Adding a Description for an Interface

You can add a description to an interface to help you remember its function. The description appears in the output of these commands: show configuration, show running-config, and show interfaces. Beginning in privileged EXEC mode, follow these steps to add a description for an interface: enter interface configuration mode, and enter the interface for which you are adding a description. Add a description (up to 240 characters) for the interface. show interfaces interface-id description...

Adding and Removing Secure Addresses

A secure address is a manually entered unicast address or a dynamically learned address that is forwarded to only one port per VLAN. If you enter a static address that is already assigned to another port, the request is rejected. Secure addresses can be learned dynamically as long as the configured secure addresses have not reached the maximum limit of the port. Beginning in privileged EXEC mode, follow these steps to add a secure address: identify a specific interface for configuration, and enter...

Adding and Removing Static Address Entries

A static address has these characteristics: it is manually entered in the address table and must be manually removed; it can be a unicast or multicast address; it does not age and is retained when the switch restarts. You can add and remove static addresses and define the forwarding behavior for them. The forwarding behavior determines how a port that receives a packet forwards it to another port for transmission. Because all ports are associated with at least one VLAN, the switch acquires the...

Adding Member Switches

As explained in the Automatic Discovery of Cluster Candidates and Members section on page 6-5, the command switch automatically discovers candidate switches. When you add new cluster-capable switches to the network, the command switch discovers them and adds them to a list of candidate switches. To display an updated cluster candidates list from the Add to Cluster window (Figure 6-11), either relaunch CMS and redisplay this window, or follow these steps: 1. Close the Add to Cluster window.

Applying the ACL to an Interface or Terminal Line

After you create an ACL, you can apply it to one or more interfaces or terminal lines. On interfaces, ACLs are applied only in the inbound direction. This section describes how to accomplish this task for both terminal lines and network interfaces. Note these guidelines: when controlling access to a line, you must use a number; numbered ACLs and MAC extended ACLs can be applied to lines. When controlling access to an interface, you can use a name or a number. Set identical restrictions on all the virtual terminal...
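The procedure above, carried through end to end as an added example (this is not configuration from the guide): a numbered standard ACL on every vty line with access-class, and a named extended ACL applied inbound on a user port with ip access-group. The management subnet 192.0.2.0/24, the switch management address 192.0.2.31, the interface numbers and the ACL names are assumptions. IP ACLs on the Catalyst 2950 require the enhanced software image.

```cisco
Switch# configure terminal
! Lines accept numbered ACLs only: only the management subnet may open a CLI session.
Switch(config)# access-list 5 remark Management stations allowed to reach the CLI
Switch(config)# access-list 5 permit 192.0.2.0 0.0.0.255
Switch(config)# access-list 5 deny any
! Interfaces accept a name or a number: block Telnet from this user port to the
! switch management address and let everything else through.
Switch(config)# ip access-list extended USER-PORT-IN
Switch(config-ext-nacl)# deny tcp any host 192.0.2.31 eq telnet
Switch(config-ext-nacl)# permit ip any any
Switch(config-ext-nacl)# exit
! Apply the SAME restriction to every vty: a user may land on any of them.
Switch(config)# line vty 0 15
Switch(config-line)# access-class 5 in
Switch(config-line)# exit
! Interface ACLs on this platform are inbound only.
Switch(config)# interface fastethernet0/8
Switch(config-if)# ip access-group USER-PORT-IN in
Switch(config-if)# end
! Verify the entries and the hit counters.
Switch# show access-lists
Switch# show ip access-lists USER-PORT-IN
```

The explicit deny any in access-list 5 is redundant with the implicit deny but makes the intent visible in show access-lists; remove an ACL from a line or interface with the no form of access-class or ip access-group before deleting the ACL itself.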

Authentication Initiation and Message Exchange

The switch or the client can initiate authentication. If you enable authentication on a port by using the dot1x port-control auto interface configuration command, the switch must initiate authentication when it determines that the port link state transitions from down to up. It then sends an EAP-request identity frame to the client to request its identity (typically, the switch sends an initial identity request frame followed by one or more requests for authentication information). Upon receipt...

Avoiding Autonegotiation Mismatches

The IEEE 802.3u autonegotiation protocol manages the switch settings for speed (10, 100, or 1000 Mbps) and duplex (half or full). Sometimes this protocol can incorrectly align these settings, reducing performance. A mismatch occurs under these circumstances: a manually set speed or duplex parameter is different from the manually set speed or duplex parameter on the connected port; or a port is set to autonegotiate, and the connected port is set to full duplex with no autonegotiation. To maximize...

Basic QoS Model

Figure 24-2 shows the basic QoS model. Actions at the ingress interface include classifying traffic, policing, and marking. Note: If you have the standard software image installed on your switch, only the queueing and scheduling features are available. Classifying distinguishes one kind of traffic from another. For more information, see the Classification section on page 24-4. Policing determines whether a packet is in or out of profile according to the configured policer, and the policer limits...

Bridge ID, Switch Priority, and Extended System ID

The IEEE 802.1D standard requires that each switch has a unique bridge identifier (bridge ID), which determines the selection of the root switch. Because each VLAN is considered a different logical bridge with PVST+, the same switch must have as many different bridge IDs as VLANs configured on it. Each VLAN on the switch has a unique 8-byte bridge ID: the two most-significant bytes are used for the switch priority, and the remaining six bytes are derived from the switch MAC address. In...

Candidate Switch and Member Switch Characteristics

Candidate switches are cluster-capable switches that have not yet been added to a cluster. Member switches are switches that have actually been added to a switch cluster. Although not required, a candidate or member switch can have its own IP address and password (for related considerations, see the IP Addresses section on page 6-17 and the Passwords section on page 6-18). To join a cluster, a candidate switch must meet these requirements: it is running cluster-capable software; it has CDP version 2...

Changing the Address Aging Time

Dynamic addresses are source MAC addresses that the switch learns and then ages when they are not in use. You can change the aging time setting for all VLANs or for a specified VLAN. Setting too short an aging time can cause addresses to be prematurely removed from the table. Then when the switch receives a packet for an unknown destination, it floods the packet to all ports in the same VLAN as the receiving port. This unnecessary flooding can impact performance. Setting too long an aging time...
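An added example for the Adding and Removing Static Address Entries and Changing the Address Aging Time sections (not configuration from the guide): a static unicast entry that pins a server's MAC address to one port, and a longer aging time on the VLAN that holds it. The MAC address, VLAN and interface numbers are assumptions.

```cisco
Switch# configure terminal
! Static entry: frames for this MAC in VLAN 10 are always sent out Fa0/5 only.
! It never ages and survives a reload; remove it with the "no" form.
Switch(config)# mac-address-table static 0000.1111.2222 vlan 10 interface fastethernet0/5
! Raise the aging time for VLAN 10 from the default 300 s to 600 s so that quiet
! hosts are not flushed and re-flooded. The range is 10 to 1000000 seconds.
Switch(config)# mac-address-table aging-time 600 vlan 10
! Aging time 0 disables aging for the VLAN: entries then persist until they are
! cleared by hand or the switch reloads, so use it only where the hosts never move.
Switch(config)# end
Switch# show mac-address-table static
Switch# show mac-address-table aging-time vlan 10
```

Check the trade-off before shortening the timer: a too-short aging time turns every idle host into unknown-unicast flooding, which also exposes its traffic to every other port in the VLAN.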

Changing the Command History Buffer Size

By default, the switch records ten command lines in its history buffer. Beginning in user EXEC mode, enter this command to change the number of command lines that the switch records during the current terminal session: Switch> terminal history size number-of-lines. Beginning in line configuration mode, enter this command to configure the number of command lines the switch records for all sessions on a particular line: Switch(config-line)# history size number-of-lines

Changing the Default Privilege Level for Lines

Beginning in privileged EXEC mode, follow these steps to change the default privilege level for a line: select the virtual terminal line on which to restrict access, and change the default privilege level for the line. For level, the range is from 0 to 15. Level 1 is for normal user EXEC mode privileges. Level 15 is the level of access permitted by the enable password. The first command displays the password and access level configuration. The second command displays the privilege level...

Changing the Quiet Period

When the switch cannot authenticate the client, the switch remains idle for a set period of time, and then tries again. The idle time is determined by the quiet-period value. A failed authentication of the client might occur because the client provided an invalid password. You can provide a faster response time to the user by entering a smaller number than the default. Beginning in privileged EXEC mode, follow these steps to change the quiet period: set the number of seconds that the switch...

Changing the Switch-to-Client Retransmission Time

The client responds to the EAP-request/identity frame from the switch with an EAP-response/identity frame. If the switch does not receive this response, it waits a set period of time (known as the retransmission time), and then retransmits the frame. Note: You should change the default value of this command only to adjust for unusual circumstances such as unreliable links or specific behavioral problems with certain clients and authentication servers. Beginning in privileged EXEC mode, follow...
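One 802.1X port configuration that covers the Authentication Initiation and Message Exchange, Changing the Quiet Period, and Changing the Switch-to-Client Retransmission Time sections, as an added example (not the guide's own configuration). The RADIUS server address and key, the interface number and the timer values are assumptions; the placement of the dot1x timeout commands (interface level, with a global dot1x system-auth-control) varies between software releases and is assumed here.

```cisco
Switch# configure terminal
Switch(config)# aaa new-model
! 802.1X authentication requests are relayed to the RADIUS server list.
Switch(config)# aaa authentication dot1x default group radius
Switch(config)# radius-server host 192.0.2.5 auth-port 1812 acct-port 1813 key S3cret-Radius-Key
! Global 802.1X enable (release-dependent; see lead-in).
Switch(config)# dot1x system-auth-control
Switch(config)# interface fastethernet0/3
Switch(config-if)# switchport mode access
! auto: the port starts unauthorized; when the link comes up the switch sends an
! EAP-Request/Identity and passes only EAPOL until the server accepts the client.
! force-authorized would skip authentication, force-unauthorized would never allow it.
Switch(config-if)# dot1x port-control auto
! Quiet period after a failed attempt (default 60 s). Shorter means a faster
! retry for a user who mistyped a password, but also faster retries for a hostile
! client guessing credentials; do not go much below the default on exposed ports.
Switch(config-if)# dot1x timeout quiet-period 30
! Retransmission of EAP-Request/Identity while the client stays silent (default 30 s).
! Change only for unreliable links or misbehaving supplicants, as the guide notes.
Switch(config-if)# dot1x timeout tx-period 30
Switch(config-if)# end
! Port state (authorized/unauthorized) and the effective timers.
Switch# show dot1x interface fastethernet0/3
```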

Chapter 12 Configuring Optional Spanning-Tree Features 12-1

Understanding Optional Spanning-Tree Features 12-1
Understanding Port Fast 12-2
Understanding BPDU Guard 12-3
Understanding BPDU Filtering 12-3
Understanding UplinkFast 12-4
Understanding Cross-Stack UplinkFast 12-5
How CSUF Works 12-6
Events that Cause Fast Convergence 12-7
Limitations 12-8
Connecting the Stack Ports 12-8
Understanding BackboneFast 12-10
Understanding Root Guard 12-12
Understanding Loop Guard 12-13
Configuring Optional Spanning-Tree Features 12-13
Default Optional...

Chapter 16 Configuring IGMP Snooping and MVR 16-1

Understanding IGMP Snooping 16-1
Joining a Multicast Group 16-2
Leaving a Multicast Group 16-4
Immediate-Leave Processing 16-4
Configuring IGMP Snooping 16-5
Default IGMP Snooping Configuration 16-5
Enabling or Disabling IGMP Snooping 16-5
Setting the Snooping Method 16-6
Configuring a Multicast Router Port 16-7
Configuring a Host Statically to Join a Group 16-8
Enabling IGMP Immediate-Leave Processing 16-9
Displaying IGMP Snooping Information 16-10
Understanding Multicast VLAN Registration...

Chapter 7 Administering the Switch

Preventing Unauthorized Access to Your Switch 7-1
Protecting Access to Privileged EXEC Commands 7-2
Default Password and Privilege Level Configuration 7-3
Setting or Changing a Static Enable Password 7-3
Protecting Enable and Enable Secret Passwords with Encryption 7-4
Setting a Telnet Password for a Terminal Line 7-5
Configuring Username and Password Pairs 7-6
Configuring Multiple Privilege Levels 7-7
Setting the Privilege Level for a Command 7-7
Changing the Default Privilege Level for Lines...

Classification

Note: This feature is available only if your switch is running the enhanced software image. Classification is the process of distinguishing one kind of traffic from another by examining the fields in the packet. Classification occurs only on a physical-interface basis. No support exists for classifying packets at the VLAN or the switched virtual interface level. You specify which fields in the frame or packet you want to use to classify incoming traffic.

CLI Configuring CoS Priority Queues

Beginning in privileged EXEC mode, follow these steps to configure the CoS priority queues: specify the queue ID of the CoS priority queue (the range is 1 to 4, where 1 is the lowest CoS priority queue); specify the CoS values that are mapped to the queue ID; display the mapping of the CoS priority queues. To disable the new CoS settings and return to the default settings, use the no wrr-queue cos-map global configuration command.

CMS Window Components

CMS windows consistently present configuration information. Figure 3-12 shows the components of a typical CMS window. - OK saves your changes and closes the window. - Modify displays a secondary window from which you can change settings. - Click a row to select it. Press Shift, and left-click another row to select contiguous multiple rows. Press Ctrl, and left-click rows to select...

CNS Configuration Service

The CNS Configuration Service is the core component of the Configuration Registrar. It consists of a configuration server that works with CNS configuration agents located on the switch. The CNS Configuration Service delivers device and service configurations to the switch for initial configuration and mass reconfiguration by logical groups. Switches receive their initial configuration from the CNS Configuration Service when they start up on the network for the first time. The CNS Configuration...

Colors in the Topology View

The colors of the Topology view icons show the status of the devices and links (Table 3-7, Table 3-8, and Table 3-9). The internal fan of the switch is not operating, or the switch is receiving power from an RPS. 1. Available only on the cluster members. One link is active, and at least one link is down or blocked. The color of a device label shows the cluster membership of the device (Table 3-10). Table 3-10 Device Label Colors A cluster member, either...

configure terminal

ntp peer ip-address [version number] [key keyid] [source interface] [prefer]
ntp server ip-address [version number] [key keyid] [source interface] [prefer]
Configure the switch system clock to synchronize a peer or to be synchronized by a peer (peer association). Configure the switch system clock to be synchronized by a time server (server association). No peer or server associations are defined by default. For ip-address in a peer association, specify either the IP address of the peer providing, or being...

Configuring a Message-of-the-Day Login Banner

You can create a single-line or multiline message banner that appears on the screen when someone logs in to the switch. Beginning in privileged EXEC mode, follow these steps to configure a MOTD login banner. For c, enter the delimiting character of your choice, for example, a pound sign (#), and press the Return key. The delimiting character signifies the beginning and end of the banner text. Characters after the ending delimiter are discarded. For message, enter a banner message up to 255...

Configuring a Secondary Root Switch

When you configure a Catalyst 2950 switch that supports the extended system ID as the secondary root, the spanning-tree switch priority is modified from the default value (32768) to 28672. The switch is then likely to become the root switch for the specified instance if the primary root switch fails. This is assuming that the other network switches use the default switch priority of 32768 and therefore are unlikely to become the root switch. For Catalyst 2950 switches without the extended...

Configuring a System Prompt

Beginning in privileged EXEC mode, follow these steps to manually configure a system prompt: configure the command-line prompt to override the setting from the hostname command. The default prompt is either Switch or the name defined with the hostname global configuration command, followed by an angle bracket (>) for user EXEC mode or a pound sign (#) for privileged EXEC mode. The prompt can consist of all printing characters and escape sequences. (Optional) Save your entries in the...

Configuring and Enabling Port Security Aging

You can use port security aging to set the aging time for all secure addresses on a port. Two types of aging are supported per port. Absolute: the secure addresses on that port are deleted after the specified aging time. Inactivity: the secure addresses on this port are deleted only if the secure addresses are inactive for the specified aging time. Use this feature to remove and add PCs on a secure port without manually deleting the existing secure MAC addresses while still limiting the number of...
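A complete port-security configuration for the Adding and Removing Secure Addresses and Configuring and Enabling Port Security Aging sections, added here as an example (not configuration from the guide). The interface number, the MAC address, the maximum of two addresses and the 5-minute inactivity timer are assumptions.

```cisco
Switch# configure terminal
Switch(config)# interface fastethernet0/7
! Port security is only accepted on a static access port.
Switch(config-if)# switchport mode access
Switch(config-if)# switchport port-security
! At most two secure addresses: one entered here, one learned dynamically.
! A third source MAC on the port is a violation.
Switch(config-if)# switchport port-security maximum 2
! Static secure address; rejected if it is already secured on another port in the VLAN.
Switch(config-if)# switchport port-security mac-address 0000.1111.2222
! shutdown: port goes err-disabled and logs (visible, recommended).
! restrict: port stays up, offending frames dropped and counted.
! protect: offending frames dropped silently; nothing tells you an intruder tried.
Switch(config-if)# switchport port-security violation shutdown
! Inactivity aging: a dynamically learned secure MAC is released after 5 minutes
! of silence, so a replaced PC does not need a manual "no ... mac-address".
! Absolute aging would release it 5 minutes after it was learned, busy or not.
Switch(config-if)# switchport port-security aging time 5
Switch(config-if)# switchport port-security aging type inactivity
Switch(config-if)# end
Switch# show port-security interface fastethernet0/7
Switch# show port-security address
! After a violation with "shutdown", recover with shutdown / no shutdown on the
! interface, or configure: errdisable recovery cause psecure-violation
```

Keep the maximum as low as the attached equipment allows; aging only helps hosts that are moved deliberately, it does not stop a second device from being plugged in behind a hub.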

Configuring and Using Interface Range Macros

You can create an interface range macro to automatically select a range of interfaces for configuration. Before you can use the macro keyword in the interface range macro global configuration command string, you must use the define interface-range global configuration command to define the macro. Beginning in privileged EXEC mode, follow these steps to define an interface range macro define interface-range macro_name interface-range Define the interface-range macro, and save it in NVRAM. The...
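An added example (not the guide's own text) that ties together the Adding a Description for an Interface, Avoiding Autonegotiation Mismatches, and Configuring and Using Interface Range Macros sections: a macro for the user-facing ports, one description applied to all of them through the macro, and a fixed speed/duplex on an uplink whose far end is also fixed. Macro name, interface numbers and descriptions are assumptions.

```cisco
Switch# configure terminal
! Define the macro once; it is kept in NVRAM after the configuration is saved.
Switch(config)# define interface-range ACCESS-PORTS fastethernet0/1 - 20
! Configure every interface in the macro at once.
Switch(config)# interface range macro ACCESS-PORTS
Switch(config-if-range)# description User access port, building A floor 2
! User ports: autonegotiate both parameters (the default); the attached PCs do too.
Switch(config-if-range)# speed auto
Switch(config-if-range)# duplex auto
Switch(config-if-range)# exit
! Uplink to a router port that is hard-set to 100/full. Both ends must then be set
! manually: leaving this end on auto against a non-negotiating far end would fall
! back to half duplex, which is exactly the mismatch the guide warns about.
Switch(config)# interface fastethernet0/24
Switch(config-if)# description Uplink to rtr-a Fa0/0 (fixed 100/full, matches far end)
Switch(config-if)# speed 100
Switch(config-if)# duplex full
Switch(config-if)# end
! Verify: the description appears, and status shows "full"/"100" rather than "a-half".
Switch# show interfaces fastethernet0/24 description
Switch# show interfaces fastethernet0/24 status
Switch# copy running-config startup-config
```

A duplex mismatch does not bring the link down; it shows up as late collisions and CRC errors in show interfaces on the half-duplex side, so check counters when a fixed-setting link is slow.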

Configuring Community Strings

You use the SNMP community string to define the relationship between the SNMP manager and the agent. The community string acts like a password to permit access to the agent on the switch. Optionally, you can specify one or more of these characteristics associated with the string: an access list of IP addresses of the SNMP managers that are permitted to use the community string to gain access to the agent; a MIB view, which defines the subset of all MIB objects accessible to the given community...
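The three controls the section lists (string, access list, MIB view), combined in one added example that is not from the guide. The manager addresses, the view name and the community strings are assumptions.

```cisco
Switch# configure terminal
! Remove any wide-open default string first (assumed to exist on this switch).
Switch(config)# no snmp-server community public
! Only the two management stations may use the strings (standard IP ACL 10).
Switch(config)# access-list 10 permit host 192.0.2.10
Switch(config)# access-list 10 permit host 192.0.2.11
Switch(config)# access-list 10 deny any
! MIB view exposing only the system and interfaces groups to the monitoring string.
Switch(config)# snmp-server view MONITOR-VIEW system included
Switch(config)# snmp-server view MONITOR-VIEW interfaces included
! Read-only community restricted to the view and to ACL 10.
Switch(config)# snmp-server community M0n1tor-R0-ChangeMe view MONITOR-VIEW ro 10
! Read-write only if something really needs it: a different string, same ACL.
Switch(config)# snmp-server community Wr1te-Mgmt-ChangeMe rw 10
Switch(config)# end
Switch# show running-config | include snmp-server
```

SNMPv1/v2c community strings cross the network in clear text and are stored in clear text in the configuration, so the ACL is the control that actually limits who can try them; treat the strings like passwords and protect copies of the configuration accordingly.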

Configuring Extended Range VLANs

When the switch is in VTP transparent mode (VTP disabled) and the enhanced software image is installed, you can create extended-range VLANs (in the range 1006 to 4094). Extended-range VLANs enable service providers to extend their infrastructure to a greater number of customers. The extended-range VLAN IDs are allowed for any switchport commands that allow VLAN IDs. You always use config-vlan mode (accessed by entering the vlan vlan-id global configuration command) to configure extended-range...

Configuring IGMP Profiles

To configure an IGMP profile, use the ip igmp profile global configuration command with a profile number to create an IGMP profile and to enter IGMP profile configuration mode. From this mode, you can specify the parameters of the IGMP profile to be used for filtering IGMP join requests from a port. When you are in IGMP profile configuration mode, you can create the profile by using these commands: deny specifies that matching addresses are denied (this is the default condition); exit exits from...
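An added example (not from the guide) of two profiles and their application to a subscriber port: a permit profile that allows joins only to an internal video range, and a default-deny profile that blocks one specific group. The group ranges, profile numbers, interface and group cap are assumptions.

```cisco
Switch# configure terminal
! Profile 4: permit only the corporate video range; any other join is refused.
Switch(config)# ip igmp profile 4
Switch(config-igmp-profile)# permit
Switch(config-igmp-profile)# range 239.10.0.0 239.10.255.255
Switch(config-igmp-profile)# exit
! Profile 5: action defaults to deny, so only the listed group is blocked.
Switch(config)# ip igmp profile 5
Switch(config-igmp-profile)# range 239.255.255.250
Switch(config-igmp-profile)# exit
! Apply profile 4 to the subscriber port and cap the number of concurrent groups,
! so one host cannot subscribe to every stream and exhaust the uplink.
Switch(config)# interface fastethernet0/12
Switch(config-if)# ip igmp filter 4
Switch(config-if)# ip igmp max-groups 4
Switch(config-if)# end
Switch# show ip igmp profile 4
Switch# show ip igmp profile 5
```

A profile filters IGMP joins only; it does not stop multicast that is flooded because snooping is disabled, so keep IGMP snooping enabled on the VLAN for the filter to have effect.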

Configuring Interface Characteristics

This chapter defines the types of interfaces on the switch and describes how to configure them. The chapter has these sections: Understanding Interface Types, page 9-1; Using the Interface Command, page 9-4; Configuring Layer 2 Interfaces, page 9-10; Monitoring and Maintaining the Interface, page 9-16. Note: For complete syntax and usage information for the commands used in this chapter, refer to the Catalyst 2950 Desktop Switch Command Reference for this release and the online Cisco IOS Interface...

Configuring Layer 2 Interfaces

These sections describe the default interface configuration and the optional features that you can configure on most physical interfaces: Default Layer 2 Ethernet Interface Configuration, page 9-11; Configuring the Port Speed and Duplex Mode, page 9-11; Adding a Description for an Interface, page 9-15; Configuring IEEE 802.3x Flow Control on Gigabit Ethernet Ports, page 9-14. Default Layer 2 Ethernet Interface Configuration: Table 9-1 shows the Layer 2 Ethernet interface default configuration. For...

Configuring MVR Global Parameters

You do not need to set the optional MVR parameters if you choose to use the default settings. If you do want to change the default parameters (except for the MVR VLAN), you must first enable MVR. Beginning in privileged EXEC mode, follow these steps to configure MVR parameters: configure an IP multicast address on the switch, or use the count parameter to configure a contiguous series of IP addresses. Any multicast data sent to this address is sent to all source ports on the switch and all...

Configuring MVR Interfaces

Beginning in privileged EXEC mode, follow these steps to configure MVR interfaces: enter interface configuration mode, and enter the type and number of the port to configure, for example, gi0/1 or gigabitethernet0/1 for Gigabit Ethernet port 1. Configure the MVR port as one of these types. Source: configure uplink ports that receive and send multicast data as source ports. Subscribers cannot be directly connected to source ports. All source ports on a switch belong to the single multicast VLAN....
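The global parameters from Configuring MVR Global Parameters and the interface roles from Configuring MVR Interfaces, as one added example (not configuration from the guide): one multicast VLAN fed by an uplink source port, and a subscriber port in its own access VLAN with a static membership. VLAN numbers, group addresses, interface numbers and the query time are assumptions.

```cisco
Switch# configure terminal
! MVR must be enabled before any other parameter (except mvr vlan) is accepted.
Switch(config)# mvr
! The single multicast VLAN that carries the streams from the uplink.
Switch(config)# mvr vlan 100
! Five contiguous groups: 239.1.1.1 through 239.1.1.5.
Switch(config)# mvr group 239.1.1.1 5
! IGMP query interval sent to receivers, in tenths of a second (10 = 1 s).
Switch(config)# mvr querytime 10
! dynamic: joins from receiver ports are forwarded to the source ports upstream.
Switch(config)# mvr mode dynamic
! Uplink: carries multicast data in VLAN 100; no subscribers may be attached here.
Switch(config)# interface gigabitethernet0/1
Switch(config-if)# mvr type source
Switch(config-if)# exit
! Subscriber in access VLAN 20, receiving MVR groups that live in VLAN 100.
Switch(config)# interface fastethernet0/10
Switch(config-if)# switchport access vlan 20
Switch(config-if)# mvr type receiver
! Static membership: the port always receives 239.1.1.1 without sending a join.
Switch(config-if)# mvr vlan 100 group 239.1.1.1
! Immediate-leave: stop forwarding as soon as the host sends an IGMP leave.
! Safe only when exactly one receiver is attached to the port.
Switch(config-if)# mvr immediate
Switch(config-if)# end
Switch# show mvr
Switch# show mvr interface
Switch# show mvr members
```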

Configuring NTP

The Catalyst 2950 switches do not have a hardware-supported clock, and they cannot function as an NTP master clock to which peers synchronize themselves when an external NTP source is not available. These switches also have no hardware support for a calendar. As a result, the ntp update-calendar and the ntp master global configuration commands are not available. This section contains this configuration information: Default NTP Configuration, page 7-36; Configuring NTP Authentication, page 7-36...

Configuring NTP Authentication

This procedure must be coordinated with the administrator of the NTP server: the key number and key string you configure in this procedure must match those configured on the servers the switch uses to synchronize its time. Beginning in privileged EXEC mode, follow these steps to authenticate the associations (communications between devices running NTP that provide for accurate timekeeping) with other devices for security purposes: enable the NTP authentication feature, which is disabled by default....

Configuring NTP Broadcast Service

The communications between devices running NTP (known as associations) are usually statically configured: each device is given the IP addresses of all devices with which it should form associations. Accurate timekeeping is possible by exchanging NTP messages between each pair of devices with an association. However, in a LAN environment, NTP can be configured to use IP broadcast messages instead. This alternative reduces configuration complexity because each device can simply be configured to...

Configuring Port-Based Traffic Control

This chapter describes how to configure the port-based traffic control features on your switch. Note: For complete syntax and usage information for the commands used in this chapter, refer to the Catalyst 2950 Desktop Switch Command Reference for this release. This chapter consists of these sections: Configuring Storm Control, page 17-1; Configuring Protected Ports, page 17-3; Configuring Port Security, page 17-3; Configuring and Enabling Port Security Aging, page 17-6; Displaying Port-Based Traffic...

Configuring QoS

This chapter describes how to configure quality of service (QoS) on your switch. With this feature, you can provide preferential treatment to certain types of traffic. Without QoS, the switch offers best-effort service to each packet, regardless of the packet contents or size. It transmits the packets without any assurance of reliability, delay bounds, or throughput. To use the features described in this chapter, you must have the enhanced software image installed on your switch. If you have...

Configuring RADIUS Authorization for Privileged EXEC Access and Network Services

AAA authorization limits the services available to a user. When AAA authorization is enabled, the switch uses information retrieved from the user's profile, which is in either the local user database or on the security server, to configure the user's session. The user is granted access to a requested service only if the information in the user profile allows it. You can use the aaa authorization global configuration command with the radius keyword to set parameters that restrict a user's...

Configuring RSTP and MSTP Features

These sections include basic RSTP and MSTP configuration information Default RSTP and MSTP Configuration, page 11-12 RSTP and MSTP Configuration Guidelines, page 11-12 Specifying the MST Region Configuration and Enabling MSTP, page 11-13 (required) Configuring the Root Switch, page 11-14 (optional) Configuring a Secondary Root Switch, page 11-16 (optional) Configuring the Port Priority, page 11-17 (optional) Configuring the Path Cost, page 11-18 (optional) Configuring the Switch Priority, page...

Configuring Settings for All RADIUS Servers

Beginning in privileged EXEC mode, follow these steps to configure global communication settings between the switch and all RADIUS servers: specify the shared secret text string used between the switch and all RADIUS servers. Note: The key is a text string that must match the encryption key used on the RADIUS server. Leading spaces are ignored, but spaces within and at the end of the key are used. If you use spaces in your key, do not enclose the key in quotation marks unless the quotation marks...

Configuring Spanning Tree Features

These sections include spanning-tree configuration information: Default STP Configuration, page 10-10; STP Configuration Guidelines, page 10-10; Configuring the Root Switch, page 10-12; Configuring a Secondary Root Switch, page 10-13; Configuring the Port Priority, page 10-14; Configuring the Path Cost, page 10-15; Configuring the Switch Priority of a VLAN, page 10-17; Configuring the Hello Time, page 10-18; Configuring the Forwarding-Delay Time for a VLAN, page...

Configuring STP for Use in a Cascaded Stack

STP uses default values that can be reduced when configuring your switch in cascaded configurations. If a root switch is part of a cluster that is one switch from a cascaded stack, you can customize spanning tree to reconverge more quickly after a switch failure. Figure 10-4 shows switches in three cascaded stacks that use the GigaStack GBIC. Table 10-4 shows the default STP settings and those that are acceptable for these configurations. Table 10-4 Default and Acceptable STP Parameter Settings...

Configuring the CoS-to-DSCP Map

You use the CoS-to-DSCP map to map CoS values in incoming packets to a DSCP value that QoS uses internally to represent the priority of the traffic. Table 24-3 shows the default CoS-to-DSCP map. If these values are not appropriate for your network, you need to modify them. Beginning in privileged EXEC mode, follow these steps to modify the CoS-to-DSCP map. For dscp1...dscp8, enter eight DSCP values that correspond to CoS values 0 to 7. Separate each DSCP value with a space. The supported DSCP values...

Configuring the DHCP Server

You should configure the DHCP server with reserved leases that are bound to each switch by the switch hardware address. If you want the switch to receive IP address information, you must configure the DHCP server with these lease options: IP address of the client (required); subnet mask of the client (required); DNS server IP address (optional); router IP address (the default gateway address to be used by the switch) (required). If you want the switch to receive the configuration file from a TFTP...

Configuring the DSCP-to-CoS Map

You use the DSCP-to-CoS map to map DSCP values in incoming packets to a CoS value, which is used to select one of the four egress queues. The Catalyst 2950 switches support these DSCP values: 0, 8, 10, 16, 18, 24, 26, 32, 34, 40, 46, 48, and 56. Table 24-4 shows the default DSCP-to-CoS map. If these values are not appropriate for your network, you need to modify them. Beginning in privileged EXEC mode, follow these steps to modify the...
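The three mapping steps from the CLI Configuring CoS Priority Queues, Configuring the CoS-to-DSCP Map, and Configuring the DSCP-to-CoS Map sections, combined in one added example (not the guide's own configuration). It assumes the enhanced image, an IP-phone port whose CoS is trusted, and the specific values chosen here (voice CoS 5 to DSCP 46, AF31/AF41 to CoS 4, voice in the top queue); the default maps quoted in the comments are the platform defaults.

```cisco
Switch# configure terminal
! Ingress: trust the CoS carried in the 802.1Q tag on the phone port.
! Untagged frames get the port's default CoS (0).
Switch(config)# interface fastethernet0/5
Switch(config-if)# mls qos trust cos
Switch(config-if)# exit
! CoS-to-DSCP: eight DSCP values for CoS 0..7. Default: 0 8 16 24 32 40 48 56.
! Here CoS 5 (voice) becomes DSCP 46 (EF) instead of 40. Only the DSCP values the
! 2950 supports (0 8 10 16 18 24 26 32 34 40 46 48 56) are accepted.
Switch(config)# mls qos map cos-dscp 0 8 16 24 32 40 46 56
! DSCP-to-CoS: AF31 (26) and AF41 (34), used for signalling and video here, are
! both mapped to CoS 4 so they select the same egress queue.
Switch(config)# mls qos map dscp-cos 26 34 to 4
! CoS-to-queue: queue 4 is the highest. Default is 0,1 -> q1; 2,3 -> q2;
! 4,5 -> q3; 6,7 -> q4. Put voice (CoS 5) with network control in queue 4,
! CoS 3 and 4 in queue 3, CoS 2 in queue 2, best effort and CoS 1 in queue 1.
Switch(config)# wrr-queue cos-map 4 5 6 7
Switch(config)# wrr-queue cos-map 3 3 4
Switch(config)# wrr-queue cos-map 2 2
Switch(config)# wrr-queue cos-map 1 0 1
Switch(config)# end
Switch# show mls qos maps cos-dscp
Switch# show mls qos maps dscp-cos
Switch# show wrr-queue cos-map
! no mls qos map cos-dscp, no mls qos map dscp-cos and no wrr-queue cos-map
! return each map to its default.
```

Trust CoS only on ports where the attached device is known to mark honestly (a phone, a trusted switch); on ordinary user ports leave the default untrusted state, otherwise any host can promote itself into the voice queue by tagging its own frames.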

Configuring the Forwarding Delay Time

Beginning in privileged EXEC mode, follow these steps to configure the forwarding-delay time for all MST instances: spanning-tree mst forward-time seconds configures the forward time for all MST instances. The forward delay is the number of seconds a port waits before changing from its spanning-tree learning and listening states to the forwarding state. For seconds, the range is 4 to 30; the default is 15. (Optional) Save your entries in the configuration file. To return the switch to its default...

Configuring the Maximum Aging Time

Beginning in privileged EXEC mode, follow these steps to configure the maximum-aging time for all MST instances: configure the maximum-aging time for all MST instances. The maximum-aging time is the number of seconds a switch waits without receiving spanning-tree configuration messages before attempting a reconfiguration. For seconds, the range is 6 to 40; the default is 20. (Optional) Save your entries in the configuration file. To return the switch to its default setting, use the no...

Configuring the Maximum Aging Time for a VLAN

Beginning in privileged EXEC mode, follow these steps to configure the maximum-aging time for a VLAN: spanning-tree vlan vlan-id max-age seconds configures the maximum-aging time of a VLAN. The maximum-aging time is the number of seconds a switch waits without receiving spanning-tree configuration messages before attempting a reconfiguration. For vlan-id, the range is 1 to 4094 when the enhanced software image is installed and 1 to 1005 when the standard software image is installed. Do not enter...

Configuring the Maximum Hop Count

Beginning in privileged EXEC mode, follow these steps to configure the maximum-hop count for all MST instances: spanning-tree mst max-hops hop-count specifies the number of hops in a region before the BPDU is discarded and the information held for a port is aged. For hop-count, the range is 1 to 40; the default is 20. (Optional) Save your entries in the configuration file. To return the switch to its default setting, use the no spanning-tree mst max-hops global configuration command.
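One MST region with all three timers from the Configuring the Forwarding Delay Time, Configuring the Maximum Aging Time, and Configuring the Maximum Hop Count sections, as an added example (not configuration from the guide). The region name, revision, instance-to-VLAN mapping and the timer values are assumptions; the timer relationship in the comment is the IEEE 802.1D constraint, not something the guide states here.

```cisco
Switch# configure terminal
! MST mode and a region definition. Every switch in the region must carry an
! identical name, revision and instance mapping, or it forms a region of its own.
Switch(config)# spanning-tree mode mst
Switch(config)# spanning-tree mst configuration
Switch(config-mst)# name CAMPUS-A
Switch(config-mst)# revision 1
Switch(config-mst)# instance 1 vlan 10-20
Switch(config-mst)# exit
! Timers apply to all MST instances at once. Keep the 802.1D relationship
!   2 x (forward-time - 1) >= max-age >= 2 x (hello-time + 1)
! With the default hello of 2 s: forward-time 10 gives 18 >= max-age, and
! max-age 16 satisfies 16 >= 6. Violating it lets stale topology information
! outlive the timers that are supposed to flush it.
Switch(config)# spanning-tree mst forward-time 10
Switch(config)# spanning-tree mst max-age 16
! Remaining-hops counter decremented by each switch inside the region; a BPDU
! that reaches 0 is discarded. Size it to the region diameter plus margin.
Switch(config)# spanning-tree mst max-hops 15
Switch(config)# end
Switch# show spanning-tree mst configuration
Switch# show spanning-tree mst 1
! Defaults come back with the "no" forms, for example: no spanning-tree mst max-hops
```

Shorter timers speed up convergence but also make the tree react to every flap; change them on all switches of the region together, since the root's values are the ones that propagate.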

Configuring the Path Cost

The spanning-tree path cost default value is derived from the media speed of an interface. If a loop occurs, spanning tree uses cost when selecting an interface to put in the forwarding state. You can assign lower cost values to interfaces that you want selected first and higher cost values that you want selected last. If all interfaces have the same cost value, spanning tree puts the interface with the lowest interface number in the forwarding state and blocks the other interfaces. Spanning...

Configuring the Port Priority

If a loop occurs, spanning tree uses the port priority when selecting an interface to put into the forwarding state. You can assign higher priority values (lower numerical values) to interfaces that you want selected first and lower priority values (higher numerical values) that you want selected last. If all interfaces have the same priority value, spanning tree puts the interface with the lowest interface number in the forwarding state and blocks the other interfaces. Cisco IOS uses the port...
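An added PVST+ example (not configuration from the guide) for the Bridge ID, Switch Priority, and Extended System ID, Configuring a Secondary Root Switch, Configuring the Path Cost, and Configuring the Port Priority sections. VLAN numbers, interface numbers and the chosen priority and cost values are assumptions; the bridge-ID arithmetic in the comment applies to switches that support the extended system ID.

```cisco
! With the extended system ID the 2-byte priority field holds a 4-bit priority
! (a multiple of 4096) in its high bits and the 12-bit VLAN ID in its low bits,
! followed by the 6-byte base MAC address. For VLAN 10 and priority 24576 the
! field is 24576 + 10 = 24586, which "show spanning-tree vlan 10" reports as
! "Priority 24586 ... sys-id-ext 10". The lowest bridge ID wins the root election.
Switch# configure terminal
! Make this switch the root for VLAN 10 with an explicit priority.
Switch(config)# spanning-tree vlan 10 priority 24576
! Backup root for VLAN 20: the macro sets priority 28672 (4096 below the default
! 32768), so this switch takes over only if the primary root disappears.
Switch(config)# spanning-tree vlan 20 root secondary
Switch(config)# interface fastethernet0/1
! Prefer this uplink for VLAN 10 when costs tie: lower value wins, default 128,
! values are multiples of 16.
Switch(config-if)# spanning-tree vlan 10 port-priority 64
Switch(config-if)# exit
Switch(config)# interface fastethernet0/2
! Make this parallel link the least preferred path for VLAN 10 by raising its
! cost above the speed-derived default (19 for 100 Mb/s).
Switch(config-if)# spanning-tree vlan 10 cost 100
Switch(config-if)# end
Switch# show spanning-tree vlan 10
Switch# show spanning-tree vlan 20
```

Priority and root placement are also a security boundary: a rogue switch advertising a lower bridge ID takes the root role and pulls traffic through itself, so protect edge ports with the root guard and BPDU guard features described in the optional spanning-tree chapter rather than relying on a low priority alone.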

Configuring the Source IP Address for NTP Packets

When the switch sends an NTP packet, the source IP address is normally set to the address of the interface through which the NTP packet is sent. Use the ntp source global configuration command when you want to use a particular source IP address for all NTP packets. The address is taken from the specified interface. This command is useful if the address on an interface cannot be used as the destination for reply packets. Beginning in privileged EXEC mode, follow these steps to configure a...

Configuring the Switch for Local Authentication and Authorization

You can configure AAA to operate without a server by setting the switch to implement AAA in local mode. The switch then handles authentication and authorization. No accounting is available in this configuration. Beginning in privileged EXEC mode, follow these steps to configure the switch for local AAA: aaa authentication login default local sets the login authentication to use the local username database. The default keyword applies the local user database authentication to all interfaces....

Configuring the Switch for Secure Shell

This section describes how to configure the Secure Shell (SSH) feature. To use this feature, the crypto (encrypted) software image must be installed on your switch. You must download this software image from Cisco.com. For more information, refer to the release notes for this release. Note: For complete syntax and usage information for the commands used in this section, refer to the Secure Shell Commands section in the Cisco IOS Security Command Reference for Release 12.2.
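A minimal SSH enablement as an added example (not the guide's own procedure), assuming the crypto image is installed, the hostname sw-access-01, the domain example.net, and a local account; the key-size, timeout and retry values are also assumptions.

```cisco
Switch# configure terminal
! The RSA key pair is named after hostname.domain, so set both before generating it.
Switch(config)# hostname sw-access-01
sw-access-01(config)# ip domain-name example.net
! Generates the host key pair. The command prompts for the modulus size;
! choose at least 1024 bits (this is also what enables the SSH server).
sw-access-01(config)# crypto key generate rsa
! Bound the negotiation window and the failed-password attempts per connection.
sw-access-01(config)# ip ssh time-out 60
sw-access-01(config)# ip ssh authentication-retries 2
! Account used for SSH logins (RADIUS or local AAA can replace this).
sw-access-01(config)# username netadmin privilege 15 password Adm1n-Ch4nge-Me
! Every vty: local login, SSH only. "transport input ssh" drops Telnet, which
! would otherwise carry the same password across the network in clear text.
sw-access-01(config)# line vty 0 15
sw-access-01(config-line)# login local
sw-access-01(config-line)# transport input ssh
sw-access-01(config-line)# end
sw-access-01# show ip ssh
sw-access-01# show ssh
sw-access-01# copy running-config startup-config
```

Test the SSH login from a second session before closing the one you configured from; if key generation or transport input is wrong you otherwise lock yourself out of remote access.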

Configuring the Switch for Vendor-Proprietary RADIUS Server Communication

Although an IETF draft standard for RADIUS specifies a method for communicating vendor-proprietary information between the switch and the RADIUS server, some vendors have extended the RADIUS attribute set in a unique way. Cisco IOS software supports a subset of vendor-proprietary RADIUS attributes. As mentioned earlier, to configure RADIUS (whether vendor-proprietary or IETF draft-compliant), you must specify the host running the RADIUS server daemon and the secret text string it shares with...
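A combined RADIUS configuration for the Configuring RADIUS Authorization for Privileged EXEC Access and Network Services, Configuring Settings for All RADIUS Servers, and Configuring the Switch for Vendor-Proprietary RADIUS Server Communication sections, added here as an example that is not from the guide. Server addresses, ports, the shared secret and the retry/timeout/deadtime values are assumptions.

```cisco
Switch# configure terminal
Switch(config)# aaa new-model
! Global settings for every RADIUS server. The key is taken literally after
! leading spaces are stripped: no quotation marks unless they are part of the
! key, and watch for an accidental trailing space.
Switch(config)# radius-server key S3cret-Sh4red-W1th-Sw1tch
Switch(config)# radius-server retransmit 3
Switch(config)# radius-server timeout 5
! Skip a server that stopped answering for 10 minutes instead of waiting on it.
Switch(config)# radius-server deadtime 10
! Standard server on the IETF ports.
Switch(config)# radius-server host 192.0.2.5 auth-port 1812 acct-port 1813
! Second server runs a vendor-proprietary RADIUS implementation: flag it
! non-standard so the switch speaks its attribute dialect; it uses the global key.
Switch(config)# radius-server host 192.0.2.6 non-standard
! Login via RADIUS, falling back to the local database ONLY when no server answers.
! Using "none" as the fallback would let anyone in while RADIUS is down.
Switch(config)# aaa authentication login default group radius local
! Privileged EXEC level and network services come from the user's RADIUS profile.
Switch(config)# aaa authorization exec default group radius local
Switch(config)# aaa authorization network default group radius
Switch(config)# end
Switch# show running-config | include radius|aaa
```

Keep a local username with privilege 15 defined as well (see the local authentication section), since the local fallback is only useful if there is a local account to fall back to.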

Configuring the Time Zone

Beginning in privileged EXEC mode, follow these steps to manually configure the time zone: clock timezone zone hours-offset minutes-offset. The switch keeps internal time in Coordinated Universal Time (UTC), so this command is used only for display purposes and when the time is manually set. For zone, enter the name of the time zone to be displayed when standard time is in effect. The default is UTC. For hours-offset, enter the hours offset from UTC. (Optional) For minutes-offset, enter the...
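One time-synchronization configuration, added as an example that is not from the guide, covering the NTP association syntax listed under configure terminal above, Configuring NTP Authentication, Configuring NTP Broadcast Service, Configuring the Source IP Address for NTP Packets, and Configuring the Time Zone. Server and peer addresses, the key number and string, the management VLAN and the Pacific time zone are assumptions.

```cisco
Switch# configure terminal
! --- Authentication: the key number and MD5 string must match the NTP servers ---
Switch(config)# ntp authenticate
Switch(config)# ntp authentication-key 42 md5 NtpK3y-ChangeMe
! Only packets signed with a trusted key are accepted as a time source.
Switch(config)# ntp trusted-key 42
! --- Server associations: the switch only synchronizes, it never serves ---
Switch(config)# ntp server 192.0.2.100 key 42 prefer
Switch(config)# ntp server 192.0.2.101 key 42
! --- Peer association: either side may synchronize the other ---
Switch(config)# ntp peer 192.0.2.102 key 42
! Source every NTP packet from the management SVI so that replies always return
! to one stable address the servers can be told to trust.
Switch(config)# ntp source vlan 1
! --- Broadcast client on the management VLAN, as an alternative to static
! associations. Broadcast NTP is trivially spoofed, so keep authentication on.
Switch(config)# interface vlan 1
Switch(config-if)# ntp broadcast client
Switch(config-if)# exit
! --- Display only: the switch keeps UTC internally ---
Switch(config)# clock timezone PST -8
Switch(config)# clock summer-time PDT recurring
Switch(config)# end
! "configured, authenticated" next to an association means the key is in use.
Switch# show ntp associations detail
Switch# show ntp status
```

Accurate, authenticated time is what makes the switch's syslog and authentication records usable as evidence; an attacker who can shift the clock can also shift every timestamp you will later rely on.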

Configuring UNIX Syslog Servers

The next sections describe how to configure the UNIX server syslog daemon and define the UNIX system logging facility. Logging Messages to a UNIX Syslog Daemon: Before you can send system log messages to a UNIX syslog server, you must configure the syslog daemon on a UNIX server. Log in as root, and perform these steps. Some recent versions of UNIX syslog daemons no longer accept by default syslog packets from the network. If this is the case with your system, use the UNIX man syslogd command to...

Configuring Username and Password Pairs

You can configure username and password pairs, which are locally stored on the switch. These pairs are assigned to lines or interfaces and authenticate each user before that user can access the switch. If you have defined privilege levels, you can also assign a specific privilege level (with associated rights and privileges) to each username and password pair. Beginning in privileged EXEC mode, follow these steps to establish a username-based authentication system that requests a login username...

Configuring VLAN Trunks

These sections describe how VLAN trunks function on the switch: Trunking Overview (page 13-18), 802.1Q Configuration Considerations (page 13-20), and Default Layer 2 Ethernet Interface VLAN Configuration (page 13-21). A trunk is a point-to-point link between one or more Ethernet switch interfaces and another networking device such as a router or a switch. Fast Ethernet and Gigabit Ethernet trunks carry the traffic of multiple VLANs over a single link, and you can extend the VLANs across an entire network....

Configuring Voice VLAN

These are the voice VLAN configuration guidelines You should configure voice VLAN on access ports. The Port Fast feature is automatically enabled when voice VLAN is configured. When you disable voice VLAN, the Port Fast feature is not automatically disabled. If you enable port security on a voice VLAN port and if there is a PC connected to the IP phone, you should set the maximum allowed secure addresses on the port to more than 1. You cannot configure static secure MAC addresses in the voice...

Connecting Interfaces

Devices within a single VLAN can communicate directly through any switch. Ports in different VLANs cannot exchange data without going through a routing device or interface. With a standard Layer 2 switch, ports in different VLANs have to exchange information through a router. In the configuration shown in Figure 9-1, when Host A in VLAN 20 sends data to Host B in VLAN 30, it must go from Host A to the switch, to the router, back to the switch, and then to Host B. Figure 9-1 Connecting VLANs...

Copying Configuration Files to Troubleshoot Configuration Problems

You can use the file system in Flash memory to copy files and to troubleshoot configuration problems. This could be useful if you want to save configuration files on an external server in case a switch fails. You can then copy the configuration file to a replacement switch and avoid reconfiguring the switch. Step 1 Enter the dir flash privileged EXEC command to display the contents of Flash memory as in this example...

CoS and WRR

The Catalyst 2950 switches support four CoS queues for each egress port. For each queue, you can specify these types of scheduling Strict priority scheduling is based on the priority of queues. Queues can have priorities from 0 to 7, 7 being the highest. Packets in the high-priority queue always transmit first, and packets in the low-priority queue do not transmit until all the high-priority queues become empty. Weighted round-robin (WRR) scheduling WRR scheduling requires you to specify a...

Creating a Numbered Standard ACL

Beginning in privileged EXEC mode, follow these steps to create a numbered standard ACL: access-list access-list-number {deny | permit | remark} {source source-wildcard | host source | any} Define a standard IP ACL by using a source address and wildcard. The access-list-number is a decimal number from 1 to 99 or 1300 to 1999. Enter deny or permit to specify whether to deny or permit access if conditions are matched. The source is the source address of the network or host from which the packet is being sent...

Creating MAC Access Groups

Beginning in privileged EXEC mode, follow these steps to create MAC access groups: Identify a specific interface for configuration, and enter interface configuration mode. The interface must be a Layer 2 interface. Control access to the specified interface. Display the MAC ACLs applied to the interface. (Optional) Save your entries in the configuration file. This example shows how to apply ACL 2 on Gigabit Ethernet interface 0/1 to filter packets entering the interface: Switch(config)# interface...

Creating Named Standard and Extended ACLs

You can identify IP ACLs with an alphanumeric string (a name) rather than a number. You can use named ACLs to configure more IP access lists on a switch than if you use numbered access lists. If you identify your access list with a name rather than a number, the mode and command syntax are slightly different. However, not all commands that use IP access lists accept a named ACL. Note The name you give to a standard ACL or extended ACL can also be a number in the supported range of access list...

Creating the Spanning Tree Topology

In Figure 10-1, Switch A is elected as the root switch because the switch priority of all the switches is set to the default (32768) and Switch A has the lowest MAC address. However, because of traffic patterns, number of forwarding interfaces, or link types, Switch A might not be the ideal root switch. By increasing the priority (lowering the numerical value) of the ideal switch so that it becomes the root switch, you force a spanning-tree recalculation to form a new topology with the ideal...

Default 802.1X Configuration

Table 8-1 shows the default 802.1X configuration. Table 8-1 Default 802.1X Configuration Authentication, authorization, and accounting (AAA) authentication The port transmits and receives normal traffic without 802.1X-based authentication of the client. Number of seconds between re-authentication attempts 60 seconds (number of seconds that the switch remains in the quiet state following a failed...

Default EtherChannel Configuration

Table 25-2 shows the default EtherChannel configuration. Table 25-2 Default EtherChannel Configuration Aggregate-port learning on all interfaces. 128 on all interfaces. (Changing this value on Catalyst 2950 switches has no effect.) Load distribution on the switch is based on the source-MAC address of the incoming packet.

Default NTP Configuration

Table 7-2 shows the default NTP configuration. Table 7-2 Default NTP Configuration Disabled. No authentication key is specified. Disabled; no interface sends or receives NTP broadcast packets. The source address is determined by the outgoing interface. NTP is enabled on all interfaces by default. All interfaces receive NTP packets.

Default Optional Spanning Tree Configuration

Table 12-1 shows the default optional spanning-tree configuration. Table 12-1 Default Optional Spanning-Tree Configuration Port Fast, BPDU filtering, BPDU guard: Globally disabled on the switch (unless they are individually configured per interface).

Default Password and Privilege Level Configuration

Table 7-1 shows the default password and privilege level configuration. Table 7-1 Default Password and Privilege Levels No password is defined. The default is level 15 (privileged EXEC level). The password is not encrypted in the configuration file. Enable secret password and privilege level No password is defined. The default is level 15 (privileged EXEC level). The password is encrypted before it is written to the configuration file. Setting or...

Default RADIUS Configuration

RADIUS and AAA are disabled by default. To prevent a lapse in security, you cannot configure RADIUS through a network management application. When enabled, RADIUS can authenticate users accessing the switch through the CLI. Switch-to-RADIUS-server communication involves several components You identify RADIUS security servers by their host name or IP address, host name and specific UDP port numbers, or their IP address and specific UDP port numbers. The combination of the IP address and the UDP...

Default RSTP and MSTP Configuration

Table 11-3 shows the default RSTP and MSTP configuration. Table 11-3 Default RSTP and MSTP Configuration Switch priority (configurable on a per-CIST interface basis) Spanning-tree port priority (configurable on a per-CIST interface basis) Spanning-tree port cost (configurable on a per-CIST interface basis): 1000 Mbps: 4. 100 Mbps: 19. 10 Mbps: 100.

Default STP Configuration

Table 10-3 shows the default STP configuration. Table 10-3 Default STP Configuration Up to 64 spanning-tree instances can be enabled. Spanning-tree port priority (configurable on a per-interface basis; used on interfaces configured as Layer 2 access ports) Spanning-tree port cost (configurable on a per-interface basis; used on interfaces configured as Layer 2 access ports): 1000 Mbps: 4. 100 Mbps: 19. 10 Mbps: 100. Spanning-tree VLAN port priority (configurable on...

Default System Message Logging Configuration

Table 21-2 shows the default system message logging configuration. Table 21-2 Default System Message Logging Configuration System message logging to the console Debugging (and numerically lower levels; see Table 21-3 on page 21-9). Local7 (see Table 21-4 on page 21-12). Informational (and numerically lower levels; see Table 21-3 on page 21-9).

Default UDLD Configuration

Table 18-1 shows the default UDLD configuration. Table 18-1 Default UDLD Configuration UDLD per-interface enable state for fiber-optic media Disabled on all Ethernet fiber-optic interfaces UDLD per-interface enable state for twisted-pair (copper) media Disabled on all Ethernet 10/100 and 1000BASE-TX interfaces A UDLD-capable interface also cannot detect a unidirectional link if it is connected to a...

Defining AAA Server Groups

You can configure the switch to use AAA server groups to group existing server hosts for authentication. You select a subset of the configured server hosts and use them for a particular service. The server group is used with a global server-host list, which lists the IP addresses of the selected server hosts. Server groups also can include multiple host entries for the same server if each entry has a unique identifier (the combination of the IP address and UDP port number), allowing different...

Defining the Message Severity Level

You can limit the messages displayed on the selected device by specifying the severity level of the messages; the severity levels are described in Table 21-3. Beginning in privileged EXEC mode, follow these steps to define the message severity level: Limit messages logged to the console. By default, the console receives debugging messages and numerically lower levels (see Table 21-3 on page 21-9). Limit messages logged to the terminal lines. By default, the terminal receives debugging messages and numerically...

Design Concepts for Using the Switch

As your network users compete for network bandwidth, it takes longer to send and receive data. When you configure your network, consider the bandwidth required by your network users and the relative priority of the network applications they use. Table 1-2 describes what can cause network performance to degrade and how you can configure your network to increase the bandwidth available to your network users. Table 1-2 Increasing Network Performance Too...

Device and Link Labels

The Topology view displays device and link information by using these labels: switch MAC and IP addresses, link type between the devices, and link speed and IDs of the interfaces on both ends of the link. When using these labels, keep these considerations in mind: The IP address displays only in the labels for the command switch and member switches. The label of a neighboring cluster icon displays only the command-switch IP address. The displayed link speeds are the actual link speeds...

Device Popup Menu

You can display all switch and cluster configuration windows from the menu bar, or you can display commonly used configuration windows from the device popup menu (Table 3-13). To display the device popup menu, click the switch icon from the cluster tree or the front-panel image itself, and right-click. Launch Device Manager for the switch. Display graphs that plot the total bandwidth in use. Display information about the device and port on either end of the link and the state of the link. 1....

Device Popup Menus

Specific devices in the Topology view display a specific popup menu Command switch (Table 3-17) Member or standby command switch (Table 3-18) Candidate switch with an IP address (Table 3-19) Candidate switch without an IP address (Table 3-20) Neighboring devices (Table 3-21) The Device Manager option in these popup menus is available in read-only mode on Catalyst 2900 XL and Catalyst 3500 XL switches running Release 12.0(5)WC2 and later. It is also available on Catalyst 2950 switches running...

Device Roles

With 802.1X port-based authentication, the devices in the network have specific roles as shown in Figure 8-1. Client the device (workstation) that requests access to the LAN and switch services and responds to the requests from the switch. The workstation must be running 802.1X-compliant client software such as that offered in the Microsoft Windows XP operating system. (The client is the supplicant in the Note To resolve Windows XP network connectivity and 802.1X authentication issues, read the...

DHCP Client Request Process

When you boot your switch, the DHCP client can be invoked and automatically request configuration information from a DHCP server when the configuration file is not present on the switch. Figure 4-1 shows the sequence of messages that are exchanged between the DHCP client and the DHCP server. Figure 4-1 DHCP Request for IP Information from a DHCP Server The client, Switch A, broadcasts a DHCPDISCOVER message to locate a DHCP server. The DHCP server offers configuration parameters (such as an IP...

Disabling and Enabling CDP

Note: Creating and maintaining switch clusters is based on the regular exchange of CDP messages. Disabling CDP can interrupt cluster discovery. For more information, see Chapter 6, Clustering Switches. Beginning in privileged EXEC mode, follow these steps to disable the CDP device discovery capability. Beginning in privileged EXEC mode, follow these steps to enable CDP when it has been disabled. This example shows how to enable CDP if it has been disabled: Switch(config)# cdp run Switch(config)# end

Disabling and Enabling CDP on an Interface

CDP is enabled by default on all supported interfaces to send and receive CDP information. Beginning in privileged EXEC mode, follow these steps to disable CDP on an interface Enter interface configuration mode, and enter the interface on which you are disabling CDP. (Optional) Save your entries in the configuration file. Beginning in privileged EXEC mode, follow these steps to enable CDP on an interface when it has been disabled Enter interface configuration mode, and enter the interface on...

Disabling Storm Control

Beginning in privileged EXEC mode, follow these steps to disable storm control: Enter interface configuration mode, and enter the port to configure. no storm-control {broadcast | multicast | unicast} level no storm-control action {shutdown | trap} Disable the specified storm control action. show storm-control [broadcast | multicast | unicast] (Optional) Save your entries in the configuration file.

Discovery through CDP Hops

By using CDP, a command switch can discover switches up to seven CDP hops away (the default is three hops) from the edge of the cluster. The edge of the cluster is where the last member switches are connected to the cluster and to candidate switches. For example, member switches 9 and 10 in Figure 6-1 are at the edge of the cluster. You can set the number of hops the command switch searches for candidate and member switches by selecting Cluster > Hop Count. When new candidate switches are...

Discovery through Different Management VLANs

We recommend using a Catalyst 3550 command switch or a Catalyst 2950 command switch running Release 12.1(9)EA1 or later. These command switches can discover and manage member switches in different VLANs and different management VLANs. Catalyst 3550 member switches and Catalyst 2950 member switches running Release 12.1(9)EA1 or later must be connected through at least one VLAN in common with the command switch. All other member switches must be connected to the command switch through their...

Discovery through Non-CDP-Capable and Noncluster-Capable Devices

If a command switch is connected to a non-CDP-capable third-party hub (such as a non-Cisco hub), it can discover cluster-enabled devices connected to that third-party hub. However, if the command switch is connected to a noncluster-capable Cisco device, it cannot discover a cluster-enabled device connected beyond the noncluster-capable Cisco device. Figure 6-3 shows that the command switch discovers the Catalyst 3500 XL switch, which is connected to a third-party hub. However, the command...

Discovery through the Same Management VLAN

A Catalyst 2900 XL command switch, a Catalyst 2950 command switch running a release earlier than Release 12.1(9)EA1, or a Catalyst 3500 XL command switch must connect to all cluster members through its management VLAN. The default management VLAN is VLAN 1. For more information about management VLANs, see the Management VLAN section on page 6-20. You can avoid this limitation by using, whenever possible, a Catalyst 3550 command switch or a Catalyst 2950 command switch running Release 12.1(9)EA1...

Displaying 802.1X Statistics and Status

To display 802.1X statistics for all interfaces, use the show dot1x statistics privileged EXEC command. To display 802.1X statistics for a specific interface, use the show dot1x statistics interface interface-id privileged EXEC command. To display the 802.1X administrative and operational status for the switch, use the show dot1x privileged EXEC command. To display the 802.1X administrative and operational status for a specific interface, use the show dot1x interface interface-id privileged...

Displaying Access Groups

You use the ip access-group interface configuration command to apply ACLs to a Layer 3 interface. When IP is enabled on an interface, you can use the show ip interface interface-id privileged EXEC command to view the input and output access lists on the interface, as well as other interface characteristics. If IP is not enabled on the interface, the access lists are not shown. This example shows how to view all access groups configured for VLAN 1 and for Gigabit Ethernet interface 0/2...

Displaying Address Table Entries

You can display the MAC address table by using one or more of the privileged EXEC commands described in Table 7-5. Table 7-5 Commands for Displaying the MAC Address Table Displays MAC address table information for the specified MAC address. Displays the aging time in all VLANs or the specified VLAN. Displays the number of addresses present in all VLANs or the specified VLAN. Displays dynamic MAC address table entries only. Displays the MAC...

Displaying CNS Configuration

You can use the privileged EXEC commands in Table 5-2 to display CNS Configuration information. Table 5-2 Displaying CNS Configuration Displays the status of the CNS configuration agent connections. Displays information about incremental (partial) CNS configurations that have started but are not yet completed. Displays statistics about the CNS configuration agent. Displays the status of the CNS event agent connections. ...