Access Modes in CMS

CMS provides two levels of access to the configuration options: read-write access and read-only access. Privilege levels 0 to 15 are supported. Privilege level 15 provides read-write access to CMS; privilege levels 1 to 14 provide read-only access. Options in the CMS windows, menu bar, toolbar, and popup menus that would change the switch or cluster configuration are not shown in read-only mode. Privilege level 0 denies access to CMS. For more information about CMS access...

Adding a Description for an Interface

You can add a description to an interface to help you remember its function. The description appears in the output of these commands: show configuration, show running-config, and show interfaces. Beginning in privileged EXEC mode, follow these steps to add a description for an interface: enter interface configuration mode, specifying the interface for which you are adding a description; then add a description (up to 240 characters) for the interface. show interfaces interface-id description...

Adding and Removing Secure Addresses

A secure address is a manually entered unicast address or a dynamically learned address that is forwarded to only one port per VLAN. If you enter a static address that is already assigned to another port, the request is rejected. Secure addresses can be learned dynamically as long as the configured secure addresses have not reached the maximum limit of the port. Beginning in privileged EXEC mode, follow these steps to add a secure address: identify a specific interface for configuration, and enter...

Adding and Removing Static Address Entries

A static address has these characteristics:
- It is manually entered in the address table and must be manually removed.
- It can be a unicast or multicast address.
- It does not age and is retained when the switch restarts.
You can add and remove static addresses and define the forwarding behavior for them. The forwarding behavior determines how a port that receives a packet forwards it to another port for transmission. Because all ports are associated with at least one VLAN, the switch acquires the...

Adding Member Switches

As explained in the Automatic Discovery of Cluster Candidates and Members section on page 6-5, the command switch automatically discovers candidate switches. When you add new cluster-capable switches to the network, the command switch discovers them and adds them to a list of candidate switches. To display an updated cluster candidates list from the Add to Cluster window (Figure 6-11), either relaunch CMS and redisplay this window, or follow these steps: 1. Close the Add to Cluster window.

Applying the ACL to an Interface or Terminal Line

After you create an ACL, you can apply it to one or more interfaces or terminal lines. ACLs can be applied on inbound interfaces. This section describes how to accomplish this task for both terminal lines and network interfaces. Note these guidelines: When controlling access to a line, you must use a number; numbered ACLs and MAC extended ACLs can be applied to lines. When controlling access to an interface, you can use a name or a number. Set identical restrictions on all the virtual terminal...

Authentication Initiation and Message Exchange

The switch or the client can initiate authentication. If you enable authentication on a port by using the dot1x port-control auto interface configuration command, the switch must initiate authentication when it determines that the port link state has transitioned from down to up. It then sends an EAP-request/identity frame to the client to request its identity (typically, the switch sends an initial identity request frame followed by one or more requests for authentication information). Upon receipt...
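The request/response pair described above, encoded and decoded end to end. This is an added example, not code from the Catalyst 2950 guide: it follows the IEEE 802.1X EAPOL and RFC 3748 EAP frame layouts, and the identifier value and client identity it uses are constructed. The parser rejects frames whose declared lengths do not match the bytes received, which is the check a switch-side implementation needs before it trusts the identity it forwards to the authentication server.

```python
"""Encode and decode the exchange described above: the authenticator (switch)
sends an EAP-Request/Identity inside an EAPOL frame when the port comes up,
and the supplicant (client) answers with an EAP-Response/Identity.

Added example, not code from the Catalyst 2950 guide. Frame layouts follow
IEEE 802.1X (EAPOL) and RFC 3748 (EAP); the identifier and identity values
used below are constructed."""
import struct

EAPOL_VERSION = 1            # 802.1X-2001 protocol version
EAPOL_TYPE_EAP_PACKET = 0    # EAPOL body carries an EAP packet

EAP_CODE_REQUEST = 1
EAP_CODE_RESPONSE = 2
EAP_TYPE_IDENTITY = 1


def build_eap(code, identifier, eap_type, data=b""):
    """EAP packet: code(1) identifier(1) length(2, whole packet) type(1) data."""
    return struct.pack("!BBHB", code, identifier, 5 + len(data), eap_type) + data


def build_eapol(eap_packet):
    """EAPOL frame body: version(1) packet-type(1) body-length(2) + EAP packet."""
    return struct.pack("!BBH", EAPOL_VERSION, EAPOL_TYPE_EAP_PACKET, len(eap_packet)) + eap_packet


def parse_eapol(frame):
    """Return the EAP body of an EAPOL frame; reject truncated or over-long bodies."""
    if len(frame) < 4:
        raise ValueError("EAPOL header truncated")
    version, packet_type, body_len = struct.unpack("!BBH", frame[:4])
    if packet_type != EAPOL_TYPE_EAP_PACKET:
        raise ValueError("not an EAP-Packet EAPOL frame")
    body = frame[4:4 + body_len]
    if len(body) != body_len:
        raise ValueError("EAPOL body shorter than declared length")
    return body


def parse_eap(packet):
    """Return dict(code, id, type, data) for a Request/Response; the length
    field must match the bytes actually present."""
    if len(packet) < 5:
        raise ValueError("EAP request/response truncated")
    code, identifier, length, eap_type = struct.unpack("!BBHB", packet[:5])
    if length != len(packet):
        raise ValueError("EAP length field does not match packet size")
    return {"code": code, "id": identifier, "type": eap_type, "data": packet[5:]}


def authenticator_request_identity(identifier):
    """What the switch sends after the link transitions down -> up on an
    interface configured with 'dot1x port-control auto'."""
    return build_eapol(build_eap(EAP_CODE_REQUEST, identifier, EAP_TYPE_IDENTITY))


def supplicant_response_identity(request_frame, identity):
    """Client answer: same identifier, Response code, identity string as data."""
    req = parse_eap(parse_eapol(request_frame))
    if req["code"] != EAP_CODE_REQUEST or req["type"] != EAP_TYPE_IDENTITY:
        raise ValueError("not an EAP-Request/Identity")
    return build_eapol(build_eap(EAP_CODE_RESPONSE, req["id"], EAP_TYPE_IDENTITY, identity.encode()))


def identity_exchange(identity, identifier=1):
    """Run both sides and return the identity the switch recovers, as it would
    relay it to the authentication server. Raises if the response does not
    answer the outstanding request."""
    request = authenticator_request_identity(identifier)
    response = supplicant_response_identity(request, identity)
    resp = parse_eap(parse_eapol(response))
    if resp["code"] != EAP_CODE_RESPONSE or resp["id"] != identifier:
        raise ValueError("response does not match the outstanding request")
    return resp["data"].decode()


if __name__ == "__main__":
    print(authenticator_request_identity(1).hex())
    print(identity_exchange("alice@example.com"))   # constructed identity
```

The identifier check in identity_exchange is what ties a response to the request it answers; a response with a stale identifier is dropped rather than forwarded.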

Avoiding Autonegotiation Mismatches

The IEEE 802.3u autonegotiation protocol manages the switch settings for speed (10, 100, or 1000 Mbps) and duplex (half or full). Sometimes this protocol can incorrectly align these settings, reducing performance. A mismatch occurs under these circumstances:
- A manually set speed or duplex parameter differs from the manually set speed or duplex parameter on the connected port.
- A port is set to autonegotiate, and the connected port is set to full duplex with no autonegotiation.
To maximize...

Basic QoS Model

Figure 24-2 shows the basic QoS model. Actions at the ingress interface include classifying traffic, policing, and marking. Note: If you have the standard software image installed on your switch, only the queueing and scheduling features are available. Classifying distinguishes one kind of traffic from another. For more information, see the Classification section on page 24-4. Policing determines whether a packet is in or out of profile according to the configured policer, and the policer limits...

Bridge ID, Switch Priority, and Extended System ID

The IEEE 802.1D standard requires that each switch have a unique bridge identifier (bridge ID), which determines the selection of the root switch. Because each VLAN is considered a different logical bridge with PVST+, the same switch must have as many different bridge IDs as VLANs configured on it. Each VLAN on the switch has a unique 8-byte bridge ID: the two most-significant bytes are used for the switch priority, and the remaining six bytes are derived from the switch MAC address. In...

Bridge Protocol Data Units

The stable, active spanning-tree topology of a switched network is determined by these elements:
- The unique bridge ID (switch priority and MAC address) associated with each VLAN on each switch
- The spanning-tree path cost to the root switch
- The port identifier (port priority and MAC address) associated with each Layer 2 interface
When the switches in a network are powered up, each functions as the root switch. Each switch sends a configuration BPDU through all of its ports. The BPDUs communicate...

Candidate Switch and Member Switch Characteristics

Candidate switches are cluster-capable switches that have not yet been added to a cluster. Member switches are switches that have actually been added to a switch cluster. Although not required, a candidate or member switch can have its own IP address and password (for related considerations, see the IP Addresses section on page 6-17 and the Passwords section on page 6-18). To join a cluster, a candidate switch must meet these requirements:
- It is running cluster-capable software.
- It has CDP version 2...

Changing the Address Aging Time

Dynamic addresses are source MAC addresses that the switch learns and then ages when they are not in use. You can change the aging time setting for all VLANs or for a specified VLAN. Setting too short an aging time can cause addresses to be prematurely removed from the table. Then when the switch receives a packet for an unknown destination, it floods the packet to all ports in the same VLAN as the receiving port. This unnecessary flooding can impact performance. Setting too long an aging time...

Changing the Command History Buffer Size

By default, the switch records ten command lines in its history buffer. Beginning in user EXEC mode, enter this command to change the number of command lines that the switch records during the current terminal session:

    Switch> terminal history size number-of-lines

Beginning in line configuration mode, enter this command to configure the number of command lines the switch records for all sessions on a particular line:

    Switch(config-line)# history size number-of-lines

Changing the Default Privilege Level for Lines

Beginning in privileged EXEC mode, follow these steps to change the default privilege level for a line: Select the virtual terminal line on which to restrict access. Change the default privilege level for the line. For level, the range is from 0 to 15. Level 1 is for normal user EXEC mode privileges. Level 15 is the level of access permitted by the enable password. The first command displays the password and access level configuration. The second command displays the privilege level...

Changing the Quiet Period

When the switch cannot authenticate the client, the switch remains idle for a set period of time and then tries again. The idle time is determined by the quiet-period value. A failed authentication of the client might occur because the client provided an invalid password. You can provide a faster response time to the user by entering a smaller number than the default. Beginning in privileged EXEC mode, follow these steps to change the quiet period: Set the number of seconds that the switch...

Changing the Switch-to-Client Retransmission Time

The client responds to the EAP-request/identity frame from the switch with an EAP-response/identity frame. If the switch does not receive this response, it waits a set period of time (known as the retransmission time) and then retransmits the frame. Note: You should change the default value of this command only to adjust for unusual circumstances such as unreliable links or specific behavioral problems with certain clients and authentication servers. Beginning in privileged EXEC mode, follow...

Chapter 12: Configuring Optional Spanning-Tree Features

- Understanding Optional Spanning-Tree Features
- Understanding Port Fast
- Understanding BPDU Guard
- Understanding BPDU Filtering
- Understanding UplinkFast
- Understanding Cross-Stack UplinkFast
- How CSUF Works
- Events that Cause Fast Convergence
- Limitations
- Connecting the Stack Ports
- Understanding BackboneFast
- Understanding Root Guard
- Understanding Loop Guard
- Configuring Optional Spanning-Tree Features
- Default Optional...

Chapter 16: Configuring IGMP Snooping and MVR

- Understanding IGMP Snooping
- Joining a Multicast Group
- Leaving a Multicast Group
- Immediate-Leave Processing
- Configuring IGMP Snooping
- Default IGMP Snooping Configuration
- Enabling or Disabling IGMP Snooping
- Setting the Snooping Method
- Configuring a Multicast Router Port
- Configuring a Host Statically to Join a Group
- Enabling IGMP Immediate-Leave Processing
- Displaying IGMP Snooping Information
- Understanding Multicast VLAN Registration...

Chapter 21: Configuring System Message Logging

- Understanding System Message Logging
- Configuring System Message Logging
- System Log Message Format
- Default System Message Logging Configuration
- Disabling and Enabling Message Logging
- Setting the Message Display Destination Device
- Synchronizing Log Messages
- Enabling and Disabling Timestamps on Log Messages
- Enabling and Disabling Sequence Numbers in Log Messages
- Defining the Message Severity Level
- Limiting Syslog Messages Sent to the History Table...

Chapter 25: Configuring EtherChannels

- Understanding Port-Channel Interfaces
- Understanding the Port Aggregation Protocol
- PAgP Modes
- Physical Learners and Aggregate-Port Learners
- PAgP Interaction with Other Features
- Understanding Load Balancing and Forwarding Methods
- Default EtherChannel Configuration
- EtherChannel Configuration Guidelines
- Configuring EtherChannels
- Configuring EtherChannel Load Balancing
- Configuring the PAgP Learn Method and Priority
- Displaying EtherChannel and...

Chapter 26: Troubleshooting

- Avoiding Configuration Conflicts
- Avoiding Autonegotiation Mismatches
- GBIC Security and Identification
- Troubleshooting CMS Sessions
- Copying Configuration Files to Troubleshoot Configuration Problems
- Using Recovery Procedures
- Recovering from Lost Member Connectivity
- Recovering from a Command Switch Failure
- Replacing a Failed Command Switch with a Cluster Member
- Replacing a Failed Command Switch with Another Switch
- Recovering from a Failed Command...

Chapter 3: Getting Started with CMS

- Features
- Front Panel View
- Cluster Tree
- Front-Panel Images
- Redundant Power System LED
- Port Modes and LEDs
- VLAN Membership Modes
- Topology View
- Topology Icons
- Device and Link Labels
- Colors in the Topology View
- Topology Display Options
- Menus and Toolbar
- Menu Bar
- Toolbar
- Front Panel View Popup Menus
- Device Popup Menu
- Port Popup Menu
- Topology View Popup Menus
- Link Popup Menu
- Device Popup Menus
- Interaction...

Chapter 7: Administering the Switch

- Preventing Unauthorized Access to Your Switch
- Protecting Access to Privileged EXEC Commands
- Default Password and Privilege Level Configuration
- Setting or Changing a Static Enable Password
- Protecting Enable and Enable Secret Passwords with Encryption
- Setting a Telnet Password for a Terminal Line
- Configuring Username and Password Pairs
- Configuring Multiple Privilege Levels
- Setting the Privilege Level for a Command
- Changing the Default Privilege Level for Lines...

Checking and Saving the Running Configuration

You can check the configuration settings you entered or changes you made by entering the show running-config privileged EXEC command. The output looks similar to this:

    Switch# show running-config
    service timestamps debug uptime
    service timestamps log datetime
    no service password-encryption
    service sequence-numbers
    enable secret 5 $1$ej9.$DMUvAUnZOAmvmgqBEzIxE0
    ip subnet-zero
    vlan 3020
    cluster member 1 mac-address 0030.9439.0900
    cluster member 2 mac-address 0001.425b.4d80
    interface Port-channel1
     no ip address
    interface FastEthernet0/1
     switchport mode access
     switchport voice...

Classification

Note: This feature is available only if your switch is running the enhanced software image. Classification is the process of distinguishing one kind of traffic from another by examining the fields in the packet. Classification occurs only on a physical interface basis. No support exists for classifying packets at the VLAN or the switched virtual interface level. You specify which fields in the frame or packet you want to use to classify incoming traffic.

CLI Configuring CoS Priority Queues

Beginning in privileged EXEC mode, follow these steps to configure the CoS priority queues: Specify the queue ID of the CoS priority queue (the range is 1 to 4, where 1 is the lowest CoS priority queue). Specify the CoS values that are mapped to the queue ID. Display the mapping of the CoS priority queues. To disable the new CoS settings and return to the default settings, use the no wrr-queue cos-map global configuration command.

CMS Window Components

CMS windows consistently present configuration information. Figure 3-12 shows the components of a typical CMS window.
- OK saves your changes and closes the window.
- Modify displays a secondary window from which you can change settings.
- Click a row to select it. Press Shift, and left-click another row to select contiguous multiple rows. Press Ctrl, and left-click rows to select...

CNS Configuration Service

The CNS Configuration Service is the core component of the Configuration Registrar. It consists of a configuration server that works with CNS configuration agents located on the switch. The CNS Configuration Service delivers device and service configurations to the switch for initial configuration and mass reconfiguration by logical groups. Switches receive their initial configuration from the CNS Configuration Service when they start up on the network for the first time. The CNS Configuration...

Colors in the Topology View

The colors of the Topology view icons show the status of the devices and links (Table 3-7, Table 3-8, and Table 3-9). Among the conditions the colors indicate are a device whose internal fan is not operating or that is receiving power from an RPS, and a link pair in which one link is active and at least one link is down or blocked; the tables carry the footnote "Available only on the cluster members." The color of a device label shows the cluster membership of the device (Table 3-10). Table 3-10 Device Label Colors: A cluster member, either...

Configuring NTP Associations

Enter global configuration mode (configure terminal), and then use one of these commands:

    ntp peer ip-address [version number] [key keyid] [source interface] [prefer]
    ntp server ip-address [version number] [key keyid] [source interface] [prefer]

ntp peer configures the switch system clock to synchronize a peer or to be synchronized by a peer (peer association). ntp server configures the switch system clock to be synchronized by a time server (server association). No peer or server associations are defined by default. For ip-address in a peer association, specify either the IP address of the peer providing, or being...

Configuring 802.1X Authentication

This section describes how to configure 802.1X port-based authentication on your switch:
- Default 802.1X Configuration, page 8-6
- 802.1X Configuration Guidelines, page 8-7
- Enabling 802.1X Authentication, page 8-8 (required)
- Configuring the Switch-to-RADIUS-Server Communication, page 8-9 (required)
- Enabling Periodic Re-Authentication, page 8-10 (optional)
- Manually Re-Authenticating a Client Connected to a Port, page 8-11 (optional)
- Changing the Quiet Period, page 8-11 (optional)
- Changing the...

Configuring 802.1X Port-Based Authentication

Catalyst 2950 Desktop Switch Software Configuration Guide
- Resetting the 802.1X Configuration to the Default Values
- Displaying 802.1X Statistics and Status
- Understanding Interface Types
- Port-Based VLANs
- Switch Ports
- Access Ports
- Trunk Ports
- EtherChannel Port Groups
- Connecting Interfaces
- Using the Interface Command
- Procedures for Configuring Interfaces
- Configuring a Range of Interfaces...

Configuring a Message-of-the-Day Login Banner

You can create a single-line or multiline message banner that appears on the screen when someone logs in to the switch. Beginning in privileged EXEC mode, follow these steps to configure a MOTD login banner: For c, enter the delimiting character of your choice, for example, a pound sign (#), and press the Return key. The delimiting character signifies the beginning and end of the banner text. Characters after the ending delimiter are discarded. For message, enter a banner message up to 255...

Configuring a Secondary Root Switch

When you configure a Catalyst 2950 switch that supports the extended system ID as the secondary root, the spanning-tree switch priority is modified from the default value (32768) to 28672. The switch is then likely to become the root switch for the specified instance if the primary root switch fails. This is assuming that the other network switches use the default switch priority of 32768 and therefore are unlikely to become the root switch. For Catalyst 2950 switches without the extended...
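Worked computation of the bridge ID and root election described in the Bridge ID section and of the secondary-root priority described just above, as an added example (not code from the Catalyst 2950 guide). Switch names and MAC addresses are constructed; 32768 and 28672 are the priorities the guide gives, and 24576 is the value IOS assigns for root primary when the rest of the network is at the default.

```python
"""Compute the 8-byte per-VLAN bridge ID (switch priority, 12-bit extended
system ID carrying the VLAN ID, switch MAC address) and rank switches for
root election, including the effect of the 'root secondary' priority.

Added example, not code from the Catalyst 2950 guide. Switch names and MAC
addresses below are constructed. 32768 is the default priority and 28672 the
secondary-root priority from the guide; 24576 is what IOS assigns for
'root primary' when the rest of the network is at the default."""

DEFAULT_PRIORITY = 32768
PRIMARY_ROOT_PRIORITY = 24576
SECONDARY_ROOT_PRIORITY = 28672


def bridge_id(priority, vlan, mac):
    """Return the bridge ID as an integer (lower wins root election).

    With the extended system ID the 2-byte priority field is split: the upper
    4 bits hold priority / 4096, the lower 12 bits hold the VLAN ID, and the
    remaining 6 bytes are the switch MAC address.
    """
    if priority % 4096 or not 0 <= priority <= 61440:
        raise ValueError("priority must be a multiple of 4096 between 0 and 61440")
    if not 1 <= vlan <= 4094:
        raise ValueError("VLAN ID must be 1..4094")
    mac_int = int(mac.replace(".", "").replace(":", ""), 16)
    if mac_int >= 1 << 48:
        raise ValueError("MAC address is longer than 48 bits")
    return ((priority | vlan) << 48) | mac_int


def bridge_id_bytes(priority, vlan, mac):
    """The 8-byte on-the-wire form carried in configuration BPDUs."""
    return bridge_id(priority, vlan, mac).to_bytes(8, "big")


def displayed_priority(priority, vlan):
    """Value 'show spanning-tree' prints for a VLAN: priority plus sys-id-ext."""
    return priority + vlan


def rank_for_root(switches, vlan):
    """switches: {name: (priority, mac)}. Returns names best to worst: the
    first becomes root, the second takes over if the first fails.
    Equal priorities fall through to the MAC address, so with every switch
    at the default the oldest (lowest) MAC wins, whether or not that is wanted."""
    return [name for name, _ in sorted(
        switches.items(), key=lambda item: bridge_id(item[1][0], vlan, item[1][1]))]


if __name__ == "__main__":
    network = {  # constructed topology
        "core-1": (PRIMARY_ROOT_PRIORITY, "0000.0c01.0001"),
        "core-2": (SECONDARY_ROOT_PRIORITY, "0000.0c01.0002"),
        "access-1": (DEFAULT_PRIORITY, "0000.0c00.0001"),
    }
    print(rank_for_root(network, vlan=10))
    print(bridge_id_bytes(DEFAULT_PRIORITY, 1, "0000.0c00.0001").hex())
```

The ranking is the same comparison a switch performs on received BPDUs; running it over the intended priorities before a change shows whether the secondary root really is second, or whether an access switch with a low MAC would win.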

Configuring a System Name and Prompt

You configure the system name on the switch to identify it. By default, the system name and prompt are Switch. If you have not configured a system prompt, the first 20 characters of the system name are used as the system prompt. A greater-than symbol (>) is appended. The prompt is updated whenever the system name changes, unless you manually configure the prompt by using the prompt global configuration command. For complete syntax and usage information for the commands used in this section,...

Configuring a System Prompt

Beginning in privileged EXEC mode, follow these steps to manually configure a system prompt: Configure the command-line prompt to override the setting from the hostname command. The default prompt is either Switch or the name defined with the hostname global configuration command, followed by an angle bracket (>) for user EXEC mode or a pound sign (#) for privileged EXEC mode. The prompt can consist of all printing characters and escape sequences. (Optional) Save your entries in the...

Configuring and Enabling Port Security Aging

You can use port security aging to set the aging time for all secure addresses on a port. Two types of aging are supported per port:
- Absolute: The secure addresses on that port are deleted after the specified aging time.
- Inactivity: The secure addresses on this port are deleted only if they are inactive for the specified aging time.
Use this feature to remove and add PCs on a secure port without manually deleting the existing secure MAC addresses while still limiting the number of...

Configuring and Using Interface Range Macros

You can create an interface range macro to automatically select a range of interfaces for configuration. Before you can use the macro keyword in the interface range macro global configuration command string, you must use the define interface-range global configuration command to define the macro. Beginning in privileged EXEC mode, follow these steps to define an interface range macro: define interface-range macro_name interface-range defines the interface-range macro and saves it in NVRAM. The...

Configuring Community Strings

You use the SNMP community string to define the relationship between the SNMP manager and the agent. The community string acts like a password to permit access to the agent on the switch. Optionally, you can specify one or more of these characteristics associated with the string:
- An access list of IP addresses of the SNMP managers that are permitted to use the community string to gain access to the agent
- A MIB view, which defines the subset of all MIB objects accessible to the given community...

Configuring Extended-Range VLANs

When the switch is in VTP transparent mode (VTP disabled) and the enhanced software image is installed, you can create extended-range VLANs (in the range 1006 to 4094). Extended-range VLANs enable service providers to extend their infrastructure to a greater number of customers. The extended-range VLAN IDs are allowed for any switchport commands that allow VLAN IDs. You always use config-vlan mode (accessed by entering the vlan vlan-id global configuration command) to configure extended-range...

Configuring IGMP Profiles

To configure an IGMP profile, use the ip igmp profile global configuration command with a profile number to create an IGMP profile and to enter IGMP profile configuration mode. From this mode, you can specify the parameters of the IGMP profile to be used for filtering IGMP join requests from a port. When you are in IGMP profile configuration mode, you can create the profile by using these commands:
- deny: Specifies that matching addresses are denied; this is the default condition.
- exit: Exits from...

Configuring Interface Characteristics

This chapter defines the types of interfaces on the switch and describes how to configure them. The chapter has these sections:
- Understanding Interface Types, page 9-1
- Using the Interface Command, page 9-4
- Configuring Layer 2 Interfaces, page 9-10
- Monitoring and Maintaining the Interface, page 9-16
Note: For complete syntax and usage information for the commands used in this chapter, refer to the Catalyst 2950 Desktop Switch Command Reference for this release and the online Cisco IOS Interface...

Configuring Layer 2 Interfaces

These sections describe the default interface configuration and the optional features that you can configure on most physical interfaces:
- Default Layer 2 Ethernet Interface Configuration, page 9-11
- Configuring the Port Speed and Duplex Mode, page 9-11
- Adding a Description for an Interface, page 9-15
- Configuring IEEE 802.3X Flow Control on Gigabit Ethernet Ports, page 9-14

Default Layer 2 Ethernet Interface Configuration

Table 9-1 shows the Layer 2 Ethernet interface default configuration. For...

Configuring MVR Global Parameters

You do not need to set the optional MVR parameters if you choose to use the default settings. If you do want to change the default parameters (except for the MVR VLAN), you must first enable MVR. Beginning in privileged EXEC mode, follow these steps to configure MVR parameters: Configure an IP multicast address on the switch, or use the count parameter to configure a contiguous series of IP addresses. Any multicast data sent to this address is sent to all source ports on the switch and all...

Configuring MVR Interfaces

Beginning in privileged EXEC mode, follow these steps to configure MVR interfaces: Enter interface configuration mode, and enter the type and number of the port to configure, for example, gi0/1 or gigabitethernet0/1 for Gigabit Ethernet port 1. Configure an MVR port as one of these types. source: Configure uplink ports that receive and send multicast data as source ports. Subscribers cannot be directly connected to source ports. All source ports on a switch belong to the single multicast VLAN....

Configuring NTP

The Catalyst 2950 switches do not have a hardware-supported clock, and they cannot function as an NTP master clock to which peers synchronize themselves when an external NTP source is not available. These switches also have no hardware support for a calendar. As a result, the ntp update-calendar and the ntp master global configuration commands are not available. This section contains this configuration information: Default NTP Configuration, page 7-36; Configuring NTP Authentication, page 7-36...

Configuring NTP Authentication

This procedure must be coordinated with the administrator of the NTP server: the information you configure in this procedure must be matched by the servers used by the switch to synchronize its time to the NTP server. Beginning in privileged EXEC mode, follow these steps to authenticate the associations (communications between devices running NTP that provide for accurate timekeeping) with other devices for security purposes: Enable the NTP authentication feature, which is disabled by default....
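The authenticator that NTP carries once authentication is enabled, built and checked from both sides. This is an added example, not code from the Catalyst 2950 guide; it implements the RFC 1305/5905 symmetric-key scheme (a 4-byte key number followed by MD5 over key || 48-byte header) that IOS uses for keys configured with ntp authentication-key md5. Key material, key numbers and header fields are constructed. verify_ntp_packet models the receiving side: an unauthenticated packet, an untrusted key number, or a digest mismatch each cause the packet to be discarded, which is why the key string and key number must match on both ends.

```python
"""Build and verify the authenticator NTP appends when authentication is
enabled: a 4-byte key number followed by MD5(key || 48-byte NTP header),
the symmetric-key scheme IOS uses for 'ntp authentication-key <n> md5 <key>'
together with 'ntp trusted-key <n>'.

Added example, not code from the Catalyst 2950 guide. Key material, key
numbers and header fields below are constructed."""
import hashlib
import hmac
import struct

NTP_HEADER_LEN = 48
MD5_MAC_LEN = 4 + 16  # key number + digest


def build_ntp_header(mode=3, version=3, stratum=0, poll=6, precision=-20, transmit_ts=0):
    """48-byte NTP header: LI/VN/Mode, stratum, poll, precision, root delay,
    root dispersion, reference ID, then reference/origin/receive/transmit timestamps."""
    li_vn_mode = (0 << 6) | (version << 3) | mode      # leap indicator 0
    fixed = struct.pack("!BBbb", li_vn_mode, stratum, poll, precision)
    return fixed + struct.pack("!IIIQQQQ", 0, 0, 0, 0, 0, 0, transmit_ts)


def ntp_md5_mac(key, header):
    """Symmetric-key MAC for MD5 keys: digest over key || message."""
    return hashlib.md5(key + header).digest()


def sign_ntp_packet(header, key_number, key):
    """Sender side: append key number and MAC to a 48-byte header."""
    if len(header) != NTP_HEADER_LEN:
        raise ValueError("NTP header must be exactly 48 bytes")
    return header + struct.pack("!I", key_number) + ntp_md5_mac(key, header)


def verify_ntp_packet(packet, trusted_keys):
    """Receiver side with 'ntp authenticate' on. trusted_keys maps key
    number -> key bytes (the 'ntp trusted-key' set). Returns (accepted, reason)."""
    if len(packet) == NTP_HEADER_LEN:
        return False, "unauthenticated packet rejected while ntp authenticate is enabled"
    if len(packet) != NTP_HEADER_LEN + MD5_MAC_LEN:
        return False, "length does not match an MD5-authenticated NTP packet"
    header = packet[:NTP_HEADER_LEN]
    key_number = struct.unpack("!I", packet[48:52])[0]
    mac = packet[52:]
    key = trusted_keys.get(key_number)
    if key is None:
        return False, f"key number {key_number} is not a trusted key"
    if not hmac.compare_digest(ntp_md5_mac(key, header), mac):
        return False, "MAC mismatch (wrong key or modified packet)"
    return True, "ok"


if __name__ == "__main__":
    key = b"example-ntp-key"   # constructed; on IOS this is the md5 key string
    pkt = sign_ntp_packet(build_ntp_header(transmit_ts=0xE3A0000000000000), 1, key)
    print(verify_ntp_packet(pkt, {1: key}))
    print(verify_ntp_packet(pkt, {2: key}))
```

A server that signs with key number 1 while the switch trusts only key number 2 fails at the trusted-key check before any digest is computed; the same key string under the same number on both devices is what the coordination sentence above is asking for.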

Configuring NTP Broadcast Service

The communications between devices running NTP (known as associations) are usually statically configured: each device is given the IP addresses of all devices with which it should form associations. Accurate timekeeping is possible by exchanging NTP messages between each pair of devices with an association. However, in a LAN environment, NTP can be configured to use IP broadcast messages instead. This alternative reduces configuration complexity because each device can simply be configured to...

Configuring Optional Spanning Tree Features

These sections include optional spanning-tree configuration information:
- Default Optional Spanning-Tree Configuration, page 12-14
- Enabling Port Fast, page 12-14
- Enabling BPDU Guard, page 12-15
- Enabling BPDU Filtering, page 12-16
- Enabling UplinkFast for Use with Redundant Links, page 12-17
- Enabling Cross-Stack UplinkFast, page 12-18
- Enabling BackboneFast, page 12-19
- Enabling Root Guard, page 12-19
- Enabling Loop Guard, page 12-20

Configuring Port Security

Secured ports restrict a port to a user-defined group of stations. When you assign secure addresses to a secure port, the switch does not forward any packets with source addresses outside the defined group of addresses. If you define the address table of a secure port to contain only one address, the workstation or server attached to that port is guaranteed the full bandwidth of the port. As part of securing the port, you can also define the size of the address table for the port. Port security...
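An audit of a saved running configuration against the points made in this section and in the earlier ones on applying ACLs to vty lines, line privilege levels, SNMP community strings, and NTP authentication. This is an added example, not code from the Catalyst 2950 guide; the sample configuration is constructed (ACL numbers, community strings, addresses and the enable secret hash are placeholders), and only the command keywords come from the guide.

```python
"""Audit a saved 'show running-config' for: ACLs applied identically to every
vty line, no line defaulting to privilege level 15, SNMP community strings
bound to an access list, NTP authentication enabled when NTP sources exist,
port security on access ports, and password encryption / enable secret present.

Added example, not code from the Catalyst 2950 guide. The sample configuration
is constructed; only the command keywords in it come from the guide."""
import re

SAMPLE_RUNNING_CONFIG = """\
service password-encryption
enable secret 5 $1$xxxx$yyyyyyyyyyyyyyyyyyyyyy
!
interface FastEthernet0/1
 switchport mode access
 switchport port-security
 switchport port-security maximum 1
!
interface FastEthernet0/2
 switchport mode access
!
interface FastEthernet0/3
 switchport mode trunk
!
snmp-server community public RO
snmp-server community s3cret RW 10
ntp server 192.0.2.10
!
line vty 0 4
 access-class 20 in
 privilege level 15
 login local
line vty 5 15
 login local
"""


def parse_blocks(config_text):
    """Return (top_level_lines, blocks); blocks is [(header, [indented lines])]."""
    top_level, blocks = [], []
    current = None
    for raw in config_text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("!"):
            continue
        if raw.startswith(" "):
            if current is not None:
                current[1].append(raw.strip())
            continue
        current = (raw.strip(), [])
        blocks.append(current)
        top_level.append(current[0])
    return top_level, blocks


def audit(config_text):
    """Return a list of findings; an empty list means every check passed."""
    findings = []
    top_level, blocks = parse_blocks(config_text)

    if "service password-encryption" not in top_level:
        findings.append("service password-encryption is not enabled")
    if not any(line.startswith("enable secret ") for line in top_level):
        findings.append("no enable secret configured")

    # Every vty range needs an inbound access-class, and all ranges the same one
    # (the guide: set identical restrictions on all the virtual terminal lines).
    vty_acls = {}
    for header, body in blocks:
        if header.startswith("line vty"):
            acls = [l for l in body if l.startswith("access-class ") and l.endswith(" in")]
            vty_acls[header] = acls[0] if acls else None
            if "privilege level 15" in body:
                findings.append(f"{header}: default privilege level 15 grants privileged EXEC without enable")
    for header, acl in vty_acls.items():
        if acl is None:
            findings.append(f"{header}: no inbound access-class")
    if len({acl for acl in vty_acls.values() if acl}) > 1:
        findings.append("vty lines do not share one access-class")

    # Community strings act as passwords; without an access list any host may try them.
    for line in top_level:
        m = re.match(r"snmp-server community (\S+)(?: view \S+)? (ro|rw)(?: (\d+))?$", line, re.I)
        if m and m.group(3) is None:
            findings.append(f"snmp community {m.group(1)!r} ({m.group(2).upper()}) has no access list")

    if any(l.startswith(("ntp server ", "ntp peer ")) for l in top_level) and "ntp authenticate" not in top_level:
        findings.append("NTP associations configured but ntp authenticate is missing")

    for header, body in blocks:
        if header.startswith("interface ") and "switchport mode access" in body:
            if "switchport port-security" not in body:
                findings.append(f"{header}: access port without port security")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_RUNNING_CONFIG):
        print(finding)
```

To check a real device, save the output of show running-config to a file and pass its text to audit(); the constructed sample produces five findings, and the hardened variant of it in the accompanying test produces none.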

Configuring Port-Based Traffic Control

This chapter describes how to configure the port-based traffic control features on your switch. Note: For complete syntax and usage information for the commands used in this chapter, refer to the Catalyst 2950 Desktop Switch Command Reference for this release. This chapter consists of these sections:
- Configuring Storm Control, page 17-1
- Configuring Protected Ports, page 17-3
- Configuring Port Security, page 17-3
- Configuring and Enabling Port Security Aging, page 17-6
- Displaying Port-Based Traffic...

Configuring QoS

This chapter describes how to configure quality of service (QoS) on your switch. With this feature, you can provide preferential treatment to certain types of traffic. Without QoS, the switch offers best-effort service to each packet, regardless of the packet contents or size. It transmits the packets without any assurance of reliability, delay bounds, or throughput. To use the features described in this chapter, you must have the enhanced software image installed on your switch. If you have...

Configuring RADIUS Authorization for Privileged EXEC Access and Network Services

AAA authorization limits the services available to a user. When AAA authorization is enabled, the switch uses information retrieved from the user's profile, which is in either the local user database or on the security server, to configure the user's session. The user is granted access to a requested service only if the information in the user profile allows it. You can use the aaa authorization global configuration command with the radius keyword to set parameters that restrict a user's...

Configuring RSTP and MSTP Features

These sections include basic RSTP and MSTP configuration information:
- Default RSTP and MSTP Configuration, page 11-12
- RSTP and MSTP Configuration Guidelines, page 11-12
- Specifying the MST Region Configuration and Enabling MSTP, page 11-13 (required)
- Configuring the Root Switch, page 11-14 (optional)
- Configuring a Secondary Root Switch, page 11-16 (optional)
- Configuring the Port Priority, page 11-17 (optional)
- Configuring the Path Cost, page 11-18 (optional)
- Configuring the Switch Priority, page...

Configuring Settings for All RADIUS Servers

Beginning in privileged EXEC mode, follow these steps to configure global communication settings between the switch and all RADIUS servers: Specify the shared secret text string used between the switch and all RADIUS servers. Note: The key is a text string that must match the encryption key used on the RADIUS server. Leading spaces are ignored, but spaces within and at the end of the key are used. If you use spaces in your key, do not enclose the key in quotation marks unless the quotation marks...

Configuring Spanning-Tree Features

These sections include spanning-tree configuration information:
- Default STP Configuration, page 10-10
- STP Configuration Guidelines, page 10-10
- Configuring the Root Switch, page 10-12
- Configuring a Secondary Root Switch, page 10-13
- Configuring the Port Priority, page 10-14
- Configuring the Path Cost, page 10-15
- Configuring the Switch Priority of a VLAN, page 10-17
- Configuring the Hello Time, page 10-18
- Configuring the Forwarding-Delay Time for a VLAN, page...

Configuring STP for Use in a Cascaded Stack

STP uses default values that can be reduced when configuring your switch in cascaded configurations. If a root switch is part of a cluster that is one switch from a cascaded stack, you can customize spanning tree to reconverge more quickly after a switch failure. Figure 10-4 shows switches in three cascaded stacks that use the GigaStack GBIC. Table 10-4 shows the default STP settings and those that are acceptable for these configurations. Table 10-4 Default and Acceptable STP Parameter Settings...

Configuring System Message Logging

This section describes how to configure system message logging. It contains this configuration information:
- System Log Message Format, page 21-2
- Default System Message Logging Configuration, page 21-3
- Disabling and Enabling Message Logging, page 21-4
- Setting the Message Display Destination Device, page 21-4
- Synchronizing Log Messages, page 21-6
- Enabling and Disabling Timestamps on Log Messages, page 21-7
- Enabling and Disabling Sequence Numbers in Log Messages, page 21-8
- Defining the Message...

Configuring the CoS-to-DSCP Map

You use the CoS-to-DSCP map to map CoS values in incoming packets to a DSCP value that QoS uses internally to represent the priority of the traffic. Table 24-3 shows the default CoS-to-DSCP map. If these values are not appropriate for your network, you need to modify them. Beginning in privileged EXEC mode, follow these steps to modify the CoS-to-DSCP map: For dscp1 ... dscp8, enter 8 DSCP values that correspond to CoS values 0 to 7. Separate each DSCP value with a space. The supported DSCP values...

Configuring the DHCP Server

You should configure the DHCP server with reserved leases that are bound to each switch by the switch hardware address. If you want the switch to receive IP address information, you must configure the DHCP server with these lease options: IP address of the client (required); subnet mask of the client (required); DNS server IP address (optional); router IP address (default gateway address to be used by the switch) (required). If you want the switch to receive the configuration file from a TFTP...

Configuring the DNS

The DHCP server uses the DNS server to resolve the TFTP server name to an IP address. You must configure the TFTP server name-to-IP address map on the DNS server. The TFTP server contains the configuration files for the switch. You can configure the IP addresses of the DNS servers in the lease database of the DHCP server from where the DHCP replies will retrieve them. You can enter up to two DNS server IP addresses in the lease database. The DNS server can be on the same or on a different LAN...

Configuring the DSCP-to-CoS Map

You use the DSCP-to-CoS map to map DSCP values in incoming packets to a CoS value, which is used to select one of the four egress queues. The Catalyst 2950 switches support these DSCP values: 0, 8, 10, 16, 18, 24, 26, 32, 34, 40, 46, 48, and 56. Table 24-4 shows the default DSCP-to-CoS map. If these values are not appropriate for your network, you need to modify them. (Catalyst 2950 Desktop Switch Software Configuration Guide) Beginning in privileged EXEC mode, follow these steps to modify the...

Configuring the Forwarding Delay Time

Beginning in privileged EXEC mode, follow these steps to configure the forwarding-delay time for all MST instances: spanning-tree mst forward-time seconds. Configure the forward time for all MST instances. The forward delay is the number of seconds a port waits before changing from its spanning-tree learning and listening states to the forwarding state. For seconds, the range is 4 to 30; the default is 15. (Optional) Save your entries in the configuration file. To return the switch to its default...

Configuring the Maximum Aging Time

Beginning in privileged EXEC mode, follow these steps to configure the maximum-aging time for all MST instances: Configure the maximum-aging time for all MST instances. The maximum-aging time is the number of seconds a switch waits without receiving spanning-tree configuration messages before attempting a reconfiguration. For seconds, the range is 6 to 40; the default is 20. (Optional) Save your entries in the configuration file. To return the switch to its default setting, use the no...

Configuring the Maximum Aging Time for a VLAN

Beginning in privileged EXEC mode, follow these steps to configure the maximum-aging time for a VLAN: spanning-tree vlan vlan-id max-age seconds. Configure the maximum-aging time of a VLAN. The maximum-aging time is the number of seconds a switch waits without receiving spanning-tree configuration messages before attempting a reconfiguration. For vlan-id, the range is 1 to 4094 when the enhanced software image is installed and 1 to 1005 when the standard software image is installed. Do not enter...

Configuring the Maximum Hop Count

Beginning in privileged EXEC mode, follow these steps to configure the maximum-hop count for all MST instances: spanning-tree mst max-hops hop-count. Specify the number of hops in a region before the BPDU is discarded and the information held for a port is aged. For hop-count, the range is 1 to 40; the default is 20. (Optional) Save your entries in the configuration file. To return the switch to its default setting, use the no spanning-tree mst max-hops global configuration command.

Configuring the Path Cost

The spanning-tree path cost default value is derived from the media speed of an interface. If a loop occurs, spanning tree uses cost when selecting an interface to put in the forwarding state. You can assign lower cost values to interfaces that you want selected first and higher cost values to interfaces that you want selected last. If all interfaces have the same cost value, spanning tree puts the interface with the lowest interface number in the forwarding state and blocks the other interfaces. Spanning...

Configuring the Port Priority

If a loop occurs, spanning tree uses the port priority when selecting an interface to put into the forwarding state. You can assign higher priority values (lower numerical values) to interfaces that you want selected first and lower priority values (higher numerical values) to interfaces that you want selected last. If all interfaces have the same priority value, spanning tree puts the interface with the lowest interface number in the forwarding state and blocks the other interfaces. Cisco IOS uses the port...

Configuring the Source IP Address for NTP Packets

When the switch sends an NTP packet, the source IP address is normally set to the address of the interface through which the NTP packet is sent. Use the ntp source global configuration command when you want to use a particular source IP address for all NTP packets. The address is taken from the specified interface. This command is useful if the address on an interface cannot be used as the destination for reply packets. Beginning in privileged EXEC mode, follow these steps to configure a...

Configuring the Switch for Local Authentication and Authorization

You can configure AAA to operate without a server by setting the switch to implement AAA in local mode. The switch then handles authentication and authorization. No accounting is available in this configuration. Beginning in privileged EXEC mode, follow these steps to configure the switch for local AAA: aaa authentication login default local. Set the login authentication to use the local username database. The default keyword applies the local user database authentication to all interfaces....

Configuring the Switch for Secure Shell

This section describes how to configure the Secure Shell (SSH) feature. To use this feature, the crypto (encrypted) software image must be installed on your switch. You must download this software image from Cisco.com. For more information, refer to the release notes for this release. Note: For complete syntax and usage information for the commands used in this section, refer to the Secure Shell Commands section in the Cisco IOS Security Command Reference for Release 12.2.

Configuring the Switch for Vendor-Proprietary RADIUS Server Communication

Although an IETF draft standard for RADIUS specifies a method for communicating vendor-proprietary information between the switch and the RADIUS server, some vendors have extended the RADIUS attribute set in a unique way. Cisco IOS software supports a subset of vendor-proprietary RADIUS attributes. As mentioned earlier, to configure RADIUS (whether vendor-proprietary or IETF draft-compliant), you must specify the host running the RADIUS server daemon and the secret text string it shares with...

Configuring the Time Zone

Beginning in privileged EXEC mode, follow these steps to manually configure the time zone: clock timezone zone hours-offset minutes-offset. The switch keeps internal time in universal time coordinated (UTC), so this command is used only for display purposes and when the time is manually set. For zone, enter the name of the time zone to be displayed when standard time is in effect. The default is UTC. For hours-offset, enter the hours offset from UTC. (Optional) For minutes-offset, enter the...

Configuring Time and Date Manually

If no other source of time is available, you can manually configure the current time and date after the system is restarted. The time remains accurate until the next system restart. We recommend that you use manual configuration only as a last resort. If you have an outside source to which the switch can synchronize, you do not need to manually set the system clock. This section contains this configuration information Setting the System Clock, page 7-43 Displaying the Time and Date...

Configuring UNIX Syslog Servers

The next sections describe how to configure the UNIX server syslog daemon and define the UNIX system logging facility. Logging Messages to a UNIX Syslog Daemon: Before you can send system log messages to a UNIX syslog server, you must configure the syslog daemon on a UNIX server. Log in as root, and perform these steps. Some recent versions of UNIX syslog daemons no longer accept syslog packets from the network by default. If this is the case with your system, use the UNIX man syslogd command to...

Configuring Username and Password Pairs

You can configure username and password pairs, which are locally stored on the switch. These pairs are assigned to lines or interfaces and authenticate each user before that user can access the switch. If you have defined privilege levels, you can also assign a specific privilege level (with associated rights and privileges) to each username and password pair. Beginning in privileged EXEC mode, follow these steps to establish a username-based authentication system that requests a login username...

Configuring VLAN Trunks

These sections describe how VLAN trunks function on the switch: Trunking Overview, page 13-18; 802.1Q Configuration Considerations, page 13-20; Default Layer 2 Ethernet Interface VLAN Configuration, page 13-21. A trunk is a point-to-point link between one or more Ethernet switch interfaces and another networking device such as a router or a switch. Fast Ethernet and Gigabit Ethernet trunks carry the traffic of multiple VLANs over a single link, and you can extend the VLANs across an entire network....

Configuring VLANs

Changing the Pruning-Eligible List; Configuring the Native VLAN for Untagged Traffic; Load Sharing Using STP; Load Sharing Using STP Port Priorities; Load Sharing Using STP Path Cost; Configuring VMPS; Dynamic Port VLAN Membership; VMPS Database Configuration File; Default VMPS Configuration; VMPS Configuration Guidelines; Configuring the VMPS Client; Entering the IP Address of the...

Configuring Voice VLAN

These are the voice VLAN configuration guidelines: You should configure voice VLAN on access ports. The Port Fast feature is automatically enabled when voice VLAN is configured. When you disable voice VLAN, the Port Fast feature is not automatically disabled. If you enable port security on a voice VLAN port and there is a PC connected to the IP phone, you should set the maximum allowed secure addresses on the port to more than 1. You cannot configure static secure MAC addresses in the voice...

Configuring WRR

Beginning in privileged EXEC mode, follow these steps to configure the WRR priority: Assign WRR weights to the four CoS queues. (Ranges for the WRR values are 1 to 255.) Display the WRR bandwidth allocation for the CoS priority queues. To disable the WRR scheduler and enable the strict priority scheduler, use the no wrr-queue bandwidth global configuration command.

Connecting Interfaces

Devices within a single VLAN can communicate directly through any switch. Ports in different VLANs cannot exchange data without going through a routing device or interface. With a standard Layer 2 switch, ports in different VLANs have to exchange information through a router. In the configuration shown in Figure 9-1, when Host A in VLAN 20 sends data to Host B in VLAN 30, it must go from Host A to the switch, to the router, back to the switch, and then to Host B. Figure 9-1 Connecting VLANs...

Controlling Switch Access with RADIUS

This section describes how to enable and configure the Remote Authentication Dial-In User Service (RADIUS), which provides detailed accounting information and flexible administrative control over authentication and authorization processes. RADIUS is facilitated through authentication, authorization, and accounting (AAA) and can be enabled only through AAA commands. Note: For complete syntax and usage information for the commands used in this section, refer to the Cisco IOS Security Command...

Copying Configuration Files to Troubleshoot Configuration Problems

You can use the file system in Flash memory to copy files and to troubleshoot configuration problems. This could be useful if you want to save configuration files on an external server in case a switch fails. You can then copy the configuration file to a replacement switch and avoid reconfiguring the switch. Step 1: Enter the dir flash: privileged EXEC command to display the contents of Flash memory, as in this example...

CoS and WRR

The Catalyst 2950 switches support four CoS queues for each egress port. For each queue, you can specify these types of scheduling: Strict priority scheduling is based on the priority of queues. Queues can have priorities from 0 to 7, 7 being the highest. Packets in the high-priority queue always transmit first, and packets in the low-priority queue do not transmit until all the high-priority queues become empty. Weighted round-robin (WRR) scheduling: WRR scheduling requires you to specify a...

Creating a Numbered Standard ACL

Beginning in privileged EXEC mode, follow these steps to create a numbered standard ACL: access-list access-list-number {deny | permit | remark} {source source-wildcard | host source | any}. Define a standard IP ACL by using a source address and wildcard. The access-list-number is a decimal number from 1 to 99 or 1300 to 1999. Enter deny or permit to specify whether to deny or permit access if conditions are matched. The source is the source address of the network or host from which the packet is being sent...

Creating MAC Access Groups

Beginning in privileged EXEC mode, follow these steps to create MAC access groups: Identify a specific interface for configuration, and enter interface configuration mode. The interface must be a Layer 2 interface. Control access to the specified interface. Display the MAC ACLs applied to the interface. (Optional) Save your entries in the configuration file. This example shows how to apply ACL 2 on Gigabit Ethernet interface 0/1 to filter packets entering the interface: Switch(config)# interface...

Creating Named Standard and Extended ACLs

You can identify IP ACLs with an alphanumeric string (a name) rather than a number. You can use named ACLs to configure more IP access lists on a switch than if you use numbered access lists. If you identify your access list with a name rather than a number, the mode and command syntax are slightly different. However, not all commands that use IP access lists accept a named ACL. Note: The name you give to a standard ACL or extended ACL can also be a number in the supported range of access list...

Creating the Spanning Tree Topology

In Figure 10-1, Switch A is elected as the root switch because the switch priority of all the switches is set to the default (32768) and Switch A has the lowest MAC address. However, because of traffic patterns, number of forwarding interfaces, or link types, Switch A might not be the ideal root switch. By increasing the priority (lowering the numerical value) of the ideal switch so that it becomes the root switch, you force a spanning-tree recalculation to form a new topology with the ideal...

Default 802.1X Configuration

Table 8-1 shows the default 802.1X configuration. Table 8-1 Default 802.1X Configuration: Authentication, authorization, and accounting (AAA) authentication; The port transmits and receives normal traffic without 802.1X-based authentication of the client. Number of seconds between re-authentication attempts; 60 seconds (number of seconds that the switch remains in the quiet state following a failed...

Default EtherChannel Configuration

Table 25-2 shows the default EtherChannel configuration. Table 25-2 Default EtherChannel Configuration: Aggregate-port learning on all interfaces. 128 on all interfaces. (Changing this value on Catalyst 2950 switches has no effect.) Load distribution on the switch is based on the source-MAC address of the incoming packet.

Default NTP Configuration

Table 7-2 shows the default NTP configuration. Table 7-2 Default NTP Configuration: Disabled. No authentication key is specified. Disabled; no interface sends or receives NTP broadcast packets. The source address is determined by the outgoing interface. NTP is enabled on all interfaces by default. All interfaces receive NTP packets.

Default Optional Spanning Tree Configuration

Table 12-1 shows the default optional spanning-tree configuration. Table 12-1 Default Optional Spanning-Tree Configuration: Port Fast, BPDU filtering, BPDU guard; Globally disabled on the switch (unless they are individually configured per interface).

Default Password and Privilege Level Configuration

Table 7-1 shows the default password and privilege level configuration. Table 7-1 Default Password and Privilege Levels: No password is defined. The default is level 15 (privileged EXEC level). The password is not encrypted in the configuration file. Enable secret password and privilege level: No password is defined. The default is level 15 (privileged EXEC level). The password is encrypted before it is written to the configuration file. Setting or...

Default RADIUS Configuration

RADIUS and AAA are disabled by default. To prevent a lapse in security, you cannot configure RADIUS through a network management application. When enabled, RADIUS can authenticate users accessing the switch through the CLI. Switch-to-RADIUS-server communication involves several components You identify RADIUS security servers by their host name or IP address, host name and specific UDP port numbers, or their IP address and specific UDP port numbers. The combination of the IP address and the UDP...

Default RSTP and MSTP Configuration

Table 11-3 shows the default RSTP and MSTP configuration. Table 11-3 Default RSTP and MSTP Configuration: Switch priority (configurable on a per-CIST interface basis); Spanning-tree port priority (configurable on a per-CIST interface basis); Spanning-tree port cost (configurable on a per-CIST interface basis): 1000 Mbps 4, 100 Mbps 19, 10 Mbps 100.

Default STP Configuration

Table 10-3 shows the default STP configuration. Table 10-3 Default STP Configuration: Up to 64 spanning-tree instances can be enabled. Spanning-tree port priority (configurable on a per-interface basis; used on interfaces configured as Layer 2 access ports); Spanning-tree port cost (configurable on a per-interface basis; used on interfaces configured as Layer 2 access ports): 1000 Mbps 4, 100 Mbps 19, 10 Mbps 100. Spanning-tree VLAN port priority (configurable on...

Default System Message Logging Configuration

Table 21-2 shows the default system message logging configuration. Table 21-2 Default System Message Logging Configuration: System message logging to the console; Debugging (and numerically lower levels; see Table 21-3 on page 21-9). Local7 (see Table 21-4 on page 21-12). Informational (and numerically lower levels; see Table 21-3 on page 21-9).

Default UDLD Configuration

Table 18-1 shows the default UDLD configuration. Table 18-1 Default UDLD Configuration: UDLD per-interface enable state for fiber-optic media; Disabled on all Ethernet fiber-optic interfaces. UDLD per-interface enable state for twisted-pair (copper) media; Disabled on all Ethernet 10/100 and 1000BASE-TX interfaces. A UDLD-capable interface also cannot detect a unidirectional link if it is connected to a...

Defining AAA Server Groups

You can configure the switch to use AAA server groups to group existing server hosts for authentication. You select a subset of the configured server hosts and use them for a particular service. The server group is used with a global server-host list, which lists the IP addresses of the selected server hosts. Server groups also can include multiple host entries for the same server if each entry has a unique identifier (the combination of the IP address and UDP port number), allowing different...