Index
(Back-of-book index, pages IN-1 through IN-44, not reproduced.)
Catalyst 2960 and 2960-S Switches Software Configuration Guide, Release 15.0(1)SE, OL-26520-01
Catalyst 2960, 2960-S, and 2960-C switches run one of these images:
• The LAN Base software image provides enterprise-class intelligent services such as access control lists (ACLs) and quality of service (QoS) features. On a Catalyst 2960-S switch, stacking is also supported.
• The LAN Lite image provides reduced functionality.
It does not provide detailed information about these commands. For detailed information about these commands, see the Catalyst 2960, 2960-S, and 2960-C Switch Command Reference for this release. For information about the standard Cisco IOS Release 15.0 commands, see the Cisco IOS documentation set available on Cisco.com.
Preface
Related Publications
These documents provide complete information about the switch and are available from this Cisco.com site:
http://www.cisco.com/en/US/products/ps6406/tsd_products_support_series_home.html
Before installing, configuring, or upgrading the switch, see these documents:
Note
For initial configuration information, see the “Using Express Setup” section in the getting started ...
Obtaining Documentation, Obtaining Support, and Security Guidelines For information on obtaining documentation, submitting a service request, and gathering additional information, see the monthly What’s New in Cisco Product Documentation, which also lists all new and revised Cisco technical documentation: http://www.cisco.com/en/US/docs/general/whatsnew/whatsnew.html Subscribe to the What’s New in Cisco Product Documentation as a Really Simple Syndication (RSS) feed...
CHAPTER 1
Overview
This chapter provides these topics about the Catalyst 2960, 2960-S and 2960-C switch software:
• Features, page 1-1
• Default Settings After Initial Switch Configuration, page 1-17
• Network Configuration Examples, page 1-19
...
The Network Assistant must be downloaded from cisco.com/go/cna.
• Cisco FlexStack technology on Catalyst 2960-S switches running the LAN Base image for
 – Connecting up to four switches through their FlexStack ports to operate as a single switch in the network.
 – Using a single IP address and configuration file to manage the entire switch stack.
 – Automatic Cisco IOS version-check of new stack members with the option to automatically load images from the stack master or from a TFTP server.
Call Home to provide e-mail-based and web-based notification of critical system events. Users with a service contract directly with Cisco Systems can register Call Home devices for the Cisco Smart Call Home service that generates automatic service requests with the Cisco TAC.
Network Assistant—Network Assistant is a network management application that can be downloaded from Cisco.com. You use it to manage a single switch, a cluster of switches, or a community of devices. For more information about Network Assistant, see Getting Started with Cisco Network Assistant, available on Cisco.com.
• the size of the MAC address table
• Cisco Discovery Protocol (CDP) Versions 1 and 2 for network topology discovery and mapping between the switch and other Cisco devices on the network
• Link Layer Discovery Protocol (LLDP) and LLDP Media Endpoint Discovery (LLDP-MED) for ...
• Network Time Protocol (NTP) version 4 for NTP time synchronization for both IPv4 and IPv6
• Cisco IOS File System (IFS) for providing a single interface to all file systems that the switch uses
• Configuration logging to log and to view changes to the switch configuration
...
active on only one port at a time.
• (Catalyst 2960-S only) USB Type A port for external Cisco USB flash memory devices (thumb drives or USB keys). You can use standard Cisco CLI commands to read, write, erase, copy, or boot from the flash memory.
• Link-state tracking to mirror the state of the ports that carry upstream traffic from connected hosts and servers, and to allow the failover of the server traffic to an operational link on another Cisco Ethernet switch. To use Link-state Tracking, the switch must be running the LAN Base image.
• Protocol storm protection to control the rate of incoming protocol traffic to a switch by dropping packets that exceed a specified ingress rate.
• BPDU guard for shutting down a Port Fast-configured port when an invalid configuration occurs
 – Port security for controlling access to 802.1x ports
 – Voice VLAN to permit a Cisco IP Phone to access the voice VLAN regardless of the authorized or unauthorized state of the port
 – IP phone detection enhancement to detect and recognize a Cisco IP phone.
 – IEEE 802.1x authentication with downloadable ACLs and redirect URLs to allow per-user ACL downloads from a Cisco Secure ACS server to an authenticated switch.
 – Support for dynamic creation or attachment of an auth-default ACL on a port that has no ...
When there is a change in policy for a user or user group in AAA, administrators can send RADIUS CoA packets from the AAA server, such as Cisco Secure ACS, to reinitialize authentication and apply the new policies.
(sharing is the only supported mode on ingress queues)
Note
To use ingress queueing, the Catalyst 2960 switch must be running the LAN Base image.
Note
Ingress queueing is not supported on Catalyst 2960-S switches.
• Support for IEEE 802.3at (PoE+), which increases the available power that can be drawn by powered devices from 15.4 W per port to 30 W per port (Catalyst 2960-S only)
• Support for CDP with power consumption. The powered device notifies the switch of the amount of ...
• Supports the third-party UPoE power device that complies with Cisco Catalyst 3000 switches.
• Sources up to 60 W of power by configuring the 4-pair forced mode interface even if the power device does not support the Layer-2 power negotiation protocol, such as CDP or LLDP.
• Switch cluster is disabled. For more information about switch clusters, see Chapter 6, “Clustering Switches,” and the Getting Started with Cisco Network Assistant, available on Cisco.com.
• No passwords are defined. For more information, see Chapter 5, “Administering the Switch.”
...
 – No protected ports are defined. For more information, see Chapter 23, “Configuring Port-Based Traffic Control.”
 – Unicast and multicast traffic flooding is not blocked. For more information, see Chapter 23, “Configuring Port-Based Traffic Control.”
Ethernet connections.
• “Design Concepts for Using the Switch” section on page 1-19
• “Small to Medium-Sized Network Using Catalyst 2960, 2960-S and 2960-C Switches” section on page 1-24
• “Long-Distance, High-Bandwidth Transport Configuration” section on page 1-25
Design Concepts for Using the Switch
As your network users compete for network bandwidth, it takes longer to send and receive data.
All stack members have synchronized copies of the saved mission-critical applications and running configuration files of the switch stack.
Note
Stacking is supported only on Catalyst 2960-S switches running the LAN Base image.
...
• (Figure 1-1): A cost-effective way to connect many users to the wiring closet is to have a switch stack of up to four Catalyst 2960-S switches. To preserve switch connectivity if one switch in the stack fails, connect the switches as recommended in the hardware installation guide, and enable either cross-stack EtherChannel or cross-stack UplinkFast.
• (Figure 1-2): For high-speed access to network resources, you can use the Catalyst 2960 switch in the access layer to provide Gigabit Ethernet to the desktop. To prevent congestion, use QoS DSCP marking priorities on these switches. For high-speed IP forwarding at the distribution layer, connect the switches in the access layer to a Gigabit multilayer switch with routing capability, such as a Catalyst 3750 switch, or to a router.
The various lengths of stack cable available, ranging from 0.5 meter to 3 meters, provide extended connections to the switch stacks across multiple server racks, for multiple stack aggregation.
Data and multimedia traffic are configured on the same VLAN. Voice traffic from the Cisco IP Phones is configured on separate VVIDs. If data, multimedia, and voice traffic are assigned to the same VLAN, only one VLAN can be configured per wiring closet.
The CWDM OADM modules on the receiving end separate (or demultiplex) the different wavelengths. For more information about the CWDM SFP modules and CWDM OADM modules, see the Cisco CWDM GBIC and CWDM SFP Installation Note.
• Chapter 3, “Assigning the Switch IP Address and Default Gateway”
• To locate and download MIBs for a specific Cisco product and release, use the Cisco MIB Locator: http://cisco.com/public/sw-center/netmgmt/cmtk/mibs.shtml.
CHAPTER 2
Using the Command-Line Interface
This chapter describes the Cisco IOS command-line interface (CLI) and how to use it to configure your 2960, 2960-C or 2960-S switch. Unless otherwise noted, the term switch refers to a standalone switch and to a switch stack.
Line configuration mode is entered with the line vty or line console command. To return to privileged EXEC mode, press Ctrl-Z or enter end.
You need to enter only enough characters for the switch to recognize the command as unique. This example shows how to enter the show configuration privileged EXEC command in an abbreviated form:
Switch# show conf
Logging and Notification feature to track changes on a per-session and per-user basis. The logger tracks each configuration command that is applied, the user who entered the command, the time that the ...
Beginning in line configuration mode, enter this command to configure the number of command lines the switch records for all sessions on a particular line:
Switch(config-line)# history size number-of-lines
The range is from 0 to 256.
Although enhanced editing mode is automatically enabled, you can disable it, re-enable it, or configure a specific line to have enhanced editing. These procedures are optional. To globally disable enhanced editing mode, enter this command in line configuration mode:
Switch(config-line)# no editing
Delete from the cursor to the end of the word: press Esc D.
Capitalize or lowercase words, or capitalize a set of letters: to capitalize at the cursor, press Esc C.
The dollar sign ($) appears at the end of the line to show that the line has been scrolled to the right:
Switch(config)# access-list 101 permit tcp 131.108.2.5 255.255.255.0 131.108.1$
Commands you enter in one session are not displayed in the other sessions. Therefore, it is possible to lose track of the session from which you entered commands.
Note
Stacking is supported only on Catalyst 2960-S switches running the LAN Base image. We recommend using one CLI session when managing the switch stack.
9-42. The switch supports up to five simultaneous secure SSH sessions. After you connect through the console port, through a Telnet session or through an SSH session, the user EXEC prompt appears on the management station.
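The following is an added example, not a procedure from this guide, showing how a practitioner would close the two gaps the chapters above leave open on a freshly configured switch: the factory default of no passwords (Chapter 1) and remote CLI access that still accepts Telnet alongside SSH. The hostname, domain name, user name, and password strings are placeholders to be replaced; the commands themselves are standard Cisco IOS.

```cisco
! Added example (not from the guide). Replace the placeholder credentials before use.
Switch# configure terminal
! A hostname and domain name are required before an RSA host key can be generated.
Switch(config)# hostname Access-01
Access-01(config)# ip domain-name example.internal
! Local administrator account and enable password. "secret" stores a hash;
! "password" would store a reversible value, so it is avoided here.
Access-01(config)# username admin privilege 15 secret 0 Replace-Me-Admin-Pass
Access-01(config)# enable secret 0 Replace-Me-Enable-Pass
! RSA host key for the SSH server (2048 bits; the key is kept in NVRAM).
Access-01(config)# crypto key generate rsa modulus 2048
Access-01(config)# ip ssh version 2
Access-01(config)# ip ssh time-out 60
Access-01(config)# ip ssh authentication-retries 3
! Console: require the local account instead of the default open login.
Access-01(config)# line console 0
Access-01(config-line)# login local
Access-01(config-line)# exec-timeout 10 0
Access-01(config-line)# exit
! Virtual terminal lines: local login, SSH only (Telnet refused), 10-minute idle timeout.
Access-01(config)# line vty 0 15
Access-01(config-line)# login local
Access-01(config-line)# transport input ssh
Access-01(config-line)# exec-timeout 10 0
Access-01(config-line)# end
! Confirm SSH version 2 is active, then save.
Access-01# show ip ssh
Access-01# copy running-config startup-config
```

Verify from a management station with `ssh -l admin <switch-address>` and confirm that a Telnet connection to port 23 is refused. The `ip domain-name` and RSA key steps are prerequisites: without them `ip ssh version 2` is accepted but the SSH server does not start, and `transport input ssh` would then lock out all remote access, so keep the console session open until the SSH login has been tested.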
It also describes how to modify the switch startup configuration. For complete syntax and usage information for the commands used in this chapter, see the command reference for this release and the Cisco IOS IP Command Reference, Volume 1 of 3: Addressing and Services on Cisco.com.
If you are an experienced user familiar with the switch configuration steps, manually configure the switch. Otherwise, use the setup program described previously.
• Default Switch Information, page 3-3
• Understanding DHCP-Based Autoconfiguration, page 3-3
• Manually Assigning IP Information, page 3-14
DHCP client is invoked and requests the IP address information for those interfaces.
IP address for an interface, the client accepts the DHCP hostname option and sets the flag to show that the system now has a hostname configured.
Unless you configure a timeout, the DHCP-based autoconfiguration with a saved configuration feature tries indefinitely to download an IP address.
• The auto-install process stops if a configuration file cannot be downloaded or if the configuration file is corrupted.
The switch can act as a DHCP server. By default, the Cisco IOS DHCP server and relay agent features are enabled on your switch but are not configured, so they are not operational until you configure them. If your DHCP server is a Cisco device, for additional information about configuring DHCP, see the “Configuring...
If the relay device is a Cisco router, enable IP routing (ip routing global configuration command), and configure helper addresses by using the ip helper-address interface configuration command.
The switch sends a unicast message to the TFTP server to retrieve the network-confg or cisconet.cfg default configuration file. (If the network-confg file cannot be read, the switch reads the cisconet.cfg file.)
• It reads the configuration file that corresponds to its hostname; for example, it reads switch1-confg from the TFTP server.
Switches B through D retrieve their configuration files and IP addresses in the same way.
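The exchange described in this section, written out as an added example rather than a configuration taken from the guide: a Cisco IOS router serving DHCP for the access switches' subnet, the relay configuration used when that router is not on the same subnet as the switches, and the network-confg file the switches fetch to learn their hostnames. Addresses, hostnames, the interface name and the pool name are placeholders; option 150 is the Cisco TFTP server option and `bootfile` supplies the default configuration filename.

```cisco
! Added example (not from the guide). All addresses and names are placeholders.
!
! --- DHCP server (router R1) for the switch subnet 10.0.0.0/24
Router# configure terminal
! Keep infrastructure addresses out of the lease range.
Router(config)# ip dhcp excluded-address 10.0.0.1 10.0.0.20
Router(config)# ip dhcp pool ACCESS-SWITCHES
Router(dhcp-config)# network 10.0.0.0 255.255.255.0
Router(dhcp-config)# default-router 10.0.0.1
Router(dhcp-config)# dns-server 10.0.0.10
! Option 150: address of the TFTP server holding the configuration files.
Router(dhcp-config)# option 150 ip 10.0.0.5
! Default configuration file the switch requests first (falls back to cisconet.cfg).
Router(dhcp-config)# bootfile network-confg
Router(dhcp-config)# exit
Router(config)# end
!
! --- Relay (router R2) when the switches sit on a different subnet than R1
Router# configure terminal
Router(config)# ip routing
Router(config)# interface GigabitEthernet0/1
! Forward the switches' DHCP broadcasts as unicast to the DHCP server.
Router(config-if)# ip helper-address 10.0.0.1
Router(config-if)# end
!
! --- Contents of network-confg on the TFTP server 10.0.0.5 (IOS "ip host" syntax).
! Each switch looks up the address it was leased, takes the matching hostname,
! and then requests <hostname>-confg, e.g. switch1-confg.
ip host switch1 10.0.0.21
ip host switch2 10.0.0.22
ip host switch3 10.0.0.23
```

Neither DHCP nor TFTP authenticates the server, so any host that can answer DHCP on the switches' VLAN can hand a switch an arbitrary configuration. Keep that VLAN limited to the switches and the legitimate DHCP/TFTP servers during autoconfiguration, and check `show running-config` on a switch against the file on the TFTP server before trusting it.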
Specify the IP address and mask for the interface.
Step 17  end  Return to privileged EXEC mode.
Step 18  copy running-config startup-config  (Optional) Save your entries in the configuration file.
For information on setting the switch system name, protecting access to privileged EXEC commands, and setting time and calendar services, see Chapter 5, “Administering the Switch.”
EXEC command. For more information about alternative locations from which to copy the configuration file, see Appendix A, “Working with the Cisco IOS File System, Configuration Files, and Software Images.”
Configure the NVRAM buffer size in KB. The valid range for size is from 4096 to 1048576.
Step 3  end  Return to privileged EXEC mode.
Step 4  show boot  Verify the configuration.
• Controlling Environment Variables, page 3-21
See also Appendix A, “Working with the Cisco IOS File System, Configuration Files, and Software Images,” for information about switch configuration files.
Specifying the Filename to Read and Write the System Configuration
By default, the Cisco IOS software uses the file config.text to read and write a nonvolatile copy of the system configuration. However, you can specify a different filename, which is loaded during the next boot-up cycle.
Filenames and directory names are case sensitive.
Step 5  copy running-config startup-config  (Optional) Save your entries in the configuration file.
To disable manual booting, use the no boot manual global configuration command.
BOOT environment variable.
Step 5  copy running-config startup-config  (Optional) Save your entries in the configuration file.
To return to the default setting, use the no boot system global configuration command.
Cisco IOS configuration file can be stored as an environment variable. You can change the settings of the environment variables by accessing the boot loader or by using Cisco IOS commands. Under normal circumstances, it is not necessary to alter the setting of the environment variables.
(for example, to perform a software upgrade on all switches in the network).
Note
A scheduled reload must take place within approximately 24 days.
During the save operation, the system requests whether you want to proceed with the save if the CONFIG_FILE environment variable points to a startup configuration file that no longer exists. If you proceed in this situation, the system enters setup mode upon reload.
It displays reload information including the time the reload is scheduled to occur and the reason for the reload (if it was specified when the reload was scheduled).
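An added example, not from the guide, that ties together the two procedures above: setting the boot environment (the configuration filename, the image, and automatic rather than manual booting) and then scheduling the reload that makes the change take effect, with the check and cancel commands a practitioner uses around it. The file and image names, the delay, and the reload reason text are placeholders.

```cisco
! Added example (not from the guide). File and image names are placeholders.
Switch# configure terminal
! Nonvolatile configuration file to read and write instead of the default config.text.
Switch(config)# boot config-file flash:/config-lab.text
! Image the boot loader loads; sets the BOOT environment variable.
Switch(config)# boot system flash:/c2960s-universalk9-mz.bin
! Make sure the switch does not stop at the boot loader prompt (clears MANUAL_BOOT).
Switch(config)# no boot manual
Switch(config)# end
! Confirm the BOOT path-list, config file and manual-boot settings before rebooting.
Switch# show boot
Switch# copy running-config startup-config
!
! Reload in two hours with a recorded reason ...
Switch# reload in 2:00 Apply boot variable changes
! ... or at an absolute time (requires a synchronized clock; see Chapter 5).
Switch# reload at 02:00 15 jun Apply boot variable changes
! Review the pending reload, and cancel it if the window is missed.
Switch# show reload
Switch# reload cancel
```

Run `show boot` before the reload, not after: if `boot config-file` names a file that does not exist, the save prompt mentioned above is the last warning before the switch comes up in setup mode with an empty configuration.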
This chapter describes how to configure the feature on the Catalyst 2960, 2960-S, and 2960-C switch.
Note
For complete configuration information for the Cisco Configuration Engine, go to http://www.cisco.com/en/US/products/sw/netmgtsw/ps4617/tsd_products_support_series_home.html
For complete syntax and usage information for the commands used in this chapter, go to the Cisco IOS Network Management Command Reference, Release 12.4: http://www.cisco.com/en/US/docs/ios/netmgmt/command/reference/nm_book.html
...
(LDAP) URLs that reference the device-specific configuration information stored in a directory. The Cisco IOS agent can perform a syntax check on received configuration files and publish events to show the success or failure of the syntax check. The configuration agent can either apply configurations immediately or delay the application until receipt of a synchronization event from the configuration server.
Understanding Cisco Configuration Engine Software
Event Service
The Cisco Configuration Engine uses the Event Service for receipt and generation of configuration events. The event agent is on the switch and facilitates the communication between the switch and the event gateway on the Configuration Engine.
Therefore, the DeviceID, as originated on the switch, must match the DeviceID of the corresponding switch definition in the Configuration Engine. The origin of the DeviceID is defined by the Cisco IOS hostname of the switch. However, the DeviceID variable and its usage reside within the event gateway adjacent to the switch.
Understanding Cisco IOS Agents
The CNS event agent feature allows the switch to publish and subscribe to events on the event bus and works with the Cisco IOS agent. The Cisco IOS agent feature supports the switch by providing these features:
...
NVRAM for use at the next reboot.
Configuring Cisco IOS Agents
The Cisco IOS agents embedded in the switch Cisco IOS software allow the switch to be connected and automatically configured as described in the “Enabling Automated CNS Configuration” section on page 4-6.
Note
For more information about running the setup program and creating templates on the Configuration Engine, see the Cisco Configuration Engine Installation and Setup Guide, 1.5 for Linux: http://www.cisco.com/en/US/docs/net_mgmt/configuration_engine/1.5/installation_linux/guide/setup_1.html
Enabling the CNS Event Agent
You must enable the CNS event agent on the switch before you enable the CNS configuration agent.
This example shows how to enable the CNS event agent, set the IP address gateway to 10.180.1.27, set 120 seconds as the keepalive interval, and set 10 as the retry count.
Switch(config)# cns event 10.180.1.27 keepalive 120 10
Enabling the Cisco IOS CNS Agent
After enabling the CNS event agent, start the Cisco IOS CNS agent on the switch. You can enable the Cisco IOS agent with these commands:
...
Page 118
ID, enter an arbitrary text string for string string as the unique ID, or enter udi to set the unique device identifier (UDI) as the unique ID. Catalyst 2960 and 2960-S Switches Software Configuration Guide, Release 15.0(1)SE 4-10 OL-26520-01...
Page 119
Verify your entries. To disable the CNS Cisco IOS agent, use the no cns config initial {ip-address | hostname} global configuration command. This example shows how to configure an initial configuration on a remote switch when the switch configuration is unknown (the CNS Zero Touch feature).
RemoteSwitch(config)# cns id ethernet 0 ipaddress
RemoteSwitch(config)# cns config initial 172.28.129.22 no-persist
Enabling a Partial Configuration
Beginning in privileged EXEC mode, follow these steps to enable the Cisco IOS agent and to initiate a partial configuration on the switch:
Command...
Displays statistics about the CNS event agent.
show cns event subject Displays a list of event agent subjects that are subscribed to by applications.
The Catalyst 2960 and 2960-S switches run one of these images:
• The LAN base software image provides enterprise-class intelligent services such as access control lists (ACLs) and quality of service (QoS) features. On a Catalyst 2960-S switch, stacking is also supported.
•...
You can manage the system time and date on your switch using automatic configuration, such as the Network Time Protocol (NTP), or manual configuration methods.
Note For complete syntax and usage information for the commands used in this section, see the Cisco IOS Configuration Fundamentals Command Reference on Cisco.com.
These sections contain this configuration information:
• Understanding the System Clock, page 5-2
•...
Cisco’s implementation of NTP does not support stratum 1 service; it is not possible to connect to a radio or atomic clock. We recommend that the time service for your network be derived from the public NTP servers available on the IP Internet.
If the network is isolated from the Internet, Cisco’s implementation of NTP allows a device to act as if it is synchronized through NTP, when in fact it has learned the time by using other means. Other devices then synchronize to that device through NTP.
• For day, specify the day by date in the month.
• For month, specify the month by name.
• For year, specify the year (no abbreviation).
•
Atlantic Canada (AST) is UTC-3.5, where the 3 means 3 hours and .5 means 50 percent. In this case, the necessary command is:
clock timezone AST -3 30
To set the time to UTC, use the no clock timezone global configuration command.
This example shows how to specify that summer time starts on the first Sunday in April at 02:00 and ends on the last Sunday in October at 02:00:
Switch(config)# clock summer-time PDT recurring 1 Sunday April 2:00 last Sunday October 2:00
4. When you use this command, the stack member number is appended to the system prompt. For example, Switch-2# is the prompt in privileged EXEC mode for stack member 2, and the system prompt for the switch stack is Switch.
Administering the Switch Configuring a System Name and Prompt For complete syntax and usage information for the commands used in this section, see the Cisco IOS Configuration Fundamentals Command Reference and the Cisco IOS IP Command Reference, Volume 2 of 3: Routing Protocols.
If your network devices require connectivity with devices in networks for which you do not control name assignment, you can dynamically assign device names that uniquely identify your devices by using the global Internet naming scheme (DNS).
If there is a period (.) in the hostname, the Cisco IOS software looks up the IP address without appending any default domain name to the hostname.
Trying 172.2.5.4...
Connected to 172.2.5.4.
Escape character is '^]'.
This is a secure site. Only authorized users are allowed.
For access, contact technical support.
User Access Verification
Password:
(static or dynamic).
Note For complete syntax and usage information for the commands used in this section, see the command reference for this release.
Each VLAN maintains its own logical address table. A known address in one VLAN is unknown in another until it is learned or statically associated with a port in the other VLAN.
Step 5 copy running-config startup-config (Optional) Save your entries in the configuration file.
To return to the default value, use the no mac address-table aging-time global configuration command.
Enable the switch to send MAC address change notification traps to the NMS.
Step 4 mac address-table notification change Enable the MAC address change notification feature.
Switch(config-if)# snmp trap mac-notification change added
You can verify your settings by entering the show mac address-table notification change interface and the show mac address-table notification change privileged EXEC commands.
Return to privileged EXEC mode.
Step 7 show mac address-table notification threshold Verify your entries.
show running-config
Step 8 copy running-config startup-config (Optional) Save your entries in the configuration file.
For static unicast addresses, you can enter only one interface at a time, but you can enter the command multiple times with the same MAC address and VLAN ID.
You enable unicast MAC address filtering and configure the switch to drop packets with a specific address by specifying the source or destination unicast MAC address and the VLAN from which it is received.
VLAN ID that you enter is an internal VLAN, the switch generates an error message and rejects the command. To view internal VLANs in use, enter the show vlan internal usage privileged EXEC command.
Displays the aging time in all VLANs or the specified VLAN.
show mac address-table count Displays the number of addresses present in all VLANs or the specified VLAN.
(represented by the arpa keyword) is enabled on the IP interface. ARP entries added manually to the table do not age and must be manually removed.
Note For CLI procedures, see the Cisco IOS Release 12.4 documentation on Cisco.com.
These sections describe the role of web-based authentication as part of AAA:
• Device Roles, page 11-2
• Host Detection, page 11-2
• Session Creation, page 11-3
• Authentication Process, page 11-3
• IP address or a dynamic IP address.
• Dynamic ARP inspection
• DHCP snooping—Web-based authentication is notified when the switch creates a DHCP-binding entry for the host.
The terminate action is included in the response from the server.
• If the terminate action is default, the session is dismantled, and the applied policy is removed.
You create a banner by using the ip admission auth-proxy-banner http global configuration command. The default banner Cisco Systems and Switch host-name Authentication appear on the Login Page. Cisco Systems appears on the authentication result pop-up page, as shown in Figure 11-2.
Figure 11-4 Login Screen With No Banner
For more information, see the Cisco IOS Security Command Reference and the “Configuring a Web Authentication Local Banner” section on page 11-16.
• You must include an HTML redirect command in the success page to access a specific URL.
• The URL string must be a valid URL (for example, http://www.cisco.com). An incomplete URL might cause page not found or similar errors on a web browser.
You can then limit the number or group of clients that can access the network through the port. For more information about enabling port security, see the “Configuring Port Security” section on page 23-8.
ACLs
If you configure a VLAN ACL or a Cisco IOS ACL on an interface, the ACL is applied to the host traffic only after the web-based authentication host policy is applied. For Layer 2 web-based authentication, you must configure a port ACL (PACL) as the default access policy for ingress traffic from hosts connected to the port.
• You must configure the default ACL on the interface before configuring web-based authentication. Configure a port ACL for a Layer 2 interface or a Cisco IOS ACL for a Layer 3 interface.
• You cannot authenticate hosts on Layer 2 interfaces with static ARP cache assignment. These hosts...
This example shows how to enable web-based authentication on Fast Ethernet port 5/1:
Switch(config)# ip admission name webauth1 proxy http
Switch(config)# interface fastethernet 5/1
Switch(config-if)# ip admission webauth1
Switch(config-if)# exit
Switch(config)# ip device tracking
Configuring Switch-to-RADIUS-Server Communication
RADIUS security servers identification:
• Host name
• Host IP address
• Host name and specific UDP port numbers
• IP address and specific UDP port numbers
For more information, see the Cisco IOS Security Configuration Guide and the Cisco IOS Security Command Reference: http://www.cisco.com/en/US/docs/ios/12_2/security/command/reference/fsecur_r.html
Step 2 ip admission proxy http success page file device:success-filename Specify the location of the custom HTML file to use in place of the default login success page.
Authentication global init state time is 2 minutes
Authentication Proxy Session ratelimit is 100
Authentication Proxy Watch-list is disabled
Authentication Proxy Auditing is disabled
Max Login attempts per user is 5
(Optional) Save your entries in the configuration file.
This example shows how to set the maximum number of failed login attempts to 10:
Switch(config)# ip admission max-login-attempts 10
This example shows how to remove the web-based authentication session for the client at the IP address 209.165.201.1:
Switch# clear ip auth-proxy cache 209.165.201.1
This example shows how to view only the global web-based authentication status:
Switch# show authentication sessions
This example shows how to view the web-based authentication settings for gigabit interface 3/27:
Switch# show authentication sessions interface gigabitethernet 3/27
CHAPTER
Clustering Switches
This chapter provides the concepts and procedures to create and manage Catalyst 2960, 2960-S, or 2960-C switch clusters. Unless otherwise noted, the term switch refers to a standalone switch and to a switch stack.
Cluster members can belong to only one cluster at a time.
Note A switch cluster is different from a switch stack. A switch stack is a set of Catalyst 2960-S switches connected through their stack ports.
Member switch only
Cluster Command Switch Characteristics
A cluster command switch must meet these requirements:
• It is running Cisco IOS Release 12.2(25)FX or later for a Catalyst 2960 switch, or Cisco IOS Release 12.2(53)SE or later for a Catalyst 2960-S switch.
Note Standby cluster command switches must be the same type of switches as the cluster command switch. For example, if the cluster command switch is a Catalyst 2960 switch, the standby cluster command switches must also be Catalyst 2960 switches. If the cluster command switch is a Catalyst 2960-S switch, the standby cluster command switches must also be Catalyst 2960-S switches.
Java plug-in configurations.
Automatic Discovery of Cluster Candidates and Members
The cluster command switch uses Cisco Discovery Protocol (CDP) to discover cluster member switches, candidate switches, neighboring switch clusters, and edge devices across multiple VLANs and in star or cascaded topologies.
Discovery Through Non-CDP-Capable and Noncluster-Capable Devices
If a cluster command switch is connected to a non-CDP-capable third-party hub (such as a non-Cisco hub), it can discover cluster-enabled devices connected to that third-party hub. However, if the cluster command switch is connected to a noncluster-capable Cisco device, it cannot discover a cluster-enabled device connected beyond the noncluster-capable Cisco device.
VLAN in common with the cluster command switch. They do not need to be connected to the cluster command switch through their management VLAN. The default management VLAN is VLAN 1.
Figure 6-4 (assuming they are Catalyst 2960, Catalyst 2970, Catalyst 2975, Catalyst 3550, Catalyst 3560, or Catalyst 3750 cluster command switches) have ports assigned to VLANs 9, 16, and 62. The management VLAN on the cluster command switch is VLAN 9. Each cluster command switch discovers the switches in the different...
Note The HSRP standby hold time interval should be greater than or equal to three times the hello time interval. The default HSRP standby hold time interval is 10 seconds. The default HSRP standby hello time interval is 3 seconds.
If your switch cluster has a Catalyst 2960 switch or a Cisco FlexStack (a stack that contains only 2960-S switches), it should be the cluster command switch.
However, because it was a passive standby cluster command switch, the previous cluster command switch did
If a switch has a hostname, it retains that name when it joins a cluster and when it leaves the cluster.
Switch Clusters and Switch Stacks
A switch cluster can have one or more Catalyst 2960-S switch stacks. Each switch stack can act as the cluster command switch or as a single cluster member.
Cluster configuration of switch stacks is through the stack master. These are considerations to keep in mind when you have switch stacks in switch clusters:
• If the cluster command switch is not a Catalyst 2960-S switch or switch stack and a new stack master...
Telnet session (through a console or Telnet connection) and to access the cluster member switch CLI. The command mode changes, and the Cisco IOS commands operate as usual. Enter the exit privileged EXEC command on the cluster member switch to return to the command-switch CLI.
“Switch Clusters and Switch Stacks” section on page 6-13. Stacking is supported only on Catalyst 2960-S switches running the LAN base image.
Catalyst 1900 and Catalyst 2820 CLI Considerations
If your switch cluster has Catalyst 1900 and Catalyst 2820 switches running standard edition software, the Telnet session accesses the management console (a menu-driven interface) if the cluster command switch is at privilege level 15.
Chapter 30, “Configuring SNMP.”
Figure 6-7 SNMP Management for a Cluster
Chapter 6 Clustering Switches
Using SNMP to Manage Switch Clusters
Understanding Stacks
A switch stack is a set of up to four Catalyst 2960-S switches connected through their stack ports. One of the switches controls the operation of the stack and is called the stack master. The stack master and the other switches in the stack are stack members.
– Minor Version Number Incompatibility Among Switches, page 7-10
– Incompatible Software and Member Image Upgrades, page 7-13
– Stack Configuration Files, page 7-14
– Additional Considerations for System-Wide Configuration on Switch Stacks, page 7-14
– Stack Configuration Scenarios, page 7-16
Stack Membership
Note A switch stack can have only Catalyst 2960-S stack members.
A standalone switch is a stack with one member that is also the master. You can connect one standalone switch to another...
Creating a Switch Stack from Two Standalone Switches
Figure 7-2 Adding a Standalone Switch to a Switch Stack
When a new master is elected and the previous stack master becomes available, the previous master does not resume its role as stack master. For all powering considerations that affect stack-master elections, see the “Switch Installation” chapter in the hardware installation guide.
3-21.
• Member numbers and configurations, see the “Stack Configuration Files” section on page 7-14.
• Merging stacks, see the “Stack Membership” section on page 7-3.
•
The startup configuration file ensures that the stack can reload and can use the saved information whether or not the provisioned switch is part of the stack.
The switch type of the provisioned switch does not match the switch type in the provisioned configuration on the stack.
Stack Software Compatibility Recommendations
All stack members must run the same Cisco IOS software version to ensure compatibility in the stack protocol version among the members.
1 is the major version number and 4 is the minor version number). Switches with the same Cisco IOS software version have the same stack protocol version. All features function properly across the stack. These switches with the same software version as the master immediately join the stack.
You can use the archive download-sw /allow-feature-upgrade privileged EXEC command to allow installing an image with a different feature set.
*Mar 11 20:36:15.038:%IMAGEMGR-6-AUTO_COPY_SW:Extracting images from archive into flash on switch 1...
*Mar 11 20:36:15.038:%IMAGEMGR-6-AUTO_COPY_SW:c260c-lanbase-mz.122-50.SE (directory)
*Mar 11 20:36:15.038:%IMAGEMGR-6-AUTO_COPY_SW:extracting c260c-lanbase-mz.122-50.SE/c260c-lanbase-mz.122-50.SE (4945851 bytes)
*Mar 11 20:36:15.038:%IMAGEMGR-6-AUTO_COPY_SW:extracting c260c-lanbase-mz.122-50.SE/info (450 bytes)
*Mar 11 20:36:15.038:%IMAGEMGR-6-AUTO_COPY_SW:extracting info (104 bytes)
*Mar 11 20:36:15.038:%IMAGEMGR-6-AUTO_COPY_SW:
For more information, see the “Copying an Image File from One Stack Member to Another” section on page A-38.
• Configuration Files, and Software Images.”
Additional Considerations for System-Wide Configuration on Switch Stacks
• “Planning and Creating Clusters” chapter in the Getting Started with Cisco Network Assistant, available on Cisco.com
• “MAC Addresses and Switch Stacks” section on page 5-15
•...
Therefore, it is possible that you might not be able to identify the session from which you entered a command. We recommend that you use only one CLI session when managing the stack.
The master is kept. The new switch is added to the stack.
Through their stack ports, connect the new switch to a powered-on stack. Power on the new switch.
However, you can set the persistent MAC address feature with a time delay before the stack MAC address changes. During this time period, if the previous master rejoins the stack, the stack
If the previous master does not rejoin the stack during this period, the stack uses the MAC address of the new master as the stack MAC address.
Note If the entire switch stack reloads, it acquires the MAC address of the master as the stack MAC address.
Step 5 copy running-config startup-config (Optional) Save your entries in the configuration file.
Use the no stack-mac persistent timer global configuration command to disable the persistent MAC address feature.
Reset the stack member.
Step 5 show switch Verify the stack member number.
Step 6 copy running-config startup-config Save your entries in the configuration file.
For type, enter the model number of the member.
Step 4 Return to privileged EXEC mode.
Step 5 show running-config Verify the correct numbering of interfaces in the configuration.
Only the show and debug commands are available on a specific member. For more information, see the “Using Interface Configuration Mode” section on page 12-16.
• If the stack is in the full-ring state, you can disable only one stack port. This message appears:
Enabling/disabling a stack port may cause undesired stack changes. Continue?[confirm]
• OK—A cable is detected, and the connected neighbor is up.
Neighbor Switch number of the active member at the other end of the stack cable.
• No—At least one stack port on the member has an attached stack cable.
• Yes—None of the stack ports on the member has an attached stack cable.
Understanding the SDM Templates
Note The SDM template used by the Catalyst 2960-C Gigabit Ethernet switch and by the Catalyst 2960-S running the LAN Lite image is a default template and is not configurable. Catalyst 2960-S switches running the LAN base image support a default template and the lanbase-routing template.
Chapter 8 Configuring SDM Templates
Understanding the SDM Templates
Note The lanbase-routing template is supported only on Catalyst 2960 and 2960-S switches running Cisco IOS Release 12.2(55)SE or later and only with the LAN base image.
• QoS—The QoS template maximizes system resources for quality of service (QoS) access control entries (ACEs).
SDM Templates and Switch Stacks
Note Stacking is supported only on Catalyst 2960-S switches running the LAN base image.
All stack members use the same SDM template that is stored on the stack master. When a new switch is added to a stack, as with the switch configuration and VLAN database files, the SDM configuration that is stored on the stack master overrides the template configured on an individual switch.
• Setting the SDM Template, page 8-5
Default SDM Template
The default template for the Catalyst 2960 and 2960-S switches is the default desktop template.
SDM Template Configuration Guidelines
• You configure multiple SDM templates on Catalyst 2960 switches and on Catalyst 2960-C Fast Ethernet switches.
If you enter the show sdm prefer command before you enter the reload privileged EXEC command, the show sdm prefer command shows the template in use and the template that becomes active after a reload.
Use the show sdm prefer [default | dual-ipv4-and-ipv6 default | lanbase-routing | qos] privileged EXEC command to display the resource numbers supported by the specified template.
Note The Catalyst 2960-S switch supports only the default and lanbase-routing templates. The Catalyst 2960-C Gigabit Ethernet switch supports only a default template.
CHAPTER
Configuring Switch-Based Authentication
This chapter describes how to configure switch-based authentication on the Catalyst 2960, 2960-S, or 2960-C switch. Unless otherwise noted, the term switch refers to a standalone switch and to a switch stack.
Password protection restricts access to a network or network device. Privilege levels define what commands users can enter after they have logged into a network device.
Note For complete syntax and usage information for the commands used in this section, see the Cisco IOS Security Command Reference, Release 12.4 on Cisco.com.
We recommend that you use the enable secret command because it uses an improved encryption algorithm. If you configure the enable secret command, it takes precedence over the enable password command; the two commands cannot be in effect simultaneously.
To remove a password and level, use the no enable password [level level] or no enable secret [level level] global configuration command. To disable password encryption, use the no service password-encryption global configuration command.
Disable password recovery. This setting is saved in an area of the flash memory that is accessible by the boot loader and the Cisco IOS image, but it is not part of the file system and is not accessible by any user.
If you have defined privilege levels, you can also assign a specific privilege level (with associated rights and privileges) to each username and password pair.
Configuring Multiple Privilege Levels
By default, the Cisco IOS software has two modes of password security: user EXEC and privileged EXEC. You can configure up to 16 hierarchical levels of commands for each mode. By configuring multiple passwords, you can allow different sets of users to have access to specified commands.
This example shows how to set the configure command to privilege level 14 and define SecretPswd14 as the password users must enter to use level 14 commands:
Switch(config)# privilege exec level 14 configure
Switch(config)# enable password level 14 SecretPswd14
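The following Python script is an added example, not code from the Cisco guide, that applies the rules stated in this section to a saved running-config: enable secret takes precedence over enable password, a password not covered by service password-encryption sits in clear text, and a privilege level that has commands assigned to it needs an enable credential of its own. The regular expressions, the EnableAudit class, and both sample configurations (including the type 5 and type 7 strings) are constructed for this example; only the command syntax comes from the guide.

```python
"""Audit enable credentials and privilege levels in a Cisco IOS running-config.

Added example, not code from the Cisco guide. It parses the 'enable secret',
'enable password', 'service password-encryption' and 'privilege ... level'
lines described in the text and reports a level guarded only by an enable
password, a password stored in clear text, and an enable password that is
shadowed because enable secret takes precedence. Sample data is constructed.
"""
import re
from dataclasses import dataclass, field

# enable {secret|password} [level N] [type] <value>
ENABLE_RE = re.compile(r"^enable (secret|password)(?: level (\d+))?(?: (\d+))? (\S+)$")
# privilege <mode> level N <command...>
PRIV_RE = re.compile(r"^privilege (\S+) level (\d+) (.+)$")


@dataclass
class EnableAudit:
    service_password_encryption: bool = False
    secrets: dict = field(default_factory=dict)         # level -> hash type ("5", "9", ...)
    passwords: dict = field(default_factory=dict)       # level -> "plain" or encryption type
    privilege_cmds: dict = field(default_factory=dict)  # level -> ["mode:command", ...]
    findings: list = field(default_factory=list)        # (level, code, detail)


def audit_enable_config(config_text: str) -> EnableAudit:
    a = EnableAudit()
    for raw in config_text.splitlines():
        line = raw.strip()
        if line == "service password-encryption":
            a.service_password_encryption = True
            continue
        m = ENABLE_RE.match(line)
        if m:
            kind, level, enc, _value = m.groups()
            lvl = int(level) if level else 15   # no "level" keyword means level 15
            enc = "plain" if enc in (None, "0") else enc
            (a.secrets if kind == "secret" else a.passwords)[lvl] = enc
            continue
        m = PRIV_RE.match(line)
        if m:
            mode, level, command = m.groups()
            a.privilege_cmds.setdefault(int(level), []).append(f"{mode}:{command}")

    for lvl, enc in a.passwords.items():
        if lvl in a.secrets:
            a.findings.append((lvl, "BOTH_SET",
                               "enable secret takes precedence; the enable password is unused"))
        else:
            a.findings.append((lvl, "PASSWORD_ONLY",
                               f"level guarded only by enable password (type {enc})"))
        if enc == "plain" and not a.service_password_encryption:
            a.findings.append((lvl, "PLAINTEXT",
                               "password is stored in clear text in the configuration"))
    for lvl in a.privilege_cmds:
        if lvl not in a.secrets and lvl not in a.passwords:
            a.findings.append((lvl, "NO_CREDENTIAL",
                               "commands assigned to a level with no enable secret or password"))
    a.findings.sort()
    return a


# Constructed sample: the guide's level-14 example plus a level-15 secret/password pair.
SAMPLE_CONFIG = """\
hostname Switch
!
enable password level 14 SecretPswd14
enable password 7 0822455D0A16
enable secret 5 $1$mERr$hx5rVt7rPNoS4wqbXKX7m0
privilege exec level 14 configure
"""

# Constructed hardened variant: secrets on every used level, no clear-text passwords.
HARDENED_CONFIG = """\
service password-encryption
enable secret 5 $1$mERr$hx5rVt7rPNoS4wqbXKX7m0
enable secret level 14 5 $1$abcd$Lk7Yr3VtQ9x1
privilege exec level 14 configure
"""

if __name__ == "__main__":
    for lvl, code, detail in audit_enable_config(SAMPLE_CONFIG).findings:
        print(f"level {lvl}: {code}: {detail}")
```

Run against SAMPLE_CONFIG the audit reports level 14 as password-only and in clear text, and level 15 as having an unused enable password; HARDENED_CONFIG produces no findings.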
Log in to a specified privilege level. For level, the range is 0 to 15.
Step 2 disable level Exit to a specified privilege level. For level, the range is 0 to 15.
“Implementing ADSL for IPv6” chapter in the Cisco IOS XE IPv6 Configuration Guide, Release
Note For complete syntax and usage information for the commands used in this section, see the Cisco IOS Security Command Reference, Release 12.4 and the Cisco IOS IPv6 Command Reference.
TACACS+ daemon are encrypted. You need a system running the TACACS+ daemon software to use TACACS+ on your switch.
This process continues until there is successful communication with a listed method or the method list is exhausted.
TACACS+ daemon. You must configure the same key on the TACACS+ daemon for encryption to be successful.
Step 3 aaa new-model Enable AAA.
Beginning in privileged EXEC mode, follow these steps to configure login authentication:
Command Purpose
Step 1 configure terminal Enter global configuration mode.
Step 2 aaa new-model Enable AAA.
{default | list-name} method1 [method2...] global configuration command. To either disable TACACS+ authentication for logins or to return to the default value, use the no login authentication {default | list-name} line configuration command.
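The method-list behaviour described above (the switch tries each listed method in turn and moves on only when it cannot communicate with the current one) is modelled in the following Python script, which is an added example and not code from the Cisco guide. It assumes the standard Cisco AAA semantics: a method that cannot be reached returns an error and the next method is tried; a method that answers and rejects the credentials ends the list with a denial; a list ending in none grants access whenever every earlier method is unreachable. The method stand-ins, user tables and scenario functions are constructed for illustration.

```python
"""Model of Cisco IOS AAA login method-list fallback.

Added example, not code from the Cisco guide. Each method returns PASS,
FAIL or ERROR. ERROR (no communication with the method) moves the switch
to the next method; FAIL (credentials rejected) ends the list; PASS grants
access. Method names and user stores below are constructed.
"""
from enum import Enum


class Outcome(Enum):
    PASS = "pass"    # method answered and accepted the credentials
    FAIL = "fail"    # method answered and rejected the credentials
    ERROR = "error"  # method could not be reached; try the next one


def tacacs_group(reachable, server_users):
    """Constructed stand-in for 'group tacacs+': unreachable daemon -> ERROR."""
    def method(user, password):
        if not reachable:
            return Outcome.ERROR
        return Outcome.PASS if server_users.get(user) == password else Outcome.FAIL
    return method


def local_database(local_users):
    """Stand-in for 'local': answers from the switch's own username table."""
    def method(user, password):
        return Outcome.PASS if local_users.get(user) == password else Outcome.FAIL
    return method


def none_method():
    """Stand-in for 'none': no authentication is performed, everyone passes."""
    def method(user, password):
        return Outcome.PASS
    return method


def authenticate(method_list, user, password):
    """Walk the method list; return (granted, trace).

    trace holds (method name, outcome) for every method actually consulted,
    which is what an operator wants when debugging a lockout or an
    unexpected fallback to a weaker method.
    """
    trace = []
    for name, method in method_list:
        outcome = method(user, password)
        trace.append((name, outcome))
        if outcome is Outcome.ERROR:
            continue                               # no communication: fall through
        return outcome is Outcome.PASS, trace      # PASS or FAIL is final
    return False, trace                            # list exhausted: access denied


# Constructed example data.
SERVER_USERS = {"netops": "Tacacs-Pw1"}
LOCAL_USERS = {"admin": "Local-Pw1"}


def scenario_server_down_local_fallback():
    """TACACS+ unreachable: the local database is consulted next."""
    methods = [("group tacacs+", tacacs_group(False, SERVER_USERS)),
               ("local", local_database(LOCAL_USERS))]
    return authenticate(methods, "admin", "Local-Pw1")


def scenario_server_up_rejects():
    """TACACS+ answers and rejects: 'local' is never consulted."""
    methods = [("group tacacs+", tacacs_group(True, SERVER_USERS)),
               ("local", local_database(LOCAL_USERS))]
    return authenticate(methods, "admin", "Local-Pw1")


def scenario_none_fallback():
    """A trailing 'none' admits anyone while the server is down."""
    methods = [("group tacacs+", tacacs_group(False, SERVER_USERS)),
               ("none", none_method())]
    return authenticate(methods, "anybody", "whatever")


if __name__ == "__main__":
    for fn in (scenario_server_down_local_fallback, scenario_server_up_rejects,
               scenario_none_fallback):
        granted, trace = fn()
        print(fn.__name__, "granted" if granted else "denied", trace)
```

The second scenario is the one that surprises operators: a local account that works while the TACACS+ server is down stops working the moment the server is reachable again, because the server's rejection is final. The third scenario shows why a method list should not end in none on a production switch.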
Configuring AAA authentication does not secure the switch for HTTP access by using AAA methods. For more information about the ip http authentication command, see the Cisco IOS Security Command Reference, Release 12.4 on Cisco.com.
(AV) pairs and is stored on the security server. This data can then be analyzed for network management, client billing, or auditing. Beginning in privileged EXEC mode, follow these steps to enable TACACS+ accounting for each Cisco IOS privilege level and for network services:...
“Implementing ADSL for IPv6” chapter in the Cisco IOS XE IPv6 Configuration Guide, Release
Note For complete syntax and usage information for the commands used in this section, see the Cisco IOS Security Command Reference and the Cisco IOS IPv6 Command Reference.
• X.25 PAD connections.
• Switch-to-switch or router-to-router situations. RADIUS does not provide two-way authentication. RADIUS can be used to authenticate from one device to a non-Cisco device if the non-Cisco device requires authentication.
• Networks using a variety of services. RADIUS generally binds a user to one service model.
• Session termination with port shutdown
• Session termination with port bounce
This feature is integrated with the Cisco Secure Access Control Server (ACS) 5.1. For information about ACS: http://www.cisco.com/en/US/products/ps9911/tsd_products_support_series_home.html
The RADIUS interface is enabled by default on Catalyst switches. However, some basic configuration is required for these attributes: Security and Password—See the...
Error-Cause Values
Value  Explanation
Residual Session Context Removed
Invalid EAP Packet (Ignored)
Unsupported Attribute
Missing Attribute
NAS Identification Mismatch
Invalid Request
Unsupported Service
Unsupported Extension
Invalid Attribute Value
• CoA Disconnect-Request
• CoA Request: Disable Host Port
• CoA Request: Bounce-Port
Beginning with Cisco IOS Release 12.2(52)SE, the switch supports the commands shown in Table 9-4.
Table 9-4  CoA Commands Supported on the Switch
Command  Cisco VSA
Reauthenticate host  Cisco:Avpair=“subscriber:command=reauthenticate”...
“Session Identification” section on page 9-22. If the session cannot be located, the switch returns a
Stacking Guidelines for CoA-Request Bounce-Port
Because the bounce-port command is targeted at a session, not a port, if the session is not found, the command cannot be executed.
You should have access to and should configure a RADIUS server before configuring RADIUS features on your switch.
• Default RADIUS Configuration, page 9-27
• Identifying the RADIUS Server Host, page 9-27 (required)
• Configuring RADIUS Login Authentication, page 9-30 (required)
To apply these settings globally to all RADIUS servers communicating with the switch, use the three unique global
You can configure the switch to use AAA server groups to group existing server hosts for authentication. For more information, see the “Defining AAA Server Groups” section on page 9-32.
This example shows how to configure one RADIUS server to be used for authentication and another to be used for accounting:
Switch(config)# radius-server host 172.29.36.49 auth-port 1612 key rad1
Switch(config)# radius-server host 172.20.36.50 acct-port 1618 key rad2
RADIUS server in the AAA server group. Each server in the group must be previously defined in Step 2.
Step 6  Return to privileged EXEC mode.
Step 7  show running-config  Verify your entries.
Use the local database if authentication was not performed by using RADIUS.
Note: Authorization is bypassed for authenticated users who log in through the CLI even if authorization has been configured.
(AV) pairs and is stored on the security server. This data can then be analyzed for network management, client billing, or auditing. Beginning in privileged EXEC mode, follow these steps to enable RADIUS accounting for each Cisco IOS privilege level and for network services:...
(Optional) Save your entries in the configuration file. To return to the default setting for the retransmit, timeout, and deadtime, use the no forms of these commands.
1, which is named cisco-avpair. The value is a string with this format: protocol : attribute sep value * Protocol is a value of the Cisco protocol attribute for a particular type of authorization. Attribute and value are an appropriate attribute-value (AV) pair defined in the Cisco TACACS+ specification, and sep is = for mandatory attributes and is * for optional attributes.
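An added example, not code from the guide: a small Python parser for the cisco-avpair string format described above (protocol, attribute, separator, value), which also classifies each pair as mandatory (=) or optional (*). The sample attribute strings are constructed for this example; shell:priv-lvl and ip:inacl#n are standard Cisco AV pair names, while shell:roles is invented here to show an optional pair.

```python
"""Parser for the value of the Cisco vendor-specific RADIUS attribute 1 (cisco-avpair).

Documented shape:  protocol : attribute sep value
  sep is "=" for a mandatory attribute and "*" for an optional attribute.
"""
from dataclasses import dataclass
from typing import List, Tuple


@dataclass(frozen=True)
class CiscoAVPair:
    protocol: str
    attribute: str
    value: str
    mandatory: bool


def parse_cisco_avpair(raw: str) -> CiscoAVPair:
    """Split a cisco-avpair string into protocol, attribute, value and obligation.

    The protocol ends at the first ':'; the separator is the first '=' or '*'
    after it, so a value may itself contain '=' or '*' without confusing the split.
    Raises ValueError for strings that do not follow the documented shape.
    """
    protocol, colon, rest = raw.partition(":")
    protocol = protocol.strip()
    if not colon or not protocol:
        raise ValueError(f"missing protocol prefix in {raw!r}")
    # Whichever separator appears first ends the attribute name.
    positions = [i for i in (rest.find("="), rest.find("*")) if i >= 0]
    if not positions:
        raise ValueError(f"no '=' or '*' separator in {raw!r}")
    sep_index = min(positions)
    attribute = rest[:sep_index].strip()
    value = rest[sep_index + 1:].strip()
    if not attribute:
        raise ValueError(f"empty attribute name in {raw!r}")
    return CiscoAVPair(protocol, attribute, value, mandatory=(rest[sep_index] == "="))


def split_by_obligation(pairs: List[CiscoAVPair]) -> Tuple[List[CiscoAVPair], List[CiscoAVPair]]:
    """Separate pairs the NAS must honour (mandatory) from those it may ignore (optional)."""
    mandatory = [p for p in pairs if p.mandatory]
    optional = [p for p in pairs if not p.mandatory]
    return mandatory, optional


# Constructed sample cisco-avpair strings in the documented shape.
SAMPLE_AVPAIRS = [
    "shell:priv-lvl=15",                       # mandatory: EXEC privilege level
    "ip:inacl#1=permit tcp any any eq 22",     # mandatory: attribute name contains '#'
    "subscriber:command=reauthenticate",       # mandatory: CoA command
    "shell:roles*network-operator",            # optional: '*' separator (attribute name invented)
]

if __name__ == "__main__":
    parsed = [parse_cisco_avpair(s) for s in SAMPLE_AVPAIRS]
    for p in parsed:
        kind = "mandatory" if p.mandatory else "optional"
        print(f"{p.protocol:<12}{p.attribute:<10}{kind:<10}{p.value}")
```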
Although an IETF draft standard for RADIUS specifies a method for communicating vendor-proprietary information between the switch and the RADIUS server, some vendors have extended the RADIUS attribute set in a unique way. Cisco IOS software supports a subset of vendor-proprietary RADIUS attributes.
Step 7  auth-type {any | all | session-key}  Specify the type of authorization the switch uses for RADIUS clients. The client must match all the configured attributes for authorization.
Configuring RADIUS Server Load Balancing
This feature allows access and authentication requests to be distributed evenly across all RADIUS servers in a server group. For more information, see the “RADIUS Server Load Balancing” chapter of the Cisco IOS Security Configuration Guide: http://www.ciscosystems.com/en/US/docs/ios/12_2sb/feature/guide/sbrdldbl.html...
(Optional) Save your entries in the configuration file. To disable AAA, use the no aaa new-model global configuration command. To disable authorization, use the no aaa authorization {network | exec} method1 global configuration command.
You can use an SSH client to connect to a switch running the SSH server. The SSH server works with the SSH client supported in this release and with non-Cisco SSH clients. The SSH client also works with the SSH server supported in this release and with non-Cisco SSH servers.
When generating the RSA key pair, the message No host name specified might appear. If it does, you must configure a hostname by using the hostname global configuration command.
Setting Up the Switch to Run SSH
Follow these steps to set up your switch to run SSH:
1. Download the cryptographic software image from Cisco.com. This step is required. For more information, see the release notes for this release.
2. Configure a hostname and IP domain name for the switch. Follow this procedure only if you are configuring the switch as an SSH server.
(Optional) Save your entries in the configuration file. To return to the default SSH control parameters, use the no ip ssh {timeout | authentication-retries} global configuration command.
• Displaying Secure HTTP Server and Client Status, page 9-52
For configuration examples and complete syntax and usage information for the commands used in this section, see the “HTTPS - HTTP Server and Client with SSL 3.0” feature description for Cisco IOS Release 12.2(15)T: http://www.cisco.com/en/US/docs/ios/netmgmt/configuration/guide/nm_https_sc_ssl3.html...
Configuring the Switch for Secure Socket Layer HTTP The primary role of the HTTP secure client (the web browser) is to respond to Cisco IOS application requests for HTTPS User Agent services, perform HTTPS User Agent services for the application, and pass the response back to the application.
For additional information on Certificate Authorities, see the “Configuring Certification Authority Interoperability” chapter in the Cisco IOS Security Configuration Guide, Release 12.4 on Cisco.com.
CipherSuites
A CipherSuite specifies the encryption algorithm and the digest algorithm to use on an SSL connection.
(Optional) Specify that the trustpoint should be used as the primary (default) trustpoint for CA requests.
Step 10  exit  Exit CA trustpoint configuration mode and return to global configuration mode.
The default is for the client to request a certificate from the server, but the server does not attempt to authenticate the client.
HTTP client certification. This procedure assumes that you have previously configured a CA trustpoint on the switch. If a CA trustpoint is not configured and the remote HTTPS server requires client authentication, connections to the secure HTTP client fail.
Berkeley r-tools. For SSH to work, the switch needs an RSA public/private key pair. This is the same with SCP, which relies on SSH for its secure transport.
A user who has appropriate authorization can use SCP to copy any file in the Cisco IOS File System (IFS) to and from a switch by using the copy command. An authorized administrator can also do this from a workstation.
Chapter 9  Configuring Switch-Based Authentication
Configuring the Switch for Secure Copy Protocol
Note: Stacking is supported only on Catalyst 2960-S switches running the LAN base image.
The Catalyst 2960, 2960-S, and 2960-C switch command reference and the “RADIUS Commands” section in the Cisco IOS Security Command Reference, Release 12.4, have command syntax and usage information. This chapter includes these sections: Understanding IEEE 802.1x Port-Based Authentication, page 10-1...
Note: To use IEEE 802.1x authentication with ACLs and the Filter-Id attribute, the switch must be running the LAN base image.
• Common Session ID, page 10-35
Authentication Protocol (EAP) extensions is the only supported authentication server. It is available in Cisco Secure Access Control Server Version 3.0 or later. RADIUS operates in a client/server model in which secure authentication information is exchanged between the RADIUS server and one or more RADIUS clients.
(critical authentication) to assign the critical port to a VLAN.
1 = This occurs if the switch does not detect EAPOL packets from the client.
Done
VLAN that provides limited services, or network access is not granted. For more information, see the “Ports in Authorized and Unauthorized States” section on page 10-10.
VLAN. If the switch detects an EAPOL packet while waiting for an Ethernet packet, the switch stops the MAC authentication bypass process and stops 802.1x authentication. Figure 10-4 shows the message exchange during MAC authentication bypass.
Authentication Manager
In Cisco IOS Release 12.2(46)SE and earlier, you could not use the same authorization methods, including CLI commands and messages, on this switch and also on other network devices, such as a Catalyst 6000. You had to use separate authentication configurations. Cisco IOS Release 12.2(50)SE and later supports the same authorization methods on all Catalyst switches in a network.
ACL configured on another device running Cisco IOS software, such as a Catalyst 6000 switch. In Cisco IOS Release 12.2(50)SE or later, the ACLs configured on the switch are compatible with other devices running the Cisco IOS release.
Enable the restricted VLAN on a port.
dot1x critical (interface configuration)  Enable the inaccessible-authentication-bypass feature.
dot1x guest-vlan  Specify an active VLAN as a guest VLAN.
Beginning with Cisco IOS Release 12.2(55)SE, you can filter out verbose system messages generated by the authentication manager. The filtered content typically relates to authentication success. You can also filter verbose messages for 802.1x authentication and MAB authentication.
802.1x Authentication and Switch Stacks
Note: Switch stacks are supported only on Catalyst 2960-S switches running the LAN base image.
If a switch is added to or removed from a switch stack, 802.1x authentication is not affected as long as the IP connectivity between the RADIUS server and the stack remains intact.
In this topology, the wireless access point is responsible for authenticating the clients attached to it, and it also acts as a client to the switch.
Figure 10-5  Multiple Host Mode Example (authentication server (RADIUS), workstations (clients))
The switch supports multidomain authentication (MDA), which allows both a data device and voice device, such as an IP phone (Cisco or non-Cisco), to authenticate on the same switch port. The port is divided into a data domain and a voice domain.
• When a port host mode changes from single- or multihost to multidomain mode, an authorized data device remains authorized on the port. However, a Cisco IP phone on the port voice VLAN is automatically removed and must be reauthenticated on that port.
Note: To configure the MAC replace feature, the switch must be running the LAN base image.
Beginning with Cisco IOS Release 12.2(55)SE, the MAC replace feature can be configured to address the violation that occurs when a host attempts to connect to a port where another host was previously authenticated.
RADIUS accounting packets are sent by a switch:
• START–sent when a new user session starts
• INTERIM–sent during an existing session for updates
• STOP–sent when a session terminates
DHCP snooping bindings table. You can view the AV pairs that are being sent by the switch by entering the debug radius accounting privileged EXEC command. For more information about this command, see the Cisco IOS Debug Command Reference: http://www.cisco.com/en/US/docs/ios/12_2/debug/command/reference/122debug.html...
Voice device authentication is supported with multidomain host mode in Cisco IOS Release 12.2(37)SE. In Cisco IOS Release 12.2(40)SE and later, when a voice device is authorized and the RADIUS server returned an authorized VLAN, the voice VLAN on the port is configured to send and receive packets on the assigned voice VLAN.
When the definitions are passed from the RADIUS server, they are created by using the extended naming convention. However, if you use the Filter-Id attribute, it can point to a standard ACL.
If the RADIUS server does not allow the .in or .out syntax, the access list is applied to the outbound ACL by default. Because of limited support of Cisco IOS access lists on the switch, the Filter-Id attribute is supported only for IP ACLs numbered 1 to 199 and 1300 to 2699 (IP standard and IP extended ACLs).
Note The auth-default-ACL does not support Cisco Discovery Protocol (CDP) bypass in the single host mode. You must configure a static ACL on the interface to support CDP bypass. The 802.1x and MAB authentication methods support two authentication modes, open and closed. If there is no static ACL on a port in closed authentication mode: An auth-default-ACL is created.
ACL, this ACL takes precedence over the default ACL that is configured on the switch port. However, if the switch receives a host access policy from the Cisco Secure ACS but the default ACL is not configured, the authorization failure is declared.
Chapter 10  Configuring IEEE 802.1x Port-Based Authentication
Understanding IEEE 802.1x Port-Based Authentication
Note: This feature is not supported on Cisco ACS Server. (The ACS server ignores the sent VLAN-IDs for new hosts and only authenticates based on the MAC address.)
For configuration information, see the “Configuring VLAN ID-based MAC Authentication”...
Other security features such as dynamic ARP Inspection, DHCP snooping, and IP source guard can be configured independently on a restricted VLAN. For more information, see the “Configuring a Restricted VLAN” section on page 10-55.
Results” for a single host. As expected on a single-host mode port, if more than a single host is detected on the switch port, then the switch port enters an err-disable state.
Support on Multiple-Authentication Ports
To enable Inaccessible Authentication Bypass on ports configured with host mode multi-auth, you must use the authentication event server dead action reinitialize vlan vlan-id command.
RADIUS server. If a RADIUS server status changes from dead to up, all of the stack switches reauthenticate all switch ports currently in the critical-authentication state.
A voice VLAN port becomes active when there is a link, and the device MAC address appears after the first CDP message from the IP phone. Cisco IP phones do not relay CDP messages from other devices. As a result, if several IP phones are connected in series, the switch recognizes only the one directly connected to it.
Note: If you enable 802.1x authentication on an access port on which a voice VLAN is configured and to which a Cisco IP Phone is connected, the Cisco IP phone loses connectivity to the switch for up to 30 seconds. For more information about voice VLANs, see Chapter 15, “Configuring Voice VLAN.”...
For more configuration information, see the “Authentication Manager” section on page 10-7. Cisco IOS Release 12.2(55)SE and later supports filtering of verbose MAB system messages. See the “Authentication Manager CLI Commands” section on page 10-9.
VLAN group, none of the ports or users that are in the authenticated state in any VLAN within the group are cleared, but the VLAN mappings to the VLAN group are cleared. For more information, see the “Configuring 802.1x User Distribution” section on page 10-59.
(ACL) defined on the port. After the host is authenticated, the policies configured on the RADIUS server are applied to that host.
• Once the supplicant switch authenticates successfully, the port mode changes from access to trunk.
• If the access VLAN is configured on the authenticator switch, it becomes the native VLAN for the trunk port after successful authentication.
Spanning Tree Protocol (STP) bridge protocol data unit (BPDU) packets before the supplicant switch has authenticated. Beginning with Cisco IOS Release 15.0(1)SE, you can control traffic exiting the supplicant port during the authentication period. Entering the dot1x supplicant controlled transient global configuration command temporarily blocks the supplicant port during authentication to ensure that the authenticator port does not shut down before authentication completes.
This ID is used for all reporting purposes, such as the show commands and MIBs. The session ID appears with all per-session syslog messages.
EAP request/identity frame from the client before resending the request). Maximum retransmission number 2 times (number of times that the switch will send an EAP-request/identity frame before restarting the authentication process).
Query Protocol [VQP]) port, an error message appears, and 802.1x authentication is not enabled. If you try to change an 802.1x-enabled port to dynamic VLAN assignment, an error message appears, and the VLAN configuration is not changed.
EtherChannel configuration from the interfaces on which 802.1x authentication and EtherChannel are configured.
• Cisco IOS Release 12.2(55)SE and later supports filtering of system messages related to 802.1x authentication. See the “Authentication Manager CLI Commands” section on page 10-9.
• In single-host mode, only one device is allowed on the access VLAN. If the port is also configured with a voice VLAN, an unlimited number of Cisco IP phones can send and receive traffic through the voice VLAN.
• In multidomain authentication (MDA) mode, one device is allowed for the access VLAN, and one...
If error-disabled recovery is not configured for the port, you re-enable it by using the shutdown and no shutdown interface configuration commands.
You can configure an 802.1x port so that it shuts down, generates a syslog error, or discards packets from a new device when:
• a device connects to an 802.1x-enabled port
• the maximum number of allowed devices has already been authenticated on the port
Step 2  VLAN assignment is enabled, as appropriate, based on the RADIUS server configuration.
Step 3
Step 4  The switch sends a start message to an accounting server.
Step 12  Return to privileged EXEC mode.
Step 13  show authentication  Verify your entries.
Step 14  copy running-config startup-config  (Optional) Save your entries in the configuration file.
For more information, see the “Configuring Settings for All RADIUS Servers” section on page 9-36.
802.1x-authorized port that has the authentication port-control interface configuration command set to auto. Use the multi-domain keyword to configure multidomain authentication (MDA) to enable authentication of both a host and a voice device, such as an IP phone (Cisco or non-Cisco) on the same switch port.
This example shows how to enable MDA and to allow both a host and a voice device on the port:
Switch(config)# interface gigabitethernet2/0/1
Switch(config-if)# authentication port-control auto
Switch(config-if)# authentication host-mode multi-domain
Switch(config-if)# switchport voice vlan 101
Switch(config-if)# end
This example shows how to enable periodic re-authentication and set the number of seconds between re-authentication attempts to 4000:
Switch(config-if)# authentication periodic
Switch(config-if)# authentication timer reauthenticate 4000
You should change the default value of this command only to adjust for unusual circumstances such as unreliable links or specific behavioral problems with certain clients and authentication servers.
Beginning in privileged EXEC mode, follow these steps to globally enable MAC move on the switch. This procedure is optional.
Command  Purpose
Step 1  configure terminal  Enter global configuration mode.
Step 2  authentication mac-move permit  Enable MAC move on the switch.
(Optional) Saves your entries in the configuration file.
This example shows how to enable MAC replace on an interface:
Switch(config)# interface gigabitethernet2/0/2
Switch(config-if)# authentication violation replace
1813 as the UDP port for accounting:
Switch(config)# radius-server host 172.120.39.46 auth-port 1812 acct-port 1813 key rad123
Switch(config)# aaa accounting dot1x default start-stop group radius
Switch(config)# aaa accounting system default start-stop group radius
Configuration Guidelines” section on page 10-38.
Step 3  switchport mode access  Set the port to access mode.
Step 4  authentication port-control auto  Enable 802.1x authentication on the port.
(Optional) Sets the number of minutes during which a RADIUS server is not sent requests. The range is from 0 to 1440 minutes (24 hours). The default is 0 minutes.
This example shows how to configure the inaccessible authentication bypass feature and configure the critical voice VLAN:
Switch(config)# radius-server dead-criteria time 30 tries 20
Switch(config)# radius-server deadtime 60
To disable 802.1x authentication with WoL, use the no authentication control-direction interface configuration command.
These examples show how to enable 802.1x authentication with WoL and set the port as bidirectional:
Switch(config-if)# authentication control-direction both
Verify the configuration.
Step 3  no vlan group vlan-group-name vlan-list vlan-list  Clear the VLAN group configuration or elements of the VLAN group configuration.
For more information about these commands, see the Cisco IOS Security Command Reference. Configuring NAC Layer 2 802.1x Validation You can configure NAC Layer 2 802.1x validation, which is also referred to as 802.1x authentication with a RADIUS server.
“802.1x Supplicant and Authenticator Switches with Network Edge Access Topology (NEAT)” section on page 10-33.
Note: The cisco-av-pairs must be configured as device-traffic-class=switch on the ACS, which sets the interface as a trunk after the supplicant is successfully authenticated.
Beginning in privileged EXEC mode, follow these steps to configure a switch as an authenticator:...
(Optional) Save your entries in the configuration file.
This example shows how to configure a switch as a supplicant:
Switch# configure terminal
Switch(config)# cisp enable
Switch(config)# dot1x credentials test
Switch(config)# username suppswitch password myswitch
Switch(config)#
Note: The acl-id is an access list name or number.
Step 8  show running-config interface interface-id  Verify your configuration.
Step 9  copy running-config startup-config  (Optional) Save your entries in the configuration file.
ARP probe. The range is from 30 to 300 seconds. The default is 30 seconds.
• use-svi—Uses the switch virtual interface (SVI) IP address as source of ARP probes.
There is no show command to confirm the status of VLAN ID-based MAC authentication. You can use the debug radius accounting privileged EXEC command to confirm the RADIUS attribute 32. For more information about this command, see the Cisco IOS Debug Command Reference: http://www.cisco.com/en/US/docs/ios/debug/command/reference/db_q1.html#wp1123741...
(Optional) Enable or disable reauthentication on a port.
Step 9  authentication port-control {auto | force-authorized | force-unauthorized}  (Optional) Enable manual control of the port authorization state.
This example shows how to disable 802.1x authentication on the port:
Switch(config)# interface gigabitethernet1/0/2
Switch(config-if)# no dot1x pae authenticator
EXEC command. Beginning with Cisco IOS Release 12.2(55)SE, you can use the no dot1x logging verbose global configuration command to filter verbose 802.1x authentication messages. See the “Authentication...
CHAPTER
Configuring Interface Characteristics
This chapter defines the types of Catalyst 2960, 2960-S, and 2960-C interfaces and describes how to configure them. Unless otherwise noted, the term switch refers to a standalone switch and a switch stack.
Configuring Interface Characteristics
Understanding Interface Types
Port-Based VLANs
Note: Stacking is supported only on Catalyst 2960-S switches running the LAN base image.
A VLAN is a switched network that is logically segmented by function, team, or application, without regard to the physical location of the users. For more information about VLANs, see Chapter 13, “Configuring VLANs.”...
Catalyst 6500 series switch. The Catalyst 2960, 2960-S or 2960-C switch cannot be a VMPS server. You can also configure an access port with an attached Cisco IP Phone to use one VLAN for voice traffic and another VLAN for data traffic from a device attached to the phone. For more information about voice VLAN ports, see Chapter 15, “Configuring Voice VLAN.”...
Most protocols operate over either single ports or aggregated switch ports and do not recognize the physical ports within the port group. The DTP, the Cisco Discovery Protocol (CDP), and the Port Aggregation Protocol (PAgP) operate only on physical ports.
CDP messages for an agreed power-consumption level. The negotiation allows a high-power Cisco powered device, which consumes more than 7 W, to operate at its highest power mode. The powered device first boots up in low-power mode, consumes less than 7 W, and negotiates to obtain enough power to operate in high-power mode.
AC adaptor. After device detection, the switch determines the device power requirements based on its type:
• A Cisco prestandard powered device does not provide its power requirement when the switch detects it, so a switch that does not support PoE+ allocates 15.4 W as the initial allocation for power budgeting;...
LEDs. In a Catalyst 2960-S switch stack, the PoE feature operates the same whether or not the switch is a stack member. The power budget is per-switch and independent of any other switch in the stack. Election of a new stack master does not affect PoE operation.
The switch also uses the power policing feature to police the power usage. Power monitoring is backward-compatible with Cisco intelligent power management and CDP-based power consumption. It works with these features to ensure that the PoE port can supply power to the powered device.
6.3 W. If the CDP-power negotiated value or the IEEE classification value exceeds the configured cutoff value, the switch does not provide power to the connected device. After the switch turns on power to the...
12-36.
PoE Uplinks and PoE Pass-Through Capability
The Catalyst 2960-C compact switch can receive power on the two uplink Gigabit Ethernet ports from a PoE- or PoE+-capable switch (for example, a Catalyst 3750-X or 3560-X switch). The switch can also receive power from an AC power source when you use the auxiliary power input.
Note: Only Catalyst 2960-C switches support Universal Power over Ethernet.
Universal Power over Ethernet (UPoE) is a Cisco proprietary technology that extends the IEEE 802.3at PoE standard to provide the capability to source up to 60 W of power over standard Ethernet cabling infrastructure (Class D or better).
Switch(config)# [no] lldp run
Switch(config)# [no] cdp run
Note: The Powered Device (PD) and Power Sourcing Equipment (PSE) should run the same power negotiation protocol to negotiate power.
Using the Switch USB Ports
Note: USB ports are supported only on Catalyst 2960-S and 2960-C switches.
The Catalyst 2960-S and Catalyst 2960-C Gigabit Ethernet switches have two USB ports on the front panel:
• USB Mini-Type B Console Port, page 12-14
• USB Type A Port, page 12-16
1 00:20:48.635: %USB_CONSOLE-6-MEDIA_RJ45: Console media-type is RJ45.
You can configure the console type to always be RJ-45, and you can configure an inactivity timeout for the USB connector.
Note: The configured inactivity timeout applies to all switches in a stack. However, a timeout on one switch does not cause a timeout on other switches in the stack.
The USB Type A port provides access to external USB flash devices, also known as thumb drives or USB keys. The switch supports Cisco 64 MB, 256 MB, 512 MB, and 1 GB flash drives. You can use standard Cisco IOS command-line interface (CLI) commands to read, write, erase, and copy to or from the flash device.
This example configures the switch to boot from the Catalyst 2960-S flash device. The image is the Catalyst 2960-S LAN base image.
Switch# configure terminal
Switch(config)# boot system flash usbflash0:c2960s-lanbase-mz
To disable booting from flash, enter the no form of the command.
12-20). To configure a physical interface (port) on a Catalyst 2960 or 2960-C switch or a Catalyst 2960-S switch running the LAN Lite image, specify the interface type, module number, and switch port number, and enter interface configuration mode. To configure a port on a Catalyst 2960-S switch running the LAN base image (supporting stacking), specify the interface type, stack member number, module number, and switch port number, and enter interface configuration mode.
Using Interface Configuration Mode
This example identifies an interface on a Catalyst 2960 or 2960-C switch or a Catalyst 2960-S switch running the LAN Lite image:
• To configure 10/100/1000 port 4, enter this command:...
Note: Although the command-line interface shows options to set multiple VLANs, these options are not supported on Catalyst 2960 and 2960-S switches.
– gigabitethernet stack member/module/{first port} - {last port}, where the module is always 0
– fastethernet module/{first port} - {last port}, where the module is always 0
...
• The macro_name is a 32-character maximum character string.
• A macro can contain up to five comma-separated interface ranges. Each interface-range must consist of the same port type.
Switch# configure terminal
Switch(config)# define interface-range enet_list gigabitethernet1/0/1 - 2
Switch(config)# end
Switch# show running-config | include define
Switch# define interface-range enet_list gigabitethernet1/0/1 - 2
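The interface-range syntax and macro limits described above (module always 0, a macro name of at most 32 characters, at most five comma-separated ranges), encoded as a checker. This is an added example, not code from the Cisco guide or from IOS; the function and exception names are this example's own, and it accepts both the member/module/port form used on stacking images and the module/port form.

```python
# Added example, not from the Cisco guide: a parser for the interface-range
# syntax the guide describes, enforcing the stated limits (32-character macro
# name, at most five comma-separated ranges, module always 0). Function and
# error names are this example's own.
import re

MAX_MACRO_NAME = 32
MAX_RANGES_PER_MACRO = 5

# gigabitethernet stack-member/module/first - last, or fastethernet module/first - last
_RANGE_RE = re.compile(
    r"^(?P<ptype>gigabitethernet|fastethernet)\s*"
    r"(?P<path>\d+(?:/\d+)+)\s*-\s*(?P<last>\d+)$",
    re.IGNORECASE,
)


class InterfaceRangeError(ValueError):
    pass


def expand_range(spec: str) -> list[str]:
    """Expand one 'type a/b/first - last' range into individual interface names."""
    m = _RANGE_RE.match(spec.strip())
    if not m:
        raise InterfaceRangeError(f"unrecognised interface range: {spec!r}")
    ptype = m.group("ptype").lower()
    *prefix, first = (int(x) for x in m.group("path").split("/"))
    last = int(m.group("last"))
    # gigabitethernet: stack member/module/port (3 parts) on stacking images,
    # module/port (2 parts) otherwise; fastethernet: module/port
    if ptype == "gigabitethernet" and len(prefix) not in (1, 2):
        raise InterfaceRangeError(
            f"gigabitethernet range needs member/module/port or module/port: {spec!r}")
    if ptype == "fastethernet" and len(prefix) != 1:
        raise InterfaceRangeError(f"fastethernet range needs module/port: {spec!r}")
    module = prefix[-1]
    if module != 0:
        raise InterfaceRangeError(
            f"module is always 0 on these switches, got {module} in {spec!r}")
    if first < 1 or last < first:
        raise InterfaceRangeError(f"bad port span {first}-{last} in {spec!r}")
    base = "/".join(str(x) for x in prefix)
    return [f"{ptype}{base}/{port}" for port in range(first, last + 1)]


def define_interface_range(macro_name: str, spec: str) -> list[str]:
    """Model 'define interface-range <name> <ranges>' and return the ports it covers."""
    if not macro_name or len(macro_name) > MAX_MACRO_NAME:
        raise InterfaceRangeError("macro name must be 1 to 32 characters")
    ranges = [r for r in spec.split(",") if r.strip()]
    if not ranges or len(ranges) > MAX_RANGES_PER_MACRO:
        raise InterfaceRangeError("a macro holds one to five comma-separated ranges")
    ports: list[str] = []
    for r in ranges:
        ports.extend(expand_range(r))
    return ports


if __name__ == "__main__":
    print(define_interface_range("enet_list", "gigabitethernet1/0/1 - 2"))
```

Running a macro definition through this before pasting it into a switch catches the one mistake the guide warns about, a non-zero module number, and the size limits that the CLI otherwise reports only after the fact.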
Switch# show run | include define
Switch#
Using the Ethernet Management Port (Catalyst 2960-S Only)
Note: The Ethernet management port is not supported on Catalyst 2960 switches.
• Understanding the Ethernet Management Port, page 12-23
• Supported Features on the Ethernet Management Port, page 12-24
...
In a Catalyst 2960-S stack, all the Ethernet management ports on the stack members are connected to a hub to which the PC is connected. As shown in Figure 12-3, the active link is from the Ethernet management port on the stack master (switch 2) through the hub, to the PC.
Clears the statistics for the Ethernet management port.
mgmt_init    Starts the Ethernet management port.
mgmt_show    Displays the statistics for the Ethernet management port.
ping host_ip_address    Sends ICMP ECHO_REQUEST packets to the specified network host.
Loads and boots an executable image from the TFTP server and enters the command-line interface. For more details, see the command reference for this release.
copy tftp:/source-file-url    Copies a Cisco IOS image from the TFTP server to the specified filesystem:/destination-file-location. For more details, see the command reference for this release.
This procedure is optional.
Command    Purpose
Step 1    configure terminal    Enter global configuration mode.
Step 2    interface interface-id    Specify the dual-purpose uplink port to be configured, and enter interface configuration mode.
• If the link goes down, the switch disables the RJ-45 side and selects the SFP module interface. When the 100BASE-x SFP module is removed, the switch again dynamically selects the type (auto-select) and re-enables the RJ-45 side.
The port LED is amber while STP reconfigures.
Caution: Changing the interface speed and duplex mode configuration might shut down and re-enable the interface during the reconfiguration.
Switch(config-if)# duplex half
This example shows how to set the interface speed to 100 Mb/s on a 10/100/1000 Mb/s port:
Switch# configure terminal
Switch(config)# interface gigabitethernet1/0/2
Switch(config-if)# speed 100
To disable flow control, use the flowcontrol receive off interface configuration command. This example shows how to turn on flow control on a port:
Switch# configure terminal
Switch(config)# interface gigabitethernet1/0/1
Switch(config-if)# flowcontrol receive on
Switch(config-if)# end
To disable auto-MDIX, use the no mdix auto interface configuration command. This example shows how to enable auto-MDIX on a port:
Switch# configure terminal
Switch(config)# interface gigabitethernet1/0/1
Switch(config-if)# speed auto
Switch(config-if)# duplex auto
Switch(config-if)# mdix auto
The switch repowers the port only if the powered device is a Class 1, Class 2, or a Cisco-only powered device. Beginning in privileged EXEC mode, follow these steps to configure a power management mode on a...
(CDP) to determine the actual power consumption of the devices, and the switch adjusts the power budget accordingly. The CDP protocol works with Cisco powered devices and does not apply to IEEE third-party powered devices. For these devices, when the switch grants a power request, the switch adjusts the power budget according to the powered-device IEEE classification.
Step 6    copy running-config startup-config    (Optional) Save your entries in the configuration file.
To return to the default setting, use the no power inline consumption default global configuration command.
PoE port:
Command    Purpose
Step 1    configure terminal    Enter global configuration mode.
Step 2    interface interface-id    Specify the physical port to be configured, and enter interface configuration mode.
Configuring Catalyst PoE and PoE Pass-Through Ports on Compact Switches
You can configure the power management, budgeting, and policing on the Catalyst 2960-C compact switch PoE ports the same as with any other PoE switch.
This is an example of output from the show power inline command on a C2960CPD-8TT switch:
Switch# show power inline
Available:0.0(w)  Used:0.0(w)  Remaining:0.0(w)
Interface Admin  Oper       Power   Device              Class Max
                            (Watts)
--------- ------ ---------- ------- ------------------- ----- ----
Enter configuration commands, one per line. End with CNTL/Z.
Switch(config)# interface gigabitethernet1/0/2
Switch(config-if)# description Connects to Marketing
Switch(config-if)# end
Switch# show interfaces gigabitethernet1/0/2 description
Interface Status         Protocol Description
Gi1/0/2   admin down     down     Connects to Marketing
You can increase the MTU size to support jumbo frames on all Gigabit Ethernet interfaces by using the system mtu jumbo global configuration command.
Switch(config)# system mtu jumbo 1800
Switch(config)# exit
Switch# reload
This example shows the response when you try to set Gigabit Ethernet interfaces to an out-of-range number:
Switch(config)# system mtu jumbo 25000
(You can display the full list of show commands by using the show ? command at the privileged EXEC prompt.) These commands are fully described in the Cisco IOS Interface Command Reference, Release 12.4 from Cisco.com. Table 12-6...
Select the interface to be configured. interface-id} | {port-channel port-channel-number}
Step 3    shutdown    Shut down an interface.
Step 4    Return to privileged EXEC mode.
Step 5    show running-config    Verify your entry.
Monitoring and Maintaining the Interfaces
VLAN assignment from a VLAN Membership Policy Server (VMPS). Unless otherwise noted, the term switch refers to a standalone switch and a switch stack.
Note: Stacking is supported only on Catalyst 2960-S switches running the LAN base image.
Note: For complete syntax and usage information for the commands used in this chapter, see the command reference for this release.
VTP transparent mode when you create VLAN IDs from 1006 to 4094. Cisco IOS Release 12.2(52)SE and later support VTP version 3. VTP version 3 supports the entire VLAN range (VLANs 1 to 4094). Extended range VLANs (VLANs 1006 to 4094) are supported only in VTP version 3.
For information about configuring trunk ports, see the “Configuring an Ethernet Interface as a Trunk Port” section on page 13-15.
EXEC command. The vlan.dat file is stored in flash memory on the stack master. Stack members have a vlan.dat file that is consistent with the stack master.
• Default Ethernet VLAN Configuration, page 13-7
• Creating or Modifying an Ethernet VLAN, page 13-8
• Deleting a VLAN, page 13-9
• Assigning Static-Access Ports to a VLAN, page 13-10
IEEE 802.1s Multiple STP (MSTP) on your switch to map multiple VLANs to a single spanning-tree instance. For more information about MSTP, see Chapter 17, “Configuring MSTP.”
Note: Stacking is supported only on Catalyst 2960-S switches running the LAN base image.
Configuring Normal-Range VLANs
You configure VLANs with the vlan global configuration command by entering a VLAN ID. Enter a new VLAN ID to create a VLAN, or enter an existing VLAN ID to modify that VLAN.
(Optional) Enter a name for the VLAN. If no name is entered for the VLAN, the default is to append the vlan-id with leading zeros to the word VLAN. For example, VLAN0004 is a default VLAN name for VLAN 4.
(Optional) If the switch is in VTP transparent mode, the VLAN configuration is saved in the running configuration file as well as in the VLAN database. This saves the configuration in the switch startup configuration file.
This example shows how to configure a port as an access port in VLAN 2:
Switch# configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Switch(config)# interface gigabitethernet2/0/1
Switch(config-if)# switchport mode access
Switch(config-if)# switchport access vlan 2
Switch(config-if)# end
VTP transparent mode. Otherwise, you lose the extended-range VLAN configuration if the switch resets. If you create extended-range VLANs in VTP version 3, you cannot convert to VTP version 1 or 2.
“Configuring a VLAN as an RSPAN VLAN” section on page 27-18. RSPAN is supported only if the switch is running the LAN Base image.
Step 6    Return to privileged EXEC mode.
Prevents the interface from generating DTP frames. You can use this command only when the interface switchport mode is access or trunk. You must manually configure the neighboring interface as a trunk interface to establish a trunk link.
VLAN allowed on the trunks. Non-Cisco devices might support one spanning-tree instance for all VLANs. When you connect a Cisco switch to a non-Cisco device through an IEEE 802.1Q trunk, the Cisco switch combines the spanning-tree instance of the VLAN of the trunk with the spanning-tree instance of the non-Cisco IEEE 802.1Q switch.
(Optional) Specify the default VLAN, which is used if the interface stops trunking.
Step 5    switchport trunk native vlan vlan-id    Specify the native VLAN for IEEE 802.1Q trunks.
Step 6    Return to privileged EXEC mode.
VLANs from the allowed list.
Note: VLAN 1 is the default VLAN on all trunk ports in all Cisco switches, and it has previously been a requirement that VLAN 1 always be enabled on every trunk link. You can use the VLAN 1 minimization feature to disable VLAN 1 on any individual VLAN trunk link so that no user traffic (including spanning-tree advertisements) is sent or received on VLAN 1.
Purpose
Step 1    configure terminal    Enter global configuration mode.
Step 2    interface interface-id    Select the trunk port for which VLANs should be pruned, and enter interface configuration mode.
Step 5    show interfaces interface-id switchport    Verify your entries in the Trunking Native Mode VLAN field.
Step 6    copy running-config startup-config    (Optional) Save your entries in the configuration file.
“Load Sharing Using STP Path Cost” section on page 13-22. Stacking is supported only on Catalyst 2960-S switches running the LAN base image. Beginning in privileged EXEC mode, follow these steps to configure the network shown in Figure 13-2.
Step 8    show vlan    When the trunk links come up, Switch A receives the VTP information from the other switches. Verify that Switch A has learned the VLAN configuration.
• If the host is allowed on the port, the VMPS sends the client a vlan-assignment response containing the assigned VLAN name and allowing access to the host.
20 MAC addresses are allowed per port on the switch. A dynamic-access port can belong to only one VLAN at a time, but the VLAN can change over time, depending on the MAC addresses seen.
• The VLAN configured on the VMPS server should not be a voice VLAN.
Configuring the VMPS Client
You configure dynamic VLANs by using the VMPS (server). The switch can be a VMPS client; it cannot be a VMPS server.
Configure the port as eligible for dynamic VLAN membership. The dynamic-access port must be connected to an end station.
Step 5    Return to privileged EXEC mode.
Step 5    copy running-config startup-config    (Optional) Save your entries in the configuration file.
To return the switch to its default setting, use the no vmps reconfirm global configuration command.
• End stations are connected to the clients, Switch B and Switch I.
• The database configuration file is stored on the TFTP server with the IP address 172.20.22.7.
[Figure residue, VMPS network example: Switch F 172.20.26.156, Switch G 172.20.26.157, Switch H, client switch I with a dynamic-access port 172.20.26.158 and end station 2, trunk port 172.20.26.159, Catalyst 6500 series secondary VMPS, Switch J, Server 3]
This chapter describes how to use the VLAN Trunking Protocol (VTP) and the VLAN database for managing VLANs with the Catalyst 2960, 2960-S or 2960-C switches. Unless otherwise noted, the term switch refers to a standalone switch and a switch stack.
Note: The switch supports up to 64 VLANs when it is running the LAN Lite image.
VTP version 1 and version 2 support only normal-range VLANs (VLAN IDs 1 to 1005). Cisco IOS Release 12.2(52)SE and later support VTP version 3. VTP version 3 supports the entire VLAN range (VLANs 1 to 4094).
In VTP versions 1 and 2, in VTP client mode, VLAN configurations are not saved in NVRAM. In VTP version 3, VLAN configurations are saved in NVRAM in client mode.
• MD5 digest
• VLAN configuration, including maximum transmission unit (MTU) size for each VLAN.
• Frame format
VTP advertisements distribute this VLAN information for each configured VLAN:
• VLAN IDs (IEEE 802.1Q)
• VLAN name
• VLAN type
VTP version 3 to version 1 or 2.
Note: VTP pruning still applies only to VLANs 1 to 1005, and VLANs 1002 to 1005 are still reserved and cannot be modified.
• Private VLAN support.
Switch D are assigned to the Red VLAN. If a broadcast is sent from the host connected to Switch A, Switch A floods the broadcast and every switch in the network receives it, even though Switches C, E, and F have no ports in the Red VLAN.
VTP pruning does not prune traffic from VLANs that are pruning-ineligible. VLAN 1 and VLANs 1002 to 1005 are always pruning-ineligible; traffic from these VLANs cannot be pruned. Extended-range VLANs (VLAN IDs higher than 1005) are also pruning-ineligible.
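The VLAN-range rules spread across the VLAN and VTP chapters above (normal range 1 to 1005 with 1002 to 1005 reserved, extended range 1006 to 4094 only under VTP version 3 or transparent mode, no VLAN changes in client mode, the VLAN0004-style default name, pruning ineligibility of VLAN 1, the reserved VLANs and the extended range, and no downgrade from VTP version 3 while extended VLANs exist), collected into one checker. This is an added example and not code from the Cisco guide; the function names are this example's own, and the rule that VLAN 1 is named "default" is general Catalyst behaviour rather than something the excerpt states.

```python
# Added example, not from the Cisco guide: a rule checker that encodes the
# VLAN-range and VTP constraints the guide states, so a config-review script
# can flag VLAN IDs the switch would reject or that VTP pruning never prunes.
# Function names and return values are this example's own.

NORMAL_RANGE_MAX = 1005              # VLANs 1 to 1005 are normal range
RESERVED_VLANS = range(1002, 1006)   # 1002 to 1005 are reserved and cannot be modified
EXTENDED_RANGE = range(1006, 4095)   # 1006 to 4094 are extended range


def vlan_kind(vlan_id: int) -> str:
    """Classify a VLAN ID as normal, reserved or extended; reject out-of-range IDs."""
    if not 1 <= vlan_id <= 4094:
        raise ValueError(f"VLAN ID {vlan_id} is outside 1 to 4094")
    if vlan_id in RESERVED_VLANS:
        return "reserved"
    return "extended" if vlan_id in EXTENDED_RANGE else "normal"


def default_vlan_name(vlan_id: int) -> str:
    """Default name for a user-created VLAN: 'VLAN' plus the zero-padded ID.

    VLAN 1 is named 'default' on Catalyst switches (general behaviour, not
    from the excerpt).
    """
    vlan_kind(vlan_id)  # range check
    if vlan_id == 1:
        return "default"
    return f"VLAN{vlan_id:04d}"


def can_create_vlan(vlan_id: int, vtp_version: int, vtp_mode: str) -> tuple[bool, str]:
    """Whether 'vlan <id>' would be accepted under this VTP version and mode."""
    kind = vlan_kind(vlan_id)
    mode = vtp_mode.lower()
    if kind == "reserved":
        return False, "VLANs 1002 to 1005 are reserved and cannot be modified"
    if mode == "client":
        return False, "VLAN configuration cannot be changed in VTP client mode"
    if kind == "extended" and vtp_version != 3 and mode != "transparent":
        return False, "extended-range VLANs need VTP version 3 or VTP transparent mode"
    return True, "ok"


def pruning_eligible(vlan_id: int) -> bool:
    """VLAN 1, VLANs 1002 to 1005 and extended-range VLANs are never pruned."""
    return vlan_id != 1 and vlan_kind(vlan_id) == "normal"


def can_downgrade_from_vtp3(configured_vlans) -> bool:
    """A VTP version 3 switch cannot move to version 1 or 2 while it has extended VLANs."""
    return not any(vlan_kind(v) == "extended" for v in configured_vlans)


if __name__ == "__main__":
    for vid in (1, 4, 1003, 2000):
        print(vid, vlan_kind(vid), default_vlan_name(vid), pruning_eligible(vid))
```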
VTP and Switch Stacks
Note: Stacking is supported only on Catalyst 2960-S switches running the LAN base image.
VTP configuration is the same in all members of a switch stack. When the switch stack is in VTP server or client mode, all switches in the stack carry the same VTP configuration.
• If the VTP mode or the domain name in the startup configuration does not match the VLAN database, the domain name and the VTP mode and configuration for the first 255 VLANs use the VLAN database information.
VTP packets so that the VTP version 2 switch can update its database.
• A switch running VTP version 3 cannot move to version 1 or 2 if it has extended VLANs.
• When a switch is in VTP client mode, you cannot change its VLAN configuration. The client switch receives VTP updates from a VTP server in the VTP domain and then modifies its configuration accordingly.
If the switch has a trunk connection to a VTP domain, the switch learns the domain name from the VTP server in the domain. You should configure the VTP domain before configuring other VTP parameters.
Setting VTP domain name to eng_group.
Switch(config)# vtp mode server
Setting device to VTP Server mode for VLANS.
Switch(config)# vtp password mypassword
Setting device VLAN database password to mypassword.
Switch(config)# end
• (Optional) force—Entering force overwrites the configuration of any conflicting servers. If you do not enter force, you are prompted for confirmation before the takeover.
Token Ring VLAN switching to function properly. For Token Ring and Token Ring-Net media, VTP version 2 must be disabled.
• VTP version 3 is supported on switches running Cisco IOS Release 12.2(52)SE or later.
• In VTP version 3, both the primary and secondary servers can exist on an instance in the domain.
Enter global configuration mode.
Step 2    interface interface-id    Identify an interface, and enter interface configuration mode.
Step 3    Enable VTP on the specified port.
Step 4    Return to privileged EXEC mode.
(Optional) Verify that the domain name is the same as in Step 1 and that the configuration revision number is 0. After resetting the configuration revision number, add the switch to the VTP domain.
Display the VTP password. The form of the password displayed depends on whether or not the hidden keyword was entered and if encryption is enabled on the switch.
show vtp status    Display the VTP switch configuration information.
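Why the procedure above insists that the configuration revision number be 0 before a switch joins a VTP domain, and why the domain password matters, shown as a simplified model of how a VTP version 1 or 2 switch decides whether to apply an advertisement (domain name must match, the MD5 digest keyed with the domain password must match, and the revision must be higher than its own). This is an added example, not code from the Cisco guide and not the VTP packet format: the digest layout, the class and function names, and the eng_group database contents are constructed for this example.

```python
# Added example, not from the Cisco guide and not the VTP packet format: a
# simplified model of how a VTP version 1 or 2 switch decides whether to accept
# a summary advertisement, to show what the guide's procedure (reset the
# configuration revision to 0 before adding a switch to a domain) protects
# against. The digest layout, class names and the sample domain are this
# example's own constructions.
import hashlib
from dataclasses import dataclass, field


@dataclass
class VtpSwitch:
    domain: str
    password: str
    revision: int = 0
    vlans: dict[int, str] = field(default_factory=lambda: {1: "default"})


@dataclass(frozen=True)
class Advertisement:
    domain: str
    revision: int
    vlans: dict[int, str]
    md5: str


def vtp_digest(password: str, domain: str, revision: int, vlans: dict[int, str]) -> str:
    # Constructed stand-in for the VTP MD5 digest: hashes the password together
    # with the domain, revision and VLAN list, so a sender with the wrong
    # password cannot produce a digest the receiver will accept.
    body = ";".join(f"{vid}={name}" for vid, name in sorted(vlans.items()))
    return hashlib.md5(f"{password}|{domain}|{revision}|{body}".encode()).hexdigest()


def advertise(sw: VtpSwitch) -> Advertisement:
    """What a server in the domain sends when its database changes."""
    return Advertisement(sw.domain, sw.revision, dict(sw.vlans),
                         vtp_digest(sw.password, sw.domain, sw.revision, sw.vlans))


def receive(sw: VtpSwitch, adv: Advertisement) -> tuple[bool, str]:
    """Apply the advertisement only if domain, digest and revision all check out."""
    if adv.domain != sw.domain:
        return False, "ignored: different VTP domain"
    if adv.md5 != vtp_digest(sw.password, adv.domain, adv.revision, adv.vlans):
        return False, "ignored: MD5 digest mismatch (domain password differs)"
    if adv.revision <= sw.revision:
        return False, f"ignored: revision {adv.revision} is not higher than ours ({sw.revision})"
    sw.vlans = dict(adv.vlans)
    sw.revision = adv.revision
    return True, f"applied: database replaced at revision {adv.revision}"


def reset_revision(sw: VtpSwitch) -> None:
    """Outcome of the guide's reset procedure: the switch rejoins with revision 0."""
    sw.revision = 0


def stale_switch_scenario(reset_first: bool) -> tuple[bool, dict[int, str]]:
    """A long-unused switch with a higher revision and an empty database rejoins eng_group.

    Returns (accepted, production VLAN table after the exchange). All values
    are constructed for this example.
    """
    production = VtpSwitch("eng_group", "mypassword", revision=10,
                           vlans={1: "default", 10: "users", 20: "voice"})
    returning = VtpSwitch("eng_group", "mypassword", revision=25)
    if reset_first:
        reset_revision(returning)
    accepted, _ = receive(production, advertise(returning))
    return accepted, production.vlans


if __name__ == "__main__":
    print("without reset:", stale_switch_scenario(reset_first=False))
    print("with reset:   ", stale_switch_scenario(reset_first=True))
```

The first scenario shows the failure mode the guide's step guards against: the returning switch's higher revision is enough for the domain to replace its VLAN table with an empty one. After the reset its advertisement is ignored, as is any advertisement signed with a different password or for a different domain; the `show vtp status` check in the step above is the point at which an operator confirms the revision is 0.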
The voice VLAN feature enables access ports to carry IP voice traffic from an IP phone. When the switch is connected to a Cisco 7960 IP Phone, the phone sends voice traffic with Layer 3 IP precedence and Layer 2 class of service (CoS) values, which are both set to 5 by default. Because the sound quality of an IP phone call can deteriorate if the data is unevenly sent, the switch supports quality of service (QoS) based on IEEE 802.1p CoS.
Cisco IP Phone Voice Traffic
You can configure an access port with an attached Cisco IP Phone to use one VLAN for voice traffic and another VLAN for data traffic from a device attached to the phone. You can configure access ports on...
For more information, see Chapter 33, “Configuring QoS.”
• You must enable CDP on the switch port connected to the Cisco IP Phone to send the configuration to the phone. (CDP is globally enabled by default on all switch interfaces.)
The Port Fast feature is automatically enabled when voice VLAN is configured.
Configuring Voice VLAN
• If the Cisco IP Phone and a device attached to the phone are in the same VLAN, they must be in the same IP subnet. These conditions indicate that they are in the same VLAN:
–...
Configuring Cisco IP Phone Voice Traffic
You can configure a port connected to the Cisco IP Phone to send CDP packets to the phone to configure the way in which the phone sends voice traffic. The phone can carry voice traffic in IEEE 802.1Q frames for a specified voice VLAN with a Layer 2 CoS value.
Note: You can connect a PC or other data device to a Cisco IP Phone port. To process tagged data traffic (in IEEE 802.1Q or IEEE 802.1p frames), you can configure the switch to send CDP packets to instruct the phone how to send data packets from the device attached to the access port on the Cisco IP Phone.
This chapter describes how to configure the Spanning Tree Protocol (STP) on port-based VLANs on the Catalyst 2960, 2960-S, and 2960-C switch. The switch can use either the per-VLAN spanning-tree plus (PVST+) protocol based on the IEEE 802.1D standard and Cisco proprietary extensions, or the rapid per-VLAN spanning-tree plus (rapid-PVST+) protocol based on the IEEE 802.1w standard.
The path cost value represents the media speed.
When selecting the root port on a switch stack, spanning tree follows this sequence:
– Selects the lowest root bridge ID
– Selects the lowest path cost to the root switch
VLAN. Each VLAN on the switch has a unique 8-byte bridge ID. The 2 most-significant bytes are used for the switch priority, and the remaining 6 bytes are derived from the switch MAC address.
An interface moves through these states:
• From initialization to blocking
• From blocking to listening or to disabled
• From listening to learning or to disabled
An interface always enters the blocking state after switch initialization. An interface in the blocking state performs these functions:
• Discards frames received on the interface
• Discards frames switched from another interface for forwarding
A disabled interface performs these functions:
• Discards frames received on the interface
• Discards frames switched from another interface for forwarding
• Does not learn addresses
• Does not receive BPDUs
If the speeds are the same, the port priority and port ID are added together, and spanning tree disables the link with the lowest value.
A spanning-tree reconfiguration on one VLAN can cause the dynamic addresses learned on that VLAN to be subject to accelerated aging. Dynamic addresses on other VLANs can be unaffected and remain subject to the aging interval entered for the switch.
Spanning-Tree Modes and Protocols
The switch supports these spanning-tree modes and protocols:
• PVST+—This spanning-tree mode is based on the IEEE 802.1D standard and Cisco proprietary extensions. It is the default spanning-tree mode used on all Ethernet port-based VLANs. The PVST+ runs on each VLAN on the switch up to the maximum supported, ensuring that each has a loop-free path through the network.
VLAN allowed on the trunks. When you connect a Cisco switch to a non-Cisco device through an IEEE 802.1Q trunk, the Cisco switch uses PVST+ to provide spanning-tree interoperability. If rapid PVST+ is enabled, the switch uses it instead of PVST+.
VLAN that have a running spanning-tree instance can break loops. Therefore, spanning tree must be running on enough switches to break all the loops in the network; for example, at least one...
“Optional Spanning-Tree Configuration Guidelines” section on page 18-12.
Caution: Loop guard works only on point-to-point links. We recommend that each end of the link has a directly connected device that is running STP.
To return to the default setting, use the no spanning-tree mode global configuration command. To return the port to its default setting, use the no spanning-tree link-type interface configuration command.
ID support will become the root switch. The extended system ID increases the switch priority value every time the VLAN number is greater than the priority of the connected switches running older software.
Page 453
Step 5 copy running-config startup-config (Optional) Save your entries in the configuration file. To return to the default setting, use the no spanning-tree vlan vlan-id root global configuration command. Catalyst 2960 and 2960-S Switches Software Configuration Guide, Release 15.0(1)SE 16-17 OL-26520-01...
(higher numerical values) that you want selected last. If all interfaces have the same priority value, spanning tree puts the interface with the lowest interface number in the forwarding state and blocks the other interfaces. Catalyst 2960 and 2960-S Switches Software Configuration Guide, Release 15.0(1)SE 16-18 OL-26520-01...
Page 455
The show spanning-tree interface interface-id privileged EXEC command displays information only Note if the port is in a link-up operative state. Otherwise, you can use the show running-config interface privileged EXEC command to confirm the configuration. Catalyst 2960 and 2960-S Switches Software Configuration Guide, Release 15.0(1)SE 16-19 OL-26520-01...
Return to privileged EXEC mode. Step 6 show spanning-tree interface interface-id Verify your entries. show spanning-tree vlan vlan-id Step 7 copy running-config startup-config (Optional) Save your entries in the configuration file. Catalyst 2960 and 2960-S Switches Software Configuration Guide, Release 15.0(1)SE 16-20 OL-26520-01...
Step 5 copy running-config startup-config (Optional) Save your entries in the configuration file. To return to the default setting, use the no spanning-tree vlan vlan-id priority global configuration command. Catalyst 2960 and 2960-S Switches Software Configuration Guide, Release 15.0(1)SE 16-21 OL-26520-01...
Step 5 copy running-config startup-config (Optional) Save your entries in the configuration file. To return to the default setting, use the no spanning-tree vlan vlan-id hello-time global configuration command. Catalyst 2960 and 2960-S Switches Software Configuration Guide, Release 15.0(1)SE 16-22 OL-26520-01...
Page 459
Step 5 copy running-config startup-config (Optional) Save your entries in the configuration file. To return to the default setting, use the no spanning-tree vlan vlan-id max-age global configuration command. Catalyst 2960 and 2960-S Switches Software Configuration Guide, Release 15.0(1)SE 16-23 OL-26520-01...
Page 460
You can clear spanning-tree counters by using the clear spanning-tree [interface interface-id] privileged EXEC command. For information about other keywords for the show spanning-tree privileged EXEC command, see the command reference for this release. Catalyst 2960 and 2960-S Switches Software Configuration Guide, Release 15.0(1)SE 16-24 OL-26520-01...
Page 461
Chapter 16 Configuring STP Displaying the Spanning-Tree Status Catalyst 2960 and 2960-S Switches Software Configuration Guide, Release 15.0(1)SE 16-25 OL-26520-01...
CHAPTER Configuring MSTP
This chapter describes how to configure the Cisco implementation of the IEEE 802.1s Multiple STP (MSTP) on the Catalyst 2960, 2960-S, or 2960-C switch. The multiple spanning-tree (MST) implementation is based on the IEEE 802.1s standard.
Note: The MST implementations in Cisco IOS releases earlier than Cisco IOS Release 12.2(25)SED are prestandard.
65 spanning-tree instances. Instances can be identified by any number in the range from 0 to 4094. You can assign a VLAN to only one spanning-tree instance at a time.
IST information, they leave their old subregions and join the new subregion that contains the true CIST regional root. Thus all subregions shrink, except for the one that contains the true CIST regional root.
Only the CST instance sends and receives BPDUs, and MST instances add their spanning-tree information into the BPDUs to interact with neighboring switches and compute the final spanning-tree topology. Because of this, the spanning-tree parameters related to BPDU transmission (for example,
IEEE 802.1D switches. MSTP switches use MSTP BPDUs to communicate with MSTP switches.
IEEE 802.1s Terminology
Some MST naming conventions used in Cisco’s prestandard implementation have been changed to identify some internal or regional parameters. These parameters are significant only within an MST region, as opposed to external parameters that are relevant to the whole network.
The primary change from the Cisco prestandard implementation is that a designated port is not defined as boundary, unless it is running in an STP-compatible mode.
The boundary role is no longer in the final MST standard, but this boundary concept is maintained in Cisco’s implementation. However, an MST instance port at a boundary of the region might not follow the state of the corresponding CIST port. Two cases exist now: The boundary port is the root port of the CIST regional root—When the CIST instance port is...
Detecting Unidirectional Link Failure
This feature is not yet present in the IEEE MST standard, but it is included in this Cisco IOS release. The software checks the consistency of the port role and state in the received BPDUs to detect unidirectional link failures that could cause bridging loops.
LAN segment.
• Disabled port—Has no role within the operation of the spanning tree.
Disabled Disabled Discarding
To be consistent with Cisco STP implementations, this guide defines the port state as blocking instead of discarding. Designated ports start in the listening state.
Rapid Convergence
The RSTP provides for rapid recovery of connectivity following the failure of a switch, a switch port, or a LAN.
RSTP forces it to synchronize with new root information. In general, when the RSTP forces a port to synchronize with root information and the port does not satisfy any of the above conditions, its port state is set to blocking.
IEEE 802.1D switch and a configuration BPDU with the TCA bit set is received, the TC-while timer is reset. This behavior is only required to support IEEE 802.1D switches. The RSTP BPDUs never have the TCA bit set.
Spanning-tree mode: PVST+ (Rapid PVST+ and MSTP are disabled).
Switch priority (configurable on a per-CIST port basis): 32768.
Spanning-tree port priority (configurable on a per-CIST port basis): 128.
Spanning-Tree Instances” section on page 16-10.
MSTP Configuration Guidelines
Note: Stacking is supported only on Catalyst 2960-S switches running the LAN base image.
These are the configuration guidelines for MSTP:
• When you enable MST by using the spanning-tree mode mst global configuration command, RSTP...
1-63 maps VLANs 1 through 63 to MST instance 1. To specify a VLAN series, use a comma; for example, instance 1 vlan 10, 20, 30 maps VLANs 10, 20, and 30 to MST instance 1.
Note: After configuring the switch as the root switch, we recommend that you avoid manually configuring the hello time, forward-delay time, and maximum-age time through the spanning-tree mst hello-time, spanning-tree mst forward-time, and the spanning-tree mst max-age global configuration commands.
You can execute this command on more than one switch to configure multiple backup root switches. Use the same network diameter and hello-time values that you used when you configured the primary root switch with the spanning-tree mst instance-id root primary global configuration command.
For more information, see the “Configuring Path Cost” section on page 17-22.
Stacking is supported only on Catalyst 2960-S switches running the LAN base image.
Otherwise, you can use the show running-config interface privileged EXEC command to confirm the configuration. To return the interface to its default setting, use the no spanning-tree mst instance-id port-priority interface configuration command.
Otherwise, you can use the show running-config privileged EXEC command to confirm the configuration. To return the interface to its default setting, use the no spanning-tree mst instance-id cost interface configuration command.
You can configure the switch priority and make it more likely that a standalone switch or a switch in the stack will be chosen as the root switch.
Note: Stacking is supported only on Catalyst 2960-S switches running the LAN base image.
Note: Exercise care when using this command. For most situations, we recommend that you use the spanning-tree mst instance-id root primary and the spanning-tree mst instance-id root secondary global configuration commands to modify the switch priority.
(Optional) Save your entries in the configuration file. To return the switch to its default setting, use the no spanning-tree mst forward-time global configuration command.
RSTP negotiates a rapid transition with the other port by using the proposal-agreement handshake to ensure a loop-free topology as described in the “Rapid Convergence” section on page 17-10.
(Optional) Save your entries in the configuration file. To return the port to its default setting, use the no spanning-tree mst prestandard interface configuration command.
Displays MST information for the specified interface. For information about other keywords for the show spanning-tree privileged EXEC command, see the command reference for this release.
Chapter 17 Configuring MSTP Displaying the MST Configuration and Status
CHAPTER Configuring Optional Spanning-Tree Features
This chapter describes how to configure optional spanning-tree features on the Catalyst 2960, 2960-S, or 2960-C switch. You can configure all of these features when your switch is running the per-VLAN spanning-tree plus (PVST+).
To prevent the port from shutting down, you can use the errdisable detect cause bpduguard shutdown vlan global configuration command to shut down just the offending VLAN on the port where the violation occurred.
Figure 18-2 shows a complex network where distribution switches and access switches each have at least one redundant link that spanning tree blocks to prevent loops.
Switch B over link L1 and to Switch C over link L2. The Layer 2 interface on Switch C that is connected directly to Switch B is in a blocking state.
Understanding Cross-Stack UplinkFast
Note: Stacking is supported only on Catalyst 2960-S switches running the LAN base image.
For Catalyst 2960-S switches, the UplinkFast feature is the cross-stack UplinkFast feature. Cross-stack UplinkFast (CSUF) provides a fast spanning-tree transition (fast convergence in less than 1 second under normal network conditions) across a switch stack.
The switch sending the fast-transition request needs to do a fast transition to the forwarding state of a port that it has chosen as the root port, and it must obtain an acknowledgement from each stack switch before performing the fast transition.
BPDU is a signal that the other switch might have lost its path to the root, and BackboneFast tries to find an alternate path to the root.
When a stack member receives an RLQ reply from a nonstack member and the response is destined for the stack, the stack member forwards the reply so that all the other stack members receive it.
Note: Stacking is supported only on Catalyst 2960-S switches running the LAN base image.
If the switch discovers that it still has an alternate path to the root, it expires the maximum aging time on the interface that received the inferior BPDU.
(Switch B). The new switch begins sending inferior BPDUs that indicate it is the root switch. However, the other switches ignore these inferior BPDUs, and the new switch learns that Switch B is the designated switch to Switch A, the root switch.
MST instances. A boundary port is an interface that connects to a LAN, the designated switch of which is either an IEEE 802.1D switch or a switch with a different MST region configuration.
Fast-enabled port means an invalid configuration, such as the connection of an unauthorized device, and the BPDU guard feature puts the port in the error-disabled state. When this happens, the switch shuts down the entire port on which the violation occurred.
BPDUs. If a BPDU is received on a Port Fast-enabled interface, the interface loses its Port Fast-operational status, and BPDU filtering is disabled.
You can configure the UplinkFast or the CSUF feature for rapid PVST+ or for the MSTP, but the feature remains disabled (inactive) until you change the spanning-tree mode to PVST+.
“Enabling UplinkFast for Use with Redundant Links” section on page 18-15. To disable UplinkFast on the switch and all its VLANs, use the no spanning-tree uplinkfast global configuration command.
You can use the show interfaces status err-disabled privileged EXEC command to show which switch ports are disabled because of an EtherChannel misconfiguration. On the remote device, you can enter the show etherchannel summary privileged EXEC command to verify the EtherChannel configuration.
Note: You cannot enable both loop guard and root guard at the same time.
You can enable this feature if your switch is running PVST+, rapid PVST+, or MSTP.
You can clear spanning-tree counters by using the clear spanning-tree [interface interface-id] privileged EXEC command. For information about other keywords for the show spanning-tree privileged EXEC command, see the command reference for this release.
Chapter 18 Configuring Optional Spanning-Tree Features Displaying the Spanning-Tree Status
Note: Base image.
This chapter describes how to configure Flex Links, a pair of interfaces on the Catalyst 2960, 2960-S, or 2960-C switch that provide a mutual backup. It also describes how to configure the MAC address-table move update feature, also referred to as the Flex Links bidirectional fast convergence feature.
If a primary (forwarding) link goes down, a trap notifies the network management stations. If the standby link goes down, a trap notifies the users. Flex Links are supported only on Layer 2 ports and port channels, not on VLANs.
Flex Link port. To achieve faster convergence of traffic, both Flex Link ports are learned as mrouter ports whenever either Flex Link port is learned as the mrouter port. Both Flex Link ports are always part of multicast groups.
Switch(config-if)# switchport mode trunk
Switch(config-if)# end
Switch# show interfaces switchport backup detail
Switch Backup Interface Pairs:
Active Interface Backup Interface State
GigabitEthernet1/0/11 GigabitEthernet1/0/12 Active Up/Backup Standby
Preemption Mode : off
This output shows a querier for VLAN 1 and 401 with their queries reaching the switch through Gigabit Ethernet0/11:
Switch# show ip igmp snooping querier
Vlan IP Address IGMP Version Port
-------------------------------------------------------------
When switch C gets a MAC address-table move update message from switch A, switch C learns the MAC address of the PC on port 4. Switch C updates the MAC address table, including the forwarding table entry for the PC.
• You can enable and configure this feature on the access switch to send the MAC address-table move updates.
• You can enable and configure this feature on the uplink switches to receive the MAC address-table move updates.
Specify the interface, and enter interface configuration mode. The interface can be a physical Layer 2 interface or a port channel (logical interface). The port-channel range is 1 to 6.
When both interfaces are up, Gi2/0/8 forwards traffic for VLANs 60 and 100 to 120, and Gi0/6 forwards traffic for VLANs 1 to 50.
Switch# show interfaces switchport backup
Switch Backup Interface Pairs:
Active Interface Backup Interface State
------------------------------------------------------------------------
GigabitEthernet2/0/6 GigabitEthernet2/0/8 Active Up/Backup Up
Configuring the MAC Address-Table Move Update Feature
This section contains this information:
• Configuring a switch to send MAC address-table move updates
• Configuring a switch to get MAC address-table move updates
When VLAN load balancing is enabled, the output displays the preferred VLANS on Active and Backup interfaces.
show mac address-table move update Displays the MAC address-table move update information on the switch.
Configuring DHCP and IP Source Guard Features This chapter describes how to configure DHCP snooping and option-82 data insertion, and the DHCP server port-based address allocation features on the Catalyst 2960, 2960-S, or 2960-C switch. It also describes how to configure the IP source guard feature.
• For information about the DHCP client, see the “Configuring DHCP” section of the “IP Addressing and Services” section of the Cisco IOS IP Configuration Guide, Release 12.4 on Cisco.com.
DHCP Server
The DHCP server assigns IP addresses from specified address pools on a switch or router to DHCP clients and manages them.
DHCP server do not reside on the same IP network or subnet, a DHCP relay agent (the Catalyst switch) is configured with a helper address to enable broadcast forwarding and to transfer DHCP messages between the clients and the server.
– Length of the circuit-ID type
• Remote-ID suboption fields
– Suboption type
– Length of the suboption type
– Remote-ID type
– Length of the remote-ID type
– The length values are variable, depending on the length of the string that you configure.
• Remote-ID suboption fields
– The remote-ID type is 1.
– The length values are variable, depending on the length of the string that you configure.
(set by the write-delay and abort-timeout values), the update stops. This is the format of the file with bindings:
<initial-checksum>
TYPE DHCP-SNOOPING
VERSION 1
BEGIN
<entry-1> <checksum-1>
<entry-2> <checksum-1-2>
DHCP options for devices, or set up the DHCP database agent.
• If the DHCP relay agent is enabled but DHCP snooping is disabled, the DHCP option-82 data insertion feature is not supported.
To disable the DHCP server and relay agent, use the no service dhcp global configuration command. See the “Configuring DHCP” section of the “IP Addressing and Services” section of the Cisco IOS IP Configuration Guide, Release 12.4 on Cisco.com for these procedures:
• Checking (validating) the relay agent information...
The default is to verify that the source MAC address matches the client hardware address in the packet.
Step 11 Return to privileged EXEC mode.
seconds Specify the duration for which the transfer should be delayed after the binding database changes. The range is from 15 to 86400 seconds. The default is 300 seconds (5 minutes).
Step 5 Return to privileged EXEC mode.
Note: If DHCP snooping is enabled and an interface changes to the down state, the switch does not delete the statically configured bindings.
Understanding IP Source Guard
Note: To use the IP source guard feature, the switch must be running the LAN Base image.
DHCP packets. The switch uses port security to filter source MAC addresses. The interface can shut down when a port-security violation occurs.
The configuration is also removed if the switch reloads while the interface is removed from the binding table. For more information about provisioned switches, see the “Stack Offline Configuration” section on page 7-7.
(Optional) Activate port security for this port.
Step 9 switchport port-security maximum value (Optional) Establish a maximum of MAC addresses for this port.
Step 10 Return to privileged EXEC mode.
Switch(config-if)# switchport mode access
Switch(config-if)# switchport access vlan 1
Switch(config-if)# ip device tracking maximum 5
Switch(config-if)# switchport port-security
Switch(config-if)# switchport port-security maximum 5
Switch(config-if)# ip verify source tracking port-security
Switch(config-if)# end
IP Address MAC Address Vlan Interface STATE
---------------------------------------------------------------------
200.1.1.1 0001.0600.0000 GigabitEthernet0/1 ACTIVE
200.1.1.2 0001.0600.0000 GigabitEthernet0/1 ACTIVE
200.1.1.3 0001.0600.0000 GigabitEthernet0/1 ACTIVE
200.1.1.4 0001.0600.0000 GigabitEthernet0/1 ACTIVE
200.1.1.5 0001.0600.0000 GigabitEthernet0/1 ACTIVE
In some environments, such as on a factory floor, if a device fails, the replacement device must be working immediately in the existing network. With the current DHCP implementation, there is no
In all cases, by connecting the Ethernet cable to the same port, the same IP address is allocated through DHCP to the attached device. The DHCP server port-based address allocation feature is only supported on a Cisco IOS DHCP server and not a third-party server.
Step 5 reserved-only (Optional) Use only reserved addresses in the DHCP address pool. The default is to not restrict pool addresses.
Step 6 Return to privileged EXEC mode.
10.1.1.7 Et1/0
For more information about configuring the DHCP server port-based address allocation feature, go to Cisco.com, and enter Cisco IOS IP Addressing Services in the Search field to access the Cisco IOS software documentation. You can also access the documentation: http://www.cisco.com/en/US/docs/ios/ipaddr/command/reference/iad_book.html
Display the status and configuration of a specific interface.
show ip dhcp pool Display the DHCP address pools.
show ip dhcp binding Display address bindings on the Cisco IOS DHCP server.
This chapter describes how to configure dynamic Address Resolution Protocol inspection (dynamic ARP inspection) on the Catalyst 2960, 2960-S, or 2960-C switch. This feature helps prevent malicious attacks on the switch by not relaying invalid ARP requests and responses to other ports in the same VLAN.
“Configuring ARP ACLs for Non-DHCP Environments” section on page 22-9. The switch logs dropped packets. For more information about the log buffer, see the “Logging of Dropped Packets” section on page 22-5.
Switch B (and Host 2, if the link between the switches is configured as trusted). This condition can occur even though Switch B is running dynamic ARP inspection.
The switch first compares ARP packets to user-configured ARP ACLs. If the ARP ACL denies the ARP packet, the switch also denies the packet even if a valid binding exists in the database populated by DHCP snooping.
The rate is unlimited on all trusted interfaces. The burst interval is 1 second.
ARP ACLs for non-DHCP environments: No ARP ACLs are defined.
Validation checks: No checks are performed.
30 pps on an EtherChannel that has one port on switch 1 and one port on switch 2, each port can receive packets at 29 pps without causing the EtherChannel to become error-disabled.
For information on how to configure dynamic ARP inspection when only one switch supports the feature, see the “Configuring ARP ACLs for Non-DHCP Environments” section on page 22-9.
To disable dynamic ARP inspection, use the no ip arp inspection vlan vlan-range global configuration command. To return the interfaces to an untrusted state, use the no ip arp inspection trust interface configuration command.
For more information, see the “Configuring the Log Buffer” section on page 22-13.
Step 4 exit Return to global configuration mode.
To remove the ARP ACL, use the no arp access-list global configuration command. To remove the ARP ACL attached to a VLAN, use the no ip arp inspection filter arp-acl-name vlan vlan-range global configuration command.
ARP packets. The range is 1 to 15.
• For rate none, specify no upper limit for the rate of incoming ARP packets that can be processed.
Step 4 exit Return to global configuration mode.
Dynamic ARP inspection intercepts, logs, and discards ARP packets with invalid IP-to-MAC address bindings. You can configure the switch to perform additional checks on the destination MAC address, the sender and target IP addresses, and the source MAC address. Catalyst 2960 and 2960-S Switches Software Configuration Guide, Release 15.0(1)SE 22-12 OL-26520-01...
VLAN with the same ARP parameters, the switch combines the packets as one entry in the log buffer and generates a single system message for the entry. Catalyst 2960 and 2960-S Switches Software Configuration Guide, Release 15.0(1)SE 22-13...
Page 562
The logs and interval settings interact. If the logs number X is greater than interval seconds Y, X divided by Y (X/Y) system messages are sent every second. Otherwise, one system message is sent every Y divided by X (Y/X) seconds. Catalyst 2960 and 2960-S Switches Software Configuration Guide, Release 15.0(1)SE 22-14 OL-26520-01...
Displays the configuration and the operating state of dynamic ARP inspection for the specified VLAN. If no VLANs are specified or if a range is specified, displays information only for VLANs with dynamic ARP inspection enabled (active). Catalyst 2960 and 2960-S Switches Software Configuration Guide, Release 15.0(1)SE 22-15 OL-26520-01...
Page 564
Displays the configuration and contents of the dynamic ARP inspection log buffer. For more information about these commands, see the command reference for this release. Catalyst 2960 and 2960-S Switches Software Configuration Guide, Release 15.0(1)SE 22-16 OL-26520-01...
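The fragments above cover the individual pieces of dynamic ARP inspection (the ARP ACL for hosts without a DHCP binding, the rate limit and burst interval, the extra validation checks, the log buffer and its logs/interval rule). The configuration below puts them together on one access switch. It is an added example, not text from the guide; the VLAN number, port numbers, IP address and MAC address are assumptions chosen for illustration.

```cisco
! Added example (not from the guide). Assumptions: user VLAN 10, uplink Gi1/0/24
! towards the DHCP server and router, a statically addressed printer 10.1.10.50
! with MAC 0011.2233.4455 on an access port; all names, addresses and ports are invented.
!
! DAI validates ARP against the DHCP snooping binding table, so snooping must be on
! and the uplink must be a DHCP-trusted port.
ip dhcp snooping
ip dhcp snooping vlan 10
!
interface GigabitEthernet1/0/24
 description uplink - trusted for DHCP snooping and DAI
 switchport mode trunk
 ip dhcp snooping trust
 ip arp inspection trust
!
! Hosts that never use DHCP have no binding; whitelist them with an ARP ACL
! rather than turning their ports into trusted ports.
arp access-list STATIC-HOSTS
 permit ip host 10.1.10.50 mac host 0011.2233.4455
!
ip arp inspection vlan 10
ip arp inspection filter STATIC-HOSTS vlan 10
! Log both ACL-denied packets and packets dropped for a missing DHCP binding.
ip arp inspection vlan 10 logging acl-match matchlog
ip arp inspection vlan 10 logging dhcp-bindings all
! Extra checks: source MAC vs. sender MAC, destination MAC vs. target MAC
! (replies), and reject 0.0.0.0 / 255.255.255.255 / multicast sender or target IPs.
ip arp inspection validate src-mac dst-mac ip
! Log buffer: 1024 entries; "logs 100 interval 10" means X/Y = at most
! 10 system messages per second, per the logs/interval rule above.
ip arp inspection log-buffer entries 1024
ip arp inspection log-buffer logs 100 interval 10
!
! Untrusted access ports: the default rate limit is 15 pps; make it explicit and
! let an err-disabled port recover on its own after 5 minutes.
interface range GigabitEthernet1/0/1 - 23
 switchport mode access
 switchport access vlan 10
 ip arp inspection limit rate 15 burst interval 1
!
errdisable recovery cause arp-inspection
errdisable recovery interval 300
!
! Verify: VLAN state and validation checks, per-VLAN drop counters, and the log
! buffer (one entry per VLAN/ARP-parameter combination, not per packet).
! show ip arp inspection vlan 10
! show ip arp inspection statistics vlan 10
! show ip arp inspection log
! show ip dhcp snooping binding
```

The trusted port is the only place an unvalidated ARP packet can enter the VLAN, so keep ip arp inspection trust to infrastructure uplinks; a static host belongs in the ARP ACL, not on a trusted port.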
Note For complete syntax and usage information for the commands used in this chapter, see the switch command reference for this release and the “IP Multicast Routing Commands” section in the Cisco IOS IP Command Reference, Volume 3 of 3: Multicast, Release 12.4 on Cisco.com.

The CPU also adds the interface where the join message was received to the forwarding-table entry. The host associated with that interface receives multicast traffic for that multicast group. See Figure 21-1.

21-2. Note that because the forwarding table directs IGMP messages only to the CPU, the message is not flooded to other ports on the switch. Any known multicast traffic is forwarded to the group and not to the CPU.

Immediate Leave ensures optimal bandwidth management for all hosts on a switched network, even when multiple multicast groups are simultaneously in use.

However, multicast groups that are common for both Layer 2 and Layer 3 (IP multicast routing) might take longer to converge if the stack master is removed.

Global IGMP snooping overrides the VLAN IGMP snooping. If global snooping is disabled, you cannot enable VLAN snooping. If global snooping is enabled, you can enable or disable VLAN snooping.

• Snooping on IGMP queries, Protocol Independent Multicast (PIM) packets, and Distance Vector Multicast Routing Protocol (DVMRP) packets
• Listening to Cisco Group Management Protocol (CGMP) packets from other routers
• Statically connecting to a multicast router port with the ip igmp snooping mrouter global ...

• The VLAN ID range is 1 to 1001 and 1006 to 4094.
• The interface can be a physical interface or a port channel. The port-channel range is 1 to 6.
Step 3 Return to privileged EXEC mode.

IGMP Version 2 leave message on that port. You should only use the Immediate-Leave feature when there is a single receiver present on every port in the VLAN.

100 to 32768 milliseconds.
Note Configuring the leave time on a VLAN overrides the globally configured timer.
Step 4 Return to privileged EXEC mode.

(Optional) Save your entries in the configuration file. To return to the default flooding query count, use the no ip igmp snooping tcn flood query count global configuration command.

(Optional) Save your entries in the configuration file. To re-enable multicast flooding on an interface, use the ip igmp snooping tcn flood interface configuration command.

(Optional) Verify that the IGMP snooping querier is enabled on the VLAN interface. The VLAN ID range is 1 to 1001 and 1006 to 4094.
Step 10 copy running-config startup-config (Optional) Save your entries in the configuration file.

Switch(config)# end

This example shows how to set the IGMP snooping querier feature to version 2 (the no form returns the querier to its default version, which is 2):

Switch# configure terminal
Switch(config)# no ip igmp snooping querier version 2
Switch(config)# end

... command options instead of the actual entries.
• dynamic—Display entries learned through IGMP snooping.
• user—Display only the user-configured multicast entries.
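The snooping procedures above are spread over several steps (global and per-VLAN snooping, the multicast-router port, Immediate Leave, the querier, TCN flooding). One complete IGMP snooping configuration that applies them together is shown below as an added example; it is not from the guide, and the VLAN, ports and querier address are assumptions.

```cisco
! Added example (not from the guide). Assumptions: user VLAN 10, the multicast
! router is reached over trunk Gi1/0/24, access ports are Gi1/0/1-23, and a
! packet analyzer hangs off Gi1/0/23; all values are invented.
!
! Global snooping must be on before per-VLAN snooping can take effect.
ip igmp snooping
ip igmp snooping vlan 10
! Pin the multicast-router port instead of relying only on learning from
! queries/PIM/DVMRP/CGMP, so a host on an access port cannot become the mrouter port.
ip igmp snooping vlan 10 mrouter interface GigabitEthernet1/0/24
! Immediate Leave: only safe when there is exactly one receiver per port,
! otherwise the first leave cuts off the other receivers on that port.
ip igmp snooping vlan 10 immediate-leave
! Local IGMPv2 querier for a VLAN that has no multicast router; the source
! address must be an address that is valid in the VLAN.
ip igmp snooping querier
ip igmp snooping querier address 10.1.10.1
ip igmp snooping querier version 2
! After a spanning-tree topology change, flood multicast until 2 general queries
! have been received (the default); stop TCN flooding on the analyzer port so it
! does not receive every stream after each topology change.
ip igmp snooping tcn flood query count 2
interface GigabitEthernet1/0/23
 description packet analyzer
 no ip igmp snooping tcn flood
!
! Verify: which ports are mrouter ports, and which groups were learned (dynamic)
! rather than configured (user).
! show ip igmp snooping mrouter vlan 10
! show ip igmp snooping groups vlan 10 dynamic
! show ip igmp snooping querier vlan 10
```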
MVR assumes that subscriber ports subscribe and unsubscribe (join and leave) these multicast streams by sending out IGMP join and leave messages. These messages can originate from an IGMP Version-2-compatible host with an Ethernet connection. Although MVR operates on the underlying ...

VLAN as a forwarding destination of the specified multicast stream when it is received from the multicast VLAN. Uplink ports that send and receive multicast data to and from the multicast VLAN are called MVR source ports.

Multicast traffic for all channels is only sent around the VLAN trunk once—only on the multicast VLAN. The IGMP leave and join messages are in the VLAN to which the subscriber port is assigned.

... Catalyst 3550 or Catalyst 3500 XL switches, you should not configure IP addresses that alias between themselves or with the reserved IP multicast addresses (in the range 224.0.0.xxx).
• MVR can coexist with IGMP snooping on a switch.

This example shows how to enable MVR, configure the group address, set the query time to 1 second (10 tenths), specify the MVR multicast VLAN as VLAN 22, and set the MVR mode as dynamic:

Switch(config)# mvr
...

Note This command applies only to receiver ports and should be enabled only on receiver ports to which a single receiver device is connected.
Step 7 Return to privileged EXEC mode.

If the members keyword is entered, displays all multicast group members on this port or, if a VLAN identification is entered, all multicast group members on the VLAN. The VLAN ID range is 1 to 1001 and 1006 to 4094.

The default is for the switch to have no IGMP profiles configured. When a profile is configured, if neither the permit nor deny keyword is included, the default is to deny access to the range of IP addresses.

You cannot apply profiles to ports that belong to an EtherChannel port group. You can apply a profile to multiple interfaces, but each interface can have only one profile applied to it.

• replace—Replace the existing group with the new group for which the IGMP report was received.

interface-id] Displays the configuration of the specified interface or the configuration of all interfaces on the switch, including (if configured) the maximum number of IGMP groups to which an interface can belong and the IGMP profile applied to the interface.
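The MVR fragments and the IGMP filtering/throttling fragments above describe two features that are normally deployed together on subscriber ports: MVR delivers the channels from one multicast VLAN, and an IGMP profile plus max-groups limits what each subscriber port may join. The configuration below combines them. It is an added example, not from the guide; the multicast VLAN, access VLAN, group range and port numbers are assumptions.

```cisco
! Added example (not from the guide). Assumptions: multicast VLAN 22 carries
! channels 239.1.1.1-239.1.1.10 from the head-end on Gi1/0/24; subscriber ports
! Gi1/0/1-20 are in access VLAN 30 and may join at most two channels at a time.
! All addresses, VLANs and ports are invented.
!
! MVR: one copy of each stream on VLAN 22; subscribers stay in their own VLAN,
! and their IGMP joins/leaves stay in VLAN 30.
mvr
mvr vlan 22
mvr group 239.1.1.1 10
mvr querytime 10
mvr mode dynamic
!
interface GigabitEthernet1/0/24
 description head-end - MVR source port
 switchport mode trunk
 mvr type source
!
! IGMP profile: permit only the MVR channel range. A profile with neither
! permit nor deny denies the listed range, so state the action explicitly.
ip igmp profile 10
 permit
 range 239.1.1.1 239.1.1.10
!
! Receiver ports: one subscriber device each, so MVR Immediate Leave is safe.
! Profiles cannot be applied to EtherChannel member ports, and one profile per port.
interface range GigabitEthernet1/0/1 - 20
 switchport mode access
 switchport access vlan 30
 mvr type receiver
 mvr immediate
 ip igmp filter 10
 ! Throttle: at most 2 groups per port; a third report replaces the oldest
 ! group rather than being dropped (the default action is deny).
 ip igmp max-groups 2
 ip igmp max-groups action replace
!
! Verify:
! show mvr
! show mvr interface
! show mvr members
! show ip igmp profile 10
! show running-config interface GigabitEthernet1/0/1
```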
Chapter 21 Configuring IGMP Snooping and MVR: Displaying IGMP Filtering and Throttling Configuration
C H A P T E R Configuring Port-Based Traffic Control
This chapter describes how to configure the port-based traffic control features on the Catalyst 2960, 2960-S, or 2960-C switch. Unless otherwise noted, the term switch refers to a standalone switch and a switch stack.

Note When the storm control threshold for multicast traffic is reached, all multicast traffic except control traffic, such as bridge protocol data unit (BPDU) and Cisco Discovery Protocol (CDP) frames, is blocked.
The graph in Figure 23-1 shows broadcast traffic patterns on an interface over a given period of time.

Beginning in privileged EXEC mode, follow these steps to configure storm control and threshold levels:
Command Purpose
Step 1 configure terminal Enter global configuration mode.
Step 2 interface interface-id Specify the interface to be configured, and enter interface configuration mode.

If you do not enter a traffic type, broadcast storm control settings are displayed.
Step 7 copy running-config startup-config (Optional) Save your entries in the configuration file.

Incoming VLAN-tagged packets smaller than 67 bytes are considered small frames. They are forwarded by the switch, but they do not cause the switch storm-control counters to increment. In Cisco IOS Release 12.2(44)SE and later, you can configure a port to be error disabled if small frames arrive at a specified rate (threshold).

Because a switch stack represents a single logical switch, Layer 2 traffic is not forwarded between any protected ports in the switch stack, whether they are on the same or different switches in the stack.
Note Stacking is supported only on Catalyst 2960-S switches running the LAN base image.
These sections contain this configuration information:

Note ... contain IPv4 or IPv6 information in the header are not blocked.
• Default Port Blocking Configuration, page 23-8
• Blocking Flooded Traffic on an Interface, page 23-8

... MAC addresses to one and assign a single secure MAC address, the workstation attached to that port is assured the full bandwidth of the port.

If you do not save the sticky secure addresses, they are lost.

• When you enable port security on an interface that is also configured with a voice VLAN, set the maximum allowed secure addresses on the port to two. When the port is connected to a Cisco IP phone, the IP phone requires one MAC address. The Cisco IP phone address is learned on the voice VLAN, but is not learned on the access VLAN. If you connect a single PC to the Cisco IP phone, no additional MAC addresses are required. If you connect more than one PC to the Cisco IP phone, you must configure enough secure addresses to allow one for each PC and one for the phone.

The voice keyword is available only if a voice VLAN is configured on a port and if that port is not the access VLAN. If an interface is configured for voice VLAN, configure a maximum of two secure MAC addresses.

(to re-enable port security on the interface). If you use the no switchport port-security mac-address sticky interface configuration ...

... MAC addresses and to still limit the number of secure addresses on a port. You can enable or disable the aging of secure addresses on a per-port basis.

Switch(config-if)# switchport port-security aging time 2
Switch(config-if)# switchport port-security aging type inactivity
Switch(config-if)# switchport port-security aging static

You can verify the previous commands by entering the show port-security interface interface-id privileged EXEC command.

Virtual port error disabling is not supported for EtherChannel and Flexlink interfaces.
Default Protocol Storm Protection Configuration
Protocol storm protection is disabled by default. When it is enabled, auto-recovery of the virtual port is disabled by default.

The show interfaces interface-id switchport privileged EXEC command displays (among other characteristics) the interface traffic suppression and control configuration. The show storm-control and show port-security privileged EXEC commands display those storm control and port security settings.

Displays the number of secure MAC addresses configured per VLAN on the specified interface.
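The chapter fragments above treat storm control, small-frame detection, protected ports, port blocking, port security (including the voice-VLAN and sticky/aging rules) and protocol storm protection one at a time. The configuration below applies all of them to a block of phone/PC access ports and one guest port, which is how they are usually combined on an edge switch. It is an added example, not from the guide; the VLAN numbers, port numbers, thresholds and the guest MAC address are assumptions.

```cisco
! Added example (not from the guide). Assumptions: access ports Gi1/0/1-20 in
! data VLAN 10 with voice VLAN 100; Gi1/0/21 is a guest port in VLAN 50 with a
! known MAC 0011.2233.4455; all values are invented.
!
! Small (<67 byte) tagged frames bypass the storm-control counters unless
! small-frame detection is enabled globally and a rate is set per port.
errdisable detect cause small-frame
!
interface range GigabitEthernet1/0/1 - 20
 switchport mode access
 switchport access vlan 10
 switchport voice vlan 100
 ! Storm control: suppress broadcast above 20% of bandwidth until it falls to
 ! 10%, rate-limit multicast in pps, and err-disable the port rather than
 ! only dropping the excess (BPDU/CDP control traffic is still passed).
 storm-control broadcast level 20 10
 storm-control multicast level pps 5k 2k
 storm-control action shutdown
 small-frame violation-rate 1000
 ! Protected port: no Layer 2 forwarding between these ports, stack-wide.
 switchport protected
 ! Do not flood unknown-unicast/multicast to end hosts (frames whose
 ! destination the switch knows are still delivered).
 switchport block unicast
 switchport block multicast
 ! Port security: one phone on the voice VLAN plus one PC on the access VLAN,
 ! sticky-learned; restrict counts violations and keeps the port up.
 switchport port-security
 switchport port-security maximum 2
 switchport port-security maximum 1 vlan voice
 switchport port-security maximum 1 vlan access
 switchport port-security mac-address sticky
 switchport port-security violation restrict
 ! Age secure addresses after 2 minutes of inactivity, static ones included,
 ! so a replaced PC does not need manual cleanup.
 switchport port-security aging time 2
 switchport port-security aging type inactivity
 switchport port-security aging static
!
! Guest port: a single hard-coded address; any other source MAC shuts the port.
interface GigabitEthernet1/0/21
 switchport mode access
 switchport access vlan 50
 switchport port-security
 switchport port-security maximum 1
 switchport port-security mac-address 0011.2233.4455
 switchport port-security violation shutdown
!
! Sticky addresses survive a reload only if the running configuration is saved:
! copy running-config startup-config
!
! Automatic recovery of err-disabled ports after 5 minutes, and protocol storm
! protection for ARP control packets per virtual port (disabled by default).
errdisable recovery cause storm-control
errdisable recovery cause psecure-violation
errdisable recovery cause small-frame
errdisable recovery cause psp
errdisable recovery interval 300
psp arp pps 100
!
! Verify:
! show storm-control
! show port-security interface GigabitEthernet1/0/1
! show port-security address
! show interfaces GigabitEthernet1/0/1 switchport
```

Use violation restrict on user ports so that a MAC flood is counted and logged without taking the phone down with the PC; reserve violation shutdown for ports whose population is fixed, as on the guest port above.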
When you enable both autonegotiation and UDLD, the Layer 1 and Layer 2 detections work together to prevent physical and logical unidirectional connections and the malfunctioning of other protocols.

UDLD sends at least one message to inform the neighbors to flush the part of their caches affected by the status change. The message is intended to keep the caches synchronized.

• Configuration Guidelines, page 24-4
• Enabling UDLD Globally, page 24-5
• Enabling UDLD on an Interface, page 24-6
• Resetting an Interface Disabled by UDLD, page 24-6

Caution Loop guard works only on point-to-point links. We recommend that each end of the link has a directly connected device that is running STP.

To disable UDLD globally, use the no udld enable global configuration command to disable normal mode UDLD on all fiber-optic ports. Use the no udld aggressive global configuration command to disable aggressive mode UDLD on all fiber-optic ports.

• The errdisable recovery cause udld global configuration command enables the timer to automatically recover from the UDLD error-disabled state, and the errdisable recovery interval interval global configuration command specifies the time to recover from the UDLD error-disabled state.

To display the UDLD status for the specified port or for all ports, use the show udld [interface-id] privileged EXEC command. For detailed information about the fields in the command output, see the command reference for this release.
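The UDLD procedure above (global enable on fiber, per-interface enable on copper, recovery of an err-disabled port) is shown end to end below, together with the loop guard the Caution recommends. It is an added example, not from the guide; the port numbers and timer values are assumptions.

```cisco
! Added example (not from the guide). Assumptions: Gi1/0/25-26 are fiber uplinks,
! Gi1/0/1 is a copper link to a neighbour that also runs UDLD; all invented.
!
! Aggressive mode on all fiber ports: a neighbour that stops answering is
! err-disabled instead of silently staying up as a one-way, loop-prone link.
udld aggressive
! Probe interval in seconds (default 15; lower means faster detection).
udld message time 15
!
! The global command covers only fiber-optic ports; copper links need a
! per-interface enable.
interface GigabitEthernet1/0/1
 udld port aggressive
!
! Loop guard on the same point-to-point links, so STP does not unblock a port
! merely because BPDUs stopped arriving from a now one-way neighbour.
spanning-tree loopguard default
!
! Recover an err-disabled port automatically after 5 minutes, or by hand with
! the udld reset privileged EXEC command once the link has been repaired.
errdisable recovery cause udld
errdisable recovery interval 300
!
! Verify neighbour state and whether each port is in normal or aggressive mode:
! show udld GigabitEthernet1/0/25
! show udld neighbors
! show errdisable recovery
```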
Understanding CDP
CDP is a device discovery protocol that runs over Layer 2 (the data link layer) on all Cisco-manufactured devices (routers, bridges, access servers, and switches) and allows network management applications to discover Cisco devices that are neighbors of already known devices. With CDP, network management applications can learn the device type and the Simple Network Management Protocol (SNMP) agent address of neighboring devices running lower-layer, transparent protocols.

... 25-5.
Disabling and Enabling CDP
CDP is enabled by default. Switch clusters and other Cisco devices (such as Cisco IP Phones) regularly exchange CDP messages.
Note Disabling CDP can interrupt cluster discovery and device connectivity. For more information, see Chapter 6, “Clustering Switches” ...

Disable CDP on the interface.
Step 4 Return to privileged EXEC mode.
Step 5 copy running-config startup-config (Optional) Save your entries in the configuration file.

You can limit the display to neighbors of a specific interface or expand the display to provide more detailed information.
show cdp traffic Display CDP counters, including the number of packets sent and received and checksum errors.
Understanding LLDP, LLDP-MED, and Wired Location Service
LLDP
The Cisco Discovery Protocol (CDP) is a device discovery protocol that runs over Layer 2 (the data link layer) on all Cisco-manufactured devices (routers, bridges, access servers, and switches). CDP allows network management applications to automatically discover and learn about other Cisco devices connected to the network.

To support non-Cisco devices and to allow for interoperability between other devices, the switch supports the IEEE 802.1AB Link Layer Discovery Protocol (LLDP). LLDP is a neighbor discovery protocol that is used for network devices to advertise information about themselves to other devices on the network.

Starting with Cisco IOS Release 12.2(52)SE, when LLDP is enabled and power is applied to a port, the power TLV determines the actual power requirement of the endpoint device so that the system power budget can be adjusted accordingly.

The switch uses the wired location service feature to send location and attachment tracking information for its connected devices to a Cisco Mobility Services Engine (MSE). The tracked device can be a wireless endpoint, a wired endpoint, or a wired switch or controller. The switch notifies the MSE of device link up and link down events through the Network Mobility Services Protocol (NMSP) location and attachment notifications.

• You cannot configure a network-policy profile on a private-VLAN port.
• For wired location to function, you must first enter the ip device tracking global configuration command.

Beginning in privileged EXEC mode, follow these steps to configure the LLDP characteristics.
Note Steps 2 through 5 are optional and can be performed in any order.

The telephone uses the configuration from the telephone key pad.
• untagged—(Optional) Configure the telephone to send untagged voice traffic. This is the default for the telephone.
Step 4 exit Return to global configuration mode.

• identifier id—Specify the ID for the civic location.
• string—Specify the site or location information in alphanumeric format.
Step 3 exit Return to global configuration mode.

Note Your switch must be running the cryptographic (encrypted) software image to enable the nmsp global configuration commands.
Command Purpose
Step 1 configure terminal Enter global configuration mode.
Step 2 nmsp enable Enable the NMSP features on the switch.

Display the location information for the specified administrative tag or site.
show location civic-location identifier id Display the location information for a specific global civic location.

Description
show location elin-location identifier id Display the location information for an emergency location.
show network-policy profile Display the configured network-policy profiles.
show nmsp Display the NMSP information.
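Both the CDP chapter (disabling CDP per interface, what CDP advertises) and the LLDP chapter above (LLDP timers, the power TLV, network-policy profiles, device tracking and NMSP) end up in the same place on a real access switch: discovery stays on for phones and managed uplinks and is turned off towards devices that should not learn the switch's platform, software version and management address. The configuration below serves both chapters. It is an added example, not from the guide; the port numbers, VLANs and timer values are assumptions.

```cisco
! Added example (not from the guide), covering the CDP and LLDP chapters together.
! Assumptions: Gi1/0/24 is a trunk to a third-party firewall, Gi1/0/1-20 are
! phone/PC ports, data VLAN 10, voice VLAN 100; all values are invented.
!
! CDP stays on for the phones (Disabling CDP can interrupt cluster discovery and
! IP phone connectivity) but is switched off towards the untrusted device so
! that platform, IOS version and management address are not advertised there.
interface GigabitEthernet1/0/24
 description to third-party firewall
 no cdp enable
 no lldp transmit
 no lldp receive
!
! LLDP/LLDP-MED for the phones: 30 s advertisements held for 120 s, the power
! TLV so the PoE budget follows the real draw, and a network-policy profile
! that tells the phone its voice VLAN and CoS over LLDP-MED instead of CDP.
lldp run
lldp timer 30
lldp holdtime 120
lldp reinit 2
lldp tlv-select power-management
!
network-policy profile 1
 voice vlan 100 cos 5
!
interface range GigabitEthernet1/0/1 - 20
 switchport mode access
 switchport access vlan 10
 switchport voice vlan 100
 network-policy 1
!
! Wired location service: device tracking first, then NMSP (crypto image needed).
ip device tracking
nmsp enable
!
! Verify what this switch advertises and learns:
! show cdp neighbors detail
! show cdp interface GigabitEthernet1/0/24
! show lldp neighbors detail
! show network-policy profile
! show nmsp status
```

Check show cdp neighbors detail and show lldp neighbors detail from the neighbour side as well: a port that still lists the switch's management address after the change has not had the per-interface commands applied.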
This chapter describes how to configure Switched Port Analyzer (SPAN) and Remote SPAN (RSPAN) on the Catalyst 2960, 2960-S, or 2960-C switch. Unless otherwise noted, the term switch refers to a standalone switch and a switch stack.
Note Stacking is supported only on Catalyst 2960-S switches running the LAN base image.

Figure 27-2 is an example of a local SPAN in a switch stack, where the source and destination ports reside on different stack members.

... RSPAN VLAN to a destination session monitoring the RSPAN VLAN. Each RSPAN source switch must have either ports or VLANs as RSPAN sources. The destination is always a physical port, as shown on Switch C in the figure.

... RSPAN VLAN. To configure an RSPAN destination session on another device, you associate the destination port with the RSPAN VLAN. The destination session collects all RSPAN VLAN traffic and sends it out the RSPAN destination port.

A copy of each packet received by the source is sent to the destination port for that SPAN session. Packets that are modified because of routing or quality of service (QoS)—for example, modified Differentiated Services Code Point (DSCP)—are copied before modification.

The default configuration for local SPAN session ports is to send all packets untagged. SPAN also does not normally monitor bridge protocol data unit (BPDU) packets and Layer 2 protocols, such as Cisco Discovery Protocol (CDP), VLAN Trunk Protocol (VTP), Dynamic Trunking Protocol (DTP), Spanning Tree Protocol (STP), and Port Aggregation Protocol (PAgP).

• SPAN traffic coming from other port types is not affected by VLAN filtering; that is, all VLANs are allowed on other ports.
• VLAN filtering affects only traffic forwarded to the destination SPAN port and does not affect the switching of normal traffic.

• For RSPAN, the original VLAN ID is lost because it is overwritten by the RSPAN VLAN identification. Therefore, all packets appear on the destination port as untagged.

... SPAN session, it rejoins the EtherChannel group. Ports removed from an EtherChannel group remain members of the group, but they are in the inactive or suspended state.

SPAN state (SPAN and RSPAN): Disabled.
Source port traffic to monitor: Both received and sent traffic (both).
Encapsulation type (destination port): Native form (untagged packets).
Ingress forwarding (destination port): Disabled.

... VLANs specified with this keyword is monitored. By default, all VLANs are monitored on a trunk port.
• You cannot mix source VLANs and filter VLANs within a single SPAN session.

... This is the default.
• rx—Monitor received traffic.
• tx—Monitor sent traffic.
Note You can use the monitor session session_number source command multiple times to configure multiple source ports.

Switch(config)# end

This example shows how to disable received traffic monitoring on port 1, which was configured for bidirectional monitoring:

Switch(config)# no monitor session 1 source interface gigabitethernet1/0/1 rx

Step 3 monitor session session_number source {interface interface-id | vlan vlan-id} [, | -] [both | rx | tx] Specify the SPAN session and the source port (monitored port).

... IEEE 802.1Q encapsulation and VLAN 6 as the default ingress VLAN.

Switch(config)# no monitor session 2
Switch(config)# monitor session 2 source interface gigabitethernet1/0/1 rx
Switch(config)# monitor session 2 destination interface gigabitethernet1/0/2 encapsulation replicate ingress dot1q vlan 6
Switch(config)# end

(Optional) Save the configuration in the configuration file. To monitor all VLANs on the trunk port, use the no monitor session session_number filter global configuration command.

• If you enable VTP and VTP pruning, RSPAN traffic is pruned in the trunks to prevent the unwanted flooding of RSPAN traffic across the network for VLAN IDs that are lower than 1005.

For session_number, the range is 1 to 66. Specify all to remove all RSPAN sessions, local to remove all local sessions, or remote to remove all remote SPAN sessions.

To remove a destination port from the SPAN session, use the no monitor session session_number destination interface interface-id global configuration command. To remove the RSPAN VLAN from the session, use the no monitor session session_number source remote vlan vlan-id.

... RSPAN VLAN and the destination port, and to enable incoming traffic on the destination port for a network security device (such as a Cisco IDS Sensor Appliance). For details about the keywords not related to incoming traffic, see the “Creating an RSPAN Destination ...

(Optional) Use a comma (,) to specify a series of VLANs or use a hyphen (-) to specify a range of VLANs. Enter a space before and after the comma; enter a space before and after the hyphen.

To display the current SPAN or RSPAN configuration, use the show monitor user EXEC command. You can also use the show running-config privileged EXEC command to display configured SPAN or RSPAN sessions.
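The local SPAN, VLAN filtering and RSPAN procedures above are shown below as one deployment that feeds a passive analyzer locally and an IDS sensor on another switch, with ingress enabled on the sensor port as the guide describes for a network security device. It is an added example, not from the guide; the switch names, port numbers, VLANs and the RSPAN VLAN number are assumptions.

```cisco
! Added example (not from the guide). Assumptions: on Switch A, user ports
! Gi1/0/1-8 are the sources and an analyzer is on Gi1/0/23; the IDS sensor sits
! on Gi1/0/24 of Switch C; RSPAN VLAN 901 is carried on the trunks between them.
! All names, ports and VLANs are invented.
!
! --- Switch A: local SPAN to a passive analyzer ---
! Ingress-only copies of eight ports, restricted to VLANs 10-20 (spaces around
! the hyphen are required), delivered with their 802.1Q tags so the analyzer
! still sees the original VLAN. Source VLANs and filter VLANs cannot be mixed
! in one session, so this session uses interface sources only.
no monitor session 1
monitor session 1 source interface GigabitEthernet1/0/1 - 8 rx
monitor session 1 filter vlan 10 - 20
monitor session 1 destination interface GigabitEthernet1/0/23 encapsulation replicate
!
! --- Switch A: RSPAN source ---
! The RSPAN VLAN must exist on every switch in the path and carries no hosts;
! VTP pruning will prune it where no destination session exists.
vlan 901
 name RSPAN-TO-IDS
 remote-span
!
monitor session 2 source vlan 10 rx
monitor session 2 destination remote vlan 901
!
! --- Switch C: RSPAN destination with ingress for the sensor ---
vlan 901
 remote-span
!
! ingress dot1q vlan 6: the sensor may inject frames (for example TCP resets);
! they enter the switch on VLAN 6, and untagged frames from it land in VLAN 6.
! The original VLAN ID is lost in RSPAN, so copied traffic arrives untagged.
monitor session 3 source remote vlan 901
monitor session 3 destination interface GigabitEthernet1/0/24 ingress dot1q vlan 6
!
! Verify (session numbers run from 1 to 66):
! show monitor session 1
! show monitor session all
! show vlan remote-span
```

Treat an ingress-enabled destination port as an ordinary host port for security purposes: the sensor can send into VLAN 6, so that VLAN should carry nothing the sensor must not reach.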
Chapter 27 Configuring SPAN and RSPAN: Displaying SPAN and RSPAN Status
C H A P T E R Configuring RMON
This chapter describes how to configure Remote Network Monitoring (RMON) on the Catalyst 2960, 2960-S, or 2960-C switch. Unless otherwise noted, the term switch refers to a standalone switch and to a switch stack.

Because switches supported by this software release use hardware counters for RMON data processing, the monitoring is more efficient, and little processing power is required.
Note 64-bit counters are not supported for RMON alarms.

You must also configure SNMP on the switch to access RMON MIB objects. For more information, see Chapter 30, “Configuring SNMP.”

... SNMP community string used for this trap.
Step 4 Return to privileged EXEC mode.
Step 5 show running-config Verify your entries.
Step 6 copy running-config startup-config (Optional) Save your entries in the configuration file.

(Optional) For owner ownername, enter the name of the owner of the RMON group of statistics.
Step 4 Return to privileged EXEC mode.
Step 5 show running-config Verify your entries.

Commands for Displaying RMON Status
Command Purpose
show rmon Displays general RMON statistics.
show rmon alarms Displays the RMON alarm table.
show rmon events Displays the RMON event table.
show rmon statistics Displays the RMON statistics table.

For information about the fields in these displays, see the “System Management Commands” section in the Cisco IOS Configuration Fundamentals Command Reference, Release 12.4 on Cisco.com.
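The RMON steps above (an event with a trap community, an alarm on a MIB variable, statistics and history collection) only work once SNMP is configured, and the trap community is a credential. The configuration below shows the whole chain with the SNMP side restricted to one management host. It is an added example, not from the guide; the NMS address, community string, interface index and thresholds are assumptions.

```cisco
! Added example (not from the guide). Assumptions: the NMS at 10.0.0.50 is the
! only allowed SNMP poller and trap receiver; Gi1/0/24 is the uplink and its
! ifIndex is 1 (check with show snmp mib ifmib ifindex); all values invented.
!
! RMON needs SNMP: a read-only community bound to an ACL, v2c traps to the NMS.
access-list 10 permit host 10.0.0.50
snmp-server community netops-ro RO 10
snmp-server host 10.0.0.50 version 2c netops-ro
snmp-server enable traps
!
! Event 1: write to the local log and send a trap with the community above.
rmon event 1 log trap netops-ro description "uplink input errors" owner netops
!
! Alarm 1: sample ifInErrors (ifEntry.14) for ifIndex 1 every 30 seconds as a
! delta; fire event 1 when the delta rises past 50 and again when it falls
! below 10, so a value hovering near the threshold does not re-alert each
! interval. Only 32-bit counters can be used here.
rmon alarm 1 ifEntry.14.1 30 delta rising-threshold 50 1 falling-threshold 10 1 owner netops
!
! Per-interface etherStats and etherHistory for the NMS to read.
interface GigabitEthernet1/0/24
 rmon collection stats 1 owner netops
 rmon collection history 1 buckets 50 interval 1800 owner netops
!
! Verify:
! show rmon alarms
! show rmon events
! show rmon statistics
! show rmon history
```

The community string is visible to anyone who can read the configuration and to anyone on the path of a v2c trap; if SNMPv3 is available on the release, prefer it for the NMS and keep the v2c community only where RMON traps require it.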
C H A P T E R Configuring System Message Logging This chapter describes how to configure system message logging on the Catalyst 2960. 2960-S, or and 2960-C switch. For complete syntax and usage information for the commands used in this chapter, see the Cisco IOS Note Configuration Fundamentals Command Reference, Release 12.4.
The part of the message preceding the percent sign depends on the setting of the service sequence-numbers, service timestamps log datetime, service timestamps log datetime [localtime] [msec] [show-timezone], or service timestamps log uptime global configuration command. Catalyst 2960 and 2960-S Switches Software Configuration Guide, Release 15.0(1)SE 29-2 OL-26520-01...
Page 675
00:00:47: %LINK-3-UPDOWN: Interface GigabitEthernet2/0/2, changed state to up (Switch-2) 00:00:48: %LINEPROTO-5-UPDOWN: Line protocol on Interface Vlan1, changed state to down (Switch-2) 00:00:48: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet2/0/1, changed state to down 2 (Switch-2) Catalyst 2960 and 2960-S Switches Software Configuration Guide, Release 15.0(1)SE 29-3 OL-26520-01...
Step 3 Return to privileged EXEC mode. Step 4 show running-config Verify your entries. show logging Step 5 copy running-config startup-config (Optional) Save your entries in the configuration file. Catalyst 2960 and 2960-S Switches Software Configuration Guide, Release 15.0(1)SE 29-4 OL-26520-01...
To build a list of syslog servers that receive logging messages, enter this command more than once. For complete syslog server configuration steps, see the “Configuring UNIX Syslog Servers” section on page 29-12.
Therefore, unsolicited messages and debug command output are not interspersed with solicited device output and prompts. After the unsolicited messages appear, the console again displays the user prompt.
(Optional) Save your entries in the configuration file. To disable synchronization of unsolicited messages and debug output, use the no logging synchronous [level severity-level | all] [limit number-of-buffers] line configuration command.
To disable logging to syslog servers, use the no logging trap global configuration command.
By default, one message of the warning level and numerically lower levels (see Table 29-3 on page 29-10) is stored in the history table even if syslog traps are not enabled.
[end-number] | statistics} [provisioning] privileged EXEC command to display the complete configuration log or the log for specified parameters. By default, configuration logging is disabled. For information about the commands, see the Cisco IOS Configuration Fundamentals and Network Management Command Reference, Release 12.3 T: http://www.cisco.com/en/US/docs/ios/12_3/configfun/command/reference/cfr_1g04.html
| exit
Configuring UNIX Syslog Servers
The next sections describe how to configure the UNIX server syslog daemon and how to define the UNIX system logging facility.
Limit messages logged to the syslog servers. By default, syslog servers receive informational messages and lower. See Table 29-3 on page 29-10 for level keywords.
Displaying the Logging Configuration
To display the logging configuration and the contents of the log buffer, use the show logging privileged EXEC command. For information about the fields in this display, see the Cisco IOS Configuration Fundamentals Command Reference, Release 12.4 on Cisco.com.
Configuring SNMP
This chapter describes how to configure the Simple Network Management Protocol (SNMP) on the Catalyst 2960, 2960-S, or 2960-C switch. Unless otherwise noted, the term switch refers to a standalone switch and a switch stack. Stacking is supported only on Catalyst 2960-S switches running the LAN base image.
Both SNMPv1 and SNMPv2C use a community-based form of security. The community of managers able to access the agent’s MIB is defined by an IP address access control list and password.
The SNMP manager uses information in the MIB to perform the operations described in Table 30-2.
Table 30-2 SNMP Operations
get-request: Retrieves a value from a specific variable.
get-next-request: Retrieves a value from a variable within a table.
For more information, see Chapter 6, “Clustering Switches” and see Getting Started with Cisco Network Assistant, available on Cisco.com.
SNMP manager receive every notification, use inform requests. If traffic on the network or memory in the switch is a concern and notification is not required, use traps.
Modifying the group's notify view affects all users associated with that group. See the Cisco IOS Network Management Command Reference for information about when you should configure notify views.
The no snmp-server global configuration command disables all running versions (Version 1, Version 2C, and Version 3) on the device. No specific Cisco IOS command exists to enable SNMP. The first snmp-server global configuration command that you enter enables all versions of SNMP.
Note: To disable access for an SNMP community, set the community string for that community to the null string (do not enter a value for the community string). To remove a specific community string, use the no snmp-server community string global configuration command.
• If you select remote, specify the ip-address of the device that contains the remote copy of SNMP and the optional User Datagram Protocol (UDP) port on the remote device. The default is 162.
64 characters) that is the name of the view in which you specify a notify, inform, or trap.
• (Optional) Enter access access-list with a string (not to exceed 64 characters) that is the name of the access list.
Note: To display SNMPv3 information about auth | noauth | priv mode configuration, you must enter the show snmp user privileged EXEC command.
Step 7. copy running-config startup-config: (Optional) Save your entries in the configuration file.
A trap manager is a management station that receives and processes traps. Traps are system alerts that the switch generates when certain events occur. By default, no trap manager is defined, and no traps are sent. Switches running this Cisco IOS release can have an unlimited number of trap managers.
Note: Many commands use the word traps in the command syntax.
[access access-list] | v3 [encrypted] [access access-list] [auth {md5 | sha} auth-password]}
configuring the engine ID for the remote host. Otherwise, you receive an error message, and the command is not executed.
(Optional) Define how often to resend trap messages. The range is 1 to 1000; the default is 30 seconds.
Step 10. Return to privileged EXEC mode.
Step 3. Return to privileged EXEC mode.
Step 4. show running-config: Verify your entries.
Step 5. copy running-config startup-config: (Optional) Save your entries in the configuration file.
Place ones in the bit positions that you want to ignore. Recall that the access list is always terminated by an implicit deny statement for everything.
Switch(config)# snmp-server enable traps entity
Switch(config)# snmp-server host cisco.com restricted entity
This example shows how to enable the switch to send all traps to the host myhost.cisco.com using the community string public:
Switch(config)# snmp-server enable traps
Switch(config)# snmp-server host myhost.cisco.com public...
EXEC command. You also can use the other privileged EXEC commands in Table 30-6 to display SNMP information. For information about the fields in the displays, see the Cisco IOS Configuration Fundamentals Command Reference. Table 30-6 Commands for Displaying SNMP Information Feature...
Cisco IOS IP SLAs generates and analyzes traffic either between Cisco IOS devices or from a Cisco IOS device to a remote IP device such as a network application server. Measurements provided by the various Cisco IOS IP SLAs operations can be used for troubleshooting, for problem analysis, and for designing network topologies.
Depending on the specific Cisco IOS IP SLAs operation, various network performance statistics are monitored within the Cisco device and stored in both command-line interface (CLI) and Simple Network Management Protocol (SNMP) MIBs. IP SLAs packets have configurable IP and application layer...
Schedule the operation to run, then let the operation run for a period of time to gather statistics. Display and interpret the results of the operation using the Cisco IOS CLI or a network management system (NMS) with SNMP.
Note: The IP SLAs responder can be a Cisco IOS Layer 2, responder-configurable switch, such as a Catalyst 2960 or IE 3000 switch running the LAN base image, or a Catalyst 3560 or 3750 switch running the IP base image. The responder does not need to support full IP SLAs functionality.
This section does not include configuration information for all available operations because those details are included in the Cisco IOS IP SLAs Configuration Guide. It includes only the procedure for configuring the responder, because the switch includes only responder support.
The IP SLAs responder is available only on Cisco IOS software-based devices, including some Layer 2 switches that do not support full IP SLAs functionality, such as the Catalyst 2960 or the Cisco ME 2400 or IE 3000 switch running the LAN base image. Beginning in privileged EXEC mode, follow these steps...
Chapter: Configuring Network Security with ACLs. This chapter describes how to configure network security on the Catalyst 2960, 2960-S, or 2960-C switch by using access control lists (ACLs), also referred to as access lists. Unless otherwise noted, the term switch refers to a standalone switch and a switch stack.
ACL is applied are filtered by the port ACL. Outgoing routed IP packets are filtered by the router ACL. Other packets are not filtered.
You can filter both IP and non-IP traffic on the same Layer 2 interface by applying both an IP access list and a MAC access list to the interface.
ACEs were checking different hosts.
ACLs and Switch Stacks
Stacking is supported only on Catalyst 2960-S switches running the LAN base image.
Note: ACL support is the same for a switch stack as for a standalone switch. ACL configuration information is propagated to all switches in the stack.
VLAN interfaces to filter traffic to the CPU. Configuring IPv4 ACLs on the switch is the same as configuring IPv4 ACLs on other Cisco switches and routers. The process is briefly described here. For more detailed information on configuring ACLs, see the “Configuring IP Services”...
800–899: IPX standard access list
900–999: IPX extended access list
1000–1099: IPX SAP access list
1100–1199: Extended 48-bit MAC address access list
1200–1299: IPX summary address access list
(Optional) Save your entries in the configuration file. Use the no access-list access-list-number global configuration command to delete the entire ACL. You cannot delete individual ACEs from numbered access lists.
Control Protocol (tcp), or User Datagram Protocol (udp). For more details on the specific keywords for each protocol, see these command references:
• Cisco IOS IP Command Reference, Volume 1 of 3: Addressing and Services, Release 12.4
• Cisco IOS IP Command Reference, Volume 2 of 3: Routing Protocols, Release 12.4
•...
[fragments] [time-range time-range-name] [dscp dscp]
0.0.0.0 255.255.255.255. You can use the any keyword in place of source and destination address and wildcard.
TCP port. To see TCP port names, use the ? or see the “Configuring IP Services” section in the “IP Addressing and Services” chapter of the Cisco IOS IP Configuration Guide, Release 12.4. Use only TCP port numbers or names when filtering TCP.
ICMP message type and code name. To see a list of ICMP message type names and code names, use the ?, or see the “Configuring IP Services” section of the Cisco IOS IP Configuration Guide, Release 12.4.
Step access-list access-list-number: (Optional) Define an extended IGMP access list and the access conditions.
Define a standard IPv4 access list using a name, and enter access-list configuration mode. The name can be a number from 1 to 99.
ACL. This example shows how you can delete individual ACEs from the named access list border-list:
Switch(config)# ip access-list extended border-list
Network Time Protocol (NTP) to synchronize the switch clock. For more information, see the “Managing the System Time and Date” section on page 5-2.
Switch(config)# access-list 188 permit tcp any any time-range workhours
Switch(config)# end
Switch# show access-lists
Extended IP access list 188
    10 deny tcp any any time-range new_year_day_2006 (inactive)
    20 permit tcp any any time-range workhours (inactive)
In this example, the Jones subnet is not allowed to use outbound Telnet:
Switch(config)# ip access-list extended telnetting
Switch(config-ext-nacl)# remark Do not allow Jones subnet to telnet out
Switch(config-ext-nacl)# deny tcp host 171.69.2.88 any eq telnet
• If you apply an ACL to a port that is a member of a VLAN, the port ACL takes precedence over an ACL applied to the VLAN interface.
For outbound ACLs, after receiving and sending a packet to a controlled interface, the switch checks the packet against the ACL. If the ACL permits the packet, the switch sends the packet. If the ACL rejects the packet, the switch discards the packet.
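The pieces described in this chapter fit together in a few lines: the wildcard-mask rule (ones in the bit positions to ignore), the any keyword standing for 0.0.0.0 255.255.255.255, the first-match walk through the ACEs in sequence order with an implicit deny for everything else, the permit-or-discard outcome just described, and the fact that an ACL name applied to an interface but never defined permits all packets. The Python below is an added example, not code from the guide or from Cisco IOS; it models a named extended ACL with sequence numbers, loads the telnetting deny from the example above (telnet is TCP port 23) together with a constructed permit for 10.1.1.0/24, and evaluates constructed packets against it. The undefined-ACL case is modelled by passing None. The resequence helper reproduces only the renumbering that ip access-list resequence performs; the sample addresses other than 171.69.2.88 and the port numbers are constructed.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

ANY = ("0.0.0.0", "255.255.255.255")   # what the 'any' keyword expands to


def host(addr: str) -> Tuple[str, str]:
    """The 'host' keyword: match every bit of the address (wildcard 0.0.0.0)."""
    return (addr, "0.0.0.0")


def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """Cisco wildcard semantics: a 1 bit in the wildcard means 'ignore this bit'."""
    a = int(ipaddress.IPv4Address(addr))
    b = int(ipaddress.IPv4Address(base))
    w = int(ipaddress.IPv4Address(wildcard))
    care = 0xFFFFFFFF & ~w          # bits that must match exactly
    return (a & care) == (b & care)


@dataclass
class Ace:
    seq: int
    action: str                      # "permit" or "deny"
    proto: str                       # "ip" matches any IP protocol; otherwise "tcp", "udp", "icmp"
    src: Tuple[str, str]             # (address, wildcard)
    dst: Tuple[str, str]
    dst_port: Optional[int] = None   # the 'eq' operator on the destination port, if given


@dataclass
class Packet:
    proto: str
    src: str
    dst: str
    dst_port: Optional[int] = None


def evaluate(acl: Optional[List[Ace]], pkt: Packet) -> Tuple[str, Optional[int]]:
    """First-match lookup. Returns (action, sequence number of the matching ACE).

    acl=None models an ACL that is applied to an interface but never defined: the switch
    then acts as if no ACL were applied and permits all packets. A defined ACL that
    matches nothing ends in the implicit deny."""
    if acl is None:
        return ("permit", None)
    for ace in sorted(acl, key=lambda a: a.seq):
        if ace.proto != "ip" and ace.proto != pkt.proto:
            continue
        if not wildcard_match(pkt.src, *ace.src):
            continue
        if not wildcard_match(pkt.dst, *ace.dst):
            continue
        if ace.dst_port is not None and ace.dst_port != pkt.dst_port:
            continue
        return (ace.action, ace.seq)
    return ("deny", None)            # implicit deny for everything else


def resequence(acl: List[Ace], start: int, step: int) -> List[Ace]:
    """Renumber the ACEs from `start` in steps of `step`, keeping their relative order."""
    ordered = sorted(acl, key=lambda a: a.seq)
    return [Ace(start + i * step, a.action, a.proto, a.src, a.dst, a.dst_port)
            for i, a in enumerate(ordered)]


def sample_acl() -> List[Ace]:
    """The guide's 'telnetting' deny followed by a constructed permit for one subnet."""
    return [
        Ace(10, "deny", "tcp", host("171.69.2.88"), ANY, dst_port=23),
        Ace(20, "permit", "ip", ("10.1.1.0", "0.0.0.255"), ANY),
    ]


if __name__ == "__main__":
    acl = sample_acl()
    for pkt in (Packet("tcp", "171.69.2.88", "198.51.100.9", 23),
                Packet("tcp", "171.69.2.88", "198.51.100.9", 443),
                Packet("tcp", "10.1.1.77", "198.51.100.9", 23)):
        print(pkt, "->", evaluate(acl, pkt))
    print("undefined ACL ->", evaluate(None, Packet("tcp", "171.69.2.88", "198.51.100.9", 23)))
```

The second packet is the case worth noticing: the deny ACE does not match HTTPS from the same host, and because that host is not in the permitted subnet it falls through to the implicit deny, so a deny written for one port is never a permit for the others.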
The flag-related operators are not available. To avoid this issue:
• Move the fourth ACE before the first ACE by using the ip access-list resequence global configuration command: permit tcp source source-wildcard destination destination-wildcard
This section provides examples of configuring and applying IPv4 ACLs. For detailed information about compiling ACLs, see the Cisco IOS Security Configuration Guide, Release 12.4 and the “Configuring IP Services” section in the “IP Addressing and Services” chapter of the Cisco IOS IP Configuration Guide, Release 12.4.
Beginning in privileged EXEC mode, follow these steps to create a named MAC extended ACL:
Step 1. configure terminal: Enter global configuration mode.
Step 2. mac access-list extended name: Define an extended MAC access list using a name.
• A Layer 2 interface can have only one MAC access list. If you apply a MAC access list to a Layer 2 interface that has a MAC ACL configured, the new ACL replaces the previously configured one.
ACL to an interface, the switch acts as if the ACL has not been applied and permits all packets. Remember this behavior if you use undefined ACLs for network security.
[interface interface-id]: Displays MAC access lists applied to all Layer 2 interfaces or the specified Layer 2 interface.
This chapter describes how to configure quality of service (QoS) by using automatic QoS (auto-QoS) commands or by using standard QoS commands on the Catalyst 2960, 2960-S or 2960-C switch. With QoS, you can provide preferential treatment to certain types of traffic at the expense of others. Without QoS, the switch offers best-effort service to each packet, regardless of the packet contents or size.
IP precedence values range from 0 to 7. DSCP values range from 0 to 63.
Note: For IPv6 QoS support on a Catalyst 2960-S switch, you must reload the switch with the sdm prefer lanbase-routing and mls qos global configuration commands. The Catalyst 2960 switch supports only QoS trust and not all the other IPv6 QoS functions.
(police and mark), and provide different treatment (queue and schedule) in all situations where resource contention exists. The switch also needs to ensure that traffic sent from it meets a specific traffic profile (shape).
Scheduling services the four egress queues based on their configured SRR shared or shaped weights. One of the queues (queue 1) can be the expedited queue, which is serviced until empty before the other queues are serviced.
0 as the DSCP and CoS values, which means best-effort traffic. Otherwise, the policy-map action specifies a DSCP or CoS value to assign to the incoming frame.
States” section on page 33-42. After classification, the packet is sent to the policing, marking, and the ingress queueing and scheduling stages.
Note: Catalyst 2960-S switches do not support ingress queueing.
[Figure (classification flowchart) outcomes: generate the DSCP by using the CoS-to-DSCP map; assign the DSCP or CoS as specified by ACL action to generate the QoS label; assign the default DSCP (0). Done.]
Before a policy map can be effective, you must attach it to a port.
Policing, and Marking Traffic on Physical Ports by Using Policy Maps” section on page 33-57 and the “Classifying, Policing, and Marking Traffic by Using Aggregate Policers” section on page 33-62.
You configure how fast (the average rate) the tokens are removed from the bucket by using the rate-bps option of the police policy-map class configuration command or the mls qos aggregate-policer global configuration command.
QoS domains, you can apply the configurable DSCP-to-DSCP-mutation map to the port that is on the boundary between the two QoS domains. You configure this map by using the mls qos map dscp-mutation global configuration command.
The switch has queues at specific points to help prevent congestion as shown in Figure 33-5.
Figure 33-5 Ingress and Egress Queue Location [figure labels: Traffic, Classify, Policer, Marker, Ingress queues, Stack ring, Egress queues]
“Allocating Buffer Space to and Setting WTD Thresholds for an Egress Queue-Set” section on page 33-76, and the “Mapping DSCP or CoS Values to an Egress Queue and to a Threshold ID” section on page 33-78.
“Allocating Bandwidth Between the Ingress Queues” section on page 33-74, the “Configuring SRR Shaped Weights on Egress Queues” section on page 33-80, and the “Configuring SRR Shared Weights on Egress Queues” section on page 33-81.
SRR weights. Send packet to the internal ring.
Note: SRR services the priority queue for its configured share before servicing the other queue.
The ratio of the weights is the ratio of the frequency in which the SRR scheduler sends packets from each queue.
Note: If the expedite queue is enabled, SRR services it until it is empty before servicing the other three queues.
(under-limit), whether it has consumed all of its maximum buffers (over limit), and whether the common pool is empty (no free
ID 1 and ID 2. The drop threshold for threshold ID 3 is preset to the queue-full state, and you cannot modify it. You map a port to a queue-set by using the queue-set qset-id interface configuration command.
The input mutation causes the DSCP to be rewritten depending on the new value of DSCP chosen. The set action in a policy map also causes the DSCP to be rewritten.
When you enable auto-QoS, it automatically classifies traffic based on the traffic type and ingress packet label. The switch uses the classification results to choose the appropriate egress queue. You use auto-QoS commands to identify ports connected to these Cisco devices: Cisco IP Phones •...
DSCP value of 24, 26, or 46 or is out of profile, the switch changes the DSCP value to 0. When there is no Cisco IP Phone, the ingress classification is set to not trust the QoS label in the packet. The policing is applied to the traffic matching the policy-map classification before the switch enables the trust boundary feature.
Ensure Port Security” section on page 39-42. When you enable auto-QoS by using the auto qos voip cisco-phone, the auto qos voip cisco-softphone, or the auto qos voip trust interface configuration command, the switch automatically generates a QoS configuration based on the traffic type and ingress packet label and applies the commands listed in Table 33-5 to the port.
Auto-QoS configuration migration from legacy auto-QoS to enhanced auto-QoS occurs when: • A switch is booted with the Cisco IOS Release 12.2(55)SE image and QoS is not enabled. Any video or voice trust configuration on the interface automatically generates enhanced auto-QoS commands.
Switch(config-if)# srr-queue bandwidth share 10 10 60 20
If you entered the auto qos voip cisco-phone command, the switch automatically enables the trusted boundary feature, which uses the CDP to detect the presence or absence of a Cisco IP Phone.
Switch(config-if)# mls qos trust device cisco-phone
AutoQoS-Police-SoftPhone to an ingress interface on which auto-QoS with the Cisco SoftPhone feature is enabled.
Switch(config-if)# service-policy input AutoQoS-Police-SoftPhone
If you entered the auto qos voip cisco-phone command, the switch automatically creates class maps and policy maps.
Switch(config-if)# mls qos trust device cisco-phone
If you entered the auto qos voip cisco-softphone command, the switch automatically creates class maps and policy maps.
Switch(config-pmap)# class AUTOQOS_MULTIENHANCED_CONF_CLASS
Switch(config-pmap-c)# set dscp af41
Switch(config-pmap-c)# police 5000000 8000 exceed-action drop
Switch(config-pmap)# class AUTOQOS_BULK_DATA_CLASS
Switch(config-pmap-c)# set dscp af11
Switch(config-pmap-c)# police 10000000 8000 exceed-action policed-dscp-transmit
Switch(config-pmap)# class AUTOQOS_TRANSACTION_CLASS
Switch(config-pmap-c)# set dscp default
Switch(config-pmap-c)# police 10000000 8000 exceed-action policed-dscp-transmit
Switch(config-if)# service-policy input AUTOQOS-SRND4-CLASSIFY-POLICE-POLICY
This is the enhanced configuration for the auto qos voip cisco-phone command:
Switch(config)# mls qos map policed-dscp 0 10 18 to 8
Switch(config)# mls qos map cos-dscp 0 8 16 24 32 46 48 56...
Auto-QoS configures the switch for VoIP with Cisco IP Phones on nonrouted and routed ports. Auto-QoS also configures the switch for VoIP with devices running the Cisco SoftPhone application.
• When a device running Cisco SoftPhone is connected to a nonrouted or routed port, the switch supports only one Cisco SoftPhone application per port.
• By default, the CDP is enabled on all ports. For auto-QoS to function properly, do not disable the CDP.
• When enabling auto-QoS with a Cisco IP Phone on a routed port, you must assign a static IP address to the IP phone.
cisco-softphone | trust}: Enable auto-QoS. The keywords have these meanings:
• cisco-phone—If the port is connected to a Cisco IP Phone, the QoS labels of incoming packets are trusted only when the telephone is detected.
• cisco-softphone—The port is connected to a device running the Cisco SoftPhone feature.
Table 33-8 shows the default CoS input queue threshold map when QoS is enabled.
Table 33-8 Default CoS Input Queue Threshold Map
CoS Value: Queue ID–Threshold ID
0–4: 1–1
• It is not possible to match IP fragments against configured IP extended ACLs to enforce QoS. IP fragments are sent as best-effort. IP fragments are denoted by fields in the IP header.
Note: Catalyst 2960-S switches do not support ingress queueing.
• You are likely to lose data when you change queue settings; therefore, try to make changes when traffic is at a minimum.
• Configuring the DSCP Trust State on a Port Bordering Another QoS Domain, page 33-47
• Configuring the Trust State on Ports within the QoS Domain
Note: Catalyst 2960-S switches do not support ingress queueing.
Step 1. configure terminal: Enter global configuration mode.
Step 2. interface interface-id: Specify the port to be trusted, and enter interface configuration mode. Valid interfaces include physical ports.
Step 1. configure terminal: Enter global configuration mode.
Step 2. interface interface-id: Specify the port to be configured, and enter interface configuration mode. Valid interfaces include physical ports.
CoS setting). By contrast, trusted boundary uses CDP to detect the presence of a Cisco IP Phone (such as the Cisco IP Phone 7910, 7935, 7940, and 7960) on a switch port. If the telephone is not detected, the
In some situations, you can prevent a PC connected to the Cisco IP Phone from taking advantage of a high-priority data queue. You can use the switchport priority extend cos interface configuration command to configure the telephone through the switch CLI to override the priority of the traffic received from the PC.
Page 785
QoS. If the two domains use different DSCP values, you can configure the DSCP-to-DSCP-mutation map to translate a set of DSCP values to match the definition in the other domain. Catalyst 2960 and 2960-S Switches Software Configuration Guide, Release 15.0(1)SE 33-47 OL-26520-01...
Page 786
For dscp-mutation-name, specify the mutation map name created in Step 2. You can configure multiple DSCP-to-DSCP-mutation maps on an ingress port. Step 6 Return to privileged EXEC mode. Catalyst 2960 and 2960-S Switches Software Configuration Guide, Release 15.0(1)SE 33-48 OL-26520-01...
Classifying Traffic by Using Class Maps, page 33-53 Classifying, Policing, and Marking Traffic on Physical Ports by Using Policy Maps, page 33-57 • Classifying, Policing, and Marking Traffic by Using Aggregate Policers, page 33-62 • Catalyst 2960 and 2960-S Switches Software Configuration Guide, Release 15.0(1)SE 33-49 OL-26520-01...
Page 789
This example shows how to create an ACL that permits IP traffic from a source host at 10.1.1.1 to a destination host at 10.1.1.2 with a precedence value of 5: Switch(config)# access-list 100 permit ip host 10.1.1.1 host 10.1.1.2 precedence 5 Catalyst 2960 and 2960-S Switches Software Configuration Guide, Release 15.0(1)SE 33-51 OL-26520-01...
Page 790
Return to privileged EXEC mode. Step 5 show access-lists [access-list-number | Verify your entries. access-list-name] Step 6 copy running-config startup-config (Optional) Save your entries in the configuration file. Catalyst 2960 and 2960-S Switches Software Configuration Guide, Release 15.0(1)SE 33-52 OL-26520-01...
Page 792
Switch(config-cmap)# end Switch# This example shows how to create a class map called class2, which matches incoming traffic with DSCP values of 10, 11, and 12. Switch(config)# class-map class2 Catalyst 2960 and 2960-S Switches Software Configuration Guide, Release 15.0(1)SE 33-54 OL-26520-01...
Page 793
Classifying Traffic by Using Class Maps and Filtering IPv6 Traffic The switch supports both IPv4 and IPv6 QoS on Catalyst 2960-S switches when a lanbase-routing SDM template is configured. The match ip dscp and match ip precedence classifications match both IPv4 and IPv6 traffic.
Page 794
Switch(config-cmap)# match access-group name ipv6-any Switch(config-cmap)# exit Switch(config)# Policy-map pm1 Switch(config-pmap)# class cm-1 Switch(config-pmap-c)# set dscp 4 Switch(config-pmap-c)# exit Switch(config-pmap)# class cm-2 Switch(config-pmap-c)# set dscp 6 Switch(config-pmap-c)# exit Catalyst 2960 and 2960-S Switches Software Configuration Guide, Release 15.0(1)SE 33-56 OL-26520-01...
Page 795
When you configure a default traffic class by using the class class-default policy-map configuration command, unclassified traffic (traffic that does not meet the match criteria specified in the traffic classes) is treated as the default traffic class (class-default). Catalyst 2960 and 2960-S Switches Software Configuration Guide, Release 15.0(1)SE 33-57 OL-26520-01...
Page 796
It is always placed at the end of a policy map. With an implied match any included in the class-default class, all packets that have not already matched the other traffic classes will match class-default. Catalyst 2960 and 2960-S Switches Software Configuration Guide, Release 15.0(1)SE 33-58 OL-26520-01...
The range is 0 to 63.
• For ip precedence new-precedence, enter a new IP-precedence value to be assigned to the classified traffic. The range is 0 to 7.
The range is 8000 to 10000000000.
• For burst-byte, specify the normal burst size in bytes. The range is 8000 to 1000000. On Catalyst 2960-S switches, although you can configure a rate of 8000, the minimum rate granularity is actually 16000.
By using an aggregate policer, you can create a policer that is shared by multiple traffic classes within the same policy map. However, you cannot use the aggregate policer across different policy maps or ports.
• For aggregate-policer-name, specify the name of the aggregate policer.
• For rate-bps, specify the average traffic rate in bits per second (b/s). The range is 8000 to 10000000000. (On Catalyst 2960-S switches, although you can configure a rate of 8000, the minimum rate granularity is actually 16000.)
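A complete ingress policy assembled from the commands above, added here as an illustration and not taken from this guide. The ACL, class-map, policer, policy-map and interface names and the rate and burst values are assumptions. Two classes share one aggregate policer, so ICMP and SNMP arriving on an access port together cannot exceed the configured rate, and class-default resets the DSCP of everything else so that an untrusted host cannot mark its own traffic into a priority queue, whatever the port's trust state:

```cisco
! Added example, not from the configuration guide. Names, rate and burst are assumptions.
! Enter in global configuration mode.
mls qos
!
! Classification ACLs (names assumed)
ip access-list extended ACL-ICMP-IN
 permit icmp any any
ip access-list extended ACL-SNMP-IN
 permit udp any any eq snmp
!
class-map match-all CM-ICMP
 match access-group name ACL-ICMP-IN
class-map match-all CM-SNMP
 match access-group name ACL-SNMP-IN
!
! One policer shared by both classes within the same policy map:
! 256 kb/s average, 8000-byte burst (the minimum), excess dropped.
! 256000 is a multiple of the 16000 b/s granularity of the 2960-S.
mls qos aggregate-policer AP-MGMT-PROTO 256000 8000 exceed-action drop
!
policy-map PM-EDGE-IN
 class CM-ICMP
  police aggregate AP-MGMT-PROTO
 class CM-SNMP
  police aggregate AP-MGMT-PROTO
 ! class-default always sits last and catches everything not matched above:
 ! clear any DSCP the host set itself
 class class-default
  set dscp 0
!
! Policing on this platform is ingress only; attach the policy to the untrusted access port
interface gigabitethernet1/0/1
 service-policy input PM-EDGE-IN
```

Verify with show mls qos aggregate-policer AP-MGMT-PROTO, show mls qos interface gigabitethernet1/0/1 policers and show mls qos interface gigabitethernet1/0/1 statistics; show policy-map with the interface keyword is not supported on this switch (see the QoS display commands later in this chapter). Because the same aggregate policer cannot be reused in a second policy map or on another port, a policy that must limit the combined rate of several ports needs a separate aggregate policer per policy map.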
CoS-to-DSCP map.
Table 33-13 Default CoS-to-DSCP Map (CoS Value, DSCP Value)
If these values are not appropriate for your network, you need to modify them.
IP-precedence-to-DSCP map:
Table 33-14 Default IP-Precedence-to-DSCP Map (IP Precedence Value, DSCP Value)
If these values are not appropriate for your network, you need to modify them.
Return to privileged EXEC mode.
Step 4 show mls qos maps policed-dscp Verify your entries.
Step 5 copy running-config startup-config (Optional) Save your entries in the configuration file.
Default DSCP-to-CoS Map (DSCP Value, CoS Value): the DSCP ranges 0–7, 8–15, 16–23, 24–31, 32–39, 40–47, 48–55, and 56–63 each map to one CoS value.
If these values are not appropriate for your network, you need to modify them.
With ingress mutation, the new DSCP value overwrites the one in the packet, and QoS treats the packet with this new value. The switch sends the packet out the port with the new DSCP value.
You can prioritize traffic by placing packets with particular DSCPs or CoSs into certain queues and adjusting the queue thresholds so that packets with lower priorities are dropped.
To return to the default WTD threshold percentages, use the no mls qos srr-queue input threshold queue-id global configuration command.
This example shows how to allocate 60 percent of the buffer space to ingress queue 1 and 40 percent of the buffer space to ingress queue 2:
Switch(config)# mls qos srr-queue input buffers 60 40
Note: The egress queue default settings are suitable for most situations. You should change them only when you have a thorough understanding of the egress queues and if these settings do not meet your QoS solution.
For qset-id, enter the ID of the queue-set specified in Step 2. The range is 1 to 2. The default is 1.
Step 6 Return to privileged EXEC mode.
This example shows how to map DSCP values 10 and 11 to egress queue 1 and to threshold 2:
Switch(config)# mls qos srr-queue output dscp-map queue 1 threshold 2 10 11
2, 3, and 4 are set to 0, these queues operate in shared mode. The bandwidth weight for queue 1 is 1/8, which is 12.5 percent:
Switch(config)# interface gigabitethernet2/0/1
Switch(config-if)# srr-queue bandwidth shape 8 0 0 0
1, 2, 3, and 4. This means that queue 4 has four times the bandwidth of queue 1, twice the bandwidth of queue 2, and one-and-a-third times the bandwidth of queue 3.
Switch(config)# interface gigabitethernet2/0/1
Switch(config-if)# srr-queue bandwidth share 1 2 3 4
Command Purpose
Step 1 configure terminal Enter global configuration mode.
Step 2 interface interface-id Specify the port to be rate limited, and enter interface configuration mode.
The control-plane and interface keywords are not supported, and the statistics shown in the display should be ignored.
show running-config | include rewrite Display the DSCP transparency setting.
For complete syntax and usage information for the commands used in this chapter, see the Cisco IOS IP Command Reference, Volume 1 of 3: Addressing and Services, Release 12.2.
• Understanding IP Routing, page 34-1
If a stack master fails, the stack detects that the stack master is down and elects a stack member to be the new stack master. Except for a momentary interruption, the hardware continues to forward packets.
By default, IP routing is disabled on the switch. For detailed IP routing configuration information, see the Cisco IOS IP Configuration Guide, Release 12.2 from the Cisco.com page under Documentation > Cisco IOS Software Releases > 12.2 Mainline > Configuration Guides.
Step 5 show interfaces [interface-id], show ip interface [interface-id], or show running-config interface [interface-id] Verify your entries.
Step 6 copy running-config startup-config (Optional) Save your entries in the configuration file.
Display the state of the routing table.
show ip route summary Display the state of the routing table in summary form.
show platform ip unicast Display platform-dependent IP unicast information.
Chapter 34 Configuring Static IP Unicast Routing: Monitoring and Maintaining the IP Network
Chapter 36, “Configuring IPv6 MLD Snooping.” To enable dual stack environments (supporting both IPv4 and IPv6) on a Catalyst 2960 switch, you must configure the switch to use the dual IPv4 and IPv6 switch database management (SDM) template. See “Dual IPv4 and IPv6 Protocol Stacks”...
2031:0:130F::09C0:080F:130B
For more information about IPv6 address formats, address types, and the IPv6 packet header, see the “Implementing IPv6 Addressing and Basic Connectivity” chapter of Cisco IOS IPv6 Configuration Library on Cisco.com. In the “Implementing Addressing and Basic Connectivity” chapter, these sections apply to the...
For more information, see the section about IPv6 unicast addresses in the “Implementing IPv6 Addressing and Basic Connectivity” chapter in the Cisco IOS IPv6 Configuration Library on Cisco.com.
DNS for IPv6
IPv6 supports Domain Name System (DNS) record types in the DNS name-to-address and address-to-name lookup processes.
Cisco IOS IPv6 Configuration Library on Cisco.com.
Dual IPv4 and IPv6 Protocol Stacks
On a Catalyst 2960 switch, you must use the dual IPv4 and IPv6 template to allocate ternary content addressable memory (TCAM) usage to both IPv4 and IPv6 protocols.
IPv4 and IPv6 SDM template, see Chapter 8, “Configuring SDM Templates.” The dual IPv4 and IPv6 templates on Catalyst 2960 switches allow the switch to be used in dual stack environments.
• If you try to configure IPv6 without first selecting a dual IPv4 and IPv6 template, a warning message...
Basic network connectivity (ping) must exist between the client and the server hosts before HTTP connections can be made. For more information, see the “Managing Cisco IOS Applications over IPv6” chapter in the Cisco IOS IPv6 Configuration Library on Cisco.com.
For more information about configuring IPv6, see the “Implementing Addressing and Basic Connectivity for IPv6” chapter in the Cisco IOS IPv6 Configuration Library on Cisco.com. Beginning in privileged EXEC mode, follow these steps to assign an IPv6 address to a Layer 3 interface...
ND DAD is enabled, number of DAD attempts: 1
ND reachable time is 30000 milliseconds
ND advertised reachable time is 0 milliseconds
ND advertised retransmit interval is 0 milliseconds
This example shows how to configure an IPv6 ICMP error message interval of 50 milliseconds and a bucket size of 20 tokens.
Switch(config)# ipv6 icmp error-interval 50 20
To configure a floating static route, use an administrative distance greater than that of the dynamic routing protocol.
Step 3 Return to privileged EXEC mode.
For more information about configuring static IPv6 routing, see the “Implementing Static Routes for IPv6” chapter in the Cisco IOS IPv6 Configuration Library on Cisco.com.
Displaying IPv6
For complete syntax and usage information on these commands, see the Cisco IOS command reference publications. Table 35-2 shows the privileged EXEC commands for monitoring IPv6 on the switch.
This is an example of the output from the show ipv6 static privileged EXEC command:
Switch# show ipv6 static
IPv6 Static routes
Code: * - installed in RIB
* ::/0 via nexthop 3FFE:C000:0:7::777, distance 1
IPv6 Routing Table - Default - 1 entries
Codes: C - Connected, L - Local, S - Static, U - Per-user Static route
FF00::/8 [0/0]
  via Null0, receive
You can use Multicast Listener Discovery (MLD) snooping to enable efficient distribution of IP version 6 (IPv6) multicast data to clients and routers in a switched network on the Catalyst 2960, 2960-S, or 2960-C switch. Unless otherwise noted, the term switch refers to a standalone switch and to a switch stack.
Message timers and state transitions resulting from messages being sent or received are the same as those of IGMPv2 messages. MLD messages that do not have valid link-local IPv6 source addresses are ignored by MLD routers and switches.
1006 to 4094), IPv6 MLD snooping must be enabled on the extended VLAN on the Catalyst 6500 switch in order for the Catalyst 2960, 2960-S, or 2960-C switch to receive queries on the VLAN. For normal-range VLANs (1 to 1005), it is not necessary to enable IPv6 MLD snooping on the VLAN on the Catalyst 6500 switch.
If the deleted port is the last member of the multicast address, the multicast address is also deleted, and the switch sends the address leave information to all detected multicast routers.
(add a static connection to a multicast router), use the ipv6 mld snooping vlan mrouter global configuration command on the switch.
Note: Static connections to multicast routers are supported only on switch ports.
[vlan vlan-id] (Optional) Verify the MLD snooping querier information for the switch or for the VLAN.
Step 12 copy running-config startup-config (Optional) Save your entries in the configuration file.
You can display MLD snooping information for dynamically learned and statically configured router ports and VLAN interfaces. You can also display MAC address multicast entries for a VLAN configured for MLD snooping.
information for the switch or for a VLAN.
show ipv6 mld snooping multicast-address vlan vlan-id [ipv6-multicast-address] Display MLD snooping for the specified VLAN and IPv6 multicast address.
Note: For complete syntax and usage information for the commands used in this chapter, see the command reference for this release or the Cisco IOS documentation referenced in the procedures.
This chapter contains these sections:
• Understanding IPv6 ACLs, page 37-1
Logging is supported for router ACLs, but not for port ACLs.
IPv6 ACL Limitations
With IPv4, you can configure standard and extended numbered IP ACLs, named IP ACLs, and MAC ACLs. IPv6 supports only named ACLs.
Chapter 37 Configuring IPv6 ACLs
Configuring IPv6 ACLs
The switch supports most Cisco IOS-supported IPv6 ACLs with some exceptions:
• IPv6 source and destination addresses—ACL matching is supported only on prefixes from /0 to /64 and host addresses (/128) that are in the extended universal identifier (EUI)-64 format. The switch supports only these host addresses with no loss of information:
–...
Beginning in privileged EXEC mode, follow these steps to create an IPv6 ACL:
Command Purpose
Step 1 configure terminal Enter global configuration mode.
Step 2 ipv6 access-list access-list-name Define an IPv6 access list name, and enter IPv6 access-list configuration mode.
• (Optional) Enter sequence value to specify the sequence number for the access list statement. The acceptable range is from 1 to 4294967295.
• (Optional) Enter time-range name to specify a time range for the statement.
Return to privileged EXEC mode.
Step 5 show ipv6 access-list Verify the access list configuration.
Step 6 copy running-config startup-config (Optional) Save your entries in the configuration file.
This example configures the IPv6 access list named CISCO. The first deny entry in the list denies all packets that have a destination TCP port number greater than 5000. The second deny entry denies packets that have a source UDP port number less than 5000.
(15 matches) sequence 20
permit udp any any sequence 30
IPv6 access list outbound
deny udp any any sequence 10
deny tcp any any eq telnet sequence 20
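A fuller IPv6 port ACL in the same style, added here as an illustration and not taken from this guide; the prefixes, list name, VLAN and interface are assumptions. The list is written for an access port whose hosts live in 2001:DB8:10::/64: only that prefix may source traffic (a basic anti-spoofing check), Telnet is refused before the broad permit is reached, and the sequence numbers leave room to insert entries later without re-creating the list. It uses only /64 prefixes because, as noted above, the switch matches /128 host addresses only when they are in EUI-64 format:

```cisco
! Added example, not from the configuration guide. Prefixes, names and interface are assumptions.
! Prerequisite on a Catalyst 2960: sdm prefer dual-ipv4-and-ipv6 default (then reload).
ipv6 access-list EDGE-IN
 remark hosts on this segment are 2001:DB8:10::/64; anything else is spoofed
 permit tcp 2001:DB8:10::/64 any eq 443 sequence 10
 permit udp 2001:DB8:10::/64 2001:DB8:1::/64 eq domain sequence 20
 remark first match wins: the Telnet deny must precede the broad permit at 50
 deny tcp any any eq telnet sequence 30
 permit ipv6 2001:DB8:10::/64 any sequence 50
 remark implicit at the end: permit icmp any any nd-na, permit icmp any any nd-ns, deny ipv6 any any
!
interface gigabitethernet1/0/2
 switchport mode access
 switchport access vlan 10
 ipv6 traffic-filter EDGE-IN in
```

Verify with show ipv6 access-list EDGE-IN, whose per-entry match counters confirm that traffic is hitting the intended line, and with show running-config interface gigabitethernet1/0/2. Because this is a port ACL, the log keyword is unavailable; to log denied IPv6 packets, apply a router ACL to a Layer 3 interface (an SVI) instead. The implicit Neighbor Discovery permits at the end are what keep address resolution working even though the list ends in a deny; do not add an explicit deny ipv6 any any ahead of them.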
Note: To use link-state tracking, the switch must be running the LAN Base image.
This chapter describes how to configure EtherChannels on the Catalyst 2960, 2960-S, or 2960-C switch. EtherChannel provides fault-tolerant high-speed links between switches, routers, and servers. You can use it to increase the bandwidth between the wiring closets and the data center, and you can deploy it anywhere in the network where bottlenecks are likely to occur.
All ports in each EtherChannel must be configured as Layer 2 ports. The number of EtherChannels is limited to six. For more information, see the “EtherChannel Configuration Guidelines” section on page 38-12.
EtherChannel are blocked from returning on any other link of the EtherChannel.
Figure 38-2 Single-Switch EtherChannel (a Catalyst 2960-S switch stack of Switch 1, Switch 2, and Switch 3 joined by stack port connections, with channel group 1 and channel group 2 to Switch A)
If you use a new number, the channel-group command dynamically creates a new port channel. Each EtherChannel has a port-channel logical interface numbered from 1 to 6. This port-channel interface number corresponds to the one specified with the channel-group interface configuration command.
Layer 2 EtherChannel as a trunk.
Port Aggregation Protocol
The Port Aggregation Protocol (PAgP) is a Cisco-proprietary protocol that can be run only on Cisco switches and on those switches licensed by vendors to support PAgP. PAgP facilitates the automatic creation of EtherChannels by exchanging PAgP packets between Ethernet ports.
For redundancy, remote switches, such as Catalyst 2960, 2960-S, or 2960-C switches, are connected to the virtual switch by remote satellite links (RSLs).
Note: Only a Catalyst 2960 switch running the LAN Base image can be a remote switch.
Link Aggregation Control Protocol
The LACP is defined in IEEE 802.3ad and enables Cisco switches to manage Ethernet channels between switches that conform to the IEEE 802.3ad protocol. LACP facilitates the automatic creation of EtherChannels by exchanging LACP packets between Ethernet ports.
Therefore, to provide load balancing, packets from different hosts use different ports in the channel, but packets from the same host use the same port in the channel.
MAC address, using the destination-MAC address always chooses the same link in the channel. Using source addresses or IP addresses might result in better load balancing.
STP reconvergence. Use the stack-mac persistent timer command to control whether or not the stack MAC address changes during a master failover. For more information about switch stacks, see Chapter 7, “Managing Switch Stacks.”
LACP system priority and the switch or switch stack MAC address.
Load balancing
Load distribution on the switch is based on the source-MAC address of the incoming packet.
Configuring EtherChannels and Link-State Tracking
Configuring EtherChannels
EtherChannel Configuration Guidelines
Note: Stacking is supported only on Catalyst 2960-S switches running the LAN base image.
If improperly configured, some EtherChannel ports are automatically disabled to avoid network loops and other problems. Follow these guidelines to avoid configuration problems:
•...
Assign all ports as static-access ports in the same VLAN, or configure them as trunks.
switchport access vlan vlan-id If you configure the port as a static-access port, assign it to only one VLAN. The range is 1 to 4094.
Step 7 copy running-config startup-config (Optional) Save your entries in the configuration file.
To remove a port from the EtherChannel group, use the no channel-group interface configuration command.
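The procedure above carried through for a two-port LACP trunk, added here as an illustration and not taken from this guide; the port numbers, VLAN list, group number and LACP priority are assumptions. Both members are configured identically before they join the group, as the guidelines require, and the channel is negotiated with LACP in active mode rather than forced with mode on, so that a bundle only forms when the far end actually runs LACP on the same ports:

```cisco
! Added example, not from the configuration guide. Ports, VLANs, group number and priority are assumptions.
! Lower LACP system priority wins the decision about which ports are active when more are
! bundled than the hardware allows; the rest go to hot-standby.
lacp system-priority 100
!
! Configure the members identically before adding them to the group.
interface range gigabitethernet1/0/23 - 24
 description LACP uplink to distribution
 switchport mode trunk
 switchport trunk allowed vlan 10,20,30
 channel-group 1 mode active
!
! The logical interface is created by channel-group; keep its settings in step with the members.
interface port-channel 1
 switchport mode trunk
 switchport trunk allowed vlan 10,20,30
```

Verify with show etherchannel 1 summary (members flagged P are bundled; I or s means they are not), show lacp neighbor for the partner's system ID and port state, and show lacp internal for the local port priorities. Pruning the allowed VLAN list on both the members and the port-channel interface keeps the bundle from carrying VLANs it does not need. If the partner is configured with mode on, no negotiation takes place, and a cabling or group mismatch is caught only by the switch auto-disabling the misconfigured ports, so prefer active on at least one side and active or passive on the other.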
The device sends packets to the source by using any of the ports in the EtherChannel. With aggregate-port learning, it is not important on which physical port the packet arrives.
When the link partner of the switch is a physical learner (such as a Catalyst 1900 series switch), we recommend that you configure the Catalyst 2960, 2960-S, or 2960-C switch as a physical-port learner by using the pagp learn-method physical-port interface configuration command. Set the load-distribution method based on the source MAC address by using the port-channel load-balance src-mac global configuration command.
For more information, see the “Configuring the LACP System Priority” section on page 38-19 and the “Configuring the LACP Port Priority” section on page 38-19.
EtherChannel are put in the hot-standby state and are used only if one of the channeled ports fails.
(Optional) Save your entries in the configuration file.
To return the LACP port priority to the default value, use the no lacp port-priority interface configuration command.
– Server 1 and server 2 use switch A for primary links and switch B for secondary links.
– Server 3 and server 4 use switch B for primary links and switch A for secondary links.
You can recover a downstream interface link-down condition by removing the failed downstream port from the link-state group. To recover multiple downstream interfaces, disable the link-state group.
• Configuring Link-State Tracking, page 38-24
• Displaying Link-State Tracking Status, page 38-25
Default Link-State Tracking Configuration
There are no link-state groups defined, and link-state tracking is not enabled for any group.
Switch(config-if)# interface gigabitethernet1/0/1
Switch(config-if)# link state group 1 downstream
Switch(config-if)# interface gigabitethernet1/0/3
Switch(config-if)# link state group 1 downstream
Switch(config-if)# interface gigabitethernet1/0/5
Switch(config-if)# link state group 1 downstream
Switch(config-if)# end
Downstream Interfaces : Gi1/0/11(Dis) Gi1/0/12(Dis) Gi1/0/13(Dis) Gi1/0/14(Dis)
(Up):Interface up (Dwn):Interface Down (Dis):Interface disabled
For detailed information about the fields in the display, see the command reference for this release.
This chapter describes how to identify and resolve software problems related to the Cisco IOS software on the Catalyst 2960, 2960-S, or 2960-C. Depending on the nature of the problem, you can use the command-line interface (CLI), the device manager, or Network Assistant to identify and solve problems.
Step 1 From your PC, download the software image tar file (image_filename.tar) from Cisco.com. The Cisco IOS image is stored as a bin file in a directory in the tar file. For information about locating the software image files on Cisco.com, see the release notes.
When you enter the service password-recovery or no service password-recovery command on the stack master, it is propagated throughout the stack and applied to all switches in the stack.
Chapter 39 Troubleshooting
Recovering from a Lost or Forgotten Password
Note: Stacking is supported only on Catalyst 2960-S switches running the LAN base image.
Follow the steps in this procedure if you have forgotten or lost the switch password.
Step 1 Connect a terminal or PC with terminal-emulation software to the switch console port. If you are recovering the password to a switch stack, connect to the console port of the stack master.
Switch(config)# enable secret password
The secret password can be from 1 to 25 alphanumeric characters, can start with a number, is case sensitive, and allows spaces but ignores leading spaces.
Step 1 Elect to continue with password recovery and lose the existing configuration:
Would you like to reset the system back to the default configuration (y/n)? Y
Step 2 Load any helper files:
Switch: load_helper
Note: Before continuing to Step 9, power on any connected stack members and wait until they have completely initialized. Stacking is supported only on Catalyst 2960-S switches running the LAN base image.
Step 9 Write the running configuration to the startup configuration file:
Switch# copy running-config startup-config
The new password is now in the startup configuration.
Chapter 6, “Clustering Switches.” Also see the Getting Started with Cisco Network Assistant, available on Cisco.com.
Note: HSRP is the preferred method for supplying redundancy to a cluster.
From privileged EXEC mode, enter setup, and press Return.
Switch# setup
--- System Configuration Dialog ---
Continue with configuration dialog? [yes/no]: y
At any point you may enter a question mark '?' for help.
Step 17 Start your browser, and enter the IP address of the new command switch.
Step 18 From the Cluster menu, select Add to Cluster to display a list of candidate switches to add to the cluster.
When prompted for the enable secret and enable passwords, enter the passwords of the failed command switch again.
Step 9 When prompted, make sure to enable the switch as the cluster command switch, and press Return.
• A member switch (Catalyst 3750, Catalyst 3560, Catalyst 3550, Catalyst 3500 XL, Catalyst 2970, Catalyst 2960, Catalyst 2950, Catalyst 2900 XL, Catalyst 2820, and Catalyst 1900 switch) cannot connect to the command switch through a port that is defined as a network port.
Disabled Port Caused by Power Loss
If a powered device (such as a Cisco IP Phone 7910) that is connected to a PoE switch port and is powered by an AC power source loses power from the AC power source, the device might enter an error-disabled state.
If the module is identified as a Cisco SFP module, but the system is unable to read vendor-data information to verify its accuracy, an SFP module error message is generated. In this case, you should remove and re-insert the SFP module.
The switch can only identify the path from the source device to the destination device. It cannot identify the path that a packet takes from source host to the source device or from the destination device to the destination host.
Using Layer 2 Traceroute
Usage Guidelines
These are the Layer 2 traceroute usage guidelines:
• Cisco Discovery Protocol (CDP) must be enabled on all the devices in the network. For Layer 2 traceroute to function properly, do not disable CDP.
Because all errors except port-unreachable errors come from intermediate hops, the receipt of a port-unreachable error means that this message was sent by the destination port.
To end a trace in progress, enter the escape sequence (Ctrl-^ X by default). Simultaneously press and release the Ctrl, Shift, and 6 keys and then press the X key.
Running TDR and Displaying the Results
When you run TDR on an interface, you can run it on the stack master or a stack member.
Note: Stacking is supported only on Catalyst 2960-S switches running the LAN base image.
To run TDR, enter the test cable-diagnostics tdr interface interface-id privileged EXEC command. To display the results, enter the show cable-diagnostics tdr interface interface-id privileged EXEC command.
For this reason, use debug commands only to troubleshoot specific problems or during troubleshooting sessions with Cisco technical support staff. It is best to use debug commands during periods of lower network traffic and fewer users. Debugging during these periods decreases the likelihood that increased debug command processing overhead will affect system use.
Make sure to save the syslog to flash memory so that the syslog is not lost if the stack master fails. For more information about system message logging, see Chapter 29, “Configuring System Message Logging.”
Basic crashinfo Files
The information in the basic file includes the Cisco IOS image name and version that failed, a list of the processor registers, and other switch-specific information. You can provide this information to the Cisco technical support representative by using the show tech-support privileged EXEC command.
You provide this information to the Cisco technical support representative by manually accessing the file and using the more or the copy privileged EXEC command.
Note: When an OBFL-enabled switch is restarted, there is a 10-minute delay before logging of new data begins. OBFL is supported only on Catalyst 2960-S switches. It is not supported on Catalyst 2960 switches.
Configuring OBFL
To enable OBFL, use the hw-module module [switch-number] logging onboard [message level level] global configuration command.
ACL and ACL-like tables such as QoS classification and policy routing. The output from the show platform tcam errors privileged EXEC command provides information about the TCAM memory consistency integrity on the switch.
For more information about the show platform tcam errors privileged EXEC command, see the command reference for this release.
Troubleshooting Tables
These tables are a condensed version of troubleshooting documents on Cisco.com.
• “Troubleshooting CPU Utilization” section on page 39-28
...
This example shows normal CPU utilization. The output shows that utilization for the last 5 seconds is 8%/0%, which has this meaning:
• The total CPU utilization is 8 percent, including both time running Cisco IOS processes and time spent handling interrupts.
• The time spent handling interrupts is zero percent.
Troubleshooting Power over Ethernet (PoE)
troubleshooting guide on Cisco.com.
Note: Power over Ethernet Plus (PoE+) is not supported on Catalyst 2960-S switches.
(available PoE). Use the show inline power and show inline power detail commands to verify the amount of available power.
If there is still no PoE at any port, a fuse might be open in the PoE section of the power supply. This normally produces an alarm. Check the log again for alarms reported earlier by system messages.
If so, the problem might be an initial surge-in (or inrush) current that exceeds a current-limit threshold for the port.
Troubleshooting Switch Stacks
guide on Cisco.com.
Note: Stacking is supported only on Catalyst 2960-S switches running the LAN base image.
Table 39-7 Switch Stack Troubleshooting Scenarios
Symptom/problem | How to Verify Problem...
Defective StackWise switch interface or cable. upgraded. or minor versions of the Cisco IOS software. StackWise link connection Look at the LED behavior. Stack not operating at full bandwidth. problems
Chapter 40 Configuring Online Diagnostics
This chapter describes how to configure the online diagnostics on the Catalyst 2960, 2960-S, or 2960-C switches. Online diagnostics are supported only on Catalyst 2960-S switches running the LAN base image.
Use the diagnostic monitor threshold switch num test {test_id | test_id_range | all} failure count command to remove the failure threshold.
16:43:29: %STACKMGR-4-STACK_LINK_CHANGE: Stack Port 2 Switch 2 has changed to state DOWN
16:43:30: %STACKMGR-4-STACK_LINK_CHANGE: Stack Port 1 Switch 9 has changed to state DOWN
16:43:30: %STACKMGR-4-SWITCH_REMOVED: Switch 1 has been REMOVED from the stack
Diagnostics test suite attributes:
B/* - Basic ondemand test / NA
P/V/* - Per port test / Per device test / NA
D/N/* - Disruptive test / Non-disruptive test / NA
Switch# show diagnostic schedule switch 1
Current Time = 14:39:49 PST Tue Jul 5 2005
Diagnostic for Switch 1:
Schedule #1:
To be run daily 12:00
Test ID(s) to be executed: 1.
Chapter 40 Configuring Online Diagnostics
Displaying Online Diagnostic Tests and Test Results
Appendix A Working with the Cisco IOS File System, Configuration Files, and Software Images
This appendix describes how to manipulate the Catalyst 2960, 2960-S, or 2960-C switch flash file system, how to copy configuration files, and how to archive (upload and download) software images to a switch.
Appendix A Working with the Cisco IOS File System, Configuration Files, and Software Images
Working with the Flash File System
• Creating and Removing Directories, page A-4
• Copying Files, page A-5
• Deleting Files, page A-5
• Creating, Displaying, and Extracting tar Files, page A-6
...
Table A-1 show file systems Field Descriptions (continued)
Field | Value
Flags | Permission for file system. ro—read-only. rw—read/write. wo—write-only.
Prefixes | Alias for file system.
Table A-2 Commands for Displaying Information About Files (continued)
Command | Description
show file information file-url | Display information about a specific file.
For filesystem, use flash: for the system board flash device. For file-url, enter the name of the directory to be deleted. All the files in the directory and the directory are removed.
Caution: When files are deleted, their contents cannot be recovered.
This example shows how to delete the file myconfig from the default flash memory device:...
Displaying the Contents of a tar File
To display the contents of a tar file on the screen, use this privileged EXEC command: archive tar /table source-url
For source-url, specify the source URL alias for the local or network file system.
7-14. Configuration files contain commands entered to customize the function of the Cisco IOS software. A way to create a basic configuration file is to use the setup program or to enter the setup privileged EXEC command. For more information, see Chapter 3, “Assigning the Switch IP Address and Default...
Working with Configuration Files
You can copy (upload) configuration files from the switch to a file server by using TFTP, FTP, or RCP. You might perform this task to back up a current configuration file to a server before changing its contents so that you can later restore the original configuration file from the server.
Configuration File Types and Location
Startup configuration files are used during system startup to configure the software. Running configuration files contain the current configuration of the software. The two configuration files can be different.
Preparing to Download or Upload a Configuration File By Using TFTP
Before you begin downloading or uploading a configuration file by using TFTP, do these tasks:
• Ensure that the workstation acting as the TFTP server is properly configured.
The FTP protocol requires a client to send a remote username and password on each FTP request to a server. When you copy a configuration file from the switch to a server by using FTP, the Cisco IOS software sends the first valid username in this list: •...
The username and password must be associated with an account on the FTP server. If you are writing to the server, the FTP server must be properly configured to accept your FTP write request.
Command | Purpose
Step 4 ip ftp username username | (Optional) Change the default remote username.
Step 5 ip ftp password password | (Optional) Change the default password.
Uploading a Configuration File By Using FTP
Beginning in privileged EXEC mode, follow these steps to upload a configuration file by using FTP:...
RCP requires a client to send a remote username with each RCP request to a server. When you copy a configuration file from the switch to a server, the Cisco IOS software sends the first valid username in this list:
• The username specified in the copy command if a username is specified.
• When you upload a file to the RCP server, it must be properly configured to accept the RCP write request from the user on the switch. For UNIX systems, you must add an entry to the .rhosts file for the remote user on the RCP server.
This example shows how to specify a remote username of netadmin1. Then it copies the configuration file host2-confg from the netadmin1 directory on the remote server with an IP address of 172.16.101.101...
Replacing and Rolling Back Configurations
The configuration replacement and rollback feature replaces the running configuration with any saved Cisco IOS configuration file. You can use the rollback function to roll back to a previous configuration. These sections contain this information:
•...
EXEC command displays information for all the configuration files saved in the configuration archive. The Cisco IOS configuration archive, in which the configuration files are stored and available for use with the configure replace command, is in any of these file systems: FTP, HTTP, RCP, TFTP.
• replacement configuration file for the running configuration. The replacement file must be a complete configuration generated by a Cisco IOS device (for example, a configuration generated by the copy running-config destination-url command).
Note: If you generate the replacement configuration file externally, it must comply with the format of files generated by Cisco IOS devices.
Configuring the Configuration Archive
Using the configure replace command with the configuration archive and with the archive config command is optional but offers significant benefit for configuration rollback scenarios. Before using the archive config command, you must first configure the configuration archive.
Performing a Configuration Replacement or Rollback Operation
Starting in privileged EXEC mode, follow these steps to replace the running configuration file with a...
If you do not have access to a TFTP server, you can download a software image file directly to your PC or workstation by using a web browser (HTTP) and then by using the device manager or Cisco Network Assistant to upgrade your switch. For information about upgrading your switch by using a TFTP server or a web browser (HTTP), see the release notes.
Image Location on the Switch
The Cisco IOS image is stored as a .bin file in a directory that shows the version number. A subdirectory contains the files needed for web management. The image is stored on the system board flash memory (flash:).
Working with Software Images
Table A-3 info File Description (continued)
Field | Description
image_min_dram | Specifies the minimum amount of DRAM needed to run this image
image_family | Describes the family of products on which the software can be installed...
• Ensure that the switch has a route to the TFTP server. The switch and the TFTP server must be in the same subnetwork if you do not have a router to route traffic between subnets. Check connectivity to the TFTP server by using the ping command.
Command | Purpose
Step 3 archive download-sw /overwrite /reload tftp:[[//location]/directory]/image-name.tar | Download the image file from the TFTP server to the switch, and overwrite the current image.
The archive upload-sw privileged EXEC command builds an image file on the server by uploading these files in order: info, the Cisco IOS image, and the web management files. After these files are uploaded, the upload algorithm creates the tar file format.
The FTP protocol requires a client to send a remote username and password on each FTP request to a server. When you copy an image file from the switch to a server by using FTP, the Cisco IOS software sends the first valid username in this list:
• The username specified in the archive download-sw or archive upload-sw privileged EXEC...
and you have a valid username, this username is used, and you do not need to set the FTP username. Include the username in the archive download-sw or archive upload-sw privileged EXEC command if you want to specify a username for that operation only.
Command | Purpose
Step 8 archive download-sw /leave-old-sw /reload ftp:[[//username[:password]@location]/directory] | Download the image file from the FTP server to the switch, and keep the current image.
The archive upload-sw command builds an image file on the server by uploading these files in order: info, the Cisco IOS image, and the web management files. After these files are uploaded, the upload algorithm creates the tar file format.
RCP requires a client to send a remote username on each RCP request to a server. When you copy an image from the switch to a server by using RCP, the Cisco IOS software sends the first valid username in this list:
• The username specified in the archive download-sw or archive upload-sw privileged EXEC...
Before you begin downloading or uploading an image file by using RCP, do these tasks:
• Ensure that the workstation acting as the RCP server supports the remote shell (rsh).
Command | Purpose
Step 6 archive download-sw /overwrite /reload rcp:[[[//[username@]location]/directory]/image-na | Download the image file from the RCP server to the switch, and overwrite the current image.
The algorithm installs the downloaded image onto the system board flash device (flash:). The image is placed into a new directory named with the software version string, and the BOOT environment variable is updated to point to the newly installed image.
The archive upload-sw privileged EXEC command builds an image file on the server by uploading these files in order: info, the Cisco IOS image, and the web management files. After these files are uploaded, the upload algorithm creates the tar file format.
This appendix lists some of the command-line interface (CLI) commands that appear when you enter the question mark (?) at the Catalyst 2960, 2960-S, or 2960-C switch prompt but are not supported in this release, either because they are not tested or because of switch hardware limitations. This is not a complete list.
Unsupported Commands in Cisco IOS Release 15.0(1)SE
MAC Address Commands
Note: Use the show ip igmp snooping groups privileged EXEC command to display Layer 2 multicast address-table entries for a VLAN.
Network Address Translation (NAT) Commands
Unsupported Privileged EXEC Commands
show ip nat statistics
show ip nat translations
(only on switches running the LAN Lite image)
snmp-server enable informs
snmp-server enable traps hsrp
snmp-server enable traps rtr (only on switches running the LAN Lite image)
Unsupported VLAN Database Commands
vlan show vlan private-vlan
Unsupported Privileged EXEC Commands
vtp {password password | pruning | version number}
Note: This command has been replaced by the vtp global configuration command.
• The switch families have different hardware.
• If you use a Catalyst 2950 switch command, it might not be supported on the Catalyst 2960 switch.
The Catalyst 2960 switch software handles the incompatible commands in these ways:
• They are accepted and translated. A message appears.
Appendix A Recommendations for Upgrading a Catalyst 2950 Switch to a Catalyst 2960 Switch Configuration Compatibility Issues In most cases, configuration files are loaded without rejections. Table A-1 lists the Catalyst 2950 exceptions. The features are listed in alphabetic order, with Catalyst 2950 commands and explanations, and the resulting action on the Catalyst 2960 switch.
Table A-1 Catalyst 2950 and 2960 Switch Configuration Incompatibilities (continued)
Feature | Catalyst 2950 Switch Command and Explanation | Result on the Catalyst 2960 Switch
IEEE 802.1x...
Access control lists (ACLs)
• Even though the command syntax is the same on the Catalyst 2960 switch and on the Catalyst 2950 switch, the semantics of the IP and the MAC ACL between the two platforms differ. For example,...
The Catalyst 2950 switch uses an extra port, called the reflector port, for its RSPAN implementation. This is not necessary in the Catalyst 2960 switch RSPAN implementation. The Catalyst 2960 switch also supports VLANs as SPAN sources and can forward received packets on SPAN destination ports.