manualshive.com logo in svg

Cisco 2948G - Catalyst Switch, Configuration Manual

Share
Download
Cisco 2948G - Catalyst Switch Configuration Manual Download Page 501

   

31-3

Catalyst 4500 Series, Catalyst 2948G, Catalyst 2980G Switches Software Configuration Guide

Release 8.1

78-15486-01

Chapter 31      Configuring 802.1x Authentication

Understanding How 802.1x Authentication Works

Authentication Initiation and Message Exchange

The switch or the host can initiate authentication. If you enable authentication on a port by using the set 
port dot1x mod/port port-control auto command, the switch must initiate authentication when it 
determines that the port link state transitions from down to up. The switch sends an EAP-request/identity 
frame to the host to request its identity (typically, the switch sends an initial identity/request frame that 
is followed by one or more requests for authentication information). When the host receives the frame, 
it sends an EAP-response/identity frame.

However, if during bootup, the host does not receive an EAP-request/identity frame from the switch, the 
host can initiate authentication by sending an EAPOL-start frame, which prompts the switch to request 
the host’s identity.

Note

If 802.1x is not enabled or supported on the network access device, any EAPOL frames from the host 
are dropped. If the host does not receive an EAP-request/identity frame after three attempts to start 
authentication, the host transmits frames as if the port is in the authorized state. A port that is in the 
authorized state means that the host has been successfully authenticated. For more information, see the 

“Ports in Authorized and Unauthorized States” section on page 31-4

.

When the host supplies its identity, the switch acts as the intermediary, passing EAP frames between the 
host and the authentication server until authentication succeeds or fails. If the authentication succeeds, 
the switch port becomes authorized. For more information, see the 

“Ports in Authorized and 

Unauthorized States” section on page 31-4

.

The specific exchange of EAP frames depends on the authentication method that is being used. 

Figure 31-2

 shows a message exchange that is initiated by the host using the One-Time-Password (OTP) 

authentication method with a RADIUS server.

Figure 31-2 Message Exchange

Supplicant

Catalyst switch

Port Authorized

Port Unauthorized

EAPOL-Start

EAP-Request/Identity

EAP-Response/Identity

EAP-Request/OTP

EAP-Response/OTP

EAP-Success

RADIUS Access-Request

RADIUS Access-Challenge

RADIUS Access-Request

RADIUS Access-Accept

EAPOL-Logoff

Authentication

server

(RADIUS)

79598

Summary of Contents for 2948G - Catalyst Switch

Page 1: ... Jose CA 95134 1706 USA http www cisco com Tel 408 526 4000 800 553 NETS 6387 Fax 408 526 4100 Catalyst 4500 Series Catalyst 2948G Catalyst 2980G Switches Software Configuration Guide Software Release 8 1 Customer Order Number DOC 7815486 Text Part Number 78 15486 01 ...

Page 2: ...DAMAGES INCLUDING WITHOUT LIMITATION LOST PROFITS OR LOSS OR DAMAGE TO DATA ARISING OUT OF THE USE OR INABILITY TO USE THIS MANUAL EVEN IF CISCO OR ITS SUPPLIERS HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES CCIP CCSP the Cisco Arrow logo the Cisco Powered Network mark Cisco Unity Follow Me Browsing FormShare and StackWise are trademarks of Cisco Systems Inc Changing the Way We Work Live Pl...

Page 3: ...cal Assistance Center xxix Obtaining Additional Publications and Information xxx C H A P T E R 1 Product Overview 1 1 Catalyst 4000 Series Switches 1 1 Catalyst 2948G Switch 1 2 Catalyst 2980G Switch 1 3 Supervisor Engine Software 1 3 C H A P T E R 2 Using the Command Line Interface 2 1 Switch CLI Overview 2 1 Accessing the Switch CLI 2 2 Accessing the CLI Through the Console Port 2 2 Accessing th...

Page 4: ...etting the Management Ethernet me1 Interface IP Address 3 6 Configuring Default Gateways 3 6 Configuring the SLIP sl0 Interface on the Console Port 3 8 Using DHCP or RARP to Obtain an IP Address Configuration 3 9 Renewing and Releasing a DHCP Assigned IP Address 3 10 C H A P T E R 4 Configuring Ethernet and Fast Ethernet Switching 4 1 Understanding How Ethernet Works 4 1 Ethernet Overview 4 1 Swit...

Page 5: ...Port Connectivity 5 10 C H A P T E R 6 Configuring Fast EtherChannel and Gigabit EtherChannel 6 1 Understanding How EtherChannel Works 6 1 EtherChannel Overview 6 2 Understanding Frame Distribution 6 2 Hardware Support for EtherChannel 6 2 PAgP and LACP 6 2 EtherChannel Configuration Guidelines and Restrictions 6 3 Guidelines for Configuring a Port 6 3 Guidelines for Configuring VLANs and Trunks 6...

Page 6: ...1 Displaying EtherChannel Traffic Utilization 6 21 Disabling an EtherChannel 6 22 Displaying Spanning Tree Related Information for EtherChannels 6 22 C H A P T E R 7 Configuring Spanning Tree 7 1 Understanding How STPs Work 7 2 Understanding How a Topology Is Created 7 2 Understanding How a Switch or Port Becomes the Root Switch or Root Port 7 3 Understanding BPDUs 7 4 Calculating and Assigning Po...

Page 7: ... PVST Mode or MISTP Mode 7 31 Configuring the MISTP Bridge ID Priority 7 32 Enabling an MISTP Instance 7 36 Mapping VLANs to an MISTP Instance 7 36 Disabling MISTP PVST or MISTP 7 39 Configuring a Root Switch 7 39 Configuring a Primary Root Switch 7 39 Configuring a Secondary Root Switch 7 40 Configuring a Root Switch to Improve Convergence 7 41 Using Root Guard Preventing Switches from Becoming R...

Page 8: ...tFast BPDU Filtering 8 13 Enabling PortFast BPDU Filtering 8 13 Disabling PortFast BPDU Filtering 8 14 Configuring UplinkFast 8 15 Enabling UplinkFast 8 15 Disabling UplinkFast 8 16 Configuring BackboneFast 8 17 Enabling BackboneFast 8 17 Displaying BackboneFast Statistics 8 17 Disabling BackboneFast 8 18 Configuring Loop Guard 8 18 Enabling Loop Guard 8 18 Disabling Loop Guard 8 19 C H A P T E R ...

Page 9: ...ring VTP Version 3 9 22 Enabling VTP Version 3 9 22 Changing VTP Version 3 Modes 9 23 Configuring VTP Version 3 Passwords 9 27 Configuring a VTP Version 3 Takeover 9 28 Disabling VTP Version 3 on a Per Port Basis 9 29 VTP Version 3 show Commands 9 29 C H A P T E R 10 Configuring VLANs 10 1 Understanding How VLANs Work 10 1 VLAN Ranges 10 3 Configurable VLAN Parameters 10 4 VLAN Default Configurati...

Page 10: ...g a Trunk Link 11 5 Configuring an 802 1Q Trunk 11 5 Defining the Allowed VLANs on a Trunk 11 6 Disabling a Trunk Port 11 7 Disabling VLAN 1 on a Trunk Link 11 8 Example VLAN Trunk Configurations 11 9 802 1Q Trunk over a Gigabit EtherChannel Link Example 11 9 Load Sharing VLAN Traffic over Parallel Trunks Example 11 13 802 1Q Nonegotiate Trunk Configuration Example 11 19 C H A P T E R 12 Configuri...

Page 11: ...RP Dynamic VLAN Creation 13 4 Configuring GVRP Registration 13 4 Sending GVRP VLAN Declarations from Blocking Ports 13 6 Setting the GARP Timers 13 6 Displaying GVRP Statistics 13 7 Clearing GVRP Statistics 13 8 Disabling GVRP on Individual 802 1Q Trunk Ports 13 8 Disabling GVRP Globally 13 8 C H A P T E R 14 Configuring QoS 14 1 Understanding How QoS Works 14 1 QoS Overview 14 1 Understanding QoS...

Page 12: ...rocessing 15 5 Displaying Multicast Router Information 15 6 Displaying Multicast Group Information 15 6 Displaying CGMP Statistics 15 7 Disabling CGMP Leave Processing 15 8 Disabling CGMP Fast Leave Processing 15 8 Disabling CGMP 15 8 Configuring GMRP 15 9 GMRP Software Requirements 15 9 Default GMRP Configuration 15 9 Enabling GMRP Globally 15 9 Enabling GMRP on Individual Switch Ports 15 10 Disa...

Page 13: ...Switch 16 3 Enabling Port Security 16 3 Setting the Maximum Number of Secure MAC Addresses 16 4 Setting the Port Security Age Time 16 5 Clearing MAC Addresses 16 5 Configuring Unicast Flood Blocking on Secure Ports 16 6 Enabling MAC Address Notification 16 7 Setting the Security Violation Action 16 8 Setting the Shutdown Time 16 9 Disabling Port Security 16 9 Restricting Traffic for a Host MAC Add...

Page 14: ...Filtering 19 3 C H A P T E R 20 Checking Status and Connectivity 20 1 Checking Module Status 20 1 Checking Port Status 20 2 Displaying the Port MAC Address 20 4 Displaying Port Capabilities 20 5 Using Telnet 20 6 Changing the Login Timer 20 6 Using Secure Shell Encryption for Telnet Sessions 20 7 Monitoring User Sessions 20 8 Using Ping 20 9 Understanding How Ping Works 20 9 Executing Ping 20 10 U...

Page 15: ...nts 23 2 Default UDLD Configuration 23 2 Configuring UDLD on the Switch 23 3 Enabling UDLD Globally 23 3 Enabling UDLD on Individual Ports 23 4 Disabling UDLD on Individual Ports 23 4 Disabling UDLD Globally 23 4 Specifying the UDLD Message Interval 23 5 Enabling UDLD Aggressive Mode 23 5 Displaying the UDLD Configuration 23 6 C H A P T E R 24 Configuring SNMP 24 1 SNMP Terminology 24 1 Understand...

Page 16: ...Reflector Port 26 3 Ingress SPAN 26 3 Egress SPAN 26 3 VSPAN 26 3 Trunk VLAN Filtering 26 4 SPAN Traffic 26 4 SPAN and RSPAN Session Limits 26 4 Configuring SPAN 26 4 Understanding How SPAN Works 26 4 SPAN Configuration Guidelines 26 5 Configuring SPAN 26 6 Configuring RSPAN 26 8 RSPAN Software and Hardware Requirements 26 8 Understanding How RSPAN Works 26 8 RSPAN Configuration Guidelines 26 9 Co...

Page 17: ...4 Power Management Limitations 28 4 1400 W DC Power Supply Guidelines and Restrictions 28 5 Understanding How Power Management Works on the Catalyst 4006 Switch 28 6 Understanding Power Redundancy 28 6 1 1 Redundancy Mode Guidelines and Restrictions 28 7 1 1 Redundancy Mode Limitations 28 7 Power Consumption for Modules 28 9 Migrating a Supervisor Engine II from a Catalyst 4006 Switch to a Catalys...

Page 18: ...ow RADIUS Authentication Works 30 4 Understanding How Kerberos Authentication Works 30 5 Configuring Authentication 30 8 Authentication Default Configuration 30 8 Authentication Configuration Guidelines 30 9 Configuring Login Authentication 30 9 Configuring Local Authentication 30 12 Configuring Local User Authentication 30 15 Configuring TACACS Authentication 30 17 Configuring RADIUS Authenticati...

Page 19: ...cation Configuration Guidelines 31 8 Configuring 802 1x Authentication on the Switch 31 8 Enabling 802 1x Globally 31 8 Disabling 802 1x Globally 31 8 Enabling and Initializing 802 1x Authentication for Individual Ports 31 9 Setting and Enabling Automatic Reauthentication of the Host 31 10 Manually Reauthenticating the Host 31 10 Enabling Multiple Hosts 31 11 Disabling Multiple Hosts 31 11 Setting...

Page 20: ...ble 32 6 Clearing the BOOT Environment Variable Settings 32 7 Setting and Clearing the CONFIG_FILE Environment Variable 32 7 Setting the CONFIG_FILE Environment Variable 32 7 Clearing CONFIG_FILE Environment Variable Entries 32 8 Displaying the Switch Boot Configuration 32 8 C H A P T E R 33 Working with System Software Images 33 1 Software Image Naming Conventions 33 1 Downloading System Software...

Page 21: ...rking with Configuration Files 35 1 Creating and Using Configuration Files Guidelines 35 1 Creating a Configuration File 35 2 Configuring the Switch Using a File in Flash Memory 35 2 Copying Configuration Files Using TFTP 35 3 Downloading Configuration Files from a TFTP Server 35 3 Uploading Configuration Files to a TFTP Server 35 4 Copying Configuration Files Using rcp 35 5 Downloading Configurat...

Page 22: ...nfiguration 37 9 Displaying System Messages 37 10 C H A P T E R 38 Configuring DNS 38 1 Understanding How DNS Works 38 1 Default DNS Configuration 38 1 Configuring DNS on the Switch 38 2 Setting Up and Enabling DNS 38 2 Clearing a DNS Server 38 3 Clearing the DNS Domain Name 38 3 Disabling DNS 38 3 C H A P T E R 39 Configuring NTP 39 1 Understanding How NTP Works 39 1 Default NTP Configuration 39 ...

Page 23: ...rfaces CLIs Chapter 3 Configuring the Switch IP Address and Default Gateway Describes how to perform a baseline configuration of the switch Chapter 4 Configuring Ethernet and Fast Ethernet Switching Describes how to configure Ethernet and Fast Ethernet switching on the switch Chapter 5 Configuring Gigabit Ethernet Switching Describes how to configure Gigabit Ethernet switching on the switch Chapte...

Page 24: ...16 Configuring Port Security Describes how to configure port security on the switch Chapter 17 Configuring Unicast Flood Blocking Describes how to configure unicast flood blocking on the switch Chapter 18 Configuring the IP Permit List Describes how to configure IP permit list on the switch Chapter 19 Configuring Protocol Filtering Describes how to configure protocol filtering on Ethernet Fast Eth...

Page 25: ...pter 29 Configuring VoIP Describes how to configure your Voice over IP VoIP network Chapter 30 Configuring Switch Access Using AAA Describes how to configure local and TACACS authentication on the switch Chapter 31 Configuring 802 1x Authentication Describes how to configure IEEE 802 1x authentication on the switch Chapter 32 Modifying the Switch Boot Configuration Describes how to modify the swit...

Page 26: ...nds command options and keywords are in boldface italic font Arguments for which you supply values are in italics Elements in square brackets are optional x y z Alternative keywords are grouped in braces and separated by vertical bars x y z Optional alternative keywords are grouped in brackets and separated by vertical bars string A nonquoted set of characters Do not use quotation marks around the...

Page 27: ...isco documentation and additional literature are available in a Cisco Documentation CD ROM package which may have shipped with your product The Documentation CD ROM is updated regularly and may be more current than printed documentation The CD ROM package is available as a single unit or through an annual or quarterly subscription Registered Cisco com users can order a single Documentation CD ROM ...

Page 28: ...sco provides Cisco com which includes the Cisco Technical Assistance Center TAC website as a starting point for all technical assistance Customers and partners can obtain online documentation troubleshooting tips and sample configurations from the Cisco TAC website Cisco com registered users have complete access to the technical support resources on the Cisco TAC website including TAC tools and ut...

Page 29: ...itical impact to your business operations You and Cisco will commit all necessary resources around the clock to resolve the situation Cisco TAC Website The Cisco TAC website provides online documents and tools to help troubleshoot and resolve technical issues with Cisco products and technologies To access the Cisco TAC website go to this URL http www cisco com tac All customers partners and resell...

Page 30: ...ng Design Guide For current Cisco Press titles and other information go to Cisco Press online at this URL http www ciscopress com Packet magazine is the Cisco quarterly publication that provides the latest networking trends technology breakthroughs and Cisco products and solutions to help industry professionals get the most from their networking investment Included are networking deployment and tr...

Page 31: ... Switch page 1 2 Catalyst 2980G Switch page 1 3 Supervisor Engine Software page 1 3 Catalyst 4000 Series Switches Note For installation information and a complete description of the Catalyst 4000 series switch hardware refer to the Catalyst 4000 Series Installation Guide Catalyst 4500 Series Switch Installation Guide and the Catalyst 4912G Installation Guide Table 1 1 describes the Catalyst 4000 s...

Page 32: ...ional redundant power supplies 12 1000BASE X GBIC Gigabit Ethernet ports Catalyst 4500 Series WS C4503 Catalyst 4503 Modular 3 slot chassis 28 Gbps full duplex backplane Optional redundant power supplies WS C4506 Catalyst 4506 Modular 6 slot chassis 64 Gbps full duplex Optional redundant power supplies Table 1 1 Catalyst 4000 Series and Catalyst 4500 Series Switches continued Product Number Chassi...

Page 33: ...d configuration switch Some modules require an additional software image which is factory installed on the module The Catalyst enterprise LAN switches share a command line interface CLI with which you can configure modules and ports on the switches For more information see Chapter 2 Using the Command Line Interface For descriptions of the available CLI commands refer to the Catalyst 4500 Series Ca...

Page 34: ...1 4 Catalyst 4500 Series Catalyst 2948G Catalyst 2980G Switches Software Configuration Guide Release 8 1 78 15486 01 Chapter 1 Product Overview Supervisor Engine Software ...

Page 35: ...hese sections Switch CLI Overview page 2 1 Accessing the Switch CLI page 2 2 Switch CLI Command Modes page 2 3 Accessing Help page 2 4 Command Line Editing page 2 5 History Substitution page 2 6 Abbreviating a Command page 2 6 Completing a Partial Command page 2 6 Scrolling Through Command Output page 2 6 Using Command Aliases page 2 7 Specifying Modules Ports and VLANs page 2 7 Specifying MAC Add...

Page 36: ...rmation on how to connect a terminal to the supervisor engine console port refer to the hardware documentation for your switch To access the switch CLI through the console port you first must connect a console terminal to the console port through an EIA TIA 232 RS 232 cable Make sure that the terminal is connected to the switch and that the terminal is on To access the switch CLI through the conso...

Page 37: ...tch using the IP address or the DNS host name of the switch You must configure DNS properly on the switch and on your network name server in order to use DNS host names For more information on DNS see Chapter 38 Configuring DNS This example shows how to use the telnet command to connect to a switch with the DNS host name Catalyst_1 unix_host telnet Catalyst_1 Trying 172 16 10 10 Connected to Catal...

Page 38: ...l mode enter the enable command On a new switch the privileged mode password is null If you are connecting to a new switch press Return at the Enter Password prompt Otherwise enter the privileged mode password for the switch Console enable Enter password privileged_mode_password Console enable Step 2 To exit privileged mode and return to normal mode enter the disable command Console enable disable...

Page 39: ...e switch CLI supports a number of command line editing keystrokes Table 2 1 lists the keystrokes you can use when entering and editing switch commands Table 2 1 Command Line Editing Keystrokes Keystroke Function Ctrl A Jumps to the first character of the command line Ctrl B or the Left Arrow key1 1 The arrow keys function only on ANSI compatible terminals such as VT100s Moves the cursor back one c...

Page 40: ...ess the Tab key the system completes the command as configure because it is the only command that matches the criteria Scrolling Through Command Output When the output of a command fills more than one terminal screen the output is displayed through the More program a More prompt is displayed at the bottom of the screen The More program is used for any output that has more lines than can be display...

Page 41: ...fer to the module number not the slot number For example all of the user configurable ports on these switches are logically on module 2 On modules that have user configurable ports the left most port is always port 1 To designate a specific port on a specific module the command syntax is mod_num port_num For example 3 1 specifies module 3 port 1 On the Catalyst 4912G the Catalyst 2948G and the Cat...

Page 42: ...IP alias The IP address format is 32 bits written in dotted decimal format as shown in the following example 172 16 10 1 If DNS is configured properly on the switch you can use IP host names instead of IP addresses For information on configuring DNS see Chapter 38 Configuring DNS You can also configure IP aliases on the switch which you can use in place of IP addresses IP aliases can be used for m...

Page 43: ...isplay of a Catalyst 4003 switch The display on the Catalyst 4912G the Catalyst 2948G and the Catalyst 2980G switches are similar WS X4012 bootrom version 4 5 1 built on 1999 03 29 21 04 04 H W Revisions Meteor 4 Comet 8 Board 2 Supervisor MAC addresses 00 d0 58 70 a1 00 through 00 d0 58 70 a4 ff 1024 addresses Installed memory 32 MB Testing LEDs done The system will autoboot in 5 seconds Type con...

Page 44: ... with address 00 d0 58 70 a4 ff Sending BOOTP request with address 00 d0 58 70 a4 ff Sending RARP request with address 00 d0 58 70 a4 ff Sending BOOTP request with address 00 d0 58 70 a4 ff Sending RARP request with address 00 d0 58 70 a4 ff Sending BOOTP request with address 00 d0 58 70 a4 ff Sending RARP request with address 00 d0 58 70 a4 ff Sending BOOTP request with address 00 d0 58 70 a4 ff ...

Page 45: ...ay Configuration page 3 5 Setting the In Band sc0 Interface IP Address page 3 5 Setting the Management Ethernet me1 Interface IP Address page 3 6 Configuring Default Gateways page 3 6 Configuring the SLIP sl0 Interface on the Console Port page 3 8 Using DHCP or RARP to Obtain an IP Address Configuration page 3 9 Renewing and Releasing a DHCP Assigned IP Address page 3 10 Understanding How the Swit...

Page 46: ...terfaces the me1 interface is brought down to allow BOOTP and RARP requests to broadcast out the sc0 interface Note When the switch boots with the IP address 0 0 0 0 configured on both the sc0 and me1 interfaces the me1 interface is automatically brought down by the switch software You are not asked to confirm the change and no console messages or traps are generated in this case Duplicate IP addr...

Page 47: ... to the switch Dynamic allocation The switch obtains a leased IP address for a specified period of time The IP address is revoked at the end of this period and the switch surrenders the address The switch must request another IP address In addition to the sc0 interface IP address the switch can obtain the subnet mask broadcast address default gateway address and other information DHCP learned valu...

Page 48: ... boots up The switch broadcasts ten RARP requests after all of the switch ports are online If a response is received the switch sets the in band sc0 interface IP address to the address that is specified in the RARP response If no reply is received the sc0 interface IP address remains set to 0 0 0 0 provided that DHCP requests fail as well If you reset or power cycle a switch with a RARP obtained I...

Page 49: ...fy the VLAN assignment for the in band sc0 interface Console enable set interface sc0 172 20 52 124 29 Interface sc0 IP address and netmask set Console enable set interface sc0 5 Interface sc0 vlan set Console enable Table 3 2 Switch IP Address and Default Gateway Default Configuration Feature Default Value In band sc0 interface IP address subnet mask and broadcast address set to 0 0 0 0 Assigned ...

Page 50: ...et bits or using the subnet mask in dotted decimal format To set the management Ethernet me1 interface IP address perform this task in privileged mode This example shows how to assign an IP address and subnet mask to the management Ethernet me1 interface and how to verify the interface configuration Console enable set interface me1 172 20 52 12 255 255 255 224 Interface me1 IP address and netmask ...

Page 51: ... sc0 and management Ethernet me1 interfaces are configured when you specify default gateways then the switch software automatically determines through which interface each default gateway can be reached To specify one or more default gateways perform this task in privileged mode To remove default gateway entries perform one of these tasks in privileged mode This example shows how to configure thre...

Page 52: ...way 172 20 52 33 Destination Gateway RouteMask Flags Use Interface default 10 1 1 1 0x0 G 0 me1 default 172 20 52 33 0x0 UG 12 sc0 172 20 52 32 4000 2 0xfffffff0 U 180 sc0 10 1 1 0 10 1 1 100 0xffffff00 U 22 me1 Console enable Configuring the SLIP sl0 Interface on the Console Port Use the SLIP sl0 interface for point to point SLIP connections between the switch and an IP host Caution You must use ...

Page 53: ...flags 62 DOWN BROADCAST RUNNING inet 10 1 1 100 netmask 255 255 255 0 broadcast 10 1 1 255 Console enable slip attach Console Port now running SLIP Console enable slip detach SLIP detached on Console port Console enable Using DHCP or RARP to Obtain an IP Address Configuration Note For complete information on how the switch uses DHCP or RARP to obtain its IP configuration see the Understanding How ...

Page 54: ...172 20 25 244 netmask 255 255 255 0 broadcast 172 20 25 255 dhcp server 172 20 25 254 Console Renewing and Releasing a DHCP Assigned IP Address If you are using DHCP for IP address assignment you can perform either of these tasks Renew Renew the lease on a DHCP assigned IP address Release Release the lease on a DHCP assigned IP address To renew or release a DHCP assigned IP address on the in band ...

Page 55: ...xample shows how to renew the lease on a DHCP assigned IP address Console enable set interface sc0 dhcp renew Renewing IP address Console enable Sending DHCP packet with address 00 90 0c 5a 8f ff output truncated This example shows how to release the lease on a DHCP assigned IP address Console enable set interface sc0 dhcp release Releasing IP address Console enable Sending DHCP packet with addres...

Page 56: ...500 Series Catalyst 2948G Catalyst 2980G Switches Software Configuration Guide Release 8 1 78 15486 01 Chapter 3 Configuring the Switch IP Address and Default Gateway Renewing and Releasing a DHCP Assigned IP Address ...

Page 57: ...x and usage information for the commands used in this chapter refer to the Catalyst 4500 Series Catalyst 2948G and Catalyst 2980G Switches Command Reference This chapter consists of these sections Understanding How Ethernet Works page 4 1 Default Ethernet and Fast Ethernet Configurations page 4 2 Configuring Ethernet and Fast Ethernet Ports page 4 3 Understanding How Ethernet Works These sections ...

Page 58: ...and the bandwidth of the network is shared by all devices that are attached to the hub If two stations establish a session that uses a significant level of bandwidth the network performance of all other stations that are attached to the hub is degraded To reduce degradation the Catalyst enterprise LAN switches treat each port as an individual segment When stations on different ports need to commun...

Page 59: ...Note For information on configuring Fast EtherChannel see Chapter 6 Configuring Fast EtherChannel and Gigabit EtherChannel Setting Ethernet and Fast Ethernet Port Names You can assign names to the ports on Ethernet and Fast Ethernet modules to facilitate switch administration To assign a name to a port perform this task in privileged mode Table 4 1 Ethernet and Fast Ethernet Default Configurations...

Page 60: ...ss to the switching bus simultaneously the switch uses port priority level to determine the order in which to give ports access To set the port priority level perform this task in privileged mode This example shows how to set the port priority level to high for port 1 1 and verify that the port priority is configured correctly Console enable set port level 1 1 high Port 1 1 level set to high Conso...

Page 61: ...rnet and Fast Ethernet Port Duplex Modes You can set the port duplex mode to full or half duplex for Ethernet and Fast Ethernet ports Note If the port speed is set to auto on a 10 100 Mbps Fast Ethernet port both speed and duplex are autonegotiated You cannot change the duplex mode of ports that are configured for autonegotiation For information on enabling and disabling autonegotiation on 10 100 ...

Page 62: ...e debounce timer To set the debounce timer on a port perform this task in privileged mode This example shows how to enable the debounce timer for module 2 on port 1 Console enable set port debounce 2 1 enable Debounce is enabled on port 2 1 Warning Enabling port debounce causes Link Up Down detections to be delayed It results in loss of data traffic during debouncing period which might affect the ...

Page 63: ... the ports At every t seconds where t is the user configurable timeout a process checks to see if any ports are in errdisable state If so only those ports that have the errdisable timeout set enabled are reenabled through System Control Protocol SCP messages By default all the errdisabled ports are reenabled when the global timer times out You can enable or disable errdisable timeout for any of th...

Page 64: ...onnectivity out Ethernet or Fast Ethernet ports To check connectivity out a port perform this task in privileged mode This example shows how to ping a remote host and how to trace the hop by hop path of packets through the network using traceroute Console enable ping somehost somehost is alive Console enable traceroute somehost traceroute to somehost company com 10 1 2 3 30 hops max 40 byte packet...

Page 65: ...igabit Ethernet Configuration page 5 6 Configuring Gigabit Ethernet Ports page 5 7 Understanding How Gigabit Ethernet Works The following sections describe how Gigabit Ethernet works Understanding How Gigabit Ethernet Flow Control Works Flow control is a feature that Gigabit Ethernet ports use to inhibit the transmission of incoming packets If a buffer on a Gigabit Ethernet port runs out of space ...

Page 66: ...J45 All ports Yes Catalyst 4000 Catalyst 4500 WS X4448 GB LX All ports Yes Catalyst 2948G All ports All ports No Catalyst 2980G All modules All ports No Table 5 2 Send and Receive Keyword Configurations Configuration Description send on Enables a local port to send pause frames to a remote port Enter send on when a remote port is set to receive on or receive desired send off Prevents a local port ...

Page 67: ...ed on the other Table 5 3 shows the four possible port negotiation configurations for a Gigabit Ethernet link and the resulting link status for each configuration Note On 1000BASE T Gigabit Ethernet ports you cannot configure speed or duplex mode With this release 1000BASE T ports operate only in the default configuration where the speed is 1000 and duplex mode is full You cannot disable autonegot...

Page 68: ...port IDs for each module On all modules the oversubscribed ports are segmented into groups of four ports each Each group of four ports shares 1 Gbps of bandwidth The average bandwidth that clients and servers need to connect to ports in the same group should not exceed 1 Gbps Table 5 5 shows how the oversubscribed ports are grouped for module WS 4412 2GB TX Table 5 6 shows how the oversubscribed p...

Page 69: ...configurations are shown Server A equipped with channel and trunk capable network interface cards NICs connects to the switch through a four port Gigabit EtherChannel trunk link Two ports are in one oversubscribed port group and two are in another The switch can burst up to 2 Gbps bandwidth in each direction while averaging 250 Mbps for each connected port 1 Gbps total Servers B and C also with ch...

Page 70: ...one switch Server A Server B Server C Workstation 1 Workstation 2 Workstation 3 Workstation 4 Server D 18069 Table 5 10 Gigabit Ethernet Default Configuration Feature Default Value Port enable state All ports are enabled Port name None Port priority Normal Duplex mode Full duplex Flow control Oversubscribed Gigabit Ethernet ports ports 3 18 on WS X4418 GB Flow control set to desired for receive Rx...

Page 71: ...the name for ports 2 1 and 2 2 and how to verify that the port names are configured correctly Console enable set port name 2 1 Backbone Connection Port 2 1 name set Console enable set port name 2 2 Wiring Closet Port 2 2 name set Console enable show port 2 Port Name Status Vlan Level Duplex Speed Type 2 1 Backbone Connectio connected trunk normal full 1000 1000BASESX 2 2 Wiring Closet notconnect 1...

Page 72: ...leged mode This example shows how to configure transmit and receive flow control and how to verify the flow control configuration Console enable set port flowcontrol send 2 1 on Port 2 1 flow control send administration status set to on port will send flowcontrol to far end Console enable set port flowcontrol receive 2 1 on Port 2 1 flow control receive administration status set to on port will re...

Page 73: ...port negotiation 2 1 Port Link Negotiation 2 1 enabled Console enable Disabling Port Negotiation To disable port negotiation on a 1000BASE X Gigabit Ethernet port perform this task in privileged mode This example shows how to disable port negotiation and verify the configuration Console enable set port negotiation 2 1 disable Port 2 1 negotiation disabled Console enable show port negotiation 2 1 P...

Page 74: ...hrough the network using traceroute Console enable ping somehost somehost is alive Console enable traceroute somehost traceroute to somehost company com 10 1 2 3 30 hops max 40 byte packets 1 engineering 1 company com 173 31 192 206 2 ms 1 ms 1 ms 2 engineering 2 company com 173 31 196 204 2 ms 3 ms 2 ms 3 gateway_a company com 173 16 1 201 6 ms 3 ms 3 ms 4 somehost company com 10 1 2 3 3 ms 2 ms ...

Page 75: ...t and Gigabit Ethernet modules refer to the Catalyst 4500 Series Installation Guide Note For complete syntax and usage information for the commands used in this chapter refer to the Catalyst 4500 Series Catalyst 2948G and Catalyst 2980G Switches Command Reference This chapter consists of these sections Understanding How EtherChannel Works page 6 1 PAgP and LACP page 6 2 EtherChannel Configuration ...

Page 76: ...onfiguration Guidelines and Restrictions section on page 6 3 and Chapter 11 Configuring VLAN Trunks on Fast Ethernet and Gigabit Ethernet Ports Understanding Frame Distribution EtherChannel distributes frames across the links in a channel based on the low order bits of the source and destination MAC addresses of each frame The frame distribution method is not configurable Hardware Support for Ethe...

Page 77: ...assign a port to more than one channel group at the same time Ports with different port path costs set by the set spantree portcost command can form an EtherChannel as long as they are otherwise compatibly configured Setting different port path costs does not by itself make ports incompatible for the formation of an EtherChannel PAgP and LACP manage channels differently When all the ports in a cha...

Page 78: ...VLAN Registration Protocol GVRP GARP Multicast Registration Protocol GMRP and quality of service QoS configurations An EtherChannel will not form with ports where the port security feature is enabled Do not enable the port security feature for ports in an EtherChannel An EtherChannel will not form if one of the ports is a SPAN destination port An EtherChannel will not form if protocol filtering is...

Page 79: ...le 6 1 describes each mode Both the auto and desirable modes allow ports to negotiate with connected ports to determine if they can form a channel based on criteria such as port speed trunking state native VLAN and so on Table 6 1 Channel Modes Mode Description on Forces the port to channel without negotiation PAgP packets are not exchanged The port is channeling regardless of how the peer port is...

Page 80: ... group number creates a new automatically numbered administrative group consisting of the ports you configure as an EtherChannel An administrative group can contain a maximum of eight ports You can define an EtherChannel administrative group without forming an EtherChannel Only ports belonging to the same administrative group can form a single EtherChannel In addition to the administrative group n...

Page 81: ... Device ID Port ID Platform 3 5 069003103 5500 3 5 WS C4000 3 6 069003103 5500 3 6 WS C4000 Console enable Defining an EtherChannel Administrative Group You can define EtherChannel administrative groups manually to identify groups of ports that are allowed to form an EtherChannel bundle When you create an EtherChannel port bundle an administrative group is defined automatically Administrative grou...

Page 82: ...ning Tree Port Cost To set the spanning tree port cost for an EtherChannel perform this task in privileged mode This example shows how to set the EtherChannel port path cost for channel ID 768 Console enable show channel group 20 Admin Port Status Channel Channel group Mode id 20 1 1 notconnect on 768 20 1 2 connected on 768 Admin Port Device ID Port ID Platform group 20 1 1 20 1 2 066510644 cat26...

Page 83: ...leged mode This example shows how to set the EtherChannel VLAN cost for channel ID 768 Console enable show channel group 20 Admin Port Status Channel Channel group Mode id 20 1 1 notconnect on 768 20 1 2 connected on 768 Admin Port Device ID Port ID Platform group 20 1 1 20 1 2 066510644 cat26 lnf NET25 2 1 WS C6009 Console enable Console enable set channel vlancost 768 12 Channel 768 vlancost set...

Page 84: ...ion Method mac both Port Status Channel Admin Channel Speed Duplex Vlan mode group id 3 5 connected on 56 835 a 100 a full 1 3 6 connected on 56 835 a 100 a full 1 Port ifIndex Oper group Neighbor Oper Distribution PortSecurity Oper group Method Dynamic port 3 5 377 1 mac both 3 6 377 1 mac both Port Device ID Port ID Platform 3 5 069003103 5500 3 5 WS C4000 3 6 069003103 5500 3 6 WS C4000 Port Tr...

Page 85: ...licant 3 5 disabled normal normal 3 6 disabled normal normal Port Qos Tx Qos Rx Qos Trust Qos DefCos 3 5 untrusted 0 3 6 untrusted 0 Console enable Displaying EtherChannel Traffic Statistics To display EtherChannel traffic statistics perform this task in privileged mode This example shows how to display EtherChannel traffic statistics information for EtherChannel ID 835 Console show channel 835 ma...

Page 86: ... EtherChannel Configuration Examples These sections contain Fast and Gigabit EtherChannel configuration examples Configuration Example of a Four Port Fast EtherChannel page 6 12 Configuration Example of Two Port Gigabit EtherChannel page 6 14 Note For examples of configuring VLAN trunks on EtherChannel port bundles see the Example VLAN Trunk Configurations section on page 11 9 Configuration Exampl...

Page 87: ... 4 VLAN 50 modified VLAN 1 modified VLAN Mod Ports 50 3 1 4 Switch_B enable set port speed 3 1 4 100 Ports 3 1 4 transmission speed set to 100Mbps Switch_B enable set port duplex 3 1 4 full Ports 3 1 4 set to full duplex Switch_B enable Step 2 Confirm the channeling status of the switches using the show port channel command Switch_A enable show port channel No ports channelling Switch_A enable Swi...

Page 88: ...eft bridge port 3 1 4 PAGP 5 PORTTOSTP Port 3 1 joined bridge port 3 1 4 PAGP 5 PORTTOSTP Port 3 2 joined bridge port 3 1 4 PAGP 5 PORTTOSTP Port 3 3 joined bridge port 3 1 4 PAGP 5 PORTTOSTP Port 3 4 joined bridge port 3 1 4 Step 4 After the EtherChannel bundle is negotiated enter the show port channel command to verify the configuration Switch_A enable show port channel Port Status Channel Chann...

Page 89: ...B enable show port channel No ports channelling Switch_B enable Step 3 In this example configure EtherChannel as on for all ports If you configure ports on you must configure the ports on both ends of the EtherChannel bundle on The switches will not negotiate an EtherChannel port bundle automatically in on mode The system logging messages provide information about the formation of the EtherChannel...

Page 90: ...3 1 connected on channel WS C4003 JAB023806JR 2 1 3 2 connected on channel WS C4003 JAB023806JR 2 2 Switch_B enable Understanding the LACP Use the information in these sections if you are configuring EtherChannel using LACP If you are using PAgP see the Understanding the PAgP section on page 6 5 LACP Modes You may manually turn on channeling by setting the port channel mode to on and you may turn ...

Page 91: ...s determine a port s ability to aggregate with other ports Port physical characteristics such as data rate duplex capability and point to point or shared medium Configuration constraints that you establish When enabled LACP always tries to configure the maximum number of compatible ports in a channel up to the maximum allowed by the hardware eight ports If LACP is not able to aggregate all the por...

Page 92: ... 21 Displaying EtherChannel Traffic Utilization page 6 21 Disabling an EtherChannel page 6 22 Displaying Spanning Tree Related Information for EtherChannels page 6 22 Note Before you configure the EtherChannel see the EtherChannel Configuration Guidelines and Restrictions section on page 6 3 Specifying the EtherChannel Protocol Note The default protocol is PAgP Note You can specify only one protoc...

Page 93: ... The port priority value must be a number in the range of 1 255 where higher numbers represent lower priority The default priority is 128 To specify the port priority perform this task in privileged mode This example shows how to specify the port priority as 10 for ports 1 1 to 1 4 and 2 6 to 2 8 Console enable set port lacp channel 1 1 4 2 6 8 port priority 10 Port s 1 1 4 2 6 8 port priority set...

Page 94: ...m this task in privileged mode This example assigns ports 4 1 to 4 4 the same administrative key allowing the system to pick its value Console enable set port lacp channel 4 1 4 Port s 4 1 4 are assigned to admin key 96 Console enable This example shows how to assign ports 4 4 to 4 6 the administrative key 96 you specify the 96 In this example the administrative key was previously assigned to anot...

Page 95: ...can specify the channel VLAN cost with a global command that configures both LACP and PAgP See the Setting the EtherChannel Spanning Tree Port VLAN Cost section on page 6 9 for information Clearing LACP Statistics To clear LACP statistics perform this task in privileged mode This example shows how to clear LACP statistics Console enable clear lacp channel statistics LACP channel counters are clear...

Page 96: ...splay the channel ID and the truncated port list for all ports that are channeling Ports that are not channeling are identified by their port number To display spanning tree related information for EtherChannels perform this task These examples show how to display spanning tree related information for EtherChannels Console show spantree 4 6 Port Vlan Port State Cost Priority Portfast Channel_id 4 ...

Page 97: ... BPDU Guard BPDU Filter UplinkFast BackboneFast and Loop Guard This chapter consists of these sections Understanding How STPs Work page 7 2 Understanding How PVST and MISTP Modes Work page 7 11 Understanding How Bridge Identifiers Work page 7 13 Understanding How MST Works page 7 14 Rate limited at one for every 60 seconds page 7 22 Using MISTP PVST or MISTP page 7 30 Configuring a Root Switch pag...

Page 98: ...et networks only one active path may exist between any two stations Multiple active paths between stations can cause loops in the network When loops occur some switches recognize stations on both sides of the switch This situation causes the forwarding algorithm to malfunction allowing duplicate frames to be forwarded Spanning tree algorithms provide path redundancy by defining a tree that spans a...

Page 99: ...the ideal root switch You can force a switch to become the root switch by increasing the priority that is lowering the priority number on the preferred switch This action causes the spanning tree to recalculate the topology and make the selected switch the root switch Figure 7 1 Configuring a Loop Free Topology You can also change the priority of a port in order to make it the root port When the s...

Page 100: ...s will be forwarded to the root A port for each switch is selected This is the port that provides the best path from the switch to the root switch Ports included in the STP are selected Calculating and Assigning Port Costs By calculating and assigning the port cost of the switch ports you can ensure that the shortest lowest cost distance to the root switch is used to transmit data You can calculat...

Page 101: ...0 Mbps link is removed from a 10 Gbps aggregate link Because of the limitations that are presented by automatically recalculating the topology 802 1t states that changes in bandwidth will not result in changes to the cost of the port concerned Therefore the aggregated port uses the same port cost parameters as a standalone port Understanding Spanning Tree Port States Topology changes can take plac...

Page 102: ...tch in the network goes through the blocking state and the transitory states of listening and learning at power up If properly configured each port stabilizes into the forwarding or blocking state When the spanning tree algorithm places a port in the forwarding state the following occurs The port is put into the listening state while it waits for protocol information that suggests it should go to ...

Page 103: ...blocking state performs as follows Discards frames received from the attached segment Discards frames switched from another port for forwarding Does not incorporate station location into its address database there is no learning on a blocking port so there is no address database update Receives BPDUs and directs them to the system module Does not transmit BPDUs received from the system module Rece...

Page 104: ... this point so there is no address database update Receives BPDUs and directs them to the system module Processes BPDUs received from the system module Receives and responds to network management messages Learning State A port in the learning state prepares to participate in frame forwarding The port enters the learning state from the listening state Figure 7 5 shows a port in the learning state F...

Page 105: ...ddress database Receives BPDUs and directs them to the system module Receives processes and transmits BPDUs received from the system module Receives and responds to network management messages Forwarding State A port in the forwarding state forwards frames as shown in Figure 7 6 The port enters the forwarding state from the learning state Filtering database Frame forwarding System module Port 1 BP...

Page 106: ...ork management messages Caution Use spanning tree PortFast mode only on ports directly connected to individual workstations to allow these ports to come up and go directly to the forwarding state instead of having to go through the entire spanning tree initialization process To prevent illegal topologies enable spanning tree on ports connected to switches or other devices that forward messages For...

Page 107: ...ts address database there is no learning so there is no address database update Receives BPDUs but does not direct them to the system module Does not receive BPDUs for transmission from the system module Receives and responds to network management messages Understanding How PVST and MISTP Modes Work Catalyst 4500 series switches provide two proprietary spanning tree modes based on the IEEE 802 1D ...

Page 108: ...hange UplinkFast and BackboneFast are enabled but not active in this mode because the functionality is built into the rapid STP This method provides for quick recovery of connectivity following the failure of a bridge bridge port or LAN MISTP Mode MISTP is an optional STP that runs on Catalyst 4500 series switches MISTP allows you to group multiple VLANs under a single instance of spanning tree an...

Page 109: ...e used as bridge identifiers for VLANs running under PVST or for MISTP instances The Catalyst 4500 series switches have a pool of only 64 MAC addresses You can use the show module command to view the MAC address range MAC addresses are allocated sequentially with the first MAC address in the range assigned to VLAN 1 the second in the range assigned to VLAN 2 and so forth The last MAC address in th...

Page 110: ...tion in the new Catalyst 4500 series switch then the switch remains the root switch and the spanning tree topology does not change For more information on migrating your supervisor engine from a Catalyst 4006 switch to a Catalyst 4500 series switch see the Migrating a Supervisor Engine II from a Catalyst 4006 Switch to a Catalyst 4500 Series Switch section on page 28 10 Understanding How MST Works...

Page 111: ... trees are referred to as MST instances MSTIs The IST is numbered 0 and the MSTIs are numbered 1 2 3 and so on Any given MSTI is local to the MST region that is independent of MSTIs in another region even if the MST regions are interconnected MST instances combine with the IST at the boundary of MST regions to become the CST as follows Spanning tree information for an MSTI is contained in an MSTP ...

Page 112: ...u configure the MST feature For more information see the Configuring MST section on page 7 46 RSTP provides backward compatibility with 802 1D bridges as follows RSTP selectively sends 802 1D configured BPDUs and Topology Change Notification TCN BPDUs on a per port basis When a port initializes the Migration Delay timer starts and RSTP BPDUs are transmitted While the Migration Delay timer is activ...

Page 113: ...operability A virtual bridged LAN may contain interconnected regions of SST and MST bridges Figure 7 8 shows this relationship Figure 7 8 Network with Interconnected SST and MST Regions Table 7 3 Comparison Between STP and RSTP Port States Operational Status STP Port State RSTP Port State Port Included in Active Topology Enabled Blocking1 1 IEEE 802 1D port state designation Discarding2 2 IEEE 802...

Page 114: ...gions established by MST Loop prevention is achieved by either of the following Blocking the appropriate pseudobridge ports by allowing one forwarding port on the boundary and blocking all other ports Setting the CST partitions to block the ports of the SST regions A pseudo bridge differs from a single SST bridge because the BPDUs sent from the pseudobridge s ports have different bridge identifier...

Page 115: ...ber of the MST region An MST bridge that is interconnected by a LAN A LAN s designated bridge has the same MST configuration as an MST bridge All the bridges on the LAN can process MST BPDUs If you connect two MST regions with different MST configurations the MST regions do the following Load balance across redundant paths in the network If two MST regions are redundantly connected all traffic flo...

Page 116: ...s not have a bridge These ports start forwarding as soon as the link is up MST requires that all ports are configured for each host or router To establish rapid connectivity after a failure you need to block the nonedge designated ports of an intermediate bridge If the port connects to another bridge that can send back an agreement then the port starts forwarding immediately Otherwise the port req...

Page 117: ...configure MST switches all in the same region to interact with PVST switches that have VLANs 1 100 set up to span throughout the network Configure the root for all VLANs inside the MST region The ports that belong to the MST switch at the boundary simulate PVST and send PVST BPDUs for all the VLANs This example shows the ports simulating PVST Console enable show spantree mst 3 Spanning tree mode M...

Page 118: ... The nonroot switches receive and process one BPDU during each configured time period A VLAN might not receive the BPDU as scheduled If the BPDU is not received on a VLAN at the configured time interval the BPDU is skewed Spanning tree uses the Hello Time see Configuring the Hello Time section on page 44 to detect when a connection to the root switch exists through a port and when that connection ...

Page 119: ...rity by combining the VLAN bridge priority with the system ID extension that is the ID of the VLAN To set the spanning tree bridge priority for a VLAN perform this task in privileged mode Table 7 4 PVST Default Configuration Feature Default Value VLAN 1 All ports assigned to VLAN 1 Enable state PVST enabled for all VLANs MAC address reduction Disabled Bridge priority 32 768 Bridge ID priority 32 7...

Page 120: ...1 1 not connected 4 32 disabled 0 1 2 1 not connected 4 32 disabled 0 2 1 1 not connected 100 32 disabled 0 2 2 1 not connected 100 32 disabled 0 This example shows how to set the PVST the bridge ID priority when MAC reduction is enabled Console enable set spantree priority 32768 1 Spantree 1 bridge ID priority set to 32769 bridge priority 32768 sys ID extension 1 Console enable show spantree 1 1 ...

Page 121: ...annel_id 1 1 1 not connected 4 32 disabled 0 1 2 1 not connected 4 32 disabled 0 2 1 1 not connected 100 32 disabled 0 2 2 1 not connected 100 32 disabled 0 2 3 1 forwarding 12 32 disabled 0 2 4 1 not connected 100 32 disabled Configuring PVST Port Priority You can configure the port priority of switch ports in PVST mode The port with the lowest priority value forwards frames for all VLANs The pos...

Page 122: ... the actual cost is incremented by 3000 The long mode has these parameters Portcost Portvlancost When you enable UplinkFast the actual cost is incremented by 10 000 000 EtherChannel computes the cost of a bundle using the formula AVERAGE_COST NUM_PORT The default port cost mode in PVST is short For port speeds of 10 Gb and greater you must set the default port cost mode to long To change the defau...

Page 123: ... VLAN priority value must be lower than the port priority value To configure the port VLAN priority for a port perform this task in privileged mode This example shows how to configure the port VLAN priority on a port Console enable set spantree portvlanpri 2 3 16 6 Port 2 3 vlans 6 using portpri 16 Port 2 3 vlans 1 5 7 800 802 1004 1006 4094 using portpri 32 Port 2 3 vlans 801 1005 using portpri 4...

Page 124: ...ing spanning tree even in a topology that is free of physical loops Spanning tree serves as a safeguard against misconfigurations and cabling errors Do not disable spanning tree in a VLAN without ensuring that there are no physical loops present in the VLAN To disable PVST mode perform this task in privileged mode This example shows how to disable PVST on a VLAN Console enable set spantree disable...

Page 125: ...Role Cost Prio Type 6 1 forwarding ROOT 20000 16 Shared PEER STP Console This example shows how to verify the link type edge port and guard type for port 3 6 Console show spantree 3 6 Port 3 6 Edge Port No Configured Default Port Guard Default Link Type P2P Configured Auto Port VLAN State Role Cost Prio Type 3 6 1 listening DESG 20000 32 P2P 3 6 2 listening DESG 20000 32 P2P 3 6 3 listening DESG 2...

Page 126: ...mode you first enable an MISTP instance and then map at least one VLAN to the instance You must have at least one forwarding port in the VLAN in order for the MISTP instance to be active If you are changing a switch from PVST mode to MISTP mode and you have other switches in the network that are using PVST you must first enable MISTP PVST mode on each switch on which you intend to use MISTP so tha...

Page 127: ...ou map a VLAN to an MISTP instance you can Telnet to the switch To change from PVST to MISTP PVST or MISTP perform this task in privileged mode This example shows how to set a switch to MISTP PVST mode Console enable set spantree mode mistp pvst PVST database cleaned up Spantree mode set to MISTP PVST Warning There are no VLANs mapped to any MISTP instance Console enable You can display VLAN to MI...

Page 128: ...dge priority value with the system ID extension the ID of the MISTP instance to create the bridge ID priority You can set 16 possible bridge priority values 0 4096 8192 12 288 16 384 20 480 24 576 28 672 32 768 36 864 40 960 45 056 49 152 53 248 57 344 and 61 440 To configure the bridge ID priority for an MISTP instance perform this task in privileged mode The example shows how to configure the br...

Page 129: ...configure the port cost of switch ports When forwarding frames the switch is more likely to use ports with lower port costs Assign lower numbers to ports that are attached to faster media such as full duplex and higher numbers to ports that are attached to slower media The possible range is from 1 65 535 The default differs for different media Path cost is typically equal to 1000 LAN speed in mega...

Page 130: ... with the lowest priority value forwards frames for all VLANs The possible port priority value is from 0 63 the default is 32 If all ports have the same priority value the port with the lowest port number forwards frames To configure the port priority for a port perform this task in privileged mode This example shows how to configure the port priority and verify the configuration This example show...

Page 131: ...are attached to faster media such as full duplex and higher numbers to ports that are attached to slower media The default cost differs for different media The possible value for port instance cost is from 1 268435456 To configure the port instance cost for a port perform this task in privileged mode This example shows how to configure the MISTP port instance cost on a port Console enable set span...

Page 132: ...once using the all keyword Note The software does not display the status of an MISTP instance until it has a VLAN with an active port mapped to it To enable an MISTP instance perform this task in privileged mode Note Enter the active keyword to display active ports only This example shows how to enable an MISTP instance Console enable set spantree enable mistp instance 2 Spantree 2 enabled Console...

Page 133: ... ID ext 1 VLANs mapped 6 Bridge Max Age 20 sec Hello Time 2 sec Forward Delay 15 sec Port Inst Port State Cost Prio Portfast Channel_id 2 12 1 forwarding 22222222 40 disabled 0 Determining an MISTP Instance VLAN Mapping Conflicts A VLAN can only be mapped to one MISTP instance If you attempt to map a VLAN to more than one instance all of its ports are set to blocking mode You can use the show span...

Page 134: ...nd be removed from the table The timer is restarted every time an incoming BPDU confirms the mapping Entries pertaining to the root switch show inactive on the root switch itself The following examples are with VTP version 3 enabled The root switch is also the primary server for the nonroot switch The root switch is not the primary server for the switch in conflict because that switch has been par...

Page 135: ...nstance the instance still exists on the switch all of the VLANs mapped to it have all of their ports forwarding and the instance BPDUs are flooded To disable an MISTP instance perform this task in privileged mode This example shows how to disable an MISTP instance Console enable set spantree disable mistp instance 2 MI STP instance 2 disabled Configuring a Root Switch This section explains how to...

Page 136: ...4 seconds VLANs 1 10 bridge hello time set to 2 seconds VLANs 1 10 bridge forward delay set to 9 seconds Switch is now the root switch for active VLANs 1 6 Console enable To configure a switch as the primary root switch for an instance perform this task in privileged mode This example shows how to configure the primary root for an instance Console enable set spantree root mistp instance 2 4 dia 4 ...

Page 137: ...tances 1 6 Console enable Configuring a Root Switch to Improve Convergence You can configure the root switch to speed up STP convergence time To do so you must reduce the value of the Hello Time Forward Delay Timer and Maximum Age Timer parameters For information on configuring these timers see the Configuring Spanning Tree Timers section on page 7 44 Note Reduction of the value of the timer param...

Page 138: ...ng tree Hello Time Forward Delay Timer and Maximum Age Timer to 2 4 and 6 seconds Console enable set spantree hello 2 100 Spantree 100 hello time set to 7 seconds Console enable Console enable set spantree fwddelay 4 100 Spantree 100 forward delay set to 21 seconds Console enable Console enable set spantree maxage 6 100 Spantree 100 max aging time set to 36 seconds Console enable Parameter Time Ne...

Page 139: ... from becoming root perform this task in privileged mode Displaying Spanning Tree BPDU Statistics Enter the show spantree statistics bpdu command to display the total number of spanning tree BPDUs transmitted received processed and dropped The command also provides the rate of the BPDUs in seconds The BPDU counters are cleared using the clear spantree statistics bpdu command or when the system is ...

Page 140: ...a VLAN or an MISTP instance perform this task in privileged mode This example shows how to configure the spanning tree Hello time for VLAN 100 to 7 seconds Console enable set spantree hello 7 100 Spantree 100 hello time set to 7 seconds Console enable This example shows how to set the spantree Hello time for an instance to 3 seconds Console enable set spantree hello 3 mistp instance 1 Spantree 1 h...

Page 141: ...et spantree maxage command to change the spanning tree maximum aging time for a VLAN or an instance The possible range for agingtime is from 6 40 seconds To configure the spanning tree maximum aging time for a VLAN or an instance perform this task in privileged mode This example shows how to configure the spanning tree maximum aging time for VLAN 100 to 36 seconds Console enable set spantree maxag...

Page 142: ...00 10 7b bb 2f 00 Bridge ID Priority 32768 Bridge Max Age 20 sec Hello Time 2 sec Forward Delay 15 sec Port Vlan Port State Cost Prio Portfast Channel_id 6 1 1 forwarding 4 32 disabled 0 6 2 1 blocking 4 32 disabled 0 Console enable Task Command Step 1 Begin in PVST mode set spantree mode mst mistp pvst mistp pvst mst Step 2 Display the STP ports show spantree active Step 3 Configure the MST regio...

Page 143: ... Revision 1 Instance VLANs IST 1 4094 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 Edit buffer is locked by Console pid 142 Console enable Console enable set spantree mst 1 vlan 2 10 Edit Buffer modified Use set spantree mst config commit to apply the changes Console enable set spantree mst 1 vlan 2 20 Edit Buffer modified Use set spantree mst config commit to apply the changes Console enable set spantree ...

Page 144: ...3 4 5 6 7 8 9 10 11 12 13 14 15 NEW MST Region Configuration Not committed yet Configuration Name cisco Revision 1 Instance VLANs IST 1 51 4094 1 2 20 2 21 30 3 31 40 4 41 50 5 6 7 8 9 10 11 12 13 14 15 Edit buffer is locked by Console pid 142 Console enable Console enable set spantree mst config commit Console enable Console enable show spantree mst config Current NVRAM MST Region Configuration C...

Page 145: ... Master ID Priority 32768 IST Master Path Cost 0 Remaining Hops 20 Bridge ID MAC ADDR 00 10 7b bb 2f 00 Bridge ID Priority 32768 bridge priority 32768 sys ID ext 0 Bridge Max Age 20 sec Hello Time 2 sec Forward Delay 15 sec Max Hops 20 Port State Role Cost Prio Type 6 1 forwarding ROOT 20000 32 P2P Boundary PVST 6 2 blocking ALTR 20000 32 P2P Boundary PVST Console enable show spantree mst 1 Spanni...

Page 146: ...11 12 13 14 15 Console enable Configuring the MST Bridge ID Priority You can set the bridge ID priority for an MST instance when the switch is in MST mode The switch combines the bridge priority value with the system ID extension the ID of the MST instance to create the bridge ID priority You can set 16 possible bridge priority values 0 4096 8192 12 288 16 384 20 480 24 576 28 672 32 768 36 864 40...

Page 147: ...ter media such as full duplex and higher numbers to ports attached to slower media The possible range is from 1 65 535 The default differs for different media The path cost is typically 1000 LAN speed in megabits per second To configure the port cost for a port perform this task in privileged mode This example shows how to configure the port cost on an MST instance and verify the configuration Con...

Page 148: ...30 31 40 4 forwarding BDRY 10000 30 41 50 Console enable Configuring the MST Port Instance Cost You can configure the port instance cost for an instance of MST Ports with a lower instance cost are more likely to be chosen to forward frames You should assign lower numbers to ports attached to faster media such as full duplex and higher numbers to ports attached to slower media The default cost diff...

Page 149: ...hat instance The port instance range is from 0 63 If all ports have the same priority for an MST instance the port with the lowest port number forwards frames for that instance To configure the port instance priority on an MST instance perform this task in privileged mode This example shows how to configure the port instance priority on an MST instance and verify the configuration Console enable s...

Page 150: ... guidelines for mapping and unmapping VLANS to an MST instance You can only map Ethernet VLANs to MST instances At least one VLAN in the instance must have an active port in order for MST to be active You can map as many Ethernet VLANs as you wish to an MST instance You cannot map a VLAN to more than one MST instance The Hello Time Maximum Age timer and Forward Delay timer set for mode and all spa...

Page 151: ...mst config Current NVRAM MST Region Configuration Configuration Name cisco Revision 1 Instance VLANs IST 1 51 4094 1 2 20 2 21 30 3 31 40 4 41 50 5 6 7 8 9 10 11 12 13 14 15 NEW MST Region Configuration Not committed yet Configuration Name cisco Revision 2 Instance VLANs IST 1 51 899 1000 4094 1 2 20 2 21 30 3 31 40 4 41 50 5 6 7 8 9 10 11 12 13 14 900 999 15 Edit buffer is locked by Console pid 1...

Page 152: ... 4 41 50 5 6 7 8 9 10 11 12 13 14 15 NEW MST Region Configuration Not committed yet Configuration Name cisco Revision 2 Instance VLANs IST 1 51 998 1000 4094 1 2 20 2 21 30 3 31 40 4 41 50 5 6 7 8 9 10 11 12 13 14 999 15 Edit buffer is locked by Console pid 142 Console enable Console enable set spantree mst config commit Console enable Console enable show spantree mst config Current NVRAM MST Regi...

Page 153: ...DU skewing feature perform these functions Allow you to enable or disable BPDU skewing The default is disabled Modify the show spantree summary output to show if the skew detection is enabled and for which VLANs or PVST or MISTP instances the skew was detected Provide a display of the VLAN or PVST or MISTP instance and the port affected by the skew include this information The duration in absolute...

Page 154: ... 113833 113833 Tue Nov 21 2000 06 26 05 8 20 4111 113913 Tue Nov 21 2000 06 26 05 8 22 113917 113917 Tue Nov 21 2000 06 26 05 8 24 4110 113922 Tue Nov 21 2000 06 26 05 8 26 113926 113926 Tue Nov 21 2000 06 26 05 8 28 4111 113931 Tue Nov 21 2000 06 26 05 Console enable This example shows how to configure BPDU skewing for VLAN 1 on module 8 port 4 and view the skewing statistics Console enable show ...

Page 155: ...948G Catalyst 2980G Switches Software Configuration Guide Release 8 1 78 15486 01 Chapter 7 Configuring Spanning Tree Configuring Spanning Tree BPDU Skewing Blocking Listening Learning Forwarding STP Active Total 6 4 2 0 12 Console enable ...

Page 156: ...7 60 Catalyst 4500 Series Catalyst 2948G Catalyst 2980G Switches Software Configuration Guide Release 8 1 78 15486 01 Chapter 7 Configuring Spanning Tree Configuring Spanning Tree BPDU Skewing ...

Page 157: ...e Catalyst 4500 Series Catalyst 2948G and Catalyst 2980G Switches Command Reference This chapter consists of these sections Understanding How PortFast Works page 8 1 Understanding How PortFast BPDU Guard Works page 8 2 Understanding How PortFast BPDU Filtering Works page 8 2 Understanding How UplinkFast Works page 8 3 Understanding How BackboneFast Works page 8 4 Understanding How Loop Guard Works...

Page 158: ...ementation of PortFast is to enable it only on ports that connect end stations to switches Because PortFast can be enabled on nontrunking ports connecting two switches spanning tree loops can occur because BPDUs are still being transmitted and received on those ports The PortFast BPDU guard feature prevents loops by moving a nontrunking port into an errdisable state when a BPDU is received on that...

Page 159: ...tive VLANs This enhancement might not be useful for other types of applications and should not be enabled on backbone or distribution layer switches Figure 8 1 shows an example UplinkFast network topology Switch A the root switch is connected directly to Switch B over link L1 and to Switch C over link L2 The port on Switch C that is connected to Switch B over link L3 is in blocking state Figure 8 ...

Page 160: ... An inferior BPDU identifies a single switch as both the root bridge and the designated bridge Under normal spanning tree rules the switch ignores inferior BPDUs for the configured maximum aging time specified by the set spantree maxage command The switch tries to determine if it has an alternate path to the root bridge If the inferior BPDU arrives on a blocked port the root port and other blocked...

Page 161: ... Switch C to the forwarding state providing a path from Switch B to Switch A This switchover takes approximately 30 seconds Figure 8 4 shows how BackboneFast reconfigures the topology to account for the failure of link L1 Figure 8 4 Example of BackboneFast after Indirect Link Failure If a new switch is introduced into a shared medium topology BackboneFast is not activated Figure 8 5 shows a shared...

Page 162: ...ng BPDUs again Loop guard isolates the failure and lets spanning tree converge to a stable topology without the failed link or bridge You can enable loop guard on a per port basis with the set spantree guard loop command Note Provided that you are in MST mode you can set all the ports on a switch with the set spantree global defaults loop guard command When you enable loop guard it is automaticall...

Page 163: ...at are connected to a shared link Note We recommend that you enable loop guard on root ports and alternate root ports on access switches Loop guard interacts with other features as follows Loop guard does not affect the functionality of UplinkFast or BackboneFast Root guard forces a port to always be designated as the root port Loop guard is effective only if the port is a root port or an alternat...

Page 164: ... if other links in the channel are functioning properly If a set of ports that are already blocked by loop guard are grouped together to form a channel spanning tree loses all the state information for those ports and the new channel port may obtain the forwarding state with a designated role If a channel is blocked by loop guard and the channel breaks spanning tree loses all the state information...

Page 165: ...rt to a switch port If you enable PortFast on a port that is connected to another Layer 2 device like a switch you might create network loops To enable PortFast on a trunk port perform this task in privileged mode This example shows how to enable PortFast on port 1 of module 4 of a trunk port bring the trunk port to a forwarding state and verify the configuration the PortFast status is shown in th...

Page 166: ...ows how to disable PortFast on port 1 of module 4 Console enable set spantree portfast 4 1 disable Spantree port 4 1 fast start disabled Console enable To reset PortFast on a switch or trunk port to its default settings perform this task in privileged mode This example shows how to disable PortFast on port 1 of module 4 Console enable set spantree portfast 4 1 default Spantree port 4 1 fast start ...

Page 167: ...ture is configured on an individual port and the PortFast BPDU guard option is configured either globally or on a per port basis When you disable PortFast on a port PortFast BPDU guard becomes inactive The port configuration overrides the global configuration unless the port configuration is set to default If the port configuration is set to default the global configuration is checked If the port ...

Page 168: ... 4 4 0 0 0 4 4 5 0 0 0 4 4 6 0 0 0 4 4 10 0 0 0 4 4 20 0 0 0 4 4 999 0 0 0 4 4 1003 0 0 0 0 0 1005 0 0 0 0 0 Blocking Listening Learning Forwarding STP Active Total 0 0 0 85 85 Console enable Disabling PortFast BPDU Guard To disable PortFast BPDU guard perform this task in privileged mode This example shows how to disable PortFast BPDU guard on the switch and verify the configuration Console enabl...

Page 169: ...at port To enable PortFast BPDU filtering perform this task in privileged mode Note For additional PVST information see Chapter 7 Configuring Spanning Tree By default BPDU filtering is set for each port This example shows how to enable PortFast BPDU filtering on the port and verify the configuration in PVST mode Console enable set spantree portfast bpdu filter 6 1 enable Warning Ports enabled with...

Page 170: ...tering on the switch and verify the configuration Console enable set spantree portfast bpdu filter disable Spantree portfast bpdu filter disabled on this switch Console enable show spantree summary Summary of connected spanning tree ports by vlan Portfast bpdu filter disabled for bridge Uplinkfast disabled for bridge Backbonefast disabled for bridge Vlan Blocking Listening Learning Forwarding STP ...

Page 171: ...es in the network that have protocol filtering enabled The all protocols on keywords cause the switch to generate multicasts for each protocol filtering group On switches with both UplinkFast and protocol filtering enabled or if no other switches have protocol filtering enabled you do not need to use the all protocols on keywords Note When you enable UplinkFast it affects all VLANs on the switch Y...

Page 172: ...ee uplinkfast command This command restores the port VLAN costs on all ports to the default minus one 18 and the port cost to the default value 19 If you have configured per VLAN load sharing on redundant trunk links the load sharing configuration can be affected by this command You can disable only spanning tree UplinkFast processing on the switch using the set spantree uplinkfast disable command...

Page 173: ...linkfast uplinkfast disabled for bridge Console enable Configuring BackboneFast The following sections describe how to configure the BackboneFast feature on the switch Enabling BackboneFast Note You must enable BackboneFast on all switches in the network BackboneFast is not supported on Token Ring VLANs This feature is supported for use with third party switches To enable BackboneFast on the switc...

Page 174: ...Ns 0 Number of RLQ req PDUs transmitted all VLANs 0 Number of RLQ res PDUs transmitted all VLANs 0 Console enable Disabling BackboneFast To disable BackboneFast on the switch perform this task in privileged mode This example shows how to disable BackboneFast on the switch and how to verify the configuration Console enable set spantree backbonefast disable Backbonefast enabled for all VLANs Console...

Page 175: ...ee loop guard feature on a per port basis To disable loop guard on all the ports on a switch use the set spantree mst global defaults loop guard command To disable loop guard on the switch perform this task in privileged mode This example shows how to disable loop guard on port 5 1 Console enable set spantree guard none 5 1 Rootguard is disabled on port 5 1 disabling loopguard will disable rootgua...

Page 176: ...eries Catalyst 2948G Catalyst 2980G Switches Software Configuration Guide Release 8 1 78 15486 01 Chapter 8 Configuring Spanning Tree PortFast BPDU Guard BPDU Filter UplinkFast BackboneFast and Loop Configuring Loop Guard ...

Page 177: ...ge 9 6 Understanding How VTP Version 3 Works page 9 13 Default VTP Version 3 Configuration page 9 22 Configuring VTP Version 3 page 9 22 Understanding How VTP Version 1 and Version 2 Work VTP is a Layer 2 messaging protocol that maintains VLAN configuration consistency by managing the addition deletion and renaming of VLANs on a network wide basis VTP minimizes misconfigurations and configuration ...

Page 178: ... the management domain name and the VTP configuration revision number The switch ignores advertisements with a different management domain name or an earlier configuration revision number If you configure the switch as VTP transparent you can create and modify VLANs but the changes affect only the individual switch When you make a change to the VLAN configuration on a VTP server the change is prop...

Page 179: ... name VTP configuration revision number VLAN configuration including the maximum transmission unit MTU size for each VLAN Frame format Understanding VTP Version 2 If you use VTP in your network you must decide whether to use VTP version 1 version 2 or version 3 for details on version 3 see the Understanding How VTP Version 3 Works section on page 9 13 VTP version 2 supports the following features ...

Page 180: ...s the appropriate network devices By default VTP pruning is disabled Make sure that all devices in the management domain support VTP pruning before enabling it Figure 9 1 shows a switched network without VTP pruning enabled Port 1 on Switch 1 and port 2 on Switch 4 are assigned to the Red VLAN A broadcast is sent from the host that is connected to Switch 1 Switch 1 floods the broadcast and every s...

Page 181: ...d To make a VLAN pruning ineligible enter the clear vtp pruneeligible command To make a VLAN pruning eligible again enter the set vtp pruneeligible command You can set VLAN pruning eligibility regardless of whether VTP pruning is enabled or disabled for the domain Pruning eligibility always applies to the local device only not for the entire VTP domain Default VTP Version 1 and Version 2 Configura...

Page 182: ...o not enable VTP version 2 on a switch unless all of the switches in the same VTP domain are version 2 capable When you enable VTP version 2 on a switch all of the version 2 capable switches in the domain enable VTP version 2 Enabling or disabling VTP pruning on a VTP server enables or disables VTP pruning for the entire management domain Making VLANs pruning eligible or pruning ineligible on a sw...

Page 183: ...in Name Lab_Network Password configured hidden Notifications disabled Updater ID 172 20 52 19 Feature Mode Revision VLAN Server 0 Pruning disabled VLANs prune eligible 2 1000 Console enable Configuring a VTP Client When a switch is in VTP client mode you cannot change the VLAN configuration on the switch The client switch receives VTP updates from a VTP server in the management domain and modifies...

Page 184: ... VTP transparent switch running VTP version 2 does forward received VTP advertisements out all of its trunk links Note Network devices in VTP transparent mode do not send VTP join messages On Catalyst 4500 series switches with trunk connections to network devices in VTP transparent mode configure the VLANs that are used by the transparent mode network devices or that need to be carried across trun...

Page 185: ...otifications disabled Updater ID 172 20 52 19 Feature Mode Revision VLAN Off 0 Pruning disabled VLANs prune eligible 2 1000 Console enable Enabling VTP Version 2 VTP version 2 is disabled by default on VTP version 2 capable switches When you enable VTP version 2 on a switch every VTP version 2 capable switch in the VTP domain will enable version 2 as well Caution VTP version 1 and VTP version 2 ar...

Page 186: ...ID 172 20 52 19 Feature Mode Revision VLAN Off 0 Pruning disabled VLANs prune eligible 2 1000 Console enable Disabling VTP Version 2 To disable VTP version 2 perform this task in privileged mode This example shows how to disable VTP version 2 Console enable set vtp version 1 This command will enable VTP version 1 function in the entire management domain Warning trbrf trcrf vlans will not work prop...

Page 187: ...uned on this device VTP domain Lab_Network modified Console enable set vtp pruneeligible 250 255 Vlans 2 99 250 255 501 1000 1024 4094 eligible for pruning on this device VTP domain Lab_Network modified Console enable show vtp domain Version running VTP1 VTP3 capable Domain Name Lab_Network Password configured hidden Notifications disabled Updater ID 172 20 52 19 Feature Mode Revision VLAN Server ...

Page 188: ...nable Displaying VTP Statistics To display VTP statistics including the VTP advertisements that are sent and received and VTP errors perform this task This example shows how to display VTP statistics on the switch Console enable show vtp statistics VTP statistics summary advts received 0 subset advts received 0 request advts received 0 summary advts transmitted 7843 subset advts transmitted 4 requ...

Page 189: ...that is associated with a given feature VTP version 3 handles the configuration propagation of multiple databases features independent of one another by running multiple instances of the protocol Note In software release 8 1 1 the only supported database propagation is for the VLAN database These sections describe VTP version 3 VTP Version 3 Authentication page 9 13 VTP Version 3 Per Port Configur...

Page 190: ... information on per port configuration options see the Disabling VTP Version 3 on a Per Port Basis section on page 9 29 VTP Version 3 Domains Modes and Partitions The main differences between VTP version 3 domains and modes and VTP version 1 and VTP version 2 are as follows A VTP version 3 server can be configured as primary or secondary VTP version 3 modes server client and transparent are specif...

Page 191: ...ion on page 9 13 VTP version 3 switches lock on the primary server that generated their configuration and only listen to further VTP database updates from this primary server This differs significantly from VTP version 1 and VTP version 2 where a switch would always accept a superior configuration from a neighbor in the same domain A VTP version 3 switch only accepts a superior configuration that ...

Page 192: ...configured switch If a new switch is added to a domain it will not propagate its configuration until you manually designate it as the new primary server For information on using the takeover mechanism to reconfigure partitioned VTP domains see the Reconfiguring a Partitioned VTP Domain section on page 9 16 Reconfiguring a Partitioned VTP Domain Partitioning of a VTP domain is specific to the insta...

Page 193: ...ing configurations when you enter the show vtp conflicts command and prompts you for confirmation before taking over a server has conflicting information if it belongs to the same VTP domain but has a different primary server The takeover leaves this switch server X in Figure 9 5 as the only primary server controlling the VTP domain If you have a hidden password configured you need to reenter the ...

Page 194: ...ection on page 9 23 Client Mode VTP version 3 clients have characteristics that are similar to VTP version 1 and VTP version 2 clients as follows A VTP client accepts a VTP configuration from the network but cannot generate or alter the configuration A VTP client stores the VTP configuration that it receives in RAM not NVRAM When a VTP client boots it needs to reacquire the entire configuration th...

Page 195: ...ange in the mode configuration Any VTP domain configuration change such as version domain name or domain password Transparent and VTP Off Modes In VTP version 3 the transparent mode is specific to the instance The off mode in VTP version 3 is similar to the previous VTP versions and is not specific to an instance In both modes you are allowed to configure locally the features that VTP is controlli...

Page 196: ... database related parameters and domain related parameters on a primary server In any mode configuring a domain related parameter immediately invalidates all the databases Domain parameters are the domain name the VTP version and the authentication method password In addition to invalidating the databases configuring a domain related parameter also reverts a primary server to a secondary server Wh...

Page 197: ...runk This situation forces legacy neighboring switches to keep advertising their presence on the link If a VTP version 3 switch does not receive a legacy packet on a trunk for a certain period of time it is considered to be a VTP version 3 only trunk and will not advertise a scaled down version of the VLAN database on the trunk Even when advertising a VTP version 2 database on a trunk VTP version ...

Page 198: ...P Version 3 These sections describe how to configure VTP version 3 Enabling VTP Version 3 page 9 22 Changing VTP Version 3 Modes page 9 23 Configuring VTP Version 3 Passwords page 9 27 Configuring a VTP Version 3 Takeover page 9 28 Disabling VTP Version 3 on a Per Port Basis page 9 29 VTP Version 3 show Commands page 9 29 Enabling VTP Version 3 Use the set vtp version version_number command to spe...

Page 199: ...2 1000 Console enable Changing VTP Version 3 Modes Note For additional details see the VTP Version 3 Modes section on page 9 18 Each database is propagated by an instance of the VTP protocol As these instances are independent they can operate in different modes The set vtp mode command allows you to set the mode for a particular VTP instance The VTP instance is identified by the name of the featur...

Page 200: ... running VTP3 Domain Name ENG Password not configured Notifications disabled Switch ID 00d0 004c 1800 Feature Mode Revision Primary ID Primary Description VLAN Server 0 0000 0000 0000 UNKNOWN Off Pruning disabled VLANs prune eligible 2 1000 Console enable Configuring a VTP Version 3 Client When a switch is in VTP client mode you cannot change the VLAN configuration on the switch The client switch ...

Page 201: ...TP transparent you disable VTP on the switch A VTP transparent switch does not send VTP updates and does not act on VTP updates that are received from other switches Note Network devices in VTP transparent mode do not send VTP join messages On Catalyst 4500 series switches with trunk connections to network devices in VTP transparent mode configure the VLANs that are used by the transparent mode ne...

Page 202: ...nts are not forwarded To disable VTP using the off mode perform this task in privileged mode This example shows how to disable VTP using the off mode Console enable set vtp mode off Changing VTP mode for all features VTP3 domain server modified Note Because there is only the VLAN database in release 8 1 1 using the above example without specifying the vlan keyword results in the same configuration...

Page 203: ...nd that can be shown in the configuration A plain text password or an encrypted hexadecimal secret value These two formats are exclusive if you configure a plain text password it replaces a current secret password and similarly if you paste a secret password into the configuration the initial password is removed To set VTP passwords perform this task in privileged mode This example shows how to se...

Page 204: ...e switch first tries to discover some conflicting servers in the domain Conflicting servers are servers that follow a different primary server than the one in the configuration of the local switch You are prompted by the local switch for confirmation before proceeding with the takeover The prompting is necessary because taking over the domain involves overwriting the configuration of any conflicti...

Page 205: ...hat are received on the port are dropped By default VTP is enabled and advertisements are received and sent on all trunks To disable VTP on a per port basis perform this task in privileged mode This example shows how to disable VTP on a per port basis and verify the configuration Console enable set port vtp 3 1 2 disable VTP is disabled on ports 3 1 2 Console enable show port vtp 3 Port VTP Status...

Page 206: ...9 30 Catalyst 4500 Series Catalyst 2948G Catalyst 2980G Switches Software Configuration Guide Release 8 1 78 15486 01 Chapter 9 Configuring VTP Configuring VTP Version 3 ...

Page 207: ...e VLANs page 10 16 Understanding How VLANs Work A VLAN is a group of end stations with a common set of requirements independent of physical location A VLAN has the same attributes as a physical LAN but allows you to group end stations even if the VLANs are not located physically on the same LAN segment VLANs allow you to group ports on a switch to limit unicast multicast and broadcast traffic floo...

Page 208: ...so that you can access another switch on the same VLAN directly without a router Only one IP address at a time can be assigned to the in band interface If you change the IP address and assign the interface to a different VLAN the previous IP address and VLAN assignment are overwritten You can set the following parameters when you create a VLAN in the management domain VLAN number VLAN name VLAN ty...

Page 209: ...5 Table 10 1 describes the VLAN ranges Table 10 1 VLAN Ranges VLANs Range Usage Propagated by VTP Y N 0 4095 Reserved range For system use only You cannot see or use these VLANs N A 1 Normal range Cisco default You can use this VLAN but you cannot delete it Yes 2 1000 Normal range Used for Ethernet VLANs you can create use and delete these VLANs Yes 1001 Reserved You cannot create or use this VLAN...

Page 210: ...endent of any VTP version or mode VLAN number VLAN name VLAN type Ethernet FDDI and FDDINET VLAN state active or suspended Multi Instance Spanning Tree Protocol MISTP instance Private VLAN type primary isolated community two way community or none SAID MTU for the VLAN VLAN to use when translating from one VLAN media type to another VLANs 1 1005 only requires a different VLAN number for each media ...

Page 211: ... VLAN will be an Ethernet VLAN Consider the following when creating or modifying extended range VLANs You can create only extended range Ethernet VLANs You can create and delete only extended range VLANs from the CLI or SNMP You cannot use VTP to manage these VLANs they must be statically configured on each switch You cannot use extended range VLANs if you have dot1q to isl mappings You can config...

Page 212: ...r more information about configuring VTP see Chapter 9 Configuring VTP Note With VTP version 3 you can manage extended range VLANs 1025 4094 These VLANs are propagated with VTP version 3 Before configuring extended range VLANs VLANs 1025 4094 you must first enable MAC address reduction When you enable MAC address reduction the system commits the IDs for extended range VLANs After you enable MAC ad...

Page 213: ...to change the vlan 500 name from Engineering to Development and verify the configuration Console enable set vlan 500 name Development Vlan 500 configuration successful Console enable show vlan 500 VLAN Name Status IfIndex Mod Ports Vlans 500 Development active 344 VLAN Type SAID MTU Parent RingNo BrdgNo Stp BrdgMode Trans1 Trans2 500 enet 100500 1500 0 0 VLAN AREHops STEHops Backup CRF Console ena...

Page 214: ...Type SAID MTU Parent RingNo BrdgNo Stp BrdgMode Trans1 Trans2 500 enet 100500 1500 0 0 501 enet 100501 1500 0 0 502 enet 100502 1500 0 0 503 enet 100503 1500 0 0 520 enet 100520 1500 0 0 VLAN AREHops STEHops Backup CRF Console enable To modify VLAN parameters on an existing normal range VLAN perform this task in privileged mode This example shows how to change the state of an Ethernet VLAN and ver...

Page 215: ...acreduction enable MAC address reduction enabled Console enable set vlan 2000 Vlan 2000 configuration successful Console enable show vlan 2000 VLAN Name Status IfIndex Mod Ports Vlans 2000 VLAN2000 active 61 VLAN Type SAID MTU Parent RingNo BrdgNo Stp BrdgMode Trans1 Trans2 2000 enet 102000 1500 0 0 VLAN Inst DynCreated RSPAN 2000 static disabled VLAN AREHops STEHops Backup CRF 1q VLAN Console ena...

Page 216: ... VLAN A VLAN that is created in a management domain remains unused until you assign one or more switch ports to the VLAN If you specify a VLAN that does not exist the VLAN is created and the specified ports are assigned to it To assign one or more switch ports to a VLAN perform this task in privileged mode This example shows how to assign switch ports to a VLAN and verify the assignment Console en...

Page 217: ...able 10 1 and 1025 4094 The valid range of VLANs that are specified in the IEEE 802 1Q standard is 0 4095 In a network environment with non Cisco devices that are connected to Cisco switches through 802 1Q trunks you can map 802 1Q VLAN numbers that are greater than 1000 to ISL VLAN numbers If you use any VLANs in the extended range 1025 4094 for dot1q mappings you cannot use any of the extended r...

Page 218: ...rform this task in privileged mode This example shows how to clear the VLAN mapping for 802 1Q VLAN 2000 Console enable clear vlan mapping dot1q 2000 Vlan 2000 mapping entry deleted Console enable This example shows how to clear all 802 1Q to ISL VLAN mappings Console enable clear vlan mapping dot1q all All vlan mapping entries deleted Console enable Deleting a VLAN When you delete a VLAN in VTP s...

Page 219: ...d will deactivate all ports on vlan 500 in the entire management domain Do you want to continue y n n y Vlan 500 deleted Console enable Configuring Auxiliary VLANs The following sections describe how to configure auxiliary VLANs to use with IP phones Understanding Auxiliary VLANs An IP phone contains an integrated three port 10 100 switch The ports which are dedicated connections are described as ...

Page 220: ...necting a phone would have separate VLANs that are configured for carrying the following Voice traffic to and from the IP phone auxiliary VLAN Data traffic to and from the PC that is connected to the switch through the access port of the IP phone native VLAN Isolating the phones on a separate auxiliary VLAN increases the quality of the voice traffic and allows a large number of phones to be added ...

Page 221: ...ype difference You cannot use switch commands to configure a frame type that is used by traffic received from a device attached to the phone s access port With software release 6 2 1 and later releases dynamic ports can belong to two VLANs a native VLAN and an auxiliary VLAN See Chapter 12 Configuring Dynamic VLAN Membership with VMPS for configuration details for auxiliary VLANs Configuring Auxil...

Page 222: ...s follows A promiscuous port communicates with all other private VLAN ports and is the port that you use to communicate with routers LocalDirector the CSS11000 backup servers and administrative workstations Note If a broadcast or multicast packet comes from the promiscuous port it is sent to all the ports in the private VLAN domain that is to all the community and isolated ports An isolated port h...

Page 223: ...in this private VLAN After designating the VLANs you must bind them together and associate them to the promiscuous port You can extend private VLANs across multiple Ethernet switches by trunking the primary isolated and any community VLANs to other switches that support private VLANs In an Ethernet switched environment you can assign an individual VLAN and associated IP subnet to each individual o...

Page 224: ...dware and software restrictions You can use the sc0 interface in a private VLAN that is assigned to either an isolated or community VLAN but not as a promiscuous port to a primary VLAN You cannot set private VLAN ports to trunking mode or channeling or have dynamic VLAN memberships If you attempt such a configuration a warning message is displayed and the command is rejected Isolated and community...

Page 225: ...VLANs together or use SPAN on only one VLAN to separately monitor egress or ingress traffic IGMP snooping and multicast shortcuts are not supported in private VLANs You cannot enable EtherChannel on isolated community or promiscuous ports You cannot set a VLAN to a private VLAN if the VLAN has dynamic access control entries ACEs that are configured on it You can stop Layer 3 switching on an isolat...

Page 226: ...1 pvlan type isolated Vlan 901 configuration successful Console enable set vlan 902 pvlan type community Vlan 902 configuration successful Console enable set vlan 903 pvlan type community Vlan 903 configuration successful Console enable This example shows how to bind VLAN 901 to primary VLAN 7 and assign port 4 3 as the isolated port Console enable set pvlan 7 901 4 3 Successfully set the followin...

Page 227: ... and 902 on 3 1 Console enable set pvlan mapping 7 903 3 1 Successfully set mapping between 7 and 903 on 3 1 This example shows how to verify the private VLAN configuration Console enable show vlan 7 VLAN Name Status IfIndex Mod Ports Vlans 7 VLAN0007 active 35 4 4 6 VLAN Type SAID MTU Parent RingNo BrdgNo Stp BrdgMode Trans1 Trans2 7 enet 100010 1500 0 0 VLAN DynCreated RSPAN 7 static disabled VL...

Page 228: ...g configuration Console enable set pvlan 10 20 Console enable set pvlan mapping 10 20 3 1 Console enable set pvlan mapping 10 20 5 2 Console enable set trunk 5 1 desirable isl 1 1005 1025 4094 Console enable show pvlan capability 5 20 Port 5 20 can be made a private vlan port Console enable show pvlan Primary Secondary Secondary Type Ports 10 20 isolated Console enable show pvlan capability 3 1 Po...

Page 229: ...s between the isolated or community ports and the promiscuous port If you delete all the mappings on a promiscuous port the promiscuous port becomes inactive When a private VLAN port is set to inactive it displays pvlan as its VLAN number in the show port output You might set a private VLAN port to inactive for the following reasons The primary isolated or community VLAN to which it belongs is cle...

Page 230: ...10 24 Catalyst 4500 Series Catalyst 2948G Catalyst 2980G Switches Software Configuration Guide Release 8 1 78 15486 01 Chapter 10 Configuring VLANs Configuring Private VLANs ...

Page 231: ...1 1 Default Trunk Configuration page 11 5 Configuring a Trunk Link page 11 5 Disabling VLAN 1 on a Trunk Link page 11 8 Example VLAN Trunk Configurations page 11 9 Understanding How VLAN Trunks Work The following sections describe how VLAN trunks work on the Catalyst enterprise LAN switches Trunking Overview A trunk is a point to point link between one or more switch ports and another networking d...

Page 232: ...nd Gigabit Ethernet ports Table 11 2 lists the encapsulation type used with the set trunk command and describes how it functions on Fast Ethernet and Gigabit Ethernet ports You can use the show port capabilities command to determine which encapsulation types a particular port supports Table 11 1 Fast Ethernet and Gigabit Ethernet Trunking Modes Mode Function on Puts the port into permanent trunkin...

Page 233: ...s are hardware dependent Table 11 4 shows which switches have available hardware that supports the two trunking encapsulations To determine whether a specific piece of hardware supports trunking and to determine which trunking encapsulations are supported see your hardware documentation or use the show port capabilities command Table 11 3 Results of Possible Fast Ethernet and Gigabit Ethernet Trun...

Page 234: ...change spanning tree BPDUs on each VLAN allowed on the trunks The BPDUs on the native VLAN of the trunk are sent untagged to the reserved IEEE 802 1d spanning tree multicast MAC address 01 80 C2 00 00 00 The BPDUs on all other VLANs on the trunk are sent tagged to the reserved Cisco Shared Spanning Tree SSTP multicast MAC address 01 00 0c cc cc cd Non Cisco 802 1Q switches maintain only a single i...

Page 235: ...ANs removed from the trunk configuration Configuring a Trunk Link The following sections describe how to configure a trunk link on Fast Ethernet and Gigabit Ethernet ports and how to define the allowed VLAN range on a trunk Configuring an 802 1Q Trunk Note Some hardware does not support 802 1Q encapsulation To determine whether your hardware supports 802 1Q see your hardware documentation or use t...

Page 236: ...n successful Console enable set trunk 2 9 desirable dot1q Port s 2 9 trunk mode set to desirable Port s 2 9 trunk type set to dot1q Console enable 07 02 1998 18 22 25 DTP 5 Port 2 9 has become dot1q trunk Console enable show trunk Port Mode Encapsulation Status Native vlan 2 9 desirable dot1q trunking 1 Port Vlans allowed on trunk 2 9 1 10 20 100 Port Vlans allowed and active in management domain ...

Page 237: ...allowed vlans modified to 10 20 100 1002 1003 1004 1005 Console enable clear trunk 1 1 1 9 11 19 21 99 101 1001 Removing Vlan s 1 9 11 19 21 99 101 100 from allowed list Port 1 1 allowed vlans modified to 10 20 100 Console enable show trunk 1 1 Port Mode Encapsulation Status Native vlan 1 1 desirable dot1q trunking 1 Port Vlans allowed on trunk 1 1 1 10 20 100 Port Vlans allowed and active in mana...

Page 238: ... Trunking Protocol VTP Port Aggregation Protocol PAgP Dynamic Trunking Protocol DTP and so forth Caution By default the sc0 interface management VLAN is VLAN 1 If you disable VLAN 1 you will have to configure another VLAN to be the management VLAN for sc0 When a trunk port with VLAN 1 disabled becomes a nontrunk port it is added to the native VLAN If the native VLAN is VLAN 1 the port is enabled a...

Page 239: ...gure an 802 1Q trunk over a Gigabit EtherChannel link between two switches with 802 1Q capable hardware Use the show port capabilities command to see if your hardware is 802 1Q capable Figure 11 1 shows two switches connected through four 1000BASE SX Gigabit Ethernet ports Figure 11 1 IEEE 802 1Q Trunk over Gigabit EtherChannel Link Note For complete information on configuring Gigabit EtherChannel...

Page 240: ... 5 PORTFROMSTP Port 2 3 left bridge port 2 3 ETHC 5 PORTTOSTP Port 2 3 joined bridge port 2 3 6 ETHC 5 PORTTOSTP Port 2 4 joined bridge port 2 3 6 ETHC 5 PORTTOSTP Port 2 5 joined bridge port 2 3 6 ETHC 5 PORTTOSTP Port 2 6 joined bridge port 2 3 6 Switch_B enable DTP 5 TRUNKPORTON Port 3 3 has become dot1q trunk DTP 5 TRUNKPORTON Port 3 4 has become dot1q trunk ETHC 5 PORTFROMSTP Port 3 3 left br...

Page 241: ...025 4094 Port Vlans allowed and active in management domain 3 3 1 1005 1025 4094 3 4 1 1005 1025 4094 3 5 1 1005 1025 4094 3 6 1 1005 1025 4094 Port Vlans in spanning tree forwarding state and not pruned 3 3 1 1005 1025 4094 3 4 1 1005 1025 4094 3 5 1 1005 1025 4094 3 6 1 1005 1025 4094 Switch_B enable Step 4 Confirm the channeling and trunking status of the switches by entering the show port chan...

Page 242: ...t 3 5 left bridge port 3 5 ETHC 5 PORTFROMSTP Port 3 6 left bridge port 3 6 ETHC 5 PORTFROMSTP Port 3 4 left bridge port 3 4 ETHC 5 PORTFROMSTP Port 3 5 left bridge port 3 5 ETHC 5 PORTFROMSTP Port 3 6 left bridge port 3 6 ETHC 5 PORTFROMSTP Port 3 3 left bridge port 3 3 ETHC 5 PORTTOSTP Port 3 3 joined bridge port 3 3 6 ETHC 5 PORTTOSTP Port 3 4 joined bridge port 3 3 6 ETHC 5 PORTTOSTP Port 3 5 ...

Page 243: ...h 1 to prevent forwarding loops Trunk 2 is not used to forward traffic unless Trunk 1 fails To configure the switches so that traffic from multiple VLANs is load balanced over the parallel trunks follow these steps Step 1 Configure a VTP domain on both Switch 1 and Switch 2 by entering the set vtp command so that the VLAN information configured on Switch 1 is learned by Switch 2 Make sure that Swi...

Page 244: ...1 12 5 1 2 10 VLAN0010 active 11 VLAN0011 active 20 VLAN0020 active 30 VLAN0030 active 40 VLAN0040 active 50 VLAN0050 active 60 VLAN0060 active 1002 fddi default active 1003 token ring default active 1004 fddinet default active 1005 trnet default active Switch_1 enable Step 4 Configure the supervisor engine uplinks on Switch 1 as 802 1Q trunk ports by entering the set trunk command Specifying the ...

Page 245: ...0 active 60 VLAN0060 active 1002 fddi default active 1003 token ring default active 1004 fddinet default active 1005 trnet default active Switch_2 enable Step 7 Spanning tree takes one to two minutes to converge After the network stabilizes check the spanning tree state of each trunk port on Switch 1 by entering the show spantree command Trunk 1 is forwarding for all VLANs Trunk 2 is blocking for ...

Page 246: ... 1 9 11 19 21 1004 using portpri 32 Port 1 1 vlans 10 20 using portpri 1 Port 1 1 vlans 1005 using portpri 4 Switch_1 enable set spantree portvlanpri 1 1 1 30 Port 1 1 vlans 1 9 11 19 21 29 31 1004 using portpri 32 Port 1 1 vlans 10 20 30 using portpri 1 Port 1 1 vlans 1005 using portpri 4 Switch_1 enable Step 10 On Switch 1 change the port VLAN priority for the Group 2 VLANs on Trunk 2 port 1 2 t...

Page 247: ...ns 40 50 60 using portpri 1 Port 1 2 vlans 1005 using portpri 4 Switch_2 enable Step 13 When you have configured the port VLAN priorities on both ends of the link the spanning tree converges to use the new configuration Check the spanning tree port states on Switch 1 by entering the show spantree command The Group 1 VLANs should be forwarding on Trunk 1 and blocking on Trunk 2 The Group 2 VLANs sh...

Page 248: ...rt Group method 1 1 1 not connected 19 32 disabled Switch_1 enable show spantree 1 2 Port Vlan Port State Cost Priority Fast Start Group method 1 2 1 learning 19 32 disabled 1 2 10 learning 19 32 disabled 1 2 20 learning 19 32 disabled 1 2 30 learning 19 32 disabled 1 2 40 forwarding 19 1 disabled 1 2 50 forwarding 19 1 disabled 1 2 60 forwarding 19 1 disabled 1 2 1003 not connected 19 32 disabled...

Page 249: ...dot1q Port s 1 1 trunk mode set to nonegotiate Port s 1 1 trunk type set to dot1q Switch 1 enable 04 15 1998 22 02 17 DISL 5 Port 1 1 has become dot1q trunk Switch 2 enable 04 15 1998 22 01 42 SPANTREE 2 Rcved 1Q BPDU on non 1Q trunk port 4 1 vlan 1 04 15 1998 22 01 42 SPANTREE 2 Block 4 1 on rcving vlan 1 for inc trunk port 04 15 1998 22 01 42 SPANTREE 2 Block 4 1 on rcving vlan 1 for inc peer vl...

Page 250: ...0 32 disabled 4 2 1 not connected 100 32 disabled output truncated Switch 2 enable show spantree statistics 4 1 Port 4 1 VLAN 1 SpanningTree enabled for vlanNo 1 BPDU related parameters port spanning tree enabled state broken port_id 0x8142 port number 0x142 path cost 100 message age port VLAN 1 20 designated_root 00 60 09 79 c3 00 designated_cost 0 designated_bridge 00 60 09 79 c3 00 designated_p...

Page 251: ...d Spanning tree type ieee Designated Root 00 60 09 79 c3 00 Designated Root Priority 32768 Designated Root Cost 0 Designated Root Port 1 1 Root Max Age 20 sec Hello Time 2 sec Forward Delay 15 sec Bridge ID MAC ADDR 00 10 29 b5 30 00 Bridge ID Priority 49152 Bridge Max Age 20 sec Hello Time 2 sec Forward Delay 15 sec Port Vlan Port State Cost Priority Fast Start Group method 1 1 1 forwarding 4 32 ...

Page 252: ...Designated Root Priority 32768 Designated Root Cost 0 Designated Root Port 1 0 Root Max Age 20 sec Hello Time 2 sec Forward Delay 15 sec Bridge ID MAC ADDR 00 60 09 79 c3 00 Bridge ID Priority 32768 Bridge Max Age 20 sec Hello Time 2 sec Forward Delay 15 sec Port Vlan Port State Cost Priority Fast Start Group method 1 1 1 not connected 4 32 disabled 1 2 1 not connected 4 32 disabled 4 1 1 forwardi...

Page 253: ... Configuring VMPS page 12 4 Troubleshooting VMPS and Dynamic Port VLAN Membership page 12 11 VMPS Example page 12 12 Dynamic Port VLAN Membership with Auxiliary VLANs page 12 14 Understanding How VMPS Works With VMPS you can dynamically assign switch ports to VLANs based on the source MAC address of the device connected to the port When you move a host from a port on one switch in the network to a...

Page 254: ...oftware release 6 2 1 a port can belong to a native VLAN and an auxiliary VLAN See the Dynamic Port VLAN Membership with Auxiliary VLANs section on page 12 14 for complete details When the link comes up a dynamic port is isolated from its static VLAN The source MAC address from the first packet of a new host on the dynamic port is sent to the VMPS server which attempts to match the MAC address to ...

Page 255: ...orts as dynamic When you configure a port as dynamic spanning tree PortFast is enabled automatically for that port Automatic enabling of spanning tree PortFast prevents applications on the host from timing out and entering loops caused by incorrect configurations You can disable spanning tree PortFast mode on a dynamic port If you reconfigure a port from a static port to a dynamic port on the same...

Page 256: ...to the switch Step 2 On the VMPS primary and backup servers do the following a Specify the location and name of the VMPS database file b Enable VMPS See the Configuring the VMPS Server section on page 12 7 for more information Step 3 On the VMPS clients do the following a Specify the IP addresses for the primary and backup VMSP servers b Configure ports to dynamic mode See the Configuring VMPS Cli...

Page 257: ...dc ba98 7654 is set to NONE This setting explicitly denies this MAC address from accessing the network Section 3 Port groups lists groups of ports on various switches in your network that you want grouped together You use these port groups when defining VLAN port policies Define a port group name for each port group and then list all the ports that you want included in the port group A port is ide...

Page 258: ...S File Format version 1 1 Always begin the configuration file with the word VMPS vmps domain domain name The VMPS domain must be defined vmps mode open secure The default mode is open vmps fallback vlan name vmps no domain req allow deny The default value is allow vmps domain WBU vmps mode open vmps fallback default vmps no domain req deny Section 2 MAC ADDRESSES MAC Addresses vmps mac addrs addre...

Page 259: ...not communicate with each other about the VMPS database You must enable VMPS on each server and manually update each VMPS server when you update the VMPS database To configure a VMPS server perform this task in privileged mode You must complete this task for the primary and any backup VMPS servers in your network This example shows how to set the VMPS database as Bldg G db on the TFTP server with ...

Page 260: ...server VMPS Client Status VMPS VQP Version 1 Reconfirm Interval 60 min Server Retry Count 3 VMPS domain server 192 0 0 1 primary 192 0 0 6 192 0 0 9 This example shows how to set ports 1 to 3 on module 3 to dynamic mode disable trunking port 1 on module 2 to make it a dynamic port and verify the port configuration Console enable set port membership 3 1 3 dynamic Ports 3 1 3 vlan assignment set to ...

Page 261: ...f these tasks in privileged mode To show VMPS statistics perform this task in privileged mode Maintaining VMPS To clear VMPS statistics perform this task in privileged mode To clear a VMPS server entry from the VMPS client perform this task in privileged mode Task Command Show the VLAN to which a MAC address is mapped in the database show vmps mac mac_address Show the MAC addresses that are mapped...

Page 262: ...e host releases the VLAN or disconnects from the port This example shows how to disable VMPS on the switch Console enable set vmps state disable All the VMPS configuration information will be lost and the resources released on disable Do you want to continue y n n y Vlan Membership Policy Server disabled Console enable Configuring Static Ports To return a port to the static mode perform this task ...

Page 263: ...ing the set logging level vmps command Troubleshooting Dynamic Ports A dynamic port might shut down under these circumstances VMPS is in secure mode and it is illegal for the host to connect to the port The port shuts down to prevent the host from connecting to the network More than 50 active hosts reside on a dynamic port To reenable a dynamic port that has been shut down enter the set port enabl...

Page 264: ...re multicast packets with a destination address of 01000CCCCCCD VMPS Example Figure 12 1 shows a network with a VMPS server switch two backup VMPS servers and VMPS client switches with dynamic ports In this example the following assumptions apply The VMPS server and the VMPS client are separate switches Switch 1 is the primary VMPS server Switch 3 and Switch 10 are secondary VMPS servers End stati...

Page 265: ...IP address of the TFTP server on which the ASCII file resides Console enable set vmps tftpserver 172 20 22 7 Bldg G db b Enable VMPS Console enable set vmps state enable Router Primary VMPS Server 1 Secondary VMPS Server 2 Secondary VMPS Server 3 172 20 26 150 172 20 26 151 172 20 26 152 Ethernet segment 172 20 26 153 172 20 26 154 172 20 26 155 172 20 26 156 172 20 26 157 172 20 26 158 172 20 26 ...

Page 266: ... 26 159 c Verify the VMPS server addresses Console enable show vmps server Step 4 Configure port 3 1 on Switch 2 as dynamic Console enable set port membership 3 1 dynamic Step 5 Connect End Station 2 on port 3 1 When End Station 2 sends a packet Switch 2 sends a query to the primary VMPS server Switch 1 Switch 1 responds with a message to assign port 3 1 to the VLAN specified in the VMPS database ...

Page 267: ...s from the IP phone are tagged with the auxiliary VLAN ID All such tagged packets are considered to be packets from the phone and all other packets are considered to be packets from the PC When configuring the auxiliary VLAN ID with untagged frames you need to configure the VMPS server with the IP phone s MAC address see the VMPS Example section on page 12 12 for information on configuring VMPS Fo...

Page 268: ...oftware Configuration Guide Release 8 1 78 15486 01 Chapter 12 Configuring Dynamic VLAN Membership with VMPS Dynamic Port VLAN Membership with Auxiliary VLANs Console enable set port auxiliaryvlan 5 10 223 Auxiliary vlan cannot be set to 223 as PVID 223 Console enable ...

Page 269: ...RP Configuration page 13 2 GVRP Configuration Guidelines page 13 2 Configuring GVRP on the Switch page 13 2 Understanding How GVRP Works GARP and GVRP are industry standard protocols described in IEEE 802 1p GVRP is a GARP application that provides 802 1Q compliant VLAN pruning and dynamic VLAN creation on 802 1Q trunk ports With GVRP the switch can exchange VLAN configuration information with oth...

Page 270: ...must enable GVRP globally before any GVRP will process on the switch Enabling GVRP globally enables GVRP to perform VLAN pruning on 802 1Q trunk links Pruning occurs only on GVRP enabled trunks For information on setting the per trunk port GVRP enable state see the Enabling GVRP on Individual 802 1Q Trunk Ports section on page 13 3 To enable dynamic VLAN creation you must explicitly enable dynamic...

Page 271: ...P will not function on any ports until you enable it globally For information on configuring GVRP globally on the switch see the Enabling GVRP Globally section on page 13 2 There are two per port GVRP states The static GVRP state configured in the CLI and stored in NVRAM The actual GVRP state of the ports active GVRP participants You can configure the static GVRP port state on any 802 1Q capable s...

Page 272: ...onfiguration or negotiated using DTP while dynamic VLAN creation is enabled dynamic VLAN creation is automatically disabled until the conditions for enabling dynamic VLAN creation are restored Note VLANs can only be created dynamically on 802 1Q trunks in the normal registration mode To enable GVRP dynamic VLAN creation on the switch perform this task in privileged mode This example shows how to e...

Page 273: ... 1 1 Registrar Administrative Control set to fixed on port 1 1 Console enable Setting GVRP Forbidden Registration Configuring an 802 1Q trunk port in forbidden registration mode deregisters all VLANs except VLAN 1 and prevents any further VLAN creation or registration on the trunk port To configure GVRP forbidden registration on an 802 1Q trunk port perform this task in privileged mode This exampl...

Page 274: ...rp applicant active 4 2 3 4 9 10 4 12 24 Applicant was set to active on port s 4 2 3 4 9 10 4 12 24 Console enable Use the normal keyword to return to the default state active mode disabled Setting the GARP Timers Note The commands set gvrp timer and show gvrp timer are aliases for set garp timer and show garp timer The aliases may be used if desired Note Modifying the GARP timer values affects th...

Page 275: ...liseconds Console enable set garp timer join 200 GMRP GARP join timer value is set to 200 milliseconds Console enable show garp timer Timer Timer Value milliseconds Join 200 Leave 600 LeaveAll 10000 Console enable Displaying GVRP Statistics To display GVRP statistics on the switch perform this task This example shows how to display GVRP statistics for port 1 1 Console enable show gvrp statistics 1...

Page 276: ... individual 802 1Q trunk ports perform this task in privileged mode This example shows how to disable GVRP on 802 1Q trunk port 1 1 Console set gvrp disable 1 1 GVRP disabled on 1 1 Console Disabling GVRP Globally To disable GVRP globally on the switch perform this task in privileged mode This example shows how to disable GVRP globally on the switch Console enable set gvrp disable GVRP disabled Co...

Page 277: ...oS Terminology page 14 2 Understanding Classification and Marking at the Ingress Port page 14 3 Understanding Scheduling page 14 3 QoS Overview Typically networks operate on a best effort delivery basis which means that all traffic has equal priority and an equal chance of being delivered in a timely manner When congestion occurs all traffic has an equal chance of being dropped QoS selects network...

Page 278: ...y is used in this chapter QoS labels are used to prioritize traffic Layer 2 CoS values Layer 2 802 1Q frame headers have a 2 byte Tag Control Information field that carries the CoS value in the three most significant bits the User Priority bits Other frame types cannot carry CoS values CoS values range between 0 low priority and 7 high priority Classification is the selection of traffic to be mark...

Page 279: ... ingress port QoS accepts the User Priority bits as the CoS value QoS classifies and marks all other frame types that enter the switch with the default CoS value configured for the entire switch You cannot mark traffic on a per port basis Note The Catalyst 4500 series 2948G and 2980G switches support frame classification and marking only on unclassified frames entering the switch Understanding Sch...

Page 280: ...efault Switch CoS Value page 14 5 Mapping CoS Values to Transmit Queues and Drop Thresholds page 14 6 Reverting to the Default CoS to Transmit Queue and Drop Threshold Mapping page 14 6 Displaying QoS Information page 14 7 Reverting to QoS Defaults page 14 7 Disabling QoS page 14 7 Note Because entering some QoS commands disables and then reenables ports which can cause spanning tree topology chan...

Page 281: ...ow to set CoS equal to 7 in all unclassified frames that are received on the switch and verify the configuration Console enable set qos defaultcos 7 qos defaultcos set to 7 Console enable Reverting to the Default Switch CoS Value To revert to the default switch CoS value on the switch perform this task in privileged mode This example shows how to revert to the default CoS value for port 8 1 and ve...

Page 282: ...and drop threshold perform this task in privileged mode This example shows how to map CoS values 4 through 7 to the second transmit queue and the first drop threshold for that queue on a 2q1t port Console enable set qos map 2q1t 2 1 cos 4 7 Qos tx priority queue and threshold mapped to cos successfully Console enable Reverting to the Default CoS to Transmit Queue and Drop Threshold Mapping Enter t...

Page 283: ...Threshold Mapping Queue Threshold CoS 1 1 0 1 2 3 2 1 4 5 6 7 Console Reverting to QoS Defaults To revert to QoS defaults perform this task in privileged mode This example shows how to revert to QoS defaults Console enable clear qos config This command will disable QoS and take values back to factory default Do you want to continue y n n y QoS config cleared Console enable Note Reverting to defaul...

Page 284: ...948G Catalyst 2980G Switches Software Configuration Guide Release 8 1 78 15486 01 Chapter 14 Configuring QoS Configuring QoS on the Switch This example shows how to disable QoS Console enable set qos disable QoS is disabled Console enable ...

Page 285: ...RP page 15 9 Configuring Multicast Router Ports and Group Entries page 15 15 Filtering IGMP Traffic page 15 17 Understanding How Multicasting Works The following sections describe how multicasting works on the Catalyst enterprise LAN switches Understanding Multicasting and Multicast Services Operation CGMP IGMP snooping and GMRP manage multicast traffic in switches by allowing directed switching o...

Page 286: ...ackboneFast and Loop Guard Joining a Multicast Group When a host wants to join an IP multicast group it sends an IGMP join message specifying its MAC address and the IP multicast group it wants to join The CGMP IGMP capable router then builds a CGMP IGMP join message and multicasts the join message to the well known address to which the switches listen Upon receipt of the join message each switch ...

Page 287: ...h allows it to support the multicast traffic of any Layer 3 protocol such as IP IPX and so forth GMRP software components run on both the switch and on the host Cisco is not a source for GMRP host software On the host GMRP is typically used with IGMP the host GMRP software generates Layer 2 GMRP versions of the host s Layer 3 IGMP control packets The switch receives both the Layer 2 GMRP and the L...

Page 288: ...on the switch perform this task in privileged mode This example shows how to enable CGMP and verify the configuration Console enable set cgmp enable CGMP support for IP multicast enabled Console enable show cgmp statistics 1 CGMP enabled CGMP statistics for vlan 1 valid rx pkts received 211915 invalid rx pkts received 0 valid cgmp joins received 211729 valid cgmp leaves received 186 valid igmp lea...

Page 289: ...leave CGMP enabled CGMP leave enabled CGMP FastLeave disabled Console enable Enabling CGMP Fast Leave Processing To enable CGMP fast leave processing on the switch perform this task in privileged mode This example shows how to enable CGMP fast leave processing and verify the configuration Console enable set cgmp fastleave enable CGMP fastleave processing enabled Console enable Console enable show ...

Page 290: ...example shows how to display information on all multicast router ports the asterisk next to the multicast router on port 3 1 indicates that the entry was configured manually Console enable show multicast router CGMP enabled IGMP disabled Port Vlan 2 1 99 2 2 255 3 1 1 Total Number of Entries 4 Configured Console enable This example shows how to display only those multicast router ports that were l...

Page 291: ...ask This example shows how to display CGMP statistics Console enable show cgmp statistics CGMP enabled CGMP statistics for vlan 1 valid rx pkts received 211915 invalid rx pkts received 0 valid cgmp joins received 211729 valid cgmp leaves received 186 valid igmp leaves received 0 valid igmp queries received 3122 igmp gs queries transmitted 0 igmp leaves transmitted 0 failures to add GDA to EARL 0 t...

Page 292: ...CGMP Fast Leave Processing To disable CGMP fast leave processing on the switch perform this task in privileged mode This example shows how to disable CGMP fast leave processing Console enable set cgmp fastleave disable CGMP FastLeave processing disabled Console enable Disabling CGMP To disable CGMP on the switch perform this task in privileged mode This example shows how to disable CGMP Console en...

Page 293: ...lly on the switch perform this task in privileged mode This example shows how to enable GMRP globally and verify the configuration Console enable set gmrp enable GMRP enabled Console enable show gmrp configuration Global GMRP Configuration GMRP Feature is currently enabled on this switch GMRP Timers milliseconds Join 200 Leave 600 LeaveAll 10000 Table 15 2 GMRP Default Configuration Feature Defaul...

Page 294: ...le enable show gmrp configuration Global GMRP Configuration GMRP Feature is currently enabled on this switch GMRP Timers milliseconds Join 200 Leave 600 LeaveAll 10000 Port based GMRP Configuration Port GMRP Status Registration ForwardAll 1 1 2 3 1 6 1 9 6 12 6 15 48 Enabled Normal Disabled 6 10 11 6 13 14 Disabled Normal Disabled Console enable Disabling GMRP on Individual Switch Ports Note You c...

Page 295: ...warded to the port We recommend enabling this option on any port that is connected to a router Forward all can also forward all registered multicast traffic to a port with a network analyzer or probe attached To forward a copy of all GMRP multicast packets that are registered on the switch to a port perform this task in privileged mode This example shows how to enable the GMRP forward all option o...

Page 296: ...he port but the port ignores any subsequent registrations or deregistrations on other ports A port in fixed registration mode continues to register multicast groups that are specific to the port You must return the port to normal registration mode to deregister multicast groups on the port To configure GMRP fixed registration on a port perform this task in privileged mode This example shows how to...

Page 297: ...P Registration is set forbidden on port 2 10 Console enable show gmrp configuration Global GMRP Configuration GMRP Feature is currently enabled on this switch GMRP Timers milliseconds Join 200 Leave 600 LeaveAll 10000 Port based GMRP Configuration GMRP Status Registration ForwardAll Port s Enabled Normal Disabled 1 1 4 2 1 9 2 11 48 3 1 24 5 1 Enabled Forbidden Disabled 2 10 Console enable Setting...

Page 298: ...cted devices If the GARP timers are set differently on the Layer 2 connected devices GARP applications for example GMRP and GVRP will not operate successfully To adjust the GARP timer values perform this task in privileged mode This example shows how to set GARP timers and verify the configuration Console enable set garp timer leaveall 12000 GMRP GARP leaveAll timer value is set to 12000 milliseco...

Page 299: ...nable Clearing GMRP Statistics To clear all GMRP statistics on the switch perform this task in privileged mode This example shows how to clear the GMRP statistics for all VLANs Console enable clear gmrp statistics all Console enable Disabling GMRP To disable GMRP globally on the switch perform this task in privileged mode This example shows how to disable GMRP globally Console enable set gmrp disa...

Page 300: ...enable Configuring Multicast Groups To configure a multicast group manually perform this task in privileged mode This example shows how to configure multicast groups manually and verify the configuration the asterisks indicate that the entry was manually configured Console enable set cam static 01 00 11 22 33 44 2 6 12 Static multicast entry added to CAM table Console enable set cam static 01 11 2...

Page 301: ...disable manually configured multicast group entries perform this task in privileged mode This example shows how to disable a multicast group entry from the CAM table Console enable clear cam 01 11 22 33 44 55 1 CAM entry cleared Console enable Filtering IGMP Traffic Internet Group Management Protocol IGMP filtering allows an administrator to configure IP multicast group profiles consisting of one ...

Page 302: ...ffic using MPEG encoding In access switches filters specify which video channels multicast addresses are allowed to be received by every customer In ETTH a typical access switch has two high speed uplink ports The other ports are user ports each connected to a different end subscriber who has a box that generates IGMP report and leave messages You can define which channels IP multicast addresses t...

Page 303: ...ble Console enable This example shows how to verify the enable configuration status of IGMP multicast filtering on the switch Console enable show igmp filter igmp filter is enabled Console enable Disabling and Verifying IGMP Multicast Filtering To disable IGMP traffic filtering on the switch perform this task in privileged mode This example shows how to disable IGMP multicast filtering Console ena...

Page 304: ...r profile perform this task in privileged mode This example shows how to add the multicast IP address 226 1 1 1 to IGMP multicast filter profile 1 Console enable set igmp filter profile 1 226 1 1 1 Successfully add ip s to profile Console enable This example shows how to list an IP address for profile 1 when the IGMP multicast filter match action is denied Console enable show igmp filter profile 1...

Page 305: ...y Console enable This example shows how to verify the status of an IGMP multicast filter profile to deny IP addresses Console enable show igmp filter profile 1 match action igmp filter match action is denied Console enable Removing an IGMP Multicast Filter Profile To remove a multicast address from an IGMP multicast filter profile or to remove the filter profile perform this task in privileged mod...

Page 306: ... to remove all IGMP multicast filter profiles Console enable clear igmp filter all Successfully remove all the profile s Console enable This example shows how to verify that all IGMP multicast filter profiles were deleted Console enable show igmp filter all Console enable Assigning and Displaying Port Filter Associations To assign and display IGMP multicast filter associations to a port or port li...

Page 307: ...ll ports Console enable show igmp filter map all Port Profile 2 1 1 2 2 2 3 2 4 2 5 2 6 2 7 2 8 2 9 2 10 2 11 2 12 2 13 2 14 2 15 2 16 2 46 2 47 2 48 Console enable Removing IGMP Multicast Port Filter Associations To remove the association of IGMP multicast filters with ports perform this task in privileged mode Note The filter is not removed when the association is removed This example shows how ...

Page 308: ...15 24 Catalyst 4500 Series Catalyst 2948G Catalyst 2980G Switches Software Configuration Guide Release 8 1 78 15486 01 Chapter 15 Configuring Multicast Services Filtering IGMP Traffic ...

Page 309: ...ort when the MAC address of the station attempting to access the port is different from any of the MAC addresses that are specified for that port Alternatively you can use port security to filter traffic that is destined to or received from a specific host that is based on the host MAC address Allowing Traffic Based on the Host MAC Address The total number of MAC addresses that can be specified pe...

Page 310: ...to remain enabled during a security violation and drop only packets that are coming in from insecure hosts Note If you configure a secure port in restrictive mode and a station is connected to the port whose MAC address is already configured as a secure MAC address on another port on the switch the port in restrictive mode shuts down instead of restricting traffic from that station For example if ...

Page 311: ...cribe how to configure port security Enabling Port Security Port security is either autoconfigured or enabled manually by specifying a MAC address If a MAC address is not specified the source address from the incoming traffic is autoconfigured and secured up to the maximum number of MAC addresses allowed These autoconfigured MAC Addresses remain secured for a time depending upon the aging timer se...

Page 312: ...90 2b 03 34 08 as the secure mac address Trunking disabled for Port 2 1 due to Security Mode Console enable Setting the Maximum Number of Secure MAC Addresses You can set the number of MAC addresses to secure on a port By default at least one MAC address per port can be secured In addition to this default a global resource of up to 1024 MAC addresses is available to be shared by the ports This mea...

Page 313: ... secure addresses To set the age time on a port perform this task in privileged mode Console enable set port security 4 7 age 600 Secure address age time set to 600 minutes for port 4 7 Console enable Clearing MAC Addresses Enter the clear port security command to clear MAC addresses from a list of secure addresses on a port Note If you enter the clear command on a MAC address that is in use the n...

Page 314: ...ation Console enable set port security 4 1 unicast flood disable Port 4 1 security flood mode set to disable Console enable show port security 4 1 Port Security Violation Shutdown Time Age Time Max Addr Trap IfIndex 4 1 disabled shutdown 0 0 1 disabled 50 Port Num Addr Secure Src Addr Age Left Last Src Addr Shutdown Time Left 4 1 0 Port Flooding on Address Limit 4 1 Disabled Console enable show po...

Page 315: ...tored in memory between notifications To set the interval time between notifications and verify the configuration perform this task in privileged mode If the set cam notification interval is set to 0 the switch will send notification immediately If the notifications are sent immediately they will have an impact on the performance of the switch You can generate SNMP traps whenever a MAC address cha...

Page 316: ... log size 300 MAC addresses added 3 MAC addresses removed 5 MAC addresses added overflowed 0 MAC addresses removed overflowed 0 MAC address SNMP traps generated 0 Console enable set snmp trap enable macnotification SNMP MAC notification trap enabled Console enable Setting the Security Violation Action You can set a port to the following two modes to handle a security violation Shutdown Shuts down ...

Page 317: ...00 minutes on port 4 7 Console enable set port security 4 7 shutdown 600 Secure address shutdown time set to 600 minutes for port 4 7 Console enable Disabling Port Security To disable port security perform this task in privileged mode This example shows how to disable security on a port Console enable set port security 2 1 disable Port 2 1 port security disabled Console enable show port security 2...

Page 318: ...enable This example shows how to display the static CAM entries Console show cam static VLAN Dest MAC Route Des CoS Destination Ports or VCs Protocol Type 3 04 04 05 06 07 08 FILTER Console enable Monitoring Port Security You can view the following port security information List of secure MAC addresses for a port Maximum number of secure addresses that are allowed on a port Total number of secure ...

Page 319: ...ics 3 24 Port Total Addrs Maximum Addrs 3 24 4 10 Console enable Port Total Addrs Maximum Addrs 3 24 1 10 Console enable This example shows how to display port security statistics on a module Console enable show port security statistics 3 Port Total Addrs Maximum Addrs 3 1 0 1 3 2 0 1 3 3 0 1 3 4 0 1 3 5 0 1 3 6 0 1 Module 3 Total ports 6 Total secure ports 0 Total MAC addresses 6 Total global add...

Page 320: ...st 2980G Switches Software Configuration Guide Release 8 1 78 15486 01 Chapter 16 Configuring Port Security Monitoring Port Security Total ports 48 Total MAC address es 48 Total global address space used out of 1024 0 Status installed Console enable ...

Page 321: ...anding How Unicast Flood Blocking Works You can enable unicast flood blocking on any Ethernet port on a per port basis Unicast flood blocking allows you to drop unicast flood packets on an Ethernet port that has only one host that is connected to the port All Ethernet ports on a switch are configured to allow unicast flooding With unicast flood blocking you can drop unicast flood packets before th...

Page 322: ...l You cannot configure a port channel on a unicast flood blocking port Unicast flood blocking and GARP VLAN Registration Protocol GVRP are mutually exclusive You cannot configure the port to block unicast flood packets and exchange VLAN configuration information with GVRP switches at the same time Configuring Unicast Flood Blocking on the Switch These sections describe how to configure unicast flo...

Page 323: ...onfigure unicast flood blocking perform this task in privileged mode This example shows how to disable unicast flood blocking on a port Console enable set port unicast flood 4 1 enable Unicast Flooding is successfully enabled on the port 4 1 Console enable Displaying Unicast Flood Blocking To display unicast flood blocking information perform this task in privileged mode This example shows how to ...

Page 324: ...Catalyst 4500 Series Catalyst 2948G Catalyst 2980G Switches Software Configuration Guide Release 8 1 78 15486 01 Chapter 17 Configuring Unicast Flood Blocking Configuring Unicast Flood Blocking on the Switch ...

Page 325: ...response the request times out If you want to log unauthorized access attempts to the console or a syslog server you must change the logging severity level for IP as described in the Enabling the IP Permit List section on page 18 3 If you want to generate SNMP traps when unauthorized access attempts are made you must enable IP permit list ippermit SNMP traps as described in the Enabling the IP Per...

Page 326: ...it list perform this task in privileged mode Note You can use the set security acl command to set permit lists more efficiently This example shows how to add IP addresses to IP permit list and verify the configuration Console enable set ip permit 172 16 0 0 255 255 0 0 telnet 172 16 0 0 with mask 255 255 0 0 added to Telnet permit list Console enable set ip permit 172 20 52 32 255 255 0 0 snmp 172...

Page 327: ...pped by the switch that you are configuring We recommend that you disable the IP permit list before clearing IP permit entries or host addresses To enable the IP permit list on the switch perform this task in privileged mode This example shows how to enable the IP permit list and verify the configuration Console enable set ip permit enable Telnet Snmp and Ssh permit list enabled Console enable set...

Page 328: ...ble Disabling the IP Permit List To disable the IP permit list on the switch perform this task in privileged mode This example shows how to disable the IP permit list Console enable set ip permit disable IP permit list disabled Console enable Clearing an IP Permit List Entry You can clear an IP address from the SNMP permit list SSH permit list the Telnet permit list or all lists If you do not spec...

Page 329: ...2 100 101 102 172 100 101 102 cleared from IP permit list Console enable clear ip permit 172 160 161 0 255 255 192 0 snmp 172 160 128 0 with mask 255 255 192 0 cleared from snmp permit list Console enable clear ip permit 172 100 101 102 telnet 172 100 101 102 cleared from telnet permit list Console enable clear ip permit all IP permit list cleared Console enable Task Command Step 1 Disable the IP ...

Page 330: ...8 6 Catalyst 4500 Series Catalyst 2948G Catalyst 2980G Switches Software Configuration Guide Release 8 1 78 15486 01 Chapter 18 Configuring the IP Permit List Configuring the IP Permit List on the Switch ...

Page 331: ...is in addition to the filtering that is provided by port VLAN membership Protocol filtering identifies ports on a protocol basis A port can be a member of one or more of the protocol groups Flood traffic for each protocol group is forwarded out a port only if that port belongs to the appropriate protocol group Layer 2 protocols such as Spanning Tree Protocol STP and Cisco Discovery Protocol CDP ar...

Page 332: ...there is a directly connected end station that is connected to the port The default port configuration for IPX and Group is auto Packets are classified into these protocol groups IP ip IPX ipx AppleTalk and DECnet group Packets not belonging to any of these protocols Default Protocol Filtering Configuration Table 19 1 shows the default protocol filtering configuration Configuring Protocol Filterin...

Page 333: ...able set port protocol 3 1 4 ipx off IPX protocol disabled on ports 3 1 4 Console enable set port protocol 3 1 4 group auto Group protocol set to auto mode on ports 3 1 4 Console enable show port protocol 3 1 4 Port Vlan IP IP Hosts IPX IPX Hosts Group Group Hosts 3 1 4 on 1 off 0 auto off 0 3 2 5 on 1 off 0 auto on 1 3 3 2 on 1 off 0 auto off 0 3 4 4 on 1 off 0 auto on 1 Console enable Disabling ...

Page 334: ...9 4 Catalyst 4500 Series Catalyst 2948G Catalyst 2980G Switches Software Configuration Guide Release 8 1 78 15486 01 Chapter 19 Configuring Protocol Filtering Configuring Protocol Filtering on the Switch ...

Page 335: ...g Telnet page 20 6 Changing the Login Timer page 20 6 Using Secure Shell Encryption for Telnet Sessions page 20 7 Monitoring User Sessions page 20 8 Using Ping page 20 9 Using Layer 2 Traceroute page 20 11 Using IP Traceroute page 20 12 Checking Module Status The Catalyst enterprise LAN switches are multimodule systems You can see what modules are installed as well as the MAC address ranges and ve...

Page 336: ...ailed information on the switch ports using the show port command To display summary information on all of the ports on the switch enter the show port command with no arguments Specify a particular module number to see information on the ports on that module only Enter both the module number and the port number to see detailed information about the specified port The Catalyst 4912G 2948G and 2980G...

Page 337: ... not channel 3 3 connected off not channel 3 4 connected off not channel 3 5 notconnect off not channel 3 6 notconnect off not channel Port Align Err FCS Err Xmit Err Rcv Err UnderSize 3 1 0 0 0 0 3 2 0 0 0 0 3 3 0 0 0 0 3 4 0 0 0 0 3 5 0 0 0 0 3 6 0 0 0 0 Port Single Col Multi Coll Late Coll Excess Col Carri Sen Runts Giants 3 1 0 0 0 0 0 0 0 3 2 0 0 0 0 0 0 0 3 3 0 0 0 0 0 0 0 3 4 0 0 0 0 0 0 0 ...

Page 338: ... Address In addition to displaying the MAC address range for a module using the show module command you can display the MAC address of a specific port in the switch using the show port mac address command To display the MAC address for a specific port perform this task in privileged mode This example shows you how to display the MAC address of a specific port Console show port mac address 4 1 Port...

Page 339: ...ynamic Fast start yes QOS scheduling rx none tx 2q1t CoS rewrite no ToS rewrite no Rewrite no UDLD yes Inline power no AuxiliaryVlan 1 1000 untagged none SPAN source destination Model WS X4148 Port 2 2 Type 10 100BaseTX Speed auto 10 100 Duplex half full Trunk encap type 802 1Q Trunk mode on off desirable auto nonegotiate Channel 2 1 48 Flow control no Security yes Membership static dynamic Fast s...

Page 340: ...me cases the default gateway for the switch For information about setting the IP address and default gateway see Chapter 3 Configuring the Switch IP Address and Default Gateway To open a Telnet session to another device on the network from the switch perform this task in privileged mode This example shows how to open a Telnet session from the switch to the remote host labsparc Console enable telne...

Page 341: ... SSH feature provides security for Telnet sessions to the switch SSH is supported for remote logins to the switch only Telnet sessions that are initiated from the switch cannot be encrypted To use this feature you must install the application on the client accessing the switch and you must configure SSH the switch The current implementation of SSH supports version 1 both the data encryption standa...

Page 342: ...ple shows the output of the show users command when TACACS authentication is enabled for console and Telnet sessions Console enable show users Session User Location console sam telnet jake jake mac bigcorp com telnet tim tim nt bigcorp com telnet suzy suzy pc bigcorp com Console enable This example shows how to display information about user sessions using the noalias keyword to display the IP add...

Page 343: ...e mode In normal executive mode the ping command supports the s parameter which allows you to specify the packet size and packet count In privileged executive mode the ping command allows you to specify the packet size packet count and the wait time Table 20 1 lists the default values that apply to the ping s command Ping will return one of the following responses Normal response The normal respon...

Page 344: ..._seq 3 time 2 ms 808 bytes from 12 20 2 3 icmp_seq 4 time 2 ms 808 bytes from 12 20 2 3 icmp_seq 5 time 2 ms 808 bytes from 12 20 2 3 icmp_seq 6 time 2 ms 808 bytes from 12 20 2 3 icmp_seq 7 time 2 ms 808 bytes from 12 20 2 3 icmp_seq 8 time 2 ms 808 bytes from 12 20 2 3 icmp_seq 9 time 3 ms 17 20 2 3 PING Statistics 10 packets transmitted 10 packets received 0 packet loss round trip ms min avg ma...

Page 345: ...er all of the switches in the path including the source and destination must be reachable from the switch All switches in the path must be reachable from each other You can trace a Layer 2 path by specifying the source and destination IP addresses or IP aliases or the MAC addresses If the source and destination belong to multiple VLANs and you specify MAC addresses you can also specify a VLAN The ...

Page 346: ...ate specific return messages Traceroute starts by sending a User Datagram Protocol UDP datagram to the destination host with the TTL field set to 1 If a router finds a TTL value of 1 or 0 it drops the datagram and sends back an Internet Control Message Protocol ICMP time exceeded message to the sender The traceroute facility determines the address of the first hop by examining the source address f...

Page 347: ...eroute to 10 1 1 100 10 1 1 100 30 hops max 40 byte packets 1 10 1 1 1 10 1 1 1 1 ms 2 ms 1 ms 2 10 1 1 100 10 1 1 100 2 ms 2 ms 2 ms Console enable This example shows how to perform a traceroute with six queries to each hop with packets of 1400 bytes each Console enable traceroute q 6 10 1 1 100 1400 traceroute to 10 1 1 100 10 1 1 100 30 hops max 1440 byte packets 1 10 1 1 1 10 1 1 1 2 ms 2 ms 2...

Page 348: ...20 14 Catalyst 4500 Series Catalyst 2948G Catalyst 2980G Switches Software Configuration Guide Release 8 1 78 15486 01 Chapter 20 Checking Status and Connectivity Using IP Traceroute ...

Page 349: ...col that runs on all Cisco manufactured equipment including routers bridges access and communication servers and switches Using CDP you can view information about all the Cisco devices that are directly attached to the switch In addition CDP detects native VLAN and port duplex mismatches Network management applications can retrieve the device type and SNMP agent address of neighboring Cisco device...

Page 350: ...Console enable show cdp CDP enabled Message Interval 60 Hold Time 180 Console enable This example shows how to disable CDP globally and verify the configuration Console enable set cdp disable CDP disabled globally Console enable show cdp CDP disabled Message Interval 60 Hold Time 180 Console enable Setting the CDP Enable State on a Port You can enable or disable CDP on a per port basis You must en...

Page 351: ...abled 3 3 disabled 3 4 disabled 3 5 disabled 3 6 disabled 3 7 enabled 3 8 enabled 3 9 enabled 3 10 enabled 3 11 enabled 3 12 enabled Console enable This example shows how to enable CDP on ports 3 1 2 and verify the configuration Console enable set cdp enable 3 1 2 CDP enabled on ports 3 1 2 Console enable show cdp port 3 CDP enabled Message Interval 60 Hold Time 180 Port CDP Status 3 1 enabled 3 2...

Page 352: ... 180 Console enable Setting the CDP Holdtime The CDP holdtime specifies how much time can pass between CDP messages from neighboring devices before the device is no longer considered connected and the neighbor entry is aged out To set the default CDP holdtime perform this task in privileged mode This example shows how to set the default CDP holdtime to 225 seconds and verify the configuration Cons...

Page 353: ...form 2 3 JAB023807H1 2948 2 2 WS C2948 3 1 JAB023806JR 4003 2 1 WS C4003 3 2 JAB023806JR 4003 2 2 WS C4003 3 5 JAB023806JR 4003 2 5 WS C4003 3 6 JAB023806JR 4003 2 6 WS C4003 Console enable This example shows how to display the native VLAN for each port that is connected on the neighboring device there is a native VLAN mismatch between port 3 6 on the local switch and port 2 6 on the neighbor devi...

Page 354: ...0G Switches Software Configuration Guide Release 8 1 78 15486 01 Chapter 21 Configuring CDP Configuring CDP on the Switch Platform WS C2948 Port ID Port on Neighbors s Device 2 2 VTP Management Domain Lab_Network Native VLAN 522 Duplex full Console enable ...

Page 355: ... utility allows you to collect and analyze data for each physical port on a switch The Switch TopN Reports utility collects the following data for each physical port Port utilization util Number of in and out bytes bytes Number of in and out packets pkts Number of in and out broadcast packets bcst Number of in and out multicast packets mcst Number of in errors in errors Number of buffer overflow e...

Page 356: ...specify the background option processing begins and the system prompt reappears immediately When processing completes Switch TopN reports do not display immediately on the screen but are saved for later viewing The system notifies you when the Switch TopN reports are complete by sending a syslog message to the screen Enter the show top report report_num command to view the completed Switch TopN re...

Page 357: ...ws how to run the Switch TopN Reports utility with the background option Console enable show top 5 pkts background Console enable 06 16 1998 17 21 08 MGMT 5 TopN report 4 started by Console Console enable 06 16 1998 17 21 39 MGMT 5 TopN report 4 available Console enable show top report 4 Start Time 06 16 1998 17 21 08 End Time 06 16 1998 17 21 39 PortType all Metric pkts Tx Rx Port Band Uti Bytes ...

Page 358: ...r Over width Tx Rx Tx Rx Tx Rx Tx Rx Rx flow 1 1 100 0 7880 83 0 83 0 0 2 12 100 0 0 0 0 0 0 0 2 11 100 0 0 0 0 0 0 0 2 10 100 0 0 0 0 0 0 0 2 9 100 0 0 0 0 0 0 0 Console enable show top report Rpt Start time Int N Metric Status Owner type machine user 1 06 16 1998 17 05 00 30 20 Util done telnet 172 16 52 3 2 06 16 1998 17 05 59 30 5 Util done telnet 172 16 52 3 3 06 16 1998 17 08 06 30 5 Pkts do...

Page 359: ...h TopN report and how to remove all stored reports Console enable clear top 4 Console enable 06 16 1998 17 36 45 MGMT 5 TopN report 4 killed by Console Console enable clear top all 06 16 1998 17 36 52 MGMT 5 TopN report 1 killed by Console 06 16 1998 17 36 52 MGMT 5 TopN report 2 killed by Console Console enable 06 16 1998 17 36 52 MGMT 5 TopN report 3 killed by Console 06 16 1998 17 36 52 MGMT 5 ...

Page 360: ...22 6 Catalyst 4500 Series Catalyst 2948G Catalyst 2980G Switches Software Configuration Guide Release 8 1 78 15486 01 Chapter 22 Using Switch TopN Reports Running and Viewing Switch TopN Reports ...

Page 361: ...ree topology loops UDLD is a Layer 2 protocol that works with Layer 1 mechanisms such as autonegotiation to determine the physical status of a link At Layer 1 autonegotiation handles physical signaling and fault detection UDLD also performs tasks that autonegotiation cannot perform such as detecting the identities of neighbors and shutting down misconnected ports When both autonegotiation and UDLD...

Page 362: ...sage interval between UDLD messages Previously the message interval was fixed at 60 seconds With a configurable message interval UDLD reacts much faster to link failures Figure 23 1 shows an example of a unidirectional link condition Switch B successfully receives traffic from Switch A on the port However Switch A does not receive traffic from Switch B on the same port UDLD detects the problem and...

Page 363: ...ly You must enable UDLD globally before any port can use UDLD To enable UDLD globally on the switch perform this task in privileged mode This example shows how to enable UDLD globally and verify the configuration Console enable set udld enable UDLD enabled globally Console enable show udld UDLD enabled Console enable Table 23 1 UDLD Default Configuration Feature Default Value UDLD global enable st...

Page 364: ...Ports To disable UDLD on individual ports perform this task in privileged mode This example shows how to disable UDLD on port 4 1 Console enable set udld disable 4 1 UDLD disabled on port 4 1 Console enable Disabling UDLD Globally To disable UDLD globally on the switch perform this task in privileged mode This example shows how to disable UDLD globally Console enable set udld disable UDLD disabled...

Page 365: ...nto errdisable state To prevent spanning tree loops normal UDLD with a 15 second message interval is fast enough to shut down a unidirectional link before a blocking port transitions to forwarding state when default spanning tree parameters are used Enabling UDLD aggressive mode provides additional benefits in the following cases One side of a link has a port stuck both Tx and Rx One side of a lin...

Page 366: ...seconds Console enable To display UDLD configuration for a module or port perform this task in privileged mode This example shows how to display the UDLD configuration for ports on module 4 Console enable show udld port 4 UDLD enabled Message Interval 10 seconds Port Admin Status Aggressive Mode Link State 4 1 enabled disabled bidirectional 4 2 enabled disabled bidirectional 4 3 enabled disabled u...

Page 367: ...us is enabled or disabled Aggressive Mode Status of whether aggressive mode is enabled or disabled Link State Status of the link undetermined detection in progress neighboring UDLD has been disabled not applicable UDLD has been disabled shutdown unidirectional link has been detected and the port is disabled or bidirectional bidirectional link has been detected and the port is disabled Table 23 2 s...

Page 368: ...23 8 Catalyst 4500 Series Catalyst 2948G Catalyst 2980G Switches Software Configuration Guide Release 8 1 78 15486 01 Chapter 23 Configuring UDLD Configuring UDLD on the Switch ...

Page 369: ...talyst 2948G and Catalyst 2980G Switches Command Reference This chapter consists of these sections SNMP Terminology page 24 1 Understanding How SNMP Works page 24 3 Understanding How SNMPv1 and SNMPv2c Work page 24 5 SNMPv1 and SNMPv2c Default Configuration page 24 6 Configuring SNMPv1 and SNMPv2c from an NMS page 24 6 Configuring SNMPv1 and SNMPv2c from the CLI page 24 6 Understanding SNMPv3 page...

Page 370: ...from an unauthorized user by scrambling the contents of an SNMP packet group A set of users belonging to a particular security model A group defines the access rights for all the users belonging to it Access rights define the SNMP objects that can be read written to or created In addition the group defines the notifications that a user is allowed to receive notification host An SNMP entity to whic...

Page 371: ...d security See the Understanding SNMPv3 section on page 24 11 for more information on SNMPv3 SNMP Version 2c SNMPv2c This second version of SNMP supports centralized and distributed network management strategies and includes improvements in the Structure of Management Information SMI protocol operations management architecture and security SNMP engine A copy of SNMP that can reside on the local or...

Page 372: ...curity model and security level for its users SNMP ifindex Persistence Feature The SNMP ifIndex persistence feature is always enabled With the ifIndex persistence feature the ifIndex value of the port and VLAN is always retained and used after the following occurrences Switch reboot High availability switchover Software upgrade Module reset Module removal and insertion of the same type of module F...

Page 373: ...ested by the NMS SNMP trap This function is used to notify an NMS that a significant event has occurred at an agent When a trap condition occurs the SNMP agent sends an SNMP trap message to any NMS that is specified as a trap receiver under the following conditions When a port or module goes up or down When temperature limitations are exceeded When there are spanning tree topology changes When the...

Page 374: ...ports up to 20 trap receivers through the RMON2 trap destination table Configure the RMON2 trap destination table from the NMS Configuring SNMPv1 and SNMPv2c from the CLI Note This section provides basic SNMPv1 and SNMPv2c configuration information For detailed information on the SNMP commands supported by the Catalyst enterprise LAN switches refer to the Catalyst 4500 Series Catalyst 2948G and Ca...

Page 375: ...N Extended RMON module is not present Traps Enabled Port Module Chassis Bridge Repeater Vtp Auth ippermit Vmps config entity stpx Port Traps Enabled 1 1 2 4 1 48 5 1 Community Access Community String read only Everyone read write Administrators read write all Root Trap Rec Address Trap Rec Community 172 16 10 10 read write 172 16 10 20 read write all Console enable Note To disable access for an SN...

Page 376: ...nmp community ext public1 read only Community string public1 is created with access type as read only Console enable This example shows how to restrict the community string to an access number Console enable set snmp community ext private1 read write access 2 Community string private1 is created with access type as read write access number 2 Console enable This example shows how to change the acce...

Page 377: ...ifying Access Numbers for Hosts You can specify a list of access numbers that are associated with one or more hosts to limit which hosts can use a specific community string to access the system You can specify more than one IP address that is associated with an access number by separating each IP address with a space If the new IP address uses an existing access number the switch addes the new IP ...

Page 378: ... IP addresses that are associated with access numbers from the CLI perform this task in privileged mode These examples show how to clear IP addresses that are associated with access numbers Console enable clear snmp access list 101 All IP addresses associated with access number 101 have been cleared Console enable Console enable clear snmp access list 2 172 20 60 8 Access number 2 no longer associ...

Page 379: ...3 are as follows Message integrity Ensuring that a packet has not been tampered with in transit Authentication Determining that the message is from a valid source Encryption Scrambling contents of packet to prevent it from being seen by an unauthorized source Benefits of SNMPv3 SNMPv3 provides the following benefits for managing your network SNMP devices can collect data securely without being tam...

Page 380: ...repares them for transmission by wrapping them in a message header and returning them to the Dispatcher The Message Processing Subsystem also accepts incoming messages from the Dispatcher processes each message header and returns the enclosed PDU to the Dispatcher An implementation of the Message Processing Subsystem may support a single message format corresponding to a single version of SNMP SNM...

Page 381: ...y an unauthorized SNMP entity An unauthorized user trying to masquerade as an authorized user Anyone modifying the message stream Anyone eavesdropping The USM currently defines the use of HMAC MD5 96 and HMAC SHA 96 as the possible authentication protocols and CBC DES as the privacy protocol SNMPv1 and SNMPv2c security models provide only weak authentication community names and no privacy Access C...

Page 382: ...security model in different security levels set snmp access hex groupname security model v3 noauthentication authentication privacy read hex readview write hex writeview notify hex notifyview context hex contextname exact prefix volatile nonvolatile Step 4 Specify the target addresses for notifications set snmp notify hex notifyname tag hex notifytag trap inform volatile nonvolatile Step 5 Set the...

Page 383: ... Snmp targetaddr name was set to router_2 with param p2 ipAddr 172 20 30 1 udpport 162 timeout 1500 retries 3 storageType nonvolatile These examples show how to set SNMP target parameters Console enable set snmp targetparams p1 user guestuser1 security model v3 message processing v3 authentication Snmp target params was set to p1 v3 authentication message processing v3 user guestuser1 nonvolatile ...

Page 384: ...OF_MIB_VIEW_EXCEPTION This example shows how to verify the SNMPv2c setup for public access from a workstation workstation getnext v2c 10 6 4 201 public snmpEngineID snmpEngineID 0 00 00 00 09 00 10 7b f2 82 00 00 00 This example shows how to increase guestgroup s access right to read privileges for snmpEngineMibView Console enable set snmp view snmpEngineMibView 1 3 6 1 6 3 10 2 1 included Snmp vi...

Page 385: ...vacy password privacypasswd2 REPORT received cannot recover usmStatsUnsupportedSecLevels 0 1 Using CiscoWorks2000 CiscoWorks2000 is a family of web based and management platform independent products for managing Cisco enterprise networks and devices CiscoWorks2000 includes Resource Manager Essentials and CWSI Campus which allow you to deploy configure monitor manage and troubleshoot a switched int...

Page 386: ...24 18 Catalyst 4500 Series Catalyst 2948G Catalyst 2980G Switches Software Configuration Guide Release 8 1 78 15486 01 Chapter 24 Configuring SNMP Using CiscoWorks2000 ...

Page 387: ...ides embedded support for these components of the RMON specification see the Supported RMON and RMON2 MIB Objects section on page 25 2 for details The following RMON groups are defined in RFC 1757 Statistics RMON group 1 for Ethernet Fast Ethernet Fast EtherChannel and Gigabit Ethernet switch ports uses 140 bytes of supervisor engine module RAM per port History RMON group 2 for Ethernet Fast Ether...

Page 388: ...1 2 4 1 48 5 1 Community Access Community String read only Everyone read write Administrators read write all Root Trap Rec Address Trap Rec Community 172 16 10 10 read write 172 16 10 20 read write all Console enable Viewing RMON Data Access to RMON data is available only on an NMS that supports RFC 1757 and RFC 1513 see the Using CiscoWorks2000 section on page 24 17 You cannot access RMON data th...

Page 389: ... 1 mib 2 1 rmon 16 history 2 etherHistoryTable 2 Periodically samples and saves statistics group counters for later retrieval RFC 1757 RFC 1757 Supervisor engine mib 2 1 rmon 16 alarm 3 A threshold set on critical RMON variables for network management RFC 1757 Supervisor engine mib 2 1 rmon 16 event 9 Generates SNMP traps when an Alarms group threshold is exceeded and logs the events RFC 1757 Supe...

Page 390: ...25 4 Catalyst 4500 Series Catalyst 2948G Catalyst 2980G Switches Software Configuration Guide Release 8 1 78 15486 01 Chapter 25 Configuring RMON Supported RMON and RMON2 MIB Objects ...

Page 391: ...g How SPAN and RSPAN Work The following sections describe the concepts and terminology that are associated with SPAN and RSPAN configuration SPAN Session A SPAN session is an association of a destination port with a set of source ports configured with parameters that specify the monitored network traffic You can configure multiple SPAN sessions in a switched network SPAN sessions do not interfere ...

Page 392: ...s monitored for network traffic analysis The traffic through the source ports can be categorized as ingress egress or both You can monitor one or more source ports in a single SPAN session with user specified traffic types ingress egress or both that are applicable for all the source ports You can configure source ports in any VLAN You can configure VLANs as source ports src_vlans which means that...

Page 393: ...ctor ports Gigabit uplink ports on the WS 4013 Supervisor II Gigabit uplink ports on the 2980G A Gigabit ports on the WS 4232 L3 module The SPAN line in the output of the show port capabilities command indicates whether a port can be used as a reflector port Ingress SPAN Ingress SPAN copies network traffic that is received by the source ports for analysis at the destination port Egress SPAN Egress...

Page 394: ... in the selected list of filter VLANs SPAN includes only the ports that belong to one or more of the selected VLANs in the operational sources When a VLAN is cleared it is removed from the VLAN filter list A SPAN session is disabled if the VLAN filter list becomes empty Trunk VLAN filtering is not applicable to VSPAN sessions Trunk VLAN filtering is available for local SPAN sessions and RSPAN sess...

Page 395: ...eived on the SPAN destination port using the learning disable keywords If you want the switch to learn source MAC addresses from traffic that is received on the SPAN destination port enter the learning enable keywords By default the switch learns source MAC addresses from incoming traffic learning enable if the inpkts option is enabled The source MAC address learning options only affect traffic th...

Page 396: ...rwrote Port 3 6 to monitor transmit receive traffic of Port 2 4 Incoming Packets disabled Learning enabled Console enable show span Destination Port 3 6 Admin Source Port 2 4 Oper Source None Direction transmit receive Incoming Packets disabled Learning enabled Filter Status active Total local span sessions 1 Console enable This example shows how to set VLAN 522 as the SPAN source and port 2 1 as ...

Page 397: ...rce and port 2 5 as the SPAN destination Console enable set span 3 1 2 3 Overwrote Port 2 3 to monitor transmit receive traffic of Port 3 1 Incoming Packets disabled Learning enabled Console enable set span 3 2 2 5 tx create Created Port 2 5 to monitor transmit traffic of Port 3 2 Incoming Packets disabled Learning enabled Console enable show span Destination Port 2 3 Admin Source Port 3 1 Oper So...

Page 398: ...g RSPAN The following sections describe how to configure RSPAN RSPAN Software and Hardware Requirements You must have software release 6 3 1 or a later release to use the RSPAN functionality on the Catalyst 4500 series switches or to use a Catalyst 4500 series switch as an intermediate switch in an RSPAN session RSPAN supervisor engine requirements are as follows For source switches Any Catalyst 4...

Page 399: ...fic see Figure 26 2 The traffic type for sources ingress egress or both in an RSPAN session can be different for source switches but must be the same for all source ports on a given switch Do not configure any ports in an RSPAN VLAN except those selected to carry RSPAN traffic Learning is disabled on the RSPAN VLAN Figure 26 2 Flow of RSPAN Monitored Traffic RSPAN Configuration Guidelines This sec...

Page 400: ...hat the special properties of RSPAN VLANs are supported in all the switches to avoid unwanted traffic in these VLANs Incoming traffic on the RSPAN destination port is disabled by default You can enable it using the inpkts enable keywords However while the port receives traffic for its assigned VLAN it does not participate in spanning tree for that VLAN To avoid creating spanning tree loops with in...

Page 401: ...et rspan source 2 3 500 reflector 2 34 rx Rspan Type Source Destination Reflector Port 2 34 Rspan Vlan 500 Admin Source Port 2 3 Oper Source Port 2 3 Direction receive Incoming Packets Learning Filter Status active Console enable 2001 May 02 13 22 17 SYS 5 SPAN_CFGSTATECHG remote span source session active for remote span vlan 500 This example shows how to specify port 2 3 as a source port for RSP...

Page 402: ...f the RSPAN destination port is connected to another device and reception of incoming packets is enabled using the inpkts enable keywords the RSPAN destination port receives traffic for the VLAN to which the RSPAN destination port belongs However the RSPAN destination port does not participate in spanning tree for that VLAN so avoid creating network loops with the RSPAN destination port This examp...

Page 403: ...te span Console enable This example shows how to disable one source session by rspan_vlan number Console enable set rspan disable source 903 Disabled monitoring of all source s on the switch for rspan_vlan 903 Console enable This example shows how to disable all enabled destination sessions on the switch Console enable set rspan disable destination all This command will disable all remote span des...

Page 404: ...ch C or Switch D Figure 26 3 Single RSPAN Session Modifying an Active RSPAN Session This example shows how to modify an active RSPAN session Use Figure 26 3 for reference see Table 26 2 for the necessary commands to disable an RSPAN session and to add or remove source ports from an RSPAN session Table 26 1 Configuring a Single RSPAN Session Switch Ports Reflector Port RSPAN VLAN Direction RSPAN CL...

Page 405: ...ing probes would be placed in the data center and B source Remove source port 3 2 from RSPAN session set rspan source 3 1 3 3 901 reflector 3 4 B source Add source port 3 2 to RSPAN session set rspan source 3 1 3 901 reflector 3 4 Table 26 2 Making Modifications to an Active RSPAN Session continued Switch Action RSPAN CLI Commands Table 26 3 Adding RSPAN Source Ports in Intermediate Switch Switch ...

Page 406: ...re 26 5 Configuring Multiple RSPAN Sessions Adding Multiple Network Analyzers to an RSPAN Session You can attach multiple network analyzers probes to the same RSPAN session For example in Figure 26 6 you can add probe 3 in Switch B to monitor RSPAN VLAN 901 using the set rspan destination 1 2 901 command Similarly you could add source ports to Switch C Table 26 4 Configuring Multiple RSPAN Session...

Page 407: ...4 3 4 4 Switch A 3 1 3 2 3 3 1 2 1 1 Switch C Switch F Switch D Switch E Switch B Probe 2 Probe 1 Destination switch data center Intermediate switch es distribution Source switch es access 58637 T1 T2 T6 T3 T5 T4 Probe 3 Table 26 5 Disabling the RSPAN Sessions Switch Port Reflector Port RSPAN VLAN s Direction RSPAN CLI Commands A source 2 1 2 2 3 901 Ingress set rspan disable source 901 B source 3...

Page 408: ...26 18 Catalyst 4500 Series Catalyst 2948G Catalyst 2980G Switches Software Configuration Guide Release 8 1 78 15486 01 Chapter 26 Configuring SPAN and RSPAN Configuring RSPAN ...

Page 409: ...sing Command Aliases page 27 6 Defining and Using IP Aliases page 27 7 Configuring Permanent and Static ARP Entries page 27 8 Configuring Static Routes page 27 9 Scheduling a System Reset page 27 10 Generating System Status Reports for Tech Support page 27 12 Setting the System Name and System Prompt The system name on the switch is a user configurable string that identifies the device The default...

Page 410: ...otocol SNMP When you configure a route using the set ip route command When you clear the system name using the set system name command When you enable DNS or specify DNS servers If you configured the system name no DNS lookup is performed Configuring the System Name and Prompt The following sections describe how to configure the system name and prompt Setting the System Name To set the system name...

Page 411: ... and location perform this task in privileged mode This example shows how to set the system contact to sysadmin corp com and location to Sunnyvale CA Console enable set system contact sysadmin corp com System contact set Console enable set system location Sunnyvale CA System location set This example shows how to verify the configuration Console enable show system PS1 Status PS2 Status PS3 Status ...

Page 412: ... and time Console enable set time Fri 06 15 01 12 30 00 Fri Jun 15 2001 12 30 00 Console enable show time Fri Jun 15 2001 12 30 02 Console enable Creating a Login Banner You can create a single or multiline message of the day MOTD banner that appears on the screen when someone logs in to the switch The first character following the motd keyword is used to delimit the beginning and end of the banne...

Page 413: ...motd MOTD banner cleared Console enable EnablingorDisablingthe CiscoSystemsConsole Telnet Login Banner By default the Cisco Systems Console Telnet login banner is enabled To enable or disable the Cisco Systems Console Telnet login banner perform this task in privileged mode This example shows how to enable the Cisco Systems Console Telnet login banner Console enable set banner telnet enable Cisco ...

Page 414: ...mmand alias The parameter argument is the text the user types at the command line to activate the command To define a command alias on the switch perform this task in privileged mode This example shows how to define two command aliases sm3 which executes the show module 3 1 command sp3 which executes the show port 3 command Console enable set alias sm3 show module 3 Command alias added Console ena...

Page 415: ...tatus Channel Admin Ch Mode Group Id 3 1 notconnect auto silent 29 0 Port Align Err FCS Err Xmit Err Rcv Err UnderSize 3 1 0 0 0 0 Port Single Col Multi Coll Late Coll Excess Col Carri Sen Runts Giants 3 1 0 0 0 0 0 0 0 Last Time Cleared Mon Jun 26 2000 08 53 49 Console enable Defining and Using IP Aliases You can use the set ip alias command to define aliases for IP addresses IP aliases can make ...

Page 416: ...so that it does not age out by configuring it as either static or permanent When you configure a static ARP entry using the set arp static command the entry is removed from the ARP cache after a system reset When you configure a permanent ARP by using the set arp permanent command the ARP entry is retained even after a system reset Because most hosts support dynamic resolution you usually do not n...

Page 417: ...e Configuring Static Routes Note For information on configuring a default gateway default route see the Configuring Default Gateways section on page 3 6 In some situations you might need to add a static routing table entry for one or more destination networks Static route entries consist of the destination IP network address the IP address of the next hop router and the metric hop count for the ro...

Page 418: ...2 20 52 120 172 20 52 124 0xfffffff8 U 1 sc0 default default 0xff000000 UH 0 sl0 Console enable Scheduling a System Reset You can use the reset at command to schedule a system to reset at a future time This feature allows you to upgrade software during business hours and schedule the system upgrade after business hours to avoid a major impact on users You can also use the schedule reset feature wh...

Page 419: ...0 08 18 Software upgrade to 6 3 1 Reset scheduled at 23 00 00 Sat Aug 18 2001 Reset reason Software upgrade to 6 3 1 Proceed with scheduled reset y n n y Reset mindown scheduled for 23 00 00 Sat Aug 18 2001 in 0 day 8 hours 39 minutes Console enable Scheduling a Reset Within a Specified Amount of Time You can schedule a reset within a specified time with the reset in command For instance if the cu...

Page 420: ...mmands Refer to the Catalyst 4500 Series Catalyst 2948G and Catalyst 2980G Switches Command Reference for these commands You can upload the report to a TFTP server and send it to the Cisco Technical Assistance Center TAC You can use keywords to limit the report such as for specific modules VLANs and ports If you do not specify any keywords a report for the entire system is generated To write and s...

Page 421: ...ks on the Catalyst 4500 Series Switches page 28 1 Understanding How Power Management Works on the Catalyst 4006 Switch page 28 6 Power Consumption for Modules page 28 9 Migrating a Supervisor Engine II from a Catalyst 4006 Switch to a Catalyst 4500 Series Switch page 28 10 Understanding How Inline Power Works page 28 11 Configuring Power Management page 28 14 Configuring Inline Power page 28 18 Un...

Page 422: ...ower management modes Redundant mode Uses one power supply as a primary power supply and the second power supply as a backup If the primary power supply fails the second power supply supports the switch without disrupting the network Both power supplies must have the same wattage A single power supply must have enough power to support the switch configuration By default the power supplies in the C...

Page 423: ...ate the chassis and inline power requirements when a system boots Modules are brought up first followed by powered devices See Table 28 1 on page 28 4 for a list of the maximum available power for chassis and inline power for each power supply Combined Mode Guidelines This section describes the guidelines for using combined mode in the Catalyst 4500 series switches The two power supplies must be t...

Page 424: ...pplies If you insert a single power supply into the switch and then set combined mode the switch displays this message Insufficient power supplies present for specified configuration Table 28 1 Available Power Power Supply Redundant Mode W Combined Mode W 1000 W AC Chassis1 1000 Inline 0 1 The chassis power includes power for the supervisor engine s all line cards and the fan tray Chassis 1667 Inl...

Page 425: ...is section describes the guidelines and restrictions for using a 1400 W DC power supply in the Catalyst 4500 series switches Caution Do not use the 1400 W DC power supply with any other power supply even for a hot swap or other short term emergency because you can seriously damage your switch The 1400 W DC power supply works with a variety of DC sources The DC input can vary from 300 W to 7500 W R...

Page 426: ...e might not support a fully loaded chassis If your switch has only two power supplies and is in 2 1 redundancy mode the default mode there is no redundancy You can create redundancy with only two power supplies by setting the power redundancy to operate in 1 1 redundancy mode one primary plus one redundant power supply However 1 1 redundancy does not support all configurations The modules for the ...

Page 427: ...tem considers it removed A single power supply provides 400 W or 650 W Two 400 W power supplies provide 750 W Two 650 W power supplies supply only 750 W this power supply cooling capacity restriction applies to the Catalyst 4006 switch When considering the 1 1 redundancy mode you must carefully plan the configuration of the module power usage of your chassis An incorrect configuration will disrupt...

Page 428: ...ble the timer starts again The switch may require several evaluation cycles to stabilize the system You can either remove the extra modules or change the power budget to 2 1 redundancy mode If you change to 2 1 redundancy mode each module in reset mode is brought up one at a time to an operational state If you use a 400 W power supply and a 650 W power supply in your switch the switch acts as if t...

Page 429: ... switch backplane 10 10 6 port 1000BASE X GBIC Gigabit Ethernet WS X4306 GB 35 30 32 port 10 100 Fast Ethernet RJ 45 WS X4232 RJ XX 50 35 Catalyst 4000 Access Gateway Module with IP FW IOS WS X4604 GWY 120 60 24 port 100BASE FX Fast Ethernet switching module WS X4124 FX MT 90 75 32 port 10 100 Fast Ethernet RJ 45 plus 2 port 1000BASE X GBIC Gigabit Ethernet WS 4232 GB RJ 55 35 48 port 100BASE FX F...

Page 430: ... that is added to a system ID extension The system ID extension which is the VLAN number can vary from 1 to 4094 If the switch is in VLAN 1 the new bridge ID priority will be 32 789 Because 32 769 is greater than 32 768 this switch cannot become the root switch The Catalyst 4006 switch is a root switch In this case the spanning tree topology may change If the other switches in the network are not ...

Page 431: ...red device and to disable the detection mechanism If your switch has a module that can provide inline power to end stations you can set each port on the module to detect and apply inline power automatically if the end station requires power Note For information on powering powered devices that are connected to other Catalyst switching modules refer to the Catalyst Family Inline Power Patch Panel I...

Page 432: ... is connected Each port has a status that is defined as one of the following on Power is supplied by the port off The power is not supplied by the port Power deny The supervisor engine does not have enough power to allocate to the port or the power that is configured for the port is less than the power that is required by the port The power is not being supplied by the port err disable The port ca...

Page 433: ...ic port by sending a message to the switching module The power for a port in Auto mode is then added back to the available system power Power for ports in Static mode is not added back to the available system power This situation occurs only when you power off the phone through the CLI or SNMP Phone Removal The switching module informs the supervisor engine if a powered phone is removed using a li...

Page 434: ...ndant mode on the Catalyst 4500 series switch perform this task in privileged mode Catalyst Switch Switching module discovers the powered device using proprietary discovery mechanism Third party powered device Switching module will not discover the powered device Supervisor engine will not know about powered device unless powered device has a separate source of power If you insert a Cisco legacy p...

Page 435: ...able Setting Combined Mode on the Catalyst 4500 Series Switches To set combined mode on the Catalyst 4500 series switch perform this task in privileged mode This example shows how to set the power management mode to combined mode Console enable set power bedget 2 Console enable show environment power Total Inline Power Available 1333 00 Watts 26 66 Amps 50V Total Inline Power Drawn From the System...

Page 436: ...pported To Module Watts Per Module Watts Per Port Watts 2 0 00 830 562 15 400 3 0 00 830 562 15 400 4 0 00 830 562 15 400 5 0 00 830 562 15 400 6 0 00 830 562 15 400 DC Power supplies are configured for 5000Watts DC input Power Budget is 1 supply Power Available to the System excluding voice power 1360 Watts 113 33 Amps 12V Power Drawn from the System excluding voice power 485 Watts 40 42 Amps 12V...

Page 437: ...1 Amps 51V Module Inline Power Allocated mA 1 0 2 0 3 0 Power Budget is 2 supplies Power Available to the System excluding voice power 750 Watts 62 06 Amps 12V Power Drawn from the System excluding voice power 265 Watts 22 01 Amps 12V Remaining Power excluding voice power 485 Watts 40 05 Amps 12V Console enable Displaying System Information To display information on the power supplies installed in...

Page 438: ...perform this task in privileged mode Task Command Step 1 Change the nondefault configuration mode to text and specify the configuration file to use at boot up set config mode text bootflash switch cfg Step 2 Save the current nondefault configuration to NVRAM write memory Step 3 Save the configuration on the Catalyst 4006 switch copy config flash Step 4 Remove the supervisor engine from the Catalys...

Page 439: ...800 mWatt Console enable Setting the Default Power Allocation for a Port By default the switch allocates 7 W to a port when it discovers a powered device on the port This number automatically adjusts downward to the amount the powered device actually requires when the switch receives a CDP packet from the powered device Normally this automatic method works very well and no further configuration is...

Page 440: ...orts Console show port inlinepower 6 1 Configured Default Inline Power allocation per port 15 400 Watts 0 36 Amps 42V Total inline power drawn by module 6 26 46 Watts 0 63 Amps 42V Port InlinePowered PowerAllocated Device IEEE class DiscoverMode Admin Oper Detected mWatt mA 42V 6 1 static on yes 5040 120 Cisco None cisco Port Maximum Power Actual Consumption absentCounter OverCurrent mWatt mA 42V ...

Page 441: ...ngine software release 6 1 1 or later releases Catalyst 4006 Catalyst 4500 series and Catalyst 6500 series switches running supervisor engine software release 8 1 or later releases for IEEE 802 3af compliance Cisco CallManager release 3 0 or later releases If you want to utilize inline power Table 29 1 lists the Catalyst 4500 series components that support inline power If you do not want to utiliz...

Page 442: ...hone Figure 29 1 IP Phone Connected to a Catalyst 4000 Family Switch When you connect an IP phone to a 10 100 port on the Catalyst 4500 series switch you can use the access port PC to phone jack of the IP phone to connect a PC Packets to and from the PC and to and from the phone share the same physical link to the switch and the same port of the switch Introducing IP based phones into existing swi...

Page 443: ...e power if necessary The Catalyst 4500 series switch can sense if it is connected to a Cisco IP Phone The Catalyst 4006 or Catalyst 4500 series switch can supply inline power to an IP Phone if there is no power on the circuit An IP Phone can also be connected to an AC power source in which case the phone provides the power to the voice circuit If there is power on the circuit the switch does not s...

Page 444: ...29 4 Catalyst 4500 Series Catalyst 2948G Catalyst 2980G Switches Software Configuration Guide Release 8 1 78 15486 01 Chapter 29 Configuring VoIP Configuring VoIP on a Switch ...

Page 445: ...d devices from connecting to a LAN through publicly accessible ports see Chapter 31 Configuring 802 1x Authentication Note For information on configuring ports to allow or restrict traffic based on host MAC addresses see Chapter 16 Configuring Port Security This chapter consists of these sections Understanding How Authentication Works page 30 1 Configuring Authentication page 30 8 Authentication E...

Page 446: ...t authentication enable attempt command to set login limits for accessing enable mode The configurable range is three default to ten tries Setting the limit to zero 0 disables login authentication All authentication methods RADIUS TACACS Kerberos or local are supported The lockout delay time is also configurable from the CLI and SNMP with the set authentication login lockout command You would use ...

Page 447: ...S Authentication Works TACACS is an enhanced version of TACACS which is a User Datagram Protocol UDP based access control protocol that is specified by RFC 1492 TACACS controls access to network devices by exchanging Network Access Server NAS information between a network device and a centralized database to determine the identity of a user or device TACACS uses TCP to ensure reliable delivery and...

Page 448: ...able all other authentication methods local authentication is reenabled automatically Understanding How RADIUS Authentication Works RADIUS is a client server authentication and authorization access protocol that is used by the NAS to authenticate users attempting to connect to a network device The NAS functions as a client passing user information to one or more RADIUS servers The NAS permits or d...

Page 449: ...guards against intruders who might pick up the encrypted tickets from the network Table 30 1 defines terms used in Kerberos Table 30 1 Kerberos Terminology Term Definition Kerberized Applications and services that have been modified to support the Kerberos credential infrastructure Kerberos credential General term referring to authentication tickets such as ticket granting tickets and service cred...

Page 450: ...request to the KDC This request contains the user s identity and a message saying that it wants to Telnet to the switch This request is encrypted using the TGT 4 When the KDC successfully decrypts the service credential request with the TGT that it issued to the client it builds a service to the switch The service credential has the client s identity and the identity of the desired Telnet server T...

Page 451: ...non Kerberized login When you launch a non Kerberized login the following process takes place 1 The switch prompts you for a username and password 2 The switch requests a TGT from the KDC so that you can be authenticated to the switch 3 The KDC sends an encrypted TGT to the switch which contains your identity KDC s identity and TGT s expiration time 4 The switch tries to decrypt the TGT with the p...

Page 452: ...fault Authentication Configuration Feature Default Login authentication console and Telnet Enabled Local authentication console and Telnet Enabled Local user authentication Disabled TACACS login authentication console and Telnet Disabled TACACS enable authentication console and Telnet Disabled TACACS key None specified TACACS login attempts 3 times TACACS server timeout 5 sec TACACS directed reque...

Page 453: ...hentication requests are sent to this server first You can specify a particular server as primary by using the primary keyword RADIUS and TACACS support one privileged mode only level 1 Kerberos authentication does not work if TACACS is also used as an authentication mechanism Before you can enable local user authentication you must define at least one username Local user accounts and passwords mu...

Page 454: ... disabled disabled radius disabled disabled disabled kerberos disabled disabled disabled local enabled primary enabled primary enabled primary attempt limit 5 5 lockout timeout sec 50 50 Enable Authentication Console Session Telnet Session Http Session tacacs disabled disabled disabled radius disabled disabled disabled kerberos disabled disabled disabled local enabled primary enabled primary enabl...

Page 455: ...on tacacs disabled disabled disabled radius disabled disabled disabled kerberos disabled disabled disabled local enabled primary enabled primary enabled primary attempt limit 5 5 lockout timeout sec 50 50 Enable Authentication Console Session Telnet Session Http Session tacacs disabled disabled disabled radius disabled disabled disabled kerberos disabled disabled disabled local enabled primary ena...

Page 456: ...able for console and telnet session Console enable set authentication enable local enable local enable authentication set to enable for console and telnet session Console enable show authentication Login Authentication Console Session Telnet Session tacacs disabled disabled radius disabled disabled kerberos disabled disabled local enabled primary enabled primary Enable Authentication Console Sessi...

Page 457: ...tting the Enable Password The enable password controls access to the privileged mode CLI Passwords are case sensitive contain up to 30 characters and use any printable ASCII characters including a space Note Passwords that are set in software release 5 3 and earlier releases remain non case sensitive You must reset the password after installing software release 5 4 or a later release to activate c...

Page 458: ...ation set to disable for console and telnet session Console enable show authentication Login Authentication Console Session Telnet Session tacacs disabled disabled radius enabled primary enabled primary kerberos disabled disabled local disabled disabled Enable Authentication Console Session Telnet Session tacacs disabled disabled radius enabled primary enabled primary kerberos disabled disabled lo...

Page 459: ...r your old password press Return Step 8 Enter and confirm your new password Configuring Local User Authentication The following sections describe how to configure local user authentication authentication on the switch Creating a Local User Account Local user accounts and passwords must be fewer than 65 characters in length and can consist of any alphanumeric characters Local user accounts must con...

Page 460: ...disabled disabled kerberos disabled disabled disabled local enabled primary enabled primary enabled primary attempt limit 3 3 lockout timeout sec disabled disabled Local User Authentication enabled Console enable Disabling Local User Authentication To disable local user authentication on the switch perform this task in privileged mode This example shows how to disable local user authentication for...

Page 461: ...tion for the switch and how to verify the configuration Console enable clear localuser number1 Console enable show localusers Username Privilege Level picard 15 Console enable Configuring TACACS Authentication The following sections describe how to configure TACACS authentication on the switch Specifying TACACS Servers Specify one or more TACACS servers before you enable TACACS authentication on t...

Page 462: ...al enabled primary enabled primary Enable Authentication Console Session Telnet Session tacacs disabled disabled radius disabled disabled local enabled primary enabled primary Tacacs key Tacacs login attempts 3 Tacacs timeout 5 seconds Tacacs direct request disabled Tacacs Server Status 172 20 52 3 172 20 52 2 primary 172 20 52 10 Console enable Enabling TACACS Authentication Note Specify at least...

Page 463: ...enabled enabled Console enable Specifying the TACACS Key Note If you configure a TACACS key on the client make sure that you configure an identical key on the TACACS server To specify the TACACS key perform this task in privileged mode This example shows how to specify the TACACS key and verify the configuration Console enable set tacacs key Secret_TACACS_key The tacacs key has been set to Secret_...

Page 464: ...cacs timeout 30 Tacacs timeout set to 30 seconds Console enable show tacacs Tacacs key Secret_TACACS_key Tacacs login attempts 3 Tacacs timeout 30 seconds Tacacs direct request disabled Tacacs Server Status 172 20 52 3 172 20 52 2 primary 172 20 52 10 Console enable Setting the TACACS Login Attempts You can set the number of failed login attempts that are allowed To set the number of login attempt...

Page 465: ...d request and verify the configuration Console enable set tacacs directedrequest enable Tacacs direct request has been enabled Console enable show tacacs Tacacs key Secret_TACACS_key Tacacs login attempts 5 Tacacs timeout 30 seconds Tacacs direct request enabled Tacacs Server Status 172 20 52 3 172 20 52 2 primary 172 20 52 10 Console enable Disabling TACACS Directed Request To disable TACACS dire...

Page 466: ...l All TACACS servers cleared Console enable Clearing the TACACS Key To clear the TACACS key perform this task in privileged mode This example shows how to clear the TACACS key Console enable clear tacacs key TACACS server key cleared Console enable Disabling TACACS Authentication If you disable TACACS authentication with both RADIUS and local authentication disabled local authentication is reenabl...

Page 467: ...ed local enabled primary enabled primary Console enable Configuring RADIUS Authentication The following sections describe how to configure RADIUS authentication on the switch Specifying RADIUS Servers To specify one or more RADIUS servers perform this task in privileged mode Task Command Step 1 Disable TACACS authentication for normal login mode Use the console or telnet keywords if you want to di...

Page 468: ... Note Specify at least one RADIUS server before enabling RADIUS authentication on the switch For information on specifying a RADIUS server see the Specifying RADIUS Servers section on page 30 23 You can enable RADIUS authentication for login and enable access to the switch If desired you can use the console and telnet keywords to specify that RADIUS authentication be used only on console or Telnet...

Page 469: ...le and telnet session Console enable set authentication enable radius enable radius enable authentication set to enable for console and telnet session Console enable show authentication Login Authentication Console Session Telnet Session tacacs disabled disabled radius enabled primary enabled primary local enabled enabled Enable Authentication Console Session Telnet Session tacacs disabled disable...

Page 470: ... the RADIUS server The default timeout is 5 seconds To set the RADIUS timeout interval perform this task in privileged mode This example shows how to set the RADIUS timeout interval and verify the configuration Console enable set radius timeout 10 Radius timeout set to 10 seconds Console enable show radius Login Authentication Console Session Telnet Session tacacs disabled disabled radius enabled ...

Page 471: ...radius enabled primary enabled primary local enabled enabled Radius Deadtime 0 minutes Radius Key Secret_RADIUS_key Radius Retransmit 4 Radius Timeout 10 seconds Radius Server Status Auth port 172 20 52 3 primary 1812 Console enable Setting the RADIUS Dead Time You can configure the switch so that when a RADIUS server does not respond to an authentication request the switch marks that server as de...

Page 472: ... Server Status Auth port 172 20 52 3 primary 1812 172 20 52 2 1812 Console enable Specifying Optional Attributes for RADIUS Servers You can specify optional attributes in the RADIUS ACCESS_REQUEST packet The set radius attribute command allows you to specify the transmission of certain optional attributes such as Framed IP address NAS Port Called Station Id Calling Station Id and so on You can set...

Page 473: ... req disable Transmission of Framed ip address in access request packet is disabled Console enable Clearing RADIUS Servers To clear one or more RADIUS servers perform this task in privileged mode This example shows how to clear a single RADIUS server from the configuration Console enable clear radius server 172 20 52 3 172 20 52 3 cleared from radius server table Console enable This example shows ...

Page 474: ...If you disable RADIUS authentication with both TACACS and local authentication disabled local authentication is reenabled automatically To disable RADIUS authentication perform this task in privileged mode This example shows how to disable RADIUS authentication Console enable set authentication login radius disable radius login authentication set to disable for console and telnet session Console e...

Page 475: ... In the following example a database called CISCO EDU is created usr local sbin kdb5_util create r CISCO EDU s Step 2 Add the switch to the database The following example adds a switch called Cat4012 to the CISCO EDU database ank host Cat4012 cisco edu CISCO EDU Step 3 Add the username as follows ank user1 CISCO EDU Step 4 Add the Administrative Principals as follows ank user1 admin CISCO EDU Step...

Page 476: ...ethod for the console and verify the configuration Console enable set authentication login kerberos enable console kerberos login authentication set to enable for console session Console enable show authentication Login Authentication Console Session Telnet Session tacacs disabled disabled radius disabled disabled kerberos enabled primary enabled primary local enabled enabled Enable Authentication...

Page 477: ...Specifying a Kerberos Server You can specify to the switch which KDC to use in a specific Kerberos realm Optionally you can also specify the port number of the port the KDC is monitoring The Kerberos server maintains information that you enter in a table with one entry for each Kerberos realm The maximum number of entries in the table is 100 To specify the Kerberos server perform this task in priv...

Page 478: ...VTAB files to the hosts in your Kerberos realm is to copy them onto physical media and then manually copy the files onto the system To copy SRVTAB files to a switch that does not have a physical media drive you must transfer them through the network by using the Trivial File Transfer Protocol TFTP When you copy the SRVTAB file from the switch to the KDC the switch parses the information in this fi...

Page 479: ...T Mandatory Kerberos Credentials Forwarding Enabled Kerberos Pre Authentication Method set to None Kerberos config key Kerberos SRVTAB Entries Srvtab Entry 1 host niners cisco com CISCO COM 0 932423923 1 1 8 03 5 00 50 0 0 0 Srvtab Entry 2 host niners cisco edu CISCO EDU 0 933974942 1 1 8 00 58 127 223 9 Console enable Deleting an SRVTAB Entry To delete an SRVTAB entry perform this task in privile...

Page 480: ...ros Kerberos Local Realm CISCO COM Kerberos server entries Realm CISCO COM Server 187 0 2 1 Port 750 Realm CISCO COM Server 187 20 2 1 Port 750 Kerberos Domain Realm entries Domain cisco com Realm CISCO COM Kerberos Clients NOT Mandatory Kerberos Credentials Forwarding Enabled Kerberos Pre Authentication Method set to None Kerberos config key Kerberos SRVTAB Entries Srvtab Entry 1 host aspen niner...

Page 481: ...ge Console enable clear kerberos clients mandatory Kerberos clients mandatory cleared Console enable show kerberos Kerberos Local Realm not configured Kerberos server entries Kerberos Domain Realm entries Kerberos Clients NOT Mandatory Kerberos Credentials Forwarding Disabled Kerberos Pre Authentication Method set to None Kerberos config key Kerberos SRVTAB Entries Console enable Kerberos server e...

Page 482: ... host aspen niners cisco edu CISCO EDU 0 933974942 1 1 8 12151 88 3 11 Console enable To clear the DES key perform this task in privileged mode This example shows how to clear the DES key Console enable clear key config key Kerberos config key cleared Console enable Encrypting a Telnet Session After a user authenticates to the switch using Kerberos and wants to Telnet to a different switch or host...

Page 483: ...CO COM Server 187 0 2 1 Port 750 Realm CISCO COM Server 187 20 2 1 Port 750 Kerberos Domain Realm entries Domain cisco com Realm CISCO COM Kerberos Clients NOT Mandatory Kerberos Credentials Forwarding Enabled Kerberos Pre Authentication Method set to None Kerberos config key Kerberos SRVTAB Entries Srvtab Entry 1 host niners cisco com CISCO COM 0 932423923 1 1 8 03 5 00 50 0 0 0 Srvtab Entry 2 ho...

Page 484: ...Figure 30 3 Example of a TACACS Network Topology This example shows how to configure the switch so that TACACS authentication is enabled for Telnet connections and local authentication is enabled for console connections In addition a TACACS encryption key is specified Console enable show tacacs Tacacs key Tacacs login attempts 3 Tacacs timeout 5 seconds Tacacs direct request disabled Tacacs Server...

Page 485: ...or for configuration enable mode commands only When a user enters a command the authorization server receives the command and user information and compares it against an access list If the user is authorized to enter that command the command is executed otherwise the command is not executed EXEC mode normal login When the authorization feature is enabled for EXEC mode the user must supply a valid ...

Page 486: ...authorization for configuration commands only the switch verifies that the argument string matches one of the commands listed above If there is no match the switch completes the command If there is a match the switch forwards the command to the NAS for authorization If you have enabled authorization for all commands the switch forwards the command to the NAS for authorization RADIUS Authorization ...

Page 487: ...ion and connection type when enabling authorization Configure RADIUS and TACACS servers before enabling authorization See the Specifying TACACS Servers section on page 30 17 or the Specifying RADIUS Servers section on page 30 23 for more information on server setup Configure RADIUS and TACACS keys to encrypt protocol packets before enabling authorization See the Specifying the TACACS Key section o...

Page 488: ...ccessfully enabled commands authorization Console enable This example shows how to verify the configuration Console enable show authorization Telnet Primary Fallback exec tacacs deny enable tacacs deny commands Task Command Step 1 Enable authorization for normal login mode Enter the console or telnet keywords if you want to enable authorization only for console port or Telnet connection attempts E...

Page 489: ...d enable authorization Console enable Task Command Step 1 Disable authorization for normal mode Enter the console or telnet keywords if you want to disable authorization only for console port or Telnet connection attempts Enter the both keyword to enable authorization for both console port and Telnet connection attempts set authorization exec disable console telnet both Step 2 Disable authorizatio...

Page 490: ... Telnet Primary Fallback exec tacacs deny enable tacacs deny commands config tacacs deny all tacacs deny Console Primary Fallback exec tacacs deny enable tacacs deny commands config tacacs deny all tacacs deny Console enable Authorization Example Figure 30 4 shows a simple example of network topology that uses TACACS In this example TACACS authorization is enabled for enable mode access to the swi...

Page 491: ...e enable set authorization enable enable tacacs deny both Successfully enabled enable authorization Console enable set authorization commands enable config tacacs deny both Successfully enabled commands authorization Console enable show authorization Telnet Primary Fallback exec tacacs deny enable tacacs deny commands config tacacs deny all Console Primary Fallback exec tacacs deny enable tacacs d...

Page 492: ...rd is created and sent to the NAS the system then deletes the record from memory The amount of memory that is used by the NAS for accounting varies depending on the number of concurrent accountable events Accounting Events You can configure accounting for the following types of events EXEC mode accounting Provides information about user EXEC sessions normal login sessions on the NAS This informati...

Page 493: ...nd traffic statistics However you might want redundancy and also to monitor both start and stop records of events occurring on the NAS Specifying RADIUS Servers To specify one or more RADIUS servers perform this task in privileged mode This example shows how to specify a RADIUS server and verify the configuration Console enable set radius server 172 20 52 3 172 20 52 3 with auth port 1812 added to...

Page 494: ...ame enable command Note RADIUS and TACACS accounting are the same except that RADIUS does not do command accounting periodic updates or allow null username suppression Configuring Accounting The following sections describe how to configure accounting for both TACACS and RADIUS Accounting Default Configuration Table 30 4 shows the default accounting configuration Accounting Configuration Guidelines...

Page 495: ...unting system enable stop only tacacs Accounting set to enable for system events in stop only mode Console enable Console enable set accounting commands enable all stop only tacacs Accounting set to enable for commands all events in stop only mode Console enable This example shows how to suppress accounting of unknown users Console enable set accounting suppress null username enable Accounting wil...

Page 496: ...24 User null Priv 0 Overall Accounting Traffic Starts Stops Active Exec 0 0 0 Connect 0 0 0 Command 0 0 0 System 1 0 0 Console enable Disabling Accounting To disable accounting on the switch perform this task in privileged mode This example shows how to disable stop only accounting Console enable set accounting connect disable Accounting set to disable for connect events Console enable Console ena...

Page 497: ...y the configuration Console enable show accounting Event Method Mode exec connect system commands config all TACACS Suppress for no username disabled Update Frequency new info Accounting information Active Accounted actions on tty0 User null Priv 0 Active Accounted actions on tty288091924 User null Priv 0 Overall Accounting Traffic Starts Stops Active Exec 0 0 0 Connect 0 0 0 Command 0 0 0 System ...

Page 498: ...e set accounting commands enable all stop only tacacs Accounting set to enable for commands all events in stop only mode Console enable set accounting update periodic 120 Accounting updates will be periodic at 120 minute intervals Console enable show accounting Event Method Mode exec tacacs stop only connect tacacs stop only system tacacs stop only commands config all tacacs stop only TACACS Suppr...

Page 499: ...rks page 31 1 Authentication Default Configuration page 31 7 Authentication Configuration Guidelines page 31 8 Configuring 802 1x Authentication on the Switch page 31 8 Understanding How 802 1x Authentication Works IEEE 802 1x is a client server based access control and authentication protocol that restricts unauthorized devices from connecting to a local area network LAN through publicly accessib...

Page 500: ...nsparent to the host In this release the Remote Authentication Dial In User Service RADIUS security system with Extensible Authentication Protocol EAP extensions is the only supported authentication server it is available in Cisco Secure Access Control Server version 3 0 RADIUS operates in a client server model in which secure authentication information is exchanged between the RADIUS server and o...

Page 501: ...e any EAPOL frames from the host are dropped If the host does not receive an EAP request identity frame after three attempts to start authentication the host transmits frames as if the port is in the authorized state A port that is in the authorized state means that the host has been successfully authenticated For more information see the Ports in Authorized and Unauthorized States section on page...

Page 502: ... The port transmits and receives normal traffic without 802 1x based authentication of the host This is the default setting force unauthorized Causes the port to remain in the unauthorized state ignoring all attempts by the host to authenticate The switch cannot provide authentication services to the host through the interface auto Enables 802 1x authentication and causes the port to begin in the ...

Page 503: ... to do so by the authentication server Authentication server Entity that provides the authentication service for the authenticator PAE It checks the credentials of the host PAE and then notifies its client the authenticator PAE whether the host PAE is authorized to access the LAN switch services Authorized state Status of the port after the host PAE is authorized Both Bidirectional flow control in...

Page 504: ... assignment from the RADIUS server The VLAN assignment feature allows you to restrict users to a specific VLAN For example you could put guest users in a VLAN with limited access to the network 802 1x authenticated ports are assigned to a VLAN based on the username of the host that is connected to the port The VLAN assignment feature works with the RADIUS server which has a database of username to...

Page 505: ...Type 802 81 Tunnel Private Group Id VLAN NAME Attribute 64 must contain the value VLAN type 13 Attribute 65 must contain the value 802 type 6 Attribute 81 specifies the VLAN name in which the successfully authenticated 802 1x host should be put Note You must specify the VLAN by its name and not by its number Authentication Default Configuration Table 31 2 shows the default configuration for authen...

Page 506: ...tination on an 802 1x port However you can configure an 802 1x port as a SPAN source port Configuring 802 1x Authentication on the Switch The following sections describe how to configure 802 1x authentication on the switch Enabling 802 1x Globally You must enable 802 1x authentication for the entire system before configuring it for individual ports After you globally enable 802 1x authentication y...

Page 507: ...cifying RADIUS Servers section on page 30 23 To enable and initialize 802 1x authentication for access to the switch perform this task in privileged mode This example shows how to enable 802 1x authentication on port 1 in module 4 initialize 802 1x authentication on the same port and verify the configuration Console enable set port dot1x 4 1 port control auto Port 4 1 dot1x port control is set to ...

Page 508: ...d 7200 dot1x re authperiod set to 7200 seconds Console enable set port dot1x 4 1 re authentication enable Port 4 1 re authentication enabled Console enable show port dot1x 4 1 Port Auth State BEnd State Port Control Port Status 4 1 connecting finished auto unauthorized Port Multiple Host Re authentication 4 1 disabled enabled Manually Reauthenticating the Host You can manually reauthenticate the h...

Page 509: ... You can disable multiple user access on any port where it is enabled To disable multiple user access on a specific port perform this task in privileged mode This example shows how to disable access for multiple hosts on port 1 on module 4 Console enable set port dot1x 4 1 multiple host disable Port 4 1 multiple hosts not allowed Setting the Quiet Period When the authenticator cannot authenticate ...

Page 510: ...s Console enable set dot1x tx period 15 dot1x tx period set to 15 seconds Setting the Supplicant to Host Retransmission Time for EAP Request Frames The host notifies the back end authenticator that it received the EAP request frame When the back end authenticator does not receive this notification the back end authenticator waits a set period of time and then retransmits the frame You may set the ...

Page 511: ...x server timeout 15 dot1x server timeout set to 15 seconds Setting the Back End Authenticator to Host Frame Retransmission Number The authentication server notifies the back end authenticator each time that it receives a specific number of frames When the back end authenticator does not receive this notification after sending the frames the back end authenticator waits a set period of time and the...

Page 512: ... retransmitted from the back end authenticator to the host perform this task in privileged mode This example shows how to set the number of retransmitted frames that are sent from the back end authenticator to the host to 4 console enable set dot1x max req 4 dot1x max req count set to 4 Console enable Setting the Back End Authenticator to Host Frame Retransmission Number The authentication server ...

Page 513: ... will disable dot1x on all ports and take dot1x parameter values back to factory defaults Do you want to continue y n n y Dot1x config cleared Console enable 2002 Sep 06 11 34 27 SECURITY 1 DOT1X_BACKEND_SERVER No Radiu s servers configured Setting the Trace Severity You can alter the trace severity for 802 1x authentication The number setting affects the number of trace messages that are displaye...

Page 514: ...in normal mode This example shows how to display the values for all the parameters that are associated with the authenticator PAE and back end authenticator on port 1 on module 4 Console enable show port dot1x 4 1 Port Auth State BEnd State Port Control Port Status 4 1 connecting finished auto unauthorized Port Multiple Host Re authentication 4 1 disabled enabled To display the statistics for the ...

Page 515: ...off Rx_Resp Id Rx_Resp 4 1 97 0 97 0 0 0 0 Port Rx_Invalid Rx_Len_Err Rx_Total Last_Rx_Frm_Ver Last_Rx_Frm_Src_Mac 4 1 0 0 0 0 00 00 00 00 00 00 To display the global 802 1x parameters perform this task in normal mode This example shows how to display the global 802 1x parameters Console enable show dot1x PAE Capability Authenticator Only Protocol Version 1 system auth control enabled re authentic...

Page 516: ... Catalyst 4500 Series Catalyst 2948G Catalyst 2980G Switches Software Configuration Guide Release 8 1 78 15486 01 Chapter 31 Configuring 802 1x Authentication Configuring 802 1x Authentication on the Switch ...

Page 517: ... Setting and Clearing the CONFIG_FILE Environment Variable page 32 7 Displaying the Switch Boot Configuration page 32 8 Understanding How the Switch Boot Configuration Works The following sections describe how the boot configuration works on the Catalyst 4500 series 2948G and 2980G switches Understanding the Boot Process The boot process involves two software images ROM monitor and supervisor engi...

Page 518: ...Configuration Register The configuration register determines whether the switch loads an operating system image and where the system image is stored The configuration register boot field determines if and how the ROM monitor loads a supervisor engine system image at startup You can modify the boot field to force the switch to boot a particular system image at startup instead of using the default s...

Page 519: ...clear the entire BOOT environment variable and then redefine the list in the desired order Understanding the CONFIG_FILE Environment Variable In software release 5 2 and later releases you can use the CONFIG_FILE environment variable to specify a list of configuration files on various devices to use to configure the switch at startup You can specify one of the following functions Nonrecurring When...

Page 520: ...d in the configuration register This command affects only the configuration register bits that control the boot field and leaves the remaining bits unaltered The following boot methods are supported ROM monitor Use the rommon keyword to keep the switch in ROM monitor mode at startup Bootflash Use the bootflash keyword to cause the switch to boot from the first image stored in the onboard Flash mem...

Page 521: ...re recurring or nonrecurring The remaining configuration register bits are unaltered Caution With the CONFIG_FILE environment variable set to recurring the current configuration in NVRAM is erased each time the switch is restarted and the switch is configured using the specified configuration files With the CONFIG_FILE environment variable set to non recurring the current configuration in NVRAM is...

Page 522: ... Console enable set boot config register ignore config enable Configuration register is 0x1860 ignore config enabled auto config recurring console baud 9600 boot the ROM monitor Console enable Setting the BOOT Environment Variable The next two sections describe how to modify the BOOT environment variable Setting the BOOT Environment Variable To add a system image to the BOOT environment variable p...

Page 523: ...ironment variable Note For more information about using configuration files see Chapter 35 Working with Configuration Files Setting the CONFIG_FILE Environment Variable You can specify multiple configuration files with the set boot auto config command by separating them with a semicolon You must specify both the device name and the filename for each configuration file Note You cannot prepend or ap...

Page 524: ...e CONFIG_FILE environment variable Console enable clear boot auto config CONFIG_FILE variable Console enable Displaying the Switch Boot Configuration To display the current configuration register BOOT environment variable and CONFIG_FILE environment variable settings perform this task in privileged mode This example shows how to display the current configuration register BOOT environment variable ...

Page 525: ...ages to the Switch Using TFTP page 33 1 Uploading System Software Images to a TFTP Server page 33 4 Downloading System Software Images to the Switch Using rcp page 33 5 Uploading System Software Images to an rcp Server page 33 8 Upgrading the ROM Monitor page 33 9 Software Image Naming Conventions The software images on the Catalyst 4500 series switches use the following naming conventions Softwar...

Page 526: ...et correctly Permissions on the file should be at least read for the specific username If you are not using a Telnet session with a valid username you can use the set rcp username command to specify a valid username Ensure that a power interruption or other problem does not occur during the download procedure this can corrupt the Flash code If the Flash code is corrupted you can connect to the swi...

Page 527: ...ngine Images Using TFTP section on page 33 2 This example shows a complete TFTP download procedure of a supervisor engine software image Console enable show version 1 Mod Port Model Serial Versions 1 0 WS X4012 JAB03130104 Hw 1 5 Gsp 6 1 1 4 Nmp 6 1 0 104 Console enable copy tftp flash IP address or name of remote host 172 20 52 3 Name of file to copy from cat4000 6 1 1 bin Flash device bootflash ...

Page 528: ...assed Boot image bootflash cat4000 6 1 1 bin Cisco Systems Console Enter password 07 21 2000 13 52 51 SYS 5 Module 1 is online 07 21 2000 13 53 11 SYS 5 Module 4 is online 07 21 2000 13 53 11 SYS 5 Module 5 is online 07 21 2000 13 53 14 PAGP 5 Port 1 1 joined bridge port 1 1 07 21 2000 13 53 14 PAGP 5 Port 1 2 joined bridge port 1 2 07 21 2000 13 53 40 SYS 5 Module 2 is online 07 21 2000 13 53 45 ...

Page 529: ...ions on the file are world write Uploading Software Images to a TFTP Server To upload a software image on a switch to a TFTP server for storage follow these steps Step 1 Log in to the switch through the console port or a Telnet session Step 2 Upload the software image to the TFTP server using the copy flash tftp command When prompted specify the TFTP server address and destination filename On plat...

Page 530: ...ent username create a new rcp username using the set rcp username command The new username will be stored in NVRAM If you are accessing the switch through a Telnet session with a valid username this username will be used and there is no need to set the rcp username A power interruption or other problem during the download procedure can corrupt the Flash code If the Flash code is corrupted you can ...

Page 531: ...tware image Console enable show version 1 Mod Port Model Serial Versions 1 2 WS X5530 007451586 Hw 1 3 Fw 3 1 2 Fw1 3 1 2 Sw 4 1 2 Console enable copy rcp flash IP address or name of remote host 172 20 52 3 Name of file to copy from cat4000 6 1 1 bin Flash device bootflash Name of file to copy to cat6000 6 1 1 bin 4369664 bytes available on device bootflash proceed y n n y CCCCCCCCCCCCCCCCCCCCCCCC...

Page 532: ...sed Boot image bootflash cat4000 6 1 1 bin Cisco Systems Console Enter password 07 21 2000 13 52 51 SYS 5 Module 1 is online 07 21 2000 13 53 11 SYS 5 Module 4 is online 07 21 2000 13 53 11 SYS 5 Module 5 is online 07 21 2000 13 53 14 PAGP 5 Port 1 1 joined bridge port 1 1 07 21 2000 13 53 14 PAGP 5 Port 1 2 joined bridge port 1 2 07 21 2000 13 53 40 SYS 5 Module 2 is online 07 21 2000 13 53 45 SY...

Page 533: ...nd When prompted specify the rcp server address and the destination filename On platforms that support the Flash file systems you are first prompted for the Flash device and source filename If desired you can use the copy file id rcp command on these platforms The software image is uploaded to the rcp server This example shows how to upload the supervisor engine software image to an rcp server Con...

Page 534: ... c 1995 2001 by Cisco Systems Inc NMP S W compiled on May 24 2001 21 12 09 GSP S W compiled on May 24 2001 18 39 50 System Bootstrap Version 6 1 2 Hardware Version 1 0 Model WS C4003 Serial xxxxxxxxx Console enable Step 3 Use the dir bootflash command to ensure that there is sufficient space in Flash memory to store the promupgrade image If there is insufficient space delete one or more images and...

Page 535: ...mupgrade image to the boot string Note Make sure that you use the prepend keyword with the set boot system flash command The switch always boots the first image in the boot string and you want the promupgrade image to boot first This example shows how to prepend the promupgrade image to the boot string Console enable set boot system flash bootflash cat4000 promupgrade 6 1 4 bin prepend BOOT variab...

Page 536: ...tes at offset 0x0 Done Beginning write of system prom 467456 bytes at offset 0x0 This could take as little as 10 seconds or up to 2 minutes Please DO NOT RESET Success System will reset in 2 seconds The switch reboots back into the supervisor engine software 0 00 530856 ig0 00 10 7b aa d3 fe is 172 20 59 203 0 00 531616 netmask 255 255 255 0 0 00 531967 broadcast 172 20 59 255 0 00 532342 gateway ...

Page 537: ...does not know which image to boot This example shows how to remove the promupgrade image cat 4000 promupgrade 6 1 4 bin from the boot sequence Notice that the response message shows the system image for software release 5 5 8 in the autoboot string Console enable clear boot system flash bootflash cat4000 promupgrade 6 1 4 bin BOOT variable bootflash cat4000 5 5 8 bin 1 Step 11 Enter del to delete ...

Page 538: ...33 14 Catalyst 4500 Series Catalyst 2948G Catalyst 2980G Switches Software Configuration Guide Release 8 1 78 15486 01 Chapter 33 Working with System Software Images Upgrading the ROM Monitor ...

Page 539: ...atalyst 4500 series 2948G and 2980G switches have one Flash device botflash Working With the Flash File System on the Switch The following sections describe how to work with the Flash file system Setting the Default Flash Device When you set the default Flash device for the system the default device is assumed when you enter a Flash file system command without specifying the Flash device To set th...

Page 540: ...ly to DRAM You will need to enter the write memory command to store the configuration in nonvolatile storage Note VLAN commands are not saved as part of the configuration file when the switch is operating in text mode with the VTP mode set to server To set the text file configuration mode perform this task in privileged mode This example shows how to configure the system to save its configuration ...

Page 541: ...t config cfg 3 D ffffffff 81a027ca 45220 15 7004 Apr 19 1998 10 05 59 4003_config cfg 1213952 bytes available 6388224 bytes used Console enable Displaying the Contents of a File on a Flash Device In software release 5 2 and later releases you can display the contents of a file on a Flash device onscreen Enter the dump keyword to display a hex dump of the file To display the contents of a file on a...

Page 542: ...35 bytes set ip dns server 172 16 10 70 primary 172 16 10 70 added to DNS server table as primary server set ip dns server 172 16 10 140 172 16 10 140 added to DNS server table as backup server set ip dns enable DNS is enabled set ip dns domain corp com Default DNS domain name set to corp com Console enable This example shows how to download a configuration file from a TFTP server for storage in b...

Page 543: ...g cfg tftp IP address or name of remote host 172 20 52 3 Name of file to copy to 4012_config cfg File has been copied successfully Console enable This example shows how to upload an image from a remote host into Flash memory using the copy rcp flash command Console enable copy rcp flash IP address or name of remote host 172 20 52 3 Name of file to copy from cat4000 6 1 1 bin Flash device bootflash...

Page 544: ...then undelete the desired file A file can be deleted and undeleted up to 15 times To restore deleted files on a Flash device perform this task in privileged mode This example shows how to restore a deleted file Console enable dir deleted ED type crc seek nlen length date time name 6 D ffffffff 42da7f71 657a00 14 135 Jul 17 1999 11 30 05 dns_config cfg 1213952 bytes available 3231989 bytes used Con...

Page 545: ...ecksum To verify the checksum of a file on a Flash device perform this task in privileged mode This example shows how to verify the checksum of a file Console enable verify cat4000 4 4 1 bin CCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCC CCCCCCCCCCCCCCC File bootflash cat4000 4 4 1 bin verified OK Console enable Task Command Verify the checksum of a file on a Flas...

Page 546: ...Catalyst 4500 Series Catalyst 2948G Catalyst 2980G Switches Software Configuration Guide Release 8 1 78 15486 01 Chapter 34 Working With the Flash File System Working With the Flash File System on the Switch ...

Page 547: ...ration files on the Flash file system see Chapter 34 Working With the Flash File System Creating and Using Configuration Files Guidelines Configuration files can help you configure your switch Configuration files can contain some or all the commands needed to configure one or more switches For example you might want to download the same configuration file to several switches that have the same har...

Page 548: ...num port_num Creating a Configuration File When creating a configuration file you must list commands in a logical way so that the system can respond appropriately To create a configuration file follow these steps Step 1 Download an existing configuration from a switch Step 2 Open the configuration file in a text editor such as vi or emacs on UNIX or Notepad on a PC Step 3 Extract the portion of th...

Page 549: ... cfg y n n y Finished network download 134 bytes set ip dns server 172 16 10 70 primary 172 16 10 70 added to DNS server table as primary server set ip dns server 172 16 10 140 172 16 10 140 added to DNS server table as backup server set ip dns enable DNS is enabled set ip dns domain corp com Default DNS domain name set to corp com Console enable Console enable Copying Configuration Files Using TF...

Page 550: ...iguration file to the appropriate TFTP directory on the workstation Step 2 Log in to the switch through the console port or a Telnet session Step 3 Configure the switch using the configuration file downloaded from the TFTP server using the copy tftp config or the configure network command Specify the IP address or host name of the TFTP server and the name of the file to download The configuration ...

Page 551: ...to a TFTP Server To upload a configuration file from a switch to a TFTP server for storage follow these steps Step 1 Log in to the switch through the console port or a Telnet session Step 2 Upload the switch configuration to the TFTP server using the copy config tftp or the write network command Specify the IP address or host name of the TFTP server and the destination filename The file is uploade...

Page 552: ... show users command to view the current valid username If you do not want to use the current username create a new rcp username using the set rcp username command The new username will be stored in NVRAM If you are accessing the switch through a Telnet session with a valid username this username will be used and there is no need to set the rcp username Configuring the Switch Using a File on an rcp...

Page 553: ...eck connectivity to the rcp server using the ping command If you are overwriting an existing file including an empty file if you had to create one ensure that the permissions on the file are set correctly Make sure that the permissions on the file are set to user write Uploading a Configuration File to an rcp Server To upload a configuration file from a switch to an rcp server for storage follow t...

Page 554: ...nsole enable To clear the configuration on an individual module perform this task in privileged mode Note If you remove a module and replace it with a module of another type for example if you remove a Fast Ethernet module and insert a Token Ring module the module configuration is inconsistent The output of the show module command indicates this problem To resolve the inconsistency clear the confi...

Page 555: ...nal traffic congestion The switch acceleration feature is supported on Catalyst 4006 switches with Supervisor Engine II and on the Catalyst 4000 family Backplane Channel Module The switch acceleration feature reduces internal traffic congestion by creating a full mesh connection between the switch engines SEs Supervisor Engine II has three switch engines that switch traffic to and from the modules...

Page 556: ...eshed interconnections exist between SEs there is dual link load balancing between SE1 and SE2 and between SE2 and SE3 Gigabit Ethernet uplink port connections This mode requires that the Backplane Channel Module is installed and that switch acceleration is not configured on the supervisor engine Option D Fully meshed interconnections and multi link load balancing exist between all SEs there are n...

Page 557: ... acceleration may impact performance for 1 2 seconds Do you want to continue y n n y Switch Acceleration on module 1 disabled Console enable Displaying Switch Acceleration Information To display switch acceleration status perform this task in privileged mode This example shows how to display the current status of the switch acceleration feature Console show switchacceleration 1 Module 1 has switch...

Page 558: ...e Gigabit Ethernet uplink connections As an alternative you can configure switch acceleration on the supervisor engine to get dual link load balancing between all three SEs Note If you want to keep the uplink connections do not enable switch acceleration on the supervisor engine You can insert or remove a Backplane Channel Module at any time When you remove the Backplane Channel Module traffic mig...

Page 559: ...he system message logging facility you can do the following Get logging information for monitoring and troubleshooting Select the types of captured logging information Select the destination of captured logging information By default the switch logs normal but significant system messages to its internal buffer and sends these messages to the system console You can specify which system messages sho...

Page 560: ...gic fddi Fiber Distributed Data Interface filesys Flash file system gvrp GARP VLAN Registration Protocol ip IP permit list kernel Kernel mgmt Management messages mcast Multicast messages pagp Port Aggregation Protocol protfilt Protocol filtering pruning VTP pruning qos Quality of Service radius RADIUS authentication rmon Remote Monitoring security Port security snmp Simple Network Management Proto...

Page 561: ... 01 42 SYS 5 MOD_OK Module 6 is online 1999 Apr 16 10 02 27 PAGP 5 PORTTOSTP Port 3 1 joined bridge port 3 1 1999 Apr 16 10 02 28 PAGP 5 PORTTOSTP Port 3 2 joined bridge port 3 2 Table 37 2 Definitions of System Message Log Severity Levels Severity Level Keyword Description 0 emergencies System unusable 1 alerts Immediate action required 2 critical Critical condition 3 errors Error conditions 4 wa...

Page 562: ...odule 3 is online 1999 Apr 16 10 01 42 SYS 5 MOD_OK Module 6 is online 1999 Apr 16 10 02 27 PAGP 5 PORTTOSTP Port 3 1 joined bridge port 3 1 1999 Apr 16 10 02 28 PAGP 5 PORTTOSTP Port 3 2 joined bridge port 3 2 Table 37 4 Definitions of System Message Log Severity Levels Severity Level Keyword Description 0 emergencies System unusable 1 alerts Immediate action required 2 critical Critical conditio...

Page 563: ...le logging to a Telnet session disconnect the session and later reconnect logging is enabled for the new session Note If you enter the set logging session command while connected through the console port the command has the same effect as entering the set logging console command However if you enter the set logging console command while connected through a Telnet session the default console loggin...

Page 564: ... This example shows how to set the logging severity level to 5 for all facilities for the current session only Console enable set logging level all 5 All system logging facilities for this session set to severity 5 notifications Console enable This example shows how to set the default logging severity level to 3 for the cdp facility Console enable set logging level cdp 3 default System logging fac...

Page 565: ...ber of syslog messages to messages with a severity level of notifications 5 Console enable set logging history severity 5 System logging history set to severity 5 Console enable Configuring the syslog Daemon on a UNIX syslog Server Before you can send system log messages to a UNIX syslog server you must configure the syslog daemon on a UNIX server To configure the syslog daemon follow these steps ...

Page 566: ...he UNIX server as described in the Configuring the syslog Daemon on a UNIX syslog Server section on page 37 7 To configure the switch to log messages to a syslog server perform this task in privileged mode This example shows how to specify a syslog server set the facility and severity levels and enable logging to the server Console enable set logging server 10 10 10 100 10 10 10 100 added to Syste...

Page 567: ...ging Configuration Enter the show logging command to display the current system message logging configuration Enter the noalias keyword to display the IP addresses instead of the host names of the configured syslog servers To display the current system message logging configuration perform this task This example shows how to display the current system message logging configuration Console enable s...

Page 568: ...ages in the switch logging buffer If you do not specify number_of_messages the default is to display the last 20 messages in the buffer To display the messages in the switch logging buffer perform one of these tasks This example shows how to display the first five messages in the buffer Console enable show logging buffer 5 1999 Apr 16 08 40 11 SYS 5 MOD_OK Module 1 is online 1999 Apr 16 08 40 14 S...

Page 569: ...on the Switch This example shows how to display the last five messages in the buffer Console enable show logging buffer 5 PAGP 5 PORTFROMSTP Port 3 1 left bridge port 3 1 SPANTREE 5 PORTDEL_SUCCESS 3 2 deleted from vlan 1 PAgP_Group_Rx PAGP 5 PORTFROMSTP Port 3 2 left bridge port 3 2 PAGP 5 PORTTOSTP Port 3 1 joined bridge port 3 1 2 PAGP 5 PORTTOSTP Port 3 2 joined bridge port 3 1 2 Console enabl...

Page 570: ...Catalyst 4500 Series Catalyst 2948G Catalyst 2980G Switches Software Configuration Guide Release 8 1 78 15486 01 Chapter 37 Configuring System Message Logging Configuring System Message Logging on the Switch ...

Page 571: ...orks DNS is a distributed database with which you can map host names to IP addresses through the DNS protocol from a DNS server When you configure DNS on the switch you can substitute the host name for the IP address with all IP commands such as ping telnet upload and download To use DNS you must have a DNS name server on your network You can specify a primary DNS name server on the switch as well...

Page 572: ...ver Console enable set ip dns server 10 2 24 54 primary 10 2 24 54 added to DNS server table as primary server Console enable set ip dns server 10 12 12 24 10 12 12 24 added to DNS server table as backup server Console enable set ip dns domain corp com Default DNS domain name set to corp com Console enable set ip dns enable DNS is enabled Console enable show ip dns DNS is currently enabled The def...

Page 573: ...NS Domain Name To clear the default DNS domain name perform this task in privileged mode This example shows how to clear the default DNS domain name Console enable clear ip dns domain Default DNS domain name cleared Console enable Disabling DNS To disable DNS perform this task in privileged mode This example shows how to disable DNS on the switch Console enable set ip dns disable DNS is disabled C...

Page 574: ...38 4 Catalyst 4500 Series Catalyst 2948G Catalyst 2980G Switches Software Configuration Guide Release 8 1 78 15486 01 Chapter 38 Configuring DNS Configuring DNS on the Switch ...

Page 575: ...versal Time UTC which is the same as Greenwich Mean Time An NTP network usually gets its time from an authoritative time source such as a radio clock or an atomic clock that is attached to a time server NTP distributes this time across the network NTP is extremely efficient no more than one packet per minute is necessary to synchronize two machines to within a millisecond of one another NTP uses a...

Page 576: ...rk from the public NTP servers available on the IP Internet If the network is isolated from the Internet Cisco s NTP implementation allows a machine to be configured so that it acts as though it is synchronized using NTP when it actually has determined the time using other methods Other machines synchronize to that machine using NTP Default NTP Configuration Table 39 1 shows the default NTP config...

Page 577: ...hours Summertime disabled Last NTP update Broadcast client mode enabled Broadcast delay 4000 microseconds Client mode disabled NTP Server Console enable Configuring NTP in Client Mode Configure the switch in NTP client mode if you want the client switch to regularly send time of day requests to an NTP server You can configure up to ten server addresses per client To configure the switch in NTP cli...

Page 578: ...Each authentication key is actually a pair of two keys A public key number A 32 bit integer that can range from 1 4 294 967 295 A secret key string An arbitrary string of 32 characters including all printable characters and spaces To authenticate the message the client authentication key must match the key on the server Therefore the authentication key must be securely distributed in advance the c...

Page 579: ...he switch to display the time in that time zone You must enable NTP before you set the time zone If NTP is not enabled this command has no effect If you enable NTP and do not specify a time zone UTC is shown by default To set the time zone perform this task in privileged mode This example shows how to set the time zone on the switch Console enable set timezone Pacific 8 Timezone set to Pacific off...

Page 580: ...disabled and set to start Sun Feb 13 2000 03 00 00 end Sat Aug 26 2000 14 00 00 Offset 30 minutes Recurring yes starting at 3 00am Sunday of the third week of February and ending 14 00pm Saturday of the fourth week of August Console enable To enable the daylight saving time clock adjustment to a nonrecurring specific date perform this task in privileged mode This example shows how to set the nonre...

Page 581: ...orm this task in privileged mode This example shows how to clear the time zone settings Console enable clear timezone Timezone name and offset cleared Console enable Clearing NTP Servers To clear an NTP server address from the NTP servers table on the switch perform this task in privileged mode This example shows how to clear an NTP server address from the NTP server table Console enable clear ntp...

Page 582: ...ble set ntp broadcastclient disable NTP Broadcast Client mode disabled Console enable To disable NTP client mode on the switch perform this task in privileged mode This example shows how to disable NTP client mode on the switch Console enable set ntp client disable NTP Client mode disabled Console enable Task Command Step 1 Disable NTP broadcast client mode set ntp broadcastclient disable Step 2 V...

Page 583: ... ADM add drop multiplexer AFI Authority and Format Identifier AMP active monitor present APaRT automated packet recognition translation ARP Address Resolution Protocol ASP ATM switch processor ATM Asynchronous Transfer Mode B BDPU bridge protocol data unit BRF Bridge Relay Function BUS broadcast and unknown server C CAM content addressable memory CAS column address strobe CBR constant bit rate ...

Page 584: ...tion D DCC Data Country Code DEC Digital Equipment Corporation DFI domain specific part format identifier DHCP Dynamic Host Configuration Protocol DISL dynamic inter switch link DMP data movement processor DNS Domain Name System DoD Department of Defense DRiP Dual Ring Protocol DSAP destination service access point DTP Dynamic Trunking Protocol DTR dedicated Token Ring data terminal ready E EARL E...

Page 585: ...ple Server Redundancy Protocol FTP foil twisted pair FTTH fiber to the home G GARP General Attribute Registration Protocol GBIC Gigabit Interface Converter GMRP GARP Multicast Registration Protocol GSP Gigabit Switch Platform GVRP GARP VLAN Registration Protocol H HDX half duplex I ICD International Code Designator ICMP Internet Control Message Protocol IDP Initial Domain Part IGMP Internet Group ...

Page 586: ...andardization K KDC key distribution center L LAN local area network LANE LAN Emulation LAT local area transport LCP Link Control Protocol LEC LAN Emulation Client LECS LAN Emulation Configuration Server LEM link error monitor LER link error rate LES LAN Emulation Server LLC logical link control M MAC Media Access Control MAP Manufacturing Automation Protocol MBS maximum burst size MCP Master Comm...

Page 587: ...lient MPOA multiprotocol over ATM MPS multiprotocol over ATM server MTU maximum transmission unit N NAUN nearest available upstream neighbor NBMA non broadcast multi access NBS non bused spare NDE NetFlow Data Export NFFC NetFlow Feature Card NFFC II Enhanced NetFlow Feature Card NFLS NetFlow LAN Switching NHC Next Hop Client NHRP Next Hop Resolution Protocol NHS Next Hop Server NMP Network Manage...

Page 588: ... module PCM pulse code modulation PCMCIA Personal Computer Memory Card International Association PCR peak cell rate PDU protocol data unit PHY physical sublayer PIM protocol independent multicast PLCP physical layer convergence procedure PLIM physical layer interface module PPP Point to Point Protocol PVC permanent virtual circuit or permanent virtual connection in ATM terminology Q QoS quality of...

Page 589: ...SAMBA synergy advanced multipurpose bus arbiter SAP service access point SAR segmentation and reassembly SCP Serial Control Protocol SCR sustainable cell rate SDP Session Description Protocol SE search engine SLIP Serial Line Internet Protocol SM single mode SMP standby monitor present SMT station management SNA Systems Network Architecture SNAP Subnetwork Access Protocol SNMP Simple Network Manag...

Page 590: ...tem Plus TCP IP Transmission Control Protocol Internet Protocol TFTP Trivial File Transfer Protocol TGT ticket granting ticket TIA Telecommunications Industry Association TLV type length value TOS type of service TrBRF Token Ring Bridge Relay Function TrCRF Token Ring Concentrator Relay Function TRT token rotation timer TTL time to live TTY teletype U UART universal asynchronous receiver transmitt...

Page 591: ...rtual circuit VCC virtual channel connection VCD Virtual Channel Descriptor VCI 1 virtual channel identifier 2 virtual connection identifier VCR Virtual Configuration Register VLAN virtual LAN VMPS VLAN Membership Policy Server VPI virtual path identifier VQP VLAN Query Protocol VTP VLAN Trunking Protocol W WRED weighted random early detect WRR Weighted Round Robin ...

Page 592: ...A 10 Catalyst 4500 Series Catalyst 2948G Catalyst 2980G Switches Software Configuration Guide Release 8 1 78 15486 01 Appendix A Acronyms ...

Page 593: ...ounting TACACS accounting adding multicast filter profiles 15 20 addresses See IP addresses MAC addresses Address Resolution Protocol See ARP administration switch 27 1 38 1 administrative groups EtherChannel 6 6 advertisements VTP 9 3 aliases See command aliases IP aliases aliases command 2 7 ARP configuring entries 27 8 assigning port filter associations 15 22 attempts limiting telnet 30 10 audi...

Page 594: ... 2948G switches overview table 1 2 Catalyst 2980G switches overview table 1 3 CDP default configuration 21 2 disabling globally 21 2 disabling on ports 21 2 displaying neighbor information 21 5 enabling globally 21 2 enabling on ports 21 2 overview 21 1 setting holdtime 21 4 setting message interval 21 4 CGMP clearing multicast groups 15 17 clearing multicast router ports 15 17 configuring multica...

Page 595: ...verview 24 5 CONFIG_FILE variable setting recurrence 32 5 configuration clearing the 35 8 configuration files creating 35 2 downloading via RCP 35 6 downloading via TFTP 35 4 guidelines 35 1 uploading preparation 35 5 35 7 uploading to RCP server 35 7 uploading to TFTP server 35 5 configuration guidelines TACACS accounting 30 50 configuration register default setting 32 4 ignoring NVRAM at boot 32...

Page 596: ...bling 38 3 enabling 38 2 overview 38 1 setting domain names 38 2 setting up 38 2 system name and 27 1 system prompt and 27 1 DNS servers clearing 38 3 specifying 38 2 documentation conventions xxvi organization xxiii related xxv domain names clearing 38 3 setting 38 2 Domain Name System See DNS downloading configuration files 35 4 35 6 software images 33 2 33 6 drop thresholds CoS mapping 14 6 tra...

Page 597: ...erChannel Ethernet autonegotiation 4 5 checking connectivity 4 8 default configuration 4 2 overview 4 1 setting port duplex 4 5 setting port name 4 3 setting port priority 4 4 setting port speed 4 4 See also protocol filtering examples conventions xxvi extended range VLANs See VLANs F Fast EtherChannel example 6 12 overview 6 2 See also EtherChannel Gigabit EtherChannel Fast Ethernet autonegotiati...

Page 598: ...orward all option 15 11 disabling globally 15 15 disabling per port 15 10 enabling forward all option 15 11 enabling globally 15 9 enabling per port 15 10 overview 15 3 registration 15 12 to 15 13 setting timers 15 13 software requirements 15 9 viewing statistics 15 14 group profiles IGMP multicast 15 17 GVRP clearing statistics 13 8 configuring registration 13 4 disabling 13 8 enabling 13 2 regis...

Page 599: ...t list 18 2 automatic assignment 3 2 CIDR 27 9 clearing from IP permit list 18 4 creating aliases 27 7 default gateway 3 6 designating 2 8 DHCP and 3 9 me1 interface and 3 6 RARP and 3 9 sc0 interface and 3 5 sl0 interface and 3 9 static routes 27 9 VLANs and 10 2 IP aliases creating 27 7 designating 2 8 IP multicast CGMP and 15 4 GMRP and 15 9 group entries 15 15 overview 15 1 router ports and gr...

Page 600: ...lters 15 22 listing port filter associations 15 22 load balancing 7 14 load sharing trunking and 11 13 local authentication configuration guidelines 30 9 default configuration 30 8 30 50 disabling 30 14 enabling 30 12 overview 30 2 password recovery 30 14 setting enable password 30 13 local user authentication deleting an account 30 15 30 17 disabling 30 16 enabling 30 16 overview 30 3 setting pas...

Page 601: ...t 7 33 port instance cost 7 35 port instance priority 7 35 port priority 7 34 unmapping VLANs from 7 39 modes switch CLI 2 3 modules checking status 20 1 configuring Ethernet 4 1 19 1 configuring Fast Ethernet 4 1 6 1 19 1 configuring Gigabit Ethernet 5 1 configuring supervisor engine 3 1 designating on command line 2 7 Ethernet configuring 6 1 Fast Ethernet configuring 6 1 Gigabit Ethernet config...

Page 602: ...nce 7 14 network management configuring 25 1 See also RMON SNMP Network Time Protocol See NTP New Software Features in Release 7 7 extended VLAN support with VTP version 3 10 3 10 4 10 6 10 9 NFFC NFFC II IGMP snooping and 15 4 protocol filtering and 19 1 NMS SPAN configuring 26 1 nonvolatile random access memory See NVRAM normal mode switch CLI 2 3 normal range VLANs See VLANs NTP clearing time z...

Page 603: ...port control command 31 4 authorized and unauthorized 31 4 switch as proxy 31 2 RADIUS client 31 2 port cost EtherChannel 6 8 PVST 7 25 port debounce timer disabling 4 6 displaying 4 6 enabling 4 6 PortFast configuring 8 8 multiple spanning tree 7 15 PortFast BPDU guard configuring 8 13 disabling 8 14 port filter associations assigning and listing 15 22 port IP multicast filtering 15 20 port names...

Page 604: ...ndant mode 28 2 voice 28 11 power supplies fixed 28 2 variable 28 2 priority See port priority private VLANs configuration guidelines 10 17 creating 10 19 deleting community VLANs 10 23 deleting isolated VLANs 10 23 deleting mapping 10 23 deleting primary VLANs 10 22 hardware interactions 10 18 isolated VLAN 10 17 overview 10 16 primary VLAN 10 17 software interactions 10 18 privileged mode switch...

Page 605: ...ng optional attributes 30 28 setting deadtime 30 27 setting retransmit count 30 27 setting timeout 30 26 using a RADIUS server for 802 1x VLAN assignment 31 6 RADIUS keys clearing 30 29 specifying 30 25 RADIUS servers clearing 30 29 specifying 30 23 30 49 rapid PVST configuring 7 28 overview 7 12 rapid Spanning Tree Protocol See RSTP 7 16 RARP sc0 interface and 3 9 using 3 9 rcp downloading config...

Page 606: ...tates 7 17 running configuration downloading via rcp 35 6 S sc0 interface assigning IP address 3 5 configuring 3 5 DHCP and 3 9 overview 3 1 3 4 RARP and 3 9 VLAN assignment 10 2 secure ports disabling unicast flood blocking 16 6 enabling unicast flood blocking 16 6 secure shell encryption See SSH security configuring 18 1 configuring passwords 30 13 IP permit list 18 1 set spantree portcost comma...

Page 607: ... spanning tree PortFast See PortFast Spanning Tree Protocol See STP spanning tree UplinkFast See UplinkFast speed setting 10 100 Fast Ethernet port 4 4 SSH 20 7 configuring 20 7 SST 7 15 interoperability 7 17 static route configuring 27 9 status reports system 27 12 STP BPDUs and 7 3 forward delay timer 7 44 hello time 7 44 MAC address allocation 7 13 MAC address reduction enabling 10 6 maximum ag...

Page 608: ...gging levels 37 6 setting session settings 37 5 severity levels table 37 3 37 4 syslog servers configuring 37 8 system clock setting 27 4 system contact setting 27 3 system images downloading using rcp 33 6 downloading using TFTP 33 2 switch specifying startup 32 1 uploading 33 9 uploading 33 5 system location setting 27 3 system message logging changing enable state timestamp 37 6 configuring 37 ...

Page 609: ...tempts 30 10 monitoring user sessions 20 8 system message logging settings 37 5 text file configuration mode setting the configuration mode 34 2 TFTP downloading software images 33 2 uploading configuration files 35 5 uploading software images 33 5 time setting 27 4 time exceeded messages 20 12 timers configuring forward delay 7 44 configuring hello time 7 44 configuring maximum aging time 7 44 GA...

Page 610: ...e UDLD UplinkFast configuring 8 15 dummy MAC addresses 8 4 multiple spanning tree 7 15 overview 8 3 uploading configuration files 35 5 35 7 software images 33 5 33 9 supervisor 33 9 user sessions disconnecting 20 8 monitoring 20 8 using IGMP traffic filtering 15 18 V verifying disabled IGMP multicast filtering 15 19 verifying enabled IGMP multicast filtering 15 19 verifying IGMP filter match actio...

Page 611: ...firm dynamic port assignments 12 10 reconfirming membership 12 10 troubleshooting 12 11 troubleshooting dynamic ports 12 11 VMPS clients configuring 12 8 VMPS database creating 12 4 downloading 12 10 example configuration file 12 6 global settings 12 4 MAC addresses 12 5 port groups 12 5 VLAN groups 12 5 VLAN port policies 12 5 VMPS servers configuring 12 7 voice interfaces configuring 29 1 Voice ...

Page 612: ...rent mode configuring 9 8 version 2 disabling 9 10 enabling 9 9 overview 9 3 version 3 configuring 9 22 default configuration 9 22 naming extended range VLANs 10 4 10 9 propagation of extended range VLANs 10 3 10 6 understanding 9 13 with private VLANs 10 18 VTP pruning configuring 9 11 disabling 9 12 overview 9 4 W write tech support command 27 12 ...

Reviews:

No comments

Brands by name

Popular brands

Load more brands