Cisco Catalyst 2928 Software Configuration Manual Download Page 536 | Manualshive

Page: 536 / 700

background image

30-2

Catalyst 2928 Switch Software Configuration Guide

OL-23389-01

Chapter 30 Configuring Network Security with ACLs

Understanding ACLs

The switch supports IP ACLs to filter IPv4 traffic, including TCP, User Datagram Protocol (UDP),
Internet Group Management Protocol (IGMP), and Internet Control Message Protocol (ICMP).

These sections contain this conceptual information:

•

ACL Overview, page 30-2

•

Handling Fragmented and Unfragmented Traffic, page 30-3

ACL Overview

These access lists are supported:

•

Standard IP access lists using source addresses

•

Extended IP access lists using source and destination addresses and optional protocol type
information

The switch examines ACLs associated with all inbound or outbound features configured on a given
VLAN interface and permits or denies packet forwarding to and from the CPU based on how the packet
matches the entries in the ACL. In this way, ACLs control access to a network or to part of a network.

is an example of using ACLs to control access to a network when all workstations are in the

same VLAN. ACLs applied at the Layer 2 input would allow Host A to access the Human Resources
network, but prevent Host B from accessing the same network.

Port ACLs

Port ACLs access-control traffic entering a Layer 2 interface. The switch does not support port ACLs in
the outbound direction. You can apply only one IP access list and one MAC access list to a Layer 2
interface. Port ACLs can only be applied to Layer 2 interfaces in the inbound direction.

When you apply a port ACL to a trunk port, the ACL filters traffic on all VLANs present on the trunk
port. When you apply a port ACL to a port with voice VLAN, the ACL filters traffic on both data and
voice VLANs.

With port ACLs, you can filter IP traffic by using IP access lists and non-IP traffic by using MAC
addresses. You can filter both IP and non-IP traffic on the same Layer 2 interface by applying both an IP
access list and a MAC access list to the interface.

«
...
534
535
536
537
538
...
»

Summary of Contents for Catalyst 2928

Page 1: ...170 West Tasman Drive San Jose CA 95134 1706 USA http www cisco com Tel 408 526 4000 800 553 NETS 6387 Fax 408 527 0883 Catalyst 2928 Switch Software Configuration Guide Cisco IOS Release 12 2 55 EZ November 2010 Text Part Number OL 23389 01 ...

Page 2: ... ALL WARRANTIES EXPRESSED OR IMPLIED INCLUDING WITHOUT LIMITATION THOSE OF MERCHANTABILITY FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT OR ARISING FROM A COURSE OF DEALING USAGE OR TRADE PRACTICE IN NO EVENT SHALL CISCO OR ITS SUPPLIERS BE LIABLE FOR ANY INDIRECT SPECIAL CONSEQUENTIAL OR INCIDENTAL DAMAGES INCLUDING WITHOUT LIMITATION LOST PROFITS OR LOSS OR DAMAGE TO DATA ARISING OUT OF T...

Page 3: ...curity Features 1 6 QoS and CoS Features 1 7 Power over Ethernet Features WS C2928 24LT C only 1 7 Monitoring Features 1 8 Default Settings After Initial Switch Configuration 1 8 Network Configuration Examples 1 11 Design Concepts for Using the Switch 1 11 Small to Medium Sized Network Using Catalyst 2928 Switches 1 14 Campus Network Using Catalyst 2928 Switches 1 15 Where to Go Next 1 16 C H A P ...

Page 4: ... Client Request Process 3 4 Understanding DHCP based Autoconfiguration and Image Update 3 4 DHCP Autoconfiguration 3 5 DHCP Auto Image Update 3 5 Limitations and Restrictions 3 5 Configuring DHCP Based Autoconfiguration 3 6 DHCP Server Configuration Guidelines 3 6 Configuring the TFTP Server 3 7 Configuring the DNS 3 7 Configuring the Relay Device 3 7 Obtaining Configuration Files 3 8 Example Conf...

Page 5: ...rstanding Cisco IOS Agents 4 5 Initial Configuration 4 5 Incremental Partial Configuration 4 6 Synchronized Configuration 4 6 Configuring Cisco IOS Agents 4 6 Enabling Automated CNS Configuration 4 6 Enabling the CNS Event Agent 4 7 Enabling the Cisco IOS CNS Agent 4 8 Enabling an Initial Configuration 4 9 Enabling a Partial Configuration 4 11 Displaying CNS Configuration 4 12 C H A P T E R 5 Clus...

Page 6: ...s 5 14 C H A P T E R 6 Configuring SDM Templates 6 1 Understanding the SDM Templates 6 1 Configuring the Switch SDM Template 6 2 Default SDM Template 6 2 SDM Template Configuration Guidelines 6 2 Displaying the SDM Templates 6 3 C H A P T E R 7 Administering the Switch 7 1 Managing the System Time and Date 7 1 Understanding the System Clock 7 1 Understanding Network Time Protocol 7 2 Configuring N...

Page 7: ...g Time 7 20 Removing Dynamic Address Entries 7 21 Configuring MAC Address Notification Traps 7 21 Adding and Removing Static Address Entries 7 23 Configuring Unicast MAC Address Filtering 7 24 Displaying Address Table Entries 7 26 Managing the ARP Table 7 26 C H A P T E R 8 Configuring Switch Based Authentication 8 1 Preventing Unauthorized Access to Your Switch 8 1 Protecting Access to Privileged...

Page 8: ... Defining AAA Server Groups 8 25 Configuring RADIUS Authorization for User Privileged Access and Network Services 8 27 Starting RADIUS Accounting 8 28 Configuring Settings for All RADIUS Servers 8 29 Configuring the Switch to Use Vendor Specific RADIUS Attributes 8 29 Configuring the Switch for Vendor Proprietary RADIUS Server Communication 8 31 Displaying the RADIUS Configuration 8 31 Configuring...

Page 9: ...ribute Value Pairs 9 8 Using IEEE 802 1x Authentication with VLAN Assignment 9 9 Using IEEE 802 1x Authentication with Guest VLAN 9 11 Using IEEE 802 1x Authentication with Restricted VLAN 9 12 Using IEEE 802 1x Authentication with Voice VLAN Ports 9 13 Using IEEE 802 1x Authentication with Port Security 9 13 Using IEEE 802 1x Authentication with MAC Authentication Bypass 9 14 802 1x Authenticatio...

Page 10: ...vice Roles 10 2 Host Detection 10 2 Session Creation 10 3 Authentication Process 10 3 Local Web Authentication Banner 10 4 Web Authentication Customizable Web Pages 10 6 Guidelines 10 6 Web based Authentication Interactions with Other Features 10 7 Port Security 10 7 LAN Port IP 10 8 Gateway IP 10 8 ACLs 10 8 Context Based Access Control 10 8 802 1x Authentication 10 8 EtherChannel 10 8 Configurin...

Page 11: ... R 12 Configuring Interface Characteristics 12 1 Understanding Interface Types 12 1 Port Based VLANs 12 2 Switch Ports 12 2 Access Ports 12 2 Trunk Ports 12 3 Power over Ethernet PoE Ports WS C2928 24LT C only 12 4 Supported Protocols and Standards 12 4 Powered Device Detection and Initial Power Allocation 12 5 Power Management Modes 12 5 Power Monitoring and Power Policing 12 6 Connecting Interfa...

Page 12: ...VLANs 13 5 Normal Range VLAN Configuration Guidelines 13 5 Saving VLAN Configuration 13 6 Default Ethernet VLAN Configuration 13 6 Creating or Modifying an Ethernet VLAN 13 7 Deleting a VLAN 13 8 Assigning Static Access Ports to a VLAN 13 9 Configuring Extended Range VLANs 13 10 Default VLAN Configuration 13 10 Extended Range VLAN Configuration Guidelines 13 10 Creating an Extended Range VLAN 13 1...

Page 13: ...Changing the Reconfirmation Interval 13 25 Changing the Retry Count 13 26 Monitoring the VMPS 13 26 Troubleshooting Dynamic Access Port VLAN Membership 13 27 VMPS Configuration Example 13 27 C H A P T E R 14 Configuring VTP 14 1 Understanding VTP 14 1 The VTP Domain 14 2 VTP Modes 14 3 VTP Advertisements 14 3 VTP Version 2 14 4 VTP Pruning 14 4 Configuring VTP 14 6 Default VTP Configuration 14 6 V...

Page 14: ...16 3 Spanning Tree Interface States 16 4 Blocking State 16 5 Listening State 16 6 Learning State 16 6 Forwarding State 16 6 Disabled State 16 6 How a Switch or Port Becomes the Root Switch or Root Port 16 7 Spanning Tree and Redundant Connectivity 16 7 Spanning Tree Address Management 16 8 Accelerated Aging to Retain Connectivity 16 8 Spanning Tree Modes and Protocols 16 9 Supported Spanning Tree ...

Page 15: ...ts 17 6 IEEE 802 1s Implementation 17 6 Port Role Naming Change 17 6 Interoperation Between Legacy and Standard Switches 17 7 Detecting Unidirectional Link Failure 17 7 Interoperability with IEEE 802 1D STP 17 8 Understanding RSTP 17 8 Port Roles and the Active Topology 17 9 Rapid Convergence 17 9 Synchronization of Port Roles 17 11 Bridge Protocol Data Unit Format and Processing 17 12 Processing ...

Page 16: ...Understanding UplinkFast 18 3 Understanding BackboneFast 18 5 Understanding EtherChannel Guard 18 7 Understanding Root Guard 18 8 Understanding Loop Guard 18 9 Configuring Optional Spanning Tree Features 18 9 Default Optional Spanning Tree Configuration 18 9 Optional Spanning Tree Configuration Guidelines 18 10 Enabling Port Fast 18 10 Enabling BPDU Guard 18 11 Enabling BPDU Filtering 18 12 Enabli...

Page 17: ...Understanding DHCP Server Port Based Address Allocation 19 21 Configuring DHCP Server Port Based Address Allocation 19 22 Default Port Based Address Allocation Configuration 19 22 Port Based Address Allocation Configuration Guidelines 19 22 Enabling DHCP Server Port Based Address Allocation 19 23 Displaying DHCP Server Port Based Address Allocation 19 25 C H A P T E R 20 Configuring Dynamic ARP In...

Page 18: ...iguring TCN Related Commands 21 11 Controlling the Multicast Flooding Time After a TCN Event 21 11 Recovering from Flood Mode 21 12 Disabling Multicast Flooding During a TCN Event 21 12 Configuring the IGMP Snooping Querier 21 13 Disabling IGMP Report Suppression 21 14 Displaying IGMP Snooping Information 21 14 Configuring IGMP Filtering and Throttling 21 16 Default IGMP Filtering and Throttling C...

Page 19: ...Port Security 22 12 Enabling and Configuring Port Security Aging 22 17 Displaying Port Based Traffic Control Settings 22 18 C H A P T E R 23 Configuring CDP 23 1 Understanding CDP 23 1 Configuring CDP 23 2 Default CDP Configuration 23 2 Configuring the CDP Characteristics 23 2 Disabling and Enabling CDP 23 3 Disabling and Enabling CDP on an Interface 23 4 Monitoring and Maintaining CDP 23 5 C H A ...

Page 20: ...standing SPAN 26 1 Local SPAN 26 2 SPAN Concepts and Terminology 26 2 SPAN Sessions 26 2 Monitored Traffic 26 3 Source Ports 26 4 Source VLANs 26 4 VLAN Filtering 26 5 Destination Port 26 5 SPAN Interaction with Other Features 26 6 Configuring SPAN 26 7 Default SPAN Configuration 26 7 Configuring Local SPAN 26 7 SPAN Configuration Guidelines 26 7 Creating a Local SPAN Session 26 8 Creating a Local...

Page 21: ...g the Message Severity Level 28 8 Limiting Syslog Messages Sent to the History Table and to SNMP 28 9 Enabling the Configuration Change Logger 28 10 Configuring UNIX Syslog Servers 28 11 Logging Messages to a UNIX Syslog Daemon 28 11 Configuring the UNIX System Logging Facility 28 12 Displaying the Logging Configuration 28 13 C H A P T E R 29 Configuring SNMP 29 1 Understanding SNMP 29 1 SNMP Vers...

Page 22: ...n ACL 30 12 Creating Named Standard and Extended ACLs 30 12 Using Time Ranges with ACLs 30 14 Including Comments in ACLs 30 15 Applying an IPv4 ACL to a Terminal Line 30 16 Applying an IPv4 ACL to a VLAN Interface 30 16 Hardware and Software Treatment of IP ACLs 30 17 Troubleshooting ACLs 30 18 IPv4 ACL Configuration Examples 30 18 Numbered ACLs 30 19 Extended ACLs 30 19 Named ACLs 30 19 Time Rang...

Page 23: ...ue Characteristics 31 14 Configuration Guidelines 31 15 Mapping CoS Values to an Egress Queue and to a Threshold ID 31 15 Configuring the Egress Expedite Queue 31 16 Displaying Standard QoS Information 31 17 C H A P T E R 32 Configuring EtherChannels 32 1 Understanding EtherChannels 32 1 EtherChannel Overview 32 2 Port Channel Interfaces 32 3 Port Aggregation Protocol 32 4 PAgP Modes 32 4 PAgP Int...

Page 24: ...ter Member Connectivity 33 11 Preventing Autonegotiation Mismatches 33 11 Troubleshooting Power over Ethernet Switch Ports 33 11 Disabled Port Caused by Power Loss 33 12 Disabled Port Caused by False Link Up 33 12 SFP Module Security and Identification 33 12 Monitoring SFP Module Status 33 13 Using Ping 33 13 Understanding Ping 33 13 Executing Ping 33 13 Using Layer 2 Traceroute 33 14 Understandin...

Page 25: ... System B 1 Displaying Available File Systems B 2 Setting the Default File System B 3 Displaying Information about Files on a File System B 3 Changing Directories and Displaying the Working Directory B 3 Creating and Removing Directories B 4 Copying Files B 4 Deleting Files B 5 Creating Displaying and Extracting tar Files B 5 Creating a tar File B 6 Displaying the Contents of a tar File B 6 Extrac...

Page 26: ...eparing to Download or Upload an Image File By Using TFTP B 21 Downloading an Image File By Using TFTP B 22 Uploading an Image File By Using TFTP B 24 Copying Image Files By Using FTP B 24 Preparing to Download or Upload an Image File By Using FTP B 25 Downloading an Image File By Using FTP B 26 Uploading an Image File By Using FTP B 27 Copying Image Files By Using RCP B 28 Preparing to Download o...

Page 27: ...pported Global Configuration Commands C 4 Network Address Translation NAT Commands C 4 Unsupported Privileged EXEC Commands C 4 QoS C 4 Unsupported Global Configuration Command C 4 Unsupported Interface Configuration Commands C 4 Unsupported Policy Map Configuration Command C 4 RADIUS C 5 Unsupported Global Configuration Commands C 5 SNMP C 5 Unsupported Global Configuration Commands C 5 Spanning ...

Page 28: ...Contents xxviii Catalyst 2928 Switch Software Configuration Guide OL 23389 01 ...

Page 29: ...e For information about the standard Cisco IOS Release 12 2 commands see the Cisco IOS documentation set available from the Cisco com home page at Technical Support Documentation Cisco IOS Software This guide does not provide detailed information on the graphical user interfaces GUIs for the embedded device manager that you can use to manage the switch However the concepts in this guide are applic...

Page 30: ...tion Means reader be careful In this situation you might do something that could result in equipment damage or loss of data Related Publications These documents provide complete information about the switch and are available from this Cisco com site http www cisco com web CN products products_netsol switches products ca2928 index html Release Notes for the Catalyst 2928 Switch Note Before installi...

Page 31: ... see the monthly What s New in Cisco Product Documentation which also lists all new and revised Cisco technical documentation at http www cisco com en US docs general whatsnew whatsnew html Subscribe to the What s New in Cisco Product Documentation as a Really Simple Syndication RSS feed and set content to be delivered directly to your desktop using a reader application The RSS feeds are a free se...

Page 32: ...xxx Catalyst 2928 Switch Software Configuration Guide OL 23389 01 Preface ...

Page 33: ...ormation see the release notes for this release Ease of Deployment and Ease of Use Features page 1 1 Performance Features page 1 2 Management Options page 1 3 Manageability Features page 1 4 includes a feature requiring the cryptographic version of the software Availability and Redundancy Features page 1 5 VLAN Features page 1 5 Security Features page 1 6 includes a feature requiring the cryptogra...

Page 34: ...tor in a network You can use Smart Install to provide zero touch image and configuration upgrade of newly deployed switches and image and configuration downloads for any client switches For more information see the Cisco Smart Install Configuration Guide Smart Install enhancements in Cisco IOS Release 12 2 55 SE supporting client backup files zero touch replacement for clients with the same produc...

Page 35: ...t Options An embedded device manager The device manager is a GUI that is integrated in the software image You use it to configure and to monitor a single switch For information about launching the device manager see the getting started guide For more information about the device manager see the switch online help CLI The Cisco IOS software supports desktop and multilayer switching features You can...

Page 36: ...on from the switch to the endpoint device CDP and LLDP enhancements for exchanging location information with video end points for dynamic location based content distribution from servers Network Time Protocol NTP for providing a consistent time stamp to all switches from an external source Cisco IOS File System IFS for providing a single interface to all file systems that the switch uses Configura...

Page 37: ...T and MSTP mode Port Fast for eliminating the forwarding delay by enabling a port to immediately change from the blocking state to the forwarding state BPDU guard for shutting down Port Fast enabled ports that receive bridge protocol data units BPDUs BPDU filtering for preventing a Port Fast enabled port from sending or receiving BPDUs Root guard for preventing switches outside the network core fr...

Page 38: ...n an invalid configuration occurs Standard and extended IP access control lists ACLs for defining inbound security policies on Layer 2 interfaces port ACLs Standard and extended IP access control lists ACLs for defining inbound security policies on Layer 2 interfaces port ACLs IEEE 802 1x port based authentication to prevent unauthorized devices clients from gaining access to the network These fea...

Page 39: ...g and scheduling Two configurable ingress queues for user traffic one queue can be the priority queue Weighted tail drop WTD as the congestion avoidance mechanism for managing the queue lengths and providing drop precedences for different traffic classifications Thresholds and queue lengths are predefined and fixed Shaped round robin SRR as the scheduling service for specifying the rate at which p...

Page 40: ...toring and traffic analysis Syslog facility for logging system messages about authentication or authorization errors resource issues and time out events Layer 2 traceroute to identify the physical path that a packet takes from a source device to a destination device Time Domain Reflector TDR to diagnose and resolve cabling problems on 10 100 and 10 100 1000 copper Ethernet ports SFP module diagnos...

Page 41: ...led For more information see Chapter 8 Configuring Switch Based Authentication IEEE 802 1x is disabled For more information see Chapter 9 Configuring IEEE 802 1x Port Based Authentication Port parameters Interface speed and duplex mode is autonegotiate For more information see Chapter 12 Configuring Interface Characteristics Auto MDIX is enabled For more information see Chapter 12 Configuring Inte...

Page 42: ...DLD is disabled For more information see Chapter 25 Configuring UDLD SPAN disabled For more information see Chapter 26 Configuring SPAN RMON is disabled For more information see Chapter 27 Configuring RMON Syslog messages are enabled and appear on the console For more information see Chapter 28 Configuring System Message Logging SNMP is enabled Version 1 For more information see Chapter 29 Configu...

Page 43: ...e to degrade and how you can configure your network to increase the bandwidth available to your network users Table 1 1 Increasing Network Performance Network Demands Suggested Design Methods Too many users on a single network segment and a growing number of users accessing the Internet Create smaller network segments so that fewer users share the bandwidth and use VLANs and IP subnets to place th...

Page 44: ...ted to a router in the distribution layer Each switch in this configuration provides users with a dedicated 1 Gb s connection to network resources Using SFP modules also provides flexibility in media and distance options through fiber optic connections Table 1 2 Providing Network Services Network Demands Suggested Design Methods Efficient bandwidth usage for multimedia applications and guaranteed ...

Page 45: ...e switches provide preferential treatment for certain data streams They segment traffic streams into different paths for processing Security features on the switch ensure rapid handling of packets Fault tolerance from the server racks to the core is achieved through dual homing of servers connected to switches which have redundant Gigabit EtherChannels Using dual SFP module uplinks from the switch...

Page 46: ...ta multimedia and voice traffic are assigned to the same VLAN only one VLAN can be configured per wiring closet When an end station in one VLAN needs to communicate with an end station in another VLAN a router routes the traffic to the destination VLAN In this network the routers are providing inter VLAN routing VLAN access control lists VLAN maps on the switch provide intra VLAN security and prev...

Page 47: ...s connect workstations and wireless access points through the core layer to a third party system that provides authentication authorization and accounting services Using a combination of web authentication and DHCP authentication the Catalyst 2928 switches and the third party system implement a stringed access control that binds a user name and password with IP address MAC address VLAN ID and port...

Page 48: ...itch review these sections for startup information Chapter 2 Using the Command Line Interface Chapter 3 Assigning the Switch IP Address and Default Gateway Third Party Device Portal Server RADIUS Server DHCP Server Policy Server Accounting Billing Information Core Layer Switch 2928 2928 2928 2928 Wired Client Wired Client Wireless Client Wireless Client Access Point Access Point 279916 Cisco Wirel...

Page 49: ...rompt to obtain a list of commands available for each command mode When you start a session on the switch you begin in user mode often called user EXEC mode Only a limited subset of the commands are available in user EXEC mode For example most of the user EXEC commands are one time commands such as show commands which show the current configuration status and clear commands which clear counters or...

Page 50: ... configuration mode enter the vlan vlan id command Switch config vlan To exit to global configuration mode enter the exit command To return to privileged EXEC mode press Ctrl Z or enter end Use this mode to configure VLAN parameters When VTP mode is transparent you can create extended range VLANs VLAN IDs greater than 1005 and save configurations in the switch startup configuration file Interface ...

Page 51: ...ue This example shows how to enter the show configuration privileged EXEC command in an abbreviated form Switch show conf Table 2 2 Help Summary Command Purpose help Obtain a brief description of the help system in any command mode abbreviated command entry Obtain a list of commands that begin with a particular character string For example Switch di dir disable disconnect abbreviated command entry...

Page 52: ...ou might encounter while using the CLI to configure your switch Using Configuration Logging You can log and view changes to the switch configuration You can use the Configuration Change Logging and Notification feature to track changes on a per session and per user basis The logger tracks each configuration command that is applied the user who entered the command the time that the Table 2 3 Common...

Page 53: ... long or complex commands or entries including access lists You can customize this feature to suit your needs as described in these sections Changing the Command History Buffer Size page 2 5 optional Recalling Commands page 2 6 optional Disabling the Command History Feature page 2 6 optional Changing the Command History Buffer Size By default the switch records ten command lines in its history buf...

Page 54: ...mmand Lines that Wrap page 2 8 optional Enabling and Disabling Editing Features Although enhanced editing mode is automatically enabled you can disable it re enable it or configure a specific line to have enhanced editing These procedures are optional To globally disable enhanced editing mode enter this command in line configuration mode Switch config line no editing Table 2 4 Recalling Commands A...

Page 55: ...line Press Esc B Move the cursor back one word Press Esc F Move the cursor forward one word Press Ctrl T Transpose the character to the left of the cursor with the character located at the cursor Recall commands from the buffer and paste them in the command line The switch provides a buffer with the last ten items that you deleted Press Ctrl Y Recall the most recent entry in the buffer Press Esc Y...

Page 56: ... 131 108 2 5 255 255 255 0 131 108 1 20 255 25 Switch config t tcp 131 108 2 5 255 255 255 0 131 108 1 20 255 255 255 0 eq Switch config 108 2 5 255 255 255 0 131 108 1 20 255 255 255 0 eq 45 After you complete the entry press Ctrl A to check the complete syntax before pressing the Return key to execute the command The dollar sign appears at the end of the line to show that the line has been scrol...

Page 57: ...re the expression protocol appears Switch show interfaces include protocol Vlan1 is up line protocol is up Vlan10 is up line protocol is down GigabitEthernet0 1 is up line protocol is down GigabitEthernet0 2 is up line protocol is up Accessing the CLI You can access the CLI through a console connection through Telnet or by using the browser Accessing the CLI through a Console Connection or through...

Page 58: ...The switch supports up to 16 simultaneous Telnet sessions Changes made by one Telnet user are reflected in all other Telnet sessions For information about configuring the switch for SSH see the Configuring the Switch for Secure Shell section on page 8 33 The switch supports up to five simultaneous secure SSH sessions After you connect through the console port through a Telnet session or through an...

Page 59: ...Configuration page 3 14 Modifying the Startup Configuration page 3 15 Scheduling a Reload of the Software Image page 3 20 Understanding the Boot Process To start your switch you need to follow the procedures in the Getting Started Guide or the hardware installation guide for installing and powering on the switch and setting up the initial switch configuration IP address subnet mask default gateway...

Page 60: ...onsole port and configured the PC or terminal emulation software baud rate and character format to match these of the switch console port Baud rate default is 9600 Data bits default is 8 Note If the data bits option is set to 8 set the parity option to none Stop bits default is 1 Parity settings default is none Assigning Switch Information You can assign IP information through the switch setup pro...

Page 61: ...h However you need to configure the DHCP server for various lease options associated with IP addresses If you are using DHCP to relay the configuration file location on the network you might also need to configure a Trivial File Transfer Protocol TFTP server and a Domain Name System DNS server The DHCP server for your switch can be on the same LAN or on a different LAN than the switch If the DHCP ...

Page 62: ...ent uses configuration information received from the server The amount of information the switch receives depends on how you configure the DHCP server For more information see the Configuring the TFTP Server section on page 3 7 If the configuration parameters sent to the client in the DHCPOFFER unicast message are invalid a configuration error exists the client returns a DHCPDECLINE broadcast mess...

Page 63: ...ame option 150 the TFTP server address and option 125 description of the file settings For procedures to configure the switch as a DHCP server see the Configuring DHCP Based Autoconfiguration section on page 3 6 and the Configuring DHCP section of the IP addressing and Services section of the Cisco IOS IP Configuration Guide Release 12 2 After you install the switch in your network the auto image ...

Page 64: ...onfigure the DHCP server with these lease options IP address of the client required Subnet mask of the client required DNS server IP address optional Router IP address default gateway address to be used by the switch required If you want the switch to receive the configuration file from a TFTP server you must configure the DHCP server with these lease options TFTP server name required Boot filenam...

Page 65: ...hese files are not accessed If you specify the TFTP server name in the DHCP server lease database you must also configure the TFTP server name to IP address mapping in the DNS server database If the TFTP server to be used is on a different LAN from the switch or if it is to be accessed by the switch through the broadcast address which occurs if the DHCP server response does not contain all the req...

Page 66: ...ssage to the TFTP server to retrieve the named configuration file from the base directory of the server and upon receipt it completes its boot up process The IP address and the configuration filename is reserved for the switch but the TFTP server address is not provided in the DHCP reply one file read method The switch receives its IP address subnet mask and the configuration filename from the DHC...

Page 67: ... router confg file If the switch cannot read the router confg file it reads the ciscortr cfg file Note The switch broadcasts TFTP server requests if the TFTP server is not obtained from the DHCP replies if all attempts to read the configuration file through unicast transmissions fail or if the TFTP server name cannot be resolved to an IP address Example Configuration Figure 3 3 shows a sample netw...

Page 68: ...0 24 DHCP Client Configuration No configuration file is present on Switch A through Switch D Configuration Explanation In Figure 3 3 Switch A reads its configuration file as follows It obtains its IP address 10 0 0 21 from the DHCP server If no configuration filename is given in the DHCP server reply Switch A reads the network confg file from the base directory of the TFTP server It adds the conte...

Page 69: ...1 0 4 Switch config if no switchport Switch config if ip address 10 10 10 1 255 255 255 0 Switch config if end Command Purpose Step 1 configure terminal Enter global configuration mode Step 2 ip dhcp poolname Create a name for the DHCP Server address pool and enter DHCP pool configuration mode Step 3 bootfile filename Specify the name of the configuration file that is used as a boot image Step 4 n...

Page 70: ...filename Specify the name of the file that is used as a boot image Step 4 network network number mask prefix length Specify the subnet network number and mask of the DHCP address pool Note The prefix length specifies the number of bits that comprise the address prefix The prefix is an alternative way of specifying the network mask of the client The prefix length must be preceded by a forward slash...

Page 71: ...save C Caution Saving Configuration File to NVRAM May Cause You to Nolonger Automatically Download Configuration Files at Reboot C Switch config vlan 99 Switch config vlan interface vlan 99 Switch config if no shutdown Switch config if end Switch show boot BOOT path list Config file flash config text Private Config file flash private config text Enable Break no Manual Boot no HELPER path list NVRA...

Page 72: ... you made by entering this privileged EXEC command Switch show running config Building configuration Current configuration 1363 bytes version 12 1 Command Purpose Step 1 configure terminal Enter global configuration mode Step 2 interface vlan vlan id Enter interface configuration mode and enter the VLAN to which the IP information is assigned The VLAN range is 1 to 4094 Step 3 ip address ip addres...

Page 73: ... end To store the configuration or changes you have made to your startup configuration in flash memory enter this privileged EXEC command Switch copy running config startup config Destination filename startup config Building configuration This command saves the configuration settings that you made If you fail to do this your configuration will be lost the next time you reload the system To display...

Page 74: ... steps to specify a different configuration filename Table 3 3 Default Boot Configuration Feature Default Setting Operating system software image The switch attempts to automatically boot up the system using information in the BOOT environment variable If the variable is not set the switch attempts to load and execute the first executable image it can by performing a recursive depth first search t...

Page 75: ...ment variable Step 5 copy running config startup config Optional Save your entries in the configuration file Command Purpose Command Purpose Step 1 configure terminal Enter global configuration mode Step 2 boot manual Enable the switch to manually boot up during the next boot cycle Step 3 end Return to privileged EXEC mode Step 4 show boot Verify your entries The boot manual global command changes...

Page 76: ...des support for nonvolatile environment variables which can be used to control how the boot loader or any other software running on the system behaves Boot loader environment variables are similar to environment variables that can be set on UNIX or DOS systems Environment variables that have values are stored in flash memory outside of the flash file system Each line in these files contains an env...

Page 77: ...he BOOT environment variable is not set the system attempts to load and execute the first executable image it can find by using a recursive depth first search through the flash file system If the BOOT variable is set but the specified images cannot be loaded the system attempts to boot the first bootable file that it can find in the flash file system boot system filesystem file url Specifies the C...

Page 78: ...ay if the specified time is later than the current time or on the next day if the specified time is earlier than the current time Specifying 00 00 schedules the reload for midnight Note Use the at keyword only if the switch system clock has been set through Network Time Protocol NTP the hardware calendar or manually The time is relative to the configured time zone on the switch To schedule reloads...

Page 79: ...un 20 1996 in 344 hours and 53 minutes Proceed with reload confirm To cancel a previously scheduled reload use the reload cancel privileged EXEC command Displaying Scheduled Reload Information To display information about a previously scheduled reload or to find out if a reload has been scheduled on the switch use the show reload privileged EXEC command It displays reload information including the...

Page 80: ...3 22 Catalyst 2928 Switch Software Configuration Guide OL 23389 01 Chapter 3 Assigning the Switch IP Address and Default Gateway Scheduling a Reload of the Software Image ...

Page 81: ...for automating the deployment and management of network devices and services see Figure 4 1 Each Configuration Engine manages a group of Cisco devices switches and routers and the services that they deliver storing their configurations and delivering them as needed The Configuration Engine automates initial configurations and configuration updates by generating device specific configuration change...

Page 82: ...ses the CNS Event Service to send and receive configuration change events and to send success and failure notifications The configuration server is a web server that uses configuration templates and the device specific configuration information stored in the embedded standalone mode or remote server mode directory Configuration templates are text files containing static configuration information i...

Page 83: ...D device ID and event the mapping service returns a set of events on which to publish What You Should Know About the CNS IDs and Device Hostnames The Cisco Configuration Engine assumes that a unique identifier is associated with each configured switch This unique identifier can take on multiple synonyms where each synonym is unique within a particular namespace The event service uses namespace con...

Page 84: ... change even when the switch hostname is reconfigured When changing the switch hostname on the switch the only way to refresh the DeviceID is to break the connection between the switch and the event gateway Enter the no cns event global configuration command followed by the cns event global configuration command When the connection is re established the switch sends its modified hostname to the ev...

Page 85: ...ch and includes the TFTP server IP address the path to the bootstrap configuration file and the default gateway IP address in a unicast reply to the DHCP relay agent The DHCP relay agent forwards the reply to the switch The switch automatically configures the assigned IP address on interface VLAN 1 the default and downloads the bootstrap configuration file from the TFTP server Upon successful down...

Page 86: ...updated configuration into its NVRAM The switch uses the updated configuration as its running configuration This ensures that the switch configuration is synchronized with other network activities before saving the configuration in NVRAM for use at the next reboot Configuring Cisco IOS Agents The Cisco IOS agents embedded in the switch Cisco IOS software allow the switch to be connected and automa...

Page 87: ...CNS configuration agent DHCP server IP address assignment TFTP server IP address Path to bootstrap configuration file on the TFTP server Default gateway IP address TFTP server A bootstrap configuration file that includes the CNS configuration commands that enable the switch to communicate with the Configuration Engine The switch configured to use either the switch MAC address or the serial number ...

Page 88: ...y retry count keepalive seconds retry count source ip address Enable the event agent and enter the gateway parameters For ip address hostname enter either the IP address or the hostname of the event gateway Optional For port number enter the port number for the event gateway The default port number is 11011 Optional Enter backup to show that this is the backup gateway If omitted this is the primar...

Page 89: ...face type but need not specify the interface number Optional For ping interval seconds enter the interval between successive ping attempts The range is 1 to 30 seconds The default is 10 seconds Optional For retries num enter the number of ping retries The range is 1 to 30 The default is 5 Step 3 config cli or line cli Enter config cli to connect to the Configuration Engine through the interface de...

Page 90: ...rary text string for string string as the unique ID Step 8 cns config initial ip address hostname port number event no persist page page source ip address syntax check Enable the Cisco IOS agent and initiate an initial configuration For ip address hostname enter the IP address or the hostname of the configuration server Optional For port number enter the port number of the configuration server The...

Page 91: ...steps to enable the Cisco IOS agent and to initiate a partial configuration on the switch To disable the Cisco IOS agent use the no cns config partial ip address hostname global configuration command To cancel a partial configuration use the cns config cancel privileged EXEC command Step 10 show cns config connections Verify information about the configuration agent Step 11 show running config Ver...

Page 92: ...fig connections Displays the status of the CNS Cisco IOS agent connections show cns config outstanding Displays information about incremental partial CNS configurations that have started but are not yet completed show cns config stats Displays statistics about the Cisco IOS agent show cns event connections Displays the status of the CNS event agent connections show cns event stats Displays statist...

Page 93: ...tion command to limit access to specific hosts or networks Access should be controlled through the cluster command switch Understanding Switch Clusters A switch cluster is a set of up to 16 connected cluster capable Catalyst switches that are managed as a single entity The switches in the cluster use the switch clustering technology so that you can configure and troubleshoot a group of different C...

Page 94: ...d which ones can only be cluster member switches and the required software versions Cluster Command Switch Characteristics A cluster command switch must meet these requirements It is running Cisco IOS Release 12 2 44 SE or later It has an IP address It has Cisco Discovery Protocol CDP version 2 enabled the default It is not a command or cluster member switch of another cluster It is connected to t...

Page 95: ... not yet been added to a cluster Cluster member switches are switches that have actually been added to a switch cluster Although not required a candidate or cluster member switch can have its own IP address and password for related considerations see the IP Addresses section on page 5 12 and Passwords section on page 5 12 To join a cluster a candidate switch must meet these requirements It is runn...

Page 96: ...es Cisco Discovery Protocol CDP to discover cluster member switches candidate switches neighboring switch clusters and edge devices across multiple VLANs and in star or cascaded topologies Note Do not disable CDP on the cluster command switch on cluster members or on any cluster capable switches that you might want a cluster command switch to discover For more information about CDP see Chapter 23 ...

Page 97: ... 5 1 Discovery Through CDP Hops Discovery Through Non CDP Capable and Noncluster Capable Devices If a cluster command switch is connected to a non CDP capable third party hub such as a non Cisco hub it can discover cluster enabled devices connected to that third party hub However if the cluster command switch is connected to a noncluster capable Cisco device it cannot discover a cluster enabled de...

Page 98: ...ected through at least one VLAN in common with the cluster command switch The cluster command switch in Figure 5 3 has ports assigned to VLANs 9 16 and 62 and therefore discovers the switches in those VLANs It does not discover the switch in VLAN 50 It also does not discover the switch in VLAN 16 in the first column because the cluster command switch has no VLAN connectivity to it Catalyst 2900 XL...

Page 99: ...itch cluster has a Catalyst 3750 switch or switch stack that switch or switch stack must be the cluster command switch The cluster command switch and standby command switch in Figure 5 4 assuming they are Catalyst 2960 Catalyst 2970 Catalyst 3550 Catalyst 3560 or Catalyst 3750 cluster command switches have ports assigned to VLANs 9 16 and 62 The management VLAN on the cluster command switch is VLA...

Page 100: ...o the VLAN of the immediately upstream neighbor The new switch also configures its access port to belong to the VLAN of the immediately upstream neighbor The cluster command switch in Figure 5 5 belongs to VLANs 9 and 16 When new cluster capable switches join the cluster One cluster capable switch and its access port are assigned to VLAN 9 The other cluster capable switch and its access port are a...

Page 101: ...the cluster standby group are ranked according to HSRP priorities The switch with the highest priority in the group is the active cluster command switch AC The switch with the next highest priority is the standby cluster command switch SC The other switches in the cluster standby group are the passive cluster command switches PC If the active cluster command switch and the standby cluster command ...

Page 102: ... also apply Standby cluster command switches must be the same type of switches as the cluster command switch For example if the cluster command switch is a Catalyst 2928 switch the standby cluster command switches must also be Catalyst 2928 switches Refer to the switch configuration guide of other cluster capable switches for their requirements on standby cluster command switches If your switch cl...

Page 103: ...n information to it The active cluster command switch only forwards cluster configuration information to the standby cluster command switch You must therefore rebuild the cluster This limitation applies to all clusters If the active cluster command switch fails and there are more than two switches in the cluster standby group the new cluster command switch does not discover any Catalyst 1900 Catal...

Page 104: ... for the switch is Switch If a switch joins a cluster and it does not have a hostname the cluster command switch appends a unique member number to its own hostname and assigns it sequentially as each switch joins the cluster The number means the order in which the switch was added to the cluster For example a cluster command switch named eng cluster could name the fifth cluster member eng cluster ...

Page 105: ...arly if RADIUS is configured on a cluster member it must be configured on all cluster members Further the same switch cluster cannot have some members configured with TACACS and other members configured with RADIUS For more information about TACACS see the Controlling Switch Access with TACACS section on page 8 10 For more information about RADIUS see the Controlling Switch Access with RADIUS sect...

Page 106: ...r switch is accessed at privilege level 15 Note The Catalyst 1900 and Catalyst 2820 CLI is available only on switches running Enterprise Edition Software For more information about the Catalyst 1900 and Catalyst 2820 switches refer to the installation and configuration guides for those switches Using SNMP to Manage Switch Clusters When you first power on the switch SNMP is enabled if you enter the...

Page 107: ...ts own IP address and community strings the cluster member switch can send traps directly to the management station without going through the cluster command switch If a cluster member switch has its own IP address and community strings they can be used in addition to the access provided by the cluster command switch For more information about SNMP and community strings see Chapter 29 Configuring ...

Page 108: ...5 16 Catalyst 2928 Switch Software Configuration Guide OL 23389 01 Chapter 5 Clustering Switches Using SNMP to Manage Switch Clusters ...

Page 109: ...ending on how the switch is used in the network You can select a template to provide maximum system usage for some functions or use the default template to balance resources To allocate ternary content addressable memory TCAM resources for different usages the switch SDM templates prioritize system resources to optimize support for certain features You can select SDM templates to optimize these fe...

Page 110: ...ke effect Setting the SDM Template Beginning in privileged EXEC mode follow these steps to use the SDM template to maximize feature usage After the system reboots you can use the show sdm prefer privileged EXEC command to verify the new template configuration If you enter the show sdm prefer command before you enter the reload privileged EXEC command the show sdm prefer command shows the template ...

Page 111: ...Templates Displaying the SDM Templates Displaying the SDM Templates Use the show sdm prefer privileged EXEC command with no parameters to display the active template Use the show sdm prefer default qos privileged EXEC command to display the resource numbers supported by the specified template ...

Page 112: ...6 4 Catalyst 2928 Switch Software Configuration Guide OL 23389 01 Chapter 6 Configuring SDM Templates Displaying the SDM Templates ...

Page 113: ... configuration such as the Network Time Protocol NTP or manual configuration methods Note For complete syntax and usage information for the commands used in this section see the Cisco IOS Configuration Fundamentals Command Reference Release 12 2 These sections contain this configuration information Understanding the System Clock page 7 1 Understanding Network Time Protocol page 7 2 Configuring NTP...

Page 114: ... atomic clock directly attached a stratum 2 time server receives its time through NTP from a stratum 1 time server and so on A device running NTP automatically chooses as its time source the device with the lowest stratum number with which it communicates through NTP This strategy effectively builds a self organizing tree of NTP speakers NTP avoids synchronizing to a device whose time might not be...

Page 115: ...isco s implementation of NTP allows a device to act as if it is synchronized through NTP when in fact it has learned the time by using other means Other devices then synchronize to that device through NTP When multiple sources of time are available NTP is always considered to be more authoritative NTP time overrides the time set by any other method Several manufacturers include NTP software for th...

Page 116: ... default All interfaces receive NTP packets Configuring NTP Authentication This procedure must be coordinated with the administrator of the NTP server the information you configure in this procedure must be matched by the servers used by the switch to synchronize its time to the NTP server Beginning in privileged EXEC mode follow these steps to authenticate the associations communications between ...

Page 117: ...ronizes to the other device and not the other way around Step 3 ntp authentication key number md5 value Define the authentication keys By default none are defined For number specify a key number The range is 1 to 4294967295 md5 specifies that message authentication support is provided by using the message digest algorithm 5 MD5 For value enter an arbitrary string of up to eight characters for the ...

Page 118: ...be configured to send or receive broadcast messages However the information flow is one way only Command Purpose Step 1 configure terminal Enter global configuration mode Step 2 ntp peer ip address version number key keyid source interface prefer or ntp server ip address version number key keyid source interface prefer Configure the switch system clock to synchronize a peer or to be synchronized b...

Page 119: ...urpose Step 1 configure terminal Enter global configuration mode Step 2 interface interface id Specify the interface to send NTP broadcast packets and enter interface configuration mode Step 3 ntp broadcast version number key keyid destination address Enable the interface to send NTP broadcast packets to a peer By default this feature is disabled on all interfaces Optional For number specify the N...

Page 120: ...se steps to control access to NTP services by using access lists Step 5 ntp broadcastdelay microseconds Optional Change the estimated round trip delay between the switch and the NTP broadcast server The default is 3000 microseconds the range is 1 to 999999 Step 6 end Return to privileged EXEC mode Step 7 show running config Verify your entries Step 8 copy running config startup config Optional Sav...

Page 121: ... use the no ntp access group query only serve only serve peer global configuration command This example shows how to configure the switch to allow itself to synchronize to a peer from access list 99 However the switch restricts access to allow only time requests from access list 42 Switch configure terminal Switch config ntp access group peer 99 Switch config ntp access group serve only 42 Switch ...

Page 122: ...dress is to be taken The specified interface is used for the source address for all packets sent to all destinations If a source address is to be used for a specific association use the source keyword in the ntp peer or ntp server global configuration command as described in the Configuring NTP Associations section on page 7 5 Command Purpose Step 1 configure terminal Enter global configuration mo...

Page 123: ... These sections contain this configuration information Setting the System Clock page 7 11 Displaying the Time and Date Configuration page 7 12 Configuring the Time Zone page 7 12 Configuring Summer Time Daylight Saving Time page 7 13 Setting the System Clock If you have an outside source on the network that provides time services such as an NTP server you do not need to manually set the system clo...

Page 124: ...e the time zone The minutes offset variable in the clock timezone global configuration command is available for those cases where a local time zone is a percentage of an hour different from UTC For example the time zone for some sections of Atlantic Canada AST is UTC 3 5 where the 3 means 3 hours and 5 means 50 percent In this case the necessary command is clock timezone AST 3 30 To set the time t...

Page 125: ...lock summer time PDT recurring 1 Sunday April 2 00 last Sunday October 2 00 Command Purpose Step 1 configure terminal Enter global configuration mode Step 2 clock summer time zone recurring week day month hh mm week day month hh mm offset Configure summer time to start and end on the specified days every year Summer time is disabled by default If you specify clock summer time zone recurring withou...

Page 126: ...t 20 characters of the system name are used as the system prompt A greater than symbol is appended The prompt is updated whenever the system name changes For complete syntax and usage information for the commands used in this section see the Cisco IOS Configuration Fundamentals Command Reference Release 12 2 and the Cisco IOS IP Command Reference Volume 2 of 3 Routing Protocols Release 12 2 Comman...

Page 127: ...cheme that allows a device to be identified by its location or domain Domain names are pieced together with periods as the delimiting characters For example Cisco Systems is a commercial organization that IP identifies by a com domain name so its domain name is cisco com A specific device in this domain for example the File Transfer Protocol FTP system is identified as ftp cisco com To keep track ...

Page 128: ... if the switch configuration comes from a BOOTP or Dynamic Host Configuration Protocol DHCP server then the default domain name might be set by the BOOTP or DHCP server if the servers were configured with this information Step 3 ip name server server address1 server address2 server address6 Specify the address of one or more name servers to use for name and address resolution You can specify up to...

Page 129: ...ip domain lookup global configuration command Displaying the DNS Configuration To display the DNS configuration information use the show running config privileged EXEC command Creating a Banner You can configure a message of the day MOTD and a login banner The MOTD banner displays on all connected terminals at login and is useful for sending messages that affect all network users such as impending...

Page 130: ...y authorized users are allowed For access contact technical support User Access Verification Password Configuring a Login Banner You can configure a login banner to be displayed on all connected terminals This banner appears after the MOTD banner and before the login prompt Command Purpose Step 1 configure terminal Enter global configuration mode Step 2 banner motd c message c Specify the message ...

Page 131: ...witch resets The address table lists the destination MAC address the associated VLAN ID and port number associated with the address and the type static or dynamic Note For complete syntax and usage information for the commands used in this section see the command reference for this release Building the Address Table page 7 20 MAC Addresses and VLANs page 7 20 Default MAC Address Table Configuratio...

Page 132: ...of the received packet Using the MAC address table the switch forwards the packet only to the port associated with the destination address If the destination address is on the port that sent the packet the packet is filtered and not forwarded The switch always uses the store and forward method complete packets are stored and checked for errors before transmission MAC Addresses and VLANs All addres...

Page 133: ...o verify that dynamic entries have been removed use the show mac address table dynamic privileged EXEC command Configuring MAC Address Notification Traps MAC address notification enables you to track users on a network by storing the MAC address activity on the switch Whenever the switch learns or removes a MAC address an SNMP notification can be generated and sent to the NMS If you have many user...

Page 134: ... server host command For notification type use the mac notification keyword Step 3 snmp server enable traps mac notification Enable the switch to send MAC address traps to the NMS Step 4 mac address table notification Enable the MAC address notification feature Step 5 mac address table notification interval value history size value Enter the trap interval time and the history table size Optional F...

Page 135: ...on added You can verify the previous commands by entering the show mac address table notification interface and the show mac address table notification privileged EXEC commands Adding and Removing Static Address Entries A static address has these characteristics It is manually entered in the address table and must be manually removed It can be a unicast or multicast address It does not age and is ...

Page 136: ...static mac addr vlan vlan id drop global configuration command one of these messages appears Only unicast addresses can be configured to be dropped CPU destined address cannot be configured as drop address Packets that are forwarded to the CPU are also not supported Command Purpose Step 1 configure terminal Enter global configuration mode Step 2 mac address table static mac addr vlan vlan id inter...

Page 137: ...d the VLAN from which it is received Beginning in privileged EXEC mode follow these steps to configure the switch to drop a source or destination unicast static address To disable unicast MAC address filtering use the no mac address table static mac addr vlan vlan id global configuration command This example shows how to enable unicast MAC address filtering and to configure the switch to drop pack...

Page 138: ...by the Subnetwork Access Protocol SNAP By default standard Ethernet style ARP encapsulation represented by the arpa keyword is enabled on the IP interface ARP entries added manually to the table do not age and must be manually removed For CLI procedures see the Cisco IOS Release 12 2 documentation on Cisco com Table 7 4 Commands for Displaying the MAC Address Table Command Description show ip igmp...

Page 139: ...ho dial from outside the network through an asynchronous port connect from outside the network through a serial port or connect through a terminal or workstation from within the local network To prevent unauthorized access into your switch you should configure one or more of these security features At a minimum you should configure passwords and privileges at each switch port These passwords are l...

Page 140: ...logged into a network device Note For complete syntax and usage information for the commands used in this section see the Cisco IOS Security Command Reference Release 12 2 Default Password and Privilege Level Configuration page 8 2 Setting or Changing a Static Enable Password page 8 3 Protecting Enable and Enable Secret Passwords with Encryption page 8 3 Disabling Password Recovery page 8 5 Settin...

Page 141: ...rivilege level you specify We recommend that you use the enable secret command because it uses an improved encryption algorithm If you configure the enable secret command it takes precedence over the enable password command the two commands cannot be in effect simultaneously Command Purpose Step 1 configure terminal Enter global configuration mode Step 2 enable password password Define a new passw...

Page 142: ...onfiguration mode Step 2 enable password level level password encryption type encrypted password or enable secret level level password encryption type encrypted password Define a new password or change an existing password for access to privileged EXEC mode or Define a secret password which is saved using a nonreversible encryption method Optional For level the range is from 0 to 15 Level 1 is nor...

Page 143: ...ocess and sets the system back to default values Do not keep a backup copy of the configuration file on the switch If the switch is operating in VTP transparent mode we recommend that you also keep a backup copy of the VLAN database file on a secure server When the switch is returned to the default system configuration you can download the saved files to the switch by using the Xmodem protocol For...

Page 144: ...ser can access the switch If you have defined privilege levels you can also assign a specific privilege level with associated rights and privileges to each username and password pair Command Purpose Step 1 Attach a PC or workstation with emulation software to the switch console port The default data characteristics of the console port are 9600 8 1 no parity You might need to press the Return key s...

Page 145: ...ion Setting the Privilege Level for a Command page 8 8 Changing the Default Privilege Level for Lines page 8 9 Logging into and Exiting a Privilege Level page 8 9 Command Purpose Step 1 configure terminal Enter global configuration mode Step 2 username name privilege level password encryption type password Enter the username privilege level and password for each user For name specify the user ID a...

Page 146: ...rpose Step 1 configure terminal Enter global configuration mode Step 2 privilege mode level level command Set the privilege level for a command For mode enter configure for global configuration mode exec for EXEC mode interface for interface configuration mode or line for line configuration mode For level the range is from 0 to 15 Level 1 is for normal user EXEC mode privileges Level 15 is the lev...

Page 147: ...and Exiting a Privilege Level Beginning in privileged EXEC mode follow these steps to log in to a specified privilege level and to exit to a specified privilege level Command Purpose Step 1 configure terminal Enter global configuration mode Step 2 line vty line Select the virtual terminal line on which to restrict access Step 3 privilege level level Change the default privilege level for the line ...

Page 148: ...s a security application that provides centralized validation of users attempting to gain access to your switch TACACS services are maintained in a database on a TACACS daemon typically running on a UNIX or Windows NT workstation You should have access to and should configure a TACACS server before the configuring TACACS features on your switch TACACS provides for separate and modular authenticati...

Page 149: ...session duration or protocol support You can also enforce restrictions on what commands a user can execute with the TACACS authorization feature Accounting Collects and sends information used for billing auditing and reporting to the TACACS daemon Network managers can use the accounting facility to track user activity for a security audit or to provide information for user billing Accounting recor...

Page 150: ...rnative method for authenticating the user CONTINUE The user is prompted for additional authentication information After authentication the user undergoes an additional authorization phase if authorization has been enabled on the switch Users must first successfully complete TACACS authentication before proceeding to TACACS authorization 3 If TACACS authorization is required the TACACS daemon is a...

Page 151: ...up servers to select a subset of the configured server hosts and use them for a particular service The server group is used with a global server host list and contains the list of IP addresses of the selected server hosts Beginning in privileged EXEC mode follow these steps to identify the IP host or host maintaining TACACS server and optionally set the encryption key Command Purpose Step 1 config...

Page 152: ...designate one or more security protocols to be used for authentication thus ensuring a backup system for authentication in case the initial method fails The software uses the first method listed to authenticate users if that method fails to respond the software selects the next authentication method in the method list This process continues until there is successful communication with a listed aut...

Page 153: ... the enable password global configuration command group tacacs Uses TACACS authentication Before you can use this authentication method you must configure the TACACS server For more information see the Identifying the TACACS Server Host and Setting the Authentication Key section on page 8 13 line Use the line password for authentication Before you can use this authentication method you must define...

Page 154: ...hat restrict a user s network access to privileged EXEC mode The aaa authorization exec tacacs local command sets these authorization parameters Use TACACS for privileged EXEC access authorization if authentication was performed by using TACACS Use the local database if authentication was not performed by using TACACS Note Authorization is bypassed for authenticated users who log in through the CL...

Page 155: ...ontrolling Switch Access with RADIUS This section describes how to enable and configure the RADIUS which provides detailed accounting information and flexible administrative control over authentication and authorization processes RADIUS is facilitated through AAA and can be enabled only through AAA commands Note For complete syntax and usage information for the commands used in this section see th...

Page 156: ...sers and to grant access to network resources Networks already using RADIUS You can add a Cisco switch containing a RADIUS client to the network This might be the first step when you make a transition to a TACACS server See Figure 8 2 on page 8 19 Network in which the user must only access a single service Using RADIUS you can control user access to a single host to a single utility such as Telnet...

Page 157: ...he user is either not authenticated and is prompted to re enter the username and password or access is denied c CHALLENGE A challenge requires additional data from the user d CHALLENGE PASSWORD A response requests the user to select a new password The ACCEPT or REJECT response is bundled with additional data that is used for privileged EXEC or network authorization Users must first successfully co...

Page 158: ... is exhausted You should have access to and should configure a RADIUS server before configuring RADIUS features on your switch These sections contain this configuration information Default RADIUS Configuration page 8 20 Identifying the RADIUS Server Host page 8 20 required Configuring RADIUS Login Authentication page 8 23 required Defining AAA Server Groups page 8 25 optional Configuring RADIUS Au...

Page 159: ...rver and the switch use a shared secret text string to encrypt passwords and exchange responses To configure RADIUS to use the AAA security commands you must specify the host running the RADIUS server daemon and a secret text key string that it shares with the switch The timeout retransmission and encryption key values can be configured globally for all RADIUS servers on a per server basis or in s...

Page 160: ...global configuration command setting If no timeout is set with the radius server host command the setting of the radius server timeout command is used Optional For retransmit retries specify the number of times a RADIUS request is resent to a server if that server is not responding or responding slowly The range is 1 to 1000 If no retransmit value is set with the radius server host command the set...

Page 161: ...list which by coincidence is named default The default method list is automatically applied to all ports except those that have a named method list explicitly defined A method list describes the sequence and authentication methods to be queried to authenticate a user You can designate one or more security protocols to be used for authentication thus ensuring a backup system for authentication in c...

Page 162: ...US server For more information see the Identifying the RADIUS Server Host section on page 8 20 line Use the line password for authentication Before you can use this authentication method you must define a line password Use the password password line configuration command local Use the local username database for authentication You must enter username information in the database Use the username na...

Page 163: ...e Release 12 2 Defining AAA Server Groups You can configure the switch to use AAA server groups to group existing server hosts for authentication You select a subset of the configured server hosts and use them for a particular service The server group is used with a global server host list which lists the IP addresses of the selected server hosts Server groups also can include multiple host entrie...

Page 164: ...value is set with the radius server host command the setting of the radius server retransmit global configuration command is used Optional For key string specify the authentication and encryption key used between the switch and the RADIUS daemon running on the RADIUS server Note The key is a text string that must match the encryption key used on the RADIUS server Always configure the key as the la...

Page 165: ...leged Access and Network Services AAA authorization limits the services available to a user When AAA authorization is enabled the switch uses information retrieved from the user s profile which is in the local user database or on the security server to configure the user s session The user is granted access to a requested service only if the information in the user profile allows it You can use th...

Page 166: ...disable accounting use the no aaa accounting network exec start stop method1 global configuration command Step 3 aaa authorization exec radius Configure the switch for user RADIUS authorization if the user has privileged EXEC access The exec keyword might return user profile information such as autocommand information Step 4 end Return to privileged EXEC mode Step 5 show running config Verify your...

Page 167: ...tes The full set of features available for TACACS authorization can then be used for RADIUS For example this AV pair activates Cisco s multiple named ip address pools feature during IP authorization during PPP IPCP address assignment cisco avpair ip addr pool first Command Purpose Step 1 configure terminal Enter global configuration mode Step 2 radius server key string Specify the shared secret te...

Page 168: ...wn unique vendor IDs options and associated VSAs For more information about vendor IDs and VSAs see RFC 2138 Remote Authentication Dial In User Service RADIUS Beginning in privileged EXEC mode follow these steps to configure the switch to recognize and use VSAs For a complete list of RADIUS attributes or more information about vendor specific attribute 26 see the RADIUS Attributes appendix in the ...

Page 169: ...al configuration command This example shows how to specify a vendor proprietary RADIUS host and to use a secret key of rad124 between the switch and the server Switch config radius server host 172 20 30 15 nonstandard Switch config radius server key rad124 Displaying the RADIUS Configuration To display the RADIUS configuration use the show running config privileged EXEC command Command Purpose Ste...

Page 170: ...ntication to use the local username database The default keyword applies the local user database authentication to all ports Step 4 aaa authorization exec local Configure user AAA authorization check the local database and allow the user to run an EXEC shell Step 5 aaa authorization network local Configure user AAA authorization for all network related service requests Step 6 username name privile...

Page 171: ...n_guide_chapter0918 6a00800ca7d5 html Note For complete syntax and usage information for the commands used in this section see the command reference for this release and the command reference for Cisco IOS Release 12 2 at this URL http www cisco com en US products sw iosswrel ps1835 products_command_reference_book09186a 0080087e33 html Understanding SSH SSH is a protocol that provides a secure rem...

Page 172: ...tion Standard AES symmetric encryption algorithm Configuring SSH Configuration Guidelines page 8 34 Setting Up the Switch to Run SSH page 8 35 required Configuring the SSH Server page 8 36 required only if you are configuring the switch as an SSH server Configuration Guidelines Follow these guidelines when configuring the switch as an SSH server or SSH client An RSA key pair generated by a SSHv1 s...

Page 173: ...ostname and an IP domain name and to generate an RSA key pair This procedure is required if you are configuring the switch as an SSH server To delete the RSA key pair use the crypto key zeroize rsa global configuration command After the RSA key pair is deleted the SSH server is automatically disabled Command Purpose Step 1 configure terminal Enter global configuration mode Step 2 hostname hostname...

Page 174: ...onds authentication retries number Configure the SSH control parameters Specify the time out value in seconds the default is 120 seconds The range is 0 to 120 seconds This parameter applies to the SSH negotiation phase After the connection is established the switch uses the default time out values of the CLI based sessions By default up to five simultaneous encrypted SSH connections for multiple C...

Page 175: ... the HTTPS HTTP Server and Client with SSL 3 0 feature description for Cisco IOS Release 12 2 44 SE at this URL http www cisco com en US products sw iosswrel ps1839 products_feature_guide09186a008015a4c6 html Understanding Secure HTTP Servers and Clients On a secure HTTP connection data to and from an HTTP server is encrypted before being sent over the Internet HTTP with SSL encryption provides a ...

Page 176: ...if you disable the secure HTTP server so that it will be there the next time you re enable a secure HTTP connection If a self signed certificate has been generated this information is included in the output of the show running config privileged EXEC command This is a partial sample output from that command displaying a self signed certificate Switch show running config Building configuration outpu...

Page 177: ...st defines the CipherSuites supported by the switch and ranks them from fastest to slowest in terms of router processing load speed 1 SSL_RSA_WITH_DES_CBC_SHA RSA key exchange RSA Public Key Cryptography with DES CBC for message encryption and SHA for message digest 2 SSL_RSA_WITH_RC4_128_MD5 RSA key exchange with RC4 128 bit encryption and MD5 for message digest 3 SSL_RSA_WITH_RC4_128_SHA RSA key...

Page 178: ...y generate rsa Optional Generate an RSA key pair RSA key pairs are required before you can obtain a certificate for the switch RSA key pairs are generated automatically You can use this command to regenerate the keys if needed Step 5 crypto ca trustpoint name Specify a local configuration name for the CA trustpoint and enter CA trustpoint configuration mode Step 6 enrollment url url Specify the UR...

Page 179: ...http secure port port number Optional Specify the port number to be used for the HTTPS server The default port number is 443 Valid options are 443 or any number in the range 1025 to 65535 Step 5 ip http secure ciphersuite 3des ede cbc sha rc4 128 md5 rc4 128 sha des cbc sha Optional Specify the CipherSuites encryption algorithms to be used for encryption over the HTTPS connection If you do not hav...

Page 180: ...lient authentication connections to the secure HTTP client fail Beginning in privileged EXEC mode follow these steps to configure a secure HTTP client Step 11 ip http timeout policy idle seconds life seconds requests value Optional Specify how long a connection to the HTTP server can remain open under the defined circumstances idle the maximum time period when no data is received or response data ...

Page 181: ...nabling SCP you must correctly configure SSH authentication and authorization on the switch Because SCP relies on SSH for its secure transport the router must have an Rivest Shamir and Adelman RSA key pair Note When using SCP you cannot enter the password into the copy command You must enter the password when prompted Step 3 ip http client secure ciphersuite 3des ede cbc sha rc4 128 md5 rc4 128 sh...

Page 182: ...ation and accounting AAA authorization be configured so the router can determine whether the user has the correct privilege level A user who has appropriate authorization can use SCP to copy any file in the Cisco IOS File System IFS to and from a switch by using the copy command An authorized administrator can also do this from a workstation For information about how to configure and verify SCP se...

Page 183: ...1x standard defines a client server based access control and authentication protocol that prevents clients from connecting to a LAN through publicly accessible ports unless they are authenticated The authentication server authenticates each client connected to a switch port before making available any services offered by the switch or the LAN Until the client is authenticated IEEE 802 1x access co...

Page 184: ...re such as that offered in the Microsoft Windows XP operating system The client is the supplicant in the IEEE 802 1x standard Note To resolve Windows XP network connectivity and IEEE 802 1x authentication issues read the Microsoft Knowledge Base article at this URL http support microsoft com support kb articles Q303 5 97 ASP Authentication server performs the actual authentication of the client Th...

Page 185: ...ame header is removed leaving the EAP frame which is then encapsulated for Ethernet and sent to the client The devices that can act as intermediaries include the Catalyst 3750 E Catalyst 3560 E Catalyst 3750 Catalyst 3560 Catalyst 3550 Catalyst 2970 Catalyst 2960 Catalyst 2955 Catalyst 2950 Catalyst 2940 switches or a wireless access point These devices must be running software that supports the R...

Page 186: ...n Timeout RADIUS attribute Attribute 27 specifies the time after which re authentication occurs 141679 Yes No Client identity is invalid All authentication servers are down All authentication servers are down Client identity is valid The switch gets an EAPOL message and the EAPOL message exchange begins Yes No 1 1 1 1 This occurs if the switch does not detect EAPOL packets from the client Client M...

Page 187: ...frame However if during boot up the client does not receive an EAP request identity frame from the switch the client can initiate authentication by sending an EAPOL start frame which prompts the switch to request the client s identity Note If IEEE 802 1x authentication is not enabled or supported on the network access device any EAPOL frames from the client are dropped If the client does not recei...

Page 188: ...the port becomes authorized If authorization fails and a guest VLAN is specified the switch assigns the port to the guest VLAN If the switch detects an EAPOL packet while waiting for an Ethernet packet the switch stops the MAC authentication bypass process and stops IEEE 802 1x authentication Figure 9 4 shows the message exchange during MAC authentication bypass Figure 9 4 Message Exchange During ...

Page 189: ... 1x based authentication of the client This is the default setting force unauthorized causes the port to remain in the unauthorized state ignoring all attempts by the client to authenticate The switch cannot provide authentication services to the client through the port auto enables IEEE 802 1x authentication and causes the port to begin in the unauthorized state allowing only EAPOL frames to be s...

Page 190: ... standard defines how users are authorized and authenticated for network access but does not keep track of network usage IEEE 802 1x accounting is disabled by default You can enable IEEE 802 1x accounting to monitor this activity on IEEE 802 1x enabled ports User successfully authenticates User logs off Link down occurs Re authentication successfully occurs Re authentication fails The switch does ...

Page 191: ...he username of the client connected to the switch port You can use this feature to limit network access for certain users Table 9 1 Accounting AV Pairs Attribute Number AV Pair Name START INTERIM STOP Attribute 1 User Name Always Always Always Attribute 4 NAS IP Address Always Always Always Attribute 5 NAS Port Always Always Always Attribute 8 Framed IP Address Never Sometimes1 1 The Framed IP Add...

Page 192: ...EE 802 1x authentication and port security are enabled on a port the port is placed in the RADIUS server assigned VLAN If IEEE 802 1x authentication is disabled on the port it is returned to the configured access VLAN When the port is in the force authorized force unauthorized unauthorized or shutdown state it is put into the configured access VLAN If an IEEE 802 1x port is authenticated and put i...

Page 193: ...e no shutdown interface configuration command to restart the port To allow network access to clients that failed authentication configure a restricted VLAN by entering the dot1x auth fail vlan vlan id interface configuration command If devices send EAPOL packets to the switch during the lifetime of the link the switch no longer allows clients that fail authentication access to the guest VLAN Note ...

Page 194: ...led attempt counter resets Users who fail authentication remain in the restricted VLAN until the next re authentication attempt A port in the restricted VLAN tries to re authenticate at configured intervals the default is 60 seconds If re authentication fails the port remains in the restricted VLAN If re authentication is successful the port moves either to the configured VLAN or to a VLAN sent by...

Page 195: ...t you cannot configure a port VLAN that is equal to a voice VLAN Note If you enable IEEE 802 1x authentication on an access port on which a voice VLAN is configured and to which a Cisco IP Phone is connected the Cisco IP phone loses connectivity to the switch for up to 30 seconds For more information about voice VLANs see Chapter 15 Configuring Voice VLAN Using IEEE 802 1x Authentication with Port...

Page 196: ...ces such as printers If IEEE 802 1x authentication times out while waiting for an EAPOL response from the client the switch tries to authorize the client by using MAC authentication bypass When the MAC authentication bypass feature is enabled on an IEEE 802 1x port the switch uses the MAC address as the client identity The authentication server has a database of client MAC addresses that are allow...

Page 197: ...ion with Voice VLAN Ports section on page 9 13 VLAN Membership Policy Server VMPS IEEE802 1x and VMPS are mutually exclusive Private VLAN You can assign a client to a private VLAN 802 1x Authentication with Restricted VLAN You can configure a restricted VLAN also referred to as an authentication failed VLAN for each 802 1x port on a switch to provide limited services to clients that cannot access ...

Page 198: ... address or if the maximum secure address count is reached the port becomes unauthorized and error disabled Other port security features such as dynamic ARP Inspection DHCP snooping and IP source guard can be configured independently on a restricted VLAN For more information see the Configuring MAC Authentication Bypass section on page 9 31 Common Session ID Authentication manager uses a single se...

Page 199: ... Number page 9 26 optional Setting the Re Authentication Number page 9 27 optional Configuring IEEE 802 1x Accounting page 9 27 optional Configuring a Guest VLAN page 9 28 optional Configuring a Restricted VLAN page 9 29 optional Configuring MAC Authentication Bypass page 9 31 optional Disabling IEEE 802 1x Authentication on the Port page 9 31 optional Resetting the IEEE 802 1x Authentication Conf...

Page 200: ... of times that the switch restarts the authentication process before the port changes to the unauthorized state Quiet period 60 seconds number of seconds that the switch remains in the quiet state following a failed authentication exchange with the client Retransmission time 30 seconds number of seconds that the switch should wait for a response to an EAP request identity frame from the client bef...

Page 201: ...and IEEE 802 1x authentication is not enabled If you try to change the mode of an IEEE 802 1x enabled port to trunk an error message appears and the port mode is not changed Dynamic ports A port in dynamic mode can negotiate with its neighbor to become a trunk port If you try to enable IEEE 802 1x authentication on a dynamic port an error message appears and IEEE 802 1x authentication is not enabl...

Page 202: ...EEE 802 1x client type MAC Authentication Bypass These are the MAC authentication bypass configuration guidelines Unless otherwise stated the MAC authentication bypass guidelines are the same as the IEEE 802 1x authentication guidelines For more information see the IEEE 802 1x Authentication section on page 9 19 If you disable MAC authentication bypass from a port after the port has been authorize...

Page 203: ... 802 1x authentication method list To create a default list that is used when a named list is not specified in the authentication command use the default keyword followed by the method that is to be used in default situations The default method list is automatically applied to all ports For method1 enter the group radius keywords to use the list of all RADIUS servers for authentication Note Though...

Page 204: ...s section on page 9 19 Step 11 end Return to privileged EXEC mode Step 12 show dot1x Verify your entries Step 13 copy running config startup config Optional Save your entries in the configuration file Command Purpose Command Purpose Step 1 configure terminal Enter global configuration mode Step 2 radius server host hostname ip address auth port port number key string Configure the RADIUS server pa...

Page 205: ... 802 1x authorized port that has the dot1x port control interface configuration command set to auto This procedure is optional To disable multiple hosts on the port use the no dot1x host mode multi host interface configuration command This example shows how to enable IEEE 802 1x authentication and to allow multiple hosts Switch config interface gigabitethernet 0 1 Switch config if dot1x port contr...

Page 206: ...he client connected to a specific port at any time by entering the dot1x re authenticate interface interface id privileged EXEC command This step is optional If you want to enable or disable periodic re authentication see the Configuring Periodic Re Authentication section on page 9 24 This example shows how to manually re authenticate the client connected to a port Switch dot1x re authenticate int...

Page 207: ...me and then resends the frame Note You should change the default value of this command only to adjust for unusual circumstances such as unreliable links or specific behavioral problems with certain clients and authentication servers Beginning in privileged EXEC mode follow these steps to change the amount of time that the switch waits for client notification This procedure is optional Command Purp...

Page 208: ...in privileged EXEC mode follow these steps to set the switch to client frame retransmission number This procedure is optional To return to the default retransmission number use the no dot1x max req interface configuration command This example shows how to set 5 as the number of times that the switch sends an EAP request identity request before restarting the authentication process Switch config if...

Page 209: ...g allows system reload events to be sent to the accounting RADIUS server for logging The server can then infer that all active IEEE 802 1x sessions are closed Because RADIUS uses the unreliable UDP transport protocol accounting messages might be lost due to poor network conditions If the switch does not receive the accounting response message from the RADIUS server after a configurable number of r...

Page 210: ...you configure a guest VLAN clients that are not IEEE 802 1x capable are put into the guest VLAN when the server does not receive a response to its EAP request identity frame Clients that are IEEE 802 1x capable but that fail authentication are not granted network access The switch supports guest VLANs in single host or multiple hosts mode Beginning in privileged EXEC mode follow these steps to con...

Page 211: ...tication server does not receive a valid username and password The switch supports restricted VLANs only in single host mode Beginning in privileged EXEC mode follow these steps to configure a restricted VLAN This procedure is optional Step 3 switchport mode access or switchport mode private vlan host Set the port to access mode or Configure the port as a private VLAN host port Step 4 dot1x port c...

Page 212: ...ctive VLAN as an IEEE 802 1x restricted VLAN The range is 1 to 4094 You can configure any active VLAN except an RSPAN VLAN or a voice VLAN as an IEEE 802 1x restricted VLAN Step 6 end Return to privileged EXEC mode Step 7 show dot1x interface interface id Optional Verify your entries Step 8 copy running config startup config Optional Save your entries in the configuration file Command Purpose Comm...

Page 213: ...t1x pae authenticator interface configuration command Command Purpose Step 1 configure terminal Enter global configuration mode Step 2 interface interface id Specify the port to be configured and enter interface configuration mode For the supported port types see the IEEE 802 1x Authentication Configuration Guidelines section on page 9 19 Step 3 dot1x port control auto Enable IEEE 802 1x authentic...

Page 214: ...x administrative and operational status for the switch use the show dot1x all details statistics summary privileged EXEC command To display the IEEE 802 1x administrative and operational status for a specific port use the show dot1x interface interface id privileged EXEC command For detailed information about the fields in these displays see the command reference for this release Beginning with Ci...

Page 215: ...nterfaces When you initiate an HTTP session web based authentication intercepts ingress HTTP packets from the host and sends an HTML login page to the users The users enter their credentials which the web based authentication feature sends to the authentication authorization and accounting AAA server for authentication If authentication succeeds web based authentication sends a Login Successful HT...

Page 216: ...tication status of the client The switch acts as an intermediary proxy between the client and the authentication server requesting identity information from the client verifying that information with the authentication server and relaying a response to the client Figure 10 1 shows the roles of these devices in a network Figure 10 1 Web Based Authentication Device Roles Host Detection The switch ma...

Page 217: ...ord and the switch sends the entries to the authentication server If the authentication succeeds the switch downloads and activates the user s access policy from the authentication server The login success page is sent to the user If the authentication fails the switch sends the login fail page The user retries the login If the maximum number of attempts fails the switch sends the login expired pa...

Page 218: ...n command The default banner Cisco Systems and Switch host name Authentication appear on the Login Page Cisco Systems appears on the authentication result pop up page as shown in Figure 10 2 Figure 10 2 Authentication Successful Banner You can also customize the banner as shown in Figure 10 3 Add a switch router or company name to the banner by using the ip admission auth proxy banner http banner ...

Page 219: ...Banner If you do not enable a banner only the username and password dialog boxes appear in the web authentication login screen and no banner appears when you log into the switch as shown in Figure 10 4 Figure 10 4 Login Screen With No Banner For more information see the Cisco IOS Security Command Reference and the Configuring a Web Authentication Local Banner section on page 10 16 ...

Page 220: ... set a hidden password or to confirm that the same page is not submitted twice The CLI command to redirect users to a specific URL is not available when the configured login form is enabled The administrator should ensure that the redirection is configured in the web page If the CLI command redirecting users to specific URL after authentication occurs is entered and then the command configuring we...

Page 221: ...AN Port IP page 10 8 Gateway IP page 10 8 ACLs page 10 8 Context Based Access Control page 10 8 802 1x Authentication page 10 8 EtherChannel page 10 8 Port Security You can configure web based authentication and port security on the same port Web based authentication authenticates the port and port security manages network access for all MAC addresses including that of the client You can then limi...

Page 222: ...tion host policy ACLs If you configure a VLAN ACL or a Cisco IOS ACL on an interface the ACL is applied to the host traffic only after the web based authentication host policy is applied For Layer 2 web based authentication you must configure a port ACL PACL as the default access policy for ingress traffic from hosts connected to the port After authentication the web based authentication host poli...

Page 223: ...ure You can configure web based authentication only on access ports Web based authentication is not supported on trunk ports EtherChannel member ports or dynamic trunk ports You must configure the default ACL on the interface before configuring web based authentication Configure a port ACL for a Layer 2 interface or a Cisco IOS ACL for a Layer 3 interface You cannot authenticate hosts on Layer 2 i...

Page 224: ...ation Cache Entries page 10 17 Configuring the Authentication Rule and Interfaces This example shows how to enable web based authentication on Fast Ethernet port 5 1 Switch config ip admission name webauth1 proxy http Switch config interface fastethernet 5 1 Switch config if ip admission webauth1 Switch config if exit Switch config ip device tracking Command Purpose Step 1 ip admission name name p...

Page 225: ...ntication login default group tacacs Switch config aaa authorization auth proxy default group tacacs Configuring Switch to RADIUS Server Communication RADIUS security servers identification Host name Host IP address Host name and specific UDP port numbers IP address and specific UDP port numbers Command Purpose Step 1 aaa new model Enables AAA functionality Step 2 aaa authentication login default ...

Page 226: ...or all RADIUS servers by using with the radius server host global configuration command If you want to configure these options on a per server basis use the radius server timeout radius server retransmit and the radius server key global configuration commands For more information see the Cisco IOS Security Configuration Guide Release 12 2 and the Cisco IOS Security Command Reference Release 12 2 h...

Page 227: ...p secure secure command the login page is always in HTTPS secure HTTP even if the user sends an HTTP request Customizing the Authentication Proxy Web Pages Specifying a Redirection URL for Successful Login Customizing the Authentication Proxy Web Pages You can configure web authentication to display four substitute HTML pages to the user in place of the switch default HTML pages during web based a...

Page 228: ...e and password and must show them as uname and pwd The custom login page should follow best practices for a web form such as page timeout hidden password and prevention of redundant submissions This example shows how to configure custom authentication proxy web pages Switch config ip admission proxy http login page file flash login htm Switch config ip admission proxy http success page file flash ...

Page 229: ...ebpage not configured HTTP Authentication success redirect to URL http www cisco com Authentication global cache time is 60 minutes Authentication global absolute time is 0 minutes Authentication global init state time is 2 minutes Authentication Proxy Watch list is disabled Authentication Proxy Max HTTP process is 7 Authentication Proxy Auditing is disabled Max Login attempts per user is 5 Config...

Page 230: ...mum number of failed login attempts to 10 Switch config ip admission max login attempts 10 Configuring a Web Authentication Local Banner Beginning in privileged EXEC mode follow these steps to configure a local banner on a switch that has web authentication configured Command Purpose Step 1 ip admission max login attempts number Set the maximum number of failed login attempts The range is 1 to 214...

Page 231: ...c ports This example shows how to view only the global web based authentication status Switch show authentication sessions This example shows how to view the web based authentication settings for gigabit interface 3 27 Switch show authentication sessions interface gigabitethernet 3 27 Step 3 end Return to privileged EXEC mode Step 4 copy running config startup config Optional Save your entries in ...

Page 232: ...10 18 Catalyst 2928 Switch Software Configuration Guide OL 23389 01 Chapter 10 Configuring Web Based Authentication Displaying Web Based Authentication Status ...

Page 233: ...es stringed network access control that binds six parameters User name Password IP address MAC address VLAN ID Port number The Catalyst 2928 switch works with a third party system that includes a DHCP server portal server policy server RADIUS server and billing system Together the switch and the third party system implement the binding of the six parameters through a combination of web authenticat...

Page 234: ... accounting data Configuring Portal Based Authentication Default Portal Based Authentication Configuration page 11 2 Enabling Portal Based Authentication on the Switch page 11 3 Enabling Portal Based Authentication on an Interface page 11 4 Configuring the Switch to RADIUS Server Communication page 11 4 Default Portal Based Authentication Configuration Portal based authentication is disabled by de...

Page 235: ...For additional portal based authentication show commands see the Monitoring Portal Based Authentication section on page 11 6 Command Purpose Step 1 configure terminal Enter global configuration mode Step 2 ip portal auth Globally enable IP portal authentication on the switch Step 3 ip portal auth vlan vlan id Optional Configure IP portal authentication on a specific VLAN You can configure portal a...

Page 236: ...me IP address If two different host entries on the same RADIUS server are configured for the same service for example authentication the second host entry configured acts as the fail over backup to the first one The RADIUS host entries are tried in the order that they were configured Beginning in privileged EXEC mode follow these steps to configure the RADIUS server parameters on the switch This p...

Page 237: ...the switch and the key string to be shared by both the server and the switch For more information see the RADIUS server documentation Step 5 radius server attribute nas port format e VVVVVVVVVVVVVVVVVVVVVV VVVVVVVVVV Set the NAS Port format to be used for RADIUS accounting features Step 6 radius server host hostname ip address auth port port number acct port port number key string Configure the RA...

Page 238: ...r more of these commands beginning in privileged EXEC mode Command Description show platform ip portal auth Display global information about portal based authentication show platform ip portal auth user detailed Display portal based authentication user information in brief or detailed format show platform ip portal auth user interface interface id detailed Display portal based authentication user ...

Page 239: ... and usage information for the commands used in this chapter see the switch command reference for this release and the online Cisco IOS Interface Command Reference Release 12 2 Understanding Interface Types This section describes the different types of interfaces supported by the switch with references to chapters that contain more detailed information about configuring these interface types The r...

Page 240: ...se When VTP mode is transparent the VTP and VLAN configuration is saved in the switch running configuration and you can save it in the switch startup configuration file by entering the copy running config startup config privileged EXEC command Add ports to a VLAN by using the switchport interface configuration commands Identify the interface For a trunk port set trunk characteristics and if desire...

Page 241: ...embership by configuring an allowed list of VLANs for each trunk port The list of allowed VLANs does not affect any other port but the associated trunk port By default all possible VLANs VLAN ID 1 to 4094 are in the allowed list A trunk port can become a member of a VLAN only if VTP knows of the VLAN and if the VLAN is in the enabled state If VTP learns of a new enabled VLAN and the VLAN is in the...

Page 242: ...ls and standards to support PoE CDP with power consumption The powered device notifies the switch of the amount of power it is consuming The switch does not reply to the power consumption messages The switch can only supply power to or remove power from the PoE port Cisco intelligent power management The powered device and the switch negotiate through power negotiation CDP messages for an agreed p...

Page 243: ...available The switch tracks its power budget the amount of power available on the switch for PoE The switch performs power accounting calculations when a port is granted or denied power to keep the power budget up to date After power is applied to the port the switch uses CDP to determine the actual power consumption requirement of the connected Cisco powered devices and the switch adjusts the pow...

Page 244: ...ttage the switch delivers the maximum value Use the auto setting on any PoE port The auto mode is the default setting static The switch pre allocates power to the port even when no powered device is connected and guarantees that power will be available for the port The switch allocates the port configured maximum wattage and the amount is never adjusted through the IEEE class or by CDP messages fr...

Page 245: ...nually re enable the PoE port by using the shutdown and no shutdown interface configuration commands 4 If policing is disabled no action occurs when the powered device consumes more than the maximum power allocation on the PoE port which could adversely affect the switch Maximum Power Allocation Cutoff Power on a PoE Port When power policing is enabled the switch determines the cutoff power on the...

Page 246: ...onnected devices on the port if the device needs up to 6 3 W If the CDP power negotiated value or the IEEE classification value exceeds the configured cutoff value the switch does not provide power to the connected device After the switch turns on power to the PoE port the switch does not police the real time power consumption of the device and the device can consume more power than the maximum al...

Page 247: ... Interfaces section on page 12 10 To configure a physical interface port specify the interface type module number and switch port number and enter interface configuration mode Type Fast Ethernet fastethernet or fa for 10 100 Mb s Ethernet Gigabit Ethernet gigabitethernet or gi for 10 100 1000 Mb s Ethernet ports or small form factor pluggable SFP module Gigabit Ethernet interfaces Module number Th...

Page 248: ... 0 1 gigabitethernet0 1 gi 0 1 or gi0 1 Step 3 Follow each interface command with the interface configuration commands that the interface requires The commands that you enter define the protocols and applications that will run on the interface The commands are collected and applied to the interface when you enter another interface command or enter end to return to privileged EXEC mode You can also...

Page 249: ...nd only works with VLAN interfaces that have been configured with the interface vlan command The show running config privileged EXEC command displays the configured VLAN interfaces VLAN interfaces not displayed by the show running config command cannot be used with the interface range command Command Purpose Step 1 configure terminal Enter global configuration mode Step 2 interface range port rang...

Page 250: ...mode Configuring and Using Interface Range Macros You can create an interface range macro to automatically select a range of interfaces for configuration Before you can use the macro keyword in the interface range macro global configuration command string you must use the define interface range global configuration command to define the macro Beginning in privileged EXEC mode follow these steps to...

Page 251: ...ing config command cannot be used as interface ranges All interfaces defined as in a range must be the same type all Fast Ethernet ports all Gigabit Ethernet ports all EtherChannel ports or all VLANs but you can combine multiple interface types in a macro This example shows how to define an interface range named enet_list to include ports 1 and 2 and to verify the macro configuration Switch config...

Page 252: ...ils on controlling traffic to the port see Chapter 22 Configuring Port Based Traffic Control Table 12 2 Default Layer 2 Ethernet Interface Configuration Feature Default Setting Allowed VLAN range VLANs 1 to 4094 Default VLAN for access ports VLAN 1 Native VLAN for IEEE 802 1Q trunks VLAN 1 VLAN trunking Switchport mode dynamic auto supports DTP Port enable state All ports are enabled Port descript...

Page 253: ...onal Spanning Tree Configuration section on page 18 9 Auto MDIX Enabled Note The switch might not support a pre standard powered device such as Cisco IP phones and access points that do not fully support IEEE 802 3af if that powered device is connected to the switch through a crossover cable This is regardless of whether auto MIDX is enabled on the switch port Power over Ethernet PoE Enabled auto ...

Page 254: ...he RJ 45 side The switch does not have this behavior with 100BASE FX GE SFP modules Step 3 media type auto select rj45 sfp Select the interface and type of a dual purpose uplink port The keywords have these meanings auto select The switch dynamically selects the type When link up is achieved the switch disables the other type until the active link goes down When the active link goes down the switc...

Page 255: ...duplex options auto half and full However Gigabit Ethernet ports operating at 1000 Mb s do not support half duplex mode For SFP module ports the speed and duplex CLI options change depending on the SFP module type The 1000BASE x where x is BX CWDM LX SX and ZX SFP module ports support the nonegotiate keyword in the speed interface configuration command Duplex options are not supported The 1000BASE...

Page 256: ...interface configuration mode Step 3 speed 10 100 1000 auto 10 100 1000 nonegotiate Enter the appropriate speed parameter for the interface Enter 10 100 or 1000 to set a specific speed for the interface The 1000 keyword is available only for 10 100 1000 Mb s ports Enter auto to enable the interface to autonegotiate speed with the connected device If you use the 10 100 or the 1000 keywords with the ...

Page 257: ...tached device that is required to send flow control packets or with an attached device that is not required to but can send flow control packets These rules apply to flow control settings on the device receive on or desired The port cannot send pause frames but can operate with an attached device that is required to or can send pause frames the port can receive pause frames receive off Flow contro...

Page 258: ...terfaces It is not supported on 1000BASE SX or LX SFP module interfaces Table 12 3 shows the link states that result from auto MDIX settings and correct and incorrect cabling Beginning in privileged EXEC mode follow these steps to configure auto MDIX on an interface To disable auto MDIX use the no mdix auto interface configuration command This example shows how to enable auto MDIX on a port Switch...

Page 259: ...changes the port being configured drops power Depending on the new configuration the state of the other PoE ports and the state of the power budget the port might not be powered up again For example port 1 is in the auto and on state and you configure it for static mode The switch removes power from port 1 detects the powered device and repowers the port If port 1 is in the auto and on state and y...

Page 260: ...efault power requirement specified by the IEEE classification The difference between what is mandated by the IEEE classification and what is actually needed by the device is reclaimed into the global power budget for use by additional devices You can then extend the switch power budget and use it more effectively Step 3 power inline auto max max wattage never static max max wattage Configure the P...

Page 261: ...versubscribe the power supply It is recommended to enable power policing if the switch supports it Refer to documentation If the power supply is over subscribed to by up to 20 percent the switch continues to operate but its reliability is reduced If the power supply is subscribed to by more than 20 percent the short circuit protection circuitry triggers and shuts the switch down For more informati...

Page 262: ... Power Monitoring and Power Policing section Beginning in privileged EXEC mode follow these steps to enable policing of the real time power consumption of a powered device connected to a PoE port Command Purpose Step 1 configure terminal Enter global configuration mode Step 2 no cdp run Optional Disable CDP Step 3 interface interface id Specify the physical port to be configured and enter interfac...

Page 263: ...able error detection for the PoE error disabled cause by using the errdisable detect cause inline power global configuration command You can also enable the timer to recover from the PoE error disabled state by using the errdisable recovery cause inline power interval interval global configuration command Generate a syslog message while still providing power to the port Enter the power inline poli...

Page 264: ...ffected by the system jumbo mtu command If you do not configure the system mtu jumbo command the setting of the system mtu command applies to all Gigabit Ethernet interfaces You cannot set the MTU size for an individual interface you set it for all 10 100 or all Gigabit Ethernet interfaces on the switch When you change the system or jumbo MTU size you must reset the switch before the new configura...

Page 265: ... an out of range number Switch config system mtu jumbo 25000 Invalid input detected at marker Monitoring and Maintaining the Interfaces These sections contain interface monitoring and maintenance information Monitoring Interface Status page 12 28 Clearing and Resetting Interfaces and Counters page 12 28 Shutting Down and Restarting the Interface page 12 29 Command Purpose Step 1 configure terminal...

Page 266: ...rfaces interface id description Display the description configured on an interface or all interfaces and the interface status show ip interface interface id Display the usability status of all interfaces configured for IP routing or the specified interface show interface interface id stats Display the input and output packets by the switching path for the interface show interfaces transceiver prop...

Page 267: ...an interface disables all functions on the specified interface and marks the interface as unavailable on all monitoring command displays This information is communicated to other network servers through all dynamic routing protocols The interface is not mentioned in any routing updates Beginning in privileged EXEC mode follow these steps to shut down an interface Use the no shutdown interface conf...

Page 268: ...12 30 Catalyst 2928 Switch Software Configuration Guide OL 23389 01 Chapter 12 Configuring Interface Characteristics Monitoring and Maintaining the Interfaces ...

Page 269: ...lly segmented by function project team or application without regard to the physical locations of the users VLANs have the same attributes as physical LANs but you can group end stations even if they are not physically located on the same LAN segment Any switch port can belong to a VLAN and unicast broadcast and multicast packets are forwarded and flooded only to end stations in the VLAN Each VLAN...

Page 270: ...AN IDs 1002 through 1005 are reserved for Token Ring and FDDI VLANs VTP only learns normal range VLANs with VLAN IDs 1 to 1005 VLAN IDs greater than 1005 are extended range VLANs and are not stored in the VLAN database The switch must be in VTP transparent mode when you create VLAN IDs from 1006 to 4094 Although the switch supports a total of 64 normal range and extended range VLANs the number of ...

Page 271: ...g the allowed VLAN list You can also modify the pruning eligible list to block flooded traffic to VLANs on trunk ports that are included in the list For information about configuring trunk ports see the Configuring an Ethernet Interface as a Trunk Port section on page 13 14 VTP is recommended but not required VTP maintains VLAN configuration consistency by managing the addition deletion and renami...

Page 272: ... described in these sections and in the command reference for this release To change the VTP configuration see Chapter 14 Configuring VTP You use the interface configuration mode to define the port membership mode and to add and remove ports from VLANs The results of these commands are written to the running configuration file and you can display the file by entering the show running config privil...

Page 273: ...LAN Configuration Guidelines Follow these guidelines when creating and modifying normal range VLANs in your network The switch supports 64 VLANs in VTP client server and transparent modes Normal range VLANs are identified with a number between 1 and 1001 VLAN numbers 1002 through 1005 are reserved for Token Ring and FDDI VLANs VLAN configuration for VLANs 1 to 1005 are always saved in the VLAN dat...

Page 274: ...al configuration command description in the command reference for this release When you have finished the configuration you must exit VLAN configuration mode for the configuration to take effect To display the VLAN configuration enter the show vlan privileged EXEC command Saving VLAN Configuration The configurations of VLAN IDs 1 to 1005 are always saved in the VLAN database vlan dat file If the V...

Page 275: ...te When the switch is in VTP transparent mode you can assign VLAN IDs greater than 1006 but they are not added to the VLAN database See the Configuring Extended Range VLANs section on page 13 10 For the list of default parameters that are assigned when you add a VLAN see the Configuring Normal Range VLANs section on page 13 4 Table 13 2 Ethernet VLAN Defaults and Ranges Parameter Default Range VLA...

Page 276: ...come inactive They remain associated with the VLAN and thus inactive until you assign them to a new VLAN Command Purpose Step 1 configure terminal Enter global configuration mode Step 2 vlan vlan id Enter a VLAN ID and enter VLAN configuration mode Enter a new VLAN ID to create a VLAN or enter an existing VLAN ID to modify that VLAN Note The available VLAN ID range for this command is 1 to 4094 Fo...

Page 277: ...er line End with CNTL Z Switch config interface gigabitethernet0 1 Command Purpose Step 1 configure terminal Enter global configuration mode Step 2 no vlan vlan id Remove the VLAN by entering the VLAN ID Step 3 end Return to privileged EXEC mode Step 4 show vlan brief Verify the VLAN removal Step 5 copy running config startup config Optional If the switch is in VTP transparent mode the VLAN config...

Page 278: ...reating an Extended Range VLAN page 13 11 Default VLAN Configuration See Table 13 2 on page 13 7 for the default configuration for Ethernet VLANs You can change only the MTU size and the remote SPAN configuration state on extended range VLANs all other characteristics must remain at the default state Extended Range VLAN Configuration Guidelines Follow these guidelines when creating extended range ...

Page 279: ... are not saved in the VLAN database they are saved in the switch running configuration file You can save the extended range VLAN configuration in the switch startup configuration file by using the copy running config startup config privileged EXEC command Beginning in privileged EXEC mode follow these steps to create an extended range VLAN To delete an extended range VLAN use the no vlan vlan id g...

Page 280: ...Configuration page 13 14 Configuring an Ethernet Interface as a Trunk Port page 13 14 Configuring Trunk Ports for Load Sharing page 13 18 Trunking Overview A trunk is a point to point link between one or more Ethernet switch interfaces and another networking device such as a router or a switch Ethernet trunks carry the traffic of multiple VLANs over a single link and you can extend the VLANs acros...

Page 281: ...itches separated by a cloud of non Cisco IEEE 802 1Q switches The non Cisco IEEE 802 1Q cloud separating the Cisco switches is treated as a single trunk link between the switches Make sure the native VLAN for an IEEE 802 1Q trunk is the same on both ends of the trunk link If the native VLAN on one end of the trunk is different from the native VLAN on the other end spanning tree loops might result ...

Page 282: ... contain this configuration information Interaction with Other Features page 13 14 Defining the Allowed VLANs on a Trunk page 13 16 Changing the Pruning Eligible List page 13 17 Configuring the Native VLAN for Untagged Traffic page 13 17 Interaction with Other Features Trunking interacts with other features in these ways A trunk port cannot be a secure port Trunk ports can be grouped into EtherCha...

Page 283: ...port IEEE 802 1Q trunking Switch configure terminal Enter configuration commands one per line End with CNTL Z Switch config interface gigabitethernet0 2 Command Purpose Step 1 configure terminal Enter global configuration mode Step 2 interface interface id Specify the port to be configured for trunking and enter interface configuration mode Step 3 switchport mode dynamic auto desirable trunk Confi...

Page 284: ...LAN 1 disabled is converted to a nontrunk port it is added to the access VLAN If the access VLAN is set to 1 the port will be added to VLAN 1 regardless of the switchport trunk allowed setting The same is true for any VLAN that has been disabled on the port A trunk port can become a member of a VLAN if the VLAN is enabled if VTP knows of the VLAN and if the VLAN is in the allowed list for the port...

Page 285: ... the native VLAN configured for the port The native VLAN is VLAN 1 by default Step 6 show interfaces interface id switchport Verify your entries in the Trunking VLANs Enabled field of the display Step 7 copy running config startup config Optional Save your entries in the configuration file Command Purpose Command Purpose Step 1 configure terminal Enter global configuration mode Step 2 interface in...

Page 286: ...For load sharing using STP path costs each load sharing link can be connected to the same switch or to two different switches For more information about STP see Chapter 16 Configuring STP Load Sharing Using STP Port Priorities When two ports on the same switch form a loop the switch uses the STP port priority to decide which port is enabled and which port is in a blocking state You can set the pri...

Page 287: ... VLANs 8 10 priority 128 Trunk 1 VLANs 8 10 priority 16 VLANs 3 6 priority 128 Command Purpose Step 1 configure terminal Enter global configuration mode on Switch A Step 2 vtp domain domain name Configure a VTP administrative domain The domain name can be 1 to 32 characters Step 3 vtp mode server Configure Switch A as the VTP server Step 4 end Return to privileged EXEC mode Step 5 show vtp status ...

Page 288: ...ted by Path Cost Step 14 show vlan When the trunk links come up VTP passes the VTP and VLAN information to Switch B Verify that Switch B has learned the VLAN configuration Step 15 configure terminal Enter global configuration mode on Switch A Step 16 interface gigabitethernet 0 1 Define the interface to set the STP port priority and enter interface configuration mode Step 17 spanning tree vlan 8 1...

Page 289: ... 1 Define the interface to be configured as a trunk and enter interface configuration mode Step 3 switchport mode trunk Configure the port as a trunk port Step 4 exit Return to global configuration mode Step 5 Repeat Steps 2 through 4 on a second interface in Switch A Step 6 end Return to privileged EXEC mode Step 7 show running config Verify your entries In the display make sure that the interfac...

Page 290: ... port shutdown response depending on the secure mode of the VMPS If the switch receives an access denied response from the VMPS it continues to block traffic to and from the host MAC address The switch continues to monitor the packets directed to the port and sends a query to the VMPS when it identifies a new host address If the switch receives a port shutdown response from the VMPS it disables th...

Page 291: ...ng the port into the forwarding state IEEE 802 1x ports cannot be configured as dynamic access ports If you try to enable IEEE 802 1x on a dynamic access VQP port an error message appears and IEEE 802 1x is not enabled If you try to change an IEEE 802 1x enabled port to dynamic VLAN assignment an error message appears and the VLAN configuration is not changed Trunk ports cannot be dynamic access p...

Page 292: ...to the cluster member switch Caution Dynamic access port VLAN membership is for end stations or hubs connected to end stations Connecting dynamic access ports to other switches can cause a loss of connectivity Beginning in privileged EXEC mode follow these steps to configure a dynamic access port on a VMPS client switch Command Purpose Step 1 configure terminal Enter global configuration mode Step...

Page 293: ...ommand to log in to the member switch Beginning in privileged EXEC mode follow these steps to change the reconfirmation interval To return the switch to its default setting use the no vmps reconfirm global configuration command Step 4 switchport access vlan dynamic Configure the port as eligible for dynamic VLAN membership The dynamic access port must be connected to an end station Step 5 end Retu...

Page 294: ... query the secondary VMPS VMPS domain server the IP address of the configured VLAN membership policy servers The switch sends queries to the one marked current The one marked primary is the primary server VMPS Action the result of the most recent reconfirmation attempt A reconfirmation attempt can occur automatically when the reconfirmation interval expires or you can force it by entering the vmps...

Page 295: ... a disabled dynamic access port enter the shutdown interface configuration command followed by the no shutdown interface configuration command VMPS Configuration Example Figure 13 4 shows a network with a VMPS server switch and VMPS client switches with dynamic access ports In this example these assumptions apply The VMPS server and the VMPS client are separate switches The Catalyst 6500 series Sw...

Page 296: ...series Secondary VMPS Server 3 172 20 26 150 172 20 26 151 Catalyst 6500 series switch A 172 20 26 152 Switch C Ethernet segment Trunk link 172 20 26 153 172 20 26 154 172 20 26 155 172 20 26 156 172 20 26 157 172 20 26 158 172 20 26 159 Client switch I Client switch B End station 2 End station 1 TFTP server Dynamic access port Dynamic access port Switch J Switch D Switch E Switch F Switch G Switc...

Page 297: ... on one or more switches and have those changes automatically communicated to all the other switches in the network Without VTP you cannot send information about VLANs to other switches VTP is designed to work in an environment where updates are made on a single switch and are sent through VTP to other switches in the domain It does not work well in a situation where multiple updates to the VLAN d...

Page 298: ...n revision number is lower than the configuration revision number of the other switches in the VTP domain Switches in a VTP domain always use the VLAN configuration of the switch with the highest VTP configuration revision number If you add a switch that has a revision number higher than the revision number in the VTP domain it can erase all VLAN information from the VTP server and VTP domain See ...

Page 299: ...TP domain and synchronize their VLAN configurations with other switches based on advertisements received over trunk links In VTP server mode VLAN configurations are saved in NVRAM VTP server is the default mode VTP client A VTP client behaves like a VTP server and transmits and receives VTP updates on its trunks but you cannot create change or delete VLANs on a VTP client VLANs are configured on a...

Page 300: ...s VTP messages for the domain name and version and forwards a message only if the version and domain name match Because VTP Version 2 supports only one domain it forwards VTP messages in transparent mode without inspecting the version and domain name Consistency Checks In VTP Version 2 VLAN consistency checks such as VLAN names and values are performed only when you enter new information through t...

Page 301: ...h VTP pruning enabled The broadcast traffic from Switch A is not forwarded to Switches C E and F because traffic for the Red VLAN has been pruned on the links shown Port 5 on Switch B and Port 4 on Switch D Figure 14 2 Optimized Flooded Traffic with VTP Pruning Enabling VTP pruning on a VTP server enables pruning for the entire management domain Making VLANs pruning eligible or pruning ineligible ...

Page 302: ...g on an interface use the switchport trunk pruning vlan interface configuration command see the Changing the Pruning Eligible List section on page 13 17 VTP pruning operates when an interface is trunking You can set VLAN pruning eligibility whether or not VTP pruning is enabled for the VTP domain whether or not any given VLAN exists and whether or not the interface is currently trunking Configurin...

Page 303: ...omain name in the startup configuration do not match the VLAN database the domain name and VTP mode and configuration for the first 64 VLANs use the VLAN database information These sections describe guidelines you should follow when implementing VTP in your network Domain Names When configuring VTP for the first time you must always assign a domain name You must configure all switches in the VTP d...

Page 304: ... 2 If there is a Version 1 only switch it does not exchange VTP information with switches that have Version 2 enabled If there are TrBRF and TrCRF Token Ring networks in your environment you must enable VTP Version 2 for Token Ring VLAN switching to function properly To run Token Ring and Token Ring Net disable VTP Version 2 Configuration Requirements When you configure VTP you must configure a tr...

Page 305: ...VTP mode to client You receive an error message and the configuration is not allowed If you configure the switch for VTP client mode the switch does not create the VLAN database file vlan dat If the switch is then powered off it resets the VTP configuration to the default To keep the VTP configuration with VTP client mode after the switch restarts you must first configure the VTP domain name befor...

Page 306: ...t VTP mode to transparent by using the vtp mode transparent global configuration command Save this configuration to the startup configuration so that the switch boots up in VTP transparent mode Otherwise you lose the extended range VLAN configuration if the switch resets and boots up in VTP server mode the default Beginning in privileged EXEC mode follow these steps to configure VTP transparent mo...

Page 307: ...must enable VTP Version 2 for Token Ring VLAN switching to function properly For Token Ring and Token Ring Net media VTP Version 2 must be disabled For more information on VTP version configuration guidelines see the VTP Version section on page 14 8 Beginning in privileged EXEC mode follow these steps to enable VTP Version 2 To disable VTP Version 2 use the no vtp version global configuration comm...

Page 308: ...tire VTP domain Only VLANs included in the pruning eligible list can be pruned By default VLANs 2 through 1001 are pruning eligible on trunk ports Reserved VLANs and extended range VLANs cannot be pruned To change the pruning eligible VLANs see the Changing the Pruning Eligible List section on page 13 17 Adding a VTP Client Switch to a VTP Domain Before adding a VTP client to a VTP domain always v...

Page 309: ...and Purpose Step 1 show vtp status Check the VTP configuration revision number If the number is 0 add the switch to the VTP domain If the number is greater than 0 follow these steps a Write down the domain name b Write down the configuration revision number c Continue with the next steps to reset the switch configuration revision number Step 2 configure terminal Enter global configuration mode Ste...

Page 310: ...rrent VTP revision and the number of VLANs You can also display statistics about the advertisements sent and received by the switch Table 14 3 shows the privileged EXEC commands for monitoring VTP activity Table 14 3 VTP Monitoring Commands Command Purpose show vtp status Display the VTP switch configuration information show vtp counters Display counters about VTP messages that have been sent and ...

Page 311: ...3 IP precedence and Layer 2 class of service CoS values which are both set to 5 by default Because the sound quality of an IP phone call can deteriorate if the data is unevenly sent the switch supports quality of service QoS based on IEEE 802 1p CoS QoS uses classification and scheduling to send network traffic from the switch in a predictable manner For more information on QoS see Chapter 31 Conf...

Page 312: ...Layer 2 CoS priority value Note In all configurations the voice traffic carries a Layer 3 IP precedence value the default is 5 for voice traffic and 3 for voice control traffic Cisco IP Phone Data Traffic The switch can also process tagged data traffic traffic in IEEE 802 1Q or IEEE 802 1p frame types from the device attached to the access port on the Cisco IP Phone see Figure 15 1 You can configu...

Page 313: ... switch access ports voice VLAN is not supported on trunk ports Note Voice VLAN is only supported on access ports and not on trunk ports even though the configuration is allowed The voice VLAN should be present and active on the switch for the IP phone to correctly communicate on the voice VLAN Use the show vlan privileged EXEC command to see if the VLAN is present listed in the display If the VLA...

Page 314: ...rt See the Configuring IEEE 802 1x Authentication section on page 9 17 for more information Note If you enable IEEE 802 1x on an access port on which a voice VLAN is configured and to which a Cisco IP Phone is connected the phone loses connectivity to the switch for up to 30 seconds Protected port See the Configuring Protected Ports section on page 22 6 for more information A source or destination...

Page 315: ...vlan dot1p Switch config if end Command Purpose Step 1 configure terminal Enter global configuration mode Step 2 interface interface id Specify the interface connected to the phone and enter interface configuration mode Step 3 mls qos trust cos Configure the interface to classify incoming traffic packets by using the packet CoS value For untagged packets the port default CoS value is used Note Bef...

Page 316: ...ng Voice VLAN Displaying Voice VLAN To return the port to its default setting use the no switchport voice vlan interface configuration command Displaying Voice VLAN To display voice VLAN configuration for an interface use the show interfaces interface id switchport privileged EXEC command ...

Page 317: ...er 18 Configuring Optional Spanning Tree Features Note For complete syntax and usage information for the commands used in this chapter see the command reference for this release Understanding Spanning Tree Features page 16 1 Configuring Spanning Tree Features page 16 10 Displaying the Spanning Tree Status page 16 22 Understanding Spanning Tree Features STP Overview page 16 2 Spanning Tree Topology...

Page 318: ... the designated role or as the backup role is the root switch The switch that has at least one of its ports in the designated role is called the designated switch Spanning tree forces redundant data paths into a standby blocked state If a network segment in the spanning tree fails and a redundant path exists the spanning tree algorithm recalculates the spanning tree topology and activates the stan...

Page 319: ...e results in these actions One switch in the network is elected as the root switch the logical center of the spanning tree topology in a switched network For each VLAN the switch with the highest switch priority the lowest numerical priority value is elected as the root switch If all switches are configured with the default priority 32768 the switch with the lowest MAC address in the VLAN becomes ...

Page 320: ...n occur when protocol information passes through a switched LAN As a result topology changes can take place at different times and at different places in a switched network When an interface transitions directly from nonparticipation in the spanning tree topology to the forwarding state it can create temporary data loops Interfaces must wait for new topology information to propagate through the sw...

Page 321: ...terface continues to block frame forwarding as the switch learns end station location information for the forwarding database 4 When the forward delay timer expires spanning tree moves the interface to the forwarding state where both learning and frame forwarding are enabled Blocking State A Layer 2 interface in the blocking state does not participate in frame forwarding After initialization a BPD...

Page 322: ...ning state An interface in the learning state performs these functions Discards frames received on the interface Discards frames switched from another interface for forwarding Learns addresses Receives BPDUs Forwarding State A Layer 2 interface in the forwarding state forwards frames The interface enters the forwarding state from the learning state An interface in the forwarding state performs the...

Page 323: ... switched network might not be ideal For instance connecting higher speed links to an interface that has a higher number than the root port can cause a root port change The goal is to make the fastest link the root port For example assume that one port on Switch B is a Gigabit Ethernet link and that another port on Switch B a 10 100 link is the root port Network traffic might be more efficient ove...

Page 324: ... as unknown multicast addresses Accelerated Aging to Retain Connectivity The default for aging dynamic addresses is 5 minutes the default setting of the mac address table aging time global configuration command However a spanning tree reconfiguration can cause many station locations to change Because these stations could be unreachable for 5 minutes or more during a reconfiguration the address agi...

Page 325: ...learned MAC address entries The rapid PVST uses the same configuration as PVST except where noted and the switch needs only minimal extra configuration The benefit of rapid PVST is that you can migrate a large PVST install base to rapid PVST without having to learn the complexities of the MSTP configuration and without having to reprovision your network In rapid PVST mode each VLAN runs its own sp...

Page 326: ...tance for each VLAN allowed on the trunks When you connect a Cisco switch to a non Cisco device through an IEEE 802 1Q trunk the Cisco switch uses PVST to provide spanning tree interoperability If rapid PVST is enabled the switch uses it instead of PVST The switch combines the spanning tree instance of the IEEE 802 1Q VLAN of the trunk with the spanning tree instance of the non Cisco IEEE 802 1Q s...

Page 327: ... Tree Configuration Feature Default Setting Enable state Enabled on VLAN 1 For more information see the Supported Spanning Tree Instances section on page 16 9 Spanning tree mode PVST Rapid PVST and MSTP are disabled Switch priority 32768 Spanning tree port priority configurable on a per interface basis 64 Spanning tree port cost configurable on a per interface basis 1000 Mb s 4 100 Mb s 19 10 Mb s...

Page 328: ...ng tree instances on your switch adding another VLAN anywhere in the VTP domain creates a VLAN that is not running spanning tree on that switch If you have the default allowed list on the trunk ports of that switch the new VLAN is carried on all trunk ports Depending on the topology of the network this could create a loop in the new VLAN that will not be broken particularly if there are several ad...

Page 329: ... Step 3 interface interface id Recommended for rapid PVST mode only Specify an interface to configure and enter interface configuration mode Valid interfaces include physical ports VLANs and port channels The VLAN ID range is 1 to 4094 The port channel range is 1 to 6 Step 4 spanning tree link type point to point Recommended for rapid PVST mode only Specify that the link type for this port is poin...

Page 330: ...ity from the default value 32768 to a significantly lower value When you enter this command the software checks the switch priority of the root switches for each VLAN Because of the extended system ID support the switch sets its own priority for the specified VLAN to 24576 if this value will cause this switch to become the root for the specified VLAN If any root switch for the specified VLAN has a...

Page 331: ...d the spanning tree vlan vlan id max age global configuration commands Beginning in privileged EXEC mode follow these steps to configure a switch to become the root for the specified VLAN This procedure is optional To return to the default setting use the no spanning tree vlan vlan id root global configuration command Command Purpose Step 1 configure terminal Enter global configuration mode Step 2...

Page 332: ... state You can assign higher priority values lower numerical values to interfaces that you want selected first and lower priority values higher numerical values that you want selected last If all interfaces have the same priority value spanning tree puts the interface with the lowest interface number in the forwarding state and blocks the other interfaces Command Purpose Step 1 configure terminal ...

Page 333: ...ation mode Valid interfaces include physical ports and port channel logical interfaces port channel port channel number Step 3 spanning tree port priority priority Configure the port priority for an interface For priority the range is 0 to 240 in increments of 16 the default is 64 Valid values are 0 16 32 48 64 80 96 112 128 144 160 176 192 208 224 and 240 All other values are rejected The lower t...

Page 334: ...nterface id Specify an interface to configure and enter interface configuration mode Valid interfaces include physical ports and port channel logical interfaces port channel port channel number Step 3 spanning tree cost cost Configure the cost for an interface If a loop occurs spanning tree uses the path cost when selecting an interface to place into the forwarding state A lower path cost represen...

Page 335: ...llow these steps to configure the switch priority of a VLAN This procedure is optional To return to the default setting use the no spanning tree vlan vlan id priority global configuration command Command Purpose Step 1 configure terminal Enter global configuration mode Step 2 spanning tree vlan vlan id priority priority Configure the switch priority of a VLAN For vlan id you can specify a single V...

Page 336: ...w often the switch broadcasts hello messages to other switches Forward delay timer Controls how long each of the listening and learning states last before the interface begins forwarding Maximum age timer Controls the amount of time the switch stores protocol information received on an interface Transmit hold count Controls the number of BPDUs that can be sent before pausing for 1 second Command P...

Page 337: ...states to the forwarding state For vlan id you can specify a single VLAN identified by VLAN ID number a range of VLANs separated by a hyphen or a series of VLANs separated by a comma The range is 1 to 4094 For seconds the range is 4 to 30 the default is 15 Step 3 end Return to privileged EXEC mode Step 4 show spanning tree vlan vlan id Verify your entries Step 5 copy running config startup config ...

Page 338: ...he clear spanning tree interface interface id privileged EXEC command For information about other keywords for the show spanning tree privileged EXEC command see the command reference for this release Command Purpose Step 1 configure terminal Enter global configuration mode Step 2 spanning tree transmit hold count value Configure the number of BPDUs that can be sent before pausing for 1 second For...

Page 339: ...he switch is in the MST mode the Rapid Spanning Tree Protocol RSTP which is based on IEEE 802 1w is automatically enabled The RSTP provides rapid convergence of the spanning tree through explicit handshaking that eliminates the IEEE 802 1D forwarding delay and quickly transitions root ports and designated ports to the forwarding state Both MSTP and RSTP improve the spanning tree operation and main...

Page 340: ...configuration global configuration command after which the switch enters the MST configuration mode From this mode you can map VLANs to an MST instance by using the instance MST configuration command specify the region name by using the name MST configuration command and set the revision number by using the revision MST configuration command A region can have one or multiple members with the same ...

Page 341: ...path cost to the CIST root The CIST regional root is also the CIST root if there is only one region in the network If the CIST root is outside the region one of the MSTP switches at the boundary of the region is selected as the CIST regional root When an MSTP switch initializes it sends BPDUs claiming itself as the root of the CIST and the CIST regional root with both of the path costs to the CIST...

Page 342: ...ation into the BPDUs to interact with neighboring switches and compute the final spanning tree topology Because of this the spanning tree parameters related to BPDU transmission for example hello time forward time max age and max hops are configured only on the CST instance but affect all MST instances Parameters related to the spanning tree topology for example switch priority port VLAN cost and ...

Page 343: ...ST instance 0 Table 17 1 on page 17 5 compares the IEEE standard and the Cisco prestandard terminology Hop Count The IST and MST instances do not use the message age and maximum age information in the configuration BPDU to compute the spanning tree topology Instead they use the path cost to the root and a hop count mechanism similar to the IP time to live TTL mechanism By using the spanning tree m...

Page 344: ...to share a segment with a port belonging to a different region creating the possibility of receiving both internal and external messages on a port The primary change from the Cisco prestandard implementation is that a designated port is not defined as boundary unless it is running in an STP compatible mode Note If there is a legacy STP switch on the segment messages are always considered external ...

Page 345: ...for prestandard BPDU transmission Figure 17 2 illustrates this scenario Assume that A is a standard switch and B a prestandard switch both configured to be in the same region A is the root switch for the CIST and thus B has a root port BX on segment X and an alternate port BY on segment Y If segment Y flaps and the port on BY becomes the alternate before sending out a single prestandard BPDU AY ca...

Page 346: ...s because it cannot detect whether the legacy switch has been removed from the link unless the legacy switch is the designated switch A switch might also continue to assign a boundary role to a port when the switch to which this switch is connected has joined the region To restart the protocol migration process force the renegotiation with neighboring switches use the clear spanning tree detected ...

Page 347: ...e is included in the active topology A port with the alternate or backup port role is excluded from the active topology In a stable topology with consistent port roles throughout the network the RSTP ensures that every root port and designated port immediately transition to the forwarding state while all alternate and backup ports are always in the discarding state equivalent to blocking in IEEE 8...

Page 348: ...ot port After receiving Switch B s agreement message Switch A also immediately transitions its designated port to the forwarding state No loops in the network are formed because Switch B blocked all of its nonedge ports and because there is a point to point link between Switches A and B When Switch C is connected to Switch B a similar set of handshaking messages are exchanged Switch C selects the ...

Page 349: ...not configured as an edge port it transitions to the blocking state when the RSTP forces it to synchronize with new root information In general when the RSTP forces a port to synchronize with root information and the port does not satisfy any of the above conditions its port state is set to blocking After ensuring that all of the ports are synchronized the switch sends an agreement message to the ...

Page 350: ...he state of the sending port Processing Superior BPDU Information If a port receives superior root information lower switch ID lower path cost and so forth than currently stored for the port the RSTP triggers a reconfiguration If the port is proposed and is selected as the new root port RSTP forces all the other ports to synchronize If the BPDU received is an RSTP BPDU with the proposal flag set t...

Page 351: ...ve on a root port connected to an IEEE 802 1D switch and a configuration BPDU with the TCA bit set is received the TC while timer is reset This behavior is only required to support IEEE 802 1D switches The RSTP BPDUs never have the TCA bit set Propagation When an RSTP switch receives a TC message from another switch through a designated or root port it propagates the change to all of its nonedge d...

Page 352: ...e default MSTP configuration For information about the supported number of spanning tree instances see the Supported Spanning Tree Instances section on page 16 9 MSTP Configuration Guidelines These are the configuration guidelines for MSTP When you enable MST by using the spanning tree mode mst global configuration command RSTP is automatically enabled For two or more switches to be in the same MS...

Page 353: ...the MST cloud consists of multiple MST regions one of the MST regions must contain the CST root and all of the other MST regions must have a better path to the root contained within the MST cloud than a path through the PVST or rapid PVST cloud You might have to manually configure the switches in the clouds Partitioning the network into a large number of regions is not recommended However if this ...

Page 354: ...MST instance For instance id the range is 0 to 4094 For vlan vlan range the range is 1 to 4094 When you map VLANs to an MST instance the mapping is incremental and the VLANs specified in the command are added to or removed from the VLANs that were previously mapped To specify a VLAN range use a hyphen for example instance 1 vlan 1 63 maps VLANs 1 through 63 to MST instance 1 To specify a VLAN seri...

Page 355: ... switch priority 4096 is the value of the least significant bit of a 4 bit switch priority value as shown in Table 16 1 on page 16 4 If your network consists of switches that both do and do not support the extended system ID it is unlikely that the switch with the extended system ID support will become the root switch The extended system ID increases the switch priority value every time the VLAN n...

Page 356: ... the same network diameter and hello time values that you used when you configured the primary root switch with the spanning tree mst instance id root primary global configuration command Command Purpose Step 1 configure terminal Enter global configuration mode Step 2 spanning tree mst instance id root primary diameter net diameter hello time seconds Configure a switch as the root switch For insta...

Page 357: ...instance id root secondary diameter net diameter hello time seconds Configure a switch as the secondary root switch For instance id you can specify a single instance a range of instances separated by a hyphen or a series of instances separated by a comma The range is 0 to 4094 Optional For diameter net diameter specify the maximum number of switches between any two end stations The range is 2 to 7...

Page 358: ...s the other interfaces Beginning in privileged EXEC mode follow these steps to configure the MSTP cost of an interface This procedure is optional Step 3 spanning tree mst instance id port priority priority Configure the port priority For instance id you can specify a single instance a range of instances separated by a hyphen or a series of instances separated by a comma The range is 0 to 4094 For ...

Page 359: ...you use the spanning tree mst instance id root primary and the spanning tree mst instance id root secondary global configuration commands to modify the switch priority Step 3 spanning tree mst instance id cost cost Configure the cost If a loop occurs the MSTP uses the path cost when selecting an interface to place into the forwarding state A lower path cost represents higher speed transmission For...

Page 360: ... a range of instances separated by a hyphen or a series of instances separated by a comma The range is 0 to 4094 For priority the range is 0 to 61440 in increments of 4096 the default is 32768 The lower the number the more likely the switch will be chosen as the root switch Priority values are 0 4096 8192 12288 16384 20480 24576 28672 32768 36864 40960 45056 49152 53248 57344 and 61440 All other v...

Page 361: ...ime seconds Configure the forward time for all MST instances The forward delay is the number of seconds a port waits before changing from its spanning tree learning and listening states to the forwarding state For seconds the range is 4 to 30 the default is 15 Step 3 end Return to privileged EXEC mode Step 4 show spanning tree mst Verify your entries Step 5 copy running config startup config Optio...

Page 362: ...ions to the forwarding state Beginning in privileged EXEC mode follow these steps to override the default link type setting This procedure is optional To return the port to its default setting use the no spanning tree link type interface configuration command Command Purpose Step 1 configure terminal Enter global configuration mode Step 2 spanning tree mst max hops hop count Specify the number of ...

Page 363: ...h also can detect that a port is at the boundary of a region when it receives a legacy BPDU an MST BPDU Version 3 associated with a different region or an RST BPDU Version 2 However the switch does not automatically revert to the MSTP mode if it no longer receives IEEE 802 1D BPDUs because it cannot detect whether the legacy switch has been removed from the link unless the legacy switch is the des...

Page 364: ...ds for the show spanning tree privileged EXEC command see the command reference for this release Table 17 5 Commands for Displaying MST Status Command Purpose show spanning tree mst configuration Displays the MST region configuration show spanning tree mst configuration digest Displays the MD5 digest included in the current MSTCI show spanning tree mst instance id Displays MST information for the ...

Page 365: ... STP For information about the Multiple Spanning Tree Protocol MSTP and how to map multiple VLANs to the same spanning tree instance see Chapter 17 Configuring MSTP Note For complete syntax and usage information for the commands used in this chapter see the command reference for this release Understanding Optional Spanning Tree Features page 18 1 Configuring Optional Spanning Tree Features page 18...

Page 366: ...ng a spanning tree loop You can enable this feature by using the spanning tree portfast interface configuration or the spanning tree portfast default global configuration command Figure 18 1 Port Fast Enabled Interfaces Understanding BPDU Guard The BPDU guard feature can be globally enabled on the switch or can be enabled per port but the feature operates with some differences At the global level ...

Page 367: ...revents interfaces that are in a Port Fast operational state from sending or receiving BPDUs The interfaces still send a few BPDUs at link up before the switch begins to filter outbound BPDUs You should globally enable BPDU filtering on a switch so that hosts connected to these interfaces do not receive BPDUs If a BPDU is received on a Port Fast enabled interface the interface loses its Port Fast ...

Page 368: ...is 150 packets per second However if you enter zero station learning frames are not generated so the spanning tree topology converges more slowly after a loss of connectivity Note UplinkFast is most useful in wiring closet switches at the access or edge of the network It is not appropriate for backbone devices This feature might not be useful for other types of applications UplinkFast provides fas...

Page 369: ...protocol information received on an interface When a switch receives an inferior BPDU from the designated port of another switch the BPDU is a signal that the other switch might have lost its path to the root and BackboneFast tries to find an alternate path to the root BackboneFast which is enabled by using the spanning tree backbonefast global configuration command starts when a root port or bloc...

Page 370: ...tch the switch makes all interfaces on which it received an inferior BPDU its designated ports and moves them from the blocking state if they were in the blocking state through the listening and learning states and into the forwarding state Figure 18 5 shows an example topology with no link failures Switch A the root switch connects directly to Switch B over link L1 and to Switch C over link L2 Th...

Page 371: ...therChannel guard to detect an EtherChannel misconfiguration between the switch and a connected device A misconfiguration can occur if the switch interfaces are configured in an EtherChannel but the interfaces on the other device are not A misconfiguration can also occur if the channel parameters are not the same at both ends of the EtherChannel For EtherChannel configuration guidelines see the Et...

Page 372: ... root switch The customer s switch does not become the root switch and is not in the path to the root If the switch is operating in multiple spanning tree MST mode root guard forces the interface to be a designated port If a boundary port is blocked in an internal spanning tree IST instance because of root guard the interface also is blocked in all MST instances A boundary port is an interface tha...

Page 373: ...is blocked by loop guard in all MST instances On a boundary port loop guard blocks the interface in all MST instances Configuring Optional Spanning Tree Features These sections contain this configuration information Default Optional Spanning Tree Configuration page 18 9 Optional Spanning Tree Configuration Guidelines page 18 10 Enabling Port Fast page 18 10 optional Enabling BPDU Guard page 18 11 ...

Page 374: ... For more information see Chapter 15 Configuring Voice VLAN You can enable this feature if your switch is running PVST rapid PVST or MSTP Beginning in privileged EXEC mode follow these steps to enable Port Fast This procedure is optional Command Purpose Step 1 configure terminal Enter global configuration mode Step 2 interface interface id Specify an interface to configure and enter interface conf...

Page 375: ...eature provides a secure response to invalid configurations because you must manually put the port back in service Use the BPDU guard feature in a service provider network to prevent an access port from participating in the spanning tree Caution Configure Port Fast only on ports that connect to end stations otherwise an accidental topology loop could cause a data packet loop and disrupt switch and...

Page 376: ...panning tree bpdufilter enable interface configuration command to enable BPDU filtering on any interface without also enabling the Port Fast feature This command prevents the interface from sending or receiving BPDUs Caution Enabling BPDU filtering on an interface is the same as disabling spanning tree on it and can result in spanning tree loops You can enable the BPDU filtering feature if your sw...

Page 377: ...t is not altered The changes to the switch priority and the path cost reduce the chance that a switch will become the root switch When UplinkFast is disabled the switch priorities of all VLANs and path costs of all interfaces are set to default values if you did not modify them from their defaults To return the update packet rate to the default setting use the no spanning tree uplinkfast max updat...

Page 378: ... command You can use the show interfaces status err disabled privileged EXEC command to show which switch ports are disabled because of an EtherChannel misconfiguration On the remote device you can enter the show etherchannel summary privileged EXEC command to verify the EtherChannel configuration After the configuration is corrected enter the shutdown and no shutdown interface configuration comma...

Page 379: ...u can use loop guard to prevent alternate or root ports from becoming designated ports because of a failure that leads to a unidirectional link This feature is most effective when it is configured on the entire switched network Loop guard operates only on interfaces that are considered point to point by the spanning tree Note You cannot enable both loop guard and root guard at the same time You ca...

Page 380: ...tree privileged EXEC command see the command reference for this release Step 3 spanning tree loopguard default Enable loop guard By default loop guard is disabled Step 4 end Return to privileged EXEC mode Step 5 show running config Verify your entries Step 6 copy running config startup config Optional Save your entries in the configuration file Command Purpose Table 18 2 Commands for Displaying th...

Page 381: ...n Cisco IOS Software 12 2 Mainline Command References This chapter consists of these sections Understanding DHCP Snooping page 19 1 Configuring DHCP Snooping page 19 8 Displaying DHCP Snooping Information page 19 13 Understanding IP Source Guard page 19 13 Configuring IP Source Guard page 19 15 Displaying IP Source Guard Information page 19 21 Understanding DHCP Server Port Based Address Allocatio...

Page 382: ...ayer 2 forwarding in which IP datagrams are switched transparently between networks Relay agents receive DHCP messages and generate new DHCP messages to send on output interfaces DHCP Snooping DHCP snooping is a DHCP security feature that provides network security by filtering untrusted DHCP messages and by building and maintaining a DHCP snooping binding database also referred to as a DHCP snoopi...

Page 383: ...not match the interface on which the message was received A DHCP relay agent forwards a DHCP packet that includes a relay agent IP address that is not 0 0 0 0 or the relay agent forwards a packet that includes option 82 information to an untrusted port If the switch is an aggregation switch supporting DHCP snooping and is connected to an edge switch that is inserting DHCP option 82 information the...

Page 384: ...ribers connected to the switch at the access layer Because the DHCP clients and their associated DHCP server do not reside on the same IP network or subnet a DHCP relay agent the Catalyst switch is configured with a helper address to enable broadcast forwarding and to transfer DHCP messages between the clients and the server Figure 19 1 DHCP Relay Agent in a Metropolitan Ethernet Network When you ...

Page 385: ...that connects to the DHCP client that sent the DHCP request When the described sequence of events occurs the values in these fields in Figure 19 2 do not change Circuit ID suboption fields Suboption type Length of the suboption type Circuit ID type Length of the circuit ID type Remote ID suboption fields Suboption type Length of the suboption type Remote ID type Length of the remote ID type In the...

Page 386: ...rface configuration command are entered The values for these fields in the packets change from the default values when you configure the remote ID and circuit ID suboptions Circuit ID suboption fields The circuit ID type is 1 The length values are variable depending on the length of the string that you configure Remote ID suboption fields The remote ID type is 1 The length values are variable depe...

Page 387: ...mic ARP inspection or IP source guard is enabled and the DHCP snooping binding database has dynamic bindings the switch loses its connectivity If the agent is disabled and only DHCP snooping is enabled the switch does not lose its connectivity but DHCP snooping might not prevent DHCP spoofing attacks When reloading the switch reads the binding file to build the DHCP snooping binding database The s...

Page 388: ...When the switch starts and the calculated checksum value equals the stored checksum value the switch reads entries from the binding file and adds the bindings to its DHCP snooping binding database The switch ignores an entry when one of these situations occurs The switch reads the entry and the calculated checksum value does not equal the stored checksum value The entry and the ones following it a...

Page 389: ...ude configure DHCP options for devices or set up the DHCP database agent If the DHCP relay agent is enabled but DHCP snooping is disabled the DHCP option 82 data insertion feature is not supported If a switch port is connected to a DHCP server configure a port as trusted by entering the ip dhcp snooping trust interface configuration command Table 19 1 Default DHCP Snooping Configuration Feature De...

Page 390: ... untrusted device is connected If you enter this command an untrusted device might spoof the option 82 information You can display DHCP snooping statistics by entering the show ip dhcp snooping statistics user EXEC command and you can clear the snooping statistics counters by entering the clear ip dhcp snooping statistics privileged EXEC command Note Do not enable Dynamic Host Configuration Protoc...

Page 391: ...ault setting is disabled Note Enter this command only on aggregation switches that are connected to trusted devices Step 6 interface interface id Specify the interface to be configured and enter interface configuration mode Step 7 ip dhcp snooping trust Optional Configure the interface as trusted or as untrusted Use the no keyword to configure an interface to receive messages from an untrusted cli...

Page 392: ...e switch Command Purpose Step 1 configure terminal Enter global configuration mode Step 2 ip dhcp snooping database flash filename ftp user password host filename http username password hostna me host ip directory image name tar rcp user host filename tftp host filename Specify the URL for the database agent or the binding file by using one of these forms flash filename ftp user password host file...

Page 393: ...security feature that restricts IP traffic on nonrouted Layer 2 interfaces by filtering traffic based on the DHCP snooping binding database and on manually configured IP source bindings You can use IP source guard to prevent traffic attacks if a host tries to use the IP address of its neighbor You can enable IP source guard when DHCP snooping is enabled on an untrusted interface After IPSG is enab...

Page 394: ...ress matches an entry in the DHCP snooping binding database or a binding in the IP source binding table When a DHCP snooping binding or static IP source binding is added changed or deleted on an interface the switch modifies the port ACL by using the IP source binding changes and re applies the port ACL to the interface If you enable IPSG on an interface on which IP source bindings dynamically lea...

Page 395: ...all EXEC command the IP device tracking table displays the entries as ACTIVE Note Some IP hosts with multiple network interfaces can inject some invalid packets into a network interface The invalid packets contain the IP or MAC address for another network interface of the host as the source address The invalid packets can cause IPSG for static hosts to connect to the host to learn the invalid IP o...

Page 396: ...AN on the trunk interface the switch might not properly filter traffic If you enable IP source guard with source IP and MAC address filtering DHCP snooping and port security must be enabled on the interface You must also enter the ip dhcp snooping information option global configuration command and ensure that the DHCP server supports option 82 When IP source guard is enabled with MAC address filt...

Page 397: ...rce IP address filtering Enable IP source guard with source IP and MAC address filtering Note When you enable both IP source guard and Port Security by using the ip verify source port security interface configuration command there are two caveats The DHCP server must support option 82 or the client is not assigned an IP address The MAC address in the DHCP packet is not learned as a secure address ...

Page 398: ...s access Step 5 switchport access vlan vlan id Configure the VLAN for this port Step 6 ip verify source tracking port security Enable IPSG for static hosts with MAC address filtering Note When you enable both IP source guard and port security by using the ip verify source port security interface configuration command The DHCP server must support option 82 or the client is not assigned an IP addres...

Page 399: ...dress Vlan Gi0 3 ip trk active 40 1 1 24 10 Gi0 3 ip trk active 40 1 1 20 10 Gi0 3 ip trk active 40 1 1 21 10 This example shows how to enable IPSG for static hosts with IP MAC filters on a Layer 2 access port to verify the valid IP MAC bindings on the interface Gi0 3 and to verify that the number of bindings on this interface has reached the maximum Switch configure terminal Enter configuration c...

Page 400: ... GigabitEthernet0 2 ACTIVE 200 1 1 1 0001 0600 0000 8 GigabitEthernet0 1 INACTIVE 200 1 1 2 0001 0600 0000 9 GigabitEthernet0 2 ACTIVE 200 1 1 2 0001 0600 0000 8 GigabitEthernet0 1 INACTIVE 200 1 1 3 0001 0600 0000 9 GigabitEthernet0 2 ACTIVE 200 1 1 3 0001 0600 0000 8 GigabitEthernet0 1 INACTIVE 200 1 1 4 0001 0600 0000 9 GigabitEthernet0 2 ACTIVE 200 1 1 4 0001 0600 0000 8 GigabitEthernet0 1 INA...

Page 401: ...IP source guard information use one or more of the privileged EXEC commands in Table 19 3 Understanding DHCP Server Port Based Address Allocation DHCP server port based address allocation is a feature that enables DHCP to maintain the same IP address on an Ethernet switch port regardless of the attached device client identifier or client hardware address When Ethernet switches are deployed in the ...

Page 402: ...is only supported on a Cisco IOS DHCP server and not a third party server Configuring DHCP Server Port Based Address Allocation This section contains this configuration information Default Port Based Address Allocation Configuration page 19 22 Port Based Address Allocation Configuration Guidelines page 19 22 Enabling DHCP Server Port Based Address Allocation page 19 23 Default Port Based Address A...

Page 403: ...configuration mode Step 2 ip dhcp use subscriber id client id Configure the DHCP server to globally use the subscriber identifier as the client identifier on all incoming DHCP messages Step 3 ip dhcp subscriber id interface name Automatically generate a subscriber identifier based on the short name of the interface A subscriber identifier configured on a specific interface takes precedence over th...

Page 404: ...ssigned IP address 10 1 1 7 switch show running config Building configuration Current configuration 4899 bytes version 12 2 hostname switch no aaa new model clock timezone EST 0 ip subnet zero ip dhcp relay information policy removal pad no ip dhcp use vrf connected ip dhcp use subscriber id client id ip dhcp subscriber id interface name ip dhcp excluded address 10 1 1 1 10 1 1 3 ip dhcp pool dhcp...

Page 405: ... You can also access the documentation http www cisco com en US docs ios ipaddr command reference iad_book html Displaying DHCP Server Port Based Address Allocation To display the DHCP server port based address allocation information use one or more of the privileged EXEC commands in Table 19 4 Table 19 4 Commands for Displaying DHCP Port Based Address Allocation Information Command Purpose show i...

Page 406: ...19 26 Catalyst 2928 Switch Software Configuration Guide OL 23389 01 Chapter 19 Configuring DHCP Features and IP Source Guard Features Displaying DHCP Server Port Based Address Allocation ...

Page 407: ...AC address For example Host B wants to send information to Host A but does not have the MAC address of Host A in its ARP cache Host B generates a broadcast message for all hosts within the broadcast domain to obtain the MAC address associated with the IP address of Host A All hosts within the broadcast domain receive the ARP request and Host A responds with its MAC address However because ARP allo...

Page 408: ...ensures that only valid ARP requests and responses are relayed The switch performs these activities Intercepts all ARP requests and responses on untrusted ports Verifies that each of these intercepted packets has a valid IP to MAC address binding before updating the local ARP cache or before forwarding the packet to the appropriate destination Drops invalid ARP packets Dynamic ARP inspection deter...

Page 409: ...ted to Switch A only Switch A binds the IP to MAC address of Host 1 Therefore if the interface between Switch A and Switch B is untrusted the ARP packets from Host 1 are dropped by Switch B Connectivity between Host 1 and Host 2 is lost Figure 20 2 ARP Packet Validation on a VLAN Enabled for Dynamic ARP Inspection Configuring interfaces to be trusted when they are actually untrusted leaves a secur...

Page 410: ...ormation see the Limiting the Rate of Incoming ARP Packets section on page 20 10 Relative Priority of ARP ACLs and DHCP Snooping Entries Dynamic ARP inspection uses the DHCP snooping binding database for the list of valid IP to MAC address bindings ARP ACLs take precedence over entries in the DHCP snooping binding database The switch uses ACLs only if you configure them by using the ip arp inspect...

Page 411: ...20 1 shows the default dynamic ARP inspection configuration Table 20 1 Default Dynamic ARP Inspection Configuration Feature Default Setting Dynamic ARP inspection Disabled on all VLANs Interface trust state All interfaces are untrusted Rate limit of incoming ARP packets The rate is 15 pps on untrusted interfaces assuming that the network is a switched network with a host connecting to as many as 1...

Page 412: ... and the channel port match Otherwise the physical port remains suspended in the port channel A port channel inherits its trust state from the first physical port that joins the channel Consequently the trust state of the first physical port need not match the trust state of the channel Conversely when you change the trust state on the port channel the switch configures a new trust state on all th...

Page 413: ... incoming ARP requests and ARP responses Make sure to enable DHCP snooping to permit ARP packets that have dynamically assigned IP addresses For configuration information see Chapter 19 Configuring DHCP Features and IP Source Guard Features For information on how to configure dynamic ARP inspection when only one switch supports the feature see the Configuring ARP ACLs for Non DHCP Environments sec...

Page 414: ...ot static it is impossible to apply the ACL configuration on Switch A you must separate Switch A from Switch B at Layer 3 and use a router to route packets between them Step 5 ip arp inspection trust Configure the connection between the switches as trusted By default all interfaces are untrusted The switch does not check ARP packets that it receives from the other switch on the trusted interface I...

Page 415: ...on see the Configuring the Log Buffer section on page 20 12 Step 4 exit Return to global configuration mode Step 5 ip arp inspection filter arp acl name vlan vlan range static Apply the ARP ACL to the VLAN By default no defined ARP ACLs are applied to any VLAN For arp acl name specify the name of the ACL created in Step 2 For vlan range specify the VLAN that the switches and hosts are in You can s...

Page 416: ...led recovery so that ports automatically emerge from this state after a specified timeout period Note Unless you configure a rate limit on an interface changing the trust state of the interface also changes its rate limit to the default value for that trust state After you configure the rate limit the interface retains the rate limit even when its trust state is changed If you enter the no ip arp ...

Page 417: ...ter interface configuration mode Step 3 ip arp inspection limit rate pps burst interval seconds none Limit the rate of incoming ARP requests and responses on the interface The default rate is 15 pps on untrusted interfaces and unlimited on trusted interfaces The burst interval is 1 second The keywords have these meanings For rate pps specify an upper limit for the number of incoming packets proces...

Page 418: ...al configuration mode Step 2 ip arp inspection validate src mac dst mac ip Perform a specific check on incoming ARP packets By default no checks are performed The keywords have these meanings For src mac check the source MAC address in the Ethernet header against the sender MAC address in the ARP body This check is performed on both ARP requests and responses When enabled packets with different MA...

Page 419: ...spection logging buffer By default when dynamic ARP inspection is enabled denied or dropped ARP packets are logged The number of log entries is 32 The number of system messages is limited to 5 per second The logging rate interval is 1 second The keywords have these meanings For entries number specify the number of entries to be logged in the buffer The range is 0 to 1024 For logs number interval s...

Page 420: ...rated by a comma The range is 1 to 4094 For acl match matchlog log packets based on the ACE logging configuration If you specify the matchlog keyword in this command and the log keyword in the permit or deny ARP access list configuration command ARP packets permitted or denied by the ACL are logged For acl match none do not log packets that match ACLs For dhcp bindings all log all packets that mat...

Page 421: ... EXEC commands in Table 20 4 For more information about these commands see the command reference for this release Table 20 3 Commands for Clearing or Displaying Dynamic ARP Inspection Statistics Command Description clear ip arp inspection statistics Clears dynamic ARP inspection statistics show ip arp inspection statistics vlan vlan range Displays statistics for forwarded dropped MAC validation fa...

Page 422: ...20 16 Catalyst 2928 Switch Software Configuration Guide OL 23389 01 Chapter 20 Configuring Dynamic ARP Inspection Displaying Dynamic ARP Inspection Information ...

Page 423: ...ottling Configuration page 21 20 Note You can either manage IP multicast group addresses through features such as IGMP snooping or you can use static IP addresses Understanding IGMP Snooping Layer 2 switches can use IGMP snooping to constrain the flooding of multicast traffic by dynamically configuring Layer 2 interfaces so that multicast traffic is forwarded to only those interfaces associated wi...

Page 424: ...MP snooping in subnets without multicast interfaces because the multicast traffic does not need to be routed For more information about the IGMP snooping querier see the Configuring the IGMP Snooping Querier section on page 21 13 If a port spanning tree a port group or a VLAN ID change occurs the IGMP snooping learned multicast groups from this port on the VLAN are deleted These sections describe ...

Page 425: ...lticast group respond by sending a join message to the switch The switch CPU creates a multicast forwarding table entry for the group if it is not already present The CPU also adds the interface where the join message was received to the forwarding table entry The host associated with that interface receives multicast traffic for that multicast group See Figure 21 1 Figure 21 1 Initial IGMP Join M...

Page 426: ... queries and the switch forwards these queries through all ports in the VLAN Interested hosts respond to the queries If at least one host in the VLAN wishes to receive multicast traffic the router continues forwarding the multicast traffic to the VLAN The switch forwards multicast group traffic only to those hosts listed in the forwarding table for that IP multicast group maintained by IGMP snoopi...

Page 427: ...00 to 5000 milliseconds The timer can be set either globally or on a per VLAN basis The VLAN configuration of the leave time overrides the global configuration For configuration steps see the Configuring the IGMP Leave Timer section on page 21 10 IGMP Report Suppression Note IGMP report suppression is supported only when the multicast query has IGMPv1 and IGMPv2 reports This feature is not support...

Page 428: ... Snooping Configuration Table 21 3 shows the default IGMP snooping configuration Enabling or Disabling IGMP Snooping By default IGMP snooping is globally enabled on the switch When globally enabled or disabled it is also enabled or disabled in all existing VLAN interfaces IGMP snooping is by default enabled on all VLANs but can be enabled and disabled on a per VLAN basis Global IGMP snooping overr...

Page 429: ...ch either to snoop on IGMP queries and PIM DVMRP packets or to listen to CGMP self join or proxy join packets By default the switch snoops on PIM DVMRP packets on all VLANs To learn of multicast router ports through only CGMP packets use the ip igmp snooping vlan vlan id mrouter learn cgmp global configuration command When this command is entered the router listens to only CGMP self join and CGMP ...

Page 430: ...iguration command on the switch Beginning in privileged EXEC mode follow these steps to enable a static connection to a multicast router Command Purpose Step 1 configure terminal Enter global configuration mode Step 2 ip igmp snooping vlan vlan id mrouter learn cgmp pim dvmrp Enable IGMP snooping on a VLAN The VLAN ID range is 1 to 1001 and 1006 to 4094 Specify the multicast router learning method...

Page 431: ...p igmp snooping vlan 105 static 224 2 4 12 interface gigabitethernet0 1 Switch config end Enabling IGMP Immediate Leave When you enable IGMP Immediate Leave the switch immediately removes a port when it detects an IGMP Version 2 leave message on that port You should only use the Immediate Leave feature when there is a single receiver present on every port in the VLAN Step 4 show ip igmp snooping m...

Page 432: ...ver the leave time might vary around the configured time depending on real time CPU load conditions network delays and the amount of traffic sent through the interface Beginning in privileged EXEC mode follow these steps to enable the IGMP configurable leave timer Command Purpose Step 1 configure terminal Enter global configuration mode Step 2 ip igmp snooping vlan vlan id immediate leave Enable I...

Page 433: ...its location and the receiver is on same port that was blocked but is now forwarding and when a port went down without sending a leave message If you set the TCN flood query count to 1 by using the ip igmp snooping tcn flood query count command the flooding stops after receiving 1 general query If you set the count to 7 the flooding until 7 general queries are received Groups are relearned based o...

Page 434: ...th attached hosts that are subscribed to different multicast groups this flooding might exceed the capacity of the link and cause packet loss You can use the ip igmp snooping tcn flood interface configuration command to control this behavior Beginning in privileged EXEC mode follow these steps to disable multicast flooding on an interface To re enable multicast flooding on an interface use the ip ...

Page 435: ... in the VLAN PIM is enabled on the SVI of the corresponding VLAN Beginning in privileged EXEC mode follow these steps to enable the IGMP snooping querier feature in a VLAN Command Purpose Step 1 configure terminal Enter global configuration mode Step 2 ip igmp snooping querier Enable the IGMP snooping querier Step 3 ip igmp snooping querier address ip_address Optional Specify an IP address for the...

Page 436: ...multicast query has IGMPv1 and IGMPv2 reports This feature is not supported when the query includes IGMPv3 reports IGMP report suppression is enabled by default When it is enabled the switch forwards only one IGMP report per multicast router query When report suppression is disabled all IGMP reports are forwarded to the multicast routers Beginning in privileged EXEC mode follow these steps to disa...

Page 437: ...isplay multicast table information for a multicast VLAN or about a specific parameter for the VLAN vlan id The VLAN ID range is 1 to 1001 and 1006 to 4094 count Display the total number of entries for the specified command options instead of the actual entries dynamic Display entries learned through IGMP snooping ip_address Display characteristics of the multicast group with the specified group IP...

Page 438: ...tering controls only group specific query and membership reports including join and leave reports It does not control general IGMP queries IGMP filtering has no relationship with the function that directs the forwarding of IP multicast traffic The filtering feature operates in the same manner whether CGMP is used to forward the multicast traffic IGMP filtering is applicable only to the dynamic lea...

Page 439: ... switch to have no IGMP profiles configured When a profile is configured if neither the permit nor deny keyword is included the default is to deny access to the range of IP addresses Beginning in privileged EXEC mode follow these steps to create an IGMP profile IGMP profiles None defined IGMP profile action Deny the range addresses Table 21 5 Default IGMP Filtering Configuration Feature Default Se...

Page 440: ...interfaces You can apply IGMP profiles only to Layer 2 access ports You cannot apply profiles to ports that belong to an EtherChannel port group You can apply a profile to multiple interfaces but each interface can have only one profile applied to it Beginning in privileged EXEC mode follow these steps to apply an IGMP profile to a switch port To remove a profile from an interface use the no ip ig...

Page 441: ... can join you can configure an interface to replace the existing group with the new group for which the IGMP report was received by using the ip igmp max groups action replace interface configuration command Use the no form of this command to return to the default which is to drop the IGMP join report Follow these guidelines when configuring the IGMP throttling action You can use this command on a...

Page 442: ...ng action when the maximum number of entries is in the forwarding table To return to the default action of dropping the report use the no ip igmp max groups action interface configuration command Displaying IGMP Filtering and Throttling Configuration You can display IGMP profile characteristics and you can display the IGMP profile and maximum group configuration for all interfaces on the switch or...

Page 443: ...s for Displaying IGMP Filtering and Throttling Configuration Command Purpose show ip igmp profile profile number Displays the specified IGMP profile or all the IGMP profiles defined on the switch show running config interface interface id Displays the configuration of the specified interface or the configuration of all interfaces on the switch including if configured the maximum number of IGMP gro...

Page 444: ...21 22 Catalyst 2928 Switch Software Configuration Guide OL 23389 01 Chapter 21 Configuring IGMP Snooping Displaying IGMP Filtering and Throttling Configuration ...

Page 445: ...ontrol page 22 1 Default Storm Control Configuration page 22 3 Configuring Storm Control and Threshold Levels page 22 3 Configuring Small Frame Arrival Rate page 22 5 Understanding Storm Control Storm control prevents traffic on a LAN from being disrupted by a broadcast multicast or unicast storm on one of the physical interfaces A LAN storm occurs when packets flood the LAN creating excessive tra...

Page 446: ...ic except control traffic such as bridge protocol data unit BDPU and Cisco Discovery Protocol CDP frames are blocked The graph in Figure 22 1 shows broadcast traffic patterns on an interface over a given period of time The example can also be applied to multicast and unicast traffic In this example the broadcast traffic being forwarded exceeded the configured threshold between time intervals T1 an...

Page 447: ...ecause of hardware limitations and the way in which packets of different sizes are counted threshold percentages are approximations Depending on the sizes of the packets making up the incoming traffic the actual enforced threshold might differ from the configured level by several percentage points Note Storm control is supported on physical interfaces You can also configure storm control on an Eth...

Page 448: ...threshold level for broadcast multicast or unicast traffic in bits per second up to one decimal place The port blocks traffic when the rising threshold is reached The range is 0 0 to 10000000000 0 Optional For bps low specify the falling threshold level in bits per second up to one decimal place It can be less than or equal to the rising threshold level The port forwards traffic when traffic drops...

Page 449: ... the small frame arrival feature on the switch and then configure the small frame threshold for packets on each interface Packets smaller than the minimum size and arriving at a specified rate the threshold are dropped since the port is error disabled If the errdisable recovery cause small frame global configuration command is entered the port is re enabled after a specified time You specify the r...

Page 450: ...en protected ports at Layer 2 only control traffic such as PIM packets is forwarded because these packets are processed by the CPU and forwarded in software All data traffic passing between protected ports must be forwarded through a Layer 3 device Forwarding behavior between a protected port and a nonprotected port proceeds as usual These sections contain this configuration information Default Pr...

Page 451: ...d or nonprotected from flooding unknown unicast or multicast packets to other ports These sections contain this configuration information Default Port Blocking Configuration page 22 7 Blocking Flooded Traffic on an Interface page 22 7 Default Port Blocking Configuration The default is to not block flooding of unknown multicast and unicast traffic out of a port but to flood these packets to all por...

Page 452: ...ss the workstation attached to that port is assured the full bandwidth of the port If a port is configured as a secure port and the maximum number of secure MAC addresses is reached when the MAC address of a station attempting to access the port is different from any of the identified secure MAC addresses a security violation occurs Also if a station with a secure MAC address configured or learned...

Page 453: ...s the interface does not need to dynamically reconfigure them You can configure an interface to convert the dynamic MAC addresses to sticky secure MAC addresses and to add them to the running configuration by enabling sticky learning To enable sticky learning enter the switchport port security mac address sticky interface configuration command When you enter this command the interface converts all...

Page 454: ...he maximum value or increase the number of maximum allowable addresses In this mode you are notified that a security violation has occurred An SNMP trap is sent a syslog message is logged and the violation counter increments shutdown A port security violation causes the interface to become error disabled and to shut down immediately and the port LED turns off An SNMP trap is sent a syslog message ...

Page 455: ...d If you connect more than one PC to the Cisco IP phone you must configure enough secure addresses to allow one for each PC and one for the phone When a trunk port is configured with port security and assigned to an access VLAN for data traffic and to a voice VLAN for voice traffic entering the switchport voice and switchport priority extend interface configuration commands has no effect When a co...

Page 456: ...t3 3 A VLAN Query Protocol VQP port configured with the switchport access vlan dynamic interface configuration command No SPAN source port Yes SPAN destination port No EtherChannel No Protected port Yes IEEE 802 1x port Yes Voice VLAN port4 4 You must set the maximum allowed secure addresses on the port to two plus the maximum number of secure addresses allowed on the access VLAN Yes Command Purpo...

Page 457: ... Layer 2 functions and any other secure MAC addresses configured on interfaces Optional vlan set a per VLAN maximum value Enter one of these options after you enter the vlan keyword vlan list On a trunk port you can set a per VLAN maximum value on a range of VLANs separated by a hyphen or a series of VLANs separated by commas For nonspecified VLANs the per VLAN maximum value is used access On an a...

Page 458: ...reached its maximum limit restrict When the number of secure MAC addresses reaches the limit allowed on the port packets with unknown source addresses are dropped until you remove a sufficient number of secure MAC addresses or increase the number of maximum allowable addresses An SNMP trap is sent a syslog message is logged and the violation counter increments shutdown The interface is error disab...

Page 459: ...ured for voice VLAN configure a maximum of two secure MAC addresses Step 9 switchport port security mac address sticky Optional Enable sticky learning on the interface Step 10 switchport port security mac address sticky mac address vlan vlan id access voice Optional Enter a sticky secure MAC address repeating the command as many times as necessary If you configure fewer secure MAC addresses than t...

Page 460: ...and followed by the switchport port security command to re enable port security on the interface If you use the no switchport port security mac address sticky interface configuration command to convert sticky secure MAC addresses to dynamic secure MAC addresses before entering the no switchport port security command all secure addresses on the interface except those that were manually configured a...

Page 461: ...es on a per port basis Beginning in privileged EXEC mode follow these steps to configure port security aging Command Purpose Step 1 configure terminal Enter global configuration mode Step 2 interface interface id Specify the interface to be configured and enter interface configuration mode Step 3 switchport port security aging static time time type absolute inactivity Enable or disable static agin...

Page 462: ...fic suppression and control configuration The show storm control and show port security privileged EXEC commands display those storm control and port security settings To display traffic control information use one or more of the privileged EXEC commands in Table 22 4 Table 22 4 Commands for Displaying Traffic Control Status and Configuration Command Purpose show interfaces interface id switchport...

Page 463: ...otocols This feature enables applications to send SNMP queries to neighboring devices CDP runs on all media that support Subnetwork Access Protocol SNAP Because CDP runs over the data link layer only two systems that support different network layer protocols can learn about each other Each CDP configured device sends periodic messages to a multicast address advertising at least one address at whic...

Page 464: ...racteristics You can configure the frequency of CDP updates the amount of time to hold the information before discarding it and whether or not to send Version 2 advertisements Beginning in privileged EXEC mode follow these steps to configure the CDP timer holdtime and advertisement type Note Steps 2 through 4 are all optional and can be performed in any order Table 23 1 Default CDP Configuration F...

Page 465: ...de follow these steps to disable the CDP device discovery capability Beginning in privileged EXEC mode follow these steps to enable CDP when it has been disabled Step 3 cdp holdtime seconds Optional Specify the amount of time a receiving device should hold the information sent by your device before discarding it The range is 10 to 255 seconds the default is 180 seconds Step 4 cdp advertise v2 Opti...

Page 466: ...onfig interface gigabitethernet0 1 Switch config if cdp enable Switch config if end Command Purpose Step 1 configure terminal Enter global configuration mode Step 2 interface interface id Specify the interface on which you are disabling CDP and enter interface configuration mode Step 3 no cdp enable Disable CDP on the interface Step 4 end Return to privileged EXEC mode Step 5 copy running config s...

Page 467: ... display all CDP neighbors or you can enter the name of the neighbor about which you want information You can also limit the display to information about the protocols enabled on the specified neighbor or information about the version of software running on the device show cdp interface interface id Display information about interfaces where CDP is enabled You can limit the display to the interfac...

Page 468: ...23 6 Catalyst 2928 Switch Software Configuration Guide OL 23389 01 Chapter 23 Configuring CDP Monitoring and Maintaining CDP ...

Page 469: ...s CDP allows network management applications to automatically discover and learn about other Cisco devices connected to the network To support non Cisco devices and to allow for interoperability between other devices the switch supports the IEEE 802 1AB Link Layer Discovery Protocol LLDP LLDP is a neighbor discovery protocol that is used for network devices to advertise information about themselve...

Page 470: ...figurations and associated Layer 2 and Layer 3 attributes for the specific application on that port For example the switch can notify a phone of the VLAN number that it should use The phone can connect to any switch obtain its VLAN number and then start communicating with the call control By defining a network policy profile TLV you can create a profile for voice and voice signalling by specifying...

Page 471: ...tion and LLDP interface configuration commands Configuration Guidelines If you first configure a network policy profile on an interface you cannot apply the switchport voice vlan command on the interface If the switchport voice vlan vlan id is already configured on an interface you can apply a network policy profile on the interface This way the interface has the voice or voice signaling VLAN netw...

Page 472: ...acteristics You can configure the frequency of LLDP updates the amount of time to hold the information before discarding it and the initialization delay time You can also select the LLDP and LLDP MED TLVs to send and receive Beginning in privileged EXEC mode follow these steps to configure these characteristics Note Steps 2 through 5 are all optional and can be performed in any order Command Purpo...

Page 473: ...global configuration mode Step 2 lldp holdtime seconds Optional Specify the amount of time a receiving device should hold the information sent by your device before discarding it The range is 0 to 65535 seconds the default is 120 seconds Step 3 lldp reinit Optional Specify the delay time in seconds for LLDP to initialize on any interface The range is 2 to 5 seconds the default is 2 seconds Step 4 ...

Page 474: ...o an interface network policy LLDP MED network policy TLV power management LLDP MED power management TLV Table 24 2 LLDP MED TLVs LLDP MED TLV Description Command Purpose Step 1 configure terminal Enter global configuration mode Step 2 interface interface id Specify the interface on which you are configuring an LLDP MED TLV and enter interface configuration mode Step 3 lldp med tlv select tlv Spec...

Page 475: ...Specify the native VLAN for voice traffic vlan id Optional Specify the VLAN for voice traffic The range is 1 to 4094 cos cvalue Optional Specify the Layer 2 priority class of service CoS for the configured VLAN The range is 0 to 7 the default is 5 dscp dvalue Optional Specify the differentiated services code point DSCP value for the configured VLAN The range is 0 to 63 the default is 46 dot1p Opti...

Page 476: ...a specific neighbor You can enter an asterisk to display all neighbors or you can enter the name of the neighbor about which you want information show lldp interface interface id Display information about interfaces where LLDP is enabled You can limit the display to the interface about which you want information show lldp neighbors interface id detail Display information about neighbors including ...

Page 477: ... of problems including spanning tree topology loops Modes of Operation UDLD supports two modes of operation normal the default and aggressive In normal mode UDLD can detect unidirectional links due to misconnected ports on fiber optic connections In aggressive mode UDLD can also detect unidirectional links due to one way traffic on fiber optic and twisted pair links and to misconnected ports on fi...

Page 478: ...oss of the heart beat means that the link must be shut down if it is not possible to re establish a bidirectional link If both fiber strands in a cable are working normally from a Layer 1 perspective UDLD in aggressive mode detects whether those fiber strands are connected correctly and whether traffic is flowing bidirectionally between the correct neighbors This check cannot be performed by auton...

Page 479: ...in the advertisement or in the detection phase UDLD restarts the link up sequence to resynchronize with any potentially out of sync neighbor UDLD shuts down the port if after the fast train of messages the link state is still undetermined Figure 25 1 shows an example of a unidirectional link condition Figure 25 1 UDLD Detection of a Unidirectional Link Configuring UDLD Default UDLD Configuration p...

Page 480: ...essive make sure that the same mode is configured on both sides of the link Caution Loop guard works only on point to point links We recommend that each end of the link has a directly connected device that is running STP Table 25 1 Default UDLD Configuration Feature Default Setting UDLD global enable state Globally disabled UDLD per port enable state for fiber optic media Disabled on all Ethernet ...

Page 481: ... aggressive mode on all fiber optic ports enable Enables UDLD in normal mode on all fiber optic ports on the switch UDLD is disabled by default An individual interface configuration overrides the setting of the udld enable global configuration command For more information about aggressive and normal modes see the Modes of Operation section on page 25 1 message time message timer interval Configure...

Page 482: ...d the errdisable recovery interval interval global configuration command specifies the time to recover from the UDLD error disabled state Displaying UDLD Status To display the UDLD status for the specified port or for all ports use the show udld interface id privileged EXEC command For detailed information about the fields in the command output see the command reference for this release Step 3 udl...

Page 483: ... traffic on the source ports or VLANs You must dedicate the destination port for SPAN use Except for traffic that is required for the SPAN session destination ports do not receive or forward traffic Only traffic that enters or leaves source ports or traffic that enters or leaves source VLANs can be monitored by using SPAN traffic routed to a source VLAN cannot be monitored For example if incoming ...

Page 484: ...send the monitored traffic to one or more destination ports A local SPAN session is an association of a destination port with source ports or source VLANs all on a single network device Local SPAN does not have separate source and destination sessions Local SPAN sessions gather a set of ingress and egress packets specified by the user and form them into a stream of SPAN data which is directed to t...

Page 485: ...py of each packet sent by the source is sent to the destination port for that SPAN session The copy is provided after the packet is modified Features that can cause a packet to be dropped during transmit processing also affect the duplicated copy for SPAN These features include IP standard and extended output ACLs and egress QoS policing Both In a SPAN session you can also monitor a port or VLAN f...

Page 486: ...ons Each source port can be configured with a direction ingress egress or both to monitor It can be any port type for example EtherChannel Fast Ethernet Gigabit Ethernet and so forth For EtherChannel sources you can monitor traffic for the entire EtherChannel or individually on a physical port as it participates in the port channel It can be an access port trunk port or voice VLAN port It cannot b...

Page 487: ...reside on the same switch as the source port When a port is configured as a SPAN destination port the configuration overwrites the original port configuration When the SPAN destination configuration is removed the port reverts to its previous configuration If a configuration change is made to the port while it is acting as a SPAN destination port the change does not take effect until the SPAN dest...

Page 488: ...up is configured as a SPAN source the entire group is monitored If a physical port is added to a monitored EtherChannel group the new port is added to the SPAN source port list If a port is removed from a monitored EtherChannel group it is automatically removed from the source port list A physical port that belongs to an EtherChannel group can be configured as a SPAN source port and still be a par...

Page 489: ... VLANs for each session You cannot mix source ports and source VLANs within a single SPAN session The destination port cannot be a source port a source port cannot be a destination port You cannot have two SPAN sessions using the same destination port When you configure a switch port as a SPAN destination port it is no longer a normal switch port only monitored traffic passes through the SPAN dest...

Page 490: ...traffic to specific VLANs by using the filter vlan keyword If a trunk port is being monitored only traffic on the VLANs specified with this keyword is monitored By default all VLANs are monitored on a trunk port You cannot mix source VLANs and filter VLANs within a single SPAN session Creating a Local SPAN Session Beginning in privileged EXEC mode follow these steps to create a SPAN session and sp...

Page 491: ...onitor both received and sent traffic This is the default rx Monitor received traffic tx Monitor sent traffic Note You can use the monitor session session_number source command multiple times to configure multiple source ports Step 4 monitor session session_number destination interface interface id encapsulation dot1q replicate Specify the SPAN session and the destination port monitoring port For ...

Page 492: ...tion replicate Switch config end This example shows how to remove port 1 as a SPAN source for SPAN session 1 Switch config no monitor session 1 source interface gigabitethernet0 1 Switch config end This example shows how to disable received traffic monitoring on port 1 which was configured for bidirectional monitoring Switch config no monitor session 1 source interface gigabitethernet0 1 rx The mo...

Page 493: ...ify the SPAN session the destination port the packet encapsulation and the ingress VLAN and encapsulation For session_number specify the session number entered in Step 3 For interface id specify the destination port The destination interface must be a physical port it cannot be an EtherChannel and it cannot be a VLAN Optional Specify a series or range of interfaces Enter a space before and after t...

Page 494: ... destination interface gigabitethernet0 2 encapsulation replicate ingress dot1q vlan 6 Switch config end Specifying VLANs to Filter Beginning in privileged EXEC mode follow these steps to limit SPAN source traffic to specific VLANs Command Purpose Step 1 configure terminal Enter global configuration mode Step 2 no monitor session session_number all local Remove any existing SPAN configuration for ...

Page 495: ...isplay configured SPAN sessions Step 5 monitor session session_number destination interface interface id encapsulation dot1q replicate Specify the SPAN session and the destination port monitoring port For session_number specify the session number entered in Step 3 For interface id specify the destination port The destination interface must be a physical port it cannot be an EtherChannel and it can...

Page 496: ...26 14 Catalyst 2928 Switch Software Configuration Guide OL 23389 01 Chapter 26 Configuring SPAN Displaying SPAN Status ...

Page 497: ... For complete syntax and usage information for the commands used in this chapter see the System Management Commands section in the Cisco IOS Configuration Fundamentals Command Reference Release 12 2 Understanding RMON page 27 1 Configuring RMON page 27 2 Displaying RMON Status page 27 6 Understanding RMON RMON is an Internet Engineering Task Force IETF standard monitoring specification that allows...

Page 498: ...value rising threshold and resets the alarm at another value falling threshold Alarms can be used with events the alarm triggers an event which can generate a log entry or an SNMP trap Event RMON group 9 Specifies the action to take when an event is triggered by an alarm The action can be to generate a log entry or an SNMP trap Because switches supported by this software release use hardware count...

Page 499: ...and Purpose Step 1 configure terminal Enter global configuration mode Step 2 rmon alarm number variable interval absolute delta rising threshold value event number falling threshold value event number owner string Set an alarm on a MIB object For number specify the alarm number The range is 1 to 65535 For variable specify the MIB object to monitor For interval specify the time in seconds the alarm...

Page 500: ... be triggered again Switch config rmon alarm 10 ifEntry 20 1 20 delta rising threshold 15 1 falling threshold 0 owner jjohnson The following example creates RMON event number 1 by using the rmon event command The event is defined as High ifOutErrors and generates a log entry when the event is triggered by the alarm The user jjones owns the row that is created in the event table by this command Thi...

Page 501: ...ion history index buckets bucket number interval seconds owner ownername Enable history collection for the specified number of buckets and time period For index identify the RMON group of statistics The range is 1 to 65535 Optional For buckets bucket number specify the maximum number of buckets desired for the RMON collection history group of statistics The range is 1 to 65535 The default is 50 bu...

Page 502: ...erence Release 12 2 Step 3 rmon collection stats index owner ownername Enable RMON statistic collection on the interface For index specify the RMON group of statistics The range is from 1 to 65535 Optional For owner ownername enter the name of the owner of the RMON group of statistics Step 4 end Return to privileged EXEC mode Step 5 show running config Verify your entries Step 6 show rmon statisti...

Page 503: ... also sends messages to the console Note The syslog format is compatible with 4 3 BSD UNIX When the logging process is disabled messages are sent only to the console The messages are sent as they are generated so message and debug output are interspersed with prompts or output from other commands Messages appear on the console after the process that generated them has finished You can set the seve...

Page 504: ... severity MNEMONIC description The part of the message preceding the percent sign depends on the setting of the service sequence numbers service timestamps log datetime service timestamps log datetime localtime msec show timezone or service timestamps log uptime global configuration command Table 28 1 describes the elements of syslog messages Table 28 1 System Log Message Elements Element Descript...

Page 505: ...n Disabling Message Logging Message logging is enabled by default It must be enabled to send messages to any destination other than the console When enabled log messages are sent to a logging process which logs messages to designated locations asynchronously to the processes that generated the messages MNEMONIC Text string that uniquely describes the message description Text string containing deta...

Page 506: ... enabled you can send messages to specific locations in addition to the console Beginning in privileged EXEC mode use one or more of the following commands to specify the locations that receive messages This procedure is optional Command Purpose Step 1 configure terminal Enter global configuration mode Step 2 no logging console Disable message logging Step 3 end Return to privileged EXEC mode Step...

Page 507: ...server host For host specify the name or IP address of the host to be used as the syslog server To build a list of syslog servers that receive logging messages enter this command more than once For complete syslog server configuration steps see the Configuring UNIX Syslog Servers section on page 28 11 Step 4 logging file flash filename max file size min file size severity level number type Store l...

Page 508: ...ugh the switch console port Use the line vty line number command to specify which vty lines are to have synchronous logging enabled You use a vty connection for configurations that occur through a Telnet session The range of line numbers is from 0 to 15 You can change the setting of all 16 vty lines at once by entering line vty 0 15 Or you can change the setting of the single vty line being used f...

Page 509: ...ce numbers so that you can unambiguously see a single message By default sequence numbers in log messages are not displayed Beginning in privileged EXEC mode follow these steps to enable sequence numbers in log messages This procedure is optional Command Purpose Step 1 configure terminal Enter global configuration mode Step 2 service timestamps log uptime or service timestamps log datetime msec lo...

Page 510: ... terminal other than the console use the no logging monitor global configuration command To disable logging to syslog servers use the no logging trap global configuration command Command Purpose Step 1 configure terminal Enter global configuration mode Step 2 logging console level Limit messages logged to the console By default the console receives debugging messages and numerically lower levels s...

Page 511: ...command you can change the level of messages sent and stored in the switch history table You also can change the number of messages that are stored in the history table Messages are stored in the history table because SNMP traps are not guaranteed to reach their destination By default one message of the level warning and numerically lower levels see Table 28 3 on page 28 9 are stored in the histor...

Page 512: ...he show archive log config all number end number user username session number number end number statistics provisioning privileged EXEC command to display the complete configuration log or the log for specified parameters The default is that configuration logging is disabled For information about the commands see the Cisco IOS Configuration Fundamentals and Network Management Command Reference Rel...

Page 513: ...t mode trunk 47 16 temi vty5 exit Configuring UNIX Syslog Servers The next sections describe how to configure the UNIX server syslog daemon and how to define the UNIX system logging facility Logging Messages to a UNIX Syslog Daemon Before you can send system log messages to a UNIX syslog server you must configure the syslog daemon on a UNIX server This procedure is optional Log in as root and perf...

Page 514: ...the switch to identify its messages as originating from any of the UNIX syslog facilities Beginning in privileged EXEC mode follow these steps to configure UNIX system facility message logging This procedure is optional To remove a syslog server use the no logging host global configuration command and specify the syslog server IP address To disable logging to syslog servers enter the no logging tr...

Page 515: ...isplay the logging configuration and the contents of the log buffer use the show logging privileged EXEC command For information about the fields in this display see the Cisco IOS Configuration Fundamentals Command Reference Release 12 2 Table 28 4 Logging Facility Type Keywords Facility Type Keyword Description auth Authorization system cron Cron facility daemon System daemon kern Kernel local0 7...

Page 516: ...28 14 Catalyst 2928 Switch Software Configuration Guide OL 23389 01 Chapter 28 Configuring System Message Logging Displaying the Logging Configuration ...

Page 517: ...er can be part of a network management system NMS such as CiscoWorks The agent and MIB reside on the switch To configure SNMP on the switch you define the relationship between the manager and the agent The SNMP agent contains MIB variables whose values the SNMP manager can request or change A manager can get a value from an agent or store a value into the agent The agent gathers data from the MIB ...

Page 518: ...t Authentication determining that the message is from a valid source Encryption mixing the contents of a package to prevent it from being read by an unauthorized source Note To select encryption enter the priv keyword This keyword is available only when the cryptographic encrypted software image is installed Both SNMPv1 and SNMPv2C use a community based form of security The community of managers a...

Page 519: ...HA algorithms SNMPv3 authPriv requires the cryptographic software image MD5 or SHA Data Encryption Standard DES or Advanced Encryption Standard AES Provides authentication based on the HMAC MD5 or HMAC SHA algorithms Allows specifying the User based Security Model USM with these encryption algorithms DES 56 bit encryption in addition to authentication based on the CBC DES DES 56 standard 3DES 168 ...

Page 520: ...access Read write RW Gives read and write access to authorized management stations to all objects in the MIB but does not allow access to the community strings When a cluster is created the command switch manages the exchange of messages among member switches and the SNMP application The Network Assistant software appends the member switch number esN where N is the switch number to the first confi...

Page 521: ...raps also consume more resources in the switch and in the network Unlike a trap which is discarded as soon as it is sent an inform request is held in memory until a response is received or the request times out Traps are sent only once but an inform might be re sent or retried several times The retries increase traffic and contribute to a higher overhead on the network Therefore traps and informs ...

Page 522: ...the default SNMP configuration Tunnel 5078 5142 Physical such as Gigabit Ethernet or SFP2 module interfaces 10000 14500 Null 14501 1 SVI switch virtual interface 2 SFP small form factor pluggable Table 29 3 ifIndex Values Interface Type ifIndex Range Table 29 4 Default SNMP Configuration Feature Default Setting SNMP agent Disabled1 1 This is the default when the switch starts and the startup confi...

Page 523: ...uration command fails When configuring SNMP informs you need to configure the SNMP engine ID for the remote agent in the SNMP database before you can send proxy requests or informs to it If a local user is not associated with a remote host the switch does not send informs for the auth authNoPriv and the priv authPriv authentication levels Changing the value of the SNMP engine ID has important side...

Page 524: ...re community strings of any length Optional For view specify the view record accessible to the community Optional Specify either read only ro if you want authorized management stations to retrieve MIB objects or specify read write rw if you want authorized management stations to retrieve and modify MIB objects By default the community string permits read only access to all objects Optional For acc...

Page 525: ...to the SNMP group Beginning in privileged EXEC mode follow these steps to configure SNMP on the switch Step 5 show running config Verify your entries Step 6 copy running config startup config Optional Save your entries in the configuration file Command Purpose Command Purpose Step 1 configure terminal Enter global configuration mode Step 2 snmp server engineID local engineid string remote ip addre...

Page 526: ...entication noauth Enables the noAuthNoPriv security level This is the default if no keyword is specified priv Enables Data Encryption Standard DES packet encryption also called privacy Note The priv keyword is available only when the cryptographic software image is installed Optional Enter read readview with a string not to exceed 64 characters that is the name of the view in which you can only vi...

Page 527: ...v3 you have these additional options encrypted specifies that the password appears in encrypted format This keyword is available only when the v3 keyword is specified auth is an authentication level setting session that can be either the HMAC MD5 96 md5 or the HMAC SHA 96 sha authentication level and requires a password string auth password not to exceed 64 characters If you enter v3 and the switc...

Page 528: ...0 to 10000 the default is 0 which means there is no rate limit flash Generates SNMP FLASH notifications hsrp Generates a trap for Hot Standby Router Protocol HSRP changes ipmulticast Generates a trap for IP multicast routing changes mac notification Generates a trap for MAC address notifications msdp Generates a trap for Multicast Source Discovery Protocol MSDP changes ospf Generates a trap for Op...

Page 529: ...hanges vlancreate Generates SNMP VLAN created traps vlandelete Generates SNMP VLAN deleted traps vtp Generates a trap for VLAN Trunking Protocol VTP changes Table 29 5 Switch Notification Types continued Notification Type Keyword Description Command Purpose Step 1 configure terminal Enter global configuration mode Step 2 snmp server engineID remote ip address engineid string Specify the engine ID ...

Page 530: ...ity string sent with the notification operation When version 3 is specified enter the SNMPv3 username Optional For notification type use the keywords listed in Table 29 5 on page 29 12 If no type is specified all notifications are sent Step 6 snmp server enable traps notification types Enable the switch to send traps or informs and specify the type of notifications to be sent For a list of notific...

Page 531: ...in privileged EXEC mode follow these steps to limit the TFTP servers used for saving and loading configuration files through SNMP to the servers specified in an access list Command Purpose Step 1 configure terminal Enter global configuration mode Step 2 snmp server contact text Set the system contact string For example snmp server contact Dial System Operator at beeper 21555 Step 3 snmp server loc...

Page 532: ... access list 4 that use the comaccess community string No other SNMP managers have access to any objects SNMP Authentication Failure traps are sent by SNMPv2C to the host cisco com using the community string public Switch config snmp server community comaccess ro 4 Switch config snmp server enable traps snmp authentication Switch config snmp server host cisco com version 2c public Step 3 access li...

Page 533: ...ssword Switch config snmp server user authuser authgroup v3 auth md5 mypassword Switch config snmp server host 192 180 1 27 informs version 3 auth authuser config Switch config snmp server enable traps Switch config snmp server inform retries 0 Displaying SNMP Status To display SNMP input and output statistics including the number of illegal community string entries errors and requested variables ...

Page 534: ...29 18 Catalyst 2928 Switch Software Configuration Guide OL 23389 01 Chapter 29 Configuring SNMP Displaying SNMP Status ...

Page 535: ...deny conditions that apply to packets When a packet is received on an interface the switch compares the fields in the packet against any applied ACLs to verify that the packet has the required permissions to be forwarded based on the criteria specified in the access lists One by one it tests packets against the conditions in an access list The first match decides whether the switch accepts or reje...

Page 536: ... ACLs control access to a network or to part of a network Figure 30 1 is an example of using ACLs to control access to a network when all workstations are in the same VLAN ACLs applied at the Layer 2 input would allow Host A to access the Human Resources network but prevent Host B from accessing the same network Port ACLs Port ACLs access control traffic entering a Layer 2 interface The switch doe...

Page 537: ...Layer 4 information cannot be applied in the standard manner to most of the fragments in a fragmented IP packet When the fragment contains no Layer 4 information and the ACE tests some Layer 4 information the matching rules are modified Permit ACEs that check the Layer 3 information in the fragment including protocol type such as TCP UDP and so on are considered to match the fragment regardless of...

Page 538: ...rk and resources of host 10 1 1 2 as it tries to reassemble the packet Fragmented packet C is from host 10 2 2 2 port 65001 going to host 10 1 1 3 port ftp If this packet is fragmented the first fragment matches the fourth ACE a deny All other fragments also match the fourth ACE because that ACE does not check any Layer 4 information and because Layer 3 information in all fragments shows that they...

Page 539: ...lists for IPv4 Standard IP access lists use source addresses for matching operations Extended IP access lists use source and destination addresses for matching operations and optional protocol type information for finer granularity of control These sections describe access lists and how to create them Access List Numbers page 30 5 Creating a Numbered Standard ACL page 30 6 Creating a Numbered Exte...

Page 540: ...C address access list No 1200 1299 IPX summary address access list No 1300 1999 IP standard access list expanded range Yes 2000 2699 IP extended access list expanded range Yes Table 30 1 Access List Numbers continued Access List Number Type Supported Command Purpose Step 1 configure terminal Enter global configuration mode Step 2 access list access list number deny permit source source wildcard De...

Page 541: ...he Applying an IPv4 ACL to a Terminal Line section on page 30 16 and to VLAN interfaces see the Applying an IPv4 ACL to a VLAN Interface section on page 30 16 Creating a Numbered Extended ACL Although standard ACLs use only source addresses for matching you can use extended ACL source and destination addresses for matching operations and optional protocol type information for finer granularity of ...

Page 542: ...o IOS IP Command Reference Volume 2 of 3 Routing Protocols Release 12 2 Cisco IOS IP Command Reference Volume 3 of 3 Multicast Release 12 2 These documents are available from the Cisco com page under Documentation Cisco IOS Software 12 2 Mainline Command References Note The switch does not support dynamic or reflexive access lists It also does not support filtering based on the type of service ToS...

Page 543: ...card applies wildcard bits to the source The destination is the network or host number to which the packet is sent The destination wildcard applies wildcard bits to the destination Source source wildcard destination and destination wildcard can be specified as The 32 bit quantity in dotted decimal format The keyword any for 0 0 0 0 255 255 255 255 any host The keyword host for a single host 0 0 0 ...

Page 544: ...wildcard port Possible operators include eq equal gt greater than lt less than neq not equal and range inclusive range Operators require a port number range requires two port numbers separated by a space Enter the port number as a decimal number from 0 to 65535 or the name of a TCP port To see TCP port names use the or see the Configuring IP Services section in the IP Addressing and Services chapt...

Page 545: ...ssage precedence precedence tos tos fragments time range time range name dscp dscp Optional Define an extended ICMP access list and the access conditions Enter icmp for Internet Control Message Protocol The ICMP parameters are the same as those described for most IP protocols in Step 2a with the addition of the ICMP message type and code parameters These optional keywords have these meanings icmp ...

Page 546: ...e mode and command syntax are slightly different However not all commands that use IP access lists accept a named access list Note The name you give to a standard or extended ACL can also be a number in the supported range of access list numbers That is the name of a standard IP ACL can be 1 to 99 the name of an extended IP ACL can be 100 to 199 The advantage of using named ACLs instead of numbere...

Page 547: ...n you might use named ACLs instead of numbered ACLs After creating a named ACL you can apply it to interfaces see the Applying an IPv4 ACL to a VLAN Interface section on page 30 16 Step 4 end Return to privileged EXEC mode Step 5 show access lists number name Show the access list configuration Step 6 copy running config startup config Optional Save your entries in the configuration file Command Pu...

Page 548: ...ging the System Time and Date section on page 7 1 Beginning in privileged EXEC mode follow these steps to configure a time range parameter for an ACL Repeat the steps if you have multiple items that you want in effect at different times To remove a configured time range limitation use the no time range time range name global configuration command This example shows how to configure time ranges for...

Page 549: ...l exit Switch config ip access list extended may_access Switch config ext nacl permit tcp any any time range workhours Switch config ext nacl end Switch show ip access lists Extended IP access list lpip_default 10 permit ip any any Extended IP access list deny_access 10 deny tcp any any time range new_year_day_2006 inactive Extended IP access list may_access 10 permit tcp any any time range workho...

Page 550: ...erface This section describes how to apply IPv4 ACLs to VLAN interfaces Note these guidelines Apply an ACL to either inbound or outbound VLAN interfaces to filter packets that are intended for the CPU such as SNMP Telnet or web traffic IPv4 ACLs applied to VLAN interfaces provide switch management security by limiting access to a specific host in the network or to specific applications SNMP Telnet...

Page 551: ...l packets Remember this behavior if you use undefined ACLs for network security Hardware and Software Treatment of IP ACLs ACL processing is primarily accomplished in hardware but requires forwarding of some traffic flows to the CPU for software processing If the hardware reaches its capacity to store ACL configurations packets are sent to the CPU for forwarding The forwarding rate for software fo...

Page 552: ...dcard range 5 60 permit tcp source source wildcard destination destination wildcard range 15 160 permit tcp source source wildcard destination destination wildcard range 115 1660 permit tcp source source wildcard destination destination wildcard And if this message appears ACLMGR 2 NOVMR Cannot generate hardware representation of access list chars The flag related operators are not available To av...

Page 553: ...xtended ACLs In this example suppose that you have a network connected to the Internet and you want any host on the network to be able to form TCP connections to any host on the Internet However you do not want IP hosts to be able to form TCP connections to hosts on your network except to the mail SMTP port of a dedicated mail host SMTP uses TCP port 25 on one end of the connection and a random po...

Page 554: ...kstation that belongs to Jones is allowed access and the workstation that belongs to Smith is not allowed access Switch config access list 1 remark Permit only Jones workstation through Switch config access list 1 permit 171 69 2 88 Switch config access list 1 remark Do not allow Smith workstation through Switch config access list 1 deny 171 69 3 13 In this example of a numbered ACL the Winter and...

Page 555: ...ands as described in Table 30 2 to display this information Table 30 2 Commands for Displaying Access Lists and Access Groups Command Purpose show access lists number name Display the contents of one or all current IP and MAC address access lists or a specific access list numbered or named show ip access lists number name Display the contents of all current IP access lists or a specific IP access ...

Page 556: ...30 22 Catalyst 2928 Switch Software Configuration Guide OL 23389 01 Chapter 30 Configuring Network Security with ACLs Displaying IPv4 ACL Configuration ...

Page 557: ...17 The switch supports some of the modular QoS CLI MQC commands For more information about the MQC commands see the Modular Quality of Service Command Line Interface Overview at this site http www cisco com en US products sw iosswrel ps1835 products_configuration_guide_chapter0918 6a00800bd908 html Understanding QoS Typically networks operate on a best effort delivery basis which means that all tr...

Page 558: ...at access the Internet rely on the class information to provide the same forwarding treatment to packets with the same class information and different treatment to packets with different class information The class information in the packet can be assigned by end hosts or by switches or routers along the way based on a configured policy detailed examination of the packet or both Detailed examinati...

Page 559: ...g CoS value to select into which of the two ingress queues to place a packet Queueing is enhanced with the weighted tail drop WTD algorithm a congestion avoidance mechanism If the threshold is exceeded the packet is dropped For more information see the Queueing Overview section on page 31 4 The action at the egress port is queueing Queueing evaluates the QoS packet label and the corresponding CoS ...

Page 560: ...s at specific points to help prevent congestion as shown in Figure 31 3 Figure 31 3 Ingress and Egress Queue Location Because the total inbound bandwidth of all ports can exceed the bandwidth of the internal ring ingress queues are located after the packet is classified policed and marked and before packets are forwarded into the switch fabric Because multiple ingress ports can simultaneously send...

Page 561: ...ommands described in this section to prioritize traffic by placing packets with particular CoSs into certain queues For configuration information see the Configuring Ingress Queue Characteristics section on page 31 12 Queueing on Egress Queues Figure 31 5 shows the queueing and scheduling flowchart for egress ports Note If the expedite queue is enabled SRR services it until it is empty before serv...

Page 562: ...You can display the CoS output queue threshold map by using the show mls qos maps privileged EXEC command The queues use WTD to support distinct drop percentages for different traffic classes Each queue has three predefined default drop thresholds that are not changeable For more information about how WTD works see the Weighted Tail Drop section on page 31 4 Packet Modification A packet is classif...

Page 563: ...hen QoS is enabled Table 31 3 shows the default CoS input queue threshold map when QoS is enabled Default Egress Queue Configuration Table 31 4 shows the default egress queue configuration for each queue set when QoS is enabled All ports are mapped to queue set 1 The port bandwidth limit is set to 100 percent and rate unlimited Table 31 2 Default Ingress Queue Configuration Feature Queue 1 Queue 2...

Page 564: ...ect to all ingress QoS processing You are likely to lose data when you change queue settings therefore try to make changes when traffic is at a minimum Reserved threshold 50 percent 50 percent 50 percent 50 percent Maximum threshold 400 percent 400 percent 400 percent 400 percent SRR shaped weights absolute 1 25 0 0 0 SRR shared weights 2 25 25 25 25 1 A shaped weight of zero means that this queue...

Page 565: ...Mode page 31 11 Configuring the Trust State on Ports within the QoS Domain Packets entering a QoS domain are classified at the edge of the QoS domain When the packets are classified at the edge the switch port within the QoS domain can be configured to one of the trusted states because there is no need to classify the packets at every switch within the QoS domain Figure 31 6 shows a sample network...

Page 566: ...nfiguration mode Step 2 interface interface id Specify the port to be trusted and enter interface configuration mode Valid interfaces include physical ports Step 3 mls qos trust cos Configure the port trust state By default the port is not trusted If no keyword is specified the default is cos The keyword has this meanings cos Classifies an ingress packet by using the packet CoS value For an untagg...

Page 567: ...nd the DSCP to DSCP mutation map Command Purpose Step 1 configure terminal Enter global configuration mode Step 2 interface interface id Specify the port to be configured and enter interface configuration mode Valid interfaces include physical ports Step 3 mls qos cos default cos override Configure the default CoS value for the port For default cos specify a default CoS value to be assigned to a p...

Page 568: ... to enable DSCP transparency and then enter the mls qos trust cos interface configuration command DSCP transparency is still enabled Configuring Ingress Queue Characteristics Depending on the complexity of your network and your QoS solution you might need to perform all of the tasks in the next sections You will need to make decisions about these characteristics Which packets are assigned by CoS v...

Page 569: ...s srr queue input priority queue queue id bandwidth weight global configuration command Then SRR shares the remaining bandwidth with both ingress queues and services them as specified by the weights configured with the mls qos srr queue input bandwidth weight1 weight2 global configuration command Command Purpose Step 1 configure terminal Enter global configuration mode Step 2 mls qos srr queue inp...

Page 570: ...f the tasks in the next sections You will need to make decisions about these characteristics Which packets are mapped by CoS value to each queue and threshold ID What drop percentage thresholds apply to the queue set four egress queues per port and how much reserved and maximum memory is needed for the traffic type How much of the fixed buffer space is allocated to the queue set Does the bandwidth...

Page 571: ...placing packets with particular costs of service into certain queues and adjusting the queue thresholds so that packets with lower priorities are dropped Note The egress queue default settings are suitable for most situations You should change them only when you have a thorough understanding of the egress queues and if these settings do not meet your QoS solution Beginning in privileged EXEC mode ...

Page 572: ...ch config if priority queue out Switch config if end Step 4 show mls qos maps Verify your entries The CoS output queue threshold map shows the CoS value in the top row and the corresponding queue ID and threshold ID in the second row for example queue 2 and threshold 2 2 2 Step 5 copy running config startup config Optional Save your entries in the configuration file Command Purpose Command Purpose...

Page 573: ...r more of the privileged EXEC commands in Table 31 6 Table 31 6 Commands for Displaying Standard QoS Information Command Purpose show mls qos Display global QoS configuration information show mls qos maps cos input q cos output q Display QoS mapping information show mls qos vlan vlan id Display the policy maps attached to the specified SVI show running config include rewrite Display the CoS transp...

Page 574: ...31 18 Catalyst 2928 Switch Software Configuration Guide OL 23389 01 Chapter 31 Configuring QoS Displaying Standard QoS Information ...

Page 575: ...for the loss of a link by redistributing the load across the remaining links If a link fails EtherChannel redirects traffic from the failed link to the remaining links in the channel without intervention Note For complete syntax and usage information for the commands used in this chapter see the command reference for this release Understanding EtherChannels page 32 1 Configuring EtherChannels page...

Page 576: ...ither PAgP or LACP mode the system negotiates with the other end of the channel to determine which ports should become active Incompatible ports are suspended Instead of a suspended state the local port is put into an independent state and continues to carry data traffic as would any other single link The port configuration does not change but the port does not participate in the EtherChannel When...

Page 577: ... physical port The channel group number can be the same as the port channel number or you can use a new number If you use a new number the channel group command dynamically creates a new port channel Each EtherChannel has a port channel logical interface numbered from 1 to 6 This port channel interface number corresponds to the one specified with the channel group interface configuration command F...

Page 578: ... Layer 2 EtherChannels trunking state and VLAN numbers Ports can form an EtherChannel when they are in different PAgP modes as long as the modes are compatible For example A port in the desirable mode can form an EtherChannel with another port that is in the desirable or auto mode A port in the auto mode can form an EtherChannel with another port in the desirable mode A port in the auto mode canno...

Page 579: ...r aggregate port Similarly configured ports are grouped based on hardware administrative and port parameter constraints For example LACP groups the ports with the same speed duplex mode native VLAN VLAN range and trunking status and type After grouping the links into an EtherChannel LACP adds the group to the spanning tree as a single switch port LACP Modes Table 32 2 shows the user configurable E...

Page 580: ... reducing part of the binary pattern formed from the addresses in the frame to a numerical value that selects one of the links in the channel EtherChannel load balancing can use MAC addresses or IP addresses source or destination addresses or both source and destination addresses The selected mode applies to all EtherChannels configured on the switch You configure the load balancing and forwarding...

Page 581: ...coming packet This forwarding method a combination of source IP and destination IP address based forwarding can be used if it is not clear whether source IP or destination IP address based forwarding is better suited on a particular switch In this method packets sent from the IP address A to IP address B from IP address A to IP address C and from IP address C to IP address B could all use differen...

Page 582: ...rn Method and Priority page 32 13 optional Configuring LACP Hot Standby Ports page 32 14 optional Note Make sure that the ports are correctly configured For more information see the EtherChannel Configuration Guidelines section on page 32 9 Note After you configure an EtherChannel configuration changes applied to the port channel interface apply to all the physical ports assigned to the port chann...

Page 583: ...rface configuration command is treated as a link failure and its traffic is transferred to one of the remaining ports in the EtherChannel When a group is first created all ports follow the parameters set for the first port to be added to the group If you change the configuration of one of these parameters you must also make the changes to all ports in the group Allowed VLAN list Spanning tree path...

Page 584: ...2 1Q is the same on all the trunks Inconsistent trunk modes on EtherChannel ports can have unexpected results An EtherChannel supports the same allowed range of VLANs on all the ports in a trunking Layer 2 EtherChannel If the allowed range of VLANs is not the same the ports do not form an EtherChannel even when PAgP is set to the auto or desirable mode Ports with different spanning tree path costs...

Page 585: ...kets on Forces the port to channel without PAgP or LACP In the on mode an EtherChannel exists only when a port group in the on mode is connected to another port group in the on mode non silent Optional If your switch is connected to a partner that is PAgP capable configure the switch port for nonsilent operation when the port is in the auto or desirable mode If you do not specify non silent silent...

Page 586: ...ad balancing by using source based or destination based forwarding methods For more information see the Load Balancing and Forwarding Methods section on page 32 6 Beginning in privileged EXEC mode follow these steps to configure EtherChannel load balancing This procedure is optional Command Purpose Step 1 configure terminal Enter global configuration mode Step 2 port channel load balance dst ip ds...

Page 587: ...up can be swapped into operation in just a few seconds if the selected single port loses hardware signal detection You can configure which port is always selected for packet transmission by changing its priority with the pagp port priority interface configuration command The higher the priority the more likely that the port will be selected Note The switch supports address learning only on aggrega...

Page 588: ...arisons numerically lower values have higher priority The priority decides which ports should be put in standby mode when there is a hardware limitation that prevents all compatible ports from aggregating Step 3 pagp learn method physical port Select the PAgP learning method By default aggregation port learning is selected which means the switch sends packets to the source by using any of the port...

Page 589: ...se the show etherchannel summary privileged EXEC command to see which ports are in the hot standby mode denoted with an H port state flag Beginning in privileged EXEC mode follow these steps to configure the LACP system priority This procedure is optional To return the LACP system priority to the default value use the no lacp system priority global configuration command Configuring the LACP Port P...

Page 590: ... interface interface id Specify the port to be configured and enter interface configuration mode Step 3 lacp port priority priority Configure the LACP port priority For priority the range is 1 to 65535 The default is 32768 The lower the value the more likely that the port will be used for LACP transmission Step 4 end Return to privileged EXEC mode Step 5 show running config or show lacp channel gr...

Page 591: ...els Displaying EtherChannel PAgP and LACP Status You can clear LACP channel group information and traffic counters by using the clear lacp channel group number counters counters privileged EXEC command For detailed information about the fields in the displays see the command reference for this release ...

Page 592: ...32 18 Catalyst 2928 Switch Software Configuration Guide OL 23389 01 Chapter 32 Configuring EtherChannels Displaying EtherChannel PAgP and LACP Status ...

Page 593: ...mary Release 12 2 This chapter consists of these sections Recovering from a Software Failure page 33 2 Recovering from a Lost or Forgotten Password page 33 3 Recovering from a Command Switch Failure page 33 7 Recovering from Lost Cluster Member Connectivity page 33 11 Note Recovery procedures require that you have physical access to the switch Preventing Autonegotiation Mismatches page 33 11 Troub...

Page 594: ... are using UNIX follow these steps 1 Display the contents of the tar file by using the tar tvf image_filename tar UNIX command switch tar tvf image_filename tar 2 Locate the bin file and extract it by using the tar xvf image_filename tar image_filename bin UNIX command switch tar xvf image_filename tar image_filename bin x c2928 lanlitek9 mz 122 55 EZ c2928 lanlitek9 mz 122 55 EZ bin 3 Verify that...

Page 595: ... access to the switch to recover from a lost password by interrupting the boot process during power on and by entering a new password These recovery procedures require that you have physical access to the switch Note On these switches a system administrator can disable some of the functionality of this feature by allowing an end user to reset a password only by agreeing to return to the default co...

Page 596: ...firm y Procedure with Password Recovery Enabled If the password recovery mechanism is enabled this message appears The system has been interrupted prior to initializing the flash file system The following commands will initialize the flash file system and finish loading the operating system software flash_init load_helper boot Step 1 Initialize the flash file system switch flash_init Step 2 If you...

Page 597: ...p 10 Enter global configuration mode Switch configure terminal Step 11 Change the password Switch config enable secret password The secret password can be from 1 to 25 alphanumeric characters can start with a number is case sensitive and allows spaces but ignores leading spaces Step 12 Return to privileged EXEC mode Switch config exit Switch Step 13 Write the running configuration to the startup c...

Page 598: ...ocess continues as if the Mode button had not been pressed you cannot access the boot loader prompt and you cannot enter a new password You see the message Press Enter to continue If you enter y yes the configuration file in flash memory and the VLAN database file are deleted When the default configuration loads you can reset the password Step 1 Elect to continue with password recovery and lose th...

Page 599: ... recover from a failed command switch You can configure a redundant command switch group by using the Hot Standby Router Protocol HSRP For more information see Chapter 5 Clustering Switches Note HSRP is the preferred method for supplying redundancy to a cluster If you have not configured a standby command switch and your command switch loses power or fails in some other way management contact with...

Page 600: ...global configuration mode Switch configure terminal Enter configuration commands one per line End with CNTL Z Step 7 Remove the member switch from the cluster Switch config no cluster commander address Step 8 Return to privileged EXEC mode Switch config end Switch Step 9 Use the setup program to configure the switch IP information This program prompts you for IP address information and passwords F...

Page 601: ... information is correct enter Y and press Return If this information is not correct enter N press Return and begin again at Step 9 Step 17 Start your browser and enter the IP address of the new command switch Step 18 From the Cluster menu select Add to Cluster to display a list of candidate switches to add to the cluster Replacing a Failed Command Switch with Another Switch To replace a failed com...

Page 602: ...characters Do not use n where n is a number as the last character in a hostname for any switch When prompted for the Telnet virtual terminal password recall that it can be from 1 to 25 alphanumeric characters is case sensitive allows spaces but ignores leading spaces Step 8 When prompted for the enable secret and enable passwords enter the passwords of the failed command switch again Step 9 When p...

Page 603: ...ed port can lose connectivity if the port is disabled because of a security violation Preventing Autonegotiation Mismatches The IEEE 802 3ab autonegotiation protocol manages the switch settings for speed 10 Mb s 100 Mb s and 1000 Mb s excluding SFP module ports and duplex half or full There are situations when this protocol can incorrectly align these settings reducing performance A mismatch occur...

Page 604: ...ion commands You should not connect a Cisco powered device to a port that has been configured with the power inline never command SFP Module Security and Identification Cisco small form factor pluggable SFP modules have a serial EEPROM that contains the module serial number the vendor name and ID a unique security code and cyclic redundancy check CRC When an SFP module is inserted in the switch th...

Page 605: ...is release Using Ping These sections contain this information Understanding Ping page 33 13 Executing Ping page 33 13 Understanding Ping The switch supports IP ping which you can use to test connectivity to remote hosts Ping sends an echo request packet to an address and waits for a reply Ping returns one of these responses Normal response The normal response hostname is alive occurs in 1 to 10 se...

Page 606: ...ng Layer 2 Traceroute The Layer 2 traceroute feature allows the switch to identify the physical path that a packet takes from a source device to a destination device Layer 2 traceroute supports only unicast source and destination MAC addresses It finds the path by using the MAC address tables of the switches in the path When the switch detects a device in the path that does not support Layer 2 tra...

Page 607: ...y a multicast source or destination MAC address the path is not identified and an error message appears If the source or destination MAC address belongs to multiple VLANs you must specify the VLAN to which both the source and destination MAC addresses belong If the VLAN is not specified the path is not identified and an error message appears The traceroute mac ip command output shows the Layer 2 p...

Page 608: ... EXEC command uses the Time To Live TTL field in the IP header to cause routers and servers to generate specific return messages Traceroute starts by sending a User Datagram Protocol UDP datagram to the destination host with the TTL field set to 1 If a router finds a TTL value of 1 or 0 it drops the datagram and sends an Internet Control Message Protocol ICMP time to live exceeded message to the s...

Page 609: ...71 9 4 5 0 msec 4 msec 0 msec 5 171 9 121 34 0 msec 4 msec 4 msec 6 171 9 15 9 120 msec 132 msec 128 msec 7 171 9 15 10 132 msec 128 msec 128 msec Switch The display shows the hop count the IP address of the router and the round trip time in milliseconds for each of the three probes that are sent To end a trace in progress enter the escape sequence Ctrl X by default Simultaneously press and releas...

Page 610: ... a shorted twisted pair can occur if one wire of the twisted pair is soldered to the other wire If one of the twisted pair wires is open TDR can find the length at which the wire is open Use TDR to diagnose and resolve cabling problems in these situations Replacing a switch Setting up a wiring closet Troubleshooting a connection between two devices when a link cannot be established or when it is n...

Page 611: ...ble a debug command and no output appears consider these possibilities The switch might not be properly configured to generate the type of traffic you want to monitor Use the show running config command to check its configuration Even if the switch is properly configured it might not generate the type of traffic you want to monitor during the particular period that debugging is enabled Depending o...

Page 612: ... Logging Using the show platform forward Command The output from the show platform forward privileged EXEC command provides some useful information about the forwarding results if a packet entering an interface is sent through the system Depending upon the parameters entered about the packet the output provides lookup table results and port maps used to calculate forwarding destinations bitmaps an...

Page 613: ...ue to failed DEJA_VU Check on Gi0 2 This is an example of the output when the packet coming in on port 1 in VLAN 5 is sent to an address already learned on the VLAN on another port It should be forwarded from the port on which the address was learned Switch show platform forward gigabitethernet0 1 vlan 5 1 1 1 0009 43a8 0145 ip 13 1 1 1 13 2 2 2 udp 10 20 Global Port Number 24 Asic Number 5 Src Re...

Page 614: ...t recent failure Version numbers are used instead of a timestamp because the switches do not include a real time clock You cannot change the name of the file that the system will use when it creates the file However after the file is created you can use the rename privileged EXEC command to rename it but the contents of the renamed file will not be displayed by the show tech support privileged EXE...

Page 615: ...n the switch Displaying TCAM Memory Consistency Check Errors Beginning in privileged EXEC mode use this command to display the TCAM memory consistency check errors detected on the switch This example shows information about the TCAM memory consistency integrity on the switch Switch show platform tcam errors TCAM Memory Consistency Checker Errors TCAM Space Values Masks Fixups Retries Failures Unas...

Page 616: ...t result in these symptoms but the symptoms could also result from other causes Spanning tree topology changes EtherChannel links brought down due to loss of communication Failure to respond to management requests ICMP ping SNMP timeouts slow Telnet or SSH sessions UDLD flapping IP SLAs failures because of SLAs responses beyond an acceptable threshold DHCP or IEEE 802 1x failures if the switch doe...

Page 617: ...on Cisco com Troubleshooting Power over Ethernet PoE Note PoE is supported only on ports 1 8 of the model WS C2928 24LT C switch Note Power over Ethernet Plus PoE is not supported on Catalyst 2928 switches Table 33 4 Troubleshooting CPU Utilization Problems Type of Problem Cause Corrective Action Interrupt percentage value is almost as high as total CPU utilization value The CPU is receiving too m...

Page 618: ...good non PoE Ethernet device to the Ethernet cable and make sure that the powered device establishes a link and exchanges traffic with another host Verify that the total cable length from the switch front panel to the powered device is not more than 100 meters Disconnect the Ethernet cable from the switch port Use a short Ethernet cable to connect a known good Ethernet device directly to this port...

Page 619: ...existing distribution cables Enter the shut and no shut interface configuration commands and verify that an Ethernet link is established If this connection is good use a short patch cord to connect a powered device to this port and verify that it powers on If the device powers on verify that all intermediate patch panels are correctly connected Disconnect all but one of the Ethernet cables from sw...

Page 620: ...ctly If a non PoE device has link problems or a high error rate the problem might be an unreliable cable connection between the switch port and the powered device For more information see Cisco Phone Disconnects or Resets on Cisco com Non Cisco powered device does not work on Cisco PoE switch A non Cisco powered device is connected to a Cisco PoE switch but never powers on or powers on and then qu...

Page 621: ...essages using the configured community string always provide information for VLAN 1 To obtain the BRIDGE MIB information for other VLANs for example VLAN x use this community string in the SNMP message configured community string x CISCO CABLE DIAG MIB CISCO CDP MIB CISCO CLUSTER MIB CISCO CONFIG COPY MIB CISCO CONFIG MAN MIB CISCO DHCP SNOOPING MIB CISCO ENTITY VENDORTYPE OID MIB CISCO ENVMON MIB...

Page 622: ...IB CISCO SMI MIB CISCO STP EXTENSIONS MIB CISCO SYSLOG MIB CISCO TC MIB CISCO TCP MIB CISCO UDLDP MIB CISCO VLAN IFTABLE RELATIONSHIP MIB CISCO VLAN MEMBERSHIP MIB CISCO VTP MIB ENTITY MIB ETHERLIKE MIB IEEE8021 PAE MIB IEEE8023 LAG MIB IF MIB In and out counters for VLANs are not supported INET ADDRESS MIB OLD CISCO CHASSIS MIB OLD CISCO FLASH MIB OLD CISCO INTERFACES MIB OLD CISCO IP MIB OLD CIS...

Page 623: ... each MIB file by using this procedure Step 1 Make sure that your FTP client is in passive mode Note Some FTP clients do not support passive mode Step 2 Use FTP to access the server ftp cisco com Step 3 Log in with the username anonymous Step 4 Enter your e mail username when prompted for the password Step 5 At the ftp prompt change directories to pub mibs v1 and pub mibs v2 Step 6 Use the get MIB...

Page 624: ...A 4 Catalyst 2928 Switch Software Configuration Guide OL 23389 01 Appendix A Supported MIBs Using FTP to Access the MIB Files ...

Page 625: ...This appendix consists of these sections Working with the Flash File System page B 1 Working with Configuration Files page B 8 Working with Software Images page B 19 Working with the Flash File System The flash file system is a single flash device on which you can store files It also provides several commands to help you manage software image and configuration files The default flash file system o...

Page 626: ...e file system in bytes Free b Amount of free memory in the file system in bytes Type Type of file system flash The file system is for a flash memory device nvram The file system is for a NVRAM device opaque The file system is a locally generated pseudo file system for example the system or a download interface such as brimux unknown The file system is an unknown type Flags Permission for file syst...

Page 627: ...ration file with the same name Similarly before copying a flash configuration file to another location you might want to verify its filename for use in another command To display information about files on a file system use one of the privileged EXEC commands in Table B 2 Changing Directories and Displaying the Working Directory Beginning in privileged EXEC mode follow these steps to change direct...

Page 628: ...overed Copying Files To copy a file from a source to a destination use the copy source url destination url privileged EXEC command For the source and destination URLs you can use running config and startup config keyword shortcuts For example the copy running config startup config command saves the currently running configuration file to the NVRAM section of flash memory to be used as the configur...

Page 629: ...ommand Use the recursive keyword for deleting a directory and all subdirectories and the files contained in it Use the force keyword to suppress the prompting that confirms a deletion of each file in the directory You are prompted only once at the beginning of this deletion process Use the force and recursive keywords for deleting old software images that were installed by using the archive downlo...

Page 630: ... file This example shows how to create a tar file This command writes the contents of the new configs directory on the local flash device to a file named saved tar on the TFTP server at 172 20 10 30 Switch archive tar create tftp 172 20 10 30 saved tar flash new configs Displaying the Contents of a tar File To display the contents of a tar file on the screen use this privileged EXEC command archiv...

Page 631: ...ename tar For the RCP the syntax is rcp username location directory tar filename tar For the TFTP the syntax is tftp location directory tar filename tar The tar filename tar is the tar file from which to extract files For flash file url dir file specify the location on the local flash file system into which the tar file is extracted Use the dir file option to specify an optional list of files or d...

Page 632: ...n your network so that all the switches have similar configurations You can copy upload configuration files from the switch to a file server by using TFTP FTP or RCP You might perform this task to back up a current configuration file to a server before changing its contents so that you can later restore the original configuration file from the server The protocol you use depends on which type of s...

Page 633: ...nfiguration file and the copied configuration file with the copied configuration file having precedence To restore a configuration file to an exact copy of a file stored on a server copy the configuration file directly to the startup configuration by using the copy ftp rcp tftp nvram startup config privileged EXEC command and reload the switch Configuration File Types and Location Startup configur...

Page 634: ...ram udp wait root usr etc in tftpd in tftpd p s tftpboot Make sure that the etc services file contains this line tftp 69 udp Note You must restart the inetd daemon after modifying the etc inetd conf and etc services files To restart the daemon either stop the inetd process and restart it or enter a fastboot command on the SunOS 4 x or a reboot command on Solaris 2 x or SunOS 5 x For more informati...

Page 635: ...uted as the file is parsed line by line This example shows how to configure the software from the file tokyo confg at IP address 172 16 2 155 Switch copy tftp 172 16 2 155 tokyo confg system running config Configure using tokyo confg from 172 16 2 155 confirm y Booting tokyo confg from 172 16 2 155 OK 874 16000 bytes Uploading the Configuration File By Using TFTP To upload a configuration file fro...

Page 636: ...sername and password must be associated with an account on the FTP server If you are writing to the server the FTP server must be properly configured to accept your FTP write request Use the ip ftp username and ip ftp password commands to specify a username and password for all copies Include the username in the copy command if you want to specify only a username for that copy operation If the ser...

Page 637: ... download a configuration file by using FTP This example shows how to copy a configuration file named host1 confg from the netadmin1 directory on the remote server with an IP address of 172 16 101 101 and to load and run those commands on the switch Switch copy ftp netadmin1 mypass 172 16 101 101 host1 confg system running config Configure using host1 confg from 172 16 101 101 confirm Connected to...

Page 638: ...on file by using FTP This example shows how to copy the running configuration file named switch2 confg to the netadmin1 directory on the remote host with an IP address of 172 16 101 101 Switch copy system running config ftp netadmin1 mypass 172 16 101 101 switch2 confg Write file switch2 confg on host 172 16 101 101 confirm Building configuration OK Connected to 172 16 101 101 Switch Command Purpo...

Page 639: ...one place to another you must have read permission on the source file and write permission on the destination file If the destination file does not exist RCP creates it for you The RCP requires a client to send a remote username with each RCP request to a server When you copy a configuration file from the switch to a server the Cisco IOS software sends the first valid username in this list The use...

Page 640: ...a Telnet session and you have a valid username this username is used and you do not need to set the RCP username Include the username in the copy command if you want to specify a username for only that copy operation When you upload a file to the RCP server it must be properly configured to accept the RCP write request from the user on the switch For UNIX systems you must add an entry to the rhost...

Page 641: ... startup config Address of remote host 255 255 255 255 172 16 101 101 Name of configuration file rtr2 confg host2 confg Configure using host2 confg from 172 16 101 101 confirm Connected to 172 16 101 101 Loading 1112 byte file host2 confg OK OK Switch SYS 5 CONFIG_NV Non volatile store configured from host2 config by rcp from 172 16 101 101 Uploading a Configuration File By Using RCP Beginning in ...

Page 642: ...ith no startup configuration the switch enters the setup program so that you can reconfigure the switch with all new settings Clearing the Startup Configuration File To clear the contents of your startup configuration use the erase nvram or the erase startup config privileged EXEC command Caution You cannot restore the startup configuration file after it has been deleted Deleting a Stored Configur...

Page 643: ...hen by using the device manager to upgrade your switch For information about upgrading your switch by using a TFTP server or a web browser HTTP see the release notes You can replace the current image with the new one or keep the current image in flash memory after a download You upload a switch image file to a TFTP FTP or RCP server for backup purposes You can use this uploaded image for future do...

Page 644: ... tar file One or more subdirectories containing other images and files such as Cisco IOS images and web management files This example shows some of the information contained in the info file Table B 3 provides additional details about this information system_type 0x00000000 c2928 lanlitek9 mz 122 55 EZ image_family C2928 stacking_number 1 11 info_end version_suffix lanlitek9 122 55 0 02 EZ version...

Page 645: ...ile By Using TFTP page B 24 Preparing to Download or Upload an Image File By Using TFTP Before you begin downloading or uploading an image file by using TFTP do these tasks Ensure that the workstation acting as the TFTP server is properly configured On a Sun workstation make sure that the etc inetd conf file contains this line tftp dgram udp wait root usr etc in tftpd in tftpd p s tftpboot Make su...

Page 646: ...e an empty file enter the touch filename command where filename is the name of the file you will use when uploading the image to the server During upload operations if you are overwriting an existing file including an empty file if you had to create one on the server ensure that the permissions on the file are set correctly Permissions on the file should be world write Downloading an Image File By...

Page 647: ...y entering the delete force recursive filesystem file url privileged EXEC command For filesystem use flash for the system board flash device For file url enter the directory name of the old image All the files in the directory and the directory are removed Caution For the download and upload algorithms to operate properly do not rename image names Step 3 archive download sw overwrite reload tftp l...

Page 648: ...You can overwrite the current image with the new one or keep the current image after a download You upload a switch image file to a server for backup purposes You can use this uploaded image for future downloads to the switch or another switch of the same type Note Instead of using the copy privileged EXEC command or the archive tar privileged EXEC command we recommend using the archive download s...

Page 649: ...l copies Include the username in the archive download sw or archive upload sw privileged EXEC command if you want to specify a username only for that operation If the server has a directory structure the image file is written to or copied from the directory associated with the username on the server For example if the image file resides in the home directory of a user on the server specify that us...

Page 650: ...emote username or password see Steps 4 5 and 6 Step 4 ip ftp username username Optional Change the default remote username Step 5 ip ftp password password Optional Change the default password Step 6 end Return to privileged EXEC mode Step 7 archive download sw overwrite reload ftp username password location directory image name tar Download the image file from the FTP server to the switch and over...

Page 651: ...entering the delete force recursive filesystem file url privileged EXEC command For filesystem use flash for the system board flash device For file url enter the directory name of the old software image All the files in the directory and the directory are removed Caution For the download and upload algorithms to operate properly do not rename image names Uploading an Image File By Using FTP You ca...

Page 652: ...e same type Command Purpose Step 1 Verify that the FTP server is properly configured by referring to the Preparing to Download or Upload a Configuration File By Using FTP section on page B 12 Step 2 Log into the switch through the console port or a Telnet session Step 3 configure terminal Enter global configuration mode This step is required only if you override the default remote username or pass...

Page 653: ...permission on the destination file If the destination file does not exist RCP creates it for you RCP requires a client to send a remote username on each RCP request to a server When you copy an image from the switch to a server by using RCP the Cisco IOS software sends the first valid username in this list The username specified in the archive download sw or archive upload sw privileged EXEC comma...

Page 654: ...cept the RCP write request from the user on the switch For UNIX systems you must add an entry to the rhosts file for the remote user on the RCP server For example suppose the switch contains these configuration lines hostname Switch1 ip rcmd remote username User0 If the switch IP address translates to Switch1 company com the rhosts file for User0 on the RCP server should contain this line Switch1 ...

Page 655: ...The reload option reloads the system after downloading the image unless the configuration has been changed and not been saved For username specify the username For the RCP copy request to execute successfully an account must be defined on the network server for the remote username For more information see the Preparing to Download or Upload an Image File By Using RCP section on page B 29 For locat...

Page 656: ...s associated with the embedded device manager have been installed with the existing image Beginning in privileged EXEC mode follow these steps to upload an image to an RCP server Command Purpose Step 1 Verify that the RCP server is properly configured by referring to the Preparing to Download or Upload an Image File By Using RCP section on page B 29 Step 2 Log into the switch through the console p...

Page 657: ...g with Software Images The archive upload sw privileged EXEC command builds an image file on the server by uploading these files in order info the Cisco IOS image and the web management files After these files are uploaded the upload algorithm creates the tar file format Caution For the download and upload algorithms to operate properly do not rename image names ...

Page 658: ...B 34 Catalyst 2928 Switch Software Configuration Guide OL 23389 01 Appendix B Working with the Cisco IOS File System Configuration Files and Software Images Working with Software Images ...

Page 659: ...tware feature and command mode Access Control Lists Unsupported Privileged EXEC Commands access enable host timeout minutes access template access list number name dynamic name source destination timeout minutes clear access template access list number name dynamic name source destination show access lists rate limit destination show accounting show ip accounting checkpoint output packets access v...

Page 660: ...ands debug platform cli redirection main debug platform configuration IEEE 802 1x Commands Unsupported Privileged EXEC Command show fallback profile Unsupported Global Configuration Command fallback profile profile IGMP Snooping Commands Unsupported Global Configuration Commands ip igmp snooping tcn Interface Commands Unsupported Privileged EXEC Commands show interfaces interface id vlan vlan id c...

Page 661: ...ow mac address table address show mac address table aging time show mac address table count show mac address table dynamic show mac address table interface show mac address table multicast show mac address table notification show mac address table static show mac address table vlan show mac address table multicast Note Use the show ip igmp snooping groups privileged EXEC command to display Layer 2...

Page 662: ...Commands errdisable recovery cause unicast flood l2protocol tunnel global drop threshold service compress config stack mac persistent timer Network Address Translation NAT Commands Unsupported Privileged EXEC Commands show ip nat statistics show ip nat translations QoS Unsupported Global Configuration Command priority list Unsupported Interface Configuration Commands priority group rate limit Unsu...

Page 663: ...on feature default line aaa nas port extended radius server configure radius server extended portnames SNMP Unsupported Global Configuration Commands snmp server enable informs snmp server ifindex persist Spanning Tree Unsupported Global Configuration Command spanning tree pathcost method long short Unsupported Interface Configuration Command spanning tree stack port VLAN Unsupported Global Config...

Page 664: ... 12 2 55 EZ VTP Unsupported vlan config Command private vlan Unsupported User EXEC Commands show running config vlan show vlan ifindex show vlan private vlan VTP Unsupported Privileged EXEC Commands vtp password password pruning version number Note This command has been replaced by the vtp global configuration command ...

Page 665: ... 8 11 8 17 ACEs defined 30 1 IP 30 2 ACLs ACEs 30 1 any keyword 30 9 applying time ranges to 30 14 to an interface 30 16 ACLs continued comments in 30 15 compiling 30 18 defined 30 1 30 5 examples of 30 18 extended IPv4 creating 30 7 matching criteria 30 5 hardware and software handling 30 17 host keyword 30 10 IP creating 30 5 implicit deny 30 7 30 11 30 13 implicit masks 30 7 matching criteria 3...

Page 666: ...17 23 for STP 16 8 16 21 MAC address table 7 20 maximum for MSTP 17 23 17 24 for STP 16 21 16 22 alarms RMON 27 3 allowed VLAN list 13 16 ARP defined 1 4 7 26 table address resolution 7 26 managing 7 26 attributes RADIUS vendor proprietary 8 31 vendor specific 8 29 authentication local mode with AAA 8 32 NTP associations 7 4 RADIUS key 8 21 login 8 23 TACACS defined 8 11 key 8 13 login 8 14 See al...

Page 667: ...ding database bindings DHCP snooping database 19 7 IP source guard 19 14 binding table DHCP snooping See DHCP snooping binding database blocking packets 22 7 booting boot loader function of 3 2 boot process 3 1 manually 3 17 specific image 3 18 boot loader accessing 3 18 described 3 2 environment variables 3 18 prompt 3 18 trap door mechanism 3 2 BPDU error disabled state 18 2 filtering 18 3 RSTP ...

Page 668: ...intelligent power management 12 4 Cisco IOS File System See IFS CiscoWorks 2000 1 3 CIST regional root See MSTP CIST root See MSTP civic location 24 2 class of service See CoS clearing interfaces 12 28 CLI abbreviating commands 2 3 command modes 2 1 configuration logging 2 4 described 1 3 editing features enabling and disabling 2 6 keystroke editing 2 7 wrapped lines 2 8 error messages 2 4 filteri...

Page 669: ...gent 4 8 enabling event agent 4 7 management functions 1 3 command line interface See CLI command modes 2 1 commands abbreviating 2 3 no and default 2 4 commands setting privilege levels 8 8 command switch accessing 5 10 active AC 5 9 configuration conflicts 33 11 defined 5 1 passive PC 5 9 password privilege levels 5 14 priority 5 9 recovery from command switch failure 5 9 33 7 from lost member c...

Page 670: ... saving 3 14 configure terminal command 12 10 configuring small frame arrival rate 22 5 conflicts configuration 33 11 connections secure remote 8 33 connectivity problems 33 13 33 14 33 16 consistency checks in VTP Version 2 14 4 console port connecting to 2 9 corrupted software recovery steps with Xmodem 33 2 CoS ingress queues 31 12 in Layer 2 frames 31 2 CoS input queue threshold map for QoS 31...

Page 671: ...mmand 12 25 designing your network examples 1 11 destination addresses in IPv4 ACLs 30 9 destination IP address based forwarding EtherChannel 32 7 destination MAC address forwarding EtherChannel 32 6 detecting indirect link failures STP 18 5 device B 19 device discovery protocol 23 1 24 1 device manager benefits 1 1 described 1 2 1 3 in band management 1 4 upgrading a switch B 19 DHCP enabling rel...

Page 672: ...d interface 19 3 untrusted messages 19 2 DHCP snooping binding database adding bindings 19 12 binding file format 19 8 location 19 7 bindings 19 7 clearing agent statistics 19 13 configuration guidelines 19 10 configuring 19 12 DHCP snooping binding database continued default configuration 19 8 19 9 deleting binding file 19 13 bindings 19 13 database agent 19 13 described 19 7 displaying 19 13 ena...

Page 673: ...d configuring ACLs for non DHCP environments 20 8 in DHCP environments 20 7 log buffer 20 12 rate limit for incoming ARP packets 20 4 20 10 default configuration 20 5 denial of service attacks preventing 20 10 described 20 1 DHCP snooping binding database 20 2 displaying ARP ACLs 20 14 configuration and operating state 20 14 log buffer 20 15 statistics 20 15 trust state and rate limit 20 14 error ...

Page 674: ...elines 32 9 configuring Layer 2 interfaces 32 10 default configuration 32 9 described 32 2 displaying status 32 16 forwarding methods 32 6 32 12 IEEE 802 3ad described 32 5 EtherChannel continued interaction with STP 32 9 with VLANs 32 10 LACP described 32 5 displaying status 32 16 hot standby ports 32 14 interaction with other features 32 6 modes 32 5 port priority 32 15 system priority 32 15 loa...

Page 675: ...ying the contents of B 6 extracting B 7 image file format B 20 file system displaying available file systems B 2 displaying file information B 3 local file system names B 1 network file system names B 4 setting the default B 3 filtering show and more command output 2 9 filtering show and more command output 2 9 filters IP See ACLs IP flash device number of B 1 flooded traffic blocking 22 8 flowcha...

Page 676: ...ecovery 5 11 cluster standby group considerations 5 10 See also clusters cluster standby group and standby command switch HTTP over SSL see HTTPS HTTPS 8 37 configuring 8 41 self signed certificate 8 38 HTTP secure server 8 37 Hulc Forwarding TCAM Manager See HFTM space Hulc QoS ACL TCAM Manager See HQATM space I ICMP time exceeded messages 33 16 traceroute and 33 16 ICMP ping executing 33 13 over...

Page 677: ...idelines 21 10 described 21 5 enabling 21 9 IGMP profile applying 21 18 configuration mode 21 17 configuring 21 17 IGMP snooping and address aliasing 21 2 configuring 21 6 default configuration 21 6 definition 21 1 enabling and disabling 21 6 global configuration 21 6 Immediate Leave 21 5 method 21 7 monitoring 21 14 querier configuration guidelines 21 13 configuring 21 13 supported versions 21 2 ...

Page 678: ... IP information ip igmp profile command 21 17 IP information assigned manually 3 14 through DHCP based autoconfiguration 3 3 default configuration 3 3 IP phones and QoS 15 1 configuring 15 4 IP Port Security for Static Hosts on a Layer 2 access port 19 18 IP source guard and 802 1x 19 16 and DHCP snooping 19 13 and EtherChannels 19 16 and port security 19 16 and private VLANs 19 16 and routed port...

Page 679: ...n guide lightweight directory access protocol See LDAP line configuration mode 2 2 Link Aggregation Control Protocol See EtherChannel link failure detecting unidirectional 17 7 Link Layer Discovery Protocol See CDP links unidirectional 25 1 LLDP configuring 24 3 characteristics 24 4 default configuration 24 3 enabling 24 4 monitoring and maintaining 24 8 overview 24 1 supported TLVs 24 1 switch st...

Page 680: ...anagement VLAN considerations in switch clusters 5 7 discovery through different management VLANs 5 7 matching IPv4 ACLs 30 5 maximum aging time MSTP 17 23 STP 16 21 maximum hop count MSTP 17 24 membership mode VLAN port 13 3 member switch automatic discovery 5 4 defined 5 1 managing 5 13 passwords 5 12 recovering from lost connectivity 33 11 requirements 5 3 See also candidate switch cluster stan...

Page 681: ...d configuring forward delay time 17 23 hello time 17 22 link type for rapid convergence 17 24 maximum aging time 17 23 maximum hop count 17 24 MST region 17 15 neighbor type 17 25 path cost 17 20 port priority 17 19 root switch 17 17 secondary root switch 17 18 switch priority 17 21 CST defined 17 3 operations between regions 17 3 default configuration 17 14 default optional feature configuration ...

Page 682: ... status displaying 17 26 multicast groups Immediate Leave 21 5 joining 21 3 leaving 21 4 static joins 21 9 multicast router interfaces monitoring 21 15 multicast router ports adding 21 8 multicast storm 22 1 multicast storm control command 22 4 N named IPv4 ACLs 30 12 NameSpace Mapper See NSM native VLAN configuring 13 17 default 13 17 Network Assistant benefits 1 1 described 1 3 network configura...

Page 683: ...hannel passwords default configuration 8 2 disabling recovery of 8 5 encrypting 8 3 for security 1 6 in clusters 5 12 overview 8 1 recovery of 33 3 setting enable 8 3 enable secret 8 3 Telnet 8 6 with usernames 8 6 VTP domain 14 7 path cost MSTP 17 20 STP 16 18 PC passive command switch 5 9 performance network design 1 11 performance features 1 2 persistent self signed certificate 8 38 per VLAN sp...

Page 684: ...n server defined 9 2 RADIUS server 9 2 client defined 9 2 configuration guidelines 9 19 port based authentication continued configuring 802 1x authentication 9 20 guest VLAN 9 28 host mode 9 23 manual re authentication of a client 9 24 periodic re authentication 9 24 quiet period 9 25 RADIUS server 9 23 RADIUS server parameters on the switch 9 22 restricted VLAN 9 29 switch to client frame retrans...

Page 685: ...3 23 support for 1 5 port membership modes VLAN 13 3 port priority MSTP 17 19 STP 16 16 ports access 12 2 blocking 22 7 dynamic access 13 3 protected 22 6 secure 22 8 static access 13 3 13 9 switch 12 2 trunks 13 3 13 12 VLAN assignments 13 9 port security aging 22 17 configuring 22 12 default configuration 22 11 described 22 8 displaying 22 18 on trunk ports 22 14 sticky learning 22 9 violations ...

Page 686: ... queue characteristics 31 14 ingress queue characteristics 31 12 port trust states within the domain 31 9 default standard configuration 31 7 DSCP transparency 31 11 QoS continued egress queues buffer allocation scheme described 31 6 described 31 3 flowchart 31 5 WTD described 31 5 31 6 enabling globally 31 9 flowcharts egress queueing and scheduling 31 5 ingress queueing and scheduling 31 4 ingre...

Page 687: ...ed 16 9 IEEE 802 1Q trunking interoperability 16 10 instances supported 16 9 Rapid Spanning Tree Protocol See RSTP rcommand command 5 13 RCP configuration files downloading B 16 overview B 15 preparing the server B 16 uploading B 17 image files deleting old image B 32 downloading B 30 preparing the server B 29 uploading B 32 reconfirmation interval VMPS changing 13 25 reconfirming dynamic VLAN mem...

Page 688: ...rt for 1 5 root switch MSTP 17 17 STP 16 14 RSPAN default configuration 26 7 destination ports 26 5 displaying status 26 13 interaction with other features 26 6 monitored ports 26 4 RSPAN continued monitoring ports 26 5 overview 26 1 received traffic 26 3 sessions defined 26 2 source ports 26 4 transmitted traffic 26 3 VLAN based 26 4 RSTP active topology 17 9 BPDU format 17 12 processing 17 12 de...

Page 689: ...levels defining in system messages 28 8 SFPs monitoring status of 12 28 33 13 security and identification 33 12 status displaying 33 13 shaped round robin See SRR show access lists hw summary command 30 17 show and more command output filtering 2 9 show cdp traffic command 23 5 show cluster members command 5 13 show configuration command 12 25 show forward command 33 20 show interfaces command 12 ...

Page 690: ...1 software images location in flash B 20 recovery procedures 33 2 scheduling reloads 3 20 tar file format described B 20 See also downloading and uploading source addresses in IPv4 ACLs 30 9 source and destination IP address based forwarding EtherChannel 32 7 source and destination MAC address forwarding EtherChannel 32 6 source IP address based forwarding EtherChannel 32 7 source MAC address forw...

Page 691: ... manually 3 17 specific image 3 18 clearing B 18 configuration file automatically downloading 3 16 specifying the filename 3 16 default boot configuration 3 16 static access ports assigning to VLAN 13 9 defined 12 3 13 3 static addresses See addresses static MAC addressing 1 6 static VLAN membership 13 2 statistics 802 1X 10 17 802 1x 9 32 CDP 23 5 interface 12 28 LLDP 24 8 RMON group Ethernet 27 ...

Page 692: ...802 1D and bridge ID 16 3 IEEE 802 1D and multicast addresses 16 8 IEEE 802 1t and VLAN identifier 16 4 inferior BPDU 16 3 instances supported 16 9 interface state blocking to forwarding 18 2 STP continued interface states blocking 16 5 disabled 16 6 forwarding 16 5 16 6 learning 16 6 listening 16 6 overview 16 4 interoperability and compatibility among modes 16 10 limitations with IEEE 802 1Q tru...

Page 693: ...aylight saving time 7 13 manually 7 11 summer time 7 13 time zones 7 12 displaying the time and date 7 12 overview 7 1 See also NTP system description TLV 24 1 system message logging default configuration 28 3 defining error message severity levels 28 8 disabling 28 3 displaying the configuration 28 13 enabling 28 4 facility keywords described 28 13 level keywords described 28 9 limiting messages ...

Page 694: ...rity 1 3 33 23 portions 33 23 space HFTM 33 23 HQATM 33 23 unassigned 33 23 TDR 1 8 Telnet accessing management interfaces 2 9 number of connections 1 4 setting a password 8 6 templates SDM 6 1 temporary self signed certificate 8 38 Terminal Access Controller Access Control System Plus See TACACS terminal lines setting a password 8 6 ternary content addressable memory See TCAM TFTP configuration f...

Page 695: ... 29 11 notification types 29 12 overview 29 1 29 4 troubleshooting connectivity problems 33 13 33 14 33 16 CPU utilization 33 24 detecting unidirectional links 25 1 displaying crash information 33 22 setting packet forwarding 33 20 SFP security and identification 33 12 troubleshooting continued show forward command 33 20 with CiscoWorks 29 4 with debug commands 33 18 with ping 33 13 with system me...

Page 696: ...mand 22 4 unicast traffic blocking 22 8 UniDirectional Link Detection protocol See UDLD UNIX syslog servers daemon configuration 28 11 facilities supported 28 13 message logging configuration 28 12 unrecognized Type Length Value TLV support 14 4 upgrading software images See downloading UplinkFast described 18 3 disabling 18 13 enabling 18 13 support for 1 5 uploading configuration files preparing...

Page 697: ...strated 13 2 limiting source traffic with SPAN 26 12 modifying 13 7 native configuring 13 17 normal range 13 1 13 4 number supported 1 5 VLANs continued parameters 13 4 port membership modes 13 3 static access ports 13 9 STP and IEEE 802 1Q trunks 16 10 supported 13 2 Token Ring 13 5 traffic between 13 2 VTP modes 14 3 VLAN Trunking Protocol See VTP VLAN trunks 13 12 VMPS administering 13 26 confi...

Page 698: ...ver 14 3 14 8 transitions 14 3 transparent 14 3 14 10 monitoring 14 14 passwords 14 7 VTP continued pruning disabling 14 12 enabling 14 12 examples 14 5 overview 14 4 support for 1 5 pruning eligible list changing 13 17 server mode configuring 14 8 statistics 14 14 support for 1 5 Token Ring support 14 4 transparent mode configuring 14 10 using 14 1 version guidelines 14 8 Version 1 14 4 Version 2...

Page 699: ...1 web based authentication continued displaying statistics 10 17 switch as proxy 10 2 web based authentication interactions with other features 10 7 weighted tail drop See WTD wired location service location TLV 24 2 WTD described 31 4 support for 1 7 X Xmodem protocol 33 2 ...

Page 700: ...Index IN 36 Catalyst 2928 Switch Software Configuration Guide OL 23389 01 ...

Reviews:

No comments

Related manuals for Catalyst 2928

Brand: Black Box Pages: 37

Brand: EMCIS Pages: 14

Brand: Macsense Pages: 13

Brand: ZKTeco Pages: 68

Industrial Network Track OSI

Brand: GarrettCom Pages: 10

Brand: Juniper Pages: 420

Ether-GSH24T v3

Brand: AirLive Pages: 2

Brand: Chase Research Pages: 114

Brand: UNICORECOMM Pages: 19

Brand: Matrix Switch Corporation Pages: 48

Modular Fast Fiber Switch Converter MT-RJ

Brand: Lindy Pages: 3

Altusen SN0100 Series

Brand: ATEN Pages: 178

Brand: bintec elmeg Pages: 32

Brand: Costar Pages: 51

Brand: Infrant Technologies Pages: 8

Brand: Westermo Pages: 20

Brand: Allied Telesis Pages: 3

Brand: D-Link Pages: 159

Brands by name

0 1 2 3 4 5 6 7 8 9 A B C D E F G H I J K L M N O P Q R S T U V W X Y Z

Popular brands

Load more brands