manualshive.com logo in svg

Cisco 2975 - Catalyst LAN Base Switch, Software Configuration Manual

The Cisco 2975 Catalyst LAN Base Switch offers streamlined network management with robust features. Enhance your networking capabilities with ease by downloading the user manual from our website, completely free. Explore in-depth specifications and configurations to maximize the potential of this cutting-edge Cisco switch.

Share
Download
background image

 

31-2

Catalyst 2975 Switch Software Configuration Guide

OL-19720-02

Chapter 31      Configuring Network Security with ACLs

Understanding ACLs

An ACL contains an ordered list of access control entries (ACEs). Each ACE specifies 

permit

 or 

deny

 

and a set of conditions the packet must satisfy in order to match the ACE. The meaning of 

permit

 or 

deny

 

depends on the context in which the ACL is used. 

The switch supports IP ACLs and Ethernet (MAC) ACLs:

  •

IP ACLs filter IPv4 traffic, including TCP, User Datagram Protocol (UDP), Internet Group 
Management Protocol (IGMP), and Internet Control Message Protocol (ICMP). 

  •

Ethernet ACLs filter non-IP traffic. 

This switch also supports quality of service (QoS) classification ACLs. For more information, see the 

“Classification Based on QoS ACLs” section on page 33-8

.

These sections contain this conceptual information:

  •

Supported ACLs, page 31-2

  •

Handling Fragmented and Unfragmented Traffic, page 31-4

  •

ACLs and Switch Stacks, page 31-5

Supported ACLs

  •

Port ACLs access-control traffic entering a Layer 2 interface. The switch does not support port ACLs 
in the outbound direction. You can apply only one IP access list and one MAC access list to a Layer  2 
interface. For more information, see the 

“Port ACLs” section on page 31-3

.

  •

Router ACLs access-control routed traffic between VLANs and are applied to Layer 3 interfaces in 
a specific direction (inbound or outbound). For more information, see the 

“Router ACLs” section on 

page 31-4

.

Note

Router ACLs are supported only on SVIs.

You can use input port ACLs and router ACLs on the same switch. However, a port ACL takes 
precedence over a router ACL.

  •

When an input router ACL and input port ACL exist in a switch virtual interface (SVI), incoming 
packets received on ports to which a port ACL is applied are filtered by the port ACL. Incoming 
routed IP packets received on other ports are filtered by the router ACL. Other packets are not 
filtered.

  •

When an output router ACL and input port ACL exist in an SVI, incoming packets received on the 
ports to which a port ACL is applied are filtered by the port ACL. Outgoing routed IP packets are 
filtered by the router ACL. Other packets are not filtered.

Summary of Contents for 2975 - Catalyst LAN Base Switch

Page 1: ... 170 West Tasman Drive San Jose CA 95134 1706 USA http www cisco com Tel 408 526 4000 800 553 NETS 6387 Fax 408 527 0883 Catalyst 2975 Switch Software Configuration Guide Cisco IOS Release 12 2 55 SE August 2010 Text Part Number OL 19720 02 ...

Page 2: ...L WARRANTIES EXPRESSED OR IMPLIED INCLUDING WITHOUT LIMITATION THOSE OF MERCHANTABILITY FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT OR ARISING FROM A COURSE OF DEALING USAGE OR TRADE PRACTICE IN NO EVENT SHALL CISCO OR ITS SUPPLIERS BE LIABLE FOR ANY INDIRECT SPECIAL CONSEQUENTIAL OR INCIDENTAL DAMAGES INCLUDING WITHOUT LIMITATION LOST PROFITS OR LOSS OR DAMAGE TO DATA ARISING OUT OF THE ...

Page 3: ...s 1 8 Security Features 1 8 QoS and CoS Features 1 11 Layer 3 Features 1 12 Power over Ethernet Features 1 12 Monitoring Features 1 12 Default Settings After Initial Switch Configuration 1 13 Network Configuration Examples 1 15 Design Concepts for Using the Switch 1 15 Small to Medium Sized Network Using Catalyst 2975 Switches 1 19 Long Distance High Bandwidth Transport Configuration 1 20 Where to...

Page 4: ...formation 3 3 Default Switch Information 3 3 Understanding DHCP Based Autoconfiguration 3 4 DHCP Client Request Process 3 4 Understanding DHCP based Autoconfiguration and Image Update 3 5 DHCP Autoconfiguration 3 5 DHCP Auto Image Update 3 6 Limitations and Restrictions 3 6 Configuring DHCP Based Autoconfiguration 3 7 DHCP Server Configuration Guidelines 3 7 Configuring the TFTP Server 3 8 Configu...

Page 5: ...ion Service 4 2 Event Service 4 3 NameSpace Mapper 4 3 What You Should Know About the CNS IDs and Device Hostnames 4 3 ConfigID 4 3 DeviceID 4 4 Hostname and DeviceID 4 4 Using Hostname DeviceID and ConfigID 4 4 Understanding Cisco IOS Agents 4 5 Initial Configuration 4 5 Incremental Partial Configuration 4 6 Synchronized Configuration 4 6 Configuring Cisco IOS Agents 4 6 Enabling Automated CNS Co...

Page 6: ...Stacks 5 14 TACACS and RADIUS 5 16 LRE Profiles 5 16 Using the CLI to Manage Switch Clusters 5 16 Using SNMP to Manage Switch Clusters 5 17 C H A P T E R 6 Managing Switch Stacks 6 1 Understanding Stacks 6 1 Stack Membership 6 3 Master Election 6 4 Stack MAC Address 6 5 Member Numbers 6 6 Member Priority Values 6 6 Stack Offline Configuration 6 7 Effects of Adding a Provisioned Switch to a Stack 6...

Page 7: ... 20 Changing the Stack Membership 6 21 Accessing the CLI of a Specific Member 6 22 Displaying Stack Information 6 22 Troubleshooting Stacks 6 23 Manually Disabling a Stack Port 6 23 Re Enabling a Stack Port While Another Member Starts 6 23 Understanding the show switch stack ports summary Output 6 24 Identifying Loopback Problems 6 25 Software Loopback 6 25 Software Loopback Example No Connected S...

Page 8: ...ame 7 15 Understanding DNS 7 15 Default DNS Configuration 7 16 Setting Up DNS 7 16 Displaying the DNS Configuration 7 17 Creating a Banner 7 17 Default Banner Configuration 7 17 Configuring a Message of the Day Login Banner 7 18 Configuring a Login Banner 7 19 Managing the MAC Address Table 7 19 Building the Address Table 7 20 MAC Addresses and VLANs 7 20 MAC Addresses and Switch Stacks 7 21 Defau...

Page 9: ...ssword for a Terminal Line 9 6 Configuring Username and Password Pairs 9 7 Configuring Multiple Privilege Levels 9 8 Setting the Privilege Level for a Command 9 8 Changing the Default Privilege Level for Lines 9 9 Logging into and Exiting a Privilege Level 9 10 Controlling Switch Access with TACACS 9 10 Understanding TACACS 9 10 TACACS Operation 9 12 Configuring TACACS 9 13 Default TACACS Configur...

Page 10: ...9 39 Monitoring and Troubleshooting CoA Functionality 9 40 Configuring RADIUS Server Load Balancing 9 40 Displaying the RADIUS Configuration 9 40 Configuring the Switch for Local Authentication and Authorization 9 40 Configuring the Switch for Secure Shell 9 41 Understanding SSH 9 42 SSH Servers Integrated Clients and Supported Versions 9 42 Limitations 9 43 Configuring SSH 9 43 Configuration Guid...

Page 11: ... 802 1x Accounting Attribute Value Pairs 10 16 802 1x Readiness Check 10 17 802 1x Authentication with VLAN Assignment 10 17 802 1x Authentication with Downloadable ACLs and Redirect URLs 10 18 Cisco Secure ACS and Attribute Value Pairs for the Redirect URL 10 20 Cisco Secure ACS and Attribute Value Pairs for Downloadable ACLs 10 20 VLAN ID based MAC Authentication 10 20 802 1x Authentication with...

Page 12: ...Security 10 38 Configuring 802 1x Violation Modes 10 39 Configuring 802 1x Authentication 10 40 Configuring the Switch to RADIUS Server Communication 10 41 Configuring the Host Mode 10 43 Configuring Periodic Re Authentication 10 44 Manually Re Authenticating a Client Connected to a Port 10 45 Changing the Quiet Period 10 45 Changing the Switch to Client Retransmission Time 10 46 Setting the Switc...

Page 13: ...s 11 3 Local Web Authentication Banner 11 4 Web Authentication Customizable Web Pages 11 6 Guidelines 11 6 Web based Authentication Interactions with Other Features 11 7 Port Security 11 7 LAN Port IP 11 8 Gateway IP 11 8 ACLs 11 8 Context Based Access Control 11 8 802 1x Authentication 11 8 EtherChannel 11 8 Configuring Web Based Authentication 11 9 Default Web Based Authentication Configuration ...

Page 14: ...erfaces 12 10 Using Interface Configuration Mode 12 11 Procedures for Configuring Interfaces 12 12 Configuring a Range of Interfaces 12 12 Configuring and Using Interface Range Macros 12 14 Configuring Ethernet Interfaces 12 16 Default Ethernet Interface Configuration 12 16 Setting the Type of a Dual Purpose Uplink Port 12 17 Configuring Interface Speed and Duplex Mode 12 19 Speed and Duplex Confi...

Page 15: ...nded Range VLAN Configuration Guidelines 13 10 Creating an Extended Range VLAN 13 11 Displaying VLANs 13 12 Configuring VLAN Trunks 13 13 Trunking Overview 13 13 IEEE 802 1Q Configuration Considerations 13 14 Default Layer 2 Ethernet Interface VLAN Configuration 13 14 Configuring an Ethernet Interface as a Trunk Port 13 15 Interaction with Other Features 13 15 Configuring a Trunk Port 13 16 Defini...

Page 16: ... 14 2 Cisco IP Phone Data Traffic 14 3 Configuring Voice VLAN 14 3 Default Voice VLAN Configuration 14 3 Voice VLAN Configuration Guidelines 14 3 Configuring a Port Connected to a Cisco 7960 IP Phone 14 5 Configuring Cisco IP Phone Voice Traffic 14 5 Configuring the Priority of Incoming Data Frames 14 6 Displaying Voice VLAN 14 7 C H A P T E R 15 Configuring VTP 15 1 Understanding VTP 15 1 The VTP...

Page 17: ... State 16 7 Forwarding State 16 7 Disabled State 16 8 How a Switch or Port Becomes the Root Switch or Root Port 16 8 Spanning Tree and Redundant Connectivity 16 9 Spanning Tree Address Management 16 9 Accelerated Aging to Retain Connectivity 16 9 Spanning Tree Modes and Protocols 16 10 Supported Spanning Tree Instances 16 10 Spanning Tree Interoperability and Backward Compatibility 16 11 STP and I...

Page 18: ... 7 Port Role Naming Change 17 7 Interoperation Between Legacy and Standard Switches 17 7 Detecting Unidirectional Link Failure 17 8 MSTP and Switch Stacks 17 9 Interoperability with IEEE 802 1D STP 17 9 Understanding RSTP 17 9 Port Roles and the Active Topology 17 10 Rapid Convergence 17 11 Synchronization of Port Roles 17 12 Bridge Protocol Data Unit Format and Processing 17 13 Processing Superio...

Page 19: ... Cross Stack UplinkFast 18 5 How CSUF Works 18 6 Events that Cause Fast Convergence 18 7 Understanding BackboneFast 18 7 Understanding EtherChannel Guard 18 10 Understanding Root Guard 18 10 Understanding Loop Guard 18 11 Configuring Optional Spanning Tree Features 18 12 Default Optional Spanning Tree Configuration 18 12 Optional Spanning Tree Configuration Guidelines 18 12 Enabling Port Fast 18 1...

Page 20: ...H A P T E R 20 Configuring DHCP Features and IP Source Guard Features 20 1 Understanding DHCP Snooping 20 1 DHCP Server 20 2 DHCP Relay Agent 20 2 DHCP Snooping 20 2 Option 82 Data Insertion 20 4 DHCP Snooping Binding Database 20 7 DHCP Snooping and Switch Stacks 20 8 Configuring DHCP Snooping 20 9 Default DHCP Snooping Configuration 20 9 DHCP Snooping Configuration Guidelines 20 9 Configuring the...

Page 21: ...ate Limiting of ARP Packets 21 4 Relative Priority of ARP ACLs and DHCP Snooping Entries 21 4 Logging of Dropped Packets 21 5 Configuring Dynamic ARP Inspection 21 5 Default Dynamic ARP Inspection Configuration 21 5 Dynamic ARP Inspection Configuration Guidelines 21 6 Configuring Dynamic ARP Inspection in DHCP Environments 21 7 Configuring ARP ACLs for Non DHCP Environments 21 9 Limiting the Rate ...

Page 22: ...guration 22 19 MVR Configuration Guidelines and Limitations 22 20 Configuring MVR Global Parameters 22 20 Configuring MVR Interfaces 22 21 Displaying MVR Information 22 23 Configuring IGMP Filtering and Throttling 22 24 Default IGMP Filtering and Throttling Configuration 22 25 Configuring IGMP Profiles 22 25 Applying IGMP Profiles 22 26 Setting the Maximum Number of IGMP Groups 22 27 Configuring t...

Page 23: ...CDP 24 1 CDP and Switch Stacks 24 2 Configuring CDP 24 2 Default CDP Configuration 24 2 Configuring the CDP Characteristics 24 3 Disabling and Enabling CDP 24 3 Disabling and Enabling CDP on an Interface 24 4 Monitoring and Maintaining CDP 24 5 C H A P T E R 25 Configuring LLDP LLDP MED and Wired Location Service 25 1 Understanding LLDP LLDP MED and Wired Location Service 25 1 LLDP 25 1 LLDP MED 2...

Page 24: ...ology 27 4 SPAN Sessions 27 4 Monitored Traffic 27 5 Source Ports 27 6 Source VLANs 27 7 VLAN Filtering 27 7 Destination Port 27 8 RSPAN VLAN 27 9 SPAN and RSPAN Interaction with Other Features 27 9 SPAN and RSPAN and Switch Stacks 27 10 Configuring SPAN and RSPAN 27 10 Default SPAN and RSPAN Configuration 27 11 Configuring Local SPAN 27 11 SPAN Configuration Guidelines 27 11 Creating a Local SPAN...

Page 25: ...m Message Logging Configuration 29 4 Disabling Message Logging 29 4 Setting the Message Display Destination Device 29 5 Synchronizing Log Messages 29 6 Enabling and Disabling Time Stamps on Log Messages 29 8 Enabling and Disabling Sequence Numbers in Log Messages 29 8 Defining the Message Severity Level 29 9 Limiting Syslog Messages Sent to the History Table and to SNMP 29 10 Enabling the Configur...

Page 26: ...curity with ACLs 31 1 Understanding ACLs 31 1 Supported ACLs 31 2 Port ACLs 31 3 Router ACLs 31 4 Handling Fragmented and Unfragmented Traffic 31 4 ACLs and Switch Stacks 31 5 Configuring IPv4 ACLs 31 6 Creating Standard and Extended IPv4 ACLs 31 6 Access List Numbers 31 7 Creating a Numbered Standard ACL 31 8 Creating a Numbered Extended ACL 31 9 Resequencing ACEs in an ACL 31 13 Creating Named S...

Page 27: ...C H A P T E R 33 Configuring QoS 33 1 Understanding QoS 33 1 Basic QoS Model 33 4 Classification 33 5 Classification Based on QoS ACLs 33 8 Classification Based on Class Maps and Policy Maps 33 8 Policing and Marking 33 9 Policing on Physical Ports 33 10 Mapping Tables 33 11 Queueing and Scheduling Overview 33 12 Weighted Tail Drop 33 12 SRR Shaping and Sharing 33 13 Queueing and Scheduling on Ing...

Page 28: ...Trusted Boundary to Ensure Port Security 33 40 Enabling DSCP Transparency Mode 33 41 Configuring the DSCP Trust State on a Port Bordering Another QoS Domain 33 42 Configuring a QoS Policy 33 44 Classifying Traffic by Using ACLs 33 45 Classifying Traffic by Using Class Maps 33 48 Classifying Policing and Marking Traffic on Physical Ports by Using Policy Maps 33 50 Classifying Policing and Marking T...

Page 29: ...for Configuring Routing 34 3 Enabling IP Unicast Routing 34 3 Assigning IP Addresses to SVIs 34 4 Configuring Static Unicast Routes 34 5 Monitoring and Maintaining the IP Network 34 5 C H A P T E R 35 Configuring IPv6 Host Functions 35 1 Understanding IPv6 35 2 IPv6 Addresses 35 2 Supported IPv6 Host Features 35 3 128 Bit Wide Unicast Addresses 35 3 DNS for IPv6 35 3 ICMPv6 35 4 Neighbor Discovery...

Page 30: ...8 Enabling MLD Immediate Leave 36 9 Configuring MLD Snooping Queries 36 10 Disabling MLD Listener Message Suppression 36 11 Displaying MLD Snooping Information 36 12 C H A P T E R 37 Configuring EtherChannels and Link State Tracking 37 1 Understanding EtherChannels 37 2 EtherChannel Overview 37 2 Port Channel Interfaces 37 4 Port Aggregation Protocol 37 5 PAgP Modes 37 6 PAgP Interaction with Virt...

Page 31: ...m a Lost or Forgotten Password 38 3 Procedure with Password Recovery Enabled 38 4 Procedure with Password Recovery Disabled 38 6 Preventing Switch Stack Problems 38 8 Recovering from a Command Switch Failure 38 8 Replacing a Failed Command Switch with a Cluster Member 38 9 Replacing a Failed Command Switch with Another Switch 38 11 Recovering from Lost Cluster Member Connectivity 38 12 Preventing ...

Page 32: ...ting CPU Utilization 38 25 Possible Symptoms of High CPU Utilization 38 25 Verifying the Problem and Cause 38 26 Troubleshooting Power over Ethernet PoE 38 27 Troubleshooting Stackwise 38 30 A P P E N D I X A Supported MIBs A 1 MIB List A 1 Using FTP to Access the MIB Files A 3 A P P E N D I X B Working with the Cisco IOS File System Configuration Files and Software Images B 1 Working with the Fla...

Page 33: ...CP B 17 Uploading a Configuration File By Using RCP B 18 Clearing Configuration Information B 18 Clearing the Startup Configuration File B 19 Deleting a Stored Configuration File B 19 Replacing and Rolling Back Configurations B 19 Understanding Configuration Replacement and Rollback B 19 Configuration Guidelines B 21 Configuring the Configuration Archive B 21 Performing a Configuration Replacement...

Page 34: ...EC Commands C 3 Unsupported Global Configuration Commands C 3 Unsupported Interface Configuration Commands C 3 MAC Address Commands C 3 Unsupported Privileged EXEC Commands C 3 Unsupported Global Configuration Commands C 4 Miscellaneous C 4 Unsupported User EXEC Commands C 4 Unsupported Privileged EXEC Commands C 4 Unsupported Global Configuration Commands C 4 Network Address Translation NAT Comma...

Page 35: ...terface Configuration Command C 6 VLAN C 6 Unsupported Global Configuration Command C 6 Unsupported vlan config Command C 6 Unsupported User EXEC Commands C 6 Unsupported vlan config Command C 6 Unsupported VLAN Database Commands C 7 VTP C 7 Unsupported Privileged EXEC Commands C 7 I N D E X ...

Page 36: ...Contents xxxvi Catalyst 2975 Switch Software Configuration Guide OL 19720 02 ...

Page 37: ...ailed information about these commands see the Catalyst 2975 Switch Command Reference for this release For information about the standard Cisco IOS Release 12 2 commands see the Cisco IOS documentation set available from the Cisco com home page at Documentation Cisco IOS Software This guide does not provide detailed information on the graphical user interfaces GUIs for the embedded device manager ...

Page 38: ...ontained in this manual Caution Means reader be careful In this situation you might do something that could result in equipment damage or loss of data Related Publications These documents provide complete information about the switch and are available from this Cisco com site http www cisco com en US products ps10081 tsd_products_support_series_home html Note Before installing configuring or upgra...

Page 39: ...tures see the Network Admission Control Software Configuration Guide Information about Cisco SFP SFP and GBIC modules is available from this Cisco com site http www cisco com en US products hw modules ps5455 prod_installation_guides_list html SFP compatibility matrix documents are available from this Cisco com site http www cisco com en US products hw modules ps5455 products_device_support_tables_...

Page 40: ...xxxviii Catalyst 2975 Switch Software Configuration Guide OL 19720 02 Preface ...

Page 41: ...ference to IP Version 6 IPv6 Features Some features described in this chapter are available only on the cryptographic supports encryption version of the software You must obtain authorization to use this feature and to download the cryptographic version of the software from Cisco com For more information see the release notes for this release Ease of Deployment and Ease of Use Features page 1 2 Pe...

Page 42: ...mplex features such as VLANs ACLs and quality of service QoS Configuration wizards that prompt you to provide only the minimum required information to configure complex features such as QoS priorities for traffic priority levels for data applications and security Downloading an image to a switch Applying actions to multiple ports and multiple switches at the same time such as VLAN and QoS settings...

Page 43: ... points EtherChannels auto QoS with Cisco Medianet and IP phones Enhancements to add support for macro persistency LLDP based triggers MAC address and OUI based triggers remote macros as well as for automatic configuration based on these two new device types Cisco Digital Media Player Cisco DMP and Cisco IP Video Surveillance Camera Cisco IPVSC For information see the Auto Smartports Configuration...

Page 44: ...pport for basic IPv6 management Multicast Listener Discovery MLD snooping to enable efficient distribution of IP version 6 IPv6 multicast data to clients and routers in a switched network Multicast VLAN registration MVR to continuously send multicast streams in a multicast VLAN while isolating the streams from subscriber VLANs for bandwidth and security reasons IGMP filtering for controlling the s...

Page 45: ... of MIB extensions and four remote monitoring RMON groups For more information about using SNMP see Chapter 30 Configuring SNMP Cisco IOS Configuration Engine previously known to as the Cisco IOS CNS agent Configuration service automates the deployment and management of network devices and services You can automate initial configurations and configuration updates by generating switch specific conf...

Page 46: ... Secure Shell SSH connections for multiple CLI based sessions over the network In band management access through SNMP Versions 1 2c and 3 get and set requests Out of band management access through the switch console port to a directly attached terminal or to a remote terminal through a serial connection or a modem Secure Copy Protocol SCP feature to provide a secure and authenticated method for co...

Page 47: ...r VLAN spanning tree plus PVST for load balancing across VLANs Rapid PVST for load balancing across VLANs and providing rapid convergence of spanning tree instances UplinkFast cross stack UplinkFast and BackboneFast for fast convergence after a spanning tree topology change and for achieving load balancing between redundant uplinks including Gigabit uplinks and cross stack Gigabit uplinks IEEE 802...

Page 48: ... Cisco IP Phones VLAN 1 minimization for reducing the risk of spanning tree loops or storms by allowing VLAN 1 to be disabled on any individual VLAN trunk link With this feature enabled no user traffic is sent or received on the trunk The switch CPU continues to send and receive control protocol frames VLAN Flex Link Load Balancing to provide Layer 2 redundancy without requiring Spanning Tree Prot...

Page 49: ... ARP requests and responses to other ports in the same VLAN IEEE 802 1x port based authentication to prevent unauthorized devices clients from gaining access to the network These features are supported Multidomain authentication MDA to allow both a data device and a voice device such as an IP phone Cisco or non Cisco to independently authenticate on the same IEEE 802 1x enabled switch port Dynamic...

Page 50: ...he actions of remote users through authentication authorization and accounting AAA services Secure Socket Layer SSL Version 3 0 support for the HTTP 1 1 server authentication encryption and message integrity and HTTP client authentication to allow secure HTTP communications requires the cryptographic version of the software IEEE 802 1x Authentication with ACLs and the RADIUS Filter Id Attribute Su...

Page 51: ...UDP headers for high performance quality of service at the network edge allowing for differentiated service levels for different types of network traffic and for prioritizing mission critical traffic in the network Trusted port states CoS DSCP and IP precedence within a QoS domain and with a port bordering another QoS domain Trusted boundary for detecting the presence of a Cisco IP Phone trusting ...

Page 52: ...connected Cisco pre standard and IEEE 802 3af compliant powered devices from Power over Ethernet PoE capable ports if the switch detects that there is no power on the circuit Support for CDP with power consumption The powered device notifies the switch of the amount of power it is consuming Support for Cisco intelligent power management The powered device and the switch negotiate through power neg...

Page 53: ...switch at all the switch operates with these default settings Default switch IP address subnet mask and default gateway is 0 0 0 0 For more information see Chapter 3 Assigning the Switch IP Address and Default Gateway and Chapter 20 Configuring DHCP Features and IP Source Guard Features Default domain name is not configured For more information see Chapter 3 Assigning the Switch IP Address and Def...

Page 54: ... VTP version is Version 1 For more information see Chapter 15 Configuring VTP Voice VLAN is disabled For more information see Chapter 14 Configuring Voice VLAN STP PVST is enabled on VLAN 1 For more information see Chapter 16 Configuring STP MSTP is disabled For more information see Chapter 17 Configuring MSTP Optional spanning tree features are disabled For more information see Chapter 18 Configu...

Page 55: ... enabled and appear on the console For more information see Chapter 29 Configuring System Message Logging SNMP is enabled Version 1 For more information see Chapter 30 Configuring SNMP No ACLs are configured For more information see Chapter 31 Configuring Network Security with ACLs QoS is disabled For more information see Chapter 33 Configuring QoS No EtherChannels are configured For more informat...

Page 56: ...igh speed segment Use the EtherChannel feature between the switch and its connected servers and routers Table 1 2 Providing Network Services Network Demands Suggested Design Methods Efficient bandwidth usage for multimedia applications and guaranteed bandwidth for critical applications Use IGMP snooping to efficiently forward multimedia and multicast traffic Use other QoS mechanisms such as packet...

Page 57: ...ted to a Gigabit server through a 1000BASE T connection Note Stacking is supported only on Catalyst 2960 S switches running the LAN base image Figure 1 1 Cost Effective Wiring Closet An evolving demand for IP telephony Use QoS to prioritize applications such as IP telephony during congestion and to help control both delay and jitter within the network Use switches that support at least two queues ...

Page 58: ...with routing capability such as a Catalyst 3750 switch or to a router The first illustration is of an isolated high performance workgroup where the stack is connected to Catalyst 3750 switches in the distribution layer The second illustration is of a high performance workgroup in a branch office where the stack is connected to a router in the distribution layer Each switch in this configuration pr...

Page 59: ...redundant uplinks to the network core Using SFP modules provides flexibility in media and distance options through fiber optic connections The various lengths of stack cable available ranging from 0 5 meter to 3 meters provide extended connections to the switch stacks across multiple server racks for multiple stack aggregation Figure 1 3 Server Aggregation Small to Medium Sized Network Using Catal...

Page 60: ...priority traffic to allow delivery of high priority traffic Cisco CallManager controls call processing routing and Cisco IP Phone features and configuration Users with workstations running Cisco SoftPhone software can place receive and control calls from their PCs Using Cisco IP Phones Cisco CallManager software and Cisco SoftPhone software integrates telephony and IP networks and the IP network s...

Page 61: ...he receiving end separate or demultiplex the different wavelengths For more information about the CWDM SFP modules and CWDM OADM modules see the Cisco CWDM GBIC and CWDM SFP Installation Note Figure 1 5 Long Distance High Bandwidth Transport Configuration Where to Go Next Before configuring the switch review these sections for startup information Chapter 2 Using the Command Line Interface Chapter ...

Page 62: ...1 22 Catalyst 2975 Switch Software Configuration Guide OL 19720 02 Chapter 1 Overview Where to Go Next ...

Page 63: ...ently in Enter a question mark at the system prompt to obtain a list of commands available for each command mode When you start a session on the switch you begin in user mode often called user EXEC mode Only a limited subset of the commands are available in user EXEC mode For example most of the user EXEC commands are one time commands such as show commands which show the current configuration sta...

Page 64: ... a password to protect access to this mode Global configuration While in privileged EXEC mode enter the configure command Switch config To exit to privileged EXEC mode enter exit or end or press Ctrl Z Use this mode to configure parameters that apply to the entire switch Config vlan While in global configuration mode enter the vlan vlan id command Switch config vlan To exit to global configuration...

Page 65: ...information about defining interfaces see the Using Interface Configuration Mode section on page 12 11 To configure multiple interfaces with the same parameters see the Configuring a Range of Interfaces section on page 12 12 Line configuration While in global configuration mode specify a line with the line vty or line console command Switch config line To exit to global configuration mode enter ex...

Page 66: ...e the command without the keyword no to re enable a disabled feature or to enable a feature that is disabled by default Configuration commands can also have a default form The default form of a command returns the command setting to its default Most commands are disabled by default so the default form is the same as the no form However some commands are enabled by default and have variables set to...

Page 67: ...formation see the Configuration Change Notification and Logging feature module http www cisco com en US docs ios 12_3t 12_3t4 feature guide gtconlog html Note Only CLI or HTTP changes are logged Table 2 3 Common CLI Error Messages Error Message Meaning How to Get Help Ambiguous command show con You did not enter enough characters for your switch to recognize the command Re enter the command follow...

Page 68: ...rminal history size number of lines The range is from 0 to 256 Beginning in line configuration mode enter this command to configure the number of command lines the switch records for all sessions on a particular line Switch config line history size number of lines The range is from 0 to 256 Recalling Commands To recall commands from the history buffer perform one of the actions listed in Table 2 4...

Page 69: ...anipulate the command line It contains these sections Enabling and Disabling Editing Features page 2 7 optional Editing Commands through Keystrokes page 2 8 optional Editing Command Lines that Wrap page 2 9 optional Enabling and Disabling Editing Features Although enhanced editing mode is automatically enabled you can disable it re enable it or configure a specific line to have enhanced editing Th...

Page 70: ...command line The switch provides a buffer with the last ten items that you deleted Press Ctrl Y Recall the most recent entry in the buffer Press Esc Y Recall the next buffer entry The buffer contains only the last 10 items that you have deleted or cut If you press Esc Y more than ten times you cycle to the first buffer entry Delete entries if you make a mistake or change your mind Press the Delete...

Page 71: ...31 108 1 20 255 255 255 0 eq Switch config 108 2 5 255 255 255 0 131 108 1 20 255 255 255 0 eq 45 After you complete the entry press Ctrl A to check the complete syntax before pressing the Return key to execute the command The dollar sign appears at the end of the line to show that the line has been scrolled to the right Switch config access list 101 permit tcp 131 108 2 5 255 255 255 0 131 108 1 ...

Page 72: ...ter through the console port of one or more stack members Be careful with using multiple CLI sessions to the stack master Commands you enter in one session are not displayed in the other sessions Therefore it is possible to lose track of the session from which you entered commands If you want to configure a specific stack member port you must include the stack member number in the CLI command inte...

Page 73: ...twork connectivity with the Telnet or SSH client and the switch must have an enable secret password configured For information about configuring the switch for Telnet access see the Setting a Telnet Password for a Terminal Line section on page 9 6 The switch supports up to 16 simultaneous Telnet sessions Changes made by one Telnet user are reflected in all other Telnet sessions For information abo...

Page 74: ...2 12 Catalyst 2975 Switch Software Configuration Guide OL 19720 02 Chapter 2 Using the Command Line Interface Accessing the CLI ...

Page 75: ... the term switch refers to a standalone switch and to a switch stack Note For complete syntax and usage information for the commands used in this chapter see the command reference for this release and the Cisco IOS IP Command Reference Volume 1 of 3 Addressing and Services from the Cisco com page under Documentation Cisco IOS Software 12 2 Mainline Command References This chapter consists of these...

Page 76: ...sed only to load uncompress and launch the operating system After the boot loader gives the operating system control of the CPU the boot loader is not active until the next system reset or power on The boot loader also provides trap door access into the system if the operating system has problems serious enough that it cannot be used The trap door mechanism provides enough access to the system so ...

Page 77: ...tain their IP address when you remove them from a switch stack To avoid a conflict by having two devices with the same IP address in your network change the IP address of the switch that you removed from the switch stack Use a DHCP server for centralized control and automatic assignment of IP information after the server is configured Note If you are using DHCP do not respond to any of the questio...

Page 78: ... accessible in case one of the connected stack members is removed from the switch stack The DHCP server for your switch can be on the same LAN or on a different LAN than the switch If the DHCP server is running on a different LAN you should configure a DHCP relay device between your switch and the DHCP server A relay device forwards broadcast traffic between two directly connected LANs A router do...

Page 79: ...eserves the address until the client has had a chance to formally request the address If the switch accepts replies from a BOOTP server and configures itself the switch broadcasts instead of unicasts TFTP requests to obtain the switch configuration file The DHCP hostname option allows a group of switches to obtain hostnames and a standard configuration from the central management DHCP server A cli...

Page 80: ...the Configuring DHCP section of the IP addressing and Services section of the Cisco IOS IP Configuration Guide Release 12 2 After you install the switch in your network the auto image update feature starts The downloaded configuration file is saved in the running configuration of the switch and the new image is downloaded and installed on the switch When you reboot the switch the configuration is ...

Page 81: ...m a TFTP server you must configure the DHCP server with these lease options TFTP server name required Boot filename the name of the configuration file that the client needs recommended Hostname optional Depending on the settings of the DHCP server the switch can receive IP address information the configuration file or both If you do not configure the DHCP server with the lease options described pr...

Page 82: ...name if any and these files network config cisconet cfg hostname config or hostname cfg where hostname is the switch s current hostname The TFTP server addresses used include the specified TFTP server address if any and the broadcast address 255 255 255 255 For the switch to successfully download a configuration file the TFTP server must contain one or more configuration files in its base director...

Page 83: ...mand For example in Figure 3 2 configure the router interfaces as follows On interface 10 0 0 2 router config if ip helper address 20 0 0 2 router config if ip helper address 20 0 0 3 router config if ip helper address 20 0 0 4 On interface 20 0 0 1 router config if ip helper address 10 0 0 1 Figure 3 2 Relay Device Used in Autoconfiguration Obtaining Configuration Files Depending on the availabil...

Page 84: ... obtains its hostname If the hostname is not found in the file the switch uses the hostname in the DHCP reply If the hostname is not specified in the DHCP reply the switch uses the default Switch as its hostname After obtaining its hostname from the default configuration file or the DHCP reply the switch reads the configuration file that has the same name as its hostname hostname confg or hostname...

Page 85: ...ch A through Switch D Configuration Explanation In Figure 3 3 Switch A reads its configuration file as follows It obtains its IP address 10 0 0 21 from the DHCP server If no configuration filename is given in the DHCP server reply Switch A reads the network confg file from the base directory of the TFTP server It adds the contents of the network confg file to its host table It reads its host table...

Page 86: ...fig exit Switch config tftp server flash config boot text Switch config interface gigabitethernet1 0 4 Command Purpose Step 1 configure terminal Enter global configuration mode Step 2 ip dhcp poolname Create a name for the DHCP Server address pool and enter DHCP pool configuration mode Step 3 bootfile filename Specify the name of the configuration file that is used as a boot image Step 4 network n...

Page 87: ...te The prefix length specifies the number of bits that comprise the address prefix The prefix is an alternative way of specifying the network mask of the client The prefix length must be preceded by a forward slash Step 5 default router address Specify the IP address of the default router for a DHCP client Step 6 option 150 address Specify the IP address of the TFTP server Step 7 option 125 hex Sp...

Page 88: ...itch config tftp server flash autoinstall_dhcp Switch config interface gigabitethernet1 0 4 Switch config if no switchport Switch config if ip address 10 10 10 1 255 255 255 0 Switch config if end Configuring the Client Beginning in privileged EXEC mode follow these steps to configure a switch to download a configuration file and new image from a DHCP server Command Purpose Step 1 configure termin...

Page 89: ...the Layer 3 interface Do not assign an IP address or DHCP based autoconfiguration with a saved configuration Manually Assigning IP Information Beginning in privileged EXEC mode follow these steps to manually assign IP information to multiple switched virtual interfaces SVIs Command Purpose Step 1 configure terminal Enter global configuration mode Step 2 interface vlan vlan id Enter interface confi...

Page 90: ...ng this privileged EXEC command Switch show running config Building configuration Current configuration 1363 bytes version 12 2 no service pad service timestamps debug uptime service timestamps log uptime no service password encryption hostname Stack1 enable secret 5 1 ej9 DMUvAUnZOAmvmgqBEzIxE0 output truncated interface gigabitethernet6 0 1 ip address 172 20 137 50 255 255 255 0 interface gigabi...

Page 91: ... to NVRAM Typically this occurs when you have many switches in a switch stack You can configure the size of the NVRAM buffer to support larger configuration files The new NVRAM buffer size is synced to all current and new member switches Note After you configure the NVRAM buffer size reload the switch or switch stack When you add a switch to a stack and the NVRAM size differs the new switch syncs ...

Page 92: ...figuration Automatically Downloading a Configuration File You can automatically download a configuration file to your switch by using the DHCP based autoconfiguration feature For more information see the Understanding DHCP Based Autoconfiguration section on page 3 4 Table 3 3 Default Boot Configuration Feature Default Setting Operating system software image The switch attempts to automatically boo...

Page 93: ...it to manually boot up Note This command only works properly from a standalone switch Beginning in privileged EXEC mode follow these steps to configure the switch to manually boot up during the next boot cycle Command Purpose Step 1 configure terminal Enter global configuration mode Step 2 boot config file flash file url Specify the configuration file to load during the next boot up cycle For file...

Page 94: ... reboot the system the switch is in boot loader mode shown by the switch prompt To boot up the system use the boot filesystem file url boot loader command For filesystem use flash for the system board flash device For file url specify the path directory and the name of the bootable image Filenames and directory names are case sensitive Step 5 copy running config startup config Optional Save your e...

Page 95: ...it has a value if it is listed in the file even if the value is a null string A variable that is set to a null string for example is a variable with a value Many environment variables are predefined and have default values Environment variables store two kinds of data Data that controls code which does not read the Cisco IOS configuration file For example the name of a boot loader helper file whic...

Page 96: ...atically or manually boots up Valid values are 1 yes 0 and no If it is set to no or 0 the boot loader attempts to automatically boot up the system If it is set to anything else you must manually boot up the switch from the boot loader mode boot manual Enables manually booting up the switch during the next boot cycle and changes the setting of the MANUAL_BOOT environment variable The next time you ...

Page 97: ...load takes place at the specified time on the current day if the specified time is later than the current time or on the next day if the specified time is earlier than the current time Specifying 00 00 schedules the reload for midnight Note Use the at keyword only if the switch system clock has been set through Network Time Protocol NTP the hardware calendar or manually The time is relative to the...

Page 98: ...un 20 1996 in 344 hours and 53 minutes Proceed with reload confirm To cancel a previously scheduled reload use the reload cancel privileged EXEC command Displaying Scheduled Reload Information To display information about a previously scheduled reload or to find out if a reload has been scheduled on the switch use the show reload privileged EXEC command It displays reload information including the...

Page 99: ...iguration Engine Software The Cisco Configuration Engine is network management software that acts as a configuration service for automating the deployment and management of network devices and services see Figure 4 1 Each Configuration Engine manages a group of Cisco devices switches and routers and the services that they deliver storing their configurations and delivering them as needed The Confi...

Page 100: ...rvice to send and receive configuration change events and to send success and failure notifications The configuration server is a web server that uses configuration templates and the device specific configuration information stored in the embedded standalone mode or remote server mode directory Configuration templates are text files containing static configuration information in the form of CLI co...

Page 101: ... group ID device ID and event the mapping service returns a set of events on which to publish What You Should Know About the CNS IDs and Device Hostnames The Configuration Engine assumes that a unique identifier is associated with each configured switch This unique identifier can take on multiple synonyms where each synonym is unique within a particular namespace The event service uses namespace c...

Page 102: ...on to the event gateway and does not change even when the switch hostname is reconfigured When changing the switch hostname on the switch the only way to refresh the DeviceID is to break the connection between the switch and the event gateway Enter the no cns event global configuration command followed by the cns event global configuration command When the connection is re established the switch s...

Page 103: ... switch and includes the TFTP server IP address the path to the bootstrap configuration file and the default gateway IP address in a unicast reply to the DHCP relay agent The DHCP relay agent forwards the reply to the switch The switch automatically configures the assigned IP address on interface VLAN 1 the default and downloads the bootstrap configuration file from the TFTP server Upon successful...

Page 104: ... the updated configuration into its NVRAM The switch uses the updated configuration as its running configuration This ensures that the switch configuration is synchronized with other network activities before saving the configuration in NVRAM for use at the next reboot Configuring Cisco IOS Agents The Cisco IOS agents embedded in the switch Cisco IOS software allow the switch to be connected and a...

Page 105: ...tion agent DHCP server IP address assignment TFTP server IP address Path to bootstrap configuration file on the TFTP server Default gateway IP address TFTP server A bootstrap configuration file that includes the CNS configuration commands that enable the switch to communicate with the Configuration Engine The switch configured to use either the switch MAC address or the serial number instead of th...

Page 106: ...umber enter the port number for the event gateway The default port number is 11011 Optional Enter backup to show that this is the backup gateway If omitted this is the primary gateway Optional For failover time seconds enter how long the switch waits for the primary gateway route after the route to the backup gateway is established Optional For keepalive seconds enter how often the switch sends ke...

Page 107: ...on mode and specify the name of the CNS connect template Step 3 cli config text Enter a command line for the CNS connect template Repeat this step for each command line in the template Step 4 Repeat Steps 2 to 3 to configure another CNS connect template Step 5 exit Return to global configuration mode Step 6 cns connect name retries number retry interval seconds sleep seconds timeout seconds Enter ...

Page 108: ... route to the Configuration Engine whose IP address is network number Step 13 cns id interface num dns reverse ipaddress mac address event image or cns id hardware serial hostname string string udi event image Optional Set the unique EventID or ConfigID used by the Configuration Engine For interface num enter the type of interface for example ethernet group async loopback or virtual template This ...

Page 109: ...dress syntax check Enable the Cisco IOS agent and initiate an initial configuration For hostname ip address enter the hostname or the IP address of the configuration server Optional For port number enter the port number of the configuration server The default port number is 80 Optional Enable event for configuration success failure or warning messages when the configuration is finished Optional En...

Page 110: ...artial Configuration Beginning in privileged EXEC mode follow these steps to enable the Cisco IOS agent and to initiate a partial configuration on the switch To disable the Cisco IOS agent use the no cns config partial ip address hostname global configuration command To cancel a partial configuration use the cns config cancel privileged EXEC command Command Purpose Step 1 configure terminal Enter ...

Page 111: ... CNS Cisco IOS agent connections show cns config outstanding Displays information about incremental partial CNS configurations that have started but are not yet completed show cns config stats Displays statistics about the Cisco IOS agent show cns event connections Displays the status of the CNS event agent connections show cns event stats Displays statistics about the CNS event agent show cns eve...

Page 112: ...4 14 Catalyst 2975 Switch Software Configuration Guide OL 19720 02 Chapter 4 Configuring Cisco IOS Configuration Engine Displaying CNS Configuration ...

Page 113: ...t also includes guidelines and limitations for clusters mixed with other cluster capable Catalyst switches but it does not provide complete descriptions of the cluster features for these other switches For complete cluster information for a specific Catalyst platform refer to the software configuration guide for that switch This chapter consists of these sections Understanding Switch Clusters page...

Page 114: ...es For complete information about these switches in a switch cluster environment refer to the software configuration guide for that specific switch Command switch redundancy if a cluster command switch fails One or more switches can be designated as standby cluster command switches to avoid loss of contact with cluster members A cluster standby group is a group of standby cluster command switches ...

Page 115: ... all other cluster member switches except the cluster command and standby command switches through a common VLAN It is redundantly connected to the cluster so that connectivity to cluster member switches is maintained It is not a command or member switch of another cluster Note Standby cluster command switches must be the same type of switches as the cluster command switch For example if the clust...

Page 116: ... password for related considerations see the IP Addresses section on page 5 13 and Passwords section on page 5 14 To join a cluster a candidate switch must meet these requirements It is running cluster capable software It has CDP version 2 enabled It is not a command or cluster member switch of another cluster If a cluster standby group exists it is connected to every standby cluster command switc...

Page 117: ...uster command switch uses Cisco Discovery Protocol CDP to discover cluster member switches candidate switches neighboring switch clusters and edge devices across multiple VLANs and in star or cascaded topologies Note Do not disable CDP on the cluster command switch on cluster members or on any cluster capable switches that you might want a cluster command switch to discover For more information ab...

Page 118: ... cluster command switch discovers switches 11 12 13 and 14 because they are within three hops from the edge of the cluster It does not discover switch 15 because it is four hops from the edge of the cluster Figure 5 1 Discovery Through CDP Hops Command device Member device 10 Member device 8 Member device 9 VLAN 62 Edge of cluster VLAN 16 101321 Device 11 candidate device Candidate devices Device ...

Page 119: ...50 Catalyst 3560 or Catalyst 3750 switch the cluster can have cluster member switches in different VLANs As cluster member switches they must be connected through at least one VLAN in common with the cluster command switch The cluster command switch in Figure 5 3 has ports assigned to VLANs 9 16 and 62 and therefore discovers the switches in those VLANs It does not discover the switch in VLAN 50 I...

Page 120: ...as a Catalyst 3750 or 2975 switch or has a switch stack that switch or switch stack must be the cluster command switch The cluster command switch and standby command switch in Figure 5 4 assuming they are Catalyst 2960 Catalyst 2970 Catalyst 2975 Catalyst 3550 Catalyst 3560 or Catalyst 3750 cluster command switches have ports assigned to VLANs 9 16 and 62 The management VLAN on the cluster command...

Page 121: ...o the VLAN of the immediately upstream neighbor The new switch also configures its access port to belong to the VLAN of the immediately upstream neighbor The cluster command switch in Figure 5 5 belongs to VLANs 9 and 16 When new cluster capable switches join the cluster One cluster capable switch and its access port are assigned to VLAN 9 The other cluster capable switch and its access port are a...

Page 122: ... that meet the requirements described in the Standby Cluster Command Switch Characteristics section on page 5 3 Only one cluster standby group can be assigned per cluster The switches in the cluster standby group are ranked according to HSRP priorities The switch with the highest priority in the group is the active cluster command switch AC The switch with the next highest priority is the standby ...

Page 123: ...d switch The passive standby switch with the highest priority then becomes the standby cluster command switch When the previously active cluster command switch becomes active again it resumes its role as the active cluster command switch and the current active cluster command switch becomes the standby cluster command switch again For more information about IP address in switch clusters see the IP...

Page 124: ...nd switch This ensures that the standby cluster command switch can take over the cluster immediately after the active cluster command switch fails Automatic discovery has these limitations This limitation applies only to clusters that have Catalyst 2950 Catalyst 3550 Catalyst 3560 and Catalyst 3750 command and standby cluster command switches If the active cluster command switch and standby cluste...

Page 125: ...e new active cluster command switch to access the cluster You can assign an IP address to a cluster capable switch but it is not necessary A cluster member switch is managed and communicates with other cluster member switches through the command switch IP address If the cluster member switch leaves the cluster and it does not have its own IP address you must assign an IP address to manage it as a ...

Page 126: ...eadonly community string esN where N is the member switch number command switch readwrite community string esN where N is the member switch number If the cluster command switch has multiple read only or read write community strings only the first read only and read write strings are propagated to the cluster member switch The switches support an unlimited number of community strings and string len...

Page 127: ... connected to any VLANs not configured on the new stack master lose their connectivity to the switch cluster You must change the VLAN configuration of the stack master or the stack members and add the stack members back to the switch cluster If a cluster member switch stack reloads and a new stack master is elected the switch stack loses connectivity with the cluster command switch You must add th...

Page 128: ...ser EXEC command and the cluster member switch number to start a Telnet session through a console or Telnet connection and to access the cluster member switch CLI The command mode changes and the Cisco IOS commands operate as usual Enter the exit privileged EXEC command on the cluster member switch to return to the command switch CLI This example shows how to log into member switch 3 from the comm...

Page 129: ...manages the exchange of messages between cluster member switches and an SNMP application The cluster software on the cluster command switch appends the cluster member switch number esN where N is the switch number to the first configured read write and read only community strings on the cluster command switch and propagates them to the cluster member switch The cluster command switch uses this com...

Page 130: ...figuration Guide OL 19720 02 Chapter 5 Clustering Switches Using SNMP to Manage Switch Clusters Figure 5 7 SNMP Management for a Cluster Trap T r a p T r a p Command switch Trap 1 Trap 2 Trap 3 Member 1 Member 2 Member 3 33020 SNMP Manager ...

Page 131: ...set of up to nine Catalyst 2975 switches connected through their stack ports One of the switches controls the operation of the stack and is called the stack master The stack master and the other switches in the stack are stack members Layer 2 and Layer 3 protocols present the entire switch stack as a single entity to the network Note A switch stack is different from a switch cluster A switch clust...

Page 132: ...the stack through the same IP address even if you remove the master or any other member from the stack You can use these methods to manage stacks Network Assistant available on Cisco com Command line interface CLI over a serial connection to the console port of any member A network management application through the Simple Network Management Protocol SNMP Note Use SNMP to manage network features a...

Page 133: ... during membership changes unless you remove the master or you add powered on standalone switches or stacks Note To prevent interrupted stack operations make sure the switches that you add to or remove from the stack are powered off After adding or removing members make sure that the stack ring is operating at full bandwidth 32 Gb s Press the Mode button on a member until the Stack mode LED is on ...

Page 134: ... stack member priority value Note We recommend you assign the highest priority value to the switch that you want to be the master The switch is then re elected as master if a re election occurs 3 The switch that is not using the default interface level configuration 4 The switch with the higher priority switch software version These switch software versions are listed from highest to lowest priori...

Page 135: ...s initial election and only become members The new master is available after a few seconds In the meantime the switch stack uses the forwarding tables in memory to minimize network disruption The physical interfaces on the other available stack members are not affected while a new stack master is elected and is resetting When a new master is elected and the previous stack master becomes available ...

Page 136: ...ted with that number that member resets to its default configuration You cannot use the switch current stack member number renumber new stack member number global configuration command on a provisioned switch If you do the command is rejected If you move a stack member to a different switch stack the stack member keeps its number only if the number is not being used by another member in the stack ...

Page 137: ...t of the stack Effects of Adding a Provisioned Switch to a Stack When you add a provisioned switch to the switch stack the stack applies either the provisioned configuration or the default configuration to it Table 6 1 lists the events that occur when the switch stack compares the provisioned configuration with the provisioned switch Table 6 1 Results of Comparing the Provisioned Configuration wit...

Page 138: ... switch is in conflict with an existing stack member The stack master assigns a new stack member number to the provisioned switch The stack member numbers and the switch types match 1 If the new stack member number of the provisioned switch matches the stack member number in the provisioned configuration on the stack and 2 If the switch type of the provisioned switch matches the switch type in the...

Page 139: ...the same Cisco IOS software version have the same stack protocol version All features function properly across the stack These switches with the same software version as the master immediately join the stack If an incompatibility exists a system message describes the cause of the incompatibility on the specific stack members The master sends the message to all members For more information see the ...

Page 140: ...t occurs when the auto upgrade process cannot find the appropriate software in the stack to copy to the switch in version mismatch mode In that case the auto extract process searches all switches in the stack whether they are in version mismatch mode or not for the tar file needed to upgrade the switch stack or the switch in version mismatch mode The tar file can be in any flash file system in the...

Page 141: ... 11 20 36 15 038 IMAGEMGR 6 AUTO_COPY_SW archiving c2975 lanbase mz 122 46 EX c2975 lanbase mz 122 46 EX bin 4945851 bytes Mar 11 20 36 15 038 IMAGEMGR 6 AUTO_COPY_SW archiving c2975 lanbase mz 122 46 EX info 450 bytes Mar 11 20 36 15 038 IMAGEMGR 6 AUTO_COPY_SW archiving info 104 bytes Mar 11 20 36 15 038 IMAGEMGR 6 AUTO_COPY_SW examining image Mar 11 20 36 15 038 IMAGEMGR 6 AUTO_COPY_SW extracti...

Page 142: ...nd recommends that you download a tar file from the network to the switch in version mismatch mode Mar 1 00 01 11 319 STACKMGR 6 STACK_LINK_CHANGE Stack Port 2 Switch 2 has changed to state UP Mar 1 00 01 15 547 STACKMGR 6 SWITCH_ADDED_VM Switch 1 has been ADDED to the stack VERSION_MISMATCH stack_2 Mar 1 00 03 15 554 IMAGEMGR 6 AUTO_COPY_SW_INITIATED Auto copy software process initiated for switc...

Page 143: ...e specific configuration of each member is associated with its member number A stack member keeps its number unless it is manually changed or it is already used by another member in the same stack If an interface specific configuration does not exist for that member number the member uses its default interface specific configuration If an interface specific configuration exists for that member num...

Page 144: ...applications You cannot manage members as individual switches Stack Through an IP Address page 6 14 Stack Through an SSH Session page 6 14 Stack Through Console Ports page 6 15 Specific Members page 6 15 Stack Through an IP Address The stack is managed through a system level IP address You can still manage the stack through the same IP address even if you remove the master or any other stack membe...

Page 145: ...le 6 2 assume at least two switches are connected through their stack ports Table 6 2 Switch Stack Configuration Scenarios Scenario Result Master election specifically determined by existing masters Connect two powered on stacks through the stack ports Only one of the two masters becomes the new stack master Master election specifically determined by the member priority value 1 Connect two switche...

Page 146: ...ssary use the switch current stack member number renumber new stack member number global configuration command 2 Restart both members at the same time The member with the higher priority value keeps its member number The other member has a new stack member number Add a member 1 Power off the new switch 2 Through their stack ports connect the new switch to a powered on stack 3 Power on the new swit...

Page 147: ... can set the persistent MAC address feature with a time delay before the stack MAC address changes During this time period if the previous master rejoins the stack the stack continues to use that MAC address as the stack MAC address even if the switch is now a member and not a master You can also configure stack MAC persistency so that the stack MAC address never changes to the new master MAC addr...

Page 148: ...e switch stack reloads it acquires the MAC address of the master as the stack MAC address Beginning in privileged EXEC mode follow these steps to enable persistent MAC address This procedure is optional Command Purpose Step 1 configure terminal Enter global configuration mode Step 2 stack mac persistent timer 0 time value Enable a time delay after a stack master change before the stack MAC address...

Page 149: ... network domain If it does WARNING user traffic may be blackholed Switch config end Switch show switch Switch Stack Mac Address 0016 4727 a900 Mac persistency wait time 7 mins H W Current Switch Role Mac Address Priority Version State 1 Master 0016 4727 a900 1 0 Ready Assigning Stack Member Information Assigning a Member Number page 6 19 optional Setting the Member Priority Value page 6 20 optiona...

Page 150: ...s 1 to 9 You can display the current member number by using the show switch user EXEC command Step 3 end Return to privileged EXEC mode Step 4 reload slot stack member number Reset the stack member Step 5 show switch Verify the stack member number Step 6 copy running config startup config Save your entries in the configuration file Command Purpose Step 1 configure terminal Enter global configurati...

Page 151: ...ack Membership If you remove powered on members but do not want to partition the stack Step 1 Power off the newly created stacks Step 2 Reconnect them to the original stack through their stack ports Step 3 Power on the switches Command Purpose Step 1 show switch Display summary information about the stack Step 2 configure terminal Enter global configuration mode Step 3 switch stack member number p...

Page 152: ...ed configuration changes after resetting a specific member or the stack use these privileged EXEC commands Table 6 4 Commands for Displaying Stack Information Command Description show platform stack passive links all Display all stack information such as the stack protocol version show platform stack ports buffer history Display the stack port events and history show switch Display summary informa...

Page 153: ...nected through the stack ports but some all are not in the ready state Some members are not connected through the stack ports When you enter the switch stack member number stack port port number disable privileged EXEC command and The stack is in the full ring state you can disable only one stack port This message appears Enabling disabling a stack port may cause undesired stack changes Continue c...

Page 154: ... Field Description Switch Port Member number and its stack port number Stack Port Status Absent No cable is detected on the stack port Down A cable is detected but either no connected neighbor is up or the stack port is disabled OK A cable is detected and the connected neighbor is up Neighbor Switch number of the active member at the other end of the stack cable Cable Length Valid lengths are 50 c...

Page 155: ... No 3 2 OK 1 50 cm Yes Yes Yes 1 No If you disconnect the stack cable from Port 1 on Switch 1 these messages appear 01 09 55 STACKMGR 4 STACK_LINK_CHANGE Stack Port 2 Switch 3 has changed to state DOWN 01 09 56 STACKMGR 4 STACK_LINK_CHANGE Stack Port 1 Switch 1 has changed to state DOWN Switch show switch stack ports summary Switch Stack Neighbor Cable Link Link Sync In Port Port Length OK Active ...

Page 156: ...75 switch port status Switch show switch stack ports summary Switch Stack Neighbor Cable Link Link Sync In Port Port Length OK Active OK Changes Loopback Status To LinkOK 1 1 Absent None No cable Yes No Yes 1 Yes 1 2 Absent None No cable Yes No Yes 1 Yes Software Loopback Examples Connected Stack Cables On Port 1 on Switch 1 the port status is Down and a cable is connected On Port 2 on Switch 1 th...

Page 157: ... 0000000012 2 FF08FF00 86031805 55AAFFFF FFFFFFFF 1CE61CE6 Yes Yes No cable Event type RAC 0000000013 1 FF08FF00 860302A5 AA55FFFF FFFFFFFF 1CE61CE6 Yes Yes No cable 0000000013 2 FF08FF00 86031805 55AAFFFF FFFFFFFF 1CE61CE6 Yes Yes No cable If at least one stack port on a member has an connected stack cable the Loopback HW value for both stack ports is No If neither stack port has an connected sta...

Page 158: ...905F 00000000 FFFFFFFF 0C100C14 No No No cable Event type LINK OK Stack Port 1 0000000956 1 FF08FF00 86034DAC 5555FFFF FFFFFFFF 1CE61CE6 Yes Yes No cable 0000000956 2 FF08FF00 86033431 55AAFFFF FFFFFFFF 1CE61CE6 Yes Yes No cable Event type LINK OK Stack Port 2 0000000957 1 FF08FF00 86034DAC 5555FFFF FFFFFFFF 1CE61CE6 Yes Yes No cable 0000000957 2 FF08FF00 86033431 55AAFFFF FFFFFFFF 1CE61CE6 Yes Ye...

Page 159: ...for Port 2 on Switch 1 Port 2 on Switch 1 has a port or cable problem if The In Loopback value is Yes or The Link OK Link Active or Sync OK value is No Fixing a Bad Connection Between Stack Ports StackWiseStack cables connect all members Port 2 on Switch 1 connects to Port 1 on Switch 2 This is the port status Switch show switch stack ports summary Switch Stack Neighbor Cable Link Link Sync In Por...

Page 160: ...6 30 Catalyst 2975 Switch Software Configuration Guide OL 19720 02 Chapter 6 Managing Switch Stacks Troubleshooting Stacks ...

Page 161: ... manage the system time and date on your switch using automatic configuration such as the Network Time Protocol NTP or manual configuration methods Note For complete syntax and usage information for the commands used in this section see the Cisco IOS Configuration Fundamentals Command Reference from the Cisco com page under Documentation Cisco IOS Software 12 2 Mainline Command References These se...

Page 162: ...A stratum 1 time server has a radio or atomic clock directly attached a stratum 2 time server receives its time through NTP from a stratum 1 time server and so on A device running NTP automatically chooses as its time source the device with the lowest stratum number with which it communicates through NTP This strategy effectively builds a self organizing tree of NTP speakers NTP avoids synchronizi...

Page 163: ...isco s implementation of NTP allows a device to act as if it is synchronized through NTP when in fact it has learned the time by using other means Other devices then synchronize to that device through NTP When multiple sources of time are available NTP is always considered to be more authoritative NTP time overrides the time set by any other method Several manufacturers include NTP software for th...

Page 164: ...Authentication page 7 5 Configuring NTP Associations page 7 6 Configuring NTP Broadcast Service page 7 7 Configuring NTP Access Restrictions page 7 8 Configuring the Source IP Address for NTP Packets page 7 10 Displaying the NTP Configuration page 7 11 Default NTP Configuration Table 7 1 shows the default NTP configuration NTP is enabled on all interfaces by default All interfaces receive NTP pack...

Page 165: ...ation key 42 md5 aNiceKey Switch config ntp trusted key 42 Command Purpose Step 1 configure terminal Enter global configuration mode Step 2 ntp authenticate Enable the NTP authentication feature which is disabled by default Step 3 ntp authentication key number md5 value Define the authentication keys By default none are defined For number specify a key number The range is 1 to 4294967295 md5 speci...

Page 166: ... configuration mode Step 2 ntp peer ip address version number key keyid source interface prefer or ntp server ip address version number key keyid source interface prefer Configure the switch system clock to synchronize a peer or to be synchronized by a peer peer association or Configure the switch system clock to be synchronized by a time server server association No peer or server associations ar...

Page 167: ...C mode follow these steps to configure the switch to send NTP broadcast packets to peers so that they can synchronize their clock to the switch To disable the interface from sending NTP broadcast packets use the no ntp broadcast interface configuration command This example shows how to configure a port to send NTP Version 2 packets Switch config interface gigabitethernet1 0 1 Switch config if ntp ...

Page 168: ...n two levels as described in these sections Creating an Access Group and Assigning a Basic IP Access List page 7 9 Disabling NTP Services on a Specific Interface page 7 10 Command Purpose Step 1 configure terminal Enter global configuration mode Step 2 interface interface id Specify the interface to receive NTP broadcast packets and enter interface configuration mode Step 3 ntp broadcast client En...

Page 169: ...ted Command Purpose Step 1 configure terminal Enter global configuration mode Step 2 ntp access group query only serve only serve peer access list number Create an access group and apply a basic IP access list The keywords have these meanings query only Allows only NTP control queries serve only Allows only time requests serve Allows time requests and NTP control queries but does not allow the swi...

Page 170: ...he source IP address is normally set to the address of the interface through which the NTP packet is sent Use the ntp source global configuration command when you want to use a particular source IP address for all NTP packets The address is taken from the specified interface This command is useful if the address on an interface cannot be used as the destination for reply packets Beginning in privi...

Page 171: ...other source of time is available you can manually configure the time and date after the system is restarted The time remains accurate until the next system restart We recommend that you use manual configuration only as a last resort If you have an outside source to which the switch can synchronize you do not need to manually set the system clock Note You must reset this setting if you have manual...

Page 172: ...uthoritative blank Time is authoritative Time is authoritative but NTP is not synchronized Configuring the Time Zone Beginning in privileged EXEC mode follow these steps to manually configure the time zone Command Purpose Step 1 clock set hh mm ss day month year or clock set hh mm ss month day year Manually set the system clock using one of these formats For hh mm ss specify the time in hours 24 h...

Page 173: ...ws how to specify that summer time starts on the first Sunday in April at 02 00 and ends on the last Sunday in October at 02 00 Switch config clock summer time PDT recurring 1 Sunday April 2 00 last Sunday October 2 00 Step 4 show running config Verify your entries Step 5 copy running config startup config Optional Save your entries in the configuration file Command Purpose Command Purpose Step 1 ...

Page 174: ...an symbol is appended The prompt is updated whenever the system name changes If you are accessing a stack member through the stack master you must use the session stack member number privileged EXEC command The stack member number range is from 1 through 9 When you use this command the stack member number is appended to the system prompt For example Switch 2 is the prompt in privileged EXEC mode f...

Page 175: ...omain Name System DNS a distributed database with which you can map hostnames to IP addresses When you configure DNS on your switch you can substitute the hostname for the IP address with all IP commands such as ping telnet connect and related Telnet support operations IP defines a hierarchical naming scheme that allows a device to be identified by its location or domain Domain names are pieced to...

Page 176: ...e a default domain name that the software uses to complete unqualified hostnames names without a dotted decimal domain name Do not include the initial period that separates an unqualified name from the domain name At boot up time no domain name is configured however if the switch configuration comes from a BOOTP or Dynamic Host Configuration Protocol DHCP server then the default domain name might ...

Page 177: ...NS configuration information use the show running config privileged EXEC command Creating a Banner You can configure a message of the day MOTD and a login banner The MOTD banner displays on all connected terminals at login and is useful for sending messages that affect all network users such as impending system shutdowns The login banner also displays on all connected terminals It appears after th...

Page 178: ...ws the banner that appears from the previous configuration Unix telnet 172 2 5 4 Trying 172 2 5 4 Connected to 172 2 5 4 Escape character is This is a secure site Only authorized users are allowed For access contact technical support User Access Verification Password Command Purpose Step 1 configure terminal Enter global configuration mode Step 2 banner motd c message c Specify the message of the ...

Page 179: ...e types of addresses Dynamic address a source MAC address that the switch learns and then ages when it is not in use Static address a manually entered unicast address that does not age and that is not lost when the switch resets The address table lists the destination MAC address the associated VLAN ID and port number associated with the address and the type static or dynamic Note For complete syn...

Page 180: ...dding the address and its associated port number to the address table As stations are added or removed from the network the switch updates the address table adding new dynamic addresses and aging out those that are not in use The aging interval is globally configured on a standalone switch or on the switch stack However the switch maintains an address table for each VLAN and STP can accelerate the...

Page 181: ...tion it floods the packet to all ports in the same VLAN as the receiving port This unnecessary flooding can impact performance Setting too long an aging time can cause the address table to be filled with unused addresses which prevents new addresses from being learned Flooding results which can impact switch performance Beginning in privileged EXEC mode follow these steps to configure the dynamic ...

Page 182: ...for which the trap is set MAC address change notifications are generated for dynamic and secure MAC addresses Notifications are not generated for self addresses multicast addresses or other static addresses Beginning in privileged EXEC mode follow these steps to configure the switch to send MAC address change notification traps to an NMS host Command Purpose Step 1 configure terminal Enter global ...

Page 183: ...ize 100 Switch config interface gigabitethernet1 0 2 Switch config if snmp trap mac notification change added You can verify your settings by entering the show mac address table notification change interface and the show mac address table notification change privileged EXEC commands Step 5 mac address table notification change interval value history size value Enter the trap interval time and the ...

Page 184: ...ble traps mac notification move Switch config mac address table notification mac move Command Purpose Step 1 configure terminal Enter global configuration mode Step 2 snmp server host host addr traps informs version 1 2c 3 community string notification type Specify the recipient of the trap message For host addr specify the name or address of the NMS Specify traps the default to send SNMP traps to...

Page 185: ...o send SNMP informs to the host Specify the SNMP version to support Version 1 the default is not available with informs For community string specify the string to send with the notification operation Though you can set this string by using the snmp server host command we recommend that you define this string by using the snmp server community command before using the snmp server host command For n...

Page 186: ...g and Removing Static Address Entries A static address has these characteristics It is manually entered in the address table and must be manually removed It can be a unicast or multicast address It does not age and is retained when the switch restarts You can add and remove static addresses and define the forwarding behavior for them The forwarding behavior defines how a port that receives a packe...

Page 187: ... static mac addr vlan vlan id drop global configuration command one of these messages appears Only unicast addresses can be configured to be dropped CPU destined address cannot be configured as drop address Packets that are forwarded to the CPU are also not supported Command Purpose Step 1 configure terminal Enter global configuration mode Step 2 mac address table static mac addr vlan vlan id inte...

Page 188: ...mac addr vlan vlan id global configuration command This example shows how to enable unicast MAC address filtering and to configure the switch to drop packets that have a source or destination address of c2f3 220a 12f4 When a packet is received in VLAN 4 with this MAC address as its source or destination the packet is dropped Switch config mac address table static c2f3 220a 12f4 vlan 4 drop Disabli...

Page 189: ...e MAC address learning on an RSPAN VLAN The configuration is not allowed If you disable MAC address learning on a VLAN that includes a secure port MAC address learning is not disabled on that port If you disable port security the configured MAC address learning state is enabled Beginning in privileged EXEC mode follow these steps to disable MAC address learning on a VLAN To reenable MAC address le...

Page 190: ...tion represented by the arpa keyword is enabled on the IP interface ARP entries added manually to the table do not age and must be manually removed Note For CLI procedures see the Cisco IOS Release 12 2 documentation from the Cisco com page under Documentation Cisco IOS Software 12 2 Mainline Table 7 4 Commands for Displaying the MAC Address Table Command Description show ip igmp snooping groups D...

Page 191: ... to balance resources To allocate ternary content addressable memory TCAM resources for different usages the switch SDM templates prioritize system resources to optimize support for certain features You can select SDM templates to optimize these features Default The default template gives balance to all functions Dual The dual IPv4 and IPv6 template allows the switch to be used in dual stack envir...

Page 192: ...itch Current Switch Role Mac Address Priority State 2 Master 000a fdfd 0100 5 Ready 4 Member 0003 fd63 9c00 5 SDM Mismatch This is an example of a syslog message notifying the stack master that a stack member is in SDM mismatch mode 2d23h STACKMGR 6 SWITCH_ADDED_SDM Switch 2 has been ADDED to the stack SDM_MISMATCH 2d23h SDM 6 MISMATCH_ADVISE 2d23h SDM 6 MISMATCH_ADVISE 2d23h SDM 6 MISMATCH_ADVISE...

Page 193: ...e 8 4 Default SDM Template The default template is the default desktop template SDM Template Configuration Guidelines When you select and configure SDM templates you must reload the switch for the configuration to take effect Do not use the routing template if you do not have routing enabled on your switch The sdm prefer lanbase routing global configuration command prevents other features from usi...

Page 194: ...g the template in use Switch show sdm prefer The current template is lanbase routing template The selected template optimizes the resources in the switch to support this level of features for 8 routed interfaces and 255 VLANs number of unicast mac addresses 4K number of IPv4 IGMP groups multicast routes 0 25K number of IPv4 unicast routes 4 25K number of directly connected IPv4 hosts 4K number of ...

Page 195: ...h Software Configuration Guide OL 19720 02 Chapter 8 Configuring SDM Templates Displaying the SDM Templates number of IPv4 policy based routing aces 0 number of IPv4 MAC qos aces 0 125k number of IPv4 MAC security aces 0 375k ...

Page 196: ...8 6 Catalyst 2975 Switch Software Configuration Guide OL 19720 02 Chapter 8 Configuring SDM Templates Displaying the SDM Templates ...

Page 197: ...h Access with RADIUS page 9 18 Configuring the Switch for Local Authentication and Authorization page 9 40 Configuring the Switch for Secure Shell page 9 41 Configuring the Switch for Secure Socket Layer HTTP page 9 46 Configuring the Switch for Secure Copy Protocol page 9 52 Preventing Unauthorized Access to Your Switch You can prevent unauthorized users from reconfiguring your switch and viewing...

Page 198: ...ame and password pairs but you want to store them centrally on a server instead of locally you can store them in a database on a security server Multiple networking devices can then use the same database to obtain user authentication and if necessary authorization information For more information see the Controlling Switch Access with TACACS section on page 9 10 Protecting Access to Privileged EXE...

Page 199: ...vilege level No password is defined The default is level 15 privileged EXEC level The password is encrypted before it is written to the configuration file Line password No password is defined Command Purpose Step 1 configure terminal Enter global configuration mode Step 2 enable password password Define a new password or change an existing password for access to privileged EXEC mode By default no ...

Page 200: ...ted password or enable secret level level password encryption type encrypted password Define a new password or change an existing password for access to privileged EXEC mode or Define a secret password which is saved using a nonreversible encryption method Optional For level the range is from 0 to 15 Level 1 is normal user EXEC mode privileges The default level is 15 privileged EXEC mode privilege...

Page 201: ... password The password recovery disable feature protects access to the switch password by disabling part of this functionality When this feature is enabled the end user can interrupt the boot process only by agreeing to set the system back to the default configuration With password recovery disabled you can still interrupt the boot process and change the password but the configuration file config ...

Page 202: ...uration command This example shows how to set the Telnet password to let45me67in89 Switch config line vty 10 Switch config line password let45me67in89 Command Purpose Step 1 Attach a PC or workstation with emulation software to the switch console port The default data characteristics of the console port are 9600 8 1 no parity You might need to press the Return key several times to see the command ...

Page 203: ...ode Step 2 username name privilege level password encryption type password Enter the username privilege level and password for each user For name specify the user ID as one word Spaces and quotation marks are not allowed Optional For level specify the privilege level the user has after gaining access The range is 0 to 15 Level 15 gives privileged EXEC mode access Level 1 gives user EXEC mode acces...

Page 204: ...ollow these steps to set the privilege level for a command mode Command Purpose Step 1 configure terminal Enter global configuration mode Step 2 privilege mode level level command Set the privilege level for a command For mode enter configure for global configuration mode exec for EXEC mode interface for interface configuration mode or line for line configuration mode For level the range is from 0...

Page 205: ...de the privilege level you set using the privilege level line configuration command by logging in to the line and enabling a different privilege level They can lower the privilege level by using the disable command If users know the password to a higher privilege level they can use that password to enable the higher privilege level You might specify a high level or privilege level for your console...

Page 206: ...ACS Configuration page 9 18 Understanding TACACS TACACS is a security application that provides centralized validation of users attempting to gain access to your switch TACACS services are maintained in a database on a TACACS daemon typically running on a UNIX or Windows NT workstation You should have access to and should configure a TACACS server before the configuring TACACS features on your swi...

Page 207: ...essages to user screens For example a message could notify users that their passwords must be changed because of the company s password aging policy Authorization Provides fine grained control over user capabilities for the duration of the user s session including but not limited to setting autocommands access control session duration or protocol support You can also enforce restrictions on what c...

Page 208: ... switch eventually receives one of these responses from the TACACS daemon ACCEPT The user is authenticated and service can begin If the switch is configured to require authorization authorization begins at this time REJECT The user is not authenticated The user can be denied access or is prompted to retry the login sequence depending on the TACACS daemon ERROR An error occurred at some time during...

Page 209: ...xhausted These sections contain this configuration information Default TACACS Configuration page 9 13 Identifying the TACACS Server Host and Setting the Authentication Key page 9 13 Configuring TACACS Login Authentication page 9 14 Configuring TACACS Authorization for Privileged EXEC Access and Network Services page 9 16 Starting TACACS Accounting page 9 17 Default TACACS Configuration TACACS and ...

Page 210: ...or authentication thus ensuring a backup system for authentication in case the initial method fails The software uses the first method listed to Command Purpose Step 1 configure terminal Enter global configuration mode Step 2 tacacs server host hostname port integer timeout integer key string Identify the IP host or hosts maintaining a TACACS server Enter this command multiple times to create a li...

Page 211: ...character string to name the list you are creating For method1 specify the actual method the authentication algorithm tries The additional methods of authentication are used only if the previous method returns an error not if it fails Select one of these methods enable Use the enable password for authentication Before you can use this authentication method you must define an enable password by usi...

Page 212: ...AAA authorization is enabled the switch uses information retrieved from the user s profile which is located either in the local user database or on the security server to configure the user s session The user is granted access to a requested service only if the information in the user profile allows it You can use the aaa authorization global configuration command with the tacacs keyword to set pa...

Page 213: ...o aaa accounting network exec start stop method1 global configuration command Command Purpose Step 1 configure terminal Enter global configuration mode Step 2 aaa authorization network tacacs Configure the switch for user TACACS authorization for all network related service requests Step 3 aaa authorization exec tacacs Configure the switch for user TACACS authorization if the user has privileged E...

Page 214: ...nabled only through AAA commands Note For complete syntax and usage information for the commands used in this section see the Cisco IOS Security Command Reference Release 12 2 from the Cisco com page under Documentation Cisco IOS Software 12 2 Mainline Command References These sections contain this configuration information Understanding RADIUS page 9 18 RADIUS Operation page 9 20 RADIUS Change of...

Page 215: ... host to a single utility such as Telnet or to the network through a protocol such as IEEE 802 1x For more information about this protocol see Chapter 10 Configuring IEEE 802 1x Port Based Authentication Networks that require resource accounting You can use RADIUS accounting independently of RADIUS authentication or authorization The RADIUS accounting functions allow data to be sent at the start a...

Page 216: ...luded with the ACCEPT or REJECT packets includes these items Telnet SSH rlogin or privileged EXEC services Connection parameters including the host or client IP address access list and user timeouts RADIUS Change of Authorization This section provides an overview of the RADIUS interface including available primitives and how they are used during a Change of Authorization CoA Overview page 9 20 Cha...

Page 217: ...uide 12 2 50 SE Change of Authorization Requests Change of Authorization CoA requests as described in RFC 5176 are used in a push model to allow for session identification host reauthentication and session termination The model is comprised of one request CoA Request and two possible response codes CoA acknowledgement ACK CoA ACK CoA non acknowledgement NAK CoA NAK The request is initiated from a ...

Page 218: ...ributes Calling Station Id IETF attribute 31 which contains the host MAC address Audit Session Id Cisco VSA Acct Session Id IETF attribute 44 Unless all session identification attributes included in the CoA message match the session the switch returns a Disconnect NAK or CoA NAK with the Invalid Attribute Value error code attribute Table 9 3 Error Cause Values Value Explanation 201 Residual Sessio...

Page 219: ...uthenticator and Attributes in Type Length Value TLV format 0 1 2 3 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 Code Identifier Length Authenticator Attributes The attributes field is used to carry Cisco VSAs CoA ACK Response Code If the authorization state is changed successfully a positive acknowledgement ACK is sent The attributes returned within CoA ACK will vary based on t...

Page 220: ...entication sequence starting with the method configured to be attempted first If the session is not yet authorized or is authorized via guest VLAN or critical VLAN or similar policies the reauthentication message restarts the access control methods beginning with the method configured to be attempted first The current authorization of the session is maintained until the reauthentication leads to a...

Page 221: ...mpletely removed the switch returns a Disconnect ACK If the switch fails over to a standby switch before returning a Disconnect ACK to the client the process is repeated on the new active switch when the request is re sent from the client If the session is not found following re sending a Disconnect ACK is sent with the Session Context Not Found error code attribute CoA Request Disable Host Port T...

Page 222: ...and it checkpoints this information before returning a CoA ACK message Need for a port bounce Port ID found in the local session context The switch initiates a port bounce disables the port for 10 seconds then re enables it If the port bounce is successful the signal that triggered the port bounce is removed from the standby stack master If the stack master fails before the port bounce completes a...

Page 223: ...uccessful communication with a listed method or the method list is exhausted You should have access to and should configure a RADIUS server before configuring RADIUS features on your switch Default RADIUS Configuration page 9 27 Identifying the RADIUS Server Host page 9 28 required Configuring RADIUS Login Authentication page 9 30 required Defining AAA Server Groups page 9 32 optional Configuring ...

Page 224: ...e device for accounting services The RADIUS host entries are tried in the order that they are configured A RADIUS server and the switch use a shared secret text string to encrypt passwords and exchange responses To configure RADIUS to use the AAA security commands you must specify the host running the RADIUS server daemon and a secret text key string that it shares with the switch The timeout retr...

Page 225: ...global configuration command setting If no timeout is set with the radius server host command the setting of the radius server timeout command is used Optional For retransmit retries specify the number of times a RADIUS request is resent to a server if that server is not responding or responding slowly The range is 1 to 1000 If no retransmit value is set with the radius server host command the set...

Page 226: ...list which by coincidence is named default The default method list is automatically applied to all ports except those that have a named method list explicitly defined A method list describes the sequence and authentication methods to be queried to authenticate a user You can designate one or more security protocols to be used for authentication thus ensuring a backup system for authentication in c...

Page 227: ...US server For more information see the Identifying the RADIUS Server Host section on page 9 28 line Use the line password for authentication Before you can use this authentication method you must define a line password Use the password password line configuration command local Use the local username database for authentication You must enter username information in the database Use the username na...

Page 228: ...umentation Cisco IOS Software 12 2 Mainline Command References Defining AAA Server Groups You can configure the switch to use AAA server groups to group existing server hosts for authentication You select a subset of the configured server hosts and use them for a particular service The server group is used with a global server host list which lists the IP addresses of the selected server hosts Ser...

Page 229: ...value is set with the radius server host command the setting of the radius server retransmit global configuration command is used Optional For key string specify the authentication and encryption key used between the switch and the RADIUS daemon running on the RADIUS server Note The key is a text string that must match the encryption key used on the RADIUS server Always configure the key as the la...

Page 230: ... server radius group2 Switch config sg radius server 172 20 0 1 auth port 2000 acct port 2001 Switch config sg radius exit Configuring RADIUS Authorization for User Privileged Access and Network Services AAA authorization limits the services available to a user When AAA authorization is enabled the switch uses information retrieved from the user s profile which is in the local user database or on ...

Page 231: ...o aaa accounting network exec start stop method1 global configuration command Command Purpose Step 1 configure terminal Enter global configuration mode Step 2 aaa authorization network radius Configure the switch for user RADIUS authorization for all network related service requests Step 3 aaa authorization exec radius Configure the switch for user RADIUS authorization if the user has privileged E...

Page 232: ...o RADIUS implementation supports one vendor specific option by using the format recommended in the specification Cisco s vendor ID is 9 and the supported option has vendor type 1 which is named cisco avpair The value is a string with this format protocol attribute sep value Command Purpose Step 1 configure terminal Enter global configuration mode Step 2 radius server key string Specify the shared ...

Page 233: ...10 10 10 10 0 0 255 255 20 20 20 20 255 255 0 0 cisco avpair ip inacl 2 deny ip 10 10 10 10 0 0 255 255 any cisco avpair mac inacl 3 deny any any decnet iv This example shows how to apply an output ACL in ASCII format to an interface for the duration of this connection cisco avpair ip outacl 2 deny ip 10 10 10 10 0 0 255 255 any Other vendors have their own unique vendor IDs options and associated...

Page 234: ...ecret text string To delete the vendor proprietary RADIUS host use the no radius server host hostname ip address non standard global configuration command To disable the key use the no radius server key global configuration command This example shows how to specify a vendor proprietary RADIUS host and to use a secret key of rad124 between the switch and the server Switch config radius server host ...

Page 235: ...tep 7 auth type any all session key Specify the type of authorization the switch uses for RADIUS clients The client must match all the configured attributes for authorization Step 8 ignore session key Optional Configure the switch to ignore the session key For more information about the ignore command see the Cisco IOS Intelligent Services Gateway Command Reference on Cisco com Step 9 ignore serve...

Page 236: ...RADIUS Configuration To display the RADIUS configuration use the show running config privileged EXEC command Configuring the Switch for Local Authentication and Authorization You can configure AAA to operate without a server by setting the switch to implement AAA in local mode The switch then handles authentication and authorization No accounting is available in this configuration Beginning in pri...

Page 237: ...m Cisco com For more information see the release notes for this release These sections contain this information Understanding SSH page 9 42 Configuring SSH page 9 43 Displaying the SSH Configuration and Status page 9 45 Step 6 username name privilege level password encryption type password Enter the local database and establish a username based authentication system Repeat this command for each us...

Page 238: ...ter running the cryptographic version of the software fails and is replaced by a switch that is running a noncryptographic version of the software We recommend that a switch running the cryptographic version of the software be the stack master SSH Servers Integrated Clients and Supported Versions The SSH feature has an SSH server and an SSH integrated client which are applications that run on the ...

Page 239: ...unning on a stack master and the stack master fails the new stack master uses the RSA key pair generated by the previous stack master If you get CLI error messages after entering the crypto key generate rsa global configuration command an RSA key pair has not been generated Reconfigure the hostname and domain and then enter the crypto key generate rsa command For more information see the Setting U...

Page 240: ...ration mode Step 2 hostname hostname Configure a hostname for your switch Step 3 ip domain name domain_name Configure a host domain for your switch Step 4 crypto key generate rsa Enable the SSH server for local and remote authentication on the switch and generate an RSA key pair We recommend that a minimum modulus size of 1024 bits When you generate RSA keys you are prompted to enter a modulus len...

Page 241: ...ncrypted SSH connections for multiple CLI based sessions over the network are available session 0 to session 4 After the execution shell starts the CLI based session time out value returns to the default of 10 minutes Specify the number of times that a client can re authenticate to the server The default is 3 the range is 0 to 5 Repeat this step when configuring both parameters Step 4 line vty lin...

Page 242: ...tion of SSL Version 3 0 with application layer encryption HTTP over SSL is abbreviated as HTTPS the URL of a secure connection begins with https instead of http The primary role of the HTTP secure server the switch is to listen for HTTPS requests on a designated port the default HTTPS port is 443 and pass the request to the HTTP 1 1 Web server The HTTP 1 1 server processes requests and passes resp...

Page 243: ...and displaying a self signed certificate Switch show running config Building configuration output truncated crypto pki trustpoint TP self signed 3080755072 enrollment selfsigned subject name cn IOS Self Signed Certificate 3080755072 revocation check none rsakeypair TP self signed 3080755072 crypto ca certificate chain TP self signed 3080755072 certificate self signed 01 3082029F 30820208 A0030201 ...

Page 244: ...st defines the CipherSuites supported by the switch and ranks them from fastest to slowest in terms of router processing load speed 1 SSL_RSA_WITH_DES_CBC_SHA RSA key exchange RSA Public Key Cryptography with DES CBC for message encryption and SHA for message digest 2 SSL_RSA_WITH_RC4_128_MD5 RSA key exchange with RC4 128 bit encryption and MD5 for message digest 3 SSL_RSA_WITH_RC4_128_SHA RSA key...

Page 245: ...and certificates Step 4 crypto key generate rsa Optional Generate an RSA key pair RSA key pairs are required before you can obtain a certificate for the switch RSA key pairs are generated automatically You can use this command to regenerate the keys if needed Step 5 crypto ca trustpoint name Specify a local configuration name for the CA trustpoint and enter CA trustpoint configuration mode Step 6 ...

Page 246: ...http secure port port number Optional Specify the port number to be used for the HTTPS server The default port number is 443 Valid options are 443 or any number in the range 1025 to 65535 Step 5 ip http secure ciphersuite 3des ede cbc sha rc4 128 md5 rc4 128 sha des cbc sha Optional Specify the CipherSuites encryption algorithms to be used for encryption over the HTTPS connection If you do not hav...

Page 247: ...seconds life seconds requests value Optional Specify how long a connection to the HTTP server can remain open under the defined circumstances idle the maximum time period when no data is received or response data cannot be sent The range is 1 to 600 seconds The default is 180 seconds 3 minutes life the maximum time period from the time that the connection is established The range is 1 to 86400 sec...

Page 248: ... with SCP which relies on SSH for its secure transport Because SSH also relies on AAA authentication and SCP relies further on AAA authorization correct configuration is necessary Before enabling SCP you must correctly configure SSH authentication and authorization on the switch Because SCP relies on SSH for its secure transport the router must have an Rivest Shamir and Adelman RSA key pair Note W...

Page 249: ...ization and accounting AAA authorization be configured so the router can determine whether the user has the correct privilege level A user who has appropriate authorization can use SCP to copy any file in the Cisco IOS File System IFS to and from a switch by using the copy command An authorized administrator can also do this from a workstation For information about how to configure and verify SCP ...

Page 250: ...9 54 Catalyst 2975 Switch Software Configuration Guide OL 19720 02 Chapter 9 Configuring Switch Based Authentication Configuring the Switch for Secure Copy Protocol ...

Page 251: ...nes a client server based access control and authentication protocol to prevent unauthorized clients from connecting to a LAN through publicly accessible ports The authentication server authenticates each client connected to a switch port before making available any switch or LAN services Until the client is authenticated IEEE 802 1x access control allows only Extensible Authentication Protocol ov...

Page 252: ...entication with Port Security page 10 25 802 1x Authentication with Wake on LAN page 10 26 802 1x Authentication with MAC Authentication Bypass page 10 26 802 1x User Distribution page 10 28 Network Admission Control Layer 2 802 1x Validation page 10 29 Flexible Authentication Ordering page 10 29 Open1x Authentication page 10 29 Using Voice Aware 802 1x Security page 10 30 802 1x Supplicant and Au...

Page 253: ...he RADIUS client which is responsible for encapsulating and decapsulating the EAP frames and interacting with the authentication server The switch is the authenticator in the 802 1x standard When the switch receives EAPOL frames and relays them to the authentication server the Ethernet header is stripped and the remaining EAP frame is re encapsulated in the RADIUS format The EAP frames are not mod...

Page 254: ...authentication timer expires You can configure the re authentication timer to use a switch specific value or to be based on values from the RADIUS server 141679 Yes No Client identity is invalid All authentication servers are down All authentication servers are down Client identity is valid The switch gets an EAPOL message and the EAPOL message exchange begins Yes No 1 1 1 1 This occurs if the swi...

Page 255: ...tication when the link state changes from down to up or periodically as long as the port remains up and unauthenticated The switch sends an EAP request identity frame to the client to request its identity Upon receipt of the frame the client responds with an EAP response identity frame However if during boot up the client does not receive an EAP request identity frame from the switch the client ca...

Page 256: ...the port becomes authorized If authorization fails and a guest VLAN is specified the switch assigns the port to the guest VLAN If the switch detects an EAPOL packet while waiting for an Ethernet packet the switch stops the MAC authentication bypass process and stops 802 1x authentication Figure 10 4 shows the message exchange during MAC authentication bypass Figure 10 4 Message Exchange During MAC...

Page 257: ... authenticated on the same port If a port becomes unauthorized in multiple host mode the switch denies network access to all of the attached clients Multidomain authentication MDA Both a data device and voice device can be authenticated on the same switch port The port is divided into a data domain and a voice domain Multiple authentication Multiple hosts can authenticate on the data VLAN This mod...

Page 258: ...nnot be applied and authorization fails Single host is the only exception to support backward compatibility More than one host can be authenticated on MDA enabled and multiauth ports The ACL policy applied for one host does not effect the traffic of another host If only one host is authenticated on a multi host port and the other hosts gain network access without authentication the ACL policy for ...

Page 259: ...me functionality as earlier 802 1x commands Table 10 2 Authentication Manager Commands and Earlier 802 1x Commands The authentication manager commands in Cisco IOS Release 12 2 50 SE or later The equivalent 802 1x commands in Cisco IOS Release 12 2 46 SE and earlier Description authentication control direction both in dot1x control direction both in Enable authentication with the wake on LAN WoL f...

Page 260: ...thentication connects to an unauthorized 802 1x port the switch requests the client s identity In this situation the client does not respond to the request the port remains in the unauthorized state and the client is not granted access to the network In contrast when an 802 1x enabled client connects to a port that is not running the 802 1x standard the client initiates the authentication process ...

Page 261: ...or removed from a switch stack 802 1x authentication is not affected as long as the IP connectivity between the RADIUS server and the stack remains intact This statement also applies if the stack master is removed from the switch stack Note that if the stack master fails a stack member becomes the new stack master by using the election process described in Chapter 6 Managing Switch Stacks and the ...

Page 262: ... enabled you can use 802 1x authentication to authenticate the port and port security to manage network access for all MAC addresses including that of the client Figure 10 5 Multiple Host Mode Example The switch supports multidomain authentication MDA which allows both a data device and a voice device such as an IP Phone Cisco or non Cisco to connect to the same switch port For more information se...

Page 263: ...voice VLAN is automatically removed and must be reauthenticated on that port Active fallback mechanisms such as guest VLAN and restricted VLAN remain configured after a port changes from single host or multiple host mode to multidomain mode Switching a port host mode from multidomain to single host or multiple hosts mode removes all authorized devices from the port If a data domain is authorized f...

Page 264: ...om the VLAN group as the first host If a VLAN list is used all hosts are subject to the conditions specified in the VLAN list Only one voice VLAN assignment is supported on a multi auth port After a VLAN is assigned to a host on the port subsequent hosts must have matching VLAN information or be denied access to the port You cannot configure a guest VLAN or an auth fail VLAN in multi auth mode The...

Page 265: ...de It does not apply to ports in multiple host mode because in that mode only the first host requires authentication If you configure the authentication violation interface configuration command with the replace keyword the authentication process on a port in multi domain mode is A new MAC address is received on a port with an existing authenticated MAC address The authentication manager replaces ...

Page 266: ...vileged EXEC command For more information about this command see the Cisco IOS Debug Command Reference Release 12 2 http www cisco com en US docs ios 12_2 debug command reference 122debug html For more information about AV pairs see RFC 3580 802 1x Remote Authentication Dial In User Service RADIUS Usage Guidelines Table 10 3 Accounting AV Pairs Attribute Number AV Pair Name START INTERIM STOP Attr...

Page 267: ...on section on page 10 12 When configured on the switch and the RADIUS server 802 1x authentication with VLAN assignment has these characteristics If no VLAN is supplied by the RADIUS server or if 802 1x authentication is disabled the port is configured in its access VLAN after successful authentication Recall that an access VLAN is a VLAN assigned to an access port All packets sent from or receive...

Page 268: ...endor specific tunnel attributes in the RADIUS server The RADIUS server must return these attributes to the switch 64 Tunnel Type VLAN 65 Tunnel Medium Type 802 81 Tunnel Private Group ID VLAN name VLAN ID or VLAN Group 83 Tunnel Preference Attribute 64 must contain the value VLAN type 13 Attribute 65 must contain the value 802 type 6 Attribute 81 specifies the VLAN name or VLAN ID assigned to the...

Page 269: ... OPEN is created and allows all traffic Policies are enforced with IP address insertion to prevent security breaches Web authentication is subject to the auth default ACL OPEN To control access for hosts with no authorization policy you can configure a directive The supported values for the directive are open and default When you configure the open directive all traffic is allowed The default dire...

Page 270: ...ber attribute The name is the ACL name The number is the version number for example 3f783768 If a downloadable ACL is configured for a client on the authentication server a default port ACL on the connected client switch port must also be configured If the default ACL is configured on the switch and the Cisco Secure ACS sends a host access policy to the switch it applies the policy to traffic from...

Page 271: ...tch no longer allows clients that fail authentication access to the guest VLAN If the switch is trying to authorize an 802 1x capable voice device and the AAA server is unavailable the authorization attempt fails but the detection of the EAPOL packet is saved in the EAPOL history When the AAA server becomes available the switch authorizes the voice device However the switch no longer allows other ...

Page 272: ...ort moves to the restricted VLAN The failed attempt count increments when the RADIUS server replies with either an EAP failure or an empty response without an EAP packet When the port moves into the restricted VLAN the failed attempt counter resets Users who fail authentication remain in the restricted VLAN until the next re authentication attempt A port in the restricted VLAN tries to re authenti...

Page 273: ...id When a new host tries to connect to the critical port that port is reinitialized and all the connected hosts are moved to the user specified access VLAN The authentication event server dead action reinitialize vlan vlan id interface configuration command is supported on all host modes Authentication Results The behavior of the inaccessible authentication bypass feature depends on the authorizat...

Page 274: ...ing Accounting is not affected if the RADIUS servers are unavailable Private VLAN You can configure inaccessible authentication bypass on a private VLAN host port The access VLAN must be a secondary private VLAN Voice VLAN Inaccessible authentication bypass is compatible with voice VLAN but the RADIUS configured or user specified access VLAN and the voice VLAN must be different Remote Switched Por...

Page 275: ...iple hosts mode You also must configure port security on the port by using the switchport port security interface configuration command When you enable port security and 802 1x authentication on a port 802 1x authentication authenticates the port and port security manages network access for all MAC addresses including that of the client You can then limit the number or group of clients that can ac...

Page 276: ... need to connect to systems that have been powered down When a host that uses WoL is attached through an 802 1x port and the host powers off the 802 1x port becomes unauthorized The port can only receive and send EAPOL packets and WoL magic packets cannot reach the host When the PC is powered off it is not authorized and the switch port is not opened When the switch uses 802 1x authentication with...

Page 277: ...ated with 802 1x During re authentication the port remains in the previously assigned VLAN If re authentication is successful the switch keeps the port in the same VLAN If re authentication fails the switch assigns the port to the guest VLAN if one is configured If re authentication is based on the Session Timeout RADIUS attribute Attribute 27 and the Termination Action RADIUS attribute Attribute ...

Page 278: ...ured by using the switch CLI If the VLAN group name is found the corresponding VLANs under this VLAN group name are searched to find the least populated VLAN Load balancing is achieved by moving the corresponding authorized user to that VLAN Note The RADIUS server can send the VLAN information in any combination of VLAN IDs VLAN names or VLAN groups 802 1x User Distribution Configuration Guideline...

Page 279: ...nt by using the show authentication or show dot1x privileged EXEC command Configure secondary private VLANs as guest VLANs Configuring NAC Layer 2 802 1x validation is similar to configuring 802 1x port based authentication except that you must configure a posture token on the RADIUS server For information about configuring NAC Layer 2 802 1x validation see the Configuring NAC Layer 2 802 1x Valid...

Page 280: ...he port 802 1x switch supplicant You can configure a switch to act as a supplicant to another switch by using the 802 1x supplicant feature This configuration is helpful in a scenario where for example a switch is outside a wiring closet and is connected to an upstream switch through a trunk port A switch configured with the 802 1x switch supplicant feature authenticates with the upstream switch f...

Page 281: ... unsupported configurations on the authenticator switch port and to change the port mode from access to trunk For information see the AutoSmartports Configuration Guide For more information see the Configuring an Authenticator and a Supplicant Switch with NEAT section on page 10 60 Using IEEE 802 1x Authentication with ACLs and the RADIUS Filter Id Attribute The switch supports both IP standard an...

Page 282: ...nically increasing unique 32 bit integer The session start time stamp a 32 bit integer This example shows how the session ID appears in the output of the show authentication command The session ID in this example is 160000050000000B288508E5 Switch show authentication sessions Interface MAC Address Method Domain Status Session ID Fa4 0 4 0000 0000 0203 mab DATA Authz Success 160000050000000B288508E...

Page 283: ...10 50 optional Configuring a Restricted VLAN page 10 51 optional Configuring the Inaccessible Authentication Bypass Feature page 10 53 optional Configuring 802 1x Authentication with WoL page 10 56 optional Configuring MAC Authentication Bypass page 10 57 optional Configuring NAC Layer 2 802 1x Validation page 10 59 optional Configuring an Authenticator and a Supplicant Switch with NEAT page 10 60...

Page 284: ...t before resending the request Maximum retransmission number 2 times number of times that the switch will send an EAP request identity frame before restarting the authentication process Client timeout period 30 seconds when relaying a request from the authentication server to the client the amount of time the switch waits for a response before resending the request to the client Authentication ser...

Page 285: ... of an 802 1x enabled port to trunk an error message appears and the port mode is not changed Dynamic ports A port in dynamic mode can negotiate with its neighbor to become a trunk port If you try to enable 802 1x authentication on a dynamic port an error message appears and 802 1x authentication is not enabled If you try to change the mode of an 802 1x enabled port to dynamic an error message app...

Page 286: ...e interface is not authenticated If the Windows XP client is configured for DHCP and has an IP address from the DHCP server receiving an EAP Success message on a critical port might not re initiate the DHCP configuration process You can configure the inaccessible authentication bypass feature and the restricted VLAN on an 802 1x port If the switch tries to re authenticate a critical port in a rest...

Page 287: ...he readiness check on the switch The readiness check is typically used before 802 1x is enabled on the switch If you use the dot1x test eapol capable privileged EXEC command without specifying an interface all the ports on the switch stack are tested When you configure the dot1x test eapol capable command on an 802 1x enabled port and the link comes up the port queries the connected client about i...

Page 288: ...le voice aware 802 1x security by entering the no version of this command This command applies to all 802 1x configured ports in the switch Note If you do not include the shutdown vlan keywords the entire port is shut down when it enters the error disabled state If you use the errdisable recovery cause security violation global configuration command to configure error disabled recovery the port is...

Page 289: ...an vlan list Optional Reenable individual VLANs that have been error disabled For interface id specify the port on which to reenable individual VLANs Optional For vlan list specify a list of VLANs to be re enabled If vlan list is not specified all VLANs are re enabled Step 5 shutdown no shutdown Optional Re enable an error disabled VLAN and clear all error disable indications Step 6 end Return to ...

Page 290: ...erformed as necessary Step 6 The switch sends an interim accounting update to the accounting server that is based on the result of re authentication Step 7 The user disconnects from the port Step 8 The switch sends a stop message to the accounting server Step 4 interface interface id Specify the port connected to the client that is to be enabled for 802 1x authentication and enter interface config...

Page 291: ...ns The default method list is automatically applied to all ports For method1 enter the group radius keywords to use the list of all RADIUS servers for authentication Note Though other keywords are visible in the command line help string only the group radius keywords are supported Step 4 dot1x system auth control Enable 802 1x authentication globally on the switch Step 5 aaa authorization network ...

Page 292: ...settings include the IP address of the switch and the key string to be shared by both the server and the switch For more information see the RADIUS server documentation Command Purpose Step 1 configure terminal Enter global configuration mode Step 2 radius server host hostname ip address auth port port number key string Configure the RADIUS server parameters For hostname ip address specify the hos...

Page 293: ... dot1x host mode single host multi host multi domain The keywords have these meanings multi auth Allow one client on the voice VLAN and multiple authenticated clients on the data VLAN Each host is individually authenticated Note The multi auth keyword is only available with the authentication host mode command multi host Allow multiple hosts on an 802 1x authorized port after a single host has bee...

Page 294: ...on of the client and to configure the number of seconds between re authentication attempts This procedure is optional Command Purpose Step 1 configure terminal Enter global configuration mode Step 2 interface interface id Specify the port to be configured and enter interface configuration mode Step 3 authentication periodic or dot1x reauthentication Enable periodic re authentication of the client ...

Page 295: ...re authenticate the client connected to a port Switch dot1x re authenticate interface gigabitethernet2 0 1 Changing the Quiet Period When the switch cannot authenticate the client the switch remains idle for a set period of time and then tries again The dot1x timeout quiet period interface configuration command controls the idle period A failed client authentication might occur because the client ...

Page 296: ...cation This procedure is optional To return to the default retransmission time use the no dot1x timeout tx period interface configuration command This example shows how to set 60 as the number of seconds that the switch waits for a response to an EAP request identity frame from the client before resending the request Switch config if dot1x timeout tx period 60 Step 5 show authentication interface ...

Page 297: ... an EAP request identity request before restarting the authentication process Switch config if dot1x max req 5 Setting the Re Authentication Number You can also change the number of times that the switch restarts the authentication process before the port changes to the unauthorized state Note You should change the default value of this command only to adjust for unusual circumstances such as unre...

Page 298: ...ch config authentication mac move permit Enabling MAC Replace MAC replace allows a host to replace an authenticated host on a port Command Purpose Step 1 configure terminal Enter global configuration mode Step 2 interface interface id Specify the port to be configured and enter interface configuration mode Step 3 dot1x max reauth req count Set the number of times that the switch restarts the authe...

Page 299: ...rs 00 09 55 RADIUS 4 RADIUS_DEAD RADIUS server 172 20 246 201 1645 1646 is not responding Note You must configure the RADIUS server to perform accounting tasks such as logging start stop and interim update messages and time stamps To turn on these functions enable logging of Update Watchdog packets from this AAA client in your RADIUS server Network Configuration tab Next enable CVS RADIUS Accounti...

Page 300: ... The switch supports guest VLANs in single host or multiple hosts mode Beginning in privileged EXEC mode follow these steps to configure a guest VLAN This procedure is optional Command Purpose Step 1 configure terminal Enter global configuration mode Step 2 interface interface id Specify the port to be configured and enter interface configuration mode Step 3 aaa accounting dot1x default start stop...

Page 301: ... 802 1x compliant are moved into the restricted VLAN when the authentication server does not receive a valid username and password The switch supports restricted VLANs only in single host mode Beginning in privileged EXEC mode follow these steps to configure a restricted VLAN This procedure is optional Step 5 dot1x guest vlan vlan id Specify an active VLAN as an 802 1x guest VLAN The range is 1 to...

Page 302: ...XEC mode Step 7 show authentication interface id or show dot1x interface interface id Optional Verify your entries Step 8 copy running config startup config Optional Save your entries in the configuration file Command Purpose Command Purpose Step 1 configure terminal Enter global configuration mode Step 2 interface interface id Specify the port to be configured and enter interface configuration mo...

Page 303: ...ivileged EXEC mode follow these steps to configure the port as a critical port and enable the inaccessible authentication bypass feature This procedure is optional Command Purpose Step 1 configure terminal Enter global configuration mode Step 2 radius server dead criteria time time tries tries Optional Set the conditions that are used to decide when a RADIUS server is considered unavailable or dea...

Page 304: ...configure the key as the last item in the radius server host command syntax because leading spaces are ignored but spaces within and at the end of the key are used If you use spaces in the key do not enclose the key in quotation marks unless the quotation marks are part of the key This key must match the encryption used on the RADIUS daemon You can also configure the authentication and encryption ...

Page 305: ...r1 idle time 30 key abc1234 Switch config dot1x critical eapol Switch config dot1x critical recovery delay 2000 Switch config interface gigabitethernet1 0 2 Switch config radius server deadtime 60 Switch config if dot1x critical Switch config if dot1x critical recovery action reinitialize Switch config if dot1x critical vlan 20 Switch config if end Step 8 dot1x critical recovery action reinitializ...

Page 306: ...onfiguration mode Step 2 interface interface id Specify the port to be configured and enter interface configuration mode For the supported port types see the 802 1x Authentication Configuration Guidelines section on page 10 35 Step 3 authentication control direction both in or dot1x control direction both in Enable 802 1x authentication with WoL on the port and use these keywords to configure the ...

Page 307: ...pes see the 802 1x Authentication Configuration Guidelines section on page 10 35 Step 3 authentication port control auto or dot1x port control auto Enable 802 1x authentication on the port Step 4 dot1x mac auth bypass eap timeout activity value Enable MAC authentication bypass Optional Use the eap keyword to configure the switch to use EAP for authorization Optional Use the timeout activity keywor...

Page 308: ...lan list 30 switch config show vlan group eng dept Group Name Vlans Mapped eng dept 10 30 This example shows how to remove a VLAN from a VLAN group switch no vlan group eng dept vlan list 10 This example shows that when all the VLANs are cleared from a VLAN group the VLAN group is cleared switch config no vlan group eng dept vlan list 30 Vlan 30 is successfully cleared from vlan group eng dept swi...

Page 309: ...uest vlan vlan id Specify an active VLAN as an 802 1x guest VLAN The range is 1 to 4094 You can configure any active VLAN except an RSPAN VLAN or a voice VLAN as an 802 1x guest VLAN Step 4 authentication periodic or dot1x reauthentication Enable periodic re authentication of the client which is disabled by default Step 5 dot1x timeout reauth period seconds server Set the number of seconds between...

Page 310: ... auto Switch config if dot1x pae authenticator Switch config if spanning tree portfast trunk Beginning in privileged EXEC mode follow these steps to configure a switch as a supplicant Command Purpose Step 1 configure terminal Enter global configuration mode Step 2 cisp enable Enable CISP Step 3 interface interface id Specify the port to be configured and enter interface configuration mode Step 4 s...

Page 311: ...he ACS For more information see the Cisco Secure ACS configuration guides Note You must configure a downloadable ACL on the ACS before downloading it to the switch After authentication on the port you can use the show ip access list privileged EXEC command to display the downloaded ACLs on the port Step 5 password password Create a password for the new username Step 6 dot1x supplicant force multic...

Page 312: ...p access group acl id in Configure the default ACL on the port in the input direction Note The acl id is an access list name or number Step 8 show running config interface interface id Verify your configuration Step 9 copy running config startup config Optional Save your entries in the configuration file Command Purpose Step 1 configure terminal Enter global configuration mode Step 2 access list a...

Page 313: ...ork default group radius Sets the authorization method to local To remove the authorization method use the no aaa authorization network default group radius command Step 8 ip device tracking Enables the IP device tracking table To disable the IP device tracking table use the no ip device tracking global configuration commands Step 9 ip device tracking probe count interval use svi Optional Configur...

Page 314: ... Beginning in privileged EXEC mode follow these steps This example shows how to configure a port attempt 802 1x authentication first followed by web authentication as fallback method Switch configure terminal Switch config interface gigabitethernet2 0 1 Switch config authentication order dot1x webauth Command Purpose Step 1 configure terminal Enter global configuration mode Step 2 mab request form...

Page 315: ...face id Specify the port to be configured and enter interface configuration mode Step 3 authentication control direction both in Optional Configure the port control as unidirectional or bidirectional Step 4 authentication fallback name Optional Configure a port to use web authentication as a fallback method for clients that do not support 802 1x authentication Step 5 authentication host mode multi...

Page 316: ...he 802 1x authentication configuration to the default values This procedure is optional Step 3 no dot1x pae Disable 802 1x authentication on the port Step 4 end Return to privileged EXEC mode Step 5 show authentication interface id or show dot1x interface interface id Verify your entries Step 6 copy running config startup config Optional Save your entries in the configuration file Command Purpose ...

Page 317: ...mmand To display the 802 1x administrative and operational status for the switch use the show dot1x all details statistics summary privileged EXEC command To display the 802 1x administrative and operational status for a specific port use the show dot1x interface interface id privileged EXEC command Beginning with Cisco IOS Release 12 2 55 SE you can use the no dot1x logging verbose global configu...

Page 318: ...10 68 Catalyst 2975 Switch Software Configuration Guide OL 19720 02 Chapter 10 Configuring IEEE 802 1x Port Based Authentication Displaying 802 1x Statistics and Status ...

Page 319: ...nterfaces When you initiate an HTTP session web based authentication intercepts ingress HTTP packets from the host and sends an HTML login page to the users The users enter their credentials which the web based authentication feature sends to the authentication authorization and accounting AAA server for authentication If authentication succeeds web based authentication sends a Login Successful HT...

Page 320: ...tication status of the client The switch acts as an intermediary proxy between the client and the authentication server requesting identity information from the client verifying that information with the authentication server and relaying a response to the client Figure 11 1 shows the roles of these devices in a network Figure 11 1 Web Based Authentication Device Roles Host Detection The switch ma...

Page 321: ...ord and the switch sends the entries to the authentication server If the authentication succeeds the switch downloads and activates the user s access policy from the authentication server The login success page is sent to the user If the authentication fails the switch sends the login fail page The user retries the login If the maximum number of attempts fails the switch sends the login expired pa...

Page 322: ... create a banner by using the ip admission auth proxy banner http global configuration command The default banner Cisco Systems and Switch host name Authentication appear on the Login Page Cisco Systems appears on the authentication result pop up page as shown in Figure 11 2 Figure 11 2 Authentication Successful Banner You can also customize the banner as shown in Figure 11 3 Add a switch router o...

Page 323: ...Banner If you do not enable a banner only the username and password dialog boxes appear in the web authentication login screen and no banner appears when you log into the switch as shown in Figure 11 4 Figure 11 4 Login Screen With No Banner For more information see the Cisco IOS Security Command Reference and the Configuring a Web Authentication Local Banner section on page 11 16 ...

Page 324: ... set a hidden password or to confirm that the same page is not submitted twice The CLI command to redirect users to a specific URL is not available when the configured login form is enabled The administrator should ensure that the redirection is configured in the web page If the CLI command redirecting users to specific URL after authentication occurs is entered and then the command configuring we...

Page 325: ...AN Port IP page 11 8 Gateway IP page 11 8 ACLs page 11 8 Context Based Access Control page 11 8 802 1x Authentication page 11 8 EtherChannel page 11 8 Port Security You can configure web based authentication and port security on the same port Web based authentication authenticates the port and port security manages network access for all MAC addresses including that of the client You can then limi...

Page 326: ...tion host policy ACLs If you configure a VLAN ACL or a Cisco IOS ACL on an interface the ACL is applied to the host traffic only after the web based authentication host policy is applied For Layer 2 web based authentication you must configure a port ACL PACL as the default access policy for ingress traffic from hosts connected to the port After authentication the web based authentication host poli...

Page 327: ...ure You can configure web based authentication only on access ports Web based authentication is not supported on trunk ports EtherChannel member ports or dynamic trunk ports You must configure the default ACL on the interface before configuring web based authentication Configure a port ACL for a Layer 2 interface or a Cisco IOS ACL for a Layer 3 interface You cannot authenticate hosts on Layer 2 i...

Page 328: ...ation Cache Entries page 11 17 Configuring the Authentication Rule and Interfaces This example shows how to enable web based authentication on Fast Ethernet port 5 1 Switch config ip admission name webauth1 proxy http Switch config interface fastethernet 5 1 Switch config if ip admission webauth1 Switch config if exit Switch config ip device tracking Command Purpose Step 1 ip admission name name p...

Page 329: ...ntication login default group tacacs Switch config aaa authorization auth proxy default group tacacs Configuring Switch to RADIUS Server Communication RADIUS security servers identification Host name Host IP address Host name and specific UDP port numbers IP address and specific UDP port numbers Command Purpose Step 1 aaa new model Enables AAA functionality Step 2 aaa authentication login default ...

Page 330: ...g with the radius server host global configuration command If you want to configure these options on a per server basis use the radius server timeout radius server retransmit and the radius server key global configuration commands For more information see the Cisco IOS Security Configuration Guide Release 12 2 and the Cisco IOS Security Command Reference Release 12 2 http www cisco com en US docs ...

Page 331: ...p secure secure command the login page is always in HTTPS secure HTTP even if the user sends an HTTP request Customizing the Authentication Proxy Web Pages Specifying a Redirection URL for Successful Login Customizing the Authentication Proxy Web Pages You can configure web authentication to display four substitute HTML pages to the user in place of the switch default HTML pages during web based a...

Page 332: ...e and password and must show them as uname and pwd The custom login page should follow best practices for a web form such as page timeout hidden password and prevention of redundant submissions This example shows how to configure custom authentication proxy web pages Switch config ip admission proxy http login page file flash login htm Switch config ip admission proxy http success page file flash ...

Page 333: ...ebpage not configured HTTP Authentication success redirect to URL http www cisco com Authentication global cache time is 60 minutes Authentication global absolute time is 0 minutes Authentication global init state time is 2 minutes Authentication Proxy Watch list is disabled Authentication Proxy Max HTTP process is 7 Authentication Proxy Auditing is disabled Max Login attempts per user is 5 Config...

Page 334: ...mum number of failed login attempts to 10 Switch config ip admission max login attempts 10 Configuring a Web Authentication Local Banner Beginning in privileged EXEC mode follow these steps to configure a local banner on a switch that has web authentication configured Command Purpose Step 1 ip admission max login attempts number Set the maximum number of failed login attempts The range is 1 to 214...

Page 335: ...c ports This example shows how to view only the global web based authentication status Switch show authentication sessions This example shows how to view the web based authentication settings for gigabit interface 3 27 Switch show authentication sessions interface gigabitethernet 3 27 Step 3 end Return to privileged EXEC mode Step 4 copy running config startup config Optional Save your entries in ...

Page 336: ...11 18 Catalyst 2975 Switch Software Configuration Guide OL 19720 02 Chapter 11 Configuring Web Based Authentication Displaying Web Based Authentication Status ...

Page 337: ...complete syntax and usage information for the commands used in this chapter see the switch command reference for this release and the Cisco IOS Interface Command Reference Release 12 2 from the Cisco com page under Documentation Cisco IOS Software Release 12 2 Mainline Command References Understanding Interface Types This section describes the different types of supported interfaces with reference...

Page 338: ...or server mode These VLANs are saved in the VLAN database VLANs can be formed with ports across the stack The VLAN database is downloaded to all switches in a stack and all switches in the stack build the same VLAN database The running configuration and the saved configuration are the same for all switches in a stack Add ports to a VLAN by using the switchport interface configuration commands Iden...

Page 339: ...ID belong to the port default PVID A packet with a VLAN ID equal to the outgoing port default PVID is sent untagged All other traffic is sent with a VLAN tag Although by default a trunk port is a member of every VLAN known to the VTP you can limit VLAN membership by configuring an allowed list of VLANs for each trunk port The list of allowed VLANs affects only the associated trunk port By default ...

Page 340: ... operate only on physical ports When you configure an EtherChannel you create a port channel logical interface and assign an interface to the EtherChannel Use the channel group interface configuration command to dynamically create the port channel logical interface This command binds the physical and logical ports together For more information see Chapter 37 Configuring EtherChannels and Link Stat...

Page 341: ...te in high power mode The device changes to high power mode only when it receives confirmation from the switch High power devices can operate in low power mode on switches that do not support power negotiation CDP Cisco intelligent power management is backward compatible with CDP with power consumption the switch responds according to the CDP message that it receives CDP is not supported on third ...

Page 342: ...rty PoE devices The switch processes a request and either grants or denies power If the request is granted the switch updates the power budget If the request is denied the switch ensures that power to the port is turned off generates a syslog message and updates the LEDs Powered devices can also negotiate with the switch for more power If the switch detects a fault caused by an undervoltage overvo...

Page 343: ... allowed on the port If the IEEE class maximum wattage of the powered device is greater than the configured maximum value the switch does not provide power to the port If the switch powers a powered device but the powered device later requests through CDP messages more than the configured maximum value the switch removes power to the port The power that was allocated to the powered device is recla...

Page 344: ...e port the switch can either turn off power to the port or the switch can generate a syslog message and update the LEDs the port LED is now blinking amber while still providing power to the device based on the switch configuration By default power usage policing is disabled on all PoE ports If error recovery from the PoE error disabled state is enabled the switch automatically takes the PoE port o...

Page 345: ...by using the power inline auto max 6300 interface configuration command the configured maximum power allocation on the PoE port is 6 3 W 6300 mW The switch provides power to the connected devices on the port if the device needs up to 6 3 W If the CDP power negotiated value or the IEEE classification value exceeds the configured cutoff value the switch does not provide power to the connected device...

Page 346: ... the router back to the switch and then to Host B Figure 12 1 Connecting VLANs with Layer 2 Switches With a standard Layer 2 switch ports in different VLANs have to exchange information through a router By using the switch with routing enabled when you configure both VLAN 20 and VLAN 30 with an SVI to which an IP address is assigned packets can be sent from Host A to Host B directly through the sw...

Page 347: ...to it You can use the switch port LEDs in Stack mode to identify the stack member number of a switch For information about stack member numbers see the Member Numbers section on page 6 6 Module number The module or slot number on the switch always 0 Port number The interface number on the switch The port numbers always begin at 1 starting with the far left port when facing the front of the switch ...

Page 348: ...that will run on the interface The commands are collected and applied to the interface when you enter another interface command or enter end to return to privileged EXEC mode You can also configure a range of interfaces by using the interface range or interface range macro global configuration commands Interfaces configured in a range must be the same type and must be configured with the same feat...

Page 349: ...XEC command displays the configured VLAN interfaces VLAN interfaces not displayed by the show running config command cannot be used with the interface range command All interfaces defined in a range must be the same type all Fast Ethernet ports all Gigabit Ethernet ports all EtherChannel ports or all VLANs but you can enter multiple ranges in a command Command Purpose Step 1 configure terminal Ent...

Page 350: ...ation mode Configuring and Using Interface Range Macros You can create an interface range macro to automatically select a range of interfaces for configuration Before you can use the macro keyword in the interface range macro global configuration command string you must use the define interface range global configuration command to define the macro Beginning in privileged EXEC mode follow these st...

Page 351: ...terface rang For example gigabitethernet1 0 1 4 is a valid range gigabitethernet1 0 1 4 is not The VLAN interfaces must have been configured with the interface vlan command The show running config privileged EXEC command displays the configured VLAN interfaces VLAN interfaces not displayed by the show running config command cannot be used as interface ranges All interfaces defined as in a range mu...

Page 352: ...ng Power for Devices Connected to a PoE Port page 12 24 Configuring Power Policing page 12 26 Adding a Description for an Interface page 12 27 Default Ethernet Interface Configuration Table 12 2 shows the Ethernet interface default configuration For more details on the VLAN parameters listed in the table see Chapter 13 Configuring VLANs For details on controlling traffic to the port see Chapter 23...

Page 353: ...cast storm control Disabled See the Default Storm Control Configuration section on page 23 3 Protected port Disabled See the Configuring Protected Ports section on page 23 6 Port security Disabled See the Default Port Security Configuration section on page 23 11 Port Fast Disabled See the Default Optional Spanning Tree Configuration section on page 18 12 Auto MDIX Enabled Note The switch might not...

Page 354: ...l one of them links up In auto select mode the switch configures both types with autonegotiation of speed and duplex the default Depending on the type of installed SFP module the switch might not be able to dynamically select it For more information see the information that follows this procedure rj45 The switch disables the SFP module interface If you connect an SFP module to this port it cannot ...

Page 355: ...models can include combinations of Fast Ethernet 10 100 Mb s ports Gigabit Ethernet 10 100 1000 Mb s ports 10 Gigabit module ports and small form factor pluggable SFP module slots supporting SFP modules These sections describe how to configure the interface speed and duplex mode Speed and Duplex Configuration Guidelines page 12 19 Setting the Interface Speed and Duplex Parameters page 12 20 Speed ...

Page 356: ...e to be configured and enter interface configuration mode Step 3 speed 10 100 1000 auto 10 100 1000 nonegotiate Enter the appropriate speed parameter for the interface Enter 10 100 or 1000 to set a specific speed for the interface The 1000 keyword is available only for 10 100 1000 Mb s ports Enter auto to enable the interface to autonegotiate speed with the connected device If you use the 10 100 o...

Page 357: ...es apply to flow control settings on the device receive on or desired The port cannot send pause frames but can operate with an attached device that is required to or can send pause frames the port can receive pause frames receive off Flow control does not operate in either direction In case of congestion no indication is given to the link partner and no pause frames are sent or received by either...

Page 358: ... shows the link states that result from auto MDIX settings and correct and incorrect cabling Beginning in privileged EXEC mode follow these steps to configure auto MDIX on an interface To disable auto MDIX use the no mdix auto interface configuration command This example shows how to enable auto MDIX on a port Switch configure terminal Switch config interface gigabitethernet1 0 1 Switch config if ...

Page 359: ...ng in privileged EXEC mode follow these steps to configure a power management mode on a PoE capable port Command Purpose Step 1 configure terminal Enter global configuration mode Step 2 interface interface id Specify the physical port to be configured and enter interface configuration mode Step 3 power inline auto max max wattage never static max max wattage Configure the PoE mode on the port The ...

Page 360: ...e IEEE classification The difference between what is mandated by the IEEE classification and what is actually needed by the device is reclaimed into the global power budget for use by additional devices You can then extend the switch power budget and use it more effectively For example if the switch budgets 15 400 milliwatts on each PoE port you can connect only 24 Class 0 powered devices If your ...

Page 361: ...tion mode Step 2 no cdp run Optional Disable CDP Step 3 power inline consumption default wattage Configure the power consumption of powered devices connected to each the PoE port on the switch The range for each de vice is 4000 to 15400 milliwatts The default is 15400 milliwatts Note When you use this command we recommend you also enable power policing Step 4 end Return to privileged EXEC mode Ste...

Page 362: ...ns Shut down the PoE port turn off power to it and put it in the error dsabled state Enter the power inline police command Note You can enable error detection for the PoE error disabled cause by using the errdisable detect cause inline power global configuration command You can also enable the timer to recover from the PoE error disabled state by using the errdisable recovery cause inline power in...

Page 363: ...nds one per line End with CNTL Z Switch config interface gigabitethernet1 0 2 Switch config if description Connects to Marketing Switch config if end Switch show interfaces gigabitethernet1 0 2 description Interface Status Protocol Description Gi1 0 2 admin down down Connects to Marketing Configuring Layer 3 SVIs You should configure SVIs for any VLANs for which you want to route traffic SVIs are ...

Page 364: ...y using the system mtu jumbo global configuration command Gigabit Ethernet ports are not affected by the system mtu command 10 100 ports are not affected by the system mtu jumbo command If you do not configure the system mtu jumbo command the setting of the system mtu command applies to all Gigabit Ethernet interfaces You cannot set the MTU size for an individual interface you set it for all 10 10...

Page 365: ...nfig exit Switch reload This example shows the response when you try to set Gigabit Ethernet interfaces to an out of range number Switch config system mtu jumbo 25000 Invalid input detected at marker Monitoring and Maintaining the Interfaces These sections contain interface monitoring and maintenance information Monitoring Interface Status page 12 30 Clearing and Resetting Interfaces and Counters ...

Page 366: ...nterface id switchport Optional Display administrative and operational status of switching ports show interfaces interface id description Optional Display the description configured on an interface or all interfaces and the interface status show ip interface interface id Optional Display the usability status of all interfaces configured for IP routing or the specified interface show interface inte...

Page 367: ...ly those seen with the show interface privileged EXEC command Shutting Down and Restarting the Interface Shutting down an interface disables all functions on the specified interface and marks the interface as unavailable on all monitoring command displays This information is communicated to other network servers through all dynamic routing protocols The interface is not mentioned in any routing up...

Page 368: ...12 32 Catalyst 2975 Switch Software Configuration Guide OL 19720 02 Chapter 12 Configuring Interface Characteristics Monitoring and Maintaining the Interfaces ...

Page 369: ...LAN is a switched network that is logically segmented by function project team or application without regard to the physical locations of the users VLANs have the same attributes as physical LANs but you can group end stations even if they are not physically located on the same LAN segment Any switch port can belong to a VLAN and unicast broadcast and multicast packets are forwarded and flooded on...

Page 370: ... VLAN IDs 1 to 1005 In these versions the switch must be in VTP transparent mode when you create VLAN IDs from 1006 to 4094 Cisco IOS Release 12 2 52 SE and later support VTP version 3 VTP version 3 supports the entire VLAN range VLANs 1 to 4094 Extended range VLANs VLANs 1006 to 4094 are supported only in VTP version 3 You cannot convert from VTP version 3 to VTP version 2 if extended VLANs are c...

Page 371: ...ANs on trunk ports that are included in the list For information about configuring trunk ports see the Configuring an Ethernet Interface as a Trunk Port section on page 13 15 VTP is recommended but not required VTP maintains VLAN configuration consistency by managing the addition deletion and renaming of VLANs on a network wide basis VTP exchanges VLAN configuration messages with other switches ov...

Page 372: ...nt with the stack master Caution You can cause inconsistency in the VLAN database if you attempt to manually delete the vlan dat file If you want to modify the VLAN configuration use the commands described in these sections and in the command reference for this release To change the VTP configuration see Chapter 15 Configuring VTP You use the interface configuration mode to define the port members...

Page 373: ...s 1 to 1005 are always saved in the VLAN database If the VTP mode is transparent VTP and VLAN configuration are also saved in the switch running configuration file With VTP versions 1 and 2 the switch supports VLAN IDs 1006 through 4094 only in VTP transparent mode VTP disabled These are extended range VLANs and configuration options are limited Extended range VLANs created in VTP transparent mode...

Page 374: ...escription in the command reference for this release When you have finished the configuration you must exit VLAN configuration mode for the configuration to take effect To display the VLAN configuration enter the show vlan privileged EXEC command The configurations of VLAN IDs 1 to 1005 are always saved in the VLAN database vlan dat file If the VTP mode is transparent they are also saved in the sw...

Page 375: ...ersion 1 and 2 if the switch is in VTP transparent mode you can assign VLAN IDs greater than 1006 but they are not added to the VLAN database See the Configuring Extended Range VLANs section on page 13 10 For the list of default parameters that are assigned when you add a VLAN see the Configuring Normal Range VLANs section on page 13 4 Table 13 2 Ethernet VLAN Defaults and Ranges Parameter Default...

Page 376: ...a new VLAN Command Purpose Step 1 configure terminal Enter global configuration mode Step 2 vlan vlan id Enter a VLAN ID and enter VLAN configuration mode Enter a new VLAN ID to create a VLAN or enter an existing VLAN ID to modify that VLAN Note The available VLAN ID range for this command is 1 to 4094 For information about adding VLAN IDs greater than 1005 extended range VLANs see the Configuring...

Page 377: ...r line End with CNTL Z Switch config interface gigabitethernet2 0 1 Command Purpose Step 1 configure terminal Enter global configuration mode Step 2 no vlan vlan id Remove the VLAN by entering the VLAN ID Step 3 end Return to privileged EXEC mode Step 4 show vlan brief Verify the VLAN removal Step 5 copy running config startup config Optional If the switch is in VTP transparent mode the VLAN confi...

Page 378: ...ended range VLAN configuration information Default VLAN Configuration page 13 10 Extended Range VLAN Configuration Guidelines page 13 10 Creating an Extended Range VLAN page 13 11 Default VLAN Configuration See Table 13 2 on page 13 7 for the default configuration for Ethernet VLANs You can change only the MTU size and the remote SPAN configuration state on extended range VLANs all other character...

Page 379: ...haracteristics see Table 13 2 and the MTU size and RSPAN configuration are the only parameters you can change See the description of the vlan global configuration command in the command reference for the default settings of all parameters In VTP version 1 or 2 if you enter an extended range VLAN ID when the switch is not in VTP transparent mode an error message is generated when you exit VLAN conf...

Page 380: ...s ports and configuration information Table 13 3 lists the privileged EXEC commands for monitoring VLANs For more details about the show command options and explanations of output fields see the command reference for this release Step 7 show vlan id vlan id Verify that the VLAN has been created Step 8 copy running config startup config Save your entries in the switch startup configuration file To ...

Page 381: ...ocol DTP which is a Point to Point Protocol However some internetworking devices might forward DTP frames improperly which could cause misconfigurations To avoid this you should configure interfaces connected to devices that do not support DTP to not forward DTP frames that is to turn off DTP If you do not intend to trunk across those links use the switchport mode access interface configuration co...

Page 382: ...t result Disabling spanning tree on the native VLAN of an IEEE 802 1Q trunk without disabling spanning tree on every VLAN in the network can potentially cause spanning tree loops We recommend that you leave spanning tree enabled on the native VLAN of an IEEE 802 1Q trunk or disable spanning tree on every VLAN in the network Make sure your network is loop free before you disable spanning tree Defau...

Page 383: ...ps but all trunks in the group must have the same configuration When a group is first created all ports follow the parameters set for the first port to be added to the group If you change the configuration of one of these parameters the switch propagates the setting you entered to all ports in the group allowed VLAN list STP port priority for each VLAN STP Port Fast setting trunk status if one por...

Page 384: ...he port to be configured for trunking and enter interface configuration mode Step 3 switchport mode dynamic auto desirable trunk Configure the interface as a Layer 2 trunk required only if the interface is a Layer 2 access port or to specify the trunking mode dynamic auto Set the interface to a trunk link if the neighboring interface is set to trunk or desirable mode This is the default dynamic de...

Page 385: ...regardless of the switchport trunk allowed setting The same is true for any VLAN that has been disabled on the port A trunk port can become a member of a VLAN if the VLAN is enabled if VTP knows of the VLAN and if the VLAN is in the allowed list for the port When VTP detects a newly enabled VLAN and the VLAN is in the allowed list for a trunk port the trunk port automatically becomes a member of t...

Page 386: ...chport trunk pruning vlan interface configuration command Command Purpose Step 1 configure terminal Enter global configuration mode Step 2 interface interface id Select the trunk port for which VLANs should be pruned and enter interface configuration mode Step 3 switchport trunk pruning vlan add except none remove vlan list vlan vlan Configure the list of VLANs allowed to be pruned from the trunk ...

Page 387: ...upplied by parallel trunks connecting switches To avoid loops STP normally blocks all but one parallel link between switches Using load sharing you divide the traffic between the links according to which VLAN the traffic belongs You configure load sharing on trunk ports by using STP port priorities or STP path costs For load sharing using STP port priorities both load sharing links must be connect...

Page 388: ...s traffic for VLANs 3 through 6 If the active trunk fails the trunk with the lower priority takes over and carries the traffic for all of the VLANs No duplication of traffic occurs over any trunk port Figure 13 2 Load Sharing by Using STP Port Priorities Note If your switch is a member of a switch stack you must use the spanning tree vlan vlan id cost cost interface configuration command instead o...

Page 389: ... configured as a trunk and enter interface configuration mode Step 9 switchport mode trunk Configure the port as a trunk port Step 10 end Return to privileged EXEC mode Step 11 show interfaces interface id_1 switchport Verify the VLAN configuration Step 12 Repeat Steps 7 through 10 on Switch A for a second port in the switch stack Step 13 Repeat Steps 7 through 10 on Switch B to configure the trun...

Page 390: ...vileged EXEC mode Step 7 show running config Verify your entries In the display make sure that the interfaces are configured as trunk ports Step 8 show vlan When the trunk links come up Switch A receives the VTP information from the other switches Verify that Switch A has learned the VLAN configuration Step 9 configure terminal Enter global configuration mode Step 10 interface interface id_1 Defin...

Page 391: ...r not the server is in open or secure mode In secure mode the server shuts down the port when an illegal host is detected In open mode the server simply denies the host access to the port If the port is currently unassigned that is it does not yet have a VLAN assignment the VMPS provides one of these responses If the host is allowed on the port the VMPS sends the client a vlan assignment response ...

Page 392: ... dynamic access port if they are all in the same VLAN however the VMPS shuts down a dynamic access port if more than 20 hosts are active on the port If the link goes down on a dynamic access port the port returns to an isolated state and does not belong to a VLAN Any hosts that come online through the port are checked again through the VQP with the VMPS before the port is assigned to a VLAN Dynami...

Page 393: ...and the VMPS server must be the same The VLAN configured on the VMPS server should not be a voice VLAN Configuring the VMPS Client You configure dynamic VLANs by using the VMPS server The switch can be a VMPS client it cannot be a VMPS server Entering the IP Address of the VMPS You must first enter the IP address of the server to configure the switch as a client Note If the VMPS is being defined f...

Page 394: ... the default VLAN for the switch use the no switchport access vlan interface configuration command Reconfirming VLAN Memberships Beginning in privileged EXEC mode follow these steps to confirm the dynamic access port VLAN membership assignments that the switch has received from the VMPS Command Purpose Step 1 configure terminal Enter global configuration mode Step 2 interface interface id Specify ...

Page 395: ... times that the switch attempts to contact the VMPS before querying the next server To return the switch to its default setting use the no vmps retry global configuration command Command Purpose Step 1 configure terminal Enter global configuration mode Step 2 vmps reconfirm minutes Enter the number of minutes between reconfirmations of the dynamic VLAN membership The range is 1 to 120 The default ...

Page 396: ... it by entering the vmps reconfirm privileged EXEC command or its Network Assistant or SNMP equivalent This is an example of output for the show vmps privileged EXEC command Switch show vmps VQP Client Status VMPS VQP Version 1 Reconfirm Interval 60 min Server Retry Count 3 VMPS domain server 172 20 128 86 primary current 172 20 128 87 Reconfirmation status VMPS Action other Troubleshooting Dynami...

Page 397: ...mary VMPS Server 1 Catalyst 6500 series Secondary VMPS Server 2 Catalyst 6500 series Secondary VMPS Server 3 172 20 26 150 172 20 26 151 Catalyst 6500 series switch A 172 20 26 152 Switch C Ethernet segment Trunk link 172 20 26 153 172 20 26 154 172 20 26 155 172 20 26 156 172 20 26 157 172 20 26 158 172 20 26 159 Client switch I Client switch B End station 2 End station 1 TFTP server Dynamic acce...

Page 398: ...13 30 Catalyst 2975 Switch Software Configuration Guide OL 19720 02 Chapter 13 Configuring VLANs Configuring VMPS ...

Page 399: ...ne the phone sends voice traffic with Layer 3 IP precedence and Layer 2 class of service CoS values which are both set to 5 by default Because the sound quality of an IP phone call can deteriorate if the data is unevenly sent the switch supports quality of service QoS based on IEEE 802 1p CoS QoS uses classification and scheduling to send network traffic from the switch in a predictable manner For...

Page 400: ...device attached to the phone You can configure access ports on the switch to send Cisco Discovery Protocol CDP packets that instruct an attached phone to send voice traffic to the switch in any of these ways In the voice VLAN tagged with a Layer 2 CoS priority value In the access VLAN tagged with a Layer 2 CoS priority value In the access VLAN untagged no Layer 2 CoS priority value Note In all con...

Page 401: ...port on the phone Configuring Voice VLAN These sections contain this configuration information Default Voice VLAN Configuration page 14 3 Voice VLAN Configuration Guidelines page 14 3 Configuring a Port Connected to a Cisco 7960 IP Phone page 14 5 Default Voice VLAN Configuration The voice VLAN feature is disabled by default When the voice VLAN feature is enabled all untagged traffic is sent accor...

Page 402: ...es untagged frames and the device uses IEEE 802 1p frames The Cisco IP Phone uses IEEE 802 1Q frames and the voice VLAN is the same as the access VLAN The Cisco IP Phone and a device attached to the phone cannot communicate if they are in the same VLAN and subnet but use different frame types because traffic in the same subnet is not routed routing would eliminate the frame type difference You can...

Page 403: ...he voice traffic carries a Layer 3 IP precedence value the default is 5 Beginning in privileged EXEC mode follow these steps to configure voice traffic on a port Command Purpose Step 1 configure terminal Enter global configuration mode Step 2 interface interface id Specify the interface connected to the phone and enter interface configuration mode Step 3 mls qos trust cos Configure the interface t...

Page 404: ...rride not trust the priority of frames arriving on the phone port from connected devices Beginning in privileged EXEC mode follow these steps to set the priority of data traffic received from the nonvoice port on the Cisco IP Phone Step 6 show interfaces interface id switchport or show running config interface interface id Verify your voice VLAN entries Verify your QoS and voice VLAN entries Step ...

Page 405: ...ed device Switch configure terminal Enter configuration commands one per line End with CNTL Z Switch config interface gigabitethernet1 0 1 Switch config if switchport priority extend trust Switch config if end To return the port to its default setting use the no switchport priority extend interface configuration command Displaying Voice VLAN To display voice VLAN configuration for an interface use...

Page 406: ...14 8 Catalyst 2975 Switch Software Configuration Guide OL 19720 02 Chapter 14 Configuring Voice VLAN Displaying Voice VLAN ...

Page 407: ...s and security violations Before you create VLANs you must decide whether to use VTP in your network Using VTP you can make configuration changes centrally on one or more switches and have those changes automatically communicated to all the other switches in the network Without VTP you cannot send information about VLANs to other switches VTP is designed to work in an environment where updates are...

Page 408: ...itch is in the VTP no management domain state until it receives an advertisement for a domain over a trunk link a link that carries the traffic of multiple VLANs or until you configure a domain name Until the management domain name is specified or learned you cannot create or modify VLANs on a VTP server and VLAN information is not propagated over the network If the switch receives a VTP advertise...

Page 409: ...er and transmits and receives VTP updates on its trunks but you cannot create change or delete VLANs on a VTP client VLANs are configured on another switch in the domain that is in server mode In VTP versions 1 and 2 in VTP client mode VLAN configurations are not saved in NVRAM In VTP version 3 VLAN configurations are saved in NVRAM in client mode VTP transparent VTP transparent switches do not pa...

Page 410: ...red VLAN VLAN IDs IEEE 802 1Q VLAN name VLAN type VLAN state Additional VLAN configuration information specific to the VLAN type In VTP version 3 VTP advertisements also include the primary server ID an instance number and a start index VTP Version 2 If you use VTP in your network you must decide which version of VTP to use By default VTP operates in version 1 VTP version 2 supports these features...

Page 411: ... be modified Private VLAN support Support for any database in a domain In addition to propagating VTP information version 3 can propagate Multiple Spanning Tree MST protocol database information A separate instance of the VTP protocol runs for each application that uses VTP VTP primary server and VTP secondary servers A VTP primary server updates the database information and sends updates that are...

Page 412: ...VLANs 2 through 1001 are pruning eligible switch trunk ports If the VLANs are configured as pruning ineligible the flooding continues VTP pruning is supported in all VTP versions Figure 15 1 shows a switched network without VTP pruning enabled Port 1 on Switch A and Port 2 on Switch D are assigned to the Red VLAN If a broadcast is sent from the host connected to Switch A Switch A floods the broadc...

Page 413: ... trunk pruning vlan interface configuration command see the Changing the Pruning Eligible List section on page 13 18 VTP pruning operates when an interface is trunking You can set VLAN pruning eligibility whether or not VTP pruning is enabled for the VTP domain whether or not any given VLAN exists and whether or not the interface is currently trunking VTP and Switch Stacks VTP configuration is the...

Page 414: ...g VTP Mode page 15 11 Enabling the VTP Version page 15 14 Enabling VTP Pruning page 15 15 Configuring VTP on a Per Port Basis page 15 15 Adding a VTP Client Switch to a VTP Domain page 15 16 Default VTP Configuration Table 15 2 shows the default VTP configuration VTP Configuration Guidelines You use the vtp global configuration command to set the VTP password the version the VTP file name the inte...

Page 415: ...ame Switches in VTP transparent mode do not exchange VTP messages with other switches and you do not need to configure a VTP domain name for them Note If NVRAM and DRAM storage is sufficient all switches in a VTP domain should be in VTP server mode Caution Do not configure a VTP domain if all switches are operating in VTP client mode If you configure the domain it is impossible to make changes to ...

Page 416: ... If there are TrBRF and TrCRF Token Ring networks in your environment you must enable VTP version 2 or version 3 for Token Ring VLAN switching to function properly To run Token Ring and Token Ring Net disable VTP version 2 VTP version 1 and version 2 do not propagate configuration information for extended range VLANs VLANs 1006 to 4094 You must configure these VLANs manually on each device VTP ver...

Page 417: ...low these guidelines For VTP version 1 and version 2 if extended range VLANs are configured on the switch stack you cannot change VTP mode to client or server You receive an error message and the configuration is not allowed VTP version 1 and version 2 do not propagate configuration information for extended range VLANs VLANs 1006 to 4094 You must manually configure these VLANs on each device Note ...

Page 418: ...h the same domain name This command is optional for modes other than server mode VTP server mode requires a domain name If the switch has a trunk connection to a VTP domain the switch learns the domain name from the VTP server in the domain You should configure the VTP domain before configuring other VTP parameters Step 3 vtp mode client server transparent off vlan mst unknown Configure the switch...

Page 419: ...racters Optional hidden Enter hidden to ensure that the secret key generated from the password string is saved in the nvam vlan dat file If you configure a takeover by configuring a VTP primary server you are prompted to reenter the password Optional secret Enter secret to directly configure the password The secret password must contain 32 hexadecimal characters Step 3 end Return to privileged EXE...

Page 420: ...d was configured Caution VTP version 1 and VTP version 2 are not interoperable on switches in the same VTP domain Do not enable VTP version 2 unless every switch in the VTP domain supports version 2 In TrCRF and TrBRF Token ring environments you must enable VTP version 2 or VTP version 3 for Token Ring VLAN switching to function properly For Token Ring and Token Ring Net media disable VTP version ...

Page 421: ...ng VTP on a Per Port Basis With VTP version 3 you can enable or disable VTP on a per port basis You can enable VTP only on ports that are in trunk mode Incoming and outgoing VTP traffic are blocked not forwarded Beginning in privileged EXEC mode follow these steps to enable VTP on a port To disable VTP on the interface use the no vtp interface configuration command Switch config interface gigabite...

Page 422: ...able VTP on the switch and then to change its VLAN information without affecting the other switches in the VTP domain Command Purpose Step 1 show vtp status Check the VTP configuration revision number If the number is 0 add the switch to the VTP domain If the number is greater than 0 follow these steps a Write down the domain name b Write down the configuration revision number c Continue with the ...

Page 423: ...lay counters about VTP messages that have been sent and received show vtp devices conflict Display information about all VTP version 3 devices in the domain Conflicts are VTP version 3 devices with conflicting primary servers The show vtp devices command does not display information when the switch is in transparent or off mode show vtp interface interface id Display VTP status and configuration f...

Page 424: ...15 18 Catalyst 2975 Switch Software Configuration Guide OL 19720 02 Chapter 15 Configuring VTP Monitoring VTP ...

Page 425: ...pter 17 Configuring MSTP For information about other spanning tree features such as Port Fast UplinkFast root guard and so forth see Chapter 18 Configuring Optional Spanning Tree Features Note For complete syntax and usage information for the commands used in this chapter see the command reference for this release This chapter consists of these sections Understanding Spanning Tree Features page 16...

Page 426: ...rding port elected for every switched LAN segment Alternate A blocked port providing an alternate path to the root bridge in the spanning tree Backup A blocked port in a loopback configuration The switch that has all of its ports as the designated role or as the backup role is the root switch The switch that has at least one of its ports in the designated role is called the designated switch Spann...

Page 427: ... LANs for which it is the designated switch If a switch receives a configuration BPDU that contains inferior information to that currently stored for that port it discards the BPDU If the switch is a designated switch for the LAN from which the inferior BPDU was received it sends that LAN a BPDU containing the up to date information stored for that port In this way inferior information is discarde...

Page 428: ...hortest distance to the root switch is calculated for each switch based on the path cost A designated switch for each LAN segment is selected The designated switch incurs the lowest path cost when forwarding packets from that LAN to the root switch The port through which the designated switch is attached to the LAN is called the designated port Figure 16 1 Spanning Tree Port States in a Switch Sta...

Page 429: ...oot switch and the switch priority of a VLAN For example when you change the switch priority value you change the probability that the switch will be elected as the root switch Configuring a higher value decreases the probability a lower value increases the probability For more information see the Configuring the Root Switch section on page 16 16 the Configuring a Secondary Root Switch section on ...

Page 430: ...anning tree stabilizes each interface at the forwarding or blocking state When the spanning tree algorithm places a Layer 2 interface in the forwarding state this process occurs 1 The interface is in the listening state while spanning tree waits for protocol information to move the interface to the blocking state 2 While spanning tree waits the forward delay timer to expire it moves the interface ...

Page 431: ... state is the first state a Layer 2 interface enters after the blocking state The interface enters this state when the spanning tree decides that the interface should participate in frame forwarding An interface in the listening state performs these functions Discards frames received on the interface Discards frames switched from another interface for forwarding Does not learn addresses Receives B...

Page 432: ...g interfaces or link types Switch A might not be the ideal root switch By increasing the priority lowering the numerical value of the ideal switch so that it becomes the root switch you force a spanning tree recalculation to form a new topology with the ideal switch as the root Figure 16 3 Spanning Tree Topology When the spanning tree topology is calculated based on default parameters the path bet...

Page 433: ... used by different bridge protocols These addresses are static addresses that cannot be removed Regardless of the spanning tree state each switch in the stack receives but does not forward packets destined for addresses between 0x0180C2000000 and 0x0180C200000F If spanning tree is enabled the CPU on each switch in the stack receives packets destined for 0x0180C2000000 and 0x0180C2000010 If spannin...

Page 434: ...tries on a per port basis upon receiving a topology change By contrast PVST uses a short aging time for dynamically learned MAC address entries The rapid PVST uses the same configuration as PVST except where noted and the switch needs only minimal extra configuration The benefit of rapid PVST is that you can migrate a large PVST install base to rapid PVST without having to learn the complexities o...

Page 435: ...tance for all VLANs allowed on the trunks However in a network of Cisco switches connected through IEEE 802 1Q trunks the switches maintain one spanning tree instance for each VLAN allowed on the trunks When you connect a Cisco switch to a non Cisco device through an IEEE 802 1Q trunk the Cisco switch uses PVST to provide spanning tree interoperability If rapid PVST is enabled the switch uses it i...

Page 436: ... new master bridge ID If the switch stack is the spanning tree root and the stack master fails or leaves the stack the stack members elect a new stack master and a spanning tree reconvergence occurs If a neighboring switch external to the switch stack fails or is powered down normal spanning tree processing occurs Spanning tree reconvergence might occur as a result of losing a switch in the active...

Page 437: ...ee on a specific VLAN and use the spanning tree vlan vlan id global configuration command to enable spanning tree on the desired VLAN Caution Switches that are not running spanning tree still forward BPDUs that they receive so that the other switches on the VLAN that have a running spanning tree instance can break loops Therefore spanning tree must be running on enough switches to break all the lo...

Page 438: ...up their allocation of spanning tree instances Setting up allowed lists is not necessary in many cases and can make it more labor intensive to add another VLAN to the network Spanning tree commands control the configuration of VLAN spanning tree instances You create a spanning tree instance when you assign an interface to a VLAN The spanning tree instance is removed when the last interface is move...

Page 439: ...apid pvst to enable rapid PVST Step 3 interface interface id Recommended for rapid PVST mode only Specify an interface to configure and enter interface configuration mode Valid interfaces include physical ports VLANs and port channels The VLAN ID range is 1 to 4094 The port channel range is 1 to 6 Step 4 spanning tree link type point to point Recommended for rapid PVST mode only Specify that the l...

Page 440: ...ity from the default value 32768 to a significantly lower value When you enter this command the software checks the switch priority of the root switches for each VLAN Because of the extended system ID support the switch sets its own priority for the specified VLAN to 24576 if this value will cause this switch to become the root for the specified VLAN If any root switch for the specified VLAN has a...

Page 441: ...d the spanning tree vlan vlan id max age global configuration commands Beginning in privileged EXEC mode follow these steps to configure a switch to become the root for the specified VLAN This procedure is optional To return to the default setting use the no spanning tree vlan vlan id root global configuration command Command Purpose Step 1 configure terminal Enter global configuration mode Step 2...

Page 442: ... state You can assign higher priority values lower numerical values to interfaces that you want selected first and lower priority values higher numerical values that you want selected last If all interfaces have the same priority value spanning tree puts the interface with the lowest interface number in the forwarding state and blocks the other interfaces Command Purpose Step 1 configure terminal ...

Page 443: ... Step 2 interface interface id Specify an interface to configure and enter interface configuration mode Valid interfaces include physical ports and port channel logical interfaces port channel port channel number Step 3 spanning tree port priority priority Configure the port priority for an interface For priority the range is 0 to 240 in increments of 16 the default is 128 Valid values are 0 16 32...

Page 444: ...de Step 2 interface interface id Specify an interface to configure and enter interface configuration mode Valid interfaces include physical ports and port channel logical interfaces port channel port channel number Step 3 spanning tree cost cost Configure the cost for an interface If a loop occurs spanning tree uses the path cost when selecting an interface to place into the forwarding state A low...

Page 445: ...he spanning tree vlan vlan id root secondary global configuration commands to modify the switch priority Beginning in privileged EXEC mode follow these steps to configure the switch priority of a VLAN This procedure is optional To return to the default setting use the no spanning tree vlan vlan id priority global configuration command Command Purpose Step 1 configure terminal Enter global configur...

Page 446: ...iable Description Hello timer Controls how often the switch broadcasts hello messages to other switches Forward delay timer Controls how long each of the listening and learning states last before the interface begins forwarding Maximum age timer Controls the amount of time the switch stores protocol information received on an interface Transmit hold count Controls the number of BPDUs that can be s...

Page 447: ...states to the forwarding state For vlan id you can specify a single VLAN identified by VLAN ID number a range of VLANs separated by a hyphen or a series of VLANs separated by a comma The range is 1 to 4094 For seconds the range is 4 to 30 the default is 15 Step 3 end Return to privileged EXEC mode Step 4 show spanning tree vlan vlan id Verify your entries Step 5 copy running config startup config ...

Page 448: ...he clear spanning tree interface interface id privileged EXEC command For information about other keywords for the show spanning tree privileged EXEC command see the command reference for this release Command Purpose Step 1 configure terminal Enter global configuration mode Step 2 spanning tree transmit hold count value Configure the number of BPDUs that can be sent before pausing for 1 second For...

Page 449: ...d convergence of the spanning tree through explicit handshaking that eliminates the IEEE 802 1D forwarding delay and quickly transitions root ports and designated ports to the forwarding state Both MSTP and RSTP improve the spanning tree operation and maintain backward compatibility with equipment that is based on the original IEEE 802 1D spanning tree with existing Cisco proprietary Multiple Inst...

Page 450: ...ols to which MST region each switch belongs The configuration includes the name of the region the revision number and the MST VLAN to instance assignment map You configure the switch for a region by using the spanning tree mst configuration global configuration command after which the switch enters the MST configuration mode From this mode you can map VLANs to an MST instance by using the instance...

Page 451: ...an MST Region The IST connects all the MSTP switches in a region When the IST converges the root of the IST becomes the CIST regional root called the IST master before the implementation of the IEEE 802 1s standard as shown in Figure 17 1 on page 17 4 It is the switch within the region with the lowest switch ID and path cost to the CIST root The CIST regional root is also the CIST root if there is...

Page 452: ...al switch to adjacent STP switches and MST regions Figure 17 1 shows a network with three MST regions and a legacy IEEE 802 1D switch D The CIST regional root for region 1 A is also the CIST root The CIST regional root for region 2 B and the CIST regional root for region 3 C are the roots for their respective subtrees within the CIST The RSTP runs in all regions Figure 17 1 MST Regions CIST Master...

Page 453: ... whole network only the CIST parameters require the external rather than the internal or regional qualifiers The CIST root is the root switch for the unique instance that spans the whole network the CIST The CIST external root path cost is the cost to the CIST root This cost is left unchanged within an MST region Remember that an MST region looks like a single switch for the CIST The CIST external...

Page 454: ...h with a different MST configuration There is no definition of a boundary port in the IEEE 802 1s standard The IEEE 802 1Q 2002 standard identifies two kinds of messages that a port can receive internal coming from the same region and external When a message is external it is received only by the CIST If the CIST role is root or alternate or if the external BPDU is a topology change it could have ...

Page 455: ...In this case although the boundary role no longer exists the show commands identify a port as boundary in the type column of the output Interoperation Between Legacy and Standard Switches Because automatic detection of prestandard switches can fail you can use an interface configuration command to identify prestandard ports A region cannot be formed between a standard and a prestandard switch but ...

Page 456: ...it keeps its role but reverts to discarding state because disrupting connectivity in case of inconsistency is preferable to opening a bridging loop Figure 17 3 illustrates a unidirectional link failure that typically creates a bridging loop Switch A is the root switch and its BPDUs are lost on the link leading to switch B RSTP and MST BPDUs include the role and state of the sending port With this ...

Page 457: ...r more information about switch stacks see Chapter 6 Managing Switch Stacks Interoperability with IEEE 802 1D STP A switch running MSTP supports a built in protocol migration mechanism that enables it to interoperate with legacy IEEE 802 1D switches If this switch receives a legacy IEEE 802 1D configuration BPDU a BPDU with the protocol version set to 0 it sends only IEEE 802 1D BPDUs on that port...

Page 458: ... switch to that provided by the current root port Backup port Acts as a backup for the path provided by a designated port toward the leaves of the spanning tree A backup port can exist only when two ports are connected in a loopback by a point to point link or when a switch has two or more connections to a shared LAN segment Disabled port Has no role within the operation of the spanning tree A por...

Page 459: ...self as the designated switch After receiving the proposal message Switch B selects as its new root port the port from which the proposal message was received forces all nonedge ports to the blocking state and sends an agreement message a BPDU with the agreement flag set through its new root port After receiving Switch B s agreement message Switch A also immediately transitions its designated port...

Page 460: ...vidual port on the switch is synchronized if That port is in the blocking state It is an edge port a port configured to be at the edge of the network If a designated port is in the forwarding state and is not configured as an edge port it transitions to the blocking state when the RSTP forces it to synchronize with new root information In general when the RSTP forces a port to synchronize with roo...

Page 461: ...Rapid Convergence Bridge Protocol Data Unit Format and Processing The RSTP BPDU format is the same as the IEEE 802 1D BPDU format except that the protocol version is set to 2 A new 1 byte Version 1 Length field is set to zero which means that no version 1 protocol information is present Table 17 3 shows the RSTP flag fields 2 Block 9 Forward 1 Proposal 4 Agreement 6 Proposal Root port Designated p...

Page 462: ... blocking state but does not send the agreement message The designated port continues sending BPDUs with the proposal flag set until the forward delay timer expires at which time the port transitions to the forwarding state Processing Inferior BPDU Information If a designated port receives an inferior BPDU higher switch ID higher path cost and so forth than currently stored for the port with a des...

Page 463: ...pired it assumes that it is connected to an IEEE 802 1D switch and starts using only IEEE 802 1D BPDUs However if the RSTP switch is using IEEE 802 1D BPDUs on a port and receives an RSTP BPDU after the timer has expired it restarts the timer and starts using RSTP BPDUs on that port Configuring MSTP Features These sections contain this configuration information Default MSTP Configuration page 17 1...

Page 464: ...VLANs run MSTP For more information see the Spanning Tree Interoperability and Backward Compatibility section on page 16 11 For information on the recommended trunk port configuration see the Interaction with Other Features section on page 13 15 All stack members run the same version of spanning tree all PVST rapid PVST or MSTP For more information see the Spanning Tree Interoperability and Backwa...

Page 465: ...uters or non Layer 2 devices For configuration guidelines about UplinkFast BackboneFast and cross stack UplinkFast see the Optional Spanning Tree Configuration Guidelines section on page 18 12 When the switch is in MST mode it uses the long path cost calculation method 32 bits to compute the path cost values With the long path cost calculation method these path cost values are supported Specifying...

Page 466: ...MST instance For instance id the range is 0 to 4094 For vlan vlan range the range is 1 to 4094 When you map VLANs to an MST instance the mapping is incremental and the VLANs specified in the command are added to or removed from the VLANs that were previously mapped To specify a VLAN range use a hyphen for example instance 1 vlan 1 63 maps VLANs 1 through 63 to MST instance 1 To specify a VLAN seri...

Page 467: ... switch priority 4096 is the value of the least significant bit of a 4 bit switch priority value as shown in Table 16 1 on page 16 5 If your network consists of switches that both do and do not support the extended system ID it is unlikely that the switch with the extended system ID support will become the root switch The extended system ID increases the switch priority value every time the VLAN n...

Page 468: ... the same network diameter and hello time values that you used when you configured the primary root switch with the spanning tree mst instance id root primary global configuration command Command Purpose Step 1 configure terminal Enter global configuration mode Step 2 spanning tree mst instance id root primary diameter net diameter hello time seconds Configure a switch as the root switch For insta...

Page 469: ...in the forwarding state Assign lower cost values to ports that you want selected first and higher cost values to ports that you want selected last For more information see the Configuring Path Cost section on page 17 23 Command Purpose Step 1 configure terminal Enter global configuration mode Step 2 spanning tree mst instance id root secondary diameter net diameter hello time seconds Configure a s...

Page 470: ...erface interface id Specify an interface to configure and enter interface configuration mode Valid interfaces include physical ports and port channel logical interfaces The port channel range is 1 to 6 Step 3 spanning tree mst instance id port priority priority Configure the port priority For instance id you can specify a single instance a range of instances separated by a hyphen or a series of in...

Page 471: ... configuration To return the interface to its default setting use the no spanning tree mst instance id cost interface configuration command Command Purpose Step 1 configure terminal Enter global configuration mode Step 2 interface interface id Specify an interface to configure and enter interface configuration mode Valid interfaces include physical ports and port channel logical interfaces The por...

Page 472: ...g use the no spanning tree mst instance id priority global configuration command Command Purpose Step 1 configure terminal Enter global configuration mode Step 2 spanning tree mst instance id priority priority Configure the switch priority For instance id you can specify a single instance a range of instances separated by a hyphen or a series of instances separated by a comma The range is 0 to 409...

Page 473: ...ter global configuration mode Step 2 spanning tree mst hello time seconds Configure the hello time for all MST instances The hello time is the interval between the generation of configuration messages by the root switch These messages mean that the switch is alive For seconds the range is 1 to 10 the default is 2 Step 3 end Return to privileged EXEC mode Step 4 show spanning tree mst Verify your e...

Page 474: ...e Step 2 spanning tree mst max age seconds Configure the maximum aging time for all MST instances The maximum aging time is the number of seconds a switch waits without receiving spanning tree configuration messages before attempting a reconfiguration For seconds the range is 6 to 40 the default is 20 Step 3 end Return to privileged EXEC mode Step 4 show spanning tree mst Verify your entries Step ...

Page 475: ...evices By default ports can automatically detect prestandard devices but they can still receive both standard and prestandard BPDUs When there is a mismatch between a device and its neighbor only the CIST runs on the interface You can choose to set a port to send only prestandard BPDUs The prestandard flag appears in all the show commands even if the port is in STP compatibility mode Beginning in ...

Page 476: ...hich it is connected has joined the region To restart the protocol migration process force the renegotiation with neighboring switches on the switch use the clear spanning tree detected protocols privileged EXEC command To restart the protocol migration process on a specific interface use the clear spanning tree detected protocols interface interface id privileged EXEC command Displaying the MST C...

Page 477: ...6 Configuring STP For information about the Multiple Spanning Tree Protocol MSTP and how to map multiple VLANs to the same spanning tree instance see Chapter 17 Configuring MSTP Note For complete syntax and usage information for the commands used in this chapter see the command reference for this release This chapter consists of these sections Understanding Optional Spanning Tree Features page 18 ...

Page 478: ...purpose of Port Fast is to minimize the time interfaces must wait for spanning tree to converge it is effective only when used on interfaces connected to end stations If you enable Port Fast on an interface connecting to another switch you risk creating a spanning tree loop You can enable this feature by using the spanning tree portfast interface configuration or the spanning tree portfast default...

Page 479: ...ure operates with some differences At the global level you can enable BPDU filtering on Port Fast enabled interfaces by using the spanning tree portfast bpdufilter default global configuration command This command prevents interfaces that are in a Port Fast operational state from sending or receiving BPDUs The interfaces still send a few BPDUs at link up before the switch begins to filter outbound...

Page 480: ...is 150 packets per second However if you enter zero station learning frames are not generated so the spanning tree topology converges more slowly after a loss of connectivity Note UplinkFast is most useful in wiring closet switches at the access or edge of the network It is not appropriate for backbone devices This feature might not be useful for other types of applications UplinkFast provides fas...

Page 481: ...CSUF provides a fast spanning tree transition fast convergence in less than 1 second under normal network conditions across a switch stack During the fast transition an alternate redundant link on the switch stack is placed in the forwarding state without causing temporary spanning tree loops or loss of connectivity to the backbone With this feature you can have a redundant and resilient network i...

Page 482: ...ate stack root port on Switch 2 or Switch 3 and puts it into the forwarding state in less than 1 second Figure 18 5 Cross Stack UplinkFast Topology When certain link loss or spanning tree events occur described in Events that Cause Fast Convergence section on page 18 7 the Fast Uplink Transition Protocol uses the neighbor list to send fast transition requests to stack members The switch sending th...

Page 483: ...r these circumstances The stack root port link fails If two switches in the stack have alternate paths to the root only one of the switches performs the fast transition The failed link which connects the stack root to the spanning tree root recovers A network reconfiguration causes a new stack root switch to be selected A network reconfiguration causes a new port on the current stack root switch t...

Page 484: ...witch has alternate paths to the root switch it uses these alternate paths to send a root link query RLQ request The switch sends the RLQ request on all alternate paths to learn if any stack member has an alternate root to the root switch and waits for an RLQ reply from other switches in the network and in the stack When a stack member receives an RLQ reply from a nonstack member on a blocked inte...

Page 485: ...tate providing a path from Switch B to Switch A The root switch election takes approximately 30 seconds twice the Forward Delay time if the default Forward Delay time of 15 seconds is set Figure 18 7 shows how BackboneFast reconfigures the topology to account for the failure of link L1 Figure 18 7 BackboneFast Example After Indirect Link Failure If a new switch is introduced into a shared medium t...

Page 486: ... in Figure 18 9 You can avoid this situation by enabling root guard on SP switch interfaces that connect to switches in your customer s network If spanning tree calculations cause an interface in the customer network to be selected as the root port root guard then places the interface in the root inconsistent blocked state to prevent the customer s switch from becoming the root switch or being in ...

Page 487: ...e ports You can enable this feature by using the spanning tree loopguard default global configuration command When the switch is operating in PVST or rapid PVST mode loop guard prevents alternate and root ports from becoming designated ports and spanning tree does not send BPDUs on root or alternate ports When the switch is operating in MST mode BPDUs are not sent on nonboundary ports only if the ...

Page 488: ...Guard page 18 19 optional Default Optional Spanning Tree Configuration Table 18 1 shows the default optional spanning tree configuration Optional Spanning Tree Configuration Guidelines You can configure PortFast BPDU guard BPDU filtering EtherChannel guard root guard or loop guard if your switch is running PVST rapid PVST or MSTP You can configure the UplinkFast the BackboneFast or the cross stack...

Page 489: ...re is optional Note You can use the spanning tree portfast default global configuration command to globally enable the Port Fast feature on all nontrunking ports To disable the Port Fast feature use the spanning tree portfast disable interface configuration command Command Purpose Step 1 configure terminal Enter global configuration mode Step 2 interface interface id Specify an interface to config...

Page 490: ...Fast only on ports that connect to end stations otherwise an accidental topology loop could cause a data packet loop and disrupt switch and network operation You also can use the spanning tree bpduguard enable interface configuration command to enable BPDU guard on any port without also enabling the Port Fast feature When the port receives a BPDU it is put it in the error disabled state You can en...

Page 491: ...ture This command prevents the interface from sending or receiving BPDUs Caution Enabling BPDU filtering on an interface is the same as disabling spanning tree on it and can result in spanning tree loops You can enable the BPDU filtering feature if your switch is running PVST rapid PVST or MSTP Beginning in privileged EXEC mode follow these steps to globally enable the BPDU filtering feature This ...

Page 492: ...y enabled the path cost of all interfaces and VLAN trunks is increased by 3000 if you change the path cost to 3000 or above the path cost is not altered The changes to the switch priority and the path cost reduce the chance that a switch will become the root switch When UplinkFast is disabled the switch priorities of all VLANs and path costs of all interfaces are set to default values if you did n...

Page 493: ...able it on all switches in the network BackboneFast is not supported on Token Ring VLANs This feature is supported for use with third party switches You can configure the BackboneFast feature for rapid PVST or for the MSTP but the feature remains disabled inactive until you change the spanning tree mode to PVST Beginning in privileged EXEC mode follow these steps to enable BackboneFast This proced...

Page 494: ... root guard is also enabled all the backup interfaces used by the UplinkFast feature are placed in the root inconsistent state blocked and are prevented from reaching the forwarding state Note You cannot enable both root guard and loop guard at the same time You can enable this feature if your switch is running PVST rapid PVST or MSTP Beginning in privileged EXEC mode follow these steps to enable ...

Page 495: ...face configuration command Displaying the Spanning Tree Status To display the spanning tree status use one or more of the privileged EXEC commands in Table 18 2 Command Purpose Step 1 show spanning tree active or show spanning tree mst Verify which interfaces are alternate or root ports Step 2 configure terminal Enter global configuration mode Step 3 spanning tree loopguard default Enable loop gua...

Page 496: ...anning Tree Features Displaying the Spanning Tree Status You can clear spanning tree counters by using the clear spanning tree interface interface id privileged EXEC command For information about other keywords for the show spanning tree privileged EXEC command see the command reference for this release ...

Page 497: ...r this release The chapter consists of these sections Understanding Flex Links and the MAC Address Table Move Update page 19 1 Configuring Flex Links and the MAC Address Table Move Update page 19 7 Monitoring Flex Links and the MAC Address Table Move Update page 19 14 Understanding Flex Links and the MAC Address Table Move Update This section contains this information Flex Links page 19 1 VLAN Fle...

Page 498: ... switches B and C Because they are configured as Flex Links only one of the interfaces is forwarding traffic the other is in standby mode If port 1 is the active link it begins forwarding traffic between port 1 and switch B the link between port 2 the backup link and switch C is not forwarding traffic If port 1 goes down port 2 comes up and starts forwarding traffic to switch C When port 1 comes b...

Page 499: ...page 19 3 Generating IGMP Reports page 19 4 Leaking IGMP Reports page 19 4 Configuration Examples page 19 4 Learning the Other Flex Link Port as the mrouter Port In a typical multicast network there is a querier for each VLAN A switch deployed at the edge of a network has one of its Flex Link ports receiving queries Flex Link ports are also always forwarding at any given time A port that receives ...

Page 500: ...the ingress of the access switch no duplicate multicast traffic is received by the host When the Flex Link active link fails the access switch starts accepting traffic from the backup link immediately The only disadvantage of this scheme is that it consumes bandwidth on the link between the distribution switches and on the backup link between the distribution and access switches This feature is di...

Page 501: ...ckup port Gigabit Ethernet1 0 12 is blocked When the active link Gigabit Ethernet1 0 11 goes down the backup port Gigabit Ethernet1 0 12 begins forwarding As soon as this port starts forwarding the switch sends proxy reports for the groups 228 1 5 1 and 228 1 5 2 on behalf of the host The upstream router learns the groups and starts forwarding multicast data This is the default behavior of Flex Li...

Page 502: ...ress table move update feature allows the switch to provide rapid bidirectional convergence when a primary forwarding link goes down and the standby link begins forwarding traffic In Figure 19 3 switch A is an access switch and ports 1 and 2 on switch A are connected to uplink switches B and D through a Flex Link pair Port 1 is forwarding traffic and port 2 is in the backup state Traffic from the ...

Page 503: ...milliseconds ms The PC is directly connected to switch A and the connection status does not change Switch A does not need to update the PC entry in the MAC address table Figure 19 3 MAC Address Table Move Update Example Configuring Flex Links and the MAC Address Table Move Update These sections contain this information Default Configuration page 19 8 Configuration Guidelines page 19 8 Configuring ...

Page 504: ...sical interface as Flex Links with either the port channel or the physical interface as the active link A backup link does not have to be the same type Fast Ethernet Gigabit Ethernet or port channel as the active link However you should configure both Flex Links with similar characteristics so that there are no loops or changes in behavior if the standby link begins to forward traffic STP is disab...

Page 505: ...kup Interface Pairs Active Interface Backup Interface State GigabitEthernet1 0 1 GigabitEthernet1 0 3 Active Standby Backup Up Vlans Preferred on Active Interface 1 3 5 4094 Vlans Preferred on Backup Interface 4 Command Purpose Step 1 configure terminal Enter global configuration mode Step 2 interface interface id Specify the interface and enter interface configuration mode The interface can be a ...

Page 506: ... Bandwidth 100000 Kbit Gi1 0 1 100000 Kbit Gi1 0 2 Mac Address Move Update Vlan auto Command Purpose Step 1 configure terminal Enter global configuration mode Step 2 interface interface id Specify the interface and enter interface configuration mode The interface can be a physical Layer 2 interface or a port channel logical interface The port channel range is 1 to 6 Step 3 switchport backup interf...

Page 507: ... Backup Interface 60 100 120 When a Flex Link interface goes down LINK_DOWN VLANs preferred on this interface are moved to the peer interface of the Flex Link pair In this example if interface Gi2 0 6 goes down Gi2 0 8 carries all VLANs of the Flex Link pair Switch show interfaces switchport backup Switch Backup Interface Pairs Active Interface Backup Interface State GigabitEthernet2 0 6 GigabitEt...

Page 508: ...ace 3 4 Preemption Mode off Bandwidth 10000 Kbit Gi1 0 3 100000 Kbit Gi1 0 4 Mac Address Move Update Vlan auto Configuring the MAC Address Table Move Update Feature This section contains this information Configuring a switch to send MAC address table move updates Configuring a switch to get MAC address table move updates Beginning in privileged EXEC mode follow these steps to configure an access s...

Page 509: ...nt 5 Rcv conforming packet count 5 Rcv invalid packet count 0 Rcv packet count this min 0 Rcv threshold exceed count 0 Rcv last sequence this min 0 Rcv last interface Po2 Rcv last src mac address 000b 462d c502 Rcv last switch ID 0403 fd6a 8700 Xmt packet count 0 Xmt packet count this min 0 Xmt threshold exceed count 0 Xmt pak buf unavail cnt 0 Xmt last interface None Beginning in privileged EXEC ...

Page 510: ...MAC Address Table Move Update Table 19 1 shows the privileged EXEC commands for monitoring the Flex Links configuration and the MAC address table move update information Step 4 show mac address table move update Verify the configuration Step 5 copy running config startup config Optional Save your entries in the switch startup configuration file Command Purpose Table 19 1 Flex Links and MAC Address...

Page 511: ...tation Cisco IOS Software 12 2 Mainline Command References This chapter consists of these sections Understanding DHCP Snooping page 20 1 Configuring DHCP Snooping page 20 9 Displaying DHCP Snooping Information page 20 14 Understanding IP Source Guard page 20 15 Configuring IP Source Guard page 20 17 Displaying IP Source Guard Information page 20 22 Understanding DHCP Server Port Based Address Allo...

Page 512: ...Relay agents forward requests and replies between clients and servers when they are not on the same physical subnet Relay agent forwarding is different from the normal Layer 2 forwarding in which IP datagrams are switched transparently between networks Relay agents receive DHCP messages and generate new DHCP messages to send on output interfaces DHCP Snooping DHCP snooping is a DHCP security featu...

Page 513: ...CPDECLINE broadcast message that has a MAC address in the DHCP snooping binding database but the interface information in the binding database does not match the interface on which the message was received A DHCP relay agent forwards a DHCP packet that includes a relay agent IP address that is not 0 0 0 0 or the relay agent forwards a packet that includes option 82 information to an untrusted port...

Page 514: ...ribers connected to the switch at the access layer Because the DHCP clients and their associated DHCP server do not reside on the same IP network or subnet a DHCP relay agent the Catalyst switch is configured with a helper address to enable broadcast forwarding and to transfer DHCP messages between the clients and the server Figure 20 1 DHCP Relay Agent in a Metropolitan Ethernet Network When you ...

Page 515: ... sent the DHCP request When the described sequence of events occurs the values in these fields in Figure 20 2 do not change Circuit ID suboption fields Suboption type Length of the suboption type Circuit ID type Length of the circuit ID type Remote ID suboption fields Suboption type Length of the suboption type Remote ID type Length of the remote ID type In the port field of the circuit ID subopti...

Page 516: ...rface configuration command are entered The values for these fields in the packets change from the default values when you configure the remote ID and circuit ID suboptions Circuit ID suboption fields The circuit ID type is 1 The length values are variable depending on the length of the string that you configure Remote ID suboption fields The remote ID type is 1 The length values are variable depe...

Page 517: ...mic ARP inspection or IP source guard is enabled and the DHCP snooping binding database has dynamic bindings the switch loses its connectivity If the agent is disabled and only DHCP snooping is enabled the switch does not lose its connectivity but DHCP snooping might not prevent DHCP spoofing attacks When reloading the switch reads the binding file to build the DHCP snooping binding database The s...

Page 518: ...The switch ignores an entry when one of these situations occurs The switch reads the entry and the calculated checksum value does not equal the stored checksum value The entry and the ones following it are ignored An entry has an expired lease time the switch might not remove a binding entry when the lease time expires The interface in the entry no longer exists on the system The interface is a ro...

Page 519: ...ver Enabled in Cisco IOS software requires configuration1 1 The switch responds to DHCP requests only if it is configured as a DHCP server DHCP relay agent Enabled2 2 The switch relays DHCP packets only if the IP address of the DHCP server is configured on the SVI of the DHCP client DHCP packet forwarding address None configured Checking the relay agent information Enabled invalid messages are dro...

Page 520: ...a switch port is connected to a DHCP client configure a port as untrusted by entering the no ip dhcp snooping trust interface configuration command Follow these guidelines when configuring the DHCP snooping binding database Because both NVRAM and the flash memory have limited storage capacity we recommend that you store the binding file on a TFTP server For network based URLs such as TFTP and FTP ...

Page 521: ...ow running config Verify your entries Step 5 copy running config startup config Optional Save your entries in the configuration file Command Purpose Step 1 configure terminal Enter global configuration mode Step 2 ip dhcp snooping Enable DHCP snooping globally Step 3 ip dhcp snooping vlan vlan range Enable DHCP snooping on a VLAN or range of VLANs The range is 1 to 4094 You can enter a single VLAN...

Page 522: ...hcp snooping limit rate 100 Step 7 ip dhcp snooping trust Optional Configure the interface as trusted or as untrusted Use the no keyword to configure an interface to receive messages from an untrusted client The default setting is untrusted Step 8 ip dhcp snooping limit rate rate Optional Configure the number of DHCP packets per second that an interface can receive The range is 1 to 2048 By defaul...

Page 523: ...ber filename Optional Use the number parameter to specify the stack member number of the stack master The range for number is 1 to 49 ftp user password host filename http username password hostname host ip directory image name tar rcp user host filename tftp host filename Step 3 ip dhcp snooping database timeout seconds Specify in seconds how long to wait for the database transfer process to finis...

Page 524: ...ormation use the privileged EXEC commands in Table 20 2 Note If DHCP snooping is enabled and an interface changes to the down state the switch does not delete the statically configured bindings Table 20 2 Commands for Displaying DHCP Information Command Purpose show ip dhcp snooping Displays the DHCP snooping configuration for a switch show ip dhcp snooping binding Displays only the dynamically co...

Page 525: ...ource IP address filtering or with source IP and MAC address filtering Source IP Address Filtering page 20 15 Source IP and MAC Address Filtering page 20 15 IP Source Guard for Static Hosts page 20 16 Source IP Address Filtering When IPSG is enabled with this option IP traffic is filtered based on the source IP address The switch forwards IP traffic when the source IP address matches an entry in t...

Page 526: ...king table In a stacked environment when the master failover occurs the IP source guard entries for static hosts attached to member ports are retained When you enter the show ip device tracking all EXEC command the IP device tracking table displays the entries as ACTIVE Note Some IP hosts with multiple network interfaces can inject some invalid packets into a network interface The invalid packets ...

Page 527: ...operly filter traffic If you enable IP source guard with source IP and MAC address filtering DHCP snooping and port security must be enabled on the interface You must also enter the ip dhcp snooping information option global configuration command and ensure that the DHCP server supports option 82 When IP source guard is enabled with MAC address filtering the DHCP host MAC address is not learned un...

Page 528: ...e configured and enter interface configuration mode Step 3 ip verify source or ip verify source port security Enable IP source guard with source IP address filtering Enable IP source guard with source IP and MAC address filtering Note When you enable both IP source guard and Port Security by using the ip verify source port security interface configuration command there are two caveats The DHCP ser...

Page 529: ...ged EXEC mode Command Purpose Step 1 configure terminal Enter global configuration mode Step 2 ip device tracking Turn on the IP host table and globally enable IP device tracking Step 3 interface interface id Enter interface configuration mode Step 4 switchport mode access Configure a port as access Step 5 switchport access vlan vlan id Configure the VLAN for this port Step 6 ip verify source trac...

Page 530: ...IP address Mac address Vlan Gi0 3 ip trk active 40 1 1 24 10 Gi0 3 ip trk active 40 1 1 20 10 Gi0 3 ip trk active 40 1 1 21 10 This example shows how to enable IPSG for static hosts with IP MAC filters on a Layer 2 access port to verify the valid IP MAC bindings on the interface Gi0 3 and to verify that the number of bindings on this interface has reached the maximum Switch configure terminal Ente...

Page 531: ...ice Tracking Enabled IP Device Tracking Probe Count 3 IP Device Tracking Probe Interval 30 IP Address MAC Address Vlan Interface STATE 200 1 1 8 0001 0600 0000 8 GigabitEthernet0 1 INACTIVE 200 1 1 9 0001 0600 0000 8 GigabitEthernet0 1 INACTIVE 200 1 1 10 0001 0600 0000 8 GigabitEthernet0 1 INACTIVE 200 1 1 1 0001 0600 0000 9 GigabitEthernet0 2 ACTIVE 200 1 1 1 0001 0600 0000 8 GigabitEthernet0 1 ...

Page 532: ...t0 1 INACTIVE 200 1 1 2 0001 0600 0000 8 GigabitEthernet0 1 INACTIVE 200 1 1 3 0001 0600 0000 8 GigabitEthernet0 1 INACTIVE 200 1 1 4 0001 0600 0000 8 GigabitEthernet0 1 INACTIVE 200 1 1 5 0001 0600 0000 8 GigabitEthernet0 1 INACTIVE 200 1 1 6 0001 0600 0000 8 GigabitEthernet0 1 INACTIVE 200 1 1 7 0001 0600 0000 8 GigabitEthernet0 1 INACTIVE This example displays the count of all IP device trackin...

Page 533: ...hardware address changes in the DHCP messages received on that port The DHCP protocol recognizes DHCP clients by the client identifier option in the DHCP packet Clients that do not include the client identifier option are identified by the client hardware address When you configure this feature the port name of the interface overrides the client identifier or hardware address and the actual point ...

Page 534: ...can enter the reserved only DHCP pool configuration command Unreserved addresses that are part of the network or on pool ranges are not offered to the client and other clients are not served by the pool By entering this command users can configure a group of switches with DHCP pools that share a common IP subnet and that ignore requests from clients of other switches Command Purpose Step 1 configu...

Page 535: ... subscriber identifier is based on the short name of the interface and the client preassigned IP address 10 1 1 7 switch show running config Building configuration Current configuration 4899 bytes version 12 2 hostname switch no aaa new model clock timezone EST 0 ip subnet zero ip dhcp relay information policy removal pad no ip dhcp use vrf connected ip dhcp use subscriber id client id ip dhcp sub...

Page 536: ...ddress is currently in the pool Address Client 10 1 1 7 Et1 0 For more information about configuring the DHCP server port based address allocation feature go to Cisco com and enter Cisco IOS IP Addressing Services in the Search field to access the Cisco IOS software documentation You can also access the documentation http www cisco com en US docs ios ipaddr command reference iad_book html Displayi...

Page 537: ...ion ARP provides IP communication within a Layer 2 broadcast domain by mapping an IP address to a MAC address For example Host B wants to send information to Host A but does not have the MAC address of Host A in its ARP cache Host B generates a broadcast message for all hosts within the broadcast domain to obtain the MAC address associated with the IP address of Host A All hosts within the broadca...

Page 538: ...rcepts logs and discards ARP packets with invalid IP to MAC address bindings This capability protects the network from certain man in the middle attacks Dynamic ARP inspection ensures that only valid ARP requests and responses are relayed The switch performs these activities Intercepts all ARP requests and responses on untrusted ports Verifies that each of these intercepted packets has a valid IP ...

Page 539: ...ypass the security check No other validation is needed at any other place in the VLAN or in the network You configure the trust setting by using the ip arp inspection trust interface configuration command Caution Use the trust state configuration carefully Configuring interfaces as untrusted when they should be trusted can result in a loss of connectivity In Figure 21 2 assume that both Switch A a...

Page 540: ...prevent a denial of service attack By default the rate for untrusted interfaces is 15 packets per second pps Trusted interfaces are not rate limited You can change this setting by using the ip arp inspection limit interface configuration command When the rate of incoming ARP packets exceeds the configured limit the switch places the port in the error disabled state The port remains in that state u...

Page 541: ...mic ARP Inspection These sections contain this configuration information Default Dynamic ARP Inspection Configuration page 21 5 Dynamic ARP Inspection Configuration Guidelines page 21 6 Configuring Dynamic ARP Inspection in DHCP Environments page 21 7 required in DHCP environments Configuring ARP ACLs for Non DHCP Environments page 21 9 required in non DHCP environments Limiting the Rate of Incomi...

Page 542: ...vate VLAN ports Note Do not enable Dynamic ARP inspection on RSPAN VLANs If Dynamic ARP inspection is enabled on RSPAN VLANs Dynamic ARP inspection packets might not reach the RSPAN destination port A physical port can join an EtherChannel port channel only when the trust state of the physical port and the channel port match Otherwise the physical port remains suspended in the port channel A port ...

Page 543: ...rp inspection limit none interface configuration command to make the rate unlimited A high rate limit on one VLAN can cause a denial of service attack to other VLANs when the software places the port in the error disabled state When you enable dynamic ARP inspection on the switch policers that were configured to police ARP traffic are no longer effective The result is that all ARP traffic is sent ...

Page 544: ...separated by a comma The range is 1 to 4094 Specify the same VLAN ID for both switches Step 4 interface interface id Specify the interface connected to the other switch and enter interface configuration mode Step 5 ip arp inspection trust Configure the connection between the switches as trusted By default all interfaces are untrusted The switch does not check ARP packets that it receives from the ...

Page 545: ... use a router to route packets between them Beginning in privileged EXEC mode follow these steps to configure an ARP ACL on Switch A This procedure is required in non DHCP environments Command Purpose Step 1 configure terminal Enter global configuration mode Step 2 arp access list acl name Define an ARP ACL and enter ARP access list configuration mode By default no ARP access lists are defined Not...

Page 546: ...ermine whether a packet is permitted or denied if the packet does not match any clauses in the ACL ARP packets containing only IP to MAC address bindings are compared against the ACL Packets are permitted only if the access list permits them Step 6 interface interface id Specify the Switch A interface that is connected to Switch B and enter interface configuration mode Step 7 no ip arp inspection ...

Page 547: ...the default value for that trust state After you configure the rate limit the interface retains the rate limit even when its trust state is changed If you enter the no ip arp inspection limit interface configuration command the interface reverts to its default rate limit For configuration guidelines for rate limiting trunk ports and EtherChannel ports see the Dynamic ARP Inspection Configuration G...

Page 548: ...gs You can configure the switch to perform additional checks on the destination MAC address the sender and target IP addresses and the source MAC address Step 5 errdisable recovery cause arp inspection interval interval Optional Enable error recovery from the dynamic ARP inspection error disable state By default recovery is disabled and the recovery interval is 300 seconds For interval interval sp...

Page 549: ...al configuration mode Step 2 ip arp inspection validate src mac dst mac ip Perform a specific check on incoming ARP packets By default no checks are performed The keywords have these meanings For src mac check the source MAC address in the Ethernet header against the sender MAC address in the ARP body This check is performed on both ARP requests and responses When enabled packets with different MA...

Page 550: ... 1 configure terminal Enter global configuration mode Step 2 ip arp inspection log buffer entries number logs number interval seconds Configure the dynamic ARP inspection logging buffer By default when dynamic ARP inspection is enabled denied or dropped ARP packets are logged The number of log entries is 32 The number of system messages is limited to 5 per second The logging rate interval is 1 sec...

Page 551: ...rated by a comma The range is 1 to 4094 For acl match matchlog log packets based on the ACE logging configuration If you specify the matchlog keyword in this command and the log keyword in the permit or deny ARP access list configuration command ARP packets permitted or denied by the ACL are logged For acl match none do not log packets that match ACLs For dhcp bindings all log all packets that mat...

Page 552: ... EXEC commands in Table 21 4 For more information about these commands see the command reference for this release Table 21 3 Commands for Clearing or Displaying Dynamic ARP Inspection Statistics Command Description clear ip arp inspection statistics Clears dynamic ARP inspection statistics show ip arp inspection statistics vlan vlan range Displays statistics for forwarded dropped MAC validation fa...

Page 553: ...line Command References This chapter consists of these sections Understanding IGMP Snooping page 22 1 Configuring IGMP Snooping page 22 6 Displaying IGMP Snooping Information page 22 15 Understanding Multicast VLAN Registration page 22 17 Configuring MVR page 22 19 Displaying MVR Information page 22 23 Configuring IGMP Filtering and Throttling page 22 24 Displaying IGMP Filtering and Throttling Co...

Page 554: ...e ip igmp snooping vlan vlan id static ip_address interface interface id global configuration command If you specify group membership for a multicast group address statically your setting supersedes any automatic manipulation by IGMP snooping Multicast group membership lists can consist of both user defined and IGMP snooping learned settings You can configure an IGMP snooping querier to support IG...

Page 555: ...st with IGMPv3 and IGMP http www cisco com en US docs ios 12_1t 12_1t5 feature guide dtssm5t html Joining a Multicast Group When a host connected to the switch wants to join an IP multicast group and it is an IGMP Version 2 client it sends an unsolicited IGMP join message specifying the IP multicast group to join Alternatively when the switch receives a general query from the router it forwards th...

Page 556: ...engine to send frames addressed to the 224 1 2 3 multicast IP address that are not IGMP packets to the router and to the host that has joined the group If another host for example Host 4 sends an unsolicited IGMP join message for the same group Figure 22 2 the CPU receives that message and adds the port number of Host 4 to the forwarding table as shown in Table 22 2 Note that because the forwardin...

Page 557: ...sts The switch uses IGMP snooping Immediate Leave to remove from the forwarding table an interface that sends a leave message without the switch sending group specific queries to the interface The VLAN interface is pruned from the multicast tree for the multicast group specified in the original leave message Immediate Leave ensures optimal bandwidth management for all hosts on a switched network e...

Page 558: ...itch stack that is IGMP control information from one switch is distributed to all switches in the stack See Chapter 6 Managing Switch Stacks for more information about switch stacks Regardless of the stack member through which IGMP multicast data enters the stack the data reaches the hosts that have registered for that group If a switch in the stack fails or is removed from the stack only the memb...

Page 559: ...n privileged EXEC mode follow these steps to globally enable IGMP snooping on the switch To globally disable IGMP snooping on all VLAN interfaces use the no ip igmp snooping global configuration command Table 22 3 Default IGMP Snooping Configuration Feature Default Setting IGMP snooping Enabled globally and per VLAN Multicast routers None configured Multicast router learning snooping method PIM DV...

Page 560: ...ckets or to listen to CGMP self join or proxy join packets By default the switch snoops on PIM DVMRP packets on all VLANs To learn of multicast router ports through only CGMP packets use the ip igmp snooping vlan vlan id mrouter learn cgmp global configuration command When this command is entered the router listens to only CGMP self join and CGMP proxy join packets and to no other CGMP packets To ...

Page 561: ...guration command Command Purpose Step 1 configure terminal Enter global configuration mode Step 2 ip igmp snooping vlan vlan id mrouter learn cgmp pim dvmrp Enable IGMP snooping on a VLAN The VLAN ID range is 1 to 1001 and 1006 to 4094 Specify the multicast router learning method cgmp Listen for CGMP packets This method is useful for reducing control traffic pim dvmrp Snoop on IGMP queries and PIM...

Page 562: ...config ip igmp snooping vlan 105 static 224 2 4 12 interface gigabitethernet1 0 1 Switch config end Enabling IGMP Immediate Leave When you enable IGMP Immediate Leave the switch immediately removes a port when it detects an IGMP Version 2 leave message on that port You should only use the Immediate Leave feature when there is a single receiver present on every port in the VLAN Note Immediate Leave...

Page 563: ...and the amount of traffic sent through the interface Beginning in privileged EXEC mode follow these steps to enable the IGMP configurable leave timer Command Purpose Step 1 configure terminal Enter global configuration mode Step 2 ip igmp snooping vlan vlan id immediate leave Enable IGMP Immediate Leave on the VLAN interface Step 3 end Return to privileged EXEC mode Step 4 show ip igmp snooping vl...

Page 564: ...ithout sending a leave message If you set the TCN flood query count to 1 by using the ip igmp snooping tcn flood query count command the flooding stops after receiving 1 general query If you set the count to 7 the flooding until 7 general queries are received Groups are relearned based on the general queries received during the TCN event Beginning in privileged EXEC mode follow these steps to conf...

Page 565: ...on command to control this behavior Beginning in privileged EXEC mode follow these steps to disable multicast flooding on an interface To re enable multicast flooding on an interface use the ip igmp snooping tcn flood interface configuration command Command Purpose Step 1 configure terminal Enter global configuration mode Step 2 ip igmp snooping tcn query solicit Send an IGMP leave message global ...

Page 566: ...bled in the VLAN PIM is enabled on the SVI of the corresponding VLAN Beginning in privileged EXEC mode follow these steps to enable the IGMP snooping querier feature in a VLAN Command Purpose Step 1 configure terminal Enter global configuration mode Step 2 ip igmp snooping querier Enable the IGMP snooping querier Step 3 ip igmp snooping querier address ip_address Optional Specify an IP address for...

Page 567: ...the multicast query has IGMPv1 and IGMPv2 reports This feature is not supported when the query includes IGMPv3 reports IGMP report suppression is enabled by default When it is enabled the switch forwards only one IGMP report per multicast router query When report suppression is disabled all IGMP reports are forwarded to the multicast routers Beginning in privileged EXEC mode follow these steps to ...

Page 568: ...nt Display multicast table information for a multicast VLAN or about a specific parameter for the VLAN vlan id The VLAN ID range is 1 to 1001 and 1006 to 4094 count Display the total number of entries for the specified command options instead of the actual entries dynamic Display entries learned through IGMP snooping ip_address Display characteristics of the multicast group with the specified grou...

Page 569: ...ows traffic to cross between different VLANs You can set the switch for compatible or dynamic mode of MVR operation In compatible mode multicast data received by MVR hosts is forwarded to all MVR data ports regardless of MVR host membership on those ports The multicast data is forwarded only to those receiver ports that MVR hosts have joined either by IGMP reports or by MVR static configuration IG...

Page 570: ... is another set top box in the VLAN still subscribing to this group that set top box must respond within the maximum response time specified in the query If the CPU does not receive a response it eliminates the receiver port as a forwarding destination for this group Without Immediate Leave when the switch receives an IGMP leave message from a subscriber on a receiver port it sends out an IGMP que...

Page 571: ...rwarding behavior to allow the traffic to be forwarded from the multicast VLAN to the subscriber port in a different VLAN selectively allowing traffic to cross between two VLANs IGMP reports are sent to the same IP multicast group address as the multicast data The Switch A CPU must capture all IGMP join and leave messages from receiver ports and forward them to the multicast VLAN of the source upl...

Page 572: ...l Parameters You do not need to set the optional MVR parameters if you choose to use the default settings If you do want to change the default parameters except for the MVR VLAN you must first enable MVR Note For complete syntax and usage information for the commands used in this section see the command reference for this release Beginning in privileged EXEC mode follow these steps to configure MV...

Page 573: ...itches and does not support IGMP dynamic joins on source ports The default is compatible mode Step 7 end Return to privileged EXEC mode Step 8 show mvr or show mvr members Verify the configuration Step 9 copy running config startup config Optional Save your entries in the configuration file Command Purpose Command Purpose Step 1 configure terminal Enter global configuration mode Step 2 mvr Enable ...

Page 574: ...NABLED Step 5 mvr vlan vlan id group ip address Optional Statically configure a port to receive multicast traffic sent to the multicast VLAN and the IP multicast address A port statically configured as a member of a group remains a member of the group until statically removed Note In compatible mode this command applies to only receiver ports In dynamic mode it applies to receiver ports and source...

Page 575: ...nse time and the MVR mode show mvr interface interface id members vlan vlan id Displays all MVR interfaces and their MVR configurations When a specific interface is entered displays this information Type Receiver or Source Status One of these Active means the port is part of a VLAN Up Down means that the port is forwarding or nonforwarding Inactive means that the port is not part of any VLAN Immed...

Page 576: ...t is forwarded for normal processing You can also set the maximum number of IGMP groups that a Layer 2 interface can join IGMP filtering controls only group specific query and membership reports including join and leave reports It does not control general IGMP queries IGMP filtering has no relationship with the function that directs the forwarding of IP multicast traffic The filtering feature oper...

Page 577: ... profile to be used for filtering IGMP join requests from a port When you are in IGMP profile configuration mode you can create the profile by using these commands deny Specifies that matching addresses are denied this is the default exit Exits from igmp profile configuration mode no Negates a command or returns to its defaults permit Specifies that matching addresses are permitted range Specifies...

Page 578: ...to apply the profile to the appropriate interfaces You can apply IGMP profiles only to Layer 2 access ports You cannot apply profiles to ports that belong to an EtherChannel port group You can apply a profile to multiple interfaces but each interface can have only one profile applied to it Command Purpose Step 1 configure terminal Enter global configuration mode Step 2 ip igmp profile profile numb...

Page 579: ...Purpose Step 1 configure terminal Enter global configuration mode Step 2 interface interface id Specify the physical interface and enter interface configuration mode The interface must be a Layer 2 port that does not belong to an EtherChannel port group Step 3 ip igmp filter profile number Apply the specified IGMP profile to the interface The range is 1 to 4294967295 Step 4 end Return to privilege...

Page 580: ...ing table entries are either aged out or removed depending on the throttling action If you configure the throttling action as deny the entries that were previously in the forwarding table are not removed but are aged out After these entries are aged out and the maximum number of entries is in the forwarding table the switch drops the next IGMP report received on the interface If you configure the ...

Page 581: ...rface Use the privileged EXEC commands in Table 22 8 to display IGMP filtering and throttling configuration Step 4 end Return to privileged EXEC mode Step 5 show running config interface interface id Verify the configuration Step 6 copy running config startup config Optional Save your entries in the configuration file Command Purpose Table 22 8 Commands for Displaying IGMP Filtering and Throttling...

Page 582: ...22 30 Catalyst 2975 Switch Software Configuration Guide OL 19720 02 Chapter 22 Configuring IGMP Snooping and MVR Displaying IGMP Filtering and Throttling Configuration ...

Page 583: ...d in this chapter see the command reference for this release This chapter consists of these sections Configuring Storm Control page 23 1 Configuring Protected Ports page 23 6 Configuring Port Blocking page 23 8 Configuring Port Security page 23 9 Displaying Port Based Traffic Control Settings page 23 18 Configuring Storm Control These sections contain this conceptual and configuration information ...

Page 584: ...unicast packets are received Traffic rate in packets per second and for small frames This feature is enabled globally The threshold for small frames is configured for each interface With each method the port blocks traffic when the rising threshold is reached The port remains blocked until the traffic rate drops below the falling threshold if one is specified and then resumes normal forwarding If ...

Page 585: ...c type Default Storm Control Configuration By default unicast broadcast and multicast storm control are disabled on the switch interfaces that is the suppression level is 100 percent Configuring Storm Control and Threshold Levels You configure storm control on a port and enter the threshold level that you want to be used for a particular type of traffic However because of hardware limitations and ...

Page 586: ...n the traffic If you set the threshold to 0 0 all broadcast multicast and unicast traffic on that port is blocked For bps bps specify the rising threshold level for broadcast multicast or unicast traffic in bits per second up to one decimal place The port blocks traffic when the rising threshold is reached The range is 0 0 to 10000000000 0 Optional For bps low specify the falling threshold level i...

Page 587: ...Configuring Small Frame Arrival Rate Incoming VLAN tagged packets smaller than 67 bytes are considered small frames They are forwarded by the switch but they do not cause the switch storm control counters to increment In Cisco IOS Release 12 2 44 SE and later you can configure a port to be error disabled if small frames arrive at a specified rate threshold You globally enable the small frame arriv...

Page 588: ...port Data traffic cannot be forwarded between protected ports at Layer 2 only control traffic such as PIM packets is forwarded because these packets are processed by the CPU and forwarded in software All data traffic passing between protected ports must be forwarded through a Layer 3 device Forwarding behavior between a protected port and a nonprotected port proceeds as usual Command Purpose Step ...

Page 589: ...example port channel 5 When you enable protected ports for a port channel it is enabled for all ports in the port channel group Configuring a Protected Port Beginning in privileged EXEC mode follow these steps to define a port as a protected port To disable protected port use the no switchport protected interface configuration command This example shows how to configure a port as a protected port ...

Page 590: ...ooding of unknown multicast and unicast traffic out of a port but to flood these packets to all ports Blocking Flooded Traffic on an Interface Note The interface can be a physical interface or an EtherChannel group When you block multicast or unicast traffic for a port channel it is blocked on all ports in the port channel group Beginning in privileged EXEC mode follow these steps to disable the f...

Page 591: ... is assured the full bandwidth of the port If a port is configured as a secure port and the maximum number of secure MAC addresses is reached when the MAC address of a station attempting to access the port is different from any of the identified secure MAC addresses a security violation occurs Also if a station with a secure MAC address configured or learned on one secure port attempts to access a...

Page 592: ...the switch restarts If you save the sticky secure MAC addresses in the configuration file when the switch restarts the interface does not need to relearn these addresses If you do not save the sticky secure addresses they are lost If sticky learning is disabled the sticky secure MAC addresses are converted to dynamic secure addresses and are removed from the running configuration The maximum numbe...

Page 593: ... per VLAN In this mode the VLAN is error disabled instead of the entire port when a violation occurs Table 23 1 shows the violation mode and the actions taken when you configure an interface for port security Default Port Security Configuration Table 23 2 shows the default port security configuration for an interface Table 23 1 Security Violation Mode Actions Violation Mode Traffic is forwarded1 1...

Page 594: ... the phone When a trunk port configured with port security and assigned to an access VLAN for data traffic and to a voice VLAN for voice traffic entering the switchport voice and switchport priority extend interface configuration commands has no effect When a connected device uses the same MAC address to request an IP address for the access VLAN and then an IP address for the voice VLAN only the a...

Page 595: ... vlan id Specify the VLAN to be used for voice traffic Step 5 switchport port security Enable port security on the interface Step 6 switchport port security maximum value vlan vlan list access voice Optional Set the maximum number of secure MAC addresses for the interface The maximum number of secure MAC addresses that you can configure on a switch stack is set by the maximum number of available M...

Page 596: ...reached its maximum limit restrict When the number of secure MAC addresses reaches the limit allowed on the port packets with unknown source addresses are dropped until you remove a sufficient number of secure MAC addresses or increase the number of maximum allowable addresses An SNMP trap is sent a syslog message is logged and the violation counter increments shutdown The interface is error disab...

Page 597: ...ured for voice VLAN configure a maximum of two secure MAC addresses Step 9 switchport port security mac address sticky Optional Enable sticky learning on the interface Step 10 switchport port security mac address sticky mac address vlan vlan id access voice Optional Enter a sticky secure MAC address repeating the command as many times as necessary If you configure fewer secure MAC addresses than t...

Page 598: ...ollowed by the switchport port security command to re enable port security on the interface If you use the no switchport port security mac address sticky interface configuration command to convert sticky secure MAC addresses to dynamic secure MAC addresses before entering the no switchport port security command all secure addresses on the interface except those that were manually configured are de...

Page 599: ...es on a per port basis Beginning in privileged EXEC mode follow these steps to configure port security aging Command Purpose Step 1 configure terminal Enter global configuration mode Step 2 interface interface id Specify the interface to be configured and enter interface configuration mode Step 3 switchport port security aging static time time type absolute inactivity Enable or disable static agin...

Page 600: ...ack member leaves the stack the remaining stack members are notified and the secure MAC addresses configured or learned by that switch are deleted from the secure MAC address table For more information about switch stacks see Chapter 6 Managing Switch Stacks Displaying Port Based Traffic Control Settings The show interfaces interface id switchport privileged EXEC command displays among other chara...

Page 601: ...nterface id address Displays all secure MAC addresses configured on all switch interfaces or on a specified interface with aging information for each address show port security interface interface id vlan Displays the number of secure MAC addresses configured per VLAN on the specified interface Table 23 4 Commands for Displaying Traffic Control Status and Configuration continued Command Purpose ...

Page 602: ...23 20 Catalyst 2975 Switch Software Configuration Guide OL 19720 02 Chapter 23 Configuring Port Based Traffic Control Displaying Port Based Traffic Control Settings ...

Page 603: ...ices With CDP network management applications can learn the device type and the Simple Network Management Protocol SNMP agent address of neighboring devices running lower layer transparent protocols This feature enables applications to send SNMP queries to neighboring devices CDP runs on all media that support Subnetwork Access Protocol SNAP Because CDP runs over the data link layer only two syste...

Page 604: ...s a single switch in the network Therefore CDP discovers the switch stack not the individual stack members The switch stack sends CDP messages to neighboring network devices when there are changes to the switch stack membership such as stack members being added or removed Configuring CDP These sections contain this configuration information Default CDP Configuration page 24 2 Configuring the CDP C...

Page 605: ...bling and Enabling CDP CDP is enabled by default Note Switch clusters and other Cisco devices such as Cisco IP Phones regularly exchange CDP messages Disabling CDP can interrupt cluster discovery and device connectivity For more information see Chapter 5 Clustering Switches and see Getting Started with Cisco Network Assistant available on Cisco com Command Purpose Step 1 configure terminal Enter g...

Page 606: ...Beginning in privileged EXEC mode follow these steps to disable CDP on a port Command Purpose Step 1 configure terminal Enter global configuration mode Step 2 no cdp run Disable CDP Step 3 end Return to privileged EXEC mode Command Purpose Step 1 configure terminal Enter global configuration mode Step 2 cdp run Enable CDP after disabling it Step 3 end Return to privileged EXEC mode Command Purpose...

Page 607: ...ar cdp counters Reset the traffic counters to zero clear cdp table Delete the CDP table of information about neighbors show cdp Display global information such as frequency of transmissions and the holdtime for packets being sent show cdp entry entry name protocol version Display information about a specific neighbor You can enter an asterisk to display all CDP neighbors or you can enter the name ...

Page 608: ...24 6 Catalyst 2975 Switch Software Configuration Guide OL 19720 02 Chapter 24 Configuring CDP Monitoring and Maintaining CDP ...

Page 609: ... The Cisco Discovery Protocol CDP is a device discovery protocol that runs over Layer 2 the data link layer on all Cisco manufactured devices routers bridges access servers and switches CDP allows network management applications to automatically discover and learn about other Cisco devices connected to the network To support non Cisco devices and to allow for interoperability between other devices...

Page 610: ... over Ethernet inventory management and location information By default all LLDP MED TLVs are enabled LLDP MED supports these TLVs LLDP MED capabilities TLV Allows LLDP MED endpoints to determine the capabilities that the connected device supports and has enabled Network policy TLV Allows both network connectivity devices and endpoints to advertise VLAN configurations and associated Layer 2 and La...

Page 611: ... Provides the civic address information and postal information Examples of civic location information are street address road name and postal community name information ELIN location information Provides the location information of a caller The location is determined by the Emergency location identifier number ELIN which is a phone number that routes an emergency call to the local public safety an...

Page 612: ... the association Depending on the device capabilities the switch obtains this client information at link down Slot and port that was disconnected MAC address IP address 802 1X username if applicable Device category is specified as a wired station State is specified as delete Serial number UDI Time in seconds since the switch detected the disassociation When the switch shuts down it sends an attach...

Page 613: ...face If the switchport voice vlan vlan id is already configured on an interface you can apply a network policy profile on the interface This way the interface has the voice or voice signaling VLAN network policy profile applied on the interface You cannot configure static secure MAC addresses on an interface that has a network policy profile You cannot configure a network policy profile on a priva...

Page 614: ...This example shows how to enable LLDP on an interface Switch configure terminal Switch config interface gigabitethernet1 0 1 Switch config if lldp transmit Switch config if lldp receive Switch config if end Command Purpose Step 1 configure terminal Enter global configuration mode Step 2 lldp run Enable LLDP globally on the switch Step 3 interface interface id Specify the interface on which you are...

Page 615: ...nfig end Command Purpose Step 1 configure terminal Enter global configuration mode Step 2 lldp holdtime seconds Optional Specify the amount of time a receiving device should hold the information from your device before discarding it The range is 0 to 65535 seconds the default is 120 seconds Step 3 lldp reinit delay Optional Specify the delay time in seconds for LLDP to initialize on an interface T...

Page 616: ...rface This example shows how to enable a TLV on an interface Switch configure terminal Switch config interface gigabitethernet1 0 1 Switch config if lldp med tlv select inventory management Switch config if end Table 25 2 LLDP MED TLVs LLDP MED TLV Description inventory management LLDP MED inventory management TLV location LLDP MED location TLV network policy LLDP MED network policy TLV power mana...

Page 617: ... traffic The range is 1 to 4094 cos cvalue Optional Specify the Layer 2 priority class of service CoS for the configured VLAN The range is 0 to 7 the default is 5 dscp dvalue Optional Specify the differentiated services code point DSCP value for the configured VLAN The range is 0 to 63 the default is 46 dot1p Optional Configure the telephone to use IEEE 802 1p priority tagging and use VLAN 0 the n...

Page 618: ...igure terminal Enter global configuration mode Step 2 location admin tag string civic location identifier id elin location string identifier id Specify the location information for an endpoint admin tag Specify an administrative tag or site information civic location Specify civic location information elin location Specify emergency location information ELIN identifier id Specify the ID for the ci...

Page 619: ...nmsp global configuration commands This example shows how to enable NMSP on a switch and to set the location notification time to 10 seconds Switch config nmsp enable Switch config nmsp notification interval location 10 Step 7 show location Verify the configuration Step 8 copy running config startup config Optional Save your entries in the configuration file Command Purpose Command Purpose Step 1 ...

Page 620: ...re LLDP initializes on an interface show lldp entry entry name Display information about a specific neighbor You can enter an asterisk to display all neighbors or you can enter the neighbor name show lldp interface interface id Display information about interfaces with LLDP enabled You can limit the display to a specific interface show lldp neighbors interface id detail Display information about n...

Page 621: ... unidirectional links When UDLD detects a unidirectional link it disables the affected port and alerts you Unidirectional links can cause a variety of problems including spanning tree topology loops Modes of Operation UDLD supports two modes of operation normal the default and aggressive In normal mode UDLD can detect unidirectional links due to misconnected ports on fiber optic connections In agg...

Page 622: ...one of the ports is down while the other is up One of the fiber strands in the cable is disconnected In these cases UDLD disables the affected port In a point to point link UDLD hello packets can be considered as a heart beat whose presence guarantees the health of the link Conversely the loss of the heart beat means that the link must be shut down if it is not possible to re establish a bidirecti...

Page 623: ...ut UDLD restarts the link up sequence to resynchronize with any potentially out of sync neighbors If you enable aggressive mode when all the neighbors of a port have aged out either in the advertisement or in the detection phase UDLD restarts the link up sequence to resynchronize with any potentially out of sync neighbor UDLD shuts down the port if after the fast train of messages the link state i...

Page 624: ...witch When configuring the mode normal or aggressive make sure that the same mode is configured on both sides of the link Caution Loop guard works only on point to point links We recommend that each end of the link has a directly connected device that is running STP Table 26 1 Default UDLD Configuration Feature Default Setting UDLD global enable state Globally disabled UDLD per port enable state f...

Page 625: ...ic ports enable Enables UDLD in normal mode on all fiber optic ports on the switch UDLD is disabled by default An individual interface configuration overrides the setting of the udld enable global configuration command For more information about aggressive and normal modes see the Modes of Operation section on page 26 1 message time message timer interval Configures the period of time between UDLD...

Page 626: ...nables the timer to automatically recover from the UDLD error disabled state and the errdisable recovery interval interval global configuration command specifies the time to recover from the UDLD error disabled state Command Purpose Step 1 configure terminal Enter global configuration mode Step 2 interface interface id Specify the port to be enabled for UDLD and enter interface configuration mode ...

Page 627: ...uring UDLD Displaying UDLD Status Displaying UDLD Status To display the UDLD status for the specified port or for all ports use the show udld interface id privileged EXEC command For detailed information about the fields in the command output see the command reference for this release ...

Page 628: ...26 8 Catalyst 2975 Switch Software Configuration Guide OL 19720 02 Chapter 26 Configuring UDLD Displaying UDLD Status ...

Page 629: ...vice SPAN copies or mirrors traffic received or sent or both on source ports or source VLANs to a destination port for analysis SPAN does not affect the switching of network traffic on the source ports or VLANs You must dedicate the destination port for SPAN use Except for traffic that is required for the SPAN or RSPAN session destination ports do not receive or forward traffic Only traffic that e...

Page 630: ...hin one switch all source ports or source VLANs and destination ports are in the same switch or switch stack Local SPAN copies traffic from one or more source ports in any VLAN or from one or more VLANs to a destination port for analysis For example in Figure 27 1 all traffic on port 5 the source port is mirrored to port 10 the destination port A network analyzer on port 10receives all network tra...

Page 631: ... The traffic for each RSPAN session is carried over a user specified RSPAN VLAN that is dedicated for that RSPAN session in all participating switches The RSPAN traffic from the source ports or VLANs is copied into the RSPAN VLAN and forwarded over trunk ports carrying the RSPAN VLAN to a destination session monitoring the RSPAN VLAN Each RSPAN source switch must have either ports or VLANs as RSPA...

Page 632: ... the user and form them into a stream of SPAN data which is directed to the destination port RSPAN consists of at least one RSPAN source session an RSPAN VLAN and at least one RSPAN destination session You separately configure RSPAN source sessions and RSPAN destination sessions on different network devices To configure an RSPAN source session on a device you associate a set of source ports or sou...

Page 633: ... SPAN sessions do not interfere with the normal operation of the switch However an oversubscribed SPAN destination for example a 10 Mb s port monitoring a 100 Mb s port can result in dropped or lost packets When RSPAN is enabled each packet being monitored is transmitted twice once as normal traffic and once as a monitored packet Therefore monitoring a large number of ports or VLANs could potentia...

Page 634: ...ets to be dropped at ingress source ports egress source ports or SPAN destination ports In general these characteristics are independent of one another For example A packet might be forwarded normally but dropped from monitoring due to an oversubscribed SPAN destination port An ingress packet might be dropped from normal forwarding but still appear on the SPAN destination port An egress packet dro...

Page 635: ...ist and is not monitored If ports are added to or removed from the source VLANs the traffic on the source VLAN received by those ports is added to or removed from the sources being monitored You cannot use filter VLANs in the same session with VLAN sources You can monitor only Ethernet VLANs VLAN Filtering When you monitor a trunk port as a source port by default all VLANs active on the trunk are ...

Page 636: ... a secure port It cannot be a source port It cannot be an EtherChannel group or a VLAN It can participate in only one SPAN session at a time a destination port in one SPAN session cannot be a destination port for a second SPAN session When it is active incoming traffic is disabled The port does not transmit any traffic except that required for the SPAN session Incoming traffic is never learned or ...

Page 637: ... RSPAN session is disabled On a source port SPAN does not affect the STP status STP can be active on trunk ports carrying an RSPAN VLAN CDP A SPAN destination port does not participate in CDP while the SPAN session is active After the SPAN session is disabled the port again participates in CDP VTP You can use VTP to prune an RSPAN VLAN between switches VLAN and trunking You can modify VLAN members...

Page 638: ... a port that is a SPAN destination port however IEEE 802 1x is disabled until the port is removed as a SPAN destination For SPAN sessions do not enable IEEE 802 1x on ports with monitored egress when ingress forwarding is enabled on the destination port For RSPAN source sessions do not enable IEEE 802 1x on any ports that are egress monitored SPAN and RSPAN and Switch Stacks Because the stack of s...

Page 639: ...ormal switch port only monitored traffic passes through the SPAN destination port Entering SPAN configuration commands does not remove previously configured SPAN parameters You must enter the no monitor session session_number all local remote global configuration command to delete configured SPAN parameters For local SPAN outgoing packets through the SPAN destination port carry the original encaps...

Page 640: ..._number source interface interface id vlan vlan id both rx tx Specify the SPAN session and the source port monitored port For session_number the range is 1 to 66 For interface id specify the source port or source VLAN to monitor For source interface id specify the source port to monitor Valid interfaces include physical interfaces and port channel logical interfaces port channel port channel numbe...

Page 641: ...config end This example shows how to disable received traffic monitoring on port 1 which was configured for bidirectional monitoring Switch config no monitor session 1 source interface gigabitethernet1 0 1 rx Step 4 monitor session session_number destination interface interface id encapsulation dot1q replicate Specify the SPAN session and the destination port monitoring port For session_number spe...

Page 642: ...stination interface gigabitethernet1 0 2 Switch config monitor session 2 source vlan 10 Switch config end Creating a Local SPAN Session and Configuring Incoming Traffic Beginning in privileged EXEC mode follow these steps to create a SPAN session to specify the source ports or VLANs and the destination ports and to enable incoming traffic on the destination port for a network security device such ...

Page 643: ...terface interface id encapsulation dot1q replicate ingress dot1q vlan vlan id untagged vlan vlan id vlan vlan id Specify the SPAN session the destination port the packet encapsulation and the ingress VLAN and encapsulation For session_number specify the session number entered in Step 3 For interface id specify the destination port The destination interface must be a physical port it cannot be an E...

Page 644: ... session_number enter the session number specified in Step 3 For vlan id the range is 1 to 4094 Optional Use a comma to specify a series of VLANs or use a hyphen to specify a range of VLANs Enter a space before and after the comma enter a space before and after the hyphen Step 5 monitor session session_number destination interface interface id encapsulation dot1q replicate Specify the SPAN session...

Page 645: ...y to RSPAN As RSPAN VLANs have special properties you should reserve a few VLANs across your network for use as RSPAN VLANs do not assign access ports to these VLANs You can apply an output ACL to RSPAN traffic to selectively filter or monitor specific packets Specify these ACLs on the RSPAN VLAN in the RSPAN source switches For RSPAN configuration you can distribute the source ports and the desti...

Page 646: ...tination switches and any intermediate switches Use VTP pruning to get an efficient flow of RSPAN traffic or manually delete the RSPAN VLAN from all trunks that do not need to carry the RSPAN traffic Beginning in privileged EXEC mode follow these steps to create an RSPAN VLAN To remove the remote SPAN characteristic from a VLAN and convert it back to a normal VLAN use the no remote span VLAN confi...

Page 647: ...monitor Valid interfaces include physical interfaces and port channel logical interfaces port channel port channel number Valid port channel numbers are 1 to 6 For vlan id specify the source VLAN to monitor The range is 1 to 4094 excluding the RSPAN VLAN A single session can include multiple sources ports or VLANs defined in a series of commands but you cannot combine source ports and source VLANs...

Page 648: ... stack that is not the switch or switch stack on which the source session was configured Beginning in privileged EXEC mode follow these steps to define the RSPAN VLAN on that switch to create an RSPAN destination session and to specify the source RSPAN VLAN and the destination port Command Purpose Step 1 configure terminal Enter global configuration mode Step 2 vlan vlan id Enter the VLAN ID of th...

Page 649: ...SPAN Destination Session section on page 27 20 This procedure assumes that the RSPAN VLAN has already been configured Step 7 monitor session session_number destination interface interface id Specify the RSPAN session and the destination interface For session_number enter the number defined in Step 6 In an RSPAN destination session you must use the same session number for the source RSPAN VLAN and ...

Page 650: ...oming VLAN and encapsulation For session_number enter the number defined in Step 4 In an RSPAN destination session you must use the same session number for the source RSPAN VLAN and the destination port For interface id specify the destination interface The destination interface must be a physical interface Though visible in the command line help string encapsulation replicate is not supported for...

Page 651: ...all to remove all SPAN sessions local to remove all local sessions or remote to remove all remote SPAN sessions Step 3 monitor session session_number source interface interface id Specify the characteristics of the source port monitored port and SPAN session For session_number the range is 1 to 66 For interface id specify the source port to monitor The interface specified must already be configure...

Page 652: ...uring SPAN and RSPAN Displaying SPAN and RSPAN Status Displaying SPAN and RSPAN Status To display the current SPAN or RSPAN configuration use the show monitor user EXEC command You can also use the show running config privileged EXEC command to display configured SPAN or RSPAN sessions ...

Page 653: ...changed between RMON compliant console systems and network probes RMON provides you with comprehensive network fault diagnosis planning and performance tuning information Note For complete syntax and usage information for the commands used in this chapter see the System Management Commands section in the Cisco IOS Configuration Fundamentals Command Reference Release 12 2 from the Cisco com page un...

Page 654: ...n Ethernet ports including Fast Ethernet and Gigabit Ethernet statistics depending on the switch type and supported interfaces for a specified polling interval Alarm RMON group 3 Monitors a specific management information base MIB object for a specified interval triggers an alarm at a specified value rising threshold and resets the alarm at another value falling threshold Alarms can be used with e...

Page 655: ...28 6 optional Default RMON Configuration RMON is disabled by default no alarms or events are configured Configuring RMON Alarms and Events You can configure your switch for RMON by using the command line interface CLI or an SNMP compatible network management station We recommend that you use a generic RMON console application on the network management station NMS to take advantage of the RMON netw...

Page 656: ...ue specify a number at which the alarm is triggered and one for when the alarm is reset The range for the rising threshold and falling threshold values is 2147483648 to 2147483647 Optional For event number specify the event number to trigger when the rising or falling threshold exceeds its limit Optional For owner string specify the owner of the alarm Step 3 rmon event number description string lo...

Page 657: ...rrors and generates a log entry when the event is triggered by the alarm The user jjones owns the row that is created in the event table by this command This example also generates an SNMP trap when the event is triggered Switch config rmon event 1 log trap eventtrap description High ifOutErrors owner jjones Collecting Group History Statistics on an Interface You must first configure RMON alarms a...

Page 658: ...how rmon history Display the contents of the switch history table Step 7 copy running config startup config Optional Save your entries in the configuration file Command Purpose Command Purpose Step 1 configure terminal Enter global configuration mode Step 2 interface interface id Specify the interface on which to collect statistics and enter interface configuration mode Step 3 rmon collection stat...

Page 659: ...agement Commands section in the Cisco IOS Configuration Fundamentals Command Reference Release 12 2 from the Cisco com page under Documentation Cisco IOS Software 12 2 Mainline Command References Table 28 1 Commands for Displaying RMON Status Command Purpose show rmon Displays general RMON statistics show rmon alarms Displays the RMON alarm table show rmon events Displays the RMON event table show...

Page 660: ...28 8 Catalyst 2975 Switch Software Configuration Guide OL 19720 02 Chapter 28 Configuring RMON Displaying RMON Status ...

Page 661: ...nderstanding System Message Logging By default a switch sends the output from system messages and debug privileged EXEC commands to a logging process Stack members can trigger system messages A stack member that generates a system message appends its hostname in the form of hostname n where n is a switch number from 1 to 9 and redirects the output to the logging process on the stack master Though ...

Page 662: ...le output Configuring System Message Logging These sections contain this configuration information System Log Message Format page 29 2 Default System Message Logging Configuration page 29 4 Disabling Message Logging page 29 4 optional Setting the Message Display Destination Device page 29 5 optional Synchronizing Log Messages page 29 6 optional Enabling and Disabling Time Stamps on Log Messages pa...

Page 663: ...rface GigabitEthernet2 0 2 changed state to up Switch 2 00 00 48 LINEPROTO 5 UPDOWN Line protocol on Interface Vlan1 changed state to down Switch 2 00 00 48 LINEPROTO 5 UPDOWN Line protocol on Interface GigabitEthernet2 0 1 changed state to down 2 Switch 2 Table 29 1 System Log Message Elements Element Description seq no Stamps log messages with a sequence number only if the service sequence numbe...

Page 664: ...led messages appear on the console as soon as they are produced often appearing in the middle of command output Table 29 2 Default System Message Logging Configuration Feature Default Setting System message logging to the console Enabled Console severity Debugging and numerically lower levels see Table 29 3 on page 29 10 Logging file configuration No filename specified Logging buffer size 4096 byt...

Page 665: ...e buffer size too large because the switch could run out of memory for other tasks Use the show memory privileged EXEC command to view the free processor memory on the switch However this value is the maximum available and the buffer size should not be set to this amount Step 3 logging host Log messages to a UNIX syslog server host For host specify the name or IP address of the host to be used as ...

Page 666: ...C command output with solicited device output and prompts for a specific console port line or virtual terminal line You can identify the types of messages to be output asynchronously based on the level of severity You can also configure the maximum number of buffers for storing asynchronous messages for the terminal after which messages are dropped When synchronous logging of unsolicited messages ...

Page 667: ...ou can change the setting of all 16 vty lines at once by entering line vty 0 15 Or you can change the setting of the single vty line being used for your current connection For example to change the setting for vty line 2 enter line vty 2 When you enter this command the mode changes to line configuration Step 3 logging synchronous level severity level all limit number of buffers Enable synchronous ...

Page 668: ...ne log message can have the same time stamp you can display messages with sequence numbers so that you can unambiguously see a single message By default sequence numbers in log messages are not displayed Beginning in privileged EXEC mode follow these steps to enable sequence numbers in log messages This procedure is optional Command Purpose Step 1 configure terminal Enter global configuration mode...

Page 669: ...tion command To disable logging to syslog servers use the no logging trap global configuration command Step 4 show running config Verify your entries Step 5 copy running config startup config Optional Save your entries in the configuration file Command Purpose Command Purpose Step 1 configure terminal Enter global configuration mode Step 2 logging console level Limit messages logged to the console...

Page 670: ...layed at the informational level This message is only for information switch functionality is not affected Limiting Syslog Messages Sent to the History Table and to SNMP If you enabled syslog message traps to be sent to an SNMP network management station by using the snmp server enable trap global configuration command you can change the level of messages sent and stored in the switch history tabl...

Page 671: ...ogging enable command followed by the logging enable command to disable and reenable logging Use the show archive log config all number end number user username session number number end number statistics provisioning privileged EXEC command to display the complete configuration log or the log for specified parameters The default is that configuration logging is disabled For information about the ...

Page 672: ...p radius 41 13 unknown user vty3 no aaa accounting system default 42 14 temi vty4 interface GigabitEthernet4 0 1 43 14 temi vty4 switchport mode trunk 44 14 temi vty4 exit 45 16 temi vty5 interface FastEthernet5 0 1 46 16 temi vty5 switchport mode trunk 47 16 temi vty5 exit Configuring UNIX Syslog Servers The next sections describe how to configure the UNIX server syslog daemon and how to define t...

Page 673: ... at this level or at a more severe level to the file specified in the next field The file must already exist and the syslog daemon must have permission to write to it Step 2 Create the log file by entering these commands at the UNIX shell prompt touch var log cisco log chmod 666 var log cisco log Step 3 Make sure the syslog daemon reads the new changes kill HUP cat etc syslog pid For more informat...

Page 674: ...r information about the fields in this display see the Cisco IOS Configuration Fundamentals Command Reference Release 12 2 from the Cisco com page under Documentation Cisco IOS Software 12 2 Mainline Command References Step 4 logging facility facility type Configure the syslog facility See Table 29 4 on page 29 14 for facility type keywords The default is local7 Step 5 end Return to privileged EXE...

Page 675: ...define the relationship between the manager and the agent The SNMP agent contains MIB variables whose values the SNMP manager can request or change A manager can get a value from an agent or store a value into the agent The agent gathers data from the MIB the repository for information about device parameters and network data The agent can also respond to a manager s requests to get or set data An...

Page 676: ...rity features Message integrity ensuring that a packet was not tampered with in transit Authentication determining that the message is from a valid source Encryption mixing the contents of a package to prevent it from being read by an unauthorized source Note To select encryption enter the priv keyword This keyword is available only when the cryptographic encrypted software image is installed Both...

Page 677: ...HA algorithms SNMPv3 authPriv requires the cryptographic software image MD5 or SHA Data Encryption Standard DES or Advanced Encryption Standard AES Provides authentication based on the HMAC MD5 or HMAC SHA algorithms Allows specifying the User based Security Model USM with these encryption algorithms DES 56 bit encryption in addition to authentication based on the CBC DES DES 56 standard 3DES 168 ...

Page 678: ...access Read write RW Gives read and write access to authorized management stations to all objects in the MIB but does not allow access to the community strings When a cluster is created the command switch manages the exchange of messages among member switches and the SNMP application The Network Assistant software appends the member switch number esN where N is the switch number to the first confi...

Page 679: ...raps also consume more resources in the switch and in the network Unlike a trap which is discarded as soon as it is sent an inform request is held in memory until a response is received or the request times out Traps are sent only once but an inform might be re sent or retried several times The retries increase traffic and contribute to a higher overhead on the network Therefore traps and informs ...

Page 680: ...nfiguration Table 30 4 shows the default SNMP configuration Tunnel 5078 5142 Physical such as Gigabit Ethernet or SFP2 module interfaces 10000 14500 Null 14501 1 SVI switch virtual interface 2 SFP small form factor pluggable Table 30 3 ifIndex Values continued Interface Type ifIndex Range Table 30 4 Default SNMP Configuration Feature Default Setting SNMP agent Disabled1 1 This is the default when ...

Page 681: ...ion command fails When configuring SNMP informs you need to configure the SNMP engine ID for the remote agent in the SNMP database before you can send proxy requests or informs to it If a local user is not associated with a remote host the switch does not send informs for the auth authNoPriv and the priv authPriv authentication levels Changing the value of the SNMP engine ID has important side eff...

Page 682: ...password and permits access to the SNMP protocol You can configure one or more community strings of any length Optional For view specify the view record accessible to the community Optional Specify either read only ro if you want authorized management stations to retrieve MIB objects or specify read write rw if you want authorized management stations to retrieve and modify MIB objects By default t...

Page 683: ...to the SNMP group Beginning in privileged EXEC mode follow these steps to configure SNMP on the switch Step 5 show running config Verify your entries Step 6 copy running config startup config Optional Save your entries in the configuration file Command Purpose Command Purpose Step 1 configure terminal Enter global configuration mode Step 2 snmp server engineID local engineid string remote ip addre...

Page 684: ...entication noauth Enables the noAuthNoPriv security level This is the default if no keyword is specified priv Enables Data Encryption Standard DES packet encryption also called privacy Note The priv keyword is available only when the cryptographic software image is installed Optional Enter read readview with a string not to exceed 64 characters that is the name of the view in which you can only vi...

Page 685: ...d auth is an authentication level setting session that can be either the HMAC MD5 96 md5 or the HMAC SHA 96 sha authentication level and requires a password string auth password not to exceed 64 characters If you enter v3 and the switch is running the cryptographic software image you can also configure a private priv encryption algorithm and password string priv password not to exceed 64 character...

Page 686: ...trap for SNMP configuration changes copy config Generates a trap for SNMP copy configuration changes entity Generates a trap for SNMP entity changes cpu threshold Allow CPU related traps envmon Generates environmental monitor traps You can enable any or all of these environmental traps fan shutdown status supply temperature errdisable Generates a trap for a port VLAN errdisabled You can also set a...

Page 687: ...down storm control Generates a trap for SNMP storm control You can also set a maximum trap rate per minute The range is from 0 to 1000 the default is 0 no limit is imposed a trap is sent at every occurrence stpx Generates SNMP STP Extended MIB traps syslog Generates SNMP syslog traps tty Generates a trap for TCP connections This trap is enabled by default vlan membership Generates a trap for SNMP ...

Page 688: ...e symbol as part of the SNMP community string when configuring this command Optional For notification type use the keywords listed in Table 30 5 on page 30 12 If no type is specified all notifications are sent Step 6 snmp server enable traps notification types Enable the switch to send traps or informs and specify the type of notifications to be sent For a list of notification types see Table 30 5...

Page 689: ...t enter the show snmp user privileged EXEC command Step 12 copy running config startup config Optional Save your entries in the configuration file Command Purpose Command Purpose Step 1 configure terminal Enter global configuration mode Step 2 process cpu threshold type total process interrupt rising percentage interval seconds falling fall percentage interval seconds Set the CPU threshold notific...

Page 690: ...how running config Verify your entries Step 6 copy running config startup config Optional Save your entries in the configuration file Command Purpose Step 1 configure terminal Enter global configuration mode Step 2 snmp server tftp server list access list number Limit TFTP servers used for configuration file copies through SNMP to the servers in the access list For access list number enter an IP s...

Page 691: ... snmp authentication Switch config snmp server host cisco com version 2c public This example shows how to send Entity MIB traps to the host cisco com The community string is restricted The first line enables the switch to send Entity MIB traps in addition to any traps previously enabled The second line specifies the destination of these traps and overwrites any previous snmp server host commands f...

Page 692: ...ference Table 30 6 Commands for Displaying SNMP Information Feature Default Setting show snmp Displays SNMP statistics show snmp engineID local remote Displays information on the local SNMP engine and all remote engines that have been configured on the device show snmp group Displays information on each SNMP group on the network show snmp pending Displays information on pending SNMP requests show ...

Page 693: ... traffic and restrict network use by certain users or devices ACLs filter traffic as it passes through a switch and permit or deny packets crossing specified interfaces An ACL is a sequential collection of permit and deny conditions that apply to packets When a packet is received on an interface the switch compares the fields in the packet against any applied ACLs to verify that the packet has the...

Page 694: ...s access control traffic entering a Layer 2 interface The switch does not support port ACLs in the outbound direction You can apply only one IP access list and one MAC access list to a Layer 2 interface For more information see the Port ACLs section on page 31 3 Router ACLs access control routed traffic between VLANs and are applied to Layer 3 interfaces in a specific direction inbound or outbound...

Page 695: ...ACLs control access to a network or to part of a network Figure 31 1 is an example of using port ACLs to control access to a network when all workstations are in the same VLAN ACLs applied at the Layer 2 input would allow Host A to access the Human Resources network but prevent Host B from accessing the same network Port ACLs can only be applied to Layer 2 interfaces in the inbound direction Figur...

Page 696: ...iated with outbound features configured on the egress interface are examined ACLs permit or deny packet forwarding based on how the packet matches the entries in the ACL and can be used to control access to a network or to part of a network In Figure 31 1 ACLs applied at the router input allow Host A to access the Human Resources network but prevent Host B from accessing the same network Handling ...

Page 697: ... to host 10 1 1 3 port ftp If this packet is fragmented the first fragment matches the fourth ACE a deny All other fragments also match the fourth ACE because that ACE does not check any Layer 4 information and because Layer 3 information in all fragments shows that they are being sent to host 10 1 1 3 and the earlier permit ACEs were checking different hosts ACLs and Switch Stacks ACL support is ...

Page 698: ...ch clustering feature ACL logging These are the steps to use IP ACLs on the switch Step 1 Create an ACL by specifying an access list number or name and the access conditions Step 2 Apply the ACL to interfaces or terminal lines These sections contain this configuration information Creating Standard and Extended IPv4 ACLs page 31 6 Applying an IPv4 ACL to a Terminal Line page 31 17 Applying an IPv4 ...

Page 699: ...te In addition to numbered standard and extended ACLs you can also create standard and extended named IP ACLs by using the supported numbers That is the name of a standard IP ACL can be 1 to 99 the name of an extended IP ACL can be 100 to 199 The advantage of using named ACLs instead of numbered lists is that you can delete individual entries from a named list Table 31 1 Access List Numbers Access...

Page 700: ...t 2 permit any Switch config end Switch show access lists Standard IP access list 2 10 deny 171 69 198 102 20 permit any Command Purpose Step 1 configure terminal Enter global configuration mode Step 2 access list access list number deny permit source source wildcard Define a standard IPv4 access list by using a source address and wildcard The access list number is a decimal number from 1 to 99 or...

Page 701: ...e protocols also have specific parameters and keywords that apply to that protocol These IP protocols are supported protocol keywords are in parentheses in bold Authentication Header Protocol ahp Enhanced Interior Gateway Routing Protocol eigrp Encapsulation Security Payload esp generic routing encapsulation gre Internet Control Message Protocol icmp Internet Group Management Protocol igmp any Int...

Page 702: ...dcard applies wildcard bits to the source The destination is the network or host number to which the packet is sent The destination wildcard applies wildcard bits to the destination Source source wildcard destination and destination wildcard can be specified as The 32 bit quantity in dotted decimal format The keyword any for 0 0 0 0 255 255 255 255 any host The keyword host for a single host 0 0 0...

Page 703: ...wildcard port Possible operators include eq equal gt greater than lt less than neq not equal and range inclusive range Operators require a port number range requires two port numbers separated by a space Enter the port number as a decimal number from 0 to 65535 or the name of a TCP port To see TCP port names use the or see the Configuring IP Services section in the IP Addressing and Services chapt...

Page 704: ...ssage precedence precedence tos tos fragments time range time range name dscp dscp Optional Define an extended ICMP access list and the access conditions Enter icmp for Internet Control Message Protocol The ICMP parameters are the same as those described for most IP protocols in Step 2a with the addition of the ICMP message type and code parameters These optional keywords have these meanings icmp ...

Page 705: ... However not all commands that use IP access lists accept a named access list Note The name you give to a standard or extended ACL can also be a number in the supported range of access list numbers That is the name of a standard IP ACL can be 1 to 99 the name of an extended IP ACL can be 100 to 199 The advantage of using named ACLs instead of numbered lists is that you can delete individual entrie...

Page 706: ... named ACL is one reason you might use named ACLs instead of numbered ACLs After creating a named ACL you can apply it to interfaces see the Applying an IPv4 ACL to an Interface section on page 31 18 Step 5 show access lists number name Show the access list configuration Step 6 copy running config startup config Optional Save your entries in the configuration file Command Purpose Command Purpose S...

Page 707: ...ock therefore you need a reliable clock source We recommend that you use Network Time Protocol NTP to synchronize the switch clock For more information see the Managing the System Time and Date section on page 7 1 Beginning in privileged EXEC mode follow these steps to configure a time range parameter for an ACL Repeat the steps if you have multiple items that you want in effect at different times...

Page 708: ...s Extended IP access list 188 10 deny tcp any any time range new_year_day_2006 inactive 20 permit tcp any any time range workhours inactive This example uses named ACLs to permit and deny the same traffic Switch config ip access list extended deny_access Switch config ext nacl deny tcp any any time range new_year_day_2006 Switch config ext nacl exit Switch config ip access list extended may_access...

Page 709: ... terminal lines because a user can attempt to connect to any of them For procedures for applying ACLs to interfaces see the Applying an IPv4 ACL to an Interface section on page 31 18 Beginning in privileged EXEC mode follow these steps to restrict incoming and outgoing connections between a virtual terminal line and the addresses in an ACL To remove an ACL from a terminal line use the no access cl...

Page 710: ...ly an ACL to a Layer 3 interface and routing is not enabled the ACL only filters packets that are intended for the CPU such as SNMP Telnet or web traffic You do not have to enable routing to apply ACLs to Layer 2 interfaces Beginning in privileged EXEC mode follow these steps to control access to an interface To remove the specified access group use the no ip access group access list number name i...

Page 711: ...ate for software forwarded traffic is substantially less than for hardware forwarded traffic If ACLs cause large numbers of packets to be sent to the CPU the switch performance can be negatively affected When you enter the show ip access lists privileged EXEC command the match count displayed does not account for packets that are access controlled in hardware Use the show access lists hardware cou...

Page 712: ...lphanumerically precedes the other ACLs for example rename ACL 79 to ACL 1 You can now apply the first ACE in the ACL to the interface The switch allocates the ACE to available mapping bits in the Opselect index and then allocates flag related operators to use the same bits in the TCAM IPv4 ACL Configuration Examples This section provides examples of configuring and applying IPv4 ACLs For detailed...

Page 713: ...t 102 permit tcp any 128 88 0 0 0 0 255 255 eq 23 Switch config access list 102 permit tcp any 128 88 0 0 0 0 255 255 eq 25 Switch config interface gigabitethernet1 0 1 Switch config if ip access group 102 in Named ACLs This example creates an extended ACL named marketing_group The marketing_group ACL allows any TCP Telnet traffic to the destination address and wildcard 171 69 0 0 0 0 255 255 and ...

Page 714: ...nes subnet is not allowed access Switch config ip access list standard prevention Switch config std nacl remark Do not allow Jones subnet through Switch config std nacl deny 171 69 0 0 0 0 255 255 In this example of a named ACL the Jones subnet is not allowed to use outbound Telnet Switch config ip access list extended telnetting Switch config ext nacl remark Do not allow Jones subnet to telnet ou...

Page 715: ...viously configured one Step 3 deny permit any host source MAC address source MAC address mask any host destination MAC address destination MAC address mask type mask lsap lsap mask aarp amber dec spanning decnet iv diagnostic dsm etype 6000 etype 8042 lat lavc sca mop console mop dump msdos mumps netbios vines echo vines ip xns idp 0 65535 cos cos In extended MAC access list configuration mode spe...

Page 716: ...st the inbound ACL If the ACL permits it the switch continues to process the packet If the ACL rejects the packet the switch discards it When you apply an undefined ACL to an interface the switch acts as if the ACL has not been applied and permits all packets Remember this behavior if you use undefined ACLs for network security Command Purpose Step 1 configure terminal Enter global configuration m...

Page 717: ...ed in Table 31 2 to display this information Table 31 2 Commands for Displaying Access Lists and Access Groups Command Purpose show access lists number name Display the contents of one or all current IP and MAC address access lists or a specific access list numbered or named show ip access lists number name Display the contents of all current IP access lists or a specific IP access list numbered o...

Page 718: ...31 26 Catalyst 2975 Switch Software Configuration Guide OL 19720 02 Chapter 31 Configuring Network Security with ACLs Displaying IPv4 ACL Configuration ...

Page 719: ...re information about IP SLAs see the Cisco IOS IP SLAs Configuration Guide Release 12 4T http www cisco com en US docs ios ipsla configuration guide 12_4t sla_12_4t_book html For command syntax information see the command reference http www cisco com en US docs ios ipsla command reference sla_book html This chapter has these sections Understanding Cisco IOS IP SLAs page 32 1 Configuring IP SLAs Op...

Page 720: ...ring measurement and verification Network performance monitoring Measures the jitter latency or packet loss in the network Provides continuous reliable and predictable measurements IP service network health assessment to verify that the existing QoS is sufficient for new IP services Edge to edge network availability monitoring for proactive verification and connectivity testing of network resource...

Page 721: ... chapters in the Cisco IOS IP SLAs Configuration Guide http www cisco com en US docs ios ipsla configuration guide 12_4t sla_12_4t_book html Note The switch does not support Voice over IP VoIP service levels using the gatekeeper registration delay operations measurements Before configuring any IP SLAs application you can use the show ip sla application privileged EXEC command to verify that the op...

Page 722: ...uation the response times would not accurately represent true network delays IP SLAs minimizes these processing delays on the source device as well as on the target device if the responder is being used to determine true round trip times IP SLAs test packets use time stamping to minimize the processing delays When the IP SLAs responder is enabled it allows the target device to take time stamps whe...

Page 723: ... IP SLAs Configuration Guide http www cisco com en US docs ios ipsla configuration guide 12_4t sla_12_4t_book html This section includes this information Default Configuration page 32 5 Configuration Guidelines page 32 5 Configuring the IP SLAs Responder page 32 6 Default Configuration No IP SLAs operations are configured Configuration Guidelines For information on the IP SLAs commands see the Cis...

Page 724: ...to the documentation for the source device for configuration information Monitoring IP SLAs Operations Use the User EXEC or Privileged EXEC commands in Table 32 1 to display IP SLAs operations configuration Command Purpose Step 1 configure terminal Enter global configuration mode Step 2 ip sla responder tcp connect udp echo ipaddress ip address port port number Configure the switch as an IP SLAs r...

Page 725: ...page 33 33 Displaying Standard QoS Information page 33 75 The switch supports some of the modular QoS CLI MQC commands For more information about the MQC commands see the Modular Quality of Service Command Line Interface Overview http www cisco com en US docs ios 12_2 qos configuration guide qcfmcli2 html Understanding QoS Typically networks operate on a best effort delivery basis which means that...

Page 726: ...ity bits On ports configured as Layer 2 IEEE 802 1Q trunks all traffic is in IEEE 802 1Q frames except for traffic in the native VLAN Other frame types cannot carry Layer 2 CoS values Layer 2 CoS values range from 0 for low priority to 7 for high priority Prioritization bits in Layer 3 packets Layer 3 IP packets can carry either an IP precedence value or a Differentiated Services Code Point DSCP v...

Page 727: ...packet is expected to happen closer to the edge of the network so that the core switches and routers are not overloaded with this task Switches and routers along the path can use the class information to limit the amount of resources allocated per traffic class The behavior of an individual device when handling traffic in the DiffServ architecture is called per hop behavior If all devices along a ...

Page 728: ...en when a packet is out of profile and determines what to do with the packet pass through a packet without modification mark down the QoS label in the packet or drop the packet For more information see the Policing and Marking section on page 33 9 Queueing evaluates the QoS label and the corresponding DSCP or CoS value to select into which of the two ingress queues to place a packet Queueing is en...

Page 729: ...re 33 3 Trust the CoS value in the incoming frame configure the port to trust CoS Then use the configurable CoS to DSCP map to generate a DSCP value for the packet Layer 2 ISL frame headers carry the CoS value in the 3 least significant bits of the 1 byte User field Layer 2 IEEE 802 1Q frame headers carry the CoS value in the 3 most significant bits of the Tag Control Information field CoS values ...

Page 730: ...p The IP Version 4 specification defines the 3 most significant bits of the 1 byte ToS field as the IP precedence IP precedence values range from 0 for low priority to 7 for high priority Trust the CoS value if present in the incoming packet and generate a DSCP value for the packet by using the CoS to DSCP map If the CoS value is not present use the default port CoS value Perform the classificatio...

Page 731: ...et Check if packet came with CoS label tag Use the CoS value to generate the QoS label Generate DSCP from CoS to DSCP map Use the DSCP value to generate the QoS label Yes Read next ACL Is there a match with a permit action Assign the DSCP or CoS as specified by ACL action to generate the QoS label Assign the default DSCP 0 Are there any more QoS ACLs configured for this interface Check if packet c...

Page 732: ...Ls to classify non IP traffic by using the mac access list extended global configuration command For configuration information see the Configuring a QoS Policy section on page 33 44 Classification Based on Class Maps and Policy Maps A class map is a mechanism that you use to name a specific traffic flow or class and to isolate it from all other traffic The class map defines the criteria used to ma...

Page 733: ...cer decides on a packet by packet basis whether the packet is in or out of profile and specifies the actions on the packet These actions carried out by the marker include passing through the packet without modification dropping the packet or modifying marking down the assigned DSCP of the packet and allowing the packet to pass through The configurable policed DSCP map provides the packet with a ne...

Page 734: ...d leaks at a rate that you specify as the average traffic rate in bits per second Each time a token is added to the bucket the switch verifies that there is enough room in the bucket If there is not enough room the packet is marked as nonconforming and the specified policer action is taken dropped or marked down How quickly the bucket fills is a function of the bucket depth burst byte the rate at ...

Page 735: ...ds On an ingress port configured in the DSCP trusted state if the DSCP values are different between the QoS domains you can apply the configurable DSCP to DSCP mutation map to the port that is on the boundary between the two QoS domains You configure this map by using the mls qos map dscp mutation global configuration command During policing QoS can assign another DSCP value to an IP or a non IP p...

Page 736: ...ration information see the Configuring DSCP Maps section on page 33 57 For information about the DSCP and CoS input queue threshold maps see the Queueing and Scheduling on Ingress Queues section on page 33 14 For information about the DSCP and CoS output queue threshold maps see the Queueing and Scheduling on Egress Queues section on page 33 16 Queueing and Scheduling Overview The switch has queue...

Page 737: ... Operation For more information see the Mapping DSCP or CoS Values to an Ingress Queue and Setting WTD Thresholds section on page 33 63 the Allocating Buffer Space to and Setting WTD Thresholds for an Egress Queue Set section on page 33 68 and the Mapping DSCP or CoS Values to an Egress Queue and to a Threshold ID section on page 33 70 SRR Shaping and Sharing Both the ingress and egress queues are...

Page 738: ...ion on page 33 73 Queueing and Scheduling on Ingress Queues Figure 33 7 shows the queueing and scheduling flowchart for ingress ports Figure 33 7 Queueing and Scheduling Flowchart for Ingress Ports Note SRR services the priority queue for its configured share before servicing the other queue 86693 Read QoS label DSCP or CoS value Determine ingress queue number buffer allocation and WTD thresholds ...

Page 739: ...nd Bandwidth Allocation You define the ratio allocate the amount of space with which to divide the ingress buffers between the two queues by using the mls qos srr queue input buffers percentage1 percentage2 global configuration command The buffer allocation together with the bandwidth allocation control how much data can be buffered and sent before packets are dropped You allocate bandwidth as a p...

Page 740: ...weight1 weight2 global configuration command You can combine the commands described in this section to prioritize traffic by placing packets with particular DSCPs or CoSs into certain queues by allocating a large queue size or by servicing the queue more frequently and by adjusting queue thresholds so that packets with lower priorities are dropped For configuration information see the Configuring ...

Page 741: ... a buffer allocation scheme to reserve a minimum amount of buffers for each egress queue to prevent any queue or port from consuming all the buffers and depriving other queues and to control whether to grant buffer space to a requesting queue The switch detects whether the target queue has not consumed more buffers than its reserved amount under limit whether it has consumed all of its maximum buf...

Page 742: ...can guarantee that the allocated buffers are reserved for a specific queue in a queue set For example if there are 100 buffers for a queue you can reserve 50 percent 50 buffers The switch returns the remaining 50 buffers to the common pool You also can enable a queue in the full condition to obtain more buffers than are reserved for it by setting a maximum threshold The switch can allocate the nee...

Page 743: ...ress Queue Characteristics section on page 33 67 Note The egress queue default settings are suitable for most situations You should change them only when you have a thorough understanding of the egress queues and if these settings do not meet your QoS solution Packet Modification A packet is classified policed and queued to provide QoS Packet modifications can occur during this process For IP and ...

Page 744: ...sted traffic through an uplink Auto QoS then performs these functions Detects the presence or absence of auto QoS devices through conditional trusted interfaces Configures QoS classification Configures egress queues These sections contain this configuration information Generated Auto QoS Configuration page 33 20 Effects of Auto QoS on the Configuration page 33 30 Auto QoS Configuration Guidelines ...

Page 745: ...acket If the packet does not have a DSCP value of 24 26 or 46 or is out of profile the switch changes the DSCP value to 0 When you enter the auto qos voip trust interface configuration command on a port connected to the network interior the switch trusts the CoS value for nonrouted ports or the DSCP value for routed ports in ingress packets the assumption is that traffic has already been classifie...

Page 746: ...obal values change with the migration of enhanced commands For a complete list of the generated commands that are applied to the running configuration see Table 33 5 Auto QoS Configuration Migration Auto QoS configuration migration from legacy auto QoS to enhanced auto QoS occurs when A switch is booted with the Cisco IOS Release 12 2 55 SE image and QoS is not enabled Any video or voice trust con...

Page 747: ...mls qos srr queue input cos map queue 1 threshold 3 0 Switch config mls qos srr queue input cos map queue 2 threshold 1 2 Switch config mls qos srr queue input cos map queue 2 threshold 2 4 6 7 Switch config mls qos srr queue input cos map queue 2 threshold 3 3 5 Switch config no mls qos srr queue input cos map Switch config mls qos srr queue input cos map queue 1 threshold 2 3 Switch config mls q...

Page 748: ...shold 2 49 50 51 52 53 54 55 56 Switch config mls qos srr queue input dscp map queue 2 threshold 2 57 58 59 60 61 62 63 Switch config mls qos srr queue input dscp map queue 2 threshold 3 24 25 26 27 28 29 30 31 Switch config mls qos srr queue input dscp map queue 2 threshold 3 40 41 42 43 44 45 46 47 Switch config no mls qos srr queue input dscp map Switch config mls qos srr queue input dscp map q...

Page 749: ...e 4 threshold 2 9 10 11 12 13 14 15 Switch config mls qos srr queue output dscp map queue 4 threshold 3 0 1 2 3 4 5 6 7 Switch config no mls qos srr queue output dscp map Switch config mls qos srr queue output dscp map queue 1 threshold 3 32 33 40 41 42 43 44 45 46 47 Switch config mls qos srr queue output dscp map queue 2 threshold 1 16 17 18 19 20 21 22 23 Switch config mls qos srr queue output ...

Page 750: ...ch config no mls qos srr queue input priority queue 1 Switch config no mls qos srr queue input priority queue 2 Switch config mls qos srr queue input bandwidth 70 30 Switch config mls qos srr queue input threshold 1 80 90 Switch config mls qos srr queue input priority queue 2 bandwidth 30 The switch automatically configures the egress queue buffer sizes It configures the bandwidth and the SRR mode...

Page 751: ...tch config class map match all AutoQoS VoIP Control Trust Switch config cmap match ip dscp cs3 af31 Switch config policy map AutoQoS Police CiscoPhone Switch config pmap class AutoQoS VoIP RTP Trust Switch config pmap c set dscp ef Switch config pmap c police 320000 8000 exceed action policed dscp transmit Switch config pmap class AutoQoS VoIP Control Trust Switch config pmap c set dscp cs3 Switch...

Page 752: ... Switch config pmap c set dscp default Switch config if service policy input AUTOQOS SRND4 CLASSIFY POLICY If you entered the auto qos classify police command the switch automatically creates class maps and policy maps Switch config mls qos map policed dscp 0 10 18 to 8 Switch config mls qos map cos dscp 0 8 16 24 32 46 48 56 Switch config class map match all AUTOQOS_MULTIENHANCED_CONF_CLASS Switc...

Page 753: ...SCOPHONE POLICY This is the enhanced configuration for the auto qos voip cisco softphone command Switch config mls qos map policed dscp 0 10 18 to 8 Switch config mls qos map cos dscp 0 8 16 24 32 46 48 56 Switch config class map match all AUTOQOS_MULTIENHANCED_CONF_CLASS Switch config cmap match access group name AUTOQOS ACL MULTIENHANCED CONF Switch config class map match all AUTOQOS_VOIP_DATA_C...

Page 754: ...be retrieved by reloading the switch without saving the current configuration to memory If the generated commands are not applied the previous running configuration is restored Auto QoS Configuration Guidelines Before configuring auto QoS you should be aware of this information Auto QoS configures the switch for VoIP with Cisco IP Phones on nonrouted and routed ports Auto QoS also configures the s...

Page 755: ...ose Step 1 configure terminal Enter global configuration mode Step 2 interface interface id Specify the port that is connected to a video device or the uplink port that is connected to another trusted switch or router in the network interior and enter interface configuration mode Step 3 auto qos voip cisco phone cisco softphone trust or Enable auto QoS The keywords have these meanings cisco phone ...

Page 756: ...ugh mode packets are switched without any rewrites and classified as best effort without any policing Displaying Auto QoS Information To display the initial auto QoS configuration use the show auto qos interface interface id privileged EXEC command To display any user changes to that configuration use the show running config privileged EXEC command You can compare the show auto qos and the show ru...

Page 757: ...equired Configuring a QoS Policy page 33 44 required Configuring DSCP Maps page 33 57 optional unless you need to use the DSCP to DSCP mutation map or the policed DSCP map Configuring Ingress Queue Characteristics page 33 63 optional Configuring Egress Queue Characteristics page 33 67 optional Default Standard QoS Configuration QoS is disabled There is no concept of trusted or untrusted ports beca...

Page 758: ...rcent Bandwidth allocation 1 1 The bandwidth is equally shared between the queues SRR sends packets in shared mode only 4 4 Priority queue bandwidth 2 2 Queue 2 is the priority queue SRR services the priority queue for its configured share before servicing the other queue 0 10 WTD drop threshold 1 100 percent 100 percent WTD drop threshold 2 100 percent 100 percent Table 33 7 Default CoS Input Que...

Page 759: ...h maps an incoming DSCP value to the same DSCP value The default policed DSCP map is a null map which maps an incoming DSCP value to the same DSCP value no markdown Maximum threshold 400 percent 400 percent 400 percent 400 percent SRR shaped weights absolute 1 25 0 0 0 SRR shared weights 2 25 25 25 25 1 A shaped weight of zero means that this queue is operating in shared mode 2 One quarter of the ...

Page 760: ...able policers plus 1 policer reserved for system internal use The maximum number of user configurable policers supported per port is 63 Policers are allocated on demand by the software and are constrained by the hardware and ASIC boundaries You cannot reserve policers per port there is no guarantee that a port will be assigned to any policer Only one policer is applied to a packet on an ingress po...

Page 761: ...orts within the QoS Domain page 33 37 Configuring the CoS Value for an Interface page 33 39 Configuring a Trusted Boundary to Ensure Port Security page 33 40 Enabling DSCP Transparency Mode page 33 41 Configuring the DSCP Trust State on a Port Bordering Another QoS Domain page 33 42 Configuring the Trust State on Ports within the QoS Domain Packets entering a QoS domain are classified at the edge ...

Page 762: ... follow these steps to configure the port to trust the classification of the traffic that it receives 101236 Trunk Trusted interface Traffic classification performed here Trusted boundary IP P1 P3 Command Purpose Step 1 configure terminal Enter global configuration mode Step 2 interface interface id Specify the port to be trusted and enter interface configuration mode Valid interfaces include phys...

Page 763: ...he keywords have these meanings cos Classifies an ingress packet by using the packet CoS value For an untagged packet the port default CoS value is used The default port CoS value is 0 dscp Classifies an ingress packet by using the packet DSCP value For a non IP packet the packet CoS value is used if the packet is tagged for an untagged packet the default port CoS is used Internally the switch map...

Page 764: ...ith the trusted setting you also can use the trusted boundary feature to prevent misuse of a high priority queue if a user bypasses the telephone and connects the PC directly to the switch Without trusted boundary the CoS labels generated by the PC are trusted by the switch because of the trusted CoS setting By contrast trusted boundary uses CDP to detect the presence of a Cisco IP Phone such as t...

Page 765: ...vice QoS configuration including the port trust setting policing and marking and the DSCP to DSCP mutation map If DSCP transparency is enabled by using the no mls qos rewrite ip dscp command the switch does not modify the DSCP field in the incoming packet and the DSCP field in the outgoing packet is the same as that in the incoming packet Command Purpose Step 1 configure terminal Enter global conf...

Page 766: ...ransparency and then enter the mls qos trust cos dscp interface configuration command DSCP transparency is still enabled Configuring the DSCP Trust State on a Port Bordering Another QoS Domain If you are administering two separate QoS domains between which you want to implement QoS features for IP traffic you can configure the switch ports bordering the domains to a DSCP trusted state as shown in ...

Page 767: ... which maps an incoming DSCP value to the same DSCP value For dscp mutation name enter the mutation map name You can create more than one map by specifying a new name For in dscp enter up to eight DSCP values separated by spaces Then enter the to keyword For out dscp enter a single DSCP value The DSCP range is 0 to 63 Step 3 interface interface id Specify the port to be trusted and enter interface...

Page 768: ...ust dscp Switch config if mls qos dscp mutation gi1 0 2 mutation Switch config if end Configuring a QoS Policy Configuring a QoS policy typically requires classifying traffic into classes configuring policies applied to those traffic classes and attaching policies to ports For background information see the Classification section on page 33 5 and the Policing and Marking section on page 33 9 For c...

Page 769: ...se Step 1 configure terminal Enter global configuration mode Step 2 access list access list number deny permit source source wildcard Create an IP standard ACL repeating the command as many times as necessary For access list number enter the access list number The range is 1 to 99 and 1300 to 1999 Use the permit keyword to permit a certain type of traffic if the conditions are matched Use the deny...

Page 770: ...ge is 100 to 199 and 2000 to 2699 Use the permit keyword to permit a certain type of traffic if the conditions are matched Use the deny keyword to deny a certain type of traffic if conditions are matched For protocol enter the name or number of an IP protocol Use the question mark to see a list of available protocol keywords For source enter the network or host from which the packet is being sent ...

Page 771: ...e type of traffic to permit or deny if the conditions are matched entering the command as many times as necessary For src MAC addr enter the MAC address of the host from which the packet is being sent You specify this by using the hexadecimal format H H H by using the any keyword as an abbreviation for source 0 0 0 source wildcard ffff ffff ffff or by using the host keyword for source 0 0 0 For ma...

Page 772: ... list number deny permit protocol source source wildcard destination destination wildcard or mac access list extended name permit deny host src MAC addr mask any host dst MAC addr dst MAC addr mask type mask Create an IP standard or extended ACL for IP traffic or a Layer 2 MAC ACL for non IP traffic repeating the command as many times as necessary For more information see the Classifying Traffic b...

Page 773: ...ch config cmap match ip dscp 10 11 12 Switch config cmap end Switch This example shows how to create a class map called class3 which matches incoming traffic with IP precedence values of 5 6 and 7 Switch config class map class3 Switch config cmap match ip precedence 5 6 7 Switch config cmap end Switch Step 4 match access group acl index or name ip dscp dscp list ip precedence ip precedence list De...

Page 774: ...one policy map per ingress port If you configure the IP precedence to DSCP map by using the mls qos map ip prec dscp dscp1 dscp8 global configuration command the settings only affect packets on ingress interfaces that are configured to trust the IP precedence value In a policy map if you set the packet IP precedence value to a new value by using the set ip precedence new precedence policy map clas...

Page 775: ...is match all Note Because only one match command per class map is supported the match all and match any keywords function the same Step 3 policy map policy map name Create a policy map by entering the policy map name and enter policy map configuration mode By default no policy maps are defined The default behavior of a policy map is to set the DSCP to 0 if the packet is an IP packet and to set the...

Page 776: ...r non IP packets that are untagged QoS derives the DSCP value by using the default port CoS value In either case the DSCP value is derived from the CoS to DSCP map For more information see the Configuring the CoS to DSCP Map section on page 33 57 Step 6 set dscp new dscp ip precedence new precedence Classify IP traffic by setting a new value in the packet For dscp new dscp enter a new DSCP value t...

Page 777: ...ig pmap c police 1000000 8000 exceed action policed dscp transmit Switch config pmap c exit Switch config pmap exit Switch config interface gigabitethernet2 0 1 Switch config if service policy input flow1t This example shows how to create a Layer 2 MAC ACL with two permit statements and attach it to an ingress port The first permit statement allows traffic from the host with MAC address 0001 0000 ...

Page 778: ...lass map cm 2 Switch config cmap match access group name ipv6 any Switch config cmap exit Switch config policy map pm1 Switch config pmap class cm 1 Switch config pmap c set dscp 4 Switch config pmap c exit Switch config pmap class cm 2 Switch config pmap c set dscp 6 Switch config pmap c exit Switch config pmap class class default Switch config pmap c set dscp 10 Switch config pmap c exit Switch ...

Page 779: ...raffic classes within the same policy map By default no aggregate policer is defined For information on the number of policers supported see the Standard QoS Configuration Guidelines section on page 33 36 For aggregate policer name specify the name of the aggregate policer For rate bps specify average traffic rate in bits per second b s The range is 8000 to 10000000000 For burst byte specify the n...

Page 780: ...cmap match access group 1 Switch config cmap exit Switch config class map ipclass2 Switch config cmap match access group 2 Switch config cmap exit Switch config policy map aggflow1 Switch config pmap class ipclass1 Switch config pmap c trust dscp Switch config pmap c police aggregate transmit1 Switch config pmap c exit Switch config pmap class ipclass2 Switch config pmap c set dscp 56 Switch confi...

Page 781: ...e Policed DSCP Map page 33 59 optional unless the null settings in the map are not appropriate Configuring the DSCP to CoS Map page 33 60 optional Configuring the DSCP to DSCP Mutation Map page 33 61 optional unless the null settings in the map are not appropriate All the maps except the DSCP to DSCP mutation map are globally defined and are applied to all ports Configuring the CoS to DSCP Map You...

Page 782: ...IP precedence values in incoming packets to a DSCP value that QoS uses internally to represent the priority of the traffic Table 33 13 shows the default IP precedence to DSCP map If these values are not appropriate for your network you need to modify them Command Purpose Step 1 configure terminal Enter global configuration mode Step 2 mls qos map cos dscp dscp1 dscp8 Modify the CoS to DSCP map For...

Page 783: ...ese steps to modify the policed DSCP map This procedure is optional Command Purpose Step 1 configure terminal Enter global configuration mode Step 2 mls qos map ip prec dscp dscp1 dscp8 Modify the IP precedence to DSCP map For dscp1 dscp8 enter eight DSCP values that correspond to the IP precedence values 0 to 7 Separate each DSCP value with a space The DSCP range is 0 to 63 Step 3 end Return to p...

Page 784: ... 00 00 00 00 00 00 00 00 58 59 6 60 61 62 63 Note In this policed DSCP map the marked down DSCP values are shown in the body of the matrix The d1 column specifies the most significant digit of the original DSCP the d2 row specifies the least significant digit of the original DSCP The intersection of the d1 and d2 values provides the marked down value For example an original DSCP value of 53 corres...

Page 785: ... DSCP value of 08 corresponds to a CoS value of 0 Configuring the DSCP to DSCP Mutation Map If two QoS domains have different DSCP definitions use the DSCP to DSCP mutation map to translate one set of DSCP values to match the definition of another domain You apply the DSCP to DSCP mutation map to the receiving port ingress mutation at the boundary of a QoS administrative domain With ingress mutati...

Page 786: ...0 00 00 00 10 10 1 10 10 10 10 14 15 16 17 18 19 2 20 20 20 23 24 25 26 27 28 29 3 30 30 30 30 30 35 36 37 38 39 4 40 41 42 43 44 45 46 47 48 49 5 50 51 52 53 54 55 56 57 58 59 6 60 61 62 63 Command Purpose Step 1 configure terminal Enter global configuration mode Step 2 mls qos map dscp mutation dscp mutation name in dscp to out dscp Modify the DSCP to DSCP mutation map For dscp mutation name ent...

Page 787: ...signed by DSCP or CoS value to each queue What drop percentage thresholds apply to each queue and which CoS or DSCP values map to each threshold How much of the available buffer space is allocated between the queues How much of the available bandwidth is allocated between the queues Is there traffic such as voice that should be given high priority These sections contain this configuration informat...

Page 788: ...nge is 1 to 3 The drop threshold percentage for threshold 3 is predefined It is set to the queue full state For dscp1 dscp8 enter up to eight values and separate each value with a space The range is 0 to 63 For cos1 cos8 enter up to eight values and separate each value with a space The range is 0 to 7 Step 3 mls qos srr queue input threshold queue id threshold percentage1 threshold percentage2 Ass...

Page 789: ...t setting use the no mls qos srr queue input buffers global configuration command This example shows how to allocate 60 percent of the buffer space to ingress queue 1 and 40 percent of the buffer space to ingress queue 2 Switch config mls qos srr queue input buffers 60 40 Allocating Bandwidth Between the Ingress Queues You need to specify how much of the available bandwidth is allocated between th...

Page 790: ...os srr queue input priority queue queue id bandwidth weight global configuration command Then SRR shares the remaining bandwidth with both ingress queues and services them as specified by the weights configured with the mls qos srr queue input bandwidth weight1 weight2 global configuration command Command Purpose Step 1 configure terminal Enter global configuration mode Step 2 mls qos srr queue in...

Page 791: ...s in the next sections You will need to make decisions about these characteristics Which packets are mapped by DSCP or CoS value to each queue and threshold ID What drop percentage thresholds apply to the queue set four egress queues per port and how much reserved and maximum memory is needed for the traffic type How much of the fixed buffer space is allocated to the queue set Does the bandwidth o...

Page 792: ...isabled and the SRR shaped and shared weights are configured the shaped mode overrides the shared mode for queue 1 and SRR services this queue in shaped mode If the egress expedite queue is disabled and the SRR shaped weights are not configured SRR services this queue in shared mode Allocating Buffer Space to and Setting WTD Thresholds for an Egress Queue Set You can guarantee the availability of ...

Page 793: ... thresholds guarantee the availability of buffers and configure the maximum memory allocation for the queue set four egress queues per port By default the WTD thresholds for queues 1 3 and 4 are set to 100 percent The thresholds for queue 2 are set to 200 percent The reserved thresholds for queues 1 2 3 and 4 are set to 50 percent The maximum thresholds for all queues are set to 400 percent For qs...

Page 794: ...mum memory that this queue can have before packets are dropped Switch config mls qos queue set output 2 buffers 40 20 20 20 Switch config mls qos queue set output 2 threshold 2 40 60 100 200 Switch config interface gigabitethernet1 0 1 Switch config if queue set 2 Mapping DSCP or CoS Values to an Egress Queue and to a Threshold ID You can prioritize traffic by placing packets with particular DSCPs...

Page 795: ...d threshold 1 DSCP values 40 47 are mapped to queue 1 and threshold 1 By default CoS values 0 and 1 are mapped to queue 2 and threshold 1 CoS values 2 and 3 are mapped to queue 3 and threshold 1 CoS values 4 6 and 7 are mapped to queue 4 and threshold 1 CoS value 5 is mapped to queue 1 and threshold 1 For queue id the range is 1 to 4 For threshold id the range is 1 to 3 The drop threshold percenta...

Page 796: ...12 5 percent Switch config interface gigabitethernet2 0 1 Switch config if srr queue bandwidth shape 8 0 0 0 Command Purpose Step 1 configure terminal Enter global configuration mode Step 2 interface interface id Specify the port of the outbound traffic and enter interface configuration mode Step 3 srr queue bandwidth shape weight1 weight2 weight3 weight4 Assign SRR weights to the egress queues By...

Page 797: ...s how to configure the weight ratio of the SRR scheduler running on an egress port Four queues are used and the bandwidth ratio allocated for each queue in shared mode is 1 1 2 3 4 2 1 2 3 4 3 1 2 3 4 and 4 1 2 3 4 which is 10 percent 20 percent 30 percent and 40 percent for queues 1 2 3 and 4 This means that queue 4 has four times the bandwidth of queue 1 twice the bandwidth of queue 2 and one an...

Page 798: ...can limit the bandwidth to that amount Note The egress queue default settings are suitable for most situations You should change them only when you have a thorough understanding of the egress queues and if these settings do not meet your QoS solution Beginning in privileged EXEC mode follow these steps to limit the bandwidth on an egress port This procedure is optional Command Purpose Step 1 confi...

Page 799: ...ted and is set to 100 percent Step 4 end Return to privileged EXEC mode Step 5 show mls qos interface interface id queueing Verify your entries Step 6 copy running config startup config Optional Save your entries in the configuration file Command Purpose Table 33 15 Commands for Displaying Standard QoS Information Command Purpose show class map class map name Display QoS class maps which define th...

Page 800: ... criteria for incoming traffic Note Do not use the show policy map interface privileged EXEC command to display classification information for incoming traffic The control plane and interface keywords are not supported and the statistics shown in the display should be ignored show running config include rewrite Display the DSCP transparency setting Table 33 15 Commands for Displaying Standard QoS ...

Page 801: ...Network page 34 5 Note When configuring routing parameters on the switch and to allocate system resources to maximize the number of unicast routes allowed use the sdm prefer lanbase routing global configuration command to set the Switch Database Management SDM feature to the routing template For more information on the SDM templates see Chapter 8 Configuring SDM Templates or see the sdm prefer com...

Page 802: ...tes to forward packets from predetermined ports through a single path into and out of a network Dynamically calculating routes by using a routing protocol The switch supports static routes and default routes It does not support routing protocols IP Routing and Switch Stacks A switch stack appears to the network as a single switch regardless of which switch in the stack is connected to a peer For a...

Page 803: ... Software Releases 12 2 Mainline Configuration Guides In these procedures the specified interface must be a switch virtual interface SVI a VLAN interface created by using the interface vlan vlan_id global configuration command and by default a Layer 3 interface All Layer 3 interfaces on which routing will occur must have IP addresses assigned to them See the Assigning IP Addresses to SVIs section ...

Page 804: ...ers contains the official description of these IP addresses An interface can have one primary IP address A a subnet mask identifies the bits that denote the network number in an IP address Beginning in privileged EXEC mode follow these steps to assign an IP address and a network mask to an SVI Command Purpose Step 1 configure terminal Enter global configuration mode Step 2 ip routing Enable IP rou...

Page 805: ...n the software can no longer find a valid next hop for the address specified as the forwarding router s address in a static route the static route is also removed from the IP routing table Monitoring and Maintaining the IP Network You can specific statistics for the routing table or database Use the privileged EXEC commands in Table 34 1 to display status Command Purpose Step 1 configure terminal ...

Page 806: ...34 6 Catalyst 2975 Switch Software Configuration Guide OL 19720 02 Chapter 34 Configuring Static IP Unicast Routing Monitoring and Maintaining the IP Network ...

Page 807: ... To enable dual stack environments supporting both IPv4 and IPv6 you must configure the switch to use the a dual IPv4 and IPv6 switch database management SDM template See the Dual IPv4 and IPv6 Protocol Stacks section on page 35 4 Note For complete syntax and usage information for the commands used in this chapter see the Cisco IOS documentation referenced in the procedures This chapter consists o...

Page 808: ...guration_Guide_Chapter html This section describes IPv6 implementation on the switch IPv6 Addresses page 35 2 Supported IPv6 Host Features page 35 3 IPv6 and Switch Stacks page 35 6 IPv6 Addresses The switch supports only IPv6 unicast addresses It does not support site local unicast addresses anycast addresses or multicast addresses The IPv6 128 bit addresses are represented as a series of eight 1...

Page 809: ...ese addresses are used on links that are aggregated through organizations and eventually to the Internet service provider These addresses are defined by a global routing prefix a subnet ID and an interface ID Current global unicast address allocation uses the range of addresses that start with binary value 001 2000 3 Addresses with a prefix of 2000 3 001 through E000 3 111 must have 64 bit interfa...

Page 810: ...ghbor that the switch is actively trying to resolve This drop avoids further load on the CPU IPv6 Stateless Autoconfiguration and Duplicate Address Detection The switch uses stateless autoconfiguration to manage link subnet and site addressing changes such as management of host and mobile IP addresses A host autonomously configures its own link local address and booting nodes send router solicitat...

Page 811: ...his template results in less TCAM capacity for each resource For more information about IPv4 and IPv6 protocol stacks see the Implementing IPv6 Addressing and Basic Connectivity chapter of Cisco IOS IPv6 Configuration Library on Cisco com SNMP and Syslog Over IPv6 To support both IPv4 and IPv6 IPv6 network management requires both IPv6 and IPv4 transports Syslog over IPv6 supports address data typ...

Page 812: ... underlying TCP IP stack supports a dual stack environment HTTP relies on the TCP IP stack and the sockets for processing network layer interactions Basic network connectivity ping must exist between the client and the server hosts before HTTP connections can be made For more information see the Managing Cisco IOS Applications over IPv6 chapter in the Cisco IOS IPv6 Configuration Library on Cisco ...

Page 813: ...ss specified in hexadecimal using 16 bit values between colons The prefix length variable preceded by a slash is a decimal value that shows how many of the high order contiguous bits of the address comprise the prefix the network portion of the address To forward IPv6 traffic on an interface you must configure a global IPv6 address on that interface Configuring an IPv6 address on an interface auto...

Page 814: ...2001 0DB8 c18 1 64 eui 64 Switch config if end Command Purpose Step 1 configure terminal Enter global configuration mode Step 2 sdm prefer dual ipv4 and ipv6 default Select the SDM template that supports IPv4 and IPv6 Step 3 end Return to privileged EXEC mode Step 4 reload Reload the operating system Step 5 configure terminal Enter global configuration mode after the switch reloads Step 6 interfac...

Page 815: ... the Cisco IOS IPv6 Configuration Library on Cisco com Configuring IPv6 ICMP Rate Limiting ICMP rate limiting is enabled by default with a default interval between error messages of 100 milliseconds and a bucket size maximum number of tokens to be stored in a bucket of 10 Beginning in privileged EXEC mode follow these steps to change the ICMP rate limiting parameters To return to the default confi...

Page 816: ...t hop need not be directly connected recursion is done to find the IPv6 address of the directly connected next hop The address must be specified in hexadecimal using 16 bit values between colons interface id Specify direct static routes from point to point and broadcast interfaces With point to point interfaces there is no need to specify the IPv6 address of the next hop With broadcast interfaces ...

Page 817: ... contents of the IPv6 routing table interface interface id Optional Display only those static routes with the specified interface as an egress interface recursive Optional Display only recursive static routes The recursive keyword is mutually exclusive with the interface keyword but it can be used with or without the IPv6 prefix included in the command syntax detail Optional Display this additiona...

Page 818: ...ements live for 1800 seconds output truncated This is an example of the output from the show ipv6 protocols privileged EXEC command Switch show ipv6 protocols IPv6 Routing Protocol is connected IPv6 Routing Protocol is static IPv6 Routing Protocol is rip fer Interfaces Vlan6 GigabitEthernet2 0 4 GigabitEthernet2 0 GigabitEthernet1 0 12 Redistribution None This is an example of the output from the ...

Page 819: ...eassembled 0 reassembly timeouts 0 reassembly failures Sent 36861 generated 0 forwarded 0 fragmented into 0 fragments 0 failed 0 encapsulation failed 0 no route 0 too big 0 RPF drops 0 RPF suppressed drops Mcast 1 received 36861 sent ICMP statistics Rcvd 1 input 0 checksum errors 0 too short 0 unknown info type 0 unknown error type unreach 0 routing 0 admin 0 neighbor 0 address 0 port parameter 0 ...

Page 820: ...35 14 Catalyst 2975 Switch Software Configuration Guide OL 19720 02 Chapter 35 Configuring IPv6 Host Functions Displaying IPv6 ...

Page 821: ...s release or the Cisco IOS documentation referenced in the procedures This chapter includes these sections Understanding MLD Snooping section on page 36 1 Configuring IPv6 MLD Snooping section on page 36 5 Displaying MLD Snooping Information section on page 36 12 Understanding MLD Snooping In IP version 4 IPv4 Layer 2 switches can use Internet Group Management Protocol IGMP snooping to limit the f...

Page 822: ...LD snooping is enabled a per VLAN IPv6 multicast MAC address table is constructed in software and a per VLAN IPv6 multicast address table is constructed in software and hardware The switch then performs IPv6 multicast address based bridging in hardware These sections describe some parameters of IPv6 MLD snooping MLD Messages page 36 2 MLD Queries page 36 3 Multicast Client Aging Robustness page 36...

Page 823: ...switch When a group exists in the MLD snooping database the switch responds to a group specific query by sending an MLDv1 report When the group is unknown the group specific query is flooded to the ingress VLAN When a host wants to leave a multicast group it can send out an MLD Done message equivalent to IGMP Leave message When the switch receives an MLDv1 Done message if Immediate Leave is not en...

Page 824: ...port on which the query arrived is not the last member port for the address MLD Done Messages and Immediate Leave When the Immediate Leave feature is enabled and a host sends an MLDv1 Done message equivalent to an IGMP leave message the port on which the Done message was received is immediately deleted from the group You enable Immediate Leave on VLANs and as with IGMP snooping you should only use...

Page 825: ...the stack regardless of which switch learns of an IPv6 multicast group Report suppression and proxy reporting are done stack wide During the maximum response time only one received report for a group is forwarded to the multicast routers regardless of which switch the report arrives on The election of a new stack master does not affect the learning or bridging of IPv6 multicast data bridging of IP...

Page 826: ...alyst 6500 switch MLD snooping and IGMP snooping act independently of each other You can enable both features at the same time on the switch The maximum number of address entries allowed for the switch stack is 1000 Table 36 1 Default MLD Snooping Configuration Feature Default Setting MLD snooping Global Disabled MLD snooping per VLAN Enabled MLD snooping must be globally enabled for VLAN MLD snoo...

Page 827: ...500 switch and you are using extended VLANs in the range 1006 to 4094 IPv6 MLD snooping must be enabled on the extended VLAN on the Catalyst 6500 switch in order for the Catalyst 2975 switch to receive queries on the VLAN For normal range VLANs 1 to 1005 it is not necessary to enable IPv6 MLD snooping on the VLAN on the Catalyst 6500 switch To disable MLD snooping on a VLAN interface use the no ip...

Page 828: ... queries you can also use the command line interface CLI to add a multicast router port to a VLAN To add a multicast router port add a static connection to a multicast router use the ipv6 mld snooping vlan mrouter global configuration command on the switch Note Static connections to multicast routers are supported only on switch ports Command Purpose Step 1 configure terminal Enter global configur...

Page 829: ... a VLAN use the no ipv6 mld snooping vlan vlan id immediate leave global configuration command This example shows how to enable MLD Immediate Leave on VLAN 130 Switch configure terminal Switch config ipv6 mld snooping vlan 130 immediate leave Switch config exit Command Purpose Step 1 configure terminal Enter global configuration mode Step 2 ipv6 mld snooping vlan vlan id mrouter interface interfac...

Page 830: ...he default is 2 The queries are sent 1 second apart Step 5 ipv6 mld snooping vlan vlan id last listener query count count Optional Set the last listener query count on a VLAN basis This value overrides the value configured globally The range is 1 to 7 the default is 0 When set to 0 the global count value is used Queries are sent 1 second apart Step 6 ipv6 mld snooping last listener query interval ...

Page 831: ...000 Switch config exit Disabling MLD Listener Message Suppression MLD snooping listener message suppression is enabled by default When it is enabled the switch forwards only one MLD report per multicast router query When message suppression is disabled multiple MLD reports could be forwarded to the multicast routers Beginning in privileged EXEC mode follow these steps to disable MLD listener messa...

Page 832: ...rfaces When you enable MLD snooping the switch automatically learns the interface to which a multicast router is connected These are dynamically learned interfaces Optional Enter vlan vlan id to display information for a single VLAN The VLAN ID range is 1 to 1001 and 1006 to 4094 show ipv6 mld snooping querier vlan vlan id Display information about the IPv6 address and incoming port for the most r...

Page 833: ...ecovery for the loss of a link by redistributing the load across the remaining links If a link fails EtherChannel redirects traffic from the failed link to the remaining links in the channel without intervention This chapter also describes how to configure link state tracking Unless otherwise noted the term switch refers to a standalone switch and to a switch stack Note For complete syntax and usa...

Page 834: ... Control Protocol page 37 7 EtherChannel On Mode page 37 8 Load Balancing and Forwarding Methods page 37 8 EtherChannel and Switch Stacks page 37 10 EtherChannel Overview An EtherChannel consists of individual Fast Ethernet or Gigabit Ethernet links bundled into a single logical link as shown in Figure 37 1 Figure 37 1 Typical EtherChannel Configuration 101237 Catalyst 8500 series switch Gigabit E...

Page 835: ...ependent state and continue to carry data traffic as would any other single link The port configuration does not change but the port does not participate in the EtherChannel When you configure an EtherChannel in the on mode no negotiations take place The switch forces all compatible ports to become active in the EtherChannel The other end of the channel on the other switch must also be configured ...

Page 836: ...ical ports together as shown in Figure 37 4 Use the interface port channel port channel number global configuration command to manually create the port channel logical interface Then use the channel group channel group number interface configuration command to bind the logical interface to a physical port The channel group number can be the same as the port channel number or you can use a new numb...

Page 837: ...censed by vendors to support PAgP PAgP facilitates the automatic creation of EtherChannels by exchanging PAgP packets between Ethernet ports By using PAgP the switch learns the identity of partners capable of supporting PAgP and the capabilities of each port It then dynamically groups similarly configured ports into a single logical link channel or aggregate port Similarly configured ports are gro...

Page 838: ...artner is a file server or a packet analyzer that is not generating traffic In this case running PAgP on a physical port connected to a silent partner prevents that switch port from ever becoming operational However the silent setting allows PAgP to operate to attach the port to a channel group and to use the port for transmission PAgP Interaction with Virtual Switches and Dual Active Detection A ...

Page 839: ...bles Cisco switches to manage Ethernet channels between switches that conform to the IEEE 802 3ad protocol LACP facilitates the automatic creation of EtherChannels by exchanging LACP packets between Ethernet ports By using LACP the switch learns the identity of partners capable of supporting LACP and the capabilities of each port It then dynamically groups similarly configured ports into a single ...

Page 840: ...P In the on mode a usable EtherChannel exists only when the switches at both ends of the link are configured in the on mode Ports that are configured in the on mode in the same channel group must have compatible port characteristics such as speed and duplex Ports that are not compatible are suspended even though they are configured in the on mode Caution You should use care when using the on mode ...

Page 841: ...herefore to provide load balancing packets from the same IP source address sent to different IP destination addresses could be sent on different ports in the channel But packets sent from different source IP addresses to the same destination IP address are always sent on the same port in the channel With source and destination IP address based forwarding packets are sent to an EtherChannel and dis...

Page 842: ...ly Any PAgP or LACP configuration on a winning switch stack is not affected but the PAgP or LACP configuration on the losing switch stack is lost after the stack reboots With PAgP if the stack master fails or leaves the stack a new stack master is elected A spanning tree reconvergence is not triggered unless there is a change in the EtherChannel bandwidth The new stack master synchronizes the conf...

Page 843: ...r you configure an EtherChannel configuration changes applied to the port channel interface apply to all the physical ports assigned to the port channel interface and configuration changes applied to the physical port affect only the port where you apply the configuration Default EtherChannel Configuration Table 37 3 shows the default EtherChannel configuration Table 37 3 Default EtherChannel Conf...

Page 844: ...priority for each VLAN Spanning tree Port Fast setting Do not configure a port to be a member of more than one EtherChannel group Do not configure an EtherChannel in both the PAgP and LACP modes EtherChannel groups running PAgP and LACP can coexist on the same switch or on different switches in the stack Individual EtherChannel groups can run either PAgP or LACP but they cannot interoperate Do not...

Page 845: ...2 EtherChannels You configure Layer 2 EtherChannels by assigning ports to a channel group with the channel group interface configuration command This command automatically creates the port channel logical interface If you enabled PAgP on a port in the auto or desirable mode you must reconfigure it for either the on mode or the LACP mode before adding this port to a cross stack EtherChannel PAgP do...

Page 846: ...k on Forces the port to channel without PAgP or LACP In the on mode an EtherChannel exists only when a port group in the on mode is connected to another port group in the on mode non silent Optional If your switch is connected to a partner that is PAgP capable configure the switch port for nonsilent operation when the port is in the auto or desirable mode If you do not specify non silent silent is...

Page 847: ...t mode access Switch config if range switchport access vlan 10 Switch config if range channel group 5 mode active Switch config if range end This example shows how to configure a cross stack EtherChannel It uses LACP passive mode and assigns two ports on stack member 2 and one port on stack member 3 as static access ports in VLAN 10 to channel 5 Switch configure terminal Switch config interface ra...

Page 848: ...ically detect when the partner device is a physical learner and when the local device is an aggregate port learner Therefore you must manually set the learning method on the local device to learn addresses by physical ports You also must set the load distribution method to source based distribution so that any given source MAC address is always sent on the same physical port Command Purpose Step 1...

Page 849: ...configuration command The switch then sends packets to the Catalyst 1900 switch using the same port in the EtherChannel from which it learned the source address Only use the pagp learn method command in this situation Beginning in privileged EXEC mode follow these steps to configure your switch as a PAgP physical port learner and to adjust the priority so that the same port in the bundle is select...

Page 850: ... is a hardware limitation that prevents all compatible ports from aggregating Determining which ports are active and which are hot standby is a two step procedure First the system with a numerically lower system priority and system id is placed in charge of the decision Next that system decides which ports are active and which are hot standby based on its values for port priority and port number T...

Page 851: ... for example the remote system might have more restrictive hardware limitations all the ports that cannot be actively included in the EtherChannel are put in the hot standby state and are used only if one of the channeled ports fails Beginning in privileged EXEC mode follow these steps to configure the LACP port priority This procedure is optional Command Purpose Step 1 configure terminal Enter gl...

Page 852: ...nship known as teaming if the link is lost on the primary interface connectivity is transparently changed to the secondary interface Note An interface can be an aggregation of ports an EtherChannel or a single physical port in access or trunk mode Step 5 show running config or show lacp channel group number internal Verify your entries Step 6 copy running config startup config Optional Save your e...

Page 853: ...through link state group 2 Port 7 and port 8 are the upstream interfaces in link state group 2 Link state group 2 on switch B Switch B provides primary links to server 3 and server 4 through link state group 2 Port 3 is connected to server 3 and port 4 is connected to server 4 Port 3 and port 4 are the downstream interfaces in link state group 2 Port 5 and port 6 are connected to distribution swit...

Page 854: ...ver does not recognize that upstream connectivity has been lost and does not failover to the secondary interface You can recover a downstream interface link down condition by removing the failed downstream port from the link state group To recover multiple downstream interfaces disable the link state group Figure 37 6 Typical Link State Tracking Configuration 141680 Network Layer 3 link Server 1 S...

Page 855: ...more than one link state group You can configure only two link state groups per switch Configuring Link State Tracking Beginning in privileged EXEC mode follow these steps to configure a link state group and to assign an interface to a group Command Purpose Step 1 configure terminal Enter global configuration mode Step 2 link state track number Create a link state group and enable link state track...

Page 856: ...words to display information about all link state groups Enter the group number to display information specific to the group Enter the detail keyword to display detailed information about the group This is an example of output from the show link state group 1 command Switch show link state group 1 Link State Group 1 Status Enabled Down This is an example of output from the show link state group de...

Page 857: ...S Commands Master List Release 12 2 from the Cisco com page under Documentation Cisco IOS Software 12 2 Mainline Command References This chapter consists of these sections Recovering from a Software Failure page 38 2 Recovering from a Lost or Forgotten Password page 38 3 Preventing Switch Stack Problems page 38 8 Recovering from a Command Switch Failure page 38 8 Recovering from Lost Cluster Membe...

Page 858: ...zip program to navigate to and extract the bin file If you are using UNIX follow these steps 1 Display the contents of the tar file by using the tar tvf image_filename tar UNIX command unix 1 tar tvf image_filename tar 2 Locate the bin file and extract it by using the tar xvf image_filename tar image_filename bin UNIX command unix 1 tar xvf image_filename tar image_filename bin x c2975 lanbase mz ...

Page 859: ...he switch allows an end user with physical access to the switch to recover from a lost password by interrupting the boot process during power on and by entering a new password These recovery procedures require that you have physical access to the switch Note On these switches a system administrator can disable some of the functionality of this feature by allowing an end user to reset a password on...

Page 860: ...n on page 38 4 and follow the steps If you see a message that begins with this The password recovery mechanism has been triggered but is currently disabled go to the Procedure with Password Recovery Disabled section on page 38 6 and follow the steps Step 5 After recovering the password reload the standalone switch or the stack master Switch reload slot stack master member number Proceed with reloa...

Page 861: ...EXEC mode Switch enable Step 8 Rename the configuration file to its original name Switch rename flash config text old flash config text Note Before continuing to Step 9 power on any connected stack members and wait until they have completely initialized Failure to follow this step can result in a lost configuration depending on how your switch is set up Step 9 Copy the configuration file into memo...

Page 862: ...y disabled Access to the boot loader prompt through the password recovery mechanism is disallowed at this point However if you agree to let the system be reset back to the default system configuration access to the boot loader prompt can still be allowed Would you like to reset the system back to the default configuration y n Caution Returning the switch to the default configuration results in the...

Page 863: ... can start with a number is case sensitive and allows spaces but ignores leading spaces Step 8 Return to privileged EXEC mode Switch config exit Switch Note Before continuing to Step 9 power on any connected stack members and wait until they have completely initialized Step 9 Write the running configuration to the startup configuration file Switch copy running config startup config The new passwor...

Page 864: ... the switches have manually assigned numbers if you add remove or rearrange switches later Use the switch current stack member number renumber new stack member number global configuration command to manually assign a stack member number For more information about stack member numbers see the Member Numbers section on page 6 6 If you replace a stack member with an identical model the new switch fun...

Page 865: ...command capable switches see the release notes Replacing a Failed Command Switch with a Cluster Member To replace a failed command switch with a command capable member in the same cluster follow these steps Step 1 Disconnect the command switch from the member switches and physically remove it from the cluster Step 2 Insert the member switch in place of the failed command switch and duplicate its c...

Page 866: ... limited to 28 characters on a member switch to 31 characters Do not use n where n is a number as the last characters in a hostname for any switch When prompted for the Telnet virtual terminal password recall that it can be from 1 to 25 alphanumeric characters is case sensitive allows spaces but ignores leading spaces Step 12 When prompted for the enable secret and enable passwords enter the passw...

Page 867: ...ou may enter a question mark for help Use ctrl c to abort configuration dialog at any prompt Default settings are in square brackets Basic management setup configures only enough connectivity for management of the system extended setup will ask you to configure each interface on the system Would you like to enter basic management setup yes no Step 6 Enter Y at the first prompt The prompts in the s...

Page 868: ... Catalyst 2900 XL Catalyst 2820 and Catalyst 1900 member switches must connect to the command switch through a port that belongs to the same management VLAN A member switch Catalyst 3750 Catalyst 3560 Catalyst 3550 Catalyst 2970 Catalyst 2960 Catalyst 2950 Catalyst 3500 XL Catalyst 2900 XL Catalyst 2820 and Catalyst 1900 switch connected to the command switch through a secured port can lose connec...

Page 869: ...mmand a false link up can occur placing the port into an error disabled state To take the port out of the error disabled state enter the shutdown and the no shutdown interface configuration commands You should not connect a Cisco powered device to a port that has been configured with the power inline never command SFP Module Security and Identification Cisco small form factor pluggable SFP modules...

Page 870: ...ttings on an SFP module For more information see the show interfaces transceiver command in the command reference for this release Using Ping These sections contain this information Understanding Ping page 38 14 Executing Ping page 38 14 Understanding Ping The switch supports IP ping which you can use to test connectivity to remote hosts Ping sends an echo request packet to an address and waits fo...

Page 871: ...ng Layer 2 Traceroute The Layer 2 traceroute feature allows the switch to identify the physical path that a packet takes from a source device to a destination device Layer 2 traceroute supports only unicast source and destination MAC addresses It finds the path by using the MAC address tables of the switches in the path When the switch detects a device in the path that does not support Layer 2 tra...

Page 872: ...fy source and destination MAC addresses that belong to different VLANs the Layer 2 path is not identified and an error message appears If you specify a multicast source or destination MAC address the path is not identified and an error message appears If the source or destination MAC address belongs to multiple VLANs you must specify the VLAN to which both the source and destination MAC addresses ...

Page 873: ...e switch is a multilayer switch that is routing a particular packet this switch shows up as a hop in the traceroute output The traceroute privileged EXEC command uses the Time To Live TTL field in the IP header to cause routers and servers to generate specific return messages Traceroute starts by sending a User Datagram Protocol UDP datagram to the destination host with the TTL field set to 1 If a...

Page 874: ...71 9 4 5 0 msec 4 msec 0 msec 5 171 9 121 34 0 msec 4 msec 4 msec 6 171 9 15 9 120 msec 132 msec 128 msec 7 171 9 15 10 132 msec 128 msec 128 msec Switch The display shows the hop count the IP address of the router and the round trip time in milliseconds for each of the three probes that are sent To end a trace in progress enter the escape sequence Ctrl X by default Simultaneously press and releas...

Page 875: ...the twisted pair is soldered to the other wire If one of the twisted pair wires is open TDR can find the length at which the wire is open Use TDR to diagnose and resolve cabling problems in these situations Replacing a switch Setting up a wiring closet Troubleshooting a connection between two devices when a link cannot be established or when it is not operating properly Running TDR and Displaying ...

Page 876: ...ivileged EXEC mode and most debug commands take no arguments For example beginning in privileged EXEC mode enter this command to enable the debugging for Switched Port Analyzer SPAN Switch debug span session The switch continues to generate output until you enter the no form of the command If you enable a debug command and no output appears consider these possibilities The switch might not be prop...

Page 877: ...ages to the console produces very high overhead whereas logging messages to a virtual terminal produces less overhead Logging messages to a syslog server produces even less and logging to an internal buffer produces the least overhead of any method When stack members generate a system error message the stack master displays the error message to all stack members The syslog resides on the stack mas...

Page 878: ... Port Vlan SrcMac DstMac Cos Dscpv Gi1 0 1 0005 0001 0001 0001 0002 0002 0002 Packet 2 Lookup Key Used Index Hit A Data OutptACL 50_0D020202_0D010101 00_40000014_000A0000 01FFE 03000000 Port Vlan SrcMac DstMac Cos Dscpv Gi1 0 2 0005 0001 0001 0001 0002 0002 0002 output truncated Packet 10 Lookup Key Used Index Hit A Data OutptACL 50_0D020202_0D010101 00_40000014_000A0000 01FFE 03000000 Packet drop...

Page 879: ...Each new crashinfo file that is created uses a sequence number that is larger than any previously existing sequence number so the file with the largest sequence number describes the most recent failure Version numbers are used instead of a timestamp because the switches do not include a real time clock You cannot change the name of the file that the system will use when it creates the file However...

Page 880: ...les Hulc Quality of Service QoS access control list ACL TCAM Manager HQATM space Related to ACL and ACL like tables such as QoS classification and policy routing The output from the show platform tcam errors privileged EXEC command provides information about the TCAM memory consistency integrity on the switch Displaying TCAM Memory Consistency Check Errors Beginning in privileged EXEC mode use thi...

Page 881: ...cument on Cisco com Possible Symptoms of High CPU Utilization Note that excessive CPU utilization might result in these symptoms but the symptoms could also result from other causes Spanning tree topology changes EtherChannel links brought down due to loss of communication Failure to respond to management requests ICMP ping SNMP timeouts slow Telnet or SSH sessions UDLD flapping IP SLAs failures b...

Page 882: ...he last 5 seconds is 8 0 which has this meaning The total CPU utilization is 8 percent including both time running Cisco IOS processes and time spent handling interrupts The time spent handling interrupts is zero percent For complete information about CPU utilization and how to troubleshoot utilization problems see the Troubleshooting High CPU Utilization document on Cisco com Table 38 4 Troublesh...

Page 883: ...ood Connect a known good non PoE Ethernet device to the Ethernet cable and make sure that the powered device establishes a link and exchanges traffic with another host Verify that the total cable length from the switch front panel to the powered device is not more than 100 meters Disconnect the Ethernet cable from the switch port Use a short Ethernet cable to connect a known good Ethernet device d...

Page 884: ...existing distribution cables Enter the shut and no shut interface configuration commands and verify that an Ethernet link is established If this connection is good use a short patch cord to connect a powered device to this port and verify that it powers on If the device powers on verify that all intermediate patch panels are correctly connected Disconnect all but one of the Ethernet cables from sw...

Page 885: ...ctly If a non PoE device has link problems or a high error rate the problem might be an unreliable cable connection between the switch port and the powered device For more information see Cisco Phone Disconnects or Resets on Cisco com Non Cisco powered device does not work on Cisco PoE switch A non Cisco powered device is connected to a Cisco PoE switch but never powers on or powers on and then qu...

Page 886: ...DM templates if switch was used for other applications before you added it to the stack Incompatible IOS version between stack members and new switch see Configuration Mismatch StackWise port frequently or rapidly changing up down states flapping Error messages report stack link problems Possible traffic disruption Unreliable StackWise cable connection or interface see StackWise Port Flapping Swit...

Page 887: ... election Current stack master is rebooted or disconnected see Stack Master is Rebooted or Disconnected Port numbering seems off Verify port numbering see Stack Master Election and Port Number Assignment Enter the show switch privileged EXEC command Interpret state messages see Joining a Stack Typical Sequence States and Rules Stack members need to be upgraded Stack members running different major...

Page 888: ...38 32 Catalyst 2975 Switch Software Configuration Guide OL 19720 02 Chapter 38 Troubleshooting Troubleshooting Tables ...

Page 889: ... the configured community string always provide information for VLAN 1 To obtain the BRIDGE MIB information for other VLANs for example VLAN x use this community string in the SNMP message configured community string x CISCO ADMISSION POLICY MIB CISCO AUTH FRAMEWORK MIB CISCO CABLE DIAG MIB CISCO CDP MIB CISCO CLUSTER MIB CISCO CONFIG COPY MIB CISCO CONFIG MAN MIB CISCO ENTITY VENDORTYPE OID MIB C...

Page 890: ...ot supported CISCO POWER ETHERNET EXT MIB CISCO PRODUCTS MIB CISCO PROCESS MIB Only stack master details are shown CISCO RTTMON MIB CISCO SMI MIB CISCO STACK MIB Partial support for some objects only stack master information is supported ENTITY MIB is a better alternative CISCO STACKMAKER MIB CISCO STACKWISE MIB CISCO STP EXTENSIONS MIB CISCO SYSLOG MIB CISCO TC MIB CISCO TCP MIB CISCO UDLDP MIB C...

Page 891: ... You can also use this URL for a list of supported MIBs for the Catalyst 2975 switch ftp ftp cisco com pub mibs supportlists cat2975 cat2975 supportlist html You can access other information about MIBs and Cisco products on the Cisco web site http www cisco com public sw center netmgmt cmtk mibs shtml Using FTP to Access the MIB Files You can get each MIB file by using this procedure Step 1 Make s...

Page 892: ...A 4 Catalyst 2975 Switch Software Configuration Guide OL 19720 02 Appendix A Supported MIBs Using FTP to Access the MIB Files ...

Page 893: ...tion Files page B 8 Working with Software Images page B 23 Working with the Flash File System The flash file system is a single flash device on which you can store files It also provides several commands to help you manage software image and configuration files The default flash file system on the switch is named flash As viewed from the stack master or any stack member flash refers to the local f...

Page 894: ...le the stack master is stack member 3 therefore flash3 is aliased to flash The file system on stack member 5 is displayed as flash5 on the stack master Switch show file systems File Systems Size b Free b Type Flags Prefixes 15998976 5135872 flash rw flash flash3 opaque rw bs opaque rw vb 524288 520138 nvram rw nvram network rw tftp opaque rw null opaque rw system opaque ro xmodem opaque ro ymodem ...

Page 895: ...mory you might want to verify that the file system does not already contain a configuration file with the same name Similarly before copying a flash configuration file to another location you might want to verify its filename for use in another command To display information about files on a file system use one of the privileged EXEC commands in Table B 2 Flags Permission for file system ro read o...

Page 896: ... sw command but are no longer needed show file information file url Display information about a specific file show file descriptors Display a list of open file descriptors File descriptors are the internal representations of open files You can use this command to see if another user has a file open Table B 2 Commands for Displaying Information About Files continued Command Description Command Purp...

Page 897: ...lly you cannot copy these combinations From a running configuration to a running configuration From a startup configuration to a startup configuration From a device to the same device for example the copy flash flash command is invalid For specific examples of using the copy command with configuration files see the Working with Configuration Files section on page B 8 To copy software images either...

Page 898: ...m an existing stack member to the incompatible switch That switch automatically reloads and joins the stack as a fully functioning member Creating a tar File To create a tar file and write files into it use this privileged EXEC command archive tar create destination url flash file url For destination url specify the destination URL alias for the local or network file system and the name of the tar...

Page 899: ...example shows how to display the contents of a switch tar file that is in flash memory Switch archive tar table flash image name tar image name directory image name html directory image name html foo html 0 bytes image name image name bin 610856 bytes image name info 219 bytes This example shows how to display only the html directory and its contents Switch archive tar table flash image name html ...

Page 900: ...d configuration on server version 11 3 service timestamps log datetime localtime service linenumber service udp small servers service pt vty logging output truncated Working with Configuration Files This section describes how to create load and maintain configuration files Note For information about configuration files in switch stacks see the Stack Configuration Files section on page 6 13 Configu...

Page 901: ...ration file to several switches that have the same hardware configuration Use these guidelines when creating a configuration file We recommend that you connect through the console port for the initial configuration of the switch If you are accessing the switch through a network connection instead of through a direct connection to the console port keep in mind that some configuration changes such a...

Page 902: ...n File By Using FTP section on page B 13 or the Downloading a Configuration File By Using RCP section on page B 17 Step 2 Open the configuration file in a text editor such as vi or emacs on UNIX or Notepad on a PC Step 3 Extract the portion of the configuration file with the desired commands and save it in a new file Step 4 Copy the configuration file to the appropriate server location For example...

Page 903: ...name of the file you will use when uploading it to the server During upload operations if you are overwriting an existing file including an empty file if you had to create one on the server ensure that the permissions on the file are set correctly Permissions on the file should be world write Downloading the Configuration File By Using TFTP To configure the switch by using a configuration file dow...

Page 904: ...tion Files By Using FTP You can copy configuration files to or from an FTP server The FTP protocol requires a client to send a remote username and password on each FTP request to a server When you copy a configuration file from the switch to a server by using FTP the Cisco IOS software sends the first valid username in this list The username specified in the copy command if a username is specified...

Page 905: ... username is the one that you want to use for the FTP download You can enter the show users privileged EXEC command to view the valid username If you do not want to use this username create a new FTP username by using the ip ftp username username global configuration command during all copy operations The new username is stored in NVRAM If you are accessing the switch through a Telnet session and ...

Page 906: ...p username netadmin1 Switch config ip ftp password mypass Switch config end Switch copy ftp nvram startup config Address of remote host 255 255 255 255 172 16 101 101 Name of configuration file rtr2 confg host2 confg Configure using host2 confg from 172 16 101 101 confirm Connected to 172 16 101 101 Loading 1112 byte file host2 confg OK OK Switch SYS 5 CONFIG_NV Non volatile store configured from ...

Page 907: ...e TFTP which uses User Datagram Protocol UDP a connectionless protocol RCP uses TCP which is connection oriented To use RCP to copy files the server from or to which you will be copying files must support RCP The RCP copy commands rely on the rsh server or daemon on the remote system To copy files by using RCP you do not need to create a server for file distribution as you do with TFTP You only ne...

Page 908: ...tion File By Using RCP Before you begin downloading or uploading a configuration file by using RCP do these tasks Ensure that the workstation acting as the RCP server supports the remote shell rsh Ensure that the switch has a route to the RCP server The switch and the server must be in the same subnetwork if you do not have a router to route traffic between subnets Check connectivity to the RCP se...

Page 909: ...Switch configure terminal Switch config ip rcmd remote username netadmin1 Switch config end Switch copy rcp nvram startup config Address of remote host 255 255 255 255 172 16 101 101 Name of configuration file rtr2 confg host2 confg Configure using host2 confg from 172 16 101 101 confirm Connected to 172 16 101 101 Loading 1112 byte file host2 confg OK OK Switch SYS 5 CONFIG_NV Non volatile store ...

Page 910: ...iguration file to write switch2 confg Write file switch2 confg on host 172 16 101 101 confirm OK Clearing Configuration Information You can clear the configuration information from the startup configuration If you reboot the switch with no startup configuration the switch enters the setup program so that you can reconfigure the switch with all new settings Command Purpose Step 1 Verify that the RC...

Page 911: ...g configuration with any saved Cisco IOS configuration file You can use the rollback function to roll back to a previous configuration These sections contain this information Understanding Configuration Replacement and Rollback page B 19 Configuration Guidelines page B 21 Configuring the Configuration Archive page B 21 Performing a Configuration Replacement or Rollback Operation page B 22 Understa...

Page 912: ...py source url running config privileged EXEC command to copy a stored configuration file to the running configuration When using this command as an alternative to the configure replace target url privileged EXEC command note these major differences The copy source url running config command is a merge operation and preserves all the commands from both the source file and the running configuration ...

Page 913: ...on as the replacement configuration file for the running configuration The replacement file must be a complete configuration generated by a Cisco IOS device for example a configuration generated by the copy running config destination url command Note If you generate the replacement configuration file externally it must comply with the format of files generated by Cisco IOS devices Configuring the ...

Page 914: ...vileged EXEC mode Step 5 configure replace target url list force time seconds nolock Replace the running configuration file with a saved configuration file target url URL accessible by the file system of the saved configuration file that is to replace the running configuration such as the configuration file created in Step 2 by using the archive config privileged EXEC command list Display a list o...

Page 915: ...ly to your PC or workstation by using a web browser HTTP and then by using the device manager or Cisco Network Assistant to upgrade your switch For information about upgrading your switch by using a TFTP server or a web browser HTTP see the release notes You can replace the current image with the new one or keep the current image in flash memory after a download You upload a switch image file to a...

Page 916: ...tar file format which contains these files An info file which serves as a table of contents for the tar file One or more subdirectories containing other images and files such as Cisco IOS images and web management files This example shows some of the information contained in the info file Table B 3 provides additional details about this information system_type 0x00000000 image name image_family xx...

Page 917: ...rade a switch with an incompatible software image use the archive copy sw privileged EXEC command to copy the software image from an existing stack member to the incompatible switch That switch automatically reloads and joins the stack as a fully functioning member These sections contain this configuration information Preparing to Download or Upload an Image File By Using TFTP page B 25 Downloadin...

Page 918: ...ensure that the permissions on the file are set correctly The permission on the file should be world read Before uploading the image file you might need to create an empty file on the TFTP server To create an empty file enter the touch filename command where filename is the name of the file you will use when uploading the image to the server During upload operations if you are overwriting an exist...

Page 919: ...tering the delete force recursive filesystem file url privileged EXEC command For filesystem use flash for the system board flash device For file url enter the directory name of the old image All the files in the directory and the directory are removed Caution For the download and upload algorithms to operate properly do not rename image names Step 3 archive download sw overwrite reload tftp locat...

Page 920: ...rwrite the current image with the new one or keep the current image after a download You upload a switch image file to a server for backup purposes You can use this uploaded image for future downloads to the switch or another switch of the same type Note Instead of using the copy privileged EXEC command or the archive tar privileged EXEC command we recommend using the archive download sw and archi...

Page 921: ...s configured The switch forms a password named username switchname domain The variable username is the username associated with the current session switchname is the configured hostname and domain is the domain of the switch The username and password must be associated with an account on the FTP server If you are writing to the server the FTP server must be properly configured to accept the FTP wr...

Page 922: ...he Preparing to Download or Upload an Image File By Using FTP section on page B 29 Step 2 Log into the switch through the console port or a Telnet session Step 3 configure terminal Enter global configuration mode This step is required only if you override the default remote username or password see Steps 4 5 and 6 Step 4 ip ftp username username Optional Change the default remote username Step 5 i...

Page 923: ... is updated to point to the newly installed image If you kept the old image during the download process you specified the leave old sw keyword you can remove it by entering the delete force recursive filesystem file url privileged EXEC command For filesystem use flash for the system board flash device For file url enter the directory name of the old software image All the files in the directory an...

Page 924: ... configured by referring to the Preparing to Download or Upload a Configuration File By Using FTP section on page B 13 Step 2 Log into the switch through the console port or a Telnet session Step 3 configure terminal Enter global configuration mode This step is required only if you override the default remote username or password see Steps 4 5 and 6 Step 4 ip ftp username username Optional Change ...

Page 925: ...ing RCP page B 33 Downloading an Image File By Using RCP page B 34 Uploading an Image File By Using RCP page B 36 Preparing to Download or Upload an Image File By Using RCP RCP provides another method of downloading and uploading image files between remote hosts and the switch Unlike TFTP which uses User Datagram Protocol UDP a connectionless protocol RCP uses TCP which is connection oriented To u...

Page 926: ...new username is stored in NVRAM If you are accessing the switch through a Telnet session and you have a valid username this username is used and there is no need to set the RCP username Include the username in the archive download sw or archive upload sw privileged EXEC command if you want to specify a username only for that operation When you upload an image to the RCP to the server it must be pr...

Page 927: ...uration has been changed and not been saved For username specify the username For the RCP copy request to execute successfully an account must be defined on the network server for the remote username For more information see the Preparing to Download or Upload an Image File By Using RCP section on page B 33 For location specify the IP address of the RCP server For directory image name tar specify ...

Page 928: ... url enter the directory name of the old software image All the files in the directory and the directory are removed Caution For the download and upload algorithms to operate properly do not rename image names Uploading an Image File By Using RCP You can upload an image from the switch to an RCP server You can later download this image to the same switch or to another switch of the same type The u...

Page 929: ...ge from an existing stack member to the one that has incompatible software That switch automatically reloads and joins the stack as a fully functioning member Note To successfully use the archive copy sw privileged EXEC command you must have downloaded from a TFTP server the images for both the stack member switch being added and the stack master You use the archive download sw privileged EXEC com...

Page 930: ...ber Note At least one stack member must be running the image that is to be copied to the switch that is running the incompatible software For destination system destination stack member number specify the number of the stack member the destination to which to copy the source running image file If you do not specify this stack member number the default is to copy the running image file to all stack...

Page 931: ... listed by software feature and command mode Access Control Lists page C 1 Boot Loader Commands page C 2 Debug Commands page C 2 IGMP Snooping Commands page C 2 Interface Commands page C 3 MAC Address Commands page C 3 Miscellaneous page C 4 Network Address Translation NAT Commands page C 4 QoS page C 5 RADIUS page C 5 SNMP page C 5 SNMPv3 page C 6 Spanning Tree page C 6 VLAN page C 6 VTP page C 7...

Page 932: ...pported Global Configuration Commands access list rate limit acl index precedence mask prec mask access list dynamic extended Unsupported Route Map Configuration Commands match ip address prefix list prefix list name prefix list name Boot Loader Commands Unsupported Global Configuration Commands boot buffersize Debug Commands Unsupported Privileged EXEC Commands debug platform cli redirection main...

Page 933: ...rted Interface Configuration Commands transmit interface type number MAC Address Commands Unsupported Privileged EXEC Commands show mac address table show mac address table address show mac address table aging time show mac address table count show mac address table dynamic show mac address table interface show mac address table multicast show mac address table notification show mac address table ...

Page 934: ...laneous Unsupported User EXEC Commands verify Unsupported Privileged EXEC Commands file verify auto show cable diagnostics prbs test cable diagnostics prbs Unsupported Global Configuration Commands errdisable recovery cause unicast flood l2protocol tunnel global drop threshold memory reserve critical service compress config stack mac persistent timer Network Address Translation NAT Commands Unsupp...

Page 935: ...Map Configuration Command class class default where class default is the class map name RADIUS Unsupported Global Configuration Commands aaa nas port extended aaa authentication feature default enable aaa authentication feature default line aaa nas port extended radius server attribute nas port radius server configure radius server extended portnames SNMP Unsupported Global Configuration Commands ...

Page 936: ...lobal Configuration Command spanning tree pathcost method long short Unsupported Interface Configuration Command spanning tree stack port VLAN Unsupported Global Configuration Command vlan internal allocation policy ascending descending Unsupported vlan config Command private vlan Unsupported User EXEC Commands show running config vlan show vlan ifindex vlan database Unsupported vlan config Comman...

Page 937: ...upported Commands in Cisco IOS Release 12 2 55 SE VTP Unsupported VLAN Database Commands vtp vlan show vlan private vlan VTP Unsupported Privileged EXEC Commands vtp password password pruning version number Note This command has been replaced by the vtp global configuration command ...

Page 938: ...C 8 Catalyst 2975 Switch Software Configuration Guide OL 19720 02 Appendix C Unsupported Commands in Cisco IOS Release 12 2 55 SE VTP ...

Page 939: ...0 15 with RADIUS 9 35 with TACACS 9 11 9 17 ACEs and QoS 33 8 defined 31 2 Ethernet 31 2 IP 31 2 ACLs ACEs 31 2 any keyword 31 10 applying time ranges to 31 15 to an interface 31 18 to QoS 33 8 classifying traffic for QoS 33 45 comments in 31 16 compiling 31 20 defined 31 1 31 6 examples of 31 20 33 45 extended IP configuring for QoS classification 33 46 extended IPv4 creating 31 9 matching criter...

Page 940: ...he aging time 7 21 default aging 16 9 defined 7 19 learning 7 20 removing 7 22 IPv6 35 2 MAC discovering 7 30 multicast STP address management 16 9 static adding and removing 7 26 defined 7 19 address resolution 7 30 Address Resolution Protocol See ARP advertisements CDP 24 1 LLDP 25 1 25 2 VTP 13 15 15 3 15 4 aggregatable global unicast addresses 35 3 aggregated ports See EtherChannel aggregate p...

Page 941: ...ivity 5 5 different VLANs 5 7 management VLANs 5 8 non CDP capable devices 5 7 noncluster capable devices 5 7 in switch clusters 5 5 See also CDP automatic extraction auto extract in switch stacks 6 10 automatic QoS See QoS automatic recovery clusters 5 10 See also HSRP automatic upgrades auto upgrade in switch stacks 6 10 auto MDIX configuring 12 22 described 12 22 autonegotiation duplex mode 1 3...

Page 942: ...2 C cables monitoring for unidirectional links 26 1 candidate switch automatic discovery 5 5 defined 5 4 requirements 5 4 See also command switch cluster standby group and member switch Catalyst 6000 switches authentication compatibility 10 8 CA trustpoint configuring 9 49 defined 9 46 CDP and trusted boundary 33 40 automatic discovery in switch clusters 5 5 configuring 24 2 default configuration ...

Page 943: ...uration logging 2 5 described 1 5 editing features enabling and disabling 2 7 keystroke editing 2 8 wrapped lines 2 9 error messages 2 5 filtering command output 2 10 getting help 2 3 CLI continued history changing the buffer size 2 6 described 2 6 disabling 2 7 recalling commands 2 6 managing clusters 5 16 no and default forms of commands 2 4 Client Information Signalling Protocol See CISP client...

Page 944: ...1 active AC 5 10 configuration conflicts 38 12 defined 5 2 passive PC 5 10 command switch continued password privilege levels 5 17 priority 5 10 recovery from command switch failure 5 10 38 8 from lost member connectivity 38 12 redundant 5 10 replacing with another switch 38 11 with cluster member 38 9 requirements 5 3 standby SC 5 10 See also candidate switch cluster standby group member switch a...

Page 945: ...g port based authentication violation modes 10 39 to 10 40 configuring small frame arrival rate 23 5 config vlan mode 2 2 conflicts configuration 38 12 connections secure remote 9 42 connectivity problems 38 14 38 15 38 17 consistency checks in VTP Version 2 15 5 console port connecting to 2 11 control protocol IP SLAs 32 3 corrupted software recovery steps with Xmodem 38 2 CoS in Layer 2 frames 3...

Page 946: ...LLDP 25 5 MAC address table 7 21 MAC address table move update 19 8 MSTP 17 16 MVR 22 19 default configuration continued NTP 7 4 optional spanning tree configuration 18 12 password and privilege level 9 3 RADIUS 9 27 RMON 28 3 RSPAN 27 11 SDM template 8 3 SNMP 30 6 SPAN 27 11 SSL 9 48 standard QoS 33 33 STP 16 13 switch stacks 6 17 system message logging 29 4 system name and prompt 7 15 TACACS 9 1...

Page 947: ...es 20 9 default configuration 20 9 displaying 20 14 overview 20 4 DHCP option 82 continued packet format suboption circuit ID 20 5 remote ID 20 5 remote ID suboption 20 5 DHCP server port based address allocation configuration guidelines 20 23 default configuration 20 23 described 20 23 displaying 20 26 enabling 20 24 reserved addresses 20 24 DHCP server port based address assignment support for 1...

Page 948: ...n 7 17 in IPv6 35 3 overview 7 15 setting up 7 16 support for 1 5 domain names DNS 7 15 VTP 15 9 Domain Name System See DNS downloadable ACL 10 18 10 20 10 61 downloading configuration files preparing B 10 B 13 B 16 reasons for B 8 using FTP B 13 using RCP B 17 using TFTP B 11 image files deleting old image B 27 preparing B 25 B 29 B 33 reasons for B 23 using CMS 1 2 using FTP B 30 using HTTP 1 2 ...

Page 949: ...g buffer clearing 21 16 configuring 21 13 displaying 21 16 logging of dropped packets described 21 5 man in the middle attack described 21 2 dynamic ARP inspection continued network security issues and interface trust states 21 3 priority of ARP ACLs and DHCP snooping entries 21 4 rate limiting of ARP packets configuring 21 11 described 21 4 error disabled state 21 4 statistics clearing 21 16 disp...

Page 950: ...ction with other features 37 7 interaction with virtual switches 37 6 learn method and priority configuration 37 16 modes 37 6 support for 1 4 with dual action detection 37 6 port channel interfaces described 37 4 numbering of 37 4 EtherChannel continued port groups 12 4 stack changes effects of 37 10 support for 1 4 EtherChannel guard described 18 10 disabling 18 18 enabling 18 17 Ethernet VLANs ...

Page 951: ...verview 10 29 Flex Link Multicast Fast Convergence 19 3 Flex Links configuration guidelines 19 8 configuring 19 9 19 10 configuring preferred VLAN 19 12 configuring VLAN load balancing 19 11 Flex Links continued default configuration 19 8 description 19 1 link load balancing 19 3 monitoring 19 14 VLANs 19 3 flooded traffic blocking 23 8 flow based packet classification 1 11 flowcharts QoS classifi...

Page 952: ...er standby group considerations 5 11 See also clusters cluster standby group and standby command switch HTTP over SSL see HTTPS HTTPS 9 46 configuring 9 50 self signed certificate 9 47 HTTP secure server 9 46 Hulc Forwarding TCAM Manager See HFTM space Hulc QoS ACL TCAM Manager See HQATM space I ICMP IPv6 35 4 time exceeded messages 38 17 traceroute and 38 17 ICMP ping executing 38 14 overview 38 ...

Page 953: ...P Immediate Leave configuration guidelines 22 11 described 22 5 enabling 22 10 IGMP profile applying 22 26 configuration mode 22 25 configuring 22 26 IGMP snooping and address aliasing 22 2 and stack changes 22 6 configuring 22 6 default configuration 22 7 36 6 definition 22 1 enabling and disabling 22 7 36 7 global configuration 22 7 Immediate Leave 22 5 in the switch stack 22 6 method 22 8 monit...

Page 954: ...assification 33 8 implicit deny 31 8 31 12 implicit masks 31 8 named 31 13 undefined 31 19 IP addresses 128 bit 35 2 candidate or member 5 4 5 13 classes of 34 4 cluster access 5 2 command switch 5 3 5 11 5 13 discovering 7 30 for IP routing 34 4 IPv6 35 2 redundant clusters 5 11 standby command switch 5 11 5 13 See also IP information ip igmp profile command 22 25 IP information assigned manually...

Page 955: ...2 configuration 20 22 enabling 20 18 20 19 filtering source IP address 20 15 source IP and MAC address 20 15 on provisioned switches 20 17 IP source guard continued source IP address filtering 20 15 source IP and MAC address filtering 20 15 static bindings adding 20 18 20 19 deleting 20 18 static hosts 20 19 IP traceroute executing 38 18 overview 38 17 IP unicast routing assigning IP addresses to ...

Page 956: ...es to 35 8 changing from Layer 2 mode 34 4 Layer 3 packets classification methods 33 2 LDAP 4 2 Leaking IGMP Reports 19 4 LEDs switch See hardware installation guide lightweight directory access protocol See LDAP line configuration mode 2 3 Link Aggregation Control Protocol See EtherChannel link failure detecting unidirectional 17 8 Link Layer Discovery Protocol See CDP link local unicast addresse...

Page 957: ...ding table 20 22 dynamic learning 7 20 removing 7 22 in ACLs 31 22 MAC addresses continued static adding 7 27 allowing 7 28 7 29 characteristics of 7 26 dropping 7 28 removing 7 27 MAC address learning 1 6 MAC address learning disabling on a VLAN 7 29 MAC address notification support for 1 12 MAC address table move update configuration guidelines 19 8 configuring 19 12 default configuration 19 8 d...

Page 958: ...witch automatic discovery 5 5 defined 5 2 managing 5 16 passwords 5 13 recovering from lost connectivity 38 12 member switch continued requirements 5 4 See also candidate switch cluster standby group and standby command switch memory consistency check errors displaying 38 24 example 38 24 memory consistency check routines 1 4 38 24 memory consistency integrity 1 4 38 24 messages to users through b...

Page 959: ...bor type 17 27 path cost 17 23 port priority 17 21 root switch 17 19 secondary root switch 17 20 switch priority 17 24 MSTP continued CST defined 17 3 operations between regions 17 4 default configuration 17 16 default optional feature configuration 18 12 displaying status 17 28 enabling the mode 17 17 EtherChannel guard described 18 10 enabling 18 17 extended system ID effects on root switch 17 1...

Page 960: ...ces monitoring 22 16 36 12 multicast router ports adding 22 9 36 8 multicast storm 23 2 multicast storm control command 23 4 multicast television application 22 17 multicast VLAN 22 17 Multicast VLAN Registration See MVR multidomain authentication See MDA multiple authentication 10 13 multiple authentication mode configuring 10 43 MVR and address aliasing 22 20 and IGMPv3 22 20 configuration guide...

Page 961: ...network performance measuring with IP SLAs 32 2 network policy TLV 25 2 25 8 Network Time Protocol See NTP no commands 2 4 nonhierarchical policy maps described 33 10 non IP traffic filtering 31 22 nontrunking mode 13 13 normal range VLANs 13 4 configuration guidelines 13 5 configuring 13 4 defined 13 1 NSM 4 3 NTP associations authenticating 7 5 defined 7 2 enabling broadcast messages 7 7 peer 7 ...

Page 962: ...mode 12 7 CDP with power consumption described 12 5 CDP with power negotiation described 12 5 Cisco intelligent power management 12 5 configuring 12 23 cutoff power determining 12 8 cutoff power support for 12 8 devices supported 12 4 high power devices operating in low power mode 12 5 IEEE power classification levels 12 6 monitoring 12 8 monitoring power 12 26 policing power consumption 12 26 pol...

Page 963: ... 47 switch to client retransmission time 10 46 violation modes 10 39 to 10 40 default configuration 10 33 11 9 described 10 1 port based authentication continued device roles 10 2 11 2 displaying statistics 10 67 11 17 downloadable ACLs and redirect URLs configuring 10 61 to 10 63 to 10 64 overview 10 18 to 10 20 EAPOL start frame 10 5 EAP request identity frame 10 5 EAP response identity frame 10...

Page 964: ... 10 7 port blocking 1 4 23 8 port channel See EtherChannel port description TLV 25 2 Port Fast described 18 2 enabling 18 13 mode spanning tree 13 24 Port Fast continued support for 1 7 port membership modes VLAN 13 3 port priority MSTP 17 21 STP 16 18 ports access 12 2 blocking 23 8 dual purpose uplink 12 4 dynamic access 13 3 protected 23 6 secure 23 9 static access 13 3 13 9 switch 12 2 trunks ...

Page 965: ...5 15 PVST described 16 10 IEEE 802 1Q trunking interoperability 16 11 instances supported 16 10 Q QoS and MQC commands 33 1 auto QoS categorizing traffic 33 20 configuration and defaults display 33 32 configuration guidelines 33 30 described 33 20 disabling 33 32 displaying generated commands 33 32 displaying the initial configuration 33 32 effects on running configuration 33 30 list of generated ...

Page 966: ...nabling globally 33 37 flowcharts classification 33 7 egress queueing and scheduling 33 17 ingress queueing and scheduling 33 14 policing and marking 33 11 implicit deny 33 8 QoS continued ingress queues allocating bandwidth 33 65 allocating buffer space 33 65 buffer and bandwidth allocation described 33 15 configuring shared weights for SRR 33 65 configuring the priority queue 33 66 described 33 ...

Page 967: ...tes vendor proprietary 9 38 vendor specific 9 36 RADIUS continued configuring accounting 9 35 authentication 9 30 authorization 9 34 communication global 9 28 9 36 communication per server 9 28 multiple UDP ports 9 28 default configuration 9 27 defining AAA server groups 9 32 displaying the configuration 9 40 identifying the server 9 28 in clusters 5 16 limiting the services to the user 9 34 metho...

Page 968: ...py Protocol See RCP Remote Network Monitoring See RMON Remote SPAN See RSPAN remote SPAN 27 3 report suppression IGMP described 22 6 disabling 22 15 36 11 resequencing ACL entries 31 13 reserved addresses in DHCP pools 20 24 resetting a UDLD shutdown interface 26 6 responder IP SLAs described 32 3 enabling 32 6 response time measuring with IP SLAs 32 4 restricted VLAN configuring 10 51 described 1...

Page 969: ...ce traffic to specific VLANs 27 23 specifying monitored ports 27 18 with ingress traffic enabled 27 21 source ports 27 6 transmitted traffic 27 6 VLAN based 27 7 RSTP active topology 17 10 BPDU format 17 13 processing 17 14 designated port defined 17 10 designated switch defined 17 10 interoperability with IEEE 802 1D described 17 9 restarting migration process 17 28 topology changes 17 14 overvie...

Page 970: ... severity levels defining in system messages 29 9 SFPs monitoring status of 12 30 38 14 numbering of 12 11 security and identification 38 13 status displaying 38 14 shaped round robin See SRR show access lists hw summary command 31 19 show and more command output filtering 2 10 show cdp traffic command 24 5 show cluster members command 5 16 show configuration command 12 27 show forward command 38 ...

Page 971: ...enabling 30 12 enabling MAC address notification 7 22 7 24 7 25 overview 30 1 30 4 types of 30 12 users 30 7 30 9 SNMP continued versions supported 30 2 SNMP and Syslog Over IPv6 35 5 SNMPv1 30 2 SNMPv2C 30 2 SNMPv3 30 2 snooping IGMP 22 1 software compatibility See stacks switch software images location in flash B 24 recovery procedures 38 2 scheduling reloads 3 23 tar file format described B 24 ...

Page 972: ...h stack considerations 6 14 9 42 user authentication methods supported 9 42 SSL configuration guidelines 9 49 configuring a secure HTTP client 9 51 configuring a secure HTTP server 9 50 cryptographic software image 9 46 described 9 46 monitoring 9 52 stack switch MAC address of 6 5 6 17 stack changes effects on 802 1x port based authentication 10 11 ACL configuration 31 5 CDP 24 2 cross stack Ethe...

Page 973: ...1 membership 6 3 merged 6 3 MSTP instances supported 16 10 stacks switch continued offline configuration described 6 7 effects of adding a provisioned switch 6 7 effects of removing a provisioned switch 6 9 effects of replacing a provisioned switch 6 9 provisioned configuration defined 6 7 provisioned switch defined 6 7 provisioning a new member 6 20 partitioned 6 3 38 8 provisioned switch adding ...

Page 974: ...s See addresses static MAC addressing 1 9 static routes configuring 34 5 configuring for IPv6 35 10 static VLAN membership 13 2 statistics 802 1X 11 17 802 1x 10 67 CDP 24 5 interface 12 30 LLDP 25 12 LLDP MED 25 12 NMSP 25 12 QoS ingress and egress 33 75 statistics continued RMON group Ethernet 28 6 RMON group history 28 5 SNMP input and output 30 18 VTP 15 17 sticky learning 23 10 storm control ...

Page 975: ...6 5 unexpected behavior 16 16 features supported 1 7 IEEE 802 1D and bridge ID 16 5 IEEE 802 1D and multicast addresses 16 9 IEEE 802 1t and VLAN identifier 16 5 inferior BPDU 16 3 instances supported 16 10 interface state blocking to forwarding 18 2 STP continued interface states blocking 16 7 disabled 16 8 forwarding 16 6 16 7 learning 16 7 listening 16 7 overview 16 5 interoperability and compa...

Page 976: ... switchport backup interface 19 4 19 5 switchport block multicast command 23 8 switchport block unicast command 23 8 switchport protected command 23 7 switch priority MSTP 17 24 STP 16 21 switch software features 1 1 switch virtual interface See SVI syslog See system message logging system capabilities TLV 25 2 system clock configuring daylight saving time 7 13 manually 7 11 summer time 7 13 time ...

Page 977: ... 10 tracking services accessed by user 9 17 tar files creating B 6 displaying the contents of B 7 extracting B 7 image file format B 24 TCAM memory consistency check errors displaying 38 24 example 38 24 memory consistency check routines 1 4 38 24 memory consistency integrity 1 4 38 24 portions 38 24 space HFTM 38 24 HQATM 38 24 unassigned 38 24 TDR 1 13 Telnet accessing management interfaces 2 11...

Page 978: ...P transparent mode VTP 15 3 trap door mechanism 3 2 traps configuring MAC address notification 7 22 7 24 7 25 configuring managers 30 12 defined 30 3 enabling 7 22 7 24 7 25 30 12 notification types 30 12 overview 30 1 30 4 troubleshooting connectivity problems 38 14 38 15 38 17 CPU utilization 38 25 detecting unidirectional links 26 1 displaying crash information 38 23 setting packet forwarding 3...

Page 979: ... 802 1x 10 10 unicast MAC address filtering 1 5 and adding static addresses 7 28 and broadcast MAC addresses 7 27 and CPU packets 7 27 and multicast addresses 7 27 and router MAC addresses 7 27 configuration guidelines 7 27 described 7 27 unicast storm 23 2 unicast storm control command 23 4 unicast traffic blocking 23 8 UniDirectional Link Detection protocol See UDLD UNIX syslog servers daemon co...

Page 980: ...elines 19 8 VLAN management domain 15 2 VLAN Management Policy Server See VMPS VLAN membership confirming 13 26 modes 13 3 VLAN Query Protocol See VQP VLANs adding 13 7 adding to VLAN database 13 7 aging dynamic addresses 16 10 allowed on trunk 13 17 and spanning tree instances 13 2 13 6 13 11 configuration guidelines extended range VLANs 13 10 configuration guidelines normal range VLANs 13 5 conf...

Page 981: ...ffic in 802 1p priority tagged frames 14 5 802 1Q frames 14 5 connecting to an IP phone 14 5 default configuration 14 3 described 14 1 displaying 14 7 IP phone data traffic described 14 3 IP phone voice traffic described 14 2 VQP 1 8 13 23 VTP adding a client to a domain 15 16 advertisements 13 15 15 4 and extended range VLANs 13 2 15 2 and normal range VLANs 13 2 15 2 client mode configuring 15 1...

Page 982: ...thentication 10 17 configuring 11 16 to described 1 8 web based authentication customizeable web pages 11 6 description 11 1 web based authentication interactions with other features 11 7 weighted tail drop See WTD wired location service configuring 25 10 displaying 25 12 location TLV 25 3 understanding 25 3 wizards 1 2 WTD described 33 12 setting thresholds egress queue sets 33 68 ingress queues ...

Reviews:

No comments

Related manuals for 2975 - Catalyst LAN Base Switch

Magnetrol TK1 Operating Manual preview
TK1
Brand: Magnetrol Pages: 12
Magnimage V4 Series User Manual preview
V4 Series
Brand: Magnimage Pages: 53
DirectConnect 43136 User Manual preview
43136
Brand: DirectConnect Pages: 10
Phonocar 5-981 Mounting Instructions preview
5-981
Brand: Phonocar Pages: 2
H3C LSW1GP16P0 User Manual preview
LSW1GP16P0
Brand: H3C Pages: 26
Ubiquiti EdgeSwitch Quick Start Manual preview
EdgeSwitch
Brand: Ubiquiti Pages: 14
H-Tronic TS 1000 Instruction Manual preview
TS 1000
Brand: H-Tronic Pages: 15
A-Neuvideo ANI-8PDU-24V Instruction Manual preview
ANI-8PDU-24V
Brand: A-Neuvideo Pages: 12
Power Ethernet PE 200AV T1000 Quick Setup Manual preview
PE 200AV T1000
Brand: Power Ethernet Pages: 2
Leaksafe Solutions WaterSwitch2 Installation Instructions Manual preview
WaterSwitch2
Brand: Leaksafe Solutions Pages: 12
Edimax ES-5160G+ Install Manual preview
ES-5160G+
Brand: Edimax Pages: 8
Abtus AVS-HDMI81 User'S Operation Manual preview
AVS-HDMI81
Brand: Abtus Pages: 4
PortaOne PortaSwitch Handbook preview
PortaSwitch
Brand: PortaOne Pages: 78
Abrams ASTRO 400 Installation And Configuration Manual preview
ASTRO 400
Brand: Abrams Pages: 5
Allied Telesis Extricom AT-EXLS-3000 Installation And User Manual preview
Extricom AT-EXLS-3000
Brand: Allied Telesis Pages: 120
Conceptronic CKVM2M Quick Installation Manual preview
CKVM2M
Brand: Conceptronic Pages: 28
Kramer VS-28 User Manual preview
VS-28
Brand: Kramer Pages: 10
Larson Electronics EPS-1XPB-1XPL-M1-24V Instruction Manual preview
EPS-1XPB-1XPL-M1-24V
Brand: Larson Electronics Pages: 2

Brands by name

Popular brands

Load more brands