Catalyst 2975 Switch Software Configuration Guide
Cisco IOS Release 12.2(55)SE
August 2010

Americas Headquarters
Cisco Systems, Inc.
170 West Tasman Drive
San Jose, CA 95134-1706
http://www.cisco.com
Tel: 408 526-4000, 800 553-NETS (6387)
Fax: 408 527-0883

Text Part Number: OL-19720-02...
Contents

Default Settings After Initial Switch Configuration 1-13
Network Configuration Examples 1-15
Design Concepts for Using the Switch 1-15
Small to Medium-Sized Network Using Catalyst 2975 Switches 1-19
Long-Distance, High-Bandwidth Transport Configuration 1-20
Where to Go Next 1-21
Using the Command-Line Interface...

Configuring DHCP Autoconfiguration (Only Configuration File) 3-12
Configuring DHCP Auto-Image Update (Configuration File and Image) 3-13
Configuring the Client 3-14
Manually Assigning IP Information 3-15
Checking and Saving the Running Configuration 3-16
Configuring the NVRAM Buffer Size 3-17

Displaying CNS Configuration 4-13
Chapter 5 Clustering Switches
Understanding Switch Clusters
Cluster Command Switch Characteristics
Standby Cluster Command Switch Characteristics
Candidate Switch and Cluster Member Switch Characteristics

Stack Protocol Version Compatibility
Major Version Number Incompatibility Among Switches
Minor Version Number Incompatibility Among Switches
Understanding Auto-Upgrade and Auto-Advise 6-10
Auto-Upgrade and Auto-Advise Example Messages 6-11
Incompatible Software and Member Image Upgrades 6-13

Fixing a Bad Connection Between Stack Ports 6-29
Chapter 7 Administering the Switch
Managing the System Time and Date
Understanding the System Clock
Understanding Network Time Protocol

Adding and Removing Static Address Entries 7-26
Configuring Unicast MAC Address Filtering 7-27
Disabling MAC Address Learning on a VLAN 7-28
Displaying Address Table Entries 7-30
Managing the ARP Table 7-30

Establishing a Session with a Router if the AAA Server is Unreachable 9-18
Displaying the TACACS+ Configuration 9-18
Controlling Switch Access with RADIUS 9-18
Understanding RADIUS 9-18
RADIUS Operation 9-20
RADIUS Change of Authorization 9-20
Overview 9-20
Change-of-Authorization Requests 9-21

Default SSL Configuration 9-48
SSL Configuration Guidelines 9-49
Configuring a CA Trustpoint 9-49
Configuring the Secure HTTP Server 9-50
Configuring the Secure HTTP Client 9-51
Displaying Secure HTTP Server and Client Status 9-52

802.1x Authentication with VLAN Assignment 10-17
802.1x Authentication with Downloadable ACLs and Redirect URLs 10-18
Cisco Secure ACS and Attribute-Value Pairs for the Redirect URL 10-20
Cisco Secure ACS and Attribute-Value Pairs for Downloadable ACLs 10-20
VLAN ID-based MAC Authentication 10-20
802.1x Authentication with Guest VLAN...

Configuring MAC Authentication Bypass 10-57
Configuring 802.1x User Distribution 10-58
Configuring NAC Layer 2 802.1x Validation 10-59
Configuring an Authenticator and a Supplicant Switch with NEAT 10-60
Configuring NEAT with Auto Smartports Macros 10-61

Configuring the HTTP Server 11-13
Customizing the Authentication Proxy Web Pages 11-13
Specifying a Redirection URL for Successful Login 11-15
Configuring an AAA Fail Policy 11-15
Configuring the Web-Based Authentication Parameters 11-16

Budgeting Power for Devices Connected to a PoE Port 12-24
Configuring Power Policing 12-26
Adding a Description for an Interface 12-27
Configuring Layer 3 SVIs 12-27
Configuring the System MTU 12-28
Monitoring and Maintaining the Interfaces 12-29
Monitoring Interface Status 12-30

Configuring Voice VLAN 14-3
Default Voice VLAN Configuration 14-3
Voice VLAN Configuration Guidelines 14-3
Configuring a Port Connected to a Cisco 7960 IP Phone 14-5
Configuring Cisco IP Phone Voice Traffic 14-5
Configuring the Priority of Incoming Data Frames 14-6...

Disabling Spanning Tree 16-16
Configuring the Root Switch 16-16
Configuring a Secondary Root Switch 16-18
Configuring Port Priority 16-18
Configuring Path Cost 16-20
Configuring the Switch Priority of a VLAN 16-21

Specifying the MST Region Configuration and Enabling MSTP 17-17
Configuring the Root Switch 17-19
Configuring a Secondary Root Switch 17-20
Configuring Port Priority 17-21
Configuring Path Cost 17-23
Configuring the Switch Priority 17-24

Displaying the Spanning-Tree Status 18-19
Chapter 19 Configuring Flex Links and the MAC Address-Table Move Update Feature 19-1
Understanding Flex Links and the MAC Address-Table Move Update 19-1
Flex Links 19-1

Source IP and MAC Address Filtering 20-15
IP Source Guard for Static Hosts 20-16
Configuring IP Source Guard 20-17
Default IP Source Guard Configuration 20-17
IP Source Guard Configuration Guidelines 20-17
Enabling IP Source Guard 20-18

Configuring Storm Control and Threshold Levels 23-3
Configuring Small-Frame Arrival Rate 23-5
Configuring Protected Ports 23-6
Default Protected Port Configuration 23-7
Protected Port Configuration Guidelines 23-7
Configuring a Protected Port 23-7
Configuring Port Blocking 23-8

Enabling LLDP 25-6
Configuring LLDP Characteristics 25-7
Configuring LLDP-MED TLVs 25-8
Configuring Network-Policy TLV 25-9
Configuring Location TLV and Wired Location Service 25-10
Monitoring and Maintaining LLDP, LLDP-MED, and Wired Location Service 25-12

RSPAN Configuration Guidelines 27-17
Configuring a VLAN as an RSPAN VLAN 27-18
Creating an RSPAN Source Session 27-19
Creating an RSPAN Destination Session 27-20
Creating an RSPAN Destination Session and Configuring Incoming Traffic 27-21

Understanding SNMP 30-1
SNMP Versions 30-2
SNMP Manager Functions 30-3
SNMP Agent Functions 30-4
SNMP Community Strings 30-4
Using SNMP to Access MIB Variables 30-4
SNMP Notifications 30-5

Hardware and Software Treatment of IP ACLs 31-19
Troubleshooting ACLs 31-19
IPv4 ACL Configuration Examples 31-20
Numbered ACLs 31-21
Extended ACLs 31-21
Named ACLs 31-21
Time Range Applied to an IP ACL 31-21

Chapter 32 Configuring Cisco IOS IP SLAs Operations 32-1
Understanding Cisco IOS IP SLAs 32-1
Using Cisco IOS IP SLAs to Measure Network Performance 32-2
IP SLAs Responder and IP SLAs Control Protocol 32-3
Response Time Computation for IP SLAs...

Mapping DSCP or CoS Values to an Ingress Queue and Setting WTD Thresholds 33-63
Allocating Buffer Space Between the Ingress Queues 33-65
Allocating Bandwidth Between the Ingress Queues 33-65
Configuring the Ingress Priority Queue 33-66
Configuring Egress Queue Characteristics 33-67
Configuration Guidelines 33-68

LACP Interaction with Other Features 37-8
EtherChannel On Mode 37-8
Load Balancing and Forwarding Methods 37-8
EtherChannel and Switch Stacks 37-10
Configuring EtherChannels 37-11
Default EtherChannel Configuration 37-11
EtherChannel Configuration Guidelines 37-12
Configuring Layer 2 EtherChannels 37-13

Understanding Ping 38-14
Executing Ping 38-14
Using Layer 2 Traceroute 38-15
Understanding Layer 2 Traceroute 38-15
Usage Guidelines 38-16
Displaying the Physical Path 38-17
Using IP Traceroute 38-17
Understanding IP Traceroute 38-17

Appendix: MIB List
Using FTP to Access the MIB Files
Appendix: Working with the Cisco IOS File System, Configuration Files, and Software Images
Working with the Flash File System...

Working with Software Images B-23
Image Location on the Switch B-24
tar File Format of Images on a Server or Cisco.com B-24
Copying Image Files By Using TFTP B-25
Preparing to Download or Upload an Image File By Using TFTP...

Copying an Image File from One Stack Member to Another B-37
Appendix: Unsupported Commands in Cisco IOS Release 12.2(55)SE
Access Control Lists
Unsupported Privileged EXEC Commands
Unsupported Global Configuration Commands
Unsupported Route-Map Configuration Commands...

Unsupported Interface Configuration Command
VLAN
Unsupported Global Configuration Command
Unsupported vlan-config Command
Unsupported User EXEC Commands
Unsupported vlan-config Command
Unsupported VLAN Database Commands
Unsupported Privileged EXEC Commands
Index
This guide is for the networking professional managing the Catalyst 2975 switch, hereafter referred to as the switch. Before using this guide, you should have experience working with the Cisco IOS software and be familiar with the concepts and terminology of Ethernet and local area networking.
Caution: Means reader be careful. In this situation, you might do something that could result in equipment damage or loss of data.

Related Publications

These documents provide complete information about the switch and are available from this Cisco.com site: http://www.cisco.com/en/US/products/ps10081/tsd_products_support_series_home.html

Before installing, configuring, or upgrading the switch, see these documents:

Note: For initial configuration information, see the “Using Express Setup”...
Obtaining Documentation, Obtaining Support, and Security Guidelines For information on obtaining documentation, submitting a service request, and gathering additional information, see the monthly What’s New in Cisco Product Documentation, which also lists all new and revised Cisco technical documentation: http://www.cisco.com/en/US/docs/general/whatsnew/whatsnew.html Subscribe to the What’s New in Cisco Product Documentation as a Really Simple Syndication (RSS) feed...
Some features described in this chapter are available only on the cryptographic (supports encryption) version of the software. You must obtain authorization to use this feature and to download the cryptographic version of the software from Cisco.com. For more information, see the release notes for this release.
– Using a single IP address and configuration file to manage the entire switch stack.
– Automatic Cisco IOS version-check of new stack members with the option to automatically load images from the stack master or from a TFTP server.
– OUI-based triggers and remote macros, as well as automatic configuration based on these two new device types: Cisco Digital Media Player (Cisco DMP) and Cisco IP Video Surveillance Camera (Cisco IPVSC). For information, see the Auto Smartports Configuration Guide.
• Switch Database Management (SDM) templates for allocating system resources to maximize support for user-selected features.
• Support for Cisco IOS IP Service Level Agreements (SLAs) responder that allows the system to anticipate and respond to Cisco IOS IP SLAs request packets for monitoring network performance.
• Network Assistant—Network Assistant is a network management application that can be downloaded from Cisco.com. You use it to manage a single switch, a cluster of switches, or a community of devices. For more information about Network Assistant, see Getting Started with Cisco Network Assistant, available on Cisco.com.
• Network Time Protocol (NTP) for providing a consistent time stamp to all switches from an external source
• Cisco IOS File System (IFS) for providing a single interface to all file systems that the switch uses
• Configuration logging to log and to view changes to the switch configuration
•...
– Root guard for preventing switches outside the network core from becoming the spanning-tree root
– Loop guard for preventing alternate or root ports from becoming designated ports because of a failure that leads to a unidirectional link
• Link-state tracking to mirror the state of the ports that carry upstream traffic from connected hosts and servers, and to allow the failover of the server traffic to an operational link on another Cisco Ethernet switch.

VLAN Features

• Support for up to 255 VLANs for assigning users to VLANs associated with appropriate network...
VLAN. Voice VLAN assignment is supported for one IP phone.
– Port security for controlling access to 802.1x ports
– Voice VLAN to permit a Cisco IP Phone to access the voice VLAN regardless of the authorized or unauthorized state of the port
– IP phone detection enhancement to detect and recognize a Cisco IP phone.
When there is a change in policy for a user or user group in AAA, administrators can send RADIUS CoA packets from the AAA server, such as Cisco Secure ACS, to reinitialize authentication and apply the new policies.
– Trusted port states (CoS, DSCP, and IP precedence) within a QoS domain and with a port bordering another QoS domain
– Trusted boundary for detecting the presence of a Cisco IP Phone, trusting the CoS value received, and ensuring port security
• Policing
–...
• Support for CDP with power consumption. The powered device notifies the switch of the amount of power it is consuming.
• Support for Cisco intelligent power management. The powered device and the switch negotiate through power-negotiation CDP messages for an agreed power-consumption level. The negotiation allows a high-power Cisco powered device to operate at its highest power mode.
• Switch cluster is disabled. For more information about switch clusters, see Chapter 5, “Clustering Switches,” and the Getting Started with Cisco Network Assistant, available on Cisco.com.
• No passwords are defined. For more information, see Chapter 7, “Administering the Switch.”...
• IGMP throttling setting is deny. For more information, see Chapter 22, “Configuring IGMP Snooping and MVR.”
• The IGMP snooping querier feature is disabled. For more information, see Chapter 22, “Configuring IGMP Snooping and MVR.”
Fast Ethernet and Gigabit Ethernet connections.
• “Design Concepts for Using the Switch” section on page 1-15
• “Small to Medium-Sized Network Using Catalyst 2975 Switches” section on page 1-19
• “Long-Distance, High-Bandwidth Transport Configuration” section on page 1-20
• Use VLAN trunks and BackboneFast for traffic-load balancing on the uplink ports so that the uplink port with a lower relative port cost is selected to carry the VLAN traffic.
... and availability to provide always-on mission-critical applications.
(Figure 1-1)—A cost-effective way to connect many users to the wiring closet is to have a switch stack of up to nine Catalyst 2975 switches. To preserve switch connectivity if one switch in the stack fails, connect the switches as recommended in the hardware installation guide, and enable either cross-stack EtherChannel or cross-stack UplinkFast.
(Figure 1-2)—For high-speed access to network resources, you can use the Catalyst 2975 switch stack in the access layer to provide Gigabit Ethernet to the desktop. To prevent congestion, use QoS DSCP marking priorities on these switches. For high-speed IP forwarding at the distribution layer, connect the switches in the access layer to a Gigabit multilayer switch with routing capability, such as a Catalyst 3750 switch, or to a router.
500 employees. This network uses a Catalyst 2975 switch stack with high-speed connections to two routers. This ensures connectivity to the Internet, WAN, and mission-critical network resources if one of the routers fails. The switch stack uses cross-stack EtherChannel for load sharing.
Data and multimedia traffic are configured on the same VLAN. Voice traffic from the Cisco IP Phones is configured on separate VVIDs. If data, multimedia, and voice traffic are assigned to the same VLAN, only one VLAN can be configured per wiring closet.
The CWDM OADM modules on the receiving end separate (or demultiplex) the different wavelengths. For more information about the CWDM SFP modules and CWDM OADM modules, see the Cisco CWDM GBIC and CWDM SFP Installation Note. Figure 1-5...
Chapter 2 Using the Command-Line Interface

This chapter describes the Cisco IOS command-line interface (CLI) and how to use it to configure your Catalyst 2975 switch. Unless otherwise noted, the term switch refers to a standalone switch and to a switch stack.
Switch(vlan)#: While in privileged EXEC mode, enter the vlan database command. To exit to privileged EXEC mode, enter exit. Use this mode to configure VLAN parameters for VLANs 1 to 1005 in the VLAN database.
Obtain a list of commands that begin with a particular character string. For example:
Switch# di?
dir disable disconnect

abbreviated-command-entry<Tab>: Complete a partial command name. For example:
Switch# sh conf<tab>
Switch# show configuration
However, some commands are enabled by default and have variables set to certain default values. In these cases, the default command enables the command and sets variables to their default values.
You can choose to have the notifications sent to the syslog. For more information, see the Configuration Change Notification and Logging feature module: http://www.cisco.com/en/US/docs/ios/12_3t/12_3t4/feature/guide/gtconlog.html

Note: Only CLI or HTTP changes are logged.
The number of commands that appear is controlled by the setting of the terminal history global configuration command and the history line configuration command.

1. The arrow keys function only on ANSI-compatible terminals such as VT100s.
To re-enable the enhanced editing mode for the current terminal session, enter this command in privileged EXEC mode:
Switch# terminal editing
To reconfigure a specific line to have enhanced editing mode, enter this command in line configuration mode:
Switch(config-line)# editing
Change the word at the cursor to lowercase.
Press Esc U: Capitalize letters from the cursor to the end of the word.
Press Ctrl-V or Esc Q: Designate a particular keystroke as an executable command, perhaps as a shortcut.
Use line wrapping with the command history feature to recall and modify previous complex command entries. For information about recalling previous command entries, see the “Editing Commands through Keystrokes” section on page 2-8.
Telnet session, but your switch must first be configured for this type of access. For more information, see the “Setting a Telnet Password for a Terminal Line” section on page 9-6.
9-41. The switch supports up to five simultaneous secure SSH sessions. After you connect through the console port, through a Telnet session or through an SSH session, the user EXEC prompt appears on the management station.
This chapter describes how to create the initial switch configuration (for example, assigning the IP address and default gateway information) for the Catalyst 2975 switch by using a variety of automatic and manual methods. It also describes how to modify the switch startup configuration. Unless otherwise noted, the term switch refers to a standalone switch and to a switch stack.
• Data bits default is 8.
Note: If the data bits option is set to 8, set the parity option to none.
• Stop bits default is 1.
• Parity settings default is none.
Default gateway: No default gateway is defined.
Enable secret password: No password is defined.
Hostname: The factory-assigned default hostname is Switch.
Telnet password: No password is defined.
Cluster command switch functionality: Disabled.
Cluster name: No cluster name is defined.
(such as an IP address, subnet mask, gateway IP address, DNS IP address, a lease for the IP address, and so forth) to the client in a DHCPOFFER unicast message.
DHCP autoconfiguration downloads a configuration file to one or more switches in your network from a DHCP server. The downloaded configuration file becomes the running configuration of the switch. It does not overwrite the bootup configuration saved in the flash until you reload the switch.
NVRAM unless you enter the write memory or copy running-configuration startup-configuration privileged EXEC command. Note that if the downloaded configuration is saved to the startup configuration, the feature is not triggered during subsequent system restarts.
The switch can act as a DHCP server. By default, the Cisco IOS DHCP server and relay agent features are enabled on your switch but are not configured. These features are not operational. If your DHCP server is a Cisco device, for additional information about configuring DHCP, see the “Configuring...
You can configure the IP addresses of the DNS servers in the lease database of the DHCP server from where the DHCP replies will retrieve them. You can enter up to two DNS server IP addresses in the lease database.
If the relay device is a Cisco router, enable IP routing (ip routing global configuration command), and configure helper addresses by using the ip helper-address interface configuration command.
Figure 3-3 DHCP-Based Autoconfiguration Network Example (Switch 1 00e0.9f1e.2001, Switch 2 00e0.9f1e.2002, Switch 3 00e0.9f1e.2003, Switch 4 00e0.9f1e.2004; Cisco router 10.0.0.10; DHCP server 10.0.0.1; DNS server 10.0.0.2; TFTP server (tftpserver) 10.0.0.3)
• It reads its host table by indexing its IP address 10.0.0.21 to its hostname (switcha).
• It reads the configuration file that corresponds to its hostname; for example, it reads switch1-confg from the TFTP server.
This example shows how to configure a switch as a DHCP server so that it will download a configuration file:
Switch# configure terminal
Switch(config)# ip dhcp pool pool1
Switch(dhcp-config)# network 10.10.10.0 255.255.255.0
Switch(dhcp-config)# bootfile config-boot.text
Switch(dhcp-config)# default-router 10.10.10.1
Switch(dhcp-config)# option 150 10.10.10.1
Switch(dhcp-config)# exit
Switch(config)# tftp-server flash:config-boot.text
Switch(config)# interface gigabitethernet1/0/4
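The DHCPOFFER that this pool produces is what the switch decodes to address itself and locate its configuration file. As an added example (not code from the guide), the Python below constructs such an offer to match the pool above (10.10.10.0/24, default-router 10.10.10.1, bootfile config-boot.text, option 150 10.10.10.1) and parses out the autoconfiguration fields; the client address 10.10.10.20, the DNS server 10.10.10.2 and the order in which TFTP candidates are listed are assumptions of the example, not the guide's stated behaviour.

```python
"""Decode the DHCPOFFER fields that DHCP-based autoconfiguration relies on.
Added example, not code from the configuration guide; the packet is built
here to match the guide's sample pool (see comments for assumed values)."""
import socket
import struct
from typing import Dict, List

MAGIC_COOKIE = b"\x63\x82\x53\x63"           # RFC 2132 marker before the options
HEADER_FMT = "!BBBBIHH4s4s4s4s16s64s128s"     # fixed 236-byte BOOTP header

# Option codes used by the autoconfiguration process.
OPT_PAD, OPT_MASK, OPT_ROUTER, OPT_DNS = 0, 1, 3, 6
OPT_LEASE, OPT_MSG_TYPE, OPT_TFTP_NAME, OPT_BOOTFILE = 51, 53, 66, 67
OPT_TFTP_ADDRS, OPT_END = 150, 255           # 150: Cisco TFTP server address list
DHCPOFFER = 2


def _ip(addr: str) -> bytes:
    return socket.inet_aton(addr)


def _ips(data: bytes) -> List[str]:
    if len(data) % 4:
        raise ValueError("address list length is not a multiple of 4")
    return [socket.inet_ntoa(data[i:i + 4]) for i in range(0, len(data), 4)]


def build_offer(yiaddr: str, mask: str, router: str, dns: List[str],
                bootfile: str, tftp_addrs: List[str], lease: int = 86400,
                siaddr: str = "0.0.0.0") -> bytes:
    """Construct a minimal DHCPOFFER (BOOTREPLY header plus options)."""
    chaddr = bytes.fromhex("00e09f1e2001").ljust(16, b"\x00")  # guide's Switch 1 MAC
    header = struct.pack(HEADER_FMT, 2, 1, 6, 0, 0x3903F326, 0, 0,
                         _ip("0.0.0.0"), _ip(yiaddr), _ip(siaddr),
                         _ip("0.0.0.0"), chaddr, b"\x00" * 64, b"\x00" * 128)
    opts = bytearray(MAGIC_COOKIE)
    def add(code: int, data: bytes) -> None:
        opts.extend(bytes([code, len(data)]) + data)
    add(OPT_MSG_TYPE, bytes([DHCPOFFER]))
    add(OPT_MASK, _ip(mask))
    add(OPT_ROUTER, _ip(router))
    add(OPT_DNS, b"".join(_ip(a) for a in dns))
    add(OPT_LEASE, struct.pack("!I", lease))
    add(OPT_BOOTFILE, bootfile.encode())
    add(OPT_TFTP_ADDRS, b"".join(_ip(a) for a in tftp_addrs))
    opts.append(OPT_END)
    return header + bytes(opts)


def parse_options(pkt: bytes) -> Dict[int, bytes]:
    """Walk the TLV option field; reject lengths that run past the packet end."""
    if pkt[236:240] != MAGIC_COOKIE:
        raise ValueError("missing DHCP magic cookie")
    opts: Dict[int, bytes] = {}
    i = 240
    while i < len(pkt):
        code = pkt[i]
        if code == OPT_END:
            return opts
        if code == OPT_PAD:
            i += 1
            continue
        if i + 2 > len(pkt):
            raise ValueError("truncated option header")
        length = pkt[i + 1]
        data = pkt[i + 2:i + 2 + length]
        if len(data) != length:
            raise ValueError(f"option {code} length {length} exceeds packet")
        opts[code] = opts.get(code, b"") + data   # repeated codes concatenate (RFC 3396)
        i += 2 + length
    raise ValueError("option field has no END marker")


def parse_offer(pkt: bytes) -> Dict[str, object]:
    """Return the fields a switch needs to address itself and locate its config."""
    hdr = struct.unpack(HEADER_FMT, pkt[:236])
    opts = parse_options(pkt)
    if opts.get(OPT_MSG_TYPE) != bytes([DHCPOFFER]):
        raise ValueError("not a DHCPOFFER")
    siaddr = socket.inet_ntoa(hdr[9])
    # TFTP candidates in the order this example lists them (an assumption, not
    # the guide's stated precedence): option 150, option 66 name, then siaddr.
    tftp: List[str] = _ips(opts.get(OPT_TFTP_ADDRS, b""))
    if OPT_TFTP_NAME in opts:
        tftp.append(opts[OPT_TFTP_NAME].decode())
    if siaddr != "0.0.0.0":
        tftp.append(siaddr)
    return {
        "yiaddr": socket.inet_ntoa(hdr[8]),
        "mask": socket.inet_ntoa(opts[OPT_MASK]),
        "router": _ips(opts[OPT_ROUTER])[0] if OPT_ROUTER in opts else None,
        "dns": _ips(opts.get(OPT_DNS, b"")),
        "lease": struct.unpack("!I", opts[OPT_LEASE])[0],
        "bootfile": opts[OPT_BOOTFILE].decode() if OPT_BOOTFILE in opts else None,
        "tftp_servers": tftp,
    }


# Constructed sample: client 10.10.10.20 and DNS 10.10.10.2 are assumed values.
SAMPLE_OFFER = build_offer("10.10.10.20", "255.255.255.0", "10.10.10.1",
                           ["10.10.10.2"], "config-boot.text", ["10.10.10.1"])
```

Because the switch fetches and applies whatever file these fields name, the parsed bootfile and TFTP list are the values to compare against the intended DHCP and TFTP servers when troubleshooting an unexpected running configuration.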
Upload the tar file for the new image to the switch.
Step 10 exit: Return to global configuration mode.
Step 11 tftp-server flash:config.text: Specify the Cisco IOS configuration file on the TFTP server.
Step 12 tftp-server flash:imagename.tar: Specify the image name on the TFTP server.
Step 13 tftp-server flash:filename.txt...
^C warning-message ^C: (Optional) Create warning messages to be displayed when you try to save the configuration file to NVRAM.
Step 5: Return to privileged EXEC mode.
Step 6 show boot: Verify the configuration.
Note: When your switch is configured to route with IP, it does not need to have a default gateway set.
Step 6: Return to privileged EXEC mode.
VLAN1
 ip address 172.20.137.50 255.255.255.0
 no ip directed-broadcast
ip default-gateway 172.20.137.1
!
snmp-server community private RW
snmp-server community public RO
snmp-server community private@es0 RW
snmp-server community public@es0 RO
snmp-server chassis-id 0x12
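The running configuration shown above carries SNMP community strings with read-write access and no access list, which is worth checking whenever a saved configuration is reviewed. As an added check (not from the guide), the Python below audits snmp-server community lines; its sample configuration is constructed from the fragment above plus one hardened line (community Xk9-mon-only, restricted by an assumed access list 10) to show what passes.

```python
"""Audit snmp-server community lines in a saved Cisco IOS configuration.
Added example, not from the configuration guide. Reports communities that are
read-write, that use a well-known default string, or that carry no access list."""
import re
from typing import Dict, List

# Matches: snmp-server community <string> [view <name>] [RO|RW] [acl]
COMMUNITY_RE = re.compile(
    r"^\s*snmp-server\s+community\s+(?P<name>\S+)"
    r"(?:\s+view\s+(?P<view>\S+))?"
    r"(?:\s+(?P<mode>RO|RW))?"
    r"(?:\s+(?P<acl>\S+))?\s*$", re.IGNORECASE)

WELL_KNOWN = {"public", "private"}   # default strings many tools try first

# Constructed from the guide's fragment; the last community line is an
# assumed hardened entry (read-only, limited by access list 10).
SAMPLE_CONFIG = """\
interface Vlan1
 ip address 172.20.137.50 255.255.255.0
 no ip directed-broadcast
ip default-gateway 172.20.137.1
!
snmp-server community private RW
snmp-server community public RO
snmp-server community private@es0 RW
snmp-server community public@es0 RO
snmp-server community Xk9-mon-only RO 10
snmp-server chassis-id 0x12
"""


def audit_snmp_communities(config: str) -> List[Dict[str, object]]:
    """Return one finding record per community line that needs attention."""
    findings: List[Dict[str, object]] = []
    for lineno, line in enumerate(config.splitlines(), 1):
        m = COMMUNITY_RE.match(line)
        if not m:
            continue
        name = m.group("name")
        mode = (m.group("mode") or "RO").upper()     # IOS defaults to RO
        # "community@context" indexes a VLAN/context; the part before "@" is
        # the community string that must be presented on the wire.
        base = name.split("@", 1)[0].lower()
        issues: List[str] = []
        if mode == "RW":
            issues.append("read-write access")
        if base in WELL_KNOWN:
            issues.append("well-known community string")
        if not m.group("acl"):
            issues.append("no access list restricting source addresses")
        if issues:
            findings.append({"line": lineno, "community": name,
                             "mode": mode, "issues": issues})
    return findings


if __name__ == "__main__":
    for f in audit_snmp_communities(SAMPLE_CONFIG):
        print(f"line {f['line']}: {f['community']} ({f['mode']}): "
              + "; ".join(f["issues"]))
```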
EXEC command. For more information about alternative locations from which to copy the configuration file, see Appendix B, “Working with the Cisco IOS File System, Configuration Files, and Software Images.”

Configuring the NVRAM Buffer Size

The default NVRAM buffer size is 512 KB.
Specifying the Filename to Read and Write the System Configuration By default, the Cisco IOS software uses the file config.text to read and write a nonvolatile copy of the system configuration. However, you can specify a different filename, which will be loaded during the next boot-up cycle.
• Use number to specify a stack member. (Specify only one stack member.)
• Use all to specify all stack members.
Step 4: Return to privileged EXEC mode.
Cisco IOS configuration file can be stored as an environment variable. You can change the settings of the environment variables by accessing the boot loader or by using Cisco IOS commands. Under normal circumstances, it is not necessary to alter the setting of the environment variables.
BOOT: A semicolon-separated list of executable files to try to load and execute when automatically booting. If the BOOT environment variable is not set, the system attempts to load and execute the ...
The corresponding Cisco IOS configuration command specifies the Cisco IOS image to load during the next boot cycle and the stack members on which the image is loaded.
This example shows how to reload the software on the switch on the current day at 7:30 p.m.:
Switch# reload at 19:30
Reload scheduled for 19:30:00 UTC Wed Jun 5 1996 (in 2 hours and 25 minutes)
Proceed with reload? [confirm]
EXEC command. It displays reload information including the time the reload is scheduled to occur and the reason for the reload (if it was specified when the reload was scheduled).
Note: For complete configuration information for the Cisco Configuration Engine, go to http://www.cisco.com/en/US/products/sw/netmgtsw/ps4617/tsd_products_support_series_home.html

For complete syntax and usage information for the commands used in this chapter, go to the Cisco IOS Network Management Command Reference, Release 12.4: http://www.cisco.com/en/US/docs/ios/netmgmt/command/reference/nm_book.html

• Understanding Cisco Configuration Engine Software, page 4-1
•...
(LDAP) URLs that reference the device-specific configuration information stored in a directory. The Cisco IOS agent can perform a syntax check on received configuration files and publish events to show the success or failure of the syntax check. The configuration agent can either apply configurations immediately or delay the application until receipt of a synchronization event from the configuration server.
Understanding Cisco Configuration Engine Software Event Service The Cisco Configuration Engine uses the Event Service for receipt and generation of configuration events. The event agent is on the switch and facilitates the communication between the switch and the event gateway on the Configuration Engine.
Therefore, the DeviceID, as originated on the switch, must match the DeviceID of the corresponding switch definition in the Configuration Engine. The origin of the DeviceID is defined by the Cisco IOS hostname of the switch. However, the DeviceID variable and its usage reside within the event gateway adjacent to the switch.
Understanding Cisco IOS Agents The CNS event agent feature allows the switch to publish and subscribe to events on the event bus and works with the Cisco IOS agent. The Cisco IOS agent feature supports the switch by providing these features: •...
NVRAM for use at the next reboot. Configuring Cisco IOS Agents The Cisco IOS agents embedded in the switch Cisco IOS software allow the switch to be connected and automatically configured as described in the “Enabling Automated CNS Configuration” section on page 4-6.
Note: For more information about running the setup program and creating templates on the Configuration Engine, see the Cisco Configuration Engine Installation and Setup Guide, 1.5 for Linux: http://www.cisco.com/en/US/docs/net_mgmt/configuration_engine/1.5/installation_linux/guide/setup_1.html

Enabling the CNS Event Agent

You must enable the CNS event agent on the switch before you enable the CNS configuration agent.
This example shows how to enable the CNS event agent, set the IP address gateway to 10.180.1.27, set 120 seconds as the keepalive interval, and set 10 as the retry count.
Switch(config)# cns event 10.180.1.27 keepalive 120 10
Enabling the Cisco IOS CNS Agent

After enabling the CNS event agent, start the Cisco IOS CNS agent on the switch. You can enable the Cisco IOS agent with these commands:
•...
ID, enter hostname (the default) to select the switch hostname as the unique ID, enter an arbitrary text string for string string as the unique ID, or enter udi to set the unique device identifier (UDI) as the unique ID.
Verify your entries. To disable the CNS Cisco IOS agent, use the no cns config initial {ip-address | hostname} global configuration command. This example shows how to configure an initial configuration on a remote switch when the switch configuration is unknown (the CNS Zero Touch feature).
RemoteSwitch(config)# cns id ethernet 0 ipaddress
RemoteSwitch(config)# cns config initial 172.28.129.22 no-persist

Enabling a Partial Configuration

Beginning in privileged EXEC mode, follow these steps to enable the Cisco IOS agent and to initiate a partial configuration on the switch:
Command...
Privileged EXEC show Commands
show cns config connections: Displays the status of the CNS Cisco IOS agent connections.
show cns config outstanding: Displays information about incremental (partial) CNS configurations that have started but are not yet completed.
show cns config stats: Displays statistics about the Cisco IOS agent.
Chapter: Clustering Switches

This chapter provides the concepts and procedures to create and manage Catalyst 2975 switch clusters. Unless otherwise noted, the term switch refers to a standalone switch and to a switch stack.
Cluster members can belong to only one cluster at a time.

Note: A switch cluster is different from a switch stack. A switch stack is a set of Catalyst 2975 switches connected through their stack ports.
Note: Standby cluster command switches must be the same type of switches as the cluster command switch. For example, if the cluster command switch is a Catalyst 2975 switch, the standby cluster command switches must also be Catalyst 2975 switches. Refer to the switch configuration guide of other cluster-capable switches for their requirements on standby cluster command switches.
This requirement does not apply if you have a Catalyst 2970, Catalyst 3550, Catalyst 3560, or Catalyst 3750 cluster command switch. Candidate and cluster member switches can connect through any VLAN in common with the cluster command switch.
Java plug-in configurations.

Automatic Discovery of Cluster Candidates and Members

The cluster command switch uses Cisco Discovery Protocol (CDP) to discover cluster member switches, candidate switches, neighboring switch clusters, and edge devices across multiple VLANs and in star or cascaded topologies.
[Figure: Discovery Through CDP Hops. The command device discovers member devices, candidate devices, and the edge of the cluster across VLAN 16 and VLAN 62.]
Discovery Through Non-CDP-Capable and Noncluster-Capable Devices

If a cluster command switch is connected to a non-CDP-capable third-party hub (such as a non-Cisco hub), it can discover cluster-enabled devices connected to that third-party hub. However, if the cluster command switch is connected to a noncluster-capable Cisco device, it cannot discover a cluster-enabled device connected beyond the noncluster-capable Cisco device.
Figure 5-4 (assuming they are Catalyst 2960, Catalyst 2970, Catalyst 2975, Catalyst 3550, Catalyst 3560, or Catalyst 3750 cluster command switches) have ports assigned to VLANs 9, 16, and 62. The management VLAN on the cluster command switch is VLAN 9. Each cluster command switch discovers the switches in the different...
VLANs 9 and 16. When new cluster-capable switches join the cluster:
• One cluster-capable switch and its access port are assigned to VLAN 9.
• The other cluster-capable switch and its access port are assigned to management VLAN 16.
Note: The HSRP standby hold time interval should be greater than or equal to three times the hello time interval. The default HSRP standby hold time interval is 10 seconds. The default HSRP standby hello time interval is 3 seconds.
Catalyst 2975 switches. Refer to the switch configuration guide of other cluster-capable switches for their requirements on standby cluster command switches. If your switch cluster has a Catalyst 2975 switch or switch stack, it should be the cluster command switch.
Catalyst 1900, Catalyst 2820, and Catalyst 2916M XL cluster member switches. You must re-add these cluster member switches to the cluster.
(such as eng-cluster-5) with the hostname of the cluster command switch in the new cluster (such as mkg-cluster-5). If the switch member number changes in the new cluster (such as 3), the switch retains the previous name (eng-cluster-5).
Switch Clusters and Switch Stacks

A switch cluster can have one or more Catalyst 2975 switch stacks. Each switch stack can act as the cluster command switch or as a single cluster member.
These are considerations to keep in mind when you have switch stacks in switch clusters:
• If the cluster command switch is not a Catalyst 2975 switch or switch stack and a new stack master is elected in a cluster member switch stack, the switch stack loses its connectivity to the switch cluster if there are no redundant connections between the switch stack and the cluster command switch.
Telnet session (through a console or Telnet connection) and to access the cluster member switch CLI. The command mode changes, and the Cisco IOS commands operate as usual. Enter the exit privileged EXEC command on the cluster member switch to return to the command-switch CLI.
If a cluster member switch has its own IP address and community strings, they can be used in addition to the access provided by the cluster command switch. For more information about SNMP and community strings, see Chapter 30, “Configuring SNMP.”
[Figure 5-7: SNMP Management for a Cluster. The SNMP manager receives Trap 1, Trap 2, and Trap 3 from the command switch on behalf of Member 1, Member 2, and Member 3.]
Understanding Stacks

A switch stack is a set of up to nine Catalyst 2975 switches connected through their stack ports. One of the switches controls the operation of the stack and is called the stack master. The stack master and the other switches in the stack are stack members.
– Minor Version Number Incompatibility Among Switches, page 6-9
– Incompatible Software and Member Image Upgrades, page 6-13
– Stack Configuration Files, page 6-13
– Additional Considerations for System-Wide Configuration on Switch Stacks, page 6-13
This can create an IP address configuration conflict in your network. If you want the stacks to remain separate, change the IP address or addresses of the newly created stacks.
If two or more switches in the stack use different software images, a switch running the noncryptographic image might be selected as the master. A switch running the cryptographic image takes 10 seconds longer to start than does the switch running the noncryptographic image.
10 seconds. To avoid this problem, upgrade the switch running the noncryptographic image to a software release later than Cisco IOS Release 12.2(46)EX, or manually start the master and wait at least 8 seconds before starting the new member.
The switch is then re-elected as master if a re-election occurs. The new priority value takes effect immediately but does not affect the current master until the current master or the stack resets.
The switch stack applies any default setting not found in the provisioned configuration to the provisioned switch configuration and adds the switch to the stack. The provisioned configuration is changed to reflect the new information.
The switch stack then adds to its running configuration a switch stack-member-number provision type global configuration command that matches the new switch. For configuration information, see the “Provisioning a New Member for a Stack” section on page 6-20.
Stack Software Compatibility Recommendations

All stack members must run the same Cisco IOS software version to ensure compatibility in the stack protocol version among the members.

Stack Protocol Version Compatibility

The stack protocol version has a major version number and a minor version number (for example 1.4,...
EXEC command, the correct directory structure is not properly created. For more information about the info file, see the “tar File Format of Images on a Server or Cisco.com” section on page B-24.

Understanding Auto-Upgrade and Auto-Advise

When the software detects mismatched software and tries to upgrade the switch in version-mismatch mode, two software processes are involved: automatic upgrade and automatic advise.
*Mar 11 20:36:15.038:%IMAGEMGR-6-AUTO_COPY_SW: Old image will be deleted after download.
*Mar 11 20:36:15.038:%IMAGEMGR-6-AUTO_COPY_SW:
*Mar 11 20:36:15.038:%IMAGEMGR-6-AUTO_COPY_SW:Extracting images from archive into flash on switch 1...
*Mar 11 20:36:15.038:%IMAGEMGR-6-AUTO_COPY_SW:c2975-i5-mz.122-0.0.313.EX (directory)
*Mar 11 20:36:15.038:%IMAGEMGR-6-AUTO_COPY_SW:extracting c2975-i5-mz.122-0.0.313.EX/c2975-lanbase-mz.122-46.EX (4945851 bytes)
1 00:04:22.537:%IMAGEMGR-6-AUTO_ADVISE_SW: archive download-sw /force-reload /overwrite /dest 1 flash1:c2975-lanbase-mz.122-46.EX.tar
*Mar 1 00:04:22.537:%IMAGEMGR-6-AUTO_ADVISE_SW:

For information about using the archive download-sw privileged EXEC command, see the “Working with Software Images” section on page B-23.
Configuration Files, and Software Images.”

Additional Considerations for System-Wide Configuration on Switch Stacks
• “Planning and Creating Clusters” chapter in the Getting Started with Cisco Network Assistant, available on Cisco.com
• “MAC Addresses and Switch Stacks” section on page 7-21
•...
The Secure Shell (SSH) connectivity to the stack can be lost if a master running the cryptographic version fails and is replaced by a switch that is running a noncryptographic version. We recommend that a switch running the cryptographic version of the software be the master.
Make sure that one member has a default configuration and that the other member has a saved (nondefault) configuration file. Restart both members at the same time.
Use the Mode button and port LEDs on the switches to identify which switches are masters and which switches belong to each master. For information about the Mode button and the LEDs, see the hardware installation guide.
When you configure this feature, a warning message displays the consequences of your configuration. You should use this feature cautiously. Using the old master MAC address elsewhere in the domain could result in lost traffic.
If you enter the no stack-mac persistent timer command after a new stack master takes over, before the time expires, the stack uses the current master MAC address. Step 3 Return to privileged EXEC mode.
• Setting the Member Priority Value, page 6-20 (optional)
• Provisioning a New Member for a Stack, page 6-20 (optional)

Assigning a Member Number

Note: This task is available only from the master.
You can also set the SWITCH_PRIORITY environment variable. For more information, see the “Controlling Environment Variables” section on page 3-21.

Provisioning a New Member for a Stack

Note: This task is available only from the master.
If you remove powered-on members but do not want to partition the stack:
Step 1 Power off the newly created stacks.
Step 2 Reconnect them to the original stack through their stack ports.
Step 3 Power on the switches.
[detail] Display the number of frames per member that are sent to the stack ring. The detail keyword displays the number of frames per member that are sent to the stack ring, the receive queues, and the ASIC.
Reconnect the cable between Port 1 on Switch 1 and Port 2 on Switch 4 (the replacement switch). Re-enable the link between the switches. Enter the switch 1 stack port 1 enable privileged EXEC command to enable Port 1 on Switch 1. Power on Switch 4.
• Yes—The port can send traffic to the link partner.
Sync OK
• No—The link partner does not send valid protocol messages to the stack port.
• Yes—The link partner sends valid protocol messages to the port.
Link Sync Port# Port Length Active Changes Loopback Status To LinkOK -------- ------ -------- -------- ---- ------ ---- --------- -------- Absent None No cable 50 cm 50 cm Down None 50 cm
Switch# show switch stack-ports summary
Switch#/ Stack Neighbor Cable Link Link Sync
Port# Port Length Active Changes Loopback Status To LinkOK
-------- ------ -------- -------- ---- ------ ---- --------- --------
50 cm 50 cm
If you disconnect the cable from Port 2 on Switch 1, these messages appear:
%STACKMGR-4-STACK_LINK_CHANGE: Stack Port 1 Switch 2 has changed to state DOWN
%STACKMGR-4-STACK_LINK_CHANGE: Stack Port 2 Switch 1 has changed to state DOWN
• The Cable Length value is 50 cm. The switch detects and correctly identifies the cable.
• The connection between Port 2 on Switch 1 and Port 1 on Switch 2 is unreliable on at least one of the connector pins.
You can manage the system time and date on your switch using automatic configuration, such as the Network Time Protocol (NTP), or manual configuration methods.

Note: For complete syntax and usage information for the commands used in this section, see the Cisco IOS Configuration Fundamentals Command Reference from the Cisco.com page under Documentation >...
Cisco’s implementation of NTP does not support stratum 1 service; it is not possible to connect to a radio or atomic clock. We recommend that the time service for your network be derived from the public NTP servers available on the IP Internet.
If the network is isolated from the Internet, Cisco’s implementation of NTP allows a device to act as if it is synchronized through NTP, when in fact it has learned the time by using other means. Other devices then synchronize to that device through NTP.
NTP access restrictions: No access control is specified.
NTP packet source IP address: The source address is set by the outgoing interface.
NTP is enabled on all interfaces by default. All interfaces receive NTP packets.
This example shows how to configure the switch to synchronize only to devices providing authentication key 42 in the device’s NTP packets:

Switch(config)# ntp authenticate
Switch(config)# ntp authentication-key 42 md5 aNiceKey
Switch(config)# ntp trusted-key 42
This example shows how to configure the switch to synchronize its system clock with the clock of the peer at IP address 172.16.22.44 using NTP Version 2:

Switch(config)# ntp server 172.16.22.44 version 2
To disable the interface from sending NTP broadcast packets, use the no ntp broadcast interface configuration command. This example shows how to configure a port to send NTP Version 2 packets:

Switch(config)# interface gigabitethernet1/0/1
Switch(config-if)# ntp broadcast version 2
You can control NTP access on two levels as described in these sections:
• Creating an Access Group and Assigning a Basic IP Access List, page 7-9
• Disabling NTP Services on a Specific Interface, page 7-10
If the source IP address matches the access lists for more than one access type, the first type is granted. If no access groups are specified, all access types are granted to all devices. If any access groups are specified, only the specified access types are granted.
Specify the interface type and number from which the IP source address is taken. By default, the source address is set by the outgoing interface. Step 3 Return to privileged EXEC mode.
• show ntp status [detail]

Note: For detailed information about the fields in these displays, see the Cisco IOS Configuration Fundamentals Command Reference, Release 12.2 from the Cisco.com page under Documentation > Cisco IOS Software > 12.2 Mainline > Command References.
The default is UTC.
• For hours-offset, enter the hours offset from UTC.
• (Optional) For minutes-offset, enter the minutes offset from UTC.
Step 3 Return to privileged EXEC mode.
This example shows how to specify that summer time starts on the first Sunday in April at 02:00 and ends on the last Sunday in October at 02:00:

Switch(config)# clock summer-time PDT recurring 1 Sunday April 2:00 last Sunday October 2:00
9. When you use this command, the stack member number is appended to the system prompt. For example, Switch-2# is the prompt in privileged EXEC mode for stack member 2, and the system prompt for the switch stack is Switch
Configuring a System Name and Prompt

For complete syntax and usage information for the commands used in this section, from the Cisco.com page, select Documentation > Cisco IOS Software > 12.2 Mainline > Command References and see the Cisco IOS Configuration Fundamentals Command Reference and the Cisco IOS IP Command Reference, Volume 2 of 3: Routing Protocols.
If your network devices require connectivity with devices in networks for which you do not control name assignment, you can dynamically assign device names that uniquely identify your devices by using the global Internet naming scheme (DNS).
This example shows the banner that appears from the previous configuration:

Unix> telnet 172.2.5.4
Trying 172.2.5.4...
Connected to 172.2.5.4.
Escape character is '^]'.

This is a secure site. Only authorized users are allowed.
For access, contact technical support.

User Access Verification

Password:
The address table lists the destination MAC address, the associated VLAN ID, and port number associated with the address and the type (static or dynamic).

Note: For complete syntax and usage information for the commands used in this section, see the command reference for this release.
Each VLAN maintains its own logical address table. A known address in one VLAN is unknown in another until it is learned or statically associated with a port in the other VLAN.
Verify your entries.
Step 5 copy running-config startup-config (Optional) Save your entries in the configuration file.

To return to the default value, use the no mac address-table aging-time global configuration command.
Step 3 snmp-server enable traps mac-notification change Enable the switch to send MAC address change notification traps to the NMS.
Step 4 mac address-table notification change Enable the MAC address change notification feature.
Switch(config)# interface gigabitethernet1/0/2
Switch(config-if)# snmp trap mac-notification change added

You can verify your settings by entering the show mac address-table notification change interface and the show mac address-table notification change privileged EXEC commands.
NMS, enable the MAC address move notification feature, and enable traps when a MAC address moves from one port to another.

Switch(config)# snmp-server host 172.20.10.10 traps private mac-notification
Switch(config)# snmp-server enable traps mac-notification move
Switch(config)# mac address-table notification mac-move
• (Optional) For interval time, specify the time between notifications; valid values are greater than or equal to 120 seconds. The default is 120 seconds.
Step 6 Return to privileged EXEC mode.
You add a static address to the address table by specifying the destination MAC unicast address and the VLAN from which it is received. Packets received with this destination address are forwarded to the interface specified with the interface-id option.
% Only unicast addresses can be configured to be dropped
% CPU destined address cannot be configured as drop address
• Packets that are forwarded to the CPU are also not supported.
MAC addresses. Before you disable MAC address learning, be sure that you are familiar with the network topology and the switch system configuration. Disabling MAC address learning on a VLAN could cause flooding in the network.
Switch(config)# no mac address-table learning vlan 200

You can display the MAC address learning status of all VLANs or a specified VLAN by entering the show mac-address-table learning [vlan vlan-id] privileged EXEC command.
ARP entries added manually to the table do not age and must be manually removed.

Note: For CLI procedures, see the Cisco IOS Release 12.2 documentation from the Cisco.com page under Documentation > Cisco IOS Software > 12.2 Mainline.
Chapter: Configuring SDM Templates

The Catalyst 2975 switch command reference has command syntax and usage information. Unless otherwise noted, the term switch refers to a standalone switch and a switch stack.
• Understanding the SDM Templates, page 8-1
•...
2d23h:%STACKMGR-6-SWITCH_ADDED_SDM:Switch 2 has been ADDED to the stack (SDM_MISMATCH)
2d23h:%SDM-6-MISMATCH_ADVISE:
2d23h:%SDM-6-MISMATCH_ADVISE:
2d23h:%SDM-6-MISMATCH_ADVISE:System (#2) is incompatible with the SDM
2d23h:%SDM-6-MISMATCH_ADVISE:template currently running on the stack and
2d23h:%SDM-6-MISMATCH_ADVISE:will not function unless the stack is
2d23h:%SDM-6-MISMATCH_ADVISE:downgraded. Issuing the following commands
If you try to configure IPv6 features without first selecting a dual IPv4 and IPv6 template, a warning message appears.
• Using the dual stack templates results in less TCAM capacity allowed for each resource, so do not use it if you plan to forward only IPv4 traffic.
8 routed interfaces and 255 VLANs.
number of unicast mac addresses:
number of IPv4 IGMP groups + multicast routes: 0.25K
number of IPv4 unicast routes: 4.25K
number of directly-connected IPv4 hosts:
number of indirect IPv4 routes: 0.25K
number of IPv4 policy based routing aces:
number of IPv4/MAC qos aces: 0.125k
number of IPv4/MAC security aces: 0.375k
Chapter: Configuring Switch-Based Authentication

This chapter describes how to configure switch-based authentication on the Catalyst 2975 switch. Unless otherwise noted, the term switch refers to a standalone switch and to a switch stack. This chapter consists of these sections:
• Preventing Unauthorized Access to Your Switch, page 9-1
•...
Password protection restricts access to a network or network device. Privilege levels define what commands users can enter after they have logged into a network device.

Note: For complete syntax and usage information for the commands used in this section, see the Cisco IOS Security Command Reference, Release 12.2 from the Cisco.com page under Documentation >...
To remove the password, use the no enable password global configuration command. This example shows how to change the enable password to l1u2c3k4y5. The password is not encrypted and provides access to level 15 (traditional privileged EXEC mode access):

Switch(config)# enable password l1u2c3k4y5
• By default, no password is defined.
• (Optional) For encryption-type, only type 5, a Cisco proprietary encryption algorithm, is available. If you specify an encryption type, you must provide an encrypted password—an encrypted password that you...
Disable password recovery. This setting is saved in an area of the flash memory that is accessible by the boot loader and the Cisco IOS image, but it is not part of the file system and is not accessible by any user.
(Optional) Save your entries in the configuration file.

To remove the password, use the no password global configuration command. This example shows how to set the Telnet password to let45me67in89:

Switch(config)# line vty 10
Switch(config-line)# password let45me67in89
To disable username authentication for a specific user, use the no username name global configuration command. To disable password checking and allow connections without a password, use the no login line configuration command.
Configuring Multiple Privilege Levels

By default, the Cisco IOS software has two modes of password security: user EXEC and privileged EXEC. You can configure up to 16 hierarchical levels of commands for each mode. By configuring multiple passwords, you can allow different sets of users to have access to specified commands.
You might specify a high level or privilege level for your console line to restrict line usage. To return to the default line privilege level, use the no privilege level line configuration command.
TACACS+ is facilitated through authentication, authorization, accounting (AAA) and can be enabled only through AAA commands.

Note: For complete syntax and usage information for the commands used in this section, see the Cisco IOS Security Command Reference, Release 12.2.
The goal of TACACS+ is to provide a method for managing multiple network access points from a single management service. Your switch can be a network access server along with other Cisco routers and access servers. A network access server provides connections to a single user, to a network or...
• Telnet, Secure Shell (SSH), rlogin, or privileged EXEC services
• Connection parameters, including the host or client IP address, access list, and user timeouts
You can group servers to select a subset of the configured server hosts and use them for a particular service. The server group is used with a global server-host list and contains the list of IP addresses of the selected server hosts.
You can designate one or more security protocols to be used for authentication, thus ensuring a backup system for authentication in case the initial method fails. The software uses the first method listed to
Step 4 line [console | tty | vty] line-number [ending-line-number] Enter line configuration mode, and configure the lines to which you want to apply the authentication list.
HTTP access by using AAA methods. For more information about the ip http authentication command, see the Cisco IOS Security Command Reference, Release 12.2 from the Cisco.com page under Documentation > Cisco IOS Software > 12.2 Mainline >...
(AV) pairs and is stored on the security server. This data can then be analyzed for network management, client billing, or auditing. Beginning in privileged EXEC mode, follow these steps to enable TACACS+ accounting for each Cisco IOS privilege level and for network services:...
RADIUS is facilitated through AAA and can be enabled only through AAA commands.

Note: For complete syntax and usage information for the commands used in this section, see the Cisco IOS Security Command Reference, Release 12.2 from the Cisco.com page under Documentation > Cisco IOS Software >...
• Switch-to-switch or router-to-router situations. RADIUS does not provide two-way authentication. RADIUS can be used to authenticate from one device to a non-Cisco device if the non-Cisco device requires authentication.
• Networks using a variety of services. RADIUS generally binds a user to one service model.
RADIUS Change of Authorization (CoA) extensions defined in RFC 5176 that are typically used in a pushed model and allow for the dynamic reconfiguring of sessions from external authentication, authorization, and accounting (AAA) or policy servers. Beginning with Cisco IOS Release 12.2(52)SE, the switch supports these per-session CoA requests:
• Session reauthentication
•...
This feature is integrated with the Cisco Secure Access Control Server (ACS) 5.1. For information about ACS: http://www.cisco.com/en/US/products/ps9911/tsd_products_support_series_home.html

The RADIUS interface is enabled by default on Catalyst switches. However, some basic configuration is required for these attributes:
• Security and Password—See the...
• Acct-Session-Id (IETF attribute 44)

Unless all session identification attributes included in the CoA message match the session, the switch returns a Disconnect-NAK or CoA-NAK with the Invalid Attribute Value error-code attribute.
• Session Termination
• CoA Disconnect-Request
• CoA Request: Disable Host Port
• CoA Request: Bounce-Port

Beginning with Cisco IOS Release 12.2(52)SE, the switch supports the commands shown in Table 9-4.
To initiate session authentication, the AAA server sends a standard CoA-Request message which contains a Cisco vendor-specific attribute (VSA) in this form: Cisco:Avpair=“subscriber:command=reauthenticate” and one or more session identification attributes. The current session state determines the switch response to the message. If the session is currently authenticated by IEEE 802.1x, the switch responds by sending an Extensible Authentication Protocol...
To restrict a host’s access to the network, use a CoA Request with the Cisco:Avpair="subscriber:command=disable-host-port" VSA. This command is useful when a host is known to be causing problems on the network, and you need to immediately block network access for the host.
(which is subsequently removed). If the stack master fails before sending a CoA-ACK message, the new stack master treats the re-sent command as a new command.
RADIUS and AAA are disabled by default. To prevent a lapse in security, you cannot configure RADIUS through a network management application. When enabled, RADIUS can authenticate users accessing the switch through the CLI.
“Configuring Settings for All RADIUS Servers” section on page 9-36. You can configure the switch to use AAA server groups to group existing server hosts for authentication. For more information, see the “Defining AAA Server Groups” section on page 9-32.
This example shows how to configure one RADIUS server to be used for authentication and another to be used for accounting:
Switch(config)# radius-server host 172.29.36.49 auth-port 1612 key rad1
Switch(config)# radius-server host 172.20.36.50 acct-port 1618 key rad2
Beginning in privileged EXEC mode, follow these steps to configure login authentication. This procedure is required.
Command / Purpose
Step 1 configure terminal: Enter global configuration mode.
Step 2 aaa new-model: Enable AAA.
For list-name, specify the list created with the aaa authentication login command.
Step 6 end: Return to privileged EXEC mode.
Step 7 show running-config: Verify your entries.
Step 8 copy running-config startup-config: (Optional) Save your entries in the configuration file.
HTTP access by using AAA methods. For more information about the ip http authentication command, see the Cisco IOS Security Command Reference, Release 12.2 from the Cisco.com page under Documentation > Cisco IOS Software > 12.2 Mainline >...
RADIUS server in the AAA server group. Each server in the group must be previously defined in Step 2.
Step 6 end: Return to privileged EXEC mode.
Step 7 show running-config: Verify your entries.
• Use the local database if authentication was not performed by using RADIUS.
Note Authorization is bypassed for authenticated users who log in through the CLI even if authorization has been configured.
(AV) pairs and is stored on the security server. This data can then be analyzed for network management, client billing, or auditing. Beginning in privileged EXEC mode, follow these steps to enable RADIUS accounting for each Cisco IOS privilege level and for network services:...
The Cisco RADIUS implementation supports one vendor-specific option by using the format recommended in the specification. Cisco’s vendor-ID is 9, and the supported option has vendor-type 1, which is named cisco-avpair. The value is a string with this format:...
Protocol is a value of the Cisco protocol attribute for a particular type of authorization. Attribute and value are an appropriate attribute-value (AV) pair defined in the Cisco TACACS+ specification, and sep is = for mandatory attributes and is * for optional attributes.
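The two rules above, the CoA session-matching rule (every session identification attribute in the request must match, otherwise the switch answers with a NAK carrying the Invalid Attribute Value error code) and the cisco-avpair string format (protocol:attribute sep value, with = for mandatory and * for optional attributes), combined in one added Python example. This is illustration code written for this page, not code from the guide or from Cisco IOS. The Session class and its field names, the decision to reject a request that carries no session identification attribute, and the decision to reject an unsupported mandatory attribute while ignoring an unsupported optional one are assumptions of the example; the numeric Error-Cause codes are RFC 5176 values, which the guide does not list.

```python
import re
from dataclasses import dataclass

# RFC 5176 Error-Cause values used below. The guide names only the
# "Invalid Attribute Value" error; the numeric codes come from the RFC.
ERR_UNSUPPORTED_ATTRIBUTE = 401
ERR_MISSING_ATTRIBUTE = 402
ERR_INVALID_ATTRIBUTE_VALUE = 407

# cisco-avpair (vendor-ID 9, vendor-type 1): protocol:attribute<sep>value,
# where sep is "=" for a mandatory attribute and "*" for an optional one.
AVPAIR_RE = re.compile(
    r"^(?P<protocol>[^:]+):(?P<attribute>[^=*]+)(?P<sep>[=*])(?P<value>.*)$")


@dataclass(frozen=True)
class AVPair:
    protocol: str
    attribute: str
    value: str
    mandatory: bool


def parse_avpair(text: str) -> AVPair:
    """Parse one cisco-avpair string; raise ValueError if it is malformed."""
    m = AVPAIR_RE.match(text)
    if m is None:
        raise ValueError(f"malformed cisco-avpair: {text!r}")
    return AVPair(m["protocol"], m["attribute"], m["value"], m["sep"] == "=")


@dataclass
class Session:
    """Hypothetical per-port session state on the switch (assumption of this example)."""
    acct_session_id: str
    user_name: str
    port_disabled: bool = False
    reauth_requested: bool = False


# Session identification attribute -> Session field. Acct-Session-Id is the
# one the guide shows; User-Name is another RFC 5176 identification attribute.
SESSION_ID_ATTRS = {"Acct-Session-Id": "acct_session_id", "User-Name": "user_name"}

# subscriber:command values shown in the guide.
SUBSCRIBER_COMMANDS = {"reauthenticate", "disable-host-port"}


def handle_coa_request(session: Session, request: dict):
    """Model the switch's handling of one CoA-Request.

    request maps RADIUS attribute names to values; "Cisco-AVPair" holds a list
    of cisco-avpair strings. Returns ("CoA-ACK", [actions]) or ("CoA-NAK", error_cause).
    """
    ids = {k: v for k, v in request.items() if k in SESSION_ID_ATTRS}
    if not ids:  # assumption: nothing to match on, reject with Missing Attribute
        return ("CoA-NAK", ERR_MISSING_ATTRIBUTE)
    # Rule from the guide: every included session identification attribute must match.
    for attr, value in ids.items():
        if getattr(session, SESSION_ID_ATTRS[attr]) != value:
            return ("CoA-NAK", ERR_INVALID_ATTRIBUTE_VALUE)

    actions = []
    for raw in request.get("Cisco-AVPair", []):
        try:
            pair = parse_avpair(raw)
        except ValueError:
            return ("CoA-NAK", ERR_INVALID_ATTRIBUTE_VALUE)
        supported = (pair.protocol == "subscriber" and pair.attribute == "command"
                     and pair.value in SUBSCRIBER_COMMANDS)
        if not supported:
            if pair.mandatory:  # "=": assumption: must be honoured, so fail the request
                return ("CoA-NAK", ERR_UNSUPPORTED_ATTRIBUTE)
            continue            # "*": optional, ignored
        actions.append(pair.value)

    # Apply only after every attribute validated, so a rejected request changes nothing.
    for action in actions:
        if action == "disable-host-port":
            session.port_disabled = True
        elif action == "reauthenticate":
            session.reauth_requested = True
    return ("CoA-ACK", actions)


if __name__ == "__main__":
    # Constructed sample session and requests.
    s = Session(acct_session_id="00000123", user_name="alice")
    print(handle_coa_request(s, {"Acct-Session-Id": "00000123",
                                 "Cisco-AVPair": ["subscriber:command=reauthenticate"]}))
    print(handle_coa_request(s, {"Acct-Session-Id": "00000999",
                                 "Cisco-AVPair": ["subscriber:command=disable-host-port"]}))
```

The second constructed request carries an Acct-Session-Id that does not match the session, so it is answered with a CoA-NAK and leaves the port state untouched; that ordering (validate everything, then act) is the property a defender wants from a CoA listener.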
Although an IETF draft standard for RADIUS specifies a method for communicating vendor-proprietary information between the switch and the RADIUS server, some vendors have extended the RADIUS attribute set in a unique way. Cisco IOS software supports a subset of vendor-proprietary RADIUS attributes.
(Optional) Save your entries in the configuration file. To disable AAA, use the no aaa new-model global configuration command. To disable the AAA server functionality on the switch, use the no aaa server radius dynamic authorization global configuration command.
Configuring RADIUS Server Load Balancing
This feature allows access and authentication requests to be distributed evenly across all RADIUS servers in a server group. For more information, see the “RADIUS Server Load Balancing” chapter of the “Cisco IOS Security Configuration Guide”, Release 12.2: http://www.ciscosystems.com/en/US/docs/ios/12_2sb/feature/guide/sbrdldbl.html...
Configuring AAA authentication does not secure the switch for HTTP access by using AAA methods. For more information about the ip http authentication command, see the Cisco IOS Security Command Reference, Release 12.2.
You can use an SSH client to connect to a switch running the SSH server. The SSH server works with the SSH client supported in this release and with non-Cisco SSH clients. The SSH client also works with the SSH server supported in this release and with non-Cisco SSH servers.
Setting Up the Switch to Run SSH
Follow these steps to set up your switch to run SSH:
Download the cryptographic software image from Cisco.com. This step is required. For more information, see the release notes for this release.
Configure a hostname and IP domain name for the switch. Follow this procedure only if you are configuring the switch as an SSH server.
If you do not enter this command or do not specify a keyword, the SSH server selects the latest SSH version supported by the SSH client. For example, if the SSH client supports SSHv1 and SSHv2, the SSH server selects SSHv2.
Shows the status of the SSH server. For more information about these commands, see the “Secure Shell Commands” section in the “Other Security Features” chapter of the Cisco IOS Security Command Reference, Cisco IOS Release 12.2: http://www.cisco.com/en/US/docs/ios/12_2/security/configuration/guide/scfpass.html
(pages) back to the HTTP secure server, which, in turn, responds to the original request. The primary role of the HTTP secure client (the web browser) is to respond to Cisco IOS application requests for HTTPS User Agent services, perform HTTPS User Agent services for the application, and pass the response back to the application.
For additional information on Certificate Authorities, see the “Configuring Certification Authority Interoperability” chapter in the Cisco IOS Security Configuration Guide, Release 12.2 from the Cisco.com page under Documentation > Cisco IOS Software > 12.2 Mainline > Command References.
• Configuring the Secure HTTP Server, page 9-50
• Configuring the Secure HTTP Client, page 9-51
Default SSL Configuration
The standard HTTP server is enabled. SSL is enabled. No CA trustpoints are configured. No self-signed certificates are generated.
RSA key pair.
Step 13 end: Return to privileged EXEC mode.
Step 14 show crypto ca trustpoints: Verify the configuration.
Step 15 copy running-config startup-config: (Optional) Save your entries in the configuration file.
Step 10 ip http max-connections value: (Optional) Set the maximum number of concurrent connections that are allowed to the HTTP server. The range is 1 to 16; the default value is 5.
[rc4-128-sha] [des-cbc-sha]}
HTTPS connection. If you do not have a reason to specify a particular CipherSuite, you should allow the server and client to negotiate a CipherSuite that they both support. This is the default.
• Because SCP relies on SSH for its secure transport, the router must have a Rivest, Shamir, and Adelman (RSA) key pair.
Note When using SCP, you cannot enter the password into the copy command. You must enter the password when prompted.
A user who has appropriate authorization can use SCP to copy any file in the Cisco IOS File System (IFS) to and from a switch by using the copy command. An authorized administrator can also do this from a workstation.
Unless otherwise noted, the term switch refers to a standalone switch and to a switch stack. The Catalyst 2975 switch command reference and the “RADIUS Commands” section in the Cisco IOS Security Command Reference, Release 12.2, have command syntax and usage information.
Authentication Protocol (EAP) extensions is the only supported authentication server. It is available in Cisco Secure Access Control Server Version 3.0 or later. RADIUS operates in a client/server model in which secure authentication information is exchanged between the RADIUS server and one or more RADIUS clients.
The switch re-authenticates a client when one of these situations occurs:
• Periodic re-authentication is enabled, and the re-authentication timer expires.
You can configure the re-authentication timer to use a switch-specific value or to be based on values from the RADIUS server.
The specific exchange of EAP frames depends on the authentication method being used. Figure 10-3 shows a message exchange initiated by the client when the client uses the One-Time-Password (OTP) authentication method with a RADIUS server.
MAC authentication bypass.
Figure 10-4 Message Exchange During MAC Authentication Bypass (participants: Client, Switch, Authentication server (RADIUS); messages shown: EAPOL Request/Identity, EAPOL Request/Identity, EAPOL Request/Identity, Ethernet packet, RADIUS Access/Request, RADIUS Access/Accept)
Understanding IEEE 802.1x Port-Based Authentication Authentication Manager In Cisco IOS Release 12.2(46)SE and earlier, you could not use the same authorization methods, including CLI commands and messages, on this switch and also on other network devices, such as a Catalyst 6000.
ACL configured on another device running Cisco IOS software, such as a Catalyst 6000 switch. In Cisco IOS Release 12.2(50)SE or later, the ACLs configured on the switch are compatible with other devices running the Cisco IOS release.
Enable periodic re-authentication of the client.
authentication port-control {auto | force-authorized | force-unauthorized}
dot1x port-control {auto | force-authorized | force-unauthorized}
Enable manual control of the authorization state of the port.
Beginning with Cisco IOS Release 12.2(55)SE, you can filter out verbose system messages generated by the authentication manager. The filtered content typically relates to authentication success. You can also filter verbose messages for 802.1x authentication and MAB authentication.
For example, you can have a redundant connection to the stack master and another to a stack member, and if the stack master fails, the switch stack still has connectivity to the RADIUS server.
The switch supports multidomain authentication (MDA), which allows both a data device and voice device, such as an IP phone (Cisco or non-Cisco), to authenticate on the same switch port. The port is divided into a data domain and a voice domain.
• Until a device is authorized, the port drops its traffic.
• Non-Cisco IP phones or voice devices are allowed into both the data and voice VLANs. The data VLAN allows the voice device to contact a DHCP server to obtain an IP address and acquire the voice VLAN information. After the voice device starts sending on the voice VLAN, its access to the data VLAN is blocked.
MAC move is supported on all host modes. (The authenticated host can move to any port on the switch, no matter which host mode is enabled on that port.) Beginning with Cisco IOS Release 12.2(55)SE, MAC move can be configured in all host modes, along with port security.
“Enabling MAC Move” section on page 10-48.
MAC Replace
Beginning with Cisco IOS Release 12.2(55)SE, the MAC replace feature can be configured to address the violation that occurs when a host attempts to connect to a port where another host was previously authenticated.
DHCP snooping bindings table. You can view the AV pairs that are being sent by the switch by entering the debug radius accounting privileged EXEC command. For more information about this command, see the Cisco IOS Debug Command Reference, Release 12.2: http://www.cisco.com/en/US/docs/ios/12_2/debug/command/reference/122debug.html...
• If an 802.1x port is authenticated and put in the RADIUS server-assigned VLAN, any change to the port access VLAN configuration does not take effect. In the case of a multidomain host, the same applies to voice devices when the port is fully authorized with these exceptions:
ACL only to the phone as part of the authorization policies. Beginning with Cisco IOS Release 12.2(55)SE, if there is no static ACL on a port, a dynamic auth-default ACL is created, and policies are enforced before dACLs are downloaded and applied.
Note The auth-default-ACL does not support Cisco Discovery Protocol (CDP) bypass in the single host mode. You must configure a static ACL on the interface to support CDP bypass.
The 802.1x and MAB authentication methods support two authentication modes, open and closed. If there is no static ACL on a port in closed authentication mode:
• An auth-default-ACL is created.
ACL, this ACL takes precedence over the default ACL that is configured on the switch port. However, if the switch receives a host access policy from the Cisco Secure ACS but the default ACL is not configured, an authorization failure is declared.
Chapter 10 Configuring IEEE 802.1x Port-Based Authentication Understanding IEEE 802.1x Port-Based Authentication
Note This feature is not supported on Cisco ACS Server. (The ACS server ignores the sent VLAN-IDs for new hosts and only authenticates based on the MAC address.) For configuration information, see the “Configuring VLAN ID-based MAC Authentication”...
Other port security features such as dynamic ARP Inspection, DHCP snooping, and IP source guard can be configured independently on a restricted VLAN. For more information, see the “Configuring a Restricted VLAN” section on page 10-51.
RADIUS server is again available. When this is configured, all critical ports in the critical-authentication state are automatically re-authenticated. For more information, see the command reference for this release and the “Configuring the Inaccessible Authentication Bypass Feature” section on page 10-53.
• PVID to carry the data traffic to and from the workstation connected to the switch through the IP phone. The PVID is the native VLAN of the port.
If you enable 802.1x authentication on an access port on which a voice VLAN is configured and to which a Cisco IP Phone is connected, the Cisco IP phone loses connectivity to the switch for up to 30 seconds. For more information about voice VLANs, see Chapter 14, “Configuring Voice VLAN.”...
802.1x ports connected to devices such as printers. If 802.1x authentication times out while waiting for an EAPOL response from the client, the switch tries to authorize the client by using MAC authentication bypass.
For more configuration information, see the “Authentication Manager” section on page 10-7. Cisco IOS Release 12.2(55)SE and later supports filtering of verbose MAB system messages. See the “Authentication Manager CLI Commands” section on page 10-9.
VLAN group, none of the ports or users that are in the authenticated state in any VLAN within the group are cleared, but the VLAN mappings to the VLAN group are cleared. For more information, see the “Configuring 802.1x User Distribution” section on page 10-58.
• Single-host mode with open authentication–Only one user is allowed network access before and after authentication.
• MDA mode with open authentication–Only one user in the voice domain and one user in the data domain are allowed.
• Auto enablement: Automatically enables trunk configuration on the authenticator switch, allowing user traffic from multiple VLANs coming from supplicant switches. Configure the cisco-av-pair as device-traffic-class=switch at the ACS. (You can configure this under the group or the user settings.)
If the session is over, authentication fails, or a link fails, the port becomes unauthorized, and the switch removes the ACL from the port.
Default 802.1x Authentication Configuration
Feature / Default Setting
Switch 802.1x enable state: Disabled.
Per-port 802.1x enable state: Disabled (force-authorized). The port sends and receives normal traffic without 802.1x-based authentication of the client.
Disabled.
EtherChannel configuration from the interfaces on which 802.1x authentication and EtherChannel are configured.
• Cisco IOS Release 12.2(55)SE and later supports filtering of system messages related to 802.1x authentication. See the “Authentication Manager CLI Commands” section on page 10-9.
• are inactive. The range is 1 to 65535 seconds. You must enable port security before configuring a time out value. For more information, see the “Configuring Port Security” section on page 23-9.
• In single-host mode, only one device is allowed on the access VLAN. If the port is also configured with a voice VLAN, an unlimited number of Cisco IP phones can send and receive traffic through the voice VLAN.
• In multidomain authentication (MDA) mode, one device is allowed for the access VLAN, and one...
Note If the shutdown vlan keywords are not included, the entire port enters the error-disabled state and shuts down.
Step 3 errdisable recovery cause security-violation: (Optional) Enable automatic per-VLAN error recovery.
For method1, enter the group radius keywords to use the list of all RADIUS servers for authentication.
Note Though other keywords are visible in the command-line help string, only the group radius keywords are supported.
Step 6 The switch sends an interim accounting update to the accounting server that is based on the result of re-authentication.
Step 7 The user disconnects from the port.
Step 8 The switch sends a stop message to the accounting server.
The RADIUS host entries are tried in the order in which they were configured.
You also need to configure some settings on the RADIUS server. These settings include the IP address of the switch and the key string to be shared by both the server and the switch. For more information, see the RADIUS server documentation.
802.1x-authorized port that has the dot1x port-control interface configuration command set to auto. Use the multi-domain keyword to configure multidomain authentication (MDA) to enable authentication of both a host and a voice device, such as an IP phone (Cisco or non-Cisco) on the same switch port.
• Session-Timeout RADIUS attribute (Attribute[27]) and the Termination-Action RADIUS attribute (Attribute[29]). This command affects the behavior of the switch only if periodic re-authentication is enabled.
Set the number of seconds that the switch remains in the quiet state after a failed authentication exchange with the client. The range is 1 to 65535 seconds; the default is 60.
Step 4 end: Return to privileged EXEC mode.
This example shows how to set 60 as the number of seconds that the switch waits for a response to an EAP-request/identity frame from the client before resending the request:
Switch(config-if)# dot1x timeout tx-period 60
Note You should change the default value of this command only to adjust for unusual circumstances such as unreliable links or specific behavioral problems with certain clients and authentication servers.
This example shows how to globally enable MAC move on a switch:
Switch(config)# authentication mac-move permit
Enabling MAC Replace
MAC replace allows a host to replace an authenticated host on a port.
To turn on these functions, enable logging of “Update/Watchdog packets from this AAA client” in your RADIUS server Network Configuration tab. Next, enable “CVS RADIUS Accounting” in your RADIUS server System Configuration tab.
“802.1x Authentication Configuration Guidelines” section on page 10-35.
Step 3 switchport mode access: Set the port to access mode.
Step 4 authentication port-control auto / dot1x port-control auto: Enable 802.1x authentication on the port.
Step 7 end: Return to privileged EXEC mode.
Step 8 show authentication interface-id / show dot1x interface interface-id: (Optional) Verify your entries.
Step 9 copy running-config startup-config: (Optional) Save your entries in the configuration file.
(Optional) Set the number of minutes that a RADIUS server is not sent requests. The minutes range is from 0 to 1440 minutes (24 hours). The default is 0 minutes.
[authorize | reinitialize] vlan vlan-id
• authorize–Move any new hosts trying to authenticate to the user-specified critical VLAN.
• reinitialize–Move all authorized hosts on the port to the user-specified critical VLAN.
To disable 802.1x authentication with WoL, use the no authentication control-direction or no dot1x control-direction interface configuration command. These examples show how to enable 802.1x authentication with WoL and set the port as bidirectional:
Switch(config-if)# authentication control-direction both
Switch(config-if)# dot1x control-direction both
(Optional) Save your entries in the configuration file. To disable MAC authentication bypass, use the no dot1x mac-auth-bypass interface configuration command. This example shows how to enable MAC authentication bypass:
Switch(config-if)# dot1x mac-auth-bypass
This example shows how to clear all the VLAN groups:
switch(config)# no vlan group end-dept vlan-list all
switch(config)# show vlan-group all
For more information about these commands, see the Cisco IOS Security Command Reference.
(Optional) Save your entries in the configuration file. This example shows how to configure NAC Layer 2 802.1x validation:
Switch# configure terminal
Switch(config)# interface gigabitethernet2/0/1
Switch(config-if)# dot1x reauthentication
Switch(config-if)# dot1x timeout reauth-period server
10-30. Note The cisco-av-pairs must be configured as device-traffic-class=switch on the ACS, which sets the interface as a trunk after the supplicant is successfully authenticated. Beginning in privileged EXEC mode, follow these steps to configure a switch as an authenticator:...
Note You must configure a downloadable ACL on the ACS before downloading it to the switch. After authentication on the port, you can use the show ip access-list privileged EXEC command to display the downloaded ACLs on the port.
0.0.0.0. (Optional) Applies the source-wildcard wildcard bits to the source. (Optional) Enters log to cause an informational logging message about the packet that matches the entry to be sent to the console.
Switch(config)# aaa authorization network default group radius
Switch(config)# ip device tracking
Switch(config)# ip access-list extended default_acl
Switch(config-ext-nacl)# permit ip any any
Switch(config-ext-nacl)# exit
Switch(config)# radius-server vsa send authentication
Switch(config)# interface gigabitethernet2/0/1
Switch(config-if)# ip access-group default_acl in
Switch(config-if)# exit
There is no show command to confirm the status of VLAN ID-based MAC authentication. You can use the debug radius accounting privileged EXEC command to confirm the RADIUS attribute 32. For more information about this command, see the Cisco IOS Debug Command Reference, Release 12.2: http://www.cisco.com/en/US/docs/ios/debug/command/reference/db_q1.html#wp1123741...
Beginning in privileged EXEC mode, follow these steps to disable 802.1x authentication on the port. This procedure is optional.
Command / Purpose
Step 1 configure terminal: Enter global configuration mode.
Step 2 interface interface-id: Specify the port to be configured, and enter interface configuration mode.
EXEC command. Beginning with Cisco IOS Release 12.2(55)SE, you can use the no dot1x logging verbose global configuration command to filter verbose 802.1x authentication messages. See the “Authentication...
• ARP based trigger—ARP redirect ACL allows web-based authentication to detect hosts with a static IP address or a dynamic IP address.
• Dynamic ARP inspection
• DHCP snooping—Web-based authentication is notified when the switch creates a DHCP-binding entry for the host.
• If the terminate action is RADIUS, the feature sends a nonresponsive host (NRH) request to the server. The terminate action is included in the response from the server.
• If the terminate action is default, the session is dismantled, and the applied policy is removed.
You create a banner by using the ip admission auth-proxy-banner http global configuration command. The default banner Cisco Systems and Switch host-name Authentication appear on the Login Page. Cisco Systems appears on the authentication result pop-up page, as shown in Figure 11-2.
Figure 11-4.
Figure 11-4 Login Screen With No Banner
For more information, see the Cisco IOS Security Command Reference and the “Configuring a Web Authentication Local Banner” section on page 11-16.
• You must include an HTML redirect command in the success page to access a specific URL.
• The URL string must be a valid URL (for example, http://www.cisco.com). An incomplete URL might cause page not found or similar errors on a web browser.
You can then limit the number or group of clients that can access the network through the port. For more information about enabling port security, see the “Configuring Port Security” section on page 23-9.
ACLs
If you configure a VLAN ACL or a Cisco IOS ACL on an interface, the ACL is applied to the host traffic only after the web-based authentication host policy is applied. For Layer 2 web-based authentication, you must configure a port ACL (PACL) as the default access policy for ingress traffic from hosts connected to the port.
• You must configure the default ACL on the interface before configuring web-based authentication. Configure a port ACL for a Layer 2 interface or a Cisco IOS ACL for a Layer 3 interface.
• You cannot authenticate hosts on Layer 2 interfaces with static ARP cache assignment. These hosts...
This example shows how to enable web-based authentication on Fast Ethernet port 5/1:
Switch(config)# ip admission name webauth1 proxy http
Switch(config)# interface fastethernet 5/1
Switch(config-if)# ip admission webauth1
Switch(config-if)# exit
Switch(config)# ip device tracking
Switch(config)# aaa authorization auth-proxy default group tacacs+
Configuring Switch-to-RADIUS-Server Communication
RADIUS security servers identification:
• Host name
• Host IP address
• Host name and specific UDP port numbers
• IP address and specific UDP port numbers
For more information, see Cisco IOS Security Configuration Guide, Release 12.2 and the Cisco IOS Security Command Reference, Release 12.2: http://www.cisco.com/en/US/docs/ios/12_2/security/command/reference/fsecur_r.html...
The device: is flash memory.
Step 2 ip admission proxy http success page file device:success-filename: Specify the location of the custom HTML file to use in place of the default login success page.
Authentication global absolute time is 0 minutes
Authentication global init state time is 2 minutes
Authentication Proxy Session ratelimit is 100
Authentication Proxy Watch-list is disabled
Authentication Proxy Auditing is disabled
Max Login attempts per user is 5
• To remove the specification of a redirection URL, use the no form of the command.
This example shows how to configure a redirection URL for successful login:
Switch(config)# ip admission proxy http success redirect www.cisco.com
This example shows how to verify the redirection URL for successful login:
Switch# show ip admission configuration...
(Optional) Create a custom banner by entering C banner-text C, where C is a delimiting character, or by entering a file-path, which indicates a file (for example, a logo or text file) that appears in the banner.
This example shows how to view only the global web-based authentication status:
Switch# show authentication sessions
This example shows how to view the web-based authentication settings for gigabit interface 3/27:
Switch# show authentication sessions interface gigabitethernet 3/27
C H A P T E R
Configuring Interface Characteristics
This chapter defines the types of Catalyst 2975 interfaces and describes how to configure them. Unless otherwise noted, the term switch refers to a standalone switch and a switch stack.
VLAN assigned to the port. If an access port receives an 802.1Q tagged packet, the packet is dropped, and the source address is not learned.
Catalyst 6500 series switch. The Catalyst 2975 switch cannot be a VMPS server. You can also configure an access port with an attached Cisco IP Phone to use one VLAN for voice traffic and another VLAN for data traffic from a device attached to the phone. For more information about voice VLAN ports, see Chapter 14, “Configuring Voice VLAN.”
Most protocols operate over either single ports or aggregated switch ports and do not recognize the physical ports within the port group. The DTP, the Cisco Discovery Protocol (CDP), and the Port Aggregation Protocol (PAgP) operate only on physical ports.
CDP messages for an agreed power-consumption level. The negotiation allows a high-power Cisco powered device, which consumes more than 7 W, to operate at its highest power mode. The powered device first boots up in low-power mode, consumes less than 7 W, and negotiates to obtain enough power to operate in high-power mode.
After power is applied to the port, the switch uses CDP to determine the actual power consumption requirement of the connected Cisco powered devices, and the switch adjusts the power budget accordingly. This does not apply to third-party PoE devices. The switch processes a request and either grants or denies power.
PoE-capable port, making the port a data-only port. For information on configuring a PoE port, see the “Configuring a Power Management Mode on a PoE Port” section on page 12-23.
The switch also uses the power policing feature to police the power usage. Power monitoring is backward-compatible with Cisco intelligent power management and CDP-based power consumption. It works with these features to ensure that the PoE port can supply power to the powered device.
PoE ports. Because the switch supports internal power supplies and the Cisco Redundant Power System 2300 (also referred to as the RPS 2300), the total amount of power available for the powered devices varies depending on the power supply configuration.
1 with 48 10/100/1000 ports, enter this command:
Switch(config)# interface gigabitethernet1/0/49
Note: Configuration examples and outputs in this book might not be specific to your switch, particularly regarding the presence of a stack member number.
You can use the interface range global configuration command to configure multiple interfaces with the same configuration parameters. When you enter the interface-range configuration mode, all command parameters that you enter are attributed to all interfaces within that range until you exit this mode.
• All interfaces defined in a range must be the same type (all Fast Ethernet ports, all Gigabit Ethernet ports, all EtherChannel ports, or all VLANs), but you can enter multiple ranges in a command.
Show the defined interface range macro configuration.
Step 6: copy running-config startup-config. Purpose: (Optional) Save your entries in the configuration file.
Use the no define interface-range macro_name global configuration command to delete a macro.
Switch(config)# define interface-range macro1 gigabitethernet1/0/1 - 2, gigabitethernet1/0/1 - 2
Switch(config)# end
This example shows how to enter interface-range configuration mode for the interface-range macro enet_list:
Switch# configure terminal
Switch(config)# interface range macro enet_list
Switch(config-if-range)#
Duplex mode: Autonegotiate.
Flow control: Flow control is set to receive: off. It is always off for sent packets.
EtherChannel (PAgP): Disabled on all Ethernet ports. See Chapter 37, “Configuring EtherChannels and Link-State Tracking.”
Enabled.
Note: The switch might not support a pre-standard powered device—such as Cisco IP phones and access points that do not fully support IEEE 802.3af—if that powered device is connected to the switch through a crossover cable. This is regardless of whether auto-MDIX is enabled on the switch port.
SFP module interface. In all other situations, the switch selects the active link based on which type first links up.
For information about which SFP modules are supported on your switch, see the product release notes.
• If both ends of the line support autonegotiation, we highly recommend the default setting of autonegotiation.
Use the no speed and no duplex interface configuration commands to return the interface to the default speed and duplex settings (autonegotiate). To return all interface settings to the defaults, use the default interface interface-id interface configuration command.
Switch# configure terminal
To disable flow control, use the flowcontrol receive off interface configuration command. This example shows how to turn on flow control on a port:
Switch# configure terminal
Switch(config)# interface gigabitethernet1/0/1
Switch(config-if)# flowcontrol receive on
Switch(config-if)# end
To disable auto-MDIX, use the no mdix auto interface configuration command. This example shows how to enable auto-MDIX on a port:
Switch# configure terminal
Switch(config)# interface gigabitethernet1/0/1
Switch(config-if)# speed auto
Switch(config-if)# duplex auto
(15400 milliwatts).
• never—Disable device detection, and disable power to the port.
Note: If a port has a Cisco powered device connected to it, do not use the power inline never command to configure the port. A false link-up can occur, placing the port into an error-disabled state.
(CDP) to determine the actual power consumption of the devices, and the switch adjusts the power budget accordingly. The CDP protocol works with Cisco powered devices and does not apply to IEEE third-party powered devices. For these devices, when the switch grants a power request, the switch adjusts the power budget according to the powered-device IEEE classification.
Display the power consumption status.
Step 7: copy running-config startup-config. Purpose: (Optional) Save your entries in the configuration file.
To return to the default setting, use the no power inline consumption interface configuration command.
Step 7: show power inline police; show errdisable recovery. Purpose: Display the power monitoring status, and verify the error recovery settings.
Step 8: copy running-config startup-config. Purpose: (Optional) Save your entries in the configuration file.
When you create an SVI, it does not become active until you associate it with a physical port. For information about assigning Layer 2 ports to VLANs, see Chapter 13, “Configuring VLANs.”
Although frames that are forwarded are typically not received by the CPU, in some cases, packets are sent to the CPU, such as traffic sent to control traffic, SNMP, or Telnet.
? command at the privileged EXEC prompt.) These commands are fully described in the Cisco IOS Interface Command Reference, Release 12.2 from the Cisco.com page under Documentation > Cisco IOS Software > 12.2 Mainline > Command References.
This chapter describes how to configure normal-range VLANs (VLAN IDs 1 to 1005) and extended-range VLANs (VLAN IDs 1006 to 4094) on the Catalyst 2975 switch. It includes information about VLAN membership modes, VLAN configuration modes, VLAN trunks, and dynamic VLAN assignment from a VLAN Membership Policy Server (VMPS).
VTP transparent mode when you create VLAN IDs from 1006 to 4094. Cisco IOS Release 12.2(52)SE and later support VTP version 3. VTP version 3 supports the entire VLAN range (VLANs 1 to 4094). Extended range VLANs (VLANs 1006 to 4094) are supported only in VTP version 3.
VTP domain name. To participate in VTP, at least one trunk port on the switch stack must be connected to a ...
Catalyst 6500 series switch, for example, but never a Catalyst 2975 switch. The Catalyst 2975 switch is a VMPS client.
This section does not provide configuration details for most of these parameters.
Note: For complete information on the commands and parameters that control VLAN configuration, see the command reference for this release.
VLAN anywhere in the VTP domain creates a VLAN on that switch that is not running spanning-tree. If you have the default allowed list on the trunk ports of that switch (which ...
• the first 1005 VLANs use the VLAN database information. VTP version 3 also supports VLANs 1006 to 4094.
Default Ethernet VLAN Configuration
Table 13-2 shows the default configuration for Ethernet VLANs.
1006, but they are not added to the VLAN database. See the “Configuring Extended-Range VLANs” section on page 13-10. For the list of default parameters that are assigned when you add a VLAN, see the “Configuring Normal-Range VLANs” section on page 13-4.
Token Ring VLANs 1002 to 1005.
Caution: When you delete a VLAN, any ports assigned to that VLAN become inactive. They remain associated with the VLAN (and thus inactive) until you assign them to a new VLAN.
This example shows how to configure a port as an access port in VLAN 2:
Switch# configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Switch(config)# interface gigabitethernet2/0/1
VTP transparent mode. Otherwise, you lose the extended-range VLAN configuration if the switch resets. If you create extended-range VLANs in VTP version 3, you cannot convert to VTP version 1 or 2.
VLANs.
Step 5: remote-span. Purpose: (Optional) Configure the VLAN as the RSPAN VLAN. See the “Configuring a VLAN as an RSPAN VLAN” section on page 27-18.
Step 6: Return to privileged EXEC mode.
Display parameters for all VLANs or the specified VLAN on the switch. For more details about the show command options and explanations of output fields, see the command reference for this release.
desirable: Makes the interface actively attempt to convert the link to a trunk link. The interface becomes a trunk interface if the neighboring interface is set to trunk, desirable, or auto mode.
VLAN allowed on the trunks. Non-Cisco devices might support one spanning-tree instance for all VLANs. When you connect a Cisco switch to a non-Cisco device through an IEEE 802.1Q trunk, the Cisco switch combines the spanning-tree instance of the VLAN of the trunk with the spanning-tree instance of the non-Cisco IEEE 802.1Q switch.
IEEE 802.1x on a dynamic port, an error message appears, and IEEE 802.1x is not enabled. If you try to change the mode of an IEEE 802.1x-enabled port to dynamic, the port mode is not changed.
This example shows how to configure a port as an IEEE 802.1Q trunk. The example assumes that the neighbor interface is configured to support IEEE 802.1Q trunking.
Switch# configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Switch(config)# interface gigabitethernet1/0/2
Switch(config-if)# switchport mode dynamic desirable
Switch(config-if)# end
Note VLAN 1 is the default VLAN on all trunk ports in all Cisco switches, and it has previously been a requirement that VLAN 1 always be enabled on every trunk link. You can use the VLAN 1 minimization feature to disable VLAN 1 on any individual VLAN trunk link so that no user traffic (including spanning-tree advertisements) is sent or received on VLAN 1.
Step 6: copy running-config startup-config. Purpose: (Optional) Save your entries in the configuration file.
To return to the default pruning-eligible list of all VLANs, use the no switchport trunk pruning vlan interface configuration command.
STP port priorities, both load-sharing links must be connected to the same switch. For load sharing using STP path costs, each load-sharing link can be connected to the same switch or to two different switches. For more information about STP, see Chapter 16, “Configuring STP.”
Configure a VTP administrative domain. The domain name can be 1 to 32 characters.
Step 3: vtp mode server. Purpose: Configure Switch A as the VTP server.
Step 4: Return to privileged EXEC mode.
• VLANs 8 through 10 are assigned a path cost of 30 on Trunk port 2.
• VLANs 2 through 4 retain the default 100BASE-T path cost on Trunk port 2 of 19.
Verify your entries. In the display, verify that the path costs are set correctly for both trunk interfaces.
Step 16: copy running-config startup-config. Purpose: (Optional) Save your entries in the configuration file.
VMPS when it identifies a new host address. If the switch receives a port-shutdown response from the VMPS, it disables the port. The port must be manually re-enabled by using Network Assistant, the CLI, or SNMP.
• When you configure a port as a dynamic-access port, the spanning-tree Port Fast feature is automatically enabled for that port. The Port Fast mode accelerates the process of bringing the port into the forwarding state.
Note: You must have IP connectivity to the VMPS for dynamic-access ports to work. You can test for IP connectivity by pinging the IP address of the VMPS and verifying that you get a response.
Beginning in privileged EXEC mode, follow these steps to confirm the dynamic-access port VLAN membership assignments that the switch has received from the VMPS:
Step 1: vmps reconfirm. Purpose: Reconfirm dynamic-access port VLAN membership.
Step 2: show vmps. Purpose: Verify the dynamic VLAN reconfirmation status.
Verify your entry in the Server Retry Count field of the display.
Step 5: copy running-config startup-config. Purpose: (Optional) Save your entries in the configuration file.
To return the switch to its default setting, use the no vmps retry global configuration command.
• The VMPS server and the VMPS client are separate switches.
• The Catalyst 6500 series Switch A is the primary VMPS server. The Catalyst 6500 series Switch C and Switch J are secondary VMPS servers.
[Figure residue: diagram labels for Switch E, Switch F, Switch G, Switch H, client switch I (dynamic-access port with station 2, and a trunk port) and the Catalyst 6500 series Switch J (secondary VMPS server 3), with addresses 172.20.26.154 through 172.20.26.159.]
The voice VLAN feature enables access ports to carry IP voice traffic from an IP phone. When the switch is connected to a Cisco 7960 IP Phone, the phone sends voice traffic with Layer 3 IP precedence and Layer 2 class of service (CoS) values, which are both set to 5 by default. Because the sound quality of an IP phone call can deteriorate if the data is unevenly sent, the switch supports quality of service (QoS) based on IEEE 802.1p CoS.
Cisco IP Phone Voice Traffic
You can configure an access port with an attached Cisco IP Phone to use one VLAN for voice traffic and another VLAN for data traffic from a device attached to the phone. You can configure access ports ...
• In untrusted mode, all traffic in IEEE 802.1Q or IEEE 802.1p frames received through the access port on the Cisco IP Phone receives a configured Layer 2 CoS value. The default Layer 2 CoS value is 0. Untrusted mode is the default.
VLAN, the Port Fast feature is not automatically disabled.
• If the Cisco IP Phone and a device attached to the phone are in the same VLAN, they must be in the same IP subnet. These conditions indicate that they are in the same VLAN:
– ...
Because a Cisco 7960 IP Phone also supports a connection to a PC or other device, a port connecting the switch to a Cisco IP Phone can carry mixed traffic. You can configure a port to decide how the Cisco IP Phone carries voice traffic and data traffic.
Configuring the Priority of Incoming Data Frames
You can connect a PC or other data device to a Cisco IP Phone port. To process tagged data traffic (in IEEE 802.1Q or IEEE 802.1p frames), you can configure the switch to send CDP packets to instruct the phone how to send data packets from the device attached to the access port on the Cisco IP Phone.
Chapter 14 Configuring Voice VLAN: Displaying Voice VLAN
This example shows how to configure a port connected to a Cisco IP Phone to not change the priority of frames received from the PC or the attached device:
Switch# configure terminal
Enter configuration commands, one per line.
Configuring VTP
This chapter describes how to use the VLAN Trunking Protocol (VTP) and the VLAN database for managing VLANs with the Catalyst 2975 switches. Unless otherwise noted, the term switch refers to a standalone switch and a switch stack.
VLAN. The output of the show vlan user EXEC command shows the VLAN in a suspended state. VTP version 1 and version 2 support only normal-range VLANs (VLAN IDs 1 to 1005). Cisco IOS Release 12.2(52)SE and later support VTP version 3. VTP version 3 supports the entire VLAN range (VLANs 1 to 4094).
VTP off: A switch in VTP off mode functions in the same manner as a VTP transparent switch, except that it does not forward VTP advertisements on trunks.
Because VTP version 2 supports only one domain, it forwards VTP messages in transparent mode without inspecting the version and domain name.
For example, you can configure the switch as a VTP server for the VLAN database but with VTP off for the MST database.
Switches C, E, and F because traffic for the Red VLAN has been pruned on the links shown (Port 5 on Switch B and Port 4 on Switch D).
VTP database. In this case, the MAC address of the stack master is used as the primary server ID. If the master switch reloads or is powered off, a new stack master is elected.
VTP information, the domain name, and the mode, and to disable or enable pruning. For more information about available keywords, see the command descriptions in the command reference for this release. The VTP information is saved in the VTP VLAN database. When ...
Caution: When you configure a VTP domain password, the management domain does not function properly if you do not assign a management domain password to each switch in the domain.
When you configure VTP, you must configure a trunk port on the switch stack so that the switch can send and receive VTP advertisements to and from other switches in the domain. For more information, see the “Configuring VLAN Trunks” section on page 13-13.
Caution: If all switches are operating in VTP client mode, do not configure a VTP domain name. If you do, it is impossible to make changes to the VLAN configuration of that domain. Therefore, make sure you configure at least one switch as a VTP server.
Switch(config)# vtp domain eng_group
Setting VTP domain name to eng_group.
Switch(config)# vtp mode server
Setting device to VTP Server mode for VLANS.
Switch(config)# vtp password mypassword
Setting device VLAN database password to mypassword.
Switch(config)# end
• (Optional) mst—Select the multiple spanning tree (MST) database as the takeover feature.
• (Optional) force—Entering force overwrites the configuration of any conflicting servers. If you do not enter force, you are prompted for confirmation before the takeover.
Token Ring VLAN switching to function properly. For Token Ring and Token Ring-Net media, VTP version 2 must be disabled. VTP version 3 is supported on switches running Cisco IOS Release 12.2(52)SE or later.
• In VTP version 3, both the primary and secondary servers can exist on an instance in the domain.
interface-id. Verify the change to the port.
Step 6: show vtp status. Purpose: Verify the configuration.
To disable VTP on the interface, use the no vtp interface configuration command.
Switch(config)# interface gigabitethernet 1/0/1
Switch(config-if)# vtp
Switch(config-if)# end
Note: You can use the vtp mode transparent global configuration command to disable VTP on the switch and then to change its VLAN information without affecting the other switches in the VTP domain.
Display the VTP password. The form of the password displayed depends on whether or not the hidden keyword was entered and if encryption is enabled on the switch.
show vtp status: Display the VTP switch configuration information.
This chapter describes how to configure the Spanning Tree Protocol (STP) on port-based VLANs on the Catalyst 2975 switch. The switch can use either the per-VLAN spanning-tree plus (PVST+) protocol based on the IEEE 802.1D standard and Cisco proprietary extensions, or the rapid per-VLAN spanning-tree plus (rapid-PVST+) protocol based on the IEEE 802.1w standard.
Note: The default is for the switch to send keepalive messages (to ensure the connection is up) only on interfaces that do not have small form-factor pluggable (SFP) modules. You can use the [no] keepalive interface configuration command to change the default for an interface.
– Selects the lowest root bridge ID
– Selects the lowest path cost to the root switch
– Selects the lowest designated bridge ID
– Selects the lowest designated path cost
– Selects the lowest port ID
Figure 16-1 Spanning-Tree Port States in a Switch Stack
All paths that are not needed to reach the root switch from anywhere in the switched network are placed in the spanning-tree blocking mode.
• Forwarding—The interface forwards frames.
• Disabled—The interface is not participating in spanning tree because of a shutdown port, no link on the port, or no spanning-tree instance running on the port.
In the learning state, the interface continues to block frame forwarding as the switch learns end-station location information for the forwarding database. When the forward-delay timer expires, spanning tree moves the interface to the forwarding state, where both learning and frame forwarding are enabled.
An interface in the forwarding state performs these functions:
• Receives and forwards frames received on the interface
• Forwards frames switched from another interface
• Learns addresses
• Receives BPDUs
Ethernet link. By changing the spanning-tree port priority on the Gigabit Ethernet port to a higher priority (lower numerical value) than the root port, the Gigabit Ethernet port becomes the new root port.
The accelerated aging is the same as the forward-delay parameter value (spanning-tree vlan vlan-id forward-time seconds global configuration command) when the spanning tree reconfigures.
Spanning-Tree Modes and Protocols
The switch supports these spanning-tree modes and protocols:
• PVST+—This spanning-tree mode is based on the IEEE 802.1D standard and Cisco proprietary extensions. It is the default spanning-tree mode used on all Ethernet port-based VLANs. The PVST+ runs on each VLAN on the switch up to the maximum supported, ensuring that each has a loop-free path through the network.
VLAN allowed on the trunks. When you connect a Cisco switch to a non-Cisco device through an IEEE 802.1Q trunk, the Cisco switch uses PVST+ to provide spanning-tree interoperability. If rapid PVST+ is enabled, the switch uses it instead of PVST+.
VLAN that have a running spanning-tree instance can break loops. Therefore, spanning tree must be running on enough switches to break all the loops in the network; for example, at least one ...
“Optional Spanning-Tree Configuration Guidelines” section on page 18-12.
Caution: Loop guard works only on point-to-point links. We recommend that each end of the link has a directly connected device that is running STP.
(Optional) Save your entries in the configuration file. To return to the default setting, use the no spanning-tree mode global configuration command. To return the port to its default setting, use the no spanning-tree link-type interface configuration command.
ID support will become the root switch. The extended system ID increases the switch priority value every time the VLAN number is greater than the priority of the connected switches running older software.
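The root-election and root-port tie-break order this chapter lists (lowest root bridge ID, path cost, designated bridge ID, designated path cost, port ID), together with the extended-system-ID bridge priority discussed here, worked through in Python as an added example that is not code from the guide. The bridge-ID and port-ID encodings assumed are those of IEEE 802.1t, and the VLAN 10 topology in demo() is constructed.

```python
"""Spanning-tree root election and root-port selection in the tie-break order
this chapter lists: lowest root bridge ID, lowest path cost to the root
switch, lowest designated bridge ID, lowest designated path cost, lowest
port ID. Added example, not code from the Catalyst 2975 guide. Assumes the
IEEE 802.1t extended system ID: the bridge priority field is the configured
priority (a multiple of 4096) plus the VLAN ID, followed by the 48-bit MAC.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple

BridgeId = Tuple[int, int]  # (priority field including VLAN ID, MAC as int)


def bridge_id(priority: int, vlan_id: int, mac: str) -> BridgeId:
    """Comparable bridge ID for one VLAN's PVST+ instance."""
    if priority % 4096 or not 0 <= priority <= 61440:
        raise ValueError("priority must be a multiple of 4096 from 0 to 61440")
    if not 1 <= vlan_id <= 4094:
        raise ValueError("VLAN ID must be from 1 to 4094")
    mac_int = int(mac.replace(":", "").replace(".", "").replace("-", ""), 16)
    return (priority + vlan_id, mac_int)


def port_id(port_priority: int, port_number: int) -> int:
    """16-bit port ID: 4-bit priority (0-240 in steps of 16), 12-bit port number."""
    if port_priority % 16 or not 0 <= port_priority <= 240:
        raise ValueError("port priority must be a multiple of 16 from 0 to 240")
    if not 1 <= port_number <= 4095:
        raise ValueError("port number must be from 1 to 4095")
    return ((port_priority // 16) << 12) | port_number


def elect_root(bridges: Dict[str, BridgeId]) -> str:
    """Name of the bridge with the numerically lowest bridge ID."""
    return min(bridges, key=lambda name: bridges[name])


@dataclass(frozen=True)
class Bpdu:
    root_id: BridgeId
    root_path_cost: int  # cost advertised by the sending (designated) bridge
    designated_bridge_id: BridgeId
    designated_port_id: int


@dataclass(frozen=True)
class ReceivedBpdu:
    bpdu: Bpdu
    receiving_port_id: int
    port_cost: int  # this switch's path cost on the receiving port


def candidate_key(rx: ReceivedBpdu) -> tuple:
    """Lexicographic key in the chapter's order; the lowest key wins."""
    return (
        rx.bpdu.root_id,                        # lowest root bridge ID
        rx.bpdu.root_path_cost + rx.port_cost,  # lowest path cost to the root
        rx.bpdu.designated_bridge_id,           # lowest designated bridge ID
        rx.bpdu.root_path_cost,                 # lowest designated path cost
        rx.bpdu.designated_port_id,             # lowest port ID (sender's port)
        rx.receiving_port_id,                   # then this switch's own port ID
    )


def select_root_port(received: List[ReceivedBpdu]) -> int:
    """Receiving port ID whose BPDU carries the best (lowest) key."""
    if not received:
        raise ValueError("no BPDUs received: this switch is its own root")
    return min(received, key=candidate_key).receiving_port_id


def demo() -> Dict[str, object]:
    """Constructed VLAN 10 topology exercising each selection rule."""
    vlan = 10
    ids = {
        "A": bridge_id(32768, vlan, "0000.0c11.1111"),
        "B": bridge_id(32768, vlan, "0000.0c22.2222"),
        "C": bridge_id(32768, vlan, "0000.0c33.3333"),
    }
    default_root = elect_root(ids)  # equal priority, so the lowest MAC wins
    # Lowering B's priority one step (spanning-tree vlan 10 priority 24576)
    # beats A's lower MAC, because the priority field is compared first.
    tuned = dict(ids, B=bridge_id(24576, vlan, "0000.0c22.2222"))
    root = tuned[elect_root(tuned)]
    # Switch C hears the root on a Fast Ethernet link (cost 19) and on a
    # Gigabit Ethernet link (cost 4): the lower path cost wins.
    by_cost = select_root_port([
        ReceivedBpdu(Bpdu(root, 0, root, port_id(128, 1)), port_id(128, 1), 19),
        ReceivedBpdu(Bpdu(root, 0, root, port_id(128, 2)), port_id(128, 2), 4),
    ])
    # Two equal-cost Gigabit links from the root: the BPDU from the root port
    # given the better (lower) port priority wins, even though C receives it
    # on a higher-numbered port.
    by_priority = select_root_port([
        ReceivedBpdu(Bpdu(root, 0, root, port_id(128, 2)), port_id(128, 2), 4),
        ReceivedBpdu(Bpdu(root, 0, root, port_id(112, 3)), port_id(128, 3), 4),
    ])
    return {"default_root": default_root, "tuned_root": elect_root(tuned),
            "root_port_by_cost": by_cost, "root_port_by_priority": by_priority}
```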
Verify your entries.
Step 5: copy running-config startup-config. Purpose: (Optional) Save your entries in the configuration file.
To return to the default setting, use the no spanning-tree vlan vlan-id root global configuration command.
(higher numerical values) that you want selected last. If all interfaces have the same priority value, spanning tree puts the interface with the lowest interface number in the forwarding state and blocks the other interfaces.
Note: The show spanning-tree interface interface-id privileged EXEC command displays information only if the port is in a link-up operative state. Otherwise, you can use the show running-config interface privileged EXEC command to confirm the configuration.
Verify your entries.
Step 5: copy running-config startup-config. Purpose: (Optional) Save your entries in the configuration file.
To return to the default setting, use the no spanning-tree vlan vlan-id priority global configuration command.
Verify your entries.
Step 5: copy running-config startup-config. Purpose: (Optional) Save your entries in the configuration file.
To return to the default setting, use the no spanning-tree vlan vlan-id hello-time global configuration command.
Verify your entries.
Step 5: copy running-config startup-config. Purpose: (Optional) Save your entries in the configuration file.
To return to the default setting, use the no spanning-tree vlan vlan-id max-age global configuration command.
You can clear spanning-tree counters by using the clear spanning-tree [interface interface-id] privileged EXEC command. For information about other keywords for the show spanning-tree privileged EXEC command, see the command reference for this release.
Chapter 17 Configuring MSTP
This chapter describes how to configure the Cisco implementation of the IEEE 802.1s Multiple STP (MSTP) on the Catalyst 2975 switch. The multiple spanning-tree (MST) implementation is based on the IEEE 802.1s standard.
Within each MST region, the MSTP maintains multiple spanning-tree instances. Instance 0 is a special instance for a region, known as the internal spanning tree (IST). All other MST instances are numbered from 1 to 4094.
CST, which includes all MST regions and all legacy STP switches in the network. The MST instances combine with the IST at the boundary of the region to become the CST.
Figure 17-1 MST Regions, CIST Masters, and CST Root
[Figure labels: IST master and CST root; Legacy IEEE 802.1D; MST Region 1; IST master; IST master; MST Region 2; MST Region 3]
IEEE 802.1D switches. MSTP switches use MSTP BPDUs to communicate with MSTP switches.
IEEE 802.1s Terminology
Some MST naming conventions used in Cisco’s prestandard implementation have been changed to identify some internal or regional parameters. These parameters are significant only within an MST region, as opposed to external parameters that are relevant to the whole network.
The primary change from the Cisco prestandard implementation is that a designated port is not defined as boundary, unless it is running in an STP-compatible mode.
Configuring MSTP Understanding MSTP IEEE 802.1s Implementation The Cisco implementation of the IEEE MST standard includes features required to meet the standard, as well as some of the desirable prestandard functionality that is not yet incorporated into the published standard.
Detecting Unidirectional Link Failure This feature is not yet present in the IEEE MST standard, but it is included in this Cisco IOS release. The software checks the consistency of the port role and state in the received BPDUs to detect unidirectional link failures that could cause bridging loops.
The RSTP takes advantage of point-to-point wiring and provides rapid convergence of the spanning tree. Reconfiguration of the spanning tree can occur in less than 1 second (in contrast to 50 seconds with the default settings in the IEEE 802.1D spanning tree).
Operational Status  STP Port State  RSTP Port State
Enabled             Learning        Learning
Enabled             Forwarding      Forwarding
Disabled            Disabled        Discarding

To be consistent with Cisco STP implementations, this guide defines the port state as blocking instead of discarding. Designated ports start in the listening state.
You can override the default setting that is controlled by the duplex setting by using the spanning-tree link-type interface configuration command.
RSTP forces it to synchronize with new root information. In general, when the RSTP forces a port to synchronize with root information and the port does not satisfy any of the above conditions, its port state is set to blocking.
IEEE 802.1D switch and a configuration BPDU with the TCA bit set is received, the TC-while timer is reset. This behavior is only required to support IEEE 802.1D switches. The RSTP BPDUs never have the TCA bit set.
• VTP propagation of the MST configuration is not supported. However, you can manually configure the MST configuration (region name, revision number, and VLAN-to-instance mapping) on each switch within the MST region by using the command-line interface (CLI) or through the SNMP support.
Beginning in privileged EXEC mode, follow these steps to specify the MST region configuration and enable MSTP. This procedure is required.
Command Purpose
Step 1 configure terminal Enter global configuration mode.
Step 2 spanning-tree mst configuration Enter MST configuration mode.
Note After configuring the switch as the root switch, we recommend that you avoid manually configuring the hello time, forward-delay time, and maximum-age time through the spanning-tree mst hello-time, spanning-tree mst forward-time, and the spanning-tree mst max-age global configuration commands.
You can execute this command on more than one switch to configure multiple backup root switches. Use the same network diameter and hello-time values that you used when you configured the primary root switch with the spanning-tree mst instance-id root primary global configuration command.
Assign lower cost values to ports that you want selected first and higher cost values to ports that you want selected last. For more information, see the “Configuring Path Cost” section on page 17-23.
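The following is an added example, not taken from this guide, that puts the MST region procedure, the root primary and root secondary commands, and the per-instance path cost together on one distribution switch. The region name, revision number, VLAN ranges, diameter, and interface numbers are assumptions chosen for illustration.

```text
! Added example (not from the guide). Region name, revision, VLANs and
! interface numbers are assumptions.
Switch# configure terminal
Switch(config)# spanning-tree mst configuration
Switch(config-mst)# name CAMPUS-A
Switch(config-mst)# revision 1
Switch(config-mst)# instance 1 vlan 10-19
Switch(config-mst)# instance 2 vlan 20-29
! Review the pending region configuration before it is applied
Switch(config-mst)# show pending
Switch(config-mst)# exit
Switch(config)# spanning-tree mode mst
! This switch is the root for the IST (instance 0) and instance 1, and the backup
! root for instance 2; the other distribution switch gets the mirror image.
! Use the same diameter and hello-time for primary and secondary.
Switch(config)# spanning-tree mst 0-1 root primary diameter 4 hello-time 2
Switch(config)# spanning-tree mst 2 root secondary diameter 4 hello-time 2
! Prefer the uplink on Gi1/0/1 in instance 1 by giving it the lower cost
Switch(config)# interface gigabitethernet1/0/1
Switch(config-if)# spanning-tree mst 1 cost 2000
Switch(config-if)# end
Switch# show spanning-tree mst configuration
Switch# show spanning-tree mst 1
Switch# show spanning-tree mst interface gigabitethernet1/0/1
```

The region name, revision number, and VLAN-to-instance mapping must be identical on every switch in the region; because VTP does not propagate them, a single mismatched switch silently forms its own region and its links become boundary ports. Also note that root primary only lowers this switch's bridge priority; any switch that advertises a still lower priority takes over the root role unless the port it arrives on is protected.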
Otherwise, you can use the show running-config interface privileged EXEC command to confirm the configuration. To return the interface to its default setting, use the no spanning-tree mst instance-id port-priority interface configuration command.
Otherwise, you can use the show running-config privileged EXEC command to confirm the configuration. To return the interface to its default setting, use the no spanning-tree mst instance-id cost interface configuration command.
Verify your entries.
Step 5 copy running-config startup-config (Optional) Save your entries in the configuration file.
To return the switch to its default setting, use the no spanning-tree mst instance-id priority global configuration command.
Verify your entries.
Step 5 copy running-config startup-config (Optional) Save your entries in the configuration file.
To return the switch to its default setting, use the no spanning-tree mst forward-time global configuration command.
Verify your entries.
Step 5 copy running-config startup-config (Optional) Save your entries in the configuration file.
To return the switch to its default setting, use the no spanning-tree mst max-hops global configuration command.
Step 2 interface interface-id Specify an interface to configure, and enter interface configuration mode. Valid interfaces include physical ports.
Step 3 spanning-tree mst pre-standard Specify that the port can send only prestandard BPDUs.
Displays MST information for the specified instance.
show spanning-tree mst interface interface-id Displays MST information for the specified interface.
For information about other keywords for the show spanning-tree privileged EXEC command, see the command reference for this release.
Configuring Optional Spanning-Tree Features

This chapter describes how to configure optional spanning-tree features on the Catalyst 2975 switch. You can configure all of these features when your switch is running the per-VLAN spanning-tree plus (PVST+).
Port Fast-operational state if any BPDU is received on them. In a valid configuration, Port Fast-enabled ports do not receive BPDUs. Receiving a BPDU on a Port Fast-enabled port means an invalid
Switches in hierarchical networks can be grouped into backbone switches, distribution switches, and access switches. Figure 18-2 shows a complex network where distribution switches and access switches each have at least one redundant link that spanning tree blocks to prevent loops.
Switch B over link L1 and to Switch C over link L2. The Layer 2 interface on Switch C that is connected directly to Switch B is in a blocking state.

Understanding Cross-Stack UplinkFast

For Catalyst 2975 switches, the UplinkFast feature is the cross-stack UplinkFast feature. Cross-stack UplinkFast (CSUF) provides a fast spanning-tree transition (fast convergence in less than 1 second under normal network conditions) across a switch stack. During the fast transition, an alternate redundant link on the switch stack is placed in the forwarding state without causing temporary spanning-tree loops or loss of connectivity to the backbone.
The switch sending the fast-transition request needs to do a fast transition to the forwarding state of a port that it has chosen as the root port, and it must obtain an acknowledgement from each stack switch before performing the fast transition.
BPDU is a signal that the other switch might have lost its path to the root, and BackboneFast tries to find an alternate path to the root.
Switch B over link L1 and to Switch C over link L2. The Layer 2 interface on Switch C that connects directly to Switch B is in the blocking state.
Figure 18-6 BackboneFast Example Before Indirect Link Failure (figure: Switch A (Root), Switch B, and Switch C; the port on Switch C toward Switch B is blocked)
BPDUs, and the new switch learns that Switch B is the designated switch to Switch A, the root switch.
Figure 18-8 Adding a Switch in a Shared-Medium Topology (figure: Switch A (Root), Switch B, Switch C (Designated bridge) with a blocked port, and the added switch)
MST instance. You can enable this feature by using the spanning-tree guard root interface configuration command.
Caution Misuse of the root-guard feature can cause a loss of connectivity.
When the switch is operating in MST mode, BPDUs are not sent on nonboundary ports only if the interface is blocked by loop guard in all MST instances. On a boundary port, loop guard blocks the interface in all MST instances.
Feature Default Setting
Port Fast, BPDU filtering, BPDU guard Globally disabled (unless they are individually configured per interface).
UplinkFast Globally disabled. (On Catalyst 2975 switches, the UplinkFast feature is the CSUF feature.)
BackboneFast Globally disabled.
EtherChannel guard Globally enabled.
Root guard Disabled on all interfaces.
Note You can use the spanning-tree portfast default global configuration command to globally enable the Port Fast feature on all nontrunking ports. To disable the Port Fast feature, use the spanning-tree portfast disable interface configuration command.
To disable BPDU guard, use the no spanning-tree portfast bpduguard default global configuration command. You can override the setting of the no spanning-tree portfast bpduguard default global configuration command by using the spanning-tree bpduguard enable interface configuration command.
To disable BPDU filtering, use the no spanning-tree portfast bpdufilter default global configuration command. You can override the setting of the no spanning-tree portfast bpdufilter default global configuration command by using the spanning-tree bpdufilter enable interface configuration command.
To return the update packet rate to the default setting, use the no spanning-tree uplinkfast max-update-rate global configuration command. To disable UplinkFast, use the no spanning-tree uplinkfast command.
To disable the BackboneFast feature, use the no spanning-tree backbonefast global configuration command.

Enabling EtherChannel Guard

You can enable EtherChannel guard to detect an EtherChannel misconfiguration if your switch is running PVST+, rapid PVST+, or MSTP.
Step 5 show running-config Verify your entries.
Step 6 copy running-config startup-config (Optional) Save your entries in the configuration file.
To disable root guard, use the no spanning-tree guard interface configuration command.
Displays MST information for the specified interface.
show spanning-tree summary [totals] Displays a summary of interface states or displays the total lines of the spanning-tree state section.
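The following is an added example, not taken from this guide, that combines the Port Fast, BPDU guard, EtherChannel guard, root guard, and loop guard settings described above into one access-switch template and then verifies it. Interface numbers and their roles (user port, downlink, uplink) are assumptions.

```text
! Added example (not from the guide). Interface numbers and roles are assumptions.
Switch# configure terminal
! Port Fast and BPDU guard on every nontrunking port by default
Switch(config)# spanning-tree portfast default
Switch(config)# spanning-tree portfast bpduguard default
! EtherChannel guard is enabled by default; stating it keeps the intent visible
Switch(config)# spanning-tree etherchannel guard misconfig
! Loop guard everywhere by default (protects root and alternate ports)
Switch(config)# spanning-tree loopguard default
! A user port: Port Fast plus BPDU guard set explicitly, so a later change
! to the global defaults cannot silently remove them
Switch(config)# interface gigabitethernet1/0/5
Switch(config-if)# switchport mode access
Switch(config-if)# spanning-tree portfast
Switch(config-if)# spanning-tree bpduguard enable
Switch(config-if)# exit
! A downlink to a switch that must never become root
Switch(config)# interface gigabitethernet1/0/47
Switch(config-if)# spanning-tree guard root
Switch(config-if)# exit
! The uplink toward the root: loop guard only, never Port Fast, BPDU guard,
! BPDU filtering, or root guard
Switch(config)# interface gigabitethernet1/0/48
Switch(config-if)# spanning-tree guard loop
Switch(config-if)# end
Switch# show spanning-tree summary
Switch# show spanning-tree interface gigabitethernet1/0/5 detail
```

Prefer BPDU guard to BPDU filtering on user ports: BPDU guard error-disables a port when a BPDU arrives, which is the visible signal that something other than a host was plugged in, whereas BPDU filtering stops the port from participating in spanning tree at all and can leave a loop undetected. Root guard belongs only on ports that face switches which must remain downstream; applied to the real uplink it blocks the path to the root, which is the loss of connectivity the caution above warns about.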
You can clear spanning-tree counters by using the clear spanning-tree [interface interface-id] privileged EXEC command. For information about other keywords for the show spanning-tree privileged EXEC command, see the command reference for this release.
Configuring Flex Links and the MAC Address-Table Move Update Feature

This chapter describes how to configure Flex Links, a pair of interfaces on the Catalyst 2975 switch that provide a mutual backup. It also describes how to configure the MAC address-table move update feature, also referred to as the Flex Links bidirectional fast convergence feature.
If a primary (forwarding) link goes down, a trap notifies the network management stations. If the standby link goes down, a trap notifies the users. Flex Links are supported only on Layer 2 ports and port channels, not on VLANs.
When the changeover happens, the backup port is unblocked, allowing the traffic to flow. In this case, the upstream multicast data flows as soon as the backup port is unblocked.
Active Interface        Backup Interface        State
GigabitEthernet1/0/11   GigabitEthernet1/0/12   Active Up/Backup Standby
Preemption Mode : off
Multicast Fast Convergence : Off
Bandwidth : 100000 Kbit (Gi1/0/11), 100000 Kbit (Gi1/0/12)
Mac Address Move Update Vlan : auto
This output shows a querier for VLAN 1 and 401 with their queries reaching the switch through Gigabit Ethernet1/0/11:
Switch# show ip igmp snooping querier
Vlan   IP Address    IGMP Version   Port
-------------------------------------------------------------
1      1.1.1.1                      Gi1/0/11
401    41.41.41.1                   Gi1/0/11
When switch C gets a MAC address-table move update message from switch A, switch C learns the MAC address of the PC on port 4. Switch C updates the MAC address table, including the forwarding table entry for the PC.
• You can enable and configure this feature on the access switch to send the MAC address-table move updates.
• You can enable and configure this feature on the uplink switches to receive the MAC address-table move updates.
Switch# show interfaces switchport backup
Switch Backup Interface Pairs:
Active Interface        Backup Interface        State
------------------------------------------------------------------------
GigabitEthernet1/0/1    GigabitEthernet1/0/3    Active Standby/Backup Up
Vlans Preferred on Active Interface: 1-3,5-4094
Vlans Preferred on Backup Interface: 4
VLAN ID on the interface, which is used for sending the MAC address-table move update. When one link is forwarding traffic, the other interface is in standby mode.
Enter global configuration mode.
Step 2 mac address-table move update receive Enable the switch to get and process the MAC address-table move updates.
Step 3 end Return to privileged EXEC mode.
When VLAN load balancing is enabled, the output displays the preferred VLANS on Active and Backup interfaces.
show mac address-table move update Displays the MAC address-table move update information on the switch.
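The following is an added example, not taken from this guide, showing both halves of the feature described above: an access switch with a Flex Links pair, VLAN load balancing, preemption, and transmission of MAC address-table move updates, and the matching receive setting on the uplink switches. Interface numbers, VLAN numbers, and the preemption delay are assumptions.

```text
! Added example (not from the guide). Interface and VLAN numbers are assumptions.
! --- Access switch (sends the MAC address-table move update) ---
Switch# configure terminal
Switch(config)# interface gigabitethernet1/0/1
Switch(config-if)# switchport backup interface gigabitethernet1/0/3
! Carry VLAN 4 on the backup link; every other VLAN uses the active link
Switch(config-if)# switchport backup interface gigabitethernet1/0/3 prefer vlan 4
! Return to the higher-bandwidth link 30 s after it recovers
Switch(config-if)# switchport backup interface gigabitethernet1/0/3 preemption mode bandwidth
Switch(config-if)# switchport backup interface gigabitethernet1/0/3 preemption delay 30
! VLAN in which the MAC address-table move update is sent after a changeover
Switch(config-if)# switchport backup interface gigabitethernet1/0/3 mmu primary vlan 2
Switch(config-if)# exit
Switch(config)# mac address-table move update transmit
Switch(config)# end
Switch# show interfaces switchport backup detail
Switch# show mac address-table move update
!
! --- Each uplink switch (switch B and switch C in the text) ---
Switch# configure terminal
Switch(config)# mac address-table move update receive
Switch(config)# end
Switch# show mac address-table move update
```

Without the receive setting on the uplink switches, the access switch still fails over, but the uplink switches keep forwarding the PC's traffic toward the old port until the stale MAC address-table entry ages out, which is the slow convergence this feature exists to remove.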
This chapter describes how to configure DHCP snooping and option-82 data insertion, and the DHCP server port-based address allocation features on the Catalyst 2975 switch. It also describes how to configure the IP source guard feature. Unless otherwise noted, the term switch refers to a standalone switch and to a switch stack.
For information about the DHCP client, see the “Configuring DHCP” section of the “IP Addressing and Services” section of the Cisco IOS IP Configuration Guide, Release 12.2 from the Cisco.com page under Documentation > Cisco IOS Software > 12.2 Mainline > Configuration Guides.
The port on the edge switch that connects to the aggregation switch must be configured as a trusted interface.
• If the IP address of the relay agent is configured, the switch adds this IP address in the DHCP packet.
• The switch forwards the DHCP request that includes the option-82 field to the DHCP server.
The switch uses the packet formats when you globally enable DHCP snooping and enter the ip dhcp snooping information option global configuration command.
– The length values are variable, depending on the length of the string that you configure.
• Remote-ID suboption fields
– The remote-ID type is 1.
– The length values are variable, depending on the length of the string that you configure.
If the file is not updated in a specified time (set by the write-delay and abort-timeout values), the update stops.
The new master of the partitioned stack begins processing the new incoming DHCP packets. For more information about switch stacks, see Chapter 6, “Managing Switch Stacks.”
DHCP snooping MAC address verification Enabled
DHCP snooping binding database agent Enabled in Cisco IOS software, requires configuration. This feature is operational only when a destination is configured.
1. The switch responds to DHCP requests only if it is configured as a DHCP server.
EXEC command.
Note Do not enable Dynamic Host Configuration Protocol (DHCP) snooping on RSPAN VLANs. If DHCP snooping is enabled on RSPAN VLANs, DHCP packets might not reach the RSPAN destination port.
To disable the DHCP server and relay agent, use the no service dhcp global configuration command. See the “Configuring DHCP” section of the “IP Addressing and Services” section of the Cisco IOS IP Configuration Guide, Release 12.2 from the Cisco.com page under Documentation > Cisco IOS Software >...
100 packets per second on a port:
Switch(config)# ip dhcp snooping
Switch(config)# ip dhcp snooping vlan 10
Switch(config)# ip dhcp snooping information option
Switch(config)# interface gigabitethernet2/0/1
Switch(config-if)# ip dhcp snooping limit rate 100
To clear the statistics of the DHCP snooping binding database agent, use the clear ip dhcp snooping database statistics privileged EXEC command. To renew the database, use the renew ip dhcp snooping database privileged EXEC command.
Displays the DHCP snooping statistics in summary or detail form.
Note If DHCP snooping is enabled and an interface changes to the down state, the switch does not delete the statically configured bindings.
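The following is an added example, not taken from this guide, that extends the short example above into a complete edge-switch DHCP snooping configuration: a trusted uplink, option-82 insertion, rate limiting on the user ports, a binding database agent with a destination so that bindings survive a reload, and the verification commands. The TFTP URL, VLAN numbers, interface numbers, and timer values are assumptions.

```text
! Added example (not from the guide). URL, VLANs, interfaces and timers are assumptions.
Switch# configure terminal
Switch(config)# ip dhcp snooping
Switch(config)# ip dhcp snooping vlan 10,20
Switch(config)# ip dhcp snooping information option
! Binding database agent: it only runs once a destination is configured.
! write-delay batches changes; timeout aborts a transfer that hangs.
Switch(config)# ip dhcp snooping database tftp://10.1.1.250/snoop/edge1.db
Switch(config)# ip dhcp snooping database write-delay 60
Switch(config)# ip dhcp snooping database timeout 120
! Uplink toward the aggregation switch and the DHCP server: trusted, so
! server replies (and option-82 packets from other snooping switches) are accepted
Switch(config)# interface gigabitethernet1/0/48
Switch(config-if)# ip dhcp snooping trust
Switch(config-if)# exit
! User ports stay untrusted (the default); rate limit them so one client
! cannot flood the CPU with DISCOVERs. A port that exceeds the limit is error-disabled.
Switch(config)# interface range gigabitethernet1/0/1 - 46
Switch(config-if-range)# ip dhcp snooping limit rate 15
Switch(config-if-range)# end
Switch# show ip dhcp snooping
Switch# show ip dhcp snooping binding
Switch# show ip dhcp snooping database
Switch# show ip dhcp snooping statistics detail
```

The trust setting is the part to get right: a server-facing or uplink port left untrusted drops every DHCP OFFER and ACK, while a user port mistakenly trusted lets a rogue server answer clients unchecked. The binding database matters beyond DHCP itself, because IP source guard and dynamic ARP inspection both filter on those bindings; if the table is empty after a reload, hosts that do not renew their leases are cut off until they do.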
IP or non-IP packet matches a valid IP source binding, the switch forwards the packet. The switch drops all other types of packets except DHCP packets. The switch uses port security to filter source MAC addresses. The interface can shut down when a port-security violation occurs.
DHCP snooping. Multiple bindings are established on a port that is connected to both DHCP and static hosts. For example, bindings are stored in both the device tracking database as well as in the DHCP snooping binding database.
If you again provision the switch by entering the switch stack-member-number provision command, the binding is restored. To remove the binding from the running configuration, you must disable IP source guard before entering the no switch
This example shows how to enable IP source guard with source IP and MAC filtering on VLANs 10 and 11:
Switch# configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Switch(config)# interface gigabitethernet1/0/1
Switch(config-if)# ip verify source port-security
IP device tracking table allows on the port. The range is 1 to 10. The maximum number is 10.
Note You must configure the ip device tracking maximum limit-number interface configuration command.
IP-MAC bindings on the interface Gi0/3, and to verify that the number of bindings on this interface has reached the maximum:
Switch# configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Switch(config)# ip device tracking
Switch(config)# interface gigabitethernet 0/3
Switch(config-if)# switchport mode access
IP Device Tracking Probe Interval = 30
---------------------------------------------------------------------
IP Address   MAC Address      Vlan  Interface             STATE
---------------------------------------------------------------------
200.1.1.1    0001.0600.0000         GigabitEthernet0/1    ACTIVE
200.1.1.2    0001.0600.0000         GigabitEthernet0/1    ACTIVE
200.1.1.3    0001.0600.0000         GigabitEthernet0/1    ACTIVE
200.1.1.4    0001.0600.0000         GigabitEthernet0/1    ACTIVE
200.1.1.5    0001.0600.0000         GigabitEthernet0/1    ACTIVE
Display the active IP or MAC binding entries for all interfaces.
show ip source binding Display the IP source bindings on a switch.
show ip verify source Display the IP source guard configuration on the switch.
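The following is an added example, not taken from this guide, that completes the IP source guard configuration begun in the partial example above: IP and MAC filtering on a DHCP client port (which needs port security), a static binding for a host with a fixed address on a second port, and the verification commands. Addresses, VLAN numbers, MAC addresses, and interface numbers are assumptions.

```text
! Added example (not from the guide). Addresses, VLANs and interfaces are assumptions.
Switch# configure terminal
! DHCP client port: filter on both source IP and source MAC
Switch(config)# interface gigabitethernet1/0/1
Switch(config-if)# switchport mode access
Switch(config-if)# switchport access vlan 10
! Port security must be enabled for the MAC part of the filter to take effect
Switch(config-if)# switchport port-security
Switch(config-if)# switchport port-security maximum 2
Switch(config-if)# ip verify source port-security
Switch(config-if)# exit
! A printer with a fixed address never obtains a DHCP binding, so add one statically
Switch(config)# ip source binding 0011.2233.4455 vlan 10 10.10.10.50 interface gigabitethernet1/0/2
Switch(config)# interface gigabitethernet1/0/2
Switch(config-if)# switchport mode access
Switch(config-if)# switchport access vlan 10
Switch(config-if)# ip verify source
Switch(config-if)# end
Switch# show ip verify source
Switch# show ip source binding
Switch# show ip dhcp snooping binding
```

Until a host on Gi1/0/1 completes a DHCP exchange, only its DHCP packets are forwarded; everything else it sends is dropped because no binding matches. Check show ip verify source after enabling the feature: a port that shows a filter type but no bindings is one whose hosts have not yet been learned, not one that is misconfigured.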
In all cases, by connecting the Ethernet cable to the same port, the same IP address is allocated through DHCP to the attached device. The DHCP server port-based address allocation feature is only supported on a Cisco IOS DHCP server and not a third-party server.
By entering this command, users can configure a group of switches with DHCP pools that share a common IP subnet and that ignore requests from clients of other switches.
10.1.1.1 10.1.1.3
ip dhcp pool dhcppool
10.1.1.7 Et1/0
For more information about configuring the DHCP server port-based address allocation feature, go to Cisco.com, and enter Cisco IOS IP Addressing Services in the Search field to access the Cisco IOS software documentation. You can also access the documentation: http://www.cisco.com/en/US/docs/ios/ipaddr/command/reference/iad_book.html
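The following is an added example, not taken from this guide, that assembles the port-based address allocation fragments above into a complete Cisco IOS DHCP server configuration: the interface name is used as the subscriber ID, each physical port is tied to one reserved address, and the pool answers only reserved requests. The pool name, addresses, and port names follow the fragments on this page; the second reservation and the excluded range are assumptions.

```text
! Added example (not from the guide). Second reservation and excluded range are assumptions.
Switch# configure terminal
! Use the subscriber ID (here the interface name) as the client identifier
Switch(config)# ip dhcp use subscriber-id client-id
Switch(config)# ip dhcp subscriber-id interface-name
Switch(config)# ip dhcp excluded-address 10.1.1.1 10.1.1.3
Switch(config)# ip dhcp pool dhcppool
Switch(dhcp-config)# network 10.1.1.0 255.255.255.0
! One fixed address per physical port
Switch(dhcp-config)# address 10.1.1.7 client-id "Et1/0" ascii
Switch(dhcp-config)# address 10.1.1.8 client-id "Et1/1" ascii
! Hand out reserved addresses only; requests from clients of other switches
! that share this subnet are ignored
Switch(dhcp-config)# reserved-only
Switch(dhcp-config)# exit
! Mark the ports whose name should be inserted as the client ID
Switch(config)# interface ethernet1/0
Switch(config-if)# ip dhcp server use subscriber-id client-id
Switch(config-if)# exit
Switch(config)# interface ethernet1/1
Switch(config-if)# ip dhcp server use subscriber-id client-id
Switch(config-if)# end
Switch# show ip dhcp pool dhcppool
Switch# show ip dhcp binding
```

The reservation is keyed to the port, not to the device, which is the point of the feature: whatever is plugged into Et1/0 receives 10.1.1.7. That also means the address does not identify a device, so any access control tied to 10.1.1.7 is really access control on the physical port.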
This chapter describes how to configure dynamic Address Resolution Protocol inspection (dynamic ARP inspection) on the Catalyst 2975 switch. This feature helps prevent malicious attacks on the switch by not relaying invalid ARP requests and responses to other ports in the same VLAN. Unless otherwise noted, the term switch refers to a standalone switch and to a switch stack.
“Configuring ARP ACLs for Non-DHCP Environments” section on page 21-9. The switch logs dropped packets. For more information about the log buffer, see the “Logging of Dropped Packets” section on page 21-5.
If Switch A is not running dynamic ARP inspection, Host 1 can easily poison the ARP cache of Switch B (and Host 2, if the link between the switches is configured as trusted). This condition can occur even though Switch B is running dynamic ARP inspection.
The switch first compares ARP packets to user-configured ARP ACLs. If the ARP ACL denies the ARP packet, the switch also denies the packet even if a valid binding exists in the database populated by DHCP snooping.
15 new hosts per second. The rate is unlimited on all trusted interfaces. The burst interval is 1 second.
ARP ACLs for non-DHCP environments No ARP ACLs are defined.
Validation checks No checks are performed.
30 pps on an EtherChannel that has one port on switch 1 and one port on switch 2, each port can receive packets at 29 pps without causing the EtherChannel to become error-disabled.
Chapter 20, “Configuring DHCP Features and IP Source Guard Features.” For information on how to configure dynamic ARP inspection when only one switch supports the feature, see the “Configuring ARP ACLs for Non-DHCP Environments” section on page 21-9.
This example shows how to configure dynamic ARP inspection on Switch A in VLAN 1. You would perform a similar procedure on Switch B:
Switch(config)# ip arp inspection vlan 1
Switch(config)# interface gigabitethernet1/0/1
Switch(config-if)# ip arp inspection trust
For more information, see the “Configuring the Log Buffer” section on page 21-13.
Step 4 exit Return to global configuration mode.
To remove the ARP ACL, use the no arp access-list global configuration command. To remove the ARP ACL attached to a VLAN, use the no ip arp inspection filter arp-acl-name vlan vlan-range global configuration command.
ARP packets. The range is 1 to 15.
• For rate none, specify no upper limit for the rate of incoming ARP packets that can be processed.
Step 4 exit Return to global configuration mode.
Dynamic ARP inspection intercepts, logs, and discards ARP packets with invalid IP-to-MAC address bindings. You can configure the switch to perform additional checks on the destination MAC address, the sender and target IP addresses, and the source MAC address.
A log-buffer entry can represent more than one packet. For example, if an interface receives many packets on the same VLAN with the same ARP parameters, the switch combines the packets as one entry in the log buffer and generates a single system message for the entry.
The logs and interval settings interact. If the logs number X is greater than interval seconds Y, X divided by Y (X/Y) system messages are sent every second. Otherwise, one system message is sent every Y divided by X (Y/X) seconds.
Displays the configuration and the operating state of dynamic ARP inspection for the specified VLAN. If no VLANs are specified or if a range is specified, displays information only for VLANs with dynamic ARP inspection enabled (active).
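The following is an added example, not taken from this guide, that brings together the dynamic ARP inspection pieces described above for one VLAN that mixes DHCP clients with a statically addressed host: an ARP ACL (checked before the DHCP snooping bindings), the additional validation checks, the per-port rate limit, the log-buffer settings, and the show commands. Addresses, MAC addresses, VLAN numbers, and interface numbers are assumptions.

```text
! Added example (not from the guide). Addresses, VLANs and interfaces are assumptions.
Switch# configure terminal
! ARP ACL for the static host. ACLs are checked first: a deny here wins even
! if DHCP snooping holds a valid binding for the same host.
Switch(config)# arp access-list STATIC-HOSTS
Switch(config-arp-nacl)# permit ip host 10.10.10.50 mac host 0011.2233.4455
Switch(config-arp-nacl)# exit
! Without the "static" keyword, packets the ACL does not match fall through
! to the DHCP snooping binding database instead of being denied
Switch(config)# ip arp inspection filter STATIC-HOSTS vlan 10
Switch(config)# ip arp inspection vlan 10
! Consistency checks between the Ethernet header and the ARP body, and
! rejection of bogus sender/target IP addresses (0.0.0.0, broadcast, multicast)
Switch(config)# ip arp inspection validate src-mac dst-mac ip
! Log buffer: 64 entries, at most 10 system messages every 5 seconds
Switch(config)# ip arp inspection log-buffer entries 64
Switch(config)# ip arp inspection log-buffer logs 10 interval 5
! Uplink to the other switch running dynamic ARP inspection: trusted
Switch(config)# interface gigabitethernet1/0/48
Switch(config-if)# ip arp inspection trust
Switch(config-if)# exit
! Access ports stay untrusted; 15 pps with a 1-second burst interval is the
! default, stated here so the intent survives an audit
Switch(config)# interface range gigabitethernet1/0/1 - 46
Switch(config-if-range)# ip arp inspection limit rate 15 burst interval 1
Switch(config-if-range)# end
Switch# show ip arp inspection vlan 10
Switch# show ip arp inspection interfaces
Switch# show ip arp inspection statistics vlan 10
Switch# show ip arp inspection log
```

With logs 10 and interval 5, the text's rule gives one message every 5/10 = 0.5 seconds; if the values were reversed (logs 50, interval 5), 50/5 = 10 messages per second would be sent. Keep the message rate low enough that a host flooding forged ARP replies cannot turn the switch's own logging into a second denial of service, and read the dropped-packet counters in show ip arp inspection statistics rather than relying on the log alone.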
Clears the dynamic ARP inspection log buffer.
show ip arp inspection log Displays the configuration and contents of the dynamic ARP inspection log buffer.
For more information about these commands, see the command reference for this release.
Note For complete syntax and usage information for the commands used in this chapter, see the switch command reference for this release and the “IP Multicast Routing Commands” section in the Cisco IOS IP Command Reference, Volume 3 of 3: Multicast, Release 12.2 from the Cisco.com page under Documentation >...
IGMPv3 report from a host, the switch can forward the IGMPv3 report to the multicast router.
Note The switch supports IGMPv3 snooping based only on the destination multicast MAC address. It does not support snooping based on the source MAC address or on proxy reports.
“Configuring the IGMP Leave Timer” section on page 22-11.

IGMP Report Suppression

Note IGMP report suppression is supported only when the multicast query has IGMPv1 and IGMPv2 reports. This feature is not supported when the query includes IGMPv3 reports.
Step 3 end Return to privileged EXEC mode.
Step 4 copy running-config startup-config (Optional) Save your entries in the configuration file.
To globally disable IGMP snooping on all VLAN interfaces, use the no ip igmp snooping global configuration command.
• Snooping on IGMP queries, Protocol Independent Multicast (PIM) packets, and Distance Vector Multicast Routing Protocol (DVMRP) packets
• Listening to Cisco Group Management Protocol (CGMP) packets from other routers
• Statically connecting to a multicast router port with the ip igmp snooping mrouter global configuration command
You can configure the switch either to snoop on IGMP queries and PIM/DVMRP packets or to listen to CGMP self-join or proxy-join packets.
(Optional) Save your entries in the configuration file. To remove a multicast router port from the VLAN, use the no ip igmp snooping vlan vlan-id mrouter interface interface-id global configuration command.
IGMP Version 2 leave message on that port. You should only use the Immediate-Leave feature when there is a single receiver present on every port in the VLAN.
Note Immediate Leave is supported only on IGMP Version 2 hosts.
0.0.0.0. However, when you enable the ip igmp snooping tcn query solicit global configuration command, the switch sends the global leave message whether or not it is the spanning-tree root. When the router receives this special leave, it immediately
Verify the TCN settings.
Step 6 copy running-config startup-config (Optional) Save your entries in the configuration file.
To re-enable multicast flooding on an interface, use the ip igmp snooping tcn flood interface configuration command.
(Optional) Verify that the IGMP snooping querier is enabled on the VLAN interface. The VLAN ID range is 1 to 1001 and 1006 to 4094.
Step 10 copy running-config startup-config (Optional) Save your entries in the configuration file.
You can display IGMP snooping information for dynamically learned and statically configured router ports and VLAN interfaces. You can also display MAC address multicast entries for a VLAN configured for IGMP snooping.
IGMP query message in the VLAN and the configuration and operational state of the IGMP snooping querier in the VLAN. For more information about the keywords and options in these commands, see the command reference for this release.
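The following is an added example, not taken from this guide, that combines the IGMP snooping procedures described above: a statically configured multicast router port, Immediate Leave on a VLAN where every port has a single receiver, the IGMP snooping querier for a Layer 2 network with no multicast router, and the TCN flood settings, followed by the show commands. VLAN numbers, the querier address, and interface numbers are assumptions.

```text
! Added example (not from the guide). VLANs, address and interfaces are assumptions.
Switch# configure terminal
Switch(config)# ip igmp snooping
! Static multicast router port for VLAN 1 (no reliance on learning it from queries)
Switch(config)# ip igmp snooping vlan 1 mrouter interface gigabitethernet1/0/24
! Every port in VLAN 1 has exactly one receiver, so Immediate Leave is safe here
Switch(config)# ip igmp snooping vlan 1 immediate-leave
! No multicast router sends queries on this switch's VLANs: let the switch
! act as IGMP querier so group memberships keep being refreshed
Switch(config)# ip igmp snooping querier
Switch(config)# ip igmp snooping querier address 10.20.0.1
! After a topology change, flood multicast for 5 general queries instead of the default
Switch(config)# ip igmp snooping tcn flood query count 5
! This port must never receive TCN-triggered floods
Switch(config)# interface gigabitethernet1/0/24
Switch(config-if)# no ip igmp snooping tcn flood
Switch(config-if)# end
Switch# show ip igmp snooping vlan 1
Switch# show ip igmp snooping mrouter
Switch# show ip igmp snooping querier
Switch# show ip igmp snooping groups vlan 1
```

Immediate Leave removes the port from the group as soon as one leave message arrives, so on a port with two receivers the second one loses its stream; keep it for single-receiver ports only, as the note above says. The static mrouter entry and the querier both have the same purpose: without a query source, snooping entries time out and the switch falls back to flooding multicast to every port in the VLAN.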
PC. When a subscriber selects a channel, the set-top box or PC sends an IGMP report to Switch A to join the appropriate multicast. If the IGMP report matches one of the
With Immediate Leave, an IGMP query is not sent from the receiver port on which the
Multicast addresses None configured
Query response time 0.5 second
Multicast VLAN VLAN 1
Mode Compatible
Interface (per port) default Neither a receiver nor a source port
Immediate Leave Disabled on all ports
(Optional) Specify the VLAN in which multicast data is received; all source ports must belong to this VLAN. The VLAN range is 1 to 1001 and 1006 to 4094. The default is VLAN 1.
IGMP leave and join messages. Receiver ports cannot belong to the multicast VLAN. The default configuration is as a non-MVR port. If you attempt to configure a non-MVR port with MVR characteristics, the operation fails.
Page 574
Switch(config-if)# mvr type receiver
Switch(config-if)# mvr vlan 22 group 228.1.23.4
Switch(config-if)# mvr immediate
Switch(config-if)# end
Switch# show mvr interface
Port     Type      Status        Immediate Leave
----     ----      -------       ---------------
Gi1/0/2  RECEIVER  ACTIVE/DOWN   ENABLED
VLAN ID range is 1 to 1001 and 1006 to 4094.
show mvr members [ip-address]: Displays all receiver and source ports that are members of any IP multicast group or the specified IP multicast group IP address.
The default is for the switch to have no IGMP profiles configured. When a profile is configured, if neither the permit nor deny keyword is included, the default is to deny access to the range of IP addresses.
You cannot apply profiles to ports that belong to an EtherChannel port group. You can apply a profile to multiple interfaces, but each interface can have only one profile applied to it.
The range is 0 to 4294967294. The default is to have no maximum set. Step 4 Return to privileged EXEC mode. Step 5 show running-config interface interface-id: Verify the configuration. Step 6 copy running-config startup-config (Optional) Save your entries in the configuration file.
• replace—Replace the existing group with the new group for which the IGMP report was received.
Displays the configuration of the specified interface (interface-id) or the configuration of all interfaces on the switch, including (if configured) the maximum number of IGMP groups to which an interface can belong and the IGMP profile applied to the interface.
Configuring Port-Based Traffic Control
This chapter describes how to configure the port-based traffic control features on the Catalyst 2975 switch. Unless otherwise noted, the term switch refers to a standalone switch and a switch stack.
Note: When the storm control threshold for multicast traffic is reached, all multicast traffic except control traffic, such as bridge protocol data unit (BPDU) and Cisco Discovery Protocol (CDP) frames, is blocked.
The graph in Figure 23-1 shows broadcast traffic patterns on an interface over a given period of time.
Note: Storm control is supported on physical interfaces. You can also configure storm control on an EtherChannel. When storm control is configured on an EtherChannel, the storm control settings propagate to the EtherChannel physical interfaces.
• Select the shutdown keyword to error-disable the port during a storm.
• Select the trap keyword to generate an SNMP trap when a storm is detected.
Step 5 Return to privileged EXEC mode.
Incoming VLAN-tagged packets smaller than 67 bytes are considered small frames. They are forwarded by the switch, but they do not cause the switch storm-control counters to increment. In Cisco IOS Release 12.2(44)SE and later, you can configure a port to be error disabled if small frames arrive at a specified rate (threshold).
• All data traffic passing between protected ports must be forwarded through a Layer 3 device.
• Forwarding behavior between a protected port and a nonprotected port proceeds as usual.
To disable a protected port, use the no switchport protected interface configuration command. This example shows how to configure a port as a protected port:
Switch# configure terminal
Switch(config)# interface gigabitethernet1/0/1
Switch(config-if)# switchport protected
Switch(config-if)# end
Block unknown unicast forwarding out of the port. Step 5 Return to privileged EXEC mode. Step 6 show interfaces interface-id switchport Verify your entries. Step 7 copy running-config startup-config (Optional) Save your entries in the configuration file.
Note: If you try to set the maximum value to a number less than the number of secure addresses already configured on an interface, the command is rejected.
Note: We do not recommend configuring the protect violation mode on a trunk port. The protect mode disables learning when any VLAN reaches its maximum limit, even if the port has not reached its maximum limit.
Violation mode: Shutdown. The port shuts down when the maximum number of secure MAC addresses is exceeded.
Port security aging: Disabled. Aging time is 0. Static aging is disabled. Type is absolute.
IP phone requires one MAC address. The Cisco IP phone address is learned on the voice VLAN, but is not learned on the access VLAN. If you connect a single PC to the Cisco IP phone, no additional MAC addresses are required. If you connect more than one PC to the Cisco IP phone, you must configure enough secure addresses to allow one for each PC and one for the phone.
Note: The voice keyword is available only if a voice VLAN is configured on a port and if that port is not the access VLAN. If an interface is configured for voice VLAN, configure a maximum of two secure MAC addresses.
You can manually re-enable it by entering the shutdown and no shutdown interface configuration commands or by using the clear errdisable interface vlan privileged EXEC command.
VLAN. Step 11 Return to privileged EXEC mode. Step 12 show port-security Verify your entries. Step 13 copy running-config startup-config (Optional) Save your entries in the configuration file.
MAC addresses for each interface, the number of secure MAC addresses on the interface, the number of security violations that have occurred, and the violation mode.
show port-security [interface interface-id] address: Displays all secure MAC addresses configured on all switch interfaces or on a specified interface with aging information for each address.
show port-security interface interface-id vlan: Displays the number of secure MAC addresses configured per VLAN on the specified interface.
Understanding CDP
CDP is a device discovery protocol that runs over Layer 2 (the data link layer) on all Cisco-manufactured devices (routers, bridges, access servers, and switches) and allows network management applications to discover Cisco devices that are neighbors of already known devices. With CDP, network management applications can learn the device type and the Simple Network Management Protocol (SNMP) agent address of neighboring devices running lower-layer, transparent protocols.
For a switch and connected endpoint devices running Cisco Medianet:
• CDP identifies connected endpoints that communicate directly with the switch.
• To prevent duplicate reports of neighboring devices, only one wired switch reports the location...
Disabling and Enabling CDP
CDP is enabled by default. Switch clusters and other Cisco devices (such as Cisco IP Phones) regularly exchange CDP messages.
Note: Disabling CDP can interrupt cluster discovery and device connectivity. For more information, see Chapter 5, “Clustering Switches”...
Step 3 no cdp enable Disable CDP on the interface. Step 4 Return to privileged EXEC mode. Step 5 copy running-config startup-config (Optional) Save your entries in the configuration file.
You can limit the display to neighbors of a specific interface or expand the display to provide more detailed information.
show cdp traffic: Display CDP counters, including the number of packets sent and received and checksum errors.
Understanding LLDP, LLDP-MED, and Wired Location Service
LLDP
The Cisco Discovery Protocol (CDP) is a device discovery protocol that runs over Layer 2 (the data link layer) on all Cisco-manufactured devices (routers, bridges, access servers, and switches). CDP allows network management applications to automatically discover and learn about other Cisco devices connected to the network.
A switch stack appears as a single switch in the network. Therefore, LLDP discovers the switch stack, not the individual stack members. When you configure LLDP or CDP location information on a per-port basis, remote devices can send Cisco Medianet location information to the switch. For information, go to http://www.cisco.com/en/US/docs/ios/netmgmt/configuration/guide/nm_cdp_discover.html.
LLDP-MED
LLDP for Media Endpoint Devices (LLDP-MED) is an extension to LLDP that operates between endpoint devices such as IP phones and network devices such as switches.
Starting with Cisco IOS Release 12.2(52)SE, when LLDP is enabled and power is applied to a port, the power TLV determines the actual power requirement of the endpoint device so that the system power budget can be adjusted accordingly.
If you change a location address on the switch, the switch sends an NMSP location notification message that identifies the affected ports and the changed address information.
• You cannot configure static secure MAC addresses on an interface that has a network-policy profile.
• You cannot configure a network-policy profile on a private-VLAN port.
• For wired location to function, you must first enter the ip device tracking global configuration command.
Switch# configure terminal
Switch(config)# lldp run
Switch(config)# end
This example shows how to enable LLDP on an interface.
Switch# configure terminal
Switch(config)# interface gigabitethernet1/0/1
Switch(config-if)# lldp transmit
Switch(config-if)# lldp receive
Switch(config-if)# end
Use the no form of each of the LLDP commands to return to the default setting. This example shows how to configure LLDP characteristics.
Switch# configure terminal
Switch(config)# lldp holdtime 120
Switch(config)# lldp reinit 2
Switch(config)# lldp timer 30
Switch(config)# end
(Optional) Save your entries in the configuration file. This example shows how to enable a TLV on an interface:
Switch# configure terminal
Switch(config)# interface gigabitethernet1/0/1
Switch(config-if)# lldp med-tlv-select inventory-management
Switch(config-if)# end
Verify the configuration. Step 10 copy running-config startup-config (Optional) Save your entries in the configuration file. Use the no form of each command to return to the default setting.
ID for the civic location or the ELIN location. The ID range is 1 to 4095.
• word—Specify a word or phrase with additional location information.
Step 6 Return to privileged EXEC mode.
(Optional) Save your entries in the configuration file. This example shows how to enable NMSP on a switch and to set the location notification time to 10 seconds:
Switch(config)# nmsp enable
Switch(config)# nmsp notification interval location 10
TLVs.
show location: Display the location information for an endpoint.
show network-policy profile: Display the configured network-policy profiles.
show nmsp: Display the NMSP information.
Configuring UDLD
This chapter describes how to configure the UniDirectional Link Detection (UDLD) protocol on the Catalyst 2975 switch. Unless otherwise noted, the term switch refers to a standalone switch and to a switch stack.
Note: For complete syntax and usage information for the commands used in this chapter, see the command reference for this release.
UDLD sends at least one message to inform the neighbors to flush the part of their caches affected by the status change. The message is intended to keep the caches synchronized.
• When configuring the mode (normal or aggressive), make sure that the same mode is configured on both sides of the link.
Caution: Loop guard works only on point-to-point links. We recommend that each end of the link has a directly connected device that is running STP.
To disable UDLD globally, use the no udld enable global configuration command to disable normal mode UDLD on all fiber-optic ports. Use the no udld aggressive global configuration command to disable aggressive mode UDLD on all fiber-optic ports.
• The errdisable recovery cause udld global configuration command enables the timer to automatically recover from the UDLD error-disabled state, and the errdisable recovery interval interval global configuration command specifies the time to recover from the UDLD error-disabled state.
To display the UDLD status for the specified port or for all ports, use the show udld [interface-id] privileged EXEC command. For detailed information about the fields in the command output, see the command reference for this release.
Configuring SPAN and RSPAN
This chapter describes how to configure Switched Port Analyzer (SPAN) and Remote SPAN (RSPAN) on the Catalyst 2975 switch. Unless otherwise noted, the term switch refers to a standalone switch and a switch stack.
Note: For complete syntax and usage information for the commands used in this chapter, see the command reference for this release.
Figure 27-1 Example of Local SPAN Configuration on a Single Switch (traffic on port 5 is mirrored to port 10, where a network analyzer is attached)
RSPAN VLAN to a destination session monitoring the RSPAN VLAN. Each RSPAN source switch must have either ports or VLANs as RSPAN sources. The destination is always a physical port, as shown on Switch C in the figure.
RSPAN VLAN. To configure an RSPAN destination session on another device, you associate the destination port with the RSPAN VLAN. The destination session collects all RSPAN VLAN traffic and sends it out the RSPAN destination port.
SPAN; the destination port receives a copy of the packet even if the actual incoming packet is dropped. These features include IP standard and extended input access control lists (ACLs), ingress QoS policing, and egress QoS policing.
The default configuration for local SPAN session ports is to send all packets untagged. SPAN also does not normally monitor bridge protocol data unit (BPDU) packets and Layer 2 protocols, such as Cisco Discovery Protocol (CDP), VLAN Trunk Protocol (VTP), Dynamic Trunking Protocol (DTP), Spanning Tree Protocol (STP), and Port Aggregation Protocol (PAgP).
• SPAN traffic coming from other port types is not affected by VLAN filtering; that is, all VLANs are allowed on other ports.
• VLAN filtering affects only traffic forwarded to the destination SPAN port and does not affect the switching of normal traffic.
IEEE 802.1Q-tagged packets.
• For RSPAN, the original VLAN ID is lost because it is overwritten by the RSPAN VLAN identification. Therefore, all packets appear on the destination port as untagged.
SPAN destination, it is removed from the group. After the port is removed from the SPAN session, it rejoins the EtherChannel group. Ports removed from an EtherChannel group remain members of the group, but they are in the inactive or suspended state.
• You can configure a disabled port to be a source or destination port, but the SPAN function does not start until the destination port and at least one source port or source VLAN are enabled.
This is the default.
• rx—Monitor received traffic.
• tx—Monitor sent traffic.
Note: You can use the monitor session session_number source command multiple times to configure multiple source ports.
Switch(config)# no monitor session 1 source interface gigabitethernet1/0/1
Switch(config)# end
This example shows how to disable received traffic monitoring on port 1, which was configured for bidirectional monitoring:
Switch(config)# no monitor session 1 source interface gigabitethernet1/0/1 rx
VLANs and the destination ports, and to enable incoming traffic on the destination port for a network security device (such as a Cisco IDS Sensor Appliance). For details about the keywords not related to incoming traffic, see the “Creating a Local SPAN Session”...
IEEE 802.1Q encapsulation and VLAN 6 as the default ingress VLAN.
Switch(config)# no monitor session 2
Switch(config)# monitor session 2 source interface gigabitethernet1/0/1 rx
Switch(config)# monitor session 2 destination interface gigabitethernet1/0/2 encapsulation replicate ingress dot1q vlan 6
Switch(config)# end
Step 8 copy running-config startup-config (Optional) Save the configuration in the configuration file. To monitor all VLANs on the trunk port, use the no monitor session session_number filter global configuration command.
• You can configure any VLAN as an RSPAN VLAN as long as these conditions are met:
– The same RSPAN VLAN is used for an RSPAN session in all the switches.
– All participating switches support RSPAN.
To remove the remote SPAN characteristic from a VLAN and convert it back to a normal VLAN, use the no remote-span VLAN configuration command. This example shows how to create RSPAN VLAN 901.
Switch(config)# vlan 901
Switch(config-vlan)# remote span
Switch(config-vlan)# end
show running-config: Verify the configuration. Step 7 copy running-config startup-config (Optional) Save the configuration in the configuration file. To delete a SPAN session, use the no monitor session session_number global configuration command.
remote vlan vlan-id: Specify the RSPAN session and the source RSPAN VLAN. For session_number, the range is 1 to 66. For vlan-id, specify the source RSPAN VLAN to monitor.
RSPAN VLAN and the destination port, and to enable incoming traffic on the destination port for a network security device (such as a Cisco IDS Sensor Appliance). For details about the keywords not related to incoming traffic, see the “Creating an RSPAN Destination...
To display the current SPAN or RSPAN configuration, use the show monitor user EXEC command. You can also use the show running-config privileged EXEC command to display configured SPAN or RSPAN sessions.
Configuring RMON
This chapter describes how to configure Remote Network Monitoring (RMON) on the Catalyst 2975 switch. Unless otherwise noted, the term switch refers to a standalone switch and to a switch stack.
Because switches supported by this software release use hardware counters for RMON data processing, the monitoring is more efficient, and little processing power is required.
Note: 64-bit counters are not supported for RMON alarms.
You must also configure SNMP on the switch to access RMON MIB objects. For more information, see Chapter 30, “Configuring SNMP.”
Note: 64-bit counters are not supported for RMON alarms.
SNMP community string used for this trap. Step 4 Return to privileged EXEC mode. Step 5 show running-config Verify your entries. Step 6 copy running-config startup-config (Optional) Save your entries in the configuration file.
1800 seconds.
• (Optional) For owner ownername, enter the name of the owner of the RMON group of statistics.
Step 4 Return to privileged EXEC mode. Step 5 show running-config Verify your entries.
To disable the collection of group Ethernet statistics, use the no rmon collection stats index interface configuration command. This example shows how to collect RMON statistics for the owner root:
Switch(config)# interface gigabitethernet2/0/1
Switch(config-if)# rmon collection stats 2 owner root
For information about the fields in these displays, see the “System Management Commands” section in the Cisco IOS Configuration Fundamentals Command Reference, Release 12.2 from the Cisco.com page under Documentation > Cisco IOS Software > 12.2 Mainline > Command References.
This chapter describes how to configure system message logging on the Catalyst 2975 switch. Unless otherwise noted, the term switch refers to a standalone switch and to a switch stack.
Note: For complete syntax and usage information for the commands used in this chapter, see the Cisco IOS Configuration Fundamentals Command Reference, Release 12.2 from the Cisco.com page under...
The part of the message preceding the percent sign depends on the setting of the service sequence-numbers, service timestamps log datetime, service timestamps log datetime [localtime] [msec] [show-timezone], or service timestamps log uptime global configuration command.
00:00:47: %LINK-3-UPDOWN: Interface GigabitEthernet2/0/2, changed state to up (Switch-2)
00:00:48: %LINEPROTO-5-UPDOWN: Line protocol on Interface Vlan1, changed state to down (Switch-2)
00:00:48: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet2/0/1, changed state to down (Switch-2)
When the logging process is disabled, messages appear on the console as soon as they are produced, often appearing in the middle of command output. Catalyst 2975 Switch Software Configuration Guide 29-4 OL-19720-02...
The severity range is 0 to 7. For a list of logging type keywords, see Table 29-3 on page 29-10. By default, the log file receives debugging messages and numerically lower levels. Step 5 Return to privileged EXEC mode.
Unsolicited messages and debug command output appear on the console after the prompt for user input is returned. Therefore, unsolicited messages and debug command output are not interspersed with solicited device output and prompts. After the unsolicited messages appear, the console again displays the user prompt.
(Optional) Save your entries in the configuration file. To disable synchronization of unsolicited messages and debug output, use the no logging synchronous [level severity-level | all] [limit number-of-buffers] line configuration command.
To disable logging to the console, use the no logging console global configuration command. To disable logging to a terminal other than the console, use the no logging monitor global configuration command. To disable logging to syslog servers, use the no logging trap global configuration command.
By default, one message of the level warning and numerically lower levels (see Table 29-3 on page 29-10) is stored in the history table even if syslog traps are not enabled.
[end-number] | statistics} [provisioning] privileged EXEC command to display the complete configuration log or the log for specified parameters. The default is that configuration logging is disabled. For information about the commands, see the Cisco IOS Configuration Fundamentals and Network Management Command Reference, Release 12.3 T: http://www.cisco.com/en/US/docs/ios/12_3/configfun/command/reference/cfr_1g04.html...
| switchport mode trunk
temi@vty5 | exit
Configuring UNIX Syslog Servers
The next sections describe how to configure the UNIX server syslog daemon and how to define the UNIX system logging facility.
To display the logging configuration and the contents of the log buffer, use the show logging privileged EXEC command. For information about the fields in this display, see the Cisco IOS Configuration Fundamentals Command Reference, Release 12.2 from the Cisco.com page under Documentation >...
Configuring SNMP
This chapter describes how to configure the Simple Network Management Protocol (SNMP) on the Catalyst 2975 switch. Unless otherwise noted, the term switch refers to a standalone switch and a switch stack.
Note: For complete syntax and usage information for the commands used in this chapter, see the command reference for this release and the Cisco IOS Network Management Command Reference, Release 12.4:...
A combination of the security level and the security model determines which security mechanism is used when handling an SNMP packet. Available security models are SNMPv1, SNMPv2C, and SNMPv3.
1. With this operation, an SNMP manager does not need to know the exact variable name. A sequential search is performed to find the needed variable from within a table.
2. The get-bulk command only works with SNMPv2 or later.
(@esN, where N is the switch number) to the first configured RW and RO community strings on the command switch and propagates them to the member switches. For more information, see Chapter 5, “Clustering Switches,” and Getting Started with Cisco Network Assistant, available on Cisco.com.
Using SNMP to Access MIB Variables
An example of an NMS is the CiscoWorks network management software.
an ifIndex value of 10003, this value is the same after the switch reboots. The switch uses one of the values in Table 30-3 to assign an ifIndex value to an interface:
Table 30-3 ifIndex Values
Interface Type    ifIndex Range
                  1–4999
EtherChannel      5000–5012
Loopback          5013–5077
SNMP notification type: If no type is specified, all notifications are sent.
1. This is the default when the switch starts and the startup configuration does not have any snmp-server global configuration commands.
The no snmp-server global configuration command disables all running versions (Version 1, Version 2C, and Version 3) on the device. No specific Cisco IOS command exists to enable SNMP. The first snmp-server global configuration command that you enter enables all versions of SNMP.
Place ones in the bit positions that you want to ignore. Recall that the access list is always terminated by an implicit deny statement for everything. Step 4 Return to privileged EXEC mode.
• If you select remote, specify the ip-address of the device that contains the remote copy of SNMP and the optional User Datagram Protocol (UDP) port on the remote device. The default is 162.
64 characters) that is the name of the view in which you specify a notify, inform, or trap.
• (Optional) Enter access access-list with a string (not to exceed 64 characters) that is the name of the access list.
Note: To display SNMPv3 information about auth | noauth | priv mode configuration, you must enter the show snmp user privileged EXEC command.
Step 7 copy running-config startup-config (Optional) Save your entries in the configuration file.
A trap manager is a management station that receives and processes traps. Traps are system alerts that the switch generates when certain events occur. By default, no trap manager is defined, and no traps are sent. Switches running this Cisco IOS release can have an unlimited number of trap managers.
Note: Many commands use the word traps in the command syntax.
[access access-list] | v3 [encrypted] [access access-list] [auth {md5 | sha} auth-password]}
configuring the engine ID for the remote host. Otherwise, you receive an error message, and the command is not executed.
1 to 1000; the default is 10. Step 9 snmp-server trap-timeout seconds (Optional) Define how often to resend trap messages. The range is 1 to 1000; the default is 30 seconds. Step 10 Return to privileged EXEC mode.
Step 3 Return to privileged EXEC mode. Step 4 show running-config Verify your entries. Step 5 copy running-config startup-config (Optional) Save your entries in the configuration file.
Place ones in the bit positions that you want to ignore. Recall that the access list is always terminated by an implicit deny statement for everything.
Switch(config)# snmp-server enable traps entity
Switch(config)# snmp-server host cisco.com restricted entity
This example shows how to enable the switch to send all traps to the host myhost.cisco.com using the community string public:
Switch(config)# snmp-server enable traps
Switch(config)# snmp-server host myhost.cisco.com public...
EXEC command. You also can use the other privileged EXEC commands in Table 30-6 to display SNMP information. For information about the fields in the displays, see the Cisco IOS Configuration Fundamentals Command Reference. Table 30-6 Commands for Displaying SNMP Information Feature...
C H A P T E R Configuring Network Security with ACLs This chapter describes how to configure network security on the Catalyst 2975 switch by using access control lists (ACLs), also referred to as access lists. Unless otherwise noted, the term switch refers to a standalone switch and a switch stack.
When an output router ACL and input port ACL exist in an SVI, incoming packets received on the ports to which a port ACL is applied are filtered by the port ACL. Outgoing routed IP packets are filtered by the router ACL. Other packets are not filtered.
With port ACLs, you can filter IP traffic by using IP access lists and non-IP traffic by using MAC addresses. You can filter both IP and non-IP traffic on the same Layer 2 interface by applying both an IP access list and a MAC access list to the interface.
Chapter 6, “Configuring the Switch Stack.”) The ACL configuration that is part of the running configuration is also reparsed during this step. The new stack master distributes the ACL information to all switches in the stack.
Configuring IPv4 ACLs Configuring IPv4 ACLs on the switch is the same as configuring IPv4 ACLs on other Cisco switches and routers. The process is briefly described here. For more detailed information on configuring ACLs, see the “Configuring IP Services” section in the “IP Addressing and Services” chapter of the Cisco IOS IP Configuration Guide, Release 12.2.
IP ACL can be 100 to 199. The advantage of using named ACLs instead of numbered lists is that you can delete individual entries from a named list.
For more details on the specific keywords for each protocol, see these command references: • Cisco IOS IP Command Reference, Volume 1 of 3: Addressing and Services, Release 12.2 • Cisco IOS IP Command Reference, Volume 2 of 3: Routing Protocols, Release 12.2 •...
[precedence precedence] [tos tos] [fragments] [time-range time-range-name] [dscp dscp] an abbreviation for a destination and destination wildcard of 0.0.0.0 255.255.255.255. You can use the any keyword in place of source and destination address and wildcard.
TCP port. To see TCP port names, use the ? or see the “Configuring IP Services” section in the “IP Addressing and Services” chapter of the Cisco IOS IP Configuration Guide, Release 12.2. Use only TCP port numbers or names when filtering TCP.
ICMP message type and code name. To see a list of ICMP message type names and code names, use the ?, or see the “Configuring IP Services” section of the Cisco IOS IP Configuration Guide, Release 12.2. Step access-list access-list-number (Optional) Define an extended IGMP access list and the access conditions.
Being able to selectively remove lines from a named ACL is one reason you might use named ACLs instead of numbered ACLs. After creating a named ACL, you can apply it to interfaces (see the “Applying an IPv4 ACL to an Interface” section on page 31-18).
(Optional) Save your entries in the configuration file. Repeat the steps if you have multiple items that you want in effect at different times. To remove a configured time-range limitation, use the no time-range time-range-name global configuration command.
To include a comment for IP numbered standard or extended ACLs, use the access-list access-list-number remark remark global configuration command. To remove the remark, use the no form of this command.
Step 6 copy running-config startup-config (Optional) Save your entries in the configuration file. To remove an ACL from a terminal line, use the no access-class access-list-number {in | out} line configuration command.
Switch(config)# interface gigabitethernet1/0/1 Switch(config-if)# ip access-group 2 in This example shows how to apply access list 3 to filter packets going to the CPU: Switch(config)# interface vlan 1 Switch(config-if)# ip access-group 3 in
EXEC command. If the switch does not have available resources, the output shows that index 0 to index 15 are not available. For more information about configuring ACLs with insufficient resources, see CSCsq63926 in the Bug Toolkit.
This section provides examples of configuring and applying IPv4 ACLs. For detailed information about compiling ACLs, see the Cisco IOS Security Configuration Guide, Release 12.2 and the “Configuring IP Services” section in the “IP Addressing and Services” chapter of the Cisco IOS IP Configuration Guide, Release 12.2.
Beginning in privileged EXEC mode, follow these steps to create a named MAC extended ACL: Command Purpose Step 1 configure terminal Enter global configuration mode. Step 2 mac access-list extended name Define an extended MAC access list using a name.
• A Layer 2 interface can have only one MAC access list. If you apply a MAC access list to a Layer 2 interface that has a MAC ACL configured, the new ACL replaces the previously configured one.
If the ACL rejects the packet, the switch discards it. When you apply an undefined ACL to an interface, the switch acts as if the ACL has not been applied and permits all packets. Remember this behavior if you use undefined ACLs for network security.
MAC and IP access lists and which access groups are applied to an interface. show mac access-group [interface interface-id] Displays MAC access lists applied to all Layer 2 interfaces or the specified Layer 2 interface.
This chapter describes how to use Cisco IOS IP Service Level Agreements (SLAs) on the Catalyst 2975 switch. Cisco IP SLAs is a part of Cisco IOS software that allows Cisco customers to analyze IP service levels for IP applications and services by using active traffic monitoring—the generation of traffic in a continuous, reliable, and predictable manner—for measuring network performance.
Virtual Private Network (VPN) routing/forwarding instance (VRF), and URL web address. Because Cisco IP SLAs is Layer 2 transport independent, you can configure end-to-end operations over disparate networks to best reflect the metrics that an end user is likely to experience. IP SLAs collects a...
IP SLAs Responder and IP SLAs Control Protocol The IP SLAs responder is a component embedded in the destination Cisco device that allows the system to anticipate and respond to IP SLAs request packets. The responder provides accurate measurements without the need for dedicated probes.
(such as Telnet or HTTP). You cannot configure the IP SLAs responder on non-Cisco devices and Cisco IOS IP SLAs can send operational packets only to services native to those devices.
This section does not include configuration information for all available operations as the configuration information details are included in the Cisco IOS IP SLAs Configuration Guide. It includes only the procedure for configuring the responder, as the switch includes only responder support.
The IP SLAs responder is available only on Cisco IOS software-based devices, including some Layer 2 switches that do not support full IP SLAs functionality, such as the Catalyst 2960 or the Cisco ME 2400 or IE 3000 switch running the LAN base image. Beginning in privileged EXEC mode, follow these steps...
This chapter describes how to configure quality of service (QoS) by using automatic QoS (auto-QoS) commands or by using standard QoS commands on the Catalyst 2975 switch. With QoS, you can provide preferential treatment to certain types of traffic at the expense of others. Without QoS, the switch offers best-effort service to each packet, regardless of the packet contents or size.
[Figure residue: Layer 2 802.1Q and 802.1p frame (preamble, start frame delimiter, data, FCS; 3 bits used for CoS, the user priority) and Layer 3 IPv4 packet (version, length, offset, TTL, proto, IP-SA, IP-DA, data; the 1-byte field carrying IP precedence or DSCP).]
Implementing QoS in your network can be a simple or complex task and depends on the QoS features offered by your internetworking devices, the traffic types and patterns in your network, and the granularity of control that you need over incoming and outgoing traffic.
Scheduling services the four egress queues based on their configured SRR shared or shaped weights. • One of the queues (queue 1) can be the expedited queue, which is serviced until empty before the other queues are serviced.
0 as the DSCP and CoS values, which means best-effort traffic. Otherwise, the policy-map action specifies a DSCP or CoS value to assign to the incoming frame.
For configuration information on port trust states, see the “Configuring Classification Using Port Trust States” section on page 33-37. After classification, the packet is sent to the policing, marking, and the ingress queueing and scheduling stages.
[Flowchart residue: classification outcomes are to generate the DSCP by using the CoS-to-DSCP map, to assign the DSCP or CoS as specified by the ACL action to generate the QoS label, or to assign the default DSCP (0); each branch ends in Done.]
You can configure a default class by using the class class-default policy-map configuration command. Unclassified traffic (traffic that does not meet the match criteria specified in the traffic classes) is treated as default traffic.
For configuration information, see the “Classifying, Policing, and Marking Traffic on Physical Ports by Using Policy Maps” section on page 33-50 and the “Classifying, Policing, and Marking Traffic by Using Aggregate Policers” section on page 33-55.
You configure how fast (the average rate) that the tokens are removed from the bucket by using the rate-bps option of the police policy-map class configuration command or the mls qos aggregate-policer global configuration command.
This configurable map is called the policed-DSCP map. You configure this map by using the mls qos map policed-dscp global configuration command.
Both the ingress and egress queues use an enhanced version of the tail-drop congestion-avoidance mechanism called weighted tail drop (WTD). WTD is implemented on queues to manage the queue lengths and to provide drop precedences for different traffic classifications.
With sharing, the ratio of the weights controls the frequency of dequeuing; the absolute values are meaningless. Shaping and sharing are configured per interface. Each interface can be uniquely configured.
Queue the packet. Service the queue according to the SRR weights. Send packet to the stack ring. Note SRR services the priority queue for its configured share before servicing the other queue.
The priority queue should be used for traffic (such as voice) that requires guaranteed delivery because this queue is guaranteed part of the bandwidth regardless of the load on the stack ring.
Queueing and Scheduling on Egress Queues Figure 33-8 shows the queueing and scheduling flowchart for egress ports. Note If the expedite queue is enabled, SRR services it until it is empty before servicing the other three queues.
(under-limit), whether it has consumed all of its maximum buffers (over limit), and whether the common pool is empty (no free
You assign the two WTD threshold percentages for threshold ID 1 and ID 2. The drop threshold for threshold ID 3 is preset to the queue-full state, and you cannot
CoS-to-DSCP map. The input mutation causes the DSCP to be rewritten depending on the new value of DSCP chosen. The set action in a policy map also causes the DSCP to be rewritten.
Table 33-5.) • Switch enables the trusted boundary feature and uses the Cisco Discovery Protocol (CDP) to detect the presence of a supported device. • Policing is used to determine whether a packet is in or out of profile and specifies the action on the packet.
DSCP value of 24, 26, or 46 or is out of profile, the switch changes the DSCP value to 0. When there is no Cisco IP Phone, the ingress classification is set to not trust the QoS label in the packet. The policing is applied to the traffic matching the policy-map classification before the switch enables the trust boundary feature.
Ensure Port Security” section on page 39-42. When you enable auto-QoS by using the auto qos voip cisco-phone, the auto qos voip cisco-softphone, or the auto qos voip trust interface configuration command, the switch automatically generates a QoS configuration based on the traffic type and ingress packet label and applies the commands listed in Table 33-5 to the port.
Auto-QoS Generated Configuration For VoIP Devices If you entered the auto qos voip cisco-phone command, the switch automatically enables the trusted boundary feature, which uses the CDP to detect the presence or absence of a Cisco IP Phone. Switch(config-if)# mls qos trust device cisco-phone If you entered the auto qos voip cisco-softphone command, the switch automatically creates class maps and policy maps.
AutoQoS-Police-SoftPhone to an ingress interface on which auto-QoS with the Cisco SoftPhone feature is enabled. Switch(config-if)# service-policy input AutoQoS-Police-SoftPhone If you entered the auto qos voip cisco-phone command, the switch automatically creates class maps and policy maps. Switch(config-if)# mls qos trust device cisco-phone If you entered the auto qos voip cisco-softphone command, the switch automatically creates class maps and policy maps.
• Auto-QoS VoIP uses the priority-queue interface configuration command for an egress interface. • You can also configure a policy-map and trust device on the same interface for Cisco IP phones. • To take advantage of the auto-QoS defaults, you should enable auto-QoS before you configure other...
• When enabling auto-QoS with a Cisco IP Phone on a routed port, you must assign a static IP address to the IP phone. • This release supports only Cisco IP SoftPhone Version 1.3(3) or later.
To display information about the QoS configuration that might be affected by auto-QoS, use one of these commands: • show mls qos • show mls qos maps cos-dscp • show mls qos interface [interface-id] [buffers | queueing]
No policy maps are configured. The default port trust state on all ports is untrusted. The default ingress and egress queue settings are described in the “Default Ingress Queue Configuration” section on page 33-34 and the “Default Egress Queue Configuration” section on page 33-34.
The default DSCP-to-DSCP-mutation map is a null map, which maps an incoming DSCP value to the same DSCP value. The default policed-DSCP map is a null map, which maps an incoming DSCP value to the same DSCP value (no markdown).
If you do not first remove the policy map from all interfaces, high CPU usage can occur, which, in turn, can cause the console to pause for a very long time.
QoS domain can be configured to one of the trusted states because there is no need to classify the packets at every switch within the QoS domain. Figure 33-10 shows a sample network topology.
Command Purpose Step 1 configure terminal Enter global configuration mode. Step 2 interface interface-id Specify the port to be trusted, and enter interface configuration mode. Valid interfaces include physical ports.
CoS to all incoming packets on the port: Command Purpose Step 1 configure terminal Enter global configuration mode. Step 2 interface interface-id Specify the port to be configured, and enter interface configuration mode. Valid interfaces include physical ports.
CoS setting). By contrast, trusted boundary uses CDP to detect the presence of a Cisco IP Phone (such as the Cisco IP Phone 7910, 7935, 7940, and 7960) on a switch port. If the telephone is not detected, the
In some situations, you can prevent a PC connected to the Cisco IP Phone from taking advantage of a high-priority data queue. You can use the switchport priority extend cos interface configuration command to configure the telephone through the switch CLI to override the priority of the traffic received from the PC.
QoS. If the two domains use different DSCP values, you can configure the DSCP-to-DSCP-mutation map to translate a set of DSCP values to match the definition in the other domain.
Step 6 Return to privileged EXEC mode. Step 7 show mls qos maps dscp-mutation Verify your entries. Step 8 copy running-config startup-config (Optional) Save your entries in the configuration file.
• Classifying Traffic by Using Class Maps, page 33-48 • Classifying, Policing, and Marking Traffic on Physical Ports by Using Policy Maps, page 33-50 • Classifying, Policing, and Marking Traffic by Using Aggregate Policers, page 33-55
This example shows how to create an ACL that permits PIM traffic from any source to a destination group address of 224.0.0.2 with a DSCP set to 32: Switch(config)# access-list 102 permit pim any 224.0.0.2 dscp 32
MAC address 0001.0000.0002 to the host with MAC address 0002.0000.0002. Switch(config)# mac access-list extended maclist1 Switch(config-ext-macl)# permit 0001.0000.0001 0.0.0 0002.0000.0001 0.0.0 Switch(config-ext-macl)# permit 0001.0000.0002 0.0.0 0002.0000.0002 0.0.0 xns-idp ! (Note: all other access implicitly denied)
If neither the match-all or match-any keyword is specified, the default is match-all. Note Because only one match command per class map is supported, the match-all and match-any keywords function the same.
This example shows how to create a class map called class3, which matches incoming traffic with IP-precedence values of 5, 6, and 7: Switch(config)# class-map class3 Switch(config-cmap)# match ip precedence 5 6 7 Switch(config-cmap)# end Switch#
• When you configure a default traffic class by using the class class-default policy-map configuration command, unclassified traffic (traffic that does not meet the match criteria specified in the traffic classes) is treated as the default traffic class (class-default).
It is always placed at the end of a policy map. With an implied match any included in the class-default class, all packets that have not already matched the other traffic classes will match class-default.
DSCP value (by using the policed-DSCP map) and to send the packet. For more information, see the “Configuring the Policed-DSCP Map” section on page 33-59.
Create a policy map by entering the policy map name, and enter policy-map configuration mode. For more information, see the “Classifying, Policing, and Marking Traffic on Physical Ports by Using Policy Maps” section on page 33-50.
Table 33-12 shows the default CoS-to-DSCP map. Table 33-12 Default CoS-to-DSCP Map CoS Value DSCP Value If these values are not appropriate for your network, you need to modify them.
QoS uses internally to represent the priority of the traffic. Table 33-13 shows the default IP-precedence-to-DSCP map: Table 33-13 Default IP-Precedence-to-DSCP Map IP Precedence Value DSCP Value If these values are not appropriate for your network, you need to modify them.
DSCP-to-CoS map. Table 33-14 Default DSCP-to-CoS Map DSCP Value CoS Value 0–7 8–15 16–23 24–31 32–39 40–47 48–55 56–63 If these values are not appropriate for your network, you need to modify them.
The switch sends the packet out the port with the new DSCP value. You can configure multiple DSCP-to-DSCP-mutation maps on an ingress port. The default DSCP-to-DSCP-mutation map is a null map, which maps an incoming DSCP value to the same DSCP value.
Mapping DSCP or CoS Values to an Ingress Queue and Setting WTD Thresholds You can prioritize traffic by placing packets with particular DSCPs or CoSs into certain queues and adjusting the queue thresholds so that packets with lower priorities are dropped.
To return to the default WTD threshold percentages, use the no mls qos srr-queue input threshold queue-id global configuration command.
SRR scheduler sends packets from each queue. The bandwidth and the buffer allocation control how much data can be buffered before packets are dropped. On ingress queues, SRR operates only in shared mode.
Then, SRR shares the remaining bandwidth with both ingress queues and services them as specified by the weights configured with the mls qos srr-queue input bandwidth weight1 weight2 global configuration command.
• Does the bandwidth of the port need to be rate limited? • How often should the egress queues be serviced and which technique (shaped, shared, or both) should be used?
Note The egress queue default settings are suitable for most situations. You should change them only when you have a thorough understanding of the egress queues and if these settings do not meet your QoS solution.
Map the port to a queue-set. For qset-id, enter the ID of the queue-set specified in Step 2. The range is 1 to 2. The default is 1. Step 6 Return to privileged EXEC mode.
This example shows how to map DSCP values 10 and 11 to egress queue 1 and to threshold 2: Switch(config)# mls qos srr-queue output dscp-map queue 1 threshold 2 10 11
2, 3, and 4 are set to 0, these queues operate in shared mode. The bandwidth weight for queue 1 is 1/8, which is 12.5 percent: Switch(config)# interface gigabitethernet2/0/1 Switch(config-if)# srr-queue bandwidth shape 8 0 0 0
1, 2, 3, and 4. This means that queue 4 has four times the bandwidth of queue 1, twice the bandwidth of queue 2, and one-and-a-third times the bandwidth of queue 3. Switch(config)# interface gigabitethernet2/0/1 Switch(config-if)# srr-queue bandwidth share 1 2 3 4
Beginning in privileged EXEC mode, follow these steps to limit the bandwidth on an egress port. This procedure is optional. Command Purpose Step 1 configure terminal Enter global configuration mode. Step 2 interface interface-id Specify the port to be rate limited, and enter interface configuration mode.
EXEC command to display classification information for incoming traffic. The control-plane and interface keywords are not supported, and the statistics shown in the display should be ignored. show running-config | include rewrite Display the DSCP transparency setting.
For complete syntax and usage information for the commands used in this chapter, see the Cisco IOS IP Command Reference, Volume 1 of 3: Addressing and Services, Release 12.2 • Understanding IP Routing, page 34-1 •...
If a stack master fails, the stack detects that the stack master is down and elects a stack member to be the new stack master. Except for a momentary interruption, the hardware continues to forward packets.
By default, IP routing is disabled on the switch. For detailed IP routing configuration information, see the Cisco IOS IP Configuration Guide, Release 12.2 from the Cisco.com page under Documentation > Cisco IOS Software Releases > 12.2 Mainline > Configuration Guides.
Return to privileged EXEC mode. Step 5 show interfaces [interface-id] Verify your entries. show ip interface [interface-id] show running-config interface [interface-id] Step 6 copy running-config startup-config (Optional) Save your entries in the configuration file.
[address [mask] [longer-prefixes]] | Display the state of the routing table. show ip route summary Display the state of the routing table in summary form. show platform ip unicast Display platform-dependent IP unicast information.
IPv4 and IPv6 switch database management (SDM) template. See the “Dual IPv4 and IPv6 Protocol Stacks” section on page 35-4. Note For complete syntax and usage information for the commands used in this chapter, see the Cisco IOS documentation referenced in the procedures. This chapter consists of these sections: “Understanding IPv6”...
• Use the Search field to locate the Cisco IOS software documentation. For example, if you want information about static routes, you can enter Implementing Static Routes for IPv6 in the search field to get this document about static routes: http://www.cisco.com/en/US/docs/ios/ipv6/configuration/guide/ip6-stat_routes_ps6441_TSD_Pro...
For more information, see the section about IPv6 unicast addresses in the “Implementing IPv6 Addressing and Basic Connectivity” chapter in the Cisco IOS IPv6 Configuration Library on Cisco.com. DNS for IPv6 IPv6 supports Domain Name System (DNS) record types in the DNS name-to-address and address-to-name lookup processes.
For more information about autoconfiguration and duplicate address detection, see the “Implementing IPv6 Addressing and Basic Connectivity” chapter of Cisco IOS IPv6 Configuration Library on Cisco.com. IPv6 Applications...
TCAM capacity for each resource. For more information about IPv4 and IPv6 protocol stacks, see the “Implementing IPv6 Addressing and Basic Connectivity” chapter of Cisco IOS IPv6 Configuration Library on Cisco.com. SNMP and Syslog Over IPv6 To support both IPv4 and IPv6, IPv6 network management requires both IPv6 and IPv4 transports.
Basic network connectivity (ping) must exist between the client and the server hosts before HTTP connections can be made. For more information, see the “Managing Cisco IOS Applications over IPv6” chapter in the Cisco IOS IPv6 Configuration Library on Cisco.com.
• all-routers link-local multicast group FF02::2 For more information about configuring IPv6, see the “Implementing Addressing and Basic Connectivity for IPv6” chapter in the Cisco IOS IPv6 Configuration Library on Cisco.com.
Output from the show ipv6 interface EXEC command shows how the interface ID (20B:46FF:FE2F:D940) is appended to the link-local prefix FE80::/64 of the interface. Switch(config)# sdm prefer dual-ipv4-and-ipv6 default Switch(config)# interface gigabitethernet1/0/1 Switch(config-if)# ipv6 address 2001:0DB8:c18:1::/64 eui-64 Switch(config-if)# end
Switch(config-if)# end For more information about configuring DRP for IPv6, see the “Implementing IPv6 Addresses and Basic Connectivity” chapter in the Cisco IOS IPv6 Configuration Library on Cisco.com. Configuring IPv6 ICMP Rate Limiting ICMP rate limiting is enabled by default with a default interval between error messages of 100 milliseconds and a bucket size (maximum number of tokens to be stored in a bucket) of 10.
To configure a floating static route, use an administrative distance greater than that of the dynamic routing protocol. Step 3 Return to privileged EXEC mode.
For more information about configuring static IPv6 routing, see the “Implementing Static Routes for IPv6” chapter in the Cisco IOS IPv6 Configuration Library on Cisco.com. Displaying IPv6 For complete syntax and usage information on these commands, see the Cisco IOS command reference publications. Table 35-2 shows the privileged EXEC commands for monitoring IPv6 on the switch.
This is an example of the output from the show ipv6 static privileged EXEC command:
Switch# show ipv6 static
IPv6 Static routes
Code: * - installed in RIB
* ::/0 via nexthop 3FFE:C000:0:7::777, distance 1
You can use Multicast Listener Discovery (MLD) snooping to enable efficient distribution of IP version 6 (IPv6) multicast data to clients and routers in a switched network on the Catalyst 2975 switch. Unless otherwise noted, the term switch refers to a standalone switch and to a switch stack.
Message timers and state transitions resulting from messages being sent or received are the same as those of IGMPv2 messages. MLD messages that do not have valid link-local IPv6 source addresses are ignored by MLD routers and switches.
1006 to 4094), IPv6 MLD snooping must be enabled on the extended VLAN on the Catalyst 6500 switch in order for the Catalyst 2975 switch to receive queries on the VLAN. For normal-range VLANs (1 to 1005), it is not necessary to enable IPv6 MLD snooping on the VLAN on the Catalyst 6500 switch.
If the deleted port is the last member of the multicast address, the multicast address is also deleted, and the switch sends the address leave information to all detected multicast routers.
(add a static connection to a multicast router), use the ipv6 mld snooping vlan mrouter global configuration command on the switch.
Note Static connections to multicast routers are supported only on switch ports.
To disable MLD Immediate Leave on a VLAN, use the no ipv6 mld snooping vlan vlan-id immediate-leave global configuration command.
This example shows how to enable MLD Immediate Leave on VLAN 130:
Switch# configure terminal
Switch(config)# ipv6 mld snooping vlan 130 immediate-leave
Switch(config)# exit
[vlan vlan-id] (Optional) Verify the MLD snooping querier information for the switch or for the VLAN.
Step 12 copy running-config startup-config (Optional) Save your entries in the configuration file.
Verify that IPv6 MLD snooping report suppression is disabled.
Step 5 copy running-config startup-config (Optional) Save your entries in the configuration file.
To re-enable MLD message suppression, use the ipv6 mld snooping listener-message-suppression global configuration command.
• Enter user to display MLD snooping user-configured group information for the switch or for a VLAN.
show ipv6 mld snooping multicast-address vlan vlan-id [ipv6-multicast-address] Display MLD snooping for the specified VLAN and IPv6 multicast address.
Configuring EtherChannels and Link-State Tracking
This chapter describes how to configure EtherChannels on the Catalyst 2975 switch. EtherChannel provides fault-tolerant high-speed links between switches, routers, and servers. You can use it to increase the bandwidth between the wiring closets and the data center, and you can deploy it anywhere in the network where bottlenecks are likely to occur.
An EtherChannel consists of individual Fast Ethernet or Gigabit Ethernet links bundled into a single logical link as shown in Figure 37-1.
Figure 37-1 Typical EtherChannel Configuration (Catalyst 8500 series switch; Gigabit EtherChannel over 1000BASE-X links; 10/100 switched links to workstations)
EtherChannel are blocked from returning on any other link of the EtherChannel.
Figure 37-2 Single-Switch EtherChannel (Catalyst 2975 switch stack of Switch 1, Switch 2 and Switch 3 with stack port connections; channel group 1 and channel group 2 to Switch A)
If you use a new number, the channel-group command dynamically creates a new port channel. Each EtherChannel has a port-channel logical interface numbered from 1 to 6. This port-channel interface number corresponds to the one specified with the channel-group interface configuration command.
Layer 2 EtherChannel as a trunk.
Port Aggregation Protocol
The Port Aggregation Protocol (PAgP) is a Cisco-proprietary protocol that can be run only on Cisco switches and on those switches licensed by vendors to support PAgP. PAgP facilitates the automatic creation of EtherChannels by exchanging PAgP packets between Ethernet ports.
(VSLs) that carry control and data traffic between them. One of the switches is in active mode. The others are in standby mode. For redundancy, remote switches, such as Catalyst 2975 switches, are connected to the virtual switch by remote satellite links (RSLs).
Link Aggregation Control Protocol
LACP is defined in IEEE 802.3ad and enables Cisco switches to manage Ethernet channels between switches that conform to the IEEE 802.3ad protocol. LACP facilitates the automatic creation of EtherChannels by exchanging LACP packets between Ethernet ports.
Therefore, to provide load balancing, packets from different hosts use different ports in the channel, but packets from the same host use the same port in the channel.
MAC address, using the destination-MAC address always chooses the same link in the channel. Using source addresses or IP addresses might result in better load balancing.
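The link-selection behaviour described above, as an added illustration that is not Cisco code: four workstations sending to one router over a four-link channel are spread across links under src-mac balancing but collapse onto a single link under dst-mac balancing. The XOR-fold hash is an assumption standing in for the switch's undocumented algorithm; the MAC addresses are constructed from the RFC 7042 documentation range.

```python
"""Which EtherChannel link a frame takes under src-mac vs dst-mac load balancing.

Added illustration, not Cisco code. Assumption: the per-frame hash is an
XOR-fold of the selected MAC address's bytes reduced modulo the number of
active links; the switch's real hash is not documented on this page, but
the behaviour the text describes (same address -> same link) holds for any
deterministic hash.
"""
from collections import Counter
from functools import reduce
from typing import Dict, Iterable, List, Tuple

Frame = Tuple[str, str]  # (source MAC, destination MAC)


def mac_bytes(mac: str) -> bytes:
    return bytes.fromhex(mac.replace(":", "").replace("-", "").replace(".", ""))


def select_link(address: str, n_links: int) -> int:
    """Deterministic link index for one MAC address (assumed XOR-fold hash)."""
    if n_links < 1:
        raise ValueError("an EtherChannel needs at least one active link")
    folded = reduce(lambda acc, b: acc ^ b, mac_bytes(address), 0)
    return folded % n_links


def distribute(frames: Iterable[Frame], method: str, n_links: int) -> Dict[int, int]:
    """Count frames per link for method 'src-mac' or 'dst-mac', the two
    forwarding methods this chapter configures with port-channel load-balance."""
    field = {"src-mac": 0, "dst-mac": 1}[method]
    return dict(Counter(select_link(f[field], n_links) for f in frames))


# Constructed traffic: four workstations all sending to one router, over a
# four-link channel. MACs are from the RFC 7042 documentation range.
ROUTER = "00:00:5E:00:53:FF"
WORKSTATIONS = ["00:00:5E:00:53:01", "00:00:5E:00:53:02",
                "00:00:5E:00:53:03", "00:00:5E:00:53:04"]
SAMPLE_FRAMES: List[Frame] = [(ws, ROUTER) for ws in WORKSTATIONS]

if __name__ == "__main__":
    for method in ("src-mac", "dst-mac"):
        print(method, distribute(SAMPLE_FRAMES, method, n_links=4))
```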
STP reconvergence. Use the stack-mac persistent timer command to control whether or not the stack MAC address changes during a master failover. For more information about switch stacks, see Chapter 6, “Managing Switch Stacks.”
LACP system priority 32768.
LACP system ID LACP system priority and the stack MAC address.
Load balancing Load distribution on the switch is based on the source-MAC address of the incoming packet.
If you configure an EtherChannel from trunk ports, verify that the trunking mode (ISL or IEEE 802.1Q) is the same on all the trunks. Inconsistent trunk modes on EtherChannel ports can have unexpected results.
Assign all ports as static-access ports in the same VLAN, or configure them as trunks.
switchport access vlan vlan-id If you configure the port as a static-access port, assign it to only one VLAN. The range is 1 to 4094.
Verify your entries.
Step 7 copy running-config startup-config (Optional) Save your entries in the configuration file.
To remove a port from the EtherChannel group, use the no channel-group interface configuration command.
Configuring EtherChannel Load Balancing
This section describes how to configure EtherChannel load balancing by using source-based or destination-based forwarding methods. For more information, see the “Load Balancing and Forwarding Methods” section on page 37-8.
You also must set the load-distribution method to source-based distribution, so that any given source MAC address is always sent on the same physical port.
When the link partner of the switch is a physical learner (such as a Catalyst 1900 series switch), we recommend that you configure the Catalyst 2975 switch as a physical-port learner by using the pagp learn-method physical-port interface configuration command. Set the load-distribution method based on the source MAC address by using the port-channel load-balance src-mac global configuration command.
LACP-configured channel. By changing this value from the default, you can affect how the software selects active and standby links. You can use the show etherchannel summary privileged EXEC command to see which ports are in the hot-standby mode (denoted with an H port-state flag).
For priority, the range is 1 to 65535. The default is 32768. The lower the value, the more likely that the port will be used for LACP transmission.
Step 4 Return to privileged EXEC mode.
Note An interface can be an aggregation of ports (an EtherChannel), or a single physical port in access or trunk mode.
37-22. If the upstream link for port 6 is lost, the link states of downstream ports 1 and 2 do not change. However, if the link for upstream port 5 is also lost, the link state of the
[Figure: ports in link-state group 1 and link-state group 2; Server 1 to Server 4; primary link and secondary link]
Specify a link-state group, and configure the interface as either an upstream or downstream interface in the group. The group number can be 1 to 2; the default is 1.
Step 5 Return to privileged EXEC mode.
Upstream Interfaces : Gi1/0/15(Dwn) Gi1/0/16(Dwn) Gi1/0/17(Dwn)
Downstream Interfaces : Gi1/0/11(Dis) Gi1/0/12(Dis) Gi1/0/13(Dis) Gi1/0/14(Dis)
(Up):Interface up (Dwn):Interface Down (Dis):Interface disabled
For detailed information about the fields in the display, see the command reference for this release.
This chapter describes how to identify and resolve software problems related to the Cisco IOS software on the Catalyst 2975 switch. Depending on the nature of the problem, you can use the command-line interface (CLI), the device manager, or Network Assistant to identify and solve problems.
Step 1 From your PC, download the software image tar file (image_filename.tar) from Cisco.com. The Cisco IOS image is stored as a bin file in a directory in the tar file. For information about locating the software image files on Cisco.com, see the release notes.
Step 11 After the Xmodem request appears, use the appropriate command on the terminal-emulation software to start the transfer and to copy the software image into flash memory.
Step 12 Boot the newly downloaded Cisco IOS image.
switch: boot flash:image_filename.bin
Step 13 Use the archive download-sw privileged EXEC command to download the software image to the switch or to the switch stack.
Step 2 If you had set the console port speed to anything other than 9600, it has been reset to that particular speed. Change the emulation software line speed to match that of the switch console port.
Step 3 Load any helper files:
switch: load_helper
The secret password can be from 1 to 25 alphanumeric characters, can start with a number, is case sensitive, and allows spaces but ignores leading spaces.
Step 12 Return to privileged EXEC mode:
Switch(config)# exit
Switch#
Step 1 Elect to continue with password recovery and lose the existing configuration:
Would you like to reset the system back to the default configuration (y/n)? Y
Step 2 Load any helper files:
Switch: load_helper
VLAN ID of the shutdown interface. With the switch in interface configuration mode, enter the no shutdown command.
Step 10 You must now reconfigure the switch. If the system administrator has the backup switch and VLAN configuration files available, you should use those.
Hot Standby Router Protocol (HSRP). For more information, see Chapter 5, “Clustering Switches.” Also see the Getting Started with Cisco Network Assistant, available on Cisco.com. HSRP is the preferred method for supplying redundancy to a cluster.
From privileged EXEC mode, enter setup, and press Return.
Switch# setup
--- System Configuration Dialog ---
Continue with configuration dialog? [yes/no]: y
At any point you may enter a question mark '?' for help.
Step 17 Start your browser, and enter the IP address of the new command switch.
Step 18 From the Cluster menu, select Add to Cluster to display a list of candidate switches to add to the cluster.
When prompted for the enable secret and enable passwords, enter the passwords of the failed command switch again.
Step 9 When prompted, make sure to enable the switch as the cluster command switch, and press Return.
If a remote device does not autonegotiate, configure the duplex settings on the two ports to match.
Note The speed parameter can adjust itself even if the connected port does not autonegotiate.
Disabled Port Caused by Power Loss
If a powered device (such as a Cisco IP Phone 7910) that is connected to a PoE switch port and is powered by an AC power source loses power from the AC power source, the device might enter an error-disabled state.
If the module is identified as a Cisco SFP module, but the system is unable to read vendor-data information to verify its accuracy, an SFP module error message is generated. In this case, you should remove and re-insert the SFP module.
The switch can only identify the path from the source device to the destination device. It cannot identify the path that a packet takes from source host to the source device or from the destination device to the destination host.
Using Layer 2 Traceroute
Usage Guidelines
These are the Layer 2 traceroute usage guidelines:
• Cisco Discovery Protocol (CDP) must be enabled on all the devices in the network. For Layer 2 traceroute to function properly, do not disable CDP.
ICMP port-unreachable error to the source. Because all errors except port-unreachable errors come from intermediate hops, the receipt of a port-unreachable error means that this message was sent by the destination port.
Port unreachable. To end a trace in progress, enter the escape sequence (Ctrl-^ X by default). Simultaneously press and release the Ctrl, Shift, and 6 keys and then press the X key.
These sections explain how you use debug commands to diagnose and resolve internetworking problems:
• Enabling Debugging on a Specific Feature, page 38-20
• Enabling All-System Diagnostics, page 38-20
• Redirecting Debug and Error Message Output, page 38-21
For this reason, use debug commands only to troubleshoot specific problems or during troubleshooting sessions with Cisco technical support staff. It is best to use debug commands during periods of lower network traffic and fewer users. Debugging during these periods decreases the likelihood that increased debug command processing overhead will affect system use.
Most of the information in the output from the command is useful mainly for technical support personnel, who have access to detailed information about the switch application-specific integrated circuits (ASICs). However, packet forwarding information can also be helpful in troubleshooting.
• Basic crashinfo Files The information in the basic file includes the Cisco IOS image name and version that failed, a list of the processor registers, and other switch-specific information. You can provide this information to the Cisco technical support representative by using the show tech-support privileged EXEC command.
For more information about the show platform tcam errors privileged EXEC command, see the command reference for this release.
Troubleshooting Tables
These tables are a condensed version of troubleshooting documents on Cisco.com.
• “Troubleshooting CPU Utilization” section on page 38-25
This example shows normal CPU utilization. The output shows that utilization for the last 5 seconds is 8%/0%, which has this meaning:
• The total CPU utilization is 8 percent, including both time running Cisco IOS processes and time spent handling interrupts
(available PoE). Use the show inline power and show inline power detail commands to verify the amount of available power. For more information, see No PoE On One Port on Cisco.com.
This normally produces an alarm. Check the log again for alarms reported earlier by system messages. For more information, see No PoE On Any Port or a Group of Ports on Cisco.com.
A non-Cisco powered device is connected to a Cisco PoE switch, but never powers on or powers on and then quickly powers off. Non-PoE devices work normally.
Verify that sufficient power is available for the powered device type before you connect it. Use the show interface status command to verify that the switch detects the
Cable Connections).
• Enter the show switch privileged EXEC command to see whether the new switch shows as Ready, Progressing, or Provisioned.
• Check status of stack members (see Verifying StackWise Cable Connections).
Typical Sequence States and Rules.)
Stack members need to be upgraded. Stack members running different major or minor versions of the Cisco IOS software (see Quick-and-Easy Catalyst 3750 and Catalyst 3750E Switch Stack Upgrades).
Defective StackWise switch interface or cable. StackWise link connection: Look at the LED behavior.
• SNMPv2-MIB
• TCP-MIB
• UDP-MIB
Note You can also use this URL for a list of supported MIBs for the Catalyst 2975 switch: ftp://ftp.cisco.com/pub/mibs/supportlists/cat2975/cat2975-supportlist.html
You can access other information about MIBs and Cisco products on the Cisco web site: http://www.cisco.com/public/sw-center/netmgmt/cmtk/mibs.shtml
Working with the Cisco IOS File System, Configuration Files, and Software Images This appendix describes how to manipulate the Catalyst 2975 switch flash file system, how to copy configuration files, and how to archive (upload and download) software images to a switch. Unless otherwise noted, the term switch refers to a standalone switch and to a switch stack.
Appendix B Working with the Cisco IOS File System, Configuration Files, and Software Images
Working with the Flash File System
These sections contain this configuration information:
• Displaying Available File Systems, page B-2
• , page B-2
• Displaying Information about Files on a File System, page B-3
Table B-1 show file systems Field Descriptions (continued)
Field Value
Flags Permission for file system. ro—read-only. rw—read/write. wo—write-only.
Prefixes Alias for file system.
Table B-2 Commands for Displaying Information About Files (continued)
Command Description
show file information file-url Display information about a specific file.
For filesystem, use flash: for the system board flash device. For file-url, enter the name of the directory to be deleted. All the files in the directory and the directory are removed.
Caution When files are deleted, their contents cannot be recovered.
This example shows how to delete the file myconfig from the default flash memory device:
Displaying the Contents of a tar File
To display the contents of a tar file on the screen, use this privileged EXEC command:
archive tar /table source-url
For source-url, specify the source URL alias for the local or network file system.
6-13. Configuration files contain commands entered to customize the function of the Cisco IOS software. A way to create a basic configuration file is to use the setup program or to enter the setup privileged EXEC command. For more information, see Chapter 3, “Assigning the Switch IP Address and Default...
You can copy (upload) configuration files from the switch to a file server by using TFTP, FTP, or RCP. You might perform this task to back up a current configuration file to a server before changing its contents so that you can later restore the original configuration file from the server.
Configuration File Types and Location
Startup configuration files are used during system startup to configure the software. Running configuration files contain the current configuration of the software. The two configuration files can be different.
Make sure that the /etc/services file contains this line:
tftp 69/udp
You must restart the inetd daemon after modifying the /etc/inetd.conf and /etc/services files.
The FTP protocol requires a client to send a remote username and password on each FTP request to a server. When you copy a configuration file from the switch to a server by using FTP, the Cisco IOS software sends the first valid username in this list: The username specified in the copy command if a username is specified.
If the server has a directory structure, the configuration file is written to or copied from the directory associated with the username on the server. For example, if the configuration file resides in the home directory of a user on the server, specify that user's name as the remote username.
Command Purpose
Step 6 Return to privileged EXEC mode.
Step 7 copy ftp:[[[//[username[:password]@]location]/directory]... Using FTP, copy the configuration file from a network
Command Purpose
Step 1 configure terminal Enter global configuration mode. This step is required only if you override the default remote username or password (see Steps 4, 5, and 6).
The RCP requires a client to send a remote username with each RCP request to a server. When you copy a configuration file from the switch to a server, the Cisco IOS software sends the first valid username in this list: The username specified in the copy command if a username is specified.
Downloading a Configuration File By Using RCP
Beginning in privileged EXEC mode, follow these steps to download a configuration file by using RCP:
Uploading a Configuration File By Using RCP
Beginning in privileged EXEC mode, follow these steps to upload a configuration file by using RCP:
Replacing and Rolling Back Configurations
The configuration replacement and rollback feature replaces the running configuration with any saved Cisco IOS configuration file. You can use the rollback function to roll back to a previous configuration. These sections contain this information:
• Understanding Configuration Replacement and Rollback, page B-19
EXEC command displays information for all the configuration files saved in the configuration archive. The Cisco IOS configuration archive, in which the configuration files are stored and available for use with the configure replace command, is in any of these file systems: FTP, HTTP, RCP, TFTP.
• replacement configuration file for the running configuration. The replacement file must be a complete configuration generated by a Cisco IOS device (for example, a configuration generated by the copy running-config destination-url command).
Note If you generate the replacement configuration file externally, it must comply with the format of files generated by Cisco IOS devices.
Command Purpose
Step 5 time-period minutes (Optional) Set the time increment for automatically saving an archive file of the running configuration in the configuration archive.
If you do not have access to a TFTP server, you can download a software image file directly to your PC or workstation by using a web browser (HTTP) and then by using the device manager or Cisco Network Assistant to upgrade your switch. For information about upgrading your switch by using a TFTP server or a web browser (HTTP), see the release notes.
Image Location on the Switch
The Cisco IOS image is stored as a .bin file in a directory that shows the version number. A subdirectory contains the files needed for web management. The image is stored on the system board flash memory (flash:).
Field Description
total_image_file_size Specifies the size of all the images (the Cisco IOS image and the web management files) in the tar file, which is an approximate measure of how much flash memory is required to hold them
image_feature Describes the core functionality of the image
Make sure that the /etc/services file contains this line:
tftp 69/udp
You must restart the inetd daemon after modifying the /etc/inetd.conf and /etc/services files.
Command Purpose
Step 3 archive download-sw /overwrite /reload tftp:[[//location]/directory]/image-name.tar Download the image file from the TFTP server to the switch, and overwrite the current image.
The archive upload-sw privileged EXEC command builds an image file on the server by uploading these files in order: info, the Cisco IOS image, and the web management files. After these files are uploaded, the upload algorithm creates the tar file format.
The FTP protocol requires a client to send a remote username and password on each FTP request to a server. When you copy an image file from the switch to a server by using FTP, the Cisco IOS software sends the first valid username in this list:
• The username specified in the archive download-sw or archive upload-sw privileged EXEC
The new username is stored in NVRAM. If you are accessing the switch through a Telnet session and you have a valid username, this username is used, and you do not need to set the FTP username.
Command Purpose
Step 8 archive download-sw /leave-old-sw /reload ftp:[[//username[:password]@location]/directory] Download the image file from the FTP server to the switch, and keep the current image.
The archive upload-sw command builds an image file on the server by uploading these files in order: info, the Cisco IOS image, and the web management files. After these files are uploaded, the upload algorithm creates the tar file format.
RCP requires a client to send a remote username on each RCP request to a server. When you copy an image from the switch to a server by using RCP, the Cisco IOS software sends the first valid username in this list:
For the RCP copy request to execute successfully, an account must be defined on the network server for the remote username. If the server has a directory structure, the image file is written to or copied from the directory associated with the remote username on the server.
Command Purpose
Step 5 Return to privileged EXEC mode.
Step 6 archive download-sw /overwrite /reload rcp:[[[//[username@]location]/directory]/image-na Download the image file from the RCP server to the switch, and overwrite the current image.
If you specify /leave-old-sw, the existing files are not removed. If there is not enough room to install the new image and keep the running image, the download process stops, and an error message is displayed.
The archive upload-sw privileged EXEC command builds an image file on the server by uploading these files in order: info, the Cisco IOS image, and the web management files. After these files are uploaded, the upload algorithm creates the tar file format.
Beginning in privileged EXEC mode from the stack member that you want to upgrade, follow these steps to copy the running image file from the flash memory of a different stack member:
This appendix lists some of the command-line interface (CLI) commands that appear when you enter the question mark (?) at the Catalyst 2975 switch prompt but are not supported in this release, either because they are not tested or because of switch hardware limitations. This is not a complete list. These...
Appendix C Unsupported Commands in Cisco IOS Release 12.2(55)SE
Boot Loader Commands
show access-lists rate-limit [destination]
show accounting
show ip accounting [checkpoint] [output-packets | access violations]
show ip cache [prefix-mask] [type number]
Unsupported Global Configuration Commands
access-list rate-limit acl-index {precedence | mask prec-mask}...
Unsupported Global Configuration Command
priority-list
Unsupported Interface Configuration Commands
priority-group
rate-limit
Unsupported Policy-Map Configuration Command
class class-default
where class-default is the class-map-name.
RADIUS
Unsupported Global Configuration Commands
aaa nas port extended...
Unsupported VLAN Database Commands
vlan
show vlan private-vlan
Unsupported Privileged EXEC Commands
vtp {password password | pruning | version number}
This command has been replaced by the vtp global configuration command.
9-11, 9-17 applying to interfaces 31-18 ACEs creating 31-6 and QoS 33-8 matching criteria 31-6 defined 31-2 named 31-13 Ethernet 31-2 numbers 31-7 31-2 terminal lines, setting on 31-17 unsupported features 31-6
See also CDP DHCP snooping automatic extraction (auto-extract) in switch stacks 6-10 See DHCP snooping binding database automatic QoS bindings See QoS DHCP snooping database 20-7 IP source guard 20-15
23-4 updates 24-3 broadcast storms 23-2 CGMP as IGMP snooping learning method 22-8 joining multicast group 22-3 CipherSuites 9-48 Cisco 7960 IP Phone 14-1 Cisco Discovery Protocol See CDP
Index Cisco intelligent power management 12-5 CLI (continued) Cisco IOS File System history See IFS changing the buffer size Cisco IOS IP Service Level Agreements (SLAs) described responder disabling Cisco IOS IP SLAs 32-1 recalling commands Cisco Secure ACS managing clusters...
5-11 clearing the startup configuration B-19 active (AC) creating using a text editor 5-10 B-10 configuration conflicts default name 38-12 3-18 defined deleting a stored configuration B-19 passive (PC) 5-10 described
7-16 dual-purpose uplinks support for defined 12-4 domain names LEDs 12-4 7-15 link selection 12-4, 12-17 15-9 setting the type 12-17 Domain Name System See DNS downloadable ACL 10-18, 10-20, 10-61
21-13 encryption, CipherSuite 9-48 displaying 21-16 encryption for passwords logging of dropped packets, described 21-5 environment variables, function of 3-22 man-in-the middle attack, described 21-2 error-disabled state, BPDU 18-3
37-16 modes 37-6 support for fa0 interface with dual-action detection 37-6 failover support port-channel interfaces Fast Convergence 19-3 described 37-4 Fast Uplink Transition Protocol 18-6 numbering of 37-4 features, incompatible 23-12
IP Service Level Agreements implicit deny See IP SLAs 31-8, 31-12 implicit masks IP service levels, analyzing 31-8 32-1 named IP SLAs 31-13 undefined 31-19 benefits 32-2 configuration guidelines 32-5 Control Protocol 32-3
20-18, 20-19 35-7 filtering autoconfiguration 35-4 source IP address 20-15 configuring static routes 35-10 source IP and MAC address default configuration 20-15 35-7 on provisioned switches defined 20-17 35-2
25-2 assigning IPv6 addresses to 35-8 LLDP Media Endpoint Discovery changing from Layer 2 mode 34-4 See LLDP-MED Layer 3 packets, classification methods 33-2 local SPAN 27-2 LDAP location TLV 25-3, 25-8
Network Time Protocol open1x See NTP configuring 10-65 no commands open1x authentication nonhierarchical policy maps overview 10-29 described 33-10 optimizing system resources non-IP traffic filtering 31-22 options, management nontrunking mode 13-13 out-of-profile markdown 1-11
38-15 for each matched traffic class 33-50 executing 38-14 for more than one traffic class 33-55 overview 38-14 described 33-4 displaying 33-75 number of 33-36 types of 33-10
10-47 and voice VLAN 10-26 switch-to-client retransmission time 10-46 described 10-25 violation modes 10-39 to 10-40 interactions 10-25 default configuration 10-33, 11-9 multiple-hosts mode 10-12 described 10-1
TLV preemption, default configuration 25-2 19-8 Port Fast preemption delay, default configuration 19-8 described 18-2 preferential treatment of traffic enabling See QoS 18-13 mode, spanning tree preventing unauthorized access 13-24
HTTP client displaying information of 9-51 6-22 configuring a secure HTTP server number 9-50 cryptographic software image 9-46 priority value described provisioning a new member 9-46 6-20 monitoring replacing 9-52 6-13
6-10 managing examples 6-11 membership manual upgrades with auto-advise 6-10 merged upgrades with auto-extract 6-10 MSTP instances supported 16-10 version-mismatch mode described See also stack master and stack member
9-17 limiting access by servers 30-16 tar files TFTP server creating threshold, traffic level 23-2 displaying the contents of time extracting See NTP and system clock image file format B-24
VLAN for untagged traffic 1-11 13-19 traffic suppression 23-2 parallel 13-21 transmit hold-count pruning-eligible list 13-18 see STP to non-DTP device 13-13 transparent mode, VTP trusted boundary for QoS 15-3 33-40 trap-door mechanism
MAC address filtering and adding static addresses 7-28 and broadcast MAC addresses 7-27 and CPU packets 7-27 and multicast addresses 7-27 and router MAC addresses 7-27 configuration guidelines 7-27 described 7-27
VLAN Management Policy Server Token Ring 13-5 See VMPS traffic between 13-2 VLAN membership VTP modes 15-3 confirming 13-26 VLAN Trunking Protocol modes 13-3 See VTP VLAN Query Protocol VLAN trunks 13-13 See VQP
13-18 IP phone data traffic, described server mode, configuring 14-3 15-11, 15-13 IP phone voice traffic, described statistics 14-2 15-17 1-8, 13-23 support for Token Ring support 15-4 transparent mode, configuring 15-11
See WTD wired location service configuring 25-10 displaying 25-12 location TLV 25-3 understanding 25-3 wizards described 33-12 setting thresholds egress queue-sets 33-68 ingress queues 33-63 support for 1-11, 1-12