Adding and Removing Static Address Entries

A static address has these characteristics: It is manually entered in the address table and must be manually removed. It can be a unicast or multicast address. It does not age and is retained when the switch restarts. You can add and remove static addresses and define the forwarding behavior for them. The forwarding behavior determines how a port that receives a packet forwards it to another port for transmission. Because all ports are associated with at least one VLAN, the switch acquires the...

Applying the ACL to an Interface or Terminal Line

After you create an ACL, you can apply it to one or more interfaces or terminal lines. ACLs can be applied on inbound interfaces. This section describes how to accomplish this task for both terminal lines and network interfaces. Note these guidelines: When controlling access to a line, you must use a number. Numbered ACLs and MAC extended ACLs can be applied to lines. When controlling access to an interface, you can use a name or number. Set identical restrictions on all the virtual terminal...

Changing the Switch-to-Client Retransmission Time

The client responds to the EAP-request identity frame from the switch with an EAP-response identity frame. If the switch does not receive this response, it waits a set period of time (known as the retransmission time), and then retransmits the frame. Note: You should change the default value of this command only to adjust for unusual circumstances such as unreliable links or specific behavioral problems with certain clients and authentication servers. Beginning in privileged EXEC mode, follow...

Chapter 7 Administering the Switch

Preventing Unauthorized Access to Your Switch; Protecting Access to Privileged EXEC Commands; Default Password and Privilege Level Configuration; Setting or Changing a Static Enable Password; Protecting Enable and Enable Secret Passwords with Encryption; Setting a Telnet Password for a Terminal Line; Configuring Username and Password Pairs; Configuring Multiple Privilege Levels; Setting the Privilege Level for a Command; Changing the Default Privilege Level for Lines...

CMS Window Components

CMS windows consistently present configuration information. Figure 3-12 shows the components of a typical CMS window. - OK saves your changes and closes the window. - Modify displays a secondary window from which you can change settings. - Click a row to select it. Press Shift, and left-click another row to select contiguous multiple rows. Press Ctrl, and left-click rows to select...

Colors in the Topology View

The colors of the Topology view icons show the status of the devices and links (Table 3-7, Table 3-8, and Table 3-9). The internal fan of the switch is not operating, or the switch is receiving power from an RPS. 1. Available only on the cluster members. One link is active, and at least one link is down or blocked. The color of a device label shows the cluster membership of the device (Table 3-10). Table 3-10 Device Label Colors: A cluster member, either...

Configuring a Message-of-the-Day Login Banner

You can create a single or multiline message banner that appears on the screen when someone logs in to the switch. Beginning in privileged EXEC mode, follow these steps to configure a MOTD login banner: For c, enter the delimiting character of your choice, for example, a pound sign (#), and press the Return key. The delimiting character signifies the beginning and end of the banner text. Characters after the ending delimiter are discarded. For message, enter a banner message up to 255...

Configuring a Secondary Root Switch

When you configure a Catalyst 2950 switch that supports the extended system ID as the secondary root, the spanning-tree switch priority is modified from the default value (32768) to 28672. The switch is then likely to become the root switch for the specified instance if the primary root switch fails. This is assuming that the other network switches use the default switch priority of 32768 and therefore are unlikely to become the root switch. For Catalyst 2950 switches without the extended...

Configuring and Using Interface Range Macros

You can create an interface range macro to automatically select a range of interfaces for configuration. Before you can use the macro keyword in the interface range macro global configuration command string, you must use the define interface-range global configuration command to define the macro. Beginning in privileged EXEC mode, follow these steps to define an interface range macro: define interface-range macro_name interface-range: Define the interface-range macro, and save it in NVRAM. The...

Configuring Extended Range VLANs

When the switch is in VTP transparent mode (VTP disabled) and the enhanced software image is installed, you can create extended-range VLANs (in the range 1006 to 4094). Extended-range VLANs enable service providers to extend their infrastructure to a greater number of customers. The extended-range VLAN IDs are allowed for any switchport commands that allow VLAN IDs. You always use config-vlan mode (accessed by entering the vlan vlan-id global configuration command) to configure extended-range...

Configuring IGMP Filtering

In some environments, for example metropolitan or multiple-dwelling unit (MDU) installations, an administrator might want to control the set of multicast groups to which a user on a switch port can belong. This allows the administrator to control the distribution of multicast services, such as IP TV, based on some type of subscription or service plan. With the IGMP filtering feature, you can filter multicast joins on a per-port basis by configuring IP multicast profiles and associating them...

Configuring IGMP Profiles

To configure an IGMP profile, use the ip igmp profile global configuration command with a profile number to create an IGMP profile and to enter IGMP profile configuration mode. From this mode, you can specify the parameters of the IGMP profile to be used for filtering IGMP join requests from a port. When you are in IGMP profile configuration mode, you can create the profile by using these commands: deny: Specifies that matching addresses are denied; this is the default condition. exit: Exits from...

Configuring MVR Global Parameters

You do not need to set the optional MVR parameters if you choose to use the default settings. If you do want to change the default parameters (except for the MVR VLAN), you must first enable MVR. Beginning in privileged EXEC mode, follow these steps to configure MVR parameters: Configure an IP multicast address on the switch or use the count parameter to configure a contiguous series of IP addresses. Any multicast data sent to this address is sent to all source ports on the switch and all...

Configuring MVR Interfaces

Beginning in privileged EXEC mode, follow these steps to configure MVR interfaces: Enter interface configuration mode, and enter the type and number of the port to configure, for example, gi 0/1 or gigabitethernet 0/1 for Gigabit Ethernet port 1. Configure an MVR port as one of these: source: Configure uplink ports that receive and send multicast data as source ports. Subscribers cannot be directly connected to source ports. All source ports on a switch belong to the single multicast VLAN....

Configuring NTP Broadcast Service

The communications between devices running NTP (known as associations) are usually statically configured; each device is given the IP addresses of all devices with which it should form associations. Accurate timekeeping is possible by exchanging NTP messages between each pair of devices with an association. However, in a LAN environment, NTP can be configured to use IP broadcast messages instead. This alternative reduces configuration complexity because each device can simply be configured to...

Configuring Port-Based Traffic Control

This chapter describes how to configure the port-based traffic control features on your switch. Note: For complete syntax and usage information for the commands used in this chapter, refer to the Catalyst 2950 Desktop Switch Command Reference for this release. This chapter consists of these sections: Configuring Storm Control, page 17-1; Configuring Protected Ports, page 17-3; Configuring Port Security, page 17-3; Configuring and Enabling Port Security Aging, page 17-6; Displaying Port-Based Traffic...

Configuring STP for Use in a Cascaded Stack

STP uses default values that can be reduced when configuring your switch in cascaded configurations. If a root switch is part of a cluster that is one switch from a cascaded stack, you can customize spanning tree to reconverge more quickly after a switch failure. Figure 10-4 shows switches in three cascaded stacks that use the GigaStack GBIC. Table 10-4 shows the default STP settings and those that are acceptable for these configurations. Table 10-4 Default and Acceptable STP Parameter Settings...

Configuring the CoS-to-DSCP

You use the CoS-to-DSCP map to map CoS values in incoming packets to a DSCP value that QoS uses internally to represent the priority of the traffic. Table 24-3 shows the default CoS-to-DSCP map. If these values are not appropriate for your network, you need to modify them. Beginning in privileged EXEC mode, follow these steps to modify the CoS-to-DSCP map: For dscp1...dscp8, enter 8 DSCP values that correspond to CoS values 0 to 7. Separate each DSCP value with a space. The supported DSCP values...

Configuring the DSCP-to-CoS

You use the DSCP-to-CoS map to map DSCP values in incoming packets to a CoS value, which is used to select one of the four egress queues. The Catalyst 2950 switches support these DSCP values: 0, 8, 10, 16, 18, 24, 26, 32, 34, 40, 46, 48, and 56. Table 24-4 shows the default DSCP-to-CoS map. If these values are not appropriate for your network, you need to modify them. Catalyst 2950 Desktop Switch Software Configuration Guide. Beginning in privileged EXEC mode, follow these steps to modify the...

Configuring the Forwarding Delay Time

Beginning in privileged EXEC mode, follow these steps to configure the forwarding-delay time for all MST instances: spanning-tree mst forward-time seconds: Configure the forward time for all MST instances. The forward delay is the number of seconds a port waits before changing from its spanning-tree learning and listening states to the forwarding state. For seconds, the range is 4 to 30; the default is 15. (Optional) Save your entries in the configuration file. To return the switch to its default...

Configuring the Path Cost

The spanning-tree path cost default value is derived from the media speed of an interface. If a loop occurs, spanning tree uses cost when selecting an interface to put in the forwarding state. You can assign lower cost values to interfaces that you want selected first and higher cost values to interfaces that you want selected last. If all interfaces have the same cost value, spanning tree puts the interface with the lowest interface number in the forwarding state and blocks the other interfaces. Spanning...

Configuring the Source IP Address for NTP Packets

When the switch sends an NTP packet, the source IP address is normally set to the address of the interface through which the NTP packet is sent. Use the ntp source global configuration command when you want to use a particular source IP address for all NTP packets. The address is taken from the specified interface. This command is useful if the address on an interface cannot be used as the destination for reply packets. Beginning in privileged EXEC mode, follow these steps to configure a...

Configuring the Switch for Local Authentication and Authorization

You can configure AAA to operate without a server by setting the switch to implement AAA in local mode. The switch then handles authentication and authorization. No accounting is available in this configuration. Beginning in privileged EXEC mode, follow these steps to configure the switch for local AAA: aaa authentication login default local: Set the login authentication to use the local username database. The default keyword applies the local user database authentication to all interfaces....

Configuring the Switch for Secure Shell

This section describes how to configure the Secure Shell (SSH) feature. To use this feature, the crypto (encrypted) software image must be installed on your switch. You must download this software image from Cisco.com. For more information, refer to the release notes for this release. Note: For complete syntax and usage information for the commands used in this section, refer to the Secure Shell Commands section in the Cisco IOS Security Command Reference for Release 12.2.

Configuring the Switch for Vendor-Proprietary RADIUS Server Communication

Although an IETF draft standard for RADIUS specifies a method for communicating vendor-proprietary information between the switch and the RADIUS server, some vendors have extended the RADIUS attribute set in a unique way. Cisco IOS software supports a subset of vendor-proprietary RADIUS attributes. As mentioned earlier, to configure RADIUS (whether vendor-proprietary or IETF draft-compliant), you must specify the host running the RADIUS server daemon and the secret text string it shares with...

Configuring UNIX Syslog Servers

The next sections describe how to configure the UNIX server syslog daemon and define the UNIX system logging facility. Logging Messages to a UNIX Syslog Daemon: Before you can send system log messages to a UNIX syslog server, you must configure the syslog daemon on a UNIX server. Log in as root, and perform these steps. Some recent versions of UNIX syslog daemons no longer accept by default syslog packets from the network. If this is the case with your system, use the UNIX man syslogd command to...

Configuring VLAN Trunks

These sections describe how VLAN trunks function on the switch: Trunking Overview, page 13-18; 802.1Q Configuration Considerations, page 13-20; Default Layer 2 Ethernet Interface VLAN Configuration, page 13-21. A trunk is a point-to-point link between one or more Ethernet switch interfaces and another networking device such as a router or a switch. Fast Ethernet and Gigabit Ethernet trunks carry the traffic of multiple VLANs over a single link, and you can extend the VLANs across an entire network....

Configuring Voice VLAN

These are the voice VLAN configuration guidelines: You should configure voice VLAN on access ports. The Port Fast feature is automatically enabled when voice VLAN is configured. When you disable voice VLAN, the Port Fast feature is not automatically disabled. If you enable port security on a voice VLAN port and if there is a PC connected to the IP phone, you should set the maximum allowed secure addresses on the port to more than 1. You cannot configure static secure MAC addresses in the voice...

CoS and WRR

The Catalyst 2950 switches support four CoS queues for each egress port. For each queue, you can specify these types of scheduling: Strict priority scheduling is based on the priority of queues. Queues can have priorities from 0 to 7, 7 being the highest. Packets in the high-priority queue always transmit first, and packets in the low-priority queue do not transmit until all the high-priority queues become empty. Weighted round-robin (WRR) scheduling: WRR scheduling requires you to specify a...

Creating a Numbered Standard ACL

Beginning in privileged EXEC mode, follow these steps to create a numbered standard ACL: access-list access-list-number {deny | permit | remark} {source source-wildcard | host source | any}: Define a standard IP ACL by using a source address and wildcard. The access-list-number is a decimal number from 1 to 99 or 1300 to 1999. Enter deny or permit to specify whether to deny or permit access if conditions are matched. The source is the source address of the network or host from which the packet is being sent...

Creating MAC Access Groups

Beginning in privileged EXEC mode, follow these steps to create MAC access groups: Identify a specific interface for configuration, and enter interface configuration mode. The interface must be a Layer 2 interface. Control access to the specified interface. Display the MAC ACLs applied to the interface. (Optional) Save your entries in the configuration file. This example shows how to apply ACL 2 on Gigabit Ethernet interface 0/1 to filter packets entering the interface: Switch(config)# interface...

Creating Named Standard and Extended ACLs

You can identify IP ACLs with an alphanumeric string (a name) rather than a number. You can use named ACLs to configure more IP access lists on a switch than if you use numbered access lists. If you identify your access list with a name rather than a number, the mode and command syntax are slightly different. However, not all commands that use IP access lists accept a named ACL. Note: The name you give to a standard ACL or extended ACL can also be a number in the supported range of access list...

Default NTP Configuration

Table 7-2 shows the default NTP configuration. Table 7-2 Default NTP Configuration: Disabled. No authentication key is specified. Disabled; no interface sends or receives NTP broadcast packets. The source address is determined by the outgoing interface. NTP is enabled on all interfaces by default. All interfaces receive NTP packets.

Default Optional Spanning Tree Configuration

Table 12-1 shows the default optional spanning-tree configuration. Table 12-1 Default Optional Spanning-Tree Configuration: Port Fast, BPDU filtering, BPDU guard: Globally disabled on the switch (unless they are individually configured per interface).

Default Password and Privilege Level Configuration

Table 7-1 shows the default password and privilege level configuration. Table 7-1 Default Password and Privilege Levels: No password is defined. The default is level 15 (privileged EXEC level). The password is not encrypted in the configuration file. Enable secret password and privilege level: No password is defined. The default is level 15 (privileged EXEC level). The password is encrypted before it is written to the configuration file. Setting or...

Default System Message Logging Configuration

Table 21-2 shows the default system message logging configuration. Table 21-2 Default System Message Logging Configuration: System message logging to the console: Debugging (and numerically lower levels; see Table 21-3 on page 21-9). Local7 (see Table 21-4 on page 21-12). Informational (and numerically lower levels; see Table 21-3 on page 21-9).

Design Concepts for Using the Switch

As your network users compete for network bandwidth, it takes longer to send and receive data. When you configure your network, consider the bandwidth required by your network users and the relative priority of the network applications they use. Table 1-2 describes what can cause network performance to degrade and how you can configure your network to increase the bandwidth available to your network users. Table 1-2 Increasing Network Performance: Too...

Device Popup Menus

Specific devices in the Topology view display a specific popup menu: Command switch (Table 3-17); Member or standby command switch (Table 3-18); Candidate switch with an IP address (Table 3-19); Candidate switch without an IP address (Table 3-20); Neighboring devices (Table 3-21). The Device Manager option in these popup menus is available in read-only mode on Catalyst 2900 XL and Catalyst 3500 XL switches running Release 12.0(5)WC2 and later. It is also available on Catalyst 2950 switches running...

DHCP Client Request Process

When you boot your switch, the DHCP client can be invoked and automatically request configuration information from a DHCP server when the configuration file is not present on the switch. Figure 4-1 shows the sequence of messages that are exchanged between the DHCP client and the DHCP server. Figure 4-1 DHCP Request for IP Information from a DHCP Server The client, Switch A, broadcasts a DHCPDISCOVER message to locate a DHCP server. The DHCP server offers configuration parameters (such as an IP...

Disabling and Enabling CDP

Note: Creating and maintaining switch clusters is based on the regular exchange of CDP messages. Disabling CDP can interrupt cluster discovery. For more information, see Chapter 6, Clustering Switches. Beginning in privileged EXEC mode, follow these steps to disable the CDP device discovery capability. Beginning in privileged EXEC mode, follow these steps to enable CDP when it has been disabled. This example shows how to enable CDP if it has been disabled: Switch(config)# cdp run Switch(config)# end

Discovery through CDP Hops

By using CDP, a command switch can discover switches up to seven CDP hops away (the default is three hops) from the edge of the cluster. The edge of the cluster is where the last member switches are connected to the cluster and to candidate switches. For example, member switches 9 and 10 in Figure 6-1 are at the edge of the cluster. You can set the number of hops the command switch searches for candidate and member switches by selecting Cluster > Hop Count. When new candidate switches are...

Displaying EtherChannel and PAgP Status

You can use the user EXEC commands described in Table 25-3 to display EtherChannel and PAgP status information. Table 25-3 Commands for Displaying EtherChannel and PAgP Status: show etherchannel [channel-group-number] {brief | detail | load-balance | port | port-channel | summary}: Displays EtherChannel information in a brief, detailed, and one-line summary form. Also displays the load-balance or frame-distribution scheme, port, and port-channel...

Displaying IGMP Filtering Configuration

You can display IGMP profile characteristics, and you can display the IGMP profile and maximum group configuration for all interfaces on the switch or for a specified interface. Beginning in privileged EXEC mode, use the commands in Table 16-8 to display IGMP filtering configuration. Table 16-8 Commands for Displaying IGMP Filtering Configuration: show ip igmp profile profile number: Displays the specified IGMP profile or all IGMP...

Displaying IGMP Snooping Information

You can display IGMP snooping information for dynamically learned and statically configured router ports and VLAN interfaces. You can also display MAC address multicast entries for a VLAN configured for IGMP snooping. To display IGMP snooping information, use one or more of the privileged EXEC commands in Table 16-4. Table 16-4 Commands for Displaying IGMP Snooping Information: show ip igmp snooping vlan vlan-id: Display the snooping...

Displaying Port-Based Traffic Control Settings

The show interfaces interface-id switchport privileged EXEC command displays (among other characteristics) the interface traffic suppression and control configuration. The show interfaces counters privileged EXEC commands display the count of discarded packets. The show storm-control and show port-security privileged EXEC commands display those features. To display traffic control information, use one or more of the privileged EXEC commands in...

Displaying QoS Information

To display the current QoS information, use one or more of the privileged EXEC commands in Table 24-5. Table 24-5 Commands for Displaying QoS Information: Display QoS class maps, which define the match criteria to classify traffic. show policy-map [policy-map-name [class class-name]]: Display QoS policy maps, which define classification criteria for incoming traffic. show mls qos maps [cos-dscp | dscp-cos]: Display QoS mapping information. Maps are used to generate an internal DSCP value, which...

Displaying the Logging Configuration

To display the current logging configuration and the contents of the log buffer, use the show logging privileged EXEC command. For information about the fields in this display, refer to the Cisco IOS Configuration Fundamentals Command Reference for Release 12.1. This chapter describes how to configure the Simple Network Management Protocol (SNMP) on your switch. For complete syntax and usage information for the commands used in this chapter, refer to the Catalyst 2950 Desktop Switch Command...

Displaying the MST Configuration and Status

To display the spanning-tree status, use one or more of the privileged EXEC commands in Table 11-4. Table 11-4 Commands for Displaying MST Status: show spanning-tree mst configuration: Displays the MST region configuration. Displays MST information for the specified instance. show spanning-tree mst interface interface-id: Displays MST information for the specified interface. Valid interfaces include physical ports, VLANs, and port channels. The valid VLAN range is 1 to 4094; the valid port-channel...

Editing Commands through Keystrokes

Table 2-5 shows the keystrokes that you need to edit command lines. Table 2-5 Editing Commands through Keystrokes: Move around the command line to make changes or corrections. Press Ctrl-B, or press the left arrow key. Press Ctrl-F, or press the right arrow key. Move the cursor forward one character. Move the cursor to the beginning of the command line. Move the cursor to the end of...

Enabling an Initial Configuration

Step 2: cns config connect-intf interface-prefix [ping-interval seconds] [retries num]: Enter the connect-interface-config submode, and specify the interface for connecting to the Configuration Registrar. Enter the interface-prefix for the connecting interface. You must specify the interface type but need not specify the interface number. (Optional) For ping-interval seconds, enter the interval between successive ping attempts. The range is 1 to 30 seconds. The default is 10 seconds. (Optional) For...

Enabling and Disabling Timestamps on Log Messages

By default, log messages are not timestamped. Beginning in privileged EXEC mode, follow these steps to enable timestamping of log messages: Step 2: service timestamps log uptime; service timestamps log datetime [msec] [localtime] [show-timezone]. The first command enables timestamps on log messages, showing the time since the system was rebooted. The second command enables timestamps on log messages. Depending on the options selected, the timestamp can include the date, time in milliseconds relative to...

Enabling BPDU Guard

When you globally enable BPDU guard on ports that are Port Fast-enabled (the ports are in a Port Fast-operational state), spanning tree shuts down Port Fast-enabled ports that receive BPDUs. In a valid configuration, Port Fast-enabled ports do not receive BPDUs. Receiving a BPDU on a Port Fast-enabled port signals an invalid configuration, such as the connection of an unauthorized device, and the BPDU guard feature puts the port in the error-disabled state. The BPDU guard feature provides a...

Enabling IGMP Immediate-Leave Processing

When you enable IGMP Immediate-Leave processing, the switch immediately removes a port from the IP multicast group when it detects an IGMP version 2 leave message on that port. Immediate-Leave processing allows the switch to remove an interface that sends a leave message from the forwarding table without first sending out group-specific queries to the interface. You should use the Immediate-Leave feature only when there is only a single receiver present on every port in the VLAN....

Enabling Periodic Re-Authentication

You can enable periodic 802.1X client re-authentication and specify how often it occurs. If you do not specify a time period before enabling re-authentication, the number of seconds between re-authentication attempts is 3600 seconds. Automatic 802.1X client re-authentication is a global setting and cannot be set for clients connected to individual ports. To manually re-authenticate the client connected to a specific port, see the Manually Re-Authenticating a Client Connected to a Port section...

Enabling Root Guard

Root guard enabled on an interface applies to all the VLANs to which the interface belongs. Do not enable the root guard on interfaces to be used by the UplinkFast feature. With UplinkFast, the backup interfaces (in the blocked state) replace the root port in the case of a failure. However, if root guard is also enabled, all the backup interfaces used by the UplinkFast feature are placed in the root-inconsistent state (blocked) and are prevented from reaching the forwarding state. You cannot...

Enabling UplinkFast for Use with Redundant Links

UplinkFast cannot be enabled on VLANs that have been configured for switch priority. To enable UplinkFast on a VLAN with switch priority configured, first restore the switch priority on the VLAN to the default value by using the no spanning-tree vlan vlan-id priority global configuration command. Note When you enable UplinkFast, it affects all VLANs on the switch. You cannot configure UplinkFast on an individual VLAN. The UplinkFast feature is supported only when the switch is running PVST....

Examples for Compiling ACLs

For detailed information about compiling ACLs, refer to the Security Configuration Guide and the IP Services chapter of the Cisco IOS IP and IP Routing Configuration Guide for IOS Release 12.1. Figure 23-2 shows a small networked office with a stack of Catalyst 2950 switches that are connected to a Cisco router. A host is connected to the network through the Internet using a WAN link. Create a standard ACL, and filter traffic from a specific Internet host with an address 172.20.128.64. Create...

HTTP Access to CMS

CMS uses Hypertext Transfer Protocol (HTTP), which is an in-band form of communication with the switch through any one of its Ethernet ports and that allows switch management from a standard web browser. The default HTTP port is 80. If you change the HTTP port, you must include the new port number when you enter the IP address in the browser Location or Address field (for example, http://10.1.126.45:184 where 184 is the new HTTP port number). Do not disable or otherwise misconfigure the port...

Info

A VTP domain (also called a VLAN management domain) consists of one switch or several interconnected switches under the same administrative responsibility sharing the same VTP domain name. A switch can be in only one VTP domain. You make global VLAN configuration changes for the domain by using the command-line interface (CLI), Cluster Management Suite (CMS) software, or Simple Network Management Protocol (SNMP). By default, the switch is in VTP no-management-domain state until it receives an...

Limiting Syslog Messages Sent to the History Table and to SNMP

If you have enabled syslog message traps to be sent to an SNMP network management station by using the snmp-server enable trap global configuration command, you can change the level of messages sent and stored in the switch history table. You can also change the number of messages that are stored in the history table. Messages are stored in the history table because SNMP traps are not guaranteed to reach their destination. By default, one message of the level warning and numerically lower...

Managing the System Time and Date

You can manage the system time and date on your switch using automatic, such as the Network Time Protocol (NTP), or manual configuration methods. Note For complete syntax and usage information for the commands used in this section, refer to the Cisco IOS Configuration Fundamentals Command Reference for Release 12.1. This section contains this configuration information Understanding the System Clock, page 7-33 Understanding Network Time Protocol, page 7-33 Configuring Time and Date Manually,...

Monitoring Interface and Controller Status

Commands entered at the privileged EXEC prompt display information about the interface, including the version of the software and the hardware, the controller status, and statistics about the interfaces. Table 9-2 lists some of these interface monitoring commands. (You can display the full list of show commands by using the show command at the privileged EXEC prompt.) These commands are fully described in the Cisco IOS Interface Command Reference for Release 12.1. Table 9-2 Show Commands for...

Multidwelling Network Using Catalyst 2950 Switches

A growing segment of residential and commercial customers are requiring high-speed access to Ethernet metropolitan-area networks (MANs). Figure 1-5 shows a configuration for a Gigabit Ethernet MAN ring using Catalyst 3550 multilayer switches as aggregation switches in the mini-point-of-presence (POP) location. These switches are connected through 1000BASE-X GBIC ports. The resident switches can be Catalyst 2950 switches, providing customers with high-speed connections to the MAN. Catalyst...

Name Space Mapper

The Configuration Registrar includes the NameSpace Mapper (NSM) that provides a lookup service for managing logical groups of devices based on application, device ID or group ID, and event. Cisco IOS devices recognize only event subject-names that match those configured in Cisco IOS software; for example, cisco.cns.config.load. You can use the namespace mapping service to designate events by using any desired naming convention. When you have populated your data store with your subject names, NSM...

Other Considerations for Cluster Standby Groups

Standby command switches must meet these requirements - When the command switch is a Catalyst 3550 switch, all standby command switches must be Catalyst 3550 switches. - When the command switch is a Catalyst 2950 switch running Release 12.1(9)EA1 or later, all standby command switches must be Catalyst 2950 switches running Release 12.1(9)EA1 or later. - When the command switch is a Catalyst 2950 switch running Release 12.1(6)EA2 or later, all standby command switches must be Catalyst 2950...

Policing and Marking

Note This feature is available only if your switch is running the enhanced software image. Policing involves creating a policer that specifies the bandwidth limits for the traffic. Packets that exceed the limits are out of profile or nonconforming. Each policer specifies the action to take for packets that are in or out of profile. These actions, carried out by the marker, include dropping the packet or marking down the packet with a new value that is user-defined. You can create this type of...

Port Scheduling

Each port on the switch has a single receive queue buffer (the ingress port) for incoming traffic. When an untagged frame arrives, it is assigned the value of the port as its port default priority. You assign this value by using the CLI or CMS. A tagged frame continues to use its assigned CoS value when it passes through the ingress port. CoS configures each transmit port (the egress port) with a normal-priority transmit queue and a high-priority transmit queue, depending on the frame tag or...

Procedures for Configuring Interfaces

These general instructions apply to all interface configuration processes. Step 1 Enter the configure terminal command at the privileged EXEC prompt: Enter configuration commands, one per line. End with CNTL/Z. Switch(config)# Step 2 Enter the interface global configuration command. Identify the interface type and the number of the connector. In this example, Gigabit Ethernet interface 0/1 is selected: Switch(config)# interface gigabitethernet0/1 Note You do not need to add a space between the...

QoS Configuration Examples

These examples are applicable only if your switch is running the enhanced software image. This section provides a QoS migration path to help you quickly implement QoS features based on your existing network and planned changes to your network, as shown in Figure 24-4. It contains this information QoS Configuration for the Common Wiring Closet, page 24-26 QoS Configuration for the Intelligent Wiring Closet, page 24-27 Figure 24-4 QoS Configuration Example Network Existing wiring closet Catalyst...

Replacing a Failed Command Switch with Another Switch

To replace a failed command switch with a switch that is command-capable but not part of the cluster, follow these steps Step 1 Insert the new switch in place of the failed command switch, and duplicate its connections to the cluster members. Step 2 Start a CLI session on the new command switch. You can access the CLI by using the console port or, if an IP address has been assigned to the switch, by using Telnet. For details about using the console port, refer to the switch hardware...

Resetting the 802.1X Configuration to the Default Values

You can reset the 802.1X configuration to the default values with a single command. Beginning in privileged EXEC mode, follow these steps to reset the 802.1X configuration to the default values Reset the configurable 802.1X parameters to the default values. (Optional) Save your entries in the configuration file.

Saving Configuration Changes

The show command always displays the running configuration of the switch. When you make a configuration change to a switch or switch cluster, the change becomes part of the running configuration. The change does not automatically become part of the config.text file in Flash memory, which is the startup configuration used each time the switch restarts. If you do not save your changes to Flash memory, they are lost when the switch restarts. To save all configuration changes to Flash memory, you...

Setting Speed and Duplex Parameters

Beginning in privileged EXEC mode, follow these steps to set the speed and duplex parameters on a port: Enter interface configuration mode, and enter the port to be configured. Enter the speed parameter for the port. The 10/100/1000 ports operate only in full-duplex mode. The GBIC-module ports operate only at 1000 Mbps. 100BASE-FX ports operate only at 100 Mbps in full-duplex mode. Note The Catalyst 2950C-24 does not support the speed and duplex interface configuration commands in Release...

Setting the Maximum Number of IGMP Groups

You can set the maximum number of IGMP groups that an interface can join. Use the no form of this command to set the maximum back to the default, which is no limit. Beginning in privileged EXEC mode, follow these steps to apply an IGMP profile to a switch port: Enter interface configuration mode, and enter the physical interface to configure, for example fastethernet0/1. Set the maximum number of IGMP groups that the interface can join. The range is from 0 to 4294967294. The default is to have no...

Setting the Privilege Level for a Command

Beginning in privileged EXEC mode, follow these steps to set the privilege level for a command mode Set the privilege level for a command. For mode, enter configure for global configuration mode, exec for EXEC mode, interface for interface configuration mode, or line for line configuration mode. For level, the range is from 0 to 15. Level 1 is for normal user EXEC mode privileges. Level 15 is the level of access permitted by the enable password. For command, specify the command to which you...

SNMP Manager Functions

The SNMP manager uses information in the MIB to perform the operations described in Table 22-1. Retrieves a value from a specific variable. Retrieves a value from a variable within a table. Retrieves large blocks of data, such as multiple rows in a table, that would otherwise require the transmission of many small blocks of data. Replies to a get-request, get-next-request, and set-request sent by an NMS. Stores a value in a specific variable. An unsolicited message sent by an SNMP agent to an...

SPAN Concepts and Terminology

This section describes concepts and terminology associated with SPAN configuration. A SPAN session is an association of a destination port with source ports. You can monitor incoming or outgoing traffic on a series or range of ports. SPAN sessions do not interfere with the normal operation of the switch. You can configure SPAN sessions on disabled ports; however, a SPAN session does not become active unless you enable the destination port and at least one source port. The show monitor session...

Spanning Tree Interface States

An interface moves through these states: From initialization to blocking. From blocking to listening or to disabled. From listening to learning or to disabled. From learning to forwarding or to disabled. From forwarding to disabled. Figure 10-2 illustrates how an interface moves through the states. Figure 10-2 Spanning-Tree Interface States When you power up the switch, STP is enabled by default, and every interface in the switch, VLAN, or network goes...

Specifying the Link Type to Ensure Rapid Transitions

If you connect a port to another port through a point-to-point link and the local port becomes a designated port, the RSTP negotiates a rapid transition with the other port by using the proposal-agreement handshake to ensure a loop-free topology as described in the Rapid Convergence section on page 11-3. By default, the link type is determined from the duplex mode of the interface: a full-duplex port is considered to have a point-to-point connection; a half-duplex port is considered to have a...

Specifying the MST Region Configuration and Enabling MSTP

For two or more switches to be in the same MST region, they must have the same VLAN-to-instance mapping, the same configuration revision number, and the same name. A region can have one member or multiple members with the same MST configuration; each member must be capable of processing RSTP BPDUs. There is no limit to the number of MST regions in a network, but each region can support up to 16 spanning-tree instances. You can assign a VLAN to only one spanning-tree instance at a time. Beginning...

Step 3 aaa new-model

Step 4 aaa group server radius group-name Define the AAA server-group with a group name. This command puts the switch in a server group configuration mode. Associate a particular RADIUS server with the defined server group. Repeat this step for each RADIUS server in the AAA server group. Each server in the group must be previously defined in Step 2. (Optional) Save your entries in the configuration file. Enable RADIUS...

T

Table 16-2 Updated Multicast Forwarding Table The router sends periodic IP multicast general queries, and the switch responds to these queries with one join response per MAC multicast group. As long as at least one host in the VLAN needs multicast traffic, the switch responds to the router queries, and the router continues forwarding the multicast traffic to the VLAN. The switch only forwards IP multicast group traffic to those hosts listed in the...

TACACS+ Operation

When a user attempts a simple ASCII login by authenticating to a switch using TACACS+, this process occurs: 1. When the connection is established, the switch contacts the TACACS+ daemon to obtain a username prompt, which is then displayed to the user. The user enters a username, and the switch then contacts the TACACS+ daemon to obtain a password prompt. The switch displays the password prompt to the user, the user enters a password, and the password is then sent to the TACACS+ daemon. TACACS+...

Troubleshooting CMS Sessions

Table 26-2 lists problems commonly encountered when using CMS. Table 26-2 Common CMS Session Problems A blank screen appears when you click Web Console from the CMS access page. A missing Java plug-in or incorrect settings could cause this problem. CMS requires a Java plug-in in order to function correctly. For instructions on downloading and installing the plug-ins, refer to the Release Notes for the Catalyst 2950 for this release. Note If your PC is connected to the Internet when you attempt to...

Understanding BPDU Guard

The BPDU guard feature can be globally enabled on the switch or can be enabled per interface, but the feature operates with some differences. At the global level, you can enable BPDU guard on Port Fast-enabled ports by using the spanning-tree portfast bpduguard default global configuration command. Spanning tree shuts down ports that are in a Port Fast-operational state. In a valid configuration, Port Fast-enabled ports do not receive BPDUs. Receiving a BPDU on a Port Fast-enabled port signals...

Understanding CLI Messages

Table 2-3 lists some error messages that you might encounter while using the CLI to configure your switch. Ambiguous command show con You did not enter enough characters for your switch to recognize the command. Re-enter the command followed by a question mark (?) with a space between the command and the question mark. The possible keywords that you can enter with the command appear. You did not enter all of the keywords or values required by this command. Re-enter the command followed by a...

Understanding EtherChannels

EtherChannel consists of individual Fast Ethernet or Gigabit Ethernet links bundled into a single logical link as shown in Figure 25-1. The EtherChannel provides full-duplex bandwidth up to 800 Mbps (Fast EtherChannel) or 2 Gbps (Gigabit EtherChannel) between your switch and another switch or host. Each EtherChannel can consist of up to eight compatibly configured Ethernet interfaces. All interfaces in each EtherChannel must be the same speed, and all must be configured as Layer 2 interfaces. ...

Understanding IE2100 Series Configuration Registrar Software

The IE2100 Series Configuration Registrar is a network management device that acts as a configuration service for automating the deployment and management of network devices and services (see Figure 5-1). Each Configuration Registrar manages a group of Cisco IOS devices (switches and routers) and the services that they deliver, storing their configurations and delivering them as needed. The Configuration Registrar automates initial configurations and configuration updates by generating...

Understanding Network Time Protocol

The NTP is designed to time-synchronize a network of devices. NTP runs over User Datagram Protocol (UDP), which runs over IP. NTP is documented in RFC 1305. An NTP network usually gets its time from an authoritative time source, such as a radio clock or an atomic clock attached to a time server. NTP then distributes this time across the network. NTP is extremely efficient; no more than one packet per minute is necessary to synchronize two devices to within a millisecond of one another. NTP uses...

Understanding Port Channel Interfaces

When you create an EtherChannel for Layer 2 interfaces, a logical interface is dynamically created. You then manually assign an interface to the EtherChannel by using the channel-group interface configuration command as shown in Figure 25-2. Each EtherChannel has a logical port-channel interface numbered from 1 to 6. Figure 25-2 Relationship of Physical Ports, Logical Port Channels, and Channel Groups After...

Understanding QoS

This section describes how QoS is implemented on the Catalyst 2950 switch. If you have the standard software image installed on your switch, some concepts and features in this section might not apply. For a list of available features, see Table 24-1 on page 24-1. Typically, networks operate on a best-effort delivery basis, which means that all traffic has equal priority and an equal chance of being delivered in a timely manner. When congestion occurs, all traffic has an equal chance of being...

Understanding Root Guard

The Layer 2 network of a service provider (SP) can include many connections to switches that are not owned by the SP. In such a topology, the spanning tree can reconfigure itself and select a customer switch as the root switch, as shown in Figure 12-10. You can avoid this situation by configuring root guard on interfaces that connect to switches outside of your customer's network. If spanning-tree calculations cause an interface in the customer network to be selected as the root port, root...

Understanding Switch Clusters

A switch cluster is a group of connected Catalyst switches that are managed as a single entity. In a switch cluster, 1 switch must be the command switch and up to 15 switches can be member switches. The total number of switches in a cluster cannot exceed 16 switches. The command switch is the single point of access used to configure, manage, and monitor the member switches. Cluster members can belong to only one cluster at a time. The benefits of clustering switches include Management of...

Understanding the System Clock

The heart of the time service is the system clock. This clock runs from the moment the system starts up and keeps track of the current date and time. The system clock can then be set from these sources The system clock can provide time to these services Logging and debugging messages The system clock keeps track of time internally based on Universal Time Coordinated (UTC), also known as Greenwich Mean Time (GMT). You can configure information about the local time zone and summer time (daylight...

Understanding UplinkFast

Switches in hierarchical networks can be grouped into backbone switches, distribution switches, and access switches. Figure 12-2 shows a complex network where distribution switches and access switches each have at least one redundant link that spanning tree blocks to prevent loops. Figure 12-2 Switches in a Hierarchical Network If a switch loses connectivity, it begins using the alternate paths as soon as the spanning tree selects a new root port....

Using Host Name, DeviceID, and ConfigID

In standalone mode, when a host name value is set for a switch, the configuration server uses the host name as the deviceID when an event is sent on host name. If the host name has not been set, the event is sent on the cn=<value> of the device. In server mode, the host name is not used. In this mode, the unique deviceID attribute is always used for sending an event on the bus. If this attribute is not set, you cannot update the switch. These and other associated attributes (tag value...

Using SNMP to Access MIB Variables

An example of an NMS is the CiscoWorks network management software. CiscoWorks 2000 software uses the switch MIB variables to set device variables and to poll devices on the network for specific information. The results of a poll can be displayed as a graph and analyzed to troubleshoot internetworking problems, increase network performance, verify the configuration of devices, monitor traffic loads, and more. As shown in Figure 22-1, the SNMP agent gathers data from the MIB. The agent can send...

V

Note When the switch is in VTP transparent mode and the enhanced software image is installed, you can assign VLAN IDs greater than 1006, but they are not added to the VLAN database. See the Configuring Extended-Range VLANs section on page 13-14. For the list of default parameters that are assigned when you add a VLAN, see the Configuring Normal-Range VLANs section on page 13-6. Beginning in privileged EXEC mode, follow these steps to use config-vlan mode to create or modify an Ethernet VLAN...

Verifying a Switch Cluster

When you finish adding cluster members, follow these steps to verify the cluster Step 1 Enter the command switch IP address in the browser Location field (Netscape Communicator) or Address field (Microsoft Internet Explorer) to access all switches in the cluster. Step 2 Enter the command-switch password. Step 3 Select View > Topology to display the cluster topology and to view link information (Figure 3-6 on page 3-10). For complete information about the Topology view, including descriptions...

VLAN Port Membership Modes

You configure a port to belong to a VLAN by assigning a membership mode that determines the kind of traffic the port carries and the number of VLANs to which it can belong. Table 13-2 lists the membership modes and membership and VTP characteristics. A static-access port can belong to one VLAN and is manually assigned to that VLAN. For more information, see the Assigning Static-Access Ports to a VLAN section on page 13-13. VTP is not required. If you do not want VTP to globally propagate...