Cisco 2950G 24 - Catalyst Switch Software Configuration Manual


Desktop switch

Catalyst 2950 Desktop Switch Software
Configuration Guide
Cisco IOS Release 12.1(11)EA1 and 12.1(11)YJ
November 2002
Corporate Headquarters
Cisco Systems, Inc.
170 West Tasman Drive
San Jose, CA 95134-1706
USA
http://www.cisco.com
Tel: 408 526-4000
800 553-NETS (6387)
Fax: 408 526-4100
Customer Order Number: DOC-7814982=
Text Part Number: 78-14982-01


Summary of Contents for Cisco 2950G 24 - Catalyst Switch

  • Page 1 Catalyst 2950 Desktop Switch Software Configuration Guide Cisco IOS Release 12.1(11)EA1 and 12.1(11)YJ November 2002 Corporate Headquarters Cisco Systems, Inc. 170 West Tasman Drive San Jose, CA 95134-1706 http://www.cisco.com Tel: 408 526-4000 800 553-NETS (6387) Fax: 408 526-4100 Customer Order Number: DOC-7814982=...
  • Page 2 FastTrack, the iQ Logo, iQ Net Readiness Scorecard, Networking Academy, ScriptShare, SMARTnet, TransPath, and Voice LAN are trademarks of Cisco Systems, Inc.; Changing the Way We Work, Live, Play, and Learn, Discover All That’s Possible, The Fastest Way to Increase Your Internet Quotient, and iQuick Study are service marks of Cisco Systems, Inc.;...
  • Page 3 Documentation Feedback Obtaining Technical Assistance Cisco.com xxxi Technical Assistance Center xxxi Cisco TAC Website xxxi Cisco TAC Escalation Center xxxii Overview C H A P T E R Features Management Options Management Interface Options Advantages of Using CMS and Clustering Switches...
  • Page 4: Table Of Contents

    Contents Using the Command-Line Interface C H A P T E R IOS Command Modes Getting Help Specifying Ports in Interface Configuration Mode Abbreviating Commands Using no and default Forms of Commands Understanding CLI Messages Using Command History Changing the Command History Buffer Size Recalling Commands Disabling the Command History Feature Using Editing Features...
  • Page 5 Contents Topology View Popup Menus 3-22 Link Popup Menu 3-22 Device Popup Menus 3-23 Interaction Modes 3-25 Guide Mode 3-25 Expert Mode 3-25 Wizards 3-26 Tool Tips 3-26 Online Help 3-26 CMS Window Components 3-28 Host Name List 3-28 Tabs, Lists, and Tables 3-29 Filter Editor 3-29...
  • Page 6 Contents Example Configuration Manually Assigning IP Information 4-10 Checking and Saving the Running Configuration 4-10 Configuring IE2100 CNS Agents C H A P T E R Understanding IE2100 Series Configuration Registrar Software CNS Configuration Service CNS Event Service NameSpace Mapper What You Should Know About ConfigID, DeviceID, and Host Name ConfigID DeviceID...
  • Page 7 Contents Virtual IP Addresses 6-13 Other Considerations for Cluster Standby Groups 6-13 Automatic Recovery of Cluster Configuration 6-15 IP Addresses 6-15 Host Names 6-16 Passwords 6-16 SNMP Community Strings 6-16 TACACS+ and RADIUS 6-17 Access Modes in CMS 6-17 Management VLAN 6-18 LRE Profiles 6-18...
  • Page 8 Contents Identifying the TACACS+ Server Host and Setting the Authentication Key 7-13 Configuring TACACS+ Login Authentication 7-14 Configuring TACACS+ Authorization for Privileged EXEC Access and Network Services 7-16 Starting TACACS+ Accounting 7-17 Displaying the TACACS+ Configuration 7-17 Controlling Switch Access with RADIUS 7-18 Understanding RADIUS 7-18...
  • Page 9 Contents Configuring a System Name and Prompt 7-48 Default System Name and Prompt Configuration 7-48 Configuring a System Name 7-48 Configuring a System Prompt 7-49 Understanding DNS 7-49 Default DNS Configuration 7-50 Setting Up DNS 7-50 Displaying the DNS Configuration 7-51 Creating a Banner 7-51...
  • Page 10 Contents Changing the Switch-to-Client Retransmission Time 8-12 Setting the Switch-to-Client Frame-Retransmission Number 8-13 Enabling Multiple Hosts 8-13 Resetting the 802.1X Configuration to the Default Values 8-14 Displaying 802.1X Statistics and Status 8-14 Configuring the Switch Interfaces C H A P T E R Understanding Interface Types Access Ports Trunk Ports...
  • Page 11 Contents Guidelines for Using LRE Profiles 10-7 CPE Ethernet Link Guidelines 10-7 Considerations for Connected Cisco 575 LRE CPEs 10-7 Considerations for Connected Cisco 585 LRE CPEs 10-8 Assigning a Global Profile to All LRE Ports 10-8 Assigning a Profile to a Specific LRE Port...
  • Page 12 Contents Spanning Tree and Redundant Connectivity 11-8 Accelerated Aging to Retain Connectivity 11-9 Configuring Spanning-Tree Features 11-9 Default STP Configuration 11-10 STP Configuration Guidelines 11-10 Disabling STP 11-12 Configuring the Root Switch 11-12 Configuring a Secondary Root Switch 11-14 Configuring the Port Priority 11-15 Configuring the Path Cost 11-16...
  • Page 13 Contents Configuring a Secondary Root Switch 12-16 Configuring the Port Priority 12-17 Configuring the Path Cost 12-18 Configuring the Switch Priority 12-19 Configuring the Hello Time 12-19 Configuring the Forwarding-Delay Time 12-20 Configuring the Maximum-Aging Time 12-21 Configuring the Maximum-Hop Count 12-21 Specifying the Link Type to Ensure Rapid Transitions 12-22...
  • Page 14 Contents Configuring VLANs 14-1 C H A P T E R Understanding VLANs 14-1 Supported VLANs 14-2 VLAN Port Membership Modes 14-3 Configuring Normal-Range VLANs 14-4 Token Ring VLANs 14-5 Normal-Range VLAN Configuration Guidelines 14-5 VLAN Configuration Mode Options 14-6 VLAN Configuration in config-vlan Mode 14-6 VLAN Configuration in VLAN Configuration Mode...
  • Page 15 Contents Configuring the VMPS Client 14-28 Entering the IP Address of the VMPS 14-28 Configuring Dynamic Access Ports on VMPS Clients 14-29 Reconfirming VLAN Memberships 14-30 Changing the Reconfirmation Interval 14-30 Changing the Retry Count 14-30 Monitoring the VMPS 14-31 Troubleshooting Dynamic Port VLAN Membership 14-31 VMPS Configuration Example...
  • Page 16 Default Voice VLAN Configuration 16-2 Voice VLAN Configuration Guidelines 16-3 Configuring a Port to Connect to a Cisco 7960 IP Phone 16-3 Configuring Ports to Carry Voice Traffic in 802.1Q Frames 16-4 Configuring Ports to Carry Voice Traffic in 802.1P Priority Tagged Frames...
  • Page 17 Contents Configuring Port-Based Traffic Control 18-1 C H A P T E R Configuring Storm Control 18-1 Understanding Storm Control 18-1 Default Storm Control Configuration 18-2 Enabling Storm Control 18-2 Disabling Storm Control 18-3 Configuring Protected Ports 18-3 Configuring Port Security 18-4 Understanding Port Security 18-5...
  • Page 18 Contents SPAN Session 21-3 Traffic Types 21-3 Source Port 21-4 Destination Port 21-5 Reflector Port 21-5 VLAN-Based SPAN 21-6 SPAN Traffic 21-6 SPAN and RSPAN Interaction with Other Features 21-7 SPAN and RSPAN Session Limits 21-8 Default SPAN and RSPAN Configuration 21-8 Configuring SPAN 21-8...
  • Page 19 Contents Setting the Message Display Destination Device 23-4 Synchronizing Log Messages 23-6 Enabling and Disabling Timestamps on Log Messages 23-7 Enabling and Disabling Sequence Numbers in Log Messages 23-8 Defining the Message Severity Level 23-8 Limiting Syslog Messages Sent to the History Table and to SNMP 23-10 Configuring UNIX Syslog Servers 23-10...
  • Page 20 Contents ACL Numbers 25-8 Creating a Numbered Standard ACL 25-9 Creating a Numbered Extended ACL 25-10 Creating Named Standard and Extended ACLs 25-13 Applying Time Ranges to ACLs 25-15 Including Comments About Entries in ACLs 25-17 Creating Named MAC Extended ACLs 25-18 Creating MAC Access Groups 25-19...
  • Page 21 Contents Configuring Trusted Boundary 26-13 Enabling Pass-Through Mode 26-15 Configuring a QoS Policy 26-16 Classifying Traffic by Using ACLs 26-16 Classifying Traffic by Using Class Maps 26-20 Classifying, Policing, and Marking Traffic by Using Policy Maps 26-21 Configuring CoS Maps 26-24 Configuring the CoS-to-DSCP Map 26-25...
  • Page 22 Contents Replacing a Failed Command Switch with a Cluster Member 28-9 Replacing a Failed Command Switch with Another Switch 28-10 Recovering from Lost Member Connectivity 28-11 Preventing Autonegotiation Mismatches 28-12 Troubleshooting LRE Port Configuration 28-12 GBIC and SFP Module Security and Identification 28-13 Using Debug Commands 28-14...
  • Page 23 Working with Software Images B-20 Image Location on the Switch B-20 tar File Format of Images on a Server or Cisco.com B-21 Copying Image Files By Using TFTP B-22 Preparing to Download or Upload an Image File By Using TFTP...
  • Page 25 Preface Audience The Catalyst 2950 Desktop Switch Software Configuration Guide is for the network manager responsible for configuring the Catalyst 2950 switches, hereafter referred to as the switches. Before using this guide, you should be familiar with the concepts and terminology of Ethernet and local area networking.
  • Page 26: Chapter 2 Using The Command-Line Interface

    Catalyst 2950 Desktop Switch Hardware Installation Guide. Note: This guide does not repeat the concepts and CLI procedures provided in the standard Cisco IOS Release 12.1 documentation. For information about the standard IOS Release 12.1 commands, refer to the IOS documentation set available from the Cisco.com home page at Service and Support >...
  • Page 27 MAC addresses; and how to set the aging time for all secure addresses. Chapter 20, “Configuring CDP,” describes how to configure Cisco Discovery Protocol (CDP) on your switch. Chapter 21, “Configuring SPAN and RSPAN,”...
  • Page 28 Preface Conventions Chapter 25, “Configuring Network Security with ACLs,” describes how to configure network security by using access control lists (ACLs). Chapter 26, “Configuring QoS,” describes how to configure quality of service (QoS) on your switch. With this feature, you can provide preferential treatment to certain types of traffic. Chapter 27, “Configuring EtherChannels,”...
  • Page 29: Related Publications

    These documents provide complete information about the switch and are available from this Cisco.com site: http://www.cisco.com/univercd/cc/td/doc/product/lan/cat2950/index.htm You can order printed copies of documents with a DOC-xxxxxx= number from the Cisco.com sites and from the telephone numbers listed in the “Obtaining Documentation” section on page xxix.
  • Page 30: Ordering Documentation

    North America, by calling 800 553-NETS (6387). Documentation Feedback If you are reading Cisco product documentation on the World Wide Web, you can send us your comments by completing the online survey. When you display the document listing for this platform, click Give Us Your Feedback.
  • Page 31 Cisco TAC Website You can use the Cisco TAC Web Site to resolve P3 and P4 issues yourself, saving both cost and time. The site provides around-the-clock access to online tools, knowledge bases, and software. To access the Cisco TAC Web Site, go to this URL: http://www.cisco.com/tac...
  • Page 32 Obtaining Technical Assistance If you are a Cisco.com registered user, and you cannot resolve your technical issues by using the Cisco TAC Web Site, you can open a case online by using the TAC Case Open tool at this URL: http://www.cisco.com/tac/caseopen...
  • Page 33 C H A P T E R Overview This chapter provides these topics about the Catalyst 2950 switch software: Features, page 1-1; Management Options, page 1-7; Network Configuration Examples, page 1-8; Where to Go Next, page 1-21...
  • Page 34 Long-Reach Ethernet rather than Fast Ethernet and Gigabit for the Gigabit ports. For information about the Cisco LRE CPE devices, refer to the Cisco LRE CPE Hardware Installation Guide. For information about the nonhomologated Cisco LRE POTS splitter, refer to the Installation Notes for the Cisco LRE 48 POTS Splitter.
  • Page 35 • Support for frames larger than 1500 bytes. The Catalyst 2950G-12-EI, 2950G-24-EI, 2950G-24-EI-DC, and 2950G-48-EI switches running Cisco IOS Release 12.1(6)EA2 or later support frame sizes from 1500 to 1530 bytes. • Per-port broadcast storm control for preventing faulty end stations from degrading overall system...
  • Page 36 • Address Resolution Protocol (ARP) for identifying a switch through its IP address and its corresponding MAC address • Cisco Discovery Protocol (CDP) versions 1 and 2 for network topology discovery and mapping between the switch and other Cisco devices on the network...
  • Page 37 • Dynamic Trunking Protocol (DTP) for negotiating trunking on a link between two devices and for negotiating the type of trunking encapsulation (802.1Q) to be used • Voice VLAN for creating subnets for voice traffic from Cisco IP Phones. Security: • Bridge protocol data unit (BPDU) guard for shutting down a Port Fast-configured port when an...
  • Page 38 – Support for IEEE 802.1P CoS scheduling for classification and preferential treatment of high-priority voice traffic – Trusted boundary (detect the presence of a Cisco IP phone, trust the CoS value received, and ensure port security. If the IP phone is not detected, disable the trusted setting on the port and prevent misuse of a high-priority queue.)
  • Page 39: Management Options

    Using CMS and switch clusters can simplify and minimize your configuration and monitoring tasks. You can use Cisco switch clustering technology to manage up to 16 interconnected and supported Catalyst switches through one IP address as if they were a single entity. This can conserve IP addresses if you have a limited number of them.
  • Page 40: Network Configuration Examples

    Manage and monitor interconnected Catalyst switches (refer to the release notes for a list of supported switches), regardless of their geographic proximity and interconnection media, including Ethernet, Fast Ethernet, Fast EtherChannel, Cisco GigaStack Gigabit Interface Converter (GBIC), Gigabit Ethernet, and Gigabit EtherChannel connections.
  • Page 41 Chapter 1 Overview Network Configuration Examples Table 1-2 Increasing Network Performance. Network Demands: Too many users on a single network segment and a growing number of users accessing the Internet. Suggested Design Methods: • Create smaller network segments so that fewer users share the bandwidth, and use VLANs and IP subnets to place the network resources in the same logical network as the users who access those...
  • Page 42 The GigaStack GBIC supports one full-duplex link (in a point-to-point configuration) or up to nine half-duplex links (in a stack configuration) to other Gigabit Ethernet devices. Using the required Cisco proprietary signaling and cabling, the GigaStack GBIC-to-GigaStack GBIC connection cannot exceed 3 feet (1 meter).
  • Page 43 Chapter 1 Overview Network Configuration Examples Figure 1-1 Example Configurations (figure labels only: Catalyst 2950 switch; Cost-Effective Wiring Closet: Catalyst 2900, Catalyst 2950, Catalyst 3500, and Catalyst 3550 GigaStack cluster, Catalyst 3550-12T or Catalyst 3550-12G switch, Gigabit server; High-Performance Workgroup: Catalyst 2900, Catalyst 2950, Catalyst 3500, and Catalyst 3550 cluster, Catalyst 3550-12T or...)
  • Page 44 Fast Ethernet or Fast EtherChannel switch port. Connecting a router to a Fast Ethernet switch port provides multiple, simultaneous access to the Internet through one line. Figure 1-2 Small to Medium-Sized Network Configuration Cisco 2600 router 100 Mbps (200 Mbps full duplex) Gigabit server...
  • Page 45: Collapsed Backbone And Switch Cluster Configuration

    Each 10/100 inline-power port on the Catalyst 3524-PWR XL switches provides –48 VDC power to the Cisco IP Phone. The IP phone can receive redundant power when it also is connected to an AC power source. IP phones not connected to the Catalyst 3524-PWR XL switches receive power from an AC power source.
  • Page 46: Large Campus Configuration

    • CallManager controls call processing, routing, and IP phone features and configuration. • Cisco Access gateway (such as Cisco Access Digital Trunk Gateway or Cisco Access Analog Trunk Gateway) that connects the IP network to the Public Switched Telephone Network (PSTN) or to users in an IP telephony network.
  • Page 47 (figure labels only: Catalyst 6500 switch; 1 Gbps (2 Gbps full duplex) links; Catalyst 2950, 2900, 3500, and 3550 GigaStack cluster; Catalyst 3524-PWR GigaStack cluster; Cisco IP Phones; Workstations running Cisco SoftPhone software)
  • Page 48: Hotel Network Configuration

    Catalyst 2950 LRE switches in a hotel network environment with approximately 200 rooms. This network includes a PBX switchboard, a router, and high-speed servers. Connected to the telephone line in each hotel room is an LRE CPE device, such as a Cisco LRE CPE device. The LRE CPE device provides: • Two RJ-11 ports, one for connecting to the telephone jack on the wall and one for connecting to a...
  • Page 49 (figure labels only: Cisco 585 LRE CPE; microfilter; Floor 3; Patch panel; Cisco Catalyst 2950 LRE switches; LRE 48 POTS splitters; Servers; PSTN; Cisco 2600 router; Catalyst 2900 XL or Catalyst 3500 XL switch)
  • Page 50: Multidwelling Network Using Catalyst 2950 Switches

    Chapter 1 Overview Network Configuration Examples Multidwelling Network Using Catalyst 2950 Switches A growing segment of residential and commercial customers is requiring high-speed access to Ethernet metropolitan-area networks (MANs). Figure 1-6 shows a configuration for a Gigabit Ethernet MAN ring using Catalyst 3550 multilayer switches as aggregation switches in the mini-point-of-presence (POP) location.
  • Page 51 Chapter 1 Overview Network Configuration Examples Figure 1-6 Catalyst 2950 Switches in a MAN Configuration (figure labels only: Service Provider; Cisco 12000 Gigabit switch routers; Catalyst 6500 switches; Mini-POP; Catalyst 3550 multilayer switches; Gigabit MAN; Catalyst switches; Residential location; Set-top box; Residential gateway (hub))
  • Page 52 A common wavelength for long-distance transmissions is 1550 nm. Up to eight CWDM GBIC modules, with any combination of wavelengths, can connect to a Cisco CWDM Passive Optical System. It combines (or multiplexes) the different CWDM wavelengths, allowing them to travel simultaneously on the same fiber-optic cable.
  • Page 53: Where To Go Next

    Chapter 1 Overview Where to Go Next Before configuring the switch, review these sections for start up information: Chapter 2, “Using the Command-Line Interface”; Chapter 3, “Getting Started with CMS”; Chapter 4, “Assigning the Switch IP Address and Default Gateway”...
  • Page 55: Ios Command Modes

    IOS Command Modes The Cisco IOS user interface is divided into many different modes. The commands available to you depend on which mode you are currently in. Enter a question mark (?) at the system prompt to obtain a list of commands available for each command mode.
  • Page 56 Chapter 2 Using the Command-Line Interface IOS Command Modes Table 2-1 describes the main command modes, how to access each one, the prompt you see in that mode, and how to exit the mode. The examples in the table use the host name Switch. Table 2-1 Command Mode Summary Mode...
  • Page 57: Getting Help

    Chapter 2 Using the Command-Line Interface Getting Help Table 2-1 Command Mode Summary (continued). Mode: VLAN configuration. Access Method: While in privileged EXEC mode, enter the vlan database... Prompt: Switch(vlan)#. Exit Method: To exit to privileged EXEC mode, enter... About This Mode: Use this mode to configure VLAN parameters for the...
  • Page 58: Specifying Ports In Interface Configuration Mode

    Chapter 2 Using the Command-Line Interface Specifying Ports in Interface Configuration Mode Table 2-2 Help Summary (continued). Command: command ? Purpose: List the associated keywords for a command. For example: Switch> show ? Command: command keyword ? Purpose: List the associated arguments for a keyword. For example: Switch(config)# cdp holdtime ? <10-255>...
  • Page 59: Abbreviating Commands

    Chapter 2 Using the Command-Line Interface Abbreviating Commands • Port number—The number of the physical port on the switch. Refer to your switch for the port numbers. Abbreviating Commands You have to enter only enough characters for the switch to recognize the command as unique. This example shows how to enter the show configuration privileged EXEC command: Switch# show conf Using no and default Forms of Commands...
  • Page 60: Using Command History

    Chapter 2 Using the Command-Line Interface Using Command History Using Command History The IOS provides a history or record of commands that you have entered. This feature is particularly useful for recalling long or complex commands or entries, including access lists. You can customize the command history feature to suit your needs as described in these sections:...
  • Page 61: Disabling The Command History Feature

    Chapter 2 Using the Command-Line Interface Using Editing Features Disabling the Command History Feature The command history feature is automatically enabled. To disable the feature during the current terminal session, enter the terminal no history privileged EXEC command. To disable command history for the line, enter the no history line configuration command. Using Editing Features This section describes the editing features that can help you manipulate the command line.
  • Page 62: Editing Commands Through Keystrokes

    Chapter 2 Using the Command-Line Interface Using Editing Features Editing Commands through Keystrokes Table 2-5 shows the keystrokes that you need to edit command lines. Table 2-5 Editing Commands through Keystrokes. Capability: Move around the command line to... Keystroke: Press Ctrl-B, or press the... Purpose: Move the cursor back one character.
  • Page 63: Editing Command Lines That Wrap

    Chapter 2 Using the Command-Line Interface Using Editing Features Table 2-5 Editing Commands through Keystrokes (continued). Capability: Scroll down a line or screen on displays that are longer than the terminal screen can display. Keystroke: Press the Return key. Purpose: Scroll down one line.
  • Page 64: Searching And Filtering Output Of Show And More Commands

    Chapter 2 Using the Command-Line Interface Searching and Filtering Output of show and more Commands Use line wrapping with the command history feature to recall and modify previous complex command entries. For information about recalling previous command entries, see the “Editing Commands through Keystrokes”...
  • Page 65: Accessing The Cli From A Browser

    Access page. You can access the CLI by clicking Web Console - HTML access to the command line interface from a cached copy of the Cisco Systems Access page. To prevent unauthorized access to CMS and the CLI, exit your browser to end the browser session.
  • Page 67 C H A P T E R Getting Started with CMS This chapter provides these topics about the Cluster Management Suite (CMS) software: Features, page 3-2; Front Panel View, page 3-4; Topology View, page 3-10; Menus and Toolbar, page 3-15...
  • Page 68: Chapter 3 Getting Started With Cm

    Chapter 3 Getting Started with CMS Features Features CMS provides these features (see Figure 3-1) for managing switch clusters and individual switches from Web browsers such as Netscape Communicator or Microsoft Internet Explorer: • Two views of your network that can be displayed at the same time:...
  • Page 69 Chapter 3 Getting Started with CMS Features • Two levels of access to the configuration options: read-write access for users allowed to change switch settings; read-only access for users allowed to only view switch settings. • Consistent set of GUI components (such as tabs, buttons, drop-down lists, tables, and so on) for a uniform approach to viewing and setting configuration parameters (see Figure 3-1).
  • Page 70: Front Panel View

    Chapter 3 Getting Started with CMS Front Panel View Front Panel View When CMS is launched from a command switch, the Front Panel view displays the front-panel images of all the switches in the cluster (see Figure 3-2 for a 2950 LRE switch and Figure 3-3 for a 2950 non-LRE switch).
  • Page 71 Chapter 3 Getting Started with CMS Front Panel View Figure 3-3 Front Panel View from a 2950 Command Switch (figure callouts only: cluster1, 10.1.1.2; Cluster tree; Right-click a member switch image to display the device pop-up menu, and select an option to view or change...; Right-click the command switch image to display the cluster pop-up menu)
  • Page 72: Cluster Tree

    Chapter 3 Getting Started with CMS Front Panel View Figure 3-5 Front Panel View from a 2950 non-LRE Standalone Switch (figure callouts only: 2950-24; Left-click the Mode button to change the meaning of the...; Mode LEDs display the current port mode; Right-click a port to display the port pop-up...; Press Ctrl, and then left-click ports to select...)
  • Page 73: Front-Panel Images

    Chapter 3 Getting Started with CMS Front Panel View Front-Panel Images You can manage the switch from a remote station by using the front-panel images. The front-panel images are updated based on the network polling interval that you set from CMS > Preferences. This section includes descriptions of the LED images.
  • Page 74: Redundant Power System Led

    • Cisco RPS 300 (model PWR300-AC-RPS-N1)—Catalyst 2900 LRE XL, Catalyst 2950, Catalyst 3524-PWR XL, and Catalyst 3550 switches • Cisco RPS 600 (model PWR600-AC-RPS)—Catalyst 2900 XL and Catalyst 3500 XL switches, except the Catalyst 2900 LRE XL and Catalyst 3524-PWR XL switches. Refer to the appropriate switch hardware documentation for RPS descriptions specific for the switch.
  • Page 75: Vlan Membership Modes

    Chapter 3 Getting Started with CMS Front Panel View To select or change a mode, click the Mode button until the desired mode LED is green. Table 3-4 Port Modes Mode LED Description STAT Link status of the ports or the Ethernet link status on the remote customer premises equipment (CPE) device.
  • Page 76: Topology View

    Chapter 3 Getting Started with CMS Topology View Table 3-6 VLAN Membership Modes (Mode: Color). Static access: Light green. Dynamic access: Pink. 802.1Q trunk: Peach. Negotiate trunk: White. Topology View The Topology view displays how the devices within a switch cluster are connected and how the switch cluster is connected to other clusters and devices.
  • Page 77 Chapter 3 Getting Started with CMS Topology View Figure 3-8 Expand Cluster View (figure callouts only: Cluster members of cluster1 and other devices connected to cluster1; Right-click a device icon to display a device popup menu; Right-click a link icon to display a link popup menu). Figure 3-9 Collapse Cluster View (figure callouts only: Neighboring cluster...)
  • Page 78: Topology Icons

    • Customer premises equipment (CPE) devices that are connected to Long-Reach Ethernet (LRE) switches • Devices that are not eligible to join the cluster, such as Cisco IP phones, Cisco access points, and Cisco Discovery Protocol (CDP)-capable hubs and routers...
  • Page 79: Device And Link Labels

    Chapter 3 Getting Started with CMS Topology View Figure 3-11 Topology-View Link Icons Device and Link Labels The Topology view displays device and link information by using these labels: • Cluster and switch names • Switch MAC and IP addresses...
  • Page 80: Colors In The Topology View

    Chapter 3 Getting Started with CMS Topology View Colors in the Topology View The colors of the Topology view icons show the status of the devices and links (see Table 3-7, Table 3-8, Table 3-9). Table 3-7 Device Icon Colors Icon Color Color Meaning Green The device is operating.
  • Page 81: Topology Display Options

    Chapter 3 Getting Started with CMS Menus and Toolbar Topology Display Options You can set the type of information displayed in the Topology view by changing the settings in the Topology Options window. To display this window, select View > Topology Options. From this window, you can select: • Device icons (including IP Phones, CPE devices, Neighbors, Access Points, and Candidates) that...
  • Page 82 Chapter 3 Getting Started with CMS Menus and Toolbar Note: • We strongly recommend that the highest-end, command-capable switch in the cluster be the command switch: – If your switch cluster has a Catalyst 3550 switch, that switch should be the command switch. –...
  • Page 83 Chapter 3 Getting Started with CMS Menus and Toolbar Table 3-11 Menu Bar Menu-Bar Options Task Page Setup Set default document printer properties to be used when printing from CMS. Print Preview View the way the CMS window or help file will appear when printed. Print Print a CMS window or help file.
  • Page 84 Chapter 3 Getting Started with CMS Menus and Toolbar Table 3-11 Menu Bar (continued) Menu-Bar Options Task Display and configure STP parameters for a switch. IGMP Snooping Enable and disable Internet Group Management Protocol (IGMP) snooping and IGMP Immediate-Leave processing on the switch. Join or leave multicast groups, and configure multicast routers.
  • Page 85 Chapter 3 Getting Started with CMS Menus and Toolbar Table 3-11 Menu Bar (continued) Menu-Bar Options Task Voice VLAN Configure a port to use a voice VLAN for voice traffic, separating it from the VLANs for data traffic. Reports Inventory Display the device type, software version, IP address, and other information about a switch.
  • Page 86: Toolbar

    Chapter 3 Getting Started with CMS Menus and Toolbar Table 3-11 Menu Bar (continued) Menu-Bar Options Task Help For Active Window Display the help for the active open window. This is the same as clicking Help from the active window. Contents List all of the available online help topics.
  • Page 87: Front Panel View Popup Menus

    Chapter 3 Getting Started with CMS Menus and Toolbar 1. Not available in read-only mode. For more information about the read-only and read-write access modes, see the “Access Modes in CMS” section on page 3-31. Some options from this menu option are not available in read-only mode. 3.
  • Page 88: Topology View Popup Menus

    Chapter 3 Getting Started with CMS Menus and Toolbar Table 3-14 Port Popup Menu (continued) Popup Menu Option Task Link Graphs Display a graph showing the bandwidth used by the selected link. Select All Ports Select all ports on the switch for global configuration. 1.
  • Page 89: Device Popup Menus

    Chapter 3 Getting Started with CMS Menus and Toolbar Figure 3-12 Multilink Decomposer Window Device Popup Menus Specific devices in the Topology view display a specific popup menu: • Cluster (see Table 3-16) • Command switch (see Table 3-17) • Member or standby command switch (see Table 3-18)
  • Page 90 Chapter 3 Getting Started with CMS Menus and Toolbar Table 3-17 Device Popup Menu of a Command-Switch Icon Popup Menu Option Task Collapse cluster View the neighborhood outside a specific cluster. Host Name Change the host name of a switch. Bandwidth Graphs Display graphs that plot the total bandwidth in use by the switch.
  • Page 91: Interaction Modes

    Device Manager Access the web management interface of the device. Note: This option is available on Cisco access points, but not on Cisco IP phones, hubs, routers and on unknown devices such as some Cisco devices and third-party devices. Disqualification Code Display the reason why the device could not join the cluster.
  • Page 92: Wizards

    • You can send us feedback about the information provided in the online help. Click Feedback to display an online form. After completing the form, click Submit to send your comments to Cisco. We appreciate and value your comments. Catalyst 2950 Desktop Switch Software Configuration Guide...
  • Page 93 Online Help. Figure 3-13 Help Contents and Index (figure callouts: Glossary of terms used in the online help. Enter the first letters of the topic. Click Back and Forward to redisplay previously displayed pages. Legend of icons and color codes.)
  • Page 94: CMS Window Components

    CMS Window Components: CMS windows consistently present configuration information. Figure 3-15 shows the components of a typical CMS window. Figure 3-15 CMS Window Components: OK saves your changes and closes the window. Apply saves your changes and leaves the window open.
  • Page 95: Tabs, Lists, and Tables

    Filter Editor, refer to the online help. Icons Used in Windows: Some windows have icons for sorting information in tables, for showing which cells in a table are editable, and for displaying further information from Cisco.com (see Figure 3-16). Figure 3-16 Window Icons...
  • Page 96: Buttons

    You can access the CLI by clicking Monitor the router - HTML access to the command line interface from a cached copy of the Cisco Systems Access page. To prevent unauthorized access to CMS and the CLI, exit your browser to end the browser session.
  • Page 97: Access Modes in CMS

    Accessing CMS: To access CMS, follow these steps: Step 1 Enter the switch IP address and your privilege level in the browser Location field (Netscape Communicator) or Address field (Microsoft Internet Explorer). For example: http://10.1.126.45:184/level/14/ where 10.1.126.45 is the switch IP address,...
  • Page 98: HTTP Access to CMS

    Verifying Your Changes: • These switches do not support read-only mode on CMS: – Catalyst 1900 and Catalyst 2820 – Catalyst 2900 XL switches with 4-MB CPU DRAM. In read-only mode, these switches appear as unavailable devices and cannot be configured from CMS.
  • Page 99: Saving Your Configuration

    Saving Your Configuration: The Save Configuration option is not available if your switch access level is read-only. Note: For more information about the read-only access mode, see the “Access Modes in CMS” section on page 3-31.
  • Page 100: Using Different Versions of CMS

    Refer to the documentation specific to the switch and its IOS release for descriptions of the CMS version you are using. Where to Go Next: Before configuring the switch, refer to these places for start-up information: • Switch release notes on Cisco.com: – CMS software requirements...
  • Page 101: Chapter 4 Assigning the Switch IP Address and Default Gateway

    Chapter 4 Assigning the Switch IP Address and Default Gateway: This chapter describes how to create the initial switch configuration (for example, assign the switch IP address and default gateway information) by using a variety of automatic and manual methods. Note: For complete syntax and usage information for the commands used in this chapter, refer to the command reference for this release.
  • Page 102: Assigning Switch Information

    For more information about the setup program, refer to the release notes on Cisco.com. Use a DHCP server for centralized control and automatic assignment of IP information once the server is configured.
  • Page 103: Default Switch Information

    Default Switch Information: Table 4-1 shows the default switch information. Table 4-1 Default Switch Information. Feature / Default Setting: IP address and subnet mask: No IP address or subnet mask is defined. Default gateway: No default gateway is defined.
  • Page 104: DHCP Client Request Process

    DHCP Client Request Process: When you boot your switch, the switch automatically requests configuration information from a DHCP server only if a configuration file is not present on the switch. DHCP autoconfiguration does not occur under these conditions: • When a configuration file is present and the service config global configuration command is...
  • Page 105: Configuring the DHCP Server

    “Configuring the Relay Device” section on page 4-6. If your DHCP server is a Cisco device, refer to the “IP Addressing and Services” section in the Cisco IOS IP and IP Routing Configuration Guide for Release 12.1. Configuring the TFTP Server: Based on the DHCP server configuration, the switch attempts to download one or more configuration files from the TFTP server.
  • Page 106: Configuring the DNS

    TFTP packets. You must configure this relay device to forward received broadcast packets on an interface to the destination host. If the relay device is a Cisco router, enable IP routing (ip routing global configuration command), and configure helper addresses by using the ip helper-address interface configuration command.
  • Page 107: Obtaining Configuration Files

    Figure 4-2 Relay Device Used in Autoconfiguration (figure labels: Switch (DHCP client), Cisco router (relay), DHCP server, TFTP server, DNS server; addresses 10.0.0.2, 10.0.0.1, 20.0.0.1, 20.0.0.2, 20.0.0.3, 20.0.0.4). Obtaining Configuration Files...
  • Page 108: Example Configuration

    Figure 4-3 DHCP-Based Autoconfiguration Network Example (figure labels: Switch 1 00e0.9f1e.2001, Switch 2 00e0.9f1e.2002, Switch 3 00e0.9f1e.2003, Switch 4 00e0.9f1e.2004; Cisco router 10.0.0.10; DHCP server 10.0.0.1; DNS server 10.0.0.2; TFTP server (maritsu) 10.0.0.3). Table 4-2 shows the configuration of the reserved leases on the DHCP server.
  • Page 109 DNS Server Configuration: The DNS server maps the TFTP server name maritsu to IP address 10.0.0.3. TFTP Server Configuration (on UNIX): The TFTP server base directory is set to /tftpserver/work/. This directory contains the network-confg file used in the two-file read method.
  • Page 110: Manually Assigning IP Information

    Checking and Saving the Running Configuration. Manually Assigning IP Information: Beginning in privileged EXEC mode, follow these steps to manually assign IP information to multiple switched virtual interfaces (SVIs) or ports: Command / Purpose: Step 1...
  • Page 111 Running configuration example (Checking and Saving the Running Configuration):
    hostname Switch
    enable secret 5 $1$ej9.$DMUvAUnZOAmvmgqBEzIxE0
    ip subnet-zero
    vlan 3020
    cluster enable Test 0
    cluster member 1 mac-address 0030.9439.0900
    cluster member 2 mac-address 0001.425b.4d80
    spanning-tree extend system-id
    interface Port-channel1
    no ip address...
  • Page 112 Running configuration example (continued):
    no ip address
    shutdown
    interface Vlan1
    ip address 172.20.139.133 255.255.255.224
    no ip route-cache
    ip default-gateway 172.20.139.129
    ip http server
    ip access-list extended CMP-NAT-ACL
    snmp-server engineID local 8000000903000005742809C1
    snmp-server community public RO
    snmp-server community public@es0 RO
    snmp-server enable traps MAC-Notification...
  • Page 113: Chapter 5 Configuring IE2100 CNS Agents

    Services (CNS) embedded agents on your switch. To use the feature described in this chapter, you must have the enhanced software image (EI) installed on your switch. Note: For complete syntax and usage information for the commands used in this section, refer to the Cisco Intelligence Engine 2100 Series Configuration Registrar Manual, and select Cisco IOS Software Release 12.2 >...
  • Page 114: Chapter 5 Configuring IE2100 CNS Agents

    Understanding IE2100 Series Configuration Registrar Software. Figure 5-1 Configuration Registrar Architectural Overview (figure labels: Service provider network, Data service directory, Configuration registrar, Configuration server, Event service, Web-based user interface, Order entry configuration management). These sections contain this conceptual information: •...
  • Page 115: CNS Event Service

    ID or group ID, and event. Cisco IOS devices recognize only event subject-names that match those configured in Cisco IOS software; for example, cisco.cns.config.load. You can use the namespace mapping service to designate events by using any desired naming convention.
  • Page 116: DeviceID

    Configuration Registrar. The origin of the deviceID is defined by the Cisco IOS host name of the switch. However, the deviceID variable and its usage reside within the event gateway, which is adjacent to the switch.
  • Page 117: Understanding CNS Embedded Agents

    Understanding CNS Embedded Agents: The CNS event agent feature allows the switch to publish and subscribe to events on the event bus and works with the CNS configuration agent. The CNS configuration agent feature supports the switch by providing: •...
  • Page 118: Incremental (Partial) Configuration

    Configuring CNS Embedded Agents. Incremental (Partial) Configuration: After the network is running, new services can be added by using the CNS configuration agent. Incremental (partial) configurations can be sent to the switch. The actual configuration can be sent as an event payload by way of the event gateway (push operation) or as a signal event that triggers the switch to initiate a pull operation.
  • Page 119 Note: For more information about running the setup program and creating templates on the Configuration Registrar, refer to the Cisco Intelligence Engine 2100 Series Configuration Registrar Manual.
  • Page 120: Enabling the CNS Event Agent

    Enabling the CNS Event Agent. Note: You must enable the CNS event agent on the switch before you enable the CNS configuration agent. Beginning in privileged EXEC mode, follow these steps to enable the CNS event agent on the switch: Command / Purpose: Step 1...
  • Page 121: Enabling the CNS Configuration Agent

    To disable the CNS event agent, use the no cns event {ip-address | hostname} global configuration command. This example shows how to enable the CNS event agent, set the IP address gateway to 10.180.1.27, set 120 seconds as the keepalive interval, and set 10 as the retry count.
  • Page 122 Command / Purpose: Step 3 config-cli | line-cli: Enter config-cli to connect to the Configuration Registrar through the interface defined in cns config connect-intf. Enter line-cli to connect to the Registrar through modem dialup lines. Note: The config-cli interface configuration command accepts the special directive...
  • Page 123 Command / Purpose: Step 8 cns config initial {ip-address | hostname} [port-number] [event] [no-persist] [page page] [source ip-address] [syntax-check]: Enable the configuration agent, and initiate an initial configuration. • For {ip-address | hostname}, enter the IP address or the host name of the configuration server.
  • Page 124: Enabling a Partial Configuration

    Enabling a Partial Configuration: Beginning in privileged EXEC mode, follow these steps to enable the CNS configuration agent and to initiate a partial configuration on the switch: Command / Purpose: Step 1 configure terminal: Enter global configuration mode.
  • Page 125: Displaying CNS Configuration

    Displaying CNS Configuration: You can use the privileged EXEC commands in Table 5-2 to display CNS configuration information. Table 5-2 Displaying CNS Configuration. Command / Purpose: show cns config connections: Displays the status of the CNS configuration agent connections. show cns config outstanding: Displays information about incremental (partial) CNS configurations that have started but are not yet completed.
  • Page 127: Chapter 6 Clustering Switches

    Chapter 6 Clustering Switches: This chapter provides these topics to help you get started with switch clustering: • Understanding Switch Clusters, page 6-2 • Planning a Switch Cluster, page 6-5 • Creating a Switch Cluster, page 6-19 • Using the CLI to Manage Switch Clusters, page 6-25 •...
  • Page 128: Understanding Switch Clusters

    Understanding Switch Clusters: A switch cluster is a group of connected Catalyst switches that are managed as a single entity. In a switch cluster, one switch must be the command switch and up to 15 switches can be member switches. The total number of switches in a cluster cannot exceed 16 switches.
  • Page 129: Command Switch Characteristics

    • It has an IP address. • It has Cisco Discovery Protocol (CDP) version 2 enabled (the default). • It is not a command or member switch of another cluster. • If the Catalyst 2950 command switch is running Release 12.1(9)EA1 or later, it is connected to the...
  • Page 130: Candidate Switch and Member Switch Characteristics

    Note: Catalyst 2950 command switches running Release 12.1(9)EA1 or later can connect to standby command switches in the management VLAN. • It is redundantly connected to the cluster so that connectivity to member switches is maintained. •...
  • Page 131: Planning a Switch Cluster

    Java plug-in configurations. Automatic Discovery of Cluster Candidates and Members: The command switch uses Cisco Discovery Protocol (CDP) to discover member switches, candidate switches, neighboring switch clusters, and edge devices in star or cascaded topologies.
  • Page 132: Discovery through CDP Hops

    Discovery through CDP Hops: By using CDP, a command switch can discover switches up to seven CDP hops away (the default is three hops) from the edge of the cluster. The edge of the cluster is where the last member switches are connected to the cluster and to candidate switches.
  • Page 133: Discovery through Non-CDP-Capable and Noncluster-Capable Devices

    Discovery through Non-CDP-Capable and Noncluster-Capable Devices: If a command switch is connected to a non-CDP-capable third-party hub (such as a non-Cisco hub), it can discover cluster-enabled devices connected to that third-party hub. However, if the command switch is connected to a noncluster-capable Cisco device, it cannot discover a cluster-enabled device connected beyond the noncluster-capable Cisco device.
  • Page 134: Discovery through the Same Management VLAN

    Discovery through the Same Management VLAN: A Catalyst 2900 XL command switch, a Catalyst 2950 command switch running a release earlier than Release 12.1(9)EA1, or a Catalyst 3500 XL command switch must connect to all cluster members through its management VLAN.
  • Page 135: Discovery through Different Management VLANs

    Discovery through Different Management VLANs: We recommend using a Catalyst 3550 command switch or a Catalyst 2950 command switch running Release 12.1(9)EA1 or later. These command switches can discover and manage member switches in different VLANs and different management VLANs.
  • Page 136: Discovery of Newly Installed Switches

    Figure 6-6 Discovery through Different Management VLANs with a Layer 3 Command Switch (figure labels: Catalyst 3550 command switch, Catalyst 3550 standby command switch, VLAN 9, VLAN 16, VLAN 62, VLAN 9, Switch 3 (management VLAN 16), Switch 5...)
  • Page 137 Figure 6-7 Discovery of Newly Installed Switches in the Same Management VLAN (figure labels: Command switch, VLAN 16, Catalyst 2950 switch (Management VLAN 16), Catalyst 3500 XL switch (Management VLAN 16), VLAN 16, New (out-of-box), New (out-of-box))
  • Page 138: HSRP and Standby Command Switches

    The default HSRP standby hold time interval is 10 seconds. The default HSRP standby hello time interval is 3 seconds. For more information about the standby hold time and hello time intervals, refer to the Release 12.1 documentation set on Cisco.com. These connectivity guidelines ensure automatic discovery of the switch cluster, cluster candidates, connected switch clusters, and neighboring edge devices.
  • Page 139: Virtual IP Addresses

    Virtual IP Addresses: You need to assign a unique virtual IP address and group number and name to the cluster standby group. This information must be configured on the management VLAN on the active command switch. The active command switch receives traffic destined for the virtual IP address.
  • Page 140 • All standby-group members must be members of the cluster. Note: There is no limit to the number of switches that you can assign as standby command switches. However, the total number of switches in the cluster (which would include the active command switch, standby-group members, and member switches) cannot be more than 16.
  • Page 141: Automatic Recovery of Cluster Configuration

    Automatic Recovery of Cluster Configuration: The active command switch continually forwards cluster-configuration information (but not device-configuration information) to the standby command switch. This ensures that the standby command switch can take over the cluster immediately after the active command switch fails. Automatic discovery has these limitations: • This limitation applies only to clusters that have Catalyst 2950 and Catalyst 3550 command and...
  • Page 142: Host Names

    Host Names: You do not need to assign a host name to either a command switch or an eligible cluster member. However, a host name assigned to the command switch can help to identify the switch cluster. The default host name for the switch is Switch.
  • Page 143: TACACS+ and RADIUS

    TACACS+ and RADIUS: Inconsistent authentication configurations in switch clusters cause CMS to continually prompt for a user name and password. If Terminal Access Controller Access Control System Plus (TACACS+) is configured on a cluster member, it must be configured on all cluster members. Similarly, if Remote Authentication Dial-In User Service (RADIUS) is configured on a cluster member, it must be configured on all cluster members.
  • Page 144: Management VLAN

    Management VLAN: Communication with the switch management interfaces is through the command-switch IP address. The IP address is associated with the management VLAN, which by default is VLAN 1. To manage switches in a cluster, the command switch, member switches, and candidate switches must be connected through ports assigned to the command-switch management VLAN.
  • Page 145: Availability of Switch-Specific Features in Switch Clusters

    Availability of Switch-Specific Features in Switch Clusters: The menu bar on the command switch displays all options available from the switch cluster. Therefore, features specific to a member switch are available from the command-switch menu bar. For example, Device >...
  • Page 146: Adding Member Switches

    Creating a Switch Cluster: If you did not enable a command switch during initial switch setup, launch Device Manager from a command-capable switch, and select Cluster > Create Cluster. Enter a cluster number (the default is 0), and use up to 31 characters to name the cluster (see Figure 6-10).
  • Page 147 If a candidate switch in the group has a password different from the group, only that specific candidate switch is not added to the cluster. When a candidate switch joins a cluster, it inherits the command-switch password. For more information about setting passwords, see the “Passwords”...
  • Page 148: Creating a Cluster Standby Group

    Figure 6-12 Using the Topology View to Add Member Switches (figure callouts: Thin line means a connection to a candidate switch. Right-click a candidate switch to display the pop-up menu, and select Add to Cluster to add the switch to the cluster.)
  • Page 149 The default HSRP standby hold time interval is 10 seconds. The default HSRP standby hello time interval is 3 seconds. For more information about the standby hold time and hello time intervals, refer to the Cisco IOS Release 12.1 documentation set on Cisco.com. Figure 6-13 Standby Command Configuration Window 3550C (cisco WS-C3550-C-24, HC, ...
  • Page 150: Verifying a Switch Cluster

    Verifying a Switch Cluster: When you finish adding cluster members, follow these steps to verify the cluster: Step 1 Enter the command switch IP address in the browser Location field (Netscape Communicator) or Address field (Microsoft Internet Explorer) to access all switches in the cluster.
  • Page 151: Using the CLI to Manage Switch Clusters

    Using the CLI to Manage Switch Clusters: You can configure member switches from the CLI by first logging into the command switch. Enter the rcommand user EXEC command and the member switch number to start a Telnet session (through a console or Telnet connection) and to access the member switch CLI.
  • Page 152: Using SNMP to Manage Switch Clusters

    Using SNMP to Manage Switch Clusters: When you first power on the switch, SNMP is enabled if you enter the IP information by using the setup program and accept its proposed configuration. If you did not use the setup program to enter the IP information and SNMP was not enabled, you can enable it as described in the “Configuring SNMP”...
  • Page 153: Preventing Unauthorized Access to Your Switch

    Chapter 7 Administering the Switch: This chapter describes how to perform one-time operations to administer your switch. This chapter consists of these sections: • Preventing Unauthorized Access to Your Switch, page 7-1 • Protecting Access to Privileged EXEC Commands, page 7-2 • Controlling Switch Access with TACACS+, page 7-10 •...
  • Page 154: Chapter 7 Administering the Switch

    Password protection restricts access to a network or network device. Privilege levels define what commands users can enter after they have logged into a network device. Note: For complete syntax and usage information for the commands used in this section, refer to the Cisco IOS Security Command Reference for Release 12.1.
  • Page 155: Setting or Changing a Static Enable Password

    Protecting Access to Privileged EXEC Commands. Setting or Changing a Static Enable Password: The enable password controls access to the privileged EXEC mode. Beginning in privileged EXEC mode, follow these steps to set or change a static enable password: Command / Purpose: Step 1...
  • Page 156: Protecting Enable and Enable Secret Passwords with Encryption

    By default, no password is defined. • (Optional) For encryption-type, only type 5, a Cisco proprietary encryption algorithm, is available. If you specify an encryption type, you must provide an encrypted password—an encrypted password you copy...
  • Page 157: Disabling Password Recovery

    If both the enable and enable secret passwords are defined, users must enter the enable secret password. Use the level keyword to define a password for a specific privilege level. After you specify the level and set a password, give the password only to users who need to have access at this level.
  • Page 158: Setting a Telnet Password for a Terminal Line

    Beginning in privileged EXEC mode, follow these steps to disable password recovery: Command / Purpose: Step 1 configure terminal: Enter global configuration mode. Step 2 no service password-recovery: Disable password recovery. This setting is saved in an area of the Flash memory that is accessible by the boot loader and the IOS image, but it is not part of the file system and is not accessible by any user.
  • Page 159: Configuring Username and Password Pairs

    Command / Purpose: Step 7 show running-config: Verify your entries. The password is listed under the command line vty 0 15. Step 8 copy running-config startup-config: (Optional) Save your entries in the configuration file. To remove the password, use the no password global configuration command.
  • Page 160: Configuring Multiple Privilege Levels

    To disable username authentication for a specific user, use the no username name global configuration command. To disable password checking and allow connections without a password, use the no login line configuration command.
  • Page 161: Changing the Default Privilege Level for Lines

    Command / Purpose: Step 5 show running-config, show privilege: Verify your entries. The first command displays the password and access level configuration. The second command displays the privilege level configuration. Step 6 copy running-config startup-config: (Optional) Save your entries in the configuration file.
  • Page 162: Logging into and Exiting a Privilege Level

    (AAA) and can be enabled only through AAA commands. Note: For complete syntax and usage information for the commands used in this section, refer to the Cisco IOS Security Command Reference for Release 12.1. This section contains this configuration information: •...
  • Page 163 Figure 7-1 Typical TACACS+ Network Configuration (figure labels: UNIX workstation (TACACS+ server 1) 171.20.10.7, UNIX workstation (TACACS+ server 2) 171.20.10.8, Catalyst 6500 series switch, Catalyst 2950 or 3550 switches; Configure the switches with the TACACS+ server addresses.)
  • Page 164: TACACS+ Operation

    TACACS+ Operation: When a user attempts a simple ASCII login by authenticating to a switch using TACACS+, this process occurs: When the connection is established, the switch contacts the TACACS+ daemon to obtain a username prompt, which is then displayed to the user.
  • Page 165: Default TACACS+ Configuration

    This section contains this configuration information: • Default TACACS+ Configuration, page 7-13 • Identifying the TACACS+ Server Host and Setting the Authentication Key, page 7-13 • Configuring TACACS+ Login Authentication, page 7-14 • Configuring TACACS+ Authorization for Privileged EXEC Access and Network Services, page...
  • Page 166: Configuring TACACS+ Login Authentication

    Command / Purpose: Step 4 aaa group server tacacs+ group-name: (Optional) Define the AAA server-group with a group name. This command puts the switch in a server group subconfiguration mode. Step 5 server ip-address: (Optional) Associate a particular TACACS+ server with the defined server group.
  • Page 167 Beginning in privileged EXEC mode, follow these steps to configure login authentication: Command / Purpose: Step 1 configure terminal: Enter global configuration mode. Step 2 aaa new-model: Enable AAA. Step 3 aaa authentication login {default | Create a login authentication method list.
  • Page 168: Configuring TACACS+ Authorization for Privileged EXEC Access and Network Services

    To disable AAA, use the no aaa new-model global configuration command. To disable AAA authentication, use the no aaa authentication login {default | list-name} method1 [method2...] global configuration command. To either disable TACACS+ authentication for logins or to return to the default value, use the no login authentication {default | list-name} line configuration command.
  • Page 169: Starting TACACS+ Accounting

    (AV) pairs and is stored on the security server. This data can then be analyzed for network management, client billing, or auditing. Beginning in privileged EXEC mode, follow these steps to enable TACACS+ accounting for each Cisco IOS privilege level and for network services:...
  • Page 170: Controlling Switch Access with RADIUS

    RADIUS is facilitated through AAA and can be enabled only through AAA commands. Note: For complete syntax and usage information for the commands used in this section, refer to the Cisco IOS Security Command Reference for Release 12.1. This section contains this configuration information: •...
  • Page 171: RADIUS Operation

    • Switch-to-switch or router-to-router situations. RADIUS does not provide two-way authentication. RADIUS can be used to authenticate from one device to a non-Cisco device if the non-Cisco device requires authentication. • Networks using a variety of services. RADIUS generally binds a user to one service model.
  • Page 172: Configuring RADIUS

    Configuring RADIUS: This section describes how to configure your switch to support RADIUS. At a minimum, you must identify the host or hosts that run the RADIUS server software and define the method lists for RADIUS authentication.
  • Page 173 You identify RADIUS security servers by their host name or IP address, host name and specific UDP port numbers, or their IP address and specific UDP port numbers. The combination of the IP address and the UDP port number creates a unique identifier, allowing different ports to be individually defined as RADIUS hosts providing a specific AAA service.
  • Page 174 Command / Purpose: Step 1 configure terminal: Enter global configuration mode. Step 2 radius-server host {hostname | ip-address} [auth-port port-number]: Specify the IP address or host name of the remote RADIUS server host. •...
  • Page 175: Configuring RADIUS Login Authentication

    This example shows how to configure host1 as the RADIUS server and to use the default ports for both authentication and accounting: Switch(config)# radius-server host host1. Note: You also need to configure some settings on the RADIUS server. These settings include the IP address of the switch and the key string to be shared by both the server and the switch.
  • Page 176 Command / Purpose: Step 1 configure terminal: Enter global configuration mode. Step 2 aaa new-model: Enable AAA. Step 3 aaa authentication login {default | list-name} method1 [method2...]: Create a login authentication method list. To create a default list that is used when a named list is not specified •...
  • Page 177: Defining Aaa Server Groups

    To disable AAA, use the no aaa new-model global configuration command. To disable AAA authentication, use the no aaa authentication login {default | list-name} method1 [method2...] global configuration command. To either disable RADIUS authentication for logins or to return to the default value, use the no login authentication {default | list-name} line configuration command.
  • Page 178 Beginning in privileged EXEC mode, follow these steps to define the AAA server group and associate a particular RADIUS server with it: Command / Purpose: Step 1 configure terminal: Enter global configuration mode. Step 2 radius-server host {hostname | ...: Specify the IP address or host name of the remote RADIUS server host.
  • Page 179: Configuring Radius Authorization For User Privileged Access And Network Services

    Command / Purpose: Step 8 copy running-config startup-config: (Optional) Save your entries in the configuration file. Step 9 Enable RADIUS login authentication. See the “Configuring RADIUS Login Authentication” section on page 7-23.
  • Page 180: Starting Radius Accounting

    (AV) pairs and is stored on the security server. This data can then be analyzed for network management, client billing, or auditing. Beginning in privileged EXEC mode, follow these steps to enable RADIUS accounting for each Cisco IOS privilege level and for network services:...
  • Page 181: Configuring Settings For All Radius Servers

    1, which is named cisco-avpair. The value is a string with this format: protocol : attribute sep value * Protocol is a value of the Cisco protocol attribute for a particular type of authorization. Attribute and value are an appropriate attribute-value (AV) pair defined in the Cisco TACACS+ specification, and sep is = for mandatory attributes and * for optional attributes.
  • Page 182: Configuring The Switch For Vendor-Proprietary Radius Server Communication

    For example, the following AV pair activates Cisco’s multiple named ip address pools feature during IP authorization (during PPP’s IPCP address assignment): cisco-avpair= "ip:addr-pool=first" The following example shows how to provide a user logging in from a switch with immediate access to privileged EXEC commands: cisco-avpair= "shell:priv-lvl=15"...
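The cisco-avpair format described above (protocol : attribute sep value, with = for mandatory and * for optional attributes) can be parsed and audited on the server side. This is an added example, not code from the guide or from Cisco; the sample attribute strings are constructed, and the audit rule (flagging any shell:priv-lvl of 15) is an assumption about what a reviewer would want logged.

```python
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional

# Grammar from the guide: protocol : attribute sep value
#   sep is "=" for a mandatory attribute and "*" for an optional one.
# The first "=" or "*" after the attribute name is taken as the separator,
# so values that themselves contain "=" (e.g. an ACL entry) survive intact.
AVPAIR_RE = re.compile(
    r"^(?P<proto>[A-Za-z0-9_-]+)\s*:\s*(?P<attr>[^=*]+?)\s*(?P<sep>[=*])\s*(?P<value>.*)$"
)


@dataclass(frozen=True)
class CiscoAVPair:
    protocol: str     # e.g. "ip", "shell"
    attribute: str    # e.g. "addr-pool", "priv-lvl"
    value: str        # e.g. "first", "15"
    mandatory: bool   # True for "=", False for "*"


def parse_cisco_avpair(text: str) -> CiscoAVPair:
    """Parse one cisco-avpair string (attribute 1 inside the vendor-specific attribute)."""
    m = AVPAIR_RE.match(text.strip())
    if not m:
        raise ValueError(f"not a cisco-avpair string: {text!r}")
    return CiscoAVPair(m["proto"], m["attr"], m["value"], m["sep"] == "=")


def privilege_level(pairs: Iterable[CiscoAVPair]) -> Optional[int]:
    """Return the shell:priv-lvl a reply grants, or None if no such pair is present."""
    for p in pairs:
        if p.protocol == "shell" and p.attribute == "priv-lvl":
            level = int(p.value)
            if not 0 <= level <= 15:
                raise ValueError(f"priv-lvl out of range: {level}")
            return level
    return None


def audit_reply(avpair_strings: Iterable[str]) -> List[str]:
    """Parse every cisco-avpair in a server reply and list review findings.

    Findings (assumed policy for this example): a grant of privilege level 15
    and any optional (*) pair, which the switch may silently ignore.
    """
    pairs = [parse_cisco_avpair(s) for s in avpair_strings]
    findings: List[str] = []
    level = privilege_level(pairs)
    if level == 15:
        findings.append("grants full privileged EXEC access (shell:priv-lvl=15)")
    for p in pairs:
        if not p.mandatory:
            findings.append(f"optional attribute {p.protocol}:{p.attribute} may be ignored by the NAS")
    return findings


if __name__ == "__main__":
    # Constructed sample: two pairs taken from the guide's text plus one optional pair.
    sample_reply = ["ip:addr-pool=first", "shell:priv-lvl=15", "ip:inacl#1*permit ip any any"]
    for finding in audit_reply(sample_reply):
        print("finding:", finding)
```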
  • Page 183: Displaying The Radius Configuration

    Beginning in privileged EXEC mode, follow these steps to specify a vendor-proprietary RADIUS server host and a shared secret text string: Command / Purpose: Step 1 configure terminal: Enter global configuration mode. Step 2 radius-server host {hostname | ip-address} non-standard: Specify the IP address or host name of the remote...
  • Page 184: Configuring The Switch For Local Authentication And Authorization

    Chapter 7 Administering the Switch Configuring the Switch for Local Authentication and Authorization Configuring the Switch for Local Authentication and Authorization You can configure AAA to operate without a server by setting the switch to implement AAA in local mode. The switch then handles authentication and authorization. No accounting is available in this configuration.
  • Page 185: Configuring The Switch For Secure Shell

    Local Authentication and Authorization” section on page 7-32) For more information about SSH, refer to the “Configuring Secure Shell” section in the Cisco IOS Security Configuration Guide for Release 12.2. The SSH feature in this software release does not support IP Security (IPSec).
  • Page 186: Managing The System Time And Date

    Network Time Protocol (NTP), or manual configuration methods. Note For complete syntax and usage information for the commands used in this section, refer to the Cisco IOS Configuration Fundamentals Command Reference for Release 12.1. This section contains this configuration information: Understanding the System Clock, page 7-34 •...
  • Page 187 Cisco’s implementation of NTP does not support stratum 1 service; it is not possible to connect to a radio or atomic clock. We recommend that the time service for your network be derived from the public NTP servers available on the IP Internet.
  • Page 188: Configuring Ntp

    Chapter 7 Administering the Switch Managing the System Time and Date Figure 7-3 Typical NTP Network Configuration (figure labels: Catalyst 6500 series switch (NTP master); local workgroup servers; Catalyst 2950 or 3550 switches). These switches are configured in NTP server mode (server association) with the Catalyst 6500 series switch.
  • Page 189: Default Ntp Configuration

    Default NTP Configuration Table 7-2 shows the default NTP configuration. Table 7-2 Default NTP Configuration (Feature: Default Setting): NTP authentication: Disabled. No authentication key is specified. NTP peer or server associations: None configured.
  • Page 190: Configuring Ntp Associations

    Command / Purpose: Step 5 end: Return to privileged EXEC mode. Step 6 show running-config: Verify your entries. Step 7 copy running-config startup-config: (Optional) Save your entries in the configuration file. To disable NTP authentication, use the no ntp authenticate global configuration command.
  • Page 191: Configuring Ntp Broadcast Service

    Command / Purpose: Step 3 end: Return to privileged EXEC mode. Step 4 show running-config: Verify your entries. Step 5 copy running-config startup-config: (Optional) Save your entries in the configuration file. You need to configure only one end of an association;...
  • Page 192: Configuring Ntp Access Restrictions

    Command / Purpose: Step 6 copy running-config startup-config: (Optional) Save your entries in the configuration file. Step 7 Configure the connected peers to receive NTP broadcast packets as described in the next procedure. To disable the interface from sending NTP broadcast packets, use the no ntp broadcast interface configuration command.
  • Page 193 Creating an Access Group and Assigning a Basic IP Access List Beginning in privileged EXEC mode, follow these steps to control access to NTP services by using access lists: Command Purpose Step 1...
  • Page 194: Configuring The Source Ip Address For Ntp Packets

    If the source IP address matches the access lists for more than one access type, the first type is granted. If no access groups are specified, all access types are granted to all devices. If any access groups are specified, only the specified access types are granted.
  • Page 195: Displaying The Ntp Configuration

    [detail] • show ntp status For detailed information about the fields in these displays, refer to the Cisco IOS Configuration Fundamentals Command Reference for Release 12.1. Configuring Time and Date Manually If no other source of time is available, you can manually configure the time and date after the system is restarted.
  • Page 196: Setting The System Clock

    Setting the System Clock If you have an outside source on the network that provides time services, such as an NTP server, you do not need to manually set the system clock. Beginning in privileged EXEC mode, follow these steps to set the system clock: Command Purpose...
  • Page 197: Configuring The Time Zone

    Configuring the Time Zone Beginning in privileged EXEC mode, follow these steps to manually configure the time zone: Command / Purpose: Step 1 configure terminal: Enter global configuration mode. Step 2 clock timezone zone hours-offset: Set the time zone.
  • Page 198: Configuring Summer Time (Daylight Saving Time)

    Configuring Summer Time (Daylight Saving Time) Beginning in privileged EXEC mode, follow these steps to configure summer time (daylight saving time) in areas where it starts and ends on a particular day of the week each year: Command Purpose Step 1...
  • Page 199 Beginning in privileged EXEC mode, follow these steps if summer time in your area does not follow a recurring pattern (configure the exact date and time of the next summer time events): Command Purpose Step 1...
  • Page 200: Configuring A System Name And Prompt

    Note For complete syntax and usage information for the commands used in this section, refer to the Cisco IOS Configuration Fundamentals Command Reference and the Cisco IOS IP and IP Routing Command Reference for Release 12.1.
  • Page 201: Configuring A System Prompt

    Domain names are pieced together with periods (.) as the delimiting characters. For example, Cisco Systems is a commercial organization that IP identifies by a com domain name, so its domain name is cisco.com. A specific device in this domain, for example, the File Transfer Protocol (FTP) system is identified as ftp.cisco.com.
  • Page 202: Default Dns Configuration

    Chapter 7 Administering the Switch Configuring a System Name and Prompt Default DNS Configuration Table 7-3 shows the default DNS configuration. Table 7-3 Default DNS Configuration (Feature: Default Setting): DNS enable state: Enabled. DNS default domain name: None configured. DNS servers: No name server addresses are configured.
  • Page 203: Displaying The Dns Configuration

    The login banner also displays on all connected terminals. It is displayed after the MOTD banner and before the login prompts. Note For complete syntax and usage information for the commands used in this section, refer to the Cisco IOS Configuration Fundamentals Command Reference for Release 12.1. This section contains this configuration information: •...
  • Page 204: Configuring A Message-Of-The-Day Login Banner

    Chapter 7 Administering the Switch Creating a Banner Configuring a Message-of-the-Day Login Banner You can create a single or multiline message banner that appears on the screen when someone logs in to the switch. Beginning in privileged EXEC mode, follow these steps to configure a MOTD login banner: Command Purpose Step 1...
  • Page 205: Configuring A Login Banner

    Configuring a Login Banner You can configure a login banner to be displayed on all connected terminals. This banner appears after the MOTD banner and before the login prompt. Beginning in privileged EXEC mode, follow these steps to configure a login banner: Command Purpose Step 1...
  • Page 206: Managing The Mac Address Table

    Chapter 7 Administering the Switch Managing the MAC Address Table Managing the MAC Address Table The MAC address table contains address information that the switch uses to forward traffic between ports. All MAC addresses in the address table are associated with one or more ports. The address table includes these types of addresses: •...
  • Page 207: Mac Addresses And Vlans

    MAC Addresses and VLANs All addresses are associated with a VLAN. An address can exist in more than one VLAN and have different destinations in each. Multicast addresses, for example, could be forwarded to port 1 in VLAN 1 and ports 9, 10, and 11 in VLAN 5.
  • Page 208: Removing Dynamic Address Entries

    Command / Purpose: Step 4 show mac address-table aging-time: Verify your entries. Step 5 copy running-config startup-config: (Optional) Save your entries in the configuration file. To return to the default value, use the no mac address-table aging-time global configuration command. Removing Dynamic Address Entries To remove all dynamic entries, use the clear mac address-table dynamic command in privileged EXEC mode.
  • Page 209 Beginning in privileged EXEC mode, follow these steps to configure the switch to send MAC address notification traps to an NMS host: Command / Purpose: Step 1 configure terminal: Enter global configuration mode. Step 2 snmp-server host host-addr {traps | informs} {version {1 ...: Specify the recipient of the trap message.
  • Page 210: Adding And Removing Static Address Entries

    Command / Purpose: Step 9 show mac address-table notification interface, show running-config: Verify your entries. Step 10 copy running-config startup-config: (Optional) Save your entries in the configuration file. To disable the switch from sending MAC address notification traps, use the no snmp-server enable traps mac-notification global configuration command.
  • Page 211: Adding And Removing Secure Addresses

    Beginning in privileged EXEC mode, follow these steps to add a static address: Command / Purpose: Step 1 configure terminal: Enter global configuration mode. Step 2 mac address-table static mac-addr vlan vlan-id interface interface-id: Add a static address to the MAC address table. •...
  • Page 212: Displaying Address Table Entries

    Beginning in privileged EXEC mode, follow these steps to add a secure address: Command / Purpose: Step 1 configure terminal: Enter global configuration mode. Step 2 interface interface-id: Specify an interface, and enter interface configuration mode. Step 3 switchport port-security: Add a secure address.
  • Page 213: Managing The Arp Table

    The switch software is regularly updated with new features and bug fixes, and you might want to upgrade your Catalyst 2950 switch with the latest software release. New software releases are posted on Cisco.com and are available through authorized resellers. Cisco also supplies a TFTP server that you can download from Cisco.com.
  • Page 214 Chapter 7 Administering the Switch Switch Software Releases...
  • Page 215: Understanding 802.1X Port-Based Authentication

    Chapter 8 Configuring 802.1X Port-Based Authentication This chapter describes how to configure IEEE 802.1X port-based authentication to prevent unauthorized devices (clients) from gaining access to the network. As LANs extend to hotels, airports, and corporate lobbies, insecure environments could be created.
  • Page 216: Chapter 8 Configuring 802.1X Port-Based Authentication

    In this release, the Remote Authentication Dial-In User Service (RADIUS) security system with Extensible Authentication Protocol (EAP) extensions is the only supported authentication server; it is available in Cisco Secure Access Control Server version 3.0. RADIUS operates in a client/server model in which secure authentication information is exchanged between the RADIUS server and one or more RADIUS clients.
  • Page 217: Authentication Initiation And Message Exchange

    Chapter 8 Configuring 802.1X Port-Based Authentication Understanding 802.1X Port-Based Authentication Authentication Initiation and Message Exchange The switch or the client can initiate authentication. If you enable authentication on a port by using the dot1x port-control auto interface configuration command, the switch must initiate authentication when it determines that the port link state transitions from down to up.
  • Page 218: Ports In Authorized And Unauthorized States

    Ports in Authorized and Unauthorized States The switch port state determines whether or not the client is granted access to the network. The port starts in the unauthorized state. While in this state, the port disallows all ingress and egress traffic except for 802.1X protocol packets.
  • Page 219: Supported Topologies

    Chapter 8 Configuring 802.1X Port-Based Authentication Configuring 802.1X Authentication Supported Topologies The 802.1X port-based authentication is supported in two topologies: • Point-to-point • Wireless LAN In a point-to-point configuration (see Figure 8-1 on page 8-2), only one client can be connected to the 802.1X-enabled switch port.
  • Page 220: Default 802.1X Configuration

    Default 802.1X Configuration Table 8-1 shows the default 802.1X configuration. Table 8-1 Default 802.1X Configuration (Feature: Default Setting): Authentication, authorization, and accounting (AAA): Disabled. RADIUS server • IP address: None specified. • UDP authentication port: 1812.
  • Page 221: 802.1X Configuration Guidelines

    802.1X Configuration Guidelines These are the 802.1X authentication configuration guidelines: • When 802.1X is enabled, ports are authenticated before any other Layer 2 features are enabled. • The 802.1X protocol is supported on Layer 2 static-access ports, but it is not supported on these port types: –...
  • Page 222: Enabling 802.1X Authentication

    Enabling 802.1X Authentication To enable 802.1X port-based authentication, you must enable AAA and specify the authentication method list. A method list describes the sequence and authentication methods to be queried to authenticate a user.
  • Page 223: Configuring The Switch-To-Radius-Server Communication

    This example shows how to enable AAA and 802.1X on Fast Ethernet port 0/1: Switch# configure terminal Switch(config)# aaa new-model Switch(config)# aaa authentication dot1x default group radius Switch(config)# interface fastethernet0/1 Switch(config-if)# dot1x port-control auto Switch(config-if)# end Configuring the Switch-to-RADIUS-Server Communication RADIUS security servers are identified by their host name or IP address, host name and specific UDP...
  • Page 224: Enabling Periodic Re-Authentication

    This example shows how to specify the server with IP address 172.20.39.46 as the RADIUS server, to use port 1612 as the authorization port, and to set the encryption key to rad123, matching the key on the RADIUS server: Switch(config)# radius-server host 172.20.39.46 auth-port 1612 key rad123 You can globally configure the timeout, retransmission, and encryption key values for all RADIUS...
  • Page 225: Manually Re-Authenticating A Client Connected To A Port

    Manually Re-Authenticating a Client Connected to a Port You can manually re-authenticate the client connected to a specific port at any time by entering the dot1x re-authenticate interface interface-id privileged EXEC command. If you want to enable or disable periodic re-authentication, see the “Enabling Periodic Re-Authentication”...
  • Page 226: Changing The Switch-To-Client Retransmission Time

    Changing the Switch-to-Client Retransmission Time The client responds to the EAP-request/identity frame from the switch with an EAP-response/identity frame. If the switch does not receive this response, it waits a set period of time (known as the retransmission time) and then resends the frame.
  • Page 227: Setting The Switch-To-Client Frame-Retransmission Number

    Setting the Switch-to-Client Frame-Retransmission Number In addition to changing the switch-to-client retransmission time, you can change the number of times that the switch sends an EAP-request/identity frame (assuming no response is received) to the client before restarting the authentication process.
  • Page 228: Resetting The 802.1X Configuration To The Default Values

    Chapter 8 Configuring 802.1X Port-Based Authentication Displaying 802.1X Statistics and Status Command / Purpose: Step 4 end: Return to privileged EXEC mode. Step 5 show dot1x interface interface-id: Verify your entries. Step 6 copy running-config startup-config: (Optional) Save your entries in the configuration file. To disable multiple hosts on the port, use the no dot1x multiple-hosts interface configuration command.
  • Page 229: Chapter 9 Configuring The Switch Interfaces

    Monitoring and Maintaining the Interfaces, page 9-16 Note For complete syntax and usage information for the commands used in this chapter, refer to the switch command reference for this release and the online Cisco IOS Interface Command Reference for Release 12.1. Understanding Interface Types This section describes the different types of interfaces supported by the switch with references to chapters that contain more detailed information about configuring these interface types.
  • Page 230: Access Ports

    Chapter 9 Configuring the Switch Interfaces Understanding Interface Types These sections describe these types of interfaces: • Access Ports, page 9-2 • Trunk Ports, page 9-2 • Port-Based VLANs, page 9-3 • EtherChannel Port Groups, page 9-3 • Connecting Interfaces, page 9-3 •...
  • Page 231: Port-Based Vlans

    Most protocols operate over either single ports or aggregated switch ports and do not recognize the physical ports within the port group. Exceptions are the DTP, the Cisco Discovery Protocol (CDP), and the Port Aggregation Protocol (PAgP), which operate only on physical ports.
  • Page 232: Using The Interface Command

    Chapter 9 Configuring the Switch Interfaces Using the Interface Command Figure 9-1 Connecting VLANs with Layer 2 Switches (figure labels: Cisco router; Switch; Host A, VLAN 20; Host B, VLAN 30). Using the Interface Command To configure a physical interface (port), use the interface global configuration command to enter interface configuration mode and to specify the interface type, slot, and number.
  • Page 233 Enter configuration commands, one per line. End with CNTL/Z. Switch(config)# Step 2 Enter the interface global configuration command. Identify the interface type and the number of the connector. In this example, Gigabit Ethernet interface 0/1 is selected: Switch(config)# interface gigabitethernet0/1 Switch(config-if)# Note...
  • Page 234: Configuring A Range Of Interfaces

    Queueing strategy: fifo Output queue 0/40, 0 drops; input queue 0/75, 0 drops 5 minute input rate 0 bits/sec, 0 packets/sec 5 minute output rate 0 bits/sec, 0 packets/sec 0 packets input, 0 bytes, 0 no buffer Received 0 broadcasts, 0 runts, 0 giants, 0 throttles 0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored 0 input packets with dribble condition detected...
  • Page 235 – gigabitethernet slot/{first port} - {last port}, where slot is 0 – port-channel port-channel-number - port-channel-number, where port-channel-number is from 1 to 6 • You must add a space between the interface numbers and the hyphen when using the interface range command.
  • Page 236: Configuring And Using Interface-Range Macros

    Configuring and Using Interface-Range Macros You can create an interface-range macro to automatically select a range of interfaces for configuration. Before you can use the macro keyword in the interface range macro global configuration command string, you must use the define interface-range global configuration command to define the macro.
  • Page 237: Configuring Switch Interfaces

    Chapter 9 Configuring the Switch Interfaces Configuring Switch Interfaces This example shows how to define an interface-range macro named enet_list to select Fast Ethernet ports 1 to 4 and to verify the macro configuration: Switch# configure terminal Switch(config)# define interface-range enet_list fastethernet0/1 - 4 Switch(config)# end Switch# show running-config | include define define interface-range enet_list FastEthernet0/1 - 4...
  • Page 238: Default Ethernet Interface Configuration

    Default Ethernet Interface Configuration Table 9-1 shows the Ethernet interface default configuration. For more details on the VLAN parameters listed in the table, see Chapter 14, “Configuring VLANs.” For details on controlling traffic to the port, see Chapter 18, “Configuring Port-Based Traffic Control.”...
  • Page 239: Configuring Interface Speed And Duplex Mode

    Note By using the media-type auto-select command in Cisco IOS command-line interface (CLI), you can configure the Catalyst 2950 LRE so that the SFP module port does not take precedence over the 10/100/1000 port. In that scenario, whichever media type establishes a link first will have precedence over the other.
  • Page 240: Configuration Guidelines

    Note You cannot configure speed or duplex mode on Gigabit Interface Converter (GBIC) ports, but for certain types of GBICs, you can configure speed to not negotiate (nonegotiate) if the GBIC ports are connected to a device that does not support autonegotiation.
  • Page 241: Setting The Interface Speed And Duplex Parameters

    Setting the Interface Speed and Duplex Parameters Note The Ethernet link settings on the CPE Ethernet ports have special considerations and different default settings from the 10/100 ports. For this information, see the “Ports on the 2950 LRE”...
  • Page 242: Configuring Media Types For Gigabit Interfaces

    service timestamps log uptime no service password-encryption hostname Switch <output truncated> interface FastEthernet0/3 switchport mode trunk no ip address duplex half speed 10 <output truncated> Configuring Media Types for Gigabit Interfaces You can use the media-type interface configuration command to configure the media type for Gigabit interfaces.
  • Page 243 These rules apply to flow control settings on the device: • receive on (or desired) and send on: Flow control operates in both directions; both the local and the remote devices can send pause frames to show link congestion. •...
  • Page 244: Adding A Description For An Interface

    (You can display the full list of show commands by using the show ? command at the privileged EXEC prompt.) These commands are fully described in the Cisco IOS Interface Command Reference for Release 12.1.
  • Page 245 Chapter 9 Configuring the Switch Interfaces Monitoring and Maintaining the Interfaces Table 9-2 Show Commands for Interfaces (Command: Purpose): show interfaces [interface-id]: Display the status and configuration of all interfaces or a specific interface. show interfaces interface-id status [err-disabled]: Display interface status or a list of interfaces in error-disabled state. show interfaces [media | <interface-id>...
  • Page 246 Operational Mode: down <output truncated> This example shows how to display the running configuration of Fast Ethernet interface 0/2: Switch# show running-config interface fastethernet0/2 Building configuration... Current configuration : 131 bytes interface FastEthernet0/2 switchport mode access switchport protected...
  • Page 247: Clearing And Resetting Interfaces And Counters

    Clearing and Resetting Interfaces and Counters Table 9-3 lists the clear privileged EXEC commands that you can use to clear counters and reset interfaces. Table 9-3 Clear Commands for Interfaces Command Purpose clear counters [interface-id]...
  • Page 248 Command / Purpose: Step 4 end: Return to privileged EXEC mode. Step 5 show running-config: Verify your entry. Use the no shutdown interface configuration command to restart the interface. This example shows how to shut down Fast Ethernet interface 0/5: Switch# configure terminal Switch(config)# interface fastethernet0/5 Switch(config-if)# shutdown...
  • Page 249: Chapter 10 Configuring Lre

    LRE link—This is the connection between the switch LRE port and the RJ-11 wall port on an LRE customer premises equipment (CPE) device such as the Cisco 575 LRE CPE or Cisco 585 LRE CPE. This connection can be through categorized or noncategorized unshielded twisted-pair cable and can extend to distances of up to 4921 feet (1500 m).
  • Page 250: Lre Links And Lre Profiles

    LRE link can affect the actual LRE link performance. Contact Cisco Systems for information about limitations and optimization of LRE link performance. The downstream and upstream rates in the table are slightly less than the gross data rates displayed by the show controllers lre profile names privileged EXEC command.
  • Page 251 Chapter 10 Configuring LRE LRE Links and LRE Profiles Table 10-1 LRE Profiles (columns: Profile Name; LRE Link Downstream Rate (Mbps); LRE Link Upstream Rate (Mbps); Theoretical Min SNR Downstream; Theoretical Min SNR Upstream): LRE-15: 16.667, 18.750; LRE-10 (default): 12.500, 12.500; LRE-5: 6.250, 6.250...
  • Page 252: Lre Sequences

    Table 10-2 outlines the predefined sequences for rate selection contained in Cisco IOS. When executing rate selection, the switch uses a sequence to choose an appropriate profile for a given LRE interface. Table 10-2 LRE Rate Selection Sequences...
  • Page 253: Cpe Ethernet Links

    Ethernet device, such as a PC. Note From CMS and the CLI, you can configure and monitor the Ethernet link on a Cisco 575 LRE CPE and Cisco 585 LRE CPE. For information about the switch LEDs, see the Catalyst 2950 Series Hardware Installation Guide.
  • Page 254: Environmental Guidelines For Lre Links

    Chapter 10 Configuring LRE Configuring LRE Ports Environmental Guidelines for LRE Links The guidelines for your LRE environment are based on these factors: • Maximum distance between the LRE switch and CPE devices—LRE runs on Category 1, 2, and 3 structured and unstructured cable.
  • Page 255: Guidelines For Using Lre Profiles

    Considerations for Connected Cisco 575 LRE CPEs You can configure the Cisco 575 LRE CPE Ethernet port to operate at 10 or 100 Mbps and at half- or full-duplex mode, depending on the capability of the remote Ethernet device. Autonegotiation for port speed and duplex mode is supported.
  • Page 256: Assigning A Global Profile To All Lre Ports

    When the default speed is set to 10 or 100 Mbps with half duplex, the values set are the same. If the remote values are 10 Mbps with full duplex, the Cisco 575 LRE CPE Ethernet port is profile independent. All LRE profiles are set to be 10 Mbps with half duplex except for LRE-10 (the default), which is set to 10 Mbps with full duplex.
  • Page 257: Assigning A Profile To A Specific Lre Port

    Use the show controllers lre privileged EXEC commands to display the LRE link statistics and profile information on the LRE ports. For information about these commands, refer to the switch command reference. Assigning a Profile to a Specific LRE Port You can set profiles on a per-port basis.
  • Page 258: Assigning A Sequence To A Specific Lre Port

    Assigning a Sequence to a Specific LRE Port You can set sequences on a per-port basis. You can assign the same sequence or different sequences to the LRE ports on the switch. If you assign a sequence on a port basis, it overrides any previously or subsequently set profiles or global sequence.
  • Page 259: Precedence

    In any of these cases, rate selection obtains the optimal profile for your line conditions. Note When an LRE link is lost for fewer than 25 seconds, the switch does not execute rate selection to re-establish the link.
  • Page 260: Link Qualification And Snr Margins

    Link Qualification and SNR Margins When rate selection is running, the SNR is used as an indicator of link quality. The switch does not provide any internal mechanism to ensure link quality. There can be different requirements for link quality, depending on the required bit-error rate and the noise level of the environment.
  • Page 261

    Table 10-4 SNR Requirements for Upstream Rates (only the profile names and gross data rates appear in this excerpt):

    Profile     Gross Data Rate   Theoretical Minimum SNR   Low Noise SNR   Medium Noise   High Noise
    LRE-4-1     1.56
    LRE-7       8.333
    LRE-8       9.375
    LRE-5       6.25
    LRE-10      12.5
    LRE-15      18.75
    LRE-10-5    6.25
    LRE-10-3    ...
  • Page 262: Lre Link Persistence

    Note The margin command is effective with any profile, but only in conjunction with rate selection and only when a link is being activated. LRE Link Persistence A brief LRE link down and up transition can cause the rest of the IOS modules to react immediately; for example, the dynamic MAC addresses are removed from that port's table.
  • Page 263: Upgrading Lre Switch Firmware

    • Link Fail Counts: The number of times the link failed. A link fail interrupts operation of the Ethernet link for a small number of milliseconds. During this interruption, some packets might be dropped (depending on traffic levels).
  • Page 264: Performing An Lre Upgrade

    If you wish to override the switch’s automatic selection of LRE binaries, you have these methods available: • Global LRE upgrade configuration commands • LRE controller configuration commands You can use global configuration commands to specify the LRE binary or binaries for a specified target type. (A target type is the family [and optionally the model or model revision] of a device containing one or more upgradable hardware elements.) A target can be a local LRE controller on the switch or a remote CPE device.
  • Page 265: Global Configuration Of Lre Upgrades

    Global Configuration of LRE Upgrades Beginning in privileged EXEC mode, follow these steps to perform a system-wide upgrade to configure the LRE binary to apply to a target device and upgradable hardware element combination: Command Purpose Step 1...
  • Page 266: Lre Upgrade Behavior Details

    LRE Upgrade Behavior Details This is what you see on the console screen when you start an upgrade:

    Switch>en
    Switch#hw-module slot 0 upgrade lre
    You are about to start an LRE upgrade on all LRE interfaces.
    Users on LRE links being upgraded will experience a temporary disruption of Ethernet connectivity.
  • Page 267

    The CPE device has finished resetting. The desired profile is applied.

    00:23:58: %LRE_LINK-3-UPDOWN: Interface Lo0/1, changed state to UP
    00:23:59: %LINK-3-UPDOWN: Interface LongReachEthernet0/1, changed state to up
    00:24:02: %LINEPROTO-5-UPDOWN: Line protocol on Interface LongReachEthernet0/1, changed state to up

    Operation resumes in the profile link up state.
  • Page 269: Understanding Spanning-Tree Features

    CHAPTER Configuring STP This chapter describes how to configure the Spanning Tree Protocol (STP) on your switch. For information about the Rapid Spanning Tree Protocol (RSTP) and the Multiple Spanning Tree Protocol (MSTP), see Chapter 12, “Configuring RSTP and MSTP.”...
  • Page 270: Configuring Stp

    Chapter 11 Configuring STP Understanding Spanning-Tree Features • Spanning Tree and Redundant Connectivity, page 11-8 • Accelerated Aging to Retain Connectivity, page 11-9 STP Overview STP is a Layer 2 link management protocol that provides path redundancy while preventing loops in the network.
  • Page 271: Election Of The Root Switch

    • Message age • The identifier of the sending interface • Values for the hello, forward delay, and max-age protocol timers When a switch receives a configuration BPDU that contains superior information (lower bridge ID, lower path cost, and so forth), it stores the information for that port.
  • Page 272: Bridge Id, Switch Priority, And Extended System Id

    BPDUs contain information about the sending switch and its ports, including switch and MAC addresses, switch priority, port priority, and path cost. Spanning tree uses this information to elect the root switch and root port for the switched network and the root port and designated port for each switched segment.
  • Page 273: Creating The Spanning-Tree Topology

    Creating the Spanning-Tree Topology In Figure 11-1, Switch A is elected as the root switch because the switch priority of all the switches is set to the default (32768) and Switch A has the lowest MAC address. However, because of traffic patterns, number of forwarding interfaces, or link types, Switch A might not be the ideal root switch.
  • Page 274

    An interface moves through these states:
    • From initialization to blocking
    • From blocking to listening or to disabled
    • From listening to learning or to disabled
    • From learning to forwarding or to disabled
    • ...
  • Page 275: Blocking State

    Blocking State A Layer 2 interface in the blocking state does not participate in frame forwarding. After initialization, a BPDU is sent to each interface in the switch. A switch initially functions as the root until it exchanges BPDUs with other switches.
  • Page 276: Disabled State

    However, in a network of Cisco switches connected through 802.1Q trunks, the switches maintain one spanning-tree instance for each VLAN allowed on the trunks. When you connect a Cisco switch to a non-Cisco device through an 802.1Q trunk, the Cisco switch uses per-VLAN spanning tree+ (PVST+) to provide spanning-tree interoperability. It combines the spanning-tree instance of the 802.1Q VLAN of the trunk with the spanning-tree instance of the...
  • Page 277: Accelerated Aging To Retain Connectivity

    [Figure 11-3 Spanning Tree and Redundant Connectivity: Switch A, Switch B, and Switch C (each a Catalyst 2950 or 3550 switch), with active links, a blocked link, and workstations] You can also create redundant links between switches by using EtherChannel groups.
  • Page 278: Default Stp Configuration

    • Configuring the Hello Time, page 11-19 • Configuring the Forwarding-Delay Time for a VLAN, page 11-19 • Configuring the Maximum-Aging Time for a VLAN, page 11-20 • Configuring STP for Use in a Cascaded Stack, page 11-20 Default STP Configuration Table 11-3 shows the default STP configuration.
  • Page 279

    Caution Switches that are not running spanning tree still forward BPDUs that they receive so that the other switches on the VLAN that have a running spanning-tree instance can break loops. Therefore, spanning tree must be running on enough switches to break all the loops in the network;...
  • Page 280: Disabling Stp

    Disabling STP STP is enabled by default on VLAN 1 and on all newly created VLANs up to the spanning-tree limit specified in Table 11-3. Disable STP only if you are sure there are no loops in the network topology. Caution When STP is disabled and loops are present in the topology, excessive traffic and indefinite packet duplication can drastically reduce network performance.
  • Page 281

    These examples show the effect of the spanning-tree vlan vlan-id root command with and without the extended system ID support: • For Catalyst 2950 switches with the extended system ID (Release 12.1(9)EA1 and later), if all network devices in VLAN 20 have the default priority of 32768, entering the spanning-tree vlan 20 root primary command on the switch sets the switch priority to 24576, which causes this switch to become the root switch for VLAN 20.
  • Page 282: Configuring A Secondary Root Switch

    Beginning in privileged EXEC mode, follow these steps to configure a switch to become the root for the specified VLAN: Command Purpose Step 1 configure terminal Enter global configuration mode. Step 2 spanning-tree vlan vlan-id root primary Configure a switch to become the root for the specified VLAN.
  • Page 283: Configuring The Port Priority

    Cisco IOS uses the port priority value when the interface is configured as an access port and uses VLAN port priority values when the interface is configured as a trunk port.
  • Page 284: Configuring The Path Cost

    Command Purpose Step 3 spanning-tree port-priority priority Configure the port priority for an interface that is an access port. For priority, the range is 0 to 255; the default is 128. The lower the number, the higher the priority. Step 4 spanning-tree vlan vlan-id port-priority priority Configure the VLAN port priority for an interface that is a...
  • Page 285

    Command Purpose Step 3 spanning-tree cost cost Configure the cost for an interface that is an access port. If a loop occurs, spanning tree uses the path cost when selecting an interface to place into the forwarding state. A lower path cost represents higher-speed transmission.
  • Page 286: Configuring The Switch Priority Of A Vlan

    Configuring the Switch Priority of a VLAN You can configure the switch priority and make it more likely that the switch will be chosen as the root switch. Note Exercise care when using this command. For most situations, we recommend that you use the spanning-tree vlan vlan-id root primary and the spanning-tree vlan vlan-id root secondary global configuration commands to modify the switch priority.
  • Page 287: Configuring The Hello Time

    Configuring the Hello Time You can configure the interval between the generation of configuration messages by the root switch by changing the hello time. Note Exercise care when using this command. For most situations, we recommend that you use the spanning-tree vlan vlan-id root primary and the spanning-tree vlan vlan-id root secondary global configuration commands to modify the hello time.
  • Page 288: Configuring The Maximum-Aging Time For A Vlan

    To return the switch to its default setting, use the no spanning-tree vlan vlan-id forward-time global configuration command. Configuring the Maximum-Aging Time for a VLAN Beginning in privileged EXEC mode, follow these steps to configure the maximum-aging time for a VLAN: Command Purpose...
  • Page 289: Displaying The Spanning-Tree Status

    [Figure 11-4 Gigabit Ethernet Stack: Catalyst 2950 or 3550 switches, a Cisco 7000 series router, a Layer 3 backbone, and Catalyst 3550 and Catalyst 6000 series switches]...
  • Page 291: Chapter 12 Configuring Rstp And Mstp

    CHAPTER Configuring RSTP and MSTP This chapter describes how to configure the Cisco implementation of the IEEE 802.1W Rapid Spanning Tree Protocol (RSTP) and the IEEE 802.1S Multiple STP (MSTP) on your switch. To use the features described in this chapter, you must have the enhanced software image (EI) installed on your switch.
  • Page 292: Understanding Rstp

    Chapter 12 Configuring RSTP and MSTP Understanding RSTP Understanding RSTP The RSTP takes advantage of point-to-point wiring and provides rapid convergence of the spanning tree. Reconfiguration of the spanning tree can occur in less than 1 second (in contrast to 50 seconds with the default settings in the 802.1D spanning tree), which is critical for networks carrying delay-sensitive traffic such as voice and video.
  • Page 293: Rapid Convergence

    Disabled Disabled Discarding To be consistent with Cisco STP implementations, this guide documents the port state as blocking instead of discarding. Designated ports start in the listening state. Rapid Convergence The RSTP provides for rapid recovery of connectivity following the failure of a switch, a switch port, or a LAN.
  • Page 294: Synchronization Of Port Roles

    [Figure 12-1 Proposal and Agreement Handshaking for Rapid Convergence: Switch A, Switch B, and Switch C exchange proposal and agreement messages between designated ports and root ports; DP = designated port, RP = root port, F = forwarding] Synchronization of Port Roles...
  • Page 295: Bridge Protocol Data Unit Format And Processing

    [Figure 12-2 Sequence of Events During Rapid Convergence: 1. Proposal, 2. Block, 3. Block, 4. Agreement, 5. Forward, 6. Proposal, 7. Proposal, 8. Agreement, 9. Forward, 10. Agreement, 11. Forward; legend: edge port, root port, designated port] Bridge Protocol Data Unit Format and Processing...
  • Page 296: Processing Superior Bpdu Information

    The RSTP does not have a separate topology change notification (TCN) BPDU. It uses the topology change (TC) flag to show the topology changes. However, for interoperability with 802.1D switches, the RSTP switch processes and generates TCN BPDUs. The learning and forwarding flags are set according to the state of the sending port.
  • Page 297: Understanding Mstp

    • Propagation—When an RSTP switch receives a TC message from another switch through a designated or root port, it propagates the topology change to all of its nonedge, edge, designated ports, and root port (excluding the port on which it is received). The switch starts the TC-while timer for all such ports and flushes the information learned on them.
  • Page 298: Ist, Cist, And Cst

    IST, CIST, and CST Unlike PVST+, in which all the spanning-tree instances are independent, the MSTP establishes and maintains two types of spanning trees: • An internal spanning tree (IST), which is the spanning tree that runs in an MST region. Within each MST region, the MSTP maintains multiple spanning-tree instances.
  • Page 299: Operations Between Mst Regions

    Operations Between MST Regions If there are multiple regions or legacy 802.1D switches within the network, MSTP establishes and maintains the CST, which includes all MST regions and all legacy STP switches in the network. The MST instances combine with the IST at the boundary of the region to become the CST.
  • Page 300: Hop Count

    Hop Count The IST and MST instances do not use the message-age and maximum-age information in the configuration BPDU to compute the spanning-tree topology. Instead, they use the path cost to the root and a hop-count mechanism similar to the IP time-to-live (TTL) mechanism.
  • Page 301: Interoperability With 802.1D Stp

    Interoperability with 802.1D STP A switch running both MSTP and RSTP supports a built-in protocol migration mechanism that enables it to interoperate with legacy 802.1D switches. If this switch receives a legacy 802.1D configuration BPDU (a BPDU with the protocol version set to 0), it sends only 802.1D BPDUs on that port.
  • Page 302: Default Rstp And Mstp Configuration

    Default RSTP and MSTP Configuration Table 12-3 shows the default RSTP and MSTP configuration. Table 12-3 Default RSTP and MSTP Configuration Feature Default Setting Spanning-tree mode PVST (MSTP and RSTP are disabled). Switch priority (configurable on a per-CIST interface basis) 32768.
  • Page 303: Specifying The Mst Region Configuration And Enabling Mstp

    Specifying the MST Region Configuration and Enabling MSTP For two or more switches to be in the same MST region, they must have the same VLAN-to-instance mapping, the same configuration revision number, and the same name. A region can have one member or multiple members with the same MST configuration;...
  • Page 304: Configuring The Root Switch

    configuration command. To return to the default revision number, use the no revision MST configuration command. To re-enable PVST, use the no spanning-tree mode or the spanning-tree mode pvst global configuration command.
  • Page 305

    Note The root switch for each spanning-tree instance should be a backbone or distribution switch. Do not configure an access switch as the spanning-tree primary root. Use the diameter keyword, which is available only for MST instance 0, to specify the Layer 2 network diameter (that is, the maximum number of switch hops between any two end stations in the Layer 2 network).
  • Page 306: Configuring A Secondary Root Switch

    Configuring a Secondary Root Switch When you configure a Catalyst 2950 switch that supports the extended system ID as the secondary root, the spanning-tree switch priority is modified from the default value (32768) to 28672. The switch is then likely to become the root switch for the specified instance if the primary root switch fails.
  • Page 307: Configuring The Port Priority

    Configuring the Port Priority If a loop occurs, the MSTP uses the port priority when selecting an interface to put into the forwarding state. You can assign higher priority values (lower numerical values) to interfaces that you want selected first and lower priority values (higher numerical values) to interfaces that you want selected last.
  • Page 308: Configuring The Path Cost

    Configuring the Path Cost The MSTP path cost default value is derived from the media speed of an interface. If a loop occurs, the MSTP uses cost when selecting an interface to put in the forwarding state. You can assign lower cost values to interfaces that you want selected first and higher cost values to interfaces that you want selected last.
  • Page 309: Configuring The Switch Priority

    Configuring the Switch Priority You can configure the switch priority and make it more likely that the switch will be chosen as the root switch. Note Exercise care when using this command. For most situations, we recommend that you use the spanning-tree mst instance-id root primary and the spanning-tree mst instance-id root secondary global configuration commands to modify the switch priority.
  • Page 310: Configuring The Forwarding-Delay Time

    Beginning in privileged EXEC mode, follow these steps to configure the hello time for all MST instances: Command Purpose Step 1 configure terminal Enter global configuration mode. Step 2 spanning-tree mst hello-time seconds Configure the hello time for all MST instances.
  • Page 311: Configuring The Maximum-Aging Time

    Configuring the Maximum-Aging Time Beginning in privileged EXEC mode, follow these steps to configure the maximum-aging time for all MST instances: Command Purpose Step 1 configure terminal Enter global configuration mode. Step 2 spanning-tree mst max-age seconds Configure the maximum-aging time for all MST instances.
  • Page 312: Specifying The Link Type To Ensure Rapid Transitions

    Specifying the Link Type to Ensure Rapid Transitions If you connect a port to another port through a point-to-point link and the local port becomes a designated port, the RSTP negotiates a rapid transition with the other port by using the proposal-agreement handshake to ensure a loop-free topology as described in the “Rapid Convergence”...
  • Page 313: Displaying The Mst Configuration And Status

    Displaying the MST Configuration and Status To display the spanning-tree status, use one or more of the privileged EXEC commands in Table 12-4: Table 12-4 Commands for Displaying MST Status Command Purpose show spanning-tree mst configuration...
  • Page 315

    CHAPTER Configuring Optional Spanning-Tree Features This chapter describes how to configure optional spanning-tree features. You can configure all of these features when your switch is running the per-VLAN spanning-tree (PVST). You can only configure the noted features when your switch is running the Multiple Spanning Tree Protocol (MSTP).
  • Page 316: Understanding Optional Spanning-Tree Features

    Chapter 13 Configuring Optional Spanning-Tree Features Understanding Optional Spanning-Tree Features Understanding Port Fast Port Fast immediately brings an interface configured as an access or trunk port to the forwarding state from a blocking state, bypassing the listening and learning states. You can use Port Fast on ports connected to a single workstation or server, as shown in Figure 13-1, to allow those devices to...
  • Page 317: Understanding Bpdu Guard

    Understanding BPDU Guard The BPDU guard feature can be globally enabled on the switch or can be enabled per interface, but the feature operates with some differences. At the global level, you can enable BPDU guard on Port Fast-enabled ports by using the spanning-tree portfast bpduguard default global configuration command.
  • Page 318: Understanding Uplinkfast

    Understanding UplinkFast Switches in hierarchical networks can be grouped into backbone switches, distribution switches, and access switches. Figure 13-2 shows a complex network where distribution switches and access switches each have at least one redundant link that spanning tree blocks to prevent loops. [Figure 13-2 Switches in a Hierarchical Network: backbone switches, including the root bridge]...
  • Page 319: Understanding Cross-Stack Uplinkfast

    [Figure 13-3 UplinkFast Example Before Direct Link Failure: Switch A (Root), Switch B, and Switch C, with a blocked port on Switch C] If Switch C detects a link failure on the currently active link L2 on the root port (a direct link failure), UplinkFast unblocks the blocked port on Switch C and transitions it to the forwarding state without going through the listening and learning states, as shown in Figure...
  • Page 320: How Csuf Works

    How CSUF Works CSUF ensures that one link in the stack is elected as the path to the root. As shown in Figure 13-5, Switches A, B, and C are cascaded through the GigaStack GBIC to form a multidrop backbone, which communicates control and data traffic across the switches at the access layer.
  • Page 321: Events That Cause Fast Convergence

    The switch sending the fast-transition request needs to do a fast transition to the forwarding state of a port that it has chosen as the root port, and it must obtain an acknowledgement from each stack switch before performing the fast transition.
  • Page 322: Limitations

    Limitations These limitations apply to CSUF: • CSUF uses the GigaStack GBIC and runs on all Catalyst 3550 switches, all Catalyst 3500 XL switches, Catalyst 2950 switches with GBIC module slots, and only on modular Catalyst 2900 XL switches that have the 1000BASE-X module installed.
  • Page 323

    [Figure 13-6 GigaStack GBIC Connections and Spanning-Tree Convergence: GigaStack GBIC connection for fast convergence between Catalyst 3550-12T, Catalyst 3508G XL, Catalyst 3500 XL, Catalyst 2950G-24, and Catalyst 2950 switches]...
  • Page 324: Understanding Backbonefast

    Understanding BackboneFast BackboneFast detects indirect failures in the core of the backbone. BackboneFast is a complementary technology to the UplinkFast feature, which responds to failures on links directly connected to access switches.
  • Page 325

    If link L1 fails as shown in Figure 13-8, Switch C cannot detect this failure because it is not connected directly to link L1. However, because Switch B is directly connected to the root switch over L1, it detects the failure, elects itself the root, and begins sending BPDUs to Switch C, identifying itself as the root.
  • Page 326: Understanding Root Guard

    Understanding Root Guard The Layer 2 network of a service provider (SP) can include many connections to switches that are not owned by the SP. In such a topology, the spanning tree can reconfigure itself and select a customer switch as the root switch, as shown in Figure 13-10.
  • Page 327

    Understanding Loop Guard You can use loop guard to prevent alternate or root ports from becoming designated ports because of a failure that leads to a unidirectional link. This feature is most effective when it is configured on the entire switched network.
  • Page 328: Default Optional Spanning-Tree Configuration

    Default Optional Spanning-Tree Configuration Table 13-1 shows the default optional spanning-tree configuration. Table 13-1 Default Optional Spanning-Tree Configuration Feature Default Setting Port Fast, BPDU filtering, BPDU guard Globally disabled (unless they are individually configured per interface).
  • Page 329: Enabling Bpdu Guard

    Command Purpose Step 4 Return to privileged EXEC mode. Step 5 show spanning-tree interface interface-id portfast Verify your entries. Step 6 copy running-config startup-config (Optional) Save your entries in the configuration file. Note You can use the spanning-tree portfast default global configuration command to globally enable the Port Fast feature on all nontrunking ports.
  • Page 330: Enabling Bpdu Filtering

    Command Purpose Step 6 show running-config Verify your entries. Step 7 copy running-config startup-config (Optional) Save your entries in the configuration file. To disable BPDU guard, use the no spanning-tree portfast bpduguard default global configuration command.
  • Page 331: Enabling Uplinkfast For Use With Redundant Links

    To disable BPDU filtering, use the no spanning-tree portfast bpdufilter default global configuration command. You can override the setting of the no spanning-tree portfast bpdufilter default global configuration command by using the spanning-tree bpdufilter enable interface configuration command. Enabling UplinkFast for Use with Redundant Links UplinkFast cannot be enabled on VLANs that have been configured for switch priority.
  • Page 332: Enabling Cross-Stack Uplinkfast

    Enabling Cross-Stack UplinkFast Before enabling CSUF, make sure your stack switches are properly connected. For more information, see the “Connecting the Stack Ports” section on page 13-8. The CSUF feature is supported only when the switch is running PVST. Beginning in privileged EXEC mode, follow these steps to enable CSUF: Command Purpose...
  • Page 333: Enabling Backbonefast

    Enabling BackboneFast You can enable BackboneFast to detect indirect link failures and to start the spanning-tree reconfiguration sooner. Note If you use BackboneFast, you must enable it on all switches in the network. BackboneFast is not supported on Token Ring VLANs.
  • Page 334: Enabling Loop Guard

    Step 5: show running-config. Verify your entries. Step 6: copy running-config startup-config. (Optional) Save your entries in the configuration file. To disable root guard, use the no spanning-tree guard interface configuration command. Enabling Loop Guard: You can use loop guard to prevent alternate or root ports from becoming designated ports because of a failure that leads to a unidirectional link.
  • Page 335: Displaying The Spanning-Tree Status

    Chapter 13 Configuring Optional Spanning-Tree Features: Displaying the Spanning-Tree Status. To display the spanning-tree status, use one or more of the privileged EXEC commands in Table 13-2 (Commands for Displaying the Spanning-Tree Status): show spanning-tree active displays spanning-tree information on active interfaces only.
  • Page 337: Understanding Vlans

    Chapter 14 Configuring VLANs. This chapter describes how to configure normal-range VLANs (VLAN IDs 1 to 1005) and extended-range VLANs (VLAN IDs 1006 to 4094). It includes information about VLAN modes and the VLAN Membership Policy Server (VMPS). Note: For complete syntax and usage information for the commands used in this chapter, refer to the command reference for this release.
  • Page 338: Chapter 14 Configuring Vlan

    [Figure 14-1 VLANs as Logically Defined Networks: Engineering, Marketing, and Accounting VLANs spanning Floors 1 to 3, connected through a Cisco router over Fast Ethernet] VLANs are often associated with IP subnetworks. For example, all the end stations in a particular IP subnet belong to the same VLAN.
  • Page 339: Vlan Port Membership Modes

    Chapter 14 Configuring VLANs: Understanding VLANs. VLAN Port Membership Modes: You configure a port to belong to a VLAN by assigning a membership mode that determines the kind of traffic the port carries and the number of VLANs to which it can belong. Table 14-1 lists the membership modes and membership and VTP characteristics.
  • Page 340: Configuring Normal-Range Vlans

    Chapter 14 Configuring VLANs: Configuring Normal-Range VLANs. Normal-range VLANs are VLANs with VLAN IDs 1 to 1005. If the switch is in VTP server or transparent mode, you can add, modify, or remove configurations for VLANs 2 to 1001 in the VLAN database.
  • Page 341: Token Ring Vlans

    This section includes information about these topics about normal-range VLANs: Token Ring VLANs, page 14-5; Normal-Range VLAN Configuration Guidelines, page 14-5; VLAN Configuration Mode Options, page 14-6; Saving VLAN Configuration, page 14-7; ...
  • Page 342: Vlan Configuration Mode Options

    • The switch supports 64 spanning-tree instances. If a switch has more active VLANs than supported spanning-tree instances, spanning tree can be enabled on 64 VLANs and is disabled on the remaining VLANs. If you have already used all available spanning-tree instances on a switch, adding another VLAN anywhere in the VTP domain creates a VLAN on that switch that is not running spanning tree.
  • Page 343: Saving Vlan Configuration

    Saving VLAN Configuration: The configurations of VLAN IDs 1 to 1005 are always saved in the VLAN database (vlan.dat file). If VTP mode is transparent, they are also saved in the switch running configuration file, and you can enter the copy running-config startup-config privileged EXEC command to save the configuration in the startup configuration file.
  • Page 344: Default Ethernet Vlan Configuration

    Default Ethernet VLAN Configuration: Table 14-2 shows the default configuration for Ethernet VLANs. Note: The switch supports Ethernet interfaces exclusively. Because FDDI and Token Ring VLANs are not locally supported, you only configure FDDI and Token Ring media-specific characteristics for VTP global advertisements to other switches.
  • Page 345 Beginning in privileged EXEC mode, follow these steps to use config-vlan mode to create or modify an Ethernet VLAN: Step 1: configure terminal. Enter global configuration mode. Step 2: vlan vlan-id. Enter a VLAN ID, and enter config-vlan mode.
  • Page 346: Deleting A Vlan

    Step 4: exit. Update the VLAN database, propagate it throughout the administrative domain, and return to privileged EXEC mode. Step 5: show vlan {name vlan-name | id vlan-id}. Verify your entries. Step 6: copy running-config startup-config. (Optional) If the switch is in VTP transparent mode, the VLAN...
  • Page 347: Assigning Static-Access Ports To A Vlan

    Assigning Static-Access Ports to a VLAN: You can assign a static-access port to a VLAN without having VTP globally propagate VLAN configuration information (VTP is disabled). If you are assigning a port on a cluster member switch to a VLAN, first use the rcommand privileged EXEC command to log in to the member switch.
  • Page 348: Configuring Extended-Range Vlans

    Chapter 14 Configuring VLANs: Configuring Extended-Range VLANs. When the switch is in VTP transparent mode (VTP disabled) and the EI is installed, you can create extended-range VLANs (in the range 1006 to 4094). Extended-range VLANs enable service providers to extend their infrastructure to a greater number of customers.
  • Page 349: Creating An Extended-Range Vlan

    • STP is enabled by default on extended-range VLANs, but you can disable it by using the no spanning-tree vlan vlan-id global configuration command. When the maximum number of spanning-tree instances (64) is on the switch, spanning tree is disabled on any newly created VLANs.
  • Page 350: Displaying Vlans

    Chapter 14 Configuring VLANs: Displaying VLANs. To delete an extended-range VLAN, use the no vlan vlan-id global configuration command. The procedure for assigning static-access ports to an extended-range VLAN is the same as for normal-range VLANs. See the “Assigning Static-Access Ports to a VLAN” section on page 14-11.
  • Page 351: Configuring Vlan Trunks

    Chapter 14 Configuring VLANs: Configuring VLAN Trunks. These sections describe how VLAN trunks function on the switch: Trunking Overview, page 14-15; 802.1Q Configuration Considerations, page 14-16; Default Layer 2 Ethernet Interface VLAN Configuration, page 14-17; ...
  • Page 352: 802.1Q Configuration Considerations

    VLAN allowed on the trunks. Non-Cisco devices might support one spanning-tree instance for all VLANs. When you connect a Cisco switch to a non-Cisco device through an 802.1Q trunk, the Cisco switch combines the spanning-tree instance of the VLAN of the trunk with the spanning-tree instance of the non-Cisco 802.1Q switch.
  • Page 353: Default Layer 2 Ethernet Interface Vlan Configuration

    • Disabling spanning tree on the native VLAN of an 802.1Q trunk without disabling spanning tree on every VLAN in the network can potentially cause spanning-tree loops. We recommend that you leave spanning tree enabled on the native VLAN of an 802.1Q trunk or disable spanning tree on every VLAN in the network.
  • Page 354: Configuring A Trunk Port

    – STP Port Fast setting – Trunk status: if one port in a port group ceases to be a trunk, all ports cease to be trunks. • If you try to enable 802.1X on a trunk port, an error message appears, and 802.1X is not enabled. If you try to change the mode of an 802.1X-enabled port to trunk, the port mode is not changed.
  • Page 355: Defining The Allowed Vlans On A Trunk

    This example shows how to configure the Fast Ethernet interface 0/4 as an 802.1Q trunk. The example assumes that the neighbor interface is configured to support 802.1Q trunking.
    Switch# configure terminal
    Enter configuration commands, one per line. End with CNTL/Z.
  • Page 356: Changing The Pruning-Eligible List

    This example shows how to remove VLAN 2 from the allowed VLAN list:
    Switch(config)# interface fastethernet0/1
    Switch(config-if)# switchport trunk allowed vlan remove 2
    Switch(config-if)# end
    Switch#
    Changing the Pruning-Eligible List: The pruning-eligible list applies only to trunk ports. Each trunk port has its own eligibility list. VTP pruning must be enabled for this procedure to take effect.
  • Page 357: Load Sharing Using Stp

    Beginning in privileged EXEC mode, follow these steps to configure the native VLAN on an 802.1Q trunk: Step 1: configure terminal. Enter global configuration mode. Step 2: interface interface-id. Enter interface configuration mode, and define the interface that is configured as the 802.1Q trunk.
  • Page 358 In this way, Trunk 1 carries traffic for VLANs 8 through 10, and Trunk 2 carries traffic for VLANs 3 through 6. If the active trunk fails, the trunk with the lower priority takes over and carries the traffic for all of the VLANs.
  • Page 359: Load Sharing Using Stp Path Cost

    Step 17: spanning-tree vlan 8 port-priority 10. Assign the port priority of 10 for VLAN 8. Step 18: spanning-tree vlan 9 port-priority 10. Assign the port priority of 10 for VLAN 9. Step 19: spanning-tree vlan 10 port-priority 10. Assign the port priority of 10 for VLAN 10.
  • Page 360: Configuring Vmps

    Chapter 14 Configuring VLANs: Configuring VMPS. Beginning in privileged EXEC mode, follow these steps to configure the network shown in Figure 14-4: Step 1: configure terminal. Enter global configuration mode on Switch 1. Step 2: interface fastethernet 0/1. Enter interface configuration mode, and define Fast Ethernet port 0/1 as the interface to be configured as a trunk.
  • Page 361: Understanding Vmps

    • “Monitoring the VMPS” section on page 14-31 • “Troubleshooting Dynamic Port VLAN Membership” section on page 14-31 • “VMPS Configuration Example” section on page 14-32. Understanding VMPS: When the VMPS receives a VQP request from a client switch, it searches its database for a MAC-address-to-VLAN mapping.
  • Page 362: Vmps Database Configuration File

    If the link goes down on a dynamic port, the port returns to an isolated state and does not belong to a VLAN. Any hosts that come online through the port are checked again through the VQP with the VMPS before the port is assigned to a VLAN.
  • Page 363: Default Vmps Configuration

    ! address <addr> vlan-name <vlan_name>
    address 0012.2233.4455 vlan-name hardware
    address 0000.6509.a080 vlan-name hardware
    address aabb.ccdd.eeff vlan-name Green
    address 1223.5678.9abc vlan-name ExecStaff
    address fedc.ba98.7654 vlan-name --NONE--
    address fedc.ba23.1245 vlan-name Purple
    !Port Groups
    !vmps-port-group <group-name>
    ! device <device-id> { port <port-name> | all-ports }
    vmps-port-group WiringCloset1
    device 198.92.30.32 port 0/2
    device 172.20.26.141 port 0/8
    ...
  • Page 364: Vmps Configuration Guidelines

    VMPS Configuration Guidelines: These guidelines and restrictions apply to dynamic port VLAN membership: • You must configure the VMPS before you configure ports as dynamic. • The communication between a cluster of switches and VMPS is managed by the command switch and includes port-naming conventions that are different from standard port names.
  • Page 365: Configuring Dynamic Access Ports On Vmps Clients

    Beginning in privileged EXEC mode, follow these steps to enter the IP address of the VMPS: Step 1: configure terminal. Enter global configuration mode. Step 2: vmps server ipaddress primary. Enter the IP address of the switch acting as the primary VMPS server. Step 3: vmps server ipaddress. Enter the IP address of the switch acting as a secondary VMPS server.
  • Page 366: Reconfirming Vlan Memberships

    Reconfirming VLAN Memberships: Beginning in privileged EXEC mode, follow these steps to confirm the dynamic port VLAN membership assignments that the switch has received from the VMPS: Step 1: vmps reconfirm. Reconfirm dynamic port VLAN membership. Step 2: show vmps. Verify the dynamic VLAN reconfirmation status.
  • Page 367: Monitoring The Vmps

    To return the switch to its default setting, use the no vmps retry global configuration command. Monitoring the VMPS: You can display information about the VMPS by using the show vmps privileged EXEC command. The switch displays this information about the VMPS: VMPS VQP Version: the version of VQP used to communicate with the VMPS.
  • Page 368: Vmps Configuration Example

    VMPS Configuration Example: Figure 14-5 shows a network with a VMPS server switch and VMPS client switches with dynamic ports. In this example, these assumptions apply: • The VMPS server and the VMPS client are separate switches. • ...
  • Page 369 Chapter 15 Configuring VTP. This chapter describes how to use the VLAN Trunking Protocol (VTP) and the VLAN database for managing VLANs. Note: For complete syntax and usage information for the commands used in this chapter, refer to the command reference for this release.
  • Page 370: Configuring Vtp

    Chapter 15 Configuring VTP: Understanding VTP. The VTP Domain: A VTP domain (also called a VLAN management domain) consists of one switch or several interconnected switches under the same administrative responsibility sharing the same VTP domain name. A switch can be in only one VTP domain. You make global VLAN configuration changes for the domain by using the command-line interface (CLI), Cluster Management Suite (CMS) software, or Simple Network Management Protocol (SNMP).
  • Page 371: Vtp Modes

    VTP Modes: You can configure a supported switch to be in one of the VTP modes listed in Table 15-1 (VTP Modes). VTP server: In VTP server mode, you can create, modify, and delete VLANs and specify other configuration parameters (such as the VTP version) for the entire VTP domain.
  • Page 372: Vtp Version 2

    • MD5 digest VLAN configuration, including maximum transmission unit (MTU) size for each VLAN • Frame format. VTP advertisements distribute this VLAN information for each configured VLAN: • VLAN IDs • VLAN name • VLAN type • ...
  • Page 373 [Figure 15-1 Flooding Traffic without VTP Pruning: Switches 1 through 6 and the ports that carry the flooded VLAN traffic] Figure 15-2 shows a switched network with VTP pruning enabled. The broadcast traffic from Switch 1 is not forwarded to Switches 3, 5, and 6 because traffic for the Red VLAN has been pruned on the links shown (Port 5 on Switch 2 and Port 4 on Switch 4).
  • Page 374: Default Vtp Configuration

    Chapter 15 Configuring VTP Configuring VTP VTP pruning is not designed to function in VTP transparent mode. If one or more switches in the network are in VTP transparent mode, you should do one of these: • Turn off VTP pruning in the entire network. •...
  • Page 375: Vtp Configuration Options

    VTP Configuration Options: You can configure VTP by using these configuration modes: • VTP Configuration in Global Configuration Modes, page 15-7 • VTP Configuration in VLAN Configuration Mode, page 15-7. You access VLAN configuration mode by entering the vlan database privileged EXEC command. For detailed information about vtp commands, refer to the command reference for this release.
  • Page 376: Vtp Configuration Guidelines

    VTP Configuration Guidelines: These sections describe guidelines you should follow when implementing VTP in your network. Domain Names: When configuring VTP for the first time, you must always assign a domain name. You must configure all switches in the VTP domain with the same domain name.
  • Page 377: Vtp Version

    VTP Version: Follow these guidelines when deciding which VTP version to implement: • All switches in a VTP domain must run the same VTP version. • A VTP version 2-capable switch can operate in the same VTP domain as a switch running VTP ...
  • Page 378 Step 4: vtp password password. (Optional) Set the password for the VTP domain. The password can be from 8 to 64 characters. If you configure a VTP password, the VTP domain does not function properly if you do not assign the same password to each switch in the domain.
  • Page 379: Configuring A Vtp Client

    This example shows how to use VLAN configuration mode to configure the switch as a VTP server with the domain name eng_group and the password mypassword:
    Switch# vlan database
    Switch(vlan)# vtp server
    Switch(vlan)# vtp domain eng_group
    Switch(vlan)# vtp password mypassword
    Switch(vlan)# exit
    APPLY completed.
  • Page 380: Disabling Vtp (Vtp Transparent Mode)

    Note: You can also configure a VTP client by using the vlan database privileged EXEC command to enter VLAN configuration mode and entering the vtp client command, similar to the second procedure under the “Configuring a VTP Server” section on page 15-9.
  • Page 381: Enabling Vtp Version 2

    Note: You can also configure VTP transparent mode by using the vlan database privileged EXEC command to enter VLAN configuration mode and by entering the vtp transparent command, similar to the second procedure under the “Configuring a VTP Server”...
  • Page 382: Enabling Vtp Pruning

    Enabling VTP Pruning: Pruning increases available bandwidth by restricting flooded traffic to those trunk links that the traffic must use to access the destination devices. You can only enable VTP pruning on a switch in VTP server mode.
  • Page 383: Adding A Vtp Client Switch To A Vtp Domain

    Adding a VTP Client Switch to a VTP Domain: Before adding a VTP client to a VTP domain, always verify that its VTP configuration revision number is lower than the configuration revision number of the other switches in the VTP domain. Switches in a VTP domain always use the VLAN configuration of the switch with the highest VTP configuration revision number.
  • Page 384: Monitoring Vtp

    Chapter 15 Configuring VTP: Monitoring VTP. You monitor VTP by displaying VTP configuration information: the domain name, the current VTP revision, and the number of VLANs. You can also display statistics about the advertisements sent and received by the switch. Table 15-3 shows the privileged EXEC commands for monitoring VTP activity.
  • Page 385: Chapter 16 Configuring Voice Vlan

    The voice VLAN feature enables access ports to carry IP voice traffic from an IP phone. The switch can connect to a Cisco 7960 IP Phone and carry IP voice traffic. Because the sound quality of an IP phone call can deteriorate if the data is unevenly sent, the switch supports quality of service (QoS) based on IEEE 802.1P class of service (CoS).
  • Page 386: Configuring Voice Vlan

    • Default Voice VLAN Configuration, page 16-2 • Voice VLAN Configuration Guidelines, page 16-3 • Configuring a Port to Connect to a Cisco 7960 IP Phone, page 16-3. Default Voice VLAN Configuration: The voice VLAN feature is disabled by default.
  • Page 387: Voice Vlan Configuration Guidelines

    Configuring a Port to Connect to a Cisco 7960 IP Phone Because a Cisco 7960 IP Phone also supports a connection to a PC or other device, a port connecting the switch to a Cisco 7960 IP Phone can carry mixed traffic.
  • Page 388: Configuring Ports To Carry Voice Traffic In 802.1Q Frames

    Step 3: switchport voice vlan vlan-id. Instruct the Cisco IP phone to forward all voice traffic through the specified VLAN. By default, the Cisco IP phone forwards the voice traffic with an 802.1Q priority of 5. Valid VLAN IDs are from 1 to 4094 when the enhanced software image (EI) is installed and 1 to 1001 when the standard software image is installed.
  • Page 389: Overriding The Cos Priority Of Incoming Data Frames

    Overriding the CoS Priority of Incoming Data Frames You can connect a PC or other data device to a Cisco 7960 IP Phone port. The PC can generate packets with an assigned CoS value. You can configure the switch to override the priority of frames arriving on the IP phone port from connected devices.
  • Page 390: Configuring The Ip Phone To Trust The Cos Priority Of Incoming Data Frames

    Configuring the IP Phone to Trust the CoS Priority of Incoming Data Frames You can connect a PC or other data device to a Cisco 7960 IP Phone port. The PC can generate packets with an assigned CoS value. You can configure the switch to trust the priority of frames arriving on the IP phone port from connected devices.
  • Page 391: Understanding Igmp Snooping

    Note: For complete syntax and usage information for the commands used in this chapter, refer to the switch command reference for this release and the Cisco IOS Release Network Protocols Command Reference, Part 1, for Release 12.1. This chapter consists of these sections: • ...
  • Page 392: Chapter 17 Configuring Igmp Snooping And Mvr

    Chapter 17 Configuring IGMP Snooping and MVR: Understanding IGMP Snooping. ...the switch adds the host port number to the forwarding table entry; when it receives an IGMP Leave Group message from a host, it removes the host port from the table entry. It also periodically deletes entries if it does not receive IGMP membership reports from the multicast clients.
  • Page 393 [Figure 17-1 Initial IGMP Join Message: Router A, an IGMP report for 224.1.2.3, the VLAN, the switching engine and forwarding table, and Hosts 1 through 4] Router A sends a general query to the switch, which forwards the query to ports 2 through 5, all members of the same VLAN.
  • Page 394: Leaving A Multicast Group

    [Figure 17-2 Second Host Joining a Multicast Group: Router A, the VLAN, the switching engine and forwarding table, and Hosts 1 through 4] Table 17-2 Updated IGMP Snooping Forwarding Table (columns: Destination Address, Type of Packet, Ports) ...
  • Page 395: Configuring Igmp Snooping

    Chapter 17 Configuring IGMP Snooping and MVR: Configuring IGMP Snooping. Note: You should use the Immediate-Leave processing feature only on VLANs where a single host is connected to each port. If Immediate Leave is enabled in VLANs where more than one host is connected to a port, some hosts might be inadvertently dropped.
  • Page 396: Setting The Snooping Method

    • Snooping on IGMP queries, Protocol Independent Multicast (PIM) packets, and Distance Vector Multicast Routing Protocol (DVMRP) packets • Listening to Cisco Group Management Protocol (CGMP) packets from other routers • Statically connecting to a multicast router port with the ip igmp snooping mrouter global ...
  • Page 397: Configuring A Multicast Router Port

    Beginning in privileged EXEC mode, follow these steps to alter the method in which a VLAN interface dynamically accesses a multicast router: Step 1: configure terminal. Enter global configuration mode. Step 2: ip igmp snooping vlan vlan-id mrouter. Enable IGMP snooping on a VLAN. The VLAN ID range is 1 to 1005...
  • Page 398: Configuring A Host Statically To Join A Group

    Step 3: Return to privileged EXEC mode. Step 4: show ip igmp snooping mrouter [vlan vlan-id]. Verify that IGMP snooping is enabled on the VLAN interface. Step 5: copy running-config startup-config. (Optional) Save your entries in the configuration file.
  • Page 399: Enabling Igmp Immediate-Leave Processing

    This example shows how to statically configure a host on an interface and verify the configuration:
    Switch# configure terminal
    Switch(config)# ip igmp snooping vlan 1 static 0100.5e00.0203 interface gigabitethernet0/1
    Switch(config)# end
    Switch# show mac address-table multicast vlan 1
    Vlan Mac Address...
  • Page 400 If you disable IP multicast-source-only learning with the ip igmp snooping source-only-learning global configuration command, the switch floods unknown multicast traffic to the VLAN and sends the traffic to the CPU until the traffic becomes known. When the switch receives an IGMP report from a host for a particular multicast group, the switch forwards traffic from this multicast group only to the multicast router ports.
  • Page 401: Displaying Igmp Snooping Information

    Chapter 17 Configuring IGMP Snooping and MVR: Displaying IGMP Snooping Information. You can display IGMP snooping information for dynamically learned and statically configured router ports and VLAN interfaces. You can also display MAC address multicast entries for a VLAN configured for IGMP snooping.
  • Page 402 IGMP snooping immediate-leave is disabled on this Vlan
    IGMP snooping mrouter learn mode is pim-dvmrp on this Vlan
    IGMP snooping is running in IGMP_ONLY mode on this Vlan
    This is an example of output from the show ip igmp snooping privileged EXEC command for a specific VLAN interface:
    Switch# show ip igmp snooping vlan 1
    vlan 1...
  • Page 403: Understanding Multicast Vlan Registration

    Chapter 17 Configuring IGMP Snooping and MVR: Understanding Multicast VLAN Registration. Multicast VLAN Registration (MVR) is designed for applications using wide-scale deployment of multicast traffic across an Ethernet ring-based service provider network (for example, the broadcast of multiple television channels over a service-provider network).
  • Page 404 Enable the Immediate Leave feature only on receiver ports to which a single receiver device is connected. [Figure 17-3 Multicast VLAN Registration Example: the multicast VLAN, a Cisco router, a multicast server, and a Catalyst 3550 switch] ...
  • Page 405: Configuring Mvr

    Chapter 17 Configuring IGMP Snooping and MVR: Configuring MVR. MVR eliminates the need to duplicate television-channel multicast traffic for subscribers in each VLAN. Multicast traffic for all channels is only sent around the VLAN trunk once—only on the multicast VLAN. Although the IGMP leave and join message in the VLAN to which the subscriber port is assigned.
  • Page 406: Mvr Configuration Guidelines And Limitations

    MVR Configuration Guidelines and Limitations: Follow these guidelines when configuring MVR: • Receiver ports cannot be trunk ports. Receiver ports on a switch can be in different VLANs, but should not belong to the multicast VLAN. • ...
  • Page 407: Configuring Mvr Interfaces

    Step 6: mvr mode {dynamic | compatible}. (Optional) Specify the MVR mode of operation: • dynamic—Allows dynamic MVR membership on source ports. • compatible—Is compatible with Catalyst 3500 XL and Catalyst 2900 XL switches and does not support IGMP dynamic joins on source ports.
  • Page 408 Step 4: mvr type {source | receiver}. Configure an MVR port as one of these: • source—Configure uplink ports that receive and send multicast data as source ports. Subscribers cannot be directly connected to source ports. All source ports on a switch belong to the single multicast VLAN.
  • Page 409: Displaying Mvr Information

    Chapter 17 Configuring IGMP Snooping and MVR: Displaying MVR Information. This is an example of output from the show mvr interface privileged EXEC command when the member keyword is included:
    Switch# show mvr interface fastethernet0/2 members
    224.0.1.1 DYNAMIC ACTIVE
    Displaying MVR Information: You can display MVR information for the switch or for a specified interface.
  • Page 410: Configuring Igmp Filtering

    This is an example of output from the show mvr interface privileged EXEC command for a specified interface:
    Switch# show mvr interface fastethernet0/2
    224.0.1.1 DYNAMIC ACTIVE
    This is an example of output from the show mvr interface privileged EXEC command when the members keyword is included:
    Switch# show mvr interface fastethernet0/2 members
    224.0.1.1...
  • Page 411: Default Igmp Filtering Configuration

    Default IGMP Filtering Configuration: Table 17-7 shows the default IGMP filtering configuration. Table 17-7 Default IGMP Filtering Configuration (Feature: Default Setting): IGMP filters: None applied. Maximum number of IGMP groups: No maximum set. IGMP profiles: None defined...
  • Page 412: Applying Igmp Profiles

    Step 6: show ip igmp profile profile number. Verify the profile configuration. Step 7: copy running-config startup-config. (Optional) Save your entries in the configuration file. To delete a profile, use the no ip igmp profile profile number global configuration command. To delete an IP multicast address or range of IP multicast addresses, use the no range ip multicast address IGMP profile configuration command.
  • Page 413: Setting The Maximum Number Of Igmp Groups

    Current configuration : 123 bytes
    interface FastEthernet0/12
    no ip address
    shutdown
    snmp trap link-status
    ip igmp max-groups 25
    ip igmp filter 4
    Setting the Maximum Number of IGMP Groups: You can set the maximum number of IGMP groups that a Layer 2 interface can join by using the ip igmp max-groups interface configuration command.
  • Page 414: Displaying Igmp Filtering Configuration

    Chapter 17 Configuring IGMP Snooping and MVR: Displaying IGMP Filtering Configuration. You can display IGMP profile characteristics, and you can display the IGMP profile and maximum group configuration for all interfaces on the switch or for a specified interface. Use the privileged EXEC commands in Table 17-8 to display IGMP filtering configuration:...
  • Page 415: Configuring Storm Control

    C H A P T E R Configuring Port-Based Traffic Control This chapter describes how to configure the port-based traffic control features on your switch. Note For complete syntax and usage information for the commands used in this chapter, refer to the command reference for this release.
  • Page 416: Default Storm Control Configuration

    Chapter 18 Configuring Port-Based Traffic Control Configuring Storm Control The rising threshold is the percentage of total available bandwidth associated with multicast, broadcast, or unicast traffic before forwarding is blocked. The falling threshold is the percentage of total available bandwidth below which the switch resumes normal forwarding. In general, the higher the level, the less effective the protection against broadcast storms.
  • Page 417: C H A P T E R 18 Configuring Port-Based Traffic Control

    Chapter 18 Configuring Port-Based Traffic Control Configuring Protected Ports Disabling Storm Control Beginning in privileged EXEC mode, follow these steps to disable storm control: Command Purpose Step 1 configure terminal Enter global configuration mode. Step 2 interface interface-id Specify the port to configure, and enter interface configuration mode. Step 3 no storm-control {broadcast | Disable port storm control.
  • Page 418: Configuring Port Security

    Chapter 18 Configuring Port-Based Traffic Control Configuring Port Security Beginning in privileged EXEC mode, follow these steps to define a port as a protected port: Command Purpose Step 1 configure terminal Enter global configuration mode. Step 2 interface interface-id Specify the type and number of the physical interface to configure, for example gigabitethernet0/1, and enter interface configuration mode.
  • Page 419: Understanding Port Security

    Chapter 18 Configuring Port-Based Traffic Control Configuring Port Security Understanding Port Security This section contains information about these topics: • Secure MAC Addresses, page 18-5 • Security Violations, page 18-6 Secure MAC Addresses A secure port can have from 1 to 132 associated secure addresses. After you have set the maximum number of secure MAC addresses on a port, the secure addresses are included in an address table in one of these ways: •...
  • Page 420: Security Violations

    Chapter 18 Configuring Port-Based Traffic Control Configuring Port Security This is an example of text from the running configuration when sticky learning is enabled on an interface:
    <output truncated>
    interface FastEthernet0/2
     switchport mode access
     switchport port-security
     switchport port-security maximum 6
     switchport port-security aging time 5
     switchport port-security aging static
     switchport port-security mac-address sticky...
  • Page 421: Default Port Security Configuration

    • When you enable port security on a voice VLAN port, you must set the maximum allowed secure addresses on the port to at least two. When the port is connected to a Cisco IP phone, the IP phone requires two MAC addresses: one for the access VLAN and the other for the voice VLAN.
  • Page 422 Chapter 18 Configuring Port-Based Traffic Control Configuring Port Security Command Purpose Step 5 switchport port-security maximum (Optional) Set the maximum number of secure MAC addresses for the value interface. The range is 1 to 132; the default is 1. Step 6 switchport port-security violation (Optional) Set the violation mode, the action to be taken when a security {protect | restrict | shutdown}...
  • Page 423 Chapter 18 Configuring Port-Based Traffic Control Configuring Port Security To return the interface to the default condition as not a secure port, use the no switchport port-security interface configuration command. If you enter this command when sticky learning is enabled, the sticky secure addresses remain part of the running configuration but are removed from the address table.
  • Page 424: Enabling And Configuring Port Security Aging

    Chapter 18 Configuring Port-Based Traffic Control Configuring Port Security This example shows how to configure a static secure MAC address and a sticky secure MAC address on Fast Ethernet port 12 and verify the configuration:
    Switch# configure terminal
    Enter configuration commands, one per line. End with CNTL/Z.
  • Page 425 Chapter 18 Configuring Port-Based Traffic Control Configuring Port Security Beginning in privileged EXEC mode, follow these steps to configure port security aging: Command Purpose Step 1 configure terminal Enter global configuration mode. Step 2 interface interface-id Specify the port on which you want to enable port security aging, and enter interface configuration mode.
  • Page 426: Displaying Port-Based Traffic Control Settings

    Chapter 18 Configuring Port-Based Traffic Control Displaying Port-Based Traffic Control Settings Displaying Port-Based Traffic Control Settings The show interfaces interface-id switchport privileged EXEC command displays (among other characteristics) the interface traffic suppression and control configuration. The show interfaces counters privileged EXEC commands display the count of discarded packets. The show storm-control and show port-security privileged EXEC commands display those features.
  • Page 427: Chapter 19 Configuring Udld

    C H A P T E R Configuring UDLD This chapter describes how to configure the UniDirectional Link Detection (UDLD) protocol on your switch. Note For complete syntax and usage information for the commands used in this chapter, refer to the command reference for this release.
  • Page 428 Chapter 19 Configuring UDLD Understanding UDLD UDLD operates by using two mechanisms: • Neighbor database maintenance UDLD learns about other UDLD-capable neighbors by periodically sending a hello packet (also called an advertisement or probe) on every active interface to keep each device informed about its neighbors.
  • Page 429: Default Udld Configuration

    Chapter 19 Configuring UDLD Configuring UDLD Configuring UDLD This section describes how to configure UDLD on your switch. It contains this configuration information: • Default UDLD Configuration, page 19-3 • Enabling UDLD Globally, page 19-4 Enabling UDLD on an Interface, page 19-4 •...
  • Page 430: Enabling Udld Globally

    Chapter 19 Configuring UDLD Configuring UDLD Enabling UDLD Globally Beginning in privileged EXEC mode, follow these steps to enable UDLD in the aggressive or the normal mode and to set the configurable message timer on all fiber-optic interfaces on the switch: Command Purpose Step 1...
  • Page 431: Resetting An Interface Shut Down By Udld

    Chapter 19 Configuring UDLD Configuring UDLD Command Purpose Step 3 udld {aggressive | enable} Specify the UDLD mode of operation: • aggressive—Enables UDLD in aggressive mode on the specified interface. For details on the usage guidelines for the aggressive mode, refer to the command reference guide. •...
  • Page 432: Displaying Udld Status

    Chapter 19 Configuring UDLD Displaying UDLD Status Displaying UDLD Status To display the UDLD status for the specified interface or for all interfaces, use the show udld [interface-id] privileged EXEC command. For detailed information about the fields in the display, refer to the command reference for this release. Catalyst 2950 Desktop Switch Software Configuration Guide 19-6 78-14982-01...
  • Page 433: Chapter 20 Configuring Cdp

    Monitoring and Maintaining CDP, page 20-5 Understanding CDP CDP is a device discovery protocol that runs over Layer 2 (the data link layer) on all Cisco-manufactured devices (routers, bridges, access servers, and switches) and allows network management applications to discover Cisco devices that are neighbors of already known devices. With CDP, network management applications can learn the device type and the Simple Network Management Protocol (SNMP) agent address of neighboring devices running lower-layer, transparent protocols.
  • Page 434: Configuring Cdp

    Chapter 20 Configuring CDP Configuring CDP Configuring CDP These sections include CDP configuration information and procedures: • Default CDP Configuration, page 20-2 Configuring the CDP Characteristics, page 20-2 • Disabling and Enabling CDP, page 20-3 • Disabling and Enabling CDP on an Interface, page 20-4 •...
  • Page 435: Disabling And Enabling Cdp

    Chapter 20 Configuring CDP Configuring CDP Command Purpose Step 6 show cdp Verify configuration by displaying global information about CDP on the device. Step 7 copy running-config startup-config (Optional) Save your entries in the configuration file. Use the no form of the CDP commands to return to the default settings. This example shows how to configure and verify CDP characteristics.
  • Page 436: Disabling And Enabling Cdp On An Interface

    Chapter 20 Configuring CDP Configuring CDP This example shows how to enable CDP if it has been disabled.
    Switch# configure terminal
    Switch(config)# cdp run
    Switch(config)# end
    Disabling and Enabling CDP on an Interface CDP is enabled by default on all supported interfaces to send and receive CDP information. Beginning in privileged EXEC mode, follow these steps to disable CDP on an interface: Command Purpose...
  • Page 437: Monitoring And Maintaining Cdp

    Chapter 20 Configuring CDP Monitoring and Maintaining CDP Monitoring and Maintaining CDP To monitor and maintain CDP on your device, perform one or more of these tasks, beginning in privileged EXEC mode. Command Description clear cdp counters Reset the traffic counters to zero. clear cdp table Delete the CDP table of information about neighbors.
  • Page 439: Chapter 21 Configuring Span And Rspan

    C H A P T E R Configuring SPAN and RSPAN This chapter describes how to configure Switched Port Analyzer (SPAN) and Remote SPAN (RSPAN) on your switch. Note For complete syntax and usage information for the commands used in this chapter, refer to the command reference for this release.
  • Page 440 Chapter 21 Configuring SPAN and RSPAN Understanding SPAN and RSPAN Figure 21-1 Example SPAN Configuration (port 5 traffic mirrored on port 10 to a network analyzer) Only traffic that enters or leaves source ports or traffic that enters source VLANs can be monitored by using SPAN;...
  • Page 441: Span And Rspan Concepts And Terminology

    Chapter 21 Configuring SPAN and RSPAN Understanding SPAN and RSPAN SPAN and RSPAN Concepts and Terminology This section describes concepts and terminology associated with SPAN and RSPAN configuration. SPAN Session A local SPAN session is an association of a destination port with source ports and source VLANs. An RSPAN session is an association of source ports and source VLANs across your network with an RSPAN VLAN.
  • Page 442: Source Port

    Chapter 21 Configuring SPAN and RSPAN Understanding SPAN and RSPAN standard and extended output ACLs for unicast and ingress QoS policing. VLAN maps, ingress QoS policing, and policy-based routing. Switch congestion that causes packets to be dropped also has no effect on SPAN. Transmit (Tx) SPAN—The goal of transmit (or egress) SPAN is to monitor as much as possible all •...
  • Page 443: Destination Port

    Chapter 21 Configuring SPAN and RSPAN Understanding SPAN and RSPAN Destination Port Each local SPAN session or RSPAN destination session must have a destination port (also called a monitoring port) that receives a copy of traffic from the source ports and VLANs. The destination port has these characteristics: It must reside on the same switch as the source port (for a local SPAN session).
  • Page 444: Vlan-Based Span

    You can use local SPAN to monitor all network traffic, including multicast and bridge protocol data unit (BPDU) packets, and Cisco Discovery Protocol (CDP), VLAN Trunk Protocol (VTP), Dynamic Trunking Protocol (DTP), Spanning Tree Protocol (STP), and Port Aggregation Protocol (PagP) packets.
  • Page 445: Span And Rspan Interaction With Other Features

    SPAN or RSPAN session is disabled. On a source port, SPAN does not affect the STP status. STP can be active on trunk ports carrying an RSPAN VLAN. Cisco Discovery Protocol (CDP)—A SPAN destination port does not participate in CDP while the •...
  • Page 446: Span And Rspan Session Limits

    Chapter 21 Configuring SPAN and RSPAN Configuring SPAN SPAN and RSPAN Session Limits You can configure (and store in NVRAM) a maximum of two SPAN or RSPAN sessions on each switch. You can divide the two sessions between SPAN, RSPAN source, and RSPAN destination sessions. You can configure multiple source ports or source VLANs for each session.
  • Page 447: Creating A Span Session And Specifying Ports To Monitor

    Chapter 21 Configuring SPAN and RSPAN Configuring SPAN • When you configure a switch port as a SPAN destination port, it is no longer a normal switch port; only monitored traffic passes through the SPAN destination port. • A trunk port can be a source port or a destination port. Outgoing packets through the SPAN destination port carry the configured encapsulation headers—either Inter-Switch Link (ISL) or IEEE 802.1Q.
  • Page 448 Chapter 21 Configuring SPAN and RSPAN Configuring SPAN Command Purpose Step 3 monitor session session_number source Specify the SPAN session and the source port (monitored port). interface interface-id [, | -] [both | rx | tx] For session_number, specify 1 or 2. For interface-id, specify the source port to monitor.
  • Page 449: Removing Ports From A Span Session

    Chapter 21 Configuring SPAN and RSPAN Configuring SPAN Removing Ports from a SPAN Session Beginning in privileged EXEC mode, follow these steps to remove a port as a SPAN source for a session: Command Purpose Step 1 configure terminal Enter global configuration mode. Step 2 no monitor session session_number source Specify the characteristics of the source port (monitored port) and...
  • Page 450: Specifying Vlans To Monitor

    Chapter 21 Configuring SPAN and RSPAN Configuring SPAN Specifying VLANs to Monitor VLAN monitoring is similar to port monitoring. Beginning in privileged EXEC mode, follow these steps to specify VLANs to monitor: Command Purpose Step 1 configure terminal Enter global configuration mode. Step 2 no monitor session {session_number | all Clear any existing SPAN configuration for the session.
  • Page 451: Specifying Vlans To Filter

    Chapter 21 Configuring SPAN and RSPAN Configuring SPAN Specifying VLANs to Filter Beginning in privileged EXEC mode, follow these steps to limit SPAN source traffic to specific VLANs: Command Purpose Step 1 configure terminal Enter global configuration mode. Step 2 no monitor session {session_number | all | Clear any existing SPAN configuration for the session.
  • Page 452: Configuring Rspan

    Chapter 21 Configuring SPAN and RSPAN Configuring RSPAN Configuring RSPAN This section describes how to configure RSPAN on your switch. It contains this configuration information: • RSPAN Configuration Guidelines, page 21-14 • Creating an RSPAN Session, page 21-15 Creating an RSPAN Destination Session, page 21-16 •...
  • Page 453: Creating An Rspan Session

    Chapter 21 Configuring SPAN and RSPAN Configuring RSPAN • You should create an RSPAN VLAN before configuring an RSPAN source or destination session. • If you enable VTP and VTP pruning, RSPAN traffic is pruned in the trunks to prevent the unwanted flooding of RSPAN traffic across the network for VLAN-IDs that are lower than 1005.
  • Page 454: Creating An Rspan Destination Session

    Chapter 21 Configuring SPAN and RSPAN Configuring RSPAN Command Purpose Step 6 show monitor [session session_number] Verify your entries. Step 7 copy running-config startup-config (Optional) Save your entries in the configuration file. This example shows how to clear any existing RSPAN configuration for session 1, configure RSPAN session 1 to monitor multiple source interfaces, and configure the destination RSPAN VLAN and the reflector-port.
  • Page 455: Removing Ports From An Rspan Session

    Chapter 21 Configuring SPAN and RSPAN Configuring RSPAN Removing Ports from an RSPAN Session Beginning in privileged EXEC mode, follow these steps to remove a port as an RSPAN source for a session: Command Purpose Step 1 configure terminal Enter global configuration mode. Step 2 no monitor session session_number source Specify the characteristics of the RSPAN source port (monitored...
  • Page 456: Specifying Vlans To Monitor

    Chapter 21 Configuring SPAN and RSPAN Configuring RSPAN Specifying VLANs to Monitor VLAN monitoring is similar to port monitoring. Beginning in privileged EXEC mode, follow these steps to specify VLANs to monitor: Command Purpose Step 1 configure terminal Enter global configuration mode. Step 2 no monitor session {session_number | all Clear any existing SPAN configuration for the session.
  • Page 457: Specifying Vlans To Filter

    Chapter 21 Configuring SPAN and RSPAN Configuring RSPAN Specifying VLANs to Filter Beginning in privileged EXEC mode, follow these steps to limit RSPAN source traffic to specific VLANs: Command Purpose Step 1 configure terminal Enter global configuration mode. Step 2 no monitor session {session_number | all | Clear any existing SPAN configuration for the session.
  • Page 458: Displaying Span And Rspan Status

    Chapter 21 Configuring SPAN and RSPAN Displaying SPAN and RSPAN Status Displaying SPAN and RSPAN Status To display the status of the current SPAN or RSPAN configuration, use the show monitor privileged EXEC command. This is an example of output for the show monitor privileged EXEC command for RSPAN source session 1: Switch# show monitor session 1 Session 1...
  • Page 459: Chapter 22 Configuring Rmon

    RMON-compliant console systems and network probes. RMON provides you with comprehensive network-fault diagnosis, planning, and performance-tuning information. Note For complete syntax and usage information for the commands used in this chapter, refer to the Cisco IOS Configuration Fundamentals Command Reference for Release 12.1. This chapter consists of these sections: •...
  • Page 460: Configuring Rmon

    Chapter 22 Configuring RMON Configuring RMON Figure 22-1 Remote Monitoring Example (a network management station with a generic RMON console application, Catalyst 3550 switches with RMON alarms and events configured, SNMP configured, and RMON history and statistic collection enabled, a Catalyst 2950 switch, and workstations)...
  • Page 461: Default Rmon Configuration

    Chapter 22 Configuring RMON Configuring RMON Note RMON configuration, status, and display for remote CPE FE interfaces is supported through SNMP only by using the RMON-MIB. Default RMON Configuration RMON is disabled by default; no alarms or events are configured. Only RMON 1 is supported on the switch.
  • Page 462 Chapter 22 Configuring RMON Configuring RMON Command Purpose Step 3 rmon event number [description string] [log] [owner string] Add an event in the RMON event table that is [trap community] associated with an RMON event number. • For number, assign an event number. The range is 1 to 65535.
  • Page 463: Configuring Rmon Collection On An Interface

    Chapter 22 Configuring RMON Configuring RMON Configuring RMON Collection on an Interface You must first configure RMON alarms and events to display collection information. Beginning in privileged EXEC mode, follow these steps to collect group history statistics on an interface: Command Purpose Step 1...
  • Page 464: Displaying Rmon Status

    Displays the RMON history table. show rmon statistics Displays the RMON statistics table. For information about the fields in these displays, refer to the Cisco IOS Configuration Fundamentals Command Reference for Release 12.1.
  • Page 465: Chapter 23 Configuring System Message Logging

    Configuring System Message Logging This chapter describes how to configure system message logging on your switch. Note For complete syntax and usage information for the commands used in this chapter, refer to the Cisco IOS Configuration Fundamentals Command Reference for Release 12.1.
  • Page 466: Configuring System Message Logging

    Chapter 23 Configuring System Message Logging Configuring System Message Logging Configuring System Message Logging These sections describe how to configure system message logging: • System Log Message Format, page 23-2 Default System Message Logging Configuration, page 23-3 • Disabling and Enabling Message Logging, page 23-4 •...
  • Page 467: Default System Message Logging Configuration

    Chapter 23 Configuring System Message Logging Configuring System Message Logging
    Table 23-1 System Log Message Elements (continued)
    Element: Description
    MNEMONIC: Text string that uniquely describes the message.
    description: Text string containing detailed information about the event being reported.
    This example shows a partial switch system message:
    00:00:46: %LINK-3-UPDOWN: Interface Port-channel1, changed state to up
    00:00:47: %LINK-3-UPDOWN: Interface GigabitEthernet0/1, changed state to up
    00:00:47: %LINK-3-UPDOWN: Interface GigabitEthernet0/2, changed state to up...
  • Page 468: Disabling And Enabling Message Logging

    Chapter 23 Configuring System Message Logging Configuring System Message Logging Disabling and Enabling Message Logging Message logging is enabled by default. It must be enabled to send messages to any destination other than the console. When enabled, log messages are sent to a logging process, which logs messages to designated locations asynchronously to the processes that generated the messages.
  • Page 469 Chapter 23 Configuring System Message Logging Configuring System Message Logging Command Purpose Step 3 logging host Log messages to a UNIX syslog server host. For host, specify the name or IP address of the host to be used as the syslog server.
  • Page 470: Synchronizing Log Messages

    Chapter 23 Configuring System Message Logging Configuring System Message Logging Synchronizing Log Messages You can configure the system to synchronize unsolicited messages and debug privileged EXEC command output with solicited device output and prompts for a specific console port line or virtual terminal line.
  • Page 471: Enabling And Disabling Timestamps On Log Messages

    Chapter 23 Configuring System Message Logging Configuring System Message Logging Command Purpose Step 5 show running-config Verify your entries. Step 6 copy running-config startup-config (Optional) Save your entries in the configuration file. To disable synchronization of unsolicited messages and debug output, use the no logging synchronous [level severity-level | all] [limit number-of-buffers] line configuration command.
  • Page 472: Enabling And Disabling Sequence Numbers In Log Messages

    Chapter 23 Configuring System Message Logging Configuring System Message Logging Enabling and Disabling Sequence Numbers in Log Messages Because there is a chance that more than one log message can have the same timestamp, you can display messages with sequence numbers so that you can unambiguously refer to a single message. By default, sequence numbers in log messages are not displayed.
  • Page 473 Chapter 23 Configuring System Message Logging Configuring System Message Logging Command Purpose Step 6 show running-config Verify your entries. show logging Step 7 copy running-config startup-config (Optional) Save your entries in the configuration file. Note Specifying a level causes messages at that level and numerically lower levels to be displayed at the destination.
  • Page 474: Limiting Syslog Messages Sent To The History Table And To Snmp

    Chapter 23 Configuring System Message Logging Configuring System Message Logging Limiting Syslog Messages Sent to the History Table and to SNMP If you enabled syslog message traps to be sent to an SNMP network management station by using the snmp-server enable trap global configuration command, you can change the level of messages sent and stored in the switch history table.
  • Page 475: Logging Messages To A Unix Syslog Daemon

    Step 1 Add a line such as the following to the file /etc/syslog.conf:
    local7.debug /usr/adm/logs/cisco.log
    The local7 keyword specifies the logging facility to be used; see Table 23-4 on page 23-12 for information on the facilities. The debug keyword specifies the syslog level; see Table 23-3 on page 23-9 for information on the severity levels.
  • Page 476: Displaying The Logging Configuration

    Displaying the Logging Configuration To display the logging configuration and the contents of the log buffer, use the show logging privileged EXEC command. For information about the fields in this display, refer to the Cisco IOS Configuration Fundamentals Command Reference for Release 12.1.
  • Page 477: Chapter 24 Configuring Snmp

    Note For complete syntax and usage information for the commands used in this chapter, refer to the switch command reference for this release and to the Cisco IOS Configuration Fundamentals Command Reference for Release 12.1. This chapter consists of these sections: Understanding SNMP, page 24-1 •...
  • Page 478: Snmp Versions

    Chapter 24 Configuring SNMP Understanding SNMP • Using SNMP to Access MIB Variables, page 24-4 • SNMP Notifications, page 24-5 SNMP Versions This software release supports these SNMP versions: SNMPv1—The Simple Network Management Protocol, a Full Internet Standard, defined in •...
  • Page 479: Snmp Manager Functions

    Chapter 24 Configuring SNMP Understanding SNMP
    Table 24-1 SNMP Security Models and Levels
    Model | Level | Authentication | Encryption | Result
    SNMPv1 | noAuthNoPriv | Community string | No | Uses a community string match for authentication.
    SNMPv2C | noAuthNoPriv | Community string | No | Uses a community string match for authentication.
    SNMPv3 | noAuthNoPriv | Username | ...
  • Page 480: Snmp Community Strings

    Chapter 24 Configuring SNMP Understanding SNMP SNMP Community Strings SNMP community strings authenticate access to MIB objects and function as embedded passwords. In order for the NMS to access the switch, the community string definitions on the NMS must match at least one of the three community string definitions on the switch.
  • Page 481: Snmp Notifications

    Chapter 24 Configuring SNMP Configuring SNMP SNMP Notifications SNMP allows the switch to send notifications to SNMP managers when particular events occur. SNMP notifications can be sent as traps or inform requests. In command syntax, unless there is an option in the command to select either traps or informs, the keyword traps refers to either traps or informs, or both.
  • Page 482: Default Snmp Configuration

    Modifying the group's notify view affects all users associated with that group. Refer to the Cisco IOS Configuration Fundamentals Command Reference for Release 12.1 for information about when you should configure notify views.
  • Page 483: Disabling The Snmp Agent

    Chapter 24 Configuring SNMP Configuring SNMP Disabling the SNMP Agent Beginning in privileged EXEC mode, follow these steps to disable the SNMP agent: Command Purpose Step 1 configure terminal Enter global configuration mode. Step 2 no snmp-server Disable the SNMP agent operation. Step 3 Return to privileged EXEC mode.
  • Page 484: Configuring Snmp Groups And Users

    Chapter 24 Configuring SNMP Configuring SNMP Command Purpose Step 3 access-list access-list-number {deny | (Optional) If you specified an IP standard access list number in permit} source [source-wildcard] Step 2, then create the list, repeating the command as many times as necessary.
  • Page 485 Chapter 24 Configuring SNMP Configuring SNMP Beginning in privileged EXEC mode, follow these steps to configure SNMP on the switch: Command Purpose Step 1 configure terminal Enter global configuration mode. Step 2 snmp-server engineID {local engineid-string Configure a name for either the local or remote copy of SNMP. | remote ip-address [udp-port port-number] •...
  • Page 486: Configuring Snmp Notifications

    Chapter 24 Configuring SNMP Configuring SNMP Command Purpose Step 4 snmp-server user username groupname Configure a new user to an SNMP group. [remote host [udp-port port]] {v1 | v2c | v3 • The username is the name of the user on the host that connects [auth {md5 | sha} auth-password]} to the agent.
  • Page 487 Generates a trap for SNMP-type notifications. syslog Generates a trap for SNMP syslog notifications. Sends Cisco enterprise-specific notifications when a Transmission Control Protocol (TCP) connection closes. udp-port Sends notification of the User Datagram Protocol (UDP) port number of the host.
  • Page 488 Chapter 24 Configuring SNMP Configuring SNMP Command Purpose Step 5 snmp-server host host-addr Specify the recipient of an SNMP trap operation. [traps | informs] [version {1 | 2c | 3 • For host-addr, specify the name or Internet address of the host (the [auth | noauth | priv]}] targeted recipient).
  • Page 489: Setting The Agent Contact And Location Information

    Chapter 24 Configuring SNMP Configuring SNMP Setting the Agent Contact and Location Information Beginning in privileged EXEC mode, follow these steps to set the system contact and location of the SNMP agent so that these descriptions can be accessed through the configuration file: Command Purpose Step 1...
  • Page 490: Snmp Examples

    Switch(config)# snmp-server enable traps entity
    Switch(config)# snmp-server host cisco.com restricted entity
    This example shows how to enable the switch to send all traps to the host myhost.cisco.com using the community string public:
    Switch(config)# snmp-server enable traps
    Switch(config)# snmp-server host myhost.cisco.com public...
  • Page 491: Displaying Snmp Status

    EXEC commands in Table 24-5 to display SNMP information. For information about the fields in the output displays, refer to the Cisco IOS Configuration Fundamentals Command Reference for Release 12.1. Table 24-5 Commands for Displaying SNMP Information Feature...
  • Page 493: Chapter 25 Configuring Network Security With Acls

    For complete syntax and usage information for the commands used in this chapter, refer to the command reference for this release and the “Configuring IP Services” section of the Cisco IOS IP and IP Routing Configuration Guide and the Command Reference for IOS Release 12.1.
  • Page 494: Understanding Acls

    Chapter 25 Configuring Network Security with ACLs Understanding ACLs Understanding ACLs Packet filtering can limit network traffic and restrict network use by certain users or devices. ACLs can filter traffic as it passes through a switch and permit or deny packets at specified interfaces. An ACL is a sequential collection of permit and deny conditions that apply to packets.
  • Page 495: Handling Fragmented And Unfragmented Traffic

    Chapter 25 Configuring Network Security with ACLs Understanding ACLs Figure 25-1 Using ACLs to Control Traffic to a Network (Host A and Host B on a Catalyst 2950 switch between the Human Resources network and the Research & Development network; an ACL denying traffic from Host B and permitting traffic from Host A) Handling Fragmented and Unfragmented Traffic...
  • Page 496: Understanding Access Control Parameters

    Chapter 25 Configuring Network Security with ACLs Understanding ACLs • Packet A is a TCP packet from host 10.2.2.2, port 65000, going to host 10.1.1.1 on the SMTP port. If this packet is fragmented, the first fragment matches the first ACE (a permit), as if it were a complete packet because all Layer 4 information is present.
  • Page 497 All other combinations of system-defined and user-defined masks are allowed in security ACLs. The switch ACL configuration is consistent with other Cisco Catalyst switches. However, there are significant restrictions for configuring ACLs on the switches. Only four user-defined masks can be defined for the entire system. These can be used for either security or quality of service (QoS) but cannot be shared by QoS and security.
  • Page 498: Guidelines For Applying Acls To Physical Interfaces

    “Creating MAC Access Groups” section on page 25-19 Configuring ACLs on a Layer 2 interface is the same as configuring ACLs on Cisco routers. The process is briefly described here. For more detailed information about configuring router ACLs, refer to the “Configuring IP Services”...
  • Page 499: Unsupported Features

    Unsupported Features: The switch does not support these IOS router ACL-related features: • Non-IP protocol ACLs (see Table 25-2 on page 25-8) • Bridge-group ACLs • IP accounting ACL support on the outbound direction •...
  • Page 500: Acl Numbers

    ACL Numbers: The number you use to denote your ACL shows the type of access list that you are creating. Table 25-2 lists the access list numbers and the corresponding types and shows whether or not each is supported by the switch.
  • Page 501: Creating A Numbered Standard Acl

    Note: For information about creating ACLs to apply to a management interface, refer to the “Configuring IP Services” section of the Cisco IOS IP and IP Routing Configuration Guide and the Command Reference for IOS Release 12.1. You can apply these ACLs only to a management interface.
  • Page 502: Creating A Numbered Extended Acl

    1. X in a protocol column means support for the filtering parameter. 2. No support for type of service (ToS) minimize monetary cost bit. For more details about the specific keywords relative to each protocol, refer to the Cisco IP and IP Routing Command Reference for IOS Release 12.1.
  • Page 503 For information about creating ACLs to apply to management interfaces, refer to the “Configuring IP Services” section of the Cisco IOS IP and IP Routing Configuration Guide and the Command Reference for IOS Release 12.1. You can apply these ACLs only to a management interface or to traffic destined for the switch CPU, such as SNMP, Telnet, or web management traffic.
  • Page 504 Beginning in privileged EXEC mode, follow these steps to create an extended ACL: Step 1: configure terminal (enter global configuration mode). Step 2: access-list access-list-number {deny | permit | remark} protocol (define an extended IP access list and the access conditions; the access-list-number is a decimal number from 100 to 199 or 2000 to 2699).
  • Page 505: Creating Named Standard And Extended Acls

    Use the no access-list access-list-number global configuration command to delete the entire access list. You cannot delete individual ACEs from numbered access lists. This example shows how to create and display an extended access list that denies Telnet access from any host in network 171.69.198.0 to any host in network 172.20.52.0 and permits everything else.
  • Page 506 Beginning in privileged EXEC mode, follow these steps to create a standard named access list: Step 1: configure terminal (enter global configuration mode). Step 2: ip access-list standard {name | access-list-number} (define a standard IP access list by using a name, and enter access-list configuration mode).
  • Page 507: Applying Time Ranges To Acls

    Step 5: show access-lists [number | name] (show the access list configuration). Step 6: copy running-config startup-config (optional; save your entries in the configuration file). When you create a standard or extended ACL, remember that every ACL ends with an implicit deny of all traffic that did not match an earlier entry.
  • Page 508 Step 3: absolute [start time date] [end time date] (specify when the function it is applied to is operational). Use some combination of these commands; multiple periodic statements are allowed;...
  • Page 509: Including Comments About Entries In Acls

    deny tcp any any time-range new_year_day_2000 (inactive)
    deny tcp any any time-range thanksgiving_2000 (active)
    deny tcp any any time-range christmas_2000 (inactive)
    permit tcp any any time-range workhours (inactive)
    This example uses named ACLs to permit and deny the same traffic.
    Switch(config)# ip access-list extended deny_access
    Switch(config-ext-nacl)# deny tcp any any time-range new_year_day_2000
    Switch(config-ext-nacl)# deny tcp any any time-range thanksgiving_2000...
  • Page 510: Creating Named Mac Extended Acls

    In this example, the Jones subnet is not allowed to use outbound Telnet:
    Switch(config)# ip access-list extended telnetting
    Switch(config-ext-nacl)# remark Do not allow Jones subnet to telnet out
    Switch(config-ext-nacl)# deny tcp host 171.69.2.88 any eq telnet
    Creating Named MAC Extended ACLs: You can filter Layer 2 traffic on a physical Layer 2 interface by using MAC addresses and named MAC extended ACLs.
  • Page 511: Creating Mac Access Groups

    This example shows how to create and display an access list named mac1, denying only EtherType DECnet Phase IV traffic but permitting all other types of traffic.
    Switch(config)# mac access-list extended mac1
    Switch(config-ext-macl)# deny any any decnet-iv
    Switch(config-ext-macl)# permit any any
    Switch(config-ext-macl)# end...
  • Page 512: Applying Acls To Terminal Lines Or Physical Interfaces

    You can apply ACLs to any management interface. For information on creating ACLs on management interfaces, refer to the “Configuring IP Services” section of the Cisco IOS IP and IP Routing Configuration Guide and the Command Reference for IOS Release 12.1.
  • Page 513: Applying Acls To A Physical Interface

    Applying ACLs to a Physical Interface: Beginning in privileged EXEC mode, follow these steps to control access to a Layer 2 interface: Step 1: configure terminal (enter global configuration mode). Step 2: interface interface-id (identify a specific interface for configuration and enter interface...
  • Page 514: Displaying Acls

    Displaying ACLs: You can display existing ACLs by using show commands. Beginning in privileged EXEC mode, follow these steps to display access lists: Step 1: show access-lists [number | name] (show information about all IP and MAC address access lists or about a specific access list, numbered or named).
  • Page 515: Displaying Access Groups

    Services” chapter of the Cisco IOS IP and IP Routing Configuration Guide for IOS Release 12.1. Figure 25-2 shows a small networked office with a stack of switches that are connected to a Cisco router. A host is connected to the network through the Internet using a WAN link.
  • Page 516 Create an extended ACL, and filter traffic to deny HTTP access to all Internet hosts but allow all other types of access. Figure 25-2 Using Switch ACLs to Control Traffic (figure: workstations on Catalyst 2950 switches connected through a Cisco router to the Internet). This example uses a standard ACL to allow access to a specific Internet host with the address 172.20.128.64.
  • Page 517: Numbered Acl Examples

    Numbered ACL Examples: This example shows that the switch accepts packets from subnets of network 36.0.0.0 and denies all packets coming from subnets of 56.0.0.0. The ACL is then applied to packets entering Gigabit Ethernet interface 0/1.
  • Page 518 In this example of a numbered ACL, the Winter and Smith workstations are not allowed to browse the web (an extended ACE must name the protocol, so tcp is required before the host keyword):
    Switch(config)# access-list 100 remark Do not allow Winter to browse the web
    Switch(config)# access-list 100 deny tcp host 171.69.3.85 any eq www
    Switch(config)# access-list 100 remark Do not allow Smith to browse the web
    Switch(config)# access-list 100 deny tcp host 171.69.3.13 any eq www...
  • Page 519: Chapter 26 Configuring Qos

    Configuring QoS: This chapter describes how to configure quality of service (QoS) by using QoS commands. With QoS, you can provide preferential treatment to certain types of traffic at the expense of others. Without QoS, the switch offers best-effort service to each packet, regardless of the packet contents or size.
  • Page 520: Understanding Qos

    • Video wizard—Gives traffic that originates from specified video servers a higher priority than the priority of data traffic. The wizard assumes that the video servers are connected to a single device in the cluster. Refer to the video wizard online help for procedures about using this wizard. This chapter consists of these sections: •...
  • Page 521: Basic Qos Model

    Figure 26-1 QoS Classification Layers in Frames and Packets (figure: an encapsulated packet consists of a Layer 2 header, an IP header and data; the Layer 2 802.1Q/p frame header carries 3 bits used for CoS (user priority); the Layer 3 IPv4 packet header carries the version, length, offset, TTL, protocol, IP-SA, IP-DA, data and FCS fields)...
  • Page 522: Classification

    • Marking evaluates the policer and configuration information for the action to be taken when a packet is out of profile and decides what to do with the packet (pass the packet through without modification, mark down the DSCP value in the packet, or drop the packet).
  • Page 523: Classification Based On Qos Acls

    The trust DSCP configuration is meaningless for non-IP traffic. If you configure a port with this option and non-IP traffic is received, the switch assigns the default port CoS value and classifies traffic based on the CoS value. For IP traffic, you have these classification options: •...
  • Page 524: Classification Based On Class Maps And Policy Maps

    Classification Based on Class Maps and Policy Maps: A class map is a mechanism that you use to isolate and name a specific traffic flow (or class) from all other traffic. The class map defines the criteria used to match against a specific traffic flow to further classify it;...
  • Page 525: Mapping Tables

    • Only one policer can be applied to a packet in the input direction. • Only the average rate and committed burst parameters are configurable. • Policing occurs on the ingress interfaces: 60 policers are supported on ingress Gigabit-capable Ethernet ports; 6 policers are supported on ingress 10/100 Ethernet ports.
  • Page 526: Port Priority

    Port Priority: Frames received from users in the administratively defined VLANs are classified or tagged for transmission to other devices. Based on rules that you define, a unique identifier (the tag) is inserted in each frame header before it is forwarded. The tag is examined and understood by each device before any broadcasts or transmissions to other switches, routers, or end stations.
  • Page 527: Configuring Qos

    Configuring QoS: Before configuring QoS, you must have a thorough understanding of these items: • The types of applications used and the traffic patterns on your network. • Traffic characteristics and needs of your network. Is the traffic bursty? Do you need to reserve...
  • Page 528: Configuration Guidelines

    Configuration Guidelines. Note: These guidelines are applicable only if your switch is running the EI. Before beginning the QoS configuration, you should be aware of this information: • If you have EtherChannel ports configured on your switch, you must configure QoS classification, policing, mapping, and queueing on the individual physical ports that comprise the EtherChannel.
  • Page 529 Note: Both the EI and SI support this feature. Configuring the Trust State on Ports within the QoS Domain: Packets entering a QoS domain are classified at the edge of the QoS domain. Because the packets are classified at the edge, a switch port within the QoS domain can be configured to one of the trusted states; there is no need to classify the packets again at every switch within the QoS domain.
  • Page 530 Beginning in privileged EXEC mode, follow these steps to configure the port to trust the classification of the traffic that it receives: Step 1: configure terminal (enter global configuration mode). Step 2: interface interface-id (enter interface configuration mode, and specify the interface to be trusted).
  • Page 531: Configuring The Cos Value For An Interface

    802.1Q header. The header contains the VLAN information and the CoS 3-bit field, which determines the priority of the packet. For most Cisco IP phone configurations, the traffic sent from the telephone to the switch is trusted to ensure that voice traffic is properly prioritized over other types of traffic in the network.
  • Page 532 When you enter the no mls qos trust interface configuration command, trusted boundary is not disabled. If this command is entered and the port is connected to a Cisco IP phone, the port does not trust the classification of traffic that it receives. To disable trusted boundary, use the no mls qos trust device...
  • Page 533: Enabling Pass-Through Mode

    Table 26-2 Port Configurations When Trusted Boundary Is Enabled (columns: Port Configuration | When a Cisco IP Phone is Present | When a Cisco IP Phone is Absent). First row: The port trusts the CoS value | The packet CoS value is trusted. | ...
  • Page 534: Configuring A Qos Policy

    Configuring a QoS Policy. Note: This feature is available only if your switch is running the EI. Configuring a QoS policy typically requires classifying traffic into classes, configuring policies applied to those traffic classes, and attaching policies to interfaces. For background information, see the “Classification”...
  • Page 535 Step 3: end (return to privileged EXEC mode). Step 4: show access-lists (verify your entries). Step 5: copy running-config startup-config (optional; save your entries in the configuration file). For more information about creating IP standard ACLs, see the “Guidelines for Applying ACLs to Physical Interfaces”...
  • Page 536 Beginning in privileged EXEC mode, follow these steps to create an IP extended ACL for IP traffic: Step 1: configure terminal (enter global configuration mode). Step 2: access-list access-list-number {permit | remark} protocol (create an IP extended ACL, repeating the command as many times as necessary).
  • Page 537 Step 4: show access-lists (verify your entries). Step 5: copy running-config startup-config (optional; save your entries in the configuration file). For more information about creating IP extended ACLs, see the “Guidelines for Applying ACLs to Physical Interfaces”...
  • Page 538 This example shows how to create a Layer 2 MAC ACL with a permit statement. The statement allows traffic from the host with MAC address 0001.0000.0001 to the host with MAC address 0002.0000.0001.
    Switch(config)# mac access-list extended maclist1
    Switch(config-ext-macl)# permit host 0001.0000.0001 host 0002.0000.0001
    Classifying Traffic by Using Class Maps: You use the class-map global configuration command to isolate a specific traffic flow (or class) from...
  • Page 539: Classifying, Policing, And Marking Traffic By Using Policy Maps

    Step 4: match {access-group acl-index | access-group name acl-name | ip dscp dscp-list} (define the match criterion to classify traffic). By default, no match criterion is configured. Only one match criterion per class map is supported, and only one ACL per class map is supported.
  • Page 540 Beginning in privileged EXEC mode, follow these steps to create a policy map: Step 1: configure terminal (enter global configuration mode). Step 2: access-list access-list-number permit {source source-wildcard | host source | any} (create an IP standard or extended ACL for IP traffic or a Layer 2 MAC ACL for non-IP traffic, repeating the command as many times as...
  • Page 541 Step 5: set {ip dscp new-dscp} (classify IP traffic by setting a new value in the packet). For ip dscp new-dscp, enter a new DSCP value to be assigned to the classified traffic. The supported DSCP values are 0, 8, 10, 16, 18, 24, 26, 32, 34, 40, 46, 48, and 56.
  • Page 542: Configuring Cos Maps

    Switch(config)# access-list 1 permit 10.1.0.0 0.0.255.255
    Switch(config)# class-map ipclass1
    Switch(config-cmap)# match access-group 1
    Switch(config-cmap)# exit
    Switch(config)# policy-map flow1t
    Switch(config-pmap)# class ipclass1
    Switch(config-pmap-c)# police 5000000 8192 exceed-action dscp 10
    Switch(config-pmap-c)# exit
    Switch(config-pmap)# exit
    Switch(config)# interface gigabitethernet0/1
    Switch(config-if)# switchport mode access
    Switch(config-if)# service-policy input flow1t
    This example shows how to create a Layer 2 MAC ACL with two permit statements and attach it to an...
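To make the policer semantics concrete (average rate, committed burst, exceed action), the following token-bucket model is an added example written for this edit; it is neither code from the guide nor the switch's implementation. It models police 5000000 8192 exceed-action dscp 10 from the example above as a single bucket of 8192 bytes refilled at 5 Mbps: frames that fit in the bucket are in profile, the rest are marked down to DSCP 10 (or dropped with exceed-action drop). The frame trace is constructed, and the DSCP-to-CoS step assumes the default map in which CoS is the three high-order bits of the DSCP; verify that against Table 26-4 on your switch before relying on it.

```python
"""Single-rate token-bucket policer modelling the guide's
`police <rate-bps> <burst-bytes> exceed-action {drop | dscp <value>}`.
Constructed example: the frame trace and the default-map assumption are ours."""
from typing import List, Optional, Tuple


def dscp_to_cos(dscp: int) -> int:
    """Assumed default DSCP-to-CoS map: CoS = the three high-order bits of the
    6-bit DSCP (DSCP 46 -> CoS 5, DSCP 10 -> CoS 1).  Verify on your switch."""
    return dscp >> 3


class Policer:
    def __init__(self, rate_bps: int, burst_bytes: int,
                 exceed_action: str = "drop", markdown_dscp: Optional[int] = None):
        if exceed_action == "dscp" and markdown_dscp is None:
            raise ValueError("exceed-action dscp needs a markdown DSCP")
        self.rate = rate_bps / 8.0            # refill rate in bytes per second
        self.burst = burst_bytes              # bucket depth = committed burst
        self.tokens = float(burst_bytes)      # bucket starts full
        self.last_t = 0.0
        self.exceed_action = exceed_action
        self.markdown_dscp = markdown_dscp
        self.conform = 0
        self.exceed = 0

    def handle(self, t: float, length: int, dscp: int) -> Tuple[Optional[int], int]:
        """Police one frame arriving at time t (seconds).
        Returns (dscp after policing, or None if dropped; egress CoS, or -1)."""
        self.tokens = min(self.burst, self.tokens + (t - self.last_t) * self.rate)
        self.last_t = t
        if length <= self.tokens:             # in profile: spend tokens, pass unchanged
            self.tokens -= length
            self.conform += 1
            return dscp, dscp_to_cos(dscp)
        self.exceed += 1                      # out of profile: apply the exceed action
        if self.exceed_action == "drop":
            return None, -1
        return self.markdown_dscp, dscp_to_cos(self.markdown_dscp)


# Constructed trace: ten 1500-byte frames at DSCP 46 arriving back to back at
# t=0 (15000 bytes against an 8192-byte bucket), then one more a second later.
TRACE: List[Tuple[float, int, int]] = [(0.0, 1500, 46)] * 10 + [(1.0, 1500, 46)]


def run(policer: Policer, trace=TRACE) -> List[Tuple[Optional[int], int]]:
    return [policer.handle(t, n, d) for t, n, d in trace]


def markdown_summary() -> dict:
    """police 5000000 8192 exceed-action dscp 10, as in the example above."""
    p = Policer(5_000_000, 8192, "dscp", markdown_dscp=10)
    out = run(p)
    return {"conform": p.conform, "exceed": p.exceed,
            "cos_seen": sorted({cos for _, cos in out}), "last_frame": out[-1]}


def drop_summary() -> dict:
    """police 5000000 8192 exceed-action drop."""
    p = Policer(5_000_000, 8192, "drop")
    out = run(p)
    return {"conform": p.conform, "exceed": p.exceed,
            "dropped": sum(1 for d, _ in out if d is None)}


if __name__ == "__main__":
    print(markdown_summary())
    print(drop_summary())
```

With an 8192-byte bucket only the first five 1500-byte frames of the burst conform; the next five exceed and are marked down from DSCP 46 (CoS 5) to DSCP 10 (CoS 1), which moves them to a lower egress queue, and the frame arriving a second later finds the bucket refilled and conforms again. The same trace with exceed-action drop discards those five frames instead. The practical point is that the burst parameter, not only the rate, decides how a bursty source is treated.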
  • Page 543: Configuring The Cos-To-Dscp Map

    Configuring the CoS-to-DSCP Map: You use the CoS-to-DSCP map to map CoS values in incoming packets to a DSCP value that QoS uses internally to represent the priority of the traffic. Table 26-3 shows the default CoS-to-DSCP map. Table 26-3 Default CoS-to-DSCP Map (columns: CoS value | DSCP value)...
  • Page 544: Configuring The Dscp-To-Cos Map

    Configuring the DSCP-to-CoS Map: You use the DSCP-to-CoS map to map DSCP values in incoming packets to a CoS value, which is used to select one of the four egress queues. The switch supports these DSCP values: 0, 8, 10, 16, 18, 24, 26, 32, 34, 40, 46, 48, and 56. Table 26-4 shows the default DSCP-to-CoS map.
  • Page 545: Configuring Cos And Wrr

    Configuring CoS and WRR. Note: This feature is supported by both the EI and SI. This section describes how to configure CoS priorities and weighted round-robin (WRR): • Configuring CoS Priority Queues, page 26-27 • Configuring WRR, page 26-27 •...
  • Page 546: Displaying Qos Information

    To disable the WRR scheduler and enable the strict priority scheduler, use the no wrr-queue bandwidth global configuration command. Displaying QoS Information: To display QoS information, use one or more of the privileged EXEC commands in Table 26-5: Table 26-5 Commands for Displaying QoS Information...
  • Page 547: Qos Configuration Examples

    • QoS Configuration for the Existing Wiring Closet, page 26-30 • QoS Configuration for the Intelligent Wiring Closet, page 26-30. Figure 26-4 QoS Configuration Example Network (figure: a Cisco router to the Internet, connected to a Catalyst 3550-12G switch on Gigabit Ethernet 0/5, with Gigabit Ethernet 0/2 and Gigabit Ethernet 0/1 links...
  • Page 548: Qos Configuration For The Existing Wiring Closet

    QoS Configuration for the Existing Wiring Closet: The existing wiring closet in Figure 26-4 consists of existing Catalyst 2900 XL and 3500 XL switches. These switches are running IOS release 12.0(5)XP or later, which supports the QoS-based IEEE 802.1p CoS values.
  • Page 549 Step 9: police 5000000 8192 exceed-action drop (define a policer for the classified video traffic that drops traffic exceeding a 5-Mbps average traffic rate with an 8192-byte burst size). Step 10: exit (return to policy-map configuration mode).
  • Page 551: Chapter 27 Configuring Etherchannels

    Configuring EtherChannels: This chapter describes how to configure EtherChannel on Layer 2 interfaces. EtherChannel provides fault-tolerant high-speed links between switches, routers, and servers. You can use it to increase the bandwidth between the wiring closets and the data center, and you can deploy it anywhere in the network where bottlenecks are likely to occur.
  • Page 552: Understanding Port-Channel Interfaces

    Figure 27-1 Typical EtherChannel Configuration (figure: a Catalyst 8500, 6000, 5500, or 4000 series switch joined by Gigabit EtherChannel to a Catalyst 3550-12T switch, with 1000BASE-X links to a second Catalyst 3550-12T switch and a Catalyst 2950G-24 switch, each providing 10/100 switched links to workstations). Each EtherChannel can consist of up to eight compatibly configured Ethernet interfaces.
  • Page 553: Understanding The Port Aggregation Protocol

    Figure 27-2 Relationship of Physical Ports, Logical Port Channels, and Channel Groups (figure: the 10/100 ports and GBIC module ports of a Catalyst 2950 series switch are bound through channel groups to logical port-channel interfaces)...
  • Page 554: Pagp Modes

    PAgP Modes: Table 27-1 shows the user-configurable EtherChannel modes for the channel-group interface configuration command: on, auto, and desirable. Switch interfaces exchange PAgP packets only with partner interfaces configured in the auto or desirable modes; interfaces configured in the on mode do not exchange PAgP packets.
  • Page 555: Physical Learners And Aggregate-Port Learners

    The switch supports up to eight ports in a PAgP group. PAgP Interaction with Other Features The Dynamic Trunking Protocol (DTP) and Cisco Discovery Protocol (CDP) send and receive packets over the physical interfaces in the EtherChannel. Trunk ports send and receive PAgP protocol data units (PDUs) on the lowest numbered VLAN.
  • Page 556 IP addresses might result in better load balancing. Figure 27-3 Load Distribution and Forwarding Methods (figure: a Catalyst 2950 or 3550 switch with source-based forwarding enabled, connected by EtherChannel to a Cisco router with destination-based forwarding enabled).
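The split in Figure 27-3 (source-based forwarding on the switch, destination-based on the router) follows from which address each side hashes onto the member links. The model below is an added example written for this edit, not the switch's algorithm: it selects a link from the low-order bits of the chosen MAC address (a simplification; the page does not describe the hardware hash) and shows that, for many workstations behind one router, source-MAC balancing spreads the upstream flows while destination-MAC balancing collapses them onto one link, with the reverse in the downstream direction. The MAC addresses and link count are constructed. On the Catalyst 2950 the method is chosen with the port-channel load-balance global configuration command.

```python
"""Model of EtherChannel load distribution: source-MAC versus destination-MAC
forwarding.  Constructed example; the link-selection rule (low-order MAC bits
modulo the number of links) is a simplification, not the switch's hardware hash."""
from collections import Counter
from typing import Dict, List, Tuple


def mac_to_int(mac: str) -> int:
    """'0001.0000.0007' (Cisco dotted form) or colon form -> integer."""
    return int(mac.replace(".", "").replace(":", ""), 16)


def select_link(src_mac: str, dst_mac: str, n_links: int, method: str) -> int:
    """Pick the member link (0..n_links-1) for one frame.
    method: 'src-mac' (source-based forwarding) or 'dst-mac' (destination-based)."""
    if method == "src-mac":
        key = mac_to_int(src_mac)
    elif method == "dst-mac":
        key = mac_to_int(dst_mac)
    else:
        raise ValueError(f"unknown method {method!r}")
    return key % n_links          # simplified: low-order address bits choose the link


def distribution(frames: List[Tuple[str, str]], n_links: int, method: str) -> Dict[int, int]:
    """Frames per member link for a list of (src_mac, dst_mac) pairs."""
    return dict(Counter(select_link(s, d, n_links, method) for s, d in frames))


def links_used(frames: List[Tuple[str, str]], n_links: int, method: str) -> int:
    return len(distribution(frames, n_links, method))


# Constructed topology matching the figure: eight workstations on the switch
# side, one router on the far side, a four-link channel between them.
WORKSTATIONS = [f"0001.0000.00{i:02x}" for i in range(8)]
ROUTER = "0000.0c07.ac01"
UPSTREAM = [(ws, ROUTER) for ws in WORKSTATIONS]    # workstations -> router
DOWNSTREAM = [(ROUTER, ws) for ws in WORKSTATIONS]  # router -> workstations

if __name__ == "__main__":
    for name, frames in (("upstream", UPSTREAM), ("downstream", DOWNSTREAM)):
        for method in ("src-mac", "dst-mac"):
            print(f"{name:10s} {method}: {distribution(frames, 4, method)}")
```

Upstream, src-mac spreads the eight workstations two per link while dst-mac puts all eight on the router's link; downstream the roles swap. That is why the figure shows source-based forwarding on the switch, where many sources talk to one destination, and destination-based forwarding on the router, where one source talks to many destinations.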
  • Page 557: Configuring Etherchannels

    Configuring EtherChannels: These sections describe how to configure EtherChannel interfaces: • Default EtherChannel Configuration, page 27-7 • EtherChannel Configuration Guidelines, page 27-8 • Configuring Layer 2 EtherChannels, page 27-8 • Configuring EtherChannel Load Balancing, page 27-10 •...
  • Page 558: Etherchannel Configuration Guidelines

    EtherChannel Configuration Guidelines: If improperly configured, some EtherChannel interfaces are automatically disabled to avoid network loops and other problems. Follow these guidelines to avoid configuration problems: • Configure an EtherChannel with up to eight Ethernet interfaces of the same type. Note: Do not configure a GigaStack GBIC port as part of an EtherChannel.
  • Page 559 Beginning in privileged EXEC mode, follow these steps to assign a Layer 2 Ethernet interface to a Layer 2 EtherChannel: Step 1: configure terminal (enter global configuration mode). Step 2: interface interface-id (enter interface configuration mode, and specify a physical interface to configure).
  • Page 560: Configuring Etherchannel Load Balancing

    To remove an interface from the EtherChannel group, use the no channel-group interface configuration command. If you delete the EtherChannel by using the no interface port-channel global configuration command without removing the physical interfaces, the physical interfaces are shut down. If you do not want the member physical interfaces to shut down, remove the physical interfaces before deleting the EtherChannel.
  • Page 561: Configuring The Pagp Learn Method And Priority

    Step 4: show etherchannel load-balance (verify your entries). Step 5: copy running-config startup-config (optional; save your entries in the configuration file). To return EtherChannel load balancing to the default configuration, use the no port-channel load-balance global configuration command.
  • Page 563: Chapter 28 Troubleshooting

    Depending on the nature of the problem, you can use the command-line interface (CLI) or the Cluster Management Suite (CMS) to identify and solve problems. To identify and resolve problems with Cisco-approved Coarse Wavelength Division Multiplexing (CWDM) Gigabit Interface Converter (GBIC) modules, you must have the enhanced software image (EI) installed on your switch.
  • Page 564 Table 28-1 Ethernet Port Statistics (columns: Statistic Type | Explanation). Transmit statistics: Unicast Frames: The total number of well-formed unicast frames sent by a port. It excludes frames sent with errors or with multicast or broadcast destination addresses. Multicast Frames: The total number of well-formed multicast frames sent by a port.
  • Page 565 Table 28-1 Ethernet Port Statistics (continued). Receive statistics: Multicast Frames: The total number of well-formed multicast frames received by a port. It excludes frames received with errors, frames with unicast or broadcast destination addresses, and oversized or undersized frames.
  • Page 566 Table 28-2 LRE Link Statistics (columns: Statistic Type | Explanation). Upstream Bandwidth Usage: The percentage of the bandwidth used for upstream traffic, based on the current upstream rate and the actual upstream speed of the LRE link. Downstream Bandwidth Usage: The percentage of the bandwidth used for downstream traffic, based on the current downstream rate and the actual downstream speed of the LRE link.
  • Page 567 Table 28-3 CPE Ethernet Link Statistics (continued) (columns: Counter | Description). Transmit Late Collisions: The total number of frames discarded because of late collisions detected during transmission. It includes all transmit frames that had a collision after the transmission of the frame's 64th byte.
  • Page 568: Using Recovery Procedures

    Using Recovery Procedures: These recovery procedures require that you have physical access to the switch: • Recovering from Corrupted Software, page 28-6 • Recovering from a Lost or Forgotten Password, page 28-6 • Recovering from a Command Switch Failure, page 28-8 •...
  • Page 569 Step 3: Unplug the switch power cord. Step 4: Press the Mode button, and at the same time, reconnect the power cord to the switch. You can release the Mode button a second or two after the LED above port 1X goes off. Several lines of information about the software appear, as do instructions: The system has been interrupted prior to initializing the flash file system.
  • Page 570: Recovering From A Command Switch Failure

    Step 13: Copy the configuration file into memory:
    switch# copy flash:config.text system:running-config
    Source filename [config.text]?
    Destination filename [running-config]?
    Press Return in response to the confirmation prompts. The configuration file is now reloaded, and you can use the following normal commands to change the password.
  • Page 571: Replacing A Failed Command Switch With A Cluster Member

    Replacing a Failed Command Switch with a Cluster Member: To replace a failed command switch with a command-capable member in the same cluster, follow these steps: Step 1: Disconnect the command switch from the member switches, and physically remove it from the cluster. Step 2: Insert the member switch in place of the failed command switch, and duplicate its connections to the cluster members.
  • Page 572: Replacing A Failed Command Switch With Another Switch

    Step 11: Respond to the questions in the setup program. When prompted for the host name, recall that on a command switch the host name is limited to 28 characters, and on a member switch to 31 characters. Do not use -n, where n is a number, as the last characters in a host name for any switch.
  • Page 573: Recovering From Lost Member Connectivity

    Basic management setup configures only enough connectivity for management of the system, extended setup will ask you to configure each interface on the system
    Would you like to enter basic management setup? [yes/no]:
    Step 6: Enter Y at the first prompt.
  • Page 574: Preventing Autonegotiation Mismatches

    Preventing Autonegotiation Mismatches: The IEEE 802.3 autonegotiation protocol manages the switch settings for speed (10 Mbps, 100 Mbps, and 1000 Mbps, excluding GBIC ports) and duplex (half or full). There are situations when this protocol can incorrectly align these settings, reducing performance.
  • Page 575: Gbic And Sfp Module Security And Identification

    ID, the security code, or CRC is invalid, the switch places the interface in an error-disabled state. Note: If you are using a non-Cisco-approved GBIC module, remove the GBIC from the switch, and replace it with a Cisco-approved module.
  • Page 576: Using Debug Commands

    For this reason, use debug commands only to troubleshoot specific problems or during troubleshooting sessions with Cisco technical support staff. It is best to use debug commands during periods of lower network traffic and fewer users. Debugging during these periods decreases the likelihood that increased debug command processing overhead will affect system use.
  • Page 577: Enabling All-System Diagnostics

    The information in the file includes the IOS image name and version that failed, a dump of the processor registers, and a stack trace. You can provide this information to the Cisco technical support representative by using the show tech-support privileged EXEC command.
  • Page 578 Each new crashinfo file that is created uses a sequence number that is larger than any previously existing sequence number, so the file with the largest sequence number describes the most recent failure. Sequence numbers are used instead of a timestamp because the switches do not include a real-time clock.
  • Page 579: Appendix

    This appendix lists the supported management information bases (MIBs) for this release. It contains these sections: MIB List, page A-1; Using FTP to Access the MIB Files, page A-2. MIB List: BRIDGE-MIB (RFC1493), CISCO-CDP-MIB, CISCO-2900-MIB, CISCO-CLUSTER-MIB, CISCO-CONFIG-MAN-MIB, ...
  • Page 580: Using Ftp To Access The Mib Files

    UDP-MIB. Note: The IF-MIB and the CISCO-IETF-VDSL-LINE-MIB are supported as read-only MIBs for the FE interfaces for the CPE devices. Using FTP to Access the MIB Files: Follow these steps to obtain each MIB file: Use FTP to access the server ftp.cisco.com.
  • Page 581 Change directories to wsc2900xl for a list of Catalyst 2900 XL MIBs. Step 6 Use the get MIB_filename command to obtain a copy of the MIB file. Note: You can also access information about MIBs on the Cisco web site: http://www.cisco.com/public/sw-center/netmgmt/cmtk/mibs.shtml...
  • Page 583: Appendix

    Note For complete syntax and usage information for the commands used in this chapter, refer to the Catalyst 2950 LRE Command Reference for this release and the Cisco IOS Configuration Fundamentals Command Reference for Release 12.1. This appendix consists of these sections: •...
  • Page 584: Displaying Available File Systems

    Appendix B Working with the IOS File System, Configuration Files, and Software Images, Working with the Flash File System: Displaying Available File Systems. To display the available file systems on your switch, use the show file systems privileged EXEC command as shown in this example:
    Switch# show file systems
    File Systems: Size(b) ...
  • Page 585: Appendix B Working with the IOS File System, Configuration Files, and Software Images

    Appendix B Working with the IOS File System, Configuration Files, and Software Images, Working with the Flash File System. Table B-1 show file systems Field Descriptions (continued): Flags: Permission for file system (ro = read-only, rw = read/write, wo = write-only). Prefixes: Alias for file system (bs: is a read-only file system; ...)
  • Page 586: Changing Directories And Displaying The Working Directory

    Appendix B Working with the IOS File System, Configuration Files, and Software Images Working with the Flash File System To display information about files on a file system, use one of the privileged EXEC commands in Table B-2: Table B-2 Commands for Displaying Information About Files Command Description...
  • Page 587: Copying Files

    Appendix B Working with the IOS File System, Configuration Files, and Software Images Working with the Flash File System To delete a directory with all its files and subdirectories, use the delete /force /recursive filesystem:/file-url privileged EXEC command. Use the /recursive keyword to delete the named directory and all subdirectories and the files contained in it.
  • Page 588: Creating, Displaying, And Extracting Tar Files

    Appendix B Working with the IOS File System, Configuration Files, and Software Images Working with the Flash File System Use the /recursive keyword for deleting a directory and all subdirectories and the files contained in it. Use the /force keyword to suppress the prompting that confirms a deletion of each file in the directory. You are prompted only once at the beginning of this deletion process.
  • Page 589: Displaying The Contents Of A Tar File

    Appendix B Working with the IOS File System, Configuration Files, and Software Images Working with the Flash File System Displaying the Contents of a tar File To display the contents of a tar file on the screen, use this privileged EXEC command: archive tar /table source-url For source-url, specify the source URL alias for the local or network file system.
  • Page 590: Displaying The Contents Of A File

    This section describes how to create, load, and maintain configuration files. Configuration files contain commands entered to customize the function of the Cisco IOS software. To benefit from these instructions, your switch must already contain a minimal configuration for interacting with the system software.
  • Page 591: Guidelines For Creating And Using Configuration Files

    Appendix B Working with the IOS File System, Configuration Files, and Software Images Working with Configuration Files You can copy (upload) configuration files from the switch to a file server by using TFTP, FTP, or RCP. You might perform this task to back up a current configuration file to a server before changing its contents so that you can later restore the original configuration file from the server.
  • Page 592: Configuration File Types And Location

    Appendix B Working with the IOS File System, Configuration Files, and Software Images Working with Configuration Files Note The copy {ftp: | rcp: | tftp:} system:running-config privileged EXEC command loads the configuration files on the switch as if you were entering the commands at the command line. The switch does not erase the existing running configuration before adding the commands.
  • Page 593: Copying Configuration Files By Using Tftp

    Appendix B Working with the IOS File System, Configuration Files, and Software Images Working with Configuration Files Copying Configuration Files By Using TFTP You can configure the switch by using configuration files you create, download from another switch, or download from a TFTP server. You can copy (upload) configuration files to a TFTP server for storage. This section includes this information: •...
  • Page 594: Downloading The Configuration File By Using Tftp

    Appendix B Working with the IOS File System, Configuration Files, and Software Images Working with Configuration Files Downloading the Configuration File By Using TFTP To configure the switch by using a configuration file downloaded from a TFTP server, follow these steps: Step 1 Copy the configuration file to the appropriate TFTP directory on the workstation.
  • Page 595: Copying Configuration Files By Using Ftp

    The FTP protocol requires a client to send a remote username and password on each FTP request to a server. When you copy a configuration file from the switch to a server by using FTP, the Cisco IOS software sends the first valid username in this list: The username specified in the copy command if a username is specified.
  • Page 596 Appendix B Working with the IOS File System, Configuration Files, and Software Images Working with Configuration Files NVRAM. If you are accessing the switch through a Telnet session and you have a valid username, this username is used, and you do not need to set the FTP username. Include the username in the copy command if you want to specify a username for only that copy operation.
  • Page 597 Appendix B Working with the IOS File System, Configuration Files, and Software Images, Working with Configuration Files:
    Switch# copy ftp: nvram:startup-config
    Address of remote host [255.255.255.255]? 172.16.101.101
    Name of configuration file[rtr2-confg]? host2-confg
    Configure using host2-confg from 172.16.101.101?[confirm]
    Connected to 172.16.101.101
    Loading 1112 byte file host2-confg:![OK]
    [OK]
    Switch#...
  • Page 598: Copying Configuration Files By Using Rcp

    RCP requires a client to send a remote username with each RCP request to a server. When you copy a configuration file from the switch to a server, the Cisco IOS software sends the first valid username in this list: •...
  • Page 599 Appendix B Working with the IOS File System, Configuration Files, and Software Images Working with Configuration Files Preparing to Download or Upload a Configuration File By Using RCP Before you begin downloading or uploading a configuration file by using RCP, do these tasks: Ensure that the workstation acting as the RCP server supports the remote shell (rsh).
  • Page 600 Appendix B Working with the IOS File System, Configuration Files, and Software Images, Working with Configuration Files (Command / Purpose, continued). Step 5: Return to privileged EXEC mode. Step 6: copy rcp:[[[//[username@]location]/directory]/filename] system:running-config. Using RCP, copy the configuration file from a network server to the running configuration or to the startup configuration file.
  • Page 601: Clearing Configuration Information

    Appendix B Working with the IOS File System, Configuration Files, and Software Images, Working with Configuration Files (Command / Purpose, continued). Step 4: ip rcmd remote-username username. (Optional) Specify the remote username. Step 5: Return to privileged EXEC mode. Step 6: copy system:running-config rcp:[[[//[username@]location]/directory]/filename]. Using RCP, copy the running or startup configuration file from the switch to a network server.
  • Page 602: Deleting A Stored Configuration File

    Depending on the setting of the file prompt global configuration command, you might be prompted for confirmation before you delete a file. By default, the switch prompts for confirmation on destructive file operations. For more information about the file prompt command, refer to the Cisco IOS Command Reference for Release 12.1.
  • Page 603: Tar File Format Of Images On A Server Or Cisco.com

    Working with the IOS File System, Configuration Files, and Software Images Working with Software Images tar File Format of Images on a Server or Cisco.com Software images located on a server or downloaded from Cisco.com are provided in a tar file format, which contains these files: •...
  • Page 604: Copying Image Files By Using Tftp

    Appendix B Working with the IOS File System, Configuration Files, and Software Images Working with Software Images Copying Image Files By Using TFTP You can download a switch image from a TFTP server or upload the image from the switch to a TFTP server.
  • Page 605 Appendix B Working with the IOS File System, Configuration Files, and Software Images Working with Software Images Downloading an Image File By Using TFTP You can download a new image file and replace the current image or keep the current image. Beginning in privileged EXEC mode, follow Steps 1 through 3 to download a new image from a TFTP server and overwrite the existing image.
  • Page 606 Appendix B Working with the IOS File System, Configuration Files, and Software Images Working with Software Images Note If the Flash device has sufficient space to hold two images and you want to overwrite one of these images with the same version, you must specify the /overwrite option. However, the 2950 LRE only supports one complete set of IOS, HTML, and LRE binary files, and one IOS binary on the flash.
  • Page 607: Copying Image Files By Using Ftp

    The FTP protocol requires a client to send a remote username and password on each FTP request to a server. When you copy an image file from the switch to a server by using FTP, the Cisco IOS software sends the first valid username in this list: •...
  • Page 608 Appendix B Working with the IOS File System, Configuration Files, and Software Images Working with Software Images Before you begin downloading or uploading an image file by using FTP, do these tasks: • Ensure that the switch has a route to the FTP server. The switch and the FTP server must be in the same subnetwork if you do not have a router to route traffic between subnets.
  • Page 609 Appendix B Working with the IOS File System, Configuration Files, and Software Images, Working with Software Images (Command / Purpose, continued). Step 7: archive download-sw /overwrite /reload ftp:[[//username[:password]@location]/directory]/image-name.tar. Download the image file from the FTP server to the switch, and overwrite the current image. •...
  • Page 610 Appendix B Working with the IOS File System, Configuration Files, and Software Images Working with Software Images The algorithm installs the downloaded image onto the system board Flash device (flash:). The image is placed into a new directory named with the software version string, and the BOOT environment variable is updated to point to the newly installed image.
  • Page 611: Copying Image Files By Using Rcp

    RCP requires a client to send a remote username on each RCP request to a server. When you copy an image from the switch to a server by using RCP, the Cisco IOS software sends the first valid username in this list: •...
  • Page 612 Appendix B Working with the IOS File System, Configuration Files, and Software Images Working with Software Images For the RCP copy request to execute successfully, an account must be defined on the network server for the remote username. If the server has a directory structure, the image file is written to or copied from the directory associated with the remote username on the server.
  • Page 613 Appendix B Working with the IOS File System, Configuration Files, and Software Images, Working with Software Images (Command / Purpose, continued). Step 5: Return to privileged EXEC mode. Step 6: archive download-sw /overwrite /reload rcp:[[[//[username@]location]/directory]/image-na. Download the image file from the RCP server to the switch, and overwrite the current image.
  • Page 614 Appendix B Working with the IOS File System, Configuration Files, and Software Images Working with Software Images If you specify the /leave-old-sw option, the existing files are not removed. If there is not enough room to install the new image and keep the running image, the download process stops, and an error message is displayed.
  • Page 615 Appendix B Working with the IOS File System, Configuration Files, and Software Images, Working with Software Images (Command / Purpose, continued). Step 5: Return to privileged EXEC mode. Step 6: archive upload-sw rcp:[[[//[username@]location]/directory]/image-na. Upload the currently running switch image to the RCP server.
  • Page 617: Index

    I N D E X switch clusters 6-15 Numerics access levels, CMS 3-31 802.1D access lists See STP See ACLs 802.1Q access ports and trunk ports defined configuration limitations 14-16 in switch clusters 6-10 native VLAN for untagged traffic 14-20 accounting trunk mode 3-10...
  • Page 618 Index displaying interface default aging 25-23 11-9 examples of 25-23 defined 7-54 extended IP learning 7-54 configuring for QoS classification removing 26-18 7-56 creating 25-10 matching criteria adding secure 25-7 7-59 host keyword discovering 25-9 7-61 multicast STP address management 11-8 creating 25-7...
  • Page 619 Index ARP table autonegotiation address resolution 7-61 interface configuration guidelines 9-12 managing mismatches 7-61 28-12 asymmetric digital subscriber line auxiliary VLAN See ADSL See voice VLAN attributes, RADIUS vendor-proprietary 7-30 vendor-specific 7-29 authentication BackboneFast local mode with AAA 7-32 described 13-10 NTP associations 7-37...
  • Page 620 Index disabling Cisco Discovery Protocol 18-3 browser configuration 3-1, 6-1 See CDP buttons, CMS Cisco Intelligence Engine 2100 Series Configuration 3-30 Registrar See IE2100 Cisco IP Phones 1-13 Cisco LRE 48 POTS Splitter (PS-1M-LRE-48) 1-2, 1-16 cables, monitoring for unidirectional links...
  • Page 621 Index See CMS defined clusters, switch requirements accessing virtual IP address 6-15 6-13 adding member switches See also HSRP 6-20 automatic discovery cluster tree automatic recovery described 6-12 command switch configuration 6-19 compatibility accessing 3-30 creating 6-19 access levels 3-31 creating a cluster standby group advantages 6-22...
  • Page 622 Index no and default collapsed backbone and switch cluster 1-13 setting privilege levels design concepts command switch cost-effective wiring closet accessing high-performance workgroup 6-13 1-10 active (AC) 6-12, 6-23 network performance command switch with HSRP disabled (CC) network services 6-23 configuration conflicts redundant Gigabit backbone 28-11...
  • Page 623 9-19 802.1X banners 7-51 Ethernet link guidelines 10-7 20-2 Ethernet links 10-1, 10-5 7-50 considerations for Cisco 575 LRE CPE 10-7 EtherChannel 27-7 considerations for Cisco 585 LRE CPE 10-8 IGMP filtering 17-21 statistics 28-4 IGMP snooping...
  • Page 624 Index RMON lease options 22-3 RSPAN 21-8 for IP address information RSTP and MSTP for receiving the configuration file 12-12 SNMP overview 24-6 SPAN 21-8 relationship to BOOTP Differentiated Services architecture, QoS 11-10 26-2 system message logging Differentiated Services Code Point 23-3 26-2 system name and prompt...
  • Page 625 Index using FTP error checking, CMS B-26 3-32 using RCP B-30 error messages using TFTP during command entry B-23 DSCP setting the display destination device 1-6, 26-2 23-4 DSCP-to-CoS map for QoS 26-26 severity levels 23-8 system message format 1-5, 14-15 23-2 duplex mode EtherChannel...
  • Page 626 Index ETSI file system European Telecommunication Standards Institute displaying available file systems See ETSI displaying file information events, RMON local file system names 22-3 examples network file system names conventions for setting the default xxviii network configuration filtering show and more command output 2-10 Expand Cluster view 3-11...
  • Page 627 Index disabling recalling commands GBICs history table, level and number of syslog messages 23-10 1000BASE-LX/LH module 1-10 host name list, CMS 3-28 1000BASE-SX module 1-10 host names 1000BASE-ZX module 1-10 abbreviations appended to 6-23 CWDM module 1-20 in clusters 6-16 GigaStack module hosts, limit on dynamic ports 14-31...
  • Page 628 Index configuration service interface described number event service range macros described interface command 9-4, 9-5 support for interface configuration mode IEEE 802.1P interfaces 16-1 IGMP configuration guidelines 9-12 joining multicast group 17-2 configuring join messages 17-2 configuring duplex mode 9-11 leave processing, enabling configuring speed 17-9...
  • Page 629 Index extended, creating 25-10 for QoS classification 26-16 Layer 2 frames, classification with CoS 26-2 implicit deny 25-9, 25-13, 25-15 Layer 2 interfaces, default configuration 9-10 implicit masks 25-9 Layer 2 trunks 14-15 management interfaces, applying to 25-20 Layer 3 packets, classification methods 26-2 named 25-13...
  • Page 630 10-9 assigning a public profile 10-8 assigning the default profile 10-9 MAC addresses CPE Ethernet links adding secure 7-59 Cisco 575 LRE CPE considerations 10-7 aging time 7-55 Cisco 585 LRE CPE considerations 10-8 and VLAN association 7-55 described 10-1, 10-5...
  • Page 631 Index management VLAN MIBs changing 6-18 accessing files with FTP considerations in switch clusters location of files 6-8, 6-9, 6-18 discovery through different management VLANs overview 24-1 discovery through same management VLAN SNMP interaction with 24-4 IP address supported 6-18 MANs microfilters, phone 1-16, 10-7...
  • Page 632 Index described operations within a region 12-10 12-8 BPDU filtering loop guard described described 13-3 13-13 enabling enabling 13-16 13-20 BPDU guard mapping VLANs to MST instance 12-13 described MST region 13-3 enabling CIST 13-15 12-8 CIST, described 12-8 configuring 12-13 configuration guidelines 12-12...
  • Page 633 Index See Cisco LRE POTS Splitter (PS-1M-LRE-48) configuring interfaces 17-17 nontrunking mode 14-16 default configuration normal-range VLANs 17-15 described configuration modes 17-13 14-6 modes 17-17 defined 14-1 monitoring 17-19 setting global parameters 17-16 associations authenticating 7-37 defined 7-35 enabling broadcast messages...
  • Page 634 Index passwords 1-18 default configuration Port Aggregation Protocol disabling recovery of See EtherChannel encrypting See PAgP in clusters 6-16, 6-20 port-based authentication in CMS authentication server 3-30 overview defined recovery of 28-6 RADIUS server setting client, defined enable configuration guidelines enable secret configuring Telnet...
  • Page 635 POTS splitters port membership modes, VLAN 3-9, 14-3 homologated 1-16 port modes nonhomologated 1-16 described See also Cisco LRE 48 POTS Splitter (PS-1M-LRE-48) LEDs POTS telephones 1-16, 10-7 port pop-up menu, Front Panel view 3-21 precedence 10-11 port priority preferential treatment of traffic...
  • Page 636 Index 3-31 command switch 6-25 exiting 7-10 basic model 26-3 logging into 7-10 classification mapping on member switches 6-25 class maps, described 26-6 overview 7-2, 7-8 defined 26-3 setting a command with in frames and packets 26-3 profile acquisition, automatic 10-10 IP ACLs, described 26-5...
  • Page 637 Index ingress port scheduling accounting 26-8 7-28 IP phones, detection and trusted settings 26-13 authentication 7-23 mapping tables authorization 7-27 CoS-to-DSCP communication, global 26-25 7-21, 7-29 displaying 26-28 communication, per-server 7-20, 7-21 DSCP-to-CoS multiple UDP ports 26-26 7-21 types of default configuration 26-5 7-20...
  • Page 638 Index read-only access mode 1757, RMON 3-31 22-2 read-write access mode 3-31 1901, SNMPv2C 24-2 reconfirmation interval, VMPS, changing 1902 to 1907, SNMPv2 14-30 24-2 recovery procedures 2236, IP multicast and IGMP 28-6 17-2 redundancy 2273-2275, SNMPv3 24-2 EtherChannel RMON 27-2 default configuration 22-3...
  • Page 639 Index removing source (monitored) ports Secure Shell 21-17 specifying monitored ports 21-15 See SSH source ports security, port 21-4 18-4 transmitted traffic sequence numbers in log messages 21-4 23-8 VLAN-based 21-6 sequences 10-4 RSTP table of 10-4 active topology, determining sequences, LRE 12-2 BPDU...
  • Page 640 Index SNAP versions supported 20-1 24-2 SNMP snooping, IGMP 17-1 accessing MIB variables with 24-4 agent definition of 10-12 described 24-3 downstream rate requirements 10-12 disabling margins 24-7 10-12 community strings upstream rate requirements 10-13 configuring 24-7 software for cluster switches 24-4 releases overview...
  • Page 641 Index source ports LRE link 21-4 28-4 transmitted traffic 21-4 port 28-2 VLAN-based QoS ingress and egress 21-6 26-28 spanning tree and native VLANs RMON group Ethernet 14-17 22-5 Spanning Tree Protocol RMON group history 22-5 See STP SNMP input and output 24-15 speed, configuring on interfaces 9-11...
  • Page 642 Index enabling redundant connectivity 13-18 11-8 default configuration 11-10 root guard default optional feature configuration described 13-14 13-12 designated port, defined enabling 11-3 13-19 designated switch, defined 11-3 root port, defined 11-3 detecting indirect link failures root switch 13-10 disabling affects of extended system ID 11-12 11-4, 11-12...
  • Page 643 Index displaying the time and date authorization, defined 7-44 7-11 overview 7-34 configuring See also NTP accounting 7-17 system message logging authentication key 7-13 default configuration 23-3 authorization 7-16 defining error message severity levels login authentication 23-8 7-14 disabling default configuration 23-4 7-13 displaying the configuration...
  • Page 644 Index limiting access by servers troubleshooting 24-13 time detecting unidirectional links 19-1 See NTP and system clock displaying crash information 28-15 time-range command GBIC security and identification 25-15 28-13 time ranges in ACLs 25-15 LRE ports 28-12 timestamps in log messages statistics 23-7 28-1...
  • Page 645 Index neighbor database user EXEC mode 19-2 overview 19-1 username-based authentication resetting an interface 19-5 status, displaying 19-6 unauthorized ports with 802.1X UniDirectional Link Detection protocol verifying changes in CMS 3-32 See UDLD version-dependent transparent mode 15-4 UNIX syslog servers virtual IP address daemon configuration 23-11...
  • Page 646 14-9 14-30 creating in VLAN configuration mode 14-9 retry count, changing 14-30 default configuration voice VLAN 14-8 deleting Cisco 7960 phone, port connections 14-10 16-1 described 9-3, 14-1 configuration guidelines 16-3 displaying 14-14 configuring IP phones for data traffic extended-range...
  • Page 647 Index server mode Weighted Round Robin 15-9 transparent mode 15-12 See WRR consistency checks window components, CMS 15-4 3-28 default configuration wizards 15-6 3-26 described 15-1 disabling configuring 15-12 26-27 domain names defining 15-8 26-8 domains 15-2 description 26-8 modes client 15-3, 15-11 server...

This manual is also suitable for:

Catalyst 2950