Adding and Removing Static Address Entries

A static address has these characteristics: it is manually entered in the address table and must be manually removed; it can be a unicast or multicast address; it does not age and is retained when the switch restarts. You can add and remove static addresses and define the forwarding behavior for them. The forwarding behavior determines how a port that receives a packet forwards it to another port for transmission. Because all ports are associated with at least one VLAN, the switch acquires the...

Applying the ACL to an Interface or Terminal Line

After you create an ACL, you can apply it to one or more interfaces or terminal lines. ACLs can be applied on inbound interfaces. This section describes how to accomplish this task for both terminal lines and network interfaces. Note these guidelines: When controlling access to a line, you must use a number. Numbered ACLs and MAC extended ACLs can be applied to lines. When controlling access to an interface, you can use a name or number. Set identical restrictions on all the virtual terminal...

Changing the Switch-to-Client Retransmission Time

The client responds to the EAP-request/identity frame from the switch with an EAP-response/identity frame. If the switch does not receive this response, it waits a set period of time (known as the retransmission time), and then retransmits the frame. Note: You should change the default value of this command only to adjust for unusual circumstances such as unreliable links or specific behavioral problems with certain clients and authentication servers. Beginning in privileged EXEC mode, follow...

Chapter 12 Configuring Optional Spanning-Tree Features 12-1

- Understanding Optional Spanning-Tree Features 12-1
- Understanding Port Fast 12-2
- Understanding BPDU Guard 12-3
- Understanding BPDU Filtering 12-3
- Understanding UplinkFast 12-4
- Understanding Cross-Stack UplinkFast 12-5
- How CSUF Works 12-6
- Events that Cause Fast Convergence 12-7
- Limitations 12-8
- Connecting the Stack Ports 12-8
- Understanding BackboneFast 12-10
- Understanding Root Guard 12-12
- Understanding Loop Guard 12-13
- Configuring Optional Spanning-Tree Features 12-13
- Default Optional...

Chapter 7 Administering the Switch

- Preventing Unauthorized Access to Your Switch 7-1
- Protecting Access to Privileged EXEC Commands 7-2
- Default Password and Privilege Level Configuration 7-3
- Setting or Changing a Static Enable Password 7-3
- Protecting Enable and Enable Secret Passwords with Encryption 7-4
- Setting a Telnet Password for a Terminal Line 7-5
- Configuring Username and Password Pairs 7-6
- Configuring Multiple Privilege Levels 7-7
- Setting the Privilege Level for a Command 7-7
- Changing the Default Privilege Level for Lines...

Classification

Note: This feature is available only if your switch is running the enhanced software image. Classification is the process of distinguishing one kind of traffic from another by examining the fields in the packet. Classification occurs only on a physical-interface basis. No support exists for classifying packets at the VLAN or the switched virtual interface level. You specify which fields in the frame or packet you want to use to classify incoming traffic.

Classification Based on Class Maps and Policy Maps

A class map is a mechanism that you use to isolate and name a specific traffic flow (or class) from all other traffic. The class map defines the criteria used to match against a specific traffic flow to further classify it; the criteria can include matching the access group defined by the ACL. If you have more than one type of traffic that you want to classify, you can create another class map and use a different name. After a packet is matched against the class-map criteria, you further...

CMS Window Components

CMS windows consistently present configuration information. Figure 3-12 shows the components of a typical CMS window.
- OK saves your changes and closes the window.
- Modify displays a secondary window from which you can change settings.
- Click a row to select it. Press Shift, and left-click another row to select contiguous multiple rows. Press Ctrl, and left-click rows to select...

Colors in the Topology View

The colors of the Topology view icons show the status of the devices and links (Table 3-7, Table 3-8, and Table 3-9). The internal fan of the switch is not operating, or the switch is receiving power from an RPS. 1. Available only on the cluster members. One link is active, and at least one link is down or blocked. The color of a device label shows the cluster membership of the device (Table 3-10). Table 3-10 Device Label Colors A cluster member, either...

Configuring a Message-of-the-Day Login Banner

You can create a single-line or multiline message banner that appears on the screen when someone logs in to the switch. Beginning in privileged EXEC mode, follow these steps to configure a MOTD login banner: For c, enter the delimiting character of your choice, for example, a pound sign (#), and press the Return key. The delimiting character signifies the beginning and end of the banner text. Characters after the ending delimiter are discarded. For message, enter a banner message up to 255...

Configuring a Secondary Root Switch

When you configure a Catalyst 2950 switch that supports the extended system ID as the secondary root, the spanning-tree switch priority is modified from the default value (32768) to 28672. The switch is then likely to become the root switch for the specified instance if the primary root switch fails. This assumes that the other network switches use the default switch priority of 32768 and are therefore unlikely to become the root switch. For Catalyst 2950 switches without the extended...

Configuring and Enabling Port Security Aging

You can use port security aging to set the aging time for all secure addresses on a port. Two types of aging are supported per port: Absolute: The secure addresses on that port are deleted after the specified aging time. Inactivity: The secure addresses on this port are deleted only if the secure addresses are inactive for the specified aging time. Use this feature to remove and add PCs on a secure port without manually deleting the existing secure MAC addresses while still limiting the number of...

Configuring and Using Interface Range Macros

You can create an interface range macro to automatically select a range of interfaces for configuration. Before you can use the macro keyword in the interface range macro global configuration command string, you must use the define interface-range global configuration command to define the macro. Beginning in privileged EXEC mode, follow these steps to define an interface range macro: define interface-range macro_name interface-range: Define the interface-range macro, and save it in NVRAM. The...

Configuring Extended Range VLANs

When the switch is in VTP transparent mode (VTP disabled) and the enhanced software image is installed, you can create extended-range VLANs (in the range 1006 to 4094). Extended-range VLANs enable service providers to extend their infrastructure to a greater number of customers. The extended-range VLAN IDs are allowed for any switchport commands that allow VLAN IDs. You always use config-vlan mode (accessed by entering the vlan vlan-id global configuration command) to configure extended-range...

Configuring MVR Global Parameters

You do not need to set the optional MVR parameters if you choose to use the default settings. If you do want to change the default parameters (except for the MVR VLAN), you must first enable MVR. Beginning in privileged EXEC mode, follow these steps to configure MVR parameters: Configure an IP multicast address on the switch, or use the count parameter to configure a contiguous series of IP addresses. Any multicast data sent to this address is sent to all source ports on the switch and all...

Configuring MVR Interfaces

Beginning in privileged EXEC mode, follow these steps to configure MVR interfaces: Enter interface configuration mode, and enter the type and number of the port to configure, for example, gi0/1 or gigabitethernet0/1 for Gigabit Ethernet port 1. Configure an MVR port as one of these: source: Configure uplink ports that receive and send multicast data as source ports. Subscribers cannot be directly connected to source ports. All source ports on a switch belong to the single multicast VLAN....

Configuring NTP Broadcast Service

The communications between devices running NTP (known as associations) are usually statically configured; each device is given the IP addresses of all devices with which it should form associations. Accurate timekeeping is possible by exchanging NTP messages between each pair of devices with an association. However, in a LAN environment, NTP can be configured to use IP broadcast messages instead. This alternative reduces configuration complexity because each device can simply be configured to...

Configuring Port-Based Traffic Control

This chapter describes how to configure the port-based traffic control features on your switch. Note: For complete syntax and usage information for the commands used in this chapter, refer to the Catalyst 2950 Desktop Switch Command Reference for this release. This chapter consists of these sections:
- Configuring Storm Control, page 17-1
- Configuring Protected Ports, page 17-3
- Configuring Port Security, page 17-3
- Configuring and Enabling Port Security Aging, page 17-6
- Displaying Port-Based Traffic...

Configuring STP for Use in a Cascaded Stack

STP uses default values that can be reduced when configuring your switch in cascaded configurations. If a root switch is part of a cluster that is one switch from a cascaded stack, you can customize spanning tree to reconverge more quickly after a switch failure. Figure 10-4 shows switches in three cascaded stacks that use the GigaStack GBIC. Table 10-4 shows the default STP settings and those that are acceptable for these configurations. Table 10-4 Default and Acceptable STP Parameter Settings...

Configuring the CoS-to-DSCP Map

You use the CoS-to-DSCP map to map CoS values in incoming packets to a DSCP value that QoS uses internally to represent the priority of the traffic. Table 24-3 shows the default CoS-to-DSCP map. If these values are not appropriate for your network, you need to modify them. Beginning in privileged EXEC mode, follow these steps to modify the CoS-to-DSCP map: For dscp1 ... dscp8, enter 8 DSCP values that correspond to CoS values 0 to 7. Separate each DSCP value with a space. The supported DSCP values...

Configuring the DSCP-to-CoS Map

You use the DSCP-to-CoS map to map DSCP values in incoming packets to a CoS value, which is used to select one of the four egress queues. The Catalyst 2950 switches support these DSCP values: 0, 8, 10, 16, 18, 24, 26, 32, 34, 40, 46, 48, and 56. Table 24-4 shows the default DSCP-to-CoS map. If these values are not appropriate for your network, you need to modify them. Beginning in privileged EXEC mode, follow these steps to modify the...

Configuring the Forwarding Delay Time

Beginning in privileged EXEC mode, follow these steps to configure the forwarding-delay time for all MST instances: spanning-tree mst forward-time seconds: Configure the forward time for all MST instances. The forward delay is the number of seconds a port waits before changing from its spanning-tree learning and listening states to the forwarding state. For seconds, the range is 4 to 30; the default is 15. (Optional) Save your entries in the configuration file. To return the switch to its default...

Configuring the Path Cost

The spanning-tree path cost default value is derived from the media speed of an interface. If a loop occurs, spanning tree uses cost when selecting an interface to put in the forwarding state. You can assign lower cost values to interfaces that you want selected first and higher cost values to interfaces that you want selected last. If all interfaces have the same cost value, spanning tree puts the interface with the lowest interface number in the forwarding state and blocks the other interfaces. Spanning...

Configuring the Source IP Address for NTP Packets

When the switch sends an NTP packet, the source IP address is normally set to the address of the interface through which the NTP packet is sent. Use the ntp source global configuration command when you want to use a particular source IP address for all NTP packets. The address is taken from the specified interface. This command is useful if the address on an interface cannot be used as the destination for reply packets. Beginning in privileged EXEC mode, follow these steps to configure a...

Configuring the Switch for Local Authentication and Authorization

You can configure AAA to operate without a server by setting the switch to implement AAA in local mode. The switch then handles authentication and authorization. No accounting is available in this configuration. Beginning in privileged EXEC mode, follow these steps to configure the switch for local AAA: aaa authentication login default local: Set the login authentication to use the local username database. The default keyword applies the local user database authentication to all interfaces....

Configuring the Switch for Secure Shell

This section describes how to configure the Secure Shell (SSH) feature. To use this feature, the crypto (encrypted) software image must be installed on your switch. You must download this software image from Cisco.com. For more information, refer to the release notes for this release. Note: For complete syntax and usage information for the commands used in this section, refer to the Secure Shell Commands section in the Cisco IOS Security Command Reference for Release 12.2.

Configuring the Switch for Vendor-Proprietary RADIUS Server Communication

Although an IETF draft standard for RADIUS specifies a method for communicating vendor-proprietary information between the switch and the RADIUS server, some vendors have extended the RADIUS attribute set in a unique way. Cisco IOS software supports a subset of vendor-proprietary RADIUS attributes. As mentioned earlier, to configure RADIUS (whether vendor-proprietary or IETF draft-compliant), you must specify the host running the RADIUS server daemon and the secret text string it shares with...

Configuring UNIX Syslog Servers

The next sections describe how to configure the UNIX server syslog daemon and define the UNIX system logging facility.

Logging Messages to a UNIX Syslog Daemon

Before you can send system log messages to a UNIX syslog server, you must configure the syslog daemon on a UNIX server. Log in as root, and perform these steps: Some recent versions of UNIX syslog daemons no longer accept by default syslog packets from the network. If this is the case with your system, use the UNIX man syslogd command to...

Configuring VLAN Trunks

These sections describe how VLAN trunks function on the switch:
- Trunking Overview, page 13-18
- 802.1Q Configuration Considerations, page 13-20
- Default Layer 2 Ethernet Interface VLAN Configuration, page 13-21

A trunk is a point-to-point link between one or more Ethernet switch interfaces and another networking device such as a router or a switch. Fast Ethernet and Gigabit Ethernet trunks carry the traffic of multiple VLANs over a single link, and you can extend the VLANs across an entire network....

Configuring Voice VLAN

These are the voice VLAN configuration guidelines:
- You should configure voice VLAN on access ports.
- The Port Fast feature is automatically enabled when voice VLAN is configured. When you disable voice VLAN, the Port Fast feature is not automatically disabled.
- If you enable port security on a voice VLAN port and if there is a PC connected to the IP phone, you should set the maximum allowed secure addresses on the port to more than 1.
- You cannot configure static secure MAC addresses in the voice...

CoS and WRR

The Catalyst 2950 switches support four CoS queues for each egress port. For each queue, you can specify these types of scheduling: Strict priority scheduling: Strict priority scheduling is based on the priority of queues. Queues can have priorities from 0 to 7, 7 being the highest. Packets in the high-priority queue always transmit first, and packets in the low-priority queue do not transmit until all the high-priority queues become empty. Weighted round-robin (WRR) scheduling: WRR scheduling requires you to specify a...

Creating a Numbered Standard ACL

Beginning in privileged EXEC mode, follow these steps to create a numbered standard ACL: access-list access-list-number {deny | permit | remark} {source source-wildcard | host source | any}: Define a standard IP ACL by using a source address and wildcard. The access-list-number is a decimal number from 1 to 99 or 1300 to 1999. Enter deny or permit to specify whether to deny or permit access if conditions are matched. The source is the source address of the network or host from which the packet is being sent...

Creating MAC Access Groups

Beginning in privileged EXEC mode, follow these steps to create MAC access groups: Identify a specific interface for configuration, and enter interface configuration mode. The interface must be a Layer 2 interface. Control access to the specified interface. Display the MAC ACLs applied to the interface. (Optional) Save your entries in the configuration file. This example shows how to apply ACL 2 on Gigabit Ethernet interface 0/1 to filter packets entering the interface: Switch(config)# interface...

Creating Named Standard and Extended ACLs

You can identify IP ACLs with an alphanumeric string (a name) rather than a number. You can use named ACLs to configure more IP access lists on a switch than if you use numbered access lists. If you identify your access list with a name rather than a number, the mode and command syntax are slightly different. However, not all commands that use IP access lists accept a named ACL. Note: The name you give to a standard ACL or extended ACL can also be a number in the supported range of access list...

Default NTP Configuration

Table 7-2 shows the default NTP configuration.

Table 7-2 Default NTP Configuration
- NTP authentication: Disabled. No authentication key is specified.
- NTP broadcast service: Disabled; no interface sends or receives NTP broadcast packets.
- NTP packet source IP address: The source address is determined by the outgoing interface.
- NTP is enabled on all interfaces by default. All interfaces receive NTP packets.

Default Optional Spanning Tree Configuration

Table 12-1 shows the default optional spanning-tree configuration.

Table 12-1 Default Optional Spanning-Tree Configuration
- Port Fast, BPDU filtering, BPDU guard: Globally disabled on the switch (unless they are individually configured per interface).

Default Password and Privilege Level Configuration

Table 7-1 shows the default password and privilege level configuration.

Table 7-1 Default Password and Privilege Levels
- Enable password and privilege level: No password is defined. The default is level 15 (privileged EXEC level). The password is not encrypted in the configuration file.
- Enable secret password and privilege level: No password is defined. The default is level 15 (privileged EXEC level). The password is encrypted before it is written to the configuration file.

Setting or...

Default System Message Logging Configuration

Table 21-2 shows the default system message logging configuration.

Table 21-2 Default System Message Logging Configuration
- System message logging to the console
- Debugging (and numerically lower levels; see Table 21-3 on page 21-9).
- Local7 (see Table 21-4 on page 21-12).
- Informational (and numerically lower levels; see Table 21-3 on page 21-9).

Design Concepts for Using the Switch

As your network users compete for network bandwidth, it takes longer to send and receive data. When you configure your network, consider the bandwidth required by your network users and the relative priority of the network applications they use. Table 1-2 describes what can cause network performance to degrade and how you can configure your network to increase the bandwidth available to your network users. Table 1-2 Increasing Network Performance Too...

Device Popup Menu

You can display all switch and cluster configuration windows from the menu bar, or you can display commonly used configuration windows from the device popup menu (Table 3-13). To display the device popup menu, click the switch icon from the cluster tree or the front-panel image itself, and right-click. Launch Device Manager for the switch. Display graphs that plot the total bandwidth in use. Display information about the device and port on either end of the link and the state of the link. 1....

Device Popup Menus

Specific devices in the Topology view display a specific popup menu:
- Command switch (Table 3-17)
- Member or standby command switch (Table 3-18)
- Candidate switch with an IP address (Table 3-19)
- Candidate switch without an IP address (Table 3-20)
- Neighboring devices (Table 3-21)

The Device Manager option in these popup menus is available in read-only mode on Catalyst 2900 XL and Catalyst 3500 XL switches running Release 12.0(5)WC2 and later. It is also available on Catalyst 2950 switches running...

DHCP Client Request Process

When you boot your switch, the DHCP client can be invoked and automatically request configuration information from a DHCP server when the configuration file is not present on the switch. Figure 4-1 shows the sequence of messages that are exchanged between the DHCP client and the DHCP server.

Figure 4-1 DHCP Request for IP Information from a DHCP Server

The client, Switch A, broadcasts a DHCPDISCOVER message to locate a DHCP server. The DHCP server offers configuration parameters (such as an IP...

Disabling and Enabling CDP

Note: Creating and maintaining switch clusters is based on the regular exchange of CDP messages. Disabling CDP can interrupt cluster discovery. For more information, see Chapter 6, Clustering Switches. Beginning in privileged EXEC mode, follow these steps to disable the CDP device discovery capability. Beginning in privileged EXEC mode, follow these steps to enable CDP when it has been disabled. This example shows how to enable CDP if it has been disabled:
Switch(config)# cdp run
Switch(config)# end

Discovery through CDP Hops

By using CDP, a command switch can discover switches up to seven CDP hops away (the default is three hops) from the edge of the cluster. The edge of the cluster is where the last member switches are connected to the cluster and to candidate switches. For example, member switches 9 and 10 in Figure 6-1 are at the edge of the cluster. You can set the number of hops the command switch searches for candidate and member switches by selecting Cluster > Hop Count. When new candidate switches are...

Displaying EtherChannel and PAgP Status

You can use the user EXEC commands described in Table 25-3 to display EtherChannel and PAgP status information.

Table 25-3 Commands for Displaying EtherChannel and PAgP Status
- show etherchannel [channel-group-number] {brief | detail | load-balance | port | port-channel | summary}: Displays EtherChannel information in a brief, detailed, and one-line summary form. Also displays the load-balance or frame-distribution scheme, port, and port-channel...

Displaying IGMP Snooping Information

You can display IGMP snooping information for dynamically learned and statically configured router ports and VLAN interfaces. You can also display MAC address multicast entries for a VLAN configured for IGMP snooping. To display IGMP snooping information, use one or more of the privileged EXEC commands in Table 16-4.

Table 16-4 Commands for Displaying IGMP Snooping Information
- show ip igmp snooping [vlan vlan-id]: Display the snooping...

Displaying Port-Based Traffic Control Settings

The show interfaces interface-id switchport privileged EXEC command displays (among other characteristics) the interface traffic suppression and control configuration. The show interfaces counters privileged EXEC command displays the count of discarded packets. The show storm-control and show port-security privileged EXEC commands display the settings of those features. To display traffic control information, use one or more of the privileged EXEC commands in...

Displaying QoS Information

To display the current QoS information, use one or more of the privileged EXEC commands in Table 24-5.

Table 24-5 Commands for Displaying QoS Information
- Display QoS class maps, which define the match criteria to classify traffic.
- show policy-map [policy-map-name [class class-name]]: Display QoS policy maps, which define classification criteria for incoming traffic.
- show mls qos maps [cos-dscp | dscp-cos]: Display QoS mapping information. Maps are used to generate an internal DSCP value, which...

Displaying the Logging Configuration

To display the current logging configuration and the contents of the log buffer, use the show logging privileged EXEC command. For information about the fields in this display, refer to the Cisco IOS Configuration Fundamentals Command Reference for Release 12.1.

This chapter describes how to configure the Simple Network Management Protocol (SNMP) on your switch. For complete syntax and usage information for the commands used in this chapter, refer to the Catalyst 2950 Desktop Switch Command...

Displaying the MST Configuration and Status

To display the spanning-tree status, use one or more of the privileged EXEC commands in Table 11-4.

Table 11-4 Commands for Displaying MST Status
- show spanning-tree mst configuration: Displays the MST region configuration.
- Displays MST information for the specified instance.
- show spanning-tree mst interface interface-id: Displays MST information for the specified interface. Valid interfaces include physical ports, VLANs, and port channels. The valid VLAN range is 1 to 4094; the valid port-channel...

Enabling an Initial Configuration

Step 2: cns config connect-intf interface-prefix [ping-interval seconds] [retries num]: Enter the connect-interface-config submode, and specify the interface for connecting to the Configuration Registrar. Enter the interface-prefix for the connecting interface. You must specify the interface type but need not specify the interface number. (Optional) For ping-interval seconds, enter the interval between successive ping attempts. The range is 1 to 30 seconds. The default is 10 seconds. (Optional) For...

Enabling BPDU Guard

When you globally enable BPDU guard on ports that are Port Fast-enabled (the ports are in a Port Fast-operational state), spanning tree shuts down Port Fast-enabled ports that receive BPDUs. In a valid configuration, Port Fast-enabled ports do not receive BPDUs. Receiving a BPDU on a Port Fast-enabled port signals an invalid configuration, such as the connection of an unauthorized device, and the BPDU guard feature puts the port in the error-disabled state. The BPDU guard feature provides a...

Enabling Cross-Stack UplinkFast

Before enabling CSUF, make sure your stack switches are properly connected. For more information, see the Connecting the Stack Ports section on page 12-8. The CSUF feature is supported only when the switch is running PVST. Beginning in privileged EXEC mode, follow these steps to enable CSUF: Step 1: configure terminal: Enter global configuration mode. (Optional) For max-update-rate pkts-per-second, specify the number of packets per second at which update packets are sent. The range is 0 to 65535...

Enabling IGMP Immediate-Leave Processing

When you enable IGMP Immediate-Leave processing, the switch immediately removes a port from the IP multicast group when it detects an IGMP version 2 leave message on that port. Immediate-Leave processing allows the switch to remove an interface that sends a leave message from the forwarding table without first sending out group-specific queries to the interface. You should use the Immediate-Leave feature only when there is only a single receiver present on every port in the VLAN....

Enabling Root Guard

Root guard enabled on an interface applies to all the VLANs to which the interface belongs. Do not enable the root guard on interfaces to be used by the UplinkFast feature. With UplinkFast, the backup interfaces (in the blocked state) replace the root port in the case of a failure. However, if root guard is also enabled, all the backup interfaces used by the UplinkFast feature are placed in the root-inconsistent state (blocked) and are prevented from reaching the forwarding state. You cannot...

Enabling UplinkFast for Use with Redundant Links

UplinkFast cannot be enabled on VLANs that have been configured for switch priority. To enable UplinkFast on a VLAN with switch priority configured, first restore the switch priority on the VLAN to the default value by using the no spanning-tree vlan vlan-id priority global configuration command. Note: When you enable UplinkFast, it affects all VLANs on the switch. You cannot configure UplinkFast on an individual VLAN. The UplinkFast feature is supported only when the switch is running PVST....

Examples for Compiling ACLs

For detailed information about compiling ACLs, refer to the Security Configuration Guide and the IP Services chapter of the Cisco IOS IP and IP Routing Configuration Guide for IOS Release 12.1. Figure 23-2 shows a small networked office with a stack of Catalyst 2950 switches that are connected to a Cisco router. A host is connected to the network through the Internet using a WAN link. Create a standard ACL, and filter traffic from a specific Internet host with an address 172.20.128.64. Create...

HTTP Access to CMS

CMS uses Hypertext Transfer Protocol (HTTP), which is an in-band form of communication with the switch through any one of its Ethernet ports and that allows switch management from a standard web browser. The default HTTP port is 80. If you change the HTTP port, you must include the new port number when you enter the IP address in the browser Location or Address field (for example, http://10.1.126.45:184, where 184 is the new HTTP port number). Do not disable or otherwise misconfigure the port...

Info

A VTP domain (also called a VLAN management domain) consists of one switch or several interconnected switches under the same administrative responsibility sharing the same VTP domain name. A switch can be in only one VTP domain. You make global VLAN configuration changes for the domain by using the command-line interface (CLI), Cluster Management Suite (CMS) software, or Simple Network Management Protocol (SNMP). By default, the switch is in the VTP no-management-domain state until it receives an...

Limiting Syslog Messages Sent to the History Table and to SNMP

If you have enabled syslog message traps to be sent to an SNMP network management station by using the snmp-server enable trap global configuration command, you can change the level of messages sent and stored in the switch history table. You can also change the number of messages that are stored in the history table. Messages are stored in the history table because SNMP traps are not guaranteed to reach their destination. By default, one message of the level warning and numerically lower...

Managing the System Time and Date

You can manage the system time and date on your switch using automatic methods, such as the Network Time Protocol (NTP), or manual configuration methods. Note: For complete syntax and usage information for the commands used in this section, refer to the Cisco IOS Configuration Fundamentals Command Reference for Release 12.1. This section contains this configuration information:
- Understanding the System Clock, page 7-33
- Understanding Network Time Protocol, page 7-33
- Configuring Time and Date Manually,...

Monitoring Interface and Controller Status

Commands entered at the privileged EXEC prompt display information about the interface, including the version of the software and the hardware, the controller status, and statistics about the interfaces. Table 9-2 lists some of these interface monitoring commands. (You can display the full list of show commands by using the show ? command at the privileged EXEC prompt.) These commands are fully described in the Cisco IOS Interface Command Reference for Release 12.1. Table 9-2 Show Commands for...

Multidwelling Network Using Catalyst 2950 Switches

A growing segment of residential and commercial customers are requiring high-speed access to Ethernet metropolitan-area networks (MANs). Figure 1-5 shows a configuration for a Gigabit Ethernet MAN ring using Catalyst 3550 multilayer switches as aggregation switches in the mini-point-of-presence (POP) location. These switches are connected through 1000BASE-X GBIC ports. The resident switches can be Catalyst 2950 switches, providing customers with high-speed connections to the MAN. Catalyst...

Name Space Mapper

The Configuration Registrar includes the NameSpace Mapper (NSM) that provides a lookup service for managing logical groups of devices based on application, device ID or group ID, and event. Cisco IOS devices recognize only event subject-names that match those configured in Cisco IOS software; for example, cisco.cns.config.load. You can use the namespace mapping service to designate events by using any desired naming convention. When you have populated your data store with your subject names, NSM...

Other Considerations for Cluster Standby Groups

Standby command switches must meet these requirements:
- When the command switch is a Catalyst 3550 switch, all standby command switches must be Catalyst 3550 switches.
- When the command switch is a Catalyst 2950 switch running Release 12.1(9)EA1 or later, all standby command switches must be Catalyst 2950 switches running Release 12.1(9)EA1 or later.
- When the command switch is a Catalyst 2950 switch running Release 12.1(6)EA2 or later, all standby command switches must be Catalyst 2950...

Policing and Marking

Note This feature is available only if your switch is running the enhanced software image. Policing involves creating a policer that specifies the bandwidth limits for the traffic. Packets that exceed the limits are out of profile or nonconforming. Each policer specifies the action to take for packets that are in or out of profile. These actions, carried out by the marker, include dropping the packet or marking down the packet with a new value that is user-defined. You can create this type of...

Port Scheduling

Each port on the switch has a single receive queue buffer (the ingress port) for incoming traffic. When an untagged frame arrives, it is assigned the value of the port as its port default priority. You assign this value by using the CLI or CMS. A tagged frame continues to use its assigned CoS value when it passes through the ingress port. CoS configures each transmit port (the egress port) with a normal-priority transmit queue and a high-priority transmit queue, depending on the frame tag or...

Procedures for Configuring Interfaces

These general instructions apply to all interface configuration processes.

Step 1 Enter the configure terminal command at the privileged EXEC prompt:

Enter configuration commands, one per line. End with CNTL/Z.
Switch(config)#

Step 2 Enter the interface global configuration command. Identify the interface type and the number of the connector. In this example, Gigabit Ethernet interface 0/1 is selected:

Switch(config)# interface gigabitethernet0/1

Note You do not need to add a space between the...

QoS Configuration Examples

These examples are applicable only if your switch is running the enhanced software image. This section provides a QoS migration path to help you quickly implement QoS features based on your existing network and planned changes to your network, as shown in Figure 24-4. It contains this information QoS Configuration for the Common Wiring Closet, page 24-26 QoS Configuration for the Intelligent Wiring Closet, page 24-27 Figure 24-4 QoS Configuration Example Network Existing wiring closet Catalyst...

Replacing a Failed Command Switch with Another Switch

To replace a failed command switch with a switch that is command-capable but not part of the cluster, follow these steps:

Step 1 Insert the new switch in place of the failed command switch, and duplicate its connections to the cluster members.

Step 2 Start a CLI session on the new command switch. You can access the CLI by using the console port or, if an IP address has been assigned to the switch, by using Telnet. For details about using the console port, refer to the switch hardware...

Resetting the 802.1X Configuration to the Default Values

You can reset the 802.1X configuration to the default values with a single command. Beginning in privileged EXEC mode, follow these steps to reset the 802.1X configuration to the default values Reset the configurable 802.1X parameters to the default values. (Optional) Save your entries in the configuration file.

Saving Configuration Changes

The show command always displays the running configuration of the switch. When you make a configuration change to a switch or switch cluster, the change becomes part of the running configuration. The change does not automatically become part of the config.text file in Flash memory, which is the startup configuration used each time the switch restarts. If you do not save your changes to Flash memory, they are lost when the switch restarts. To save all configuration changes to Flash memory, you...

Setting Speed and Duplex Parameters

Beginning in privileged EXEC mode, follow these steps to set the speed and duplex parameters on a port: Enter interface configuration mode, and enter the port to be configured. Enter the speed parameter for the port. The 10/100/1000 ports operate only in full-duplex mode. The GBIC-module ports operate only at 1000 Mbps. 100BASE-FX ports operate only at 100 Mbps in full-duplex mode. Note The Catalyst 2950C-24 does not support the speed and duplex interface configuration commands in Release...

SNMP Manager Functions

The SNMP manager uses information in the MIB to perform the operations described in Table 22-1. Retrieves a value from a specific variable. Retrieves a value from a variable within a table.1 Retrieves large blocks of data, such as multiple rows in a table, that would otherwise require the transmission of many small blocks of data. Replies to a get-request, get-next-request, and set-request sent by an NMS. Stores a value in a specific variable. An unsolicited message sent by an SNMP agent to an...

SPAN Concepts and Terminology

This section describes concepts and terminology associated with SPAN configuration. A SPAN session is an association of a destination port with source ports. You can monitor incoming or outgoing traffic on a series or range of ports. SPAN sessions do not interfere with the normal operation of the switch. You can configure SPAN sessions on disabled ports; however, a SPAN session does not become active unless you enable the destination port and at least one source port. The show monitor session...

Spanning Tree Interface States

An interface moves through these states:
- From initialization to blocking
- From blocking to listening or to disabled
- From listening to learning or to disabled
- From learning to forwarding or to disabled
- From forwarding to disabled

Figure 10-2 illustrates how an interface moves through the states. Figure 10-2 Spanning-Tree Interface States When you power up the switch, STP is enabled by default, and every interface in the switch, VLAN, or network goes...

Specifying the Link Type to Ensure Rapid Transitions

If you connect a port to another port through a point-to-point link and the local port becomes a designated port, the RSTP negotiates a rapid transition with the other port by using the proposal-agreement handshake to ensure a loop-free topology as described in the Rapid Convergence section on page 11-3. By default, the link type is determined from the duplex mode of the interface: a full-duplex port is considered to have a point-to-point connection; a half-duplex port is considered to have a...

Step 3 aaa new-model

Step 4 aaa group server radius group-name Define the AAA server-group with a group name. This command puts the switch in a server group configuration mode. Associate a particular RADIUS server with the defined server group. Repeat this step for each RADIUS server in the AAA server group. Each server in the group must be previously defined in Step 2. (Optional) Save your entries in the configuration file. Enable RADIUS...

T

Table 16-2 Updated Multicast Forwarding Table The router sends periodic IP multicast general queries, and the switch responds to these queries with one join response per MAC multicast group. As long as at least one host in the VLAN needs multicast traffic, the switch responds to the router queries, and the router continues forwarding the multicast traffic to the VLAN. The switch only forwards IP multicast group traffic to those hosts listed in the...

Troubleshooting CMS Sessions

Table 26-2 lists problems commonly encountered when using CMS. Table 26-2 Common CMS Session Problems A blank screen appears when you click Web Console from the CMS access page. A missing Java plug-in or incorrect settings could cause this problem. CMS requires a Java plug-in in order to function correctly. For instructions on downloading and installing the plug-ins, refer to the Release Notes for the Catalyst 2950 for this release. Note If your PC is connected to the Internet when you attempt to...

Understanding BPDU Guard

The BPDU guard feature can be globally enabled on the switch or can be enabled per interface, but the feature operates with some differences. At the global level, you can enable BPDU guard on Port Fast-enabled ports by using the spanning-tree portfast bpduguard default global configuration command. Spanning tree shuts down ports that are in a Port Fast-operational state. In a valid configuration, Port Fast-enabled ports do not receive BPDUs. Receiving a BPDU on a Port Fast-enabled port signals...

Understanding CLI Messages

Table 2-3 lists some error messages that you might encounter while using the CLI to configure your switch. Ambiguous command show con You did not enter enough characters for your switch to recognize the command. Re-enter the command followed by a question mark (?) with a space between the command and the question mark. The possible keywords that you can enter with the command appear. You did not enter all of the keywords or values required by this command. Re-enter the command followed by a...

Understanding EtherChannels

EtherChannel consists of individual Fast Ethernet or Gigabit Ethernet links bundled into a single logical link as shown in Figure 25-1. The EtherChannel provides full-duplex bandwidth up to 800 Mbps (Fast EtherChannel) or 2 Gbps (Gigabit EtherChannel) between your switch and another switch or host. Each EtherChannel can consist of up to eight compatibly configured Ethernet interfaces. All interfaces in each EtherChannel must be the same speed, and all must be configured as Layer 2 interfaces. ...

Understanding IE2100 Series Configuration Registrar Software

The IE2100 Series Configuration Registrar is a network management device that acts as a configuration service for automating the deployment and management of network devices and services (see Figure 5-1). Each Configuration Registrar manages a group of Cisco IOS devices (switches and routers) and the services that they deliver, storing their configurations and delivering them as needed. The Configuration Registrar automates initial configurations and configuration updates by generating...

Understanding Network Time Protocol

The NTP is designed to time-synchronize a network of devices. NTP runs over User Datagram Protocol (UDP), which runs over IP. NTP is documented in RFC 1305. An NTP network usually gets its time from an authoritative time source, such as a radio clock or an atomic clock attached to a time server. NTP then distributes this time across the network. NTP is extremely efficient; no more than one packet per minute is necessary to synchronize two devices to within a millisecond of one another. NTP uses...

Understanding Port Channel Interfaces

When you create an EtherChannel for Layer 2 interfaces, a logical interface is dynamically created. You then manually assign an interface to the EtherChannel by using the channel-group interface configuration command as shown in Figure 25-2. Each EtherChannel has a logical port-channel interface numbered from 1 to 6. Figure 25-2 Relationship of Physical Ports, Logical Port Channels, and Channel Groups After...

Understanding Root Guard

The Layer 2 network of a service provider (SP) can include many connections to switches that are not owned by the SP. In such a topology, the spanning tree can reconfigure itself and select a customer switch as the root switch, as shown in Figure 12-10. You can avoid this situation by configuring root guard on interfaces that connect to switches outside of your customer's network. If spanning-tree calculations cause an interface in the customer network to be selected as the root port, root...

Understanding Switch Clusters

A switch cluster is a group of connected Catalyst switches that are managed as a single entity. In a switch cluster, 1 switch must be the command switch and up to 15 switches can be member switches. The total number of switches in a cluster cannot exceed 16 switches. The command switch is the single point of access used to configure, manage, and monitor the member switches. Cluster members can belong to only one cluster at a time. The benefits of clustering switches include Management of...

Understanding the System Clock

The heart of the time service is the system clock. This clock runs from the moment the system starts up and keeps track of the current date and time. The system clock can then be set from these sources The system clock can provide time to these services Logging and debugging messages The system clock keeps track of time internally based on Universal Time Coordinated (UTC), also known as Greenwich Mean Time (GMT). You can configure information about the local time zone and summer time (daylight...

Understanding UplinkFast

Switches in hierarchical networks can be grouped into backbone switches, distribution switches, and access switches. Figure 12-2 shows a complex network where distribution switches and access switches each have at least one redundant link that spanning tree blocks to prevent loops. Figure 12-2 Switches in a Hierarchical Network If a switch loses connectivity, it begins using the alternate paths as soon as the spanning tree selects a new root port....

Using Host Name, DeviceID, and ConfigID

In standalone mode, when a host name value is set for a switch, the configuration server uses the host name as the deviceID when an event is sent on host name. If the host name has not been set, the event is sent on the cn=<value> of the device. In server mode, the host name is not used. In this mode, the unique deviceID attribute is always used for sending an event on the bus. If this attribute is not set, you cannot update the switch. These and other associated attributes (tag value...

Using SNMP to Access MIB Variables

An example of an NMS is the CiscoWorks network management software. CiscoWorks 2000 software uses the switch MIB variables to set device variables and to poll devices on the network for specific information. The results of a poll can be displayed as a graph and analyzed to troubleshoot internetworking problems, increase network performance, verify the configuration of devices, monitor traffic loads, and more. As shown in Figure 22-1, the SNMP agent gathers data from the MIB. The agent can send...

V

Note When the switch is in VTP transparent mode and the enhanced software image is installed, you can assign VLAN IDs greater than 1006, but they are not added to the VLAN database. See the Configuring Extended-Range VLANs section on page 13-14. For the list of default parameters that are assigned when you add a VLAN, see the Configuring Normal-Range VLANs section on page 13-6. Beginning in privileged EXEC mode, follow these steps to use config-vlan mode to create or modify an Ethernet VLAN...

Verifying a Switch Cluster

When you finish adding cluster members, follow these steps to verify the cluster Step 1 Enter the command switch IP address in the browser Location field (Netscape Communicator) or Address field (Microsoft Internet Explorer) to access all switches in the cluster. Step 2 Enter the command-switch password. Step 3 Select View > Topology to display the cluster topology and to view link information (Figure 3-6 on page 3-10). For complete information about the Topology view, including descriptions...

VLAN Port Membership Modes

You configure a port to belong to a VLAN by assigning a membership mode that determines the kind of traffic the port carries and the number of VLANs to which it can belong. Table 13-2 lists the membership modes and membership and VTP characteristics. A static-access port can belong to one VLAN and is manually assigned to that VLAN. For more information, see the Assigning Static-Access Ports to a VLAN section on page 13-13. VTP is not required. If you do not want VTP to globally propagate...

Applying IGMP Profiles

To control access as defined in an IGMP profile, use the ip igmp filter interface configuration command to apply the profile to the appropriate interfaces. You can apply IGMP profiles to Layer 2 ports only; you cannot apply IGMP profiles to SVIs. You can apply a profile to multiple interfaces, but each interface can only have one profile applied to it. Beginning in privileged EXEC mode, follow these steps to apply an IGMP profile to a switch port: Enter interface configuration mode, and enter the...

Configuring Trap Managers and Enabling Traps

A trap manager is a management station that receives and processes traps. Traps are system alerts that the switch generates when certain events occur. By default, no trap manager is defined, and no traps are issued. Switches running this IOS release can have an unlimited number of trap managers. Community strings can be any length. Table 22-3 describes the supported switch traps (notification types). You can enable any or all of these traps and configure a trap manager to receive them. Table...

Afo

Note You cannot remove VLAN 1 or VLANs 1002 to 1005 from the allowed-VLAN list. A trunk port can become a member of a VLAN if the VLAN is enabled, if VTP knows of the VLAN, and if the VLAN is in the allowed list for the port. When VTP detects a newly enabled VLAN and the VLAN is in the allowed list for a trunk port, the trunk port automatically becomes a member of the enabled VLAN. When VTP detects a new VLAN and the VLAN is not in the allowed list for a trunk port, the trunk port does not...

Configuring VTP

This section includes guidelines and procedures for configuring VTP. These sections are included Default VTP Configuration, page 14-6 VTP Configuration Options, page 14-7 VTP Configuration Guidelines, page 14-8 Configuring a VTP Server, page 14-9 Configuring a VTP Client, page 14-11 Disabling VTP (VTP Transparent Mode), page 14-12 Enabling VTP Version 2, page 14-13 Enabling VTP Pruning, page 14-14 Adding a VTP Client Switch to a VTP Domain, page 14-15 Table 14-2 shows the default VTP...

Configuring VMPS

The Catalyst 2950 switch cannot be a VMPS server but can act as a client to the VMPS and communicate with it through the VLAN Query Protocol (VQP). VMPS dynamically assigns dynamic access port VLAN membership. This section includes this information about configuring VMPS Understanding VMPS section on page 13-30 Default VMPS Configuration section on page 13-33 VMPS Configuration Guidelines section on page 13-33 Configuring the VMPS Client section on page 13-34 Monitoring the VMPS section on page...