Accelerated Aging to Retain Connectivity

The default for aging dynamic addresses is 5 minutes, the default setting of the mac-address-table aging-time global configuration command. However, a spanning-tree reconfiguration can cause many station locations to change. Because these stations could be unreachable for 5 minutes or more during a reconfiguration, the address-aging time is accelerated so that station addresses can be dropped from the address table and then relearned. The accelerated aging is the same as the forward-delay...

Access Modes in CMS

CMS provides two levels of access to the configuration options: read-write access and read-only access. Privilege levels 0 to 15 are supported. Privilege level 15 provides you with read-write access to CMS. Privilege levels 1 to 14 provide you with read-only access to CMS. Any options in the CMS windows, menu bar, toolbar, and popup menus that change the switch or cluster configuration are not shown in read-only mode. Privilege level 0 denies access to CMS. If you do not include a privilege...

Accessing CMS

You know the IP address and password of the command switch or a specific switch. This information is either:
- Assigned to the switch by following the setup program, as described in the release notes.
- Changed on the switch by following the information in the Assigning Switch Information section on page 4-2 and the Preventing Unauthorized Access to Your Switch section on page 7-1.
Considerations for assigning IP addresses and passwords to a command switch and cluster members are described in the...

Accessing the CLI

This procedure assumes you have already assigned IP information and a password to the switch or command switch. For information about assigning IP information to the switch, see the Assigning Switch Information section on page 4-2. To access the CLI, follow these steps:
Step 1 Start the emulation software (such as ProComm, HyperTerminal, tip, or minicom) on the management station.
Step 2 If necessary, reconfigure the terminal-emulation software to match the switch console port settings (default...

Accessing the CLI from a Browser

This procedure assumes you have met the software requirements (including browser and Java plug-in configurations) and have assigned IP information and a Telnet password to the switch or command switch, as described in the release notes. To access the CLI from a web browser, follow these steps:
Step 1 Start one of the supported browsers.
Step 2 In the URL field, enter the IP address of the command switch.
Step 3 When the Cisco Systems Access page appears, click Telnet to start a Telnet session....

ACL Numbers

The number you use to denote your ACL shows the type of access list that you are creating. Table 23-2 lists the access list number and corresponding type and shows whether or not they are supported by the switch. The Catalyst 2950 switch supports IP standard and IP extended access lists, numbers 1 to 199 and 1300 to 2699. (Table 23-2, Access List Numbers, is not reproduced here; its rows include "Extended 48-bit MAC address access list" and "IP standard access list (expanded range)".) IP...

ACLs

You can apply ACLs on management VLANs (see the Management VLANs section on page 13-3) and on physical Layer 2 interfaces. ACLs are applied on interfaces in the inbound direction. Standard IP access lists use source addresses for matching operations. Extended IP access lists use source and destination addresses and optional protocol type information for matching operations. MAC extended access lists use source and destination MAC addresses and optional protocol type information for matching...

Adding a Description for an Interface

You can add a description about an interface to help you remember its function. The description appears in the output of these commands: show configuration, show running-config, and show interfaces. Beginning in privileged EXEC mode, follow these steps to add a description for an interface:
- Enter interface configuration mode, and enter the interface for which you are adding a description.
- Add a description (up to 240 characters) for an interface.
- show interfaces interface-id description...

Adding and Removing Secure Addresses

A secure address is a manually entered unicast address or dynamically learned address that is forwarded to only one port per VLAN. If you enter a static address that is already assigned to another port, the request is rejected. Secure addresses can be learned dynamically if the configured secure addresses do not reach the maximum limit of the port. Beginning in privileged EXEC mode, follow these steps to add a secure address: Identify a specific interface for configuration, and enter...

Adding and Removing Static Address Entries

A static address has these characteristics:
- It is manually entered in the address table and must be manually removed.
- It can be a unicast or multicast address.
- It does not age and is retained when the switch restarts.
You can add and remove static addresses and define the forwarding behavior for them. The forwarding behavior determines how a port that receives a packet forwards it to another port for transmission. Because all ports are associated with at least one VLAN, the switch acquires the...

Adding Member Switches

As explained in the Automatic Discovery of Cluster Candidates and Members section on page 6-5, the command switch automatically discovers candidate switches. When you add new cluster-capable switches to the network, the command switch discovers them and adds them to a list of candidate switches. To display an updated cluster candidates list from the Add to Cluster window (Figure 6-11), either relaunch CMS and redisplay this window, or follow these steps: 1. Close the Add to Cluster window.

Administering the Switch

This chapter describes how to perform one-time operations to administer your switch. This chapter consists of these sections: Preventing Unauthorized Access to Your Switch, page 7-1; Protecting Access to Privileged EXEC Commands, page 7-2; Controlling Switch Access with TACACS+, page 7-9; Controlling Switch Access with RADIUS, page 7-17; Configuring the Switch for Local Authentication and Authorization, page 7-31; Configuring the Switch for Secure Shell, page 7-32; Managing the System Time and Date,...

Advantages of Using CMS and Clustering Switches

Using CMS and switch clusters can simplify and minimize your configuration and monitoring tasks. You can use Cisco switch clustering technology to manage up to 16 interconnected and supported Catalyst switches through one IP address as if they were a single entity. This can conserve IP addresses if you have a limited number of them. CMS is the easiest interface to use and makes switch and switch cluster management accessible to authorized users from any PC on your network. By using switch...

Applying the ACL to an Interface or Terminal Line

After you create an ACL, you can apply it to one or more interfaces or terminal lines. ACLs can be applied on inbound interfaces. This section describes how to accomplish this task for both terminal lines and network interfaces. Note these guidelines:
- When controlling access to a line, you must use a number. Numbered ACLs and MAC extended ACLs can be applied to lines.
- When controlling access to an interface, you can use a name or number.
- Set identical restrictions on all the virtual terminal...

Assigning Switch Information

You can assign IP information through the switch setup program, through a Dynamic Host Configuration Protocol (DHCP) server, or manually. Use the switch setup program if you are a new user and want to be prompted for specific IP information. With this program, you can also configure a host name and an enable secret password. It gives you the option of assigning a Telnet password (to provide security during remote management) and configuring your switch as a command or member switch of a cluster...

Assigning the Switch IP Address and Default Gateway

This chapter describes how to create the initial switch configuration (for example, assign the switch IP address and default gateway information) by using a variety of automatic and manual methods. Note: For complete syntax and usage information for the commands used in this chapter, refer to the Catalyst 2950 Desktop Switch Command Reference for this release. This chapter consists of these sections: Understanding the Boot Process, page 4-1; Assigning Switch Information, page 4-2; Checking and...

Authentication Initiation and Message Exchange

The switch or the client can initiate authentication. If you enable authentication on a port by using the dot1x port-control auto interface configuration command, the switch must initiate authentication when it determines that the port link state transitions from down to up. It then sends an EAP-request identity frame to the client to request its identity (typically, the switch sends an initial identity request frame followed by one or more requests for authentication information). Upon receipt...

Automatic Recovery of Cluster Configuration

The active command switch continually forwards cluster-configuration information (but not device-configuration information) to the standby command switch. This ensures that the standby command switch can take over the cluster immediately after the active command switch fails. Automatic discovery has these limitations:
- This limitation applies only to clusters that have Catalyst 2950 and Catalyst 3550 command and standby command switches: If the active command switch and standby command switch...

Avoiding Autonegotiation Mismatches

The IEEE 802.3u autonegotiation protocol manages the switch settings for speed (10, 100, or 1000 Mbps) and duplex (half or full). Sometimes this protocol can incorrectly align these settings, reducing performance. A mismatch occurs under these circumstances:
- A manually set speed or duplex parameter is different from the manually set speed or duplex parameter on the connected port.
- A port is set to autonegotiate, and the connected port is set to full duplex with no autonegotiation.
To maximize...

Avoiding Configuration Conflicts

Certain combinations of port features conflict with one another. For example, if you define a port as the network port for a VLAN, all unknown unicast and multicast traffic is flooded to the port. You could not enable port security on the network port because a secure port limits the traffic allowed on it. In Table 26-1, "no" means that the two features are incompatible and that both should not be enabled; "yes" means that both can be enabled at the same time and will not cause an incompatibility...

Basic QoS Model

Figure 24-2 shows the basic QoS model. Actions at the ingress interface include classifying traffic, policing, and marking. Note: If you have the standard software image installed on your switch, only the queueing and scheduling features are available. Classifying distinguishes one kind of traffic from another. For more information, see the Classification section on page 24-4. Policing determines whether a packet is in or out of profile according to the configured policer, and the policer limits...

Boundary Ports

A boundary port is a port that connects an MST region to a single spanning-tree region running RSTP, to a single spanning-tree region running 802.1D, or to another MST region with a different MST configuration. A boundary port also connects to a LAN, the designated switch of which is either a single spanning-tree switch or a switch with a different MST configuration. At the boundary, the roles of the MST ports do not matter, and their state is forced to be the same as the IST port state...

Bridge ID Switch Priority and Extended System ID

The IEEE 802.1D standard requires that each switch has a unique bridge identifier (bridge ID), which determines the selection of the root switch. Because each VLAN is considered a different logical bridge with PVST+, the same switch must have as many different bridge IDs as VLANs configured on it. Each VLAN on the switch has a unique 8-byte bridge ID: the two most-significant bytes are used for the switch priority, and the remaining six bytes are derived from the switch MAC address. In...

Bridge Protocol Data Units

The stable, active spanning-tree topology of a switched network is determined by these elements:
- The unique bridge ID (switch priority and MAC address) associated with each VLAN on each switch
- The spanning-tree path cost to the root switch
- The port identifier (port priority and MAC address) associated with each Layer 2 interface
When the switches in a network are powered up, each functions as the root switch. Each switch sends a configuration BPDU through all of its ports. The BPDUs communicate...

Building the Address Table

With multiple MAC addresses supported on all ports, you can connect any port on the switch to individual workstations, repeaters, switches, routers, or other network devices. The switch provides dynamic addressing by learning the source address of packets it receives on each port and adding the address and its associated port number to the address table. As stations are added or removed from the network, the switch updates the address table, adding new dynamic addresses and aging out those that...

Candidate Switch and Member Switch Characteristics

Candidate switches are cluster-capable switches that have not yet been added to a cluster. Member switches are switches that have actually been added to a switch cluster. Although not required, a candidate or member switch can have its own IP address and password (for related considerations, see the IP Addresses section on page 6-17 and the Passwords section on page 6-18). To join a cluster, a candidate switch must meet these requirements:
- It is running cluster-capable software.
- It has CDP version 2...

Catalyst 1900 and Catalyst 2820 CLI Considerations

If your switch cluster has Catalyst 1900 and Catalyst 2820 switches running standard edition software, the Telnet session accesses the management console (a menu-driven interface) if the command switch is at privilege level 15. If the command switch is at privilege level 1 to 14, you are prompted for the password to access the menu console. Command-switch privilege levels map to the Catalyst 1900 and Catalyst 2820 member switches running standard and Enterprise Edition Software as follows: If...

Changing the Address Aging Time

Dynamic addresses are source MAC addresses that the switch learns and then ages when they are not in use. You can change the aging time setting for all VLANs or for a specified VLAN. Setting too short an aging time can cause addresses to be prematurely removed from the table. Then when the switch receives a packet for an unknown destination, it floods the packet to all ports in the same VLAN as the receiving port. This unnecessary flooding can impact performance. Setting too long an aging time...

Changing the Command History Buffer Size

By default, the switch records ten command lines in its history buffer. Beginning in user EXEC mode, enter this command to change the number of command lines that the switch records during the current terminal session:
Switch> terminal history size number-of-lines
Beginning in line configuration mode, enter this command to configure the number of command lines the switch records for all sessions on a particular line:
Switch(config-line)# history size number-of-lines

Changing the Default Privilege Level for Lines

Beginning in privileged EXEC mode, follow these steps to change the default privilege level for a line:
- Select the virtual terminal line on which to restrict access.
- Change the default privilege level for the line. For level, the range is from 0 to 15. Level 1 is for normal user EXEC mode privileges. Level 15 is the level of access permitted by the enable password.
- The first command displays the password and access level configuration. The second command displays the privilege level...

Changing the Quiet Period

When the switch cannot authenticate the client, the switch remains idle for a set period of time, and then tries again. The idle time is determined by the quiet-period value. A failed authentication of the client might occur because the client provided an invalid password. You can provide a faster response time to the user by entering a smaller number than the default. Beginning in privileged EXEC mode, follow these steps to change the quiet period: Set the number of seconds that the switch...

Changing the Switch-to-Client Retransmission Time

The client responds to the EAP-request identity frame from the switch with an EAP-response identity frame. If the switch does not receive this response, it waits a set period of time (known as the retransmission time), and then retransmits the frame. Note: You should change the default value of this command only to adjust for unusual circumstances such as unreliable links or specific behavioral problems with certain clients and authentication servers. Beginning in privileged EXEC mode, follow...

Chapter 12 Configuring Optional Spanning-Tree Features 12-1

Understanding Optional Spanning-Tree Features 12-1
Understanding Port Fast 12-2
Understanding BPDU Guard 12-3
Understanding BPDU Filtering 12-3
Understanding UplinkFast 12-4
Understanding Cross-Stack UplinkFast 12-5
How CSUF Works 12-6
Events that Cause Fast Convergence 12-7
Limitations 12-8
Connecting the Stack Ports 12-8
Understanding BackboneFast 12-10
Understanding Root Guard 12-12
Understanding Loop Guard 12-13
Configuring Optional Spanning-Tree Features 12-13
Default Optional...

Chapter 14 Configuring VTP 14-1

Understanding VTP 14-1
The VTP Domain 14-2
VTP Modes 14-3
VTP Advertisements 14-3
VTP Version 2 14-4
VTP Pruning 14-4
Configuring VTP 14-6
Default VTP Configuration 14-6
VTP Configuration Options 14-7
VTP Configuration in Privileged EXEC and Global Configuration Modes 14-7
VTP Configuration in VLAN Configuration Mode 14-7
VTP Configuration Guidelines 14-8
Domain Names 14-8
Passwords 14-8
Upgrading from Previous Software Releases 14-8
VTP Version 14-9
Configuration Requirements 14-9
Configuring...

Chapter 15 Configuring Voice VLAN 15-1

Understanding Voice VLAN 15-1
Configuring Voice VLAN 15-2
Default Voice VLAN Configuration 15-2
Configuration Guidelines 15-3
Configuring a Port to Connect to a Cisco 7960 IP Phone 15-3
Configuring Ports to Carry Voice Traffic in 802.1Q Frames 15-4
Configuring Ports to Carry Voice Traffic in 802.1P Priority Tagged Frames 15-4
Overriding the CoS Priority of Incoming Data Frames 15-5
Configuring the IP Phone to Trust the CoS Priority of Incoming Data Frames 15-5
Displaying Voice VLAN 15-6

Chapter 16 Configuring IGMP Snooping and MVR 16-1

Understanding IGMP Snooping 16-1
Joining a Multicast Group 16-2
Leaving a Multicast Group 16-4
Immediate-Leave Processing 16-4
Configuring IGMP Snooping 16-5
Default IGMP Snooping Configuration 16-5
Enabling or Disabling IGMP Snooping 16-5
Setting the Snooping Method 16-6
Configuring a Multicast Router Port 16-7
Configuring a Host Statically to Join a Group 16-8
Enabling IGMP Immediate-Leave Processing 16-9
Displaying IGMP Snooping Information 16-10
Understanding Multicast VLAN Registration...

Chapter 21 Configuring System Message Logging 21-1

Understanding System Message Logging 21-1
Configuring System Message Logging 21-2
System Log Message Format 21-2
Default System Message Logging Configuration 21-3
Disabling and Enabling Message Logging 21-4
Setting the Message Display Destination Device 21-4
Synchronizing Log Messages 21-6
Enabling and Disabling Timestamps on Log Messages 21-7
Enabling and Disabling Sequence Numbers in Log Messages 21-8
Defining the Message Severity Level 21-8
Limiting Syslog Messages Sent to the History Table...

Chapter 22 Configuring SNMP 22-1

Understanding SNMP 22-1
SNMP Versions 22-2
SNMP Manager Functions 22-2
SNMP Agent Functions 22-3
SNMP Community Strings 22-3
Using SNMP to Access MIB Variables 22-3
Default SNMP Configuration 22-4
Disabling the SNMP Agent 22-5
Configuring Community Strings 22-5
Configuring Trap Managers and Enabling Traps 22-7
Setting the Agent Contact and Location Information 22-9
Limiting TFTP Servers Used Through SNMP 22-9
SNMP Examples 22-10
Displaying SNMP Status 22-10

Chapter 23 Configuring Network Security with ACLs 23-1

Handling Fragmented and Unfragmented Traffic 23-3
Understanding Access Control Parameters 23-4
Guidelines for Configuring ACLs on the Catalyst 2950 Switches 23-5
Configuring ACLs 23-6
Unsupported Features 23-6
Creating Standard and Extended IP ACLs 23-7
ACL Numbers 23-7
Creating a Numbered Standard ACL 23-8
Creating a Numbered Extended ACL 23-9
Creating Named Standard and Extended ACLs 23-12
Including Comments About Entries in ACLs 23-14
Applying the ACL to an Interface or Terminal Line 23-15...

Chapter 24 Configuring QoS 24-1

Understanding QoS 24-2
Basic QoS Model 24-3
Classification 24-4
Classification Based on QoS ACLs 24-5
Classification Based on Class Maps and Policy Maps 24-5
Policing and Marking 24-6
Mapping Tables 24-7
How Class of Service Works 24-8
Port Priority 24-8
Port Scheduling 24-8
CoS and WRR 24-8
Configuring QoS 24-9
Default QoS Configuration 24-9
Configuration Guidelines 24-10
Configuring Classification Using Port Trust States 24-10
Configuring the Trust State on Ports within the QoS Domain 24-11...

Chapter 25 Configuring EtherChannels 25-1

Understanding Port-Channel Interfaces 25-2
Understanding the Port Aggregation Protocol 25-3
PAgP Modes 25-3
Physical Learners and Aggregate-Port Learners 25-4
PAgP Interaction with Other Features 25-5
Understanding Load Balancing and Forwarding Methods 25-5
Default EtherChannel Configuration 25-6
EtherChannel Configuration Guidelines 25-7
Configuring EtherChannels 25-7
Configuring EtherChannel Load Balancing 25-9
Configuring the PAgP Learn Method and Priority 25-10
Displaying EtherChannel and...

Chapter 26 Troubleshooting 26-1

Avoiding Configuration Conflicts 26-1
Avoiding Autonegotiation Mismatches 26-2
GBIC Security and Identification 26-2
Troubleshooting CMS Sessions 26-3
Copying Configuration Files to Troubleshoot Configuration Problems 26-4
Using Recovery Procedures 26-5
Recovering from Lost Member Connectivity 26-5
Recovering from a Command Switch Failure 26-6
Replacing a Failed Command Switch with a Cluster Member 26-6
Replacing a Failed Command Switch with Another Switch 26-8
Recovering from a Failed Command...

Chapter 3 Getting Started with CMS

Features 3-2
Front Panel View 3-4
Cluster Tree 3-5
Front-Panel Images 3-6
Redundant Power System LED 3-7
Port Modes and LEDs 3-8
VLAN Membership Modes 3-9
Topology View 3-9
Topology Icons 3-11
Device and Link Labels 3-12
Colors in the Topology View 3-13
Topology Display Options 3-13
Menus and Toolbar 3-14
Menu Bar 3-14
Toolbar 3-20
Front Panel View Popup Menus 3-21
Device Popup Menu 3-21
Port Popup Menu 3-21
Topology View Popup Menus 3-22
Link Popup Menu 3-22
Device Popup Menus 3-23
Interaction...

Chapter 5 Configuring IE2100 CNS Agents

Understanding IE2100 Series Configuration Registrar Software 5-1
CNS Configuration Service 5-2
CNS Event Service 5-3
NameSpace Mapper 5-3
What You Should Know About ConfigID, DeviceID, and Host Name 5-3
ConfigID 5-3
DeviceID 5-4
Host Name and DeviceID 5-4
Using Host Name, DeviceID, and ConfigID 5-4
Understanding CNS Embedded Agents 5-5
Initial Configuration 5-5
Incremental (Partial) Configuration 5-6
Synchronized Configuration 5-6
Configuring CNS Embedded Agents 5-6
Enabling Automated CNS...

Chapter 6 Clustering Switches

Understanding Switch Clusters 6-2
Command Switch Characteristics 6-3
Standby Command Switch Characteristics 6-3
Candidate Switch and Member Switch Characteristics 6-4
Planning a Switch Cluster 6-5
Automatic Discovery of Cluster Candidates and Members 6-5
Discovery through CDP Hops 6-6
Discovery through Non-CDP-Capable and Noncluster-Capable Devices 6-8
Discovery through the Same Management VLAN 6-9
Discovery through Different Management VLANs 6-10
Discovery of Newly Installed Switches 6-12
HSRP...

Chapter 7 Administering the Switch

Preventing Unauthorized Access to Your Switch 7-1
Protecting Access to Privileged EXEC Commands 7-2
Default Password and Privilege Level Configuration 7-3
Setting or Changing a Static Enable Password 7-3
Protecting Enable and Enable Secret Passwords with Encryption 7-4
Setting a Telnet Password for a Terminal Line 7-5
Configuring Username and Password Pairs 7-6
Configuring Multiple Privilege Levels 7-7
Setting the Privilege Level for a Command 7-7
Changing the Default Privilege Level for Lines...

Checking and Saving the Running Configuration

You can check the configuration settings you entered or changes you made by entering this privileged EXEC command:
service timestamps debug uptime
service timestamps log datetime
no service password-encryption
service sequence-numbers
enable secret 5 $1$ej9.$DMUvAUnZOAmvmgqBEzIxE0
ip subnet-zero
vlan 3020
cluster member 1 mac-address 0030.9439.0900
cluster member 2 mac-address 0001.425b.4d80
interface Port-channel1
 no ip address
interface FastEthernet0/1
 switchport mode access
 switchport voice...

Classification

Note: This feature is available only if your switch is running the enhanced software image. Classification is the process of distinguishing one kind of traffic from another by examining the fields in the packet. Classification occurs only on a physical interface basis. No support exists for classifying packets at the VLAN or the switched virtual interface level. You specify which fields in the frame or packet you want to use to classify incoming traffic.

Classification Based on Class Maps and Policy Maps

A class map is a mechanism that you use to isolate and name a specific traffic flow (or class) from all other traffic. The class map defines the criteria used to match against a specific traffic flow to further classify it; the criteria can include matching the access group defined by the ACL. If you have more than one type of traffic that you want to classify, you can create another class map and use a different name. After a packet is matched against the class-map criteria, you further...

Classification Based on QoS ACLs

You can use IP standard, IP extended, and Layer 2 MAC ACLs to define a group of packets with the same characteristics (class). In the QoS context, the permit and deny actions in the access control entries (ACEs) have different meanings than with security ACLs:
- If a match with a permit action is encountered (first-match principle), the specified QoS-related action is taken.
- If no match with a permit action is encountered and all the ACEs have been examined, no QoS processing occurs on the packet....

Clearing and Resetting Interfaces and Counters

Table 9-3 lists the privileged EXEC mode clear commands that you can use to clear counters and reset interfaces. Table 9-3, Clear Commands for Interfaces, includes clear line {number | console 0 | vty number}, which resets the hardware logic on an asynchronous serial line. To clear the interface counters shown by the show interfaces privileged EXEC command, use the clear counters privileged EXEC command. The clear counters command clears all current interface counters from the interface unless optional arguments are...

CLI Configuring CoS Priority Queues

Beginning in privileged EXEC mode, follow these steps to configure the CoS priority queues:
- Specify the queue ID of the CoS priority queue. (The range is 1 to 4, where 1 is the lowest CoS priority queue.)
- Specify the CoS values that are mapped to the queue ID.
- Display the mapping of the CoS priority queues.
To disable the new CoS settings and return to the default settings, use the no wrr-queue cos-map global configuration command.

Cluster Tree

The cluster tree (Figure 3-2) appears in the left frame of the Front Panel view and shows the name of the cluster and a list of its members. The sequence of the cluster-tree icons (Figure 3-4) mirrors the sequence of the front-panel images. You can change the sequence by selecting View > Arrange Front Panel. The colors of the devices in the cluster tree show the status of the devices (Table 3-1). If you want to configure switch or cluster settings on one or more switches, select the...

Clustering Switches

This chapter provides these topics to help you get started with switch clustering: Understanding Switch Clusters, page 6-2; Planning a Switch Cluster, page 6-5; Creating a Switch Cluster, page 6-21; Using the CLI to Manage Switch Clusters, page 6-28; Using SNMP to Manage Switch Clusters, page 6-29. Configuring switch clusters is more easily done from the Cluster Management Suite (CMS) web-based interface than through the command-line interface (CLI). Therefore, information in this chapter focuses on...

CMS Window Components

CMS windows consistently present configuration information. Figure 3-12 shows the components of a typical CMS window.
- OK saves your changes and closes the window.
- Modify displays a secondary window from which you can change settings.
- Click a row to select it. Press Shift, and left-click another row to select contiguous multiple rows. Press Ctrl, and left-click rows to select...

CNS Configuration Service

The CNS Configuration Service is the core component of the Configuration Registrar. It consists of a configuration server that works with CNS configuration agents located on the switch. The CNS Configuration Service delivers device and service configurations to the switch for initial configuration and mass reconfiguration by logical groups. Switches receive their initial configuration from the CNS Configuration Service when they start up on the network for the first time. The CNS Configuration...

CNS Event Service

The Configuration Registrar uses the CNS Event Service for receipt and generation of configuration events. The CNS event agent resides on the switch and facilitates the communication between the switch and the event gateway on the Configuration Registrar. The CNS Event Service is a highly scalable publish-and-subscribe communication method. The CNS Event Service uses subject-based addressing to send messages to their destinations. Subject-based addressing conventions define a simple, uniform...

Colors in the Topology View

The colors of the Topology view icons show the status of the devices and links (Table 3-7, Table 3-8, and Table 3-9). Entries from those tables that survive here include: the internal fan of the switch is not operating, or the switch is receiving power from an RPS (available only on the cluster members); one link is active, and at least one link is down or blocked. The color of a device label shows the cluster membership of the device (Table 3-10). Table 3-10, Device Label Colors: A cluster member, either...

Configuration Guidelines and Limitations

Follow these guidelines when configuring MVR:
- Receiver ports cannot be trunk ports. Receiver ports on a switch can be in different VLANs, but should not belong to the multicast VLAN.
- The maximum number of multicast entries that can be configured on a switch (that is, the maximum number of television channels that can be received) is 256. Each channel is one multicast stream destined for a unique IP multicast address. These IP addresses cannot alias between themselves or with the reserved IP...

Configure terminal

ntp peer ip-address [version number] [key keyid] [source interface] [prefer]: Configure the switch system clock to synchronize a peer or to be synchronized by a peer (peer association).
ntp server ip-address [version number] [key keyid] [source interface] [prefer]: Configure the switch system clock to be synchronized by a time server (server association).
No peer or server associations are defined by default. For ip-address in a peer association, specify either the IP address of the peer providing, or being...

Configuring 802.1X Authentication

This section describes how to configure 802.1X port-based authentication on your switch: Default 802.1X Configuration, page 8-6; 802.1X Configuration Guidelines, page 8-7; Enabling 802.1X Authentication, page 8-8 (required); Configuring the Switch-to-RADIUS-Server Communication, page 8-9 (required); Enabling Periodic Re-Authentication, page 8-10 (optional); Manually Re-Authenticating a Client Connected to a Port, page 8-11 (optional); Changing the Quiet Period, page 8-11 (optional); Changing the...

Configuring 802.1X Port-Based Authentication

This chapter describes how to configure IEEE 802.1X port-based authentication to prevent unauthorized devices (clients) from gaining access to the network. As LANs extend to hotels, airports, and corporate lobbies, insecure environments could be created. Note: For complete syntax and usage information for the commands used in this chapter, refer to the Catalyst 2950 Desktop Switch Command Reference for this release. This chapter consists of these sections: Understanding 802.1X Port-Based...

Configuring a Login Banner

You can configure a login banner to be displayed on all connected terminals. This banner is displayed after the MOTD banner and before the login prompt. Beginning in privileged EXEC mode, follow these steps to configure a login banner. For c, enter the delimiting character of your choice, for example, a pound sign (#), and press the Return key. The delimiting character signifies the beginning and end of the banner text. Characters after the ending delimiter are discarded. For message, enter a...

Configuring a Message-of-the-Day Login Banner

You can create a single-line or multiline message banner that appears on the screen when someone logs in to the switch. Beginning in privileged EXEC mode, follow these steps to configure a MOTD login banner. For c, enter the delimiting character of your choice, for example, a pound sign (#), and press the Return key. The delimiting character signifies the beginning and end of the banner text. Characters after the ending delimiter are discarded. For message, enter a banner message up to 255...

Configuring a Secondary Root Switch

When you configure a Catalyst 2950 switch that supports the extended system ID as the secondary root, the spanning-tree switch priority is modified from the default value (32768) to 28672. The switch is then likely to become the root switch for the specified instance if the primary root switch fails. This is assuming that the other network switches use the default switch priority of 32768 and therefore are unlikely to become the root switch. For Catalyst 2950 switches without the extended...

Configuring a System Name

Beginning in privileged EXEC mode, follow these steps to manually configure a system name:
- hostname name: Manually configure a system name. The default setting is switch. The name must follow the rules for ARPANET host names. They must start with a letter, end with a letter or digit, and have as interior characters only letters, digits, and hyphens. Names can be up to 63 characters.
- (Optional) Save your entries in the configuration file.

When you set the system name, it is also used as the system prompt. You...

Configuring a System Name and Prompt

You configure the system name on the switch to identify it. By default, the system name and prompt are Switch. If you have not configured a system prompt, the first 20 characters of the system name are used as the system prompt. A greater-than symbol > is appended. The prompt is updated whenever the system name changes, unless you manually configure the prompt by using the prompt global configuration command. For complete syntax and usage information for the commands used in this section,...

Configuring a System Prompt

Beginning in privileged EXEC mode, follow these steps to manually configure a system prompt:
- Configure the command-line prompt to override the setting from the hostname command. The default prompt is either switch or the name defined with the hostname global configuration command, followed by an angle bracket (>) for user EXEC mode or a pound sign (#) for privileged EXEC mode. The prompt can consist of all printing characters and escape sequences.
- (Optional) Save your entries in the...

Configuring and Enabling Port Security Aging

You can use port security aging to set the aging time for all secure addresses on a port. Two types of aging are supported per port:
- Absolute: The secure addresses on that port are deleted after the specified aging time.
- Inactivity: The secure addresses on this port are deleted only if the secure addresses are inactive for the specified aging time.

Use this feature to remove and add PCs on a secure port without manually deleting the existing secure MAC addresses while still limiting the number of...

Configuring and Using Interface Range Macros

You can create an interface range macro to automatically select a range of interfaces for configuration. Before you can use the macro keyword in the interface range macro global configuration command string, you must use the define interface-range global configuration command to define the macro. Beginning in privileged EXEC mode, follow these steps to define an interface range macro:
- define interface-range macro_name interface-range: Define the interface-range macro, and save it in NVRAM. The...

Configuring CDP

This chapter describes how to configure Cisco Discovery Protocol (CDP) on your switch. Note: For complete syntax and usage information for the commands used in this chapter, refer to the Catalyst 2950 Desktop Switch Command Reference for this release and the Cisco IOS Configuration Fundamentals Command Reference for Release 12.1. This chapter consists of these sections:
- Understanding CDP, page 19-1
- Monitoring and Maintaining CDP, page 19-5

Configuring Community Strings

You use the SNMP community string to define the relationship between the SNMP manager and the agent. The community string acts like a password to permit access to the agent on the switch. Optionally, you can specify one or more of these characteristics associated with the string:
- An access list of IP addresses of the SNMP managers that are permitted to use the community string to gain access to the agent
- A MIB view, which defines the subset of all MIB objects accessible to the given community...

Configuring EtherChannel Load Balancing

This section describes how to configure EtherChannel load balancing by using source-based or destination-based forwarding methods. For more information, see the Understanding Load Balancing and Forwarding Methods section on page 25-5. Beginning in privileged EXEC mode, follow these steps to configure EtherChannel load balancing:
- Step 2: port-channel load-balance {dst-mac | src-mac}: Configure an EtherChannel load-balancing method. The default is src-mac. Select one of these keywords to determine the...

Configuring EtherChannels

You configure Layer 2 EtherChannels by configuring the Ethernet interfaces with the channel-group interface configuration command, which creates the port-channel logical interface. Note: Layer 2 interfaces must be connected and functioning for IOS to create port-channel interfaces. Beginning in privileged EXEC mode, follow these steps to assign a Layer 2 Ethernet interface to a Layer 2 EtherChannel:
- Enter interface configuration mode, and specify a physical interface to configure. Valid...

Configuring Extended Range VLANs

When the switch is in VTP transparent mode (VTP disabled) and the enhanced software image is installed, you can create extended-range VLANs (in the range 1006 to 4094). Extended-range VLANs enable service providers to extend their infrastructure to a greater number of customers. The extended-range VLAN IDs are allowed for any switchport commands that allow VLAN IDs. You always use config-vlan mode (accessed by entering the vlan vlan-id global configuration command) to configure extended-range...

Configuring IE2100 CNS Agents

This chapter describes how to configure the Intelligence Engine 2100 (IE2100) Series Cisco Networking Services (CNS) embedded agents on your switch. To use the feature described in this chapter, you must have the enhanced software image installed on your switch. Note For complete syntax and usage information for the commands used in this section, refer to the Cisco Intelligence Engine 2100 Series Configuration Registrar Manual, and select Cisco IOS Software Release 12.2 > New Feature...

Configuring IGMP Filtering

In some environments, for example metropolitan or multiple-dwelling unit (MDU) installations, an administrator might want to control the set of multicast groups to which a user on a switch port can belong. This allows the administrator to control the distribution of multicast services, such as IP TV, based on some type of subscription or service plan. With the IGMP filtering feature, you can filter multicast joins on a per-port basis by configuring IP multicast profiles and associating them...

Configuring IGMP Profiles

To configure an IGMP profile, use the ip igmp profile global configuration command with a profile number to create an IGMP profile and to enter IGMP profile configuration mode. From this mode, you can specify the parameters of the IGMP profile to be used for filtering IGMP join requests from a port. When you are in IGMP profile configuration mode, you can create the profile by using these commands:
- deny: Specifies that matching addresses are denied; this is the default condition.
- exit: Exits from...

Configuring Interface Characteristics

This chapter defines the types of interfaces on the switch and describes how to configure them. The chapter has these sections:
- Understanding Interface Types, page 9-1
- Using the Interface Command, page 9-4
- Configuring Layer 2 Interfaces, page 9-10
- Monitoring and Maintaining the Interface, page 9-16

Note: For complete syntax and usage information for the commands used in this chapter, refer to the Catalyst 2950 Desktop Switch Command Reference for this release and the online Cisco IOS Interface...

Configuring Layer 2 Interfaces

These sections describe the default interface configuration and the optional features that you can configure on most physical interfaces:
- Default Layer 2 Ethernet Interface Configuration, page 9-11
- Configuring the Port Speed and Duplex Mode, page 9-11
- Adding a Description for an Interface, page 9-15
- Configuring IEEE 802.3X Flow Control on Gigabit Ethernet Ports, page 9-14

Default Layer 2 Ethernet Interface Configuration

Table 9-1 shows the Layer 2 Ethernet interface default configuration. For...

Configuring Multiple Privilege Levels

By default, the IOS software has two modes of password security user EXEC and privileged EXEC. You can configure up to 16 hierarchical levels of commands for each mode. By configuring multiple passwords, you can allow different sets of users to have access to specified commands. For example, if you want many users to have access to the clear line command, you can assign it level 2 security and distribute the level 2 password fairly widely. But if you want more restricted access to the configure...

Configuring MVR Global Parameters

You do not need to set the optional MVR parameters if you choose to use the default settings. If you do want to change the default parameters (except for the MVR VLAN), you must first enable MVR. Beginning in privileged EXEC mode, follow these steps to configure MVR parameters Configure an IP multicast address on the switch or use the count parameter to configure a contiguous series of IP addresses. Any multicast data sent to this address is sent to all source ports on the switch and all...

Configuring MVR Interfaces

Beginning in privileged EXEC mode, follow these steps to configure MVR interfaces:
- Enter interface configuration mode, and enter the type and number of the port to configure, for example, gi0/1 or gigabitethernet0/1 for Gigabit Ethernet port 1.
- Configure an MVR port as one of these:
  - source: Configure uplink ports that receive and send multicast data as source ports. Subscribers cannot be directly connected to source ports. All source ports on a switch belong to the single multicast VLAN....

Configuring NTP

The Catalyst 2950 switches do not have a hardware-supported clock, and they cannot function as an NTP master clock to which peers synchronize themselves when an external NTP source is not available. These switches also have no hardware support for a calendar. As a result, the ntp update-calendar and the ntp master global configuration commands are not available. This section contains this configuration information:
- Default NTP Configuration, page 7-36
- Configuring NTP Authentication, page 7-36...

Configuring NTP Authentication

This procedure must be coordinated with the administrator of the NTP server: the information you configure in this procedure must be matched by the servers used by the switch to synchronize its time to the NTP server. Beginning in privileged EXEC mode, follow these steps to authenticate the associations (communications between devices running NTP that provide for accurate timekeeping) with other devices for security purposes:
- Enable the NTP authentication feature, which is disabled by default....

Configuring NTP Broadcast Service

The communications between devices running NTP (known as associations) are usually statically configured: each device is given the IP addresses of all devices with which it should form associations. Accurate timekeeping is possible by exchanging NTP messages between each pair of devices with an association. However, in a LAN environment, NTP can be configured to use IP broadcast messages instead. This alternative reduces configuration complexity because each device can simply be configured to...

Configuring Optional Spanning Tree Features

These sections include optional spanning-tree configuration information:
- Default Optional Spanning-Tree Configuration, page 12-14
- Enabling Port Fast, page 12-14
- Enabling BPDU Guard, page 12-15
- Enabling BPDU Filtering, page 12-16
- Enabling UplinkFast for Use with Redundant Links, page 12-17
- Enabling Cross-Stack UplinkFast, page 12-18
- Enabling BackboneFast, page 12-19
- Enabling Root Guard, page 12-19
- Enabling Loop Guard, page 12-20

Configuring Port Security

Secured ports restrict a port to a user-defined group of stations. When you assign secure addresses to a secure port, the switch does not forward any packets with source addresses outside the defined group of addresses. If you define the address table of a secure port to contain only one address, the workstation or server attached to that port is guaranteed the full bandwidth of the port. As part of securing the port, you can also define the size of the address table for the port. Port security...

Configuring Port-Based Traffic Control

This chapter describes how to configure the port-based traffic control features on your switch. Note: For complete syntax and usage information for the commands used in this chapter, refer to the Catalyst 2950 Desktop Switch Command Reference for this release. This chapter consists of these sections:
- Configuring Storm Control, page 17-1
- Configuring Protected Ports, page 17-3
- Configuring Port Security, page 17-3
- Configuring and Enabling Port Security Aging, page 17-6
- Displaying Port-Based Traffic...

Configuring Protected Ports

Some applications require that no traffic be forwarded by the Layer 2 protocol between ports on the same switch. In such an environment, there is no exchange of unicast, broadcast, or multicast traffic between ports on the switch, and traffic between ports on the same switch is forwarded through a Layer 3 device such as a router. To meet this requirement, you can configure Catalyst 2950 ports as protected ports (also referred to as private VLAN edge ports). Protected ports do not forward any...

Configuring QoS

This chapter describes how to configure quality of service (QoS) on your switch. With this feature, you can provide preferential treatment to certain types of traffic. Without QoS, the switch offers best-effort service to each packet, regardless of the packet contents or size. It transmits the packets without any assurance of reliability, delay bounds, or throughput. To use the features described in this chapter, you must have the enhanced software image installed on your switch. If you have...

Configuring RADIUS

This section describes how to configure your switch to support RADIUS. At a minimum, you must identify the host or hosts that run the RADIUS server software and define the method lists for RADIUS authentication. You can optionally define method lists for RADIUS authorization and accounting. A method list defines the sequence and methods to be used to authenticate, to authorize, or to keep accounts on a user. You can use method lists to designate one or more security protocols to be used (such...

Configuring RADIUS Authorization for Privileged EXEC Access and Network Services

AAA authorization limits the services available to a user. When AAA authorization is enabled, the switch uses information retrieved from the user's profile, which is in either the local user database or on the security server, to configure the user's session. The user is granted access to a requested service only if the information in the user profile allows it. You can use the aaa authorization global configuration command with the radius keyword to set parameters that restrict a user's...

Configuring RADIUS Login Authentication

To configure AAA authentication, you define a named list of authentication methods and then apply that list to various interfaces. The method list defines the types of authentication to be performed and the sequence in which they are performed; it must be applied to a specific interface before any of the defined authentication methods are performed. The only exception is the default method list (which, by coincidence, is named default). The default method list is automatically applied to all...

Configuring RSTP and MSTP

This chapter describes how to configure the Cisco implementation of the IEEE 802.1W Rapid Spanning Tree Protocol (RSTP) and the IEEE 802.1S Multiple STP (MSTP) on your switch. To use the features described in this chapter, you must have the enhanced software image installed on your switch. RSTP provides rapid convergence of the spanning tree. MSTP, which uses RSTP to provide rapid convergence, enables VLANs to be grouped into a spanning-tree instance, provides for multiple forwarding paths for...

Configuring RSTP and MSTP 111

Catalyst 2950 Desktop Switch Software Configuration Guide
- Hop Count, 11-10
- Boundary Ports, 11-10
- Interoperability with 802.1D STP, 11-10
- Configuring RSTP and MSTP Features, 11-11
- Default RSTP and MSTP Configuration, 11-12
- RSTP and MSTP Configuration Guidelines, 11-12
- Specifying the MST Region Configuration and Enabling MSTP, 11-13
- Configuring the Root Switch, 11-14
- Configuring a Secondary Root Switch, 11-16
- Configuring the Port Priority, 11-17...

Configuring RSTP and MSTP Features

These sections include basic RSTP and MSTP configuration information:
- Default RSTP and MSTP Configuration, page 11-12
- RSTP and MSTP Configuration Guidelines, page 11-12
- Specifying the MST Region Configuration and Enabling MSTP, page 11-13 (required)
- Configuring the Root Switch, page 11-14 (optional)
- Configuring a Secondary Root Switch, page 11-16 (optional)
- Configuring the Port Priority, page 11-17 (optional)
- Configuring the Path Cost, page 11-18 (optional)
- Configuring the Switch Priority, page...

Configuring Settings for All RADIUS Servers

Beginning in privileged EXEC mode, follow these steps to configure global communication settings between the switch and all RADIUS servers:
- Specify the shared secret text string used between the switch and all RADIUS servers. Note: The key is a text string that must match the encryption key used on the RADIUS server. Leading spaces are ignored, but spaces within and at the end of the key are used. If you use spaces in your key, do not enclose the key in quotation marks unless the quotation marks...

Configuring Spanning Tree Features

These sections include spanning-tree configuration information:
- Default STP Configuration, page 10-10
- STP Configuration Guidelines, page 10-10
- Configuring the Root Switch, page 10-12
- Configuring a Secondary Root Switch, page 10-13
- Configuring the Port Priority, page 10-14
- Configuring the Path Cost, page 10-15
- Configuring the Switch Priority of a VLAN, page 10-17
- Configuring the Hello Time, page 10-18
- Configuring the Forwarding-Delay Time for a VLAN, page...

Configuring STP

This chapter describes how to configure the Spanning Tree Protocol (STP) on your switch. For information about the Rapid Spanning Tree Protocol (RSTP) and the Multiple Spanning Tree Protocol (MSTP), see Chapter 11, Configuring RSTP and MSTP. For information about optional spanning-tree features, see Chapter 12, Configuring Optional Spanning-Tree Features. Note: For complete syntax and usage information for the commands used in this chapter, refer to the Catalyst 2950 Desktop Switch Command...