manualshive.com logo in svg

Cisco Catalyst 2360, Software Configuration Manual

The Cisco Catalyst 2360 Software Configuration Manual is essential for harnessing the full potential of this powerful networking device. Available for free download from our website, this comprehensive manual provides step-by-step instructions and insights to optimize your network setup. Unlock advanced features and streamline operations effortlessly with this invaluable resource.

Share
Download
background image

 

7-40

Catalyst 2360 Switch Software Configuration Guide

OL-19808-01

Chapter 7      Configuring Switch-Based Authentication

Configuring the Switch for Secure Socket Layer HTTP

Use the 

no

 

crypto ca trustpoint 

name

 

global configuration command to delete all identity information 

and certificates associated with the CA. 

Configuring the Secure HTTP Server

If you are using a certificate authority for certification, you should use the previous procedure to 
configure the CA trustpoint on the switch before enabling the HTTP server. If you have not configured 
a CA trustpoint, a self-signed certificate is generated the first time that you enable the secure HTTP 
server. After you have configured the server, you can configure options (path, access list to apply, 
maximum number of connections, or timeout policy) that apply to both standard and secure HTTP 
servers.

Beginning in privileged EXEC mode, follow these steps to configure a secure HTTP server:

Step 4

crypto key generate rsa 

(Optional) Generate an RSA key pair. RSA key pairs are required before 
you can obtain a certificate for the switch. RSA key pairs are generated 
automatically. You can use this command to regenerate the keys, if 
needed. 

Step 5

crypto ca trustpoint 

name

 

Specify a local configuration name for the CA trustpoint and enter CA 
trustpoint configuration mode.

Step 6

enrollment url 

url

 

Specify the URL to which the switch should send certificate requests.

Step 7

enrollment http-proxy 

host-name 

port-number

(Optional) Configure the switch to obtain certificates from the CA 
through an HTTP proxy server. 

Step 8

crl query 

url

 

Configure the switch to request a certificate revocation list (CRL) to 
ensure that the certificate of the peer has not been revoked. 

Step 9

primary 

(Optional) Specify that the trustpoint should be used as the primary 
(default) trustpoint for CA requests. 

Step 10

exit

Exit CA trustpoint configuration mode and return to global configuration 
mode.

Step 11

crypto ca authentication 

name

 

Authenticate the CA by getting the public key of the CA. Use the same 
name used in Step 5.

Step 12

crypto ca enroll 

name

 

Obtain the certificate from the specified CA trustpoint. This command 
requests a signed certificate for each RSA key pair.

Step 13

end

Return to privileged EXEC mode.

Step 14

show crypto ca trustpoints 

Verify the configuration.

Step 15

copy running-config startup-config

(Optional) Save your entries in the configuration file.

Command

Purpose

Command

Purpose

Step 1

show ip http server status

(Optional) Display the status of the HTTP server to determine if the secure 
HTTP server feature is supported in the software. You should see one of 
these lines in the output:

HTTP secure server capability: Present

or

HTTP secure server capability: Not present

Step 2

configure terminal

Enter global configuration mode.

Summary of Contents for Catalyst 2360

Page 1: ...s Inc 170 West Tasman Drive San Jose CA 95134 1706 USA http www cisco com Tel 408 526 4000 800 553 NETS 6387 Fax 408 527 0883 Catalyst 2360 Switch Software Configuration Guide Cisco IOS 12 2 53 EY June 2010 Text Part Number OL 19808 01 ...

Page 2: ...TIES EXPRESSED OR IMPLIED INCLUDING WITHOUT LIMITATION THOSE OF MERCHANTABILITY FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT OR ARISING FROM A COURSE OF DEALING USAGE OR TRADE PRACTICE IN NO EVENT SHALL CISCO OR ITS SUPPLIERS BE LIABLE FOR ANY INDIRECT SPECIAL CONSEQUENTIAL OR INCIDENTAL DAMAGES INCLUDING WITHOUT LIMITATION LOST PROFITS OR LOSS OR DAMAGE TO DATA ARISING OUT OF THE USE OR I...

Page 3: ...eatures 1 5 QoS and CoS Features 1 6 Monitoring Features 1 6 Default Settings After Initial Switch Configuration 1 6 Where to Go Next 1 8 C H A P T E R 2 Using the Command Line Interface 2 1 Understanding Command Modes 2 1 Understanding the Help System 2 3 Understanding Abbreviated Commands 2 4 Understanding no and default Forms of Commands 2 4 Understanding CLI Error Messages 2 5 Using Configurat...

Page 4: ...and Restrictions 3 5 Configuring DHCP Based Autoconfiguration 3 6 DHCP Server Configuration Guidelines 3 6 Configuring the TFTP Server 3 6 Configuring the DNS 3 7 Configuring the Relay Device 3 7 Obtaining Configuration Files 3 8 Example Configuration 3 9 Manually Assigning IP Information 3 10 Checking and Saving the Running Configuration 3 11 Modifying the Startup Configuration 3 12 Default Boot ...

Page 5: ... the CLI to Manage Switch Clusters 4 11 Catalyst 1900 and Catalyst 2820 CLI Considerations 4 12 Using SNMP to Manage Switch Clusters 4 12 C H A P T E R 5 Administering the Switch 5 1 Managing the System Time and Date 5 1 Understanding the System Clock 5 1 Understanding Network Time Protocol 5 2 Configuring NTP 5 3 Default NTP Configuration 5 4 Configuring NTP Authentication 5 4 Configuring NTP Ass...

Page 6: ... 22 Managing the ARP Table 5 22 C H A P T E R 6 Using the SDM Default Template 6 1 Default SDM Template 6 1 Displaying the SDM Templates 6 1 C H A P T E R 7 Configuring Switch Based Authentication 7 1 Preventing Unauthorized Access to Your Switch 7 1 Protecting Access to Privileged EXEC Commands 7 2 Default Password and Privilege Level Configuration 7 2 Setting or Changing a Static Enable Password...

Page 7: ...Starting RADIUS Accounting 7 27 Configuring Settings for All RADIUS Servers 7 28 Configuring the Switch to Use Vendor Specific RADIUS Attributes 7 28 Configuring the Switch for Vendor Proprietary RADIUS Server Communication 7 29 Displaying the RADIUS Configuration 7 30 Configuring the Switch for Local Authentication and Authorization 7 31 Configuring the Switch for Secure Shell 7 32 Understanding ...

Page 8: ...B Ports 8 5 USB Mini Type B Console Port 8 5 Console Port Change Logs 8 6 Configuring the Console Media Type 8 6 Configuring the USB Inactivity Timeout 8 7 USB Type A Port 8 8 Using Interface Configuration Mode 8 9 Procedures for Configuring Interfaces 8 10 Configuring a Range of Interfaces 8 11 Configuring and Using Interface Range Macros 8 12 Using the Ethernet Management Port 8 14 Understanding...

Page 9: ...es 9 5 VLAN Configuration Mode Options 9 6 VLAN Configuration in config vlan Mode 9 6 VLAN Configuration in VLAN Database Configuration Mode 9 6 Saving VLAN Configuration 9 6 Default Ethernet VLAN Configuration 9 7 Creating or Modifying an Ethernet VLAN 9 8 Deleting a VLAN 9 9 Assigning Static Access Ports to a VLAN 9 10 Configuring Extended Range VLANs 9 11 Default VLAN Configuration 9 11 Extende...

Page 10: ...obal Configuration Mode 10 7 VTP Configuration in VLAN Database Configuration Mode 10 7 VTP Configuration Guidelines 10 8 Domain Names 10 8 Passwords 10 8 VTP Version 10 8 Configuration Requirements 10 9 Configuring a VTP Server 10 9 Configuring a VTP Client 10 11 Disabling VTP VTP Transparent Mode 10 12 Enabling VTP Version 2 10 13 Enabling VTP Pruning 10 14 Adding a VTP Client Switch to a VTP Do...

Page 11: ...Disabling Spanning Tree 11 14 Configuring the Root Switch 11 14 Configuring a Secondary Root Switch 11 16 Configuring Port Priority 11 16 Configuring Path Cost 11 18 Configuring the Switch Priority of a VLAN 11 19 Configuring Spanning Tree Timers 11 20 Configuring the Hello Time 11 20 Configuring the Forwarding Delay Time for a VLAN 11 21 Configuring the Maximum Aging Time for a VLAN 11 21 Configu...

Page 12: ...witch 12 18 Configuring Port Priority 12 19 Configuring Path Cost 12 20 Configuring the Switch Priority 12 21 Configuring the Hello Time 12 22 Configuring the Forwarding Delay Time 12 23 Configuring the Maximum Aging Time 12 23 Configuring the Maximum Hop Count 12 24 Specifying the Link Type to Ensure Rapid Transitions 12 24 Designating the Neighbor Type 12 25 Restarting the Protocol Migration Pro...

Page 13: ... 2 Configuring DHCP Features 14 2 Default DHCP Configuration 14 2 Configuring the DHCP Server 14 3 Configuring the DHCP Relay Agent 14 3 Specifying the Packet Forwarding Address 14 3 Enabling the Cisco IOS DHCP Server Database 14 4 C H A P T E R 15 Configuring IGMP Snooping 15 1 Understanding IGMP Snooping 15 1 IGMP Versions 15 2 Joining a Multicast Group 15 3 Leaving a Multicast Group 15 5 Immedi...

Page 14: ... IGMP Filtering and Throttling Configuration 15 21 C H A P T E R 16 Configuring IPv6 MLD Snooping 16 1 Understanding MLD Snooping 16 1 MLD Messages 16 3 MLD Queries 16 3 Multicast Client Aging Robustness 16 3 Multicast Router Discovery 16 4 MLD Reports 16 4 MLD Done Messages and Immediate Leave 16 4 Topology Change Notification Processing 16 5 Configuring IPv6 MLD Snooping 16 5 Default MLD Snoopin...

Page 15: ...Globally 18 5 Disabling and Enabling LLDP on an Interface 18 5 Configuring LLDP MED TLVs 18 6 Monitoring and Maintaining LLDP and LLDP MED 18 7 C H A P T E R 19 Configuring UDLD 19 1 Understanding UDLD 19 1 Modes of Operation 19 1 Methods to Detect Unidirectional Links 19 2 Configuring UDLD 19 3 Default UDLD Configuration 19 3 Configuration Guidelines 19 4 Enabling UDLD Globally 19 4 Enabling UDLD...

Page 16: ...thernet Statistics on an Interface 21 5 Displaying RMON Status 21 6 C H A P T E R 22 Configuring System Message Logging 22 1 Understanding System Message Logging 22 1 Configuring System Message Logging 22 2 System Log Message Format 22 2 Default System Message Logging Configuration 22 3 Disabling Message Logging 22 4 Setting the Message Display Destination Device 22 5 Synchronizing Log Messages 22...

Page 17: ...e Agent Contact and Location Information 23 15 Limiting TFTP Servers Used Through SNMP 23 15 SNMP Examples 23 16 Displaying SNMP Status 23 17 C H A P T E R 24 Managing Network Security with ACLs 24 1 Understanding ACLs 24 1 Handling Fragmented and Unfragmented Traffic 24 2 Configuring IPv4 ACLs 24 3 Creating Standard and Extended IPv4 ACLs 24 3 Access List Numbers 24 4 Creating a Numbered Standard...

Page 18: ...5 5 Configuring the CoS Value for an Interface 25 6 Configuring a Trusted Boundary to Ensure Port Security 25 7 Configuring the Egress Expedite Queue 25 8 Displaying QoS Information 25 8 C H A P T E R 26 Configuring EtherChannels and Link State Tracking 26 1 Understanding EtherChannels 26 1 EtherChannel Overview 26 2 Port Channel Interfaces 26 4 Port Aggregation Protocol 26 5 PAgP Modes 26 5 PAgP ...

Page 19: ...guring IPv6 Unicast Hosts 27 1 Understanding IPv6 27 1 IPv6 Addresses 27 2 Supported IPv6 Host Features 27 2 128 Bit Wide Unicast Addresses 27 3 DNS for IPv6 27 3 ICMPv6 27 3 Default Router Preference 27 3 IPv6 Stateless Autoconfiguration and Duplicate Address Detection 27 4 IPv6 Applications 27 4 SNMP and Syslog Over IPv6 27 4 HTTP s Over IPv6 27 5 Configuring IPv6 27 5 Default IPv6 Configuration...

Page 20: ...Understanding IP Traceroute 28 16 Executing IP Traceroute 28 16 Using Debug Commands 28 17 Enabling Debugging on a Specific Feature 28 18 Enabling All System Diagnostics 28 18 Redirecting Debug and Error Message Output 28 18 Using the show platform forward Command 28 19 Using the crashinfo Files 28 21 Basic crashinfo Files 28 21 Extended crashinfo Files 28 21 Using On Board Failure Logging 28 22 U...

Page 21: ...ownloading the Configuration File By Using TFTP B 11 Uploading the Configuration File By Using TFTP B 11 Copying Configuration Files By Using FTP B 12 Preparing to Download or Upload a Configuration File By Using FTP B 13 Downloading a Configuration File By Using FTP B 13 Uploading a Configuration File By Using FTP B 14 Copying Configuration Files By Using RCP B 15 Preparing to Download or Upload ...

Page 22: ...ommands C 1 Access Control Lists Commands C 1 Unsupported Privileged EXEC Commands C 1 Unsupported Global Configuration Commands C 2 Unsupported Route Map Configuration Commands C 2 Archive Commands C 2 Unsupported Privileged EXEC Commands C 2 ARP Commands C 2 Unsupported User EXEC Commands C 2 Unsupported Global Configuration Commands C 2 Unsupported ARP Access List Configuration Commands C 2 Boo...

Page 23: ... Commands C 7 Unsupported User EXEC Commands C 7 Unsupported Privileged EXEC Commands C 7 Unsupported Global Configuration Commands C 7 NetFlow Commands C 7 Unsupported Global Configuration Commands C 7 Network Address Translation NAT Commands C 7 Unsupported Privileged EXEC Commands C 7 Port Security Commands C 8 Unsupported Privileged EXEC Commands C 8 Power Supply Commands C 8 Unsupported User ...

Page 24: ...L 19808 01 VLAN Commands C 10 Unsupported User EXEC Commands C 10 Unsupported Privileged EXEC Command C 10 Unsupported Global Configuration Command C 10 Unsupported VLAN Configuration Commands C 10 VTP Commands C 10 Unsupported Privileged EXEC Command C 10 I N D E X ...

Page 25: ...e detailed information on the GUIs for the embedded device manager that you can use to manage the switch However the concepts in this guide are applicable to the GUI user For information about the device manager see the switch online help This guide does not describe system messages you might encounter or how to install your switch For more information see the Catalyst 2360 System Message Guide an...

Page 26: ...upgrading the switch see these documents For initial configuration information see the Using Express Setup section in the getting started guide or the Configuring the Switch with the CLI Based Setup Program appendix in the hardware installation guide For device manager requirements see the System Requirements section in the release notes For upgrading information see the Downloading Software secti...

Page 27: ...l Obtaining Documentation and Submitting a Service Request For information on obtaining documentation submitting a service request and gathering additional information see the monthly What s New in Cisco Product Documentation which also lists all new and revised Cisco technical documentation at http www cisco com en US docs general whatsnew whatsnew html Subscribe to the What s New in Cisco Produc...

Page 28: ...xxviii Catalyst 2360 Switch Software Configuration Guide OL 19808 01 Preface ...

Page 29: ...1 3 Availability and Redundancy Features page 1 4 VLAN Features page 1 5 Security Features page 1 5 QoS and CoS Features page 1 6 Monitoring Features page 1 6 Default Settings After Initial Switch Configuration page 1 6 Deployment Features Express Setup for quickly configuring a switch for the first time with basic IP information contact information switch and Telnet passwords and Simple Network M...

Page 30: ...re the connection appropriately SFP support for 10 Gigabit speeds Support for up to 9216 bytes the maximum packet size or maximum transmission unit MTU size for frames that are bridged in hardware and software through Gigabit Ethernet ports and 10 Gigabit Ethernet ports 802 3x flow control on all ports The switch does not send pause frames EtherChannel for enhanced fault tolerance and to provide u...

Page 31: ...in Name System DNS and TFTP server names DHCP relay for forwarding User Datagram Protocol UDP broadcasts including IP address requests from DHCP clients DHCP server for automatic assignment of IP addresses and other DHCP options to IP hosts DHCP server port based address allocation for the preassignment of an IP address to a switch port Directed unicast requests to a DNS server for identifying a s...

Page 32: ...agement of host and mobile IP addresses DHCP server port based address allocation for the preassignment of an IP address to a switch port Wired location service sends location and attachment tracking information for connected devices to a Cisco Mobility Services Engine MSE CPU threshold trap monitors CPU use Support for including a hostname in the option 12 field of DHCPDISCOVER packets This provi...

Page 33: ...ffic and network security by establishing VLAN groups for high security users and network resources Dynamic Trunking Protocol DTP to negotiate trunking on a link between two devices and to negotiate the type of trunking encapsulation 802 1Q to be used VLAN Trunking Protocol VTP and VTP pruning to reduce network traffic by restricting flooded traffic to links for stations receiving the traffic VLAN...

Page 34: ...trusion Detection Systems IDS to monitor repel and report network security violations Four groups history statistics alarms and events of embedded RMON agents for network monitoring and traffic analysis Syslog facility for logging system messages about authentication or authorization errors resource issues and time out events Online diagnostics to test the hardware functionality of the supervisor ...

Page 35: ...Port parameters Operating mode is Layer 2 switchport For information see Chapter 8 Configuring Interface Characteristics Interface speed and duplex mode is autonegotiate For information see Chapter 8 Configuring Interface Characteristics Auto MDIX is enabled For information see Chapter 8 Configuring Interface Characteristics Flow control is off For information see Chapter 8 Configuring Interface C...

Page 36: ...and appear on the console For information see Chapter 22 Configuring System Message Logging SNMP is enabled Version 1 For information see Chapter 23 Configuring SNMP QoS is disabled For information see Chapter 25 Configuring QoS No EtherChannels are configured For information see Chapter 26 Configuring EtherChannels and Link State Tracking Where to Go Next Chapter 2 Using the Command Line Interfac...

Page 37: ...rompt to obtain a list of commands available for each command mode When you start a session on the switch you begin in user mode often called user EXEC mode Only a limited subset of the commands are available in user EXEC mode For example most of the user EXEC commands are one time commands such as show commands which show the current configuration status and clear commands which clear counters or...

Page 38: ... a password to protect access to this mode Global configuration While in privileged EXEC mode enter the configure command Switch config To exit to privileged EXEC mode enter exit or end or press Ctrl Z Use this mode to configure parameters that apply to the entire switch Config vlan While in global configuration mode enter the vlan vlan id command Switch config vlan To exit to global configuration...

Page 39: ... information about defining interfaces see the Using Interface Configuration Mode section on page 8 9 To configure multiple interfaces with the same parameters see the Configuring a Range of Interfaces section on page 8 11 Line configuration While in global configuration mode specify a line with the line vty or line console command Switch config line To exit to global configuration mode enter exit...

Page 40: ...e the command without the keyword no to re enable a disabled feature or to enable a feature that is disabled by default Configuration commands can also have a default form The default form of a command returns the command setting to its default Most commands are disabled by default so the default form is the same as the no form However some commands are enabled by default and have variables set to...

Page 41: ...nd Logging section of the Cisco IOS Configuration Fundamentals Configuration Guide Release 12 4 at this URL http www cisco com en US products ps6350 products_configuration_guide_chapter09186a0080454f 73 html Note Only CLI or HTTP changes are logged Table 2 3 Common CLI Error Messages Error Message Meaning How to Get Help Ambiguous command show con You did not enter enough characters for your switc...

Page 42: ...rminal history size number of lines The range is from 0 to 256 Beginning in line configuration mode enter this command to configure the number of command lines the switch records for all sessions on a particular line Switch config line history size number of lines The range is from 0 to 256 Recalling Commands To recall commands from the history buffer perform one of the actions listed in Table 2 4...

Page 43: ...anipulate the command line It contains these sections Enabling and Disabling Editing Features page 2 7 optional Editing Commands through Keystrokes page 2 8 optional Editing Command Lines that Wrap page 2 9 optional Enabling and Disabling Editing Features Although enhanced editing mode is automatically enabled you can disable it re enable it or configure a specific line to have enhanced editing Th...

Page 44: ...command line The switch provides a buffer with the last ten items that you deleted Press Ctrl Y Recall the most recent entry in the buffer Press Esc Y Recall the next buffer entry The buffer contains only the last 10 items that you have deleted or cut If you press Esc Y more than ten times you cycle to the first buffer entry Delete entries if you make a mistake or change your mind Press the Delete...

Page 45: ...config 101 permit tcp 131 108 2 5 255 255 255 0 131 108 1 20 255 25 Switch config t tcp 131 108 2 5 255 255 255 0 131 108 1 20 255 255 255 0 eq Switch config 108 2 5 255 255 255 0 131 108 1 20 255 255 255 0 eq 45 After you complete the entry press Ctrl A to check the complete syntax before pressing the Return key to execute the command The dollar sign appears at the end of the line to show that th...

Page 46: ...abitEthernet0 1 is up line protocol is down GigabitEthernet0 2 is up line protocol is up Accessing the CLI You can access the CLI through a console connection through Telnet or by using the browser Accessing the CLI through a Console Connection or through Telnet Before you can access the CLI you must connect a terminal or a PC to the switch console or connect a PC to the Ethernet management port a...

Page 47: ... up to 16 simultaneous Telnet sessions Changes made by one Telnet user are reflected in all other Telnet sessions For information about configuring the switch for SSH see the Configuring the Switch for Secure Shell section on page 7 32 The switch supports up to five simultaneous secure SSH sessions After you connect through the console port through the Ethernet management port through a Telnet ses...

Page 48: ...2 12 Catalyst 2360 Switch Software Configuration Guide OL 19808 01 Chapter 2 Using the Command Line Interface Accessing the CLI ...

Page 49: ...ing the Running Configuration page 3 11 Modifying the Startup Configuration page 3 12 Scheduling a Reload of the Software Image page 3 17 Note Information in this chapter about configuring IP addresses and DHCP is specific to IP Version 4 IPv4 Understanding the Boot Process To start your switch you need to follow the procedures in the hardware installation guide for installing and powering on the ...

Page 50: ... page 7 5 Before you can assign switch information make sure you have connected a PC or terminal to the console port or a PC to the Ethernet management port and make sure you have configured the PC or terminal emulation software baud rate and character format to match these of the switch console port Baud rate default is 9600 Data bits default is 8 Note If the data bits option is set to 8 set the ...

Page 51: ...ed with IP addresses If you are using DHCP to relay the configuration file location on the network you might also need to configure a Trivial File Transfer Protocol TFTP server and a Domain Name System DNS server The DHCP server for your switch can be on the same LAN or on a different LAN than the switch If the DHCP server is running on a different LAN you should configure a DHCP relay device betw...

Page 52: ...to the client in the DHCPOFFER unicast message are invalid a configuration error exists the client returns a DHCPDECLINE broadcast message to the DHCP server The DHCP server sends the client a DHCPNAK denial broadcast message which means that the offered configuration parameters have not been assigned that an error has occurred during the negotiation of the parameters or that the client has been s...

Page 53: ...erver address and option 125 description of the file settings For procedures to configure the switch as a DHCP server see the Configuring DHCP section of the IP addressing and Services section of the Cisco IOS IP Configuration Guide Release 12 2 After you install the switch in your network the auto image update feature starts The downloaded configuration file is saved in the running configuration ...

Page 54: ...lt gateway address to be used by the switch required If you want the switch to receive the configuration file from a TFTP server you must configure the DHCP server with these lease options TFTP server name required Boot filename the name of the configuration file that the client needs recommended Hostname optional Depending on the settings of the DHCP server the switch can receive IP address infor...

Page 55: ...contain all the required information described previously a relay must be configured to forward the TFTP packets to the TFTP server For more information see the Configuring the Relay Device section on page 3 7 The preferred solution is to configure the DHCP server with all the required information Configuring the DNS The DHCP server uses the DNS server to resolve the TFTP server name to an IP addr...

Page 56: ...the switch but the TFTP server address is not provided in the DHCP reply one file read method The switch receives its IP address subnet mask and the configuration filename from the DHCP server The switch sends a broadcast message to a TFTP server to retrieve the named configuration file from the base directory of the server and upon receipt it completes its boot up process Only the IP address is r...

Page 57: ...nnot be resolved to an IP address Example Configuration Figure 3 3 shows a sample network for retrieving IP information by using DHCP based autoconfiguration Figure 3 3 DHCP Based Autoconfiguration Network Example Table 3 2 shows the configuration of the reserved leases on the DHCP server Switch 1 00e0 9f1e 2001 Cisco router 111394 Switch 2 00e0 9f1e 2002 Switch 3 00e0 9f1e 2003 DHCP server DNS se...

Page 58: ...3 Switch A reads its configuration file as follows It obtains its IP address 10 0 0 21 from the DHCP server If no configuration filename is given in the DHCP server reply Switch A reads the network confg file from the base directory of the TFTP server It adds the contents of the network confg file to its host table It reads its host table by indexing its IP address 10 0 0 21 to its hostname switch...

Page 59: ...uptime no service password encryption enable secret 5 1 ej9 DMUvAUnZOAmvmgqBEzIxE0 output truncated interface gigabitethernet6 0 1 no switchport ip address 172 20 137 50 255 255 255 0 interface gigabitethernet6 0 2 mvr type source output truncated Step 3 ip address ip address subnet mask Enter the IP address and subnet mask Step 4 exit Return to global configuration mode Step 5 ip default gateway ...

Page 60: ...uration settings that you made If you fail to do this your configuration will be lost the next time you reload the system To display information stored in the NVRAM section of flash memory use the show startup config or more startup config privileged EXEC command For more information about alternative locations from which to copy the configuration file see Appendix B Working with the Cisco IOS Fil...

Page 61: ...filename Table 3 3 Default Boot Configuration Feature Default Setting Operating system software image The switch attempts to automatically boot up the system using information in the BOOT environment variable If the variable is not set the switch attempts to load and execute the first executable image it can by performing a recursive depth first search throughout the flash file system The Cisco IO...

Page 62: ...ory each encountered subdirectory is completely searched before continuing the search in the original directory However you can specify a specific image to boot up Step 4 show boot Verify your entries The boot config file global configuration command changes the setting of the CONFIG_FILE environment variable Step 5 copy running config startup config Optional Save your entries in the configuration...

Page 63: ...ll string A variable that is set to a null string for example is a variable with a value Many environment variables are predefined and have default values Environment variables store two kinds of data Data that controls code which does not read the Cisco IOS configuration file For example the name of a boot loader helper file which extends or patches the functionality of the boot loader can be sto...

Page 64: ... flash file system boot system filesystem file url Specifies the Cisco IOS image to load during the next boot cycle This command changes the setting of the BOOT environment variable MANUAL_BOOT set MANUAL_BOOT yes Decides whether the switch automatically or manually boots Valid values are 1 yes 0 and no If it is set to no or 0 the boot loader attempts to automatically boot up the system If it is s...

Page 65: ...g up to 255 characters in length reload at hh mm month day day month text This command schedules a reload of the software to take place at the specified time using a 24 hour clock If you specify the month and day the reload is scheduled to take place at the specified time and date If you do not specify the month and day the reload takes place at the specified time on the current day if the specifi...

Page 66: ...nvironment variable points to a startup configuration file that no longer exists If you proceed in this situation the system enters setup mode upon reload This example shows how to reload the software on the switch on the current day at 7 30 p m Switch reload at 19 30 Reload scheduled for 19 30 00 UTC Wed Jun 5 1996 in 2 hours and 25 minutes Proceed with reload confirm This example shows how to re...

Page 67: ...it does not provide complete descriptions of the cluster features for these other switches For complete cluster information for a specific Catalyst platform see the software configuration guide for that switch This chapter consists of these sections Understanding Switch Clusters page 4 2 Planning a Switch Cluster page 4 4 Using the CLI to Manage Switch Clusters page 4 11 Using SNMP to Manage Switc...

Page 68: ...ed as standby cluster command switches to avoid loss of contact with cluster members A cluster standby group is a group of standby cluster command switches Management of a variety of Catalyst switches through a single IP address This conserves on IP addresses especially if you have a limited number of them All communication with the switch cluster is through the cluster command switch IP address T...

Page 69: ...he cluster command and standby command switches through a common VLAN It is redundantly connected to the cluster so that connectivity to cluster member switches is maintained It is not a command or member switch of another cluster Note Standby cluster command switches must be the same type of switches as the cluster command switch See the switch configuration guide of other cluster capable switche...

Page 70: ...2960 Catalyst 2970 Catalyst 3550 Catalyst 3560 Catalyst 3560 E Catalyst 3750 or Catalyst 3750 E cluster command switch Candidate and cluster member switches can connect through any VLAN in common with the cluster command switch Planning a Switch Cluster Anticipating conflicts and compatibility issues is a high priority when you manage several switches through a cluster This section describes these...

Page 71: ... VLANs page 4 7 Discovery Through Different Management VLANs page 4 7 Discovery Through Routed Ports page 4 8 Discovery of Newly Installed Switches page 4 9 Discovery Through CDP Hops By using CDP a cluster command switch can discover switches up to seven CDP hops away the default is three hops from the edge of the cluster The edge of the cluster is where the last cluster member switches are conne...

Page 72: ...ot discover a cluster enabled device connected beyond the noncluster capable Cisco device Figure 4 2 shows that the cluster command switch discovers the switch that is connected to a third party hub However the cluster command switch does not discover the switch that is connected to a Catalyst 5000 switch Figure 4 2 Discovery Through Non CDP Capable and Noncluster Capable Devices Command device Me...

Page 73: ...lyst 2360 switch must be connected to the cluster command switch through their management VLAN For information about discovery through management VLANs see the Discovery Through Different Management VLANs section on page 4 7 For more information about VLANs see Chapter 9 Configuring VLANs Figure 4 3 Discovery Through Different VLANs Discovery Through Different Management VLANs Cluster command swit...

Page 74: ... Discovery Through Routed Ports If the cluster command switch has a routed port RP configured it discovers only candidate and cluster member switches in the same VLAN as the routed port For more information about routed ports see the Switch Virtual Interfaces section on page 8 3 The Layer 3 cluster command switch in Figure 4 5 can discover the switches in VLANs 9 and 62 but not the switch in VLAN ...

Page 75: ...he VLAN of the immediately upstream neighbor The new switch also configures its access port to belong to the VLAN of the immediately upstream neighbor The cluster command switch in Figure 4 6 belongs to VLANs 9 and 16 When new cluster capable switches join the cluster One cluster capable switch and its access port are assigned to VLAN 9 The other cluster capable switch and its access port are assi...

Page 76: ... for the switch is Switch If a switch joins a cluster and it does not have a hostname the cluster command switch appends a unique member number to its own hostname and assigns it sequentially as each switch joins the cluster The number means the order in which the switch was added to the cluster For example a cluster command switch named eng cluster could name the fifth cluster member eng cluster ...

Page 77: ...if RADIUS is configured on a cluster member it must be configured on all cluster members Further the same switch cluster cannot have some members configured with TACACS and other members configured with RADIUS For more information about TACACS see the Controlling Switch Access with TACACS section on page 7 10 For more information about RADIUS see the Controlling Switch Access with RADIUS section o...

Page 78: ...r switch is accessed at privilege level 15 Note The Catalyst 1900 and Catalyst 2820 CLI is available only on switches running Enterprise Edition Software For more information about the Catalyst 1900 and Catalyst 2820 switches see the installation and configuration guides for those switches Using SNMP to Manage Switch Clusters When you first power on the switch SNMP is enabled if you enter the IP i...

Page 79: ...ts own IP address and community strings the cluster member switch can send traps directly to the management station without going through the cluster command switch If a cluster member switch has its own IP address and community strings they can be used in addition to the access provided by the cluster command switch For more information about SNMP and community strings see Chapter 23 Configuring ...

Page 80: ...4 14 Catalyst 2360 Switch Software Configuration Guide OL 19808 01 Chapter 4 Clustering Switches Using SNMP to Manage Switch Clusters ...

Page 81: ...itch using automatic configuration such as the Network Time Protocol NTP or manual configuration methods Note For complete syntax and usage information for the commands used in this section see the Cisco IOS Configuration Fundamentals Command Reference Release 12 2 These sections contain this configuration information Understanding the System Clock page 5 1 Understanding Network Time Protocol page...

Page 82: ...atomic clock directly attached a stratum 2 time server receives its time through NTP from a stratum 1 time server and so on A device running NTP automatically chooses as its time source the device with the lowest stratum number with which it communicates through NTP This strategy effectively builds a self organizing tree of NTP speakers NTP avoids synchronizing to a device whose time might not be ...

Page 83: ...nchronize to that device through NTP When multiple sources of time are available NTP is always considered to be more authoritative NTP time overrides the time set by any other method Several manufacturers include NTP software for their host systems and a publicly available version for systems running UNIX and its various derivatives is also available This software allows host systems to be time sy...

Page 84: ...r the information you configure in this procedure must be matched by the servers used by the switch to synchronize its time to the NTP server Beginning in privileged EXEC mode follow these steps to authenticate the associations communications between devices running NTP that provide for accurate timekeeping with other devices for security purposes Table 5 1 Default NTP Configuration Feature Defaul...

Page 85: ...ronizes to the other device and not the other way around Step 3 ntp authentication key number md5 value Define the authentication keys By default none are defined For number specify a key number The range is 1 to 4294967295 md5 specifies that message authentication support is provided by using the message digest algorithm 5 MD5 For value enter an arbitrary string of up to eight characters for the ...

Page 86: ...e interface prefer Configure the switch system clock to synchronize a peer or to be synchronized by a peer peer association or Configure the switch system clock to be synchronized by a time server server association No peer or server associations are defined by default For ip address in a peer association specify either the IP address of the peer providing or being provided the clock synchronizati...

Page 87: ...sic IP access list The keywords have these meanings query only Allows only NTP control queries serve only Allows only time requests serve Allows time requests and NTP control queries but does not allow the switch to synchronize to the remote device peer Allows time requests and NTP control queries and allows the switch to synchronize to the remote device For access list number enter a standard IP ...

Page 88: ...of the interface through which the NTP packet is sent Use the ntp source global configuration command when you want to use a particular source IP address for all NTP packets The address is taken from the specified interface This command is useful if the address on an interface cannot be used as the destination for reply packets Beginning in privileged EXEC mode follow these steps to configure a sp...

Page 89: ...o manually set the system clock to 1 32 p m on July 23 2001 Switch clock set 13 32 00 23 July 2001 Displaying the Time and Date Configuration To display the time and date configuration use the show clock detail privileged EXEC command The system clock keeps an authoritative flag that shows whether the time is authoritative believed to be accurate If the system clock has been set by a timing source...

Page 90: ...ock timezone AST 3 30 To set the time to UTC use the no clock timezone global configuration command Command Purpose Step 1 configure terminal Enter global configuration mode Step 2 clock timezone zone hours offset minutes offset Set the time zone The switch keeps internal time in universal time coordinated UTC so this command is used only for display purposes and when the time is manually set For ...

Page 91: ...lock summer time PDT recurring 1 Sunday April 2 00 last Sunday October 2 00 Command Purpose Step 1 configure terminal Enter global configuration mode Step 2 clock summer time zone recurring week day month hh mm week day month hh mm offset Configure summer time to start and end on the specified days every year Summer time is disabled by default If you specify clock summer time zone recurring withou...

Page 92: ...t 20 characters of the system name are used as the system prompt A greater than symbol is appended The prompt is updated whenever the system name changes For complete syntax and usage information for the commands used in this section see the Cisco IOS Configuration Fundamentals Command Reference Release 12 2 and the Cisco IOS IP Command Reference Volume 2 of 3 Routing Protocols Release 12 2 Comman...

Page 93: ...cheme that allows a device to be identified by its location or domain Domain names are pieced together with periods as the delimiting characters For example Cisco Systems is a commercial organization that IP identifies by a com domain name so its domain name is cisco com A specific device in this domain for example the File Transfer Protocol FTP system is identified as ftp cisco com To keep track ...

Page 94: ...arates an unqualified name from the domain name At boot time no domain name is configured however if the switch configuration comes from a BOOTP or Dynamic Host Configuration Protocol DHCP server then the default domain name might be set by the BOOTP or DHCP server if the servers were configured with this information Step 3 ip name server server address1 server address2 server address6 Specify the...

Page 95: ...nfiguration command Displaying the DNS Configuration To display the DNS configuration information use the show running config privileged EXEC command Creating a Banner You can configure a message of the day MOTD and a login banner The MOTD banner displays on all connected terminals at login and is useful for sending messages that affect all network users such as impending system shutdowns The logi...

Page 96: ...ws the banner that appears from the previous configuration Unix telnet 172 2 5 4 Trying 172 2 5 4 Connected to 172 2 5 4 Escape character is This is a secure site Only authorized users are allowed For access contact technical support User Access Verification Password Command Purpose Step 1 configure terminal Enter global configuration mode Step 2 banner motd c message c Specify the message of the ...

Page 97: ...e types of addresses Dynamic address a source MAC address that the switch learns and then ages when it is not in use Static address a manually entered unicast address that does not age and that is not lost when the switch resets The address table lists the destination MAC address the associated VLAN ID and port number associated with the address and the type static or dynamic Note For complete syn...

Page 98: ...at are not in use The aging interval is globally configured However the switch maintains an address table for each VLAN and STP can accelerate the aging interval on a per VLAN basis The switch sends packets between any combination of ports based on the destination address of the received packet Using the MAC address table the switch forwards the packet only to the port associated with the destinat...

Page 99: ...use the clear mac address table dynamic command in privileged EXEC mode You can also remove a specific MAC address clear mac address table dynamic address mac address remove all addresses on the specified physical port or port channel clear mac address table dynamic interface interface id or remove all addresses on a specified VLAN clear mac address table dynamic vlan vlan id To verify that dynami...

Page 100: ...ress table use the no mac address table static mac addr vlan vlan id interface interface id global configuration command This example shows how to add the static address c2f3 220a 12f4 to the MAC address table When a packet is received in VLAN 4 with this MAC address as its destination address the packet is forwarded to the specified port Switch config mac address table static c2f3 220a 12f4 vlan ...

Page 101: ...c mac addr vlan vlan id drop command the switch drops packets with the specified MAC address as a source or destination If you enter the mac address table static mac addr vlan vlan id drop global configuration command followed by the mac address table static mac addr vlan vlan id interface interface id command the switch adds the MAC address as a static address You enable unicast MAC address filte...

Page 102: ...ink layer frame and sent over the network Encapsulation of IP datagrams and ARP requests and replies on IEEE 802 networks other than Ethernet is specified by the Subnetwork Access Protocol SNAP By default standard Ethernet style ARP encapsulation represented by the arpa keyword is enabled on the IP interface ARP entries added manually to the table do not age and must be manually removed For CLI pr...

Page 103: ...rce numbers associated with that template Switch show sdm prefer The current template is desktop default template The selected template optimizes the resources in the switch to support this level of features for 0 routed interfaces and 255 VLANs number of unicast mac addresses 8K number of IPv4 IGMP groups 0 25K number of IPv6 multicast groups 0 25K number of IPv4 MAC qos aces 0 375k number of IPv...

Page 104: ... 2 Catalyst 2360 Switch Software Configuration Guide OL 19808 01 Chapter 6 Using the SDM Default Template Displaying the SDM Templates number of IPv6 qos aces 0 number of IPv6 security aces 0 125k Switch ...

Page 105: ...6 3 Catalyst 2360 Switch Software Configuration Guide OL 19808 01 Chapter 6 Using the SDM Default Template Displaying the SDM Templates ...

Page 106: ...6 4 Catalyst 2360 Switch Software Configuration Guide OL 19808 01 Chapter 6 Using the SDM Default Template Displaying the SDM Templates ...

Page 107: ...ers who dial from outside the network through an asynchronous port connect from outside the network through a serial port or connect through a terminal or workstation from within the local network To prevent unauthorized access into your switch you should configure one or more of these security features At a minimum you should configure passwords and privileges at each switch port These passwords ...

Page 108: ...e information for the commands used in this section see the Cisco IOS Security Command Reference Release 12 2 These sections contain this configuration information Default Password and Privilege Level Configuration page 7 2 Setting or Changing a Static Enable Password page 7 3 Protecting Enable and Enable Secret Passwords with Encryption page 7 3 Disabling Password Recovery page 7 5 Setting a Teln...

Page 109: ...rivilege level you specify We recommend that you use the enable secret command because it uses an improved encryption algorithm If you configure the enable secret command it takes precedence over the enable password command the two commands cannot be in effect simultaneously Command Purpose Step 1 configure terminal Enter global configuration mode Step 2 enable password password Define a new passw...

Page 110: ...onfiguration mode Step 2 enable password level level password encryption type encrypted password or enable secret level level password encryption type encrypted password Define a new password or change an existing password for access to privileged EXEC mode or Define a secret password which is saved using a nonreversible encryption method Optional For level the range is from 0 to 15 Level 1 is nor...

Page 111: ...ocess and sets the system back to default values Do not keep a backup copy of the configuration file on the switch If the switch is operating in VTP transparent mode we recommend that you also keep a backup copy of the VLAN database file on a secure server When the switch is returned to the default system configuration you can download the saved files to the switch by using the Xmodem protocol For...

Page 112: ...ch If you have defined privilege levels you can also assign a specific privilege level with associated rights and privileges to each username and password pair Command Purpose Step 1 Attach a PC or workstation with emulation software to the switch console port or attach a PC to the Ethernet management port The default data characteristics of the console port are 9600 8 1 no parity You might need t...

Page 113: ...ion Setting the Privilege Level for a Command page 7 8 Changing the Default Privilege Level for Lines page 7 9 Logging into and Exiting a Privilege Level page 7 9 Command Purpose Step 1 configure terminal Enter global configuration mode Step 2 username name privilege level password encryption type password Enter the username privilege level and password for each user For name specify the user ID a...

Page 114: ...rpose Step 1 configure terminal Enter global configuration mode Step 2 privilege mode level level command Set the privilege level for a command For mode enter configure for global configuration mode exec for EXEC mode interface for interface configuration mode or line for line configuration mode For level the range is from 0 to 15 Level 1 is for normal user EXEC mode privileges Level 15 is the lev...

Page 115: ...and Exiting a Privilege Level Beginning in privileged EXEC mode follow these steps to log in to a specified privilege level and to exit to a specified privilege level Command Purpose Step 1 configure terminal Enter global configuration mode Step 2 line vty line Select the virtual terminal line on which to restrict access Step 3 privilege level level Change the default privilege level for the line ...

Page 116: ... provide each service authentication authorization and accounting independently Each service can be tied into its own database to take advantage of other services available on that server or on the network depending on the capabilities of the daemon The goal of TACACS is to provide a method for managing multiple network access points from a single management service Your switch can be a network ac...

Page 117: ...receives one of these responses from the TACACS daemon ACCEPT The user is authenticated and service can begin If the switch is configured to require authorization authorization begins at this time REJECT The user is not authenticated The user can be denied access or is prompted to retry the login sequence depending on the TACACS daemon ERROR An error occurred at some time during authentication wit...

Page 118: ...in Authentication page 7 13 Configuring TACACS Authorization for Privileged EXEC Access and Network Services page 7 15 Starting TACACS Accounting page 7 16 Default TACACS Configuration TACACS and AAA are disabled by default To prevent a lapse in security you cannot configure TACACS through a network management application When enabled TACACS can authenticate users accessing the switch through the ...

Page 119: ...or authentication thus ensuring a backup system for authentication in case the initial method fails The software uses the first method listed to Command Purpose Step 1 configure terminal Enter global configuration mode Step 2 tacacs server host hostname port integer timeout integer key string Identify the IP host or hosts maintaining a TACACS server Enter this command multiple times to create a li...

Page 120: ...character string to name the list you are creating For method1 specify the actual method the authentication algorithm tries The additional methods of authentication are used only if the previous method returns an error not if it fails Select one of these methods enable Use the enable password for authentication Before you can use this authentication method you must define an enable password by usi...

Page 121: ...ormation retrieved from the user s profile which is located either in the local user database or on the security server to configure the user s session The user is granted access to a requested service only if the information in the user profile allows it You can use the aaa authorization global configuration command with the tacacs keyword to set parameters that restrict a user s network access t...

Page 122: ...nfiguration command Displaying the TACACS Configuration To display TACACS server statistics use the show tacacs privileged EXEC command Command Purpose Step 1 configure terminal Enter global configuration mode Step 2 aaa authorization network tacacs Configure the switch for user TACACS authorization for all network related service requests Step 3 aaa authorization exec tacacs Configure the switch ...

Page 123: ...curity environments in which applications support the RADIUS protocol such as in an access environment that uses a smart card access control system In one case RADIUS has been used with Enigma s security cards to validates users and to grant access to network resources Networks already using RADIUS You can add a Cisco switch containing a RADIUS client to the network This might be the first step wh...

Page 124: ...he user is either not authenticated and is prompted to re enter the username and password or access is denied c CHALLENGE A challenge requires additional data from the user d CHALLENGE PASSWORD A response requests the user to select a new password The ACCEPT or REJECT response is bundled with additional data that is used for privileged EXEC or network authorization Users must first successfully co...

Page 125: ... is exhausted You should have access to and should configure a RADIUS server before configuring RADIUS features on your switch These sections contain this configuration information Default RADIUS Configuration page 7 19 Identifying the RADIUS Server Host page 7 19 required Configuring RADIUS Login Authentication page 7 22 required Defining AAA Server Groups page 7 24 optional Configuring RADIUS Au...

Page 126: ...rver and the switch use a shared secret text string to encrypt passwords and exchange responses To configure RADIUS to use the AAA security commands you must specify the host running the RADIUS server daemon and a secret text key string that it shares with the switch The timeout retransmission and encryption key values can be configured globally for all RADIUS servers on a per server basis or in s...

Page 127: ... the number of times a RADIUS request is resent to a server if that server is not responding or responding slowly The range is 1 to 1000 If no retransmit value is set with the radius server host command the setting of the radius server retransmit global configuration command is used Optional For key string specify the authentication and encryption key used between the switch and the RADIUS daemon ...

Page 128: ...ed and the sequence in which they are performed it must be applied to a specific port before any of the defined authentication methods are performed The only exception is the default method list which by coincidence is named default The default method list is automatically applied to all ports except those that have a named method list explicitly defined A method list describes the sequence and au...

Page 129: ...US server For more information see the Identifying the RADIUS Server Host section on page 7 19 line Use the line password for authentication Before you can use this authentication method you must define a line password Use the password password line configuration command local Use the local username database for authentication You must enter username information in the database Use the username na...

Page 130: ...e Release 12 2 Defining AAA Server Groups You can configure the switch to use AAA server groups to group existing server hosts for authentication You select a subset of the configured server hosts and use them for a particular service The server group is used with a global server host list which lists the IP addresses of the selected server hosts Server groups also can include multiple host entrie...

Page 131: ...value is set with the radius server host command the setting of the radius server retransmit global configuration command is used Optional For key string specify the authentication and encryption key used between the switch and the RADIUS daemon running on the RADIUS server Note The key is a text string that must match the encryption key used on the RADIUS server Always configure the key as the la...

Page 132: ...leged Access and Network Services AAA authorization limits the services available to a user When AAA authorization is enabled the switch uses information retrieved from the user s profile which is in the local user database or on the security server to configure the user s session The user is granted access to a requested service only if the information in the user profile allows it You can use th...

Page 133: ...disable accounting use the no aaa accounting network exec start stop method1 global configuration command Step 3 aaa authorization exec radius Configure the switch for user RADIUS authorization if the user has privileged EXEC access The exec keyword might return user profile information such as autocommand information Step 4 end Return to privileged EXEC mode Step 5 show running config Verify your...

Page 134: ...tes The full set of features available for TACACS authorization can then be used for RADIUS For example this AV pair activates Cisco s multiple named ip address pools feature during IP authorization during PPP IPCP address assignment cisco avpair ip addr pool first Command Purpose Step 1 configure terminal Enter global configuration mode Step 2 radius server key string Specify the shared secret te...

Page 135: ...C mode follow these steps to configure the switch to recognize and use VSAs For a complete list of RADIUS attributes or more information about vendor specific attribute 26 see the RADIUS Attributes appendix in the Cisco IOS Security Configuration Guide Release 12 2 Configuring the Switch for Vendor Proprietary RADIUS Server Communication Although an IETF draft standard for RADIUS specifies a metho...

Page 136: ...r host 172 20 30 15 nonstandard Switch config radius server key rad124 Displaying the RADIUS Configuration To display the RADIUS configuration use the show running config privileged EXEC command Command Purpose Step 1 configure terminal Enter global configuration mode Step 2 radius server host hostname ip address non standard Specify the IP address or hostname of the remote RADIUS server host and ...

Page 137: ...tep 4 aaa authorization exec local Configure user AAA authorization check the local database and allow the user to run an EXEC shell Step 5 aaa authorization network local Configure user AAA authorization for all network related service requests Step 6 username name privilege level password encryption type password Enter the local database and establish a username based authentication system Repea...

Page 138: ...3 Displaying the SSH Configuration and Status page 7 36 For SSH configuration examples see the SSH Configuration Examples section in the Configuring Secure Shell section in the Other Security Features chapter of the Cisco IOS Security Configuration Guide Cisco IOS Release 12 2 at this URL http www cisco com en US products sw iosswrel ps1835 products_configuration_guide_chapter0918 6a00800ca7d5 htm...

Page 139: ...these user authentication methods TACACS for more information see the Controlling Switch Access with TACACS section on page 7 10 RADIUS for more information see the Controlling Switch Access with RADIUS section on page 7 17 Local authentication and authorization for more information see the Configuring the Switch for Local Authentication and Authorization section on page 7 31 Note This software re...

Page 140: ...SSH 1 Download the cryptographic software image from Cisco com This step is required For more information see the release notes for this release 2 Configure a hostname and IP domain name for the switch Follow this procedure only if you are configuring the switch as an SSH server 3 Generate an RSA key pair for the switch which automatically enables SSH Follow this procedure only if you are configur...

Page 141: ...r example if the SSH client supports SSHv1 and SSHv2 the SSH server selects SSHv2 Step 3 ip ssh timeout seconds authentication retries number Configure the SSH control parameters Specify the time out value in seconds the default is 120 seconds The range is 0 to 120 seconds This parameter applies to the SSH negotiation phase After the connection is established the switch uses the default time out v...

Page 142: ...re the cryptographic encrypted software image must be installed on your switch You must obtain authorization to use this feature and to download the cryptographic software files from Cisco com For more information about the cryptographic image see the release notes for this release These sections contain this information Understanding Secure HTTP Servers and Clients page 7 37 Configuring Secure HT...

Page 143: ...e obtained from a specified CA trustpoint to the client The client usually a Web browser in turn has a public key that allows it to authenticate the certificate For secure HTTP connections we highly recommend that you configure a CA trustpoint If a CA trustpoint is not configured for the device running the HTTPS server the server certifies itself and generates the needed RSA key pair Because a sel...

Page 144: ...tication by itself For additional information on Certificate Authorities see the Configuring Certification Authority Interoperability chapter in the Cisco IOS Security Configuration Guide Release 12 2 CipherSuites A CipherSuite specifies the encryption algorithm and the digest algorithm to use on a SSL connection When connecting to the HTTPS server the client Web browser offers a list of supported...

Page 145: ...points are configured No self signed certificates are generated SSL Configuration Guidelines When SSL is used in a switch cluster the SSL session terminates at the cluster commander Cluster member switches must run standard HTTP Before you configure a CA trustpoint you should ensure that the system clock is set If the clock is not set the certificate is rejected due to an incorrect date Configurin...

Page 146: ...ustpoint configuration mode Step 6 enrollment url url Specify the URL to which the switch should send certificate requests Step 7 enrollment http proxy host name port number Optional Configure the switch to obtain certificates from the CA through an HTTP proxy server Step 8 crl query url Configure the switch to request a certificate revocation list CRL to ensure that the certificate of the peer ha...

Page 147: ...cate from the server but the server does not attempt to authenticate the client Step 7 ip http secure trustpoint name Specify the CA trustpoint to use to get an X 509v3 security certificate and to authenticate the client certificate connection Note Use of this command assumes you have already configured a CA trustpoint according to the previous procedure Step 8 ip http path path name Optional Set ...

Page 148: ...move a client trustpoint configuration Use the no ip http client secure ciphersuite to remove a previously configured CipherSuite specification for the client Command Purpose Step 1 configure terminal Enter global configuration mode Step 2 ip http client secure trustpoint name Optional Specify the CA trustpoint to be used if the remote HTTP server requests client authentication Using this command ...

Page 149: ...ot enter the password into the copy command You must enter the password when prompted Information About Secure Copy To configure the Secure Copy feature you should understand these concepts The behavior of SCP is similar to that of remote copy rcp which comes from the Berkeley r tools suite except that SCP relies on SSH for security SCP also requires that authentication authorization and accountin...

Page 150: ...7 44 Catalyst 2360 Switch Software Configuration Guide OL 19808 01 Chapter 7 Configuring Switch Based Authentication Configuring the Switch for Secure Copy Protocol ...

Page 151: ...this release and the online Cisco IOS Interface Command Reference Release 12 2 Understanding Interface Types Port Based VLANs page 8 1 Switch Ports page 8 2 Ethernet Management Port page 8 3 Switch Virtual Interfaces page 8 3 EtherChannel Port Groups page 8 4 10 Gigabit Ethernet Interfaces page 8 4 Connecting Interfaces page 8 5 Port Based VLANs A VLAN is a switched network that is logically segme...

Page 152: ... to which it can belong For an access port set and define the VLAN to which it belongs Switch Ports Switch ports are Layer 2 only interfaces associated with a physical port Ports belong to one or more VLANs You can configure a port as an access port or trunk port or let the Dynamic Trunking Protocol DTP operate on a per port basis to set the switchport mode by negotiating with the port on the othe...

Page 153: ...agement port instead of the switch console port for network management When connecting a PC to the Ethernet management port you must assign an IP address See the Using the Ethernet Management Port section on page 8 14 for information about this port Switch Virtual Interfaces A switch virtual interface SVI represents a VLAN of ports as one interface to the routing or bridging function to only provi...

Page 154: ...ring autostate exclude see the Configuring SVI Autostate Exclude section on page 8 21 EtherChannel Port Groups EtherChannel port groups treat multiple ports as one switch port These port groups act as a single logical port for high bandwidth connections between switches or between switches and servers An EtherChannel balances the traffic load across the links in the channel If a link within the Et...

Page 155: ...SB mini Type B console connection and an RJ 45 console port Console output appears on devices connected to both ports but console input is active on only one port at a time The USB connector takes precedence over the RJ 45 connector Note Windows PCs require a driver for the USB port See the hardware installation guide for driver installation instructions Use the supplied USB Type A to USB mini Typ...

Page 156: ...onsole media type is RJ45 You can configure the console type to always be RJ 45 and you can configure an inactivity timeout for the USB connector Configuring the Console Media Type Beginning in privileged EXEC mode follow these steps to select the RJ45 console media type If you configure the RJ 45 console USB console operation is disabled and input always remains with the RJ 45 console This config...

Page 157: ...ivileged EXEC mode follow these steps to configure an inactivity timeout This example configures the inactivity timeout to 30 minutes Switch configure terminal Switch config line console 0 Switch config line usb inactivity timeout 30 To disable the configuration use these commands Switch config line console 0 switch config line no usb inactivity timeout If there is no input activity on a USB conso...

Page 158: ...oot system flash usbflash0 c2360 universalk9 mz To disable booting from flash enter the no form of the command This is sample output from the show usb device command Switch show usb device Host Controller 1 Address 0x1 Device Configured YES Device Supported YES Description STEC USB 1GB Manufacturer STEC Version 1 0 Serial Number STI 3D508232204731 Device Handle 0x1010000 USB Version Compliance 2 0...

Page 159: ...re a range of interfaces see the Configuring a Range of Interfaces section on page 8 11 To configure a physical interface specify the interface type module number and switch port number and enter interface configuration mode Type Fast Ethernet fastethernet or fa for 10 100 Mb s Ethernet Gigabit Ethernet gigabitethernet or gi for 10 100 1000 Mb s Ethernet ports 10 Gigabit Ethernet tengigabitetherne...

Page 160: ...ese general instructions apply to all interface configuration processes Step 1 Enter the configure terminal command at the privileged EXEC prompt Switch configure terminal Enter configuration commands one per line End with CNTL Z Switch config Step 2 Enter the interface global configuration command Identify the interface type and the port number In this example Gigabit Ethernet port 1 on switch 1 ...

Page 161: ... 0 port channel port channel number port channel number where the port channel number is 1 to 48 Note When you use the interface range command with port channels the first and last port channel number must be active port channels Command Purpose Step 1 configure terminal Enter global configuration mode Step 2 interface range port range macro macro_name Specify the range of interfaces VLANs or phys...

Page 162: ...e range gigabitethernet0 1 3 tengigabitethernet0 1 2 Switch config if range flowcontrol receive on If you enter multiple configuration commands while you are in interface range mode each command is executed as it is entered The commands are not batched and executed after you exit interface range mode If you exit interface range configuration mode while the commands are being executed some commands...

Page 163: ...terfaces VLAN interfaces not displayed by the show running config command cannot be used as interface ranges All interfaces defined as in a range must be the same type all Gigabit Ethernet ports all 10 Gigabit Ethernet ports all EtherChannel ports or all VLANs but you can combine multiple interface types in a macro This example shows how to define an interface range named enet_list to include port...

Page 164: ...TP and the Ethernet Management Port page 8 15 Understanding the Ethernet Management Port The Ethernet management port also referred to as the Fa0 or fastethernet0 port is a Layer 3 host port to which you can connect a PC You can use the Ethernet management port instead of the switch console port for network management When connecting a PC to the Ethernet management port you must assign an IP addre...

Page 165: ...e configuration command To enable the port use the no shutdown interface configuration command To find out the link status to the PC you can monitor the LED for the Ethernet management port The LED is greenwhen the link is active and the LED is off when the link is down The LED is amber when there is a POST failure To display the link status use the show interfaces fastethernet 0 privileged EXEC c...

Page 166: ...ble image from the TFTP server and enters the command line interface For more details see the command reference for this release copy tftp source file url filesystem destination file url Copies a Cisco IOS image from the TFTP server to the specified location For more details see the command reference for this release 1 ARP Address Resolution Protocol Table 8 1 Boot Loader Commands continued Comman...

Page 167: ...it Ethernet ports operating at 1000 Mb s do not support half duplex mode For SFP module ports the speed and duplex CLI options change depending on the SFP module type The 1000BASE x where x is BX CWDM LX SX and ZX SFP module ports support the nonegotiate keyword in the speed interface configuration command Duplex options are not supported The 1000BASE T SFP module ports support the same speed and ...

Page 168: ...ter for the interface Enter 10 100 or 1000 to set a specific speed for the interface The 1000 keyword is available only for 10 100 1000 Mb s ports Enter auto to enable the interface to autonegotiate speed with the connected device If you use the 10 100 or the 1000 keywords with the auto keyword the port autonegotiates only at the specified speeds The nonegotiate keyword is available only for SFP m...

Page 169: ...rules apply to flow control settings on the device receive on or desired The port cannot send pause frames but can operate with an attached device that is required to or can send pause frames the port can receive pause frames receive off Flow control does not operate in either direction In case of congestion no indication is given to the link partner and no pause frames are sent or received by eit...

Page 170: ... 1000BASE SX or LX SFP module interfaces Table 8 3 shows the link states that result from auto MDIX settings and correct and incorrect cabling Beginning in privileged EXEC mode follow these steps to configure auto MDIX on an interface To disable auto MDIX use the no mdix auto interface configuration command This example shows how to enable auto MDIX on a port Switch configure terminal Switch confi...

Page 171: ...atus Protocol Description Gi1 0 2 admin down down Connects to Marketing Configuring SVI Autostate Exclude The switch supports a maximum of 64 switch virtual interfaces SVIs Configuring SVI autostate exclude on an access or trunk port in an SVI excludes that port in the calculation of the status of the SVI line state up or down status even if it belongs to the same VLAN When the excluded port is in...

Page 172: ...bytes command to change the system jumbo MTU size you must reload the switch before the new configuration takes effect The system MTU setting is saved in the switch environmental variable in NVRAM and becomes effective when the switch reloads The MTU settings you enter with the system mtu jumbo command are not saved in the switch Cisco IOS configuration file even if you enter the copy running conf...

Page 173: ...You globally enable the small frame arrival feature on the switch and then configure the small frame threshold for packets on each interface Packets smaller than the minimum size and arriving at a specified rate the threshold are dropped since the port is error disabled If the errdisable recovery cause small frame global configuration command is entered the port is re enabled after a specified tim...

Page 174: ...tware and the hardware the configuration and statistics about the interfaces Table 8 4 lists some of these interface monitoring commands You can display the full list of show commands by using the show command at the privileged EXEC prompt These commands are fully described in the Cisco IOS Interface Command Reference Release 12 2 Step 3 errdisable recovery interval interval Optional Specify the t...

Page 175: ...ay the description configured on an interface or all interfaces and the interface status show interface interface id stats Display the input and output packets by the switching path for the interface show interfaces interface id Optional Display speed and duplex on the interface show interfaces transceiver dom supported list Optional Display Digital Optical Monitoring DOM status on the connect SFP...

Page 176: ...mmunicated to other network servers through all dynamic routing protocols The interface is not mentioned in any routing updates Beginning in privileged EXEC mode follow these steps to shut down an interface Use the no shutdown interface configuration command to restart the interface To verify that an interface is disabled enter the show interfaces privileged EXEC command A disabled interface is sh...

Page 177: ...plication without regard to the physical locations of the users VLANs have the same attributes as physical LANs but you can group end stations even if they are not physically located on the same LAN segment Any switch port can belong to a VLAN and unicast broadcast and multicast packets are forwarded and flooded only to end stations in the VLAN Each VLAN is considered a logical network and packets...

Page 178: ...rtual Interfaces section on page 8 3 Supported VLANs The switch supports VLANs in VTP client server and transparent modes VLANs are identified by a number from 1 to 4094 VLAN IDs 1002 through 1005 are reserved for Token Ring and FDDI VLANs VTP only learns normal range VLANs with VLAN IDs 1 to 1005 VLAN IDs greater than 1005 are extended range VLANs and are not stored in the VLAN database The switc...

Page 179: ...s section on page 9 11 Configurations for VLAN IDs 1 to 1005 are written to the file vlan dat VLAN database and you can display them by entering the show vlan privileged EXEC command The vlan dat file is stored in flash memory Table 9 1 Port Membership Modes and Characteristics Membership Mode VLAN Membership Characteristics VTP Characteristics Static access A static access port can belong to one ...

Page 180: ...ernet Fiber Distributed Data Interface FDDI FDDI network entity title NET TrBRF or TrCRF Token Ring Token Ring Net VLAN state active or suspended Maximum transmission unit MTU for the VLAN Security Association Identifier SAID Bridge identification number for TrBRF VLANs Ring number for FDDI and TrCRF VLANs Parent VLAN number for TrCRF VLANs Spanning Tree Protocol STP type for TrCRF VLANs VLAN numb...

Page 181: ... VLANs section on page 9 11 Before you can create a VLAN the switch must be in VTP server mode or VTP transparent mode If the switch is a VTP server you must define a VTP domain or VTP will not function The switch does not support Token Ring or FDDI media The switch does not forward FDDI FDDI Net TrCRF or TrBRF traffic but it does propagate the VLAN configuration through VTP The switch supports 64...

Page 182: ...and You must use this config vlan mode when creating extended range VLANs VLAN IDs greater than 1005 See the Configuring Extended Range VLANs section on page 9 11 VLAN Configuration in VLAN Database Configuration Mode To access VLAN database configuration mode enter the vlan database privileged EXEC command Then enter the vlan command with a new VLAN ID to create a VLAN or enter an existing VLAN I...

Page 183: ...nd VLAN configuration for the first 1005 VLANs use the VLAN database information Caution If the VLAN database configuration is used at startup and the startup configuration file contains extended range VLAN configuration this information is lost when the system boots up Default Ethernet VLAN Configuration Table 9 2 shows the default configuration for Ethernet VLANs Note The switch supports Etherne...

Page 184: ...nal Switch config vlan 20 Switch config vlan name test20 Switch config vlan end Command Purpose Step 1 configure terminal Enter global configuration mode Step 2 vlan vlan id Enter a VLAN ID and enter config vlan mode Enter a new VLAN ID to create a VLAN or enter an existing VLAN ID to modify that VLAN Note The available VLAN ID range for this command is 1 to 4094 For information about adding VLAN ...

Page 185: ...y on that specific switch You cannot delete the default VLANs for the different media types Ethernet VLAN 1 and FDDI or Token Ring VLANs 1002 to 1005 Command Purpose Step 1 vlan database Enter VLAN database configuration mode Step 2 vlan vlan id name vlan name Add an Ethernet VLAN by assigning a number to it The range is 1 to 1001 You can create or modify a range of consecutive VLANs by entering v...

Page 186: ...that does not exist the new VLAN is created See the Creating or Modifying an Ethernet VLAN section on page 9 8 Beginning in privileged EXEC mode follow these steps to assign a port to a VLAN in the VLAN database Command Purpose Step 1 configure terminal Enter global configuration mode Step 2 no vlan vlan id Remove the VLAN by entering the VLAN ID Step 3 end Return to privileged EXEC mode Step 4 sh...

Page 187: ... supported in VLAN database configuration mode accessed by entering the vlan database privileged EXEC command Extended range VLAN configurations are not stored in the VLAN database but because VTP mode is transparent they are stored in the switch running configuration file and you can save the configuration in the startup configuration file by using the copy running config startup config privilege...

Page 188: ...number of spanning tree instances we recommend that you configure the IEEE 802 1s Multiple STP MSTP on your switch to map multiple VLANs to a single spanning tree instance For more information about MSTP see Chapter 12 Configuring MSTP Although the switch supports a total of 128 normal range and extended range VLANs the number of SVIs and other configured features affects the use of the switch har...

Page 189: ...Step 1 configure terminal Enter global configuration mode Step 2 vtp mode transparent Configure the switch for VTP transparent mode disabling VTP Step 3 vlan vlan id Enter an extended range VLAN ID and enter config vlan mode The range is 1006 to 4094 Step 4 mtu mtu size Optional Modify the VLAN by changing the MTU size Note Although all VLAN commands appear in the CLI help in config vlan mode only...

Page 190: ...rfaces and another networking device such as a router or a switch Ethernet trunks carry the traffic of multiple VLANs over a single link and you can extend the VLANs across an entire network The IEEE 802 1Q industry standard trunking encapsulation is available on all Ethernet interfaces You can configure a trunk on a single Ethernet interface or on an EtherChannel bundle For more information about...

Page 191: ... non Cisco device through an IEEE 802 1Q trunk the Cisco switch combines the spanning tree instance of the VLAN of the trunk with the spanning tree instance of the non Cisco IEEE 802 1Q switch However spanning tree information for each VLAN is maintained by Cisco switches separated by a cloud of non Cisco IEEE 802 1Q switches The non Cisco IEEE 802 1Q cloud separating the Cisco switches is treated...

Page 192: ... one trunk port is configured on the switch and that this trunk port is connected to the trunk port of a second switch Otherwise the switch cannot receive any VTP advertisements These sections contain this configuration information Interaction with Other Features page 9 17 Defining the Allowed VLANs on a Trunk page 9 18 Changing the Pruning Eligible List page 9 19 Configuring the Native VLAN for U...

Page 193: ...e id Specify the port to be configured for trunking and enter interface configuration mode Step 3 switchport mode dynamic auto desirable trunk Configure the interface as a Layer 2 trunk required only if the interface is a Layer 2 access port or tunnel port or to specify the trunking mode dynamic auto Set the interface to a trunk link if the neighboring interface is set to trunk or desirable mode T...

Page 194: ...t that VLAN 1 always be enabled on every trunk link You can use the VLAN 1 minimization feature to disable VLAN 1 on any individual VLAN trunk link so that no user traffic including spanning tree advertisements is sent or received on VLAN 1 To reduce the risk of spanning tree loops or storms you can disable VLAN 1 on any individual VLAN trunk port by removing VLAN 1 from the allowed list When you ...

Page 195: ...094 or a range of VLANs described by two VLAN numbers the lower one first separated by a hyphen Do not enter any spaces between comma separated VLAN parameters or in hyphen specified ranges All VLANs are allowed by default Step 5 end Return to privileged EXEC mode Step 6 show interfaces interface id switchport Verify your entries in the Trunking VLANs Enabled field of the display Step 7 copy runni...

Page 196: ...s sent untagged otherwise the switch sends the packet with a tag Configuring Trunk Ports for Load Sharing Load sharing divides the bandwidth supplied by parallel trunks connecting switches To avoid loops STP normally blocks all but one parallel link between switches Using load sharing you divide the traffic between the links according to which VLAN the traffic belongs Step 5 show interfaces interf...

Page 197: ... this example the switches are configured as follows VLANs 8 through 10 are assigned a port priority of 16 on Trunk 1 VLANs 3 through 6 retain the default port priority of 128 on Trunk 1 VLANs 3 through 6 are assigned a port priority of 16 on Trunk 2 VLANs 8 through 10 retain the default port priority of 128 on Trunk 2 In this way Trunk 1 carries traffic for VLANs 8 through 10 and Trunk 2 carries ...

Page 198: ...a trunk port Note The Catalyst 2360 switch supports only IEEE 802 1q trunking Step 10 end Return to privileged EXEC mode Step 11 show interfaces gigabitethernet 0 1 switchport Verify the VLAN configuration Step 12 Repeat Steps 7 through 11on Switch A for a second port in the switch Step 13 Repeat Steps 7 through 11on Switch B to configure the trunk ports that connect to the trunk ports configured ...

Page 199: ... Return to privileged EXEC mode Step 7 show running config Verify your entries In the display make sure that the interfaces are configured as trunk ports Step 8 show vlan When the trunk links come up Switch A receives the VTP information from the other switches Verify that Switch A has learned the VLAN configuration Step 9 configure terminal Enter global configuration mode Step 10 interface gigabi...

Page 200: ...9 24 Catalyst 2360 Switch Software Configuration Guide OL 19808 01 Chapter 9 Configuring VLANs Configuring VLAN Trunks ...

Page 201: ...ke configuration changes centrally on one or more switches and have those changes automatically communicated to all the other switches in the network Without VTP you cannot send information about VLANs to other switches VTP is designed to work in an environment where updates are made on a single switch and are sent through VTP to other switches in the domain It does not work well in a situation wh...

Page 202: ...ys verify that its VTP configuration revision number is lower than the configuration revision number of the other switches in the VTP domain Switches in a VTP domain always use the VLAN configuration of the switch with the highest VTP configuration revision number If you add a switch that has a revision number higher than the revision number in the VTP domain it can erase all VLAN information from...

Page 203: ...TP domain and synchronize their VLAN configurations with other switches based on advertisements received over trunk links In VTP server mode VLAN configurations are saved in NVRAM VTP server is the default mode VTP client A VTP client behaves like a VTP server and transmits and receives VTP updates on its trunks but you cannot create change or delete VLANs on a VTP client VLANs are configured on a...

Page 204: ...ects VTP messages for the domain name and version and forwards a message only if the version and domain name match Because VTP Version 2 supports only one domain it forwards VTP messages in transparent mode without inspecting the version and domain name Consistency Checks In VTP Version 2 VLAN consistency checks such as VLAN names and values are performed only when you enter new information throug...

Page 205: ...h VTP pruning enabled The broadcast traffic from Switch A is not forwarded to Switches C E and F because traffic for the Red VLAN has been pruned on the links shown Port 5 on Switch B and Port 4 on Switch D Figure 10 2 Optimized Flooded Traffic with VTP Pruning Enabling VTP pruning on a VTP server enables pruning for the entire management domain Making VLANs pruning eligible or pruning ineligible ...

Page 206: ...use the switchport trunk pruning vlan interface configuration command see the Changing the Pruning Eligible List section on page 9 19 VTP pruning operates when an interface is trunking You can set VLAN pruning eligibility whether or not VTP pruning is enabled for the VTP domain whether or not any given VLAN exists and whether or not the interface is currently trunking Configuring VTP These section...

Page 207: ...tch startup configuration file and reboot the switch the switch configuration is selected as follows If the VTP mode is transparent in the startup configuration and the VLAN database and the VTP domain name from the VLAN database matches that in the startup configuration file the VLAN database is ignored cleared and the VTP and VLAN configurations in the startup configuration file are used The VLA...

Page 208: ...a domain password all domain switches must share the same password and you must configure the password on each switch in the management domain Switches without a password or with the wrong password reject VTP advertisements If you configure a VTP password for a domain a switch that is booted without a VTP configuration does not accept VTP advertisements until you configure it with the correct pass...

Page 209: ...r this release If you are configuring extended range VLANs on the switch the switch must be in VTP transparent mode Configuring a VTP Server When a switch is in VTP server mode you can change the VLAN configuration and have it propagated throughout the network Note If extended range VLANs are configured on the switch you cannot change VTP mode to server You receive an error message and the configu...

Page 210: ...ation command This example shows how to use VLAN database configuration mode to configure the switch as a VTP server with the domain name eng_group and the password mypassword Switch vlan database Switch vlan vtp server Switch vlan vtp domain eng_group Switch vlan vtp password mypassword Switch vlan exit APPLY completed Exiting Switch Command Purpose Step 1 vlan database Enter VLAN database config...

Page 211: ...To return the switch to a no password state use the no vtp password privileged EXEC command When you configure a domain name it cannot be removed you can only reassign a switch to a different domain Note You can also configure a VTP client by using the vlan database privileged EXEC command to enter VLAN database configuration mode and entering the vtp client command similar to the second procedure...

Page 212: ...uration command Note If extended range VLANs are configured on the switch you cannot change the VTP mode to server You receive an error message and the configuration is not allowed Note You can also configure VTP transparent mode by using the vlan database privileged EXEC command to enter VLAN database configuration mode and by entering the vtp transparent command similar to the second procedure u...

Page 213: ...ction properly For Token Ring and Token Ring Net media VTP Version 2 must be disabled For more information on VTP version configuration guidelines see the VTP Version section on page 10 8 Beginning in privileged EXEC mode follow these steps to enable VTP Version 2 To disable VTP Version 2 use the no vtp version global configuration command Note You can also enable VTP Version 2 by using the vlan d...

Page 214: ...tire VTP domain Only VLANs included in the pruning eligible list can be pruned By default VLANs 2 through 1001 are pruning eligible on trunk ports Reserved VLANs and extended range VLANs cannot be pruned To change the pruning eligible VLANs see the Changing the Pruning Eligible List section on page 9 19 Adding a VTP Client Switch to a VTP Domain Before adding a VTP client to a VTP domain always ve...

Page 215: ...and Purpose Step 1 show vtp status Check the VTP configuration revision number If the number is 0 add the switch to the VTP domain If the number is greater than 0 follow these steps a Write down the domain name b Write down the configuration revision number c Continue with the next steps to reset the switch configuration revision number Step 2 configure terminal Enter global configuration mode Ste...

Page 216: ...rrent VTP revision and the number of VLANs You can also display statistics about the advertisements sent and received by the switch Table 10 3 shows the privileged EXEC commands for monitoring VTP activity Table 10 3 VTP Monitoring Commands Command Purpose show vtp status Display the VTP switch configuration information show vtp counters Display counters about VTP messages that have been sent and ...

Page 217: ...ee Chapter 13 Configuring Optional Spanning Tree Features Note For complete syntax and usage information for the commands used in this chapter see the command reference for this release This chapter consists of these sections Understanding Spanning Tree Features page 11 1 Configuring Spanning Tree Features page 11 10 Displaying the Spanning Tree Status page 11 22 Understanding Spanning Tree Featur...

Page 218: ...Alternate A blocked port providing an alternate path to the root bridge in the spanning tree Backup A blocked port in a loopback configuration The switch that has all of its ports as the designated role or as the backup role is the root switch The switch that has at least one of its ports in the designated role is called the designated switch Spanning tree forces redundant data paths into a standb...

Page 219: ...nfiguration BPDU that contains inferior information to that currently stored for that port it discards the BPDU If the switch is a designated switch for the LAN from which the inferior BPDU was received it sends that LAN a BPDU containing the up to date information stored for that port In this way inferior information is discarded and superior information is propagated on the network A BPDU exchan...

Page 220: ...ed as the root switch Configuring a higher value decreases the probability a lower value increases the probability For more information see the Configuring the Root Switch section on page 11 14 the Configuring a Secondary Root Switch section on page 11 16 and the Configuring the Switch Priority of a VLAN section on page 11 19 Spanning Tree Interface States Propagation delays can occur when protoco...

Page 221: ...ocess occurs 1 The interface is in the listening state while spanning tree waits for protocol information to move the interface to the blocking state 2 While spanning tree waits the forward delay timer to expire it moves the interface to the learning state and resets the forward delay timer 3 In the learning state the interface continues to block frame forwarding as the switch learns end station l...

Page 222: ...ld participate in frame forwarding An interface in the listening state performs these functions Discards frames received on the interface Discards frames switched from another interface for forwarding Does not learn addresses Receives BPDUs Learning State A Layer 2 interface in the learning state prepares to participate in frame forwarding The interface enters the learning state from the listening...

Page 223: ...g interfaces or link types Switch A might not be the ideal root switch By increasing the priority lowering the numerical value of the ideal switch so that it becomes the root switch you force a spanning tree recalculation to form a new topology with the ideal switch as the root Figure 11 2 Spanning Tree Topology When the spanning tree topology is calculated based on default parameters the path bet...

Page 224: ...0x0180C2000010 to be used by different bridge protocols These addresses are static addresses that cannot be removed Regardless of the spanning tree state each switch receives but does not forward packets destined for addresses between 0x0180C2000000 and 0x0180C200000F If spanning tree is enabled the CPU on the switch receives packets destined for 0x0180C2000000 and 0x0180C2000010 If spanning tree ...

Page 225: ...rgence the rapid PVST immediately deletes dynamically learned MAC address entries on a per port basis upon receiving a topology change By contrast PVST uses a short aging time for dynamically learned MAC address entries The rapid PVST uses the same configuration as PVST except where noted and the switch needs only minimal extra configuration The benefit of rapid PVST is that you can migrate a larg...

Page 226: ...e for each VLAN allowed on the trunks When you connect a Cisco switch to a non Cisco device through an IEEE 802 1Q trunk the Cisco switch uses PVST to provide spanning tree interoperability If rapid PVST is enabled the switch uses it instead of PVST The switch combines the spanning tree instance of the IEEE 802 1Q VLAN of the trunk with the spanning tree instance of the non Cisco IEEE 802 1Q switc...

Page 227: ...s on the switch The remaining VLANs operate with spanning tree disabled However you can map multiple VLANs to the same spanning tree instances by using MSTP For more information see Chapter 12 Configuring MSTP Table 11 3 Default Spanning Tree Configuration Feature Default Setting Enable state Enabled on VLAN 1 For more information see the Supported Spanning Tree Instances section on page 11 9 Span...

Page 228: ...f that switch the new VLAN is carried on all trunk ports Depending on the topology of the network this could create a loop in the new VLAN that will not be broken particularly if there are several adjacent switches that have all run out of spanning tree instances You can prevent this possibility by setting up allowed lists on the trunk ports of switches that have used up their allocation of spanni...

Page 229: ...Step 3 interface interface id Recommended for rapid PVST mode only Specify an interface to configure and enter interface configuration mode Valid interfaces include physical ports VLANs and port channels The VLAN ID range is 1 to 4094 The port channel range is 1 to 48 Step 4 spanning tree link type point to point Recommended for rapid PVST mode only Specify that the link type for this port is poin...

Page 230: ...ity from the default value 32768 to a significantly lower value When you enter this command the software checks the switch priority of the root switches for each VLAN Because of the extended system ID support the switch sets its own priority for the specified VLAN to 24576 if this value will cause this switch to become the root for the specified VLAN If any root switch for the specified VLAN has a...

Page 231: ...d the spanning tree vlan vlan id max age global configuration commands Beginning in privileged EXEC mode follow these steps to configure a switch to become the root for the specified VLAN This procedure is optional To return to the default setting use the no spanning tree vlan vlan id root global configuration command Command Purpose Step 1 configure terminal Enter global configuration mode Step 2...

Page 232: ... state You can assign higher priority values lower numerical values to interfaces that you want selected first and lower priority values higher numerical values that you want selected last If all interfaces have the same priority value spanning tree puts the interface with the lowest interface number in the forwarding state and blocks the other interfaces Command Purpose Step 1 configure terminal ...

Page 233: ...ion mode Valid interfaces include physical ports and port channel logical interfaces port channel port channel number Step 3 spanning tree port priority priority Configure the port priority for an interface For priority the range is 0 to 240 in increments of 16 the default is 128 Valid values are 0 16 32 48 64 80 96 112 128 144 160 176 192 208 224 and 240 All other values are rejected The lower th...

Page 234: ...nterface id Specify an interface to configure and enter interface configuration mode Valid interfaces include physical ports and port channel logical interfaces port channel port channel number Step 3 spanning tree cost cost Configure the cost for an interface If a loop occurs spanning tree uses the path cost when selecting an interface to place into the forwarding state A lower path cost represen...

Page 235: ...ow these steps to configure the switch priority of a VLAN This procedure is optional To return to the default setting use the no spanning tree vlan vlan id priority global configuration command Command Purpose Step 1 configure terminal Enter global configuration mode Step 2 spanning tree vlan vlan id priority priority Configure the switch priority of a VLAN For vlan id you can specify a single VLA...

Page 236: ...iable Description Hello timer Controls how often the switch broadcasts hello messages to other switches Forward delay timer Controls how long each of the listening and learning states last before the interface begins forwarding Maximum age timer Controls the amount of time the switch stores protocol information received on an interface Transmit hold count Controls the number of BPDUs that can be s...

Page 237: ...states to the forwarding state For vlan id you can specify a single VLAN identified by VLAN ID number a range of VLANs separated by a hyphen or a series of VLANs separated by a comma The range is 1 to 4094 For seconds the range is 4 to 30 the default is 15 Step 3 end Return to privileged EXEC mode Step 4 show spanning tree vlan vlan id Verify your entries Step 5 copy running config startup config ...

Page 238: ...he clear spanning tree interface interface id privileged EXEC command For information about other keywords for the show spanning tree privileged EXEC command see the command reference for this release Command Purpose Step 1 configure terminal Enter global configuration mode Step 2 spanning tree transmit hold count value Configure the number of BPDUs that can be sent before pausing for 1 second For...

Page 239: ...id Spanning Tree Protocol RSTP which is based on IEEE 802 1w is automatically enabled The RSTP provides rapid convergence of the spanning tree through explicit handshaking that eliminates the IEEE 802 1D forwarding delay and quickly transitions root ports and designated ports to the forwarding state Both MSTP and RSTP improve the spanning tree operation and maintain backward compatibility with equ...

Page 240: ...ith the same MST configuration information A collection of interconnected switches that have the same MST configuration comprises an MST region as shown in Figure 12 1 on page 12 4 The MST configuration controls to which MST region each switch belongs The configuration includes the name of the region the revision number and the MST VLAN to instance assignment map You configure the switch for a reg...

Page 241: ...rithm running among switches that support the IEEE 802 1w IEEE 802 1s and IEEE 802 1D standards The CIST inside an MST region is the same as the CST outside a region For more information see the Operations Within an MST Region section on page 12 3 and the Operations Between MST Regions section on page 12 4 Note The implementation of the IEEE 802 1s standard changes some of the terminology associat...

Page 242: ...djacent STP switches and MST regions Figure 12 1 shows a network with three MST regions and a legacy IEEE 802 1D switch D The CIST regional root for region 1 A is also the CIST root The CIST regional root for region 2 B and the CIST regional root for region 3 C are the roots for their respective subtrees within the CIST The RSTP runs in all regions Figure 12 1 MST Regions CIST Masters and CST Root...

Page 243: ...he region The CIST regional root acts as a root switch for the IST The CIST internal root path cost is the cost to the CIST regional root in a region This cost is only relevant to the IST instance 0 Table 12 1 on page 12 5 compares the IEEE standard and the Cisco prestandard terminology Hop Count The IST and MST instances do not use the message age and maximum age information in the configuration ...

Page 244: ...eats a port that receives an external message as a boundary port This means a port cannot receive a mix of internal and external messages An MST region includes both switches and LANs A segment belongs to the region of its designated port Therefore a port in a different region than the designated port for a segment is a boundary port This definition allows two ports internal to a region to share a...

Page 245: ... switches can fail you can use an interface configuration command to identify prestandard ports A region cannot be formed between a standard and a prestandard switch but they can interoperate by using the CIST Only the capability of load balancing over different instances is lost in that particular case The CLI displays different flags depending on the port configuration when a port receives prest...

Page 246: ...ation BPDU a BPDU with the protocol version set to 0 it sends only IEEE 802 1D BPDUs on that port An MSTP switch also can detect that a port is at the boundary of a region when it receives a legacy BPDU an MSTP BPDU Version 3 associated with a different region or an RSTP BPDU Version 2 However the switch does not automatically revert to the MSTP mode if it no longer receives IEEE 802 1D BPDUs beca...

Page 247: ...switch to that provided by the current root port Backup port Acts as a backup for the path provided by a designated port toward the leaves of the spanning tree A backup port can exist only when two ports are connected in a loopback by a point to point link or when a switch has two or more connections to a shared LAN segment Disabled port Has no role within the operation of the spanning tree A port...

Page 248: ...al value than the priority of Switch B Switch A sends a proposal message a configuration BPDU with the proposal flag set to Switch B proposing itself as the designated switch After receiving the proposal message Switch B selects as its new root port the port from which the proposal message was received forces all nonedge ports to the blocking state and sends an agreement message a BPDU with the ag...

Page 249: ...n the forwarding state and is not configured as an edge port it transitions to the blocking state when the RSTP forces it to synchronize with new root information In general when the RSTP forces a port to synchronize with root information and the port does not satisfy any of the above conditions its port state is set to blocking After ensuring that all of the ports are synchronized the switch send...

Page 250: ...he proposal flag in the RSTP BPDU to propose itself as the designated switch on that LAN The port role in the proposal message is always set to the designated port The sending switch sets the agreement flag in the RSTP BPDU to accept the previous proposal The port role in the agreement message is always set to the root port 2 Block 9 Forward 1 Proposal 4 Agreement 6 Proposal Root port Designated p...

Page 251: ...nd so forth than currently stored for the port with a designated port role it immediately replies with its own information Topology Changes This section describes the differences between the RSTP and the IEEE 802 1D in handling spanning tree topology changes Detection Unlike IEEE 802 1D in which any transition between the blocking and the forwarding state causes a topology change only transitions ...

Page 252: ...in this configuration information Default MSTP Configuration page 12 14 MSTP Configuration Guidelines page 12 15 Specifying the MST Region Configuration and Enabling MSTP page 12 16 required Configuring the Root Switch page 12 17 optional Configuring a Secondary Root Switch page 12 18 optional Configuring Port Priority page 12 19 optional Configuring Path Cost page 12 20 optional Configuring the S...

Page 253: ...the MST region by using the command line interface CLI or through the SNMP support For load balancing across redundant paths in the network to work all VLAN to instance mapping assignments must match otherwise all traffic flows on a single link All MST boundary ports must be forwarding for load balancing between a PVST and an MST cloud or between a rapid PVST and an MST cloud For this to occur the...

Page 254: ... the range is 1 to 4094 When you map VLANs to an MST instance the mapping is incremental and the VLANs specified in the command are added to or removed from the VLANs that were previously mapped To specify a VLAN range use a hyphen for example instance 1 vlan 1 63 maps VLANs 1 through 63 to MST instance 1 To specify a VLAN series use a comma for example instance 1 vlan 10 20 30 maps VLANs 10 20 an...

Page 255: ...t switch To configure a switch to become the root use the spanning tree mst instance id root global configuration command to modify the switch priority from the default value 32768 to a significantly lower value so that the switch becomes the root switch for the specified spanning tree instance When you enter this command the switch checks the switch priorities of the root switches Because of the ...

Page 256: ... fails This is assuming that the other network switches use the default switch priority of 32768 and therefore are unlikely to become the root switch You can execute this command on more than one switch to configure multiple backup root switches Use the same network diameter and hello time values that you used when you configured the primary root switch with the spanning tree mst instance id root ...

Page 257: ...instance id root secondary diameter net diameter hello time seconds Configure a switch as the secondary root switch For instance id you can specify a single instance a range of instances separated by a hyphen or a series of instances separated by a comma The range is 0 to 4094 Optional For diameter net diameter specify the maximum number of switches between any two end stations The range is 2 to 7...

Page 258: ... the other interfaces Beginning in privileged EXEC mode follow these steps to configure the MSTP cost of an interface This procedure is optional Step 3 spanning tree mst instance id port priority priority Configure the port priority For instance id you can specify a single instance a range of instances separated by a hyphen or a series of instances separated by a comma The range is 0 to 4094 For p...

Page 259: ...ou use the spanning tree mst instance id root primary and the spanning tree mst instance id root secondary global configuration commands to modify the switch priority Step 3 spanning tree mst instance id cost cost Configure the cost If a loop occurs the MSTP uses the path cost when selecting an interface to place into the forwarding state A lower path cost represents higher speed transmission For ...

Page 260: ... a range of instances separated by a hyphen or a series of instances separated by a comma The range is 0 to 4094 For priority the range is 0 to 61440 in increments of 4096 the default is 32768 The lower the number the more likely the switch will be chosen as the root switch Priority values are 0 4096 8192 12288 16384 20480 24576 28672 32768 36864 40960 45056 49152 53248 57344 and 61440 All other v...

Page 261: ...ime seconds Configure the forward time for all MST instances The forward delay is the number of seconds a port waits before changing from its spanning tree learning and listening states to the forwarding state For seconds the range is 4 to 30 the default is 15 Step 3 end Return to privileged EXEC mode Step 4 show spanning tree mst Verify your entries Step 5 copy running config startup config Optio...

Page 262: ...ions to the forwarding state Beginning in privileged EXEC mode follow these steps to override the default link type setting This procedure is optional To return the port to its default setting use the no spanning tree link type interface configuration command Command Purpose Step 1 configure terminal Enter global configuration mode Step 2 spanning tree mst max hops hop count Specify the number of ...

Page 263: ...h also can detect that a port is at the boundary of a region when it receives a legacy BPDU an MST BPDU Version 3 associated with a different region or an RST BPDU Version 2 However the switch does not automatically revert to the MSTP mode if it no longer receives IEEE 802 1D BPDUs because it cannot detect whether the legacy switch has been removed from the link unless the legacy switch is the des...

Page 264: ...ds for the show spanning tree privileged EXEC command see the command reference for this release Table 12 5 Commands for Displaying MST Status Command Purpose show spanning tree mst configuration Displays the MST region configuration show spanning tree mst configuration digest Displays the MD5 digest included in the current MSTCI show spanning tree mst instance id Displays MST information for the ...

Page 265: ...ng Tree Protocol MSTP and how to map multiple VLANs to the same spanning tree instance see Chapter 12 Configuring MSTP Note For complete syntax and usage information for the commands used in this chapter see the command reference for this release This chapter consists of these sections Understanding Optional Spanning Tree Features page 13 1 Configuring Optional Spanning Tree Features page 13 9 Dis...

Page 266: ...ng a spanning tree loop You can enable this feature by using the spanning tree portfast interface configuration or the spanning tree portfast default global configuration command Figure 13 1 Port Fast Enabled Interfaces Understanding BPDU Guard The BPDU guard feature can be globally enabled on the switch or can be enabled per port but the feature operates with some differences At the global level ...

Page 267: ...revents interfaces that are in a Port Fast operational state from sending or receiving BPDUs The interfaces still send a few BPDUs at link up before the switch begins to filter outbound BPDUs You should globally enable BPDU filtering on a switch so that hosts connected to these interfaces do not receive BPDUs If a BPDU is received on a Port Fast enabled interface the interface loses its Port Fast ...

Page 268: ...is 150 packets per second However if you enter zero station learning frames are not generated so the spanning tree topology converges more slowly after a loss of connectivity Note UplinkFast is most useful in wiring closet switches at the access or edge of the network It is not appropriate for backbone devices This feature might not be useful for other types of applications UplinkFast provides fas...

Page 269: ...protocol information received on an interface When a switch receives an inferior BPDU from the designated port of another switch the BPDU is a signal that the other switch might have lost its path to the root and BackboneFast tries to find an alternate path to the root BackboneFast which is enabled by using the spanning tree backbonefast global configuration command starts when a root port or bloc...

Page 270: ...e or more alternate paths can still connect to the root switch the switch makes all interfaces on which it received an inferior BPDU its designated ports and moves them from the blocking state if they were in the blocking state through the listening and learning states and into the forwarding state Figure 13 5 shows an example topology with no link failures Switch A the root switch connects direct...

Page 271: ...therChannel guard to detect an EtherChannel misconfiguration between the switch and a connected device A misconfiguration can occur if the switch interfaces are configured in an EtherChannel but the interfaces on the other device are not A misconfiguration can also occur if the channel parameters are not the same at both ends of the EtherChannel For EtherChannel configuration guidelines see the Et...

Page 272: ... root switch The customer s switch does not become the root switch and is not in the path to the root If the switch is operating in multiple spanning tree MST mode root guard forces the interface to be a designated port If a boundary port is blocked in an internal spanning tree IST instance because of root guard the interface also is blocked in all MST instances A boundary port is an interface tha...

Page 273: ...is blocked by loop guard in all MST instances On a boundary port loop guard blocks the interface in all MST instances Configuring Optional Spanning Tree Features These sections contain this configuration information Default Optional Spanning Tree Configuration page 13 9 Optional Spanning Tree Configuration Guidelines page 13 10 Enabling Port Fast page 13 10 optional Enabling BPDU Guard page 13 11 ...

Page 274: ...t storms and address learning problems You can enable this feature if your switch is running PVST rapid PVST or MSTP Beginning in privileged EXEC mode follow these steps to enable Port Fast This procedure is optional Command Purpose Step 1 configure terminal Enter global configuration mode Step 2 interface interface id Specify an interface to configure and enter interface configuration mode Step 3...

Page 275: ...U guard feature provides a secure response to invalid configurations because you must manually put the port back in service Use the BPDU guard feature in a service provider network to prevent an access port from participating in the spanning tree Caution Configure Port Fast only on ports that connect to end stations otherwise an accidental topology loop could cause a data packet loop and disrupt s...

Page 276: ...panning tree bpdufilter enable interface configuration command to enable BPDU filtering on any interface without also enabling the Port Fast feature This command prevents the interface from sending or receiving BPDUs Caution Enabling BPDU filtering on an interface is the same as disabling spanning tree on it and can result in spanning tree loops You can enable the BPDU filtering feature if your sw...

Page 277: ...t is not altered The changes to the switch priority and the path cost reduce the chance that a switch will become the root switch When UplinkFast is disabled the switch priorities of all VLANs and path costs of all interfaces are set to default values if you did not modify them from their defaults To return the update packet rate to the default setting use the no spanning tree uplinkfast max updat...

Page 278: ... command You can use the show interfaces status err disabled privileged EXEC command to show which switch ports are disabled because of an EtherChannel misconfiguration On the remote device you can enter the show etherchannel summary privileged EXEC command to verify the EtherChannel configuration After the configuration is corrected enter the shutdown and no shutdown interface configuration comma...

Page 279: ...u can use loop guard to prevent alternate or root ports from becoming designated ports because of a failure that leads to a unidirectional link This feature is most effective when it is configured on the entire switched network Loop guard operates only on interfaces that are considered point to point by the spanning tree Note You cannot enable both loop guard and root guard at the same time You ca...

Page 280: ...tree privileged EXEC command see the command reference for this release Step 3 spanning tree loopguard default Enable loop guard By default loop guard is disabled Step 4 end Return to privileged EXEC mode Step 5 show running config Verify your entries Step 6 copy running config startup config Optional Save your entries in the configuration file Command Purpose Table 13 2 Commands for Displaying th...

Page 281: ...administration of IP addresses DHCP also helps conserve the limited IP address space because IP addresses no longer need to be permanently assigned to hosts only those hosts that are connected to the network consume IP addresses See these sections DHCP Server page 14 2 DHCP Relay Agent page 14 2 A DHCP relay agent is a device that forwards DHCP packets between clients and servers Relay agents forw...

Page 282: ...e DHCP based autoconfiguration process the designated DHCP server uses the Cisco IOS DHCP server database It has IP addresses address bindings and configuration parameters such as the boot file An address binding is a mapping between an IP address and a MAC address of a host in the Cisco IOS DHCP server database You can manually assign the client IP address or the DHCP server can allocate an IP ad...

Page 283: ...onfigure the switch with the ip helper address address interface configuration command The general rule is to configure the command on the Layer 3 interface closest to the client The address used in the ip helper address command can be a specific DHCP server IP address or it can be the network address if other DHCP servers are on the destination network segment Using the network address enables an...

Page 284: ...he DHCP packet forwarding address The helper address can be a specific DHCP server address or it can be the network address if other DHCP servers are on the destination network segment Using the network address enables other servers to respond to DHCP requests If you have multiple servers you can configure one helper address for each server Step 5 exit Return to global configuration mode Step 6 in...

Page 285: ...figuring IGMP Snooping page 15 6 Displaying IGMP Snooping Information page 15 15 Configuring IGMP Filtering and Throttling page 15 16 Displaying IGMP Filtering and Throttling Configuration page 15 21 Note You can either manage IP multicast group addresses through features such as IGMP snooping or you can use static IP addresses Understanding IGMP Snooping Layer 2 switches can use IGMP snooping to ...

Page 286: ... snooping learned settings You can configure an IGMP snooping querier to support IGMP snooping in subnets without multicast interfaces because the multicast traffic does not need to be routed For more information about the IGMP snooping querier see the Configuring the IGMP Snooping Querier section on page 15 13 If a port spanning tree a port group or a VLAN ID change occurs the IGMP snooping learn...

Page 287: ...multicast group and it is an IGMP Version 2 client it sends an unsolicited IGMP join message specifying the IP multicast group to join Alternatively when the switch receives a general query from the router it forwards the query to all ports in the VLAN IGMP Version 1 or Version 2 hosts wanting to join the multicast group respond by sending a join message to the switch The switch CPU creates a mult...

Page 288: ...e to send frames addressed to the 224 1 2 3 multicast IP address that are not IGMP packets to the router and to the host that has joined the group If another host for example Host 4 sends an unsolicited IGMP join message for the same group Figure 15 2 the CPU receives that message and adds the port number of Host 4 to the forwarding table as shown in Table 15 2 Note that because the forwarding tab...

Page 289: ...The switch uses IGMP snooping Immediate Leave to remove from the forwarding table an interface that sends a leave message without the switch sending group specific queries to the interface The VLAN interface is pruned from the multicast tree for the multicast group specified in the original leave message Immediate Leave ensures optimal bandwidth management for all hosts on a switched network even ...

Page 290: ... are forwarded to the multicast routers For configuration steps see the Disabling IGMP Report Suppression section on page 15 15 Configuring IGMP Snooping IGMP snooping allows switches to examine IGMP packets and make forwarding decisions based on their content These sections contain this configuration information Default IGMP Snooping Configuration page 15 6 Enabling or Disabling IGMP Snooping pag...

Page 291: ... enable IGMP snooping on a VLAN interface To disable IGMP snooping on a VLAN interface use the no ip igmp snooping vlan vlan id global configuration command for the specified VLAN number IGMP snooping querier Disabled IGMP report suppression Enabled 1 TCN Topology Change Notification Table 15 3 Default IGMP Snooping Configuration continued Feature Default Setting Command Purpose Step 1 configure t...

Page 292: ...MRP packets use the ip igmp snooping vlan vlan id mrouter learn pim dvmrp global configuration command Note If you want to use CGMP as the learning method and no multicast routers in the VLAN are CGMP proxy enabled you must enter the ip cgmp router only command to dynamically access the router Beginning in privileged EXEC mode follow these steps to alter the method in which a VLAN interface dynami...

Page 293: ...statically configure a host on an interface Beginning in privileged EXEC mode follow these steps to add a Layer 2 port as a member of a multicast group Command Purpose Step 1 configure terminal Enter global configuration mode Step 2 ip igmp snooping vlan vlan id mrouter interface interface id Specify the multicast router VLAN ID and the interface to the multicast router The VLAN ID range is 1 to 1...

Page 294: ...he no ip igmp snooping vlan vlan id immediate leave global configuration command This example shows how to enable IGMP Immediate Leave on VLAN 130 Switch configure terminal Switch config ip igmp snooping vlan 130 immediate leave Switch config end Configuring the IGMP Leave Timer Follows these guidelines when configuring the IGMP leave timer You can configure the leave time globally or on a per VLA...

Page 295: ...lticast traffic is flooded after a TCN event by using the ip igmp snooping tcn flood query count global configuration command This command configures the number of general queries for which multicast data traffic is flooded after a TCN event Some examples of TCN events are when the client changed its location and the receiver is on same port that was blocked but is now forwarding and when a port w...

Page 296: ...igmp snooping tcn query solicit global configuration command Disabling Multicast Flooding During a TCN Event When the switch receives a TCN multicast traffic is flooded to all the ports until 2 general queries are received If the switch has many ports with attached hosts that are subscribed to different multicast groups this flooding might exceed the capacity of the link and cause packet loss You ...

Page 297: ...IGMP snooping querier does not generate an IGMP general query if it cannot find an available IP address on the switch The IGMP snooping querier supports IGMP Versions 1 and 2 When administratively enabled the IGMP snooping querier moves to the nonquerier state if it detects the presence of a multicast router in the network When it is administratively enabled the IGMP snooping querier moves to the ...

Page 298: ... not specify an IP address the querier tries to use the global IP address configured for the IGMP querier Note The IGMP snooping querier does not generate an IGMP general query if it cannot find an IP address on the switch Step 4 ip igmp snooping querier query interval interval count Optional Set the interval between IGMP queriers The range is 1 to 18000 seconds Step 5 ip igmp snooping querier tcn...

Page 299: ...r a VLAN configured for IGMP snooping To display IGMP snooping information use one or more of the privileged EXEC commands in Table 15 4 Command Purpose Step 1 configure terminal Enter global configuration mode Step 2 no ip igmp snooping report suppression Disable IGMP report suppression Step 3 end Return to privileged EXEC mode Step 4 show ip igmp snooping Verify that IGMP report suppression is d...

Page 300: ...an also set the maximum number of IGMP groups that a Layer 2 interface can join show ip igmp snooping groups vlan vlan id ip_address count dynamic count user count Display multicast table information for a multicast VLAN or about a specific parameter for the VLAN vlan id The VLAN ID range is 1 to 1001 and 1006 to 4094 count Display the total number of entries for the specified command options inst...

Page 301: ... interface to drop the IGMP report or to replace the randomly selected multicast entry with the received IGMP report Note IGMPv3 join and leave messages are not supported on switches running IGMP filtering These sections contain this configuration information Default IGMP Filtering and Throttling Configuration page 15 17 Configuring IGMP Profiles page 15 18 optional Applying IGMP Profiles page 15 ...

Page 302: ... to the range of IP addresses Beginning in privileged EXEC mode follow these steps to create an IGMP profile To delete a profile use the no ip igmp profile profile number global configuration command To delete an IP multicast address or range of IP multicast addresses use the no range ip multicast address IGMP profile configuration command Command Purpose Step 1 configure terminal Enter global con...

Page 303: ...ne profile applied to it Beginning in privileged EXEC mode follow these steps to apply an IGMP profile to a switch port To remove a profile from an interface use the no ip igmp filter profile number interface configuration command This example shows how to apply IGMP profile 4 to a port Switch config interface gigabitethernet0 2 Switch config if ip igmp filter 4 Switch config if end Setting the Ma...

Page 304: ...on This restriction can be applied only to Layer 2 ports You can use this command on a logical EtherChannel interface but cannot use it on ports that belong to an EtherChannel port group When the maximum group limitation is set to the default no maximum entering the ip igmp max groups action deny replace command has no effect If you configure the throttling action and set the maximum group limitat...

Page 305: ...mmands in Table 15 6 to display IGMP filtering and throttling configuration Command Purpose Step 1 configure terminal Enter global configuration mode Step 2 interface interface id Specify the physical interface to be configured and enter interface configuration mode The interface can be a Layer 2 port that does not belong to an EtherChannel group or an EtherChannel interface The interface cannot b...

Page 306: ...15 22 Catalyst 2360 Switch Software Configuration Guide OL 19808 01 Chapter 15 Configuring IGMP Snooping Displaying IGMP Filtering and Throttling Configuration ...

Page 307: ...s This chapter includes these sections Understanding MLD Snooping section on page 16 1 Configuring IPv6 MLD Snooping section on page 16 5 Displaying MLD Snooping Information section on page 16 11 Understanding MLD Snooping In IP Version 4 IPv4 Layer 2 switches can use Internet Group Management Protocol IGMP snooping to limit the flooding of multicast traffic by dynamically configuring Layer 2 inte...

Page 308: ...ort MLDv2 enhanced snooping MESS which sets up IPv6 source and destination multicast address based forwarding MLD snooping can be enabled or disabled globally or per VLAN When MLD snooping is enabled a per VLAN IPv6 multicast MAC address table is constructed in software and a per VLAN IPv6 multicast address table is constructed in software and hardware The switch then performs IPv6 multicast addre...

Page 309: ...sing From the received query MLD snooping builds the IPv6 multicast address database It detects multicast router ports maintains timers sets report response time learns the querier IP source address for the VLAN learns the querier port in the VLAN and maintains multicast address aging Note When the IPv6 multicast router is a Catalyst 6500 switch and you are using extended VLANs in the range 1006 t...

Page 310: ...thin the VLAN is forwarded using this address When MLD snooping is disabled reports are flooded in the ingress VLAN When MLD snooping is enabled MLD report suppression called listener message suppression is automatically enabled With report suppression the switch forwards the first MLDv1 report received by a group to IPv6 multicast routers subsequent reports for the group are not sent to the route...

Page 311: ... sets the VLAN to flood all IPv6 multicast traffic with a configured number of MLDv1 queries before it begins sending multicast data only to selected ports You set this value by using the ipv6 mld snooping tcn flood query count global configuration command The default is to send two queries The switch also generates MLDv1 global Done messages with valid link local IPv6 source addresses when the sw...

Page 312: ...MLD snooping is globally disabled on the switch and enabled on all VLANs When MLD snooping is globally disabled it is also disabled on all VLANs When you globally enable MLD snooping the VLAN configuration overrides the global configuration That is MLD snooping is enabled only on VLAN interfaces in the default state enabled You can enable and disable MLD snooping on a per VLAN basis or for a range...

Page 313: ...nable IPv6 MLD snooping on the VLAN on the Catalyst 6500 switch To disable MLD snooping on a VLAN interface use the no ipv6 mld snooping vlan vlan id global configuration command for the specified VLAN number Command Purpose Step 1 configure terminal Enter global configuration mode Step 2 ipv6 mld snooping Globally enable MLD snooping on the switch Step 3 end Return to privileged EXEC mode Step 4 ...

Page 314: ...queries you can also use the command line interface CLI to add a multicast router port to a VLAN To add a multicast router port add a static connection to a multicast router use the ipv6 mld snooping vlan mrouter global configuration command on the switch Note Static connections to multicast routers are supported only on switch ports Command Purpose Step 1 configure terminal Enter global configura...

Page 315: ... a VLAN use the no ipv6 mld snooping vlan vlan id immediate leave global configuration command This example shows how to enable MLD Immediate Leave on VLAN 130 Switch configure terminal Switch config ipv6 mld snooping vlan 130 immediate leave Switch config exit Command Purpose Step 1 configure terminal Enter global configuration mode Step 2 ipv6 mld snooping vlan vlan id mrouter interface interfac...

Page 316: ...he default is 2 The queries are sent 1 second apart Step 5 ipv6 mld snooping vlan vlan id last listener query count count Optional Set the last listener query count on a VLAN basis This value overrides the value configured globally The range is 1 to 7 the default is 0 When set to 0 the global count value is used Queries are sent 1 second apart Step 6 ipv6 mld snooping last listener query interval ...

Page 317: ...ly one MLD report per multicast router query When message suppression is disabled multiple MLD reports could be forwarded to the multicast routers Beginning in privileged EXEC mode follow these steps to disable MLD listener message suppression To re enable MLD message suppression use the ipv6 mld snooping listener message suppression global configuration command Displaying MLD Snooping Information...

Page 318: ...nter vlan vlan id to display information for a single VLAN The VLAN ID range is 1 to 1001 and 1006 to 4094 show ipv6 mld snooping querier vlan vlan id Display information about the IPv6 address and incoming port for the most recently received MLD query messages in the VLAN Optional Enter vlan vlan id to display information for a single VLAN The VLAN ID range is 1 to 1001 and 1006 to 4094 show ipv6...

Page 319: ...e and the Simple Network Management Protocol SNMP agent address of neighboring devices running lower layer transparent protocols This feature enables applications to send SNMP queries to neighboring devices CDP runs on all media that support Subnetwork Access Protocol SNAP Because CDP runs over the data link layer only two systems that support different network layer protocols can learn about each...

Page 320: ...Note Steps 2 through 4 are all optional and can be performed in any order Table 17 1 Default CDP Configuration Feature Default Setting CDP global state Enabled CDP interface state Enabled CDP timer packet update frequency 60 seconds CDP holdtime before discarding 180 seconds CDP Version 2 advertisements Enabled Command Purpose Step 1 configure terminal Enter global configuration mode Step 2 cdp ti...

Page 321: ...e Chapter 4 Clustering Switches and see Getting Started with Cisco Network Assistant available on Cisco com Beginning in privileged EXEC mode follow these steps to disable the CDP device discovery capability Beginning in privileged EXEC mode follow these steps to enable CDP when it has been disabled This example shows how to enable CDP if it has been disabled Switch configure terminal Switch confi...

Page 322: ...witch config if end Command Purpose Step 1 configure terminal Enter global configuration mode Step 2 interface interface id Specify the interface on which you are disabling CDP and enter interface configuration mode Step 3 no cdp enable Disable CDP on the interface Step 4 end Return to privileged EXEC mode Step 5 copy running config startup config Optional Save your entries in the configuration fi...

Page 323: ...n enter an asterisk to display all CDP neighbors or you can enter the name of the neighbor about which you want information You can also limit the display to information about the protocols enabled on the specified neighbor or information about the version of software running on the device show cdp interface interface id Display information about interfaces where CDP is enabled You can limit the d...

Page 324: ...17 6 Catalyst 2360 Switch Software Configuration Guide OL 19808 01 Chapter 17 Configuring CDP Monitoring and Maintaining CDP ...

Page 325: ...LLDP and LLDP MED This section contains this conceptual information Understanding LLDP page 18 1 Understanding LLDP MED page 18 2 Understanding LLDP The Cisco Discovery Protocol CDP is a device discovery protocol that runs over Layer 2 the data link layer on all Cisco manufactured devices routers bridges access servers and switches CDP allows network management applications to automatically discov...

Page 326: ...h as switches It specifically provides support for voice over IP VoIP applications and provides additional TLVs for capabilities discovery network policy Power over Ethernet and inventory management LLDP MED supports these TLVs LLDP MED capabilities TLV Allows LLDP MED endpoints to determine the capabilities that the connected device supports and what capabilities the device has enabled Network po...

Page 327: ...P can use to call back the emergency caller Configuring LLDP and LLDP MED This section contains this configuration information Default LLDP Configuration page 18 3 Configuring LLDP Characteristics page 18 4 Disabling and Enabling LLDP Globally page 18 5 Disabling and Enabling LLDP on an Interface page 18 5 Configuring LLDP MED TLVs page 18 6 Default LLDP Configuration Table 18 1 shows the default ...

Page 328: ...30 Switch config end For additional LLDP show commands see the Monitoring and Maintaining LLDP and LLDP MED section on page 18 7 Command Purpose Step 1 configure terminal Enter global configuration mode Step 2 lldp holdtime seconds Optional Specify the amount of time a receiving device should hold the information sent by your device before discarding it The range is 0 to 65535 seconds the default ...

Page 329: ...ported interfaces to send and to receive LLDP information Beginning in privileged EXEC mode follow these steps to disable LLDP on an interface Command Purpose Step 1 configure terminal Enter global configuration mode Step 2 no lldp run Disable LLDP Step 3 end Return to privileged EXEC mode Command Purpose Step 1 configure terminal Enter global configuration mode Step 2 lldp run Enable LLDP Step 3 ...

Page 330: ... been aged out it only sends LLDP packets again By using the lldp med tlv select interface configuration command you can configure the interface to send or not send these TLVs Command Purpose Step 1 configure terminal Enter global configuration mode Step 2 interface interface id Specify the interface on which you are enabling LLDP MED and enter interface configuration mode Step 3 lldp transmit LLD...

Page 331: ...end Return to privileged EXEC mode Step 5 copy running config startup config Optional Save your entries in the configuration file Command Purpose Step 1 configure terminal Enter global configuration mode Step 2 interface interface id Specify the interface on which you are configuring an LLDP MED TLV and enter interface configuration mode Step 3 lldp med tlv select med tlv Specify the TLV to enable...

Page 332: ...rmation about neighbors including device type interface type and number holdtime settings capabilities and port ID You can limit the display to neighbors of a specific interface or expand the display to provide more detailed information show lldp traffic Display LLDP counters including the number of packets sent and received number of packets discarded and number of unrecognized TLVs Command Descr...

Page 333: ...ariety of problems including spanning tree topology loops Modes of Operation UDLD supports two modes of operation normal the default and aggressive In normal mode UDLD can detect unidirectional links due to misconnected ports on fiber optic connections In aggressive mode UDLD can also detect unidirectional links due to one way traffic on fiber optic and twisted pair links and to misconnected ports...

Page 334: ...oss of the heart beat means that the link must be shut down if it is not possible to re establish a bidirectional link If both fiber strands in a cable are working normally from a Layer 1 perspective UDLD in aggressive mode detects whether those fiber strands are connected correctly and whether traffic is flowing bidirectionally between the correct neighbors This check cannot be performed by auton...

Page 335: ...e to resynchronize with any potentially out of sync neighbor UDLD shuts down the port if after the fast train of messages the link state is still undetermined Figure 19 1 UDLD Detection of a Unidirectional Link Configuring UDLD Default UDLD Configuration page 19 3 Configuration Guidelines page 19 4 Enabling UDLD Globally page 19 4 Enabling UDLD on an Interface page 19 5 Resetting an Interface Disa...

Page 336: ...bled Table 19 1 Default UDLD Configuration continued Feature Default Setting Command Purpose Step 1 configure terminal Enter global configuration mode Step 2 udld aggressive enable message time message timer interval Specify the UDLD mode of operation aggressive Enables UDLD in aggressive mode on all fiber optic ports enable Enables UDLD in normal mode on all fiber optic ports on the switch UDLD i...

Page 337: ...led port Step 4 show udld Verify your entries Step 5 copy running config startup config Optional Save your entries in the configuration file Command Purpose Command Purpose Step 1 configure terminal Enter global configuration mode Step 2 interface interface id Specify the port to be enabled for UDLD and enter interface configuration mode Step 3 udld port aggressive UDLD is disabled by default udld...

Page 338: ...n command re enables the disabled fiber optic port The errdisable recovery cause udld global configuration command enables the timer to automatically recover from the UDLD error disabled state and the errdisable recovery interval interval global configuration command specifies the time to recover from the UDLD error disabled state Displaying UDLD Status To display the UDLD status for the specified...

Page 339: ...source ports or VLANs You must dedicate the destination port for SPAN use Except for traffic that is required for the SPAN session destination ports do not receive or forward traffic Only traffic that enters or leaves source ports or traffic that enters or leaves source VLANs can be monitored by using SPAN traffic routed to a source VLAN cannot be monitored For example if incoming traffic is being...

Page 340: ...s or one or more VLANs and send the monitored traffic to one or more destination ports A local SPAN session is an association of a destination port with source ports or source VLANs all on a single network device Local SPAN does not have separate source and destination sessions Local SPAN sessions gather a set of ingress and egress packets specified by the user and form them into a stream of SPAN ...

Page 341: ... Protocol VTP Dynamic Trunking Protocol DTP Spanning Tree Protocol STP and Port Aggregation Protocol PAgP However when you enter the encapsulation replicate keywords when configuring a destination port these changes occur Packets are sent on the destination port with the same encapsulation untagged or IEEE 802 1Q that they had on the source port Packets of all types including BPDU and Layer 2 prot...

Page 342: ...s for that VLAN VSPAN has these characteristics All active ports in the source VLAN are included as source ports and can be monitored in either or both directions On a given port only traffic on the monitored VLAN is sent to the destination port If a destination port belongs to a source VLAN it is excluded from the source list and is not monitored If ports are added to or removed from the source V...

Page 343: ...ming traffic is disabled The port does not transmit any traffic except that required for the SPAN session Incoming traffic is never learned or forwarded on a destination port If ingress traffic forwarding is enabled for a network security device the destination port forwards traffic at Layer 2 It does not participate in any of the Layer 2 protocols STP VTP CDP DTP PagP A destination port that belo...

Page 344: ...es in the EtherChannel However if a physical port that belongs to an EtherChannel group is configured as a SPAN destination it is removed from the group After the port is removed from the SPAN session it rejoins the EtherChannel group Ports removed from an EtherChannel group remain members of the group but they are in the inactive or suspended state If a physical port that belongs to an EtherChann...

Page 345: ...ion command to delete configured SPAN parameters For local SPAN outgoing packets through the SPAN destination port carry the original encapsulation headers untagged or IEEE 802 1Q if the encapsulation replicate keywords are specified If the keywords are not specified the packets are sent in native form You can configure a disabled port to be a source or destination port but the SPAN function does ...

Page 346: ...tors both sent and received traffic both Monitor both received and sent traffic This is the default rx Monitor received traffic tx Monitor sent traffic Note You can use the monitor session session_number source command multiple times to configure multiple source ports Step 4 monitor session session_number destination interface interface id encapsulation replicate Specify the SPAN session and the d...

Page 347: ...ethernet0 2 encapsulation replicate Switch config end This example shows how to remove port 1 as a SPAN source for SPAN session 1 Switch config no monitor session 1 source interface gigabitethernet0 1 Switch config end This example shows how to disable received traffic monitoring on port 1 which was configured for bidirectional monitoring Switch config no monitor session 1 source interface gigabit...

Page 348: ...monitor session session_number destination interface interface id encapsulation replicate ingress dot1q vlan vlan id untagged vlan vlan id vlan vlan id Specify the SPAN session the destination port the packet encapsulation and the ingress VLAN and encapsulation For session_number specify the session number entered in Step 3 For interface id specify the destination port The destination interface mu...

Page 349: ...ve all SPAN sessions local to remove all local sessions or remote to remove all remote SPAN sessions Step 3 monitor session session_number source interface interface id Specify the characteristics of the source port monitored port and SPAN session For session_number the range is 1 to 66 For interface id specify the source port to monitor The interface specified must already be configured as a trun...

Page 350: ...1 Switch config no monitor session 1 Switch config monitor session 1 source interface gigabitethernet0 2 rx Switch config monitor session 1 filter vlan 1 5 9 Switch config monitor session 1 destination interface gigabitethernet0 1 Switch config end Displaying SPAN Status To display the current SPAN configuration use the show monitor user EXEC command You can also use the show running config privil...

Page 351: ... and usage information for the commands used in this chapter see the System Management Commands section in the Cisco IOS Configuration Fundamentals Command Reference Release 12 2 This chapter consists of these sections Understanding RMON page 21 1 Configuring RMON page 21 2 Displaying RMON Status page 21 6 Understanding RMON RMON is an Internet Engineering Task Force IETF standard monitoring speci...

Page 352: ...resets the alarm at another value falling threshold Alarms can be used with events the alarm triggers an event which can generate a log entry or an SNMP trap Event RMON group 9 Specifies the action to take when an event is triggered by an alarm The action can be to generate a log entry or an SNMP trap Because switches supported by this software release use hardware counters for RMON data processin...

Page 353: ...and Purpose Step 1 configure terminal Enter global configuration mode Step 2 rmon alarm number variable interval absolute delta rising threshold value event number falling threshold value event number owner string Set an alarm on a MIB object For number specify the alarm number The range is 1 to 65535 For variable specify the MIB object to monitor For interval specify the time in seconds the alarm...

Page 354: ... be triggered again Switch config rmon alarm 10 ifEntry 20 1 20 delta rising threshold 15 1 falling threshold 0 owner jjohnson The following example creates RMON event number 1 by using the rmon event command The event is defined as High ifOutErrors and generates a log entry when the event is triggered by the alarm The user jjones owns the row that is created in the event table by this command Thi...

Page 355: ...ion history index buckets bucket number interval seconds owner ownername Enable history collection for the specified number of buckets and time period For index identify the RMON group of statistics The range is 1 to 65535 Optional For buckets bucket number specify the maximum number of buckets desired for the RMON collection history group of statistics The range is 1 to 65535 The default is 50 bu...

Page 356: ...erence Release 12 2 Step 3 rmon collection stats index owner ownername Enable RMON statistic collection on the interface For index specify the RMON group of statistics The range is from 1 to 65535 Optional For owner ownername enter the name of the owner of the RMON group of statistics Step 4 end Return to privileged EXEC mode Step 5 show running config Verify your entries Step 6 show rmon statisti...

Page 357: ... and debug privileged EXEC commands to a logging process The logging process controls the distribution of logging messages to various destinations such as the logging buffer terminal lines or a UNIX syslog server depending on your configuration The process also sends messages to the console Note The syslog format is compatible with 4 3 BSD UNIX When the logging process is disabled messages are sen...

Page 358: ... page 22 4 optional Setting the Message Display Destination Device page 22 5 optional Synchronizing Log Messages page 22 6 optional Enabling and Disabling Time Stamps on Log Messages page 22 7 optional Enabling and Disabling Sequence Numbers in Log Messages page 22 8 optional Defining the Message Severity Level page 22 8 optional Limiting Syslog Messages Sent to the History Table and to SNMP page ...

Page 359: ... sequence number only if the service sequence numbers global configuration command is configured For more information see the Enabling and Disabling Sequence Numbers in Log Messages section on page 22 8 timestamp formats mm dd hh mm ss or hh mm ss short uptime or d h long uptime Date and time of the message or event This information appears only if the service timestamps log datetime log global co...

Page 360: ...mand output The logging synchronous global configuration command also affects the display of messages to the console When this command is enabled messages appear only after you press Return For more information see the Synchronizing Log Messages section on page 22 6 To re enable message logging after it has been disabled use the logging on global configuration command Time stamps Disabled Synchron...

Page 361: ...y the name or IP address of the host to be used as the syslog server To build a list of syslog servers that receive logging messages enter this command more than once For complete syslog server configuration steps see the Configuring UNIX Syslog Servers section on page 22 12 Step 4 logging file flash filename max file size min file size severity level number type Store log messages in a file in fl...

Page 362: ...g of unsolicited messages and debug command output is enabled unsolicited device output appears on the console or printed after solicited device output appears or is printed Unsolicited messages and debug command output appears on the console after the prompt for user input is returned Therefore unsolicited messages and debug command output are not interspersed with solicited device output and pro...

Page 363: ...is value are printed asynchronously Low numbers mean greater severity and high numbers mean lesser severity The default is 2 Optional Specifying level all means that all messages are printed asynchronously regardless of the severity level Optional For limit number of buffers specify the number of buffers to be queued for the terminal after which new messages are dropped The range is 0 to 214748364...

Page 364: ...umbers enabled 000019 SYS 5 CONFIG_I Configured from console by vty2 10 34 195 36 Switch 2 Defining the Message Severity Level You can limit messages displayed to the selected device by specifying the severity level of the message which are described in Table 22 3 Beginning in privileged EXEC mode follow these steps to define the message severity level This procedure is optional Command Purpose St...

Page 365: ...om the debug commands displayed at the debugging level Debug commands are typically used only by the Technical Assistance Center Interface up or down transitions and system restart messages displayed at the notifications level This message is only for information switch functionality is not affected Step 4 logging trap level Limit messages logged to the syslog servers By default syslog servers rec...

Page 366: ...e new message entry to be stored To return the logging of syslog messages to the default level use the no logging history global configuration command To return the number of messages in the history table to the default value use the no logging history size global configuration command Enabling the Configuration Change Logger You can enable a configuration logger to keep track of configuration cha...

Page 367: ...itch config archive log config Switch config archive log cfg logging enable Switch config archive log cfg logging size 500 Switch config archive log cfg end This is an example of output for the configuration log Switch show archive log config all idx sess user line Logged command 38 11 unknown user vty3 no aaa authorization config commands 39 12 unknown user vty3 no aaa authorization network defau...

Page 368: ...rmation on the facilities The debug keyword specifies the syslog level see Table 22 3 on page 22 9 for information on the severity levels The syslog daemon sends messages at this level or at a more severe level to the file specified in the next field The file must already exist and the syslog daemon must have permission to write to it Step 2 Create the log file by entering these commands at the UN...

Page 369: ...ay see the Cisco IOS Configuration Fundamentals Command Reference Release 12 2 Step 3 logging trap level Limit messages logged to the syslog servers Be default syslog servers receive informational messages and lower See Table 22 3 on page 22 9 for level keywords Step 4 logging facility facility type Configure the syslog facility See Table 22 4 on page 22 13 for facility type keywords The default i...

Page 370: ...22 14 Catalyst 2360 Switch Software Configuration Guide OL 19808 01 Chapter 22 Configuring System Message Logging Displaying the Logging Configuration ...

Page 371: ...agement system NMS such as CiscoWorks The agent and MIB reside on the switch To configure SNMP on the switch you define the relationship between the manager and the agent The SNMP agent contains MIB variables whose values the SNMP manager can request or change A manager can get a value from an agent or store a value into the agent The agent gathers data from the MIB the repository for information ...

Page 372: ...t Authentication determining that the message is from a valid source Encryption mixing the contents of a package to prevent it from being read by an unauthorized source Note To select encryption enter the priv keyword This keyword is available only when the cryptographic encrypted software image is installed Both SNMPv1 and SNMPv2C use a community based form of security The community of managers a...

Page 373: ...3 authNoPriv MD5 or SHA No Provides authentication based on the HMAC MD5 or HMAC SHA algorithms SNMPv3 authPriv requires the cryptographic software image MD5 or SHA DES Provides authentication based on the HMAC MD5 or HMAC SHA algorithms Provides DES 56 bit encryption in addition to authentication based on the CBC DES DES 56 standard Table 23 2 SNMP Operations Operation Description get request Ret...

Page 374: ...mmunity string definitions on the switch A community string can have one of these attributes Read only RO Gives read access to authorized management stations to all objects in the MIB except the community strings but does not allow write access Read write RW Gives read and write access to authorized management stations to all objects in the MIB but does not allow access to the community strings Wh...

Page 375: ...rms Note SNMPv1 does not support informs Traps are unreliable because the receiver does not send an acknowledgment when it receives a trap and the sender cannot determine if the trap was received When an SNMP manager receives an inform request it acknowledges the message with an SNMP response protocol data unit PDU If the sender does not receive a response the inform request can be sent again Beca...

Page 376: ...x value to an interface Note The switch might not use sequential values within a range Configuring SNMP These sections contain this configuration information Default SNMP Configuration page 23 7 SNMP Configuration Guidelines page 23 7 Disabling the SNMP Agent page 23 8 Configuring Community Strings page 23 8 Configuring SNMP Groups and Users page 23 10 Configuring SNMP Notifications page 23 12 Set...

Page 377: ...obal configuration with the remote option The remote agent s SNMP engine ID and user password are used to compute the authentication and privacy digests If you do not configure the remote engine ID first the configuration command fails When configuring SNMP informs you need to configure the SNMP engine ID for the remote agent in the SNMP database before you can send proxy requests or informs to it...

Page 378: ...ng Community Strings You use the SNMP community string to define the relationship between the SNMP manager and the agent The community string acts like a password to permit access to the agent on the switch Optionally you can specify one or more of these characteristics associated with the string An access list of IP addresses of the SNMP managers that are permitted to use the community string to ...

Page 379: ...d write rw if you want authorized management stations to retrieve and modify MIB objects By default the community string permits read only access to all objects Optional For access list number enter an IP standard access list numbered from 1 to 99 and 1300 to 1999 Step 3 access list access list number deny permit source source wildcard Optional If you specified an IP standard access list number in...

Page 380: ...rs to the SNMP group Beginning in privileged EXEC mode follow these steps to configure SNMP on the switch Command Purpose Step 1 configure terminal Enter global configuration mode Step 2 snmp server engineID local engineid string remote ip address udp port port number engineid string Configure a name for either the local or remote copy of SNMP The engineid string is a 24 character ID string with t...

Page 381: ...entication noauth Enables the noAuthNoPriv security level This is the default if no keyword is specified priv Enables Data Encryption Standard DES packet encryption also called privacy Note The priv keyword is available only when the cryptographic software image is installed Optional Enter read readview with a string not to exceed 64 characters that is the name of the view in which you can only vi...

Page 382: ...SNMP group The username is the name of the user on the host that connects to the agent The groupname is the name of the group to which the user is associated Enter remote to specify a remote SNMP entity to which the user belongs and the hostname or IP address of that entity with the optional UDP port number The default is 162 Enter the SNMP version number v1 v2c or v3 If you enter v3 you have thes...

Page 383: ... entity Generates a trap for SNMP entity changes envmon Generates environmental monitor traps You can enable any or all of these environmental traps fan shutdown status supply temperature flash Generates SNMP FLASH notifications fru ctrl Generates entity field replaceable unit FRU control traps rtr Generates a trap for the SNMP Response Time Reporter RTR snmp Generates a trap for SNMP type notific...

Page 384: ...yword is available only when the cryptographic software image is installed For community string when version 1 or version 2c is specified enter the password like community string sent with the notification operation When version 3 is specified enter the SNMPv3 username Note The symbol is used for delimiting the context information Avoid using the symbol as part of the SNMP community string when co...

Page 385: ...escriptions can be accessed through the configuration file Limiting TFTP Servers Used Through SNMP Beginning in privileged EXEC mode follow these steps to limit the TFTP servers used for saving and loading configuration files through SNMP to the servers specified in an access list Step 11 show running config Verify your entries Step 12 copy running config startup config Optional Save your entries ...

Page 386: ...cisco com using the community string public Switch config snmp server community comaccess ro 4 Switch config snmp server enable traps snmp authentication Switch config snmp server host cisco com version 2c public This example shows how to send Entity MIB traps to the host cisco com The community string is restricted The first line enables the switch to send Entity MIB traps in addition to any trap...

Page 387: ... config snmp server host 192 180 1 27 informs version 3 auth authuser config Switch config snmp server enable traps Switch config snmp server inform retries 0 Displaying SNMP Status To display SNMP input and output statistics including the number of illegal community string entries errors and requested variables use the show snmp privileged EXEC command You also can use the other privileged EXEC c...

Page 388: ...23 18 Catalyst 2360 Switch Software Configuration Guide OL 19808 01 Chapter 23 Configuring SNMP Displaying SNMP Status ...

Page 389: ...e switch compares the fields in the packet against any applied ACLs to verify that the packet has the required permissions to be forwarded based on the criteria specified in the access lists One by one it tests packets against the conditions in an access list The first match decides whether the switch accepts or rejects the packets Because the switch stops testing after the first match the order o...

Page 390: ...ote In the first and second ACEs in the examples the eq keyword after the destination address means to test for the TCP destination port well known numbers equaling Simple Mail Transfer Protocol SMTP and Telnet respectively Packet A is a TCP packet from host 10 2 2 2 port 65000 going to host 10 1 1 1 on the SMTP port If this packet is fragmented the first fragment matches the first ACE a permit as...

Page 391: ...tep 2 Apply the ACL to the management VLAN You can also apply standard and extended IP ACLs to VLAN maps These sections contain this configuration information Creating Standard and Extended IPv4 ACLs page 24 3 Applying an IPv4 ACL to a Terminal Line page 24 12 Applying an IPv4 ACL to a Management VLAN page 24 13 IPv4 ACL Configuration Examples page 24 14 Creating Standard and Extended IPv4 ACLs Th...

Page 392: ... by using the supported numbers That is the name of a standard IP ACL can be 1 to 99 the name of an extended IP ACL can be 100 to 199 The advantage of using named ACLs instead of numbered lists is that you can delete individual entries from a named list Table 24 1 Access List Numbers Access List Number Type Supported 1 99 IP standard access list Yes 100 199 IP extended access list Yes 200 299 Prot...

Page 393: ...how access lists Standard IP access list 2 10 deny 171 69 198 102 20 permit any Command Purpose Step 1 configure terminal Enter global configuration mode Step 2 access list access list number deny permit source source wildcard Define a standard IPv4 access list by using a source address and wildcard The access list number is a decimal number from 1 to 99 or 1300 to 1999 Enter deny or permit to spe...

Page 394: ...red list Some protocols also have specific parameters and keywords that apply to that protocol These IP protocols are supported protocol keywords are in parentheses in bold Authentication Header Protocol ahp Enhanced Interior Gateway Routing Protocol eigrp Encapsulation Security Payload esp generic routing encapsulation gre Internet Control Message Protocol icmp Internet Group Management Protocol ...

Page 395: ... or remove access list entries from a numbered access list Command Purpose Step 1 configure terminal Enter global configuration mode Step 2 access list access list number deny permit remark source source wildcard any host destination destination wildcard log Define an extended IPv4 access list and the access conditions The access list number is a decimal number from 100 to 199 or 2000 to 2699 Ente...

Page 396: ... number You can use named ACLs to configure more IPv4 access lists than if you were to use numbered access lists If you identify your access list with a name rather than a number the mode and command syntax are slightly different However not all commands that use IP access lists accept a named access list Note The name you give to a standard or extended ACL can also be a number in the supported ra...

Page 397: ...upported Step 4 end Return to privileged EXEC mode Step 5 show access lists number name Show the access list configuration Step 6 copy running config startup config Optional Save your entries in the configuration file Command Purpose Command Purpose Step 1 configure terminal Enter global configuration mode Step 2 ip access list extended name Define an extended IPv4 access list using a name and ent...

Page 398: ...ified time period or on specified days of the week The time range keyword and argument are referenced in the named and numbered extended ACL task tables in the previous sections the Creating Standard and Extended IPv4 ACLs section on page 24 3 and the Creating Named Standard and Extended ACLs section on page 24 8 Using time ranges allows you more control over permitting or denying a user access to...

Page 399: ... TCP traffic during work hours Switch config access list 188 deny tcp any any time range new_year_day_2006 Switch config access list 188 permit tcp any any time range workhours Switch config end Switch show access lists Extended IP access list 188 10 deny tcp any any time range new_year_day_2006 inactive 20 permit tcp any any time range workhours inactive This example uses named ACLs to permit and...

Page 400: ...global configuration command To remove the remark use the no form of this command In this example the workstation that belongs to Jones is allowed access and the workstation that belongs to Smith is not allowed access Switch config access list 1 remark Permit only Jones workstation through Switch config access list 1 permit 171 69 2 88 Switch config access list 1 remark Do not allow Smith through ...

Page 401: ...ine console vty line number Identify a specific line to configure and enter in line configuration mode console Specify the console terminal line The console port is DCE vty Specify a virtual terminal for remote console access The line number is the first line number in a contiguous group that you want to configure when the line type is specified The range is from 0 to 16 Step 3 access class access...

Page 402: ...an extended ACL to deny to a port traffic coming from port 80 HTTP It permits all other types of traffic Switch config access list 106 deny tcp any any eq 80 Switch config access list 106 permit ip any any Switch config end Switch config interface vlan 1 Switch config if ip access group 106 in Numbered ACLs This ACL accepts addresses on network 36 0 0 0 subnets and denies all packets coming from 5...

Page 403: ... p m 18 00 The example allows UDP traffic only on Saturday and Sunday from noon to 8 00 p m 20 00 Switch config time range no http Switch config periodic weekdays 8 00 to 18 00 Switch config time range udp yes Switch config periodic weekend 12 00 to 20 00 Switch config ip access list extended strict Switch config ext nacl deny tcp any any eq www time range no http Switch config ext nacl permit udp...

Page 404: ...he ip access group interface configuration command to apply ACLs you can display the access groups applied on the management VLAN You can use the privileged EXEC commands as described in Table 24 2 to display this information Table 24 2 Commands for Displaying Access Lists and Access Groups Command Purpose show access lists number name Display the contents of one or all current IP and MAC address ...

Page 405: ...c types across the stack Note For complete syntax and usage information for the commands used in this chapter see the command reference this release This chapter consists of these sections Understanding QoS page 25 1 Configuring QoS page 25 3 Displaying QoS Information page 25 8 Understanding QoS Typically networks operate on a best effort delivery basis which means that all traffic has equal prio...

Page 406: ... QoS features offered by your internetworking devices the traffic types and patterns in your network and the granularity of control that you need over incoming and outgoing traffic Basic QoS Model To implement QoS the switch must distinguish packets or flow from one another classify assign a label to indicate the given quality of service as the packets move through the switch make the packets comp...

Page 407: ... port trust state on all ports is untrusted The default egress queue settings are described in the Default Egress Queue Configuration section on page 25 3 Default Egress Queue Configuration Table 25 1 shows the default egress queue configuration for each queue set when QoS is enabled All ports are mapped to queue set 1 The port bandwidth limit is set to 100 percent and rate unlimited Table 25 2 sh...

Page 408: ...ic is at a minimum Enabling QoS Globally By default QoS is disabled on the switch Beginning in privileged EXEC mode follow these steps to enable QoS This procedure is required To disable QoS use the no mls qos global configuration command Configuring Classification Using Port Trust States These sections describe how to classify incoming traffic by using port trust states Depending on your network ...

Page 409: ...Figure 25 1 Port Trusted States within the QoS Domain Beginning in privileged EXEC mode follow these steps to configure the port to trust the classification of the traffic that it receives 101236 Trunk Trusted interface Traffic classification performed here Trusted boundary IP P1 P3 Command Purpose Step 1 configure terminal Enter global configuration mode Step 2 interface interface id Specify the ...

Page 410: ...2 interface interface id Specify the port to be configured and enter interface configuration mode Valid interfaces include physical ports Step 3 mls qos cos default cos override Configure the default CoS value for the port For default cos specify a default CoS value to be assigned to a port If the packet is untagged the default CoS value becomes the packet CoS value The CoS range is 0 to 7 The def...

Page 411: ...d CoS setting By contrast trusted boundary uses CDP to detect the presence of other devices on a switch port If the device is not detected the trusted boundary feature disables the trusted setting on the switch port and prevents misuse of a high priority queue In some situations you can prevent a PC connected to the device from taking advantage of a high priority data queue You can use the switchp...

Page 412: ...l Enter global configuration mode Step 2 mls qos Enable QoS on a switch Step 3 interface interface id Specify the egress port and enter interface configuration mode Step 4 priority queue out Enable the egress expedite queue which is disabled by default Step 5 end Return to privileged EXEC mode Step 6 show running config Verify your entries Step 7 copy running config startup config Optional Save yo...

Page 413: ...nel redirects traffic from the failed link to the remaining links in the channel without intervention This chapter also describes how to configure link state tracking Note For complete syntax and usage information for the commands used in this chapter see the command reference for this release This chapter consists of these sections Understanding EtherChannels page 26 1 Configuring EtherChannels p...

Page 414: ...e an EtherChannel in one of these modes Port Aggregation Protocol PAgP Link Aggregation Control Protocol LACP or On Configure both ends of the EtherChannel in the same mode When you configure one end of an EtherChannel in either PAgP or LACP mode the system negotiates with the other end of the channel to determine which ports should become active If the remote port cannot negotiate an EtherChannel...

Page 415: ...hat failed link moves to the remaining links within the EtherChannel If traps are enabled on the switch a trap is sent for a failure that identifies the switch the EtherChannel and the failed link Inbound broadcast and multicast packets on one link in an EtherChannel are blocked from returning on any other link of the EtherChannel Figure 26 2 Single Switch EtherChannel Switch 1 Switch stack Switch...

Page 416: ... dynamically creates a new port channel For Layer 2 ports the channel group command binds the physical port and the logical interface together as shown in Figure 26 3 Each EtherChannel has a port channel logical interface numbered from 1 to 48 This port channel interface number corresponds to the one specified with the channel group interface configuration command Figure 26 3 Relationship of Physi...

Page 417: ...te with partner ports to form an EtherChannel based on criteria such as port speed and for Layer 2 EtherChannels trunking state and VLAN numbers Ports can form an EtherChannel when they are in different PAgP modes as long as the modes are compatible For example A port in the desirable mode can form an EtherChannel with another port that is in the desirable or auto mode A port in the auto mode can ...

Page 418: ... state PAgP Interaction with Other Features The Dynamic Trunking Protocol DTP and the Cisco Discovery Protocol CDP send and receive packets over the physical ports in the EtherChannel Trunk ports send and receive PAgP protocol data units PDUs on the lowest numbered VLAN In Layer 2 EtherChannels the first port in the channel that comes up provides its MAC address to the EtherChannel If this port is...

Page 419: ... the channel that comes up provides its MAC address to the EtherChannel If this port is removed from the bundle one of the remaining ports in the bundle provides its MAC address to the EtherChannel LACP sends and receives LACP PDUs only from ports that are up and have LACP enabled for the active or passive mode EtherChannel On Mode EtherChannel on mode can be used to manually configure an EtherCha...

Page 420: ...bution can be used if it is not clear whether source MAC or destination MAC address forwarding is better suited on a particular switch With source and destination MAC address forwarding packets sent from host A to host B host A to host C and host C to host B could all use different ports in the channel With source IP address based forwarding when packets are forwarded to an EtherChannel they are d...

Page 421: ...to a single MAC address using the destination MAC address always chooses the same link in the channel Using source addresses or IP addresses might result in better load balancing Figure 26 4 Load Distribution and Forwarding Methods Configuring EtherChannels These sections contain this configuration information Default EtherChannel Configuration page 26 10 EtherChannel Configuration Guidelines page...

Page 422: ...s on the switch Configure a PAgP EtherChannel with up to eight Ethernet ports of the same type Configure a LACP EtherChannel with up to16 Ethernet ports of the same type Up to eight ports can be active and up to eight ports can be in standby mode Configure all ports in an EtherChannel to operate at the same speeds and duplex modes Enable all ports in an EtherChannel A port in an EtherChannel that ...

Page 423: ...fy that the trunking mode IEEE 802 1Q is the same on all the trunks Inconsistent trunk modes on EtherChannel ports can have unexpected results An EtherChannel supports the same allowed range of VLANs on all the ports in a trunking Layer 2 EtherChannel If the allowed range of VLANs is not the same the ports do not form an EtherChannel even when PAgP is set to the auto or desirable mode Ports with d...

Page 424: ...ding PAgP packets on Forces the port to channel without PAgP or LACP In the on mode an EtherChannel exists only when a port group in the on mode is connected to another port group in the on mode non silent Optional If your switch is connected to a partner that is PAgP capable configure the switch port for nonsilent operation when the port is in the auto or desirable mode If you do not specify non ...

Page 425: ... configure EtherChannel load balancing by using source based or destination based forwarding methods For more information see the Load Balancing and Forwarding Methods section on page 26 8 Beginning in privileged EXEC mode follow these steps to configure EtherChannel load balancing This procedure is optional Command Purpose Step 1 configure terminal Enter global configuration mode Step 2 port chan...

Page 426: ...n the group can be swapped into operation in just a few seconds if the selected single port loses hardware signal detection You can configure which port is always selected for packet transmission by changing its priority with the pagp port priority interface configuration command The higher the priority the more likely that the port will be selected Note The switch supports address learning only o...

Page 427: ...nts in priority order LACP system priority System ID the switch MAC address LACP port priority Port number Step 3 pagp learn method physical port Select the PAgP learning method By default aggregation port learning is selected which means the switch sends packets to the source by using any of the ports in the EtherChannel With aggregate port learning it is not important on which physical port the ...

Page 428: ...channel By changing this value from the default you can affect how the software selects active and standby links You can use the show etherchannel summary privileged EXEC command to see which ports are in the hot standby mode denoted with an H port state flag Beginning in privileged EXEC mode follow these steps to configure the LACP system priority This procedure is optional To return the LACP sys...

Page 429: ...p port priority priority Configure the LACP port priority For priority the range is 1 to 65535 The default is 32768 The lower the value the more likely that the port will be used for LACP transmission Step 4 end Return to privileged EXEC mode Step 5 show running config or show lacp channel group number internal Verify your entries Step 6 copy running config startup config Optional Save your entrie...

Page 430: ...vides redundancy in the network when used with server network interface card NIC adapter teaming When the server network adapters are configured in a primary or secondary relationship known as teaming and the link is lost on the primary interface connectivity transparently changes to the secondary interface Figure 26 5 on page 26 19 shows a network configured with link state tracking To enable lin...

Page 431: ...des primary links to server 1 and server 2 through link state group 1 Port 1 is connected to server 1 and port 2 is connected to server 2 Port 1 and port 2 are the downstream interfaces in link state group 1 Port 5 and port 6 are connected to distribution switch 1 through link state group 1 Port 5 and port 6 are the upstream interfaces in link state group 1 141680 Network Layer 3 link Server 1 Ser...

Page 432: ...e connectivity because the distribution switch or router fails the cables are disconnected or the link is lost These are the interactions between the downstream and upstream interfaces when link state tracking is enabled If any of the upstream interfaces are in the link up state the downstream interfaces can change to or remain in the link up state If all of the upstream interfaces become unavaila...

Page 433: ...ou can configure only two link state groups per switch Configuring Link State Tracking Beginning in privileged EXEC mode follow these steps to configure a link state group and to assign an interface to a group Command Purpose Step 1 configure terminal Enter global configuration mode Step 2 link state track number Create a link state group and enable link state tracking The group number can be 1 to...

Page 434: ...uration command Displaying Link State Tracking Status Use the show link state group command to display the link state group information Enter this command without keywords to display information about all link state groups Enter the group number to display information specific to the group Enter the detail keyword to display detailed information about the group This is an example of output from th...

Page 435: ...y quality of service QoS and globally unique addresses The IPv6 address space reduces the need for private addresses and Network Address Translation NAT processing by border routers at network edges For information about how Cisco Systems implements IPv6 go to this URL http www cisco com en US products ps6553 products_ios_technology_home html For information about IPv6 and other features in this c...

Page 436: ...ddressing and Basic Connectivity chapter of Cisco IOS IPv6 Configuration Library on Cisco com In the Information About Implementing Basic Connectivity for IPv6 chapter these sections apply to the switch IPv6 Address Formats IPv6 Address Output Display Simplified IPv6 Packet Header Supported IPv6 Host Features These sections describe the IPv6 protocol features supported by the switch 128 Bit Wide U...

Page 437: ...t addresses in the Implementing IPv6 Addressing and Basic Connectivity chapter in the Cisco IOS IPv6 Configuration Library on Cisco com DNS for IPv6 IPv6 supports Domain Name System DNS record types in the DNS name to address and address to name lookup processes The DNS AAAA resource record types support IPv6 addresses and are equivalent to an A address record in IPv4 The switch supports DNS resol...

Page 438: ... and Syslog Over IPv6 To support both IPv4 and IPv6 IPv6 network management requires both IPv6 and IPv4 transports Syslog over IPv6 supports address data types for these transports SNMP and syslog over IPv6 provide these features Support for both IPv4 and IPv6 IPv6 transport for SNMP and to modify the SNMP agent to support traps for an IPv6 host SNMP and syslog related MIBs to support IPv6 address...

Page 439: ...r processing network layer interactions Basic network connectivity ping must exist between the client and the server hosts before HTTP connections can be made For more information see the Managing Cisco IOS Applications over IPv6 chapter in the Cisco IOS IPv6 Configuration Library on Cisco com For more information about IPv4 and IPv6 protocol stacks see the Implementing IPv6 Addressing and Basic C...

Page 440: ...onfiguring IPv6 see the Implementing Addressing and Basic Connectivity for IPv6 chapter in the Cisco IOS IPv6 Configuration Library on Cisco com Beginning in privileged EXEC mode follow these steps to assign an IPv6 address to an interface and enable IPv6 forwarding Command Purpose Step 1 configure terminal Enter global configuration mode Step 2 interface interface id Enter interface configuration...

Page 441: ... 20B 46FF FE2F D940 subnet is 2001 0DB8 c18 1 64 EUI Joined group address es FF02 1 FF02 2 FF02 1 FF2F D940 MTU is 1500 bytes ICMP error messages limited to one every 100 milliseconds ICMP redirects are enabled ND DAD is enabled number of DAD attempts 1 ND reachable time is 30000 milliseconds ND advertised reachable time is 0 milliseconds ND advertised retransmit interval is 0 milliseconds ND rout...

Page 442: ...limiting parameters To return to the default configuration use the no ipv6 icmp error interval global configuration command This example shows how to configure an IPv6 ICMP error message interval of 50 milliseconds and a bucket size of 20 tokens Switch config ipv6 icmp error interval 50 20 Displaying IPv6 For complete syntax and usage information on these commands see the Cisco IOS command referen...

Page 443: ...w ipv6 static Display IPv6 static routes show ipv6 traffic Display IPv6 traffic statistics Table 27 3 Commands for Displaying IPv4 and IPv6 Address Types Command Purpose show ip http server history Display the previous 20 connections to the HTTP server including the IP address accessed and the time when the connection was closed show ip http server connection Display the current connections to the...

Page 444: ...27 10 Catalyst 2360 Switch Software Configuration Guide OL 19808 01 Chapter 27 Configuring IPv6 Unicast Hosts Displaying IPv6 ...

Page 445: ...mand Summary Release 12 2 This chapter consists of these sections Recovering from a Software Failure page 28 2 Recovering from a Lost or Forgotten Password page 28 3 Recovering from a Command Switch Failure page 28 8 Recovering from Lost Cluster Member Connectivity page 28 11 Note Recovery procedures require that you have physical access to the switch Preventing Autonegotiation Mismatches page 28 ...

Page 446: ...teps 1 Display the contents of the tar file by using the tar tvf image_filename tar UNIX command switch tar tvf image_filename tar 2 Locate the bin file and extract it by using the tar xvf image_filename tar image_filename bin UNIX command switch tar xvf image_filename tar image_filename bin x c2360 universalk9 tar 122 53 EY bin 3970586 bytes 7756 tape blocks 3 Verify that the bin file was extract...

Page 447: ...te the flash image_filename bin file from the switch Recovering from a Lost or Forgotten Password The default configuration for the switch allows an end user with physical access to the switch to recover from a lost password by interrupting the boot process during power on and by entering a new password These recovery procedures require that you have physical access to the switch Note On these swi...

Page 448: ...eral lines of information about the software appear with instructions informing you if the password recovery procedure has been disabled or not If you see a message that begins with this The system has been interrupted prior to initializing the flash file system The following commands will initialize the flash file system proceed to the Procedure with Password Recovery Enabled section on page 28 4...

Page 449: ...t up the system switch boot You are prompted to start the setup program Enter N at the prompt Continue with the configuration dialog yes no N Step 7 At the switch prompt enter privileged EXEC mode Switch enable Step 8 Rename the configuration file to its original name Switch rename flash config text old flash config text Step 9 Copy the configuration file into memory Switch copy flash config text ...

Page 450: ...r prompt through the password recovery mechanism is disallowed at this point However if you agree to let the system be reset back to the default system configuration access to the boot loader prompt can still be allowed Would you like to reset the system back to the default configuration y n Caution Returning the switch to the default configuration results in the loss of all existing configuration...

Page 451: ...an be from 1 to 25 alphanumeric characters can start with a number is case sensitive and allows spaces but ignores leading spaces Step 8 Return to privileged EXEC mode Switch config exit Switch Step 9 Write the running configuration to the startup configuration file Switch copy running config startup config The new password is now in the startup configuration Note This procedure is likely to leave...

Page 452: ...28 8 Replacing a Failed Command Switch with Another Switch page 28 10 These recovery procedures require that you have physical access to the switch For information on command capable switches see the release notes Replacing a Failed Command Switch with a Cluster Member To replace a failed command switch with a command capable member in the same cluster follow these steps Step 1 Disconnect the comm...

Page 453: ...rn to start the setup program Step 11 Respond to the questions in the setup program When prompted for the hostname recall that on a command switch the hostname is limited to 28 characters on a member switch to 31 characters Do not use n where n is a number as the last characters in a hostname for any switch When prompted for the Telnet virtual terminal password recall that it can be from 1 to 25 a...

Page 454: ...privileged EXEC mode enter setup and press Return Switch setup System Configuration Dialog Continue with configuration dialog yes no y At any point you may enter a question mark for help Use ctrl c to abort configuration dialog at any prompt Default settings are in square brackets Basic management setup configures only enough connectivity for management of the system extended setup will ask you to...

Page 455: ... XL Catalyst 2820 and Catalyst 1900 switch cannot connect to the command switch through a port that is defined as a network port Catalyst 3500 XL Catalyst 2900 XL Catalyst 2820 and Catalyst 1900 member switches must connect to the command switch through a port that belongs to the same management VLAN A member switch Catalyst 3750 E Catalyst 3750 Catalyst 3560 E Catalyst 3560 Catalyst 3550 Catalyst...

Page 456: ...tus and enter a time interval for recovering from the error disabled state After the elapsed interval the switch brings the interface out of the error disabled state and retries the operation For more information about the errdisable recovery command see the command reference for this release If the module is identified as a Cisco SFP module but the system is unable to read vendor data information...

Page 457: ...ost message is returned Destination unreachable If the default gateway cannot reach the specified network a destination unreachable message is returned Network or host unreachable If there is no entry in the route table for the host or network a network or host unreachable message is returned Executing Ping Beginning in privileged EXEC mode use this command to ping another device on the network fr...

Page 458: ...tinues to send Layer 2 trace queries and lets them time out The switch can only identify the path from the source device to the destination device It cannot identify the path that a packet takes from source host to the source device or from the destination device to the destination host Usage Guidelines These are the Layer 2 traceroute usage guidelines Cisco Discovery Protocol CDP must be enabled ...

Page 459: ... when the specified source and destination IP addresses belong to the same subnet When you specify the IP addresses the switch uses the Address Resolution Protocol ARP to associate the IP addresses with the corresponding MAC addresses and the VLAN IDs If an ARP entry exists for the specified IP address the switch uses the associated MAC address and identifies the physical path If an ARP entry does...

Page 460: ...he address of the first hop by examining the source address field of the ICMP time to live exceeded message To identify the next hop traceroute sends a UDP packet with a TTL value of 2 The first router decrements the TTL field by 1 and sends the datagram to the next router The second router sees a TTL value of 1 discards the datagram and returns the time to live exceeded message to the source This...

Page 461: ... page 28 18 Enabling All System Diagnostics page 28 18 Redirecting Debug and Error Message Output page 28 18 Caution Because debugging output is assigned high priority in the CPU process it can render the system unusable For this reason use debug commands only to troubleshoot specific problems or during troubleshooting sessions with Cisco technical support staff It is best to use debug commands du...

Page 462: ...nter the undebug form of the command Switch undebug span session To display the state of each debugging option enter this command in privileged EXEC mode Switch show debugging Enabling All System Diagnostics Beginning in privileged EXEC mode enter this command to enable all system diagnostics Switch debug all Caution Because debugging output takes priority over other network traffic and because th...

Page 463: ... information for the show platform forward command see the switch command reference for this release Most of the information in the output from the command is useful mainly for technical support personnel who have access to detailed information about the switch application specific integrated circuits ASICs However packet forwarding information can also be helpful in troubleshooting This is an exa...

Page 464: ... MAC address in VLAN 5 and the destination IP address unknown Because there is no default route set the packet should be dropped Switch show platform forward gigabitethernet0 1 vlan 5 1 1 1 03 e319 ee44 ip 13 1 1 1 13 2 2 2 udp 10 20 Global Port Number 24 Asic Number 5 Src Real Vlan Id 5 Mapped Vlan Id 5 Ingress Lookup Key Used Index Hit A Data L3Local 00_00000000_00000000 90_00001400_0D020202 010...

Page 465: ...hinfo_n where n is a sequence number Each new crashinfo file that is created uses a sequence number that is larger than any previously existing sequence number so the file with the largest sequence number describes the most recent failure Version numbers are used instead of a timestamp because the switches do not include a real time clock You cannot change the name of the file that the system will...

Page 466: ...uggable SFP modules The switch stores this information in the flash memory CLI commands Record of the OBFL CLI commands that are entered on a standalone switch or a switch stack member Environment data Unique device identifier UDI information for a standalone switch or a stack member and for all the connected FRU devices the product identification PID the version identification VID and the serial ...

Page 467: ... privileged EXEC commands in Table 28 3 For more command options for the show logging onboard command and for examples of OBFL data see the command reference for this release Table 28 3 Commands for Displaying OBFL Information Command Purpose show logging onboard module switch number clilog Displays the OBFL CLI commands that were entered on a standalone switch or the specified stack members show ...

Page 468: ...28 24 Catalyst 2360 Switch Software Configuration Guide OL 19808 01 Chapter 28 Troubleshooting Using On Board Failure Logging ...

Page 469: ...e Diagnostics With online diagnostics you can test and verify the hardware functionality of the switch while the switch is connected to a live network The online diagnostics contain packet switching tests that check different hardware components and verify the data path and the control signals The online diagnostics detect problems in these areas Hardware components Interfaces Ethernet ports and s...

Page 470: ...ay and time on the switch Switch config diagnostic schedule test TestPortAsicCam on december 3 2006 22 25 For more examples see the Examples section of the diagnostic schedule command in the command reference for this release Command Purpose diagnostic schedule test name test id test id range all basic non disruptive daily hh mm on mm dd yyyy hh mm weekly day of week hh mm Schedule on demand diagn...

Page 471: ... output test id ID number of the test that appears in the show diagnostic content command output test id range ID numbers of the tests that appear in the show diagnostic content command output all All of the diagnostic tests When specifying the interval set these parameters hh mm ss Monitoring interval in hours minutes and seconds The range for hh is 0 to 24 and the range for mm and ss is 0 to 60 ...

Page 472: ... health monitoring test Switch config diagnostic monitor threshold switch 3 test 1 failure count 50 Switch config diagnostic monitor interval switch 3 test TestPortAsicRingLoopback Step 5 diagnostic monitor test name test id test id range all Enable the specified health monitoring tests When specifying the tests use one of these parameters name Name of the test that appears in the show diagnostic ...

Page 473: ...ocess This example shows how to start a diagnostic test by using the test name Switch diagnostic start switch 2 test TestInlinePwrCtlr This example shows how to start all of the basic diagnostic tests Switch diagnostic start switch 1 test all Command Purpose diagnostic start test name test id test id range all basic non disruptive Start the diagnostic tests You can specify the tests by using one o...

Page 474: ...diagnostic command in the command reference for this release Table 29 1 Commands for Diagnostic Test Configuration and Results Command Purpose show diagnostic content Display the online diagnostics configured for a switch show diagnostic status Display the currently running diagnostic tests show diagnostic result detail test name test id test id range all detail Display the online diagnostics test...

Page 475: ...gle VLAN By default SNMP messages using the configured community string always provide information for VLAN 1 To obtain the BRIDGE MIB information for other VLANs for example VLAN n use this community string in the SNMP message configured community string n CISCO CABLE DIAG MIB CISCO CDP MIB CISCO CLUSTER MIB CISCO CONFIG COPY MIB CISCO CONFIG MAN MIB CISCO ENTITY FRU CONTROL MIB CISCO ENVMON MIB ...

Page 476: ...CISCO SMI MIB CISCO STP EXTENSIONS MIB CISCO SYSLOG MIB CISCO TC MIB CISCO TCP MIB CISCO UDLDP MIB CISCO VLAN IFTABLE RELATIONSHIP MIB CISCO VLAN MEMBERSHIP MIB CISCO VTP MIB ENTITY MIB ETHERLIKE MIB IEEE8021 PAE MIB IEEE8023 LAG MIB IF MIB In and out counters for VLANs are not supported IF MIB INET ADDRESS MIB OLD CISCO CHASSIS MIB OLD CISCO FLASH MIB OLD CISCO INTERFACES MIB OLD CISCO IP MIB OLD...

Page 477: ...blic sw center netmgmt cmtk mibs shtml Using FTP to Access the MIB Files You can get each MIB file by using this procedure Step 1 Make sure that your FTP client is in passive mode Note Some FTP clients do not support passive mode Step 2 Use FTP to access the server ftp cisco com Step 3 Log in with the username anonymous Step 4 Enter your e mail username when prompted for the password Step 5 At the...

Page 478: ...F i n a l R ev i ew C i s c o C o n f i d e n t i a l A 4 Catalyst 2360 Switch Software Configuration Guide OL 19808 01 Chapter A Supported MIBs Using FTP to Access the MIB Files ...

Page 479: ...ons Working with the Flash File System page B 1 Working with Configuration Files page B 8 Working with Software Images page B 23 Working with the Flash File System The flash file system is a single flash device on which you can store files It also provides several commands to help you manage software image and configuration files The default flash file system on the switch is named flash These sec...

Page 480: ... file system in bytes Free b Amount of free memory in the file system in bytes Type Type of file system flash The file system is for a flash memory device nvram The file system is for a NVRAM device opaque The file system is a locally generated pseudo file system for example the system or a download interface such as brimux unknown The file system is an unknown type Flags Permission for file syste...

Page 481: ... verify that the file system does not already contain a configuration file with the same name Similarly before copying a flash configuration file to another location you might want to verify its filename for use in another command To display information about files on a file system use one of the privileged EXEC commands in Table B 2 To display information about the driver text object in the CISCO...

Page 482: ...t were installed by using the archive download sw command but are no longer needed For filesystem use flash for the system board flash device For file url enter the name of the directory to be deleted All the files in the directory and the directory are removed Caution When files and directories are deleted their contents cannot be recovered Command Purpose Step 1 dir filesystem Display the direct...

Page 483: ...mand is invalid For specific examples of using the copy command with configuration files see the Working with Configuration Files section on page B 8 To copy software images either by downloading a new version or by uploading the existing one use the archive download sw or the archive upload sw privileged EXEC command For more information see the Working with Software Images section on page B 23 D...

Page 484: ...e is the file to be created These options are supported Local flash file system syntax flash FTP syntax ftp username password location directory filename RCP syntax rcp username location directory filename TFTP syntax tftp location directory filename For flash file url specify the location on the local flash file system in which the new file is created You can also specify an optional list of file...

Page 485: ... 556 bytes c2360 universal9k tar 122 53 EY html xhome htm 9373 bytes c2360 universal9k tar 122 53 EY html menu css 1654 bytes output truncated This example shows how to extract the contents of a file located on the TFTP server at 172 20 10 30 Switch archive xtract tftp 172 20 10 30 saved flash new configs This example shows how to display the contents of a configuration file on a TFTP server Switc...

Page 486: ...lar to the original switch By copying the file to the new switch you can change the relevant parts rather than recreating the whole file To load the same configuration commands on all the switches in your network so that all the switches have similar configurations You can copy upload configuration files from the switch to a file server by using TFTP FTP or RCP You might perform this task to back ...

Page 487: ...e The switch does not erase the existing running configuration before adding the commands If a command in the copied configuration file replaces a command in the existing configuration file the existing command is erased For example if the copied configuration file contains a different IP address in a particular command than the existing configuration the IP address in the copied configuration is ...

Page 488: ...sing configuration files you create download from another switch or download from a TFTP server You can copy upload configuration files to a TFTP server for storage These sections contain this configuration information Preparing to Download or Upload a Configuration File By Using TFTP page B 10 Downloading the Configuration File By Using TFTP page B 11 Uploading the Configuration File By Using TFT...

Page 489: ...operly configured by referring to the Preparing to Download or Upload a Configuration File By Using TFTP section on page B 10 Step 3 Log into the switch through the console port the Ethernet management port or a Telnet session Step 4 Download the configuration file from the TFTP server to configure the switch Specify the IP address or hostname of the TFTP server and the name of the file to downloa...

Page 490: ...username specified in the copy command if a username is specified The username set by the ip ftp username username global configuration command if the command is configured Anonymous The switch sends the first valid password in this list The password specified in the copy command if a password is specified The password set by the ip ftp password password global configuration command if the command...

Page 491: ... new FTP username by using the ip ftp username username global configuration command during all copy operations The new username is stored in NVRAM If you are accessing the switch through a Telnet session and you have a valid username this username is used and you do not need to set the FTP username Include the username in the copy command if you want to specify a username for only that copy opera...

Page 492: ...witch config ip ftp password mypass Switch config end Switch copy ftp nvram startup config Address of remote host 255 255 255 255 172 16 101 101 Name of configuration file rtr2 confg host2 confg Configure using host2 confg from 172 16 101 101 confirm Connected to 172 16 101 101 Loading 1112 byte file host2 confg OK OK Switch SYS 5 CONFIG_NV Non volatile store configured from host2 config by ftp fr...

Page 493: ...e TFTP which uses User Datagram Protocol UDP a connectionless protocol RCP uses TCP which is connection oriented To use RCP to copy files the server from or to which you will be copying files must support RCP The RCP copy commands rely on the rsh server or daemon on the remote system To copy files by using RCP you do not need to create a server for file distribution as you do with TFTP You only ne...

Page 494: ...ion File By Using RCP Before you begin downloading or uploading a configuration file by using RCP do these tasks Ensure that the workstation acting as the RCP server supports the remote shell rsh Ensure that the switch has a route to the RCP server The switch and the server must be in the same subnetwork if you do not have a router to route traffic between subnets Check connectivity to the RCP ser...

Page 495: ...e terminal Switch config ip rcmd remote username netadmin1 Switch config end Switch copy rcp nvram startup config Address of remote host 255 255 255 255 172 16 101 101 Name of configuration file rtr2 confg host2 confg Configure using host2 confg from 172 16 101 101 confirm Connected to 172 16 101 101 Loading 1112 byte file host2 confg OK OK Switch SYS 5 CONFIG_NV Non volatile store configured from...

Page 496: ...te username netadmin2 Switch config end Switch copy nvram startup config rcp Remote host 172 16 101 101 Name of configuration file to write switch2 confg Write file switch2 confg on host 172 16 101 101 confirm OK Command Purpose Step 1 Verify that the RCP server is properly configured by referring to the Preparing to Download or Upload a Configuration File By Using RCP section on page B 16 Step 2 ...

Page 497: ... configuration command you might be prompted for confirmation before you delete a file By default the switch prompts for confirmation on destructive file operations For more information about the file prompt command see the Cisco IOS Command Reference for Release 12 2 Caution You cannot restore a file after it has been deleted Replacing and Rolling Back Configurations The configuration replacement...

Page 498: ...re replace command the running configuration is compared with the specified replacement configuration and a set of configuration differences is generated The resulting differences are used to replace the configuration The configuration replacement operation is usually completed in no more than three passes To prevent looping behavior no more than five passes are performed You can use the copy sour...

Page 499: ...vice When using the configure replace command you must specify a saved configuration as the replacement configuration file for the running configuration The replacement file must be a complete configuration generated by a Cisco IOS device for example a configuration generated by the copy running config destination url command Note If you generate the replacement configuration file externally it mu...

Page 500: ...ileged EXEC mode Step 5 configure replace target url list force time seconds nolock Replace the running configuration file with a saved configuration file target url URL accessible by the file system of the saved configuration file that is to replace the running configuration such as the configuration file created in Step 2 by using the archive config privileged EXEC command list Display a list of...

Page 501: ...feature set for example upgrading from the noncryptographic image with the IP services feature set to the cryptographic image with the advanced IP services feature set You can also use the boot auto download sw global configuration command to specify a URL to use to get an image for automatic software upgrades When you enter this command the master switch uses this URL in case of a version mismatc...

Page 502: ...ges on a Server or Cisco com Software images on a server or downloaded from Cisco com are in a file format which contains these files An info file which serves as a table of contents for the file One or more subdirectories containing other images and files such as Cisco IOS images and web management files This example shows some of the information contained in the info file Table B 3 provides addi...

Page 503: ...ng an Image File By Using TFTP page B 28 Preparing to Download or Upload an Image File By Using TFTP Before you begin downloading or uploading an image file by using TFTP do these tasks Ensure that the workstation acting as the TFTP server is properly configured On a Sun workstation make sure that the etc inetd conf file contains this line tftp dgram udp wait root usr etc in tftpd in tftpd p s tft...

Page 504: ...er the touch filename command where filename is the name of the file you will use when uploading the image to the server During upload operations if you are overwriting an existing file including an empty file if you had to create one on the server ensure that the permissions on the file are set correctly Permissions on the file should be world write Downloading an Image File By Using TFTP You can...

Page 505: ...e The allow feature upgrade option allows installation of a software images with different feature sets Optional The directory option specifies a directory for the images The overwrite option overwrites the software image in flash memory with the downloaded image The reload option reloads the system after downloading the image unless the configuration has been changed and not been saved For locati...

Page 506: ...the same type Use the upload feature only if the web management pages associated with the embedded device manager have been installed with the existing image Beginning in privileged EXEC mode follow these steps to upload an image to a TFTP server The archive upload sw privileged EXEC command builds an image file on the server by uploading these files in order info the Cisco IOS image and the web m...

Page 507: ...he FTP protocol requires a client to send a remote username and password on each FTP request to a server When you copy an image file from the switch to a server by using FTP the Cisco IOS software sends the first valid username in this list The username specified in the archive download sw or archive upload sw privileged EXEC command if a username is specified The username set by the ip ftp userna...

Page 508: ...he new username is stored in NVRAM If you are accessing the switch through a Telnet session and you have a valid username this username is used and you do not need to set the FTP username Include the username in the archive download sw or archive upload sw privileged EXEC command if you want to specify a username for that operation only When you upload an image file to the FTP server it must be pr...

Page 509: ...n saved For username password specify the username and password these must be associated with an account on the FTP server For more information see the Preparing to Download or Upload an Image File By Using FTP section on page B 29 For location specify the IP address of the FTP server For directory image name1 tar directory image name2 tar image name3 tar image name4 tar specify the directory opti...

Page 510: ...nter the directory name of the old software image All the files in the directory and the directory are removed Caution For the download and upload algorithms to operate properly do not rename image names Uploading an Image File By Using FTP You can upload an image from the switch to an FTP server You can later download this image to the same switch or to another switch of the same type Use the upl...

Page 511: ... the same type Note Instead of using the copy privileged EXEC command or the archive tar privileged EXEC command we recommend using the archive download sw and archive upload sw privileged EXEC commands to download and upload software image files These sections contain this configuration information Preparing to Download or Upload an Image File By Using RCP page B 34 Downloading an Image File By U...

Page 512: ...tch hostname For the RCP copy request to execute successfully an account must be defined on the network server for the remote username If the server has a directory structure the image file is written to or copied from the directory associated with the remote username on the server For example if the image file resides in the home directory of a user on the server specify that user s name as the r...

Page 513: ...e Beginning in privileged EXEC mode follow Steps 1 through 6 to download a new image from an RCP server and overwrite the existing image To keep the current image go to Step 6 Command Purpose Step 1 Verify that the RCP server is properly configured by referring to the Preparing to Download or Upload an Image File By Using RCP section on page B 34 Step 2 Log into the switch through the console port...

Page 514: ...ion on page B 34 For location specify the IP address of the RCP server For directory image name1 tar directory image name2 tar image name3 tar image name4 tar specify the directory optional and the images to download Directory and image names are case sensitive Step 7 archive download sw directory leave old sw reload tftp location directory image name1 tar image name2 tar image name3 tar image nam...

Page 515: ... the old software during the download process you specified the leave old sw keyword you can remove it by entering the delete force recursive filesystem file url privileged EXEC command For filesystem use flash for the system board flash device For file url enter the directory name of the old software image All the files in the directory and the directory are removed Caution For the download and u...

Page 516: ...es Step 5 end Return to privileged EXEC mode Step 6 archive upload sw rcp username location directory image na me tar Upload the currently running switch image to the RCP server For username specify the username for the RCP copy request to execute define an account on the network server for the remote username For more information see the Preparing to Download or Upload an Image File By Using RCP ...

Page 517: ...is is not a complete list The unsupported commands are listed by software feature and command mode 802 1x Commands Unsupported Privileged EXEC Commands debug dot1x Access Control Lists Commands Unsupported Privileged EXEC Commands access enable host timeout minutes access template access list number name dynamic name source destination timeout minutes clear access template access list number name ...

Page 518: ...mask access list dynamic extended Unsupported Route Map Configuration Commands match ip address prefix list prefix list name prefix list name Archive Commands Unsupported Privileged EXEC Commands archive config logging persistent show archive config show archive log ARP Commands Unsupported User EXEC Commands show arp access list Unsupported Global Configuration Commands arp access list Unsupporte...

Page 519: ...update user policy policy filename group group name expression repository url location Parameters are not supported for this command event manager run policy name paramater1 paramater15 Unsupported Global Configuration Commands no event manager directory user repository url location event manager applet applet name maxrun Unsupported Commands in Applet Configuration Mode no event interface name in...

Page 520: ... ip igmp snooping tcn Inline Power Commands Unsupported User EXEC Commands show controllers power inline Unsupported Privileged EXEC Commands debug ilpower Interface Commands Unsupported Privileged EXEC Commands show interfaces interface id vlan vlan id crb fair queue irb mac accounting precedence irb random detect rate limit shape Unsupported Global Configuration Commands interface tunnel Unsuppo...

Page 521: ...e neighbor description network backdoor table map Unsupported VPN Configuration Commands All Unsupported Route Map Commands match route type for policy based routing PBR set as path tag prepend as path string set automatic tag set dampening half life reuse suppress max suppress time set default interface interface id interface id set interface interface id interface id set ip default next hop ip a...

Page 522: ...address table count show mac address table dynamic show mac address table interface show mac address table multicast show mac address table notification show mac address table static show mac address table vlan show mac address table multicast Note Use the show ip igmp snooping groups privileged EXEC command to display Layer 2 multicast address table entries for a VLAN Unsupported Global Configura...

Page 523: ...iagnostics prbs Unsupported Global Configuration Commands errdisable recovery cause unicast flood errdisable recovery psecure violation errdisable recovery security violation l2protocol tunnel global drop threshold service compress config track object number rtr NetFlow Commands Unsupported Global Configuration Commands ip flow aggregation cache ip flow cache entries ip flow export Network Address...

Page 524: ...ommands clear port security debug port security show platform port security show port security Power Supply Commands Unsupported User EXEC Commands power supply QoS Commands Unsupported Global Configuration Command priority list Unsupported Interface Configuration Commands priority group rate limit Unsupported Policy Map Configuration Command class class default where class default is the class ma...

Page 525: ...feature default enable aaa authentication feature default line radius server attribute nas port radius server configure radius server extended portnames SNMP Commands Unsupported Global Configuration Commands snmp server enable informs snmp server ifindex persist Spanning Tree Commands Unsupported Global Configuration Command spanning tree pathcost method long short Stacking Related Commands Unsup...

Page 526: ...nfig vlan show vlan ifindex Unsupported Privileged EXEC Command show vlan access map vlan database Unsupported Global Configuration Command vlan internal allocation policy ascending descending Unsupported VLAN Configuration Commands vlan VTP Commands Unsupported Privileged EXEC Command vtp password password pruning version number Note This command has been replaced by the vtp global configuration ...

Page 527: ...ACS 7 11 7 16 ACEs defined 24 1 ACLs ACEs 24 1 applying time ranges to 24 10 to an interface 24 13 comments in 24 12 compiling 24 14 defined 24 1 24 3 examples of 24 14 extended IPv4 creating 24 6 matching criteria 24 3 IP creating 24 3 implicit deny 24 5 24 8 24 9 implicit masks 24 5 matching criteria 24 3 IPv4 applying to interfaces 24 13 creating 24 3 matching criteria 24 3 named 24 8 numbers 2...

Page 528: ... RMON 21 3 allowed VLAN list 9 18 ARP defined 1 3 5 22 table address resolution 5 22 managing 5 22 attributes RADIUS vendor proprietary 7 29 vendor specific 7 28 authentication local mode with AAA 7 31 NTP associations 5 4 RADIUS key 7 20 login 7 22 TACACS defined 7 10 key 7 12 login 7 13 authoritative time source described 5 2 authorization with RADIUS 7 26 with TACACS 7 11 7 15 autoconfiguration...

Page 529: ...or disabled state 13 2 filtering 13 3 RSTP format 12 12 BPDU filtering described 13 3 disabling 13 12 enabling 13 12 support for 1 5 BPDU guard described 13 2 disabling 13 12 enabling 13 11 support for 1 5 bridge protocol data unit See BPDU C cables monitoring for unidirectional links 19 1 candidate switch automatic discovery 4 4 defined 4 3 requirements 4 3 See also command switch cluster standby...

Page 530: ...changing the buffer size 2 6 described 2 6 disabling 2 7 recalling commands 2 6 managing clusters 4 11 no and default forms of commands 2 4 client mode VTP 10 3 clock See system clock clusters switch accessing 4 10 automatic discovery 4 4 benefits 1 1 compatibility 4 4 described 4 1 LRE profile considerations 4 11 managing through CLI 4 11 through SNMP 4 12 planning 4 4 planning considerations aut...

Page 531: ... 13 using RCP B 17 using TFTP B 11 invalid combinations when copying B 5 limiting TFTP server access 23 15 obtaining with DHCP 3 8 password recovery disable considerations 7 5 replacing and rolling back guidelines for B 21 replacing a running configuration B 19 B 20 rolling back a running configuration B 19 B 20 specifying the filename 3 13 system contact and location information 23 15 types and l...

Page 532: ...ration 13 9 password and privilege level 7 2 RADIUS 7 19 RMON 21 3 RSPAN 20 6 SNMP 23 7 SPAN 20 6 SSL 7 39 standard QoS 25 3 STP 11 11 system message logging 22 3 system name and prompt 5 13 TACACS 7 12 UDLD 19 3 VLAN Layer 2 Ethernet interfaces 9 16 VLANs 9 7 VTP 10 6 default gateway 3 11 default router preference See DRP deleting VLANs 9 9 description command 8 21 destination addresses in IPv4 A...

Page 533: ...ating and removing B 4 displaying the working B 4 discovery clusters See automatic discovery DNS and DHCP based autoconfiguration 3 7 default configuration 5 14 displaying the configuration 5 15 in IPv6 27 3 overview 5 13 setting up 5 14 support for 1 3 DOM Digital Optical Monitoring 8 25 domain names DNS 5 13 VTP 10 8 Domain Name System See DNS downloading configuration files preparing B 10 B 13 ...

Page 534: ...us 26 17 hot standby ports 26 15 interaction with other features 26 7 modes 26 7 port priority 26 16 system priority 26 16 load balancing 26 8 26 13 logical interfaces described 26 4 PAgP aggregate port learners 26 14 compatibility with Catalyst 1900 26 14 described 26 5 displaying status 26 17 interaction with other features 26 6 interaction with virtual switches 26 6 learn method and priority co...

Page 535: ...playing the contents of B 7 extended crashinfo description 28 21 location 28 22 tar creating B 6 displaying the contents of B 6 extracting B 7 image file format B 24 file system displaying available file systems B 2 displaying file information B 3 local file system names B 1 network file system names B 5 setting the default B 3 filtering show and more command output 2 10 filtering show and more co...

Page 536: ...CMP IPv6 27 3 time exceeded messages 28 16 traceroute and 28 16 unreachable messages 24 13 ICMP ping executing 28 13 overview 28 13 ICMPv6 27 3 IDS appliances and ingress SPAN 20 10 IEEE 802 1D See STP IEEE 802 1Q configuration limitations 9 15 encapsulation 9 14 native VLAN for untagged traffic 9 20 IEEE 802 1s See MSTP IEEE 802 1w See RSTP IEEE 802 3ad See EtherChannel IEEE 802 3x flow control 8...

Page 537: ...port for 1 2 VLAN configuration 15 7 IGMP throttling configuring 15 20 default configuration 15 17 described 15 17 displaying action 15 21 Immediate Leave IGMP described 15 5 enabling 16 9 initial configuration defaults 1 6 Express Setup 1 1 interface range macros 8 12 interface command 8 9 to 8 10 interface configuration mode 2 3 interfaces auto MDIX configuring 8 20 configuring procedure 8 10 co...

Page 538: ...s 27 2 address formats 27 2 applications 27 4 assigning address 27 6 autoconfiguration 27 4 default configuration 27 5 default router preference DRP 27 3 defined 27 1 forwarding 27 6 ICMP 27 3 monitoring 27 8 Stateless Autoconfiguration 27 4 supported features 27 2 J join messages IGMP 15 3 K keepalive messages 11 2 Kerberos support for 1 6 L LACP See EtherChannel Layer 2 frames classification wit...

Page 539: ...int Discovery See LLDP MED local SPAN 20 2 location TLV 18 3 18 6 login authentication with RADIUS 7 22 with TACACS 7 13 login banners 5 15 log messages See system message logging loop guard described 13 9 enabling 13 15 support for 1 5 LRE profiles considerations in switch clusters 4 11 M MAC addresses aging time 5 19 and VLAN association 5 18 building the address table 5 18 default configuration...

Page 540: ...nks 19 1 CDP 17 5 features 1 6 IGMP filters 15 21 snooping 15 15 16 11 interfaces 8 24 IPv6 27 8 multicast router interfaces 15 16 16 12 network traffic for analysis with probe 20 2 SFP status 8 25 28 12 speed and duplex mode 8 18 traffic flowing among switches 21 1 VLANs 9 14 VTP 10 16 MSTP boundary ports configuration guidelines 12 15 described 12 6 BPDU filtering described 13 3 enabling 13 12 B...

Page 541: ...2 16 described 12 2 hop count mechanism 12 5 IST 12 3 supported spanning tree instances 12 2 optional features supported 1 5 overview 12 2 Port Fast described 13 2 enabling 13 10 preventing root switch selection 13 8 root guard described 13 8 enabling 13 15 root switch configuring 12 17 effects of extended system ID 12 17 unexpected behavior 12 17 shutdown Port Fast enabled port 13 2 status displa...

Page 542: ...22 displaying 28 23 on board failure logging See OBFL online diagnostics described 29 1 overview 29 1 running tests 29 5 options management 1 3 P PAgP See EtherChannel passwords default configuration 7 2 disabling recovery of 7 5 encrypting 7 3 for security 1 5 in clusters 4 10 overview 7 1 recovery of 28 3 setting enable 7 3 enable secret 7 3 Telnet 7 6 with usernames 7 6 VTP domain 10 8 path cos...

Page 543: ... 7 2 7 7 setting a command with 7 8 pruning VTP disabling in VTP domain 10 14 on a port 9 20 enabling in VTP domain 10 14 on a port 9 19 examples 10 5 overview 10 4 pruning eligible list changing 9 19 for VTP pruning 10 4 VLANs 10 14 PVST described 11 9 IEEE 802 1Q trunking interoperability 11 10 instances supported 11 9 Q QoS classification forwarding treatment 25 2 configuration guidelines stand...

Page 544: ...PVST rapid PVST described 11 9 IEEE 802 1Q trunking interoperability 11 10 instances supported 11 9 Rapid Spanning Tree Protocol See RSTP rcommand command 4 11 RCP configuration files downloading B 17 overview B 15 preparing the server B 16 uploading B 18 image files deleting old image B 37 downloading B 35 preparing the server B 34 uploading B 37 recovery procedures 28 1 redundancy EtherChannel 2...

Page 545: ...nitored ports 20 3 monitoring ports 20 5 received traffic 20 3 session limits 20 7 sessions defined 20 2 source ports 20 3 transmitted traffic 20 3 VLAN based 20 4 RSTP active topology 12 9 BPDU format 12 12 processing 12 13 designated port defined 12 9 designated switch defined 12 9 interoperability with IEEE 802 1D described 12 8 restarting migration process 12 25 topology changes 12 13 overview...

Page 546: ...w lldp traffic command 18 8 show platform forward command 28 19 show running config command displaying ACLs 24 13 interface description in 8 21 shutdown command on interfaces 8 26 Simple Network Management Protocol See SNMP small frame arrival rate configuring 8 23 SNAP 17 1 SNMP accessing MIB variables with 23 4 agent described 23 4 disabling 23 8 authentication level 23 11 community strings conf...

Page 547: ... with other features 20 5 monitored ports 20 3 monitoring ports 20 5 overview 1 6 received traffic 20 3 session limits 20 7 sessions configuring ingress forwarding 20 11 creating 20 7 defined 20 2 limiting source traffic to specific VLANs 20 11 removing destination monitoring ports 20 9 specifying monitored ports 20 7 with ingress traffic enabled 20 10 source ports 20 3 transmitted traffic 20 3 VL...

Page 548: ...ribed 13 2 disabling 13 12 enabling 13 11 BPDU message exchange 11 3 configuration guidelines 11 11 13 10 configuring forward delay time 11 21 hello time 11 20 maximum aging time 11 21 path cost 11 18 port priority 11 16 root switch 11 14 secondary root switch 11 16 spanning tree mode 11 13 switch priority 11 19 transmit hold count 11 22 counters clearing 11 22 default configuration 11 11 default ...

Page 549: ...ity 11 8 root guard described 13 8 enabling 13 15 root port defined 11 3 root switch configuring 11 14 effects of extended system ID 11 4 11 14 election 11 3 unexpected behavior 11 14 shutdown Port Fast enabled port 13 2 status displaying 11 22 superior BPDU 11 3 timers described 11 20 UplinkFast described 13 3 enabling 13 13 stratum NTP 5 2 summer time 5 11 SunNet Manager 1 3 SVI autostate exclud...

Page 550: ...em prompt default setting 5 12 5 13 T TACACS accounting defined 7 11 authentication defined 7 10 authorization defined 7 10 configuring accounting 7 16 authentication key 7 12 authorization 7 15 login authentication 7 13 default configuration 7 12 displaying the configuration 7 16 identifying the server 7 12 in clusters 4 11 limiting the services to the user 7 15 operation of 7 11 overview 7 10 su...

Page 551: ...iguring managers 23 12 defined 23 3 enabling 23 12 notification types 23 12 overview 23 1 23 5 troubleshooting connectivity problems 28 13 28 14 28 15 displaying crash information 28 21 setting packet forwarding 28 19 SFP security and identification 28 12 show forward command 28 19 with CiscoWorks 23 4 with debug commands 28 17 with ping 28 13 with system message logging 22 1 with traceroute 28 16...

Page 552: ... 22 13 message logging configuration 22 12 unrecognized Type Length Value TLV support 10 4 upgrading software images See downloading UplinkFast described 13 3 disabling 13 13 enabling 13 13 support for 1 4 uploading configuration files preparing B 10 B 13 B 16 reasons for B 8 using FTP B 14 using RCP B 18 using TFTP B 11 image files preparing B 25 B 29 B 34 reasons for B 23 using FTP B 32 using RC...

Page 553: ...ffic with SPAN 20 11 modifying 9 8 native configuring 9 20 normal range 9 1 9 3 number supported 1 5 parameters 9 4 port membership modes 9 3 static access ports 9 10 STP and IEEE 802 1Q trunks 11 10 supported 9 2 Token Ring 9 5 traffic between 9 2 VTP modes 10 3 VLAN Trunking Protocol See VTP VLAN trunks 9 14 VTP adding a client to a domain 10 14 advertisements 9 16 10 3 and extended range VLANs ...

Page 554: ...10 14 examples 10 5 overview 10 4 support for 1 5 pruning eligible list changing 9 19 server mode configuring 10 9 statistics 10 16 support for 1 5 Token Ring support 10 4 transparent mode configuring 10 12 using 10 1 version guidelines 10 8 Version 1 10 4 Version 2 configuration guidelines 10 8 disabling 10 13 enabling 10 13 overview 10 4 ...

Reviews:

No comments

Related manuals for Catalyst 2360

AbleNet HouseMate Quick Start Manual preview
HouseMate
Brand: AbleNet Pages: 2
IBM BNT Installation Manual preview
BNT
Brand: IBM Pages: 88
i3 International S244 Quick Start Manual preview
S244
Brand: i3 International Pages: 2
DANLERS CESF PIR Installation Notes preview
CESF PIR
Brand: DANLERS Pages: 2
Pathway connectivity solutions 1016 Manual preview
1016
Brand: Pathway connectivity solutions Pages: 2
Jasco AS2006 Manual preview
AS2006
Brand: Jasco Pages: 2
Tecsis MagSwitch Operating Manual preview
MagSwitch
Brand: Tecsis Pages: 2
StarTech.com SV431DHD4KU User Manual preview
SV431DHD4KU
Brand: StarTech.com Pages: 24
GALCO EX95000 Series Quick Start Manual preview
EX95000 Series
Brand: GALCO Pages: 22
Eaton ATR Series Instruction Leaflet preview
ATR Series
Brand: Eaton Pages: 2
Jerguson JB**D Series Installation, Operation & Maintenance Manual preview
JB**D Series
Brand: Jerguson Pages: 16
Lantech TGS-L6216XT User Manual preview
TGS-L6216XT
Brand: Lantech Pages: 24
Maiwe MISCOM7028GX Series User Manual preview
MISCOM7028GX Series
Brand: Maiwe Pages: 22
Vanco Evolution EVMX4442 Manual preview
Evolution EVMX4442
Brand: Vanco Pages: 12
Allied Telesis AT 8000/8POE Installation Manual preview
AT 8000/8POE
Brand: Allied Telesis Pages: 56
HB Products HBSC2-SSR Instruction Manual preview
HBSC2-SSR
Brand: HB Products Pages: 6
Omron D4JL Series Manual preview
D4JL Series
Brand: Omron Pages: 31
ATEN VM0404 User Manual preview
VM0404
Brand: ATEN Pages: 31

Brands by name

Popular brands

Load more brands