Cisco 2950 - Catalyst Switch Configuration Manual

Software configuration guide

Catalyst 2950 and Catalyst 2955 Switch
Software Configuration Guide
Cisco IOS Release 12.1(20)EA2
May 2004
Corporate Headquarters
Cisco Systems, Inc.
170 West Tasman Drive
San Jose, CA 95134-1706
USA
http://www.cisco.com
Tel: 408 526-4000
800 553-NETS (6387)
Fax: 408 526-4100
Customer Order Number: DOC-7811380=
Text Part Number: 78-11380-10



Summary of Contents for Cisco 2950 - Catalyst Switch

  • Page 2 CCIP, CCSP, the Cisco Arrow logo, the Cisco Powered Network mark, Cisco Unity, Follow Me Browsing, FormShare, and StackWise are trademarks of Cisco Systems, Inc.; Changing the Way We Work, Live, Play, and Learn, and iQuick Study are service marks of Cisco Systems, Inc.; and Aironet, ASIST, BPX, Catalyst, CCDA, CCDP, CCIE,...
  • Page 3: Table Of Contents

    Cisco.com xxxi Ordering Documentation xxxii Documentation Feedback xxxii Obtaining Technical Assistance xxxii Cisco Technical Support Website xxxiii Submitting a Service Request xxxiii Definitions of Service Request Severity xxxiii Obtaining Additional Publications and Information xxxiv Chapter 1 Overview...
  • Page 4 Contents Chapter 2 Using the Command-Line Interface Cisco IOS Command Modes Getting Help Abbreviating Commands Using no and default Forms of Commands Understanding CLI Messages Using Command History Changing the Command History Buffer Size Recalling Commands...
  • Page 5 Contents Configuring Alarm Profiles Creating or Modifying an Alarm Profile Attaching an Alarm Profile to a Specific Port 3-10 Enabling SNMP Traps 3-11 Displaying Catalyst 2955 Switch Alarms Status 3-11 Chapter 4 Getting Started with CMS Understanding CMS Front Panel View Topology View...
  • Page 6 Contents Chapter 5 Assigning the Switch IP Address and Default Gateway Understanding the Boot Process Assigning Switch Information Default Switch Information Understanding DHCP-Based Autoconfiguration DHCP Client Request Process Configuring DHCP-Based Autoconfiguration DHCP Server Configuration Guidelines Configuring the TFTP Server Configuring the DNS Configuring the Relay Device...
  • Page 7 Contents Understanding CNS Embedded Agents Initial Configuration Incremental (Partial) Configuration Synchronized Configuration Configuring CNS Embedded Agents Enabling Automated CNS Configuration Enabling the CNS Event Agent Enabling the CNS Configuration Agent Enabling an Initial Configuration Enabling a Partial Configuration 6-12 Displaying CNS Configuration 6-13 Chapter 7 Clustering Switches...
  • Page 8 Contents Creating a Switch Cluster 7-18 Enabling a Command Switch 7-18 Adding Member Switches 7-19 Creating a Cluster Standby Group 7-21 Verifying a Switch Cluster 7-22 Using the CLI to Manage Switch Clusters 7-23 Catalyst 1900 and Catalyst 2820 CLI Considerations 7-24 Using SNMP to Manage Switch Clusters 7-24...
  • Page 9 Contents Managing the MAC Address Table 8-21 Building the Address Table 8-22 MAC Addresses and VLANs 8-22 Default MAC Address Table Configuration 8-23 Changing the Address Aging Time 8-23 Removing Dynamic Address Entries 8-24 Configuring MAC Address Notification Traps 8-24 Adding and Removing Static Address Entries 8-26 Configuring Unicast MAC Address Filtering...
  • Page 10 Contents Configuring RADIUS 9-20 Default RADIUS Configuration 9-20 Identifying the RADIUS Server Host 9-21 Configuring RADIUS Login Authentication 9-23 Defining AAA Server Groups 9-25 Configuring RADIUS Authorization for User Privileged Access and Network Services 9-27 Starting RADIUS Accounting 9-28 Configuring Settings for All RADIUS Servers 9-29 Configuring the Switch to Use Vendor-Specific RADIUS Attributes 9-29...
  • Page 11 Contents Configuring the Switch-to-RADIUS-Server Communication 10-13 Enabling Periodic Re-Authentication 10-14 Manually Re-Authenticating a Client Connected to a Port 10-15 Changing the Quiet Period 10-15 Changing the Switch-to-Client Retransmission Time 10-15 Setting the Switch-to-Client Frame-Retransmission Number 10-16 Configuring the Host Mode 10-17 Configuring a Guest VLAN 10-18...
  • Page 12 Guidelines for Using LRE Profiles 13-10 CPE Ethernet Link Guidelines 13-11 Guidelines for Configuring Cisco 575 LRE CPEs and 576 LRE 997 CPEs 13-11 Guidelines for Configuring Cisco 585 LRE CPEs 13-12 Assigning a Global Profile to All LRE Ports...
  • Page 13 Contents Configuring CPE Toggle 13-22 Configuring Syslog Export 13-22 Upgrading LRE Switch Firmware 13-23 Configuring for an LRE Upgrade 13-24 Performing an LRE Upgrade 13-24 Global Configuration of LRE Upgrades 13-25 Controller Configuration of LRE Upgrades 13-25 LRE Upgrade Details 13-26 LRE Upgrade Example 13-26...
  • Page 14 Contents Configuring the Switch Priority of a VLAN 14-20 Configuring Spanning-Tree Timers 14-21 Configuring the Hello Time 14-21 Configuring the Forwarding-Delay Time for a VLAN 14-22 Configuring the Maximum-Aging Time for a VLAN 14-22 Configuring Spanning Tree for Use in a Cascaded Stack 14-23 Displaying the Spanning-Tree Status 14-24...
  • Page 15 Contents Specifying the Link Type to Ensure Rapid Transitions 15-22 Restarting the Protocol Migration Process 15-22 Displaying the MST Configuration and Status 15-23 Chapter 16 Configuring Optional Spanning-Tree Features 16-1 Understanding Optional Spanning-Tree Features 16-1 Understanding Port Fast 16-2 Understanding BPDU Guard...
  • Page 16 Contents Configuring Normal-Range VLANs 17-4 Token Ring VLANs 17-5 Normal-Range VLAN Configuration Guidelines 17-5 VLAN Configuration Mode Options 17-6 VLAN Configuration in config-vlan Mode 17-6 VLAN Configuration in VLAN Configuration Mode 17-6 Saving VLAN Configuration 17-7 Default Ethernet VLAN Configuration 17-7 Creating or Modifying an Ethernet VLAN 17-8...
  • Page 17 Contents Configuring the VMPS Client 17-28 Entering the IP Address of the VMPS 17-28 Configuring Dynamic Access Ports on VMPS Clients 17-28 Reconfirming VLAN Memberships 17-29 Changing the Reconfirmation Interval 17-29 Changing the Retry Count 17-30 Monitoring the VMPS 17-30 Troubleshooting Dynamic Port VLAN Membership 17-31 VMPS Configuration Example...
  • Page 18 Default Voice VLAN Configuration 19-2 Voice VLAN Configuration Guidelines 19-3 Configuring a Port to Connect to a Cisco 7960 IP Phone 19-3 Configuring Ports to Carry Voice Traffic in 802.1Q Frames 19-4 Configuring Ports to Carry Voice Traffic in 802.1p Priority-Tagged Frames...
  • Page 19 Contents Configuring IGMP Snooping 21-6 Default IGMP Snooping Configuration 21-6 Enabling or Disabling IGMP Snooping 21-7 Setting the Snooping Method 21-8 Configuring a Multicast Router Port 21-9 Configuring a Host Statically to Join a Group 21-10 Enabling IGMP Immediate-Leave Processing 21-10 Disabling IGMP Report Suppression 21-11...
  • Page 20 Contents Configuring Port Security 22-7 Understanding Port Security 22-7 Secure MAC Addresses 22-7 Security Violations 22-8 Default Port Security Configuration 22-9 Port Security Configuration Guidelines 22-9 Enabling and Configuring Port Security 22-10 Enabling and Configuring Port Security Aging 22-12 Displaying Port-Based Traffic Control Settings 22-13 Configuring UDLD 23-1...
  • Page 21 Contents Chapter 25 Configuring SPAN and RSPAN 25-1 Understanding SPAN and RSPAN 25-1 SPAN and RSPAN Concepts and Terminology 25-3 SPAN Session 25-3 Traffic Types 25-3 Source Port 25-4 Destination Port 25-4 Reflector Port 25-5 SPAN Traffic 25-5 SPAN and RSPAN Interaction with Other Features...
  • Page 22 Contents Chapter 27 Configuring System Message Logging 27-1 Understanding System Message Logging 27-1 Configuring System Message Logging 27-2 System Log Message Format 27-2 Default System Message Logging Configuration 27-3 Disabling and Enabling Message Logging 27-4 Setting the Message Display Destination Device 27-4 Synchronizing Log Messages...
  • Page 23 Contents Chapter 29 Configuring Network Security with ACLs 29-1 Understanding ACLs 29-2 Handling Fragmented and Unfragmented Traffic 29-3 Understanding Access Control Parameters 29-4 Guidelines for Applying ACLs to Physical Interfaces 29-5 Configuring ACLs 29-6 Unsupported Features 29-7 Creating Standard and Extended IP ACLs 29-7...
  • Page 24 Contents Queueing and Scheduling 30-8 How Class of Service Works 30-8 Port Priority 30-8 Port Scheduling 30-8 Egress CoS Queues 30-9 Configuring Auto-QoS 30-9 Generated Auto-QoS Configuration 30-10 Effects of Auto-QoS on the Configuration 30-13 Configuration Guidelines 30-13 Upgrading from a Previous Software Release 30-14 Enabling Auto-QoS for VoIP 30-14...
  • Page 25 Contents Chapter 31 Configuring EtherChannels 31-1 Understanding EtherChannels 31-1 Understanding Port-Channel Interfaces 31-2 Understanding the Port Aggregation Protocol and Link Aggregation Protocol 31-3 PAgP and LACP Modes 31-4 Physical Learners and Aggregate-Port Learners 31-5 PAgP and LACP Interaction with Other Features 31-6 Understanding Load Balancing and Forwarding Methods 31-6...
  • Page 26 Appendix MIB List Using FTP to Access the MIB Files Appendix Working with the Cisco IOS File System, Configuration Files, and Software Images Working with the Flash File System...
  • Page 27 Working with Software Images B-19 Image Location on the Switch B-20 tar File Format of Images on a Server or Cisco.com B-20 Copying Image Files By Using TFTP B-21 Preparing to Download or Upload an Image File By Using TFTP...
  • Page 29 This guide is for the networking professional managing the Catalyst 2950 and 2955 switches, hereafter referred to as the switches. Before using this guide, you should have experience working with the Cisco IOS and be familiar with the concepts and terminology of Ethernet and local area networking.
  • Page 30 This guide does not repeat the concepts and CLI procedures provided in the standard Cisco IOS Release 12.1 documentation. For information about the standard Cisco IOS Release 12.1 commands, refer to the Cisco IOS documentation set available from the Cisco.com home page at Service and...
  • Page 31: Related Publications

    These documents provide complete information about the switch and are available from this Cisco.com site: http://www.cisco.com/univercd/cc/td/doc/product/lan/cat2950/index.htm You can order printed copies of documents with a DOC-xxxxxx= number from the Cisco.com sites and from the telephone numbers listed in the “Obtaining Documentation” section on page xxxi.
  • Page 32: Ordering Documentation

    Technical Support provides 24-hour-a-day, award-winning technical assistance. The Cisco Technical Support Website on Cisco.com features extensive online support resources. In addition, Cisco Technical Assistance Center (TAC) engineers provide telephone support. If you do not hold a valid Cisco service contract, contact your reseller.
  • Page 33: Submitting A Service Request

    URL: http://www.cisco.com/techsupport/servicerequest For S1 or S2 service requests or if you do not have Internet access, contact the Cisco TAC by telephone. (S1 or S2 service requests are those in which your production network is down or severely degraded.) Cisco TAC engineers are assigned immediately to S1 and S2 service requests to help keep your business operations running smoothly.
  • Page 34: Obtaining Additional Publications And Information

    Cisco Marketplace provides a variety of Cisco books, reference guides, and logo merchandise. Visit Cisco Marketplace, the company store, at this URL: http://www.cisco.com/go/marketplace/ The Cisco Product Catalog describes the networking products offered by Cisco Systems, as well as ordering and customer support services. Access the Cisco Product Catalog at this URL: http://cisco.com/univercd/cc/td/doc/pcat/...
  • Page 35: Features

    Chapter 1 Overview This chapter provides these topics about the Catalyst 2950 and Catalyst 2955 switch software: • Features, page 1-1 • Management Options, page 1-8 • Network Configuration Examples, page 1-10 • Where to Go Next, page 1-22 •...
  • Page 36: Chapter 1 Overview

    Catalyst 2955T-12 (Table footnotes: 1. SI = standard software image; 2. EI = enhanced software image.) Certain Cisco Long-Reach Ethernet (LRE) customer premises equipment (CPE) devices are not supported by certain Catalyst 2950 LRE switches. In Table 1-2, Yes means that the CPE is supported by the switch;...
  • Page 37 • Dynamic address learning for enhanced security Manageability • Cisco Intelligence Engine 2100 (IE2100) Series Cisco Networking Services (CNS) embedded agents for automating switch management, configuration storage and delivery (available only with the EI) • DHCP-based autoconfiguration for automatically configuring the switch during startup with IP...
  • Page 38 • Unicast MAC address filtering to drop packets with specific source or destination MAC addresses (available only with the EI) • Cisco Discovery Protocol (CDP) versions 1 and 2 for network topology discovery and mapping between the switch and other Cisco devices on the network • Network Time Protocol (NTP) for providing a consistent time stamp to all switches from an external...
  • Page 39 ... negotiating the type of trunking encapsulation (802.1Q) to be used • Voice VLAN for creating subnets for voice traffic from Cisco IP Phones • VLAN 1 minimization to reduce the risk of spanning-tree loops or storms by allowing VLAN 1 to...
  • Page 40 – Trusted boundary (detect the presence of a Cisco IP Phone, trust the CoS value received, and ensure port security. If the IP phone is not detected, disable the trusted setting on the port and prevent misuse of a high-priority queue.) • Policing...
  • Page 41 – Switch LRE ports and the Ethernet ports on remote LRE customer premises equipment (CPE) devices, such as the Cisco 575 LRE CPE or the Cisco 585 LRE CPE – CPE Ethernet ports and remote Ethernet devices, such as a PC •...
  • Page 42: Chapter 2 Using The Command-Line Interface

    Chapter 4, “Getting Started with CMS.” • CLI—The switch Cisco IOS CLI software is enhanced to support desktop-switching features. You can configure and monitor the switch and switch cluster members from the CLI. You can access the CLI either by connecting your management station directly to the switch console port or by using Telnet or SSH from a remote management station.
  • Page 43: Advantages Of Using Cms And Clustering Switches

    Using CMS and switch clusters can simplify and minimize your configuration and monitoring tasks. You can use Cisco switch clustering technology to manage up to 16 interconnected and supported Catalyst switches through one IP address as if they were a single entity. This can conserve IP addresses if you have a limited number of them.
  • Page 44: Network Configuration Examples

    Network Configuration Examples This section provides network configuration concepts and includes examples of using the switch to create dedicated network segments and interconnecting the segments through Fast Ethernet and Gigabit Ethernet connections. • “Design Concepts for Using the Switch” section on page 1-10 •...
  • Page 45 Table 1-4 Providing Network Services (columns: Network Demands, Suggested Design Methods). High demand for multimedia support: Use IGMP and MVR to efficiently forward multicast traffic. High demand for protecting mission-critical applications: Use VLANs and protected ports to provide security and port isolation. ...
  • Page 46 The GigaStack GBIC supports one full-duplex link (in a point-to-point configuration) or up to nine half-duplex links (in a stack configuration) to other Gigabit Ethernet devices. Using the required Cisco proprietary signaling and cabling, the GigaStack GBIC-to-GigaStack GBIC connection cannot exceed 3 feet (1 meter).
  • Page 47: Small To Medium-Sized Network Configuration

    Figure 1-2 Small to Medium-Sized Network Configuration (figure labels: Cisco 2600 router, 100 Mbps (200 Mbps full duplex), Gigabit server)...
  • Page 48: Collapsed Backbone And Switch Cluster Configuration

    Each 10/100 inline-power port on the Catalyst 3550-24PWR switches provides –48 VDC power to the Cisco IP Phone. The IP phone can receive redundant power when it is also connected to an AC power source. IP phones not connected to the Catalyst 3550-24PWR switches receive power from an AC power source.
  • Page 49: Hotel Network Configuration

    200 rooms. This network includes a PBX switchboard, a router, and high-speed servers. Connected to the telephone line in each hotel room is an LRE CPE device, such as a Cisco LRE CPE device. The LRE CPE device provides: •...
  • Page 50 Through a patch panel, the telephone line from each room connects to a nonhomologated POTS splitter, such as the Cisco LRE 48 POTS Splitter. The splitter routes data (high-frequency) and voice (low-frequency) traffic from the telephone line to a Catalyst 2950 LRE switch and digital private branch exchange (PBX).
  • Page 51 (Figure labels: LRE CPE, Floor 3, Patch panel, Catalyst 2950ST-8 LRE and 2950ST-24 LRE switches, Cisco LRE 48 POTS splitters, Servers, PSTN, Catalyst 2950 or Catalyst 3550 switch, Cisco 2600 router.)
  • Page 52: Service-Provider Central-Office Configuration

    (high-frequency) to a Catalyst 2950 LRE switch and voice (low-frequency) traffic from the telephone line to a PSTN. Connected to the telephone line in each office is a Cisco 576 LRE 997 CPE device. The LRE CPE device provides: •...
  • Page 53: Large Campus Configuration

    CallManager controls call processing, routing, and IP phone features and configuration. • Cisco Access gateway (such as Cisco Access Digital Trunk Gateway or Cisco Access Analog Trunk Gateway) that connects the IP network to the Public Switched Telephone Network (PSTN) or to users in an IP telephony network.
  • Page 54: Multidwelling Network Using Catalyst 2950 Switches

    (Figure labels: Catalyst 2950, 2900 XL, 3500 XL, and 3550 cluster; Catalyst 3550-24PWR GigaStack cluster; Cisco IP Phones; Workstations running Cisco SoftPhone software.) Multidwelling Network Using Catalyst 2950 Switches A growing segment of residential and commercial customers are requiring high-speed access to Ethernet metropolitan-area networks (MANs).
  • Page 55 The aggregating switches and routers provide services such as those described in the previous examples, “Small to Medium-Sized Network Configuration” and “Large Campus Configuration.” Figure 1-7 Catalyst 2950 Switches in a MAN Configuration (figure labels: Cisco 12000 Gigabit switch routers, Service Provider, Catalyst 6500 switches, Catalyst 3550...)
  • Page 56: Long-Distance, High-Bandwidth Transport Configuration

    The CWDM OADM modules on the receiving end separate (or demultiplex) the different wavelengths. For more information about the CWDM GBIC modules and CWDM OADM modules, refer to the Cisco CWDM GBIC and CWDM SFP Installation Note. Figure 1-8...
  • Page 57: Cisco Ios Command Modes

    Chapter 2 Using the Command-Line Interface This chapter describes the Cisco IOS command-line interface (CLI) that you can use to configure your Catalyst 2950 and Catalyst 2955 switches. It contains these sections: • Cisco IOS Command Modes, page 2-1...
  • Page 58 Chapter 2 Using the Command-Line Interface Cisco IOS Command Modes Table 2-1 describes the main command modes, how to access each one, the prompt you see in that mode, and how to exit the mode. The examples in the table use the host name Switch.
  • Page 59: Getting Help

    Table 2-1 Command Mode Summary (continued) (columns: Mode, Access Method, Prompt, Exit Method, About This Mode). Interface configuration: access method, while in global configuration mode, enter the interface...; prompt, Switch(config-if)#; exit method, to exit to global configuration mode, ...; about this mode, use this mode to configure parameters for the switch...
  • Page 60: Abbreviating Commands

    Table 2-2 Help Summary (continued) (columns: Command, Purpose). command ?: List the associated keywords for a command. For example: Switch> show ? command keyword ?: List the associated arguments for a keyword. For example: Switch(config)# cdp holdtime ? <10-255>...
  • Page 61: Understanding Cli Messages

    Understanding CLI Messages Table 2-3 lists some error messages that you might encounter while using the CLI to configure your switch. Table 2-3 Common CLI Error Messages (columns: Error Message, Meaning, How to Get Help). % Ambiguous command:...: meaning, you did not enter enough characters; how to get help, re-enter the command followed by a question mark (?)...
  • Page 62: Recalling Commands

    Recalling Commands To recall commands from the history buffer, perform one of the actions listed in Table 2-4: Table 2-4 Recalling Commands Action Result Press Ctrl-P or the up arrow key. Recall commands in the history buffer, beginning with the most recent command.
  • Page 63: Editing Commands Through Keystrokes

    To reconfigure a specific line to have enhanced editing mode, enter this command in line configuration mode: Switch(config-line)# editing To globally disable enhanced editing mode, enter this command in line configuration mode: Switch(config-line)# no editing Editing Commands through Keystrokes Table 2-5...
  • Page 64: Editing Command Lines That Wrap

    Table 2-5 Editing Commands through Keystrokes (continued) (columns: Capability, Keystroke, Purpose). Scroll down a line or screen on displays that are longer than the...: Press the Return key, scroll down one line. Press the Space bar, ...
  • Page 65: Searching And Filtering Output Of Show And More Commands

    Use line wrapping with the command history feature to recall and modify previous complex command entries. For information about recalling previous command entries, see the “Editing Commands through Keystrokes”...
  • Page 66: Accessing The Cli From A Browser

    Access page. You can access the CLI by clicking Web Console - HTML access to the command line interface from a cached copy of the Cisco Systems Access page. To prevent unauthorized access to CMS and the CLI, exit your browser to end the browser session.
  • Page 67: Understanding Catalyst 2955 Switch Alarms

    Chapter 3 Configuring Catalyst 2955 Switch Alarms This section describes how to configure the different alarms for the Catalyst 2955 switch. The alarms described in this chapter are not available on the Catalyst 2950 switch. Note: For complete syntax and usage information for the commands used in this chapter, refer to the switch command reference for this release.
  • Page 68: Chapter 3 Configuring Catalyst 2955 Switch Alarms

    Chapter 3 Configuring Catalyst 2955 Switch Alarms Understanding Catalyst 2955 Switch Alarms Global Status Monitoring Alarms The Catalyst 2955 switch contains facilities for processing alarms related to temperature and power supply conditions. These are referred to as global or facility alarms. Table 3-1 lists the three global alarms and their descriptions and functions.
  • Page 69: Port Status Monitoring Alarms

    You can associate any alarm condition with either alarm relay or both relays. Each fault condition is assigned a severity level based on the Cisco IOS System Error Message Severity Level.
  • Page 70: Default Catalyst 2955 Switch Alarm Configuration

    SNMP Traps: SNMP is an application-layer protocol that provides a message format for communication between managers and agents. The SNMP system consists of an SNMP manager, an SNMP agent, and a management information base (MIB).
  • Page 71: Configuring The Power Supply Alarm

    Configuring the Power Supply Alarm This section describes how to configure the power supply alarm on your switch. It contains this configuration information: • Setting the Power Mode, page 3-5 •...
  • Page 72: Configuring The Switch Temperature Alarms

    To disable sending the alarm to a relay, to syslog, or to an SNMP server, use the no alarm facility power-supply relay, no alarm facility power-supply notifies, or no alarm facility power-supply syslog global configuration commands.
  • Page 73: Associating The Temperature Alarms To A Relay

    Associating the Temperature Alarms to a Relay By default, the primary temperature alarm is associated to the major relay. You can use the alarm facility temperature command to associate the primary temperature alarm to the minor relay, to an SNMP trap, to a syslog message, or to associate the secondary temperature alarm to the major or minor relay, an SNMP trap, or a syslog message.
  • Page 74 Setting the FCS Error Threshold The switch generates an FCS bit error rate alarm when the actual FCS bit error rate is close to the configured FCS bit error rate. Use the fcs-threshold interface configuration command to set the FCS error threshold.
  • Page 75: Configuring Alarm Profiles

    Use the no alarm facility fcs-hysteresis command to set the FCS error hysteresis threshold to its default value. Note: The show running-config command displays any FCS error hysteresis that is not the default value. This example shows how to set the FCS error hysteresis at 5 percent.
  • Page 76: Attaching An Alarm Profile To A Specific Port

    This example creates or modifies the alarm profile fastE for the fastEthernetPort with link-down (alarmList ID 3) and an FCS error rate of 30 percent (alarmList ID 4) alarms enabled. The link-down alarm is connected to the minor relay, and the FCS error rate alarm is connected to the major relay.
  • Page 77: Enabling Snmp Traps

    This example detaches an alarm profile named fastE from a port. Switch(config)# interface FastEthernet 0/2 Switch(config-if)# no alarm profile fastE Enabling SNMP Traps Use the snmp-server enable traps alarms global configuration command to enable the switch to send alarm traps.
  • Page 79: Chapter 4 Getting Started With Cms

    Chapter 4 Getting Started with CMS This chapter contains these sections that describe the Cluster Management Suite (CMS) on the Catalyst 2950 or Catalyst 2955 switch: • “Understanding CMS” section on page 4-1 • “Configuring CMS” section on page 4-7 • “Displaying CMS”...
  • Page 80: Topology View

    Chapter 4 Getting Started with CMS Understanding CMS Topology View The Topology view displays a network map that uses icons representing switch clusters, the command switch, cluster members, cluster candidates, neighboring devices that are not eligible to join a cluster, and link types.
  • Page 81 Table 4-1 Toolbar Buttons (continued) (columns: Toolbar Option, Icon, Task). Port Settings: Display and configure port parameters on a switch. Smartports Device Macros: Display or configure Smartports macros on a switch. Smartports Port Macros: Display or configure Smartports macros on a port. VLAN: Display VLAN membership, assign ports to VLANs, and change the administration mode.
  • Page 82 Figure 4-2 Features Tab and Search Tab (figure callouts: 1 Features tab, 2 Search tab). Only features supported by the devices in your cluster are displayed in the feature bar. Note: You can search for features that are available for your cluster by clicking Search and entering a feature name, as shown in Figure 4-2.
  • Page 83: Online Help

    You can send us feedback about the information provided in the online help. Click Feedback to display an online form. After completing the form, click Submit to send your comments to Cisco Systems Inc. We appreciate and value your comments.
  • Page 84: Expert Mode

    Figure 4-3 Guide Mode and Wizards (figure callouts: Guide mode icon, Wizards). Guide mode is not available if your switch access level is read-only. For more information about the read-only access mode, see the “Privilege Levels”...
  • Page 85: Privilege Levels

    If your cluster has these member switches running earlier software releases and if you have read-only access to these member switches, some configuration windows for those switches display incomplete information: • Catalyst 2900 XL or Catalyst 3500 XL member switches running Cisco IOS Release 12.0(5)WC2 or earlier • Catalyst 2950 member switches running Cisco IOS Release 12.0(5)WC2 or earlier...
  • Page 86: Cms Requirements

    CMS Requirements This section describes the hardware and software requirements for running CMS: • “Minimum Hardware Configuration” section on page 4-8 • “Operating System and Browser Support” section on page 4-8 • “CMS Plug-In”...
  • Page 87: Cms Plug-In

    CMS on the Catalyst 1900 and Catalyst 2820 switches is referred to as Switch Manager. Cluster management options are not available on these switches. This is the earliest version of CMS. Refer to the documentation specific to the switch and its Cisco IOS release for descriptions of the CMS version.
  • Page 88: Specifying An Http Port (Nondefault Configuration Only)

    • enable—Enable password, which is the default method of HTTP server user authentication, is used. • local—Local user database, as defined on the Cisco router or access server, is used. • tacacs—TACACS server is used. Step 3 Return to privileged EXEC mode.
  • Page 89 • Tools—Accesses diagnostic and monitoring tools, such as Telnet, Extended Ping, and the show interfaces privileged EXEC command • Help Resources—Provides links to the Cisco website, technical documentation, and the Cisco Technical Assistance Center (TAC) Step 3 Click Cluster Management Suite to launch the CMS interface. The CMS Startup Report runs and verifies that your PC or workstation can correctly run CMS.
  • Page 90 If you are running an unsupported operating system, web browser, CMS plug-in or Java plug-in, or if the plug-in is not enabled, the CMS Startup Report page appears, as shown in Figure 4-5.
  • Page 91: Front Panel View

    Front Panel View When CMS is launched from a command switch, you can display the Front Panel view by clicking the Front Panel button on the tool bar, as shown in Figure 4-6.
  • Page 92: Topology View

    Note Figure 4-7 shows a cluster with a Catalyst 3550 switch as the command switch. Refer to the release notes for a list of switches that can be members of a cluster with a Catalyst 2950 or a Catalyst 2955 switch as the command switch.
  • Page 93: Cms Icons

    The Topology view shows how the devices within a switch cluster are connected and how the switch cluster is connected to other clusters and devices. From this view, you can add and remove cluster members.
  • Page 95: Chapter 5 Assigning The Switch Ip Address And Default Gateway

    Note For complete syntax and usage information for the commands used in this chapter, refer to the command reference for this release and the Cisco IOS IP and IP Routing Command Reference, Release 12.1. This chapter consists of these sections: • Understanding the Boot Process, page 5-1...
  • Page 96: Assigning Switch Information

    The Catalyst 2955 switches do not support Express Setup. Non-LRE Catalyst 2950 switches running a release prior to Cisco IOS Release 12.1(14)EA1 and Catalyst 2950 LRE switches running a release prior to Cisco IOS Release 12.1(19)EA1 do not support Express Setup.
  • Page 97: Default Switch Information

    CLI-based setup program also allows you to configure your switch as a command or member switch of a cluster or as a standalone switch. For more information about the Express Setup and CLI-based setup programs, refer to the hardware installation guide for your switch.
  • Page 98: Dhcp Client Request Process

    With DHCP-based autoconfiguration, no DHCP client-side configuration is needed on your switch. However, you need to configure the DHCP server for various lease options associated with IP addresses. If you are using DHCP to relay the configuration file location on the network, you might also need to configure a TFTP server and a Domain Name System (DNS) server.
  • Page 99: Configuring Dhcp-Based Autoconfiguration

    • Example Configuration, page 5-9 If your DHCP server is a Cisco device, or if you are configuring the switch as a DHCP server, refer to the “IP Addressing and Services” section in the Cisco IOS IP and IP Routing Configuration Guide for Cisco IOS Release 12.1 for additional information about configuring DHCP.
  • Page 100 If you want the switch to receive the configuration file from a TFTP server, you must configure the DHCP server with these lease options: • TFTP server name (required) •...
  • Page 101: Configuring The Dns

    If the relay device is a Cisco router, enable IP routing (ip routing global configuration command), and configure helper addresses by using the ip helper-address interface configuration command.
  • Page 102: Obtaining Configuration Files

    Obtaining Configuration Files Depending on the availability of the IP address and the configuration filename in the DHCP reserved lease, the switch obtains its configuration information in these ways: • The IP address and the configuration filename are reserved for the switch and provided in the DHCP...
  • Page 103: Example Configuration

    Figure 5-3 DHCP-Based Autoconfiguration Network Example [figure: Switch 1 through Switch 4 with MAC addresses 00e0.9f1e.2001 through 00e0.9f1e.2004; a Cisco router; the DHCP server, DNS server, and TFTP server (tftpserver); addresses 10.0.0.10, 10.0.0.1, 10.0.0.2, and 10.0.0.3] Table 5-2 shows the configuration of the reserved leases on the DHCP server.
  • Page 104: Manually Assigning Ip Information

    switchb-confg switchc-confg switchd-confg prompt> cat network-confg ip host switch1 10.0.0.21 ip host switch2 10.0.0.22 ip host switch3 10.0.0.23 ip host switch4 10.0.0.24 DHCP Client Configuration No configuration file is present on Switch A through Switch D. Configuration Explanation In Figure 5-3, Switch A reads its configuration file as follows:...
  • Page 105: Checking And Saving The Running Configuration

    EXEC command: For information about the output of this command, refer to the Cisco IOS Configuration Fundamentals Command Reference for Release 12.1. To store the configuration or changes you have made to your startup configuration in flash memory, enter the copy running-config startup-config privileged EXEC command.
  • Page 106: Default Boot Configuration

    Specifying the Filename to Read and Write the System Configuration By default, the Cisco IOS software uses the file config.text to read and write a nonvolatile copy of the system configuration. However, you can specify a different filename that will be loaded during the next boot cycle.
  • Page 107: Booting Manually

    To return to the default setting, use the no boot config-file global configuration command. Booting Manually By default, the switch automatically boots; however, you can configure it to manually boot. Beginning in privileged EXEC mode, follow these steps to configure the switch to manually boot during the next boot cycle: Command...
  • Page 108: Controlling Environment Variables

    Beginning in privileged EXEC mode, follow these steps to configure the switch to boot a specific image during the next boot cycle: Command Purpose Step 1 configure terminal Enter global configuration mode.
  • Page 109 Cisco IOS configuration file can be stored as an environment variable. You can change the settings of the environment variables by accessing the boot loader or by using Cisco IOS commands. It is not necessary to alter the setting of the environment variables.
  • Page 110: Scheduling A Reload Of The Software Image

    Table 5-5 Environment Variables (continued) Variable: CONFIG_FILE. Boot Loader Command: set CONFIG_FILE flash:/file-url (Changes the filename that the software uses...). Cisco IOS Global Configuration Command: boot config-file flash:/file-url (Specifies the filename that the software uses...)
  • Page 111: Displaying Scheduled Reload Information

    Note Use the at keyword only if the switch system clock has been set (through Network Time Protocol (NTP), the hardware calendar, or manually). The time is relative to the configured time zone on the switch.
  • Page 113: Chapter 6 Configuring Ie2100 Cns Agents

    Services (CNS) embedded agents on your Catalyst 2950 or Catalyst 2955 switch. To use the feature described in this chapter, you must have the enhanced software image (EI) installed on your switch. Note For complete syntax and usage information for the commands used in this section, refer to the Cisco Intelligence Engine 2100 Series Configuration Registrar Manual, and select Cisco IOS Software Release 12.2 >...
  • Page 114: Chapter 6 Configuring Ie2100 Cn Agent

    Figure 6-1 Configuration Registrar Architectural Overview [figure: service provider network; data service; configuration registrar with directory, configuration server, event service, and web-based user interface; order entry configuration management] These sections contain this conceptual information: •...
  • Page 115: Cns Event Service

    ID or group ID, and event. Cisco IOS devices recognize only event subject-names that match those configured in Cisco IOS software; for example, cisco.cns.config.load. You can use the namespace mapping service to designate events by using any desired naming convention.
  • Page 116: Deviceid

    Configuration Registrar. The origin of the deviceID is defined by the Cisco IOS host name of the switch. However, the deviceID variable and its usage reside within the event gateway, which is adjacent to the switch.
  • Page 117: Understanding Cns Embedded Agents

    Understanding CNS Embedded Agents The CNS event agent feature allows the switch to publish and subscribe to events on the event bus and works with the CNS configuration agent. The CNS configuration agent feature supports the switch by providing: •...
  • Page 118: Incremental (Partial) Configuration

    NVRAM for use at the next reboot. Configuring CNS Embedded Agents The CNS agents embedded in the switch Cisco IOS software allow the switch to be connected and automatically configured as described in the “Enabling Automated CNS Configuration” section on page 6-6.
  • Page 119 Note For more information about running the setup program and creating templates on the Configuration Registrar, refer to the Cisco Intelligence Engine 2100 Series Configuration Registrar Manual.
  • Page 120: Enabling The Cns Event Agent

    Enabling the CNS Event Agent Note You must enable the CNS event agent on the switch before you enable the CNS configuration agent. Beginning in privileged EXEC mode, follow these steps to enable the CNS event agent on the switch: Command Purpose Step 1...
  • Page 121: Enabling The Cns Configuration Agent

    Enabling the CNS Configuration Agent After enabling the CNS event agent, start the CNS configuration agent on the switch. You can enable the configuration agent with these commands: • the cns config initial global configuration command enables the configuration agent and initiates an initial configuration on the switch.
  • Page 122 Command Purpose Step 6 ip route network-number: Establish a static route to the Configuration Registrar whose IP address is network-number. Step 7 cns id interface num {dns-reverse | ipaddress | mac-address} [event]: Set the unique eventID or configID used by the Configuration Registrar.
  • Page 123 Command Purpose Step 8 cns config initial {ip-address | hostname} [port-number] [event] [no-persist] [page page] [source ip-address] [syntax-check]: Enable the configuration agent, and initiate an initial configuration. • For {ip-address | hostname}, enter the IP address or the host name of the configuration server.
  • Page 124: Enabling A Partial Configuration

    Enabling a Partial Configuration Beginning in privileged EXEC mode, follow these steps to enable the CNS configuration agent and to initiate a partial configuration on the switch: Command Purpose Step 1 configure terminal Enter global configuration mode.
  • Page 125: Displaying Cns Configuration

    Displaying CNS Configuration You can use the privileged EXEC commands in Table 6-2 to display CNS Configuration information. Table 6-2 Displaying CNS Configuration: show cns config connections: Displays the status of the CNS configuration agent connections. show cns config outstanding: Displays information about incremental (partial) CNS configurations that have started but are not yet completed.
  • Page 127: Chapter 7 Clustering Switches

    Clustering Switches This chapter provides these topics to help you get started with switch clustering: • Understanding Switch Clusters, page 7-2 • Planning a Switch Cluster, page 7-5 • Creating a Switch Cluster, page 7-18 • Using the CLI to Manage Switch Clusters, page 7-23 •...
  • Page 128: Understanding Switch Clusters

    Understanding Switch Clusters A switch cluster is a group of connected Catalyst switches that are managed as a single entity. In a switch cluster, 1 switch must be the command switch and up to 15 switches can be member switches. The total number of switches in a cluster cannot exceed 16 switches.
  • Page 129: Command Switch Characteristics

    VLAN and to the member switches through a common VLAN. • If a non-LRE Catalyst 2950 command switch is running Cisco IOS Release 12.1(9)EA1 or later, it is connected to the standby command switches through the management VLAN and to the member switches through a common VLAN.
  • Page 130: Candidate Switch And Member Switch Characteristics

    VLAN. • If a non-LRE Catalyst 2950 member or candidate switch is running a release earlier than Cisco IOS Release 12.1(9)EA1, it is connected to the command switch through the command-switch management VLAN.
  • Page 131: Planning A Switch Cluster

    ACLs on interfaces that are configured with an IP address. Automatic Discovery of Cluster Candidates and Members The command switch uses Cisco Discovery Protocol (CDP) to discover member switches, candidate switches, neighboring switch clusters, and edge devices in star or cascaded topologies.
  • Page 132 In Figure 7-2, the non-LRE Catalyst 2950 command switch is running Cisco IOS Release 12.1(9)EA1 or later and has ports assigned to VLANs 16 and 62. The CDP hop count is three. Each command switch discovers switches 11, 12, 13, and 14 because they are within three hops from the edge of the cluster. It does not discover switch 15 because it is four hops from the edge of the cluster.
  • Page 133: Discovery Through Non-Cdp-Capable And Noncluster-Capable Devices

    Discovery through Non-CDP-Capable and Noncluster-Capable Devices If a command switch is connected to a non-CDP-capable third-party hub (such as a non-Cisco hub), it can discover cluster-enabled devices connected to that third-party hub. However, if the command switch is connected to a noncluster-capable Cisco device, it cannot discover a cluster-enabled device connected beyond the noncluster-capable Cisco device.
  • Page 134: Discovery Through The Same Management Vlan

    Catalyst 2955 switch, a Catalyst 2950 LRE switch, a non-LRE Catalyst 2950 command switch running Cisco IOS Release 12.1(9)EA1 or later, or a Catalyst 2940 switch. These command switches can manage cluster members even if they belong to different management VLANs. See the “Discovery...
  • Page 135: Discovery Through Different Management Vlans

    We recommend using as a command switch a Catalyst 3550 switch, a Catalyst 2955 switch, a Catalyst 2950 LRE switch, a non-LRE Catalyst 2950 switch running Cisco IOS Release 12.1(9)EA1 or later, or a Catalyst 2940 switch. These command switches can discover and manage member switches in different VLANs and different management VLANs.
  • Page 136: Discovery Of Newly Installed Switches

    Figure 7-6 shows a non-LRE Catalyst 2950 command switch running a release earlier than Cisco IOS Release 12.1(9)EA1 that belongs to management VLAN 16. When the new candidate switches join the cluster, their management VLAN and access ports change from VLAN 1 to VLAN 16.
  • Page 137: Hsrp And Standby Command Switches

    • When the command switch is a Catalyst 2940 switch, all standby command switches must be Catalyst 2940 switches. • When the command switch is a non-LRE Catalyst 2950 switch running Cisco IOS Release 12.1(6)EA2 or later, all standby command switches must be non-LRE Catalyst 2950 switches running Cisco IOS Release 12.1(6)EA2 or later.
  • Page 138: Virtual Ip Addresses

    standby priority interface configuration command in the Cisco IOS Release 12.1 documentation set. The HSRP commands are the same for changing the priority of cluster standby group members and router-redundancy group members.
  • Page 139 Release 12.1(6)EA2 or later, all standby command switches must be non-LRE Catalyst 2950 switches running Cisco IOS Release 12.1(6)EA2 or later. – When the command switch is running Cisco IOS Release 12.0(5)WC2 or earlier, the standby command switches can be these switches: Catalyst 2900 XL, non-LRE Catalyst 2950, and Catalyst 3500 XL switches.
  • Page 140: Automatic Recovery Of Cluster Configuration

    Automatic Recovery of Cluster Configuration The active command switch continually forwards cluster-configuration information (but not device-configuration information) to the standby command switch. This ensures that the standby command switch can take over the cluster immediately after the active command switch fails. Automatic discovery has these limitations: • This limitation applies only to clusters that have Catalyst 2940, Catalyst 2950, Catalyst 2955, and...
  • Page 141: Host Names

    Host Names You do not need to assign a host name to either a command switch or an eligible cluster member. However, a host name assigned to the command switch can help to identify the switch cluster. The default host name for the switch is Switch.
  • Page 142: Tacacs+ And Radius

    • read-only access to these member switches, some configuration windows for those switches display incomplete information: – Catalyst 2900 XL or Catalyst 3500 XL member switches running Cisco IOS Release 12.0(5)WC2 or earlier – Non-LRE Catalyst 2950 member switches running Cisco IOS Release 12.0(5)WC2 or earlier...
  • Page 143: Lre Profiles

    • If the command switch is a Catalyst 2950 running Cisco IOS Release 12.1(9)EA1 or later or a Catalyst 2955, candidate and member switches can belong to different management VLANs. However, they must connect to the command switch through their management VLAN.
  • Page 144: Creating A Switch Cluster

    Creating a Switch Cluster Using CMS to create a cluster is easier than using the CLI commands. This section provides this information: • Enabling a Command Switch, page 7-18 • Adding Member Switches, page 7-19 • Creating a Cluster Standby Group, page 7-21 •...
  • Page 145: Adding Member Switches

    Figure 7-9 Create Cluster Window [figure callout: Enter up to 31 characters to name the cluster.] Adding Member Switches As explained in the “Automatic Discovery of Cluster Candidates and Members” section on page 7-5, the command switch automatically discovers candidate switches.
  • Page 146 For additional authentication considerations in switch clusters, see the “TACACS+ and RADIUS” section on page 7-16. Figure 7-10 Add to Cluster Window [figure callouts: Select a switch, and click Add. Press Ctrl and left-click to select more than one switch.]
  • Page 147: Creating A Cluster Standby Group

    Cisco IOS Release 12.1(6)EA2 or later. • When the command switch is running Cisco IOS Release 12.0(5)WC2 or earlier, the standby command switches can be these switches: Catalyst 2900 XL, non-LRE Catalyst 2950, and Catalyst 3500 XL switches.
  • Page 148: Verifying A Switch Cluster

    Figure 7-12 Standby Command Configuration Window [figure callouts: Active command switch. Standby command switch. Must be a valid IP address in the same subnet as the active command switch.]
  • Page 149: Using The Cli To Manage Switch Clusters

    Figure 7-13 Inventory Window [figure: inventory table listing the software version and IP addresses of each cluster member] If you lose connectivity with a member switch or if a command switch fails, see the “Using Recovery Procedures”...
  • Page 150: Catalyst 1900 And Catalyst 2820 Cli Considerations

    Catalyst 1900 and Catalyst 2820 CLI Considerations If your switch cluster has Catalyst 1900 and Catalyst 2820 switches running standard edition software, the Telnet session accesses the management console (a menu-driven interface) if the command switch is at privilege level 15.
  • Page 151 Figure 7-14 SNMP Management for a Cluster [figure: SNMP Manager; command switch; Trap 1, Trap 2, Trap 3; Member 1, Member 2, Member 3]
  • Page 153: Managing The System Time And Date

    You can manage the system time and date on your switch using automatic configuration, such as the Network Time Protocol (NTP), or manual configuration methods. Note For complete syntax and usage information for the commands used in this section, refer to the Cisco IOS Configuration Fundamentals Command Reference for Cisco IOS Release 12.1.
  • Page 154: Chapter 8 Administering The Switch

    Cisco’s implementation of NTP does not support stratum 1 service; it is not possible to connect to a radio or atomic clock. We recommend that the time service for your network be derived from the public NTP servers available on the IP Internet.
  • Page 155: Configuring Ntp

    If the network is isolated from the Internet, Cisco’s implementation of NTP allows a device to act as though it is synchronized through NTP, when in fact it has determined the time by using other means. Other devices then synchronize to that device through NTP.
  • Page 156: Default Ntp Configuration

    This section contains this configuration information: • Default NTP Configuration, page 8-4 • Configuring NTP Authentication, page 8-4 • Configuring NTP Associations, page 8-6 • Configuring NTP Broadcast Service, page 8-7 •...
  • Page 157 Beginning in privileged EXEC mode, follow these steps to authenticate the associations (communications between devices running NTP that provide for accurate timekeeping) with other devices for security purposes: Command Purpose Step 1 configure terminal...
  • Page 158: Configuring Ntp Associations

    Configuring NTP Associations An NTP association can be a peer association (this switch can either synchronize to the other device or allow the other device to synchronize to it), or it can be a server association (meaning that only this switch synchronizes to the other device, and not the other way around).
  • Page 159: Configuring Ntp Broadcast Service

    Configuring NTP Broadcast Service The communications between devices running NTP (known as associations) are usually statically configured; each device is given the IP addresses of all devices with which it should form associations. Accurate timekeeping is possible by exchanging NTP messages between each pair of devices with an association.
  • Page 160: Configuring Ntp Access Restrictions

    Beginning in privileged EXEC mode, follow these steps to configure the switch to receive NTP broadcast packets from connected peers: Command Purpose Step 1 configure terminal Enter global configuration mode. Step 2 interface interface-id Specify the interface to receive NTP broadcast packets, and enter interface...
  • Page 161 Creating an Access Group and Assigning a Basic IP Access List Beginning in privileged EXEC mode, follow these steps to control access to NTP services by using access lists: Command Purpose Step 1...
  • Page 162: Configuring The Source Ip Address For Ntp Packets

    If the source IP address matches the access lists for more than one access type, the first type is granted. If no access groups are specified, all access types are granted to all devices. If any access groups are specified, only the specified access types are granted.
  • Page 163: Displaying The Ntp Configuration

    [detail] • show ntp status For detailed information about the fields in these displays, refer to the Cisco IOS Configuration Fundamentals Command Reference for Cisco IOS Release 12.1. Configuring Time and Date Manually If no other source of time is available, you can manually configure the time and date after the system is restarted.
  • Page 164: Setting The System Clock

    Setting the System Clock If you have an outside source on the network that provides time services, such as an NTP server, you do not need to manually set the system clock. Beginning in privileged EXEC mode, follow these steps to set the system clock: Command Purpose...
  • Page 165: Configuring The Time Zone

    Configuring the Time Zone Beginning in privileged EXEC mode, follow these steps to manually configure the time zone: Command Purpose Step 1 configure terminal Enter global configuration mode. Step 2 clock timezone zone hours-offset Set the time zone.
  • Page 166: Configuring Summer Time (Daylight Saving Time)

    Configuring Summer Time (Daylight Saving Time) Beginning in privileged EXEC mode, follow these steps to configure summer time (daylight saving time) in areas where it starts and ends on a particular day of the week each year: Command Purpose Step 1...
  • Page 167 Beginning in privileged EXEC mode, follow these steps if summer time in your area does not follow a recurring pattern (configure the exact date and time of the next summer time events): Command Purpose Step 1...
  • Page 168: Configuring A System Name And Prompt

    Note For complete syntax and usage information for the commands used in this section, refer to the Cisco IOS Configuration Fundamentals Command Reference for Cisco IOS Release 12.1 and the Cisco IOS IP and IP Routing Command Reference for Cisco IOS Release 12.1.
  • Page 169: Configuring A System Prompt

    Domain names are pieced together with periods (.) as the delimiting characters. For example, Cisco Systems is a commercial organization that IP identifies by a com domain name, so its domain name is cisco.com. A specific device in this domain, for example, the File Transfer Protocol (FTP) system is identified as ftp.cisco.com.
  • Page 170: Default Dns Configuration

    Default DNS Configuration Table 8-2 shows the default DNS configuration. Table 8-2 Default DNS Configuration (Feature: Default Setting): DNS enable state: Enabled. DNS default domain name: None configured. DNS servers: No name server addresses are configured.
  • Page 171: Displaying The Dns Configuration

    The login banner also displays on all connected terminals. It appears after the MOTD banner and before the login prompts. Note For complete syntax and usage information for the commands used in this section, refer to the Cisco IOS Configuration Fundamentals Command Reference for Cisco IOS Release 12.1. This section contains this configuration information: •...
  • Page 172: Configuring A Message-Of-The-Day Login Banner

    Configuring a Message-of-the-Day Login Banner You can create a single or multiline message banner that appears on the screen when someone logs in to the switch. Beginning in privileged EXEC mode, follow these steps to configure a MOTD login banner: Command Purpose Step 1...
  • Page 173: Configuring A Login Banner

    Configuring a Login Banner You can configure a login banner to be displayed on all connected terminals. This banner appears after the MOTD banner and before the login prompt. Beginning in privileged EXEC mode, follow these steps to configure a login banner: Command Purpose Step 1...
  • Page 174: Building The Address Table

    This section contains this configuration information: • Building the Address Table, page 8-22 • MAC Addresses and VLANs, page 8-22 • Default MAC Address Table Configuration, page 8-23 • Changing the Address Aging Time, page 8-23 •...
  • Page 175: Default Mac Address Table Configuration

    Default MAC Address Table Configuration Table 8-3 shows the default MAC address table configuration. Table 8-3 Default MAC Address Table Configuration (Feature: Default Setting): Aging time: 300 seconds. Dynamic addresses: Automatically learned. Static addresses: None configured...
  • Page 176: Removing Dynamic Address Entries

    Removing Dynamic Address Entries To remove all dynamic entries, use the clear mac address-table dynamic command in privileged EXEC mode. You can also remove a specific MAC address (clear mac address-table dynamic address mac-address), remove all addresses on the specified physical port or port channel (clear mac address-table dynamic interface interface-id), or remove all addresses on a specified VLAN (clear mac address-table dynamic vlan vlan-id).
  • Page 177 Command Purpose Step 5 mac address-table notification [interval value] | [history-size value]: Enter the trap interval time and the history table size. • (Optional) For interval value, specify the notification trap interval in seconds between each set of traps that are generated to the NMS.
  • Page 178: Adding And Removing Static Address Entries

    Adding and Removing Static Address Entries A static address has these characteristics: • It is manually entered in the address table and must be manually removed. • It can be a unicast or multicast address. •...
  • Page 179: Configuring Unicast Mac Address Filtering

    This example shows how to add the static address c2f3.220a.12f4 to the MAC address table. When a packet is received in VLAN 4 with this MAC address as its destination address, the packet is forwarded to the specified interface: Switch(config)# mac address-table static c2f3.220a.12f4 vlan 4 interface gigabitethernet0/1...
  • Page 180: Displaying Address Table Entries

    (represented by the arpa keyword) is enabled on the IP interface. ARP entries added manually to the table do not age and must be manually removed. For CLI procedures, refer to the Cisco IOS Release 12.1 documentation on Cisco.com. ...
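The address-table display commands this section points to are also raw material for two routine security checks: a dynamic address that has moved from one port to another between two snapshots (a spoofed or flapping host), and a port that has learned far more dynamic addresses than an access port ever should (CAM-table flooding). The following Python script is an added example, not code from the Cisco guide; both snapshots of show mac address-table output are constructed for illustration, in the column layout a Catalyst 2950 prints.

```python
# Two checks over `show mac address-table` output: a MAC that moved between ports
# from one snapshot to the next (a spoofed or flapping host) and a port learning
# far more dynamic addresses than a normal edge port should (CAM flooding).
# Added example, not from the Cisco guide; both snapshots are constructed.
import re
from typing import Dict, List, Tuple

Entry = Tuple[str, str, str, str]  # (vlan, mac, type, port)

HEADER = """\
          Mac Address Table
------------------------------------------

Vlan    Mac Address       Type        Ports
----    -----------       --------    -----
"""
STATIC_ROWS = [" All    0100.0ccc.cccc    STATIC      CPU",
               "   4    c2f3.220a.12f4    STATIC      Gi0/1"]  # the chapter's static example

SNAPSHOT_1 = HEADER + "\n".join(STATIC_ROWS + [
    "   1    0011.2233.4455    DYNAMIC     Fa0/1",
    "   1    0011.2233.aabb    DYNAMIC     Fa0/2",
]) + "\n"

# Later snapshot: 0011.2233.4455 now shows up on Fa0/7, and Fa0/12 has learned 40 addresses.
SNAPSHOT_2 = HEADER + "\n".join(STATIC_ROWS + [
    "   1    0011.2233.4455    DYNAMIC     Fa0/7",
    "   1    0011.2233.aabb    DYNAMIC     Fa0/2",
] + [f"  10    00aa.0001.{i:04x}    DYNAMIC     Fa0/12" for i in range(40)]) + "\n"

ROW = re.compile(r"^\s*(\S+)\s+([0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4})\s+(\S+)\s+(\S+)\s*$")


def parse_mac_table(text: str) -> List[Entry]:
    """Pick the data rows out of show mac address-table output; title and rules are skipped."""
    return [m.groups() for m in (ROW.match(line) for line in text.splitlines()) if m]


def mac_moves(old: List[Entry], new: List[Entry]) -> List[Tuple[str, str, str, str]]:
    """(vlan, mac, old_port, new_port) for each dynamic address that changed port."""
    before = {(vlan, mac): port for vlan, mac, kind, port in old if kind == "DYNAMIC"}
    moves = []
    for vlan, mac, kind, port in new:
        if kind == "DYNAMIC" and (vlan, mac) in before and before[(vlan, mac)] != port:
            moves.append((vlan, mac, before[(vlan, mac)], port))
    return sorted(moves)


def ports_over_threshold(entries: List[Entry], threshold: int) -> Dict[str, int]:
    """Ports whose dynamic address count exceeds threshold: flooding on an access port."""
    counts: Dict[str, int] = {}
    for _, _, kind, port in entries:
        if kind == "DYNAMIC":
            counts[port] = counts.get(port, 0) + 1
    return {port: n for port, n in counts.items() if n > threshold}


if __name__ == "__main__":
    old, new = parse_mac_table(SNAPSHOT_1), parse_mac_table(SNAPSHOT_2)
    print(mac_moves(old, new))            # [('1', '0011.2233.4455', 'Fa0/1', 'Fa0/7')]
    print(ports_over_threshold(new, 20))  # {'Fa0/12': 40}
```

Run it against two captures taken a few minutes apart. A move for the same VLAN and MAC is worth correlating with the port's link state and, where port security is configured, with its violation counters; a port over the threshold is the classic signature of a flooding tool and a reason to cap the port with port security rather than to keep raising the aging time.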
  • Page 181: Configuring Switch-Based Authentication

    C H A P T E R Configuring Switch-Based Authentication This chapter describes how to configure switch-based authentication on the Catalyst 2950 or Catalyst 2955 switch. This chapter consists of these sections: Preventing Unauthorized Access to Your Switch, page 9-1 •...
  • Page 182: C H A P T E R 9 Configuring Switch-Based Authentication

    Note For complete syntax and usage information for the commands used in this section, refer to the Cisco IOS Security Command Reference for Cisco IOS Release 12.1.
  • Page 183: Setting Or Changing A Static Enable Password

    Chapter 9 Configuring Switch-Based Authentication Protecting Access to Privileged EXEC Commands Setting or Changing a Static Enable Password The enable password controls access to the privileged EXEC mode. Beginning in privileged EXEC mode, follow these steps to set or change a static enable password: Command Purpose Step 1...
  • Page 184: Protecting Enable And Enable Secret Passwords With Encryption

    By default, no password is defined. • (Optional) For encryption-type, only type 5 is available. The guide describes it as a Cisco proprietary encryption algorithm; in practice it is a salted, one-way MD5 hash, so the stored string cannot be turned back into the password. If you specify an encryption type, you must provide an already-encrypted password, one you copy...
  • Page 185: Disabling Password Recovery

    Chapter 9 Configuring Switch-Based Authentication Protecting Access to Privileged EXEC Commands If both the enable and enable secret passwords are defined, users must enter the enable secret password. Use the level keyword to define a password for a specific privilege level. After you specify the level and set a password, give the password only to users who need to have access at this level.
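The reason the guide steers you to enable secret is worth seeing rather than taking on trust. The enable secret command stores a type 5 hash; the service password-encryption command, which protects enable password and line passwords, stores type 7 strings, and type 7 is a reversible XOR against a fixed key, not encryption. The Python below is an added example, not code from the Cisco guide: it decodes and re-encodes type 7 strings with the widely published key (an assumption about the IOS build in use; every published decoder agrees on at least the first 40 characters) and pulls every password 7 line out of a saved configuration. The string 094F471A1A0A is the well-known test vector for the password cisco.

```python
# Cisco IOS "type 7" password obfuscation, the scheme behind `service
# password-encryption`. Added example, not from the Cisco guide. The key below
# is the widely published one (assumption: it matches the IOS build in use; the
# first 40 characters are the part every published decoder agrees on).
TYPE7_KEY = b"dsfd;kfoA,.iyewrkldJKDHSUBsgvca69834ncxv9873254k;fg87"


def decode_type7(encoded: str) -> str:
    """Reverse a type 7 string: two decimal digits of seed, then hex pairs, each
    XORed with the key byte at (seed + position)."""
    if len(encoded) < 4 or len(encoded) % 2 or not encoded[:2].isdigit():
        raise ValueError("not a type 7 string")
    seed = int(encoded[:2])
    if seed > 15:
        raise ValueError("type 7 seed is 0..15")
    data = bytes.fromhex(encoded[2:])
    plain = bytes(b ^ TYPE7_KEY[(seed + i) % len(TYPE7_KEY)] for i, b in enumerate(data))
    return plain.decode("ascii")


def encode_type7(password: str, seed: int = 0) -> str:
    """Produce a type 7 string. IOS picks the seed itself; here it is a parameter
    so that the round trip can be checked for every seed."""
    if not 0 <= seed <= 15:
        raise ValueError("seed is 0..15")
    data = password.encode("ascii")
    hidden = bytes(b ^ TYPE7_KEY[(seed + i) % len(TYPE7_KEY)] for i, b in enumerate(data))
    return f"{seed:02d}" + hidden.hex().upper()


def recover_type7_from_config(config: str) -> dict:
    """Map every 'password 7 <hex>' line in a saved configuration to its cleartext.
    This is what anyone holding a copy of the config (TFTP server, backup, a pasted
    show running-config) can do, which is why `enable secret` exists."""
    recovered = {}
    for raw in config.splitlines():
        tokens = raw.split()
        if "password" in tokens:
            i = tokens.index("password")
            if len(tokens) > i + 2 and tokens[i + 1] == "7":
                recovered[raw.strip()] = decode_type7(tokens[i + 2])
    return recovered


if __name__ == "__main__":
    # "094F471A1A0A" is the well-known test vector for the password "cisco".
    print(decode_type7("094F471A1A0A"))   # cisco
    print(encode_type7("cisco", seed=9))  # 094F471A1A0A
```

Treat a type 7 string as cleartext wherever the configuration travels: service password-encryption only stops shoulder-surfing of show running-config. Keep enable secret, and keep configuration backups under the same access control as the privileged password itself.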
  • Page 186: Setting A Telnet Password For A Terminal Line

    Chapter 9 Configuring Switch-Based Authentication Protecting Access to Privileged EXEC Commands Beginning in privileged EXEC mode, follow these steps to disable password recovery: Command Purpose Step 1 configure terminal Enter global configuration mode. Step 2 no service password-recovery Disable password recovery. This setting is saved in an area of the flash memory that is accessible by the boot loader and the software image, but it is not part of the file system and is not accessible by any user.
  • Page 187: Configuring Username And Password Pairs

    Chapter 9 Configuring Switch-Based Authentication Protecting Access to Privileged EXEC Commands Command Purpose Step 7 show running-config Verify your entries. The password is listed under the command line vty 0 15. Step 8 copy running-config startup-config (Optional) Save your entries in the configuration file. To remove the password, use the no password global configuration command.
  • Page 188: Configuring Multiple Privilege Levels

    Chapter 9 Configuring Switch-Based Authentication Protecting Access to Privileged EXEC Commands To disable username authentication for a specific user, use the no username name global configuration command. To disable password checking and allow connections without a password, use the no login line configuration command.
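The steps above (enable secret versus enable password, disabling password recovery, the vty line password, no login) are easy to get wrong one switch at a time, so a practitioner usually checks saved configurations for them in bulk. The script below is an added example, not code from the Cisco guide; it audits a configuration file for exactly the points this chapter makes and reports a code and the offending command or line block. The sample configuration is constructed (both type 7 strings in it decode to cisco), and the password-recovery check assumes the copy being audited shows the command, which the guide notes lives in flash outside the file system, so confirm that point on the switch itself.

```python
# Audit a saved Cisco IOS configuration for the privileged-EXEC and line-access
# weaknesses this chapter covers. Added example, not from the Cisco guide; the
# configuration below is constructed for illustration.
from typing import Dict, List, Optional, Tuple

Finding = Tuple[str, str, str]  # (code, where, advice)

SAMPLE_CONFIG = """\
hostname Switch
enable password 7 094F471A1A0A
username admin password 0 Admin123
!
line con 0
 password 7 0822455D0A16
 login
line vty 0 4
 password cisco
 login
 transport input telnet
line vty 5 15
 no login
 transport input ssh
!
end
"""


def split_sections(config: str) -> Tuple[List[str], Dict[str, List[str]]]:
    """Return the top-level commands and, for each, the indented commands under it."""
    top, sections, current = [], {}, None
    for raw in config.splitlines():
        if not raw.strip() or raw.startswith("!"):
            continue
        if raw.startswith(" ") and current is not None:
            sections[current].append(raw.strip())
        else:
            current = raw.strip()
            top.append(current)
            sections[current] = []
    return top, sections


def password_kind(tokens: List[str]) -> Optional[str]:
    """'type5' (one-way hash), 'type7' (reversible) or 'cleartext' for a command that
    carries a secret or password; None if it carries neither."""
    for kw in ("secret", "password"):
        if kw in tokens:
            i = tokens.index(kw)
            enc = tokens[i + 1] if i + 1 < len(tokens) else ""
            if kw == "secret" and enc == "5":
                return "type5"
            return "type7" if enc == "7" else "cleartext"
    return None


def audit_config(config: str) -> List[Finding]:
    top, sections = split_sections(config)
    findings: List[Finding] = []
    if not any(cmd.startswith("enable secret") for cmd in top):
        findings.append(("NO_ENABLE_SECRET", "global",
                         "privileged EXEC is guarded only by 'enable password', or by nothing"))
    if any(cmd.startswith("enable password") for cmd in top):
        findings.append(("ENABLE_PASSWORD_PRESENT", "global",
                         "drop 'enable password'; with a secret set, IOS asks for the secret anyway"))
    if "no service password-recovery" in top:
        # Assumption: the audited copy shows the command; confirm on the switch.
        findings.append(("PASSWORD_RECOVERY_DISABLED", "global",
                         "a lost password now means resetting the switch to factory defaults"))
    for cmd in top:
        if cmd.startswith(("enable password", "username")):
            kind = password_kind(cmd.split())
            if kind == "cleartext":
                findings.append(("CLEARTEXT_PASSWORD", cmd, "stored in the clear; use a secret"))
            elif kind == "type7":
                findings.append(("TYPE7_PASSWORD", cmd, "type 7 is reversible; treat as cleartext"))
    for header, body in sections.items():
        if not header.startswith("line "):
            continue
        cmds = [c.split() for c in body]
        if ["no", "login"] in cmds:
            findings.append(("NO_LOGIN", header, "connections are accepted without any password"))
        logins = [c for c in cmds if c[0] == "login"]
        has_password = any(c[0] == "password" for c in cmds)
        if logins and logins[0] == ["login"] and not has_password:
            findings.append(("LOGIN_WITHOUT_PASSWORD", header,
                             "'login' but no line password: IOS refuses every connection here"))
        for c in cmds:
            if c[0] == "password":
                kind = password_kind(c)
                code = "CLEARTEXT_PASSWORD" if kind == "cleartext" else "TYPE7_PASSWORD"
                findings.append((code, header, "line password is " + str(kind)))
        if header.startswith("line vty"):
            transport = [c for c in cmds if c[:2] == ["transport", "input"]]
            if not transport or any(set(c[2:]) & {"telnet", "all"} for c in transport):
                findings.append(("TELNET_ALLOWED", header,
                                 "Telnet carries the password in the clear; use 'transport input ssh'"))
    return findings


if __name__ == "__main__":
    for code, where, advice in audit_config(SAMPLE_CONFIG):
        print(f"{code:24} {where:36} {advice}")
```

The sample produces eight findings; a configuration with enable secret, username secret entries, login local on every line and transport input ssh on the vty lines produces none. The TELNET_ALLOWED check flags a vty block with no transport input line at all, on the assumption that the platform default admits Telnet; adjust that if your default is stricter.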
  • Page 189: Changing The Default Privilege Level For Lines

    Chapter 9 Configuring Switch-Based Authentication Protecting Access to Privileged EXEC Commands Command Purpose Step 5 show running-config Verify your entries. The first command displays the password and access level configuration. The second command displays the privilege level configuration. show privilege Step 6 copy running-config startup-config (Optional) Save your entries in the configuration file.
  • Page 190: Logging Into And Exiting A Privilege Level

    TACACS+ is facilitated through authentication, authorization, accounting (AAA) and can be enabled only through AAA commands. Note For complete syntax and usage information for the commands used in this section, refer to the Cisco IOS Security Command Reference for Cisco IOS Release 12.1. This section contains this configuration information: •...
  • Page 191 Chapter 9 Configuring Switch-Based Authentication Controlling Switch Access with TACACS+ Figure 9-1 Typical TACACS+ Network Configuration (a Catalyst 6500 series switch connected to two UNIX workstations: TACACS+ server 1 at 171.20.10.7 and TACACS+ server 2 at 171.20.10.8). Configure the switches with the TACACS+ server addresses. Set an authentication key (also configure the same key on the TACACS+ servers).
  • Page 192: Tacacs+ Operation

    Chapter 9 Configuring Switch-Based Authentication Controlling Switch Access with TACACS+ TACACS+ Operation When a user attempts a simple ASCII login by authenticating to a switch by using TACACS+, this process occurs: When the connection is established, the switch contacts the TACACS+ daemon to obtain a username prompt to show to the user.
  • Page 193: Default Tacacs+ Configuration

    Chapter 9 Configuring Switch-Based Authentication Controlling Switch Access with TACACS+ This section contains this configuration information: • Default TACACS+ Configuration, page 9-13 • Identifying the TACACS+ Server Host and Setting the Authentication Key, page 9-13 • Configuring TACACS+ Login Authentication, page 9-14 Configuring TACACS+ Authorization for Privileged EXEC Access and Network Services, page •...
  • Page 194: Configuring Tacacs+ Login Authentication

    Chapter 9 Configuring Switch-Based Authentication Controlling Switch Access with TACACS+ Command Purpose Step 4 aaa group server tacacs+ group-name (Optional) Define the AAA server-group with a group name. This command puts the switch in a server group subconfiguration mode. Step 5 server ip-address (Optional) Associate a particular TACACS+ server with the defined server group.
  • Page 195 Chapter 9 Configuring Switch-Based Authentication Controlling Switch Access with TACACS+ Beginning in privileged EXEC mode, follow these steps to configure login authentication: Command Purpose Step 1 configure terminal Enter global configuration mode. Step 2 aaa new-model Enable AAA. Step 3 aaa authentication login {default | Create a login authentication method list.
  • Page 196: Configuring Tacacs+ Authorization For Privileged Exec Access And Network Services

    Chapter 9 Configuring Switch-Based Authentication Controlling Switch Access with TACACS+ To disable AAA, use the no aaa new-model global configuration command. To disable AAA authentication, use the no aaa authentication login {default | list-name} method1 [method2...] global configuration command. To either disable TACACS+ authentication for logins or to return to the default value, use the no login authentication {default | list-name} line configuration command.
  • Page 197: Starting Tacacs+ Accounting

    Chapter 9 Configuring Switch-Based Authentication Controlling Switch Access with TACACS+ Starting TACACS+ Accounting The AAA accounting feature tracks the services that users are accessing and the amount of network resources that they are consuming. When AAA accounting is enabled, the switch reports user activity to the TACACS+ security server in the form of accounting records.
  • Page 198: Controlling Switch Access With Radius

    RADIUS is facilitated through AAA and can be enabled only through AAA commands. Note For complete syntax and usage information for the commands used in this section, refer to the Cisco IOS Security Command Reference for Cisco IOS Release 12.1.
  • Page 199: Radius Operation

    • Switch-to-switch or router-to-router situations. RADIUS does not provide two-way authentication. RADIUS can be used to authenticate from one device to a non-Cisco device if the non-Cisco device requires authentication. • Networks using a variety of services. RADIUS generally binds a user to one service model.
  • Page 200: Configuring Radius

    Chapter 9 Configuring Switch-Based Authentication Controlling Switch Access with RADIUS Configuring RADIUS This section describes how to configure your switch to support RADIUS. At a minimum, you must identify the host or hosts that run the RADIUS server software and define the method lists for RADIUS authentication.
  • Page 201: Identifying The Radius Server Host

    Chapter 9 Configuring Switch-Based Authentication Controlling Switch Access with RADIUS Identifying the RADIUS Server Host Switch-to-RADIUS-server communication involves several components: Host name or IP address • Authentication destination port • • Accounting destination port • Key string • Timeout period •...
  • Page 202 Chapter 9 Configuring Switch-Based Authentication Controlling Switch Access with RADIUS Beginning in privileged EXEC mode, follow these steps to configure per-server RADIUS server communication. This procedure is required. Command Purpose Step 1 configure terminal Enter global configuration mode. Step 2 radius-server host {hostname | Specify the IP address or host name of the remote RADIUS server host.
  • Page 203: Configuring Radius Login Authentication

    Chapter 9 Configuring Switch-Based Authentication Controlling Switch Access with RADIUS This example shows how to configure one RADIUS server to be used for authentication and another to be used for accounting: Switch(config)# radius-server host 172.29.36.49 auth-port 1612 key rad1 Switch(config)# radius-server host 172.20.36.50 acct-port 1618 key rad2 This example shows how to configure host1 as the RADIUS server and to use the default ports for both authentication and accounting: Switch(config)# radius-server host host1...
  • Page 204 Chapter 9 Configuring Switch-Based Authentication Controlling Switch Access with RADIUS Beginning in privileged EXEC mode, follow these steps to configure login authentication. This procedure is required. Command Purpose Step 1 configure terminal Enter global configuration mode. Step 2 aaa new-model Enable AAA.
  • Page 205: Defining Aaa Server Groups

    Chapter 9 Configuring Switch-Based Authentication Controlling Switch Access with RADIUS Command Purpose Step 7 show running-config Verify your entries. Step 8 copy running-config startup-config (Optional) Save your entries in the configuration file. To disable AAA, use the no aaa new-model global configuration command. To disable AAA authentication, use the no aaa authentication login {default | list-name} method1 [method2...] global configuration command.
  • Page 206 Chapter 9 Configuring Switch-Based Authentication Controlling Switch Access with RADIUS Beginning in privileged EXEC mode, follow these steps to define the AAA server group and associate a particular RADIUS server with it: Command Purpose Step 1 configure terminal Enter global configuration mode. Step 2 radius-server host {hostname | Specify the IP address or host name of the remote RADIUS server host.
  • Page 207: Configuring Radius Authorization For User Privileged Access And Network Services

    Chapter 9 Configuring Switch-Based Authentication Controlling Switch Access with RADIUS Command Purpose Step 8 copy running-config startup-config (Optional) Save your entries in the configuration file. Step 9 Enable RADIUS login authentication. See the “Configuring RADIUS Login Authentication” section on page 9-23.
  • Page 208: Starting Radius Accounting

    (AV) pairs and is stored on the security server. This data can then be analyzed for network management, client billing, or auditing. Beginning in privileged EXEC mode, follow these steps to enable RADIUS accounting for each Cisco IOS privilege level and for network services:...
  • Page 209: Configuring Settings For All Radius Servers

    1, which is named cisco-avpair. The value is a string with this format: protocol : attribute sep value * Protocol is a value of the Cisco protocol attribute for a particular type of authorization. Attribute and value are an appropriate attribute-value (AV) pair defined in the Cisco TACACS+ specification, and sep is = for mandatory attributes and is * for optional attributes.
  • Page 210: Configuring The Switch For Vendor-Proprietary Radius Server Communication

    Chapter 9 Configuring Switch-Based Authentication Controlling Switch Access with RADIUS For example, this AV pair activates Cisco's multiple named ip address pools feature during IP authorization (during PPP's IPCP address assignment): cisco-avpair="ip:addr-pool=first" This example shows how to provide a user logging in from a switch with immediate access to privileged EXEC commands: cisco-avpair="shell:priv-lvl=15"...
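The key string configured with radius-server host is the shared secret of RFC 2865, and it does two jobs the switch never shows you: it hides the User-Password attribute in the Access-Request, and it authenticates the server's reply through the Response Authenticator. A key mismatch therefore fails silently (the server recovers garbage and rejects, or the switch discards an Accept it cannot verify), which is the first thing to suspect when a correctly configured user is refused. The Python below is an added example, not code from the Cisco guide: it builds the exchange on both sides, validates the reply, and parses the cisco-avpair vendor-specific attribute (vendor ID 9, vendor type 1) carrying shell:priv-lvl=15. The toy server and its user database are constructed for the example; the key rad123 is the one from the guide's own radius-server host example.

```python
# RADIUS Access-Request / Access-Accept exchange as switch and server carry it
# out (RFC 2865), with the shared-secret checks that fail silently when the
# key on the switch and on the server differ, and the cisco-avpair VSA that
# grants privilege level 15. Added example, not from the Cisco guide; the
# server and the user database are constructed in-process.
import hashlib
import hmac
import os
import struct
from typing import Dict, List, Optional, Tuple

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
ATTR_USER_NAME, ATTR_USER_PASSWORD, ATTR_VENDOR_SPECIFIC = 1, 2, 26
CISCO_VENDOR_ID, CISCO_AVPAIR = 9, 1


def attr(kind: int, value: bytes) -> bytes:
    """One attribute: type, length (header included), value."""
    return struct.pack("!BB", kind, len(value) + 2) + value


def parse_attributes(data: bytes) -> List[Tuple[int, bytes]]:
    out, i = [], 0
    while i + 2 <= len(data):
        kind, length = data[i], data[i + 1]
        if length < 2 or i + length > len(data):
            raise ValueError("malformed attribute")
        out.append((kind, data[i + 2:i + length]))
        i += length
    return out


def hide_password(password: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """RFC 2865 5.2: pad to 16-byte blocks, XOR each with MD5(secret + previous block)."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        block = bytes(a ^ b for a, b in zip(padded[i:i + 16], key))
        out, prev = out + block, block
    return out


def unhide_password(hidden: bytes, secret: bytes, request_auth: bytes) -> bytes:
    out, prev = b"", request_auth
    for i in range(0, len(hidden), 16):
        key = hashlib.md5(secret + prev).digest()
        block = hidden[i:i + 16]
        out, prev = out + bytes(a ^ b for a, b in zip(block, key)), block
    return out.rstrip(b"\x00")


def build_access_request(ident: int, user: bytes, password: bytes, secret: bytes,
                         request_auth: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Switch side: returns (packet, Request Authenticator); keep the latter to check the reply."""
    ra = request_auth or os.urandom(16)
    attrs = attr(ATTR_USER_NAME, user) + attr(ATTR_USER_PASSWORD, hide_password(password, secret, ra))
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + ra + attrs, ra


def cisco_avpair(text: bytes) -> bytes:
    """Vendor-Specific (26), vendor 9 (Cisco), vendor type 1 (cisco-avpair)."""
    return attr(ATTR_VENDOR_SPECIFIC, struct.pack("!I", CISCO_VENDOR_ID) + attr(CISCO_AVPAIR, text))


def build_response(code: int, ident: int, request_auth: bytes, attrs: bytes, secret: bytes) -> bytes:
    """Server side: Response Authenticator = MD5(Code|ID|Length|RequestAuth|Attributes|Secret)."""
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    return header + hashlib.md5(header + request_auth + attrs + secret).digest() + attrs


def verify_response(packet: bytes, request_auth: bytes, secret: bytes) -> bool:
    """What the switch must check before trusting an Accept."""
    if len(packet) < 20 or struct.unpack("!H", packet[2:4])[0] != len(packet):
        return False
    header, resp_auth, attrs = packet[:4], packet[4:20], packet[20:]
    expected = hashlib.md5(header + request_auth + attrs + secret).digest()
    return hmac.compare_digest(expected, resp_auth)


def server_authenticate(packet: bytes, secret: bytes, users: Dict[bytes, bytes]) -> bytes:
    """Constructed minimal server: recover the password, answer Accept (with
    shell:priv-lvl=15) or Reject."""
    _, ident, _ = struct.unpack("!BBH", packet[:4])
    ra = packet[4:20]
    attrs = dict(parse_attributes(packet[20:]))
    user = attrs.get(ATTR_USER_NAME, b"")
    password = unhide_password(attrs.get(ATTR_USER_PASSWORD, b""), secret, ra)
    if user in users and hmac.compare_digest(users[user], password):
        return build_response(ACCESS_ACCEPT, ident, ra, cisco_avpair(b"shell:priv-lvl=15"), secret)
    return build_response(ACCESS_REJECT, ident, ra, b"", secret)


def avpairs_in(packet: bytes) -> List[str]:
    pairs = []
    for kind, value in parse_attributes(packet[20:]):
        if kind == ATTR_VENDOR_SPECIFIC and struct.unpack("!I", value[:4])[0] == CISCO_VENDOR_ID:
            pairs += [v.decode() for t, v in parse_attributes(value[4:]) if t == CISCO_AVPAIR]
    return pairs
```

Calling build_access_request with the key rad123, feeding the packet to server_authenticate with the same key, and checking verify_response on the reply yields an Accept carrying shell:priv-lvl=15; run the server with rad124 instead and you get a Reject, and an Accept built with any other key fails verification on the switch side. The password hiding is MD5-keyed XOR, so the secret must be long and random and the server reachable only from the switches' management addresses; RADIUS offers nothing stronger on the wire.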
  • Page 211: Displaying The Radius Configuration

    Chapter 9 Configuring Switch-Based Authentication Controlling Switch Access with RADIUS Beginning in privileged EXEC mode, follow these steps to specify a vendor-proprietary RADIUS server host and a shared secret text string: Command Purpose Step 1 configure terminal Enter global configuration mode. Step 2 radius-server host {hostname | ip-address} non-standard Specify the IP address or host name of the remote...
  • Page 212: Configuring The Switch For Local Authentication And Authorization

    Chapter 9 Configuring Switch-Based Authentication Configuring the Switch for Local Authentication and Authorization Configuring the Switch for Local Authentication and Authorization You can configure AAA to operate without a server by setting the switch to implement AAA in local mode. The switch then handles authentication and authorization. No accounting is available in this configuration.
  • Page 213: Configuring The Switch For Secure Shell

    You can use an SSH client to connect to a switch running the SSH server. The SSH server works with the SSH client supported in this release and with non-Cisco SSH clients. The SSH client also works with the SSH server supported in this release and with non-Cisco SSH servers.
  • Page 214: Limitations

    Chapter 9 Configuring Switch-Based Authentication Configuring the Switch for Secure Shell SSH also supports these user authentication methods: • TACACS+ (for more information, see the “Controlling Switch Access with TACACS+” section on page 9-10) • RADIUS (for more information, see the “Controlling Switch Access with RADIUS”...
  • Page 215: Cryptographic Software Image Guidelines

    Setting Up the Switch to Run SSH Follow these steps to set up your switch to run SSH: Download the cryptographic software image from Cisco.com. This step is required. For more information, refer to the release notes for this release.
  • Page 216: Configuring The Ssh Server

    Chapter 9 Configuring Switch-Based Authentication Configuring the Switch for Secure Shell To delete the RSA key pair, use the crypto key zeroize rsa global configuration command. After the RSA key pair is deleted, the SSH server is automatically disabled. Configuring the SSH Server Beginning in privileged EXEC mode, follow these steps to configure the SSH server: Command Purpose...
  • Page 217: Displaying The Ssh Configuration And Status

    Shows the status of the SSH server. For more information about these commands, refer to the “Secure Shell Commands” section in the “Other Security Features” chapter of the Cisco IOS Security Command Reference, Cisco IOS Release 12.2, at this URL: http://www.cisco.com/univercd/cc/td/doc/product/software/ios122/122cgcr/fsecur_r/fothercr/...
  • Page 219 Until the client is authenticated, 802.1x access control allows only Extensible Authentication Protocol over LAN (EAPOL), Cisco Discovery Protocol (CDP), and Spanning Tree Protocol (STP) traffic through the port to which the client is connected. After authentication is successful, normal traffic can pass through the port.
  • Page 220: Understanding 802.1X Port-Based Authentication

    Authentication Protocol (EAP) extensions is the only supported authentication server. It is available in Cisco Secure Access Control Server Version 3.0 or later. RADIUS operates in a client/server model in which secure authentication information is exchanged between the RADIUS server and one or more RADIUS clients.
  • Page 221: Authentication Initiation And Message Exchange

    Chapter 10 Configuring 802.1x Port-Based Authentication Understanding 802.1x Port-Based Authentication support EAP within the native frame format. When the switch receives frames from the authentication server, the server’s frame header is removed, leaving the EAP frame, which is then encapsulated for Ethernet and sent to the client. The devices that can act as intermediaries include the Catalyst 3750, Catalyst 3550, Catalyst 2970, Catalyst 2955, Catalyst 2950, Catalyst 2940 switches, or a wireless access point.
  • Page 222: Ports In Authorized And Unauthorized States

    Chapter 10 Configuring 802.1x Port-Based Authentication Understanding 802.1x Port-Based Authentication Figure 10-2 Message Exchange (client, switch, and authentication server (RADIUS)): EAPOL-Start (client to switch); EAP-Request/Identity (switch to client); EAP-Response/Identity (client to switch); RADIUS Access-Request (switch to server); RADIUS Access-Challenge (server to switch); EAP-Request/OTP (switch to client); EAP-Response/OTP (client to switch); RADIUS Access-Request (switch to server); RADIUS Access-Accept (server to switch); EAP-Success (switch to client); Port Authorized; EAPOL-Logoff (client to switch); Port Unauthorized. Ports in Authorized and Unauthorized States The switch port state determines whether or not the client is granted access to the network.
  • Page 223: 802.1X Accounting

    Chapter 10 Configuring 802.1x Port-Based Authentication Understanding 802.1x Port-Based Authentication received. The switch requests the identity of the client and begins relaying authentication messages between the client and the authentication server. Each client attempting to access the network is uniquely identified by the switch by using the client’s MAC address. If the client is successfully authenticated (receives an Accept frame from the authentication server), the port state changes to authorized, and all frames from the authenticated client are allowed through the port.
  • Page 224: Using 802.1X With Port Security

    Chapter 10 Configuring 802.1x Port-Based Authentication Understanding 802.1x Port-Based Authentication Figure 10-3 Wireless LAN Example (wireless clients, an access point, and an authentication server (RADIUS)) Using 802.1x with Port Security For switches running the enhanced software image (EI), you can enable an 802.1x port for port security in either single-host or multiple-hosts mode.
  • Page 225: Using 802.1X With Voice Vlan Ports

    CDP message from the IP phone. Cisco IP phones do not relay CDP messages from other devices. As a result, if several Cisco IP phones are connected in series, the switch recognizes only the one directly connected to it. When 802.1x is enabled on a voice VLAN port, the switch drops packets from unrecognized Cisco IP phones more than one hop away.
  • Page 226: Using 802.1X With Guest Vlan

    Chapter 10 Configuring 802.1x Port-Based Authentication Understanding 802.1x Port-Based Authentication • If an 802.1x port is authenticated and put in the RADIUS server assigned VLAN, any change to the port access VLAN configuration does not take effect. • The 802.1x with VLAN assignment feature is not supported on trunk ports, dynamic ports, or with dynamic-access port assignment through a VLAN Membership Policy Server (VMPS).
  • Page 227: Configuring 802.1X Authentication

    Chapter 10 Configuring 802.1x Port-Based Authentication Configuring 802.1x Authentication Configuring 802.1x Authentication These sections describe how to configure 802.1x port-based authentication on your switch: • Default 802.1x Configuration, page 10-9 802.1x Configuration Guidelines, page 10-10 • Upgrading from a Previous Software Release, page 10-11 •...
  • Page 228: 802.1X Configuration Guidelines

    Chapter 10 Configuring 802.1x Port-Based Authentication Configuring 802.1x Authentication Table 10-1 Default 802.1x Configuration (continued) Feature Default Setting Quiet period 60 seconds (number of seconds that the switch remains in the quiet state following a failed authentication exchange with the client). Retransmission time 30 seconds (number of seconds that the switch should wait for a response to an EAP request/identity frame...
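The authenticator state machine behind Figure 10-2 and the timers in Table 10-1 are easier to reason about as code than as prose, in particular the three ways a port ends up unauthorized: a rejected credential (which starts the quiet period), a client that never answers EAP at all (no quiet period, no RADIUS traffic, and the case the guest VLAN is meant for), and an EAPOL-Logoff. The Python below is an added example, not code from the Cisco guide; the supplicant, the RADIUS server and the clock are constructed in-process and carry no real EAP or RADIUS framing. It models the switch port relaying EAP between the two, forwarding only EAPOL, CDP and STP before authorization, retransmitting EAP requests up to max-req times, and honouring the quiet period after a failure.

```python
# Simulated 802.1x authenticator: a switch port relaying EAP between a supplicant
# and a RADIUS server, following the message order of Figure 10-2 and the
# quiet-period and max-req parameters of Table 10-1. Added example, not from the
# Cisco guide; supplicant, server and clock are constructed in-process and carry
# no real EAP or RADIUS framing.
from typing import Dict, List, Optional, Tuple

PRE_AUTH_ALLOWED = {"EAPOL", "CDP", "STP"}  # everything else is dropped until authorized


class RadiusServer:
    """Toy authentication server: challenge first, then check a one-time password."""

    def __init__(self, users: Dict[str, str]):
        self.users = users  # identity -> expected OTP

    def access_request(self, identity: str, otp: Optional[str] = None) -> str:
        if identity not in self.users:
            return "Access-Reject"
        if otp is None:
            return "Access-Challenge"
        return "Access-Accept" if otp == self.users[identity] else "Access-Reject"


class Supplicant:
    """identity=None models a device with no 802.1x client: it never answers EAP."""

    def __init__(self, identity: Optional[str] = None, otp: str = ""):
        self.identity, self.otp = identity, otp

    def handle(self, request: str) -> Optional[Tuple[str, str]]:
        if self.identity is None:
            return None
        if request == "EAP-Request/Identity":
            return ("EAP-Response/Identity", self.identity)
        return ("EAP-Response/OTP", self.otp)


class Dot1xPort:
    def __init__(self, server: RadiusServer, max_req: int = 2, quiet_period: int = 60):
        self.server, self.max_req, self.quiet_period = server, max_req, quiet_period
        self.state, self.quiet_until, self.clock = "unauthorized", 0, 0
        self.transcript: List[str] = []

    def _log(self, who: str, msg: str) -> None:
        self.transcript.append(f"{who} {msg}")

    def _ask(self, supplicant: Supplicant, request: str) -> Optional[Tuple[str, str]]:
        """Send an EAP request; retransmit up to max_req times (dot1x max-req)."""
        for _ in range(self.max_req + 1):
            self._log("switch->client", request)
            reply = supplicant.handle(request)
            if reply is not None:
                self._log("client->switch", reply[0])
                return reply
        return None

    def _fail(self, why: str) -> str:
        self.state = "unauthorized"
        self.quiet_until = self.clock + self.quiet_period  # quiet period after a failed exchange
        self._log("switch", f"{why}; quiet for {self.quiet_period}s")
        return self.state

    def authenticate(self, supplicant: Supplicant, eapol_start: bool = True) -> str:
        if self.clock < self.quiet_until:
            self._log("switch", "in quiet period, request ignored")
            return self.state
        if eapol_start:
            self._log("client->switch", "EAPOL-Start")
        ident = self._ask(supplicant, "EAP-Request/Identity")
        if ident is None:  # no EAPOL at all: not 802.1x-capable, guest VLAN candidate
            self._log("switch", "no response to Request/Identity")
            return self.state
        self._log("switch->server", "RADIUS Access-Request")
        code = self.server.access_request(ident[1])
        if code == "Access-Challenge":
            self._log("server->switch", "RADIUS Access-Challenge")
            otp = self._ask(supplicant, "EAP-Request/OTP")
            if otp is None:
                return self._fail("no response to challenge")
            self._log("switch->server", "RADIUS Access-Request")
            code = self.server.access_request(ident[1], otp[1])
        self._log("server->switch", f"RADIUS {code}")
        if code != "Access-Accept":
            self._log("switch->client", "EAP-Failure")
            return self._fail("authentication rejected")
        self._log("switch->client", "EAP-Success")
        self.state = "authorized"
        return self.state

    def logoff(self) -> None:
        self._log("client->switch", "EAPOL-Logoff")
        self.state = "unauthorized"

    def forward(self, frame_type: str) -> bool:
        """Client frames pass only when authorized, except EAPOL, CDP and STP."""
        return self.state == "authorized" or frame_type in PRE_AUTH_ALLOWED
```

Authenticating a supplicant with the right OTP reproduces the ten messages of Figure 10-2 in order in the port's transcript and flips forward("IP") from False to True; a wrong OTP draws an EAP-Failure and a 60-second quiet period during which further attempts are ignored; a supplicant that never answers gets the Request/Identity three times (one send plus two retransmissions, the max-req default) and generates no RADIUS traffic at all. The quiet period is the detail to remember when tuning: it is what keeps a mis-typed credential, or an attacker trying identities, from turning every failure into an immediate retry against the RADIUS server.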
  • Page 229: Upgrading From A Previous Software Release

    Some global configuration commands became interface configuration commands, and new commands were added. If you have 802.1x configured on the switch and you upgrade to Cisco IOS Release 12.1(14)EA1 or later, the configuration file will not contain the new commands, and 802.1x will not operate. After the upgrade is complete, make sure to globally enable 802.1x by using the dot1x system-auth-control global...
  • Page 230 Chapter 10 Configuring 802.1x Port-Based Authentication Configuring 802.1x Authentication To allow VLAN assignment (for switches running the EI), you must enable AAA authorization to configure the switch for all network-related service requests. Beginning in privileged EXEC mode, follow these steps to configure 802.1x port-based authentication. This procedure is required.
  • Page 231: Configuring The Switch-To-Radius-Server Communication

    Chapter 10 Configuring 802.1x Port-Based Authentication Configuring 802.1x Authentication This example shows how to enable AAA and 802.1x on a port: Switch# configure terminal Switch(config)# aaa new-model Switch(config)# aaa authentication dot1x default group radius Switch(config)# dot1x system-auth-control Switch(config)# interface fastethernet0/1 Switch(config-if)# switchport mode access Switch(config-if)# dot1x port-control auto Switch(config-if)# end...
  • Page 232: Enabling Periodic Re-Authentication

    Chapter 10 Configuring 802.1x Port-Based Authentication Configuring 802.1x Authentication This example shows how to specify the server with IP address 172.20.39.46 as the RADIUS server, to use port 1612 as the authentication port, and to set the encryption key to rad123, matching the key on the RADIUS server: Switch(config)# radius-server host 172.20.39.46 auth-port 1612 key rad123 You can globally configure the timeout, retransmission, and encryption key values for all RADIUS...
  • Page 233: Manually Re-Authenticating A Client Connected To A Port

    Chapter 10 Configuring 802.1x Port-Based Authentication Configuring 802.1x Authentication Manually Re-Authenticating a Client Connected to a Port You can manually re-authenticate the client connected to a specific port at any time by entering the dot1x re-authenticate interface interface-id privileged EXEC command. This step is optional. If you want to enable or disable periodic re-authentication, see the “Enabling Periodic Re-Authentication”...
  • Page 234: Setting The Switch-To-Client Frame-Retransmission Number

    Chapter 10 Configuring 802.1x Port-Based Authentication Configuring 802.1x Authentication Beginning in privileged EXEC mode, follow these steps to change the amount of time that the switch waits for client notification. This procedure is optional. Command Purpose Step 1 configure terminal Enter global configuration mode.
  • Page 235: Configuring The Host Mode

    Chapter 10 Configuring 802.1x Port-Based Authentication Configuring 802.1x Authentication To return to the default retransmission number, use the no dot1x max-req interface configuration command. This example shows how to set 5 as the number of times that the switch sends an EAP-request/identity request before restarting the authentication process: Switch(config-if)# dot1x max-req 5 Configuring the Host Mode...
  • Page 236: Configuring A Guest Vlan

    Chapter 10 Configuring 802.1x Port-Based Authentication Configuring 802.1x Authentication Configuring a Guest VLAN For switches running the EI, when you configure a guest VLAN, clients that are not 802.1x-capable are put into the guest VLAN when the switch does not receive a response to the EAP-Request/Identity frame it sends over EAPOL.
  • Page 237: Configuring 802.1X Authentication

    Chapter 10 Configuring 802.1x Port-Based Authentication Configuring 802.1x Authentication Command Purpose Step 3 dot1x default Reset the configurable 802.1x parameters to the default values. Step 4 Return to privileged EXEC mode. Step 5 show dot1x interface interface-id Verify your entries. Step 6 copy running-config startup-config (Optional) Save your entries in the configuration file.
  • Page 238: Configuring 802.1X Accounting

    Chapter 10 Configuring 802.1x Port-Based Authentication Configuring 802.1x Authentication Command Purpose Step 3 aaa authentication dot1x {default} Create an 802.1x authentication method list. method1 [method2...] To create a default list that is used when a named list is not specified in the authentication command, use the default keyword followed by the methods that are to be used in default situations.
  • Page 239: Displaying 802.1X Statistics And Status

    Chapter 10 Configuring 802.1x Port-Based Authentication Displaying 802.1x Statistics and Status Note You must configure the RADIUS server to perform accounting tasks, such as logging start, stop, and interim-update messages and time stamps. To turn on these functions, enable logging of “Update/Watchdog packets from this AAA client”...
  • Page 241: Chapter 11 Configuring Interface Characteristics

    Monitoring and Maintaining the Interfaces, page 11-15 Note For complete syntax and usage information for the commands used in this chapter, refer to the switch command reference for this release and the online Cisco IOS Interface Command Reference for Cisco IOS Release 12.1. Understanding Interface Types This section describes the different types of interfaces supported by the switch with references to chapters that contain more detailed information about configuring these interface types.
  • Page 242: Access Ports

    VMPS. You can also configure an access port with an attached Cisco IP Phone to use one VLAN for voice traffic and another VLAN for data traffic from a device attached to the phone. For more information about voice VLAN ports, see Chapter 19, "Configuring Voice VLAN."...
  • Page 243: Port-Based Vlans

    Most protocols operate over either single ports or aggregated switch ports and do not recognize the physical ports within the port group. Exceptions are the DTP, the Cisco Discovery Protocol (CDP), the Port Aggregation Protocol (PAgP), and Link Aggregation Control Protocol (LACP) which operate only on physical ports.
  • Page 244: Connecting Interfaces

    You can identify physical interfaces by physically checking the interface location on the switch. You can also use the Cisco IOS show privileged EXEC commands to display information about a specific interface or all the interfaces on the switch. The remainder of this chapter primarily provides physical interface configuration procedures.
  • Page 245: Procedures For Configuring Interfaces

    Chapter 11 Configuring Interface Characteristics Using the Interface Command Procedures for Configuring Interfaces These general instructions apply to all interface configuration processes. Enter the configure terminal command at the privileged EXEC prompt: Step 1 Switch# configure terminal Enter configuration commands, one per line. End with CNTL/Z. Switch(config)# Enter the interface global configuration command.
  • Page 246 Chapter 11 Configuring Interface Characteristics Using the Interface Command Beginning in privileged EXEC mode, follow these steps to configure a range of interfaces with the same parameters: Command Purpose Step 1 configure terminal Enter global configuration mode. Step 2 interface range {port-range | macro Enter interface-range configuration mode by entering the range of macro_name} interfaces (VLANs or physical ports) to be configured.
  • Page 247: Configuring And Using Interface-Range Macros

    Chapter 11 Configuring Interface Characteristics Using the Interface Command This example shows how to use a comma to add different interface type strings to the range to enable all Fast Ethernet interfaces in the range 0/1 to 0/3 and Gigabit Ethernet interfaces 0/1 and 0/2: Switch# configure terminal Switch(config)# interface range fastethernet0/1 - 3, gigabitethernet0/1 - 2 Switch(config-if-range)# no shutdown...
  • Page 248: Configuring Ethernet Interfaces

    Chapter 11 Configuring Interface Characteristics Configuring Ethernet Interfaces – longreachethernet slot/{first port} - {last port}, where slot is 0 – port-channel port-channel-number - port-channel-number, where port-channel-number is from 1 to 6. • You must add a space between the interface numbers and the hyphen when entering an interface-range.
  • Page 249: Default Ethernet Interface Configuration

    Chapter 11 Configuring Interface Characteristics Configuring Ethernet Interfaces These sections describe the default interface configuration and the optional features that you can configure on most physical interfaces: • Default Ethernet Interface Configuration, page 11-9 • Configuring Interface Speed and Duplex Mode, page 11-10 •...
  • Page 250: Configuring Interface Speed And Duplex Mode

    Chapter 11 Configuring Interface Characteristics Configuring Ethernet Interfaces Configuring Interface Speed and Duplex Mode The 10/100 Ethernet interfaces on a non-LRE switch operate in 10 or 100 Mbps and in either full- or half-duplex mode. The 10/100/1000 Ethernet interfaces on Catalyst 2950 LRE, Catalyst 2950T-24, Catalyst 2950T-48-SI, and Catalyst 2955T-24 switches operate at 10 or 100 Mbps in either full- or half-duplex mode or at 1000 Mbps only in full-duplex mode.
  • Page 251 Chapter 11 Configuring Interface Characteristics Configuring Ethernet Interfaces • If both ends of the line support autonegotiation, we highly recommend the default setting of autonegotiation. • When connecting an interface to a 100BASE-T device that does not autonegotiate, set the speed to a non-auto value (for example, nonegotiate) and set the duplex mode to full or half to match the device.
  • Page 252 Chapter 11 Configuring Interface Characteristics Configuring Ethernet Interfaces Setting the Interface Speed and Duplex Parameters on a Non-LRE Switch Port Beginning in privileged EXEC mode, follow these steps to set the speed and duplex mode for a physical interface on a non-LRE switch: Command Purpose Step 1...
  • Page 253: Configuring Media Types For Gigabit Ethernet Interfaces On Lre Switches

    Chapter 11 Configuring Interface Characteristics Configuring Ethernet Interfaces Command Purpose Step 6 show running-config Display the LRE interface speed and duplex mode configuration. Step 7 copy running-config startup-config (Optional) Save your entries in the configuration file. Use the no local speed and no local duplex interface configuration commands to return the interface to the default speed and duplex settings.
  • Page 254: Adding A Description For An Interface

    Chapter 11 Configuring Interface Characteristics Configuring Ethernet Interfaces • receive off and send on: The port sends pause frames if the remote device supports flow control but cannot receive pause frames from the remote device. • receive off and send desired: The port cannot receive pause frames but can send pause frames if the attached device supports flow control.
  • Page 255: Monitoring And Maintaining The Interfaces

    (You can display the full list of show commands by using the show ? command at the privileged EXEC prompt.) These commands are fully described in the Cisco IOS Interface Command Reference for Cisco IOS Release 12.1. Table 11-2 show Commands for Interfaces...
  • Page 256: Clearing And Resetting Interfaces And Counters

    For examples of the output from these commands, refer to the command reference for this release and to the Cisco IOS Interface Command Reference for Cisco IOS Release 12.1. If you enter the show interfaces interfaces-id privileged EXEC command on an LRE switch interface, the command output shows the statistics for the LRE interface.
  • Page 257: Shutting Down And Restarting The Interface

    Chapter 11 Configuring Interface Characteristics Monitoring and Maintaining the Interfaces
    This example shows how to clear and reset a port:
    Switch# clear interface fastethernet0/5
    Shutting Down and Restarting the Interface
    Shutting down an interface disables all functions on the specified interface and marks the interface as unavailable on all monitoring command displays.
  • Page 258 Catalyst 2950 and Catalyst 2955 Switch Software Configuration Guide 11-18 78-11380-10...
  • Page 259: Chapter 12 Configuring Smartports Macros

    When the macro is applied to an interface, the existing interface configurations are not lost. The new commands are added to the interface and are saved in the running configuration file. There are Cisco-default Smartports macros embedded in the switch software (see Table 12-1).
  • Page 260: Configuring Smartports Macros

    Use this interface configuration macro when connecting a desktop device such as a PC with a Cisco IP Phone to a switch port. This macro is an extension of the cisco-desktop macro and provides the same security and resiliency features, but with the addition of dedicated voice VLANs to ensure proper treatment of delay-sensitive voice traffic.
  • Page 261: Smartports Macro Configuration Guidelines

    Cisco-default macro with the required values by using the parameter value keywords. The Cisco-default macros use the $ character to help identify required keywords. There is no restriction on using the $ character to define keywords when you create a macro.
  • Page 262: Creating Smartports Macros

    Chapter 12 Configuring Smartports Macros Configuring Smartports Macros
    Creating Smartports Macros
    Beginning in privileged EXEC mode, follow these steps to create a Smartports macro:
    Step 1 configure terminal: Enter global configuration mode.
    Step 2 macro name macro-name: Create a macro definition, and enter a macro name. A macro definition can contain up to 3000 characters.
  • Page 263: Applying Smartports Macros

    Applying Smartports Macros
    Beginning in privileged EXEC mode, follow these steps to apply a Smartports macro:
    Step 1 configure terminal: Enter global configuration mode.
    Step 2 macro global {apply | trace} macro-name [parameter {value}]: Apply each individual command defined in the macro to the switch by entering macro global apply macro-name.
  • Page 264: Applying Cisco-Default Smartports Macros

    Enter global configuration mode.
    Step 4 (purpose) Append the Cisco-default macro with the required values by using the parameter value keywords and apply the macro to the switch.
    Step 4 (command) macro global {apply | trace} macro-name [parameter {value}] [parameter {value}] [parameter...
  • Page 265 You can delete a macro-applied configuration on an interface by entering the default interface interface-id interface configuration command. This example shows how to display the cisco-desktop macro, how to apply the macro, and how to set the access VLAN ID to 25 on an interface:...
  • Page 266: Displaying Smartports Macros

    Chapter 12 Configuring Smartports Macros Displaying Smartports Macros Displaying Smartports Macros To display the Smartports macros, use one or more of the privileged EXEC commands in Table 12-2. Table 12-2 Commands for Displaying Smartports Macros Command Purpose show parser macro Displays all configured macros.
  • Page 267: Configuring Lre

    Note For complete syntax and usage information for the commands used in this chapter, refer to the switch command reference for this release and the Cisco IOS Interface Command Reference for Cisco IOS Release 12.1. For information about which Cisco LRE customer premises equipment (CPE) devices are supported by...
  • Page 268: Chapter 13 Configuring Lre

    LRE link—This is the connection between the switch LRE port and the RJ-11 wall port on an LRE CPE device such as the Cisco 575 LRE CPE or the Cisco 585 LRE CPE. This connection can be through categorized or noncategorized unshielded twisted-pair cable and can extend to distances of up to 5000 feet (1524 meters).
  • Page 269 LRE link can affect the actual LRE link performance. Contact Cisco Systems for information about limitations and optimization of LRE link performance. The downstream and upstream rates in the table are slightly less than the gross data rates shown by the show controllers lre profile names privileged EXEC command output.
  • Page 270 Chapter 13 Configuring LRE Understanding LRE Features
    Table 13-2 LRE Profiles for the Catalyst 2950ST-24 LRE 997 Switches
    Columns: Profile Name; LRE Link Downstream Rate (Mbps); LRE Link Upstream Rate (Mbps); Theoretical Minimum SNR Downstream; Theoretical Minimum SNR Upstream
    LRE-12-9: 12.500 Mbps downstream, 9.375 Mbps upstream
    LRE-12-3: 12.500...
  • Page 271: Lre Sequences

    LRE Sequences The LRE switches are shipped with predefined sequences. Sequences are sets of profiles and are used with the rate selection feature. The rate selection feature enables the switch to automatically select profiles.
  • Page 272: Cpe Ethernet Links

    Note From CMS and the CLI, you can configure and monitor the Ethernet link on a Cisco 575 LRE CPE and the Cisco 585 LRE CPE. You can configure and monitor the Ethernet link on a Cisco 576 LRE 997 CPE only from the CLI.
  • Page 273: Lre Link Monitor

    30 seconds. This feature is enabled by default. CPE toggle cannot be disabled on a Cisco 575 LRE or Cisco 576 LRE 997 CPE link but can be disabled on a Cisco 585 LRE CPE. For more information, see the “Configuring CPE Toggle”...
  • Page 274: Lre Message Logging Process

    Chapter 13 Configuring LRE Configuring LRE Ports LRE Message Logging Process The Catalyst 2950 LRE switch software monitors switch conditions on a per-port basis and sends the debugging messages to an LRE message logging process that is different than the system message logging process described in Chapter 27, “Configuring System Message Logging.”...
  • Page 275: Default Lre Configuration

    Default LRE Configuration This is the default LRE configuration: • On the Catalyst 2950ST-8 LRE and the Catalyst 2950ST-24 LRE switches, the profile on all LRE ports is LRE-10. • On the Catalyst 2950ST-24 LRE 997 switches, the profile on all LRE ports is LRE-6. •...
  • Page 276: Guidelines For Using Lre Profiles

    • Age and type of wiring—You can estimate the type of wiring you have based on your site’s age and type. – Newer installations less than 15 years old often use Category 3 cable in bundles of 25 pairs. There is no significant difference between 25-pair bundles and larger bundles.
  • Page 277: Cpe Ethernet Link Guidelines

    LRE ports. For information about this command, refer to the switch command reference. CPE Ethernet Link Guidelines Follow these guidelines when configuring CPE Ethernet links: • Guidelines for Configuring Cisco 575 LRE CPEs and 576 LRE 997 CPEs, page 13-11 • Guidelines for Configuring Cisco 585 LRE CPEs, page 13-12 • ...
  • Page 278: Guidelines For Configuring Cisco 585 Lre Cpes

    Cisco 575 LRE CPE or the 576 LRE 997 CPE Ethernet port. You cannot disable CPE toggle on a link from a Cisco 575 LRE or Cisco 576 LRE CPE to a remote device (such as a PC).
  • Page 279: Assigning A Profile To A Specific Lre Port

    Assigning a Profile to a Specific LRE Port You can set profiles on a per-port basis. You can assign the same profile or different profiles to the LRE ports on the switch. The default active profile on all LRE ports is LRE-10 on the Catalyst 2950ST-8 LRE and 2950ST-24 LRE switches and LRE-6 on the Catalyst 2950ST-24 LRE 997 switch.
  • Page 280: Assigning A Sequence To A Specific Lre Port

    To display the LRE link statistics and sequence information on the LRE ports, use the show controllers lre status sequence details privileged EXEC command. Assigning a Sequence to a Specific LRE Port You can set sequences on a per-port basis. You can assign the same sequence or different sequences to the LRE ports on the switch.
  • Page 281: Precedence

    • When a link is lost for 25 seconds before being restored • When a configured sequence is modified In any of these cases, rate selection obtains the optimal profile for your line conditions. Note When an LRE link is lost for fewer than 25 seconds, the switch does not execute rate selection to re-establish the link.
  • Page 282: Link Qualification And Snr Margins

    Step 4 Return to privileged EXEC mode.
    Step 5 show controllers lre profile details: Verify the change.
    Step 6 copy running-config startup-config: (Optional) Save your entries in the configuration file.
    To unlock a port, use the no rate selection profile lock interface configuration command.
    Link Qualification and SNR Margins
    When rate selection is running, the SNR is used as an indicator of link quality.
  • Page 283 Table 13-6 SNR Requirements for Downstream Rates for the Catalyst 2950ST-8 LRE and the Catalyst 2950ST-24 LRE Switches (continued)
    Columns: Profile; Gross Data Rate; Quadrature Amplitude Modulation (QAM); Theoretical Minimum SNR; Low Noise SNR; Medium Noise; High Noise
    LRE-15-1 16.667...
  • Page 284 Table 13-8 SNR Requirements for Downstream Rates for the Catalyst 2950ST-24 LRE 997 Switches
    Columns: Profile; Gross Data Rate; Theoretical Minimum SNR; Low Noise SNR; Medium Noise; High Noise
    LRE-12-9 12.500
    LRE-12-3 12.500
    LRE-9 9.375
    LRE-9-6 9.375...
  • Page 285: Configuring Lre Link Persistence

    Beginning in privileged EXEC mode, follow these steps to assign a margin to a specific LRE port:
    Step 1 configure terminal: Enter global configuration mode.
    Step 2 interface interface-id: Enter the number of the LRE port to be configured, and enter interface configuration mode.
  • Page 286: Configuring Lre Link Monitor

    Configuring LRE Link Monitor When link monitor is enabled, an LRE switch feature tracks undesirable or interesting conditions on a link or takes system-defined actions after certain thresholds are reached. Beginning in privileged EXEC mode, follow these steps to enable link monitor: Command Purpose Step 1...
  • Page 287: Configuring Upstream Power Back-Off

    Step 4 Return to privileged EXEC mode.
    Step 5 show controllers lre status interleave: Verify the change.
    Step 6 copy running-config startup-config: (Optional) Save your entries in the configuration file.
    To return the port to its default setting, use the no interleave downstream value upstream value interface configuration command.
  • Page 288: Configuring Cpe Toggle

    Configuring CPE Toggle The CPE toggle feature is enabled by default. It cannot be disabled on a link from a Cisco 575 LRE or Cisco 576 LRE 997 CPE to a remote Ethernet device (such as a PC). You can disable CPE toggle on a Cisco 585 LRE CPE link. Then the CPE Ethernet link does not transition to the up state when the LRE link comes up.
  • Page 289: Upgrading Lre Switch Firmware

    Chapter 13 Configuring LRE Upgrading LRE Switch Firmware Beginning in privileged EXEC mode, follow these steps to enable the switch to send debugging messages to the LRE message logging process and to the system message logging process: Command Purpose Step 1 configure terminal Enter global configuration mode.
  • Page 290: Configuring For An Lre Upgrade

    Note Whether upgrading a single CPE device or all CPE devices connected to an LRE switch, the expected duration of an LRE upgrade is 3 to 6 minutes. (CPE devices connected to marginal links might take longer than this to upgrade.) You perform an upgrade by using the hw-module slot module-slot-number upgrade lre [force] [local ctrlr-unit-number | remote interface-id] privileged EXEC command.
  • Page 291: Global Configuration Of Lre Upgrades

    When executing upgrades, you can elect to upgrade a single CPE device or local controller by using the hw-module slot module-slot-number upgrade lre [force] [local ctrlr-unit-number | remote interface-id] privileged EXEC command. If no local or remote option is given, a system-wide upgrade is performed.
  • Page 292: Lre Upgrade Details

    The no upgrade controller configuration command removes the command for applying a particular LRE binary. To resume default upgrade behavior for a given controller, do not configure the custom upgrade commands on that controller. LRE Upgrade Details This example shows how to upgrade your LRE switch: Switch>...
  • Page 293: Displaying Lre Status

    Chapter 13 Configuring LRE Displaying LRE Status
    The CPE device finishes resetting. Ethernet connectivity is available but at low speeds. Upgrade data transfer begins.
    00:23:55: %LINEPROTO-5-UPDOWN: Line protocol on Interface LongReachEthernet0/1, changed state to down
    Upgrade data transfer is complete. Reset the CPE device.
    00:23:56: %LINK-3-UPDOWN: Interface LongReachEthernet0/1, changed state to up
    The CPE device has finished resetting.
  • Page 295: Configuring Stp

    Catalyst 2950 or Catalyst 2955 switch. The switch uses the per-VLAN spanning-tree plus (PVST+) protocol based on the IEEE 802.1D standard and Cisco proprietary extensions, or it can use the rapid per-VLAN spanning-tree plus (rapid-PVST+) protocol based on the IEEE 802.1w standard.
  • Page 296: Chapter 14 Configuring Stp

    Chapter 14 Configuring STP Understanding Spanning-Tree Features • Spanning-Tree Interoperability and Backward Compatibility, page 14-10 • STP and IEEE 802.1Q Trunks, page 14-10 For configuration information, see the “Configuring Spanning-Tree Features” section on page 14-11. For information about optional spanning-tree features, see Chapter 16, “Configuring Optional Spanning-Tree Features.”...
  • Page 297: Spanning-Tree Topology And Bpdus

    Spanning-Tree Topology and BPDUs The stable, active spanning-tree topology of a switched network is determined by these elements: • The unique bridge ID (switch priority and MAC address) associated with each VLAN on each switch •...
  • Page 298: Bridge Id, Switch Priority, And Extended System Id

    MAC address. In Cisco IOS Release 12.1(9)EA1 and later, Catalyst 2950 and Catalyst 2955 switches support the 802.1t spanning-tree extensions. Some of the bits previously used for the switch priority are now used as the VLAN identifier.
  • Page 299 • Forwarding—The interface forwards frames. • Disabled—The interface is not participating in spanning tree because of a shutdown port, no link on the port, or no spanning-tree instance running on the port. An interface moves through these states: •...
  • Page 300: Blocking State

    Blocking State A Layer 2 interface in the blocking state does not participate in frame forwarding. After initialization, a BPDU is sent to each interface in the switch. A switch initially functions as the root until it exchanges BPDUs with other switches.
  • Page 301: Disabled State

    Disabled State A Layer 2 interface in the disabled state does not participate in frame forwarding or in the spanning tree. An interface in the disabled state is nonoperational. A disabled interface performs as follows: • Discards frames received on the port • ...
  • Page 302: Spanning Tree And Redundant Connectivity

    Spanning Tree and Redundant Connectivity You can create a redundant backbone with spanning tree by connecting two switch interfaces to another device or to two different devices. Spanning tree automatically disables one interface but enables it if the other one fails, as shown in Figure 14-3.
  • Page 303: Spanning-Tree Modes And Protocols

    Spanning-Tree Modes and Protocols The switch supports these spanning-tree modes and protocols: PVST+—This spanning-tree mode is based on the IEEE 802.1D standard and Cisco proprietary extensions. It is the default spanning-tree mode used on all Ethernet, Fast Ethernet, and Gigabit Ethernet port-based VLANs.
  • Page 304: Spanning-Tree Interoperability And Backward Compatibility

    VLAN allowed on the trunks. When you connect a Cisco switch to a non-Cisco device through an 802.1Q trunk, the Cisco switch uses PVST+ to provide spanning-tree interoperability. If rapid PVST+ is enabled, the switch uses it instead of PVST+.
  • Page 305: Configuring Spanning-Tree Features

    Chapter 14 Configuring STP Configuring Spanning-Tree Features
    Configuring Spanning-Tree Features These sections describe how to configure spanning-tree features: • Default Spanning-Tree Configuration, page 14-11 • Spanning-Tree Configuration Guidelines, page 14-12 • Changing the Spanning-Tree Mode, page 14-13 (required) • Disabling Spanning Tree, page 14-14 (optional) • ...
  • Page 306: Spanning-Tree Configuration Guidelines

    Spanning-Tree Configuration Guidelines If more VLANs are defined in the VTP than there are spanning-tree instances, you can enable PVST+ or rapid PVST+ on only 64 VLANs. If the number of VLANs exceeds 64, we recommend that you enable the MSTP to map multiple VLANs to a single spanning-tree instance.
  • Page 307: Changing The Spanning-Tree Mode

    Changing the Spanning-Tree Mode The switch supports three spanning-tree modes: PVST+, rapid PVST+, and MSTP. By default, the switch runs the PVST+ protocol. Beginning in privileged EXEC mode, follow these steps to change the spanning-tree mode. If you want to enable a mode that is different from the default mode, this procedure is required.
  • Page 308: Disabling Spanning Tree

    Disabling Spanning Tree Spanning tree is enabled by default on VLAN 1 and on all newly created VLANs up to the spanning-tree limit specified in the “Supported Spanning-Tree Instances” section on page 14-9. Disable spanning tree only if you are sure there are no loops in the network topology.
  • Page 309 For Catalyst 2950 switches without the extended system ID (software earlier than Cisco IOS Release 12.1(9)EA1), if all network devices in VLAN 100 have the default priority of 32768, entering the spanning-tree vlan 100 root primary command on the switch sets the switch priority for VLAN 100 to 8192, which causes this switch to become the root switch for VLAN 100.
  • Page 310: Configuring A Secondary Root Switch

    For Catalyst 2950 switches without the extended system ID support (software earlier than Cisco IOS Release 12.1(9)EA1), the switch priority is changed to 16384. You can execute this command on more than one switch to configure multiple backup root switches. Use the same network diameter and hello-time values as you used when you configured the primary root switch with the spanning-tree vlan vlan-id root primary global configuration command.
  • Page 311: Configuring The Port Priority

    Beginning in privileged EXEC mode, follow these steps to configure a switch to become the secondary root for the specified VLAN. This procedure is optional.
    Step 1 configure terminal: Enter global configuration mode.
    Step 2 spanning-tree vlan vlan-id root secondary: Configure a switch to become the secondary root for the specified...
  • Page 312 Beginning in privileged EXEC mode, follow these steps to configure the port priority of an interface. This procedure is optional.
    Step 1 configure terminal: Enter global configuration mode.
    Step 2 interface interface-id: Specify an interface to configure, and enter interface configuration mode.
  • Page 313: Configuring The Path Cost

    Configuring the Path Cost The spanning-tree path cost default value is derived from the media speed of an interface. If a loop occurs, spanning tree uses cost when selecting an interface to put in the forwarding state. You can assign lower cost values to interfaces that you want selected first and higher cost values to interfaces that you want selected last.
  • Page 314: Configuring The Switch Priority Of A Vlan

    To return the interface to its default setting, use the no spanning-tree [vlan vlan-id] cost interface configuration command. For information on how to configure load sharing on trunk ports by using spanning-tree path costs, see the “Load Sharing Using STP”...
  • Page 315: Configuring Spanning-Tree Timers

    Configuring Spanning-Tree Timers Table 14-4 describes the timers that affect the entire spanning-tree performance.
    Table 14-4 Spanning-Tree Timers
    Hello timer: Determines how often the switch broadcasts hello messages to other switches.
    Forward-delay timer: Determines how long each of the listening and learning states last before the interface begins forwarding.
  • Page 316: Configuring The Forwarding-Delay Time For A Vlan

    Configuring the Forwarding-Delay Time for a VLAN Beginning in privileged EXEC mode, follow these steps to configure the forwarding-delay time for a VLAN. This procedure is optional.
    Step 1 configure terminal: Enter global configuration mode.
  • Page 317: Configuring Spanning Tree For Use In A Cascaded Stack

    (Table of recommended STP timer values; columns: STP, Default, Acceptable for Option 1, Acceptable for Option 2, Acceptable for Option 3; rows: Hello Time, Max Age, Forwarding Delay; values not captured.)
    Figure 14-4 Gigabit Ethernet Stack (figure labels: Catalyst 2950, 2955, or 3550 switches; Cisco 7000 router; Catalyst 3550 series switch; Layer 3; Catalyst...)
  • Page 318: Displaying The Spanning-Tree Status

    Chapter 14 Configuring STP Displaying the Spanning-Tree Status Displaying the Spanning-Tree Status To display the spanning-tree status, use one or more of the privileged EXEC commands in Table 14-6: Table 14-6 Commands for Displaying Spanning-Tree Status Command Purpose show spanning-tree active Displays spanning-tree information on active interfaces only.
  • Page 319: Chapter 15 Configuring Mstp

    C H A P T E R Configuring MSTP This chapter describes how to configure the Cisco implementation of the IEEE 802.1s Multiple STP (MSTP) on your Catalyst 2950 or Catalyst 2955 switch. Note The multiple spanning-tree (MST) implementation is a pre-standard implementation. It is based on the draft version of the IEEE standard.
  • Page 320: Understanding Mstp

    Chapter 15 Configuring MSTP Understanding MSTP Understanding MSTP MSTP, which uses RSTP for rapid convergence, enables VLANs to be grouped into a spanning-tree instance, with each instance having a spanning-tree topology independent of other spanning-tree instances. This architecture provides multiple forwarding paths for data traffic, enables load balancing, and reduces the number of spanning-tree instances required to support a large number of VLANs.
  • Page 321: Operations Within An Mst Region

    All MST instances within the same region share the same protocol timers, but each MST instance has its own topology parameters, such as root switch ID, root path cost, and so forth. By default, all VLANs are assigned to the IST.
  • Page 322: Hop Count

    Figure 15-1 MST Regions, IST Masters, and the CST Root (figure labels: IST master and CST root; Legacy 802.1D; MST Region 1; MST Region 2; MST Region 3; IST master)
    Figure 15-1 does not show additional MST instances for each region. Note that the topology of MST instances can be different from that of the IST for the same region.
  • Page 323: Boundary Ports

    received remaining hop count by one and propagates this value as the remaining hop count in the BPDUs it generates. When the count reaches zero, the switch discards the BPDU and ages the information held for the port.
  • Page 324: Understanding Rstp

    Chapter 15 Configuring MSTP Understanding RSTP Understanding RSTP The RSTP takes advantage of point-to-point wiring and provides rapid convergence of the spanning tree. Reconfiguration of the spanning tree can occur in less than 1 second (in contrast to 50 seconds with the default settings in the 802.1D spanning tree), which is critical for networks carrying delay-sensitive traffic such as voice and video.
  • Page 325: Rapid Convergence

    (last table row) Disabled | Disabled | Discarding
    To be consistent with Cisco STP implementations, this guide documents the port state as blocking instead of discarding. Designated ports start in the listening state. Rapid Convergence The RSTP provides for rapid recovery of connectivity following the failure of a switch, a switch port, or a LAN.
  • Page 326: Synchronization Of Port Roles

    The switch determines the link type from the port duplex mode: a full-duplex port is considered to have a point-to-point connection; a half-duplex port is considered to have a shared connection. You can override the default setting that is determined by the duplex setting by using the spanning-tree link-type interface configuration command.
  • Page 327: Bridge Protocol Data Unit Format And Processing

    Figure 15-3 Sequence of Events During Rapid Convergence (figure labels, in sequence: 1. Proposal, 2. Block, 3. Block, 4. Agreement, 5. Forward, 6. Proposal, 7. Proposal, 8. Agreement, 9. Forward, 10. Agreement, 11. Forward; port labels: Edge port, Root port, Designated port)
    Bridge Protocol Data Unit Format and Processing The RSTP BPDU format is the same as the IEEE 802.1D BPDU format except that the protocol version...
  • Page 328: Processing Superior Bpdu Information

    The RSTP does not have a separate topology change notification (TCN) BPDU. It uses the topology change (TC) flag to show the topology changes. However, for interoperability with 802.1D switches, the RSTP switch processes and generates TCN BPDUs. The learning and forwarding flags are set according to the state of the sending port.
  • Page 329: Configuring Mstp Features

    Chapter 15 Configuring MSTP Configuring MSTP Features • Propagation—When an RSTP switch receives a TC message from another switch through a designated or root port, it propagates the change to all of its nonedge, designated ports and to the root port (excluding the port on which it is received). The switch starts the TC-while timer for all such ports and flushes the information learned on them.
  • Page 330: Default Mstp Configuration

    • When you enable MST by using the spanning-tree mode mst global configuration command, RSTP is automatically enabled. Per-VLAN RSTP is not supported in software releases earlier than Cisco IOS Release 12.1(13)EA1. • For two or more switches to be in the same MST region, they must have the same VLAN-to-instance...
  • Page 331: Specifying The Mst Region Configuration And Enabling Mstp

    of the MST regions must contain the CST root, and all of the other MST regions must have a better path to the root contained within the MST cloud than a path through the PVST+ or rapid-PVST+ cloud.
  • Page 332: Configuring The Root Switch

    Step 8 spanning-tree mode mst: Enable MSTP. RSTP is also enabled.
    Caution Changing spanning-tree modes can disrupt traffic because all spanning-tree instances are stopped for the previous mode and restarted in the new mode.
    You cannot run both MSTP and PVST+ or both MSTP and rapid PVST+ at the same time.
  • Page 333 Table 14-1 on page 14-4.) Note Catalyst 2950 switches running software earlier than Cisco IOS Release 12.1(9)EA1 do not support the extended system ID. Catalyst 2950 switches running software earlier than Cisco IOS Release 12.1(9)EA1 do not support the MSTP.
  • Page 334: Configuring A Secondary Root Switch

    This is assuming that the other network switches use the default switch priority of 32768 and therefore are unlikely to become the root switch. For Catalyst 2950 switches without the extended system ID support (software earlier than Cisco IOS Release 12.1(9)EA1), the switch priority is changed to 16384.
  • Page 335: Configuring The Port Priority

    To return the switch to its default setting, use the no spanning-tree mst instance-id root global configuration command. Configuring the Port Priority If a loop occurs, the MSTP uses the port priority when selecting an interface to put into the forwarding state.
  • Page 336: Configuring The Path Cost

    Configuring the Path Cost The MSTP path cost default value is derived from the media speed of an interface. If a loop occurs, the MSTP uses cost when selecting an interface to put in the forwarding state. You can assign lower cost values to interfaces that you want selected first and higher cost values to interfaces that you want selected last.
  • Page 337: Configuring The Switch Priority

    Configuring the Switch Priority You can configure the switch priority and make it more likely that the switch will be chosen as the root switch. Note Exercise care when using this command. For most situations, we recommend that you use the spanning-tree mst instance-id root primary and the spanning-tree mst instance-id root secondary global configuration commands to modify the switch priority.
  • Page 338: Configuring The Forwarding-Delay Time

    Beginning in privileged EXEC mode, follow these steps to configure the hello time for all MST instances. This procedure is optional.
    Step 1 configure terminal: Enter global configuration mode.
    Step 2 spanning-tree mst hello-time seconds: Configure the hello time for all MST instances.
  • Page 339: Configuring The Maximum-Aging Time

    Configuring the Maximum-Aging Time Beginning in privileged EXEC mode, follow these steps to configure the maximum-aging time for all MST instances. This procedure is optional.
    Step 1 configure terminal: Enter global configuration mode.
    Step 2 spanning-tree mst max-age seconds: Configure the maximum-aging time for all MST instances.
  • Page 340: Specifying The Link Type To Ensure Rapid Transitions

    Chapter 15 Configuring MSTP Configuring MSTP Features Specifying the Link Type to Ensure Rapid Transitions If you connect a port to another port through a point-to-point link and the local port becomes a designated port, the RSTP negotiates a rapid transition with the other port by using the proposal-agreement handshake to ensure a loop-free topology as described in the “Rapid Convergence”...
  • Page 341: Displaying The Mst Configuration And Status

    Chapter 15 Configuring MSTP Displaying the MST Configuration and Status Displaying the MST Configuration and Status To display the spanning-tree status, use one or more of the privileged EXEC commands in Table 15-4: Table 15-4 Commands for Displaying MST Status Command Purpose show spanning-tree mst configuration...
  • Page 342 Chapter 15 Configuring MSTP Displaying the MST Configuration and Status Catalyst 2950 and Catalyst 2955 Switch Software Configuration Guide 15-24 78-11380-10...
  • Page 343: Understanding Optional Spanning-Tree Features

    CHAPTER Configuring Optional Spanning-Tree Features This chapter describes how to configure optional spanning-tree features on your Catalyst 2950 or Catalyst 2955 switch. You can configure all of these features when your switch is running the per-VLAN spanning-tree plus (PVST+).
  • Page 344: Chapter 16 Configuring Optional Spanning-Tree Features

    Chapter 16 Configuring Optional Spanning-Tree Features Understanding Optional Spanning-Tree Features Understanding Port Fast Port Fast immediately brings an interface configured as an access or trunk port to the forwarding state from a blocking state, bypassing the listening and learning states. You can use Port Fast on ports connected to a single workstation or server, as shown in Figure 16-1, to allow those devices to...
  • Page 345: Understanding Bpdu Filtering

    Chapter 16 Configuring Optional Spanning-Tree Features Understanding Optional Spanning-Tree Features You can enable the BPDU guard feature for the entire switch or for an interface. Understanding BPDU Filtering The BPDU filtering feature can be globally enabled on the switch or can be enabled per interface, but the feature operates with some differences.
  • Page 346 Chapter 16 Configuring Optional Spanning-Tree Features Understanding Optional Spanning-Tree Features If a switch loses connectivity, it begins using the alternate paths as soon as the spanning tree selects a new root port. By enabling UplinkFast with the spanning-tree uplinkfast global configuration command, you can accelerate the choice of a new root port when a link or switch fails or when the spanning tree reconfigures itself.
  • Page 347: Understanding Cross-Stack Uplinkfast

    Chapter 16 Configuring Optional Spanning-Tree Features Understanding Optional Spanning-Tree Features Figure 16-4 UplinkFast Example After Direct Link Failure [figure: Switch A (Root), Switch B, and Switch C; after the link failure, UplinkFast transitions the port directly to the forwarding state] Understanding Cross-Stack UplinkFast Cross-stack UplinkFast (CSUF) provides a fast spanning-tree transition (fast convergence in less than 1 second under normal network conditions) across a stack of switches that use the GigaStack GBIC modules connected in a shared cascaded configuration (multidrop backbone).
  • Page 348 Chapter 16 Configuring Optional Spanning-Tree Features Understanding Optional Spanning-Tree Features Figure 16-5 Cross-Stack UplinkFast Topology [figure: backbone with the spanning-tree root; Link A (root link), Link B and Link C (alternate redundant links), each 100 or 1000 Mbps and in the forwarding state; Alternate stack-...]
  • Page 349: Events That Cause Fast Convergence

    Chapter 16 Configuring Optional Spanning-Tree Features Understanding Optional Spanning-Tree Features Events that Cause Fast Convergence Depending on the network event or failure, the CSUF fast convergence might or might not occur. Fast convergence (less than 1 second under normal network conditions) occurs under these circumstances: The stack-root port link fails.
  • Page 350: Connecting The Stack Ports

    Chapter 16 Configuring Optional Spanning-Tree Features Understanding Optional Spanning-Tree Features Connecting the Stack Ports A fast transition occurs across the stack of switches if the multidrop backbone connections are a continuous link from one GigaStack GBIC module to another as shown in the top half of Figure 16-6.
  • Page 351: Understanding Backbonefast

    Chapter 16 Configuring Optional Spanning-Tree Features Understanding Optional Spanning-Tree Features Understanding BackboneFast BackboneFast detects indirect failures in the core of the backbone. BackboneFast is a complementary technology to the UplinkFast feature, which responds to failures on links directly connected to access switches.
  • Page 352 Chapter 16 Configuring Optional Spanning-Tree Features Understanding Optional Spanning-Tree Features If link L1 fails as shown in Figure 16-8, Switch C cannot detect this failure because it is not connected directly to link L1. However, because Switch B is directly connected to the root switch over L1, it detects the failure, elects itself the root, and begins sending BPDUs to Switch C, identifying itself as the root.
  • Page 353: Understanding Etherchannel Guard

    Chapter 16 Configuring Optional Spanning-Tree Features Understanding Optional Spanning-Tree Features Understanding EtherChannel Guard You can use EtherChannel guard to detect an EtherChannel misconfiguration between the switch and a connected device. A misconfiguration can occur if the switch interfaces are configured in an EtherChannel, but the interfaces on the other device are not.
  • Page 354: Understanding Loop Guard

    Chapter 16 Configuring Optional Spanning-Tree Features Configuring Optional Spanning-Tree Features Figure 16-10 Root Guard in a Service-Provider Network [figure: customer network and service-provider network; the desired root switch is in the service-provider network; a customer switch is a potential spanning-tree root without root guard enabled; enable the root-guard feature on the service-provider interfaces facing the customer network to prevent switches in the customer network from becoming the root switch or being...]
  • Page 355: Default Optional Spanning-Tree Configuration

    Chapter 16 Configuring Optional Spanning-Tree Features Configuring Optional Spanning-Tree Features • Enabling BackboneFast, page 16-18 (optional) • Enabling EtherChannel Guard, page 16-18 (optional) • Enabling Root Guard, page 16-19 (optional) • Enabling Loop Guard, page 16-19 (optional) Default Optional Spanning-Tree Configuration Table 16-1 shows the default optional spanning-tree configuration.
  • Page 356: Enabling Bpdu Guard

    Chapter 16 Configuring Optional Spanning-Tree Features Configuring Optional Spanning-Tree Features Beginning in privileged EXEC mode, follow these steps to enable Port Fast. This procedure is optional. Command Purpose Step 1 configure terminal Enter global configuration mode. Step 2 interface interface-id Specify an interface to configure, and enter interface configuration mode.
  • Page 357: Enabling Bpdu Filtering

    Chapter 16 Configuring Optional Spanning-Tree Features Configuring Optional Spanning-Tree Features You can also use the spanning-tree bpduguard enable interface configuration command to enable BPDU guard on any port without also enabling the Port Fast feature. When the port receives a BPDU, it is put in the error-disabled state.
  • Page 358: Enabling Uplinkfast For Use With Redundant Links

    Chapter 16 Configuring Optional Spanning-Tree Features Configuring Optional Spanning-Tree Features Beginning in privileged EXEC mode, follow these steps to globally enable the BPDU filtering feature. This procedure is optional. Command Purpose Step 1 configure terminal Enter global configuration mode. Step 2 spanning-tree portfast bpdufilter default Globally enable BPDU filtering.
  • Page 359: Enabling Cross-Stack Uplinkfast

    Chapter 16 Configuring Optional Spanning-Tree Features Configuring Optional Spanning-Tree Features Command Purpose Step 4 show spanning-tree summary Verify your entries. Step 5 copy running-config startup-config (Optional) Save your entries in the configuration file. When UplinkFast is enabled, the switch priority of all VLANs is set to 49152. If you change the path cost to a value less than 3000 and you enable UplinkFast or UplinkFast is already enabled, the path cost of all interfaces and VLAN trunks is increased by 3000 (if you change the path cost to 3000 or above, the path cost is not altered).
  • Page 360: Enabling Backbonefast

    Chapter 16 Configuring Optional Spanning-Tree Features Configuring Optional Spanning-Tree Features To disable CSUF on an interface, use the no spanning-tree stack-port interface configuration command. To disable UplinkFast on the switch and all its VLANs, use the no spanning-tree uplinkfast global configuration command. Enabling BackboneFast You can enable BackboneFast to detect indirect link failures and to start the spanning-tree reconfiguration sooner.
  • Page 361: Enabling Root Guard

    Chapter 16 Configuring Optional Spanning-Tree Features Configuring Optional Spanning-Tree Features To disable the EtherChannel guard feature, use the no spanning-tree etherchannel guard misconfig global configuration command. You can use the show interfaces status err-disabled privileged EXEC command to determine which switch ports are disabled because of an EtherChannel misconfiguration.
  • Page 362: Displaying The Spanning-Tree Status

    Chapter 16 Configuring Optional Spanning-Tree Features Displaying the Spanning-Tree Status You can enable this feature if your switch is running PVST+, rapid PVST+, or MSTP. Beginning in privileged EXEC mode, follow these steps to enable loop guard. This procedure is optional. Command Purpose Step 1...
  • Page 363: Understanding Vlans

    CHAPTER Configuring VLANs This chapter describes how to configure normal-range VLANs (VLAN IDs 1 to 1005) and extended-range VLANs (VLAN IDs 1006 to 4094) on your Catalyst 2950 or Catalyst 2955 switch. It includes information about VLAN modes and the VLAN Membership Policy Server (VMPS). Note For complete syntax and usage information for the commands used in this chapter, refer to the command reference for this release.
  • Page 364: Chapter 17 Configuring Vlan

    Figure 17-1 VLANs as Logically Defined Networks [figure: Engineering, Marketing, and Accounting VLANs spanning Floor 1 to Floor 3, interconnected through a Cisco router over Fast Ethernet] VLANs are often associated with IP subnetworks. For example, all the end stations in a particular IP subnet belong to the same VLAN.
  • Page 365: Vlan Port Membership Modes

    Dynamic Access Ports on VMPS Clients” section on page 17-28. Voice VLAN: A voice VLAN port is an access port attached to a Cisco IP Phone, configured to use one VLAN for voice traffic. VTP is not required; it has no effect on voice VLAN.
  • Page 366: Configuring Normal-Range Vlans

    Chapter 17 Configuring VLANs Configuring Normal-Range VLANs Configuring Normal-Range VLANs Normal-range VLANs are VLANs with VLAN IDs 1 to 1005. If the switch is in VTP server or transparent mode, you can add, modify or remove configurations for VLANs 2 to 1001 in the VLAN database.
  • Page 367: Token Ring Vlans

    Chapter 17 Configuring VLANs Configuring Normal-Range VLANs This section includes information about these topics about normal-range VLANs: • Token Ring VLANs, page 17-5 • Normal-Range VLAN Configuration Guidelines, page 17-5 • VLAN Configuration Mode Options, page 17-6 • Saving VLAN Configuration, page 17-7 ...
  • Page 368: Vlan Configuration Mode Options

    Chapter 17 Configuring VLANs Configuring Normal-Range VLANs is to allow all VLANs), the new VLAN is carried on all trunk ports. Depending on the topology of the network, this could create a loop in the new VLAN that would not be broken, particularly if there are several adjacent switches that all have run out of spanning-tree instances.
  • Page 369: Saving Vlan Configuration

    • If VTP mode is server, the domain name and VLAN configuration for the first 1005 VLANs use the VLAN database information. • If the switch is running Cisco IOS Release 12.1(9)EA1 or later and you use an older startup configuration file to boot up the switch, the configuration file does not contain VTP or VLAN information, and the switch uses the VLAN database configurations.
  • Page 370: Creating Or Modifying An Ethernet Vlan

    Chapter 17 Configuring VLANs Configuring Normal-Range VLANs Table 17-2 Ethernet VLAN Defaults and Ranges Parameter Default Range VLAN ID 1 to 4094 when the EI is installed and 1 to 1005 when the SI is installed. Note Extended-range VLANs (VLAN IDs 1006 to 4094) are not saved in the VLAN database.
  • Page 371 Chapter 17 Configuring VLANs Configuring Normal-Range VLANs Command Purpose Step 3 name vlan-name (Optional) Enter a name for the VLAN. If no name is entered for the VLAN, the default is to append the vlan-id with leading zeros to the word VLAN.
  • Page 372: Deleting A Vlan

    Chapter 17 Configuring VLANs Configuring Normal-Range VLANs Note You cannot configure an RSPAN VLAN in VLAN database configuration mode. To return the VLAN name to the default settings, use the no vlan vlan-id name or no vlan vlan-id mtu VLAN configuration command. This example shows how to use VLAN database configuration mode to create Ethernet VLAN 20, name it test20, and add it to the VLAN database: Switch# vlan database...
  • Page 373: Assigning Static-Access Ports To A Vlan

    Chapter 17 Configuring VLANs Configuring Normal-Range VLANs Assigning Static-Access Ports to a VLAN You can assign a static-access port to a VLAN without having VTP globally propagate VLAN configuration information by disabling VTP (VTP transparent mode). If you are assigning a port on a cluster member switch to a VLAN, first use the rcommand privileged EXEC command to log in to the member switch.
  • Page 374: Configuring Extended-Range Vlans

    Chapter 17 Configuring VLANs Configuring Extended-Range VLANs Configuring Extended-Range VLANs When the switch is in VTP transparent mode (VTP disabled) and the EI is installed, you can create extended-range VLANs (in the range 1006 to 4094). Extended-range VLANs enable service providers to extend their infrastructure to a greater number of customers.
  • Page 375: Creating An Extended-Range Vlan

    Chapter 17 Configuring VLANs Configuring Extended-Range VLANs • VLANs in the extended range are not supported by VQP. They cannot be configured by VMPS. • STP is enabled by default on extended-range VLANs, but you can disable it by using the no spanning-tree vlan vlan-id global configuration command.
  • Page 376: Displaying Vlans

    Chapter 17 Configuring VLANs Displaying VLANs To delete an extended-range VLAN, use the no vlan vlan-id global configuration command. The procedure for assigning static-access ports to an extended-range VLAN is the same as for normal-range VLANs. See the “Assigning Static-Access Ports to a VLAN” section on page 17-11.
  • Page 377: Configuring Vlan Trunks

    Chapter 17 Configuring VLANs Configuring VLAN Trunks Configuring VLAN Trunks These sections describe how VLAN trunks function on the switch: • Trunking Overview, page 17-15 • 802.1Q Configuration Considerations, page 17-16 • Default Layer 2 Ethernet Interface VLAN Configuration, page 17-17 ...
  • Page 378: 802.1Q Configuration Considerations

    VLAN allowed on the trunks. Non-Cisco devices might support one spanning-tree instance for all VLANs. When you connect a Cisco switch to a non-Cisco device through an 802.1Q trunk, the Cisco switch combines the spanning-tree instance of the VLAN of the trunk with the spanning-tree instance of the non-Cisco 802.1Q switch.
  • Page 379: Default Layer 2 Ethernet Interface Vlan Configuration

    Chapter 17 Configuring VLANs Configuring VLAN Trunks • Make sure the native VLAN for an 802.1Q trunk is the same on both ends of the trunk link. If the native VLAN on one end of the trunk is different from the native VLAN on the other end, spanning-tree loops might result.
  • Page 380: Interaction With Other Features

    Chapter 17 Configuring VLANs Configuring VLAN Trunks Interaction with Other Features Trunking interacts with other features in these ways: • A trunk port cannot be a secure port. • Trunk ports can be grouped into EtherChannel port groups, but all trunks in the group must have the...
  • Page 381: Defining The Allowed Vlans On A Trunk

    VLAN 1 from the allowed list. This is known as VLAN 1 minimization. VLAN 1 minimization disables VLAN 1 (the default VLAN on all Cisco switch trunk ports) on an individual VLAN trunk link. As a result, no user traffic, including spanning-tree advertisements, is sent or received on VLAN 1.
  • Page 382: Changing The Pruning-Eligible List

    Chapter 17 Configuring VLANs Configuring VLAN Trunks Command Purpose Step 4 switchport trunk allowed vlan {add | (Optional) Configure the list of VLANs allowed on the trunk. all | except | remove} vlan-list For explanations about using the add, all, except, and remove keywords, refer to the command reference for this release.
  • Page 383: Configuring The Native Vlan For Untagged Traffic

    Chapter 17 Configuring VLANs Configuring VLAN Trunks Command Purpose Step 4 Return to privileged EXEC mode. Step 5 show interfaces interface-id switchport Verify your entries in the Pruning VLANs Enabled field of the display. Step 6 copy running-config startup-config (Optional) Save your entries in the configuration file. To return to the default pruning-eligible list of all VLANs, use the no switchport trunk pruning vlan interface configuration command.
  • Page 384: Load Sharing Using Stp

    Chapter 17 Configuring VLANs Configuring VLAN Trunks Load Sharing Using STP Load sharing divides the bandwidth supplied by parallel trunks connecting switches. To avoid loops, STP normally blocks all but one parallel link between switches. Using load sharing, you divide the traffic between the links according to which VLAN the traffic belongs.
  • Page 385 Chapter 17 Configuring VLANs Configuring VLAN Trunks Beginning in privileged EXEC mode, follow these steps to configure the network shown in Figure 17-3. Command Purpose Step 1 configure terminal Enter global configuration mode on Switch 1. Step 2 vtp domain domain-name Configure a VTP administrative domain.
  • Page 386: Load Sharing Using Stp Path Cost

    Chapter 17 Configuring VLANs Configuring VLAN Trunks Load Sharing Using STP Path Cost You can configure parallel trunks to share VLAN traffic by setting different path costs on a trunk and associating the path costs with different sets of VLANs. The VLANs keep the traffic separate. Because no loops exist, STP does not disable the ports, and redundancy is maintained in the event of a lost link.
  • Page 387: Configuring Vmps

    Chapter 17 Configuring VLANs Configuring VMPS Command Purpose Step 11 spanning-tree vlan 2-4 cost 30 Set the spanning-tree path cost to 30 for VLANs 2 through 4. Step 12 Return to global configuration mode. Step 13 Repeat Steps 9 through 11 on Switch A interface Fast Ethernet 0/2, and set the spanning-tree path cost to 30 for VLANs 8, 9, and 10.
  • Page 388: Dynamic Port Vlan Membership

    Chapter 17 Configuring VLANs Configuring VMPS • If the VLAN in the database does not match the current VLAN on the port and active hosts exist on the port, the VMPS sends an access-denied or a port-shutdown response, depending on the secure mode of the VMPS.
  • Page 389: Default Vmps Client Configuration

    Chapter 17 Configuring VLANs Configuring VMPS Default VMPS Client Configuration Table 17-6 shows the default VMPS and dynamic port configuration on client switches. Table 17-6 Default VMPS Client and Dynamic Port Configuration Feature Default Setting VMPS domain server None VMPS reconfirm interval 60 minutes VMPS server retry count Dynamic ports...
  • Page 390: Configuring The Vmps Client

    Chapter 17 Configuring VLANs Configuring VMPS Configuring the VMPS Client You configure dynamic VLANs by using the VMPS (server). The switch can be a VMPS client; it cannot be a VMPS server. Entering the IP Address of the VMPS You must first enter the IP address of the server to configure the switch as a client. Note If the VMPS is being defined for a cluster of switches, enter the address on the command switch.
  • Page 391: Reconfirming Vlan Memberships

    Chapter 17 Configuring VLANs Configuring VMPS Command Purpose Step 4 switchport access vlan dynamic Configure the port as eligible for dynamic VLAN membership. The dynamic access port must be connected to an end station. Step 5 Return to privileged EXEC mode. Step 6 show interfaces interface-id switchport Verify your entries in the Operational Mode field of the display.
  • Page 392: Changing The Retry Count

    Chapter 17 Configuring VLANs Configuring VMPS Command Purpose Step 4 show vmps Verify the dynamic VLAN reconfirmation status in the Reconfirm Interval field of the display. Step 5 copy running-config startup-config (Optional) Save your entries in the configuration file. To return the switch to its default setting, use the no vmps reconfirm global configuration command. Changing the Retry Count Beginning in privileged EXEC mode, follow these steps to change the number of times that the switch attempts to contact the VMPS before querying the next server:...
  • Page 393: Troubleshooting Dynamic Port Vlan Membership

    Chapter 17 Configuring VLANs Configuring VMPS This is an example of output for the show vmps privileged EXEC command:
    Switch# show vmps
    VQP Client Status:
    --------------------
    VMPS VQP Version:
    Reconfirm Interval: 60 min
    Server Retry Count: 3
    VMPS domain server: 172.20.128.86 (primary, current)
                        172.20.128.87
    Reconfirmation status
    ---------------------
    ...
  • Page 394 Chapter 17 Configuring VLANs Configuring VMPS Figure 17-5 Dynamic Port VLAN Membership Configuration [figure: TFTP server 172.20.22.7; Catalyst 6500 series switch A, primary VMPS (Server 1), 172.20.26.150; router; client switch B, 172.20.26.151, with a dynamic-access port to station 1 and a trunk port; Catalyst 6500 series switch C, secondary VMPS (Server 2), 172.20.26.152 ...]
  • Page 395: Configuring Vtp

    CHAPTER Configuring VTP This chapter describes how to use the VLAN Trunking Protocol (VTP) and the VLAN database for managing VLANs on your Catalyst 2950 or Catalyst 2955 switch. Note For complete syntax and usage information for the commands used in this chapter, refer to the command reference for this release.
  • Page 396: Chapter 18 Configuring Vtp

    Chapter 18 Configuring VTP Understanding VTP The VTP Domain A VTP domain (also called a VLAN management domain) consists of one switch or several interconnected switches under the same administrative responsibility sharing the same VTP domain name. A switch can be in only one VTP domain. You make global VLAN configuration changes for the domain by using the command-line interface (CLI), Cluster Management Suite (CMS) software, or Simple Network Management Protocol (SNMP).
  • Page 397: Vtp Modes

    Chapter 18 Configuring VTP Understanding VTP VTP Modes You can configure a supported switch to be in one of the VTP modes listed in Table 18-1. Table 18-1 VTP Modes VTP Mode Description VTP server In VTP server mode, you can create, modify, and delete VLANs and specify other configuration parameters (such as the VTP version) for the entire VTP domain.
  • Page 398: Vtp Version 2

    Chapter 18 Configuring VTP Understanding VTP • MD5 digest • VLAN configuration, including maximum transmission unit (MTU) size for each VLAN • Frame format VTP advertisements distribute this VLAN information for each configured VLAN: • VLAN IDs • VLAN name • VLAN type ...
  • Page 399 Chapter 18 Configuring VTP Understanding VTP Figure 18-1 Flooding Traffic without VTP Pruning [figure: Switches A through F, with Port 1 on Switch B and Port 2 on Switch D; VLAN traffic from Switch A is flooded to every switch] Figure 18-2 shows a switched network with VTP pruning enabled. The broadcast traffic from Switch A is not forwarded to Switches C, E, and F because traffic for the Red VLAN has been pruned on the links shown (Port 5 on Switch B and Port 4 on Switch D).
  • Page 400: Default Vtp Configuration

    Chapter 18 Configuring VTP Configuring VTP VTP pruning is not designed to function in VTP transparent mode. If one or more switches in the network are in VTP transparent mode, you should do one of these: • Turn off VTP pruning in the entire network. •...
  • Page 401: Vtp Configuration Options

    Chapter 18 Configuring VTP Configuring VTP VTP Configuration Options You can configure VTP by using these configuration modes. • VTP Configuration in Global Configuration Mode, page 18-7 • VTP Configuration in VLAN Configuration Mode, page 18-7 You access VLAN configuration mode by entering the vlan database privileged EXEC command. For detailed information about vtp commands, refer to the command reference for this release.
  • Page 402: Vtp Configuration Guidelines

    Chapter 18 Configuring VTP Configuring VTP VTP Configuration Guidelines These sections describe guidelines you should follow when implementing VTP in your network. Domain Names When configuring VTP for the first time, you must always assign a domain name. You must configure all switches in the VTP domain with the same domain name.
  • Page 403: Vtp Version

    Chapter 18 Configuring VTP Configuring VTP VTP Version Follow these guidelines when deciding which VTP version to implement: • All switches in a VTP domain must run the same VTP version. • A VTP version 2-capable switch can operate in the same VTP domain as a switch running VTP ...
  • Page 404 Chapter 18 Configuring VTP Configuring VTP Command Purpose Step 4 vtp password password (Optional) Set the password for the VTP domain. The password can be from 8 to 64 characters. If you configure a VTP password, the VTP domain does not function properly if you do not assign the same password to each switch in the domain.
  • Page 405: Configuring A Vtp Client

    Chapter 18 Configuring VTP Configuring VTP This example shows how to use VLAN configuration mode to configure the switch as a VTP server with the domain name eng_group and the password mypassword:
    Switch# vlan database
    Switch(vlan)# vtp server
    Switch(vlan)# vtp domain eng_group
    Switch(vlan)# vtp password mypassword
    Switch(vlan)# exit
    APPLY completed.
  • Page 406: Disabling Vtp (Vtp Transparent Mode)

    Chapter 18 Configuring VTP Configuring VTP Note You can also configure a VTP client by using the vlan database privileged EXEC command to enter VLAN configuration mode and entering the vtp client command, similar to the second procedure under “Configuring a VTP Server” section on page 18-9.
  • Page 407: Enabling Vtp Version 2

    Chapter 18 Configuring VTP Configuring VTP Note You can also configure VTP transparent mode by using the vlan database privileged EXEC command to enter VLAN configuration mode and by entering the vtp transparent command, similar to the second procedure under the “Configuring a VTP Server”...
  • Page 408: Enabling Vtp Pruning

    Chapter 18 Configuring VTP Configuring VTP Enabling VTP Pruning Pruning increases available bandwidth by restricting flooded traffic to those trunk links that the traffic must use to access the destination devices. You can only enable VTP pruning on a switch in VTP server mode.
  • Page 409 Chapter 18 Configuring VTP Configuring VTP Beginning in privileged EXEC mode, follow these steps to verify and reset the VTP configuration revision number on a switch before adding it to a VTP domain: Command Purpose Step 1 show vtp status Check the VTP configuration revision number.
  • Page 410: Monitoring Vtp

    Chapter 18 Configuring VTP Monitoring VTP Monitoring VTP You monitor VTP by displaying VTP configuration information: the domain name, the current VTP revision, and the number of VLANs. You can also display statistics about the advertisements sent and received by the switch. Table 18-3 shows the privileged EXEC commands for monitoring VTP activity.
  • Page 411: Chapter 19 Configuring Voice Vlan

    The voice VLAN feature enables access ports to carry IP voice traffic from an IP phone. The switch can connect to a Cisco 7960 IP Phone and carry IP voice traffic. Because the sound quality of an IP phone call can deteriorate if the data is unevenly sent, the switch supports quality of service (QoS) based on IEEE 802.1p class of service (CoS).
  • Page 412: Configuring Voice Vlan

    0. Note In software releases earlier than Cisco IOS Release 12.1(13)EA1, the CoS value is trusted for all 802.1p or 802.1Q tagged traffic, and the IP Phone does not override the priority of the incoming traffic.
  • Page 413: Voice Vlan Configuration Guidelines

    Configuring a Port to Connect to a Cisco 7960 IP Phone Because a Cisco 7960 IP Phone also supports a connection to a PC or other device, a port connecting the switch to a Cisco 7960 IP Phone can carry mixed traffic.
  • Page 414 Step 3 switchport voice vlan vlan-id Instruct the Cisco IP Phone to forward all voice traffic through the specified VLAN. By default, the Cisco IP Phone forwards the voice traffic with an 802.1Q priority of 5. Valid VLAN IDs are from 1 to 4094 when the enhanced software image (EI) is installed and 1 to 1001 when the standard software image is installed.
  • Page 415 Overriding the CoS Priority of Incoming Data Frames You can connect a PC or other data device to a Cisco 7960 IP Phone port. The PC can generate packets with an assigned CoS value. You can configure the switch to override the priority of frames arriving on the IP phone port from connected devices.
  • Page 416: Displaying Voice Vlan

    Configuring the IP Phone to Trust the CoS Priority of Incoming Data Frames You can connect a PC or other data device to a Cisco 7960 IP Phone port. The PC can generate packets with an assigned CoS value. You can configure the switch to trust the priority of frames arriving on the IP phone port from connected devices.
  • Page 417: Configuring Dhcp Features

    Note For complete syntax and usage information for the commands used in this chapter, refer to the command reference for this release, and refer to the “IP Addressing and Services” section in the Cisco IOS IP and IP Routing Command Reference, Release 12.1.
  • Page 418: Dhcp Server

    Chapter 20 Configuring DHCP Features Understanding DHCP Features DHCP Server The DHCP server assigns IP addresses from specified address pools on a switch or router to DHCP clients and manages them. If the DHCP server cannot give the DHCP client the requested configuration parameters from its database, it can forward the request to one or more secondary DHCP servers defined by the network administrator.
  • Page 419: Option-82 Data Insertion

    Chapter 20 Configuring DHCP Features Understanding DHCP Features The switch drops a DHCP packet when one of these situations occurs: • A packet from a DHCP server, such as a DHCPOFFER, DHCPACK, DHCPNAK, or DHCPLEASEQUERY packet, is received from outside the network or firewall. •...
  • Page 420 Chapter 20 Configuring DHCP Features Understanding DHCP Features When you enable the DHCP snooping information option 82 on the switch, this sequence of events occurs: • The host (DHCP client) generates a DHCP request and broadcasts it on the network. •...
  • Page 421: Configuring Dhcp Features

    Chapter 20 Configuring DHCP Features Configuring DHCP Features Figure 20-2 Suboption Packet Formats [figure: Circuit ID Suboption Frame Format: Suboption type (1 byte), Length (1 byte), Circuit ID type (1 byte), Length (1 byte), VLAN (2 bytes), Module (1 byte), Port (1 byte). Remote ID Suboption Frame Format: Suboption type, ..., Remote ...]
  • Page 422: Default Dhcp Configuration

    Configuring the DHCP Server The Catalyst 2955 switch can act as a DHCP server. By default, the Cisco IOS DHCP server and relay agent features are enabled on your switch but are not configured. These features are not operational.
  • Page 423: Enabling Dhcp Snooping And Option 82

    Chapter 20 Configuring DHCP Features Configuring DHCP Features Enabling DHCP Snooping and Option 82 Beginning in privileged EXEC mode, follow these steps to enable DHCP snooping on the switch. Command Purpose Step 1 configure terminal Enter global configuration mode. Step 2 ip dhcp snooping Enable DHCP snooping globally.
  • Page 424: Displaying Dhcp Information

    Chapter 20 Configuring DHCP Features Displaying DHCP Information Displaying DHCP Information You can display a DHCP snooping binding table and configuration information for all interfaces on a switch. Displaying a Binding Table The DHCP snooping binding table for each switch has binding entries that correspond to untrusted ports. The table does not have information about hosts interconnected with a trusted port.
  • Page 425: Understanding IGMP Snooping

    Note: For complete syntax and usage information for the commands used in this chapter, refer to the switch command reference for this release and the Cisco IOS Release Network Protocols Command Reference, Part 1, for Cisco IOS Release 12.1. This chapter consists of these sections:
    • Understanding IGMP Snooping, page 21-1
    • ...
  • Page 426: Chapter 21 Configuring IGMP Snooping and MVR

    Chapter 21 Configuring IGMP Snooping and MVR, Understanding IGMP Snooping (continued): ...the switch adds the host port number to the forwarding table entry; when it receives an IGMP Leave Group message from a host, it removes the host port from the table entry. It also periodically deletes entries if it does not receive IGMP membership reports from the multicast clients.
  • Page 427: Joining a Multicast Group

    An IGMPv3 switch can receive messages from and forward messages to a device running the Source Specific Multicast (SSM) feature. For more information, refer to the “Configuring IP Multicast Layer 3 Switching” chapter in the Catalyst 4500 Series Switch Cisco IOS Software Configuration Guide, Cisco IOS Release 12.1(12c)EW at this URL: http://www.cisco.com/univercd/cc/td/doc/product/lan/cat4000/12_1_12/config/mcastmls.htm...
  • Page 428: Leaving a Multicast Group

    Note that the switch hardware can distinguish IGMP information packets from other packets for the multicast group.
    • The first entry in the table tells the switching engine to send IGMP packets to only the switch CPU. This prevents the CPU from becoming overloaded with multicast frames.
  • Page 429: Immediate-Leave Processing

    When hosts want to leave a multicast group, they can either silently leave, or they can send a leave message. When the switch receives a leave message from a host, it sends out a MAC-based general query to determine if any other devices connected to that interface are interested in traffic for the specific multicast group.
  • Page 430: Configuring IGMP Snooping

    The default learning method is IP multicast-source-only learning. You can disable IP multicast-source-only learning by using the no ip igmp snooping source-only-learning global configuration command. In addition to IGMP query packets, the switch also uses Protocol-Independent Multicast protocol version 2 (PIMv2) packets for multicast router discovery.
  • Page 431: Enabling or Disabling IGMP Snooping

    Table 21-3 Default IGMP Snooping Configuration (continued):
    • IGMP snooping Immediate Leave: Disabled.
    • Static groups: None configured.
    • IP multicast-source-only learning: Enabled.
    • PIM v2 multicast router discovery: Enabled.
    • Aging forward-table entries (when source-only ...): Enabled.
  • Page 432: Setting the Snooping Method

    • Snooping on IGMP queries, Protocol Independent Multicast (PIM) packets, and Distance Vector Multicast Routing Protocol (DVMRP) packets
    • Listening to Cisco Group Management Protocol (CGMP) packets from other routers
    • Statically connecting to a multicast router port with the ip igmp snooping mrouter global...
  • Page 433: Configuring a Multicast Router Port

    Vlan 1:
    --------
    IGMP snooping :Enabled
    Immediate leave :Disabled
    Multicast router learning mode :pim-dvmrp
    Source only learning age timer
    CGMP interoperability mode :IGMP_ONLY
    To return to the default learning method, use the no ip igmp snooping vlan vlan-id mrouter learn cgmp global configuration command.
  • Page 434: Configuring a Host Statically to Join a Group

    Hosts or Layer 2 ports normally join multicast groups dynamically, but you can also statically configure a host on an interface. Beginning in privileged EXEC mode, follow these steps to add a Layer 2 port as a member of a multicast group: ...
  • Page 435: Disabling IGMP Report Suppression

    Step 4 show ip igmp snooping vlan vlan-id: Verify that Immediate Leave is enabled on the VLAN.
    Step 5 copy running-config startup-config: (Optional) Save your entries in the configuration file.
    To disable IGMP Immediate-Leave on a VLAN, use the no ip igmp snooping vlan vlan-id immediate-leave global configuration command.
  • Page 436: Configuring the Aging Time

    Note: We strongly recommend that you do not disable IP multicast-source-only learning. IP multicast-source-only learning should be disabled only if your network is not composed of IP multicast-source-only networks and if disabling this learning method improves the network performance.
  • Page 437: Displaying IGMP Snooping Information

    To disable the aging of the forwarding table entries, enter the ip igmp snooping source-only-learning age-timer 0 global configuration command. If you disable source-only learning by using the no ip igmp snooping source-only-learning global configuration command and the aging time is enabled, it has no effect on the switch.
  • Page 438: Understanding Multicast VLAN Registration

    Multicast VLAN Registration (MVR) is designed for applications using wide-scale deployment of multicast traffic across an Ethernet ring-based service provider network (for example, the broadcast of multiple television channels over a service-provider network).
  • Page 439: Using MVR in a Multicast Television Application

    In a multicast television application, a PC or a television with a set-top box can receive the multicast stream. Multiple set-top boxes or PCs can be connected to one subscriber port, which is a switch port configured as an MVR receiver port.
  • Page 440

    Figure 21-3 Multicast VLAN Registration Example (figure: multicast VLAN, Cisco router, multicast server, Switch B, Switch A, multicast data, ports RP1 through RP7, customer premises)...
  • Page 441: Configuring MVR

    These sections include basic MVR configuration information:
    • Default MVR Configuration, page 21-17
    • MVR Configuration Guidelines and Limitations, page 21-17
    • Configuring MVR Global Parameters, page 21-18
    • Configuring MVR Interfaces, page 21-19
    • ...
  • Page 442: Configuring MVR Global Parameters

    You do not need to set the optional MVR parameters if you choose to use the default settings. If you do want to change the default parameters (except for the MVR VLAN), you must first enable MVR. Beginning in privileged EXEC mode, follow these steps to configure MVR parameters: ...
  • Page 443: Configuring MVR Interfaces

    This example shows how to enable MVR, configure the MVR group address, set the query time to 1 second (10 tenths), specify the MVR multicast VLAN as VLAN 22, set the MVR mode as dynamic, and verify the results:
    Switch(config)# mvr
    Switch(config)# mvr group 228.1.23.4
    ...
  • Page 444

    Step 6 mvr immediate: (Optional) Enable the Immediate Leave feature of MVR on the port. Note: This command applies to only receiver ports and should only be enabled on receiver ports to which a single receiver device is connected.
  • Page 445: Displaying MVR Information

    You can display MVR information for the switch or for a specified interface. Beginning in privileged EXEC mode, use the commands in Table 21-6 to display MVR configuration:
    Table 21-6 Commands for Displaying MVR Information
    show mvr: Displays MVR status and values for the switch—whether MVR is enabled or disabled, ...
  • Page 446: Default IGMP Filtering and Throttling Configuration

    Note: IGMPv3 join and leave messages are not supported on switches running IGMP filtering. With the IGMP throttling feature, you can also set the maximum number of IGMP groups that a Layer 2 interface can join.
  • Page 447

    • permit: Specifies that matching addresses are permitted.
    • range: Specifies a range of IP addresses for the profile. You can enter a single IP address or a range with a start and an end address.
  • Page 448: Applying IGMP Profiles

    To control access as defined in an IGMP profile, use the ip igmp filter interface configuration command to apply the profile to the appropriate interfaces. You can apply IGMP profiles to Layer 2 ports only. You cannot apply profiles to ports that belong to an EtherChannel port group.
  • Page 449: Setting the Maximum Number of IGMP Groups

    You can set the maximum number of IGMP groups that a Layer 2 interface can join by using the ip igmp max-groups interface configuration command.
  • Page 450

    • If you configure the throttling action and set the maximum group limitation after an interface has added multicast entries to the forwarding table, the forwarding-table entries are either aged out or removed, depending on the throttling action.
  • Page 451: Displaying IGMP Filtering and Throttling Configuration

    You can display IGMP profile characteristics, and you can display the IGMP profile and maximum group configuration for all interfaces on the switch or for a specified interface. You can also display the IGMP throttling configuration for all interfaces on the switch or for a specified interface.
  • Page 452 Chapter 21 Configuring IGMP Snooping and MVR Displaying IGMP Filtering and Throttling Configuration Catalyst 2950 and Catalyst 2955 Switch Software Configuration Guide 21-28 78-11380-10...
  • Page 453: Configuring Storm Control

    Chapter 22 Configuring Port-Based Traffic Control: This chapter describes how to configure the port-based traffic control features on your Catalyst 2950 or Catalyst 2955 switch. Note: For complete syntax and usage information for the commands used in this chapter, refer to the command reference for this release.
  • Page 454: Understanding Storm Control

    In general, the higher the level, the less effective the protection against broadcast storms. When a non-LRE Catalyst 2950 switch running Cisco IOS Release 12.1(14)EA1 or later uses traffic rates as the threshold values, the rising and falling thresholds are in packets per second. The rising threshold is the rate at which multicast, broadcast, and unicast traffic is received before forwarding is blocked.
  • Page 455: Chapter 22 Configuring Port-Based Traffic Control

    The storm control action occurs when traffic reaches this level. This option is supported only on non-LRE Catalyst 2950 switches running Cisco IOS Release 12.1(14)EA1 or later. For pps-low, specify the falling threshold level in packets per second that can be less than or equal to the rising threshold level.
  • Page 456: Disabling Storm Control

    Both LRE interface ports and CPE device ports can be configured as protected ports. When you use a Cisco 575 LRE CPE or a Cisco 576 LRE 997 CPE device, the cpe protected interface configuration command is not available.
  • Page 457: Configuring Port Blocking

    Note: Blocking unicast or multicast traffic is not automatically enabled on protected ports; you must explicitly configure it. The port blocking feature is only supported on these switches:
    • Catalyst 2950 Long-Reach Ethernet (LRE) switches running Cisco IOS Release 12.1(14)EA1 or later
    • Catalyst 2950G-12-EI, 2950G-24-EI, 2950G-24-EI-DC, 2950G-48-EI, and 2955 switches running ...
  • Page 458: Resuming Normal Forwarding on a Port

    Beginning in privileged EXEC mode, follow these steps to disable the flooding of multicast and unicast packets to an interface:
    Step 1 configure terminal: Enter global configuration mode.
    Step 2 interface interface-id: Specify the interface to configure and enter interface configuration mode.
  • Page 459: Configuring Port Security

    You can use the port security feature to restrict input to an interface by limiting and identifying MAC addresses of the stations allowed to access the port. When you assign secure MAC addresses to a secure port, the port does not forward packets with source addresses outside the group of defined addresses.
  • Page 460: Security Violations

    It is a security violation when one of these situations occurs:
    • The maximum number of secure MAC addresses has been added to the address table, and a station whose MAC address is not in the address table attempts to access the interface.
  • Page 461: Default Port Security Configuration

    Table 22-2 shows the default port security configuration for an interface.
    Table 22-2 Default Port Security Configuration:
    • Port security: Disabled.
    • Maximum number of secure MAC addresses: One.
  • Page 462: Enabling and Configuring Port Security

    Beginning in privileged EXEC mode, follow these steps to restrict input to an interface by limiting and identifying MAC addresses of the stations allowed to access the port: ...
  • Page 463

    Step 8 switchport port-security mac-address sticky: (Optional) Enable sticky learning on the interface.
    Step 9: Return to privileged EXEC mode.
    Step 10 show port-security: Verify your entries.
    Step 11 copy running-config startup-config: (Optional) Save your entries in the configuration file.
  • Page 464: Enabling and Configuring Port Security Aging

    You can use port security aging to set the aging time for static and dynamic secure addresses on a port. Two types of aging are supported per port:
    • ...
  • Page 465: Displaying Port-Based Traffic Control Settings

    This example shows how to set the aging time as 2 minutes for the inactivity aging type with aging enabled for the configured secure addresses on the interface:
    Switch(config-if)# switchport port-security aging time 2
    Switch(config-if)# switchport port-security aging type inactivity
    Switch(config-if)# switchport port-security aging static
    You can verify the previous commands by entering the show port-security interface interface-id...
  • Page 467: Chapter 23 Configuring UDLD

    Chapter 23 Configuring UDLD: This chapter describes how to configure the UniDirectional Link Detection (UDLD) protocol on your Catalyst 2950 or Catalyst 2955 switch. Note: For complete syntax and usage information for the commands used in this chapter, refer to the command reference for this release.
  • Page 468: Methods to Detect Unidirectional Links

    A unidirectional link occurs whenever traffic sent by a local device is received by its neighbor but traffic from the neighbor is not received by the local device. In normal mode, UDLD detects a unidirectional link when fiber strands in a fiber-optic interface are misconnected and the Layer 1 mechanisms do not detect this misconnection.
  • Page 469

    • Event-driven detection and echoing: UDLD relies on echoing as its detection mechanism. Whenever a UDLD device learns about a new neighbor or receives a resynchronization request from an out-of-sync neighbor, it restarts the detection window on its side of the connection and sends echo messages in reply.
  • Page 470: Configuring UDLD

    This section describes how to configure UDLD on your switch. It contains this configuration information:
    • Default UDLD Configuration, page 23-4
    • Configuration Guidelines, page 23-4
    • Enabling UDLD Globally, page 23-5
    • Enabling UDLD on an Interface, page 23-5
    • ...
  • Page 471: Enabling UDLD Globally

    Beginning in privileged EXEC mode, follow these steps to enable UDLD in the aggressive or normal mode and to set the configurable message timer on all fiber-optic interfaces on the switch: ...
  • Page 472: Resetting an Interface Shut Down by UDLD

    Step 3 udld port [aggressive]: Specify the UDLD mode of operation:
    • (Optional) aggressive—Enables UDLD in aggressive mode on the specified interface. UDLD is disabled by default. If you do not enter the aggressive keyword, the switch enables UDLD in normal mode.
  • Page 473: Displaying UDLD Status

    To display the UDLD status for the specified interface or for all interfaces, use the show udld [interface-id] privileged EXEC command. For detailed information about the fields in the display, refer to the command reference for this release.
  • Page 475: Chapter 24 Configuring CDP

    Understanding CDP: CDP is a device discovery protocol that runs over Layer 2 (the data link layer) on all Cisco-manufactured devices (routers, bridges, access servers, and switches) and allows network management applications to discover Cisco devices that are neighbors of already known devices. With CDP, network management applications can learn the device type and the Simple Network Management Protocol (SNMP) agent address of neighboring devices running lower-layer, transparent protocols.
  • Page 476: Configuring CDP

    These sections include CDP configuration information and procedures:
    • Default CDP Configuration, page 24-2
    • Configuring the CDP Characteristics, page 24-2
    • Disabling and Enabling CDP, page 24-3
    • Disabling and Enabling CDP on an Interface, page 24-4
    • ...
  • Page 477: Disabling and Enabling CDP

    Step 6 show cdp: Verify your settings.
    Step 7 copy running-config startup-config: (Optional) Save your entries in the configuration file.
    Use the no form of the CDP commands to return to the default settings. This example shows how to configure CDP characteristics.
  • Page 478: Disabling and Enabling CDP on an Interface

    CDP is enabled by default on all supported interfaces to send and receive CDP information. Beginning in privileged EXEC mode, follow these steps to disable CDP on an interface: ...
  • Page 479: Monitoring and Maintaining CDP

    To monitor and maintain CDP on your device, perform one or more of these tasks, beginning in privileged EXEC mode.
    clear cdp counters: Reset the traffic counters to zero.
    clear cdp table: Delete the CDP table of information about neighbors.
  • Page 481: Chapter 25 Configuring SPAN and RSPAN

    Chapter 25 Configuring SPAN and RSPAN: This chapter describes how to configure Switched Port Analyzer (SPAN) and Remote SPAN (RSPAN) on your Catalyst 2950 or Catalyst 2955 switch. Note: For complete syntax and usage information for the commands used in this chapter, refer to the command reference for this release.
  • Page 482

    You can use the SPAN destination port to inject traffic from a network security device. For example, if you connect a Cisco Intrusion Detection System (IDS) Sensor Appliance to a destination port, the IDS device can send TCP Reset packets to close down the TCP session of a suspected attacker.
  • Page 483: SPAN and RSPAN Concepts and Terminology

    This section describes concepts and terminology associated with SPAN and RSPAN configuration. SPAN Session: A local SPAN session is an association of a destination port with source ports. You can monitor incoming or outgoing traffic on a series or range of ports.
  • Page 484: Source Port

    • It does not participate in spanning tree while the SPAN session is active.
    • When it is a destination port, it does not participate in any of the Layer 2 protocols—Cisco Discovery Protocol (CDP), VLAN Trunk Protocol (VTP), Dynamic Trunking Protocol (DTP), Spanning Tree Protocol (STP), Port Aggregation Protocol (PAgP), and Link Aggregation Control Protocol (LACP).
  • Page 485: Reflector Port

    ...SPAN or RSPAN session is disabled. On a source port, SPAN does not affect the STP status. STP can be active on trunk ports carrying an RSPAN VLAN.
    • Cisco Discovery Protocol (CDP)—A SPAN destination port does not participate in CDP while the ...
  • Page 486: SPAN and RSPAN Session Limits

    • VLAN Trunking Protocol (VTP)—You can use VTP to prune an RSPAN VLAN between switches.
    • VLAN and trunking—You can modify VLAN membership or trunk settings for source, destination, or reflector ports at any time. However, changes in VLAN membership or trunk settings for a destination or reflector port do not take effect until you disable the SPAN or RSPAN session.
  • Page 487: Default SPAN and RSPAN Configuration

    Table 25-1 shows the default SPAN and RSPAN configuration.
    Table 25-1 Default SPAN and RSPAN Configuration:
    • SPAN state: Disabled.
    • Source port traffic to monitor: Both received and sent traffic (both).
  • Page 488: Creating a SPAN Session and Specifying Ports to Monitor

    • When SPAN is enabled, configuration changes have these results:
      – If you change the VLAN configuration of a destination port, the change is not effective until SPAN is disabled.
      – If you disable all source ports or the destination port, the SPAN function stops until both a source and the destination port are enabled.
  • Page 489: Creating a SPAN Session and Enabling Ingress Traffic

    Beginning in privileged EXEC mode, follow these steps to create a SPAN session, to specify the source and destination ports, and to enable ingress traffic on the destination port for a network security device (such as a Cisco IDS Sensor Appliance): ...
  • Page 490

    Step 4 monitor session session_number destination interface interface-id [encapsulation {dot1q}] [ingress vlan vlan id]: Specify the SPAN session, the destination port (monitoring port), the packet encapsulation, and the ingress VLAN. For session_number, specify 1. For interface-id, specify the destination port.
  • Page 491: Removing Ports from a SPAN Session

    Beginning in privileged EXEC mode, follow these steps to remove a port as a SPAN source for a session:
    Step 1 configure terminal: Enter global configuration mode.
    Step 2 no monitor session session_number source ...: Specify the characteristics of the source port (monitored port) and ...
  • Page 492: Configuring RSPAN

    This section describes how to configure RSPAN on your switch. It contains this configuration information:
    • RSPAN Configuration Guidelines, page 25-12
    • Configuring a VLAN as an RSPAN VLAN, page 25-13
    • Creating an RSPAN Source Session, page 25-13
    • ...
  • Page 493: Configuring a VLAN as an RSPAN VLAN

    First create a new VLAN to be the RSPAN VLAN for the RSPAN session. You must create the RSPAN VLAN in all switches that will participate in RSPAN. If the RSPAN VLAN-ID is in the normal range (lower than 1005) and VTP is enabled in the network, you can create the RSPAN VLAN in one switch, and VTP propagates it to the other switches in the VTP domain.
  • Page 494

    Step 3 monitor session session_number source interface interface-id [, | -] [both | rx | tx]: Specify the RSPAN session and the source port (monitored port). For session_number, specify the session number identified with this RSPAN session.
  • Page 495: Creating an RSPAN Destination Session

    Beginning in privileged EXEC mode, follow these steps to create an RSPAN destination session and to specify the source RSPAN VLAN and the destination port:
    Step 1 configure terminal: Enter global configuration mode.
  • Page 496: Removing Ports from an RSPAN Session

    Beginning in privileged EXEC mode, follow these steps to remove a port as an RSPAN source for a session:
    Step 1 configure terminal: Enter global configuration mode.
    Step 2 no monitor session session_number source ...: Specify the characteristics of the RSPAN source port (monitored ...
  • Page 497: Displaying SPAN and RSPAN Status

    To display the status of the current SPAN or RSPAN configuration, use the show monitor privileged EXEC command. This is an example of output for the show monitor privileged EXEC command for SPAN source session 1:
    Switch# show monitor session 1
    Session 1
    ...
  • Page 499: Chapter 26 Configuring RMON

    RMON provides you with comprehensive network-fault diagnosis, planning, and performance-tuning information. Note: For complete syntax and usage information for the commands used in this chapter, refer to the Cisco IOS Configuration Fundamentals Command Reference for Cisco IOS Release 12.1. This chapter consists of these sections:
    • Understanding RMON, page 26-1
    • ...
  • Page 500: Configuring RMON

    Chapter 26 Configuring RMON. Figure 26-1 Remote Monitoring Example (figure: a network management station with a generic RMON console application; RMON alarms and events configured; SNMP configured; RMON history and statistic collection enabled; workstations). The switch supports these RMON groups (defined in RFC 1757):
    • Statistics (RMON group 1)—Collects Ethernet, Fast Ethernet, and Gigabit Ethernet statistics on an ...
  • Page 501: Default RMON Configuration

    RMON is disabled by default; no alarms or events are configured. Only RMON 1 is supported on the switch. Configuring RMON Alarms and Events: You can configure your switch for RMON by using the command-line interface (CLI) or an SNMP-compatible network management station.
  • Page 502

    Step 3 rmon event number [description string] [log] [owner string] [trap community]: Add an event in the RMON event table that is associated with an RMON event number.
    • For number, assign an event number. The range is 1 to 65535.
  • Page 503: Configuring RMON Collection on an Interface

    You must first configure RMON alarms and events to display collection information. Beginning in privileged EXEC mode, follow these steps to collect group history statistics on an interface: ...
  • Page 504: Displaying RMON Status

    ...Displays the RMON history table.
    show rmon statistics: Displays the RMON statistics table.
    For information about the fields in these displays, refer to the Cisco IOS Configuration Fundamentals Command Reference for Cisco IOS Release 12.1.
  • Page 505: Chapter 27 Configuring System Message Logging

    This chapter describes how to configure system message logging on your Catalyst 2950 or Catalyst 2955 switch. Note For complete syntax and usage information for the commands used in this chapter, refer to the Cisco IOS Configuration Fundamentals Command Reference for Cisco IOS Release 12.1. This chapter consists of these sections: •...
  • Page 506: Configuring System Message Logging

    Chapter 27 Configuring System Message Logging Configuring System Message Logging Configuring System Message Logging These sections describe how to configure system message logging: • System Log Message Format, page 27-2 • Default System Message Logging Configuration, page 27-3 • Disabling and Enabling Message Logging, page 27-4 •...
  • Page 507: Default System Message Logging Configuration

    Table 27-1 System Log Message Elements (continued) Element Description MNEMONIC Text string that uniquely describes the message. description Text string containing detailed information about the event being reported. This example shows a partial switch system message: 00:00:46: %LINK-3-UPDOWN: Interface Port-channel1, changed state to up 00:00:47: %LINK-3-UPDOWN: Interface GigabitEthernet0/1, changed state to up 00:00:47: %LINK-3-UPDOWN: Interface GigabitEthernet0/2, changed state to up...
  • Page 508: Disabling And Enabling Message Logging

    Disabling and Enabling Message Logging Message logging is enabled by default. It must be enabled to send messages to any destination other than the console. When enabled, log messages are sent to a logging process, which logs messages to designated locations asynchronously to the processes that generated the messages.
  • Page 509 Command Purpose Step 3 logging host Log messages to a UNIX syslog server host. For host, specify the name or IP address of the host to be used as the syslog server.
  • Page 510: Synchronizing Log Messages

    Synchronizing Log Messages You can configure the system to synchronize unsolicited messages and debug privileged EXEC command output with solicited device output and prompts for a specific console port line or virtual terminal line.
  • Page 511: Enabling And Disabling Timestamps On Log Messages

    Command Purpose Step 5 show running-config Verify your entries. Step 6 copy running-config startup-config (Optional) Save your entries in the configuration file. To disable synchronization of unsolicited messages and debug output, use the no logging synchronous [level severity-level | all] [limit number-of-buffers] line configuration command.
  • Page 512: Enabling And Disabling Sequence Numbers In Log Messages

    Enabling and Disabling Sequence Numbers in Log Messages Because there is a chance that more than one log message can have the same timestamp, you can display messages with sequence numbers so that you can unambiguously refer to a single message. By default, sequence numbers in log messages are not displayed.
  • Page 513 Command Purpose Step 6 show running-config show logging Verify your entries. Step 7 copy running-config startup-config (Optional) Save your entries in the configuration file. Specifying a level causes messages at that level and numerically lower levels to appear at the destination. Note To disable logging to the console, use the no logging console global configuration command.
  • Page 514: Limiting Syslog Messages Sent To The History Table And To Snmp

    Limiting Syslog Messages Sent to the History Table and to SNMP If you enabled syslog message traps to be sent to an SNMP network management station by using the snmp-server enable trap global configuration command, you can change the level of messages sent and stored in the switch history table.
  • Page 515: Configuring Unix Syslog Servers

    Step 1 Add a line such as the following to the file /etc/syslog.conf: local7.debug /usr/adm/logs/cisco.log The local7 keyword specifies the logging facility to be used; see Table 27-4 on page 27-12 for information on the facilities. The debug keyword specifies the syslog level; see Table 27-3 on page 27-9 for information on the severity levels.
  • Page 516 Command Purpose Step 3 logging trap level Limit messages logged to the syslog servers. By default, syslog servers receive informational messages and lower. See Table 27-3 on page 27-9 for level keywords. Step 4 logging facility facility-type Configure the syslog facility.
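As an added example (not from the Cisco guide), the Python below parses messages in the Table 27-1 layout, with the optional sequence-number and timestamp prefixes this chapter describes, and applies the "that level and numerically lower levels" rule that logging trap and the other destinations use; the severity keywords follow Table 27-3, and the sample lines are constructed apart from the two copied from the guide's example.

```python
"""Parse Catalyst system log messages and apply a destination severity threshold.

Added example, not from the Cisco guide. Message layout follows Table 27-1:
    [sequence:] [timestamp:] %FACILITY-SEVERITY-MNEMONIC: description
"""
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional

# Severity keywords and numbers as used by the logging commands (Table 27-3).
SEVERITY_LEVELS = {
    "emergencies": 0, "alerts": 1, "critical": 2, "errors": 3,
    "warnings": 4, "notifications": 5, "informational": 6, "debugging": 7,
}

# Sequence number (service sequence-numbers) and timestamp (service timestamps)
# are optional prefixes; the %FACILITY-SEVERITY-MNEMONIC tag is mandatory.
_MSG_RE = re.compile(
    r"^(?:(?P<seq>\d+):\s+)?"                  # e.g. "000125: "
    r"(?:(?P<ts>[^%]*?):\s+)?"                 # e.g. "00:00:46: " or "*Mar  1 00:00:47.123: "
    r"%(?P<facility>[A-Z0-9_]+)-(?P<severity>[0-7])-(?P<mnemonic>[A-Z0-9_]+):\s*"
    r"(?P<description>.*)$"
)


@dataclass
class SyslogMessage:
    facility: str
    severity: int
    mnemonic: str
    description: str
    timestamp: Optional[str] = None
    sequence: Optional[int] = None


def parse_message(line: str) -> Optional[SyslogMessage]:
    """Return the parsed message, or None for lines that are not system messages."""
    m = _MSG_RE.match(line.strip())
    if not m:
        return None
    return SyslogMessage(
        facility=m.group("facility"),
        severity=int(m.group("severity")),
        mnemonic=m.group("mnemonic"),
        description=m.group("description"),
        timestamp=m.group("ts"),
        sequence=int(m.group("seq")) if m.group("seq") else None,
    )


def passes_threshold(msg: SyslogMessage, level: str) -> bool:
    """A destination configured at `level` receives that level and all numerically
    lower (more severe) levels, which is how logging trap/console/buffered behave."""
    return msg.severity <= SEVERITY_LEVELS[level]


def filter_for_destination(lines: Iterable[str], level: str = "informational") -> List[SyslogMessage]:
    """Keep the messages a syslog server would receive at the given trap level
    (informational is the default for logging trap)."""
    kept = []
    for line in lines:
        msg = parse_message(line)
        if msg is not None and passes_threshold(msg, level):
            kept.append(msg)
    return kept


# Constructed sample: the first two lines are the guide's own example messages;
# the rest are made up here to show a sequence number, a missing timestamp, and
# a non-message line that must be ignored.
SAMPLE_LINES = [
    "00:00:46: %LINK-3-UPDOWN: Interface Port-channel1, changed state to up",
    "00:00:47: %LINK-3-UPDOWN: Interface GigabitEthernet0/1, changed state to up",
    "000125: 00:01:02: %SYS-5-CONFIG_I: Configured from console by vty0 (192.0.2.10)",
    "000126: 00:01:30: %SYS-7-USERLOG_DEBUG: constructed debug-level message",
    "%SNMP-3-AUTHFAIL: Authentication failure for SNMP req from host 192.0.2.10",
    "Building configuration...",
]

if __name__ == "__main__":
    for lvl in ("errors", "informational", "debugging"):
        print(f"logging trap {lvl}: {len(filter_for_destination(SAMPLE_LINES, lvl))} messages delivered")
```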
  • Page 517: Displaying The Logging Configuration

    To display the logging configuration and the contents of the log buffer, use the show logging privileged EXEC command. For information about the fields in this display, refer to the Cisco IOS Configuration Fundamentals Command Reference for Cisco IOS Release 12.1.
  • Page 518 Displaying the Logging Configuration
  • Page 519: Chapter 28 Configuring Snmp

    Note For complete syntax and usage information for the commands used in this chapter, refer to the switch command reference for this release and to the Cisco IOS Configuration Fundamentals Command Reference for Release 12.1. This chapter consists of these sections: • Understanding SNMP, page 28-1 •...
  • Page 520: Snmp Versions

    Chapter 28 Configuring SNMP Understanding SNMP • Using SNMP to Access MIB Variables, page 28-4 • SNMP Notifications, page 28-5 SNMP Versions This software release supports these SNMP versions: • SNMPv1—The Simple Network Management Protocol, a Full Internet Standard, defined in...
  • Page 521: Snmp Manager Functions

    Table 28-1 identifies the characteristics of the different combinations of security models and levels. Table 28-1 SNMP Security Models and Levels (columns: Model | Level | Authentication | Encryption | Result) SNMPv1 | noAuthNoPriv | Community string | No | Uses a community string match for authentication. SNMPv2C | noAuthNoPriv | Community string | No |...
  • Page 522: Snmp Agent Functions

    SNMP Agent Functions The SNMP agent responds to SNMP manager requests as follows: • Get a MIB variable—The SNMP agent begins this function in response to a request from the NMS. The agent retrieves the value of the requested MIB variable and responds to the NMS with that value. •...
  • Page 523: Snmp Notifications

    Figure 28-1 SNMP Network (figure labels: SNMP Manager, SNMP Agent on the network device; Get-request, Get-next-request, Get-bulk, Set-request toward the agent; Get-response and traps toward the manager) For information on supported MIBs and how to access them, see Appendix A, “Supported MIBs.” SNMP Notifications SNMP allows the switch to send notifications to SNMP managers when particular events occur. SNMP notifications can be sent as traps or inform requests.
  • Page 524: Default Snmp Configuration

    Modifying the group's notify view affects all users associated with that group. Refer to the Cisco IOS Configuration Fundamentals Command Reference for Release 12.1 for information about when you should configure notify views.
  • Page 525: Disabling The Snmp Agent

    The no snmp-server global configuration command disables all running versions (Version 1, Version 2C, and Version 3) on the device. No specific Cisco IOS command exists to enable SNMP. The first snmp-server global configuration command that you enter enables all versions of SNMP.
  • Page 526 Beginning in privileged EXEC mode, follow these steps to configure a community string on the switch: Command Purpose Step 1 configure terminal Enter global configuration mode. Step 2 snmp-server community string [view view-name] [ro | rw] [access-list-number] Configure the community string. •...
  • Page 527: Configuring Snmp Groups And Users

    This example shows how to assign the string comaccess to SNMP, to allow read-only access, and to specify that IP access list 4 can use the community string to gain access to the switch SNMP agent: Switch(config)# snmp-server community comaccess ro 4 Configuring SNMP Groups and Users You can specify an identification name (engineID) for the local or remote SNMP server engine on the...
  • Page 528 Command Purpose Step 3 snmp-server group groupname {v1 | v2c | v3 {auth | noauth | priv}} [read readview] [write writeview] [notify notifyview] [access... Configure a new SNMP group on the remote device. • For groupname, specify the name of the group. •...
  • Page 529: Configuring Snmp Notifications

    A trap manager is a management station that receives and processes traps. Traps are system alerts that the switch generates when certain events occur. By default, no trap manager is defined, and no traps are sent. Switches running this Cisco IOS release can have an unlimited number of trap managers. Note Many commands use the word traps in the command syntax.
  • Page 530 Generates a trap for SNMP-type notifications. stpx Generates SNMP STP Extended MIB traps. syslog Generates SNMP syslog traps. Sends Cisco enterprise-specific notifications when a Transmission Control Protocol (TCP) connection closes. vlan-membership Generates a trap for SNMP VLAN membership changes. vlancreate Generates SNMP VLAN-created traps.
  • Page 531 Command Purpose Step 3 snmp-server user username groupname {remote host [udp-port port]} {v1 [access access-list] | v2c [access access-list] | v3 [encrypted]... Configure an SNMP user to be associated with the remote host created in Step 2. Note You cannot configure a remote user for an address without first configuring the engine ID for the remote host.
  • Page 532: Setting The Agent Contact And Location Information

    The snmp-server host command specifies which hosts receive the notifications. The snmp-server enable trap command globally enables the mechanism for the specified notification (for traps and informs). To enable a host to receive an inform, you must configure an snmp-server host informs command for the host and globally enable informs by using the snmp-server enable traps command.
  • Page 533: Snmp Examples

    This example shows how to allow read-only access for all objects to members of access list 4 that use the comaccess community string. No other SNMP managers have access to any objects. SNMP Authentication Failure traps are sent by SNMPv2C to the host cisco.com using the community string public.
  • Page 534: Displaying Snmp Status

    Switch(config)# snmp-server enable traps entity Switch(config)# snmp-server host cisco.com restricted entity This example shows how to enable the switch to send all traps to the host myhost.cisco.com using the community string public: Switch(config)# snmp-server enable traps Switch(config)# snmp-server host myhost.cisco.com public...
  • Page 535: Chapter 29 Configuring Network Security With Acls

    For complete syntax and usage information for the commands used in this chapter, refer to the command reference for this release and the “Configuring IP Services” section of the Cisco IOS IP and IP Routing Configuration Guide, Cisco IOS Release 12.1 and the Cisco IOS IP and IP Routing Command Reference, Cisco IOS Release 12.1.
  • Page 536: Understanding Acls

    Chapter 29 Configuring Network Security with ACLs Understanding ACLs Understanding ACLs Packet filtering can limit network traffic and restrict network use by certain users or devices. ACLs can filter traffic as it passes through a switch and permit or deny packets at specified interfaces. An ACL is a sequential collection of permit and deny conditions that apply to packets.
  • Page 537: Handling Fragmented And Unfragmented Traffic

    Figure 29-1 Using ACLs to Control Traffic to a Network (figure labels: Host A, Host B, Human Resources network, Research & Development network; legend: ACL denying traffic from Host B and permitting traffic from Host A; Packet) Handling Fragmented and Unfragmented Traffic IP packets can be fragmented as they cross the network.
  • Page 538: Understanding Access Control Parameters

    • Packet A is a TCP packet from host 10.2.2.2, port 65000, going to host 10.1.1.1 on the SMTP port. If this packet is fragmented, the first fragment matches the first ACE (a permit), as if it were a complete packet because all Layer 4 information is present.
  • Page 539: Guidelines For Applying Acls To Physical Interfaces

    All other combinations of system-defined and user-defined masks are allowed in security ACLs. The switch ACL configuration is consistent with other Cisco Catalyst switches. However, there are significant restrictions for configuring ACLs on the switches. Only four user-defined masks can be defined for the entire system. These can be used for either security or quality of service (QoS) but cannot be shared by QoS and security.
  • Page 540: Configuring Acls

    • “Creating MAC Access Groups” section on page 29-19 Configuring ACLs on a Layer 2 interface is the same as configuring ACLs on Cisco routers. The process is briefly described here. For more detailed information about configuring router ACLs, refer to the “Configuring IP Services”...
  • Page 541: Unsupported Features

    Unsupported Features The switch does not support these Cisco IOS router ACL-related features: • Non-IP protocol ACLs (see Table 29-2 on page 29-8) • Bridge-group ACLs • IP accounting ACL support on the outbound direction •...
  • Page 542: Acl Numbers

    ACL Numbers The number you use to denote your ACL shows the type of access list that you are creating. Table 29-2 lists the access list number and corresponding type and shows whether or not they are supported by the switch.
  • Page 543: Creating A Numbered Standard Acl

    Note For information about creating ACLs to apply to a management interface, refer to the “Configuring IP Services” section of the Cisco IOS IP and IP Routing Configuration Guide, Cisco IOS Release 12.1 and the Cisco IOS IP and IP Routing Command Reference, Cisco IOS Release 12.1. You can apply these ACLs only to a management interface.
  • Page 544: Creating A Numbered Extended Acl

    1. X in a protocol column means support for the filtering parameter. 2. No support for type of service (ToS) minimize monetary cost bit. For more details about the specific keywords relative to each protocol, refer to the Cisco IP and IP Routing Command Reference, Cisco IOS Release 12.1.
  • Page 545 For information about creating ACLs to apply to management interfaces, refer to the “Configuring IP Services” section of Cisco IOS IP and IP Routing Configuration Guide, Release 12.1 and the Cisco IOS IP and IP Routing Command Reference, Cisco IOS Release 12.1. You can apply ACLs only to a management interface or the CPU, such as SNMP, Telnet, or web traffic.
  • Page 546 Beginning in privileged EXEC mode, follow these steps to create an extended ACL: Command Purpose Step 1 configure terminal Enter global configuration mode. Step 2 access-list access-list-number {deny | permit | remark} protocol Define an extended IP access list and the access conditions. The access-list-number is a decimal number from 100 to 199 or 2000 to 2699.
  • Page 547: Creating Named Standard And Extended Acls

    Use the no access-list access-list-number global configuration command to delete the entire access list. You cannot delete individual ACEs from numbered access lists. This example shows how to create and display an extended access list to deny Telnet access from any host in network 171.69.198.0 to any host in network 172.20.52.0 and permit any others.
  • Page 548 Beginning in privileged EXEC mode, follow these steps to create a standard named access list: Command Purpose Step 1 configure terminal Enter global configuration mode. Step 2 ip access-list standard {name | access-list-number} Define a standard IP access list by using a name, and enter access-list configuration mode.
  • Page 549: Applying Time Ranges To Acls

    Command Purpose Step 5 show access-lists [number | name] Show the access list configuration. Step 6 copy running-config startup-config (Optional) Save your entries in the configuration file. When creating standard and extended ACLs, remember that, by default, the end of the ACL contains an implicit deny statement that matches every packet for which no earlier entry matched.
  • Page 550 Command Purpose Step 3 absolute [start time date] [end time date] Specify when the function it will be applied to is operational. Use some combination of these commands; multiple periodic statements are allowed;...
  • Page 551: Including Comments About Entries In Acls

    Switch# show access-lists Extended IP access list 188 deny tcp any any time-range new_year_day_2000 (inactive) deny tcp any any time-range thanskgiving_2000 (active) deny tcp any any time-range christmas_2000 (inactive) permit tcp any any time-range workhours (inactive) This example uses named ACLs to permit and deny the same traffic.
  • Page 552: Creating Named Mac Extended Acls

    Creating Named MAC Extended ACLs You can filter Layer 2 traffic on a physical Layer 2 interface by using MAC addresses and named MAC extended ACLs. The procedure is similar to that of configuring other extended named access lists. Note Named MAC extended ACLs are used as a part of the mac access-group privileged EXEC command.
  • Page 553: Creating Mac Access Groups

    You can apply ACLs to any management interface. For information on creating ACLs on management interfaces, refer to the “Configuring IP Services” section of the Cisco IOS IP and IP Routing Configuration Guide, Cisco IOS Release 12.1 and the Cisco IOS IP and IP Routing Command Reference, Cisco IOS Release 12.1.
  • Page 554: Applying Acls To A Terminal Line

    Applying ACLs to Terminal Lines or Physical Interfaces After you create an ACL, you can apply it to one or more management interfaces or terminal lines. ACLs can be applied on inbound interfaces. This section describes how to accomplish this task for both terminal lines and network interfaces.
  • Page 555: Displaying Acl Information

    Command Purpose Step 4 Return to privileged EXEC mode. Step 5 show running-config Display the access list configuration. Step 6 copy running-config startup-config (Optional) Save your entries in the configuration file. This example shows how to apply access list 2 on an interface to filter packets entering the interface: Switch(config)# interface gigabitethernet0/2 Switch(config-if)# ip access-group 2 in...
  • Page 556: Displaying Access Groups

    This example shows all standard and extended ACLs: Switch# show access-lists Standard IP access list 1 permit 172.20.10.10 Standard IP ACL 10 permit 12.12.12.12 Standard IP access list 12 deny 1.3.3.2 Standard IP access list 32 permit 172.20.20.20...
  • Page 557: Examples For Compiling Acls

    Examples for Compiling ACLs For detailed information about compiling ACLs, refer to the Security Configuration Guide and the “IP Services” chapter of the Cisco IOS IP and IP Routing Configuration Guide, Cisco IOS Release 12.1. Figure 29-2 shows a small networked office with a number of switches that are connected to a Cisco router.
  • Page 558 Figure 29-2 Using Switch ACLs to Control Traffic (figure labels: Internet, Workstation, Cisco router, workstations) This example uses a standard ACL to allow access to a specific Internet host with the address 172.20.128.64. Switch(config)# access-list 6 permit 172.20.128.64 0.0.0.0...
  • Page 559: Numbered Acl Examples

    Numbered ACL Examples This example shows that the switch accepts addresses on network 36.0.0.0 subnets and denies all packets coming from 56.0.0.0 subnets. The ACL is then applied to packets entering an interface. Switch(config)# access-list 2 permit 36.0.0.0 0.255.255.255 Switch(config)# access-list 2 deny 56.0.0.0 0.255.255.255 Switch(config)# interface gigabitethernet0/1...
  • Page 560 In this example of a numbered ACL, the Winter and Smith workstations are not allowed to browse the web: Switch(config)# access-list 100 remark Do not allow Winter to browse the web Switch(config)# access-list 100 deny host 171.69.3.85 any eq www Switch(config)# access-list 100 remark Do not allow Smith to browse the web Switch(config)# access-list 100 deny host 171.69.3.13 any eq www...
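As an added example (not from the Cisco guide), this Python models how the switch evaluates the numbered ACLs shown in this chapter: top-down first match, wildcard masks, the standard versus extended number ranges from Table 29-2, and the implicit deny at the end; the configuration text is constructed from the guide's list 2 and Winter/Smith examples, with the tcp keyword and a closing permit ip any any added by me for list 100.

```python
"""Evaluate Catalyst-style numbered IP ACLs against sample packets.

Added example, not from the Cisco guide. Top-down, first match wins; wildcard
1 bits mean "don't care"; standard lists (1-99, 1300-1999) match source only;
extended lists (100-199, 2000-2699) also match protocol, destination and port;
a packet that matches nothing hits the implicit deny at the end of the list.
"""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

PORT_NAMES = {"www": 80, "telnet": 23, "smtp": 25, "ftp": 21, "domain": 53}


def _ip(addr: str) -> int:
    return int(ipaddress.IPv4Address(addr))


@dataclass
class AddrMatch:
    addr: int
    wildcard: int  # Cisco wildcard: 1 bits are "don't care"

    def matches(self, ip: int) -> bool:
        care = ~self.wildcard & 0xFFFFFFFF
        return (ip & care) == (self.addr & care)


MATCH_ANY = AddrMatch(0, 0xFFFFFFFF)


def _parse_addr(tokens: List[str], i: int) -> Tuple[AddrMatch, int]:
    """Parse `any`, `host A.B.C.D` or `A.B.C.D wildcard` starting at tokens[i]."""
    if tokens[i] == "any":
        return MATCH_ANY, i + 1
    if tokens[i] == "host":
        return AddrMatch(_ip(tokens[i + 1]), 0), i + 2
    return AddrMatch(_ip(tokens[i]), _ip(tokens[i + 1])), i + 2


@dataclass
class Ace:
    action: str            # "permit" or "deny"
    protocol: str          # "ip" matches any protocol
    src: AddrMatch
    dst: AddrMatch
    dst_port: Optional[int]
    text: str              # configuration line, kept for reporting


def parse_acls(config: str) -> Dict[int, List[Ace]]:
    """Build ACLs from access-list lines; CLI prompts and remarks are skipped."""
    acls: Dict[int, List[Ace]] = {}
    for raw in config.splitlines():
        line = raw.split("# ", 1)[-1]  # drop a leading "Switch(config)# " prompt
        tokens = line.split()
        if len(tokens) < 4 or tokens[0] != "access-list" or tokens[2] == "remark":
            continue
        number, action = int(tokens[1]), tokens[2]
        if 1 <= number <= 99 or 1300 <= number <= 1999:  # standard: source only
            src, _ = _parse_addr(tokens, 3)
            ace = Ace(action, "ip", src, MATCH_ANY, None, line)
        else:                                             # extended
            src, i = _parse_addr(tokens, 4)
            dst, i = _parse_addr(tokens, i)
            port = None
            if i + 1 < len(tokens) and tokens[i] == "eq":
                port = PORT_NAMES.get(tokens[i + 1]) or int(tokens[i + 1])
            ace = Ace(action, tokens[3], src, dst, port, line)
        acls.setdefault(number, []).append(ace)
    return acls


def evaluate(acl: List[Ace], src_ip: str, dst_ip: str, protocol: str = "ip",
             dst_port: Optional[int] = None) -> Tuple[str, Optional[str]]:
    """Return (action, matching entry text); (deny, None) is the implicit deny."""
    s, d = _ip(src_ip), _ip(dst_ip)
    for ace in acl:
        if ace.protocol != "ip" and ace.protocol != protocol:
            continue
        if not (ace.src.matches(s) and ace.dst.matches(d)):
            continue
        if ace.dst_port is not None and ace.dst_port != dst_port:
            continue
        return ace.action, ace.text
    return "deny", None


# Constructed configuration: list 2 is the guide's example; list 100 follows the
# guide's Winter/Smith example with the tcp keyword and a closing permit added here.
ACL_CONFIG = """\
Switch(config)# access-list 2 permit 36.0.0.0 0.255.255.255
Switch(config)# access-list 2 deny 56.0.0.0 0.255.255.255
Switch(config)# access-list 100 remark Do not allow Winter to browse the web
Switch(config)# access-list 100 deny tcp host 171.69.3.85 any eq www
Switch(config)# access-list 100 deny tcp host 171.69.3.13 any eq www
Switch(config)# access-list 100 permit ip any any
"""
```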
  • Page 561: Configuring Qos

    The switch supports some of the modular QoS CLI (MQC) commands. For more information about the MQC commands, refer to the “Modular Quality of Service Command Line Interface Overview” at this URL: http://www.cisco.com/univercd/cc/td/doc/product/software/ios122/122cgcr/fqos_c/fqcprt8/qcfmdcli.htm#89799 QoS can be configured either by using the Cluster Management Suite (CMS) or through the command-line interface (CLI).
  • Page 562: Chapter 30 Configuring QoS

    Chapter 30 Configuring QoS Understanding QoS You can also use these wizards to configure QoS only if your switch is running the EI: • Priority data wizard—Lets you assign priority levels to data applications based on their TCP or UDP ports.
  • Page 563 • Prioritization bits in Layer 3 packets Layer 3 IP packets can carry a Differentiated Services Code Point (DSCP) value. The supported DSCP values are 0, 8, 10, 16, 18, 24, 26, 32, 34, 40, 46, 48, and 56. Figure 30-1 QoS Classification Layers in Frames and Packets Encapsulated Packet Layer 2...
  • Page 564: Basic Qos Model

    Basic QoS Model Figure 30-2 shows the basic QoS model. Actions at the ingress interface include classifying traffic, policing, and marking: Note If you have the SI installed on your switch, only the queueing and scheduling features are available. •...
  • Page 565: Classification

    Classification Note This feature is available only if your switch is running the EI. Classification is the process of distinguishing one kind of traffic from another by examining the fields in the packet. Classification occurs only on a physical interface basis. No support exists for classifying packets at the VLAN level.
  • Page 566: Classification Based On Class Maps And Policy Maps

    • Configuration of a deny action is not supported in QoS ACLs on the switch. • System-defined masks are allowed in class maps with these restrictions: – A combination of system-defined and user-defined masks cannot be used in the multiple class maps that are a part of a policy map.
  • Page 567: Policing And Marking

    A policy map also has these characteristics: • A policy map can contain multiple class statements. • A separate policy-map class can exist for each type of traffic received through an interface. • A policy-map configuration state supersedes any actions due to an interface trust state. For configuration information, see the “Configuring a QoS Policy”...
  • Page 568: Mapping Tables

    Mapping Tables Note This feature is available only if your switch is running the EI. During classification, QoS uses a configurable CoS-to-DSCP map to derive an internal DSCP value from the received CoS value. This DSCP value represents the priority of the traffic. Before the traffic reaches the scheduling stage, QoS uses the configurable DSCP-to-CoS map to derive a CoS value from the internal DSCP value.
  • Page 569: Egress Cos Queues

    CoS configures each transmit port (the egress port) with a normal-priority transmit queue and a high-priority transmit queue, depending on the frame tag or the port information. Frames in the normal-priority queue are forwarded only after frames in the high-priority queue are forwarded. The switch (802.1P user priority) has four priority queues.
  • Page 570: Generated Auto-Qos Configuration

    You use auto-QoS commands to identify ports connected to Cisco IP Phones and to devices running the Cisco SoftPhone application. You also use the commands to identify ports that receive trusted traffic through an uplink. Auto-QoS then performs these functions: • Detects the presence or absence of IP phones...
  • Page 571 When you enter the auto qos voip cisco-phone interface configuration command on a port at the edge of a network that is connected to a Cisco IP Phone, the switch enables the trusted boundary feature. The switch uses the Cisco Discovery Protocol (CDP) to detect the presence or absence of a Cisco IP Phone.
  • Page 572 Table 30-4 Generated Auto-QoS Configuration (columns: Description | Automatically Generated QoS Command Equivalent) If you entered the auto qos voip cisco-softphone command, the switch automatically creates class maps and policy maps. | Switch(config)# class-map match-all AutoQoS-VoIP-RTP-Trust Switch(config-cmap)# match ip dscp 46...
  • Page 573: Effects Of Auto-Qos On The Configuration

    • By default, the CDP is enabled on all interfaces. For auto-QoS to function properly, do not disable the CDP. • When auto-QoS is enabled for VoIP with the Cisco SoftPhone, the switch uses one mask for the auto-QoS configuration.
  • Page 574: Upgrading From A Previous Software Release

    The generated auto-QoS configuration was changed and support for the Cisco SoftPhone feature was added. If auto-QoS is configured on the switch, your switch is running a release earlier than Cisco IOS Release 12.2(20)EA2, and you upgrade to Cisco IOS Release 12.2(20)EA2 or later, the configuration file will not contain the new configuration, and auto-QoS will not operate.
  • Page 575: Displaying Auto-Qos Information

    “Using the debug auto qos Command” section on page 32-21. This example shows how to enable auto-QoS and to trust the QoS labels in incoming packets when the device connected to the interface is detected as a Cisco IP Phone: Switch(config)# interface fastethernet0/1 Switch(config-if)# auto qos voip cisco-phone...
  • Page 576: Auto-Qos Configuration Example

    (Figure 30-3 labels: IP phones, Cisco IP phones) The intelligent wiring closets in Figure 30-3 are composed of Catalyst 2950 switches running the EI and Catalyst 3550 switches. The object of this example is to prioritize the VoIP traffic over all other traffic.
  • Page 577 Return to global configuration mode. Step 7 Repeat Steps 4 to 6 for as many ports as are connected to the Cisco IP Phone. Step 8 interface interface-id Specify the switch port identified as connected to a trusted switch or router, and enter interface configuration mode.
  • Page 578: Configuring Standard Qos

    Configuring Standard QoS Before configuring standard QoS, you must have a thorough understanding of these items: • The types of applications used and the traffic patterns on your network. • Traffic characteristics and needs of your network. Is the traffic bursty? Do you need to reserve...
  • Page 579: Configuration Guidelines

    Note In software releases earlier than Cisco IOS Release 12.1(11)EA1, the switch uses the CoS value of incoming packets without modifying the DSCP value. You can configure this by enabling pass-through mode on the port. For more information, see the “Enabling Pass-Through Mode”...
  • Page 580: Configuring Classification Using Port Trust States

    Table 30-5 Interaction Between Policy Maps and Security ACLs (columns: Security-ACL Conditions | Policy-Map Conditions | Action) Permit specified packets. | When the packet is in profile. | Traffic is forwarded. Drop specified... | When the packet is out of profile and the... | Traffic is dropped.
  • Page 581 Figure 30-4 Port Trusted States within the QoS Domain (figure labels: Trusted interface, Trunk, Traffic classification performed here, Trusted boundary) Beginning in privileged EXEC mode, follow these steps to configure the port to trust the classification of the traffic that it receives: Command Purpose...
  • Page 582 CoS is used for untagged packets. Internally, the switch modifies the CoS value by using the DSCP-to-CoS map. This keyword is available only if your switch is running the EI. Note In software releases earlier than Cisco IOS Release 12.1(11)EA1, the mls qos trust command is available only when the switch is running the EI.
  • Page 583: Configuring Trusted Boundary

    To return to the default setting, use the no mls qos cos {default-cos | override} interface configuration command. Configuring Trusted Boundary In a typical network, you connect a Cisco IP Phone to a switch port as shown in Figure 30-4 on page 30-21, and cascade devices that generate data packets from the back of the telephone.
  • Page 584 CoS setting). By contrast, trusted boundary uses CDP to detect the presence of a Cisco IP Phone (such as the Cisco IP Phone 7910, 7935, 7940, and 7960) on a switch port. If the telephone is not detected, the trusted boundary feature disables the trusted setting on the switch port and prevents misuse of a high-priority queue.
  • Page 585: Enabling Pass-Through Mode

    You cannot enable trusted boundary if auto-QoS is already enabled and vice-versa. If auto-QoS is enabled and a Cisco IP Phone is absent on a port, the port does not trust the classification of traffic that it receives.
  • Page 586: Configuring A Qos Policy

    To disable pass-through mode, use the no mls qos trust pass-through dscp interface configuration command. If you enter the mls qos cos override and the mls qos trust [cos | dscp] interface commands when pass-through mode is enabled, pass-through mode is disabled.
  • Page 587: Classifying Traffic By Using Acls

    Classifying Traffic by Using ACLs You can classify IP traffic by using IP standard or IP extended ACLs; you can classify Layer 2 traffic by using Layer 2 MAC ACLs. Beginning in privileged EXEC mode, follow these steps to create an IP standard ACL for IP traffic: Command Purpose Step 1...
  • Page 588 Beginning in privileged EXEC mode, follow these steps to create an IP extended ACL for IP traffic: Command Purpose Step 1 configure terminal Enter global configuration mode. Step 2 access-list access-list-number {permit | remark} protocol Create an IP extended ACL, repeating the command as many times as necessary.
  • Page 589 Chapter 30 Configuring QoS Configuring Standard QoS Command Purpose Step 4 show access-lists Verify your entries. Step 5 copy running-config startup-config (Optional) Save your entries in the configuration file. For more information about creating IP extended ACLs, see the “Guidelines for Applying ACLs to Physical Interfaces”...
  • Page 590: Classifying Traffic By Using Class Maps

    Chapter 30 Configuring QoS Configuring Standard QoS This example shows how to create a Layer 2 MAC ACL with a permit statement. The statement allows traffic from the host with MAC address 0001.0000.0001 to the host with MAC address 0002.0000.0001.
    Switch(config)# mac access-list extended maclist1
    Switch(config-ext-macl)# permit host 0001.0000.0001 host 0002.0000.0001
    Classifying Traffic by Using Class Maps...
  • Page 591: Classifying, Policing, And Marking Traffic By Using Policy Maps

    Chapter 30 Configuring QoS Configuring Standard QoS Command Purpose Step 4 match {access-group acl-index | access-group name acl-name | ip dscp dscp-list} Define the match criterion to classify traffic. By default, no match criterion is supported. Only one match criterion per class map is supported, and only one ACL per class map is supported.
  • Page 592 Chapter 30 Configuring QoS Configuring Standard QoS Beginning in privileged EXEC mode, follow these steps to create a policy map: Command Purpose Step 1 configure terminal Enter global configuration mode. Step 2 access-list access-list-number permit {source source-wildcard | host source | any} Create an IP standard or extended ACL for IP traffic or a Layer 2 MAC ACL for non-IP traffic, repeating the command as many times as...
  • Page 593 Chapter 30 Configuring QoS Configuring Standard QoS Command Purpose Step 5 set {ip dscp new-dscp} Classify IP traffic by setting a new value in the packet. For ip dscp new-dscp, enter a new DSCP value to be assigned to the classified traffic.
  • Page 594: Configuring Cos Maps

    Chapter 30 Configuring QoS Configuring Standard QoS This example shows how to create a policy map and attach it to an ingress interface. In the configuration, the IP standard ACL permits traffic from network 10.1.0.0. For traffic matching this classification, the DSCP value in the incoming packet is trusted.
  • Page 595: Configuring The Cos-To-Dscp Map

    Chapter 30 Configuring QoS Configuring Standard QoS Configuring the CoS-to-DSCP Map You use the CoS-to-DSCP map to map CoS values in incoming packets to a DSCP value that QoS uses internally to represent the priority of the traffic. Table 30-7 shows the default CoS-to-DSCP map.
  • Page 596: Configuring The Dscp-To-Cos Map

    Chapter 30 Configuring QoS Configuring Standard QoS Configuring the DSCP-to-CoS Map You use the DSCP-to-CoS map to map DSCP values in incoming packets to a CoS value, which is used to select one of the four egress queues. The switch supports these DSCP values: 0, 8, 10, 16, 18, 24, 26, 32, 34, 40, 46, 48, and 56. Table 30-8 shows the default DSCP-to-CoS map.
  • Page 597: Configuring The Egress Queues

    Chapter 30 Configuring QoS Configuring Standard QoS Configuring the Egress Queues Note This feature is supported by both the SI and EI. This section describes how to configure the egress queues: • Configuring CoS Priority Queues, page 30-37 • Configuring WRR Priority, page 30-38 ...
  • Page 598: Configuring Wrr Priority

    30-38. Enabling the Expedite Queue and Configuring WRR Priority In Cisco IOS Release 12.1(12c)EA1 or later, beginning in privileged EXEC mode, follow these steps to enable the expedite queue (queue 4) and assign WRR priority to the remaining queues: Command...
  • Page 599: Displaying Standard Qos Information

    Chapter 30 Configuring QoS Displaying Standard QoS Information Displaying Standard QoS Information To display standard QoS information, use one or more of the privileged EXEC commands in Table 30-9: Table 30-9 Commands for Displaying QoS Information Command Purpose show class-map [class-map-name] Display QoS class maps, which define the match criteria to classify traffic.
  • Page 600: Qos Configuration For The Existing Wiring Closet

    Catalyst 2900 XL and 3500 XL switches, for example. These switches are running Cisco IOS Release 12.0(5)XP or later, which supports the QoS-based IEEE 802.1p CoS values. QoS classifies frames by assigning priority-indexed CoS values to them and gives preference to higher-priority traffic.
  • Page 601: Qos Configuration For The Intelligent Wiring Closet

    Chapter 30 Configuring QoS Standard QoS Configuration Examples For the Catalyst 2900 and 3500 XL switches, CoS configures each transmit port (the egress port) with a normal-priority transmit queue and a high-priority transmit queue, depending on the frame tag or the port information.
  • Page 602 Chapter 30 Configuring QoS Standard QoS Configuration Examples Command Purpose Step 18 show class-map videoclass Verify your entries. show policy-map videopolicy show mls qos maps [cos-dscp | dscp-cos] Step 19 copy running-config startup-config (Optional) Save your entries in the configuration file. Catalyst 2950 and Catalyst 2955 Switch Software Configuration Guide 30-42 78-11380-10...
  • Page 603: Chapter 31 Configuring Etherchannels

    C H A P T E R Configuring EtherChannels This chapter describes how to configure EtherChannel on the Layer 2 interfaces of a Catalyst 2950 or Catalyst 2955 switch. EtherChannel provides fault-tolerant high-speed links between switches, routers, and servers. You can use it to increase the bandwidth between the wiring closets and the data center, and you can deploy it anywhere in the network where bottlenecks are likely to occur.
  • Page 604: Understanding Port-Channel Interfaces

    Chapter 31 Configuring EtherChannels Understanding EtherChannels Figure 31-1 Typical EtherChannel Configuration [figure: Catalyst 8500 series switch with a Gigabit EtherChannel of 1000BASE-X links to two switches, each with 10/100 switched links to workstations] Each EtherChannel can consist of up to eight compatibly configured Ethernet interfaces. All interfaces in each EtherChannel must be the same speed, and all must be configured as Layer 2 interfaces.
  • Page 605: Understanding The Port Aggregation Protocol And Link Aggregation Protocol

    EtherChannels by exchanging packets between Ethernet interfaces. PAgP is a Cisco-proprietary protocol that can be run only on Cisco switches and on those switches licensed by licensed vendors to support PAgP. LACP is defined in IEEE 802.3ad and allows Cisco switches to manage Ethernet channels between switches that conform to the 802.3ad protocol.
  • Page 606: Pagp And Lacp Modes

    Chapter 31 Configuring EtherChannels Understanding EtherChannels PAgP and LACP Modes Table 31-1 shows the user-configurable EtherChannel modes for the channel-group interface configuration command. Switch interfaces exchange PAgP packets only with partner interfaces configured in the auto or desirable modes. Switch interfaces exchange LACP packets only with partner interfaces configured in the active or passive modes.
  • Page 607: Physical Learners And Aggregate-Port Learners

    Chapter 31 Configuring EtherChannels Understanding EtherChannels Note An EtherChannel cannot be configured in both the PAgP and LACP modes. Exchanging LACP Packets Both the active and passive LACP modes allow interfaces to negotiate with partner interfaces to determine if they can form an EtherChannel based on criteria such as interface speed and, for Layer 2 EtherChannels, trunking state and VLAN numbers.
  • Page 608: Pagp And Lacp Interaction With Other Features

    Understanding EtherChannels PAgP and LACP Interaction with Other Features The Dynamic Trunking Protocol (DTP) and Cisco Discovery Protocol (CDP) send and receive packets over the physical interfaces in the EtherChannel. Trunk ports send and receive PAgP and LACP protocol data units (PDUs) on the lowest numbered VLAN.
  • Page 609: Configuring Etherchannels

    Configuring EtherChannels Configuring EtherChannels Figure 31-3 Load Distribution and Forwarding Methods [figure: switch with source-based forwarding enabled, connected by an EtherChannel to a Cisco router with destination-based forwarding enabled] Configuring EtherChannels These sections describe how to configure EtherChannel interfaces: • Default EtherChannel Configuration, page 31-8 •...
  • Page 610: Default Etherchannel Configuration

    Chapter 31 Configuring EtherChannels Configuring EtherChannels Default EtherChannel Configuration Table 31-2 shows the default EtherChannel configuration. Table 31-2 Default EtherChannel Configuration Feature Default Setting Channel groups None assigned. PAgP mode No default. PAgP learn method Aggregate-port learning on all interfaces. PAgP priority 128 on all interfaces.
  • Page 611: Configuring Layer 2 Etherchannels

    Layer 2 interface into a manually created port-channel interface. Note Layer 2 interfaces must be connected and functioning for the Cisco software to create port-channel interfaces. Beginning in privileged EXEC mode, follow these steps to assign a Layer 2 Ethernet interface to a...
  • Page 612 Chapter 31 Configuring EtherChannels Configuring EtherChannels Command Purpose Step 3 channel-group channel-group-number mode {{auto [non-silent] | desirable [non-silent] | on} | {active | passive}} Assign the interface to a channel group, and specify the PAgP or LACP mode. For channel-group-number, the range is 1 to 6. Each EtherChannel can have up to eight compatibly configured Ethernet interfaces.
  • Page 613: Configuring Etherchannel Load Balancing

    Chapter 31 Configuring EtherChannels Configuring EtherChannels To remove an interface from the EtherChannel group, use the no channel-group interface configuration command. If you delete the EtherChannel by using the no interface port-channel global configuration command without removing the physical interfaces, the physical interfaces are shut down. If you do not want the member physical interfaces to shut down, remove the physical interfaces before deleting the EtherChannel.
  • Page 614: Configuring The Pagp Learn Method And Priority

    Chapter 31 Configuring EtherChannels Configuring EtherChannels To return EtherChannel load balancing to the default configuration, use the no port-channel load-balance global configuration command. Configuring the PAgP Learn Method and Priority Network devices are classified as PAgP physical learners or aggregate-port learners. A device is a physical learner if it learns addresses by physical ports and directs transmissions based on that knowledge.
  • Page 615: Configuring Hot Standby Ports

    Chapter 31 Configuring EtherChannels Configuring EtherChannels Configuring Hot Standby Ports When enabled, LACP tries to configure the maximum number of LACP-compatible ports in a channel, up to a maximum of 16 ports. Only eight LACP links can be active at one time. Any additional links are put in a hot standby state.
  • Page 616: Displaying Etherchannel, Pagp, And Lacp Status

    Chapter 31 Configuring EtherChannels Displaying EtherChannel, PAgP, and LACP Status Step 3 Return to privileged EXEC mode. Step 4 show running-config Verify your entries. show lacp channel-group-number internal Step 5 copy running-config startup-config (Optional) Save your entries in the configuration file. Displaying EtherChannel, PAgP, and LACP Status You can use the privileged EXEC commands described in Table 31-3...
  • Page 617: Chapter 32 Troubleshooting

    This chapter describes how to identify and resolve Catalyst 2950 and Catalyst 2955 software problems related to the Cisco IOS software. Depending on the nature of the problem, you can use the command-line interface (CLI) or the Cluster Management Suite (CMS) to identify and solve problems.
  • Page 618: Recovering From Corrupted Software

    Chapter 32 Troubleshooting Using Recovery Procedures Recovering from Corrupted Software Switch software can be corrupted during an upgrade, by downloading the wrong file to the switch, and by deleting the image file. In all of these cases, the switch does not pass the power-on self-test (POST), and there is no connectivity.
  • Page 619 Chapter 32 Troubleshooting Using Recovery Procedures Step 4 Press the Mode button, and at the same time, reconnect the power cord to the switch. You can release the Mode button a second or two after the LED above port 1X turns off. Several lines of information about the software appear, as do instructions: The system has been interrupted prior to initializing the flash file system.
  • Page 620: Recovering From Lost Or Forgotten Passwords On Catalyst 2950 Lre Switches

    Chapter 32 Troubleshooting Using Recovery Procedures Step 15 Change the password:
    switch(config)# enable secret <password>
    switch(config)# enable password <password>
    Step 16 Return to privileged EXEC mode:
    switch(config)# exit
    switch#
    Step 17 Write the running configuration to the startup configuration file:
    switch# copy running-config startup-config
    The new password is now included in the startup configuration.
  • Page 621: Password Recovery With Password Recovery Enabled

    Chapter 32 Troubleshooting Using Recovery Procedures • If you see a message that begins with this: The password-recovery mechanism has been triggered, but is currently disabled. go to the “Procedure with Password Recovery Disabled” section on page 32-6, and follow the steps. Password Recovery with Password Recovery Enabled If the password-recovery mechanism is enabled, this message appears: The system has been interrupted prior to initializing the flash file system.
  • Page 622: Procedure With Password Recovery Disabled

    Chapter 32 Troubleshooting Using Recovery Procedures Step 9 Copy the configuration file into memory:
    Switch# copy flash:config.text system:running-config
    Source filename [config.text]?
    Destination filename [running-config]?
    Press Return in response to the confirmation prompts. The configuration file is now reloaded, and you can change the password. Step 10 Enter global configuration mode:
    Switch# configure terminal...
  • Page 623 Chapter 32 Troubleshooting Using Recovery Procedures • If you enter n (no), the normal boot process continues as if the Mode button had not been pressed; you cannot access the boot loader prompt, and you cannot enter a new password. You see the message: Press Enter to continue..
  • Page 624: Recovering From Lost Or Forgotten Passwords On Catalyst 2955 Switches

    On a PC running Windows 2000, Ctrl-Break is the break key. Cisco TAC has tabulated break keys for most common operating systems and an alternative break key sequence for those terminal emulators that do not support the break keys. Refer to http://www.cisco.com/warp/public/701/61.html#how-to for that list.
  • Page 625 Chapter 32 Troubleshooting Using Recovery Procedures Step 4 When the boot loader prompts you, enter the break key. This example shows the messages that appear on the console after the user enters a break key: The system has been interrupted prior to initializing the flash file system. The following commands will initialize the flash file system, and finish loading the operating system software: flash_init...
  • Page 626: Recovering From A Command Switch Failure

    Chapter 32 Troubleshooting Using Recovery Procedures Step 14 Enter global configuration mode:
    switch# configure terminal
    Step 15 Change the password:
    switch(config)# enable secret <password>
    switch(config)# enable password <password>
    Step 16 Return to privileged EXEC mode:
    switch(config)# exit
    switch#
    Step 17 Write the running configuration to the startup configuration file:
    switch# copy running-config startup-config
    The new password is now included in the startup configuration.
  • Page 627: Replacing A Failed Command Switch With A Cluster Member

    Chapter 32 Troubleshooting Using Recovery Procedures Replacing a Failed Command Switch with a Cluster Member To replace a failed command switch with a command-capable member in the same cluster, follow these steps: Step 1 Disconnect the command switch from the member switches, and physically remove it from the cluster. Step 2 Insert the member switch in place of the failed command switch, and duplicate its connections to the cluster members.
  • Page 628: Replacing A Failed Command Switch With Another Switch

    Chapter 32 Troubleshooting Using Recovery Procedures Step 10 Enter Y at the first prompt. The prompts in the setup program vary depending on the member switch you selected to be the command switch: Continue with configuration dialog? [yes/no]: y Configuring global parameters: If this prompt does not appear, enter enable, and press Return.
  • Page 629 Chapter 32 Troubleshooting Using Recovery Procedures Step 5 Use the setup program to configure the switch IP information. This program prompts you for IP address information and passwords. From privileged EXEC mode, enter setup, and press Return. Switch# setup --- System Configuration Dialog --- Continue with configuration dialog? [yes/no]: y At any point you may enter a question mark '?' for help.
  • Page 630: Recovering From Lost Member Connectivity

    Note If you are using a non-Cisco-approved CWDM GBIC or SFP module, remove the GBIC or SFP module from the switch, and replace it with a Cisco-approved module. Catalyst 2950 and Catalyst 2955 Switch Software Configuration Guide...
  • Page 631: Diagnosing Connectivity Problems

    Troubleshooting Diagnosing Connectivity Problems After inserting a Cisco-approved GBIC or SFP module, use the errdisable recovery cause gbic-invalid global configuration command to verify the port status, and enter a time interval for recovering from the error-disabled state. After the elapsed interval, the switch brings the interface out of the error-disabled state and retries the operation.
  • Page 632: Using Layer 2 Traceroute

    Chapter 32 Troubleshooting Diagnosing Connectivity Problems Note Though other protocol keywords are available with the ping command, they are not supported in this release. This example shows how to ping an IP host:
    Switch# ping 172.20.52.3
    Type escape sequence to abort.
    Sending 5, 100-byte ICMP Echoes to 172.20.52.3, timeout is 2 seconds:
    !!!!!
    Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/4 ms...
  • Page 633: Usage Guidelines

    Usage Guidelines These are the Layer 2 traceroute usage guidelines: • Cisco Discovery Protocol (CDP) must be enabled on all the devices in the network. For Layer 2 traceroute to function properly, do not disable CDP. If any devices in the physical path are transparent to CDP, the switch cannot identify the path through these devices.
  • Page 634: Displaying The Physical Path

    Chapter 32 Troubleshooting Diagnosing LRE Connection Problems Displaying the Physical Path You can display the physical path that a packet takes from a source device to a destination device by using one of these privileged EXEC commands: • traceroute mac [interface interface-id] {source-mac-address} [interface interface-id] ...
  • Page 635: Using Debug Commands

    Chapter 32 Troubleshooting Using Debug Commands Table 32-2 LRE Port Problems (continued) Problem: High Reed-Solomon error count without CRC errors. Suspected Cause and Suggested Solution: • The interleave feature is helping Reed-Solomon error correction to function correctly in a noisy environment. This situation means that the system is on the verge of generating CRC errors. –...
  • Page 636: Enabling Debugging On A Specific Feature

    For this reason, use debug commands only to troubleshoot specific problems or during troubleshooting sessions with Cisco technical support staff. It is best to use debug commands during periods of lower network traffic and fewer users. Debugging during these periods decreases the likelihood that increased debug command processing overhead will affect system use.
  • Page 637: Redirecting Debug And Error Message Output

    Step 3 interface interface-id Enter interface configuration mode, and specify the interface that is connected to a Cisco IP Phone. You also can specify the uplink interface that is connected to another switch or router in the interior of the network.
  • Page 638: Using The Show Controllers Commands

    LRE and CPE ports. show controllers lre cpe {identity | mfg | protected | version} [interface-id] Displays information about the Cisco LRE CPE devices connected to an LRE switch. show controllers lre Displays information about the LRE link.
  • Page 639: Using The Crashinfo File

    The information in the file includes the software image name and version that failed, a dump of the processor registers, and a stack trace. You can give this information to the Cisco technical support representative by using the show tech-support privileged EXEC command.
  • Page 641: Appendix

    This appendix lists the supported MIBs for this release. It contains these sections: • MIB List, page A-1 • Using FTP to Access the MIB Files, page A-3 MIB List Note The Catalyst 2955 switch supports the ENTITY-MIB, CISCO-ENVMON-MIB and CISCO-ENTITY-ALARM-MIB. • BRIDGE-MIB (RFC1493) • CISCO-2900-MIB ...
  • Page 642: Appendix A Supported Mib

    Appendix A Supported MIBs MIB List • CISCO-PAE-MIB • CISCO-PAGP-MIB • CISCO-PING-MIB • CISCO-PORT-SECURITY-MIB • CISCO-PROCESS-MIB • CISCO-PRODUCTS-MIB • CISCO-RTTMON-MIB (subsystems supported: sub_rtt_rmon and sub_rtt_rmonlib) • CISCO-SMI • CISCO_STACKMAKER_MIB • CISCO-STP-EXTENSIONS-MIB • CISCO-SYSLOG-MIB • CISCO-TC • CISCO-TCP-MIB • CISCO-VLAN-MEMBERSHIP-MIB • CISCO-VTP-MIB •...
  • Page 643: Using Ftp To Access The Mib Files

    Supported MIBs Using FTP to Access the MIB Files Note The IF-MIB and the CISCO-IETF-VDSL-LINE-MIB are supported as read-only MIBs for the Fast Ethernet interfaces on the CPE devices. Using FTP to Access the MIB Files You can obtain each MIB file by using this procedure: Use FTP to access the server ftp.cisco.com.
  • Page 645: Appendix

    (upload and download) software images. Note For complete syntax and usage information for the commands used in this chapter, refer to the command reference for this release and the Cisco IOS Configuration Fundamentals Command Reference for Release 12.1. This appendix consists of these sections: •...
  • Page 646: Displaying Available File Systems

    Appendix B Working with the Cisco IOS File System, Configuration Files, and Software Images Working with the Flash File System Displaying Available File Systems To display the available file systems on your switch, use the show file systems privileged EXEC...
  • Page 647: A P P E N D I X B Working With The Cisco Ios File System, Configuration Files, And Software Images

    Appendix B Working with the Cisco IOS File System, Configuration Files, and Software Images Working with the Flash File System Table B-1 show file systems Field Descriptions (continued) Field Value Flags Permission for file system. ro—read-only. rw—read/write. wo—write-only. Prefixes Alias for file system.
  • Page 648: Changing Directories And Displaying The Working Directory

    Appendix B Working with the Cisco IOS File System, Configuration Files, and Software Images Working with the Flash File System To display information about files on a file system, use one of the privileged EXEC commands in Table B-2: Table B-2...
  • Page 649: Copying Files

    Appendix B Working with the Cisco IOS File System, Configuration Files, and Software Images Working with the Flash File System Use the /recursive keyword to delete the named directory and all subdirectories and the files contained in it. Use the /force keyword to suppress the prompting that confirms a deletion of each file in the directory.
  • Page 650: Creating, Displaying, And Extracting Tar Files

    Appendix B Working with the Cisco IOS File System, Configuration Files, and Software Images Working with the Flash File System Use the /recursive keyword for deleting a directory and all subdirectories and the files contained in it. Use the /force keyword to suppress the prompting that confirms a deletion of each file in the directory.
  • Page 651: Displaying The Contents Of A Tar File

    Appendix B Working with the Cisco IOS File System, Configuration Files, and Software Images Working with the Flash File System Displaying the Contents of a tar File To display the contents of a tar file on the screen, use this privileged EXEC command: archive tar /table source-url For source-url, specify the source URL alias for the local or network file system.
  • Page 652: Displaying The Contents Of A File

    Appendix B Working with the Cisco IOS File System, Configuration Files, and Software Images Working with Configuration Files This example shows how to extract the contents of a tar file located on the TFTP server at 172.20.10.30. This command extracts just the new-configs directory into the root directory on the local flash file system.
  • Page 653: Guidelines For Creating And Using Configuration Files

    Appendix B Working with the Cisco IOS File System, Configuration Files, and Software Images Working with Configuration Files This section includes this information: • Guidelines for Creating and Using Configuration Files, page B-9 • Configuration File Types and Location, page B-10 •...
  • Page 654: Preparing To Download Or Upload A Configuration File By Using Tftp

    Appendix B Working with the Cisco IOS File System, Configuration Files, and Software Images Working with Configuration Files Configuration File Types and Location Startup configuration files are used during system startup to configure the software. Running configuration files contain the current configuration of the software. The two configuration files can be different.
  • Page 655 Appendix B Working with the Cisco IOS File System, Configuration Files, and Software Images Working with Configuration Files Preparing to Download or Upload a Configuration File By Using TFTP Before you begin downloading or uploading a configuration file by using TFTP, do these tasks: Ensure that the workstation acting as the TFTP server is properly configured.
  • Page 656: Copying Configuration Files By Using Ftp

    Appendix B Working with the Cisco IOS File System, Configuration Files, and Software Images Working with Configuration Files This example shows how to configure the software from the file tokyo-confg at IP address 172.16.2.155:
    Switch# copy tftp://172.16.2.155/tokyo-confg system:running-config
    Configure using tokyo-confg from 172.16.2.155? [confirm] y
    Booting tokyo-confg from 172.16.2.155:!!! [OK - 874/16000 bytes]...
  • Page 657: Preparing To Download Or Upload A Configuration File By Using Ftp

    Appendix B Working with the Cisco IOS File System, Configuration Files, and Software Images Working with Configuration Files The username and password must be associated with an account on the FTP server. If you are writing to the server, the FTP server must be properly configured to accept your FTP write request.
  • Page 658: Uploading A Configuration File By Using Ftp

    Appendix B Working with the Cisco IOS File System, Configuration Files, and Software Images Working with Configuration Files Command Purpose Step 4 ip ftp username username (Optional) Change the default remote username. Step 5 ip ftp password password (Optional) Change the default password.
  • Page 659: Copying Configuration Files By Using Rcp

    Appendix B Working with the Cisco IOS File System, Configuration Files, and Software Images Working with Configuration Files Command Purpose Step 3 configure terminal Enter global configuration mode. This step is required only if you override the default remote username or password (see Steps 4, 5, and 6).
  • Page 660: Preparing To Download Or Upload A Configuration File By Using Rcp

    Appendix B Working with the Cisco IOS File System, Configuration Files, and Software Images Working with Configuration Files The RCP requires a client to send a remote username with each RCP request to a server. When you copy a configuration file from the switch to a server, the software sends the first valid username in this list: •...
  • Page 661 Appendix B Working with the Cisco IOS File System, Configuration Files, and Software Images Working with Configuration Files Downloading a Configuration File By Using RCP Beginning in privileged EXEC mode, follow these steps to download a configuration file by using RCP:...
  • Page 662 Appendix B Working with the Cisco IOS File System, Configuration Files, and Software Images Working with Configuration Files Uploading a Configuration File By Using RCP Beginning in privileged EXEC mode, follow these steps to upload a configuration file by using RCP:...
  • Page 663: Clearing Configuration Information

    Depending on the setting of the file prompt global configuration command, you might be prompted for confirmation before you delete a file. By default, the switch prompts for confirmation on destructive file operations. For more information about the file prompt command, refer to the Cisco IOS Command Reference for Release 12.1.
  • Page 664 File Format of Images on a Server or Cisco.com Software images located on a server or downloaded from Cisco.com are provided in a tar file format, which contains these files: info file •...
  • Page 665: Copying Image Files By Using Tftp

    Appendix B Working with the Cisco IOS File System, Configuration Files, and Software Images Working with Software Images Table B-3 info and info.ver File Description (continued) Field Description ios_image_file_size Specifies the software image size in the tar file, which is an approximate measure of how much...
  • Page 666: Downloading An Image File By Using Tftp

    Appendix B Working with the Cisco IOS File System, Configuration Files, and Software Images Working with Software Images • For download operations, ensure that the permissions on the file are set correctly. The permission on the file should be world-read.
  • Page 667: Uploading An Image File By Using Tftp

    /overwrite option. The Catalyst 2950 LRE switch supports only one complete set of Cisco IOS, HTML, LRE binary files, and one Cisco IOS binary file on the flash device. You cannot have two complete image sets on the flash device.
  • Page 668: Copying Image Files By Using Ftp

    The archive upload-sw privileged EXEC command builds an image file on the server by uploading these files in order: info, the Cisco IOS image, the HTML files, LRE binary files, and info.ver. After these files are uploaded, the upload algorithm creates the tar file format.
  • Page 669 Appendix B Working with the Cisco IOS File System, Configuration Files, and Software Images Working with Software Images If the server has a directory structure, the image file is written to or copied from the directory associated with the username on the server. For example, if the image file resides in the home directory of a user on the server, specify that user's name as the remote username.
  • Page 670 Appendix B Working with the Cisco IOS File System, Configuration Files, and Software Images Working with Software Images Command Purpose Step 7 archive download-sw /overwrite /reload ftp:[[//username[:password]@location]/directory] Download the image file from the FTP server to the switch, and overwrite the current image.
  • Page 671 Appendix B Working with the Cisco IOS File System, Configuration Files, and Software Images Working with Software Images The algorithm installs the downloaded image onto the system board flash device (flash:). The image is placed into a new directory named with the software version string, and the BOOT environment variable is updated to point to the newly installed image.
  • Page 672: Copying Image Files by Using RCP

    The archive upload-sw command builds an image file on the server by uploading these files in order: info, the Cisco IOS image, the HTML files, and info.ver. After these files are uploaded, the upload algorithm creates the tar file format.
  • Page 673 Before you begin downloading or uploading an image file by using RCP, do these tasks:
    • Ensure that the workstation acting as the RCP server supports the remote shell (rsh).
  • Page 674 Step 6
    Command: archive download-sw /overwrite /reload rcp:[[[//[username@]location]/directory]/image-na
    Purpose: Download the image file from the RCP server to the switch and overwrite the current image.
  • Page 675 The algorithm installs the downloaded image onto the system board flash device (flash:). The image is placed in a new directory named with the software version string, and the BOOT environment variable is updated to point to the newly installed image.
  • Page 676 The archive upload-sw privileged EXEC command builds an image file on the server by uploading these files in order: info, the Cisco IOS image, the HTML files, and info.ver. After these files are uploaded, the upload algorithm creates the tar file format.
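    As an added example that is not part of the Cisco guide, the following Python script checks an image tar on a download server against two points the pages above make: the member order that archive upload-sw writes (info first, the Cisco IOS image, the HTML files, info.ver last), the single IOS binary per image set, and the world-read permission required for download operations. The member names, the .bin suffix for the IOS image and the html/ directory used in the constructed sample are assumptions; the LRE binary files of the LRE image set are not modeled.

```python
"""Pre-deployment check for a Catalyst image tar (added example, not Cisco code).

The guide gives only the member order written by archive upload-sw (info, the
Cisco IOS image, the HTML files, info.ver) and the rule that a file served for
download must be world-readable. Member names, the .bin suffix for the IOS
image and the html/ directory below are assumptions for the constructed sample.
"""
import io
import os
import stat
import tarfile
import tempfile


def build_sample_tar(bad_order=False):
    """Write a constructed sample tar and return its path.

    With bad_order=True, info.ver is moved to the front so that the check
    reports a malformed archive instead of a well-formed one.
    """
    members = [
        ("info", b"image_family: placeholder\n"),
        ("ios-image-placeholder.bin", b"\x00" * 64),  # constructed, not a real image
        ("html/index.html", b"<html></html>\n"),
        ("info.ver", b"placeholder\n"),
    ]
    if bad_order:
        members.insert(0, members.pop())
    fd, path = tempfile.mkstemp(suffix=".tar")
    os.close(fd)
    with tarfile.open(path, "w") as tar:
        for name, data in members:
            ti = tarfile.TarInfo(name)
            ti.size = len(data)
            tar.addfile(ti, io.BytesIO(data))
    os.chmod(path, 0o644)  # world-read, as the guide requires for downloads
    return path


def check_image_tar(path):
    """Report whether the archive layout and on-disk permissions look right."""
    with tarfile.open(path, "r") as tar:
        names = [os.path.basename(m.name) for m in tar.getmembers() if m.isfile()]
    images = [n for n in names if n.endswith(".bin")]
    return {
        "order_ok": len(names) >= 2 and names[0] == "info" and names[-1] == "info.ver",
        "single_image": len(images) == 1,  # one IOS binary per image set
        "world_readable": bool(os.stat(path).st_mode & stat.S_IROTH),
    }
```

A report with order_ok false or single_image false is a reason to re-fetch the image rather than point archive download-sw at it.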
  • Page 677: Index

This manual is also suitable for:

Catalyst 2955