manualshive.com logo in svg

Cisco 4006 - Catalyst Switch, Configuration Manual, Page: 480 / 614

Share
Download
Cisco 4006 - Catalyst Switch Configuration Manual Download Page 480

 

30-34

Catalyst 4500 Series,  Catalyst 2948G, Catalyst 2948G-GE-TX,  and Catalyst 2980G Switches Software Configuration Guide—Release 8.2GLX

78-15908-01

Chapter 30      Configuring Switch Access Using AAA

Configuring Authentication

Copying SRVTAB Files

To allow remote users to authenticate to the switch using Kerberos credentials, the switch must share a 
key with the KDC. You must give the switch a copy of the file that is stored in the KDC that contains the 
key. These files are called SRVTAB files on the switch and KEYTAB files on the servers. 

The most secure method of copying SRVTAB files to the hosts in your Kerberos realm is to copy them 
onto physical media and then manually copy the files onto the system. To copy SRVTAB files to a switch 
that does not have a physical media drive, you must transfer them through the network by using the 
Trivial File Transfer Protocol (TFTP).

When you copy the SRVTAB file from the switch to the KDC, the switch parses the information in this 
file and stores it in the running configuration in the Kerberos SRVTAB entry format. If you enter the 
SRVTAB directly into the switch, create an entry for each Kerberos principal (service) on the switch. 
The entries are maintained in the SRVTAB table. The maximum size of the table is 20 entries. 

To retrieve SRVTAB files to the switch from the KDC, perform this task in privileged mode:

This example shows how to retrieve an SRVTAB file from the KDC, enter an SRVTAB directly into the 
switch, and verify the configuration:

Console> (enable) set kerberos srvtab remote 187.20.32.10 /users/jdoe/krb5/ninerskeytab

Console> (enable)

Console> (enable) set kerberos srvtab entry host/[email protected] 0 932423923 1 

1 8 03;;5>00>50;0=0=0

Kerberos SRVTAB entry set to 

Principal:host/[email protected]

Principal Type:0

Timestamp:932423923

Key version number:1

Key type:1

Key length:8

Encrypted key tab:03;;5>00>50;0=0=0

Console> (enable) show kerberos 

Kerberos Local Realm:CISCO.COM 

Kerberos server entries:

Realm:CISCO.COM,  Server:187.0.2.1,  Port:750

Realm:CISCO.COM,  Server:187.20.2.1,  Port:750

 

Kerberos Domain<->Realm entries:

Domain:cisco.com,  Realm:CISCO.COM 

 

Task

Command

Step 1

Retrieve a specified SRVTAB file from the KDC. set kerberos srvtab remote {hostname | 

ip-addressfilename

Step 2

(Optional) You can enter the SRVTAB directly 
into the switch.

set kerberos srvtab entry kerberos-principal 
principal-type timestamp key-version number 
key-type key-length encrypted-keytab

Summary of Contents for 4006 - Catalyst Switch

Page 1: ...95134 1706 USA http www cisco com Tel 408 526 4000 800 553 NETS 6387 Fax 408 526 4100 Catalyst 4500 Series Catalyst 2948G Catalyst 2948G GE TX and Catalyst 2980G Switches Software Configuration Guide Release 8 2GLX Customer Order Number DOC 7815908 Text Part Number 78 15908 01 ...

Page 2: ...DING WITHOUT LIMITATION LOST PROFITS OR LOSS OR DAMAGE TO DATA ARISING OUT OF THE USE OR INABILITY TO USE THIS MANUAL EVEN IF CISCO OR ITS SUPPLIERS HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES CCIP CCSP the Cisco Arrow logo the Cisco Powered Network mark Cisco Unity Follow Me Browsing FormShare and StackWise are trademarks of Cisco Systems Inc Changing the Way We Work Live Play and Learn ...

Page 3: ... Opening a TAC Case xxx TAC Case Priority Definitions xxxi Obtaining Additional Publications and Information xxxi C H A P T E R 1 Product Overview 1 1 Catalyst 4000 and Catalyst 4500 Series Switches 1 1 Catalyst 2948G Switch 1 2 Catalyst 2948G GE TX Switch 1 3 Catalyst 2980G Switch 1 3 Supervisor Engine Software 1 3 C H A P T E R 2 Using the Command Line Interface 2 1 Switch CLI Overview 2 1 Acces...

Page 4: ...t Gateway Configuration 3 5 Setting the In Band sc0 Interface IP Address 3 5 Setting the Management Ethernet me1 Interface IP Address 3 6 Configuring Default Gateways 3 7 Configuring the SLIP sl0 Interface on the Console Port 3 8 Using DHCP or RARP to Obtain an IP Address Configuration 3 10 Renewing and Releasing a DHCP Assigned IP Address 3 11 C H A P T E R 4 Configuring Ethernet and Fast Etherne...

Page 5: ...gabit Ethernet Port Timeout Periods 5 9 Checking Gigabit Ethernet Port Connectivity 5 10 C H A P T E R 6 Configuring Fast EtherChannel and Gigabit EtherChannel 6 1 Understanding How EtherChannel Works 6 1 EtherChannel Overview 6 2 Understanding Frame Distribution 6 2 Hardware Support for EtherChannel 6 2 PAgP and LACP 6 2 EtherChannel Configuration Guidelines and Restrictions 6 3 Guidelines for Co...

Page 6: ...l VLAN Cost 6 21 Clearing LACP Statistics 6 21 Displaying EtherChannel Traffic Utilization 6 21 Disabling an EtherChannel 6 22 Displaying Spanning Tree Related Information for EtherChannels 6 22 C H A P T E R 7 Configuring Spanning Tree 7 1 Understanding How STPs Work 7 2 Understanding How a Topology Is Created 7 2 Understanding How a Switch or Port Becomes the Root Switch or Root Port 7 3 Underst...

Page 7: ... Rapid PVST 7 28 Using MISTP PVST or MISTP 7 30 Default MISTP Mode Configuration 7 30 Setting the MISTP PVST Mode or MISTP Mode 7 31 Configuring the MISTP Bridge ID Priority 7 32 Enabling an MISTP Instance 7 36 Mapping VLANs to an MISTP Instance 7 36 Disabling MISTP PVST or MISTP 7 39 Configuring a Root Switch 7 39 Configuring a Primary Root Switch 7 39 Configuring a Secondary Root Switch 7 40 Con...

Page 8: ...tFast 8 10 Resetting PortFast 8 11 Configuring PortFast BPDU Guard 8 11 Enabling PortFast BPDU Guard 8 11 Disabling PortFast BPDU Guard 8 12 Configuring PortFast BPDU Filtering 8 13 Enabling PortFast BPDU Filtering 8 13 Disabling PortFast BPDU Filtering 8 14 Configuring UplinkFast 8 15 Enabling UplinkFast 8 15 Disabling UplinkFast 8 16 Configuring BackboneFast 8 17 Enabling BackboneFast 8 17 Displ...

Page 9: ...es and Partitions 9 14 VTP Version 3 Modes 9 18 VTP Version 3 Databases 9 19 Default VTP Version 3 Configuration 9 22 Configuring VTP Version 3 9 22 Enabling VTP Version 3 9 22 Changing VTP Version 3 Modes 9 23 Configuring VTP Version 3 Passwords 9 27 Configuring a VTP Version 3 Takeover 9 28 Disabling VTP Version 3 on a Per Port Basis 9 29 VTP Version 3 show Commands 9 30 C H A P T E R 10 Configu...

Page 10: ...psulation Types 11 2 Trunking Support 11 3 802 1Q Trunk Restrictions 11 4 Default Trunk Configuration 11 5 Configuring a Trunk Link 11 5 Configuring an 802 1Q Trunk 11 5 Defining the Allowed VLANs on a Trunk 11 6 Disabling a Trunk Port 11 7 Disabling VLAN 1 on a Trunk Link 11 8 Example VLAN Trunk Configurations 11 9 802 1Q Trunk over a Gigabit EtherChannel Link Example 11 9 Load Sharing VLAN Traff...

Page 11: ... 2 GVRP Configuration Guidelines 13 2 Configuring GVRP on the Switch 13 2 Enabling GVRP Globally 13 2 Enabling GVRP on Individual 802 1Q Trunk Ports 13 3 Enabling GVRP Dynamic VLAN Creation 13 4 Configuring GVRP Registration 13 4 Sending GVRP VLAN Declarations from Blocking Ports 13 6 Setting the GARP Timers 13 6 Displaying GVRP Statistics 13 7 Clearing GVRP Statistics 13 8 Disabling GVRP on Indiv...

Page 12: ...P 15 4 CGMP Hardware and Software Requirements 15 4 Default CGMP Configuration 15 4 Enabling CGMP 15 4 Enabling CGMP Leave Processing 15 5 Enabling CGMP Fast Leave Processing 15 5 Displaying Multicast Router Information 15 6 Displaying Multicast Group Information 15 6 Displaying CGMP Statistics 15 7 Disabling CGMP Leave Processing 15 8 Disabling CGMP Fast Leave Processing 15 8 Disabling CGMP 15 8 ...

Page 13: ...Address 16 2 Blocking Unicast Flood Packets on Secure Ports 16 3 Port Security Configuration Guidelines 16 3 Configuring Port Security on the Switch 16 3 Enabling Port Security 16 3 Setting the Maximum Number of Secure MAC Addresses 16 4 Setting the Port Security Age Time 16 5 Clearing MAC Addresses 16 5 Configuring Unicast Flood Blocking on Secure Ports 16 6 Enabling MAC Address Notification 16 7...

Page 14: ...ocol Filtering Configuration 19 2 Configuring Protocol Filtering on the Switch 19 2 Configuring Protocol Filtering 19 2 Disabling Protocol Filtering 19 3 C H A P T E R 20 Checking Status and Connectivity 20 1 Checking Module Status 20 1 Checking Port Status 20 2 Displaying the Port MAC Address 20 4 Displaying Port Capabilities 20 5 Using Telnet 20 6 Changing the Login Timer 20 6 Using Secure Shell...

Page 15: ...nning and Viewing Switch TopN Reports 22 3 C H A P T E R 23 Configuring UDLD 23 1 Understanding How UDLD Works 23 1 UDLD Software and Hardware Requirements 23 2 Default UDLD Configuration 23 2 Configuring UDLD on the Switch 23 3 Enabling UDLD Globally 23 3 Enabling UDLD on Individual Ports 23 4 Disabling UDLD on Individual Ports 23 4 Disabling UDLD Globally 23 4 Specifying the UDLD Message Interva...

Page 16: ...Understanding How SPAN and RSPAN Work 26 1 SPAN Session 26 1 Destination Port 26 2 Source Port 26 2 Reflector Port 26 3 Ingress SPAN 26 3 Egress SPAN 26 3 VSPAN 26 3 Trunk VLAN Filtering 26 4 SPAN Traffic 26 4 SPAN and RSPAN Session Limits 26 4 Configuring SPAN 26 4 Understanding How SPAN Works 26 4 SPAN Configuration Guidelines 26 5 Configuring SPAN 26 6 Configuring RSPAN 26 8 RSPAN Software and ...

Page 17: ...nt Overview 28 2 Understanding Power Management Modes 28 2 Available Power for Power Supplies 28 4 Power Management Limitations 28 4 1400 W DC Power Supply Guidelines and Restrictions 28 5 Understanding How Power Management Works on the Catalyst 4006 Switch 28 6 Understanding Power Redundancy 28 6 1 1 Redundancy Mode Guidelines and Restrictions 28 7 1 1 Redundancy Mode Limitations 28 7 Power Consu...

Page 18: ...ntication Works 30 3 Understanding How TACACS Authentication Works 30 3 Understanding How RADIUS Authentication Works 30 4 Understanding How Kerberos Authentication Works 30 5 Configuring Authentication 30 8 Authentication Default Configuration 30 8 Authentication Configuration Guidelines 30 9 Configuring Login Authentication 30 9 Configuring Local Authentication 30 12 Configuring Local User Authe...

Page 19: ...Server 31 5 802 1x Parameters Configurable on the Switch 31 6 802 1x VLAN Assignment Using a RADIUS Server 31 6 Using 802 1x Authentication with Port Security 31 7 Using 802 1x Authentication on Ports Configured for Auxiliary VLAN Traffic 31 8 Using 802 1x Authentication for Guest VLANs 31 8 Authentication Default Configuration 31 9 Authentication Configuration Guidelines 31 9 Configuring 802 1x A...

Page 20: ... BOOT Environment Variable 32 3 Understanding the CONFIG_FILE Environment Variable 32 3 Default Switch Boot Configuration 32 4 Setting the Configuration Register 32 4 Setting the Boot Field in the Configuration Register 32 4 Setting CONFIG_FILE Recurrence 32 5 Setting the Switch to Ignore the NVRAM Configuration 32 6 Setting the BOOT Environment Variable 32 6 Setting the BOOT Environment Variable ...

Page 21: ... Device 34 1 Setting the Text File Configuration Mode 34 2 Listing the Files on a Flash Device 34 2 Displaying the Contents of a File on a Flash Device 34 3 Copying Files 34 4 Deleting Files 34 5 Restoring Deleted Files 34 6 Verifying a File Checksum 34 7 C H A P T E R 35 Working with Configuration Files 35 1 Creating and Using Configuration Files Guidelines 35 1 Creating a Configuration File 35 2...

Page 22: ...ng Buffer Size 37 6 Limiting the Number of syslog Messages 37 6 Configuring the syslog Daemon on a UNIX syslog Server 37 7 Configuring syslog Servers 37 7 Displaying the Logging Configuration 37 9 Displaying System Messages 37 10 C H A P T E R 38 Configuring DNS 38 1 Understanding How DNS Works 38 1 Default DNS Configuration 38 2 Configuring DNS on the Switch 38 2 Setting Up and Enabling DNS 38 2 ...

Page 23: ...s Catalyst 2948G Catalyst 2948G GE TX and Catalyst 2980G Switches Software Configuration Guide Release 8 2GLX 78 15908 01 Clearing the Time Zone 39 7 Clearing NTP Servers 39 7 Disabling NTP 39 8 A P P E N D I X A Acronyms A 1 I N D E X ...

Page 24: ...Contents xxiv Catalyst 4500 Series Catalyst 2948G Catalyst 2948G GE TX and Catalyst 2980G Switches Software Configuration Guide Release 8 2GLX 78 15908 01 ...

Page 25: ...and line interfaces CLIs Chapter 3 Configuring the Switch IP Address and Default Gateway Describes how to perform a baseline configuration of the switch Chapter 4 Configuring Ethernet and Fast Ethernet Switching Describes how to configure Ethernet and Fast Ethernet switching on the switch Chapter 5 Configuring Gigabit Ethernet Switching Describes how to configure Gigabit Ethernet switching on the ...

Page 26: ...witch Chapter 16 Configuring Port Security Describes how to configure port security on the switch Chapter 17 Configuring Unicast Flood Blocking Describes how to configure unicast flood blocking on the switch Chapter 18 Configuring the IP Permit List Describes how to configure IP permit list on the switch Chapter 19 Configuring Protocol Filtering Describes how to configure protocol filtering on Eth...

Page 27: ... configure your Voice over IP VoIP network Chapter 30 Configuring Switch Access Using AAA Describes how to configure local and TACACS authentication on the switch Chapter 31 Configuring 802 1x Authentication Describes how to configure IEEE 802 1x authentication on the switch Chapter 32 Modifying the Switch Boot Configuration Describes how to modify the switch boot configuration including the BOOT ...

Page 28: ...es use these conventions boldface font Commands command options and keywords are in boldface italic font Arguments for which you supply values are in italics Elements in square brackets are optional x y z Alternative keywords are grouped in braces and separated by vertical bars x y z Optional alternative keywords are grouped in brackets and separated by vertical bars string A nonquoted set of char...

Page 29: ...e htm You can access the Cisco website at this URL http www cisco com International Cisco websites can be accessed from this URL http www cisco com public countries_languages shtml Documentation CD ROM Cisco documentation and additional literature are available in a Cisco Documentation CD ROM package which may have shipped with your product The Documentation CD ROM is updated regularly and may be ...

Page 30: ...883 We appreciate your comments Obtaining Technical Assistance For all customers partners resellers and distributors who hold valid Cisco service contracts the Cisco Technical Assistance Center TAC provides 24 hour award winning technical support services online and over the phone Cisco com features the Cisco TAC website as an online starting point for technical assistance Cisco TAC Website The Ci...

Page 31: ...ess operations remain functional You and Cisco will commit resources during normal business hours to restore service to satisfactory levels Priority 4 P4 You require information or assistance with Cisco product capabilities installation or configuration There is little or no effect on your business operations Obtaining Additional Publications and Information Information about Cisco products techno...

Page 32: ... Magazine at this URL http www cisco com go iqmagazine Internet Protocol Journal is a quarterly journal published by Cisco Systems for engineering professionals involved in designing developing and operating public and private internets and intranets You can access the Internet Protocol Journal at this URL http www cisco com en US about ac123 ac147 about_cisco_the_internet_protocol_journal html Tr...

Page 33: ... 1 2 Catalyst 2948G GE TX Switch page 1 3 Catalyst 2980G Switch page 1 3 Supervisor Engine Software page 1 3 Catalyst 4000 and Catalyst 4500 Series Switches Note For installation information and a complete description of the Catalyst 4000 series or Catalyst 4500 series switch hardware refer to the Catalyst 4000 Family Installation Guide Catalyst 4500 Series Switch Installation Guide and the Cataly...

Page 34: ... switch 12 Gbps backplane Optional redundant power supplies 12 1000BASE X GBIC Gigabit Ethernet ports Catalyst 4500 Series WS C4503 Catalyst 4503 Modular 3 slot chassis 28 Gbps full duplex backplane Optional redundant power supplies WS C4506 Catalyst 4506 Modular 6 slot chassis 64 Gbps full duplex Optional redundant power supplies Table 1 1 Catalyst 4000 and 4500 Series Switch continued Product Nu...

Page 35: ...0G Installation Guide Table 1 4 describes the Catalyst 2980G switch Supervisor Engine Software The supervisor engine software is factory installed on every supervisor engine module or fixed configuration switch Some modules require an additional software image which is factory installed on the module Table 1 3 Catalyst 2948G Switch Product Number Chassis Description WS C2948G GE TX Catalyst 2948G ...

Page 36: ...r Engine Software The Catalyst enterprise LAN switches share a command line interface CLI with which you can configure modules and ports on the switches For more information see Chapter 2 Using the Command Line Interface For descriptions of the available CLI commands refer to the Catalyst 4500 Series Catalyst 2948G Catalyst 2948G GE TX and Catalyst 2980G Switches Command Reference ...

Page 37: ...ns This chapter consists of these sections Switch CLI Overview page 2 1 Accessing the Switch CLI page 2 2 Switch CLI Command Modes page 2 3 Accessing Help page 2 4 Command Line Editing page 2 5 History Substitution page 2 6 Abbreviating a Command page 2 6 Completing a Partial Command page 2 6 Scrolling Through Command Output page 2 6 Using Command Aliases page 2 7 Specifying Modules Ports and VLAN...

Page 38: ...e Port Note For complete information on how to connect a terminal to the supervisor engine console port refer to the hardware documentation for your switch To access the switch CLI through the console port you must connect a console terminal to the console port through an EIA TIA 232 RS 232 cable Make sure that the terminal is connected to the switch and that the terminal is on To access the switc...

Page 39: ...lnet to the switch using the IP address or the DNS host name of the switch You must configure DNS on the switch and on your network name server in order to use DNS host names For more information on DNS see Chapter 38 Configuring DNS This example shows how to use the telnet command to connect to a switch with the DNS host name Catalyst_1 unix_host telnet Catalyst_1 Trying 172 16 10 10 Connected to...

Page 40: ...p 1 From normal mode enter the enable command On a new switch the privileged mode password is null If you are connecting to a new switch press Return at the Enter Password prompt Otherwise enter the privileged mode password for the switch Console enable Enter password privileged_mode_password Console enable Step 2 To exit privileged mode and return to normal mode enter the disable command Console ...

Page 41: ... command line editing keystrokes Table 2 1 lists the keystrokes that you can use when entering and editing switch commands Table 2 1 Command Line Editing Keystrokes Keystroke Function Ctrl A Jumps to the first character of the command line Ctrl B or the Left Arrow key1 1 The arrow keys function only on ANSI compatible terminals such as VT100s Moves the cursor back one character Ctrl C Escapes and ...

Page 42: ...press the Tab key the system completes the command as configure because it is the only command that matches the criteria Scrolling Through Command Output When the output of a command fills more than one terminal screen the output is displayed through the More program a More prompt is displayed at the bottom of the screen The More program is used for any output that has more lines than can be displ...

Page 43: ...witches you must refer to the module number not the slot number For example all of the user configurable ports on these switches are logically on module 2 On modules that have user configurable ports the left most port is always port 1 To designate a specific port on a specific module the command syntax is mod_num port_num For example 3 1 specifies module 3 port 1 On the Catalyst 4912G the Catalys...

Page 44: ... host name or IP alias The IP address format is 32 bits written in dotted decimal format as shown in the following example 172 16 10 1 If DNS is configured properly on the switch you can use IP host names instead of IP addresses For information on configuring DNS see Chapter 38 Configuring DNS You can also configure IP aliases on the switch which you can use in place of IP addresses IP aliases can...

Page 45: ...xample shows the bootup display of a Catalyst 4003 switch The display on the Catalyst 4912G the Catalyst 2948G and the Catalyst 2980G switches are similar WS X4012 bootrom version 4 5 1 built on 1999 03 29 21 04 04 H W Revisions Meteor 4 Comet 8 Board 2 Supervisor MAC addresses 00 d0 58 70 a1 00 through 00 d0 58 70 a4 ff 1024 addresses Installed memory 32 MB Testing LEDs done The system will autob...

Page 46: ...g RARP request with address 00 d0 58 70 a4 ff Sending BOOTP request with address 00 d0 58 70 a4 ff Sending RARP request with address 00 d0 58 70 a4 ff Sending BOOTP request with address 00 d0 58 70 a4 ff Sending RARP request with address 00 d0 58 70 a4 ff Sending BOOTP request with address 00 d0 58 70 a4 ff Sending RARP request with address 00 d0 58 70 a4 ff Sending BOOTP request with address 00 d...

Page 47: ... Interfaces Work page 3 1 Understanding How Automatic IP Configuration Works page 3 2 Preparing to Configure the IP Address and Default Gateway page 3 4 Default IP Address and Default Gateway Configuration page 3 5 Setting the In Band sc0 Interface IP Address page 3 5 Setting the Management Ethernet me1 Interface IP Address page 3 6 Configuring Default Gateways page 3 7 Configuring the SLIP sl0 In...

Page 48: ... a command that causes sc0 and me1 to have the same IP address or occupy the same subnet the switch software brings one of the interfaces down In most cases the switch software brings down the sc0 interface after you confirm the change However when the switch boots with the IP address 0 0 0 0 configured on both the sc0 and me1 interfaces the me1 interface is brought down to allow BOOTP and RARP re...

Page 49: ...ator maps the switch MAC address to an IP address at the DHCP server Automatic allocation The switch obtains an IP address when it first contacts the DHCP server The address is permanently assigned to the switch Dynamic allocation The switch obtains a leased IP address for a specified period of time The IP address is revoked at the end of this period and the switch surrenders the address The switc...

Page 50: ...ress on the RARP server The switch retrieves its IP address from the server automatically when it boots up The switch broadcasts ten RARP requests after all of the switch ports are online If a response is received the switch sets the in band sc0 interface IP address to the address that is specified in the RARP response If no reply is received the sc0 interface IP address remains set to 0 0 0 0 pro...

Page 51: ...cify the subnet mask netmask using the number of subnet bits or using the subnet mask in dotted decimal format To set the IP address and VLAN membership of the in band sc0 management interface perform this task in privileged mode Table 3 2 Switch IP Address and Default Gateway Default Configuration Feature Default Value In band sc0 interface IP address subnet mask and broadcast address set to 0 0 ...

Page 52: ...e you can Telnet to the switch or use SNMP to manage the switch you must assign an IP address to either the in band sc0 logical interface or the management Ethernet me1 interface The me1 interface is present only on the Catalyst 4500 series Catalyst 2948G Catalyst 2948G GE TX and Catalyst 2980G switches You can specify the subnet mask netmask using the number of subnet bits or using the subnet mas...

Page 53: ... primary gateway is lost the switch attempts to use the backup gateways in the order that they were configured The switch sends periodic ping messages to determine whether each default gateway is up or down If connectivity to the primary gateway is restored the switch resumes sending traffic to the primary gateway If both the in band sc0 and management Ethernet me1 interfaces are configured when y...

Page 54: ... netmask 255 255 255 240 broadcast 172 20 52 47 me1 flags 63 UP BROADCAST RUNNING inet 10 1 1 100 netmask 255 255 255 0 broadcast 10 1 1 255 Console enable set ip route default 172 20 52 33 Route added Console enable set ip route default 10 1 1 1 Route added Console enable show ip route Fragmentation Redirect Unreachable enabled enabled enabled The primary gateway 172 20 52 33 Destination Gateway ...

Page 55: ...lags 51 UP POINTOPOINT RUNNING slip 10 1 1 1 dest 10 1 1 2 sc0 flags 63 UP BROADCAST RUNNING vlan 522 inet 172 20 52 38 netmask 255 255 255 240 broadcast 172 20 52 7 me1 flags 62 DOWN BROADCAST RUNNING inet 10 1 1 100 netmask 255 255 255 0 broadcast 10 1 1 255 Console enable slip attach Console Port now running SLIP Console enable slip detach SLIP detached on Console port Console enable Task Comma...

Page 56: ...up server NTP server 172 16 25 253 added NTP server 172 16 25 252 added MGMT 5 DHCP_S Assigned IP address 172 20 25 244 from DHCP Server 172 20 25 254 Console enable show interface sl0 flags 51 UP POINTOPOINT RUNNING slip 0 0 0 0 dest 0 0 0 0 sc0 flags 63 UP BROADCAST RUNNING vlan 1 inet 172 20 25 244 netmask 255 255 255 0 broadcast 172 20 25 255 dhcp server 172 20 25 254 Console Task Command Step...

Page 57: ...a DHCP assigned IP address on the in band sc0 management interface perform one of these tasks in privileged mode This example shows how to renew the lease on a DHCP assigned IP address Console enable set interface sc0 dhcp renew Renewing IP address Console enable Sending DHCP packet with address 00 90 0c 5a 8f ff output truncated This example shows how to release the lease on a DHCP assigned IP ad...

Page 58: ...alyst 2948G Catalyst 2948G GE TX and Catalyst 2980G Switches Software Configuration Guide Release 8 2GLX 78 15908 01 Chapter 3 Configuring the Switch IP Address and Default Gateway Renewing and Releasing a DHCP Assigned IP Address ...

Page 59: ... and usage information for the commands that are used in this chapter refer to the Catalyst 4500 Series Catalyst 2948G Catalyst 2948G GE TX and Catalyst 2980G Switches Command Reference This chapter consists of these sections Understanding How Ethernet Works page 4 1 Default Ethernet and Fast Ethernet Configurations page 4 2 Configuring Ethernet and Fast Ethernet Ports page 4 3 Understanding How E...

Page 60: ...ithin the hub and the bandwidth of the network is shared by all devices that are attached to the hub If two stations establish a session that uses a significant level of bandwidth the network performance of all other stations that are attached to the hub is degraded To reduce degradation the Catalyst enterprise LAN switches treat each port as an individual segment When stations on different ports ...

Page 61: ...vity page 4 8 Note For information on configuring Fast EtherChannel see Chapter 6 Configuring Fast EtherChannel and Gigabit EtherChannel Setting Ethernet and Fast Ethernet Port Names You can assign names to the ports on Ethernet and Fast Ethernet modules to facilitate switch administration To assign a name to a port perform this task in privileged mode Table 4 1 Ethernet and Fast Ethernet Default ...

Page 62: ...s request access to the switching bus simultaneously the switch uses port priority level to determine the order in which to give ports access To set the port priority level perform this task in privileged mode This example shows how to set the port priority level to high for port 1 1 and verify that the port priority is configured correctly Console enable set port level 1 1 high Port 1 1 level set...

Page 63: ...e Setting Ethernet and Fast Ethernet Port Duplex Modes You can set the port duplex mode to full or half duplex for Ethernet and Fast Ethernet ports Note If the port speed is set to auto on a 10 100 Mbps Fast Ethernet port both speed and duplex are autonegotiated You cannot change the duplex mode of ports that are configured for autonegotiation For information on enabling and disabling autonegotiat...

Page 64: ...tch enables the debounce timer To set the debounce timer on a port perform this task in privileged mode This example shows how to enable the debounce timer for module 2 on port 1 Console enable set port debounce 2 1 enable Debounce is enabled on port 2 1 Warning Enabling port debounce causes Link Up Down detections to be delayed It results in loss of data traffic during debouncing period which mig...

Page 65: ...tained for all the ports At every t seconds where t is the user configurable timeout a process checks to see if any ports are in errdisable state If so only those ports that have the errdisable timeout set enabled are reenabled through System Control Protocol SCP messages By default all the errdisabled ports are reenabled when the global timer times out You can enable or disable errdisable timeout...

Page 66: ...ands to test connectivity out Ethernet or Fast Ethernet ports To check connectivity out a port perform this task in privileged mode This example shows how to ping a remote host and how to trace the hop by hop path of packets through the network using traceroute Console enable ping somehost somehost is alive Console enable traceroute somehost traceroute to somehost company com 10 1 2 3 30 hops max ...

Page 67: ...Works page 5 1 Default Gigabit Ethernet Configuration page 5 6 Configuring Gigabit Ethernet Ports page 5 7 Understanding How Gigabit Ethernet Works The following sections describe how Gigabit Ethernet works Understanding How Gigabit Ethernet Flow Control Works Flow control is a feature that Gigabit Ethernet ports use to inhibit the transmission of incoming packets If a buffer on a Gigabit Ethernet...

Page 68: ...412 2GB T Oversubscribed ports 1 12 Yes Catalyst 4000 Catalyst 4500 WS X4424 GB RJ45 All ports Yes Catalyst 4000 Catalyst 4500 WS X4448 GB RJ45 WS X4548 GB RJ45 All ports Yes Catalyst 4000 Catalyst 4500 WS X4448 GB LX All ports Yes Catalyst 2948G All ports All ports No Catalyst 2948G GE TX Ports 1 48 Ports 49 52 Yes No Catalyst 2980G All modules All ports No Table 5 2 Send and Receive Keyword Conf...

Page 69: ...he other Table 5 3 shows the four possible port negotiation configurations for a Gigabit Ethernet link and the resulting link status for each configuration Note On 1000BASE T Gigabit Ethernet ports you cannot configure speed or duplex mode With this release 1000BASE T ports operate only in the default configuration where the speed is 1000 and duplex mode is full You cannot disable autonegotiation ...

Page 70: ...This Gigabit Ethernet optical line terminator module provides 48 oversubscribed ports possible blocking On all modules each uplink module port has 1 Gbps dedicated bandwidth These ports typically connect to the network backbone Table 5 4 lists the uplink module port IDs for each module On all modules the oversubscribed ports are segmented into groups of four ports each Each group of four ports sha...

Page 71: ...hese configurations are shown Server A equipped with channel and trunk capable network interface cards NICs connects to the switch through a four port Gigabit EtherChannel trunk link Two ports are in one oversubscribed port group and two are in another The switch can burst up to 2 Gbps bandwidth in each direction while averaging 250 Mbps for each connected port 1 Gbps total Servers B and C also wi...

Page 72: ...uration THIS ASSEMBLY CONTAINS ELECTROSTATIC SENSITIVE DEVICES CAUTION 0 100 Network backbone Gigabit EtherChannel bundles Backbone switch Server A Server B Server C Workstation 1 Workstation 2 Workstation 3 Workstation 4 Server D 18069 Table 5 10 Gigabit Ethernet Default Configuration Feature Default Value Port enable state All ports are enabled Port name None Port priority Normal Duplex mode Ful...

Page 73: ...eged mode This example shows how to assign the name for ports 2 1 and 2 2 and how to verify that the port names are configured correctly Console enable set port name 2 1 Backbone Connection Port 2 1 name set Console enable set port name 2 2 Wiring Closet Port 2 2 name set Console enable show port 2 Port Name Status Vlan Level Duplex Speed Type 2 1 Backbone Connectio connected trunk normal full 100...

Page 74: ...ole enable Configuring Flow Control on Gigabit Ethernet Ports To configure flow control on a Gigabit Ethernet port perform this task in privileged mode This example shows how to configure transmit and receive flow control and how to verify the flow control configuration Console enable set port flowcontrol send 2 1 on Port 2 1 flow control send administration status set to on port will send flowcon...

Page 75: ...e enable show port negotiation 2 1 Port Link Negotiation 2 1 enabled Console enable Disabling Port Negotiation To disable port negotiation on a 1000BASE X Gigabit Ethernet port perform this task in privileged mode This example shows how to disable port negotiation and verify the configuration Console enable set port negotiation 2 1 disable Port 2 1 negotiation disabled Console enable show port neg...

Page 76: ...ets through the network using traceroute Console enable ping somehost somehost is alive Console enable traceroute somehost traceroute to somehost company com 10 1 2 3 30 hops max 40 byte packets 1 engineering 1 company com 173 31 192 206 2 ms 1 ms 1 ms 2 engineering 2 company com 173 31 196 204 2 ms 3 ms 2 ms 3 gateway_a company com 173 16 1 201 6 ms 3 ms 3 ms 4 somehost company com 10 1 2 3 3 ms ...

Page 77: ...rnet and Gigabit Ethernet modules refer to the Catalyst 4000 Family Installation Guide Note For complete syntax and usage information for the commands that are used in this chapter refer to the Catalyst 4500 Series Catalyst 2948G Catalyst 2948G GE TX and Catalyst 2980G Switches Command Reference This chapter consists of these sections Understanding How EtherChannel Works page 6 1 PAgP and LACP pag...

Page 78: ...the EtherChannel Configuration Guidelines and Restrictions section on page 6 3 and Chapter 11 Configuring VLAN Trunks on Fast Ethernet and Gigabit Ethernet Ports Understanding Frame Distribution EtherChannel distributes frames across the links in a channel based on the low order bits of the source and destination MAC addresses of each frame The frame distribution method is not configurable Hardwar...

Page 79: ...ink failure and its traffic is transferred to one of the remaining ports in the EtherChannel You cannot assign a port to more than one channel group at the same time Ports with different port path costs set by the set spantree portcost command can form an EtherChannel as long as they are otherwise compatibly configured Setting different port path costs does not by itself make ports incompatible fo...

Page 80: ...Channel s interaction with other features An EtherChannel will not form with ports that have different GARP VLAN Registration Protocol GVRP GARP Multicast Registration Protocol GMRP and quality of service QoS configurations An EtherChannel will not form with ports where the port security feature is enabled Do not enable the port security feature for ports in an EtherChannel An EtherChannel will no...

Page 81: ...ribes each mode Both the auto and desirable modes allow ports to negotiate with connected ports to determine if they can form a channel based on criteria such as port speed trunking state native VLAN and so on Table 6 1 Channel Modes Mode Description on Forces the port to channel without negotiation PAgP packets are not exchanged The port is channeling regardless of how the peer port is configured...

Page 82: ...nistrative group number creates a new automatically numbered administrative group consisting of the ports that you configure as an EtherChannel An administrative group can contain a maximum of eight ports You can define an EtherChannel administrative group without forming an EtherChannel Only ports that belong to the same administrative group can form a single EtherChannel In addition to the admin...

Page 83: ...d on 57 835 Port Device ID Port ID Platform 3 5 069003103 5500 3 5 WS C4000 3 6 069003103 5500 3 6 WS C4000 Console enable Defining an EtherChannel Administrative Group You can define EtherChannel administrative groups manually to identify groups of ports that are allowed to form an EtherChannel bundle When you create an EtherChannel port bundle an administrative group is defined automatically Adm...

Page 84: ...annel Spanning Tree Port Cost To set the spanning tree port cost for an EtherChannel perform this task in privileged mode This example shows how to set the EtherChannel port path cost for channel ID 768 Console enable show channel group 20 Admin Port Status Channel Channel group Mode id 20 1 1 notconnect on 768 20 1 2 connected on 768 Admin Port Device ID Port ID Platform group 20 1 1 20 1 2 06651...

Page 85: ... in privileged mode This example shows how to set the EtherChannel VLAN cost for channel ID 768 Console enable show channel group 20 Admin Port Status Channel Channel group Mode id 20 1 1 notconnect on 768 20 1 2 connected on 768 Admin Port Device ID Port ID Platform group 20 1 1 20 1 2 066510644 cat26 lnf NET25 2 1 WS C6009 Console enable Console enable set channel vlancost 768 12 Channel 768 vla...

Page 86: ...rame Distribution Method mac both Port Status Channel Admin Channel Speed Duplex Vlan mode group id 3 5 connected on 56 835 a 100 a full 1 3 6 connected on 56 835 a 100 a full 1 Port ifIndex Oper group Neighbor Oper Distribution PortSecurity Oper group Method Dynamic port 3 5 377 1 mac both 3 6 377 1 mac both Port Device ID Port ID Platform 3 5 069003103 5500 3 5 WS C4000 3 6 069003103 5500 3 6 WS...

Page 87: ...gistration applicant 3 5 disabled normal normal 3 6 disabled normal normal Port Qos Tx Qos Rx Qos Trust Qos DefCos 3 5 untrusted 0 3 6 untrusted 0 Console enable Displaying EtherChannel Traffic Statistics To display EtherChannel traffic statistics perform this task in privileged mode This example shows how to display EtherChannel traffic statistics information for EtherChannel ID 835 Console show ...

Page 88: ...e enable EtherChannel Configuration Examples These sections contain Fast and Gigabit EtherChannel configuration examples Configuration Example of a Four Port Fast EtherChannel page 6 12 Configuration Example of a Two Port Gigabit EtherChannel page 6 14 Note For examples of configuring VLAN trunks on EtherChannel port bundles see the Example VLAN Trunk Configurations section on page 11 9 Configurat...

Page 89: ...et vlan 50 3 1 4 VLAN 50 modified VLAN 1 modified VLAN Mod Ports 50 3 1 4 Switch_B enable set port speed 3 1 4 100 Ports 3 1 4 transmission speed set to 100Mbps Switch_B enable set port duplex 3 1 4 full Ports 3 1 4 set to full duplex Switch_B enable Step 2 Confirm the channeling status of the switches using the show port channel command Switch_A enable show port channel No ports channelling Switc...

Page 90: ...ort 3 4 left bridge port 3 1 4 PAGP 5 PORTTOSTP Port 3 1 joined bridge port 3 1 4 PAGP 5 PORTTOSTP Port 3 2 joined bridge port 3 1 4 PAGP 5 PORTTOSTP Port 3 3 joined bridge port 3 1 4 PAGP 5 PORTTOSTP Port 3 4 joined bridge port 3 1 4 Step 4 After the EtherChannel bundle is negotiated enter the show port channel command to verify the configuration Switch_A enable show port channel Port Status Chan...

Page 91: ...enable Switch_B enable show port channel No ports channelling Switch_B enable Step 3 In this example configure EtherChannel as on for all ports If you configure ports on you must configure the ports on both ends of the EtherChannel bundle on The switches will not negotiate an EtherChannel port bundle automatically in on mode The system logging messages provide information about the formation of th...

Page 92: ...tus device port 3 1 connected on channel WS C4003 JAB023806JR 2 1 3 2 connected on channel WS C4003 JAB023806JR 2 2 Switch_B enable Understanding LACP Use the information in these sections if you are configuring EtherChannel using LACP If you are using PAgP see the Understanding PAgP section on page 6 5 LACP Modes You may manually turn on channeling by setting the port channel mode to on and you m...

Page 93: ...g factors determine a port s ability to aggregate with other ports Port physical characteristics such as data rate duplex capability and point to point or shared medium Configuration constraints that you establish When enabled LACP always tries to configure the maximum number of compatible ports in a channel up to the maximum that is allowed by the hardware eight ports If LACP is not able to aggre...

Page 94: ...ACP Statistics page 6 21 Displaying EtherChannel Traffic Utilization page 6 21 Disabling an EtherChannel page 6 22 Displaying Spanning Tree Related Information for EtherChannels page 6 22 Note Before you configure the EtherChannel see the EtherChannel Configuration Guidelines and Restrictions section on page 6 3 Specifying the EtherChannel Protocol Note The default protocol is PAgP Note You can sp...

Page 95: ...t Priority The port priority value must be a number in the range of 1 255 where higher numbers represent lower priority The default priority is 128 To specify the port priority perform this task in privileged mode This example shows how to specify the port priority as 10 for ports 1 1 to 1 4 and 2 6 to 2 8 Console enable set port lacp channel 1 1 4 2 6 8 port priority 10 Port s 1 1 4 2 6 8 port pr...

Page 96: ...e perform this task in privileged mode This example assigns ports 4 1 to 4 4 the same administrative key allowing the system to pick its value Console enable set port lacp channel 4 1 4 Port s 4 1 4 are assigned to admin key 96 Console enable This example shows how to assign ports 4 4 to 4 6 the administrative key 96 you specify the 96 In this example the administrative key was previously assigned...

Page 97: ...VLAN Cost You can specify the channel VLAN cost with a global command that configures both LACP and PAgP See the Setting the EtherChannel Spanning Tree Port VLAN Cost section on page 6 9 for information Clearing LACP Statistics To clear LACP statistics perform this task in privileged mode This example shows how to clear LACP statistics Console enable clear lacp channel statistics LACP channel coun...

Page 98: ...els You can display the channel ID and the truncated port list for all ports that are channeling Ports that are not channeling are identified by their port number To display spanning tree related information for EtherChannels perform this task These examples show how to display spanning tree related information for EtherChannels Console show spantree 4 6 Port Vlan Port State Cost Priority Portfast...

Page 99: ...ng Spanning Tree PortFast BPDU Guard BPDU Filter UplinkFast BackboneFast and Loop Guard This chapter consists of these sections Understanding How STPs Work page 7 2 Understanding How PVST and MISTP Modes Work page 7 11 Understanding How Bridge Identifiers Work page 7 13 Understanding How MST Works page 7 14 Using MISTP PVST or MISTP page 7 30 Configuring a Root Switch page 7 39 Configuring Spannin...

Page 100: ... on page 7 2 In Ethernet networks only one active path may exist between any two stations Multiple active paths between stations can cause loops in the network When loops occur some switches recognize stations on both sides of the switch This situation causes the forwarding algorithm to malfunction allowing duplicate frames to be forwarded Spanning tree algorithms provide path redundancy by defini...

Page 101: ...itch A might not be the ideal root switch You can force a switch to become the root switch by increasing the priority lowering the priority number on the preferred switch This action causes the spanning tree to recalculate the topology and make the selected switch the root switch Figure 7 1 Configuring a Loop Free Topology You can also change the priority of a port to make it the root port When th...

Page 102: ...gh which frames will be forwarded to the root A port for each switch is selected This is the port that provides the best path from the switch to the root switch Ports included in the STP are selected Calculating and Assigning Port Costs By calculating and assigning the port cost of the switch ports you can ensure that the shortest lowest cost distance to the root switch is used to transmit data Yo...

Page 103: ...o the bandwidth of the aggregate link for example if a 10 Mbps link is removed from a 10 Gbps aggregate link Because of the limitations that are presented by automatically recalculating the topology 802 1t states that changes in bandwidth will not result in changes to the cost of the port concerned Therefore the aggregated port uses the same port cost parameters as a standalone port Understanding ...

Page 104: ...king Protocol VTP When you enable spanning tree every switch in the network goes through the blocking state and the transitory states of listening and learning at power up If properly configured each port stabilizes into the forwarding or blocking state When the spanning tree algorithm places a port in the forwarding state the following occurs The port is put into the listening state while it wait...

Page 105: ...blocking state performs as follows Discards frames that are received from the attached segment Discards frames that are switched from another port for forwarding Does not incorporate station location into its address database there is no learning on a blocking port so there is no address database update Receives BPDUs and directs them to the system module Does not transmit BPDUs that are received ...

Page 106: ...e is no learning at this point so there is no address database update Receives BPDUs and directs them to the system module Processes BPDUs that are received from the system module Receives and responds to network management messages Learning State A port in the learning state prepares to participate in frame forwarding The port enters the learning state from the listening state Figure 7 5 shows a ...

Page 107: ...location into its address database Receives BPDUs and directs them to the system module Receives processes and transmits BPDUs that are received from the system module Receives and responds to network management messages Forwarding State A port in the forwarding state forwards frames as shown in Figure 7 6 The port enters the forwarding state from the learning state Filtering database Frame forwar...

Page 108: ...eives and responds to network management messages Caution Use spanning tree PortFast mode only on ports that are directly connected to individual workstations to allow these ports to come up and go directly to the forwarding state instead of going through the entire spanning tree initialization To prevent illegal topologies enable spanning tree on ports that are connected to switches or other devi...

Page 109: ...station location into its address database there is no learning so there is no address database update Receives BPDUs but does not direct them to the system module Does not receive BPDUs for transmission from the system module Receives and responds to network management messages Understanding How PVST and MISTP Modes Work Catalyst 4500 series switches provide two proprietary spanning tree modes ba...

Page 110: ...apid PVST uses the same configuration as PVST and you need only minimal extra configuration With Rapid PVST dynamic CAM entries are flushed immediately per port upon any topology change UplinkFast and BackboneFast are enabled but not active in this mode because the functionality is built into the rapid STP This method provides for quick recovery of connectivity following the failure of a bridge br...

Page 111: ...lain how MAC addresses are used in PVST and MISTP as unique bridge identifiers MAC Address Allocation Catalyst 4000 series switches have a pool of 1024 MAC addresses that can be used as bridge identifiers for VLANs running under PVST or for MISTP instances The Catalyst 4500 series switches have a pool of only 64 MAC addresses You can use the show module command to view the MAC address range MAC ad...

Page 112: ...tratively and you use the same configuration in the new Catalyst 4500 series switch then the switch remains the root switch and the spanning tree topology does not change For more information on migrating your supervisor engine from a Catalyst 4006 switch to a Catalyst 4500 series switch see the Migrating a Supervisor Engine II from a Catalyst 4006 Switch to a Catalyst 4500 Series Switch section o...

Page 113: ...These spanning trees are referred to as MST instances MSTIs The IST is numbered 0 and the MSTIs are numbered 1 2 3 and so on Any given MSTI is local to the MST region that is independent of MSTIs in another region even if the MST regions are interconnected MST instances combine with the IST at the boundary of MST regions to become the CST as follows Spanning tree information for an MSTI is contain...

Page 114: ...RSTP when you configure the MST feature For more information see the Configuring MST section on page 7 46 RSTP provides backward compatibility with 802 1D bridges as follows RSTP selectively sends 802 1D configured BPDUs and Topology Change Notification TCN BPDUs on a per port basis When a port initializes the Migration Delay timer starts and RSTP BPDUs are transmitted While the Migration Delay ti...

Page 115: ...iscarding state MST to SST Interoperability A virtual bridged LAN may contain interconnected regions of SST and MST bridges See Figure 7 8 Figure 7 8 Network with Interconnected SST and MST Regions Table 7 3 Comparison Between STP and RSTP Port States Operational Status STP Port State RSTP Port State Port Included in Active Topology Enabled Blocking1 1 IEEE 802 1D port state designation Discarding...

Page 116: ...ST regions that are established by MST Loop prevention is achieved by either of the following Blocking the appropriate pseudobridge ports by allowing one forwarding port on the boundary and blocking all other ports Setting the CST partitions to block the ports of the SST regions A pseudobridge differs from a single SST bridge because the BPDUs that are sent from the pseudobridge s ports have diffe...

Page 117: ...s the only member of the MST region An MST bridge that is interconnected by a LAN A LAN s designated bridge has the same MST configuration as an MST bridge All the bridges on the LAN can process MST BPDUs If you connect two MST regions with different MST configurations the MST regions do the following Load balance across redundant paths in the network If two MST regions are redundantly connected a...

Page 118: ...nected by it does not have a bridge These ports start forwarding as soon as the link is up MST requires that all ports are configured for each host or router To establish rapid connectivity after a failure you need to block the nonedge designated ports of an intermediate bridge If the port connects to another bridge that can send back an agreement then the port starts forwarding immediately Otherw...

Page 119: ...ogy where you configure MST switches all in the same region to interact with PVST switches that have VLANs 1 100 set up to span throughout the network Configure the root for all VLANs inside the MST region The ports that belong to the MST switch at the boundary simulate PVST and send PVST BPDUs for all the VLANs This example shows the ports simulating PVST Console enable show spantree mst 3 Spanni...

Page 120: ...ive and process one BPDU during each configured time period A VLAN might not receive the BPDU as scheduled If the BPDU is not received on a VLAN at the configured time interval the BPDU is skewed Spanning tree uses the Hello Time see the Configuring the Hello Time section on page 7 44 to detect when a connection to the root switch exists through a port and when that connection is lost This feature...

Page 121: ...he VLAN bridge priority with the system ID extension the ID of the VLAN To set the spanning tree bridge priority for a VLAN perform this task in privileged mode Table 7 4 PVST Default Configuration Feature Default Value VLAN 1 All ports assigned to VLAN 1 Enable state PVST enabled for all VLANs MAC address reduction Disabled Bridge priority 32 768 Bridge ID priority 32 769 bridge priority plus sys...

Page 122: ...st Channel_id 1 1 1 not connected 4 32 disabled 0 1 2 1 not connected 4 32 disabled 0 2 1 1 not connected 100 32 disabled 0 2 2 1 not connected 100 32 disabled 0 This example shows how to set the PVST bridge ID priority when MAC reduction is enabled Console enable set spantree priority 32768 1 Spantree 1 bridge ID priority set to 32769 bridge priority 32768 sys ID extension 1 Console enable show s...

Page 123: ...io Portfast Channel_id 1 1 1 not connected 4 32 disabled 0 1 2 1 not connected 4 32 disabled 0 2 1 1 not connected 100 32 disabled 0 2 2 1 not connected 100 32 disabled 0 2 3 1 forwarding 12 32 disabled 0 2 4 1 not connected 100 32 disabled Configuring PVST Port Priority You can configure the port priority of switch ports in PVST mode The port with the lowest priority value forwards frames for all...

Page 124: ...u enable UplinkFast the actual cost is incremented by 3000 The long mode has these parameters Portcost Portvlancost When you enable UplinkFast the actual cost is incremented by 10 000 000 EtherChannel computes the cost of a bundle using the formula AVERAGE_COST NUM_PORT The default port cost mode in PVST is short For port speeds of 10 Gb and greater you must set the default port cost mode to long ...

Page 125: ... VLAN The port VLAN priority value must be lower than the port priority value To configure the port VLAN priority for a port perform this task in privileged mode This example shows how to configure the port VLAN priority on a port Console enable set spantree portvlanpri 2 3 16 6 Port 2 3 vlans 6 using portpri 16 Port 2 3 vlans 1 5 7 800 802 1004 1006 4094 using portpri 32 Port 2 3 vlans 801 1005 u...

Page 126: ...commend disabling spanning tree even in a topology that is free of physical loops Spanning tree serves as a safeguard against misconfigurations and cabling errors Do not disable spanning tree in a VLAN without ensuring that there are no physical loops present in the VLAN To disable PVST mode perform this task in privileged mode This example shows how to disable PVST on a VLAN Console enable set sp...

Page 127: ...t State Role Cost Prio Type 6 1 forwarding ROOT 20000 16 Shared PEER STP Console This example shows how to verify the link type edge port and guard type for port 3 6 Console show spantree 3 6 Port 3 6 Edge Port No Configured Default Port Guard Default Link Type P2P Configured Auto Port VLAN State Role Cost Prio Type 3 6 1 listening DESG 20000 32 P2P 3 6 2 listening DESG 20000 32 P2P 3 6 3 listenin...

Page 128: ...es to run MISTP To use MISTP mode you first enable an MISTP instance and then map at least one VLAN to the instance You must have at least one forwarding port in the VLAN for the MISTP instance to be active If you are changing a switch from PVST mode to MISTP mode and you have other switches in the network that are using PVST you must first enable MISTP PVST mode on each switch on which you intend...

Page 129: ...ce you map a VLAN to an MISTP instance you can Telnet to the switch To change from PVST to MISTP PVST or MISTP perform this task in privileged mode This example shows how to set a switch to MISTP PVST mode Console enable set spantree mode mistp pvst PVST database cleaned up Spantree mode set to MISTP PVST Warning There are no VLANs mapped to any MISTP instance Console enable You can display VLAN t...

Page 130: ...mbines the bridge priority value with the system ID extension the ID of the MISTP instance to create the bridge ID priority You can set 16 possible bridge priority values 0 4096 8192 12 288 16 384 20 480 24 576 28 672 32 768 36 864 40 960 45 056 49 152 53 248 57 344 and 61 440 To configure the bridge ID priority for an MISTP instance perform this task in privileged mode The example shows how to co...

Page 131: ... Cost You can configure the port cost of switch ports When forwarding frames the switch is more likely to use ports with lower port costs Assign lower numbers to ports that are attached to faster media such as full duplex and higher numbers to ports that are attached to slower media The possible range is from 1 65 535 The default differs for different media Path cost is typically equal to 1000 LAN...

Page 132: ...y of switch ports The port with the lowest priority value forwards frames for all VLANs The possible port priority value is from 0 63 the default is 32 If all ports have the same priority value the port with the lowest port number forwards frames To configure the port priority for a port perform this task in privileged mode This example shows how to configure the port priority and verify the confi...

Page 133: ...faster media such as full duplex and higher numbers to ports that are attached to slower media The default cost differs for different media The possible value for port instance cost is from 1 268435456 To configure the port instance cost for a port perform this task in privileged mode This example shows how to configure the MISTP port instance cost on a port Console enable set spantree portinstanc...

Page 134: ... instances at once using the all keyword Note The software does not display the status of an MISTP instance until it has a VLAN with an active port mapped to it To enable an MISTP instance perform this task in privileged mode Note Enter the active keyword to display active ports only This example shows how to enable an MISTP instance Console enable set spantree enable mistp instance 2 Spantree 2 e...

Page 135: ...rity 49152 sys ID ext 1 VLANs mapped 6 Bridge Max Age 20 sec Hello Time 2 sec Forward Delay 15 sec Port Inst Port State Cost Prio Portfast Channel_id 2 12 1 forwarding 22222222 40 disabled 0 Determining an MISTP Instance VLAN Mapping Conflicts A VLAN can only be mapped to one MISTP instance If you attempt to map a VLAN to more than one instance all of its ports are set to blocking mode You can use...

Page 136: ... will expire and be removed from the table The timer is restarted every time an incoming BPDU confirms the mapping Entries pertaining to the root switch show inactive on the root switch itself The following examples are with VTP version 3 enabled The root switch is also the primary server for the nonroot switch The root switch is not the primary server for the switch in conflict because that switc...

Page 137: ...ee on an MISTP instance the instance still exists on the switch all of the VLANs mapped to it have all of their ports forwarding and the instance BPDUs are flooded To disable an MISTP instance perform this task in privileged mode This example shows how to disable an MISTP instance Console enable set spantree disable mistp instance 2 MI STP instance 2 disabled Configuring a Root Switch This section...

Page 138: ... time set to 14 seconds VLANs 1 10 bridge hello time set to 2 seconds VLANs 1 10 bridge forward delay set to 9 seconds Switch is now the root switch for active VLANs 1 6 Console enable To configure a switch as the primary root switch for an instance perform this task in privileged mode This example shows how to configure the primary root for an instance Console enable set spantree root mistp insta...

Page 139: ...h is now the root switch for active Instances 1 6 Console enable Configuring a Root Switch to Improve Convergence You can configure the root switch to speed up STP convergence time by reducing the value of the Hello Time Forward Delay Timer and Maximum Age Timer parameters For more information see the Configuring Spanning Tree Timers section on page 7 44 Note Reducing the timer parameters is possi...

Page 140: ...panning tree Hello Time Forward Delay Timer and Maximum Age Timer to 2 4 and 6 seconds Console enable set spantree hello 2 100 Spantree 100 hello time set to 7 seconds Console enable Console enable set spantree fwddelay 4 100 Spantree 100 forward delay set to 21 seconds Console enable Console enable set spantree maxage 6 100 Spantree 100 max aging time set to 36 seconds Console enable Parameter Ti...

Page 141: ...event switches from becoming root perform this task in privileged mode Displaying Spanning Tree BPDU Statistics Enter the show spantree statistics bpdu command to display the total number of spanning tree BPDUs transmitted received processed and dropped The command also provides the rate of the BPDUs in seconds The BPDU counters are cleared using the clear spantree statistics bpdu command or when ...

Page 142: ...a VLAN or an MISTP instance perform this task in privileged mode This example shows how to configure the spanning tree Hello time for VLAN 100 to 7 seconds Console enable set spantree hello 7 100 Spantree 100 hello time set to 7 seconds Console enable This example shows how to set the spantree Hello time for an instance to 3 seconds Console enable set spantree hello 3 mistp instance 1 Spantree 1 h...

Page 143: ...me Enter the set spantree maxage command to change the spanning tree maximum aging time for a VLAN or an instance The possible range for agingtime is from 6 40 seconds To configure the spanning tree maximum aging time for a VLAN or an instance perform this task in privileged mode This example shows how to configure the spanning tree maximum aging time for VLAN 100 to 36 seconds Console enable set ...

Page 144: ...e ID MAC ADDR 00 10 7b bb 2f 00 Bridge ID Priority 32768 Bridge Max Age 20 sec Hello Time 2 sec Forward Delay 15 sec Port Vlan Port State Cost Prio Portfast Channel_id 6 1 1 forwarding 4 32 disabled 0 6 2 1 blocking 4 32 disabled 0 Console enable Task Command Step 1 Begin in PVST mode set spantree mode mst mistp pvst mistp pvst mst Step 2 Display the STP ports show spantree active Step 3 Configure...

Page 145: ...ion Name cisco Revision 1 Instance VLANs IST 1 4094 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 Edit buffer is locked by Console pid 142 Console enable Console enable set spantree mst 1 vlan 2 10 Edit Buffer modified Use set spantree mst config commit to apply the changes Console enable set spantree mst 1 vlan 2 20 Edit Buffer modified Use set spantree mst config commit to apply the changes Console enable...

Page 146: ...ST 1 4094 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 NEW MST Region Configuration Not committed yet Configuration Name cisco Revision 1 Instance VLANs IST 1 51 4094 1 2 20 2 21 30 3 31 40 4 41 50 5 6 7 8 9 10 11 12 13 14 15 Edit buffer is locked by Console pid 142 Console enable Console enable set spantree mst config commit Console enable Console enable show spantree mst config Current NVRAM MST Region C...

Page 147: ...b bb 2f 00 IST Master ID Priority 32768 IST Master Path Cost 0 Remaining Hops 20 Bridge ID MAC ADDR 00 10 7b bb 2f 00 Bridge ID Priority 32768 bridge priority 32768 sys ID ext 0 Bridge Max Age 20 sec Hello Time 2 sec Forward Delay 15 sec Max Hops 20 Port State Role Cost Prio Type 6 1 forwarding ROOT 20000 32 P2P Boundary PVST 6 2 blocking ALTR 20000 32 P2P Boundary PVST Console enable show spantre...

Page 148: ... 5 6 7 8 9 10 11 12 13 14 15 Console enable Configuring the MST Bridge ID Priority You can set the bridge ID priority for an MST instance when the switch is in MST mode The switch combines the bridge priority value with the system ID extension the ID of the MST instance to create the bridge ID priority You can set 16 possible bridge priority values 0 4096 8192 12 288 16 384 20 480 24 576 28 672 32...

Page 149: ...ttached to faster media such as full duplex and higher numbers to ports that are attached to slower media The possible range is from 1 65 535 The default differs for different media The path cost is typically 1000 LAN speed in megabits per second To configure the port cost for a port perform this task in privileged mode This example shows how to configure the port cost on an MST instance and verif...

Page 150: ...0000 30 31 40 4 forwarding BDRY 10000 30 41 50 Console enable Configuring the MST Port Instance Cost You can configure the port instance cost for an instance of MST Ports with a lower instance cost are more likely to be chosen to forward frames You should assign lower numbers to ports that are attached to faster media such as full duplex and higher numbers to ports that are attached to slower medi...

Page 151: ...s frames for that instance The port instance range is from 0 63 If all ports have the same priority for an MST instance the port with the lowest port number forwards frames for that instance To configure the port instance priority on an MST instance perform this task in privileged mode This example shows how to configure the port instance priority on an MST instance and verify the configuration Co...

Page 152: ...T Follow these guidelines for mapping and unmapping VLANS to an MST instance You can only map Ethernet VLANs to MST instances At least one VLAN in the instance must have an active port in order for MST to be active You can map as many Ethernet VLANs as you wish to an MST instance You cannot map a VLAN to more than one MST instance The Hello Time Maximum Age timer and Forward Delay timer set for mo...

Page 153: ...show spantree mst config Current NVRAM MST Region Configuration Configuration Name cisco Revision 1 Instance VLANs IST 1 51 4094 1 2 20 2 21 30 3 31 40 4 41 50 5 6 7 8 9 10 11 12 13 14 15 NEW MST Region Configuration Not committed yet Configuration Name cisco Revision 2 Instance VLANs IST 1 51 899 1000 4094 1 2 20 2 21 30 3 31 40 4 41 50 5 6 7 8 9 10 11 12 13 14 900 999 15 Edit buffer is locked by...

Page 154: ... 21 30 3 31 40 4 41 50 5 6 7 8 9 10 11 12 13 14 15 NEW MST Region Configuration Not committed yet Configuration Name cisco Revision 2 Instance VLANs IST 1 51 998 1000 4094 1 2 20 2 21 30 3 31 40 4 41 50 5 6 7 8 9 10 11 12 13 14 999 15 Edit buffer is locked by Console pid 142 Console enable Console enable set spantree mst config commit Console enable Console enable show spantree mst config Current ...

Page 155: ... tree BPDU skewing feature perform these functions Allow you to enable or disable BPDU skewing The default is disabled Modify the show spantree summary output to show if the skew detection is enabled and for which VLANs or PVST or MISTP instances the skew was detected Provide a display of the VLAN or PVST or MISTP instance and the port that is affected by the skew and include this information The ...

Page 156: ...26 05 8 18 113833 113833 Tue Nov 21 2000 06 26 05 8 20 4111 113913 Tue Nov 21 2000 06 26 05 8 22 113917 113917 Tue Nov 21 2000 06 26 05 8 24 4110 113922 Tue Nov 21 2000 06 26 05 8 26 113926 113926 Tue Nov 21 2000 06 26 05 8 28 4111 113931 Tue Nov 21 2000 06 26 05 Console enable This example shows how to configure BPDU skewing for VLAN 1 on module 8 port 4 and view the skewing statistics Console en...

Page 157: ...2948G GE TX and Catalyst 2980G Switches Software Configuration Guide Release 8 2GLX 78 15908 01 Chapter 7 Configuring Spanning Tree Configuring Spanning Tree BPDU Skewing Blocking Listening Learning Forwarding STP Active Total 6 4 2 0 12 Console enable ...

Page 158: ...lyst 4500 Series Catalyst 2948G Catalyst 2948G GE TX and Catalyst 2980G Switches Software Configuration Guide Release 8 2GLX 78 15908 01 Chapter 7 Configuring Spanning Tree Configuring Spanning Tree BPDU Skewing ...

Page 159: ...mplete syntax and usage information for the commands that are used in this chapter refer to the Catalyst 4500 Series Catalyst 2948G Catalyst 2948G GE TX and Catalyst 2980G Switches Command Reference This chapter consists of these sections Understanding How PortFast Works page 8 2 Understanding How PortFast BPDU Guard Works page 8 2 Understanding How PortFast BPDU Filtering Works page 8 2 Understan...

Page 160: ...st mode is supported only on nontrunking access ports because these ports typically do not transmit or receive BPDUs The most secure implementation of PortFast is to enable it only on ports that connect end stations to switches Because PortFast can be enabled on nontrunking ports connecting two switches spanning tree loops can occur because BPDUs are still being transmitted and received on those p...

Page 161: ...d number of active VLANs This enhancement might not be useful for other types of applications and should not be enabled on backbone or distribution layer switches Figure 8 1 shows an example UplinkFast network topology Switch A the root switch is connected directly to Switch B over link L1 and to Switch C over link L2 The port on Switch C that is connected to Switch B over link L3 is in blocking s...

Page 162: ...ction to the root bridge An inferior BPDU identifies a single switch as both the root bridge and the designated bridge Under normal spanning tree rules the switch ignores inferior BPDUs for the configured maximum aging time specified by the set spantree maxage command The switch tries to determine if it has an alternate path to the root bridge If the inferior BPDU arrives on a blocked port the roo...

Page 163: ...ons the port on Switch C to the forwarding state providing a path from Switch B to Switch A This switchover takes approximately 30 seconds Figure 8 4 shows how BackboneFast reconfigures the topology to account for the failure of link L1 Figure 8 4 Example of BackboneFast after Indirect Link Failure If a new switch is introduced into a shared medium topology BackboneFast is not activated Figure 8 5...

Page 164: ... starts receiving BPDUs again Loop guard isolates the failure and lets spanning tree converge to a stable topology without the failed link or bridge You can enable loop guard per port with the set spantree guard loop command Note When you are in MST mode you can set all the ports on a switch with the set spantree global defaults loop guard command When you enable loop guard it is automatically app...

Page 165: ...rd on ports that are connected to a shared link Note We recommend that you enable loop guard on root ports and alternate root ports on access switches Loop guard interacts with other features as follows Loop guard does not affect the functionality of UplinkFast or BackboneFast Root guard forces a port to always be designated as the root port Loop guard is effective only if the port is a root port ...

Page 166: ...ks the channel even if other links in the channel are functioning properly If a set of ports that are already blocked by loop guard are grouped together to form a channel spanning tree loses all the state information for those ports and the new channel port may obtain the forwarding state with a designated role If a channel is blocked by loop guard and the channel breaks spanning tree loses all th...

Page 167: ... a switch port to a switch port If you enable PortFast on a port that is connected to another Layer 2 device such as a switch you might create network loops To enable PortFast on a trunk port perform this task in privileged mode This example shows how to enable PortFast on port 1 of module 4 of a trunk port bring the trunk port to a forwarding state and verify the configuration the PortFast status...

Page 168: ...This example shows how to disable PortFast on port 1 of module 4 Console enable set spantree portfast 4 1 disable Spantree port 4 1 fast start disabled Console enable To reset PortFast on a switch or trunk port to its default settings perform this task in privileged mode This example shows how to disable PortFast on port 1 of module 4 Console enable set spantree portfast 4 1 default Spantree port ...

Page 169: ...e PortFast feature is configured on an individual port and the PortFast BPDU guard option is configured either globally or on a per port basis When you disable PortFast on a port PortFast BPDU guard becomes inactive The port configuration overrides the global configuration unless the port configuration is set to default If the port configuration is set to default the global configuration is checke...

Page 170: ...0 0 4 4 3 0 0 0 4 4 4 0 0 0 4 4 5 0 0 0 4 4 6 0 0 0 4 4 10 0 0 0 4 4 20 0 0 0 4 4 999 0 0 0 4 4 1003 0 0 0 0 0 1005 0 0 0 0 0 Blocking Listening Learning Forwarding STP Active Total 0 0 0 85 85 Console enable Disabling PortFast BPDU Guard To disable PortFast BPDU guard perform this task in privileged mode This example shows how to disable PortFast BPDU guard on the switch and verify the configurat...

Page 171: ...nactive for that port To enable PortFast BPDU filtering perform this task in privileged mode Note For additional PVST information see Chapter 7 Configuring Spanning Tree By default BPDU filtering is set for each port This example shows how to enable PortFast BPDU filtering on the port and verify the configuration in PVST mode Console enable set spantree portfast bpdu filter 6 1 enable Warning Port...

Page 172: ...PortFast BPDU filtering on the switch and verify the configuration Console enable set spantree portfast bpdu filter disable Spantree portfast bpdu filter disabled on this switch Console enable show spantree summary Summary of connected spanning tree ports by vlan Portfast bpdu filter disabled for bridge Uplinkfast disabled for bridge Backbonefast disabled for bridge Vlan Blocking Listening Learnin...

Page 173: ...ering enabled The all protocols on keywords cause the switch to generate multicasts for each protocol filtering group On switches with both UplinkFast and protocol filtering enabled or if no other switches have protocol filtering enabled you do not need to use the all protocols on keywords Note When you enable UplinkFast it affects all VLANs on the switch You cannot configure UplinkFast on a per V...

Page 174: ...tion can be affected by this command You can disable only spanning tree UplinkFast processing on the switch using the set spantree uplinkfast disable command This command does not affect the bridge priority port cost and port VLAN cost values on the switch Note When you disable UplinkFast it affects all VLANs on the switch You cannot disable UplinkFast on a per VLAN basis To disable UplinkFast on ...

Page 175: ...r use with third party switches To enable BackboneFast on the switch perform this task in privileged mode This example shows how to enable BackboneFast on the switch and verify the configuration Console enable set spantree backbonefast enable Backbonefast enabled for all VLANs Console enable show spantree backbonefast Backbonefast is enabled Console enable Displaying BackboneFast Statistics To dis...

Page 176: ...ast disable Backbonefast enabled for all VLANs Console enable show spantree backbonefast Backbonefast is disabled Console enable Configuring Loop Guard The following sections describe how to configure loop guard Enabling Loop Guard Enter the set spantree guard command to enable spanning tree loop guard on a per port basis To set all the ports on the switch use the set spantree mst global defaults ...

Page 177: ...port basis To disable loop guard on all the ports on a switch use the set spantree mst global defaults loop guard command To disable loop guard on the switch perform this task in privileged mode This example shows how to disable loop guard on port 5 1 Console enable set spantree guard none 5 1 Rootguard is disabled on port 5 1 disabling loopguard will disable rootguard on this port Do you want to ...

Page 178: ...48G Catalyst 2948G GE TX and Catalyst 2980G Switches Software Configuration Guide Release 8 2GLX 78 15908 01 Chapter 8 Configuring Spanning Tree PortFast BPDU Guard BPDU Filter UplinkFast BackboneFast and Loop Guard Configuring Loop Guard ...

Page 179: ... VTP Version 1 and Version 2 page 9 6 Understanding How VTP Version 3 Works page 9 13 Default VTP Version 3 Configuration page 9 22 Configuring VTP Version 3 page 9 22 Understanding How VTP Version 1 and Version 2 Work VTP is a Layer 2 messaging protocol that maintains VLAN configuration consistency by managing the addition deletion and renaming of VLANs on a network wide basis VTP minimizes misco...

Page 180: ...nk it inherits the management domain name and the VTP configuration revision number The switch ignores advertisements with a different management domain name or an earlier configuration revision number If you configure the switch as VTP transparent you can create and modify VLANs but the changes affect only the individual switch When you make a change to the VLAN configuration on a VTP server the ...

Page 181: ... 1Q VTP domain name VTP configuration revision number VLAN configuration including the maximum transmission unit MTU size for each VLAN Frame format Understanding VTP Version 2 If you use VTP in your network you must decide whether to use VTP version 1 version 2 or version 3 for details on version 3 see the Understanding How VTP Version 3 Works section on page 9 13 VTP version 2 supports the follo...

Page 182: ...t use to access the appropriate network devices By default VTP pruning is disabled Make sure that all devices in the management domain support VTP pruning before enabling it Figure 9 1 shows a switched network without VTP pruning enabled Port 1 on Switch 1 and port 2 on Switch 4 are assigned to the Red VLAN A broadcast is sent from the host that is connected to Switch 1 Switch 1 floods the broadca...

Page 183: ...annot be pruned To make a VLAN pruning ineligible enter the clear vtp pruneeligible command To make a VLAN pruning eligible again enter the set vtp pruneeligible command You can set VLAN pruning eligibility regardless of whether VTP pruning is enabled or disabled for the domain Pruning eligibility always applies to the local device only not for the entire VTP domain Default VTP Version 1 and Versi...

Page 184: ...ed by default Do not enable VTP version 2 on a switch unless all of the switches in the same VTP domain are version 2 capable When you enable VTP version 2 on a switch all of the version 2 capable switches in the domain enable VTP version 2 Enabling or disabling VTP pruning on a VTP server enables or disables VTP pruning for the entire management domain Making VLANs pruning eligible or pruning ine...

Page 185: ...3 capable Domain Name Lab_Network Password configured hidden Notifications disabled Updater ID 172 20 52 19 Feature Mode Revision VLAN Server 0 Pruning disabled VLANs prune eligible 2 1000 Console enable Configuring a VTP Client When a switch is in VTP client mode you cannot change the VLAN configuration on the switch The client switch receives VTP updates from a VTP server in the management domai...

Page 186: ...ches However a VTP transparent switch running VTP version 2 does forward received VTP advertisements out all of its trunk links Note Network devices in VTP transparent mode do not send VTP join messages On Catalyst 4500 series switches with trunk connections to network devices in VTP transparent mode configure the VLANs that are used by the transparent mode network devices or that need to be carri...

Page 187: ...gured hidden Notifications disabled Updater ID 172 20 52 19 Feature Mode Revision VLAN Off 0 Pruning disabled VLANs prune eligible 2 1000 Console enable Enabling VTP Version 2 VTP version 2 is disabled by default on VTP version 2 capable switches When you enable VTP version 2 on a switch every VTP version 2 capable switch in the VTP domain will enable version 2 as well Caution VTP version 1 and VT...

Page 188: ...abled Updater ID 172 20 52 19 Feature Mode Revision VLAN Off 0 Pruning disabled VLANs prune eligible 2 1000 Console enable Disabling VTP Version 2 To disable VTP version 2 perform this task in privileged mode This example shows how to disable VTP version 2 Console enable set vtp version 1 This command will enable VTP version 1 function in the entire management domain Warning trbrf trcrf vlans will...

Page 189: ...ll not be pruned on this device VTP domain Lab_Network modified Console enable set vtp pruneeligible 250 255 Vlans 2 99 250 255 501 1000 1024 4094 eligible for pruning on this device VTP domain Lab_Network modified Console enable show vtp domain Version running VTP1 VTP3 capable Domain Name Lab_Network Password configured hidden Notifications disabled Updater ID 172 20 52 19 Feature Mode Revision ...

Page 190: ...fied Console enable Displaying VTP Statistics To display VTP statistics including the VTP advertisements that are sent and received and VTP errors perform this task This example shows how to display VTP statistics on the switch Console enable show vtp statistics VTP statistics summary advts received 0 subset advts received 0 request advts received 0 summary advts transmitted 7843 subset advts tran...

Page 191: ...database that is associated with a given feature VTP version 3 handles the configuration propagation of multiple databases features independent of one another by running multiple instances of the protocol Note In software release 8 1 1 the only supported database propagation is for the VLAN database These sections describe VTP version 3 VTP Version 3 Authentication page 9 13 VTP Version 3 Per Port...

Page 192: ...ocols For more information on per port configuration options see the Disabling VTP Version 3 on a Per Port Basis section on page 9 29 VTP Version 3 Domains Modes and Partitions The main differences between VTP version 3 domains and modes and VTP version 1 and VTP version 2 are as follows A VTP version 3 server can be configured as primary or secondary VTP version 3 modes server client and transpar...

Page 193: ...entication section on page 9 13 VTP version 3 switches lock on the primary server that generated their configuration and only listen to further VTP database updates from this primary server This process differs significantly from VTP version 1 and VTP version 2 where a switch would always accept a superior configuration from a neighbor in the same domain A VTP version 3 switch accepts only a super...

Page 194: ...rtion of a misconfigured switch If a new switch is added to a domain it will not propagate its configuration until you manually designate it as the new primary server For information on using the takeover mechanism to reconfigure partitioned VTP domains see the Reconfiguring a Partitioned VTP Domain section on page 9 16 Reconfiguring a Partitioned VTP Domain Partitioning of a VTP domain is specifi...

Page 195: ...onflicting configurations when you enter the show vtp conflicts command and prompts you for confirmation before taking over a server has conflicting information if it belongs to the same VTP domain but has a different primary server The takeover leaves this switch server X in Figure 9 5 as the only primary server controlling the VTP domain If you have a hidden password configured you need to reent...

Page 196: ...on 3 Modes section on page 9 23 Client Mode VTP version 3 clients are similar to VTP version 1 and VTP version 2 clients as follows A VTP client accepts a VTP configuration from the network but cannot generate or alter the configuration A VTP client stores the VTP configuration that it receives in RAM not NVRAM When a VTP client boots it needs to reacquire the entire configuration that is propagat...

Page 197: ...ver A change in the mode configuration Any VTP domain configuration change such as version domain name or domain password Transparent and VTP Off Modes In VTP version 3 the transparent mode is specific to the instance The off mode in VTP version 3 is similar to the previous VTP versions and is not specific to an instance In both modes you are allowed to configure locally the features that VTP is c...

Page 198: ...in related parameter such as the domain name VTP version and the authentication method password all the databases become invalidated In addition to invalidating the databases configuring a domain related parameter also reverts a primary server to a secondary server When you change a domain parameter the switch is inserted into a new domain To prevent the wrong database from accidentally being inse...

Page 199: ... 2 packet on the trunk This situation forces legacy neighboring switches to keep advertising their presence on the link If a VTP version 3 switch does not receive a legacy packet on a trunk for a certain period of time it is considered to be a VTP version 3 only trunk and does not advertise a scaled down version of the VLAN database on the trunk Even when advertising a VTP version 2 database on a ...

Page 200: ...Configuring VTP Version 3 These sections describe how to configure VTP version 3 Enabling VTP Version 3 page 9 22 Changing VTP Version 3 Modes page 9 23 Configuring VTP Version 3 Passwords page 9 27 Configuring a VTP Version 3 Takeover page 9 28 Disabling VTP Version 3 on a Per Port Basis page 9 29 VTP Version 3 show Commands page 9 30 Enabling VTP Version 3 Use the set vtp version version_number ...

Page 201: ...2 1000 Console enable Changing VTP Version 3 Modes Note For more information on the modes in VTP version 3 see the VTP Version 3 Modes section on page 9 18 Each database is propagated by an instance of the VTP protocol As these instances are independent they can operate in different modes The set vtp mode command allows you to set the mode for a particular VTP instance The VTP instance is identifi...

Page 202: ...Console enable show vtp domain Version running VTP3 Domain Name ENG Password not configured Notifications disabled Switch ID 00d0 004c 1800 Feature Mode Revision Primary ID Primary Description VLAN Server 0 0000 0000 0000 UNKNOWN Off Pruning disabled VLANs prune eligible 2 1000 Console enable Configuring a VTP Version 3 Client When a switch is in VTP client mode you cannot change the VLAN configur...

Page 203: ...switch as VTP transparent you disable VTP on the switch A VTP transparent switch does not send VTP updates and does not act on VTP updates that are received from other switches Note Network devices in VTP transparent mode do not send VTP join messages On Catalyst 4500 series switches with trunk connections to network devices in VTP transparent mode configure the VLANs that are used by the transpar...

Page 204: ...ot forwarded To disable VTP using the off mode perform this task in privileged mode This example shows how to disable VTP using the off mode Console enable set vtp mode off Changing VTP mode for all features VTP3 domain server modified Note Because there is only the VLAN database in release 8 1 1 and later releases if you do not specify the vlan keyword with the set vtp moder off command you will ...

Page 205: ...t vtp passwd command that can be shown in the configuration A plain text password or an encrypted hexadecimal secret value These two formats are exclusive if you configure a plain text password it replaces a current secret password and if you paste a secret password into the configuration the initial password is removed To configure VTP passwords perform this task in privileged mode This example s...

Page 206: ...eenter it If you do not specify the force keyword the switch tries to discover some conflicting servers in the domain Conflicting servers follow a different primary server than the one in the configuration of the local switch You are prompted by the local switch for confirmation before proceeding with the takeover The prompting is necessary because taking over the domain involves overwriting the c...

Page 207: ...ion 3 Per Port Configuration section on page 9 14 Use the set port vtp mod port enable disable command to enable or disable VTP on a per port basis This capability might be used on trunks leading to nontrusted hosts When you disable a port no VTP packets are sent on the port and any VTP packets that are received on the port are dropped By default VTP is enabled and advertisements are received and ...

Page 208: ...ith conflicting conflicts configurations Use the domain keyword to display information that is specific to the VTP domain and use the statistics keyword to display VTP statistics Switches in transparent or off mode are not part of the VTP domain and do not respond to requests In addition clients or servers that do not have a valid database do not respond to requests For complete syntax and usage i...

Page 209: ...ate VLANs page 10 16 Understanding How VLANs Work A VLAN is a group of end stations with a common set of requirements independent of physical location A VLAN has the same attributes as a physical LAN but allows you to group end stations even if the VLANs are not located physically on the same LAN segment VLANs allow you to group ports on a switch to limit unicast multicast and broadcast traffic fl...

Page 210: ... to any VLAN so that you can access another switch on the same VLAN directly without a router Only one IP address at a time can be assigned to the in band interface If you change the IP address and assign the interface to a different VLAN the previous IP address and VLAN assignment are overwritten You can set these parameters when you create a VLAN in the management domain VLAN number VLAN name VL...

Page 211: ...4 4095 Table 10 1 describes the VLAN ranges Table 10 1 VLAN Ranges VLANs Range Usage Propagated by VTP Y N 0 4095 Reserved range For system use only You cannot see or use these VLANs N A 1 Normal range Cisco default You can use this VLAN but you cannot delete it Yes 2 1000 Normal range Used for Ethernet VLANs you can create use and delete these VLANs Yes 1001 Reserved You cannot create or use this...

Page 212: ...ility is independent of any VTP version or mode VLAN number VLAN name VLAN type Ethernet FDDI and FDDINET VLAN state active or suspended Multi Instance Spanning Tree Protocol MISTP instance Private VLAN type primary isolated community two way community or none SAID MTU for the VLAN VLAN to use when translating from one VLAN media type to another VLANs 1 1005 only requires a different VLAN number f...

Page 213: ... By default the VLAN will be an Ethernet VLAN Note the following when creating or modifying extended range VLANs You can create only extended range Ethernet VLANs You can create and delete only extended range VLANs from the CLI or SNMP You cannot use VTP to manage these VLANs they must be statically configured on each switch You cannot use extended range VLANs if you have dot1q to isl mappings You...

Page 214: ...ormal range VLANs For more information see Chapter 9 Configuring VTP Note With VTP version 3 you can manage extended range VLANs 1025 4094 These VLANs are propagated with VTP version 3 Before configuring extended range VLANs VLANs 1025 4094 you must first enable MAC address reduction When you enable MAC address reduction the system commits the IDs for extended range VLANs After you enable MAC addr...

Page 215: ...ple shows how to change the vlan 500 name from Engineering to Development and verify the configuration Console enable set vlan 500 name Development Vlan 500 configuration successful Console enable show vlan 500 VLAN Name Status IfIndex Mod Ports Vlans 500 Development active 344 VLAN Type SAID MTU Parent RingNo BrdgNo Stp BrdgMode Trans1 Trans2 500 enet 100500 1500 0 0 VLAN AREHops STEHops Backup C...

Page 216: ...tive 362 VLAN Type SAID MTU Parent RingNo BrdgNo Stp BrdgMode Trans1 Trans2 500 enet 100500 1500 0 0 501 enet 100501 1500 0 0 502 enet 100502 1500 0 0 503 enet 100503 1500 0 0 520 enet 100520 1500 0 0 VLAN AREHops STEHops Backup CRF Console enable To modify VLAN parameters on an existing normal range VLAN perform this task in privileged mode This example shows how to change the state of an Etherne...

Page 217: ...set spantree macreduction enable MAC address reduction enabled Console enable set vlan 2000 Vlan 2000 configuration successful Console enable show vlan 2000 VLAN Name Status IfIndex Mod Ports Vlans 2000 VLAN2000 active 61 VLAN Type SAID MTU Parent RingNo BrdgNo Stp BrdgMode Trans1 Trans2 2000 enet 102000 1500 0 0 VLAN Inst DynCreated RSPAN 2000 static disabled VLAN AREHops STEHops Backup CRF 1q VL...

Page 218: ...tch Ports to a VLAN A VLAN that is created in a management domain remains unused until you assign one or more switch ports to the VLAN If you specify a VLAN that does not exist the VLAN is created and the specified ports are assigned to it To assign one or more switch ports to a VLAN perform this task in privileged mode This example shows how to assign switch ports to a VLAN and verify the assignm...

Page 219: ...is 1 1000 and 1002 1005 see Table 10 1 and 1025 4094 The valid range of VLANs that are specified in 802 1Q is 0 4095 In a network with non Cisco devices that are connected to Cisco switches through 802 1Q trunks you can map 802 1Q VLAN numbers that are greater than 1000 to ISL VLAN numbers If you use any VLANs in the extended range 1025 4094 for dot1q mappings you cannot use any of the extended ra...

Page 220: ...mapping perform this task in privileged mode This example shows how to clear the VLAN mapping for 802 1Q VLAN 2000 Console enable clear vlan mapping dot1q 2000 Vlan 2000 mapping entry deleted Console enable This example shows how to clear all 802 1Q to ISL VLAN mappings Console enable clear vlan mapping dot1q all All vlan mapping entries deleted Console enable Deleting a VLAN When you delete a VLA...

Page 221: ...ch The ports which are dedicated connections are described as follows Port 1 connects to the Catalyst 4500 series switch or other device that supports Voice over IP VoIP Port 2 is an internal 10 100 interface that carries the phone traffic Port 3 connects to a PC or other device Figure 10 2 shows how you can connect a Cisco IP Phone to a Catalyst 4500 series switch When the IP phone connects to a ...

Page 222: ...P addresses A new VLAN means a new subnet and a new set of IP addresses You can configure switch ports to send Cisco Discovery Protocol CDP packets that instruct an attached Cisco IP Phone to transmit voice traffic to the switch in these frame types 802 1Q frames carrying the auxiliary VLAN ID and Layer 2 CoS set to 5 the switch port drops all 802 1Q frames except those carrying the auxiliary VLAN...

Page 223: ...t With software release 6 2 1 and later releases dynamic ports can belong to two VLANs a native VLAN and an auxiliary VLAN See Chapter 12 Configuring Dynamic VLAN Membership with VMPS for configuration details for auxiliary VLANs Configuring Auxiliary VLANs To configure auxiliary VLANs perform this task in privileged mode This example shows how to add voice ports to auxiliary VLANs specify an enca...

Page 224: ...cates with all other private VLAN ports and is the port that you use to communicate with routers LocalDirector the CSS11000 backup servers and administrative workstations Note If a broadcast or multicast packet comes from the promiscuous port it is sent to all the ports in the private VLAN domain all the community and isolated ports An isolated port has complete Layer 2 separation including broadc...

Page 225: ...ty VLANs in this private VLAN After designating the VLANs you must bind them together and associate them to the promiscuous port You can extend private VLANs across multiple Ethernet switches by trunking the primary isolated and any community VLANs to other switches that support private VLANs In an Ethernet switched environment you can assign an individual VLAN and associated IP subnet to each ind...

Page 226: ...ANs note these hardware and software restrictions You can use the sc0 interface in a private VLAN that is assigned to either an isolated or community VLAN but not as a promiscuous port to a primary VLAN You cannot set private VLAN ports to trunking mode or channeling or have dynamic VLAN memberships If you attempt such a configuration a warning message is displayed and the command is rejected Isol...

Page 227: ...and community VLANs together or use SPAN on only one VLAN to separately monitor egress or ingress traffic IGMP snooping and multicast shortcuts are not supported in private VLANs You cannot enable EtherChannel on isolated community or promiscuous ports You cannot set a VLAN to a private VLAN if the VLAN has dynamic access control entries ACEs that are configured on it You can stop Layer 3 switchin...

Page 228: ...le set vlan 901 pvlan type isolated Vlan 901 configuration successful Console enable set vlan 902 pvlan type community Vlan 902 configuration successful Console enable set vlan 903 pvlan type community Vlan 903 configuration successful Console enable This example shows how to bind VLAN 901 to primary VLAN 7 and assign port 4 3 as the isolated port Console enable set pvlan 7 901 4 3 Successfully se...

Page 229: ...ping between 7 and 902 on 3 1 Console enable set pvlan mapping 7 903 3 1 Successfully set mapping between 7 and 903 on 3 1 This example shows how to verify the private VLAN configuration Console enable show vlan 7 VLAN Name Status IfIndex Mod Ports Vlans 7 VLAN0007 active 35 4 4 6 VLAN Type SAID MTU Parent RingNo BrdgNo Stp BrdgMode Trans1 Trans2 7 enet 100010 1500 0 0 VLAN DynCreated RSPAN 7 stat...

Page 230: ...n the following configuration Console enable set pvlan 10 20 Console enable set pvlan mapping 10 20 3 1 Console enable set pvlan mapping 10 20 5 2 Console enable set trunk 5 1 desirable isl 1 1005 1025 4094 Console enable show pvlan capability 5 20 Port 5 20 can be made a private vlan port Console enable show pvlan Primary Secondary Secondary Type Ports 10 20 isolated Console enable show pvlan cap...

Page 231: ...ectivity breaks between the isolated or community ports and the promiscuous port If you delete all the mappings on a promiscuous port the promiscuous port becomes inactive When a private VLAN port is set to inactive it displays pvlan as its VLAN number in the show port output You might set a private VLAN port to inactive for the following reasons The primary isolated or community VLAN to which it ...

Page 232: ...10 24 Catalyst 4500 Series Catalyst 2948G Catalyst 2948G GE TX and Catalyst 2980G Switches Software Configuration Guide Release 8 2GLX 78 15908 01 Chapter 10 Configuring VLANs Configuring Private VLANs ...

Page 233: ...st 2948G GE TX and Catalyst 2980G Switches Command Reference This chapter consists of these sections Understanding How VLAN Trunks Work page 11 1 Default Trunk Configuration page 11 5 Configuring a Trunk Link page 11 5 Disabling VLAN 1 on a Trunk Link page 11 8 Example VLAN Trunk Configurations page 11 9 Understanding How VLAN Trunks Work The following sections describe how VLAN trunks work on the...

Page 234: ...s Table 11 1 lists the trunking modes that are used with the set trunk command and describes how they function on Fast Ethernet and Gigabit Ethernet ports Table 11 2 lists the encapsulation type that is used with the set trunk command and describes how it functions on Fast Ethernet and Gigabit Ethernet ports You can use the show port capabilities command to determine which encapsulation types a pa...

Page 235: ...unking capabilities are hardware dependent Table 11 4 shows which switches have available hardware that supports the two trunking encapsulations To determine whether a specific piece of hardware supports trunking and to determine which trunking encapsulations are supported see your hardware documentation or use the show port capabilities command Table 11 3 Results of Possible Fast Ethernet and Gig...

Page 236: ...t MAC address 01 80 C2 00 00 00 The BPDUs on all other VLANs on the trunk are sent tagged to the reserved Cisco Shared Spanning Tree SSTP multicast MAC address 01 00 0c cc cc cd Non Cisco 802 1Q switches maintain only a single instance of spanning tree the Mono Spanning Tree or MST that defines the spanning tree topology for all VLANs When you connect a Cisco switch to a non Cisco switch through a...

Page 237: ...s removed from the trunk configuration Configuring a Trunk Link The following sections describe how to configure a trunk link on Fast Ethernet and Gigabit Ethernet ports and how to define the allowed VLAN range on a trunk Configuring an 802 1Q Trunk Note Some hardware does not support 802 1Q encapsulation To determine whether your hardware supports 802 1Q see your hardware documentation or use the...

Page 238: ...onfiguration successful Console enable set trunk 2 9 desirable dot1q Port s 2 9 trunk mode set to desirable Port s 2 9 trunk type set to dot1q Console enable 07 02 1998 18 22 25 DTP 5 Port 2 9 has become dot1q trunk Console enable show trunk Port Mode Encapsulation Status Native vlan 2 9 desirable dot1q trunking 1 Port Vlans allowed on trunk 2 9 1 10 20 100 Port Vlans allowed and active in managem...

Page 239: ...Port s 1 1 allowed vlans modified to 10 20 100 1002 1003 1004 1005 Console enable clear trunk 1 1 1 9 11 19 21 99 101 1001 Removing Vlan s 1 9 11 19 21 99 101 100 from allowed list Port 1 1 allowed vlans modified to 10 20 100 Console enable show trunk 1 1 Port Mode Encapsulation Status Native vlan 1 1 desirable dot1q trunking 1 Port Vlans allowed on trunk 1 1 1 10 20 100 Port Vlans allowed and act...

Page 240: ...col CDP VLAN Trunking Protocol VTP Port Aggregation Protocol PAgP Dynamic Trunking Protocol DTP and so forth Caution By default the sc0 interface management VLAN is VLAN 1 If you disable VLAN 1 you will have to configure another VLAN to be the management VLAN for sc0 When a trunk port with VLAN 1 disabled becomes a nontrunk port it is added to the native VLAN If the native VLAN is VLAN 1 the port ...

Page 241: ...ow to configure an 802 1Q trunk over a Gigabit EtherChannel link between two switches with 802 1Q capable hardware Use the show port capabilities command to see if your hardware is 802 1Q capable Figure 11 1 shows two switches that are connected through four 1000BASE SX Gigabit Ethernet ports Figure 11 1 IEEE 802 1Q Trunk over Gigabit EtherChannel Link Note For more information on configuring Giga...

Page 242: ...ort 2 3 6 ETHC 5 PORTFROMSTP Port 2 3 left bridge port 2 3 ETHC 5 PORTTOSTP Port 2 3 joined bridge port 2 3 6 ETHC 5 PORTTOSTP Port 2 4 joined bridge port 2 3 6 ETHC 5 PORTTOSTP Port 2 5 joined bridge port 2 3 6 ETHC 5 PORTTOSTP Port 2 6 joined bridge port 2 3 6 Switch_B enable DTP 5 TRUNKPORTON Port 3 3 has become dot1q trunk DTP 5 TRUNKPORTON Port 3 4 has become dot1q trunk ETHC 5 PORTFROMSTP Po...

Page 243: ...4 3 6 1 1005 1025 4094 Port Vlans allowed and active in management domain 3 3 1 1005 1025 4094 3 4 1 1005 1025 4094 3 5 1 1005 1025 4094 3 6 1 1005 1025 4094 Port Vlans in spanning tree forwarding state and not pruned 3 3 1 1005 1025 4094 3 4 1 1005 1025 4094 3 5 1 1005 1025 4094 3 6 1 1005 1025 4094 Switch_B enable Step 4 Confirm the channeling and trunking status of the switches by entering the ...

Page 244: ...ORTFROMSTP Port 3 5 left bridge port 3 5 ETHC 5 PORTFROMSTP Port 3 6 left bridge port 3 6 ETHC 5 PORTFROMSTP Port 3 4 left bridge port 3 4 ETHC 5 PORTFROMSTP Port 3 5 left bridge port 3 5 ETHC 5 PORTFROMSTP Port 3 6 left bridge port 3 6 ETHC 5 PORTFROMSTP Port 3 3 left bridge port 3 3 ETHC 5 PORTTOSTP Port 3 3 joined bridge port 3 3 6 ETHC 5 PORTTOSTP Port 3 4 joined bridge port 3 3 6 ETHC 5 PORTT...

Page 245: ... 1 2 Trunk 2 for each VLAN on Switch 1 to prevent forwarding loops Trunk 2 is not used to forward traffic unless Trunk 1 fails To configure the switches so that traffic from multiple VLANs is load balanced over the parallel trunks follow these steps Step 1 Configure a VTP domain on both Switch 1 and Switch 2 by entering the set vtp command so that the VLAN information that is configured on Switch ...

Page 246: ...ow vlan VLAN Name Status Mod Ports Vlans 1 default active 1 1 2 2 1 12 5 1 2 10 VLAN0010 active 11 VLAN0011 active 20 VLAN0020 active 30 VLAN0030 active 40 VLAN0040 active 50 VLAN0050 active 60 VLAN0060 active 1002 fddi default active 1003 token ring default active 1004 fddinet default active 1005 trnet default active Switch_1 enable Step 4 Configure the supervisor engine uplinks on Switch 1 as 80...

Page 247: ...e 20 VLAN0020 active 30 VLAN0030 active 40 VLAN0040 active 50 VLAN0050 active 60 VLAN0060 active 1002 fddi default active 1003 token ring default active 1004 fddinet default active 1005 trnet default active Switch_2 enable Step 7 Spanning tree takes 1 to 2 minutes to converge After the network stabilizes check the spanning tree state of each trunk port on Switch 1 by entering the show spantree com...

Page 248: ...1 1 vlans 1005 using portpri 4 Switch_1 enable set spantree portvlanpri 1 1 1 20 Port 1 1 vlans 1 9 11 19 21 1004 using portpri 32 Port 1 1 vlans 10 20 using portpri 1 Port 1 1 vlans 1005 using portpri 4 Switch_1 enable set spantree portvlanpri 1 1 1 30 Port 1 1 vlans 1 9 11 19 21 29 31 1004 using portpri 32 Port 1 1 vlans 10 20 30 using portpri 1 Port 1 1 vlans 1005 using portpri 4 Switch_1 enabl...

Page 249: ...1 2 vlans 1 39 41 49 51 59 61 1004 using portpri 32 Port 1 2 vlans 40 50 60 using portpri 1 Port 1 2 vlans 1005 using portpri 4 Switch_2 enable Step 13 When you have configured the port VLAN priorities on both ends of the link the spanning tree converges to use the new configuration Check the spanning tree port states on Switch 1 by entering the show spantree command The Group 1 VLANs should be fo...

Page 250: ...t Start Group method 1 1 1 not connected 19 32 disabled Switch_1 enable show spantree 1 2 Port Vlan Port State Cost Priority Fast Start Group method 1 2 1 learning 19 32 disabled 1 2 10 learning 19 32 disabled 1 2 20 learning 19 32 disabled 1 2 30 learning 19 32 disabled 1 2 40 forwarding 19 1 disabled 1 2 50 forwarding 19 1 disabled 1 2 60 forwarding 19 1 disabled 1 2 1003 not connected 19 32 dis...

Page 251: ...unk type set to dot1q Switch 1 enable 04 15 1998 22 02 17 DISL 5 Port 1 1 has become dot1q trunk Switch 2 enable 04 15 1998 22 01 42 SPANTREE 2 Rcved 1Q BPDU on non 1Q trunk port 4 1 vlan 1 04 15 1998 22 01 42 SPANTREE 2 Block 4 1 on rcving vlan 1 for inc trunk port 04 15 1998 22 01 42 SPANTREE 2 Block 4 1 on rcving vlan 1 for inc peer vlan 2 Switch 2 enable Note After you configure the port on Sw...

Page 252: ...show spantree statistics 4 1 Port 4 1 VLAN 1 SpanningTree enabled for vlanNo 1 BPDU related parameters port spanning tree enabled state broken port_id 0x8142 port number 0x142 path cost 100 message age port VLAN 1 20 designated_root 00 60 09 79 c3 00 designated_cost 0 designated_bridge 00 60 09 79 c3 00 designated_port 0x8142 top_change_ack FALSE config_pending FALSE port_inconsistency port_type p...

Page 253: ...panning tree enabled Spanning tree type ieee Designated Root 00 60 09 79 c3 00 Designated Root Priority 32768 Designated Root Cost 0 Designated Root Port 1 1 Root Max Age 20 sec Hello Time 2 sec Forward Delay 15 sec Bridge ID MAC ADDR 00 10 29 b5 30 00 Bridge ID Priority 49152 Bridge Max Age 20 sec Hello Time 2 sec Forward Delay 15 sec Port Vlan Port State Cost Priority Fast Start Group method 1 1...

Page 254: ...0 09 79 c3 00 Designated Root Priority 32768 Designated Root Cost 0 Designated Root Port 1 0 Root Max Age 20 sec Hello Time 2 sec Forward Delay 15 sec Bridge ID MAC ADDR 00 60 09 79 c3 00 Bridge ID Priority 32768 Bridge Max Age 20 sec Hello Time 2 sec Forward Delay 15 sec Port Vlan Port State Cost Priority Fast Start Group method 1 1 1 not connected 4 32 disabled 1 2 1 not connected 4 32 disabled ...

Page 255: ...orts and VMPS page 12 3 Configuring VMPS page 12 4 Troubleshooting VMPS and Dynamic Port VLAN Membership page 12 10 VMPS Example page 12 11 Dynamic Port VLAN Membership with Auxiliary VLANs page 12 14 Understanding How VMPS Works With VMPS you can dynamically assign switch ports to VLANs that are based on the source MAC address of the device connected to the port When you move a host from a port o...

Page 256: ...can belong to a native VLAN and an auxiliary VLAN See the Dynamic Port VLAN Membership with Auxiliary VLANs section on page 12 14 for more information When the link comes up a dynamic port is isolated from its static VLAN The source MAC address from the first packet of a new host on the dynamic port is sent to the VMPS server which attempts to match the MAC address to a VLAN in the VMPS database I...

Page 257: ...tions You can disable spanning tree PortFast mode on a dynamic port If you reconfigure a port from a static port to a dynamic port on the same VLAN the port connects immediately to that VLAN However VMPS checks the legality of the specific host on the dynamic port after a specified period Static secure ports cannot become dynamic ports You must turn off security on the static secure port before it...

Page 258: ...eate a VMPS database and store it on a TFTP server The VMPS parser is line based Start each entry in the file on a new line The example at the end of this section corresponds to the information that is described below The VMPS database can have up to five sections Section 1 Global settings lists the settings for the VMPS domain name security mode fallback VLAN and the policy for VMPS and VTP domai...

Page 259: ...2 8 on the VMPS client 172 20 26 141 Executive Row consists of port 1 2 and 1 3 on the VMPS client 198 4 254 222 and all ports on the VMPS client 198 4 254 223 Section 4 VLAN groups lists groups of VLANs that you want to associate together You use these VLAN groups when defining VLAN port policies Define the VLAN group name and then list each VLAN name that you want to include in the VLAN group Yo...

Page 260: ...4 vlan name NONE address fedc ba23 1245 vlan name Purple Section 3 PORT GROUPS Port Groups vmps port group group name device device id port port name all ports vmps port group WiringCloset1 device 198 92 30 32 port 3 2 device 172 20 26 141 port 2 8 vmps port group Executive Row device 198 4 254 222 port 1 2 device 198 4 254 222 port 1 3 device 198 4 254 223 all ports Section 4 VLAN GROUPS VLAN gro...

Page 261: ...rver set to 172 20 22 7 VMPS configuration filename set to Bldg G db Console enable set vmps state enable Vlan Membership Policy Server enable is in progress Console enable Configuring VMPS Clients When you configure a VMPS client you must configure VMPS on the VMPS client before setting dynamic ports You cannot make trunk ports or secure ports a dynamic port If you attempt to make a trunk port a ...

Page 262: ...n Server Retry Count 3 VMPS domain server 192 0 0 1 primary 192 0 0 6 192 0 0 9 This example shows how to set ports 1 to 3 on module 3 to dynamic mode disable trunking port 1 on module 2 to make it a dynamic port and verify the port configuration Console enable set port membership 3 1 3 dynamic Ports 3 1 3 vlan assignment set to dynamic Console enable set port membership 2 1 dynamic Spantree port ...

Page 263: ... perform this task in privileged mode This example shows how to reconfirm dynamic port VLAN membership assignments Console enable reconfirm vmps reconfirm process started Use show dvlan statistics to see reconfirm status Console enable Task Command Show the VLAN to which a MAC address is mapped in the database show vmps mac mac_address Show the MAC addresses that are mapped to a VLAN in the databa...

Page 264: ...lost and the resources released on disable Do you want to continue y n n y Vlan Membership Policy Server disabled Console enable Configuring Static Ports To return a port to the static mode perform this task in privileged mode This example shows how to return port 1 on module 3 to static mode Console enable set port membership 3 1 static Port 3 1 vlan assignment set to static Spantree port fast st...

Page 265: ...move a PC from a hub that is connected to the switch to a direct port on the VMPS client both ports remain assigned to the same VLAN The VMPS query and response messages are multicast packets with a destination address of 01000CCCCCCD VMPS Example Figure 12 1 shows a network with a VMPS server switch two backup VMPS servers and VMPS client switches with dynamic ports In this example the following ...

Page 266: ...guration file is called Bldg G db and is stored on a TFTP server with IP address 172 20 22 7 Figure 12 1 Dynamic Port VLAN Membership Configuration Router Primary VMPS Server 1 Secondary VMPS Server 2 Secondary VMPS Server 3 172 20 26 150 172 20 26 151 172 20 26 152 Ethernet segment 172 20 26 153 172 20 26 154 172 20 26 155 172 20 26 156 172 20 26 157 172 20 26 158 172 20 26 159 Client Client End ...

Page 267: ...at Steps a and b for Switch 3 After you enter these commands the file Bldg G db is downloaded to each switch Step 3 Configure the VMPS server addresses on each VMPS client a Configure the IP address for the primary VMPS server Console enable set vmps server 172 20 26 150 primary b Configure the IP addresses for the backup VMPS servers Console enable set vmps server 172 20 26 152 Console enable set...

Page 268: ...is section lists the guidelines for configuring dynamic port VLAN membership for auxiliary VLANs Read the Configuration Guidelines for Dynamic Ports and VMPS section on page 12 3 before you begin the configuration Configuration of the native VLAN ID is dynamic for the PC that is connected to the access port of the IP phone Configuration of the auxiliary VLAN ID is not dynamic you need to configure...

Page 269: ...ets and without 802 1p priority Console enable This example shows how to specify port 5 9 as a dynamic port Console enable set port membership 5 9 dynamic Warning Auxiliary Vlan set to dot1p untagged on dynamic port VMPS will be queried for IP phones Port 5 9 vlan assignment set to dynamic Spantree port fast start option enabled for ports 5 9 Console enable This example shows that the auxiliary VL...

Page 270: ... Catalyst 2948G Catalyst 2948G GE TX and Catalyst 2980G Switches Software Configuration Guide Release 8 2GLX 78 15908 01 Chapter 12 Configuring Dynamic VLAN Membership with VMPS Dynamic Port VLAN Membership with Auxiliary VLANs ...

Page 271: ...s page 13 1 Default GVRP Configuration page 13 2 GVRP Configuration Guidelines page 13 2 Configuring GVRP on the Switch page 13 2 Understanding How GVRP Works GARP and GVRP are industry standard protocols that are described in IEEE 802 1p GVRP is a GARP application that provides 802 1Q compliant VLAN pruning and dynamic VLAN creation on 802 1Q trunk ports With GVRP the switch can exchange VLAN con...

Page 272: ...GVRP Globally You must enable GVRP globally before any GVRP will process on the switch Enabling GVRP globally enables GVRP to perform VLAN pruning on 802 1Q trunk links Pruning occurs only on GVRP enabled trunks For information on setting the per trunk port GVRP enable state see the Enabling GVRP on Individual 802 1Q Trunk Ports section on page 13 3 To enable dynamic VLAN creation you must explici...

Page 273: ...owever GVRP will not function on any ports until you enable it globally For information on configuring GVRP globally on the switch see the Enabling GVRP Globally section on page 13 2 There are two per port GVRP states The static GVRP state that is configured in the CLI and stored in NVRAM The actual GVRP state of the ports active GVRP participants You can configure the static GVRP port state on an...

Page 274: ...ither by CLI configuration or negotiated using DTP while dynamic VLAN creation is enabled dynamic VLAN creation is automatically disabled until the conditions for enabling dynamic VLAN creation are restored Note VLANs can only be created dynamically on 802 1Q trunks in the normal registration mode To enable GVRP dynamic VLAN creation on the switch perform this task in privileged mode This example ...

Page 275: ...stration fixed 1 1 Registrar Administrative Control set to fixed on port 1 1 Console enable Setting GVRP Forbidden Registration Configuring an 802 1Q trunk port in forbidden registration mode deregisters all VLANs except VLAN 1 and prevents any further VLAN creation or registration on the trunk port To configure GVRP forbidden registration on an 802 1Q trunk port perform this task in privileged mo...

Page 276: ...Console enable set gvrp applicant active 4 2 3 4 9 10 4 12 24 Applicant was set to active on port s 4 2 3 4 9 10 4 12 24 Console enable Use the normal keyword to return to the default state active mode disabled Setting the GARP Timers Note The commands set gvrp timer and show gvrp timer are aliases for set garp timer and show garp timer The aliases may be used if desired Note Modifying the GARP ti...

Page 277: ...set to 600 milliseconds Console enable set garp timer join 200 GMRP GARP join timer value is set to 200 milliseconds Console enable show garp timer Timer Timer Value milliseconds Join 200 Leave 600 LeaveAll 10000 Console enable Displaying GVRP Statistics To display GVRP statistics on the switch perform this task This example shows how to display GVRP statistics for port 1 1 Console enable show gvr...

Page 278: ...isable GVRP on individual 802 1Q trunk ports perform this task in privileged mode This example shows how to disable GVRP on 802 1Q trunk port 1 1 Console set gvrp disable 1 1 GVRP disabled on 1 1 Console Disabling GVRP Globally To disable GVRP globally on the switch perform this task in privileged mode This example shows how to disable GVRP globally on the switch Console enable set gvrp disable GV...

Page 279: ...iew page 14 1 Understanding QoS Terminology page 14 2 Understanding Classification and Marking at the Ingress Port page 14 3 Understanding Scheduling page 14 3 QoS Overview Typically networks operate on a best effort delivery basis which means that all traffic has equal priority and an equal chance of being delivered in a timely manner When congestion occurs all traffic has an equal chance of bein...

Page 280: ...QoS terminology is used in this chapter QoS labels are used to prioritize traffic Layer 2 CoS values Layer 2 802 1Q frame headers have a 2 byte Tag Control Information field that carries the CoS value in the three most significant bits the User Priority bits Other frame types cannot carry CoS values CoS values range between 0 low priority and 7 high priority Classification is the selection of traf...

Page 281: ...gh a supported ingress port QoS accepts the User Priority bits as the CoS value QoS classifies and marks all other frame types that enter the switch with the default CoS value that is configured for the entire switch You cannot mark traffic on a per port basis Note The Catalyst 4500 series 2948G and 2980G switches support frame classification and marking only on unclassified frames entering the sw...

Page 282: ...rting to the Default Switch CoS Value page 14 5 Mapping CoS Values to Transmit Queues and Drop Thresholds page 14 6 Reverting to the Default CoS to Transmit Queue and Drop Threshold Mapping page 14 6 Displaying QoS Information page 14 7 Reverting to QoS Defaults page 14 7 Disabling QoS page 14 7 Note Because entering some QoS commands disables and then reenables ports which can cause spanning tree...

Page 283: ...xample shows how to set CoS equal to 7 in all unclassified frames that are received on the switch and verify the configuration Console enable set qos defaultcos 7 qos defaultcos set to 7 Console enable Reverting to the Default Switch CoS Value To revert to the default switch CoS value on the switch perform this task in privileged mode This example shows how to revert to the default CoS value for p...

Page 284: ...ransmit queue and drop threshold perform this task in privileged mode This example shows how to map CoS values 4 through 7 to the second transmit queue and the first drop threshold for that queue on a 2q1t port Console enable set qos map 2q1t 2 1 cos 4 7 Qos tx priority queue and threshold mapped to cos successfully Console enable Reverting to the Default CoS to Transmit Queue and Drop Threshold M...

Page 285: ...S 4 Queue and Threshold Mapping Queue Threshold CoS 1 1 0 1 2 3 2 1 4 5 6 7 Console Reverting to QoS Defaults To revert to QoS defaults perform this task in privileged mode This example shows how to revert to QoS defaults Console enable clear qos config This command will disable QoS and take values back to factory default Do you want to continue y n n y QoS config cleared Console enable Note Rever...

Page 286: ...2948G GE TX and Catalyst 2980G Switches Software Configuration Guide Release 8 2GLX 78 15908 01 Chapter 14 Configuring QoS Configuring QoS on the Switch This example shows how to disable QoS Console enable set qos disable QoS is disabled Console enable ...

Page 287: ...MP page 15 4 Configuring GMRP page 15 9 Configuring Multicast Router Ports and Group Entries page 15 15 Filtering IGMP Traffic page 15 17 Understanding How Multicasting Works The following sections describe how multicasting works on the Catalyst enterprise LAN switches Understanding Multicasting and Multicast Services Operation CGMP IGMP snooping and GMRP manage multicast traffic in switches by al...

Page 288: ...r UplinkFast BackboneFast and Loop Guard Joining a Multicast Group When a host wants to join an IP multicast group it sends an IGMP join message specifying its MAC address and the IP multicast group it wants to join The CGMP IGMP capable router then builds a CGMP IGMP join message and multicasts the join message to the well known address to which the switches listen Upon receipt of the join messag...

Page 289: ... independent which allows it to support the multicast traffic of any Layer 3 protocol such as IP IPX and so forth GMRP software components run on both the switch and on the host Cisco is not a source for GMRP host software On the host GMRP is typically used with IGMP The host GMRP software generates Layer 2 GMRP versions of the host s Layer 3 IGMP control packets The switch receives both the Layer...

Page 290: ...o enable CGMP on the switch perform this task in privileged mode This example shows how to enable CGMP and verify the configuration Console enable set cgmp enable CGMP support for IP multicast enabled Console enable show cgmp statistics 1 CGMP enabled CGMP statistics for vlan 1 valid rx pkts received 211915 invalid rx pkts received 0 valid cgmp joins received 211729 valid cgmp leaves received 186 ...

Page 291: ...ble show cgmp leave CGMP enabled CGMP leave enabled CGMP FastLeave disabled Console enable Enabling CGMP Fast Leave Processing To enable CGMP fast leave processing on the switch perform this task in privileged mode This example shows how to enable CGMP fast leave processing and verify the configuration Console enable set cgmp fastleave enable CGMP fastleave processing enabled Console enable Consol...

Page 292: ... vlan_id This example shows how to display information on all multicast router ports the asterisk next to the multicast router on port 3 1 indicates that the entry was configured manually Console enable show multicast router CGMP enabled IGMP disabled Port Vlan 2 1 99 2 2 255 3 1 1 Total Number of Entries 4 Configured Console enable This example shows how to display only those multicast router por...

Page 293: ...perform this task This example shows how to display CGMP statistics Console enable show cgmp statistics CGMP enabled CGMP statistics for vlan 1 valid rx pkts received 211915 invalid rx pkts received 0 valid cgmp joins received 211729 valid cgmp leaves received 186 valid igmp leaves received 0 valid igmp queries received 3122 igmp gs queries transmitted 0 igmp leaves transmitted 0 failures to add G...

Page 294: ...ble Disabling CGMP Fast Leave Processing To disable CGMP fast leave processing on the switch perform this task in privileged mode This example shows how to disable CGMP fast leave processing Console enable set cgmp fastleave disable CGMP FastLeave processing disabled Console enable Disabling CGMP To disable CGMP on the switch perform this task in privileged mode This example shows how to disable C...

Page 295: ...ble GMRP globally on the switch perform this task in privileged mode This example shows how to enable GMRP globally and verify the configuration Console enable set gmrp enable GMRP enabled Console enable show gmrp configuration Global GMRP Configuration GMRP Feature is currently enabled on this switch GMRP Timers milliseconds Join 200 Leave 600 LeaveAll 10000 Table 15 2 GMRP Default Configuration ...

Page 296: ...ort 6 12 Console enable show gmrp configuration Global GMRP Configuration GMRP Feature is currently enabled on this switch GMRP Timers milliseconds Join 200 Leave 600 LeaveAll 10000 Port based GMRP Configuration Port GMRP Status Registration ForwardAll 1 1 2 3 1 6 1 9 6 12 6 15 48 Enabled Normal Disabled 6 10 11 6 13 14 Disabled Normal Disabled Console enable Disabling GMRP on Individual Switch Po...

Page 297: ... switch is forwarded to the port We recommend enabling this option on any port that is connected to a router Forward all can also forward all registered multicast traffic to a port with a network analyzer or probe attached To forward a copy of all GMRP multicast packets that are registered on the switch to a port perform this task in privileged mode This example shows how to enable the GMRP forwar...

Page 298: ...egistered on the port but the port ignores any subsequent registrations or deregistrations on other ports A port in fixed registration mode continues to register multicast groups that are specific to the port You must return the port to normal registration mode to deregister multicast groups on the port To configure GMRP fixed registration on a port perform this task in privileged mode This exampl...

Page 299: ...idden 2 10 GMRP Registration is set forbidden on port 2 10 Console enable show gmrp configuration Global GMRP Configuration GMRP Feature is currently enabled on this switch GMRP Timers milliseconds Join 200 Leave 600 LeaveAll 10000 Port based GMRP Configuration GMRP Status Registration ForwardAll Port s Enabled Normal Disabled 1 1 4 2 1 9 2 11 48 3 1 24 5 1 Enabled Forbidden Disabled 2 10 Console ...

Page 300: ...all Layer 2 connected devices If the GARP timers are set differently on the Layer 2 connected devices GARP applications for example GMRP and GVRP will not operate successfully To adjust the GARP timer values perform this task in privileged mode This example shows how to set GARP timers and verify the configuration Console enable set garp timer leaveall 12000 GMRP GARP leaveAll timer value is set t...

Page 301: ...ed 0 Console enable Clearing GMRP Statistics To clear all GMRP statistics on the switch perform this task in privileged mode This example shows how to clear the GMRP statistics for all VLANs Console enable clear gmrp statistics all Console enable Disabling GMRP To disable GMRP globally on the switch perform this task in privileged mode This example shows how to disable GMRP globally Console enable...

Page 302: ...gured Console enable Configuring Multicast Groups To configure a multicast group manually perform this task in privileged mode This example shows how to configure multicast groups manually and verify the configuration the asterisks indicate that the entry was manually configured Console enable set cam static 01 00 11 22 33 44 2 6 12 Static multicast entry added to CAM table Console enable set cam ...

Page 303: ...privileged mode This example shows how to disable a multicast group entry from the CAM table Console enable clear cam 01 11 22 33 44 55 1 CAM entry cleared Console enable Filtering IGMP Traffic IGMP filtering allows an administrator to configure IP multicast group profiles consisting of one or more ranges of IP multicast addresses The administrator associates these profiles with a filtering and mo...

Page 304: ... addresses are allowed to be received by every customer In ETTH a typical access switch has two high speed uplink ports The other ports are user ports each connected to a different end subscriber who has a box that generates IGMP report and leave messages You can define which channels IP multicast addresses to monitor and the minimum monitoring interval If an end subscriber is looking at a channel...

Page 305: ...ter set to enable Console enable This example shows how to verify the enable configuration status of IGMP multicast filtering on the switch Console enable show igmp filter igmp filter is enabled Console enable Disabling and Verifying IGMP Multicast Filtering To disable IGMP traffic filtering on the switch perform this task in privileged mode This example shows how to disable IGMP multicast filteri...

Page 306: ... the multicast IP address 226 1 1 1 to IGMP multicast filter profile 1 Console enable set igmp filter profile 1 226 1 1 1 Successfully add ip s to profile Console enable This example shows how to list an IP address for profile 1 when the IGMP multicast filter match action is denied Console enable show igmp filter profile 1 ProfileId 1 FilterMode deny IP Range 226 1 1 1 Console enable Permitting an...

Page 307: ...er profile 1 match action igmp filter match action is denied Console enable Removing an IGMP Multicast Filter Profile To remove a multicast address from an IGMP multicast filter profile or to remove the filter profile perform this task in privileged mode Note When you remove a filter all associations between the filter and associated ports are removed This example shows how to remove an IP address...

Page 308: ...s example shows how to verify that all IGMP multicast filter profiles were deleted Console enable show igmp filter all Console enable Assigning and Displaying Port Filter Associations To assign and display IGMP multicast filter associations to a port or port list perform this task in privileged mode This example shows how to assign an association of module 2 port 1 to IGMP multicast filter profile...

Page 309: ... 2 2 3 2 4 2 5 2 6 2 7 2 8 2 9 2 10 2 11 2 12 2 13 2 14 2 15 2 16 2 46 2 47 2 48 Console enable Removing IGMP Multicast Port Filter Associations To remove the association of IGMP multicast filters with ports perform this task in privileged mode Note The filter is not removed when the association is removed This example shows how to remove the association of IGMP multicast filter profiles with a po...

Page 310: ... Catalyst 4500 Series Catalyst 2948G Catalyst 2948G GE TX and Catalyst 2980G Switches Software Configuration Guide Release 8 2GLX 78 15908 01 Chapter 15 Configuring Multicast Services Filtering IGMP Traffic ...

Page 311: ...thernet or Gigabit Ethernet port when the MAC address of the station attempting to access the port is different from any of the MAC addresses that are specified for that port Alternatively you can use port security to filter traffic that is destined to or received from a specific host that is based on the host MAC address Allowing Traffic Based on the Host MAC Address The total number of MAC addre...

Page 312: ...gure the port to remain enabled during a security violation and drop only packets that are coming in from insecure hosts Note If you configure a secure port in restrictive mode and a station is connected to the port whose MAC address is already configured as a secure MAC address on another port on the switch the port in restrictive mode shuts down instead of restricting traffic from that station F...

Page 313: ... configure SPAN destination on a secure port Do not configure dynamic static or permanent CAM entries on a secure port Configuring Port Security on the Switch The following sections describe how to configure port security Enabling Port Security Port security is either autoconfigured or enabled manually by specifying a MAC address If a MAC address is not specified the source address from the incomi...

Page 314: ...Time Cleared Fri Jul 10 1998 17 53 38 This example shows how to enable port security on a port and manually specify the secure MAC address Console enable set port security 2 1 enable 00 90 2b 03 34 08 Port 2 1 port security enabled with 00 90 2b 03 34 08 as the secure mac address Trunking disabled for Port 2 1 due to Security Mode Console enable Setting the Maximum Number of Secure MAC Addresses Y...

Page 315: ...ort After the age time expires for a MAC address the entry for that MAC address on the port is removed from the secure address list The valid range is from 1 1440 minutes Setting the age time to zero disables aging of secure addresses To set the age time on a port perform this task in privileged mode Console enable set port security 4 7 age 600 Secure address age time set to 600 minutes for port 4...

Page 316: ...ode This example shows how to configure the switch to disable unicast flood packets on a port and verify its configuration Console enable set port security 4 1 unicast flood disable Port 4 1 security flood mode set to disable Console enable show port security 4 1 Port Security Violation Shutdown Time Age Time Max Addr Trap IfIndex 4 1 disabled shutdown 0 0 1 disabled 50 Port Num Addr Secure Src Ad...

Page 317: ... enable MAC address notification globally perform this task in privileged mode MAC addresses are stored in memory between notifications To set the interval time between notifications and verify the configuration perform this task in privileged mode If the set cam notification interval is set to 0 the switch will send notification immediately If the notifications are sent immediately they will have...

Page 318: ... enable set cam notification removed enable 3 3 6 MAC address change notifications for removed addresses are enabled on port s 3 3 6 Console enable set cam notification interval 10 MAC address change notification interval set to 10 seconds Console enable show cam notification all MAC address change detection enabled CAM notification interval 10 second s MAC address change history log size 300 MAC ...

Page 319: ...the VLAN aging time to expire before you attempt to connect the host to the port again Setting the Shutdown Time You can specify how long a port is to remain disabled in the event of a security violation By default the port is shut down permanently The valid range is from 1 1440 minutes If you set the time to zero the shutdown is disabled for this port Note When the shutdown timeout expires the po...

Page 320: ...le shows how to create a filter for a specific MAC address Console enable set cam static filter 00 02 03 04 05 06 1 Filter entry added to CAM table Console enable This example shows how to clear the filter Console enable clear cam 00 02 03 04 05 06 1 CAM entry cleared Console enable This example shows how to display the static CAM entries Console show cam static VLAN Dest MAC Route Des CoS Destina...

Page 321: ...d 921 Port Num Addr Secure Src Addr Age Left Last Src Addr Shutdown Time Left 3 24 4 00 e0 4f ac b4 00 60 00 e0 4f ac b4 00 no 00 11 22 33 44 55 0 00 11 22 33 44 66 0 00 11 22 33 44 77 0 Console enable show port security statistics 3 24 Port Total Addrs Maximum Addrs 3 24 4 10 Console enable Port Total Addrs Maximum Addrs 3 24 1 10 Console enable This example shows how to display port security sta...

Page 322: ...is example shows how to display port security statistics on the system Console enable show port security statistics system Module 1 Total ports 2 Total MAC address es 2 Total global address space used out of 1024 0 Status installed Module 3 Module does not support port security feature Module 6 Total ports 48 Total MAC address es 48 Total global address space used out of 1024 0 Status installed Co...

Page 323: ... the Switch page 17 2 Understanding How Unicast Flood Blocking Works You can enable unicast flood blocking on any Ethernet port on a per port basis Unicast flood blocking allows you to drop unicast flood packets on an Ethernet port that has only one host that is connected to the port All Ethernet ports on a switch are configured to allow unicast flooding With unicast flood blocking you can drop un...

Page 324: ... a port channel You cannot configure a port channel on a unicast flood blocking port Unicast flood blocking and GARP VLAN Registration Protocol GVRP are mutually exclusive You cannot configure the port to block unicast flood packets and exchange VLAN configuration information with GVRP switches at the same time Configuring Unicast Flood Blocking on the Switch These sections describe how to configu...

Page 325: ... blocking To configure unicast flood blocking perform this task in privileged mode This example shows how to disable unicast flood blocking on a port Console enable set port unicast flood 4 1 enable Unicast Flooding is successfully enabled on the port 4 1 Console enable Displaying Unicast Flood Blocking To display unicast flood blocking information perform this task in privileged mode This example...

Page 326: ...Series Catalyst 2948G Catalyst 2948G GE TX and Catalyst 2980G Switches Software Configuration Guide Release 8 2GLX 78 15908 01 Chapter 17 Configuring Unicast Flood Blocking Configuring Unicast Flood Blocking on the Switch ...

Page 327: ...ized IP addresses receive no response the request times out If you want to log unauthorized access attempts to the console or a syslog server you must change the logging severity level for IP as described in the Enabling the IP Permit List section on page 18 3 If you want to generate SNMP traps when unauthorized access attempts are made you must enable IP permit list ippermit SNMP traps as describ...

Page 328: ...t list perform this task in privileged mode This example shows how to add IP addresses to the IP permit list and verify the configuration Console enable set ip permit 172 16 0 0 255 255 0 0 telnet 172 16 0 0 with mask 255 255 0 0 added to Telnet permit list Console enable set ip permit 172 20 52 32 255 255 0 0 snmp 172 20 52 32 with mask 255 255 0 0 added to Snmp permit list Console enable set ip ...

Page 329: ...fore clearing IP permit entries or host addresses To enable the IP permit list on the switch perform this task in privileged mode This example shows how to enable the IP permit list and verify the configuration Console enable set ip permit enable Telnet Snmp and Ssh permit list enabled Console enable set snmp trap enable ippermit SNMP IP Permit traps enabled Console enable set logging level ip 4 d...

Page 330: ...P permit list on the switch perform this task in privileged mode This example shows how to disable the IP permit list Console enable set ip permit disable IP permit list disabled Console enable Clearing an IP Permit List Entry You can clear an IP address from the SNMP permit list Secure Shell SSH permit list the Telnet permit list or all lists If you do not specify which permit list to clear the I...

Page 331: ...r ip permit 172 100 101 102 172 100 101 102 cleared from IP permit list Console enable clear ip permit 172 160 161 0 255 255 192 0 snmp 172 160 128 0 with mask 255 255 192 0 cleared from snmp permit list Console enable clear ip permit 172 100 101 102 telnet 172 100 101 102 cleared from telnet permit list Console enable clear ip permit all IP permit list cleared Console enable Task Command Step 1 D...

Page 332: ...500 Series Catalyst 2948G Catalyst 2948G GE TX and Catalyst 2980G Switches Software Configuration Guide Release 8 2GLX 78 15908 01 Chapter 18 Configuring the IP Permit List Configuring the IP Permit List on the Switch ...

Page 333: ...otocol groups This filtering is in addition to the filtering that is provided by port VLAN membership Protocol filtering identifies ports on a protocol basis A port can be a member of one or more of the protocol groups Flood traffic for each protocol group is forwarded out a port only if that port belongs to the appropriate protocol group Layer 2 protocols such as Spanning Tree Protocol STP and Ci...

Page 334: ...or IP only if there is a directly connected end station that is connected to the port The default port configuration for IPX and Group is auto Packets are classified into these protocol groups IP ip IPX ipx AppleTalk and DECnet group Packets not belonging to any of these protocols Default Protocol Filtering Configuration Table 19 1 shows the default protocol filtering configuration Configuring Pro...

Page 335: ...1 4 Console enable set port protocol 3 1 4 ipx off IPX protocol disabled on ports 3 1 4 Console enable set port protocol 3 1 4 group auto Group protocol set to auto mode on ports 3 1 4 Console enable show port protocol 3 1 4 Port Vlan IP IP Hosts IPX IPX Hosts Group Group Hosts 3 1 4 on 1 off 0 auto off 0 3 2 5 on 1 off 0 auto on 1 3 3 2 on 1 off 0 auto off 0 3 4 4 on 1 off 0 auto on 1 Console ena...

Page 336: ...500 Series Catalyst 2948G Catalyst 2948G GE TX and Catalyst 2980G Switches Software Configuration Guide Release 8 2GLX 78 15908 01 Chapter 19 Configuring Protocol Filtering Configuring Protocol Filtering on the Switch ...

Page 337: ...bilities page 20 5 Using Telnet page 20 6 Changing the Login Timer page 20 6 Using Secure Shell Encryption for Telnet Sessions page 20 7 Monitoring User Sessions page 20 8 Using Ping page 20 9 Using Layer 2 Traceroute page 20 11 Using IP Traceroute page 20 12 Checking Module Status The Catalyst enterprise LAN switches are multimodule systems You can see what modules are installed as well as the MA...

Page 338: ...tatus You can display summary or detailed information on the switch ports using the show port command To display summary information on all of the ports on the switch enter the show port command with no arguments Specify a particular module number to see information on the ports on that module only Enter both the module number and the port number to see detailed information about the specified por...

Page 339: ...us device port 3 1 connected off not channel 3 2 connected off not channel 3 3 connected off not channel 3 4 connected off not channel 3 5 notconnect off not channel 3 6 notconnect off not channel Port Align Err FCS Err Xmit Err Rcv Err UnderSize 3 1 0 0 0 0 3 2 0 0 0 0 3 3 0 0 0 0 3 4 0 0 0 0 3 5 0 0 0 0 3 6 0 0 0 0 Port Single Col Multi Coll Late Coll Excess Col Carri Sen Runts Giants 3 1 0 0 0 ...

Page 340: ...ole enable Displaying the Port MAC Address In addition to displaying the MAC address range for a module using the show module command you can display the MAC address of a specific port in the switch using the show port mac address command To display the MAC address for a specific port perform this task in privileged mode This example shows you how to display the MAC address of a specific port Cons...

Page 341: ...rship static dynamic Fast start yes QOS scheduling rx none tx 2q1t CoS rewrite no ToS rewrite no Rewrite no UDLD yes Inline power no AuxiliaryVlan 1 1000 untagged none SPAN source destination Model WS X4148 Port 2 2 Type 10 100BaseTX Speed auto 10 100 Duplex half full Trunk encap type 802 1Q Trunk mode on off desirable auto nonegotiate Channel 2 1 48 Flow control no Security yes Membership static ...

Page 342: ...ress and in some cases the default gateway for the switch For information about setting the IP address and default gateway see Chapter 3 Configuring the Switch IP Address and Default Gateway To open a Telnet session to another device on the network from the switch perform this task in privileged mode This example shows how to open a Telnet session from the switch to the remote host labsparc Consol...

Page 343: ...ides security for Telnet sessions to the switch Secure Shell encryption is supported for remote logins to the switch only Telnet sessions that are initiated from the switch cannot be encrypted To use this feature you must install the application on the client accessing the switch and you must configure Secure Shell encryption on the switch The current implementation of Secure Shell encryption supp...

Page 344: ...able This example shows the output of the show users command when TACACS authentication is enabled for console and Telnet sessions Console enable show users Session User Location console sam telnet jake jake mac bigcorp com telnet tim tim nt bigcorp com telnet suzy suzy pc bigcorp com Console enable This example shows how to display information about user sessions using the noalias keyword to disp...

Page 345: ...d privileged EXEC mode In normal EXEC mode the ping command supports the s parameter which allows you to specify the packet size and packet count In privileged EXEC mode the ping command allows you to specify the packet size packet count and the wait time Table 20 1 lists the default values that apply to the ping s command Ping will return one of the following responses Normal response The normal ...

Page 346: ...m 12 20 2 3 icmp_seq 3 time 2 ms 808 bytes from 12 20 2 3 icmp_seq 4 time 2 ms 808 bytes from 12 20 2 3 icmp_seq 5 time 2 ms 808 bytes from 12 20 2 3 icmp_seq 6 time 2 ms 808 bytes from 12 20 2 3 icmp_seq 7 time 2 ms 808 bytes from 12 20 2 3 icmp_seq 8 time 2 ms 808 bytes from 12 20 2 3 icmp_seq 9 time 3 ms 17 20 2 3 PING Statistics 10 packets transmitted 10 packets received 0 packet loss round tr...

Page 347: ...rent to CDP l2trace will not be able to trace the Layer 2 path through those devices You can use this Layer 2 traceroute from a switch that is not in the Layer 2 path between the source and the destination however all of the switches in the path including the source and destination must be reachable from the switch All switches in the path must be reachable from each other You can trace a Layer 2 ...

Page 348: ...l network layer Layer 3 devices such as routers that the traffic passes through on the way to the destination Switches can participate as the source or destination of the traceroute command but will not appear as a hop in the traceroute command output The traceroute command uses the Time To Live TTL field in the IP header to cause routers and servers to generate specific return messages Traceroute...

Page 349: ... 10 1 1 100 30 hops max 40 byte packets 1 10 1 1 1 10 1 1 1 1 ms 2 ms 1 ms 2 10 1 1 100 10 1 1 100 2 ms 2 ms 2 ms Console enable This example shows how to perform a traceroute with six queries to each hop with packets of 1400 bytes each Console enable traceroute q 6 10 1 1 100 1400 traceroute to 10 1 1 100 10 1 1 100 30 hops max 1440 byte packets 1 10 1 1 1 10 1 1 1 2 ms 2 ms 2 ms 1 ms 2 ms 2 ms 2...

Page 350: ...4 Catalyst 4500 Series Catalyst 2948G Catalyst 2948G GE TX and Catalyst 2980G Switches Software Configuration Guide Release 8 2GLX 78 15908 01 Chapter 20 Checking Status and Connectivity Using IP Traceroute ...

Page 351: ...ns on all Cisco manufactured equipment including routers bridges access and communication servers and switches Using CDP you can view information about all the Cisco devices that are directly attached to the switch In addition CDP detects native VLAN and port duplex mismatches Network management applications can retrieve the device type and SNMP agent address of neighboring Cisco devices using CDP...

Page 352: ...dp CDP enabled Message Interval 60 Hold Time 180 Console enable This example shows how to disable CDP globally and verify the configuration Console enable set cdp disable CDP disabled globally Console enable show cdp CDP disabled Message Interval 60 Hold Time 180 Console enable Setting the CDP Enable State on a Port You can enable or disable CDP on a per port basis You must enable CDP globally bef...

Page 353: ...sabled 3 2 disabled 3 3 disabled 3 4 disabled 3 5 disabled 3 6 disabled 3 7 enabled 3 8 enabled 3 9 enabled 3 10 enabled 3 11 enabled 3 12 enabled Console enable This example shows how to enable CDP on ports 3 1 2 and verify the configuration Console enable set cdp enable 3 1 2 CDP enabled on ports 3 1 2 Console enable show cdp port 3 CDP enabled Message Interval 60 Hold Time 180 Port CDP Status 3...

Page 354: ... 100 Hold Time 180 Console enable Setting the CDP Holdtime The CDP holdtime specifies how much time can pass between CDP messages from neighboring devices before the device is no longer considered connected and the neighbor entry is aged out To set the default CDP holdtime perform this task in privileged mode This example shows how to set the default CDP holdtime to 225 seconds and verify the conf...

Page 355: ...D Port ID Platform 2 3 JAB023807H1 2948 2 2 WS C2948 3 1 JAB023806JR 4003 2 1 WS C4003 3 2 JAB023806JR 4003 2 2 WS C4003 3 5 JAB023806JR 4003 2 5 WS C4003 3 6 JAB023806JR 4003 2 6 WS C4003 Console enable This example shows how to display the native VLAN for each port that is connected on the neighboring device there is a native VLAN mismatch between port 3 6 on the local switch and port 2 6 on the...

Page 356: ...atalyst 2980G Switches Software Configuration Guide Release 8 2GLX 78 15908 01 Chapter 21 Configuring CDP Configuring CDP on the Switch Platform WS C2948 Port ID Port on Neighbors s Device 2 2 VTP Management Domain Lab_Network Native VLAN 522 Duplex full Console enable ...

Page 357: ...s The Switch TopN Reports utility allows you to collect and analyze data for each physical port on a switch The Switch TopN Reports utility collects the following data for each physical port Port utilization util Number of in and out bytes bytes Number of in and out packets pkts Number of in and out broadcast packets bcst Number of in and out multicast packets mcst Number of in errors in errors Nu...

Page 358: ...mand and specify the background keyword processing begins and the system prompt reappears immediately When processing completes Switch TopN reports do not display immediately on the screen but are saved for later viewing The system notifies you when the Switch TopN reports are complete by sending a syslog message to the screen Enter the show top report report_num command to view the completed Swit...

Page 359: ...is example shows how to run the Switch TopN Reports utility with the background keyword Console enable show top 5 pkts background Console enable 06 16 1998 17 21 08 MGMT 5 TopN report 4 started by Console Console enable 06 16 1998 17 21 39 MGMT 5 TopN report 4 available Console enable show top report 4 Start Time 06 16 1998 17 21 08 End Time 06 16 1998 17 21 39 PortType all Metric pkts Tx Rx Port ...

Page 360: ...Bcst Mcst Error Over width Tx Rx Tx Rx Tx Rx Tx Rx Rx flow 1 1 100 0 7880 83 0 83 0 0 2 12 100 0 0 0 0 0 0 0 2 11 100 0 0 0 0 0 0 0 2 10 100 0 0 0 0 0 0 0 2 9 100 0 0 0 0 0 0 0 Console enable show top report Rpt Start time Int N Metric Status Owner type machine user 1 06 16 1998 17 05 00 30 20 Util done telnet 172 16 52 3 2 06 16 1998 17 05 59 30 5 Util done telnet 172 16 52 3 3 06 16 1998 17 08 0...

Page 361: ...specific Switch TopN report and how to remove all stored reports Console enable clear top 4 Console enable 06 16 1998 17 36 45 MGMT 5 TopN report 4 killed by Console Console enable clear top all 06 16 1998 17 36 52 MGMT 5 TopN report 1 killed by Console 06 16 1998 17 36 52 MGMT 5 TopN report 2 killed by Console Console enable 06 16 1998 17 36 52 MGMT 5 TopN report 3 killed by Console 06 16 1998 17...

Page 362: ...yst 4500 Series Catalyst 2948G Catalyst 2948G GE TX and Catalyst 2980G Switches Software Configuration Guide Release 8 2GLX 78 15908 01 Chapter 22 Using Switch TopN Reports Running and Viewing Switch TopN Reports ...

Page 363: ...problems including spanning tree topology loops UDLD is a Layer 2 protocol that works with Layer 1 mechanisms such as autonegotiation to determine the physical status of a link At Layer 1 autonegotiation handles physical signaling and fault detection UDLD also performs tasks that autonegotiation cannot perform such as detecting the identities of neighbors and shutting down misconnected ports When ...

Page 364: ...pecify the message interval between UDLD messages Previously the message interval was fixed at 60 seconds With a configurable message interval UDLD reacts much faster to link failures Figure 23 1 shows an example of a unidirectional link condition Switch B successfully receives traffic from Switch A on the port However Switch A does not receive traffic from Switch B on the same port UDLD detects t...

Page 365: ...ng UDLD Globally You must enable UDLD globally before any port can use UDLD To enable UDLD globally on the switch perform this task in privileged mode This example shows how to enable UDLD globally and verify the configuration Console enable set udld enable UDLD enabled globally Console enable show udld UDLD enabled Console enable Table 23 1 UDLD Default Configuration Feature Default Value UDLD gl...

Page 366: ...on Individual Ports To disable UDLD on individual ports perform this task in privileged mode This example shows how to disable UDLD on port 4 1 Console enable set udld disable 4 1 UDLD disabled on port 4 1 Console enable Disabling UDLD Globally To disable UDLD globally on the switch perform this task in privileged mode This example shows how to disable UDLD globally Console enable set udld disable...

Page 367: ... port is put into errdisable state To prevent spanning tree loops normal UDLD with a 15 second message interval is fast enough to shut down a unidirectional link before a blocking port transitions to forwarding state when default spanning tree parameters are used Enabling UDLD aggressive mode provides additional benefits in the following cases One side of a link has a port stuck both Tx and Rx One...

Page 368: ...e Interval 10 seconds Console enable To display UDLD configuration for a module or port perform this task in privileged mode This example shows how to display the UDLD configuration for ports on module 4 Console enable show udld port 4 UDLD enabled Message Interval 10 seconds Port Admin Status Aggressive Mode Link State 4 1 enabled disabled bidirectional 4 2 enabled disabled bidirectional 4 3 enab...

Page 369: ...n status is enabled or disabled Aggressive Mode Status of whether aggressive mode is enabled or disabled Link State Status of the link undetermined a detection is in progress and a neighboring UDLD has been disabled not applicable UDLD has been disabled shutdown a unidirectional link has been detected and the port is disabled or bidirectional a bidirectional link has been detected and the port is ...

Page 370: ...3 8 Catalyst 4500 Series Catalyst 2948G Catalyst 2948G GE TX and Catalyst 2980G Switches Software Configuration Guide Release 8 2GLX 78 15908 01 Chapter 23 Configuring UDLD Configuring UDLD on the Switch ...

Page 371: ...r to the Catalyst 4500 Series Catalyst 2948G Catalyst 2948G GE TX and Catalyst 2980G Switches Command Reference This chapter consists of these sections SNMP Terminology page 24 1 Understanding How SNMP Works page 24 3 Understanding How SNMPv1 and SNMPv2c Work page 24 5 SNMPv1 and SNMPv2c Default Configuration page 24 6 Understanding SNMPv3 page 24 6 Configuring SNMP from an NMS page 24 9 Configuri...

Page 372: ...ding data from an unauthorized user by scrambling the contents of an SNMP packet group A set of users belonging to a particular security model A group defines the access rights for all the users belonging to it Access rights define the SNMP objects that can be read written to or created In addition the group defines the notifications that a user is allowed to receive notification host An SNMP enti...

Page 373: ...istration and security See the Understanding SNMPv3 section on page 24 6 for more information on SNMPv3 SNMP Version 2c SNMPv2c This second version of SNMP supports centralized and distributed network management strategies and includes improvements in the Structure of Management Information SMI protocol operations management architecture and security SNMP engine A copy of SNMP that can reside on t...

Page 374: ...urity model and security level for its users SNMP ifindex Persistence Feature The SNMP ifIndex persistence feature is always enabled With the ifIndex persistence feature the ifIndex value of the port and VLAN is always retained and used after the following occurrences Switch reboot High availability switchover Software upgrade Module reset Module removal and insertion of the same type of module Fo...

Page 375: ...t is requested by the NMS SNMP trap This function is used to notify an NMS that a significant event has occurred at an agent When a trap condition occurs the SNMP agent sends an SNMP trap message to any NMS that is specified as a trap receiver under the following conditions When a port or module goes up or down When temperature limitations are exceeded When there are spanning tree topology changes...

Page 376: ...n transit Authentication Determining that the message is from a valid source Encryption Scrambling contents of a packet to prevent it from being seen by an unauthorized source Benefits of SNMPv3 SNMPv3 provides the following benefits for managing your network SNMP devices can collect data securely without being tampered with or corrupted You can encrypt confidential information such as SNMP set co...

Page 377: ... for sending messages Message Processing Subsystem The Message Processing Subsystem accepts outgoing PDUs from the Dispatcher and prepares them for transmission by wrapping them in a message header and returning them to the Dispatcher The Message Processing Subsystem also accepts incoming messages from the Dispatcher processes each message header and returns the enclosed PDU to the Dispatcher An i...

Page 378: ...the following potential security threats An authorized user sending a message that gets modified in transit by an unauthorized SNMP entity An unauthorized user trying to masquerade as an authorized user Anyone modifying the message stream Anyone eavesdropping The USM currently defines the use of HMAC MD5 96 and HMAC SHA 96 as the possible authentication protocols and CBC DES as the privacy protoco...

Page 379: ...oWorks solutions including CiscoWorks LAN Management Solution LMS and CiscoWorks Routed WAN Management Solution RWAN By default the separate CWI software image is not present in Flash memory You must install it separately with the CV image For more information on the CWI CiscoView and installing the images on your switch refer to this URL http www cisco com en US partner products hw switches ps663...

Page 380: ...e all All SNMP traps enabled Console enable show snmp RMON Disabled Extended RMON Extended RMON module is not present Traps Enabled Port Module Chassis Bridge Repeater Vtp Auth ippermit Vmps config entity stpx Port Traps Enabled 1 1 2 4 1 48 5 1 Community Access Community String read only Everyone read write Administrators read write all Root Trap Rec Address Trap Rec Community 172 16 10 10 read w...

Page 381: ...y Console enable This example shows how to restrict the community string to an access number Console enable set snmp community ext private1 read write access 2 Community string private1 is created with access type as read write access number 2 Console enable This example shows how to change the access number to the community string Console enable set snmp community ext private1 read write access 3...

Page 382: ... access the system You can specify more than one IP address that is associated with an access number by separating each IP address with a space If the new IP address uses an existing access number the switch addes the new IP addresses to the list To specify an access number for a host from the CLI perform this task in privileged mode These examples show how to specify an access number for a host C...

Page 383: ... clear snmp access list 101 All IP addresses associated with access number 101 have been cleared Console enable Console enable clear snmp access list 2 172 20 60 8 Access number 2 no longer associated with 172 20 60 8 Console enable Specifying and Displaying an Interface Alias You can specify and display an interface alias The length of the alias can be up to 64 characters To specify and display a...

Page 384: ...ntication authentication privacy read hex readview write hex writeview notify hex notifyview context hex contextname exact prefix volatile nonvolatile Step 4 Specify the target addresses for notifications set snmp notify hex notifyname tag hex notifytag trap inform volatile nonvolatile Step 5 Set the snmpTargetAddrEntry in the target address table set snmp targetaddr hex addrname param hex paramsn...

Page 385: ...p2 172 20 30 1 Snmp targetaddr name was set to router_2 with param p2 ipAddr 172 20 30 1 udpport 162 timeout 1500 retries 3 storageType nonvolatile These examples show how to set SNMP target parameters Console enable set snmp targetparams p1 user guestuser1 security model v3 message processing v3 authentication Snmp target params was set to p1 v3 authentication message processing v3 user guestuser...

Page 386: ...D_OF_MIB_VIEW_EXCEPTION This example shows how to verify the SNMPv2c setup for public access from a workstation workstation getnext v2c 10 6 4 201 public snmpEngineID snmpEngineID 0 00 00 00 09 00 10 7b f2 82 00 00 00 This example shows how to increase guestgroup s access right to read privileges for snmpEngineMibView Console enable set snmp view snmpEngineMibView 1 3 6 1 6 3 10 2 1 included Snmp ...

Page 387: ...r2password Enter Privacy password privacypasswd2 REPORT received cannot recover usmStatsUnsupportedSecLevels 0 1 Using CiscoWorks2000 CiscoWorks2000 is a family of web based and management platform independent products for managing Cisco enterprise networks and devices CiscoWorks2000 includes Resource Manager Essentials and CWSI Campus which allow you to deploy configure monitor manage and trouble...

Page 388: ...24 18 Catalyst 4500 Series Catalyst 2948G Catalyst 2948G GE TX and Catalyst 2980G Switches Software Configuration Guide Release 8 2GLX 78 15908 01 Chapter 24 Configuring SNMP Using CiscoWorks2000 ...

Page 389: ...ation that allows various network agents and console systems to exchange network monitoring data The supervisor engine software provides embedded support for these components of the RMON specification see the Supported RMON and RMON2 MIB Objects section on page 25 3 for details The following RMON groups are defined in RFC 1757 Statistics RMON group 1 for Ethernet Fast Ethernet Fast EtherChannel an...

Page 390: ...Extended RMON Extended RMON module is not present Traps Enabled Port Module Chassis Bridge Repeater Vtp Auth ippermit Vmps config entity stpx Port Traps Enabled 1 1 2 4 1 48 5 1 Community Access Community String read only Everyone read write Administrators read write all Root Trap Rec Address Trap Rec Community 172 16 10 10 read write 172 16 10 20 read write all Console enable Viewing RMON Data Ac...

Page 391: ...errors etc RFC 1757 Supervisor engine mib 2 1 rmon 16 history 2 historyControlTable 1 mib 2 1 rmon 16 history 2 etherHistoryTable 2 Periodically samples and saves statistics group counters for later retrieval RFC 1757 RFC 1757 Supervisor engine mib 2 1 rmon 16 alarm 3 A threshold set on critical RMON variables for network management RFC 1757 Supervisor engine mib 2 1 rmon 16 event 9 Generates SNMP...

Page 392: ... Catalyst 4500 Series Catalyst 2948G Catalyst 2948G GE TX and Catalyst 2980G Switches Software Configuration Guide Release 8 2GLX 78 15908 01 Chapter 25 Configuring RMON Supported RMON and RMON2 MIB Objects ...

Page 393: ... SPAN or RSPAN from a Network Management System NMS refer to the NMS documentation and see the Using CiscoWorks2000 section on page 24 17 Understanding How SPAN and RSPAN Work The following sections describe the concepts and terminology that are associated with SPAN and RSPAN configuration SPAN Session A SPAN session is an association of a destination port with a set of source ports configured wit...

Page 394: ...mmand reflects the trunking status for the port prior to SPAN session configuration Source Port A source port is a switch port that is monitored for network traffic analysis The traffic through the source ports can be categorized as ingress egress or both You can monitor one or more source ports in a single SPAN session with user specified traffic types ingress egress or both that are applicable f...

Page 395: ...g ports cannot be used as reflector ports Gigabit uplink ports on the WS 4013 Supervisor II Gigabit uplink ports on the 2980G A Gigabit ports on the WS 4232 L3 module The SPAN line in the output of the show port capabilities command indicates whether a port can be used as a reflector port Ingress SPAN Ingress SPAN copies network traffic that is received by the source ports for analysis at the dest...

Page 396: ...are not included in the selected list of filter VLANs SPAN includes only the ports that belong to one or more of the selected VLANs in the operational sources When a VLAN is cleared it is removed from the VLAN filter list A SPAN session is disabled if the VLAN filter list becomes empty Trunk VLAN filtering is not applicable to VSPAN sessions Trunk VLAN filtering is available for local SPAN session...

Page 397: ...c that is received on the SPAN destination port by entering the learning disable keywords If you want the switch to learn source MAC addresses from traffic that is received on the SPAN destination port enter the learning enable keywords By default the switch learns source MAC addresses from incoming traffic learning enable if the inpkts keyword is enabled The source MAC address learning options on...

Page 398: ... span 2 4 3 6 Overwrote Port 3 6 to monitor transmit receive traffic of Port 2 4 Incoming Packets disabled Learning enabled Console enable show span Destination Port 3 6 Admin Source Port 2 4 Oper Source None Direction transmit receive Incoming Packets disabled Learning enabled Filter Status active Total local span sessions 1 Console enable This example shows how to set VLAN 522 as the SPAN source...

Page 399: ...2 as the SPAN source and port 2 5 as the SPAN destination Console enable set span 3 1 2 3 Overwrote Port 2 3 to monitor transmit receive traffic of Port 3 1 Incoming Packets disabled Learning enabled Console enable set span 3 2 2 5 tx create Created Port 2 5 to monitor transmit traffic of Port 3 2 Incoming Packets disabled Learning enabled Console enable show span Destination Port 2 3 Admin Source...

Page 400: ...nsole enable Configuring RSPAN The following sections describe how to configure RSPAN RSPAN Software and Hardware Requirements You must have software release 6 3 1 or a later release to use RSPAN on the Catalyst 4500 series switches or to use a Catalyst 4500 series switch as an intermediate switch in an RSPAN session RSPAN supervisor engine requirements are as follows For source switches Any Catal...

Page 401: ... receives the traffic see Figure 26 2 The traffic type for sources ingress egress or both in an RSPAN session can be different for source switches but must be the same for all source ports on a given switch Do not configure any ports in an RSPAN VLAN except those selected to carry RSPAN traffic Learning is disabled on the RSPAN VLAN Figure 26 2 Flow of RSPAN Monitored Traffic RSPAN Configuration G...

Page 402: ...hat the special properties of RSPAN VLANs are supported in all the switches to avoid unwanted traffic in these VLANs Incoming traffic on the RSPAN destination port is disabled by default You can enable it by entering the inpkts enable keywords However while the port receives traffic for its assigned VLAN it does not participate in spanning tree for that VLAN To avoid creating spanning tree loops w...

Page 403: ...sole enable set rspan source 2 3 500 reflector 2 34 rx Rspan Type Source Destination Reflector Port 2 34 Rspan Vlan 500 Admin Source Port 2 3 Oper Source Port 2 3 Direction receive Incoming Packets Learning Filter Status active Console enable 2001 May 02 13 22 17 SYS 5 SPAN_CFGSTATECHG remote span source session active for remote span vlan 500 This example shows how to specify port 2 3 as a source...

Page 404: ... Console enable To configure RSPAN destination ports perform this task in privileged mode Caution If the RSPAN destination port is connected to another device and reception of incoming packets is enabled by entering the inpkts enable keywords the RSPAN destination port receives traffic for the VLAN to which the RSPAN destination port belongs However the RSPAN destination port does not participate ...

Page 405: ...ll This command will disable all remote span source session s Do you want to continue y n n y Disabled monitoring of all source s on the switch for remote span Console enable This example shows how to disable one source session by rspan_vlan number Console enable set rspan disable source 903 Disabled monitoring of all source s on the switch for rspan_vlan 903 Console enable This example shows how ...

Page 406: ... in Figure 26 3 and Table 26 1 the RSPAN session may be disabled in Switch A Switch B or both switches without modifying the configuration in Switch C or Switch D Figure 26 3 Single RSPAN Session Modifying an Active RSPAN Session This example shows how to modify an active RSPAN session Figure 26 3 shows a single RSPAN session see Table 26 2 for the commands to disable an RSPAN session and to add o...

Page 407: ...ata center and source ports in Table 26 2 Making Modifications to an Active RSPAN Session Switch Action RSPAN CLI Commands A source Disable the RSPAN session set rspan disable source 901 B source Remove source port 3 2 from the RSPAN session set rspan source 3 1 3 3 901 reflector 3 4 B source Add source port 3 2 to the RSPAN session set rspan source 3 1 3 901 reflector 3 4 Table 26 3 Adding RSPAN ...

Page 408: ...itch Figure 26 5 Configuring Multiple RSPAN Sessions Adding Multiple Network Analyzers to an RSPAN Session You can attach multiple network analyzers probes to the same RSPAN session In Figure 26 6 you can add probe 3 in Switch B to monitor RSPAN VLAN 901 by entering the set rspan destination 1 2 901 command Similarly you could add source ports to Switch C Table 26 4 Configuring Multiple RSPAN Sess...

Page 409: ... 4 4 Switch A 3 1 3 2 3 3 1 2 1 1 Switch C Switch F Switch D Switch E Switch B Probe 2 Probe 1 Destination switch data center Intermediate switch es distribution Source switch es access 58637 T1 T2 T6 T3 T5 T4 Probe 3 Table 26 5 Disabling the RSPAN Sessions Switch Port Reflector Port RSPAN VLAN s Direction RSPAN CLI Commands A source 2 1 2 2 3 901 Ingress set rspan disable source 901 B source 3 1 ...

Page 410: ...26 18 Catalyst 4500 Series Catalyst 2948G Catalyst 2948G GE TX and Catalyst 2980G Switches Software Configuration Guide Release 8 2GLX 78 15908 01 Chapter 26 Configuring SPAN and RSPAN Configuring RSPAN ...

Page 411: ...page 27 5 Defining and Using Command Aliases page 27 6 Defining and Using IP Aliases page 27 7 Configuring Permanent and Static ARP Entries page 27 8 Configuring Static Routes page 27 9 Scheduling a System Reset page 27 10 Generating System Status Reports for Tech Support page 27 12 Setting the System Name and System Prompt The system name on the switch is a user configurable string that identifie...

Page 412: ...ement Protocol SNMP When you configure a route using the set ip route command When you clear the system name using the set system name command When you enable DNS or specify DNS servers If you configured the system name no DNS lookup is performed Configuring the System Name and Prompt The following sections describe how to configure the system name and prompt Setting the System Name To set the sys...

Page 413: ...system contact and location perform this task in privileged mode This example shows how to set the system contact to sysadmin corp com and location to Sunnyvale CA Console enable set system contact sysadmin corp com System contact set Console enable set system location Sunnyvale CA System location set This example shows how to verify the configuration Console enable show system PS1 Status PS2 Stat...

Page 414: ...e current date and time Console enable set time Fri 06 15 01 12 30 00 Fri Jun 15 2001 12 30 00 Console enable show time Fri Jun 15 2001 12 30 02 Console enable Creating a Login Banner You can create a single or multiline message of the day MOTD banner that appears on the screen when someone logs in to the switch The first character following the motd keyword is used to delimit the beginning and en...

Page 415: ...le set banner motd MOTD banner cleared Console enable EnablingorDisablingthe CiscoSystemsConsole Telnet Login Banner By default the Cisco Systems Console Telnet login banner is enabled To enable or disable the Cisco Systems Console Telnet login banner perform this task in privileged mode This example shows how to enable the Cisco Systems Console Telnet login banner Console enable set banner telnet...

Page 416: ... for the command alias The parameter argument is the text that the user types at the command line to activate the command To define a command alias on the switch perform this task in privileged mode This example shows how to define two command aliases sm3 which executes the show module 3 1 command sp3 which executes the show port 3 command Console enable set alias sm3 show module 3 Command alias a...

Page 417: ...it Err Rcv Err UnderSize 3 1 0 0 0 0 Port Single Col Multi Coll Late Coll Excess Col Carri Sen Runts Giants 3 1 0 0 0 0 0 0 0 Last Time Cleared Mon Jun 26 2000 08 53 49 Console enable Defining and Using IP Aliases You can use the set ip alias command to define aliases for IP addresses IP aliases can make it easier to refer to other network devices when you use ping telnet and other commands even w...

Page 418: ...emoved from the ARP cache after a system reset When you configure a permanent ARP by using the set arp permanent command the ARP entry is retained even after a system reset Because most hosts support dynamic resolution you usually do not need to specify static or permanent ARP cache entries When a device does not respond to ARP requests you can configure an ARP entry to be statically or permanentl...

Page 419: ...ntry for one or more destination networks Static route entries consist of the destination IP network address the IP address of the next hop router and the metric hop count for the route In software release 5 1 and later releases you can configure Classless InterDomain Routing CIDR routes such as IP supernets in the switch IP routing table You can specify the subnet mask for a destination network u...

Page 420: ... to reset at a future time This feature allows you to upgrade software during business hours and schedule the system upgrade after business hours to avoid a major impact on users You can also use the schedule reset feature when trying out new features on a switch To avoid misconfiguration or the possibility of losing network connectivity to the device you can set up the startup configuration featu...

Page 421: ...are upgrade to 6 3 1 Reset scheduled at 23 00 00 Sat Aug 18 2001 Reset reason Software upgrade to 6 3 1 Proceed with scheduled reset y n n y Reset mindown scheduled for 23 00 00 Sat Aug 18 2001 in 0 day 8 hours 39 minutes Console enable Scheduling a Reset Within a Specified Amount of Time You can schedule a reset within a specified time by entering the reset in command For example if the current s...

Page 422: ...mands Refer to the Catalyst 4500 Series Catalyst 2948G Catalyst 2948G GE TX and Catalyst 2980G Switches Command Reference for these commands You can upload the report to a TFTP server and send it to the Cisco Technical Assistance Center TAC You can use keywords to limit the report such as for specific modules VLANs and ports If you do not specify any keywords a report for the entire system is gene...

Page 423: ...ng How Power Management Works on the Catalyst 4500 Series Switches page 28 1 Understanding How Power Management Works on the Catalyst 4006 Switch page 28 6 Power Consumption for Modules page 28 9 Migrating a Supervisor Engine II from a Catalyst 4006 Switch to a Catalyst 4500 Series Switch page 28 10 Understanding How PoE Works page 28 11 Configuring Power Management page 28 14 Configuring PoE page...

Page 424: ...s switches support these two power management modes Redundant mode Uses one power supply as a primary power supply and the second power supply as a backup If the primary power supply fails the second power supply supports the switch without disrupting the network Both power supplies must have the same wattage A single power supply must have enough power to support the switch configuration By defau...

Page 425: ...er supplies automatically adjust the power resources to accommodate the chassis and PoE requirements when a system boots Modules are brought up first followed by powered devices See Table 28 1 on page 28 4 for a list of the maximum available power for chassis and PoE for each power supply Combined Mode Guidelines This section describes the guidelines for using combined mode in the Catalyst 4500 se...

Page 426: ...hat is provided by the power supplies If you insert a single power supply into the switch and then set combined mode the switch displays this message Insufficient power supplies present for specified configuration Table 28 1 Available Power Power Supply Redundant Mode W Combined Mode W 1000 W AC Chassis1 1000 PoE 0 1 The chassis power includes power for the supervisor engine s all line cards and t...

Page 427: ...nes and Restrictions This section describes the guidelines and restrictions for using a 1400 W DC power supply in the Catalyst 4500 series switches Caution Do not use the 1400 W DC power supply with any other power supply even for a hot swap or other short term emergency because you can seriously damage your switch The 1400 W DC power supply works with a variety of DC sources The DC input can vary...

Page 428: ...redundancy mode might not support a fully loaded chassis If your switch has only two power supplies and is in 2 1 redundancy mode the default mode there is no redundancy You can create redundancy with only two power supplies by setting the power redundancy to operate in 1 1 redundancy mode one primary plus one redundant power supply However 1 1 redundancy does not support all configurations The mo...

Page 429: ...upply cooling capacity restriction applies to the Catalyst 4006 switch When considering the 1 1 redundancy mode you must carefully plan the configuration of the module power usage of your chassis An incorrect configuration will disrupt your system during the evaluation cycle To avoid a disruption ensure that your configuration is within the power limits or return to the default 2 1 redundancy conf...

Page 430: ...he power budget to 2 1 redundancy mode If you change to 2 1 redundancy mode each module in reset mode is brought up one at a time to an operational state If you use a 400 W power supply and a 650 W power supply in your switch the switch acts as if there were two 400 W power supplies If you have one 400 W power supply and one 650 W power supply in 1 1 redundancy mode and a second 650 W power supply...

Page 431: ... Catalyst 4506 switch backplane 10 10 6 port 1000BASE X GBIC Gigabit Ethernet WS X4306 GB 35 30 32 port 10 100 Fast Ethernet RJ 45 WS X4232 RJ XX 50 35 Catalyst 4000 Access Gateway Module with IP FW IOS WS X4604 GWY 120 60 24 port 100BASE FX Fast Ethernet switching module WS X4124 FX MT 90 75 32 port 10 100 Fast Ethernet RJ 45 plus 2 port 1000BASE X GBIC Gigabit Ethernet WS 4232 GB RJ 55 35 48 por...

Page 432: ...bridge ID priority that is added to a system ID extension The system ID extension which is the VLAN number can vary from 1 to 4094 If the switch is in VLAN 1 the new bridge ID priority will be 32 789 Because 32 769 is greater than 32 768 this switch cannot become the root switch The Catalyst 4006 switch is a root switch In this case the spanning tree topology may change If the other switches in th...

Page 433: ... powered device and to disable the detection mechanism If your switch has a module that can provide PoE to end stations you can set each port on the module to detect and apply PoE automatically if the end station requires power Note For information on powering powered devices that are connected to other Catalyst switching modules refer to the Catalyst Family Inline Power Patch Panel Installation N...

Page 434: ...following on Power is supplied by the port off The power is not supplied by the port Power deny The supervisor engine does not have enough power to allocate to the port or the power that is configured for the port is less than the power that is required by the port The power is not being supplied by the port err disable The port cannot provide power to the connected device that is configured in St...

Page 435: ...ff power to a specific port by sending a message to the switching module The power for a port in Auto mode is then added back to the available system power Power for ports in Static mode is not added back to the available system power This situation occurs only when you power off the phone through the CLI or SNMP Phone Removal The switching module informs the supervisor engine if a powered phone i...

Page 436: ...es To set redundant mode on the Catalyst 4500 series switch perform this task in privileged mode Catalyst Switch Switching module discovers the powered device using proprietary discovery mechanism Third party powered device Switching module will not discover the powered device Supervisor engine will not know about powered device unless powered device has a separate source of power If you insert a ...

Page 437: ...12V Console enable Setting Combined Mode on the Catalyst 4500 Series Switches To set combined mode on the Catalyst 4500 series switch perform this task in privileged mode This example shows how to set the power management mode to combined mode Console enable set power bedget 2 Console enable show environment power Total Inline Power Available 1333 00 Watts 26 66 Amps 50V Total Inline Power Drawn F...

Page 438: ...ported Max H W Supported To Module Watts Per Module Watts Per Port Watts 2 0 00 830 562 15 400 3 0 00 830 562 15 400 4 0 00 830 562 15 400 5 0 00 830 562 15 400 6 0 00 830 562 15 400 DC Power supplies are configured for 5000Watts DC input Power Budget is 1 supply Power Available to the System excluding voice power 1360 Watts 113 33 Amps 12V Power Drawn from the System excluding voice power 485 Wat...

Page 439: ...0 Watts 0 11 Amps 51V Module Inline Power Allocated mA 1 0 2 0 3 0 Power Budget is 2 supplies Power Available to the System excluding voice power 750 Watts 62 06 Amps 12V Power Drawn from the System excluding voice power 265 Watts 22 01 Amps 12V Remaining Power excluding voice power 485 Watts 40 05 Amps 12V Console enable Displaying System Information To display information about the power supplie...

Page 440: ... perform this task in privileged mode Task Command Step 1 Change the nondefault configuration mode to text and specify the configuration file to use at boot up set config mode text bootflash switch cfg Step 2 Save the current nondefault configuration to NVRAM write memory Step 3 Save the configuration on the Catalyst 4006 switch copy config flash Step 4 Remove the supervisor engine from the Cataly...

Page 441: ...attage to 800 mWatt Console enable Setting the Default Power Allocation for a Port By default the switch allocates 7 W to a port when it discovers a powered device on the port This number automatically adjusts downward to the amount that the powered device actually requires when the switch receives a CDP packet from the powered device Normally this automatic method works very well and no further c...

Page 442: ...ividual ports Console show port inlinepower 6 1 Configured Default Inline Power allocation per port 15 400 Watts 0 36 Amps 42V Total inline power drawn by module 6 26 46 Watts 0 63 Amps 42V Port InlinePowered PowerAllocated Device IEEE class DiscoverMode Admin Oper Detected mWatt mA 42V 6 1 static on yes 5040 120 Cisco None cisco Port Maximum Power Actual Consumption absentCounter OverCurrent mWat...

Page 443: ...80G Switches Command Reference Hardware and Software Requirements The hardware and software requirements for the Catalyst 4500 series switches and Cisco CallManager are as follows Catalyst 4006 Catalyst 4500 series Catalyst 5000 family and Catalyst 6500 series switches running supervisor engine software release 6 1 1 or later releases Catalyst 4006 Catalyst 4500 series and Catalyst 6500 series swi...

Page 444: ...e removed to verify that an IP phone has been removed from the network An IP phone contains an integrated three port 10 100 switch The ports are dedicated connections as described below Port 1 connects to the switch or other device that supports VoIP Port 2 is an internal 10 100 interface that carries the phone traffic Port 3 connects to a PC or other device Figure 29 1 shows one way to configure ...

Page 445: ...ss port of the IP phone native VLAN Isolating the phones on a separate auxiliary VLAN increases the quality of the voice traffic and allows a large number of phones to be added to an existing network where there are not enough IP addresses a new VLAN requires a new subnet and a new set of IP addresses Configuring VoIP on a Switch To make an IP phone work in your voice network you must do the follo...

Page 446: ...29 4 Catalyst 4500 Series Catalyst 2948G Catalyst 2948G GE TX and Catalyst 2980G Switches Software Configuration Guide Release 8 2GLX 78 15908 01 Chapter 29 Configuring VoIP Configuring VoIP on a Switch ...

Page 447: ...n to restrict unauthorized devices from connecting to a LAN through publicly accessible ports see Chapter 31 Configuring 802 1x Authentication Note For information on configuring ports to allow or restrict traffic that is based on host MAC addresses see Chapter 16 Configuring Port Security This chapter consists of these sections Understanding How Authentication Works page 30 1 Configuring Authenti...

Page 448: ...uld use the set authentication enable attempt command to set login limits for accessing enable mode The configurable range is three default to ten tries Setting the limit to zero 0 disables login authentication All authentication methods RADIUS TACACS Kerberos or local are supported The lockout delay time is also configurable from the CLI and SNMP with the set authentication login lockout command ...

Page 449: ...ing How TACACS Authentication Works TACACS is an enhanced version of TACACS which is a User Datagram Protocol UDP based access control protocol that is specified by RFC 1492 TACACS controls access to network devices by exchanging Network Access Server NAS information between a network device and a centralized database to determine the identity of a user or device TACACS uses TCP to ensure reliable...

Page 450: ...isable all other authentication methods local authentication is reenabled automatically Understanding How RADIUS Authentication Works RADIUS is a client server authentication and authorization access protocol that is used by the NAS to authenticate users attempting to connect to a network device The NAS functions as a client passing user information to one or more RADIUS servers The NAS permits or...

Page 451: ...eros also guards against intruders who might pick up the encrypted tickets from the network Table 30 1 defines terms that are used in Kerberos Table 30 1 Kerberos Terminology Term Definition Kerberized Applications and services that have been modified to support the Kerberos credential infrastructure Kerberos credential General term referring to authentication tickets such as ticket granting ticke...

Page 452: ...d sends this request to the KDC This request contains the user s identity and a message saying that it wants to Telnet to the switch This request is encrypted using the TGT 4 When the KDC successfully decrypts the service credential request with the TGT that it issued to the client it builds a service to the switch The service credential has the client s identity and the identity of the desired Te...

Page 453: ...et does not support non Kerberized login When you launch a non Kerberized login the following process takes place 1 The switch prompts you for a username and password 2 The switch requests a TGT from the KDC so that you can be authenticated to the switch 3 The KDC sends an encrypted TGT to the switch which contains your identity KDC s identity and TGT s expiration time 4 The switch tries to decryp...

Page 454: ... Table 30 2 Default Authentication Configuration Feature Default Login authentication console and Telnet Enabled Local authentication console and Telnet Enabled Local user authentication Disabled TACACS login authentication console and Telnet Disabled TACACS enable authentication console and Telnet Disabled TACACS key None specified TACACS login attempts 3 times TACACS server timeout 5 sec TACACS ...

Page 455: ...rver and authentication requests are sent to this server first You can specify a particular server as primary by using the primary keyword RADIUS and TACACS support one privileged mode only level 1 Kerberos authentication does not work if TACACS is also used as an authentication mechanism Before you can enable local user authentication you must define at least one username Local user accounts and ...

Page 456: ...abled disabled disabled radius disabled disabled disabled kerberos disabled disabled disabled local enabled primary enabled primary enabled primary attempt limit 5 5 lockout timeout sec 50 50 Enable Authentication Console Session Telnet Session Http Session tacacs disabled disabled disabled radius disabled disabled disabled kerberos disabled disabled disabled local enabled primary enabled primary ...

Page 457: ...ion Http Session tacacs disabled disabled disabled radius disabled disabled disabled kerberos disabled disabled disabled local enabled primary enabled primary enabled primary attempt limit 5 5 lockout timeout sec 50 50 Enable Authentication Console Session Telnet Session Http Session tacacs disabled disabled disabled radius disabled disabled disabled kerberos disabled disabled disabled local enabl...

Page 458: ...set to enable for console and telnet session Console enable show authentication Login Authentication Console Session Telnet Session tacacs disabled disabled radius disabled disabled kerberos disabled disabled local enabled primary enabled primary Enable Authentication Console Session Telnet Session tacacs disabled disabled radius disabled disabled kerberos disabled disabled local enabled primary e...

Page 459: ... CLI Passwords are case sensitive contain up to 30 characters and use any printable ASCII characters including a space Note Passwords that are set in software release 5 3 and earlier releases remain non case sensitive You must reset the password after installing software release 5 4 or a later release to activate case sensitivity To set the enable password for local authentication perform this tas...

Page 460: ...on set to disable for console and telnet session Console enable show authentication Login Authentication Console Session Telnet Session tacacs disabled disabled radius enabled primary enabled primary kerberos disabled disabled local disabled disabled Enable Authentication Console Session Telnet Session tacacs disabled disabled radius enabled primary enabled primary kerberos disabled disabled local...

Page 461: ... 7 When prompted for your old password press Return Step 8 Enter and confirm your new password Configuring Local User Authentication The following sections describe how to configure local user authentication authentication on the switch Creating a Local User Account Local user accounts and passwords must be fewer than 65 characters and can consist of any alphanumeric characters Local user accounts...

Page 462: ...isabled disabled kerberos disabled disabled disabled local enabled primary enabled primary enabled primary attempt limit 3 3 lockout timeout sec disabled disabled Local User Authentication enabled Console enable Disabling Local User Authentication To disable local user authentication on the switch perform this task in privileged mode This example shows how to disable local user authentication for ...

Page 463: ...d 15 Console enable Configuring TACACS Authentication The following sections describe how to configure TACACS authentication on the switch Specifying TACACS Servers Specify one or more TACACS servers before you enable TACACS authentication on the switch The first server that you specify is the primary server unless you explicitly make one server the primary server by using the primary keyword To s...

Page 464: ...the switch For more information on specifying TACACS servers see the Specifying TACACS Servers section on page 30 17 You can enable TACACS authentication for login and enable access to the switch If desired you can enter the console and telnet keywords to specify that TACACS authentication is used only on console or Telnet connections If you are using both RADIUS and TACACS you can enter the prima...

Page 465: ...n Telnet Session tacacs enabled primary enabled primary radius disabled disabled local enabled enabled Console enable Specifying the TACACS Key Note If you configure a TACACS key on the client make sure that you configure an identical key on the TACACS server To specify the TACACS key perform this task in privileged mode This example shows how to specify the TACACS key and verify the configuration...

Page 466: ...re allowed To set the number of login attempts that are allowed perform this task in privileged mode This example shows how to set the number of login attempts and verify the configuration Console enable set tacacs attempts 5 Tacacs number of attempts set to 5 Console enable show tacacs Tacacs key Secret_TACACS_key Tacacs login attempts 5 Tacacs timeout 30 seconds Tacacs direct request disabled Ta...

Page 467: ...ected Request To disable TACACS directed request perform this task in privileged mode This example shows how to disable TACACS directed request Console enable set tacacs directedrequest disable Tacacs direct request has been disabled Console enable Clearing TACACS Servers To clear one or more TACACS servers perform this task in privileged mode Task Command Step 1 Enable TACACS directed request on ...

Page 468: ...ACACS authentication perform this task in privileged mode This example shows how to disable TACACS authentication for console and Telnet connections and how to verify the configuration Console enable set authentication login tacacs disable tacacs login authentication set to disable for console and telnet session Console enable set authentication enable tacacs disable tacacs enable authentication s...

Page 469: ...ows how to specify a RADIUS server and verify the configuration Console enable set radius server 172 20 52 3 172 20 52 3 with auth port 1812 added to radius server table as primary server Console enable show radius Login Authentication Console Session Telnet Session tacacs disabled disabled radius disabled disabled local enabled primary enabled primary Enable Authentication Console Session Telnet ...

Page 470: ...t 4500 series switch with your assigned username and password john hello you can enter enable mode using the password that is assigned to the enab15 user If your RADIUS server does not support the enab15 username you can set the service type attribute attribute 6 to Administrative value 6 for a RADUIS user to directly launch the user into enable mode without asking for a separate enable password T...

Page 471: ...y the RADIUS key and verify the configuration in normal mode the RADIUS key value is hidden Console enable set radius key Secret_RADIUS_key Radius key set to Secret_RADIUS_key Console enable show radius Login Authentication Console Session Telnet Session tacacs disabled disabled radius enabled primary enabled primary local enabled enabled Enable Authentication Console Session Telnet Session tacacs...

Page 472: ... Radius Retransmit 2 Radius Timeout 10 seconds Radius Server Status Auth port 172 20 52 3 primary 1812 Console enable Setting the RADIUS Retransmit Count You can set the number of times the switch will attempt to contact a RADIUS server before the next configured server is tried By default each RADIUS server will be tried two times To set the RADIUS retransmit count perform this task in privileged...

Page 473: ...ADIUS server that is marked dead Configuring a dead time speeds up the authentication process by eliminating timeouts and retransmissions to the dead RADIUS server If you configure only one RADIUS server or if all of the configured servers are marked dead the dead time is ignored because there are no alternate servers available To set the RADIUS dead time perform this task in privileged mode This ...

Page 474: ...8 To specify optional attributes for the RADIUS server perform this task in privileged mode This example shows how to specify and enable the framed IP address attribute by number Console enable set radius attribute 8 include in access req enable Transmission of Framed ip address in access request packet is enabled Console enable show radius RADIUS Deadtime 0 minutes RADIUS Key 123456 RADIUS Retran...

Page 475: ...is task in privileged mode This example shows how to clear the RADIUS key and verify the configuration Console enable clear radius key Radius key cleared Console enable show radius Login Authentication Console Session Telnet Session tacacs disabled disabled radius disabled disabled local enabled primary enabled primary Enable Authentication Console Session Telnet Session tacacs disabled disabled r...

Page 476: ...lnet Session tacacs disabled disabled radius disabled disabled local enabled primary enabled primary Enable Authentication Console Session Telnet Session tacacs disabled disabled radius disabled disabled local enabled primary enabled primary Console enable Configuring Kerberos Authentication Before you can use Kerberos as an authentication method on the switch you need to configure the Kerberos se...

Page 477: ...as follows usr local sbin krb4kdc usr local sbin kadmind Enabling Kerberos To enable Kerberos authentication perform this task in privileged mode This example shows how to enable Kerberos as the login authentication method for Telnet and verify the configuration Console enable set authentication login kerberos enable telnet kerberos login authentication set to enable for telnet session Console ena...

Page 478: ...istered to a Kerberos server To authenticate a user defined in the Kerberos database the switch must know the host name or IP address of the host running the KDC and the name of the Kerberos realm To configure the switch to authenticate to the KDC in a specified Kerberos realm perform this task in privileged mode Note Make sure that you enter the realm in uppercase letters Kerberos will not authen...

Page 479: ...SCO COM 187 0 2 1 750 deleted Console enable Mapping a Kerberos Realm to a Host Name or DNS Domain Optionally you can map a host name or Domain Name Server DNS domain to a Kerberos realm To map a Kerberos realm to either a host name or DNS domain perform this task in privileged mode This example shows how to map a Kerberos realm called CISCO COM to a DNS domain and how to clear the entry Console e...

Page 480: ...an entry for each Kerberos principal service on the switch The entries are maintained in the SRVTAB table The maximum size of the table is 20 entries To retrieve SRVTAB files to the switch from the KDC perform this task in privileged mode This example shows how to retrieve an SRVTAB file from the KDC enter an SRVTAB directly into the switch and verify the configuration Console enable set kerberos ...

Page 481: ...authenticate from the switch to Kerberized remote hosts on the network using Kerberized Telnet As an additional layer of security you can configure the switch so that after users authenticate to it these users can authenticate only to other services on the network with Kerberized clients If you do not make Kerberos authentication mandatory and Kerberos authentication fails the application attempts...

Page 482: ...arding configuration perform this task in privileged mode This example shows how to disable the credentials forwarding configuration and verify the change Console enable clear kerberos credentials forward Kerberos credentials forwarding disabled Console enable show kerberos Kerberos Local Realm not configured Kerberos server entries Kerberos Domain Realm entries Kerberos Clients NOT Mandatory Kerb...

Page 483: ... so that when the show kerberos command is executed the secret key is not displayed in clear text The key should be eight characters or less To define a DES key perform this task in privileged mode This example shows how to define a DES key and verify the configuration Console enable set key config key abcd Kerberos config key set to abcd Console enable show kerberos Kerberos Local Realm CISCO COM...

Page 484: ...nfigure a Telnet session for Kerberos authentication and encryption Console enable telnet encrypt kerberos 172 20 52 5 Monitoring and Maintaining Kerberos Use these commands to display and clear Kerberos configurations on the switch show kerberos show kerberos creds clear kerberos creds To display the Kerberos configuration perform this task in privileged mode This example shows how to display the...

Page 485: ...uthentication Example Figure 30 3 shows a simple network topology using TACACS In this example TACACS authentication is enabled and local authentication is disabled for both login and enable access to the switch for all Telnet connections When Workstation A attempts to connect to the switch the user is challenged for a TACACS username and password Only local authentication is enabled for both logi...

Page 486: ...le for telnet session Console enable set authentication enable local disable telnet local enable authentication set to disable for telnet session Console enable show tacacs Tacacs key tintin_et_milou Tacacs login attempts 3 Tacacs timeout 5 seconds Tacacs direct request disabled Tacacs Server Status 172 20 52 10 primary Console enable Understanding How Authorization Works The Catalyst 4500 series ...

Page 487: ... mode TACACS Primary and Fallback Options You can specify the primary and fallback options that are used in the authorization process The following primary options and fallback options are available tacacs If you have been authenticated and there is no response from the TACACS server authorization succeeds immediately if authenticated If you have been authenticated and there is no response from th...

Page 488: ...he user profile When you log in using RADIUS authentication and you do not have Administrative Shell 6 Service Type access the NAS authenticates you and logs you in to EXEC mode if authentication succeeds If you have Administrative Shell 6 Service Type access the NAS authenticates you and logs you in to privileged mode if authentication succeeds Configuring Authorization The following sections des...

Page 489: ...able mode authorization for console and Telnet connections Authorization is configured with the tacacs option The fallback option is deny Console enable set authorization enable enable tacacs deny both Successfully enabled enable authorization Console Task Command Step 1 Enable authorization for normal login mode Enter the console or telnet keywords if you want to enable the authorization only for...

Page 490: ...Console Primary Fallback exec tacacs deny enable tacacs deny commands config tacacs deny all Console enable Disabling TACACS Authorization To disable TACACS authorization on the switch perform this task in privileged mode Task Command Step 1 Disable authorization for normal mode Enter the console or telnet keywords if you want to disable the authorization only for the console port or for the Telne...

Page 491: ...ACS command authorization for both console and Telnet connections and how to verify the configuration Console enable set authorization commands disable both Successfully disabled commands authorization Console enable This example shows how to verify the configuration Console enable show authorization Telnet Primary Fallback exec tacacs deny enable tacacs deny commands config tacacs deny all tacacs...

Page 492: ...the feature and sends a response either executing the command or denying access Figure 30 4 Example of a TACACS Network Topology This example shows that TACACS authorization is enabled for enable mode access to the switch for both Telnet and console connections authorizing configuration commands Console enable set authorization enable enable tacacs deny both Successfully enabled enable authorizati...

Page 493: ...nse to the NAS acknowledging the request All transactions between the NAS and server are authenticated using a key After accounting has been enabled and an accountable event occurs on the system the accounting information is gathered dynamically in memory When the event ends an accounting record is created and sent to the NAS the system then deletes the record from memory The amount of memory that...

Page 494: ...mand accounting No users are associated with system events therefore the start stop option in the set accounting system command is ignored for system events The stop only option in the set accounting commands provides complete accounting information Note Stop records include complete information of the event when the event started its duration and traffic statistics However you might want redundan...

Page 495: ...d to keep up to date connection and session information even if the NAS restarts and loses the initial start time You must set a time lapse between periodic updates Valid intervals are from 1 to 71582 minutes Suppressing Accounting You can configure the system to suppress accounting when an unknown user with no username accesses the switch by using the set accounting suppress null username enable ...

Page 496: ...sections describe how to configure RADIUS and TACACS accounting on the switch Enabling Accounting To enable accounting on the switch perform this task in privileged mode This example shows how to enable stop only TACACS accounting events Console enable set accounting connect enable stop only tacacs Accounting set to enable for connect events in stop only mode Console enable Console enable set acco...

Page 497: ...ting updates will be periodic at 120 minute intervals Console enable This example shows how to verify the configuration Console enable show accounting Event Method Mode exec tacacs stop only connect tacacs stop only system tacacs stop only commands config all tacacs stop only TACACS Suppress for no username enabled Update Frequency periodic Interval 120 Accounting information Active Accounted acti...

Page 498: ...mands all events Console enable This example shows how to disable suppression of unknown users Console enable set accounting suppress null username disable Accounting will be not be suppressed for user with no username Console enable This example shows how to verify the configuration Console enable show accounting Event Method Mode exec connect system commands config all TACACS Suppress for no use...

Page 499: ...le enable set accounting connect enable stop only tacacs Accounting set to enable for connect events in stop only mode Console enable set accounting exec enable stop only tacacs Accounting set to enable for exec events in stop only mode Console enable set accounting commands enable all stop only tacacs Accounting set to enable for commands all events in stop only mode Console enable set accounting...

Page 500: ...st 2948G Catalyst 2948G GE TX and Catalyst 2980G Switches Software Configuration Guide Release 8 2GLX 78 15908 01 Chapter 30 Configuring Switch Access Using AAA Accounting Example Connect 0 0 0 Command 0 0 0 System 1 0 0 Console enable ...

Page 501: ...tanding How 802 1x Authentication Works page 31 1 Authentication Default Configuration page 31 9 Authentication Configuration Guidelines page 31 9 Configuring 802 1x Authentication on the Switch page 31 10 Understanding How 802 1x Authentication Works IEEE 802 1x is a client server based access control and authentication protocol that restricts unauthorized devices from connecting to a local area ...

Page 502: ... the host In this release the Remote Authentication Dial In User Service RADIUS security system with Extensible Authentication Protocol EAP extensions is the only supported authentication server it is available in Cisco Secure Access Control Server version 3 0 RADIUS operates in a client server model in which secure authentication information is exchanged between the RADIUS server and one or more ...

Page 503: ...k access device any EAPOL frames from the host are dropped If the host does not receive an EAP request identity frame after three attempts to start authentication the host transmits frames as if the port is in the authorized state A port that is in the authorized state means that the host has been successfully authenticated For more information see the Ports in Authorized and Unauthorized States s...

Page 504: ...e port transmits and receives normal traffic without 802 1x based authentication of the host This is the default setting force unauthorized Causes the port to remain in the unauthorized state ignoring all attempts by the host to authenticate The switch cannot provide authentication services to the host through the interface auto Enables 802 1x authentication and causes the port to begin in the una...

Page 505: ...st when instructed to do so by the authentication server Authentication server Entity that provides the authentication service for the authenticator PAE It checks the credentials of the host PAE and then notifies its client the authenticator PAE whether the host PAE is authorized to access the LAN switch services Authorized state Status of the port after the host PAE is authorized Both Bidirection...

Page 506: ...server VLAN assignments allow you to restrict users to a specific VLAN For example you could put guest users in a VLAN with limited access to the network 802 1x authenticated ports are assigned to a VLAN that is based on the username of the host that is connected to the port VLAN assignments work with the RADIUS server which has a database of username to VLAN mappings After a successful 802 1x aut...

Page 507: ...rity feature See Chapter 16 Configuring Port Security for information on configuring ports to allow or restrict traffic that is based on host MAC addresses If you enable port security for only one MAC address on a specific port the RADIUS server authenticates only that MAC address Users that are connected through all other MAC addresses are denied access If you enable port security for multiple MA...

Page 508: ...as a guest VLAN but it must be active before a host can use it Hosts are assigned to the guest VLAN only when the set port dot1x mod port port control auto keyword is used Changing the set port dot1x mod port port control keyword from auto to force authorized or force unauthorized removes the host from the guest VLAN and returns the host to the port VLAN Guest VLANs are supported in both single au...

Page 509: ...off channeling on that port You cannot enable channeling on an 802 1x port You cannot enable 802 1x on a switched port analyzer SPAN destination port and you cannot configure SPAN destination on an 802 1x port However you can configure an 802 1x port as a SPAN source port You cannot enable the multiple authentication keyword on an 802 1x enabled auxiliary VLAN port We do not recommend enabling the...

Page 510: ...ion for Individual Ports section on page 31 10 To globally enable 802 1x authentication perform this task in privileged mode This example shows how to globally enable 802 1x authentication Console enable set dot1x system auth control enable dot1x system auth control enabled Disabling 802 1x Globally When you enable 802 1x authentication for the entire system you can disable it globally When you di...

Page 511: ...connecting finished auto unauthorized Port Multiple Host Re authentication 4 1 disabled disabled Enabling Multiple 802 1x Authentications You can specify multiple authentications so that more than one host can gain access to an 802 1x port Multiple authentication is Cisco proprietary and allows multiple dot1x hosts on a port every host is authenticated separately Use these guidelines when enabling...

Page 512: ...tomatic 802 1x host reauthentication If you do not specify a time period before you enable host reauthentication 802 1x defaults to 3600 seconds the valid values are from 1 65 535 seconds You can enable automatic 802 1x host reauthentication for hosts that are connected to a specific port To manually reauthenticate the host that is connected to a specific port see the Manually Reauthenticating the...

Page 513: ...uthenticate the host that is connected to port 1 on module 4 Console enable set port dot1x 4 1 re authenticate Port 4 1 re authenticating dot1x re authentication successful dot1x port 4 1 authorized Enabling Multiple Hosts You can enable a specific port to allow multiple users When a port is enabled for multiple users and a host that is connected to that port is authorized successfully any host wi...

Page 514: ...ds To set the value for the quiet period perform this task in privileged mode This example shows how to set the quiet period to 45 seconds Console enable set dot1x quiet period 45 dot1x quiet period set to 45 seconds Setting the Authenticator to Host Retransmission Time for EAP Request Identity Frames The host notifies the authenticator that it received the EAP request identity frame When the auth...

Page 515: ... seconds Console enable set dot1x supp timeout 15 dot1x supp timeout set to 15 seconds Setting the Back End Authenticator to Authentication Server Retransmission Time for Transport Layer Packets The authentication server notifies the back end authenticator each time that it receives a transport layer packet When the back end authenticator does not receive a notification after sending a packet the ...

Page 516: ...dot1x max req 4 dot1x max req set to 4 Setting the Shutdown Timeout Period If a port is shut down because of a security violation you must either manually reenable it or configure the shutdown timeout period after which the port can be enabled again To set the period of time that a port will be disabled after a security violation perform this task in privileged mode This example shows how to set t...

Page 517: ...smits the frames You may set the number of frames that the back end authenticator retransmits from 1 10 the default is 2 To set the number of frames that are retransmitted from the back end authenticator to the host perform this task in privileged mode This example shows how to set the number of retransmitted frames that are sent from the back end authenticator to the host to 4 Console enable set ...

Page 518: ...in more messages To set the trace severity for 802 1x perform this task in privileged mode This example shows how to set the trace severity for 802 1x authentication to 5 Console enable set trace dot1x 5 DOT1X tracing set to 5 Warning Turning on trace may affect the operation of the system Use with caution This example shows how to add port 3 3 to 802 1x guest VLAN 200 Console enable set port dot1...

Page 519: ...d auto unauthorized Port Multiple Host Re authentication 4 1 disabled enabled To display the statistics for the different types of EAP frames that are transmitted and received by the authenticator on a specific port on a specific module perform this task in normal mode This example shows how to display the statistics for the different types of EAP frames that are transmitted and received by the au...

Page 520: ...rform this task in normal mode This example shows how to display the global 802 1x parameters Console enable show dot1x PAE Capability Authenticator Only Protocol Version 1 system auth control enabled re authentication disabled max req 2 quiet period 60 seconds re authperiod 3600 seconds server timeout 30 seconds supp timeout 30 seconds tx period 30 seconds Task Command Display the PAE capabilitie...

Page 521: ...ment Variable page 32 6 Setting and Clearing the CONFIG_FILE Environment Variable page 32 7 Displaying the Switch Boot Configuration page 32 8 Understanding How the Switch Boot Configuration Works The following sections describe how the boot configuration works on the Catalyst 4500 series 2948G 2948G GE TX and 2980G switches Understanding the Boot Process The boot process involves two software ima...

Page 522: ... Exception handling Understanding the Configuration Register The configuration register determines whether the switch loads an operating system image and where the system image is stored The configuration register boot field determines if and how the ROM monitor loads a supervisor engine system image at startup You can modify the boot field to force the switch to boot a particular system image at ...

Page 523: ...red order or you can clear the entire BOOT environment variable and then redefine the list in the desired order Understanding the CONFIG_FILE Environment Variable In software release 5 2 and later releases you can use the CONFIG_FILE environment variable to specify a list of configuration files on various devices to use to configure the switch at startup You can specify one of the following functi...

Page 524: ... boot field in the configuration register This command affects only the configuration register bits that control the boot field and leaves the remaining bits unaltered The following boot methods are supported ROM monitor Use the rommon keyword to keep the switch in ROM monitor mode at startup Bootflash Use the bootflash keyword to cause the switch to boot from the first image that is stored in the...

Page 525: ...ble settings are recurring or nonrecurring The remaining configuration register bits are unaltered Caution With the CONFIG_FILE environment variable set to recurring the current configuration in NVRAM is erased each time that the switch is restarted and the switch is configured using the specified configuration files With the CONFIG_FILE environment variable set to non recurring the current config...

Page 526: ...the NVRAM configuration at the next startup Console enable set boot config register ignore config enable Configuration register is 0x1860 ignore config enabled auto config recurring console baud 9600 boot the ROM monitor Console enable Setting the BOOT Environment Variable The next two sections describe how to modify the BOOT environment variable Setting the BOOT Environment Variable To add a syst...

Page 527: ..._FILE environment variable Note For more information about using configuration files see Chapter 35 Working with Configuration Files Setting the CONFIG_FILE Environment Variable You can specify multiple configuration files with the set boot auto config command by separating them with a semicolon You must specify both the device name and the filename for each configuration file Note You cannot prep...

Page 528: ...e entries in the CONFIG_FILE environment variable Console enable clear boot auto config CONFIG_FILE variable Console enable Displaying the Switch Boot Configuration To display the current configuration register BOOT environment variable and CONFIG_FILE environment variable settings perform this task in privileged mode This example shows how to display the current configuration register BOOT enviro...

Page 529: ...ownloading System Software Images to the Switch Using TFTP page 33 1 Uploading System Software Images to a TFTP Server page 33 4 Downloading System Software Images to the Switch Using rcp page 33 5 Uploading System Software Images to an rcp Server page 33 8 Upgrading the ROM Monitor page 33 9 Software Image Naming Conventions The software images on the Catalyst 4500 series switches use the followi...

Page 530: ...ons on the file are set correctly Permissions on the file should be set to read for the specific username If you are not using a Telnet session with a valid username you can enter the set rcp username command to specify a valid username Ensure that a power interruption or other problem does not occur during the download because an interruption or problem can corrupt the Flash code If the Flash cod...

Page 531: ...TP server see the Downloading Supervisor Engine Images Using TFTP section on page 33 2 This example shows a complete TFTP download procedure of a supervisor engine software image Console enable show version 1 Mod Port Model Serial Versions 1 0 WS X4012 JAB03130104 Hw 1 5 Gsp 6 1 1 4 Nmp 6 1 0 104 Console enable copy tftp flash IP address or name of remote host 172 20 52 3 Name of file to copy from...

Page 532: ...2 Cache test Passed Boot image bootflash cat4000 6 1 1 bin Cisco Systems Console Enter password 07 21 2000 13 52 51 SYS 5 Module 1 is online 07 21 2000 13 53 11 SYS 5 Module 4 is online 07 21 2000 13 53 11 SYS 5 Module 5 is online 07 21 2000 13 53 14 PAGP 5 Port 1 1 joined bridge port 1 1 07 21 2000 13 53 14 PAGP 5 Port 1 2 joined bridge port 1 2 07 21 2000 13 53 40 SYS 5 Module 2 is online 07 21 ...

Page 533: ... the permissions on the file are set to world write Uploading Software Images to a TFTP Server To upload a software image on a switch to a TFTP server for storage follow these steps Step 1 Log in to the switch through the console port or a Telnet session Step 2 Upload the software image to the TFTP server by entering the copy flash tftp command When prompted specify the TFTP server address and des...

Page 534: ...se the current username create a new rcp username by entering the set rcp username command The new username is stored in NVRAM If you are accessing the switch through a Telnet session with a valid username this username is used and you do not need to set the rcp username A power interruption or other problem during the download procedure can corrupt the Flash code If the Flash code is corrupted yo...

Page 535: ...upervisor engine software image Console enable show version 1 Mod Port Model Serial Versions 1 2 WS X5530 007451586 Hw 1 3 Fw 3 1 2 Fw1 3 1 2 Sw 4 1 2 Console enable copy rcp flash IP address or name of remote host 172 20 52 3 Name of file to copy from cat4000 6 1 1 bin Flash device bootflash Name of file to copy to cat6000 6 1 1 bin 4369664 bytes available on device bootflash proceed y n n y CCCC...

Page 536: ...Cache test Passed Boot image bootflash cat4000 6 1 1 bin Cisco Systems Console Enter password 07 21 2000 13 52 51 SYS 5 Module 1 is online 07 21 2000 13 53 11 SYS 5 Module 4 is online 07 21 2000 13 53 11 SYS 5 Module 5 is online 07 21 2000 13 53 14 PAGP 5 Port 1 1 joined bridge port 1 1 07 21 2000 13 53 14 PAGP 5 Port 1 2 joined bridge port 1 2 07 21 2000 13 53 40 SYS 5 Module 2 is online 07 21 20...

Page 537: ...he copy flash rcp command When prompted specify the rcp server address and the destination filename On platforms that support the Flash file systems you are first prompted for the Flash device and source filename If desired you can enter the copy file id rcp command on these platforms The software image is uploaded to the rcp server This example shows how to upload the supervisor engine software i...

Page 538: ...95 2001 by Cisco Systems Inc NMP S W compiled on May 24 2001 21 12 09 GSP S W compiled on May 24 2001 18 39 50 System Bootstrap Version 6 1 2 Hardware Version 1 0 Model WS C4003 Serial xxxxxxxxx Console enable Step 3 Enter the dir bootflash command to ensure that there is sufficient space in Flash memory to store the promupgrade image If there is insufficient space delete one or more images and th...

Page 539: ...ure that you enter the prepend keyword with the set boot system flash command The switch always boots the first image in the boot string and you want the promupgrade image to boot first This example shows how to prepend the promupgrade image to the boot string Console enable set boot system flash bootflash cat4000 promupgrade 6 1 4 bin prepend BOOT variable bootflash cat4000 promupgrade 6 1 4 bin ...

Page 540: ... of 524288 bytes at offset 0x0 Done Beginning write of system prom 467456 bytes at offset 0x0 This could take as little as 10 seconds or up to 2 minutes Please DO NOT RESET Success System will reset in 2 seconds The switch reboots back into the supervisor engine software 0 00 530856 ig0 00 10 7b aa d3 fe is 172 20 59 203 0 00 531616 netmask 255 255 255 0 0 00 531967 broadcast 172 20 59 255 0 00 53...

Page 541: ...switch does not know which image to boot This example shows how to remove the promupgrade image cat 4000 promupgrade 6 1 4 bin from the boot sequence Notice that the response message shows the system image for software release 5 5 8 in the autoboot string Console enable clear boot system flash bootflash cat4000 promupgrade 6 1 4 bin BOOT variable bootflash cat4000 5 5 8 bin 1 Step 11 Enter the del...

Page 542: ...alyst 4500 Series Catalyst 2948G Catalyst 2948G GE TX and Catalyst 2980G Switches Software Configuration Guide Release 8 2GLX 78 15908 01 Chapter 33 Working with System Software Images Upgrading the ROM Monitor ...

Page 543: ...nfiguration files The Catalyst 4500 series 2948G 2948G GE TX and 2980G switches have one Flash device bootflash Working With the Flash File System on the Switch The following sections describe how to work with the Flash file system Setting the Default Flash Device When you set the default Flash device for the system the default device is assumed when you enter a Flash file system command without s...

Page 544: ...are written only to DRAM You will need to enter the write memory command to store the configuration in nonvolatile storage Note VLAN commands are not saved as part of the configuration file when the switch is operating in text mode with the VTP mode set to server To set the text file configuration mode perform this task in privileged mode This example shows how to configure the system to save its ...

Page 545: ...003 default config cfg 3 D ffffffff 81a027ca 45220 15 7004 Apr 19 1998 10 05 59 4003_config cfg 1213952 bytes available 6388224 bytes used Console enable Displaying the Contents of a File on a Flash Device In software release 5 2 and later releases you can display the contents of a file on a Flash device onscreen Enter the dump keyword to display a hexadecimal dump of the file To display the conte...

Page 546: ...ork download 135 bytes set ip dns server 172 16 10 70 primary 172 16 10 70 added to DNS server table as primary server set ip dns server 172 16 10 140 172 16 10 140 added to DNS server table as backup server set ip dns enable DNS is enabled set ip dns domain corp com Default DNS domain name set to corp com Console enable This example shows how to download a configuration file from a TFTP server fo...

Page 547: ...ash 4012_config cfg tftp IP address or name of remote host 172 20 52 3 Name of file to copy to 4012_config cfg File has been copied successfully Console enable This example shows how to upload an image from a remote host into Flash memory using the copy rcp flash command Console enable copy rcp flash IP address or name of remote host 172 20 52 3 Name of file to copy from cat4000 6 1 1 bin Flash de...

Page 548: ...ting file and then undelete the desired file A file can be deleted and undeleted up to 15 times To restore deleted files on a Flash device perform this task in privileged mode This example shows how to restore a deleted file Console enable dir deleted ED type crc seek nlen length date time name 6 D ffffffff 42da7f71 657a00 14 135 Jul 17 1999 11 30 05 dns_config cfg 1213952 bytes available 3231989 ...

Page 549: ...ying a File Checksum To verify the checksum of a file on a Flash device perform this task in privileged mode This example shows how to verify the checksum of a file Console enable verify cat4000 4 4 1 bin CCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCC CCCCCCCCCCCCCCC File bootflash cat4000 4 4 1 bin verified OK Console enable Task Command Verify the checksum of a ...

Page 550: ...Series Catalyst 2948G Catalyst 2948G GE TX and Catalyst 2980G Switches Software Configuration Guide Release 8 2GLX 78 15908 01 Chapter 34 Working With the Flash File System Working With the Flash File System on the Switch ...

Page 551: ...ation on working with configuration files on the Flash file system see Chapter 34 Working With the Flash File System Creating and Using Configuration Files Guidelines Configuration files can help you configure your switch Configuration files can contain some or all the commands needed to configure one or more switches For example you might want to download the same configuration file to several sw...

Page 552: ...le mod_num port_num Creating a Configuration File When creating a configuration file you must list commands in a logical way so that the system can respond appropriately To create a configuration file follow these steps Step 1 Download an existing configuration from a switch Step 2 Open the configuration file in a text editor such as vi or emacs on UNIX or Notepad on a PC Step 3 Extract the portio...

Page 553: ...otflash dns config cfg y n n y Finished network download 134 bytes set ip dns server 172 16 10 70 primary 172 16 10 70 added to DNS server table as primary server set ip dns server 172 16 10 140 172 16 10 140 added to DNS server table as backup server set ip dns enable DNS is enabled set ip dns domain corp com Default DNS domain name set to corp com Console enable Console enable Copying Configurat...

Page 554: ...nfiguration file to the appropriate TFTP directory on the workstation Step 2 Log in to the switch through the console port or a Telnet session Step 3 Configure the switch using the configuration file that is downloaded from the TFTP server using the copy tftp config command or the configure network command Specify the IP address or host name of the TFTP server and the name of the file to download ...

Page 555: ...ration File to a TFTP Server To upload a configuration file from a switch to a TFTP server for storage follow these steps Step 1 Log in to the switch through the console port or a Telnet session Step 2 Upload the switch configuration to the TFTP server using the copy config tftp command or the write network command Specify the IP address or host name of the TFTP server and the destination filename...

Page 556: ...ter the show users command to view the current valid username If you do not want to use the current username create a new rcp username using the set rcp username command The new username will be stored in NVRAM If you are accessing the switch through a Telnet session with a valid username this username will be used and there is no need to set the rcp username Configuring the Switch Using a File on...

Page 557: ...ffic between subnets Check connectivity to the rcp server using the ping command If you are overwriting an existing file including an empty file if you had to create one ensure that the permissions on the file are set correctly Make sure that the permissions on the file are set to user write Uploading a Configuration File to an rcp Server To upload a configuration file from a switch to an rcp serv...

Page 558: ...ion cleared Console enable To clear the configuration on an individual module perform this task in privileged mode Note If you remove a module and replace it with a module of another type for example if you remove a Fast Ethernet module and insert a Token Ring module the module configuration is inconsistent The output of the show module command indicates this problem To resolve the inconsistency c...

Page 559: ...ervisor engine performance benefits Increased bandwidth between switch engines Full mesh connectivity between switch engines Reduced internal traffic congestion Switch acceleration which is supported on Catalyst 4006 switches with Supervisor Engine II and on the Catalyst 4000 family Backplane Channel Module reduces internal traffic congestion by creating a full mesh connection between the switch e...

Page 560: ...on Configuration Modes Option A No switch acceleration is configured default Option B Fully meshed interconnections exist between SEs there are no Gigabit Ethernet uplink port connections This mode requires that you enable switch acceleration on the supervisor engine Option C Fully meshed interconnections exist between SEs there is dual link load balancing between SE1 and SE2 and between SE2 and S...

Page 561: ...abling switch acceleration may impact performance for 1 2 seconds Do you want to continue y n n y Switch Acceleration on module 1 enabled Console enable This example shows how to disable switch acceleration on the switch Console enable set switchacceleration disable 1 Enabling or Disabling switch acceleration may impact performance for 1 2 seconds Do you want to continue y n n y Switch Acceleratio...

Page 562: ... connection between all three switch engines Multilink load balancing between SE1 and SE2 and between SE2 and SE3 Supervisor engine Gigabit Ethernet uplink connections As an alternative you can configure switch acceleration on the supervisor engine to get dual link load balancing between all three SEs Note If you want to keep the uplink connections do not enable switch acceleration on the supervis...

Page 563: ...s With the system message logging facility you can do the following Get logging information for monitoring and troubleshooting Select the types of captured logging information Select the destination of captured logging information By default the switch logs normal but significant system messages to its internal buffer and sends these messages to the system console You can specify which system mess...

Page 564: ...col dvlan Dynamic VLAN earl Enhanced Address Recognition Logic ethc Ethernet Channel filesys Flash file system gl2pt Generic Layer Protocol Tunneling gvrp GARP VLAN Registration Protocol ip IP permit list kernel Kernel mcast Multicast messages mgmt Management messages pagp Port Aggregation Protocol protfilt Protocol filtering pruning VTP pruning pvlan Private VLAN qos Quality of Service radius RAD...

Page 565: ...dge port 3 1 1999 Apr 16 10 02 28 PAGP 5 PORTTOSTP Port 3 2 joined bridge port 3 2 Default System Message Logging Configuration Table 37 3 describes the severity levels that are supported by the system message logs Table 37 2 System Log Message Elements Element Description mm dd yyy hh mm ss Date and time of the error or event This information appears only if you configure this with the set loggin...

Page 566: ... logging on the switch Configuring Session Logging Settings By default system logging messages are sent to console and Telnet sessions that are based on the default logging facility and severity values If desired you can disable logging to the console or logging to a given Telnet session When you disable or enable logging to console sessions the enable state is applied to all future console sessio...

Page 567: ...e logging to the current Telnet session Console enable set logging session disable System logging messages will not be sent to the current login session Console enable Configuring the System Message Logging Levels You can change the severity level for each logging facility using the set logging level command Enter the all keyword to specify all facilities Enter the default keyword to make the spec...

Page 568: ... shows how to enable the time stamp display on system logging messages Console enable set logging timestamp enable System logging messages timestamp will be enabled Console enable Setting the Logging Buffer Size To set the number of messages to log to the logging buffer perform this task in privileged mode This example shows how to set the logging buffer size to 200 messages Console enable set log...

Page 569: ...cters between user debug and var log myfile log Refer to entries in the etc syslog conf file for further examples The switch sends messages according to specified facility types and severity levels The user keyword specifies the UNIX logging facility that is used The messages from the switch are generated by user processes The debug keyword specifies the severity level of the condition that is bei...

Page 570: ... task in privileged mode This example shows how to delete a syslog server from the syslog server table Console enable clear logging server 10 10 10 100 System logging server 10 10 10 100 removed from system logging server table Console enable To disable logging to the syslog server perform this task in privileged mode This example shows how to disable logging to syslog servers Console enable set l...

Page 571: ... system message logging configuration Console enable show logging Logging buffer size 200 timestamp option disabled Logging history size 1 severity notifications 5 Logging console enabled Logging server enabled syslog bigcorp com server facility LOCAL5 server severity notifications 5 Facility Default Severity Current Session Severity cdp 3 3 drip 2 5 dtp 5 5 dvlan 2 5 earl 2 5 fddi 2 5 filesys 2 5...

Page 572: ...S 5 MOD_OK Module 1 is online 1999 Apr 16 08 40 14 SYS 5 MOD_OK Module 3 is online 1999 Apr 16 08 40 14 SYS 5 MOD_OK Module 2 is online 1999 Apr 16 08 41 15 PAGP 5 PORTTOSTP Port 2 1 joined bridge port 2 1 1999 Apr 16 08 41 15 PAGP 5 PORTTOSTP Port 2 2 joined bridge port 2 2 This example shows how to display the last five messages in the buffer Console enable show logging buffer 5 PAGP 5 PORTFROMS...

Page 573: ...age 38 1 Default DNS Configuration page 38 2 Configuring DNS on the Switch page 38 2 Understanding How DNS Works DNS is a distributed database with which you can map host names to IP addresses through the DNS protocol from a DNS server When you configure DNS on the switch you can substitute the host name for the IP address with all IP commands such as ping telnet upload and download To use DNS you...

Page 574: ...s server 10 2 2 1 10 2 2 1 added to DNS server table as primary server Console enable set ip dns server 10 2 24 54 primary 10 2 24 54 added to DNS server table as primary server Console enable set ip dns server 10 12 12 24 10 12 12 24 added to DNS server table as backup server Console enable set ip dns domain corp com Default DNS domain name set to corp com Console enable set ip dns enable DNS is ...

Page 575: ... table Console enable clear ip dns server all All DNS servers cleared Console enable Clearing the DNS Domain Name To clear the default DNS domain name perform this task in privileged mode This example shows how to clear the default DNS domain name Console enable clear ip dns domain Default DNS domain name cleared Console enable Disabling DNS To disable DNS perform this task in privileged mode Task...

Page 576: ...TX and Catalyst 2980G Switches Software Configuration Guide Release 8 2GLX 78 15908 01 Chapter 38 Configuring DNS Configuring DNS on the Switch This example shows how to disable DNS on the switch Console enable set ip dns disable DNS is disabled Console enable ...

Page 577: ...nication uses Coordinated Universal Time UTC which is the same as Greenwich Mean Time An NTP network usually gets its time from an authoritative time source such as a radio clock or an atomic clock that is attached to a time server NTP distributes this time across the network NTP is extremely efficient no more than one packet per minute is necessary to synchronize two machines to within a millisec...

Page 578: ...for your network from the public NTP servers available on the IP Internet If the network is isolated from the Internet Cisco s NTP implementation allows a machine to be configured so that it acts as though it is synchronized using NTP when it actually has determined the time using other methods Other machines synchronize to that machine using NTP Default NTP Configuration Table 39 1 shows the defa...

Page 579: ...from UTC is 0 hours Summertime disabled Last NTP update Broadcast client mode enabled Broadcast delay 4000 microseconds Client mode disabled NTP Server Console enable Configuring NTP in Client Mode Configure the switch in NTP client mode if you want the client switch to regularly send time of day requests to an NTP server You can configure up to ten server addresses per client To configure the swi...

Page 580: ... trusted NTP servers The authentication feature is documented in RFC 1305 You can configure up to ten authentication keys per client Each authentication key is actually a pair of two keys A public key number A 32 bit integer that can range from 1 4 294 967 295 A secret key string An arbitrary string of 32 characters including all printable characters and spaces To authenticate the message the clie...

Page 581: ...abled NTP Server Server Key 172 16 52 65 Key Number Mode Key String Console enable Setting the Time Zone You can set a time zone for the switch to display the time in that time zone You must enable NTP before you set the time zone If NTP is not enabled this command has no effect If you enable NTP and do not specify a time zone UTC is shown by default To set the time zone perform this task in privi...

Page 582: ...30 Summer time is disabled and set to start Sun Feb 13 2000 03 00 00 end Sat Aug 26 2000 14 00 00 Offset 30 minutes Recurring yes starting at 3 00am Sunday of the third week of February and ending 14 00pm Saturday of the fourth week of August Console enable To enable the daylight saving time clock adjustment to a nonrecurring specific date perform this task in privileged mode This example shows ho...

Page 583: ...ne to UTC perform this task in privileged mode This example shows how to clear the time zone settings Console enable clear timezone Timezone name and offset cleared Console enable Clearing NTP Servers To clear an NTP server address from the NTP servers table on the switch perform this task in privileged mode This example shows how to clear an NTP server address from the NTP server table Console en...

Page 584: ...ch Console enable set ntp broadcastclient disable NTP Broadcast Client mode disabled Console enable To disable NTP client mode on the switch perform this task in privileged mode This example shows how to disable NTP client mode on the switch Console enable set ntp client disable NTP Client mode disabled Console enable Task Command Step 1 Disable NTP broadcast client mode set ntp broadcastclient di...

Page 585: ... control entry ADM add drop multiplexer AFI Authority and Format Identifier AMP active monitor present APaRT automated packet recognition translation ARP Address Resolution Protocol ASP ATM switch processor ATM Asynchronous Transfer Mode B BDPU bridge protocol data unit BRF Bridge Relay Function BUS broadcast and unknown server C CAM content addressable memory CAS column address strobe CBR constan...

Page 586: ...tor Relay Function D DCC Data Country Code DEC Digital Equipment Corporation DFI domain specific part format identifier DHCP Dynamic Host Configuration Protocol DISL dynamic inter switch link DMP data movement processor DNS Domain Name System DoD Department of Defense DRiP Dual Ring Protocol DSAP destination service access point DTP Dynamic Trunking Protocol DTR dedicated Token Ring data terminal ...

Page 587: ...FSSRP Fast Simple Server Redundancy Protocol FTP foil twisted pair FTTH fiber to the home G GARP General Attribute Registration Protocol GBIC Gigabit Interface Converter GMRP GARP Multicast Registration Protocol GSP Gigabit Switch Platform GVRP GARP VLAN Registration Protocol H HDX half duplex I ICD International Code Designator ICMP Internet Control Message Protocol IDP Initial Domain Part IGMP I...

Page 588: ...nization of Standardization K KDC key distribution center L LAN local area network LANE LAN Emulation LAT local area transport LCP Link Control Protocol LEC LAN Emulation Client LECS LAN Emulation Configuration Server LEM link error monitor LER link error rate LES LAN Emulation Server LLC logical link control M MAC Media Access Control MAP Manufacturing Automation Protocol MBS maximum burst size M...

Page 589: ...col over ATM client MPOA multiprotocol over ATM MPS multiprotocol over ATM server MTU maximum transmission unit N NAUN nearest available upstream neighbor NBMA non broadcast multi access NBS non bused spare NDE NetFlow Data Export NFFC NetFlow Feature Card NFFC II Enhanced NetFlow Feature Card NFLS NetFlow LAN Switching NHC Next Hop Client NHRP Next Hop Resolution Protocol NHS Next Hop Server NMP ...

Page 590: ...er module PCM pulse code modulation PCMCIA Personal Computer Memory Card International Association PCR peak cell rate PDU protocol data unit PHY physical sublayer PIM protocol independent multicast PLCP physical layer convergence procedure PLIM physical layer interface module PPP Point to Point Protocol PVC permanent virtual circuit or permanent virtual connection in ATM terminology Q QoS quality ...

Page 591: ...nced multipurpose bus arbiter SAP service access point SAR segmentation and reassembly SCP Serial Control Protocol SCR sustainable cell rate SDP Session Description Protocol SE search engine SLIP Serial Line Internet Protocol SM single mode SMP standby monitor present SMT station management SNA Systems Network Architecture SNAP Subnetwork Access Protocol SNMP Simple Network Management Protocol SPA...

Page 592: ...lus TCP IP Transmission Control Protocol Internet Protocol TFTP Trivial File Transfer Protocol TGT ticket granting ticket TIA Telecommunications Industry Association TLV type length value TOS type of service TrBRF Token Ring Bridge Relay Function TrCRF Token Ring Concentrator Relay Function TRT token rotation timer TTL time to live TTY teletype U UART universal asynchronous receiver transmitter UB...

Page 593: ...bit rate VC virtual circuit VCC virtual channel connection VCD Virtual Channel Descriptor VCI 1 virtual channel identifier 2 virtual connection identifier VCR Virtual Configuration Register VLAN virtual LAN VMPS VLAN Membership Policy Server VPI virtual path identifier VQP VLAN Query Protocol VTP VLAN Trunking Protocol W WRED weighted random early detect WRR Weighted Round Robin ...

Page 594: ...A 10 Catalyst 4500 Series Catalyst 2948G Catalyst 2948G GE TX and Catalyst 2980G Switches Software Configuration Guide Release 8 2GLX 78 15908 01 Appendix A Acronyms ...

Page 595: ...sabling 30 51 enabling 30 50 overview 30 47 See also RADIUS accounting TACACS accounting adding multicast filter profiles 15 20 addresses See IP addresses MAC addresses Address Resolution Protocol See ARP administration switch 27 1 38 1 administrative groups EtherChannel 6 6 advertisements VTP 9 3 aliases See command aliases IP aliases aliases command 2 7 ARP configuring entries 27 8 assigning por...

Page 596: ... 7 23 bridge protocol data unit See BPDU C Catalyst 2948G switches overview table 1 2 1 3 Catalyst 2980G switches overview table 1 3 Catalyst Web Interface 24 9 CDP default configuration 21 1 disabling globally 21 2 disabling on ports 21 2 displaying neighbor information 21 5 enabling globally 21 2 enabling on ports 21 2 overview 21 1 setting holdtime 21 4 setting message interval 21 4 CGMP cleari...

Page 597: ... 7 15 common spanning tree See CST community ports definition 10 16 community strings defining 24 9 overview 24 5 CONFIG_FILE variable setting recurrence 32 5 configuration clearing the 35 8 configuration files creating 35 2 downloading via RCP 35 6 downloading via TFTP 35 4 guidelines 35 1 uploading preparation 35 5 35 7 uploading to RCP server 35 7 uploading to TFTP server 35 5 configuration gui...

Page 598: ...c0 interface and 3 10 disabling IGMP multicast filtering 15 19 DISL See DTP DNS clearing domain names 38 3 default configuration 38 2 disabling 38 3 enabling 38 2 overview 38 1 setting domain names 38 2 setting up 38 2 system name and 27 1 system prompt and 27 1 DNS servers clearing 38 3 specifying 38 2 documentation conventions xxviii organization xxv related xxvii domain names clearing 38 3 sett...

Page 599: ...ACP 6 16 overview 6 1 PAgP and 6 5 port costs 6 8 port VLAN costs 6 9 sample configuration 11 9 See also Fast EtherChannel Gigabit EtherChannel Ethernet autonegotiation 4 5 checking connectivity 4 8 default configuration 4 2 overview 4 1 setting port duplex 4 5 setting port name 4 3 setting port priority 4 4 setting port speed 4 4 See also protocol filtering examples conventions xxviii extended ra...

Page 600: ...3 setting port names 5 7 setting port priority 5 8 GMRP clearing statistics 15 15 default configuration 15 9 disabling forward all option 15 11 disabling globally 15 15 disabling per port 15 10 enabling forward all option 15 11 enabling globally 15 9 enabling per port 15 10 overview 15 3 registration 15 12 to 15 13 setting timers 15 13 software requirements 15 9 viewing statistics 15 14 group prof...

Page 601: ...ol See ICMP Internet Group Management Protocol See IGMP Inter Switch Link See ISL IP addresses adding to IP permit list 18 2 automatic assignment 3 2 CIDR 27 9 clearing from IP permit list 18 4 creating aliases 27 7 default gateway 3 7 designating 2 8 DHCP and 3 10 me1 interface and 3 6 RARP and 3 10 sc0 interface and 3 5 sl0 interface and 3 10 static routes 27 9 VLANs and 10 2 IP aliases creating...

Page 602: ...ling 15 5 limiting telnet attempts 30 10 Link Aggregation Control Protocol See LACP listing all multicast filters 15 22 listing port filter associations 15 22 load balancing 7 14 load sharing trunking and 11 13 local authentication configuration guidelines 30 9 default configuration 30 8 30 49 disabling 30 14 enabling 30 12 overview 30 2 password recovery 30 14 setting enable password 30 13 local ...

Page 603: ...AN 7 37 default configuration 7 30 enabling an instance 7 36 mapping VLANs to 7 36 MISTP PVST 7 30 port cost 7 33 port instance cost 7 35 port instance priority 7 35 port priority 7 34 unmapping VLANs from 7 39 modes switch CLI 2 3 modules checking status 20 1 configuring Ethernet 4 1 19 1 configuring Fast Ethernet 4 1 6 1 19 1 configuring Gigabit Ethernet 5 1 configuring supervisor engine 3 1 des...

Page 604: ...1 4 neighbor devices displaying 21 5 NetFlow Feature Card See NFFC NFFCII network fault tolerance 7 14 network management configuring 25 1 See also RMON SNMP Network Time Protocol See NTP New Software Features in Release 7 7 extended VLAN support with VTP version 3 10 3 10 4 10 6 10 9 NFFC NFFC II IGMP snooping and 15 4 protocol filtering and 19 1 NMS SPAN configuring 26 1 nonvolatile random acces...

Page 605: ...ice roles 31 2 EAPOL start frame 31 3 EAP request identity frame 31 3 EAP response identity frame 31 3 encapsulation 31 2 initiation and message exchange 31 3 ports authorization state and dot1x port control command 31 4 authorized and unauthorized 31 4 switch as proxy 31 2 RADIUS client 31 2 port cost EtherChannel 6 8 PVST 7 25 port debounce timer disabling 4 6 displaying 4 6 enabling 4 6 PortFas...

Page 606: ...9 port VLAN priority configuring 7 27 power inline 29 3 power PoE 28 11 power budget setting 28 16 power management Catalyst 4500 series 28 1 28 6 Catalyst 4500 series power supplies 28 4 combined mode 28 2 configuring combined mode 28 3 configuring redundant mode 28 3 redundancy 28 6 redundant mode 28 2 voice 28 11 power supplies fixed 28 2 variable 28 2 priority See port priority private VLANs c...

Page 607: ... 51 enabling 30 50 overview 30 47 sample configuration 30 53 specifying servers 30 48 suppressing accounting 30 49 updating the server 30 49 RADIUS authentication configuration guidelines 30 9 default configuration 30 8 30 49 disabling 30 30 enabling 30 24 overview 30 4 servers specifying optional attributes 30 28 setting deadtime 30 27 setting retransmit count 30 26 setting timeout 30 25 using a ...

Page 608: ...9 See also root guard router multicast See multicast routers RSPAN configuration examples 26 14 to 26 17 configuration guidelines 26 9 configuring from CLI 26 10 configuring multiple RSPAN sessions 26 15 configuring single RSPAN session 26 14 disabling 26 13 hardware requirements 26 8 overview 26 1 session limits 26 4 See also SPAN VSPAN RSTP overview 7 16 port roles 7 16 port states 7 17 running ...

Page 609: ... 5 software restraints 15 18 SPAN configuration guidelines 26 5 configuring 26 6 destination port 26 2 disabling 26 8 egress 26 3 ingress 26 3 NMS and 26 1 overview 26 4 session limits 26 4 sessions 26 1 source ports 26 2 traffic 26 4 spanning tree dummy MAC addresses and 8 4 EtherChannel port costs 6 8 EtherChannel port VLAN costs 6 9 spanning tree BackboneFast convergence See BackboneFast spanni...

Page 610: ...22 1 running 22 3 viewing 22 3 syslog configuring 37 4 configuring daemon 37 7 configuring servers 37 7 default configuration 37 3 displaying configuration 37 9 displaying message log 37 10 facilities table 37 2 limiting the number of syslog messages 37 6 message format 37 3 37 4 overview 37 1 setting buffer size 37 6 setting logging levels 37 5 setting session settings 37 4 severity levels table ...

Page 611: ... command authorization 30 41 configuration guidelines 30 42 default configuration 30 42 disabling 30 44 enabling 30 43 fallback options 30 41 overview 30 40 primary options 30 41 sample configuration 30 46 TACACS keys clearing 30 22 specifying 30 19 Telnet disconnecting user sessions 20 8 executing 20 6 limiting attempts 30 10 monitoring user sessions 20 8 system message logging settings 37 5 text...

Page 612: ...quirements 23 2 overview 23 1 software requirements 23 2 specifying message interval 23 5 unauthorized ports with 802 1X 31 4 unclassified frames 14 3 unicast flood blocking configuring 17 1 to 17 3 blocking MAC addresses 17 1 guidelines for 17 2 disabling 17 3 disabling on a secure port 16 6 displaying 17 3 enabling 17 2 enabling on a secure port 16 6 UniDirectional Link Detection See UDLD Uplink...

Page 613: ...guring dynamic port membership 12 7 configuring port statistics 12 10 configuring VMPS clients 12 7 configuring VMPS servers 12 7 database 12 4 default configuration 12 2 disabling 12 10 downloading VMPS database 12 10 error messages table 12 11 example 12 11 for auxiliary VLANs 12 14 monitoring 12 9 overview 12 1 reconfirm dynamic port assignments 12 9 reconfirming membership 12 9 troubleshooting...

Page 614: ...12 overview 9 1 pruning configuring 9 11 disabling 9 12 figure 9 4 overview 9 4 server configuring 9 7 statistics 9 12 transparent mode configuring 9 8 version 2 disabling 9 10 enabling 9 9 overview 9 3 version 3 configuring 9 22 default configuration 9 22 naming extended range VLANs 10 4 10 9 propagation of extended range VLANs 10 3 10 6 understanding 9 13 with private VLANs 10 18 VTP pruning con...

Reviews:

No comments