manualshive.com logo in svg

Cisco 2950 - Catalyst Switch, Configuration Manual

Share
Download
Cisco 2950 - Catalyst Switch Configuration Manual Download Page 39

 

1-5

Catalyst 2950 and Catalyst 2955 Switch Software Configuration Guide

78-11380-10

Chapter 1      Overview

Features

IEEE 802.1s Multiple Spanning Tree Protocol (MSTP) for grouping VLANs into a spanning-tree 
instance and for providing multiple forwarding paths for data traffic and load balancing and rapid 
per-VLAN Spanning-Tree plus (rapid-PVST+) based on the IEEE 802.1w Rapid Spanning Tree 
Protocol (RSTP) for rapid convergence of the spanning tree by immediately transitioning root and 
designated ports to the forwarding state

Optional spanning-tree features available in the PVST+, rapid PVST+, and MSTP modes:

Port Fast for eliminating the forwarding delay by enabling a port to immediately transition from 
the blocking state to the forwarding state

BPDU guard for shutting down Port Fast-enabled ports that receive BPDUs

BPDU filtering for preventing a Port Fast-enabled port from sending or receiving BPDUs

Root guard for preventing switches outside the network core from becoming the spanning-tree 
root

Loop guard for preventing alternate or root ports from becoming designated ports because of a 
failure that leads to a unidirectional link

VLAN Support

The switches support 250 port-based VLANs for assigning users to VLANs associated with 
appropriate network resources, traffic patterns, and bandwidth 

Note

The Catalyst 2950-12, Catalyst 2950-24, Catalyst 2950SX-24, Catalyst 2950SX-48-SI, and 
Catalyst 2950T-48-SI switches support only 64 port-based VLANs.

The switch supports up to 4094 VLAN IDs to allow service provider networks to support the number of 
VLANs allowed by the IEEE 802.1Q standard

 

(available only with the EI)

IEEE 802.1Q trunking protocol on all ports for network moves, adds, and changes; management and 
control of broadcast and multicast traffic; and network security by establishing VLAN groups for 
high-security users and network resources

VLAN Membership Policy Server (VMPS) for dynamic VLAN membership

VLAN Trunking Protocol (VTP) pruning for reducing network traffic by restricting flooded traffic 
to links destined for stations receiving the traffic

Dynamic Trunking Protocol (DTP) for negotiating trunking on a link between two devices and for 
negotiating the type of trunking encapsulation (802.1Q) to be used

Voice VLAN for creating subnets for voice traffic from Cisco IP Phones

VLAN 1 minimization to reduce the risk of spanning-tree loops or storms by allowing VLAN 1 to 
be disabled on any individual VLAN trunk link. With this feature enabled, no user traffic is sent or 
received. The switch CPU continues to send and receive control protocol frames.

Security

Bridge protocol data unit (BPDU) guard for shutting down a Port Fast-configured port when an 
invalid configuration occurs

Protected port option for restricting the forwarding of traffic to designated ports on the same switch

Password-protected access (read-only and read-write access) to management interfaces (CMS and 
CLI) for protection against unauthorized configuration changes

Port security option for limiting and identifying MAC addresses of the stations allowed to access 
the port

Port security aging to set the aging time for secure addresses on a port

Summary of Contents for 2950 - Catalyst Switch

Page 1: ...an Jose CA 95134 1706 USA http www cisco com Tel 408 526 4000 800 553 NETS 6387 Fax 408 526 4100 Catalyst 2950 and Catalyst 2955 Switch Software Configuration Guide Cisco IOS Release 12 1 20 EA2 May 2004 Customer Order Number DOC 7811380 Text Part Number 78 11380 10 ...

Page 2: ...ITHOUT LIMITATION LOST PROFITS OR LOSS OR DAMAGE TO DATA ARISING OUT OF THE USE OR INABILITY TO USE THIS MANUAL EVEN IF CISCO OR ITS SUPPLIERS HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES CCIP CCSP the Cisco Arrow logo the Cisco Powered Network mark Cisco Unity Follow Me Browsing FormShare and StackWise are trademarks of Cisco Systems Inc Changing the Way We Work Live Play and Learn and iQ...

Page 3: ...i Obtaining Additional Publications and Information xxxiv C H A P T E R 1 Overview 1 1 Features 1 1 Management Options 1 8 Management Interface Options 1 8 Advantages of Using CMS and Clustering Switches 1 9 Network Configuration Examples 1 10 Design Concepts for Using the Switch 1 10 Small to Medium Sized Network Configuration 1 13 Collapsed Backbone and Switch Cluster Configuration 1 14 Hotel Ne...

Page 4: ... and more Commands 2 9 Accessing the CLI 2 9 Accessing the CLI from a Browser 2 10 C H A P T E R 3 Configuring Catalyst 2955 Switch Alarms 3 1 Understanding Catalyst 2955 Switch Alarms 3 1 Global Status Monitoring Alarms 3 2 FCS Error Hysteresis Threshold 3 2 Port Status Monitoring Alarms 3 3 Triggering Alarm Options 3 3 Configuring Catalyst 2955 Switch Alarms 3 4 Default Catalyst 2955 Switch Alar...

Page 5: ... Toolbar and Feature Bar 4 2 Online Help 4 5 Configuration Modes 4 5 Guide Mode 4 5 Expert Mode 4 6 Wizards 4 6 Privilege Levels 4 7 Access to Older Switches in a Cluster 4 7 Configuring CMS 4 7 CMS Requirements 4 8 Minimum Hardware Configuration 4 8 Operating System and Browser Support 4 8 CMS Plug In 4 9 Cross Platform Considerations 4 9 HTTP Access to CMS 4 9 Specifying an HTTP Port Nondefault ...

Page 6: ...ecking and Saving the Running Configuration 5 11 Modifying the Startup Configuration 5 11 Default Boot Configuration 5 12 Automatically Downloading a Configuration File 5 12 Specifying the Filename to Read and Write the System Configuration 5 12 Booting Manually 5 13 Booting a Specific Software Image 5 13 Controlling Environment Variables 5 14 Scheduling a Reload of the Software Image 5 16 Configu...

Page 7: ...mand Switch Characteristics 7 3 Candidate Switch and Member Switch Characteristics 7 4 Planning a Switch Cluster 7 5 Automatic Discovery of Cluster Candidates and Members 7 5 Discovery through CDP Hops 7 6 Discovery through Non CDP Capable and Noncluster Capable Devices 7 7 Discovery through the Same Management VLAN 7 8 Discovery through Different Management VLANs 7 9 Discovery of Newly Installed ...

Page 8: ...hentication 8 4 Configuring NTP Associations 8 6 Configuring NTP Broadcast Service 8 7 Configuring NTP Access Restrictions 8 8 Configuring the Source IP Address for NTP Packets 8 10 Displaying the NTP Configuration 8 11 Configuring Time and Date Manually 8 11 Setting the System Clock 8 12 Displaying the Time and Date Configuration 8 12 Configuring the Time Zone 8 13 Configuring Summer Time Dayligh...

Page 9: ...g or Changing a Static Enable Password 9 3 Protecting Enable and Enable Secret Passwords with Encryption 9 4 Disabling Password Recovery 9 5 Setting a Telnet Password for a Terminal Line 9 6 Configuring Username and Password Pairs 9 7 Configuring Multiple Privilege Levels 9 8 Setting the Privilege Level for a Command 9 8 Changing the Default Privilege Level for Lines 9 9 Logging into and Exiting a...

Page 10: ...rstanding SSH 9 33 SSH Servers Integrated Clients and Supported Versions 9 33 Limitations 9 34 Configuring SSH 9 34 Configuration Guidelines 9 34 Cryptographic Software Image Guidelines 9 35 Setting Up the Switch to Run SSH 9 35 Configuring the SSH Server 9 36 Displaying the SSH Configuration and Status 9 37 C H A P T E R 10 Configuring 802 1x Port Based Authentication 10 1 Understanding 802 1x Po...

Page 11: ...unk Ports 11 2 Port Based VLANs 11 3 EtherChannel Port Groups 11 3 Connecting Interfaces 11 4 Using the Interface Command 11 4 Procedures for Configuring Interfaces 11 5 Configuring a Range of Interfaces 11 5 Configuring and Using Interface Range Macros 11 7 Configuring Ethernet Interfaces 11 8 Default Ethernet Interface Configuration 11 9 Configuring Interface Speed and Duplex Mode 11 10 Configur...

Page 12: ...ks 13 6 LRE Link Monitor 13 7 LRE Message Logging Process 13 8 Configuring LRE Ports 13 8 Default LRE Configuration 13 9 Environmental Guidelines for LRE Links 13 9 Guidelines for Using LRE Profiles 13 10 CPE Ethernet Link Guidelines 13 11 Guidelines for Configuring Cisco 575 LRE CPEs and 576 LRE 997 CPEs 13 11 Guidelines for Configuring Cisco 585 LRE CPEs 13 12 Assigning a Global Profile to All L...

Page 13: ...e Interface States 14 4 Blocking State 14 6 Listening State 14 6 Learning State 14 6 Forwarding State 14 6 Disabled State 14 7 How a Switch or Port Becomes the Root Switch or Root Port 14 7 Spanning Tree and Redundant Connectivity 14 8 Spanning Tree Address Management 14 8 Accelerated Aging to Retain Connectivity 14 8 Spanning Tree Modes and Protocols 14 9 Supported Spanning Tree Instances 14 9 Sp...

Page 14: ...y Ports 15 5 Interoperability with 802 1D STP 15 5 Understanding RSTP 15 6 Port Roles and the Active Topology 15 6 Rapid Convergence 15 7 Synchronization of Port Roles 15 8 Bridge Protocol Data Unit Format and Processing 15 9 Processing Superior BPDU Information 15 10 Processing Inferior BPDU Information 15 10 Topology Changes 15 10 Configuring MSTP Features 15 11 Default MSTP Configuration 15 12 ...

Page 15: ...6 7 Limitations 16 7 Connecting the Stack Ports 16 8 Understanding BackboneFast 16 9 Understanding EtherChannel Guard 16 11 Understanding Root Guard 16 11 Understanding Loop Guard 16 12 Configuring Optional Spanning Tree Features 16 12 Default Optional Spanning Tree Configuration 16 13 Optional Spanning Tree Configuration Guidelines 16 13 Enabling Port Fast 16 13 Enabling BPDU Guard 16 14 Enabling...

Page 16: ...ration Guidelines 17 12 Creating an Extended Range VLAN 17 13 Displaying VLANs 17 14 Configuring VLAN Trunks 17 15 Trunking Overview 17 15 802 1Q Configuration Considerations 17 16 Default Layer 2 Ethernet Interface VLAN Configuration 17 17 Configuring an Ethernet Interface as a Trunk Port 17 17 Interaction with Other Features 17 18 Configuring a Trunk Port 17 18 Defining the Allowed VLANs on a Tr...

Page 17: ...rstanding VTP 18 1 The VTP Domain 18 2 VTP Modes 18 3 VTP Advertisements 18 3 VTP Version 2 18 4 VTP Pruning 18 4 Configuring VTP 18 6 Default VTP Configuration 18 6 VTP Configuration Options 18 7 VTP Configuration in Global Configuration Mode 18 7 VTP Configuration in VLAN Configuration Mode 18 7 VTP Configuration Guidelines 18 8 Domain Names 18 8 Passwords 18 8 Upgrading from Previous Software R...

Page 18: ...ority of Incoming Data Frames 19 6 Displaying Voice VLAN 19 6 C H A P T E R 20 Configuring DHCP Features 20 1 Understanding DHCP Features 20 1 DHCP Server 20 2 DHCP Relay Agent 20 2 DHCP Snooping 20 2 Option 82 Data Insertion 20 3 Configuring DHCP Features 20 5 Default DHCP Configuration 20 5 DHCP Snooping Configuration Guidelines 20 6 Configuring the DHCP Server 20 6 Enabling DHCP Snooping and Op...

Page 19: ... MVR Configuration 21 17 MVR Configuration Guidelines and Limitations 21 17 Configuring MVR Global Parameters 21 18 Configuring MVR Interfaces 21 19 Displaying MVR Information 21 21 Configuring IGMP Filtering and Throttling 21 21 Default IGMP Filtering and Throttling Configuration 21 22 Configuring IGMP Profiles 21 22 Applying IGMP Profiles 21 24 Setting the Maximum Number of IGMP Groups 21 25 Con...

Page 20: ...ings 22 13 C H A P T E R 23 Configuring UDLD 23 1 Understanding UDLD 23 1 Modes of Operation 23 1 Methods to Detect Unidirectional Links 23 2 Configuring UDLD 23 4 Default UDLD Configuration 23 4 Configuration Guidelines 23 4 Enabling UDLD Globally 23 5 Enabling UDLD on an Interface 23 5 Resetting an Interface Shut Down by UDLD 23 6 Displaying UDLD Status 23 7 C H A P T E R 24 Configuring CDP 24 1...

Page 21: ... Configuration Guidelines 25 7 Creating a SPAN Session and Specifying Ports to Monitor 25 8 Creating a SPAN Session and Enabling Ingress Traffic 25 9 Removing Ports from a SPAN Session 25 11 Configuring RSPAN 25 12 RSPAN Configuration Guidelines 25 12 Configuring a VLAN as an RSPAN VLAN 25 13 Creating an RSPAN Source Session 25 13 Creating an RSPAN Destination Session 25 15 Removing Ports from an ...

Page 22: ...t to the History Table and to SNMP 27 10 Configuring UNIX Syslog Servers 27 11 Logging Messages to a UNIX Syslog Daemon 27 11 Configuring the UNIX System Logging Facility 27 11 Displaying the Logging Configuration 27 13 C H A P T E R 28 Configuring SNMP 28 1 Understanding SNMP 28 1 SNMP Versions 28 2 SNMP Manager Functions 28 3 SNMP Agent Functions 28 4 SNMP Community Strings 28 4 Using SNMP to Ac...

Page 23: ...ing Time Ranges to ACLs 29 15 Including Comments About Entries in ACLs 29 17 Creating Named MAC Extended ACLs 29 18 Creating MAC Access Groups 29 19 Applying ACLs to Terminal Lines or Physical Interfaces 29 19 Applying ACLs to a Terminal Line 29 20 Applying ACLs to a Physical Interface 29 20 Displaying ACL Information 29 21 Displaying ACLs 29 21 Displaying Access Groups 29 22 Examples for Compilin...

Page 24: ...ort Trust States 30 20 Configuring the Trust State on Ports within the QoS Domain 30 20 Configuring the CoS Value for an Interface 30 23 Configuring Trusted Boundary 30 23 Enabling Pass Through Mode 30 25 Configuring a QoS Policy 30 26 Classifying Traffic by Using ACLs 30 27 Classifying Traffic by Using Class Maps 30 30 Classifying Policing and Marking Traffic by Using Policy Maps 30 31 Configurin...

Page 25: ...ng Hot Standby Ports 31 13 Configuring the LACP System Priority 31 13 Displaying EtherChannel PAgP and LACP Status 31 14 C H A P T E R 32 Troubleshooting 32 1 Using Recovery Procedures 32 1 Recovering from Corrupted Software 32 2 Recovering from Lost or Forgotten Passwords on Non LRE Catalyst 2950 Switches 32 2 Recovering from Lost or Forgotten Passwords on Catalyst 2950 LRE Switches 32 4 Password...

Page 26: ...Images B 1 Working with the Flash File System B 1 Displaying Available File Systems B 2 Setting the Default File System B 3 Displaying Information about Files on a File System B 3 Changing Directories and Displaying the Working Directory B 4 Creating and Removing Directories B 4 Copying Files B 5 Deleting Files B 5 Creating Displaying and Extracting tar Files B 6 Creating a tar File B 6 Displaying...

Page 27: ...the Startup Configuration File B 19 Deleting a Stored Configuration File B 19 Working with Software Images B 19 Image Location on the Switch B 20 tar File Format of Images on a Server or Cisco com B 20 Copying Image Files By Using TFTP B 21 Preparing to Download or Upload an Image File By Using TFTP B 21 Downloading an Image File By Using TFTP B 22 Uploading an Image File By Using TFTP B 23 Copyin...

Page 28: ...Contents xxviii Catalyst 2950 and Catalyst 2955 Switch Software Configuration Guide 78 11380 10 ...

Page 29: ...es to process alarms related to the temperature power supply conditions and status of the Ethernet ports Use this guide with other documents for information about these topics Requirements This guide assumes that you have met the hardware and software requirements and cluster compatibility requirements described in the release notes Start up information This guide assumes that you have assigned sw...

Page 30: ...For this information refer to the system message guide for this release and to the hardware installation guide Conventions This publication uses these conventions to convey instructions and information Command descriptions use these conventions Commands and keywords are in boldface text Arguments for which you supply values are in italic Square brackets mean optional elements Braces group required...

Page 31: ... 7811380 Catalyst 2950 and Catalyst 2955 Switch Command Reference order number DOC 7811381 Catalyst 2950 and Catalyst 2955 Switch System Message Guide order number DOC 7814233 Catalyst 2950 Desktop Switch Hardware Installation Guide order number DOC 7811157 Catalyst 2955 Hardware Installation Guide order number DOC 7814944 For information about related products refer to these documents Cluster Man...

Page 32: ...adquarters California USA at 408 526 7208 or elsewhere in North America by calling 800 553 NETS 6387 Documentation Feedback You can send comments about technical documentation to bug doc cisco com You can submit comments by using the response card if present behind the front cover of your document or by writing to the following address Cisco Systems Attn Customer Document Ordering 170 West Tasman ...

Page 33: ...he Cisco TAC by telephone S1 or S2 service requests are those in which your production network is down or severely degraded Cisco TAC engineers are assigned immediately to S1 and S2 service requests to help keep your business operations running smoothly To open a service request by telephone use one of the following numbers Asia Pacific 61 2 8446 7411 Australia 1 800 805 227 EMEA 32 2 704 55 55 US...

Page 34: ...s Each quarter Packet delivers coverage of the latest industry trends technology breakthroughs and Cisco products and solutions as well as network deployment and troubleshooting tips configuration examples customer case studies certification and training information and links to scores of in depth online resources You can access Packet magazine at this URL http www cisco com packet iQ Magazine is ...

Page 35: ...rsion 4 IPv4 Layer 3 IP version 6 IPv6 packets are treated as non IP packets Features The switch software supports the switches listed in Table 1 1 and in the release notes Table 1 1 Switches Supported Switch Software Image Catalyst 2950 12 SI1 Catalyst 2950 24 SI Catalyst 2950C 24 EI2 Catalyst 2950G 12 EI EI Catalyst 2950G 24 EI EI Catalyst 2950G 24 EI DC EI Catalyst 2950G 48 EI EI Catalyst 2950S...

Page 36: ... configurations for simplified deployment across the network Cluster Management Suite CMS software for simplifying switch and switch cluster management through a web browser such as Netscape Communicator or Microsoft Internet Explorer from anywhere in your intranet Switch clustering technology used with CMS for Unified configuration monitoring authentication and software upgrade of multiple switch...

Page 37: ...2950G 24 EI DC 2950G 48 EI and 2955 switches Per port broadcast storm control for preventing faulty end stations from degrading overall system performance with broadcast storms Port Aggregation Protocol PAgP and Link Aggregation Control Protocol LACP for automatic creation of EtherChannel links Internet Group Management Protocol IGMP snooping for IGMP versions 1 2 and 3 to limit flooding of IP mul...

Page 38: ...ed session In band management access through up to 16 simultaneous Telnet connections for multiple command line interface CLI based sessions over the network In band management access through up to 5 simultaneous encrypted Secure Shell SSH connections for multiple CLI based sessions over the network only available in the enhanced cryptographic software image In band management access through SNMP ...

Page 39: ...ports up to 4094 VLAN IDs to allow service provider networks to support the number of VLANs allowed by the IEEE 802 1Q standard available only with the EI IEEE 802 1Q trunking protocol on all ports for network moves adds and changes management and control of broadcast and multicast traffic and network security by establishing VLAN groups for high security users and network resources VLAN Membershi...

Page 40: ...Services Code Point IP DSCP and CoS marking priorities on a per port basis for protecting the performance of mission critical applications only available with the EI Flow based packet classification classification based on information in the MAC IP and TCP UDP headers for high performance quality of service at the network edge allowing for differentiated service levels for different types of netwo...

Page 41: ...nd 3 structured and unstructured cable such as existing telephone lines in multi unit multidwelling and multitenant buildings Up to 15 Mbps of bandwidth to remote Ethernet devices at distances of up to 4921 feet 1500 meters on each switch LRE port Compliance with American National Standards Institute ANSI and European Telecommunication Standards Institute ETSI standards for spectral mode compatibi...

Page 42: ...ork topologies to gather link information and display switch images to modify switch and port level settings For more information about CMS see Chapter 4 Getting Started with CMS CLI The switch Cisco IOS CLI software is enhanced to support desktop switching features You can configure and monitor the switch and switch cluster members from the CLI You can access the CLI either by connecting your man...

Page 43: ...ultiple ports and multiple switches at the same time to avoid re entering the same commands for each individual port or switch Here are some examples of globally setting and managing multiple ports and switches Port configuration such as speed and duplex settings Port and console port security settings NTP STP VLAN and quality of service QoS configurations Inventory and statistic reporting and lin...

Page 44: ...formance to degrade and how you can configure your network to increase the bandwidth available to your network users Bandwidth alone is not the only consideration when designing your network As your network traffic profiles evolve consider providing network services that can support applications such as voice and data integration and security Table 1 4 describes some network demands and how you ca...

Page 45: ...ackbone Compare this with the switches in a GigaStack configuration where the 1 Gbps connection is shared among the switches With the high speed uplink to the distribution server the user can efficiently obtain and store data from servers Using these Gigabit Ethernet modules also provides flexibility in media and distance options 1000BASE T GBIC copper connections of up to 328 feet 100 meters 1000...

Page 46: ...ths between Catalyst 3550 12T L3 switches To enhance network reliability and load balancing for different VLANs and subnets you can connect the Catalyst 2950 switches again in a star configuration to two backbone switches If one of the backbone switches fails the second backbone switch preserves connectivity between the switches and network resources Figure 1 1 Example Configurations Si Si Si Cata...

Page 47: ...Fast Ethernet or Gigabit Ethernet that interconnects segments and network resources It is required if numerous segments require access to the servers The Catalyst 2900 XL Catalyst 2950 Catalyst 3500 XL and Catalyst 3550 switches in this network are connected through a GigaStack GBIC on each switch to form a 1 Gbps network backbone This GigaStack can also be configured as a switch cluster with prim...

Page 48: ...etwork uses VLANs to segment the network logically into well defined broadcast groups and for security management Data and multimedia traffic are configured on the same VLAN Voice traffic from the Cisco IP Phones are configured on separate voice VLAN IDs VVIDs You can have up to four VVIDs per wiring closet If data multimedia and voice traffic are assigned to the same VLAN only one VLAN can be con...

Page 49: ...e for connecting to a POTS telephone One or more RJ 45 Ethernet ports for connecting to devices such as a customer s laptop the room IP phone the television set top box or a room environmental control device A Cisco 575 LRE CPE provides one Ethernet connection a Cisco 585 LRE CPE provides four When connected to the CPE device the Ethernet devices and room telephone share the same telephone line IP...

Page 50: ...g telephones Integrated Services Digital Network ISDN telephone network and PBX switches that use the 0 to 700 kHz frequency range Data to and from the room devices such as e mail for the laptop and IP multicast traffic for the television are transferred through the LRE link which is established between the CPE RJ 11 wall port and the LRE port on an LRE switch The upstream and downstream rates on ...

Page 51: ...splitters Cisco 2600 router Servers Catalyst 2950ST 8 LRE and 2950ST 24 LRE switches Catalyst 2950 or Catalyst 3550 switch Patch panel 89514 POTS telephones Laptop Cisco 575 LRE CPE Laptop POTS telephones Required microfilter Required microfilter Required microfilter Cisco 585 LRE CPE IP phone Laptop Environmental controls Required microfilter Set top box TV IP POTS telephone POTS telephone Cisco ...

Page 52: ...hone line Note All telephones not directly connected to the office CPE device require microfilters with a 300 ohm termination Microfilters improve voice call quality when voice and data equipment are using the same telephone line They also prevent nonfiltered telephone rings and nonfiltered telephone transitions such as on hook to off hook from interrupting the Ethernet connection Note Cisco LRE p...

Page 53: ...55 switches The Catalyst 6500 switch provides the workgroups with Gigabit access to core resources Cisco 7000 series router for access to the WAN and the Internet Server farm that includes a call processing server running Cisco CallManager software Cisco CallManager controls call processing routing and IP phone features and configuration Cisco Access gateway such as Cisco Access Digital Trunk Gate...

Page 54: ...hes can be Catalyst 2950 switches providing customers with high speed connections to the MAN Catalyst 2900 LRE XL or 2950 LRE Layer 2 only switches also can be used as residential switches for customers requiring connectivity through existing telephone lines The Catalyst LRE switches can then connect to another residential switch or to an aggregation switch For more information about these switche...

Page 55: ...devices from becoming the STP root switch All ports have IGMP snooping or CGMP enabled for multicast traffic management ACLs on the uplink ports to the aggregating Catalyst 3550 multilayer switches provide security and bandwidth management The aggregating switches and routers provide services such as those described in the previous examples Small to Medium Sized Network Configuration and Large Cam...

Page 56: ...p multiplexer OADM modules over distances of up to 393 701 feet 74 5 miles or 120 km The CWDM OADM modules combine or multiplex the different CWDM wavelengths allowing them to travel simultaneously on the same fiber optic cable The CWDM OADM modules on the receiving end separate or demultiplex the different wavelengths For more information about the CWDM GBIC modules and CWDM OADM modules refer to...

Page 57: ...nds available for each command mode When you start a session on the switch you begin in user mode often called user EXEC mode Only a limited subset of the commands are available in user EXEC mode For example most of the user EXEC commands are one time commands such as show commands which show the current configuration status and clear commands which clear counters or interfaces The user EXEC comma...

Page 58: ...ered Use a password to protect access to this mode Global configuration While in privileged EXEC mode enter the configure command Switch config To exit to privileged EXEC mode enter exit or end or press Ctrl Z Use this mode to configure parameters that apply to the entire switch Config vlan While in global configuration mode enter the vlan vlan id command Switch config vlan To exit to global confi...

Page 59: ...figure multiple interfaces with the same parameters see the Configuring a Range of Interfaces section on page 11 5 Line configuration While in global configuration mode specify a line with the line vty or line console command Switch config line To exit to global configuration mode enter exit To return to privileged EXEC mode press Ctrl Z or enter end Use this mode to configure parameters for the t...

Page 60: ... of an interface Use the command without the keyword no to re enable a disabled feature or to enable a feature that is disabled by default Configuration commands can also have a default form The default form of a command returns the command setting to its default Most commands are disabled by default so the default form is the same as the no form However some commands are enabled by default and ha...

Page 61: ...sion Switch terminal history size number of lines The range is from 0 to 256 Beginning in line configuration mode enter this command to configure the number of command lines the switch records for all sessions on a particular line Switch config line history size number of lines The range is from 0 to 256 Table 2 3 Common CLI Error Messages Error Message Meaning How to Get Help Ambiguous command sh...

Page 62: ...page 2 8 Enabling and Disabling Editing Features Although enhanced editing mode is automatically enabled you can disable it To re enable the enhanced editing mode for the current terminal session enter this command in privileged EXEC mode Switch terminal editing Table 2 4 Recalling Commands Action1 1 The arrow keys function only on ANSI compatible terminals such as VT100s Result Press Ctrl P or th...

Page 63: ...o the left of the cursor with the character located at the cursor Recall commands from the buffer and paste them in the command line The switch provides a buffer with the last ten items that you deleted Press Ctrl Y Recall the most recent entry in the buffer Press Esc Y Recall the next buffer entry The buffer contains only the last 10 items that you have deleted or cut If you press Esc Y more than...

Page 64: ...01 permit tcp 131 108 2 5 255 255 255 0 131 108 1 20 255 25 Switch config t tcp 131 108 2 5 255 255 255 0 131 108 1 20 255 255 255 0 eq Switch config 108 2 5 255 255 255 0 131 108 1 20 255 255 255 0 eq 45 After you complete the entry press Ctrl A to check the complete syntax before pressing the Return key to execute the command The dollar sign appears at the end of the line to show that the line h...

Page 65: ...PC to the switch console port and power on the switch as described in the hardware installation guide that shipped with your switch Then to understand the boot process and the options available for assigning IP information see Chapter 5 Assigning the Switch IP Address and Default Gateway If your switch is already configured you can access the CLI through a local console connection or through a rem...

Page 66: ...e supported browsers Step 2 In the URL field enter the IP address of the command switch Step 3 When the Cisco Systems Access page appears click Telnet to start a Telnet session Step 4 Enter the switch password The user EXEC prompt appears on the management station Note Copies of the CMS pages that you display are saved in your browser memory cache until you exit the browser session A password is n...

Page 67: ...st 2955 switch software monitors switch conditions on a per port or a switch basis If the conditions present on the switch or port do not match the parameters set by the user the switch software triggers an alarm or a system message By default the switch software sends the system messages to a system message logging facility or a syslog facility You can also configure the switch to send Simple Net...

Page 68: ...0 8 5 10 2 0 05 5 percent The FCS hysteresis threshold is applied to all ports on the Catalyst 2955 switch The allowable range is from 1 to 10 percent The default value is 10 percent See the Configuring the FCS Bit Error Rate Alarm section on page 3 7 for more information Table 3 1 Catalyst 2955 Global Status Monitoring Alarms Alarm Description Power Supply Alarm The switch monitors dual DC power ...

Page 69: ... or other signaling device You can associate any alarm condition with either alarm relay or both relays Each fault condition is assigned a severity level based on the Cisco IOS System Error Message Severity Level See the Configuring Catalyst 2955 Switch Alarms section on page 3 4 for more information on configuring the relays Table 3 2 Catalyst 2955 Port Status Monitoring Alarms Alarm Description ...

Page 70: ...ch Alarms This section describes how to configure the Catalyst 2955 switch alarms Default Catalyst 2955 Switch Alarm Configuration page 3 4 Configuring the Power Supply Alarm page 3 5 Configuring the Switch Temperature Alarms page 3 6 Configuring the FCS Bit Error Rate Alarm page 3 7 Configuring Alarm Profiles page 3 9 Enabling SNMP Traps page 3 11 Default Catalyst 2955 Switch Alarm Configuration ...

Page 71: ... supply global configuration command to associate the power supply alarm to a relay You can also configure all alarms and traps associated with the power supply alarm to be sent to syslog and the SNMP server Beginning in privileged EXEC mode follow these steps to associate the power supply alarm to a relay Command Purpose Step 1 configure terminal Enter global configuration mode Step 2 power suppl...

Page 72: ...es how to configure the temperature alarms on your switch It contains this configuration information Setting a Secondary Temperature Threshold for the Switch page 3 6 Associating the Temperature Alarms to a Relay page 3 7 Setting a Secondary Temperature Threshold for the Switch In global configuration mode you can use the alarm facility temperature secondary command to set a lower temperature thre...

Page 73: ...P server Switch config alarm facility temperature secondary 45 Switch config alarm facility temperature secondary relay minor Switch config alarm facility temperature secondary syslog Switch config alarm facility temperature secondary notifies This example sets the first primary temperature alarm to the major relay All alarms and traps associated with this alarm will be sent to a syslog server Swi...

Page 74: ...configuration command to set the FCS error hysteresis threshold Note The FCS hysteresis threshold is applied to all ports of a Catalyst 2955 switch Beginning in privileged EXEC mode follow these steps to set the FCS error hysteresis threshold for a switch Command Purpose Step 1 configure terminal Enter global configuration mode Step 2 interface interface id Enter the interface to be configured and...

Page 75: ...ly alarm enabled in the defaultPort profile is the Port is not Operating alarm Beginning in privileged EXEC mode follow these steps to create an alarm profile To delete an alarm profile use the no alarm profile name global configuration command Command Purpose Step 1 configure terminal Enter global configuration mode Step 2 alarm profile name Create the new profile or identify an existing profile ...

Page 76: ...heir corresponding alarm definitions For a description of these alarms see the Port Status Monitoring Alarms section on page 3 3 Attaching an Alarm Profile to a Specific Port In interface configuration mode you can use the alarm profile command to attach an alarm profile to a specific port Beginning in privileged EXEC mode follow these steps to attach an alarm profile to a port To detach an alarm ...

Page 77: ...t 2955 Switch Alarms Status To display the global and port alarm status use one or more of the privileged EXEC commands in Table 3 5 Command Purpose Step 1 configure terminal Enter global configuration mode Step 2 snmp server enable traps alarms Enable the switch to send SNMP traps Step 3 end Return to privileged EXEC mode Step 4 show alarm settings Verify the configuration Step 5 copy running con...

Page 78: ...3 12 Catalyst 2950 and Catalyst 2955 Switch Software Configuration Guide 78 11380 10 Chapter 3 Configuring Catalyst 2955 Switch Alarms Displaying Catalyst 2955 Switch Alarms Status ...

Page 79: ...es for managing switch clusters and individual switches from web browsers such as Netscape Communicator or Microsoft Internet Explorer Front panel and topology views of your network as shown in Figure 4 7 on page 4 13 and Figure 4 8 on page 4 14 that can be displayed at the same time A menu bar a toolbar and a feature bar as shown in Figure 4 6 on page 4 13 to access configuration and management o...

Page 80: ...preferences install CMS on your PC or workstation and show or hide the feature bar Note CMS is downloaded to your browser each time you launch CMS You can increase the speed at which CMS loads by permanently installing CMS on your PC or workstation Select CMS Installation and Distributions and click Install CMS will be installed locally and load faster the next time that you launch it Window Choos...

Page 81: ... Macros Display or configure Smartports macros on a port VLAN1 Display VLAN membership assign ports to VLANs and change the administration mode Inventory Display the device type the software version the IP address and other information about a switch Refresh Update the views with the latest status Front Panel Display the Front Panel view Topology Display the Topology view Topology Options Select t...

Page 82: ...in your cluster are displayed in the feature bar You can search for features that are available for your cluster by clicking Search and entering a feature name as shown in Figure 4 2 Access modes affect the availability of features from CMS Some CMS features are not available in read only mode For more information about how access modes affect CMS see the Privilege Levels section on page 4 7 1 Fea...

Page 83: ...ments to Cisco Systems Inc We appreciate and value your comments Configuration Modes You can change the CMS interaction mode to either expert or guide mode Expert mode displays a configuration window in which you configure the feature options Guide mode takes you through each feature option and provides information about the parameter Guide Mode Guide mode is for users who want a step by step appr...

Page 84: ...n Expert Mode If you change the interaction mode after selecting a configuration option the mode change does not take effect until you select another configuration option Wizards Similar to guide mode wizards provide a step by step approach for completing a specific configuration task Unlike guide mode a wizard does not prompt you to provide information for all of the feature options Instead it pr...

Page 85: ...15 Entering zero denies access to CMS Note You must have privilege level 15 to access CMS through a TACACS or RADIUS server For more information about privilege levels see the Preventing Unauthorized Access to Your Switch section on page 9 1 and the Configuring Multiple Privilege Levels section on page 9 8 Access to Older Switches in a Cluster If your cluster has these member switches running earl...

Page 86: ...g at 143 MHz with 64 MB of DRAM Table 4 2 lists the minimum platforms for running CMS Operating System and Browser Support You can access the CMS interface by using the operating systems and browsers listed in Table 4 3 CMS checks the browser version when starting a session to ensure that the browser is supported Table 4 2 Minimum Hardware Configuration OS Processor Speed DRAM Number of Colors Res...

Page 87: ...is Cisco IOS release When you select Device Device Manager for a cluster member a new browser session launches and the CMS version for that switch appears Catalyst 1900 and 2820 switches only Here are examples of how CMS can differ between Cisco IOS releases and switch platforms The CMS versions in these software releases might appear to be similar but they are not the same as this release For exa...

Page 88: ...ace display the switch home page as described in the Launching CMS section on page 4 10 Displaying CMS This section provides these topics about displaying CMS Launching CMS section on page 4 10 Front Panel View section on page 4 13 Topology View section on page 4 14 Launching CMS To display the switch home page follow these steps Step 1 Enter the switch IP address in the browser and press Enter St...

Page 89: ... IP address to an unconfigured switch For more information refer to the hardware installation guide Cluster Management Suite Launches CMS Tools Accesses diagnostic and monitoring tools such as Telnet Extended Ping and the show interfaces privileged EXEC command Help Resources Provides links to the Cisco website technical documentation and the Cisco Technical Assistance Center TAC Step 3 Click Clus...

Page 90: ...struct you how to correctly configure your PC or workstation If the CMS Startup Report appears click the links and follow the instructions to configure your PC or workstation Note If your PC or workstation is correctly configured for CMS you do not see the CMS Startup Report Note If you are running Windows and need to both upgrade your web browser and install the CMS plug in you must upgrade your ...

Page 91: ... front panel image displays only the front panel of that switch The Front Panel view displays the front panel image of the command switch and any other switches that were selected the last time the view was displayed You can choose and configure the switches that appear in Front Panel view You can drag the switches that appear and re arrange them You can right click on a switch port to configure t...

Page 92: ...When CMS is launched from a command switch the Topology view appears by default When you click the topology button on the tool bar the Topology view displays the command switch shown by the CMD label and the devices that are connected to it as shown in Figure 4 8 You can right click on a switch or link icon to display a menu for that icon Figure 4 8 Topology View and Device Popup Menus Note Figure...

Page 93: ...to other clusters candidate switches and devices that are not eligible to join the cluster such as routers access points IP phones and so on Note The Topology view displays only the switch cluster and network neighborhood of the specific command or member switch that you access To display a different switch cluster you need to access the command switch or member switch of that cluster CMS Icons Fo...

Page 94: ...4 16 Catalyst 2950 and Catalyst 2955 Switch Software Configuration Guide 78 11380 10 Chapter 4 Getting Started with CMS Where to Go Next ...

Page 95: ...ing Configuration page 5 11 Modifying the Startup Configuration page 5 11 available only on the Catalyst 2950 LRE switch Scheduling a Reload of the Software Image page 5 16 available only on the Catalyst 2950 LRE switch Understanding the Boot Process To start your switch you need to follow the procedures in the hardware installation guide about installing and powering on the switch and setting up ...

Page 96: ...mation make sure you have connected a PC or terminal to the console port and configured the PC or terminal emulation software baud rate and character format to match these of the switch console port Baud rate default is 9600 Data bits default is 8 Stop bits default is 1 Parity settings default is none Note If you are using Express Setup do not connect any devices to the switch before starting Expr...

Page 97: ...e 5 1 shows the default switch information Understanding DHCP Based Autoconfiguration DHCP provides configuration information to Internet hosts and internetworking devices This protocol consists of two components one for delivering configuration parameters from a DHCP server to a device and a mechanism for allocating network addresses to devices DHCP is built on a client server model in which desi...

Page 98: ...resent and the service config global configuration command is enabled on the switch In this case the switch broadcasts TFTP requests for the configuration file Figure 5 1 shows the sequence of messages that are exchanged between the DHCP client and the DHCP server Figure 5 1 DHCP Client and Server Message Exchange The client Switch A broadcasts a DHCPDISCOVER message to locate a DHCP server The DH...

Page 99: ...hese sections describe how to configure DHCP based autoconfiguration DHCP Server Configuration Guidelines page 5 5 Configuring the TFTP Server page 5 6 Configuring the DNS page 5 7 Configuring the Relay Device page 5 7 Obtaining Configuration Files page 5 8 Example Configuration page 5 9 If your DHCP server is a Cisco device or if you are configuring the switch as a DHCP server refer to the IP Add...

Page 100: ...configuration filename the TFTP server or if the configuration file could not be downloaded the switch attempts to download a configuration file by using various combinations of filenames and TFTP server addresses The files include the specified configuration filename if any and these files network config cisconet cfg hostname config or hostname cfg where hostname is the switch s current hostname ...

Page 101: ...figure a relay device also referred to an a relay agent when a switch sends broadcast packets that require a response from a host on a different LAN Examples of broadcast packets that the switch might send are DHCP DNS and in some cases TFTP packets You must configure this relay device to forward received broadcast packets on an interface to the destination host If the relay device is a Cisco rout...

Page 102: ...ilename is not provided two file read method The switch receives its IP address subnet mask and the TFTP server address from the DHCP server The switch sends a unicast message to the TFTP server to retrieve the network confg or cisconet cfg default configuration file If the network confg file cannot be read the switch reads the cisconet cfg file The default configuration file contains the host nam...

Page 103: ...ains a configuration file for each switch switcha confg switchb confg and so forth as shown in this display prompt cd tftpserver work prompt ls network confg switcha confg Switch 1 00e0 9f1e 2001 Cisco router 111394 Switch 2 00e0 9f1e 2002 Switch 3 00e0 9f1e 2003 DHCP server DNS server TFTP server tftpserver 10 0 0 1 10 0 0 10 10 0 0 2 10 0 0 3 Switch 4 00e0 9f1e 2004 Table 5 2 DHCP Server Configu...

Page 104: ...on files and IP addresses in the same way Manually Assigning IP Information Beginning in privileged EXEC mode follow these steps to manually assign IP information to VLANs or ports Command Purpose Step 1 configure terminal Enter global configuration mode Step 2 interface vlan vlan id Enter interface configuration mode and enter the VLAN to which the IP information is assigned The range is 1 to 409...

Page 105: ... have made to your startup configuration in flash memory enter the copy running config startup config privileged EXEC command This command saves the configuration settings that you made If you fail to do this your configuration will be lost the next time you reload the system To display information stored in the NVRAM section of flash memory use the show startup config or more startup config privi...

Page 106: ...t the system using information in the BOOT environment variable If the variable is not set the switch attempts to load and execute the first executable image it can by performing a recursive depth first search throughout the flash file system The software image is stored in a directory that has the same name as the image file excluding the bin extension In a depth first search of a directory each ...

Page 107: ...rming a recursive depth first search throughout the flash file system In a depth first search of a directory each encountered subdirectory is completely searched before continuing the search in the original directory However you can specify a specific image to boot Command Purpose Step 1 configure terminal Enter global configuration mode Step 2 boot manual Enable the switch to manually boot during...

Page 108: ...ontains an environment variable name and an equal sign followed by the value of the variable A variable has no value if it is not listed in this file it has a value if it is listed in the file even if the value is a null string A variable that is set to a null string for example is a variable with a value Many environment variables are predefined and have default values Command Purpose Step 1 conf...

Page 109: ...d Cisco IOS Global Configuration Command MANUAL_BOOT set MANUAL_BOOT yes Decides whether the switch automatically or manually boots Valid values are 1 yes 0 and no If it is set to no or 0 the boot loader attempts to automatically boot the system If it is set to anything else you must manually boot the switch from the boot loader mode boot manual Enables manually booting the switch during the next ...

Page 110: ... the reload is scheduled to take place at the specified time and date If you do not specify the month and day the reload takes place at the specified time on the current day if the specified time is later than the current time or on the next day if the specified time is earlier than the current time Specifying 00 00 schedules the reload for midnight CONFIG_FILE set CONFIG_FILE flash file url Chang...

Page 111: ...itch prompts you to save the configuration before reloading During the save operation the system requests whether you want to proceed with the save if the CONFIG_FILE environment variable points to a startup configuration file that no longer exists If you proceed in this situation the system enters setup mode upon reload This example shows how to reload the software on the switch on the current da...

Page 112: ...5 18 Catalyst 2950 and Catalyst 2955 Switch Software Configuration Guide 78 11380 10 Chapter 5 Assigning the Switch IP Address and Default Gateway Scheduling a Reload of the Software Image ...

Page 113: ...s Configuration Registrar Software The IE2100 Series Configuration Registrar is a network management device that acts as a configuration service for automating the deployment and management of network devices and services see Figure 6 1 Each Configuration Registrar manages a group of Cisco IOS devices switches and routers and the services that they deliver storing their configurations and deliveri...

Page 114: ... CNS Configuration Service uses the CNS Event Service to send and receive configuration change events and to send success and failure notifications The configuration server is a web server that uses configuration templates and the device specific configuration information stored in the embedded standalone mode or remote server mode directory Configuration templates are text files containing static...

Page 115: ...r when given a unique group ID device ID and event the mapping service returns a set of events on which to publish What You Should Know About ConfigID DeviceID and Host Name The Configuration Registrar assumes that a unique identifier is associated with each configured switch This unique identifier can take on multiple synonyms where each synonym is unique within a particular namespace The event s...

Page 116: ...ID is fixed at the time of the connection to the event gateway and does not change even when the switch host name is reconfigured When changing the switch host name on the switch the only way to refresh the deviceID is to break the connection between the switch and the event gateway Enter the no cns event global configuration command followed by the cns event global configuration command When the ...

Page 117: ...cludes the TFTP server IP address the path to the bootstrap configuration file and the default gateway IP address in a unicast reply to the DHCP relay agent The DHCP relay agent forwards the reply to the switch The switch automatically configures the assigned IP address on interface VLAN 1 the default and downloads the bootstrap configuration file from the TFTP server Upon successful download of t...

Page 118: ...n defer application of the configuration upon receipt of a write signal event The write signal event tells the switch not to save the updated configuration into its NVRAM The switch uses the updated configuration as its running configuration This ensures that the switch configuration is synchronized with other network activities before saving the configuration in NVRAM for use at the next reboot C...

Page 119: ...Enable DHCP relay agent IP routing if used as default gateway DHCP server IP address assignment TFTP server IP address Path to bootstrap configuration file on the TFTP server Default gateway IP address TFTP server Create a bootstrap configuration file that includes the CNS configuration commands that enable the switch to communicate with the IE2100 Configuration Registrar Configure the switch to u...

Page 120: ...t agent and enter the gateway parameters For ip address hostname enter either the IP address or the host name of the event gateway Optional For port number enter the port number for the event gateway The default port number is 11011 Optional Enter backup to show that this is the backup gateway If omitted this is the primary gateway Optional For init retry retry count enter the number of initial re...

Page 121: ...ng interval seconds retries num Enter the connect interface config submode and specify the interface for connecting to the Configuration Registrar Enter the interface prefix for the connecting interface You must specify the interface type but need not specify the interface number Optional For ping interval seconds enter the interval between successive ping attempts The range is 1 to 30 seconds The...

Page 122: ...Ethernet Group Async Loopback or Virtual Template This setting specifies from which interface the IP or MAC address should be retrieved to define the unique ID For dns reverse ipaddress mac address enter dns reverse to retrieve the host name and assign it as the unique ID enter ipaddress to use the IP address or enter mac address to use the MAC address as the unique ID Optional Enter event to set ...

Page 123: ...umber event no persist page page source ip address syntax check Enable the configuration agent and initiate an initial configuration For ip address hostname enter the IP address or the host name of the configuration server Optional For port number enter the port number of the configuration server The default port number is 80 Optional Enable event for configuration success failure or warning messa...

Page 124: ...uration mode Step 2 cns config partial ip address hostname port number source ip address Enable the configuration agent and initiate a partial configuration For ip address hostname enter the IP address or the host name of the configuration server Optional For port number enter the port number of the configuration server The default port number is 80 Optional Enter source ip address to use for the ...

Page 125: ...onfig connections Displays the status of the CNS configuration agent connections show cns config outstanding Displays information about incremental partial CNS configurations that have started but are not yet completed show cns config stats Displays statistics about the CNS configuration agent show cns event connections Displays the status of the CNS event agent connections show cns event stats Di...

Page 126: ...6 14 Catalyst 2950 and Catalyst 2955 Switch Software Configuration Guide 78 11380 10 Chapter 6 Configuring IE2100 CNS Agents Displaying CNS Configuration ...

Page 127: ... information about switch clusters and the clustering options For complete procedures about using CMS to configure switch clusters refer to the online help For the CLI cluster commands refer to the switch command reference Refer to the release notes for the list of Catalyst switches eligible for switch clustering including which ones can be command switches and which ones can only be member switch...

Page 128: ...he cluster network Cluster members are connected to the command switch according to the connectivity guidelines described in the Automatic Discovery of Cluster Candidates and Members section on page 7 5 Command switch redundancy if a command switch fails One or more switches can be designated as standby command switches to avoid loss of contact with cluster members A cluster standby group is a gro...

Page 129: ... management VLAN Note The CMP NAT ACL access list is created when a device is configured as the command switch Configuring any other access list on the switch can restrict access to it and affect the discovery of member and candidate switches We strongly recommend that the highest end command capable switch in the cluster be the command switch If your switch cluster has a Catalyst 3550 switch that...

Page 130: ...f other cluster capable switches for their requirements on standby cluster command switches Candidate Switch and Member Switch Characteristics Candidate switches are cluster capable switches that have not yet been added to a cluster Member switches are switches that have actually been added to a switch cluster Although not required a candidate or member switch can have its own IP address and passw...

Page 131: ...e versions and for the browser and Java plug in configurations We do not recommend using the ip http access class global configuration command to limit access to specific hosts or networks Access should be controlled through the cluster command switch or by applying ACLs on interfaces that are configured with an IP address Automatic Discovery of Cluster Candidates and Members The command switch us...

Page 132: ...m to the list of candidate switches In Figure 7 1 the non LRE Catalyst 2950 command switch is running a release earlier than Cisco IOS Release 12 1 9 EA1 and has ports assigned to management VLAN 16 In Figure 7 2 the non LRE Catalyst 2950 command switch is running Cisco IOS Release 12 1 9 EA1 or later and has ports assigned to VLANs 16 and 62 The CDP hop count is three Each command switch discover...

Page 133: ...nnot discover a cluster enabled device connected beyond the noncluster capable Cisco device Figure 7 3 shows that the command switch discovers the switch that is connected to a third party hub However the cluster command switch does not discover the switch that is connected to a Catalyst 5000 switch Refer to the release notes for the Catalyst switches that can be part of a switch cluster Figure 7 ...

Page 134: ...ches can manage cluster members even if they belong to different management VLANs See the Discovery through Different Management VLANs section on page 7 9 The cluster in Figure 7 4 has a command switch that is a Catalyst 2900 XL switch a Catalyst 3500 XL switch or a non LRE Catalyst 2950 switch running a release earlier than Cisco IOS Release 12 1 9 EA1 with ports assigned to management VLAN 9 It ...

Page 135: ...all cluster members through its management VLAN The default management VLAN is VLAN 1 For information about discovery through the same management VLAN on these switches see the Discovery through the Same Management VLAN section on page 7 8 The cluster command switch and standby command switch in Figure 7 5 assuming they are recommended command and standby switches have ports assigned to VLANs 9 16...

Page 136: ...7 6 shows a non LRE Catalyst 2950 command switch running a release earlier than Cisco IOS Release 12 1 9 EA1 that belongs to management VLAN 16 When the new candidate switches join the cluster their management VLAN and access ports change from VLAN 1 to VLAN 16 The command switch in Figure 7 7 is a non LRE Catalyst 2950 running Cisco IOS Release 12 1 9 EA1 or later a Catalyst 2950 LRE switch or a ...

Page 137: ...itch is a Catalyst 2950 LRE switch all standby command switches must be Catalyst 2950 LRE switches When the command switch is a Catalyst 2940 switch all standby command switches must be Catalyst 2940 switches When the command switch is a non LRE Catalyst 2950 switch running Cisco IOS Release 12 1 6 EA2 or later all standby command switches must be non LRE Catalyst 2950 switches running Cisco IOS R...

Page 138: ...ve command switch The active command switch receives traffic destined for the virtual IP address To manage the cluster you must access the active command switch through the virtual IP address not through the command switch IP address This is in case the IP address of the active command switch is different from the virtual IP address of the cluster standby group If the active command switch fails t...

Page 139: ...ber switches cannot be more than 16 Each standby group member Figure 7 8 must be connected to the command switch through its management VLAN Each standby group member must also be redundantly connected to each other through the management VLAN Catalyst 1900 Catalyst 2820 Catalyst 2900 XL Catalyst 2940 Catalyst 2950 Catalyst 2955 and Catalyst 3500 XL member switches must be connected to the cluster...

Page 140: ...XL member switches You must again add these member switches to the cluster When the previously active command switch resumes its active role it receives a copy of the latest cluster configuration from the active command switch including members that were added while it was down The active command switch sends a copy of the cluster configuration to the cluster standby group IP Addresses You must as...

Page 141: ...it when it leaves the cluster If no command switch password is configured the member switch inherits a null password Member switches only inherit the command switch password If you change the member switch password to be different from the command switch password and save the change the switch is not manageable by the command switch until you change the member switch password to match the command ...

Page 142: ...s that change the switch or cluster configuration are not shown in read only mode Privilege level 0 denies access to CMS For more information about CMS access modes see the Privilege Levels section on page 4 7 Note If your cluster has these member switches running earlier software releases and if you have read only access to these member switches some configuration windows for those switches displ...

Page 143: ...s long as each member switch has either a trunk connection or a connection to the new command switch management VLAN From the command switch use the cluster management vlan global configuration command to change the cluster management VLAN to a different management VLAN Caution You can change the management VLAN through a console connection without interrupting the console connection However chang...

Page 144: ... 7 3 the Planning a Switch Cluster section on page 7 5 and the release notes We strongly recommend that the highest end command capable switch in the cluster be the command switch If your switch cluster has a Catalyst 3550 switch that switch should be the command switch If your switch cluster has Catalyst 2900 XL Catalyst 2940 Catalyst 2950 Catalyst 2950 LRE Catalyst 2955 and Catalyst 3500 XL swit...

Page 145: ...e Topology view candidate switches are cyan and member switches are green To add more than one candidate switch press Ctrl and left click the candidates that you want to add Instead of using CMS to add members to the cluster you can use the cluster member global configuration command from the command switch Use the password option in this command if the candidate switch has a password You can sele...

Page 146: ... Add to Cluster Window Figure 7 11 Using the Topology View to Add Member Switches Enter the password of the candidate switch If no password exists for the switch leave this field blank Select a switch and click Add Press Ctrl and left click to select more than one switch 2900 LRE 24 1 65724 Thin line means a connection to a candidate switch Right click a candidate switch to display the pop up menu...

Page 147: ...co IOS Release 12 1 6 EA2 or later When the command switch is running Cisco IOS Release 12 0 5 WC2 or earlier the standby command switches can be these switches Catalyst 2900 XL non LRE Catalyst 2950 and Catalyst 3500 XL switches These abbreviations are appended to the switch host names in the Standby Command Group list to show their eligibility or status in the cluster standby group AC Active com...

Page 148: ...e icons links and colors see the Topology View section on page 4 14 Step 4 Select Reports Inventory to display an inventory of the switches in the cluster Figure 7 13 The summary includes information such as switch model numbers serial numbers software versions IP information and location You can also display port and switch statistics from Reports Port Statistics and Port Port Settings Runtime St...

Page 149: ...tion and to access the member switch CLI The command mode changes and the CLI commands operate as usual Enter the exit privileged EXEC command on the member switch to return to the command switch CLI This example shows how to log into member switch 3 from the command switch CLI switch rcommand 3 If you do not know the member switch number enter the show cluster members privileged EXEC command on t...

Page 150: ... program to enter the IP information and SNMP was not enabled you can enable it as described in the Configuring SNMP section on page 28 5 On Catalyst 1900 and Catalyst 2820 switches SNMP is enabled by default When you create a cluster the command switch manages the exchange of messages between member switches and an SNMP application The cluster software on the command switch appends the member swi...

Page 151: ...tware Configuration Guide 78 11380 10 Chapter 7 Clustering Switches Using SNMP to Manage Switch Clusters Figure 7 14 SNMP Management for a Cluster Trap T r a p T r a p Command switch Trap 1 Trap 2 Trap 3 Member 1 Member 2 Member 3 33020 SNMP Manager ...

Page 152: ...7 26 Catalyst 2950 and Catalyst 2955 Switch Software Configuration Guide 78 11380 10 Chapter 7 Clustering Switches Using SNMP to Manage Switch Clusters ...

Page 153: ...itch using automatic configuration such as the Network Time Protocol NTP or manual configuration methods Note For complete syntax and usage information for the commands used in this section refer to the Cisco IOS Configuration Fundamentals Command Reference for Cisco IOS Release 12 1 This section contains this configuration information Understanding the System Clock page 8 1 Understanding Network ...

Page 154: ... device running NTP automatically chooses as its time source the device with the lowest stratum number with which it communicates through NTP This strategy effectively builds a self organizing tree of NTP speakers NTP avoids synchronizing to a device whose time might not be accurate by never synchronizing to a device that is not synchronized NTP also compares the time reported by several devices a...

Page 155: ...TP time overrides the time set by any other method Several manufacturers include NTP software for their host systems and a publicly available version for systems running UNIX and its various derivatives is also available This software allows host systems to be time synchronized as well Configuring NTP The switch does not have a hardware supported clock and it cannot function as an NTP master clock...

Page 156: ...the default NTP configuration NTP is enabled on all interfaces by default All interfaces receive NTP packets Configuring NTP Authentication This procedure must be coordinated with the administrator of the NTP server the information you configure in this procedure must be matched by the servers used by the switch to synchronize its time to the NTP server Table 8 1 Default NTP Configuration Feature ...

Page 157: ...configuration mode Step 2 ntp authenticate Enable the NTP authentication feature which is disabled by default Step 3 ntp authentication key number md5 value Define the authentication keys By default none are defined For number specify a key number The range is 1 to 4294967295 md5 specifies that message authentication support is provided by using the message digest algorithm 5 MD5 For value enter a...

Page 158: ...er global configuration mode Step 2 ntp peer ip address version number key keyid source interface prefer or ntp server ip address version number key keyid source interface prefer Configure the switch system clock to synchronize a peer or to be synchronized by a peer peer association or Configure the switch system clock to be synchronized by a time server server association No peer or server associ...

Page 159: ...ged EXEC mode follow these steps to configure the switch to send NTP broadcast packets to peers so that they can synchronize their clock to the switch To disable the interface from sending NTP broadcast packets use the no ntp broadcast interface configuration command This example shows how to configure a port to send NTP version 2 packets Switch config interface gigabitethernet0 1 Switch config if...

Page 160: ...access on two levels as described in these sections Creating an Access Group and Assigning a Basic IP Access List page 8 9 Disabling NTP Services on a Specific Interface page 8 10 Command Purpose Step 1 configure terminal Enter global configuration mode Step 2 interface interface id Specify the interface to receive NTP broadcast packets and enter interface configuration mode Step 3 ntp broadcast c...

Page 161: ... serve peer access list number Create an access group and apply a basic IP access list The keywords have these meanings query only Allows only NTP control queries serve only Allows only time requests serve Allows time requests and NTP control queries but does not allow the switch to synchronize to the remote device peer Allows time requests and NTP control queries and allows the switch to synchron...

Page 162: ...ices are enabled on all interfaces by default Beginning in privileged EXEC mode follow these steps to disable NTP packets from being received on an interface To re enable receipt of NTP packets on an interface use the no ntp disable interface configuration command Configuring the Source IP Address for NTP Packets When the switch sends an NTP packet the source IP address is normally set to the addr...

Page 163: ...co IOS Release 12 1 Configuring Time and Date Manually If no other source of time is available you can manually configure the time and date after the system is restarted The time remains accurate until the next system restart We recommend that you use manual configuration only as a last resort If you have an outside source to which the switch can synchronize you do not need to manually set the sys...

Page 164: ... been set by a timing source such as NTP the flag is set If the time is not authoritative it is used only for display purposes Until the clock is authoritative and the authoritative flag is set the flag prevents peers from synchronizing to the clock when the peers time is invalid The symbol that precedes the show clock display has this meaning Time is not authoritative blank Time is authoritative ...

Page 165: ...and is clock timezone AST 3 30 To set the time to UTC use the no clock timezone global configuration command Command Purpose Step 1 configure terminal Enter global configuration mode Step 2 clock timezone zone hours offset minutes offset Set the time zone The switch keeps internal time in universal time coordinated UTC so this command is used only for display purposes and when the time is manually...

Page 166: ... config clock summer time PDT recurring 1 Sunday April 2 00 last Sunday October 2 00 Command Purpose Step 1 configure terminal Enter global configuration mode Step 2 clock summer time zone recurring week day month hh mm week day month hh mm offset Configure summer time to start and end on the specified days every year Summer time is disabled by default If you specify clock summer time zone recurri...

Page 167: ...n April 26 2001 at 02 00 Switch config clock summer time pdt date 12 October 2000 2 00 26 April 2001 2 00 Command Purpose Step 1 configure terminal Enter global configuration mode Step 2 clock summer time zone date month date year hh mm month date year hh mm offset or clock summer time zone date date month year hh mm date month year hh mm offset Configure summer time to start on the first date and...

Page 168: ...and Prompt Configuration page 8 16 Configuring a System Name page 8 16 Configuring a System Prompt page 8 17 Understanding DNS page 8 17 Default System Name and Prompt Configuration The default switch system name and prompt is Switch Configuring a System Name Beginning in privileged EXEC mode follow these steps to manually configure a system name When you set the system name it is also used as the...

Page 169: ...A specific device in this domain for example the File Transfer Protocol FTP system is identified as ftp cisco com To keep track of domain names IP has defined the concept of a domain name server which holds a cache or database of names mapped to IP addresses To map domain names to IP addresses you must first identify the host names specify the name server that is present on your network and enable...

Page 170: ...e initial period that separates an unqualified name from the domain name At boot time no domain name is configured however if the switch configuration comes from a BOOTP or DHCP server then the default domain name might be set by the BOOTP or DHCP server if the servers were configured with this information Step 3 ip name server server address1 server address2 server address6 Specify the address of...

Page 171: ...nfiguration information use the show running config privileged EXEC command Creating a Banner You can configure a message of the day MOTD and a login banner The MOTD banner displays on all connected terminals at login and is useful for sending messages that affect all network users such as impending system shutdowns The login banner also displays on all connected terminals It appears after the MOT...

Page 172: ...example shows the banner displayed from the previous configuration Unix telnet 172 2 5 4 Trying 172 2 5 4 Connected to 172 2 5 4 Escape character is This is a secure site Only authorized users are allowed For access contact technical support User Access Verification Password Command Purpose Step 1 configure terminal Enter global configuration mode Step 2 banner motd c message c Specify the message...

Page 173: ...le includes these types of addresses Dynamic address a source MAC address that the switch learns and then ages when it is not in use Static address a manually entered unicast or multicast address that does not age and that is not lost when the switch resets The address table lists the destination MAC address the associated VLAN ID and port number associated with the address Note For complete synta...

Page 174: ...ng new dynamic addresses and aging out those that are not in use The aging interval is configured on a per switch basis However the switch maintains an address table for each VLAN and STP can accelerate the aging interval on a per VLAN basis The switch sends packets between any combination of ports based on the destination address of the received packet Using the MAC address table the switch forwa...

Page 175: ... be filled with unused addresses which prevents new addresses from being learned Beginning in privileged EXEC mode follow these steps to configure the dynamic address table aging time To return to the default value use the no mac address table aging time global configuration command Table 8 3 Default MAC Address Table Configuration Feature Default Setting Aging time 300 seconds Dynamic addresses A...

Page 176: ...stores the MAC address activity for each hardware port for which the trap is enabled MAC address notifications are generated for dynamic and secure MAC addresses events are not generated for self addresses multicast addresses or other static addresses Beginning in privileged EXEC mode follow these steps to configure the switch to send MAC address notification traps to an NMS host Command Purpose S...

Page 177: ...nfig interface fastethernet0 4 Switch config if snmp trap mac notification added You can verify the previous commands by entering the show mac address table notification interface and the show mac address table notification privileged EXEC commands Step 5 mac address table notification interval value history size value Enter the trap interval time and the history table size Optional For interval v...

Page 178: ... mode follow these steps to add a static address To remove static entries from the address table use the no mac address table static mac addr vlan vlan id interface interface id global configuration command Command Purpose Step 1 configure terminal Enter global configuration mode Step 2 mac address table static mac addr vlan vlan id interface interface id Add a static address to the MAC address ta...

Page 179: ... MAC address as a static address or drops packets with that MAC address depending on which command was entered last The second command that you entered overrides the first command For example if you enter the mac address table static mac addr vlan vlan id interface interface id global configuration command followed by the mac address table static mac addr vlan vlan id drop command the switch drops...

Page 180: ...pid retrieval Then the IP datagram is encapsulated in a link layer frame and sent over the network Encapsulation of IP datagrams and ARP requests and replies on IEEE 802 networks other than Ethernet is specified by the Subnetwork Access Protocol SNAP By default standard Ethernet style ARP encapsulation represented by the arpa keyword is enabled on the IP interface ARP entries added manually to the...

Page 181: ...itch you should configure one or more of these security features At a minimum you should configure passwords and privileges at each switch port These passwords are locally stored on the switch When users attempt to access the switch through a port or line they must enter the password specified for the port or line before they can access the switch For more information see the Protecting Access to ...

Page 182: ... this configuration information Default Password and Privilege Level Configuration page 9 2 Setting or Changing a Static Enable Password page 9 3 Protecting Enable and Enable Secret Passwords with Encryption page 9 4 Disabling Password Recovery page 9 5 Setting a Telnet Password for a Terminal Line page 9 6 Configuring Username and Password Pairs page 9 7 Configuring Multiple Privilege Levels page...

Page 183: ...password password Define a new password or change an existing password for access to privileged EXEC mode By default no password is defined For password specify a string from 1 to 25 alphanumeric characters The string cannot start with a number is case sensitive and allows spaces but ignores leading spaces It can contain the question mark character if you precede the question mark with the key com...

Page 184: ...d or enable secret level level password encryption type encrypted password Define a new password or change an existing password for access to privileged EXEC mode or Define a secret password which is saved using a nonreversible encryption method Optional For level the range is from 0 to 15 Level 1 is normal user EXEC mode privileges The default level is 15 privileged EXEC mode privileges For passw...

Page 185: ...sword by interrupting the boot process while the switch is powering on and then by entering a new password The password recovery disable feature protects access to the switch password by disabling part of this functionality When this feature is enabled the end user can interrupt the boot process only by agreeing to set the system back to the default configuration With password recovery disabled yo...

Page 186: ...re terminal Enter global configuration mode Step 2 no service password recovery Disable password recovery This setting is saved in an area of the flash memory that is accessible by the boot loader and the software image but it is not part of the file system and is not accessible by any user Step 3 end Return to privileged EXEC mode Step 4 show version Verify the configuration by checking the last ...

Page 187: ... the configuration file Command Purpose Command Purpose Step 1 configure terminal Enter global configuration mode Step 2 username name privilege level password encryption type password Enter the username privilege level and password for each user For name specify the user ID as one word Spaces and quotation marks are not allowed Optional For level specify the privilege level the user has after gai...

Page 188: ...guration information Setting the Privilege Level for a Command page 9 8 Changing the Default Privilege Level for Lines page 9 9 Logging into and Exiting a Privilege Level page 9 10 Setting the Privilege Level for a Command Beginning in privileged EXEC mode follow these steps to set the privilege level for a command mode Command Purpose Step 1 configure terminal Enter global configuration mode Step...

Page 189: ...l They can lower the privilege level by using the disable command If users know the password to a higher privilege level they can use that password to enable the higher privilege level You might specify a high level or privilege level for your console line to restrict line usage To return to the default line privilege level use the no privilege level line configuration command Step 5 show running ...

Page 190: ...lication that provides centralized validation of users attempting to gain access to your switch TACACS services are maintained in a database on a TACACS daemon typically running on a UNIX or Windows NT workstation You should have access to and should configure a TACACS server before the configuring TACACS features on your switch TACACS provides for separate and modular authentication authorization...

Page 191: ... control session duration or protocol support You can also enforce restrictions on what commands a user can execute with the TACACS authorization feature Accounting Collects and sends information used for billing auditing and reporting to the TACACS daemon Network managers can use the accounting facility to track user activity for a security audit or to provide information for user billing Account...

Page 192: ...an alternative method for authenticating the user CONTINUE The user is prompted for additional authentication information After authentication the user undergoes an additional authorization phase if authorization has been enabled on the switch Users must first successfully complete TACACS authentication before proceeding to TACACS authorization 3 If TACACS authorization is required the TACACS daem...

Page 193: ... can group servers to select a subset of the configured server hosts and use them for a particular service The server group is used with a global server host list and contains the list of IP addresses of the selected server hosts Beginning in privileged EXEC mode follow these steps to identify the IP host or host maintaining TACACS server and optionally set the encryption key Command Purpose Step ...

Page 194: ...ist A method list describes the sequence and authentication methods to be queried to authenticate a user You can designate one or more security protocols to be used for authentication thus ensuring a backup system for authentication in case the initial method fails The software uses the first method listed to authenticate users if that method fails to respond the software selects the next authenti...

Page 195: ...ses TACACS authentication Before you can use this authentication method you must configure the TACACS server For more information see the Identifying the TACACS Server Host and Setting the Authentication Key section on page 9 13 line Use the line password for authentication Before you can use this authentication method you must define a line password Use the password password line configuration co...

Page 196: ...restrict a user s network access to privileged EXEC mode The aaa authorization exec tacacs local command sets these authorization parameters Use TACACS for privileged EXEC access authorization if authentication was performed by using TACACS Use the local database if authentication was not performed by using TACACS Note Authorization is bypassed for authenticated users who log in through the CLI ev...

Page 197: ... follow these steps to enable TACACS accounting for each privilege level and for network services To disable accounting use the no aaa accounting network exec start stop method1 global configuration command Displaying the TACACS Configuration To display TACACS server statistics use the show tacacs privileged EXEC command Command Purpose Step 1 configure terminal Enter global configuration mode Ste...

Page 198: ...hat require access security Networks with multiple vendor access servers each supporting RADIUS For example access servers from several vendors use a single RADIUS server based security database In an IP based network with multiple vendors access servers dial in users are authenticated through a RADIUS server that has been customized to work with the Kerberos security system Turnkey network securi...

Page 199: ...a RADIUS server these events occur 1 The user is prompted to enter a username and password 2 The username and encrypted password are sent over the network to the RADIUS server 3 The user receives one of these responses from the RADIUS server a ACCEPT The user is authenticated b REJECT The user is either not authenticated and is prompted to re enter the username and password or access is denied c C...

Page 200: ...ext method in the list This process continues until there is successful communication with a listed method or the method list is exhausted You should have access to and should configure a RADIUS server before configuring RADIUS features on your switch This section contains this configuration information Default RADIUS Configuration page 9 20 Identifying the RADIUS Server Host page 9 21 required Co...

Page 201: ...counting services The RADIUS host entries are tried in the order that they are configured A RADIUS server and the switch use a shared secret text string to encrypt passwords and exchange responses To configure RADIUS to use the AAA security commands you must specify the host running the RADIUS server daemon and a secret text key string that it shares with the switch The timeout retransmission and ...

Page 202: ...rver timeout command is used Optional For retransmit retries specify the number of times a RADIUS request is resent to a server if that server is not responding or responding slowly The range is 1 to 1000 If no retransmit value is set with the radius server host command the setting of the radius server retransmit global configuration command is used Optional For key string specify the authenticati...

Page 203: ...ethod list defines the types of authentication to be performed and the sequence in which they are performed it must be applied to a specific interface before any of the defined authentication methods are performed The only exception is the default method list which by coincidence is named default The default method list is automatically applied to all interfaces except those that have a named meth...

Page 204: ...must define an enable password by using the enable password global configuration command group radius Use RADIUS authentication Before you can use this authentication method you must configure the RADIUS server For more information see the Identifying the RADIUS Server Host section on page 9 21 line Use the line password for authentication Before you can use this authentication method you must def...

Page 205: ...ed with a global server host list which lists the IP addresses of the selected server hosts Server groups also can include multiple host entries for the same server if each entry has a unique identifier the combination of the IP address and UDP port number allowing different ports to be individually defined as RADIUS hosts providing a specific AAA service If you configure two different host entrie...

Page 206: ...etransmit value is set with the radius server host command the setting of the radius server retransmit global configuration command is used Optional For key string specify the authentication and encryption key used between the switch and the RADIUS daemon running on the RADIUS server Note The key is a text string that must match the encryption key used on the RADIUS server Always configure the key...

Page 207: ...aaa group server radius group2 Switch config sg radius server 172 20 0 1 auth port 2000 acct port 2001 Switch config sg radius exit Configuring RADIUS Authorization for User Privileged Access and Network Services AAA authorization limits the services available to a user When AAA authorization is enabled the switch uses information retrieved from the user s profile which is in the local user databa...

Page 208: ... no aaa accounting network exec start stop method1 global configuration command Command Purpose Step 1 configure terminal Enter global configuration mode Step 2 aaa authorization network radius Configure the switch for user RADIUS authorization for all network related service requests Step 3 aaa authorization exec radius Configure the switch for user RADIUS authorization to determine if the user h...

Page 209: ...n the Cisco TACACS specification and sep is for mandatory attributes and is for optional attributes The full set of features available for TACACS authorization can then be used for RADIUS Command Purpose Step 1 configure terminal Enter global configuration mode Step 2 radius server key string Specify the shared secret text string used between the switch and all RADIUS servers Note The key is a tex...

Page 210: ...tch for Vendor Proprietary RADIUS Server Communication Although an IETF draft standard for RADIUS specifies a method for communicating vendor proprietary information between the switch and the RADIUS server some vendors have extended the RADIUS attribute set in a unique way Cisco IOS software supports a subset of vendor proprietary RADIUS attributes As mentioned earlier to configure RADIUS whether...

Page 211: ...the show running config privileged EXEC command Command Purpose Step 1 configure terminal Enter global configuration mode Step 2 radius server host hostname ip address non standard Specify the IP address or host name of the remote RADIUS server host and identify that it is using a vendor proprietary implementation of RADIUS Step 3 radius server key string Specify the shared secret text string used...

Page 212: ...tep 4 aaa authorization exec local Configure user AAA authorization to determine if the user is allowed to run an EXEC shell by checking the local database Step 5 aaa authorization network local Configure user AAA authorization for all network related service requests Step 6 username name privilege level password encryption type password Enter the local database and establish a username based auth...

Page 213: ...ge information for the commands used in this section refer to the command reference for this release and the command reference for Cisco IOS Release 12 2 at this URL http www cisco com univercd cc td doc product software ios122 122cgcr index htm Understanding SSH SSH is a protocol that provides a secure remote connection to a device SSH provides more security for remote connections than Telnet doe...

Page 214: ...n information Configuration Guidelines page 9 34 Cryptographic Software Image Guidelines page 9 35 Setting Up the Switch to Run SSH page 9 35 required Configuring the SSH Server page 9 36 required only if you are configuring the switch as an SSH server Configuration Guidelines Follow these guidelines when configuring the switch as an SSH server or SSH client An RSA key pair generated by a SSHv1 se...

Page 215: ...you are configuring the switch as an SSH server 3 Generate an RSA key pair for the switch which automatically enables SSH Follow this procedure only if you are configuring the switch as an SSH server 4 Configure user authentication for local or remote access This step is required For more information see the Configuring the Switch for Local Authentication and Authorization section on page 9 32 Beg...

Page 216: ...client For example if the SSH client sports SSHv1 and SSHv2 the SSH server selects SSHv2 Step 3 ip ssh timeout seconds authentication retries number Configure the SSH control parameters Specify the time out value in seconds the default is 120 seconds The range is 0 to 120 seconds This parameter applies to the SSH negotiation phase After the connection is established the switch uses the default tim...

Page 217: ...able 9 2 For more information about these commands refer to the Secure Shell Commands section in the Other Security Features chapter of the Cisco IOS Security Command Reference Cisco IOS Release 12 2 at this URL http www cisco com univercd cc td doc product software ios122 122cgcr fsecur_r fothercr srfssh htm Table 9 2 Commands for Displaying the SSH Server Configuration and Status Command Purpose...

Page 218: ...9 38 Catalyst 2950 and Catalyst 2955 Switch Software Configuration Guide 78 11380 10 Chapter 9 Configuring Switch Based Authentication Configuring the Switch for Secure Shell ...

Page 219: ...access control and authentication protocol that prevents unauthorized clients from connecting to a LAN through publicly accessible ports unless they are properly authenticated The authentication server authenticates each client connected to a switch port before making available any services offered by the switch or the LAN Until the client is authenticated 802 1x access control allows only Extensi...

Page 220: ...N and switch services Because the switch acts as the proxy the authentication service is transparent to the client In this release the RADIUS security system with Extensible Authentication Protocol EAP extensions is the only supported authentication server It is available in Cisco Secure Access Control Server Version 3 0 or later RADIUS operates in a client server model in which secure authenticat...

Page 221: ...ation information Upon receipt of the frame the client responds with an EAP response identity frame However if during bootup the client does not receive an EAP request identity frame from the switch the client can initiate authentication by sending an EAPOL start frame which prompts the switch to request the client s identity Note If 802 1x is not enabled or supported on the network access device ...

Page 222: ...ed the client sends the request for a fixed number of times Because no response is received the client begins sending frames as if the port is in the authorized state You control the port authorization state by using the dot1x port control interface configuration command and these keywords force authorized disables 802 1x authentication and causes the port to transition to the authorized state wit...

Page 223: ...ess but does not keep track of network usage 802 1x accounting is disabled by default You can enable 802 1x accounting to monitor this activity on 802 1x enabled ports User successfully authenticates User logs off Link down occurs Re authentication successfully occurs Re authentication fails The switch does not log 802 1x accounting information Instead it sends this information to the RADIUS serve...

Page 224: ...bled A security violation occurs if the client is authenticated but port security table is full This can happen if the maximum number of secure hosts has been statically configured or if the client ages out of the secure host table If the client s address is aged out its place in the secure host table can be taken by another host The port security violation modes determine the action for security ...

Page 225: ...about voice VLANs see Chapter 19 Configuring Voice VLAN Using 802 1x with VLAN Assignment For switches running the EI you can limit network access for certain users by using VLAN assignment After successful 802 1x authentication of a port the RADIUS server sends the VLAN assignment to configure the switch port The RADIUS server database maintains the username to VLAN mappings which assigns the VLA...

Page 226: ...LAN for each 802 1x port on the switch to provide limited services to clients for example how to download the 802 1x client These clients might be upgrading their system for 802 1x authentication and some hosts such as Windows 98 systems might not be 802 1x capable If an 802 1x port is configured the switch assigns clients to a guest VLAN for the 802 1x port when one of these situations occurs The...

Page 227: ...g the Switch to Client Retransmission Time page 10 15 optional Setting the Switch to Client Frame Retransmission Number page 10 16 optional Configuring the Host Mode page 10 17 optional Configuring a Guest VLAN page 10 18 optional Resetting the 802 1x Configuration to the Default Values page 10 18 optional Configuring 802 1x Authentication page 10 19 optional Configuring 802 1x Accounting page 10 ...

Page 228: ...d port to dynamic VLAN assignment an error message appears and the VLAN configuration is not changed EtherChannel ports Do not configure a port that is an active or a not yet active member of an EtherChannel as an 802 1x port If you try to enable 802 1x on an EtherChannel port an error message appears and 802 1x is not enabled Quiet period 60 seconds number of seconds that the switch remains in th...

Page 229: ...ient is connected you might need to get a host IP address from a DHCP server You can also change the settings for restarting the 802 1x authentication process on the switch before the DHCP process on the client times out and tries to get a host IP address from the DHCP server Decrease the settings for the 802 1x authentication process 802 1x quiet period and switch to client transmission time Upgr...

Page 230: ...tion command use the default keyword followed by the methods that are to be used in default situations The default method list is automatically applied to all interfaces Enter at least one of these keywords group radius Use the list of all RADIUS servers for authentication none Use no authentication The client is automatically authenticated by the switch without using the information supplied by t...

Page 231: ...ese steps to configure the RADIUS server parameters on the switch This procedure is required To delete the specified RADIUS server use the no radius server host hostname ip address global configuration command Command Purpose Step 1 configure terminal Enter global configuration mode Step 2 radius server host hostname ip address auth port port number key string Configure the RADIUS server parameter...

Page 232: ...enabling re authentication the number of seconds between re authentication attempts is 3600 Beginning in privileged EXEC mode follow these steps to enable periodic re authentication of the client and to configure the number of seconds between re authentication attempts This procedure is optional To disable periodic re authentication use the no dot1x reauthentication interface configuration command...

Page 233: ...period This procedure is optional To return to the default quiet time use the no dot1x timeout quiet period interface configuration command This example shows how to set the quiet time on the switch to 30 seconds Switch config if dot1x timeout quiet period 30 Changing the Switch to Client Retransmission Time The client responds to the EAP request identity frame from the switch with an EAP response...

Page 234: ...hentication servers Beginning in privileged EXEC mode follow these steps to set the switch to client frame retransmission number This procedure is optional Command Purpose Step 1 configure terminal Enter global configuration mode Step 2 interface interface id Specify the interface to be configured and enter interface configuration mode Step 3 dot1x timeout tx period seconds Set the number of secon...

Page 235: ...re denied access to the network With the multiple hosts mode enabled you can use 802 1x to authenticate the port and port security to manage network access for all MAC addresses including that of the client for switches running the EI Beginning in privileged EXEC mode follow these steps to allow multiple hosts clients on an 802 1x authorized port that has the dot1x port control interface configura...

Page 236: ...an EAP request identity frame from the client before resending the request and to enable VLAN 2 as an 802 1x guest VLAN when an 802 1x port is connected to a DHCP client Switch config if dot1x timeout quiet period 3 Switch config if dot1x timeout tx period 15 Switch config if dot1x guest vlan 2 Resetting the 802 1x Configuration to the Default Values Beginning in privileged EXEC mode follow these ...

Page 237: ...ure the switch for all network related service requests This is the 802 1x authentication authorization and accounting process Step 1 A user connects to a port on the switch Step 2 Authentication is performed Step 3 VLAN assignment is enabled as appropriate based on the RADIUS server configuration Step 4 The switch sends a start message to an accounting server Step 5 Re authentication is performed...

Page 238: ...is used when a named list is not specified in the authentication command use the default keyword followed by the methods that are to be used in default situations The default method list is automatically applied to all ports Enter at least one of these keywords group radius Use the list of all RADIUS servers for authentication none Use no authentication The client is automatically authenticated by...

Page 239: ...ault start stop group radius Displaying 802 1x Statistics and Status To display 802 1x statistics for all interfaces use the show dot1x all statistics privileged EXEC command To display 802 1x statistics for a specific interface use the show dot1x statistics interface interface id privileged EXEC command To display the 802 1x administrative and operational status for the switch use the show dot1x ...

Page 240: ...10 22 Catalyst 2950 and Catalyst 2955 Switch Software Configuration Guide 78 11380 10 Chapter 10 Configuring 802 1x Port Based Authentication Displaying 802 1x Statistics and Status ...

Page 241: ...ypes The rest of the chapter describes configuration procedures for switch ports Switch ports are Layer 2 only interfaces associated with a physical port They are used for managing the physical interface and associated Layer 2 protocols and do not handle routing or bridging A switch port can be an access port or a trunk port You can configure a port as an access port or trunk port or let the Dynam...

Page 242: ...namic access ports on the switch are assigned to a VLAN by a VLAN Membership Policy Server VMPS The VMPS can be a Catalyst 6000 series switch the Catalyst 2950 or Catalyst 2955 switch does not support the function of a VMPS You can also configure an access port with an attached Cisco IP Phone to use one VLAN for voice traffic and another VLAN for data traffic from a device attached to the phone Fr...

Page 243: ... with VTP mode set to transparent Extended range VLANs are not added to the VLAN database When VTP mode is transparent the VTP and VLAN configuration is saved in the switch running configuration and you can save it in the switch startup configuration file by entering the copy running config startup config privileged EXEC command Add ports to a VLAN by using the switchport interface configuration c...

Page 244: ...rnet Gigabit Ethernet gigabitethernet or gi or LRE longreachethernet or lo Slot The slot number on the switch always 0 on this switch Port number The interface number on the switch The port numbers always begin at 1 starting at the left when facing the front of the switch for example fastethernet 0 1 fastethernet 0 2 If there is more than one interface type for example 10 100 ports and Gigabit Eth...

Page 245: ...e commands you enter define the protocols and applications that will run on the interface The commands are collected and applied to the interface when you enter another interface command or enter end to return to privileged EXEC mode You can also configure a range of interfaces by using the interface range or interface range macro global configuration commands Interfaces configured in a range must...

Page 246: ... config command cannot be used with the interface range command All interfaces in a range must be the same type that is all Fast Ethernet ports all Gigabit Ethernet ports all EtherChannel ports or VLAN interfaces This example shows how to use the interface range global configuration command to set the speed on Fast Ethernet interfaces 0 1 to 0 5 to 100 Mbps Switch configure terminal Switch config ...

Page 247: ...define the macro Beginning in privileged EXEC mode follow these steps to define an interface range macro Use the no define interface range macro_name global configuration command to delete a macro When using the define interface range global configuration command note these guidelines Valid entries for interface range vlan vlan ID vlan ID where VLAN ID is from 1 to 1005 with the SI installed or 1 ...

Page 248: ...ypes in a macro This example shows how to define an interface range macro named enet_list to select Fast Ethernet ports 1 to 4 and to verify the macro configuration Switch configure terminal Switch config define interface range enet_list fastethernet0 1 4 Switch config end Switch show running config include define define interface range enet_list FastEthernet0 1 4 This example shows how to create ...

Page 249: ...n Feature Default Setting Operating mode Layer 2 Allowed VLAN range VLANs 1 to 1005 with the SI installed or 1 to 4094 with the EI installed Default VLAN for access ports VLAN 1 Native VLAN for 802 1Q trunks VLAN 1 VLAN trunking Switchport mode dynamic desirable supports DTP Port enable state All ports are enabled Port description None defined Speed Autonegotiate Duplex mode Autonegotiate Flow con...

Page 250: ...le and SFP module interfaces You can configure duplex mode on any Fast Ethernet interfaces that are not set to autonegotiate You can configure duplex mode on the 10 100 1000 ports on the Catalyst 2950 LRE Catalyst 2950T 24 Catalyst 2950T 48 SI and Catalyst 2955T 24 switches but cannot configure duplex mode on these interfaces 100BASE FX ports on the Catalyst 2950C 24 switch 1000BASE SX ports on th...

Page 251: ...he Catalyst 2950T 48 SI switches support the half keyword when the interface speed is 10 or 100 Mbps 10 100 1000 ports on the Catalyst 2950 LRE or the Catalyst 2955T 12 switch can operate at 10 or 100 Mbps in either half or full duplex mode The ports can operate at 1000 Mbps only in full duplex mode Fiber optic SFP module ports on the Catalyst 2950 LRE switch operate only at 1000 Mbps in full dupl...

Page 252: ...nfiguration mode Step 2 interface interface id Enter interface configuration mode and the physical interface identification Step 3 speed 10 100 1000 auto nonegotiate Enter the appropriate speed parameter for the interface or enter auto or nonegotiate Note The 1000 keyword is available only for 10 100 1000 Mbps ports 100BASE FX ports operate only at 100 Mbps 1000BASE SX ports and GBIC module ports ...

Page 253: ...ink partner or the remote device of the congestion by sending a pause frame Upon receipt of a pause frame the remote device stops sending any data packets which prevents any loss of data packets during the congestion period Note We strongly recommend that you do not configure IEEE 802 3z flow control when quality of service QoS is configured on the switch Before configuring flow control on an inte...

Page 254: ...y the results Switch configure terminal Switch config interface gigabitethernet0 1 Switch config if flowcontrol receive off Switch config if flowcontrol send off Switch config if end Switch show running config Adding a Description for an Interface You can add a description about an interface to help you remember its function The description appears in the output of these commands show configuratio...

Page 255: ...ion of the software and the hardware the controller status and statistics about the interfaces Table 11 2 lists some of these interface monitoring commands You can display the full list of show commands by using the show command at the privileged EXEC prompt These commands are fully described in the Cisco IOS Interface Command Reference for Cisco IOS Release 12 1 Step 5 show interfaces interface i...

Page 256: ...guments are specified to clear only a specific interface type from a specific interface number Note The clear counters privileged EXEC command does not clear counters retrieved by using Simple Network Management Protocol SNMP but only those seen with the show interfaces privileged EXEC command output This example shows how to clear and reset the counters on a port Switch clear counters fastetherne...

Page 257: ...thernet ports on CPE device use the cpe shutdown port port id interface configuration command This example shows how to shut down a port Switch configure terminal Switch config interface fastethernet0 5 Switch config if shutdown Switch config if Sep 30 08 33 47 LINK 5 CHANGED Interface FastEthernet0 5 changed state to a administratively down This example shows how to re enable a port Switch config...

Page 258: ...11 18 Catalyst 2950 and Catalyst 2955 Switch Software Configuration Guide 78 11380 10 Chapter 11 Configuring Interface Characteristics Monitoring and Maintaining the Interfaces ...

Page 259: ...et of CLI commands that you define Smartports macros do not contain new CLI commands they are simply a group of existing CLI commands When you apply a Smartports macro on an interface the CLI commands within the macro are configured on the interface When the macro is applied to an interface the existing interface configurations are not lost The new commands are added to the interface and are saved...

Page 260: ...rtports Macro Configuration Guidelines page 12 3 Creating Smartports Macros page 12 4 Applying Smartports Macros page 12 5 Applying Cisco default Smartports Macros page 12 6 Default Smartports Macro Configuration There are no Smartports macros enabled cisco phone Use this interface configuration macro when connecting a desktop device such as a PC with a Cisco IP Phone to a switch port This macro i...

Page 261: ...al macro was applied You need to reapply the updated macro on the interface to apply the new or changed commands You can use the macro global trace macro name global configuration command or the macro trace macro name interface configuration command to apply and debug a macro to find any syntax or configuration errors If a command fails because of a syntax error or a configuration error the macro ...

Page 262: ...and enter a macro name A macro definition can contain up to 3000 characters Enter the macro commands with one command per line Use the character to end the macro Use the character at the beginning of a line to enter comment text within the macro Optional You can define keywords within a macro by using a help string to specify the keywords Enter macro keywords word to define the keywords that are a...

Page 263: ...ering the keyword values the commands are invalid and are not applied Step 3 macro global description text Optional Enter a description about the macro that is applied to the switch Step 4 interface interface id Optional Enter interface configuration mode and specify the interface on which to apply the macro Step 5 default interface interface id Optional Clear all configuration from the specified ...

Page 264: ...onfig if end Switch show parser macro description Interface Macro Description Gi0 2 desktop config This example shows how to apply the user created macro called desktop config and to replace all occurrences of VLAN 1 with VLAN 25 Switch config if macro apply desktop config vlan 25 Applying Cisco Default Smartports Macros Beginning in privileged EXEC mode follow these steps to apply a Smartports ma...

Page 265: ...ivity timer switchport port security violation restrict switchport port security aging time 2 switchport port security aging type inactivity Configure port as an edge network port spanning tree portfast spanning tree bpduguard enable Switch Switch configure terminal Switch config fastethernet0 4 Switch config if macro apply cisco desktop AVID 25 Step 6 default interface interface id Optional Clear...

Page 266: ...e or more of the privileged EXEC commands in Table 12 2 Table 12 2 Commands for Displaying Smartports Macros Command Purpose show parser macro Displays all configured macros show parser macro name macro name Displays a specific macro show parser macro brief Displays the configured macro names show parser macro description interface interface id Displays the macro description for all interfaces or ...

Page 267: ...command reference for this release and the Cisco IOS Interface Command Reference for Cisco IOS Release 12 1 For information about which Cisco LRE customer premises equipment CPE devices are supported by the LRE switches see Table 1 2 on page 1 2 Understanding LRE Features These sections describe LRE features Ports on the Catalyst 2950 LRE Switches page 13 1 LRE Links and LRE Profiles page 13 2 LRE...

Page 268: ...port The LRE link provides symmetric and asymmetric bandwidth for data voice and video traffic Symmetric transmission occurs when the downstream and upstream bandwidths are the same Asymmetric transmission occurs when the downstream and the upstream bandwidths differ Downstream transmission refers to the traffic going from the LRE switch to the CPE device Upstream transmission refers to the traffi...

Page 269: ...by the show controllers lre profile names privileged EXEC command output Table 13 1 LRE Profiles for the Catalyst 2950ST 8 LRE and the 2950ST 24 LRE Switches Profile Name LRE Link Downstream Rate Mbps LRE Link Upstream Rate Mbps Theoretical Minimum SNR Downstream Theoretical Minimum SNR Upstream LRE 15 16 667 18 750 31 25 LRE 10 default 12 500 12 500 25 19 LRE 5 6 250 6 250 16 13 LRE 998 15 4 16 6...

Page 270: ...s the newly assigned profile Use the LL profiles LRE 5LL LRE 10LL and LRE 15LL on the Catalyst 2950ST 8 LRE and 2950ST 24 LRE switches with care These profiles have the low latency LL feature enabled and the interleave feature disabled The LL feature does not delay data transmission but it makes data more susceptible to interruptions on the LRE link All other profiles have the interleave feature e...

Page 271: ...te selection the switch uses a sequence to choose an appropriate profile for a given LRE interface Table 13 3 LRE Rate Selection Sequences for the Catalyst 2950ST 8 LRE and the 2950ST 24 LRE Switches LRE SEQ COMPLETE REACH LRE SEQ DOWNSTREAM LRE SEQ SYM LRE SEQ SYM LONGREACH LRE SEQ SYMLL LRE SEQ UPSTREAM LRE SEQ VIDEO TRANSMIT1 LRE SEQ VIDEO TRANSMIT2 LRE 15 LRE 15 LRE 15 LRE 5 LRE 15LL LRE 15 LR...

Page 272: ...o 576 LRE 997 CPE only from the CLI For information about the switch LEDs refer to the Catalyst 2950 Desktop Switch Hardware Installation Guide Keep these considerations in mind when you have CPE devices connected to the LRE ports Use the shutdown interface configuration command to disable the LRE interface transmitter on any LRE ports This prevents access to the LRE port and prevents the power em...

Page 273: ... information see the Link Qualification and SNR Margins section on page 13 16 Reed Solomon RS errors The RS Forward Error Correction circuit corrects small bursts of errors so that noise events do not cause Ethernet frame check sequence FCS errors This is implemented in the octal chip as a 32 bit counter The count resets on read Transmit TX Power in dBm Hz This is fixed for the switch and adjusts ...

Page 274: ...the information to the LRE message logging process and to the system message logging process For information about configuring this feature see the Configuring Syslog Export section on page 13 22 Configuring LRE Ports These sections describe configuration guidelines and how to assign a profile to all or to individual LRE ports These sections contain more information about LRE links ports and profi...

Page 275: ...e The maximum distance supported on the LRE link is from 3500 to 5000 feet 1524 meters depending on the profile The higher the rate the shorter the distance In buildings where LRE traffic runs over bundled telco cabling the maximum distance is approximately 30 percent lower Each terminated bridge tap in a room can further reduce LRE link distances by 300 feet 91 meters The quality of the cable the...

Page 276: ...ignal Anywhere from one wire pair to every wire pair in the cable can carry LRE signals at the same time LRE operates in full cable binders and adjusts power levels on each LRE link to maximize the performance of all connections The greatest impact on LRE performance is from the frequency response of the cable at the higher frequencies LRE signals are more susceptible to interference at higher fre...

Page 277: ...7 CPEs You can configure the CPE Ethernet port to operate at 10 or 100 Mbps and at half or full duplex mode depending on the capability of the remote Ethernet device Autonegotiation for port speed and duplex mode is supported The default speed for the CPE Ethernet port is auto The default duplex mode is half duplex with back pressure When the default speed is set to 10 or 100 Mbps with half duplex...

Page 278: ...rt to another Ethernet port on the same CPE device can create a loop If this happens the switch stops sending to the CPE device and blocks Ethernet traffic coming from the CPE device Assigning a Global Profile to All LRE Ports Global profiles are set on a switch wide basis Port sequences global sequences and port profiles have priority over global profiles see the Precedence section on page 13 15 ...

Page 279: ...e Guidelines for Using LRE Profiles section on page 13 10 Changes to the global sequence settings are immediately put in effect and the global mode automatically becomes the active mode Beginning in privileged EXEC mode follow these steps to assign a global sequence to the LRE ports To delete the assigned sequence use the no lre rate selection sequence sequence name global configuration command Co...

Page 280: ...yst 2950ST 24 LRE 997 switch You can use the rate selection feature to automatically choose a profile from a set of profiles that the switch port uses to establish an LRE link a link between an LRE switch port and an attached CPE device Rate selection is enabled by default but you must choose a sequence for rate selection to start in other words there is no default sequence defined When rate selec...

Page 281: ... for the given port only with the given profile 4 Global profile rate selection is enabled for the entire switch with the given profile See Table 13 1 on page 13 3 and Table 13 2 on page 13 4 for the list of profiles and Table 13 3 on page 13 5 and Table 13 4 on page 13 6 for the list of system defined sequences You can also use CLI commands or CMS to define your own sequences Note If rate selecti...

Page 282: ...k is established When a link is activated if the SNR requirements do not match the configured margin level the link is not established Downstream means the remote end of the link and upstream the local end The link has to satisfy both the local and remote margin requirements If either one is not met the link is advertised as down This command has no significance if rate selection is disabled on th...

Page 283: ...4 1 1 56 4 13 15 17 20 LRE 7 8 333 16 19 21 23 26 LRE 8 9 375 64 25 27 30 34 LRE 5 6 25 4 13 15 17 20 LRE 10 12 5 16 19 21 23 26 LRE 15 18 75 64 25 27 30 34 LRE 10 5 6 25 4 13 15 17 20 LRE 10 3 3 125 16 19 21 23 26 LRE 10 1 1 56 4 13 15 17 20 LRE 15 5 6 250 4 13 15 17 20 LRE 15 3 3 125 16 19 21 23 26 LRE 15 1 1 563 4 13 15 17 20 LRE 998 15 4 4 688 64 25 27 29 32 LRE 997 10 4 4 688 64 25 27 29 32 L...

Page 284: ... Table 13 8 SNR Requirements for Downstream Rates for the Catalyst 2950ST 24 LRE 997 Switches Profile Gross Data Rate QAM Theoretical Minimum SNR Low Noise SNR Medium Noise SNR High Noise SNR LRE 12 9 12 500 256 31 33 35 38 LRE 12 3 12 500 256 31 33 35 38 LRE 9 9 375 64 25 27 29 32 LRE 9 6 9 375 64 25 27 29 32 LRE 9 4 9 375 64 25 27 29 32 LRE 9 3 9 375 64 25 27 29 32 LRE 6 default 6 250 16 19 21 2...

Page 285: ...sistence interface configuration command Command Purpose Step 1 configure terminal Enter global configuration mode Step 2 interface interface id Enter the number of the LRE port to be configured and enter interface configuration mode Step 3 margin downstream value upstream value Enter the downstream or upstream margin value in dB For the values see Table 13 6 on page 13 16 Table 13 7 on page 13 17...

Page 286: ...ta applications If a lower latency of frame transmission is required you can use a lower interleave value but the LRE switch will have less tolerance to noise Follow these guidelines for configuring the interleave delay Interleave delay is applicable only when the non LL profiles are used Existing LL profiles are supported Interleave block size values of 0 1 2 8 or 16 are supported Different ports...

Page 287: ... configuration command all LRE links are reset to the UP state Before configuring the reference TX power level follow these guidelines Verify how this command affects the network in a lab environment Make sure that all the CPEs in the production network are running the same LRE binary version Use the show controllers lre cpe version privileged EXEC command to display the binary version on all CPE ...

Page 288: ...message logging process and to the system message logging process Before enabling this feature follow these guidelines Make sure that LRE logging is enabled Make sure that the console severity in the system message logging configuration is set to debugging For more information see Chapter 27 Configuring System Message Logging Step 3 end Return to privileged EXEC mode Step 4 show controllers lre st...

Page 289: ...es include Allowing you to use an earlier version of the LRE software if required Simplifying the upgrade process as much as possible especially in cases where you want to upgrade multiple CPE devices by using a single command Command Purpose Step 1 configure terminal Enter global configuration mode Step 2 lre syslog Enable the switch to send debugging messages from the LRE logging process to the ...

Page 290: ...ades of LRE binaries If you wish to override the automatic switch selection of LRE binaries these methods are available Global LRE upgrade configuration commands LRE controller configuration commands You can specify the LRE binary or binaries for a specified target type A target type is the family and optionally the model or model revision of a device containing one or more upgradable hardware ele...

Page 291: ...he system default selection of an LRE binary that will be applied on either end of a particular LRE link Controller configurations take precedence over global upgrade configurations The preserve keyword causes the LRE upgrade mechanism to not upgrade the local controller on which preserve is configured or any of the CPE devices connected to that controller If you want to preserve in other words no...

Page 292: ...ownstream but more reliable The increased reliability is required for a successful LRE binary transfer The LRE link stays at a slower speed for the duration of the upgrade Ethernet connectivity is available When the upgrade is complete the CPE device is again reset so that the upgraded LRE binaries are loaded and executed on the target CPE devices and local LRE chipsets Ethernet connectivity is ag...

Page 293: ... 59 LINK 3 UPDOWN Interface LongReachEthernet0 1 changed state to up 00 24 02 LINEPROTO 5 UPDOWN Line protocol on Interface LongReachEthernet0 1 changed state to up Operation resumes in the profile link up state Switch Displaying LRE Status To display the LRE information use one or more of the privileged EXEC commands in Table 13 10 For detailed information about the fields in the command outputs ...

Page 294: ...13 28 Catalyst 2950 and Catalyst 2955 Switch Software Configuration Guide 78 11380 10 Chapter 13 Configuring LRE Displaying LRE Status ...

Page 295: ...so forth see Chapter 16 Configuring Optional Spanning Tree Features Note For complete syntax and usage information for the commands used in this chapter refer to the command reference for this release This chapter consists of these sections Understanding Spanning Tree Features page 14 1 Configuring Spanning Tree Features page 14 11 Displaying the Spanning Tree Status page 14 24 Understanding Spann...

Page 296: ...e to each port based on the role of the port in the active topology Root A forwarding port elected for the spanning tree topology Designated A forwarding port elected for every switched LAN segment Alternate A blocked port providing an alternate path to the root port in the spanning tree Backup A blocked port in a loopback configuration Switches that have ports with these assigned roles are called...

Page 297: ... that currently stored for that port it discards the BPDU If the switch is a designated switch for the LAN from which the inferior BPDU was received it sends that LAN a BPDU containing the up to date information stored for that port In this way inferior information is discarded and superior information is propagated on the network A BPDU exchange results in these actions One switch in the network ...

Page 298: ...stem ID affects how you manually configure the root switch the secondary root switch and the switch priority of a VLAN For example when you change the switch priority value you change the probability that the switch will be elected as the root switch Configuring a higher value decreases the probability a lower value increases the probability For more information see the Configuring the Root Switch...

Page 299: ...ch VLAN or network goes through the blocking state and the transitory states of listening and learning Spanning tree stabilizes each interface at the forwarding or blocking state When the spanning tree algorithm places a Layer 2 interface in the forwarding state this process occurs 1 The interface is in the listening state while spanning tree waits for protocol information to transition the interf...

Page 300: ...ning State The listening state is the first state a Layer 2 interface enters after the blocking state The interface enters this state when the spanning tree determines that the interface should participate in frame forwarding An interface in the listening state performs as follows Discards frames received on the port Discards frames switched from another interface for forwarding Does not learn add...

Page 301: ... interfaces or link types Switch A might not be the ideal root switch By increasing the priority lowering the numerical value of the ideal switch so that it becomes the root switch you force a spanning tree recalculation to form a new topology with the ideal switch as the root Figure 14 2 Spanning Tree Topology When the spanning tree topology is calculated based on default parameters the path betw...

Page 302: ... 0x0180C2000010 to be used by different bridge protocols These addresses are static addresses that cannot be removed Regardless of the spanning tree state the switch receives but does not forward packets destined for addresses between 0x0180C2000000 and 0x0180C200000F If spanning tree is enabled the switch CPU receives packets destined for 0x0180C2000000 and 0x0180C2000010 If spanning tree is disa...

Page 303: ...apid convergence the rapid PVST immediately deletes dynamically learned MAC address entries on a per port basis upon receiving a topology change By contrast PVST uses a short aging time for dynamically learned MAC address entries The rapid PVST uses the same configuration as PVST except where noted and the switch needs only minimal extra configuration The benefit of rapid PVST is that you can migr...

Page 304: ...res only one spanning tree instance for all VLANs allowed on the trunks However in a network of Cisco switches connected through 802 1Q trunks the switches maintain one spanning tree instance for each VLAN allowed on the trunks When you connect a Cisco switch to a non Cisco device through an 802 1Q trunk the Cisco switch uses PVST to provide spanning tree interoperability If rapid PVST is enabled ...

Page 305: ... a VLAN page 14 20 optional Configuring Spanning Tree Timers page 14 21 optional Default Spanning Tree Configuration Table 14 3 shows the default spanning tree configuration Table 14 3 Default Spanning Tree Configuration Feature Default Setting Enable state Enabled on VLAN 1 For more information see the Supported Spanning Tree Instances section on page 14 9 Spanning tree mode PVST Rapid PVST and M...

Page 306: ...t storm Note If you have already used all available spanning tree instances on your switch adding another VLAN anywhere in the VTP domain creates a VLAN that is not running spanning tree on that switch If you have the default allowed list on the trunk ports of that switch the new VLAN is carried on all trunk ports Depending on the topology of the network this could create a loop in the new VLAN th...

Page 307: ...face id Recommended for rapid PVST mode only Specify an interface to configure and enter interface configuration mode Valid interfaces include physical ports VLANs and port channels Valid VLAN IDs are 1 to 1005 when the SI is installed and 1 to 4094 when the EI is installed The port channel range is 1 to 6 Step 4 spanning tree link type point to point Recommended for rapid PVST mode only Specify t...

Page 308: ...n id root global configuration command to modify the switch priority from the default value 32768 to a significantly lower value When you enter this command the switch checks the switch priority of the root switches for each VLAN Because of the extended system ID support the switch sets its own priority for the specified VLAN to 24576 if this value will cause this switch to become the root for the...

Page 309: ...2768 entering the spanning tree vlan 100 root primary command on the switch sets the switch priority for VLAN 100 to 8192 which causes this switch to become the root switch for VLAN 100 Note If your network consists of switches that both do and do not support the extended system ID it is unlikely that the switch with the extended system ID support will become the root switch The extended system ID...

Page 310: ...work diameter and hello time values as you used when you configured the primary root switch with the spanning tree vlan vlan id root primary global configuration command Command Purpose Step 1 configure terminal Enter global configuration mode Step 2 spanning tree vlan vlan id root primary diameter net diameter hello time seconds Configure a switch to become the root for the specified VLAN For vla...

Page 311: ...pose Step 1 configure terminal Enter global configuration mode Step 2 spanning tree vlan vlan id root secondary diameter net diameter hello time seconds Configure a switch to become the secondary root for the specified VLAN For vlan id you can specify a single VLAN identified by VLAN ID number a range of VLANs separated by a hyphen or a series of VLANs separated by a comma The range is 1 to 1005 w...

Page 312: ...l interfaces and port channel logical interfaces port channel port channel number Step 3 spanning tree port priority priority Configure the port priority for an interface For priority the range is 0 to 240 in increments of 16 The default is 128 The lower the number the higher the priority Valid priority values are 0 16 32 48 64 80 96 112 128 144 160 176 192 208 224 and 240 All other values are rej...

Page 313: ...nterface to configure and enter interface configuration mode Valid interfaces include physical interfaces and port channel logical interfaces port channel port channel number Step 3 spanning tree cost cost Configure the cost for an interface If a loop occurs spanning tree uses the path cost when selecting an interface to place into the forwarding state A lower path cost represents higher speed tra...

Page 314: ...he switch priority of a VLAN This procedure is optional To return the switch to its default setting use the no spanning tree vlan vlan id priority global configuration command Command Purpose Step 1 configure terminal Enter global configuration mode Step 2 spanning tree vlan vlan id priority priority Configure the switch priority of a VLAN For vlan id you can specify a single VLAN identified by VL...

Page 315: ...4 Spanning Tree Timers Variable Description Hello timer Determines how often the switch broadcasts hello messages to other switches Forward delay timer Determines how long each of the listening and learning states last before the interface begins forwarding Maximum age timer Determines the amount of time the switch stores protocol information received on an interface Command Purpose Step 1 configu...

Page 316: ...ge of VLANs separated by a hyphen or a series of VLANs separated by a comma The range is 1 to 1005 when the SI is installed and 1 to 4094 when the EI is installed For seconds the range is 4 to 30 the default is 15 Step 3 end Return to privileged EXEC mode Step 4 show spanning tree vlan vlan id Verify your entries Step 5 copy running config startup config Optional Save your entries in the configura...

Page 317: ...ascaded stacks that use the GigaStack GBIC Table 14 5 shows the default spanning tree settings and those that are acceptable for these configurations Figure 14 4 Gigabit Ethernet Stack Table 14 5 Default and Acceptable Spanning Tree Parameter Settings in seconds STP Parameter STP Default Acceptable for Option 1 Acceptable for Option 2 Acceptable for Option 3 Hello Time 2 1 1 1 Max Age 20 6 10 6 Fo...

Page 318: ... For information about other keywords for the show spanning tree privileged EXEC command refer to the command reference for this release Table 14 6 Commands for Displaying Spanning Tree Status Command Purpose show spanning tree active Displays spanning tree information on active interfaces only show spanning tree detail Displays a detailed summary of interface information show spanning tree interf...

Page 319: ...mentt When the switch is in the MST mode the Rapid Spanning Tree Protocol RSTP which is based on IEEE 802 1w is automatically enabled The RSTP provides rapid convergence of the spanning tree through explicit handshaking that eliminates the IEEE 802 1D forwarding delay and quickly transitions root ports and designated ports to the forwarding state Both MSTP and RSTP improve the spanning tree operat...

Page 320: ...egion by using the spanning tree mst configuration global configuration command after which the switch enters the MST configuration mode From this mode you can map VLANs to an MST instance by using the instance MST configuration command specify the region name by using the name MST configuration command and set the revision number by using the revision MST configuration command A region can have o...

Page 321: ... master When an MSTP switch initializes it sends BPDUs claiming itself as the root of the CST and the IST master with both of the path costs to the CST root and to the IST master set to zero The switch also initializes all of its MST instances and claims to be the root for all of them If the switch receives superior MST root information lower bridge ID lower path cost and so forth than currently s...

Page 322: ...igured on both the CST instance and the MST instance MSTP switches use version 3 RSTP BPDUs or 802 1D STP BPDUs to communicate with legacy 802 1D switches MSTP switches use MSTP BPDUs to communicate with MSTP switches Hop Count The IST and MST instances do not use the message age and maximum age information in the configuration BPDU to compute the spanning tree topology Instead they use the path c...

Page 323: ...ons to the forwarding state because of an agreement received from its peer port the MST ports also immediately transition to the forwarding state If a boundary port transitions to the forwarding state in an IST instance it is forwarding in all MST instances and a topology change is triggered If a boundary port with the IST root or designated port role receives a topology change notice external to ...

Page 324: ...oles to individual ports Root port Provides the best path lowest cost when the switch forwards packets to the root switch Designated port Connects to the designated switch which incurs the lowest path cost when forwarding packets from that LAN to the root switch The port through which the designated switch is attached to the LAN is called the designated port Alternate port Offers an alternate path...

Page 325: ...oint link and all of the ports are in the blocking state Assume that the priority of Switch A is a smaller numerical value than the priority of Switch B Switch A sends a proposal message a configuration BPDU with the proposal flag set to Switch B proposing itself as the designated switch After receiving the proposal message Switch B selects as its new root port the port from which the proposal mes...

Page 326: ... individual port on the switch is synchronized if That port is in the blocking state It is an edge port a port configured to be at the edge of the network If a designated port is in the forwarding state and is not configured as an edge port it transitions to the blocking state when the RSTP forces it to synchronize with new root information In general when the RSTP forces a port to synchronize wit...

Page 327: ...tch sets the proposal flag in the RSTP BPDU to propose itself as the designated switch on that LAN The port role in the proposal message is always set to the designated port The sending switch sets the agreement flag in the RSTP BPDU to accept the previous proposal The port role in the agreement message is always set to the root port 2 Block 9 Forward 1 Proposal 4 Agreement 6 Proposal Root port De...

Page 328: ...y timer expires at which time the port transitions to the forwarding state Processing Inferior BPDU Information If a designated port receives an inferior BPDU higher bridge ID higher path cost and so forth than currently stored for the port with a designated port role it immediately replies with its own information Topology Changes This section describes the differences between the RSTP and the 80...

Page 329: ...igration delay timer has expired it assumes that it is connected to an 802 1D switch and starts using only 802 1D BPDUs However if the RSTP switch is using 802 1D BPDUs on a port and receives an RSTP BPDU after the timer has expired it restarts the timer and starts using RSTP BPDUs on that port Configuring MSTP Features These sections describe how to configure basic MSTP features Default MSTP Conf...

Page 330: ...more information see the Spanning Tree Interoperability and Backward Compatibility section on page 14 10 VTP propagation of the MST configuration is not supported However you can manually configure the MST configuration region name revision number and VLAN to instance mapping on each switch within the MST region by using the command line interface CLI or through the SNMP support For load balancing...

Page 331: ...stances You can assign a VLAN to only one spanning tree instance at a time Beginning in privileged EXEC mode follow these steps to specify the MST region configuration and enable MSTP This procedure is required Command Purpose Step 1 configure terminal Enter global configuration mode Step 2 spanning tree mst configuration Enter MST configuration mode Step 3 instance instance id vlan vlan range Map...

Page 332: ...h config Configuring the Root Switch The switch maintains a spanning tree instance for the group of VLANs mapped to it A bridge ID consisting of the switch priority and the switch MAC address is associated with each instance The switch with the lowest bridge ID becomes the root switch for the group of VLANs To configure a switch to become the root use the spanning tree mst instance id root global ...

Page 333: ...een any two end stations in the Layer 2 network When you specify the network diameter the switch automatically sets an optimal hello time forward delay time and maximum age time for a network of that diameter which can significantly reduce the convergence time You can use the hello keyword to override the automatically calculated hello time Note After configuring the switch as the root switch we r...

Page 334: ... EXEC mode follow these steps to configure a switch as the secondary root switch This procedure is optional Step 3 end Return to privileged EXEC mode Step 4 show spanning tree mst instance id Verify your entries Step 5 copy running config startup config Optional Save your entries in the configuration file Command Purpose Command Purpose Step 1 configure terminal Enter global configuration mode Ste...

Page 335: ...se the show running config interface privileged EXEC command to confirm the configuration To return the interface to its default setting use the no spanning tree mst instance id port priority interface configuration command Command Purpose Step 1 configure terminal Enter global configuration mode Step 2 interface interface id Specify an interface to configure and enter interface configuration mode...

Page 336: ...nfirm the configuration To return the interface to its default setting use the no spanning tree mst instance id cost interface configuration command Command Purpose Step 1 configure terminal Enter global configuration mode Step 2 interface interface id Specify an interface to configure and enter interface configuration mode Valid interfaces include physical ports and port channels Valid port chann...

Page 337: ...the hello time Note Exercise care when using this command For most situations we recommend that you use the spanning tree mst instance id root primary and the spanning tree mst instance id root secondary global configuration commands to modify the hello time Command Purpose Step 1 configure terminal Enter global configuration mode Step 2 spanning tree mst instance id priority priority Configure th...

Page 338: ...econds Configure the hello time for all MST instances The hello time is the interval between the generation of configuration messages by the root switch These messages mean that the switch is alive For seconds the range is 1 to 10 the default is 2 Step 3 end Return to privileged EXEC mode Step 4 show spanning tree mst Verify your entries Step 5 copy running config startup config Optional Save your...

Page 339: ...ration mode Step 2 spanning tree mst max age seconds Configure the maximum aging time for all MST instances The maximum aging time is the number of seconds a switch waits without receiving spanning tree configuration messages before attempting a reconfiguration For seconds the range is 6 to 40 the default is 20 Step 3 end Return to privileged EXEC mode Step 4 show spanning tree mst Verify your ent...

Page 340: ...n set to 0 it sends only 802 1D BPDUs on that port An MSTP switch can also detect that a port is at the boundary of a region when it receives a legacy BPDU an MST BPDU version 3 associated with a different region or an RST BPDU version 2 However the switch does not automatically revert to the MSTP mode if it no longer receives 802 1D BPDUs because it cannot determine whether the legacy switch has ...

Page 341: ...XEC command refer to the command reference for this release Table 15 4 Commands for Displaying MST Status Command Purpose show spanning tree mst configuration Displays the MST region configuration show spanning tree mst instance id Displays MST information for the specified instance show spanning tree mst interface interface id Displays MST information for the specified interface Valid interfaces ...

Page 342: ...15 24 Catalyst 2950 and Catalyst 2955 Switch Software Configuration Guide 78 11380 10 Chapter 15 Configuring MSTP Displaying the MST Configuration and Status ...

Page 343: ...TP and how to map multiple VLANs to the same spanning tree instance see Chapter 15 Configuring MSTP Note For complete syntax and usage information for the commands used in this chapter refer to the command reference for this release This chapter consists of these sections Understanding Optional Spanning Tree Features page 16 1 Configuring Optional Spanning Tree Features page 16 12 Displaying the S...

Page 344: ... configuration or the spanning tree portfast default global configuration command Figure 16 1 Port Fast Enabled Ports Understanding BPDU Guard The BPDU guard feature can be globally enabled on the switch or can be enabled per interface but the feature operates with some differences At the global level you can enable BPDU guard on Port Fast enabled ports by using the spanning tree portfast bpduguar...

Page 345: ... these ports do not receive BPDUs If a BPDU is received on a Port Fast enabled port the port loses its Port Fast operational status and BPDU filtering is disabled At the interface level you can enable BPDU filtering on any port without also enabling the Port Fast feature by using the spanning tree bpdufilter enable interface configuration command This command prevents the port from sending or rece...

Page 346: ...kFast is most useful in wiring closet switches at the access or edge of the network It is not appropriate for backbone devices This feature might not be useful for other types of applications UplinkFast provides fast convergence after a direct link failure and achieves load balancing between redundant Layer 2 links using uplink groups An uplink group is a set of Layer 2 interfaces per VLAN only on...

Page 347: ...ation see the Events that Cause Fast Convergence section on page 16 7 How CSUF Works CSUF ensures that one link in the stack is elected as the path to the root As shown in Figure 16 5 Switches A B and C are cascaded through the GigaStack GBIC module to form a multidrop backbone which communicates control and data traffic across the switches at the access layer The switches in the stack use their s...

Page 348: ...st and bridge ID If the sending switch is the best choice as the stack root each switch in the stack returns an acknowledgement otherwise it does not respond to the sending switch drops the packet The sending switch then has not received acknowledgements from all stack switches When acknowledgements are received from all stack switches the Fast Uplink Transition Protocol on the sending switch imme...

Page 349: ...ot comes back up the normal spanning tree convergence occurs Normal spanning tree convergence 30 to 40 seconds occurs under these conditions The stack root switch is powered off or the software failed The stack root switch which was powered off or failed is powered on A new switch which might become the stack root is added to the stack A switch other than the stack root is powered off or failed A ...

Page 350: ...ce GigaStack GBIC connection for normal convergence SPEED SYSTEM RPS STATUS UTIL DUPLX Catalyst 3500 1 2 Catalyst 3550 12T MODE 1 1 1 1 1 1 1 1 1 1 SPEED SYSTEM RPS STATUS UTIL DUPLX Catalyst 3500 1 2 Catalyst 3550 12T MODE 1 1 1 1 1 1 1 1 1 1 2 1 1 1 1 2 1 2 Catalyst 2950G 24 1 1X 2X 11X 12X 13X 14X 15X 16X 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 2 1 1 2 1 2 Catalyst 2950G 12...

Page 351: ...he root port and other blocked ports on the switch become alternate paths to the root switch Self looped ports are not considered alternate paths to the root switch If the inferior BPDU arrives on the root port all blocked ports become alternate paths to the root switch If the inferior BPDU arrives on the root port and there are no blocked ports the switch assumes that it has lost connectivity to ...

Page 352: ...warding state providing a path from Switch B to Switch A This switchover takes approximately 30 seconds twice the Forward Delay time if the default Forward Delay time of 15 seconds is set Figure 16 8 shows how BackboneFast reconfigures the topology to account for the failure of link L1 Figure 16 8 BackboneFast Example After Indirect Link Failure If a new switch is introduced into a shared medium t...

Page 353: ...re itself and select a customer switch as the root switch as shown in Figure 16 10 You can avoid this situation by enabling root guard on SP switch interfaces that connect to switches in your customer s network If spanning tree calculations cause an interface in the customer network to be selected as the root port root guard then places the interface in the root inconsistent blocked state to preve...

Page 354: ...ternate ports When the switch is operating in MST mode BPDUs are not sent on nonboundary ports only if the port is blocked by loop guard in all MST instances On a boundary port loop guard blocks the port in all MST instances Configuring Optional Spanning Tree Features These sections describe how to configure optional spanning tree features Default Optional Spanning Tree Configuration page 16 13 Op...

Page 355: ...t feature enabled is moved directly to the spanning tree forwarding state without waiting for the standard forward time delay Caution Use Port Fast only when connecting a single end station to an access or trunk port Enabling this feature on a port connected to a switch or hub could prevent spanning tree from detecting and disabling loops in your network which could cause broadcast storms and addr...

Page 356: ...manually put the port back in service Use the BPDU guard feature in a service provider network to prevent an access port from participating in the spanning tree Caution Configure Port Fast only on ports that connect to end stations otherwise an accidental topology loop could cause a data packet loop and disrupt switch and network operation Command Purpose Step 1 configure terminal Enter global con...

Page 357: ...ally enable BPDU filtering on a switch so that hosts connected to these ports do not receive BPDUs If a BPDU is received on a Port Fast enabled port the port loses its Port Fast operational status and BPDU filtering is disabled Caution Configure Port Fast only on ports that connect to end stations otherwise an accidental topology loop could cause a data packet loop and disrupt switch and network o...

Page 358: ...idual VLAN You can enable the UplinkFast feature for rapid PVST or for the MSTP but the feature remains disabled inactive until you change the spanning tree mode to PVST Beginning in privileged EXEC mode follow these steps to enable UplinkFast This procedure is optional Command Purpose Step 1 configure terminal Enter global configuration mode Step 2 spanning tree portfast bpdufilter default Global...

Page 359: ... inactive until you change the spanning tree mode to PVST Beginning in privileged EXEC mode follow these steps to enable CSUF This procedure is optional Step 4 show spanning tree summary Verify your entries Step 5 copy running config startup config Optional Save your entries in the configuration file Command Purpose Command Purpose Step 1 configure terminal Enter global configuration mode Step 2 s...

Page 360: ...hese steps to enable BackboneFast This procedure is optional To disable the BackboneFast feature use the no spanning tree backbonefast global configuration command Enabling EtherChannel Guard You can enable EtherChannel guard to detect an EtherChannel misconfiguration that causes a loop You can enable this feature if your switch is running PVST rapid PVST or MSTP Beginning in privileged EXEC mode ...

Page 361: ...eature are placed in the root inconsistent state blocked and are prevented from reaching the forwarding state Note You cannot enable both root guard and loop guard at the same time You can enable this feature if your switch is running PVST rapid PVST or MSTP Beginning in privileged EXEC mode follow these steps to enable root guard on an interface This procedure is optional To disable root guard us...

Page 362: ... show spanning tree privileged EXEC command refer to the command reference for this release Command Purpose Step 1 show spanning tree active or show spanning tree mst Determine which ports are alternate or root ports Step 2 configure terminal Enter global configuration mode Step 3 spanning tree loopguard default Enable loop guard By default loop guard is disabled Step 4 end Return to privileged EX...

Page 363: ...ork that is logically segmented by function project team or application without regard to the physical locations of the users VLANs have the same attributes as physical LANs but you can group end stations even if they are not physically located on the same LAN segment Any switch port can belong to a VLAN and unicast broadcast and multicast packets are forwarded and flooded only to end stations in ...

Page 364: ...efer to the release notes for the list of switches that support each image VLANs are identified with a number from 1 to 4094 when the EI is installed and 1 to 1005 when the SI is installed VLAN IDs 1002 through 1005 are reserved for Token Ring and FDDI VLANs VTP only learns normal range VLANs with VLAN IDs 1 to 1005 VLAN IDs greater than 1005 are extended range VLANs and are not stored in the VLAN...

Page 365: ...can be limited by configuring the allowed VLAN list You can also modify the pruning eligible list to block flooded traffic to VLANs on trunk ports that are included in the list For information about configuring trunk ports see the Configuring an Ethernet Interface as a Trunk Port section on page 17 17 VTP is recommended but not required VTP maintains VLAN configuration consistency by managing the ...

Page 366: ...use the commands described in these sections and in the command reference for this release To change the VTP configuration see Chapter 18 Configuring VTP You use the interface configuration mode to define the port membership mode and to add and remove ports from VLANs The results of these commands are written to the running configuration file and you can display the file by entering the show runni...

Page 367: ... active VLANs 1002 to 1005 are reserved for Token Ring and FDDI Normal range VLANs are identified with a number between 1 and 1001 VLAN numbers 1002 through 1005 are reserved for Token Ring and FDDI VLANs VLAN configuration for VLANs 1 to 1005 are always saved in the VLAN database If VTP mode is transparent VTP and VLAN configuration is also saved in the switch running configuration file The switc...

Page 368: ...ter the vlan global configuration command with a VLAN ID Enter a new VLAN ID to create a VLAN or with an existing VLAN ID to modify the VLAN You can use the default VLAN configuration Table 17 2 or enter multiple commands to configure the VLAN For more information about commands available in this mode refer to the vlan global configuration command description in the command reference for this rele...

Page 369: ...LAN database If the VTP mode or domain name in the startup configuration does not match the VLAN database the domain name and VTP mode and configuration for the first 1005 VLANs use the VLAN database information If VTP mode is server the domain name and VLAN configuration for the first 1005 VLANs use the VLAN database information If the switch is running Cisco IOS Release 12 1 9 EA1 or later and y...

Page 370: ...te or modify an Ethernet VLAN Table 17 2 Ethernet VLAN Defaults and Ranges Parameter Default Range VLAN ID 1 1 to 4094when the EI is installed and 1 to 1005 when the SI is installed Note Extended range VLANs VLAN IDs 1006 to 4094 are not saved in the VLAN database VLAN name VLANxxxx where xxxx represents four numeric digits including leading zeros equal to the VLAN ID number No range 802 10 SAID 1...

Page 371: ...ivileged EXEC mode Step 7 show vlan name vlan name id vlan id Verify your entries Step 8 copy running config startup config Optional If the switch is in VTP transparent mode the VLAN configuration is saved in the running configuration file as well as in the VLAN database This saves the configuration in the switch startup configuration file Command Purpose Command Purpose Step 1 vlan database Enter...

Page 372: ...lete the default VLANs for the different media types Ethernet VLAN 1 and FDDI or Token Ring VLANs 1002 to 1005 Caution When you delete a VLAN any ports assigned to that VLAN become inactive They remain associated with the VLAN and thus inactive until you assign them to a new VLAN Beginning in privileged EXEC mode follow these steps to delete a VLAN on the switch by using global configuration mode ...

Page 373: ...configuration command This example shows how to configure a port as an access port in VLAN 2 Switch configure terminal Enter configuration commands one per line End with CNTL Z Switch config interface fastethernet0 1 Switch config if switchport mode access Switch config if switchport access vlan 2 Switch config if end Switch Command Purpose Step 1 configure terminal Enter global configuration mode...

Page 374: ...on about extended range VLANs Default VLAN Configuration page 17 12 Extended Range VLAN Configuration Guidelines page 17 12 Creating an Extended Range VLAN page 17 13 Displaying VLANs page 17 14 Default VLAN Configuration See Table 17 2 on page 17 8 for the default configuration for Ethernet VLANs You can change only the MTU size on extended range VLANs all other characteristics must remain at the...

Page 375: ...ted Extended range VLANs are not saved in the VLAN database they are saved in the switch running configuration file You can save the extended range VLAN configuration in the switch startup configuration file by using the copy running config startup config privileged EXEC command Note Before you create an extended range VLAN you can verify that the VLAN ID is not used internally by entering the sho...

Page 376: ...status ports and configuration information To view normal range VLANs in the VLAN database 1 to 1005 use the show VLAN configuration command accessed by entering the vlan database privileged EXEC command For a list of the VLAN IDs on the switch use the show running config vlan privileged EXEC command optionally entering a VLAN ID range Table 17 3 lists the commands for monitoring VLANs For more de...

Page 377: ... connected by 802 1Q trunks Figure 17 2 Switches in an 802 1Q Trunking Environment You can configure a trunk on a single Ethernet interface or on an EtherChannel bundle For more information about EtherChannel see Chapter 31 Configuring EtherChannels Ethernet trunk interfaces support different trunking modes see Table 17 4 You can set an interface as trunking or nontrunking or to negotiate trunking...

Page 378: ...nect a Cisco switch to a non Cisco device through an 802 1Q trunk the Cisco switch combines the spanning tree instance of the VLAN of the trunk with the spanning tree instance of the non Cisco 802 1Q switch However spanning tree information for each VLAN is maintained by Cisco switches separated by a cloud of non Cisco 802 1Q switches The non Cisco 802 1Q cloud separating the Cisco switches is tre...

Page 379: ...unk ports send and receive VTP advertisements to use VTP you must ensure that at least one trunk port is configured on the switch and that this trunk port is connected to the trunk port of a second switch Otherwise the switch cannot receive any VTP advertisements This section includes these procedures for configuring an Ethernet interface as a trunk port on the switch Interaction with Other Featur...

Page 380: ...led port to dynamic the port mode is not changed Protected ports are supported on 802 1Q trunks Configuring a Trunk Port Beginning in privileged EXEC mode follow these steps to configure a port as an 802 1Q trunk port Command Purpose Step 1 configure terminal Enter global configuration mode Step 2 interface interface id Enter the interface configuration mode and the port to be configured for trunk...

Page 381: ...nimization VLAN 1 minimization disables VLAN 1 the default VLAN on all Cisco switch trunk ports on an individual VLAN trunk link As a result no user traffic including spanning tree advertisements is sent or received on VLAN 1 When you remove VLAN 1 from a trunk port the interface continues to send and receive management traffic for example Cisco Discovery Protocol CDP Port Aggregation Protocol PAg...

Page 382: ...en the EI is installed and 1 to 1005 when the SI is installed or a range of VLANs described by two VLAN numbers the lower one first separated by a hyphen Do not enter any spaces between comma separated VLAN parameters or in hyphen specified ranges All VLANs are allowed by default Step 5 end Return to privileged EXEC mode Step 6 show interfaces interface id switchport Verify your entries in the Tru...

Page 383: ... interface configuration command If a packet has a VLAN ID that is the same as the outgoing port native VLAN ID the packet is sent untagged otherwise the switch sends the packet with a tag Step 4 end Return to privileged EXEC mode Step 5 show interfaces interface id switchport Verify your entries in the Pruning VLANs Enabled field of the display Step 6 copy running config startup config Optional S...

Page 384: ... priorities on a parallel trunk port so that the port carries all the traffic for a given VLAN The trunk port with the higher priority lower values for a VLAN is forwarding traffic for that VLAN The trunk port with the lower priority higher values for the same VLAN remains in a blocking state for that VLAN One trunk port sends or receives all traffic for the VLAN Figure 17 3 shows two trunks conne...

Page 385: ...EXEC mode Step 11 show interfaces fastethernet0 1 switchport Verify the VLAN configuration Step 12 Repeat Steps 7 through 11 on Switch A for Fast Ethernet port 0 2 Step 13 Repeat Steps 7 through 11 on Switch B to configure the trunk ports on Fast Ethernet ports 0 1 and 0 2 Step 14 show vlan When the trunk links come up VTP passes the VTP and VLAN information to Switch B Verify that Switch B has le...

Page 386: ...ow these steps to configure the network shown in Figure 17 4 90573 Switch A Switch B Trunk port 1 VLANs 2 4 path cost 30 VLANs 8 10 path cost 19 Trunk port 2 VLANs 8 10 path cost 30 VLANs 2 4 path cost 19 Command Purpose Step 1 configure terminal Enter global configuration mode on Switch A Step 2 interface fastethernet 0 1 Enter interface configuration mode and define Fast Ethernet port 0 1 as the...

Page 387: ...hether the server shuts down the port when a VLAN is not allowed on it or just denies the port access to the VLAN In response to a request the VMPS takes one of these actions If the assigned VLAN is restricted to a group of ports the VMPS verifies the requesting port against this group and responds as follows If the VLAN is allowed on the port the VMPS sends the VLAN name to the client in response...

Page 388: ...rifies that the domain name in the packet matches its own domain name before accepting the request and responds to the client with the assigned VLAN number for the client If there is no match the VMPS either denies the request or shuts down the port depending on the VMPS secure mode setting Multiple hosts MAC addresses can be active on a dynamic port if they are all in the same VLAN however the VM...

Page 389: ...nd 802 1X is not enabled If you try to change an 802 1X enabled port to dynamic VLAN assignment an error message appears and the VLAN configuration is not changed Trunk ports cannot be dynamic access ports but you can enter the switchport access vlan dynamic interface configuration command for a trunk port In this case the switch retains the setting and applies it if the port is later configured a...

Page 390: ...mand privileged EXEC command to log into the member switch Caution Dynamic port VLAN membership is for end stations or hubs connected to end stations Connecting dynamic access ports to other switches can cause a loss of connectivity Beginning in privileged EXEC mode follow these steps to configure a dynamic access port on a VMPS client switch Command Purpose Step 1 configure terminal Enter global ...

Page 391: ... the VLAN membership information received from the VMPS You can set the number of minutes after which reconfirmation occurs If you are configuring a member switch in a cluster this parameter must be equal to or greater than the reconfirmation setting on the command switch You must also first use the rcommand privileged EXEC command to log into the member switch Beginning in privileged EXEC mode fo...

Page 392: ...mode Step 2 vmps retry count Change the retry count The retry range is from 1 to 10 the default is 3 Step 3 end Return to privileged EXEC mode Step 4 show vmps Verify your entry in the Server Retry Count field of the display Step 5 copy running config startup config Optional Save your entries in the configuration file VMPS VQP Version The version of VQP used to communicate with the VMPS The switch...

Page 393: ...ow the host to connect to the port The VMPS shuts down the port to prevent the host from connecting to the network More than 20 active hosts reside on a dynamic port To re enable a disabled dynamic port enter the no shutdown interface configuration command VMPS Configuration Example Figure 17 5 shows a network with a VMPS server switch and VMPS client switches with dynamic ports In this example th...

Page 394: ...yst 6500 series Secondary VMPS Server 3 172 20 26 150 172 20 26 151 Catalyst 6500 series switch A 172 20 26 152 Switch C Ethernet segment Trunk link 172 20 26 153 172 20 26 154 172 20 26 155 172 20 26 156 172 20 26 157 172 20 26 158 172 20 26 159 Client switch I Client switch B End station 2 End station 1 TFTP server Dynamic access port Dynamic access port Switch J Switch D Switch E Switch F Switc...

Page 395: ...nconsistencies that can cause several problems such as duplicate VLAN names incorrect VLAN type specifications and security violations Before you create VLANs you must decide whether to use VTP in your network Using VTP you can make configuration changes centrally on one or more switches and have those changes automatically communicated to all the other switches in the network Without VTP you cann...

Page 396: ...ways verify that its VTP configuration revision number is lower than the configuration revision number of the other switches in the VTP domain Switches in a VTP domain always use the VLAN configuration of the switch with the highest VTP configuration revision number If you add a switch that has a revision number higher than the revision number in the VTP domain it can erase all VLAN information fr...

Page 397: ...can create modify and delete VLANs and specify other configuration parameters such as the VTP version for the entire VTP domain VTP servers advertise their VLAN configurations to other switches in the same VTP domain and synchronize their VLAN configurations with other switches based on advertisements received over trunk links In VTP server mode VLAN configurations are saved in NVRAM VTP server is...

Page 398: ...n transparent mode without inspecting the version and domain name Consistency Checks In VTP version 2 VLAN consistency checks such as VLAN names and values are performed only when you enter new information through the CLI the Cluster Management Software CMS or SNMP Consistency checks are not performed when new information is obtained from a VTP message or when information is read from NVRAM If the...

Page 399: ...nt domain Making VLANs pruning eligible or pruning ineligible affects pruning eligibility for those VLANs on that device only not on all switches in the VTP domain See the Enabling VTP Pruning section on page 18 14 VTP pruning takes effect several seconds after you enable it VTP pruning does not prune traffic from VLANs that are pruning ineligible VLAN 1 and VLANs 1002 to 1005 are always pruning i...

Page 400: ...t VLAN pruning eligibility whether or not VTP pruning is enabled for the VTP domain whether or not any given VLAN exists and whether or not the interface is currently trunking Configuring VTP This section includes guidelines and procedures for configuring VTP These sections are included Default VTP Configuration page 18 6 VTP Configuration Options page 18 7 VTP Configuration Guidelines page 18 8 C...

Page 401: ...up configuration file the VLAN database is ignored cleared and the VTP and VLAN configurations in the startup configuration file are used The VLAN database revision number remains unchanged in the VLAN database If the VTP mode or domain name in the startup configuration do not match the VLAN database the domain name and VTP mode and configuration for the first 1005 VLANs use the VLAN database info...

Page 402: ... Switches without a password or with the wrong password reject VTP advertisements If you configure a VTP password for a domain a switch that is booted without a VTP configuration does not accept VTP advertisements until you configure it with the correct password After the configuration the switch accepts the next VTP advertisement that uses the same password and domain name in the advertisement If...

Page 403: ...unk port so that the switch can send and receive VTP advertisements For more information see the Configuring VLAN Trunks section on page 17 15 If you are configuring VTP on a cluster member switch to a VLAN use the rcommand privileged EXEC command to log into the member switch For more information about the command refer to the command reference for this release If you are configuring extended ran...

Page 404: ...password for the VTP domain The password can be from 8 to 64 characters If you configure a VTP password the VTP domain does not function properly if you do not assign the same password to each switch in the domain Step 5 end Return to privileged EXEC mode Step 6 show vtp status Verify your entries in the VTP Operating Mode and the VTP Domain Name fields of the display Command Purpose Command Purpo...

Page 405: ...that domain Therefore make sure you configure at least one switch as a VTP server Beginning in privileged EXEC mode follow these steps to configure the switch as a VTP client Use the no vtp mode global configuration command to return the switch to VTP server mode To return the switch to a no password state use the no vtp password global configuration command When you configure a domain name it can...

Page 406: ...TP mode to transparent by using the vtp mode transparent global configuration command Save this configuration to the startup configuration so that the switch boots up in VTP transparent mode Otherwise you lose the extended range VLAN configuration if the switch resets and boots up in VTP server mode the default Beginning in privileged EXEC mode follow these steps to configure VTP transparent mode ...

Page 407: ...same VTP domain Every switch in the VTP domain must use the same VTP version Do not enable VTP version 2 unless every switch in the VTP domain supports version 2 Note In TrCRF and TrBRF Token ring environments you must enable VTP version 2 for Token Ring VLAN switching to function properly For Token Ring and Token Ring Net media VTP version 2 must be disabled For more information on VTP version co...

Page 408: ...n the pruning eligible list can be pruned By default VLANs 2 through 1001 are pruning eligible on trunk ports Extended range VLANs cannot be pruned To change the pruning eligible VLANs see the Changing the Pruning Eligible List section on page 17 20 Adding a VTP Client Switch to a VTP Domain Before adding a VTP client to a VTP domain always verify that its VTP configuration revision number is lowe...

Page 409: ... Purpose Step 1 show vtp status Check the VTP configuration revision number If the number is 0 add the switch to the VTP domain If the number is greater than 0 follow these steps a Write down the domain name b Write down the configuration revision number c Continue with the next steps to reset the configuration revision number on the switch Step 2 configure terminal Enter global configuration mode...

Page 410: ...me the current VTP revision and the number of VLANs You can also display statistics about the advertisements sent and received by the switch Table 18 3 shows the privileged EXEC commands for monitoring VTP activity Table 18 3 VTP Monitoring Commands Command Purpose show vtp status Display the VTP switch configuration information show vtp counters Display counters about VTP messages that have been ...

Page 411: ...ct to a Cisco 7960 IP Phone and carry IP voice traffic Because the sound quality of an IP phone call can deteriorate if the data is unevenly sent the switch supports quality of service QoS based on IEEE 802 1p class of service CoS QoS uses classification and scheduling to send network traffic from the switch in a predictable manner For more information on QoS see Chapter 30 Configuring QoS The Cis...

Page 412: ...t contains this configuration information Default Voice VLAN Configuration page 19 2 Voice VLAN Configuration Guidelines page 19 3 Configuring a Port to Connect to a Cisco 7960 IP Phone page 19 3 Default Voice VLAN Configuration The voice VLAN feature is disabled by default When the voice VLAN feature is enabled all untagged traffic is sent according to the default CoS priority of the port The def...

Page 413: ...s section on page 17 28 for more information Secure port See the Configuring Port Security section on page 22 7 for more information 802 1x authenticated port See the Using 802 1x with Voice VLAN Ports section on page 10 7 for more information Note If you enable 802 1x on an access port on which a voice VLAN is configured and to which a Cisco IP Phone is connected the Cisco IP Phone loses connecti...

Page 414: ...tion mode Step 3 switchport voice vlan vlan id Instruct the Cisco IP Phone to forward all voice traffic through the specified VLAN By default the Cisco IP Phone forwards the voice traffic with an 802 1Q priority of 5 Valid VLAN IDs are from 1 to 4094 when the enhanced software image EI is installed and 1 to 1001 when the standard software image is installed Step 4 end Return to privileged EXEC mod...

Page 415: ...witchport priority extend interface configuration command or the switchport priority extend cos 0 interface configuration command to return the port to its default setting Command Purpose Step 1 configure terminal Enter global configuration mode Step 2 interface interface id Enter interface configuration mode and specify the interface connected to the IP phone Step 3 switchport priority extend cos...

Page 416: ...switchport priority extend cos 0 interface configuration command to return the port to its default setting Displaying Voice VLAN To display voice VLAN for an interface use the show interfaces interface id switchport privileged EXEC command For detailed information about the fields in the display refer to the command reference for this release Command Purpose Step 1 configure terminal Enter global ...

Page 417: ...r consists of these sections Understanding DHCP Features page 20 1 Configuring DHCP Features page 20 5 Displaying DHCP Information page 20 8 Understanding DHCP Features DHCP is widely used in LAN environments to dynamically assign host IP addresses from a centralized server which significantly reduces the overhead of administration of IP addresses DHCP also helps conserve the limited IP address sp...

Page 418: ...nd DHCP servers You can use DHCP snooping to differentiate between untrusted interfaces connected to the end user and trusted interfaces connected to the DHCP server or another switch Note For DHCP snooping to function properly all DHCP servers must be connected to the switch through trusted interfaces An untrusted message is a message that is received from outside the network or firewall When you...

Page 419: ...ents DHCP can centrally manage the IP address assignments for a large number of subscribers When the DHCP option 82 feature is enabled on the switch a subscriber device is identified by the switch port through which it connects to the network in addition to its MAC address Multiple hosts on the subscriber LAN can be connected to the same port on the access switch and are uniquely identified Note T...

Page 420: ... addresses that can be assigned to a single remote ID or circuit ID Then the DHCP server echoes the option 82 field in the DHCP reply The DHCP server unicasts the reply to the switch if the request was relayed to the server by the switch When the client and server are on the same subnet the server broadcasts the reply The switch verifies that it originally inserted the option 82 data by inspecting...

Page 421: ...ration Length Length Circuit ID type Suboption type Circuit ID Suboption Frame Format Remote ID Suboption Frame Format 6 bytes MAC address 1 byte 1 byte 1 byte Suboption type 1 byte Length Length Remote ID type 1 byte 1 byte 1 byte 1 byte 116300 4 0 6 1 6 0 8 2 Module Port 1 byte 1 byte 2 bytes VLAN Table 20 1 Default DHCP Configuration Feature Default Setting DHCP server Enabled1 DHCP relay agent...

Page 422: ...a insertion feature is not supported If a switch port is connected to a DHCP server configure a port as trusted by entering the ip dhcp snooping trust interface configuration command If a switch port is connected to a DHCP client configure a port as untrusted by entering the no ip dhcp snooping trust interface configuration command Configuring the DHCP Server The Catalyst 2955 switch can act as a ...

Page 423: ... 4094 You can enter a single VLAN ID identified by VLAN ID number a series of VLAN IDs separated by commas a range of VLAN IDs separated by hyphens or a range of VLAN IDs separated by entering the starting and ending VLAN IDs separated by a space Step 4 ip dhcp snooping information option Enable the switch to insert and remove DHCP relay information option 82 field in forwarded DHCP request messag...

Page 424: ...35 41 0 0 51 286 dynamic 41 FastEthernet0 3 00 D0 B7 1B 35 DE 41 0 0 52 237 dynamic 41 FastEthernet0 3 00 00 00 00 00 01 40 0 0 46 286 dynamic 40 FastEthernet0 9 00 00 00 00 00 03 42 0 0 33 286 dynamic 42 FastEthernet0 9 00 00 00 00 00 02 41 0 0 53 286 dynamic 41 FastEthernet0 9 Table 20 2 describes the fields in the show ip dhcp snooping binding command output Displaying the DHCP Snooping Configu...

Page 425: ...rstanding Multicast VLAN Registration page 21 14 Configuring MVR page 21 17 Displaying MVR Information page 21 21 Configuring IGMP Filtering and Throttling page 21 21 Displaying IGMP Filtering and Throttling Configuration page 21 27 Note For MAC addresses that map to IP multicast groups you can either manage them through features such as IGMP snooping and MVR or you can use static MAC addresses Ho...

Page 426: ...mbership lists can consist of both user defined and IGMP snooping learned settings If a port spanning tree a port group or a VLAN ID change occurs the IGMP snooping learned multicast groups from this port on the VLAN are deleted The switches support a maximum of 255 IP multicast groups These sections describe characteristics of IGMP snooping on the switch IGMP Versions page 21 2 Joining a Multicas...

Page 427: ...the switch The switch CPU creates a multicast forwarding table entry for the group if it is not already present The CPU also adds the interface where the join message was received to the forwarding table entry The host associated with that interface receives multicast traffic for that multicast group See Figure 21 1 Figure 21 1 Initial IGMP Join Message Router A sends a general query to the switch...

Page 428: ... Table 21 2 Note that because the forwarding table directs IGMP messages to only the CPU the message is not flooded to other ports on the switch Any known multicast traffic is forwarded to the group and not to the CPU Any unknown multicast traffic is flooded to the VLAN and sent to the CPU until it becomes known Figure 21 2 Second Host Joining a Multicast Group Leaving a Multicast Group The router...

Page 429: ...cted to each port If Immediate Leave is enabled in VLANs where more than one host is connected to a port some hosts might inadvertently be dropped IGMP Report Suppression Note IGMP report suppression is supported only when the multicast query has IGMPv1 and IGMPv2 reports This feature is not supported when the query includes IGMPv3 reports The switch uses IGMP report suppression to forward only on...

Page 430: ...using the IGMP join messages When the switch receives traffic for new IP multicast groups it floods the packet to all ports in the same VLAN This unnecessary flooding can impact switch performance If aging is disabled and you want to delete multicast addresses that the switch learned by using source only learning re enable aging of the forwarding table entries The switch can now age out the multic...

Page 431: ...on a VLAN interface To disable IGMP snooping on a VLAN interface use the no ip igmp snooping vlan vlan id global configuration command for the specified VLAN number IGMP snooping Immediate Leave Disabled Static groups None configured IP multicast source only learning Enabled PIM v2 multicast router discovery Enabled Aging forward table entries when source only learning is enabled Enabled The defau...

Page 432: ...rts through only PIM DVMRP packets use the ip igmp snooping vlan vlan id mrouter learn pim dvmrp global configuration command Beginning in privileged EXEC mode follow these steps to alter the method in which a VLAN interface dynamically accesses a multicast router This example shows how to configure IGMP snooping to use CGMP packets as the learning method Switch configure terminal Switch config ip...

Page 433: ...om the VLAN use the no ip igmp snooping vlan vlan id mrouter interface interface id global configuration command This example shows how to enable a static connection to a multicast router and verify the configuration Switch configure terminal Switch config ip igmp snooping vlan 200 mrouter interface gigabitethernet0 1 Switch config end Switch show ip igmp snooping mrouter vlan 200 vlan ports 200 G...

Page 434: ...removes a port when it detects an IGMP version 2 leave message on that port You should use the Immediate Leave feature only when there is a single receiver present on every port in the VLAN Immediate Leave is supported with only IGMP version 2 hosts Beginning in privileged EXEC mode follow these steps to enable IGMP Immediate Leave processing Command Purpose Step 1 configure terminal Enter global ...

Page 435: ...P multicast source only learning method is enabled by default The switch learns the IP multicast group from the IP multicast data stream and only forwards traffic to the multicast router ports If IP multicast source only learning is disabled by using the no ip igmp snooping source only learning global configuration command the switch floods unknown multicast traffic to the VLAN and sends the traff...

Page 436: ...tch config end Configuring the Aging Time You can set the aging time for forwarding table entries that the switch learns by using the IP multicast source only learning method Beginning in privileged EXEC mode follow these steps to configure the aging time Command Purpose Step 1 configure terminal Enter global configuration mode Step 2 no ip igmp snooping source only learning Disable IP multicast s...

Page 437: ...figuration information for all VLANs on the switch or for a specified VLAN Optional Enter vlan vlan id to display information for a single VLAN show ip igmp snooping group vlan vlan id Display information about the IGMP multicast groups the compatibility mode and the ports that are associated with each group Optional Enter vlan vlan id to display information for a single VLAN show ip igmp snooping...

Page 438: ...R IP multicast streams and their associated MAC addresses in the switch forwarding table intercepts the IGMP messages and modifies the forwarding table to include or remove the subscriber as a receiver of the multicast stream even though the receivers might be in a different VLAN from the source This forwarding behavior selectively allows traffic to cross between different VLANs The switch has the...

Page 439: ... MVR source ports When a subscriber changes channels or turns off the television the set top box sends an IGMP leave message for the multicast stream The switch CPU sends an IGMP group specific query through the receiver port VLAN If there is another set top box in the VLAN still subscribing to this group that set top box must respond within the maximum response time If the CPU does not receive a ...

Page 440: ...the multicast VLAN on the Layer 3 device The access layer switch Switch A modifies the forwarding behavior to allow the traffic to be forwarded from the multicast VLAN to the subscriber port in a different VLAN selectively allowing traffic to cross between two VLANs IGMP reports are sent to the same MAC addresses as the multicast data The Switch A CPU must capture all IGMP join and leave messages ...

Page 441: ...not belong to the multicast VLAN The maximum number of multicast entries that can be configured on a switch that is the maximum number of television channels that can be received is 256 Each channel is one multicast stream destined for a unique IP multicast address These IP addresses cannot alias between themselves or with the reserved IP multicast addresses in the range 224 0 0 xxx MVR does not s...

Page 442: ...uld correspond to one television channel Note Each IP address translates to a multicast 48 bit MAC address If an IP address being configured translates aliases to a previously configured MAC address or to any reserved multicast MAC addresses the command fails Step 4 mvr querytime value Optional Define the maximum time to wait for IGMP report memberships on a receiver port before removing the port ...

Page 443: ...he port to configure and enter interface configuration mode Step 4 mvr type source receiver Configure an MVR port as one of these source Configure uplink ports that receive and send multicast data as source ports Subscribers cannot be directly connected to source ports All source ports on a switch belong to the single multicast VLAN receiver Configure a port as a receiver port if it is a subscribe...

Page 444: ...ch config interface gigabitethernet0 1 Switch config if mvr type receiver Switch config if mvr vlan 22 group 228 1 23 4 Switch config if mvr immediate Switch config end Switch show mvr interface gigabitethernet0 1 Type RECEIVER Status ACTIVE Immediate Leave ENABLED Step 6 mvr immediate Optional Enable the Immediate Leave feature of MVR on the port Note This command applies to only receiver ports a...

Page 445: ...ion permits access to the multicast group the IGMP report from the port is forwarded for normal processing IGMP filtering controls only group specific query and membership reports including join and leave reports It does not control general IGMP queries IGMP filtering has no relationship with the function that directs the forwarding of IP multicast traffic The filtering feature operates in the sam...

Page 446: ...he Maximum Number of IGMP Groups page 21 25 optional Configuring the IGMP Throttling Action page 21 25 optional Default IGMP Filtering and Throttling Configuration Table 21 7 shows the default IGMP filtering configuration When the maximum number of groups is in forwarding table the default IGMP throttling action is to deny the IGMP report For configuration guidelines see the Configuring the IGMP T...

Page 447: ...he default it would not appear in the show ip igmp profile output display Switch config ip igmp profile 4 Switch config igmp profile permit Switch config igmp profile range 229 9 9 0 Switch config igmp profile end Switch show ip igmp profile 4 IGMP Profile 4 permit range 229 9 9 0 229 9 9 0 Command Purpose Step 1 configure terminal Enter global configuration mode Step 2 ip igmp profile profile num...

Page 448: ...ow to apply IGMP profile 4 to a port and verify the configuration Switch config interface fastethernet0 2 Switch config if ip igmp filter 4 Switch config if end Switch show running config interface fastethernet0 2 Building configuration Current configuration 123 bytes interface FastEthernet0 2 no ip address shutdown snmp trap link status ip igmp max groups 25 ip igmp filter 4 end Command Purpose S...

Page 449: ...n join you can configure an interface to remove a randomly selected multicast entry in the forwarding table and to add the next IGMP group to it by using the ip igmp max groups action replace interface configuration command Use the no form of this command to return to the default which is to drop the IGMP join report Follow these guidelines when configuring the IGMP throttling action You can use t...

Page 450: ... to configure the throttling action when the maximum number of entries is in the forwarding table To return to the default action of dropping the report use the no ip igmp max groups action interface configuration command This example shows how to configure an interface to remove a randomly selected multicast entry in the forwarding table and to add an IGMP group to the forwarding table when the m...

Page 451: ...guration for all interfaces on the switch or for a specified interface Use the privileged EXEC commands in Table 21 8 to display IGMP filtering and throttling configuration Table 21 8 Commands for Displaying IGMP Filtering and Throttling Configuration show ip igmp profile profile number Displays the specified IGMP profile or all the IGMP profiles defined on the switch show running configuration in...

Page 452: ...21 28 Catalyst 2950 and Catalyst 2955 Switch Software Configuration Guide 78 11380 10 Chapter 21 Configuring IGMP Snooping and MVR Displaying IGMP Filtering and Throttling Configuration ...

Page 453: ...ter refer to the command reference for this release This chapter consists of these sections Configuring Storm Control page 22 1 Configuring Protected Ports page 22 4 Configuring Port Blocking page 22 5 Configuring Port Security page 22 7 Displaying Port Based Traffic Control Settings page 22 13 Configuring Storm Control These sections include storm control configuration information and procedures ...

Page 454: ...st traffic When a switch uses the bandwidth based method the rising threshold is the percentage of total available bandwidth associated with multicast broadcast or unicast traffic before forwarding is blocked The falling threshold is the percentage of total available bandwidth below which the switch resumes normal forwarding In general the higher the level the less effective the protection against...

Page 455: ...cify the rising threshold level for broadcast multicast or unicast traffic in packets per second The storm control action occurs when traffic reaches this level This option is supported only on non LRE Catalyst 2950 switches running Cisco IOS Release 12 1 14 EA1 or later For pps low specify the falling threshold level in packets per second that can be less than or equal to the rising threshold lev...

Page 456: ...ts defined You can configure protected ports on a physical interface or an EtherChannel group When you enable protected ports for a port channel it is enabled for all ports in the port channel group Both LRE interface ports and CPE device ports can be configured as protected ports When you use a Cisco 575 LRE CPE or a Cisco 576 LRE 997 CPE device the cpe protected interface configuration command i...

Page 457: ...cast or multicast packets Note Blocking unicast or multicast traffic is not automatically enabled on protected ports you must explicitly configure it The port blocking feature is only supported on these switches Catalyst 2950 Long Reach Ethernet LRE switches running Cisco IOS Release 12 1 14 EA1 or later Catalyst 2950G 12 EI 2950G 24 EI 2950G 24 EI DC 2950G 48 EI and 2955 switches running Cisco IO...

Page 458: ...e terminal Enter global configuration mode Step 2 interface interface id Specify the interface to configure and enter interface configuration mode Step 3 switchport block multicast Block unknown multicast forwarding to the port Step 4 switchport block unicast Block unknown unicast forwarding to the port Step 5 end Return to privileged EXEC mode Step 6 show interfaces interface id switchport Verify...

Page 459: ...n the switch restarts Sticky secure MAC addresses These can be dynamically learned or manually configured stored in the address table and added to the running configuration If these addresses are saved in the configuration file the interface does not need to dynamically relearn them when the switch restarts Although sticky secure addresses can be manually configured we do not recommend it You can ...

Page 460: ...or increase the number of maximum allowable addresses In this mode you are notified that a security violation has occurred Specifically an SNMP trap is sent a syslog message is logged and the violation counter increments shutdown In this mode a port security violation causes the interface to immediately become error disabled and turns off the port LED It also sends an SNMP trap logs a syslog messa...

Page 461: ...d with a voice VLAN you must set the maximum allowed secure addresses on the port to at least two If any type of port security is enabled on the access VLAN dynamic port security is automatically enabled on the voice VLAN When a voice VLAN is configured on a secure port that is also configured as a sticky secure port all addresses seen on the voice VLAN are learned as dynamic secure addresses and ...

Page 462: ...addresses You are not notified that a security violation has occurred restrict When the number of secure MAC addresses reaches the limit allowed on the port packets with unknown source addresses are dropped until you remove a sufficient number of secure MAC addresses or increase the number of maximum allowable addresses In this mode you are notified that a security violation has occurred Specifica...

Page 463: ...sses on an interface use the clear port security dynamic interface interface id privileged EXEC command To delete a sticky secure MAC addresses from the address table use the clear port security sticky address mac address privileged EXEC command To delete all the sticky addresses on an interface use the clear port security sticky interface interface id privileged EXEC command This example shows ho...

Page 464: ... a port Switch config interface fastethernet0 1 Switch config if switchport port security aging time 120 Command Purpose Step 1 configure terminal Enter global configuration mode Step 2 interface interface id Specify the port on which you want to enable port security aging and enter interface configuration mode Note The switch does not support port security aging of sticky secure addresses Step 3 ...

Page 465: ...administrative and operational status of all switching nonrouting ports or the specified port including port blocking and port protection settings show storm control interface id broadcast multicast unicast Displays storm control suppression levels set on all interfaces or the specified interface for the specified traffic type or for broadcast traffic if no traffic type is entered show interfaces ...

Page 466: ...22 14 Catalyst 2950 and Catalyst 2955 Switch Software Configuration Guide 78 11380 10 Chapter 22 Configuring Port Based Traffic Control Displaying Port Based Traffic Control Settings ...

Page 467: ...idirectional link it administratively shuts down the affected port and alerts you Unidirectional links can cause a variety of problems including spanning tree topology loops Modes of Operation UDLD supports two modes of operation normal the default and aggressive In normal mode UDLD can detect unidirectional links due to misconnected interfaces on fiber optic connections In aggressive mode UDLD ca...

Page 468: ...e of the interfaces is down while the other is up One of the fiber strands in the cable is disconnected In these cases UDLD shuts down the affected interface In a point to point link UDLD hello packets can be considered as a heart beat whose presence guarantees the health of the link Conversely the loss of the heart beat means that the link must be shut down if it is not possible to re establish a...

Page 469: ... the interface is shut down If UDLD in normal mode is in the advertisement or in the detection phase and all the neighbor cache entries are aged out UDLD restarts the link up sequence to resynchronize with any potentially out of sync neighbors If you enable aggressive mode when all the neighbors of a port have aged out either in the advertisement or in the detection phase UDLD restarts the link up...

Page 470: ...efault UDLD configuration Configuration Guidelines These are the UDLD configuration guidelines A UDLD capable interface also cannot detect a unidirectional link if it is connected to a UDLD incapable port of another switch When configuring the mode normal or aggressive make sure that the same mode is configured on both sides of the link Table 23 1 Default UDLD Configuration Feature Default Setting...

Page 471: ...mode on all fiber optic interfaces enable Enables UDLD in normal mode on all fiber optic interfaces on the switch UDLD is disabled by default An individual interface configuration overrides the setting of the udld enable global configuration command For more information about aggressive and normal modes see the Modes of Operation section on page 23 1 message time message timer interval Configures ...

Page 472: ... aggressive interface configuration command re enables UDLD on the specified interface The errdisable recovery cause udld global configuration command enables the timer to automatically recover from the UDLD error disabled state and the errdisable recovery interval interval global configuration command specifies the time to recover from the UDLD error disabled state Step 3 udld port aggressive Spe...

Page 473: ...onfiguring UDLD Displaying UDLD Status Displaying UDLD Status To display the UDLD status for the specified interface or for all interfaces use the show udld interface id privileged EXEC command For detailed information about the fields in the display refer to the command reference for this release ...

Page 474: ...23 8 Catalyst 2950 and Catalyst 2955 Switch Software Configuration Guide 78 11380 10 Chapter 23 Configuring UDLD Displaying UDLD Status ...

Page 475: ...vice type and the Simple Network Management Protocol SNMP agent address of neighboring devices running lower layer transparent protocols This feature enables applications to send SNMP queries to neighboring devices CDP runs on all media that support Subnetwork Access Protocol SNAP Because CDP runs over the data link layer only two systems that support different network layer protocols can learn ab...

Page 476: ... CDP timer holdtime and advertisement type Note Steps 2 through 4 are all optional and can be performed in any order Table 24 1 Default CDP Configuration Feature Default Setting CDP global state Enabled CDP interface state Enabled CDP timer packet update frequency 60 seconds CDP holdtime before discarding 180 seconds CDP Version 2 advertisements Enabled Command Purpose Step 1 configure terminal En...

Page 477: ...rupt cluster discovery For more information see Chapter 7 Clustering Switches Beginning in privileged EXEC mode follow these steps to disable the CDP device discovery capability Beginning in privileged EXEC mode follow these steps to enable CDP when it has been disabled This example shows how to enable CDP if it has been disabled Switch configure terminal Switch config cdp run Switch config end St...

Page 478: ...if cdp enable Switch config if end Command Purpose Step 1 configure terminal Enter global configuration mode Step 2 interface interface id Specify the interface on which you are disabling CDP and enter interface configuration mode Step 3 no cdp enable Disable CDP on the interface Step 4 end Return to privileged EXEC mode Step 5 copy running config startup config Optional Save your entries in the c...

Page 479: ... display all CDP neighbors or you can enter the name of the neighbor about which you want information You can also limit the display to information about the protocols enabled on the specified neighbor or information about the version of software running on the device show cdp interface interface id Display information about interfaces where CDP is enabled You can limit the display to the interfac...

Page 480: ...24 6 Catalyst 2950 and Catalyst 2955 Switch Software Configuration Guide 78 11380 10 Chapter 24 Configuring CDP Monitoring and Maintaining CDP ...

Page 481: ...ring SPAN page 25 7 Configuring RSPAN page 25 12 Displaying SPAN and RSPAN Status page 25 17 Understanding SPAN and RSPAN You can analyze network traffic passing through ports by using SPAN to send a copy of the traffic to another port on the switch that has been connected to a SwitchProbe device or other Remote Monitoring RMON probe or security device SPAN mirrors received or sent or both traffic...

Page 482: ... and RSPAN do not affect the switching of network traffic on source ports a copy of the packets received or sent by the source interfaces are sent to the destination interface Except for traffic that is required for the SPAN or RSPAN session reflector ports and destination ports do not receive or forward traffic You can use the SPAN destination port to inject traffic from a network security device...

Page 483: ...ce A copy of each packet received by the source is sent to the destination port for that SPAN session You can monitor a series or range of ingress ports in a SPAN session At the destination port if tagging is enabled the packets appear with the 802 1Q header If no tagging is specified packets appear in the native format Packets that are modified because of quality of service QoS for example modifi...

Page 484: ...t receives a copy of traffic from the source port The destination port has these characteristics It must reside on the same switch as the source port for a local SPAN session It can be any Ethernet physical port It cannot be a source port or a reflector port It cannot be an EtherChannel group or a VLAN It can be a physical port that is assigned to an EtherChannel group even if the EtherChannel gro...

Page 485: ...subscribed it could become congested This could affect traffic forwarding on one or more of the source ports If the bandwidth of the reflector port is not sufficient for the traffic volume from the corresponding source ports the excess packets are dropped A 10 100 port reflects at 100 Mbps A Gigabit port reflects at 1 Gbps SPAN Traffic You can use local SPAN to monitor all network traffic includin...

Page 486: ...nel group Ports removed from an EtherChannel group remain members of the group but they are in the down or standalone state If a physical port that belongs to an EtherChannel group is a destination or reflector port and the EtherChannel group is a source the port is removed from the EtherChannel group and from the list of monitored ports QoS For ingress monitoring the packets sent to the SPAN dest...

Page 487: ... You cannot have two SPAN sessions using the same destination port An EtherChannel port can be a SPAN source port it cannot be a SPAN destination port For SPAN source ports you can monitor sent and received traffic for a single port or for a series or range of ports When you configure a switch port as a SPAN destination port it is no longer a normal switch port only monitored traffic passes throug...

Page 488: ... tx Specify the SPAN session and the source port monitored port For session_number specify 1 For interface id specify the source port to monitor Valid interfaces include physical interfaces and port channel logical interfaces port channel port channel number Optional Specify a series or range of interfaces Enter a space before and after the comma enter a space before and after the hyphen Optional ...

Page 489: ...a Cisco IDS Sensor Appliance Command Purpose Step 1 configure terminal Enter global configuration mode Step 2 no monitor session session_number all local remote Clear any existing SPAN configuration for the session For session_number specify 1 Specify all to remove all SPAN sessions local to remove all local sessions or remote to remove all remote SPAN sessions Step 3 monitor session session_numbe...

Page 490: ...the destination port Switch config monitor session 1 destination interface fastethernet0 5 encapsulation dot1q Step 4 monitor session session_number destination interface interface id encapsulation dot1q ingress vlan vlan id Specify the SPAN session the destination port monitoring port the packet encapsulation and the ingress VLAN For session_number specify 1 For interface id specify the destinati...

Page 491: ... config no monitor session 1 source interface fastethernet0 1 rx The monitoring of traffic received on port 1 is disabled but traffic sent from this port continues to be monitored Command Purpose Step 1 configure terminal Enter global configuration mode Step 2 no monitor session session_number source interface interface id both rx tx Specify the characteristics of the source port monitored port an...

Page 492: ...ur network A port cannot serve as an RSPAN source port or RSPAN destination port while designated as an RSPAN reflector port When you configure a switch port as a reflector port it is no longer a normal switch port only looped back traffic passes through the reflector port RSPAN does not support BPDU packet monitoring or other Layer 2 switch protocols In a network consisting of only Catalyst 2950 ...

Page 493: ...s how to create RSPAN VLAN 901 Switch config vlan 901 Switch config vlan remote span Switch config vlan end Creating an RSPAN Source Session Beginning in privileged EXEC mode follow these steps to start an RSPAN source session and to specify the monitored source and the destination RSPAN VLAN Command Purpose Step 1 configure terminal Enter global configuration mode Step 2 vlan vlan id Enter a VLAN...

Page 494: ...erfaces include physical interfaces and port channel logical interfaces port channel port channel number Optional Specify a series or range of interfaces Enter a space before and after the comma enter a space before and after the hyphen Optional Specify the direction of traffic to monitor If you do not specify a traffic direction the source interface sends both sent and received traffic both Monit...

Page 495: ...2 monitor session session_number source remote vlan vlan id Specify the RSPAN session and the source RSPAN VLAN For session_number specify the session number identified with this RSPAN session For vlan id specify the source RSPAN VLAN to monitor Step 3 monitor session session_number destination interface interface id encapsulation dot1q Specify the RSPAN session and the destination interface For s...

Page 496: ...igure terminal Enter global configuration mode Step 2 no monitor session session_number source interface interface id both rx tx Specify the characteristics of the RSPAN source port monitored port to remove For session_number specify the session number identified with this RSPAN session For interface id specify the source port to no longer monitor Valid interfaces include physical interfaces and p...

Page 497: ...se the show monitor privileged EXEC command This is an example of output for the show monitor privileged EXEC command for SPAN source session 1 Switch show monitor session 1 Session 1 Type Local Session Source Ports RX Only None TX Only None Both Fa0 4 Source VLANs RX Only None TX Only None Both None Source RSPAN VLAN None Destination Ports Fa0 5 Encapsulation DOT1Q Ingress Enabled default VLAN 5 ...

Page 498: ...25 18 Catalyst 2950 and Catalyst 2955 Switch Software Configuration Guide 78 11380 10 Chapter 25 Configuring SPAN and RSPAN Displaying SPAN and RSPAN Status ...

Page 499: ...uning information Note For complete syntax and usage information for the commands used in this chapter refer to the Cisco IOS Configuration Fundamentals Command Reference for Cisco IOS Release 12 1 This chapter consists of these sections Understanding RMON page 26 1 Configuring RMON page 26 2 Displaying RMON Status page 26 6 Understanding RMON RMON is an Internet Engineering Task Force IETF standa...

Page 500: ...arms can be used with events the alarm triggers an event which can generate a log entry or an SNMP trap Event RMON group 9 Determines the action to take when an event is triggered by an alarm The action can be to generate a log entry or an SNMP trap Because switches supported by this software release use hardware counters for RMON data processing the monitoring is more efficient and little process...

Page 501: ...g in privileged EXEC mode follow these steps to enable RMON alarms and events Command Purpose Step 1 configure terminal Enter global configuration mode Step 2 rmon alarm number variable interval absolute delta rising threshold value event number falling threshold value event number owner string Set an alarm on a MIB object For number specify the alarm number The range is 1 to 65535 For variable sp...

Page 502: ... reset and can be triggered again Switch config rmon alarm 10 ifEntry 20 1 20 delta rising threshold 15 1 falling threshold 0 owner jjohnson The following example creates RMON event number 1 by using the rmon event command The event is defined as High ifOutErrors and generates a log entry when the event is triggered by the alarm The user jjones owns the row that is created in the event table by th...

Page 503: ...e range is 1 to 65535 Optional For buckets bucket number specify the maximum number of buckets desired for the RMON collection history group of statistics The range is 1 to 65535 The default is 50 buckets Optional For interval seconds specify the number of seconds in each polling cycle Optional For owner ownername enter the name of the owner of the RMON group of statistics Step 4 end Return to pri...

Page 504: ...in these displays refer to the Cisco IOS Configuration Fundamentals Command Reference for Cisco IOS Release 12 1 Step 6 show rmon statistics Display the contents of the switch statistics table Step 7 copy running config startup config Optional Save your entries in the configuration file Command Purpose Table 26 1 Commands for Displaying RMON Status Command Purpose show rmon Displays general RMON s...

Page 505: ...ver depending on your configuration The process also sends messages to the console Note The syslog format is compatible with 4 3 BSD UNIX When the logging process is disabled messages are sent only to the console The messages are sent as they are generated so message and debug output are interspersed with prompts or output from other commands Messages appear on the console after the process that g...

Page 506: ...description The part of the message preceding the percent sign depends on the setting of the service sequence numbers service timestamps log datetime service timestamps log datetime localtime msec show timezone or service timestamps log uptime global configuration command Table 27 1 describes the elements of syslog messages Table 27 1 System Log Message Elements Element Description seq no Stamps l...

Page 507: ...0 34 195 36 Mar 1 18 48 50 483 UTC SYS 5 CONFIG_I Configured from console by vty2 10 34 195 36 Default System Message Logging Configuration Table 27 2 shows the default system message logging configuration MNEMONIC Text string that uniquely describes the message description Text string containing detailed information about the event being reported Table 27 1 System Log Message Elements continued E...

Page 508: ...see the Synchronizing Log Messages section on page 27 6 To re enable message logging after it has been disabled use the logging on global configuration command Setting the Message Display Destination Device If message logging is enabled you can send messages to specific locations in addition to the console Beginning in privileged EXEC mode use one or more of the following commands to specify the l...

Page 509: ... server configuration steps see the Configuring UNIX Syslog Servers section on page 27 11 Step 4 logging file flash filename max file size min file size severity level number type Store log messages in a file in flash memory For filename enter the log message filename Optional For max file size specify the maximum logging file size The range is 4096 to 2147483647 The default is 4069 bytes Optional...

Page 510: ...ure terminal Enter global configuration mode Step 2 line console vty line number ending line number Specify the line to be configured for synchronous logging of messages Use the console keyword for configurations that occur through the switch console port Use the line vty line number command to specify which vty lines are to have synchronous logging enabled You use a vty connection for configurati...

Page 511: ...195 36 This example shows part of a logging display with the service timestamps log uptime global configuration command enabled 00 00 46 LINK 3 UPDOWN Interface Port channel1 changed state to up Step 5 show running config Verify your entries Step 6 copy running config startup config Optional Save your entries in the configuration file Command Purpose Command Purpose Step 1 configure terminal Enter...

Page 512: ...27 3 Beginning in privileged EXEC mode follow these steps to define the message severity level Command Purpose Step 1 configure terminal Enter global configuration mode Step 2 service sequence numbers Enable sequence numbers Step 3 end Return to privileged EXEC mode Step 4 show running config Verify your entries Step 5 copy running config startup config Optional Save your entries in the configurat...

Page 513: ...n how to recover from these malfunctions refer to the system message guide for this release Output from the debug commands displayed at the debugging level Debug commands are typically used only by the Technical Assistance Center Interface up or down transitions and system restart messages displayed at the notifications level This message is only for information switch functionality is not affecte...

Page 514: ...l configuration command the oldest message entry is deleted from the table to allow the new message entry to be stored To return the logging of syslog messages to the default level use the no logging history global configuration command To return the number of messages in the history table to the default value use the no logging history size global configuration command Command Purpose Step 1 conf...

Page 515: ...12 for information on the facilities The debug keyword specifies the syslog level see Table 27 3 on page 27 9 for information on the severity levels The syslog daemon sends messages at this level or at a more severe level to the file specified in the next field The file must already exist and the syslog daemon must have permission to write to it Step 2 Create the log file by entering these command...

Page 516: ...rs receive informational messages and lower See Table 27 3 on page 27 9 for level keywords Step 4 logging facility facility type Configure the syslog facility See Table 27 4 on page 27 12 for facility type keywords The default is local7 Step 5 end Return to privileged EXEC mode Step 6 show running config Verify your entries Step 7 copy running config startup config Optional Save your entries in th...

Page 517: ...Displaying the Logging Configuration Displaying the Logging Configuration To display the logging configuration and the contents of the log buffer use the show logging privileged EXEC command For information about the fields in this display refer to the Cisco IOS Configuration Fundamentals Command Reference for Cisco IOS Release 12 1 ...

Page 518: ...27 14 Catalyst 2950 and Catalyst 2955 Switch Software Configuration Guide 78 11380 10 Chapter 27 Configuring System Message Logging Displaying the Logging Configuration ...

Page 519: ...an be part of a network management system NMS such as CiscoWorks The agent and MIB reside on the switch To configure SNMP on the switch you define the relationship between the manager and the agent The SNMP agent contains MIB variables whose values the SNMP manager can request or change A manager can get a value from an agent or store a value into the agent The agent gathers data from the MIB the ...

Page 520: ...ation determining that the message is from a valid source Encryption mixing the contents of a package to prevent it from being read by an unauthorized source Note To select encryption enter the priv keyword This keyword is available only when the cryptographic encrypted software image is installed Both SNMPv1 and SNMPv2C use a community based form of security The community of managers able to acce...

Page 521: ...No Uses a username match for authentication SNMPv3 authNoPriv MD5 or SHA No Provides authentication based on the HMAC MD5 or HMAC SHA algorithms SNMPv3 authPriv requires the cryptographic software image MD5 or SHA DES Provides authentication based on the HMAC MD5 or HMAC SHA algorithms Provides DES 56 bit encryption in addition to authentication based on the CBC DES DES 56 standard Table 28 2 SNMP...

Page 522: ... community strings but does not allow write access Read write RW Gives read and write access to authorized management stations to all objects in the MIB but does not allow access to the community strings Note When a cluster is created the command switch manages the exchange of messages among member switches and the SNMP application The Cluster Management software appends the member switch number e...

Page 523: ...hat make informs more reliable than traps also consume more resources in the switch and in the network Unlike a trap which is discarded as soon as it is sent an inform request is held in memory until a response is received or the request times out Traps are sent only once but an inform might be re sent or retried several times The retries increase traffic and contribute to a higher overhead on the...

Page 524: ...ociated with that user Modifying the group s notify view affects all users associated with that group Refer to the Cisco IOS Configuration Fundamentals Command Reference for Release 12 1 for information about when you should configure notify views To configure a remote user specify the IP address or port number for the remote SNMP agent of the device where the user resides Before you configure rem...

Page 525: ...no snmp server global configuration command disables all running versions Version 1 Version 2C and Version 3 on the device No specific Cisco IOS command exists to enable SNMP The first snmp server global configuration command that you enter enables all versions of SNMP Configuring Community Strings You use the SNMP community string to define the relationship between the SNMP manager and the agent ...

Page 526: ...you want authorized management stations to retrieve and modify MIB objects By default the community string permits read only access to all objects Optional For access list number enter an IP standard access list numbered from 1 to 99 and 1300 to 1999 Step 3 access list access list number deny permit source source wildcard Optional If you specified an IP standard access list number in Step 2 then c...

Page 527: ...C mode follow these steps to configure SNMP on the switch Command Purpose Step 1 configure terminal Enter global configuration mode Step 2 snmp server engineID local engineid string remote ip address udp port port number engineid string Configure a name for either the local or remote copy of SNMP The engineid string is a 24 character ID string with the name of the copy of SNMP You need not specify...

Page 528: ...A packet authentication noauth The noAuthNoPriv security level This is the default if no keyword is specified priv Enables Data Encryption Standard DES packet encryption also called privacy Note The priv keyword is available only when the cryptographic software image is installed Optional Enter read readview with a string not to exceed 64 characters that is the name of the view in which you can on...

Page 529: ...group The username is the name of the user on the host that connects to the agent The groupname is the name of the group to which the user is associated Enter remote to specify a remote SNMP entity to which the user belongs and the hostname or IP address of that entity with the optional UDP port number The default is 162 Enter the SNMP version number v1 v2c or v3 If you enter v3 you have these add...

Page 530: ... Generates SNMP FLASH notifications hsrp Generates a trap for Hot Standby Router Protocol HSRP changes mac notification Generates a trap for MAC address notifications port security Generates SNMP port security traps You can also set a maximum trap rate per second The range is from 0 to 1000 the default is 0 which means that there is no rate limit rtr Generates a trap for the SNMP Response Time Rep...

Page 531: ...e The priv keyword is available only when the cryptographic software image is installed For community string when version 1 or version 2c is specified enter the password like community string sent with the notification operation When version 3 is specified enter the SNMPv3 username Optional For notification type use the keywords listed in Table 28 4 on page 28 11 If no type is specified all notifi...

Page 532: ...llow these steps to set the system contact and location of the SNMP agent so that these descriptions can be accessed through the configuration file Limiting TFTP Servers Used Through SNMP Beginning in privileged EXEC mode follow these steps to limit the TFTP servers used for saving and loading configuration files through SNMP to the servers specified in an access list Command Purpose Step 1 config...

Page 533: ...embers of access list 4 that use the comaccess community string No other SNMP managers have access to any objects SNMP Authentication Failure traps are sent by SNMPv2C to the host cisco com using the community string public Switch config snmp server community comaccess ro 4 Switch config snmp server enable traps snmp authentication Switch config snmp server host cisco com version 2c public Step 3 ...

Page 534: ...fig snmp server enable traps Switch config snmp server host myhost cisco com public Displaying SNMP Status To display SNMP input and output statistics including the number of illegal community string entries errors and requested variables use the show snmp privileged EXEC command You can also use the other privileged EXEC commands in Table 28 5 to display SNMP information For information about the...

Page 535: ...usage information for the commands used in this chapter refer to the command reference for this release and the Configuring IP Services section of the Cisco IOS IP and IP Routing Configuration Guide Cisco IOS Release 12 1 and the Cisco IOS IP and IP Routing Command Reference Cisco IOS Release 12 1 This chapter consists of these sections Understanding ACLs page 29 2 Configuring ACLs page 29 6 Displ...

Page 536: ...fferent parts of a network or to decide which types of traffic are forwarded or blocked at switch interfaces For example you can allow e mail traffic to be forwarded but not Telnet traffic ACLs can be configured to block inbound traffic An ACL contains an ordered list of access control entries ACEs Each ACE specifies permit or deny and a set of conditions the packet must satisfy in order to match ...

Page 537: ...e ACE tests some Layer 4 information the matching rules are modified Permit ACEs that check the Layer 3 information in the fragment including protocol type such as TCP UDP and so on are considered to match the fragment regardless of what the missing Layer 4 information might have been Deny ACEs that check Layer 4 information never match a fragment unless the fragment contains Layer 4 information C...

Page 538: ... that ACE does not check any Layer 4 information and because Layer 3 information in all fragments shows that they are being sent to host 10 1 1 3 and the earlier permit ACEs were checking different hosts Understanding Access Control Parameters Before configuring ACLs on the switches you must have a thorough understanding of the access control parameters ACPs ACPs are referred to as masks in the sw...

Page 539: ...here are significant restrictions for configuring ACLs on the switches Only four user defined masks can be defined for the entire system These can be used for either security or quality of service QoS but cannot be shared by QoS and security You can configure as many ACLs as you require However a system error message appears if ACLs with more than four different masks are applied to interfaces For...

Page 540: ...certain mask restrictions apply to the ACLs See the Creating a Numbered Standard ACL section on page 29 9 and the Creating a Numbered Extended ACL section on page 29 10 for creating these ACLs Note You can also apply ACLs to a management interface without the above limitations For information refer to the Configuring IP Services section of the Cisco IOS IP and IP Routing Configuration Guide Cisco ...

Page 541: ...s in an access list one by one The first match determines whether the switch accepts or rejects the packet Because the switch stops testing conditions after the first match the order of the conditions is critical If no conditions match the switch denies the packet Follow these steps to use ACLs Step 1 Create an ACL by specifying an access list number or name and access conditions Step 2 Apply the ...

Page 542: ... IP ACL can be 1 to 99 the name of an extended IP ACL can be 100 to 199 The advantage of using named ACLs instead of numbered lists is that you can delete individual entries from a named list Table 29 2 Access List Numbers ACL Number Type Supported 1 99 IP standard access list Yes 100 199 IP extended access list Yes 200 299 Protocol type code access list No 300 399 DECnet access list No 400 499 XN...

Page 543: ...ask from an associated IP host address ACL specification 0 0 0 0 is assumed to be the mask Command Purpose Step 1 configure terminal Enter global configuration mode Step 2 access list access list number deny permit remark source source wildcard host source any Define a standard IP ACL by using a source address and wildcard The access list number is a decimal number from 1 to 99 or 1300 to 1999 Ent...

Page 544: ...at protocol These IP protocols are supported on physical interfaces protocol keywords are in parentheses in bold Internet Protocol ip Transmission Control Protocol tcp or User Datagram Protocol udp Supported parameters can be grouped into these categories TCP UDP Table 29 3 lists the possible filtering parameters for ACEs for each protocol type For more details about the specific keywords relative...

Page 545: ...xtended access lists remember that after you create the list any additions are placed at the end of the list You cannot reorder the list or selectively add or remove ACEs from a numbered list Note For information about creating ACLs to apply to management interfaces refer to the Configuring IP Services section of Cisco IOS IP and IP Routing Configuration Guide Release 12 1 and the Cisco IOS IP and...

Page 546: ...r can be only eq equal If operator is after source source wildcard conditions match when the source port matches the defined port If operator is after destination destination wildcard conditions match when the destination port matches the defined port The port is a decimal number or name of a TCP or UDP port The number can be from 0 to 65535 Use TCP port names only for TCP traffic Use UDP port nam...

Page 547: ... statement for all packets if the access list does not find a match before reaching the end With standard access lists if you omit the mask from an associated IP host address ACL specification 0 0 0 0 is assumed to be the mask After creating an ACL you must apply it to a line or interface as described in the Applying ACLs to Terminal Lines or Physical Interfaces section on page 29 19 Creating Name...

Page 548: ...ion Step 6 copy running config startup config Optional Save your entries in the configuration file Command Purpose Step 1 configure terminal Enter global configuration mode Step 2 ip access list extended name access list number Define an extended IP access list by using a name and enter access list configuration mode Note The name can be a number from 100 to 199 Step 3 deny permit protocol source ...

Page 549: ...ions to the access list You can use the time range to define when the permit or deny statements in the ACL are in effect The time range keyword and argument are referenced in the named and numbered extended ACL task tables in the Creating Standard and Extended IP ACLs section on page 29 7 and the Creating Named Standard and Extended ACLs section on page 29 13 These are some of the many benefits of...

Page 550: ...59 01 January 2000 time range entry thanksgiving_2000 inactive absolute start 00 00 22 November 2000 end 23 59 23 November 2000 time range entry workhours inactive periodic weekdays 8 00 to 12 00 periodic weekdays 13 00 to 17 00 To apply a time range you must reference it by name for example workhours in an extended ACL that can implement time ranges This example shows how to create and verify ext...

Page 551: ...omments remarks about entries in any IP standard or extended ACL The remarks make the ACL easier for you to understand and scan Each remark line is limited to 100 characters The remark can go before or after a permit or deny statement You should be consistent about where you put the remark so that it is clear which remark describes which permit or deny statement For example it would be confusing t...

Page 552: ...traffic but permitting all other types of traffic Switch config mac access list extended mac1 Switch config ext macl deny any any decnet iv Switch config ext macl permit any any Switch config ext macl end Switch show access list Extended MAC access list mac1 deny any any decnet iv permit any any Command Purpose Step 1 configure terminal Enter global configuration mode Step 2 mac access list extend...

Page 553: ...ckets Remember this behavior if you use undefined ACLs as a means of network security Applying ACLs to Terminal Lines or Physical Interfaces Note Before applying an ACL to a physical interface see the Guidelines for Applying ACLs to Physical Interfaces section on page 29 5 You can apply ACLs to any management interface For information on creating ACLs on management interfaces refer to the Configur...

Page 554: ...s to a Physical Interface Beginning in privileged EXEC mode follow these steps to control access to a Layer 2 interface Command Purpose Step 1 configure terminal Enter global configuration mode Step 2 line console vty line number Identify a specific line for configuration and enter in line configuration mode Enter console for the console terminal line The console port is DCE Enter vty for a virtua...

Page 555: ...plied to the interface and permits all packets Remember this behavior if you use undefined ACLs for network security Displaying ACL Information You can display the ACLs that are configured on the switch and you can display the ACLs that have been applied to physical and management interfaces This section consists of these topics Displaying ACLs page 29 21 Displaying Access Groups page 29 22 Displa...

Page 556: ... 20 Standard IP access list 34 permit 10 24 35 56 permit 23 45 56 34 Extended IP access list 120 Displaying Access Groups Note This feature is available only if your switch is running the EI You use the ip access group interface configuration command to apply ACLs to a Layer 3 interface When IP is enabled on an interface you can use the show ip interface interface id privileged EXEC command to vie...

Page 557: ...Gigabit Ethernet interface 0 1 Switch show running config interface gigabitethernet0 1 Building configuration Current configuration 112 bytes interface GigabitEthernet0 1 ip access group 11 in snmp trap link status no cdp enable end Examples for Compiling ACLs For detailed information about compiling ACLs refer to the Security Configuration Guide and the IP Services chapter of the Cisco IOS IP and...

Page 558: ...20 128 64 Switch config access list 6 permit 172 20 128 64 0 0 0 0 Switch config end Switch config interface gigabitethernet0 1 Switch config if ip access group 6 in This example uses an extended ACL to deny traffic from port 80 HTTP It permits all other types of traffic Switch config access list 106 deny tcp any any eq 80 Switch config access list 106 permit ip any any Switch config interface gig...

Page 559: ...ber on the other end The same port numbers are used throughout the life of the connection Mail packets coming in from the Internet have a destination port of 25 Because the secure system behind the switch always accepts mail connections on port 25 the incoming services are controlled Named ACL Example The Marketing_group ACL allows any TCP Telnet traffic to the destination address and wildcard 171...

Page 560: ...s list 100 remark Do not allow Smith to browse the web Switch config access list 100 deny host 171 69 3 13 any eq www In this example of a named ACL the Jones subnet is not allowed access Switch config ip access list standard prevention Switch config std nacl remark Do not allow Jones subnet through Switch config std nacl deny 171 69 0 0 0 0 255 255 In this example of a named ACL the Jones subnet ...

Page 561: ... complete syntax and usage information for the commands used in this chapter refer to the command reference for this release The switch supports some of the modular QoS CLI MQC commands For more information about the MQC commands refer to the Modular Quality of Service Command Line Interface Overview at this URL http www cisco com univercd cc td doc product software ios122 122cgcr fqos_c fqcprt8 q...

Page 562: ...1 on page 30 1 Typically networks operate on a best effort delivery basis which means that all traffic has equal priority and an equal chance of being delivered in a timely manner When congestion occurs all traffic has an equal chance of being dropped When you configure the QoS feature you can select specific network traffic prioritize it according to its relative importance and use congestion man...

Page 563: ...the packet is expected to happen closer to the edge of the network so that the core switches and routers are not overloaded Switches and routers along the path can use the class information to limit the amount of resources allocated per traffic class The behavior of an individual device when handling traffic in the DiffServ architecture is called per hop behavior If all devices along a path have a...

Page 564: ...cides what to do with the packet pass through a packet without modification mark down the DSCP value in the packet or drop the packet For more information see the Policing and Marking section on page 30 7 Actions at the egress interface include queueing and scheduling Queueing evaluates the CoS value and determines which of the four egress queues in which to place the packet Scheduling services th...

Page 565: ...default port CoS value and classifies traffic based on the CoS value For IP traffic you have these classification options Trust the IP DSCP in the incoming packet configure the port to trust DSCP The switch assigns the same DSCP to the packet for internal use The IETF defines the 6 most significant bits of the 1 byte ToS field as the DSCP The priority represented by a particular DSCP value is conf...

Page 566: ...ific traffic flow or class from all other traffic The class map defines the criteria used to match against a specific traffic flow to further classify it the criteria can include matching the access group defined by the ACL If you have more than one type of traffic that you want to classify you can create another class map and use a different name After a packet is matched against the class map cr...

Page 567: ... bandwidth limits specified in the policer separately to each matched traffic class You configure this type of policer within a policy map by using the policy map configuration command When configuring policing and policers keep these items in mind By default no policers are configured Policers can only be configured on a physical port There is no support for policing at a VLAN level Only one poli...

Page 568: ...set up 802 1p CoS on a Catalyst 2950 or Catalyst 2955 switch that operates with the Catalyst 6000 family of switches refer to the Catalyst 6000 documentation There are differences in the 802 1p implementation that you should understand to ensure compatibility Port Priority Frames received from users in the administratively defined VLANs are classified or tagged for transmission to other devices Ba...

Page 569: ...rresponds to the relative importance of the queue For example if one queue has a weight of 3 and another has a weight of 4 three packets are sent from the first queue for every four that are sent from the second queue By using this scheduling low priority queues have the opportunity to send packets even though the high priority queues are not empty Strict priority and WRR scheduling Strict priorit...

Page 570: ...ous Software Release page 30 14 Enabling Auto QoS for VoIP page 30 14 Generated Auto QoS Configuration When auto QoS is enabled it uses the ingress packet label to classify traffic and to configure the egress queues as described in Table 30 2 Table 30 3 lists the generated auto QoS configuration for the egress queues Table 30 2 Traffic Types Packet Labels and Egress Queues VoIP1 Data Traffic 1 VoI...

Page 571: ... When you enter the auto qos voip trust interface configuration command on a port connected to the interior of the network the switch trusts the CoS value in ingress packets the assumption is that traffic has already been classified by other edge devices The switch configures egress queues on the port according to the settings in Table 30 3 For information about the trusted boundary feature see th...

Page 572: ...SoftPhone to an ingress interface on which auto QoS with the Cisco SoftPhone feature is enabled Switch config if service policy input AutoQoS Police SoftPhone The switch automatically assigns egress queue usage as shown in Table 30 3 on page 30 10 on this interface The switch enables the egress expedite queue and assigns WRR weights to queues 1 2 and 3 The lowest value for a WRR queue is 1 When th...

Page 573: ...1 20 EA2 or later auto QoS configures the switch for VoIP with Cisco IP Phones and with devices running the Cisco SoftPhone application Note When a device running Cisco SoftPhone is connected to a port the switch supports only one Cisco SoftPhone application per port To take advantage of the auto QoS defaults you should enable auto QoS before you configure other QoS commands If necessary you can f...

Page 574: ...VoIP Beginning in privileged EXEC mode follow these steps to enable auto QoS for VoIP within a QoS domain Command Purpose Step 1 configure terminal Enter global configuration mode Step 2 interface interface id Specify the interface that is connected to a Cisco IP Phone and enter interface configuration mode You also can specify the uplink interface that is connected to another trusted witch or rou...

Page 575: ...nd section on page 32 21 This example shows how to enable auto QoS and to trust the QoS labels in incoming packets when the device connected to the interface is detected as a Cisco IP Phone Switch config interface fastethernet0 1 Switch config if auto qos voip cisco phone This example shows how to enable auto QoS and to trust the QoS labels in incoming packets when the switch or router connected t...

Page 576: ...The intelligent wiring closets in Figure 30 3 are composed of Catalyst 2950 switches running the EI and Catalyst 3550 switches The object of this example is to prioritize the VoIP traffic over all other traffic To do so enable auto QoS on the switches at the edge of the QoS domains in the wiring closets 101234 Cisco router To Internet Trunk link Trunk link Cisco IP phones End stations Cisco IP pho...

Page 577: ...to QoS on the interface and specify that the interface is connected to a Cisco IP Phone The QoS labels of incoming packets are trusted only when the IP phone is detected Step 6 exit Return to global configuration mode Step 7 Repeat Steps 4 to 6 for as many ports as are connected to the Cisco IP Phone Step 8 interface interface id Specify the switch port identified as connected to a trusted switch ...

Page 578: ...an also display the QoS information as described in the Displaying Standard QoS Information section Default Standard QoS Configuration page 30 18 Configuration Guidelines page 30 19 Configuring Classification Using Port Trust States page 30 20 Configuring a QoS Policy page 30 26 Configuring CoS Maps page 30 34 Configuring the Egress Queues page 30 37 Default Standard QoS Configuration This is the ...

Page 579: ... and routing update packets that the switch receives Only an ACL that is created for physical interfaces can be attached to a class map Only one ACL per class map and only one match command per class map are supported The ACL can have multiple access control entries which are commands that match fields against the contents of the packet Policy maps with ACL classification in the egress direction a...

Page 580: ...in are classified at the edge of the QoS domain When the packets are classified at the edge the switch port within the QoS domain can be configured to one of the trusted states because there is no need to classify the packets at every switch within the QoS domain Figure 30 4 shows a sample network topology Table 30 5 Interaction Between Policy Maps and Security ACLs Policy Map Conditions Security ...

Page 581: ...ode follow these steps to configure the port to trust the classification of the traffic that it receives 101236 Trunk Trusted interface Traffic classification performed here Trusted boundary IP P1 P3 Command Purpose Step 1 configure terminal Enter global configuration mode Step 2 interface interface id Specify the interface to be trusted and enter interface configuration mode Valid interfaces incl...

Page 582: ... the packet CoS value dscp Classifies ingress packets with packet DSCP values For non IP packets the packet CoS value is set to 0 for tagged packets the default port CoS is used for untagged packets Internally the switch modifies the CoS value by using the DSCP to CoS map This keyword is available only if your switch is running the EI Note In software releases earlier than Cisco IOS Release 12 1 1...

Page 583: ...er types of traffic in the network By using the mls qos trust cos interface configuration command you configure the switch port to which the telephone is connected to trust the CoS labels of all traffic received on that port Command Purpose Step 1 configure terminal Enter global configuration mode Step 2 interface interface id Specify the interface to be trusted and enter interface configuration m...

Page 584: ...this command is entered and the port is connected to a Cisco IP Phone the port does not trust the classification of traffic that it receives To disable trusted boundary use the no mls qos trust device interface configuration command If you enter the mls qos cos override interface configuration command the port does not trust the classification of the traffic that it receives even when it is connec...

Page 585: ...nable pass through mode Table 30 6 Port Configurations When Trusted Boundary is Enabled Port Configuration When a Cisco IP Phone is Present When a Cisco IP Phone is Absent The port trusts the CoS value of the incoming packet The packet CoS value is trusted The packet CoS value is assigned the default CoS value The port trusts the DSCP value of the incoming packet The packet DSCP value is trusted F...

Page 586: ...e and the mls qos trust cos dscp interface commands are already configured pass through mode is disabled Configuring a QoS Policy Note This feature is available only if your switch is running the EI Configuring a QoS policy typically requires classifying traffic into classes configuring policies applied to those traffic classes and attaching policies to interfaces For background information see th...

Page 587: ...nter global configuration mode Step 2 access list access list number permit remark source source wildcard host source any Create an IP standard ACL repeating the command as many times as necessary For access list number enter the ACL number The range is 1 to 99 and 1300 to 1999 Enter permit to specify whether to permit access if conditions are matched Enter remark to specify an ACL entry comment u...

Page 588: ...t For source wildcard enter the wildcard bits by placing ones in the bit positions that you want to ignore You specify the source and source wilcard by using dotted decimal notation by using the any keyword as an abbreviation for source 0 0 0 0 source wildcard 255 255 255 255 or by using the host keyword for source 0 0 0 0 For destination enter the network or host to which the packet is being sent...

Page 589: ...t After entering this command the mode changes to extended MAC ACL configuration Step 3 permit any host source MAC address any host destination MAC address aarp amber appletalk dec spanning decnet iv diagnostic dsm etype 6000 etype 8042 lat lavc sca mop console mop dump msdos mumps netbios vines echo vines ip xns idp Enter permit to permit access if conditions are matched Note Deny statements are ...

Page 590: ...rion to classify traffic Command Purpose Step 1 configure terminal Enter global configuration mode Step 2 access list access list number permit source source wildcard host source any or access list access list number permit remark protocol source source wildcard host source any operator port destination destination wildcard host destination any operator port dscp dscp value time range time range n...

Page 591: ...out of profile marking or dropping A policy map also has these characteristics A policy map can contain multiple class statements each with different match criteria and policers A separate policy map class can exist for each type of traffic received through an interface You can attach only one policy map per interface in the input direction Step 4 match access group acl index access group name acl...

Page 592: ...y Using ACLs section on page 30 27 Note Deny statements are not supported for QoS ACLs See the Classification Based on QoS ACLs section on page 30 5 for more details For more information on the mac access list extended name command see the Creating Named MAC Extended ACLs section on page 29 18 Step 3 policy map policy map name Create a policy map by entering the policy map name and enter policy ma...

Page 593: ...ngress Gigabit capable Ethernet ports and up to 6 policers on ingress 10 100 Ethernet ports For rate bps specify average traffic rate in bits per second bps The range is 1 Mbps to 100 Mbps for 10 100 Ethernet ports and 8 Mbps to 1000 Mbps for the Gigabit capable Ethernet ports For burst byte specify the normal burst size in bytes The values supported on the 10 100 ports are 4096 8192 16384 32768 a...

Page 594: ...tatements and attach it to an ingress interface The first permit statement allows traffic from the host with MAC address 0001 0000 0001 destined for the host with MAC address 0002 0000 0001 Switch config mac access list extended maclist1 Switch config ext mac permit host 0001 0000 0001 host 0002 0000 0001 Switch config ext mac exit Switch config mac access list extended maclist2 Switch config ext ...

Page 595: ...o modify and display the CoS to DSCP map Switch configure terminal Switch config mls qos map cos dscp 8 8 8 8 24 32 56 56 Switch config end Switch show mls qos maps cos dscp Cos dscp map cos 0 1 2 3 4 5 6 7 dscp 8 8 8 8 24 32 56 56 Table 30 7 Default CoS to DSCP Map CoS value 0 1 2 3 4 5 6 7 DSCP value 0 8 16 24 32 40 48 56 Command Purpose Step 1 configure terminal Enter global configuration mode ...

Page 596: ...ue 7 For the remaining DSCP values the DSCP to CoS mapping is the default Switch config mls qos map dscp cos 26 48 to 7 Switch config exit Switch show mls qos maps dscp cos Dscp cos map dscp 0 8 10 16 18 24 26 32 34 40 46 48 56 cos 0 1 1 2 2 3 7 4 4 5 5 7 7 Table 30 8 Default DSCP to CoS Map DSCP values 0 8 10 16 18 24 26 32 34 40 46 48 56 CoS values 0 1 2 3 4 5 6 7 Command Purpose Step 1 configur...

Page 597: ...Configuring CoS Priority Queues Beginning in privileged EXEC mode follow these steps to configure the CoS priority queues To disable the new CoS settings and return to default settings use the no wrr queue cos map global configuration command Command Purpose Step 1 configure terminal Enter global configuration mode Step 2 wrr queue cos map qid cos1 cosn Specify the queue ID of the CoS priority que...

Page 598: ...urpose Step 1 configure terminal Enter global configuration mode Step 2 wrr queue bandwidth weight1 weight4 Assign WRR weights to the four CoS queues These are the ranges for the WRR values For weight1 weight2 and weight3 the range is 1 to 255 For weight4 the range is 0 to 255 When weight4 is set to 0 queue 4 is configured as the expedite queue Note In software releases earlier than Cisco IOS Rele...

Page 599: ...map name 1 1 Available only on a switch running the EI Display QoS class maps which define the match criteria to classify traffic show policy map policy map name class class name 1 Display QoS policy maps which define classification criteria for incoming traffic show mls qos maps cos dscp dscp cos 1 Display QoS mapping information Maps are used to generate an internal DSCP value which represents t...

Page 600: ...es at the ingress ports by setting a default CoS priority switchport priority default default priority id interface configuration command for each port For IEEE 802 1Q frames with tag information the priority value from the header frame is used On the Catalyst 3524 PWR XL and 3548 XL switches you can override this priority with the default value by using the switchport priority default override in...

Page 601: ... global configuration mode Step 2 access list 1 permit 172 20 10 16 Define an IP standard ACL and permit traffic from the video server at 172 20 10 16 Step 3 class map videoclass Create a class map called videoclass and enter class map configuration mode Step 4 match access group 1 Define the match criterion by matching the traffic specified by ACL 1 Step 5 exit Return to global configuration mode...

Page 602: ...apter 30 Configuring QoS Standard QoS Configuration Examples Step 18 show class map videoclass show policy map videopolicy show mls qos maps cos dscp dscp cos Verify your entries Step 19 copy running config startup config Optional Save your entries in the configuration file Command Purpose ...

Page 603: ...ng the load across the remaining links If a link fails EtherChannel redirects traffic from the failed link to the remaining links in the channel without intervention This chapter consists of these sections Understanding EtherChannels page 31 1 Configuring EtherChannels page 31 7 Displaying EtherChannel PAgP and LACP Status page 31 14 Note For complete syntax and usage information for the commands ...

Page 604: ... within an EtherChannel fails traffic previously carried over that failed link changes to the remaining links within the EtherChannel A trap is sent for a failure identifying the switch the EtherChannel and the failed link Inbound broadcast and multicast packets on one link in an EtherChannel are blocked from returning on any other link of the EtherChannel Understanding Port Channel Interfaces Whe...

Page 605: ...els by exchanging packets between Ethernet interfaces PAgP is a Cisco proprietary protocol that can be run only on Cisco switches and on those switches licensed by licensed vendors to support PAgP LACP is defined in IEEE 802 3ad and allows Cisco switches to manage Ethernet channels between switches that conform to the 802 3ad protocol By using one of these protocols a switch learns the identity of...

Page 606: ...ch is connected to a partner that is PAgP capable you can configure the switch interface for nonsilent operation by using the non silent keyword If you do not specify non silent with the auto or desirable mode silent mode is assumed The silent mode is used when the switch is connected to a device that is not PAgP capable and seldom if ever sends packets An example of a silent partner is a file ser...

Page 607: ...ot be configured in both the PAgP and LACP modes Caution You should exercise care when setting the mode to on manual configuration All ports configured in the on mode are bundled in the same group and are forced to have similar characteristics If the group is misconfigured packet loss or spanning tree loops might occur Physical Learners and Aggregate Port Learners Network devices are classified as...

Page 608: ...nt ports in the channel but packets from the same host use the same port in the channel and the MAC address learned by the switch does not change With destination MAC address forwarding when packets are forwarded to an EtherChannel they are distributed across the ports in the channel based on the destination host s MAC address of the incoming packet Therefore packets to the same destination are fo...

Page 609: ...g EtherChannel Load Balancing page 31 11 Configuring the PAgP Learn Method and Priority page 31 12 Note Make sure that the interfaces are correctly configured see the EtherChannel Configuration Guidelines section on page 31 8 Note After you configure an EtherChannel configuration changes applied to the port channel interface apply to all the physical interfaces assigned to the port channel interfa...

Page 610: ...the first port to be added to the group If you change the configuration of one of these parameters you must also make the changes to all ports in the group Allowed VLAN list Spanning tree path cost for each VLAN Spanning tree port priority for each VLAN Spanning tree Port Fast setting Do not configure a secure port as part of an EtherChannel Do not configure a port that is an active or a not yet a...

Page 611: ... make interfaces incompatible for the formation of an EtherChannel Configure only PAgP type EtherChannels on Catalyst 2950 Long Reach Ethernet LRE switch ports Configuring Layer 2 EtherChannels You configure Layer 2 EtherChannels by configuring the Ethernet interfaces with the channel group interface configuration command which creates the port channel logical interface You cannot put a Layer 2 in...

Page 612: ...aces by sending PAgP packets on Forces the interface to channel without PAgP With the on mode a usable EtherChannel exists only when an interface group in the on mode is connected to another interface group in the on mode non silent If your switch is connected to a partner that is PAgP capable you can configure the switch interface for nonsilent operation You can configure an interface with the no...

Page 613: ... global configuration mode Step 2 port channel load balance dst mac src mac Configure an EtherChannel load balancing method The default is src mac Select one of these keywords to determine the load distribution method dst mac Load distribution is based on the destination host MAC address of the incoming packet Packets to the same destination are sent on the same port but packets to different desti...

Page 614: ...rface configuration command set to auto or desirable the switch automatically uses the load distribution method based on the source MAC address regardless of the configured load distribution method If the link partner to the Catalyst 2950 or Catalyst 2955 switch is a physical learner that has the channel group interface configuration command set to on set the load distribution method based on the ...

Page 615: ...alue of 32768 Note If LACP is not able to aggregate all the ports that are compatible for example the remote system might have more restrictive hardware limitations all the ports that cannot be actively included in the EtherChannel are put in hot standby state and are used only if one of the channeled ports fails Configuring the LACP System Priority You can set the system priority for all of the E...

Page 616: ...LACP Status Command Description show etherchannel channel group number detail load balance port port channel summary Displays EtherChannel information in a detailed and one line summary form Also displays the load balance or frame distribution scheme port and port channel information show pagp channel group number counters internal neighbor 1 1 You can clear PAgP channel group information and traf...

Page 617: ...elease and the Cisco IOS Command Summary for Cisco IOS Release 12 1 This chapter consists of these sections Using Recovery Procedures page 32 1 Preventing Autonegotiation Mismatches page 32 14 GBIC and SFP Module Security and Identification page 32 14 Diagnosing Connectivity Problems page 32 15 Diagnosing LRE Connection Problems page 32 18 Using Debug Commands page 32 19 Using the show controllers...

Page 618: ...are to 9600 baud Step 3 Disconnect the switch power cord Step 4 Reconnect the power cord to the switch The software image does not load The switch starts in boot loader mode which is indicated by the switch prompt Step 5 Use the boot loader to enter commands and start the transfer switch copy xmodem flash image_filename bin Step 6 When the Xmodem request appears use the appropriate command on the ...

Page 619: ...e port Step 7 Load any helper files switch load_helper Step 8 Display the contents of flash memory switch dir flash The switch file system appears in the directory Step 9 Rename the configuration file to config text old This file contains the password definition switch rename flash config text flash config text old Step 10 Boot the system switch boot You are prompted to start the setup program Ent...

Page 620: ... an end user to reset a password only by agreeing to return to the default configuration If you are an end user trying to reset a password and password recover has been disabled a status message shows this during the recovery process Follow these steps if you have forgotten or lost the switch password Step 1 Connect a terminal or PC with terminal emulation software to the switch console port Step ...

Page 621: ...rd recovery is enabled Step 1 Initialize the flash file system switch flash_init Step 2 If you had set the console port speed to anything other than 9600 it has been reset to that particular speed Change the emulation software line speed to match that of the switch console port Step 3 Load any helper files switch load_helper Step 4 Display the contents of flash memory switch dir flash The switch f...

Page 622: ...Note This procedure is likely to leave your switch VLAN interface in a shutdown state You can see which interface is in this state by entering the show running config privileged EXEC command To re enable the interface enter the interface vlan vlan id global configuration command and specify the VLAN ID of the shutdown interface With the switch in interface configuration mode enter the no shutdown ...

Page 623: ...tion y n Y Step 2 Load any helper files Switch load_helper Step 3 Display the contents of flash memory switch dir flash The switch file system appears in the directory Step 4 Boot the system Switch boot You are prompted to start the setup program To continue with password recovery enter N at the prompt Continue with the configuration dialog yes no N Step 5 At the switch prompt enter privileged EXE...

Page 624: ...different for each operating system On a SUN work station running UNIX Ctrl C is the break key On a PC running Windows 2000 Ctrl Break is the break key Cisco TAC has tabulated break keys for most common operating systems and an alternative break key sequence for those terminal emulators that do not support the break keys Refer to http www cisco com warp public 701 61 html how to for that list Foll...

Page 625: ...rt speed to anything other than 9600 it has been reset to that particular speed Change the emulation software line speed to match that of the switch console port Step 7 Load any helper files switch load_helper Step 8 Display the contents of flash memory as in this example switch dir flash Directory of flash The switch file system appears in the directory Step 9 Rename the configuration file to con...

Page 626: ...ing redundancy to a cluster If you have not configured a standby command switch and your command switch loses power or fails in some other way management contact with the member switches is lost and you must install a new command switch However connectivity between switches that are still connected is not affected and the member switches forward packets as usual You can manage the members as stand...

Page 627: ... enter privileged EXEC mode Switch enable Switch Step 5 Enter the password of the failed command switch Step 6 Enter global configuration mode Switch configure terminal Enter configuration commands one per line End with CNTL Z Step 7 Remove the member switch from the cluster Switch config no cluster commander address Step 8 Return to privileged EXEC mode Switch config end Switch Step 9 Use the set...

Page 628: ... the cluster command switch and press Return Step 14 When prompted assign a name to the cluster and press Return The cluster name can be 1 to 31 alphanumeric characters dashes or underscores Step 15 After the initial configuration appears verify that the addresses are correct Step 16 If the displayed information is correct enter Y and press Return If this information is not correct enter N press R...

Page 629: ...and press Return to start the setup program Step 7 Respond to the questions in the setup program When prompted for the host name recall that on a command switch the host name is limited to 28 characters Do not use n where n is a number as the last characters in a host name for any switch When prompted for the Telnet virtual terminal password recall that it can be from 1 to 25 alphanumeric characte...

Page 630: ...s reducing performance A mismatch occurs under these circumstances A manually set speed or duplex parameter is different from the manually set speed or duplex parameter on the connected port A port is set to autonegotiate and the connected port is set to full duplex with no autonegotiation To maximize switch performance and ensure a link follow one of these guidelines when changing the settings fo...

Page 631: ...ng The switch supports IP ping which you can use to test connectivity to remote hosts Ping sends an echo request packet to an address and waits for a reply Ping returns one of these responses Normal response The normal response hostname is alive occurs in 1 to 10 seconds depending on network traffic Destination does not respond If the host does not respond a no answer message is returned Unknown h...

Page 632: ...al Path page 32 18 Understanding Layer 2 Traceroute The Layer 2 traceroute feature allows the switch to identify the physical path that a packet takes from a source device to a destination device Layer 2 traceroute supports only unicast source and destination MAC addresses It determines the path by using the MAC address tables of the switches in the path When the switch detects a device in the pat...

Page 633: ...resses that belong to different VLANs the Layer 2 path is not identified and an error message appears If you specify a multicast source or destination MAC address the path is not identified and an error message appears If the source or destination MAC address belongs to multiple VLANs you must specify the VLAN to which both the source and destination MAC addresses belong If the VLAN is not specifi...

Page 634: ...ises equipment CPE device upgrade troubleshooting information see the Upgrading LRE Switch Firmware section on page 13 23 Table 32 2 LRE Port Problems Problem Suspected Cause and Suggested Solution Amber LRE port LED The switch and CPE device are unable to establish an LRE link using the selected profile Change to a profile with a lower data rate for example use LRE 5 instead of LRE 15 Reduce the ...

Page 635: ... Reduce the effect of stubs or bridge taps by terminating them with 300 ohm microfilters Ethernet performance degradation due to excessive network latency The interleave feature introduces extra latency to increase noise margin Adjust upper layer network protocols to allow for high latency Change to a profile with a higher data rate to increase link bandwidth This decreases the noise margin Choose...

Page 636: ... debug command and no output appears consider these possibilities The switch might not be properly configured to generate the type of traffic that you want to monitor Use the show running config command to verify the configuration Even if the switch is properly configured it might not generate the type of traffic that you want to monitor during the particular period that debugging is enabled Depen...

Page 637: ...st overhead of any method For more information about system message logging see Chapter 27 Configuring System Message Logging Using the debug auto qos Command You can use the debug auto qos privileged EXEC command to display quality of service QoS commands that are automatically generated when automatic QoS auto QoS is enabled Beginning in privileged EXEC mode follow these steps to display the QoS...

Page 638: ...ion about the fields in the command output refer to the switch command reference for this release Step 5 end Return to privileged EXEC mode Step 6 show auto qos interface interface id Verify your entries This command displays the auto QoS configuration that was initially applied it does not display any user changes to the configuration that might be in effect Command Purpose Table 32 3 Commands fo...

Page 639: ...ctory on the flash file system flash crashinfo crashinfo_n where n is a sequence number Each new crashinfo file that is created uses a sequence number that is larger than any previously existing sequence number so the file with the largest sequence number describes the most recent failure Version numbers are used instead of a timestamp because the switches do not include a real time clock You cann...

Page 640: ...32 24 Catalyst 2950 and Catalyst 2955 Switch Software Configuration Guide 78 11380 10 Chapter 32 Troubleshooting Using the crashinfo File ...

Page 641: ...Y MIB CISCO ENVMON MIB and CISCO ENTITY ALARM MIB BRIDGE MIB RFC1493 CISCO 2900 MIB CISCO BULK FILE MIB CISCO CDP MIB CISCO CLUSTER MIB CISCO_CONFIG_COPY_MIB CISCO CONFIG MAN MIB CISCO ENTITY MIB CISCO ENTITY ALARM MIB Catalyst 2955 only CISCO ENTITY VENDORTYPE OID MIB CISCO_ENVMON_MIB CISCO FLASH MIB CISCO FTP CLIENT MIB CISCO IETF VDSL LINE MIB Catalyst 2950 Long Reach Ethernet LRE only CISCO IG...

Page 642: ... and sub_rtt_rmonlib CISCO SMI CISCO_STACKMAKER_MIB CISCO STP EXTENSIONS MIB CISCO SYSLOG MIB CISCO TC CISCO TCP MIB CISCO VLAN MEMBERSHIP MIB CISCO VTP MIB ENTITY MIB IEEE8021 PAE MIB IANAifType MIB IF MIB RFC 1573 OLD CISCO CHASSIS MIB OLD CISCO CPU MIB OLD CISCO INTERFACES MIB OLD CISCO IP MIB OLD CISCO MEMORY MIB OLD CISCO SYSTEM MIB OLD CISCO TCP MIB OLD CISCO TS MIB RFC1213 MIB RFC1398 MIB R...

Page 643: ...the MIB Files You can obtain each MIB file by using this procedure Step 1 Use FTP to access the server ftp cisco com Step 2 Log in with the username anonymous Step 3 Enter your e mail username when prompted for the password Step 4 At the ftp prompt change directories to pub mibs v1 and the pub mibs v2 Step 5 Use the get MIB_filename command to obtain a copy of the MIB file You can also access info...

Page 644: ...A 4 Catalyst 2950 and Catalyst 2955 Switch Software Configuration Guide 78 11380 10 Appendix A Supported MIBs Using FTP to Access the MIB Files ...

Page 645: ...sists of these sections Working with the Flash File System page B 1 Working with Configuration Files page B 8 Working with Software Images page B 19 Working with the Flash File System The flash file system on your switch provides several commands to help you manage software image and configuration files The flash file system is a single flash device on which you can store files This flash device i...

Page 646: ...118592 flash rw flash 16128000 11118592 unknown rw zflash 32768 26363 nvram rw nvram network rw tftp opaque rw null opaque rw system opaque ro xmodem opaque ro ymodem network rw rcp network rw ftp Table B 1 show file systems Field Descriptions Field Value Size b Amount of memory in the file system in bytes Free b Amount of free memory in the file system in bytes Type Type of file system flash The ...

Page 647: ... its contents For example before copying a new configuration file to flash memory you might want to verify that the file system does not already contain a configuration file with the same name Similarly before copying a flash configuration file to another location you might want to verify its filename for use in another command Flags Permission for file system ro read only rw read write wo write o...

Page 648: ...out each of the files on a file system show file information file url Display information about a specific file show file descriptors Display a list of open file descriptors File descriptors are the internal representations of open files You can use this command to see if another user has a file open Command Purpose Step 1 dir filesystem Display the directories on the specified file system For fil...

Page 649: ...VRAM section of flash memory to be used as the configuration during system initialization You can also copy to and from special file systems xmodem ymodem as the source or destination for the file from a network machine that uses the Xmodem or Ymodem protocol Network file system URLs include ftp rcp and tftp and have these syntaxes FTP ftp username password location directory filename Remote Copy ...

Page 650: ...ice Switch delete myconfig Creating Displaying and Extracting tar Files You can create a tar file and write files into it list the files in a tar file and extract the files from a tar file as described in the next sections Creating a tar File To create a tar file and write files into it use the privileged EXEC command archive tar create destination url flash file url For destination url specify th...

Page 651: ...121 21 EA1 directory c2950lre i6l2q4 mz 121 21 EA1 html directory c2950lre i6l2q4 mz 121 21 EA1 html foo html 0 bytes c2950lre i6l2q4 mz 121 21 EA1 c2950lre i6l2q4 mz 121 21 EA1 bin 610856 bytes c2950lre i6l2q4 mz 121 21 EA1 info 219 bytes info ver 219 bytes This example shows how to display only the c2950lre i6l2q4 mz 121 21 EA1 html directory and its contents Switch archive tar table flash c2950...

Page 652: ...ng the setup program or by entering the setup privileged EXEC command For more information see Chapter 5 Assigning the Switch IP Address and Default Gateway You can copy download configuration files from a TFTP FTP or RCP server to the running configuration or startup configuration of the switch You might want to perform this for one of these reasons To restore a backed up configuration file To us...

Page 653: ... enable secret secret password global configuration command Enter a blank line for this command The password is saved in the configuration file as clear text If passwords already exist you cannot enter the enable secret secret password global configuration command in the file because the password verification will fail If you enter a password in the configuration file the switch mistakenly attempt...

Page 654: ...uration file Step 1 Copy an existing configuration from a switch to a server For more information see the Downloading the Configuration File By Using TFTP section on page B 11 the Downloading a Configuration File By Using FTP section on page B 13 or the Downloading a Configuration File By Using RCP section on page B 17 Step 2 Open the configuration file in a text editor such as vi or emacs on UNIX...

Page 655: ...ly tftpboot on a UNIX workstation For download operations ensure that the permissions on the file are set correctly The permission on the file should be world read Before uploading the configuration file you might need to create an empty file on the TFTP server To create an empty file enter the touch filename command where filename is the name of the file you will use when uploading it to the serv...

Page 656: ...ilename copy nvram startup config tftp location directory filename The file is uploaded to the TFTP server This example shows how to upload a configuration file from a switch to a TFTP server Switch copy system running config tftp 172 16 2 155 tokyo confg Write file tokyo confg on host 172 16 2 155 confirm y Writing tokyo confg OK Copying Configuration Files By Using FTP You can copy configuration...

Page 657: ...twork if you do not have a router to route traffic between subnets Check connectivity to the FTP server by using the ping command If you are accessing the switch through the console or a Telnet session and you do not have a valid username make sure that the current FTP username is the one that you want to use for the FTP download You can enter the show users privileged EXEC command to view the val...

Page 658: ...g end Switch copy ftp nvram startup config Address of remote host 255 255 255 255 172 16 101 101 Name of configuration file rtr2 confg host2 confg Configure using host2 confg from 172 16 101 101 confirm Connected to 172 16 101 101 Loading 1112 byte file host2 confg OK OK Switch SYS 5 CONFIG_NV Non volatile store configured from host2 config by ftp from 172 16 101 101 Uploading a Configuration File...

Page 659: ...tch Unlike TFTP which uses User Datagram Protocol UDP a connectionless protocol RCP uses TCP which is connection oriented To use RCP to copy files the server from or to which you will be copying files must support RCP The RCP copy commands rely on the rsh server or daemon on the remote system To copy files by using RCP you do not need to create a server for file distribution as you do with TFTP Yo...

Page 660: ...ile By Using RCP Before you begin downloading or uploading a configuration file by using RCP do these tasks Ensure that the workstation acting as the RCP server supports the remote shell rsh Ensure that the switch has a route to the RCP server The switch and the server must be in the same subnetwork if you do not have a router to route traffic between subnets Check connectivity to the RCP server b...

Page 661: ...guration Switch configure terminal Switch config ip rcmd remote username netadmin1 Switch config end Switch copy rcp nvram startup config Address of remote host 255 255 255 255 172 16 101 101 Name of configuration file rtr2 confg host2 confg Configure using host2 confg from 172 16 101 101 confirm Connected to 172 16 101 101 Loading 1112 byte file host2 confg OK OK Switch SYS 5 CONFIG_NV Non volati...

Page 662: ...itch config ip rcmd remote username netadmin2 Switch config end Switch copy nvram startup config rcp Remote host 172 16 101 101 Name of configuration file to write switch2 confg Write file switch2 confg on host 172 16 101 101 confirm OK Command Purpose Step 1 Verify that the RCP server is properly configured by referring to the Preparing to Download or Upload a Configuration File By Using RCP sect...

Page 663: ...bout the file prompt command refer to the Cisco IOS Command Reference for Release 12 1 Caution You cannot restore a file after it has been deleted Working with Software Images This section describes how to archive download and upload software image files which contain the system software Cisco IOS code and the web management HTML files You download a switch image file from a TFTP FTP or RCP server...

Page 664: ... or downloaded from Cisco com are provided in a tar file format which contains these files info file The info file is always at the beginning of the tar file and has information about the files within it Cisco IOS image Web management files needed by the HTTP server on the switch LRE binary files needed for the proper functioning of LRE interfaces and LRE CPE devices info ver file The info ver fil...

Page 665: ...ftpboot Make sure that the etc services file contains this line tftp 69 udp Note You must restart the inetd daemon after modifying the etc inetd conf and etc services files To restart the daemon either stop the inetd process and restart it or enter a fastboot command on the SunOS 4 x or a reboot command on Solaris 2 x or SunOS 5 x For more information on the TFTP daemon refer to the documentation ...

Page 666: ...TP server is properly configured see the Preparing to Download or Upload an Image File By Using TFTP section on page B 21 Step 2 Log into the switch through the console port or a Telnet session Step 3 archive download sw overwrite reload tftp location directory image name tar Download the image file from the TFTP server to the switch and overwrite the current image The overwrite option overwrites ...

Page 667: ...point to the newly installed image If you kept the old image during the download process you specified the leave old sw keyword you can remove it by entering the delete force recursive filesystem file url privileged EXEC command For filesystem use flash for the system board flash device For file url enter the directory name of the old image All the files in the directory and the directory are remo...

Page 668: ...ile By Using FTP You can copy images files to or from an FTP server The FTP protocol requires a client to send a remote username and password on each FTP request to a server When you copy an image file from the switch to a server by using FTP the software sends the first valid username in this list The username specified in the archive download sw or archive upload sw privileged EXEC command if a ...

Page 669: ...chive operations The new username is stored in NVRAM If you are accessing the switch through a Telnet session and you have a valid username this username is used and you do not need to set the FTP username Include the username in the archive download sw or archive upload sw privileged EXEC command if you want to specify a username for that operation only When you upload an image file to the FTP se...

Page 670: ...ge in flash with the downloaded image The reload option reloads the system after downloading the image unless the configuration has been changed and not been saved For username password specify the username and password these must be associated with an account on the FTP server For more information see the Preparing to Download or Upload an Image File By Using FTP section on page B 24 For location...

Page 671: ...S have been installed with the existing image Beginning in privileged EXEC mode follow these steps to upload an image to an FTP server Command Purpose Step 1 Verify that the FTP server is properly configured by referring to the Preparing to Download or Upload a Configuration File By Using FTP section on page B 13 Step 2 Log into the switch through the console port or a Telnet session Step 3 config...

Page 672: ...CP to copy files the server from or to which you will be copying files must support RCP The RCP copy commands rely on the rsh server or daemon on the remote system To copy files by using RCP you do not need to create a server for file distribution as you do with TFTP You only need to have access to a server that supports the remote shell rsh Most UNIX systems support rsh Because you are copying a ...

Page 673: ...rchive download sw or archive upload sw privileged EXEC command if you want to specify a username only for that operation When you upload an image to the RCP to the server it must be properly configured to accept the RCP write request from the user on the switch For UNIX systems you must add an entry to the rhosts file for the remote user on the RCP server For example suppose the switch contains t...

Page 674: ...ge The reload option reloads the system after downloading the image unless the configuration has been changed and not been saved For username specify the username For the RCP copy request to execute successfully an account must be defined on the network server for the remote username For more information see the Preparing to Download or Upload an Image File By Using RCP section on page B 28 For lo...

Page 675: ...the HTML pages associated with the CMS have been installed with the existing image Beginning in privileged EXEC mode follow these steps to upload an image to an RCP server Command Purpose Step 1 Verify that the RCP server is properly configured by referring to the Preparing to Download or Upload an Image File By Using RCP section on page B 28 Step 2 Log into the switch through the console port or ...

Page 676: ...ges Working with Software Images The archive upload sw privileged EXEC command builds an image file on the server by uploading these files in order info the Cisco IOS image the HTML files and info ver After these files are uploaded the upload algorithm creates the tar file format Caution For the download and upload algorithms to operate properly do not rename image names ...

Page 677: ...ccess control parameter See ACP access denied response VMPS 17 25 access groups viewing 29 22 29 23 accessing clusters switch 7 14 command switches 7 12 member switches 7 14 switch clusters 7 14 access lists See ACLs access ports defined 11 2 in switch clusters 7 10 accounting with 802 1x 10 5 10 20 with RADIUS 9 28 with TACACS 9 11 9 17 ACEs defined 29 2 Ethernet 29 2 IP 29 2 Layer 3 parameters 2...

Page 678: ...29 8 protocol parameters 29 10 standard IP configuring for QoS classification 30 27 creating 29 9 matching criteria 29 7 time ranges 29 15 unsupported features 29 7 ACP system defined mask 29 4 understanding 29 4 user defined mask 29 4 addresses displaying the MAC address table 8 28 dynamic accelerated aging 14 8 changing the aging time 8 23 default aging 14 8 defined 8 21 learning 8 22 removing 8...

Page 679: ...d new switches 7 10 connectivity 7 5 management VLANs 7 8 7 9 non CDP capable devices 7 7 non cluster capable devices 7 7 creating a cluster standby group 7 21 in switch clusters 7 5 See also CDP automatic QoS See QoS automatic recovery clusters 7 11 See also HSRP autonegotiation interface configuration guidelines 11 11 mismatches 32 14 auxiliary VLAN See voice VLAN B BackboneFast described 16 9 e...

Page 680: ...hold 3 8 Catalyst 2955 continued configuring the power supply alarm setting the power mode 3 4 3 5 setting the power supply alarm options 3 5 configuring the temperature alarms associating the temperature alarms to a relay 3 7 setting a secondary temperature threshold 3 6 default alarm configuration 3 4 displaying Catalyst 2955 switch alarms 3 11 enabling SNMP traps 3 11 FCS error hysteresis thres...

Page 681: ...features enabling and disabling 2 6 keystroke editing 2 7 wrapped lines 2 8 error messages 2 5 getting help 2 3 history changing the buffer size 2 5 described 2 5 disabling 2 6 recalling commands 2 6 CLI continued managing clusters 7 23 no and default forms of commands 2 4 client mode VTP 18 3 clock See system clock clusters switch accessing 7 14 adding member switches 7 19 automatic discovery 7 5...

Page 682: ...14 defined 7 2 enabling 7 18 passive PC 7 11 7 21 password privilege levels 7 24 command switch continued priority 7 11 recovery from command switch failure 7 11 from failure 32 10 from lost member connectivity 32 14 redundant 7 11 7 21 replacing with another switch 32 12 with cluster member 32 11 requirements 7 3 standby SC 7 11 7 21 See also candidate switch cluster standby group member switch a...

Page 683: ...ation settings saving 5 11 configure terminal command 11 5 configuring duplex mode 13 11 for an LRE upgrade 13 24 LRE ports 13 8 speed on Cisco 575 LRE CPE 13 11 config vlan mode 2 2 17 6 conflicts configuration 32 14 connections secure remote 9 33 connectivity problems 32 15 consistency checks in VTP version 2 18 4 console port connecting to 2 9 conventions command xxx for examples xxx publicatio...

Page 684: ...DHCP option 82 20 5 DHCP snooping 20 5 DNS 8 18 EtherChannel 31 8 IGMP filtering 21 22 IGMP snooping 21 6 IGMP throttling 21 22 initial switch information 5 3 default configuration continued Layer 2 interfaces 11 9 MAC address table 8 23 MSTP 15 12 MVR 21 17 NTP 8 4 optional spanning tree features 16 13 password and privilege level 9 2 QoS 30 18 RADIUS 9 20 RMON 26 3 RSPAN 25 7 SNMP 28 6 SPAN 25 7...

Page 685: ...ssage exchange process 20 4 option 82 data insertion 20 3 trusted interface 20 2 untrusted interface 20 2 untrusted messages 20 2 DHCP snooping binding database described 20 2 displaying 20 8 entries 20 2 DHCP snooping binding table See DHCP snooping binding database Differentiated Services architecture QoS 30 2 Differentiated Services Code Point 30 3 digital telephone networks 1 7 directories cha...

Page 686: ...nment variables function of 5 15 location in Flash 5 14 error messages during command entry 2 5 setting the display destination device 27 4 severity levels 27 8 system message format 27 2 EtherChannel automatic creation of 31 3 configuration guidelines 31 8 default configuration 31 8 destination MAC address forwarding 31 6 displaying status 31 14 forwarding methods 31 11 interaction with STP 31 8 ...

Page 687: ...es copying B 5 deleting B 5 displaying the contents of B 8 tar creating B 6 displaying the contents of B 7 extracting B 7 image file format B 20 files crashinfo description 32 23 displaying the contents of 32 23 location 32 23 file system displaying available file systems B 2 displaying file information B 3 local file system names B 1 network file system names B 5 setting the default B 3 filtering...

Page 688: ...2 6 history table level and number of syslog messages 27 10 host names abbreviations appended to 7 21 in clusters 7 15 hosts limit on dynamic ports 17 31 HP OpenView 1 8 HSRP automatic cluster recovery 7 14 cluster standby group considerations 7 12 See also clusters cluster standby group and standby command switch I ICMP ping executing 32 15 overview 32 15 IDS using with SPAN and RSPAN 25 2 IE2100...

Page 689: ...0 Series CNS Agents See IE2100 interface number 11 4 range macros 11 7 interface command 11 4 11 5 interface configuration mode 2 3 interfaces Cisco IOS supported 1 8 configuration guidelines 11 10 configuring 11 5 configuring duplex mode 11 10 configuring speed 11 10 counters clearing 11 16 described 11 14 descriptive name adding 11 14 displaying information about 11 15 flow control 11 13 monitor...

Page 690: ... IP protocols in ACLs 29 12 IPv4 1 1 IPv6 1 1 IP version 4 1 1 IP version 6 1 1 ISDN 1 7 J Java plug in configuration 7 1 join messages IGMP 21 3 L LACP See EtherChannel Layer 2 frames classification with CoS 30 2 Layer 2 interfaces default configuration 11 9 Layer 2 traceroute and ARP 32 17 and CDP 32 17 described 32 16 IP addresses and subnets 32 17 MAC addresses and VLANs 32 17 multicast traffi...

Page 691: ...tics 13 7 described 13 1 link qualification 13 16 LRE links considerations 13 9 described 13 2 statistics 13 11 preventing loss of data 13 11 LRE ports continued rate selection described 13 14 sequences 13 5 troubleshooting 32 18 LRE profiles assigning global profiles 13 13 port sequences 13 14 private profiles 13 13 public profiles 13 12 considerations 13 10 described 13 2 rate selection 13 14 ta...

Page 692: ...r QoS configuring DSCP 30 34 DSCP to CoS 30 36 described 30 5 matching ACLs 29 7 maximum aging time MSTP 15 21 STP 14 22 maximum hop count MSTP 15 21 membership mode VLAN port 17 3 member switch adding 7 19 automatic discovery 7 5 defined 7 2 managing 7 23 passwords 7 14 recovering from lost connectivity 32 14 requirements 7 4 See also candidate switch cluster standby group and standby command swi...

Page 693: ...dary root switch 15 16 switch priority 15 19 CST defined 15 3 operations between regions 15 3 default configuration 15 12 MSTP continued default optional feature configuration 16 13 displaying status 15 23 enabling the mode 15 13 EtherChannel guard described 16 11 enabling 16 18 extended system ID effects on root switch 15 14 effects on secondary root switch 15 16 unexpected behavior 15 15 instanc...

Page 694: ...P ACLs 29 13 NameSpace Mapper See NSM native VLAN configuring 17 21 default 17 21 network examples collapsed backbone and switch cluster 1 14 design concepts cost effective wiring closet 1 11 high performance workgroup 1 11 network performance 1 10 network services 1 10 redundant Gigabit backbone 1 12 hotel network 1 15 large campus 1 19 long distance high bandwidth transport configuration 1 22 se...

Page 695: ...1 16 path cost MSTP 15 18 STP 14 19 PBX 1 15 PC passive command switch 7 11 7 21 performing an LRE upgrade 13 24 persistence LRE link 13 19 per VLAN spanning tree plus See PVST physical ports 11 1 PIM DVMRP as snooping method 21 8 ping character output description 32 16 executing 32 15 overview 32 15 plain old telephone service See POTS splitters and POTS telephones policers configuring for each m...

Page 696: ...psulation 10 2 initiation and message exchange 10 3 method lists 10 11 10 19 per user ACLs AAA authorization 10 19 ports authorization state and dot1x port control command 10 4 authorized and unauthorized 10 4 resetting to default values 10 18 software upgrade changes 10 11 switch as proxy 10 2 RADIUS client 10 2 topologies supported 10 5 port based authentication continued upgrading from a previo...

Page 697: ...ult for lines 9 9 command switch 7 24 exiting 9 10 logging into 9 10 mapping on member switches 7 24 overview 9 2 9 8 setting a command with 9 8 profile acquisition automatic 13 14 profile locking 13 15 profiles LRE considerations 13 10 default assigning 13 13 described 13 2 private assigning 13 13 public assigning 13 12 rate selection 13 14 See also LRE ports and CPE protected ports 1 3 22 4 prun...

Page 698: ...nd WRR 30 37 default port CoS value 30 23 egress queues 30 37 IP extended ACLs 30 28 IP standard ACLs 30 27 MAC ACLs 30 29 policy maps 30 31 QoS configuring continued port trust states within the domain 30 20 QoS policy 30 26 trusted boundary 30 24 default auto configuration 30 10 default configuration 30 18 displaying statistics 30 39 egress port scheduling 30 9 enabling expedite queue 30 38 expe...

Page 699: ...king services accessed by user 9 28 range macro 11 7 of interfaces 11 6 rapid convergence 15 7 rapid per VLAN spanning tree plus See rapid PVST rapid PVST 802 1Q trunking interoperability 14 10 described 14 9 instances supported 14 9 rapid PVST 17 2 Rapid Spanning Tree Protocol See RSTP rate selection definition of 13 14 sequences 13 5 rate selections list of sequences 13 5 13 6 rcommand command 7...

Page 700: ...tistics collecting group Ethernet 26 5 collecting group history 26 5 root guard described 16 11 enabling 16 19 support for 1 5 root switch MSTP 15 14 STP 14 14 RSPAN configuration guidelines 25 12 default configuration 25 7 destination ports 25 4 displaying status 25 17 IDS 25 2 interaction with other features 25 5 monitored ports 25 4 monitoring ports 25 4 overview 1 7 25 1 received traffic 25 3 ...

Page 701: ...9 3 10 3 11 show and more command output filtering 2 9 show cdp traffic command 24 5 show cluster members command 7 23 show configuration command 11 14 show controllers ethernet controller command 13 7 show controllers lre profile commands 13 12 13 13 13 16 13 19 show controllers lre profile mapping 3 7 show controllers lre status commands 13 11 13 13 13 14 13 21 13 22 show interfaces command 11 1...

Page 702: ...s 13 16 upstream rate requirements 13 17 13 18 software VLAN considerations 18 8 software images location in flash B 20 recovery procedures 32 2 scheduling reloads 5 16 tar file format described B 20 See also downloading and uploading source addresses in ACLs 29 12 SPAN configuration guidelines 25 7 default configuration 25 7 destination ports 25 4 displaying status 25 17 IDS 25 2 interaction with...

Page 703: ... 802 1x 10 21 CDP 24 5 interface 11 15 QoS ingress and egress 30 39 RMON group Ethernet 26 5 RMON group history 26 5 SNMP input and output 28 16 VTP 18 16 sticky learning configuration file 22 7 defined 22 7 disabling 22 7 enabling 22 7 saving addresses 22 7 storm control described 22 2 displaying 22 13 STP accelerating root port selection 16 4 BackboneFast described 16 9 enabling 16 18 BPDU filte...

Page 704: ...7 24 using port priorities 17 22 loop guard described 16 12 enabling 16 19 modes supported 14 9 multicast addresses affect of 14 8 overview 14 2 path costs 17 24 STP continued Port Fast described 16 2 enabling 16 13 port priorities 17 23 preventing root switch selection 16 11 protocols supported 14 9 redundant connectivity 14 8 root guard described 16 11 enabling 16 19 root port defined 14 3 root ...

Page 705: ...X syslog servers configuring the daemon 27 11 configuring the logging facility 27 11 facilities supported 27 12 system name default configuration 8 16 default setting 8 16 manual configuration 8 16 See also DNS system prompt default setting 8 16 manual configuration 8 17 T TACACS accounting defined 9 11 authentication defined 9 11 authorization defined 9 11 configuring accounting 9 17 authenticati...

Page 706: ...raffic 32 16 usage guidelines 32 17 traffic blocking flooded 22 5 fragmented 29 3 unfragmented 29 3 traffic policing 1 6 transparent mode VTP 18 3 18 12 trap door mechanism 5 2 traps configuring MAC address notification 8 24 configuring managers 28 11 defined 28 3 enabling 8 24 28 11 notification types 28 11 overview 28 1 28 4 troubleshooting connectivity problems 32 15 detecting unidirectional li...

Page 707: ...tion 27 11 unrecognized Type Length Value TLV support 18 4 upgrade behavior details 13 26 configuring for 13 24 controller configuration 13 25 example 13 26 global configuration 13 25 LRE switch firmware upgrade 13 23 performing 13 24 upgrading software VLAN considerations 18 8 upgrading software images See downloading UplinkFast described 16 3 enabling 16 16 support for 1 4 uploading configuratio...

Page 708: ...illustrated 17 2 modifying 17 8 native configuring 17 21 normal range 17 1 17 4 parameters 17 4 port membership modes 17 3 VLANs continued static access ports 17 11 STP and 802 1Q trunks 14 10 supported 17 2 Token Ring 17 5 trunks VLAN 1 minimization 17 19 VTP modes 18 3 VLAN Trunking Protocol See VTP VLAN trunks 17 15 VMPS administering 17 30 configuration example 17 31 configuration guidelines 1...

Page 709: ...e 18 11 server mode 18 9 transparent mode 18 12 consistency checks 18 4 default configuration 18 6 described 18 1 disabling 18 12 domain names 18 8 domains 18 2 modes client 18 3 18 11 server 18 3 18 9 transitions 18 3 transparent 18 3 18 12 monitoring 18 16 passwords 18 8 VTP continued pruning disabling 18 14 enabling 18 14 examples 18 5 overview 18 4 pruning eligible list changing 17 20 server m...

Page 710: ...Index IN 34 Catalyst 2950 and Catalyst 2955 Switch Software Configuration Guide 78 11380 10 ...

Reviews:

No comments

Brands by name

Popular brands

Load more brands