Cisco Catalyst 2960 Software Configuration Manual


Catalyst 2960 and 2960-S Switches Software Configuration Guide, Release 15.0(1)SE (OL-26520-01)

INDEX

A
abbreviating commands 2-3
AC (command switch) 6-9
access-class command 31-18
access control entries: See ACEs
access control entry (ACE) 37-3
access-denied response, VMPS 13-24
access groups
    Layer 3 31-19
access groups, applying IPv4 ACLs to interfaces 31-19
accessing
    clusters, switch 6-12
    command switches 6-10
    member switches 6-12
    switch clusters 6-12
accessing stack members 7-22
access lists: See ACLs
access ports
    in switch clusters 6-8
access ports, defined 12-3
accounting
    with 802.1x 10-51
    with IEEE 802.1x 10-16
    with RADIUS 9-35
    with TACACS+ 9-11, 9-17
ACEs
    and QoS 33-8
    defined 31-2
    Ethernet 31-2
    IP 31-2
ACLs
    ACEs 31-2
    any keyword 31-10
    applying
        time ranges to 31-15
        to an interface 31-18
        to IPv6 interfaces 37-7
        to QoS 33-8
    classifying traffic for QoS 33-50
    comments in 31-17
    compiling 31-21
    defined 31-1, 31-7
    examples of 31-21, 33-50
    extended IP, configuring for QoS classification 33-51
    extended IPv4
        creating 31-9
        matching criteria 31-7
    hardware and software handling 31-20
    host keyword 31-11
    IP
        creating 31-7
        fragments and QoS guidelines 33-40
        implicit deny 31-9, 31-13, 31-14
        implicit masks 31-9
        matching criteria 31-7
        undefined 31-19
    IPv4
        applying to interfaces 31-18
        creating 31-7
        matching criteria 31-7
        named 31-13
        numbers 31-7
        terminal lines, setting on 31-18

IN-1

Summary of Contents for Cisco Catalyst 2960

  • Page 1 9-11, 9-17 applying to interfaces 31-18 ACEs creating 31-7 and QoS 33-8 matching criteria 31-7 defined 31-2 named 31-13 Ethernet 31-2 numbers 31-7 31-2 terminal lines, setting on 31-18 ...
  • Page 2 STP 19-4, 19-5, 19-6 16-23, 16-24 active links alarms, RMON 19-2 28-4 active traffic monitoring, IP SLAs 32-1 allowed-VLAN list 13-17 address aliasing 21-2 addresses defined 1-6, 5-24 ...
  • Page 3 (auto-advise) in switch stacks 7-11 backup interfaces automatic copy (auto-copy) in switch stacks 7-11 See Flex Links automatic discovery backup links 19-2 considerations banners beyond a noncandidate device configuring ...
  • Page 4 25-2 BPDU guard transmission timer and holdtime, setting 25-3 described 18-2 updates 25-3 disabling 18-14 CGMP enabling 18-13 as IGMP snooping learning method 21-9 support for ...
  • Page 5 6-13 wrapped lines TACACS+ 6-15 error messages See also candidate switch, command switch, cluster standby group, member switch, and standby command filtering command output switch getting help ...
  • Page 6 39-12 described defined downloading passive (PC) automatically 3-18 password privilege levels 6-16 preparing A-11, A-13, A-16 priority reasons for recovery using FTP A-13 from command-switch failure 6-9, 39-8 ...
  • Page 7 Xmodem 39-2 daylight saving time debugging in Layer 2 frames 33-2 enabling all system diagnostics 39-21 override priority 15-6 enabling for a specific feature 39-20 ...
  • Page 8 A-24 RADIUS 9-27 DHCP RMON 28-3 enabling RSPAN 27-10 relay agent 20-9 SDM template DHCP-based autoconfiguration SNMP 30-7 client request message exchange SPAN 27-10 configuring 9-49 ...
  • Page 9 20-24 delay value 20-12 enabling 20-21 timeout value 20-12 reserved addresses 20-22 DHCP snooping binding table DHCP server port-based address assignment See DHCP snooping binding database support for ...
  • Page 10 CMS configuring using FTP A-31 ACLs for non-DHCP environments 22-9 using HTTP 1-2, A-24 in DHCP environments 22-7 using RCP A-35 log buffer 22-13 using TFTP A-27 ...
  • Page 11 STP 38-12 See DHCP-based autoconfiguration with VLANs 38-12 dynamic port VLAN membership LACP described 13-24 described 38-7 reconfirming 13-27 displaying status 38-21 troubleshooting 13-29 hot-standby ports 38-18 ...
  • Page 12 Fast Uplink Transition Protocol 18-6 supported features 12-22 features, incompatible 23-12 unsupported features 12-23 fiber-optic, detecting unidirectional links 24-1 Ethernet management port, internal files and routing 12-22 basic crashinfo ...
  • Page 13 30-3, 30-4, 30-5 configuring preferred VLAN 19-12 get-response operation 30-4 configuring VLAN load balancing 19-11 Gigabit modules default configuration 19-8 See SFPs description 19-2 global configuration mode ...
  • Page 14 IEEE 802.3x flow control 12-29 Hulc Forwarding TCAM Manager ifIndex values, SNMP 30-6 See HFTM space Hulc QoS/ACL TCAM Manager IGMP See HQATM space configurable leave timer described 21-6 ...
  • Page 15 12-27 IGMP snooping configuring and address aliasing procedure 21-2 12-17 and stack changes 21-6 counters, clearing 12-41 configuring default configuration 21-7 12-24 default configuration described 21-7, 36-6 12-37 ...
  • Page 16 5-24 32-4 for IP routing enabling 34-4 32-6 IPv6 35-2 response time 32-4 redundant clusters SNMP support 6-10 32-2 standby command switch supported metrics 6-10, 6-12 32-2 ...
  • Page 17 ICMP 39-17 35-3 IP unicast routing monitoring 35-11 assigning IP addresses to Layer 3 interfaces neighbor discovery 34-4 35-4 configuring static routes SDM templates 34-5 36-1, 37-1 ...
  • Page 18 Leaking IGMP Reports 19-4 login authentication LEDs, switch with RADIUS 9-30 See hardware installation guide with TACACS+ 9-14 lightweight directory access protocol login banners 5-11 See LDAP log messages ...
  • Page 19 MAC address learning CoS-to-DSCP 33-63 MAC address learning, disabling on a VLAN 5-23 DSCP 33-63 MAC address notification, support for 1-15 DSCP-to-CoS 33-66 MAC address-table move update ...
  • Page 20 5-11 described 17-6 MIBs BPDU filtering overview 30-1 described 18-3 SNMP interaction with 30-5 enabling 18-14 mirroring traffic for analysis 27-1 BPDU guard mismatches, autonegotiation 39-12 ...
  • Page 21 17-27 port role naming change 17-7 multiauth terminology 17-5 support for inaccessible authentication bypass 10-25 instances supported 16-10 multiauth mode interface state, blocking to forwarding 18-2 ...
  • Page 22 1-19 services 1-19 Network Edge Access Topology See NEAT network management critical authentication 10-24, 10-54 25-1 IEEE 802.1x authentication using a RADIUS server 10-58 RMON 28-1 ...
  • Page 23 See OBFL per-user ACLs and Filter-Ids 10-8 online diagnostics per-VLAN spanning-tree plus overview 40-1 See PVST+ running tests physical ports 40-3 12-2 understanding PIM-DVMRP, as snooping method 40-1 21-8 ...
  • Page 24 RADIUS server 10-44, 11-13 policed-DSCP map for QoS 33-65 RADIUS server parameters on the switch 10-43, policers 11-11 configuring restricted VLAN 10-53 for each matched traffic class 33-55 ...
  • Page 25 ACLs and RADIUS Filter-Id attribute 10-20 10-33 described port-based authentication methods, supported 10-19 10-7 RADIUS server attributes port blocking 10-19 1-4, 23-7 ports port-channel See EtherChannel ...
  • Page 26 VLAN ID TLV changing 26-2 13-18 power management TLV for VTP pruning 26-3, 26-7 14-6 Power over Ethernet VLANs 14-16 See PoE PVST+ preemption, default configuration described 19-8 16-10 ...
  • Page 27 33-18 configuring 33-53 ingress queueing and scheduling 33-15 displaying 33-81 policing and marking 33-11 configuration guidelines implicit deny 33-8 auto-QoS 33-34 ingress queues standard QoS 33-40 ...
  • Page 28 33-9 communication, per-server 9-27 policing multiple UDP ports 9-27 described 33-4, 33-9 default configuration 9-27 token bucket algorithm 33-10 defining AAA server groups 9-32 ...
  • Page 29 VLAN A-35 preparing the server configuring A-34 10-53 uploading described A-37 10-23 readiness check using with IEEE 802.1x 10-23 port-based authentication restricting access configuring overview 10-38 ...
  • Page 30 31-4 17-10 RSPAN rapid convergence and stack changes 27-10 cross-stack rapid convergence 17-11 characteristics described 27-9 17-10 configuration guidelines edge ports and Port Fast 27-17 17-10 ...
  • Page 31 12-37 types of 23-9 shutdown command on interfaces 12-41 secure ports Simple Network Management Protocol and switch stacks 23-18 See SNMP secure ports, configuring 23-9 ...
  • Page 32 30-3 configuration guidelines 27-11 setting CPU threshold notification 30-16 default configuration 27-10 status, displaying 30-19 destination ports 27-8 system contact and location 30-17 displaying status 27-23 ...
  • Page 33 CLI of specific member 9-43 7-22 switch stack considerations configuring 7-15 user authentication methods, supported 9-43 member number 7-20 priority value 7-21 configuration guidelines defined 9-49 ...
  • Page 34 7-10 management connectivity 7-15 See also stack master and stack member managing standby command switch membership configuring merged considerations 6-10 MSTP instances supported 16-10 defined offline configuration priority ...
  • Page 35 RMON group history cross-stack UplinkFast 28-5 SNMP input and output described 30-19 18-5 14-18 enabling 18-16 sticky learning default configuration 23-9 16-13 storm control default optional feature configuration 18-12 ...
  • Page 36 13-20 supported port-based authentication methods 10-7 loop guard SVIs described 18-11 and IP unicast routing 34-3 enabling 18-18 and router ACLs 31-4 modes supported 16-10 connecting VLANs 12-11 ...
  • Page 37 29-9 default configuration 9-13 disabling 29-4 displaying the configuration 9-17 displaying the configuration 29-14 identifying the server 9-13 enabling 29-5 in clusters 6-15 ...
  • Page 38 39-18 uploading See also IP traceroute A-12 configuration files in base directory traffic configuring for autoconfiguration blocking flooded 23-8 image files fragmented 31-4 deleting fragmented IPv6 A-28 37-2 ...
  • Page 39 STP path costs 13-22 and adding static addresses 5-22 using STP port priorities 13-20, 13-21 and broadcast MAC addresses 5-21 native VLAN for untagged traffic 13-19 and CPU packets 5-21 ...
  • Page 40 A-26, A-30, A-34 VLAN load balancing on flex links 19-3 reasons for A-24 configuration guidelines 19-8 using FTP A-32 VLAN management domain 14-2 using RCP A-37 VLAN Management Policy Server ...
  • Page 41 13-3 802.1Q frames 15-5 static-access ports 13-10 connecting to an IP phone 15-4 STP and IEEE 802.1Q trunks 16-11 default configuration 15-3 supported 13-2 described 15-1 ...
  • Page 42 33-13 examples 14-7 setting thresholds overview 14-6 egress queue-sets 33-74 support for ingress queues 33-69 pruning-eligible list, changing 13-18 support for 1-14 server mode, configuring 14-11, 14-14 ...
  • Page 43 Index Xmodem protocol 39-2 ...
  • Page 44 Index ...
  • Page 45 Catalyst 2960, 2960-S, and 2960-C switches run one of these images: The LAN base software image provides enterprise-class intelligent services such as access control lists (ACLs) and quality of service (QoS) features. On a Catalyst 2960-S switch, stacking is also supported. The LAN Lite image provides reduced functionality.
  • Page 46 It does not provide detailed information about these commands. For detailed information about these commands, see the Catalyst 2960, 2960-S, and 2960-C Switch Command Reference for this release. For information about the standard Cisco IOS Release 15.0 commands, see the Cisco IOS documentation set available on Cisco.com.
  • Page 47: Related Publications

    Preface, Related Publications: These documents provide complete information about the switch and are available from this Cisco.com site: http://www.cisco.com/en/US/products/ps6406/tsd_products_support_series_home.html Before installing, configuring, or upgrading the switch, see these documents: Note: For initial configuration information, see the “Using Express Setup” section in the getting started ...
  • Page 48 Obtaining Documentation, Obtaining Support, and Security Guidelines For information on obtaining documentation, submitting a service request, and gathering additional information, see the monthly What’s New in Cisco Product Documentation, which also lists all new and revised Cisco technical documentation: http://www.cisco.com/en/US/docs/general/whatsnew/whatsnew.html Subscribe to the What’s New in Cisco Product Documentation as a Really Simple Syndication (RSS) feed...
  • Page 49 Chapter 1, Overview: This chapter provides these topics about the Catalyst 2960, 2960-S and 2960-C switch software: Features, page 1-1; Default Settings After Initial Switch Configuration, page 1-17; Network Configuration Examples, page 1-19; ...
  • Page 50 The Network Assistant must be downloaded from cisco.com/go/cna. Cisco FlexStack technology on Catalyst 2960-S switches running the LAN base image for: connecting up to four switches through their FlexStack ports to operate as a single switch in the network.
  • Page 51 Using a single IP address and configuration file to manage the entire switch stack. Automatic Cisco IOS version-check of new stack members with the option to automatically load images from the stack master or from a TFTP server.
  • Page 52: Performance Features

    Call Home to provide e-mail-based and web-based notification of critical system events. Users with a service contract directly with Cisco Systems can register Call Home devices for the Cisco Smart Call Home service that generates automatic service requests with the Cisco TAC.
  • Page 53: Management Options

    Network Assistant—Network Assistant is a network management application that can be downloaded from Cisco.com. You use it to manage a single switch, a cluster of switches, or a community of devices. For more information about Network Assistant, see Getting Started with Cisco Network Assistant, available on Cisco.com.
  • Page 54: Manageability Features

    ... the size of the MAC address table; Cisco Discovery Protocol (CDP) Versions 1 and 2 for network topology discovery and mapping between the switch and other Cisco devices on the network; Link Layer Discovery Protocol (LLDP) and LLDP Media Endpoint Discovery (LLDP-MED) for ...
  • Page 55 Network Time Protocol (NTP) version 4 for NTP time synchronization for both IPv4 and IPv6; Cisco IOS File System (IFS) for providing a single interface to all file systems that the switch uses; Configuration logging to log and to view changes to the switch configuration; ...
  • Page 56: Availability And Redundancy Features

    ... active on only one port at a time. (Catalyst 2960-S only) USB Type A port for external Cisco USB flash memory devices (thumb drives or USB keys). You can use standard Cisco CLI commands to read, write, erase, copy, or boot from the flash memory.
  • Page 57: Vlan Features

    Link-state tracking to mirror the state of the ports that carry upstream traffic from connected hosts and servers, and to allow the failover of the server traffic to an operational link on another Cisco Ethernet switch. To use Link-state Tracking, the switch must be running the LAN Base image.
  • Page 58: Security Features

    Protocol storm protection to control the rate of incoming protocol traffic to a switch by dropping packets that exceed a specified ingress rate. BPDU guard for shutting down a Port Fast-configured port when an invalid configuration occurs ...
  • Page 59 Note: Port security for controlling access to 802.1x ports. Voice VLAN to permit a Cisco IP Phone to access the voice VLAN regardless of the authorized or unauthorized state of the port. IP phone detection enhancement to detect and recognize a Cisco IP phone.
  • Page 60 IEEE 802.1x authentication with downloadable ACLs and redirect URLs to allow per-user ACL downloads from a Cisco Secure ACS server to an authenticated switch. Support for dynamic creation or attachment of an auth-default ACL on a port that has no ...
  • Page 61: Qos And Cos Features

    When there is a change in policy for a user or user group in AAA, administrators can send RADIUS CoA packets from the AAA server, such as Cisco Secure ACS, to reinitialize authentication and apply the new policies.
  • Page 62 (sharing is the only supported mode on ingress queues) Note: To use ingress queueing, the Catalyst 2960 switch must be running the LAN Base image. Note: Ingress queueing is not supported on Catalyst 2960-S switches.
  • Page 63: Layer 3 Features

    Support for IEEE 802.3at (PoE+), which increases the available power that can be drawn by powered devices from 15.4 W per port to 30 W per port (Catalyst 2960-S only). Support for CDP with power consumption: the powered device notifies the switch of the amount of ...
  • Page 64: Monitoring Features

    Chapter 1, Overview, Features: Supports the third-party UPoE power device that complies with Cisco Catalyst 3000 switches. Sources up to 60 W of power by configuring the 4-pair forced mode interface even if the power device does not support the Layer-2 power negotiation protocol, such as CDP or LLDP.
  • Page 65: Default Settings After Initial Switch Configuration

    Switch cluster is disabled. For more information about switch clusters, see Chapter 6, “Clustering Switches,” and the Getting Started with Cisco Network Assistant, available on Cisco.com. No passwords are defined. For more information, see Chapter 5, “Administering the Switch.” ...
  • Page 66 No protected ports are defined. For more information, see Chapter 23, “Configuring Port-Based Traffic Control.” Unicast and multicast traffic flooding is not blocked. For more information, see Chapter 23, “Configuring Port-Based Traffic Control.” ...
  • Page 67: Network Configuration Examples

    Ethernet connections. “Design Concepts for Using the Switch” section on page 1-19; “Small to Medium-Sized Network Using Catalyst 2960, 2960-S and 2960-C Switches” section on page 1-24; “Long-Distance, High-Bandwidth Transport Configuration” section on page 1-25. Design Concepts for Using the Switch: As your network users compete for network bandwidth, it takes longer to send and receive data.
  • Page 68 All stack members have synchronized copies of the saved mission-critical applications and running configuration files of the switch stack. Note: Stacking is supported only on Catalyst 2960-S switches running the LAN base image. ...
  • Page 69 1-1)—A cost-effective way to connect many users to the wiring closet is to have a switch stack of up to four Catalyst 2960-S switches. To preserve switch connectivity if one switch in the stack fails, connect the switches as recommended in the hardware installation guide, and enable either cross-stack Etherchannel or cross-stack UplinkFast.
  • Page 70 1-2)—For high-speed access to network resources, you can use the Catalyst 2960 switch in the access layer to provide Gigabit Ethernet to the desktop. To prevent congestion, use QoS DSCP marking priorities on these switches. For high-speed IP forwarding at the distribution layer, connect the switches in the access layer to a Gigabit multilayer switch with routing capability, such as a Catalyst 3750 switch, or to a router.
  • Page 71 The various lengths of stack cable available, ranging from 0.5 meter to 3 meters, provide extended connections to the switch stacks across multiple server racks, for multiple stack aggregation. ...
  • Page 72 Data and multimedia traffic are configured on the same VLAN. Voice traffic from the Cisco IP Phones is configured on separate VVIDs. If data, multimedia, and voice traffic are assigned to the same VLAN, only one VLAN can be configured per wiring closet.
  • Page 73 The CWDM OADM modules on the receiving end separate (or demultiplex) the different wavelengths. For more information about the CWDM SFP modules and CWDM OADM modules, see the Cisco CWDM GBIC and CWDM SFP Installation Note. ...
  • Page 74: Where To Go Next

    Chapter 3, “Assigning the Switch IP Address and Default Gateway.” To locate and download MIBs for a specific Cisco product and release, use the Cisco MIB Locator: http://cisco.com/public/sw-center/netmgmt/cmtk/mibs.shtml. ...
  • Page 75: Table Of Contents

    Chapter 2, Using the Command-Line Interface: This chapter describes the Cisco IOS command-line interface (CLI) and how to use it to configure your 2960, 2960-SC or 2960-S switch. Unless otherwise noted, the term switch refers to a standalone switch and to a switch stack.
  • Page 76 ... line vty or line console command. To return to privileged EXEC mode, press Ctrl-Z or enter end. ...
  • Page 77: Understanding The Help System

    You need to enter only enough characters for the switch to recognize the command as unique. This example shows how to enter the show configuration privileged EXEC command in an abbreviated form: Switch# show conf ...
  • Page 78: Understanding No And Default Forms Of Commands

    Logging and Notification feature to track changes on a per-session and per-user basis. The logger tracks each configuration command that is applied, the user who entered the command, the time that the ...
  • Page 79: Using Command History

    Beginning in line configuration mode, enter this command to configure the number of command lines the switch records for all sessions on a particular line: Switch(config-line)# history size number-of-lines The range is from 0 to 256. ...
  • Page 80: Recalling Commands

    Although enhanced editing mode is automatically enabled, you can disable it, re-enable it, or configure a specific line to have enhanced editing. These procedures are optional. To globally disable enhanced editing mode, enter this command in line configuration mode: Switch(config-line)# no editing ...
  • Page 81: Editing Commands Through Keystrokes

    Delete from the cursor to the end of the word: press Esc D. Capitalize or lowercase words or capitalize a set of letters: press Esc C to capitalize at the cursor. ...
  • Page 82: Editing Command Lines That Wrap

    The dollar sign ($) appears at the end of the line to show that the line has been scrolled to the right: Switch(config)# access-list 101 permit tcp 131.108.2.5 255.255.255.0 131.108.1$ ...
  • Page 83: Searching And Filtering Output Of Show And More Commands

    Commands you enter in one session are not displayed in the other sessions. Therefore, it is possible to lose track of the session from which you entered commands. Note: Stacking is supported only on Catalyst 2960-S switches running the LAN base image. We recommend using one CLI session when managing the switch stack.
  • Page 84: Accessing The Cli Through A Console Connection Or Through Telnet

    ... 9-42. The switch supports up to five simultaneous secure SSH sessions. After you connect through the console port, through a Telnet session or through an SSH session, the user EXEC prompt appears on the management station. ...
  • Page 85: Understanding The Boot Process

    It also describes how to modify the switch startup configuration. For complete syntax and usage information for the commands used in this chapter, see the command reference for this release and the Cisco IOS IP Command Reference, Volume 1 of 3: Addressing and Services from Cisco.com page.
  • Page 86: Assigning Switch Information

    If you are an experienced user familiar with the switch configuration steps, manually configure the switch. Otherwise, use the setup program described previously. Default Switch Information, page 3-3; Understanding DHCP-Based Autoconfiguration, page 3-3; Manually Assigning IP Information, page 3-14; ...
  • Page 87: Default Switch Information

    DHCP client is invoked and requests the IP address information for those interfaces. ...
  • Page 88 IP address for an interface, the client accepts the DHCP hostname option and sets the flag to show that the system now has a hostname configured. ...
  • Page 89 Unless you configure a timeout, the DHCP-based autoconfiguration with a saved configuration feature tries indefinitely to download an IP address. The auto-install process stops if a configuration file cannot be downloaded or if the configuration file is corrupted. ...
  • Page 90 The switch can act as a DHCP server. By default, the Cisco IOS DHCP server and relay agent features are enabled on your switch but are not configured. These features are not operational. If your DHCP server is a Cisco device, for additional information about configuring DHCP, see the “Configuring...
  • Page 91 If the relay device is a Cisco router, enable IP routing (ip routing global configuration command), and configure helper addresses by using the ip helper-address interface configuration command.
  • Page 92: Obtaining Configuration Files

    The switch sends a unicast message to the TFTP server to retrieve the network-confg or cisconet.cfg default configuration file. (If the network-confg file cannot be read, the switch reads the cisconet.cfg file.) ...
  • Page 93 (address table, one column per switch)
        Switch A: MAC address 00e0.9f1e.2001, IP address 10.0.0.21, subnet mask 255.255.255.0, router address 10.0.0.10, DNS server address 10.0.0.2
        Switch B: MAC address 00e0.9f1e.2002, IP address 10.0.0.22, subnet mask 255.255.255.0, router address 10.0.0.10, DNS server address 10.0.0.2
        Switch C: MAC address 00e0.9f1e.2003, IP address 10.0.0.23, subnet mask 255.255.255.0, router address 10.0.0.10, DNS server address 10.0.0.2
        Switch D: MAC address 00e0.9f1e.2004, IP address 10.0.0.24, subnet mask 255.255.255.0, router address 10.0.0.10, DNS server address 10.0.0.2
    ...
  • Page 94 It reads the configuration file that corresponds to its hostname; for example, it reads switch1-confg from the TFTP server. Switches B through D retrieve their configuration files and IP addresses in the same way. ...
  • Page 95: Configuring The Dhcp Auto Configuration And Image Update Features

    Switch(dhcp-config)# network 10.10.10.0 255.255.255.0
    Switch(dhcp-config)# bootfile config-boot.text
    Switch(dhcp-config)# default-router 10.10.10.1
    Switch(dhcp-config)# option 150 10.10.10.1
    Switch(dhcp-config)# exit
    Switch(config)# tftp-server flash:config-boot.text
    Switch(config-if)# no switchport
    Switch(config-if)# ip address 10.10.10.1 255.255.255.0
    Switch(config-if)# end
    ...
  • Page 96 Specify the IP address and mask for the interface. Step 17 Return to privileged EXEC mode. Step 18 copy running-config startup-config (Optional) Save your entries in the configuration file. ...
  • Page 97: Configuring The Client

    Switch(config)# vlan 99
    Switch(config-vlan)# interface vlan 99
    Switch(config-if)# no shutdown
    Switch(config-if)# end
    Switch# show boot
    BOOT path-list:
    Config file: flash:/config.text
    Private Config file: flash:/private-config.text
    Enable Break:
    Manual Boot:
    HELPER path-list:
  • Page 98: Manually Assigning Ip Information

    For information on setting the switch system name, protecting access to privileged EXEC commands, and setting time and calendar services, see Chapter 5, “Administering the Switch.”
  • Page 99: Checking And Saving The Running Configuration

    EXEC command. For more information about alternative locations from which to copy the configuration file, see Appendix A, “Working with the Cisco IOS File System, Configuration Files, and Software Images.”
  • Page 100: Configuring The Nvram Buffer Size

    Configure the NVRAM buffer size in KB. The valid range for size is from 4096 to 1048576.
    Step 3  Return to privileged EXEC mode.
    Step 4  show boot   Verify the configuration.
  • Page 101: Modifying The Startup Configuration

    • Controlling Environment Variables, page 3-21
    • See also Appendix A, “Working with the Cisco IOS File System, Configuration Files, and Software Images,” for information about switch configuration files.
  • Page 102: Default Boot Configuration

    Specifying the Filename to Read and Write the System Configuration By default, the Cisco IOS software uses the file config.text to read and write a nonvolatile copy of the system configuration. However, you can specify a different filename, which will be loaded during the next boot-up cycle.
  • Page 103: Booting Manually

    Filenames and directory names are case sensitive.
    Step 5  copy running-config startup-config   (Optional) Save your entries in the configuration file.
    To disable manual booting, use the no boot manual global configuration command.
  • Page 104: Booting A Specific Software Image

    BOOT environment variable.
    Step 5  copy running-config startup-config   (Optional) Save your entries in the configuration file.
    To return to the default setting, use the no boot system global configuration command.
  • Page 105: Controlling Environment Variables

    Cisco IOS configuration file can be stored as an environment variable. You can change the settings of the environment variables by accessing the boot loader or by using Cisco IOS commands. Under normal circumstances, it is not necessary to alter the setting of the environment variables.
  • Page 106: Scheduling A Reload Of The Software Image

    (for example, to perform a software upgrade on all switches in the network).
    Note: A scheduled reload must take place within approximately 24 days.
  • Page 107: Configuring A Scheduled Reload

    During the save operation, the system requests whether you want to proceed with the save if the CONFIG_FILE environment variable points to a startup configuration file that no longer exists. If you proceed in this situation, the system enters setup mode upon reload.
  • Page 108: Displaying Scheduled Reload Information

    It displays reload information including the time the reload is scheduled to occur and the reason for the reload (if it was specified when the reload was scheduled).
  • Page 109: Understanding Cisco Configuration Engine Software

    This chapter describes how to configure the feature on the Catalyst 2960, 2960-S, and 2960-C switch. Note For complete configuration information for the Cisco Configuration Engine, go to http://www.cisco.com/en/US/products/sw/netmgtsw/ps4617/tsd_products_support_series_home.html For complete syntax and usage information for the commands used in this chapter, go to the Cisco IOS Network Management Command Reference, Release 12.4: http://www.cisco.com/en/US/docs/ios/netmgmt/command/reference/nm_book.html •...
  • Page 110: Configuration Service

    (LDAP) URLs that reference the device-specific configuration information stored in a directory. The Cisco IOS agent can perform a syntax check on received configuration files and publish events to show the success or failure of the syntax check. The configuration agent can either apply configurations immediately or delay the application until receipt of a synchronization event from the configuration server.
  • Page 111: Event Service

    The Cisco Configuration Engine uses the Event Service for receipt and generation of configuration events. The event agent is on the switch and facilitates the communication between the switch and the event gateway on the Configuration Engine.
  • Page 112 Therefore, the DeviceID, as originated on the switch, must match the DeviceID of the corresponding switch definition in the Configuration Engine. The origin of the DeviceID is defined by the Cisco IOS hostname of the switch. However, the DeviceID variable and its usage reside within the event gateway adjacent to the switch.
  • Page 113: Understanding Cisco Ios Agents

    The CNS event agent feature allows the switch to publish and subscribe to events on the event bus and works with the Cisco IOS agent. The Cisco IOS agent feature supports the switch by providing these features: •...
  • Page 114: Synchronized Configuration

    NVRAM for use at the next reboot. Configuring Cisco IOS Agents The Cisco IOS agents embedded in the switch Cisco IOS software allow the switch to be connected and automatically configured as described in the “Enabling Automated CNS Configuration” section on page 4-6.
  • Page 115: Enabling The Cns Event Agent

    Note: For more information about running the setup program and creating templates on the Configuration Engine, see the Cisco Configuration Engine Installation and Setup Guide, 1.5 for Linux: http://www.cisco.com/en/US/docs/net_mgmt/configuration_engine/1.5/installation_linux/guide/setup_1.html
    You must enable the CNS event agent on the switch before you enable the CNS configuration agent.
  • Page 116 This example shows how to enable the CNS event agent, set the IP address gateway to 10.180.1.27, set 120 seconds as the keepalive interval, and set 10 as the retry count:
    Switch(config)# cns event 10.180.1.27 keepalive 120 10
  • Page 117: Enabling The Cisco Ios Cns Agent

    After enabling the CNS event agent, start the Cisco IOS CNS agent on the switch. You can enable the Cisco IOS agent with these commands: •...
  • Page 118 ID, enter string string to use an arbitrary text string as the unique ID, or enter udi to set the unique device identifier (UDI) as the unique ID.
  • Page 119 Verify your entries. To disable the CNS Cisco IOS agent, use the no cns config initial {ip-address | hostname} global configuration command. This example shows how to configure an initial configuration on a remote switch when the switch configuration is unknown (the CNS Zero Touch feature).
  • Page 120: Enabling A Partial Configuration

    RemoteSwitch(config)# cns id ethernet 0 ipaddress
    RemoteSwitch(config)# cns config initial 172.28.129.22 no-persist

    Enabling a Partial Configuration
    Beginning in privileged EXEC mode, follow these steps to enable the Cisco IOS agent and to initiate a partial configuration on the switch: Command...
  • Page 121: Displaying Cns Configuration

    Displays statistics about the CNS event agent.
    show cns event subject   Displays a list of event agent subjects that are subscribed to by applications.
  • Page 122 Chapter 4 Configuring Cisco IOS Configuration Engine Displaying CNS Configuration
  • Page 123 The Catalyst 2960 and 2960-S switches run one of these images: The LAN base software image provides enterprise-class intelligent services such as access control • lists (ACLs) and quality of service (QoS) features. On a Catalyst 2960-S switch, stacking is also supported. •...
  • Page 124: Managing The System Time And Date

    You can manage the system time and date on your switch using automatic configuration, such as the Network Time Protocol (NTP), or manual configuration methods. Note For complete syntax and usage information for the commands used in this section, see the Cisco IOS Configuration Fundamentals Command Reference on Cisco.com. These sections contain this configuration information: Understanding the System Clock, page 5-2 •...
  • Page 125: Understanding Network Time Protocol

    Cisco’s implementation of NTP does not support stratum 1 service; it is not possible to connect to a radio or atomic clock. We recommend that the time service for your network be derived from the public NTP servers available on the IP Internet.
  • Page 126: Ntp Version 4

    If the network is isolated from the Internet, Cisco’s implementation of NTP allows a device to act as if it is synchronized through NTP, when in fact it has learned the time by using other means. Other devices then synchronize to that device through NTP.
  • Page 127: Configuring Time And Date Manually

    • For day, specify the day by date in the month.
    • For month, specify the month by name.
    • For year, specify the year (no abbreviation).
  • Page 128 For example, Newfoundland Standard Time (NST) is UTC-3:30 (Atlantic Standard Time, used elsewhere in Atlantic Canada, is a whole-hour UTC-4). The hours-offset is -3 and the minutes-offset is 30; the minutes take the sign of the hours, so the necessary command is clock timezone NST -3 30. To return the clock to UTC, use the no clock timezone global configuration command.
  • Page 129 This example shows how to specify that summer time starts on the first Sunday in April at 02:00 and ends on the last Sunday in October at 02:00:
    Switch(config)# clock summer-time PDT recurring 1 Sunday April 2:00 last Sunday October 2:00
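    Correlating switch logs with other evidence depends on knowing exactly what the switch's clock timezone offset (including a signed minutes-offset such as -3 30) and its recurring summer-time rule mean for a given wall-clock reading. The Python script below is an added example, not code from the configuration guide: it parses those two commands from running-config text and converts a device-local timestamp to UTC, handling the half-hour offset, the first/last-weekday rules, and the repeated hour at the end of summer time. The function names and the SAMPLE_CONFIG lines are assumptions made for this illustration.

```python
"""Convert Catalyst device-local timestamps to UTC from the switch's own
'clock timezone' and 'clock summer-time ... recurring' configuration.

Added example (not from the configuration guide). Function names and the
SAMPLE_CONFIG lines below are assumptions made for this illustration.
"""
import calendar
import re
from datetime import datetime, timedelta, timezone

WEEKDAYS = {d.lower(): i for i, d in enumerate(calendar.day_name)}      # monday -> 0
MONTHS = {m.lower(): i for i, m in enumerate(calendar.month_name) if m}  # january -> 1

# clock timezone <zone> <hours-offset> [minutes-offset]
_TZ_RE = re.compile(r"^clock timezone (\S+) ([+-]?\d+)(?: (\d+))?$")
# clock summer-time <zone> recurring <week> <day> <month> hh:mm <week> <day> <month> hh:mm [offset]
_ST_RE = re.compile(
    r"^clock summer-time (\S+) recurring (\d|first|last) (\w+) (\w+) (\d{1,2}):(\d{2})"
    r" (\d|first|last) (\w+) (\w+) (\d{1,2}):(\d{2})(?: (\d+))?$")

# Constructed sample: the guide's PDT rule, first Sunday in April to last Sunday in October.
SAMPLE_CONFIG = """\
clock timezone PST -8
clock summer-time PDT recurring 1 Sunday April 2:00 last Sunday October 2:00
"""


def nth_weekday(year, month, weekday, week):
    """Date of the <week>th <weekday> in <month>; week is 1-5, 'first' or 'last'."""
    if week == "last":
        day = datetime(year, month, calendar.monthrange(year, month)[1])
        while day.weekday() != weekday:
            day -= timedelta(days=1)
        return day
    n = 1 if week == "first" else int(week)
    day = datetime(year, month, 1)
    while day.weekday() != weekday:
        day += timedelta(days=1)
    day += timedelta(weeks=n - 1)
    if day.month != month:          # week 5 in a month that only has four: IOS means 'last'
        day -= timedelta(weeks=1)
    return day


def parse_clock_config(config_text):
    """Return {'name', 'offset': timedelta, 'summer': rule-or-None} from config lines."""
    tz = {"name": "UTC", "offset": timedelta(0), "summer": None}
    for line in config_text.splitlines():
        m = _TZ_RE.match(line.strip())
        if m:
            # the minutes-offset takes the sign of the hours-offset: '-3 30' is UTC-3:30
            sign = -1 if m.group(2).startswith("-") else 1
            tz["name"] = m.group(1)
            tz["offset"] = sign * timedelta(hours=abs(int(m.group(2))),
                                            minutes=int(m.group(3) or 0))
            continue
        m = _ST_RE.match(line.strip())
        if m:
            g = m.groups()
            tz["summer"] = {
                "name": g[0],
                "start": (g[1], WEEKDAYS[g[2].lower()], MONTHS[g[3].lower()], int(g[4]), int(g[5])),
                "end": (g[6], WEEKDAYS[g[7].lower()], MONTHS[g[8].lower()], int(g[9]), int(g[10])),
                "offset": timedelta(minutes=int(g[11] or 60)),   # IOS default is 60 minutes
            }
    return tz


def in_summer_time(local_naive, tz):
    """True if the wall-clock reading falls inside the recurring summer-time window.
    The start is expressed in standard time and the end in summer time, as the switch
    applies them; a reading in the repeated hour before the end is taken as the first
    (summer-time) occurrence."""
    rule = tz["summer"]
    if rule is None:
        return False

    def at(spec):
        week, wd, month, hh, mm = spec
        return nth_weekday(local_naive.year, month, wd, week).replace(hour=hh, minute=mm)

    start, end = at(rule["start"]), at(rule["end"])
    if start < end:                               # northern-hemisphere style rule
        return start <= local_naive < end
    return not (end <= local_naive < start)       # southern-hemisphere style rule


def to_utc(local_naive, tz):
    """Device-local wall-clock time (as printed by show clock or syslog) -> aware UTC."""
    offset = tz["offset"]
    if in_summer_time(local_naive, tz):
        offset += tz["summer"]["offset"]
    return (local_naive - offset).replace(tzinfo=timezone.utc)


def convert(timestamp, config_text):
    """'YYYY-MM-DD HH:MM' device-local -> ISO-8601 UTC string, e.g. for a SIEM."""
    tz = parse_clock_config(config_text)
    return to_utc(datetime.strptime(timestamp, "%Y-%m-%d %H:%M"), tz).strftime("%Y-%m-%dT%H:%MZ")


if __name__ == "__main__":
    for stamp in ("2024-06-15 12:00", "2024-01-15 12:00", "2024-10-27 01:30"):
        print(stamp, "local ->", convert(stamp, SAMPLE_CONFIG))
```

    A reading of 01:30 on the last Sunday in October converts as summer time (the first occurrence of the repeated hour); the same wall-clock reading after the switch has fallen back cannot be distinguished without a second source, which is one more reason to feed the switch from NTP and log in UTC where the collector allows it.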
  • Page 130: Configuring A System Name And Prompt

    When you use this command, the stack member number is appended to the system prompt. For example, Switch-2# is the prompt in privileged EXEC mode for stack member 2, and the system prompt for the switch stack is Switch.
  • Page 131: Default System Name And Prompt Configuration

    For complete syntax and usage information for the commands used in this section, see the Cisco IOS Configuration Fundamentals Command Reference and the Cisco IOS IP Command Reference, Volume 2 of 3: Routing Protocols.
  • Page 132 If your network devices require connectivity with devices in networks for which you do not control name assignment, you can dynamically assign device names that uniquely identify your devices by using the global Internet naming scheme (DNS).
  • Page 133: Creating A Banner

    If there is a period (.) in the hostname, the Cisco IOS software looks up the IP address without appending any default domain name to the hostname.
  • Page 134
    Trying 172.2.5.4...
    Connected to 172.2.5.4.
    Escape character is '^]'.

    This is a secure site. Only authorized users are allowed.
    For access, contact technical support.

    User Access Verification

    Password:
  • Page 135: Configuring A Login Banner

    (static or dynamic).
    Note: For complete syntax and usage information for the commands used in this section, see the command reference for this release.
  • Page 136: Building The Address Table

    Each VLAN maintains its own logical address table. A known address in one VLAN is unknown in another until it is learned or statically associated with a port in the other VLAN.
  • Page 137: Mac Addresses And Switch Stacks

    Step 5  copy running-config startup-config   (Optional) Save your entries in the configuration file.
    To return to the default value, use the no mac address-table aging-time global configuration command.
  • Page 138: Removing Dynamic Address Entries

    Enable the switch to send MAC address change notification traps to the NMS.
    Step 4  mac address-table notification change   Enable the MAC address change notification feature.
  • Page 139
    Switch(config-if)# snmp trap mac-notification change added
    You can verify your settings by entering the show mac address-table notification change interface and the show mac address-table notification change privileged EXEC commands.
  • Page 140: Configuring Mac Address Move Notification Traps

    Switch(config)# snmp-server host 172.20.10.10 traps private mac-notification
    Switch(config)# snmp-server enable traps mac-notification move
    Switch(config)# mac address-table notification mac-move
    You can verify your settings by entering the show mac address-table notification mac-move privileged EXEC command.
  • Page 141: Configuring Mac Threshold Notification Traps

    Return to privileged EXEC mode.
    Step 7  show mac address-table notification threshold   Verify your entries.
            show running-config
    Step 8  copy running-config startup-config   (Optional) Save your entries in the configuration file.
  • Page 142: Adding And Removing Static Address Entries

    For static unicast addresses, you can enter only one interface at a time, but you can enter the command multiple times with the same MAC address and VLAN ID.
  • Page 143: Configuring Unicast Mac Address Filtering

    You enable unicast MAC address filtering and configure the switch to drop packets with a specific address by specifying the source or destination unicast MAC address and the VLAN from which it is received.
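    The MAC move notification on page 140 tells you that an address changed ports; deciding whether to answer with the unicast MAC address filter described here needs the history behind that move. The Python script below is an added example, not code from the configuration guide: it parses successive show mac address-table snapshots (the sample output is constructed in the switch's table format), lists dynamic addresses that moved between ports, and drafts the mac address-table static <mac> vlan <id> drop line for an operator to review. The function names and the sample snapshots are assumptions made for this illustration.

```python
"""Detect MAC addresses that move between ports across successive
'show mac address-table' snapshots and draft the unicast MAC filtering
command ('mac address-table static <mac> vlan <id> drop') for review.

Added example, not code from the configuration guide. The snapshot text is
constructed to look like the switch's table output; the function names are
assumptions made for this illustration.
"""
import re
from collections import defaultdict

# One table row: VLAN (number or 'All'), dotted-hex MAC, entry type, port.
_ROW_RE = re.compile(
    r"^\s*(?P<vlan>All|\d+)\s+(?P<mac>(?:[0-9a-f]{4}\.){2}[0-9a-f]{4})"
    r"\s+(?P<type>[A-Z_]+)\s+(?P<port>\S+)\s*$", re.IGNORECASE)

# Constructed snapshots: 0011.2233.4455 (the gateway MAC in this scenario) is
# learned on Gi0/1, then appears on access port Gi0/24, then flips back.
SNAPSHOTS = [
    """\
          Mac Address Table
-------------------------------------------

Vlan    Mac Address       Type        Ports
----    -----------       --------    -----
 All    0100.0ccc.cccc    STATIC      CPU
  10    0011.2233.4455    DYNAMIC     Gi0/1
  10    00aa.bbcc.dd01    DYNAMIC     Gi0/2
Total Mac Addresses for this criterion: 3
""",
    """\
Vlan    Mac Address       Type        Ports
----    -----------       --------    -----
 All    0100.0ccc.cccc    STATIC      CPU
  10    0011.2233.4455    DYNAMIC     Gi0/24
  10    00aa.bbcc.dd01    DYNAMIC     Gi0/2
""",
    """\
Vlan    Mac Address       Type        Ports
----    -----------       --------    -----
  10    0011.2233.4455    DYNAMIC     Gi0/1
  10    00aa.bbcc.dd01    DYNAMIC     Gi0/2
""",
]


def parse_mac_table(text):
    """Return [(vlan, mac, type, port)] for every address row in one snapshot."""
    rows = []
    for line in text.splitlines():
        m = _ROW_RE.match(line)
        if m:
            rows.append((m["vlan"], m["mac"].lower(), m["type"].upper(), m["port"]))
    return rows


def detect_mac_moves(snapshots):
    """Map (vlan, mac) -> ordered list of ports, for dynamic entries seen on more
    than one port. Static entries (including the switch's own CPU addresses) are
    ignored; they cannot move."""
    history = defaultdict(list)
    for snap in snapshots:
        for vlan, mac, typ, port in parse_mac_table(snap):
            if typ != "DYNAMIC":
                continue
            ports = history[(vlan, mac)]
            if not ports or ports[-1] != port:
                ports.append(port)
    return {key: ports for key, ports in history.items() if len(ports) > 1}


def drop_filter_commands(moves, min_moves=2):
    """Draft 'mac address-table static ... drop' lines for addresses that moved at
    least min_moves times. The drop applies to the address as source and as
    destination in that VLAN, so filtering a real gateway MAC blackholes the VLAN:
    these lines are for an operator to review, not to push unattended."""
    cmds = []
    for (vlan, mac), ports in sorted(moves.items()):
        if len(ports) - 1 >= min_moves:
            cmds.append(f"mac address-table static {mac} vlan {vlan} drop")
    return cmds


if __name__ == "__main__":
    moves = detect_mac_moves(SNAPSHOTS)
    for (vlan, mac), ports in moves.items():
        print(f"vlan {vlan} {mac} moved: {' -> '.join(ports)}")
    for cmd in drop_filter_commands(moves):
        print("candidate:", cmd)
```

    In practice the snapshots would be collected by a scheduled show mac address-table over SSH, or replaced by the mac-move traps from page 140 once an NMS receives them; the drop filter is the blunt response, and an address that oscillates between an uplink and an access port usually deserves a look at the access port first.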
  • Page 144: Disabling Mac Address Learning On A Vlan

    VLAN ID that you enter is an internal VLAN, the switch generates an error message and rejects the command. To view internal VLANs in use, enter the show vlan internal usage privileged EXEC command.
  • Page 145: Displaying Address Table Entries

    Displays the aging time in all VLANs or the specified VLAN.
    show mac address-table count   Displays the number of addresses present in all VLANs or the specified VLAN.
  • Page 146: Managing The Arp Table

    (represented by the arpa keyword) is enabled on the IP interface. ARP entries added manually to the table do not age and must be manually removed.
    Note: For CLI procedures, see the Cisco IOS Release 12.4 documentation on Cisco.com.
  • Page 147 These sections describe the role of web-based authentication as part of AAA:
    • Device Roles, page 11-2
    • Host Detection, page 11-2
    • Session Creation, page 11-3
    • Authentication Process, page 11-3
  • Page 148 IP address or a dynamic IP address.
    • Dynamic ARP inspection
    • DHCP snooping—Web-based authentication is notified when the switch creates a DHCP-binding entry for the host.
  • Page 149: Session Creation

    The terminate action is included in the response from the server.
    • If the terminate action is default, the session is dismantled, and the applied policy is removed.
  • Page 150: Local Web Authentication Banner

    You create a banner by using the ip admission auth-proxy-banner http global configuration command. The default banner Cisco Systems and Switch host-name Authentication appear on the Login Page. Cisco Systems appears on the authentication result pop-up page, as shown in Figure 11-2.
  • Page 151 Figure 11-4 Login Screen With No Banner For more information, see the Cisco IOS Security Command Reference and the “Configuring a Web Authentication Local Banner” section on page 11-16.
  • Page 152: Web Authentication Customizable Web Pages

    • You must include an HTML redirect command in the success page to access a specific URL.
    • The URL string must be a valid URL (for example, http://www.cisco.com). An incomplete URL might cause page not found or similar errors on a web browser.
  • Page 153 You can then limit the number or group of clients that can access the network through the port. For more information about enabling port security, see the “Configuring Port Security” section on page 23-8.
  • Page 154 ACLs If you configure a VLAN ACL or a Cisco IOS ACL on an interface, the ACL is applied to the host traffic only after the web-based authentication host policy is applied. For Layer 2 web-based authentication, you must configure a port ACL (PACL) as the default access policy for ingress traffic from hosts connected to the port.
  • Page 155
    • You must configure the default ACL on the interface before configuring web-based authentication. Configure a port ACL for a Layer 2 interface or a Cisco IOS ACL for a Layer 3 interface.
    • You cannot authenticate hosts on Layer 2 interfaces with static ARP cache assignment. These hosts...
  • Page 156: Configuring The Authentication Rule And Interfaces

    This example shows how to enable web-based authentication on Fast Ethernet port 5/1:
    Switch(config)# ip admission name webauth1 proxy http
    Switch(config)# interface fastethernet 5/1
    Switch(config-if)# ip admission webauth1
    Switch(config-if)# exit
    Switch(config)# ip device tracking
  • Page 157: Configuring Aaa Authentication

    Configuring Switch-to-RADIUS-Server Communication
    RADIUS security servers are identified by:
    • Host name
    • Host IP address
    • Host name and specific UDP port numbers
    • IP address and specific UDP port numbers
  • Page 158 For more information, see the Cisco IOS Security Configuration Guide and the Cisco IOS Security Command Reference: http://www.cisco.com/en/US/docs/ios/12_2/security/command/reference/fsecur_r.html
  • Page 159: Configuring The Http Server

    Step 2  ip admission proxy http success page file device:success-filename   Specify the location of the custom HTML file to use in place of the default login success page.
  • Page 160
    Authentication global init state time is 2 minutes
    Authentication Proxy Session ratelimit is 100
    Authentication Proxy Watch-list is disabled
    Authentication Proxy Auditing is disabled
    Max Login attempts per user is 5
  • Page 161: Configuring The Web-Based Authentication Parameters

    (Optional) Save your entries in the configuration file.
    This example shows how to set the maximum number of failed login attempts to 10:
    Switch(config)# ip admission max-login-attempts 10
  • Page 162: Removing Web-Based Authentication Cache Entries

    This example shows how to remove the web-based authentication session for the client at the IP address 209.165.201.1:
    Switch# clear ip auth-proxy cache 209.165.201.1
  • Page 163 This example shows how to view only the global web-based authentication status:
    Switch# show authentication sessions
    This example shows how to view the web-based authentication settings for gigabit interface 3/27:
    Switch# show authentication sessions interface gigabitethernet 3/27
  • Page 164 Chapter 11 Configuring Web-Based Authentication Displaying Web-Based Authentication Status
  • Page 165: Clustering Switches

    This chapter provides the concepts and procedures to create and manage Catalyst 2960, 2960-S, or 2960-C switch clusters. Unless otherwise noted, the term switch refers to a standalone switch and to a switch stack.
  • Page 166: Understanding Switch Clusters

    Cluster members can belong to only one cluster at a time.
    Note: A switch cluster is different from a switch stack. A switch stack is a set of Catalyst 2960-S switches connected through their stack ports.
  • Page 167: Cluster Command Switch Characteristics

    A cluster command switch must meet these requirements:
    • It is running Cisco IOS Release 12.2(25)FX or later for a Catalyst 2960 switch, or Cisco IOS Release 12.2(53)SE or later for a Catalyst 2960-S switch.
  • Page 168: Candidate Switch And Cluster Member Switch Characteristics

    Note: Standby cluster command switches must be the same type of switches as the cluster command switch. For example, if the cluster command switch is a Catalyst 2960 switch, the standby cluster command switches must also be Catalyst 2960 switches. If the cluster command switch is a Catalyst 2960-S switch, the standby cluster command switches must also be Catalyst 2960-S switches.
  • Page 169: Automatic Discovery Of Cluster Candidates And Members

    Java plug-in configurations.
    The cluster command switch uses Cisco Discovery Protocol (CDP) to discover cluster member switches, candidate switches, neighboring switch clusters, and edge devices across multiple VLANs and in star or cascaded topologies.
  • Page 170 Discovery Through Non-CDP-Capable and Noncluster-Capable Devices
    If a cluster command switch is connected to a non-CDP-capable third-party hub (such as a non-Cisco hub), it can discover cluster-enabled devices connected to that third-party hub. However, if the cluster command switch is connected to a noncluster-capable Cisco device, it cannot discover a cluster-enabled device connected beyond the noncluster-capable Cisco device.
  • Page 171 VLAN in common with the cluster command switch. They do not need to be connected to the cluster command switch through their management VLAN. The default management VLAN is VLAN 1.
  • Page 172: Discovery Of Newly Installed Switches

    Figure 6-4 (assuming they are Catalyst 2960, Catalyst 2970, Catalyst 2975, Catalyst 3550, Catalyst 3560, or Catalyst 3750 cluster command switches) have ports assigned to VLANs 9, 16, and 62. The management VLAN on the cluster command switch is VLAN 9. Each cluster command switch discovers the switches in the different...
  • Page 173: Hsrp And Standby Cluster Command Switches

    Note: The HSRP standby hold time interval should be greater than or equal to three times the hello time interval. The default HSRP standby hold time interval is 10 seconds. The default HSRP standby hello time interval is 3 seconds.
  • Page 174 If your switch cluster has a Catalyst 2960 switch or a Cisco FlexStack (a stack that contains only 2960-S switches), it should be the cluster command switch.
  • Page 175 However, because it was a passive standby cluster command switch, the previous cluster command switch did...
  • Page 176: Ip Addresses

    If a switch has a hostname, it retains that name when it joins a cluster and when it leaves the cluster.
  • Page 177: Passwords

    Switch Clusters and Switch Stacks
    A switch cluster can have one or more Catalyst 2960-S switch stacks. Each switch stack can act as the cluster command switch or as a single cluster member.
  • Page 178 Cluster configuration of switch stacks is through the stack master. These are considerations to keep in mind when you have switch stacks in switch clusters: If the cluster command switch is not a Catalyst 2960-S switch or switch stack and a new stack master •...
  • Page 179: Tacacs+ And Radius

    Telnet session (through a console or Telnet connection) and to access the cluster member switch CLI. The command mode changes, and the Cisco IOS commands operate as usual. Enter the exit privileged EXEC command on the cluster member switch to return to the command-switch CLI.
  • Page 180: Using Snmp To Manage Switch Clusters

    “Switch Clusters and Switch Stacks” section on page 6-13. Stacking is supported only on Catalyst 2960-S switches running the LAN base image.
    Catalyst 1900 and Catalyst 2820 CLI Considerations
    If your switch cluster has Catalyst 1900 and Catalyst 2820 switches running standard edition software, the Telnet session accesses the management console (a menu-driven interface) if the cluster command switch is at privilege level 15.
  • Page 181 Chapter 30, “Configuring SNMP.”
    Figure 6-7 SNMP Management for a Cluster (SNMP Manager; command switch; Trap 1, Trap 2, Trap 3; Member 1, Member 2, Member 3)
  • Page 182 Chapter 6 Clustering Switches Using SNMP to Manage Switch Clusters
  • Page 183: Managing Switch Stacks

    Understanding Stacks
    A switch stack is a set of up to four Catalyst 2960-S switches connected through their stack ports. One of the switches controls the operation of the stack and is called the stack master. The stack master and the other switches in the stack are stack members.
  • Page 184
    – Minor Version Number Incompatibility Among Switches, page 7-10
    – Incompatible Software and Member Image Upgrades, page 7-13
    – Stack Configuration Files, page 7-14
    – Additional Considerations for System-Wide Configuration on Switch Stacks, page 7-14
  • Page 185: Stack Membership

    – Stack Configuration Scenarios, page 7-16

    Note: A switch stack can have only Catalyst 2960-S stack members.
    A standalone switch is a stack with one member that is also the master. You can connect one standalone switch to another...
  • Page 186 Creating a Switch Stack from Two Standalone Switches (figure: standalone switch; stack member 2 and stack master; stack member 1)
    Figure 7-2 Adding a Standalone Switch to a Switch Stack
  • Page 187: Master Election

    When a new master is elected and the previous stack master becomes available, the previous master does not resume its role as stack master. For all powering considerations that affect stack-master elections, see the “Switch Installation” chapter in the hardware installation guide.
  • Page 188: Stack Mac Address

    3-21.
    • Member numbers and configurations, see the “Stack Configuration Files” section on page 7-14.
    • Merging stacks, see the “Stack Membership” section on page 7-3.
    •...
  • Page 189: Member Priority Values

    The startup configuration file ensures that the stack can reload and can use the saved information whether or not the provisioned switch is part of the stack.
  • Page 190 The switch type of the provisioned switch does not match the switch type in the provisioned configuration on the stack.
  • Page 191: Stack Software Compatibility Recommendations

    All stack members must run the same Cisco IOS software version to ensure compatibility in the stack protocol version among the members.
  • Page 192: Stack Protocol Version Compatibility

    1 is the major version number and 4 is the minor version number). Switches with the same Cisco IOS software version have the same stack protocol version. All features function properly across the stack. These switches with the same software version as the master immediately join the stack.
  • Page 193 You can use the archive download-sw /allow-feature-upgrade privileged EXEC command to allow installing an image with a different feature set.
  • Page 194 *Mar 11 20:36:15.038:%IMAGEMGR-6-AUTO_COPY_SW:Extracting images from archive into flash on switch 1... *Mar 11 20:36:15.038:%IMAGEMGR-6-AUTO_COPY_SW:c260c-lanbase-mz.122-50.SE (directory) *Mar 11 20:36:15.038:%IMAGEMGR-6-AUTO_COPY_SW:extracting c260c-lanbase-mz.122-50.SE/c260c-lanbase-mz.122-50.SE (4945851 bytes) *Mar 11 20:36:15.038:%IMAGEMGR-6-AUTO_COPY_SW:extracting c260c-lanbase-mz.122-50.SE/info (450 bytes) *Mar 11 20:36:15.038:%IMAGEMGR-6-AUTO_COPY_SW:extracting info (104 bytes) *Mar 11 20:36:15.038:%IMAGEMGR-6-AUTO_COPY_SW:...
  • Page 195: Incompatible Software And Member Image Upgrades

    For more information, see the “Copying an Image File from One Stack Member to Another” section on page A-38.
  • Page 196 • Configuration Files, and Software Images.” Additional Considerations for System-Wide Configuration on Switch Stacks • “Planning and Creating Clusters” chapter in the Getting Started with Cisco Network Assistant, available on Cisco.com • “MAC Addresses and Switch Stacks” section on page 5-15 ...
  • Page 197 Therefore, it is possible that you might not be able to identify the session from which you entered a command. We recommend that you use only one CLI session when managing the stack.
  • Page 198 The master is kept. The new switch is added to the stack. Through their stack ports, connect the new switch to a powered-on stack. Power on the new switch.
  • Page 199: Configuring The Switch Stack

    However, you can set the persistent MAC address feature with a time delay before the stack MAC address changes. During this time period, if the previous master rejoins the stack, the stack...
  • Page 200 If the previous master does not rejoin the stack during this period, the stack uses the MAC address of the new master as the stack MAC address. If the entire switch stack reloads, it acquires the MAC address of the master as the stack MAC address.
  • Page 201 Step 5 copy running-config startup-config (Optional) Save your entries in the configuration file. Use the no stack-mac persistent timer global configuration command to disable the persistent MAC address feature.
  • Page 202: Assigning Stack Member Information

    Reset the stack member. Step 5 show switch Verify the stack member number. Step 6 copy running-config startup-config Save your entries in the configuration file.
  • Page 203 For type, enter the model number of the member. Step 4 Return to privileged EXEC mode. Step 5 show running-config Verify the correct numbering of interfaces in the configuration.
  • Page 204 Only the show and debug commands are available on a specific member. For more information, see the “Using Interface Configuration Mode” section on page 12-16.
  • Page 205: Troubleshooting Stacks

    • If the stack is in the full-ring state, you can disable only one stack port. This message appears: Enabling/disabling a stack port may cause undesired stack changes. Continue?[confirm]
  • Page 206 • OK—A cable is detected, and the connected neighbor is up. • Neighbor: Switch number of the active member at the other end of the stack cable.
  • Page 207 • No—At least one stack port on the member has an attached stack cable. • Yes—None of the stack ports on the member has an attached stack cable.
  • Page 208 Chapter 7 Managing Switch Stacks Troubleshooting Stacks
  • Page 209: Understanding The Sdm Templates

    Understanding the SDM Templates Note The SDM template used by the Catalyst 2960-C Gigabit Ethernet switch and by the Catalyst 2960-S running the LAN Lite image is a default template and is not configurable. Catalyst 2960-S switches running the LAN base image support a default template and the lanbase-routing template.
  • Page 210 Chapter 8 Configuring SDM Templates Understanding the SDM Templates Note The lanbase-routing template is supported only on Catalyst 2960 and 2960-S switches running Cisco IOS Release 12.2(55)SE or later and only with the LAN base image. • QoS—The QoS template maximizes system resources for quality of service (QoS) access control entries (ACEs).
  • Page 211: Sdm Templates And Switch Stacks

    SDM Templates and Switch Stacks Note Stacking is supported only on Catalyst 2960-S switches running the LAN base image. All stack members use the same SDM template that is stored on the stack master. When a new switch is added to a stack, as with the switch configuration and VLAN database files, the SDM configuration that is stored on the stack master overrides the template configured on an individual switch.
  • Page 212: Configuring The Switch Sdm Template

    • Setting the SDM Template, page 8-5 Default SDM Template The default template for the Catalyst 2960 and 2960-S switches is the default desktop template. SDM Template Configuration Guidelines • You configure multiple SDM templates on Catalyst 2960 switches and on Catalyst 2960-C Fast Ethernet switches.
  • Page 213: Setting The Sdm Template

    If you enter the show sdm prefer command before you enter the reload privileged EXEC command, the show sdm prefer command shows the template in use and the template that becomes active after a reload.
  • Page 214: Displaying The Sdm Templates

    Use the show sdm prefer [default | dual-ipv4-and-ipv6 default | lanbase-routing | qos] privileged EXEC command to display the resource numbers supported by the specified template. Note The Catalyst 2960-S switch supports only the default and lanbase-routing templates. The Catalyst 2960-C Gigabit Ethernet switch supports only a default template.
  • Page 215: Preventing Unauthorized Access To Your Switch

    Chapter 9 Configuring Switch-Based Authentication This chapter describes how to configure switch-based authentication on the Catalyst 2960, 2960-S, or 2960-C switch. Unless otherwise noted, the term switch refers to a standalone switch and to a switch stack.
  • Page 216: Protecting Access To Privileged Exec Commands

    Password protection restricts access to a network or network device. Privilege levels define what commands users can enter after they have logged into a network device. Note For complete syntax and usage information for the commands used in this section, see the Cisco IOS Security Command Reference, Release 12.4 on Cisco.com.
  • Page 217: Setting Or Changing A Static Enable Password

    We recommend that you use the enable secret command because it uses an improved encryption algorithm. If you configure the enable secret command, it takes precedence over the enable password command; the two commands cannot be in effect simultaneously.
  • Page 218 To remove a password and level, use the no enable password [level level] or no enable secret [level level] global configuration command. To disable password encryption, use the no service password-encryption global configuration command.
  • Page 219: Disabling Password Recovery

    Disable password recovery. This setting is saved in an area of the flash memory that is accessible by the boot loader and the Cisco IOS image, but it is not part of the file system and is not accessible by any user.
  • Page 220: Setting A Telnet Password For A Terminal Line

    If you have defined privilege levels, you can also assign a specific privilege level (with associated rights and privileges) to each username and password pair.
  • Page 221: Configuring Multiple Privilege Levels

    Configuring Multiple Privilege Levels By default, the Cisco IOS software has two modes of password security: user EXEC and privileged EXEC. You can configure up to 16 hierarchical levels of commands for each mode. By configuring multiple passwords, you can allow different sets of users to have access to specified commands.
  • Page 222 This example shows how to set the configure command to privilege level 14 and define SecretPswd14 as the password users must enter to use level 14 commands: Switch(config)# privilege exec level 14 configure Switch(config)# enable password level 14 SecretPswd14
  • Page 223 Log in to a specified privilege level. For level, the range is 0 to 15. Step 2 disable level Exit to a specified privilege level. For level, the range is 0 to 15.
  • Page 224: Controlling Switch Access With Tacacs

    “Implementing ADSL for IPv6” chapter in the Cisco IOS XE IPv6 Configuration Guide, Release Note For complete syntax and usage information for the commands used in this section, see the Cisco IOS Security Command Reference, Release 12.4 and the Cisco IOS IPv6 Command Reference.
  • Page 225 TACACS+ daemon are encrypted. You need a system running the TACACS+ daemon software to use TACACS+ on your switch.
  • Page 226: Configuring Tacacs

    This process continues until there is successful communication with a listed method or the method list is exhausted.
  • Page 227 TACACS+ daemon. You must configure the same key on the TACACS+ daemon for encryption to be successful. Step 3 aaa new-model Enable AAA.
  • Page 228 Beginning in privileged EXEC mode, follow these steps to configure login authentication: Command Purpose Step 1 configure terminal Enter global configuration mode. Step 2 aaa new-model Enable AAA.
  • Page 229 {default | list-name} method1 [method2...] global configuration command. To either disable TACACS+ authentication for logins or to return to the default value, use the no login authentication {default | list-name} line configuration command.
  • Page 230 Configuring AAA authentication does not secure the switch for HTTP access by using AAA methods. For more information about the ip http authentication command, see the Cisco IOS Security Command Reference, Release 12.4 on Cisco.com.
  • Page 231: Controlling Switch Access With Radius

    (AV) pairs and is stored on the security server. This data can then be analyzed for network management, client billing, or auditing. Beginning in privileged EXEC mode, follow these steps to enable TACACS+ accounting for each Cisco IOS privilege level and for network services:...
  • Page 232: Understanding Radius

    “Implementing ADSL for IPv6” chapter in the Cisco IOS XE IPv6 Configuration Guide, Release Note For complete syntax and usage information for the commands used in this section, see the Cisco IOS Security Command Reference and the Cisco IOS IPv6 Command Reference.
  • Page 233: Radius Operation

    X.25 PAD connections. • Switch-to-switch or router-to-router situations. RADIUS does not provide two-way authentication. RADIUS can be used to authenticate from one device to a non-Cisco device if the non-Cisco device requires authentication. • Networks using a variety of services. RADIUS generally binds a user to one service model.
  • Page 234: Radius Change Of Authorization

    • Session termination with port shutdown • Session termination with port bounce This feature is integrated with the Cisco Secure Access Control Server (ACS) 5.1. For information about ACS: http://www.cisco.com/en/US/products/ps9911/tsd_products_support_series_home.html The RADIUS interface is enabled by default on Catalyst switches. However, some basic configuration is required for these attributes: Security and Password—See the...
  • Page 235 Error-Cause Values (Value / Explanation): Residual Session Context Removed; Invalid EAP Packet (Ignored); Unsupported Attribute; Missing Attribute; NAS Identification Mismatch; Invalid Request; Unsupported Service; Unsupported Extension; Invalid Attribute Value
  • Page 236 [RADIUS packet format diagram; only the bit-position ruler (0 to 31) was extracted]
  • Page 237 • CoA Disconnect-Request • CoA Request: Disable Host Port • CoA Request: Bounce-Port Beginning with Cisco IOS Release 12.2(52)SE, the switch supports the commands shown in Table 9-4. Table 9-4 CoA Commands Supported on the Switch Command Cisco VSA Reauthenticate host Cisco:Avpair=“subscriber:command=reauthenticate”...
  • Page 238 “Session Identification” section on page 9-22. If the session cannot be located, the switch returns a...
  • Page 239 Stacking Guidelines for CoA-Request Bounce-Port Because the bounce-port command is targeted at a session, not a port, if the session is not found, the command cannot be executed.
  • Page 240: Configuring Radius

    You should have access to and should configure a RADIUS server before configuring RADIUS features on your switch. • Default RADIUS Configuration, page 9-27 • Identifying the RADIUS Server Host, page 9-27 (required) • Configuring RADIUS Login Authentication, page 9-30 (required)
  • Page 241 To apply these settings globally to all RADIUS servers communicating with the switch, use the three unique global...
  • Page 242 You can configure the switch to use AAA server groups to group existing server hosts for authentication. For more information, see the “Defining AAA Server Groups” section on page 9-32.
  • Page 243 This example shows how to configure one RADIUS server to be used for authentication and another to be used for accounting: Switch(config)# radius-server host 172.29.36.49 auth-port 1612 key rad1 Switch(config)# radius-server host 172.20.36.50 acct-port 1618 key rad2
  • Page 244: Configuring Radius Login Authentication

    Beginning in privileged EXEC mode, follow these steps to configure login authentication. This procedure is required. Command Purpose Step 1 configure terminal Enter global configuration mode. Step 2 aaa new-model Enable AAA.
  • Page 245 Step 6 Return to privileged EXEC mode. Step 7 show running-config Verify your entries. Step 8 copy running-config startup-config (Optional) Save your entries in the configuration file.
  • Page 246: Defining Aaa Server Groups

    Configuring AAA authentication does not secure the switch for HTTP access by using AAA methods. For more information about the ip http authentication command, see the Cisco IOS Security Command Reference, Release 12.4 on Cisco.com.
  • Page 247 RADIUS server in the AAA server group. Each server in the group must be previously defined in Step 2. Step 6 Return to privileged EXEC mode. Step 7 show running-config Verify your entries.
  • Page 248: Configuring Radius Authorization For User Privileged Access And Network Services

    Use the local database if authentication was not performed by using RADIUS. • Note Authorization is bypassed for authenticated users who log in through the CLI even if authorization has been configured.
  • Page 249: Starting Radius Accounting

    (AV) pairs and is stored on the security server. This data can then be analyzed for network management, client billing, or auditing. Beginning in privileged EXEC mode, follow these steps to enable RADIUS accounting for each Cisco IOS privilege level and for network services:...
  • Page 250: Configuring Settings For All Radius Servers

    (Optional) Save your entries in the configuration file. To return to the default setting for the retransmit, timeout, and deadtime, use the no forms of these commands.
  • Page 251: Configuring The Switch To Use Vendor-Specific Radius Attributes

    1, which is named cisco-avpair. The value is a string with this format: protocol : attribute sep value * Protocol is a value of the Cisco protocol attribute for a particular type of authorization. Attribute and value are an appropriate attribute-value (AV) pair defined in the Cisco TACACS+ specification, and sep is = for mandatory attributes and is * for optional attributes.
  • Page 252: Configuring The Switch For Vendor-Proprietary Radius Server Communication

    Although an IETF draft standard for RADIUS specifies a method for communicating vendor-proprietary information between the switch and the RADIUS server, some vendors have extended the RADIUS attribute set in a unique way. Cisco IOS software supports a subset of vendor-proprietary RADIUS attributes.
  • Page 253: Configuring Coa On The Switch

    Step 7 auth-type {any | all | session-key} Specify the type of authorization the switch uses for RADIUS clients. The client must match all the configured attributes for authorization.
  • Page 254: Monitoring And Troubleshooting Coa Functionality

    Configuring RADIUS Server Load Balancing This feature allows access and authentication requests to be distributed evenly across all RADIUS servers in a server group. For more information, see the “RADIUS Server Load Balancing” chapter of the Cisco IOS Security Configuration Guide: http://www.ciscosystems.com/en/US/docs/ios/12_2sb/feature/guide/sbrdldbl.html...
  • Page 255: Displaying The Radius Configuration

    (Optional) Save your entries in the configuration file. To disable AAA, use the no aaa new-model global configuration command. To disable authorization, use the no aaa authorization {network | exec} method1 global configuration command.
  • Page 256: Configuring The Switch For Secure Shell

    You can use an SSH client to connect to a switch running the SSH server. The SSH server works with the SSH client supported in this release and with non-Cisco SSH clients. The SSH client also works with the SSH server supported in this release and with non-Cisco SSH servers.
  • Page 257: Configuring Ssh

    When generating the RSA key pair, the message No host name specified might appear. If it does, you must configure a hostname by using the hostname global configuration command.
  • Page 258 Setting Up the Switch to Run SSH Follow these steps to set up your switch to run SSH: Download the cryptographic software image from Cisco.com. This step is required. For more information, see the release notes for this release. Configure a hostname and IP domain name for the switch. Follow this procedure only if you are configuring the switch as an SSH server.
  • Page 259 (Optional) Save your entries in the configuration file. To return to the default SSH control parameters, use the no ip ssh {timeout | authentication-retries} global configuration command.
  • Page 260: Displaying The Ssh Configuration And Status

    • Displaying Secure HTTP Server and Client Status, page 9-52 For configuration examples and complete syntax and usage information for the commands used in this section, see the “HTTPS - HTTP Server and Client with SSL 3.0” feature description for Cisco IOS Release 12.2(15)T: http://www.cisco.com/en/US/docs/ios/netmgmt/configuration/guide/nm_https_sc_ssl3.html...
  • Page 261: Certificate Authority Trustpoints

    Configuring the Switch for Secure Socket Layer HTTP The primary role of the HTTP secure client (the web browser) is to respond to Cisco IOS application requests for HTTPS User Agent services, perform HTTPS User Agent services for the application, and pass the response back to the application.
  • Page 262: Configuring Secure Http Servers And Clients

    For additional information on Certificate Authorities, see the “Configuring Certification Authority Interoperability” chapter in the Cisco IOS Security Configuration Guide, Release 12.4 on Cisco.com. CipherSuites A CipherSuite specifies the encryption algorithm and the digest algorithm to use on an SSL connection.
  • Page 263 (Optional) Specify that the trustpoint should be used as the primary (default) trustpoint for CA requests. Step 10 exit Exit CA trustpoint configuration mode and return to global configuration mode.
  • Page 264 The default is for the client to request a certificate from the server, but the server does not attempt to authenticate the client.
  • Page 265: Configuring The Secure Http Client

    HTTP client certification. This procedure assumes that you have previously configured a CA trustpoint on the switch. If a CA trustpoint is not configured and the remote HTTPS server requires client authentication, connections to the secure HTTP client fail.
  • Page 266: Displaying Secure Http Server And Client Status

    Berkeley r-tools. For SSH to work, the switch needs an RSA public/private key pair. This is the same with SCP, which relies on SSH for its secure transport.
  • Page 267 A user who has appropriate authorization can use SCP to copy any file in the Cisco IOS File System (IFS) to and from a switch by using the copy command. An authorized administrator can also do this from a workstation.
  • Page 268 Chapter 9 Configuring Switch-Based Authentication Configuring the Switch for Secure Copy Protocol
  • Page 269 Stacking is supported only on Catalyst 2960-S switches running the LAN base image. Note The Catalyst 2960, 2960-S, and 2960-C switch command reference and the “RADIUS Commands” section in the Cisco IOS Security Command Reference, Release 12.4, have command syntax and usage information. This chapter includes these sections: Understanding IEEE 802.1x Port-Based Authentication, page 10-1...
  • Page 270 • Note To use IEEE 802.1x authentication with ACLs and the Filter-Id attribute, the switch must be running the LAN base image. • Common Session ID, page 10-35
  • Page 271 Authentication Protocol (EAP) extensions is the only supported authentication server. It is available in Cisco Secure Access Control Server Version 3.0 or later. RADIUS operates in a client/server model in which secure authentication information is exchanged between the RADIUS server and one or more RADIUS clients.
  • Page 272 [Authentication flowchart residue] (critical authentication) to assign the critical port to a VLAN. 1 = This occurs if the switch does not detect EAPOL packets from the client. Done
  • Page 273: Authentication Initiation And Message Exchange

    VLAN that provides limited services, or network access is not granted. For more information, see the “Ports in Authorized and Unauthorized States” section on page 10-10.
  • Page 274 VLAN. If the switch detects an EAPOL packet while waiting for an Ethernet packet, the switch stops the MAC authentication bypass process and stops 802.1x authentication. Figure 10-4 shows the message exchange during MAC authentication bypass.
  • Page 275: Authentication Manager

    Authentication Manager In Cisco IOS Release 12.2(46)SE and earlier, you could not use the same authorization methods, including CLI commands and messages, on this switch and also on other network devices, such as a Catalyst 6000. You had to use separate authentication configurations. Cisco IOS Release 12.2(50)SE and later supports the same authorization methods on all Catalyst switches in a network.
  • Page 276 ACL configured on another device running Cisco IOS software, such as a Catalyst 6000 switch. In Cisco IOS Release 12.2(50)SE or later, the ACLs configured on the switch are compatible with other devices running the Cisco IOS release.
  • Page 277 Enable the restricted VLAN on a port. dot1x critical (interface configuration): Enable the inaccessible-authentication-bypass feature. dot1x guest-vlan (footnote 6): Specify an active VLAN as a guest VLAN.
  • Page 278: Ports In Authorized And Unauthorized States

    Beginning with Cisco IOS Release 12.2(55)SE, you can filter out verbose system messages generated by the authentication manager. The filtered content typically relates to authentication success. You can also filter verbose messages for 802.1x authentication and MAB authentication.
  • Page 279: X Authentication And Switch Stacks

    802.1x Authentication and Switch Stacks Switch stacks are supported only on Catalyst 2960-S switches running the LAN base image. Note If a switch is added to or removed from a switch stack, 802.1x authentication is not affected as long as the IP connectivity between the RADIUS server and the stack remains intact.
  • Page 280: 802.1X Host Mode

    In this topology, the wireless access point is responsible for authenticating the clients attached to it, and it also acts as a client to the switch. [Figure 10-5 Multiple Host Mode Example; labels: Authentication server (RADIUS), Workstations (clients)]
  • Page 281: Multidomain Authentication

    The switch supports multidomain authentication (MDA), which allows both a data device and voice device, such as an IP phone (Cisco or non-Cisco), to authenticate on the same switch port. The port is divided into a data domain and a voice domain.
  • Page 282: 802.1X Multiple Authentication Mode

    • When a port host mode changes from single- or multihost to multidomain mode, an authorized data device remains authorized on the port. However, a Cisco IP phone on the port voice VLAN is automatically removed and must be reauthenticated on that port.
  • Page 283: Mac Move

    To configure the MAC replace feature, the switch must be running the LAN base image. Note Beginning with Cisco IOS Release 12.2(55)SE, the MAC replace feature can be configured to address the violation that occurs when a host attempts to connect to a port where another host was previously authenticated.
  • Page 284: 802.1X Accounting

    RADIUS accounting packets are sent by a switch: • START–sent when a new user session starts • INTERIM–sent during an existing session for updates • STOP–sent when a session terminates
  • Page 285: 802.1X Readiness Check

    DHCP snooping bindings table. You can view the AV pairs that are being sent by the switch by entering the debug radius accounting privileged EXEC command. For more information about this command, see the Cisco IOS Debug Command Reference: http://www.cisco.com/en/US/docs/ios/12_2/debug/command/reference/122debug.html...
  • Page 286: 802.1X Authentication With Vlan Assignment

    Voice device authentication is supported with multidomain host mode in Cisco IOS Release 12.2(37)SE. In Cisco IOS Release 12.2(40)SE and later, when a voice device is authorized and the RADIUS server returned an authorized VLAN, the voice VLAN on the port is configured to send and receive packets on the assigned voice VLAN.
  • Page 287: Using 802.1X Authentication With Per-User Acls

    When the definitions are passed from the RADIUS server, they are created by using the extended naming convention. However, if you use the Filter-Id attribute, it can point to a standard ACL.
  • Page 288: X Authentication With Downloadable Acls And Redirect Urls

    If the RADIUS server does not allow the .in or .out syntax, the access list is applied to the outbound ACL by default. Because of limited support of Cisco IOS access lists on the switch, the Filter-Id attribute is supported only for IP ACLs numbered 1 to 199 and 1300 to 2699 (IP standard and IP extended ACLs).
  • Page 289 Note The auth-default-ACL does not support Cisco Discovery Protocol (CDP) bypass in the single host mode. You must configure a static ACL on the interface to support CDP bypass. The 802.1x and MAB authentication methods support two authentication modes, open and closed. If there is no static ACL on a port in closed authentication mode: An auth-default-ACL is created.
  • Page 290 ACL, this ACL takes precedence over the default ACL that is configured on the switch port. However, if the switch receives a host access policy from the Cisco Secure ACS but the default ACL is not configured, an authorization failure is declared.
  • Page 291: 802.1X Authentication With Guest VLAN

    Chapter 10, Configuring IEEE 802.1x Port-Based Authentication: Understanding IEEE 802.1x Port-Based Authentication. Note: This feature is not supported on Cisco ACS Server. (The ACS server ignores the sent VLAN-IDs for new hosts and only authenticates based on the MAC address.) For configuration information, see the “Configuring VLAN ID-based MAC Authentication”...
  • Page 292: 802.1X Authentication With Restricted VLAN

    Other security features such as dynamic ARP Inspection, DHCP snooping, and IP source guard can be configured independently on a restricted VLAN. For more information, see the “Configuring a Restricted VLAN” section on page 10-55.
  • Page 293: 802.1X Authentication With Inaccessible Authentication Bypass

    Results” for a single host. As expected on a single-host mode port, if more than a single host is detected on the switch port, then the switch port enters an err-disable state.
  • Page 294 Support on Multiple-Authentication Ports: To enable Inaccessible Authentication Bypass on ports configured with host mode multi-auth, you must use the authentication event server dead action reinitialize vlan vlan-id command.
  • Page 295 RADIUS server. If a RADIUS server status changes from dead to up, all of the stack switches reauthenticate all switch ports currently in the critical-authentication state.
  • Page 296: 802.1X Authentication With Voice VLAN Ports

    A voice VLAN port becomes active when there is a link, and the device MAC address appears after the first CDP message from the IP phone. Cisco IP phones do not relay CDP messages from other devices. As a result, if several IP phones are connected in series, the switch recognizes only the one directly connected to it.
  • Page 297: 802.1X Authentication With Port Security

    Note: If you enable 802.1x authentication on an access port on which a voice VLAN is configured and to which a Cisco IP Phone is connected, the Cisco IP phone loses connectivity to the switch for up to 30 seconds. For more information about voice VLANs, see Chapter 15, “Configuring Voice VLAN.”...
  • Page 298 For more configuration information, see the “Authentication Manager” section on page 10-7. Cisco IOS Release 12.2(55)SE and later supports filtering of verbose MAB system messages. See the “Authentication Manager CLI Commands” section on page 10-9.
  • Page 299: 802.1X User Distribution

    VLAN group, none of the ports or users that are in the authenticated state in any VLAN within the group are cleared, but the VLAN mappings to the VLAN group are cleared. For more information, see the “Configuring 802.1x User Distribution” section on page 10-59.
  • Page 300: Network Admission Control Layer 2 802.1X Validation

    (ACL) defined on the port. After the host is authenticated, the policies configured on the RADIUS server are applied to that host.
  • Page 301: Using Voice Aware 802.1X Security

    • Once the supplicant switch authenticates successfully, the port mode changes from access to trunk.
    • If the access VLAN is configured on the authenticator switch, it becomes the native VLAN for the trunk port after successful authentication.
  • Page 302 Spanning Tree Protocol (STP) bridge protocol data unit (BPDU) packets before the supplicant switch has authenticated. Beginning with Cisco IOS Release 15.0(1)SE, you can control traffic exiting the supplicant port during the authentication period. Entering the dot1x supplicant controlled transient global configuration command temporarily blocks the supplicant port during authentication to ensure that the authenticator port does not shut down before authentication completes.
  • Page 303: Using IEEE 802.1X Authentication With ACLs and the RADIUS Filter-Id Attribute

    This ID is used for all reporting purposes, such as the show commands and MIBs. The session ID appears with all per-session syslog messages.
  • Page 304
    • Configuring 802.1x Accounting, page 10-53 (optional)
    • Enabling MAC Move, page 10-51 (optional)
    • Enabling MAC Replace, page 10-52 (optional)
    • Configuring a Guest VLAN, page 10-54 (optional)
  • Page 305: Default 802.1X Authentication Configuration

    EAP request/identity frame from the client before resending the request). Maximum retransmission number: 2 times (number of times that the switch will send an EAP-request/identity frame before restarting the authentication process).
  • Page 306: 802.1X Authentication Configuration Guidelines

    Query Protocol [VQP]) port, an error message appears, and 802.1x authentication is not enabled. If you try to change an 802.1x-enabled port to dynamic VLAN assignment, an error message appears, and the VLAN configuration is not changed.
  • Page 307 EtherChannel configuration from the interfaces on which 802.1x authentication and EtherChannel are configured.
    • Cisco IOS Release 12.2(55)SE and later supports filtering of system messages related to 802.1x authentication. See the “Authentication Manager CLI Commands” section on page 10-9.
  • Page 308: Configuring 802.1X Readiness Check

    • In single-host mode, only one device is allowed on the access VLAN. If the port is also configured with a voice VLAN, an unlimited number of Cisco IP phones can send and receive traffic through the voice VLAN.
    • In multidomain authentication (MDA) mode, one device is allowed for the access VLAN, and one...
  • Page 309: Configuring Voice Aware 802.1X Security

    If error-disabled recovery is not configured for the port, you re-enable it by using the shutdown and no-shutdown interface configuration commands.
  • Page 310: Configuring 802.1X Violation Modes

    You can configure an 802.1x port so that it shuts down, generates a syslog error, or discards packets from a new device when:
    • a device connects to an 802.1x-enabled port
    • the maximum number of allowed devices have been authenticated on the port
  • Page 311: Configuring 802.1X Authentication

    Step 2: VLAN assignment is enabled, as appropriate, based on the RADIUS server configuration.
    Step 3
    Step 4: The switch sends a start message to an accounting server.
  • Page 312
    Step 12: Return to privileged EXEC mode.
    Step 13: show authentication. Verify your entries.
    Step 14: copy running-config startup-config. (Optional) Save your entries in the configuration file.
  • Page 313: Configuring The Switch-To-RADIUS-Server Communication

    For more information, see the “Configuring Settings for All RADIUS Servers” section on page 9-36.
  • Page 314: Configuring The Host Mode

    802.1x-authorized port that has the authentication port-control interface configuration command set to auto. Use the multi-domain keyword to configure multidomain authentication (MDA) to enable authentication of both a host and a voice device, such as an IP phone (Cisco or non-Cisco) on the same switch port.
  • Page 315 This example shows how to enable MDA and to allow both a host and a voice device on the port:
    Switch(config)# interface gigabitethernet2/0/1
    Switch(config-if)# authentication port-control auto
    Switch(config-if)# authentication host-mode multi-domain
    Switch(config-if)# switchport voice vlan 101
    Switch(config-if)# end
  • Page 316: Configuring Periodic Re-Authentication

    This example shows how to enable periodic re-authentication and set the number of seconds between re-authentication attempts to 4000:
    Switch(config-if)# authentication periodic
    Switch(config-if)# authentication timer reauthenticate 4000
  • Page 317: Manually Re-Authenticating A Client Connected To A Port

    You should change the default value of this command only to adjust for unusual circumstances such as unreliable links or specific behavioral problems with certain clients and authentication servers.
  • Page 318: Setting The Switch-To-Client Frame-Retransmission Number

    Step 4: Return to privileged EXEC mode.
    Step 5: show authentication interface interface-id. Verify your entries.
    Step 6: copy running-config startup-config. (Optional) Save your entries in the configuration file.
  • Page 319: Setting The Re-Authentication Number

    Beginning in privileged EXEC mode, follow these steps to globally enable MAC move on the switch. This procedure is optional.
    Step 1: configure terminal. Enter global configuration mode.
    Step 2: authentication mac-move permit. Enable MAC move on the switch.
  • Page 320: Enabling MAC Replace

    (Optional) Saves your entries in the configuration file. This example shows how to enable MAC replace on an interface:
    Switch(config)# interface gigabitethernet2/0/2
    Switch(config-if)# authentication violation replace
  • Page 321 1813 as the UDP port for accounting:
    Switch(config)# radius-server host 172.120.39.46 auth-port 1812 acct-port 1813 key rad123
    Switch(config)# aaa accounting dot1x default start-stop group radius
    Switch(config)# aaa accounting system default start-stop group radius
  • Page 322: Configuring A Guest VLAN

    VLAN 2 as an 802.1x guest VLAN when an 802.1x port is connected to a DHCP client:
    Switch(config-if)# authentication timer inactivity 3
    Switch(config-if)# authentication timer reauthenticate 15
    Switch(config-if)# authentication event no-response action authorize vlan 2
  • Page 323: Configuring A Restricted VLAN

    Configuration Guidelines” section on page 10-38.
    Step 3: switchport mode access. Set the port to access mode.
    Step 4: authentication port-control auto. Enable 802.1x authentication on the port.
  • Page 324 (Optional) Sets the number of minutes during which a RADIUS server is not sent requests. The range is from 0 to 1440 minutes (24 hours). The default is 0 minutes.
  • Page 325 This example shows how to configure the inaccessible authentication bypass feature and configure the critical voice VLAN:
    Switch(config)# radius-server dead-criteria time 30 tries 20
    Switch(config)# radius-server deadtime 60
  • Page 326 To disable 802.1x authentication with WoL, use the no authentication control-direction interface configuration command. These examples show how to enable 802.1x authentication with WoL and set the port as bidirectional:
    Switch(config-if)# authentication control-direction both
  • Page 327: Configuring MAC Authentication Bypass

    Verify the configuration.
    Step 3: no vlan group vlan-group-name vlan-list. Clear the VLAN group configuration or elements of the VLAN group configuration.
  • Page 328 For more information about these commands, see the Cisco IOS Security Command Reference. Configuring NAC Layer 2 802.1x Validation: You can configure NAC Layer 2 802.1x validation, which is also referred to as 802.1x authentication with a RADIUS server.
  • Page 329: Configuring An Authenticator And A Supplicant Switch With NEAT

    “802.1x Supplicant and Authenticator Switches with Network Edge Access Topology (NEAT)” section on page 10-33. Note: The cisco-av-pairs must be configured as device-traffic-class=switch on the ACS, which sets the interface as a trunk after the supplicant is successfully authenticated. Beginning in privileged EXEC mode, follow these steps to configure a switch as an authenticator:...
  • Page 330 (Optional) Save your entries in the configuration file. This example shows how to configure a switch as a supplicant:
    Switch# configure terminal
    Switch(config)# cisp enable
    Switch(config)# dot1x credentials test
    Switch(config)# username suppswitch password myswitch
    Switch(config)#
  • Page 331: Configuring Downloadable ACLs

    Note: The acl-id is an access list name or number.
    Step 8: show running-config interface interface-id. Verify your configuration.
    Step 9: copy running-config startup-config. (Optional) Save your entries in the configuration file.
  • Page 332: Configuring A Downloadable Policy

    ARP probe. The range is from 30 to 300 seconds. The default is 30 seconds.
    • use-svi—Uses the switch virtual interface (SVI) IP address as source of ARP probes.
  • Page 333 There is no show command to confirm the status of VLAN ID-based MAC authentication. You can use the debug radius accounting privileged EXEC command to confirm the RADIUS attribute 32. For more information about this command, see the Cisco IOS Debug Command Reference: http://www.cisco.com/en/US/docs/ios/debug/command/reference/db_q1.html#wp1123741...
  • Page 334: Configuring Flexible Authentication Ordering

    (Optional) Enable or disable reauthentication on a port.
    Step 9: authentication port-control {auto | force-authorized | force-unauthorized}. (Optional) Enable manual control of the port authorization state.
  • Page 335 This example shows how to disable 802.1x authentication on the port:
    Switch(config)# interface gigabitethernet1/0/2
    Switch(config-if)# no dot1x pae authenticator
  • Page 336 EXEC command. Beginning with Cisco IOS Release 12.2(55)SE, you can use the no dot1x logging verbose global configuration command to filter verbose 802.1x authentication messages. See the “Authentication...
  • Page 337: Understanding Interface Types

    CHAPTER: Configuring Interface Characteristics. This chapter defines the types of Catalyst 2960, 2960-S, and 2960-C interfaces and describes how to configure them. Unless otherwise noted, the term switch refers to a standalone switch and a switch stack.
  • Page 338: Switch Ports

    Configuring Interface Characteristics: Understanding Interface Types. Note: Stacking is supported only on Catalyst 2960-S switches running the LAN base image. Port-Based VLANs: A VLAN is a switched network that is logically segmented by function, team, or application, without regard to the physical location of the users. For more information about VLANs, see Chapter 13, “Configuring VLANs.”...
  • Page 339: Switch Virtual Interfaces

    Catalyst 6500 series switch. The Catalyst 2960, 2960-S or 2960-C switch cannot be a VMPS server. You can also configure an access port with an attached Cisco IP Phone to use one VLAN for voice traffic and another VLAN for data traffic from a device attached to the phone. For more information about voice VLAN ports, see Chapter 15, “Configuring Voice VLAN.”...
  • Page 340: EtherChannel Port Groups

    Most protocols operate over either single ports or aggregated switch ports and do not recognize the physical ports within the port group. The DTP, the Cisco Discovery Protocol (CDP), and the Port Aggregation Protocol (PAgP) operate only on physical ports.
  • Page 341 CDP messages for an agreed power-consumption level. The negotiation allows a high-power Cisco powered device, which consumes more than 7 W, to operate at its highest power mode. The powered device first boots up in low-power mode, consumes less than 7 W, and negotiates to obtain enough power to operate in high-power mode.
  • Page 342 AC adaptor. After device detection, the switch determines the device power requirements based on its type:
    • A Cisco prestandard powered device does not provide its power requirement when the switch detects it, so a switch that does not support PoE+ allocates 15.4 W as the initial allocation for power budgeting;...
  • Page 343: Power Management Modes

    LEDs. In a Catalyst 2960-S switch stack, the PoE feature operates the same whether or not the switch is a stack member. The power budget is per-switch and independent of any other switch in the stack. Election of a new stack master does not affect PoE operation.
  • Page 344 The switch also uses the power policing feature to police the power usage. Power monitoring is backward-compatible with Cisco intelligent power management and CDP-based power consumption. It works with these features to ensure that the PoE port can supply power to the powered device.
  • Page 345 6.3 W. If the CDP-power negotiated value or the IEEE classification value exceeds the configured cutoff value, the switch does not provide power to the connected device. After the switch turns on power to the...
  • Page 346 12-36. PoE Uplinks and PoE Pass-Through Capability: The Catalyst 2960-C compact switch can receive power on the two uplink Gigabit Ethernet ports from a PoE- or PoE+-capable switch (for example, a Catalyst 3750-X or 3560-X switch). The switch can also receive power from an AC power source when you use the auxiliary power input.
  • Page 347 Note: Only Catalyst 2960-C switches support Universal Power over Ethernet. Universal Power over Ethernet (UPoE) is a Cisco proprietary technology that extends the IEEE 802.3at PoE standard to provide the capability to source up to 60 W of power over standard Ethernet cabling infrastructure (Class D or better).
  • Page 348
    Switch(config)# [no] lldp run
    Switch(config)# [no] cdp run
    Note: The Power Device (PD) and Power Source Equipment (PSE) should run the same power negotiation protocol to negotiate power.
  • Page 349: Connecting Interfaces

    Using the Switch USB Ports. Note: USB ports are supported only on Catalyst 2960-S and 2960-C switches. The Catalyst 2960-S and Catalyst 2960-C Gigabit Ethernet switches have two USB ports on the front panel:
    • USB Mini-Type B Console Port, page 12-14
    • USB Type A Port, page 12-16
  • Page 350
    1 00:20:48.635: %USB_CONSOLE-6-MEDIA_RJ45: Console media-type is RJ45.
    You can configure the console type to always be RJ-45, and you can configure an inactivity timeout for the USB connector.
  • Page 351 Note: The configured inactivity timeout applies to all switches in a stack. However, a timeout on one switch does not cause a timeout on other switches in the stack.
  • Page 352 The USB Type A port provides access to external USB flash devices, also known as thumb drives or USB keys. The switch supports Cisco 64 MB, 256 MB, 512 MB and 1 GB flash drives. You can use standard Cisco IOS command-line interface (CLI) commands to read, write, erase, and copy to or from the flash device.
  • Page 353 Chapter 12, Configuring Interface Characteristics: Using the Switch USB Ports. This example configures the switch to boot from the Catalyst 2960-S flash device. The image is the Catalyst 2960-S LAN base image.
    Switch# configure terminal
    Switch(config)# boot system flash usbflash0: c2960s-lanbase-mz
    To disable booting from flash, enter the no form of the command.
  • Page 354: Using Interface Configuration Mode

    12-20). To configure a physical interface (port) on a Catalyst 2960 or 2960-C switch or a Catalyst 2960-S switch running the LAN Lite image, specify the interface type, module number, and switch port number, and enter interface configuration mode. To configure a port on a Catalyst 2960-S switch running the LAN base image (supporting stacking), specify the interface type, stack member number, module number, and switch port number, and enter interface configuration mode.
  • Page 355: Procedures For Configuring Interfaces

    Using Interface Configuration Mode: This example identifies an interface on a Catalyst 2960 or 2960-C switch or a Catalyst 2960-S switch running the LAN Lite image:
    • To configure 10/100/1000 port 4, enter this command:...
  • Page 356: Configuring A Range Of Interfaces

    Note: Although the command-line interface shows options to set multiple VLANs, these options are not supported on Catalyst 2960 and 2960-S switches.
    – gigabitethernet stack member/module/{first port} - {last port}, where the module is always 0
    – fastethernet module/{first port} - {last port}, where the module is always 0
  • Page 357: Configuring And Using Interface Range Macros

    • The macro_name is a 32-character maximum character string.
    • A macro can contain up to five comma-separated interface ranges.
    • Each interface-range must consist of the same port type.
  • Page 358
    Switch# configure terminal
    Switch(config)# define interface-range enet_list gigabitethernet1/0/1 - 2
    Switch(config)# end
    Switch# show running-config | include define
    define interface-range enet_list gigabitethernet1/0/1 - 2
    Switch#
  • Page 359: Understanding The Ethernet Management Port

    Switch# show run | include define
    Switch#
    Using the Ethernet Management Port (Catalyst 2960-S Only). Note: The Ethernet management port is not supported on Catalyst 2960 switches.
    • Understanding the Ethernet Management Port, page 12-23
    • Supported Features on the Ethernet Management Port, page 12-24
  • Page 360: Supported Features On The Ethernet Management Port

    In a Catalyst 2960-S stack, all the Ethernet management ports on the stack members are connected to a hub to which the PC is connected. As shown in Figure 12-3, the active link is from the Ethernet management port on the stack master (switch 2) through the hub, to the PC.
  • Page 361: Configuring The Ethernet Management Port

    Clears the statistics for the Ethernet management port.
    mgmt_init: Starts the Ethernet management port.
    mgmt_show: Displays the statistics for the Ethernet management port.
    ping host_ip_address: Sends ICMP ECHO_REQUEST packets to the specified network host.
  • Page 362: Configuring Ethernet Interfaces

    Loads and boots an executable image from the TFTP server and enters the command-line interface. For more details, see the command reference for this release.
    copy tftp:/source-file-url filesystem:/destination-file-location: Copies a Cisco IOS image from the TFTP server to the specified location. For more details, see the command reference for this release.
  • Page 363: Setting The Type Of A Dual-Purpose Uplink Port

    This procedure is optional.
    Step 1: configure terminal. Enter global configuration mode.
    Step 2: interface interface-id. Specify the dual-purpose uplink port to be configured, and enter interface configuration mode.
  • Page 364 If the link goes down, the switch disables the RJ-45 side and selects the SFP module interface.
    • When the 100BASE-x SFP module is removed, the switch again dynamically selects the type (auto-select) and re-enables the RJ-45 side.
  • Page 365: Configuring Interface Speed And Duplex Mode

    The port LED is amber while STP reconfigures. Caution: Changing the interface speed and duplex mode configuration might shut down and re-enable the interface during the reconfiguration.
  • Page 366: Setting The Interface Speed And Duplex Parameters

    Switch(config-if)# duplex half
    This example shows how to set the interface speed to 100 Mb/s on a 10/100/1000 Mb/s port:
    Switch# configure terminal
    Switch(config)# interface gigabitethernet1/0/2
    Switch(config-if)# speed 100
  • Page 367: Configuring IEEE 802.3x Flow Control

    To disable flow control, use the flowcontrol receive off interface configuration command. This example shows how to turn on flow control on a port:
    Switch# configure terminal
    Switch(config)# interface gigabitethernet1/0/1
    Switch(config-if)# flowcontrol receive on
    Switch(config-if)# end
  • Page 368: Configuring Auto-MDIX On An Interface

    To disable auto-MDIX, use the no mdix auto interface configuration command. This example shows how to enable auto-MDIX on a port:
    Switch# configure terminal
    Switch(config)# interface gigabitethernet1/0/1
    Switch(config-if)# speed auto
    Switch(config-if)# duplex auto
    Switch(config-if)# mdix auto
  • Page 369 The switch repowers the port only if the powered device is a Class 1, Class 2, or a Cisco-only powered device. Beginning in privileged EXEC mode, follow these steps to configure a power management mode on a...
  • Page 370 (CDP) to determine the actual power consumption of the devices, and the switch adjusts the power budget accordingly. The CDP protocol works with Cisco powered devices and does not apply to IEEE third-party powered devices. For these devices, when the switch grants a power request, the switch adjusts the power budget according to the powered-device IEEE classification.
  • Page 371 Step 6: copy running-config startup-config. (Optional) Save your entries in the configuration file. To return to the default setting, use the no power inline consumption default global configuration command.
  • Page 372 PoE port:
    Step 1: configure terminal. Enter global configuration mode.
    Step 2: interface interface-id. Specify the physical port to be configured, and enter interface configuration mode.
  • Page 373 Configuring Catalyst PoE and PoE Pass-Through Ports on Compact Switches: You can configure the power management, budgeting, and policing on the Catalyst 2960-C compact switch PoE ports the same as with any other PoE switch.
  • Page 374 This is an example of output from the show power inline command on a C2960CPD-8TT switch:
    Switch# show power inline
    Available:0.0(w)  Used:0.0(w)  Remaining:0.0(w)
    Interface Admin  Oper       Power   Device              Class Max
                                (Watts)
    --------- ------ ---------- ------- ------------------- ----- ----
  • Page 375: Adding A Description For An Interface

    Enter configuration commands, one per line. End with CNTL/Z.
    Switch(config)# interface gigabitethernet1/0/2
    Switch(config-if)# description Connects to Marketing
    Switch(config-if)# end
    Switch# show interfaces gigabitethernet1/0/2 description
    Interface Status         Protocol Description
    Gi1/0/2   admin down     down     Connects to Marketing
  • Page 376: Configuring The System MTU

    You can increase the MTU size to support jumbo frames on all Gigabit Ethernet interfaces by using the system mtu jumbo global configuration command.
  • Page 377
    Switch(config)# system mtu jumbo 1800
    Switch(config)# exit
    Switch# reload
    This example shows the response when you try to set Gigabit Ethernet interfaces to an out-of-range number:
    Switch(config)# system mtu jumbo 25000
  • Page 378: Monitoring And Maintaining The Interfaces

    (You can display the full list of show commands by using the show ? command at the privileged EXEC prompt.) These commands are fully described in the Cisco IOS Interface Command Reference, Release 12.4 from Cisco.com. Table 12-6...
  • Page 379: Clearing And Resetting Interfaces And Counters

    interface-id} | {port-channel port-channel-number}: Select the interface to be configured.
    Step 3: shutdown. Shut down an interface.
    Step 4: Return to privileged EXEC mode.
    Step 5: show running-config. Verify your entry.
  • Page 380 Monitoring and Maintaining the Interfaces
  • Page 381: Configuring Vlans

    VLAN assignment from a VLAN Membership Policy Server (VMPS). Unless otherwise noted, the term switch refers to a standalone switch and a switch stack. Stacking is supported only on Catalyst 2960-S switches running the LAN base image.

    Note: For complete syntax and usage information for the commands used in this chapter, see the command reference for this release.
  • Page 382: Supported Vlans

    VTP transparent mode when you create VLAN IDs from 1006 to 4094. Cisco IOS Release 12.2(52)SE and later support VTP version 3. VTP version 3 supports the entire VLAN range (VLANs 1 to 4094). Extended range VLANs (VLANs 1006 to 4094) are supported only in VTP version 3.
  • Page 383: Vlan Port Membership Modes

    For information about configuring trunk ports, see “Configuring an Ethernet Interface as a Trunk Port” section on page 13-15.
  • Page 384 EXEC command. The vlan.dat file is stored in flash memory on the stack master. Stack members have a vlan.dat file that is consistent with the stack master.
  • Page 385

    • Default Ethernet VLAN Configuration, page 13-7
    • Creating or Modifying an Ethernet VLAN, page 13-8
    • Deleting a VLAN, page 13-9
    • Assigning Static-Access Ports to a VLAN, page 13-10
  • Page 386: Token Ring Vlans

    IEEE 802.1s Multiple STP (MSTP) on your switch to map multiple VLANs to a single spanning-tree instance. For more information about MSTP, see Chapter 17, “Configuring MSTP.”
  • Page 387: Configuring Normal-Range Vlans

    Note: Stacking is supported only on Catalyst 2960-S switches running the LAN base image.

    Configuring Normal-Range VLANs

    You configure VLANs by entering a VLAN ID with the vlan global configuration command. Enter a new VLAN ID to create a VLAN, or enter an existing VLAN ID to modify that VLAN.
  • Page 388: Creating Or Modifying An Ethernet Vlan

    (Optional) Enter a name for the VLAN. If no name is entered for the VLAN, the default is to append the vlan-id with leading zeros to the word VLAN. For example, VLAN0004 is a default VLAN name for VLAN 4.
  • Page 389: Deleting A Vlan

    (Optional) If the switch is in VTP transparent mode, the VLAN configuration is saved in the running configuration file as well as in the VLAN database. This saves the configuration in the switch startup configuration file.
  • Page 390: Assigning Static-Access Ports To A Vlan

    This example shows how to configure a port as an access port in VLAN 2:

    Switch# configure terminal
    Enter configuration commands, one per line. End with CNTL/Z.
    Switch(config)# interface gigabitethernet2/0/1
    Switch(config-if)# switchport mode access
    Switch(config-if)# switchport access vlan 2
    Switch(config-if)# end
  • Page 391: Default Vlan Configuration

    VTP transparent mode. Otherwise, you lose the extended-range VLAN configuration if the switch resets. If you create extended-range VLANs in VTP version 3, you cannot convert to VTP version 1 or 2.
  • Page 392 “Configuring a VLAN as an RSPAN VLAN” section on page 27-18. RSPAN is supported only if the switch is running the LAN Base image.
    Step 6  Return to privileged EXEC mode.
  • Page 393: Displaying Vlans

    • Default Layer 2 Ethernet Interface VLAN Configuration, page 13-15
    • Configuring an Ethernet Interface as a Trunk Port, page 13-15
    • Configuring Trunk Ports for Load Sharing, page 13-20
  • Page 394: Trunking Overview

    Prevents the interface from generating DTP frames. You can use this command only when the interface switchport mode is access or trunk. You must manually configure the neighboring interface as a trunk interface to establish a trunk link.
  • Page 395: Default Layer 2 Ethernet Interface Vlan Configuration

    VLAN allowed on the trunks. Non-Cisco devices might support one spanning-tree instance for all VLANs. When you connect a Cisco switch to a non-Cisco device through an IEEE 802.1Q trunk, the Cisco switch combines the spanning-tree instance of the VLAN of the trunk with the spanning-tree instance of the non-Cisco IEEE 802.1Q switch.
  • Page 396: Interaction With Other Features

    (Optional) Specify the default VLAN, which is used if the interface stops trunking.
    Step 5  switchport trunk native vlan vlan-id  Specify the native VLAN for IEEE 802.1Q trunks.
    Step 6  Return to privileged EXEC mode.
  • Page 397: Defining The Allowed Vlans On A Trunk

    VLANs from the allowed list.

    Note: VLAN 1 is the default VLAN on all trunk ports in all Cisco switches, and it has previously been a requirement that VLAN 1 always be enabled on every trunk link. You can use the VLAN 1 minimization feature to disable VLAN 1 on any individual VLAN trunk link so that no user traffic (including spanning-tree advertisements) is sent or received on VLAN 1.
  • Page 398: Changing The Pruning-Eligible List

    Purpose
    Step 1  configure terminal  Enter global configuration mode.
    Step 2  interface interface-id  Select the trunk port for which VLANs should be pruned, and enter interface configuration mode.
  • Page 399: Configuring The Native Vlan For Untagged Traffic

    Step 5  show interfaces interface-id switchport  Verify your entries in the Trunking Native Mode VLAN field.
    Step 6  copy running-config startup-config  (Optional) Save your entries in the configuration file.
  • Page 400: Configuring Trunk Ports For Load Sharing

    [Figure residue (load-sharing topology): Trunk 1; VLANs 3–6 (priority 16); VLANs 8–10 (priority 16); VLANs 8–10 (priority 128); VLANs 3–6 (priority 128); Switch B]
  • Page 401 “Load Sharing Using STP Path Cost” section on page 13-22. Stacking is supported only on Catalyst 2960-S switches running the LAN base image. Beginning in privileged EXEC mode, follow these steps to configure the network shown in Figure 13-2.
  • Page 402
    Step 8  show vlan  When the trunk links come up, Switch A receives the VTP information from the other switches. Verify that Switch A has learned the VLAN configuration.
  • Page 403: Configuring Vmps

    • If the host is allowed on the port, the VMPS sends the client a vlan-assignment response containing the assigned VLAN name and allowing access to the host.
  • Page 404 20 MAC addresses are allowed per port on the switch. A dynamic-access port can belong to only one VLAN at a time, but the VLAN can change over time, depending on the MAC addresses seen.
  • Page 405: Default Vmps Client Configuration

    • The VLAN configured on the VMPS server should not be a voice VLAN.

    Configuring the VMPS Client

    You configure dynamic VLANs by using the VMPS (server). The switch can be a VMPS client; it cannot be a VMPS server.
  • Page 406 Configure the port as eligible for dynamic VLAN membership. The dynamic-access port must be connected to an end station.
    Step 5  Return to privileged EXEC mode.
  • Page 407
    Step 5  copy running-config startup-config  (Optional) Save your entries in the configuration file.

    To return the switch to its default setting, use the no vmps reconfirm global configuration command.
  • Page 408: Monitoring The Vmps

    VQP Client Status:
    --------------------
    VMPS VQP Version:
    Reconfirm Interval:   60 min
    Server Retry Count:   3
    VMPS domain server:   172.20.128.86 (primary, current)
                          172.20.128.87

    Reconfirmation status
    ---------------------
    VMPS Action:          other
  • Page 409: Vmps Configuration Example

    End stations are connected to the clients, Switch B and Switch I.
    • The database configuration file is stored on the TFTP server with the IP address 172.20.22.7.
  • Page 410 [Figure residue (VMPS configuration example): Switch F 172.20.26.156; Switch G 172.20.26.157; Switch H; Client switch I; Dynamic-access port 172.20.26.158; station 2; Trunk port 172.20.26.159; Catalyst 6500 series Secondary VMPS Switch J Server 3]
  • Page 411 This chapter describes how to use the VLAN Trunking Protocol (VTP) and the VLAN database for managing VLANs with the Catalyst 2960, 2960-S or 2960-C switches. Unless otherwise noted, the term switch refers to a standalone switch and a switch stack.
  • Page 412: The Vtp Domain

    The switch supports up to 64 VLANs when it is running the LAN Lite image.

    Note: VTP version 1 and version 2 support only normal-range VLANs (VLAN IDs 1 to 1005). Cisco IOS Release 12.2(52)SE and later support VTP version 3. VTP version 3 supports the entire VLAN range (VLANs 1 to 4094).
  • Page 413: Vtp Modes

    In VTP versions 1 and 2, in VTP client mode, VLAN configurations are not saved in NVRAM. In VTP version 3, VLAN configurations are saved in NVRAM in client mode.
  • Page 414: Vlan

    • MD5 digest
    • VLAN configuration, including maximum transmission unit (MTU) size for each VLAN.
    • Frame format

    VTP advertisements distribute this VLAN information for each configured VLAN:
    • VLAN IDs (IEEE 802.1Q)
    • VLAN name
    • VLAN type
  • Page 415: Vtp Version 2

    VTP version 3 to version 1 or 2.

    Note: VTP pruning still applies only to VLANs 1 to 1005, and VLANs 1002 to 1005 are still reserved and cannot be modified.

    • Private VLAN support.
  • Page 416: Vtp Pruning

    Switch D are assigned to the Red VLAN. If a broadcast is sent from the host connected to Switch A, Switch A floods the broadcast and every switch in the network receives it, even though Switches C, E, and F have no ports in the Red VLAN.
  • Page 417 VTP pruning does not prune traffic from VLANs that are pruning-ineligible. VLAN 1 and VLANs 1002 to 1005 are always pruning-ineligible; traffic from these VLANs cannot be pruned. Extended-range VLANs (VLAN IDs higher than 1005) are also pruning-ineligible.
  • Page 418: Vtp And Switch Stacks

    Stacking is supported only on Catalyst 2960-S switches running the LAN base image.

    Note: VTP configuration is the same in all members of a switch stack. When the switch stack is in VTP server or client mode, all switches in the stack carry the same VTP configuration.
  • Page 419: Default Vtp Configuration

    • If the VTP mode or the domain name in the startup configuration does not match the VLAN database, the domain name and the VTP mode and configuration for the first 255 VLANs use the VLAN database information.
  • Page 420 VTP packets so that the VTP version 2 switch can update its database.
    • A switch running VTP version 3 cannot move to version 1 or 2 if it has extended VLANs.
  • Page 421: Configuring Vtp Mode

    • When a switch is in VTP client mode, you cannot change its VLAN configuration. The client switch receives VTP updates from a VTP server in the VTP domain and then modifies its configuration accordingly.
  • Page 422 If the switch has a trunk connection to a VTP domain, the switch learns the domain name from the VTP server in the domain. You should configure the VTP domain before configuring other VTP parameters.
  • Page 423

    Setting VTP domain name to eng_group.
    Switch(config)# vtp mode server
    Setting device to VTP Server mode for VLANS.
    Switch(config)# vtp password mypassword
    Setting device VLAN database password to mypassword.
    Switch(config)# end
  • Page 424
    • (Optional) force—Entering force overwrites the configuration of any conflicting servers. If you do not enter force, you are prompted for confirmation before the takeover.
  • Page 425: Enabling The Vtp Version

    Token Ring VLAN switching to function properly. For Token Ring and Token Ring-Net media, VTP version 2 must be disabled.
    • VTP version 3 is supported on switches running Cisco IOS Release 12.2(52)SE or later.
    • In VTP version 3, both the primary and secondary servers can exist on an instance in the domain.
  • Page 426: Enabling Vtp Pruning

    Enter global configuration mode.
    Step 2  interface interface-id  Identify an interface, and enter interface configuration mode.
    Step 3  Enable VTP on the specified port.
    Step 4  Return to privileged EXEC mode.
  • Page 427: Adding A Vtp Client Switch To A Vtp Domain

    (Optional) Verify that the domain name is the same as in Step 1 and that the configuration revision number is 0. After resetting the configuration revision number, add the switch to the VTP domain.
  • Page 428: Monitoring Vtp

    Display the VTP password. The form of the password displayed depends on whether or not the hidden keyword was entered and if encryption is enabled on the switch.
    show vtp status  Display the VTP switch configuration information.
  • Page 429 The voice VLAN feature enables access ports to carry IP voice traffic from an IP phone. When the switch is connected to a Cisco 7960 IP Phone, the phone sends voice traffic with Layer 3 IP precedence and Layer 2 class of service (CoS) values, which are both set to 5 by default. Because the sound quality of an IP phone call can deteriorate if the data is unevenly sent, the switch supports quality of service (QoS) based on IEEE 802.1p CoS.
  • Page 430: Cisco Ip Phone Voice Traffic

    You can configure an access port with an attached Cisco IP Phone to use one VLAN for voice traffic and another VLAN for data traffic from a device attached to the phone. You can configure access ports on...
  • Page 431: Default Voice Vlan Configuration

    For more information, see Chapter 33, “Configuring QoS.”
    • You must enable CDP on the switch port connected to the Cisco IP Phone to send the configuration to the phone. (CDP is globally enabled by default on all switch interfaces.)
    • The Port Fast feature is automatically enabled when voice VLAN is configured.
  • Page 432: Configuring A Port Connected To A Cisco 7960 Ip Phone

    • If the Cisco IP Phone and a device attached to the phone are in the same VLAN, they must be in the same IP subnet. These conditions indicate that they are in the same VLAN: –...
  • Page 433 Configuring Cisco IP Phone Voice Traffic

    You can configure a port connected to the Cisco IP Phone to send CDP packets to the phone to configure the way in which the phone sends voice traffic. The phone can carry voice traffic in IEEE 802.1Q frames for a specified voice VLAN with a Layer 2 CoS value.
  • Page 434 Note: You can connect a PC or other data device to a Cisco IP Phone port. To process tagged data traffic (in IEEE 802.1Q or IEEE 802.1p frames), you can configure the switch to send CDP packets to instruct the phone how to send data packets from the device attached to the access port on the Cisco IP Phone.
  • Page 435: Displaying Voice Vlan

    To display voice VLAN configuration for an interface, use the show interfaces interface-id switchport privileged EXEC command.
  • Page 437: Configuring Stp

    This chapter describes how to configure the Spanning Tree Protocol (STP) on port-based VLANs on the Catalyst 2960, 2960-S, and 2960-C switch. The switch can use either the per-VLAN spanning-tree plus (PVST+) protocol based on the IEEE 802.1D standard and Cisco proprietary extensions, or the rapid per-VLAN spanning-tree plus (rapid-PVST+) protocol based on the IEEE 802.1w standard.
  • Page 438: Stp Overview

    The path cost value represents the media speed.
  • Page 439 When selecting the root port on a switch stack, spanning tree follows this sequence:
    – Selects the lowest root bridge ID
    – Selects the lowest path cost to the root switch
  • Page 440 VLAN. Each VLAN on the switch has a unique 8-byte bridge ID. The 2 most-significant bytes are used for the switch priority, and the remaining 6 bytes are derived from the switch MAC address.
  • Page 441 An interface moves through these states:
    • From initialization to blocking
    • From blocking to listening or to disabled
    • From listening to learning or to disabled
  • Page 442 An interface always enters the blocking state after switch initialization. An interface in the blocking state performs these functions:
    • Discards frames received on the interface
    • Discards frames switched from another interface for forwarding
  • Page 443: Listening State

    A disabled interface performs these functions:
    • Discards frames received on the interface
    • Discards frames switched from another interface for forwarding
    • Does not learn addresses
    • Does not receive BPDUs
  • Page 444: How A Switch Or Port Becomes The Root Switch Or Root Port

    If the speeds are the same, the port priority and port ID are added together, and spanning tree disables the link with the lowest value.
  • Page 445: Accelerated Aging To Retain Connectivity

    A spanning-tree reconfiguration on one VLAN can cause the dynamic addresses learned on that VLAN to be subject to accelerated aging. Dynamic addresses on other VLANs can be unaffected and remain subject to the aging interval entered for the switch.
  • Page 446 Spanning-Tree Modes and Protocols

    The switch supports these spanning-tree modes and protocols:
    • PVST+—This spanning-tree mode is based on the IEEE 802.1D standard and Cisco proprietary extensions. It is the default spanning-tree mode used on all Ethernet port-based VLANs. The PVST+ runs on each VLAN on the switch up to the maximum supported, ensuring that each has a loop-free path through the network.
  • Page 447 VLAN allowed on the trunks. When you connect a Cisco switch to a non-Cisco device through an IEEE 802.1Q trunk, the Cisco switch uses PVST+ to provide spanning-tree interoperability. If rapid PVST+ is enabled, the switch uses it instead of PVST+.
  • Page 448: Spanning Tree And Switch Stacks

    • Configuring Port Priority, page 16-18 (optional)
    • Configuring Path Cost, page 16-20 (optional)
    • Configuring the Switch Priority of a VLAN, page 16-21 (optional)
    • Configuring Spanning-Tree Timers, page 16-22 (optional)
  • Page 449: Default Spanning-Tree Configuration

    VLAN that have a running spanning-tree instance can break loops. Therefore, spanning tree must be running on enough switches to break all the loops in the network; for example, at least one...
  • Page 450 “Optional Spanning-Tree Configuration Guidelines” section on page 18-12.

    Caution: Loop guard works only on point-to-point links. We recommend that each end of the link has a directly connected device that is running STP.
  • Page 451: Changing The Spanning-Tree Mode

    To return to the default setting, use the no spanning-tree mode global configuration command. To return the port to its default setting, use the no spanning-tree link-type interface configuration command.
  • Page 452: Disabling Spanning Tree

    ID support will become the root switch. The extended system ID increases the switch priority value every time the VLAN number is greater than the priority of the connected switches running older software.
  • Page 453
    Step 5  copy running-config startup-config  (Optional) Save your entries in the configuration file.

    To return to the default setting, use the no spanning-tree vlan vlan-id root global configuration command.
  • Page 454: Configuring A Secondary Root Switch

    (higher numerical values) that you want selected last. If all interfaces have the same priority value, spanning tree puts the interface with the lowest interface number in the forwarding state and blocks the other interfaces.
  • Page 455 Note: The show spanning-tree interface interface-id privileged EXEC command displays information only if the port is in a link-up operative state. Otherwise, you can use the show running-config interface privileged EXEC command to confirm the configuration.
  • Page 456: Configuring Path Cost

    Return to privileged EXEC mode.
    Step 6  show spanning-tree interface interface-id  Verify your entries.
            show spanning-tree vlan vlan-id
    Step 7  copy running-config startup-config  (Optional) Save your entries in the configuration file.
  • Page 457: Configuring The Switch Priority Of A Vlan

    Step 5  copy running-config startup-config  (Optional) Save your entries in the configuration file.

    To return to the default setting, use the no spanning-tree vlan vlan-id priority global configuration command.
  • Page 458: Configuring Spanning-Tree Timers

    Step 5  copy running-config startup-config  (Optional) Save your entries in the configuration file.

    To return to the default setting, use the no spanning-tree vlan vlan-id hello-time global configuration command.
  • Page 459
    Step 5  copy running-config startup-config  (Optional) Save your entries in the configuration file.

    To return to the default setting, use the no spanning-tree vlan vlan-id max-age global configuration command.
  • Page 460 You can clear spanning-tree counters by using the clear spanning-tree [interface interface-id] privileged EXEC command. For information about other keywords for the show spanning-tree privileged EXEC command, see the command reference for this release.
  • Page 463 Chapter: Configuring MSTP

    This chapter describes how to configure the Cisco implementation of the IEEE 802.1s Multiple STP (MSTP) on the Catalyst 2960, 2960-S, or 2960-C switch. The multiple spanning-tree (MST) implementation is based on the IEEE 802.1s standard.

    Note: The MST implementations in Cisco IOS releases earlier than Cisco IOS Release 12.2(25)SED are prestandard.
  • Page 464: Understanding Mstp

    65 spanning-tree instances. Instances can be identified by any number in the range from 0 to 4094. You can assign a VLAN to only one spanning-tree instance at a time.
  • Page 465 IST information, they leave their old subregions and join the new subregion that contains the true CIST regional root. Thus all subregions shrink, except for the one that contains the true CIST regional root.
  • Page 466: Operations Between Mst Regions

    Only the CST instance sends and receives BPDUs, and MST instances add their spanning-tree information into the BPDUs to interact with neighboring switches and compute the final spanning-tree topology. Because of this, the spanning-tree parameters related to BPDU transmission (for example, ...
  • Page 467: Hop Count

    IEEE 802.1D switches. MSTP switches use MSTP BPDUs to communicate with MSTP switches.

    IEEE 802.1s Terminology

    Some MST naming conventions used in Cisco’s prestandard implementation have been changed to identify some internal or regional parameters. These parameters are significant only within an MST region, as opposed to external parameters that are relevant to the whole network.
  • Page 468: Boundary Ports

    The primary change from the Cisco prestandard implementation is that a designated port is not defined as boundary, unless it is running in an STP-compatible mode.
  • Page 469 The boundary role is no longer in the final MST standard, but this boundary concept is maintained in Cisco’s implementation. However, an MST instance port at a boundary of the region might not follow the state of the corresponding CIST port. Two cases exist now: The boundary port is the root port of the CIST regional root—When the CIST instance port is...
  • Page 470: Mstp And Switch Stacks

    Detecting Unidirectional Link Failure

    This feature is not yet present in the IEEE MST standard, but it is included in this Cisco IOS release. The software checks the consistency of the port role and state in the received BPDUs to detect unidirectional link failures that could cause bridging loops.
  • Page 471: Understanding Rstp

    LAN segment.
    • Disabled port—Has no role within the operation of the spanning tree.
  • Page 472: Rapid Convergence

    Disabled  Disabled  Discarding

    To be consistent with Cisco STP implementations, this guide defines the port state as blocking instead of discarding. Designated ports start in the listening state.

    Rapid Convergence

    The RSTP provides for rapid recovery of connectivity following the failure of a switch, a switch port, or a LAN.
  • Page 473: Synchronization Of Port Roles

    RSTP forces it to synchronize with new root information. In general, when the RSTP forces a port to synchronize with root information and the port does not satisfy any of the above conditions, its port state is set to blocking.
  • Page 474: Bridge Protocol Data Unit Format And Processing

    RSTP flag fields.

    Table 17-3  RSTP BPDU Flags

    Bit   Function
    0     Topology change (TC)
    1     Proposal
    2–3:  Port role:
            00  Unknown
            01  Alternate port
            10  Root port
            11  Designated port
    4     Learning
    5     Forwarding
    6     Agreement
    7     Topology change acknowledgement (TCA)
  • Page 475: Topology Changes

    IEEE 802.1D switch and a configuration BPDU with the TCA bit set is received, the TC-while timer is reset. This behavior is only required to support IEEE 802.1D switches. The RSTP BPDUs never have the TCA bit set.
  • Page 476: Configuring Mstp Features

    Spanning-tree mode: PVST+ (Rapid PVST+ and MSTP are disabled).
    Switch priority (configurable on a per-CIST port basis): 32768.
    Spanning-tree port priority (configurable on a per-CIST port basis): 128.
  • Page 477: Mstp Configuration Guidelines

    Spanning-Tree Instances” section on page 16-10.

    MSTP Configuration Guidelines

    Note: Stacking is supported only on Catalyst 2960-S switches running the LAN base image.

    These are the configuration guidelines for MSTP:
    • When you enable MST by using the spanning-tree mode mst global configuration command, RSTP...
  • Page 478: Specifying The Mst Region Configuration And Enabling Mstp

    1-63 maps VLANs 1 through 63 to MST instance 1. To specify a VLAN series, use a comma; for example, instance 1 vlan 10, 20, 30 maps VLANs 10, 20, and 30 to MST instance 1.
  • Page 479 Switch(config-mst)# instance 1 vlan 10-20 Switch(config-mst)# name region1 Switch(config-mst)# revision 1 Switch(config-mst)# show pending Pending MST configuration Name [region1] Revision Instance Vlans Mapped -------- --------------------- 1-9,21-4094 10-20 ------------------------------- Switch(config-mst)# exit Switch(config)#
  • Page 480: Configuring The Root Switch

    Note After configuring the switch as the root switch, we recommend that you avoid manually configuring the hello time, forward-delay time, and maximum-age time through the spanning-tree mst hello-time, spanning-tree mst forward-time, and the spanning-tree mst max-age global configuration commands.
  • Page 481: Configuring A Secondary Root Switch

    You can execute this command on more than one switch to configure multiple backup root switches. Use the same network diameter and hello-time values that you used when you configured the primary root switch with the spanning-tree mst instance-id root primary global configuration command.
  • Page 482: Configuring Port Priority

    For more information, see the “Configuring Path Cost” section on page 17-22. Stacking is supported only on Catalyst 2960-S switches running the LAN base image.
  • Page 483 Otherwise, you can use the show running-config interface privileged EXEC command to confirm the configuration. To return the interface to its default setting, use the no spanning-tree mst instance-id port-priority interface configuration command.
  • Page 484 Otherwise, you can use the show running-config privileged EXEC command to confirm the configuration. To return the interface to its default setting, use the no spanning-tree mst instance-id cost interface configuration command.
  • Page 485: Configuring The Switch Priority

    You can configure the switch priority and make it more likely that a standalone switch or a switch in the stack will be chosen as the root switch. Note Stacking is supported only on Catalyst 2960-S switches running the LAN base image. Note Exercise care when using this command. For most situations, we recommend that you use the spanning-tree mst instance-id root primary and the spanning-tree mst instance-id root secondary global configuration commands to modify the switch priority.
  • Page 486: Configuring The Hello Time

    (Optional) Save your entries in the configuration file. To return the switch to its default setting, use the no spanning-tree mst forward-time global configuration command.
  • Page 487: Configuring The Maximum-Aging Time

    RSTP negotiates a rapid transition with the other port by using the proposal-agreement handshake to ensure a loop-free topology as described in the “Rapid Convergence” section on page 17-10.
  • Page 488: Designating The Neighbor Type

    (Optional) Save your entries in the configuration file. To return the port to its default setting, use the no spanning-tree mst prestandard interface configuration command.
  • Page 489: Restarting The Protocol Migration Process

    Displays MST information for the specified interface. For information about other keywords for the show spanning-tree privileged EXEC command, see the command reference for this release.
  • Page 490 Chapter 17 Configuring MSTP Displaying the MST Configuration and Status
  • Page 491 C H A P T E R Configuring Optional Spanning-Tree Features This chapter describes how to configure optional spanning-tree features on the Catalyst 2960, 2960-S, or 2960-C switch. You can configure all of these features when your switch is running the per-VLAN spanning-tree plus (PVST+).
  • Page 492: Understanding Optional Spanning-Tree Features

    To prevent the port from shutting down, you can use the errdisable detect cause bpduguard shutdown vlan global configuration command to shut down just the offending VLAN on the port where the violation occurred.
  • Page 493: Understanding Bpdu Filtering

    Figure 18-2 shows a complex network where distribution switches and access switches each have at least one redundant link that spanning tree blocks to prevent loops.
  • Page 494 Switch B over link L1 and to Switch C over link L2. The Layer 2 interface on Switch C that is connected directly to Switch B is in a blocking state.
  • Page 495: Understanding Cross-Stack Uplinkfast

    Understanding Cross-Stack UplinkFast Note Stacking is supported only on Catalyst 2960-S switches running the LAN base image. For Catalyst 2960-S switches, the UplinkFast feature is the cross-stack UplinkFast feature. Cross-stack UplinkFast (CSUF) provides a fast spanning-tree transition (fast convergence in less than 1 second under normal network conditions) across a switch stack.
  • Page 496: How Csuf Works

    The switch sending the fast-transition request needs to do a fast transition to the forwarding state of a port that it has chosen as the root port, and it must obtain an acknowledgement from each stack switch before performing the fast transition.
  • Page 497: Understanding Backbonefast

    BPDU is a signal that the other switch might have lost its path to the root, and BackboneFast tries to find an alternate path to the root.
  • Page 498 When a stack member receives an RLQ reply from a nonstack member and the response is destined for the stack, the stack member forwards the reply so that all the other stack members receive it. Note Stacking is supported only on Catalyst 2960-S switches running the LAN base image. If the switch discovers that it still has an alternate path to the root, it expires the maximum aging time on the interface that received the inferior BPDU.
  • Page 499 (Switch B). The new switch begins sending inferior BPDUs that indicate it is the root switch. However, the other switches ignore these inferior BPDUs, and the new switch learns that Switch B is the designated switch to Switch A, the root switch.
  • Page 500: Understanding Etherchannel Guard

    MST instances. A boundary port is an interface that connects to a LAN, the designated switch of which is either an IEEE 802.1D switch or a switch with a different MST region configuration.
  • Page 501: Understanding Loop Guard

    MST instances. Configuring Optional Spanning-Tree Features • Default Optional Spanning-Tree Configuration, page 18-12 • Optional Spanning-Tree Configuration Guidelines, page 18-12 • Enabling Port Fast, page 18-12 (optional)
  • Page 502: Enabling Port Fast

  • Page 503: Enabling Bpdu Guard

    Fast-enabled port means an invalid configuration, such as the connection of an unauthorized device, and the BPDU guard feature puts the port in the error-disabled state. When this happens, the switch shuts down the entire port on which the violation occurred.
  • Page 504: Enabling Bpdu Filtering

    BPDUs. If a BPDU is received on a Port Fast-enabled interface, the interface loses its Port Fast-operational status, and BPDU filtering is disabled.
  • Page 505: Enabling Uplinkfast For Use With Redundant Links

    You can configure the UplinkFast or the CSUF feature for rapid PVST+ or for the MSTP, but the feature remains disabled (inactive) until you change the spanning-tree mode to PVST+.
  • Page 506 “Enabling UplinkFast for Use with Redundant Links” section on page 18-15. To disable UplinkFast on the switch and all its VLANs, use the no spanning-tree uplinkfast global configuration command.
  • Page 507: Enabling Backbonefast

    You can use the show interfaces status err-disabled privileged EXEC command to show which switch ports are disabled because of an EtherChannel misconfiguration. On the remote device, you can enter the show etherchannel summary privileged EXEC command to verify the EtherChannel configuration.
  • Page 508: Enabling Root Guard

    Note You cannot enable both loop guard and root guard at the same time. You can enable this feature if your switch is running PVST+, rapid PVST+, or MSTP.
  • Page 509 You can clear spanning-tree counters by using the clear spanning-tree [interface interface-id] privileged EXEC command. For information about other keywords for the show spanning-tree privileged EXEC command, see the command reference for this release.
  • Page 510 Chapter 18 Configuring Optional Spanning-Tree Features Displaying the Spanning-Tree Status
  • Page 511 Note Base image. This chapter describes how to configure Flex Links, a pair of interfaces on the Catalyst 2960, 2960-S, or 2960-C switch that provide a mutual backup. It also describes how to configure the MAC address-table move update feature, also referred to as the Flex Links bidirectional fast convergence feature.
  • Page 512: Flex Links

    If a primary (forwarding) link goes down, a trap notifies the network management stations. If the standby link goes down, a trap notifies the users. Flex Links are supported only on Layer 2 ports and port channels, not on VLANs.
  • Page 513: Vlan Flex Link Load Balancing And Support

    Flex Link port. To achieve faster convergence of traffic, both Flex Link ports are learned as mrouter ports whenever either Flex Link port is learned as the mrouter port. Both Flex Link ports are always part of multicast groups.
  • Page 514: Generating Igmp Reports

    Switch(config-if)# switchport mode trunk Switch(config-if)# end Switch# show interfaces switchport backup detail Switch Backup Interface Pairs: Active Interface Backup Interface State GigabitEthernet1/0/11 GigabitEthernet1/0/12 Active Up/Backup Standby Preemption Mode : off
  • Page 515 This output shows a querier for VLAN 1 and 401 with their queries reaching the switch through Gigabit Ethernet0/11: Switch# show ip igmp snooping querier Vlan IP Address IGMP Version Port -------------------------------------------------------------
  • Page 516 When switch C gets a MAC address-table move update message from switch A, switch C learns the MAC address of the PC on port 4. Switch C updates the MAC address table, including the forwarding table entry for the PC.
  • Page 517 • Configuration Guidelines, page 19-8 • Configuring Flex Links, page 19-9 • Configuring VLAN Load Balancing on Flex Links, page 19-11 • Configuring the MAC Address-Table Move Update Feature, page 19-12
  • Page 518 • You can enable and configure this feature on the access switch to send the MAC address-table move updates. • You can enable and configure this feature on the uplink switches to receive the MAC address-table move updates.
  • Page 519: Configuring Flex Links

    Specify the interface, and enter interface configuration mode. The interface can be a physical Layer 2 interface or a port channel (logical interface). The port-channel range is 1 to 6.
  • Page 520 Interface Pair : Gi1/0/1, Gi1/0/2 Preemption Mode : forced Preemption Delay : 50 seconds Bandwidth : 100000 Kbit (Gi1/0/1), 100000 Kbit (Gi1/0/2) Mac Address Move Update Vlan : auto
  • Page 521: Configuring Vlan Load Balancing On Flex Links

    When both interfaces are up, Gi2/0/8 forwards traffic for VLANs 60 and 100 to 120, and Gi0/6 forwards traffic for VLANs 1 to 50. Switch#show interfaces switchport backup Switch Backup Interface Pairs: Active Interface Backup Interface State ------------------------------------------------------------------------ GigabitEthernet2/0/6 GigabitEthernet2/0/8 Active Up/Backup Up
  • Page 522 Configuring the MAC Address-Table Move Update Feature This section contains this information: • Configuring a switch to send MAC address-table move updates • Configuring a switch to get MAC address-table move updates
  • Page 523 Default/Current settings: Rcv Off/On, Xmt Off/On Max packets per min : Rcv 40, Xmt 60 Rcv packet count : 5 Rcv conforming packet count : 5 Rcv invalid packet count : 0
  • Page 524 When VLAN load balancing is enabled, the output displays the preferred VLANS on Active and Backup interfaces. show mac address-table move update Displays the MAC address-table move update information on the switch.
  • Page 525 Configuring DHCP and IP Source Guard Features This chapter describes how to configure DHCP snooping and option-82 data insertion, and the DHCP server port-based address allocation features on the Catalyst 2960, 2960-S, or 2960-C switch. It also describes how to configure the IP source guard feature.
  • Page 526: Dhcp Relay Agent

    • For information about the DHCP client, see the “Configuring DHCP” section of the “IP Addressing and Services” section of the Cisco IOS IP Configuration Guide, Release 12.4 on Cisco.com. DHCP Server The DHCP server assigns IP addresses from specified address pools on a switch or router to DHCP clients and manages them.
  • Page 527 DHCP server do not reside on the same IP network or subnet, a DHCP relay agent (the Catalyst switch) is configured with a helper address to enable broadcast forwarding and to transfer DHCP messages between the clients and the server.
  • Page 528 – Length of the circuit-ID type • Remote-ID suboption fields – Suboption type – Length of the suboption type – Remote-ID type – Length of the remote-ID type
  • Page 529 The length values are variable, depending on the length of the string that you configure. • Remote-ID suboption fields – The remote-ID type is 1. – The length values are variable, depending on the length of the string that you configure.
  • Page 530: Dhcp Snooping Binding Database

    (set by the write-delay and abort-timeout values), the update stops. This is the format of the file with bindings: <initial-checksum> TYPE DHCP-SNOOPING VERSION 1 BEGIN <entry-1> <checksum-1> <entry-2> <checksum-1-2>
  • Page 531: Dhcp Snooping And Switch Stacks

    • Configuring the DHCP Relay Agent, page 20-9 • Enabling DHCP Snooping and Option 82, page 20-10 • Enabling the DHCP Snooping Binding Database Agent, page 20-11
  • Page 532: Default Dhcp Snooping Configuration

    DHCP options for devices, or set up the DHCP database agent. • If the DHCP relay agent is enabled but DHCP snooping is disabled, the DHCP option-82 data insertion feature is not supported.
  • Page 533: Configuring The Dhcp Relay Agent

    To disable the DHCP server and relay agent, use the no service dhcp global configuration command. See the “Configuring DHCP” section of the “IP Addressing and Services” section of the Cisco IOS IP Configuration Guide, Release 12.4 on Cisco.com for these procedures: • Checking (validating) the relay agent information...
  • Page 534: Enabling Dhcp Snooping And Option 82

    The default is to verify that the source MAC address matches the client hardware address in the packet. Step 11 Return to privileged EXEC mode.
  • Page 535: Enabling The Dhcp Snooping Binding Database Agent

    Specify the duration (in seconds) for which the transfer should be delayed after the binding database changes. The range is from 15 to 86400 seconds. The default is 300 seconds (5 minutes). Step 5 Return to privileged EXEC mode.
  • Page 536: Displaying Dhcp Snooping Information

    Note If DHCP snooping is enabled and an interface changes to the down state, the switch does not delete the statically configured bindings. Understanding IP Source Guard Note To use the IP source guard feature, the switch must be running the LAN Base image.
  • Page 537: Source Ip Address Filtering

    DHCP packets. The switch uses port security to filter source MAC addresses. The interface can shut down when a port-security violation occurs.
  • Page 538: Ip Source Guard For Static Hosts

    • Default IP Source Guard Configuration, page 20-15 • IP Source Guard Configuration Guidelines, page 20-15 • Enabling IP Source Guard, page 20-16 • Configuring IP Source Guard for Static Hosts, page 20-17
  • Page 539: Default Ip Source Guard Configuration

    The configuration is also removed if the switch reloads while the interface is removed from the binding table. For more information about provisioned switches, see the “Stack Offline Configuration” section on page 7-7.
  • Page 540: Enabling Ip Source Guard

    Switch(config-if)# ip verify source port-security Switch(config-if)# exit Switch(config)# ip source binding 0100.0022.0010 vlan 10 10.0.0.2 interface gigabitethernet1/0/1 Switch(config)# ip source binding 0100.0230.0002 vlan 11 10.0.0.4 interface gigabitethernet1/0/1 Switch(config)# end
  • Page 541: Configuring Ip Source Guard For Static Hosts

    (Optional) Activate port security for this port. Step 9 switchport port-security maximum value (Optional) Establish a maximum of MAC addresses for this port. Step 10 Return to privileged EXEC mode.
  • Page 542 Switch(config-if)# switchport mode access Switch(config-if)# switchport access vlan 1 Switch(config-if)# ip device tracking maximum 5 Switch(config-if)# switchport port-security Switch(config-if)# switchport port-security maximum 5 Switch(config-if)# ip verify source tracking port-security Switch(config-if)# end
  • Page 543 IP Address MAC Address Vlan Interface STATE --------------------------------------------------------------------- 200.1.1.1 0001.0600.0000 GigabitEthernet0/1 ACTIVE 200.1.1.2 0001.0600.0000 GigabitEthernet0/1 ACTIVE 200.1.1.3 0001.0600.0000 GigabitEthernet0/1 ACTIVE 200.1.1.4 0001.0600.0000 GigabitEthernet0/1 ACTIVE 200.1.1.5 0001.0600.0000 GigabitEthernet0/1 ACTIVE
  • Page 544: Displaying Ip Source Guard Information

    In some environments, such as on a factory floor, if a device fails, the replacement device must be working immediately in the existing network. With the current DHCP implementation, there is no...
  • Page 545: Configuring Dhcp Server Port-Based Address Allocation

    In all cases, by connecting the Ethernet cable to the same port, the same IP address is allocated through DHCP to the attached device. The DHCP server port-based address allocation feature is only supported on a Cisco IOS DHCP server and not a third-party server.
  • Page 546 Step 5 reserved-only (Optional) Use only reserved addresses in the DHCP address pool. The default is to not restrict pool addresses. Step 6 Return to privileged EXEC mode.
  • Page 547 10.1.1.7 Et1/0 For more information about configuring the DHCP server port-based address allocation feature, go to Cisco.com, and enter Cisco IOS IP Addressing Services in the Search field to access the Cisco IOS software documentation. You can also access the documentation: http://www.cisco.com/en/US/docs/ios/ipaddr/command/reference/iad_book.html...
  • Page 548: Displaying Dhcp Server Port-Based Address Allocation

    Display the status and configuration of a specific interface. show ip dhcp pool Display the DHCP address pools. show ip dhcp binding Display address bindings on the Cisco IOS DHCP server.
  • Page 549 This chapter describes how to configure dynamic Address Resolution Protocol inspection (dynamic ARP inspection) on the Catalyst 2960, 2960-S, or 2960-C switch. This feature helps prevent malicious attacks on the switch by not relaying invalid ARP requests and responses to other ports in the same VLAN.
  • Page 550 “Configuring ARP ACLs for Non-DHCP Environments” section on page 22-9. The switch logs dropped packets. For more information about the log buffer, see the “Logging of Dropped Packets” section on page 22-5.
  • Page 551: Dhcp Server

    Switch B (and Host 2, if the link between the switches is configured as trusted). This condition can occur even though Switch B is running dynamic ARP inspection.
  • Page 552: Dhcp Snooping

    The switch first compares ARP packets to user-configured ARP ACLs. If the ARP ACL denies the ARP packet, the switch also denies the packet even if a valid binding exists in the database populated by DHCP snooping.
  • Page 553: Logging Of Dropped Packets

    The rate is unlimited on all trusted interfaces. The burst interval is 1 second. ARP ACLs for non-DHCP environments: No ARP ACLs are defined. Validation checks: No checks are performed.
  • Page 554: Dynamic Arp Inspection Configuration Guidelines

    30 pps on an EtherChannel that has one port on switch 1 and one port on switch 2, each port can receive packets at 29 pps without causing the EtherChannel to become error-disabled.
  • Page 555: Configuring Dynamic Arp Inspection In Dhcp Environments

    For information on how to configure dynamic ARP inspection when only one switch supports the feature, see the “Configuring ARP ACLs for Non-DHCP Environments” section on page 22-9.
  • Page 556 To disable dynamic ARP inspection, use the no ip arp inspection vlan vlan-range global configuration command. To return the interfaces to an untrusted state, use the no ip arp inspection trust interface configuration command.
  • Page 557 For more information, see the “Configuring the Log Buffer” section on page 22-13. Step 4 exit Return to global configuration mode.
  • Page 558 To remove the ARP ACL, use the no arp access-list global configuration command. To remove the ARP ACL attached to a VLAN, use the no ip arp inspection filter arp-acl-name vlan vlan-range global configuration command.
  • Page 559: Limiting The Rate Of Incoming Arp Packets

    ARP packets. The range is 1 to 15. • For rate none, specify no upper limit for the rate of incoming ARP packets that can be processed. Step 4 exit Return to global configuration mode.
  • Page 560: Performing Validation Checks

    Dynamic ARP inspection intercepts, logs, and discards ARP packets with invalid IP-to-MAC address bindings. You can configure the switch to perform additional checks on the destination MAC address, the sender and target IP addresses, and the source MAC address.
  • Page 561: Configuring The Log Buffer

    VLAN with the same ARP parameters, the switch combines the packets as one entry in the log buffer and generates a single system message for the entry.
  • Page 562 The logs and interval settings interact. If the logs number X is greater than interval seconds Y, X divided by Y (X/Y) system messages are sent every second. Otherwise, one system message is sent every Y divided by X (Y/X) seconds.
  • Page 563: Displaying Dynamic Arp Inspection Information

    Displays the configuration and the operating state of dynamic ARP inspection for the specified VLAN. If no VLANs are specified or if a range is specified, displays information only for VLANs with dynamic ARP inspection enabled (active).
  • Page 564 Displays the configuration and contents of the dynamic ARP inspection log buffer. For more information about these commands, see the command reference for this release.
  • Page 565 Note For complete syntax and usage information for the commands used in this chapter, see the switch command reference for this release and the “IP Multicast Routing Commands” section in the Cisco IOS IP Command Reference, Volume 3 of 3: Multicast, Release 12.4 on Cisco.com.
  • Page 566: Understanding Igmp Snooping

    • Leaving a Multicast Group, page 21-5 • Immediate Leave, page 21-5 • IGMP Configurable-Leave Timer, page 21-6 • IGMP Report Suppression, page 21-6 • IGMP Snooping and Switch Stacks, page 21-6
  • Page 567: Igmp Versions

    The CPU also adds the interface where the join message was received to the forwarding-table entry. The host associated with that interface receives multicast traffic for that multicast group. See Figure 21-1.
  • Page 568 21-2. Note that because the forwarding table directs IGMP messages only to the CPU, the message is not flooded to other ports on the switch. Any known multicast traffic is forwarded to the group and not to the CPU.
  • Page 569: Leaving A Multicast Group

    Immediate Leave ensures optimal bandwidth management for all hosts on a switched network, even when multiple multicast groups are simultaneously in use.
  • Page 570: Igmp Report Suppression

    However, multicast groups that are common for both Layer 2 and Layer 3 (IP multicast routing) might take longer to converge if the stack master is removed.
  • Page 571: Configuring Igmp Snooping

    Global IGMP snooping overrides the VLAN IGMP snooping. If global snooping is disabled, you cannot enable VLAN snooping. If global snooping is enabled, you can enable or disable VLAN snooping.
  • Page 572: Setting The Snooping Method

    • Snooping on IGMP queries, Protocol Independent Multicast (PIM) packets, and Distance Vector Multicast Routing Protocol (DVMRP) packets
    • Listening to Cisco Group Management Protocol (CGMP) packets from other routers
    • Statically connecting to a multicast router port with the ip igmp snooping mrouter global ...
  • Page 573
    • The VLAN ID range is 1 to 1001 and 1006 to 4094.
    • The interface can be a physical interface or a port channel.
    • The port-channel range is 1 to 6.
    Step 3: Return to privileged EXEC mode.
  • Page 574: Configuring A Host Statically To Join A Group

    ... IGMP Version 2 leave message on that port. You should only use the Immediate-Leave feature when there is a single receiver present on every port in the VLAN.
  • Page 575: Configuring The Igmp Leave Timer

    ... 100 to 32768 milliseconds. Note: Configuring the leave time on a VLAN overrides the globally configured timer.
    Step 4: Return to privileged EXEC mode.
  • Page 576 (Optional) Save your entries in the configuration file. To return to the default flooding query count, use the no ip igmp snooping tcn flood query count global configuration command.
  • Page 577 (Optional) Save your entries in the configuration file. To re-enable multicast flooding on an interface, use the ip igmp snooping tcn flood interface configuration command.
  • Page 578: Configuring The Igmp Snooping Querier

    (Optional) Verify that the IGMP snooping querier is enabled on the VLAN interface. The VLAN ID range is 1 to 1001 and 1006 to 4094.
    Step 10: copy running-config startup-config (Optional) Save your entries in the configuration file.
  • Page 579
    Switch(config)# end
    This example shows how to set the IGMP snooping querier feature to version 2 (the no form of the command would return the querier to its default version, so it is not used here):
    Switch# configure terminal
    Switch(config)# ip igmp snooping querier version 2
    Switch(config)# end
  • Page 580: Disabling Igmp Report Suppression

    ... command options instead of the actual entries.
    • dynamic—Display entries learned through IGMP snooping.
    • user—Display only the user-configured multicast entries.
  • Page 581: Understanding Multicast Vlan Registration

    MVR assumes that subscriber ports subscribe and unsubscribe (join and leave) these multicast streams by sending out IGMP join and leave messages. These messages can originate from an IGMP Version-2-compatible host with an Ethernet connection. Although MVR operates on the underlying ...
  • Page 582: Using Mvr In A Multicast Television Application

    ... VLAN as a forwarding destination of the specified multicast stream when it is received from the multicast VLAN. Uplink ports that send and receive multicast data to and from the multicast VLAN are called MVR source ports.
  • Page 583 Multicast traffic for all channels is only sent around the VLAN trunk once—only on the multicast VLAN. The IGMP leave and join messages are in the VLAN to which the subscriber port is assigned.
  • Page 584: Configuring Mvr

    ... Catalyst 3550 or Catalyst 3500 XL switches, you should not configure IP addresses that alias between themselves or with the reserved IP multicast addresses (in the range 224.0.0.xxx).
    • MVR can coexist with IGMP snooping on a switch.
  • Page 585: Configuring Mvr Global Parameters

    This example shows how to enable MVR, configure the group address, set the query time to 1 second (10 tenths), specify the MVR multicast VLAN as VLAN 22, and set the MVR mode as dynamic:
    Switch(config)# mvr
  • Page 586: Configuring Mvr Interfaces

    Note: This command applies only to receiver ports and should only be enabled on receiver ports to which a single receiver device is connected.
    Step 7: Return to privileged EXEC mode.
  • Page 587: Displaying Mvr Information

    If the members keyword is entered, displays all multicast group members on this port or, if a VLAN identification is entered, all multicast group members on the VLAN. The VLAN ID range is 1 to 1001 and 1006 to 4094.
  • Page 588: Configuring Igmp Filtering And Throttling

    • Applying IGMP Profiles, page 21-26 (optional)
    • Setting the Maximum Number of IGMP Groups, page 21-27 (optional)
    • Configuring the IGMP Throttling Action, page 21-28 (optional)
  • Page 589: Default Igmp Filtering And Throttling Configuration

    The default is for the switch to have no IGMP profiles configured. When a profile is configured, if neither the permit nor deny keyword is included, the default is to deny access to the range of IP addresses.
  • Page 590: Applying Igmp Profiles

    You cannot apply profiles to ports that belong to an EtherChannel port group. You can apply a profile to multiple interfaces, but each interface can have only one profile applied to it.
  • Page 591: Setting The Maximum Number Of Igmp Groups

    Step 4: Return to privileged EXEC mode.
    Step 5: show running-config interface interface-id  Verify the configuration.
    Step 6: copy running-config startup-config  (Optional) Save your entries in the configuration file.
  • Page 592: Configuring The Igmp Throttling Action

    • replace—Replace the existing group with the new group for which the IGMP report was received.
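    The filtering and throttling rules above (a profile that defaults to deny when neither keyword is given, a per-port maximum group count, and a throttling action of deny or replace) can be modelled as a small decision function. The following is an added example, not code from the Cisco guide: it parses ip igmp profile stanzas from constructed IOS configuration text and replays joins against a port. The guide does not say which existing group is dropped under the replace action, so this model replaces the oldest entry; that choice, the SAMPLE_CONFIG text and the Port class are assumptions of the example.

```python
"""IGMP filtering and throttling decision model.

Added example, not code from the Cisco guide. It models the per-port decision
the guide describes: an applied IGMP profile (permit or deny a set of address
ranges; the default action when neither keyword is given is deny), an optional
maximum group count (ip igmp max-groups), and the throttling action deny or
replace. Which existing group the switch replaces is not stated here, so this
model replaces the oldest entry (an assumption of the example).
"""
import ipaddress
from dataclasses import dataclass, field
from typing import List, Optional, Tuple


@dataclass
class IgmpProfile:
    action: str = "deny"                       # switch default when neither permit nor deny is given
    ranges: List[Tuple[str, str]] = field(default_factory=list)

    def matches(self, group: str) -> bool:
        g = int(ipaddress.IPv4Address(group))
        return any(int(ipaddress.IPv4Address(lo)) <= g <= int(ipaddress.IPv4Address(hi))
                   for lo, hi in self.ranges)

    def permits(self, group: str) -> bool:
        # permit profile: only listed groups may be joined
        # deny profile: listed groups are blocked, everything else passes
        return self.matches(group) if self.action == "permit" else not self.matches(group)


def parse_profiles(config: str) -> dict:
    """Parse 'ip igmp profile N' stanzas (permit | deny, range low [high]) from IOS config text."""
    profiles, cur = {}, None
    for raw in config.splitlines():
        line = raw.strip()
        if line.startswith("ip igmp profile "):
            cur = IgmpProfile()
            profiles[int(line.split()[-1])] = cur
        elif raw.startswith(" ") and cur is not None:
            if line in ("permit", "deny"):
                cur.action = line
            elif line.startswith("range "):
                parts = line.split()[1:]
                cur.ranges.append((parts[0], parts[1] if len(parts) > 1 else parts[0]))
        else:
            cur = None                          # "!" or any other top-level line ends the stanza
    return profiles


@dataclass
class Port:
    name: str
    profile: Optional[IgmpProfile] = None
    max_groups: Optional[int] = None           # None: no ip igmp max-groups limit
    throttle_action: str = "deny"              # deny (default) or replace
    groups: List[str] = field(default_factory=list)  # oldest first

    def join(self, group: str) -> str:
        """Return what happens to an IGMP report for `group` arriving on this port."""
        if self.profile is not None and not self.profile.permits(group):
            return "filtered"
        if group in self.groups:
            return "already-member"
        if self.max_groups is not None and len(self.groups) >= self.max_groups:
            if self.throttle_action == "replace":
                self.groups.pop(0)             # assumption: oldest entry is replaced
            else:
                return "throttled"
        self.groups.append(group)
        return "joined"


# Constructed configuration for the demonstration: profile 4 permits one range,
# profile 5 gives no keyword and therefore denies its range (the Auto-RP groups).
SAMPLE_CONFIG = """\
ip igmp profile 4
 permit
 range 239.1.1.1 239.1.1.10
ip igmp profile 5
 range 224.0.1.39 224.0.1.40
!
"""

if __name__ == "__main__":
    profiles = parse_profiles(SAMPLE_CONFIG)
    port = Port("Gi1/0/1", profiles[4], max_groups=2)
    for g in ("239.1.1.1", "239.1.1.2", "239.1.1.3", "239.9.9.9"):
        print(g, port.join(g))
```

    Running the block shows the interaction the guide describes in two places: the third permitted group is throttled because the port is at its maximum, and a group outside the permit range is filtered before the maximum is even consulted.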
  • Page 593: Displaying Igmp Filtering And Throttling Configuration

    Displays the configuration of the specified interface (interface-id) or of all interfaces on the switch, including (if configured) the maximum number of IGMP groups to which an interface can belong and the IGMP profile applied to the interface.
  • Page 594 Chapter 21 Configuring IGMP Snooping and MVR: Displaying IGMP Filtering and Throttling Configuration
  • Page 595: Configuring Storm Control

    Chapter: Configuring Port-Based Traffic Control. This chapter describes how to configure the port-based traffic control features on the Catalyst 2960, 2960-S, or 2960-C switch. Unless otherwise noted, the term switch refers to a standalone switch and a switch stack.
  • Page 596 Note: When the storm control threshold for multicast traffic is reached, all multicast traffic except control traffic, such as bridge protocol data unit (BPDU) and Cisco Discovery Protocol (CDP) frames, is blocked. The graph in Figure 23-1 shows broadcast traffic patterns on an interface over a given period of time.
  • Page 597: Default Storm Control Configuration

    Beginning in privileged EXEC mode, follow these steps to configure storm control and threshold levels:
    Step 1: configure terminal  Enter global configuration mode.
    Step 2: interface interface-id  Specify the interface to be configured, and enter interface configuration mode.
  • Page 598 If you do not enter a traffic type, broadcast storm control settings are displayed.
    Step 7: copy running-config startup-config  (Optional) Save your entries in the configuration file.
  • Page 599 Incoming VLAN-tagged packets smaller than 67 bytes are considered small frames. They are forwarded by the switch, but they do not cause the switch storm-control counters to increment. In Cisco IOS Release 12.2(44)SE and later, you can configure a port to be error disabled if small frames arrive at a specified rate (threshold).
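    The storm-control behaviour described on these pages (traffic of a type is suppressed once the rising threshold is reached and resumes only when a later measurement falls below the falling threshold, which defaults to the rising value when omitted) is easiest to see replayed against a series of per-interval utilisation samples. The following is an added example, not code from the Cisco guide; the utilisation series is constructed, the one-sample-per-second model is an assumption, and the trap and shutdown actions are deliberately out of scope.

```python
"""Storm-control threshold behaviour over time.

Added example, not code from the Cisco guide. It replays the decision the
guide describes for `storm-control {broadcast | multicast | unicast} level
rising [falling]`: once the measured share of port bandwidth in an interval
reaches the rising threshold, that traffic type is blocked, and it stays
blocked until a later interval falls below the falling threshold. When no
falling value is given it defaults to the rising value. The utilisation
series below is constructed; the model assumes one sample per 1-second
interval and does not model the trap or shutdown actions.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class StormControl:
    rising: float                     # percent of port bandwidth, 0.00 to 100.00
    falling: Optional[float] = None

    def __post_init__(self) -> None:
        if self.falling is None:
            self.falling = self.rising    # the switch's default when falling is omitted
        if not 0 <= self.falling <= self.rising <= 100:
            raise ValueError("need 0 <= falling <= rising <= 100")


def simulate(policy: StormControl, utilisation: List[float]) -> Tuple[List[bool], int]:
    """Return (blocked flag per interval, number of distinct storm events)."""
    blocked, flags, events = False, [], 0
    for pct in utilisation:
        if not blocked and pct >= policy.rising:
            blocked, events = True, events + 1
        elif blocked and pct < policy.falling:
            blocked = False
        flags.append(blocked)
    return flags, events


def blocked_seconds(policy: StormControl, utilisation: List[float]) -> int:
    """Total intervals during which the traffic type was suppressed."""
    return sum(simulate(policy, utilisation)[0])


# Constructed sample: a burst, sustained moderate load, a second burst, then quiet.
SAMPLE = [5, 90, 70, 70, 70, 50, 95, 10]

if __name__ == "__main__":
    # Same rising level, different falling level: the sustained 70% load is
    # forwarded with the default (falling == rising) but stays blocked at 60.
    for policy in (StormControl(80), StormControl(80, 60)):
        flags, events = simulate(policy, SAMPLE)
        print(policy, flags, events, blocked_seconds(policy, SAMPLE))
```

    The contrast between the two policies is the practical point: a falling threshold well below the rising one keeps a port suppressed through a sustained load that the default setting would let flap between blocked and forwarding every second.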
  • Page 600: Configuring Protected Ports

    Because a switch stack represents a single logical switch, Layer 2 traffic is not forwarded between any protected ports in the switch stack, whether they are on the same or different switches in the stack. Note: Stacking is supported only on Catalyst 2960-S switches running the LAN base image. These sections contain this configuration information:
  • Page 601: Protected Port Configuration Guidelines

    Note: ... contain IPv4 or IPv6 information in the header are not blocked.
    • Default Port Blocking Configuration, page 23-8
    • Blocking Flooded Traffic on an Interface, page 23-8
  • Page 602: Default Port Blocking Configuration

    ... MAC addresses to one and assign a single secure MAC address, the workstation attached to that port is assured the full bandwidth of the port.
  • Page 603: Understanding Port Security

    If you do not save the sticky secure addresses, they are lost.
  • Page 604: Security Violations

    Table 23-1 Security Violation Mode Actions

    Violation Mode   Traffic is forwarded   Sends SNMP trap   Sends syslog message   Displays error message   Violation counter increments   Shuts down port
    protect          No                     No                No                     No                       No                             No
    restrict         No                     Yes               Yes                    No                       Yes                            No
    shutdown         No                     Yes               Yes                    No                       Yes                            Yes
  • Page 605: Default Port Security Configuration

    • When you enable port security on an interface that is also configured with a voice VLAN, set the maximum allowed secure addresses on the port to two. When the port is connected to a Cisco IP phone, the IP phone requires one MAC address. The Cisco IP phone address is learned on the voice ...
  • Page 606: Enabling And Configuring Port Security

    ... VLAN, but is not learned on the access VLAN. If you connect a single PC to the Cisco IP phone, no additional MAC addresses are required. If you connect more than one PC to the Cisco IP phone, you must configure enough secure addresses to allow one for each PC and one for the phone.
  • Page 607 Note: ... a port and if that port is not the access VLAN. If an interface is configured for voice VLAN, configure a maximum of two secure MAC addresses.
  • Page 608 The voice keyword is available only if a voice VLAN is configured on a port and if that port is not the access VLAN. If an interface is configured for voice VLAN, configure a maximum of two secure MAC addresses.
  • Page 609 ... (to re-enable port security on the interface). If you use the no switchport port-security mac-address sticky interface configuration ...
  • Page 610: Enabling And Configuring Port Security Aging

    ... MAC addresses and to still limit the number of secure addresses on a port. You can enable or disable the aging of secure addresses on a per-port basis.
  • Page 611
    Switch(config-if)# switchport port-security aging time 2
    Switch(config-if)# switchport port-security aging type inactivity
    Switch(config-if)# switchport port-security aging static
    You can verify the previous commands by entering the show port-security interface interface-id privileged EXEC command.
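    The storm control, port security and voice-VLAN guidance in this chapter is usually enforced on a fleet by reading the running configuration rather than by hand. The following is an added example, not code from the Cisco guide: it parses interface stanzas from running-config text and reports access ports that lack port security, that carry a voice VLAN with a secure-address maximum below two, that use the protect violation mode (which, per Table 23-1, records nothing), or that have no broadcast storm control. The configuration text and the rule set are this example's assumptions, not switch defaults, except where a comment names the default the switch itself applies.

```python
"""Access-port hardening audit for port security and storm control.

Added example, not code from the Cisco guide. It parses interface stanzas
from IOS running-config text and reports access ports that miss what this
chapter describes: port security enabled, a secure-address maximum of at
least two when a voice VLAN is present (one for the phone, one for the PC),
a violation mode that records violations, and broadcast storm control.
The running-config below is constructed; the rule set is this example's
policy, not a default of the switch.
"""
import re
from typing import Dict, List

SAMPLE_CONFIG = """\
interface GigabitEthernet1/0/1
 switchport mode access
 switchport access vlan 10
 switchport voice vlan 100
 switchport port-security
 switchport port-security maximum 2
 switchport port-security violation restrict
 switchport port-security mac-address sticky
 storm-control broadcast level 20.00 10.00
 spanning-tree portfast
!
interface GigabitEthernet1/0/2
 switchport mode access
 switchport access vlan 10
 switchport voice vlan 100
 switchport port-security
!
interface GigabitEthernet1/0/3
 switchport mode access
 switchport access vlan 20
 switchport port-security
 switchport port-security violation protect
 storm-control broadcast level 20.00
!
interface GigabitEthernet1/0/48
 description uplink to core
 switchport mode trunk
!
"""


def parse_interfaces(config: str) -> Dict[str, List[str]]:
    """Map each interface name to its indented configuration lines."""
    stanzas, cur = {}, None
    for raw in config.splitlines():
        if raw.startswith("interface "):
            cur = raw.split(None, 1)[1]
            stanzas[cur] = []
        elif raw.startswith(" ") and cur is not None:
            stanzas[cur].append(raw.strip())
        else:
            cur = None                      # "!" or any other top-level line ends the stanza
    return stanzas


def audit_access_port(lines: List[str]) -> List[str]:
    """Return findings for one access-port stanza; an empty list means compliant."""
    findings = []
    if "switchport port-security" not in lines:
        return ["port security not enabled"]
    maximum = 1                             # switch default: one secure address per port
    for line in lines:
        m = re.match(r"switchport port-security maximum (\d+)", line)
        if m:
            maximum = int(m.group(1))
    if any(l.startswith("switchport voice vlan") for l in lines) and maximum < 2:
        findings.append(f"voice VLAN present but maximum is {maximum}; needs 2")
    mode = "shutdown"                       # switch default violation mode
    for line in lines:
        if line.startswith("switchport port-security violation "):
            mode = line.split()[-1]
    if mode == "protect":
        findings.append("violation mode protect: no trap, syslog or counter increment")
    if not any(l.startswith("storm-control broadcast") for l in lines):
        findings.append("no broadcast storm control")
    return findings


def audit(config: str) -> Dict[str, List[str]]:
    """Audit every access port in the config; trunks and uplinks are skipped."""
    return {name: audit_access_port(lines)
            for name, lines in parse_interfaces(config).items()
            if "switchport mode access" in lines}


if __name__ == "__main__":
    for port, findings in audit(SAMPLE_CONFIG).items():
        print(port, findings or ["ok"])
```

    Feed it the output of show running-config collected from each switch; the stanza parser stops at the "!" separator, so it is unaffected by the order or number of interfaces in the file.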
  • Page 612: Port Security And Switch Stacks

    Virtual port error disabling is not supported for EtherChannel and Flex Link interfaces. Default Protocol Storm Protection Configuration: Protocol storm protection is disabled by default. When it is enabled, auto-recovery of the virtual port is disabled by default.
  • Page 613: Enabling Protocol Storm Protection

    The show interfaces interface-id switchport privileged EXEC command displays (among other characteristics) the interface traffic suppression and control configuration. The show storm-control and show port-security privileged EXEC commands display those storm control and port security settings.
  • Page 614 Displays the number of secure MAC addresses configured per VLAN on the specified interface.
  • Page 615 When you enable both autonegotiation and UDLD, the Layer 1 and Layer 2 detections work together to prevent physical and logical unidirectional connections and the malfunctioning of other protocols.
  • Page 616: Methods To Detect Unidirectional Links

    UDLD sends at least one message to inform the neighbors to flush the part of their caches affected by the status change. The message is intended to keep the caches synchronized.
  • Page 617
    • Configuration Guidelines, page 24-4
    • Enabling UDLD Globally, page 24-5
    • Enabling UDLD on an Interface, page 24-6
    • Resetting an Interface Disabled by UDLD, page 24-6
  • Page 618: Default Udld Configuration

    Loop guard works only on point-to-point links. Caution: We recommend that each end of the link has a directly connected device that is running STP.
  • Page 619: Enabling Udld Globally

    To disable UDLD globally, use the no udld enable global configuration command to disable normal mode UDLD on all fiber-optic ports. Use the no udld aggressive global configuration command to disable aggressive mode UDLD on all fiber-optic ports.
  • Page 620: Enabling Udld On An Interface

    • The errdisable recovery cause udld global configuration command enables the timer to automatically recover from the UDLD error-disabled state, and the errdisable recovery interval interval global configuration command specifies the time to recover from the UDLD error-disabled state.
  • Page 621: Displaying Udld Status

    To display the UDLD status for the specified port or for all ports, use the show udld [interface-id] privileged EXEC command. For detailed information about the fields in the command output, see the command reference for this release.
  • Page 622 Chapter 24 Configuring UDLD: Displaying UDLD Status
  • Page 623: Configuring Cdp

    Understanding CDP: CDP is a device discovery protocol that runs over Layer 2 (the data link layer) on all Cisco-manufactured devices (routers, bridges, access servers, and switches) and allows network management applications to discover Cisco devices that are neighbors of already known devices. With CDP, network management applications can learn the device type and the Simple Network Management Protocol (SNMP) agent address of neighboring devices running lower-layer, transparent protocols.
  • Page 624: Cdp And Switch Stacks

    Feature                               Default Setting
    CDP global state                      Enabled
    CDP interface state                   Enabled
    CDP timer (packet update frequency)   60 seconds
    CDP holdtime (before discarding)      180 seconds
    CDP Version-2 advertisements          Enabled
  • Page 625: Configuring The Cdp Characteristics

    ... page 25-5. Disabling and Enabling CDP: CDP is enabled by default. Switch clusters and other Cisco devices (such as Cisco IP Phones) regularly exchange CDP messages. Note: Disabling CDP can interrupt cluster discovery and device connectivity. For more information, see Chapter 6, “Clustering Switches” ... Because CDP advertisements carry the platform, software version and management address in the clear, a common compromise is to keep CDP enabled on ports facing other managed Cisco devices and to disable it with the no cdp enable interface configuration command on ports facing untrusted hosts.
  • Page 626: Disabling And Enabling Cdp On An Interface

    Disable CDP on the interface.
    Step 4: Return to privileged EXEC mode.
    Step 5: copy running-config startup-config  (Optional) Save your entries in the configuration file.
  • Page 627: Monitoring And Maintaining Cdp

    You can limit the display to neighbors of a specific interface or expand the display to provide more detailed information.
    show cdp traffic   Display CDP counters, including the number of packets sent and received and checksum errors.
  • Page 628 Chapter 25 Configuring CDP: Monitoring and Maintaining CDP
  • Page 629 Understanding LLDP, LLDP-MED, and Wired Location Service. LLDP: The Cisco Discovery Protocol (CDP) is a device discovery protocol that runs over Layer 2 (the data link layer) on all Cisco-manufactured devices (routers, bridges, access servers, and switches). CDP allows network management applications to automatically discover and learn about other Cisco devices connected to the network.
  • Page 630 To support non-Cisco devices and to allow for interoperability between other devices, the switch supports the IEEE 802.1AB Link Layer Discovery Protocol (LLDP). LLDP is a neighbor discovery protocol that is used for network devices to advertise information about themselves to other devices on the network.
  • Page 631 Starting with Cisco IOS Release 12.2(52)SE, when LLDP is enabled and power is applied to a port, the power TLV determines the actual power requirement of the endpoint device so that the system power budget can be adjusted accordingly.
  • Page 632: Wired Location Service

    The switch uses the wired location service feature to send location and attachment tracking information for its connected devices to a Cisco Mobility Services Engine (MSE). The tracked device can be a wireless endpoint, a wired endpoint, or a wired switch or controller. The switch notifies the MSE of device link up and link down events through the Network Mobility Services Protocol (NMSP) location and attachment notifications.
  • Page 633: Default Lldp Configuration

    • You cannot configure a network-policy profile on a private-VLAN port.
    • For wired location to function, you must first enter the ip device tracking global configuration command.
  • Page 634: Enabling Lldp

    Beginning in privileged EXEC mode, follow these steps to configure the LLDP characteristics. Note: Steps 2 through 5 are optional and can be performed in any order.
  • Page 635 Table 26-2 LLDP-MED TLVs

    LLDP-MED TLV           Description
    inventory-management   LLDP-MED inventory management TLV
    location               LLDP-MED location TLV
    network-policy         LLDP-MED network policy TLV
    power-management       LLDP-MED power management TLV
  • Page 636 The telephone uses the configuration from the telephone key pad. untagged—(Optional) Configure the telephone to send untagged voice traffic. This is the default for the telephone.
    Step 4: exit  Return to global configuration mode.
  • Page 637: Configuring Location Tlv And Wired Location Service

    • identifier id—Specify the ID for the civic location.
    • string—Specify the site or location information in alphanumeric format.
    Step 3: exit  Return to global configuration mode.
  • Page 638 Note: Your switch must be running the cryptographic (encrypted) software image to enable the nmsp global configuration commands.
    Step 1: configure terminal  Enter global configuration mode.
    Step 2: nmsp enable  Enable the NMSP features on the switch.
  • Page 639 Display the location information for the specified administrative tag or site.
    show location civic-location identifier id   Display the location information for a specific global civic location.
  • Page 640
    show location elin-location identifier id   Display the location information for an emergency location.
    show network-policy profile                 Display the configured network-policy profiles.
    show nmsp                                   Display the NMSP information.
  • Page 641 This chapter describes how to configure Switched Port Analyzer (SPAN) and Remote SPAN (RSPAN) on the Catalyst 2960, 2960-S, or 2960-C switch. Unless otherwise noted, the term switch refers to a standalone switch and a switch stack. Note: Stacking is supported only on Catalyst 2960-S switches running the LAN base image.
  • Page 642: Local Span

    [figure labels: Port 10, Network analyzer] Figure 27-2 is an example of a local SPAN in a switch stack, where the source and destination ports reside on different stack members.
  • Page 643: Remote Span

    ... RSPAN VLAN to a destination session monitoring the RSPAN VLAN. Each RSPAN source switch must have either ports or VLANs as RSPAN sources. The destination is always a physical port, as shown on Switch C in the figure.
  • Page 644: Span And Rspan Concepts And Terminology

    ... RSPAN VLAN. To configure an RSPAN destination session on another device, you associate the destination port with the RSPAN VLAN. The destination session collects all RSPAN VLAN traffic and sends it out the RSPAN destination port.
  • Page 645: Monitored Traffic

    A copy of each packet received by the source is sent to the destination port for that SPAN session. Packets that are modified because of routing or quality of service (QoS)—for example, modified Differentiated Services Code Point (DSCP)—are copied before modification.
  • Page 646 The default configuration for local SPAN session ports is to send all packets untagged. SPAN also does not normally monitor bridge protocol data unit (BPDU) packets and Layer 2 protocols, such as Cisco Discovery Protocol (CDP), VLAN Trunk Protocol (VTP), Dynamic Trunking Protocol (DTP), Spanning Tree Protocol (STP), and Port Aggregation Protocol (PAgP).
  • Page 647
    • SPAN traffic coming from other port types is not affected by VLAN filtering; that is, all VLANs are allowed on other ports.
    • VLAN filtering affects only traffic forwarded to the destination SPAN port and does not affect the switching of normal traffic.
  • Page 648: Destination Port

    • For RSPAN, the original VLAN ID is lost because it is overwritten by the RSPAN VLAN identification. Therefore, all packets appear on the destination port as untagged.
  • Page 649: Span And Rspan Interaction With Other Features

    ... SPAN session, it rejoins the EtherChannel group. Ports removed from an EtherChannel group remain members of the group, but they are in the inactive or suspended state.
  • Page 650: Span And Rspan And Switch Stacks

    Feature                               Default Setting
    SPAN state (SPAN and RSPAN)           Disabled.
    Source port traffic to monitor        Both received and sent traffic (both).
    Encapsulation type (destination port) Native form (untagged packets).
    Ingress forwarding (destination port) Disabled
  • Page 651: Configuring Local Span

    ... VLANs specified with this keyword is monitored. By default, all VLANs are monitored on a trunk port.
    • You cannot mix source VLANs and filter VLANs within a single SPAN session.
  • Page 652 ... This is the default.
    • rx—Monitor received traffic.
    • tx—Monitor sent traffic.
    Note: You can use the monitor session session_number source command multiple times to configure multiple source ports.
  • Page 653
    Switch(config)# end
    This example shows how to disable received traffic monitoring on port 1, which was configured for bidirectional monitoring:
    Switch(config)# no monitor session 1 source interface gigabitethernet1/0/1 rx
  • Page 654 Step 3: monitor session session_number source {interface interface-id | vlan vlan-id} [, | -] [both | rx | tx]  Specify the SPAN session and the source port (monitored port).
  • Page 655 ... IEEE 802.1Q encapsulation and VLAN 6 as the default ingress VLAN.
    Switch(config)# no monitor session 2
    Switch(config)# monitor session 2 source gigabitethernet1/0/1 rx
    Switch(config)# monitor session 2 destination interface gigabitethernet1/0/2 encapsulation replicate ingress dot1q vlan 6
    Switch(config)# end
  • Page 656 (Optional) Save the configuration in the configuration file. To monitor all VLANs on the trunk port, use the no monitor session session_number filter global configuration command.
  • Page 657: Configuring Rspan

    • If you enable VTP and VTP pruning, RSPAN traffic is pruned in the trunks to prevent the unwanted flooding of RSPAN traffic across the network for VLAN IDs that are lower than 1005.
  • Page 658: Creating An Rspan Source Session

    For session_number, the range is 1 to 66. Specify all to remove all RSPAN sessions, local to remove all local sessions, or remote to remove all remote SPAN sessions.
  • Page 659
    Switch(config)# monitor session 1 source interface gigabitethernet1/0/1 tx
    Switch(config)# monitor session 1 source interface gigabitethernet1/0/2 rx
    Switch(config)# monitor session 1 source interface port-channel 2
    Switch(config)# monitor session 1 destination remote vlan 901
    Switch(config)# end
  • Page 660 To remove a destination port from the SPAN session, use the no monitor session session_number destination interface interface-id global configuration command. To remove the RSPAN VLAN from the session, use the no monitor session session_number source remote vlan vlan-id.
  • Page 661: Creating An Rspan Destination Session And Configuring Incoming Traffic

    RSPAN VLAN and the destination port, and to enable incoming traffic on the destination port for a network security device (such as a Cisco IDS Sensor Appliance). For details about the keywords not related to incoming traffic, see the “Creating an RSPAN Destination...
  • Page 662: Specifying Vlans To Filter

    (Optional) Use a comma (,) to specify a series of VLANs or use a hyphen (-) to specify a range of VLANs. Enter a space before and after the comma; enter a space before and after the hyphen.
  • Page 663: Displaying Span And Rspan Status

    To display the current SPAN or RSPAN configuration, use the show monitor user EXEC command. You can also use the show running-config privileged EXEC command to display configured SPAN or RSPAN sessions.
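    Because show running-config lists every monitor session line, the SPAN and RSPAN rules from this chapter can be checked mechanically, and the same pass doubles as a detection control: a mirror session that no operator configured is a simple way for someone with configuration access to copy traffic off the switch. The following is an added example, not code from the Cisco guide. It parses constructed monitor session lines, groups them by session number, and checks the session-number range (1 to 66), the prohibition on mixing source VLANs and filter VLANs, the VLAN ID range stated for this platform (1 to 1001 and 1006 to 4094) for the RSPAN VLAN, a destination that is also a source, and a destination port outside an allow-list; the configuration text and the allow-list are assumptions of the example.

```python
"""SPAN and RSPAN session review from running-config text.

Added example, not code from the Cisco guide. It gathers every
`monitor session` line, groups them by session number, and checks the
constraints this chapter states: session numbers 1 to 66, a destination
that is not also a source port, no mixing of `source vlan` with `filter vlan`
in one session, and an RSPAN VLAN in the range 1 to 1001 or 1006 to 4094. It
also flags sessions whose destination port is not in an operator-maintained
allow-list, because a mirror session nobody set up means traffic is being
copied off the switch. The configuration text below is constructed.
"""
import re
from collections import defaultdict
from typing import Dict, List, Tuple

SAMPLE_CONFIG = """\
monitor session 1 source interface Gi1/0/1 - 2 rx
monitor session 1 destination interface Gi1/0/24 encapsulation replicate
monitor session 2 source vlan 10
monitor session 2 filter vlan 20
monitor session 2 destination interface Gi1/0/23
monitor session 3 source interface Gi1/0/5 tx
monitor session 3 destination remote vlan 1003
monitor session 4 source interface Gi1/0/7
monitor session 4 destination interface Gi1/0/7
"""

_LINE = re.compile(r"monitor session (\d+) (source|destination|filter) (.+)")
_NOISE = {"rx", "tx", "both", "-", ","}     # direction keywords and list/range punctuation


def _new_session() -> dict:
    return {"source_if": [], "source_vlan": [], "filter_vlan": [],
            "destination": None, "remote_vlan": None}


def parse_sessions(config: str) -> Dict[int, dict]:
    """Group monitor session lines by session number."""
    sessions: Dict[int, dict] = defaultdict(_new_session)
    for raw in config.splitlines():
        m = _LINE.match(raw.strip())
        if not m:
            continue
        num, kind, rest = int(m.group(1)), m.group(2), m.group(3).split()
        s = sessions[num]
        if kind == "source" and rest[0] == "interface":
            s["source_if"] += [t for t in rest[1:] if t not in _NOISE]
        elif kind == "source" and rest[0] == "vlan":
            s["source_vlan"] += [t for t in rest[1:] if t not in _NOISE]
        elif kind == "filter" and rest[0] == "vlan":
            s["filter_vlan"] += [t for t in rest[1:] if t not in _NOISE]
        elif kind == "destination" and rest[0] == "interface":
            s["destination"] = rest[1]
        elif kind == "destination" and rest[:2] == ["remote", "vlan"]:
            s["remote_vlan"] = int(rest[2])
    return dict(sessions)


def valid_rspan_vlan(vlan: int) -> bool:
    """VLAN IDs this platform accepts: 1-1001 and 1006-4094 (1002-1005 are reserved)."""
    return 1 <= vlan <= 1001 or 1006 <= vlan <= 4094


def validate(sessions: Dict[int, dict], allowed_destinations=()) -> List[Tuple[int, str]]:
    """Return (session number, finding) pairs; an empty list means nothing to report."""
    findings = []
    for num, s in sorted(sessions.items()):
        if not 1 <= num <= 66:
            findings.append((num, "session number outside 1-66"))
        if s["source_vlan"] and s["filter_vlan"]:
            findings.append((num, "source VLANs and filter VLANs mixed in one session"))
        if s["remote_vlan"] is not None and not valid_rspan_vlan(s["remote_vlan"]):
            findings.append((num, f"RSPAN VLAN {s['remote_vlan']} is reserved or out of range"))
        if s["destination"] and s["destination"] in s["source_if"]:
            findings.append((num, "destination port is also a source port"))
        if s["destination"] and allowed_destinations and s["destination"] not in allowed_destinations:
            findings.append((num, f"unexpected destination {s['destination']}"))
    return findings


if __name__ == "__main__":
    # Only Gi1/0/24 (the analyzer port) is an approved destination in this example.
    for finding in validate(parse_sessions(SAMPLE_CONFIG), allowed_destinations={"Gi1/0/24"}):
        print(*finding)
```

    Session 1 passes; sessions 2 to 4 each trip a different rule, and session 2 additionally shows up as an unexpected destination, which is the alert a monitoring team would want when a SPAN port appears that is not the known analyzer or IDS sensor port.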
  • Page 665 C H A P T E R Configuring RMON This chapter describes how to configure Remote Network Monitoring (RMON) on the Catalyst 2960, 2960-S, or 2960-C switch. Unless otherwise noted, the term switch refers to a standalone switch and to a switch stack.
  • Page 666 Because switches supported by this software release use hardware counters for RMON data processing, the monitoring is more efficient, and little processing power is required. Note: 64-bit counters are not supported for RMON alarms.
  • Page 667: Default Rmon Configuration

    You must also configure SNMP on the switch to access RMON MIB objects. For more information, see Chapter 30, “Configuring SNMP.” Note: 64-bit counters are not supported for RMON alarms.
  • Page 668 SNMP community string used for this trap.
    Step 4 Return to privileged EXEC mode.
    Step 5 show running-config: Verify your entries.
    Step 6 copy running-config startup-config: (Optional) Save your entries in the configuration file.
  • Page 669: Collecting Group History Statistics On An Interface

    (Optional) For owner ownername, enter the name of the owner of the RMON group of statistics.
    Step 4 Return to privileged EXEC mode.
    Step 5 show running-config: Verify your entries.
  • Page 670: Collecting Group Ethernet Statistics On An Interface

    Commands for Displaying RMON Status
    Command            Purpose
    show rmon          Displays general RMON statistics.
    show rmon alarms   Displays the RMON alarm table.
    show rmon events   Displays the RMON event table.
  • Page 671 Displays the RMON statistics table. For information about the fields in these displays, see the “System Management Commands” section in the Cisco IOS Configuration Fundamentals Command Reference, Release 12.4 on Cisco.com.
  • Page 673: Configuring System Message Logging

    C H A P T E R Configuring System Message Logging This chapter describes how to configure system message logging on the Catalyst 2960, 2960-S, or 2960-C switch. Note: For complete syntax and usage information for the commands used in this chapter, see the Cisco IOS Configuration Fundamentals Command Reference, Release 12.4.
  • Page 674: System Log Message Format

    The part of the message preceding the percent sign depends on the setting of the service sequence-numbers, service timestamps log datetime, service timestamps log datetime [localtime] [msec] [show-timezone], or service timestamps log uptime global configuration command.
  • Page 675
    00:00:47: %LINK-3-UPDOWN: Interface GigabitEthernet2/0/2, changed state to up (Switch-2)
    00:00:48: %LINEPROTO-5-UPDOWN: Line protocol on Interface Vlan1, changed state to down (Switch-2)
    00:00:48: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet2/0/1, changed state to down 2 (Switch-2)
  • Page 676: Default System Message Logging Configuration

    Step 3 Return to privileged EXEC mode.
    Step 4 show running-config, show logging: Verify your entries.
    Step 5 copy running-config startup-config: (Optional) Save your entries in the configuration file.
  • Page 677: Setting The Message Display Destination Device

    To build a list of syslog servers that receive logging messages, enter this command more than once. For complete syslog server configuration steps, see the “Configuring UNIX Syslog Servers” section on page 29-12.
  • Page 678: Synchronizing Log Messages

    Therefore, unsolicited messages and debug command output are not interspersed with solicited device output and prompts. After the unsolicited messages appear, the console again displays the user prompt.
  • Page 679 (Optional) Save your entries in the configuration file. To disable synchronization of unsolicited messages and debug output, use the no logging synchronous [level severity-level | all] [limit number-of-buffers] line configuration command.
  • Page 680: Enabling And Disabling Time Stamps On Log Messages

    This procedure is optional.
    Command  Purpose
    Step 1 configure terminal: Enter global configuration mode.
    Step 2 service sequence-numbers: Enable sequence numbers.
    Step 3 Return to privileged EXEC mode.
  • Page 681: Defining The Message Severity Level

    To disable logging to syslog servers, use the no logging trap global configuration command.
  • Page 682: Limiting Syslog Messages Sent To The History Table And To Snmp

    By default, one message of the level warning and numerically lower levels (see Table 29-3 on page 29-10) are stored in the history table even if syslog traps are not enabled.
  • Page 683 [end-number] | statistics} [provisioning] privileged EXEC command to display the complete configuration log or the log for specified parameters. The default is that configuration logging is disabled. For information about the commands, see the Cisco IOS Configuration Fundamentals and Network Management Command Reference, Release 12.3 T: http://www.cisco.com/en/US/docs/ios/12_3/configfun/command/reference/cfr_1g04.html
  • Page 684: Configuring Unix Syslog Servers

    | exit Configuring UNIX Syslog Servers The next sections describe how to configure the UNIX server syslog daemon and how to define the UNIX system logging facility.
  • Page 685: Configuring The Unix System Logging Facility

    Limit messages logged to the syslog servers. By default, syslog servers receive informational messages and lower. See Table 29-3 on page 29-10 for level keywords.
  • Page 686: Displaying The Logging Configuration

    Displaying the Logging Configuration To display the logging configuration and the contents of the log buffer, use the show logging privileged EXEC command. For information about the fields in this display, see the Cisco IOS Configuration Fundamentals Command Reference, Release 12.4 on Cisco.com.
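The following is an added example, written for this edit and not code from the guide or from Cisco. It parses messages in the format this chapter describes (an optional sequence number and timestamp before the percent sign, then %facility-severity-MNEMONIC: description) and applies the logging trap rule that a syslog server receives messages at the configured level and numerically lower. The sample lines are constructed: two are adapted from the example output above, and the CONFIG_I and LOGIN_FAILED lines and the handling of the (Switch-N) stack-member suffix are this example's assumptions about message layout, not taken from this page.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Severity keywords and numeric levels from Table 29-3; a lower number is more severe.
SEVERITY = {
    "emergencies": 0, "alerts": 1, "critical": 2, "errors": 3,
    "warnings": 4, "notifications": 5, "informational": 6, "debugging": 7,
}

# The part after the percent sign has a fixed shape: %FACILITY-SEVERITY-MNEMONIC: description
_BODY = re.compile(r"%(?P<facility>[A-Z0-9_]+)-(?P<sev>[0-7])-(?P<mnemonic>[A-Z0-9_]+):\s*(?P<text>.*)$")
# Messages from a stack member carry the member number in parentheses, as in the guide's example.
_MEMBER = re.compile(r"\s*\((Switch-\d+)\)\s*$")


@dataclass
class SyslogMessage:
    seq: Optional[int]        # present only with service sequence-numbers
    timestamp: Optional[str]  # present only with service timestamps log ...
    facility: str
    severity: int
    mnemonic: str
    text: str
    member: Optional[str]     # stack member that generated the message, if shown


def parse_message(line: str) -> Optional[SyslogMessage]:
    """Parse one IOS system message; return None for lines that are not messages."""
    pct = line.find("%")
    if pct < 0:
        return None
    body = _BODY.match(line[pct:])
    if body is None:
        return None
    # Before the percent sign come "seq no:" and/or "timestamp:", each optional. A sequence
    # number is all digits; a timestamp (uptime or date) always contains a colon, so the two
    # are told apart without knowing which service commands are configured.
    prefix = [t.strip() for t in line[:pct].split(": ") if t.strip()]
    seq = int(prefix.pop(0)) if prefix and prefix[0].isdigit() else None
    timestamp = prefix[0] if prefix else None
    text = body.group("text").strip()
    member = None
    m = _MEMBER.search(text)
    if m:
        member, text = m.group(1), text[:m.start()].rstrip()
    return SyslogMessage(seq, timestamp, body.group("facility"), int(body.group("sev")),
                         body.group("mnemonic"), text, member)


def sent_to_syslog_server(msg: SyslogMessage, trap_level: str = "informational") -> bool:
    """logging trap <level>: servers receive messages at that level and numerically lower."""
    return msg.severity <= SEVERITY[trap_level]


def filter_for_server(lines: List[str], trap_level: str) -> List[SyslogMessage]:
    """Return the parsed messages a syslog server would receive at the given logging trap level."""
    parsed = (parse_message(line) for line in lines)
    return [m for m in parsed if m is not None and sent_to_syslog_server(m, trap_level)]


# Constructed sample input: two lines adapted from the guide's example output, one line with a
# sequence number and date timestamp, one with a sequence number only, and one non-message line.
SAMPLE_LINES = [
    "00:00:47: %LINK-3-UPDOWN: Interface GigabitEthernet2/0/2, changed state to up (Switch-2)",
    "00:00:48: %LINEPROTO-5-UPDOWN: Line protocol on Interface Vlan1, changed state to down (Switch-2)",
    "000019: Mar  1 00:01:02.113: %SYS-5-CONFIG_I: Configured from console by admin on vty0 (10.1.1.5)",
    "000020: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: root] [Source: 10.1.1.9] [localport: 22]",
    "Switch# show logging",
]

if __name__ == "__main__":
    # With logging trap warnings only levels 0-4 leave the switch; the two level-5 messages stay local.
    for m in filter_for_server(SAMPLE_LINES, "warnings"):
        print(f"{m.severity} {m.facility}-{m.mnemonic} {m.text} member={m.member}")
```

Raising the trap level to informational (the default) forwards the CONFIG_I and link-state messages as well; a collector that only receives warnings and lower never sees who changed the configuration, which is usually the event an investigation needs.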
  • Page 687 Configuring SNMP This chapter describes how to configure the Simple Network Management Protocol (SNMP) on the Catalyst 2960, 2960-S, or 2960-C switch. Unless otherwise noted, the term switch refers to a standalone switch and a switch stack. Stacking is supported only on Catalyst 2960-S switches running the LAN base image.
  • Page 688: Snmp Versions

    Both SNMPv1 and SNMPv2C use a community-based form of security. The community of managers able to access the agent’s MIB is defined by an IP address access control list and password. The community string is carried in cleartext in every SNMPv1 and SNMPv2C packet, so anyone who can capture management traffic can read it; restrict these versions with an access list, or use SNMPv3 with authentication and privacy instead.
  • Page 689: Snmp Manager Functions

    The SNMP manager uses information in the MIB to perform the operations described in Table 30-2.
    Table 30-2 SNMP Operations
    Operation         Description
    get-request       Retrieves a value from a specific variable.
    get-next-request  Retrieves a value from a variable within a table.
  • Page 690: Snmp Agent Functions

    For more information, see Chapter 6, “Clustering Switches” and see Getting Started with Cisco Network Assistant, available on Cisco.com.
  • Page 691: Using Snmp To Access Mib Variables

    SNMP manager receive every notification, use inform requests. If traffic on the network or memory in the switch is a concern and notification is not required, use traps.
  • Page 692: Snmp Ifindex Mib Object Values

    • Setting the CPU Threshold Notification Types and Values, page 30-16
    • Setting the Agent Contact and Location Information, page 30-17
    • Limiting TFTP Servers Used Through SNMP, page 30-17
    • SNMP Examples, page 30-18
  • Page 693: Default Snmp Configuration

    Modifying the group's notify view affects all users associated with that group. See the Cisco IOS Network Management Command Reference for information about when you should configure notify views.
  • Page 694: Disabling The Snmp Agent

    The no snmp-server global configuration command disables all running versions (Version 1, Version 2C, and Version 3) on the device. No specific Cisco IOS command exists to enable SNMP. The first snmp-server global configuration command that you enter enables all versions of SNMP.
  • Page 695 Note: To disable access for an SNMP community, set the community string for that community to the null string (do not enter a value for the community string). To remove a specific community string, use the no snmp-server community string global configuration command.
  • Page 696: Configuring Snmp Groups And Users

    • If you select remote, specify the ip-address of the device that contains the remote copy of SNMP and the optional User Datagram Protocol (UDP) port on the remote device. The default is 162.
  • Page 697 64 characters) that is the name of the view in which you specify a notify, inform, or trap.
    • (Optional) Enter access access-list with a string (not to exceed 64 characters) that is the name of the access list.
  • Page 698 Note: To display SNMPv3 information about auth | noauth | priv mode configuration, you must enter the show snmp user privileged EXEC command.
    Step 7 copy running-config startup-config: (Optional) Save your entries in the configuration file.
  • Page 699: Configuring Snmp Notifications

    A trap manager is a management station that receives and processes traps. Traps are system alerts that the switch generates when certain events occur. By default, no trap manager is defined, and no traps are sent. Switches running this Cisco IOS release can have an unlimited number of trap managers. Note: Many commands use the word traps in the command syntax.
  • Page 700 [access access-list] | v3 [encrypted] [access access-list] [auth {md5 | sha} auth-password]}
    ...configuring the engine ID for the remote host. Otherwise, you receive an error message, and the command is not executed.
  • Page 701 (Optional) Define how often to resend trap messages. The range is 1 to 1000; the default is 30 seconds. Step 10 Return to privileged EXEC mode.
  • Page 702: Setting The Cpu Threshold Notification Types And Values

    Step 3 Return to privileged EXEC mode.
    Step 4 show running-config: Verify your entries.
    Step 5 copy running-config startup-config: (Optional) Save your entries in the configuration file.
  • Page 703: Setting The Agent Contact And Location Information

    Place ones in the bit positions that you want to ignore. Recall that the access list is always terminated by an implicit deny statement for everything.
  • Page 704: Snmp Examples

    Switch(config)# snmp-server enable traps entity
    Switch(config)# snmp-server host cisco.com restricted entity
    This example shows how to enable the switch to send all traps to the host myhost.cisco.com using the community string public:
    Switch(config)# snmp-server enable traps
    Switch(config)# snmp-server host myhost.cisco.com public...
  • Page 705: Displaying Snmp Status

    EXEC command. You also can use the other privileged EXEC commands in Table 30-6 to display SNMP information. For information about the fields in the displays, see the Cisco IOS Configuration Fundamentals Command Reference. Table 30-6 Commands for Displaying SNMP Information Feature...
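Added example, written for this edit and not code from the guide or from Cisco: a small audit of the SNMP lines in a configuration against the points made in this chapter. SNMPv1/v2c community strings travel in cleartext, read-write communities and well-known strings are the first thing an attacker tries, an access-list name that is never defined permits every source, and SNMPv3 users configured without auth or priv (or with MD5 or DES) give away most of what version 3 adds. The sample configuration is constructed. Note that snmp-server user lines are not shown in show running-config (the guide says to use show snmp user), so the input here is the configuration as typed. The finding codes and the regular expressions are this example's own, not IOS identifiers.

```python
import re
from typing import List, Set, Tuple

Finding = Tuple[str, str]  # (finding code, offending configuration line)

WELL_KNOWN = {"public", "private"}

_COMMUNITY = re.compile(r"^snmp-server community\s+(\S+)(?:\s+view\s+\S+)?(?:\s+(ro|rw))?(?:\s+(\S+))?\s*$", re.I)
_GROUP = re.compile(r"^snmp-server group\s+(\S+)\s+v3\s+(auth|noauth|priv)\b(.*)$")
_USER = re.compile(r"^snmp-server user\s+(\S+)\s+(\S+)\s+v3\b(.*)$")
_HOST = re.compile(r"^snmp-server host\s+(\S+)(?:\s+(?:informs|traps))?"
                   r"(?:\s+version\s+(1|2c|3)(?:\s+(auth|noauth|priv))?)?\s+(\S+)")


def defined_acls(lines: List[str]) -> Set[str]:
    """Numbered and named access lists that actually exist in the configuration."""
    acls: Set[str] = set()
    for line in lines:
        m = re.match(r"^access-list\s+(\d+)\s", line) or re.match(r"^ip access-list\s+(?:standard|extended)\s+(\S+)", line)
        if m:
            acls.add(m.group(1))
    return acls


def audit_snmp(config_text: str) -> List[Finding]:
    lines = [ln.strip() for ln in config_text.splitlines() if ln.strip()]
    acls = defined_acls(lines)
    findings: List[Finding] = []

    def acl_check(acl, line):
        if acl is None:
            findings.append(("no-acl", line))          # any source address may use this credential
        elif acl not in acls:
            findings.append(("undefined-acl", line))   # undefined ACL: the switch permits all sources

    for line in lines:
        m = _COMMUNITY.match(line)
        if m:
            community, mode, acl = m.group(1), (m.group(2) or "ro").lower(), m.group(3)
            findings.append(("cleartext-community", line))   # v1/v2c: the string is visible on the wire
            if community.lower() in WELL_KNOWN:
                findings.append(("well-known-community", line))
            if mode == "rw":
                findings.append(("rw-community", line))      # write access to the MIB
            acl_check(acl, line)
            continue
        m = _GROUP.match(line)
        if m:
            if m.group(2) == "noauth":
                findings.append(("v3-noauth-group", line))
            a = re.search(r"\baccess\s+(\S+)", m.group(3))
            acl_check(a.group(1) if a else None, line)
            continue
        m = _USER.match(line)
        if m:
            rest = m.group(3)
            auth = re.search(r"\bauth\s+(md5|sha)\b", rest)
            if auth is None:
                findings.append(("v3-noauth-user", line))
            elif auth.group(1) == "md5":
                findings.append(("v3-md5", line))
            priv = re.search(r"\bpriv\s+(des|3des|aes)\b", rest)
            if priv is None:
                findings.append(("v3-no-priv", line))        # authenticated but unencrypted
            elif priv.group(1) == "des":
                findings.append(("v3-des", line))
            continue
        m = _HOST.match(line)
        if m:
            version, security = m.group(2) or "1", m.group(3)   # version defaults to 1
            if version != "3":
                findings.append(("cleartext-trap-community", line))
            elif security == "noauth":
                findings.append(("v3-noauth-host", line))
    return findings


# Constructed sample configuration (not from the guide) mixing weak and hardened settings.
SAMPLE_CONFIG = """
access-list 10 permit 10.1.1.50
ip access-list standard SNMP-MGMT
 permit 10.1.1.0 0.0.0.255
snmp-server community public RO
snmp-server community s3cr3t RW 10
snmp-server community ops-ro RO NMS-ACL
snmp-server group NMS-GRP v3 priv read ops-view access SNMP-MGMT
snmp-server user nms NMS-GRP v3 auth sha Auth-Pass-1 priv aes 128 Priv-Pass-1
snmp-server user legacy NMS-GRP v3 auth md5 Auth-Pass-2
snmp-server host 10.1.1.50 version 2c public
snmp-server host 10.1.1.51 version 3 priv nms
"""

if __name__ == "__main__":
    for code, line in audit_snmp(SAMPLE_CONFIG):
        print(f"{code:26} {line}")
```

Only the SNMPv3 group, the sha/aes user and the version 3 priv trap host come out clean; the ops-ro community looks restricted but its access list NMS-ACL is never defined, which is exactly the undefined-ACL case the ACL chapter warns about.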
  • Page 707: Understanding Cisco Ios Ip Slas

    Cisco IOS IP SLAs generates and analyzes traffic either between Cisco IOS devices or from a Cisco IOS device to a remote IP device such as a network application server. Measurements provided by the various Cisco IOS IP SLAs operations can be used for troubleshooting, for problem analysis, and for designing network topologies.
  • Page 708 Depending on the specific Cisco IOS IP SLAs operation, various network performance statistics are monitored within the Cisco device and stored in both command-line interface (CLI) and Simple Network Management Protocol (SNMP) MIBs. IP SLAs packets have configurable IP and application layer...
  • Page 709: Using Cisco Ios Ip Slas To Measure Network Performance

    Schedule the operation to run, then let the operation run for a period of time to gather statistics. Display and interpret the results of the operation using the Cisco IOS CLI or a network management system (NMS) system with SNMP.
  • Page 710: Ip Slas Responder And Ip Slas Control Protocol

    Note: The IP SLAs responder can be a Cisco IOS Layer 2, responder-configurable switch, such as a Catalyst 2960 or IE 3000 switch running the LAN base image, or a Catalyst 3560 or 3750 switch running the IP base image. The responder does not need to support full IP SLAs functionality.
  • Page 711: Configuring Ip Slas Operations

    This section does not include configuration information for all available operations as the configuration information details are included in the Cisco IOS IP SLAs Configuration Guide. It includes only the procedure for configuring the responder, as the switch includes only responder support.
  • Page 712: Configuring The Ip Slas Responder

    The IP SLAs responder is available only on Cisco IOS software-based devices, including some Layer 2 switches that do not support full IP SLAs functionality, such as the Catalyst 2960 or the Cisco ME 2400 or IE 3000 switch running the LAN base image. Beginning in privileged EXEC mode, follow these steps...
  • Page 713: Understanding Acls

    C H A P T E R Configuring Network Security with ACLs This chapter describes how to configure network security on the Catalyst 2960, 2960-S, or 2960-C switch by using access control lists (ACLs), also referred to as access lists. Unless otherwise noted, the term switch refers to a standalone switch and a switch stack.
  • Page 714: Supported Acls

    ACL is applied are filtered by the port ACL. Outgoing routed IP packets are filtered by the router ACL. Other packets are not filtered.
  • Page 715 You can filter both IP and non-IP traffic on the same Layer 2 interface by applying both an IP access list and a MAC access list to the interface.
  • Page 716: Handling Fragmented And Unfragmented Traffic

    Switch(config)# access-list 102 permit tcp any host 10.1.1.1 eq smtp
    Switch(config)# access-list 102 deny tcp any host 10.1.1.2 eq telnet
    Switch(config)# access-list 102 permit tcp any host 10.1.1.2
    Switch(config)# access-list 102 deny tcp any any
  • Page 717: Acls And Switch Stacks

    ACEs were checking different hosts. ACLs and Switch Stacks Note: Stacking is supported only on Catalyst 2960-S switches running the LAN base image. ACL support is the same for a switch stack as for a standalone switch. ACL configuration information is propagated to all switches in the stack.
  • Page 718: Configuring Ipv4 Acls

    VLAN interfaces to filter traffic to the CPU. Configuring IPv4 ACLs on the switch is the same as configuring IPv4 ACLs on other Cisco switches and routers. The process is briefly described here. For more detailed information on configuring ACLs, see the “Configuring IP Services”...
  • Page 719: Creating Standard And Extended Ipv4 Acls

    800–899     IPX standard access list
    900–999     IPX extended access list
    1000–1099   IPX SAP access list
    1100–1199   Extended 48-bit MAC address access list
    1200–1299   IPX summary address access list
  • Page 720: Creating A Numbered Standard Acl

    (Optional) Save your entries in the configuration file. Use the no access-list access-list-number global configuration command to delete the entire ACL. You cannot delete individual ACEs from numbered access lists.
  • Page 721 Control Protocol (tcp), or User Datagram Protocol (udp). For more details on the specific keywords for each protocol, see these command references:
    • Cisco IOS IP Command Reference, Volume 1 of 3: Addressing and Services, Release 12.4
    • Cisco IOS IP Command Reference, Volume 2 of 3: Routing Protocols, Release 12.4
    • ...
  • Page 722 [fragments] [time-range time-range-name] [dscp dscp]
    You can use the any keyword in place of source and destination address and wildcard (0.0.0.0 255.255.255.255).
  • Page 723 TCP port. To see TCP port names, use the ? or see the “Configuring IP Services” section in the “IP Addressing and Services” chapter of the Cisco IOS IP Configuration Guide, Release 12.4. Use only TCP port numbers or names when filtering TCP.
  • Page 724 ICMP message type and code name. To see a list of ICMP message type names and code names, use the ?, or see the “Configuring IP Services” section of the Cisco IOS IP Configuration Guide, Release 12.4. Step access-list access-list-number (Optional) Define an extended IGMP access list and the access conditions.
  • Page 725 Define a standard IPv4 access list using a name, and enter access-list configuration mode. The name can be a number from 1 to 99.
  • Page 726 ACL. This example shows how you can delete individual ACEs from the named access list border-list:
    Switch(config)# ip access-list extended border-list
  • Page 727 Network Time Protocol (NTP) to synchronize the switch clock. For more information, see the “Managing the System Time and Date” section on page 5-2.
  • Page 728
    Switch(config)# access-list 188 permit tcp any any time-range workhours
    Switch(config)# end
    Switch# show access-lists
    Extended IP access list 188
        10 deny tcp any any time-range new_year_day_2006 (inactive)
        20 permit tcp any any time-range workhours (inactive)
  • Page 729: Including Comments In Acls

    In this example, the Jones subnet is not allowed to use outbound Telnet:
    Switch(config)# ip access-list extended telnetting
    Switch(config-ext-nacl)# remark Do not allow Jones subnet to telnet out
    Switch(config-ext-nacl)# deny tcp host 171.69.2.88 any eq telnet
  • Page 730: Applying An Ipv4 Acl To A Terminal Line

    • If you apply an ACL to a port that is a member of a VLAN, the port ACL takes precedence over an ACL applied to the VLAN interface.
  • Page 731 For outbound ACLs, after receiving and sending a packet to a controlled interface, the switch checks the packet against the ACL. If the ACL permits the packet, the switch sends the packet. If the ACL rejects the packet, the switch discards the packet.
  • Page 732: Hardware And Software Treatment Of Ip Acls

    The flag-related operators are not available. To avoid this issue, move the fourth ACE before the first ACE by using the ip access-list resequence global configuration command: permit tcp source source-wildcard destination destination-wildcard
  • Page 733: Ipv4 Acl Configuration Examples

    This section provides examples of configuring and applying IPv4 ACLs. For detailed information about compiling ACLs, see the Cisco IOS Security Configuration Guide, Release 12.4 and the “Configuring IP Services” section in the “IP Addressing and Services” chapter of the Cisco IOS IP Configuration Guide, Release 12.4.
  • Page 734: Named Acls

    Switch(config)# access-list 1 remark Permit only Jones workstation through
    Switch(config)# access-list 1 permit 171.69.2.88
    Switch(config)# access-list 1 remark Do not allow Smith workstation through
    Switch(config)# access-list 1 deny 171.69.3.13
  • Page 735: Creating Named Mac Extended Acls

    Beginning in privileged EXEC mode, follow these steps to create a named MAC extended ACL:
    Command  Purpose
    Step 1 configure terminal: Enter global configuration mode.
    Step 2 mac access-list extended name: Define an extended MAC access list using a name.
  • Page 736: Applying A Mac Acl To A Layer 2 Interface

    • A Layer 2 interface can have only one MAC access list. If you apply a MAC access list to a Layer 2 interface that has a MAC ACL configured, the new ACL replaces the previously configured one.
  • Page 737 ACL to an interface, the switch acts as if the ACL has not been applied and permits all packets. Remember this behavior if you use undefined ACLs for network security: define the ACL, and confirm it exists with the show access-lists privileged EXEC command, before you apply it to an interface.
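The following is an added example, written for this edit and not code from the guide or from Cisco. It models the IPv4 ACL matching rules stated in this chapter: wildcard masks in which a 1 bit is ignored (the same rule the SNMP chapter gives for its access lists), the any and host keywords, the implicit deny at the end of every list, the fragment rules from the “Handling Fragmented and Unfragmented Traffic” section (a Layer 3-only ACE matches every fragment; a permit ACE with Layer 4 information matches non-initial fragments; a deny ACE with Layer 4 information is skipped for them), and the behavior above, where an undefined ACL filters nothing. ACL 102 is the guide's own fragment example; ACL 103 is constructed to show the fragments keyword closing the hole that ACL 102 leaves for non-initial fragments sent to the Telnet host. The parser handles only numbered extended ACLs with the keywords shown, and the port-name table is this example's own.

```python
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

PORT_NAMES = {"smtp": 25, "telnet": 23, "www": 80, "ssh": 22, "domain": 53}


@dataclass
class Ace:
    action: str                     # "permit" or "deny"
    protocol: str                   # "ip" matches every IP protocol; otherwise "tcp", "udp", "icmp", ...
    src: str
    src_wild: str                   # wildcard mask: a 1 bit means "ignore this bit"
    dst: str
    dst_wild: str
    dst_port: Optional[int] = None  # Layer 4 information (eq port), if any
    fragments_only: bool = False    # the fragments keyword: match non-initial fragments only


@dataclass
class Packet:
    protocol: str
    src: str
    dst: str
    dst_port: Optional[int]   # None when no Layer 4 header is present
    fragment: bool = False    # True for a non-initial fragment


def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """Cisco wildcard semantics: compare only the bits that are 0 in the wildcard mask."""
    a, b, w = (int(ipaddress.IPv4Address(x)) for x in (addr, base, wildcard))
    care = ~w & 0xFFFFFFFF
    return a & care == b & care


def _addr(tokens: List[str]) -> Tuple[str, str, List[str]]:
    """Consume 'any', 'host A.B.C.D', or 'A.B.C.D W.W.W.W' from the token list."""
    if tokens[0] == "any":
        return "0.0.0.0", "255.255.255.255", tokens[1:]
    if tokens[0] == "host":
        return tokens[1], "0.0.0.0", tokens[2:]
    return tokens[0], tokens[1], tokens[2:]


def parse_acls(config_text: str) -> Dict[str, List[Ace]]:
    """Parse numbered extended ACL lines: access-list N {permit|deny} proto src dst [eq port] [fragments]."""
    acls: Dict[str, List[Ace]] = {}
    for line in config_text.splitlines():
        t = line.split()
        if len(t) < 4 or t[0] != "access-list" or t[2] == "remark":
            continue
        src, src_w, rest = _addr(t[4:])
        dst, dst_w, rest = _addr(rest)
        port, frag = None, False
        while rest:
            if rest[0] == "eq":
                port = PORT_NAMES.get(rest[1]) or int(rest[1])
                rest = rest[2:]
            elif rest[0] == "fragments":
                frag, rest = True, rest[1:]
            else:
                rest = rest[1:]   # keywords not modelled here (log, time-range, dscp)
        acls.setdefault(t[1], []).append(Ace(t[2], t[3], src, src_w, dst, dst_w, port, frag))
    return acls


def evaluate(acl: Optional[List[Ace]], pkt: Packet) -> str:
    """Return 'permit' or 'deny' for pkt under acl (None means the ACL name was never defined)."""
    if acl is None:
        return "permit"   # undefined ACL applied to an interface: the switch filters nothing
    for ace in acl:
        if ace.protocol != "ip" and ace.protocol != pkt.protocol:
            continue
        if not (wildcard_match(pkt.src, ace.src, ace.src_wild) and wildcard_match(pkt.dst, ace.dst, ace.dst_wild)):
            continue
        if ace.fragments_only and not pkt.fragment:
            continue
        if ace.dst_port is None:
            return ace.action            # Layer 3 only: matches initial and non-initial fragments alike
        if pkt.fragment:
            # Non-initial fragment against a Layer 4 ACE: there is no port to compare, so a permit
            # ACE matches (the fragment goes through) and a deny ACE is skipped.
            if ace.action == "permit":
                return "permit"
            continue
        if pkt.dst_port == ace.dst_port:
            return ace.action
    return "deny"   # implicit deny at the end of every ACL


# ACL 102 is the guide's fragment example; ACL 103 (constructed) closes the hole with 'fragments'.
SAMPLE_ACLS = """
access-list 102 permit tcp any host 10.1.1.1 eq smtp
access-list 102 deny tcp any host 10.1.1.2 eq telnet
access-list 102 permit tcp any host 10.1.1.2
access-list 102 deny tcp any any
access-list 103 deny ip any host 10.1.1.2 fragments
access-list 103 permit tcp any host 10.1.1.2 eq telnet
"""

if __name__ == "__main__":
    acls = parse_acls(SAMPLE_ACLS)
    telnet_frag = Packet("tcp", "192.0.2.9", "10.1.1.2", None, fragment=True)
    print("ACL 102, telnet non-initial fragment:", evaluate(acls["102"], telnet_frag))   # permit
    print("ACL 103, telnet non-initial fragment:", evaluate(acls["103"], telnet_frag))   # deny
    print("ACL 150 (undefined):", evaluate(acls.get("150"), telnet_frag))                # permit
```

Under ACL 102 the initial fragment of a Telnet connection to 10.1.1.2 is denied by the second ACE, but every later fragment of that same packet slips past it and is permitted by the third ACE; placing a deny with the fragments keyword ahead of the Layer 4 ACEs, as ACL 103 does, is the usual fix.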
  • Page 738: Displaying Ipv4 Acl Configuration

    [interface interface-id] Displays MAC access lists applied to all Layer 2 interfaces or the specified Layer 2 interface.
  • Page 739: Configuring Qos

    This chapter describes how to configure quality of service (QoS) by using automatic QoS (auto-QoS) commands or by using standard QoS commands on the Catalyst 2960, 2960-S or 2960-C switch. With QoS, you can provide preferential treatment to certain types of traffic at the expense of others. Without QoS, the switch offers best-effort service to each packet, regardless of the packet contents or size.
  • Page 740: Understanding Qos

    IP precedence values range from 0 to 7. DSCP values range from 0 to 63. Note: For IPv6 QoS support on a Catalyst 2960-S switch, you must reload the switch with the sdm prefer lanbase-routing and mls qos global configuration commands. The Catalyst 2960 switch supports only QoS trust and not all the other IPv6 QoS functions.
  • Page 741: Basic Qos Model

    (police and mark), and provide different treatment (queue and schedule) in all situations where resource contention exists. The switch also needs to ensure that traffic sent from it meets a specific traffic profile (shape).
  • Page 742 Scheduling services the four egress queues based on their configured SRR shared or shaped weights. One of the queues (queue 1) can be the expedited queue, which is serviced until empty before the other queues are serviced.
  • Page 743 0 as the DSCP and CoS values, which means best-effort traffic. Otherwise, the policy-map action specifies a DSCP or CoS value to assign to the incoming frame.
  • Page 744 States” section on page 33-42. After classification, the packet is sent to the policing, marking, and the ingress queueing and scheduling stages. Note: Catalyst 2960-S switches do not support ingress queueing.
  • Page 745 [Classification flowchart, end states] Generate the DSCP by using the CoS-to-DSCP map; assign the DSCP or CoS as specified by the ACL action to generate the QoS label; or assign the default DSCP (0). Done.
  • Page 746 Before a policy map can be effective, you must attach it to a port.
  • Page 747: Policing And Marking

    Policing, and Marking Traffic on Physical Ports by Using Policy Maps” section on page 33-57 and the “Classifying, Policing, and Marking Traffic by Using Aggregate Policers” section on page 33-62.
  • Page 748 You configure how fast (the average rate) that the tokens are removed from the bucket by using the rate-bps option of the police policy-map class configuration command or the mls qos aggregate-policer global configuration command.
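As an added example (written for this edit, not code from the guide or from Cisco), the token-bucket model behind the paragraph above: rate-bps sets how fast tokens are replenished, burst-byte sets the bucket depth, and a frame that finds too few tokens is out of profile and is either dropped or forwarded with its DSCP rewritten through the policed-DSCP map (exceed-action policed-dscp-transmit). This is an idealised software model, not the switch's hardware policer; the bucket starting full, seconds as the time unit, and the sample frames and map are assumptions.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

Result = Tuple[str, Optional[int]]   # (decision, DSCP the frame leaves with; None if dropped)


@dataclass
class Policer:
    """Single-rate policer: police rate-bps burst-byte [exceed-action drop | policed-dscp-transmit]."""
    rate_bps: int                    # average rate: tokens (bytes) refill at rate_bps/8 per second
    burst_bytes: int                 # bucket depth: the largest burst accepted at once
    exceed_action: str = "drop"      # "drop" or "policed-dscp-transmit"
    tokens: float = field(init=False)
    last_time: float = field(init=False, default=0.0)

    def __post_init__(self) -> None:
        self.tokens = float(self.burst_bytes)   # assumption: the bucket starts full

    def police(self, now: float, length: int, dscp: int, policed_dscp_map: Dict[int, int]) -> Result:
        """Account for one frame of `length` bytes arriving at time `now` (seconds)."""
        if now < self.last_time:
            raise ValueError("frames must be presented in time order")
        elapsed = now - self.last_time
        self.tokens = min(float(self.burst_bytes), self.tokens + elapsed * self.rate_bps / 8)
        self.last_time = now
        if length <= self.tokens:
            self.tokens -= length          # in profile: forward unchanged
            return "conform", dscp
        if self.exceed_action == "drop":   # out of profile
            return "drop", None
        # policed-dscp-transmit: forward, but rewrite the DSCP through the policed-DSCP map
        # (mls qos map policed-dscp); DSCP values not in the map keep their value.
        return "markdown", policed_dscp_map.get(dscp, dscp)


def run_policer(policer: Policer, frames: List[Tuple[float, int, int]],
                policed_dscp_map: Dict[int, int]) -> List[Result]:
    """Apply the policer to (time, length, dscp) frames and return one decision per frame."""
    return [policer.police(t, n, d, policed_dscp_map) for t, n, d in frames]


# Constructed sample: 8000 bps (1000 bytes/s) with a 1500-byte bucket; all frames carry DSCP 46 (EF).
SAMPLE_FRAMES = [(0.0, 1000, 46), (0.0, 1000, 46), (1.0, 1000, 46), (1.2, 500, 46), (1.2, 500, 46)]
POLICED_DSCP_MAP = {46: 0}   # out-of-profile EF is marked down to best effort

if __name__ == "__main__":
    markdown = Policer(8000, 1500, "policed-dscp-transmit")
    for frame, result in zip(SAMPLE_FRAMES, run_policer(markdown, SAMPLE_FRAMES, POLICED_DSCP_MAP)):
        print(frame, "->", result)
```

The second 1000-byte frame at t=0 exceeds the 500 tokens left after the first one and is marked down; a full second later the bucket has refilled to its 1500-byte depth, so the next frame conforms, which is the burst tolerance that burst-byte controls.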
  • Page 749: Mapping Tables

    QoS domains, you can apply the configurable DSCP-to-DSCP-mutation map to the port that is on the boundary between the two QoS domains. You configure this map by using the mls qos map dscp-mutation global configuration command.
  • Page 750: Queueing And Scheduling Overview

    The switch has queues at specific points to help prevent congestion as shown in Figure 33-5. Figure 33-5 Ingress and Egress Queue Location (figure: Traffic, Classify, Policer, Marker, Ingress queues, Stack ring, Egress queues)
  • Page 751: Weighted Tail Drop

    “Allocating Buffer Space to and Setting WTD Thresholds for an Egress Queue-Set” section on page 33-76, and the “Mapping DSCP or CoS Values to an Egress Queue and to a Threshold ID” section on page 33-78.
  • Page 752 “Allocating Bandwidth Between the Ingress Que­ues” section on page 33-74, the “Configuring SRR Shaped Weights on Egress Queues” section on page 33-80, and the “Configuring SRR Shared Weights on Egress Queues” section on page 33-81.
  • Page 753 SRR weights. Send packet to the internal ring. Note: SRR services the priority queue for its configured share before servicing the other queue.
  • Page 754 The ratio of the weights is the ratio of the frequency in which the SRR scheduler sends packets from each queue.
  • Page 755 Note: If the expedite queue is enabled, SRR services it until it is empty before servicing the other three queues.
  • Page 756 (under-limit), whether it has consumed all of its maximum buffers (over limit), and whether the common pool is empty (no free...
  • Page 757 ID 1 and ID 2. The drop threshold for threshold ID 3 is preset to the queue-full state, and you cannot modify it. You map a port to queue-set by using the queue-set qset-id interface configuration command.
  • Page 758: Packet Modification

    The input mutation causes the DSCP to be rewritten depending on the new value of DSCP chosen. The set action in a policy map also causes the DSCP to be rewritten.
  • Page 759 When you enable auto-QoS, it automatically classifies traffic based on the traffic type and ingress packet label. The switch uses the classification results to choose the appropriate egress queue. You use auto-QoS commands to identify ports connected to these Cisco devices:
    • Cisco IP Phones...
  • Page 760: Voip Device Specifics

    DSCP value of 24, 26, or 46 or is out of profile, the switch changes the DSCP value to 0. When there is no Cisco IP Phone, the ingress classification is set to not trust the QoS label in the packet. The policing is applied to the traffic matching the policy-map classification before the switch enables the trust boundary feature.
  • Page 761 Ensure Port Security” section on page 39-42. When you enable auto-QoS by using the auto qos voip cisco-phone, the auto qos voip cisco-softphone, or the auto qos voip trust interface configuration command, the switch automatically generates a QoS configuration based on the traffic type and ingress packet label and applies the commands listed in Table 33-5 to the port.
  • Page 762 Auto-QoS configuration migration from legacy auto-QoS to enhanced auto-QoS occurs when: • A switch is booted with the Cisco IOS Release 12.2(55)SE image and QoS is not enabled. Any video or voice trust configuration on the interface automatically generates enhanced auto-QoS commands.
  • Page 763 3 threshold 3 0 Switch(config)# mls qos srr-queue output cos-map queue 4 threshold 3 0 Switch(config)# mls qos srr-queue output cos-map queue 4 threshold 3 1
  • Page 764 Switch(config)# mls qos srr-queue input dscp-map queue 2 threshold 3 46 Switch(config)# mls qos srr-queue input dscp-map queue 2 threshold 3 40 41 42 43 44 45 46 47
  • Page 765 4 threshold 2 10 10 11 12 13 14 15 12 14 Switch(config)# mls qos srr-queue output dscp-map queue 4 threshold 3 0 1 2 3 4 5 6 7
  • Page 766 1 buffers 15 25 40 20 Switch(config)# mls qos queue-set output 2 buffers 16 6 17 61 Switch(config-if)# priority-queue out Switch(config-if)# srr-queue bandwidth share 10 10 60 20
  • Page 767 3 24 25 26 27 28 29 30 31 Switch(config)# mls qos srr-queue input dscp-map queue 2 threshold 3 40 41 42 43 44 45 46 47
  • Page 768 Switch(config-if)# srr-queue bandwidth share 10 10 60 20 If you entered the auto qos voip cisco-phone command, the switch automatically enables the trusted boundary feature, which uses the CDP to detect the presence or absence of a Cisco IP Phone. Switch(config-if)# mls qos trust device cisco-phone
  • Page 769 AutoQoS-Police-SoftPhone to an ingress interface on which auto-QoS with the Cisco SoftPhone feature is enabled. Switch(config-if)# service-policy input AutoQoS-Police-SoftPhone If you entered the auto qos voip cisco-phone command, the switch automatically creates class maps and policy maps. Switch(config-if)# mls qos trust device cisco-phone If you entered the auto qos voip cisco-softphone command, the switch automatically creates class maps and policy maps.
  • Page 770 Switch(config-pmap)# class AUTOQOS_MULTIENHANCED_CONF_CLASS Switch(config-pmap-c)# set dscp af41 Switch(config-pmap-c)# police 5000000 8000 exceed-action drop Switch(config-pmap)# class AUTOQOS_BULK_DATA_CLASS Switch(config-pmap-c)# set dscp af11 Switch(config-pmap-c)# police 10000000 8000 exceed-action policed-dscp-transmit Switch(config-pmap)# class AUTOQOS_TRANSACTION_CLASS
  • Page 771 Switch(config-pmap-c)# set dscp default Switch(config-pmap-c)# police 10000000 8000 exceed-action policed-dscp-transmit Switch(config-if)# service-policy input AUTOQOS-SRND4-CLASSIFY-POLICE-POLICY This is the enhanced configuration for the auto qos voip cisco-phone command: Switch(config)# mls qos map policed-dscp 0 10 18 to 8 Switch(config)# mls qos map cos-dscp 0 8 16 24 32 46 48 56...
  • Page 772 Auto-QoS configures the switch for VoIP with Cisco IP Phones on nonrouted and routed ports. Auto-QoS also configures the switch for VoIP with devices running the Cisco SoftPhone application. • When a device running Cisco SoftPhone is connected to a nonrouted or routed port, the switch supports only one Cisco SoftPhone application per port.
  • Page 773 • By default, the CDP is enabled on all ports. For auto-QoS to function properly, do not disable the CDP. • When enabling auto-QoS with a Cisco IP Phone on a routed port, you must assign a static IP address to the IP phone.
  • Page 774: Troubleshooting Auto Qos Commands

    Enable auto-QoS. cisco-softphone | trust} The keywords have these meanings: • cisco-phone—If the port is connected to a Cisco IP Phone, the QoS labels of incoming packets are trusted only when the telephone is detected. • cisco-softphone—The port is connected to a device running the Cisco SoftPhone feature.
  • Page 775: Configuring Standard Qos

    • Standard QoS Configuration Guidelines, page 33-40 • Enabling QoS Globally, page 33-42 (required) • Configuring Classification Using Port Trust States, page 33-42 (required) • Configuring a QoS Policy, page 33-49 (required)
  • Page 776: Default Standard Qos Configuration

    Table 33-8 shows the default CoS input queue threshold map when QoS is enabled. Table 33-8 Default CoS Input Queue Threshold Map CoS Value Queue ID–Threshold ID 0–4 1–1
  • Page 777: Default Egress Queue Configuration

    CoS output queue threshold map when QoS is enabled. Table 33-11 Default CoS Output Queue Threshold Map CoS Value Queue ID–Threshold ID 0, 1 2–1 2, 3 3–1 4–1 1–1 6, 7 4–1
  • Page 778: Standard Qos Configuration Guidelines

    • It is not possible to match IP fragments against configured IP extended ACLs to enforce QoS. IP fragments are sent as best-effort. IP fragments are denoted by fields in the IP header.
  • Page 779: Policing Guidelines

    Note: Catalyst 2960-S switches do not support ingress queueing. • You are likely to lose data when you change queue settings; therefore, try to make changes when traffic is at a minimum.
  • Page 780: Enabling Qos Globally

    • Configuring the DSCP Trust State on a Port Bordering Another QoS Domain, page 33-47 • Configuring the Trust State on Ports within the QoS Domain Note: Catalyst 2960-S switches do not support ingress queueing.
  • Page 781 Step 1 configure terminal Enter global configuration mode. Step 2 interface interface-id Specify the port to be trusted, and enter interface configuration mode. Valid interfaces include physical ports.
  • Page 782 Step 1 configure terminal Enter global configuration mode. Step 2 interface interface-id Specify the port to be configured, and enter interface configuration mode. Valid interfaces include physical ports.
  • Page 783 CoS setting). By contrast, trusted boundary uses CDP to detect the presence of a Cisco IP Phone (such as the Cisco IP Phone 7910, 7935, 7940, and 7960) on a switch port. If the telephone is not detected, the...
  • Page 784 In some situations, you can prevent a PC connected to the Cisco IP Phone from taking advantage of a high-priority data queue. You can use the switchport priority extend cos interface configuration command to configure the telephone through the switch CLI to override the priority of the traffic received from the PC.
  • Page 785 QoS. If the two domains use different DSCP values, you can configure the DSCP-to-DSCP-mutation map to translate a set of DSCP values to match the definition in the other domain.
  • Page 786 For dscp-mutation-name, specify the mutation map name created in Step 2. You can configure multiple DSCP-to-DSCP-mutation maps on an ingress port. Step 6 Return to privileged EXEC mode.
  • Page 787: Configuring A Qos Policy

    • Classifying Traffic by Using Class Maps, page 33-53 • Classifying, Policing, and Marking Traffic on Physical Ports by Using Policy Maps, page 33-57 • Classifying, Policing, and Marking Traffic by Using Aggregate Policers, page 33-62
  • Page 788 Switch(config)# access-list 1 permit 192.5.255.0 0.0.0.255 Switch(config)# access-list 1 permit 128.88.0.0 0.0.255.255 Switch(config)# access-list 1 permit 36.0.0.0 0.0.0.255 ! (Note: all other access implicitly denied)
  • Page 789 This example shows how to create an ACL that permits IP traffic from a source host at 10.1.1.1 to a destination host at 10.1.1.2 with a precedence value of 5: Switch(config)# access-list 100 permit ip host 10.1.1.1 host 10.1.1.2 precedence 5
  • Page 790 Return to privileged EXEC mode. Step 5 show access-lists [access-list-number | access-list-name] Verify your entries. Step 6 copy running-config startup-config (Optional) Save your entries in the configuration file.
  • Page 791 {permit | deny} {host src-MAC-addr | src-MAC-addr mask | any | host dst-MAC-addr | dst-MAC-addr mask} [type mask]
  • Page 792 Switch(config-cmap)# end Switch# This example shows how to create a class map called class2, which matches incoming traffic with DSCP values of 10, 11, and 12. Switch(config)# class-map class2
  • Page 793 Classifying Traffic by Using Class Maps and Filtering IPv6 Traffic The switch supports both IPv4 and IPv6 QoS on Catalyst 2960-S switches when a lanbase-routing SDM template is configured. The match ip dscp and match ip precedence classifications match both IPv4 and IPv6 traffic.
  • Page 794 Switch(config-cmap)# match access-group name ipv6-any Switch(config-cmap)# exit Switch(config)# policy-map pm1 Switch(config-pmap)# class cm-1 Switch(config-pmap-c)# set dscp 4 Switch(config-pmap-c)# exit Switch(config-pmap)# class cm-2 Switch(config-pmap-c)# set dscp 6 Switch(config-pmap-c)# exit
  • Page 795 When you configure a default traffic class by using the class class-default policy-map configuration command, unclassified traffic (traffic that does not meet the match criteria specified in the traffic classes) is treated as the default traffic class (class-default).
  • Page 796 It is always placed at the end of a policy map. With an implied match any included in the class-default class, all packets that have not already matched the other traffic classes will match class-default.
  • Page 797 The range is 0 to 63. • For ip precedence new-precedence, enter a new IP-precedence value to be assigned to the classified traffic. The range is 0 to 7.
  • Page 798 The range is 8000 to 10000000000. For burst-byte, specify the normal burst size in bytes. The range is 8000 to 1000000. On Catalyst 2960-S switches, although you can configure a rate of 8000, the minimum rate granularity is actually 16000.
  • Page 799 Switch(config-pmap-c)# set dscp 6 Switch(config-pmap-c)# exit Switch(config-pmap)# class class-default Switch(config-pmap-c)# set dscp 10 Switch(config-pmap-c)# exit Switch(config-pmap)# exit Switch(config)# interface G0/1 Switch(config-if)# switchport mode access Switch(config-if)# service-policy input pm1
  • Page 800 By using an aggregate policer, you can create a policer that is shared by multiple traffic classes within the same policy map. However, you cannot use the aggregate policer across different policy maps or ports.
  • Page 801 • For aggregate-policer-name, specify the name of the aggregate policer. • For rate-bps, specify average traffic rate in bits per second (b/s). The range is 8000 to 10000000000. (On Catalyst 2960-S switches, although you can configure a rate of 8000, the minimum rate granularity is actually 16000.) •...
  • Page 802 Switch(config-pmap-c)# set dscp 56 Switch(config-pmap-c)# police aggregate transmit1 Switch(config-pmap-c)# exit Switch(config-pmap)# class class-default Switch(config-pmap-c)# set dscp 10 Switch(config-pmap-c)# exit Switch(config-pmap)# exit Switch(config)# interface gigabitethernet2/0/1 Switch(config-if)# service-policy input aggflow1 Switch(config-if)# exit
  • Page 803: Configuring Dscp Maps

    CoS-to-DSCP map. Table 33-13 Default CoS-to-DSCP Map CoS Value DSCP Value If these values are not appropriate for your network, you need to modify them.
  • Page 804 IP-precedence-to-DSCP map: Table 33-14 Default IP-Precedence-to-DSCP Map IP Precedence Value DSCP Value If these values are not appropriate for your network, you need to modify them.
  • Page 805 Return to privileged EXEC mode. Step 4 show mls qos maps policed-dscp Verify your entries. Step 5 copy running-config startup-config (Optional) Save your entries in the configuration file.
  • Page 806 Default DSCP-to-CoS Map DSCP Value CoS Value 0–7 8–15 16–23 24–31 32–39 40–47 48–55 56–63 If these values are not appropriate for your network, you need to modify them.
  • Page 807 With ingress mutation, the new DSCP value overwrites the one in the packet, and QoS treats the packet with this new value. The switch sends the packet out the port with the new DSCP value.
  • Page 808 10 10 10 10 14 15 16 17 18 19 20 20 20 23 24 25 26 27 28 29 30 30 30 30 30 35 36 37 38 39
  • Page 809: Configuring Ingress Queue Characteristics

    You can prioritize traffic by placing packets with particular DSCPs or CoSs into certain queues and adjusting the queue thresholds so that packets with lower priorities are dropped.
  • Page 810 To return to the default WTD threshold percentages, use the no mls qos srr-queue input threshold queue-id global configuration command.
  • Page 811: Allocating Buffer Space Between The Ingress Queues

    This example shows how to allocate 60 percent of the buffer space to ingress queue 1 and 40 percent of the buffer space to ingress queue 2: Switch(config)# mls qos srr-queue input buffers 60 40
  • Page 812: Allocating Bandwidth Between The Ingress Queues

    1 is 25/(25+75) and to queue 2 is 75/(25+75): Switch(config)# mls qos srr-queue input priority-queue 2 bandwidth 0 Switch(config)# mls qos srr-queue input bandwidth 25 75
  • Page 813: Configuring The Ingress Priority Queue

    SRR equally shares the remaining 90 percent of the bandwidth between queues 1 and 2 by allocating 45 percent to each queue: Switch(config)# mls qos srr-queue input priority-queue 1 bandwidth 10 Switch(config)# mls qos srr-queue input bandwidth 4 4
  • Page 814: Configuring Egress Queue Characteristics

    Note: The egress queue default settings are suitable for most situations. You should change them only when you have a thorough understanding of the egress queues and if these settings do not meet your QoS solution.
  • Page 815 For qset-id, enter the ID of the queue-set specified in Step 2. The range is 1 to 2. The default is 1. Step 6 Return to privileged EXEC mode.
  • Page 816 Note: The egress queue default settings are suitable for most situations. You should change them only when you have a thorough understanding of the egress queues and if these settings do not meet your QoS solution.
  • Page 817 This example shows how to map DSCP values 10 and 11 to egress queue 1 and to threshold 2: Switch(config)# mls qos srr-queue output dscp-map queue 1 threshold 2 10 11
  • Page 818 2, 3, and 4 are set to 0, these queues operate in shared mode. The bandwidth weight for queue 1 is 1/8, which is 12.5 percent: Switch(config)# interface gigabitethernet2/0/1 Switch(config-if)# srr-queue bandwidth shape 8 0 0 0
  • Page 819 1, 2, 3, and 4. This means that queue 4 has four times the bandwidth of queue 1, twice the bandwidth of queue 2, and one-and-a-third times the bandwidth of queue 3. Switch(config)# interface gigabitethernet2/0/1 Switch(config-if)# srr-queue bandwidth share 1 2 3 4
  • Page 820 Command Purpose Step 1 configure terminal Enter global configuration mode. Step 2 interface interface-id Specify the port to be rate limited, and enter interface configuration mode.
  • Page 821: Displaying Standard Qos Information

    Display QoS mapping information. cos-output-q | dscp-cos | dscp-input-q | dscp-mutation dscp-mutation-name | dscp-output-q | ip-prec-dscp | policed-dscp] show mls qos queue-set [qset-id] Display QoS settings for the egress queues.
  • Page 822 The control-plane and interface keywords are not supported, and the statistics shown in the display should be ignored. show running-config | include rewrite Display the DSCP transparency setting.
  • Page 823: Understanding Ip Routing

    For complete syntax and usage information for the commands used in this chapter, see the Cisco IOS IP Command Reference, Volume 1 of 3: Addressing and Services, Release 12.2 Understanding IP Routing, page 34-1 •...
  • Page 824: Types Of Routing

    If a stack master fails, the stack detects that the stack master is down and elects a stack member to be the new stack master. Except for a momentary interruption, the hardware continues to forward packets.
  • Page 825: Steps For Configuring Routing

    By default, IP routing is disabled on the switch. For detailed IP routing configuration information, see the Cisco IOS IP Configuration Guide, Release 12.2 from the Cisco.com page under Documentation > Cisco IOS Software Releases > 12.2 Mainline > Configuration Guides.
  • Page 826: Enabling Ip Unicast Routing

    Step 5 show interfaces [interface-id] Verify your entries. show ip interface [interface-id] show running-config interface [interface-id] Step 6 copy running-config startup-config (Optional) Save your entries in the configuration file.
  • Page 827: Configuring Static Unicast Routes

    Display the state of the routing table. show ip route summary Display the state of the routing table in summary form. show platform ip unicast Display platform-dependent IP unicast information.
  • Page 828 Chapter 34 Configuring Static IP Unicast Routing Monitoring and Maintaining the IP Network
  • Page 829: Understanding Ipv6

    Chapter 36, “Configuring IPv6 MLD Snooping.” To enable dual stack environments (supporting both IPv4 and IPv6) on a Catalyst 2960 switch, you must configure the switch to use a dual IPv4 and IPv6 switch database management (SDM) template. See “Dual IPv4 and IPv6 Protocol Stacks”...
  • Page 830: Ipv6 Addresses

    2031:0:130F::09C0:080F:130B For more information about IPv6 address formats, address types, and the IPv6 packet header, see the “Implementing IPv6 Addressing and Basic Connectivity” chapter of Cisco IOS IPv6 Configuration Library on Cisco.com. In the “Implementing Addressing and Basic Connectivity” chapter, these sections apply to the...
  • Page 831: Neighbor Discovery

    For more information, see the section about IPv6 unicast addresses in the “Implementing IPv6 Addressing and Basic Connectivity” chapter in the Cisco IOS IPv6 Configuration Library on Cisco.com. DNS for IPv6 IPv6 supports Domain Name System (DNS) record types in the DNS name-to-address and address-to-name lookup processes.
  • Page 832 Cisco IOS IPv6 Configuration Library on Cisco.com. Dual IPv4 and IPv6 Protocol Stacks On a Catalyst 2960 switch, you must use the dual IPv4 and IPv6 template to allocate ternary content addressable memory (TCAM) usage to both IPv4 and IPv6 protocols.
  • Page 833 IPv4 and IPv6 SDM template, see Chapter 8, “Configuring SDM Templates.” The dual IPv4 and IPv6 templates on Catalyst 2960 switches allow the switch to be used in dual stack environments. If you try to configure IPv6 without first selecting a dual IPv4 and IPv6 template, a warning message •...
  • Page 834: Ipv6 And Switch Stacks

    Basic network connectivity (ping) must exist between the client and the server hosts before HTTP connections can be made. For more information, see the “Managing Cisco IOS Applications over IPv6” chapter in the Cisco IOS IPv6 Configuration Library on Cisco.com.
  • Page 835: Configuring Ipv6 Addressing And Enabling Ipv6 Host

    For more information about configuring IPv6, see the “Implementing Addressing and Basic Connectivity for IPv6” chapter in the Cisco IOS IPv6 Configuration Library on Cisco.com. Beginning in privileged EXEC mode, follow these steps to assign an IPv6 address to a Layer 3 interface...
  • Page 836 ND DAD is enabled, number of DAD attempts: 1 ND reachable time is 30000 milliseconds ND advertised reachable time is 0 milliseconds ND advertised retransmit interval is 0 milliseconds
  • Page 837: Configuring Ipv6 Icmp Rate Limiting

    This example shows how to configure an IPv6 ICMP error message interval of 50 milliseconds and a bucket size of 20 tokens. Switch(config)# ipv6 icmp error-interval 50 20
  • Page 838: Configuring Static Routes For Ipv6

    To configure a floating static route, use an administrative distance greater than that of the dynamic routing protocol. Step 3 Return to privileged EXEC mode.
  • Page 839: Displaying Ipv6

    For more information about configuring static IPv6 routing, see the “Implementing Static Routes for IPv6” chapter in the Cisco IOS IPv6 Configuration Library on Cisco.com. Displaying IPv6 For complete syntax and usage information on these commands, see the Cisco IOS command reference publications. Table 35-2 shows the privileged EXEC commands for monitoring IPv6 on the switch.
  • Page 840 This is an example of the output from the show ipv6 static privileged EXEC command: Switch# show ipv6 static IPv6 Static routes Code: * - installed in RIB * ::/0 via nexthop 3FFE:C000:0:7::777, distance 1
  • Page 841 IPv6 Routing Table - Default - 1 entries Codes: C - Connected, L - Local, S - Static, U - Per-user Static route FF00::/8 [0/0] via Null0, receive
  • Page 842 Rcvd: 0 input, 0 checksum errors, 0 length errors 0 no port, 0 dropped Sent: 26749 output TCP statistics: Rcvd: 0 input, 0 checksum errors Sent: 0 output, 0 retransmitted
  • Page 843 You can use Multicast Listener Discovery (MLD) snooping to enable efficient distribution of IP version 6 (IPv6) multicast data to clients and routers in a switched network on the Catalyst 2960, 2960-S, or 2960-C switch. Unless otherwise noted, the term switch refers to a standalone switch and to a switch stack.
  • Page 844: Mld Messages

    Message timers and state transitions resulting from messages being sent or received are the same as those of IGMPv2 messages. MLD messages that do not have valid link-local IPv6 source addresses are ignored by MLD routers and switches.
  • Page 845: Mld Queries

    1006 to 4094), IPv6 MLD snooping must be enabled on the extended VLAN on the Catalyst 6500 switch in order for the Catalyst 2960, 2960-S, or 2960-C switch to receive queries on the VLAN. For normal-range VLANs (1 to 1005), it is not necessary to enable IPv6 MLD snooping on the VLAN on the Catalyst 6500 switch.
  • Page 846: Mld Reports

    If the deleted port is the last member of the multicast address, the multicast address is also deleted, and the switch sends the address leave information to all detected multicast routers.
  • Page 847: Topology Change Notification Processing

    • Configuring a Multicast Router Port, page 36-8 • Enabling MLD Immediate Leave, page 36-9 • Configuring MLD Snooping Queries, page 36-10 • Disabling MLD Listener Message Suppression, page 36-11
  • Page 848: Default Mld Snooping Configuration

    1006 to 4094), IPv6 MLD snooping must be enabled on the extended VLAN on the Catalyst 6500 switch in order for the Catalyst 2960, 2960-S, or 2960-C switch to receive queries on the VLAN. For normal-range VLANs (1 to 1005), it is not necessary to enable IPv6 MLD snooping on the VLAN on the Catalyst 6500 switch.
  • Page 849: Enabling Or Disabling Mld Snooping

    1006 to 4094), IPv6 MLD snooping must be enabled on the extended VLAN on the Catalyst 6500 switch in order for the Catalyst 2960, 2960-S, or 2960-C switch to receive queries on the VLAN. For normal-range VLANs (1 to 1005), it is not necessary to enable IPv6 MLD snooping on the VLAN on the Catalyst 6500 switch.
  • Page 850: Configuring A Static Multicast Group

    (add a static connection to a multicast router), use the ipv6 mld snooping vlan mrouter global configuration command on the switch. Note: Static connections to multicast routers are supported only on switch ports.
  • Page 851: Enabling Mld Immediate Leave

    This example shows how to enable MLD Immediate Leave on VLAN 130: Switch# configure terminal Switch(config)# ipv6 mld snooping vlan 130 immediate-leave Switch(config)# exit
  • Page 852: Configuring Mld Snooping Queries

    vlan-id] (Optional) Verify the MLD snooping querier information for the switch or for the VLAN. Step 12 copy running-config startup-config (Optional) Save your entries in the configuration file.
  • Page 853: Disabling Mld Listener Message Suppression

    You can display MLD snooping information for dynamically learned and statically configured router ports and VLAN interfaces. You can also display MAC address multicast entries for a VLAN configured for MLD snooping.
  • Page 854 • information for the switch or for a VLAN. show ipv6 mld snooping multicast-address vlan vlan-id [ipv6-multicast-address] Display MLD snooping for the specified VLAN and IPv6 multicast address.
  • Page 855 Note: For complete syntax and usage information for the commands used in this chapter, see the command reference for this release or the Cisco IOS documentation referenced in the procedures. This chapter contains these sections: Understanding IPv6 ACLs, page 37-1 •...
  • Page 856: Supported Acl Features

    Logging is supported for router ACLs, but not for port ACLs. IPv6 ACL Limitations With IPv4, you can configure standard and extended numbered IP ACLs, named IP ACLs, and MAC ACLs. IPv6 supports only named ACLs.
  • Page 857 Chapter 37 Configuring IPv6 ACLs Configuring IPv6 ACLs The switch supports most Cisco IOS-supported IPv6 ACLs with some exceptions: • IPv6 source and destination addresses—ACL matching is supported only on prefixes from /0 to /64 and host addresses (/128) that are in the extended universal identifier (EUI)-64 format. The switch supports only these host addresses with no loss of information: –...
  • Page 858: Default Ipv6 Acl Configuration

    Beginning in privileged EXEC mode, follow these steps to create an IPv6 ACL: Command Purpose Step 1 configure terminal Enter global configuration mode. Step 2 ipv6 access-list access-list-name Define an IPv6 access list name, and enter IPv6 access-list configuration mode.
  • Page 859 • (Optional) Enter sequence value to specify the sequence number for the access list statement. The acceptable range is from 1 to 4294967295. • (Optional) Enter time-range name to specify a time range for the statement.
  • Page 860 Return to privileged EXEC mode. Step 5 show ipv6 access-list: Verify the access list configuration. Step 6 copy running-config startup-config: (Optional) Save your entries in the configuration file.
  • Page 861: Applying An Ipv6 Acl To An Interface

    This example configures the IPv6 access list named CISCO. The first deny entry in the list denies all packets that have a destination TCP port number greater than 5000. The second deny entry denies packets that have a source UDP port number less than 5000.
  • Page 862: Displaying Ipv6 Acls

    (15 matches) sequence 20 permit udp any any sequence 30 IPv6 access list outbound deny udp any any sequence 10 deny tcp any any eq telnet sequence 20
  • Page 863: Understanding Etherchannels

    Note To use link-state tracking, the switch must be running the LAN Base image. This chapter describes how to configure EtherChannels on the Catalyst 2960, 2960-S, or 2960-C switch. EtherChannel provides fault-tolerant high-speed links between switches, routers, and servers. You can use it to increase the bandwidth between the wiring closets and the data center, and you can deploy it anywhere in the network where bottlenecks are likely to occur.
  • Page 864: Etherchannel Overview

    All ports in each EtherChannel must be configured as Layer 2 ports. The number of EtherChannels is limited to six. For more information, see the “EtherChannel Configuration Guidelines” section on page 38-12.
  • Page 865 EtherChannel are blocked from returning on any other link of the EtherChannel. Figure 38-2 Single-Switch EtherChannel (Catalyst 2960-S switch stack with stack port connections; channel groups 1 and 2 to Switch A)
  • Page 866 If you use a new number, the channel-group command dynamically creates a new port channel. Each EtherChannel has a port-channel logical interface numbered from 1 to 6. This port-channel interface number corresponds to the one specified with the channel-group interface configuration command.
  • Page 867: Port Aggregation Protocol

    Layer 2 EtherChannel as a trunk. Port Aggregation Protocol The Port Aggregation Protocol (PAgP) is a Cisco-proprietary protocol that can be run only on Cisco switches and on those switches licensed by vendors to support PAgP. PAgP facilitates the automatic creation of EtherChannels by exchanging PAgP packets between Ethernet ports.
  • Page 868: Pagp Modes

    For redundancy, remote switches, such as Catalyst 2960, 2960-S, or 2960-C switches, are connected to the virtual switch by remote satellite links (RSLs). Note Only a Catalyst 2960 switch running the LAN Base image can be a remote switch.
  • Page 869: Link Aggregation Control Protocol

    Link Aggregation Control Protocol The LACP is defined in IEEE 802.3ad and enables Cisco switches to manage Ethernet channels between switches that conform to the IEEE 802.3ad protocol. LACP facilitates the automatic creation of EtherChannels by exchanging LACP packets between Ethernet ports.
  • Page 870: Etherchannel On Mode

    Therefore, to provide load balancing, packets from different hosts use different ports in the channel, but packets from the same host use the same port in the channel.
  • Page 871 MAC address, using the destination-MAC address always chooses the same link in the channel. Using source addresses or IP addresses might result in better load balancing.
  • Page 872: Etherchannel And Switch Stacks

    STP reconvergence. Use the stack-mac persistent timer command to control whether or not the stack MAC address changes during a master failover. For more information about switch stacks, see Chapter 7, “Managing Switch Stacks.”
  • Page 873: Configuring Etherchannels

    LACP system priority and the switch or switch stack MAC address. Load balancing: Load distribution on the switch is based on the source-MAC address of the incoming packet.
  • Page 874: Etherchannel Configuration Guidelines

    Note Stacking is supported only on Catalyst 2960-S switches running the LAN base image. If improperly configured, some EtherChannel ports are automatically disabled to avoid network loops and other problems. Follow these guidelines to avoid configuration problems: ...
  • Page 875: Configuring Layer 2 Etherchannels

    Assign all ports as static-access ports in the same VLAN, or configure them as trunks. switchport access vlan vlan-id: If you configure the port as a static-access port, assign it to only one VLAN. The range is 1 to 4094.
  • Page 876 Step 7 copy running-config startup-config: (Optional) Save your entries in the configuration file. To remove a port from the EtherChannel group, use the no channel-group interface configuration command.
  • Page 877 Switch(config-if-range)# switchport access vlan 10 Switch(config-if-range)# channel-group 5 mode active Switch(config-if-range)# exit Switch(config)# interface gigabitethernet3/0/3 Switch(config-if)# switchport mode access Switch(config-if)# switchport access vlan 10 Switch(config-if)# channel-group 5 mode active Switch(config-if)# exit
  • Page 878: Configuring Etherchannel Load Balancing

    The device sends packets to the source by using any of the ports in the EtherChannel. With aggregate-port learning, it is not important on which physical port the packet arrives.
  • Page 879 When the link partner of the switch is a physical learner (such as a Catalyst 1900 series switch), we recommend that you configure the Catalyst 2960, 2960-S, or 2960-C switch as a physical-port learner by using the pagp learn-method physical-port interface configuration command. Set the load-distribution method based on the source MAC address by using the port-channel load-balance src-mac global configuration command.
  • Page 880 For more information, see the “Configuring the LACP System Priority” section on page 38-19 and the “Configuring the LACP Port Priority” section on page 38-19.
  • Page 881 EtherChannel are put in the hot-standby state and are used only if one of the channeled ports fails.
  • Page 882 (Optional) Save your entries in the configuration file. To return the LACP port priority to the default value, use the no lacp port-priority interface configuration command.
  • Page 883 – Server 1 and server 2 use switch A for primary links and switch B for secondary links. – Server 3 and server 4 use switch B for primary links and switch A for secondary links.
  • Page 884 You can recover a downstream interface link-down condition by removing the failed downstream port from the link-state group. To recover multiple downstream interfaces, disable the link-state group.
  • Page 885 • Configuring Link-State Tracking, page 38-24 • Displaying Link-State Tracking Status, page 38-25 Default Link-State Tracking Configuration: There are no link-state groups defined, and link-state tracking is not enabled for any group.
  • Page 886 Switch(config-if)# interface gigabitethernet1/0/1 Switch(config-if)# link state group 1 downstream Switch(config-if)# interface gigabitethernet1/0/3 Switch(config-if)# link state group 1 downstream Switch(config-if)# interface gigabitethernet1/0/5 Switch(config-if)# link state group 1 downstream Switch(config-if)# end
  • Page 887 Downstream Interfaces : Gi1/0/11(Dis) Gi1/0/12(Dis) Gi1/0/13(Dis) Gi1/0/14(Dis) (Up):Interface up (Dwn):Interface Down (Dis):Interface disabled For detailed information about the fields in the display, see the command reference for this release.
  • Page 889: Troubleshooting

    This chapter describes how to identify and resolve software problems related to the Cisco IOS software on the Catalyst 2960, 2960-S, or 2960-C. Depending on the nature of the problem, you can use the command-line interface (CLI), the device manager, or Network Assistant to identify and solve problems.
  • Page 890: Recovering From A Software Failure

    Step 1 From your PC, download the software image tar file (image_filename.tar) from Cisco.com. The Cisco IOS image is stored as a bin file in a directory in the tar file. For information about locating the software image files on Cisco.com, see the release notes.
  • Page 891: Recovering From A Lost Or Forgotten Password

    When you enter the service password-recovery or no service password-recovery command on the stack master, it is propagated throughout the stack and applied to all switches in the stack.
  • Page 892: Procedure With Password Recovery Enabled

    Note Stacking is supported only on Catalyst 2960-S switches running the LAN base image. Follow the steps in this procedure if you have forgotten or lost the switch password. Step 1 Connect a terminal or PC with terminal-emulation software to the switch console port. If you are recovering the password to a switch stack, connect to the console port of the stack master.
  • Page 893 Switch(config)# enable secret password The secret password can be from 1 to 25 alphanumeric characters, can start with a number, is case sensitive, and allows spaces but ignores leading spaces.
  • Page 894: Procedure With Password Recovery Disabled

    Step 1 Elect to continue with password recovery and lose the existing configuration: Would you like to reset the system back to the default configuration (y/n)? Y Step 2 Load any helper files: Switch: load_helper
  • Page 895 Note Before continuing to Step 9, power on any connected stack members and wait until they have completely initialized. Stacking is supported only on Catalyst 2960-S switches running the LAN base image. Step 9 Write the running configuration to the startup configuration file: Switch# copy running-config startup-config The new password is now in the startup configuration.
  • Page 896: Preventing Switch Stack Problems

    Chapter 6, “Clustering Switches.” Also see the Getting Started with Cisco Network Assistant, available on Cisco.com. Note HSRP is the preferred method for supplying redundancy to a cluster.
  • Page 897: Replacing A Failed Command Switch With A Cluster Member

    From privileged EXEC mode, enter setup, and press Return. Switch# setup --- System Configuration Dialog --- Continue with configuration dialog? [yes/no]: y At any point you may enter a question mark '?' for help.
  • Page 898 Step 17 Start your browser, and enter the IP address of the new command switch. Step 18 From the Cluster menu, select Add to Cluster to display a list of candidate switches to add to the cluster.
  • Page 899: Replacing A Failed Command Switch With Another Switch

    Step 9 When prompted for the enable secret and enable passwords, enter the passwords of the failed command switch again. When prompted, make sure to enable the switch as the cluster command switch, and press Return.
  • Page 900: Recovering From Lost Cluster Member Connectivity

    • A member switch (Catalyst 3750, Catalyst 3560, Catalyst 3550, Catalyst 3500 XL, Catalyst 2970, Catalyst 2960, Catalyst 2950, Catalyst 2900 XL, Catalyst 2820, and Catalyst 1900 switch) cannot connect to the command switch through a port that is defined as a network port.
  • Page 901: Troubleshooting Power Over Ethernet Switch Ports

    Disabled Port Caused by Power Loss If a powered device (such as a Cisco IP Phone 7910) that is connected to a PoE switch port and is powered by an AC power source loses power from the AC power source, the device might enter an error-disabled state.
  • Page 902: Monitoring Sfp Module Status

    If the module is identified as a Cisco SFP module, but the system is unable to read vendor-data information to verify its accuracy, an SFP module error message is generated. In this case, you should remove and re-insert the SFP module.
  • Page 903: Using Layer 2 Traceroute

    The switch can only identify the path from the source device to the destination device. It cannot identify the path that a packet takes from source host to the source device or from the destination device to the destination host.
  • Page 904: Usage Guidelines

    These are the Layer 2 traceroute usage guidelines: • Cisco Discovery Protocol (CDP) must be enabled on all the devices in the network. For Layer 2 traceroute to function properly, do not disable CDP.
  • Page 905: Displaying The Physical Path

    Because all errors except port-unreachable errors come from intermediate hops, the receipt of a port-unreachable error means that this message was sent by the destination port.
  • Page 906: Executing Ip Traceroute

    To end a trace in progress, enter the escape sequence (Ctrl-^ X by default). Simultaneously press and release the Ctrl, Shift, and 6 keys and then press the X key.
  • Page 907: Using Tdr

    Running TDR and Displaying the Results When you run TDR on an interface, you can run it on the stack master or a stack member. Note Stacking is supported only on Catalyst 2960-S switches running the LAN base image. To run TDR, enter the test cable-diagnostics tdr interface interface-id privileged EXEC command. To display the results, enter the show cable-diagnostics tdr interface interface-id privileged EXEC command.
  • Page 908: Enabling Debugging On A Specific Feature

    For this reason, use debug commands only to troubleshoot specific problems or during troubleshooting sessions with Cisco technical support staff. It is best to use debug commands during periods of lower network traffic and fewer users. Debugging during these periods decreases the likelihood that increased debug command processing overhead will affect system use.
  • Page 909: Redirecting Debug And Error Message Output

    Make sure to save the syslog to flash memory so that the syslog is not lost if the stack master fails. For more information about system message logging, see Chapter 29, “Configuring System Message Logging.”
  • Page 910: Using The Show Platform Forward Command

    Dscpv Gi1/0/2 0005 0001.0001.0001 0002.0002.0002 ------------------------------------------ <output truncated> ------------------------------------------ Packet 10 Lookup Key-Used Index-Hit A-Data OutptACL 50_0D020202_0D010101-00_40000014_000A0000 01FFE 03000000 Packet dropped due to failed DEJA_VU Check on Gi1/0/2
  • Page 911: Using The Crashinfo Files

    Basic crashinfo Files The information in the basic file includes the Cisco IOS image name and version that failed, a list of the processor registers, and other switch-specific information. You can provide this information to the Cisco technical support representative by using the show tech-support privileged EXEC command.
  • Page 912: Extended Crashinfo Files

    You provide this information to the Cisco technical support representative by manually accessing the file and using the more or the copy privileged EXEC command.
  • Page 913: Configuring Obfl

    Note When an OBFL-enabled switch is restarted, there is a 10-minute delay before logging of new data begins. OBFL is supported only on Catalyst 2960-S switches. It is not supported on Catalyst 2960 switches. Configuring OBFL To enable OBFL, use the hw-module module [switch-number] logging onboard [message level level] global configuration command.
  • Page 914: Displaying Obfl Information

    ACL and ACL-like tables such as QoS classification and policy routing. The output from the show platform tcam errors privileged EXEC command provides information about the TCAM memory consistency integrity on the switch.
  • Page 915: Troubleshooting Tables

    For more information about the show platform tcam errors privileged EXEC command, see the command reference for this release. Troubleshooting Tables These tables are a condensed version of troubleshooting documents on Cisco.com. • “Troubleshooting CPU Utilization” section on page 39-28...
  • Page 916: Troubleshooting Cpu Utilization

    This example shows normal CPU utilization. The output shows that utilization for the last 5 seconds is 8%/0%, which has this meaning: • The total CPU utilization is 8 percent, including both time running Cisco IOS processes and time spent handling interrupts. • The time spent handling interrupts is zero percent.
  • Page 917 Troubleshooting Power over Ethernet (PoE) troubleshooting guide on Cisco.com. Note Power over Ethernet Plus (PoE+) is not supported on Catalyst 2960-S switches.
  • Page 918 (available PoE). Use the show inline power and show inline power detail commands to verify the amount of available power.
  • Page 919 If there is still no PoE at any port, a fuse might be open in the PoE section of the power supply. This normally produces an alarm. Check the log again for alarms reported earlier by system messages.
  • Page 920 If so, the problem might be an initial surge-in (or inrush) current that exceeds a current-limit threshold for the port.
  • Page 921 Troubleshooting Switch Stacks guide on Cisco.com. Note Stacking is supported only on Catalyst 2960-S switches running the LAN base image. Table 39-7 Switch Stack Troubleshooting Scenarios Symptom/problem How to Verify Problem...
  • Page 922 ...upgraded. ...or minor versions of the Cisco IOS software. StackWise link connection problems: Stack not operating at full bandwidth. Defective StackWise switch interface or cable. How to verify: Look at the LED behavior.
  • Page 923: Configuring Online Diagnostics

    This chapter describes how to configure the online diagnostics on the Catalyst 2960, 2960-S, or 2960-C switches. Online Diagnostics is supported only on Catalyst 2960-S switches running the LAN base image.
  • Page 924: Scheduling Online Diagnostics

    Use the diagnostic monitor threshold switch num test {test_id | test_id_range | all} failure count command to remove the failure threshold.
  • Page 925: Running Online Diagnostic Tests

    16:43:29: %STACKMGR-4-STACK_LINK_CHANGE: Stack Port 2 Switch 2 has changed to state DOWN 16:43:30: %STACKMGR-4-STACK_LINK_CHANGE: Stack Port 1 Switch 9 has changed to state DOWN 16:43:30: %STACKMGR-4-SWITCH_REMOVED: Switch 1 has been REMOVED from the stack
  • Page 926: Displaying Online Diagnostic Tests And Test Results

    Diagnostics test suite attributes: B/* - Basic ondemand test / NA P/V/* - Per port test / Per device test / NA D/N/* - Disruptive test / Non-disruptive test / NA
  • Page 927 Switch# show diagnostic schedule switch 1 Current Time = 14:39:49 PST Tue Jul 5 2005 Diagnostic for Switch 1: Schedule #1: To be run daily 12:00 Test ID(s) to be executed: 1.
  • Page 929: Working With The Flash File System

    Working with the Cisco IOS File System, Configuration Files, and Software Images This appendix describes how to manipulate the Catalyst 2960, 2960-S, or 2960-C switch flash file system, how to copy configuration files, and how to archive (upload and download) software images to a switch.
  • Page 930: Displaying Available File Systems

    • Creating and Removing Directories, page A-4 • Copying Files, page A-5 • Deleting Files, page A-5 • Creating, Displaying, and Extracting tar Files, page A-6...
  • Page 931: Setting The Default File System

    Table A-1 show file systems Field Descriptions (continued) Field Value Flags Permission for file system. ro—read-only. rw—read/write. wo—write-only. Prefixes Alias for file system.
  • Page 932: Changing Directories And Displaying The Working Directory

    Table A-2 Commands for Displaying Information About Files (continued) Command Description show file information file-url Display information about a specific file.
  • Page 933: Copying Files

    For filesystem, use flash: for the system board flash device. For file-url, enter the name of the directory to be deleted. All the files in the directory and the directory are removed.
  • Page 934 Caution When files are deleted, their contents cannot be recovered. This example shows how to delete the file myconfig from the default flash memory device:...
  • Page 935 Displaying the Contents of a tar File To display the contents of a tar file on the screen, use this privileged EXEC command: archive tar /table source-url For source-url, specify the source URL alias for the local or network file system.
  • Page 936: Displaying The Contents Of A File

    7-14. Configuration files contain commands entered to customize the function of the Cisco IOS software. A way to create a basic configuration file is to use the setup program or to enter the setup privileged EXEC command. For more information, see Chapter 3, “Assigning the Switch IP Address and Default...
  • Page 937: Guidelines For Creating And Using Configuration Files

    You can copy (upload) configuration files from the switch to a file server by using TFTP, FTP, or RCP. You might perform this task to back up a current configuration file to a server before changing its contents so that you can later restore the original configuration file from the server.
  • Page 938: Creating A Configuration File By Using A Text Editor

    Configuration File Types and Location Startup configuration files are used during system startup to configure the software. Running configuration files contain the current configuration of the software. The two configuration files can be different.
  • Page 939 Preparing to Download or Upload a Configuration File By Using TFTP Before you begin downloading or uploading a configuration file by using TFTP, do these tasks: Ensure that the workstation acting as the TFTP server is properly configured.
  • Page 940: Copying Configuration Files By Using Ftp

    The FTP protocol requires a client to send a remote username and password on each FTP request to a server. When you copy a configuration file from the switch to a server by using FTP, the Cisco IOS software sends the first valid username in this list: ...
  • Page 941 The username and password must be associated with an account on the FTP server. If you are writing to the server, the FTP server must be properly configured to accept your FTP write request.
  • Page 942 Step 4 ip ftp username username: (Optional) Change the default remote username. Step 5 ip ftp password password: (Optional) Change the default password.
  • Page 943 Uploading a Configuration File By Using FTP Beginning in privileged EXEC mode, follow these steps to upload a configuration file by using FTP:...
  • Page 944: Copying Configuration Files By Using Rcp

    The RCP requires a client to send a remote username with each RCP request to a server. When you copy a configuration file from the switch to a server, the Cisco IOS software sends the first valid username in this list: The username specified in the copy command if a username is specified.
  • Page 945 • When you upload a file to the RCP server, it must be properly configured to accept the RCP write request from the user on the switch. For UNIX systems, you must add an entry to the .rhosts file for the remote user on the RCP server.
  • Page 946: Uploading A Configuration File By Using Rcp

    This example shows how to specify a remote username of netadmin1. Then it copies the configuration file host2-confg from the netadmin1 directory on the remote server with an IP address of 172.16.101.101...
  • Page 947: Clearing Configuration Information

    Replacing and Rolling Back Configurations The configuration replacement and rollback feature replaces the running configuration with any saved Cisco IOS configuration file. You can use the rollback function to roll back to a previous configuration. These sections contain this information: ...
  • Page 948 EXEC command displays information for all the configuration files saved in the configuration archive. The Cisco IOS configuration archive, in which the configuration files are stored and available for use with the configure replace command, is in any of these file systems: FTP, HTTP, RCP, TFTP.
  • Page 949 replacement configuration file for the running configuration. The replacement file must be a complete configuration generated by a Cisco IOS device (for example, a configuration generated by the copy running-config destination-url command). Note If you generate the replacement configuration file externally, it must comply with the format of files generated by Cisco IOS devices.
  • Page 950: Configuring The Configuration Archive

    Configuring the Configuration Archive Using the configure replace command with the configuration archive and with the archive config command is optional but offers significant benefit for configuration rollback scenarios. Before using the archive config command, you must first configure the configuration archive.
  • Page 951 Performing a Configuration Replacement or Rollback Operation Starting in privileged EXEC mode, follow these steps to replace the running configuration file with a...
  • Page 952: Working With Software Images

    If you do not have access to a TFTP server, you can download a software image file directly to your PC or workstation by using a web browser (HTTP) and then by using the device manager or Cisco Network Assistant to upgrade your switch. For information about upgrading your switch by using a TFTP server or a web browser (HTTP), see the release notes.
  • Page 953: Image Location On The Switch

    Image Location on the Switch The Cisco IOS image is stored as a .bin file in a directory that shows the version number. A subdirectory contains the files needed for web management. The image is stored on the system board flash memory (flash:).
  • Page 954: Copying Image Files By Using TFTP

    Table A-3 info File Description (continued): image_min_dram: specifies the minimum amount of DRAM needed to run this image; image_family: describes the family of products on which the software can be installed...
  • Page 955 Ensure that the switch has a route to the TFTP server. The switch and the TFTP server must be in the same subnetwork if you do not have a router to route traffic between subnets. Check connectivity to the TFTP server by using the ping command.
  • Page 956 Step 3: archive download-sw /overwrite /reload tftp:[[//location]/directory]/image-name.tar. Purpose: download the image file from the TFTP server to the switch, and overwrite the current image.
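Worked example, added here and not from the guide: the TFTP download procedure above carried through on one switch, with the checks a practitioner wants around it. The server address 192.0.2.10, the image file name and the MD5 digest are placeholders (use the file name and the digest published for the release you actually downloaded). TFTP neither authenticates the server nor protects the file in transit, so the installed .bin should be checked with verify /md5 against the published digest before the switch is left in service; a mismatch means the download was corrupted or replaced.

```ios
! Added example; not from the configuration guide. Placeholders:
! 192.0.2.10 = TFTP server; image name and MD5 digest are illustrative.
! 1. Prerequisites from the steps above: reachability and free space.
Switch# ping 192.0.2.10
Switch# dir flash:
Switch# show boot
! 2. Download the tar from the server, replace the current image and
!    reload when the copy has been extracted and the BOOT variable updated.
Switch# archive download-sw /overwrite /reload tftp://192.0.2.10/c2960-lanbasek9-tar.150-2.SE5.tar
! 3. After the reload: confirm which image booted, then check the MD5
!    digest of the installed .bin against the one published for the release.
Switch# show version | include image
Switch# show boot
Switch# verify /md5 flash:c2960-lanbasek9-mz.150-2.SE5/c2960-lanbasek9-mz.150-2.SE5.bin 0123456789abcdef0123456789abcdef
```

Using /leave-old-sw in place of /overwrite keeps the previous image directory on flash, which is the cheaper way to back out if the new image fails the digest check or misbehaves; /overwrite is only appropriate once flash space is known to be short.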
  • Page 957: Copying Image Files By Using FTP

    The archive upload-sw privileged EXEC command builds an image file on the server by uploading these files in order: info, the Cisco IOS image, and the web management files. After these files are uploaded, the upload algorithm creates the tar file format.
  • Page 958 The FTP protocol requires a client to send a remote username and password on each FTP request to a server; FTP carries both in cleartext, so anyone who can observe the path between switch and server can read them. When you copy an image file from the switch to a server by using FTP, the Cisco IOS software sends the first valid username in this list: • The username specified in the archive download-sw or archive upload-sw privileged EXEC...
  • Page 959 and you have a valid username, this username is used, and you do not need to set the FTP username. Include the username in the archive download-sw or archive upload-sw privileged EXEC command if you want to specify a username for that operation only.
  • Page 960 Step 8: archive download-sw /leave-old-sw /reload ftp:[[//username[:password]@location]/directory]. Purpose: download the image file from the FTP server to the switch, and keep the current image.
  • Page 961: Copying Image Files By Using RCP

  • Page 962 RCP requires a client to send a remote username on each RCP request to a server; no password is sent, because the remote shell daemon authorizes the request from that username and the switch's source IP address alone. When you copy an image from the switch to a server by using RCP, the Cisco IOS software sends the first valid username in this list: • The username specified in the archive download-sw or archive upload-sw privileged EXEC...
  • Page 963 Before you begin downloading or uploading an image file by using RCP, do these tasks: Ensure that the workstation acting as the RCP server supports the remote shell (rsh).
  • Page 964 Step 6: archive download-sw /overwrite /reload rcp:[[[//[username@]location]/directory]/image-na... Purpose: download the image file from the RCP server to the switch, and overwrite the current image.
  • Page 965 The algorithm installs the downloaded image onto the system board flash device (flash:). The image is placed into a new directory named with the software version string, and the BOOT environment variable is updated to point to the newly installed image.
  • Page 966: Copying An Image File From One Stack Member To Another

  • Page 967 This appendix lists some of the command-line interface (CLI) commands that appear when you enter the question mark (?) at the Catalyst 2960, 2960-S, or 2960-C switch prompt but are not supported in this release, either because they are not tested or because of switch hardware limitations. This is not a complete list.
  • Page 968: Access Control Lists

    Unsupported Route-Map Configuration Commands: match ip address prefix-list prefix-list-name [prefix-list-name...]
    Boot Loader Commands, Unsupported Global Configuration Commands: boot buffersize
    Embedded Syslog Manager: Unsupported Global Configuration Commands; Unsupported Privileged EXEC Commands
    Catalyst 2960 and 2960-S Switches Software Configuration Guide, Release 15.0(1)SE OL-26520-01
  • Page 969: IGMP Snooping Commands

  • Page 970 Unsupported Commands in Cisco IOS Release 15.0(1)SE: MAC Address Commands. Note: Use the show ip igmp snooping groups privileged EXEC command to display Layer 2 multicast address-table entries for a VLAN.
  • Page 971 Network Address Translation (NAT) Commands, Unsupported Privileged EXEC Commands: show ip nat statistics; show ip nat translations
  • Page 972: Unsupported Global Configuration Command

    (only on switches running the LAN Lite image); snmp-server enable informs; snmp-server enable traps hsrp; snmp-server enable traps rtr (only on switches running the LAN Lite image)
  • Page 973: Spanning Tree

    VLAN, Unsupported Global Configuration Command: vlan internal allocation policy {ascending | descending}. Unsupported vlan-config Command: private-vlan. Unsupported User EXEC Commands: show running-config vlan; show vlan ifindex; vlan database
  • Page 974: Unsupported Vlan Database Commands

    Unsupported VLAN Database Commands: vlan show vlan private-vlan. Unsupported Privileged EXEC Commands: vtp {password password | pruning | version number}. Note: This command has been replaced by the vtp global configuration command.
  • Page 975: Configuration Compatibility Issues

    The switch families have different hardware. If you use a Catalyst 2950 switch command, it might not be supported on the Catalyst 2960 switch. The Catalyst 2960 switch software handles the incompatible commands in these ways: They are accepted and translated. A message appears.
  • Page 976 Appendix A Recommendations for Upgrading a Catalyst 2950 Switch to a Catalyst 2960 Switch Configuration Compatibility Issues In most cases, configuration files are loaded without rejections. Table A-1 lists the Catalyst 2950 exceptions. The features are listed in alphabetic order, with Catalyst 2950 commands and explanations, and the resulting action on the Catalyst 2960 switch.
  • Page 977 Table A-1 Catalyst 2950 and 2960 Switch Configuration Incompatibilities (continued). Columns: Feature; Catalyst 2950 Switch Command and Explanation; Result on the Catalyst 2960 Switch. IEEE 802.1x...
  • Page 978 Table A-1 Catalyst 2950 and 2960 Switch Configuration Incompatibilities (continued). Columns: Feature; Catalyst 2950 Switch Command and Explanation; Result on the Catalyst 2960 Switch...
  • Page 979: Feature Behavior Incompatibilities

    Access control lists (ACLs) • Even though the command syntax is the same on the Catalyst 2960 switch and on the Catalyst 2950 switch, the semantics of the IP and the MAC ACL between the two platforms differ. For example,...
  • Page 980 The Catalyst 2950 switch uses an extra port, called the reflector port, for its RSPAN implementation. This is not necessary in the Catalyst 2960 switch RSPAN implementation. The Catalyst 2960 switch also supports VLANs as SPAN sources and can forward received packets on SPAN destination ports.
