server, before the switch is reachable from any untrusted segment.
Disabling the SNMP Agent
Beginning in privileged EXEC mode, follow these steps to disable the SNMP agent: Step 1 configure terminal Enter global configuration mode. Step 2 no snmp-server Disable the SNMP agent operation. Step 3 end Return to privileged EXEC mode. Step 4 show running-config Verify your entries. Step 5 copy running-config startup-config (Optional) Save your entries in the configuration file.
Step 3 access-list access-list-number {deny | permit} source [source-wildcard] (Optional) If you specified an IP standard access list number in Step 2, then create the list, repeating the command as many times as necessary. • For access-list-number, enter the access list number specified in Step 2. • The deny keyword denies access if the conditions are matched. The permit keyword permits access if the conditions are matched.
Beginning in privileged EXEC mode, follow these steps to configure SNMP on the switch: Step 1 configure terminal Enter global configuration mode. Step 2 snmp-server engineID {local engineid-string | remote ip-address [udp-port port-number] engineid-string} Configure a name for either the local or remote copy of SNMP. • The engineid-string is a 24-character ID string with the name of the copy of SNMP.
Step 4 snmp-server user username groupname [remote host [udp-port port]] {v1 | v2c | v3 [auth {md5 | sha} auth-password]} [encrypted] [access access-list] Add a new user to an SNMP group. • The username is the name of the user on the host that connects to the agent. • The groupname is the name of the group to which the user is associated.
Table 25-5 Switch Notification Types
Notification Type Keyword  Description
bridge                     Generates STP bridge MIB traps.
cluster                    Generates a trap when the cluster configuration changes.
config                     Generates a trap for SNMP configuration changes.
config-copy                Generates a trap for SNMP copy configuration changes.
entity                     Generates a trap for SNMP entity changes.
envmon                     Generates environmental monitor traps.
Beginning in privileged EXEC mode, follow these steps to configure the switch to send traps or informs to a host: Step 1 configure terminal Enter global configuration mode. Step 2 snmp-server engineID remote ip-address engineid-string Specify the engine ID for the remote host.
Step 8 snmp-server trap-timeout seconds (Optional) Define how often to resend trap messages. The range is 1 to 1000; the default is 30 seconds. Step 9 end Return to privileged EXEC mode. Step 10 show running-config Verify your entries. Step 11 copy running-config startup-config (Optional) Save your entries in the configuration file. The snmp-server host command specifies which hosts receive the notifications.
Limiting TFTP Servers Used Through SNMP
Beginning in privileged EXEC mode, follow these steps to limit the TFTP servers used for saving and loading configuration files through SNMP to the servers specified in an access list: Step 1 configure terminal Enter global configuration mode. Step 2 snmp-server tftp-server-list access-list-number Limit TFTP servers used for configuration file copies through SNMP to the servers in the access list.
This example shows how to allow read-only access for all objects to members of access list 4 that use the comaccess community string. No other SNMP managers have access to any objects. SNMP Authentication Failure traps are sent by SNMPv2C to the host cisco.com using the community string public.
Switch(config)# snmp-server community comaccess ro 4
Switch(config)# snmp-server enable traps snmp authentication
Switch(config)# snmp-server host cisco.
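The weak settings this chapter warns about (the default community strings in Table 25-4, a community with no access list, and a v3 user at the noAuthNoPriv level of Table 25-1) are all visible in the configuration text, so they can be checked before a configuration is pushed. The following Python auditor is an added example, not code from the guide or from Cisco. It assumes the snmp-server community, snmp-server user and access-list syntax shown in this chapter; the two sample configurations are constructed for it, and the community string, group, user and password in them are placeholders. Note that IOS does not display snmp-server user lines in show running-config, so the v3 check is useful on the configuration script you intend to apply rather than on captured running configurations.

```python
"""Audit an IOS SNMP configuration for the weak settings discussed in this chapter (added example)."""
import re
from typing import List, Tuple

# Default community strings from Table 25-4, compared case-insensitively.
DEFAULT_COMMUNITIES = {"public", "private", "secret"}

# snmp-server community string [view view-name] [ro | rw] [access-list-number]
_COMMUNITY = re.compile(
    r"^snmp-server community (?P<name>\S+)(?:\s+view\s+\S+)?"
    r"(?:\s+(?P<mode>ro|rw))?(?:\s+(?P<acl>\d+))?\s*$",
    re.IGNORECASE,
)
# snmp-server user username groupname [remote host [udp-port port]] v3 [auth {md5 | sha} password] ...
_USER = re.compile(
    r"^snmp-server user (?P<user>\S+) (?P<group>\S+)"
    r"(?: remote \S+(?: udp-port \d+)?)? v3(?P<rest>.*)$"
)
_ACL = re.compile(r"^access-list (?P<num>\d+) (?:permit|deny) ")

Finding = Tuple[str, str]   # (rule, offending community or user name)

def audit_snmp(config: str) -> List[Finding]:
    """Return the weak SNMP settings found in a configuration, in the order they appear."""
    lines = [ln.strip() for ln in config.splitlines() if ln.strip()]
    defined_acls = {m["num"] for m in map(_ACL.match, lines) if m}
    findings: List[Finding] = []
    for ln in lines:
        m = _COMMUNITY.match(ln)
        if m:
            name, mode, acl = m["name"], (m["mode"] or "ro").lower(), m["acl"]
            if name.lower() in DEFAULT_COMMUNITIES:
                findings.append(("default-community", name))
            if acl is None:
                # Any manager that knows the string can use it from anywhere.
                findings.append((f"{mode}-no-acl", name))
            elif acl not in defined_acls:
                # The command names a restriction that the configuration never defines.
                findings.append(("acl-undefined", name))
            continue
        m = _USER.match(ln)
        if m and not re.search(r"\bauth\b", m["rest"]):
            # noAuthNoPriv: nothing but the username identifies the requester.
            findings.append(("v3-noauth", m["user"]))
    return findings

# Constructed sample configurations (placeholder names and password).
WEAK_CONFIG = """\
snmp-server community public RO
snmp-server community private RW
snmp-server user monitor netgroup v3
"""
HARDENED_CONFIG = """\
access-list 4 permit 10.34.195.36
snmp-server community comaccess ro 4
snmp-server user monitor netgroup v3 auth sha Ex4mple-Auth-Pass
"""

if __name__ == "__main__":
    for label, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(label, audit_snmp(cfg) or "no findings")
```

The hardened sample follows the chapter's own example: a read-only community restricted to access list 4, and a v3 user with authentication. Running the auditor over a directory of candidate configurations before deployment turns the defaults in Table 25-4 into a failing check rather than a reminder.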
C H A P T E R 26 Configuring Network Security with ACLs This chapter describes how to configure network security on the Catalyst 2970 switch by using access control lists (ACLs), which are also referred to in commands and tables as access lists.
Chapter 26 Configuring Network Security with ACLs Understanding ACLs You configure access lists on a switch to provide basic security for your network. If you do not configure ACLs, all packets passing through the switch could be allowed onto all parts of the network. You can use ACLs to control which hosts can access different parts of a network or to decide which types of traffic are forwarded or blocked. For example, you can allow e-mail traffic to be forwarded but not Telnet traffic.
Chapter 26 Configuring Network Security with ACLs Understanding ACLs The switch examines ACLs associated with features configured on a given interface and permits or denies packet forwarding based on how the packet matches the entries in the ACL. ACLs can only be applied to Layer 2 interfaces in the inbound direction.
Chapter 26 Configuring Network Security with ACLs Understanding ACLs You can configure VLAN maps to match Layer 3 addresses for IP traffic. All non-IP protocols are access-controlled through MAC addresses and Ethertype using MAC VLAN maps. (IP traffic is not access controlled by MAC VLAN maps.) You can enforce VLAN maps only on packets going through the switch; you cannot enforce VLAN maps on traffic between hosts on a hub or on another switch connected to this switch.
Chapter 26 Configuring Network Security with ACLs Configuring IP ACLs first ACE, even though they do not contain the SMTP port information, because the first ACE only checks Layer 3 information when applied to fragments. The information in this example is that the packet is TCP and that the destination is 10.1.1.1. • Packet B is from host 10.2.2.2, port 65001, going to host 10.1.1.2 on the Telnet port.
Creating Standard and Extended IP ACLs
This section describes IP ACLs. An ACL is a sequential collection of permit and deny conditions. The switch tests packets against the conditions in an access list one by one. The first match determines whether the switch accepts or rejects the packet. Because the switch stops testing conditions after the first match, the order of the conditions is critical.
Table 26-1 Access List Numbers (continued)
Access List Number   Type                                        Supported
1300–1999            IP standard access list (expanded range)    Yes
2000–2699            IP extended access list (expanded range)    Yes

Note In addition to numbered standard and extended ACLs, you can also create standard and extended named IP ACLs using the supported numbers.
Note When creating an ACL, remember that, by default, the end of the ACL contains an implicit deny statement for all packets for which no match was found before reaching the end. With standard access lists, if you omit the mask from an associated IP host address ACL specification, 0.0.0.0 is assumed to be the mask.
This example shows how to create a standard ACL to deny access to IP host 171.69.198.
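The three rules just stated (first match wins, so ACE order decides; an implicit deny closes every list; an omitted wildcard means 0.0.0.0, an exact host match) together with the fragment behaviour described earlier in this section (a later fragment carries no Layer 4 header, so a permit ACE with port information matches it on its Layer 3 part alone while a deny ACE with port information is skipped and the next ACE is tested) are modelled in the following Python example. It is an added illustration, not switch code; the ACL it evaluates is constructed around the hosts named in the text (SMTP to 10.1.1.1, Telnet to 10.1.1.2, source 10.2.2.2) and is not the chapter's own entry list, and the names `ACE`, `Packet`, `wildcard_match` and `evaluate` are this example's own.

```python
"""Model of first-match IP ACL evaluation with Cisco wildcard masks, the implicit
deny at the end of every list, and the IP-fragment rules described in the text.
Added illustration; not the switch's own code."""
from dataclasses import dataclass
from ipaddress import IPv4Address
from typing import List, Optional, Tuple

ANY = ("0.0.0.0", "255.255.255.255")   # the 'any' keyword: every bit is a don't-care


def wildcard_match(addr: str, base: str, wildcard: str = "0.0.0.0") -> bool:
    """Cisco wildcard semantics: a 1 bit in the wildcard means 'ignore this bit'.
    The default wildcard 0.0.0.0 demands an exact host match, which is what a
    standard ACL assumes when the mask is omitted."""
    a, b, w = (int(IPv4Address(x)) for x in (addr, base, wildcard))
    care = ~w & 0xFFFFFFFF
    return (a & care) == (b & care)


@dataclass
class ACE:
    """One access control entry. dst_port=None means Layer 3 information only."""
    action: str                      # "permit" or "deny"
    protocol: str = "ip"             # "ip" matches every IP protocol
    src: Tuple[str, str] = ANY       # (address, wildcard)
    dst: Tuple[str, str] = ANY
    dst_port: Optional[int] = None


@dataclass
class Packet:
    src: str
    dst: str
    protocol: str = "tcp"
    dst_port: Optional[int] = None
    noninitial_fragment: bool = False   # True: no Layer 4 header is present


def ace_matches(ace: ACE, pkt: Packet) -> bool:
    if ace.protocol != "ip" and ace.protocol != pkt.protocol:
        return False
    if not wildcard_match(pkt.src, *ace.src) or not wildcard_match(pkt.dst, *ace.dst):
        return False
    if ace.dst_port is None:
        return True                  # Layer 3 only: fragments and whole packets alike
    if pkt.noninitial_fragment:
        # No Layer 4 header to test. A permit ACE applies on its Layer 3 part
        # alone (Packet A in the text); a deny ACE is skipped and the next ACE
        # is tested, which is why a fragmented Packet B reaches the later permit.
        return ace.action == "permit"
    return pkt.dst_port == ace.dst_port


def evaluate(acl: List[ACE], pkt: Packet) -> Tuple[str, Optional[int]]:
    """Return (action, 1-based index of the matching ACE). Testing stops at the
    first match, so ACE order decides the result; a packet that matches nothing
    hits the implicit deny, reported with index None."""
    for i, ace in enumerate(acl, start=1):
        if ace_matches(ace, pkt):
            return ace.action, i
    return "deny", None


# Constructed ACL built around the hosts used in the text (not the page's own
# entry list): SMTP to 10.1.1.1 allowed, Telnet to 10.1.1.2 blocked, everything
# else to 10.1.1.2 allowed, all other traffic hits the implicit deny.
FRAGMENT_ACL = [
    ACE("permit", "tcp", ANY, ("10.1.1.1", "0.0.0.0"), dst_port=25),
    ACE("deny", "tcp", ANY, ("10.1.1.2", "0.0.0.0"), dst_port=23),
    ACE("permit", "tcp", ANY, ("10.1.1.2", "0.0.0.0")),
]

PACKET_A = Packet("10.2.2.2", "10.1.1.1", "tcp", 25)
PACKET_A_FRAG = Packet("10.2.2.2", "10.1.1.1", "tcp", None, noninitial_fragment=True)
PACKET_B = Packet("10.2.2.2", "10.1.1.2", "tcp", 23)
PACKET_B_FRAG = Packet("10.2.2.2", "10.1.1.2", "tcp", None, noninitial_fragment=True)

if __name__ == "__main__":
    cases = [("A", PACKET_A), ("A fragment", PACKET_A_FRAG), ("B", PACKET_B),
             ("B fragment", PACKET_B_FRAG),
             ("C (unlisted host)", Packet("10.2.2.2", "10.1.1.3", "tcp", 23))]
    for name, pkt in cases:
        print(f"Packet {name}: {evaluate(FRAGMENT_ACL, pkt)}")
```

Swapping the second and third entries shows why order is critical: with the Layer 3 only permit listed first, a whole Telnet packet to 10.1.1.2 is permitted and the deny is never reached.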
Supported parameters can be grouped into these categories: TCP, UDP, ICMP, IGMP, or other IP.
Beginning in privileged EXEC mode, follow these steps to create an extended ACL:
Command / Purpose
Step 1  configure terminal
        Enter global configuration mode.
or
Step 2b  access-list access-list-number {deny | permit} protocol host source host destination [precedence precedence] [tos tos] [fragments] [time-range time-range-name] [dscp dscp]
         Define an extended IP access list using an abbreviation for a source and source wildcard of source 0.0.0.0 and an abbreviation for a destination and destination wildcard of destination 0.0.0.0.
Step 2e  access-list access-list-number {deny | permit} igmp source source-wildcard destination destination-wildcard [igmp-type] [precedence precedence] [tos tos] [fragments] [time-range time-range-name] [dscp dscp]
         (Optional) Define an extended IGMP access list and the access conditions. Enter igmp for Internet Group Management Protocol.
Consider these guidelines and limitations before configuring named ACLs:
• Not all commands that accept a numbered ACL accept a named ACL. ACLs for packet filters and route filters on interfaces can use a name. VLAN maps also accept a name.
• A standard ACL and an extended ACL cannot have the same name.
• Numbered ACLs are also available, as described in the “Creating Standard and Extended IP ACLs” section on page 26-6.
Command / Purpose
Step 4  end
        Return to privileged EXEC mode.
Step 5  show access-lists [number | name]
        Show the access list configuration.
Step 6  copy running-config startup-config
        (Optional) Save your entries in the configuration file.
To remove a named extended ACL, use the no ip access-list extended name global configuration command.
Command / Purpose
Step 1  configure terminal
        Enter global configuration mode.
Step 2  time-range time-range-name
        Assign a meaningful name (for example, workhours) to the time range to be created, and enter time-range configuration mode. The name cannot contain a space or quotation mark and must begin with a letter.
Step 3  absolute [start time date] [end time date]
        Specify when the function it will be applied to is operational.
Switch(config)# access-list 188 deny tcp any any time-range christmas_2003
Switch(config)# access-list 188 permit tcp any any time-range workhours
Switch(config)# end
Switch# show access-lists
Extended IP access list 188
    deny tcp any any time-range new_year_day_2003 (inactive)
    deny tcp any any time-range thanskgiving_2003 (active)
    deny tcp any any time-range christmas_2003 (inactive)
    permit tcp any any time-range workhours (inactive)
T
Applying an IP ACL to a Terminal Line
You can use numbered ACLs to control access to one or more terminal lines. You cannot apply named ACLs to lines. You must set identical restrictions on all the virtual terminal lines because a user can attempt to connect to any of them. For procedures for applying ACLs to interfaces, see the “Applying an IP ACL to an Interface” section on page 26-16.
Command / Purpose
Step 3  ip access-group {access-list-number | name} {in}
        Control access to the specified interface.
Step 4  end
        Return to privileged EXEC mode.
Step 5  show running-config
        Display the access list configuration.
Step 6  copy running-config startup-config
        (Optional) Save your entries in the configuration file.
Switch(config)# interface gigabitethernet 0/3
Switch(config-if)# ip access-group 6 in
This example uses an extended ACL to deny traffic coming from port 80 (HTTP). It permits all other types of traffic.
Time Range Applied to an IP ACL
This example denies HTTP traffic on IP on Monday through Friday between the hours of 8:00 a.m. and 6:00 p.m. (18:00). The example allows UDP traffic only on Saturday and Sunday from noon to 8:00 p.m. (20:00).
Creating Named MAC Extended ACLs
You can filter non-IP traffic on a VLAN or on a Layer 2 interface by using MAC addresses and named MAC extended ACLs. The procedure is similar to that of configuring other extended named ACLs. For more information about the supported non-IP protocols in the mac access-list extended command, refer to the command reference for this release.
This example shows how to create and display an access list named mac1, denying only EtherType DECnet Phase IV traffic, but permitting all other types of traffic.
Configuring VLAN Maps
Note The mac access-group interface configuration command is only valid when applied to a physical Layer 2 interface. You cannot use the command on EtherChannel port channels.
After receiving a packet, the switch checks it against the inbound ACL. If the ACL permits it, the switch continues to process the packet. If the ACL rejects the packet, the switch discards it.
VLAN Map Configuration Guidelines
Follow these guidelines when configuring VLAN maps:
• If there is no ACL configured to deny traffic on an interface and no VLAN map is configured, all traffic is permitted.
• Each VLAN map consists of a series of entries. The order of entries in a VLAN map is important. A packet that comes into the switch is tested against the first entry in the VLAN map.
Use the no vlan access-map name global configuration command to delete a map. Use the no vlan access-map name number global configuration command to delete a single sequence entry from within the map. Use the no action access-map configuration command to enforce the default action, which is to forward. VLAN maps do not use the specific permit or deny keywords.
Switch(config)# vlan access-map drop-ip-default 10
Switch(config-access-map)# match ip address 101
Switch(config-access-map)# action forward
Switch(config-access-map)# exit
Switch(config)# vlan access-map drop-ip-default 20
Switch(config-access-map)# match ip address igmp-match
Switch(config-access-map)# action drop
Switch(config-access-map)# exit
Switch(config)# vlan access-map drop-ip-default 30
Switch(config-access-map)# match ip a
Applying a VLAN Map to a VLAN
Beginning in privileged EXEC mode, follow these steps to apply a VLAN map to one or more VLANs:
Command / Purpose
Step 1  configure terminal
        Enter global configuration mode.
Step 2  vlan filter mapname vlan-list list
        Apply the VLAN map to one or more VLAN IDs. The list can be a single VLAN ID (22), a consecutive list (10-22), or a string of VLAN IDs (12, 22, 30).
Figure 26-3 Wiring Closet Configuration (figure: a Layer 3 Catalyst switch and Catalyst 2970 switches labeled Switch A, Switch B and Switch C; Host X 10.1.1.32 on VLAN 1, Host Y 10.1.1.34 on VLAN 2; VLAN map: Deny HTTP from X to Y. HTTP is dropped at entry point.)
If you do not want HTTP traffic switched from Host X to Host Y, you can configure a VLAN map on Switch A to drop all HTTP traffic from Host X (IP address 10.1.1.
Denying Access to a Server on a VLAN
You can restrict access to a server on a VLAN. For example, server 10.1.1.100 in VLAN 10 needs to have access denied to hosts 10.1.1.4 and 10.1.1.8 (see Figure 26-4).
Figure 26-4 Deny Access to a Server on Another VLAN (figure: VLAN map on a Catalyst 2970 switch; 10.1.1.100 Server (VLAN 10); 10.1.1.4 Host (VLAN 10); Host (VLAN 10) 10.1.1.
Displaying ACL Configuration
You can display the ACLs that are configured on the switch, and you can display the ACLs that have been applied to interfaces and VLANs. When you use the ip access-group interface configuration command to apply ACLs to a Layer 2 interface, you can display the access groups on the interface. You can also display the MAC ACLs applied to a Layer 2 interface.
Catalyst 2970 Switch Software Configuration Guide 26-30 78-15462-03
CHAPTER 27 Configuring QoS
This chapter describes how to configure quality of service (QoS) by using automatic QoS (auto-QoS) commands or by using standard QoS commands on the Catalyst 2970 switch. With QoS, you can provide preferential treatment to certain traffic at the expense of others. Without QoS, the switch offers best-effort service to each packet, regardless of the packet contents or size. It sends the packets without any assurance of reliability, delay bounds, or throughput.
Chapter 27 Configuring QoS Understanding QoS The classification is carried in the IP packet header, using 6 bits from the deprecated IP type of service (TOS) field to carry the classification (class) information. Classification can also be carried in the Layer 2 frame.
All switches and routers that access the Internet rely on the class information to provide the same forwarding treatment to packets with the same class information and different treatment to packets with different class information. The class information in the packet can be assigned by end hosts or by switches or routers along the way, based on a configured policy, detailed examination of the packet, or both.
Actions at the egress interface include queueing and scheduling:
• Queueing evaluates the QoS label and the corresponding DSCP or CoS value to determine into which of the four egress queues to place a packet. Because congestion can occur when multiple ingress ports simultaneously send data to an egress port, WTD is used to differentiate traffic classes and to subject the packets to different thresholds based on the QoS label.
You specify which fields in the frame or packet you want to use to classify incoming traffic. For non-IP traffic, you have these classification options as shown in Figure 27-3:
• Trust the CoS value in the incoming frame (configure the port to trust CoS). Then use the configurable CoS-to-DSCP map to generate a DSCP value for the packet. Layer 2 ISL frame headers carry the CoS value in the three least-significant bits of the 1-byte User field. Layer 2 802.
Figure 27-3 Classification Flowchart (flowchart: Start; read ingress interface configuration for classification; trust CoS (IP and non-IP traffic), trust DSCP (IP traffic), trust DSCP or IP precedence (non-IP traffic), or trust IP precedence (IP traffic); assign DSCP identical to DSCP in packet; check whether the packet came with a CoS label (tag); (Optional) modify the DSCP by using the DSCP-to-DSCP-mutation map)
Classification Based on QoS ACLs
You can use IP standard, IP extended, or Layer 2 MAC ACLs to define a group of packets with the same characteristics (class). In the QoS context, the permit and deny actions in the access control entries (ACEs) have different meanings than with security ACLs:
• If a match with a permit action is encountered (first-match principle), the specified QoS-related action is taken.
You create and name a policy map by using the policy-map global configuration command. When you enter this command, the switch enters the policy-map configuration mode. In this mode, you specify the actions to take on a specific traffic class by using the class, trust, or set policy-map configuration and policy-map class configuration commands.
Policing uses a token-bucket algorithm. As each frame is received by the switch, a token is added to the bucket. The bucket has a hole in it and leaks at a rate that you specify as the average traffic rate in bits per second. Each time a token is added to the bucket, the switch performs a check to determine if there is enough room in the bucket.
Mapping Tables
During QoS processing, the switch represents the priority of all traffic (including non-IP traffic) with a QoS label based on the DSCP or CoS value from the classification stage:
• During classification, QoS uses configurable mapping tables to derive a corresponding DSCP or CoS value from a received CoS, DSCP, or IP precedence value. These maps include the CoS-to-DSCP map and the IP-precedence-to-DSCP map.
Queueing and Scheduling Overview
The switch has queues at specific points to help prevent congestion as shown in Figure 27-5.
Figure 27-6 WTD and Queue Operation (figure: a queue of 1000 packets with WTD thresholds at 40 percent (400 packets) for CoS 0-3, 60 percent (600 packets) for CoS 4-5, and 100 percent (1000 packets) for CoS 6-7)
For more information, see the “Mapping DSCP or CoS Values to an Ingress Queue and Setting WTD Thresholds” section on page 27-53, the “Allocating Buffer Space to and Setting WTD Thresholds for an Egress Queue-Set” section on page 27-58, and the “Mapping DSCP or CoS Values to an Egress Queue and to a Threshold ID” section on page 27-60.
Queueing and Scheduling on Ingress Queues
Figure 27-7 shows the queueing and scheduling flowchart for ingress ports.
Figure 27-7 Queueing and Scheduling Flowchart for Ingress Ports (flowchart: Start; read QoS label (DSCP or CoS value); determine ingress queue number, buffer allocation, and WTD thresholds; if the thresholds are being exceeded, drop the packet; otherwise queue the packet and send it to the internal ring)
You assign each packet that flows through the switch to a queue and to a threshold. Specifically, you map DSCP or CoS values to an ingress queue and map DSCP or CoS values to a threshold ID. You use the mls qos srr-queue input dscp-map queue queue-id {dscp1...dscp8 | threshold threshold-id dscp1...dscp8} or the mls qos srr-queue input cos-map queue queue-id {cos1...cos8 | threshold threshold-id cos1...cos8} global configuration command.
Queueing and Scheduling on Egress Queues
Figure 27-8 shows the queueing and scheduling flowchart for egress ports.
Figure 27-8 Queueing and Scheduling Flowchart for Egress Ports (flowchart: Start; receive packet from the internal ring; read QoS label (DSCP or CoS value); determine egress queue number and threshold based on the label; if the thresholds are being exceeded, drop the packet; otherwise queue the packet and service the queue according to the SRR weights)
Figure 27-9 shows the egress queue buffer. The buffer space is divided between the common pool and the reserved pool. The switch uses a buffer allocation scheme to reserve a minimum amount of buffers for each egress queue, to prevent any queue or port from consuming all the buffers and depriving other queues, and to determine whether to grant buffer space to a requesting queue.
threshold-id cos1...cos8} global configuration command. You can display the DSCP output queue threshold map and the CoS output queue threshold map by using the show mls qos maps privileged EXEC command.
The queues use WTD to support distinct drop percentages for different traffic classes. Each queue has three drop thresholds: two configurable (explicit) WTD thresholds and one nonconfigurable (implicit) threshold preset to the queue-full state.
Configuring Auto-QoS
• Depending on the QoS label assigned to a frame and the mutation chosen, the DSCP and CoS values of the frame are rewritten. If you do not configure the mutation map and if you configure the interface to trust the DSCP of the incoming frame, the DSCP value in the frame is not changed, but the CoS is rewritten according to the DSCP-to-CoS map.
Table 27-2 Traffic Types, Ingress Packet Labels, Assigned Packet Labels, and Queues (continued)
Traffic type              VoIP Data Traffic   VoIP Control Traffic   Routing Protocol Traffic   STP BPDU Traffic   All Other Traffic
Assigned DSCP             46                  26                     48                         56                 0
Assigned CoS              5                   3                      6                          7                  0
CoS-to-Ingress Queue Map  2, 3, 4, 5, 6, 7 (queue 2); 0, 1 (queue 1)
CoS-to-Egress Queue Map   5 (queue 1); 3, 6, 7 (queue 2); 2, 4 (queue 3); 0, 1 (queue 4)
Table 27-3 shows the generated auto-QoS c
• When you enter the auto qos voip trust interface configuration command on a port connected to the interior of the network, the switch trusts the CoS value for nonrouted interfaces in ingress packets (the assumption is that traffic has already been classified by other edge devices). The switch configures the ingress and egress queues on the interface according to the settings in Table 27-3 and Table 27-4.
Table 27-5 Generated Auto-QoS Configuration (continued)
Description / Automatically Generated Command
The switch automatically maps DSCP values to an ingress queue and to a threshold ID.
Table 27-5 Generated Auto-QoS Configuration (continued)
Description / Automatically Generated Command
The switch automatically sets the ingress classification to trust the CoS value received in the packet on a nonrouted interface.
Enabling Auto-QoS for VoIP
Beginning in privileged EXEC mode, follow these steps to enable auto-QoS for VoIP within a QoS domain:
Command / Purpose
Step 1  configure terminal
        Enter global configuration mode.
Step 2  interface interface-id
        Enter interface configuration mode, and specify the interface that is connected to a Cisco IP Phone or the uplink interface that is connected to another switch or router in the interior of the network.
Auto-QoS Configuration Example
This section describes how you could implement auto-QoS in a network, as shown in Figure 27-10.
Figure 27-10 Auto-QoS Configuration Example Network (figure: a Cisco router to the Internet; a Catalyst 3750 switch with Gigabit Ethernet 1/0/5 and trunk links on Gigabit Ethernet 1/0/1 and 1/0/2; a second Catalyst 3750 switch; a Catalyst 2970 switch with Gigabit Ethernet 0/2; Video server 172.20.10.
Note You should not configure any standard QoS commands before entering the auto-QoS commands. You can fine-tune the QoS configuration, but we recommend that you do so only after the auto-QoS configuration is completed.
Beginning in privileged EXEC mode, follow these steps to configure the switch at the edge of the QoS domain to prioritize the VoIP traffic over all other traffic:
Command / Purpose
Step 1  debug autoqos
        Enable debugging for auto-QoS.
Displaying Auto-QoS Information
To display the initial auto-QoS configuration, use the show auto qos [interface [interface-id]] privileged EXEC command. To display any user changes to that configuration, use the show running-config privileged EXEC command. You can compare the show auto qos and the show running-config command output to identify the user-defined QoS settings.
Configuring Standard QoS
Default Standard QoS Configuration
QoS is disabled. There is no concept of trusted or untrusted ports because the packets are not modified (the CoS, DSCP, and IP precedence values in the packet are not changed). Traffic is switched in pass-through mode (packets are switched without any rewrites and classified as best effort without any policing).
Default Egress Queue Configuration
Table 27-9 shows the default egress queue configuration for each queue-set when QoS is enabled. All ports are mapped to queue-set 1. The port bandwidth limit is set to 100 percent and rate unlimited.
Standard QoS Configuration Guidelines
Before beginning the QoS configuration, you should be aware of this information:
• You configure QoS only on physical ports; there is no support for it on the VLAN or switch virtual interface level.
• It is not possible to match IP fragments against configured IP extended ACLs to enforce QoS. IP fragments are sent as best-effort. IP fragments are denoted by fields in the IP header.
Enabling QoS Globally
By default, QoS is disabled on the switch. Beginning in privileged EXEC mode, follow these steps to enable QoS. This procedure is required.
Command / Purpose
Step 1  configure terminal
        Enter global configuration mode.
Step 2  mls qos
        Enable QoS globally.
Configuring the Trust State on Ports within the QoS Domain
Packets entering a QoS domain are classified at the edge of the QoS domain. When the packets are classified at the edge, the switch port within the QoS domain can be configured to one of the trusted states because there is no need to classify the packets at every switch within the QoS domain. Figure 27-11 shows a sample network topology.
Beginning in privileged EXEC mode, follow these steps to configure the port to trust the classification of the traffic that it receives:
Command / Purpose
Step 1  configure terminal
        Enter global configuration mode.
Step 2  interface interface-id
        Enter interface configuration mode, and specify the interface to be trusted. Valid interfaces include physical interfaces.
Step 3  mls qos trust [cos | dscp | ip-precedence]
        Configure the port trust state.
Configuring the CoS Value for an Interface
QoS assigns the CoS value specified with the mls qos cos interface configuration command to untagged frames received on trusted and untrusted ports.
Beginning in privileged EXEC mode, follow these steps to define the default CoS value of a port or to assign the default CoS to all incoming packets on the port:
Command / Purpose
Step 1  configure terminal
        Enter global configuration mode.
Configuring a Trusted Boundary to Ensure Port Security
In a typical network, you connect a Cisco IP Phone to a switch port, as shown in Figure 27-11 on page 27-31, and cascade devices that generate data packets from the back of the telephone. The Cisco IP Phone guarantees the voice quality through a shared data link by marking the CoS level of the voice packets as high priority (CoS = 5) and by marking the data packets as low priority (CoS = 0).
Configuring the DSCP Trust State on a Port Bordering Another QoS Domain
If you are administering two separate QoS domains between which you want to implement QoS features for IP traffic, you can configure the switch ports bordering the domains to a DSCP-trusted state as shown in Figure 27-12. Then the receiving port accepts the DSCP-trusted value and avoids the classification stage of QoS.
Command / Purpose
Step 5  mls qos dscp-mutation dscp-mutation-name
        Apply the map to the specified ingress DSCP-trusted port. For dscp-mutation-name, specify the mutation map name created in Step 2. You can configure multiple DSCP-to-DSCP-mutation maps on an ingress port.
Step 6  end
        Return to privileged EXEC mode.
Step 7  show mls qos maps dscp-mutation
        Verify your entries.
Classifying Traffic by Using ACLs
You can classify IP traffic by using IP standard or IP extended ACLs; you can classify non-IP traffic by using Layer 2 MAC ACLs.
Beginning in privileged EXEC mode, follow these steps to create an IP standard ACL for IP traffic:
Command / Purpose
Step 1  configure terminal
        Enter global configuration mode.
Beginning in privileged EXEC mode, follow these steps to create an IP extended ACL for IP traffic:
Command / Purpose
Step 1  configure terminal
        Enter global configuration mode.
Step 2  access-list access-list-number {deny | permit} protocol source source-wildcard destination destination-wildcard
        Create an IP extended ACL, repeating the command as many times as necessary.
        • For access-list-number, enter the access list number.
Beginning in privileged EXEC mode, follow these steps to create a Layer 2 MAC ACL for non-IP traffic:
Command / Purpose
Step 1  configure terminal
        Enter global configuration mode.
Step 2  mac access-list extended name
        Create a Layer 2 MAC ACL by specifying the name of the list. After entering this command, the mode changes to extended MAC ACL configuration.
Classifying Traffic by Using Class Maps
You use the class-map global configuration command to name and to isolate a specific traffic flow (or class) from all other traffic. The class map defines the criteria to use to match against a specific traffic flow to further classify it. Match statements can include criteria such as an ACL, IP precedence values, or DSCP values.
Command / Purpose
Step 4  match {access-group acl-index-or-name | ip dscp dscp-list | ip precedence ip-precedence-list}
        Define the match criterion to classify traffic. By default, no match criterion is defined. Only one match criterion per class map is supported, and only one ACL per class map is supported.
        • For access-group acl-index-or-name, specify the number or name of the ACL created in Step 2.
Classifying, Policing, and Marking Traffic by Using Policy Maps
A policy map specifies which traffic class to act on. Actions can include trusting the CoS, DSCP, or IP precedence values in the traffic class; setting a specific DSCP or IP precedence value in the traffic class; and specifying the traffic bandwidth limitations for each matched traffic class (policer) and the action to take when the traffic is out of profile (marking).
Command / Purpose
Step 5  trust [cos | dscp | ip-precedence]
        Configure the trust state, which QoS uses to generate a CoS-based or DSCP-based QoS label.
        Note This command is mutually exclusive with the set command within the same policy map. If you enter the trust command, then skip Step 6.
        By default, the port is not trusted. If no keyword is specified when the command is entered, the default is dscp.
Command / Purpose
Step 8   exit
         Return to policy map configuration mode.
Step 9   exit
         Return to global configuration mode.
Step 10  interface interface-id
         Enter interface configuration mode, and specify the interface to attach to the policy map. Valid interfaces include physical interfaces.
Step 11  service-policy input policy-map-name
         Specify the policy-map name, and apply it to an ingress interface.
Switch(config-ext-mac)# exit
Switch(config)# class-map macclass1
Switch(config-cmap)# match access-group maclist1
Switch(config-cmap)# exit
Switch(config)# policy-map macpolicy1
Switch(config-pmap)# class macclass1
Switch(config-pmap-c)# set ip dscp 63
Switch(config-pmap-c)# exit
Switch(config-pmap)# class macclass2 maclist2
Switch(config-pmap-c)# set ip dscp 45
Switch(config-pmap-c)# exit
Switch(config-pmap)# exit
Switch(config)# interface gigabitethern
Command / Purpose
Step 5  class class-map-name
        Define a traffic classification, and enter policy-map class configuration mode. For more information, see the “Classifying, Policing, and Marking Traffic by Using Policy Maps” section on page 27-42.
Step 6  police aggregate aggregate-policer-name
        Apply an aggregate policer to multiple classes in the same policy map. For aggregate-policer-name, enter the name specified in Step 2.
Switch(config)# interface gigabitethernet0/1
Switch(config-if)# service-policy input aggflow1
Switch(config-if)# exit
Configuring DSCP Maps
These sections describe how to configure the DSCP maps:
• Configuring the CoS-to-DSCP Map, page 27-47 (optional)
• Configuring the IP-Precedence-to-DSCP Map, page 27-48 (optional)
• Configuring the Policed-DSCP Map, page 27-49 (optional, unless the null settings in the map are not appropriate)
• Configuring t
This example shows how to modify and display the CoS-to-DSCP map:
Switch(config)# mls qos map cos-dscp 10 15 20 25 30 35 40 45
Switch(config)# end
Switch# show mls qos maps cos-dscp
   Cos-dscp map:
        cos:   0  1  2  3  4  5  6  7
     --------------------------------
       dscp:  10 15 20 25 30 35 40 45
Configuring the IP-Precedence-to-DSCP Map
You use the IP-precedence-to-DSCP map to map IP precedence values in incoming packets to a DSCP value that QoS uses internally to repres
Configuring the Policed-DSCP Map
You use the policed-DSCP map to mark down a DSCP value to a new value as the result of a policing and marking action. The default policed-DSCP map is a null map, which maps an incoming DSCP value to the same DSCP value.
Beginning in privileged EXEC mode, follow these steps to modify the policed-DSCP map. This procedure is optional.
Command / Purpose
Step 1  configure terminal
        Enter global configuration mode.
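The token-bucket description in the "Policing and Marking" part of this chapter (each received frame adds a token to the bucket, the bucket leaks at the configured average rate, and a frame that finds no room is out of profile) and the policed-DSCP map just described, which marks down out-of-profile traffic, are modelled together in the following Python example. It is an added illustration, not switch firmware: the rate (1 Mb/s), burst (4000 bytes), the six-frame burst and the mark-down map (DSCP 26 to 8) are constructed values, and the class and function names are this example's own. The verdict names "conform", "drop" and "markdown" are the example's labels for the in-profile case and the two out-of-profile actions the text describes, not IOS keywords.

```python
"""Token-bucket policer as the chapter describes it, combined with the
policed-DSCP map used to mark down out-of-profile traffic.
Added illustration; not the switch's own code."""
from typing import Dict, List, Optional, Tuple

# Constructed burst: six 1500-byte frames marked DSCP 26, one every millisecond
# (12 Mb/s offered), far above the 1 Mb/s average rate policed below.
FRAMES: List[Tuple[int, int, int]] = [(i * 1000, 1500, 26) for i in range(6)]  # (time_us, bytes, dscp)

# Constructed policed-DSCP map: DSCP 26 is marked down to 8 when out of profile.
# The switch default is a null map, which leaves every DSCP value unchanged.
MARKDOWN_MAP: Dict[int, int] = {26: 8}


class TokenBucketPolicer:
    def __init__(self, rate_bps: int, burst_bytes: int, exceed_action: str = "drop",
                 policed_dscp_map: Optional[Dict[int, int]] = None) -> None:
        self.rate_bytes_per_s = rate_bps // 8   # average rate, as bytes per second
        self.burst = burst_bytes                # bucket depth: the permitted burst
        self.exceed_action = exceed_action      # "drop" or "markdown" (policed-DSCP, then transmit)
        self.policed_dscp = dict(policed_dscp_map or {})
        self.level = 0                          # bytes (tokens) currently in the bucket
        self.last_us = 0                        # arrival time of the previous frame, microseconds

    def police(self, t_us: int, size: int, dscp: int) -> Tuple[str, int]:
        """Return (verdict, dscp_out) for one frame: 'conform', 'drop' or 'markdown'."""
        # The bucket leaks continuously at the average rate. Integer microseconds
        # keep the arithmetic exact.
        leaked = (t_us - self.last_us) * self.rate_bytes_per_s // 1_000_000
        self.level = max(0, self.level - leaked)
        self.last_us = t_us
        if self.level + size <= self.burst:
            self.level += size              # room available: the frame is in profile
            return "conform", dscp
        # Out of profile: the frame never enters the bucket. It is either dropped
        # or marked down through the policed-DSCP map and transmitted.
        if self.exceed_action == "drop":
            return "drop", dscp
        return "markdown", self.policed_dscp.get(dscp, dscp)


def police_frames(policer: TokenBucketPolicer,
                  frames: List[Tuple[int, int, int]]) -> List[Tuple[str, int]]:
    """Run every frame through the policer in arrival order."""
    return [policer.police(t, size, dscp) for t, size, dscp in frames]


if __name__ == "__main__":
    for action, mapping in (("drop", None), ("markdown", MARKDOWN_MAP)):
        policer = TokenBucketPolicer(rate_bps=1_000_000, burst_bytes=4000,
                                     exceed_action=action, policed_dscp_map=mapping)
        print(action, police_frames(policer, FRAMES))
```

With these values the first two frames fit in the bucket, the third and fourth exceed the burst and are out of profile, the leak opens room for the fifth, and the sixth is out of profile again; with the null map the mark-down verdict carries DSCP 26 unchanged, which is why the text calls changing the map optional only until its null settings are inappropriate.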
Configuring the DSCP-to-CoS Map
You use the DSCP-to-CoS map to generate a CoS value, which is used to select one of the four egress queues. Table 27-14 shows the default DSCP-to-CoS map.
Table 27-14 Default DSCP-to-CoS Map
DSCP value   0–7   8–15   16–23   24–31   32–39   40–47   48–55   56–63
CoS value    0     1      2       3       4       5       6       7
If these values are not appropriate for your network, you need to modify them.
Configuring the DSCP-to-DSCP-Mutation Map

If two QoS domains have different DSCP definitions, use the DSCP-to-DSCP-mutation map to translate one set of DSCP values to match the definition of another domain. You apply the DSCP-to-DSCP-mutation map to the receiving interface (ingress mutation) at the boundary of a QoS administrative domain.
This example shows how to define the DSCP-to-DSCP-mutation map.
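The following Python model, added here and not code from the Catalyst 2970 guide, reproduces the default DSCP-to-CoS map of Table 27-14 and the null policed-DSCP map, builds a CoS-to-DSCP map from the eight values given to mls qos map cos-dscp, parses show mls qos maps cos-dscp output to confirm what was applied, and walks one packet through the maps in the order the preceding sections describe (ingress mutation at a domain boundary, CoS-to-DSCP, policed-DSCP mark-down, DSCP-to-CoS for egress queue selection). The policed-DSCP and mutation map contents below are constructed sample values, and treating DSCPs absent from the mutation map as unchanged is an assumption.

```python
"""Model of the standard-QoS DSCP maps described in this chapter.

Added example, not code from the Catalyst 2970 guide. Sample map contents
(policed_dscp, dscp_mutation) are constructed; the default mutation
behaviour (unlisted DSCPs pass through unchanged) is an assumption.
"""
from dataclasses import dataclass, field

DSCP_VALUES = range(64)
COS_VALUES = range(8)


def default_dscp_to_cos():
    """Table 27-14: DSCP 0-7 -> CoS 0, 8-15 -> CoS 1, ..., 56-63 -> CoS 7."""
    return {dscp: dscp // 8 for dscp in DSCP_VALUES}


def default_policed_dscp():
    """The default policed-DSCP map is a null map: each DSCP maps to itself."""
    return {dscp: dscp for dscp in DSCP_VALUES}


def cos_to_dscp_map(values):
    """Build the CoS-to-DSCP map from the eight DSCPs given to
    'mls qos map cos-dscp' (CoS 0 first), rejecting malformed input."""
    if len(values) != 8:
        raise ValueError("cos-dscp map needs exactly eight DSCP values")
    for v in values:
        if v not in DSCP_VALUES:
            raise ValueError(f"DSCP {v} is outside 0-63")
    return dict(zip(COS_VALUES, values))


def parse_show_cos_dscp(output):
    """Parse 'show mls qos maps cos-dscp' output into a CoS-to-DSCP dict."""
    rows = {}
    for line in output.splitlines():
        key, sep, rest = line.strip().partition(":")
        if sep and key in ("cos", "dscp"):
            rows[key] = [int(x) for x in rest.split()]
    return dict(zip(rows["cos"], rows["dscp"]))


@dataclass
class QosMaps:
    """The maps a packet passes through; defaults match the chapter."""
    cos_to_dscp: dict
    dscp_to_cos: dict = field(default_factory=default_dscp_to_cos)
    policed_dscp: dict = field(default_factory=default_policed_dscp)
    dscp_mutation: dict = field(default_factory=dict)  # constructed sample


def classify_packet(maps, *, dscp=None, cos=None, mutate=False, mark_down=False):
    """Return (internal_dscp, egress_cos) for one packet.

    Exactly one of dscp (port trusts DSCP) or cos (port trusts CoS) is given.
    mutate applies the ingress DSCP-to-DSCP-mutation map at a domain boundary;
    mark_down applies the policed-DSCP map as a policer's marking action.
    """
    if (dscp is None) == (cos is None):
        raise ValueError("give exactly one of dscp or cos")
    if dscp is not None:
        if mutate:  # translate the neighbouring domain's DSCP into ours
            dscp = maps.dscp_mutation.get(dscp, dscp)
    else:
        dscp = maps.cos_to_dscp[cos]  # CoS-to-DSCP map gives the internal DSCP
    if mark_down:
        dscp = maps.policed_dscp[dscp]  # out-of-profile traffic is marked down
    return dscp, maps.dscp_to_cos[dscp]  # DSCP-to-CoS selects the egress queue


# Constructed sample: the chapter's cos-dscp example plus two made-up maps.
SAMPLE_MAPS = QosMaps(
    cos_to_dscp=cos_to_dscp_map([10, 15, 20, 25, 30, 35, 40, 45]),
    policed_dscp={**default_policed_dscp(), 45: 8, 40: 8},
    dscp_mutation={46: 40},
)

# Constructed 'show mls qos maps cos-dscp' output matching the chapter's example.
SAMPLE_SHOW = """\
   Cos-dscp map:
        cos:   0  1  2  3  4  5  6  7
     --------------------------------
       dscp:  10 15 20 25 30 35 40 45
"""

if __name__ == "__main__":
    assert parse_show_cos_dscp(SAMPLE_SHOW) == SAMPLE_MAPS.cos_to_dscp
    print(classify_packet(SAMPLE_MAPS, cos=5))                   # (35, 4)
    print(classify_packet(SAMPLE_MAPS, dscp=46, mutate=True))   # (40, 5)
    print(classify_packet(SAMPLE_MAPS, cos=7, mark_down=True))  # (8, 1)
```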
Mapping DSCP or CoS Values to an Ingress Queue and Setting WTD Thresholds

You can prioritize traffic by placing packets with particular DSCPs or CoSs into certain queues and adjusting the queue thresholds so that packets with lower priorities are dropped.

Beginning in privileged EXEC mode, follow these steps to map DSCP or CoS values to an ingress queue and to set WTD thresholds. This procedure is optional.
This example shows how to map DSCP values 0 to 6 to ingress queue 1 and to threshold 1 with a drop threshold of 50 percent.
Allocating Bandwidth Between the Ingress Queues

You need to specify how much of the available bandwidth is allocated between the ingress queues. The ratio of the weights is the ratio of the frequency in which the SRR scheduler sends packets from each queue. The bandwidth and the buffer allocation determine how much data can be buffered before packets are dropped. On ingress queues, SRR operates only in shared mode.
Configuring the Ingress Priority Queue

You should use the priority queue only for traffic that needs to be expedited (for example, voice traffic, which needs minimum delay and jitter). The priority queue is guaranteed part of the bandwidth to reduce the delay and jitter under heavy network traffic on an oversubscribed ring (when there is more traffic than the backplane can carry, and the queues are full and dropping frames).
Configuring Egress Queue Characteristics

Depending on the complexity of your network and your QoS solution, you might need to perform all of the tasks in the next sections.
Allocating Buffer Space to and Setting WTD Thresholds for an Egress Queue-Set

You can guarantee the availability of buffers, set WTD thresholds, and configure the maximum memory allocation for a queue-set by using the mls qos queue-set output qset-id threshold queue-id drop-threshold1 drop-threshold2 reserved-threshold maximum-threshold global configuration command.
Step 3  mls qos queue-set output qset-id threshold queue-id drop-threshold1 drop-threshold2 reserved-threshold maximum-threshold
Purpose: Configure the WTD thresholds, guarantee the availability of buffers, and configure the maximum memory allocation for the queue-set (four egress queues per port). By default, the WTD thresholds for queues 1, 3, and 4 are set to 100 percent. The thresholds for queue 2 are set to 50 percent.
Mapping DSCP or CoS Values to an Egress Queue and to a Threshold ID

You can prioritize traffic by placing packets with particular DSCPs or classes of service (CoSs) into certain queues and adjusting the queue thresholds so that packets with lower priorities are dropped.

Note: The egress queue default settings are suitable for most situations.
This example shows how to map DSCP values 10 and 11 to egress queue 1 and to threshold 2:

Switch(config)# mls qos srr-queue output dscp-map queue 1 threshold 2 10 11

Configuring SRR Shaped Weights on Egress Queues

You can specify how much of the available bandwidth is allocated to each queue. The ratio of the weights is the ratio of frequency in which the SRR scheduler sends packets from each queue.
This example shows how to configure bandwidth shaping on queue 1. Because the weight ratios for queues 2, 3, and 4 are set to 0, these queues operate in shared mode. The bandwidth weight for queue 1 is 1/8, which is 12.
Configuring the Egress Expedite Queue

Beginning in Cisco IOS Release 12.1(19)EA1, you can ensure that certain packets have priority over all others by queuing them in the egress expedite queue. SRR services this queue until it is empty before servicing the other queues.

Beginning in privileged EXEC mode, follow these steps to enable the egress expedite queue. This procedure is optional.
Limiting the Bandwidth on an Egress Interface

You can limit the bandwidth on an egress interface. For example, if a customer pays only for a small percentage of a high-speed link, you can limit the bandwidth to that amount.

Note: The egress queue default settings are suitable for most situations. You should change them only when you have a thorough understanding of the egress queues and if these settings do not meet your QoS solution.
Displaying Standard QoS Information

To display standard QoS information, use one or more of the privileged EXEC commands in Table 27-15:

Table 27-15 Commands for Displaying Standard QoS Information

Command                          Purpose
show class-map [class-map-name]  Display QoS class maps, which define the match criteria to classify traffic.
show mls qos                     Display global QoS configuration information.
Catalyst 2970 Switch Software Configuration Guide 27-66 78-15462-03
CHAPTER 28 Configuring EtherChannels

This chapter describes how to configure EtherChannels on Layer 2 interfaces on the Catalyst 2970 switch. EtherChannel provides fault-tolerant high-speed links between switches, routers, and servers. You can use it to increase the bandwidth between the wiring closets and the data center, and you can deploy it anywhere in the network where bottlenecks are likely to occur.
EtherChannel Overview

An EtherChannel consists of individual Gigabit Ethernet links bundled into a single logical link as shown in Figure 28-1.
Port-Channel Interfaces

When you create a Layer 2 EtherChannel, a port-channel logical interface is involved. You can create the EtherChannel in these ways:
• Use the channel-group interface configuration command. This command automatically creates the port-channel logical interface when the channel group gets its first physical interface.
administrative, and port parameter constraints. For example, PAgP groups the interfaces with the same speed, duplex mode, native VLAN, VLAN range, and trunking status and type. After grouping the links into an EtherChannel, PAgP adds the group to the spanning tree as a single switch port.

PAgP Modes

Table 28-1 shows the user-configurable EtherChannel PAgP modes for the channel-group interface configuration command.
Use the silent mode when the switch is connected to a device that is not PAgP-capable and seldom, if ever, sends packets. An example of a silent partner is a file server or a packet analyzer that is not generating traffic. In this case, running PAgP on a physical port connected to a silent partner prevents that switch port from ever becoming operational.
LACP Modes

Table 28-2 shows the user-configurable EtherChannel LACP modes for the channel-group interface configuration command.

Table 28-2 EtherChannel LACP Modes

Mode     Description
active   Places an interface into an active negotiating state in which the interface starts negotiations with other interfaces by sending LACP packets.
With source-MAC address forwarding, when packets are forwarded to an EtherChannel, they are distributed across the ports in the channel based on the source-MAC address of the incoming packet. Therefore, to provide load balancing, packets from different hosts use different ports in the channel, but packets from the same host use the same port in the channel.
Figure 28-3 Load Distribution and Forwarding Methods (figure: Catalyst 2970 switch with source-based forwarding enabled; EtherChannel; Cisco router with destination-based forwarding enabled)

Configuring EtherChannels

These sections describe how to configure EtherChannel on Layer 2 interfaces:
• Default EtherChannel Configuration, page 28-9
• EtherChannel Configuration Guidelines, page 28-9
• Configuring Layer 2 EtherChannels, page 28-10 (
Default EtherChannel Configuration

Table 28-3 shows the default EtherChannel configuration.

Table 28-3 Default EtherChannel Configuration

Feature                         Default Setting
Channel groups                  None assigned.
Port-channel logical interface  None defined.
PAgP mode                       No default.
PAgP learn method               Aggregate-port learning on all interfaces.
PAgP priority                   128 on all interfaces.
LACP mode                       No default.
• Do not configure an EtherChannel in both the PAgP and LACP modes. EtherChannel groups running PAgP and LACP can coexist on the same switch. Individual EtherChannel groups can run either PAgP or LACP, but they cannot interoperate.
• Do not configure a Switched Port Analyzer (SPAN) destination as part of an EtherChannel.
• Do not configure a secure port as part of an EtherChannel or the reverse.
Step 4  channel-group channel-group-number mode {auto [non-silent] | desirable [non-silent] | on} | {active | passive}
Purpose: Assign the interface to a channel group, and specify the PAgP or the LACP mode. For channel-group-number, the range is 1 to 12. For mode, select one of these keywords:
• auto—Enables PAgP only if a PAgP device is detected.
This example shows how to configure an EtherChannel.
Step 4  show etherchannel load-balance
Purpose: Verify your entries.

Step 5  copy running-config startup-config
Purpose: (Optional) Save your entries in the configuration file.

To return EtherChannel load balancing to the default configuration, use the no port-channel load-balance global configuration command.
Step 1  configure terminal
Purpose: Enter global configuration mode.

Step 2  interface interface-id
Purpose: Enter interface configuration mode, and specify the interface for transmission.

Step 3  pagp learn-method physical-port
Purpose: Select the PAgP learning method. By default, aggregation-port learning is selected, which means the switch sends packets to the source by using any of the interfaces in the EtherChannel.
Configuring LACP Hot-Standby Ports

When enabled, LACP tries to configure the maximum number of LACP-compatible ports in a channel, up to a maximum of 16 ports. Only eight LACP links can be active at one time. The software places any additional links in a hot-standby mode. If one of the active links becomes inactive, a link that is in the hot-standby mode becomes active in its place.
Step 4  show running-config or show lacp sys-id
Purpose: Verify your entries.

Step 5  copy running-config startup-config
Purpose: (Optional) Save your entries in the configuration file.

To return the LACP system priority to the default value, use the no lacp system-priority global configuration command.

Configuring the LACP Port Priority

By default, all ports use the same port priority.
Displaying EtherChannel, PAgP, and LACP Status

To display EtherChannel, PAgP, and LACP status information, use the privileged EXEC commands described in Table 28-4:

Table 28-4 Commands for Displaying EtherChannel, PAgP, and LACP Status

Command: show etherchannel [channel-group-number {detail | port | port-channel | protocol | summary}] {detail | load-balance | port | port-channel | protocol | summary}
Description: Displa
CHAPTER 29 Troubleshooting

This chapter describes how to identify and resolve software problems related to the Cisco IOS software on the Catalyst 2970 switch. Depending on the nature of the problem, you can use the command-line interface (CLI) or the Cluster Management Suite (CMS) to identify and solve problems. Additional troubleshooting information, such as LED descriptions, is provided in the hardware installation guide.
Recovering from Corrupted Software By Using the XMODEM Protocol

Switch software can be corrupted during an upgrade, by downloading the wrong file to the switch, and by deleting the image file. In all of these cases, the switch does not pass the power-on self-test (POST), and there is no connectivity. This procedure uses the XMODEM Protocol to recover from a corrupt or wrong image file.
2. Locate the bin file and extract it by using the tar -xvf UNIX command.

switch% tar -xvf image_filename.tar image_filename.bin
x c2970-i6l2-mz.121.11-AX/c2970-i6l2-mz.121.11-AX.bin, 2928176 bytes, 5720 tape blocks

3. Verify that the bin file was extracted by using the ls -l UNIX command.

switch% ls -l image_filename.
Recovering from a Lost or Forgotten Password

The default configuration for the switch allows an end user with physical access to the switch to recover from a lost password by interrupting the boot process during power-on and by entering a new password. These recovery procedures require that you have physical access to the switch.
Procedure with Password Recovery Enabled

If the password-recovery mechanism is enabled, this message appears:

The system has been interrupted prior to initializing the flash file system.
Step 9  Copy the configuration file into memory:

Switch# copy flash:config.text system:running-config
Source filename [config.text]?
Destination filename [running-config]?

Press Return in response to the confirmation prompts. The configuration file is now reloaded, and you can change the password.
• If you enter n (no), the normal boot process continues as if the Mode button had not been pressed; you cannot access the boot loader prompt, and you cannot enter a new password. You see the message:

Press Enter to continue........

• If you enter y (yes), the configuration file in Flash memory and the VLAN database file are deleted. When the default configuration loads, you can reset the password.
Step 9  Write the running configuration to the startup configuration file:

Switch# copy running-config startup-config

The new password is now in the startup configuration.

Note: This procedure is likely to leave your switch virtual interface in a shutdown state. You can see which interface is in this state by entering the show running-config privileged EXEC command.
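The check in the Note above can be scripted against saved show running-config output. The following Python audit is an added example, not code from the Catalyst 2970 guide: it lists interfaces left in the shutdown state (flagging the switch virtual interface, interface VlanN), confirms that an enable secret was written, and reports whether the global no service password-recovery command is present (a real Cisco IOS command that this page does not quote; the recovery procedure above only applies while the mechanism is enabled). The configuration text and the hash placeholder in it are constructed.

```python
"""Audit a saved 'show running-config' after password recovery.

Added example, not code from the Catalyst 2970 guide. The sample
configuration below is constructed; '<hash-placeholder>' stands in for the
real enable secret hash.
"""
import re

INTERFACE_RE = re.compile(r"^interface\s+(\S+)")


def parse_interfaces(config_text):
    """Return {interface_name: [its indented config lines]}."""
    interfaces = {}
    current = None
    for raw in config_text.splitlines():
        if raw.startswith("interface "):
            current = INTERFACE_RE.match(raw).group(1)
            interfaces[current] = []
        elif raw.startswith(" ") and current is not None:
            interfaces[current].append(raw.strip())
        else:
            current = None  # a non-indented line ('!', 'end', ...) ends the block
    return interfaces


def shutdown_interfaces(config_text):
    """Names of interfaces whose block contains a bare 'shutdown' line."""
    return sorted(
        name for name, lines in parse_interfaces(config_text).items()
        if "shutdown" in lines
    )


def shutdown_svis(config_text):
    """Subset of shutdown_interfaces that are SVIs (interface VlanN)."""
    return [n for n in shutdown_interfaces(config_text)
            if n.lower().startswith("vlan")]


def password_recovery_disabled(config_text):
    """True when the global 'no service password-recovery' command is set."""
    return any(line.strip() == "no service password-recovery"
               for line in config_text.splitlines())


def enable_secret_configured(config_text):
    """True when an 'enable secret' line exists (the enable secret is stored
    hashed, unlike the plain 'enable password')."""
    return any(line.startswith("enable secret ")
               for line in config_text.splitlines())


def audit(config_text):
    """Summarise the three facts a reviewer checks after Step 9."""
    return {
        "shutdown_svis": shutdown_svis(config_text),
        "enable_secret_configured": enable_secret_configured(config_text),
        "password_recovery_disabled": password_recovery_disabled(config_text),
    }


# Constructed sample of what 'show running-config' might show after Step 9.
SAMPLE_CONFIG = """\
version 12.1
hostname Switch
enable secret 5 <hash-placeholder>
!
interface GigabitEthernet0/1
 switchport mode access
!
interface Vlan1
 ip address 10.0.0.2 255.255.255.0
 shutdown
!
ip default-gateway 10.0.0.1
end
"""

if __name__ == "__main__":
    for key, value in audit(SAMPLE_CONFIG).items():
        print(f"{key}: {value}")
```

A shutdown SVI listed here means the switch still needs no shutdown on that interface before it is reachable over IP again.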
Step 3  Start a CLI session on the new command switch. You can access the CLI by using the console port or, if an IP address has been assigned to the switch, by using Telnet. For details about using the console port, refer to the switch hardware installation guide.

Step 4  At the switch prompt, enter privileged EXEC mode:

Switch> enable
Switch#

Step 5  Enter the password of the failed command switch.
Step 12  When prompted for the enable secret and enable passwords, enter the passwords of the failed command switch again.

Step 13  When prompted, make sure to enable the switch as the cluster command switch, and press Return.

Step 14  When prompted, assign a name to the cluster, and press Return. The cluster name can be 1 to 31 alphanumeric characters, dashes, or underscores.
Step 6  Enter Y at the first prompt. The prompts in the setup program vary depending on the switch you selected to be the command switch:

Continue with configuration dialog? [yes/no]: y

or

Configuring global parameters:

If this prompt does not appear, enter enable, and press Return. Enter setup, and press Return to start the setup program.

Step 7  Respond to the questions in the setup program.
Preventing Autonegotiation Mismatches

The IEEE 802.3AB autonegotiation protocol manages the switch settings for speed (10 Mbps, 100 Mbps, and 1000 Mbps, excluding SFP module ports) and duplex (half or full). There are situations when this protocol can incorrectly align these settings, reducing performance.
Using Ping

This section consists of this information:
• Understanding Ping, page 29-13
• Executing Ping, page 29-13

Understanding Ping

The switch supports IP ping, which you can use to test connectivity to remote hosts. Ping sends an echo request packet to an address and waits for a reply. Ping returns one of these responses:
• Normal response—The normal response (hostname is alive) occurs in 1 to 10 seconds, depending on network traffic.
Table 29-1 Ping Output Display Characters

Character   Description
!           Each exclamation point means receipt of a reply.
.           Each period means the network server timed out while waiting for a reply.
U           A destination unreachable error PDU was received.
C           A congestion experienced packet was received.
I           User interrupted test.
?           Unknown packet type.
&           Packet lifetime exceeded.
Note: For more information about enabling CDP, see Chapter 20, “Configuring CDP.”

• A switch is reachable from another switch when you can test connectivity by using the ping privileged EXEC command. All switches in the physical path must be reachable from each other.
• The maximum number of hops identified in the path is ten.
Using IP Traceroute

This section consists of this information:
• Understanding IP Traceroute, page 29-16
• Executing IP Traceroute, page 29-16

Understanding IP Traceroute

You can use IP traceroute to identify the path that packets take through the network on a hop-by-hop basis. The command output displays all network layer (Layer 3) devices, such as routers, that the traffic passes through on the way to the destination.
This example shows how to perform a traceroute to an IP host:

Switch# traceroute ip 171.9.15.10
Type escape sequence to abort.
Tracing the route to 171.69.115.10
  1 172.2.52.1 0 msec 0 msec 4 msec
  2 172.2.1.203 12 msec 8 msec 0 msec
  3 171.9.16.6 4 msec 0 msec 0 msec
  4 171.9.4.5 0 msec 4 msec 0 msec
  5 171.9.121.34 0 msec 4 msec 4 msec
  6 171.9.15.9 120 msec 132 msec 128 msec
  7 171.9.15.
Note: For complete syntax and usage information for specific debug commands, refer to the command reference for this release.

Enabling Debugging on a Specific Feature

All debug commands are entered in privileged EXEC mode, and most debug commands take no arguments.
Redirecting Debug and Error Message Output

By default, the network server sends the output from debug commands and system error messages to the console. If you use this default, you can use a virtual terminal connection to monitor debug output instead of connecting to the console port. Possible destinations include the console, virtual terminals, internal buffer, and UNIX hosts running a syslog server.
Lookup     Key-Used
OutptACL   50_0D020202_0D010101-00_40000014_000A0000
Port       Vlan   SrcMac           DstMac           Cos
Gi0/3      0005   0001.0001.0001   0002.0002.0002
------------------------------------------
Packet 2
Lookup     Key-Used
OutptACL   50_0D020202_0D010101-00_40000014_000A0000
Port       Vlan   SrcMac           DstMac
Gi0/4      0005   0001.0001.0001   0002.0002.
Using the crashinfo File

The crashinfo file saves information that helps Cisco technical support representatives to debug problems that caused the Cisco IOS image to fail (crash). The switch writes the crash information to the console at the time of the failure, and the file is created the next time you boot the Cisco IOS image after the failure (instead of while the system is failing).
APPENDIX A Supported MIBs

This appendix lists the supported management information bases (MIBs) for this release on the Catalyst 2970 switch. It contains these sections:
• MIB List, page A-1
• Using FTP to Access the MIB Files, page A-3

MIB List

• BRIDGE-MIB (RFC1493)

Note: The BRIDGE-MIB supports the context of a single VLAN. By default, SNMP messages using the configured community string always provide information for VLAN 1.
• CISCO-PAGP-MIB
• CISCO-PING-MIB
• CISCO-PROCESS-MIB
• CISCO-RTTMON-MIB
• CISCO-STACKMAKER-MIB
• CISCO-STP-EXTENSIONS-MIB
• CISCO-SYSLOG-MIB
• CISCO-TCP-MIB
• CISCO-VLAN-IFTABLE-RELATIONSHIP-MIB
• CISCO-VLAN-MEMBERSHIP-MIB
• CISCO-VTP-MIB
• ENTITY-MIB
• ETHERLIKE-MIB
• IEEE8023-LACP-MIB
• IF-MIB (In and out counters for VLANs are not supported.
Note: You can also use this URL for a list of supported MIBs for the Catalyst 2970 switch:
ftp://ftp.cisco.com/pub/mibs/supportlists/cat2970/cat2970-supportlist.html

You can access other information about MIBs and Cisco products on the Cisco web site:
http://www.cisco.com/public/sw-center/netmgmt/cmtk/mibs.shtml

Using FTP to Access the MIB Files

You can obtain each MIB file by using this procedure:

Step 1  Use FTP to access the server ftp.cisco.
APPENDIX B Working with the Cisco IOS File System, Configuration Files, and Software Images

This appendix describes how to manipulate the Catalyst 2970 Flash file system, how to copy configuration files, and how to archive (upload and download) software images to a switch.

Note: For complete syntax and usage information for the commands used in this chapter, refer to the switch command reference for this release and the Cisco IOS Configuration Fundamentals Command Reference for Release 12.1.
Displaying Available File Systems

To display the available file systems on your switch, use the show file systems privileged EXEC command as shown in this example.
Setting the Default File System

You can specify the file system or directory that the system uses as the default file system by using the cd filesystem: privileged EXEC command. You can set the default file system to omit the filesystem: argument from related commands.
Creating and Removing Directories

Beginning in privileged EXEC mode, follow these steps to create and remove a directory:

Step 1  dir filesystem:
Purpose: Display the directories on the specified file system. For filesystem:, use flash: for the system board Flash device.

Step 2  mkdir old_configs
Purpose: Create a new directory.
Some invalid combinations of source and destination exist.
Creating a tar File

To create a tar file and write files into it, use this privileged EXEC command:

archive tar /create destination-url flash:/file-url

For destination-url, specify the destination URL alias for the local or network file system and the name of the tar file to create.
c2970-i6l2-mz.121-6.AX1/html/ (directory)
c2970-i6l2-mz.121-6.AX1/html/foo.html (0 bytes)
c2970-i6l2-mz.121-6.AX1/c2970-i6l2-mz.121-6.AX1.bin (610856 bytes)
c2970-i6l2-mz.121-6.AX1/info (219 bytes)

This example shows how to display only the /html directory and its contents:

Switch# archive tar /table flash:c2970-tv0-m.tar c2970-i6l2-mz.121-6.AX1/html
c2970-i6l2-mz.121-6.
Working with Configuration Files

This section describes how to create, load, and maintain configuration files. Configuration files contain commands entered to customize the function of the Cisco IOS software. A way to create a basic configuration file is to use the setup program or to enter the setup privileged EXEC command.
Guidelines for Creating and Using Configuration Files

Creating configuration files can aid in your switch configuration. Configuration files can contain some or all of the commands needed to configure one or more switches. For example, you might want to download the same configuration file to several switches that have the same hardware configuration.
Creating a Configuration File By Using a Text Editor

When creating a configuration file, you must list commands logically so that the system can respond appropriately. This is one method of creating a configuration file:

Step 1  Copy an existing configuration from a switch to a server.
• Ensure that the configuration file to be downloaded is in the correct directory on the TFTP server (usually /tftpboot on a UNIX workstation).
• For download operations, ensure that the permissions on the file are set correctly. The permission on the file should be world-read.
• Before uploading the configuration file, you might need to create an empty file on the TFTP server.
Step 3  Upload the switch configuration to the TFTP server. Specify the IP address or host name of the TFTP server and the destination filename. Use one of these privileged EXEC commands:
• copy system:running-config tftp:[[[//location]/directory]/filename]
• copy nvram:startup-config tftp:[[[//location]/directory]/filename]

The file is uploaded to the TFTP server.
This section includes this information:
• Preparing to Download or Upload a Configuration File By Using FTP, page B-13
• Downloading a Configuration File By Using FTP, page B-13
• Uploading a Configuration File By Using FTP, page B-15

Preparing to Download or Upload a Configuration File By Using FTP

Before you begin downloading or uploading a configuration file by using FTP, d
Step 6  end
Purpose: Return to privileged EXEC mode.

Step 7  copy ftp:[[[//[username[:password]@]location]/directory]
Purpose: Using FTP, copy the configuration file from a network server to the running configuration or to the startup configuration file.
Uploading a Configuration File By Using FTP

Beginning in privileged EXEC mode, follow these steps to upload a configuration file by using FTP:

Step 1  Verify that the FTP server is properly configured by referring to the “Preparing to Download or Upload a Configuration File By Using FTP” section on page B-13.
Copying Configuration Files By Using RCP

The Remote Copy Protocol (RCP) provides another method of downloading, uploading, and copying configuration files between remote hosts and the switch. Unlike TFTP, which uses User Datagram Protocol (UDP), a connectionless protocol, RCP uses TCP, which is connection-oriented.
• When you upload a file to the RCP server, it must be properly configured to accept the RCP write request from the user on the switch. For UNIX systems, you must add an entry to the .rhosts file for the remote user on the RCP server.
This example shows how to specify a remote username of netadmin1. Then it copies the configuration file host2-confg from the netadmin1 directory on the remote server with an IP address of 172.16.101.
This example shows how to store a startup configuration file on a server:

Switch# configure terminal
Switch(config)# ip rcmd remote-username netadmin2
Switch(config)# end
Switch# copy nvram:startup-config rcp:
Remote host[]? 172.16.101.101
Name of configuration file to write [switch2-confg]?
Write file switch2-confg on host 172.16.101.
Working with Software Images

This section describes how to archive (download and upload) software image files, which contain the system software, Cisco IOS code, and the web management HTML files.
tar File Format of Images on a Server or Cisco.com

Software images located on a server or downloaded from Cisco.
Copying Image Files By Using TFTP

You can download a switch image from a TFTP server or upload the image from the switch to a TFTP server. You download a switch image file from a server to upgrade the switch software. You can overwrite the current image with the new one or keep the current image after a download.
Appendix B Working with the Cisco IOS File System, Configuration Files, and Software Images Working with Software Images • Before uploading the image file, you might need to create an empty file on the TFTP server. To create an empty file, enter the touch filename command, where filename is the name of the file you will use when uploading the image to the server.
Note If the Flash device has sufficient space to hold two images and you want to overwrite one of these images with the same version, you must specify the /overwrite option. If you specify the /leave-old-sw option, the existing files are not removed.
Copying Image Files By Using FTP
You can download a switch image from an FTP server or upload the image from the switch to an FTP server. You download a switch image file from a server to upgrade the switch software. You can overwrite the current image with the new one or keep the current image after a download. You upload a switch image file to a server for backup purposes.
If the server has a directory structure, the image file is written to or copied from the directory associated with the username on the server. For example, if the image file resides in the home directory of a user on the server, specify that user's name as the remote username.
Step 7 Command: archive download-sw /overwrite /reload ftp:[[//username[:password]@location]/directory]/image-name.tar
Purpose: Download the image file from the FTP server to the switch, and overwrite the current image.
• The /overwrite option overwrites the software image in Flash memory with the downloaded image.
The algorithm installs the downloaded image onto the system board Flash device (flash:). The image is placed into a new directory named with the software version string, and the BOOT environment variable is updated to point to the newly installed image.
The archive upload-sw command builds an image file on the server by uploading these files in order: info, the Cisco IOS image, and the HTML files. After these files are uploaded, the upload algorithm creates the tar file format.
Caution For the download and upload algorithms to operate properly, do not rename image names.
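The tar file format section and the upload-sw description above say an image archive carries three kinds of content (the info file, the Cisco IOS image and the HTML files) and warn that renaming image files breaks the download and upload algorithms. The following is an added example, not code from the guide or from Cisco, of a pre-flight check an administrator can run on the server before pointing a switch at an archive. The member naming rules it uses (a file named info, a .bin image, files below an html directory) and the version string in the sample archives are assumptions made for this example.

```python
import io
import tarfile

# Roles the upload algorithm is described as writing to the server, in order:
# the info file, the Cisco IOS image, then the HTML files.
REQUIRED_ROLES = ("info", "image", "html")


def classify_member(name):
    """Map an archive member path to its role in the image tar.

    The naming rules are assumptions for this example, not a Cisco
    specification: a file named 'info' (top level or inside the version
    directory), a '.bin' file for the IOS image, and anything below an
    'html' directory for the web management files.
    """
    parts = name.strip("/").split("/")
    base = parts[-1]
    if base == "info":
        return "info"
    if base.endswith(".bin"):
        return "image"
    if "html" in parts[:-1]:
        return "html"
    return None


def inspect_image_tar(data):
    """Classify every regular file in the tar bytes and report what is missing.

    Returns a dict with the version directories seen, members per role,
    members that fit no role, the roles that are absent, and an 'ok' flag
    that requires every role present and exactly one version directory.
    """
    found = {role: [] for role in REQUIRED_ROLES}
    unknown = []
    top_dirs = set()
    with tarfile.open(fileobj=io.BytesIO(data), mode="r:*") as tar:
        for member in tar.getmembers():
            if not member.isfile():
                continue
            parts = member.name.strip("/").split("/")
            if len(parts) > 1:
                top_dirs.add(parts[0])
            role = classify_member(member.name)
            if role is None:
                unknown.append(member.name)
            else:
                found[role].append(member.name)
    missing = [role for role in REQUIRED_ROLES if not found[role]]
    return {
        "version_dirs": sorted(top_dirs),
        "found": found,
        "unknown": unknown,
        "missing": missing,
        "ok": not missing and len(top_dirs) == 1,
    }


def build_sample_tar(members):
    """Build an in-memory tar from {path: bytes}; used only for constructed samples."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for path, content in members.items():
            info = tarfile.TarInfo(name=path)
            info.size = len(content)
            tar.addfile(info, io.BytesIO(content))
    return buf.getvalue()


# Constructed sample archives; the version string is a placeholder, not a real release.
GOOD_IMAGE = build_sample_tar({
    "info": b"version_suffix: EXAMPLE\n",
    "c2970-example-mz.EXAMPLE/info": b"version_suffix: EXAMPLE\n",
    "c2970-example-mz.EXAMPLE/c2970-example-mz.EXAMPLE.bin": b"\x00" * 64,
    "c2970-example-mz.EXAMPLE/html/index.html": b"<html></html>\n",
})

RENAMED_IMAGE = build_sample_tar({
    "c2970-example-mz.EXAMPLE/info": b"version_suffix: EXAMPLE\n",
    # image file renamed without the .bin suffix, so no IOS image is recognised
    "c2970-example-mz.EXAMPLE/c2970-example-mz.EXAMPLE.img": b"\x00" * 64,
    "c2970-example-mz.EXAMPLE/html/index.html": b"<html></html>\n",
})


if __name__ == "__main__":
    for label, blob in (("good", GOOD_IMAGE), ("renamed", RENAMED_IMAGE)):
        report = inspect_image_tar(blob)
        print(label, "ok" if report["ok"] else "missing: " + ", ".join(report["missing"]))
```

The second sample shows what the Caution is about: once the image file is renamed, the archive still opens fine but no longer contains anything the check recognises as the IOS image, which is the condition the switch-side algorithms cannot recover from.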
RCP requires a client to send a remote username on each RCP request to a server. When you copy an image from the switch to a server by using RCP, the Cisco IOS software sends the first valid username in this list:
• The username specified in the archive download-sw or archive upload-sw privileged EXEC command if a username is specified.
Downloading an Image File By Using RCP
You can download a new image file and replace or keep the current image. Beginning in privileged EXEC mode, follow Steps 1 through 6 to download a new image from an RCP server and overwrite the existing image. To keep the current image, skip Step 6.
Step 7 Command: archive download-sw /leave-old-sw /reload rcp:[[[//[username@]location]/directory]/image-name.tar]
Purpose: Download the image file from the RCP server to the switch, and keep the current image.
• The /leave-old-sw option keeps the old software version after a download.
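The FTP and RCP download steps above give the URL forms the archive command accepts, and the FTP form is the only one that can carry a password on the command line. The following is an added example, not code from the guide or from Cisco, that parses those two forms plus the tftp: prefix and returns the findings a reviewer would want before the command is typed at the switch. The grammar is a reading of the two forms as printed here rather than a Cisco specification, and the host, usernames and credentials in the samples are constructed placeholders.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Grammar assumed from the two command forms shown in the FTP and RCP steps
# above; it is a reading of those forms, not a Cisco specification:
#   ftp:[[//username[:password]@location]/directory]/image-name.tar
#   rcp:[[[//[username@]location]/directory]/image-name.tar]
URL_RE = re.compile(
    r"^(?P<scheme>ftp|rcp|tftp):"
    r"(?://(?:(?P<user>[^:@/]+)(?::(?P<password>[^@/]*))?@)?(?P<host>[^/]+))?"
    r"(?P<path>.*)$"
)


@dataclass
class ArchiveTarget:
    scheme: str
    user: Optional[str]
    password: Optional[str]
    host: Optional[str]
    directory: str
    filename: str


def parse_archive_url(url: str) -> ArchiveTarget:
    """Split an archive download-sw / upload-sw URL into its parts."""
    m = URL_RE.match(url)
    if not m:
        raise ValueError("not an ftp:, rcp: or tftp: URL: %r" % url)
    directory, _, filename = m.group("path").rpartition("/")
    return ArchiveTarget(
        scheme=m.group("scheme"),
        user=m.group("user"),
        password=m.group("password"),
        host=m.group("host"),
        directory=directory,
        filename=filename,
    )


def audit_archive_url(url: str) -> List[str]:
    """Review a URL before it is typed at the switch; returns a list of findings."""
    t = parse_archive_url(url)
    findings = []
    if t.password is not None:
        findings.append("password is embedded in the command line; FTP sends it unencrypted")
    if t.scheme == "rcp" and t.password is not None:
        findings.append("the rcp: form takes no password; remove it")
    if t.scheme == "rcp" and t.user is None:
        findings.append("no username in the rcp: URL; the switch will choose the remote username by its own rules")
    if t.filename and not t.filename.endswith(".tar"):
        findings.append("image file name should end in .tar")
    if not t.filename:
        findings.append("no image file name in the URL")
    return findings


if __name__ == "__main__":
    # Constructed sample URLs; the host and credentials are placeholders.
    for sample in (
        "ftp://netadmin1:s3cret@172.16.101.101/images/c2970-example.tar",
        "rcp://netadmin1@172.16.101.101/c2970-example.tar",
        "rcp://172.16.101.101/c2970-example.tar",
    ):
        print(sample, "->", audit_archive_url(sample) or ["no findings"])
```

The directory component comes out as everything before the last slash, which matches the guide's note that on a server with a directory structure the file is written to or read from the directory tied to the username unless a directory is given explicitly.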
Uploading an Image File By Using RCP
You can upload an image from the switch to an RCP server. You can later download this image to the same switch or to another switch of the same type. The upload feature should be used only if the HTML pages associated with the Cluster Management Suite (CMS) have been installed with the existing image.
Appendix C Unsupported Commands in Cisco IOS Release 12.1(19)EA1
This appendix lists some of the command-line interface (CLI) commands that appear when you enter the question mark (?) at the Catalyst 2970 switch prompt but are not supported in this release, either because they are not tested, or because of Catalyst 2970 hardware limitations. This is not a complete list. The unsupported commands are listed by software feature and command mode.
VLAN
Unsupported Interface Configuration Commands
spanning-tree stack-port
Unsupported vlan-config Commands
private-vlan
Unsupported User EXEC Commands
show running-config vlan
show vlan ifindex
show vlan private-vlan
VTP
Unsupported Privileged EXEC Commands
vtp {password password | pruning | version number}
Note This command has been replaced by the vtp global configuration command.