Cisco Catalyst 2950 Software Manual

Desktop switch software configuration guide

Catalyst 2950 Desktop Switch Software
Configuration Guide
Cisco IOS Release 12.1(6)EA2b
March, 2002
Corporate Headquarters
Cisco Systems, Inc.
170 West Tasman Drive
San Jose, CA 95134-1706
USA
http://www.cisco.com
Tel: 408 526-4000
800 553-NETS (6387)
Fax: 408 526-4100
Customer Order Number: DOC-7811380=
Text Part Number: 78-11380-03


Summary of Contents for Cisco Catalyst 2950

  • Page 3: Table Of Contents

    Features; Front Panel View; Cluster Tree; Front-Panel Images; Redundant Power System LED...
  • Page 4: Link

    Accessing CMS; Access Modes in CMS; Verifying Your Changes; Change Notification; Error Checking; Saving Your Changes; Using Different Versions of CMS; Where to Go Next...
  • Page 5 Using SNMP to Access MIB Variables; Default Settings; Clustering Switches; Understanding Switch Clusters; Command Switch Characteristics; Standby Command Switch Characteristics; Candidate and Member Switches Characteristics...
  • Page 6 Using DHCP-Based Autoconfiguration; Understanding DHCP-Based Autoconfiguration; DHCP Client Request Process; Configuring the DHCP Server; Configuring the TFTP Server; Configuring the Domain Name and the DNS; Configuring the Relay Device...
  • Page 8 Changing the Management VLAN Through a Telnet Connection; Assigning VLAN Port Membership Modes; VLAN Membership Combinations; Assigning Static-Access Ports to a VLAN; Using VTP; The VTP Domain; VTP Modes and Mode Transitions...
  • Page 10 Accelerated Aging to Retain Connectivity; Understanding Advanced STP Features; Understanding Port Fast; Understanding BPDU Guard; Understanding UplinkFast; Understanding Cross-Stack UplinkFast; How CSUF Works; Events that Cause Fast Convergence...
  • Page 12 CLI: Enabling IGMP Immediate-Leave Processing; Setting the Snooping Method; Joining a Multicast Group; Statically Configuring a Host to Join a Group; CLI: Statically Configuring an Interface to Join a Group...
  • Page 13 Understanding ACLs; ACLs; Handling Fragmented and Unfragmented Traffic; Understanding Access Control Parameters; Guidelines for Configuring ACLs on the Catalyst 2950 Switches; Configuring ACLs; Unsupported Features; Creating Standard and Extended IP ACLs; ACL Numbers...
  • Page 14: Port Priority

    Replacing a Failed Command Switch with a Cluster Member; Replacing a Failed Command Switch with Another Switch; Recovering from a Failed Command Switch Without HSRP; Recovering from a Lost or Forgotten Password...
  • Page 15 Error Message Traceback Reports; Error Messages and Recovery Procedures; Chassis Message; CMP Messages; Environment Messages; GigaStack Messages; Link Message; RTD Messages; Storm Control Messages; Index...
  • Page 17: Preface

    The Catalyst 2950 switch is supported by either the standard software image or the enhanced software image. The enhanced software image provides a richer set of features, including access control lists (ACLs) and enhanced quality of service (QoS) features.
  • Page 18: Organization

    • syntax and usage information about the commands that have been specifically created or changed for the Catalyst 2950 switches, refer to the Catalyst 2950 Desktop Switch Command Reference. Note This guide does not repeat the concepts and CLI procedures provided in the standard Cisco IOS Release 12.1 documentation.
  • Page 19: Conventions

    Chapter 9, “Configuring STP,” advanced spanning-tree features. The online help provides the CMS procedures. Chapter 10, “Configuring the Switch Ports,” configuring the switch ports. The online help provides the CMS procedures for configuring the switch ports. Chapter 11, “Configuring IGMP Snooping and MVR,”...
  • Page 20: Related Publications

    You can order printed copies of documents with a DOC-xxxxxx= number from the Cisco.com sites and from the telephone numbers listed in the • Release Notes for the Catalyst 2950 Switch (not orderable but is available on Cisco.com) Note Switch requirements and procedures for initial configurations and software upgrades tend to change and therefore appear only in the release notes.
  • Page 21: Documentation Cd-Rom

    Cisco Technical Assistance Center (TAC) Web Site. Cisco.com registered users have complete access to the technical support resources on the Cisco TAC Web Site...
  • Page 22: Cisco.com

    Cisco TAC Web Site. The Cisco TAC Web Site requires a Cisco.com login ID and password. If you have a valid service contract but do not have a login ID or password, go to the following URL to register: http://www.cisco.com/register/ yourself, saving both cost and time.
  • Page 23: Cisco Tac Escalation Center

    SMARTnet, SMARTnet Onsite, or Network Supported Accounts (NSA). In addition, please have available your service agreement number and your product serial number...
  • Page 25: Chapter 1 Overview

    • Examples of the Catalyst 2950 switches in different network topologies Features The Catalyst 2950 software supports the switches listed in the Release Notes for the Catalyst 2950 Cisco IOS Release 12.1(6)EA2b. Note Some features require that you have the enhanced software image installed on your switch. See the “Purpose”...
  • Page 26: Overview

    • Support for mini-jumbo frames. The Catalyst 2950 switches running Cisco IOS Release 12.1(6)EA2 or later support frame sizes 1500 to 1530 bytes • Per-port broadcast storm control for preventing faulty end stations from degrading overall system performance with...
  • Page 27 Directed unicast requests to a Trivial File Transfer Protocol (TFTP) server for obtaining software upgrades from a TFTP server • Default configuration storage in Flash memory to ensure that the switch can be connected to a network and can forward traffic with minimal user intervention • In-band management access through a CMS web-based session • In-band management access through up to 16 simultaneous Telnet connections for multiple command-line interface...
  • Page 28: Port Fast

    STP root guard for preventing switches outside the network core from becoming the STP root Note A Catalyst 2950 switch can support up to 64 spanning-tree instances (see VLAN Support • Catalyst 2950 switches support 250 port-based VLANs for assigning users to VLANs associated with appropriate network resources, traffic patterns, and bandwidth. Note The Catalyst 2950-12 and Catalyst 2950-24 switches support only 64 port-based VLANs.
  • Page 29 Multilevel security for a choice of security level, notification, and resulting actions • MAC-based port-level security for restricting the use of a switch port to a specific group of source addresses and preventing switch access from unauthorized stations • Terminal Access Controller Access Control System Plus (TACACS+), a proprietary feature for managing network...
  • Page 30: Management Options

    1. This feature is available only on a switch running the enhanced software image. Management Options The Catalyst 2950 switches are designed for plug-and-play operation: you only need to assign basic IP information to the switch and connect it to the other devices in your network. If you have specific network needs, you can configure and monitor the switch—on an individual basis or as part of a switch...
  • Page 31: Advantages Of Using Cms And Clustering Switches

    IP address as if they were a single entity. This can conserve IP addresses if you have a limited number of them. CMS is the easiest interface to use and makes switch and switch cluster management accessible to authorized users from any PC on your network.
  • Page 32: Network Configuration Examples

    Network Configuration Examples This section provides network configuration concepts and includes examples of using the switch to create dedicated network segments and interconnecting the segments through Fast Ethernet and Gigabit Ethernet connections. Design Concepts for Using the Switch As your network users compete for network bandwidth, it takes longer to send and receive data.
  • Page 33 Cost-effective wiring closet—A cost-effective way to connect many users to the wiring closet is to connect up to nine Catalyst 2900 XL, Catalyst 2950, Catalyst 3500 XL, and Catalyst 3550 switches through GigaStack GBIC connections. When you use a stack of Catalyst 2950-48 switches, you can connect up to 432 users.
  • Page 34: Small To Medium-Sized Network Configuration

    This divides the network into smaller segments (or workgroups) and reduces the amount of traffic that travels over a network backbone, thereby increasing the bandwidth available to each user and improving server response time...
  • Page 35 It is required if numerous segments require access to the servers. The Catalyst 2900, Catalyst 2950, Catalyst 3500, and Catalyst 3550 switches in this network are connected through a GigaStack GBIC on each switch to form a 1-Gbps network backbone. This GigaStack can also be configured as a switch cluster, with primary and secondary command switches for redundant cluster management.
  • Page 36: Collapsed Backbone And Switch Cluster Configuration

    10/100 inline-power ports on the Catalyst 3524-PWR XL switches and to the 10/100 ports on the Catalyst 2950 switches. These multiservice switch ports automatically detect if an IP phone is connected. Cisco CallManager controls call processing, routing, and IP phone features and configuration.
  • Page 37: Large Campus Configuration

    130 Gigabit connections, a Catalyst 6500 multilayer switch is used as the backbone switch. You can use the workgroup configurations shown in previous examples to create workgroups with Gigabit uplinks to the Catalyst 6500 switch. For example, you can use switch clusters that have a mix of Catalyst 2950 switches.
  • Page 38 [Figure labels: 7500 router; Servers; Catalyst 6500 switch; Catalyst 2950, 2900 XL, 3500 XL, and 3550 GigaStack cluster; Workstations running Cisco SoftPhone software; IP telephony network or PSTN; Cisco access gateway; 1 Gbps (2 Gbps...]
  • Page 39 For procedures for using CMS, refer to the online help. Note This chapter describes the CMS interface of the Catalyst 2950 switches. Refer to the appropriate switch documentation for descriptions of the web-based management software used on other Catalyst switches.
  • Page 40: Getting Started With Cms

    (also referred to as Switch Manager). Device Manager is for configuring an individual switch. When you select Device Manager for a specific switch in the cluster, you launch a separate CMS session. The Device Manager interface can vary between the Catalyst switch platforms.
  • Page 41 For example, button displays the legend of icons and color codes. Topology view of the cluster. the cluster. Features Click Guide or Expert interaction mode to change how some configuration options will be...
  • Page 42 Front Panel View When CMS is launched from a command switch, the Front Panel view displays the front-panel images of all switches in the cluster member switch, the Front Panel view displays only the front panel of the specific switch...
  • Page 43: Cluster Tree

    Yellow The internal fan of the switch is not operating, or the switch is receiving power from an RPS. Switch is not powered up, has lost power, or the command switch is unable to communicate with the member switch...
  • Page 44: Front-Panel Images

    Front-Panel Images You can manage the switch from a remote station by using the front-panel images. The front-panel images are updated based on the network polling interval that you set from CMS > Preferences. Note The Preferences window is not available if your switch access level is read-only. For more information...
  • Page 45: Redundant Power System Led

    • One of the RPS power supplies could be down. Contact Cisco Systems. • The RPS fan could have failed. Contact Cisco Systems. Blinking amber Internal power supply of the switch is down, and redundancy is lost. The switch is operating on the RPS. (Table 2-2).
  • Page 46: Port Modes And Leds

    Note The bandwidth utilization mode (UTL LED) does not appear on the front-panel images. Select Reports > Bandwidth Graphs to display the total bandwidth in use by the switch. Refer to the switch hardware installation guide for information about using the UTL LED.
  • Page 47: Vlan Membership Modes

    VLAN Membership Modes. Mode and color: Static access, Light green; Dynamic access, Pink; 802.1Q trunk, Peach; Negotiate trunk, White. (Table 8-4. 2-5) when you click Highlight VLAN Port “Assigning VLAN Port Membership...
  • Page 48: Topology View

    Note The Topology view displays only the switch cluster and network neighborhood of the specific command or member switch that you access. To display a different switch cluster, you need to access the command switch or member switch of that cluster.
  • Page 49 Figure 2-7 Collapse Cluster View (callouts): Right-click a device icon to display a device popup menu. Cluster members of cluster1 and other devices connected to cluster1. Neighboring cluster connected to cluster1.
  • Page 50: Topology Icons

    To select a link, click the link that you want to select. To select multiple links, press the Ctrl key, and click the links that you want to select. “Colors in the Topology View” section on page...
  • Page 51: Device And Link Labels

    • The IP address displays only in the labels for the command switch and member switches. • The label of a neighboring cluster icon only displays the IP address of the command-switch IP address. • The displayed link speeds are the actual link speeds except on the LRE links, which display the administratively assigned speed settings.
  • Page 52: Colors In The Topology View

    Icon Color Color Meaning Green The device is operating. Yellow The internal fan of the switch is not operating, or the switch is receiving power from an RPS. The device is not operating. 1. Available only on the cluster members.
  • Page 53: Menus And Toolbar

    Layer 3 and Layer 2 switches in the cluster. – If the command switch is a Layer 2 switch, such as a Catalyst 2950 or Catalyst 3500 XL switch, the menu bar displays the features of all Layer 2 switches in the cluster. The menu bar does not display Layer 3 features even if the cluster has Catalyst 3550 Layer 3 member switches.
  • Page 54: Tabs, Cms

    – Catalyst 2950 member switches running Cisco IOS Release 12.0(5)WC2 or earlier – Catalyst 3550 member switches running Cisco IOS Release 12.1(6)EA1 or earlier For more information about this limitation, refer to the Catalyst 2950 release notes. These switches do not support CMS access modes: •...
  • Page 55 Remove a member from the cluster. Create a Hot Standby Router Protocol (HSRP) standby group to provide command-switch redundancy. Enter the number of hops away that a command switch looks for members and for candidate switches. Launch Device Manager for a specific switch.
  • Page 56: Management Vlan

    Display the most recent system messages (IOS messages and switch-specific messages) sent by the switch software. This option is available on the Catalyst 2950 or Catalyst 3550 switches. It is not available from the Catalyst 2950 switches. You can display the system messages of the Catalyst 2950 switches when they are in a cluster where the command switch is a Catalyst 2950 switch running Cisco IOS Release 12.1(6)EA2 or later.
  • Page 57 2. Some options from this menu option are not available in read-only mode. 3. Available only from a Device Manager session on a cluster member. 4. Available only from a Device Manager session on a command-capable switch that is not a cluster member. 5. Available only from a cluster management session.
  • Page 58: Toolbar

    Toolbar The toolbar buttons display commonly used switch and cluster configuration options and information windows such as legends and online help. Hover the cursor over an icon to display the feature. describes the toolbar options, from left to right on the toolbar.
  • Page 59: Front Panel View Popup Menus

    These popup menus are available in the Front Panel view. Device Popup Menu You can display all switch and cluster configuration windows from the menu bar, or you can display commonly used configuration windows from the device popup menu popup menu, click the switch icon from the cluster tree or the front-panel image itself, and right-click.
  • Page 60: Topology View Popup Menus

    If multiple links are configured between two devices, when you click the link icon and right-click, the Multilink Content window appears display the link popup menu specific for that link. Figure 2-10 Multilink Decomposer Window (Figure 2-10).
  • Page 61: Device Popup Menus

    • Candidate switch without an IP address • Neighboring devices Note The Device Manager option in these popup menus is available in read-only mode on Catalyst 2950 switches running Cisco IOS Release 12.0(5)WC2 and later. It is also available on Catalyst 2950 switches running Cisco IOS Release 12.1(6)EA2 and later.
  • Page 62 2-31. 2. Available from a cluster member switch but not from the command switch. Table 2-19 Device Popup Menu of a Candidate-Switch Icon (When the Candidate Switch Does Not Have an IP Address) Popup Menu Option Task Add to Cluster Add a candidate to a cluster.
  • Page 63: Interaction Modes

    Expert mode displays a configuration window in which you configure the feature options. Guide Mode Note Guide mode is not available if your switch access level is read-only. For more information about the read-only access mode, see the Guide mode is for users who want a step-by-step approach for completing a specific configuration task.
  • Page 64: Wizards

    • A yellow device icon in the cluster tree or in Topology view—A popup displays a fault message, such as that the RPS is faulty or that the switch is unavailable because you are in read-only mode. • A red device icon in the cluster tree or in Topology view—A popup displays a message that the...
  • Page 65: Online Help

    Click Back and Forward to redisplay previously displayed pages. ... letters of the topic, and click Find to search the index. Click Feedback to send us your comments about the online help...
  • Page 66: Cms Window Components

    Host Name List To display or change the configuration of a cluster member, you need to select the specific switch from the Host Name drop-down list. The list appears in the configuration window of each feature and lists only the cluster members that support that feature. For example, the Host Name list on the VLAN window does not include Catalyst 1900 and Catalyst 2820 switches even though they are part of the cluster.
  • Page 67: Tabs, Lists, And Tables

    Modify—Display the secondary window for changing information on the selected item or items. You usually select an item from a list or table and click Modify. (Figure 2-13). 2-32...
  • Page 68: Accessing Cms

    You can access the CLI by clicking Monitor the router - HTML access to the command line interface from a cached copy of the Cisco Systems Access page. To prevent unauthorized access to CMS and the CLI, exit your browser to end the browser session.
  • Page 69: Access Modes In Cms

    – Catalyst 2950 member switches running Cisco IOS Release 12.0(5)WC2 or earlier – Catalyst 3550 member switches running Cisco IOS Release 12.1(6)EA1 or earlier For more information about this limitation, refer to the Catalyst 2950 release notes. These switches do not support read-only mode on CMS: •...
  • Page 70: Verifying Your Changes

    When you enter valid data in the field, a green border replaces the red border until you either save or cancel the change. If there is an error in communicating with the switch or if you make an error while performing an action, a popup dialog notifies you about the error.
  • Page 71: Using Different Versions Of Cms

    CMS on the Catalyst 1900 and Catalyst 2820 switches is referred to as Switch Manager. Cluster management options are not available on these switches. This is the earliest version of CMS. Refer to the documentation specific to the switch and its IOS release for descriptions of the CMS version you are using.
  • Page 73: Ios Command Modes

    When you start a session on the switch, you begin in user mode, often called user EXEC mode. Only a limited subset of the commands are available in user EXEC mode. For example, most of the user EXEC commands are one-time commands, such as show commands, which show the current configuration status, and clear commands, which clear counters or interfaces.
  • Page 74: Ios Command Modes

    While in global configuration mode, specify a line with the line vty or line console command. Prompt Exit Method Enter logout or quit. Switch> Enter disable or exit. Use this mode to verify...
  • Page 75: Getting Help

    ? command keyword ? Abbreviating Commands You only have to enter enough characters for the switch to recognize the command as unique. This example shows how to enter the show configuration command: Switch# show conf...
  • Page 76: Using No And Default Forms Of Commands

    ... at ‘^’ marker. You entered the command incorrectly. The caret (^) marks the point of the error. Re-enter the command followed by a question mark (?) with a space between the command and the question mark.
  • Page 77: Using Command History

    Changing the Command History Buffer Size By default, the switch records ten command lines in its history buffer. Beginning in user EXEC mode, enter this command to change the number of command lines that the switch records during the current terminal session: Switch>...
  • Page 78: Using Editing Features

    Recall commands from the buffer and paste them in the command line. (The switch provides a buffer with the last ten items that you deleted.) Keystroke Purpose Press Ctrl-B, or press the Move the cursor back one character.
  • Page 79: Editing Command Lines That Wrap

    Capitalize letters from the cursor to the end of the word. Press the Return key. Scroll down one line. Press the Space bar. Scroll down one screen. Press Ctrl-L or Ctrl-R. Redisplay the current command line...
  • Page 80: Searching And Filtering Output Of Show And More Commands

    Vlan1 is up, line protocol is up Vlan10 is up, line protocol is down GigabitEthernet0/1 is up, line protocol is down GigabitEthernet0/2 is up, line protocol is up 3-6. “Editing Commands through...
  • Page 81: Accessing The Cli

    You can also access the CLI by clicking Monitor the router- HTML access to the command line interface from the Cisco Systems Access page. For information about the Cisco Systems Access page, see the “Accessing CMS” section in the release notes.
  • Page 82: Saving Configuration Changes

    Access page. You can access the CLI by clicking Web Console - HTML access to the command line interface from a cached copy of the Cisco Systems Access page. To prevent unauthorized access to CMS and the CLI, exit your browser to end the browser session.
  • Page 83: Chapter 4 General Switch Administration

    The switch uses IP address information to communicate with the local routers and the Internet. You need this if you plan to use the CMS to configure and manage the switch. The switch also requires a secret password. The IP information is •...
  • Page 84: Switch Software Releases

    The switch software is regularly updated with new features and bug fixes, and you might want to upgrade your Catalyst 2950 with the latest software release. New software releases are posted on Cisco.com on the World Wide Web and are available through authorized resellers. Cisco also supplies a TFTP server that you can download from Cisco.com.
  • Page 85: Http Access To Cms

    Note The HTTP Port option on CMS is not available if your access level to the switch is read-only. For more information about the read-only access mode, see Do not disable or otherwise misconfigure the port through which your management station is communicating with the switch.
  • Page 86: Snmp Network Management Platforms

    You can configure these groups by using an SNMP application or by using the CLI. The four supported groups are alarms, events, history, and statistics. This section describes how to access MIB objects to configure and manage your switch. It provides this information: • Using File Transfer Protocol (FTP) to access the MIB files...
  • Page 87: Using Ftp To Access The Mib Files

    An example of an NMS is the CiscoWorks network management software. CiscoWorks2000 software uses the switch MIB variables to set device variables and to poll devices on the network for specific information. The results of a poll can be displayed as a graph and analyzed to troubleshoot internetworking problems, to increase network performance, to verify the configuration of devices, to monitor traffic loads, and more.
  • Page 88: Default Settings

    The switch is designed for plug-and-play operation, requiring only that you assign basic IP information to the switch and connect it to the other devices in your network. For information about assigning basic IP information to the switch, see the release notes.
  • Page 89 Concepts and CLI Procedures “Enabling a Command Switch” section on page 5-17. No CLI procedure provided. For the cluster commands, refer to the Catalyst 2950 Desktop Switch Command Reference. “Creating a Switch Cluster” section on page 5-16. No CLI procedure. For the cluster commands, refer to the Catalyst 2950 Desktop Switch Command Reference.
  • Page 90 – VMPS Configuration – VTP Management VTP server mode Concepts and CLI Procedures “Configuring the Domain Name and the DNS” section on page 6-5. Documentation set for Cisco IOS Release 12.1 on Cisco.com.
  • Page 91 “Guidelines for Configuring ACLs on the Catalyst 2950 Switches” section on page “Creating Standard and Extended IP ACLs” section on page 12-7. CMS Option Port > Port Settings Port > Port Settings Port >...
  • Page 92: Switch Port Analyzer

    Terminal Access Controller Disabled Access Control System Plus (TACACS+) Protected port Disabled Concepts and CLI Procedures “Configuring Classification Using Port Trust States” section on page 13-10. “Configuring a QoS Policy” section on page 13-13.
  • Page 93 802.1X port-based Disabled authentication 1. Available only from a Device Manager session on a command-capable switch that is not a cluster member. 2. Available only from a cluster management session. 3. Available only on a switch running the enhanced software image.
  • Page 95: Chapter 5 Clustering Switches

    Java plug-in configurations. Note This chapter focuses on Catalyst 2950 switch clusters. It also includes guidelines and limitations for clusters mixed with other cluster-capable Catalyst switches, but it does not provide complete descriptions of the cluster features for these other switches. For complete cluster information for a specific Catalyst platform, refer to the software configuration guide for that switch.
  • Page 96: Understanding Switch Clusters

    Understanding Switch Clusters A switch cluster is a group of connected Catalyst switches that are managed as a single entity. In a switch cluster, 1 switch must be the command switch and up to 15 switches can be member switches. The total number of switches in a cluster cannot exceed 16 switches.
  • Page 97: Standby Command Switch Characteristics

    • If your switch cluster has Catalyst 2900 XL, Catalyst 2950, and Catalyst 3500 XL switches, the Catalyst 2950 should be the command switch. • If your switch cluster has Catalyst 1900, Catalyst 2820, Catalyst 2900 XL, and Catalyst 3500 XL switches, either the Catalyst 2900 XL or Catalyst 3500 XL should be the command switch.
  • Page 98: Planning A Switch Cluster

    Availability of Switch-Specific Features in Switch Clusters, page 5-16 Refer to the release notes for the list of Catalyst switches eligible for switch clustering, including which ones can be command switches and which ones can only be member switches, and for the required software versions and browser and Java plug-in configurations.
  • Page 99 VLAN 16. The CDP hop count is three. The command switch discovers switches 11, 12, 13, and 14 because they are within 3 hops from the edge of the cluster. It does not discover switch 15 because it is 4 hops from the edge of the cluster.
  • Page 100: Discovery Through Non-Cdp-Capable And Noncluster-Capable Devices

    Figure 5-2 shows that the command switch discovers the Catalyst 3500 XL switch, which is connected to a third-party hub. However, the command switch does not discover the Catalyst 2950 switch that is connected to a Catalyst 5000 switch. Figure 5-2...
  • Page 101: Discovery Through The Same Management Vlan

    Discovery through the Same Management VLAN When the cluster has a Catalyst 2900 XL, Catalyst 2950, or Catalyst 3500 XL command switch, all cluster members must connect to it through the command-switch management VLAN, which is VLAN 1 by default.
  • Page 102: Discovery Through Different Management Vlans

    We strongly recommend that a Catalyst 3550 switch be the command switch when the cluster has Catalyst 1900, Catalyst 2820, Catalyst 2900 XL, Catalyst 2950, and Catalyst 3500 XL member switches. These member switches must connect to each other and to a Catalyst 3550 command switch through their management VLAN, which is VLAN 1 by default.
  • Page 103: Discovery Of Newly Installed Switches

    A new Catalyst 3550 switch automatically configures the access port to belong to the immediately upstream VLAN, VLAN 16. • A new Catalyst 2950 switch configures the access port to belong to the upstream VLAN, VLAN 16. The management VLAN of the Catalyst 2950 switch becomes VLAN 16. Figure 5-5...
  • Page 104: Hsrp And Standby Command Switches

    • Catalyst 3550 switches or Catalyst 2950 switches running Cisco IOS Release 12.1(6)EA2 or later. • When the command switch is a Catalyst 2950 switch running Cisco IOS Release 12.1(6)EA2 or later, all standby command switches must be Catalyst 2950 switches running Cisco IOS Release 12.1(6)EA2 or later.
  • Page 105: Virtual Ip Addresses

    Automatic discovery has these limitations: • This limitation applies only to clusters that have Catalyst 2950 and Catalyst 3550 command and standby command switches: If the active command switch and standby command switch become disabled at the same time, the passive command switch with the highest priority becomes the active command switch.
  • Page 106: Considerations For Cluster Standby Groups

    Catalyst 3550 switches or Catalyst 2950 switches running Cisco IOS Release 12.1(6)EA2 or later. When the command switch is a Catalyst 2950 switch running Cisco IOS Release 12.1(6)EA2 or later, all standby command switches must be Catalyst 2950 switches running Cisco IOS Release 12.1(6)EA2 or later.
  • Page 107: Ip Addresses

    IP address to access the cluster or the IP address available on the new active command switch. You can assign an IP address to a cluster-capable switch, but it is not necessary. A member switch is managed and communicates with other member switches through the command-switch IP address. If the member switch leaves the cluster and it does not have its own IP address, you then must assign IP information to it to manage it as a standalone switch.
  • Page 108: Host Names

    For example, a command switch named eng-cluster could name the fifth cluster member eng-cluster-5. If a switch has a host name, it retains that name when it joins a cluster. It retains that host name even after it leaves the cluster.
  • Page 109: Tacacs

    You can change the management VLAN of a member switch (not the command switch); however, the command switch will not be able to communicate with it. In this case, you will need to manage the switch as a standalone switch.
  • Page 110: Lre Profiles

    VLAN of the cluster to a different management VLAN. If you add a new switch to an existing cluster and the cluster is using a management VLAN other than the default VLAN 1, the command switch automatically senses that the new switch has a different management VLAN and has not been configured.
  • Page 111: Enabling A Command Switch

    • If your switch cluster has a Catalyst 3550 switch, that switch should be the command switch. • If your switch cluster has Catalyst 2900 XL, Catalyst 2950, and Catalyst 3500 XL switches, the Catalyst 2950 should be the command switch.
  • Page 112: Adding Member Switches

    From CMS, there are two ways to add switches to a cluster: • Select Cluster > Add to Cluster, and select a candidate switch from the list. To add more than one candidate switch, press Ctrl, and make your choices, or press Shift, and choose the first and last switch in a range.
  • Page 113 Add to Cluster to add the switch to the cluster. Select a switch, and click Add. Press Ctrl and left-click to select more than one switch.
  • Page 114: Creating A Cluster Standby Group

    • Catalyst 3550 switches or Catalyst 2950 switches running Cisco IOS Release 12.1(6)EA2 or later. • When the command switch is a Catalyst 2950 switch running Cisco IOS Release 12.1(6)EA2 or later, all standby command switches must be Catalyst 2950 switches running Cisco IOS Release 12.1(6)EA2 or later.
  • Page 115 Figure 5-10 Standby Command Configuration Window. Callouts: Active command switch. Standby command switch. Must be a valid IP...
  • Page 116: Verifying A Switch Cluster

    The summary includes information such as switch model numbers, serial numbers, software versions, IP information, and location. You can also display port and switch statistics from Reports > Port Statistics and Port > Port Settings > Runtime Status. Instead of using CMS to verify the cluster, you can use the show cluster members user EXEC command from the command switch or use the show cluster user EXEC command from the command switch or from a member switch.
  • Page 117: Using The Cli To Manage Switch Clusters

    Telnet session accesses the management console (a menu-driven interface) if the command switch is at privilege level 15. If the command switch is at privilege level 1 to 14, you are prompted for the password to access the menu console.
  • Page 118: Using Snmp To Manage Switch Clusters

    Using SNMP to Manage Switch Clusters When you first power on the switch, SNMP is enabled if you enter the IP information by using the setup program and accept its proposed configuration. If you did not use the setup program to enter the IP information and SNMP was not enabled, you can enable it as described in the “Configuring SNMP”...
  • Page 119: Chapter 6 Configuring The System

    (CLI) procedures for using commands that have been specifically created or changed for the Catalyst 2950 switches. For complete syntax and usage information for the commands used in this chapter, refer to the Catalyst 2950 Desktop Switch Command Reference.
  • Page 120: Manually Assigning And Removing Switch Ip Information

    Manually Assigning and Removing Switch IP Information You can manually assign an IP address, mask, and default gateway to the switch. The mask identifies the bits that denote the network number in the IP address. When you use the mask to subnet a network, the mask is then referred to as a subnet mask.
  • Page 121: Understanding Dhcp-Based Autoconfiguration

    TFTP server, a Domain Name System (DNS) server, and possibly a relay device if the servers are on a different LAN than your switch. A relay device forwards broadcast traffic between two directly connected LANs. A router does not forward broadcast packets, but it forwards packets based on the destination IP address in the received packet.
  • Page 122: Configuring The Dhcp Server

    If the IP address and subnet mask are not in the reply, the switch is not configured. If the DNS server IP address, router IP address, or TFTP server name are not found, the switch might broadcast TFTP requests. Unavailability of other lease options does not affect autoconfiguration.
  • Page 123: Configuring The Tftp Server

    TFTP server name-to-IP-address mapping in the DNS-server database. The TFTP server can be on the same or on a different LAN as the switch. If it is on a different LAN, the switch must be able to access it through a relay device or a router. For more information, see the “Configuring the Relay Device”...
  • Page 124: Configuring The Relay Device

    The DNS server can be on the same or on a different LAN as the switch. If it is on a different LAN, the switch must be able to access it through a relay device or router. For more information, see the “Configuring the Relay Device”...
  • Page 125: Obtaining Configuration Files

    If the host name is not found in the file, the switch uses the host name in the DHCP reply. If the host name is not specified in the DHCP reply, the switch uses the default “Switch”...
  • Page 126: Example Configuration

    Changing IP Information After obtaining its host name from the default configuration file or the DHCP reply, the switch reads the configuration file that has the same name as its host name (hostname-confg or hostname.cfg, depending on whether network-confg or cisconet.cfg was read earlier) from the TFTP server. If the cisconet.cfg file is read, the filename of the host is truncated to eight characters.
  • Page 127 The TFTP server base directory is set to /tftpserver/work/. This directory contains the network-confg file used in the two-file read method. This file contains the host name to be assigned to the switch based on its IP address. The base directory also contains a configuration file for each switch (switch1-confg, switch2-confg, and so forth) as shown in this display: prompt>...
  • Page 128: Changing The Password

    Note You can change a password only by using the CLI. Your connection with the switch ends when you change the enable secret password. You will then need to reopen the session with the new password. If you have forgotten your password, see the page 14-9.
  • Page 129: Setting The System Date And Time

    Setting the System Date and Time You can change the date and a 24-hour clock time setting on the switch. If you are entering the time for an American time zone, enter the three-letter abbreviation for the time zone, such as PST for Pacific standard time.
  • Page 130: Configuring The Switch For Ntp Broadcast-Client Mode

    IP address, the management station accesses the switch by using that IP address. By default, no trap manager is defined, and no traps are issued. switch traps. You can enable any or all of these traps and configure a trap manager on these switches to receive them.
  • Page 131: Configuring Cdp

    Configuring CDP Use the Cisco IOS CLI and Cisco Discovery Protocol (CDP) to enable CDP for the switch, set global CDP parameters, and display information about neighboring Cisco devices. CDP enables the Cluster Management Suite (CMS) to display a graphical view of the network. For example, the switch uses CDP to find cluster candidates and to maintain information about cluster members and other devices up to three cluster-enabled devices away from the command switch.
  • Page 132: Configuring Cdp For Extended Discovery

    Configuring CDP for Extended Discovery You can change the default configuration of CDP on the command switch to discover devices up to seven hops away. See series switch. Although the Catalyst 5000 supports CDP, it does not support clustering, and the command switch cannot learn about connected candidate switches connected to it, even if they are running CMS.
  • Page 133: Managing The Mac Address Tables

    These MAC tables include these types of addresses: • Dynamic address: a source MAC address that the switch learns and then drops when it is not in use. • Secure address: a manually entered unicast address or dynamically learnt address that is usually associated with a secured port.
  • Page 134: Changing The Address Aging Time

    Setting too short an aging time can cause addresses to be prematurely removed from the table. Then when the switch receives a packet for an unknown destination, it floods the packet to all ports in the same VLAN as the receiving port. This unnecessary flooding can impact performance. Setting too long an aging time can cause the address table to be filled with unused addresses;...
  • Page 135: Mac Address Notification

    MAC address notification enables you to keep track of the MAC addresses that are learned or removed from your switch. When a new MAC address is learned or an old MAC address is removed from the switch, an SNMP notification (trap) is generated. Traps can be bundled and sent at regular intervals.
  • Page 136: Adding Secure Addresses

    • It can be a unicast or multicast address. • It does not age and is retained when the switch restarts. Purpose Enter global configuration mode. Identify a specific interface for configuration, and enter interface configuration mode.
  • Page 137: Configuring Static Addresses For Etherchannel Port Groups

    Because all ports are associated with at least one VLAN, the switch acquires the VLAN ID for the address from the ports that you specify. You can specify a different list of destination ports for each source port.
  • Page 138: Configuring Tacacs

    TACACS+ consists of three services: authentication, authorization, and accounting. Authentication determines who the user is and whether or not the user is allowed access to the switch. Authorization determines what the user is allowed to do on the system. Accounting collects data related to resource usage.
  • Page 139: Configuring Login Authentication

    Enter line configuration mode, and configure the lines to which you want to apply the authentication list. Apply the authentication list to a line or set of lines. Return to privileged EXEC mode. Verify your entries...
  • Page 140: Specifying Tacacs+ Authorization For Privileged Exec Access And Network Services

    Beginning in privileged EXEC mode, follow these steps to specify TACACS+ authorization for privileged EXEC access and network services: Command Step 1 configure terminal Step 2 aaa authorization network tacacs+ Configure the switch for user TACACS+ authorization for all Step 3 aaa authorization exec tacacs+ Step 4 exit Step 5...
  • Page 141: Configuring A Switch For Local Aaa

    Release 12.1 Security Command Reference. Configuring a Switch for Local AAA You can configure AAA to operate without a server by setting the switch to implement AAA in local mode. The switch then verifies authentication and authorization. No accounting is available in this configuration.
  • Page 142: Controlling Switch Access With Radius

    RADIUS clients run on supported Cisco routers and switches (including Catalyst 3550 multilayer switches and Catalyst 2950 switches) and send authentication requests to a central RADIUS server, which contains all user authentication and network service access information. The RADIUS host is normally a multiuser system running RADIUS server software from Cisco (Cisco Secure Access Control Server version 3.0), Livingston, Merit, Microsoft, or another software provider.
  • Page 143: Radius Operation

    Typical AAA Network Configuration Remote RADIUS Operation When a user attempts to log in and authenticate to a switch that is access controlled by a RADIUS server, these events occur: The user is prompted to enter a username and password.
  • Page 144: Configuring Radius

    Connection parameters, including the host or client IP address, access list, and user timeouts Configuring RADIUS This section describes how to configure your switch to support RADIUS. At a minimum, you must identify the host or hosts that run the RADIUS server software and define the method lists for RADIUS authentication.
  • Page 145: Identifying The Radius Server Host

    Using this example, if the first host entry fails to provide accounting services, the switch tries the second host entry configured on the same device for accounting services. (The RADIUS host entries are tried in the order that they are configured.)
  • Page 146 Step 5 copy running-config startup-config To remove the specified RADIUS server, use the no radius-server host hostname | ip-address global configuration command. Purpose Enter global configuration mode. Specify the IP address or host name of the remote RADIUS server host.
  • Page 147: Configuring Radius Login Authentication

    Note You also need to configure some settings on the RADIUS server. These settings include the IP address of the switch and the key string to be shared by both the server and the switch. For more information, refer to the RADIUS server documentation.
  • Page 148 {default | list-name} method1 [method2...] global configuration command. To either disable RADIUS authentication for logins or to return to the default value, use the no login authentication {default | list-name} line configuration command. Purpose Enter global configuration mode.
  • Page 149: Defining Aaa Server Groups

    Defining AAA Server Groups You can configure the switch to use AAA server groups to group existing server hosts for authentication. You select a subset of the configured server hosts and use them for a particular service. The server group is used with a global server-host list, which lists the IP addresses of the selected server hosts.
  • Page 150 Step 4 aaa group server radius group-name Step 5 server ip-address Step 6 Purpose Enter global configuration mode. Specify the IP address or host name of the remote RADIUS server host. •...
  • Page 151: Configuring Radius Authorization For Privileged Exec Access And Network Services

    AAA authorization limits the services available to a user. When AAA authorization is enabled, the switch uses information retrieved from the user’s profile, which is in either the local user database or on the security server, to configure the user’s session. The user is granted access to a requested service only if the information in the user profile allows it.
  • Page 152: Starting Radius Accounting

    The AAA accounting feature tracks the services that users are accessing and the amount of network resources that they are consuming. When AAA accounting is enabled, the switch reports user activity to the RADIUS security server in the form of accounting records. Each accounting record contains accounting attribute-value (AV) pairs and is stored on the security server.
  • Page 153: Configuring Settings For All Radius Servers

    The default is 3; the range is 1 to 1000. Specify the number of seconds a switch waits for a reply to a RADIUS request before resending the request. The default is 5 seconds; the range is 1 to 1000.
  • Page 154: Configuring The Switch For Vendor-Proprietary Radius Server Communication

    For example, this AV pair activates Cisco’s multiple named ip address pools feature during IP authorization (during PPP’s IPCP address assignment): cisco-avpair= "ip:addr-pool=first" This example shows how to provide a user logging in from a switch with immediate access to privileged EXEC commands: cisco-avpair= "shell:priv-lvl=15"...
  • Page 155: Displaying The Radius Configuration

    Return to privileged EXEC mode. Verify your settings. (Optional) Save your entries in the configuration file...
  • Page 157 Note For complete syntax and usage information for the commands used in this chapter, refer to the Catalyst 2950 Desktop Switch Command Reference for this release. This chapter consists of these sections: • Understanding 802.1X Port-Based Authentication, page 7-1 Configuring 802.1X Authentication, page 7-6...
  • Page 158: Chapter 7 Configuring 802.1X Port-Based Authentication

    Authentication server—performs the actual authentication of the client. The authentication server validates the identity of the client and notifies the switch whether or not the client is authorized to access the LAN and switch services. Because the switch acts as the proxy, the authentication service is transparent to the client.
  • Page 159: Authentication Initiation And Message Exchange

    The devices that can act as intermediaries include the Catalyst 3550 multilayer switch, Catalyst 2950 switch, or a wireless access point. These devices must be running software that supports the RADIUS client and 802.1X.
  • Page 160: Ports In Authorized And Unauthorized States

    Ports in Authorized and Unauthorized States The switch port state determines whether or not the client is granted access to the network. The port starts in the unauthorized state. While in this state, the port disallows all ingress and egress traffic except for 802.1X packets.
  • Page 161: Supported Topologies

    802.1X-enabled switch port. The switch detects the client when the port link state changes to the up state. If a client leaves or is replaced with another client, the switch changes the port link state to down, and the port returns to the unauthorized state.
  • Page 162: Configuring 802.1X Authentication

    UDP authentication port • • Per-interface 802.1X enable state Periodic re-authentication Number of seconds between re-authentication attempts Quiet period Retransmission time Catalyst 2950 Desktop Switch Software Configuration Guide Chapter 7 Configuring 802.1X Port-Based Authentication (required) (required) (optional) (optional) (optional) (optional)
  • Page 163: 802.1X Configuration Guidelines

    – Switch Port Analyzer (SPAN) destination port—You can enable 802.1X on a port that is a SPAN destination port; however, 802.1X is disabled until the port is removed as a SPAN destination. You can enable 802.1X on a SPAN source port.
  • Page 164: Enabling 802.1X Authentication

    {default | list-name} method1 [method2...] global configuration command. To disable 802.1X, use the dot1x port-control force-authorized or the no dot1x port-control interface configuration command. Purpose Enter global configuration mode.
  • Page 165: Configuring The Switch-To-Radius-Server Communication

    RADIUS daemon. If you want to use multiple RADIUS servers, re-enter this command. Return to privileged EXEC mode. Verify your entries. (Optional) Save your entries in the configuration file...
  • Page 166: Enabling Periodic Re-Authentication

    You also need to configure some settings on the RADIUS server. These settings include the IP address of the switch and the key string to be shared by both the server and the switch. For more information, refer to the RADIUS server documentation.
  • Page 167: Manually Re-Authenticating A Client Connected To A Port

    Changing the Quiet Period When the switch cannot authenticate the client, the switch remains idle for a set period of time, and then tries again. The idle time is determined by the quiet-period value. A failed authentication of the client might occur because the client provided an invalid password.
  • Page 168: Changing The Switch-To-Client Retransmission Time

    To return to the default retransmission time, use the no dot1x timeout tx-period global configuration command. This example shows how to set 60 seconds as the number of seconds that the switch waits for a response to an EAP-request/identity frame from the client before retransmitting the request:...
  • Page 169: Setting The Switch-To-Client Frame-Retransmission Number

    To return to the default retransmission number, use the no dot1x max-req global configuration command. This example shows how to set 5 as the number of times that the switch sends an EAP-request/identity request before restarting the authentication process. Switch(config)# dot1x max-req 5 Enabling Multiple Hosts You can attach multiple hosts to a single 802.1X-enabled port as shown in...
  • Page 170: Resetting The 802.1X Configuration To The Default Values

    EXEC command. To display the 802.1X administrative and operational status for a specific interface, use the show dot1x interface interface-id privileged EXEC command. For detailed information about the fields in these displays, refer to the Catalyst 2950 Desktop Switch Command Reference for this release.
  • Page 171: Chapter 8 Configuring Vlans

    (CLI) procedures for using commands that have been specifically created or changed for the Catalyst 2950 switches. For complete syntax and usage information for the commands used in this chapter, refer to the Catalyst 2950 Desktop Switch Command Reference.
  • Page 172 Catalyst 2950G-48-EI Catalyst 2950G-24-EI-DC 250 Catalyst 2950T-24 The Catalyst 2950 switches support IEEE 802.1Q trunking methods for transmitting VLAN traffic over 100BASE-T and Gigabit Ethernet ports. The GigaStack GBIC also supports both trunking methods. When you are configuring a cascaded stack...
  • Page 173: Management Vlans

    Changing the Management VLAN for a New Switch If you add a new switch to an existing cluster and the cluster is using a management VLAN other than the default VLAN 1, the command switch automatically senses that the new switch has a different management VLAN and has not been configured.
  • Page 174: Changing The Management Vlan Through A Telnet Connection

    Assigning VLAN Port Membership Modes Before a new switch can be added to a cluster, it must be connected to a port that belongs to the cluster management VLAN. If the cluster is configured with a management VLAN other than the default, the command switch changes the management VLAN for new switches when they are connected to the cluster.
  • Page 175 Membership Policy Server (VMPS). The VMPS can be a Catalyst 5000 series switch but never a Catalyst 2950, Catalyst 2900 XL, or Catalyst 3500 XL switch. When a port belongs to a VLAN, the switch learns and manages the addresses associated with the port on a per-VLAN basis. For more information, see the page 6-15.
  • Page 176: Vlan Membership Combinations

    Assigning VLAN Port Membership Modes VLAN Membership Combinations You can configure your switch ports in the various VLAN membership combinations in Table 8-3 VLAN Combinations Port Mode VTP Required? Configuration Procedure Static-access ports Static-access and Recommended trunk ports Dynamic-access and...
  • Page 177: Assigning Static-Access Ports To A Vlan

    Before you create VLANs, you must decide whether to use VTP in your network. Using VTP, you can make configuration changes centrally on a single switch, such as a Catalyst 2950 switch, and have those changes automatically communicated to all the other switches in the network. Without VTP, you cannot send information about VLANs to other switches.
  • Page 178: Vtp Advertisements

    Note Because trunk ports send and receive VTP advertisements, you must ensure that at least one trunk port is configured on the switch and that this trunk port is connected to the trunk port of a second switch. Otherwise, the switch cannot receive any VTP advertisements.
  • Page 179: Vtp Version 2

    Only VLANs included in the pruning-eligible list can be pruned. By default, VLANs 2 through 1001 are pruning eligible on Catalyst 2950 trunk ports. If the VLANs are configured as pruning-ineligible, the flooding continues. VTP pruning is also supported with VTP version 1 and version 2.
  • Page 180: Vtp Configuration Guidelines

    Switches without a password or with the wrong password reject VTP advertisements. Caution The domain does not function properly if you do not assign the same password to each switch in the domain...
  • Page 181: Upgrading From Previous Software Releases

    If you configure a VTP password for a domain, a Catalyst 2950 switch that is booted without a VTP configuration does not accept VTP advertisements until you configure it with the correct password. After the configuration, the switch accepts the next VTP advertisement that uses the same password and domain name in the advertisement.
  • Page 182: Configuring Vtp

    If you are configuring VTP on a cluster member switch to a VLAN, use the rcommand privileged EXEC command to log in to the member switch. For more information on how to use this command, refer to the Catalyst 2950 Desktop Switch Command Reference.
  • Page 183: Disabling Vtp (Vtp Transparent Mode)

    Disabling VTP (VTP Transparent Mode) When you configure the switch for VTP transparent mode, you disable VTP on the switch. The switch then does not send VTP updates and does not act on VTP updates received from other switches.
  • Page 184: Enabling Vtp Version 2

    Caution VTP version 1 and VTP version 2 are not interoperable on switches in the same VTP domain. Every switch in the VTP domain must use the same VTP version. Do not enable VTP version 2 unless every switch in the VTP domain supports version 2.
  • Page 185: Enabling Vtp Pruning

    Pruning increases available bandwidth by restricting flooded traffic to those trunk links that the traffic must use to access the destination devices. You enable VTP pruning on a switch in VTP server mode. Pruning is supported with VTP version 1 and version 2. If you enable pruning on the VTP server, it is enabled for the entire VTP domain.
  • Page 186: Token Ring Vlans

    VLAN media type. Token Ring VLANs Although the Catalyst 2950 switches do not support Token Ring connections, a remote device such as a Catalyst 5000 series switch with Token Ring connections could be managed from one of the supported switches.
  • Page 187: Configuring Vlans In The Vtp Database

    VLANs can be configured to support a number of parameters that are not discussed in detail in this section. For complete information on the commands and parameters that control VLAN configuration, refer to the Catalyst 2950 Desktop Switch Command Reference...
  • Page 188: Adding A Vlan

    Deleting a VLAN from the Database When you delete a VLAN from a switch that is in VTP server mode, the VLAN is removed from all switches in the VTP domain. When you delete a VLAN from a switch that is in VTP transparent mode, the VLAN is deleted only on that specific switch.
  • Page 189: Assigning Static-Access Ports To A Vlan

    By default, all ports are in trunk-desirable mode and assigned to VLAN 1, which is the default management VLAN. If you are assigning a port on a cluster member switch to a VLAN, first use the privileged EXEC rcommand command to log in to the member switch. For more information on how to use this command, refer to the Catalyst 2950 Desktop Switch Command Reference.
  • Page 190: How Vlan Trunks Work

    Trunks carry the traffic of multiple VLANs and can extend VLANs across an entire network. Figure 8-3 shows a network of switches that are connected by 802.1Q trunks. Figure 8-3 Catalyst 2950, 2900 XL, and 3500 XL Switches in a 802.1Q Trunking Environment Catalyst 2900 XL switch VLAN1 DTP is a point-to-point protocol.
  • Page 191: Ieee 802.1Q Configuration Considerations

    Make sure your network is loop-free before disabling STP. Note: The Catalyst 2950 switches do not support ISL trunking. Trunks Interacting with Other Features: IEEE 802.1Q trunking interacts with other switch features as described in Table 8-8...
  • Page 192: Configuring A Trunk Port

    Because trunk ports send and receive VTP advertisements, you must ensure that at least one trunk port is configured on the switch and that this trunk port is connected to the trunk port of a second switch. Otherwise, the switch cannot receive any VTP advertisements.
  • Page 193: Cli: Defining The Allowed Vlans On A Trunk

    Save the configuration. Purpose: Enter global configuration mode. Enter interface configuration mode, and select the trunk port for which VLANs can be pruned. “Enabling VTP Pruning” section on...
  • Page 194: Configuring The Native Vlan For Untagged Traffic

    Configuring the Native VLAN for Untagged Traffic A trunk port configured with 802.1Q tagging can receive both tagged and untagged traffic. By default, the switch forwards untagged traffic with the native VLAN configured for the port. The native VLAN is VLAN 1 by default.
  • Page 195: Load Sharing Using Stp Port Priorities

    Load Sharing Using STP Port Priorities When two ports on the same switch form a loop, the STP port priority setting determines which port is enabled and which port is in standby mode. You can set the priorities on a parallel trunk port so that the port carries all the traffic for a given VLAN.
  • Page 196 Verify the VLAN configuration. Repeat Steps 7 through 11 on Switch 1 for interface fastethernet 0/2. Repeat Steps 7 through 11 on Switch 2 to configure the trunk ports on interface fastethernet 0/1 and fastethernet 0/2. When the trunk links come up, VTP passes the VTP and VLAN information to Switch 2.
  • Page 197: Load Sharing Using Stp Path Cost

    Enter global configuration mode. Enter interface configuration mode, and define fastethernet 0/1 as the interface to set the STP cost. Set the spanning-tree path cost to 30 for VLAN 2. Figure 8-5:...
  • Page 198: How The Vmps Works

    If the switch receives an access-denied response from the VMPS, it continues to block traffic from the MAC address to or from the port. The switch continues to monitor the packets directed to the port and sends a query to the VMPS when it identifies a new address. If the switch receives a port-shutdown response from the VMPS, it disables the port.
  • Page 199: Dynamic Port Vlan Membership

    VLAN name, and the MAC address-to-VLAN mapping. A Catalyst 3500, Catalyst 2900, or a Catalyst 2950 switch running this software release cannot act as the VMPS. Use a Catalyst 5000 series switch as the VMPS.
  • Page 200

    ! { port-group <group-name> | device <device-id> port <port-name> }
    vmps-port-policies vlan-group Engineering
     port-group WiringCloset1
    vmps-port-policies vlan-name Green
     device 192.168.1.1 port Fa0/9
    vmps-port-policies vlan-name Purple
     device 192.168.2.2 port Fa0/10
     port-group “Executive Row”
  • Page 201: Vmps Configuration Guidelines

    You must enter the IP address of the Catalyst 5000 switch or the other device acting as the VMPS to configure the Catalyst 2950 switch as a client. If the VMPS is being defined for a cluster of switches, enter the address on the command switch.
  • Page 202: Configuring Dynamic Ports On Vmps Clients

    Configuring Dynamic Ports on VMPS Clients If you are configuring a port on a member switch as a dynamic port, first use the privileged EXEC rcommand command to log into the member. For more information on how to use this command, refer to the Catalyst 2950 Desktop Switch Command Reference.
  • Page 203: Reconfirming Vlan Memberships

    If you are configuring a member switch in a cluster, this parameter must be equal to or greater than the reconfirmation setting on the command switch. You also must first use the privileged EXEC rcommand command to log into the member s.
  • Page 204: Administering And Monitoring The Vmps

    You can display information about the VMPS by using the privileged EXEC show vmps command. The switch displays this information about the VMPS: VMPS VQP Version The version of VQP used to communicate with the VMPS. The switch queries Reconfirm Interval Server Retry Count VMPS domain server The IP address of the configured VLAN membership policy servers.
  • Page 205 [Figure residue: network diagram labelling Switch 7 through Switch 10, a dynamic-access port, a client, the secondary VMPS, Server 3, a TFTP server, a router, and trunk ports]
  • Page 207: Understanding Basic Stp Features

    This chapter describes how to configure the Spanning Tree Protocol (STP) on your switch. Note: For complete syntax and usage information for the commands used in this chapter, refer to the Catalyst 2950 Desktop Switch Command Reference for this release. This chapter consists of these sections: • Understanding Basic STP Features, page 9-1...
  • Page 208: Configuring Stp

    Therefore, STP must be running on enough switches to break all the loops in the network; for example, at least one switch on each loop in the VLAN must be running STP. It is not absolutely necessary to run STP on all switches in the VLAN; however, if you are running STP only on a minimal set of switches, an incautious change to the network that introduces another loop into the VLAN can result in a broadcast storm.
  • Page 209: Chapter 9 Configuring Stp

    These conditions result in an unstable network. STP defines a tree with a root switch and a loop-free path from the root to all switches in the network. STP forces redundant data paths into a standby (blocked) state. If a network segment in the spanning tree fails and a redundant path exists, the spanning-tree algorithm recalculates the spanning-tree topology and activates the standby path.
  • Page 210: Stp Timers

    Creating the STP Topology: In Figure 9-1, Switch A is elected as the root switch because the switch priority of all the switches is set to the default (32768) and Switch A has the lowest MAC address. However, due to traffic patterns, number of forwarding interfaces, or link types, Switch A might not be the ideal root switch.
  • Page 211: Stp Interface States

    The goal is to make the fastest link the root port. For example, assume that one port on Switch B is a Gigabit Ethernet link and that another port on Switch B (a 10/100 link) is the root port. Network traffic might be more efficient over the Gigabit Ethernet link.
  • Page 212: Blocking State

    Forwarding state When you power up the switch, STP is enabled by default, and every interface in the switch, VLAN, or network goes through the blocking state and the transitory states of listening and learning. Spanning tree stabilizes each interface at the forwarding or blocking state.
  • Page 213: Listening State

    A disabled interface performs as follows:
    • Discards frames received on the port
    • Discards frames switched from another interface for forwarding
    • Does not learn addresses
    • Does not receive BPDUs
  • Page 214: Mac Address Allocation

    MAC Address Allocation: The switch has a pool of MAC addresses, one for each instance of STP, that is used as the bridge IDs for the VLAN spanning-tree instances. MAC addresses are allocated sequentially. STP Address Management: IEEE 802.1D specifies 17 multicast addresses, ranging from 0x0180C2000000 to 0x0180C2000010, to...
  • Page 215: Accelerated Aging To Retain Connectivity

    (spanning-tree vlan vlan-id forward-time seconds global configuration command) when STP reconfigures. Because each VLAN is a separate spanning-tree instance, the switch accelerates aging on a per-VLAN basis. An STP reconfiguration on one VLAN can cause the dynamic addresses learned on that VLAN to be subject to accelerated aging.
  • Page 216: Understanding Port Fast

    Understanding BPDU Guard: When the BPDU guard feature is enabled on the switch, STP shuts down Port Fast-enabled interfaces that receive BPDUs rather than putting them into the blocking state. In a valid configuration, Port Fast-enabled interfaces do not receive BPDUs. Receipt of a BPDU by a Port Fast-enabled interface means an invalid configuration, such as the connection of an unauthorized device, and the BPDU guard feature places the interface into the ErrDisable state.
  • Page 217: Understanding Uplinkfast

    Switch A, the root switch, is connected directly to Switch B over link L1 and to Switch C over link L2. The interface on Switch C that is connected directly to Switch B is in a blocking state.
  • Page 218: Understanding Cross-Stack Uplinkfast

    If Switch C detects a link failure on the currently active link L2 on the root port (a direct link failure), UplinkFast unblocks the blocked port on Switch C and transitions it to the forwarding state without going through the listening and learning states, as shown in approximately 1 to 5 seconds.
  • Page 219: How Csuf Works

    Link A, the root link, is in the STP forwarding state; Links B and C are alternate redundant links that are in the STP blocking state. If Switch A fails, if its stack-root port fails, or if Link A fails, CSUF selects either the Switch B or Switch C alternate stack root port and puts it into the forwarding state in less than 1 second.
  • Page 220: Events That Cause Fast Convergence

    Each switch in the stack determines if the sending switch is a better choice than itself to be the stack root of this spanning-tree instance by comparing STP root, cost, and bridge ID. If the sending switch is the best choice as the stack root, each switch in the stack returns an acknowledgement;...
  • Page 221: Limitations

    • Each stack switch can be connected to the STP backbone through one uplink.
    • If the stack consists of a mixture of Catalyst 2900 XL, Catalyst 3500 XL, Catalyst 2950 and Catalyst 3550 switches, up to 64 VLANs with STP enabled are supported. If the stack consists of Catalyst 3550 switches, up to 128 VLANs with STP enabled are supported.
  • Page 222: Gigastack

    [Figure residue: GigaStack GBIC connections between Catalyst 2950G-12, 2950G-24, 2950G-48, 3550-12T, 3500 and 2950 switches; one label reads "GigaStack GBIC connection for normal convergence"]
  • Page 223: Understanding Backbonefast

    STP rules. If the switch has alternate paths to the root switch, it uses these alternate paths to transmit a new kind of Protocol Data Unit (PDU) called the Root Link Query PDU. The switch sends the Root Link Query PDU on all alternate paths to the root switch.
  • Page 224 BPDUs did not come from the recognized designated bridge (Switch B). The new switch begins sending inferior BPDUs that say it is the root switch. However, the other switches ignore these inferior BPDUs, and the new switch learns that Switch B is the designated bridge to Switch A, the root switch.
  • Page 225: Understanding Root Guard

    If a switch outside the network becomes the root switch, the interface is blocked (root-inconsistent state), and STP selects a new root switch. The customer’s switch does not become the root switch and is not in the path to the root.
  • Page 226: Configuring Basic Stp Features

    Spanning-tree VLAN port cost (configurable on a per-VLAN basis—used on interfaces configured as trunk ports) Hello time “Configuring Advanced STP Features” section on Default Setting Enabled on VLAN 1.
  • Page 227: Disabling Stp

    The switch maintains a separate spanning-tree instance for each active VLAN configured on it. A bridge ID, consisting of the switch priority and the switch MAC address, is associated with each instance. For each VLAN, the switch with the lowest bridge ID becomes the root switch for that VLAN.
  • Page 228 VLAN. If any root switch for the specified VLAN has a switch priority lower than 8192, the switch sets its own priority for the specified VLAN to 1 less than the lowest switch priority.
  • Page 229: Configuring A Secondary Root Switch

    When you configure a switch as the secondary root, the STP switch priority is changed from the default value (32768) to 16384 so that the switch is likely to become the root switch for the specified VLAN if the primary root switch fails (if the other switches in the network use the default switch priority of 32768, and therefore, are unlikely to become the root switch).
  • Page 230: Configuring Stp Port Priority

    (DTP). Otherwise, you can use the show running-config interface interface configuration command to confirm the configuration. To return the interface to its default setting, use the no spanning-tree vlan vlan-id port-priority interface configuration command. Purpose: Enter global configuration mode.
  • Page 231: Configuring Stp Path Cost

    For cost, the range is 1 to 65535; the default value is derived from the media speed of the interface. Return to privileged EXEC mode. Verify your entries. (Optional) Save your entries in the configuration file.
  • Page 232: Configuring The Switch Priority Of A Vlan

    For information on how to configure load sharing on trunk ports using STP path costs, see the “Load Sharing Using STP” section. Configuring the Switch Priority of a VLAN: You can configure the switch priority and make it more likely that the switch will be chosen as the root switch. Note: Exercise care when using this command.
  • Page 233: Configuring The Hello Time

    Configuring the Hello Time: You can configure the interval between the generation of configuration messages by the root switch by changing the STP hello time. Note: Exercise care when using this command. For most situations, we recommend that you use the spanning-tree vlan vlan-id root primary and the spanning-tree vlan vlan-id root secondary global configuration commands to modify the hello time.
  • Page 234: Configuring The Maximum-Aging Time For A Vlan

    STP uses default values that can be reduced when configuring your switch in cascaded configurations. If an STP root switch is part of a cluster that is one switch from a cascaded stack, you can customize STP to reconverge more quickly after a switch failure.
  • Page 235: Displaying Stp Status

    [totals] For information about other keywords for the show spanning-tree command, refer to the Catalyst 2950 Desktop Switch Command Reference for this release.
  • Page 236: Configuring Advanced Stp Features

    Caution: Use Port Fast only when connecting a single end station to an access port. Enabling this feature on an interface connected to a switch or hub could prevent STP from detecting and disabling loops in your network, which could cause broadcast storms and address-learning problems.
  • Page 237: Configuring Bpdu Guard

    Beginning in privileged EXEC mode, follow these steps to enable the BPDU guard feature on the switch: Command...
  • Page 238: Configuring Uplinkfast For Use With Redundant Links

    When UplinkFast is enabled, the switch priority of all VLANs is set to 49152, and the path cost of all interfaces and VLAN trunks is increased by 3000 if you did not modify the path cost from its default setting.
  • Page 239: Configuring Cross-Stack Uplinkfast

    Step 5 copy running-config startup-config To disable CSUF on an interface, use the no spanning-tree stack-port interface configuration command. To disable UplinkFast on the switch and all of its VLANs, use the no spanning-tree uplinkfast global configuration command.
  • Page 240: Configuring Backbonefast

    Step 6 copy running-config startup-config To disable the root guard feature, use the no spanning-tree guard or the spanning-tree guard none interface configuration commands. Purpose: Enter global configuration mode. Enable BackboneFast on the switch.
  • Page 241: Chapter 10 Configuring The Switch Ports

    (CLI) procedures for using commands that have been specifically created or changed for the Catalyst 2950 switches. For complete syntax and usage information for the commands used in this chapter, refer to the Catalyst 2950 Desktop Switch Command Reference.
  • Page 242: Connecting To Devices That Do Not Autonegotiate

    {full | half | auto} Step 5 Step 6 show running-config Step 7 copy running-config startup-config Purpose: Enter global configuration mode. Enter interface configuration mode, and enter the port to be configured.
  • Page 243: Configuring Ieee 802.3X Flow Control

    Note: For details on the command settings and the resulting flow control resolution on local and remote ports, refer to the flowcontrol interface configuration command in the Catalyst 2950 Desktop Switch Command Reference for this release. Beginning in privileged EXEC mode, follow these steps to configure flow control on an interface:...
  • Page 244: Configuring Flooding Controls

    Storm control uses rising and falling thresholds to block and then restore the forwarding of broadcast, unicast, or multicast packets. You can also set the switch to shut down the port when the rising threshold is reached. Storm control uses a bandwidth-based method to measure traffic activity. The thresholds are expressed as a percentage of the total available bandwidth that can be used by the broadcast, multicast, or unicast traffic.
  • Page 245: Disabling Storm Control

    Layer 3 device such as a router. To meet this requirement, you can configure Catalyst 2950 ports as protected ports (also referred to as private VLAN edge ports). Protected ports do not forward any traffic to protected ports on the same switch.
  • Page 246: Enabling Port Security

    Secured ports restrict a port to a user-defined group of stations. When you assign secure addresses to a secure port, the switch does not forward any packets with source addresses outside the defined group of addresses. If you define the address table of a secure port to contain only one address, the workstation or server attached to that port is guaranteed the full bandwidth of the port.
  • Page 247: Defining The Maximum Secure Address Count

    • protect—When the port secure addresses reach the allowed limit on the port, all packets with unknown addresses are dropped. Return to privileged EXEC mode. Verify the entry.
  • Page 248: Disabling Port Security

    Note The network device to which your switch is connected can impose its own limits on the number of interfaces in the EtherChannel. For Catalyst 2950 switches, the number of EtherChannels is limited to six with eight ports per EtherChannel.
  • Page 249: Understanding Port-Channel Interfaces

    Each EtherChannel has a logical port-channel interface numbered from 1 to 6. [Figure residue: a Catalyst 8500, 6000, 5500, or 4000 series switch linked by 1000BASE-X to Catalyst 2950-T switches, with 10/100 switched links to workstations] Figure 10-2.
  • Page 250: Understanding The Port Aggregation Protocol

    The Port Aggregation Protocol (PAgP) facilitates the automatic creation of EtherChannels by exchanging packets between Ethernet interfaces. By using PAgP, the switch learns the identity of partners capable of supporting PAgP and learns the capabilities of each interface. It then dynamically groups similarly configured interfaces into a single logical link (channel or aggregate port);...
  • Page 251: Physical Learners And Aggregate-Port Learners

    The silent mode is used when the switch is connected to a device that is not PAgP-capable and seldom, if ever, transmits packets. An example of a silent partner is a file server or a packet analyzer that is not generating traffic.
  • Page 252: Pagp Interaction With Other Features

    EtherChannel. With aggregate-port learning, it is not important on which physical port the packet arrives. The Catalyst 2950 switch uses source-MAC address distribution for a channel if it is connected to a physical learner even if the user configures destination-MAC address distribution.
  • Page 253: Default Etherchannel Configuration

    128 on all interfaces. (Changing this value on Catalyst 2950 switches has no effect.) Load distribution on the switch is based on the source-MAC address of the incoming packet.
  • Page 254: Etherchannel Configuration Guidelines

    You configure Layer 2 EtherChannels by configuring the Ethernet interfaces with the channel-group interface configuration command, which creates the port-channel logical interface. Note: Layer 2 interfaces must be connected and functioning for IOS to create port-channel interfaces.
  • Page 255 For information on compatible PAgP modes for the switch and its partner, see the “PAgP Modes” section on page 10-10. Return to privileged EXEC mode. Verify your entries. (Optional) Save your entries in the configuration file.
  • Page 256: Configuring Etherchannel Load Balancing

    Beginning in privileged EXEC mode, follow these steps to configure EtherChannel load balancing:
    Step 1: configure terminal (Purpose: Enter global configuration mode.)
    Step 2: port-channel load-balance {dst-mac | src-mac} (Purpose: Configure an EtherChannel load-balancing method. See the “Understanding Load Balancing...” section on page 10-12.)
    Step 3
  • Page 257: Configuring The Pagp Learn Method And Priority

    MAC address, regardless of the configured load distribution method. If the link partner to the Catalyst 2950 switch is a physical learner that has the channel-group interface configuration command set to on, set the load-distribution method based on the source MAC address by using the port-channel load-balance src-mac global configuration command.
  • Page 258: Configuring Unidirectional Link Detection

    UniDirectional Link Detection (UDLD) is a Layer 2 protocol that detects and shuts down unidirectional links. You can configure UDLD on the entire switch or on an individual port. Use the udld reset command to reset all ports that have been shut down by UDLD.
  • Page 259: Span Concepts And Terminology

    A copy of each packet sent by the source is sent to the destination port for that SPAN session. The copy is provided after the packet is modified. You can monitor a range of egress ports in a SPAN session.
  • Page 260: Source Port

    In a single SPAN session, you can monitor source port traffic such as received (Rx), transmitted (Tx), or bidirectional (both). The switch supports any number of source ports (up to the maximum number of available ports on the switch).
  • Page 261: Span Traffic

    For example, a bidirectional (both Rx and Tx) SPAN session is configured for sources a1 and a2 to a destination port d1. If a packet enters the switch through a1 and is switched to a2, both incoming and outgoing packets are sent to destination port d1. Both packets are the same.
  • Page 262: Configuring Span

    • series or range of ports.
    • When you configure a switch port as a SPAN destination port, it is no longer a normal switch port; only monitored traffic passes through the SPAN destination port.
    • When you specify a single source port and do not specify a traffic type (Tx, Rx, or both), both is the default.
  • Page 263 For session_number, specify 1. For interface-id, specify the destination port. Valid interfaces include physical interfaces. Return to privileged EXEC mode. Verify your entries. (Optional) Save your entries in the configuration file. None None
  • Page 264 Destination Ports:Gi0/2 This example shows how to disable received traffic monitoring on port 1, which was configured for bidirectional monitoring:
    Switch(config)# no monitor session 1 source interface gigabitethernet0/1 rx
    Gi0/1 Purpose Enter global configuration mode.
  • Page 265: Displaying Span Status

    This is an example of output for the show monitor privileged EXEC command for session 1: Switch# show monitor session 1 Session 2 --------- Source Ports: RX Only: TX Only: Both: Destination Ports:Gi0/2 Gi0/1 None None
  • Page 267: Chapter 11 Configuring Igmp Snooping And Mvr

    Note: For complete syntax and usage information for the commands used in this chapter, refer to the Catalyst 2950 Desktop Switch Command Reference for this release and the Cisco IOS Release Network Protocols Command Reference, Part 1, for Release 12.1.
  • Page 268: Enabling Or Disabling Igmp Snooping

    IGMP snooping. Multicast group membership lists can consist of both user-defined and IGMP snooping-learned settings. Catalyst 2950 switches support a maximum of 255 IP multicast groups and support both IGMP version 1 and IGMP version 2. If a port spanning-tree, a port group, or a VLAN ID change occurs, the IGMP snooping-learned multicast groups from this port on the VLAN are deleted.
  • Page 269: Immediate-Leave Processing

    IP multicast group when it detects an IGMP version 2 leave message on that port. Immediate-Leave processing allows the switch to remove an interface that sends a leave message from the forwarding table without first sending out group-specific queries to the interface. You should use the Immediate-Leave feature only when there is only a single receiver present on every port in the VLAN.
  • Page 270: Setting The Snooping Method

    Joining a Multicast Group When a host connected to the switch wants to join an IP multicast group, it sends an IGMP join message, specifying the IP multicast group it wants to join. When the switch receives this message, it adds the port to the IP multicast group port address entry in the forwarding table.
  • Page 271: Statically Configuring A Host To Join A Group

    Note that the switch architecture allows the CPU to distinguish IGMP information packets from other packets for the multicast group. The switch recognizes the IGMP packets through its filter engine. This prevents the CPU from becoming overloaded with multicast frames.
  • Page 272: Cli: Statically Configuring A Interface To Join A Group

    When hosts need to leave a multicast group, they can either ignore the periodic general-query requests sent by the router, or they can send a leave message. When the switch receives a leave message from a host, it sends out a group-specific query to determine if any devices behind that interface are interested in traffic for the specific multicast group.
  • Page 273: Cli: Configuring A Multicast Router Port

    MVR. Join and leave messages from all other multicast groups are managed by IGMP snooping. The switch CPU identifies the MVR IP multicast streams and their associated MAC addresses in the switch forwarding table, intercepts the IGMP messages, and modifies the forwarding table to include or remove the subscriber as a receiver of the multicast stream, even though the receivers might be in a different VLAN from the source.
  • Page 274: Using Mvr In A Multicast Television Application

    The Catalyst 2950 switch has dynamic and compatible modes of MVR operation:
    • When operating in MVR dynamic mode, the switch performs standard IGMP snooping. IGMP information packets are sent to the switch CPU, but multicast data packets are not sent to the CPU.
  • Page 275 These messages dynamically register for streams of multicast traffic in the multicast VLAN on the Layer 3 device. The access layer switch (S1 switch) modifies the forwarding behavior to allow the traffic to be forwarded from the multicast VLAN to the subscriber port in a different VLAN, selectively allowing traffic to cross between two VLANs.
  • Page 276: Configuration Guidelines And Limitations

    Configuration Guidelines and Limitations: Follow these guidelines when configuring MVR:
    • Receiver ports cannot be trunk ports. Receiver ports on a switch can be in different VLANs, but should not belong to the multicast VLAN.
    •...
  • Page 277 IP addresses. Any multicast data sent to this address is sent to all source ports on the switch and all receiver ports that have elected to receive data on that multicast address. Each multicast address corresponds to one television channel.
  • Page 278: Configuring Mvr Interfaces

    Step 3 interface interface-id Step 4 mvr type {source | receiver} Step 5 mvr vlan vlan-id group ip-address Purpose: Enter global configuration mode. Enable MVR on the switch. Enter interface configuration mode, and enter the type and number of the port to configure, for example, gi 0/1 or gigabitethernet 0/1 for Gigabit Ethernet port 1.
  • Page 279 Exit configuration mode. Verify the configuration.
  • Page 280: Displaying Mvr

    Displays MVR status and values for the switch—whether MVR is enabled or disabled, the multicast VLAN, the number of multicast groups (always 256 for the Catalyst 2950 switch), the query response time, and the MVR mode. Displays all MVR interfaces and their MVR configurations.
  • Page 281 [Output residue from an MVR members listing: one group ACTIVE with members Gi0/1(d), Gi0/5(s); the remaining groups INACTIVE with members None]
  • Page 283: Chapter 12 Configuring Network Security With Acls

    “Getting Started with CMS” section on page You can also use the security wizard to filter inbound traffic on the Catalyst 2950 switches. Filtering can be based on network addresses or TCP/UDP applications. You can choose whether to drop or forward packets that meet the filtering criteria.
  • Page 284: Acls

    If there are no restrictions, the switch forwards the packet; otherwise, the switch drops the packet. You configure access lists on a Layer 2 switch to provide basic security for your network. If you do not configure ACLs, all packets passing through the switch could be allowed onto all parts of the network.
  • Page 285: Handling Fragmented And Unfragmented Traffic

    TCP-destination-port well-known numbers equaling Simple Mail Transfer Protocol (SMTP) and Telnet, respectively.
    [Figure: Host A, Host B, Catalyst 2950 switch, Research & Development network. Legend: ACL denying traffic from Host B and permitting traffic from Host A; packet.]
  • Page 286: Understanding Access Control Parameters

    ACEs were checking different hosts. Understanding Access Control Parameters Before configuring ACLs on the Catalyst 2950 switches, you must have a thorough understanding of the Access Control Parameters (ACPs). ACPs are referred to as masks in the switch CLI commands, output, and CMS.
  • Page 287: Guidelines For Configuring Acls On The Catalyst 2950 Switches

    ACLs. The Catalyst 2950 switch ACL configuration is consistent with other Cisco Catalyst switches. However, there are significant restrictions as well as differences for ACL configurations on the Catalyst 2950 switches.
  • Page 288: Configuring Acls

    IOS IP and IP Routing Command Reference for IOS Release 12.1. For a list of IOS features not supported on the Catalyst 2950 switch, see the Unsupported Features The Catalyst 2950 switch does not support these IOS router ACL-related features: • Non-IP protocol ACLs (see •...
  • Page 289: Creating Standard And Extended Ip Acls

    The number you use to denote your ACL shows the type of access list that you are creating. lists the access list number and corresponding type and shows whether or not they are supported by the switch. The Catalyst 2950 switch supports IP standard and IP extended access lists, numbers 1 to 199 and 1300 to 2699.
  • Page 290: Creating A Numbered Standard Acl

    (Optional) The source-wildcard applies wildcard bits to the source. (See first bullet item.) Note The log option is not supported on Catalyst 2950 switches. Return to privileged EXEC mode. Show the access list configuration. (Optional) Save your entries in the configuration file.
  • Page 291: Creating A Numbered Extended Acl

    IP destination address Fragments TCP or UDP Layer 4 Parameters Source port operator Source port Destination port operator Destination port TCP flag...
  • Page 292 Command Reference for IOS Release 12.1. Note The Catalyst 2950 switch does not support dynamic or reflexive access lists. It also does not support filtering based on the minimize-monetary-cost type of service (TOS) bit. When creating ACEs in numbered extended access lists, remember that after you create the list, any additions are placed at the end of the list.
  • Page 293 The keyword host, followed by the 32-bit quantity in dotted-decimal format, as an abbreviation for a single host with source and source-wildcard of source 0.0.0.0. Note Only the ip, tcp, and udp protocols are supported on Catalyst 2950 switches. Verify the access list configuration.
  • Page 294: Creating Named Standard And Extended Acls

    You can identify IP ACLs with an alphanumeric string (a name) rather than a number. You can use named ACLs to configure more IP access lists on a switch than if you use numbered access lists. If you identify your access list with a name rather than a number, the mode and command syntax are slightly different.
  • Page 295 • any represents a source and source wildcard of 0.0.0.0 255.255.255.255. Note The log option is not supported on Catalyst 2950 switches. Return to privileged EXEC mode. Show the access list configuration. (Optional) Save your entries in the configuration file.
  • Page 296: Including Comments About Entries In Acls

    In this example, the Jones subnet is not allowed to use outbound Telnet:
    Switch(config)# ip access-list extended telnetting
    Switch(config-ext-nacl)# remark Do not allow Jones subnet to telnet out
    Switch(config-ext-nacl)# deny tcp host 171.69.2.88 any eq telnet
  • Page 297: Applying The Acl To An Interface Or Terminal Line

    The interface must be a Layer 2 or Layer 3 interface or a management interface VLAN ID. Control access to the specified interface. Return to privileged EXEC mode.
  • Page 298: Displaying Acls

    When you apply an undefined ACL to an interface, the switch acts as if the ACL has not been applied to the interface and permits all packets. Remember this behavior if you use undefined ACLs for network security.
  • Page 299: Displaying Access Groups

    This example shows how to display the ACL configuration of Gigabit Ethernet interface 0/1:
    Switch# show running-config interface gigabitethernet0/1
    Building configuration...
    Current configuration :112 bytes
    interface GigabitEthernet0/1
    ip access-group 11 in
    snmp trap link-status
    no cdp enable
    end
    !
  • Page 300: Examples For Compiling Acls

    Services” chapter of the Cisco IOS IP and IP Routing Configuration Guide for IOS Release 12.1. Figure 12-2 shows a small networked office with a stack of Catalyst 2950 switches that are connected to a Cisco router. A host is connected to the network through the Internet using a WAN link.
  • Page 301 Mail packets coming in from the Internet have a destination port of 25. Because the secure system behind the switch always accepts mail connections on port 25, the incoming services are controlled.
  • Page 302: Creating Named Mac Extended Acls

    For more information about the supported non-IP protocols in the mac access-list extended command, refer to the Catalyst 2950 Desktop Switch Command Reference for this release. Though visible in the command-line help strings, appletalk is not supported as a matching condition for...
  • Page 303: Creating Mac Access Groups

    Control access to the specified interface. Display the MAC ACLs applied to the interface. Return to privileged EXEC mode. Display the ACL configuration. (Optional) Save your entries in the configuration file.
  • Page 304 The MAC ACL applies to both IP as well as non-IP packets. When you apply an undefined ACL to an interface, the switch acts as if the ACL has not been applied to the interface and permits all packets. Remember this behavior if you use undefined ACLs as a means of network security.
  • Page 305 Configuring This chapter describes how to configure quality of service (QoS) on your switch. With this feature, you can provide preferential treatment to certain types of traffic. Without QoS, the switch offers best-effort service to each packet, regardless of the packet contents or size. It transmits the packets without any assurance of reliability, delay bounds, or throughput.
  • Page 306: Configuring Qos

    QoS Configuration Examples, page 13-25 Understanding QoS This section describes how QoS is implemented on the Catalyst 2950 switch. If you have the standard software image installed on your switch, some concepts and features in this section might not apply.
  • Page 307: Basic Qos Model

    Basic QoS Model Figure 13-2 shows the basic QoS model. Actions at the ingress interface include classifying traffic, policing, and marking: Note If you have the standard software image installed on your switch, only the queueing and scheduling features are available.
  • Page 308: Classification

    Classification Note This feature is available only if your switch is running the enhanced software image. Classification is the process of distinguishing one kind of traffic from another by examining the fields in the packet. Classification occurs only on a physical interface basis. No support exists for classifying packets at the VLAN or the switched virtual interface level.
  • Page 309: Classification Based On Qos Acls

    • action, and QoS processing begins. • Configuration of a deny action is not supported in QoS ACLs on a Catalyst 2950 switch. • System-defined masks are allowed in class maps with these restrictions: A combination of system-defined and user-defined masks cannot be used in the multiple class –...
  • Page 310: Policing And Marking

    You create and name a policy map by using the policy-map global configuration command. When you enter this command, the switch enters the policy-map configuration mode. In this mode, you specify the actions to take on a specific traffic class by using the class or set policy-map configuration and policy-map class configuration commands.
  • Page 311: Mapping Tables

    Mapping Tables Note This feature is available only if your switch is running the enhanced software image. The Catalyst 2950 switches support these types of marking to apply to the switch: • CoS value to the DSCP value • DSCP value to CoS value...
  • Page 312: Queueing And Scheduling

    How Class of Service Works Before you set up 802.1P CoS on a Catalyst 2950 that operates with the Catalyst 6000 family of switches, refer to the Catalyst 6000 documentation. There are differences in the 802.1P implementation, and they should be understood to ensure compatibility.
  • Page 313: Configuring Qos

    The default port trust state is untrusted. No policy maps are configured. No policers are configured. No policers are configured. Information” sections are applicable. “Configuring CoS and WRR” and...
  • Page 314: Configuration Guidelines

    • In a policy map, the class named class-default is not supported. The switch does not filter traffic based on the policy map defined by the class class-default policy-map configuration command. •...
  • Page 315 Packets entering a QoS domain are classified at the edge of the QoS domain. When the packets are classified at the edge, the switch port within the QoS domain can be configured to one of the trusted states because there is no need to classify the packets at every switch within the QoS domain.
  • Page 316 By default, the port is not trusted. Use the cos keyword setting if your network is composed of Ethernet LANs, Catalyst 2950 switches, and has no more than two types of traffic. Use the dscp keyword if your network is not composed of only Ethernet LANs and if you are familiar with sophisticated QoS features and implementations.
  • Page 317: Configuring A Qos Policy

    Configuring a QoS Policy Note This feature is available only if your switch is running the enhanced software image. Configuring a QoS policy typically requires classifying traffic into classes, configuring policies applied to those traffic classes, and attaching policies to interfaces.
  • Page 318: Classifying Traffic By Using Acls

    Any host with a source address that does not match the ACL statements is rejected.
    Switch(config)# access-list 1 permit 192.5.255.0 0.0.0.255
    Switch(config)# access-list 1 permit 36.0.0.0 0.0.0.255
    Purpose Enter global configuration mode.
  • Page 319 Deny statements are not supported for QoS ACLs. See the “Classification Based on QoS ACLs” section on page 13-5 for more details. Return to privileged EXEC mode. Verify your entries. (Optional) Save your entries in the configuration file.
  • Page 320 This example shows how to create a Layer 2 MAC ACL with a permit statement. The statement allows traffic from the host with MAC address 0001.0000.0001 to the host with MAC address 0002.0000.0001.
    Switch(config)# mac access-list extended maclist1
    Switch(config-ext-macl)# permit host 0001.0000.0001 host 0002.0000.0001
    Purpose Enter global configuration mode.
  • Page 321 Only one match criterion per class map is supported, and only one ACL per class map is supported. For access-group acl-index | name acl-name, specify the number or name of the ACL created in Step 3. “Classifying Traffic by Using ACLs” “Creating Named 12-20.
  • Page 322: Classifying, Policing, And Marking Traffic By Using Policy Maps

    A separate policy-map class can exist for each type of traffic received through an interface. • You can attach only one policy map per interface in the input direction. Purpose Return to privileged EXEC mode.
  • Page 323 For ip dscp new-dscp, enter a new DSCP value to be assigned to the classified traffic. The supported DSCP values are 0, 8, 10, 16, 18, 24, 26, 32, 34, 40, 46, 48, and 56. “Creating Named MAC...
  • Page 324 DSCP value in the incoming packet is trusted. If the matched traffic exceeds an average traffic rate of 48000 bps and a normal burst size of 8000 bytes, its DSCP is marked down to a value of 10 and transmitted. Purpose Define a policer for the classified traffic.
  • Page 325: Configuring Cos Maps

    Switch(config-if)# mls qos trust cos
    Switch(config-if)# service-policy input macpolicy1
    Configuring CoS Maps Note This feature is available only if your switch is running the enhanced software image. This section describes how to configure the DSCP maps: • Configuring the CoS-to-DSCP Map, page 13-21 •...
  • Page 326: Configuring The Dscp-To-Cos Map

    You use the DSCP-to-CoS map to map DSCP values in incoming packets to a CoS value, which is used to select one of the four egress queues. The Catalyst 2950 switches support these DSCP values: 0, 8, 10, 16, 18, 24, 26, 32, 34, 40, 46, 48, and Table 13-4 shows the default DSCP-to-CoS map.
  • Page 327: Configuring Cos And Wrr

    56. The CoS range is 0 to 7. Return to privileged EXEC mode. Verify your entries. (Optional) Save your entries in the configuration file. 8 10 16 18 24 26 32 34 40 46 48 56...
  • Page 328: Cli: Configuring Cos Priority Queues

    Step 4 show wrr-queue bandwidth To disable the WRR scheduler and enable the strict priority scheduler, use the no wrr-queue bandwidth global configuration command. Purpose Enter global configuration mode. 4 where 1 is the lowest CoS priority queue.) Specify the CoS values that are mapped to the queue id.
  • Page 329: Displaying Qos Information

    2. You can define up to 16 DSCP values for which byte or packet statistics are gathered by hardware by using the mls qos monitor {bytes | dscp dscp1 ... dscp8 | packets} interface configuration command and the show mls qos interface statistics privileged EXEC command. 3. Access Control Parameters are called masks in the switch CLI commands and output. This example shows how to display the DSCP-to-CoS maps:...
  • Page 330: Qos Configuration For The Common Wiring Closet

    XL switches, you can override this priority with the default value by using the switchport priority default override interface configuration command. For Catalyst 2950 and Catalyst 2900 XL switches and other 3500 XL models that do not have the override feature, the Catalyst 3550-12T switch at the distribution layer can override the 802.1P CoS value by using the mls qos cos override interface...
  • Page 331: Qos Configuration For The Intelligent Wiring Closet

    1 2 3 4 Step 17 wrr-queue cos-map 4 6 7 Figure 13-4 is composed of Catalyst 2950 switches. One of the switches Purpose Enter global configuration mode. Define an IP standard ACL, and permit traffic from the video server at 172.20.10.16.
  • Page 332 [cos-dscp | dscp-cos] Step 20 copy running-config startup-config Purpose Return to privileged EXEC mode. Verify your entries. (Optional) Save your entries in the configuration file.
  • Page 333: Chapter 14 Troubleshooting

    If you try to enable incompatible features by using CMS, it issues a warning message that you are configuring a setting that is incompatible with another setting, and the switch does not save the change.
  • Page 334: Avoiding Autonegotiation Mismatches

    Protected Port 802.1X Port 1. Switch Port Analyzer (SPAN) can operate only if the monitor port or the port being monitored is not a protected port. Avoiding Autonegotiation Mismatches The IEEE 802.3U autonegotiation protocol manages the switch settings for speed (10 Mbps or 100 Mbps) and duplex (half or full).
  • Page 335: Troubleshooting Cms Sessions

    Make sure that the HTTP port number is 80. CMS only works with port 80, which is the default HTTP port number. – Make sure the port that connects the PC to the switch belongs to the same VLAN as the management VLAN. For more information about management VLANs, see the “Management VLANs”...
  • Page 336: Copying Configuration Files To Troubleshoot Configuration Problems

    You can use the file system in Flash memory to copy files and to troubleshoot configuration problems. This could be useful if you wanted to save configuration files on an external server in case a switch fails. You can then copy the configuration file to a replacement switch and avoid having to reconfigure the switch.
  • Page 337: Recovery Procedures

    “Creating a Cluster Standby Group” section on page Catalyst desktop switches, refer to the Release Notes for the Catalyst 2950 Switch on Cisco.com. If you have not configured a standby command switch, and your command switch loses power or fails in some other way, management contact with the member switches is lost, and a new command switch must be installed.
  • Page 338: Replacing A Failed Command Switch With A Cluster Member

    Start a CLI session on the new command switch. You can access the CLI by using the console port or, if an IP address has been assigned to the switch, by using Telnet. For details about using the console port, refer to the switch hardware installation guide.
  • Page 339: Replacing A Failed Command Switch With Another Switch

    Step 2 You can access the CLI by using the console port or, if an IP address has been assigned to the switch, by using Telnet. For details about using the console port, refer to the switch hardware installation guide.
  • Page 340: Recovering From A Failed Command Switch Without Hsrp

    When prompted for the host name, recall that on a command switch, the host name is limited to 28 characters. Do not use -n, where n is a number, as the last characters in a host name for any switch.
  • Page 341: Recovering From A Lost Or Forgotten Password

    Unplug the switch power cord. Step 3 Press the Mode button, and at the same time, reconnect the power cord to the switch. Step 4 You can release the Mode button a second or two after the LED above port 1X goes off. Several lines of information about the software appear, as do instructions: The system has been interrupted prior to initializing the flash file system.
  • Page 342: Recovering From Corrupted Software

    Switch software can be corrupted during an upgrade, by downloading the wrong file to the switch, and by deleting the image file. In all these cases, the switch does not pass the power-on self-test (POST), and there is no connectivity.
  • Page 343: Debug Commands

    Troubleshooting Step 4 Reconnect the power cord to the switch. The software image does not load. The switch starts in boot loader mode, which is indicated by the prompt. switch: Use the boot loader to enter commands, and start the transfer.
  • Page 344: Enabling All-System Diagnostics

    Because debugging output takes priority over other network traffic, and because the debug all command generates more output than any other debug command, it can severely diminish switch performance or even render it unusable. In virtually all cases, it is best to use more specific debug commands.
  • Page 345: Appendix

    Only one ACL can be allowed in a class map. This error means that there was an attempt to add another numbered ACL in the class map.
  • Page 346: Error Messages For Security And Qos Configurations

    This error message means that an attempt was made to create an ACL with a different mask within a policy map. The Catalyst 2950 switches support the policy-map global configuration command with certain restrictions. This error message means that the policy map cannot be configured due to certain reasons.
  • Page 347 This is an error message that is preceded by a more explicit error message that gives the reasons for the ACE being invalid. In an ACL, a Layer 4 (TCP/UDP) ACE cannot precede a Layer 3 (IP protocol) ACE.
  • Page 348 %Error:FAILURE to reinsert old ACL, errcode=XX %Error:Egress port invalid %Error:The field sets of all the ACEs in an ACL should match Explanation and Suggested Solution This error message means that an access group is applied on an EtherChannel interface.
  • Page 349: Appendix

    System Messages This appendix describes the IOS system messages for the switch. The system software sends these error messages to the console (and, optionally, to a logging server on another system) during operation. Not all system messages indicate problems with your system. Some messages are purely informational, and others can help diagnose problems with communications lines, internal hardware, or the system software.
  • Page 350: How To Read

    MSG is a mnemonic that means that this is a message. It is always shown as MSG. • SLOT means the slot number of the card reporting the error. It is shown as SLOT followed by a number. (For example, SLOT5.) Table B-2 Description System is unusable.
  • Page 351: Error Message Traceback Reports

    Error Messages and Recovery Procedures This section lists the switch system messages by facility. Within each facility, the messages are listed by severity levels 0 to 7: 0 is the highest severity level, and 7 is the lowest severity level. Each message is followed by an explanation and a recommended action.
  • Page 352: Environment Messages

    Action Either check the switch itself, or use the show env privileged EXEC command to determine if a fan on the switch has failed. The Catalyst 2950 switch can operate normally with one failed fan. Replace the switch at your convenience.
  • Page 353: Link Message

    EXEC command to see the alternate path-port on which the address is being learned. Go to the switch attached to that port. Note that the show cdp neighbors command is useful in determining the next switch. Repeat this procedure until the port is found that is receiving what it is transmitting, and remove that port from the network.
  • Page 354: Storm Control Messages

    Recommended Action port-configuration commands. This message means that an excessive number of link down-up events has been noticed If someone is reconfiguring the interface or device at the other side of the...